Capacity Bounded Computational Ambients (talk)

¿ ≪ ≫ À

Capacity-Bounded

Computational Ambients

FOSAD 2002, Bertinoro 25.09.02

Vladimiro Sassone

University of Sussex,

A Global Computing Scenario

Global Computing

refers to computation via the sharing of a seamless, distributed, open-ended network of bounded resource by agents of all sort (possibly malicious), acting with partial knowledge and no central coordination.

AmI: Ambient Intelligence: Some of the technologies just behind the corner

Personal Area Networks (PAN) Vehicle Area Networks (VAN) Personal Communication Device (P-Com) Digital Me (D-Me)

Automated Debiting Systems (ADS) . . . Devices that are _{carried along} and _exit and _enter domains.

Some of the aspects involved:

localities mobility and migration

diversity communication

open endedness no central control

no a priori trustworthy authority malicious entities

¿ ≪ ≫ À

A Global Computing Scenario

Global Computing

refers to computation via the sharing of a seamless, distributed, open-ended network of bounded resource by agents of all sort (possibly malicious), acting with partial knowledge and no central coordination.

AmI: Ambient Intelligence: Some of the technologies just behind the corner

Personal Area Networks (PAN) Vehicle Area Networks (VAN) Personal Communication Device (P-Com) Digital Me (D-Me)

Automated Debiting Systems (ADS) . . . Devices that are _{carried along} and _exit and _enter domains.

Some of the aspects involved:

localities mobility and migration

diversity communication

open endedness no central control

no a priori trustworthy authority malicious entities

partial knowledge. . . and its acquisition

A Global Computing Scenario

Global Computing

refers to computation via the sharing of a seamless, distributed, open-ended network of bounded resource by agents of all sort (possibly malicious), acting with partial knowledge and no central coordination.

AmI: Ambient Intelligence: Some of the technologies just behind the corner

Personal Area Networks (PAN) Vehicle Area Networks (VAN) Personal Communication Device (P-Com) Digital Me (D-Me)

Automated Debiting Systems (ADS) . . . Devices that are _{carried along} and _exit and _enter domains.

Some of the aspects involved:

localities mobility and migration

diversity communication

¿ ≪ ≫ À

Global Computing Requirements

Requirements:

Dynamic Learning and Checking about Environment and Peers Trust Formation and Management

Location Awareness

Security: Authentication, Privacy, Non Repudiation Policies of Access Control and their Enforcement

Negotiation of Access, Access Rights, Resource Acquisition Protection of Resource Bounds

and more. . .

Typical Devices:

Today: _{Smart Cards, Embedded devs (e.g. in cars), Mobile phones, PDAs, Sat navigators, . . .} Tomorrow: _{PAN, VAN, D-ME, P-COM, . . .}

In this lecture we focus on

Capacity Bounds Awareness

.

Global Computing Requirements

Requirements:

Dynamic Learning and Checking about Environment and Peers Trust Formation and Management

Location Awareness

Security: Authentication, Privacy, Non Repudiation Policies of Access Control and their Enforcement

Negotiation of Access, Access Rights, Resource Acquisition Protection of Resource Bounds

and more. . .

Typical Devices:

¿ ≪ ≫ À

Roadmap

Part I – Objective Mobility: MR

Objective Mobility

Bounded Capacity Slots

nbrc k n B m.P k mb•c & nb•c k P k mbrc

objective move capability

available slot

Part II – Subjective Mobility: BoCa

Subjective Mobility

Bounded Capacity Ambients

Space as a linear co-capability. Finer Control of Capacity.

a[ inb. P | Q ] | b[ | R ] & | b[ a[ P | Q ] | R ]

subject move capability

space co-capability

Roadmap

Part I – Objective Mobility: MR

Objective Mobility

Bounded Capacity Slots

nbrc k n B m.P k mb•c & nb•c k P k mbrc

objective move capability

available slot

Part II – Subjective Mobility: BoCa

Subjective Mobility

Bounded Capacity Ambients

Space as a linear co-capability. Finer Control of Capacity.

a[ inb. P | Q ] | b[ | R ] & | b[ a[ P | Q ] | R ]

¿ ≪ ≫ À

A Calculus of Mobile Resources

The elements of the calculus

Empty slot

: nb•c;

Slot

containing a resource nbrc; unitary slot

capacity

:

nb•c may receive a resource from the context: nb•c à nbrc; nbrc can only emit r to the context: nbrc à nb•c;

Objective movement

: nbrc k n B m.p k mb•c & nb•c k p k mbrc

Synchronisation

:

local: α.p k α.q & p k q

with resources: nα.p k nbα.qc & p k nbqc

Slot

deletion

: nbr c_m k \m.q & q

Resource

hiding

nbrc k (k)(n B k.p k kb•c) & nb•c k (k)(p k kbrc) Deep

nesting

of resources: n₀b· · ·n_kbrc · · ·c

A Calculus of Mobile Resources

The elements of the calculus

Empty slot

: nb•c;

Slot

containing a resource nbrc; unitary slot

capacity

:

nb•c may receive a resource from the context: nb•c à nbrc; nbrc can only emit r to the context: nbrc à nb•c;

Objective movement

: nbrc k n B m.p k mb•c & nb•c k p k mbrc

Synchronisation

:

local: α.p k α.q & p k q

with resources: nα.p k nbα.qc & p k nbqc

Slot

deletion

: nbr c_m k \m.q & q

¿ ≪ ≫ À

A Calculus of Mobile Resources

The elements of the calculus

Empty slot

: nb•c;

Slot

containing a resource nbrc; unitary slot

capacity

:

nb•c may receive a resource from the context: nb•c à nbrc; nbrc can only emit r to the context: nbrc à nb•c;

Objective movement

: nbrc k n B m.p k mb•c & nb•c k p k mbrc

Synchronisation

:

local: α.p k α.q & p k q

with resources: nα.p k nbα.qc & p k nbqc

Slot

deletion

: nbr c_m k \m.q & q

Resource

hiding

nbrc k (k)(n B k.p k kb•c) & nb•c k (k)(p k kbrc) Deep

nesting

of resources: n₀b· · ·n_kbrc · · ·c

A Calculus of Mobile Resources

The elements of the calculus

Empty slot

: nb•c;

Slot

containing a resource nbrc; unitary slot

capacity

:

nb•c may receive a resource from the context: nb•c à nbrc; nbrc can only emit r to the context: nbrc à nb•c;

