1. 1 The Endeavour Expedition: 21st Century Computing to the eXtreme Randy H. Katz, Principal Investigator EECS Department University of California, Berkeley Berkeley, CA 94720-1776

2. 2 The Endeavour Expedition: 21st Century Computing to the eXtreme R. H. Katz, Principal Investigator, University of California, Berkeley New Ideas Systems Architecture for Vastly Diverse Computing Devices (MEMS, cameras, displays) Wide-area “Oceanic” Data Information Utility Sensor-Centric Data Management for Capture and Reuse (MEMS + networked storage) Negotiation Architecture for Cooperating Components (Composable system architecture) Tacit Knowledge Infrastructure to support High-Speed Decision-Making Information Management for Intelligent Classroom Environments Scalable Safe Component-based Design and UI Design Tools Impact Enhancing human understanding by making it dramatically more convenient for people to interact with information, devices, and other people Supported by a “planetary-scale” Information Utility, stress tested by applications in decision making and learning, achieved thru new methodologies for design, construction, and administration of systems of unprecedented scale and complexity Schedule Jun 99 Start Jun 00Jun 01May 02 End Initial Architectural Design & Testbeds Initial Application Implementation & Evaluation Information Utility Information Applications Design Methodologies Initial Evaluation & 2nd Gen Redesign Final Deployment & Evaluation Refined Implementation & Final Evaluation Usability Studies & Early Tool Design Implementation of UI &Sys Design Tools Tools Release & Final Evaluations Initial Architectural Design Document Initial Experiments & Revised Design Doc Final Experiments & Architecture Docs

3. 3 Agenda Project Motivation and Overview, Katz System Architecture for eXtreme Devices, Culler “Oceanic” Data Storage Utility, Kubiatowicz Sensor-Centric Data Management, Hellerstein Usability and User Interface Design, Landay Remaining Options and Wrap-up, Katz Q&A by DARPA PMs expected throughout

4. 4 Agenda Project Motivation and Overview, Katz System Architecture for Extreme Devices, Culler Oceanic Data Storage Utility, Kubiatowicz Sensor-Centric Data Management, Hellerstein Usability and User Interface Design, Landay Remaining Options and Wrap-up, Katz

5. 5 Why “Endeavour”? Endeavour: to strive or reach; a serious determined effort (Webster’s 7th New Collegiate Dictionary); British spelling Captain Cook’s ship from his first voyage of exploration of the great unknown of his day: the southern Pacific Ocean (1768-1771) –Brought more land and wealth to the British Empire than any military campaign –Cook’s lasting contribution: comprehensive knowledge of the people, customs, and ideas that lay across the sea –“He left nothing to his successors other than to marvel at the completeness of his work.”

6. 6 Expedition Goals Enhancing understanding –Dramatically more convenient for people to interact with information, devices, and other people –Supported by a “planetary-scale” Information Utility »Stress tested by challenging applications in decision making and learning »New methodologies for design, construction, and administration of systems of unprecedented scale and complexity –Figure of merit: how effectively we amplify and leverage human intellect A pervasive Information Utility, based on “fluid systems” to enable new approaches for problem solving & learning

7. 7 Expedition Assumptions Human time and attention, not processing or storage, are the limiting factors Givens: –Vast diversity of computing devices (PDAs, cameras, displays, sensors, actuators, mobile robots, vehicles); No such thing as an “average” device –Unlimited storage: everything that can be captured, digitized, and stored, will be –Every computing device is connected in proportion to its capacity –Devices are predominately compatible rather than incompatible (plug-and-play enabled by on-the-fly translation/adaptation)

8. 8 Expedition Challenges Personal Information Mgmt is the Killer App –Not corporate processing but management, analysis, aggregation, dissemination, filtering for the individual People Create Knowledge, not Data –Not management/retrieval of explicitly entered information, but automated extraction and organization of daily activities Information Technology as a Utility –Continuous service delivery, on a planetary-scale, on top of a highly dynamic information base Beyond the Desktop –Community computing: infer relationships among information, delegate control, establish authority

