digital signature and blocking in mobile...

Software System EngineeringSpring 2006

Digital Signature and Blocking inMobile Ambients

Supervisor: Hans Huttel Group: B1-215Anupam Palit

Bin RenSagar BingiYepeng Sun

Aalborg University29th June 2006

Group: B1-215

Anupam Palit

Bin Ren

Sagar Bingi

Yepeng Sun

Preface

The calculus of Mobile Ambients derives its process primitives from the π-calculus.It introduces the notion of a bounded environment(the ambient) where processesor mobile agents co-operate. An ambient consists of a set of local agents andpossibly other subambients. Ambients are moved as a whole under the control ofthe enclosed agents, which are confined to their ambients. This report presents avariant of Mobile Ambients. It addresses the security issues of robustness againstmalicious tampering, access control and execution safety by introducing the con-cept of digital signature and blocking into ambients. The model of Digitally SignedAmbients with Blocking on Capabilities(DSABC) is similar to the Java Sandboxmodel for JDK2.0 and Umbrella project developed for Linux security. A typesystem which captures various security policies has been presented based on theproposed calculus. This project report is developed as our master’s thesis at De-partment of Computer Science, Aalborg University, Denmark.

We would like to thank Mr.Hans Huttel for encouraging and challenging usthroughout the development of this project and constantly providing us with newideas and invaluable suggestions, never accepting less than our best efforts.

i

Contents

1 Introduction 21.1 Mobility and Security . . . . . . . . . . . . . . . . . . . . . . . . . 21.2 Mobile Ambients(Review) . . . . . . . . . . . . . . . . . . . . . . 3

1.2.1 The Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . 41.3 The Characteristics of Digital Signature . . . . . . . . . . . . . . 61.4 Java Sandbox Model . . . . . . . . . . . . . . . . . . . . . . . . . 71.5 Blocking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

2 Digital Signature for Mobile Ambients 142.1 Syntax and Semantics . . . . . . . . . . . . . . . . . . . . . . . . 14

2.1.1 Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142.1.2 Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

2.2 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

3 Digitally Signed Ambients 223.1 Signing Ambients . . . . . . . . . . . . . . . . . . . . . . . . . . . 223.2 Syntax and Semantics . . . . . . . . . . . . . . . . . . . . . . . . 24

4 Blocking in Mobile Ambients 324.1 Blocking in Process Calculus . . . . . . . . . . . . . . . . . . . . . 324.2 Blocking on Names: MABN . . . . . . . . . . . . . . . . . . . . . 34

4.2.1 Syntax and Semantics . . . . . . . . . . . . . . . . . . . . 354.2.2 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

4.3 Blocking on Capabilities: MABC . . . . . . . . . . . . . . . . . . . 424.3.1 Syntax and Semantics . . . . . . . . . . . . . . . . . . . . 434.3.2 The Comparison between MABN and MABC . . . . . . . . 47

4.4 Blocking at Ambient level: MABA . . . . . . . . . . . . . . . . . . 484.4.1 Syntax and Semantics . . . . . . . . . . . . . . . . . . . . 494.4.2 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

5 Digitally Signed Ambients with Blocking on Capabilities 545.1 Security Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545.2 Syntax and Semantics . . . . . . . . . . . . . . . . . . . . . . . . 56

ii

5.3 Advantages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

6 A Type System for DSABC 646.1 General Overview of Type Systems . . . . . . . . . . . . . . . . . 646.2 The Ideas of Type System for DSABC . . . . . . . . . . . . . . . . 656.3 Typing Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 666.4 Type Safety . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

7 Conclusion 827.1 Achievements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 827.2 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Appendix 83

A Subject Congruence 84

B Subject Reduction 98

Bibliography 127

iii

List of Figures

1.1 Modeling Safe System using Mobile Ambients . . . . . . . . . . . 61.2 JDK 1.0 Security Model . . . . . . . . . . . . . . . . . . . . . . . 71.3 JDK 1.1 Security Model . . . . . . . . . . . . . . . . . . . . . . . 81.4 Organization of the report . . . . . . . . . . . . . . . . . . . . . . 11

3.1 Modeling of Safe System using DSA . . . . . . . . . . . . . . . . . 30

5.1 Java2 Platform Security Model . . . . . . . . . . . . . . . . . . . 555.2 The Umbrella Model . . . . . . . . . . . . . . . . . . . . . . . . . 565.3 Modeling Safe System using DSABC . . . . . . . . . . . . . . . . . 62

iv

List of Tables

1.1 The syntax of Mobile Ambients . . . . . . . . . . . . . . . . . . . 41.2 The free names of Mobile Ambients . . . . . . . . . . . . . . . . . 5

2.1 The syntax of DISA . . . . . . . . . . . . . . . . . . . . . . . . . 162.2 The free names of DISA . . . . . . . . . . . . . . . . . . . . . . . 162.3 The syntactic conventions of DISA . . . . . . . . . . . . . . . . . 172.4 The structural congruence of DISA . . . . . . . . . . . . . . . . . 182.5 The reduction rules of DISA . . . . . . . . . . . . . . . . . . . . . 19

3.1 The syntax of DSA . . . . . . . . . . . . . . . . . . . . . . . . . . 253.2 The free names of DSA . . . . . . . . . . . . . . . . . . . . . . . . 253.3 The syntactic conventions of DSA . . . . . . . . . . . . . . . . . . 263.4 The definition of structural congruence . . . . . . . . . . . . . . . 273.5 The reduction Rules of DSA . . . . . . . . . . . . . . . . . . . . . 29

4.1 The syntax of MABN . . . . . . . . . . . . . . . . . . . . . . . . . 364.2 The free names of MABN . . . . . . . . . . . . . . . . . . . . . . . 364.3 The syntactic conventions of MABN . . . . . . . . . . . . . . . . . 364.4 The structural congruence of MABN . . . . . . . . . . . . . . . . . 374.5 The reduction rules of MABN . . . . . . . . . . . . . . . . . . . . 394.6 The syntax of MABC . . . . . . . . . . . . . . . . . . . . . . . . . 444.7 The free names of MABC . . . . . . . . . . . . . . . . . . . . . . . 444.8 The syntactic conventions of MABC . . . . . . . . . . . . . . . . . 444.9 The structural congruence of MABC . . . . . . . . . . . . . . . . . 454.10 The reduction rules of MABC . . . . . . . . . . . . . . . . . . . . 464.11 The syntax of MABA . . . . . . . . . . . . . . . . . . . . . . . . . 494.12 The free names of MABA . . . . . . . . . . . . . . . . . . . . . . . 494.13 The syntactic conventions of MABA . . . . . . . . . . . . . . . . . 504.14 The structural congruence of MABA . . . . . . . . . . . . . . . . . 514.15 The reduction rules of MABA . . . . . . . . . . . . . . . . . . . . 52

5.1 The syntax of DSABC . . . . . . . . . . . . . . . . . . . . . . . . 575.2 The free names of DSABC . . . . . . . . . . . . . . . . . . . . . . 575.3 The syntactic conventions of DSABC . . . . . . . . . . . . . . . . 58

v

5.4 The structural congruence of DSABC . . . . . . . . . . . . . . . . 595.5 The reduction rules of DSABC . . . . . . . . . . . . . . . . . . . . 60

6.1 Typing Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Chapter 1

Introduction

This report describes two security mechanisms introduced into Mobile Ambients[1]:digital signature and access control for migrating processes. This calculus isnamed as Digitally Signed Ambients with Blocking on Capabilities (DSABC). Thisidea emerged while investigating the concept of mobile ambients and the securitymechanism in Internet.

1.1 Mobility and Security

Mobile Computing is a generic term used to represent the ability to handle infor-mation access, communication and business transaction, that wirelessly connectand use centrally located information or application software while in the state ofmotion. The devices that are involved in mobile computation could be portablewireless computing and communication devices such as laptops, mobile phones,PDA’s etc.

Mobile computation is the notion that running programs need not be forevertied to a single network node. A program can cross barriers, move between dif-ferent networks and be able to execute at different virtual locations. One of themajor concerns in the concept of mobile computation is security. Mobile com-putation has to do with virtual mobility that is mobile software, while mobilecomputing has to do with physical mobility that is mobile hardware.

The major security concerns of mobile computation are:

1. Confidentiality: Confidential information such as passwords, credit cardinformation etc, should not be intercepted by third parties when transmit-ted over the Internet.

2. Integrity: It ensures that confidential information should not be gainedaccess, modified or destroyed during the transit.

1

3. Accountability: It ensures that all the entities in the network are heldresponsible for their activities. For example we would not want migratingprocesses over the network to wreak havoc at the receiving site. In such acase we should be able to track the responsible entity.

4. Availability: It ensures that the authorized entities always have access tothe desired services. Attacks like denial of service must be prevented.

5. Legitimate use: It must ensure that only intended users are allowed togain access to the desired resources. For example, network servers shouldbe safeguarded against intrusion from unwanted parties.

6. Access Control: It refers to practice of restricting entrance to a property.It is implemented by using access rights. In distributed systems some partsof the system have restricted access rights that is not every process shouldbe allowed to have direct access to all the resources. For example, we wouldnot want all the processes to be able to gain access to the operating systemkernel.

1.2 Mobile Ambients(Review)

Ambient calculus [1] is a process calculus devised by Luca Cardelli and AndrewD.Gordon in 1998. The main aim of Ambient calculus is to model new compu-tational phenomena over wide areas network. Ambients are used to representbounded places for computation such as a web page (bounded by a file), a virtualaddress space (bounded by an addressing range), a laptop (bounded by its caseand data ports) etc. Ambients move into and out of other ambients bringingalong moving processes, static processes and possibly other ambients. The threebasic ambient primitives are in , out and open . The following are the maincharacteristics of mobile ambients:

• Each ambient has a name.

• An ambient boundary defines the scope of a computation, therefore estab-lish a container, which may be easily identified.

• An ambient is a collection of agents, i.e. processes, which run directlyinside the ambient. n[P ] is an ambient named n with the running processP inside.

• Ambients can move, i.e. they can enter or exit other ambients.

• An ambient moves with all the subambients and processes inside it. Thismay occur by performing an in or out operation.

2

n namesP, Q ::= processes

(νn)P restriction0 inactivityP |Q composition! P replicationn[P ] ambientM.P action

M ::= capabilitiesin n can enter nout n can exit nopen n can open n

Table 1.1: The syntax of Mobile Ambients

• Movement operations initiated by an ambient on itself are called subjectivemoves, while objective moves are performed by an ambient on the otherambient.

• Ambients can be nested inside other ambients. Each subambient has itsown name and behaves as an independent ambient. One example of nest-ing is: A Java applet is running within a Java Virtual Machine, the JavaVirtual Machine is running within a Web Browser, the Web Browser isrunning within an operating system, the operating system is running on aworkstation.

1.2.1 The Syntax

In the syntax we look at the mobility primitives. The main categories in thesyntax are the processes and their capabilities. The syntax is shown in Table 1.2.1:

Restriction, written as (νn)P , makes the name n private and unique to P . Noother process can use this name for interacting with P . Restriction is a binderand P is its scope. Inactivity, is the process that does not reduce. Composition,written as P |Q means that P and Q are running in parallel. Replication, writtenas ! P, simulates recursion by spinning off copies of P . Ambient, written as n[P ],is composed of two parts (it is a binary operator) where n is the name of theambient and P is the active process inside it. The square brackets around Pindicate the perimeter of the ambient. If the ambient moves, everything insidemoves with it. Action prefix written as M.P, represents a process where P isenabled only if the prefix M has been consumed. Capabilities can be thought asterms that enable the ambients to perform some actions. An ambient gains theability to go inside ambient n with in n capability. An ambient gains the ability

3

fn((νn)P ) , fn(P )− {n} fn(in n) , {n}fn(0) , ∅ fn(out n) , {n}fn(P |Q) , fn(P ) ∪ fn(Q) fn(open n) , {n}fn(! P ) , fn(P )

fn(n[P ]) , {n} ∪ fn(P )

fn(M.P ) , fn(M) ∪ fn(P )

Table 1.2: The free names of Mobile Ambients

to leave its parent ambient n with out n capability. Ambient n can be dissolvedby the means of open n capability.

The only ambient name binding operator is restriction. The names that arenot bound by a restriction operator are thus free names. We denote by fn(P )the set of free names of process P , Table 1.2 gives the set of free names fn(P ) forMobile Ambients.

We define the bound names bn(P ) as those names created by a restrictionwithin a process P . For example, in (νn)n[Q], n is a bound name. It is possiblethat a name is a bound name and a free name at the same time. For example,in n[0]|(νn)n[0], name n is a free name and also a bound name.

Safe Systems

The main characteristics of safe systems is that the system can avoid harmfulforeign codes over the Internet to enter or be executed. A safe system usuallyprovides access control on the incoming processes based on their source. Wemodel the safe system using various variants of the calculi of mobile ambientsduring the evolution of this project.

Example 1.2.1 Modeling of Safe System using Mobile Ambients:

app1[in sys.P ]|app2[in sys.Q]|sys[T ] → sys[app1[P ]|app2[Q]|T ]

In Example 1.2.1, sys represents a safe system containing the internal resource T .Two applets app1 and app2 can get into the system by exercising in sys capability.We can observe that the system can be modeled using mobile ambients to showthe movement of the applets but the security mechanism cannot be modeledeffectively using mobile ambients due to the following reasons:

• If app1 is trusted whereas app2 is not an trusted ambient. The systemcannot distinguish the two kinds of ambients.

4

• The system does not provide access control on the incoming codes.

The diagrammatic representation of the model of safe system is shown in Fig-ure 1.1.

In sys.P

In sys.Q

T P Q

T

sys

app1

app2

sys

Figure 1.1: Modeling Safe System using Mobile Ambients

1.3 The Characteristics of Digital Signature

A digital signature [2] is a string of bits that is computed from the data trans-mitted and the private key of an entity. The signature can be used to verify ifthe data comes from the correct entity and is not tampered during transit.

The main characteristics of digital signature are:

1. Authenticity: It ensures the correct sender sends the message. This canbe verified through authentication by using the public key correspondingwith the private key used to generate the signature. For example executa-bles transmitted over the Internet. Authenticity is required when an updateclaims to be a security update from Microsoft, the users should be able toverify that the executable does come from Microsoft before they install it .

2. Integrity: It ensures that the message is not altered accidentally or mali-ciously during the transit. For example it should not be possible for somethird party to be able to insert malicious behavior in a security update fromMicrosoft.

3. Non-repudiation: The word non-repudiation is a synonym of non-denialwhich means that it can be verified that the sender and the receiver were

5

the parties who claimed to send or receive the message in case the owner-ship is denied by one of the parties. For example it could happen that whenan user downloads some security update from Microsoft website which hassome malicious behaviors in that case Microsoft should not be able to de-fend themselves by proving that those updates were not downloaded fromtheir website.

1.4 Java Sandbox Model

Sandbox Model JDK1.0

The first sandbox model[3] was introduced in JDK1.0 to provide a restrictedenvironment to run untrusted code. This restricted environment was namedas sandbox and the code running within it was provided only limited accessto resources. The local code was provided complete access to all the systemresources. This model is shown in the Figure 1.2.

Local Code Remote Code

Sandbox

JVM

Valuable Resources

Figure 1.2: JDK 1.0 Security Model

Sandbox Model JDK1.1

The notion of Signed Applet was introduced in JDK1.1. A digitally signedapplet whose signature could be verified by the receiver is treated as the localcode. Unsigned applets or applets whose signature cannot be verified are allowedto run only within the sandbox. The applets along with their signatures, aredelivered in the JAR (Java Archive) format. The concept of signed applet is

6

shown in the Figure 1.3

Local Code Remote Code

Sandbox

JVM

Valuable Resources

Figure 1.3: JDK 1.1 Security Model

Java uses the concept of digital signature[4] to recognize the source of thecode, and restricts the running of codes by using Protection Domain in sandboxmodel.

• Protection Domain: It consists of a set of classes whose instances aregranted the same set of permissions. Those classes coming from the sameCodeSource which is a set of public keys together with a codebase(in theform of url), are usually placed into the same domain according to the pub-lic key which identifies where the classes come from. All code shipped aspart of the JDK is treated as trusted code, and is placed into the systemdomain. All other applets and applications are placed into appropriate do-main, determined by their CodeSource.

• Permission: An applet needs permission for accessing a particular re-source. The security policy in a Java application environment specifieswhich permissions are available for code from a specified CodeSource. Eachpermission typically has a name. In JDK there are a number of built-inpermission types, and additional ones can be configured by the users.

• Policy: It specifies which permissions are available for code from variouscode sources. The source location for the policy information is decided

7

by the policy implementation. The JDK contains a default Policy imple-mentation that obtains its information from static policy configuration files.

• Security Manager: The main functionality of the security manager is tocheck the policy currently in effect and perform access control checks. Thesecurity manager prevents applet code from accessing resources unless it isexplicitly granted permission to do so by an entry in a policy file.

The analysis of the calculus of mobile ambients, advantages and applicationsof digital signatures including the Java Sandbox model, provides us with the mo-tivation to introduce the concept of digital signature into the calculus of mobileambients in the Chapter 2. We introduce a new notion like Java applet into ourcalculus by introducing the concept of code along with two new capabilities authand enter.

1. A new notion of code is introduced. A code is a signed piece of informationwhich needs a carrier that is another ambient for its movement.

2. All the information(processes) contained within the code are passive i.e, itcannot undergo any changes within the boundaries of the code.

3. The code is considered to be signed by default, and its signature is generatedby encrypting the hash value of its contents with the key k.

4. A code is represented as m{P}sig, where P is the passive process enclosedwithin the code.

5. The auth capability is introduced. The main functionality of this capabilityis to authenticate a piece of code. This is used to ensure that the codecomes from the intended sender. In the following example:

m{P}h(k,P )|a[auth(m, k).Q] → a[P |Q]

The code m is allowed to enter the ambient a if it can be authenticated i.e,if the key k contained within the ambients auth capability matches the keyusing which the code was signed.

6. The enter capability is introduced. The main functionality of this capabilityis to sign a piece of code. The ambient holding the enter capability is theholder of the private key k and hence can sign itself through entering a codewith the matched key in the enter capability. So that the digital signatureof the code is recalculated. In the following example:

8

m{P}h(k,P )|a[enter(m, k).Q] → m{P |a[Q]}h(k,P |a[Q])

The ambient a can enter a code m if it holds the private key k with whichthe code m was originally signed, once ambient enters into the code, thesignature of the code has to be recalculated and hence its digital signaturechanges.

1.5 Blocking

For implementing the concept of access control in mobile ambients, we inves-tigate the concept of blocking in π-calculus [5] by Vivas Frontana in his Phdthesis. The concept of blocking is similar to access control on resources in thereal world. Unix restricts the access to its files using read, write and execute per-missions. The Umbrella model [6] proposed for Linux enforces authentication offiles along with process based mandatory access control at process level, by a setof restrictions for each process, where every process has at least the restrictions ofits parent. The further details of the Umbrella model are mentioned in Chapter 5.

After investigating the concept of blocking in Mobile Ambients, three kindsof possible blocking were introduced:

• Blocking on Names

• Blocking on Capabilities

• Blocking at Ambient level

Out of the three kinds of blocking, the Blocking on Capability is flexible and issimilar to the access control mechanism of Umbrella. The capabilities which areblocked cannot be exercised within the blocking scope. The concept of blockingis explained in detail in Chapter 4.

Ambient calculus is a process calculus used to effectively model the mobilecomputations over the network. Mobile ambients in the real world are like agentswhich are autonomous and intelligent programs that move through the networkinteracting with other services over the network. Security in mobile computa-tion is one of the major concerns which the calculus of Mobile Ambients cannotaddress effectively. That is the main reason we introduce the concept of digitalsignature and access control on migrating processes to ensure more security andsecurity. We develop a new model very similar to sandbox model for Java2 andthe Umbrella project developed for Linux with a few variations. The conceptof digital signature is introduced in the calculus of DSA by signing ambients di-rectly using a private key. Access control on process is captured by introducingthe concept of blocking into mobile ambients. The calculus of Digitally Signed

9

Ambients(DSA), captures the concept of digital signature, while the calculus ofMobile Ambients with Blocking on Capabilities(MABC) captures the property ofaccess control on processes. For capturing both these properties we combine thetwo calculi into one hybrid calculus and name it as Digitally Signed Ambientswith Blocking on Capabilities(DSABC). Advance safety properties like key distri-bution, who can visit whom and minimal blocking for access control on migratingprocesses are captured in its type system.

MobileAmbients CCS

Blocking

Blocking in Pi

DISA

MABNMABC MABA

DSABC

DSA

Figure 1.4: Organization of the report

The report is organized as follows: Chapter 2 describes the review of ourprevious work on Digital Signature for Mobile Ambients(DISA ) along with itssyntax and semantics. In DISA we consider a piece of code to be digitally signedby default. Chapter 3 is a discussion of the extension to the concept of DISA intoDigitally Signed Ambients(DSA). In the new concept of DSA we directly signan ambient instead of using code and describe its syntax and semantics. Chap-ter 4 introduces a new concept of blocking into mobile ambients. In this chapterwe investigate the three different kinds of blocking in mobile ambients namelyBlocking on Names(MABN), Blocking on Capabilities(MABC) and Blocking atAmbient Level(MABA) and describe their syntax and semantics. Chapter 5 de-scribes a hybrid calculus formed by merging the calculus of DSA along with the

10

calculus of MABC and describe its syntax and semantics along with its advan-tages. In Chapter 6 we give a detailed description of type system for the calculusof DSABC. Finally, we conclude in Chapter 7. The organization of this report isshown in Figure 1.4. The arrows in the figure indicate the evolution of the report.

11

Chapter 2

Digital Signature for MobileAmbients

The calculus of Mobile Ambients is effective in representing mobile computationsover complex network structures but has a few security breaches over the opennetwork. It is not secure enough to prevent intrusions and message tampering.The concept of digital signature has been effectively implemented in the realworld to resolve this issue. The calculus of DISA [7] was developed in the previ-ous semester with the main aim to introduce the concept of Digital Signature intomobile ambients. This serves as the foundation for our present work on digitalsignature and blocking in mobile ambients.

2.1 Syntax and Semantics

In this section, we introduce syntax and semantics for DISA .

2.1.1 Syntax

We now introduce the primitives for DISA . We assume there is an infinite set ofnames, N , ranged over by n and m, where n and m are the ambient and codenames respectively, k denotes the key in the digital signature, and C denotesa code group name. Table 2.1 shows the syntax of DISA . The main syntacticcategories are processes, digital signature and capabilities.

All the processes have the same informal meaning as described in mobile am-bients. Two new processes primitives, restriction on code name, (νm : C)P , andcode m{P}sig are introduced.

The process (νm : C)P , creates a new code name m within a scope P , makes

13

the code name private and unique to P , C is a code group name, m belong tocode group C. The new code name can be used to name codes and to be op-erated within ambients by name. No other process can use this code name forinteracting with P .

A code is a bounded area surrounded by delimiters consisting of special kind ofpassive process which is represented as m{P}sig, where P is the passive process,m is the code name, sig is the digital signature which is obtained by encryptingthe hash value of P with a key k. Each code has a name. A code may containother ambients or processes within it. A code can enter an ambient through au-thentication and a code can allow an ambient to enter it through signing.

We define the form of digital signature, h(k, P ) where h is a digital signaturecreation algorithm. It first calculates the hash value of process P , and encryptshash value with the key k. For code m{P}h(k,P ), in h(k, P ), P is always the sameas the P inside the code m.

Two new capabilities are introduced, enter(m, k) can sign m with key k, andauth(m, k) can authenticate m with key k. We will describe the two capabilitiesin the reduction rules.

Table 2.2 gives the set of free names fn(P ) for DISA .

Table 2.3 shows the syntactic conventions of DISA .

2.1.2 Semantics

Structural congruence is a way of identifying processes that we do not want todifferentiate for any semantic reason. Processes of calculus are grouped intoequivalence classes by the relation ≡, which denotes structural congruence toidentify the processes which intuitively represent the same thing. In particular,structural congruence is an important relation because it is used to rearrange theprocess so that they can reduce.

Table 2.4 defines the structural congruence of DISA which inherits seventeenrules from the calculus of mobile ambients, we only comment on the new clausesin the definition.

(Struct ResC): The restriction on code name has no effect on structurallycongruent processes.

14

k keym,n namesC code group name

P, Q ::= processes(νm : C)P restriction on code name(νn)P restriction on ambient name0 inactivityP |Q composition! P replicationn[P ] ambientM.P actionm{P}sig code

sig ::= h(k, P ) digital signature

M ::= capabilitiesin n can enter nout n can exit nopen n can open nenter(m, k) can sign m with key kauth(m, k) can authenticate m with key k

Table 2.1: The syntax of DISA

fn((νm : C)P ) , fn(P )− {m} fn(h(k, P )) , {k} ∪ fn(P )

fn((νn)P ) , fn(P )− {n} fn(in n) , {n}fn(0) , ∅ fn(out n) , {n}fn(P |Q) , fn(P ) ∪ fn(Q) fn(open n) , {n}fn(! P ) , fn(P ) fn(enter(m, k)) , {m, k}fn(n[P ]) , {n} ∪ fn(P ) fn(auth(m, k)) , {m, k}fn(M.P ) , fn(M) ∪ fn(P )

fn(m{P}sig) , {m} ∪ fn(P ) ∪ fn(sig)

Table 2.2: The free names of DISA

15

(νm : C)P |Q is read ((νm : C)P )|Q(νn)P |Q is read ((νn)P )|QM.P |Q is read (M.P )|Q

(νn1 . . . nj)P , (νn1) . . . (νnj)P

n[] , n[0]

m{}sig , m{0}sig

M , M.0

Table 2.3: The syntactic conventions of DISA

(Struct Res ResC): More than one restriction of different names is appliedon a process consecutively, the order of restrictions does not matter.

(Struct Code): If P ≡ Q then m{P}h(k,P ) and m{Q}h(k,Q) shows the samebehavioral properties, even if they have different hash values.

(Struct ResC Par): m /∈ fn(P ), means m is not bound within process P ,therefore (νm : C)(P |Q) ≡ P |(νm : C)Q is obtained.

(Struct Zero ResC): The restriction on code name has no effect on inactivity.

We now introduce reduction relation → to identify the behavior of processes.

The calculus of DISA expresses mobility through the migration of processes,from one locality to another. The meaning of computation is represented by theinteraction among codes and ambients. Ambients, with the appropriate capabil-ity, can enter other ambients, an ambient from inside can exit or a boundary canbe dissolved, an ambient can allow a code to enter it or an ambient can entera code. These are the basic actions that define computation in the calculus ofDISA . The reduction relations as mathematical tool capture those basic move-ments.

The Reduction rules of DISA inherits seven rules from the calculus of mobileambients, table 2.5 gives all the reduction rules.

For the two rules (Red Enter) and (Red Auth), the code and ambientmust be at the same level.

(Red Enter) It expresses the ambient n can enter a code m if n has the samekey k with which the code m was signed, after the ambient enters the code, the

16

P ≡ P (Struct Refl)P ≡ Q

Q ≡ P (Struct Symm)

P ≡ Q,Q ≡ R

P ≡ R(Struct Trans)

P ≡ Q

(νm : C)P ≡ (νm : C)Q(Struct ResC)

P ≡ Q

(νn)P ≡ (νn)Q(Struct Res)

P ≡ Q

P |R ≡ Q|R (Struct Par)

P ≡ Q

! P ≡! Q (Struct Repl)

P ≡ Q

n[P ] ≡ n[Q] (Struct Amb)

P ≡ Q

M.P ≡ M.Q(Struct Action)

P ≡ Q

m{P}h(k,P ) ≡ m{Q}h(k,Q)(Struct Code)

P |Q ≡ Q|P (Struct Par Comm)(P |Q)|R ≡ P |(Q|R) (Struct Par Assoc)! P ≡ P |! P (Struct Repl Par)(νm : C)(νm

′: C

′)P ≡ (νm

′: C

′)(νm : C)P (Struct Res ResC)

(νn)(νn′)P ≡ (νn

′)(νn)P (Struct Res Res)

(νm : C)(P |Q) ≡ P |(νm : C)Q if m /∈ fn(P ) (Struct ResC Par)(νn)(P |Q) ≡ P |(νn)Q if n /∈ fn(P ) (Struct Res Par)(νn)(n

′[P ]) ≡ n

′[(νn)P ] if n 6= n

′(Struct Res Amb)

P |0 ≡ P (Struct Zero Par)(νn)0 ≡ 0 (Struct Zero Res)(νm : C)0 ≡ 0 (Struct Zero ResC)! 0 ≡ 0 (Struct Zero Repl)

Table 2.4: The structural congruence of DISA17

a[in b.P |Q] | b[R] → b[R|a[P |Q]] (Red In)b[a[out b.P |Q]|R] → b[R] |a[P |Q] (Red Out)open a.P | a[Q] → P | Q (Red Open)m{P}h(k,P ) | a[enter(m, k).Q|R] → m{P |a[Q|R]}h(k,P |a[Q|R]) (Red Enter)m{P}h(k,P ) | a[auth(m, k).Q|R] → a[P |Q|R] (Red Auth)

P → Q

(νn)P → (νn)Q(Red Res)

P → Q

(νm : C)P → (νm : C)Q(Red ResC)

P → Q

n[P ] → n[Q] (Red Amb)

P → Q

P |R → Q|R (Red Par)

P ′ ≡ P, P → Q,Q ≡ Q′

P ′ → Q′ (Red ≡)

Table 2.5: The reduction rules of DISA

signature of the code has to be recalculated and hence its signature changes.

