Description of the collection
Programs that use mobility as a mechanism to adapt to resource changes have three requirements that are not shared with other mobile programs. First, they need to monitor the level and quality of resources in their operating environment. Second, they need to be able to react to changes in resource availability. Third, they need to be able to control the way in which resources are used on their behalf (by libraries and other support code). In this chapter, we describe the design and implementation of Sumatra, an extension of Java that supports resource-aware mobile programs. We also describe the design and implementation of a distributed resource monitor that provides the information required by Sumatra programs.
Programs that use mobility as a mechanism to adapt to resource changes have three requirements that are not shared with other mobile programs. First, they need to monitor the level and quality of resources in their operating environment. Second, they need to be able to react to changes in resource availability. Third, they need to be able to control the way in which resources are used on their behalf (by libraries and other support code). In this chapter, we describe the design and implementation of Sumatra, an extension of Java that supports resource-aware mobile programs. We also describe the design and implementation of a distributed resource monitor that provides the information required by Sumatra programs. changes.
This paper evaluates the design and implementation of Omniware: a safe, efficient, and language-independent system for executing mobile program modules. Previous approaches to implementing mobile code rely on either language semantics or abstract machine interpretation to enforce safety. In the former case, the mobile code system sacrifices universality to gain safety by dictating a particular source language or type system. In the latter case, the mobile code system sacrifices performance to gain safety through abstract machine interpretation. Omniware uses software fault isolation, a technology developed to provide safe extension code for databases and operating systems, to achieve a unique combination of language-independence and excellent performance. Software fault isolation uses only the semantics of the underlying processor to determine whether a mobile code module can corrupt its execution environment. This separation of programming language implementation from program module safety enables our mobile code system to use a radically simplified virtual machine as its basis for portability. We measured the performance of Omniware using a suite of four SPEC92 programs on the Pentium, PowerPC, Mips, and Sparc processor architectures. Including the overhead for enforcing safety on all four processors, OmniVM executed the benchmark programs within 21% as fast as the optimized, unsafe code produced by the vendor-supplied compiler.
Network management is gaining increasing importance due to the pervasiveness of computer networks. Nevertheless, mainstream approaches to network management are presently limited by centralized management strategies and poor flexibility--a consequence of their rigid client-server architecture. In this paper we analyze how to overcome these problems by new design paradigms and technologies encompassing the capability to relocate dynamically the components of a distributed application. We evaluate the opportunities offered by this approach and provide feasibility considerations, also discussing a few interim architectural solutions adopted in our on-going implementation work.
Driven by the question how to identify potential communication partners and the need for well-suited communication schemes in agent-based systems, we discuss two communication concepts: sessions and global event management. Sessions establish either actively or passively a context for inter-agent interactions. Communication partners are addressed by globally unique agent identifiers or via badges. Communication in sessions is based on RPC or message mechanisms. Global event management addresses the need for anonymous communication. Event managers are employed as a synchronization means within agent groups. Based on this approach, we introduce synchronization objects, -- active components that offer various synchronization services. The presented model is finally mapped onto OMG event services.
We introduce a new genre of user interface applications that can migrate from one machine to another, taking their user interface and application contexts with them, and continue from where they left off. Such applications are not tied to one user or one machine, and can roam freely over the network, rendering service to a community of users, gathering human input and interacting with people. We envisage that this will support many new agent-based collaboration metaphors. The ability to migrate executing programs has applicability to mobile computing as well. Users can have their applications travel with them, as they move from one computing environment to another. We present an elegant programming model for creating migratory applications and describe an implementation. The biggest strength of our implementation is that the details of migration are completely hidden from the application programmer; arbitrary user interface applications can be migrated by a single ``migration'' command. We address system issues such as robustness, persistence and memory usage, and also human factors relating to application design the interaction metaphor and safety.