Objective movement

: nbrc k n B m.p k mb•c & nb•c k p k mbrc

Synchronisation

:

local: α.p k α.q & p k q

with resources: nα.p k nbα.qc & p k nbqc

Slot

deletion

: nbr c_m k \m.q & q

¿ ≪ ≫ À

A Calculus of Mobile Resources

The elements of the calculus

Empty slot

: nb•c;

Slot

containing a resource nbrc; unitary slot

capacity

:

nb•c may receive a resource from the context: nb•c à nbrc; nbrc can only emit r to the context: nbrc à nb•c;

Objective movement

: nbrc k n B m.p k mb•c & nb•c k p k mbrc

Synchronisation

:

local: α.p k α.q & p k q

with resources: nα.p k nbα.qc & p k nbqc

Slot

deletion

: nbr c_m k \m.q & q Resource

hiding

nbrc k (k)(n B k.p k kb•c) & nb•c k (k)(p k kbrc)

Deep

nesting

of resources: n₀b· · ·n_kbrc · · ·c

A Calculus of Mobile Resources

The elements of the calculus

Empty slot

: nb•c;

Slot

containing a resource nbrc; unitary slot

capacity

:

nb•c may receive a resource from the context: nb•c à nbrc; nbrc can only emit r to the context: nbrc à nb•c;

Objective movement

: nbrc k n B m.p k mb•c & nb•c k p k mbrc

Synchronisation

:

local: α.p k α.q & p k q

with resources: nα.p k nbα.qc & p k nbqc

Slot

deletion

: nbr c_m k \m.q & q

hiding

B

¿ ≪ ≫ À

A Calculus of Mobile Resources

The elements of the calculus

Empty slot

: nb•c;

Slot

containing a resource nbrc; unitary slot

capacity

:

nb•c may receive a resource from the context: nb•c à nbrc; nbrc can only emit r to the context: nbrc à nb•c;

Objective movement

: nbrc k n B m.p k mb•c & nb•c k p k mbrc

Synchronisation

:

local: α.p k α.q & p k q

with resources: nα.p k nbα.qc & p k nbqc

Slot

deletion

: nbr c_m k \m.q & q

Resource

hiding

nbrc k (k)(n B k.p k kb•c) & nb•c k (k)(p k kbrc) Deep

nesting

of resources: n₀b· · ·n_kbrc · · ·c

MR: Syntax

Names

N and

co-names

N: α ∈ N ∪ N.

Direction paths

: δ ∈ N+, γ ∈ N∗.

Action prefixes

: λ ::= γα | δ B δ0 | \γn

Processes

: P:

p, q ::= 0 | λ.p | p k p | (n)p | !p | nbr c_m

¿ ≪ ≫ À

MR: Structural Congruence

A

structural congruence

is used to quotient terms to suitably abstract entities, so as to dispense with boring details (e.g. associativity of k).

≡ is the least congruence on P satisfying alpha-conversion and

p k 0 ≡ p p k q ≡ q k p

(p k q) k s ≡ p k (q k s)

(k)0 ≡ 0

(k)p k q ≡ (k)(p k q), if n 6∈ fn(q)

(k)nbr c_m ≡ nb(k)pc_m, if k 6∈ {n, m}

!p ≡ !p k p

What is a Reduction Systems

A reduction system over a signature Σ is a relation & ⊆ T_Σ × T_Σ, T_Σ is the set of

terms

Σ.

Reduction systems are often presented parametrically.

Contexts

: terms with variables: C_{[x1, . . . , xn]}

Reduction rules

: set R _{of parametric rewriting rules:} C_{[x1, . . . , xn] &} D_{[x1, . . . , xn].}

Evaluation Contexts

: chosen set E _{of single-variable contexts.}

¿ ≪ ≫ À

MR: Reduction Semantics

Direction path

contexts C_{γ and} D_{δ by}

C_{² ::= (−)} C_{nγ ::= nb}C_{γ k pc}

m

D_{γn ::=} C_γ(nb(−)c

m)x

& is the least relation closed under ≡ and under evaluation contexts, E _such

that

γδ₁ B γδ₂.p k C_γ¡ D_δ

1(r) k Dδ2(•)

¢

& p k C_γ¡D_δ

1(•) k Dδ2(r)

¢

γα.p k C_{γ(α.q ) & p k} C_{γ(q )}

\γm.p k C_{γ(nbr c}

m) & p k Cγ(0)

where E _{::= (−) | nb}E _c

m | E k p | (n)E.

Reduction Barbed Congruence

Barbs

:

p↓n if p ≡ (˜n)(α.p0 k q), where α ∈ {n, n} and n 6∈ n.˜

Barbed bisimulation congruence

:

The largest congruence ∼b such that if p ∼b q then

p & p0 implies ∃q & q0 such that p0 ∼b q0 (

reduction closed

) p↓n iff q↓n (

barb-preserving

)

¿ ≪ ≫ À

Reduction Barbed Congruence

Barbs

:

p↓n if p ≡ (˜n)(α.p0 k q), where α ∈ {n, n} and n 6∈ n.˜

Barbed bisimulation congruence

:

The largest congruence ∼b such that if p ∼b q then

p & p0 implies ∃q & q0 such that p0 ∼b q0 (

reduction closed

) p↓n iff q↓n (

barb-preserving

)

Note

: To prove that p ∼b q one must prove that they (and all their reducts) produce the matching observations (_barbs) in all contexts (_congruence).

Reduction Barbed Congruence

Barbs

:

p↓n if p ≡ (˜n)(α.p0 k q), where α ∈ {n, n} and n 6∈ n.˜

Barbed bisimulation congruence

:

The largest congruence ∼b such that if p ∼b q then

p & p0 implies ∃q & q0 such that p0 ∼b q0 (

reduction closed

) p↓n iff q↓n (

barb-preserving

)

¿ ≪ ≫ À

Example

Resources cannot be copied

.

A model of a pre-paid cash card (the resource b) in the slot a of a vending machine that delivers a cup of coffee (action c) for each cash card of the right kind, b,

inserted in a.

(b)¡abbc k !ab.c¢ ∼b (b) ¡

abbc k ab.c¢

If there exists only one card of the ‘right’ type, then there will ever be only one cup of coffee: the cash card cannot be copied.

Exercise:

Use the operational definition to convince yourself of the ∼b-equation above.

Example

Resources cannot be copied

.

A model of a pre-paid cash card (the resource b) in the slot a of a vending machine that delivers a cup of coffee (action c) for each cash card of the right kind, b,

inserted in a.

(b)¡abbc k !ab.c¢ ∼b (b) ¡

abbc k ab.c¢

If there exists only one card of the ‘right’ type, then there will ever be only one cup of coffee: the cash card cannot be copied.

