Petri nets for the verification of Ubiquitous Systems with Transient Secure Association


 Randolf Casey
 1 years ago
 Views:
Transcription
1 Petri nets for the verifiation of Ubiquitous Systems with Transient Seure Assoiation Fernando RosaVelardo Tehnial Report 2/07 Dpto. de Sistemas Informátios y Computaión Universidad Complutense de Madrid Abstrat. Transient Seure Assoiation has been widely aepted as a possible alternative to traditional authentiation in the ontext of Ubiquitous Computing. In this paper we develop a formal model for the Resurreting Dukling Poliy that implements it. Our model, that we all TSA systems, is based on Petri Nets, thus obtaining an amenable graphial representation of our systems. We prove that TSA speifiations have the same expressive power as P/T nets, so that overability, that an be used to speify seurity properties in this setting, is deidable for TSA systems. Then we address the problem of implementing TSA systems with a lower level model that only relies on the seure exhange of seret keys. We prove that if we view these systems as losed systems then our implementation is still equivalent to P/T nets. However, if we onsider an open framework then we need a mehanism of fresh name reation to get a orret implementation. This last model is not equivalent to P/T nets, but the overability problem is still deidable for them, even in an open setting, so that heking the seurity properties of the represented systems remains deidable. 1 Introdution The term Ubiquitous Computing was oined by Mark Weiser [21] to desribe environments full of devies that ompute and ommuniate with its surrounding ontext and, furthermore, interat with it in a highly distributed but pervasive way [20]. This omputing paradigm gives rise to a great deal of new situations that produe new problems, in the ontext of mobility, oordination and seurity, among others. For a survey of the hallenges posed by Ubiquitous Computing see [10]. As mentioned above, the new framework of ubiquitous omputing affets traditional seurity assumptions. Authentiation is probably the major seurity problem for ubiquitous systems, sine it is a preondition for other properties Work partially supported by the Spanish projets MIDAS TIC , MAS TER TIC C0201 and PROMESASCAM S0505/TIC/0407.
2 2 as onfidentiality or integrity. But in this new ontext, we an no longer rely on an always online poliy, due to the unreliable nature of ad ho nets. Thus, we annot approah the problem of authentiation by assuming the existene of an online server that verifies in real time the (global) identity of prinipals, nor the existene of publi key repositories. In order to solve this problem, several weak forms of authentiation that substitute global identitybased authentiation have been proposed. One of the proposals is that of Transient Seure Assoiation, implemented by the Resurreting Dukling Poliy [18]. This poliy is based on the fat that sometimes a prinipal may not know anything at all about some onrete devie (e.g., when a user has just bought a PDA), but still it wants to be the only one to use it (e.g., beause she is the first one who gets to push the button). In this ase, even if they have no prior knowledge of eah other, they an still beome assoiated, so that from then on they share an asymmetri relation, one being a slave and the other beoming its master. Other proposals are based on the notion of trust [2], though we will not onsider them here. Another issue of great importane in the field of ubiquitous omputing is that of Coordination. Indeed, inherent to ubiquitous omputing is the ontinuous hange of state of the different omponents that form a system, that need to oordinate to ahieve their goals. This fat, together with the unreliable nature of ad ho nets and the heterogeneity of the omponents make the orhestration approah unrealisti and little robust, so that a horeographi oordination is more advisable in this setting. Therefore, a key tehnology is servie disovery, whih nowadays is based on a heavy standardization [12] (as in Sun s Jini or in Mirosoft s UPnP). In this paper we develop a formal model for horeographi oordination in ubiquitous systems, with primitives implementing the resurreting dukling poliy. The model, alled TSA, is based on Petri nets [3]. By using Petri Nets we obtain an amenable graphial representation of our systems, together with a number of theoretial results for their analysis, whih would not hold in other more expressive models. In partiular, we will prove that TSA speifiations an be seen as a syntati sugar formalism for P/T nets. Moreover, we will see that we an implement TSA systems by means of Mobile Synhronizing Petri Nets, whih an be seen as a lass of Coloured Petri Nets [8] with a single olour of pure names [6], and syntati sugar for mobility, exept for the fat that they an reate fresh names, in a way borrowed from πalulus [9]. We have proved several useful deidability results for them, whih are inherited by TSA systems, even though TSA systems may represent infinite state systems. In partiular, deidability of overability in MSPN system implies that all the properties of TSA systems whih an be stated in terms of overability are deidable. The remainder of the paper is organized as follows. Setion 2 gives an overview of the Resurreting Dukling poliy. In Setion 3 we define our model for Transient Seure Assoiation. Setion 4 presents a simple example. In Setion 5 we prove the simulation results and, finally, in Setion 6 we present our onlusions and diretions for further work.
3 3 imprint dead alive kill Fig. 1. The resurreting dukling poliy 2 The Resurreting Dukling poliy Let us briefly desribe Transient Seure assoiation and the Resurreting Dukling seurity poliy model. Transient seure assoiation is about reating a link between two omponents, that establishes a masterslave relationship (typially between a ontroller and a peripheral). This link needs to be seure, so that no other prinipal an play the role of either the master or the slave. This produes a tree topology of masterslave relationships between omponents. The assoiation must also be transient, in the sense that the topology an hange if desired (by the master) along the exeution of the system. The Resurreting Dukling poliy model implements transient seure assoiation with the following metaphor: A dukling that emerges from its egg reognizes as its mother the first moving objet that emits a sound. From then on, the dukling obeys its mother duk until its death. Similarly, a peripheral an reognize as its mother duk the first entity that sends it a seret key, alled imprinting key, whih it will use to reognize its master from then on. However, in order to make this assoiation transient, we assume that the dukling an die and resurret, and then it an reognize as its mother duk a different entity, to whih it will be faithful from that point on. The poliy an be desribed as a list of four priniples: 1. Two State priniple. Entities an be either imprintable (dead) or imprinted (alive). Imprintable entities an be imprinted by anyone and imprinted entities only obey their mother duk. 2. Imprinting priniple. The step from imprintable to imprinted is alled imprinting, and happens when an entity, from now on the mother duk, sends a key to the dukling (see Fig. 1). 3. Death priniple. The step from imprinted to imprintable is alled death (see Fig. 1). The default ause of death is the mother duk s order to its dukling to ommit seppuku 1, though other auses are envisaged, as death by old age or by ompletion of a task. 4. Assassination priniple. It must be uneonomial for an attaker to kill a dukling (to ause its death). 1 Traditional ritual suiide from Japanese samurai
4 4 3 TSA systems Our aim is to define a model for ubiquitous systems, that we all TSA, based on Petri Nets and with primitives implementing the Resurreting Dukling poliy. It will be a variation of the one developed in [5]. A TSA system is essentially a set of loalized nets that an move between loations and an imprint other nets, give orders to the nets they have previously imprinted, kill those nets, and being imprinted or reeive orders from its master when imprinted. In order to define our model we have to speify some of the aspets of the poliy that were not still ompletely preise. We assume that the different omponents of a system have a type, taken from a set O. We use a speial type O for the type of omponents that need not be imprinted to perform their potential behaviour (e.g., users). Components an be dead or alive. Top or imprinted omponents are alive, otherwise they are dead. Those alive omponents an imprint dead ones, thus reating an unique and asymmetrial link between them. By asymmetrial we mean that from then on the imprinted omponent beomes a slave of the other, doing everything its master orders to it. However, when exeuting its ode, the slave omponent an as well imprint other omponents, thus reating a hierarhial relation between omponents. Therefore, not only the omponent being killed beomes death, but also all of its slaves and so on, reursively. We assume that omponents an only be imprinted within a ertain range, that depends on the imprinting method being used (e.g., physial ontat [17]). We abstrat from those partiular methods and simply assume that the imprinting an take plae whenever both omponents are in the same loation. In partiular, we assume that the key exhange that takes plae when imprinting a omponent is done in a seure way. Besides, a omponent an only give orders to those slave omponents that are urrently oloated with it. Dually, a slave omponent an be killed by its owner only when they are oloated. Thus, we are implementing the default variant of the death priniple, in whih the death of the dukling is aused by the mother duk. Finally, we assume that the prinipals an only interat with eah other using the model s primitives, so that the assassination priniple of the poliy also holds, sine attakers annot kill any dukling in a way not established by the poliy. We will use the set L, a set of loation names. O is a set of omponent types, with a speial element O. We use a set S for the syntati primitives of the standard used for oordination and A to denote autonomous ations. A ontains among others the labels go k for every k L. We denote S? = {s? s S} and S! = {s! s S}. For m > 0, we denote by Labels(m) the set A S? m ({i} Labels Auth ), where Labels Auth = S! {imprint(o) o O \ { }} {kill}. Definition 1. A TSA omponent is a tuple N = (P N,T N,F N,λ N,o N ) suh that P N and T N are disjoint finite set of plaes and transitions, respetively, F N (P N T N ) (T N P N ), λ N : T N Labels(m) for some m > 0 and i=1
