namespace logic

09.04.2005 Trustworthy Global ComputingETAPS `05

1

namespace logic

a logic for a reflective higher-order process calculus

a logic for a reflective higher-order process calculus

L.G. Meredith1

1Djinnisys Corporation

09.04.2005 Trustworthy Global Computing ETAPS 05

2

AgendaAgenda Motivations -calculus A warm-up: replication Namespace logic Examples Conclusions and future work

Motivations -calculus A warm-up: replication Namespace logic Examples Conclusions and future work


3

What’s in a name?What’s in a name?

mac addressesip addressesdns entries

url’s

distributed computing is done using names

and it is essential that these names

have structure

mac addressesip addressesdns entries

url’s

distributed computing is done using names

and it is essential that these names

have structure


4


-calculus is not a closed theory dependent upon a theory of names such a theory will at least dictate computation

of name-equality Name-equality is a computation

nowhere is there an infinite set of atomic elements available to the computer scientist

all countably infinite sets available to the computer scientist are generated from a finite presentation

perforce the elements of these sets have structure -- and this structure is used to compute equality

-calculus is not a closed theory dependent upon a theory of names such a theory will at least dictate computation

of name-equality Name-equality is a computation

nowhere is there an infinite set of atomic elements available to the computer scientist

all countably infinite sets available to the computer scientist are generated from a finite presentation

perforce the elements of these sets have structure -- and this structure is used to compute equality


5


If interaction is to provide a foundational theory of computation, then this computation must be accounted for, too!

All realizations (e.g., implementations) of mobile process calculi face this fact Would our theory better serve our practitioners

therefore if it accounted for name structure as well?

Synchronization and Substitution play very different roles in -like mobile process calculi: requiring different computations

If interaction is to provide a foundational theory of computation, then this computation must be accounted for, too!

All realizations (e.g., implementations) of mobile process calculi face this fact Would our theory better serve our practitioners

therefore if it accounted for name structure as well?

Synchronization and Substitution play very different roles in -like mobile process calculi: requiring different computations


6

potential applicationspotential applications

Security: concrete realizations of network protocols use naming scheme exploiting the structure of names, subject to guessing attacks theory of interaction with a structural account

of names can facilitate reasoning about this Biology: sites in molecular biology are

decidedly not atomic locations: Ligand-binding receptors, phosphorylation sites,

etc, have extension and behavior modeling these as atomic names may miss important

behavior

Security: concrete realizations of network protocols use naming scheme exploiting the structure of names, subject to guessing attacks theory of interaction with a structural account

of names can facilitate reasoning about this Biology: sites in molecular biology are

decidedly not atomic locations: Ligand-binding receptors, phosphorylation sites,

etc, have extension and behavior modeling these as atomic names may miss important

behavior


7

The -calculus syntaxThe -calculus syntax Grammar

P, Q ::= 0 null processx(y).P inputx^P_ liftP|Q parallel composition _x^ drop

x,y ::= ^P_ quote

PROC denotes the set of processes generated by this grammar;

^PROC_ denotes the set of names generated by this grammar

Syntactic sugar: x[y] @ x^ _y^ _

GrammarP, Q ::= 0 null process

x(y).P inputx^P_ liftP|Q parallel composition _x^ drop

x,y ::= ^P_ quote

PROC denotes the set of processes generated by this grammar;

^PROC_ denotes the set of names generated by this grammar

Syntactic sugar: x[y] @ x^ _y^ _


8

The -calculus syntax - examples

The -calculus syntax - examples

0

^0_ ^0_[^0_]

^0_(^0_).0

^ ^0_[^0_] _ , ^

^0_(^0_).0 _

0

^0_ ^0_[^0_]

^0_(^0_).0

^ ^0_[^0_] _ , ^

^0_(^0_).0 _

the ur-process, everything

literally comes ex nihilo, out of

nothing!

the first name

the first output process

the first input process

some new names

Looks remarkably like machine code!


9

Structural equivalence, -equivalence and name equivalence


Clearly, we want 0 7 0|0 7 0|0|0 7 …

should ^0_7N ^0|0_ 7N ^0|0|0_ 7N …?

Name equivalence, N ^PROC_ ^PROC_ , is the smallest

equivalence relation respecting

x N ^_x^_ P 7 Q ^P_7N ^Q_

Structural equivalence, PROC PROC, is the smallest

equivalence relation, containing -equivalence, respecting P | 0 7 P 7 0 | P P | Q 7 Q | P(P | Q) | R 7 P | (Q | R )

Clearly, we want 0 7 0|0 7 0|0|0 7 …

should ^0_7N ^0|0_ 7N ^0|0|0_ 7N …?

