Specifying and Implementing Secure Mobile Applications in the Channel Ambient System
Total Page:16
File Type:pdf, Size:1020Kb
University of London Imperial College of Science, Technology and Medicine Department of Computing Specifying and Implementing Secure Mobile Applications in the Channel Ambient System Andrew Nicholas John Brojer Phillips Submitted in part fulfilment of the requirements for the degree of Doctor of Philosophy in Computing of the University of London and the Diploma of Imperial College, October 2005 Abstract The Internet has grown substantially in recent years, and an increasing number of applications are now being developed to exploit this distributed infrastructure. Mobility is an important paradigm for such applications, where mobile code is supplied on demand and mobile components interact freely within a given network. However, mobile applications are difficult to develop: not only do they involve complex parallel interactions between multiple components, but they must also satisfy strict security requirements. One could argue that the development of such applications requires a rigorous means of describing and reasoning about mobile computation, through the use of an appropriate model. Foundational research by Cardelli and Gordon on the Ambient Calculus has shown that process calculi are a promising approach to modelling mobile computation. This thesis builds on more recent research in the field of process calculi, and presents a new model of computation known as the Channel Ambient calculus, which can be used both to specify mobile applications and to reason about their security properties. The primitives of the model were developed with real-world applications in mind, and are designed to be at a level of abstraction suitable for an application programmer. The thesis also bridges a gap between theory and implementation by defining a distributed abstract machine for the Channel Ambient calculus. The abstract machine uses a list semantics, which is close to an implementation language, and a blocking semantics, which leads to an effi- cient implementation. The machine is proved sound and complete with respect to the underlying calculus. A prototype implementation is also described, together with an application for tracking the location of migrating ambients. The correctness of the machine ensures that the work done in specifying and analysing mobile applications is not lost during their implementation. 2 To Sandra Acknowledgements I would like to thank my supervisors, Susan Eisenbach and Nobuko Yoshida, for their dedication and support during my time at Imperial and throughout the writing of this thesis. Both have shown tremendous patience in reading and evaluating my work, and have been an invaluable source of encouragement, providing the guidance and advice I needed to bring this research to fruition. Susan’s expertise in distributed programming languages was instrumental in building the foundations for this research, allowing me to identify and implement programming abstractions for mobile applications. I also benefited from discussions with the SLURP programming group, which helped to place this research in the broader context of modern programming languages for distributed computing. Nobuko’s expertise in process calculi was essential in developing the theoretical foundations of this research, and I am grateful for her patience in teaching me the theoretical background I needed to design and implement a calculus for mobile computation. I also benefited from numerous discussions with the members of the Concurrency Group, which provided an ideal environment for exchanging ideas and exploring the technical challenges of process calculi. I am particularly grateful to Sergio Maffeis and Maria Vigliotti, not only for lively discussion and sound technical advice, but also for their friendship and support. I would also like to thank my co-supervisor, Bashar Nuseibeh, without whom none of this research would have been possible. His expertise in the area of Software Engineering provided an ideal background for studying the design and implementation of mobile applications. I also benefited from discussions with the Requirements Engineering group, which helped to crystallise some of the challenges faced by modern software developers and to identify potential areas for research. I am particularly grateful to my external examiners, Andrew Gordon and Julian Rathke, for their thorough examination of this thesis and their invaluable suggestions for improvement. I am also grateful to my advisers, Luca Cardelli and Stephen Emmott at Microsoft Research Cambridge, for giving me the time I needed to complete this thesis. During my time at Imperial I was fortunate to work in an ideal environment. I am very grateful to my colleagues and friends in the Department of Computing, who helped to make my teaching 4 and research activities that much more enjoyable. I have particularly fond memories