Petri nets for the verification of Ubiquitous Systems with Transient Secure Association


 Randolf Casey
 1 years ago
 Views:
Transcription
1 Petri nets for the verifiation of Ubiquitous Systems with Transient Seure Assoiation Fernando RosaVelardo Tehnial Report 2/07 Dpto. de Sistemas Informátios y Computaión Universidad Complutense de Madrid Abstrat. Transient Seure Assoiation has been widely aepted as a possible alternative to traditional authentiation in the ontext of Ubiquitous Computing. In this paper we develop a formal model for the Resurreting Dukling Poliy that implements it. Our model, that we all TSA systems, is based on Petri Nets, thus obtaining an amenable graphial representation of our systems. We prove that TSA speifiations have the same expressive power as P/T nets, so that overability, that an be used to speify seurity properties in this setting, is deidable for TSA systems. Then we address the problem of implementing TSA systems with a lower level model that only relies on the seure exhange of seret keys. We prove that if we view these systems as losed systems then our implementation is still equivalent to P/T nets. However, if we onsider an open framework then we need a mehanism of fresh name reation to get a orret implementation. This last model is not equivalent to P/T nets, but the overability problem is still deidable for them, even in an open setting, so that heking the seurity properties of the represented systems remains deidable. 1 Introdution The term Ubiquitous Computing was oined by Mark Weiser [21] to desribe environments full of devies that ompute and ommuniate with its surrounding ontext and, furthermore, interat with it in a highly distributed but pervasive way [20]. This omputing paradigm gives rise to a great deal of new situations that produe new problems, in the ontext of mobility, oordination and seurity, among others. For a survey of the hallenges posed by Ubiquitous Computing see [10]. As mentioned above, the new framework of ubiquitous omputing affets traditional seurity assumptions. Authentiation is probably the major seurity problem for ubiquitous systems, sine it is a preondition for other properties Work partially supported by the Spanish projets MIDAS TIC , MAS TER TIC C0201 and PROMESASCAM S0505/TIC/0407.
2 2 as onfidentiality or integrity. But in this new ontext, we an no longer rely on an always online poliy, due to the unreliable nature of ad ho nets. Thus, we annot approah the problem of authentiation by assuming the existene of an online server that verifies in real time the (global) identity of prinipals, nor the existene of publi key repositories. In order to solve this problem, several weak forms of authentiation that substitute global identitybased authentiation have been proposed. One of the proposals is that of Transient Seure Assoiation, implemented by the Resurreting Dukling Poliy [18]. This poliy is based on the fat that sometimes a prinipal may not know anything at all about some onrete devie (e.g., when a user has just bought a PDA), but still it wants to be the only one to use it (e.g., beause she is the first one who gets to push the button). In this ase, even if they have no prior knowledge of eah other, they an still beome assoiated, so that from then on they share an asymmetri relation, one being a slave and the other beoming its master. Other proposals are based on the notion of trust [2], though we will not onsider them here. Another issue of great importane in the field of ubiquitous omputing is that of Coordination. Indeed, inherent to ubiquitous omputing is the ontinuous hange of state of the different omponents that form a system, that need to oordinate to ahieve their goals. This fat, together with the unreliable nature of ad ho nets and the heterogeneity of the omponents make the orhestration approah unrealisti and little robust, so that a horeographi oordination is more advisable in this setting. Therefore, a key tehnology is servie disovery, whih nowadays is based on a heavy standardization [12] (as in Sun s Jini or in Mirosoft s UPnP). In this paper we develop a formal model for horeographi oordination in ubiquitous systems, with primitives implementing the resurreting dukling poliy. The model, alled TSA, is based on Petri nets [3]. By using Petri Nets we obtain an amenable graphial representation of our systems, together with a number of theoretial results for their analysis, whih would not hold in other more expressive models. In partiular, we will prove that TSA speifiations an be seen as a syntati sugar formalism for P/T nets. Moreover, we will see that we an implement TSA systems by means of Mobile Synhronizing Petri Nets, whih an be seen as a lass of Coloured Petri Nets [8] with a single olour of pure names [6], and syntati sugar for mobility, exept for the fat that they an reate fresh names, in a way borrowed from πalulus [9]. We have proved several useful deidability results for them, whih are inherited by TSA systems, even though TSA systems may represent infinite state systems. In partiular, deidability of overability in MSPN system implies that all the properties of TSA systems whih an be stated in terms of overability are deidable. The remainder of the paper is organized as follows. Setion 2 gives an overview of the Resurreting Dukling poliy. In Setion 3 we define our model for Transient Seure Assoiation. Setion 4 presents a simple example. In Setion 5 we prove the simulation results and, finally, in Setion 6 we present our onlusions and diretions for further work.