9. 9 Driving Factors Technology Push –Accelerating developments at the eXtremes: »Cluster-based compute/storage servers »MEMS sensor/actuators, CCD cameras, LCD displays, … User Pull –More effective community leverage: the next power tool –Desire: »Enhanced interaction, ease of use »Easier configuration, “plug and play” »Less fragile tools, “always there” utility functionality

10. 10 Computing Evolution: Distribution with Sharing Batch processing One at a time use User comes to machine Remote Job Entry One at a time use Remote access to machine Time Sharing Shared resources Remote access FS Workstation Shared servers/ Dedicated computing Remote access PS LAN PC + Internet Shared servers/ Dedicated computing Remote access Internet Web Server Mail Server Increasing Freedom from Colocation Increasing Sharing & Distribution Increasing Personalization Increasing Ratio of Computers:Users

11. 11 Computing Revolution: Devices in the eXtreme Evolution Information Appliances: Scaled down desktops, e.g., CarPC, PdaPC, etc. Evolved Desktops Servers: Scaled-up Desktops, Millennium Revolution Information Appliances: Many computers per person, MEMs, CCDs, LCDs, connectivity Servers: Integrated with comms infrastructure; Lots of computing in small footprint Display Keyboard Disk Mem  Proc PC Evolution Display Camera Smart Sensors Camera Smart Spaces Computing Revolution WAN Server, Mem, Disk Information Utility BANG! Display Mem Disk  Proc

12. 12 Expedition Approach Information Devices –Beyond desktop computers to MEMS-sensors/actuators with capture/display to yield enhanced activity spaces Information Utility Information Applications –High Speed/Collaborative Decision Making and Learning –Augmented “Smart” Spaces: Rooms and Vehicles Design Methodology –User-centric Design with HW/SW Co-design; –Formal methods for safe and trustworthy decomposable and reusable components “Fluid”, Network-Centric System Software –Partitioning and management of state between soft and persistent state –Data processing placement and movement –Component discovery and negotiation –Flexible capture, self- organization, and re-use of information

13. 13 Information Utility Information Devices Applications Collaboration Spaces High Speed Decision Making Learning Classroom Info Appliances E-BookVehicles PDA Handset Laptop Camera Smartboard MEMS Sensor/Actuator/Locator Wallmount Display Generalized UI Support Proxy Agents Human Activity Capture Event Modeling Transcoding, Filtering, Aggregating Statistical Processing/Inference Negotiated APIsSelf-Organizing Data Interface ContractsWide-area Search & Index Nomadic Data & Processing Automated Duplication Distributed Cache Management Wide-Area Data & Processing Movement & Positioning Stream- and Path-Oriented Processing & Data Mgmt Non-Blocking RMISoft-/Hard-State Partitioning

14. 14 Needed Expedition Expertise “Today, scientists and adventurers are lured by exploratory challenges to all regions of the globe and beyond. The explorer attempts routes of greater difficulty, the researcher perfects field techniques in remote locales. All are breaking new ground in isolated areas of the world usually under harsh conditions over extended periods of time.” http://www.expeditionresearch.org /english/ MEMS and hardware devices Scalable computing architectures Networked-oriented operating systems Distributed file systems Data management systems Security/privacy User interfaces Collaboration applications Intelligent learning systems Program verification Methodologies for HW/SW design/evaluation

15. 15 Interdisciplinary, Technology- Centered Expedition Team Alex Aiken, PL Eric Brewer, OS John Canny, AI  David Culler, OS/Arch  Joseph Hellerstein, DB Michael Jordan, Learning Anthony Joseph, OS  Randy Katz, Nets  John Kubiatowicz, Arch  James Landay, UI Jitendra Malik, Vision George Necula, PL Christos Papadimitriou, Theory David Patterson, Arch Kris Pister, Mems Larry Rowe, MM Alberto Sangiovanni- Vincentelli, CAD Doug Tygar, Security Robert Wilensky, DL/AI

