Foundations of Global Computing A Personal Perspective (talk)

Foundations of Global Computing

A Personal Perspective

Vladimiro Sassone

Foundations of Global Computing

Resource Control

Programming Languages

Semantic Theories

Models for Concurrency

Global Ubiquitous Computing:

computation over a global network of

mobile, bounded resources shared among mobile entities which move between highly dynamic, largely unknown, untrusted

networks.

Difficulties:

Extreme dynamic reconfigurability; lack of coordination and trust; limited capabilities; partial knowledge . . .

Issues:

Foundations of Global Computing

Resource Control

Programming Languages

Semantic Theories

Petri Nets Based Models and Calculi

A

distributed timed-arc Petri net

(_DTAPN) is a Petri net together with

➤ a _{interval time constraint} on transitions, either _discrete or _continuous;

➤ a _{clock synchronisation equivalence Σ} on places.

Tokens age, and transitions are enabled accordingly. Time elapses at the same speed on p and p0 if p _Σ p0.

Globally Asynchronous, Locally Synchronous

Foundations of Global Computing

Resource Control

Programming Languages

Semantic Theories

Models for Concurrency

➤ A categorical machinery which allows the

derivation

of

LTS

s from

reduction systems

. ➤

_Bisimulation

on such LTSs is a

congruence

,

provided a general condition is met.

Coinduction Principle Desiderata:

➤ _{Operational Corresp.:} p & q iff p τ I _q

➤ _Correctness: p ≈ q implies p q

➤ _{Completeness:} p q implies p ≈ q

The intuition:

a C I _{b iff} C_{[a] & b}

Eg:

Foundations of Global Computing

Resource Control

Programming Languages

Semantic Theories

➤ A categorical machinery which allows the

derivation

of

LTS

s from

reduction systems

. ➤

_Bisimulation

on such LTSs is a

congruence

,

provided a general condition is met.

Coinduction Principle Desiderata:

➤ _{Operational Corresp.: p} & q iff p τ I _q

➤ _{Correctness: p} ≈ q implies p q

➤ _{Completeness:} p q implies p ≈ q

The intuition:

a C I _{b iff} C_{[a] & b}

Foundations of Global Computing

Resource Control

Programming Languages

Semantic Theories

Models for Concurrency

Jeeg:

concurrent OO with _{history-sensitive} access control ➤

_Java

(no _{synchronized()}, _wait(), _notify(), _notifyAll()) for

business code;

➤

_{Linear Time Temporal Logic}

for _{synchronisation} code (method guards).

public class _MyClass {

sync {

m : φ; .... }

...// Standard Java class def }

where m is a method identifier and φ, the

guard

, is an

LTL

formula. When m is invoked, the thread is

kept on

hold

unless φ. When the condition is true, all

waiting

threads are

awaken

. m is implicitly

synchronised

.

Foundations of Global Computing

Resource Control

Programming Languages

Semantic Theories

Resources: Models, Types, Logics, Languages

➤

_{Access Control}

_{(Concur 2002, ESOP 2004)}

➤

_{Access Authorisation}

_{(FST&TCS 2002, Info&Co)}

➤

_{Secrecy for Mobile Agents}

_{(ICALP 2003)}

Mobile Ambients

Both administrative domains and computational environments

➤

_{Subjective movements}

n[ in m.P | Q ] | m[ R ] −→ m[ n[ P | Q ] | R ]

m[ n[ out m.P | Q ] | R ] −→ n[ P | Q ] | m[ R ]

➤

_{Boundary dissolver}

open n.P | n[ Q ] −→ P | Q.

➤

_{Process interaction}

Group Types for Mobility

Aim:

Resource Access Control

➤ Detect and prevent _{unwanted access} to resources.

➤ Focus on _static approaches based on enforcing type disciplines.

Groups:

Sets of processes with common access rights.

Constraints like k : _CanEnter(n) are modelled as:

n belongs to group G

k may cross the border of ambients of group G.

For instance, the system:

k[inn | l[outk] ] | n[ ]

is

well-typed

under assumptions of the form:

k : _amb[K,_cross(N)]

Group Types for Mobility

Aim:

Resource Access Control

➤ Detect and prevent _{unwanted access} to resources.

➤ Focus on _static approaches based on enforcing type disciplines.

Groups:

Sets of processes with common access rights. Constraints like k : _CanEnter(n) are modelled as:

n belongs to group G

k may cross the border of ambients of group G.

For instance, the system:

k[inn | l[outk] ] | n[ ]

is

well-typed

under assumptions of the form:

Indirect Border Crossing

Trojan Horses:

The system

Odysseus[in_Horse.out_Horse.Destroy ] | _Horse[in_Troy ] | _Troy[_Trojans]

is well-typed under assumptions:

Odysseus : _amb[Achaean,_cross(Toy)] Horse : _amb[Toy,_cross(City)]

Troy : _amb[City, ]

However

, the system may evolve to

Troy[ _Trojans | _Horse[ ] | _Odysseus[ _Destroy ] ]

Indirect Border Crossing

Trojan Horses:

The system

Odysseus[in_Horse.out_Horse.Destroy ] | _Horse[in_Troy ] | _Troy[_Trojans]

is well-typed under assumptions:

Odysseus : _amb[Achaean,_cross(Toy)] Horse : _amb[Toy,_cross(City)]

Troy : _amb[City, ]

However

, the system may evolve to

Troy[ _Trojans | _Horse[ ] | _Odysseus[ _Destroy ] ]

Types

Groups:

G,H, . . .