5 5 o N O. We say that N has type o N, that m is the apaity of N, and we denote by ap(n) the set {1,...,m}. A TSA omponent is a typedlabelled Petri net. The apaity of a omponent represents the number of slaves it an have simultaneously imprinted. Its type o is just a syntati ategory, whih an be intuitively understood as the type of devie it is (e.g., PDA, eletroni note,...), as the imprinting protool it uses when being imprinted or both simultaneously. The labelling of the transitions of the net establishes a partition in its transition set: Those transitions t with λ(t) A are autonomous transitions, that is, those that an be exeuted in an autonomous way, without needing to synhronize with others; If λ(t) S? the transition is used to reeive orders from their masters, when imprinted; Otherwise, we have that λ(t) {i} Labels(m). The set Labels(m) is the disjoint union of m idential sets Labels Auth, eah of them used to ommuniate with a different islave. If some net fires t with λ(t) = (i,imprint(o)) then some omponent of type o is heneforth a islave of it. If λ(t) = (i,s!) then the firing of t instruts the orresponding slave to perform ation s?. Finally, if λ(t) = (i,kill) then its islave is instruted to ommit seppuku. Next we introdue these onepts formally. As usual, given a transition t we will denote by t = {p (p,t) F }, the set of preonditions of t and by t = {p (t,p) F }, its set of postonditions. If ap(n) = {1} and λ(t) = (1, l) we will simply write λ(t) = l. Definition 2. A TSA system N is a set of pairwise disjoint TSA omponents. Intuitively, the nets N with o N = are omponents that need not be imprinted in order to exeute their ations. We will denote by P N the set of all plaes in N and by T N the set of all transitions in N, or just P and T when there is no onfusion. Next we define the part of the state of the system regarding the dependeny relations between its omponents. Definition 3. Given a TSA system N, a dependeny funtion of N is a partial mapping R : {(N,j) N N,j ap(n)} N. A dependeny funtion R indues a dependeny graph G(R) with set of nodes N and an ar from N to N labelled by j if R(N,j) = N, in whih ase we say that N is a jslave (or just a slave) of N in R. We will all direted tree to any direted graph in whih there is a node, that we all root of the tree, so that for every node in the graph there is a single path from the root to it. Therefore, a direted forest is a set of direted trees. Given two nodes s and s of a direted forest, we will say s is a desendant of s if there is a path in the forest from s to s. Moreover, given a set A we will denote by MS(A) the set of multisets with elements in A. Definition 4. A marking of a TSA N is a tuple M = (M,lo,R), where M MS(P N ), lo : N L and R is a dependeny funtion of N suh that:
6 6 G(R) is a direted forest, For every N N, if o N = then N is not a slave in R. Therefore, a marking is omposed by an ordinary marking for Petri nets, a funtion speifying the loality in whih eah omponent is present, and a dependeny funtion. We will say a omponent N is alive in R if o N = or it is a slave in R. Otherwise, we will say it is dead. The omponents N and N are oloated if lo(n) = lo(n ). Now let us define the behaviour of TSA systems. In general, only alive omponents an fire transitions. Next we define the firing of autonomous transitions, that are as ordinary transitions in P/T nets, that remove tokens from preondition and add them in postonditions, exept that they are restrited to alive omponents and an ause the movement of the exeuting net. We will denote by + and the multiset union and the multiset differene, respetively, to distinguish them from and \, the orresponding operations over sets. Definition 5. Let N be a TSA system, M = (M,lo,R) a marking of N, N an alive omponent in R, and t T N suh that λ(t) A. We say that t is enabled in M if t M. In that ase we say that t an be fired and then the marking (M,lo,R) is reahed, where: M = M t + t. If λ(t) = go k then lo (N) = k and lo (N) = lo(n) for every N N. Otherwise, lo = lo. Now we define the firing of imprinting transitions. The net firing any of them speifies the type it wants to imprint. Definition 6. Let N be a TSA system, M = (M,lo,R) a marking of N, N and N an alive and a dead omponent in R, respetively, both oloated, and t T N suh that λ(t) = (i,imprint(o N )). We say that t is enabled in M if t M (N,i) / Dom(R) Then t an be fired, to reah the marking (M,lo,R ), where M = M t + t and R extends R with R (N,i) = N. Therefore, the imprinted net must be dead in order to be imprinted, and of the type required by the imprinting omponent. Moreover, the imprinting net must not already have an islave net. Let us now define the transitions that represent orders from masters to slaves. Definition 7. Let N be a TSA system, M = (M,lo,R) a marking of N, N and N two oloated alive omponents suh that N is a islave of N in R. Let us also onsider t T N suh λ(t) = (i,s!) and t T N suh that λ(t ) = s?. We say that the pair of transitions (t,t ) is enabled in M if t t M. Then the pair (t,t ) an be fired, getting (M,lo,R) where M = M t t + t + t.
7 7 go inf go home kill home l imprint(ontr) go rest k hek l alarm! Fig. 2. Nurse Therefore, if N is an islave of N then N an give orders to N, whih is formalized by a synhronous firing of two transitions. Finally, let us define how a master an kill one of its slaves. Definition 8. Let N be a TSA system, M = (M,lo,R) a marking of N, N and N two oloated alive omponents suh that N is a islave of N, and t T N suh λ(t) = (i,kill). We say that t is enabled in M if t M. Then t an be fired, getting (M,lo,R ) where M = M t + t and R is the result of removing (N,i) from the domain of R, and removing (N,j) from the domain of R, for every N desendant of N in G(R) and every j. Therefore, all the omponents that depend of N are also indiretly killed. Notie that this is so even if those omponents are not oloated with N and N. Alternatively, we ould fore N to expliitly searh and kill its slaves, and so on, but this would not modify the potential behaviour of any of the so killed omponents. This is so beause these nets an perform two kind of ations: autonomous ations, that ould have been performed anyway before their death; and synhronizations with its master, whih will not happen after the seppuku order. We will use u,u,... to range over transitions or pairs of transitions. Thus, in any of the previous ases we will write M[u M if M is the result of firing u in M. Sine alive omponents annot be imprinted, and only alive omponents an imprint, whenever the dependeny graph is initially a direted forest, it remains so. Therefore, we have the following result. Proposition 1. If M is a marking of a TSA system N and M[u M then M is also a marking of N. Reahability for TSA systems is defined as expeted. We say a marking (M,lo,R) an be overed if there is a reahable marking (M,lo,R ) suh that M M, lo = lo, Dom(R) Dom(R ) and for every (N,i) Dom(R), R(N,i) = R (N,i). The overability problem onsists on deiding if a given marking an be overed.
8 8 inf go (1, good!) k go k 1 l (1, imprint(th)) (1, bad! alarm! k go rest l (2, bad!) go k 2 (2, imprint(th)) go (2, good!) Fig. 3. Thermometer ontroller 4 An appliation example In this setion we present a simple appliation example to illustrate the definitions in the previous setion. Let us onsider a senario with several patients in two rooms of a hospital, alled k 1 and k 2. Eah of the patients has an eletroni thermometer [19] that reads the temperature every one in a while, and willing to send (e.g., using RFID) a message stating whether everything is all right or not. We assume that these thermometers are inative (that is, dead aording to our terminology), exept when a thermometer ontroller takes over them. Intuitively, we assume that every room has one of these ontrollers, that reads the messages output by thermometers, and sends an alarm message to a nurse whenever the temperature is not orret. For simpliity, we assume that all these ontrollers are in fat part of a single omponent that moves between rooms in the hospital and that it an only simultaneously ontrol two thermometers, so that it has apaity two. Finally, there is a night shift nurse, that must hek the temperature of the patients. For that purpose, it may imprint a ontroller, so that she is the only one to reeive alarm messages from it. Therefore, the life yle of a nightshift nurse onsists on going from her home to the infirmary, imprinting a thermometer ontroller, going to rest, heking the patient in ase she reeives an alarm message, or killing the ontroller and going bak home. We model this senario by means of a TSA system with several omponents. The first one, shown in Fig. 2, represents the nurse, that we assume has type. Initially, it is loated in loation home. Then it an fire go inf, thus moving to the infirmary, where it an imprint the thermometer ontroller and then go to rest. Notie that, sine the nurse has apaity one, we use simple names as labels of its synhronizing transitions, suh as kill, instead of (1,kill).