3 3 imprint dead alive kill Fig. 1. The resurreting dukling poliy 2 The Resurreting Dukling poliy Let us briefly desribe Transient Seure assoiation and the Resurreting Dukling seurity poliy model. Transient seure assoiation is about reating a link between two omponents, that establishes a masterslave relationship (typially between a ontroller and a peripheral). This link needs to be seure, so that no other prinipal an play the role of either the master or the slave. This produes a tree topology of masterslave relationships between omponents. The assoiation must also be transient, in the sense that the topology an hange if desired (by the master) along the exeution of the system. The Resurreting Dukling poliy model implements transient seure assoiation with the following metaphor: A dukling that emerges from its egg reognizes as its mother the first moving objet that emits a sound. From then on, the dukling obeys its mother duk until its death. Similarly, a peripheral an reognize as its mother duk the first entity that sends it a seret key, alled imprinting key, whih it will use to reognize its master from then on. However, in order to make this assoiation transient, we assume that the dukling an die and resurret, and then it an reognize as its mother duk a different entity, to whih it will be faithful from that point on. The poliy an be desribed as a list of four priniples: 1. Two State priniple. Entities an be either imprintable (dead) or imprinted (alive). Imprintable entities an be imprinted by anyone and imprinted entities only obey their mother duk. 2. Imprinting priniple. The step from imprintable to imprinted is alled imprinting, and happens when an entity, from now on the mother duk, sends a key to the dukling (see Fig. 1). 3. Death priniple. The step from imprinted to imprintable is alled death (see Fig. 1). The default ause of death is the mother duk s order to its dukling to ommit seppuku 1, though other auses are envisaged, as death by old age or by ompletion of a task. 4. Assassination priniple. It must be uneonomial for an attaker to kill a dukling (to ause its death). 1 Traditional ritual suiide from Japanese samurai
4 4 3 TSA systems Our aim is to define a model for ubiquitous systems, that we all TSA, based on Petri Nets and with primitives implementing the Resurreting Dukling poliy. It will be a variation of the one developed in [5]. A TSA system is essentially a set of loalized nets that an move between loations and an imprint other nets, give orders to the nets they have previously imprinted, kill those nets, and being imprinted or reeive orders from its master when imprinted. In order to define our model we have to speify some of the aspets of the poliy that were not still ompletely preise. We assume that the different omponents of a system have a type, taken from a set O. We use a speial type O for the type of omponents that need not be imprinted to perform their potential behaviour (e.g., users). Components an be dead or alive. Top or imprinted omponents are alive, otherwise they are dead. Those alive omponents an imprint dead ones, thus reating an unique and asymmetrial link between them. By asymmetrial we mean that from then on the imprinted omponent beomes a slave of the other, doing everything its master orders to it. However, when exeuting its ode, the slave omponent an as well imprint other omponents, thus reating a hierarhial relation between omponents. Therefore, not only the omponent being killed beomes death, but also all of its slaves and so on, reursively. We assume that omponents an only be imprinted within a ertain range, that depends on the imprinting method being used (e.g., physial ontat [17]). We abstrat from those partiular methods and simply assume that the imprinting an take plae whenever both omponents are in the same loation. In partiular, we assume that the key exhange that takes plae when imprinting a omponent is done in a seure way. Besides, a omponent an only give orders to those slave omponents that are urrently oloated with it. Dually, a slave omponent an be killed by its owner only when they are oloated. Thus, we are implementing the default variant of the death priniple, in whih the death of the dukling is aused by the mother duk. Finally, we assume that the prinipals an only interat with eah other using the model s primitives, so that the assassination priniple of the poliy also holds, sine attakers annot kill any dukling in a way not established by the poliy. We will use the set L, a set of loation names. O is a set of omponent types, with a speial element O. We use a set S for the syntati primitives of the standard used for oordination and A to denote autonomous ations. A ontains among others the labels go k for every k L. We denote S? = {s? s S} and S! = {s! s S}. For m > 0, we denote by Labels(m) the set A S? m ({i} Labels Auth ), where Labels Auth = S! {imprint(o) o O \ { }} {kill}. Definition 1. A TSA omponent is a tuple N = (P N,T N,F N,λ N,o N ) suh that P N and T N are disjoint finite set of plaes and transitions, respetively, F N (P N T N ) (T N P N ), λ N : T N Labels(m) for some m > 0 and i=1
5 5 o N O. We say that N has type o N, that m is the apaity of N, and we denote by ap(n) the set {1,...,m}. A TSA omponent is a typedlabelled Petri net. The apaity of a omponent represents the number of slaves it an have simultaneously imprinted. Its type o is just a syntati ategory, whih an be intuitively understood as the type of devie it is (e.g., PDA, eletroni note,...), as the imprinting protool it uses when being imprinted or both simultaneously. The labelling of the transitions of the net establishes a partition in its transition set: Those transitions t with λ(t) A are autonomous transitions, that is, those that an be exeuted in an autonomous way, without needing to synhronize with others; If λ(t) S? the transition is used to reeive orders from their masters, when imprinted; Otherwise, we have that λ(t) {i} Labels(m). The set Labels(m) is the disjoint union of m idential sets Labels Auth, eah of them used to ommuniate with a different islave. If some net fires t with λ(t) = (i,imprint(o)) then some omponent of type o is heneforth a islave of it. If λ(t) = (i,s!) then the firing of t instruts the orresponding slave to perform ation s?. Finally, if λ(t) = (i,kill) then its islave is instruted to ommit seppuku. Next we introdue these onepts formally. As usual, given a transition t we will denote by t = {p (p,t) F }, the set of preonditions of t and by t = {p (t,p) F }, its set of postonditions. If ap(n) = {1} and λ(t) = (1, l) we will simply write λ(t) = l. Definition 2. A TSA system N is a set of pairwise disjoint TSA omponents. Intuitively, the nets N with o N = are omponents that need not be imprinted in order to exeute their ations. We will denote by P N the set of all plaes in N and by T N the set of all transitions in N, or just P and T when there is no onfusion. Next we define the part of the state of the system regarding the dependeny relations between its omponents. Definition 3. Given a TSA system N, a dependeny funtion of N is a partial mapping R : {(N,j) N N,j ap(n)} N. A dependeny funtion R indues a dependeny graph G(R) with set of nodes N and an ar from N to N labelled by j if R(N,j) = N, in whih ase we say that N is a jslave (or just a slave) of N in R. We will all direted tree to any direted graph in whih there is a node, that we all root of the tree, so that for every node in the graph there is a single path from the root to it. Therefore, a direted forest is a set of direted trees. Given two nodes s and s of a direted forest, we will say s is a desendant of s if there is a path in the forest from s to s. Moreover, given a set A we will denote by MS(A) the set of multisets with elements in A. Definition 4. A marking of a TSA N is a tuple M = (M,lo,R), where M MS(P N ), lo : N L and R is a dependeny funtion of N suh that:
6 6 G(R) is a direted forest, For every N N, if o N = then N is not a slave in R. Therefore, a marking is omposed by an ordinary marking for Petri nets, a funtion speifying the loality in whih eah omponent is present, and a dependeny funtion. We will say a omponent N is alive in R if o N = or it is a slave in R. Otherwise, we will say it is dead. The omponents N and N are oloated if lo(n) = lo(n ). Now let us define the behaviour of TSA systems. In general, only alive omponents an fire transitions. Next we define the firing of autonomous transitions, that are as ordinary transitions in P/T nets, that remove tokens from preondition and add them in postonditions, exept that they are restrited to alive omponents and an ause the movement of the exeuting net. We will denote by + and the multiset union and the multiset differene, respetively, to distinguish them from and \, the orresponding operations over sets. Definition 5. Let N be a TSA system, M = (M,lo,R) a marking of N, N an alive omponent in R, and t T N suh that λ(t) A. We say that t is enabled in M if t M. In that ase we say that t an be fired and then the marking (M,lo,R) is reahed, where: M = M t + t. If λ(t) = go k then lo (N) = k and lo (N) = lo(n) for every N N. Otherwise, lo = lo. Now we define the firing of imprinting transitions. The net firing any of them speifies the type it wants to imprint. Definition 6. Let N be a TSA system, M = (M,lo,R) a marking of N, N and N an alive and a dead omponent in R, respetively, both oloated, and t T N suh that λ(t) = (i,imprint(o N )). We say that t is enabled in M if t M (N,i) / Dom(R) Then t an be fired, to reah the marking (M,lo,R ), where M = M t + t and R extends R with R (N,i) = N. Therefore, the imprinted net must be dead in order to be imprinted, and of the type required by the imprinting omponent. Moreover, the imprinting net must not already have an islave net. Let us now define the transitions that represent orders from masters to slaves. Definition 7. Let N be a TSA system, M = (M,lo,R) a marking of N, N and N two oloated alive omponents suh that N is a islave of N in R. Let us also onsider t T N suh λ(t) = (i,s!) and t T N suh that λ(t ) = s?. We say that the pair of transitions (t,t ) is enabled in M if t t M. Then the pair (t,t ) an be fired, getting (M,lo,R) where M = M t t + t + t.
