Laboratory We introduce a calculus describing the movement of processes and devices, including movement through administrative domains.

INTRODUCTION Mobile computation, where independent agents roam widely distributed networks in search of resources and information, is fast becoming a reality. A number of programming languages, APIs and protocols have recently emerged which seek to provide high-level support for mobile agents. These include Java [30], Odyssey [15], Aglets [19], Voyager [24] and the latest revisions of the Internet protocol [25, 2]. In addition to these commercial efforts, many prototype languages have been developed and implemented within the programming language research community --- examples include Linda [8, 9], Facile [16], Obliq [7], Infospheres [11], the join calculus [13], and Nomadic Pict [33]. In this paper we address the issue of resource access control for such languages. Central to the paradigm of mobile computation are the notions of agent, resource and location. Agents are effective entities that perform computation and interact with other First publis

Java has demonstrated the utility of type systems for mobile code, and in particular their use and implications for security. Security properties rest on the fact that a well-typed Java program (or the corresponding verified bytecode) cannot cause certain kinds of damage. In this paper we provide a type system for mobile computation, that is, for computation that is continuously active before and after movement. We show that a well-typed mobile computation cannot cause certain kinds of run-time fault: it cannot cause the exchange of values of the wrong kind, anywhere in a mobile system. 1

Abstract. We discuss the difficulties caused by mobile computing and mobile computation over wide area networks. We propose a unified framework for overcoming such difficulties. 1

. The Seal calculus is a distributed process calculus with localities and mobility of computational entities called seals. Seal is also a framework for writing secure distributed applications over large scale open networks such as the Internet. This paper motivates our design choices, presents the syntax and reduction semantics of the calculus, and demonstrates its expressiveness by examples focused on security and management distributed systems. 1 Introduction Advances in computer communications and computer hardware are changing the landscape of computing. Networking is now cheap and pervasive. The Internet has become a platform for large scale distributed programming. What is needed now is programming languages that support the development of Internet applications. In the last couple of years a number of process calculi have been designed to model programming large scale distributed systems over open networks. Several of these calculi [12, 19, 34, 21] advocate programming m...

The asynchronous pi-calculus is considered the basis of experimental programming languages (or proposal of programming languages) like Pict, Join, and Blue calculus. However, at a closer inspection, these languages are based on an even simpler calculus, called Local (L), where: (a) only the output capability of names may be transmitted; (b) there is no matching or similar constructs for testing equality between names. We study the basic operational and algebraic theory of Lpi. We focus on bisimulation-based behavioural equivalences, precisely on barbed congruence. We prove two coinductive characterisations of barbed congruence in Lpi, and some basic algebraic laws. We then show applications of this theory, including: the derivability of delayed input; the correctness of an optimisation of the encoding of call-by-name lambda-calculus; the validity of some laws for Join.

We describe a foundational language for specifying dynamically evolving networks of distributed processes, Dp. The language is a distributed extension of the p-calculus which incorporates the notions of remote execution, migration, and site failure. Novel features of Dp include 1. Communication channels are explicitly located: the use of a channel requires knowledge of both the channel and its location. 2. Names are endowed with permissions: the holder of a name may only use that name in the manner allowed by these permissions. A type system is proposed in which the types control the allocation of permissions; in well-typed processes all names are used in accordance with the permissions allowed by the types. We prove Subject Reduction and Type Safety Theorems for the type system. In the final section we define a semantic theory based on barbed bisimulations and discuss its characterization in terms of a bisimulation relation over a relativized labelled transition system. 1 Introduction...

. We present a partially-typed semantics for Dp, a distributed p-calculus. The semantics is designed for mobile agents in open distributed systems in which some sites may harbor malicious intentions. Nonetheless, the semantics guarantees traditional type-safety properties at good locations by using a mixture of static and dynamic type-checking. We show how the semantics can be extended to allow trust between sites, improving performance and expressiveness without compromising type-safety. 1 Introduction In [12] we presented a type system for controlling the use of resources in a distributed system, or network. The type system guarantees two properties: resource access is always safe, e.g. integer resources are always accessed with integers and string resources are always accessed with strings, and resource access is always authorized, i.e. resources may only be accessed by agents that have been granted permission to do so. While these properties are desirable, they are properti...

This paper considers how locality restrictions on the use of capabilities can be enforced by a static type system. A distributed π-calculus with a simple reduction semantics is introduced, integrating location and migration primitives from the Distributed Join Calculus with asynchronous π communication. It is given a type system in which the input and output capabilities of channels may be either global, local or absent. This allows compile-time optimization where possible but retains the expressiveness of channel communication. Subtyping allows all communications to be invoked uniformly. We show that the most local possible capabilities for internal channels can be inferred automatically.

The -calculus with synchronous output and mixed-guarded choices is strictly more expressive than the -calculus with asynchronous output and no choice. As a corollary, Palamidessi recently proved that there is no fully compositional encoding from the former into the latter that preserves divergence-freedom and symmetries. This paper shows