Security Policies as Membranes in Systems for Global Computing

We propose a simple global computing framework, whose main concern is code migration. Systems are structured in sites, and each site is divided into two parts: a computing body, and a membrane, which regulates the interactions between the computing body and the external environment. More precisely, membranes are filters which control access to the associated site, and they also rely on the well-established notion of trust between sites. We develop a basic theory to express and enforce security policies via membranes. Initially, these only control the actions incoming agents intend to perform locally. We then adapt the basic theory to encompass more sophisticated policies, where the number of actions an agent wants to perform, and also their order, are considered.


Introduction
Computing is increasingly characterised by the global scale of applications and the ubiquity of interactions between mobile components.Among the main features of the forthcoming "global ubiquitous computing" paradigm we list distribution and location awarness, whereby code located at specific sites acts appropriately to local parameters and circumstances, that is, it is "context-aware"; mobility, whereby code is dispatched from site to site to increase flexibility and expressivity; openness, reflecting the nature of global networks and embodying the permeating hypothesis of localised, partial knowledge of the execution environment.Such systems present enormous difficulties, both technical and conceptual, and are currently more at the stage of exciting future prospectives than that of established of engineering practice.Two concerns, however, appear to clearly have a ever-reaching import: security and mobility control, arising respectively from openness and from massive code and resource migrations.They are the focus of the present paper.
We aim at classifying mobile components according to their behaviour, and at empowering sites with control capabilities which allow them to deny access to those agents whose behaviour does not conform to the site's policy.We see every site of a system as an entity named k and structured in two layers: a computing body P , where programs run their code -possibly accessing local resources offered by the site -and a membrane M , which regulates the interactions between the computing body and the external environment.An agent P wishing to enter a site l must be verified by the membrane before it is given a chance to execute in l.If the preliminary check succeeds, the agent is allowed to execute, otherwise it is rejected.In other words, a membrane implements the policy each site wants to enforce locally, by ruling on the requests of access of the incoming agents.This can be easily expressed by a migration rule of the form: The relevant parts here are P , the agent wishing to migrate from k to l, and l, the receiving site, which needs to be satisfied that P 's behaviour complies with its policy.The latter is expressed by l's membrane, M l .The judgement M l ⊢ k P represents l inspecting the incoming code to verify that it upholds M l .Observe that in the formulation above M l ⊢ k P represents a runtime check of all incoming agents.Because of our fundamental assumption of openendedness, such kind of checks, undesirable as they might be, cannot be avoided.In order to reduce their impact on systems performance, and to make the runtime semantics as efficient as possible, we adopt a strategy which allows for efficient agent verification.Precisely, we adopt an elementary notion of trust, so that from the point of view of each l the set of sites is consistently partitioned between "good," "bad," and "unknown" sites.Then, in a situation like the one in the rule above, we assume that l will be willing to accept from a trusted site k a k-certified digest T of P 's behaviour.We then modify the primitive go and the judgement ⊢ k as in the refined migration rule: Here, l verifies the entire code P against M l only if it does not trust k, the signer of P 's certificate T. Otherwise, it suffices for l to match M l against the digest T carried by go together with P from k, so effectively shifting work from l to the originator of P .
Our main concern in this paper is to put the focus on the machinery a membrane should implement to enforce different kinds of policies.We first distill the simplest calculus which can conceivably convey our ideas and still support a non-trivial study.It is important to remark that we are abstracting from agents' local computations.These can be expressed in any of several well-known models for concurrency, for example CCS [Mil82] or the πcalculus [Mil99].We are concerned, instead, with agents' migration from site to site: our main language mechanism is go rather than intra-site (i.e.local) communication.Using this language, we examine four notions of policy and show how they can be enforced by using membranes.We start with an amusingly simple policy which only lists allowed actions.We then move to count action occurrences and then to policies expressed by deterministic finite automata.Note that such policies are only concerned with the behaviour of single agents, and do not take into account "coalitional" behaviours, whereby incoming agentsapparently innocent -join clusters of resident agents -they too apparently innocent -to perform cooperatively potentially harmful actions, or at least overrule the host site's policy.We call resident those policies intended to be applied to the joint, composite behaviour of the agents contained at a site.We explore resident policies as our fourth and final notion of policy.In all the cases, the theory adapts smoothly; we only need to refine the information stored in the membrane and the inspection mechanisms.
Structure of the paper.In Section 2 we define the calculus used in this paper, and start with the straightforward policy which only prescribes the actions an agent can perform when running in a site.In Section 3, we enhance the theory to control also how many (and not only which kind of) actions an agent wants to perform in a site, and their order of execution.Finally, in Section 4 we extend the theory to control the overall computation taking place at a site, and not only the behaviour of single agents.The paper concludes in Section 5 where a comparison with related work is also given.The theoretical results are proved in Appendix A. With respect to the extended abstract [GHS04], this paper contains more examples together with complete proofs.

A Simple Calculus
In this section we describe a simple calculus for mobile agents, which may migrate between sites.Each site is guarded by a membrane, whose task is to ensure that every agent accepted at the site conforms to an entry policy.