(Red Auth) It expresses the ambient n allows the code m to enter it and acti-vate processes P if the key k contained in its auth capability matches the key kwith which the code m was signed.

(Red ResC) It means the restriction has no effect on the internal event withinthe restriction scope.

2.2 Discussion

In the DISA , we introduce the concept of code. We also introduced the interac-tion among codes and ambients, an ambient can allow a code to enter it or viceversa. In practice, one interesting feature of the calculus of DISA is the possibil-ity to capture problems related to network security.

An ambient can be considered to be an administrative domain, such as aPDA, and the process inside it accepts only trusted codes. Consider the follow-

18

ing process:

P = m{Q}h(k,Q) | m{R}h(k′,R) | b[auth(m, k)|S]

There are two codes having the same name m signed using two different keys,k and k′. If the two codes want to enter ambient b, according to the (Red Auth)rule, if the k in m is the same as the k in auth capability, then the code m with thek can enter ambient b, another code m with k′ is rejected. If m with k added toPDA that the process Q can interact with the process S. All data held on PDAis fully protected, because only the trusted code is allowed to enter the PDA.DISA has been developed to capture the notion of digital signatures. In the realworld we assume signed applets to be similar to code in our calculus. An attemptwas made to model the concept of digital signature into mobile ambients. Thereare still scope of improvements as follows:

1. The code is static that is it cannot move by itself. Movement is possibleonly with the use of a carrier.

2. All the processes within the code are passive that means reductions cannothappen within the code which may not be true in the real world.

3. The model of DISA is based on the sandbox model of Java1 and not thelatest sandbox model of Java2. In DISA , the untrusted code is not allowedto enter the system where as trusted code is given complete access to allthe system resources.

4. There is no key distribution i.e, it cannot be made sure if the code wasindeed signed by the desired signatory.

5. The concept of code and ambients is not unified. That is we consider codeand ambients to be two separate entities.

19

Chapter 3

Digitally Signed Ambients

In this chapter, we introduce the calculus of Digitally Signed Ambients. In Sec-tion 3.1, we investigate the applications of DISA , its weakness, and introduce thenew concept of digitally signed ambients based on mobile agents. In Section 3.2,we give the formal definition of the calculus of digitally signed ambients, anddiscuss its security concerns.

3.1 Signing Ambients

In DISA , an ambient can be signed by a code by exercising the enter capability,as a result the ambient enters the code and becomes a static process. If this codeis authenticated by another ambient, then the static processes contained withinthe code become active, enters the authenticating ambient and becomes a part ofit. A code is a passive process which cannot move by itself but can only be carriedby other ambients. A code can be used to store ambients in passive state, andguarantee integrity of the stored ambients by signing them using digital signature.

DISA can be used to model the traditional view of remote code: The sourcesite signs the code with its private key, and sends the signed code to the destina-tion site; the destination site authenticates the code with the public key of thesource site, then activates the code as processes in case of successful authentica-tion; during transit, the code cannot be altered, hence it cannot execute by itself.For example, a signed applet downloaded from a website is a static Java bytecode, which can be executed after its authentication at the destination. Appletsare always treated as passive objects until they are executed.

However, it is believed that the current trends in Internet technology lead tothe use of mobile agents [8], which are different from Java applets. Mobile agentsare programs that can migrate from host to host in a network, decided by their

21

own choosing according to the times, places and other environmental factors. Thestate of the running program is saved, transported to the new host, and restored,allowing the program to continue where it left. Because mobile agents can makedecision and move by themselves, they can run as they move. Mobile agents canbe treated as some autonomous subjects.

The calculus of mobile ambients is a mathematic model for mobile agents. Inmobile ambients, a transporting ambient containing some critical information orprocesses can be a subambient of a source host ambient; then the transportingambient moves itself into a destination host ambient through a series of reduc-tions, and maybe travel across other untrustful ambients during the transit. Thisarises some security concerns as following:

• How does the destination host ambient identify that the transporting am-bient comes from the source host ambient it expects?

• How dose the destination host ambient guarantee that the transportingambient is not inserted some harmful processes by those untrustful ambientsduring the transit?

As a solution for these security concerns, instead of signing ambients throughstatic code, we can sign ambients directly.

n[P ]k denotes a digitally signed ambient. n is the ambient name, P is theprocess, k is the key which is used to sign process P . Traditionally if a processis digitally signed, it is supposed not to be changed during transit. However,a digitally signed ambient should keep the capabilities of autonomous mobility,so that the process enclosed by the signed ambient always changes, how do weexplain this? We can understand it like this: if an action is initiated by anambient, the ambient should be able to recalculate its own digital signature sincethe process enclosed by the ambient is changed; on the contrary, a digitally signedambient does not allow to be changed by other ambients. For example:

P = a[in b.S]k|b[T ]Q = a[in b.S]k|b[T ]k′

P can be reduced to b[T |a[S]k], ambient a can enter ambient b. After in b isconsumed, the process enclosed by ambient a is naturally changed, the signatureis recalculated by ambient a and it becomes a[S]k. On the contrary, in processQ, in b cannot be executed, because ambient b is digitally signed, it will preventthe change initiated by ambient a.

The only way to change a digitally signed ambient is that the action is initiatedby this digitally signed ambient. auth capability can be initiated by a digitallysigned ambient. For example:

22

a[S]k|b[auth(a, k).T ]k′ → b[T |a[S]]k′

Ambient b authenticate digitally signed ambient a with key k, then ambient abecome unsigned and trusted by ambient b, so that ambient a become a subambi-ent of ambient b. auth(a, k) is initiated by signed ambient b, so that it can accepta trustful ambient through authentication and changes its own digital signature.

There is another case we have to consider: if an event only happen within adigitally signed ambient, how dose this ambient deal with it? For example, inn[a[in b]|b[0]]k, ambient a can enter ambient b, this is an internal event for ambi-ent n. Because ambient a and ambient b are subambients of ambient n, we cantake them as parts of ambient n, so that the internal event can be regarded asan internal action of ambient n. Since we understand the internal action withinan ambient is also initiated by the ambient, the ambient can still recalculate thedigital signature after its enclosed process changes.

In general, an action is related with a subject and an object(In case of theinternal event, it is only related a subject), the action is initiated by the subject,the subject can change its own digital signature. And if the object is digitallysigned, its digital signature cannot be changed by the subject, so that it canprevent any change caused by the environment and guarantee the integrity ofthe process. We will give the formal definition of the calculus of Digitally SignedAmbient(DSA) in Section 3.2.


Table 3.1 gives the formal definition of the syntax of Digitally Signed Ambients.All the processes have the same meaning as described in section 5.2 except, forone new process, i.e, signed ambient. Ambient is signed directly and it is writtenas:

n[P ]s

Where n is the name of the ambient, P is the process running inside the ambientand s can be either key k or an empty key. When s = k, n is signed ambient. Aswe have seen in DISA , signed ambient can be written as n[P ]h(k,P ), where h(k, P )is the digital signature obtained by encrypting the hash value of the process Pusing key k. But for simplicity, we write signed ambient as n[P ]k. When s = ε,n is normal ambient, which can be opened by any process who holds open ncapability. The digital signature of a signed ambient can be changed by itself orby its enclosed subambients or by any process who holds the sign capability withthe corresponding key.

23

n namess ::= k|ε key

P, Q ::= processes(νn)P restriction0 inactivityP |Q composition! P replicationn[P ]s signed ambientM.P action

M ::= capabilitiesin n can enter nout n can exit nopen n can open nauth(n, k) can authenticate n with key ksign(n, k) can sign n with key k

Table 3.1: The syntax of DSA

Table 3.2 shows the definition of free names of DSA. The only differencefrom that of DISA is fn(n[P ]s). In DISA , the ambient is a normal ambient, buthere it is a signed ambient. Therefore, we should also consider the free names of s.

Table 3.3 shows the definition of syntactic conventions of DSA. Most of themare similar to the syntactic conventions of mobile ambients. The only differenceis with signature. If s = k then that ambient is read as a singed ambient. Ifs = ε, the ambient is read as a normal ambient.

fn((νn)P ) , fn(P )− {n} fn(in n) , {n}fn(0) , ∅ fn(out n) , {n}fn(P |Q) , fn(P ) ∪ fn(Q) fn(open n) , {n}fn(! P ) , fn(P ) fn(sign(m, k)) , {m, k}fn(n[P ]s) , {n} ∪ fn(P ) ∪ fn(s) fn(auth(m, k)) , {m, k}fn(M.P ) , fn(M) ∪ fn(P ) fn(ε) , ∅fn(k) , {k}

Table 3.2: The free names of DSA

24

(νn)P |Q is read ((νn)P )|QM.P |Q is read (M.P )|Q

(νn1...νnm)P , (νn1)...(νnm)P

n[P ]ε , n[P ]

n[]s , n[0]sM , M.0

Table 3.3: The syntactic conventions of DSA

Table 3.4 shows the definition of structural congruence of DSA. The new rulesare explained as follows:

(Struct Amb) : If processes P and Q which are enclosed in ambient n, arestructurally equivalent, then even though the digital signatures of the ambientsare different, the two ambients show the same behavioral properties.

(Struct Res Amb) : This rule is the same as in Mobile Ambients. Inaddition to the Struct Res Amb, the following should be emphasized:

(νn)(n′[P ]k) 6≡ n

′[(νn)P ]k

The two processes (νn)(n′[P ]k) and n

′[(νn)P ]k are not structurally equivalent.

Since the restriction present in (νn)(n′[P ]k) is not signed, it can extend its scope.

Where as the restriction present in n′[(νn)P ]k is signed, therefore it can not ex-

tend its scope.

Table 3.5 shows the reduction rules of DSA.

(Red In): Reduction In can be performed only when an ambient enters anunsigned ambient. As shown in Table 3.5 an ambient n tries to enter unsignedambient m. The reason is when the capability in m is exercised within the am-bient n, the contents of n changes accordingly. However, a subject can changeits own digital signature, by exercising the in capability which will changes thedigital signature of n. In contrast, subject can not change the digital signature ofthe object. When n enters m, the contents of m will automatically be changed.Hence, if m is a signed ambient, the digital signature of m has to be changed byn, which is not reasonable and hence the In reduction is not possible.

(Red Out): Reduction Out can be performed only when an ambient movesout of an unsigned ambient. In Red Out rule the ambient n tries to move outof an ambient m. Here ambient n is subject, which can change its own contentsby exercising out capability. When ambient n moves out from m, if m is a

25



P ≡ Q,Q ≡ R


P ≡ Q


P ≡ Q


P ≡ Q


P ≡ Q

n[P ]s ≡ n[Q]s(Struct Amb)

P ≡ Q


P |Q ≡ Q|P (Struct Par Comm)(P |Q)|R ≡ P |(Q|R) (Struct Par Assoc)! P ≡ P |! P (Struct Repl Par)(νn)(νn

′)P ≡ (νn


(νn)(P |Q) ≡ P |(νn)Q if n /∈ fn(P ) (Struct Res Par)(νn)(n

′[P ]) ≡ n

′[(νn)P ] if n 6= n

′(Struct Res Amb)

P |0 ≡ P (Struct Zero Par)(νn)0 ≡ 0 (Struct Zero Res)! 0 ≡ 0 (Struct Zero Repl)

Table 3.4: The definition of structural congruence

26

signed ambient, digital signature of m has to be changed by subject n, which isnot reasonable. Therefore, if m is signed ambient, Red Out can not be possible.

(Red Open): Only an unsigned ambient can be opened. In Red Open ruleprocess P tries to open the ambient n through open capability. Therefore, if nis signed ambient, it can not allow other processes to dissolve its boundary.

(Red Auth): Reduction Auth is special type of reduction rule, the onlyway in which subject can accept the signed ambient. Here ambient n tries toauthenticate a signed ambient m through auth capability. In general, a subjectcan not change the digital signature of an object. But in this rule, since ambientn holds valid public key, it can accept the signed ambient m. Therefore, afterauth capability is exercised, ambient n changes its own contents, hence digitalsignature of ambient n is recalculated.

(Red Sign): Reduction Sign is performed only when a process who holdsvalid private key, signs an unsigned ambient.

(Red Amb): In n[P ]k, it is understood that P is actively running, and thatP can be the parallel composition of several processes. We emphasize that P isrunning even when the surrounding ambient is moving. As we know the digitalsignature of an ambient can be changed by itself or by its enclosed ambients, weexpress the fact that any reduction of the process which is enclosed in an signedambient will lead to recalculation of the hash value of that ambient.

Example 3.2.1 Modeling of the Secure Systems using DSA.

app1[auth(app3, k3)|P ]k1|app2[Q]k2|app3[R]k3|app4[R]k4 |sys[auth(app1, k1)|auth(app4, k4)|auth(app2, k5)|auth(app2, k5).T3|pri[X]|pub[Y ]]kj

→ app1[app3[R]|P ]k1|app2[Q]k2|app4[R]k4|sys[auth(app1, k1)|auth(app4, k4)|auth(app2, k5)|pri[X]|pub[Y ]]kj

→ app2[Q]k2|sys[app1[app3[R]]|auth(app2, k5)|app4[Q]|pri[X]|pub[Y ]]kj

In this model we consider four applets namely app1 to app4. The resource T ofSecure Systems can be considered to be a combination of a private resource(pri[X]),public resource(pub[Y ]) and some additional processes. The model of the systemusing DSA is shown in the Figure 3.1.

In the first reduction the app3 is authenticated by app1. In the second reduc-tion app3 and app4 are authenticated and hence have access to all the resources

27

within the ambient where as app2 cannot be authenticated as the key does notmatch. From the reductions above it is evident that digitally signed ambientscan distinguish between trusted and untrusted code. There are a few problemswhich still persist such as:

• In the first reduction we can see that the ambient app1 trusts the key k3 ofthe ambient app3 and hence authenticates it. There could be a case wherethe key k3 is not trusted by the Secure System but we see from the reduc-tion that even then app3 ends up within system gaining access to all thesystem resources. This could be taken as a Trojan horse example whereambient app1 acts as the horse.

• In the second reduction, we can see that the system trusts the key of app1

and app4 which are allowed access to all the resources within the system,but this mechanism is not flexible as it is similar to the Java sandbox modelof JDK1.1 where the applet is either given complete access to the resourceor no access at all. We need to device a more flexible mechanism for accesscontrol on processes. That is to provide different access control for differentprocesses based on their sources.

app1 app2 app3 app4

sys

1

app3

app1 app2 app42

k3k1 k2 k4

app2 sys

sys

app3app1 app4

ks

ksk4k2k3

ks

ksk2

Figure 3.1: Modeling of Safe System using DSA

Security Concerns

29

Security is a major concern in mobile agents. For example in the followingreduction:

open n.P |n[Q]ε → P |Q

An open operation dissolves the boundary of the ambient n. From the pointof view of P , we cannot predict the behavior of Q when it is unleashed. Fromthe point of view of Q, its environment is being ripped open. This is a securityconcern as there could be a case where the ambient n does not wish its boundaryto be dissolved but there is no mechanism to prevent it. This is one of thereasons why we introduce the concept of blocking which will be described in thechapter 4.

30

Chapter 4

Blocking in Mobile Ambients

In this chapter, we introduce the three kinds of blockings into Mobile Ambi-ents. In Section 4.1, the concept of blocking in Calculus for CommunicatingSystem(CCS ) and π calculus is investigated; in Section 4.2, the calculus of Mo-bile Ambients with Blocking on Names is introduced; in Section 4.3, the calculusof Mobile Ambients with Blocking on Capabilities is introduced; in Section 4.4,the calculus of Mobile Ambients with Blocking at Ambient Level is introduced.

4.1 Blocking in Process Calculus

In CCS [9], the concept of blocking is introduced as restriction. The following isthe syntax of CCS :

P ::= K∣∣ α.P

∣∣ P + P∣∣ P |Q

∣∣ P [f ]∣∣ P\L

K is the process name; α.P is the prefix, that means P can be executed only afteraction α is executed; P + P is the nondeterministic process; P |Q is parallelism;P [f ] is relabeling, which is equivalent with substitution defined by f ; P\L isrestriction, which blocks any process out of P to use port names in L. Thefollowing is one example to represent the usage restriction[10]:

CMdef= coin.coffee.CM

CSdef= pub.coin.coffee.CS

CS ′ def= pub.coin.coffee.CS

SmUnidef= (CM |CS)\coin\coffee

CM is a process that represents a coffee machine which accept a coin and thenoutput a coffee; CS is a process that represents a computer scientist who is ini-tially keen to produce a publication, then needs to get coffee from CM and makethe next publication. CS ′ is another computer scientist who competes for the

31

resource coffee machine with CS inside process CM |CS|CS ′. In order to makethe coffee machine private for CS, the restriction on port names coin and coffeeis used to block any process other than CM and CS to know these port names,therefore the port names coin and coffee in CS ′ do not mean the same channelsexpressed by the same port names coin and coffee in SmUni.

In his PhD thesis [5], Vivas Frontana introduced the concept of blocking intoπ-calculus, which is different from the concept of restriction in π-calculus, but itis similar as the concept of restriction in CCS. The following is the syntax of thefirst-order π-calculus with blocking:

P ::= 0∣∣ xy.P

∣∣ x(y).P∣∣ τ.P

∣∣ ν(x)P∣∣ [x = y]P

∣∣P |P

∣∣ P + Q∣∣ A(y1, · · · , yn)

∣∣ P\z (4.1)

0 is the inactivity; xy.P is the output prefix, which sends the channel name yalong the channel x before continuing as P; x(y).P is the input prefix, whichinputs an arbitrary name z from the channel x before continuing as P{z\y}; τ.Pis the prefix whose action is a silent action; ν(x)P denotes a process P in whichoccurrences of x in P are bound by ν(x); the match [x = y]P acts as 0 if itis not the case that x = y, otherwise as P ; P |P is the parallelism; P + Q isthe summation which represents alternative choice; A(y1, · · · , yn) is the identifierwhich defines a process template.

The blocking operator in π-calculus is denoted by P\a. It works as a firewallwhich prevents any kind of communication through the channel a between pro-cess P and its environment, but allows the communication of the channel namea across the firewall. Therefore the blocking operator merely restricts the com-munication capabilities of channel a by the means of name space management,that the name a appeared out of the scope of the blocking does not bind with thename a appeared within the scope of the blocking. In addition, the most signif-icant difference between restriction and blocking is that the scope of restrictioncan be extruded through communication of the restricted name but the scope ofblocking cannot be extruded in any way, even if the blocked names are leakedout of the blocking scope through communications. The following is an exampleto explain the above description:

P = xa.a(y).RQ = x(z).zb.S

For process ν(a)P |Q, it is structural equivalent with process ν(a)(P |Q). Whenchannel name a is transferred from P to Q, the scope of the restriction is expandedto Q according to the semantic rules of π-calculus, which is a mechanism calledextrusion of the restriction scope. (νa)(P |Q) have the following reductions:

32

ν(a)(xa.a(y).R|x(z).zb.S) → ν(a)(a(y).R|ab.S{a\z}) → ν(a)(R{b\y}|S{a\z})

On the contrary, process P\a|Q is not structurally equivalent to the process(P |Q)\a. In the first reduction step, channel name a can go through the blockingthrough the communication along channel x, so that name a is leaked out of theblocking scope:

xa.a(y).R\a|x(z).zb.S → a(y).R\a|ab.S{a\z}

After this step, the communication along a can not happen, because the block-ing on name a divides the process into two different name spaces, where name awithin the blocking scope cannot bind with name a out of the blocking scope.

We can see that the two calculi above have the similar constructs in terms ofblocking, and they also have the similar constructs as mobile ambients, such asinactivity, parallelism and prefix, so that it is feasible to introduce the conceptof blocking into the calculus of Mobile Ambients. In this chapter, we try tointroduce the concept of blocking into the calculus of Mobile Ambients which ismore complex than introducing blocking in CCS and π-calculus. In this chapter,we propose the three different calculi for blocking in the following sections: inSection 4.2, we introduce Mobile Ambients with Blocking on Names(MABN); inSection 4.3, we introduce Mobile Ambients with Blocking on Capabilities(MABC);in Section 4.4, we introduce Mobile Ambients with Blocking defined at AmbientLevel(MABA).

4.2 Blocking on Names: MABN

In mobile ambients, any action in terms of movement has a subject and an object.For example, in a[in b], for the action in b, ambient a is the subject, ambient bis the object, a takes the action on b, finally it will enter b. The blocking in π-calculus[11][5] prohibits any communication between processes within and out ofthe scope of blocking along any blocked channel name. Similarly the blocking onnames in mobile ambients can prohibit the actions applied on the objects whosenames are out of the scope of the blocking, and we denote P\a as name a isblocked on process P . The following is one example:

P = a[in b]|b[0]Q = (a[in b])\b|b[0]R = a[in b]|(b[0])\b

In P , it is evident that a can enter b after in b is exercised. In Q, a cannot enterb, because ambient b outside the blocking scope cannot be referenced by name bwithin the blocking scope, that b within in b does not bind with ambient b. Forthe same reason, within R, the action in b cannot be taken by ambient a, name b

33

outside the blocking scope cannot bind with ambient b within the blocking scope.Therefore, we can say that blocking on names can make effect bi-directionally onprocesses within the scope and out of the scope.

This section introduces the calculus of MABN. The subsection 4.2.1, gives theformal definition of this calculus and its explanation. In subsection 4.2.2, sometopics about this calculus are discussed.

4.2.1 Syntax and Semantics

Table 4.1 gives the formal definition of the syntax of MABA. It is assumed thatan infinite set of names N ranges over ambient names. P\N denotes that theambient names belonging to N are blocked within the scope of process P . Whenset N has only one element such as n, it can be written as P\n. The other syn-tactic elements have the same meaning as the calculus of Mobile Ambients.

Table 4.2 shows the definition of free names in MABN. The rule fn(P\N) ,fn(P ) ∪N tries to collect the free names in the blocking set.

Table 4.3 shows the syntactic conventions of MABN.

Table 4.4 gives the definition of structural congruence of MABN. Most ofthem are the same as in Mobile Ambients. The introduction of blocking opera-tion brings some new rules which are explained as follows:

(Struct Block): Blocking has no effects on the internal events within thescope of the blocking.

(Struct Block Empty): A process without blocking is equivalent with theprocess with blocking of empty names set. Hence, general reduction rules for thiscalculus are possible.

(Struct Block Union): Two consecutive blockings can be combined withunion of the two blocking name sets. This gives another rule: P\N\N ′ ≡ P\N ′\N .

(Struct Zero Block): Any blocking on inactivity does not make any effect.

(Struct Block Par Symm): The blocking on names makes the same effecton bi-directions.

(Struct Res Block): If there is no shared name between restriction andblocking on names, they make no effect with each other.

34

n namesN sets of names

P, Q ::= processes(νn)P restriction on ambient name0 inactivityP |Q composition! P replicationn[P ] ambientP\N blocking on ambient namesM.P action


Table 4.1: The syntax of MABN

fn((νn)P ), fn(P )− {n} fn(M.P ) , fn(M) ∪ fn(P )

fn(0) , ∅ fn(in n) , {n}fn(P |Q) , fn(P ) ∪ fn(Q) fn(out n) , {n}fn(! P ) , fn(P ) fn(open n), {n}fn(P\N) , fn(P ) ∪N fn(n[P ]) , fn(P ) ∪ {n}

Table 4.2: The free names of MABN

P |Q\N is read P |(Q\N)(νn)P |Q is read ((νn)P )|QM.P |Q is read (M.P )|Q

(νn1 . . . nm)P , (νn1) . . . (νnm)P

n[] , n[0]

()\N , (0)\N

M , M.0

Table 4.3: The syntactic conventions of MABN

35



P ≡ Q, Q ≡ R


P ≡ Q

P\N ≡ Q\N(Struct Block)

P ≡ Q


P ≡ Q


P ≡ Q


P ≡ Q


P ≡ Q



′)P ≡ (νn



′[P ]) ≡ n

′[(νn)P ] if n 6= n

′(Struct Res Amb)

P |0 ≡ P (Struct Zero Par)(νn)0 ≡ 0 (Struct Zero Res)! 0 ≡ 0 (Struct Zero Repl)P\∅ ≡ P (Struct Block Empty)P\N\N ′ ≡ P\N∪N ′ (Struct Block Union)0\N ≡ 0 (Struct Zero Block)(P )\N |Q ≡ P |(Q)\N (Struct Block Par Symm)(νn)(P\N) ≡ ((νn)P )\N if n /∈ N (Struct Res Block)

Table 4.4: The structural congruence of MABN

36

In addition, the following should be emphasized:

n[P\N ] 6≡ n[P ]\N

P\N |Q\N 6≡ (P |Q)\N

In n[P\N ], the blocking of N is carried on by ambient n as a part of ambientn. For example, n[in m.Q\N ]|m[R] can be reduced to m[R|n[Q\N ]] in the caseof m /∈ N , the blocking is carried by ambient n. On the contrary, in n[P ]\N ,after ambient n exercises some capability in terms of movements, it can jump outof the blocking scope of N . For example, n[in m.Q]\N |m[R] can be reduced to()\N |m[R|n[in m.Q]]. Hence blocking has different effects on an ambient withinand out of it.

In (P |Q)\N , P can interact with Q through some names, even though someof these names belong to the blocking N , because P and Q are within the samescope of Blocking, according to (Red Block), this blocking makes no effecton the internal event within the scope of this blocking. On the contrary, forP\N |Q\N , P cannot interact with Q through names belonging to N .

Table 4.5 shows the reduction rules of MABN.

In order to express that a reduction is managed by multi-level blocks, thefollowing evaluation context is defined:

Definition 4.2.1 (Evaluation Context)

C N(| |) ::= (| |)\N

∣∣ (C N ′(| |)|P )\N ′′(N = N ′ ∪N ′′) (4.2)

where N , N ′ and N ′′ are three blocked name sets, P is an arbitrary process. (| |)is a hole which can be filled up with any process, capability or another evaluationcontext.

From (Red In) (Red Out) (Red Open), an action can occur if there is noname blocking on its object along the way its subject moves. Additionally, theblocking scope is fixed relative to the ambient in which it resides, ambients canmove into or out of blocking scopes by entering into or exit from ambients, andthe blocking within one ambient has to be moved along with the ambient.

From (Red Block), we can see that, the blocking makes no effect on theevent happening within the scope of the blocking.

37

C N(| a[C N ′(| in b.P |)]|Q|)|C N ′′

(| b[R]|)→ C N(|Q|)|C N ′′

(| b[R|a[C N ′(| P |)]]|)(b /∈ N ∪N ′ ∪N ′′) (Red In)

b[C N(| a[C N ′(| out b.P |)]|Q|)] → b[C N(|Q|)]|a[C N ′

(| P |)](b /∈ N ∪N ′) (Red Out)

C N(| open b.P |)|C N ′(| b[Q]|) → C N(| P |)|C N ′

(|Q|)(b /∈ N ∪N ′) (Red Open)

P → Q


P → Q


P → Q


P → Q

P\N → Q\N

(Red Block)

P ′ ≡ P, P → Q, Q ≡ Q′

P ′ → Q′ (Red ≡)

Table 4.5: The reduction rules of MABN

38

4.2.2 Discussion

The introduction of blocking on names into mobile ambients brings some newinsights on name space management, and it is also worth comparing blockingwith restriction. We will have some discussion on these topics in the following.