We present a new genre of user interface applications: applications that can migrate from one machine to another, taking their user interface and application contexts with them, and continue from where they left off. Such applications are not tied to one user or one machine, and can roam freely over the network, rendering service to a community of users, gathering human input and interacting with people. We envisage that this will support many new agent-based collaboration metaphors. The ability to migrate executing programs has applicability to mobile computing as well. Users can have their applications travel with them, as they move from one computing environment to another. We present an elegant programming model for creating migratory applications and describe an implementation. The biggest strength of our implementation is that the details of migration are completely hidden from the application programmer; arbitrary user interface applications can be migrated by a single ``migration'' command. We address system issues such as robustness, persistence and memory usage, and also human factors relating to the application design process, the interaction metaphor and safety.
Autonomous Objects are a new paradigm for distributed systems, based on the concept of intelligent messages that carry their own behavior as they navigate autonomously through the underlying computational network.
A network object is an object whose methods can be invoked over a network. This report describes the design and implementation of a network objects system for Modula-3. The system is novel for its overall simplicity. The report includes a thorough description of realistic marshaling algorithms for network objects, precise informal specifications of the major internal interfaces, preliminary experience, and performance results.
Mobile agents are programs that can migrate from machine to machine in a heterogeneous, partially disconnected network. As mobile agents move across a network, they consume resources. We discuss a system for controlling the activities of mobile agents that uses electronic cash, a banking system, and a set of resource managers. We describe protocols for transactions between agents. We present fixed-pricing and dynamic-pricing policies for resources. We focus on and analyze the sealed-bid second-price auction as a mechanism for dynamic pricing.
We investigate the possibility of using markets to regulate mobile agents, computer programs that are capable of migrating from one machine to another. Market participation requires quantitative information about resource consumption to define demand and calculate utility.
We create a formal utility model to derive user-demand functions, allowing agents to efficiently plan expenditure and deal with price fluctuations. By quantifying demand and utility, resource owners can precisely set a value for a good. We simulate our model in a mobile agent scheduling environment and show how prices fluctuate, compounding uncertainty in an agent's plans. To solve this problem, we propose that resource owners sell options to allow agents to trade away their risk.
Obliq is a lexically-scoped untyped interpreted language that supports distributed object-oriented computation. An Obliq computation may involve multiple threads of control within an address space, multiple address spaces on a machine, heterogeneous machines over a local network, and multiple networks over the Internet. Obliq objects have state and are local to a site. Obliq computations can roam over the network, while maintaining network connections.
Large scale distributed systems are becoming of paramount importance, due to the evolution of technology and to the interest of market. Their development, however, is not yet supported by a sound technological and methodological background, as the results developed for small size distributed systems often do not scale up. Recently, mobile code languages (MCLs) have been proposed as a technological answer to the problem. In this work, we abstract away from the details of these languages by deriving design paradigms exploiting code mobility that are independent of any particular technology. We present such design paradigms, together with a discussion of their features, their application domain, and some hints about the selection of the correct paradigm for a given distributed application.
We describe a distributed implementation of Scheme that permits efficient transmission of higher-order objects such as closures and continuations. The integration of distributed communication facilities within a higher-order programming language engenders a number of new abstractions and paradigms for distributed computing. Among these are user-specified load-balancing and migration policies for threads, incrementally linked distributed computations, and parameterized client-server applications. To our knowledge, this is the first distributed dialect of Scheme (or a related language) that addresses lightweight communication abstractions for higher-order objects.
In this chapter we are going to analyze mobile code issues in the perspective of object oriented systems in which thread migration is not supported. This means that both object's code and data can be transmitted from a place to another but not the current execution state (if any) associated to the object. This is the case with the Java language which is often used in the WWW for developing applets which are little applications downloaded on the fly and executed in the client machine. While this mechanism is quite useful for enhancing HTML documents with sound and animation, we think that this technology can give its best in the field of distributed-cooperative work, both in the perspective of Internet and Intranet connectivity. Java is indeed a concurrent, multithreaded language, but it offers little help for distributed programming. Thus, we introduce Jada, a coordination toolkit for Java where coordination among either concurrent threads or distributed Java objects is achieved via shared object spaces. By exchanging objects through tuple spaces, Java programs and applets can exchange data or synchronize their actions over a single host, a LAN, or even the Internet.
The access to an object space is performed using a set of methods of the ObjectSpace class. Such operations are Out (to put an object in the object space), In and Read (to get or to read associatively an object from the object space), and others, mostly inspired by the Linda language.
