Dynamic role authorization in multiparty conversations

Protocols in distributed settings usually rely on the interaction of several parties and often identify the roles involved in communications. Roles may have a behavioral interpretation, as they do not necessarily correspond to sites or physical devices. Notions of role authorization thus become necessary to consider settings in which, e.g., different sites may be authorized to act on behalf of a single role, or in which one site may be authorized to act on behalf of different roles. This flexibility must be equipped with ways of controlling the roles that the different parties are authorized to represent, including the challenging case in which role authorizations are determined only at runtime. We present a typed framework for the analysis of multiparty interaction with dynamic role authorization and delegation. Building on previous work on conversation types with role assignment, our formal model is based on an extension of the $${\pi}$$ π -calculus in which the basic resources are pairs channel-role, which denote the access right of interacting along a given channel representing the given role. To specify dynamic authorization control, our process model includes (1) a novel scoping construct for authorization domains, and (2) communication primitives for authorizations, which allow to pass around authorizations to act on a given channel. An authorization error then corresponds to an action involving a channel and a role not enclosed by an appropriate authorization scope. We introduce a typing discipline that ensures that processes never reduce to authorization errors, including when parties dynamically acquire authorizations.


Context
Distributed systems operation is based on cooperating remote parties that communicate with each other to coordinate their local actions. In order to complete the tasks they were designed to perform, it is crucial that such interacting parties follow well-defined interaction protocols, as otherwise message contents may be confused and/or systems may get stuck. Furthermore, for the sake of accountability, it is often important to know who are the parties or, more generically, which are the roles involved in the interactions. This identification of roles also seems crucial when reasoning about security policies, as such policies are typically expressed in terms of the capabilities of the involved parties.
Different notions of role-based specifications can be found in modern distributed information systems, ranging from access control to structured interactions in communication-centered systems. These notions sometimes build on the assumption that distinct participants (e.g., users at different physical locations) may belong to the same role, and that a single participant may implement several different roles. The fact that roles may be distributed among parties seems particularly relevant, for instance, in scenarios where several worker threads may be able to impersonate a single server role in order to make load balancing transparent to a client service. Similarly, the fact that a single peer can carry out actions associated to different roles seems essential to implement, e.g., a service broker that interacts as a client with other providers while it acts as a provider with clients. Each role may be associated with a set of permissions (e.g., privileges to access data or perform some action), thus enforcing an assignment of permissions to involved participants.
In this work, we address the issue of dynamic role authorizations in multiparty interactions from the perspective of formal models of communication equipped with behavioral types [HLV + 16]. We introduce a simple process model of communicating systems in which roles and role communication are first-class constructs so as to allow to specify authorization handling in a dedicated way. We equip our model with a type system that ensures that processes faithfully implement multiparty communication protocols, but also that actions of well-typed systems conform to declared role authorizations.
In more detail, we consider communication-centered systems where interaction is governed by roles in the above sense, that is, a role may be carried out by several peers and a single peer may carry out actions on behalf of different roles. Building upon a minimal extension of the π -calculus [SW01], we explore this notion in a setting where interaction is defined by actions performed on communication channels (as usual), but in which each action is associated to a specific role. We then consider that using a communication channel under a specific role is the basic communication capability.
In the model that we propose here, it is essential to ensure that communication capabilities are carried out by parties that are actually granted to do so. This is particularly important when considering that access to channels may be dynamically acquired, and that roles may be flexibly implemented in the system. In order to control resource usage, we introduce authorizations at the level of first-class language primitives: this enables us to explicitly specify which parts of the system are authorized to manipulate a (communication) resource and to identify as errors those systems in which (active) communication actions are not duly authorized. Given the system specification language, our typing system ensures, on the one hand, that parties follow well-defined protocols of interaction and, on the other hand, that active communication actions are always properly authorized. Next, we motivate our development on top of role-based interacting systems so as to capture and control authorizations for communication capabilities.