7 7 go inf go home kill home l imprint(ontr) go rest k hek l alarm! Fig. 2. Nurse Therefore, if N is an islave of N then N an give orders to N, whih is formalized by a synhronous firing of two transitions. Finally, let us define how a master an kill one of its slaves. Definition 8. Let N be a TSA system, M = (M,lo,R) a marking of N, N and N two oloated alive omponents suh that N is a islave of N, and t T N suh λ(t) = (i,kill). We say that t is enabled in M if t M. Then t an be fired, getting (M,lo,R ) where M = M t + t and R is the result of removing (N,i) from the domain of R, and removing (N,j) from the domain of R, for every N desendant of N in G(R) and every j. Therefore, all the omponents that depend of N are also indiretly killed. Notie that this is so even if those omponents are not oloated with N and N. Alternatively, we ould fore N to expliitly searh and kill its slaves, and so on, but this would not modify the potential behaviour of any of the so killed omponents. This is so beause these nets an perform two kind of ations: autonomous ations, that ould have been performed anyway before their death; and synhronizations with its master, whih will not happen after the seppuku order. We will use u,u,... to range over transitions or pairs of transitions. Thus, in any of the previous ases we will write M[u M if M is the result of firing u in M. Sine alive omponents annot be imprinted, and only alive omponents an imprint, whenever the dependeny graph is initially a direted forest, it remains so. Therefore, we have the following result. Proposition 1. If M is a marking of a TSA system N and M[u M then M is also a marking of N. Reahability for TSA systems is defined as expeted. We say a marking (M,lo,R) an be overed if there is a reahable marking (M,lo,R ) suh that M M, lo = lo, Dom(R) Dom(R ) and for every (N,i) Dom(R), R(N,i) = R (N,i). The overability problem onsists on deiding if a given marking an be overed.
8 8 inf go (1, good!) k go k 1 l (1, imprint(th)) (1, bad! alarm! k go rest l (2, bad!) go k 2 (2, imprint(th)) go (2, good!) Fig. 3. Thermometer ontroller 4 An appliation example In this setion we present a simple appliation example to illustrate the definitions in the previous setion. Let us onsider a senario with several patients in two rooms of a hospital, alled k 1 and k 2. Eah of the patients has an eletroni thermometer [19] that reads the temperature every one in a while, and willing to send (e.g., using RFID) a message stating whether everything is all right or not. We assume that these thermometers are inative (that is, dead aording to our terminology), exept when a thermometer ontroller takes over them. Intuitively, we assume that every room has one of these ontrollers, that reads the messages output by thermometers, and sends an alarm message to a nurse whenever the temperature is not orret. For simpliity, we assume that all these ontrollers are in fat part of a single omponent that moves between rooms in the hospital and that it an only simultaneously ontrol two thermometers, so that it has apaity two. Finally, there is a night shift nurse, that must hek the temperature of the patients. For that purpose, it may imprint a ontroller, so that she is the only one to reeive alarm messages from it. Therefore, the life yle of a nightshift nurse onsists on going from her home to the infirmary, imprinting a thermometer ontroller, going to rest, heking the patient in ase she reeives an alarm message, or killing the ontroller and going bak home. We model this senario by means of a TSA system with several omponents. The first one, shown in Fig. 2, represents the nurse, that we assume has type. Initially, it is loated in loation home. Then it an fire go inf, thus moving to the infirmary, where it an imprint the thermometer ontroller and then go to rest. Notie that, sine the nurse has apaity one, we use simple names as labels of its synhronizing transitions, suh as kill, instead of (1,kill).
