The Andrew File System is a location-transparent distributed tile system that will eventually span more than 5000 workstations at Carnegie Mellon University. Large scale affects performance and complicates system operation. In this paper we present observations of a prototype implementation, motivate changes in the areas of cache validation, server process structure, name translation, and low-level storage representation, and quantitatively demonstrate Andrew’s ability to scale gracefully. We establish the importance of whole-file transfer and caching in Andrew by comparing its perform-ance with that of Sun Microsystem’s NFS tile system. We also show how the aggregation of files into volumes improves the operability of the system.

A personal and rather discursive account is given of the background to the start of work in the early 1970s at Newcastle on software fault tolerance, and of how work has developed to encompass forward as well as backward error recovery, and parallel and distributed software as well as sequential programs. A major theme of the paper is that of the links between this work and that carried out elsewhere in connection with the topic of objectoriented programming, in particular on concepts such as generic classes and functions, exception-handling, delegation and reflection.

The early 1980s saw the development of some rather sophisticated distributed systems. These were not merely networked file systems: rather, using remote procedure calls, hierarchical naming, and what would now be called middleware, they allowed a collection of systems to operate as a coherent whole. One such system in particular was developed at Newcastle that allowed pre-existing applications and (Unix) systems to be used, completely unchanged, as components of an apparently standard large (multiprocessor) Unix system. The Distributed Secure System (DSS) described in our 1983 paper proposed a new way to construct secure systems by exploiting the design freedom created by this form of distributed computing. The DSS separated the security concerns of policy enforcement from those due to resource sharing and used a variety of mechanisms (dedicated components, cryptography, periods processing, separation kernels) to manage resource sharing in ways that were simpler than before. In this retrospective, we provide the full original text of our DSS paper, prefaced by an introductory discussion of the DSS in the context of its time, and followed by an account of the subsequent implementation and deployment of an industrial prototype of DSS, and a description of its modern interpretation in the form of the MILS architecture. We conclude by outlining current opportunities and challenges presented by this approach to security. (Invited paper IEEE ACSAC 2007)

Application mobility is the ability for an application to travel with its user, moving between computers or moving with a computer between locations. We describe new techniques that enable unmodified applications to move independently of each other without requiring changes to infrastructure or actions by administrators. The techniques are based on three new abstractions that overcome the obstacles to application mobility unresolved by previous work in process migration and mobile computing. First, we introduce reliable network connections, an abstraction that automatically detects network connection failures caused by movement, and that recovers from these failures transparently. We introduce an enhancement detection protocol that enables the use of this abstraction in environments where not all applications support it. This protocol is a general-purpose solution to the problem of safely detecting, at user-level, the presence of remote support for any type of network communication enhancement. Second, we introduce the abstraction of a window session, a transportable representation of the state of a graphical user interface, that allows the user interface of a running application to be moved, either with or independently of the application process, from one display to

Objects............................................................................10 2.3.2 Client/Server Properties.............................................................10 2.3.3 Reference Model Modules ..............................................................11 3. Detailed Description of the Reference Model ...........................................................15 3.1 Bitfile Client ................................................................................................15 3.2 Name Server.................................................................................................16 3.3 Bitfile Server...............................................................................................17 3.3.1 Bitfile Server Commands..............................................................18 3.3.2 Bitfile Request Processor .............................................................19 3.3.3 Bitfile Descriptor Manager and Descriptor Table..................

English Electric Company, where he led a team that implemented a number of compilers, including the Whetstone KDF9 Algol compiler. From 1964 to 1969, he was with IBM in the United States, mainly at the IBM T. J. Watson Research Center, working on operating systems, the design of ultra-high speed computers, and computing system design methodology. He then became Professor of Computing Science at Newcastle University, where in 1971 he set up the project that initiated research into the possibility of software fault tolerance, and introduced the “recovery block ” concept. Subsequent major developments included the Newcastle Connection, and the prototype Distributed Secure System. He has been Principal Investigator on a succession of research projects in reliability and security funded by the Science