Sets of groups:

P_,S _{, . . .} U _{The universal set of groups}

Ambients types:

A ::_{= amb}[G, M] _{amb of group} G,_{with mobility type} M

Process types:

Π ::_{= proc}[G, M] _{process that can be enclosed in an ambient of group} G,

may drive to ambients whose groups are in M

Capability types:

K ::_{= cap}[G, M] _{capability that can appear in an ambient of group} G,

may drive it to ambients whose groups are in M

Mobility types:

Access Control Properties

Mobility properties:

➤ If _Γ ` n[inm.P | Q] | m[R] : _Π, then

Γ ` m : <sub>amb</sub>[M, ] and <sub>Γ</sub> ` n : _amb[ ,_mob[P_]]

with M ∈ P_.

➤ If _Γ ` m[n[outm.P | Q ] | R] : _Π, then

Γ ` m : <sub>amb</sub>[M,<sub>mob</sub>[P<sub>m]] and Γ ` n : amb[N,mob[</sub>P_n]]

Detecting Odysseus’ intentions

Now, in order to assign a type to

Odysseus[in_Horse.out_Horse.Destroy ] | _Horse[in_Troy ] | _Troy[_Trojans]

we need assumptions of the form:

Odysseus : _amb[Achaean,_mob[{Ground,Toy,City}]]

Horse : _amb[Toy,_mob[{Ground,City}]]

Troy : _amb[City, ]

representing that _Odysseus is an Achaean intentioned to move into a City! On the other hand, under assumptions of the form

Odysseus : _amb[Achaean,_mob[{Ground,Toy}]]

Detecting Odysseus’ intentions

Now, in order to assign a type to

Odysseus[in_Horse.out_Horse.Destroy ] | _Horse[in_Troy ] | _Troy[_Trojans]

we need assumptions of the form:

Odysseus : _amb[Achaean,_mob[{Ground,Toy,City}]]

Horse : _amb[Toy,_mob[{Ground,City}]]

Troy : _amb[City, ]

representing that _Odysseus is an Achaean intentioned to move into a City!

On the other hand, under assumptions of the form

Odysseus : _amb[Achaean,_mob[{Ground,Toy}]]

Dependent Types for Access Control

Dependent Mobility Types:

(P _and C _{are sets of names, not groups.)}

A ::_{= amb}[hasFathers(P_{),hasChildren(}C_)]

Dependent types

allow personalised services and dynamic access control.

HorseServer , _!(x)(νHorse : amb[ ,hasChildren{x}])Horse[outTroy.inTroy.0 ]

➤ Names have several possible types, depending on the

actual

communications occurred.

Dependent Types for Access Control

Dependent Mobility Types:

(P _and C _{are sets of names, not groups.)}

A ::_{= amb}[hasFathers(P_{),hasChildren(}C_)]

Dependent types

allow personalised services and dynamic access control.

HorseServer , _!(x)(νHorse : amb[ ,hasChildren{x}])Horse[outTroy.inTroy.0 ] ➤ Names have several possible types, depending on the

actual

communications occurred.

Dependent Types for Access Control

Dependent Mobility Types:

(P _and C _{are sets of names, not groups.)}

A ::_{= amb}[hasFathers(P_{),hasChildren(}C_)]

Dependent types

allow personalised services and dynamic access control.

HorseServer , _!(x)(νHorse : amb[ ,hasChildren{x}])Horse[outTroy.inTroy.0 ]

➤ Names have several possible types, depending on the

actual

communications occurred.

Secrecy in Mobile Ambients

Names

≈

_Cryptokeys:

Carrying messages inside _private ambients preserves message _integrity and _privacy. Or, does it?

(νn)(a[ n[out a.in b.hMi] ] | b[ open n.(x)P ] ) It actually offers no guarantees for software agents, as n must be revealed along

the move, and servers may peek inside.

How to provide stronger protection?

A new crypto-primitive:

subjective access control using co-capabilities + data encryption to preserve secrecy of data while agents move autonomously

n[ seal k.P | Q] −→ n{| P | Q |}_k sealed under k

crypto-key

Effects:

➤

_blocks

message exchanges and

encrypts

their contents;

Secrecy in Mobile Ambients

Names

≈

_Cryptokeys:

Carrying messages inside _private ambients preserves message _integrity and _privacy. Or, does it?

(νn)(a[ n[out a.in b.hMi] ] | b[ open n.(x)P ] )

It actually offers no guarantees for software agents, as n must be revealed along the move, and servers may peek inside.

How to provide stronger protection?