Exercise:

¿ ≪ ≫ À

Scope and Mobility

The interplay of upward and downward moves and scope is a major challenge.

C₁ , _{cb(−)c k a,} C₂ , _{db(−)c k da .b}

p , (a)C₁₍C_{2(•)) = (a)}¡ _{cbdb•c k da.bc k a} ¢_. Suppose in fact that p and q are inserted into the context

C _{= xb(−)c k yb•c k xc} B _{y .x} B _yd.

Then C_{(p) reduces (in two steps) to}

(a)¡ xb•c k ybC₂₍C_{1(•)) c}¢ _{= (a)}¡_{xb•c k ybdbcb•c k ac k da.bc),}

where C_{1 and} C_{2 have swapped place. Now the b-action may be unleashed upon}

synchronisation on a.

Scope and Mobility

The interplay of upward and downward moves and scope is a major challenge.

C₁ , _{cb(−)c k a,} C₂ , _{db(−)c k da .b}

p , (a)C₁₍C_{2(•)) = (a)}¡ _{cbdb•c k da.bc k a} ¢_.

It seems that no resource can be inserted into the empty slot d to synchronise with the da-action; similarly, no process can ever synchronise with the a action at

top-level. It then follow that p behaves like q , (a)(cbdb•cc).

Yet, this is not the case. Under a suitable context, it is possible for the process a to change its role from being the parent of da .b to being its child in the slot named d. Suppose in fact that p and q are inserted into the context

C _{= xb(−)c k yb•c k xc} B _{y .x} B _yd.

Then C_{(p) reduces (in two steps) to}

(a)¡ xb•c k ybC₂₍C_{1(•)) c}¢ _{= (a)}¡_{xb•c k ybdbcb•c k ac k da.bc),}

where C_{1 and} C_{2 have swapped place. Now the b-action may be unleashed upon}

¿ ≪ ≫ À

Scope and Mobility

The interplay of upward and downward moves and scope is a major challenge.

C₁ , _{cb(−)c k a,} C₂ , _{db(−)c k da .b}

p , (a)C₁₍C_{2(•)) = (a)}¡ _{cbdb•c k da.bc k a} ¢_.

Suppose in fact that p and q are inserted into the context

C _{= xb(−)c k yb•c k xc} B _{y .x} B _yd.

Then C_{(p) reduces (in two steps) to}

(a)¡ xb•c k ybC₂₍C_{1(•)) c}¢ _{= (a)}¡_{xb•c k ybdbcb•c k ac k da.bc),}

where C_{1 and} C_{2 have swapped place. Now the b-action may be unleashed upon}

synchronisation on a.

Digital Signature Card

Enc_k (Deck) encrypts (decrypts) resources received in its in-buffer with key k, and returns the encrypted resource via its out-buffer.

Enck , !(reg)(in B reg k.reg B out k regbkb•cc) k inb•c k outb•c

Deck , !(reg)(in B reg.reg k B out. k regb•c) k inb•c k outb•c If k is a shared secret between Alice and Bob, then Alice can send messages

secretly to Bob.

Alicek,M , (m)(a) ¡

abEnckc k mbMc k m B a in .a out B network ¢

Bobk , (m)(b)(bbDeckc k mb•c k network B b in. b out B m)

SecretComM , (k) ¡

Alicek,M k Bobk ¢

k networkb•c

Digital signature card which generates the key and exports the decryption resource (as many times as needed) but keeps the encryption resource private.

¿ ≪ ≫ À

Digital Signature Card

Enc_k (Deck) encrypts (decrypts) resources received in its in-buffer with key k, and returns the encrypted resource via its out-buffer.

Enck , !(reg)(in B reg k.reg B out k regbkb•cc) k inb•c k outb•c

Deck , !(reg)(in B reg.reg k B out. k regb•c) k inb•c k outb•c

If k is a shared secret between Alice and Bob, then Alice can send messages secretly to Bob.

Alicek,M , (m)(a) ¡

abEnckc k mbMc k m B a in .a out B network ¢

Bobk , (m)(b)(bbDeckc k mb•c k network B b in. b out B m)

SecretComM , (k) ¡

Alicek,M k Bobk ¢

k networkb•c

Digital signature card which generates the key and exports the decryption resource (as many times as needed) but keeps the encryption resource private.

SignatureCard , (k)¡ !exportbDeckc k Enck ¢

Digital Signature Card

Enc_k (Deck) encrypts (decrypts) resources received in its in-buffer with key k, and returns the encrypted resource via its out-buffer.

Enck , !(reg)(in B reg k.reg B out k regbkb•cc) k inb•c k outb•c

Deck , !(reg)(in B reg.reg k B out. k regb•c) k inb•c k outb•c

If k is a shared secret between Alice and Bob, then Alice can send messages secretly to Bob.

Alicek,M , (m)(a) ¡

abEnckc k mbMc k m B a in .a out B network ¢

Bobk , (m)(b)(bbDeckc k mb•c k network B b in. b out B m)

SecretComM , (k) ¡

Alicek,M k Bobk ¢

k networkb•c

0 0 0 0

Digital signature card which generates the key and exports the decryption resource (as many times as needed) but keeps the encryption resource private.

¿ ≪ ≫ À

Digital Signature Card

Enc_k (Deck) encrypts (decrypts) resources received in its in-buffer with key k, and returns the encrypted resource via its out-buffer.

Enck , !(reg)(in B reg k.reg B out k regbkb•cc) k inb•c k outb•c

Deck , !(reg)(in B reg.reg k B out. k regb•c) k inb•c k outb•c

If k is a shared secret between Alice and Bob, then Alice can send messages secretly to Bob.

Alicek,M , (m)(a) ¡

abEnckc k mbMc k m B a in .a out B network ¢

Bobk , (m)(b)(bbDeckc k mb•c k network B b in. b out B m)

SecretComM , (k) ¡

Alicek,M k Bobk ¢

k networkb•c

Digital signature card which generates the key and exports the decryption resource (as many times as needed) but keeps the encryption resource private.

SignatureCard , (k)¡ !exportbDeckc k Enck ¢

What is a Labelled Transition System?

Rather than describing the internal behaviour of a system (_reductions) it describe the _interactions this is willing to offer to the surrounding enviroment.

These are characterised and described using label transitions, where a transition indicates an activitiy and a label classifies it.

For instance client − ‘insert coin’ → client0. Or perhaps, machine − ‘delivers candy’ → machine0.

