Abstract

We present a comprehensive model of structured communications in which self-adaptation and security concerns are jointly addressed. More specifically, we propose a model of multiparty, self-adaptive communications with access control and secure information flow guarantees. In our model, multiparty protocols (choreographies) are described as global types; security violations occur when process implementations of protocol participants attempt to read or write messages of inappropriate security levels within directed exchanges. Such violations trigger adaptation mechanisms that prevent the violations from occurring and/or from propagating their effect in the choreography. Our model is equipped with local and global adaptation mechanisms for reacting to security violations of different gravity; type soundness results ensure that the overall multiparty protocol is still correctly executed while the system adapts itself to preserve the participants' security.

Highlights

  • Framed in the setting of formal models and analysis techniques for communication-centric systems [HLV+16], we have introduced a framework for multiparty protocols in which the analysis of communication correctness is coupled with the run-time enforcement of self-adaptation and secure information flow policies

  • One leading motivation for our development is the observation that as communication-centric systems operate in dynamic and heterogeneous environments, correctness analysis for the underlying structured protocols must account for a range of different issues that influence the interactive behaviour of protocol participants

  • We have shown how two such issues, self-adaptation and security, exhibit an appealing complementarity and admit a unified treatment based on global types, monitors, monitored processes, and a suitably instrumented operational semantics


Summary

Context and motivation

Large-scale distributed systems are nowadays conceived as heterogeneous collections of interconnected software artefacts. We would like to ensure that the buying protocol works as expected, and to avoid that sensitive information, exchanged in certain parts of the protocol, is leaked, e.g., in a tweet that reveals the credit card used in the transaction. Such an undesired behaviour should be corrected as soon as possible. Moreover, if the leak is serious (e.g., when the plug-in is compromised by a malicious participant), we may wish to adapt the choreography as soon as possible, removing the plug-in and modifying the behaviour of the involved participants. This form of reconfiguration should only concern the participants involved with the insecure plug-in; other participants should not be unnecessarily restarted. A message sequence diagram showing these behaviours is given in Fig. 1, where all communications are intended to be realised by means of a browser, and a distinguished symbol marks the unsafe plug-in.
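The monitored execution sketched in the abstract and in the scenario above, as an added example in Python that is not code from the paper: a global type is a list of directed exchanges, each with a declared security level; every participant has a read clearance and may try to write a value of a different level than declared; a monitor inspects each exchange before it happens. The two-point lattice, the participant names, the constructed choreography, and the two adaptation strategies (local: withhold a message from an under-cleared reader and continue; global: remove a participant that attempts to write above the declared level, skip its remaining exchanges, and reconfigure only the participants that still interact with it) are assumptions chosen for illustration, not the paper's definitions.

```python
"""Monitored multiparty exchange with security levels and adaptation.

Added example, not code from the paper. Assumed: a two-level lattice
LOW < HIGH, a global type as a list of directed exchanges, per-participant
clearances, and two hypothetical adaptation strategies (see run_monitored).
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Assumed two-point security lattice: LOW < HIGH."""
    LOW = 0
    HIGH = 1


@dataclass(frozen=True)
class Exchange:
    """One directed exchange of the global type: sender -> receiver : label(level)."""
    sender: str
    receiver: str
    label: str
    level: Level


@dataclass
class Participant:
    """Local view of a process: what it may read and what it actually writes."""
    clearance: Level               # highest level this process may read
    writes: dict[str, Level]       # actual level of the value sent per label
                                   # (absent label: the process honours the global type)


def run_monitored(global_type: list[Exchange], participants: dict[str, Participant]):
    """Execute the choreography step by step under a monitor.

    Returns (delivered, trace, removed):
      delivered - exchanges that actually took place, as (sender, receiver, label)
      trace     - adaptation actions taken by the monitor, in order
      removed   - participants excluded by global adaptation
    """
    delivered, trace, removed = [], [], set()
    for step, ex in enumerate(global_type):
        if ex.sender in removed or ex.receiver in removed:
            # A removed participant's exchanges are pruned from the choreography.
            trace.append((step, "skip", ex.label))
            continue
        actual = participants[ex.sender].writes.get(ex.label, ex.level)
        if actual > ex.level:
            # Write violation: the sender tries to put a value of a higher level
            # than the global type declares for this message, i.e. a leak.
            # Assumed global adaptation: drop the sender and reconfigure only the
            # participants that still interact with it later in the protocol.
            removed.add(ex.sender)
            peers = sorted(
                p for e in global_type[step:] for p in (e.sender, e.receiver)
                if ex.sender in (e.sender, e.receiver) and p != ex.sender
            )
            trace.append((step, "global-adapt", ex.sender, tuple(peers)))
            continue
        if participants[ex.receiver].clearance < ex.level:
            # Read violation: the receiver is not cleared for this level.
            # Assumed local adaptation: withhold the message, protocol continues.
            trace.append((step, "local-adapt", ex.receiver, ex.label))
            continue
        delivered.append((ex.sender, ex.receiver, ex.label))
    return delivered, trace, removed


def example_network():
    """Constructed buying scenario: a browser plug-in leaks the card in a tweet."""
    global_type = [
        Exchange("Buyer", "Seller", "card", Level.HIGH),
        Exchange("Seller", "Analytics", "order", Level.HIGH),
        Exchange("Seller", "Buyer", "receipt", Level.LOW),
        Exchange("Buyer", "PlugIn", "summary", Level.LOW),
        Exchange("PlugIn", "Twitter", "tweet", Level.LOW),
        Exchange("PlugIn", "Buyer", "ack", Level.LOW),
        Exchange("Seller", "Bank", "charge", Level.HIGH),
    ]
    participants = {
        "Buyer": Participant(Level.HIGH, {}),
        "Seller": Participant(Level.HIGH, {}),
        "Analytics": Participant(Level.LOW, {}),
        # The compromised plug-in puts HIGH data (the card) into a LOW tweet.
        "PlugIn": Participant(Level.LOW, {"tweet": Level.HIGH}),
        "Twitter": Participant(Level.LOW, {}),
        "Bank": Participant(Level.HIGH, {}),
    }
    return global_type, participants


def run_example():
    return run_monitored(*example_network())


if __name__ == "__main__":
    delivered, trace, removed = run_example()
    for entry in trace:
        print(entry)
    print("removed:", removed, "delivered:", delivered)
```

In the constructed run, the under-cleared Analytics participant only loses one message (local adaptation), while the plug-in's attempt to tweet HIGH data removes it and reconfigures just Buyer and Twitter; Seller and Bank are untouched and the final charge still takes place, which is the property the abstract attributes to type soundness: the protocol keeps running correctly while the system adapts.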

Our approach
Contributions and organisation
Syntax
Global types and monitors
Processes and networks
Session types for processes
Semantics
Example: a travel agency network
Well-typed networks: main properties
Preliminaries
Main properties
Related work
Concluding remarks