Structure of the paper
The rest of this paper is organized as follows. In Sect. 2, we define our process language and further illustrate the intended model of dynamic role authorization. The language is endowed with two operational semantics, a reduction semantics and a Labeled Transition System (LTS), which are shown to coincide. Section 3 presents the type system and the properties for well-typed processes. In Sect. 4, we comment on related works. Finally, Sect. 5 draws some concluding remarks and discusses open problems. Omitted proofs have been collected in the Appendix.
This paper offers a unified presentation of two papers: [GJP + 14] and [GJP + 15]. While the paper [GJP + 14] already considered dynamic role authorization in the setting of conversation types, the paper [GJP + 15] introduced the idea of authorization scopes to control and give a spatial meaning to explicit authorizations on process actions which inspires the work presented in this document. As such, the papers [GJP + 14] and [GJP + 15] offer orthogonal perspectives to the issue of dynamic role authorization with delegation; the current paper combines these two perspectives in a uniform way. In this presentation, we have added a Labeled Transition System supporting authorization (not present in [GJP + 14, GJP + 15]), together with a preliminary investigation on its associated behavioral theory, and have extended the type system (based on conversation types) in order to account for explicit role authorization and authorization scopes.

Process language
In this section we present our process language for dynamic role authorization. Our language arises as an extension of the π -calculus, and is endowed with a reduction semantics and a labeled transition system (LTS).

Syntax
We consider a synchronous π -calculus [SW01] extended with tagged communications and prefixes for authorization sending and receiving. Let L, R, and N be infinite base sets of tags, roles, and channels, respectively. We use l , l , . . . to range over L; r, s, d, t . . . to range over R; and a, b, c, . . . to range over N .
The syntax of processes is given in Table 1. It includes standard constructs for inaction (0), parallel composition (P | Q), and name restriction ((νa)P ). We write (ν a) as a shorthand for (νa 1 ) · · · (νa n ). To specify communication of channels and authorizations, our language includes four kinds of prefixes, denoted σ . Each prefix is associated to a role r: intuitively, this says that σ is allowed to perform its associated action under r. The intuitive semantics for prefixes follows: a s !l (b) expresses sending of name b, in a message with tag l , along channel a, under role s; a r ?l (b) expresses receiving of name b, in a message with tag l , along channel a, under role r.
These two prefixes are taken from [BCVV12]. The second pair of prefixes is new to our calculus and concerns the communication of an authorization to act on a role: a s l d expresses sending authorization for role d, in a message with tag l , along channel a, under role s; a r l (d) expresses receiving authorization for role d, in a message with tag l , along channel a, under role r.
In addition to these new prefixes, we introduce a new scoping construct: -(a, r)P specifies the scope of authorizations: it authorizes all actions on channel a in P to act according to role r (up to delegation).
The set of free names of these novel constructs for authorization manipulation is defined as follows: fn((a, r)P ) fn(a r l (d)P ) fn(a r l d P ) fn(P ) ∪ {a}.