The Syntax.
The syntax is given in Figure 1 and assumes two pairwise disjoint sets: basic agent actions Act, ranged over by a, b, c, • • • , and localities Loc, ranged over by l, k, h, • • • .Agents are constructed using the standard action-prefixing, parallel composition and replication operators from process calculi, [Mil82].The one novel operator is that for migration, go T l.P This agent seeks to migrate to site l in order to execute the code P ; moreover it promises to conform to the entry policy T. In practical terms this might consist of a certification that the incoming code P conforms to the policy T, which the site l has to decide whether or not to accept.In our framework, this certification is a policy that describes the (local) behaviour of the agent; thus, in go T l.P , T will be called the digest of P .
A system consists of a finite set of sites running in parallel.A site takes the form l[[ M | P ]] where • l is the site name • P is the code currently running at l • M is the membrane which implements the entry policy.For convenience we assume that site names are unique in systems.Thus, in a given system we can identify the membrane associated with the site named l by M l .We start with a very simple kind of policy, which we will then progressively enhance.
A policy is a finite subset of Act ∪ Loc.For two policies T 1 and T 2 , we write Intuitively an agent conforms to a policy T at a given site if • every action it performs at the site is contained in T • it will only migrate to sites whose names are in T. For example, conforming to the policy {info, req, home}, where info, req are actions and home a location, means that the only actions that will be performed are from the set {info, req} and migration will only occur, if at all, to the site home.With this interpretation of policies, our definition of the predicate enforces is also intuitive; if some code P conforms to the policy T 1 and T 1 enforces T 2 then P also automatically conforms to T 2 .
The purpose of membranes is to enforce such policies on incoming agents.In other words, at a site l[[M | Q]] wishing to enforce a policy T in , the membrane M has to decide when to allow entry to an agent such as go T l.P from another site.There are two possibilities.
• The first is to syntactically check the code P against the policy T in ; an implementation would actually expect the agent to arrive with a proof of this fact, and this proof would be checked.• The second would be to trust the agent that its code P conforms to the stated T and therefore only check that this conforms to the entry policy T in .Assuming that checking one policy against another is more efficient than the code analysis, this would make entry formalities much easier.Deciding on when to apply the second possibility presupposes a trust management framework for systems, which is the topic of much current research.To simplify matters, here we simply assume that each site contains, as part of its membrane, a record of the level of trust it has in other sites.Moreover, we assume only three possible levels: bad, unknown and good.Intuitively, a site is good/bad if it behaves in a reliable/unreliable way, i.e. it does/doesn't properly calculate digests.On the other hand, a site tagged as unknown can behave in a non specified way; thus, for the sake of security, it will be considered as bad.
Figure 3: The structural equivalence In a more realistic scenario, it would be possible to refine unknown to either good or bad, upon collection of enough evidence to consider it reliable or not.For the sake of simplicity, we do not model this framework here.Having defined both policies and membranes, we now give an operational semantics for the calculus, which formalises the above discussion on how to manage agent migration.This is given as a binary relation N → N ′ over systems; it is defined to be the least relation which satisfies the rules in Figure 2. Rule (r-act) says that the agent a.P running in parallel with other code in site l, such as Q, can perform the action a; note that the semantics does not record the occurrence of a. (r-par) and (r-struct) are standard.The first allows reductions within parallel components, while the second says that reductions are relative to a structural equivalence; the rules defining this equivalence are given in Figure 3.The interesting reduction rule is the last one, (r-mig), governing migration; the agent go T l.P can migrate from site k to site l provided the predicate M l ⊢ k T P is true.This 'enabling' predicate formalises our discussion above on the role of the membrane M l , and requires in turn a notion of code P satisfying a policy T, ⊢ P : T With such a notion, we can then define M l ⊢ k T P to be: In other words, if the target site l trusts the source site k, it trusts that the professed policy T is a faithful reflection of the behaviour of the incoming agent P , and then entry is gained provided that T enforces the entry policy M p l (i.e., in this case, T ⊆ M p l ).Otherwise, if k can not be trusted, then the entire incoming code P has to be checked to ensure that it conforms to the entry policy, as expressed by the predicate ⊢ P : M p l .In Figure 4 we describe a simple inference system for checking that agents conform to policies, i.e. to infer judgements of the form ⊢ P : T. Rule (tc-empty) simply says that the empty agent nil satisfies all policies.(tc-act) is also straightforward; a.P satisfies a policy T and if a is allowed by T, and the residual P satisfies T. The rule (tc-par) says that to check P | Q it is sufficient to check P and Q separately, and similarly for replicated agents.The most interesting rule is (tc-mig), which checks go T ′ l.P .This not only checks that migration to l is allowed by the policy, that is l ∈ T, but it also checks that the code to be spawned there, P , conforms to the associated professed policy T ′ .In some sense, if the agent go T ′ l.P is allowed entry into a site k, then k assumes responsibility for any promises that it makes about conformance to policies.