9 9 nurse thermometer ontroller 1 2 thermometer Fig. 4. Dependeny relation kill k 1 bad! good! kill Fig. 5. Patients The thermometer ontroller, with type ontr, is shown in Fig. 3, initially in loation inf. The ontroller, however, does not have a type, so that it must wait to be imprinted to perform any ation. After been imprinted, it an go either to loation k 1 or to k 2. In these loations there are patients, all of them like that in Fig. 5. Now the ontroller has a hoie between good!, bad! or imprint(th). However, sine the patient thermometers are still dead (in our sense), all the ontroller an do at the present time is imprinting them. Then it an again hoose between any of the loations. If it goes bak again to the same plae then it an read the thermometer and, if it reads bad, that is, if it synhronizes with the thermometer in transition bad!, then it goes to the rest room and sends an alarm message to the nurse. Eventually, the system will reah a dependeny state like the one shown in Fig. 4, with both thermometers imprinted by the ontroller. At any point, the nurse an fire its kill transition, thus killing the ontroller (and, reursively, the ontroller killing its thermometers). Notie that the ontroller does not have any killing transition, so that it only kills its thermometers when, in turn, the nurse kills it. 5 Verifiation of TSA systems In the previous setions we have presented a model that allows us to speify systems using primitives that implement the resurreting dukling poliy, whih are orret by definition. In this setion we will see how we an use the known deidability results for the verifiation of the obtained TSA systems. First of all, we will prove that the loality omponent of TSAs is not essential in the model. More preisely, we will say a TSA system is entralized if none of its omponents have movement transitions and all of them are initially loated in the same loation. Under these assumptions, we an ignore the loality omponent
10 10 of entralized TSA systems, thus writing just (M,R) instead of (M,lo,R). In the following result we will write A to denote the set A \ {go k k L}. Lemma 1. Every TSA system an be simulated by a entralized TSA system. Proof. Let N be a TSA system. Given N N we will define the entralized TSA omponent N, so that the entralized system N = {N N N} simulates N. Let K = {k t T N,λ(t) = go k} lo 0 (N) L, whih is the set of loalities in whih omponents an reside in any reahable marking. Sine that set is finite, we an add for eah omponent N one plae per loality k K, all marked in mutual exlusion, thus representing the urrent loality of eah omponent as part of its ordinary marking. Then, for eah nonautonomous transition we will onsider also one per loality, so that a transition t being fired in k is represented by the firing of a transition t(k). The plae must be a pre/postondition of transition t(k), and movement transitions must hange the tokens in the new plaes aordingly. Then, if N = (P,T,F,λ,o) we take N = (P,T,F,λ,o), where P = P k K} T = {t T λ(t) A } {t(k) λ(t) / A, k K} F = {(p,t) F λ(t) A } {(t,p) F λ(t) A } {(p,t(k)) (p,t) F, λ(t) / A } {(t(k),p) (t,p) F, λ(t) / A } k K, λ(t) go k } ) λ(t) = go k } λ (t) = λ(t) and λ (t(k)) = λ(t) We assume that a transition in the simulating entralized system labelled by go k is just an autonomous transition. For a given reahable marking M = (M,lo,R) we define M = (M,R), where M (p) = M(p) for every p P, M = 1 and M = 0 if k lo(n) for every N. Then, it holds that M 1 [u M 2 M 1[u M 2 where, if M 1 = (M 1,lo 1,R 1 ) then u if λ(u) A u = u(k) if λ(u) = go k (t(k),t (k)) if u = (t,t ) T N T N, lo 1 (N) = lo 1 (N ) = k Therefore, in the following we an assume that every TSA system is entralized. Now, we prove that every TSA system an be simulated by a P/T net. Proposition 2. Every TSA system an be simulated by a P/T net. Proof. Aording to the previous result we an assume that we are given a entralized TSA system N with initial marking M 0 = (M 0,R 0 ), and we must onstrut the P/T net N = (P,T,F,M 0 ) that simulates it. Let us first introdue some notations. We write OK(t,t,R) whenever t T N, t T N and both N and N are alive and N is a slave of N, aording to R. Analogously, we write OK(t,N,R) whenever λ(t) = imprint(o N ) and N is dead aording to
11 k 11 s! q 0 p 0 imprint(o) p 1 k p 2 l s? kill q 1 h Fig. 6. Simple example of TSA system imprint p 1 k s q 0 p 0 R 2 kill p 2 l q 1 h R 1 Fig. 7. Translation of the TSA system in Fig. 6 R, or whenever λ(t) = kill and N is alive aording to R. Finally, given a dependeny funtion R, we will write R(t,N) to denote the dependeny funtion that results when firing t with N as goal. More preisely, if λ(t) = (i,imprint(o N )) then R(t,N) is the result of adding to R, R(N,i) = N, where t T N. Analogously, if λ(t) = (i,kill) then R(t,N) is the result of removing (i,n ) from the domain of R, as well as every desendant of N. In order to simulate a TSA system by means of a P/T net, for eah omponent N we add plaes dead(n) and alive(n), marked in mutual exlusion, thus stating whether that omponent is dead or alive. Sine there are a finite number of omponents and eah of them has a finite apaity, there is only a finite number of dependeny funtions. Then we an have one plae for eah one of them, also marked in mutual exlusion, and used to restrit synhronizations to happen only in the right onfigurations. For instane, for eah pair (t,t ) of synhronizing transitions labelled respetively by s? and (i, s!) we onsider for every dependeny funtion R the transition (t,t,r) that represents the synhronized firing of (t,t ) in a dependeny state R. Of ourse, this synhronization an only happen when the net firing t is an islave of the one firing t aording to R. Therefore, this transition must have R as pre/postondition, as well the preonditions and postonditions of both t and t. An analogous onstrution applies to killing and imprinting transitions. Then, let us take: P = P N {alive(n),dead(n) N N} {R R dependeny funtion of N} T = {t T N λ(t) A} {(t,t,r) λ(t) = s?,λ(t ) = (i,s!),ok(t,t,r)} {(t,n,r) OK(t,N,R)λ(t) = kill or λ(t) = imprint(o N )} F = F 1 F 2 F 3, where F 1 = {(p,t) λ(t) A, p t} {(t,p) λ(t) A, p t } {(alive(n),t),(t,alive(n)) t T N }
12 12 F 2 = {(p,(t,t,r)) p t t } {((t,t,r),p) p t t } {(R,(t,t,R)),((t,t,R),R) (t,t,r) T } F 3 = {(p,(t,n,r)) p t} {((t,n,r),p) p t } {(R,(t,N,R)) (t,n,r) T } {((t,n,r),r(t,n))} {(alive(n),(t,n,r)) λ(t) = kill} {((t,n,r),dead(n)) λ(t) = kill} {(dead(n),(t,n,r)) λ(t) = imprint(o N )} {((t,n,r),alive(n)) λ(t) = imprint(o N )} Finally, given a marking M = (M,R) of N we define the marking M of N as follows: M (p) = M(p) for every p P N M (R) = 1 and M{ (R ) = 0 for every R R 1 if N alive in R N (alive(n)) = { 0 otherwise 1 if N dead in R N (dead(n)) = 0 otherwise Using these notations, it holds that (M 1,R 1 )[u (M 2,R 2 ) (M 1,R 1 ) [u (M 2,R 2 ) t if u T N and λ(t) A where u = (t,t,r 1 ) if u = (t,t ) (t,n,r) if u = t and λ(t) = kill or λ(t) = imprint(o N ) Figure 7 shows the P/T net that simulates the TSA system in Fig. 6, assuming that the net in the right has type o. In it we use plae R 1 for the dependeny funtion in whih there is no assoiations between omponents, and R 2 for that in whih the omponent in the left of Fig. 6 is master of the one in the right. Then, the transition labelled by imprint an only be fired when there is a token in R 1, and that firing has the effet of moving that token from R 1 to R 2, as well as moving the token in p 0 to p 1. The killing transition has an analogous behaviour. Finally, transitions s! and s? are merged into a single transition s, that has R 2 as a pre/postondition plae, beause it an only happen when both omponents are assoiated, and it does not hange this assoiation. This onstrution, even for the simple example shown here, produes the typial spaghetti problem of P/T nets, though, fortunately, it an be arried out automatially. By applying this result, we an use all the existing mahinery for ordinary P/T nets in the analysis of our systems. For instane, overability 2 and home state problems are known to be deidable for P/T nets (for a survey see [4]). Then, in priniple, we ould algorithmially hek any property that an be stated in terms of them. For example, regarding the example in the previous setion, we ould hek that, whenever a thermometer is imprinted by a dotor, then whenever needed it eventually raises the alarm, and only to the right dotor, sine that is a home state property. Another property that ould be interesting 2 In fat, the onstrution translates overability problems of TSA systems to finite sets of overability problems of P/T nets.