Reduction semantics
The process semantics is defined via a reduction relation, which is defined in Table 3 and denoted →. Reduction is closed under static contexts and structural congruence, denoted ≡, defined in Table 2 following standard lines (cf. [SW01]). Apart from the standard identities for the static fragment of the π -calculus (cf. Table 2, left column), structural congruence gives basic principles for the novel authorization scope (cf. Table 2, right column): Table 3. Reduction relation. δ abbreviates a sequence of authorization scopes (a 1 , r 1 ) · · · (a k , r k ) (1) authorizations can be discarded/created only for the inactive process (sc-auth-inact); (2) authorizations can be swapped around (sc-auth-swap); (3) authorizations distributes over parallel composition (sc-auth-dist); and (4) authorizations and name restrictions can be swapped if the corresponding names differ (sc-auth-scope).
We remark that, differently from name restrictions, authorization scopes can neither be extruded/confined: since authorizations are specified for free names (that cannot be α-converted), extruding/confining authorizations actually changes the meaning of processes. For example, we have because both parallel branches of the right-hand side process are authorized to interact on a (role s), while one of the parallel branches of the left-hand side process is not (we return to this issue in Example 3). Another distinctive property comes from the significance of multiplicity of authorization scopes. We do not adopt (a, r)P ≡ (a, r)(a, r)P for P 0, for the sake of authorization accounting. Before presenting the operational semantics of the language, we ensure that the rewriting supported by structural congruence is enough to isolate top-level communication actions together with their respective authorization scopes. We require some extra notation: we write δ as an abbreviation of a sequence of authorization scopes (a 1 , r 1 ) · · · (a k , r k ). This way, a process (a 1 , r 1 ) · · · (a k , r k )P can be simply written as δ P . With a slight abuse of notation, we write (a j , r j ) ∈ δ if the scope (a j , r j ) is included in δ.
Proposition 1 (Normal form) For any process Q, there are P 1 , . . . , P k , σ 1 , . . . , σ k , c, and δ 1 , . . . , δ k , where (ν c) and δ i for i ∈ 1, . . . , k can be empty sequences, such that Proof (by induction on the structure of Q). We now describe the reduction rules in Table 3. Rules (comm) and (auth) specify synchronizations: two processes can exchange a message l on a channel b under roles s and r, only if they are authorized for the specified roles on the channel b. Using Rule (auth), a process can authorize another process to act under a role (d) only if the first process has permission to do such an authorization (it is in the scope of (b, d)) and the second process is asking for explicit authorization of the same role (d). As the considered role will be unauthorized in the continuation of the sender process, we consider this interaction as a kind of authorization delegation. Rules (parc), (newc), (stru) are standard and/or self-explanatory.
We use → * to denote the reflexive and transitive closure of → . We introduce some auxiliary notions in order to syntactically characterize authorization errors in our setting. First of all, we define the usual notion of active contexts for our calculus: Active contexts allow us to talk about any active communication prefixes of a process. Also, we may introduce a predicate that states that an active context authorizes actions on a given channel. More precisely, for a given context and a channel-role pair, when the hole of the context is filled with an action on the channel, it is authorized for that action.
Definition 2 (Context authorization) For an active context C[·] and a pair (a, r), the context authorization predicate, denoted auth(C[·], (a, r)), is defined inductively on the structure of C[·] as auth(C[·], (a, r)) We may then use active contexts and context authorization to precisely characterize errors in our model, since active contexts allow us to talk about any communication prefix in the process and the context authorization predicate allows to account for the authorizations granted by the context: processes that have active communication prefixes which are not authorized are errors: , (a, r)) f alse or 2. σ (a,r) a r l d and auth(C[·], (a, d)) f alse.
We write σ (a,r) to denote a communication prefix on channel a under role r, so essentially any communication action that may cause a stuck configuration according to our semantics (where synchronizations only occur when processes hold the proper authorizations) is seen as an error.
We illustrate the reduction relation and our notion of error by means of a sequence of examples: Example 1 We show two processes that are authorized for all their actions and that safely reduce to 0. Example 2 We can go back now to the property (1) and consider processes P (a, s)(a, r)(a, r)a s l r .a r !l 1 (b).0 | (a, t)a t l (r).a r ?l 1 (x ).0 and Q (a, s)(a, r)a s l r .a r !l 1 (b).0 | (a, t)a t l (r).a r ?l 1 (x ).0.
Example 3 Regarding authorization extrusion/confinement consider the following processes where P differs from Q by an extrusion of authorization (a, s) (or, conversely, confinement). We have that P reduces to an error while Q does not: This example shows that authorization extrusion is not sound in our model even when considering an expected side condition on the extruded name (notice a does not occur free in the left-hand side of P ).

