We investigate the issue of designing a kernel programming language for Mobile Computing and describe Klaim, a language that supports a programming paradigm where processes, like data, can be moved from one computing environment to another. The language consists of a core Linda with multiple tuple spaces and of a set of operators for building processes. Klaim naturally supports programming with explicit localities. Localities are first-class data (they can be manipulated like any other data), but the language provides coordination mechanisms to control the interaction protocols among located processes. The formal operational semantics is useful for discussing the design of the language and provides guidelines for implementations. Klaim is equipped with a type system that statically checks access rights violations of mobile agents. Types are used to describe the intentions (read, write, execute, etc.) of processes in relation to the various localities. The type system is used...

INTRODUCTION Mobile computation, where independent agents roam widely distributed networks in search of resources and information, is fast becoming a reality. A number of programming languages, APIs and protocols have recently emerged which seek to provide high-level support for mobile agents. These include Java [30], Odyssey [15], Aglets [19], Voyager [24] and the latest revisions of the Internet protocol [25, 2]. In addition to these commercial efforts, many prototype languages have been developed and implemented within the programming language research community --- examples include Linda [8, 9], Facile [16], Obliq [7], Infospheres [11], the join calculus [13], and Nomadic Pict [33]. In this paper we address the issue of resource access control for such languages. Central to the paradigm of mobile computation are the notions of agent, resource and location. Agents are effective entities that perform computation and interact with other First publis

We investigate whether the π-calculus is able to serve as a good foundation for the design and implementation of a strongly-typed concurrent programming language. The first half of the dissertation examines whether the π-calculus supports a simple type system which is flexible enough to provide a suitable foundation for the type system of a concurrent programming language. The second half of the dissertation considers how to implement the π-calculus efficiently, starting with an abstract machine for π-calculus and finally presenting a compilation of π-calculus to C. We start the dissertation by presenting a simple, structural type system for π-calculus, and then, after proving the soundness of our type system, show how to infer principal types for π-terms. This simple type system can be extended to include useful type-theoretic constructions such as recursive types and higherorder polymorphism. Higher-order polymorphism is important, since it gives us the ability to implement abstract datatypes in a type-safe manner, thereby providing a greater degree of modularity for π-calculus programs. The functional computational paradigm plays an important part in many programming languages. It is well-known that the π-calculus can encode functional computation. We go further and show that the type structure of λ-terms is preserved by such encodings, in the sense that we can relate the type of a λ-term to the type of its encoding in the π-calculus. This means that a π-calculus programming language can genuinely support typed functional programming as a special case. An efficient implementation of π-calculus is necessary if we wish to consider π-calculus as an operational foundation for concurrent programming. We first give a simple abstract machine for π-calculus and prove it correct. We then show how this abstract machine inspires a simple, but efficient, compilation of π-calculus to C (which now forms the basis of the Pict programming language implementation).

Bugs in distributed systems are often hard to find. Many bugs reflect discrepancies between a system’s behavior and the programmer’s assumptions about that behavior. We present Pip 1, an infrastructure for comparing actual behavior and expected behavior to expose structural errors and performance problems in distributed systems. Pip allows programmers to express, in a declarative language, expectations about the system’s communications structure, timing, and resource consumption. Pip includes system instrumentation and annotation tools to log actual system behavior, and visualization and query tools for exploring expected and unexpected behavior 2. Pip allows a developer to quickly understand and debug both familiar and unfamiliar systems. We applied Pip to several applications, including FAB, SplitStream, Bullet, and RanSub. We generated most of the instrumentation for all four applications automatically. We found the needed expectations easy to write, starting in each case with automatically generated expectations. Pip found unexpected behavior in each application, and helped to isolate the causes of poor performance and incorrect behavior. 1

. We present a partially-typed semantics for Dp, a distributed p-calculus. The semantics is designed for mobile agents in open distributed systems in which some sites may harbor malicious intentions. Nonetheless, the semantics guarantees traditional type-safety properties at good locations by using a mixture of static and dynamic type-checking. We show how the semantics can be extended to allow trust between sites, improving performance and expressiveness without compromising type-safety. 1 Introduction In [12] we presented a type system for controlling the use of resources in a distributed system, or network. The type system guarantees two properties: resource access is always safe, e.g. integer resources are always accessed with integers and string resources are always accessed with strings, and resource access is always authorized, i.e. resources may only be accessed by agents that have been granted permission to do so. While these properties are desirable, they are properti...

