
6.2 Composition of Secure Action Systems

6.2.1 Sequential Composition

To express $SAS_1 ; SAS_2$ as a normal form, we need a mechanism to detect the final state of $SAS_1$ and to start $SAS_2$ dynamically from that state. Let $watchdog$ be a new agent that sets a local variable $flag$ to true when it detects the final state of $SAS_1$. Initially $flag$ is set to false. The agent $watchdog$ participates in a single action called $switch$; both are defined as follows:

(6.1) $\mathbf{agent}\ watchdog : \mathbf{var}\ flag;\ flag := false.$

(6.2) $\mathbf{action}\ switch\ \mathbf{on}\ P_1, P_2\ \mathbf{by}\ watchdog :$
$\qquad \neg flag \rightarrow flag, y_{p_1}, \dots, y_{p_n} := true, c_{p_1}, \dots, c_{p_n}.$

where $p_i \in P_2$ and there exists an initialisation statement $Init_2(p_i) = (y_{p_i} := c_{p_i})$, for $i = 1, \dots, n$.

A sequential composition $SAS_1 ; SAS_2$ denotes a normal form

$(P, A, Agents, Actions, Policy)$

where

• $P \hat{=} P_1 \cup P_2 \cup \{watchdog\}$ and $A \hat{=} A_1 \cup A_2 \cup \{switch\}$;

• $Agents \hat{=} Agents_1 \cup Agents'_2 \cup \{(6.1)\}$, where $Agents'_2$ is identical to $Agents_2$ without the initialisation statements for agents;

• $Actions \hat{=} Actions_1 \cup Actions_2 \cup \{(6.2)\}$;

• $Policy$ contains the functions $autho$, $autho^+$ and $autho^-$ defined as follows:

1. $autho(x, y, z) = (\neg flag \wedge autho_1(x, y, z))$, $\forall x, y \in P_1 \setminus P_2$, $\forall z \in A_1 \setminus A_2$;

2. $autho(x, y, z) = (flag \wedge autho_2(x, y, z))$, $\forall x, y \in P_2 \setminus P_1$, $\forall z \in A_2 \setminus A_1$;

3. $autho(x, y, z) = (\neg flag \wedge autho_1(x, y, z)) \vee (flag \wedge autho_2(x, y, z))$, $\forall x, y \in P_1 \cap P_2$, $\forall z \in A_1 \cap A_2$;

4. $autho(watchdog, x, switch) = final_1$, $\forall x \in P_1 \cup P_2$;

5. $autho(x, y, z) = false$, otherwise.

The functions $autho^+$ and $autho^-$ are defined similarly to $autho$.

Note that the actions in $SAS_1$ are not enabled if $flag$ evaluates to true, and the actions in $SAS_2$ are not enabled if $flag$ evaluates to false. Initially $flag$ is false and it is kept false until $SAS_1$ terminates. At the termination of $SAS_1$ the action $switch$ is enabled because $flag$ is still false. Since it is the only enabled action in that state, it is selected for execution. Its execution sets $flag$ to true, performs all the initialisation statements provided in $SAS_2$ and preserves the postconditions of $SAS_1$ that are not affected by these initialisation statements (see the formal semantics of secure action systems in Chapter 3, page 30). From there on, only actions in $SAS_2$ can be enabled because $flag$ is true.

6.2.2 Parallel Composition

A parallel composition $SAS_1 \parallel SAS_2$ denotes a normal form

$(P, A, Agents, Actions, Policy)$

where

• $P \hat{=} P_1 \cup P_2$ and $A \hat{=} A_1 \cup A_2$. We assume that any agent in $P_1 \cap P_2$ has the same definition in $Agents_1$ and $Agents_2$;

• $Agents \hat{=} Agents_1 \cup Agents_2$ and $Actions \hat{=} Actions_1 \cup Actions_2$;

• $Policy$ contains the functions $autho$, $autho^+$ and $autho^-$ defined as follows:

1. $autho(x, y, z) = autho_1(x, y, z)$, $\forall x \in P_1 \setminus P_2$, $\forall y \in P_1$, $\forall z \in A_1$;

2. $autho(x, y, z) = autho_1(x, y, z)$, $\forall x \in P_1$, $\forall y \in P_1 \setminus P_2$, $\forall z \in A_1$;

3. $autho(x, y, z) = autho_1(x, y, z)$, $\forall x \in P_1$, $\forall y \in P_1$, $\forall z \in A_1 \setminus A_2$;

4. $autho(x, y, z) = autho_2(x, y, z)$, $\forall x \in P_2 \setminus P_1$, $\forall y \in P_2$, $\forall z \in A_2$;

5. $autho(x, y, z) = autho_2(x, y, z)$, $\forall x \in P_2$, $\forall y \in P_2 \setminus P_1$, $\forall z \in A_2$;

6. $autho(x, y, z) = autho_2(x, y, z)$, $\forall x \in P_2$, $\forall y \in P_2$, $\forall z \in A_2 \setminus A_1$;

7. $autho(x, y, z) = autho_1(x, y, z) \wedge autho_2(x, y, z)$, $\forall x, y \in P_1 \cap P_2$, $\forall z \in A_1 \cap A_2$;

8. $autho(x, y, z) = false$, otherwise.

The functions $autho^+$ and $autho^-$ are defined similarly to $autho$.

In a parallel composition $SAS_1 \parallel SAS_2$, the security policy of a joint action which is common to $SAS_1$ and $SAS_2$ is the conjunction of the security policies of the action in each of the subsystems: cases 1 to 6 leave a triple $(x, y, z)$ that belongs to only one subsystem under the policy of that subsystem, while case 7 authorises a triple shared by both subsystems only if both policies authorise it.
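The policy rules of 6.2.2 in executable form, as an added example that is not part of the thesis: the eight cases collapse to three tests on a triple $(x, y, z)$ (owned by $SAS_1$ only, by $SAS_2$ only, or by both), and the check at the end exercises the property a practitioner cares about, that the composed policy never authorises a triple its owning subsystem denies. The sets, the two component policies and the names used below are constructed for the example; a triple missing from a component policy is read as $autho_i = false$.

```python
"""Policy of a parallel composition SAS1 || SAS2 (6.2.2). Added example, not from
the thesis. A component policy is a dict over (x, y, z) triples; a triple that is
absent is read as autho_i = false. Sets and policies below are constructed."""
from itertools import product
from typing import Dict, FrozenSet, Tuple

Triple = Tuple[str, str, str]
Policy = Dict[Triple, bool]

# Constructed components: agent "b" and action "write" are shared by both systems.
P1: FrozenSet[str] = frozenset({"a", "b"})
A1: FrozenSet[str] = frozenset({"read", "write"})
AUTHO1: Policy = {("a", "b", "read"): True, ("b", "b", "write"): True}
P2: FrozenSet[str] = frozenset({"b", "c"})
A2: FrozenSet[str] = frozenset({"write", "send"})
AUTHO2: Policy = {("c", "b", "send"): True, ("b", "b", "write"): False}


def parallel_autho(P1, A1, autho1, P2, A2, autho2) -> Policy:
    """autho of SAS1 || SAS2 over P x P x A with P = P1 u P2 and A = A1 u A2.
    Cases 1-3 of 6.2.2 are exactly the triples owned by SAS1 but not by SAS2,
    cases 4-6 those owned by SAS2 but not by SAS1, case 7 the shared ones."""
    composed: Policy = {}
    for x, y, z in product(P1 | P2, P1 | P2, A1 | A2):
        owned1 = x in P1 and y in P1 and z in A1
        owned2 = x in P2 and y in P2 and z in A2
        if owned1 and owned2:                     # case 7: both must authorise
            v = autho1.get((x, y, z), False) and autho2.get((x, y, z), False)
        elif owned1:                              # cases 1-3: decided by SAS1
            v = autho1.get((x, y, z), False)
        elif owned2:                              # cases 4-6: decided by SAS2
            v = autho2.get((x, y, z), False)
        else:                                     # case 8: cross-system triples
            v = False
        composed[(x, y, z)] = v
    return composed


def never_more_permissive(composed: Policy, Pi, Ai, authoi: Policy) -> bool:
    """The composition must not grant a triple that its owning subsystem denies."""
    return all(not composed[t] or authoi.get(t, False) for t in product(Pi, Pi, Ai))


def demo() -> Policy:
    return parallel_autho(P1, A1, AUTHO1, P2, A2, AUTHO2)
```

In the constructed data the shared triple $(b, b, write)$ is authorised by $SAS_1$ alone and denied by $SAS_2$, so the composition denies it; a triple such as $(a, c, write)$, whose agents come from different subsystems, falls under case 8 and is denied even though both agents and the action exist in the composed system.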

6.2.3 Unless

A normal form that implements an expression $\langle b \rangle SAS_1$ contains an agent $detector$ that monitors the value of $b$ and performs an action $stop$ to end the execution of the system once $b$ is true. The agent $detector$ and the action $stop$ are defined as follows, where the local variable $flag$ is set to true when the condition $b$ is true:

(6.3) $\mathbf{agent}\ detector : \mathbf{var}\ flag;\ flag := false.$

(6.4) $\mathbf{action}\ stop\ \mathbf{on}\ detector\ \mathbf{by}\ detector\ \mathbf{async}\ P_1 : (\neg flag \wedge b) \rightarrow flag := true.$

The expression $\langle b \rangle SAS_1$ denotes a normal form

$(P_1 \cup \{detector\},\ A_1 \cup \{stop\},\ Agents_1 \cup \{(6.3)\},\ Actions_1 \cup \{(6.4)\},\ Policy)$

where

1. $autho(x, y, z) = \neg b \wedge \neg flag \wedge autho_1(x, y, z)$, $\forall x, y \in P_1$, $\forall z \in A_1$;

2. $autho(detector, detector, stop) = true$;

3. $autho(x, y, z) = false$, otherwise.

The functions $autho^+$ and $autho^-$ are defined similarly to $autho$. The security guard of each action is strengthened with the condition $\neg b \wedge \neg flag$ so that the action is no longer enabled once the condition $b$ becomes true. The system then terminates.

6.2.4 Duration

In order to express $t : SAS_1$ in normal form, we need an agent $clock$ that observes the execution of $SAS_1$ and stops it if it does not terminate before $t$ time units. The agent $clock$ has a state variable $time$ initialised to $0$, and participates in the execution of a single action $tick$ that increments the value of the variable $time$ by $1$ at each transition of the system.

(6.5) $\mathbf{agent}\ clock : \mathbf{var}\ time;\ time := 0.$

(6.6) $\mathbf{action}\ tick\ \mathbf{on}\ clock\ \mathbf{by}\ clock : time < t \rightarrow time := time + 1.$

The expression $t : SAS_1$ denotes a normal form

$(P_1 \cup \{clock\},\ A_1 \cup \{tick\},\ Agents_1 \cup \{(6.5)\},\ Actions_1 \cup \{(6.6)\},\ Policy)$

where

1. $autho(x, y, z) = time < t \wedge autho_1(x, y, z)$, $\forall x, y \in P_1$, $\forall z \in A_1$;

2. $autho(clock, clock, tick) = true$;

3. $autho(x, y, z) = false$, otherwise.

The functions $autho^+$ and $autho^-$ are defined similarly to $autho$. Note that no action (including the action $tick$) is enabled once the value of $time$ equals $t$, and none becomes enabled thereafter. So the system stops.
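The following is an added executable sketch of the normal forms of 6.2.1 (sequential composition: $watchdog$ and $switch$) and 6.2.4 (duration: $clock$ and $tick$); it is example code, not from the thesis. It makes three simplifying assumptions: each action's $autho(x, y, z)$ is collapsed into a single predicate over the state (the participants are fixed per action), the nondeterministic choice among enabled actions is replaced by a deterministic round robin so that the trace is reproducible, and $final_1$ is computed as "no action of $SAS_1$ is enabled". The two toy systems, their variables and the bound $t = 2$ are constructed for the example.

```python
"""Executable sketch of the normal forms SAS1 ; SAS2 (6.2.1) and t : SAS1 (6.2.4).
Added example, not from the thesis. Assumptions: autho(x, y, z) is collapsed
into one predicate per action, the scheduler is a deterministic round robin,
and a system is final when none of its own actions is enabled."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

State = Dict[str, object]
Pred = Callable[[State], bool]


@dataclass(eq=False)
class Action:
    name: str
    guard: Pred                       # the action's own guard
    body: Callable[[State], None]     # state update performed when the action fires
    policy: Pred                      # autho for this action, evaluated in the current state


def enabled(a: Action, s: State) -> bool:
    # Policy is tested first: a policy that is false must short-circuit before the
    # guard reads variables that a pending switch has not initialised yet.
    return a.policy(s) and a.guard(s)


def run(actions: List[Action], s: State, max_steps: int = 100) -> Tuple[List[str], bool]:
    """Round-robin execution of a normal form; returns (trace, terminated)."""
    trace, start, n = [], 0, len(actions)
    for _ in range(max_steps):
        order = [(start + k) % n for k in range(n)]
        idx = next((i for i in order if enabled(actions[i], s)), None)
        if idx is None:
            return trace, True        # no enabled action: the system terminates
        actions[idx].body(s)
        trace.append(actions[idx].name)
        start = (idx + 1) % n
    return trace, False               # step bound reached without termination


def is_final(sas: List[Action]) -> Pred:
    """final_i: no action of the (ungated) subsystem is enabled in the state."""
    return lambda s: not any(enabled(a, s) for a in sas)


def gate(sas: List[Action], cond: Pred) -> List[Action]:
    """Strengthen every policy of `sas` with `cond`, i.e. autho := cond and autho_i."""
    return [Action(a.name, a.guard, a.body, lambda s, p=a.policy: cond(s) and p(s)) for a in sas]


def set_var(name: str, f: Callable[[State], object]) -> Callable[[State], None]:
    return lambda s: s.__setitem__(name, f(s))


def sequential(sas1: List[Action], sas2: List[Action], init2: State) -> List[Action]:
    """SAS1 ; SAS2 (6.2.1): SAS1 runs while flag is false, switch fires on final_1,
    re-runs Init_2 and sets flag, after which only SAS2 can be enabled."""
    def switch_body(s: State) -> None:
        s["flag"] = True
        s.update(init2)               # initialisation statements of SAS2; nothing else is touched
    switch = Action("switch", lambda s: not s["flag"], switch_body, is_final(sas1))
    return gate(sas1, lambda s: not s["flag"]) + [switch] + gate(sas2, lambda s: s["flag"])


def duration(t: int, sas1: List[Action]) -> List[Action]:
    """t : SAS1 (6.2.4): tick counts transitions, every action needs time < t."""
    tick = Action("tick", lambda s: s["time"] < t, set_var("time", lambda s: s["time"] + 1), lambda s: True)
    return gate(sas1, lambda s: s["time"] < t) + [tick]


def demo_sequential() -> Tuple[List[str], State, bool]:
    # Constructed toy systems: SAS1 counts n up to 2, SAS2 counts m down from 10 to 8.
    sas1 = [Action("inc", lambda s: s["n"] < 2, set_var("n", lambda s: s["n"] + 1), lambda s: True)]
    sas2 = [Action("dec", lambda s: s["m"] > 8, set_var("m", lambda s: s["m"] - 1), lambda s: True)]
    state: State = {"n": 0, "flag": False}   # Init_1 plus the watchdog; Init_2 is applied by switch
    trace, terminated = run(sequential(sas1, sas2, {"m": 10}), state)
    return trace, state, terminated


def demo_duration(t: int = 2) -> Tuple[List[str], State, bool, bool]:
    # Constructed toy system that never terminates on its own: inc is always enabled.
    forever = [Action("inc", lambda s: True, set_var("n", lambda s: s["n"] + 1), lambda s: True)]
    _, alone_terminated = run(forever, {"n": 0}, max_steps=10)
    state: State = {"n": 0, "time": 0}
    trace, terminated = run(duration(t, forever), state)
    return trace, state, terminated, alone_terminated


if __name__ == "__main__":
    print(demo_sequential())   # (['inc', 'inc', 'switch', 'dec', 'dec'], {'n': 2, 'flag': True, 'm': 8}, True)
    print(demo_duration())     # (['inc', 'tick', 'inc', 'tick'], {'n': 2, 'time': 2}, True, False)
```

Two points of the definitions are visible in the traces: $switch$ only fires once no action of $SAS_1$ is enabled, and it leaves the postcondition $n = 2$ of $SAS_1$ untouched while applying $Init_2$; and under $t : SAS_1$ a system that on its own runs until the step bound is cut off as soon as $time = t$, with neither $inc$ nor $tick$ enabled afterwards.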

6.2.5 Conditional

To express a conditional $b\ ?\ SAS_1 : SAS_2$ in normal form, we need an agent $choice$ and an action $select$ defined below. The Boolean variable $cond$ in the agent $choice$ stores the value of the Boolean expression $b$ in the initial state, while the control variable $lock$ keeps the value of $cond$ stable once the action $select$ has executed. The action $select$ is executed in the initial state to assign $cond$ the value of the expression $b$. If $b$ holds in the initial state, the action $select$ performs the initialisation statements of $SAS_1$, otherwise it performs those of $SAS_2$. After that it never executes again because $lock = 1$, which keeps the values of $cond$ and $lock$ unchanged until termination. The variables $cond$ and $lock$ control the execution of the actions in $SAS_1$ and $SAS_2$: only actions in $SAS_1$ are executed when $cond$ is true, otherwise only those in $SAS_2$ are executed.

(6.7) $\mathbf{agent}\ choice : \mathbf{var}\ cond, lock;\ cond, lock := false, 0.$

(6.8) $\mathbf{action}\ select\ \mathbf{on}\ P_1, P_2\ \mathbf{by}\ choice :$
$\qquad lock = 0 \rightarrow cond, lock := b, 1$
$\qquad \parallel\ \mathbf{if}\ b\ \mathbf{then}\ y_{p_1}, \dots, y_{p_n} := c_{p_1}, \dots, c_{p_n}$
$\qquad\quad \mathbf{else}\ y_{q_1}, \dots, y_{q_m} := c_{q_1}, \dots, c_{q_m}\ \mathbf{fi}.$

where $p_i \in P_1$, $q_j \in P_2$ and there exists an initialisation statement $Init_1(p_i) = (y_{p_i} := c_{p_i})$ and an initialisation statement $Init_2(q_j) = (y_{q_j} := c_{q_j})$, for $i = 1, \dots, n$ and $j = 1, \dots, m$.

A conditional $b\ ?\ SAS_1 : SAS_2$ denotes a normal form

$(P, A, Agents, Actions, Policy)$

where

• $P \hat{=} P_1 \cup P_2 \cup \{choice\}$ and $A \hat{=} A_1 \cup A_2 \cup \{select\}$;

• $Agents \hat{=} Agents'_1 \cup Agents'_2 \cup \{(6.7)\}$, where $Agents'_i$ is identical to $Agents_i$ without the initialisation statements, $i = 1, 2$;

• $Actions \hat{=} Actions_1 \cup Actions_2 \cup \{(6.8)\}$;

• $Policy$ contains the functions $autho$, $autho^+$ and $autho^-$ defined as follows:

1. $autho(x, y, z) = (lock = 1 \wedge cond \wedge autho_1(x, y, z))$, $\forall x, y \in P_1 \setminus P_2$, $\forall z \in A_1 \setminus A_2$;

2. $autho(x, y, z) = (lock = 1 \wedge \neg cond \wedge autho_2(x, y, z))$, $\forall x, y \in P_2 \setminus P_1$, $\forall z \in A_2 \setminus A_1$;

3. $autho(x, y, z) = (lock = 1 \wedge cond \wedge autho_1(x, y, z)) \vee (lock = 1 \wedge \neg cond \wedge autho_2(x, y, z))$, $\forall x, y \in P_1 \cap P_2$, $\forall z \in A_1 \cap A_2$;

4. $autho(choice, choice, select) = true$;

5. $autho(x, y, z) = false$, otherwise.

6.2.6 Iteration

The expression of an iteration $b * SAS_1$ in normal form requires an agent $iterator$ responsible for scheduling an execution of $SAS_1$ whenever $b$ evaluates to true. This agent participates in a single action $loop$ which is enabled in the initial state if $b$ holds in that state, and is enabled each time the system $SAS_1$ terminates in a state where the condition $b$ is true. The body of the action executes the initialisation statements of $SAS_1$ to initiate a new iteration. Similarly to the sequential composition, the postconditions of $SAS_1$ which are not modified by the initialisation statements are preserved during the execution of the action $loop$. The Boolean variable $flag$ is used to distinguish the first iteration from subsequent ones.

(6.9) $\mathbf{agent}\ iterator : \mathbf{var}\ flag;\ flag := false.$

(6.10) $\mathbf{action}\ loop\ \mathbf{on}\ P_1\ \mathbf{by}\ iterator :$
$\qquad b \rightarrow flag, y_{p_1}, \dots, y_{p_n} := true, c_{p_1}, \dots, c_{p_n}.$

where $p_i \in P_1$ and there exists an initialisation statement $Init_1(p_i) = (y_{p_i} := c_{p_i})$, for $i = 1, \dots, n$.

An expression $b * SAS_1$ denotes a normal form

$(P, A, Agents, Actions, Policy)$

where

• $Agents \hat{=} Agents'_1 \cup \{(6.9)\}$, where $Agents'_1$ is identical to $Agents_1$ without the initialisation statements;

• $Actions \hat{=} Actions_1 \cup \{(6.10)\}$;

• $Policy$ contains the functions $autho$, $autho^+$ and $autho^-$ defined as follows:

1. $autho(x, y, z) = flag \wedge autho_1(x, y, z)$, $\forall x, y \in P_1$, $\forall z \in A_1$;

2. $autho(iterator, x, loop) = final_1 \vee \neg flag$, $\forall x \in P_1$;

3. $autho(x, y, z) = false$, otherwise.

The functions $autho^+$ and $autho^-$ are defined similarly to $autho$.

6.2.7 Time to Change

The expression $SAS_1 \,{}^{t}_{b}\, SAS_2 : SAS_3$ denotes a normal form defined as follows, where $observer$ is a new agent and $observe$ a new action. The Boolean variables $cond$ and $timeout$ are used to detect, respectively, when the condition $b$ becomes true and when a duration of $t$ time units has elapsed since the execution of $SAS_1$ started. If $b$ occurs during the execution of $SAS_1$ then $SAS_1$ is stopped and $SAS_2$ is executed; otherwise $SAS_3$ is executed when $SAS_1$ terminates or a duration of $t$ time units has elapsed.

(6.11) $\mathbf{agent}\ observer : \mathbf{var}\ flag, cond, timeout;\ flag, cond, timeout := true, false, false.$

(6.12) $\mathbf{action}\ observe\ \mathbf{on}\ P_1, P_2, P_3\ \mathbf{by}\ observer\ \mathbf{async}\ clock :$
$\qquad flag \rightarrow \mathbf{if}\ (b \vee final_1)$
$\qquad\quad \mathbf{then}\ flag, cond, y_{p_1}, \dots, y_{p_n} := false, true, c_{p_1}, \dots, c_{p_n}$
$\qquad\quad \mathbf{else}\ flag, timeout, y_{q_1}, \dots, y_{q_m} := false, true, c_{q_1}, \dots, c_{q_m}\ \mathbf{fi}.$

where $p_i \in P_2$, $q_j \in P_3$ and there exists an initialisation statement $Init_2(p_i) = (y_{p_i} := c_{p_i})$ and an initialisation statement $Init_3(q_j) = (y_{q_j} := c_{q_j})$, for $i = 1, \dots, n$ and $j = 1, \dots, m$.

Similarly to the action $switch$ in the sequential composition, the action $observe$ preserves the postconditions of $SAS_1$ that are not affected by the initialisation statements of $SAS_2$ and $SAS_3$.

The normal form denoted by an expression $SAS_1 \,{}^{t}_{b}\, SAS_2 : SAS_3$ is

$(P, A, Agents, Actions, Policy)$

where

• $P \hat{=} P_1 \cup P_2 \cup P_3 \cup \{clock, observer\}$ and $A \hat{=} A_1 \cup A_2 \cup A_3 \cup \{tick, observe\}$;

• $Agents \hat{=} Agents_1 \cup Agents'_2 \cup Agents'_3 \cup \{(6.5), (6.11)\}$, where $Agents'_i$ is identical to $Agents_i$ without the initialisation statements, $i = 2, 3$;

• $Actions \hat{=} Actions_1 \cup Actions_2 \cup Actions_3 \cup \{(6.6), (6.12)\}$;

• $Policy$ contains the functions $autho$, $autho^+$ and $autho^-$ defined as follows:

1. $autho(x, y, z) = \neg cond \wedge \neg timeout \wedge autho_1(x, y, z)$, $\forall x, y \in P_1 \setminus (P_2 \cup P_3)$, $\forall z \in A_1 \setminus (A_2 \cup A_3)$;

2. $autho(x, y, z) = (\neg cond \wedge \neg timeout \wedge autho_1(x, y, z)) \vee (cond \wedge autho_2(x, y, z))$, $\forall x, y \in (P_1 \cap P_2) \setminus P_3$, $\forall z \in (A_1 \cap A_2) \setminus A_3$;

3. $autho(x, y, z) = (\neg cond \wedge \neg timeout \wedge autho_1(x, y, z)) \vee (timeout \wedge autho_3(x, y, z))$, $\forall x, y \in (P_1 \cap P_3) \setminus P_2$, $\forall z \in (A_1 \cap A_3) \setminus A_2$;

4. $autho(x, y, z) = (\neg cond \wedge \neg timeout \wedge autho_1(x, y, z)) \vee (cond \wedge \neg timeout \wedge autho_2(x, y, z)) \vee (\neg cond \wedge timeout \wedge autho_3(x, y, z))$, $\forall x, y \in P_1 \cap P_2 \cap P_3$, $\forall z \in A_1 \cap A_2 \cap A_3$;

5. $autho(clock, x, observe) = true$, $\forall x \in P_1$;

6. $autho(observer, x, observe) = final_1 \vee b \vee time \geq t$, $\forall x \in P_1$;

7. $autho(x, y, z) = false$, otherwise.

The functions $autho^+$ and $autho^-$ are defined similarly to $autho$.
