Security of Functional Active Objects A

Survey and Experiments

F. Kammuller, Middlesex University
October 25, 2010

1 Study Area Review

This dissertation is concerned with language based security for distributed
object-based systems with asynchronous communication. The language we
study is ASP fun [6], a computation model for functional active objects. Active
objects, or more generally Actors [7], are a paradigm of distributed
computation without sharing of data and asynchronous message passing.
ASP fun is a new calculus realising the active object paradigm as a functional
object-oriented language, i.e., it is stateless and adheres to the principles of
object-oriented programming. ASP fun is defined rigorously, i.e. it has a formal
def init ion of syntax and semantics based on the theory of objects [1] and
even mechanized in the theorem prover Isabelle/HOL [9]. ASP fun uses futures
[4] to enable asynchronous communication of distributed objects: futures are
promises for the results of remote method calls.

For practical experimentation, ASP fun has been implemented as a pro-

totype in the Erlang [2] language. Erlang is a concurrent functional pro-
gramming platform for open distributed telecommunication (OTP) systems
developed by Ericsson corporation. This language also adheres to the Actor
paradigm supporting massive parallelization providing message passing as
strategy for communication between several actors implemented as
processes.

However, in contrast to ASP fun Erlang does not support objects. Since
object orientation is a good principle for data encapsulation and confinement,
i t seems likely that the ASP fun paradigm has good security properties. Since
ASP fun is functional, i t has no side-effects. This quite naturally enhances
its security properties because many side-channel attacks are excluded by
the language. I n current work, ASP fun is used to implement generic pro-
cedures for privacy enhanced communication [8]. I n this dissertation, we aim
at validating such security procedures based on the Erlang prototype
implementation to test their viability and feasibility, possibly finding new
procedures tailored for enhancing security of ASP fun applications.

2 Aims
A global aim of this research is to support the security of distributed appli-
cations. The specific goals of this dissertation are
• to understand and document the underlying principles of active objects,
futures, asynchronous communication, and their security,

• to find out the state of the art of security for distributed objects in
particular for active objects,

• to validate the Erlang prototype by providing and testing small security-

critical case studies,

• to summarize possible new insights or recommendations from the sur-

vey and the practical validation.

3 Objectives
A general objective of this work is to further investigate the ASP fun approach.
To that end, we concentrate on
• performing a study on the foundations of actors and asynchronous
message passing,

• comparing and evaluating existing methods for enhancing security of

asynchronous distributed systems,

• showing how ASP fun can be used to realize security-critical scenarios

and what security properties it guarantees,

• testing the viability of the practical applicability of the ASP fun approach
to security by implementing small security case studies and validating
them
4 Deliverables
• An introduction to the paradigm of active objects and asynchronous
distributed communication of objects, including a summary of ASP fun
and its implementation in Erlang.

• A literature survey of current work on active object calculi, their

formalisations and implementations, and their security features.

• A introduction to the security features of ASP fun explaining the under-

lying principles and how they can be employed to guarantee security.

• A short manual of the ASP fun-Erlang system illustrating on simple

examples how it implements functional active objects.

• A suite of examples for the ASPf u n -Erlang implementation including

test data and the related observations on their security properties.

5 Project Type
Literature survey leading onto an experimental validation using an existing
prototype implementation.

6 Research Methodology
Literature study, comparison and evaluation of existing approaches, experi-
mental implementation of small case studies, and test.

7 Research Audit
The research will produce a written dissertation document including readable
descriptions of practical experiments in Erlang (the source code will be added
as an appendix). The value of the research contribution lies in the clarity and
conciseness of the scientific review and the observations based on it. A
further possibility for assessing the quality lies in the experimental part
providing evidence and reproducibility of the contribution given by the case
studies.
8 Mil estones
A timetable for my research runs along the following milestones.

•Month one: literature review

− Read up on language concepts: actors, asynchronous

communication.
− Read up on security concepts for distributed languages.
− Write up the formal first cut proposal
− Identify important issues for validation.
− Design small examples in ASP fun to address security issues.

•Month two: concepts and experiments

− Get experience with the ASP f u n -Erlang system, try out some sim-
ple examples.
− Understand how ASP fun is encoded in this system, implement the
small security examples designed in ASP fun before.

− Figure out where security attacks are possible on the examples.

− Try to come up with new implementation methods to avoid secu-
rity leaks.

•Month three: writing up

−Write the introduction.

−Write the literature survey, and comparison.
−Write the chapter on ASP fun security with examples.

−Write the short manual on ASP fun-Erlang.

−Write the chapter on the case studies and their evaluation.
−Write conclusions.
References
1] M. Abadi and L. Cardelli. A Theory of Objects. Springer, New York,
1996.

2] J. Armstrong. Programming Erlang Software for a Concurrent World.

The Pragmatic Bookshelf, 2007.

3] A. Fleck and F. Kammuller. Implementing privacy with Erlang active

objects. The 5th International Conference on Internet Monitoring and
Protection, ICIMP10. IEEE, 2010. Also invited for publication in I n -
ternational Journal on Advances in Software.

4] R. H. Halstead, Jr. Multilisp: A language for concurrent symbolic

computation. Transactions on Programming Languages and Systems
(TOPLAS), 7(4), 1985.

5] L. Henrio and F. Kammuller. Functional active objects: Noninterference

and distributed consensus. Technical Report 2009/19, Technische
Universitat Berlin, 2009.

6] L. Henrio and F. Kammuller. Functional Active Objects: Typing and

Formalisation. 8th International Workshop on the Foundations of
Coordination Languages and Software Architectures, FOCLASA 09.
Satellite to ICALP09. ENTCS 255:83101, Elsevier, 2009. Also invited
for Journal publication in Science of Computer Programming,
Elsevier.

7] C. Hewitt, P. Bishop, and R. Steiger. A universal modular actor formal-

ism for artificial intelligence. IJCAI, 1973.

8] F. Kammuller. Privacy Enforcement and Analysis for Functional Active

Objects. Fifth International Workshop on Data Privacy Management,
DPM10. Satellite to ESORICS10. Proceedings to appear in LNCS
Springer, 2010.

9] T. Nipkow, L. C. Paulson, and M. Wenzel. Isabelle/HOL a proof as-

sistant for Higher-Order Logic, volume 2283 of LNCS. Springer-Verlag,
2002.