16. 16 Organization: The Expedition Cube Information Devices Information Utility Applications DesIgnDesIgn MethodologyMethodology MEMS Sensors/Actuators, Smart Dust, Radio Tags, Cameras, Displays, Communicators, PDAs Fluid Software, Cooperating Components, Diverse Device Support, Sensor-Centric Data Mgmt, Always Available, Tacit Information Exploitation (event modeling) Rapid Decision Making, Learning, Smart Spaces: Collaboration Rooms, Classrooms, Vehicles Base Program Option 1: Sys Arch for Diverse Devices Option 2: Oceanic Data Utility Option 4: Negotiation Arch for Cooperation Option 5: Tacit Knowledge Infrastructure Option 6: Classroom Testbed Option 7: Scalable Safe Component-Based Design Option 3: Capture and Re-Use

17. 17 Base Program: Leader Katz Broad but necessarily shallow investigation into all technologies/applications of interest –Primary focus on Information Utility »No new HW design: commercially available information devices »Only small-scale testbed in Soda Hall –Fundamental enabling technologies for Fluid Software »Partitioning and management of state between soft and persistent state »Data and processing placement and movement »Component discovery and negotiation »Flexible capture, self-organization, info re-use –Limited Applications –Methodology: Formal Methods & User-Centered Design

18. 18 Base Program Schedule Year 1Year 2Year 3 Eval. & Initial Design Tools Smart Space Testbed1st Gen Fluid R/T Environ. 1st Gen Comp Neg. Protocols 1st Gen Persistent Fluid Store 1st Gen Sensor-Centric Info Mgmt Design Document + Early Evaluation Cooperative Learning App Rapid Decision Making App Refined Doc + Experiments Refine & Use Perf Eval 2nd Gen Persistent Fluid Store 2nd Gen Sensor-Centric IM 2nd Gen Fluid R/T Environ. 2nd Gen Negotiation Final Doc + Experiments Refined Tools & Flow Design Methodology Information Utility Information Applications

19. 19 In-Depth Technical Presentations Option 1: “Systems Architecture for Vastly Diverse Computing Devices”, David Culler, Subexpedition Leader Option 2: “Implementation/Deployment of the Oceanic Data Information Utility”, John Kubiatowicz, Subexpedition Leader Option 3: “Sensor-Centric Data Management for Capture and Reuse”, Joseph Hellerstein, Subexpedition Leader Parts of Options 5, 6, 7: UI Design Cross Cut (UI design tools with applications to Tacit Information Extraction and Intelligent Classrooms), James Landay, Subexpedition Leader

20. 20 Roll-Up of Remaining Options Option 4: “A Negotiation Architecture for Cooperating Components”, Robert Wilensky, Subexpedition Leader Option 7: “Scalable Safe Component-based Design”, Alberto Sangiovanni-Vincentelli, Subexpedition Leader Option 8: “Scale-Up Field Trials”, Randy Katz, Subexpedition Leader (Essential elements of Option 5: “Tacit Information Infrastruction and High Speed Decision Making and Option 6: “Information Management for Intelligent Classroom Environment” covered by James Landay

21. 21 Option 4: Negotiation Architecture for Cooperating Components Cooperating Components –Self-administration through auto-discovery and configuration among confederated components –Less brittle/more adaptive systems –Essential for all pieces of the Endeavour Utility Infrastructure Negotiation Architecture –Components announce their needs and services –Service discovery and rendezvous mechanisms to initiate confederations –Negotiated/contractural APIs: contract designing agents –Compliance monitoring and renegotiation –Graceful degradation in response to environmental changes

22. 22 The Problem: Configuration Difficulties Individual computing components require considerable manual configuration –OS, software installation –Local data (solved by Oceanic storage!) –Configuration to access services Today: small number of machines per individual--(manual) configuration limits –State (software/data) is inconsistent across machines –Manual updating is time-consuming –Degrades poorly in the presence of failure/change Future: orders of magnitude more machines per individual--manual configuration completely infeasible