Jada does not extends the syntax of Java because it is a set of classes. We show how it changes the way we design multiuser, distributed applications (such as the ones based on the WWW) allowing easy interactions between software components and agents.
Under this perspective we can outline a system of any scale which uses the dynamic linking capability of Java to distribute the code and the coordination facility of Jada to handle distributed entities inter-relations.
The growing importance of telecommunication networks has stimulatedresearch on a new generation of programming languages. Such languagesview the network and its resources as a global environment in whichcomputations take place. In particular, they support the notion of codemobility and state distribution. To understand, discuss, evaluate, andcompare such languages, it is necessary to develop an abstract modelthat allows the meaning of mobility and state distribution to be definedprecisely. The purpose of this paper is to provide such a model and toapply it to the analysis of a number of existing new languages.
The growing importance of telecommunication networks has stimulated research on a new generation of programming languages. Such languages view the network and its resources as a global environment in which computations take place. In particular, they support the notion of code mobility. To understand, discuss, evaluate, and compare such languages, it is necessary to develop a new set of programming language concepts and/or extend the concepts that are used to deal with conventional languages. The purpose of this paper is to provide such framework. This is done hand-in-hand with a survey of a number of existing new languages.
Large-scale networked environments, such as the Internet, possess the characteristics of distributed data, distributed access and distributed control; this gives the user a powerful mechanism for building and integrating large repositories of distributed information from diverse resources. However, few support tools have been developed to allow the user to take advantage of the distributed nature of their information. To help address this problem, we advocate the integration of two technologies; distributed information management principles to allow users to create, disseminate, discover and manage their information, and mobile agent technology to provide the flexibility, scalability and dynamism necessary to develop such distributed information management applications.
We present four principles that we have identified as being key to achieving distributed information management and an architecture where mobile agents can move across distributed environments, integrate with local resources and other mobile agents, and communicate their results back to the user. We also describe a number of prototype distributed information management agents that we have developed.
Distributed information management tools allow users to author, disseminate, discover and manage information within large-scale networked environments, such as the Internet. Agent technology provides the flexibility and scalability necessary to develop such distributed information management applications. We present a layered organisation that is shared by the specific applications that we build. Within this organisation we describe an architecture where mobile agents can move across distributed environments, integrate with local resources and other mobile agents, and communicate their results back to the user.
Large-scale networked environments, such as the Internet, possess the characteristics of distributed data, distributed access and distributed control; this gives the user a powerful mechanism for building and integrating large repositories of distributed information from diverse resource sets. However, few support tools have been developed to allow the user to take advantage of the distributed nature of their information.
Distributed information management is the process by which users can create, disseminate, discover and manage information that is spread across distributed resources. Distributed open hypermedia systems have shown how distributed information, such as documents and hypermedia links, can be managed and handled within an environment that integrates smoothly between the user's desktop and the network. However, such systems are now looking at addressing the problem of interoperability across hypermedia systems, so that documents and links can be shared between users on heterogeneous integrating technologies.
This thesis proposes that the distributed information management provided by open hypermedia systems needs to be extended so that it is more interoperable, extensible and pervasive and that this can be achieved by integrating the principles of open hypermedia with the technology of mobile agents. Mobile agents present a new development mechanism for designing and building distributed applications which are well suited to the dynamic environment of large-scale networks.
This thesis describes the development of a mobile agent architecture within which distributed information management tasks can be built and executed. Mobile agents present an important abstraction mechanism when designing distributed environments and also allow the user to manage distributed information indirectly through their mobile agents. A number of prototype agents are described that have been developed to illustrate distributed information management tasks within the architecture and to show how abstractionism and indirect management can be achieved.
The introduction of Java applets has taken the WorldWide Web by storm. Information servers can customize the pre- sentation of their content with server-supplied code which executes inside the Web browser. We examine the Java language and both the HotJava and Netscape browsers which support it, and find a significant number of flaws which compromise their security. These flaws arise for several reasons, including implementation errors, unintended interactions between browser features, differences between the Java language and bytecode semantics, and weaknesses in the design of the language and the bytecode format. On a deeper level, these flaws arise because of weaknesses in the design methodology used in creating Java and the browsers. In addition to the flaws, we discuss the underlying tension between the openness desired by Web application writers and the security needs of their users, and we suggest how both might be accommodated.