1. Name Space Management and Dynamic Name Binding

Blocking on names can be considered as a mechanism of name space man-agement and name dynamic binding. Name space management usuallyadopts a hierarchical structure to organize names to avoid name collisionas Domain Name System[12] in Internet. Dynamic name binding is a pat-tern to associate identifiers or references to entities on runtime. An ambientname can appear in two forms: when n appears as n[P ], name n means anentity which is an ambient encapsulates a process; when n appears in acapability such as in n, name n means a reference to some ambient. There-fore these two forms of names must be bound dynamically when an actioncan happen, for example, in a[0]|b[c[in a]|a[0]], when in a is executed, ainside in a is bound with ambient a inside ambient b, not ambient a outsideambient b. Blocking on names can split a process into two separated namespaces, but allow dynamic name binding on execution. For example,

(1

a[in n] |2

n[in a])\n|3

n[in a] |4

a[in n]

In the above process, the blocking splits the process into two name spaces inwhich name n can only bind with the entity in the same name space. Everyambient is labeled by a unique number in order to describe name dynamicbinding clearly. In the following, we use → to express the feasibility ofambients movement, for example (1) → (2) means ambient a labeled by 1can move into ambient n labeled by 2, (1) 9 (3) means ambient a labeledby 1 can not move into ambient n labeled by 3. According to the semantics,the process has the following feasibilities of movement:

(1) → (2) (1) 9 (3)(2) → (1) (2) → (4)(3) → (4) (3) → (1)(4) → (3) (4) 9 (2)

From the left column, we can see that the blocking makes no effect on theactions within the blocking scope. From the right column, we can see thatthe movements by in n are blocked by the block on name n, but the block-ing on name n makes no effect on the movements by in a.

39

The most important point is: the blocking cannot prohibit (1) → (3) for-ever, this block can be overcome by name dynamic binding. Suppose thatthe process has the following starting configuration:

(1

a[in n|in a.out a] |2

n[in a])\n|3

n[in a] |4

a[in n]

It has the following reductions:

(1

a[in n|in a.out a] |2

n[in a])\n|3

n[in a] |4

a[in n]

→ (2

n[in a])\n|3

n[in a] |4

a[in n|1

a[in n|out a]]

→ (2

n[in a])\n|3

n[in a] |4

a[in n] |1

a[in n]

→ (2

n[in a])\n|3

n[in a|1

a[]] |4

a[in n]

Ambient a labeled by 1 can enter the name space where ambient a labeledby 4 through (1) → (4), so that ambient a is in the same name space withambient n labeled by (3), ambient a labeled by (1) may have a chance toenter ambient n labeled by (3). When ambient a labeled by (1) exits fromambient a labeled by 4, name n in the capability in n of ambient a labeledby 1 binds with ambient n labeled by 3.

2. The Comparison between Blocking on Names and Restriction

Restriction is a mechanism to create a new name which can be used withinthe scope of the restriction. In contrast, blocking on names does not cre-ate new names but defines name spaces which limit dynamic name bindingwithin the same name space. The most obvious difference between thescopes of restriction and blocking on names is: the scope of restriction canbe extruded using (Struct Res Par); blocking on names is a fixed struc-ture whose scope cannot be extruded. For example, (νm)m[in n]|n[0] ≡(νm)(m[in n]|n[0]) so that the scope of the restriction is extruded from am-bient m to ambients m and n, as a result in n can be exercised; m[in n]\m|n[0]is not structural congruent with (m[in n]|n[0])\m although in n can be ex-ercised in both cases according to our reduction rules.

However, after the difference is explored more deeply, it can be found thatrestriction can prohibit dynamic name binding, but blocking on names al-lows dynamic name binding. It is explained by the following example:

40

P = (νb)(b[0]|m[0])|n[in b|in m.out m]Q = (b[0]|m[0])\{b}|n[in b|in m.out m]

Process P can be converted to (νb)(b[0]|m[0]|n[in b′|in m.out m]) using α-conversion with which in b becomes in b′, since name b within ambient n isa free name. Therefore, ambient n can not enter ambient b in process Pforever, and the restriction on name b prohibits this.

For process Q, it has the following reductions:

(b[0]|m[0])\{b}|n[in b|in m.out m]

→ (b[0]|m[n[in b|out m]])\{b}→ (b[0]|m[0]|n[in b])\{b}→ (b[n[0]]|m[0])\{b}

Although the scope of the blocking on name b is fixed, ambient n can enterthe blocking scope by entering into ambient m which is not blocked, thenname b in in b binds with ambient b, as a result it can enter ambient b.Therefore, ambient n can enter ambient b by circumventing through en-tering ambient m which is not blocked but in the same blocking scope asambient b.

This comparison make it easier to answer the question why (νa)(P\{a}) ≡((νa)P )\a does not hold. The reason is simply that creating a name withinthe scope of the blocking on the name is different from blocking a nameafter creating it.

4.3 Blocking on Capabilities: MABC

In this section we will introduce the calculus of mobile ambients with Blockingon Capabilities (MABC). In MABN, blocking on names prohibits the actions ap-plied on the objects whose names are out of the scope of the blocking. In MABC,blocking on capabilities controls the access capability on the objects. The ideaof block on capabilities is an inspiration from the concept of access control.

Access control[13] is a method of restricting access to resources, allowing onlyprivileged entities access. For example, when we access a web resource, accesscan be granted or denied based on some criteria, such as the browser which weare using. Access control is analogous to having a bouncer at the entrance, it

41

controls entrance by some arbitrary condition which may or may not have any-thing to do with the attributes of the particular visitor.

We use P oC to express blocking on capabilities, where C is a set of abstractcapabilities, oC can block the interaction taken by those capabilities belonging toC between process P and its environment. For example, consider the followingprocess,

open m.P oopen m | m[Q]

In the above process, since open capability is blocked and the access can notbe executed. Hence, ambient m can not be dissolved. Here the scope of blockingvirtually represents the scope of access control.


Table 4.6 gives the formal definition of the syntax of MABC. It is assumed thatan infinite set of names N ranges over ambient names.

Table 4.7 defines the set of free names fn(P ) for MABC.

Table 4.8 shows the syntactic conventions of MABC.

Table 4.9 gives the structural congruence for MABC. We have the followingfive new structural congruence rules,

(Struct BC): Blocking has no effect on any processes that are structurallycongruent.

(Struct Res BC): If the restricted name does not appear in the block set, therestriction and blocking do not interrupt each other.

(Struct BC Union): Two consecutive blocking can be combined with unionof the two blocking capability sets.

(Struct BC Empty): Empty blocking set means no blocking within process.

42

n namesCap = {in , out , open } the set of capabilitiesAmb the complete ambient name setC ⊆ Cap× Amb the blocking capability set

P, Q ::= processes(νn)P restriction on ambient name0 inactivityP |Q composition! P replicationn[P ] ambientM.P actionP oC blocking on capabilities


Table 4.6: The syntax of MABC

fn((νn)P ) , fn(P )− {n} fn(n[P ]) , {n} ∪ fn(P )

fn(0) , ∅ fn(P oC) , fn(P ) ∪ fn(C)

fn(P |Q) , fn(P ) ∪ fn(Q) fn(in n) , {n}fn(! P ) , fn(P ) fn(out n) , {n}fn(M.P ) , fn(M) ∪ fn(P ) fn(open n) , {n}fn(C) ,

⋃M∈C

fn(M)

Table 4.7: The free names of MABC

P oC |Q is read (P oC)|Q(νn)P |Q is read ((νn)P )|QM.P |Q is read (M.P )|Q

(νn1 . . . nm)P , (νn1) . . . (νnm)P

n[] , n[0]

()oC , (0)oCM , M.0

Table 4.8: The syntactic conventions of MABC

43



P ≡ Q,Q ≡ R


P ≡ Q


P ≡ Q


P ≡ Q


P ≡ Q


P ≡ Q


P ≡ Q

P oC ≡ QoC (Struct BC)


′)P ≡ (νn



′[P ]) ≡ n

′[(νn)P ] if n 6= n

′(Struct Res Amb)

(νn)(P oC) ≡ ((νn)P )oC if n /∈ fn(C) (Struct Res BC)


P oC oC′ ≡ P oC∪C′ (Struct BC Union)P o∅ ≡ P (Struct BC Empty)0oC ≡ 0 (Struct Zero BC)

Table 4.9: The structural congruence of MABC

44

C C(| n[C C′(| in m.P |)] | Q|) | C C′′

(|m[R]|)→ C C(|Q|) | C C′′

(|m[R | n[C C′(| P |)]]|) (in m /∈ C ∪ C ′) (Red In)

m[C C(| n[C C′(| out m.P |)] | Q|)]

→ m[C C(|Q|)] | n[C C′(| P |)] (out m /∈ C ∪ C ′) (Red Out)

C C(| open m.P |) | C C′(|m[Q]|)

→ C C(| P |) | C C′(|Q|) (open m /∈ C) (Red Open)

P → Q


P → Q


P → Q


P → Q

P oC → QoC (Red BC)

P ′ ≡ P, P → Q, Q ≡ Q′

P ′ → Q′ (Red ≡)

Table 4.10: The reduction rules of MABC

(Struct Zero BC): The blocking on inactivity does not make any effect.

Since there are multi-level of blocking on capability, for example, n[P oC ],(P oC |n[Q])oC′ . Hence, in order to express the reduction rules accurately, weintroduce the context of Blocking on Capabilities, written as C C(| |).

Definition 4.3.1 (The context of Blocking on Capabilities) . Let C, C’and C” be blocked sets of capability, where C = C’ ∪ C”, P is a process, C C(| |) de-notes the context of blocking on capability, we write C C(| |) ::= (| |)oC

∣∣(C C′(| |)|P )oC′′

to express multi-level blocking context in MABC. If C is equal to ∅, it means noblocking.

We can think (| |) as a hole which can be filled up with anything, like processes,capabilities and another context.

Table 4.10 shows the all reduction rules for MABC.

45

There are four new reduction rules, namely, (Red In), (Red Out), (Red Open)and (Red BC).

The first three rules express the reduction happening in multi-level blockingcontexts. If all of the blocked sets of capability are empty, then these three rulesare the same as the general reduction rules for in , out and open in mobileambients.

In (Red In), if in m /∈ C ∪ C ′, then ambient n can enter ambient m, as theresult, ambient n leave block C, block C ′ will be moved along with n; block C ′′

does not control this movement.

In (Red Out), if out m /∈ C ∪ C ′, then ambient n can exit ambient m, asthe result, ambient n leave block C, block C ′ will be moved along with n.

In (Red Open), if open m /∈ C, after ambient m is dissolved, block C ′ onprocess Q is reserved.

In (Red BC), blocking has no effect on internal event within the blockingscope.

4.3.2 The Comparison between MABN and MABC

In MABN, the effect of blocking on names is name hiding. If a process accessessome external resources, it must know the names of the resources it tries to visit.In MABC, blocking on capabilities is a mechanism of the process based mandatoryaccess control. blocking on capabilities is used to apply restriction on processes.Blocking on names more relax than blocking on capabilities.

We will consider the following process which illustrates what is differencebetween blocking on names and blocking on capabilities.

((1)

a[in n] |(2)

n[in a]) oin n |(3)

n[in a] |(4)

a[in n]

We have four ambients which try to exercise in capability, and in n capabilityis blocked within the scope of (a[in n]|n[in a]). We will use notations (1), (2), (3),(4) instead of four ambients respectively.

In this example, only one different from the example in section 4.2.2, weuse oin n instead of \n. In the previous example, the process has the followingfeasibilities of movement:

46

(1) → (2) (1) 9 (3)(2) → (1) (2) → (4)(3) → (4) (3) → (1)(4) → (3) (4) 9 (2)

In this case, we have the following behavior of processes can happen or cannot happen:

(1) → (2) (1) 9 (3)(2) → (1) (2) → (4)(3) → (4) (3) → (1)(4) → (3) (4) → (2)

In both cases, we see the last reduction in the right column, in the first case, itblocks any movement in terms of n. In the second case, in n capability is blockedwithin its scope, it can not be exercised from scope to outside, on the contrary,it is unblocked from outside to its scope.

In MABN, the rule (Struct Block Par Symm),P\N |Q ≡ P |Q\N expressesthe blocking on names makes the same effect on bi-directions. In MABC, a re-markable is P oC |Q 6≡ P |QoC . The blocking on capabilities only make effect onone direction.

4.4 Blocking at Ambient level: MABA

Mobile Ambients with Blocking at Ambient level (MABA) is one of the three kindsof blockings available for the calculus of Mobile Ambients. The idea of blockingat the ambient level is similar to the blocking on capability but is applied directlyon the ambient. That is ambients are assigned a set of blockings which must berespected by the ambient during its movement. This kind of blocking movesalong with the ambient and can be dissolved in case the ambient is opened. Theblocking at ambient level is denoted by the notation n[P ][C], where C representsthe capabilities that are blocked within the ambient boundary. Consider thefollowing example:

n[in m.P ][in a]|m[in c|Q][in c]|c[R][in b] → m[in c|Q|n[P ]][in c]|c[R][in b]

In the above example ambient n can enter an ambient m, but the ambient mcannot enter ambient c. Therefore, we can say that blocking on ambient leveleffects all the processes contained within that ambient.

47

n namesCap = {in , out , open }C ⊆ Cap× Amb

P, Q ::= processes(νn)P restriction0 inactivityP |Q composition! P replicationn[P ][C] blocking at ambient levelM.P action


Table 4.11: The syntax of MABA


Table 4.11 give the formal definition of the syntax of MABA. It is assumed thatan infinite set of names N ranges over n, where n are the ambient name. C de-notes a set of capabilities which are blocked within the boundary of an ambient.The other syntactic elements have the same meaning as the calculus of mobileambients.

Table 4.12 shows the definition of free names in MABA.

fn((νn)P ) , fn(P )− {n} fn(in n) , {n}fn(0) , ∅ fn(out n) , {n}fn(P |Q) , fn(P ) ∪ fn(Q) fn(open n) , {n}fn(! P ) , fn(P ) fn(C) ,

⋃M∈C

fn(α)

fn(n[P ][C]) , {n} ∪ fn(P ) ∪ fn(C)

fn(M.P ) , fn(M) ∪ fn(P )

Table 4.12: The free names of MABA

48

(νn)P |Q is read ((νn)P )|QM.P |Q is read (M.P )|Q

(νn1 . . . nm)P , (νn1) . . . (νnm)P

n[][C] , n[0][C]

n[P ][ε] , n[P ]

n[][ε] , n[0]

M , M.0

Table 4.13: The syntactic conventions of MABA

Table 4.13 shows the syntactic conventions of MABA.

Table 4.14 gives the definition of structural congruence of MABA. Most ofthem are the same as that of mobile ambients. The introduction of blockingoperation brings some new rules which are explained in the Table 4.14:

(Struct Amb): If two equivalent processes are enclosed within the same ambi-ent having the same blocking then they will have the same behavioural properties.

(Struct Res Amb): If the restricted name is not the name of the ambient onwhich there is a blocking, and the name is not contained in the blocking set then,they do not make effect on each other(that is it does not matter if the restrictionis outside or within the ambient).

The behavior of a processes is given by its reduction rule. Table 4.15 showsthe reduction rules of MABA.

From (Red In) and (Red Out), the blocking is carried along with the am-bient. This kind of blocking is effective on all the processes within that ambientonly on the first level i.e, it prohibits the capabilities from being exercised at theprocess level directly enclosed within the ambient and not on its subambients.From (Red Open), we can see that, the blocking dissolves along with the am-bient boundary in case an ambient is opened.

4.4.2 Discussion

The calculus of MABA is different from the calculus of MABC in the sense thatthe blocking is applied directly on the ambient as a result of which the blockingcan be carried along with an ambient. Hence we can say that the blocking atambient level is a self constraint placed on an ambient. Hence, it can prevent

49



P ≡ Q, Q ≡ R


P ≡ Q


P ≡ Q


P ≡ Q


P ≡ Q

n[P ][C] ≡ n[Q][C](Struct Amb)

P ≡ Q



′)P ≡ (νn



′[P ][C]) ≡ n

′[(νn)P ][C] if n 6= n

′and n /∈ fn(C) (Struct Res Amb)


Table 4.14: The structural congruence of MABA

50

n[in m.P ][C]|m[Q][C′] → m[n[P ][C]|Q][C

′] (in m /∈ C) (Red In)m[n[out m.P ][C]|Q][C

′] → m[Q][C′]|n[P ][C] (out m /∈ C) (Red Out)

open m.P |m[Q][C] → P |Q (Red Open)

P → Q


P → Q

n[P ][C] → n[Q][C](Red Amb)

P → Q


P ′ ≡ P, P → Q,Q ≡ Q′

P ′ → Q′ (Red ≡)

Table 4.15: The reduction rules of MABA

some harmful code from being executed within an ambient even if it managesto enter it. There are also a few security concerns. One of the major securityconcerns of MABA is that it cannot prevent the harmful execution of processeseffectively.

Example 4.4.1 Consider the following reduction:

d[a[open b][in b]|b[in c|Q][in c]][open m]|c[P ][open a] ∗→ c[d[a[][in b]|Q][open m]][in d]

In Example 4.4.1, we can observe that the capability in c was blocked at ambientlevel of ambient b but, as ambient b was opened the blocking was dissolved alongwith the ambient boundary as a result the capability in c was executed and theprocess Q within ambient b was able to enter the ambient c. This is a majorsecurity concern of the calculus of MABA.

51

Chapter 5

Digitally Signed Ambients withBlocking on Capabilities

The calculus of DSA with Blocking on capability(DSABC) was developed by com-bining the calculi of DSA and Blocking on capabilities. The main motive behindthis was to model the concept of digital signatures and access control on processmigration. The two pre existing models based on similar lines that served as amotivation were the Sandbox model for Java2 and Umbrella.

5.1 Security Models

The two security models that were analyzed before creation of the calculus ofDSABC were the Sandbox model for Java2 and Umbrella model for Security inLinux.

Sandbox Model for Java2

The architecture of the sandbox model[3] was further evolved in the Java2Platform Security Architecture. In this model the local code is subjected to thesame security control as applets from an untrusted source. The difference beingthat the policy on the local code is more liberal than the remote code, thus en-abling such code to run effectively as totally trusted. The same principle appliesto signed applets and any Java application. That is a signed applet is subjectedto some security control based on its source which can be its key. It is shown inthe Figure 5.1

The main features of this model are:

1. Fine-grained access control.

2. Easily configurable security policy.

53

Remote Code

Sandbox4

JVM

Valuable Resources

Sandbox2

Sandbox3

Sandbox1

Class LoaderSecurity Policy

Figure 5.1: Java2 Platform Security Model

3. Easily extensible access control structure.

4. Extension of security checks to all Java programs.

Umbrella

Umbrella project was developed with an intention of providing more securityto the Linux platform. It carries out a combination of process based mandatoryaccess control (MAC) and authentication of files for Linux. In the MAC schemerestrictions are enforced on individual processes. The Umbrella security serverfirst authenticates the signature of the file before allowing it to enter the system.If the signature is valid then it enforces the restrictions that are included alongwith the signature of that file. In the MAC scheme restrictions are enforcedon individual processes. If the file cannot be authenticated then it is assigneda default set of restrictions. This eases the introduction of restrictions on thesystem. The working of the Umbrella model[6] is shown in the Figure 5.2:The two improvement areas provided by Umbrella were:

1. Discretionary access control (DAC) mechanism was supplemented by intro-ducing the concept of mandatory access control(MAC). In MAC structureas a tree, the children have at least all the restrictions of its parent. Itavoids the need for manual setting of restrictions for all programs in thesystem.

2. Integrity of executables was implemented by introducing vendor-signing ofexecutable files.

54

Umbrella Security Server

Running Process

Signed File SystemResources

Execute FileFile System

Import File

Authentication

Resou

rce A

cces

ss

Linux

Check Restrictions

Figure 5.2: The Umbrella Model

DSA with Blocking on Capability(DSABC)

The calculus of DISA is different from the Sandbox model and Umbrella inthe following ways:

• In the sandbox model for Java2 the system assigns the restriction basedon the source of the code, in Umbrella the restrictions are included alongwith the key and if there are no restrictions included or the key cannot beauthenticated then a default set of restrictions are applied on the processeswhere as in DSABC a set of minimal blocking are associated with the groupof that ambient which must be respected during its movement.

• In sandbox model for Java2 and Umbrella a default set of blocking is appliedin case the signature cannot be verified but in DSABC the code is not allowedto enter the system in case the authentication fails. That is signed ambientscan enter other signed ambients only in case they can be authenticated.


Table 5.1 shows the syntax of DSABC. All the definitions have the same meaningas described in the calculi of DSA and MABC.

Table 5.2 defines the set of free names of DSABC.

Table 5.3 shows the syntactic conventions of DSABC.

55

n namesk keys = ε|k signatureCap = {in , out , open } the set of three capabilitiesAmb the complete ambient name setC ⊆ Cap× Amb the blocking capability set

P, Q ::= processes(νn)P restriction0 inactivityP |Q composition! P replicationn[P ]s signed ambientM.P actionP oC blocking on capabilities

M ::= capabilitiesin n can enter nout n can exit nopen n can open nauth(m, k) can authenticate m with key ksign(m, k) can sign m with key k

Table 5.1: The syntax of DSABC

fn((νn)P ) , fn(P )− {n} fn(ε) , ∅fn(0) , ∅ fn(k) , {k}fn(P |Q) , fn(P ) ∪ fn(Q) fn(in n) , {n}fn(! P ) , fn(P ) fn(out n) , {n}fn(n[P ]s) , fn(P ) ∪ {n} ∪ fn(s) fn(open n) , {n}fn(M.P ) , fn(M) ∪ fn(P ) fn(auth(m, k)) , {m, k}fn(P oC) , fn(P ) ∪ fn(C) fn(sign(m, k)) , {m, k}fn(C) ,

⋃M∈C

fn(M)

Table 5.2: The free names of DSABC

56

P oC |Q is read (P oC)|Q(νn)P |Q is read ((νn)P )|QM.P |Q is read (M.P )|Q

(νn1 . . . nm)P , (νn1) . . . (νnm)P

n[P ]ε , n[P ]

n[]s , n[0]s()oC , (0)oCM , M.0

Table 5.3: The syntactic conventions of DSABC

The structural congruence of DSABC inherits all the rules from the calculusof MABC. The only difference is in the rule (Struct Amb), where signed ambi-ents are used instead of normal ambients. Table 5.4 describes all the structuralcongruence rules.

Similarly, we have the form of the evaluation context, C C(| |) ::= (| |) oC∣∣(C C′(| |)|P )oC′′ , where C = C ′ ∪ C ′′. The Reduction rules of DSABC inherits

seven rules from the calculi of DSA and MABC, Table 5.5 shows all the reductionrules.

It is important to notice that the rules, (Red In), (Red Out), (Red Auth).If all of the blocked sets of capabilities are empty, then these three rules are thesame as the reduction rules for in , out and auth in DSA.

In (Red In), if in m /∈ C ∪ C ′, then signed ambient n can enter unsignedambient m, ambient n leave block C, block C ′ will be moved along with n; blockC ′′ has no effect on this movement. (Red In) expresses only the signed ambientcan enter the unsigned ambient.

In (Red Out), if out m /∈ C ∪ C ′, then signed ambient n can exit unsignedambient m, signed ambient n leaves block C, block C ′ will be moved along withn. (Red Out) expresses only the signed ambient can exit the unsigned ambient.

In (Red Auth), For the authentication to occur, the authenticating ambientshould be within the same blocking level as the signed ambient to be authenti-cated. After the authentication, the authenticated ambient becomes an unsignedambient and is assigned the same blocking scope as the auth capability.

(Red Open), this rules is more strict than the in MABC. It expresses that

57



P ≡ Q,Q ≡ R


P ≡ Q


P ≡ Q


P ≡ Q


P ≡ Q

n[P ]s ≡ n[Q]s(Struct Amb)

P ≡ Q


P ≡ Q

P oC ≡ QoC (Struct BC)


′)P ≡ (νn



′[P ]) ≡ n

′[(νn)P ] if n 6= n

′(Struct Res Amb)

(νn)(P oC) ≡ ((νn)P )oC if n /∈ fn(C) (Struct Res BC)


P oC oC′ ≡ P oC∪C′ (Struct BC Comb)P o∅ ≡ P (Struct BC Empty)0oC ≡ 0 (Struct Zero BC)

Table 5.4: The structural congruence of DSABC

58

C C(| n[C C′(| in m.P |)]s | Q|) | C C′′

(|m[R]|)→ C C(|Q|) | C C′′

(|m[R | n[C C′(| P |)]s]|) (in m /∈ C ∪ C ′) (Red In)

m[C C(| n[C C′(| out m.P |)]s | Q|)]

→ m[C C(|Q|)] | n[C C′(| P |)]s (out m /∈ C ∪ C ′) (Red Out)

open m.P | m[Q] → P | Q (Red Open)

m[P ]k|n[C C(| auth(m, k).Q|)|R]s → n[C C(|Q|m[P ]|) | R]s (Red Auth)

sign(m, k).P |m[Q]ε → P |m[Q]k (Red Sign)

P → Q


P → Q

n[P ]s → n[Q]s(Red Amb)

P → Q


P → Q

P oC → QoC (Red BC)

P ′ ≡ P, P → Q, Q ≡ Q′

P ′ → Q′ (Red ≡)

Table 5.5: The reduction rules of DSABC

59

our system only allows open operations to occur at the same blocking level.

5.3 Advantages

The hybrid calculus of DSABC is advantageous as the property of digital signa-ture prevents the malicious code from being downloaded and run on the clientmachine. The property of blocking ensures that the downloaded code is run withsome restrictions which ensure that it does not harm the system. Hence thecombination of the calculi of DSA and MABC we can ensure the properties oftrust provided by digital signature and access control provided by blocking oncapabilities. As a result of which the system can provide selective access controlthat is assigning different access rights to different processes depending on thekey which makes the calculus more robust. Codes coming from trusted sourcesare also given some restrictions. This model is similar to the Java sandbox modelin Java2 where even the trusted code are given some restrictions but which aremore liberal than the ones laid on untrusted code. In the system that calculus ofDSABC the untrusted code is not allowed to enter the system at all which ensuresa very high level of security. Every code is assigned a different set of restrictionssimilar to the sandbox model where the different pieces of code coming from thevarious sources are assigned different sandboxes and are executed separately.

Example 5.3.1 Modeling of the Safe System using DSABC:

app1[auth(app3, k3)|P ]k1|app2[Q]k2|app3[out app1.in pub.out pub.in pri|R1]k3 |app4[S]k4|sys[(auth(app1, k1)) oC |(auth(app4, k4)) oC′ |pri[X]|pub[Y ]]ks

→ app1[app3[out app1.in pub.out pub.in pri|R1]|P ]k1|app2[Q]k2|app4[S]k4 |sys[(auth(app1, k1)) oC |(auth(app4, k4)) oC′ |pri[X]|pub[Y ]]ks

→ app2[Q]k2|sys[(app1[app3[out app1.in pub.out pub.in pri|R1]|P ]) oC |(app4[S]) oC′ |pri[X]|pub[Y ]]ks

In this we further evolve the example and model the system using the conceptof blocking on capabilities. The diagrammatic representation of the system isshown in Figure 5.3.

In the first reduction, app3 is authenticated by app1. In the second reduction,the authenticated applets app1 and app4 are assigned different capability blockingcorresponding to their source. The source of an ambient is identified using thekey with which it is signed. This resolves the issue of access control on processes.The following are the security issues which are not covered by the calculus ofDSABC :

60

app1 app2 app3 app4

sys

1

app3

app1 app2 app42

k3k1 k2 k4

app2 sys

sys

app3app1 app4

ks

ksk4k2k3

ks

ksk2

C C’

Figure 5.3: Modeling Safe System using DSABC

• The problem of app3 using app1 as a Trojan horse to enter the system stillpersists. A malicious process is still being executed within the system.

• The second problem is regarding key distribution. If ambient app1 signssome processes and releases the public key, how does system know thatapp1 is the right signatory and not an impostor?

• The third problem is regarding minimal blocking. When an ambient entersanother ambient its minimal blocking policy should be respected. In theexample above when the ambient app1 enters into the Safe System, itsminimum blocking policy

To resolve this kind of security issues that may arise, the type system of DSABCis proposed.

61

Chapter 6

A Type System for DSABC

In this chapter, we will introduce a type system for DSABC which captures threesafety properties: who visit whom, key distribution, and the minimal blockingpolicy for ambients. In Section 6.1, the general characteristics of type systems isintroduced; in Section 6.2, the three safety properties that our type system caresfor are introduced; in Section 6.3, the formal definition of the type system andthe explanation on typing rules are given; in Section 6.4, the semantic soundnessand type safety are given.

6.1 General Overview of Type Systems

A type system[14] is used to classify values and variables into different typesand describe their way in which they interact and are manipulated. The basicpurpose of a type system is to indicate a set of values that have the same mean-ing or purpose. Thus it prevents the execution errors from occurring during theprogram execution. A program is supposed to run according to some constraintswhich are specified in the type system. The compiler of a programming languageis constructed based on its type system which ensures that the program is typesafe.

Type systems can be used to do type checking. Type checking is the process ofverifying and enforcing the constraints predefined on types of values or processes.There are two kinds of type checking:

1. Static Typing: In this way, type checking is performed at compilation time.Static type checking is the primary task of the semantic analysis carriedout by a compiler.

2. Dynamic Typing: In this way, type checking is performed during the run-time of a program. During the runtime, all type information must be col-

63

lected, and all changes on type information must be monitored and ana-lyzed.