This yield a _{compositional} semantics, as e.g.:

client − ‘insert coin’ → client0 machine − ‘delivers candy’ → machine0 client | machine − ‘jum’ → client0 | machine0

¿ ≪ ≫ À

MR: A Compositional Operational Semantics

The

labelled transition semantics

consists of CCS-like rules plus rules for:

Nested resources

Mobility

– a three party interaction: move + exit + enter

Scope extension

Slot deletion

(prefix)

λ.p −→λ p

(rest)

p −→π p0

n 6∈ fn(π) ∪bn(π) (n)p −→π (n)p0

(rep)

p k !p −→π p0

!p −→π p0

(sync)

p₁ −→(˜n)π p0₁ p₂ −→π p0₂

fn(p₂) ∩n˜ = ∅

p₁ k p₂ −→τ (˜n)(p0₁ k p0₂)

(sym)

p k q −→π p0 k q

q k p −→π q k p0

(par)

p −→π p0

fn(q) ∩bn(π) = ∅

p k q −→π p0 k q

MR: A Compositional Operational Semantics

The

labelled transition semantics

consists of CCS-like rules plus rules for:

Nested resources

Mobility

– a three party interaction: move + exit + enter

Scope extension

Slot deletion

(prefix)

λ.p −→λ p

(rest)

p −→π p0

n 6∈ fn(π) ∪bn(π) (n)p −→π (n)p0

(rep)

p k !p −→π p0

!p −→π p0

(sync)

p₁ −→(˜n)π p0₁ p₂ −→π p0₂

fn(p₂) ∩n˜ = ∅

¿ ≪ ≫ À

Labelled Transition Semantics – Nesting

Labels of the form δα capture path communication by synchronising with directed actions of the form δα which appear as prefixes in the calculus.

(nesting)

p −→π p0 nbpc n−→·(π) nbp0c

where · ‘distributes’ n over (a potentially complex) π.

α.q −→α q

mbα.qc −→mα mbqc mα.p0 −→mα p0

mbα.qc k mα.p0 −→τ mbqc k p0

nbmbα.qc k mα.p0c −→τ nbmbqc k p0c

where m · (α) = mα and m · (τ) = τ

Labelled Transition Semantics – Nesting

Labels of the form δα capture path communication by synchronising with directed actions of the form δα which appear as prefixes in the calculus.

For instance: nba.pc −→na nbpc

(nesting)

p −→π p0 nbpc n−→·(π) nbp0c

where · ‘distributes’ n over (a potentially complex) π.

α.q −→α q

mbα.qc −→mα mbqc mα.p0 −→mα p0

mbα.qc k mα.p0 −→τ mbqc k p0

nbmbα.qc k mα.p0c −→τ nbmbqc k p0c

¿ ≪ ≫ À

Labelled Transition Semantics – Nesting

Labels of the form δα capture path communication by synchronising with directed actions of the form δα which appear as prefixes in the calculus.

(nesting)

p −→π p0 nbpc n−→·(π) nbp0c

where · ‘distributes’ n over (a potentially complex) π.

α.q −→α q

mbα.qc −→mα mbqc mα.p0 −→mα p0

mbα.qc k mα.p0 −→τ mbqc k p0

nbmbα.qc k mα.p0c −→τ nbmbqc k p0c

where m · (α) = mα and m · (τ) = τ

Labelled Transition Semantics – Nesting

Labels of the form δα capture path communication by synchronising with directed actions of the form δα which appear as prefixes in the calculus.

(nesting)

p −→π p0 nbpc n−→·(π) nbp0c

where · ‘distributes’ n over (a potentially complex) π.

α.q −→α q

mbα.qc −→mα mbqc mα.p0 −→mα p0

mbα.qc k mα.p0 −→τ mbqc k p0

¿ ≪ ≫ À

Labelled Transition Semantics – HO Labels

Modelling the three-party interaction required for the movement of resources needs higher-order labels.

δBhpi (p exits from δ) and (p)Bδ (p enters in δ).

The corresponding co-labels are δB(p) and hpiBδ. Labels of the form δ₁Bδ₂ are the co-actions of the _(move) action δ₁ B δ₂

Summing up

δ₁ B δ₂ coalesces with δ₁Bhpi yielding hpiBδ₂, δ₁ B δ₂ coalesces with (p)Bδ₂ yielding δ₁B(p), δ₁Bhpi coalesces with (p)Bδ₂ yielding δ₁Bδ₂.

Labelled Transition Semantics – HO Labels

Modelling the three-party interaction required for the movement of resources needs higher-order labels.

δBhpi (p exits from δ) and (p)Bδ (p enters in δ).

The corresponding co-labels are δB(p) and hpiBδ. For instance

nbpc n−→Bhpi nb•c _(exit), mb•c (p)−→Bm mbpc _(enter).

which may synchronise

nbpc k mb•c −→nBm nb•c k mbpc _(co-move)

Labels of the form δ₁Bδ₂ are the co-actions of the _(move) action δ₁ B δ₂ Labels of the form δ₁Bδ₂ are the co-actions of the _(move) action δ₁ B δ₂

Summing up

¿ ≪ ≫ À

Labelled Transition Semantics – HO Labels

Modelling the three-party interaction required for the movement of resources needs higher-order labels.

δBhpi (p exits from δ) and (p)Bδ (p enters in δ).

The corresponding co-labels are δB(p) and hpiBδ.

Labels of the form δ₁Bδ₂ are the co-actions of the _(move) action δ₁ B δ₂ Summing up

δ₁ B δ₂ coalesces with δ₁Bhpi yielding hpiBδ₂, δ₁ B δ₂ coalesces with (p)Bδ₂ yielding δ₁B(p), δ₁Bhpi coalesces with (p)Bδ₂ yielding δ₁Bδ₂.

Labelled Transition Semantics – HO Labels

Modelling the three-party interaction required for the movement of resources needs higher-order labels.

δBhpi (p exits from δ) and (p)Bδ (p enters in δ).

The corresponding co-labels are δB(p) and hpiBδ.

Labels of the form δ₁Bδ₂ are the co-actions of the _(move) action δ₁ B δ₂ Also, _(exit) and _(move) transitions may

nbpc k n B m .q hpi−→Bm nb•c k q _(give)

ready for a _(enter) transition. Same for _(enter) and _(move)

mb•c k n B m.q n−→B(p) mbpc k q _(take), Summing up

¿ ≪ ≫ À

Labelled Transition Semantics – HO Labels

Modelling the three-party interaction required for the movement of resources needs higher-order labels.

δBhpi (p exits from δ) and (p)Bδ (p enters in δ).

The corresponding co-labels are δB(p) and hpiBδ.