Dynamic linking is a requirement for portable executable content. Executable content cannot know, ahead of time, where it is going to be executed, nor know the proper operating system interface. This imposes a requirement for dynamic linking. At the same time, we would like languages supporting executable content to be statically typable, for increased efficiency and security. Static typing and dynamic linking interact in a security-relevant way. This interaction is the subject of this paper. One solution is modeled in PVS, and formally proven to be safe.
This chapter gives an introduction into the two object-oriented programming environments Telescript and Java which both allow to write mobile code. It illustrates some of the more interesting features of these languages as platforms for mobile object systems. Further emphasis lies on the cooperation of agents in these two object-oriented worlds. Moreover, several descriptions of some higher-level agents scenarios are given.
The ML programming language has several features that make it desirableas a language for distributed application programming. It supportsfirst-class closures, which are useful for distributed scope and mobileagents. Type inference removes much of the tedium of lower-levelprogramming, without compromising reliability. Finally ML provides apowerful type system, including type polymorphism. A dialect of MLintended for distributed application programming is introduced. Adistinguishing characteristic of this implementation is the use ofrun-time type information, motivated by several constructs in thelanguage. This is intended to motivate the use of run-time types in implementations of polymorphic languages intended for distributed programming.
Several languages have been designed and implemented for programming mobile computations. This chapter describes a mobile code language based on extending the popular ML language. The language design, and its implementation, are distinguished by the use of run-time type information for computation. This is intended to motivate the use of run-time types in implementations of languages intended for distributed programming and mobile computations, particularly languages such as ML that provide type polymorphism.
In this paper, we present a history-based access-control mechanism that is suitable for mediating accesses from mobile code. The key idea behind history-based access-control is to maintain a selective history of the access requests made by individual programs and to use this history to improve the differentiation between safe and potentially dangerous requests. What a program is allowed to do depends on its own behavior and identity in addition to currently used discriminators like the location it was loaded from or the identity of its author/provider. History-based access-control has the potential to significantly expand the set of programs that can be executed without compromising security or ease of use. We describe the design and implementation of Deeds, a history-based access-control mechanism for Java. Access-control policies for Deeds are written in Java, and can be updated while the programs whose accesses are being mediated are still executing.
Mobile agents are processes which can autonomously migrate to new hosts. Despite its many practical benefits, mobile agent technology results in significant new security threats from malicious agents and hosts. The primary added complication is that, as an agent traverses multiple hosts that are trusted to different degrees, its state can change in ways that adversely impact its functionality. In this paper, we discuss achievable security goals for mobile agents, and we propose an architecture to achieve these goals. The architecture models the trust relations between the principals of mobile agent systems. A unique aspect of the architecture is a ``state appraisal'' mechanism that protects users and hosts from attacks via state modifications and that provides users with flexible control over the authority of their agents.
Security flaws are routinely discovered in commercial implementations of mobile code systems such as the Java Virtual Machine (JVM). Typical architectures for such systems exhibit complex interdependencies between the loader, the verifier, and the linker, making them difficult to craft, validate, and maintain. This reveals a software engineering challenge that is common to all mobile code systems in which a static verification phase is introduced before dynamic linking. In such systems, one has to articulate how loading, verification, and linking interact with each other, and how the three processes should be organized to address various security issues.
We propose a standard architecture for crafting mobile code verifiers, based on the concept of proof linking. This architecture modularizes the verification process and isolates the dependencies among the loader, verifier, and linker. We also formalize the process of proof linking and establish properties to which correct implementations must conform. As an example, we instantiate our architecture for the problem of Java bytecode verification and assess the correctness of this instantiation. Finally, we briefly discuss alternative mobile code verification architectures enabled by our modularization.