23. 23 Solution: Negotiation Architecture for Auto-Configuration Allow components to dynamically configure themselves by having components –Specify the potential services they provide, the terms and conditions, and to whom –Disseminate the availability of these services –Specify the services they require, and their terms and conditions –Discover other objects that provide required services –Allow objects to enter into multi-phase negotiations of contracts, committing to provide services under terms and conditions –Provide compliance monitoring services of contracts –Provide means for dealing with non-performing confederates

24. 24 Plan for Success Develop: –Language for specifying services, and their terms and conditions –Protocol for negotiating contracts between objects –Infrastructural services, including discovery, service availability dissemination, and compliance monitoring services –Means to adapt to a non-performing service Emphasis on system architecture/easy of use: –E.g., standard, parameterized “boilerplate” contracts between components, with standard “compliance officers” Some related issues: –Can we assure interesting adaptive properties? Recent development: HP’s e”speak

25. 25 Option 7: Safe Component Design Leader Sangiovanni Information Appliances as an application of hardware/software codesign –Specification based on “Co-design Finite State Machines” »Exploited in software for eXtreme devices –Formal methods to verify safety from faults –Safe partitioning of components into communicating subcomponents placed into the wide-area Component-Based System Design –Composition of third party components to build systems –Can such components be trusted? »Correctness (Necula) »Security (Tygar)

26. 26 Option 7: Safe Component Design Leader Sangiovanni Formal Specifications and Methods –Decomposition of components into safe partitionings of communicating subcomponents placed in the wide- area »HW/SW “Co-design Finite State Machines” »Exploits success in embedded software arena »Use in software for eXtreme devices –Compositions of third party components »JAVA or C/C++ modules »Use in Oceanic Store, Sensor-centric Data Mgmt –Formal methods to verify »Correctness/safety from faults »Trust and assurance

27. 27 An Essential Problem for Component-based Fluid Software Cannot be trusted to behave as advertised –If unknown origin: must be assumed to be malicious –If known origin: can be erroneous or even malicious Concerned with: –Extrinsic properties (non-semantic properties) »e.g., author, time of creation, 3rd party- endorsements,... –Semantic properties (behaviors) »e.g., memory safety, lack of information flow, etc. Needed: –Safety enforcement technologies –Design and development methodologies

28. 28 Solution: Proof Carrying Code Safety without sacrificing performance –Works for low-level languages, machine code, optimized code Small trusted code base –Checking is easier than proving –No need to use (and trust) a compiler Flexible and general (in principle) –Need a specification that captures the property of interest –Plus proof of that property for the untrusted code –“If you can prove it, PCC can check it!” –Install one checker for a multitude of policies Use tools that certify their output –Delegate but do not trust –Effective way to debug the tools themselves!

29. 29 Plan for Success “Ratify” a broad set of safe programming practices for component-based systems –Failures point to programming errors OR tool suggests convenient stylistic adjustments OR tool inserts run-time checks Build toolkit for producing provably-safe native methods with off-the-shelf Java compilers Build toolkit for certifying type safety of C programs Proof Code Proof Checker Yes/No Untrusted code Heuristic-based certifier SlowQuick

30. 30 Security and Assurance Two issues for apps based on mobile code –Protecting the remote host from the mobile code –Protecting the mobile code from the remote host! Automatic generation of “best” security protocol Ad hoc and temporal access control –Access control/security negotiation Cryptographic hardware tokens as type of Information Device –How to evaluate, build, break tamper-resistant boundaries –Differential power analysis

31. 31 Infrastructure Enables Microactions/economics for resource control –Pervasive need for authentication –Enables resource management based on privileges Rights management tagging –Who can operate on what under what conditions? Design for survivability –Exploit resource control to mitigate denial of service attacks All of this with privacy –Users control when and to whom information is released –Trade better system support for privacy