To my parents A general abstract theory for computation involving shared resources is presented. We develop the models of sharing graphs, also known as term graphs, in terms of both syntax and semantics. According to the complexity of the permitted form of sharing, we consider four situations of sharing graphs. The simplest is first-order acyclic sharing graphs represented by let-syntax, and others are extensions with higher-order constructs (lambda calculi) and/or cyclic sharing (recursive letrec binding). For each of four settings, we provide the equational theory for representing the sharing graphs, and identify the class of categorical models which are shown to be sound and complete for the theory. The emphasis is put on the algebraic nature of sharing graphs, which leads us to the semantic account of them. We describe the models in terms of the notions of symmetric monoidal categories and functors, additionally with symmetric monoidal adjunctions and traced

Contextual equivalences for cryptographic process calculi, like the spi-calculus, can be used to reason about correctness of protocols, but their definition suffers from quantification over all possible contexts. Here, we focus on two such equivalences, namely may-testing and barbed equivalence, and investigate tractable proof methods for them. To this aim, we design an enriched labelled transition system, where transitions are constrained by the knowledge the environment has of names and keys. The new transition system is then used to define a trace equivalence and a weak bisimulation equivalence, that avoid quantification over contexts. Our main results are soundness and completeness of trace and weak bisimulation equivalence with respect to may-testing and barbed equivalence, respectively. They lead to more direct proof methods for equivalence checking. The use of these methods is illustrated with a few examples, concerning implementation of secure channels and verification of proto...

Abstract. We define an extension of the π-calculus with a static type system which supports high-level specifications of extended patterns of communication, such as client-server protocols. Subtyping allows protocol specifications to be extended in order to describe richer behaviour; an implemented server can then be replaced by a refined implementation, without invalidating type-correctness of the overall system. We use the POP3 protocol as a concrete example of this technique. 1

Abstract—Traditional IDLs were defined for describing the services that objects offer, but not those services they require from other objects, nor the relative order in which they expect their methods to be called. Some of the existing proposals try to add protocol information to object interfaces, but most of them fail to do so in a modular way. In this paper we propose an extension of the CORBA IDL that uses a sugared subset of the polyadic-calculus for describing object service protocols, based on the concept of roles. Roles allow the modular specification of the observable behavior of CORBA objects, reducing the complexity of the compatibility tests. Our main aim is the automated checking of protocol interoperability between CORBA objects in open component-based environments, using similar techniques to those used in software architecture description and analysis. In addition, our proposal permits the study of substitutability between CORBA objects, as well as the realization of dynamic compatibility tests during their runtime execution. Index Terms—Interface definition languages, software components, component-based software development, protocols, compatibility and substitutability of components.

. We present a partially-typed semantics for Dp, a distributed p-calculus. The semantics is designed for open distributed systems in which some sites may harbor malicious agents. Nonetheless, the semantics guarantee traditional type-safety properties at "good" locations by using a mixture of static and dynamic type-checking. The run-time semantics is built on the model of an anonymous network where the source of incoming agents is unknowable. To counteract possible misuse of resources all sites keep a record of local resources against which incoming agents are dynamically typechecked. 1 Introduction In [7] we presented a type system for controlling the use of resources in a distributed system. The type system guarantees that resource access is always safe, in the sense that, for example, integer channels are always used with integers and boolean channels are always used with booleans. The type system of [7], however, requires that all agents in the system be well-typed. In open syste...