A new crypto-primitive:

subjective access control using co-capabilities + data

encryption to preserve secrecy of data while agents move autonomously

n[ seal k.P | Q] −→ n{| P | Q |}_k sealed under k

crypto-key

Effects:

➤

_blocks

message exchanges and

encrypts

their contents;

Secrecy in Mobile Ambients

Names

≈

_Cryptokeys:

Carrying messages inside _private ambients preserves message _integrity and _privacy. Or, does it?

(νn)(a[ n[out a.in b.hMi] ] | b[ open n.(x)P ] )

It actually offers no guarantees for software agents, as n must be revealed along the move, and servers may peek inside.

How to provide stronger protection?

A new crypto-primitive:

subjective access control using co-capabilities + data encryption to preserve secrecy of data while agents move autonomously

n[ seal k.P | Q] −→ n{| P | Q |}_k sealed under k

crypto-key

Effects:

➤

_blocks

message exchanges and

encrypts

their contents;

Sealed Ambients

➤ The mechanism to resume to a fully operational state is associated to movements and co-capabilities containing keys

n{|in m.P | Q |}_k | m{in {x}_k.R | R0 } −→ m{ n[ P | Q ] | R{x :₌ n} | R0 }

Example:

(νk)a[ n[seal k.out a.in b.hMiˆˆ] ] | b[in {x}_k.(y)x.P]

−→ (νk)a[ n{|out a.in b.hMiˆˆ|}_k ] | b[ in {x}_k.(y)x.P]

−→ (νk)a[ ] | n{|in b.hMiˆˆ|}_k | b[in {x}_k.(y)x.P ]

Sealed Ambients

➤ The mechanism to resume to a fully operational state is associated to movements and co-capabilities containing keys

n{|in m.P | Q |}_k | m{in {x}_k.R | R0 } −→ m{ n[ P | Q ] | R{x :₌ n} | R0 }

Example:

(νk)a[ n[seal k.out a.in b.hMiˆˆ] ] | b[in {x}_k.(y)x.P]

−→ (νk)a[ n{|out a.in b.hMiˆˆ|}_k ] | b[ in {x}_k.(y)x.P]

−→ (νk)a[ ] | n{|in b.hMiˆˆ|}_k | b[in {x}_k.(y)x.P ]

Sealed Ambients

➤ The mechanism to resume to a fully operational state is associated to movements and co-capabilities containing keys

n{|in m.P | Q |}_k | m{in {x}_k.R | R0 } −→ m{ n[ P | Q ] | R{x :₌ n} | R0 }

Example:

(νk)a[ n[seal k.out a.in b.hMiˆˆ] ] | b[in {x}_k.(y)x.P]

Example:

(νk)a[ n[seal k.out a.in b.hMiˆˆ] ] | b[in {x}_k.(y)x.P]

−→ (νk)a[ n{|out a.in b.hMiˆˆ|}_k ] | b[ in {x}_k.(y)x.P]

−→ (νk)a[ ] | n{|in b.hMiˆˆ|}_k | b[in {x}_k.(y)x.P ]

Sealed Ambients

➤ The mechanism to resume to a fully operational state is associated to movements and co-capabilities containing keys

n{|in m.P | Q |}_k | m{in {x}_k.R | R0 } −→ m{ n[ P | Q ] | R{x :₌ n} | R0 }

Example:

(νk)a[ n[seal k.out a.in b.hMiˆˆ] ] | b[in {x}_k.(y)x.P]

−→ (νk)a[ n{|out a.in b.hMiˆˆ|}_k ] | b[ in {x}_k.(y)x.P]

Example:

(νk)a[ n[seal k.out a.in b.hMiˆˆ] ] | b[in {x}_k.(y)x.P]

−→ (νk)a[ n{|out a.in b.hMiˆˆ|}_k ] | b[ in {x}_k.(y)x.P]

−→ (νk)a[ ] | n{|in b.hMiˆˆ|}_k | b[in {x}_k.(y)x.P ]

Sealed Ambients

➤ The mechanism to resume to a fully operational state is associated to movements and co-capabilities containing keys

n{|in m.P | Q |}_k | m{in {x}_k.R | R0 } −→ m{ n[ P | Q ] | R{x :₌ n} | R0 }

Example:

(νk)a[ n[seal k.out a.in b.hMiˆˆ] ] | b[in {x}_k.(y)x.P]

−→ (νk)a[ n{|out a.in b.hMiˆˆ|}_k ] | b[ in {x}_k.(y)x.P]

−→ (νk)a[ ] | n{|in b.hMiˆˆ|}_k | b[in {x}_k.(y)x.P ]

Example:

(νk)a[ n[seal k.out a.in b.hMiˆˆ] ] | b[in {x}_k.(y)x.P]

−→ (νk)a[ n{|out a.in b.hMiˆˆ|}_k ] | b[ in {x}_k.(y)x.P]

−→ (νk)a[ ] | n{|in b.hMiˆˆ|}_k | b[in {x}_k.(y)x.P ]

Sealed Ambients

➤ The mechanism to resume to a fully operational state is associated to movements and co-capabilities containing keys

n{|in m.P | Q |}_k | m{in {x}_k.R | R0 } −→ m{ n[ P | Q ] | R{x :₌ n} | R0 }

Example:

