The {\em Ambient Calculus} and the {\em Safe Ambient Calculus} have been recently successfully proposed as models for the Web. They are based on the notions of ambient {\em movement} and ambient {\em opening}. Different type disciplines have been devised for them in order to avoid unwanted behaviours of processes. In the present paper we propose a type discipline for safe mobile ambients which is essentially motivated by ensuring {\em security} properties. We associate security levels to ambients and we require that an ambient at security level $s$ can only be traversed or opened by ambients at security level at least $s$. Since the movement and opening right can be unrelated, we consider two partial orders between security levels. We give some examples of use of our type discipline. A first protocol models a mailserver with different mailboxes and users: each user is allowed to enter only his own mailbox. A second example show that we can encode a security policy for reading and writing recently proposed for the $\pi$-calculus. Lastly we present the renaming, firewall and channel protocols which are already typed in other type disciplines for comparisons and for showing how some behavioural conditions can be expressed in our system as type constraints.
Security Types for Mobile Safe Ambients / M., Dezani; Salvo, Ivano. - STAMPA. - 1961:(2000), pp. 215-236. (Intervento presentato al convegno Advances in Computing Science - ASIAN 2000, 6th Asian Computing Science Conference tenutosi a Penang, Malaysia nel November 25-27, 2000) [10.1007/3-540-44464-5_16].
Security Types for Mobile Safe Ambients
SALVO, Ivano
2000
Abstract
The {\em Ambient Calculus} and the {\em Safe Ambient Calculus} have been recently successfully proposed as models for the Web. They are based on the notions of ambient {\em movement} and ambient {\em opening}. Different type disciplines have been devised for them in order to avoid unwanted behaviours of processes. In the present paper we propose a type discipline for safe mobile ambients which is essentially motivated by ensuring {\em security} properties. We associate security levels to ambients and we require that an ambient at security level $s$ can only be traversed or opened by ambients at security level at least $s$. Since the movement and opening right can be unrelated, we consider two partial orders between security levels. We give some examples of use of our type discipline. A first protocol models a mailserver with different mailboxes and users: each user is allowed to enter only his own mailbox. A second example show that we can encode a security policy for reading and writing recently proposed for the $\pi$-calculus. Lastly we present the renaming, firewall and channel protocols which are already typed in other type disciplines for comparisons and for showing how some behavioural conditions can be expressed in our system as type constraints.I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