9 9 nurse thermometer ontroller 1 2 thermometer Fig. 4. Dependeny relation kill k 1 bad! good! kill Fig. 5. Patients The thermometer ontroller, with type ontr, is shown in Fig. 3, initially in loation inf. The ontroller, however, does not have a type, so that it must wait to be imprinted to perform any ation. After been imprinted, it an go either to loation k 1 or to k 2. In these loations there are patients, all of them like that in Fig. 5. Now the ontroller has a hoie between good!, bad! or imprint(th). However, sine the patient thermometers are still dead (in our sense), all the ontroller an do at the present time is imprinting them. Then it an again hoose between any of the loations. If it goes bak again to the same plae then it an read the thermometer and, if it reads bad, that is, if it synhronizes with the thermometer in transition bad!, then it goes to the rest room and sends an alarm message to the nurse. Eventually, the system will reah a dependeny state like the one shown in Fig. 4, with both thermometers imprinted by the ontroller. At any point, the nurse an fire its kill transition, thus killing the ontroller (and, reursively, the ontroller killing its thermometers). Notie that the ontroller does not have any killing transition, so that it only kills its thermometers when, in turn, the nurse kills it. 5 Verifiation of TSA systems In the previous setions we have presented a model that allows us to speify systems using primitives that implement the resurreting dukling poliy, whih are orret by definition. In this setion we will see how we an use the known deidability results for the verifiation of the obtained TSA systems. First of all, we will prove that the loality omponent of TSAs is not essential in the model. More preisely, we will say a TSA system is entralized if none of its omponents have movement transitions and all of them are initially loated in the same loation. Under these assumptions, we an ignore the loality omponent
10 10 of entralized TSA systems, thus writing just (M,R) instead of (M,lo,R). In the following result we will write A to denote the set A \ {go k k L}. Lemma 1. Every TSA system an be simulated by a entralized TSA system. Proof. Let N be a TSA system. Given N N we will define the entralized TSA omponent N, so that the entralized system N = {N N N} simulates N. Let K = {k t T N,λ(t) = go k} lo 0 (N) L, whih is the set of loalities in whih omponents an reside in any reahable marking. Sine that set is finite, we an add for eah omponent N one plae per loality k K, all marked in mutual exlusion, thus representing the urrent loality of eah omponent as part of its ordinary marking. Then, for eah nonautonomous transition we will onsider also one per loality, so that a transition t being fired in k is represented by the firing of a transition t(k). The plae must be a pre/postondition of transition t(k), and movement transitions must hange the tokens in the new plaes aordingly. Then, if N = (P,T,F,λ,o) we take N = (P,T,F,λ,o), where P = P k K} T = {t T λ(t) A } {t(k) λ(t) / A, k K} F = {(p,t) F λ(t) A } {(t,p) F λ(t) A } {(p,t(k)) (p,t) F, λ(t) / A } {(t(k),p) (t,p) F, λ(t) / A } k K, λ(t) go k } ) λ(t) = go k } λ (t) = λ(t) and λ (t(k)) = λ(t) We assume that a transition in the simulating entralized system labelled by go k is just an autonomous transition. For a given reahable marking M = (M,lo,R) we define M = (M,R), where M (p) = M(p) for every p P, M = 1 and M = 0 if k lo(n) for every N. Then, it holds that M 1 [u M 2 M 1[u M 2 where, if M 1 = (M 1,lo 1,R 1 ) then u if λ(u) A u = u(k) if λ(u) = go k (t(k),t (k)) if u = (t,t ) T N T N, lo 1 (N) = lo 1 (N ) = k Therefore, in the following we an assume that every TSA system is entralized. Now, we prove that every TSA system an be simulated by a P/T net. Proposition 2. Every TSA system an be simulated by a P/T net. Proof. Aording to the previous result we an assume that we are given a entralized TSA system N with initial marking M 0 = (M 0,R 0 ), and we must onstrut the P/T net N = (P,T,F,M 0 ) that simulates it. Let us first introdue some notations. We write OK(t,t,R) whenever t T N, t T N and both N and N are alive and N is a slave of N, aording to R. Analogously, we write OK(t,N,R) whenever λ(t) = imprint(o N ) and N is dead aording to
11 k 11 s! q 0 p 0 imprint(o) p 1 k p 2 l s? kill q 1 h Fig. 6. Simple example of TSA system imprint p 1 k s q 0 p 0 R 2 kill p 2 l q 1 h R 1 Fig. 7. Translation of the TSA system in Fig. 6 R, or whenever λ(t) = kill and N is alive aording to R. Finally, given a dependeny funtion R, we will write R(t,N) to denote the dependeny funtion that results when firing t with N as goal. More preisely, if λ(t) = (i,imprint(o N )) then R(t,N) is the result of adding to R, R(N,i) = N, where t T N. Analogously, if λ(t) = (i,kill) then R(t,N) is the result of removing (i,n ) from the domain of R, as well as every desendant of N. In order to simulate a TSA system by means of a P/T net, for eah omponent N we add plaes dead(n) and alive(n), marked in mutual exlusion, thus stating whether that omponent is dead or alive. Sine there are a finite number of omponents and eah of them has a finite apaity, there is only a finite number of dependeny funtions. Then we an have one plae for eah one of them, also marked in mutual exlusion, and used to restrit synhronizations to happen only in the right onfigurations. For instane, for eah pair (t,t ) of synhronizing transitions labelled respetively by s? and (i, s!) we onsider for every dependeny funtion R the transition (t,t,r) that represents the synhronized firing of (t,t ) in a dependeny state R. Of ourse, this synhronization an only happen when the net firing t is an islave of the one firing t aording to R. Therefore, this transition must have R as pre/postondition, as well the preonditions and postonditions of both t and t. An analogous onstrution applies to killing and imprinting transitions. Then, let us take: P = P N {alive(n),dead(n) N N} {R R dependeny funtion of N} T = {t T N λ(t) A} {(t,t,r) λ(t) = s?,λ(t ) = (i,s!),ok(t,t,r)} {(t,n,r) OK(t,N,R)λ(t) = kill or λ(t) = imprint(o N )} F = F 1 F 2 F 3, where F 1 = {(p,t) λ(t) A, p t} {(t,p) λ(t) A, p t } {(alive(n),t),(t,alive(n)) t T N }
12 12 F 2 = {(p,(t,t,r)) p t t } {((t,t,r),p) p t t } {(R,(t,t,R)),((t,t,R),R) (t,t,r) T } F 3 = {(p,(t,n,r)) p t} {((t,n,r),p) p t } {(R,(t,N,R)) (t,n,r) T } {((t,n,r),r(t,n))} {(alive(n),(t,n,r)) λ(t) = kill} {((t,n,r),dead(n)) λ(t) = kill} {(dead(n),(t,n,r)) λ(t) = imprint(o N )} {((t,n,r),alive(n)) λ(t) = imprint(o N )} Finally, given a marking M = (M,R) of N we define the marking M of N as follows: M (p) = M(p) for every p P N M (R) = 1 and M{ (R ) = 0 for every R R 1 if N alive in R N (alive(n)) = { 0 otherwise 1 if N dead in R N (dead(n)) = 0 otherwise Using these notations, it holds that (M 1,R 1 )[u (M 2,R 2 ) (M 1,R 1 ) [u (M 2,R 2 ) t if u T N and λ(t) A where u = (t,t,r 1 ) if u = (t,t ) (t,n,r) if u = t and λ(t) = kill or λ(t) = imprint(o N ) Figure 7 shows the P/T net that simulates the TSA system in Fig. 6, assuming that the net in the right has type o. In it we use plae R 1 for the dependeny funtion in whih there is no assoiations between omponents, and R 2 for that in whih the omponent in the left of Fig. 6 is master of the one in the right. Then, the transition labelled by imprint an only be fired when there is a token in R 1, and that firing has the effet of moving that token from R 1 to R 2, as well as moving the token in p 0 to p 1. The killing transition has an analogous behaviour. Finally, transitions s! and s? are merged into a single transition s, that has R 2 as a pre/postondition plae, beause it an only happen when both omponents are assoiated, and it does not hange this assoiation. This onstrution, even for the simple example shown here, produes the typial spaghetti problem of P/T nets, though, fortunately, it an be arried out automatially. By applying this result, we an use all the existing mahinery for ordinary P/T nets in the analysis of our systems. For instane, overability 2 and home state problems are known to be deidable for P/T nets (for a survey see [4]). Then, in priniple, we ould algorithmially hek any property that an be stated in terms of them. For example, regarding the example in the previous setion, we ould hek that, whenever a thermometer is imprinted by a dotor, then whenever needed it eventually raises the alarm, and only to the right dotor, sine that is a home state property. Another property that ould be interesting 2 In fat, the onstrution translates overability problems of TSA systems to finite sets of overability problems of P/T nets.