(νk)a[ n[seal k.out a.in b.hMiˆˆ] ] | b[in {x}_k.(y)x.P]

−→ (νk)a[ n{|out a.in b.hMiˆˆ|}_k ] | b[ in {x}_k.(y)x.P]

−→ (νk)a[ ] | n{|in b.hMiˆˆ|}_k | b[in {x}_k.(y)x.P ]

−→ (νk)a[ ] | b[ n[ hMiˆˆ] | (y)n.P{x := n} ]

Example:

(νk)a[ n[seal k.out a.in b.hMiˆˆ] ] | b[in {x}_k.(y)x.P]

−→ (νk)a[ n{|out a.in b.hMiˆˆ|}_k ] | b[ in {x}_k.(y)x.P]

−→ (νk)a[ ] | n{|in b.hMiˆˆ|}_k | b[in {x}_k.(y)x.P ]

Sealed Ambients

➤ The mechanism to resume to a fully operational state is associated to movements and co-capabilities containing keys

n{|in m.P | Q |}_k | m{in {x}_k.R | R0 } −→ m{ n[ P | Q ] | R{x :₌ n} | R0 }

Example:

(νk)a[ n[seal k.out a.in b.hMiˆˆ] ] | b[in {x}_k.(y)x.P]

−→ (νk)a[ n{|out a.in b.hMiˆˆ|}_k ] | b[ in {x}_k.(y)x.P]

−→ (νk)a[ ] | n{|in b.hMiˆˆ|}_k | b[in {x}_k.(y)x.P ]

Secrecy and Adversaries

Intuitively:

A process preserves the secrecy of a piece of data M _{if it does not publish} M_{, or}

anything that would permit the computation of M_.

S-Adversary:

A context _A(−) which initially knows names and capabilities in S.

Revealing Names:

P _{may reveal} n to S if there exists an S-adversary A(−) and a name c ∈ S such that:

A(P) ₌⇒ C(c[ hniˆˆ | Q]) (c free )

Typing System:

Secrecy is captured by a type system ` which may classify processes as

untrusted

_Γ ` P : Un, and data as

public

a : Public if it can be exchanged with untrusted process.

Secrecy Theorem:

Well-typed processes do not reveal their secrets publicly. Formally, if Γ ` P : Un and _Γ 0 _{s : Public, then P preserves the secrecy of s from all public}

Secrecy and Adversaries

Intuitively:

A process preserves the secrecy of a piece of data M _{if it does not publish} M_{, or}

anything that would permit the computation of M_.

S-Adversary:

A context _A(−) which initially knows names and capabilities in S.

Revealing Names:

P _{may reveal} n to S if there exists an S-adversary A(−) and a name c ∈ S such that:

A(P) ₌⇒ C(c[ hniˆˆ | Q]) (c free )

Typing System:

Secrecy is captured by a type system ` which may classify

processes as

untrusted

_Γ ` P : Un, and data as

public

a : Public if it can be exchanged with untrusted process.

Secrecy Theorem:

Well-typed processes do not reveal their secrets publicly. Formally, if Γ ` P : Un and _Γ 0 _{s : Public, then P preserves the secrecy of s from all public}

Secrecy and Adversaries

Intuitively:

A process preserves the secrecy of a piece of data M _{if it does not publish} M_{, or}

anything that would permit the computation of M_.

S-Adversary:

A context _A(−) which initially knows names and capabilities in S.

Revealing Names:

P _{may reveal} n to S if there exists an S-adversary A(−) and a name c ∈ S such that:

A(P) ₌⇒ C(c[ hniˆˆ | Q]) (c free )

Typing System:

Secrecy is captured by a type system ` which may classify processes as

untrusted

_Γ ` P : Un, and data as

public

a : Public if it can be exchanged with untrusted process.

Secrecy Theorem:

Well-typed processes do not reveal their secrets publicly. Formally, if Γ ` P : Un and _Γ 0 _{s : Public, then P preserves the secrecy of s from all public}

Between Theory and Practice

That’s all good, but . . .

. . . one cannot type the Internet

The gap between theory and practice matters in practice.

All this only works as long as you trust the certified types, or are willing to

typecheck migrating code yourself (

bytecode verification

,

PCC

,. . . ), . . .

➤

_Verification

(relates to type checking/inference)

➤

_Certificates

(groups as certified roles)

➤

_Trust

: In UbiComp,

security

must work be coupled with

trust management

.

Between Theory and Practice

That’s all good, but . . .

. . . one cannot type the Internet

The gap between theory and practice matters in practice.

All this only works as long as you trust the certified types, or are willing to

typecheck migrating code yourself (

bytecode verification

,

PCC

,. . . ), . . . ➤

_Verification

(relates to type checking/inference)

➤

_Certificates

(groups as certified roles)

➤

_Trust

: In UbiComp,

security

must work be coupled with

trust management

.

Between Theory and Practice

That’s all good, but . . .

. . . one cannot type the Internet

The gap between theory and practice matters in practice.

All this only works as long as you trust the certified types, or are willing to

typecheck migrating code yourself (

bytecode verification

,

PCC

,. . . ), . . .