Name equivalence, N ^PROC_ ^PROC_ , is the smallest

equivalence relation respecting

x N ^_x^_ P 7 Q ^P_7N ^Q_

Structural equivalence, PROC PROC, is the smallest

equivalence relation, containing -equivalence, respecting P | 0 7 P 7 0 | P P | Q 7 Q | P(P | Q) | R 7 P | (Q | R )


10



First subtlety -- a cycle in Structural equivalence structural equivalence depends on -equivalence -equivalence depends on name equality name equality depends on structural equivalence!

Each ‘recursive call’ is one level of quotes fewer Quote Depth

#(^P_) = 1+#(P) #(P) = max({ #(^Q_) | ^Q_ N(P)})

Grammar enforces strict alternation of quoting and process constructor

Calculation of structural equivalence terminates by easy induction on quote depth

First subtlety -- a cycle in Structural equivalence structural equivalence depends on -equivalence -equivalence depends on name equality name equality depends on structural equivalence!

Each ‘recursive call’ is one level of quotes fewer Quote Depth

#(^P_) = 1+#(P) #(P) = max({ #(^Q_) | ^Q_ N(P)})

Grammar enforces strict alternation of quoting and process constructor

Calculation of structural equivalence terminates by easy induction on quote depth


11

SubstitutionSubstitutionSyntactic substitution

A substitution is a partial map, : ^PROC_ ^PROC_ ; {^Q_/^P_} denotes the map which sends ^P_ to ^Q_; we write x for (x)

x{^Q_/^P_} = ^Q_ if x N ^P_, x otherwise.A substitution, , is uniquely extended to a map, _^ : PROC PROC

by the following recursive definition

0 _{^Q_/^P_}^ @ 0(R|S) _{^Q_/^P_}^ @ (R _{^Q_/^P_}^ ) | (S _{^Q_/^P_}^ )(x(y).R) _{^Q_/^P_}^ @ x{^Q_/^P_} (z). ((R _{z/y}^ ) _{^Q_/^P_}^ ) (x^R_) _{^Q_/^P_}^ @ x {^Q_/^P_}^R{^Q_/^P_}^ _(_x^) _{^Q_/^P_}^ @ ^Q_ if x N ^P_ , _x^ otherwise

where z is chosen distinct from the names in R, ^P_ and ^Q_

Syntactic substitutionA substitution is a partial map, : ^PROC_ ^PROC_ ; {^Q_/^P_} denotes the map which sends ^P_ to ^Q_; we write x for (x)

x{^Q_/^P_} = ^Q_ if x N ^P_, x otherwise.A substitution, , is uniquely extended to a map, _^ : PROC PROC

by the following recursive definition

0 _{^Q_/^P_}^ @ 0(R|S) _{^Q_/^P_}^ @ (R _{^Q_/^P_}^ ) | (S _{^Q_/^P_}^ )(x(y).R) _{^Q_/^P_}^ @ x{^Q_/^P_} (z). ((R _{z/y}^ ) _{^Q_/^P_}^ ) (x^R_) _{^Q_/^P_}^ @ x {^Q_/^P_}^R{^Q_/^P_}^ _(_x^) _{^Q_/^P_}^ @ ^Q_ if x N ^P_ , _x^ otherwise

where z is chosen distinct from the names in R, ^P_ and ^Q_


12

SubstitutionSubstitution

Semantic substitution -- same as above except for drop where the process is instantiated at substitution time

(_x^) _{^Q_/^P_}^ @ Q if x N ^P_ , _x^ otherwise

Examples

w^y[z]_ {u/z} = w^y[u]_ w[^y[z]_] {u/z} = w[^y[z]_]

w^_x^_{^Q_ /x} = w^Q_

Semantic substitution -- same as above except for drop where the process is instantiated at substitution time

(_x^) _{^Q_/^P_}^ @ Q if x N ^P_ , _x^ otherwise

Examples

w^y[z]_ {u/z} = w^y[u]_ w[^y[z]_] {u/z} = w[^y[z]_]

w^_x^_{^Q_ /x} = w^Q_


13

Operational semanticsOperational semantics

The operational semantics is given by a reduction relation

PROC PROC recursively specified by the following

rules.comm: xsrc N xtrgt

xsrc^P_ | xtrgt(y).Q Q _{^P_ /y}^

par: P P P | Q P | Q

equiv: P P, P Q, Q P

P Q

The operational semantics is given by a reduction relation

PROC PROC recursively specified by the following

rules.comm: xsrc N xtrgt

xsrc^P_ | xtrgt(y).Q Q _{^P_ /y}^

par: P P P | Q P | Q

equiv: P P, P Q, Q P

P Q


14

ReplicationReplication

Replication is defined by the following equation

D(x) = x(y).( _y^ | x[y] )

!xP = D(x) | x^P | D(x)_

x(y).( _y^ | x[y] ) | x^P | D(x)_ P | D(x) | x[_P | D(x)^]