Type systems can provide the following advantages:

1. Safety: The compiler can detect invalid code using a type system.

2. Optimization: More information can be provided to the compiler usingstatic type checking.

3. Documentation: Type systems which are more expressive can serve as alevel of documentation.

4. Abstraction: It allows the programmers to think at a higher level and notconsider the lower level implementation details.

6.2 The Ideas of Type System for DSABC

DSABC was developed with the aim of modeling the sandbox model in Java2.Umbrella was also analyzed with the ideas which are related to the sandboxmodel in Java2. In Umbrella an executable file is authenticated before beingallowed to enter the system. If the authentication is successful, the file can beexecuted as a process, and it is given a set of restrictions predefined according towhere the executable file comes from, which is identified through the authenti-cation; otherwise a default set of restrictions is applied. The restrictions laid onthe active processes are checked by the Umbrella security server running in thesystem, when the processes try to gain access to system resources.

The formulation of the type system for DSABC began with the investigating onthe safety properties in terms of blocking. The calculus of DSABC can prevent aprocess to exercise the blocked capabilities to interact with its environment, whenthe process is managed within the blocking scope; however, the blocking cannotavoid the blocked capabilities to be prohibited forever. The blocking scope isalways fixed relative to the ambient enclosing it directly, so that once an ambientmoves out of the blocking scope which encloses the ambient directly, and enterthe scope of the other blocking, some capabilities prohibited by the former block-ing may be executed, because the latter blocking maybe prohibit less capabilitiesthan the former. In order to avoid this situation, we introduced minimal block-ing policy into our type system. Every ambient has its minimal blocking policy,which is a set of blocked capabilities and must be respected during the tran-sitions, that means the ambient must be always managed by the blocking morerestricted than its minimal blocking policy during the movements of the ambient.

64

Another important aspect of DSABC is who can visit whom. This is a veryimportant safety property, because we need to ensure who are the trusted visitorsand who are allowed to visit for the specified ambient. There exist following waysfor an ambient to visit another ambient: (1)If an ambient resides within anotherambient, then the former is regarded as the visitor of the later; (2) An ambientuses in capability to enter another ambient; (3)when an ambient exercises outcapability, it leaves its parent ambient, and enters the ambient which encloses itsparent; (4) an ambient is authenticated by another ambient by exercising auth ca-pability, the authenticated ambient is the visitor of the authenticating ambient;(5) or an ambient can visit another ambient through entering an intermediateambient which can visit the later. For capturing this safety property, we use theconcept of Ambient Groups [15]. In our type system, every ambient belongs toone group. We prefer to put the ambients with the same security policy intothe same ambient group, so that we can say ambients of which group can visitambients of the specified group. Based on the concept of ambient groups, wealso introduced abstract capabilities such as in A, which means ”enter ambientsof group A”. Our type system takes care of the location of a process. A pro-cess or an ambient maybe reside within another ambient, but not every ambientor process resides within a specified ambient, so that we have to introduce theconcept of the universal ambient @. If we do not specify a location for a processor an ambient, we say that it resides within the universal ambient @. Accord-ingly there exist the universal group Uni, which has only one member ambient @.

The third property of our type system for DSABC is Key Distribution whichis captured by introducing the notion of key groups, which is similar to ambientgroups. Every key belongs to one key group, keys of the same key group has thesame key distribution policy, which check the following safety properties:

1. The group of ambients that can be authenticated by the ambients who holdsan auth capability with the corresponding public key.

2. The group of ambients who are allowed to sign an unsigned ambient withthe corresponding private key.

6.3 Typing Rules

Our type system is implicitly parameterized with respect to a set of securityconstraints. Security constraints ensure which process migrations are allowed be-tween the ambients. We have introduced the notion of groups, with the intentionthat each ambient(a) belongs to an ambient group(A) and each key(k) belongs toa key group(K). Abstract capabilities are extracted from concrete capabilities,

65

which are explained in the definition type(β).

Process Types

Process types describe the behaviors that process may exhibit. We use setnotation for various components on process types. Process type of process P interms of components can be defined as follows:

P ::= (B,A, T ,U)

Where B is a set of abstract capabilities that can be exhibited by process P . Ais a set of ambient groups which are found within the scope of current blockinglevel. T is a set of abstract auth capabilities that are found within the scopeof current blocking level. U is a set of all ambient groups whose ambients arecontained in P . This set also includes the ambient groups which are containedin A. Therefore, A ⊆ U .

Security Policy and Environments

As [16] described, an ambient is a generalization of barriers, and security hasto do with the ability or inability to cross barriers. Therefore, the security policyis defined at the ambient level. Suppose ambient a has the security policy s ∈ S,where S is the set of security policies. s defines the relationship between ambientgroups, set of capabilities as follows:

s ::= ( P(G)× P(C)× P(C) ) ∪ ( P(G)× P(G) )

Where P(G) is a set of ambient groups, and P(C) is a set of abstract capabilities.We define two kinds of environments, namely Group Environments, denoted

by Γ, and Security Policy Environments, denoted by ∆.

1. Γ Environment:

Γ : N → GΓ : a 7→ AΓ : k 7→ K

Where N is an infinite set of names ranged over ambients and keys, andG is a set of ambient groups or key groups. Γ is a function from names togroups. Here, two kinds of Γ environments can be possible. One is ambientgroup environments and the other is key group environments. Γ : a 7→ Ameans that ambient a belongs to ambient group A. Γ : k 7→ K means thatkey k belongs to key group K. Each ambient a holds a minimal blockingpolicy which is described in ∆ environment.

66

2. ∆ Environment:

∆ : G → S∆ : A 7→ (VA, κA, MA)∆ : K 7→ (Ak, Sk)

Where ∆ is a function from ambient groups or key groups to security pol-icy. Each ambient group or key group must follow the security policy. Here,two kinds of ∆ environments can be possible. ∆ : A 7→ (VA, κA, MA) meansthat ambient group A follows the security policy (VA, κA, MA). Where VA

is the set of ambient groups who are allowed to visit any ambient of groupA, κA is the set of abstract capabilities that can be contained by the ambi-ents of group A, and MA is the set of blocked capabilities, which is knownas a minimal blocking policy that is defined on ambient of group A. Theminimal blocking policy should be respected during the movement of theambients, that means the ambients should be managed by blocking notweaker than the minimal blocking policy. ∆ : K 7→ (Ak, Sk) means thatkey group K follows the security policy (Ak, Sk), where Ak is the set of am-bient groups who can be authenticated by any ambient that holds a validpublic key k of key group K, and Sk is the set of ambient groups who are al-lowed to sign an ambient or who holds a valid private key k of key group K.

type(β)

type(β) is a function converting a set of concrete blocked capabilities(β) to aset of corresponding abstract capabilities as described in the following definition:

Definition 6.3.1 (type(β)) .

type(β) =

∅ ifβ = ∅⋃C∈β

{type(C)} ifβ 6= ∅

type(in a) = in A if Γ(a) = Atype(out a) = out A if Γ(a) = A

type(open a) = open A if Γ(a) = Atype(auth(a, k)) = auth(A, K) if Γ(a) = A, Γ(k) = Ktype(sign(a, k)) = sign(A, K) if Γ(a) = A, Γ(k) = K

Judgments

We base our type system on three judgments. Judgments usually have theform ∆, Γ ` =, where = is either � or P : (B,A, T ,U). The pair Γ, ∆ are referredto as group environment and security policy environment. The judgments havethe following standard meaning:

67

Γ, ∆ ` � well-formed environment∆, Γ `b P : (B,A, T ,U) P has type (B,A, T ,U) within b

∆, Γ `s@ P : (B,A, T ,U) P is well-typed within @

b can also be @. @ is the universal ambient, which may contain any processesand any ambients. In this report, we follow the convention, that if we specifyan arbitrary process without its location, then it is supposed to reside in theuniversal ambient.

Every ambient has its own minimal blocking policy. When one ambient entersanother ambient, the minimal blocking policy of the entering ambient must berespected during transit. i.e, a migrating process is not supposed to enter an areawith weaker blocking constraints than its minimal blocking policy. An environ-ment can be considered as well-formed, if it satisfies the following predicate:

∆, Γ ` � ⇐⇒ ∀a ∈ Dom(Γ)( Γ(a) = A ∧ ∆(A) = (VA, κA, MA) ∧(∀b ∈ Dom(Γ)(Γ(b) = B ∧∆(B) = (VB, κB, MB)∧∀(in B ∈ κA ∨ out B ∈ κA))) =⇒ MA ⊆ MB )

Based on the discussion that we have had so far, we can formalize the typingrules as described in table 6.1.

Explanation

(Nil) : Process 0 is well-typed within a well-formed environment.

(Res) & (Repl) : Restriction and replication that are applied on process Pwill not change its type.

(Par) : The process type of two parallel processes is the union of their re-spective components from each process.

(In) : If process P which is enclosed in an ambient b is well-typed, then in a.Pis also well-typed in case that it is within a well-formed environment, if it alsosatisfies the following conditions: (1) Since ambient b tries to enter ambient a,the ambients who can visit ambient b must also be the visitors of ambient a. (2)Ambient b must be the visitor of ambient a, as ambient b itself performs subjec-tive move in a. If these constraints are not satisfied, then the process violates thesecurity policy of ”who visit whom”.

(Out) : According to Out rule, an ambient a is trying to move out from anambient b. Therefore, before exercising out a capability, the ambient b must be

68

∆, Γ ` �∆, Γ `b 0 : (∅, ∅, ∅, ∅)

(Nil)

∆, Γ `b P : (B,A, T ,U)

∆, Γ `b (νn)P : (B,A, T ,U)(Res)

∆, Γ `b P : (B,A, T ,U)

∆, Γ `b! P : (B,A, T ,U)(Repl)

∆, Γ `b P : (B,A, T ,U) ∆, Γ `b P ′ : (B′,A′, T ′,U ′)

∆, Γ `b P |P ′ : (B ∪ B′,A ∪A′, T ∪ T ′,U ∪ U ′)(Par)

∆, Γ `b P : (B,A, T ,U)

∆, Γ `b in a.P : (B ∪ {in A},A, T ,U)(In)

Γ(a) = A ∆(A) = (VA, κA, MA)Γ(b) = B ∆(B) = (VB, κB, MB)VB ⊆ VA B ∈ VA

∆, Γ `b P : (B,A, T ,U)

∆, Γ `b out a.P : (B ∪ {out A},A, T ,U)(Out)

Γ(a) = A ∆(A) = (VA, κA, MA)Γ(b) = B ∆(B) = (VB, κB, MB)VB ⊆ VA B ∈ VA

∀r ∈ Dom(Γ) ( Γ(r) = R ∧∆(R) = (VR, κR, MR)∧A ∈ VR =⇒ B ∈ VR )

∆, Γ `b P : (B,A, T ,U)

∆, Γ `b open a.P : (B ∪ {open A} ∪ κA,A, T ,U)(Open)

Γ(a) = A ∆(A) = (VA, κA, MA)Γ(b) = B ∆(B) = (VB, κB, MB)VA ⊆ VB A ∈ VB

69

∆, Γ `b P : (B,A, T ,U)

∆, Γ `b P oβ : (B − type(β), ∅, ∅,U)(Block)

β 6= ∅∀A ∈ A ( ∆(A) = (VA, κA, MA) =⇒ MA ⊆ type(β) )∀auth(D, K) ∈ T (∆(D) = (VD, κD, MD) =⇒ MD ⊆ type(β))

∆, Γ `b P : (B,A, T ,U)

∆, Γ `r b[P ] : (∅,A ∪ {B}, ∅,U ∪ {B})(Amb)

∀A ∈ A(Γ(a) = A ∧∆(A) = (VA, κA, MA) =⇒ MA ⊆ MB)Γ(b) = B ∆(B) = (VB, κB, MB) B ⊆ κB U ⊆ VB

∀auth(D, K) ∈ T (∆(D) = (VD, κD, MD) =⇒ MD = ∅)

∆, Γ `b P : (B,A, T ,U)

∆, Γ `r b[P ]k : (∅,A ∪ {B}, ∅,U ∪ {B})(Sign Amb)

∀A ∈ A(Γ(a) = A ∧∆(A) = (VA, κA, MA) =⇒ MA ⊆ MB)Γ(b) = B ∆(B) = (VB, κB, MB)Γ(k) = K ∆(K) = (Ak, Sk)B ⊆ κB B ∈ Sk U ⊆ VB

∀auth(D, K) ∈ T (∆(D) = (VD, κD, MD) =⇒ MD = ∅)

∆, Γ `b P : (B,A, T ,U)

∆, Γ `b auth(a, k).P : (B ∪ {auth(A, K)},A, T ∪ {auth(A, K)},U)(Auth)

Γ(a) = A ∆(A) = (VA, κA, MA)Γ(b) = B ∆(B) = (VB, κB, MB)Γ(k) = K ∆(K) = (Ak, Sk)A ∈ Ak VA ⊆ VB A ∈ VB

∆, Γ `b P : (B,A, T ,U)

∆, Γ `b sign(a, k).P : (B ∪ {sign(A, K)},A, T ,U)(Sign)

Γ(a) = A ∆(A) = (VA, κA, MA)Γ(b) = B ∆(B) = (VB, κB, MB)Γ(k) = K ∆(K) = (Ak, Sk)B ∈ Sk VA ⊆ VB A ∈ VB

70

B1 ⊆ B2 U1 ⊆ U2

∀A ∈ A1(∆(A) = (VA, κA, MA) ∧MA 6= ∅ =⇒ A ∈ A2)∀auth(D, K) ∈ T1( ∆(D) = (VD, κD, MD) ∧MD 6= ∅

=⇒ auth(D, K) ∈ T2 )

(B1,A1, T1,U1) ≤ (B2,A2, T2,U2)

(Sub)

∆, Γ `b P : (B,A, T ,U) (B,A, T ,U) ≤ (B′,A′, T ′,U ′)

∆, Γ `b P : (B′,A′, T ′,U ′)(SubSumption)

∆, Γ `@ P : (B,A, T ,U)∀A ∈ A(∆(A) = (VA, κA, MA) =⇒ MA = ∅)∀auth(D, K) ∈ T (∆(D) = (VD, κD, MD) =⇒ MD = ∅)

∆, Γ `s@ P : (B,A, T ,U)

(Uni)

Table 6.1: Typing Rules

inside ambient a, and the environment must also satisfy the following conditions:(1) Since ambient b is inside ambient a, ambients who can visit the ambient bmust also be the visitors of ambient a. (2) And ambient b must be the visitor ofthe ambient a. (3) After the out a capability is exercised, ambient b enters somearbitrary ambient r. Therefore, we have to make sure that ambient b must bethe visitor of ambient r.

(Open) : When a process dissolves the boundary of an ambient, the capa-bilities that are enclosed by that ambient are unleashed and the process acquiresthose capabilities. As a result those capabilities get exercised within the system.Hence, this eventual action indirectly affects the behavior of the whole system.Therefore, these capabilities must be reflected in the component B. And theenvironment must also satisfy the following conditions: (1) The ambient that isbeing opened must be the visitor of an ambient which contains the open capa-bility, otherwise the open capability can never be exercised. (2) The ambientswho are the visitors of the ambient which is being opened, must be the visitorsof the opening ambient.

(Block) : The crux of our type system is (Block), in which every compo-nent of the process type has some special feature. Each component of the processtype can be clearly explained with the following process:

P ::= a[0]|auth(m, k).0|in b.in n

The components of process type for above process can be defined as follows:

71

• B is the set of abstract capabilities that are exhibited by process P . i.e,B = {in B, in N, auth(M, K)}.

• A is the set of ambient which are found within the scope of current blockinglevel or the set of ambients that are waiting to be blocked by some blockingi.e, A = {A}.

• T is the set of abstract auth capabilities that are found within the scopeof current blocking level or the set of abstract auth capabilities that arewaiting to be blocked by some blocking. i.e, T = {auth(M, K)}.

• U is the set of all ambient groups whose ambients are contained in P . i.e,U = {A}.

When blocking β = {in b} is applied on the above process as follows:

(a[0]|auth(m, k).0|in b.in n)oin b

then the type of the resulting process changes as described below:

• β is a set of blocked capabilities that manages process P . Hence, those capa-bilities are prohibited to get exercised to make interaction between processP and its environment. Therefore, the resulting B must not include thoseset of capabilities. In the example, the resulting B = {in N, auth(M, K)}.

• The condition, MA ⊆ type(β) ensures that the minimal blocking policy ofambients in A must be respected within the scope of β. If this conditionis satisfied, then the component A becomes empty set after the process isenclosed by β.

• Similarly, MD ⊆ type(β) ensures that the minimal blocking policy of ambi-ents that are being authenticated, must also be respected within the scopeof β. When this condition is satisfied, then the component T becomesempty set after the process is enclosed by β.

• Component U collects all ambients that are contained in process P . There-fore U remains the same.

(Amb) : In Amb rule, to ensure the environment to be well-formed whenprocess P is enclosed in an ambient b, process P must follow the security policyof b. The environment must also satisfies the following conditions: (1) Accordingto MA ⊆ MB, the minimal blocking policy of all the ambients that are presentwithin the blocking scope of process P are respected when they are being migratedto ambient b, that means the parent ambient should have more stronger minimalblocking policy than its subambients if they are within the same blocking scope.(2)According to U ⊆ VB, the set of ambients U contained in P must be the

72

visitors of ambient b, since they are subambients of ambient b. (3) According toB ⊆ κB, the set of capabilities that are exhibited by P can be held by ambientb. (4)According to MD = ∅, when a process enclosed in an ambient has authcapabilities which are not managed by any blocking within the ambient, thenthe ambients which are to be authenticated by these auth capabilities have norequirement with respect to blocking. Consider the following example:

P ::= m[T ]k|a[b[Q]|auth(m, k).R|c[in b.S]]

Here we think process P is b[Q]|auth(m, k).R|c[in b.S], which is enclosed by am-bient a, and we will check this with our typing rules. When ambient m is au-thenticated, it is placed in parallel to process R. Since there is no blocking thatmanages the auth capability, and if the minimal blocking policy of ambient m isnot empty, it may enter an area without blocking. Therefore, to avoid such typeof security inconsistency, the minimal blocking policy of m must be empty.

The components of process type can be changed as follows:

• The reason for the B = ∅ is that when process P is enclosed in an ambient,the behavior of the ambient becomes nothing with respect to the capabilitiesthat are exhibited by process P . An ambient can be regarded as process 0.

• As a new ambient a is checked, it should be collected in A.

• When process P is enclosed in an ambient, the behavior of the ambientbecomes nothing with respect to the auth capabilities that are exhibitedby process P , since the authenticated ambients have no requirements withrespect to blocking.

• Ambient a must be added to the set U , since it is checked here.

(Sign Amb): In addition to the conditions that are specified in Amb rule,Sing Amb rule must also follow the following one condition: Ambient b can signits own contents. Therefore, it must belong to the group of ambients who areallowed to sign an ambient with the corresponding key k.

(Auth) : In this typing rule, we try to check the ambients who can be au-thenticated by an ambient that holds a valid public key k. A process auth(a, k).Pis well-formed if it satisfies the following conditions: (1) Since ambient a gets au-thenticated by auth(a, k), it must belong to the set of ambients who are allowedto be authenticated with key k. (2) Since this objective move reflects ambienta to enter ambient b, the ambients who can visit ambient a must also be thevisitors of the ambient b. (3) And ambient a must be the visitor of ambient b.

73

(Sign) : In this typing rule, we try to check the ambients who are allowedto sign an ambient. A process sign(a, k).P is well-formed if it satisfies the follow-ing conditions: (1) Since ambient b is the one who is going to sign the ambienta, the ambient b must hold a valid private key. If it holds a valid private key,it can belong to the set of ambients who are allowed to sign an ambient with key k.

(Sub) : As mentioned in[14], Subtyping captures the intuitive notion of inclu-sion between types. An element of a type can be considered also as an element ofany of its super types. Therefore, if the type of a process is a subtype of anotherprocess, it follows the following conditions: (1) All behaviors exhibited by theformer are also exhibited by the later as in B1 ⊆ B2. (2) All ambients that arepresent in the set U1 are also part of the set U2. (3) The ambients which have norequirement on blocking can not distinguish the behavioral properties of processin terms of blocking.

(Uni) : A process can be well-typed within the universal ambient(@) throughtype checking, if it can guarantee the safety properties that are mentioned inSection 6.2; and the process satisfies the following two conditions: (1) ∀A ∈A(∆(A) = (VA, κA, MA) =⇒ MA = ∅, (2) ∀auth(D, K) ∈ T (∆(D) = (VD, κD, MD) =⇒MD = ∅. These two conditions ensure that there are no safety critical informa-tion or subprocesses to be exposed to the universal ambient, then the process issafe(marked by s) in an open public environment.

The security issues discussed in Example ?? of Chapter 5 are resolved by thetype systems as follows:

• The issue of app3 using app1 as a Trojan horse to enter the system stillpersists. A malicious process is still being executed within the system.Solution: For this to be type safe, according to the auth rule VA ⊆ VB,from the reductions it is evident that for this to be possible Vapp3 ⊆ Vapp1

and Vapp1 ⊆ Vsys hence we can ensure that if the applet app3 entered intothe system using a carrier, the system is still safe.

• The second issue was regarding key distribution. If ambient app1 signs someprocesses and releases the public key, how does system know that app1 isthe right signatory and not an impostor?Solution: Using the (Sign) rule, the condition A ∈ Ak ensure that onlyvalid signatories are allowed to sign. In addition to that the sideline con-dition A ∈ VB that ensures that the ambient that will be signed will be inits visitors list VB

• The third issue was regarding minimal blocking. When an ambient enters

74

another ambient its minimal blocking policy should be respected. In theexample above when the ambient app1 enters into the Safe System, its min-imum blocking policy.Solution: It is achieved in the (Block),(Amb) and (Sign Amb) rules.When ever we come across an auth capability it is stored in the T compo-nent, the ambients names are collected in the A component and the blockrules is used when ever we come across any blocking. This ensures thatminimum blocking is respected.

6.4 Type Safety

In this section, we show our type system is semantically sound. The semanticsoundness is formulated as subject reduction. Subject reduction is a propertystating that a well typed process always reduce to a well typed process, thus itcan guarantee that a well typed process cannot generate ”type errors” during itsreductions, and it behaves according to the safety properties. In Section 6.2, itis pointed that the three safety properties are captured by our type system.

The soundness of our type system is expressed by the following theorem:

Theorem 1 (Subject Reduction) If ∆, Γ `r P : (B,A, T ,U) and P → Q,then ∆, Γ `r Q : (B,A, T ,U).

Proof: By induction on the derivation of P → Q. The basic idea is: For onekind of reduction as P → Q, suppose ∆, Γ `r P : (B,A, T ,U), then calculate theprocess type of every term in process P according to typing rules. Q is reducedfrom P , hence the process Q is composed of the terms in process P . Based on theprocess types of those terms which have already been known, we can calculatethe process type of Q according to typing rules.

In order to give proof for (Red ≡), Proposition 1 is given.

And in order to overcome the difficulties brought by multi-level blocking, thesix propositions 2 3 4 5 6 7 are given.

All the proofs are found in Appendix A and Appendix B.2

Proposition 1 (Subject Congruence) (1) If ∆, Γ `b P : (B,A, T ,U) andP ≡ Q, then ∆, Γ `b Q : (B,A, T ,U).

(2) If ∆, Γ `b P : (B,A, T ,U) and Q ≡ P , then ∆, Γ `b Q : (B,A, T ,U).

75

We use the following function to catch the most interior blocking in an eval-uation context:

Definition 6.4.1 (The Inner Most Blocking)

InnerMostBlk(C C(| |)) =

∅ if C = ∅type(C) if C 6= ∅ and C C(| |) = (| |)oCtype(C) if C 6= ∅ and C ′ = 0 and

C C(| |) = (C C′(| |)|P ) oC′′ (C = C ′ ∪ C ′′)

InnerMostBlk(C C′(| |)) if C 6= ∅ and C ′ 6= 0 and

C C(| |) = (C C′(| |)|P ) oC′′ (C = C ′ ∪ C ′′)

Proposition 2 is used to calculate the process type when an in capability isconsumed within one evaluation context.

Proposition 2 If ∆, Γ `b C C(| in a.P |) : (B,A, T ,U) , then ∆, Γ `b C C(| P |) :(B′,A, T ,U) , where Γ(a) = A, B = B′ ∪ {in A} when in a /∈ C, B = B′ whenin a ∈ C.

Proposition 3 is used to calculate the process type when an out capability isconsumed within one evaluation context.

Proposition 3 If ∆, Γ `b C C(| out a.P |) : (B,A, T ,U) , then ∆, Γ `b C C(| P |) :(B′,A, T ,U) where Γ(a) = A, B = B′ ∪ {out A} when out a /∈ C, B = B′ whenout a ∈ C.

Proposition 4 is used to calculate the process type when an ambient leavesout from an evaluation context.

Proposition 4 If ∆, Γ `b C C(| a[P ]s|Q|) : (B,A, T ,U) and ∆, Γ `b a[P ]s :(∅,A′, ∅,U ′), then ∆, Γ `b C C(| Q|) : (B,A′′, T ,U ′′) when C = ∅, ∆, Γ `b

C C(| Q|) : (B,A, T ,U ′′) when C 6= ∅, where A = A′ ∪ A′′, and U = U ′ ∪ U ′′.

Proposition 5 is used to calculate the process type when an ambient entersinto another ambient which resides in an evaluation context.

Proposition 5 If ∆, Γ `n C C(| b[R]|) : (B,A, T ,U), ∆, Γ `b a[Q]s : (∅,A′, ∅,U ′),U ′ ⊆ VB and MA ⊆ MB, then ∆, Γ `n C C(| b[R|a[Q]s]|) : (B,A ∪ A′, T ,U ∪ U ′)when C = ∅, ∆, Γ `n C C(| b[R|a[Q]s]|) : (B,A, T ,U ∪ U ′) when C 6= ∅, whereΓ(a) = A, ∆(A) = (VA, κA, MA), Γ(b) = B, ∆(B) = (VB, κB, MB).

76

Proposition 6 is used to calculate the process type when an auth capability isconsumed within an evaluation context.

Proposition 6 If ∆, Γ `b C C(| auth(a, k).P |) : (B,A, T ,U), then ∆, Γ `b C C(| P |) :(B′,A, T ′,U) when C = ∅, ∆, Γ `b C C(| P |) : (B′,A, T ,U) when C 6= ∅,where Γ(a) = A, ∆(A) = (VA, κA, MA), Γ(k) = K, B = B′ ∪ {auth(A, K)},T = T ′ ∪ {auth(A, K)}.

Proposition 7 is used to calculate the process type when an ambient entersinto a blocking scope by being authenticated.

Proposition 7 If ∆, Γ `b C C(| Q|) : (B,A, T ,U), ∆, Γ `b a[P ]s : (∅,A′, ∅,U ′)and MA ⊆ InnerMostBlk(C C(| |)), then ∆, Γ `b C C(|Q|a[P ]s|) : (B,A, T ,U∪U ′)when C 6= ∅, ∆, Γ `b C C(| Q|a[P ]s|) : (B,A ∪ A′, T ,U ∪ U ′) when C = ∅, whereΓ(a) = A and ∆(A) = (VA, κA, MA).

The contribution of our type system is that, it can detect and prohibit theerror transition defined in Definition 6.4.2.

Definition 6.4.2 (Error Transition) →err, denotes error transition. Supposethere exists predefined environments Γ and ∆, which satisfy Γ, ∆ ` �. The errortransitions are defined in terms of Γ and ∆ as follows:

• (Error In):

C C(| b[C C′(| in a.P |)]s | Q|) | C C′′

(| a[R]|) →err

C C(|Q|) | C C′′(| a[R | b[C C′

(| P |)]s]|) (in a /∈ C ∪ C ′)

when in A /∈ κB, or VB 6⊆ VA, or B /∈ VA, or B /∈ Sk if s = k, orMb 6⊆ InnerMostBlk(C C(| |)), or MA 6⊆ InnerMostBlk(C C′′

(| |)), whereΓ(a) = A, ∆(A) = (VA, κA, MA), Γ(b) = B, ∆(B) = (VB, κB, MB), Γ(k) =K, and ∆(K) = (Ak, Sk).

• (Error Out):

a[C C(| b[C C′(| out a.P |)]s | Q|)] →err a[C C(|Q|)] | b[C C′

(| P |)]s (out a /∈C ∪ C ′)

when out A /∈ κB, or VB 6⊆ VA, or B /∈ VA, or MB 6⊆ InnerMostBlk(C C′(| |)),

or B /∈ Sk if s = k, where Γ(a) = A, ∆(A) = (VA, κA, MA), Γ(b) = B,∆(B) = (VB, κB, MB), Γ(k) = K, and ∆(K) = (Ak, Sk).