13 13 imprint(o)! k kill p s! Fig. 8. TSA system to analyze, and an be stated in terms of overability (adding a ontrol point to the speifiation), is heking that it is not possible for a ontroller to (for example) send out an alarm message without first been imprinted. If we assume that we have several nurses like the one in Fig. 2 and several ontrollers like the one in Fig. 3, we ould also speify in terms of overability the property that says that any nurse has at most one ontroller. So far, we are regarding our TSA systems as the speifiation of systems using the resurreting dukling poliy, sine our primitives assume that the imprinting and killing mehanisms are always orret. However, it is also desirable to perform a lower level analysis, with weaker assumptions. For that purpose, we will prove that every TSA system an be implemented by an MSPN system. An MSPN system intuitively onsists on a set of Petri nets, eah of them at some loation. Those nets an move between loation and, synhronize between them. Moreover, and this is more important, they an manage pure names (in the sense of [6]), that we all identifiers, and use them for authentiation purposes, that is, as imprinting keys. Therefore, apart from ordinary tokens, MSPN omponents an have identifiers as tokens. For instane, a omponent ould offer a synhronization only to omponents exhibiting a determined identifier. This is formalized by using variables as labels on ars. MSPN omponents an also reate fresh identifiers by means of a speial variable ν, whih an only be instantiated to fresh identifiers. However, they do not need to use this variable to implement TSA systems. Proposition 3. Every TSA system an be simulated by a MSPN system without namereation transitions. Proof. Let N be a TSA system, that we an assume to be entralized. For every N = (P,T,F,λ,o) N we want to define a MSPN N in suh a way that the MSPN system N = {N N N} implements N. The main differene with the previous result is that omponents annot have a global view of the dependenies in the system, but only of those that affet them diretly, that is, they only know whih omponents are their master and their slaves. For that purpose, we add a plae master to every omponent, ontaining at eah time the key used to ommuniate with its master. Similarly, if a net has apaity m then we add plaes slave(1),...,slave(m), used to ommuniate with the orresponding slaves. We represent alive omponents as those that ontain a key in its master plae. Sine only alive omponents an exeute ations, we must add that plae as preondition of every transition (notie that omponents of
14 14 p 1 q 1 p 1 q 1 (i, s!) s! p 2 q 2 slave(i) a p 2 d b q 2 master s? s? master a Fig. 9. Implementation of synhronizations p d (i, imp(o)) imp(o)! b master imp(o)? q p q free a slave(i) a dead(i) master Fig. 10. Implementation of imprintings type are always alive though they do not have a master and hene they must have a key in that plae, though they do not use it to ommuniate). We also add a plae dead, marked with an ordinary token in mutual exlusion with master. Finally, we add a plae free that ontains a set of keys that are free to be used in future imprintings. If the omponent has apaity m and does not have any slave in the initial state, then that plae must ontain m pairwise different keys in that plae in its initial marking. Now let us see how we implement the transitions of eah kind. Autonomous transitions are left as they are, exept for the fat already mentioned that they have the master plae as preondition and postondition, so that they an only be fired when the omponent is alive and stay that way after it. The synhronization of two transitions (see Fig. 9), labelled by (i, s!) and s?, respetively, is implemented by the synhronization of two transitions, now labelled by s! and s?. However, we want them to synhronize only when they share the proper dependeny relation. For that purpose we add the plae slave(i) as preondition (and postondition) of (i,s!) and the plae master as preondition (and postondition of s?, and label all those ars with the same variable. In this way, only omponents that ontain the same value in those plaes (share the same key) an ommuniate. Therefore, we have to guarantee that omponents only share values whenever told by the imprinting and killing primitives. In the implementation, imprinting and killing transitions are just ordinary synhronizing transitions, so that we
15 15 imprint(o)! x x free η η slave kill! p Fig. 11. Implementation of the TSA system in Fig. 8 assume there are synhronizing labels kill and imprint(o) for every o O. The imprinting of a omponent of type o is implemented by the synhronized firing of two transitions, labelled by imprint(o)! and imprint(o)? (see Fig. 10). Notie that the latter transition an only be fired by dead omponents, so that in fat it is the only transition that has the plae dead as preondition instead of master. When these two synhronize, a token is taken from the free plae in the imprinting omponent and plaed both in the orresponding slave(i) plae and in the master plae of the imprinted omponent. The behaviour of the implementation of the killing transitions is dual, by means of the synhronization of two transitions labelled by kill! and kill?. Basially, the killing net moves the token in the orresponding slave(i) plae and puts it in free, and the killed net removes its token from master and puts a blak token in dead. However, the killing of a omponent auses the death not only of that omponent, but also of all its slaves. Therefore, before putting that token in plae dead it must kill all its slaves. MSPN systems without namereation are still equivalent to P/T nets, so that we an take advantage of all the existing analysis methods for P/T nets even in the implementation of TSA systems as losed systems. The previous proof profits from the fat that we are regarding TSA systems as losed systems, so that we an extensively and statially analyze all of their partiipants. In partiular, we an hek (and fore) that the omponents being imprinted, that