Safety.
We have just outlined a reduction semantics in which sites seek to enforce policies either by directly checking the code of incoming agents against entry policies, or more simply by checking the professed policy of trusted agents.The extent to which this strategy works depends, not surprisingly, on the quality of a site's trust management.
Example 2.3.Let home be a site name with the following trust function in which the entry policy of home, M p h , is {info, req, secure}, and that of secure, M p s , is {give, home}.Since M h t (bob) = good, agents migrating from bob to home are trusted and only their digests are checked against the entry policy M p h .So, if P b contains the agent go T 1 home.(take.Q) where T 1 enforces M p h , then the entry policy of home will be transgressed.As another example, suppose alice, again trusted by home, contains the agent where T 2 is some policy which enforces the entry policy of secure, M p s .Again because T 1 enforces M p h , the migration is allowed from alice to home, and moreover the incoming agent conforms to the policy demanded of home.The second migration of the agent is also successful if secure trusts home: M s t (home) = good and therefore only the digest T 2 is checked against the entry policy of secure.We then have the reduction in which now the entry policy of secure has been foiled.The problem in this example is that the trust knowledge of home is faulty; it trusts in sites which do not properly ensure that professed policies are enforced.Let us divide the sites into trustworthy and otherwise.This bipartition could be stored in an external record stating which nodes are trustworthy (i.e.typechecked) and which ones are not.However, for economy, we prefer to record this information in the membranes, by demanding that the trust knowledge at trustworthy sites is a proper reflection of this division.This is more easily defined if we assume the following ordering over trust levels: unknown <: bad and unknown <: good This reflects the intuitive idea that sites classified as unknown may, perhaps with further information, be subsequently classified either as good or bad.On the other hand, good or bad cannot be further refined; sites classified as either, will not be reclassified.
Definition 2.4 (Trustworthy sites and Coherent systems).In a system N , the site k is for every trustworthy site k.Thus, if a trustworthy site k believes that a site l can be trusted (i.e., M k t (l) = good), then l is indeed trustworthy (as represented by M l t (l) = good).Similarly, if it believes l to be bad, then l is indeed bad.The only uncertainty is when k classifies l as unknown: then l may be either good or bad.Of course, in coherent systems we expect sites which have been classified as trustworthy to act in a trustworthy manner, which amounts to saying that code running at such a k must have at one time gained entry there by satisfying the entry policy.Note that by using policies as in Definition 2.1, if P satisfies an entry policy M p k , then it continues to satisfy the policy while running at k (cf.Theorem 2.7 below).
This property of coherent systems, which we call well-formedness, can therefore be checked syntactically.In Figure 5, we give the set of rules for deriving the judgement ⊢ N : ok of well-formedness of N .There are only two interesting rules.Firstly, (wf-g.site) says that l[[ M | P ]] is well-formed whenever l is trustworthy and ⊢ P : M p .There is a subtlety here; this not only means that P conforms to the policy M p , but also that any digests proffered by agents in P can also be trusted.The second relevant rule is (wf-u.site),for typing unknown sites: here there is no need to check the resident code, as agents emigrating from such sites will not be trusted.
Example 2.5.(Example 2.3 continued.)Let us now re-examine the system N in Example 2.3.Suppose home is trustworthy, that is M h t (home) = good.Then, if N is to be ⊢ 0 : ok (wf-g.site)where T 1 enforces M p h .Since take ∈ M p h , this is not possible.One can also check that the code running at alice stops the system from being wellformed.Establishing ⊢ N : ok would also require the judgement In well-formed systems we know that entry policies have been respected.So one way of demonstrating that our reduction strategy correctly enforces these policies is to prove that • system well-formedness is preserved by reduction • only legal computations take place within trustworthy sites The first requirement is straightforward to formalize: Theorem 2.6 (Subject Reduction).If ⊢ N : ok and N → N ′ , then ⊢ N ′ : ok.

Proof. See Appendix A.1
To formalise the second requirement we need some notion of the computations of an agent.With this in mind, we first define a labelled transition system between agents, which details the immediate actions an agent can perform, and the residual of those actions.The rules for the judgements P α → Q where we let α to range over Act ∪ Loc, are given in Figure 6, and are all straightforward.These judgements are then extended to where σ ranges over (Act ∪ Loc) * , in the standard manner: σ = α 1 , . . ., α k , when there exists P 0 , . . ., P k such that P = P 0 α 1 → . . .Theorem 2.7 (Safety).Let N be a well-formed system.Then, for every trustworthy site l Proof.See Appendix A.1