• (Error Open):

b[C C(| open a.P | a[Q]|)]s | →err b[C C(| P | Q|)]s

77

when open A /∈ κB, or κA 6⊆ κB, or VA 6⊆ VB, or A /∈ VB, or MA 6⊆InnerMostBlk(C C(| |)), or B /∈ Sk if s = k, where Γ(a) = A, ∆(A) =(VA, κA, MA), Γ(b) = B, ∆(B) = (VB, κB, MB), Γ(k) = K, and ∆(K) =(Ak, Sk).

• (Error Auth):

a[P ]k|b[C C(| auth(a, k).Q|)|R]s →err b[C C(|Q|a[P ]|) | R]s

when auth(A, K) /∈ κB, or MA 6⊆ InnerMostBlk(C C(| |)), or A /∈ Sk, orB /∈ Ak, or B /∈ S ′

k if s = k′, where Γ(a) = A, ∆(A) = (VA, κA, MA),Γ(b) = B, ∆(B) = (VB, κB, MB), Γ(k) = K, ∆(K) = (Ak, Sk), Γ(k′) = K ′,and ∆(K ′) = (A′

k, S′k).

• (Error Sign):

b[sign(a, k).P |a[Q]ε]s →err b[P |a[Q]k]s

when B /∈ Sk, or VA 6⊆ VB, or A /∈ VB, or B /∈ S ′k if s = k′, where Γ(a) =

A, ∆(A) = (VA, κA, MA), Γ(b) = B, ∆(B) = (VB, κB, MB), Γ(k) = K,∆(K) = (Ak, Sk), Γ(k′) = K ′, and ∆(K ′) = (A′

k, S′k).

• (Error Res):

P →err Q

(νn)P →err (νn)Q

• (Error Amb):

P →err Q

a[P ]s →err a[Q]s

• (Error Par):

P →err Q

P |R →err Q|R

• (Error BC):

78

P →err Q

P oC →err QoC

• (Error ≡):

P ≡ P ′ P ′ →err Q′ Q′ ≡ Q

P →err Q

(Error In) (Error Out) (Error Open) (Error Auth) (Error Sign)define the basic transitions which violate the security policy with respect to ourtype system; (Error Res) (Error Amb) (Error Par) (Error BC) aredefined based on the basic error transitions, that means if an internal event of aprocess is an error transition, then the reduction of the whole process caused bythe internal transition is also an error transition; (Error ≡) shows if a processhas error transitions, its semantic equivalent processes also have the same errortransitions.

A safe process should have no error transition in a predefined well formedenvironment. Therefore, in order to make judgments if a process is safe, we candefine one predicate safe(Γ, ∆, P ) as following:

Definition 6.4.3 (Safety) Given the environments Γ, ∆ and process P , we saythat safe(Γ, ∆, P ) if Γ, ∆ ` � and P 9err in the environments Γ and ∆, whereP 9err denotes there exists no error transition from P .

If a process is well typed in the universal ambient, it is supposed to satisfythe safety defined in Definition 6.4.3. This can be expressed by the followingtheorem:

Theorem 2 (Type Safety) If ∆, Γ `s@ P : (B,A, T ,U), then safe(Γ, ∆, P ).

Proof: By inductions on the derivations of ∆, Γ `@ P : (B,A, T ,U). 2

79

Chapter 7

Conclusion

An extension of Mobile Ambients with digital signature and blocking is intro-duced in this report. We introduced the concept of digital signatures and accesscontrol in the form of blocking into Mobile Ambients for the first time. Section 7.1describes the main objectives that this project accomplishes, and in Section 7.2we describe a few of the possible continuations of this project.

7.1 Achievements

Based on the application of digital signature and the sandbox model in Java, wehave developed the calculus of DISA , which describes a traditional view of theInternet: a piece of code is signed in the sender site, and the code is authenticatedby the receiver site, if the authentication is successful, the code can be activatedas a process running within the receiver site. We introduce code as a new nota-tion to express this. code is one kind of static structure, processes within codeare passive and digitally signed to prevent any tampering. An ambient uses thesign capability to enter a code in order to sign itself, and the auth capability toauthenticate an incoming code and activate it in the case of a successful authen-tication.

Inspired from mobile agents, we think over a mechanism for autonomous mi-grating program to protect itself to be tampered. Ambients can be used to modelthis kind of programs. Ambients are allowed to sign itself in the calculus of DSA.In DSA, the concept of digitally signed ambients is introduced. A digitally signedambient can recalculate its own digital signature as it is moving, but prohibits theother ambients without its private key to change its contents and digital signature.

Inspired from Java sandbox model and Umbrella, we introduced the conceptof blocking into mobile ambients to model restrictions on processes. We developthree kinds of calculi of mobile ambients with blocking: MABN introduces block-

81

ing on names into mobile ambients, which is a mechanism to divide a process intodifferent name spaces, and prohibit actions with respect to the blocked namesthrough name hiding; MABC introduces blocking on capabilities into mobile am-bients, which models process based mandatory access control; MABA introducesblocking at ambient level into Mobile Ambients, which combines ambient bound-ary with blocking together, in which blocking is applied along with the boundaryof ambients.

For the motivation of modeling Umbrella in which the foreign code gets thecorresponding blocking according to where it comes from(identified by its publickey), and for the motivation of proposing new solutions of mobile code, we com-bine DSA and MABC together, and form the calculus of DSABC, which modelsa predefined blocking assigned to an incoming code according to the key used tocalculate its digital signature.

Based on DSABC, we developed a type system which captures the three safetyproperties to guarantee there is no error transition violating the security policypredefined: who visit whom, the minimal blocking policy and key distribution.

7.2 Future Work

There are various directions for the future work of this project. One of the pos-sible directions is to introduce communication primitives into our calculi withblocking. This would enrich the semantics of blocking when we propose theblocking on communication in mobile ambients.

To capture the property of hierarchical blocking at all levels that is at anygiven level of an ambient for it to be well typed the child should have more re-strictions than its parent.

Another possible direction is to investigate the critical problems of securityin the applications of mobile computing and mobile computation. To figure outways to use our calculi of blocking to solve those problems and improve the se-curity of the applications, at the same time improve our calculi.

Finally, based on the improvements on the calculi, we can develop a typechecker and a series of tools.

82

Appendix A

Subject Congruence

Proposition 1 (Subject Congruence) (1) If ∆, Γ `b P : (B,A, T ,U) andP ≡ Q, then ∆, Γ `b Q : (B,A, T ,U).


Proof: By mutual induction on the derivations of P ≡ Q and Q ≡ P .

(1) If ∆, Γ `b P : (B,A, T ,U) and P ≡ Q, then ∆, Γ `b Q : (B,A, T ,U).

(Struct Refl) Trival.

(Struct Symm) If P ≡ Q, then Q ≡ P . According to hypothesis (2),∆, Γ `b Q : (B,A, T ,U).

(Struct Trans) For P ≡ Q, there exists R to make P ≡ R, and R ≡ Q.We have ∆, Γ `b P : (B,A, T ,U), according to hypothesis (1), we canget ∆, Γ `b R : (B,A, T ,U). According to the same hypothesis, we canget ∆, Γ `b Q : (B,A, T ,U).

(Struct Res) P = (νn)P ′, Q = (νn)Q′, and P ′ ≡ Q′. Using (Res), wehave

∆, Γ `b P ′ : (B,A, T ,U)

∆, Γ `b (νn)P ′ : (B,A, T ,U)(A.1)

from (A.1), according to hypothesis (1), we have ∆, Γ `b Q′ : (B,A, T ,U).Using (Res), we have

∆, Γ `b Q′ : (B,A, T ,U)

∆, Γ `b (νn)Q′ : (B,A, T ,U)(A.2)

83

(Struct Par) P = P ′|R, Q = Q′|R, P ′ ≡ Q′. Using (Par)

∆, Γ `b P ′ : (B′,A′, T ′,U ′) ∆, Γ `b R : (B′′,A′′, T ′′,U ′′)

∆, Γ `b P ′|R : (B′ ∪ B′′,A′ ∪ A′′, T ′ ∪ T ′′,U ′ ∪ U ′′)(A.3)

From (A.3),according to hypothesis (1), we have ∆, Γ `b Q′ : (B′,A′, T ′,U ′).Using (Par)

∆, Γ `b Q′ : (B′,A′, T ′,U ′) ∆, Γ `b R : (B′′,A′′, T ′′,U ′′)

∆, Γ `b Q′|R : (B′ ∪ B′′,A′ ∪ A′′, T ′ ∪ T ′′,U ′ ∪ U ′′)(A.4)

(Struct Repl) P =! P ′,Q =! Q′,P ′ ≡ Q′. Using (Repl)

∆, Γ `b P ′ : (B,A, T ,U)

∆, Γ `b! P ′ : (B,A, T ,U)(A.5)

From (A.5), according to hypothesis (1), we have ∆, Γ `b Q′ : (B,A, T ,U).Using (Repl)

∆, Γ `b Q′ : (B,A, T ,U)

∆, Γ `b! Q′ : (B,A, T ,U)(A.6)

(Struct Amb) P = n[P ′]s, Q = n[Q′]s, P ′ ≡ Q′. Using (Amb) or (Sign Amb)

∆, Γ `n P ′ : (B′,A′, T ′,U ′)

∆, Γ `b n[P ′]s : (∅,A, ∅,U)(A.7)

Where Γ(b) = B ∆(B) = (VB, κB, MB), B ⊆ κB, U ⊆ VB, ∀A ∈A(Γ(a) = A ∆(A) = (VA, κA, MA) =⇒ MA ⊆ MB), ∀auth(D, K) ∈T (∆(D) = (VD, κD, MD) =⇒ MD = ∅), A = A′∪{N}, U = U ′∪{N}

From (A.7), according to hypothesis (1), we have ∆, Γ `n Q′ : (B′,A′, T ′,U ′).Using (Amb)

∆, Γ `n Q′ : (B′,A′, T ′,U ′)

∆, Γ `b n[Q′]s : (∅,A, ∅,U)(A.8)

Where Γ(b) = B ∆(B) = (VB, κB, MB), B ⊆ κB, U ⊆ VB, ∀A ∈A(Γ(a) = A ∆(A) = (VA, κA, MA) =⇒ MA ⊆ MB), ∀auth(D, K) ∈T (∆(D) = (VD, κD, MD) =⇒ MD = ∅), A = A′∪{N}, U = U ′∪{N}

(Struct Action) P = M.P ′, Q = M.Q′, P ′ ≡ Q′.If M = in a: Using (In),

∆, Γ `b P ′ : (B′,A, T ,U)

∆, Γ `b in a.P ′ : (B,A, T ,U)(A.9)

84

Where Γ(a) = A, ∆(A) = (VA, κA, MA), Γ(b) = B, ∆(B) = (VB, κB, MB),VB ⊆ VA, B ∈ VA, B = B′ ∪ {in A}

From (A.9), according to hypothesis (1), we have ∆, Γ `b Q′ : (B′,A, T ,U).Using (In)

∆, Γ `b Q′ : (B′,A, T ,U)

∆, Γ `b in a.Q′ : (B,A, T ,U)(A.10)

Where Γ(a) = A, ∆(A) = (VA, κA, MA), Γ(b) = B, ∆(B) = (VB, κB, MB),VB ⊆ VA, B ∈ VA, B = B′ ∪ {in A}

If M = out a: Using (Out),

∆, Γ `b P ′ : (B′,A, T ,U)

∆, Γ `b out a.P ′ : (B,A, T ,U)(A.11)

Where Γ(a) = A, ∆(A) = (VA, κA, MA), Γ(b) = B, ∆(B) = (VB, κB, MB),VB ⊆ VA, B ∈ VA, ∀r ∈ Dom(Γ)(Γ(r) = R∧∆(R) = (VR, κR, MR)∧A ∈VR =⇒ B ∈ VR), B = B′ ∪ {out A}

From (A.11), according to hypothesis (1), we have ∆, Γ `b Q′ : (B′,A, T ,U).Using (Out)

∆, Γ `b Q′ : (B′,A, T ,U)

∆, Γ `b out a.Q′ : (B,A, T ,U)(A.12)

Where Γ(a) = A, ∆(A) = (VA, κA, MA), Γ(b) = B, ∆(B) = (VB, κB, MB),VB ⊆ VA, B ∈ VA, ∀r ∈ Dom(Γ)(Γ(r) = R∧∆(R) = (VR, κR, MR)∧A ∈VR =⇒ B ∈ VR), B = B′ ∪ {out A}

If M = open a: Using (Open),

∆, Γ `b P ′ : (B′,A, T ,U)

∆, Γ `b open a.P ′ : (B,A, T ,U)(A.13)

Where Γ(a) = A, ∆(A) = (VA, κA, MA), Γ(b) = B, ∆(B) = (VB, κB, MB),VA ⊆ VB, A ∈ VB, B = B′ ∪ {open A} ∪ κA

From (A.13), according to hypothesis (1), we have ∆, Γ `b Q′ : (B′,A, T ,U).Using (Open)

∆, Γ `b Q′ : (B′,A, T ,U)

∆, Γ `b open a.Q′ : (B,A, T ,U)(A.14)

Where Γ(a) = A, ∆(A) = (VA, κA, MA), Γ(b) = B, ∆(B) = (VB, κB, MB),VA ⊆ VB, A ∈ VB, B = B′ ∪ {open A} ∪ κA

85

If M = auth(a, k): Using (Auth)

∆, Γ `b P ′ : (B′,A, T ′,U)

∆, Γ `b auth(a, k).P ′ : (B,A, T ,U)(A.15)

Where Γ(a) = A, ∆(A) = (VA, κA, MA), Γ(b) = B, ∆(B) = (VB, κB, MB),Γ(k) = K, ∆(K) = (Ak, Sk), A ∈ Ak, VA ⊆ VB, A ∈ VB, B =B′ ∪ {auth(A, K)}, T = T ′ ∪ {auth(A, K)}

From (A.15), according to hypothesis (1), we have ∆, Γ `b Q′ : (B′,A, T ,U).Using (Auth)

∆, Γ `b Q′ : (B′,A, T ′,U)

∆, Γ `b auth(a, k).Q′ : (B,A, T ,U)(A.16)

Where Γ(a) = A, ∆(A) = (VA, κA, MA), Γ(b) = B, ∆(B) = (VB, κB, MB),Γ(k) = K, ∆(K) = (Ak, Sk), A ∈ Ak, VA ⊆ VB, A ∈ VB, B =B′ ∪ {auth(A, K)}, T = T ′ ∪ {auth(A, K)}

If M = sign(a, k): Using (Sign)

∆, Γ `b P ′ : (B′,A, T ,U)

∆, Γ `b sign(a, k).P ′ : (B,A, T ,U)(A.17)

Where Γ(a) = A, ∆(A) = (VA, κA, MA), Γ(b) = B, ∆(B) = (VB, κB, MB),Γ(k) = K, ∆(K) = (Ak, Sk), B ∈ Sk, VA ⊆ VB, A ∈ VB, B =B′ ∪ {sign(A, K)}

From (A.17), according to hypothesis (1), we have ∆, Γ `b Q′ : (B′,A, T ,U).Using (Sign)

∆, Γ `b Q′ : (B′,A, T ,U)

∆, Γ `b signak.Q′ : (B,A, T ,U)(A.18)

Where Γ(a) = A, ∆(A) = (VA, κA, MA), Γ(b) = B, ∆(B) = (VB, κB, MB),Γ(k) = K, ∆(K) = (Ak, Sk), B ∈ Sk, VA ⊆ VB, A ∈ VB, B =B′ ∪ {sign(A, K)}

(Struct BC) P = P ′oC , Q = Q′oC , P ≡ Q′, ∆, Γ `b P : (B,A, T ,U), Using(Block)

∆, Γ `b P ′ : (B′,A′, T ′,U)

∆, Γ `b P ′oC : (B,A, T ,U)(A.19)

Where ∀A ∈ A(∆(A) = (VA, κA, MA) =⇒ MA ⊆ type(C)), ∀auth(D, K) ∈T (∆(D) = (VD, κD, MD) =⇒ MD ⊆ type(C)), B = B′ − type(C),

86

A = ∅, T = ∅

From (A.19), according to hypothesis (1), we have ∆, Γ `b Q′ : (B′,A, T ,U).Using (Block)

∆, Γ `b Q′ : (B′,A′, T ′,U)

∆, Γ `b Q′oC : (B,A, T ,U)(A.20)

Where ∀A ∈ A(∆(A) = (VA, κA, MA) =⇒ MA ⊆ type(C)), ∀auth(D, K) ∈T (∆(D) = (VD, κD, MD) =⇒ MD ⊆ type(C)), B = B′ − type(C),A = ∅, T = ∅

(Struct Par Comm) P = P ′|Q′,Q = Q′|P ′. Using (Par),

∆, Γ `b P ′ : (B1,A1, T1,U1) ∆, Γ `b Q′ : (B2,A2, T2,U2)

∆, Γ `b P ′|Q′ : (B,A, T ,U)(A.21)

Where B = B1 ∪ B2, A = A1 ∪ A2, T = T1 ∪ T2, U = U1 ∪ U2

From (A.21), using (Par), we have

∆, Γ `b Q′ : (B2,A2, T2,U2) ∆, Γ `b P ′ : (B1,A1, T1,U1)

∆, Γ `b P ′|Q′ : (B2 ∪ B1,A2 ∪ A1, T2 ∪ T1,U2 ∪ U1)(A.22)

Where B2 ∪ B1 = B, A2 ∪ A1 = A, T2 ∪ T1 = T , U2 ∪ U2 = U

(Struct Par Assoc) P = (P ′|Q′)|R′,Q = P ′|(Q′|R′).Using (Par), wehave the following:

∆, Γ `b P ′|Q′ : (B1,A1, T1,U1) ∆, Γ `b R′ : (B2,A2, T2,U2)

∆, Γ `b (P ′|Q′)|R′ : (B,A, T ,U)(A.23)


∆, Γ `b P ′ : (B′1,A′

1, T ′1,U ′

1) ∆, Γ `b Q′ : (B′′1,A′′

1, T ′′1,U ′′

1)

∆, Γ `b P ′|Q′ : (B1,A1, T1,U1)(A.24)

Where B1 = B′1 ∪B′′

1, A1 = A′1 ∪A′′

1, T1 = T ′1 ∪ T ′′

1, U1 = U ′1 ∪ U ′′

1

From (A.23) and (A.24), using (Par), we have the following:

∆, Γ `b Q′ : (B′′1,A′′

1, T ′′1,U ′′

1) ∆, Γ `b R′ : (B2,A2, T2,U2)

∆, Γ `b Q′|R′ : (B2 ∪ B′′1,A2 ∪ A′′

1, T2 ∪ T ′′1,U2 ∪ U ′′

1)(A.25)

87

∆, Γ `b P ′ : (B′1,A′

1, T ′1,U ′

1)∆, Γ `b Q′|R′ : (B2 ∪ B′′

1,A2 ∪ A′′1, T2 ∪ T ′′

1,U2 ∪ U ′′1)

∆, Γ `b P ′|(Q′|R′) : (B′1 ∪ B2 ∪ B′′

1,A′1 ∪ A2 ∪ A′′

1, T ′1 ∪ T2 ∪ T ′′

1,U ′1 ∪ U2 ∪ U ′′

1)(A.26)

Where B′1 ∪ B2 ∪ B′′

1 = B, A′1 ∪ A2 ∪ A′′

1 = A, T ′1 ∪ T2 ∪ T ′′

1 = T ,U ′

1 ∪ U2 ∪ U ′′1 = B

(Struct Repl Par) P =! P ′,Q = P ′|! P ′. Using (Repl), we have

∆, Γ `b P ′ : (B,A, T ,U)

∆, Γ `b! P ′ : (B,A, T ,U)(A.27)

From (A.27), using (Par), we have

∆, Γ `b P ′ : (B,A, T ,U) ∆, Γ `b! P′ : (B,A, T ,U)

∆, Γ `b P ′|! P ′ : (B,A, T ,U)(A.28)

(Struct Res Res) P = (νn)(νn′)P ′, Q = (νn′)(νn)P ′. Using (Res), wehave the following:

∆, Γ `b (νn′)P ′ : (B,A, T ,U)

∆, Γ `b (νn)(νn′)P ′ : (B,A, T ,U)(A.29)

∆, Γ `b P ′ : (B,A, T ,U)

∆, Γ `b (νn′)P ′ : (B,A, T ,U)(A.30)

From (A.30), Using (Res), we have:

∆, Γ `b P ′ : (B,A, T ,U)

∆, Γ `b (νn)P ′ : (B,A, T ,U)(A.31)

∆, Γ `b (νn)P ′ : (B,A, T ,U)

∆, Γ `b (νn′)(νn)P ′ : (B,A, T ,U)(A.32)

(Struct Res Par) P = (νn)(P ′|Q′), Q = P ′|(νn)Q′,n /∈ fn(P ′). Using(Res) and (Par), we have the following:

∆, Γ `b P ′|Q′ : (B,A, T ,U)

∆, Γ `b (νn)P ′|Q′ : (B,A, T ,U)(A.33)

88

∆, Γ `b P ′ : (B1,A1, T1,U1) ∆, Γ `b Q′ : (B2,A2, T2,U2)

∆, Γ `b P ′|Q′ : (B,A, T ,U)(A.34)


From (A.34), using (Res),we have

∆, Γ `b Q′ : (B2,A2, T2,U2)

∆, Γ `b (νn)Q′ : (B2,A2, T2,U2)(A.35)

From (A.34), (A.35), Using (Par), we have

∆, Γ `b P ′ : (B1,A1, T1,U1) ∆, Γ `b (νn)Q′ : (B2,A2, T2,U2)

∆, Γ `b P ′|(νn)Q′ : (B,A, T ,U)(A.36)

(Struct Res Amb) P = (νn)n′[P ′], Q = n′[(νn)P ′], n 6= n′. Using (Res),we have

∆, Γ `b n′[P ] : (B,A, T ,U)

∆, Γ `b (νn)n′[P ] : (B,A, T ,U)(A.37)

Using (Amb), we have

∆, Γ `n P ′ : (B′,A′, T ′,U ′)

∆, Γ `b n′[P ′] : (B,A, T ,U)(A.38)

Where Γ(b) = B ∆(B) = (VB, κB, MB), B ⊆ κB, U ⊆ VB, ∀A ∈A(Γ(a) = A ∆(A) = (VA, κA, MA) =⇒ MA ⊆ MB), ∀auth(D, K) ∈T (∆(D) = (VD, κD, MD) =⇒ MD = ∅), A = A′ ∪ {N ′}, U =U ′ ∪ {N ′}, B = ∅, T = ∅

From (A.38), using (Res), we have

∆, Γ `b P : (B′,A′, T ′,U ′)

∆, Γ `b (νn)P : (B′,A′, T ′,U ′)(A.39)

From (A.39) and (A.38), using (Amb), we have

∆, Γ `n (νn)P ′ : (B′,A′, T ′,U ′)

∆, Γ `b n′[(νn)P ′] : (∅,A, ∅,U)(A.40)

Where Γ(b) = B ∆(B) = (VB, κB, MB), B ⊆ κB, U ⊆ VB, ∀A ∈A(Γ(a) = A ∆(A) = (VA, κA, MA) =⇒ MA ⊆ MB), ∀auth(D, K) ∈T (∆(D) = (VD, κD, MD) =⇒ MD = ∅), A = A′ ∪ {N ′}, U =U ′ ∪ {N ′}

89

(Struct Res BC) P = (νn)(P ′oC), Q = ((νn)P ′)oC , n /∈ fn(C), Using(Res), we have

∆, Γ `b P ′oC : (B,A, T ,U)

∆, Γ `b (νn)(P )oC : (B,A, T ,U)(A.41)

From (A.41), and using (Block), we have:

∆, Γ `b P ′ : (B′,A′, T ′,U)

∆, Γ `b P ′oC : (B,A, T ,U)(A.42)

Where ∀A ∈ A(∆(A) = (VA, κA, MA) =⇒ MA ⊆ type(C)), ∀auth(D, K) ∈T (∆(D) = (VD, κD, MD) =⇒ MD ⊆ type(C)), B = B′ − type(C),A = ∅, T = ∅From (A.42), using (Res), we have:

∆, Γ `b P ′ : (B′,A′, T ′,U)

∆, Γ `b (νn)P ′ : (B′,A′, T ′,U ′)(A.43)

From (A.43), using (Block), we have:

∆, Γ `b (νn)P ′ : (B′,A′, T ′,U ′)

∆, Γ `b ((νn)P ′)oC : (B′′,A′′, T ′′,U ′′)(A.44)

Where ∀A ∈ A(∆(A) = (VA, κA, MA) =⇒ MA ⊆ type(C)), ∀auth(D, K) ∈T (∆(D) = (VD, κD, MD) =⇒ MD ⊆ type(C)), B′′ = B′ − type(C),A′′ = ∅, T ′′ = ∅, U ′′ = U ′

(Struct Zero Par) P = P ′|0,P = P ′. Using (Par) and (Nil), we have

∆, Γ `b P ′ : (B,A, T ,U) ∆, Γ `b 0 : (∅, ∅, ∅, ∅)∆, Γ `b P ′|0 : (B,A, T ,U)

(A.45)

Hence, we get ∆, Γ `b P ′ : (B,A, T ,U).

(Struct Zero Res) P = (νn)0, Q = 0. Using (Res),we have

∆, Γ `b 0 : (∅, ∅, ∅, ∅)∆, Γ `b (νn)0 : (∅, ∅, ∅, ∅)

(A.46)

From (A.46), we have ∆, Γ `b 0 : (∅, ∅, ∅, ∅).

(Struct Zero Repl) P =! 0, Q = 0.Using (Repl), we have

∆, Γ `b 0 : (∅, ∅, ∅, ∅)∆, Γ `b! 0 : (∅, ∅, ∅, ∅)

(A.47)

From (A.47), we have ∆, Γ `b 0 : (∅, ∅, ∅, ∅).

90

(Struct Par BC) P = P ′ oC |Q′oC , Q = (P ′|Q′)oC , Using (Par), we have:

∆, Γ `b P ′oC : (B1,A1, T1,U1) ∆, Γ `b Q′oC : (B2,A2, T2,U2)

∆, Γ `b P ′ oC |Q′oC : (B,A, T ,U)(A.48)


From (A.48), using (Block), we have:

∆, Γ `b P ′ : (B′1,A′

1, T ′1,U ′

1)

∆, Γ `b P ′oC : (B1,A1, T1,U1)(A.49)

Where ∀A ∈ A(∆(A) = (VA, κA, MA) =⇒ MA ⊆ type(C)), ∀auth(D, K) ∈T (∆(D) = (VD, κD, MD) =⇒ MD ⊆ type(C)), B1 = B′

1 − type(C),A1 = ∅, T1 = ∅, U1 = U ′

1

∆, Γ `b Q′ : (B′2,A′

2, T ′2,U ′

2)

∆, Γ `b Q′oC : (B2,A2, T2,U2)(A.50)

Where ∀A ∈ A(∆(A) = (VA, κA, MA) =⇒ MA ⊆ type(C)), ∀auth(D, K) ∈T (∆(D) = (VD, κD, MD) =⇒ MD ⊆ type(C)), B2 = B′

2 − type(C),A2 = ∅, T2 = ∅, U2 = U ′

2

From (A.49), (A.50), Using (Par), we have:

∆, Γ `b P ′ : (B′1,A′

1, T ′1,U ′

1) ∆, Γ `b Q′ : (B′2,A′

2, T ′2,U ′

2)

∆, Γ `b P ′|Q′ : (B3,A3, T3,U3)(A.51)

Where B3 = B′1 ∪ B′

2, A3 = A′1 ∪ A′

2, T3 = T ′1 ∪ T ′

2, U3 = U ′1 ∪ U ′

2

From (A.51), Using (Block), we have:

∆, Γ `b P ′|Q′ : (B3,A3, T3,U3)

∆, Γ `b (P ′|Q′)oC : (B4,A4, T4,U4)(A.52)

Where ∀A ∈ A(∆(A) = (VA, κA, MA) =⇒ MA ⊆ type(C)), ∀auth(D, K) ∈T (∆(D) = (VD, κD, MD) =⇒ MD ⊆ type(C)), A4 = ∅ = A, T4 = ∅ =T , U4 = U3 = A, , B4 = B3 − type(C) =⇒ B4 = (B′

1 ∪ B′2) −

type(C) =⇒ B4 = (B′1 − type(C)) ∪ (B′

2 − type(C)) =⇒ B4 =B1 ∪ B2 =⇒ B

(Struct BC Comb) P = P ′ oC oC′ , Q = (P ′)oC∪C′ , Using (block), wehave:

∆, Γ `b P ′oC : (B1,A1, T1,U1)

∆, Γ `b P ′ oC oC′ : (B,A, T ,U)(A.53)

91

Where ∀A ∈ A(∆(A) = (VA, κA, MA) =⇒ MA ⊆ type(C)), ∀auth(D, K) ∈T (∆(D) = (VD, κD, MD) =⇒ MD ⊆ type(C)), A = ∅, T = ∅, U = U1,, B = B1 − type(C ′)

∆, Γ `b P ′ : (B2,A2, T2,U2)

∆, Γ `b P ′oC : (B1,A1, T1,U1)(A.54)

Where ∀A ∈ A(∆(A) = (VA, κA, MA) =⇒ MA ⊆ type(C)), ∀auth(D, K) ∈T (∆(D) = (VD, κD, MD) =⇒ MD ⊆ type(C)), A1 = ∅, T1 = ∅,U1 = U2, , B1 = B2 − type(C)

From (A.54), Using (Block), we have:

∆, Γ `b P ′ : (B2,A2, T2,U2)

∆, Γ `b P ′oC∪C′ : (B3,A3, T3,U3)(A.55)

Where ∀A ∈ A(∆(A) = (VA, κA, MA) =⇒ MA ⊆ type(C)), ∀auth(D, K) ∈T (∆(D) = (VD, κD, MD) =⇒ MD ⊆ type(C)), A3 = ∅, T3 = ∅,U3 = U2, , B3 = B2−type(C∪C ′) =⇒ B3 = B2−type(C)−type(C ′) =⇒B3 = B1 − type(C ′) =⇒ B3 = B

(Struct BC Empty) Trivial as in P ≡ P .