13 13 imprint(o)! k kill p s! Fig. 8. TSA system to analyze, and an be stated in terms of overability (adding a ontrol point to the speifiation), is heking that it is not possible for a ontroller to (for example) send out an alarm message without first been imprinted. If we assume that we have several nurses like the one in Fig. 2 and several ontrollers like the one in Fig. 3, we ould also speify in terms of overability the property that says that any nurse has at most one ontroller. So far, we are regarding our TSA systems as the speifiation of systems using the resurreting dukling poliy, sine our primitives assume that the imprinting and killing mehanisms are always orret. However, it is also desirable to perform a lower level analysis, with weaker assumptions. For that purpose, we will prove that every TSA system an be implemented by an MSPN system. An MSPN system intuitively onsists on a set of Petri nets, eah of them at some loation. Those nets an move between loation and, synhronize between them. Moreover, and this is more important, they an manage pure names (in the sense of [6]), that we all identifiers, and use them for authentiation purposes, that is, as imprinting keys. Therefore, apart from ordinary tokens, MSPN omponents an have identifiers as tokens. For instane, a omponent ould offer a synhronization only to omponents exhibiting a determined identifier. This is formalized by using variables as labels on ars. MSPN omponents an also reate fresh identifiers by means of a speial variable ν, whih an only be instantiated to fresh identifiers. However, they do not need to use this variable to implement TSA systems. Proposition 3. Every TSA system an be simulated by a MSPN system without namereation transitions. Proof. Let N be a TSA system, that we an assume to be entralized. For every N = (P,T,F,λ,o) N we want to define a MSPN N in suh a way that the MSPN system N = {N N N} implements N. The main differene with the previous result is that omponents annot have a global view of the dependenies in the system, but only of those that affet them diretly, that is, they only know whih omponents are their master and their slaves. For that purpose, we add a plae master to every omponent, ontaining at eah time the key used to ommuniate with its master. Similarly, if a net has apaity m then we add plaes slave(1),...,slave(m), used to ommuniate with the orresponding slaves. We represent alive omponents as those that ontain a key in its master plae. Sine only alive omponents an exeute ations, we must add that plae as preondition of every transition (notie that omponents of
14 14 p 1 q 1 p 1 q 1 (i, s!) s! p 2 q 2 slave(i) a p 2 d b q 2 master s? s? master a Fig. 9. Implementation of synhronizations p d (i, imp(o)) imp(o)! b master imp(o)? q p q free a slave(i) a dead(i) master Fig. 10. Implementation of imprintings type are always alive though they do not have a master and hene they must have a key in that plae, though they do not use it to ommuniate). We also add a plae dead, marked with an ordinary token in mutual exlusion with master. Finally, we add a plae free that ontains a set of keys that are free to be used in future imprintings. If the omponent has apaity m and does not have any slave in the initial state, then that plae must ontain m pairwise different keys in that plae in its initial marking. Now let us see how we implement the transitions of eah kind. Autonomous transitions are left as they are, exept for the fat already mentioned that they have the master plae as preondition and postondition, so that they an only be fired when the omponent is alive and stay that way after it. The synhronization of two transitions (see Fig. 9), labelled by (i, s!) and s?, respetively, is implemented by the synhronization of two transitions, now labelled by s! and s?. However, we want them to synhronize only when they share the proper dependeny relation. For that purpose we add the plae slave(i) as preondition (and postondition) of (i,s!) and the plae master as preondition (and postondition of s?, and label all those ars with the same variable. In this way, only omponents that ontain the same value in those plaes (share the same key) an ommuniate. Therefore, we have to guarantee that omponents only share values whenever told by the imprinting and killing primitives. In the implementation, imprinting and killing transitions are just ordinary synhronizing transitions, so that we
15 15 imprint(o)! x x free η η slave kill! p Fig. 11. Implementation of the TSA system in Fig. 8 assume there are synhronizing labels kill and imprint(o) for every o O. The imprinting of a omponent of type o is implemented by the synhronized firing of two transitions, labelled by imprint(o)! and imprint(o)? (see Fig. 10). Notie that the latter transition an only be fired by dead omponents, so that in fat it is the only transition that has the plae dead as preondition instead of master. When these two synhronize, a token is taken from the free plae in the imprinting omponent and plaed both in the orresponding slave(i) plae and in the master plae of the imprinted omponent. The behaviour of the implementation of the killing transitions is dual, by means of the synhronization of two transitions labelled by kill! and kill?. Basially, the killing net moves the token in the orresponding slave(i) plae and puts it in free, and the killed net removes its token from master and puts a blak token in dead. However, the killing of a omponent auses the death not only of that omponent, but also of all its slaves. Therefore, before putting that token in plae dead it must kill all its slaves. MSPN systems without namereation are still equivalent to P/T nets, so that we an take advantage of all the existing analysis methods for P/T nets even in the implementation of TSA systems as losed systems. The previous proof profits from the fat that we are regarding TSA systems as losed systems, so that we an extensively and statially analyze all of their partiipants. In partiular, we an hek (and fore) that the omponents being imprinted, that is, reeiving their masters imprinting key, throw away those keys when they are killed. Therefore, omponents an safely reuse those keys in a forthoming imprinting. However, it is not very realisti to assume in the ontext of ubiquitous omputing that we are dealing with losed systems. In this ontext, we want our servies to be offered in a global and uniform way, so that some of the prinipals that imprint or some of the devies that are imprinted may not be part of the system, but part of the environment of the system. In this ase, we an no longer hek (even less fore) that they erase the imprinting keys after been killed so that, if we reuse them, then the prinipals of the environment ould use old keys to illegitimately interat with a omponent. Let us again onsider the simple TSA omponent in Fig. 8 or, more preisely, its implementation as an MSPN system (without name reation) in Fig. 11. This omponent attempts to imprint some devie of type o, then uses some servie s that this devie provides and finally kills it, thus moving to its initial state. If this omponent is in an environment like the one in the left of Fig. 12 then its behaviour is the intended one. Indeed, when being killed by its master, that s! k
16 16 k k imprint(o)? s? kill? master imprint(o)? s? kill? master Fig. 12. Environments for TSA system in Fig. 8 imprint(o)! ν η slave kill! s! p k Fig. 13. Open implementation of the TSA system in Fig. 8 omponent throws away the imprinting key (the identifier in plae master), so that it an be safely reused. However, let us suppose that its environment is like the one in the right of the same figure, whih is almost the same, exept for the fat that it does not throw away that identifier (there is no arrow from plae master to transition kill?) and an provide servie s even after synhronizing in transition kill (whih, in this ase, does not have the effet of killing the omponent). Therefore, Fig. 11 would be a wrong implementation of the TSA system in Fig. 8, when onsidered in the environment in the right of Fig. 12. For more details about open MSPN systems see [16]. However, we an make use of the freshidentifier reation apability of MSPN systems to perform a orret implementation, even in the open ase. Proposition 4. Every TSA system an be simulated by an open MSPN system. Proof. The onstrution is idential to the one of the previous result, exept for the fat that when impriting, keys are not taken from a plae free, but reated and when killing they are not put bak in free, but erased. Figure 13 shows the open implementation of the TSA system in Fig. 8, whih is similar to that in Fig. 11, exept for the fat that it does not have a plae free for free identifiers and that it has the speial variable ν labelling the ar to the plae alled slave. This speial variable formalizes the reation of new identifiers, by foring its instantiation only to identifiers that are not in the urrent marking. In partiular, notie that the environment on the right of Fig. 12 an no longer offer servie s after being killed, even if it does not throw away its key, sine in a new imprinting the TSA omponent will use a different imprinting key in order to ommuniate with its slave. As we have proved in [14, 16], the general lass of MSPN system (in whih we allow name reation) is not equivalent to P/T nets anymore, but are not Turingomplete either. In partiular, we have proved that overability is still
17 17 deidable, even in the open ase, so that we an still verify any property that an be stated in terms of it. 6 Conlusions and Future Work In this paper we have defined a model based on Petri Nets that addresses the problem of Seure Transient Assoiation in ubiquitous systems. The fat of using Petri Nets gives us an amenable and easy to grasp model. Then we study whether we an approah the problem of the verifiation the properties of these systems. As a first step, we prove that TSA systems, seen as speifiation of systems using the primitives of the Resurreting Dukling Poliy, are equivalent to P/T nets, so that we have many deidable properties for them as reahability, overability or home state. Then we show how these primitives an be implemented solely relying on a mehanism that manages pure names, that an be seen as imprinting keys. These implementations an be studied from two different points of view: first assuming that our systems work in a losed environment, and then without this assumption. In the first ase, we have proved that this implementation is still equivalent to P/T nets. However, this is no longer true in the seond ase, beause we need to allow the reation of fresh identifiers, but even so we an approah the verifiation of their properties. As future work, we plan to study in a more systemati way the kind of properties of TSA systems that an be studied. It would also be interesting to follow a dual approah, namely that in whih we want to verify that a given system does indeed implement the resurreting dukling poliy, whih would ertainly lead us to approahes like proof arrying ode [11] or dynami typing [7]. We also plan to onsider the studies about transations in the ontext of Petri nets [1], to apply them to killing of slaves in our model, whih are learly transations, though we do not treat them expliitly as suh in the open implementation with identifiers. Another diretion for future work is that of extending the basi model with other features, suh as allowing unbounded apaities for some omponentes (e.g., users), other auses of death, or a finer treatment of loalities. In [15] we presented a tool for the verifiation of MSPN system, based on rewriting logi. We are urrently extending this prototype to make it ope with the primitives presented in this paper, so that it automatially performs the translations we have desribed in the paper and hek the properties that we have proved to be deidable using those translations. Referenes [1] R. Bruni and U.Montanari. Exeuting Transations in ZeroSafe Nets. 21st Int. Conf. on Appliation and Theory of Petri Nets, ICATPN 00. LNCS vol. 1825, pp SpringerVerlag, 2000.