Labeled transition system (LTS)
We now introduce a labeled transition system (LTS) for our language. Our LTS extends the (early) LTS for the π -calculus by considering a syntax for labels with explicit annotations and rules for representing authorization scopes. Before formally giving the LTS, we describe some intuitions. Consider the following set of labels: An LTS based on labels λ would be able to describe process evolution in terms of name output and input, delegation and reception of authorization, name extrusions, and the internal action τ . However, it would not allow us to describe the authorization scope under which any of these actions may take place, nor the fact that senders may lose authorization through communication. To this end, we define two modifications: (a) We annotate labels λ with authorization scopes of the form (a, t), describing that any action along channel a is authorized on role t. As such, we will consider labels of the form where λ is as above and the superscript i ∈ {0, 1} in (a, t) i denotes the number of occurrences of (a, t). As a convention, we will identify (a, t) 0 λ with λ, for any not yet authorized action λ.
(b) We distinguish two kinds of internal actions, denoted τ ω and τ (a,d) ω , where ω stands for zero, one, or two pairs of names and roles. Intuitively, a pair (a, r) included in the ω of τ ω says that such an internal action depends on an action along name a which still requires authorization for role r. This way, for example, ω will become invisible if the two actions leading to the synchronization are both properly authorized. The pair (a, d) in label τ (a,d) ω states that this internal action was performed by communicating (delegating) the authorization for not yet authorized role d along a. Once again, it is worth noticing that when an invisible action results from the synchronization of dual actions on authorized roles, we will have label τ . When considering closed processes, only the internal action relation τ − → agrees with reduction, up to structural congruence (see Sect. 2.4).
Based on the above intuitions, we may now introduce the set of labels for our LTS, ranged over α, α , . . .. We have: where ω :: (a, s) i (a, r) j , with i , j ∈ {0, 1}. Given a label α, we write n(α) and bn(α) to denote its associated sets of names and bound names, respectively. These sets are defined as expected.
Let P denote the set of all processes. We define the relation α − →⊆ P × P, for every action α. As a key novelty, we require a set of rules to govern authorization scopes, including authorization delegation which may or may not involve losing the communicated authorization. The transition relation is inductively defined by the following five groups of rules, denoted (I)-(V): 1. Rule (lout) expresses that process a s !l (b).P can send b (in a message with tag l ), along a under role s, and evolve to P . 2. Using Rule (lout-a), process a s l d .P can send authorization d over a under the role s, and evolve to P .
This ability is enabled for roles d and s. 3. By Rule (lin), process a r ?l (x ).P is able to receive b along a, under role r, and evolve to P {b/x }. 4. By Rule (lin-a), process a r l (d).P can get authorization for d along a and evolve to (a, d)P . (II) Similarly as in the π -calculus, we have Rules (lres1) and (lres2), here not depending on included authorization scopes.
The observable behavior of a process within an authorization scope is governed by Rules (lscope1) -(lscope5).
In Rule (lscope1) we use an auxiliary function that gives authorization to the pair (a, t) in the label α. It is formalized by the authorization function, (a, t) · α, defined as follows: where action λ is defined above and λ (a,t) denotes that the action is performed under the role t along a (i.e. a t !l (b), a t ?l (b), a t l d or a t l (d)). These rules describe the behavior of process (a, t)P provided that P can evolve to Q by performing action α. In three of these rules, (a, t)P loses authorization scope (a, t) after forwarding it, and then evolves to Q.
(a) By Rule (lscope2), a process can forward authorization d under the same (once authorized) role d. For example: In this way, process loses its own authorization scope. (b) By Rule (lscope3), a process can forward authorization d under different role s. For example: (c) By Rule (lscope5), a process can internally communicate authorized role d (see examples (3)-(5)). For example: Notice that only left-hand side threads lose authorization scope (a, d), since they forward it to right-hand side threads. As right-hand side threads were authorized to communicate role d over a, authorization scopes (a, d) are doubled after the transitions. In the other two rules, (a, t)P keeps the authorization scope and evolves to (a, t)Q: (d) By Rule (lscope4), a process having double authorization, after passing an authorization, still keeps its copy. For example: (e) Rule (lscope1) covers all the cases where α does not include role delegation. For example, (IV) The four Rules (lcomm1), (lcomm2), (lauth1), and (lauth2) capture to internal actions (we omit the four symmetric rules with commuted parallel processes in conclusions of the respective rules).
All four rules that describe invisible actions ((lcomm1), (lcomm2), (lauth1), (lauth2)) keep in ω and ω of τ ω ω visible pairs that point to roles that were used in actions within corresponding invisible actions, but still require authorization. Rules (lcomm1) and (lcomm2) are as in the π -calculus, with the main difference of having authorization pairs. If where i ∈ {0, 1}, then we say that α 1 and α 2 are mutually dual actions and write α 1 α 2 . If i 0 in (a, t) i for some α, we write α (a,t) . For example: Rules (lauth1) and (lauth2), characteristic of our calculus, describe an internal communication of an unauthorized role d along a name a between processes P and Q, continuing in parallel composition P and (a, d)Q. For example: (V) Finally, there are three rules (and three symmetric rules) that describe parallel composition contexts -Rules (lpar1), (lpar2), and (lpar3)).
One should notice that not all transitions seamlessly cross parallel composition. By (lpar2) and (lpar3), in case a process can delegate not yet authorized role or communicate it within an internal action, then all processes in parallel get the authorization scope. For example: After closing the parallel composition with the same authorization scope, the process delegating the role will lose it and all others will keep it.
It is in a sense analogous to open and close rules for name scoping, but having in mind that we do not have authorization scope extrusion in the structural congruence (Table 2). Moreover, this treatment conveniently endows processes (a, r)(P | Q) and (a, r)P | (a, r)Q with the same behavior. For example,