is, reeiving their masters imprinting key, throw away those keys when they are killed. Therefore, omponents an safely reuse those keys in a forthoming imprinting. However, it is not very realisti to assume in the ontext of ubiquitous omputing that we are dealing with losed systems. In this ontext, we want our servies to be offered in a global and uniform way, so that some of the prinipals that imprint or some of the devies that are imprinted may not be part of the system, but part of the environment of the system. In this ase, we an no longer hek (even less fore) that they erase the imprinting keys after been killed so that, if we reuse them, then the prinipals of the environment ould use old keys to illegitimately interat with a omponent. Let us again onsider the simple TSA omponent in Fig. 8 or, more preisely, its implementation as an MSPN system (without name reation) in Fig. 11. This omponent attempts to imprint some devie of type o, then uses some servie s that this devie provides and finally kills it, thus moving to its initial state. If this omponent is in an environment like the one in the left of Fig. 12 then its behaviour is the intended one. Indeed, when being killed by its master, that s! k
16 16 k k imprint(o)? s? kill? master imprint(o)? s? kill? master Fig. 12. Environments for TSA system in Fig. 8 imprint(o)! ν η slave kill! s! p k Fig. 13. Open implementation of the TSA system in Fig. 8 omponent throws away the imprinting key (the identifier in plae master), so that it an be safely reused. However, let us suppose that its environment is like the one in the right of the same figure, whih is almost the same, exept for the fat that it does not throw away that identifier (there is no arrow from plae master to transition kill?) and an provide servie s even after synhronizing in transition kill (whih, in this ase, does not have the effet of killing the omponent). Therefore, Fig. 11 would be a wrong implementation of the TSA system in Fig. 8, when onsidered in the environment in the right of Fig. 12. For more details about open MSPN systems see [16]. However, we an make use of the freshidentifier reation apability of MSPN systems to perform a orret implementation, even in the open ase. Proposition 4. Every TSA system an be simulated by an open MSPN system. Proof. The onstrution is idential to the one of the previous result, exept for the fat that when impriting, keys are not taken from a plae free, but reated and when killing they are not put bak in free, but erased. Figure 13 shows the open implementation of the TSA system in Fig. 8, whih is similar to that in Fig. 11, exept for the fat that it does not have a plae free for free identifiers and that it has the speial variable ν labelling the ar to the plae alled slave. This speial variable formalizes the reation of new identifiers, by foring its instantiation only to identifiers that are not in the urrent marking. In partiular, notie that the environment on the right of Fig. 12 an no longer offer servie s after being killed, even if it does not throw away its key, sine in a new imprinting the TSA omponent will use a different imprinting key in order to ommuniate with its slave. As we have proved in [14, 16], the general lass of MSPN system (in whih we allow name reation) is not equivalent to P/T nets anymore, but are not Turingomplete either. In partiular, we have proved that overability is still
17 17 deidable, even in the open ase, so that we an still verify any property that an be stated in terms of it. 6 Conlusions and Future Work In this paper we have defined a model based on Petri Nets that addresses the problem of Seure Transient Assoiation in ubiquitous systems. The fat of using Petri Nets gives us an amenable and easy to grasp model. Then we study whether we an approah the problem of the verifiation the properties of these systems. As a first step, we prove that TSA systems, seen as speifiation of systems using the primitives of the Resurreting Dukling Poliy, are equivalent to P/T nets, so that we have many deidable properties for them as reahability, overability or home state. Then we show how these primitives an be implemented solely relying on a mehanism that manages pure names, that an be seen as imprinting keys. These implementations an be studied from two different points of view: first assuming that our systems work in a losed environment, and then without this assumption. In the first ase, we have proved that this implementation is still equivalent to P/T nets. However, this is no longer true in the seond ase, beause we need to allow the reation of fresh identifiers, but even so we an approah the verifiation of their properties. As future work, we plan to study in a more systemati way the kind of properties of TSA systems that an be studied. It would also be interesting to follow a dual approah, namely that in whih we want to verify that a given system does indeed implement the resurreting dukling poliy, whih would ertainly lead us to approahes like proof arrying ode [11] or dynami typing [7]. We also plan to onsider the studies about transations in the ontext of Petri nets [1], to apply them to killing of slaves in our model, whih are learly transations, though we do not treat them expliitly as suh in the open implementation with identifiers. Another diretion for future work is that of extending the basi model with other features, suh as allowing unbounded apaities for some omponentes (e.g., users), other auses of death, or a finer treatment of loalities. In [15] we presented a tool for the verifiation of MSPN system, based on rewriting logi. We are urrently extending this prototype to make it ope with the primitives presented in this paper, so that it automatially performs the translations we have desribed in the paper and hek the properties that we have proved to be deidable using those translations. Referenes [1] R. Bruni and U.Montanari. Exeuting Transations in ZeroSafe Nets. 21st Int. Conf. on Appliation and Theory of Petri Nets, ICATPN 00. LNCS vol. 1825, pp SpringerVerlag, 2000.