18 18 [2] M. Carbone, M. Nielsen and V. Sassone. A Calulus for Trust Management. 24th Int. Conf. on Foundations of Software Tehnology and Theoretial Computer Siene, FSTTCS 04. LNCS vol. 3328, pp SpringerVerlag, [3] J. Desel and W. Reisig, Plae/Transition Petri Nets. Letures on Petri Nets I: Basi Models, LNCS vol. 1491, pp SpringerVerlag, [4] J. Esparza and M. Nielsen. Deidability issues for Petri Nets  a survey. Bulletin of the EATCS 52: (1994). [5] D. Frutos Esrig, O. Marroquín Alonso and F. Rosa Velardo. Ubiquitous Systems and Petri Nets. Ubiquitous Web Systems and Intelligene, LNCS vol Springer Verlag, [6] A. Gordon. Notes on Nominal Caluli for Seurity and Mobility. Foundations of Seurity Analysis and Design,FOSAD 00. LNCS vol.2171, pp Springer,2001. [7] M. Hennessy and J. Riely. Resoure Aess Control in Systems of Mobile Agents. HighLevel Conurrent Languages, HLCL 98. ENTCS 16:3 17. Elsevier, [8] K. Jensen. Coloured Petri Nets. Basi Conepts, Analysis Methods and Pratial Use.. Volume 1, Basi Conepts. Monographs in Theoretial Computer Siene, Springer, [9] R. Milner, J. Parrow and D. Walker. A alulus of mobile proesses I. Information and Computation 100(1):1 40. Aademi Press In., [10] R. Milner. Theories for the Global Ubiquitous Computer. Foundations of Software Siene and Computation StruturesFoSSaCS 2004, LNCS vol.2987, pp SpringerVerlag, [11] G.C. Neula and P. Lee. Safe, Untrusted Agents Using ProofCarrying Code. Mobile Agents and Seurity. LNCS vol. 1419, pp Springer, [12] G.G. Rihard. Servie Advertisement and Disovery: Enabling Universal Devie Cooperation. IEEE Internet Computing arhive 4(5): IEEE Eduational Ativities Department, [13] F. Rosa Velardo, O. Marroquín Alonso and D. Frutos Esrig. Mobile Synhronizing Petri Nets: a horeographi approah for oordination in Ubiquitous Systems. In 1st Int. Workshop on Methods and Tools for Coordinating Conurrent, Distributed and Mobile Systems, MTCoord 05. ENTCS, 150. [14] F. Rosa Velardo, D. Frutos Esrig and O. Marroquín Alonso. On the expressiveness of Mobile Synhronizing Petri Nets. In 3rd International Workshop on Seurity Issues in Conurreny, SeCo 05. ENTCS (to appear). [15] F. RosaVelardo. Coding Mobile Synhronizing Petri Nets into Rewriting Logi. 7th Int. Workshop on Rulebased Programming, RULE 06. ENTCS (to appear). [16] F. RosaVelardo, and D. FrutosEsrig. Symboli Semantis for the Veriation of Seurity Properties of Mobile Petri Nets. 4th Int. Symposium on Automated Tehnology for Verifiation and Analysis, ATVA 06. LNCS vol. 4218, pp Springer, [17] F. Stajano and R.J. Anderson. The Resurreting Dukling: Seurity Issues for Adho Wireless Networks. 7th Int. Workshop on Seurity Protools. LNCS vol. 1796, pp Springer, [18] F. Stajano. Seurity for Ubiquitous Computing. Wiley Series in Communiations Networking & Distributed Systems. John Wiley & Sons, [19] R. Want. Enabling Ubiquitous Sensing with RFID. Computer vol.37(4), pp IEEE Computer Soiety Press, [20] M. Weiser. Some Computer Siene Issues in Ubiquitous Computing. Comm. of the ACM vol.36(7), pp ACM Press, [21] M. Weiser. The Computer for the 21st Century. In Humanomputer Interation: Toward the Year 2000, pp Morgan Kaufmann Publishers In, 1995.
A Holistic Method for Selecting Web Services in Design of Composite Applications
A Holisti Method for Seleting Web Servies in Design of Composite Appliations Mārtiņš Bonders, Jānis Grabis Institute of Information Tehnology, Riga Tehnial University, 1 Kalu Street, Riga, LV 1658, Latvia,
More informationSebastián Bravo López
Transfinite Turing mahines Sebastián Bravo López 1 Introdution With the rise of omputers with high omputational power the idea of developing more powerful models of omputation has appeared. Suppose that
More informationOpen and Extensible Business Process Simulator
UNIVERSITY OF TARTU FACULTY OF MATHEMATICS AND COMPUTER SCIENCE Institute of Computer Siene Karl Blum Open and Extensible Business Proess Simulator Master Thesis (30 EAP) Supervisors: Luiano GaríaBañuelos,
More informationComputer Networks Framing
Computer Networks Framing Saad Mneimneh Computer Siene Hunter College of CUNY New York Introdution Who framed Roger rabbit? A detetive, a woman, and a rabbit in a network of trouble We will skip the physial
More information' R ATIONAL. :::~i:. :'.:::::: RETENTION ':: Compliance with the way you work PRODUCT BRIEF
' R :::i:. ATIONAL :'.:::::: RETENTION ':: Compliane with the way you work, PRODUCT BRIEF Inplae Management of Unstrutured Data The explosion of unstrutured data ombined with new laws and regulations
More informationGranular Problem Solving and Software Engineering
Granular Problem Solving and Software Engineering Haibin Zhu, Senior Member, IEEE Department of Computer Siene and Mathematis, Nipissing University, 100 College Drive, North Bay, Ontario, P1B 8L7, Canada
More informationA ContextAware Preference Database System
J. PERVASIVE COMPUT. & COMM. (), MARCH 005. TROUBADOR PUBLISHING LTD) A ContextAware Preferene Database System Kostas Stefanidis Department of Computer Siene, University of Ioannina,, kstef@s.uoi.gr Evaggelia
More informationInformation Security 201
FAS Information Seurity 201 Desktop Referene Guide Introdution Harvard University is ommitted to proteting information resoures that are ritial to its aademi and researh mission. Harvard is equally ommitted
More informationChannel Assignment Strategies for Cellular Phone Systems
Channel Assignment Strategies for Cellular Phone Systems Wei Liu Yiping Han Hang Yu Zhejiang University Hangzhou, P. R. China Contat: wliu5@ie.uhk.edu.hk 000 Mathematial Contest in Modeling (MCM) Meritorious
More informationSOFTWARE ENGINEERING I
SOFTWARE ENGINEERING I CS 10 Catalog Desription PREREQUISITE: CS 21. Introdution to the systems development life yle, software development models, analysis and design tehniques and tools, and validation
More informationUNIVERSITY AND WORKSTUDY EMPLOYERS WEB SITE USER S GUIDE
UNIVERSITY AND WORKSTUDY EMPLOYERS WEB SITE USER S GUIDE September 8, 2009 Table of Contents 1 Home 2 University 3 Your 4 Add 5 Managing 6 How 7 Viewing 8 Closing 9 Reposting Page 1 and WorkStudy Employers
More informationFrom a strategic view to an engineering view in a digital enterprise
Digital Enterprise Design & Management 2013 February 1112, 2013 Paris From a strategi view to an engineering view in a digital enterprise The ase of a multiountry Telo Hervé Paault Orange Abstrat In
More informationDeadlinebased Escalation in ProcessAware Information Systems
Deadlinebased Esalation in ProessAware Information Systems Wil M.P. van der Aalst 1,2, Mihael Rosemann 2, Marlon Dumas 2 1 Department of Tehnology Management Eindhoven University of Tehnology, The Netherlands
More informationSupply chain coordination; A Game Theory approach
aepted for publiation in the journal "Engineering Appliations of Artifiial Intelligene" 2008 upply hain oordination; A Game Theory approah JeanClaude Hennet x and Yasemin Arda xx x LI CNRUMR 668 Université