➤

_Verification

(relates to type checking/inference)

➤

_Certificates

(groups as certified roles)

Trust Management

Focus on Trust Evolution and Delegation in Dynamic Networks

a{ A }_π

Focus on Trust Evolution and Delegation in Dynamic Networks

a{ A }_π

principal P

agent/behaviour

trust policy: expressions on lattice (D,≤)

Trust Based Services:

a{ b.`hvi. A } | b{ `(x) .Σ_tB_t }_π −→ a{ A } | b{ B_π(a){x := v} }_π

Trust Evolution:

a{ ζ .A | B }_π −→ a{ A | B }_ζ(π)

Policies and Expressions:

π ::_{= p}p_{q delegation} τ ::₌ t ∈ D _value/var

λx : _P.τ _abstraction π(p) _{policy value}

op(π1, . . . , πn) lattice op e 7→ τ;τ choice

p ::₌ a ∈ P, x : _{P principal/vars} e ::₌ τ _cmp τ , p _eq p _comparisons

Trust Management

Focus on Trust Evolution and Delegation in Dynamic Networks

a{ A }_π

principal P

agent/behaviour

trust policy: expressions on lattice (D,≤)

Trust Based Services:

a{ b.`hvi. A } | b{ `(x) .Σ_tB_t }_π −→ a{ A } | b{ B_π(a){x := v} }_π

Trust Evolution:

a{ ζ .A | B }_π −→ a{ A | B }_ζ(π)

Policies and Expressions:

π ::_{= p}p_{q delegation} τ ::₌ t ∈ D _value/var

λx : _P.τ _abstraction π(p) _{policy value}

op(π₁, . . . , π_n) _{lattice op} e 7→ τ;τ _choice

p ::₌ a ∈ P, x : _{P principal/vars} e ::₌ τ _cmp τ , p _eq p _comparisons

Trust Management

Focus on Trust Evolution and Delegation in Dynamic Networks

a{ A }_π

principal P

agent/behaviour

trust policy: expressions on lattice (D,≤)

Trust Based Services:

a{ b.`hvi. A } | b{ `(x) .Σ_tB_t }_π −→ a{ A } | b{ B_π(a){x := v} }_π

Trust Evolution:

a{ ζ .A | B }_π −→ a{ A | B }_ζ(π)

Policies and Expressions:

π ::_{= p}p_{q delegation} τ ::₌ t ∈ D _value/var

λx : _P.τ _abstraction π(p) _{policy value}

op(π₁, . . . , π_n) _{lattice op} e 7→ τ;τ _choice

p ::₌ a ∈ P, x : _{P principal/vars} e ::₌ τ _cmp τ , p _eq p _comparisons

Trust Management

Focus on Trust Evolution and Delegation in Dynamic Networks

a{ A }_π

principal P

agent/behaviour

trust policy: expressions on lattice (D,≤)

Trust Based Services:

a{ b.`hvi. A } | b{ `(x) .Σ_tB_t }_π −→ a{ A } | b{ B_π(a){x := v} }_π

Trust Evolution:

a{ ζ .A | B }_π −→ a{ A | B }_ζ(π)

Policies and Expressions:

π ::_{= p}p_{q delegation} τ ::₌ t ∈ D _value/var

Understanding Delegation

Example:

a : p 7→ _trusted; b : p 7→ _pa_q(p);

q 7→ _pb_q(q); q 7→ _untrusted;

z 7→ _pp_q(z); z 7→ _pa_q(z);

Delegation, formally:

Global trust as a _fixpoint.

π : (P → P → D) → (P → D) _{Local Policy}

Ξ : (P → P → D) → (P → P → D) _{Collected Policies}

Global Trust:

fix(_Ξ) : P → P → D. But, is this good enough?

p : _trusted q : _untrusted z : _???

Cannot confuse

don’t trust

with

don’t know

: the value of _pp_q(z) could become available later.

Understanding Delegation

Example:

a : p 7→ _trusted; b : p 7→ _pa_q(p);

q 7→ _pb_q(q); q 7→ _untrusted;

z 7→ _pp_q(z); z 7→ _pa_q(z);

Delegation, formally:

Global trust as a _fixpoint.

π : (P → P → D) → (P → D) _{Local Policy}

Ξ : (P → P → D) → (P → P → D) _{Collected Policies}

Global Trust:

fix(_Ξ) : P → P → D. But, is this good enough?

p : _trusted q : _untrusted z : _???

Cannot confuse

don’t trust

with

don’t know

: the value of _pp_q(z) could become available later.

Understanding Delegation

Example:

a : p 7→ _trusted; b : p 7→ _pa_q(p);

q 7→ _pb_q(q); q 7→ _untrusted;

z 7→ _pp_q(z); z 7→ _pa_q(z);

Delegation, formally:

Global trust as a _fixpoint.

π : (P → P → D) → (P → D) _{Local Policy}

Ξ : (P → P → D) → (P → P → D) _{Collected Policies}

Global Trust:

fix(_Ξ) : P → P → D. But, is this good enough?

p : _trusted q : _untrusted z : _???