Entry Policies
The calculus of the previous section is based on a simple notion of entry policies, namely finite sets of actions and location names.An agent conforms to such a policy T at a site if it only executes actions in T before migrating to some location in T. However both the syntax and the semantics of the calculus are completely parametric on policies.All that is required of the collection of policies is • a binary relation T 1 enforces T 2 between them • a binary relation ⊢ P : T indicating that the code P conforms to the policy T. With any collection of policies, endowed with two such relations, we can define the predicate M ⊢ k T P as in (2.1) above, and thereby get a reduction semantics for the calculus.In this section we investigate two variations on the notion of entry policies and discuss the extent to which we can prove that the reduction strategy correctly implements them.
3.1.Multisets as Entry Policies.The policies of the previous section only express the legal actions agents may perform at a site.However in many situations more restrictive policies are desirable.To clarify this point, consider the following example.
Example 3.1.Let mail serv be the site name of a mail server with the following entry policy M p ms : {list, send, retr, del, reset, quit} The server accepts client agents performing requests for listing mail messages, sending/retrieving/deleting messages, resetting the mailbox and quitting.Now, consider the system where T = {send}.According to the typechecking of Figure 4  In such scenarios it would be more suitable for policies to be able to fix an upper-bound over the number of messages sent.This can be achieved in our setting by changing policies from sets of agent actions to multisets of actions.Consequently, predicate enforces is now multiset inclusion.
First let us fix some notation.We can view a multiset as a set equipped with an occurrence function, that associates a natural number to each element of the set.To model permanent resources, we also allow the occurrence function to associate ω to an element with an infinite number of occurrences in the multiset.Notationally, e ω stands for an element e occurring infinitely many times in a multiset.This notation is extended to sets and multisets; for any set/multiset E, we let E ω to denote the multiset {e ω : e ∈ E}.
Example 3.2.(Example 3.1 continued.)Coming back to Example 3.1, it would be sufficient to define M p ms to be {. . ., send K , . ..}where K is a reasonable constant.In this way, an agent can only send at most K messages in each session; if it wants to send more messages, it has to disconnect from mail serv (i.e.leave it) and then reconnect again (i.e.immigrate again later on).In practice, this would prevent major spamming attacks, because the time spent for login/logout operations would radically slow down the spam propagation.
The theory presented in Sections 2.2 and 2.3 can be adapted to the case where policies are multisets of actions.The judgment ⊢ P : T is redefined in Figure 7, where operator ∪ stands for multiset union.The key rules are (tc-act), (tc-par) and (tc-repl).The first two properly decrease the type satisfied when typechecking sub-agents.The third one is needed because recursive agents can be, in general, freely unfolded; hence, the actions they intend to locally perform can be iterated arbitrarily many times.For instance, agent Notice that the new policy satisfaction judgement prevents the spamming virus of Example 3.1 from typechecking against the policy of mail serv defined in Example 3.2.
The analysis of the previous section can also be repeated here but an appropriate notion of well-formed system is more difficult to formulate.The basic problem stems from the difference between entry policies and resident policies.The fact that all agents who have ever entered a site l respects an entry policy M p gives no guarantees as to whether the joint effect with the code currently occupying the site l also satisfies M p .For instance, in the terms of Example 3.2, mail serv ensures that each incoming agent can only send at most K messages.Nevertheless, two such agents, having gained entry and now running concurrently at mail serv, can legally send -jointly -up to 2K messages.It is therefore necessary to formulate well-formedness in terms of the individual threads of the code currently executing at a site.Let us say P is a thread if it is not of the form P 1 | P 2 .Note that every agent P can be written in the form of P 1 | . . .|P n , n ≥ 1, where each P i is a thread.So the well-formedness judgment is modified by replacing rule (wf-g.site) in Figure 5 as below.Proof.Similar to that of Theorem 2.6.The necessary changes are outlined in Appendix A.2.
The statement of safety must be changed to reflect the focus on individual threads rather than agents.Moreover, we must keep into account also multiple occurrences of actions in a trace; thus, we let act(σ) return a multiset formed by all the actions occurring in σ.

Finite Automata as Entry Policies.
A second limitation of the setting presented in Section 2 is that policies will sometimes need to prescribe a precise order for executing legal actions.This is very common in client/server interactions, where a precise protocol (i.e. a pattern of message exchange) must be respected.To this end we define policies as deterministic finite automata (DFAs, for short).
Example 3.5.Let us consider Example 3.1 again.Usually, mail servers requires a preliminary authentication phase to give access to mail services.To express this fact, we could implement the entry policy of mail serv, M p ms , to be the automaton associated to the regular expression below.

