Mobile Ambients

1
Mobile Ambients

• Luca Cardelli
• Digital Equipment Corporation, Systems Research
  Center
• Andrew D. Gordon
• University of Cambridge, Computer Laboratory

Presented by Michael Hicks CIS 640 Spring 1998
2
Mobility

• Mobile Computing
• Computing devices are mobile environments
• Mobile Computation
• Computations which move among environments are
  mobile agents

3
Administrative Domains

• Network level
• Firewall partitioning of Intranet from Internet
• Address partitioning of subnet from LAN
• Host level
• Access to remote resources (disk, CPU, etc.)

Mobility and access require authorization
4
Outline

• Overview of approach and related work
• Mobility Calculus
• Primitives, Semantics, and Examples
• Complete Ambient Calculus
• Communication Primitives
• Examples and Encoding of async ?-calculus
• Criticisms and Conclusions

5
Ambients

• Bounded location for computation
• a web page, an address space, a filesystem, a
  data object, a laptop,
• not a thread, collections of objects,
• Each ambient has a name, and may contain
• a collection of local agents
• a collection of sub-ambients

6
Names

• May be
• created,
• passed around, and
• used to name new ambients
• May be used to derive capabilities

7
Related Work

• Obliq
• Telescript
• Java
• Linda

• ?-calculus
• spi-calculus
• Chemical Abstract Machine
• join-calculus
• LLinda
• distributed calculi

8
Mobility Primitives

• n names
• P,Q processes
• (vn)P restriction
• 0 inactivity
• P Q composition
• !P replication
• nP ambient
• M.P action

M capabilities in n can enter n out n
can leave n open n can open n
9
Restriction
(vn)P

• creates a new (unique) name n within a scope of P
• may be used to name ambients and operate on
  ambients by name
• is transparent to reduction
• P ? Q ? (vn)P ? (vn)Q

10
Inaction
0

• does nothing

11
Composition
P Q

• denotes process P executing in parallel with
  process Q
• is commutative and associative
• obeys the rule
• P ? Q ? P R ? Q R

12
Replication
!P

• creates as many parallel replicas of P as needed
• may be used to express iteration and recursion
• to be reduced, it is first expanded to P !P

13
Ambients
nP

• an ambient with name n within which P is
  executing
• P ? Q ? nP ? nQ
• may contain nested sub-ambients as well as
  processes running in parallel
• nP1 Pp m1 mq

14
Entry capability
in n. P

• instructs the surrounding ambient to enter a
  sibling ambient n
• If n doesnt exist, it blocks. If more than one
  exists, any one may be chosen
• Reduction rule
• nin m. P Q mR ? mnP Q R

15
Exit capability
out n. P

• instructs the surrounding ambient to exit its
  parent ambient n
• If n doesnt exist, it blocks.
• Reduction rule
• mnout m. P Q R ? nP Q mR

16
Open capability
open n. P

• dissolves the ambient n at the same level as the
  surrounding ambient
• If n doesnt exist, it blocks. If more than one
  exists, any one may be chosen
• Reduction rule
• open n. P nQ ? P Q

17
Example Locks

• acquire n. P ? open n. P
• release n. P ? n P
• handshake
• acquire n. release m. P release n. acquire m. Q

18
Objective Moves

• Allows a computation to move into an ambient.
  Only possible if the ambient allows it
• mv in n. P n??Q ? n??P Q
• n??mv out n. P Q ? P n??Q

19
Objective Moves
allow n ? !open n mv in n. P ? (vk) kin n.
inout k. P mv out n. P ? (vk) kout n.
outout k. P n?P ? nP allow in n?P
? nP allow out n??P ? nP allow in
allow out
20
Synchronization on Named Channels

• Channel n is defined as n??
• n?.P ? mv in n. acquire rd. release wr. mv out
  n. P
• n!.P ? mv in n. release rd. acquire wr. mv out
  n. P

21
Mobility and Communication Primitives
P,Q processes (vn)P restriction 0
inactivity P Q composition !P
replication MP ambient M.P action (x).P
input action ltMgt async output action
M capabilities x variable n name in
M can enter M out M can leave M open M can
open M ? null M.M path
22
Communicable Values

• Names, capabilities, and ? may be exchanged
• Multiple capabilities may be combined into paths
  (such as for transmitting a route)

23
Ambient I/O
(x). P
ltMgt

• ltMgt releases a capability into the local ambient
• (x).P captures the result and binds it lexically
• Reduction rule
• (x). P ltMgt ? P x ? M

24
Examples Cells

• Allows for storage and retrieval of values at a
  named location

cell c v ? c??ltvgt !(x).ltxgt get c (x). P ?
mv in c. (x). (ltxgt mv out c. P) set c (v). P ?
mv in c. (x). (ltvgt mv out c. P)
25
Routable Packets

• A packet carries a computation
• May be routed to an ambient via path M
• An ambient may forward a packet via a path

packet pkt ? pkt!(x).x !open route route
pkt with P to M ? routein pkt. ltMgt P forward
pkt to M ? route pkt with 0 to M
26
Ether I/O

• Both parent and child ambients must be enabled
  for I/O. Children may then input and output
  using parents Ether
• n?P ? a parent nP enabling Ether I/O
• n?P ? a child nP enabling Ether I/O
• n?(x).P ? receive a value from the Ether
• n? ltMgt ? send a value into the Ether

27
Ether I/O
n?P ? ne?? P n?P ? n??P n?(x).P ?
mv out n. mv in e. (x). mv out e. mv in n. P n?
ltMgt ? mv out n. mv in e. ltMgt
28
Encoding the ?-calculus channels
ch n ? a channel (ch n)P ? a new
channel n(x).P ? channel input nltMgt ? async
channel output Should satisfy the
reduction n(x).P nltMgt ? P x ? M
29
Encoding the ?-calculus channels
ch n ? n!open io (ch n)P ? (vn) (ch n
P) n(x).P ? (vp) (ioin n. (x). pout n. P
open p) nltMgt ? ioin n.ltMgt
30
Channel Reduction

• ch n n(x).P nltMgt
• ? (vp) (n!open io ioin n. (x). pout n. P
  open p ioin n.ltMgt)
• ? (vp) (n!open io io(x). pout n. P
  ioltMgt open p)
• ? (vp) (n!open io (x). pout n. P ltMgt
  open p)
• ? (vp) (n!open io pout n. Px ? M open
  p)
• ? (vp) (n!open io pPx ? M open p)
• ? (vp) (n!open io Px ? M)
• ? ch n Px ? M

31
Encoding

• ?(vn)P? ? (vn) (n!open io ?P?)
• ?n(x).P? ? (vp) (ioin n. (x). pout n. ?P?
  open p)
• ?nltmgt? ? ioin n.ltmgt
• ?P Q? ? ?P? ?Q?
• ?!P? ? !?P?

32
Issues

• Interference
• name clashes with temporary locations during
  evaluation with concurrent processes
• No type system (yet)
• some legal programs are meaningless because of
  type errors resulting from communication
• Notions of security are too simple

33
Conclusions

• Introduced notion of mobile ambients
• Presented a simple, yet powerful calculus
• mobility
• security
• Other document (the Annex) formally defines
  notions of observational equivalence