Mobile code computation is a new paradigm for structuring distributed systems. Mobile programs migrate from remote sites to a host, and interact with the resources and facilities local to that host. This new mode of distributed computation promises great opportunities for electronic commerce, mobile computing, and information harvesting. There has been a general consensus that security is the key to the success of mobile code computation. In this paper, we survey the issues surrounding the protection of a host from potentially hostile mobile programs.
Decades of research in operating systems has provided significant experience and insight into the nature of system security. Before we propose any new security model for mobile code systems, it is wise to question why the existing protection mechanisms found in distributed operating systems do not fully address the security needs of mobile code systems. We propose three security challenges that are distinctive of the mobile code phenomenon, namely, the establishment of anonymous trust (establishing trust with programs from unfamiliar origin), layered protection (establishing fine-grained protection boundaries among mutually-distrusting parts of the same process), and implicit acquisition (coping with the implicit nature of mobile program acquisition).
We also survey various approaches to protection in existing mobile code systems. We classify protection approaches into four categories: discretion, verification, transformation, and arbitration. We evaluate each category by looking at how well they address the security needs of mobile code computation.
We are designing and implementing a flexible infrastructure for mobile-object systems. Two fundamental innovations distinguish our architecture from other proposed solutions. First, our representation of mobile code is based on adaptive compression of syntax trees. Not only is this representation more than twice as dense as Java byte-codes, but it also encodes semantic information on a much higher level than linear abstract-machine representations such as p-code or Java byte-codes. The extra structural information that is contained in our mobile-code format is directly beneficial for advanced code optimizations.
Second, our architecture achieves superior run-time performance by integrating the activity of generating executable code into the operating system itself. Rather than being an auxiliary function performed off-line by a stand-alone compiler, code generation constitutes a central, indispensable service in our system. Our integral code generator has two distinct modes of operation: instantaneous load-time translation and continuous dynamic re-optimization.
In contrast to just-in-time compilers that translate individual procedures on a call-by-call basis, our system's integral code-generator translates complete code-closures in a single burst during loading. This has the apparent disadvantage that it introduces a minor delay prior to the start of execution. As a consequence, to some extent we have to favor compilation speed over code quality at load time.
But then, the second operation mode of our embedded code generator soon corrects this shortcoming. Central to our run-time architecture is a thread of activity that continually optimizes all of the already executing software in the background. Since this is strictly a re-compilation of already existing code, and since it occurs completely in the background, speed is not critical, so that aggressive, albeit slow, optimization techniques can be employed. Upon completion, the previously executing version of the same code is supplanted by the newly generated one and re-optimization starts over. By constructing globally optimized code-images from mobile software components, our architecture is able to reconcile dynamic composability with the run-time efficiency of monolithic applications.
MESSENGERS is a paradigm for the programming of distributed systems. It is based on the principles of autonomous messages, called Messengers, which carry their own behavior in the form of a program. This enables them to navigate freely in the underlying computational network, communicate with one another, and invoke pre-compiled node-resident functions. Coordination is facilitated at two distinct levels of abstraction: first, Messengers coordinate the invocation and the exchange of data among the various functions distributed throughout the network in both time and space (intra-object coordination); second, Messengers, each representing a high-level entity, can coordinate their behaviors among themselves (inter-object coordination). These principles, where an application is composed of autonomous, mobile entities whose behaviors may change dynamically and which can coordinate their actions among themselves, offer great flexibility in interacting with and manipulating the application at run time, as well as improved performance. This is illustrated using two concrete examples-a Toxicology simulation from medicine and a study of collective fish behavior from biology.
MESSENGERS is a system for general-purpose distributed computing based on the concept of autonomous mobile objects, capable of navigating through a network and invoking native-mode C functions in the nodes they visit. We present performance measurements using three specific applications to illustrate the cost of using this paradigm for developing and using distributed applications.
Messengers are autonomous objects, each capable of navigating through the underlying network and performing various tasks at each node. Messengers applications are written using navigational commands rather than the send/receive primitives of conventional message-passing approaches. In this paper we contrast the two programming styles. The navigational style generally results in a smaller semantic gap between abstract algorithm descriptions and their actual implementations, which makes programs easier to construct, understand, and maintain. Other advantages of the navigational programming style include the ability to compute in unknown or dynamically changing network topologies.