usr.pwd.(list
The server accepts client requests only upon authentication, via a username/password mechanism.Moreover, the policy imposes that each session is regularly committed by requiring that each sequence of actions is terminated by quit.This could be needed to save the status of the transaction and avoid inconsistencies. We now give the formal definitions needed to adapt the theory developed in Section 2. We start by defining a DFA, the language associated to it, the enforces predicate between DFAs and a way for an agent to satisfy a DFA.As usual [HU79], a DFA is a quintuple A △ = (S, Σ, s 0 , F, δ) where • S is a finite set of states; • Σ is the input alphabet; • s 0 ∈ S is a reserved state, called the starting state; • ∅ ⊂ F ⊆ S is the set of final states (also called accepting states); • δ : S × Σ → S is the transition relation.In our framework, the alphabet of the DFAs considered is a finite subset of Act ∪ Loc.Moreover, for the sake of simplicity, we shall always assume that the DFAs in this paper are minimal.Definition 3.6 (DFA Acceptance and Enforcement).Let A be a DFA.Then • Acp s (A) contains all the σ ∈ Σ * such that σ leads A from state s to a final state; • Acp(A) is defined to be Acp s 0 (A); • A 1 enforces A 2 holds true whenever Acp(A 1 ) ⊆ Acp(A 2 ).
Notice that, as expected, there is an efficient way to extablish A 1 enforces A 2 , once given the automata A 1 and A 2 (see Proposition A.2 in Appendix A.3).We now formally describe the language associated to an agent by exploiting the notion of concurrent regular expressions (CRE, for short) introduced in [GR92] to model concurrent processes.For our purposes, the following subset of CRE suffices: ǫ denotes the empty sequence of characters, α ranges over Act ∪ Loc, '.' denotes concatenation, ⊙ is the interleaving (or shuffle) operator and ⊗ is its closure.Intuitively, if e represents the language L, then e ⊗ represents {ǫ} ∪ L ∪ L⊙L ∪ L⊙L⊙L . ... Given a CRE e, the language associated to it, written lang(e), can be easily defined; a formal definition is recalled in Appendix A.3.Now, given a process P , we easily define a CRE associated to it.Formally In Proposition A.2, we prove that DFA satisfaction is decidable, although extremely hard to establish.This substantiate our hypothesis that verifying digests is preferable to inspecting the full code from the point of view computational complexity.We are now ready to state the soundness of this variation.It simply consists in finding a proper notion of well-formed systems.As in Section 3.1, the entry policy can only express properties of single threads, instead of coalitions of threads hosted at a site.Thus, we modifiy rule (wf-g.site)from Figure 5 to: This essentially requires that the languages associated to each of the threads in l are suffixes of words accepted by M p (cf. Theorem 3.9 below).Since this may appear quite weak, it is worth remarking that the well-formedness predicate is just a 'consistency' check, a way to express that the agent is in a state from where it will respect the policy of l.The soundness theorems are reported below and are proved in Appendix A.3.Theorem 3.8 (Subject Reduction for automata policies).If ⊢ N : ok and N → N ′ , then ⊢ N ′ : ok.Theorem 3.9 (Safety for automata policies).Let N be a well-formed system.Then, for every trustworthy site l[[M | P 1 | . . .|P n ]] in N , where each P i is a thread, σ ∈ lang(CRE(P i )) implies that there exists some σ ′ ∈ Acp(M p ) such that σ ′ = σ ′′ σ, for some σ ′′ .

CRE(nil)
We conclude this section with two interesting properties enforceable by using automata.
Example 3.10 (Lock/Unlock).We have two actions, lock and unlock, with the constraint that each lock must be always followed by an unlock.Let Σ l = Σ − {lock} and Σ u = Σ−{lock, unlock}.Thus, the desired policy (written using a regular expression formalism) is (Σ * l .(lock.Σ * u .unlock)* ) * Example 3.11 (Secrecy).Let secret be a secret action; we require that, whenever an agent performs secret, it cannot migrate anymore (this policy enforces that agents having performed secret always remain co-located).Let Σ s = Σ − {secret} and Σ g = Σ − Loc; thus, the desired policy is Σ * s .(ǫ+ secret.Σ * g )

Resident Policies
Here we change the intended interpretation of policies.In the previous section a policy dictated the proposed behaviour of an agent prior to execution in a site, at the point of entry.This implied that safety in well-formed systems was a thread-wise property (see rules (wf-g.siteM ) and (wf-g.siteA )).Here we focus on policies which are intended to describe the permitted (coalitional) behaviour of agents during execution at a site.Nevertheless these resident policies are still used to determine whether a new agent is allowed access to the site in question; entry will only be permitted if the addition of this incoming agent to the code currently executing at the site does not violate the policy.Let us consider an example to illustrate the difference between entry and resident policies.
Example 4.1.Let licence serv be the site name of a server that makes available K licences to download and install a software product.The distribution policy is based on a queue: the first K agents landing in the site are granted the licence, the following ones are denied.The policy of the server should be M p s △ = {get licence K }.However if this policy is interpreted as an entry policy, applying the theory of Section 3.1, then the system grants at most K licences to each incoming agent.Moreover this situation continues indefinitely, effectively handing out licences to all incoming agents.We wish to re-interpret the policies of the previous section as resident policies and here we outline two different schemes for enforcing such policies.For simplicity we confine our attention to one kind of policy, that of multisets.