18 18 [2] M. Carbone, M. Nielsen and V. Sassone. A Calulus for Trust Management. 24th Int. Conf. on Foundations of Software Tehnology and Theoretial Computer Siene, FSTTCS 04. LNCS vol. 3328, pp SpringerVerlag, [3] J. Desel and W. Reisig, Plae/Transition Petri Nets. Letures on Petri Nets I: Basi Models, LNCS vol. 1491, pp SpringerVerlag, [4] J. Esparza and M. Nielsen. Deidability issues for Petri Nets  a survey. Bulletin of the EATCS 52: (1994). [5] D. Frutos Esrig, O. Marroquín Alonso and F. Rosa Velardo. Ubiquitous Systems and Petri Nets. Ubiquitous Web Systems and Intelligene, LNCS vol Springer Verlag, [6] A. Gordon. Notes on Nominal Caluli for Seurity and Mobility. Foundations of Seurity Analysis and Design,FOSAD 00. LNCS vol.2171, pp Springer,2001. [7] M. Hennessy and J. Riely. Resoure Aess Control in Systems of Mobile Agents. HighLevel Conurrent Languages, HLCL 98. ENTCS 16:3 17. Elsevier, [8] K. Jensen. Coloured Petri Nets. Basi Conepts, Analysis Methods and Pratial Use.. Volume 1, Basi Conepts. Monographs in Theoretial Computer Siene, Springer, [9] R. Milner, J. Parrow and D. Walker. A alulus of mobile proesses I. Information and Computation 100(1):1 40. Aademi Press In., [10] R. Milner. Theories for the Global Ubiquitous Computer. Foundations of Software Siene and Computation StruturesFoSSaCS 2004, LNCS vol.2987, pp SpringerVerlag, [11] G.C. Neula and P. Lee. Safe, Untrusted Agents Using ProofCarrying Code. Mobile Agents and Seurity. LNCS vol. 1419, pp Springer, [12] G.G. Rihard. Servie Advertisement and Disovery: Enabling Universal Devie Cooperation. IEEE Internet Computing arhive 4(5): IEEE Eduational Ativities Department, [13] F. Rosa Velardo, O. Marroquín Alonso and D. Frutos Esrig. Mobile Synhronizing Petri Nets: a horeographi approah for oordination in Ubiquitous Systems. In 1st Int. Workshop on Methods and Tools for Coordinating Conurrent, Distributed and Mobile Systems, MTCoord 05. ENTCS, 150. [14] F. Rosa Velardo, D. Frutos Esrig and O. Marroquín Alonso. On the expressiveness of Mobile Synhronizing Petri Nets. In 3rd International Workshop on Seurity Issues in Conurreny, SeCo 05. ENTCS (to appear). [15] F. RosaVelardo. Coding Mobile Synhronizing Petri Nets into Rewriting Logi. 7th Int. Workshop on Rulebased Programming, RULE 06. ENTCS (to appear). [16] F. RosaVelardo, and D. FrutosEsrig. Symboli Semantis for the Veriation of Seurity Properties of Mobile Petri Nets. 4th Int. Symposium on Automated Tehnology for Verifiation and Analysis, ATVA 06. LNCS vol. 4218, pp Springer, [17] F. Stajano and R.J. Anderson. The Resurreting Dukling: Seurity Issues for Adho Wireless Networks. 7th Int. Workshop on Seurity Protools. LNCS vol. 1796, pp Springer, [18] F. Stajano. Seurity for Ubiquitous Computing. Wiley Series in Communiations Networking & Distributed Systems. John Wiley & Sons, [19] R. Want. Enabling Ubiquitous Sensing with RFID. Computer vol.37(4), pp IEEE Computer Soiety Press, [20] M. Weiser. Some Computer Siene Issues in Ubiquitous Computing. Comm. of the ACM vol.36(7), pp ACM Press, [21] M. Weiser. The Computer for the 21st Century. In Humanomputer Interation: Toward the Year 2000, pp Morgan Kaufmann Publishers In, 1995.
WORKFLOW CONTROLFLOW PATTERNS A Revised View
WORKFLOW CONTROLFLOW PATTERNS A Revised View Nik Russell 1, Arthur H.M. ter Hofstede 1, 1 BPM Group, Queensland University of Tehnology GPO Box 2434, Brisbane QLD 4001, Australia {n.russell,a.terhofstede}@qut.edu.au
More informationFrom the Invisible Handshake to the Invisible Hand? How Import Competition Changes the Employment Relationship
From the Invisible Handshake to the Invisible Hand? How Import Competition Changes the Employment Relationship Marianne Bertrand, University of Chiago, Center for Eonomi Poliy Researh, and National Bureau
More informationNodal domains on graphs  How to count them and why?
Proeedings of Symposia in Pure Mathematis Nodal domains on graphs  How to ount them and why? Ram Band, Idan Oren and Uzy Smilansky, Abstrat. The purpose of the present manusript is to ollet known results
More informationHow can firms profitably give away free products? This paper provides a novel answer and articulates
MANAGEMENT SCIENCE Vol. 5, No. 0, Otober 005, pp. 494 504 issn 005909 eissn 56550 05 50 494 informs doi 0.87/mns.050.0400 005 INFORMS TwoSided Network Effets: A Theory of Information Produt Design Geoffrey
More informationHierarchical Beta Processes and the Indian Buffet Process
Hierarhial Beta Proesses and the Indian Buffet Proess Romain Thibaux Dept. of EECS University of California, Berkeley Berkeley, CA 9472 Mihael I. Jordan Dept. of EECS and Dept. of Statistis University
More informationRanking Community Answers by Modeling QuestionAnswer Relationships via Analogical Reasoning
Ranking Community Answers by Modeling QuestionAnswer Relationships via Analogial Reasoning XinJing Wang Mirosoft Researh Asia 4F Sigma, 49 Zhihun Road Beijing, P.R.China xjwang@mirosoft.om Xudong Tu,Dan
More informationON THE ELECTRODYNAMICS OF MOVING BODIES
ON THE ELECTRODYNAMICS OF MOVING BODIES By A. EINSTEIN June 30, 905 It is known that Maxwell s eletrodynamis as usually understood at the present time when applied to moing bodies, leads to asymmetries
More informationON THE ELECTRODYNAMICS OF MOVING BODIES
ON THE ELECTRODYNAMICS OF MOVING BODIES By A. EINSTEIN June 30, 905 It is known that Maxwell s eletrodynamis as usually understood at the present time when applied to moing bodies, leads to asymmetries
More informationRandom Walk Inference and Learning in A Large Scale Knowledge Base
Random Walk Inferene and Learning in A Large Sale Knowledge Base Ni Lao Carnegie Mellon University 5000 Forbes Avenue Pittsburgh, PA 15213 nlao@s.mu.edu Tom Mithell Carnegie Mellon University 5000 Forbes
More informationData Abstraction and Hierarchy
Data Abstraction and Hierarchy * This research was supported by the NEC Professorship of Software Science and Engineering. Barbara Liskov Affiliation: MIT Laboratory for Computer Science Cambridge, MA,
More informationData Integration: A Theoretical Perspective
Data Integration: A Theoretical Perspective Maurizio Lenzerini Dipartimento di Informatica e Sistemistica Università di Roma La Sapienza Via Salaria 113, I 00198 Roma, Italy lenzerini@dis.uniroma1.it ABSTRACT
More informationWhen Are Two Workflows the Same?