Properties
Having introduced reduction and LTS semantics for our process model, in what follows we prove their equivalence. We need some auxiliary results: Lemma 1 Let P and Q be processes and i ∈ {0, 1}.
Proof By induction on the length of the derivation of P ≡ P .
Proof The proof is in one direction by induction on derivation of P → Q and in opposite direction by induction on the derivation P τ − → Q.
An advantage of defining an LTS is that it allows us to define behavioral equivalences. We say that a symmetric binary relation B on processes is a strong bisimulation if The largest strong bisimulation, the strong bisimilarity, is denoted by ∼ .
We may now state congruence of strong bisimilarity with respect to active contexts: Proposition 4 attests that active contexts are proper functions of behavior: no two equivalent behaviors placed in an active context yield different (image) behaviors. As part of the proof of Proposition 3 we prove (a, r)(P | Q) ∼ (a, r)P | (a, r)Q which serves as a behavioral validation of the authorization distribution law (cf. Table 2). We may also show that there is P such that (a, r)(a, r)P ∼ (a, r)P (consider P may delegate the authorization twice) so as to witness our authorization accounting principle. We may also show that (a, r)σ.P ∼ σ.(a, r)P , for any P , provided that prefix σ does not involve channel a or role r. In fact, since roles are statically prescribed we may show that (a, r)P ∼ P when role r does not occur in process P .
The behavioral equivalence, defined using the labeled transition system, serves as a proof method to show such behavioral (in)equalities, so as to further validate our design principles and inform on the behavioral model.