Static membranes.
Our first scheme is conservative in the sense that many of the concepts developed in Section 3.1 for entry policies can be redeployed.Let us reconsider rule (r-mig) from Figure 2. There, the membrane M l only takes into consideration the incoming code P , and its digest T, when deciding on entry, via the predicate M l ⊢ k T P .But if the membrane is to enforce a resident policy, then it must also take into account the contribution of the code already running in l, namely R. To do so we need a mechanism for joining policies, such as those of the incoming P and the resident R in rule (r-mig).So let us assume that the set of policies, with the relation enforces is a partial order in which every pair of elements T 1 and T 2 has a least upper bound, denoted T 1 ⊔ T 2 .For multiset policies this is the case as ⊔ is simply multiset union.In addition we need to be able to calculate the (minimal) policy which a process R satisfies; let us denote this as pol(R).For multiset policies we can adjust the rules in Figure 7, essentially by eliminating weakening, to perform this calculation; the resulting rules are given in Figure 8, with judgements of the form P : T. Lemma 4.2.
• For every P , there is at most one T such that P : T.
• ⊢ P : T implies that there exists some policy T ′ such that T ′ enforces T and P : T ′ .
Proof.The first statement is proved by structural induction on P ; the second by induction on the derivation ⊢ P : T. With these extra concepts we can now change rule (r-mig) in Figure 2 to take the current resident code into account.It is sufficient to change the side condition, from M l ⊢ k T P to M l , R ⊢ k T P , where this latter is defined to be if Here if only the digest needs to be checked then we compare T⊔ pol(R), that is the result of adding the digest to the policy of the resident code R, against the resident policy M p l .On the other hand if the source site is untrusted we then need to analyse the incoming code in parallel with the resident code R. It should be clear that the theory developed in Section 3.1 is readily adapted to this revised reduction semantics.In particular the Subject Reduction and Safety theorems remain true; we spare the reader the details.However it should also be clear that this approach to enforcing resident policies has serious practical drawbacks.An implementation would need to: (1) freeze and retrieve the current content of the site, namely the agent R; (2) calculate the minimal policy satisfied by R to be merged with P 's digest in order to check the predicate enforces , or typecheck the composed agent P | R; (3) reactivate R and, according to the result of the checking phase, activate P .Even if the language were equipped with a 'passivation' operator, as in [SS03], the overall operation would still be computationally very intensive.Consequently we suggest below another approach.In the previous approach we have to repeatedly calculate the policy of the current resident code each time a new agent requests entry.Here we allow the policy in the membrane to "decrease," in order to reflect the resources already allocated to the resident code.So at any particular moment in time the policy currently in the membrane records what resources remain, for any future agents who may wish to enter; with the entry of each agent there is a corresponding decrease in the membrane's policy.Formally we need to change the migration rule rule (r-mig) to one which not only checks incoming code, or digest, against the membrane's policy, but also updates the membrane: First notice that if this migration occurs then the membrane at the target site changes, from M p l to M l p .The latter is obtained from the former by eliminating those resources allocated to the incoming code P .If the source site, k, is deemed to be good this is calculated via the incoming digest T; otherwise a direct analysis of the code P is required, to calculate pol(P ).
This revised schema is more reasonable from an implementation point of view, but its soundness is more difficult to formalise and prove.As a computation proceeds no permanent record is kept in the system of the original resident policies at the individual sites.Therefore well-formedness can only be defined relative to an external record of what the resident policies were, when the system was initiated.For this purpose we use a function Θ, mapping trustworthy sites to policies; it is sufficient to record the original polices at these sites as we are not interested in the behaviour elsewhere.
Then we can define the notion of well-formed systems, relative to such a Θ; this is written as Θ ⊢ N : ok and the formal definition is given in Table 9.The crucial rule is (wf-g.site),for trustworthy sites.If l is such a site then l[[ M | P ]] is well-formed relative to the original record Θ if M p l ⊔ pol(P ) guarantees the original resident policy at l, namely Θ(l).
The introduction of these external records of the original resident policies also enables us to give a Safety result.
Theorem 4.5 (Safety for resident policies).Let N be a well-formed system w.r.t.Θ.Then, for every trustworthy site l Proof.See Appendix A.4.