More informationTable of Contents. Appendix II Application Checklist. Export Finance Program Working Capital Financing...7
Export Finane Program Guidelines Table of Contents Setion I General...........................................................1 A. Introdution............................................................1
More informationStatic Fairness Criteria in Telecommunications
Teknillinen Korkeakoulu ERIKOISTYÖ Teknillisen fysiikan koulutusohjelma 92002 Mat208 Sovelletun matematiikan erikoistyöt Stati Fairness Criteria in Teleommuniations Vesa Timonen, email: vesatimonen@hutfi
More informationExploiting Relative Addressing and Virtual Overlays in Ad Hoc Networks with Bandwidth and Processing Constraints
Exploiting Relative Addressing and Virtual Overlays in Ad Ho Networks with Bandwidth and Proessing Constraints Maro Aurélio Spohn Computer Siene Department University of California at Santa Cruz Santa
More informationChapter 1 Microeconomics of Consumer Theory
Chapter 1 Miroeonomis of Consumer Theory The two broad ategories of deisionmakers in an eonomy are onsumers and firms. Eah individual in eah of these groups makes its deisions in order to ahieve some
More informationWORKFLOW CONTROLFLOW PATTERNS A Revised View
WORKFLOW CONTROLFLOW PATTERNS A Revised View Nik Russell 1, Arthur H.M. ter Hofstede 1, 1 BPM Group, Queensland University of Tehnology GPO Box 2434, Brisbane QLD 4001, Australia {n.russell,a.terhofstede}@qut.edu.au
More informationState of Maryland Participation Agreement for PreTax and Roth Retirement Savings Accounts
State of Maryland Partiipation Agreement for PreTax and Roth Retirement Savings Aounts DC4531 (08/2015) For help, please all 18009666355 www.marylandd.om 1 Things to Remember Complete all of the setions
More informationIEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 9, NO. 3, MAY/JUNE 2012 401
IEEE TRASACTIOS O DEPEDABLE AD SECURE COMPUTIG, VOL. 9, O. 3, MAY/JUE 2012 401 Mitigating Distributed Denial of Servie Attaks in Multiparty Appliations in the Presene of Clok Drifts Zhang Fu, Marina Papatriantafilou,
More informationHierarchical Clustering and Sampling Techniques for Network Monitoring
S. Sindhuja Hierarhial Clustering and Sampling Tehniques for etwork Monitoring S. Sindhuja ME ABSTRACT: etwork monitoring appliations are used to monitor network traffi flows. Clustering tehniques are
More informationAn Enhanced Critical Path Method for Multiple Resource Constraints
An Enhaned Critial Path Method for Multiple Resoure Constraints ChangPin Lin, HungLin Tai, and ShihYan Hu Abstrat Traditional Critial Path Method onsiders only logial dependenies between related ativities
More informationRetirement Option Election Form with Partial Lump Sum Payment
Offie of the New York State Comptroller New York State and Loal Retirement System Employees Retirement System Polie and Fire Retirement System 110 State Street, Albany, New York 122440001 Retirement Option
More informationPROCEEDS OF CRIME (BUSINESS IN THE REGULATED SECTOR) ORDER 2015
Proeeds of Crime (Business in the Regulated Setor) Order 2015 Artile 1 Statutory Doument No. 2015/0073 Proeeds of Crime At 2008 PROCEEDS OF CRIME (BUSINESS IN THE REGULATED SECTOR) ORDER 2015 Approved
More informationHenley Business School at Univ of Reading. PreExperience Postgraduate Programmes Chartered Institute of Personnel and Development (CIPD)
MS in International Human Resoure Management For students entering in 2012/3 Awarding Institution: Teahing Institution: Relevant QAA subjet Benhmarking group(s): Faulty: Programme length: Date of speifiation:
More informationImproved SOMBased HighDimensional Data Visualization Algorithm
Computer and Information Siene; Vol. 5, No. 4; 2012 ISSN 19138989 EISSN 19138997 Published by Canadian Center of Siene and Eduation Improved SOMBased HighDimensional Data Visualization Algorithm Wang
More informationClassical Electromagnetic Doppler Effect Redefined. Copyright 2014 Joseph A. Rybczyk
Classial Eletromagneti Doppler Effet Redefined Copyright 04 Joseph A. Rybzyk Abstrat The lassial Doppler Effet formula for eletromagneti waves is redefined to agree with the fundamental sientifi priniples
More informationINCOME TAX WITHHOLDING GUIDE FOR EMPLOYERS
Virginia Department of Taxation INCOME TAX WITHHOLDING GUIDE FOR EMPLOYERS www.tax.virginia.gov 2614086 Rev. 07/14 * Table of Contents Introdution... 1 Important... 1 Where to Get Assistane... 1 Online
More informationPerformance Analysis of IEEE 802.11 in Multihop Wireless Networks
Performane Analysis of IEEE 80.11 in Multihop Wireless Networks Lan Tien Nguyen 1, Razvan Beuran,1, Yoihi Shinoda 1, 1 Japan Advaned Institute of Siene and Tehnology, 11 Asahidai, Nomi, Ishikawa, 9319
More informationCustomer Efficiency, Channel Usage and Firm Performance in Retail Banking
Customer Effiieny, Channel Usage and Firm Performane in Retail Banking Mei Xue Operations and Strategi Management Department The Wallae E. Carroll Shool of Management Boston College 350 Fulton Hall, 140
More informationSoftware Ecosystems: From Software Product Management to Software Platform Management
Software Eosystems: From Software Produt Management to Software Platform Management Slinger Jansen, Stef Peeters, and Sjaak Brinkkemper Department of Information and Computing Sienes Utreht University,
More informationcomputer science Program Educational Objectives
omputer siene bahelor of siene minor ertifiates: managing information on the world wide web master of siene in omputer siene master of siene in software engineering advaned ertifiate programs: bioinformatis
More informationThe Basics of International Trade: A Classroom Experiment
The Basis of International Trade: A Classroom Experiment Alberto Isgut, Ganesan Ravishanker, and Tanya Rosenblat * Wesleyan University Abstrat We introdue a simple webbased lassroom experiment in whih
More informationSUDOKU: Secure and Usable Deployment of Keys on Wireless Sensors
SUDOKU: Seure and Usable Deployment of Keys on Wireless Sensors Matthias Wilhelm, Ivan Martinovi, Ersin Uzun, and Jens B. Shmitt diso Distributed Computer Systems Lab, TU Kaiserslautern, Germany {wilhelm,
More informationBoard Building Recruiting and Developing Effective Board Members for NotforProfit Organizations
Board Development Board Building Reruiting and Developing Effetive Board Members for NotforProfit Organizations Board Development Board Building Reruiting and Developing Effetive Board Members for NotforProfit
More informationAUDITING COST OVERRUN CLAIMS *
AUDITING COST OVERRUN CLAIMS * David PérezCastrillo # University of Copenhagen & Universitat Autònoma de Barelona Niolas Riedinger ENSAE, Paris Abstrat: We onsider a ostreimbursement or a ostsharing
More information3 Game Theory: Basic Concepts
3 Game Theory: Basi Conepts Eah disipline of the soial sienes rules omfortably ithin its on hosen domain: : : so long as it stays largely oblivious of the others. Edard O. Wilson (1998):191 3.1 and and
More informationIn this chapter, we ll see state diagrams, an example of a different way to use directed graphs.