Labels of the form δ₁Bδ₂ are the co-actions of the _(move) action δ₁ B δ₂ Summing up

δ₁ B δ₂ coalesces with δ₁Bhpi yielding hpiBδ₂, δ₁ B δ₂ coalesces with (p)Bδ₂ yielding δ₁B(p), δ₁Bhpi coalesces with (p)Bδ₂ yielding δ₁Bδ₂.

Labelled Transition Semantics – Mobility (I)

(exit)

nbpc_m n−→Bhpi nb • c_m

(enter)

nb • c_m (p)−→Bn nbpc_m

(co-move)

p₁ δ1−→Bhqi p₁0 p₂ (q)−→Bδ2 p0₂

p₁ k p₂ δ−→1Bδ2 p0₁ k p0₂

nk B m.p nk−→Bm p

kbqc k−→Bhqi kb•c

nbkbqcc nk−→Bhqi nbkb•cc mb•c (−→q)Bm mbqc

nbkbqcc k mb•c nk−→Bm nbkb•cc k mbqc

¿ ≪ ≫ À

Labelled Transition Semantics – Mobility (I)

(exit)

nbpc_m n−→Bhpi nb • c_m

(enter)

nb • c_m (p)−→Bn nbpc_m

(co-move)

p₁ δ1−→Bhqi p₁0 p₂ (q)−→Bδ2 p0₂

p₁ k p₂ δ−→1Bδ2 p0₁ k p0₂

nk B m.p nk−→Bm p

kbqc k−→Bhqi kb•c

nbkbqcc nk−→Bhqi nbkb•cc mb•c (−→q)Bm mbqc

nbkbqcc k mb•c nk−→Bm nbkb•cc k mbqc

nk B m.p k nbkbqcc k mb•c −→τ p k nbmb•cc k n0bqc

Labelled Transition Semantics – Mobility (II)

(co-enter)

p₁ δ−→1Bhqi p₁0 p₂ δ−→1Bδ2 p0₂ p₁ k p₂ h−→qiBδ2 p0₁ k p0₂

(co-exit)

p₂ δ−→1Bδ2 p0₂ p₁ (−→q)Bδ2 p0₁ p₁ k p₂ δ−→1B(q) p0₁ k p0₂

n B m.p −→nBm p mb•c (−→q)Bm mbqc

n B m.p k mb•c n−→B(q) p k mbqc

¿ ≪ ≫ À

Labelled Transition Semantics – Mobility (II)

(co-enter)

p₁ δ−→1Bhqi p₁0 p₂ δ−→1Bδ2 p0₂ p₁ k p₂ h−→qiBδ2 p0₁ k p0₂

(co-exit)

p₂ δ−→1Bδ2 p0₂ p₁ (−→q)Bδ2 p0₁ p₁ k p₂ δ−→1B(q) p0₁ k p0₂

n B m.p −→nBm p mb•c (−→q)Bm mbqc

n B m.p k mb•c n−→B(q) p k mbqc

m 6∈ (fn(q) ∪ {n}) (m)(n B m.p k mb•c) n−→B(q) (m)(p k mbqc)

Labelled Transition Semantics – Scope extension

(open)

p (˜n−→)δBhqi p0

n∈fn(q)\(fn(δ)∪n˜)

(n)p (nn˜−→)δBhqi p0

(sync)

p₁ −→(˜n)π p0₁ p₂ −→π p0₂

fn(p_{2 )}∩n˜=∅

p₁ k p₂ −→τ (˜n)(p0₁ k p0₂) . . .

nbkc k nk n−→Bhki nb•c k nk

(k)(nbkc k nk) (k−→)nBhki nb•c k nk

. . .

n B m k mb•c n−→B(k) mbkc

¿ ≪ ≫ À

Labelled Transition Semantics – Scope extension

(open)

p (˜n−→)δBhqi p0

n∈fn(q)\(fn(δ)∪n˜)

(n)p (nn˜−→)δBhqi p0

(sync)

p₁ −→(˜n)π p0₁ p₂ −→π p0₂

fn(p_{2 )}∩n˜=∅

p₁ k p₂ −→τ (˜n)(p0₁ k p0₂)

. . .

nbkc k nk n−→Bhki nb•c k nk

(k)(nbkc k nk) (k−→)nBhki nb•c k nk

. . .

n B m k mb•c n−→B(k) mbkc

(k)(nbkc k nk) k n B m k mb•c −→τ (k)(nb•c k nk k mbkc)

Labelled Transition Semantics – Resource receptors

Resource receptors

replace higher order exit and co-enter actions.

p (˜n−→)hqiBδ p0

fn(D

δ)∩n˜=∅

p B−→δ(Dδ) (˜n)¡p0 k D_δ(q)¢

p (˜n)δ

0_Bhqi

−→ p0

(fn(C_γ)∪fn(D

δ))∩n˜=∅

p (Cγ)δ

0_B(D

δ)

¿ ≪ ≫ À

LTS: The rules

(exit)

nbpc_m n−→Bhpid nb • c_m

(enter)

nb • c_m (p)−→Bn nbpc_m

(give)

p₁ (˜n)δ−→1Bhqi p₁0 p₂ δ−→1Bδ2 p0₂

fn(p₂) ∩ n˜ = ∅

p₁ k p₂ (˜n)−→hqiBδ2 p0₁ k p0₂

(take)

p₂ δ−→1Bδ2 p₂0 p₁ (q)−→Bδ2 p0₁

p₁ k p₂ δ−→1B(q) p0₁ k p0₂

(co-move)

p₁ (˜n)δ−→1Bhqi p0₁ p₂ (q)−→Bδ2 p0₂

fn(p₂) ∩n˜ = ∅

p₁ k p₂ δ−→1Bδ2 (˜n)(p0₁ k p0₂) (nesting)

p −→π p0

nbpc_m n−→·(π) nbp0 c_m

(delete)

˜

nbrc_m −→\m 0

(alpha)

p ≡α p0 p0 −→π q

p −→π q

(open1)

p (˜n)δ−→Bhqi p0

n∈fn(q)\(fn(δ)∪n˜)

(n)p (nn)δ˜−→Bhqi p0

(open2)

p (˜n)−→hqiBδ p0

n∈fn(q)\(fn(δ)∪n˜)

(n)p (nn)˜−→hqiBδ p0

MR: Labelled Transition Bisimulation

Bisimulation

∼ is the largest symmetric relation such that if p ∼ q then

p −→ψ p0 implies ∃q −→ψ q0 such that p0 ∼ q0

Thm:

∼ is a congruence.