Type system
We now introduce a behavioral type system for our language. It ensures that well-typed processes are not (authorization) errors, in the sense of Definition 3 (Proposition 5). In turn, this property entails a natural form of type safety (Corollary 1).
Our type discipline builds on the conversation types language as presented in [BCVV12]: we extend message type M with the role r, so that we may capture role authorization passing. This is a rather natural extension, formally given by the syntax in Table 4. Behavioral types B include: end, which describes inaction; -B | B , which allows to describe concurrent independent behavior; -the sometime type 3B , which says that behavior B may take place immediately or later on; pl (M ).B , which describes a communication action identifying the role(s) involved, and whether the action is an input ?r or an output !r or a message exchange (r → r) :, a carried message type M and the behavior B that is prescribed to take place after the communication action.
We use behavioral types to specify the interactions in linear channels, where no communication races are allowed (which is to say that at any given moment, there can only be one matching pair of input/output actions). In our setting, where several parties may simultaneously use a channel, this linear communication pairing is ensured via message tags: at a given moment, there can be only one pair of processes able to exchange a tagged message. For shared channels, where communication races are allowed, we ensure consistent usage (but no structured protocol of interaction) via shared channel types T , which carry a (linear) behavioral type describing the usage delegated in the communication.
Message type M also captures the usages delegated in communications: in case M is a behavioral type B or a shared channel type T it describes how the receiving process uses the received channel; in case M identifies a role r then the message type captures an authorization delegation in the specified role.
Type environments separate linear and shared channel usages: associates channels with (linear) behavioral types, given by :: ∅ | , a : B , whereas associates channels with shared channel types, given by :: ∅ | , a : T . Typing rules rely on subtyping as well as on some auxiliary notions of apartness, well-formedness, and splitting of types. Explanations for these notions are in order: -The subtyping relation is given in Table 5, where we use B 1 ≡ B 2 iff B 1 <: B 2 and B 2 <: B 1 . Apart from some usual structural identifications and context closure, subtyping specifies that B <: 3B (provided the latter is well-formed) which allows to say that a behavior B that is prescribed to take place immediately may as well be used in a context that expects B to take place later on in the protocol. -Type apartness is used to identify non-interfering concurrent behaviors that may be safely composed in a linear interaction. To define type-apartness we use tg(B ) to denote the set of tags occurring in type B, defined as expected. Two types B 1 and B 2 are apart, written B 1 #B 2 , if they have disjoint sets of message tags (tg(B 1 ) ∩ tg(B 2 ) ∅). -Well-formedness of a type (Table 6) ensures that parallel behaviors are apart and that the sometime 3 is not associated to message synchronizations -synchronizations are not allowed to take place sometime later, they are always specified to take place at a given stage in the protocol. Also, well-formedness ensures that parallel behaviors are independent (via apartness # that checks disjointness of message tags sets).  Table 7. Type Split Relation -Type splitting given in Table 7 supports the distribution of protocol "slices" among the participants in a conversation: we write B B 1 • B 2 to say that behavior B may be split in behaviors B 1 and B 2 so that an overall behavior B may be distributed (e.g., in the two branches of a parallel composition). We remark that B 1 and B 2 may be further split so as to single out the individual contributions of each participant in a conversation, where decomposition is driven by the structure of the process in the typing rules. We highlight Rule (S-TAU) that allows to distribute a synchronization in the two (dual) communication prefixes, where one of them is prescribed to happen sometime (3) while the other is prescribed to take place immediately (so as to ensure the synchronization takes place immediately). Rule (S-BRK) allows to extract a (3) part of the protocol that is prescribed to happen after a prefix (provided the extracted behavior and the prefix are independent) so that, for instance, an already active third party that will only be engaged later on in the protocol may be initially characterized by the respective sometime behavior extracted from the later stages of the protocol. We lift the split relation to type environments in unsurprising lines: , a : B 1 , a : B 1 • 2 , a : B 2 if B B 1 • B 2 and 1 • 2 , and also , a : B 1 , a : B • 2 (and symmetrically) if 1 • 2 . In typing rules we write 1 • 2 to represent (if there is such ) such that 1 • 2 . Moreover, behavioral type and linear type environment reduction are given in Table 8, where the former states that a synchronized communication prefix can reduce to its continuation, including under parallel composition, while the latter lifts the relation to environments by allowing any type in the environment to reduce, embedding reflexivity via ∅ → ∅. A typing judgment is of the form ; P , where denotes the authorization set. This is a subset of the direct product of the set of channel names and the set of roles, i.e., ⊆ N × R. The typing judgment ; P states that the process P is well typed under and with roles from pr 2 ( ) (the projection on the second element of the pairs in ) appearing in P unauthorized on corresponding channels from pr 1 ( ).
Typing rules are presented in Fig. 9. There are three rules that are specific to our model: Notice that in Rules (T-rolein) and (T-roleout) the typing environment in the conclusion is split in a typing of a that specifies the reception of the authorization (up to subtyping). All other rules are similar to the typing rules from [BCVV12], with the derivation of the novel decoration as follows. Rule (T-end) states that a well-typed inactive process has no unauthorized roles and only end usages of linear channels (denoted by end ). Rule  with (a, r). The authorization is not performed on shared channels, implying that all actions on shared channels in a typed process must be under the corresponding authorization scope. Rule (T-par) states that the unauthorized pairs in a parallel composition of two processes is the union of unauthorized pairs of the two composed processes. We say that a process P is well typed if there are and such that ; ∅ P . Example 4 Consider process Other Provider from our motivating example ( §1.3). Using Rules (T-auth), (T-in), (T-rolein), and (T-out) given in the
that attempts using the channel y under role server without receiving the authorization for this role, is not typable.
We define the reduction relation → between behavioral types B and corresponding environments by allowing a synchronized communication prefix to reduce to its continuation (s → r) : l (M ).B → B , so as to mimic the respective process behavior, by allowing reduction to occur in a branch of a parallel composition (e.g., , and by lifting the relation point-wise to environments, embedding reflexivity so as to encompass process reductions involving shared or bound channels (where no reduction in the linear usages of free names is required).
Theorem 1 (Type preservation) Let ; P for some , , and P . If P → Q then there is such that → and ; Q.
A direct consequence of type preservation is protocol fidelity: every reduction of the process corresponds to a reduction of the types, thus ensuring that the process follows the protocols prescribed by the types. Notice that communication safety (no type mismatches in communications) is entailed by protocol fidelity, which in our case also attests that processes agree in the role when sending and receiving authorizations.

Proposition 5 (Error free) If P is a well-typed process, then P is not an authorization error.
Combining freedom from errors and type preservation results we immediately obtain our notion of type safety, which ensures that well-typed processes never reach an error configuration.
Corollary 1 (Type safety) If P is a well-typed process and P → * Q, then Q is not an authorization error.
Our type safety result ensures every action that may eventually become active is duly authorized. Notice that our typing characterization directly records the authorizations required by the system from the external context. However, we may also infer the authorizations held by the system itself, by contrasting the channel usage (captured by the typing environment) with the required authorizations: channels that are not mentioned in the required authorizations that have a prescribed usage must be authorized in the system. As such the behavioral interface captured by the typing characterization can also be viewed as a system specification: provided some authorizations, the system behavior must be compliant with the prescribed interface, possibly including actions for which authorization is not provided.

