Ilaria Castellani - Academia.edu
Papers by Ilaria Castellani
Journal of Logical and Algebraic Methods in Programming
Electronic proceedings in theoretical computer science, Mar 23, 2022
We propose a calculus for asynchronous multiparty sessions where input choices with different senders are allowed in processes. We present a type system that accepts such input races provided they do not hinder lock-freedom. This research has been supported by the ANR17-CE25-0014-01 CISC project and has the financial support of the Università del Piemonte Orientale.
We present a calculus for concurrent reversible multiparty sessions, which improves on recent proposals in several respects: it allows for concurrent and sequential composition within processes and types, it gives a compact representation of the past of processes and types, which facilitates the definition of rollback, and it implements a fine-tuned strategy for backward computation. We propose a refined session type system for our calculus and show that it enforces the expected properties of session fidelity, forward and backward progress, as well as causal consistency. In conclusion, our calculus is a conservative extension of previous proposals, offering enhanced expressive power and refined analysis techniques.
Models, Languages, and Tools for Concurrent and Distributed Programming, 2019
We propose an interpretation of multiparty sessions as flow event structures, which allows concurrency between communications within a session to be explicitly represented. We show that this interpretation is equivalent, when the multiparty sessions can be described by global types, to an interpretation of global types as prime event structures.
Journal of Logical and Algebraic Methods in Programming, 2017
Journal of Logical and Algebraic Methods in Programming, 2019
Electronic Proceedings in Theoretical Computer Science, 2016
Multiparty session calculi have recently been equipped with security requirements, in order to guarantee properties such as access control and leak freedom. However, the proposed security requirements seem to be overly restrictive in some cases. In particular, a party is not allowed to communicate any kind of public information after receiving secret information. This does not seem justified when the two pieces of information are totally unrelated. The aim of the present paper is to overcome this restriction, by designing a type discipline for a simple multiparty session calculus, which classifies messages according to their topics and allows unrestricted sequencing of messages on independent topics.
Journal of Logical and Algebraic Methods in Programming, 2015
Today's software systems are highly distributed and interconnected, and they increasingly rely on communication to achieve their goals; due to their societal importance, security and trustworthiness are crucial aspects for the correctness of these systems. Behavioural types, which extend data types by describing also the structured behaviour of programs, are a widely studied approach to the enforcement of correctness properties in communicating systems. This paper offers a unified overview of proposals based on behavioural types which are aimed at the analysis of security properties.
We study three notions of bisimulation equivalence for concurrent processes. Bisimulation equivalences are based on an operational interpretation of processes as labelled transition systems, and constitute the strongest notion of equivalence one may adopt for such systems: two systems are equivalent if and only if they have the same step-by-step behaviour. We focus first on Milner's notion of weak bisimulation (also known as observational equivalence) and propose an alternative formulation for it. More specifically, we show that Milner's notion may be redefined as one of reducibility to the same system, via a reduction function called abstraction homomorphism. We use our characterisation to derive a complete set of reduction rules for observational equivalence on finite processes. We also show how abstraction homomorphisms may be extended to labelled event structures; however, we do not consider the possibility of unobservable events here. We then look for notions of bisimulation which account for the concurrent aspects of processes. Traditional transition systems, evolving via successive elementary actions, only provide an interleaving semantics for concurrency. We suggest two generalisations of the notion of transition system: distributed transition systems, obtained by generalising the residual of a transition, and pomset transition systems, obtained by extending the notion of action labelling a transition (an action being now a partially ordered multiset). For the latter we find a corresponding notion of bisimulation on labelled event structures. Based on these new kinds of transitions, we obtain two bisimulation equivalences, one stronger than the other, which are both more discriminating than Milner's equivalence. For both of them we present an algebraic characterisation by means of a complete set of axioms.
Handbook of Process Algebra, 2001
Process algebras can be enriched with localities that explicitly describe the distribution of processes. Localities may represent physical machines, or more generally distribution units where processes are grouped according to some criterion like the sharing of resources. In a concurrent process, localities are naturally associated with (groups of) parallel components. These localities then intervene in the semantics of processes and become part, to some extent, of their observable behaviour. In a first line of research, initiated in the early nineties, localities have been used to give noninterleaving semantics for process algebras, and particularly for Milner's calculus CCS. Here localities are used to differentiate parallel components. The resulting semantics, taking distribution into account, is more discriminating than the standard interleaving semantics of the calculus. It is also incomparable with other noninterleaving semantics proposed for CCS, based on the notion of causality. More recently, localities have appeared in a number of new calculi for describing mobile processes. The idea here is that some "network awareness" is required to model wide-area distributed mobile computation. In these calculi localities are more than simple units of distribution. Depending on the calculus, they become units of failure, of communication, of migration or of security. This chapter reviews in some detail the first body of work, and tries to delineate the main ideas of the more recent studies, which are still, for the most part, at an early stage of development.
Electronic Notes in Theoretical Computer Science, 2006
In this note we revisit the so-called reactive programming style, which evolves from the synchronous programming model of the Esterel language by weakening the assumption that the absence of an event can be detected instantaneously. We review some research directions that have been explored since the emergence of the reactive model ten years ago. We shall also outline some questions that remain to be investigated.
Journal of Computer and System Sciences, 1987
Electronic Notes in Theoretical Computer Science, 2007
We address the question of typing noninterference (NI) in Milner's Calculus of Communicating Systems (CCS), in such a way that Milner's translation of a standard parallel imperative language into CCS preserves both an existing NI property and the associated type system. Recently, Focardi, Rossi and Sabelfeld have shown that a variant of Milner's translation, restricted to the sequential fragment of the language, maps a time-sensitive NI property to that of Persistent Bisimulation-based Non Deducibility on Compositions (PBNDC) on CCS. However, since CCS was not equipped with a security type system, the question of whether the translation preserves types could not be addressed. We extend Focardi, Rossi and Sabelfeld's result by showing that a slightly different variant of Milner's translation preserves a time-insensitive NI property on the full parallel language, by mapping it again to PBNDC. As a by-product, we formalise a folklore result, namely that Milner's translation preserves a natural behavioural equivalence on programs. We present a type system ensuring the PBNDC property on CCS, inspired by type systems for the π-calculus. Unfortunately, this type system as it stands is too restrictive to yield the expected type preservation result. We sketch a solution to overcome this problem.
Lecture Notes in Computer Science, 1991
Without Abstract
Lecture Notes in Computer Science, 1987
Lecture Notes in Computer Science, 1983
Lecture Notes in Computer Science, 2010
We consider a calculus for multiparty sessions with delegation, enriched with security levels for session participants and data. We propose a type system that guarantees both session safety and a form of access control. Moreover, this type system ensures secure information flow, including controlled forms of declassification. In particular, it prevents leaks due to the specific control constructs of the calculus, such as session opening, selection, branching and delegation. We illustrate the use of our type system with a number of examples, which reveal an interesting interplay between the constraints of security type systems and those used in session types to ensure properties like communication safety and session fidelity.