Printable Version of this PageHome PageRecent ChangesSearchSign In

Research Ideas

Safe Replication of Capabilities between Distrusting Machines

Missing File (/tony/uploads/

Research Ideas

Constraints on object migration

Transaction Threads



Potential Committee Members:
Ralf Merkle
Brian Cooper

Research Topic

Open, multi-user, secure, evolving, persistent, distributed, functional, programming language/system. A structured alternative to the Web.

A secure programming language/model and a middleware for distributing that model efficiently. I like the capabilities approach ala the E object-oriented language. But I prefer abstract datatypes over objects to prevent spoofing by subclassing. Futhermore, unlike SML, I prefer all data types to be abstract to keep their contents non-public. Naively we cannot replicate the contents of abstract data values to untrusted machines. The challenge is to discover when it is safe to replicate because the target machine has the necessary accessors anyway, and to know this without too much overhead.

Basic Language Values

Object:       {type, field1, field2, ...}
ObjectType:   {metaType, id, fieldNames, constraints}

Array:        {type, size, element1, element2, ...}
ArrayType:    {metaType, constraints}

Function:     {type, free1, free2, ...}
FunctionType: {metaType, id, numFree, parentFunctionClassOrEnvironment, expression, machineInstructions}
Constraints is a generalization of type checking.
All values hide their fields. Only their type is public.
A type cannot be used to construct instances, it can only be used for type checking. Only a type's constructor can construct instances, and only a type's deconstructor can access fields of instances. The type does not reveal (or even hold) its constructor/deconstructor. These are separate functions that can only be obtained from the type's creator. Therefore all types are "abstract" data types.
Types with different ids are different even if they have the same fields and constraints. Usually these ids are unguessable, so no one can create a new type that matches someone elses type and use his constructor/deconstructor on it.
Only functions can be invoked.
Each function has an associated builder that was created with the function. If one has access to a function's builder, one can add specialized behavior to the function for new types. This is the equivalent to overriding methods in object-oriented languages, except here we require access to the function's builder. This helps prevent spoofing.
Each object is only intended to hold "identifying" fields. For example, a point is identified by its x and y coordinates, while a person is identified by his unique-id. Relationships to other objects are held in relations (tables). For example, a person's parents are found in the Parent relation. Again, the reader and writer functions for a relation can only be obtained from the relation's creator.

Open Wide-Area Middleware

Open to anyone, like the WWW.
Modular layers from hardware to RPC abstractions. Users can interface with any layer.
Security through safe language and trusted assembly/primitive code.
Security also through object-capability model (encapsulation and unforgeable object references).

Dynamically-checked Language-based Information Flow

Open dynamic distributed system
Objects themselves are principles. A function is free values plus code, and code has an integrity and confidentiality label just like other values. Application result includes the integrity of the code and the function reference. Its confidentiality includes just the confidentiality of the function reference. But the code confidentiality is constrains what secret will be sent to it. As an optimization, code written in a safe language residing on the local machine can be given the top confidentiality clearance, because the end-to-end argument will catch violations at the ends. Intermediatary computations are benign as long as side effects are checked (storage is an end).

Nodes holding replicas may be malicious, ie. refuse to update the replica when requested or delete it.

Globally unique ids require trusted parties to generate those ids, otherwise a malicious party can regenerate the same id everytime.


Digital Rights Management - Sun Dream
Application Integration - Apache Synapse by WSO2

CX717 drug to restore alertness when sleep deprived.

QuickSilver paper - "transactions for communications" Patrick. Distributed shared memories.

SPIN operating system (Module-3)