MESSENGERS is a system for general-purpose distributed computing based on the principles of mobile agents. Its underlying infrastructure consists of a collection of daemon processes, whose task it is to receive incoming agents, provide the necessary environment for their execution, and send them on to their next destinations as dictated by their behaviors. The structure of the daemon processes and their mapping onto the physical network is the main subject of this paper. Given the autonomous nature of each computation, the mapping problem is very different from those implemented for systems of communicating processes. At the same time, it offers new opportunities for solving the problems of load balancing, dynamic resource utilization, and trade-offs between computation granularity and communication overhead.
An individual-based simulation organizes the application as a collection of autonomous entities. The behavior of the system is simulated as interactions among such entities and hence the application development focuses primarily on describing the entities' behaviors. A natural implementation of individual-based modeling is to use autonomous objects, i.e., mobile entities navigating autonomously through their underlying computational network. This is further simplified if the programming and execution environment supports global virtual time management. MESSENGERS is a virtual-time computing environment for autonomous objects, and therefore the present work is the first experiment in applying the paradigm of autonomous objects to distributed individual-based simulations. We discuss MESSENGERS' advantages for application development from the software engineering point of view and compare its performance with conventional message-passing executions.
MESSENGERS is a paradigm for the programming of distributed systems. It is based on the principles of autonomous messages, called Messengers, which carry their own behavior in the form of a program. This enables them to navigate freely in the underlying computational network, communicate with one another, and invoke compiled node-resident C functions in the nodes they visit. Hence a distributed application is viewed as a collection of C functions whose invocation and interoperation is orchestrated by Messengers. This provides for a clear separation between computations, as expressed by the individual node functions, and coordination, which is the order of function invocations and the transport of information among them as prescribed by messengers. This separation allows each layer to be designed and implemented separately. It also supports the reuse of the coordination structures and the interactive and incremental development and use of distributed applications.
The opportunities offered by the Internet are encouraging research aimed at the creation of a computational infrastructure that exploits the wide spread communication infrastructure. The mobile computation paradigm is a proposal to build a computational infrastructure that goes beyond the well-known client-server paradigm and increases dynamicity and flexibility. Despite the promising first steps, there is still confusion on the role of paradigms and technology in the development on applications based on the mobile computation paradigm. We present a case study in which we develop several versions of an application using different paradigms and different technologies in order to show when these concepts come into play and which are their relationships.
Many popular programs, such as Netscape, use untrusted helper applications to process data from the network. Unfortunately, the unauthenticated network data they interpret could well have been created by an adversary, and the helper applications are usually too complex to be bug-free. This raises significant security concerns. Therefore, it is desirable to create a secure environment to contain untrusted helper applications. We propose to reduce the risk of a security breach by restricting the program's access to the operating system. In particular, we intercept and filter dangerous system calls via the Solaris process tracing facility. This enabled us to build a simple, clean, user-mode implementation of a secure environment for untrusted helper applications. Our implementation has negligible performance impact, and can protect pre-existing applications.
Mobile-agent systems must address three security issues: protecting an individual machine, protecting a group of machines, and protecting an agent. In this chapter, we discuss these three issues in the context of D'Agents, a mobile-agent system whose agents can be written in Tcl, Java and Scheme. (D'Agents was formerly known as Agent Tcl.) First we discuss mechanisms existing in D'Agents for protecting an individual machine: (1) cryptographic authentication of the agent's owner, (2) resource managers that make policy decisions based on the owner's identity, and (3) secure execution environments for each language that enforce the decisions of the resource managers. Then we discuss our planned market-based approach for protecting machine groups. Finally we consider several (partial) solutions for protecting an agent from a malicious machine.
Agent Tcl is a transportable agent system. The agents are written in an extended version of the Tool Command Lanuage (Tcl). Each agent can suspend its execution at an arbitrary point, transport to another machine and resume execution on the new machine. This migration is accomplished with the agent jump command. agent jump captures the current state of the Tcl script and transfers this state to the destination machine. The state is restored on the new machine and the Tcl script continues its execution from the command immediately after the agent jump. In addition to migration, agents can send messages to each other and can establish direct connections. A direct connection is more efficient than message passing for bulk data transfer. Finally, agents can use the Tk toolkit to create graphical user interfaces on their current machine. Agent Tcl is implemented as two components. The first component is an extended Tcl interpreter. The second component is a server which runs on each machine. The server accepts incoming agents, messages and connection requests and keeps track of the agents that are running on its machine. An alpha release of Agent Tcl is available for public use. This documentation describes how to obtain and compile the source code, how to run the server and how to write transportable agents.