Chapter 19 State Diagrams In this hapter, we ll see state diagrams, an example of a different way to use direted graphs. 19.1 Introdution State diagrams are a type of direted graph, in whih the graph nodes
More informationTrade Information, Not Spectrum: A Novel TV White Space Information Market Model
Trade Information, Not Spetrum: A Novel TV White Spae Information Market Model Yuan Luo, Lin Gao, and Jianwei Huang 1 Abstrat In this paper, we propose a novel information market for TV white spae networks,
More informationBehavior AnalysisBased Learning Framework for Host Level Intrusion Detection
Behavior AnalysisBased Learning Framework for Host Level Intrusion Detetion Haiyan Qiao, Jianfeng Peng, Chuan Feng, Jerzy W. Rozenblit Eletrial and Computer Engineering Department University of Arizona
More informationCIS570 Lecture 4 Introduction to Dataflow Analysis 3
Introdution to Dataflow Analysis Last Time Control flow analysis BT disussion Today Introdue iterative dataflow analysis Liveness analysis Introdue other useful onepts CIS570 Leture 4 Introdution to
More informationBENEFICIARY CHANGE REQUEST
Poliy/Certifiate Number(s) BENEFICIARY CHANGE REQUEST *L2402* *L2402* Setion 1: Insured First Name Middle Name Last Name Permanent Address: City, State, Zip Code Please hek if you would like the address
More informationUsing Live Chat in your Call Centre
Using Live Chat in your Call Centre Otober Key Highlights Yesterday's all entres have beome today's ontat entres where agents deal with multiple queries from multiple hannels. Live Chat hat is one now
More informationPicture This: Molecular Maya Puts Life in Life Science Animations
Piture This: Moleular Maya Puts Life in Life Siene Animations [ Data Visualization ] Based on the Autodesk platform, Digizyme plugin proves aestheti and eduational effetiveness. BY KEVIN DAVIES In 2010,
More informationprotection p1ann1ng report
f1re~~ protetion p1ann1ng report BUILDING CONSTRUCTION INFORMATION FROM THE CONCRETE AND MASONRY INDUSTRIES Signifiane of Fire Ratings for Building Constrution NO. 3 OF A SERIES The use of fireresistive
More informationA Keyword Filters Method for Spam via Maximum Independent Sets
Vol. 7, No. 3, May, 213 A Keyword Filters Method for Spam via Maximum Independent Sets HaiLong Wang 1, FanJun Meng 1, HaiPeng Jia 2, JinHong Cheng 3 and Jiong Xie 3 1 Inner Mongolia Normal University 2
More informationINCOME TAX WITHHOLDING GUIDE FOR EMPLOYERS
Virginia Department of Taxation INCOME TAX WITHHOLDING GUIDE FOR EMPLOYERS www.tax.virginia.gov 2614086 Rev. 01/16 Table of Contents Introdution... 1 Important... 1 Where to Get Assistane... 1 Online File
More informationCustomer Reporting for SaaS Applications. Domain Basics. Managing my Domain
Produtivity Marketpla e Software as a Servie Invoiing Ordering Domains Customer Reporting for SaaS Appliations Domain Basis Managing my Domain Managing Domains Helpful Resoures Managing my Domain If you
More informationParametric model of IPnetworks in the form of colored Petri net
Parametri model of IPnetworks in the form of olored Petri net Shmeleva T.R. Abstrat A parametri model of IPnetworks in the form of olored Petri net was developed; it onsists of a fixed number of Petri
More informationFIRE DETECTION USING AUTONOMOUS AERIAL VEHICLES WITH INFRARED AND VISUAL CAMERAS. J. Ramiro Martínezde Dios, Luis Merino and Aníbal Ollero
FE DETECTION USING AUTONOMOUS AERIAL VEHICLES WITH INFRARED AND VISUAL CAMERAS. J. Ramiro Martínezde Dios, Luis Merino and Aníbal Ollero Robotis, Computer Vision and Intelligent Control Group. University
More informationResearch Data Management ANONYMISATION
ANONYMISATION Sensitive Data Sensitive Data is information overing: The raial or ethni origin of the Data Subjet Politial opinions Religious or other beliefs of a similar nature Membership of trade unions
More informationUnit 12: Installing, Configuring and Administering Microsoft Server
Unit 12: Installing, Configuring and Administering Mirosoft Server Learning Outomes A andidate following a programme of learning leading to this unit will be able to: Selet a suitable NOS to install for
More informationOpenScape 4000 CSTA V7 Connectivity Adapter  CSTA III, Part 2, Version 4.1. Developer s Guide A31003G9310I200176D1
OpenSape 4000 CSTA V7 Connetivity Adapter  CSTA III, Part 2, Version 4.1 Developer s Guide A31003G9310I200176 Our Quality and Environmental Management Systems are implemented aording to the requirements
More informationEE 201 ELECTRIC CIRCUITS LECTURE 25. Natural, Forced and Complete Responses of First Order Circuits
EE 201 EECTRIC CIUITS ECTURE 25 The material overed in this leture will be as follows: Natural, Fored and Complete Responses of First Order Ciruits Step Response of First Order Ciruits Step Response of
More informationComputational Analysis of Two Arrangements of a Central GroundSource Heat Pump System for Residential Buildings
Computational Analysis of Two Arrangements of a Central GroundSoure Heat Pump System for Residential Buildings Abstrat Ehab Foda, Ala Hasan, Kai Sirén Helsinki University of Tehnology, HVAC Tehnology,
More informationTECHNOLOGYENHANCED LEARNING FOR MUSIC WITH IMAESTRO FRAMEWORK AND TOOLS
TECHNOLOGYENHANCED LEARNING FOR MUSIC WITH IMAESTRO FRAMEWORK AND TOOLS ICSRiM  University of Leeds Shool of Computing & Shool of Musi Leeds LS2 9JT, UK +441133432583 kia@imaestro.org www.imaestro.org,
More informationCooperative Search and Nogood Recording
Cooperative Searh and Nogood Reording Cyril Terrioux LSS  Equipe NCA (LM) 39 rue JoliotCurie F1343 Marseille Cedex 13 (Frane) email: terrioux@limunivmrsfr Abstrat Within the framework of onstraint
More informationHenley Business School at Univ of Reading. Chartered Institute of Personnel and Development (CIPD)
MS in International Human Resoure Management (fulltime) For students entering in 2015/6 Awarding Institution: Teahing Institution: Relevant QAA subjet Benhmarking group(s): Faulty: Programme length: Date
More informationElectronic signatures in German, French and Polish law perspective
Artile Eletroni signatures in German, Frenh and Polish law perspetive DR CHRISTIANE BIEREKOVEN, PHILIP BAZIN AND TOMASZ KOZLOWSKI This artile presents some signifiant issues on the reognition of eletroni
More informationA Design Environment for Migrating Relational to Object Oriented Database Systems
To appear in: 1996 International Conferene on Software Maintenane (ICSM 96); IEEE Computer Soiety, 1996 A Design Environment for Migrating Relational to Objet Oriented Database Systems Jens Jahnke, Wilhelm
More informationLearning Curves and Stochastic Models for Pricing and Provisioning Cloud Computing Services
T Learning Curves and Stohasti Models for Priing and Provisioning Cloud Computing Servies Amit Gera, Cathy H. Xia Dept. of Integrated Systems Engineering Ohio State University, Columbus, OH 4310 {gera.,
More informationA Survey of Usability Evaluation in Virtual Environments: Classi cation and Comparison of Methods
Doug A. Bowman bowman@vt.edu Department of Computer Siene Virginia Teh Joseph L. Gabbard Deborah Hix [ jgabbard, hix]@vt.edu Systems Researh Center Virginia Teh A Survey of Usability Evaluation in Virtual
More informationarxiv:astroph/0304006v2 10 Jun 2003 Theory Group, MS 50A5101 Lawrence Berkeley National Laboratory One Cyclotron Road Berkeley, CA 94720 USA
LBNL52402 Marh 2003 On the Speed of Gravity and the v/ Corretions to the Shapiro Time Delay Stuart Samuel 1 arxiv:astroph/0304006v2 10 Jun 2003 Theory Group, MS 50A5101 Lawrene Berkeley National Laboratory
More informationi e AT 3 of 2014 FOREIGN COMPANIES ACT 2014
i e AT 3 of 2014 FOREIGN COMPANIES ACT 2014 Foreign Companies At 2014 Index i e FOREIGN COMPANIES ACT 2014 Index Setion Page PART 1 OPENING PROVISIONS 5 1 Short title... 5 2 Commenement... 5 3 Interpretation...
More informationAgile ALM White Paper: Redefining ALM with Five Key Practices
Agile ALM White Paper: Redefining ALM with Five Key Praties by Ethan Teng, Cyndi Mithell and Chad Wathington 2011 ThoughtWorks ln. All rights reserved www.studios.thoughtworks.om Introdution The pervasiveness
More informationchapter > Make the Connection Factoring CHAPTER 4 OUTLINE Chapter 4 :: Pretest 374
CHAPTER hapter 4 > Make the Connetion 4 INTRODUCTION Developing seret odes is big business beause of the widespread use of omputers and the Internet. Corporations all over the world sell enryption systems
More informationINTELLIGENCE IN SWITCHED AND PACKET NETWORKS
2224 Setember, Sozool, ULGRI INTELLIGENCE IN SWITCHED ND PCKET NETWORKS Ivaylo Ivanov tanasov Deartment of teleommuniations, Tehnial University of Sofia, 7 Kliment Ohridski st., 1000, hone: +359 2 965
More informationThe D.C. Long Term Disability Insurance Plan Exclusively for NBAC members Issued by The Prudential Insurance Company of America (Prudential)
Plan Basis The D.C. Long Term Disability Insurane Plan Exlusively for NBAC members Issued by The Prudential Insurane Company of Ameria (Prudential) What does it over? The D.C. Long Term Disability Insurane
More informationIntelligent Measurement Processes in 3D Optical Metrology: Producing More Accurate Point Clouds
Intelligent Measurement Proesses in 3D Optial Metrology: Produing More Aurate Point Clouds Charles Mony, Ph.D. 1 President Creaform in. mony@reaform3d.om Daniel Brown, Eng. 1 Produt Manager Creaform in.