Thm:

∼b = ∼.

Note:

To prove that p ∼ q we do not need to prove it for all contexts (_congruence).

Exercise:

Resources cannot be copied (revisited):

¿ ≪ ≫ À

MR: Labelled Transition Bisimulation

Bisimulation

∼ is the largest symmetric relation such that if p ∼ q then

p −→ψ p0 implies ∃q −→ψ q0 such that p0 ∼ q0

Thm:

∼ is a congruence.

Thm:

∼b = ∼.

Note:

To prove that p ∼ q we do not need to prove it for all contexts (_congruence).

Exercise:

Resources cannot be copied (revisited):

(b)¡abbc k !ab.c¢ ∼ (b)¡ abbc k ab.c¢

A Copy Capability

Let us consider a

copy

capability that allows duplication of resources.

nbrc k nB>m.p k mb•c & nbrc k p k mbrc

This is interesting in order to provide a finer control of copying: We allow slots to declare if they allow to be copied, and to what slots, using a

Type System

.

What is a Type System?

Type systems are formal systems that assign

types

to

terms

. Types

classify

terms. Most famous application: ‘terms are good if integers are never confused with booleans’. Since the classification should be stable under reductions, if p is good and p &∗ q, we expect q to be good. This fundamental property is called

Subject reduction

. Type systems are often specified by

inference rules

, which allow to ‘deduce’ type assignments.

¿ ≪ ≫ À

A Copy Capability

Let us consider a

copy

capability that allows duplication of resources.

nbrc k nB>m.p k mb•c & nbrc k p k mbrc

This is interesting in order to provide a finer control of copying: We allow slots to declare if they allow to be copied, and to what slots, using a

Type System

.

What is a Type System?

Type systems are formal systems that assign

types

to

terms

. Types

classify

terms. Most famous application: ‘terms are good if integers are never confused with booleans’. Since the classification should be stable under reductions, if p is good and p &∗ q, we expect q to be good. This fundamental property is called

Subject reduction

. Type systems are often specified by

inference rules

, which allow to ‘deduce’ type assignments.

In our case, we classify processes as good if they don’t attempt to copy resources (and more) unless explicitly permitted.

A Copy Capability

Let us consider a

copy

capability that allows duplication of resources.

nbrc k nB>m.p k mb•c & nbrc k p k mbrc

This is interesting in order to provide a finer control of copying: We allow slots to declare if they allow to be copied, and to what slots, using a

Type System

.

What is a Type System?

¿ ≪ ≫ À

MR: A Type System for Resource Control

π ::= [S,T,M,C,X,D]

process types

performs synchronisation with names in S

performs moving/copying to names in T

performs moving resources from names in M

performs copying from names in C

performs actions crossing names in X

performs deletion of names in D

ν ::= π_\

name types

replace ‘performs’ with ‘allows’ and can be deleted according to \

\ ::= ¤ _{| 4}

deletion flag

_{can (resp. cannot) be deleted}

µ ::= [X, a]

path type

crosses names in X

and acts on name a

π is ordered componentwise and ∪ is defined accordingly.

MR: A Type System

Environments:

E ::= ∅ | E, n : ν

Judgments:

E ` ¦ good environment

E ` ν good name type ν E ` µ good path type µ

E ` π good group and process type π

¿ ≪ ≫ À

MR: A Type System: Paths and Labels

(Path Start)

E, a : ν ` ¦

α ∈ {a, a} E, a : ν ` α : [∅, a]

(Path Formation)

E, n : ν ` δ : [X, a]

E, n : ν ` nδ : [X ∪ {n}, a]

(Label co-Sync)

E, n : ν ` δ : [X, a]

E, n : ν ` δn : [{n},∅,∅,∅,X,∅]

(Label Sync)

E, n : ν ` δ : [X, a]

E, n : ν ` δn : [{n},∅,∅,∅,X,∅]

(Label Move)

E, a : π_\, b : π_\00 ` δ : [X, a] E, a : π<sub>\</sub>, b : π<sub>\</sub>00 ` δ0 : [X0, b] π ≤ π0

E, a : π_\, b : π_\00 ` δ B δ0 : [∅,{b},{a},∅,X ∪ X0∅] (Label Copy)

E, a : π_\, b : π_\00 ` δ : [X, a] E, a : π<sub>\</sub>, b : π<sub>\</sub>00 ` δ0 : [X0, b] π ≤ π0

E, a : π_\, b : π_\00 ` δB>δ0 : [∅,{b},∅,{a},X ∪ X0∅]

MR: A Type System: Processes

(Label Destroy)

E, a : π¤ ` δ : [X, a]

E ` \δ : [∅,∅,∅,∅,X,{a}]

(Proc 0)

E ` ¦

E ` 0 : [∅,∅,∅,∅,∅,∅]

(Res •)

E ` ¦

E ` • : [∅,∅,∅,∅,∅,∅]

(Proc Pref)

E ` λ : π E ` p : π0

E ` λ.p : π ] π0

(Proc Par)

E ` p : π E ` q : π0

E ` p k q : π ] π0

(Proc Rep)

E ` p : π

E ` !p : π

¿ ≪ ≫ À

Subject Reduction

Thm.

If E ` p : π and p & q, then E ` q : π0 with π0 ≤ π

Exercise:

Can you devise an algorithm of type inference? That is, given a process p_,

A _{(p) = hE, πi such that E ` p : π . . .}

Intermezzo

— Part II —

De Dimensionibus, Capacitatis et

Mobilitate Calculus

¿ ≪ ≫ À

A Criticism to MR

The model is fitting for the area it was meant to work for, but it doesn’t scale up to other situations where you want resources to matter.

Main criticisms:

Not realistic on the space occupation. All processes take one slot.

nbbig and fat Pc k mb•c k nbsmall and slim Pc k n B m

Replication is not handled appropriately

ab!Pc = ab!P k Pc = ab!P k P k Pc = ab!P k P k P k Pc = . . .

It doesn’t really allow an analisys of variation in space occupation: Computation takes space, dynamically, and we’d like to model it.

A Criticism to MR

The model is fitting for the area it was meant to work for, but it doesn’t scale up to other situations where you want resources to matter.

Main criticisms:

Not realistic on the space occupation. All processes take one slot.

nbbig and fat Pc k mb•c k nbsmall and slim Pc k n B m

Replication is not handled appropriately

ab!Pc = ab!P k Pc = ab!P k P k Pc = ab!P k P k P k Pc = . . .