Related work
From a broad, historical perspective, studies on access control and authorization go back at least to the seminal work by Lampson [Lam74], who proposed the access control matrix model. Harrison, Ruzzos and Ullman (HRU) [HRU76] formalized this protection model as a matrix which has columns indexed by objects and rows indexed by subjects; each entry in the matrix is a subject of a set of access models. HRU proved that it is undecidable whether a given state of a given protection system is safe for a given generic right. Sandhu [San92] developed the typed access matrix (TAM) model by introducing strong typing into the HRU model (in essence, by assigning types to objects), and showed that strong typing usefully enables decidable safety analyses. See [SdV00] for an introduction to access control systems and their formalization.
Fournet et al. [FGM07] consider the problem of verifying whether a distributed system correctly implements a target authorization policy, expressed as statements and expectations. Their formal development is based on the spi-calculus, a variant of the π -calculus with cryptographic operations. They develop a type system based on annotations that define authorization policies: the type system checks conformance to a policy by tracking the logical facts/rules in the typing environment, and using logical deduction to type authorization expectations.
Role-based access control in distributed systems with dynamic access rights was handled by Dezani-Ciancaglini et al. [DGJP10] by means of a type system, which ensures security properties. In this calculus, roles assigned to data can be dynamically administered, while role communication between processes was not treated. Previous works in the setting of session calculi consider security properties like confidentiality and integrity (we refer the interested reader to the recent overview [BCD + 15]). For instance, Bonelli et al. [BCG05] extend session types with correspondence assertions, a form of dependent types which ensures consistency of data during computation. More recently, aspects of secure information flow and access control have been addressed for sessions in works such as [BCCDC11,CCDC11,CCDCR10]. Deniélou and Yoshida [DY11] use a kind of role-based approach where communication is controlled by a previously acquired reputation. Similarly to our work, Lapadula et al. [LPT07] consider a typed approach to role-based authorizations for service-oriented applications. Differently from our model, assigned roles are initially authorized and communicated data carries information on roles that will use it.
Scoping operators have been used to model security aspects; they typically rely on bound names to represent secrets or nonces. With the aim of representing secrecy and confidentiality requirements in process specifications, Giunti et al. [GPV12] investigate an scoping operator called hide, alternative to usual name restriction; the hide operator is embedded in the so-called secrecy π -calculus, tailored to program secrecy in communications. The expressiveness of the hide operator is investigated in the context of a behavioral theory, by means of a Spy agent. In contrast, our (free name) scoping operator focuses on authorization, a different security concern.
Vivas and Yoshida [VY02] propose a scoping operator (called filter) for dynamic channel screening. In a different setting (higher-order process communication) and with similar properties, the filter operator blocks all the actions that are not contained in the corresponding filter (which contains polarized channel names). Contrary to our authorization scope construct, filters are statically assigned to processes, while the authorization scope assigned to a process may be dynamically changed.
To the best of our knowledge, the authorization scoping proposed here has not been explored before for the specification of communication-centered systems. Our integration of the authorization scoping in the system specification language in an uniform way is a distinguished feature of our approach when compared to other forms of site-level authorization handling (see, e.g., Gorla and Pugliese's work [GP09]). There are high-level similarities between our work and the concept of ownership types, as well studied for object-oriented languages [CPN98]. Although in principle ownership types focus on static ownership structures, assessing their use for disciplining dynamic authorizations is interesting future work. Also, it may also prove to be worthwhile to exploit dependent/refinement types (see, e.g., [SCC10]) in our setting.