An information agent manages all or a portion of a user's information space. The electronic resources in this space are often distributed across a network and can contain tremendous quantities of data. Mobile agents provide efficient access to such resources and are a powerful tool for implementing information agents. A mobile agent is an autonomous program that can migrate from machine to machine in a heterogeneous network. By migrating to the location of a resource, the agent can access the resource efficiently even if network conditions are poor or the resource has a low-level interface. Telescript is the best-known mobile-agent system. Telescript, however, requires the programmer to learn and work with a complex object-oriented language and a complex security model. Agent Tcl, on the other hand, is a simple, flexible, and secure system that is based on the Tcl scripting language and the Safe Tcl extension. In this paper we describe the architecture of Agent Tcl and its current implementation.
A mobile agent is an autonomous program that can migrate under its own control from machine to machine in a heterogeneous network. In other words, the program can suspend its execution at an arbitrary point, transport itself to another machine, and then resume execution from the point of suspension. Mobile agents have the potential to provide a single, general framework in which a wide range of distributed applications can be implemented efficiently and easily. Several challenges must be faced, however, most notably reducing migration overhead, protecting a machine from malicious agents (and an agent from malicious machines), and insulating the agent against network and machine failures. Agent Tcl is a mobile-agent system under development at Dartmouth College that has evolved from a Tcl-only system into a multiple-language system that currently supports Tcl, Java, and Scheme. In this thesis, we examine the motivation behind mobile agents, describe the base Agent Tcl system and its security mechanisms for protecting a machine against malicious agents, and analyze the system's current performance. Finally, we discuss the security, fault-tolerance and performance enhancements that will be necessary for Agent Tcl and mobile agents in general to realize their full potential.
The recent trend towards dynamically extensible systems holds the promise of more powerful and flexible systems. At the same time, the impact of extensibility on overall system security and, specifically, access control is still ill understood, and protection mechanisms in these extensible systems are rudimentary at best. In this paper, we identify the structure of extensible systems as it relates to system security, and present an access control mechanism that is user-friendly and complete. The mechanism, by using ideas first introduced by the security community, offers mandatory access control which can be used to enforce a given security policy. Additional discretionary access control allows users to express their own fine-grained access constraints.
We introduce a new access mode, called the extend access mode, in addition to the familiar execute access mode, to reflect how extensions interact. Furthermore, in a departure from work in the security community, we treat both extensions and threads of control as subjects, i.e., as active entities, in order to correctly capture their interaction in an extensible system. We present the design of the access control mechanism and define a formal model. We describe an implementation of the access control mechanism in the SPIN extensible operating system, which allows us to evaluate its performance and to explore optimizations that reduce the overhead of access control. The measured end-to-end overhead of access control in our system is less than 2%.
We have designed and implemented a mobile code system. It has been integrated with an existing distributed programming environment that includes a Remote Procedure Call (RPC) system, object interface definition language, a trader, an event system and continuous media streams. This bespoke platform for distributed programming has allowed us to experiment with mobile code and propose new facilities.
Use of mobile code can make distributed systems and the abstractions they provide more flexible to build and use.
Richer functionality can be given to the interaction between processes by allowing code to be sent between them. More convenient, application-level operations can be made over a network. By making higher order language features transmissible, distributed components can be tightly bound together when they communicate. At the same time, familiar distributed systems can be built using mobile code.
Mobile code can make distributed systems adaptable to application needs. Rather than fixing the interface to a resource and the pattern of interaction with it, a minimal interface can be defined and code implementing higher-level interfaces placed alongside it as and when required. These higher-level interfaces can be application-specific, allowing for interaction patterns that were unknown at the time the resource was made available. Sending code close to a resource can also reduce network usage because the point of interaction with it moves.