(Struct Zero BC) P = 0oC , Q = 0. Using (Block), we have:

∆, Γ `b 0 : (∅, ∅, ∅, ∅)∆, Γ `b 0oC : (B,A, T ,U)

(A.56)

Where B = ∅−type(C) =⇒ B = ∅. Hence, we get ∆, Γ `b 0 : (∅, ∅, ∅, ∅)


(Struct Refl) Trival.

(Struct Symm) We have P ≡ Q.According to hypothesis (1), ∆, Γ `b Q :(B,A, T ,U).

(Struct Trans) For Q ≡ P , there exists R to make Q ≡ R,R ≡ P . Sup-pose ∆, Γ `b P : (B,A, T ,U), according to hypothesis (2), we have∆, Γ `b R : (B,A, T ,U). And according to the same hypothesis, we get∆, Γ `b Q : (B,A, T ,U).

(Struct Res) (Struct Par) (Struct Repl) (Struct Amb) (Struct Action)(Struct BC) (Struct Par Comm) (Struct Par Assoc) (Struct Res Res)symmertical to case (1).

92

(Struct Repl Par) P = P ′|! P ′,Q =! P ′. Using (Par), We have

∆, Γ `b P ′ : (B,A, T ,U) ∆, Γ `b! P′ : (B,A, T ,U)

∆, Γ `b P ′|! P ′ : (B,A, T ,U)(A.57)

(Struct Res Par) P = P ′|(νn)Q′,Q = (νn)(P ′|Q′),n /∈ fn(P ′). Using(Par), we have

∆, Γ `b P ′ : (B1,A1, T1,U1) ∆, Γ `b (νn)Q′ : (B2,A2, T2,U2)

∆, Γ `b P ′|(νn)Q′ : (B,A, T ,U)(A.58)


Using (Res), we have

∆, Γ `b Q′ : (B2,A2, T2,U2)

∆, Γ `b (νn)Q′ : (B2,A2, T2,U2)(A.59)

From (A.58), we get ∆, Γ `b P ′ : (B1,A1, T1,U1). Using (Par), we have

∆, Γ `b P ′ : (B1,A1, T1,U1) ∆, Γ `b Q′ : (B2,A2, T2,U2)

∆, Γ `b P ′|Q′ : (B,A, T ,U)(A.60)


Using (Res), we get

∆, Γ `b P ′|Q′ : (B,A, T ,U)

∆, Γ `b (νn)P ′|Q′ : (B,A, T ,U)(A.61)

(Struct Res Amb) P = s[(νn)P ′],Q = (νn)s[P ′],n 6= m. Using (Amb),we have

∆, Γ `s (νn)P ′ : (B,A, T ,U)

∆, Γ `r s[(νn)P ′] : (∅,A ∪ {S}, ∅,U ∪ {S})(A.62)

Where ∀A ∈ A(Γ(a) = A ∆(A) = (VA, κA, MA) =⇒ MA ⊆ MS), Γ(s) =S ∆(S) = (VS, κS, MS) B ⊆ κS U ⊆ VS,∀auth(D, K) ∈ T (∆(D) =(VD, κD, MD) =⇒ MD = ∅)Using (Res),we have

∆, Γ `s P ′ : (B,A, T ,U)

∆, Γ `s (νn)P ′ : (B,A, T ,U)(A.63)

From (A.62) and (A.63),using (Amb), we have

∆, Γ `s P ′ : (B,A, T ,U)

∆, Γ `r s[P ′] : (∅,A ∪ {S}, ∅,U ∪ {S})(A.64)

93

Where ∀A ∈ A(Γ(a) = A ∆(A) = (VA, κA, MA) =⇒ MA ⊆ MS), Γ(s) =S ∆(S) = (VS, κS, MS) B ⊆ κS U ⊆ VS,∀auth(D, K) ∈ T (∆(D) =(VD, κD, MD) =⇒ MD = ∅)Using (Res), we get

∆, Γ `r s[P ′] : (∅,A ∪ {S}, ∅,U ∪ {S})∆, Γ `r (νn)s[P ′] : (∅,A ∪ {S}, ∅,U ∪ {S})

(A.65)

(Struct Zero Par) P = P ′, Q = P ′|0. Using (Par) and (Nil), we have

∆, Γ `b P ′ : (B,A, T ,U) ∆, Γ `b 0 : (∅, ∅, ∅, ∅)∆, Γ `b P ′|0 : (B,A, T ,U)

(A.66)

(Struct Zero Res) P = 0, Q = (νn)0. Using (Nil), we get ∆, Γ `b 0 :(∅, ∅, ∅, ∅). Using (Res), we have

∆, Γ `b 0 : (∅, ∅, ∅, ∅)∆, Γ `b (νn)0 : (∅, ∅, ∅, ∅)

(A.67)

(Struct Zero Repl) P = 0, P =! 0. Using (Nil), we get ∆, Γ `b 0 :(∅, ∅, ∅, ∅). Using (Repl), we have

∆, Γ `b 0 : (∅, ∅, ∅, ∅)∆, Γ `b! 0 : (∅, ∅, ∅, ∅)

(A.68)

(Struct BC Comb) P = P ′oC∪C′ , Q = P ′ oC oC′ . Using (Block), we have

∆, Γ `b P ′ : (B,A, T ,U)

∆, Γ `b P ′oC∪C′ : (B − type(C ∪ C ′), ∅, ∅,U)(A.69)

Where C ∪ C ′ 6= ∅,∀A ∈ A ( ∆(A) = (VA, κA, MA) =⇒ MA ⊆type(C∪C ′) ),∀auth(D, K) ∈ T (∆(D) = (VD, κD, MD) =⇒ MD ⊆type(C ∪ C ′)Using (Block), we get

∆, Γ `b P ′ : (B,A, T ,U)

∆, Γ `b P ′oC : (B − type(C), ∅, ∅,U)(A.70)

Where C 6= ∅,∀A ∈ A ( ∆(A) = (VA, κA, MA) =⇒ MA ⊆ type(C) ),∀auth(D, K) ∈ T (∆(D) = (VD, κD, MD) =⇒ MD ⊆ type(C)Using (Block), we get

∆, Γ `b P ′oC : (B − type(C), ∅, ∅,U)

∆, Γ `b P ′ oC oC′ : (B − type(C ∪ C ′), ∅, ∅,U)(A.71)

Where C ∪ C ′ 6= ∅

94

(Struct BC Empty) Trival.

(Struct Zero BC) P = 0, Q = 0oC . Using (Nil), we get ∆, Γ `b 0 :(∅, ∅, ∅, ∅). Using (Block), we have

∆, Γ `b 0 : (∅, ∅, ∅, ∅)∆, Γ `b 0oC : (∅, ∅, ∅, ∅)

(A.72)

2

95

Appendix B

Subject Reduction

Proposition 2 If ∆, Γ `b C C(| in a.P |) : (B,A, T ,U) , then ∆, Γ `b C C(| P |) :(B′,A, T ,U) , where Γ(a) = A, B = B′ ∪ {in A} when in a /∈ C, B = B′ whenin a ∈ C.

Proof: By induction on the structure of C C(| |).

(1) In the case of C C(| |) = (| |)oC :

• If C = ∅:We have ∆, Γ `b in a.P : (B,A, T ,U) and in a /∈ C, try to prove∆, Γ `b P : (B′,A, T ,U) where B = B′ ∪ {in A}. Using (In), we get

∆, Γ `b P : (B′,A, T ,U)

∆, Γ `b in a.P : (B,A, T ,U)(B.1)

where B = B′ ∪ {in A}, Γ(a) = A, ∆(A) = (VA, κA, MA), Γ(b) = B,∆(B) = (VB, κB, MB), VB ⊆ VA, B ∈ VA.

• If C 6= ∅:We have ∆, Γ `b (in a.P )oC : (B, ∅, ∅,U), try to prove ∆, Γ `b (P )oC :(B′, ∅, ∅,U) where B = B′∪{in A} when in a /∈ C, B = B′ when in a ∈ C.Using (Block), we get

∆, Γ `b in a.P : (B1,A1, T1,U)

∆, Γ `b (in a.P )oC : (B, ∅, ∅,U)(B.2)

where B = B1 − type(C), ∀R ∈ A1(∆(R) = (VR, κR, MR) =⇒ MR ⊆type(C)), ∀auth(D, K) ∈ T1(∆(D) = (VD, κD, MD) =⇒ MD ⊆ type(C)).From (B.2),using (In), we get

∆, Γ `b P : (B′1,A1, T1,U)

∆, Γ `b in a.P : (B1,A1, T1,U)(B.3)

97

where B1 = B′1 ∪ {in A}, Γ(a) = A, ∆(A) = (VA, κA, MA), Γ(b) = B,

∆(B) = (VB, κB, MB), VB ⊆ VA, B ∈ VA.

So that, we have the following:From (B.3), according to (B.2), using (Block), we get

∆, Γ `b P : (B′1,A1, T1,U)

∆, Γ `b (P )oC : (B′, ∅, ∅,U)(B.4)

where B′ = B′1 − type(C)

We have known B = B1 − type(C) and B1 = B′1 ∪ {in A}. From these,

we can get B = B′1∪{in A}− type(C). If in a ∈ C, then in A ∈ type(C),

then B = (B′1 − type(C)) ∪ ({in A} − type(C)) = B′

1 − type(C) = B′;If in a /∈ C, then in A /∈ type(C), then B = (B′

1 − type(C)) ∪ {in A} =B′ ∪ {in A}

(2) In the case of C C(| |) = (C C′(| |)|P0) oC′′ (C = C ′ ∪ C ′′):

Suppose this proposition is hold in C C′(| |), we must prove this proposition is

hold in C C(| |).

• If C ′′ = ∅:We have ∆, Γ `b C C′

(| in a.P |)|P0 : (B,A, T ,U), we must prove ∆, Γ `b

C C′(| P |)|P0 : (B′,A, T ,U), where B = B′ ∪ {in A} when in a /∈ C,

B = B′ when in a ∈ C.Using (Par), we get

∆, Γ `b C C′(| in a.P |) : (B1,A1, T1,U1) ∆, Γ `b P0 : (B2,A2, T2,U2)

∆, Γ `b C C′(| in a.P |)|P0 : (B,A, T ,U)(B.5)

where B = B1 ∪ B2, A = A1 ∪ A2, T = T1 ∪ T2, U = U1 ∪ U2.According to the supposition, from (B.5), we can have ∆, Γ `b C C′

(| P |) :(B′

1,A1, T1,U1) where B1 = B′1 ∪ {in A} when in a /∈ C ′, or B1 = B′

1

when in a ∈ C ′.So that, we have the following:From (B.5), using (Par), we get

∆, Γ `b C C′(| P |) : (B′

1,A1, T1,U1) ∆, Γ `b P0 : (B2,A2, T2,U2)

∆, Γ `b C C′(| P |)|P0 : (B′1 ∪ B2,A, T ,U)

(B.6)

Because B′1 ∪ B2 ⊆ B,using (Sub), we have (B′

1 ∪ B2,A, T ,U) ≤(B,A, T ,U).

98

Using (SubSumption), we have

∆, Γ `b C C′(| P |)|P0 : (B′

1 ∪ B2,A, T ,U) (B′1 ∪ B2,A, T ,U) ≤ (B,A, T ,U)

∆, Γ `b C C′(| P |)|P0 : (B,A, T ,U)(B.7)

• If C ′′ 6= ∅:We have ∆, Γ `b (C C′

(| in a.P |)|P0)oC′′ : (B, ∅, ∅,U), we must prove∆, Γ `b (C C′

(| P |)|P0)oC′′ : (B, ∅, ∅,U). Using (Block), we get

∆, Γ `b C C′(| in a.P |)|P0 : (Bt,At, Tt,U)

∆, Γ `b (C C′(| in a.P |)|P0)oC′′ : (B, ∅, ∅,U)(B.8)

where B = Bt − type(C ′′), ∀A ∈ At(∆(A) = (VA, κA, MA) =⇒ MA ⊆type(C ′′)), ∀auth(D, K) ∈ Tt(∆(D) = (VD, κD, MD) =⇒ MD ⊆type(C ′′)).From (B.8), using (Par), we get

∆, Γ `b C C′(| in a.P |) : (B1,A1, T1,U1) ∆, Γ `b P0 : (B2,A2, T2,U2)

∆, Γ `b C C′(| in a.P |)|P0 : (Bt,At, Tt,U)(B.9)

where Bt = B1 ∪ B2, At = A1 ∪ A2, Tt = T1 ∪ T2, U = U1 ∪ U2.According to the supposition, from (B.9), we get ∆, Γ `b C C′

(| P |) :(B′

1,A1, T1,U1) where B1 = B′1 ∪{in A} when in a /∈ C ′, B1 = B′

1 whenin a ∈ C ′.So that, we have the following:From (B.9), using (Par), we get

∆, Γ `b C C′(| P |) : (B′

1,A1, T1,U1) ∆, Γ `b P0 : (B2,A2, T2,U2)

∆, Γ `b C C′(| P |)|P0 : (B′1 ∪ B2,At, Tt,U)

(B.10)From (B.8), using (Block), we get

∆, Γ `b C C′(| P |)|P0 : (B′

1 ∪ B2,At, Tt,U)

∆, Γ `b (C C′(| P |)|P0)oC′′ : (B′1 ∪ B2 − type(C ′′), ∅, ∅,U)

(B.11)

Because B′1 ⊆ B1, B′

1 ∪ B2 ⊆ Bt. So that B′1 ∪ B2 − type(C ′′) ⊆ B.

Using (Sub), we have (B′1 ∪ B2 − type(C ′′), ∅, ∅,U) ≤ (B, ∅, ∅,U)

Using (SubSumption), we get

∆, Γ `b (C C′(| P |)|P0)oC′′ : (B′

1 ∪ B2 − type(C ′′), ∅, ∅,U)(B′

1 ∪ B2 − type(C ′′), ∅, ∅,U) ≤ (B, ∅, ∅,U)

∆, Γ `b (C C′(| P |)|P0)oC′′ : (B, ∅, ∅,U)(B.12)

2

99

Proposition 3 If ∆, Γ `b C C(| out a.P |) : (B,A, T ,U) , then ∆, Γ `b C C(| P |) :(B′,A, T ,U) where Γ(a) = A, B = B′ ∪ {out A} when out a /∈ C, B = B′ whenout a ∈ C.

Proof: By induction on the structure of C C(| |).

(1) In the case of C C(| |) = (| |)oC :

• If C = ∅:We have ∆, Γ `b out a.P : (B,A, T ,U) and out a /∈ C, try to prove∆, Γ `b P : (B′,A, T ,U) where B = B′ ∪ {out A}. Using (Out), we get

∆, Γ `b P : (B′,A, T ,U)

∆, Γ `b out a.P : (B,A, T ,U)(B.13)

where B = B′ ∪ {out A}, Γ(a) = A, ∆(A) = (VA, κA, MA), Γ(b) = B,∆(B) = (VB, κB, MB), VB ⊆ VA, B ∈ VA, ∀r ∈ Dom(Γ)(Γ(r) = R ∧∆(R) = (VR, κR, MR) ∧ A ∈ VR =⇒ B ∈ VR).

• If C 6= ∅:We have ∆, Γ `b (out a.P )oC : (B, ∅, ∅,U), try to prove ∆, Γ `b (P )oC :(B′, ∅, ∅,U) where B = B′ ∪ {out A} when out a /∈ C, B = B′ whenout a ∈ C. Using (Block), we get

∆, Γ `b out a.P : (B1,A1, T1,U)

∆, Γ `b (out a.P )oC : (B, ∅, ∅,U)(B.14)

where B = B1 − type(C), ∀R ∈ A1(∆(R) = (VR, κR, MR) =⇒ MR ⊆type(C)), ∀auth(D, K) ∈ T1(∆(D) = (VD, κD, MD) =⇒ MD ⊆ type(C)).From (B.14),using (Out), we get

∆, Γ `b P : (B′1,A1, T1,U)

∆, Γ `b out a.P : (B1,A1, T1,U)(B.15)

where B1 = B′1 ∪ {out A}, Γ(a) = A, ∆(A) = (VA, κA, MA), Γ(b) = B,

∆(B) = (VB, κB, MB), VB ⊆ VA, B ∈ VA, ∀r ∈ Dom(Γ)(Γ(r) =R ∧∆(R) = (VR, κR, MR) ∧ A ∈ VR =⇒ B ∈ VR).

So that, we have the following:From (B.15), according to (B.14), using (Block), we get

∆, Γ `b P : (B′1,A1, T1,U)

∆, Γ `b (P )oC : (B′, ∅, ∅,U)(B.16)

where B′ = B′1 − type(C)

100

We have known B = B1 − type(C) and B1 = B′1 ∪ {out A}. From

these, we can get B = B′1 ∪ {out A} − type(C). If out a ∈ C, then

out A ∈ type(C), then B = (B′1 − type(C)) ∪ ({out A} − type(C)) =

B′1 − type(C) = B′; If out a /∈ C, then out A /∈ type(C), then B =

(B′1 − type(C)) ∪ {out A} = B′ ∪ {out A}


Suppose this proposition is hold in C C′(| |), we must prove this proposition is

hold in C C(| |).

• If C ′′ = ∅:We have ∆, Γ `b C C′

(| out a.P |)|P0 : (B,A, T ,U), we must prove ∆, Γ `b

C C′(| P |)|P0 : (B′,A, T ,U), where B = B′ ∪ {out A} when out a /∈ C,

B = B′ when out a ∈ C.Using (Par), we get

∆, Γ `b C C′(| out a.P |) : (B1,A1, T1,U1) ∆, Γ `b P0 : (B2,A2, T2,U2)

∆, Γ `b C C′(| out a.P |)|P0 : (B,A, T ,U)(B.17)

where B = B1 ∪ B2, A = A1 ∪ A2, T = T1 ∪ T2, U = U1 ∪ U2.According to the supposition, from (B.17), we can have ∆, Γ `b C C′

(| P |) :(B′

1,A1, T1,U1) where B1 = B′1 ∪ {out A} when out a /∈ C ′, or B1 = B′

1

when out a ∈ C ′.So that, we have the following:From (B.17), using (Par), we get

∆, Γ `b C C′(| P |) : (B′

1,A1, T1,U1) ∆, Γ `b P0 : (B2,A2, T2,U2)

∆, Γ `b C C′(| P |)|P0 : (B′1 ∪ B2,A, T ,U)

(B.18)Because B′

1 ∪ B2 ⊆ B,using (Sub), we have (B′1 ∪ B2,A, T ,U) ≤

(B,A, T ,U).Using (SubSumption), we have

∆, Γ `b C C′(| P |)|P0 : (B′

1 ∪ B2,A, T ,U) (B′1 ∪ B2,A, T ,U) ≤ (B,A, T ,U)

∆, Γ `b C C′(| P |)|P0 : (B,A, T ,U)(B.19)

• If C ′′ 6= ∅:We have ∆, Γ `b (C C′

(| out a.P |)|P0)oC′′ : (B, ∅, ∅,U), we must prove∆, Γ `b (C C′

(| P |)|P0)oC′′ : (B, ∅, ∅,U). Using (Block), we get

∆, Γ `b C C′(| out a.P |)|P0 : (Bt,At, Tt,U)

∆, Γ `b (C C′(| out a.P |)|P0)oC′′ : (B, ∅, ∅,U)(B.20)

101

where B = Bt − type(C ′′), ∀A ∈ At(∆(A) = (VA, κA, MA) =⇒ MA ⊆type(C ′′)), ∀auth(D, K) ∈ Tt(∆(D) = (VD, κD, MD) =⇒ MD ⊆type(C ′′)).From (B.20), using (Par), we get

∆, Γ `b C C′(| out a.P |) : (B1,A1, T1,U1) ∆, Γ `b P0 : (B2,A2, T2,U2)

∆, Γ `b C C′(| out a.P |)|P0 : (Bt,At, Tt,U)(B.21)

where Bt = B1 ∪ B2, At = A1 ∪ A2, Tt = T1 ∪ T2, U = U1 ∪ U2.According to the supposition, from (B.21), we get ∆, Γ `b C C′

(| P |) :(B′

1,A1, T1,U1) where B1 = B′1 ∪ {out A} when out a /∈ C ′, B1 = B′

1

when out a ∈ C ′.So that, we have the following:From (B.21), using (Par), we get

∆, Γ `b C C′(| P |) : (B′

1,A1, T1,U1) ∆, Γ `b P0 : (B2,A2, T2,U2)

∆, Γ `b C C′(| P |)|P0 : (B′1 ∪ B2,At, Tt,U)

(B.22)From (B.20), using (Block), we get

∆, Γ `b C C′(| P |)|P0 : (B′

1 ∪ B2,At, Tt,U)

∆, Γ `b (C C′(| P |)|P0)oC′′ : (B′1 ∪ B2 − type(C ′′), ∅, ∅,U)

(B.23)

Because B′1 ⊆ B1, B′

1 ∪ B2 ⊆ Bt. So that B′1 ∪ B2 − type(C ′′) ⊆ B.

Using (Sub), we have (B′1 ∪ B2 − type(C ′′), ∅, ∅,U) ≤ (B, ∅, ∅,U)

Using (SubSumption), we get

∆, Γ `b (C C′(| P |)|P0)oC′′ : (B′

1 ∪ B2 − type(C ′′), ∅, ∅,U)(B′

1 ∪ B2 − type(C ′′), ∅, ∅,U) ≤ (B, ∅, ∅,U)

∆, Γ `b (C C′(| P |)|P0)oC′′ : (B, ∅, ∅,U)(B.24)

2

Proposition 4 If ∆, Γ `b C C(| a[P ]s|Q|) : (B,A, T ,U) and ∆, Γ `b a[P ]s :(∅,A′, ∅,U ′), then ∆, Γ `b C C(| Q|) : (B,A′′, T ,U ′′) when C = ∅, ∆, Γ `b

C C(| Q|) : (B,A, T ,U ′′) when C 6= ∅, where A = A′ ∪ A′′, and U = U ′ ∪ U ′′.

Proof:

• When C = ∅:It can be supposed that C ∅(| a[P ]s|Q|) = a[P ]s|Q|Pt, C ∅(|Q|) = Q|Pt.

We have ∆, Γ `b a[P ]s|Q|Pt : (B,A, T ,U) and ∆, Γ `b a[P ]s : (∅,A′, ∅,U ′),try to prove ∆, Γ `b Q|Pt : (B,A′′, T ,U ′′), where A = A′ ∪ A′′, and

102

U = U ′ ∪ U ′′.

Using (Par), we have

∆, Γ `b a[P ]s : (∅,A′, ∅,U ′) ∆, Γ `b Q|Pt : (B,A′′, T ,U ′′)

∆, Γ `b a[P ]s|Q|Pt : (B,A, T ,U)(B.25)

where A = A′ ∪ A′′, and U = U ′ ∪ U ′′.

• When C 6= ∅:By induction on the structure of C C(| |).

(1) In the case of C C(| |) = (| |)oC :We have ∆, Γ `b (a[P ]s|Q)oC : (B, ∅, ∅,U) and ∆, Γ `b a[P ]s : (∅,A′, ∅,U ′),try to prove ∆, Γ `b (Q)oC : (B, ∅, ∅,U ′′) where U = U ′ ∪ U ′′.

Using (Block), we have

∆, Γ `b a[P ]s|Q : (Bt,At, Tt,U)

∆, Γ `b (a[P ]s|Q)oC : (B, ∅, ∅,U)(B.26)

where B = Bt − type(C), ∀A ∈ At(∆(A) = (VA, κA, MA) =⇒ MA ⊆type(C)), ∀auth(D, K) ∈ Tt(∆(D) = (VD, κD, MD) =⇒ MD ⊆type(C)).

From (B.26), using (Par), we have

∆, Γ `b a[P ]s : (∅,A′, ∅,U ′) ∆, Γ `b Q : (Bt,A1, Tt,U ′′)

∆, Γ `b a[P ]s|Q : (Bt,At, Tt,U)(B.27)

where At = A1 ∪ A′, U = U ′′ ∪ U ′.

So that we have the following:From (B.27), using (Block), we get

∆, Γ `b Q : (Bt,A1, Tt,U ′′)

∆, Γ `b (Q) o: (B, ∅, ∅,U ′′)(B.28)

since A1 ⊆ At.


Suppose this proposition is held on C C′(| |), we must prove it is held

on C C(| |).

103

– if C ′′ = ∅:We have ∆, Γ `b C C′

(| a[P ]s|Q|)|P0 : (B,A, T ,U) and ∆, Γ `b

a[P ]s : (∅,A′, ∅,U ′), try to prove ∆, Γ `b C C′(|Q|)|P0 : (B,A, T ,U).


∆, Γ `b C C′(| a[P ]s|Q|) : (B1,A1, T1,U1) ∆, Γ `b P0 : (B2,A2, T2,U2)

∆, Γ `b C C′(| a[P ]s|Q|)|P0 : (B,A, T ,U)(B.29)

where B = B1 ∪ B2, A = A1 ∪ A2, T = T1 ∪ T2, U = U1 ∪ U2.

We know C ′ 6= ∅. From (B.29), according to the supposition, weget ∆, Γ `b C C′

(|Q|) : (B1,A1, T1,U ′1) where U1 = U ′

1 ∪ U ′.

So that we have the following:Using (Par), we get

∆, Γ `b C C′(|Q|) : (B1,A1, T1,U ′

1) ∆, Γ `b P0 : (B2,A2, T2,U2)

∆, Γ `b C C′(|Q|)|P0 : (B,A, T ,U ′1 ∪ U2)

(B.30)Because U ′

1 ∪ U2 ⊆ U , (B,A, T ,U ′1 ∪ U2) ≤ (B,A, T , U). Using

(SubSumption), we get

∆, Γ `b C C′(|Q|)|P0 : (B,A, T ,U ′

1 ∪ U2)(B,A, T ,U ′

1 ∪ U2) ≤ (B,A, T , U)

∆, Γ `b C C′(|Q|)|P0 : (B,A, T ,U)(B.31)

– if C ′′ 6= ∅:We have ∆, Γ `b (C C′

(| a[P ]s|Q|)|P0)oC′′ : (B, ∅, ∅,U) and ∆, Γ `b

a[P ]s : (∅,A′, ∅,U ′), try to prove ∆, Γ `b (C C′(| Q|)|P0)oC′′ :

(B, ∅, ∅,U).


∆, Γ `b C C′(| a[P ]s|Q|)|P0 : (Bt,At, Tt,U)

∆, Γ `b (C C′(| a[P ]s|Q|)|P0)oC′′ : (B, ∅, ∅,U)(B.32)

where B = Bt − type(C ′′), ∀A ∈ At(∆(A) = (VA, κA, MA) =⇒MA ⊆ type(C ′′)), ∀auth(D, K) ∈ Tt(∆(D) = (VD, κD, MD) =⇒MD ⊆ type(C ′′)).


∆, Γ `b C C′(| a[P ]s|Q|) : (B1,A1, T1,U1) ∆, Γ `b P0 : (B2,A2, T2,U2)

∆, Γ `b C C′(| a[P ]s|Q|)|P0 : (Bt,At, Tt,U)(B.33)

104

where Bt = B1 ∪ B2, At = A1 ∪ A2, Tt = T1 ∪ T2, U = U1 ∪ U2.

From (B.33), according to the supposition, we get ∆, Γ `b C C′(|Q|) :

(B1,A′1, T1,U ′

1) where U1 = U ′1 ∪ U ′, A′

1 = A1 when C ′ 6= ∅,A1 = A′

1 ∪ A′ when C ′ = ∅.