32. 32 Plan for Success One year –Synthesis of code for optimal security protocols –Toolkit for cryptographic key management for mobile code –Design of ad hoc and temporal access control –“Little TEMPEST” protection for hardware tokens Three year –Integration with applications across Endeavour –Privacy analysis for high assurance mechanisms –Automatic or semi-automatic resource allocation using micro-auctions. –High survivability mechanisms

33. 33 Option 8: Scaled-up Field Trials Leader Katz Testbed Rationale –Study impact on larger/more diverse user community –Higher usage levels to stress underlying architecture –Make commitment to true utility functionality Increasing Scale of Testbeds –Building-Scale »Order 100s individuals –Campus-Scale »Order 1000s individuals –City-Scale »Order 100000 individuals

34. 34 Experimental Testbeds Network Infrastructure GSM BTS Millennium Cluster WLAN / Bluetooth Pager IBM WorkPad CF788 MC-16 Motorola Pagewriter 2000 Velo TCI @Home Adaptive Broadband LMDS H.323 GW Nino Smart Classrooms Audio/Video Capture Rooms Pervasive Computing Lab CoLab Soda Hall CalRen/Internet2/NGI Smart Dust LCD Displays Wearable Displays

35. 35 Summary: Putting It All Together 1. eXtreme Devices 2. Data Utility 3. Capture/Reuse 4. Negotiation 5. Tacit Knowledge 6. Classroom 7. Design Methods 8. Scale-up Devices Utility Applications Fluid Software Info Extract/Re-use Decision Making Group Learning Component Discovery & Negotiation Self-Organization

36. 36 Conclusions 21st Century Computing –Making people’s exploitation of information more effective –Encompassing eXtreme diversity, distribution, and scale –Computing you can depend on Key Support Technologies –“Fluid software” computational paradigms –System and UI support for eXtreme devices –Pervasive, planetary-scale system utility functionality –Active, adaptive, safe and trusted components –New “power tool” applications that leverage community activity

37. 37 Conclusions Commercial spin, but direct relevance for many DoD future information technology requirements –Survivable, secure communications systems –System support for pervasive sensor networks –Fluid infrastructure support for: »CONUS + forward basing concepts »Rapid force deployment »Coalition leverage of shared/untrusted infrastructure –Information apps serve are examples for »Training »Mission planning »Battlespace decision making

38. 38 Conclusions Broad multidisciplinary team spanning the needed applications, evaluation, and system technology skills –Builds on many existing DARPA investments »BARWAN, Digital Libraries, iStore, Marco, MASH, MEMS, Ninja, Proof Carry Code,Tertiary Disk, …), »Integrates and extends these into a comprehensive information system architecture for 21st century computing –History of building large-scale prototypes, influencing industrial development

39. 39 Back-Up

40. 40 Technology Evolution versus Revolution Distribution Personalization More Less More Batch RJE Time Sharing WS/Server PC + Network Many people per computer One person per computer Many computers per person Information Appliances Scaled down PCs, desktop metaphor

41. 41 Option 1: “System Architecture for Vastly Diverse Devices” Leader Culler Distributed control & resource management: data mvmt & transformation, not processing –Path concept for information flow, not the thread –Persistent state in the infrastructure, soft state in the device –Non-blocking system state, no application state in the kernel –Functionality not in device is accessible thru non-blocking remote method invocation Extend the Ninja concepts (thin client/fat infrastructure) beyond PDAs to MEMS devices, cameras, displays, etc.

