2G1517

Available in English only!

2G1517

Advanced Formal Methods

NOTE: From 06-07 academic year the course is given as 2D1453

Mads Dam, 05-06 academic year, School of Computer Science and Communication, KTH

News

060519: Congratulations to Rana for getting her project paper accepted for MTCoord06 !
060418: Exam uploaded, here is ringBuffer.ps, ringBuffer.gif
060328: Project proposals uploaded
060315: You are invited to take a look at some hardware design tools
060315: Check out seminars in the theory group: http://www.csc.kth.se/tcs/seminarsevents/ (spec. Sprengers seminar on 060323)

Aims - Syllabus - Requirements - Schedule - Exercises - Prerequisites - Literature - Projects - Exam - Workshop - Contact

Over the past decade a host of new techniques have emerged for the modelling of systems focusing on aspects such as distribution, mobility and security. The pi-calculus, invented at the end of the 80'es, is a paradigmatic example. The pi-calculus has given rise to a flurry of activity and new ideas in areas such as programming language and software system semantics, and the modelling and analysis of specific system features such as distribution, mobility and security. In the course we will study the pi-calculus and some of its cousins in some depth, including applications to security protocol analysis and verification. Part of the course is given in seminar form, and attendance is for this reason limited.

Aims

The course is intended to put students in touch with the state-of-the-art in the area of formal modelling and analysis, and to train their presentation and research skills. Upon completion of the course the students will be able understand and apply the guiding principles of modelling calculus design sufficiently well to be able to use and adapt these tools in concrete application contexts.

Syllabus

Pi-calculus syntax and semantics
Reduction and transition semantics

Bisimulations, equivalences, congruences

Sorts and encodings
Security protocol basics
Applied pi-calculus
Modal and temporal logics for processes
Logics for pi-calculus
Security protocol logics

Requirements

Project 5 pts involving:

Midterm exam. One-day take-home exam given on 18 April. Details TBA.
Project work based on research paper
Active participation in lectures and seminars
Presentation of results, as report and seminar presentation

Each seminar presentation will be of 1 hr duration and must include presentation of background material (theory and results of your allocated paper and whatever other material you've found it necessary to penetrate) as well as results of your own work.

The primary purpose of the report is to document the results of your investigations. So it must explain clearly the problem you set out to investigate, your chosen approach, how you realised it, and your results and conclusions, in whatever form appropriate. Think of the report as a prototype research paper.

Schedule

Period 4

Lectures: 8 double lectures

Seminars: 1 full-day workshop

Location: Room 4523, CSC/Nada, Lindstedtsv 5, lvl 5

Week 11
2006-03-15	13:00-15:00	4523	L1	Sequential processes	Milner ch 1-7
Week 12
2006-03-22	13:00-15:00	4523	L2	Pi-calculus, intro	Milner ch 8-9.3
2006-03-24	13:00-15:00	4523	L3	Polyadic pi, data types	Milner ch 9.4-10
Week 13
2006-03-29	13:00-15:00	4523	L4	Sorts, objects, functions	Milner ch 11
2006-03-31	13:00-15:00	4523	L5	Bisimulations etc	Milner ch 12, 13
Week 14
2006-04-03	13:00-15:00	4523	L6	Modal logics	Slides, MPW paper
2006-04-05	13:00-15:00	4523	L7	Mu-Calculus	Bradfield-Stirling up to 3.3
2006-04-07	13:00-15:00	4523	L8	Mu-Calculus	Bradfield-Stirling, rest of ch. 3, ch 4 to 4.5, section 5.1 on local model checking
Week 16
2006-04-18	9:00-17:00			Midterm exam
Week 19
2006-05-11	8:00-12:00	4523	W1	Course workshop
2006-05-11	13:00-17:00	4523	W2	Course workshop

Exercises

Exercises will be elaborated as we move along. Starred exercises are harder than unstarred ones. Do try them.

Lecture 1:

4.10, 4.12, 4.14, 4.16, 5.11, 5.12
If you haven't done CCS already you must try some of the examples in ch 1-7 in full detail plus the associated exercises.
Do some representative cases (not covered in Milner or in class) of the proof of prop 5.2
Define carefully alpha-conversion and name substitution for concurrent processes.
A name substitution is any function f: Name -> Name extended to actions such that f(tau) = tau and f(overbar(a)) = overbar(f(a)). Is strong bisimulation equivalence preserved under name substitution. What if f is injective? (*)
Prove prop. 4.6

Lecture 2:

9.8, 9.10, 9.14 (*), 9.15 (**), 9.18

Lecture 3:

9.22, 9.25, 9.26, all exercises in ch. 10.

Lecture 4:

11.4, 11.13, 11.15, 11.21
Object variables in section 11.4 are local (in a pi-calculus sense). That is, a variable A.V is not made directly available to the environment, but it can be exported, i.e. a method can pass the location of A.V as a return value. Modify the encoding so that A.V is public, i.e. directly available at the object interface. Can you produce an encoding where A.V is private in the sense that it is not exportable?

Lecture 5:

12.7, 12.20, 12.27, 12.30, 13.9
Prove prop. 12.12.1

Lecture 6:

A modal formula F is valid if P |= F for all processes P. Show that the following proof rules for modal validity are valid
- If |- F then |- [L]F for any L
- |- [L](F -> G) -> ([L]F -> [L]G)
Determine whether the following formulas are valid:
- [-](F /\ G) -> [-]F /\ [-]G
- [-](F \/ G) -> [-]F \/ [-]G
- [-]F -> F
Show that concurrent processes (as in the pi-calculus book) are image finite

Lecture 7:

Prove, using fixed point induction:
1. mf £ f(mf)
2. mf £ nf
3. mf = f(f(mf))
Assume mf = m(g o f) where o is function composition. Assume that g o f = f o g. Show, using fixed point induction, that mf = mg.
Reprove 1.-3. above using transfinite induction.