∆, Γ `b C C′(|Q|) : (B1,A′

1, T1,U ′1) ∆, Γ `b P0 : (B2,A2, T2,U2)

∆, Γ `b C C′(|Q|)|P0 : (Bt,A′1 ∪ A2, Tt,U ′

1 ∪ U2)(B.34)

We know A′1 ∪ A2 ⊆ At and U ′

1 ∪ U2 ⊆ U . From (B.34) and(B.32), using (Block), we get

∆, Γ `b C C′(|Q|)|P0 : (Bt,A′

1 ∪ A2, Tt,U ′1 ∪ U2)

∆, Γ `b (C C′(|Q|)|P0)oC′′ : (B, ∅, ∅,U ′1 ∪ U2)

(B.35)

Because U ′1 ∪ U2 ⊆ U , according to (Sub) we have (B, ∅, ∅,U ′

1 ∪U2) ≤ (B, ∅, ∅,U). Using (SubSumption), we have

∆, Γ `b (C C′(|Q|)|P0)oC′′ : (B, ∅, ∅,U ′

1 ∪ U2)(B, ∅, ∅,U ′

1 ∪ U2) ≤ (B, ∅, ∅,U)

∆, Γ `b (C C′(|Q|)|P0)oC′′ : (B, ∅, ∅,U)(B.36)

2

Proposition 5 If ∆, Γ `n C C(| b[R]|) : (B,A, T ,U), ∆, Γ `b a[Q]s : (∅,A′, ∅,U ′),U ′ ⊆ VB and MA ⊆ MB, then ∆, Γ `n C C(| b[R|a[Q]s]|) : (B,A ∪ A′, T ,U ∪ U ′)when C = ∅, ∆, Γ `n C C(| b[R|a[Q]s]|) : (B,A, T ,U ∪ U ′) when C 6= ∅, whereΓ(a) = A, ∆(A) = (VA, κA, MA), Γ(b) = B, ∆(B) = (VB, κB, MB).

Proof:

• When C = ∅:It can be supposed that C ∅(| b[R]|) = b[R]|Pt, C ∅(| b[R|a[Q]s]|) = b[R|a[Q]s]|Pt.We have ∆, Γ `n b[R]|Pt : (B,A, T ,U), ∆, Γ `b a[Q]s : (∅,A′, ∅,U ′),U ′ ⊆ VB

and MA ⊆ MB, try to prove ∆, Γ `n b[R|a[Q]s]|Pt : (B,A ∪ A′, T ,U ∪ U ′),∀A ∈ A′

1(∆(A) = (VA, κA, MA) =⇒ MA ⊂ MB).Using (Par), we have

∆, Γ `n b[R] : (∅,A1, ∅,U1) ∆, Γ `n Pt : (B,A2, T ,U2)

∆, Γ `n b[R]|Pt : (B,A, T ,U)(B.37)

where A = A1 ∪ A2, U = U1 ∪ U2.

105

From (B.37), using (Amb), we have

∆, Γ `b R : (B′1,A′

1, T ′1,U ′

1)

∆, Γ `n b[R] : (∅,A1, ∅,U1)(B.38)

where Γ(b) = B, ∆(B) = (VB, κB, MB), B′1 ⊆ κB, ∀auth(D, K) ∈ T ′

1(∆(D) =(VD, κD, MD) =⇒ MD = ∅), U1 = U ′

1 ∪ {B}, U ′1 ⊆ VB, A1 = A′

1 ∪ {B}.

So that, we have the following:Using (Par), we get

∆, Γ `b R : (B′1,A′

1, T ′1,U ′

1) ∆, Γ `b a[Q]s : (∅,A′, ∅,U ′)

∆, Γ `b R|a[Q]s : (B′1,A′

1 ∪ A′, T ′1,U ′

1 ∪ U ′)(B.39)

From (B.39), according to (B.38), we have know U ′ ⊆ VB, using (Amb),we get

∆, Γ `b R|a[Q]s : (B′1,A′

1 ∪ A′, T ′1,U ′

1 ∪ U ′)

∆, Γ `n b[R|a[Q]s] : (∅,A1 ∪ A′, ∅,U1 ∪ U ′)(B.40)

From (B.40) and (B.37), using (Par), we get

∆, Γ `n b[R|a[Q]s] : (∅,A1 ∪ A′, ∅,U1 ∪ U ′) ∆, Γ `n Pt : (B,A2, T ,U2)

∆, Γ `n b[R|a[Q]s]|Pt : (B,A ∪A′, T ,U ∪ U ′)(B.41)


(1) In the case of C C(| |) = (| |)oC :We have ∆, Γ `n (b[R])oC : (∅, ∅, ∅,U), ∆, Γ `b a[Q]s : (∅,A′, ∅,U ′),U ′ ⊆ VB and MA ⊆ MB, try to prove ∆, Γ `n (b[R|a[Q]s])oC :(∅, ∅, ∅,U ∪ U ′).


∆, Γ `n b[R] : (∅,A1, ∅,U)

∆, Γ `n (b[R])oC : (∅, ∅, ∅,U)(B.42)

where ∀A ∈ A1(∆(A) = (VA, κA, MA) =⇒ MA ⊆ type(C)).

From (B.42), using (Amb), we have

∆, Γ `b R : (B′1,A′

1, T1,U ′1)

∆, Γ `n b[R] : (∅,A1, ∅,U)(B.43)

106

where Γ(b) = B, ∆(B) = (VB, κB, MB), B′1 ⊆ κB, ∀auth(D, K) ∈

T1(∆(D) = (VD, κD, MD) =⇒ MD = ∅), ∀A ∈ A′1(∆(A) = (VA, κA, MA) =⇒

MA ⊆ MB), A1 = A′1 ∪ {B}, U = U ′

1 ∪ {B}, U ′1 ⊆ VB.

So that we have the following:

From (B.43), using (Par), we get

∆, Γ `b R : (B′1,A′

1, T1,U ′1) ∆, Γ `b a[Q]s : (∅,A′, ∅,U ′)

∆, Γ `b R|a[Q]s : (B′1,A′

1 ∪ A′, T1,U ′1 ∪ U ′)

(B.44)

From (B.44) and (B.43), using (Amb), we get

∆, Γ `b R|a[Q]s : (B′1,A′

1 ∪ A′, T1,U ′1 ∪ U ′)

∆, Γ `n b[R|a[Q]s] : (∅,A1 ∪ A′, ∅,U ∪ U ′)(B.45)

Because B ∈ A1, MB ⊆ type(C). And because we have MA ⊆ MB,MA ⊆ type(C). And according to (Sign Amb), ∀G ∈ A′(∆G =(VG, κG, MG) =⇒ MG ⊆ MA), so that ∀G ∈ A′(∆G = (VG, κG, MG) =⇒MG ⊆ type(C)). From (B.45), using (Block), we get

∆, Γ `n b[R|a[Q]s] : (∅,A1 ∪ A′, ∅,U ∪ U ′)

∆, Γ `n (b[R|a[Q]s])oC : (∅, ∅, ∅,U ∪ U ′)(B.46)



on C C(| |).

– If C ′′ = ∅:We have ∆, Γ `n C C′

(| b[R]|)|P0 : (B,A, T ,U), ∆, Γ `b a[Q]s :(∅,A′, ∅,U ′), U ′ ⊆ VB and MA ⊆ MB, try to prove ∆, Γ `n

C b(|R|a[Q]s|)|P0 : (B,A, T ,U ∪ U ′).


∆, Γ `n C C′(| b[R]|) : (B1,A1, T1,U1) ∆, Γ `n P0 : (B2,A2, T2,U2)

∆, Γ `n C C′(| b[R]|)|P0 : (B,A, T ,U)(B.47)


We know C ′ 6= ∅. From (B.47), according to this supposition, weget ∆, Γ `n C C′

(| b[R|a[Q]s]|) : (B1,A1, T1,U1 ∪ U ′).

107

Using (Par), we can get

∆, Γ `n C C′(| b[R|a[Q]s]|) : (B1,A1, T1,U1 ∪ U ′) ∆, Γ `n P0 : (B2,A2, T2,U2)

∆, Γ `n C C′(| b[R|a[Q]s]|)|P0 : (B,A, T ,U ∪ U ′)(B.48)

– If C ′′ 6= ∅:We have ∆, Γ `n (C C′

(| b[R]|)|P0)oC′′ : (B, ∅, ∅,U), ∆, Γ `b a[Q]s :(∅,A′, ∅,U ′), U ′ ⊆ VB and MA ⊆ MB,, try to prove ∆, Γ `n

(C C′(| b[R|a[Q]s]|)|P0)oC′′ : (B, ∅, ∅,U ∪ U ′).


∆, Γ `n C C′(| b[R]|)|P0 : (Bt,At, Tt,U)

∆, Γ `n (C C′(| b[R]|)|P0)oC′′ : (B, ∅, ∅,U)(B.49)



∆, Γ `n C C′(| b[R]|) : (B1,A1, T1,U1) ∆, Γ `n P0 : (B2,A2, T2,U2)

∆, Γ `n C C′(| b[R]|)|P0 : (Bt,At, Tt,U)(B.50)

where Bt = B1 ∪B2, At = A1 ∪A2, Tt = T1 ∪ T2 and U = U1 ∪U2.

From (B.50), according to this supposition, we can get ∆, Γ `n

C C′(| b[R|a[Q]s]|) : (B1,A′

1, T1,U1 ∪ U ′), where A′1 = A1 when

C ′ 6= ∅, A′1 = A1 ∪ A′ when C ′ = ∅.


∆, Γ `n C C′(| b[R|a[Q]s]|) : (B1,A′

1, T1,U1 ∪ U ′) ∆, Γ `n P0 : (B2,A2, T2,U2)

∆, Γ `n C C′(| b[R|a[Q]s]|)|P0 : (Bt,A′1 ∪ A2, Tt,U ∪ U ′)

(B.51)whereA′

1∪A2 = At when C ′ 6= ∅, A′1∪A2 = At∪A′ when C ′ = ∅.

We have MA ⊆ MB, and B ∈ At when C ′ = ∅, so that we have∀G ∈ A′(∆(G) = (VG, κG, MG) =⇒ MG ⊆ type(C ′′)). Using(Block), we can get

∆, Γ `n C C′(| b[R|a[Q]s]|)|P0 : (Bt,A′

1 ∪ A2, Tt,U ∪ U ′)

∆, Γ `n (C C′(| b[R|a[Q]s]|)|P0)oC′′ : (B, ∅, ∅,U ∪ U ′)(B.52)

108

2

Proposition 6 If ∆, Γ `b C C(| auth(a, k).P |) : (B,A, T ,U), then ∆, Γ `b C C(| P |) :(B′,A, T ′,U) when C = ∅, ∆, Γ `b C C(| P |) : (B′,A, T ,U) when C 6= ∅,where Γ(a) = A, ∆(A) = (VA, κA, MA), Γ(k) = K, B = B′ ∪ {auth(A, K)},T = T ′ ∪ {auth(A, K)}.

Proof:

• When C = ∅:It can supposed that C ∅(| auth(a, k).P |) = auth(a, k).P |Pt, C ∅(| P |) = P |Pt.

We have ∆, Γ `b auth(a, k).P |Pt : (B,A, T ,U), try to prove ∆, Γ `b P |Pt :(B′,A, T ′,U), where B = B′ ∪ {auth(A, K)}, T = T ′ ∪ {auth(A, K)}.


∆, Γ `b auth(a, k).P : (B1,A1, T1,U1) ∆, Γ `b Pt : (B2,A2, T2,U2)

∆, Γ `b auth(a, k).P |Pt : (B,A, T ,U)(B.53)


From (B.53), using (Auth), we have

∆, Γ `b P : (B′1,A1, T ′

1,U1)

∆, Γ `b auth(a, k).P : (B1,A1, T1,U1)(B.54)

where B1 = B′1 ∪ {auth(A, K)} and T1 = T ′

1 ∪ {auth(A, K)}, Γ(a) = A,∆(A) = (VA, κA, MA), Γ(b) = B, ∆(B) = (VB, κB, MB), Γ(k) = K,∆(K) = (Ak, Sk), A ∈ Ak, VA ⊆ VB, A ∈ VB.

So that , we have the following:Using (Par), we get

∆, Γ `b P : (B′1,A1, T ′

1,U1) ∆, Γ `b Pt : (B2,A2, T2,U2)

∆, Γ `b P |Pt : (B′,A, T ′,U)(B.55)

where B′ = B′1 ∪ B2, T ′ = T ′

1 ∪ T2. From (B.54), we can get B =B′ ∪ {auth(A, K)}, T = T ′ ∪ {auth(A, K)}.


109

(1) In the case of C C(| |) = (| |)oC :We have ∆, Γ `b (auth(a, k).P )oC : (B, ∅, ∅,U), try to prove ∆, Γ `b

(P )oC : (B′, ∅, ∅,U) where B = B′ ∪ {auth(D, K)}.


∆, Γ `b auth(a, k).P : (Bt,At, Tt,U)

∆, Γ `b (auth(a, k).P )oC : (B, ∅, ∅,U)(B.56)

where B = Bt − type(C), ∀A ∈ At(∆(A) = (VA, κA, MA) =⇒ MA ⊆type(C)), ∀auth(D, K) ∈ TA(∆(D) = (VD, κD, MD) =⇒ MD ⊆type(C)).

From (B.56), using (Auth), we have

∆, Γ `b P : (B′t,At, T ′

t,U)

∆, Γ `b auth(a, k).P : (Bt,At, Tt,U)(B.57)

where Bt = B′t ∪ {auth(A, K)}, Tt = T ′

t ∪ {auth(A, K)}, Γ(a) = A,∆(A) = (VA, κA, MA), Γ(b) = B, ∆(B) = (VB, κB, MB), Γ(k) = K,∆(K) = (Ak, Sk), A ∈ Ak, VA ⊆ VB, A ∈ VB.

So that , we have the following:Using (Block), we get

∆, Γ `b P : (B′t,At, T ′

t,U)

∆, Γ `b (P )oC : (B′, ∅, ∅,U)(B.58)

where B′ = B′t − type(C). Since Bt = B′

t ∪ {auth(A, K)}, B =Bt − type(C) = B′ ∪ {auth(A, K)}.



on C C(| |).

– If C ′′ = ∅:We have ∆, Γ `b C C′

(| auth(a, k).P |)|P0 : (B,A, T ,U), try to prove∆, Γ `b C C′

(| P |)|P0 : (B′,A, T ,U) where B = B′ ∪ {auth(A, K)}.


∆, Γ `b C C′(| auth(a, k).P |) : (B1,A1, T1,U1) ∆, Γ `b P0 : (B2,A2, T2,U2)

∆, Γ `b C C′(| auth(a, k).P |)|P0 : (B,A, T ,U)(B.59)

110


From (B.59), according to this supposition, we can get ∆, Γ `b

C C′(| P |) : (B′

1,A1, T1,U1) where B1 = B′1 ∪ {auth(A, K)}, since

C ′ 6= ∅.So that we have the following:Using (Par), we get

∆, Γ `b C C′(| P |) : (B′

1,A1, T1,U1) ∆, Γ `b P0 : (B2,A2, T2,U2)

∆, Γ `b C C′(| P |)|P0 : (B′,A, T ,U)(B.60)

where B′ = B′1 ∪ B2. Since B1 = B′

1 ∪ {auth(A, K)}, B =B′ ∪ {auth(A, K)}.

– If C ′′ 6= ∅:We have ∆, Γ `b (C C′

(| auth(a, k).P |)|P0)oC′′ : (B, ∅, ∅,U), tryto prove ∆, Γ `b (C C′

(| P |)|P0)oC′′ : (B′, ∅, ∅,U) where B =B′ ∪ {auth(A, K)}.


∆, Γ `b C C′(| auth(a, k).P |)|P0 : (Bt,At, Tt,U)

∆, Γ `b C C′(| auth(a, k).P |)|P0)oC′′ : (B, ∅, ∅,U)(B.61)

where B = Bt − type(C), ∀A ∈ At(∆(A) = (VA, κA, MA) =⇒MA ⊆ type(C ′′)), ∀auth(D, K) ∈ Tt(∆(D) = (VD, κD, MD) =⇒MD ⊆ type(C ′′)).


∆, Γ `b C C′(| auth(a, k).P |) : (B1,A1, T1,U1) ∆, Γ `b P0 : (B2,A2, T2,U2)

∆, Γ `b C C′(| auth(a, k).P |)|P0 : (Bt,At, Tt,U)(B.62)



C C′(| P |) : (B′

1,A1, T ′1,U1) where B1 = B′

1 ∪ {auth(D, K)},T ′

1 = T1 when C ′ 6= ∅, T1 = T ′1 ∪ {auth(A, K)} when C ′ = ∅.


∆, Γ `b C C′(| P |) : (B′

1,A1, T ′1,U1) ∆, Γ `b P0 : (B2,A2, T2,U2)

∆, Γ `b C C′(| P |)|P0 : (B′t,At, T ′

1 ∪ T2,U)(B.63)

111

where Bt = B′t ∪ {auth(D, K)}.

From (B.64), using (Block), we get

∆, Γ `b C C′(| P |)|P0 : (B′

t,At, T ′1 ∪ T2,U)

∆, Γ `b (C C′(| P |)|P0)oC′′ : (B′, ∅, ∅,U)(B.64)

where B′ = B′t − type(C ′′). Since Bt = B′

t ∪ {auth(D, K)} andB = Bt − type(C ′′), B = B′ ∪ {auth(D, K)}.

2

Proposition 7 If ∆, Γ `b C C(| Q|) : (B,A, T ,U), ∆, Γ `b a[P ]s : (∅,A′, ∅,U ′)and MA ⊆ InnerMostBlk(C C(| |)), then ∆, Γ `b C C(|Q|a[P ]s|) : (B,A, T ,U∪U ′)when C 6= ∅, ∆, Γ `b C C(| Q|a[P ]s|) : (B,A ∪ A′, T ,U ∪ U ′) when C = ∅, whereΓ(a) = A and ∆(A) = (VA, κA, MA).

Proof:

• When C = ∅:It can be supposed that C ∅(| Q|) = Q|Pt and C ∅(| Q|a[P ]s|) = Q|a[P ]s|Pt.And InnerMostBlk(C ∅(| |)) = ∅, so that MA = ∅.

We have ∆, Γ `b Q|Pt : (B,A, T ,U), ∆, Γ `b a[P ]s : (∅,A′, ∅,U ′) andMA ⊆ InnerMostBlk(C C(| |)), try to prove ∆, Γ `b Q|a[P ]s|Pt : (B,A ∪A′, T ,U ∪ U ′).


∆, Γ `b Q : (B1,A1, T1,U1) ∆, Γ `b Pt : (B2,A2, T2,U2)

∆, Γ `b Q|Pt : (B,A, T ,U)(B.65)


So that , we have the following:Using (Par), we get

∆, Γ `b Q : (B1,A1, T1,U1) ∆, Γ `b a[P ]s : (∅,A′, ∅,U ′)

∆, Γ `b Q|a[P ]s : (B1,A1 ∪ A′, T1,U1 ∪ U ′)(B.66)


∆, Γ `b Q|a[P ]s : (B1,A1 ∪ A′, T1,U1 ∪ U ′) ∆, Γ `b Pt : (B2,A2, T2,U2)

∆, Γ `b Q|a[P ]s|Pt : (B,A ∪A′, T ,U ∪ U ′)(B.67)

112


(1) In the case of C C(| |) = (| |)oCWe have ∆, Γ `b (Q)oC : (B, ∅, ∅,U), ∆, Γ `b a[P ]s : (∅,A′, ∅,U ′).InnerMostBlk((| |)oC) = type(C), so that MA ⊆ type(C). Try toprove ∆, Γ `b (Q|a[P ]s)oC : (B, ∅, ∅,U ∪ U ′).


∆, Γ `b Q : (Bt,At, Tt,U)

∆, Γ `b (Q)oC : (B, ∅, ∅,U)(B.68)

where B = Bt − type(C), ∀A ∈ At(∆(A) = (VA, κA, MA) =⇒ MA ⊆type(C)), ∀auth(D, K) ∈ Tt(∆(D) = (VD, κD, MD) =⇒ MD ⊆type(C)).


∆, Γ `b Q : (Bt,At, Tt,U) ∆, Γ `b a[P ]s : (∅,A′, ∅,U ′)

∆, Γ `b Q|a[P ]s : (Bt,At ∪ A′, Tt,U ∪ U ′)(B.69)

From (B.69), using (Block), we can get

∆, Γ `b Q|a[P ]s : (Bt,At ∪ A′, Tt,U ∪ U ′)

∆, Γ `b (Q|a[P ]s)oC : (B, ∅, ∅,U ∪ U ′)(B.70)

since MA ⊆ type(C), and those ambients of group sets A′ − {A} arewithin ambient a, so that ∀G ∈ (A′−{A})(∆(G) = (VG, κG, MG) =⇒MG ⊆ MA), hence ∀G ∈ A′(∆(G) = (VG, κG, MG) =⇒ MG ⊆type(C)).



on C C(| |).

– If C ′′ = ∅:We have ∆, Γ `b C C′

(| Q|)|P0 : (B,A, T ,U), ∆, Γ `b a[P ]s :(∅,A′, ∅,U ′) and MA ⊆ InnerMostBlk(C C(| |)), try to prove∆, Γ `b C C′

(|Q|a[P ]s|)|P0 : (B,A, T ,U ∪ U ′).


∆, Γ `b C C′(|Q|) : (B1,A1, T1,U1) ∆, Γ `b P0 : (B2,A2, T2,U2)

∆, Γ `b C C′(|Q|)|P0 : (B,A, T ,U)(B.71)

113

where B = B1 ∪ B2, A = A1 ∪ A2, T = T1 ∪ T2, U = U1 ∪ U2.From (B.71), according to the supposition, we can get ∆, Γ `b

C C′(|Q|a[P ]s|) : (B1,A1, T1,U1 ∪ U ′), since C ′ 6= ∅.

So that we have the following:Using (Par), we have

∆, Γ `b C C′(|Q|a[P ]s|) : (B1,A1, T1,U1 ∪ U ′) ∆, Γ `b P0 : (B2,A2, T2,U2)

∆, Γ `b C C′(|Q|a[P ]s|)|P0 : (B,A, T ,U ∪ U ′)(B.72)

– If C ′′ 6= ∅:We have ∆, Γ `b (C C′

(| Q|)|P0)oC′′ : (B, ∅, ∅,U), ∆, Γ `b a[P ]s :(∅,A′, ∅,U ′) and MA ⊆ InnerMostBlk(C C(| |)), try to prove∆, Γ `b (C C′

(|Q|a[P ]s|)|P0)oC′′ : (B, ∅, ∅,U).


∆, Γ `b C C′(|Q|)|P0 : (Bt,At, Tt,U)

∆, Γ `b (C C′(|Q|)|P0)oC′′ : (B, ∅, ∅,U)(B.73)



∆, Γ `b C C′(|Q|) : (B1,A1, T1,U1) ∆, Γ `b P0 : (B2,A2, T2,U2)

∆, Γ `b C C′(|Q|)|P0 : (Bt,At, Tt,U)(B.74)



C C′(| Q|a[P ]s|) : (B1,A′

1, T1,U1 ∪ U ′) where A′1 = A1 ∪ A′ when

C ′ = ∅, A′1 = A1 when C ′ 6= ∅.

So that, we have the following:Using (Par), we can get

∆, Γ `b C C′(|Q|a[P ]s|) : (B1,A′

1, T1,U1 ∪ U ′) ∆, Γ `b P0 : (B2,A2, T2,U2)

∆, Γ `b C C′(|Q|a[P ]s|)|P0 : (Bt,A′1 ∪ A2, Tt,U ∪ U ′)

(B.75)If C ′ = ∅, InnerMostBlk(C C(| |)) = type(C ′′). So that MA ⊆type(C ′′). Because all ambients ofA′−{A} are in ambient a, ∀G ∈(A′ − {A})(∆(G) = (VG, κG, MG) =⇒ MG ⊆ MA). Therefore∀G ∈ A′(∆(G) = (VG, κG, MG) =⇒ MG ⊆ type(C ′′)). If C ′ =

114

∅, ∆, Γ `b C C′(| Q|a[P ]s|)|P0 : (Bt,At ∪ A′, Tt,U ∪ U ′). Using

(Block), we get

∆, Γ `b C C′(|Q|a[P ]s|)|P0 : (Bt,At ∪ A′, Tt,U ∪ U ′)

∆, Γ `b (C C′(|Q|a[P ]s|)|P0)oC′′ : (B, ∅, ∅,U)(B.76)

If C ′ 6= ∅, ∆, Γ `b C C′(| Q|a[P ]s|)|P0 : (Bt,At, Tt,U ∪ U ′). Using

(Block), we get

∆, Γ `b C C′(|Q|a[P ]s|)|P0 : (Bt,At, Tt,U ∪ U ′)

∆, Γ `b (C C′(|Q|a[P ]s|)|P0)oC′′ : (B, ∅, ∅,U)(B.77)

2

Lemma 1 If ∆, Γ `a P : (B,A, T ,U), then ∆, Γ `b P : (B,A, T ,U).

Lemma 2 If ∆, Γ `r a[P ]k : (∅,A, ∅,U), then ∆, Γ `r a[P ] : (∅,A, ∅,U).

Lemma 3 If ∆, Γ `r a[P ] : (∅,A, ∅,U), then ∆, Γ `r a[P ]k : (∅,A, ∅,U).

Theorem 1 (Subject Reduction) If ∆, Γ `r P : (B,A, T ,U) and P → Q,then ∆, Γ `r Q : (B,A, T ,U).

Proof: By induction on the derivation of P → Q.

(Red In) P = C C(| a[C C′(| in b.P ′|)]s|Q′|)|C C′′

(| b[R′]|), Q = C C(|Q′|)|C C′′(| b[R′|a[C C′

(| P ′|)]s]|),and in b /∈ C ∪C ′. Suppose ∆, Γ `r C C(| a[C C′

(| in b.P ′|)]s|Q′|)|C C′′(| b[R′]|) :

(B,A, T ,U), prove ∆, Γ `r C C(|Q′|)|C C′′(| b[R′|a[C C′

(| P ′|)]s]|) : (B,A, T ,U).


∆, Γ `r C C(| a[C C′(| in b.P ′|)]s|Q′|) : (B1,A1, T1,U1) ∆, Γ `r C C′′

(| b[R′]|) : (B2,A2, T2,U2)

∆, Γ `r C C(| a[C C′(| in b.P ′|)]s|Q′|)|C C′′(| b[R′]|) : (B,A, T ,U)(B.78)


Suppose∆, Γ `r a[C C′

(| in b.P ′|)]s : (∅,A3, ∅,U3) (B.79)

From ∆, Γ `r C C(| a[C C′(| in b.P ′|)]s|Q′|) : (B1,A1, T1,U1) in (B.78), accord-

ing to Proposition 4, we can get

∆, Γ `CC (|Q′|) : (B1,A′

1, T1,U ′1) (B.80)

where U1 = U ′1 ∪ U3, A1 = A′

1 ∪ A3 when C = ∅, A′1 = A1 when C 6= ∅.

115

From (B.79), using (Sign Amb) or (Amb), we have

∆, Γ à C C′(| in b.P ′|) : (B′

3,A′3, T ′

3,U ′3)

∆, Γ `r a[C C′(| in b.P ′|)]s : (∅,A3, ∅,U3)(B.81)

where Γ(a) = A, ∆(A) = (VA, κA, MA), B′3 ⊆ κA, ∀auth(D, K) ∈ T ′

3(∆(D) =(VD, κD, MD) =⇒ MD = ∅), ∀G ∈ A′

3(∆(G) = (VG, κG, MG) =⇒ MG ⊆MA), U ′

3 ⊆ VA, A3 = A′3 ∪ {A}, U3 = U ′

3 ∪ {A}.

From ∆, Γ à C C′(| in b.P ′|) : (B′

3,A′3, T ′

3,U ′3) in (B.81), we have known

in b /∈ C ′, according to Proposition 2, we can get

∆, Γ à C C′(| P ′|) : (B′′

3,A′3, T ′

3,U ′3) (B.82)

where B′3 = B′′

3 ∪ {in B}, Γ(b) = B, ∆(B) = (VB, κB, MB).

From (B.82) and (B.81), using (Sign Amb) or (Amb), we can get

∆, Γ à C C′(| P ′|) : (B′′

3,A′3, T ′

3,U ′3)

∆, Γ `r a[C C′(| P ′|)]s : (∅,A3, ∅,U3)(B.83)

From ∆, Γ `r a[C C′(| P ′|)]s : (∅,A3, ∅,U3) in (B.83), according to Lemma 1,

we get∆, Γ `b a[C C′

(| P ′|)]s : (∅,A3, ∅,U3) (B.84)

From (B.81), because in b /∈ C ′, we can get in B ∈ B′3, and because

B′3 ⊆ κA, so that in B ∈ κA. According to the definition of ∆, Γ ` �, we

can get MA ⊆ MB.