Conclusion and Related Work
We have presented a framework to describe distributed computations of systems involving migrating agents.The activity of agents entering/running in 'good' sites is constrained by a membrane that implements the layer dedicated to the security of the site.We have described how membranes can enforce several interesting kind of policies.The basic theory presented for the simpler case has been refined and tuned throughout the paper to increase the expressiveness of the framework.Clearly, any other kind of behavioural specification of an agent can be considered a policy.For example, a promising direction could be considering logical frameworks (by exploiting model checking or proof checkers).
The calculus we have presented is very basic: it is even simpler than CCS [Mil82], as no synchronization can occur.Clearly, we did not aim at Turing-completeness, but at a very basic framework in which to focus on the rôle of membranes.We conjecture that, by suitably advancing the theory presented here, all the ideas can be lifted to more complex calculi (including, e.g., synchronization, value passing and/or name restriction).
Related Work.In the last decade, several calculi for distributed systems with code mobility have appeared in literature.In particular, structuring a system as a (flat or hierarchical) collection of named sites introduced the possibility of dealing with sophisticated concrete features.For example, sites can be considered as the unity of failure [FG+96, Ama00], mobility [FG+96,CG00] or access control [HR02, RH03,GP03].The present work can be seen as a contribution to the last research line.
As in [GP03], we have presented a scenario where membranes can evolve.However, the membranes presented in Section 4 only describe 'what is left' in the site.On the other hand, the (dynamically evolving) type of a site in [GP03] always constrains the overall behaviour of agents in the site and it is modified upon acquisition/loss of privileges through computations.
We borrowed from [RH03] the notion of trust between sites, where agents coming from trusted sites are accepted without any control.Here, we relaxed this choice by examining the digest of agents coming from trusted sites.Moreover, we have a fixed net of trust; we believe that, once communication is added to our basic framework, the richer scenario of [RH03] (where the partial knowledge of a site can evolve during its computation) can be recovered.
A related paper is [IK01], where authors develop a generic type system that can be smoothly instantiated to enforce several properties of the π-calculus (dealing with arity mismatch in communications, deadlock, race control and linearity).They work with one kind of type, and modify the subtyping relation in order to yield several relevant notions of safety.The main difference with our approach is that we have different kind of types (and, thus, different type checking mechanisms) for all the variations we propose.It would be nice to lift our work to a more general framework closer to theirs; we leave this for future work.
Our work is also related to [NR05].Policies are described there as deterministic finite automata and constrain the access to critical sections in a concurrent functional language.A type and effect system is provided that guarantees adherence of systems to the policy.In particular, the sequential behaviour of each thread is guaranteed to respect the policy, and the interleavings of the threads' locks to be safe.But unlike our paper [NR05] has no code migration, and no explicit distribution; thus, only one centralised policy is used.
Membranes as filters between the computing body of a site and the external environment are also considered in [FMP04,Bou04,SS03].There, membranes are computationally capable objects, and can be considered as a kind of process.They can evolve and communicate both with the outer and with the inner part of the associated node, in order to regulate the life of the node.This differs from our conception of membranes as simple tools for the verification of incoming agents.
To conclude, we remark that our understanding of membranes is radically different from the concept of policies in [ES99].Indeed, in loc.cit., security automata control the execution of agents running in a site by in-lined monitoring.This technique consists of accepting incoming code unconditionally, but blocking at runtime those actions not abiding the site policy.Clearly, in order to implement the strategy, the execution of each action must be filtered by the policy.This contrasts with our approach, where membranes are 'containers' that regulate the interactions between sites and their environments.The computation taking place within the site is out of the control of the membrane, which therefore cannot rely on in-lined monitoring.

Proof of Theorem 2.6 [Subject Reduction]:
The proof is by induction over the inference of N → N ′ .Notice that trustworthiness is invariant under reduction.Therefore coherence, which is defined in terms of the trustworthiness of sites, is also preserved by reduction.
We outline the proof when the inference is deduced using rule (r-mig), a typical example.By hypothesis, We have two possible situations: l trustworthy: Judgment ⊢ R : M p l holds by hypothesis; judgment ⊢ P : M p l is implied by M l ⊢ k T P .Indeed, because of the coherence hypothesis, T P is exactly the required ⊢ P : M p l .Otherwise, we know that ⊢ go T l.P : M p k ; by rule (tc-mig) this implies that ⊢ P : T. Judgment ⊢ P : M p l is obtained by using Lemma A.1, since M l ⊢ k T P is defined to be T enforces M p l (see (2.1) in Section 2.2).Thus, by using (tc-par), we obtain the desired ⊢ P |R : M p l .l not trustworthy: This case is simple, because rule (wf-u.site)always allows to derive ⊢ l[[ M l | P | R ]] : ok.The case when (r-act) is used is similar, although simpler, and the case when rule (r-par) is used requires a simple inductive argument.Finally to prove the case when rule (r-struct) is used, we need to know that coherency of systems is preserved by structual equivalence; the proof of this fact, which is straightforward, is left to the reader.If the transition has been inferred by using rule (lts-act), then P = a.P ′′ and, by rule (wf-g.site),we have that ⊢ a.P ′′ : M p ; by definition of rule (tc-act), we have the desired a ∈ M p and ⊢ P ′′ : M p .When (lts-mig) is used the argument is similar, and all other cases follow in a straightforward manner by induction.Thus, we can now apply induction on the number of actions performed in P ′′ σ ′ → P ′ and obtain that act(σ ′ ) enforces M p .This sufficies to conclude that act(σ) = (act(σ ′ ) ∪ {α}) enforces M p .
The proofs given in Appendix A.1 can be easily adapted to the setting in which entry policies are multisets.We outline only the main changes.First recall that enforces is multiset inclusion, that judgments ⊢ P : T must be now inferred by using the rules in Figure 7 and that rule (wf-g.siteM ) is used for well-formedness.Then, Lemma A.1 remains true in this revised setting.

