Slide 1: Mobile Ambients
Luca Cardelli, Digital Equipment Corporation, Systems Research Center
Andrew D. Gordon, University of Cambridge, Computer Laboratory
Presented by Pravin Shetty, CSE2500
Slide 2: Mobility
- Mobile Computing: computing devices are mobile environments
- Mobile Computation: computations which move among environments are mobile agents
Slide 3: Administrative Domains
- Network level
  - Firewall partitioning of Intranet from Internet
  - Address partitioning of subnet from LAN
- Host level
  - Access to remote resources (disk, CPU, etc.)
- Mobility and access require authorization
Slide 4: Outline
- Overview of approach and related work
- Mobility Calculus: primitives, semantics, and examples
- Complete Ambient Calculus: communication primitives
- Examples and encoding of the asynchronous π-calculus
- Criticisms and Conclusions
Slide 5: Ambients
- Bounded location for computation
  - a web page, an address space, a filesystem, a data object, a laptop, …
  - not a thread, collections of objects, …
- Each ambient has a name, and may contain
  - a collection of local agents
  - a collection of sub-ambients
Slide 6: Names
- May be created, passed around, and used to name new ambients
- May be used to derive capabilities
Slide 7: Related Work
- Obliq, Telescript, Java, Linda
- π-calculus, spi-calculus, Chemical Abstract Machine, join-calculus, LLinda, distributed calculi
Slide 8: Mobility Primitives
  n              names
  P,Q ::=        processes
    (vn)P        restriction
    0            inactivity
    P | Q        composition
    !P           replication
    n[P]         ambient
    M.P          action
  M ::=          capabilities
    in n         can enter n
    out n        can leave n
    open n       can open n
Slide 9: (vn)P  Restriction
- creates a new (unique) name n within the scope of P
- n may be used to name ambients and to operate on ambients by name
- is transparent to reduction: if P → Q then (vn)P → (vn)Q
Slide 10: 0  Inaction
- does nothing
Slide 11: P | Q  Composition
- denotes process P executing in parallel with process Q
- is commutative and associative
- obeys the rule: if P → Q then P | R → Q | R
Slide 12: !P  Replication
- creates as many parallel replicas of P as needed
- may be used to express iteration and recursion
- to be reduced, it is first expanded to P | !P
Slide 13: n[P]  Ambients
- an ambient with name n within which P is executing: if P → Q then n[P] → n[Q]
- may contain nested sub-ambients as well as processes running in parallel:
  n[P1 | … | Pp | m1[…] | … | mq[…]]
Slide 14: in n. P  Entry capability
- instructs the surrounding ambient to enter a sibling ambient n
- if n doesn't exist, it blocks; if more than one exists, any one may be chosen
- reduction rule: n[in m. P | Q] | m[R] → m[n[P | Q] | R]
Slide 15: out n. P  Exit capability
- instructs the surrounding ambient to exit its parent ambient n
- if n doesn't exist, it blocks
- reduction rule: m[n[out m. P | Q] | R] → n[P | Q] | m[R]
Slide 16: open n. P  Open capability
- dissolves the ambient n at the same level as the surrounding ambient
- if n doesn't exist, it blocks; if more than one exists, any one may be chosen
- reduction rule: open n. P | n[Q] → P | Q
Slide 17: Example: Locks
  acquire n. P ≜ open n. P
  release n. P ≜ n[] | P
- handshake: acquire n. release m. P | release n. acquire m. Q
Slide 18: Objective Moves
- allow a computation to move into an ambient; only possible if the ambient allows it
  mv in n. P | n[Q] →* n[P | Q]
  n[mv out n. P | Q] →* P | n[Q]
Slide 19: Objective Moves
  allow n ≜ !open n
  mv in n. P ≜ (vk) k[in n. in[out k. P]]
  mv out n. P ≜ (vk) k[out n. out[out k. P]]
  n[P] (entry allowed) ≜ n[P | allow in]
  n[P] (exit allowed) ≜ n[P] | allow out
  n[P] (entry and exit allowed) ≜ n[P | allow in] | allow out
Slide 20: Synchronization on Named Channels
- channel n is defined as n[]
  n?.P ≜ mv in n. acquire rd. release wr. mv out n. P
  n!.P ≜ mv in n. release rd. acquire wr. mv out n. P
Slide 21: Mobility and Communication Primitives
  P,Q ::=        processes
    (vn)P        restriction
    0            inactivity
    P | Q        composition
    !P           replication
    M[P]         ambient
    M.P          action
    (x).P        input action
    <M>          async output action
  M ::=          capabilities
    x            variable
    n            name
    in M         can enter M
    out M        can leave M
    open M       can open M
    null
    M.M'         path
Slide 22: Communicable Values
- names, capabilities, and … may be exchanged
- multiple capabilities may be combined into paths (such as for transmitting a route)
Slide 23: (x).P and <M>  Ambient I/O
- <M> releases a capability into the local ambient
- (x).P captures the result and binds it lexically
- reduction rule: (x).P | <M> → P{x ← M}
Slide 24: Examples: Cells
- allow for storage and retrieval of values at a named location
  cell c v ≜ c[<v> | !(x).<x>]
  get c (x). P ≜ mv in c. (x). (<x> | mv out c. P)
  set c (v). P ≜ mv in c. (x). (<v> | mv out c. P)
Slide 25: Routable Packets
- a packet carries a computation
- may be routed to an ambient via path M
- an ambient may forward a packet via a path
  packet pkt ≜ pkt[!(x).x | !open route]
  route pkt with P to M ≜ route[in pkt. <M> | P]
  forward pkt to M ≜ route pkt with 0 to M
Slide 26: Ether I/O
- both parent and child ambients must be enabled for I/O; children may then input and output using the parent's Ether
  n[P] (parent, Ether-enabled)   a parent n[P] enabling Ether I/O
  n[P] (child, Ether-enabled)    a child n[P] enabling Ether I/O
  n(x).P                         receive a value from the Ether
  n<M>                           send a value into the Ether
Slide 27: Ether I/O
  n[P] (parent, Ether-enabled) ≜ n[e[] | P]
  n[P] (child, Ether-enabled) ≜ n[P]
  n(x).P ≜ mv out n. mv in e. (x). mv out e. mv in n. P
  n<M> ≜ mv out n. mv in e. <M>
Slide 28: Encoding the π-calculus: channels
  ch n         a channel
  (ch n)P      a new channel
  n(x).P       channel input
  n<M>         async channel output
- should satisfy the reduction n(x).P | n<M> →* P{x ← M}
Slide 29: Encoding the π-calculus: channels
  ch n ≜ n[!open io]
  (ch n)P ≜ (vn) (ch n | P)
  n(x).P ≜ (vp) (io[in n. (x). p[out n. P]] | open p)
  n<M> ≜ io[in n. <M>]
Slide 30: Channel Reduction
  ch n | n(x).P | n<M>
  ≡  (vp) (n[!open io] | io[in n. (x). p[out n. P]] | open p | io[in n. <M>])
  →* (vp) (n[!open io | io[(x). p[out n. P]] | io[<M>]] | open p)
  →* (vp) (n[!open io | (x). p[out n. P] | <M>] | open p)
  →  (vp) (n[!open io | p[out n. P{x ← M}]] | open p)
  →  (vp) (n[!open io] | p[P{x ← M}] | open p)
  →  (vp) (n[!open io] | P{x ← M})
  ≡  ch n | P{x ← M}
Slide 31: Encoding
  ⟦(vn)P⟧ ≜ (vn) (n[!open io] | ⟦P⟧)
  ⟦n(x).P⟧ ≜ (vp) (io[in n. (x). p[out n. ⟦P⟧]] | open p)
  ⟦n<m>⟧ ≜ io[in n. <m>]
  ⟦P | Q⟧ ≜ ⟦P⟧ | ⟦Q⟧
  ⟦!P⟧ ≜ !⟦P⟧
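As an added worked example (not code from the paper or from this presentation), the following Python reducer implements the reduction rules of slides 14, 15, 16 and 23 (entry, exit, open, and communication, plus the expansion of replication and reduction under an ambient), then replays the lock handshake of slide 17, the objective move of slides 18 and 19 and the channel reduction of slides 29 and 30. Names are plain strings; the restriction (vk) is approximated by drawing a name from a counter (fresh), which is a simplification of the example rather than a faithful treatment of scoping; the placeholder processes P, Q and R of the slides are inert tags; and every helper name (par, amb, act, mv_in, ch, chan_input and so on) is the example's own.

```python
import itertools
# Terms are tuples: ('0',) inactivity; ('par', [P, Q]) composition; ('amb', n, P) ambient n[P];
# ('repl', P) replication !P; ('in'|'out'|'open', n, P) action M.P; ('input', x, P) (x).P;
# ('output', M) <M>; ('tag', label) an inert placeholder for the P, Q, R of the slides.
ZERO = ('0',)
def par(*ps): return ('par', list(ps))
def amb(n, p=ZERO): return ('amb', n, p)
def act(cap, n, p=ZERO): return (cap, n, p)
def repl(p): return ('repl', p)
def inp(x, p): return ('input', x, p)
def out(m): return ('output', m)
_fresh = itertools.count(1)
def fresh(base='k'): return f"{base}{next(_fresh)}"   # approximates (vk): a name nobody else holds
def flat(p):
    """Top-level parallel components of p (nested '|' flattened, 0 dropped)."""
    return [q for r in p[1] for q in flat(r)] if p[0] == 'par' else ([] if p == ZERO else [p])
def mk(items): return ZERO if not items else items[0] if len(items) == 1 else ('par', items)
def subst(p, x, m):
    """P{x <- m}: replace variable x by name m wherever a name may occur."""
    k = p[0]
    if k in ('amb', 'in', 'out', 'open'): return (k, m if p[1] == x else p[1], subst(p[2], x, m))
    if k == 'par': return ('par', [subst(q, x, m) for q in p[1]])
    if k == 'repl': return ('repl', subst(p[1], x, m))
    if k == 'input': return p if p[1] == x else ('input', p[1], subst(p[2], x, m))
    if k == 'output': return ('output', m if p[1] == x else p[1])
    return p
def actions(items):
    """(index, cap, name, continuation, replicated) for each top-level capability;
    !M.P is offered as M.P with the replica kept, i.e. the expansion !P -> P | !P."""
    for i, it in enumerate(items):
        if it[0] in ('in', 'out', 'open'): yield i, it[0], it[1], it[2], False
        elif it[0] == 'repl' and it[1][0] in ('in', 'out', 'open'): yield i, it[1][0], it[1][1], it[1][2], True
def step(p):
    """One reduction step, or None when p is stuck."""
    items = flat(p)
    others = lambda *idx: [x for k, x in enumerate(items) if k not in idx]
    for i, it in enumerate(items):
        if it[0] != 'amb': continue
        n, body = it[1], flat(it[2])
        for ai, cap, m, cont, rep in actions(body):      # (Red In) n[in m.P | Q] | m[R] -> m[n[P | Q] | R]
            if cap != 'in': continue
            for j, sib in enumerate(items):
                if j != i and sib[0] == 'amb' and sib[1] == m:
                    rest = body[:ai] + body[ai + 1:] + ([body[ai]] if rep else [])
                    moved = amb(n, mk(flat(cont) + rest))
                    return mk(others(i, j) + [amb(m, mk([moved] + flat(sib[2])))])
        for bi, child in enumerate(body):                 # (Red Out) m[n[out m.P | Q] | R] -> n[P | Q] | m[R]
            if child[0] != 'amb': continue
            inner = flat(child[2])
            for ai, cap, m, cont, rep in actions(inner):
                if cap == 'out' and m == n:
                    rest = inner[:ai] + inner[ai + 1:] + ([inner[ai]] if rep else [])
                    escaped = amb(child[1], mk(flat(cont) + rest))
                    return mk(items[:i] + [escaped, amb(n, mk(body[:bi] + body[bi + 1:]))] + items[i + 1:])
    for ai, cap, n, cont, rep in actions(items):          # (Red Open) open n.P | n[Q] -> P | Q
        if cap != 'open': continue
        for j, sib in enumerate(items):
            if j != ai and sib[0] == 'amb' and sib[1] == n:
                return mk(others(ai, j) + flat(cont) + flat(sib[2]) + ([items[ai]] if rep else []))
    for i, it in enumerate(items):                        # (Red Comm) (x).P | <M> -> P{x <- M}
        if it[0] != 'input': continue
        for j, sib in enumerate(items):
            if sib[0] == 'output': return mk(others(i, j) + flat(subst(it[2], it[1], sib[1])))
    for i, it in enumerate(items):                        # (Red Amb) P -> Q implies n[P] -> n[Q]
        if it[0] == 'amb' and (r := step(it[2])) is not None:
            return mk(items[:i] + [amb(it[1], r)] + items[i + 1:])
    return None
def reduce_all(p, limit=200):
    for _ in range(limit):
        if (nxt := step(p)) is None: return p
        p = nxt
    raise RuntimeError("no normal form within the step limit")
def show(p):
    k = p[0]
    if k == '0': return '0'
    if k == 'tag': return p[1]
    if k == 'par': return ' | '.join(show(q) for q in flat(p))
    if k == 'amb': return f"{p[1]}[{'' if p[2] == ZERO else show(p[2])}]"
    if k == 'repl': return '!' + (f"({show(p[1])})" if p[1][0] == 'par' else show(p[1]))
    if k == 'input': return f"({p[1]}).{show(p[2])}"
    if k == 'output': return f"<{p[1]}>"
    return f"{k} {p[1]}" + ('' if p[2] == ZERO else '.' + (f"({show(p[2])})" if p[2][0] == 'par' else show(p[2])))
P, Q, R = ('tag', 'P'), ('tag', 'Q'), ('tag', 'R')
def acquire(n, p): return act('open', n, p)             # slide 17: acquire n.P = open n.P
def release(n, p): return par(amb(n), p)                # slide 17: release n.P = n[] | P
def allow(n): return repl(act('open', n))               # slide 19: allow n = !open n
def mv_in(n, p): k = fresh(); return amb(k, act('in', n, amb('in', act('out', k, p))))
def ch(n): return amb(n, allow('io'))                   # slide 29: ch n = n[!open io]
def chan_input(n, x, p):                                # slide 29: n(x).P, with a fresh p
    q = fresh('p'); return par(amb('io', act('in', n, inp(x, amb(q, act('out', n, p))))), act('open', q))
def chan_output(n, m): return amb('io', act('in', n, out(m)))
def entry_rule(): return show(step(par(amb('n', par(act('in', 'm', P), Q)), amb('m', R))))
def exit_rule(): return show(step(amb('m', par(amb('n', par(act('out', 'm', P), Q)), R))))
def handshake(): return show(reduce_all(par(acquire('n', release('m', P)), release('n', acquire('m', Q)))))
def objective_move():    # slide 18: mv in n.P | n[Q | allow in] ->* n[P | Q | allow in] (plus an inert k[])
    n_amb = reduce_all(par(mv_in('n', P), amb('n', par(Q, allow('in')))))
    return n_amb[1], sorted(show(x) for x in flat(n_amb[2]))
def channel():           # slide 30: ch n | n(x).x[] | n<v> ->* ch n | v[]
    return sorted(show(x) for x in flat(reduce_all(par(ch('n'), chan_input('n', 'x', amb('x')), chan_output('n', 'v')))))
```

entry_rule() and exit_rule() return exactly the right-hand sides of slides 14 and 15, and handshake() reduces the two-lock handshake of slide 17 to P | Q. objective_move() ends with P, Q and allow in inside n together with an empty k[]: its name was the restricted one, so no process can ever enter, leave or open it, which is why slide 18 writes the result simply as n[P | Q]. channel() instantiates the received name into the continuation x[] and returns ch n alongside v[], matching the chain on slide 30; the fresh p disappears as the calculus predicts because the final open p dissolves it.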
Slide 32: Issues
- Interference
  - name clashes with "temporary" locations during evaluation with concurrent processes
- No type system (yet)
  - some legal programs are meaningless because of 'type errors' resulting from communication
- Notions of security are too simple
Slide 33: Conclusions
- Introduced the notion of mobile ambients
- Presented a simple, yet powerful calculus for mobility and security
- A separate document (the "Annex") formally defines notions of observational equivalence