Permission is hereby granted to make and distribute verbatim copies of this document without royalty or fee. Permission is granted to quote excerpts from this documented provided the original source is properly cited. ii When separately written programs are composed so that they may cooperate, they may instead destructively interfere in unanticipated ways. These hazards limit the scale and functionality of the software systems we can successfully compose. This dissertation presents a framework for enabling those interactions between components needed for the cooperation we intend, while minimizing the hazards of destructive interference. Great progress on the composition problem has been made within the object paradigm, chiefly in the context of sequential, single-machine programming among benign components. We show how to extend this success to support robust composition of concurrent and potentially malicious components distributed over potentially malicious machines. We present E, a distributed, persistent, secure programming language, and CapDesk, a virus-safe desktop built in E, as embodiments of the techniques we explain.

doi:10.1016/j.tcs.2008.09.019 This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain. Manuscript

Abstract. A new field in distributed computing, called Ambient Intelligence, has emerged as a consequence of the increasing availability of wireless devices and the mobile networks they induce. Developing software for mobile networks is extremely hard in conventional programming languages because the network is dynamically demarcated. This leads us to postulate a suite of characteristics of future Ambient-Oriented Programming languages. A simple reflective programming language, called AmbientTalk, that meets the characteristics is presented. It is validated by implementing a collection of high level language features that are used in the implementation of an ambient messenger application. 1

Mirror-based systems are object-oriented reflective architectures built around a set of design principles that lead to reflective APIs which foster a high degree of reusability, loose coupling with baselevel objects and whose structure and design corresponds to the system being mirrored. However, support for behavioral intercession has been limited in contemporary mirror-based architectures, in spite of its many interesting applications. This is due to the fact that mirror-based architectures only support explicit reflection, while behavioral intercession requires implicit reflection. This work reconciles mirrors with behavioral intercession. We discuss the design of a mirror-based architecture with implicit mirrors that can be absorbed in the interpreter, and mirages, base objects whose semantics are defined by implicit mirrors. We describe and illustrate the integration of this reflective architecture for the distributed object-oriented programming language AmbientTalk.

Abstract—In this paper, we describe AmbientTalk: a domainspecific language for orchestrating service discovery and composition in mobile ad hoc networks. AmbientTalk is a distributed object-oriented programming language whose actor-based, eventdriven concurrency model makes it highly suitable for composing service objects across a mobile network. The language is a so-called ambient-oriented programming language which treats network partitions as a normal mode of operation. We describe AmbientTalk’s object model, concurrency model and distributed communication model in detail. We also highlight the major influences from other languages and middleware that have shaped AmbientTalk’s design. Index Terms—distributed languages, actors, events, publish/subscribe, service discovery, service composition, mobile networks, pervasive computing I.

Proxies are a powerful approach to implement meta-objects in object-oriented languages without having to resort to metacircular interpretation. We introduce such a meta-level API based on proxies for Javascript. We simultaneously introduce a set of design principles that characterize such APIs in general, and compare similar APIs of other languages in terms of these principles. We highlight how principled proxy-based APIs improve code robustness by avoiding interference between base and meta-level code that occur in more common reflective intercession mechanisms. Categories and Subject Descriptors D.3.2 [Language Classifications]: Object-oriented languages

Over the last years, the focus of distributed computing has shifted from local to wide-area networks. In these new environments, because of unknown latencies and of the need to allow systems to scale up to large numbers of participants, loosely coupled, asynchronous systems have gained popularity.

Abstract: Using state of the art tools, context-aware applications are notified of relevant changes in their environment through event handlers which are triggered by dedicated middleware. The events signalled by the middleware should percolate through the entire application, requiring a carefully crafted network of observers combined with complex synchronization code to address the inherent concurrency issues. This paper proposes the adoption of reactive programming techniques to bridge the gap between the event-driven middleware and the application.

The Problem: Today’s DoD missions operate over a large, heterogeneous, distributed set of computing resources—from personal mobile devices to massively parallel multicomputers managing millions of connections and petabytes of data. These distributed components must cooperate across agencies and across coalitions of allies; each partner brings independently-managed systems of varying reliability and trust into the distributed resource mix, and each has different policies and legal restrictions. Today, we cannot reliably secure any single system against CyberAttacks, even when it is wholly owned by a single agency with a single mission. Computations can be disrupted (denial-of-service); machines can be co-opted (taken over and used by attacker); data can be corrupted and stolen. The problem is even further beyond the state-of-the-art when considering a coalition of machines under different jurisdictions. There is today no principled way to describe what such systems should be doing and thereby differentiate proper and compliant agents from rogue actors. SOUND Solution: Our proposal, called SOUND (Safety On Untrusted Network Devices) provides a way to compute reliably on distributed coalition systems assembled from a wide range of heterogeneous components while ensuring desired restrictions on information flow (confidentiality), by trusted actors (identification and authentication), preventing information corruption (integrity), and maintaining high computational throughput (availability) despite the fact that the underlying set of computers and processes offered to perform the computation may be vulnerable to attacks or actively trying to compromise the mission. We propose to achieve scalable and tunable innate distributed defense (BAA Task Area 1) by implementing shared situational awareness and trust modeling (first two elements of BAA Technical Area 2). Additionally we are proposing an option for Technical Area 6, Technology Demonstrator. In the following, we list many of the challenges facing the implementation of secure resilient distributed systems today and how the SOUND system proposes to address those challenges. We use the format Challenge: description. SOUND response: response. We also reference numbered

This paper presents Emerson, a new programming system for scripting objects in user-extensible virtual worlds such as Second Life, Active Worlds, Open Wonderland, etc. Emerson’s primary goal is to make it easy for novice programmers to write and deploy interesting applications. Scripting applications for these worlds is difficult due to two characteristics: the worlds must scale to millions of users and are therefore distributed, and there is no central authority or design so interaction is mostly between mutually untrusting applications. To simplify scripting for novices, Emerson employs two abstractions: multi-presencing and execution sandboxes. Multi-presencing allows a single program to centrally control what seem to be many distributed geometric objects. Execution sandboxes allow safely running application code provided by another object, borrowing the execution and deployment model of modern web applications. Emerson itself is implemented as a scripting plugin for the Sirikata open source virtual world platform. We evaluate the benefits of its design by describing several application examples. Through these examples, we explore the interactions between sandboxing and multi-presencing as well as their implications and discuss potential future authentication mechanisms that would make secure in-world application development more accessible.