Proof of Theorem 3.3 [Subject Reduction]:
A straightforward adaptation of the corresponding proof in the previous section.The only significant change is to the case when a replication is unfolded via the rule (r-struct), i.e.
By hypothesis, ⊢ !P : M p ; therefore, by definition of rule (tc-repl), we have that ⊢ P : T for some T such that T ω enforces M p .Since T enforces T ω and because of Lemma A.1, we have that ⊢ l[[ M | P | !P | Q ]] : ok.By induction, ⊢ N ′′ : ok.It is easy to prove that this sufficies to obtain the desired ⊢ N ′ : ok.
Proof of Theorem 3.4 [Safety]: From the rule (wf-g.siteM ) we know that ⊢ P i : M p , for all i = 1, . . ., n.We now proceed by induction over |σ|.The base case is trivial.For the inductive case, we consider σ = ασ ′ and P i α If the transition has been inferred by using rule (lts-act), then P i = a.P ′′ i and, by rule (wf-g.siteM ), we have that ⊢ a.P ′′ i : M p ; by definition of rule (tc-act), we have the desired M p = T ∪ {a} and ⊢ P ′′ : T. When (lts-mig) is used the case is simpler, and all other cases follow in a straightforward manner by induction.
Coming back to the main claim, we use the induction and obtain that act(σ ′ ) enforces M p − {α}; thus, act(σ) enforces M p .A.3.Proofs of Section 3.2.
We start by recalling from [GR92] the formal definition of the language associated to a CRE, as follows.
Notice that the definition of the lang(e 1 ⊙ e 2 ) hides a trick: the x i s and the y i s can also be ǫ.Thus, as expected, we can also consider for interleaving strings of different length.
We start by accounting on the complexity of predicate enforces and the satisfiability relation when policies are automata.This is stated by the following Proposition.
(1) A 1 enforces A 2 can be calculated in polynomial time (2) ⊢ P : A is decidable, but it is super-exponential Proof.
(1) Let A i = (S i , Σ, s i 0 , F i , δ i ) and let L i = Acp(A i ).By definition, we have to check whether L 1 ⊆ L 2 or not.This is equivalent to check whether L 1 ∩ L 2 = ∅.The following steps have been carried out by following [HU79].(2) It has been proved in [GR92] that each CRE e can be represented by a (labelled) Petri net, in that the language accepted by the Petri net is lang(e).Now, we can easily construct a DFA accepting the complement of the language accepted by A (see item (a) of the previous proof).Now, we can construct the product between this DFA (that can be seen as a Petri net) and the Petri net associated to CRE(P ); this Petri net accepts lang(CRE(P )) ∩ Acp(A) (see [Pet81]).Now, the emptyness of this language can be solved with the algorithm for the reachability problem in the corresponding Petri net.This problem has been proved decidable [May84] and solvable in double-exponential time [Bou98].
Proof of Theorem 3.3 [Subject Reduction]: Now ⊢ N : ok relies on rule (wf-g.siteA ). Again, the proof is by induction on the inference of N → N ′ .We only give the base cases, because inductive steps can be handled with in a standard way.We only consider the cases of trustworthy sites; the case for non-trustworthy sites is easier.In what follows, we write ⊢ s P : A to mean that ⊢ P : A ′ , where A ′ is the DFA obtained from A by setting s as starting state.By transitivity of multiset inclusion and by the claim (A.1) above, (pol(P ′′ ) ⊔ M p l ) = T ′ , where T = T ′ ⊔ {α}.Thus, node l[[ M l | P ′′ ]] is well-formed (and trustworthy).By induction we therefore have that act(σ ′ ) enforces T ′ .Hence, act(σ) = act(σ ′ ) ⊔ {α} enforces T ′ ⊔ {α} = T, as required.
To conclude, the original claim of Theorem 4.5 is obtained from the result just proved by noticing that, because of well-formedness, T enforces Θ(l).
This work is licensed under the Creative Commons Attribution-NoDerivs License.To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

Figure 6 :
Figure 6: A Labelled Transition System

→
P k = P ′ .Finally, let act(σ) denote the set of all elements of Act ∪ Loc occurring in σ.
Theorem 3.4 (Safety for multiset policies).Let N be a well-formed system.Then, for every trustworthy site l[[ M | P 1 | . . .|P n ]] in N , where each P i is a thread, P i σ → P ′ i implies that act(σ) enforces M p .Proof.See Appendix A.2.

Definition 4. 3 .
Define the partial function pol(•) by letting pol(P ) be the unique policy such that P : T, if it exists.

Figure 8 :
Figure 8: Type inference for agents with policies as multisets

Figure 9 :
Figure 9: Well-formed systems under Θ Proof of Theorem 2.7 [Safety]: Let l[[ M | P ]] be a site in N such that P σ → P ′ .We have to prove that act(σ) enforces M p .The statement is proved by induction over the length of σ.The base case, when σ = ǫ, is trivial since act(ǫ) = ∅.So we may assume σ = ασ ′ and P α → P ′′ σ ′ → P ′ .Let us consider P α → P ′′ ; by induction on α → , we can prove that α ∈ M p and that ⊢ l[[ M | P ′′ ]] : ok.

Lemma A. 3 .
If ⊢ P : A and A enforces A ′ , then ⊢ P : A ′ .Proof.By transitivity of subset inclusion.Lemma A.4.