Concluding remarks
In this paper, we have introduced a typed process framework for specifying and reasoning about role-based authorization. Our contribution is based on previous work on conversation types [CV10] and their extension with dynamic assignment of roles to several parties in a concurrent system [BCVV12]. We focused on a modular extension of the existing framework, so as to leverage on previous results, adding the minimal elements so as to identify the specific issues at hand and set the basis for further developments.
We have addressed the problem of role authorization and communication of authorizations in an extension of the π -calculus, where communication prefixes are annotated with role authorizations. For simplicity, we have considered a "flat" set of roles; it is conceivable that concrete application settings may require sets of roles subject to hierarchical orderings. The presented calculus allows for the dynamic communication of authorizations and is equipped with an authorization scoping operator that precisely specifies the range of authorized use of particular roles in particular channels. We then extend the conversation type system in which a well-typed process can never reduce to an authorization error, thus (statically) ensuring that well-typed processes are always authorized to communicate on behalf of a role, including when authorizations are dynamically passed in messages.
The analysis technique presented in this paper combines a behavioral type discipline with authorization control. In our view, structured communication and authorization are orthogonal aspects subject to be controlled in separate, dedicated ways. Our type structure retains the meaning of types in [CV10,BCVV12] and does not mention authorizations, which are instead treated at the level of process specifications. This separation between communication and authorizations leads to clear typed interfaces and simplifies analyses. Still, we may already argue that our behavioral types pave the way for the verification of more fine-grained authorization communication control. Indeed, our types mention explicitly the identities of the communicated roles; this allows us to enforce further discipline just by inspecting the types. Consider, for example, the type where the specification yields the information that role d is received and afterwards communicated away. When role authorization containment is a concern, for instance since trust can be of an intransitive nature, it may be desirable to exclude the above communication pattern under some circumstances. One possibility is to completely exclude authorization re-communication. Alternatively we can look at the involved roles and validate according to some trust policy defined for them.
The advantage of lifting the analysis from processes to types is that the simpler the target of the analysis is, the simpler the analysis techniques will be. Such a verification step can be carried out statically, when nevertheless also the system must be verified, but more interestingly, can also be carried out at runtime. If we interpret such types as contracts to which processes will abide to, as ensured by the fidelity property, the composition of systems at runtime may be driven by type information. For instance, one may choose to avoid using web apps that recommunicate authorizations under the chosen circumstances. Investigating this kind of static analysis over types is an interesting direction for the future.
The type structure presented in this paper is purposefully simple and we do not consider constructs for infinite behavior at the level of processes nor at the level of behavioral types. Indeed, the model and examples considered throughout the paper are finite-state, and therefore possibly amenable for analysis using alternative techniques, such as, e.g., reachability analysis/model checking. In the presence of infinite behavior and recursive types, the situation is different. Although recursive types are absent in [BCVV12], we find no fundamental obstacle in extending our model with recursive types, essentially following the approach in [CV10] for conversation types. We believe that recursion and authorization handling are orthogonal concerns; further work is required to clarify this relationship.
Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.
Proof The proof is by rule induction on the inference of P α − → Q. We will highlight the following case: (ii) Base case is obtained by rule (lres2). In that case, P (νc)P 1 and P 1 and therefore
we get the proof by (sc-rest-extr) and (comm).
Proposition 2 P → Q if and only if there is Q such that P τ − → Q and Q ≡ Q .
Proof The proof follows by Lemma 3 and 4.

Proposition 3 If P ≡ Q then P ∼ Q.
Proof Let us prove that ≡ ⊆ ∼.
Assume P ≡ Q and P α − → P . Then by Lemma 3 there is a process Q such that Q α − → Q and Q ≡ Q . Which proves ≡ to be a strong bisimulation. Therefore ≡ ⊆ ∼, since ∼ is the largest strong bisimulation.
Proof Assume that ∼ c is a contextual congruence closure (relation) of ∼, i.e.
Then ∼ ⊆ ∼ c which follows by taking C[·] ·. Also, since ∼ c is a contextual closure of ∼ then P ∼ c Q implies that P C[P 1 ], Q C[Q 1 ] and P 1 ∼ Q 1 , for some context C[·] and some processes P 1 and Q 1 .
Let us show that ∼ c is a strong bisimulation, that is if P ∼ c Q and P α − → P , then there is Q such that Q α − → Q and P ∼ c Q . Assume P ∼ c Q and P α − → P , where P C[P 1 ], Q C[Q 1 ] and P 1 ∼ Q 1 . The proof is by induction on the structure of the context C[·].

• If C[·]
·, then P P 1 , Q Q 1 , hence P ∼ Q and the statement holds. R | C 1 [·] can be proved similarly.
The relation ∼ c is a strong bisimulation, then ∼ c ⊆ ∼ since ∼ is the largest bisimulation. To this end ∼ c ∼, hence the strong bisimilarity ∼ is a congruence with respect to active contexts. 8. If ; P | Q, then 1 • 2 and ∪ and 1 ; P and 2 ; Q for some , , 1 and 2 .

A.2. Proofs from
Lemma 6 (Substitution lemma) Let ; P for some and . Theorem 1 (Type preservation) Let ; P for some , , and P . If P → Q then there is such that → and ; Q.
Proof The proof is by induction on the of derivation P → Q and by cases on the last rule applied. The only interesting case is induced by (auth).