More informationInteractionDriven Virtual Reality Application Design
Nar s Parés npares@iua.upf.es Ro Parés rpares@iua.upf.es Audiovisual Institute, Universitat Pompeu Fabra, Pg. Cirumval. laió, 8 08003 Barelona, Spain www.iua.upf.es/, gvirtual InterationDriven Virtual
More informationAn integrated optimization model of a Closed Loop Supply Chain under uncertainty
ISSN 18166075 (Print), 18180523 (Online) Journal of System and Management Sienes Vol. 2 (2012) No. 3, pp. 917 An integrated optimization model of a Closed Loop Supply Chain under unertainty Xiaoxia
More informationF220 Series. Installation Instructions. Photoelectric Smoke/Heat Detectors
F0 Series EN Installation Instrutions Photoeletri Smoke/Heat Detetors F0 Series Installation Instrutions.0 General Information EN.0 General Information. F0B6 Series Bases Use with the F0 Series Heat and
More information) ( )( ) ( ) ( )( ) ( ) ( ) (1)
OPEN CHANNEL FLOW Open hannel flow is haraterized by a surfae in ontat with a gas phase, allowing the fluid to take on shapes and undergo behavior that is impossible in a pipe or other filled onduit. Examples
More informationFindings and Recommendations
Contrating Methods and Administration Findings and Reommendations Finding 91 ESD did not utilize a formal written prequalifiations proess for seleting experiened design onsultants. ESD hose onsultants
More informationA novel active mass damper for vibration control of bridges
IABMAS 08, International Conferene on Bridge Maintenane, Safety and Management, 37 July 008, Seoul, Korea A novel ative mass damper for vibration ontrol of bridges U. Starossek & J. Sheller Strutural
More informationi_~f e 1 then e 2 else e 3
A PROCEDURE MECHANISM FOR BACKTRACK PROGRAMMING* David R. HANSON + Department o Computer Siene, The University of Arizona Tuson, Arizona 85721 One of the diffiulties in using nondeterministi algorithms
More informationBUSINESS PRACTICE BULLETIN The School Board of Broward County, Florida
PAGE: 1 OF 16 (ECE) GUIDELINES FOR INFANT, TODDLER AND PREK PROGRAMS TOPICS IN BULLETIN: I. GENERAL INFORMATION II. CRITERIA FOR OPENING PROGRAM III. ACCOUNTING AND FINANCIAL MANAGEMENT IV. OPERATIONAL
More informationFOOD FOR THOUGHT Topical Insights from our Subject Matter Experts
FOOD FOR THOUGHT Topial Insights from our Sujet Matter Experts DEGREE OF DIFFERENCE TESTING: AN ALTERNATIVE TO TRADITIONAL APPROACHES The NFL White Paper Series Volume 14, June 2014 Overview Differene
More informationNeural networkbased Load Balancing and Reactive Power Control by Static VAR Compensator
nternational Journal of Computer and Eletrial Engineering, Vol. 1, No. 1, April 2009 Neural networkbased Load Balaning and Reative Power Control by Stati VAR Compensator smail K. Said and Marouf Pirouti
More informationChapter 5 Single Phase Systems
Chapter 5 Single Phase Systems Chemial engineering alulations rely heavily on the availability of physial properties of materials. There are three ommon methods used to find these properties. These inlude
More informationWireless Networking Guide 2007 www.lexmark.com
Wireless Networking Guide 2007 www.lexmark.om P/N 13L0828 E.C. 3L0101 Contents Installing the printer on a wireless network...4 Wireless network ompatiility...4 Information you will need to set up the
More informationTraitor Tracing Schemes for Protected Software Implementations
Published in S. Katzenbeisser and A.R. Sadeghi, Eds, 11th ACM Workshop on Digital Rights Management (ACM DRM 2011), pp. 1521, ACM Press, 2011. Traitor Traing Shemes for Proteted Software Implementations
More informationContextSensitive Adjustments of Cognitive Control: ConflictAdaptation Effects Are Modulated by Processing Demands of the Ongoing Task
Journal of Experimental Psyhology: Learning, Memory, and Cognition 2008, Vol. 34, No. 3, 712 718 Copyright 2008 by the Amerian Psyhologial Assoiation 02787393/08/$12.00 DOI: 10.1037/02787393.34.3.712
More informationSpecial Relativity and Linear Algebra
peial Relativity and Linear Algebra Corey Adams May 7, Introdution Before Einstein s publiation in 95 of his theory of speial relativity, the mathematial manipulations that were a produt of his theory
More informationChemical Equilibrium. Chemical Equilibrium. Chemical Equilibrium. Chemical Equilibriu m. Chapter 14
Chapter 14 Chemial Equilibrium Chemial Equilibriu m Muh like water in a Ushaped tube, there is onstant mixing bak and forth through the lower portion of the tube. reatants produts It s as if the forward
More informationTHE UNIVERSITY OF TEXAS AT ARLINGTON COLLEGE OF NURSING. NURS 6390004 Introduction to Genetics and Genomics SYLLABUS
THE UNIVERSITY OF TEXAS AT ARLINGTON COLLEGE OF NURSING NURS 6390004 Introdution to Genetis and Genomis SYLLABUS Summer Interession 2011 Classroom #: TBA and 119 (lab) The University of Texas at Arlington
More informationInstallation and operating instructions
Dryinstalled Sewage Pump Type ABS AFC 50/502046 15975180EN (04/2016) Installation and operating instrutions www.sulzer.om 2 Installation and Operating Instrutions (Original Instrutions) Dryinstalled
More informationFixedincome Securities Lecture 2: Basic Terminology and Concepts. Present value (fixed interest rate) Present value (fixed interest rate): the arb
Fixedinome Seurities Leture 2: Basi Terminology and Conepts Philip H. Dybvig Washington University in Saint Louis Various interest rates Present value (PV) and arbitrage Forward and spot interest rates
More informationIn order to be able to design beams, we need both moments and shears. 1. Moment a) From direct design method or equivalent frame method
BEAM DESIGN In order to be able to design beams, we need both moments and shears. 1. Moment a) From diret design method or equivalent frame method b) From loads applied diretly to beams inluding beam weight
More informationA ThreeHybrid Treatment Method of the Compressor's Characteristic Line in Performance Prediction of Power Systems
A ThreeHybrid Treatment Method of the Compressor's Charateristi Line in Performane Predition of Power Systems A ThreeHybrid Treatment Method of the Compressor's Charateristi Line in Performane Predition
More informationTHE PERFORMANCE OF TRANSIT TIME FLOWMETERS IN HEATED GAS MIXTURES
Proeedings of FEDSM 98 998 ASME Fluids Engineering Division Summer Meeting June 225, 998 Washington DC FEDSM98529 THE PERFORMANCE OF TRANSIT TIME FLOWMETERS IN HEATED GAS MIXTURES John D. Wright Proess
More informationTo the Graduate Council:
o the Graduate Counil: I am submitting herewith a dissertation written by Yan Xu entitled A Generalized Instantaneous Nonative Power heory for Parallel Nonative Power Compensation. I have examined the
More informationOptimal Allocation of Filters against DDoS Attacks
Optimal Alloation of Filters against DDoS Attaks Karim El Defrawy ICS Dept. University of California, Irvine Email: keldefra@ui.edu Athina Markopoulou EECS Dept. University of California, Irvine Email:
More informationOptimal Sales Force Compensation
Optimal Sales Fore Compensation Matthias Kräkel Anja Shöttner Abstrat We analyze a dynami moralhazard model to derive optimal sales fore ompensation plans without imposing any ad ho restritions on the
More informationAsymmetric Error Correction and FlashMemory Rewriting using Polar Codes
1 Asymmetri Error Corretion and FlashMemory Rewriting using Polar Codes Eyal En Gad, Yue Li, Joerg Kliewer, Mihael Langberg, Anxiao (Andrew) Jiang and Jehoshua Bruk Abstrat We propose effiient oding shemes
More informationEMS Air Ambulance License Application Packet
EMS Air Ambulane Liense Appliation Paket Contents: 1. 530077... Contents List and Mailing Information...1 Page 2. 530078... Appliation Instrutions Cheklist...3 Pages 3. 530076... EMS Air Ambulane Liense
More information1.3 Complex Numbers; Quadratic Equations in the Complex Number System*
04 CHAPTER Equations and Inequalities Explaining Conepts: Disussion and Writing 7. Whih of the following pairs of equations are equivalent? Explain. x 2 9; x 3 (b) x 29; x 3 () x  2x  22 x  2 2 ; x
More informationTRENDS IN EXECUTIVE EDUCATION: TOWARDS A SYSTEMS APPROACH TO EXECUTIVE DEVELOPMENT PLANNING
INTERMAN 7 TRENDS IN EXECUTIVE EDUCATION: TOWARDS A SYSTEMS APPROACH TO EXECUTIVE DEVELOPMENT PLANNING by Douglas A. Ready, Albert A. Viere and Alan F. White RECEIVED 2 7 MAY 1393 International Labour
More information