of organising weekly PhD cake meetings with Xiang Feng, which provided an ideal setting for discussing and exchanging ideas. My interest in process calculi was initially sparked by a research project at Cambridge Univer- sity, under the supervision of Peter Sewell. His pragmatic views on the delicate balance between theory and practice were an inspiration for my research. During this time, I also had the privilege of working with Pawel Wojciechowski, who shared with me his experience in developing the No- madic Pict system, and provided invaluable insight on the design and implementation of process calculi. Throughout my time in the UK, my parents John and Mary, and my dearest sister Rosemary have always been near to my heart, encouraging me every step of the way. I am also grateful to friends and extended family for their support. Last but not least, I would like to thank my wife, Sandra, who has been with me from the very beginning of this work, and whose love and kindness have helped me reach this far. This research was supported by an ORS scholarship, and also by a research studentship from the Department of Computing, Imperial College. Declaration This thesis conforms to the requirements for the degree of Doctor of Philosophy in Computing of the University of London and the Diploma of Imperial College. The text of this thesis does not exceed 100,000 words, excluding the bibliography and appendices. The research presented in this thesis has not been submitted for any degree or comparable award of this or any other university or institution. This thesis constitutes my own work, and is not the outcome of work done in collaboration. The thesis was supervised by Susan Eisenbach, Nobuko Yoshida and Bashar Nuseibeh. Some of the research presented in this thesis was previously published in the following article, of which I was the main author: Andrew Phillips, Nobuko Yoshida, and Susan Eisenbach. A distributed abstract machine for boxed ambient calculi. In proceedings of the European Symposium on Programming, LNCS. Springer, 2004. 6 Contents 1 Introduction 14 1.1 Problem Description . 14 1.1.1 Specifying and Implementing Secure Mobile Applications . 14 1.1.2 Example Mobile Applications . 14 1.1.3 Security Properties of Mobile Applications . 17 1.1.4 Implementing Mobile Applications . 18 1.1.5 Specifying Mobile Applications . 18 1.2 Related Work . 19 1.2.1 Process Calculi for Mobile Applications . 19 1.2.2 The π-calculus . 20 1.2.3 The Nomadic π-calculus . 25 1.2.4 The Ambient Calculus . 29 1.2.5 The Boxed Ambient Calculus . 33 1.3 Thesis Outline . 34 1.3.1 Thesis Statement . 34 1.3.2 Thesis Contribution . 34 1.3.3 The Channel Ambient Calculus . 34 1.3.4 The Channel Ambient Machine . 35 1.3.5 The Channel Ambient Runtime . 35 1.3.6 The Channel Ambient Language . 36 2 The Channel Ambient Calculus 37 2.1 Introduction . 37 2.2 Design Principles . 38 2.2.1 Components of Mobile Applications . 39 2.2.2 Interaction Between Mobile Application Components . 40 2.2.3 Communication Between Mobile Application Components . 43 7 CONTENTS 8 2.2.4 Migration of Mobile Application Components . 44 2.3 Definition . 45 2.3.1 Syntax of Calculus Processes . 45 2.3.2 Reduction Rules for Executing Calculus Processes . 47 2.3.3 Structural Congruence Rules for Equating Calculus Processes . 49 2.3.4 Substitution of Free Values Inside Processes . 50 2.3.5 Syntax Abbreviations for Frequently Used Processes . 51 2.4 Distributed Model . 52 2.4.1 Constraining the Calculus Syntax to Model TCP/IP Networks . 52 2.4.2 Using Sites to Model a Hierarchical Network Topology . 54 2.4.3 Using Reduction to Model Network Execution . 55 2.4.4 Allowing Multiple Sites to Share the Same IP Address . 57 2.5 Resource Monitoring Application . 58 2.5.1 Examples of Resource Monitoring Applications . 59 2.5.2 Informal Specification of an Application . 60 2.5.3 Formal Calculus Specification . 61 2.5.4 Calculus Execution Scenario . 62 2.6 Security Properties . 64 2.6.1 Proving Safety to Prevent Runtime Errors . 64 2.6.2 Using Channel Types to Ensure Reliable Communication . 65 2.6.3 Using Syntactic Constraints to Prevent Ambient Impersonation . 68 2.7 Related Work . 72 2.8 Conclusion . 74 3 The Channel Ambient Machine 77 3.1 Introduction . 77 3.2 Design Principles . 79 3.2.1 Problems with Using Calculus Reduction to Implement a Runtime . 79 3.2.2 Using a Normal Form to Execute Reductions up to Structural Congruence . 80 3.2.3 Using Blocking to Efficiently Execute Successive Reductions . 82 3.2.4 Justification for Defining an Abstract Machine . 82 3.3 Definition . 83 3.3.1 Syntax of Machine Terms . 84 3.3.2 Using Construction to Encode a Process to a Machine Term . 85 3.3.3 Using Selection to Schedule a Machine Term . 88 3.3.4 Using Unblocking to Prevent Deadlocks During Execution . 88 CONTENTS 9 3.3.5 Using Reduction to Execute a Machine Term . 89 3.4 Distributed Execution . 93 3.4.1 Summary of Distributed Constraints for the Channel Ambient Calculus .