Access control types for agents Rohit Chadha and Matthew Hennessy University of Sussex Access control types for agents – p.1/20
Overview: an agent calculus
We consider an extension of the π-calculus
It has two named entities:
Channels, used for communication
Agents, which use channels to communicate
Channels are the resources in this calculus
Types are used to control access to the channels
The type of a channel names the agents that can access the channel
Syntax
A system has a two-level structure
At the lower level, there are extended π-processes
At the higher level, there are agents running threads
At the level of processes, we add a primitive for sender authentication
The process inputs along the channel and is bound to the name of the sender
The details of the authentication are abstracted away
A typical system looks like
and are agents which share the name
is executing the thread and is executing the thread
Communication
There are no sites and communication occurs globally
There are two types of communication
Standard communication:
Authenticated input:
learns the identity of the sender.
Overview: types
Channels are typed as a list of input and output capabilities
An input capability means can read on the channel
An output capability means can write on the channel
There is a subtyping relation on channel types
A channel type is a subtype of another channel type if it is less restrictive than that type
The type classifies a name as an agent
Capability Types
In capability types, the transmission type may be:
A normal transmission type
means can read values of at least type
means can write values of at most type
An authenticated transmission type
means can read authenticated values
Values read must have at least type , if is the sender
means can write authenticated values
Values written must have at most type
The wild card *
In place of an identifier, a capability type may also have the special symbol *
means anybody can read on the channel
means anybody can write on the channel
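The capability types, wild card and subtyping relation of the preceding slides, and the capability handover of the later slides, as an added Python model that is not code from the slides or their authors. The agent names a and d, the channel b, the environment layout and the function names are all assumptions constructed for illustration.

```python
# Added example (not from the slides): model of the capability types above.
# A channel type is a set of capabilities, each an input (r) or output (w)
# capability tagged with an agent name, or with '*' meaning anybody.
from dataclasses import dataclass

WILDCARD = "*"

@dataclass(frozen=True)
class Cap:
    kind: str   # "r" = input capability, "w" = output capability
    agent: str  # agent name, or WILDCARD

def chan_type(*caps):
    """Build a channel type from (kind, agent) pairs, e.g. ("r", "a")."""
    return frozenset(Cap(k, a) for k, a in caps)

def allows(ctype, kind, agent):
    """Does channel type ctype let `agent` perform `kind` ('r' or 'w')?"""
    return Cap(kind, agent) in ctype or Cap(kind, WILDCARD) in ctype

def is_subtype(s, t):
    """s <: t iff s is less restrictive than t: every access t grants, s grants too."""
    return all(allows(s, c.kind, c.agent) for c in t)

def can_handover(held, given):
    """An agent holding a channel at type `held` may pass it on at type `given`
    only if `given` grants nothing `held` does not, i.e. held <: given."""
    return is_subtype(held, given)

def check_thread(env, agent, actions):
    """Model of the thread judgement: return the first (chan, kind) in `actions`
    that env does not allow `agent` to perform, or None if all are allowed.
    env maps a name to "agent" or to the channel type it is declared with."""
    if env.get(agent) != "agent":
        return (agent, "not an agent")
    for chan, kind in actions:
        ctype = env.get(chan)
        if not isinstance(ctype, frozenset) or not allows(ctype, kind, agent):
            return (chan, kind)
    return None

# Constructed environment: a and d are agents; b is a channel that a may read
# and write but d may only read.
ENV = {"a": "agent", "d": "agent",
       "b": chan_type(("r", "a"), ("w", "a"), ("r", "d"))}
```

With ENV, a may hand b to d at the read-only type but not at a type granting d a write, since the held type does not grant that access.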
Type judgements
A type judgement for a system in the agent calculus takes the form
The type environment is a list of identifiers
meaning that is an agent
meaning that is a channel that has capability list
The judgement holds if, in the execution of the system, an agent in it accesses a channel in the environment only when allowed by the environment
Typing values and processes
The typing judgement uses two other judgements
A judgement for typing values, which keeps track of access
For example, if the environment records an input capability for an agent on a channel, then that agent is allowed to input values of the capability's type on that channel
A judgement for typing process threads: the agent is allowed by the environment to perform the possible input/output while executing the thread
Type inference for communication
Output on a channel
Input from a channel
Authenticated communication
Input from an authenticated channel
Output on an authenticated channel
Simple examples
Consider the system
Simple examples continued...
Consider the system
If a channel type lists more elements than another, then it is less restrictive
Simple examples continued...
Consider the system
is less restrictive than
or, is less restrictive than
Handover of capabilities
Consider the system
hands over the capability of writing on b to d
Handover of capabilities continued...
In particular, may be a channel that only knows at
Consider the system