=P | D(x) | x^P | D(x)_


D(x) = x(y).( _y^ | x[y] )

!xP = D(x) | x^P | D(x)_


=P | D(x) | x^P | D(x)_


D(x) = x(y).( _y^ | x[y] )

!xP = D(x) | x^P | D(x)_


=P | D(x) | x^P | D(x)_


D(x) = x(y).( _y^ | x[y] )

!xP = D(x) | x^P | D(x)_


=P | D(x) | x^P | D(x)_


D(x) = x(y).( _y^ | x[y] )

!xP = D(x) | x^P | D(x)_

x(y).( _y^ | x[y] ) | x^P | D(x)_ P | D(x) | x[x[__P P || D(x) D(x)^̂]]

=P | D(x) | xx^̂P P || D(x) D(x)__


D(x) = x(y).( _y^ | x[y] )

!xP = D(x) | x^P | D(x)_

x(y).( _y^ | x[y] ) | x^P | D(x)_ P | D(x) | x[x[__P P || D(x) D(x)^̂]]

=P | D(x) | xx^̂P P || D(x) D(x)__


15

Namespace logic -- syntaxNamespace logic -- syntax Grammar

, ::= true verity 0 nullity negation& conjunction | simultaneity _b^ descenta^_ elevationa?b activity rec X.rec X. greatest fix-pointgreatest fix-point n:n:^̂__.. quantificationquantification

a ::= ^_ indicationb

b ::= ^P_ nominationnn

Grammar , ::= true verity

0 nullity negation& conjunction | simultaneity _b^ descenta^_ elevationa?b activity rec X.rec X. greatest fix-pointgreatest fix-point n:n:^̂__.. quantificationquantification

a ::= ^_ indicationb

b ::= ^P_ nominationnn


16

Namespace logic -- satisfaction

Namespace logic -- satisfaction

P \ true always P \ 0 iff P 7 0P \ iff P ^ P \ & iff P \ , P \ P \ | iff P 7 P1 |P2, P1 \ , P2 \

P \ _b^ iff P 7 _b^

P \ a^_ iff P 7 Q | x^P_, x\ a, P \

a?b iff P 7 Q | x(y).P, x\ a, c. z.P{z/y} \ {c/b}

^P_ \ ^_ iff P \ x\ b iff x N b

P \ true always P \ 0 iff P 7 0P \ iff P ^ P \ & iff P \ , P \ P \ | iff P 7 P1 |P2, P1 \ , P2 \

P \ _b^ iff P 7 _b^

P \ a^_ iff P 7 Q | x^P_, x\ a, P \

a?b iff P 7 Q | x(y).P, x\ a, c. z.P{z/y} \ {c/b}

^P_ \ ^_ iff P \ x\ b iff x N b


17

ExamplesExamples P insists all next requests are from the namespace

^_P \ ^_?btrue& ^_?btrue

(think: all next requests must come from this range of addresses and ports)

P only takes requests from the namespace ^_P \ rec . ^_?b & ^_?btrue

(think: all requests must come from this range of addresses and ports)

P enjoys balanced i/oP \ rec .(0 n:^true_. (n?b||n^ _))

(think: no starved requests, no unsent replies) x enjoys well-formed internal structure

x \ ^ rec .(0 n:^true_. (rec .n?b ( _b^| |n^0_)) n^_ |) _

(think: every <tag> has a corresponding </tag>)

P insists all next requests are from the namespace ^_

P \ ^_?btrue& ^_?btrue(think: all next requests must come from this range of addresses and ports)

P only takes requests from the namespace ^_P \ rec . ^_?b & ^_?btrue

(think: all requests must come from this range of addresses and ports)

P enjoys balanced i/oP \ rec .(0 n:^true_. (n?b||n^ _))

(think: no starved requests, no unsent replies) x enjoys well-formed internal structure

x \ ^ rec .(0 n:^true_. (rec .n?b ( _b^| |n^0_)) n^_ |) _

(think: every <tag> has a corresponding </tag>)


18

XML in Namespace logic - dom

XML in Namespace logic - dom

x conforms to domx \ ^m:^true_. mm^̂ rec .n:^true_.

(0 nn^̂__ rec rec . .nn::^̂truetrue__.nn?b?b(( )) ||) ___

Document rootDocument root ElementElement SequencingSequencing GroupingGrouping

x conforms to domx \ ^m:^true_. mm^̂ rec .n:^true_.