¿ ≪ ≫ À

A Calculus of Bounded Capacities: Movement

Fundamentals: Space Conscious Movement

a[ inb.P | Q ] | b[ | R ] & | b[ a[ P | Q ] | R ]

| b[ a[ outb .P | Q ] | R ] & a[ P | Q ] | b[ | R ]

Example: Travelling needs but consumes no space

.

a[ inb .inc.out c. outb .0 ] | b[ | c[ ] ]

&& | b[ | c[ a[ outc .outb .0 ] ] ]

&& a[ 0 ] | b[ | c[ ] ]

A Calculus of Bounded Capacities: Movement

Fundamentals: Space Conscious Movement

a[ inb.P | Q ] | b[ | R ] & | b[ a[ P | Q ] | R ]

| b[ a[ outb .P | Q ] | R ] & a[ P | Q ] | b[ | R ]

Example: Travelling needs but consumes no space

.

a[ inb .inc.out c. outb .0 ] | b[ | c[ ] ]

&& | b[ | c[ a[ outc .outb .0 ] ] ]

¿ ≪ ≫ À

A Calculus of Bounded Capacities: Replication

Fundamentals: Space Conscious Replication

!kP |

k times

z }| {

| . . . | ≡ !kP | P

What is the

!

k

?

A _{type annotation} depending on the size of P. Gives a

typed

reduction

: (1) types appear as conditions on reductions; (2) some of the calculus’ operators make only sense with type annotations.

Notation.

We use k as a shorthand for

k times

z }| {

| . . . | .

Example: Simple recursion

: rec (x)p in q

ppq , substitute x with k in p

Then hhrec (x)p in qii , !kppq | pqq (assuming p has ‘size’ k and q ‘nice’, i.e. spawns no space-grabbing actions in parallel with x).

A Calculus of Bounded Capacities: Replication

Fundamentals: Space Conscious Replication

!kP |

k times

z }| {

| . . . | ≡ !kP | P

What is the

!

k

?

A _{type annotation} depending on the size of P. Gives a

typed

reduction

: (1) types appear as conditions on reductions; (2) some of the calculus’ operators make only sense with type annotations.

Notation.

We use k as a shorthand for

k times

z }| {

| . . . | .

Example: Simple recursion

: rec (x)p in q

¿ ≪ ≫ À

A Calculus of Bounded Capacities: Open

Fundamentals: Space Conscious Incremental Open

It would be possible to use

k _{| opna .P | a}k_{[ Q ] & Q | P |}

but it would not be tight enough: in spite of static types, ambients may change size dynamically. In order to have better control on space usage, we use:

k _{| opna .P | a[ ↑}k_{Q | R ] & Q | P | a[ R ]}

together with a garbage collection rule n[ 0 ] ≡ .

Two readings:

(1) step-wise refinement of open;

(2) spawning of process in the father’s ambient.

BoCa: Open (Examples)

Example: Locks:

lock n.p , opnn.p

unlock n.p , n[ ↑0 ] | p

Example: Communication Channels:

from a to b(m).p , ch[ outa .inb.↑khMi ] (b and the father ambient must provide suitable space for _ch to travel; b must perform opn _ch).

Example: Simple Recursion:

rec (x₁)p₁ . . .(x_n)p_n in q

ppq , substitute x_i with x_i[ ↑0 ] | ki in p

¿ ≪ ≫ À

BoCa: Open (Examples)

Example: Locks:

lock n.p , opnn.p

unlock n.p , n[ ↑0 ] | p

Example: Communication Channels:

from a to b(m).p , ch[ outa .inb.↑khMi ] (b and the father ambient must provide suitable space for _ch to travel; b must perform opn _ch).

Example: Simple Recursion:

rec (x₁)p₁ . . .(x_n)p_n in q

ppq , substitute x_i with x_i[ ↑0 ] | ki in p

Then hhrec (x₁)p₁ . . .(xn)pn in qii , ( Πi!kiopnxi .ppiq ) | pqq (assuming p_i has ‘size’ k_i and q ‘nice’, i.e. no space-grabbing actions in parallel with x).

BoCa: Open (Examples)

Example: Locks:

lock n.p , opnn.p

unlock n.p , n[ ↑0 ] | p

Example: Communication Channels:

from a to b(m).p , ch[ outa .inb.↑khMi ] (b and the father ambient must provide suitable space for _ch to travel; b must perform opn _ch).

Example: Simple Recursion:

rec (x₁)p₁ . . .(x_n)p_n in q

ppq , substitute x_i with x_i[ ↑0 ] | ki in p

¿ ≪ ≫ À

A Calculus of Bounded Capacities: Transfer

Fundamentals: Space Acquisition and Release

| tra.P | a[ trˆˆ.Q | R ] & P | a[ Q | R | ]

tra .P | a[ trˆˆ.Q | | R ] & | P | a[ Q | R ]

Example: A Memory Module

memMod , 256M B | | !trmalloc . | !tr _free.

A Calculus of Bounded Capacities: Transfer

Fundamentals: Space Acquisition and Release

| tra.P | a[ trˆˆ.Q | R ] & P | a[ Q | R | ]

tra .P | a[ trˆˆ.Q | | R ] & | P | a[ Q | R ]

Example: A Memory Module

¿ ≪ ≫ À

A Calculus of Bounded Capabilities: Syntax

P ::= | 0 | M .P | P | P | M[ P ] | !kP | ↑kP | (νn : π)P | (x : χ)P | hMiP

M ::= ε | x | a | M .M | inM | out M | opn M | trη | trη

η ::= a | ˆˆ

Structural Congruence:

(|,0) is a commutative monoid.

(νa)(P | Q) ≡ (νa)P | Q if a 6∈ fn(Q) (νa)0 ≡ 0

(νa)hMiP ≡ hMi(νa)P if a 6∈ fn(P) (νa)(νb)P ≡ (νb)(νa)P

a[ (νb)P ] ≡ (νb)a[ P ] if a 6= b

!00 ≡ 0

!kP | k ≡ !kP | P n[ 0 ] ≡

A Calculus of Bounded Capabilities: Syntax

P ::= | 0 | M .P | P | P | M[ P ] | !kP | ↑kP | (νn : π)P | (x : χ)P | hMiP

M ::= ε | x | a | M .M | inM | out M | opn M | trη | trη

η ::= a | ˆˆ

Structural Congruence:

(|,0) is a commutative monoid.

