. Mobile agents are processes which can autonomously migrate to new hosts. Despite its many practical benets, mobile agent technology results in signicant new security threats from malicious agents and hosts. The primary added complication is that, as an agent traverses multiple hosts that are trusted to dierent degrees, its state can change in ways that adversely impact its functionality. In this paper, we discuss achievable security goals for mobile agents, and we propose an architecture to achieve these goals. The architecture models the trust relations between the principals of mobile agent systems. A unique aspect of the architecture is a \state appraisal" mechanism that protects users and hosts from attacks via state modications and that provides users with exible control over the authority of their agents. 1 Introduction Currently, distributed systems employ models in which processes are statically attached to hosts and communicate by asynchronous messages or s...

The last few years have seen a renewed interest in continuations for expressing advanced control structures in programming languages, and new models such as Abstract Continuations have been proposed to capture these dimensions. This article investigates an alternative formulation, exploiting the latent expressive power of the standard continuation-passing style (CPS) instead of introducing yet other new concepts. We build on a single foundation: abstracting control as a hierarchy of continuations, each one modeling a specific language feature as acting on nested evaluation contexts. We show how iterating the continuation-passing conversion allows us to specify a wide range of control behavior. For example, two conversions yield an abstraction of Prologstyle backtracking. A number of other constructs can likewise be expressed i...

IONS 3.1 Scheme 48 Kali Scheme is implemented as an extension to Scheme 48 [Kelsey and Rees 1994], an implementation of Scheme [Clinger and Rees 1991]. Scheme is a lexically scoped dialect of Lisp. Scheme 48 is based on as byte-coded interpreter written in a highly optimized, restricted dialect of Scheme called Pre-Scheme, which compiles to C. Because of the way it is implemented, the system is very portable and is reasonably efficient for an interpreted system. 2 Unlike other Scheme implementations, 2 Scheme 48 is roughly 10-15 times slower slower than a highly optimized Scheme compiler generating native code [Kranz et al. 1986]. (define-record-type thread : : : continuation : : : ) (define current-thread : : : ) (define (spawn thunk) (let ((thread (make-thread))) (set-thread-continuation! thread (lambda (ignore) (thunk) (terminate-current-thread))) (context-switch thread))) (define (context-switch thread) (add-to-queue! runnable-threads current-thread) (switch-to-thread thre...

A fully abstract model of a programming language assigns the same meaning to two terms if and only if they have the same operational behavior. Such models are well-known for functional languages but little is known about extended functional languages with sophisticated control structures. We show that a direct model with error values and the conventional continuation model are adequate for functional languages augmented with first- and higher-order control facilities, respectively. Furthermore, both models become fully abstract on adding a control delimiter and a parallel conditional to the programming languages.

. Dynamic binding, which has always been associated with Lisp, is still semantically obscure to many. Although largely replaced by lexical scoping, not only does dynamic binding remain an interesting and expressive programming technique in specialised circumstances, but also it is a key notion in semantics. This paper presents a syntactic theory that enables the programmer to perform equational reasoning on programs using dynamic binding. The theory is proved to be sound and complete with respect to derivations allowed on programs in "dynamic-environment passing style". From this theory, we derive a sequential evaluation function in a context-rewriting system. Then, we exhibit the power and usefulness of dynamic binding in two different ways. First, we prove that dynamic binding adds expressiveness to a purely functional language. Second, we show that dynamic binding is an essential notion in semantics that can be used to define the semantics of exceptions. Afterwards, we further refin...

We present a new static analysis method for first-class continuations that uses an effect system to classify the control domain behavior of expressions in a typed polymorphic language. We introduce two new control effects, goto and comefrom, that describe the control flow properties of expressions. An expression that does not haveagoto effect is said to be continuation following because it will always call its passed return continuation. An expression that does not haveacomefrom effect is said to be continuation discarding because it will never preserve its return continuation for later use. Unobservable control effects can be masked by the effect system. Control effect soundness theorems guarantee that the effects computed statically by the effect system are a conservative approximation of the dynamic behavior of an expression. The effect

Engines provide the means for a computation to be run for a limited period of time, interrupted if it does not complete in that time, and later restarted from the point of interruption. Previous work on engines demonstrated that engines can be implemented by defining a new interpreter to support them. This article demonstrates that engines may be defined in terms of continuations and timer interrupts and thereby incorporated into an existing language implementation. The article extends the engine mechanism to solve several problems with nestable engines, and demonstrates that the extended mechanism can be implemented in terms of continuations as well.

Dynamic binding and delimited control are useful together in many settings, including Web applications, database cursors, and mobile code. We examine this pair of language features to show that the semantics of their interaction is ill-defined yet not expressive enough for these uses. We solve this open and subtle problem. We formalise a typed language DB+DC that combines a calculus DB of dynamic binding and a calculus DC of delimited control. We argue from theoretical and practical points of view that its semantics should be based on delimited dynamic binding: capturing a delimited continuation closes over part of the dynamic environment, rather than all or none of it; reinstating the captured continuation supplements the dynamic environment, rather than replacing or inheriting it. We introduce a type- and reduction-preserving translation from DB + DC to DC, which proves that delimited control macro-expresses dynamic binding. We use this translation to implement DB + DC in Scheme, OCaml, and Haskell. We extend DB + DC with mutable dynamic variables and a facility to obtain not only the latest binding of a dynamic variable but also older bindings. This facility provides for stack inspection and (more generally) folding over the execution context as an inductive data structure.

We present the first formalization of implementation strategies for first-class continuations. The formalization hinges on abstract machines for continuation-passing style (CPS) programs with a special treatment for the current continuation, accounting for the essence of first-class continuations. These abstract machines are proven equivalent to a standard, substitution-based abstract machine. The proof techniques work uniformly for various representations of continuations. As a byproduct, we also present a formal proof of the two folklore theorems that one continuation identifier is enough for second-class continuations and that second-class continuations are stackable.

Non-local control transfer and exception handling have a long tradition in higher-order programming languages such as Common Lisp, Scheme and ML. However, each language stops short of providing a full and complementary approach --- control handling is provided only if the corresponding control operator is first-order. In this work, we describe handlers in a higher-order control setting. We invoke our earlier theoretical result that all denotational models of control languages invariably include capabilities that handle control. These capabilities, when incorporated into the language, form an elegant and powerful higher-order generalization of the first-order exception-handling mechanism. 1 Introduction Control manipulation in applicative programming languages comes in two flavors. First-order control operators allow computations to abort to a dynamically enclosing control context, e.g., Common Lisp's [23, 24] throw and ML's [9, 17] raise. They are invariably accompanied by forms th...