42. 42 Option 2: Implementation & Deploy- ment of Oceanic Data Info Utility Leader Kubiatowicz Nomadic Data Access: serverless, homeless, freely flowing thru infrastructure –Opportunistic data distribution –Support for: promiscuous caching; freedom from administrative boundaries; high availability and disaster recovery; application-specific data consistency; security Data Location and Consistency –Overlapping, partially consistent indices –Data freedom of movement –Expanding search parties to find data, using application- specific hints (e.g., tacit information)

43. 43 Option 3: Sensor-Centric Data Management for Capture/Reuse Leader Hellerstein Integration of embedded MEMS with software that can extract, manage, analyze streams of sensor-generated data –Wide-area distributed path-based processing and storage –Data reduction strategies for filtering/aggregation –Distributed collection and processing New information management techniques –Managing infinite length strings –Application-specific filtering and aggregation –Optimizing for running results rather than final answers –Beyond data mining to “evidence accumulation” from inherently noisy sensors

44. 44 Option 5: Tacit Knowledge Infra- structure/Rapid Decision Making Leader Canny Exploit information about the flow of information to improve collaborative work –Capture, organize, and place tacit information for most effective use –Learning techniques: infer communications flow, indirect relationships, and availability/participation to enhance awareness and support opportunistic decision making New collaborative applications –3D “activity spaces” for representing decision-making activities, people, & information sources –Visual cues to denote strength of ties between agents, awareness levels, activity tracking, & attention span

45. 45 Problem: Applications for Ubiquitous Computing People are the main “knowledge asset” in an organization How do we design computing tools and work processes in the age of universal computing? Study practice; look at difficulties of use; identify new opportunities

46. 46 Application: Remote Interaction PRoPs: Wireless robot appliances that act as proxys or avatars What they could achieve: –Mobility and access to remote workplaces: factories, offices, warehouses –A better level of interpersonal interaction through non-verbal communication –Recreation when its too far to go

47. 47 Application: Tacit Information Mining Use logs from single or multiple servers to compute: –High level context, current activity –An organized activity view –Personal expertise and referrals –Document authority –Document history and creation context –Perspectives on a document or meeting

48. 48 Application: Bearable Computing An exploration of issues in personal, persistent computing (augmented reality, worn interfaces) using ordinary laptop computers Avoid head-mounted displays (expensive and low-res) head-tracking, and cables The approach: use optics to overlay computer images on reality, but use laptop or pocket- mounted displays Testbed: Grad course in HCC this semester

49. 49 Option 6: Info Mgmt for Intelligent Classrooms Leader Joseph Electronic Problem-based Learning –Collaborative learning enabled by information appliances Enhanced Physical and Virtual Learning Spaces –Wide-area, large-scale group collaboration –Capture interaction once for replay –Preference/task-driven information device selection –Service accessibility –Device connectivity –Wide-area support –Iterative evaluation

50. 50 The Problem: Configuration and Scaling Device/Network-independent People-to-People Communications –Any-to-Any people-level (not device) communications –Service Handoff (cross network/device mobility) Classroom Learning –Related option is 6 –Challenge of scaling, while preserving 1-on-1 Wide-area information mgmt / access –Related options area 1, 2, 4, 8 –Device/Network-independent People-to-Service Communication –Flexible consistency, replication, access control

51. 51 Solution: Service Architecture Device/Network-independent People-to-People Communications –Open arch for device & network-independence »Ninja’s Automatic Path Creation »Iceberg’s IAPs, PAT, Preference Registry (dyn rules) –Iceberg testbed: Universal Inbox Classroom Learning –Iceberg information dissemination technologies »InfoCaster, CASA, Secure Service Discovery Service –Iceberg testbed: real-world data Wide-area information mgmt / access –Experience w/ Secure Service Discovery Services: Wide- area information dissemination

52. 52 Plan for Success Dev./Net.-indep. People-to-People Comm –Y1: Deploy real-world testbed w/ 1st cut arch –Y2: Detailed experiments and design of 2nd gen –Y3: Deployment / measurement of 2nd gen Classroom Learning –Y1: Design classroom experiment, deploy sw/hw –Y2: Group mtg experiment/large class experiment –Y3: Larger class? Wide-area information mgmt / access –Y1: Deploy SDS. First-cut info utility svc. –Y2: Few users of single-node info utility –Y3: Second version (distrib) w/ real users