Refinement-Friendly Bigraphs and Spygraphs

Over the past decade the successful approach to specification and mechanical analysis of correctness and security properties using CSP and its refinement checker FDR has been extended to contexts including mobile ad-hoc networks and pervasive systems. But the more scope for network reconfiguration the system exhibits, the more intricate and less obviously accurate the models must become in order to accommodate such dynamic behaviour in a language with a basically static process and communication graph. Milner´s Bigraph framework, on the other hand, and in particular Blackwell´s Spygraph specialisation, are ideally suited for describing intuitively such dynamic reconfigurations of a system and support notions of locality and adjacency which fit them well for reasoning, for instance, about the interface between physical and electronic security; but they lack powerful analytic tool support. Our long-term goal is to combine the best of both approaches. Unfortunately the canonical labelled transition system induced by the category-theoretic semantics of a bigraphical reactive system present a number of challenges to the refinement-based approach. Prominent amongst these is the feature that the label on a transition is the ´borrowed context´ required to make the redex of some reaction rule appear in the augmented source bigraph; this means that any reaction which can already take place entirely within a given bigraph gives rise to a transition labelled only with the trivial identity context, equivalent to a tau transition in CCS or CSP, with the result that neither the reaction rule nor the agents involved can be distinguished. This makes it quite impossible for an observer of the transition system to determine whether such a reaction was desirable with respect to any specification. We are investigating ways to remedy this situation. Here we present a systematic transformation of a bigraphical reactive system, both its rules and the underlying bigraphs, with the effec- - t that every transition becomes labelled with the specific rule that gave rise to it and the set of agents involved. We also consider how that now possibly over-precise labelling can be restricted through selective hiding and judicious forgetful renaming.