When re Two Workflows the Same? Jan Hidders 1, Marlon Dumas 2, Wil M.P. van der alst 3, rthur H.M. ter Hofstede 2,JanVerelst 4 1 Dept. of Mathematics and omputer Science, University of ntwerp, ntwerp,
More informationA Semantical Perspective on Verification of Knowledge
A Semantical Perspective on Verification of Knowledge Paul Leemans, Jan Treur, Mark Willems Vrije Universiteit Amsterdam, Department of Artificial Intelligence De Boelelaan 1081a, 1081 HV Amsterdam The
More informationEquivalence in Answer Set Programming
Equivalence in Answer Set Programming Mauricio Osorio, Juan Antonio Navarro, José Arrazola Universidad de las Américas, CENTIA Sta. Catarina Mártir, Cholula, Puebla 72820 México {josorio, ma108907, arrazola}@mail.udlap.mx
More informationThere are only finitely many Diophantine quintuples
There are only finitely many Diophantine quintuples Andrej Dujella Department of Mathematis, University of Zagreb, Bijenička esta 30 10000 Zagreb, Croatia Email: duje@math.hr Abstrat A set of m positive
More informationSUBSTRUCTURE EXAMPLE. Full Height Abutment on Spread Footing
SUBSTRUCTURE EXAMPLE Full Height Abutment on Spread Footing This example illustrates the design of a full height abutment on spread footings for a single span astinplae posttensioned onrete box girder
More informationA RelationshipBased Approach to Model Integration
A RelationshipBased Approach to Model Integration Marsha Chechik Shiva Nejati Mehrdad Sabetzadeh Department of Computer Science University of Toronto, Toronto, ON, Canada chechik@cs.toronto.edu Simula
More informationClean Answers over Dirty Databases: A Probabilistic Approach
Clean Answers over Dirty Databases: A Probabilistic Approach Periklis Andritsos University of Trento periklis@dit.unitn.it Ariel Fuxman University of Toronto afuxman@cs.toronto.edu Renée J. Miller University
More informationA Federated Architecture for Information Management
A Federated Architecture for Information Management DENNIS HEIMBIGNER University of Colorado, Boulder DENNIS McLEOD University of Southern California An approach to the coordinated sharing and interchange
More informationDesign and Evaluation of a WideArea Event Notification Service
Design and Evaluation of a WideArea Event Notification Service ANTONIO CARZANIGA University of Colorado at Boulder DAVID S. ROSENBLUM University of California, Irvine and ALEXANDER L. WOLF University
More informationFreeze After Writing
Freeze After Writing QuasiDeterministic Parallel Programming with LVars Lindsey Kuper Indiana University lkuper@cs.indiana.edu Aaron Turon MPISWS turon@mpisws.org Neelakantan R. Krishnaswami University
More information1 NOT ALL ANSWERS ARE EQUALLY
1 NOT ALL ANSWERS ARE EQUALLY GOOD: ESTIMATING THE QUALITY OF DATABASE ANSWERS Amihai Motro, Igor Rakov Department of Information and Software Systems Engineering George Mason University Fairfax, VA 220304444
More informationSettheoretic Foundation of Parametric Polymorphism and Subtyping
Settheoretic Foundation of Parametric Polymorphism and Subtyping Giuseppe Castagna 1 Zhiwu Xu 1,2 1 CNRS, Laboratoire Preuves, Programmes et Systèmes, Univ Paris Diderot, Sorbonne Paris Cité, Paris, France.
More informationJCR or RDBMS why, when, how?
JCR or RDBMS why, when, how? Bertil Chapuis 12/31/2008 Creative Commons Attribution 2.5 Switzerland License This paper compares java content repositories (JCR) and relational database management systems
More informationThe must preorder revisited
The must preorder revisited an algebraic theory for web services contracts Cosimo Laneve 1 and Luca Padovani 2 1 Department of Computer Science, University of Bologna 2 Information Science and Technology
More informationAnalysis of dynamic sensor networks: power law then what?
Analysis of dynamic sensor networks: power law then what? (Invited Paper) Éric Fleury, JeanLoup Guillaume CITI / ARES INRIA INSA de Lyon F9 Villeurbanne FRANCE Céline Robardet LIRIS / CNRS UMR INSA de
More informationOPRE 6201 : 2. Simplex Method
OPRE 6201 : 2. Simplex Method 1 The Graphical Method: An Example Consider the following linear program: Max 4x 1 +3x 2 Subject to: 2x 1 +3x 2 6 (1) 3x 1 +2x 2 3 (2) 2x 2 5 (3) 2x 1 +x 2 4 (4) x 1, x 2
More informationHypercomputation: computing more than the Turing machine
Hypercomputation: computing more than the Turing machine Abstract: Toby Ord Department of Philosophy * The University of Melbourne t.ord@pgrad.unimelb.edu.au In this report I provide an introduction to
More informationHow to Make Ad Hoc Proof Automation Less Ad Hoc
How to Make Ad Hoc Proof Automation Less Ad Hoc Georges Gonthier Microsoft Research gonthier@microsoft.com Beta Ziliani MPISWS beta@mpisws.org Aleksandar Nanevski IMDEA Software Institute aleks.nanevski@imdea.org
More information