(νa)(P | Q) ≡ (νa)P | Q if a 6∈ fn(Q) (νa)0 ≡ 0

(νa)hMiP ≡ hMi(νa)P if a 6∈ fn(P) (νa)(νb)P ≡ (νb)(νa)P

¿ ≪ ≫ À

BoCa: Reduction Semantics

(R-in) a[ inb .P | Q ] | b[ | R ] & | b[ a[ P | Q ] | R ]

(R-out) | b[ a[ outb.P | Q ] | R ] & a[ P | Q ] | b[ | R ]

(R-opn) k | opn a.P | a[ ↑kQ | R ] & Q | P | a[ R ]

(R-trdown) | tra .P | a[ trˆˆ.Q | R ] & P | a[ Q | R | ]

(R-trup) tra.P | a[ trˆˆ.Q | | R ] & | P | a[ Q | R ]

(R-comm) (x : χ)P | hMiQ & P{x ← M} | Q

A System of Capacity Types

Capacity Types:

σ, φ, . . . have pairs of ints hm, Mi, with m ≤ M and 0 ≤ M. Notation: formal sum: σ = k₁ · m + k₂ · M, and σ_m = k₁ and σ_M = k₁.

Exchange Types

: χ ::= Shh | hσ, χi

Process

and

Ambient Types

are pairs of _capacity and _exchange types.

amb : hσ, χi _amb has no less than σ_m and no more than σ_M spaces

proc : hσ, χi _proc takes no less than σ_m and no more than σ_M spaces

cap : φ _cap transforms processes adding φ to their σ

Capacity types are ordered as follows:

¿ ≪ ≫ À

A Typing System: Capabilities

(Axiom)

Γ, n : χ ` n : χ

(Empty)

Γ ` ε : hh0,0i, χi

(Slot)

Γ ` : hh1,1i, χi

(Zero)

Γ ` 0 : hh0,0i, χi

(In)

Γ ` inM : hh0,0i, χi

(Out)

Γ ` outM : hh0,0i, χi

(Transf)

Γ ` trη : h−m, χi

(CoTransf)

Γ ` trη : h+M, χi

(Open)

Γ, M : hσ, χi ` opn M : hh0,0i, χi

(Composition)

Γ ` M : hφ, χi Γ ` M0 : hφ0, χi Γ ` M.M0 : hφ + φ0, χi

A Typing System: Processes

(Prefix)

Γ ` M : hφ, χi Γ ` P : hσ, χi Γ ` M .P : hφ + σ, χi

(Parallel)

Γ ` P : hσ, χi Γ ` Q : hσ0, χi Γ ` P | Q : hσ + σ0, χi

(Input)

Γ, x : χ ` P : hσ, χi Γ ` (x : χ)P : hσ, χi

(Output)

Γ ` M : χ Γ ` P : hσ, χi Γ ` hMiP : hσ, χi

(New)

Γ, a : π ` P : π0

Γ ` (νa : π)P : π0

(Ambient)

Γ, M : hσ0, χi ` P : hσ, χi σ l σ0

Γ, M : hσ0, χi ` M[ P ] : hh1,1i, χ0i

¿ ≪ ≫ À

A Calculus of Bounded Capabilities

Thm: Subject Reduction

If Γ ` P : hσ, χi and P & Q then Γ ` Q : hσ0, χi for some σ0 ≤ σ.

Exercise:

Prove that

Γ ` P : hhn, ni, χi =⇒ n ≥ 0

Exercise:

What would happen if we considered well-typed the replication of processes like tr .0 _or tr .0_? Consider for istance that the process !tr .0 _{would grant away all the free slots of the ambient.}

Exercise:

Consider each of the following processes and say whether they are

typeable

or

dangerous/unsafe

is some way.

starvy , n[ !tr .0 ]

greedy , n[ !tr .0 | ]

floody , n[ !tr . | ]

A Calculus of Bounded Capabilities

Thm: Subject Reduction

If Γ ` P : hσ, χi and P & Q then Γ ` Q : hσ0, χi for some σ0 ≤ σ.

Exercise:

Prove that

Γ ` P : hhn, ni, χi =⇒ n ≥ 0

Exercise:

What would happen if we considered well-typed the replication of processes like tr .0 _or tr .0_? Consider for istance that the process !tr .0 _{would grant away all the free slots of the ambient.}

Exercise:

Consider each of the following processes and say whether they are

typeable

or

dangerous/unsafe

is some way.

¿ ≪ ≫ À

Some References

J.Chr. Godskesen, T. Hildebrandt, V. Sassone,

A Calculus of Mobile

Resources

, CONCUR 2002 and Tech Rep ITU Copenaghen.

F. Barbanera, M. Bugliesi, M. Dezani, V. Sassone,

A Calculus of Bounded

Capacities

(_{BoCa: De Dimensionibus, Capacitatis et Mobilitate}), Work in progress.

K. Crary, S. Weirich,

Resource Bounds Certification

, POPL 2000.

W. Charatonik, A.D. Gordon, J.-M. Talbot,

Finite Control Mobile Ambients

, ESOP 2002.

D. Teller, P. Zimmer, D. Hirschkoff,

Using Ambients to Control Resources

, CONCUR 2002 + Tech Rep ENS Lyon.

Conclusions

In the large:

Resource bounds negotiation and enforcement in GC.

In the small:

Expressivenss of _MR and _BoCa; Smarter types; . . .

In general:

A lot to be done. . .

Acknowledgments.

This lecture reports joint work with several collegues:

Franco Barbanera

,

Michele Bugliesi

,

Mariangiola Dezani

,

Jens Chr. Godskesen

,

Thomas Hildebrandt

.

Advert

:

’R U a PhD Student?

’R U interested in the “Foundations of Global Computing”?

’R U willing to spend x _{months (}6 ≤ x ≤ 12_{) in Sussex}

Would you like to be a Marie Curie Research Fellow?

Apply for a grant to the Marie Curie Traning Site “DisCo: Distributed Computation”

¿ ≪ ≫ À

Conclusions

In the large:

Resource bounds negotiation and enforcement in GC.

In the small:

Expressivenss of _MR and _BoCa; Smarter types; . . .

In general:

A lot to be done. . .

Acknowledgments.

This lecture reports joint work with several collegues:

Franco Barbanera

,

Michele Bugliesi

,

Mariangiola Dezani

,

Jens Chr. Godskesen

,

Thomas Hildebrandt

.

Advert

:

’R U a PhD Student?

’R U interested in the “Foundations of Global Computing”?

’R U willing to spend x _{months (}6 ≤ x ≤ 12_{) in Sussex}

Would you like to be a Marie Curie Research Fellow?

Apply for a grant to the Marie Curie Traning Site “DisCo: Distributed Computation”

http://www.sussex.ac.uk/Units/pgrad/marie-curie/ http://www.susx.ac.uk/projects/disco