(0 nn^̂__ rec rec . .nn::^̂truetrue__.nn?b?b(( )) ||) ___

Document rootDocument root ElementElement SequencingSequencing GroupingGrouping


19

XML in Namespace logic - schema

XML in Namespace logic - schema

x conforms to schema s e is an element( n, s ) x \ ^m:^[n]_.m^[s]__

s is sequence( e0, …, eN ) x \ ^n:^[n0]_. n?b ( [so] |(…n:^[nn]_. n?b ( [sn])…))_

s is a choice( s0, …, sN ) x \ ^[so] … [sn]_

s is a group( s0, …, sN ) x \ ^[so]|…|[sn]_

s is a repetitionleft as an exercise

-- note ,with ‘|’ min and max can be done if x conforms to s then x should model dom

\ [s]dom

x conforms to schema s e is an element( n, s ) x \ ^m:^[n]_.m^[s]__

s is sequence( e0, …, eN ) x \ ^n:^[n0]_. n?b ( [so] |(…n:^[nn]_. n?b ( [sn])…))_

s is a choice( s0, …, sN ) x \ ^[so] … [sn]_

s is a group( s0, …, sN ) x \ ^[so]|…|[sn]_

s is a repetitionleft as an exercise

-- note ,with ‘|’ min and max can be done if x conforms to s then x should model dom

\ [s]dom


20

Operational semantics revisited

Operational semantics revisited

An alternative operational semantics may be given by

commannihil: R.(Pchan | Pcochan * R)R *0 ^Pchan

_^P_ | ^Pcochan_(y).Q Q _{^P_

/y}^

An alternative operational semantics may be given by

commannihil: R.(Pchan | Pcochan * R)R *0 ^Pchan

_^P_ | ^Pcochan_(y).Q Q _{^P_

/y}^

180 6x104 6x1010


21

Conclusions and future workConclusions and future work

Presented a higher-order asynchronous message-passing calculus built on a notion of quoting Provides an account of structured names

Presented a logic for reasoning about

namespaces

Work underway on Proof system Type system Model-checker

Presented a higher-order asynchronous message-passing calculus built on a notion of quoting Provides an account of structured names

Presented a logic for reasoning about

namespaces

Work underway on Proof system Type system Model-checker

09.04.2005 Trustworthy Global ComputingETAPS `05

22

namespace logic

BACKUPBACKUP


23

Encoding the -calculusEncoding the -calculus Paper presents a ‘distributed’ encoding in which par-ands are mapped

to separate namespaces Below we present a centralized encoding (due to Radestock) in which

there is a single resource against which all -requests are synchronized Both encodings use a trick for free names: build a -calculus with the

name set ^PROC_

Let h be a name not in fn(P), e.g. h = ^m fn(P) m[^0_] _

[P] = [P](h) | h [^h[^0_] _][( x)P](h) = h(x). (h^x[^0_]_ | [P](h))[! x(y).P](h) = h(z).(h^z[^0_]_ | z^x(y).(D(z) | [P](h))_ |

D(z))

where z fn(P) and D(z) as in replication

Paper presents a ‘distributed’ encoding in which par-ands are mapped to separate namespaces

Below we present a centralized encoding (due to Radestock) in which there is a single resource against which all -requests are synchronized Both encodings use a trick for free names: build a -calculus with the

name set ^PROC_

Let h be a name not in fn(P), e.g. h = ^m fn(P) m[^0_] _

[P] = [P](h) | h [^h[^0_] _][( x)P](h) = h(x). (h^x[^0_]_ | [P](h))[! x(y).P](h) = h(z).(h^z[^0_]_ | z^x(y).(D(z) | [P](h))_ |

D(z))

where z fn(P) and D(z) as in replication


24

Correctness of the encodingCorrectness of the encodingnames are global in the -calculus… -calculus contexts can make observations that -calculus

contexts cannot to prove correctness of the encoding one must restrict to name-

sets visible in -calculus contexts

an observation relation, N, parameterized in a set of names, N, is given by

x N y P N x or Q N x

y[v] N x P | Q x

an P N x if there is a Q s.t. P*Q and Q N xan N-barbed bisimulation, SN, is a symmetric relation s.t.

P P implies Q * Q , P SN Q

P N x implies Q N x

P 3N Q if there is an N-barbed bisimulation, SN , P SN Q

THM: P 1 Q iff [P] 3FN(P)FN(Q)[Q]

names are global in the -calculus… -calculus contexts can make observations that -calculus

contexts cannot to prove correctness of the encoding one must restrict to name-

sets visible in -calculus contexts

an observation relation, N, parameterized in a set of names, N, is given by

x N y P N x or Q N x

y[v] N x P | Q x

an P N x if there is a Q s.t. P*Q and Q N xan N-barbed bisimulation, SN, is a symmetric relation s.t.

P P implies Q * Q , P SN Q

P N x implies Q N x

P 3N Q if there is an N-barbed bisimulation, SN , P SN Q

THM: P 1 Q iff [P] 3FN(P)FN(Q)[Q]

Documents

namespace logic