Cannot confuse

don’t trust

with

don’t know

: the value of _pp_q(z) could become available later.

Trust Structures

(D,≤,v), _where _ _is v _-continous

trust lattice approximation cpo

Thm.

(D,≤,v) yields an _adequate semantics [[−]] : _Policies → _Env → (P → P → D). The trust structure is _derived canonically from (D,≤). The fixpoint is computed with respect to v.

[[π_p1, . . . , π_pn]]_{σ =} fixv(λm.λp.([ πp ])σm)

Ongoing work:

➤ Approximate the fixpoint in the presence of

partial information

.

➤ Use

Kripke

style semantics to capture

trust evolution

in time.

Dimensions, Capacities, Mobility

Central Notion:

Resource Usage

Focus:

Capacity Bounds Awareness

.

➤ Bounded Capacity Ambients

➤ Fine control of capacity.

➤ Space as a linear co-capability.

a[ inb. P | Q ] | b[ | R ] & | b[ a[ P | Q ] | R ]

move capability

space co-capability

A Calculus of Bounded Capacities: Movement

Fundamentals: Space Conscious Movement

a[ inb. P | Q ] | b[ | R ] & | b[ a[ P | Q ] | R ]

| b[ a[ outb . P | Q ] | R ] & a[ P | Q ] | b[ | R ]

Example: Travelling needs but consumes no space

.

a[ inb .inc.outc.outb.0 ] | b[ | c[ ] ]

&& | b[ | c[ a[ outc.outb .0 ] ] ]

A Calculus of Bounded Capacities: Movement

Fundamentals: Space Conscious Movement

a[ inb. P | Q ] | b[ | R ] & | b[ a[ P | Q ] | R ]

| b[ a[ outb . P | Q ] | R ] & a[ P | Q ] | b[ | R ]

Example: Travelling needs but consumes no space

.

a[ inb .inc.outc.outb.0 ] | b[ | c[ ] ]

&& | b[ | c[ a[ outc.outb .0 ] ] ]

A Calculus of Bounded Capacities: Sizes

Fundamentals: Space Conscious Movement

➤ But the

size

of travellers matters!

ak[ inb . P | Q ] | b[

k times

z }| {

| . . . | | R ] &

ktimes

z }| {

| . . . | | b[ ak[ P | Q ] | R ]

| . . . |

| {z } k times

| b[ ak[ outb . P | Q ] | R ] & ak[ P | Q ] | b[ | . . . |

| {z } k times

| R ]

What is the

a

k

_?

A _{type annotation} measuring the size of P.

Notation.

We use k as a shorthand for

k times z }| {

A Calculus of Bounded Capacities: Sizes

Fundamentals: Space Conscious Movement

➤ But the

size

of travellers matters!

ak[ inb . P | Q ] | b[

k times

z }| {

| . . . | | R ] &

ktimes

z }| {

| . . . | | b[ ak[ P | Q ] | R ]

| . . . |

| {z } k times

| b[ ak[ outb . P | Q ] | R ] & ak[ P | Q ] | b[ | . . . |

| {z } k times

| R ]

What is the

a

k

_?

A _{type annotation} measuring the size of P.

Notation.

We use k as a shorthand for

k times z }| {

A Calculus of Bounded Capacities: Spawning

Fundamentals: Space Conscious Process Activation

.kP | k & P

Fundamentals: Space Conscious Process Activation

.kP | k & P

passive process: weighs 0

P _weighs k

Example: Replication

: !k, _!.k

!.kP | k & !.kP | P

A Calculus of Bounded Capacities: Spawning

Fundamentals: Space Conscious Process Activation

.kP | k & P

passive process: weighs 0

P _weighs k

Example: Replication

: !k, _!.k

!.kP | k & !.kP | P

A Calculus of Bounded Capacities: Spawning

Fundamentals: Space Conscious Process Activation

.kP | k & P

passive process: weighs 0

P _weighs k

Example: Replication

: !k, _!.k

!.kP | k & !.kP | P

A Calculus of Bounded Capacities: Transfer

Fundamentals: Space Acquisition and Release

putˇˇa . P | | ak[ getˆˆ.Q | R ] & P | ak+1[ Q | | R ]

ak+1[ put.P | | S ] | bh[ geta .Q | R ] & ak[ P | S ] | bh+1[ Q | | R ]

Example: A Memory Module

memMod , _mem[ 256MB | !put | !get_free ]

malloc , _m[ !get_mem.free[ outm .getm.put ] | !put ]

memMod | _malloc &256MB _mem[ !put | !get_free ] | _m[ 256MB | . . . ] &2×256MB

A Calculus of Bounded Capacities: Transfer

Fundamentals: Space Acquisition and Release

putˇˇa . P | | ak[ getˆˆ.Q | R ] & P | ak+1[ Q | | R ]

ak+1[ put.P | | S ] | bh[ geta .Q | R ] & ak[ P | S ] | bh+1[ Q | | R ]