From (B.81), we can see that C C′(| in b.P ′|) is well typed, so that in b.P ′

is also well typed, Suppose ∆, Γ à in b.P : (B′,A′, T ′,U ′). Using (In), wecan have

∆, Γ à P ′ : (B′′,A′, T ′,U ′)

∆, Γ à in b.P ′ : (B′,A′, T ′,U ′)(B.85)

where Γ(a) = A, ∆(A) = (VA, κA, MA), Γ(b) = B, ∆(B) = (VB, κB, MB),VA ⊆ VB, A ∈ VB, B′ = B′′ ∪ {in B}.

From (B.85) and (B.81), we can get U3 ⊆ VB.

From (B.84) and ∆, Γ `r C C′′(| b[R′]|) : (B2,A2, T2,U2) in (B.78), we have

known U3 ⊆ VB and MA ⊆ MB, according to Proposition 5, we can get

∆, Γ `r C C′′(| b[R′|a[C C′

(| P ′|)]s]|) : (B2,A′2, T2,U2 ∪ U3) (B.86)

116

where A′2 = A2 ∪ A3 when C ′′ = ∅, A′

2 = A2 when C ′′ 6= ∅.


∆, Γ `r C C(|Q′|) : (B1,A′1, T1,U ′

1) ∆, Γ `r C C′′(| b[R′|a[C C′

(| P ′|)]s]|) : (B2,A′2, T2,U2 ∪ U3)

∆, Γ `r C C(|Q′|)|C C′′(| b[R′|a[C C′(| P ′|)]s]|) : (U ,A′1 ∪ A′

2, T ,U)(B.87)

Analyze A′1 ∪ A′

2. If C = ∅, then A1 = A′1 ∪ A3; If C 6= ∅, then

A′1 = A1. If C ′′ = ∅, then A′

2 = A2 ∪ A3; if C ′′ 6= ∅, then A2. Sothat there exist 4 cases for calculating A′

1 ∪A′2. When C 6= ∅ and C ′′ = ∅,

A′1 ∪ A′

2 = A ∪A3; in the other three cases, A′1 ∪ A′

2 = A, which satisfy∆, Γ `r C C(|Q′|)|C C′′

(| b[R′|a[C C′(| P ′|)]s]|) : (B,A, T ,U).

Let us prove the case of C 6= ∅ and C ′′ = ∅:Because C C′′

(| b[R′]|) is within the universal ambient, so that we have∆, Γ `@ C C′′

(| b[R′]|) : (B2,A2, T2,U2) from (B.78). According to the def-inition of the well typed process within the universal ambient, we can get∀G ∈ A2(∆(G) = (VG, κG, MG) =⇒ MG = ∅). Because B ∈ A2, MB = ∅.We have MA ⊆ MB, ∀G ∈ A′

3(∆(G) = (VG, κG, MG) =⇒ MG ⊆ MA), andA3 = A′

3∪{A}, so that ∀G ∈ A3(∆(G) = (VG, κG, MG) =⇒ MG = ∅). Ac-cording (Sub), (B,A ∪ A3, T ,U) ≤ (B,A, T ,U). Using (SubSumption),we have

∆, Γ `r C C(|Q′|)|C C′′(| b[R′|a[C C′

(| P ′|)]s]|) : (B,A ∪A3, T ,U)(B,A ∪A3, T ,U) ≤ (B,A, T ,U)

∆, Γ `r C C(|Q′|)|C C′′(| b[R′|a[C C′(| P ′|)]s]|) : (B,A, T ,U)(B.88)

(Red Out) P = a[C C(| b[C C′(| out a.P ′|)]s|Q|)], Q = a[C C(| Q′|)]|b[C C′

(| P ′|)]s,out a /∈ C∪C ′. Suppose ∆, Γ `r a[C C(| b[C C′

(| out a.P ′|)]s|Q|)] : (∅,A, ∅,U),prove ∆, Γ `r a[C C(|Q′|)]|b[C C′

(| P ′|)]s : (∅,A, ∅,U).

Using (Amb), we have

∆, Γ `a C C(| b[C C′(| out a.P ′|)]s|Q|) : (B′,A′, T ′,U ′)

∆, Γ `r a[C C(| b[C C′(| out a.P ′|)]s|Q|)] : (∅,A, ∅,U)(B.89)

where Γ(a) = A, ∆(A) = (VA, κA, MA), B′ ⊆ κA, A = A′ ∪ {A}, U =U ′ ∪ {A}, U ′ ⊆ VA, ∀G ∈ A′(∆(G) = (VG, κG, MG) =⇒ MG ⊆ MA),∀auth(D, K) ∈ T ′(∆(D) = (VD, κD, MD) =⇒ MD = ∅).

Suppose∆, Γ `a b[C C′

(| out a.P ′|)]s : (∅,A1, ∅,U1) (B.90)

117

From (B.89) and (B.90), according to Proposition 4, we can get

∆, Γ à C C(|Q|) : (B′,A′′, T ′,U ′′) (B.91)

where U ′ = U1 ∪ U ′′, A′ = A1 ∪ A′′ when C = ∅, A′′ = A′ when C 6= ∅.

From (B.91) and (B.89), using (Amb), we get

∆, Γ à C C(|Q|) : (B′,A′′, T ′,U ′′)

∆, Γ `r a[C C(|Q|)] : (∅,A′′ ∪ {A}, ∅,U ′′ ∪ {A})(B.92)

From (B.90), using (Amb) or (Sign Amb), we have

∆, Γ `b C C′(| out a.P ′|) : (B′

1,A′1, T ′

1,U ′1)

∆, Γ à b[C C′(| out a.P ′|)]s : (∅,A1, ∅,U1)(B.93)

where Γ(b) = B, ∆(B) = (VB, κB, MB), B′1 ⊆ κB, A1 = A′

1 ∪ {B}, U1 =U ′

1 ∪ {B}, U ′ ⊆ VB, ∀G ∈ A′1(∆(G) = (VG, κG, MG) =⇒ MG ⊆ MB),

∀auth(D, K) ∈ T ′1(∆(D) = (VD, κD, MD) =⇒ MD = ∅).

From ∆, Γ `b C C′(| out a.P ′|) : (B′

1,A′1, T ′

1,U ′1) in (B.93), and out a /∈ C ′,

according to Proposition 3, we get

∆, Γ `b C C′(| P ′|) : (B′′

1,A′1, T ′

1,U ′1) (B.94)

where B′1 = B′′

1 ∪ {out A}.

From (B.94) and (B.93), using (Amb) or (Sign Amb), we get

∆, Γ `b C C′(| P ′|) : (B′′

1,A′1, T ′

1,U ′1)

∆, Γ à b[C C′(| P ′|)]s : (∅,A1, ∅,U1)(B.95)

From (B.95), according to Lemma 1, we get

∆, Γ `r b[C C′(| P ′|)]s : (∅,A1, ∅,U1) (B.96)


∆, Γ `r a[C C(|Q|)] : (∅,A′′ ∪ {A}, ∅,U ′′ ∪ {A}) ∆, Γ `r b[C C′(| P ′|)]s : (∅,A1, ∅,U1)

∆, Γ `r a[C C(|Q|)]|b[C C′(| P ′|)]s : (∅,A′′ ∪ {A} ∪ A1, ∅,U ′′ ∪ {A} ∪ U1)(B.97)

Analyze U ′′ ∪ {A} ∪ U1, we can get U ′′ ∪ {A} ∪ U1 = U .

118

Analyze A′′ ∪ {A} ∪ A1:When C = ∅, we can get A′′∪{A}∪A1 = A. When C 6= ∅, A′′∪{A}∪A1 =A ∪A1.

Let us analyze A ∪A1:From ∀G ∈ A′

1(∆(G) = (VG, κG, MG) =⇒ MG ⊆ MB) and A1 =A′

1 ∪ {B}, we get ∀G ∈ A1(∆(G) = (VG, κG, MG) =⇒ MG ⊆ MB).

From (B.93), because out a /∈ C ′, out A ∈ B′1. Because B′

1 ⊆ κB,out A ∈ κB. According to the definition of ∆, Γ ` �, we get MB ⊆ MA.

From ∀G ∈ A1(∆(G) = (VG, κG, MG) =⇒ MG ⊆ MB) and MB ⊆MA, we can get ∀G ∈ A1(∆(G) = (VG, κG, MG) =⇒ MG ⊆ MA).However, ambient a is within the universal ambient, that means ∆, Γ `@

a[C C(| b[C C′(| out a.P ′|)]s|Q|)] : (∅,A, ∅,U), we can get A ∈ A and

∀G ∈ A(∆(G) = (VG, κG, MG) =⇒ MG = ∅), so that MA = ∅. Therefore,∀G ∈ A1(∆(G) = (VG, κG, MG) =⇒ MG = ∅). According to (Sub), wehave (∅,A ∪A1, ∅,U) ≤ (∅,A, ∅,U). Using (SubSumption), we have

∆, Γ `r a[C C(|Q′|)]|b[C C′(| P ′|)]s : (∅,A ∪A1, ∅,U)

(∅,A ∪A1, ∅,U) ≤ (∅,A, ∅,U)

∆, Γ `r a[C C(|Q′|)]|b[C C′(| P ′|)]s : (∅,A, ∅,U)(B.98)

(Red Open) P = open a.P ′|a[Q′], Q = P ′|Q′. Suppose ∆, Γ `r open a.P ′|a[Q′] :(B,A, T ,U), prove ∆, Γ `r P ′|Q′ : (B,A, T ,U).


∆, Γ `r open a.P ′ : (B,A1, T ,U1) ∆, Γ `r a[Q′] : (∅,A2, ∅,U2)

∆, Γ `r open a.P ′|a[Q′] : (B,A, T ,U)(B.99)

where A = A1 ∪ A2, U = U1 ∪ U2.

From ∆, Γ `r open a.P ′ : (B,A1, T ,U1) in (B.99), using (Open), we have

∆, Γ `r P ′ : (B′1,A1, T ,U1)

∆, Γ `r open a.P ′ : (B,A1, T ,U1)(B.100)

where B = B′1∪κA∪{open A}, Γ(r) = R, ∆(R) = (VR, κR, MR), Γ(a0 = A,

∆(A) = (VA, κA, MA), VA ⊆ VR, A ∈ VR.

119

From ∆, Γ `r a[Q′] : (∅,A2, ∅,U2) in (B.99), using (Amb), we have

∆, Γ `a Q′ : (B′2,A′

2, T ′2,U ′

2)

∆, Γ `r a[Q′] : (∅,A2, ∅,U2)(B.101)

where Γ(a) = A, ∆(A) = (VA, κA, MA), B′2 ⊆ κA, A2 = A′

2 ∪ {A}, U2 =U ′

2 ∪ {A}, U ′2 ⊆ VA, ∀G ∈ A′

2(∆(G) = (VG, κG, MG) =⇒ MG ⊆ MA),∀auth(D, K) ∈ T ′

2(∆(D) = (VD, κD, MD) =⇒ MD ⊆ ∅).From (B.101), according to Lemma 1, we get

∆, Γ `r Q′ : (B′2,A′

2, T ′2,U ′

2) (B.102)

From (B.102) and (B.100), using (Par), we have

∆, Γ `r P ′ : (B′1,A1, T ,U1) ∆, Γ `r Q′ : (B′

2,A′2, T ′

2,U ′2)

∆, Γ `r P ′|Q′ : (B′1 ∪ B′

2,A1 ∪ A′2, T ∪ T ′

2,U1 ∪ U ′2)

(B.103)

From B = B′1 ∪ κA ∪ {open A} and B′

2 ⊆ κA, we can get B′1 ∪ B′

2 ⊆ B.From A2 = A′

2 ∪ {A} and A = A1 ∪ A2, we can get A1 ∪ A′2 ⊆ A.

From U = U1 ∪ U2 and U2 = U ′2 ∪ {A}, we can get U1 ∪ U ′

2 ⊆ U .Analyze T ∪T ′

2: we have already have ∀auth(D, K) ∈ T ′2(∆(D) = (VD, κD, MD) =⇒

MD ⊆ ∅).Therefore, according to (Sub), we can have (B′

1∪B′2,A1∪A′

2, T ∪T ′2,U1∪

U ′2) ≤ (B,A, T ,U).

Using (SubSumption), we have

∆, Γ `r P ′|Q′ : (B′1 ∪ B′

2,A1 ∪ A′2, T ∪ T ′

2,U1 ∪ U ′2)

(B′1 ∪ B′

2,A1 ∪ A′2, T ∪ T ′

2,U1 ∪ U ′2) ≤ (B,A, T ,U)

∆, Γ `r P ′|Q′ : (B,A, T ,U)(B.104)

(Red Auth) P = a[P ′]k|b[C C(| auth(a, k).Q′|)|R′]s, Q = b[C C(| Q′|a[P ′]|)|R′]s.Suppose ∆, Γ `r a[P ′]k|b[C C(| auth(a, k).Q′|)|R′]s : (∅,A, ∅,U), prove ∆, Γ `r

b[C C(|Q′|a[P ′]|)|R′]s : (∅,A, ∅,U).


∆, Γ `r a[P ′]k : (∅,A1, ∅,U1) ∆, Γ `r b[C C(| auth(a, k).Q′|)|R′]s : (∅,A2, ∅,U2)

∆, Γ `r a[P ′]k|b[C C(| auth(a, k).Q′|)|R′]s : (∅,A, ∅,U)(B.105)

where A = A1 ∪ A2, U = U1 ∪ U2.

From ∆, Γ `r a[P ′]k : (∅,A1, ∅,U1) in (B.105), according to Lemma 2, wecan get

∆, Γ `r a[P ′] : (∅,A1, ∅,U1) (B.106)

120

From (B.106), according to Lemma 1, we can get

∆, Γ `b a[P ′] : (∅,A1, ∅,U1) (B.107)

From ∆, Γ `r b[C C(| auth(a, k).Q′|)|R′]s : (∅,A2, ∅,U2) in (B.105), using(Sign Amb) or (Amb), we have

∆, Γ `b C C(| auth(a, k).Q′|)|R′ : (B′2,A′

2, T ′2,U ′

2)

∆, Γ `r b[C C(| auth(a, k).Q′|)|R′]s : (∅,A2, ∅,U2)(B.108)

where Γ(b) = B, ∆(B) = (VB, κB, MB), B′2 ⊆ κB, A2 = A′

2 ∪ {B}, U2 =U ′

2 ∪ {B}, U ′2 ⊆ VB, ∀G ∈ A′

2(∆(G) = (VG, κG, MG) =⇒ MG ⊆ MB),∀auth(D, K) ∈ T ′

2(∆(D) = (VD, κD, MD) =⇒ MD = ∅).


∆, Γ `b C C(| auth(a, k).Q′|) : (B3,A3, T3,U3) ∆, Γ `b R′ : (B4,A4, T4,U4)

∆, Γ `b C C(| auth(a, k).Q′|)|R′ : (B′2,A′

2, T ′2,U ′

2)(B.109)

where B′2 = B3 ∪ B4, A′

2 = A3 ∪ A4, T ′2 = T3 ∪ T4, U ′

2 = U3 ∪ U4.

From ∆, Γ `b C C(| auth(a, k).Q′|) : (B3,A3, T3,U3) in (B.109), according toProposition 6, we can get

∆, Γ `b C C(|Q′|) : (B′3,A3, T ′

3,U3) (B.110)

where B3 = B′3 ∪ {auth(A, K)}, T3 = T ′

3 ∪ {auth(A, K)} when C = ∅,T ′

3 = T3 when C 6= ∅.

From ∆, Γ `b C C(| auth(a, k).Q′|) : (B3,A3, T3,U3) in (B.109), we cansee that C C(| auth(a, k).Q′|) is well typed, so that auth(a, k).Q′ is alsowell typed. Suppose ∆, Γ `b auth(a, k).Q′ : (B′,A′, T ′,U ′), accordingto (Auth), auth(A, K) ∈ T ′, where Γ(a) = A, Γ(k) = K. BecauseC C(| auth(a, k).Q′|) is well typed, according to (Block), we have MA ⊆InnerMostBlk(C C(| |)) where ∆(A) = (VA, κA, MA).

From (B.110), (B.107) and MA ⊆ InnerMostBlk(C C(| |)), according toProposition 7, we can get

∆, Γ `b C C(|Q′|a[P ′]|) : (B′3,A′′

3, T ′3,U1 ∪ U3) (B.111)

where A′′3 = A3 when C 6= ∅, A′′

3 = A3 ∪ A1 when C = ∅.

121

From (B.111) and ∆, Γ `b R′ : (B4,A4, T4,U4) in (B.109), using (Par), wecan get

∆, Γ `b C C(|Q′|a[P ′]|) : (B′3,A′′

3, T ′3,U1 ∪ U3) ∆, Γ `b R′ : (B4,A4, T4,U4)

∆, Γ `b C C(|Q′|a[P ′]|)|R′ : (B′3 ∪ B4,A′′

3 ∪ A4, T ′3 ∪ T4,U1 ∪ U3 ∪ U4)

(B.112)

Before we use (Sign Amb) or (Amb), let us analyze those conditions whichcan be satisfied:

Analyze B′3 ∪ B4: we can get B′

3 ∪ B4 ⊆ B′2, from B′

2 ⊆ κB, we getB′

3 ∪ B4 ⊆ κB.

Analyze A′′3 ∪A4: when C 6= ∅, A′′

3 ∪A4 = A′2; when C = ∅, A′′

3 ∪A4 =A′

2 ∪ A1. In ∆, Γ `r a[P ′]k : (∅,A1, ∅,U1), ambient a is within the univer-sal ambient, that means ∆, Γ `@ a[P ′]k : (∅,A1, ∅,U1). So that we have∀G ∈ A1(∆(G) = (VG, κG, MG) =⇒ MG = ∅). Therefore, we have∀G ∈ (A′′

3 ∪ A4)(∆(G) = (VG, κG, MG) =⇒ MG ⊆ MB).

Analyze T ′3 ∪ T4: we can get T ′

3 ∪ T4 ⊆ T ′2.

Analyze U1 ∪ U3 ∪ U4: we can get U1 ∪ U3 ∪ U4 = U ′2 ∪ U1. From (B.107),

we can get U1 ⊆ VA, where Γ(a) = A, ∆(A) = (VA, κA, MA). Becauseauth(a, k).Q′ is well typed within ambient b, according to (Auth), we canget VA ⊆ VB. So that we can get U1 ⊆ VB.

So that, from (B.112), using (Amb), we can get

∆, Γ `b C C(|Q′|a[P ′]|)|R′ : (B′3 ∪ B4,A′′

3 ∪ A4, T ′3 ∪ T4,U1 ∪ U3 ∪ U4)

∆, Γ `r b[C C(|Q′|a[P ′]|)|R′]s : (∅,A′′3 ∪ A4 ∪ {B}, ∅,U)

(B.113)where A′′

3 ∪ A4 ∪ {B} = A2 when C 6= ∅, A2 ⊆ A; A′′3 ∪ A4 ∪ {B} =

A2 ∪A1 = A when C = ∅. So that, according to (Sub), we have (∅,A′′3 ∪

A4 ∪ {B}, ∅,U) ≤ (∅,A, ∅,U). Using (SubSumption), we have

∆, Γ `r b[C C(|Q′|a[P ′]|)|R′]s : (∅,A′′3 ∪ A4 ∪ {B}, ∅,U)

(∅,A′′3 ∪ A4 ∪ {B}, ∅,U) ≤ (∅,A, ∅,U)

∆, Γ `r b[C C(|Q′|a[P ′]|)|R′]s : (∅,A, ∅,U)(B.114)

(Red Sign) P = sign(a, k).P ′|a[Q′], Q = P ′|a[Q′]k. Suppose ∆, Γ `r sign(a, k).P ′|a[Q′] :(B,A, T ,U), prove ∆, Γ `r P ′|a[Q′]k : (B,A, T ,U).

122


∆, Γ `r sign(a, k).P ′ : (B,A1, T ,U1) ∆, Γ `r a[Q′] : (∅,A2, ∅,U2)

∆, Γ `r sign(a, k).P ′|a[Q′] : (B,A, T ,U)(B.115)

where A = A1 ∪ A2, U = U1 ∪ U2.

From ∆, Γ `r sign(a, k).P ′ : (B,A1, T ,U1) in (B.115), using (Sign), wehave

∆, Γ `r P ′ : (B′,A1, T ,U1)

∆, Γ `r sign(a, k).P ′ : (B,A1, T ,U1)(B.116)

where B = B′ ∪ {sign(A, K)}, Γ(a) = A, ∆(A) = (VA, κA, MA), Γ(r) = R,∆(R) = (VR, κR, MR), VA ⊆ VR, A ∈ VR.

From ∆, Γ `r a[Q′] : (∅,A2, ∅,U2), according to Lemma 3, we get

∆, Γ `r a[Q′]k : (∅,A2, ∅,U2) (B.117)


∆, Γ `r P ′ : (B′,A1, T ,U1) ∆, Γ `r a[Q′]k : (∅,A2, ∅,U2)

∆, Γ `r P ′|a[Q′]k : (B′,A, T ,U)(B.118)

where B = B′ ∪ {sign(A, K)}. So that we have (B′,A, T ,U) ≤ (B,A, T ,U)according to (Sub). Using (SubSumption), we have

∆, Γ `r P ′|a[Q′]k : (B′,A, T ,U)(B′,A, T ,U) ≤ (B,A, T ,U)

∆, Γ `r P ′|a[Q′]k : (B,A, T ,U)(B.119)

(Red Res) P = (νn)P ′, Q = (νn)Q′, and P ′ → Q′. Suppose ∆, Γ `r (νn)P ′ :(B,A, T ,U), prove ∆, Γ `r (νn)Q′ : (B,A, T ,U).

Using (Res), we have

∆, Γ `r P ′ : (B,A, T ,U)

∆, Γ `r (νn)P ′ : (B,A, T ,U)(B.120)

From ∆, Γ `r P ′ : (B,A, T ,U) in (B.120), and P ′ → Q′, according to thehypothesis, we have ∆, Γ `r Q′ : (B,A, T ,U). Using (Res), we get

∆, Γ `r Q′ : (B,A, T ,U)

∆, Γ `r (νn)Q′ : (B,A, T ,U)(B.121)

123

(Red Amb) P = a[P ′]s, Q = a[Q′]s, and P ′ → Q′. Suppose ∆, Γ `b a[P ′]s :(∅,A, ∅,U), prove ∆, Γ `b a[P ′]s : (∅,A, ∅,U).

Using (Amb) or (Sign Amb), we have

∆, Γ `b P ′ : (B′,A′, T ′,U ′)

∆, Γ `b a[P ′]s : (∅,A, ∅,U)(B.122)

where Γ(a) = A, ∆(A) = (VA, κA, MA), Γ(b) = B, ∆(B) = (VB, κB, MB),B′ ⊆ κA, ∀auth(D, K) ∈ T ′(∆(D) = (VD, κD, MD) =⇒ MD = ∅),∀G ∈ A′(∆(G) = (VG, κG, MG) =⇒ MG ⊆ MA), U ′ ⊆ VA, A = A′ ∪ {A},U = U ′ ∪ {A}.

From ∆, Γ `b P ′ : (B′,A′, T ′,U ′) in (B.122) and P ′ → Q′, according to thehypothesis, we can get ∆, Γ `b Q′ : (B′,A′, T ′,U ′). According to (B.122),using (Amb) or (Sign Amb), we get

∆, Γ `b Q′ : (B′,A′, T ′,U ′)

∆, Γ `b a[Q′]s : (∅,A, ∅,U)(B.123)

(Red Par) P = P ′|R′, Q = Q′|R′, and P ′ → Q′. Suppose ∆, Γ `r P ′|R′ :(B,A, T ,U), prove ∆, Γ `r Q′|R′ : (B,A, T ,U).


∆, Γ `r P ′ : (B1,A1, T1,U1) ∆, Γ `r R′ : (B2,A2, T2,U2)

∆, Γ `r P ′|R′ : (B,A, T ,U)(B.124)


From ∆, Γ `r P ′ : (B1,A1, T1,U1) in (B.124) and P ′ → Q′, according to thehypothesis, we can get ∆, Γ `r Q′ : (B1,A1, T1,U1). Using (Par), we canget

∆, Γ `r Q′ : (B1,A1, T1,U1) ∆, Γ `r R′ : (B2,A2, T2,U2)

∆, Γ `r Q′|R′ : (B,A, T ,U)(B.125)

(Red BC) P = P ′oC , Q = Q′oC , and P ′ → Q′. Suppose ∆, Γ `r P ′oC :(B, ∅, ∅,U), prove ∆, Γ `r Q′oC : (B, ∅, ∅,U).


∆, Γ `r P ′ : (B′,A′, T ′,U)

∆, Γ `r P ′oC : (B, ∅, ∅,U)(B.126)

124

where B = B′ − type(C), ∀G ∈ A′(∆(G) = (VG, κG, MG) =⇒ MG ⊆type(C)), ∀auth(D, K) ∈ T ′(∆(D) = (VD, κD, MD) =⇒ MD ⊆ type(C)).

From ∆, Γ `r P ′ : (B′,A′, T ′,U) in (B.126), and P ′ → Q′, according to thehypothesis, we can get ∆, Γ `r Q′ : (B′,A′, T ′,U). Using (Block), we canget

∆, Γ `r P ′ : (B′,A′, T ′,U)

∆, Γ `r Q′oC : (B, ∅, ∅,U)(B.127)

(Red ≡) P ′ ≡ P , P → Q, Q ≡ Q′. Suppose ∆, Γ `r P ′ : (B,A, T ,U), prove∆, Γ `r Q′ : (B,A, T ,U).

From ∆, Γ `r P ′ : (B,A, T ,U) and P ′ ≡ P , according to Proposition 1, wecan get ∆, Γ `r P : (B,A, T ,U).

From ∆, Γ `r P : (B,A, T ,U) and P → Q, according to the hypothesis, wecan get ∆, Γ `r Q : (B,A, T ,U).

From ∆, Γ `r Q : (B,A, T ,U) and Q ≡ Q′, according to Proposition 1, wecan get ∆, Γ `r Q′ : (B,A, T ,U) and Q ≡ Q′.

2

125

Bibliography

[1] L. Cardelli and A. D. Gordon, Mobile ambients, in Foundations of Soft-ware Science and Computation Structures: First International Conference,FOSSACS ’98, Springer-Verlag, Berlin Germany, 1998.

[2] Digital signature standard (dss).

[3] S. Microsystems, Java security architecture, http://java.sun.com/j2se/

1.5.0/docs/guide/security/spec/security-spec.doc1.html.

[4] S. Microsystems, Security in java 2, http://java.sun.com/docs/books/

tutorial/security1.2/summary/glossary.html.

[5] J. L. V. Frontana, Dynamic Binding of Names in Calculi for Mobile Pro-cesses, PhD thesis, KTH, Stockholm, 2001.

[6] K. S. Søren Nøhr Christensen and M. Thrysøe, Umbrella, 2004.

[7] S. B. Anupam Palit, Bin Ren and Y. Sun, Digital signature for mobileambients, 2005.

[8] D. Kotz and R. S. Gray, SIGOPS Oper. Syst. Rev. 33, 7 (1999).

[9] R. Milner, Communication and Concurrency (Prentice-Hall, 1989).

[10] K. G. Luca Aceto and A. Ingolfsdottir, An introduction to milner’sccs, BRICS,Department of Computer Science,Aalborg University,Denmark,2005.

[11] J.-L. Vivas and M. Dam, From higher-order pi-calculus to pi-calculus in thepresence of static operators, in International Conference on ConcurrencyTheory, pp. 115–130, 1998.

[12] DNSRD, Dns resources directory, http://www.dns.net/dnsrd/.

[13] T. A. S. Foundation, Authentication, authorization and access control,http://httpd.apache.org/docs/1.3/howto/auth.html#access.

[14] L. Cardelli, ACM Comput. Surv. 28, 263 (1996).

127

http://java.sun.com/j2se/1.5.0/docs/guide/security/spec/security-spec.doc1.html

http://java.sun.com/j2se/1.5.0/docs/guide/security/spec/security-spec.doc1.html

http://java.sun.com/docs/books/tutorial/security1.2/summary/glossary.html

http://java.sun.com/docs/books/tutorial/security1.2/summary/glossary.html

http://www.dns.net/dnsrd/

http://httpd.apache.org/docs/1.3/howto/auth.html#access

[15] L. Cardelli, G. Ghelli, and A. D. Gordon, Lecture Notes in Computer Science1877, 365 (2000).

[16] L. Cardelli, Mobility and security, in Foundations of Secure Computation,edited by F. L. Bauer and R. Steinbruggen, NATO Science Series, pp. 3–37,IOS Press, 2000.

128

digital signature and blocking in mobile...

Documents