Lecture 8:

Express the following properties in the modal mu-calculus:
- An a action can never happen without a b action happening first
- Infinitely often an a and a b action are simultaneously enabled
Prove that the modal mu-calculus is monotone in the sense that if A Í B then || f ||r[A/X] Í || f ||r[B/X]
Define P = a.P and Q = (a'.a'.Q) + b.0. Show that the term new a (P | Q) satisfies the mu-calculus property nu X.mu Y.[tau](((<b>X) \/ Y) /\ <tau>true).
A function f: A -> A on a complete lattice A is continuous if f(\/{a_i | i in I}) = \/{f(a_i) | i in I} for all chains {ai | i in I}. Is the modal mu-calculus continuous in this sense? (*)

Prerequisites

2G1516 Formal methods (or similar).You need to be comfortable with propositional and first-order logic, discrete structures like trees and graphs, automata and languages. Previous exposure to basic concepts in programming language semantics, in particular process algebra, as in 2G1516, will be extremely helpful. Contact course responsible if in doubt.

Literature and Resources

Textbook:

Robin Milner: "Communicating and Mobile Systems: The Pi-Calculus". Cambridge University Press 1999, isbn 0 521 64320. Amazon link

Available at Kårbokhandeln

Pi-calculus:

The Pi-Calculus: A Theory of Mobile Processes, Davide Sangiorgi and David Walker, Cambridge University Press 2001. Comprehensive
Joachim Parrow: An Introduction to the Pi-Calculus
The calculi for mobile processes home page
On structural congruence: "A paper which proves (1) that structural congruence without replication is decidable (exercise 9.14 in Milner), and (2) that structural congruence is decidable for processes limited in replication; the general case (exercise 9.15 in Milner) remains open." J. Engelfriet and T. Gelsema: "The decidability of structural congruence for replication restricted pi-calculus processes", http://www.liacs.nl/home/engelfri/repres.ps

Applied pi:

Main text: M. Abadi and C. Fournet: Mobile Values, New Names, and Secure Communication
Protocols:
- M. Abadi, B. Blanchet, C. Fournet: Just Fast Keying in the Pi Calculus
- M. Abadi, B. Blanchet: Computer-assisted Verification of a Protocol for Certified Email
- Steve Kremer and Mark D. Ryan. Analysis of an Electronic Voting Protocol in the Applied Pi Calculus.
M. Baldamus, J. Parrow, B. Victor: A Fully Abstract Encoding of the pi-Calculus with Data Terms

Modal logics and mu-calculus:

Main text: J. Bradfield and C. Stirling: Modal logics and mu-calculi: an introduction
Modal logics and mu-calculus for pi-calculus:
- R. Milner, J. Parrow, D. Walker: Modal Logics for Mobile Processes.
- M. Dam: Proof systems for pi-calculus logics
Tools and applications:
- CWB and MWB
- EVT - the Erlang verification tool: http://www.sics.se/fdt/VeriCode/

Projects

Each project is based on some research paper. Probably you will find that several papers will be needed. Different sorts of projects are possible, depending on interest and paper. The preferred option will be to apply some tool or technique introduced in the paper on some protocol of interest; evaluate, identify problems and possible extensions, if relevant, or, possibly, try a different tool on the same example. Some examples of protocols or problems are given below. Alternatively, if the main contribution of the paper is an algorithm or proof system or similar, an objective could be to implement a prototype tool, or modify an existing one. If you are more theoretically inclined, an objective might be to reproduce proofs in detail. Regardless, you'll need to agree your choice of project with the lecturer.

Contract signing/payment protocols in applied pi and ProVerif
- Consider one or two of the contract signing/payment protocols below, model in applied pi and analyze using ProVerif
Contract signing protocols in Isabelle
- Same, but this time use Paulson's theorem proving framework in Isabelle
Comparison of the ProVerif and Avispa toolsets
- Analyze the same non-trivial protocol in ProVerif and Avispa. Compare the approaches concerning scope, performance, etc
Mu-calculus theorem prover
- Implement the proof system of Sprenger and Dam below as an interactive theorem prover and do some simple experiments.
Security protocol analysis in mobility workbench
- Model one or two simple protocols such as NSPK and Yahalom in pi-calculus, analyze using mobility workbench. Take inspiration from finite state analyses such as those of Mitchell et al below.

References:

Mitchell J.C., Mitchell M., and Stern U. Automated analysis of cryptographic protocols using Murphi
L C Paulson. The inductive approach to verifying cryptographic protocols
C. Sprenger and M. Dam: A note on global induction mechanisms in a µ-calculus with explicit approximations

Tools:

Protocols:

Here is a Protocol repository of various protocols which have been subject to study using formal techniques. The AVISPA site also has a large number of protocols.

Contract signing:

N. Asokan, Matthias Schunter, Michael Waidner: Optimistic Protocols for Fair Exchange
Juan Garay, Markus Jakobsson, Philip MacKenzie: Abuse-free Optimistic Contract Signing
Michael Ben-Or, Oded Goldreich, Silvio Micali, Ronald Rivest: A Fair Protocol for Signing Contracts

Payment protocols: SET , iKP

Aims

Syllabus

Requirements

Schedule

Exercises

Prerequisites

Literature and Resources

Pi-calculus:

The Pi-Calculus: A Theory of Mobile Processes, Davide Sangiorgi and David Walker, Cambridge University Press 2001. Comprehensive

The calculi for mobile processes home page

Projects

Tools:

Protocols:

Midterm exam

060418: Exam, ringBuffer.ps, ringBuffer.gif

Workshop

Contact

Mads Dam, CSC, E-mail: mfd at kth dot se