Example: A Memory Module

memMod , _mem[ 256MB | !put | !get_free ]

malloc , _m[ !get_mem.free[ outm .getm.put ] | !put ] memMod | _malloc &256MB _mem[ !put | !get_free ] | _m[ 256MB | . . . ] &2×256MB

A Calculus of Bounded Capacities: Transfer

Fundamentals: Space Acquisition and Release

putˇˇa . P | | ak[ getˆˆ.Q | R ] & P | ak+1[ Q | | R ]

ak+1[ put.P | | S ] | bh[ geta .Q | R ] & ak[ P | S ] | bh+1[ Q | | R ]

Example: A Memory Module

memMod , _mem[ 256MB | !put | !get_free ]

malloc , _m[ !get_mem.free[ outm .getm.put ] | !put ]

memMod | _malloc &256MB _mem[ !put | !get_free ] | _m[ 256MB | . . . ] &2×256MB

A System of Capacity Types

Capacity Types:

φ, . . . are pairs of nats [n,N], with n ≤ N.

Effect Types

E, . . . are pairs of nats (d,i), representing _decs and _incs.

Exchange Types

: χ ::_{= Shh} | _Ambhσ, χi | _CaphE, χi

Process

and

Ambient

and

Capability Types

:

a : _Ambhφ, χi a has no less than φ_m and no more than φ_M spaces

P : _Prochk,E, χi P weighs k and produces the effect E on ambients

C : _CaphE, χi C transforms processes adding E to their effects

Thm: Subject Reduction

: _{Well-typed processes preserve space}.

A System of Capacity Types

Capacity Types:

φ, . . . are pairs of nats [n,N], with n ≤ N.

Effect Types

E, . . . are pairs of nats (d,i), representing _decs and _incs.

Exchange Types

: χ ::_{= Shh} | _Ambhσ, χi | _CaphE, χi

Process

and

Ambient

and

Capability Types

:

a : _Ambhφ, χi a has no less than φ_m and no more than φ_M spaces

P : _Prochk,E, χi P weighs k and produces the effect E on ambients

C : _CaphE, χi C transforms processes adding E to their effects

Thm: Subject Reduction

: _{Well-typed processes preserve space}.

Future Work

➤

_What:

_{Third-Party Resources: Models, Languages and Techniques}

➤

_{Resource-Aware Computation:}

_{resource bounds negotiation & enforcement} ➤

_{Resource Usage:}

_{calculi & logics for quantitative analysis}

➤

_{Resource Safety:}

_{languages for security & trust policies; general resource logics} ➤

_{Resource Trust:}

_{history-based: theory and infrastructures}

➤

_How:

Integrated approach:

Behavioural

,

Execution

,

Abstract Models

.

➤

_Who:

Communities involved:

➤ _{EU FET Global Computing}

Future Work

➤

_What:

_{Third-Party Resources: Models, Languages and Techniques}

➤

_{Resource-Aware Computation:}

_{resource bounds negotiation & enforcement} ➤

_{Resource Usage:}

_{calculi & logics for quantitative analysis}

➤

_{Resource Safety:}

_{languages for security & trust policies; general resource logics} ➤

_{Resource Trust:}

_{history-based: theory and infrastructures}

➤

_How:

Integrated approach:

Behavioural

,

Execution

,

Abstract Models

. ➤

_Who:

Communities involved:

➤ _{EU FET Global Computing}

Future Work

➤

_What:

_{Third-Party Resources: Models, Languages and Techniques}

➤

_{Resource-Aware Computation:}

_{resource bounds negotiation & enforcement} ➤

_{Resource Usage:}

_{calculi & logics for quantitative analysis}

➤

_{Resource Safety:}

_{languages for security & trust policies; general resource logics} ➤

_{Resource Trust:}

_{history-based: theory and infrastructures}

➤

_How:

Integrated approach:

Behavioural

,

Execution

,

Abstract Models

.

➤

_Who:

Communities involved:

➤ _{EU FET Global Computing}

Contexts as Labels

The intuition:

a C I _{b iff} C_{[a] & b}

For instance:

a −|a¯ I _{0 M} (λx.−)N I _{M{N/x} KM} −N I _M

Yep, but not quite:

➤ _{Too many labels not desirable:}

➤ _{Useless combinatorial explosion:} λx.xx −MN I _MMN

➤ _{Messes up the bisimulation (too coarse): l} D I D_{[r] for all rules l & r.}

Choose only ‘minimal’ redex-enabling contexts

➤ _{Case analysis of basic situations: Sewell}. _{Abstract approach: Leifer-Milner}

Contexts as Labels

The intuition:

a C I _{b iff} C_{[a] & b}

For instance:

a −|a¯ I _{0 M} (λx.−)N I _{M{N/x} KM} −N I _M

Yep, but not quite:

➤ _{Too many labels not desirable:}

➤ _{Useless combinatorial explosion:} λx.xx −MN I _MMN

➤ _{Messes up the bisimulation (too coarse): l} D I D_{[r] for all rules l & r.}

Choose only ‘minimal’ redex-enabling contexts

A Categorical Approach

Lawvere theory

on _Σ

➤ the natural numbers for objects

➤ a morphism t: m → n, for t a n-tuple of m-holed terms.

➤ Composition is substitution of terms into holes.

E.G.

for _Σ the signature for arithmetics:

➤ term (−₁ × x) ₊ −₂ is an arrow 2 → 1 (two holes yielding one term)

➤ h3,2 × yi is an arrow 0 → 2 (a pair of terms with no holes).

➤ Their composition is the term (3 × x) ₊ (2 × y), an arrow of type 0 → 1. A generalisation from term rewriting systems to categories.

➤ A category C _{with distinguished object 0.}

➤ A set of

reaction rules

R ⊆ S_C∈C C(0,C) × C(0,C).

➤ A set D _{of arrows of} C _{called the}

reactive contexts

_.

Assume that d0 .d1 ∈ D implies d0 and d1 ∈ D.

The

reaction relation

is defined as

a I _{b iff a = d .l, b = d .r, d ∈} D _{and hl,ri ∈ R.}

A Categorical Approach

Lawvere theory

on _Σ

➤ the natural numbers for objects

➤ a morphism t: m → n, for t a n-tuple of m-holed terms.

➤ Composition is substitution of terms into holes.

A generalisation from term rewriting systems to categories.

➤ A category C _{with distinguished object 0.}

➤ A set of

reaction rules

R ⊆ S_C∈C C(0,C) × C(0,C).

➤ A set D _{of arrows of} C _{called the}

reactive contexts

_.

Assume that d0 .d1 ∈ D implies d0 and d1 ∈ D.

(G)RPOs

Suppose that C _{is a (bi)category and consider a redex square}

• • c • d • a _l • • c c _• p m •

c00 d00 p0 • d d • a _l

➤ a _{relative pushout} (_RPO) is a tuple hc,d, pi which satisfies the universal property that:

(G)RPOs

Suppose that C _{is a (bi)category and consider a redex square}

• • c c _• p • d d • a _l

➤ a _{relative pushout} (_RPO) is a tuple hc,d, pi which satisfies the universal property that: • • c c _• p m •

c00 d00 p0 • d d • a _l

➤ a _{relative pushout} (_RPO) is a tuple hc,d, pi which satisfies the universal property that:

(G)RPOs

Suppose that C _{is a (bi)category and consider a redex square}

•

•

c

c _•

p

m •

c00 d00 p0

•

d

d

•

a _l

➤ a _{relative pushout} (_RPO) is a tuple hc,d, pi which satisfies the universal property that:

Deriving LTS

The LTS

derived

from the reactive system has:

➤

_Nodes:

a : O → N

➤

_Transitions:

a f I _{dr iff for hl,ri ∈ R and d ∈} D_{, hf,d,idi is a relative}

pushout of the square

•

• f

• d

•

a _l

➤

_Thm.

If all

redex squares

like the above have

(G)RPOs

then the bisimulation on the derived LTS is a

congruence

.

Deriving LTS

The LTS

derived

from the reactive system has:

➤

_Nodes:

a : O → N

➤

_Transitions:

a f I _{dr iff for hl,ri ∈ R and d ∈} D_{, hf,d,idi is a relative}

pushout of the square

•

• f

• d

•

a _l

➤

_Thm.

If all

redex squares

like the above have

(G)RPOs

then the bisimulation on the derived LTS is a

congruence

.

Applying (G)RPOs

➤ _{Milner (2001)} worked out

RPOs

for a graphical formalism called

bigraphs

.

➤ _{Sassone and Sobocinski (2002)} introduced

GRPOs

to handle calculi with

non-trivial structural congruences.

➤ _{Jensen and Milner (2003)} derived (essentially) the usual π labelled bisimulation on asynchronous π using

RPOs

.

➤ _{Sassone and Sobocinski (2003)} worked out an easy encoding of Milner’s

pre-category approach into the

G

-world.

➤ _{Jensen and Milner (2004)} found

(G)RPOs

for

ambient-calculus

and for

weak

bisimulations

.

➤ _{Sassone and Sobocinski (2004)} derived

GRPOs

for generic

graph structures

and

graph rewrite systems

. So far, the price of the initial 2-categorical investment seems

worth

paying. . .

Future Work

➤ Extend to more complicated

process calculi

with complex structural

Applying (G)RPOs

➤ _{Milner (2001)} worked out

RPOs

for a graphical formalism called

bigraphs

.

➤ _{Sassone and Sobocinski (2002)} introduced

GRPOs

to handle calculi with

non-trivial structural congruences.

➤ _{Jensen and Milner (2003)} derived (essentially) the usual π labelled bisimulation on asynchronous π using

RPOs

.

➤ _{Sassone and Sobocinski (2003)} worked out an easy encoding of Milner’s

pre-category approach into the

G

-world.

➤ _{Jensen and Milner (2004)} found

(G)RPOs

for

ambient-calculus

and for

weak

bisimulations

.

➤ _{Sassone and Sobocinski (2004)} derived

GRPOs

for generic

graph structures

and

graph rewrite systems

.

So far, the price of the initial 2-categorical investment seems

worth

paying. . .

Future Work

➤ Extend to more complicated

process calculi

with complex structural