The combination of document markup supporting hypertext and a language supporting state-saving allows for stateful client-server sessions with stateless servers and lightweight clients. Putting dormant mobile code in documents provides an alternative to holding knowledge of application functionality on a server machine or running arbitrary code on a client machine.
Mobile code helps to support user mobility. Personalised environments that support state-saving can follow a user between computers. Heterogeneous state-saving allows a user's programs to be relocated between computers. By using a mobile code system with language support for state-saving, applications can direct arbitrary component migration without priming program servers with specific support.
In summary, this dissertation supports the thesis that mobile code can be used to enhance distributed systems.
In recent years, there has been an explosive growth in the amount of information available to our society. In particular, the amount of information available on-line through vast networks like the global Internet has been growing at a staggering rate. This growth rate has by far exceeded the rate of growth in network speeds, as has the number of individuals and organizations seeking access to this information. There is thus a motivation to find abstract methods of manipulating this on-line data in ways that both serve the needs of end users efficiently and use network resources intelligently. In lieu of a traditional client-server model of information processing, which is both inflexible and potentially very inefficient, a Transportable Intelligent Agent system has the potential to achieve a more efficient and flexible network system. An intelligent agent is a program that models the information space for a user, and allows the user to specify how the information is to be processed. A transportable agent can suspend its execution, transport itself to a new location on a network, and resume execution at the new location. This is a particularly attractive model for both wireless and dialup networks where a user might not be able to maintain a permanent network connection, as well as for situations where the amount of information to be processed is large relative to the network bandwidth. Preliminary work in the field has shown that such agent systems are possible and deserve further study. This thesis describes a prototype transportable intelligent agent system that extends work already done in the field. Agents are written in a modified version of the Tcl programming language and transported using TCP/IP connections. Several simple examples demonstrate the properties of the system.
Mobile agents are programs, typically written in a script language, which may be dispatched from a client computer and transported to a remote server com- puter for execution. Several authors have suggested that mobile agents offer an important new method of performing transactions and information retrieval in networks. Other writers have pointed out, however, that mobile agent introduce severe concerns for security. We consider the advantages offered by mobile agents and assess them against alternate methods of achieving the same function. We conclude that, while the individual advantages of agents do not represent an overwhelming motivation for their adoption, the creation of a pervasive agent framework facilitates a very large number of network services and applications.
This paper introduces the idea of dynamically moving functionality in a network--between clients and servers, and between hosts at the edge of the network and nodes inside the network. At the heart of moving functionality is the ability to support mobile code--code that is not tied to any single machine, but instead can easily move from one machine to another. Mobile code has been studied mostly for application-level code. This paper explores its use for all facets of the network, and in a much more general way. Issues of efficiency, interface design, security, and resource allocation, among others, are addressed. We use the term liquid software to describe the complete picture--liquidsoftware is an entire infrastructure for dynamically moving functionality throughout a network. We expect liquid software to enble new paradigms, such as active networks that allow users and applications to customize the network by interjecting code into it.
The Agent Tcl language is an extension of Tcl/Tk that supports distributed programming in the form of transportable agents. AGDB is a debugger for the Agent Tcl language. AGDB mixes of traditional and distributed debugging facilities. Traditional debugging features include breakpoints (line-specific, conditional, and once-only), watch conditions and variables, and interrupts. Distributed-debugging features address issues inherent in distributed programming such as migration and communication. These capabilities make debugging distributed programs difficult because they add complexities like race conditions to the set of problems a program can encounter. This paper discusses how AGDB uses distributed debugging features to debug agents.
Wireless communication with Mobile Computing devices is known to be problematic. It is very different in character from conventional communication over wired networks. Since many distributed applications make assumptions about network characteristics, they may not be used in a hostile mobile environment.
We are proposing a new kind of messaging system which incorporates adaptive behaviour into the messages themselves. We call these 'Smart Messages', and implement them using Mobile Agents. They are transported between machines via Agent Airports. The metaphor we use is of a message being delivered by a courier (Mobile Agent), through Agent Airports, on a potentially unresolved route. The 'intelligence' is in the messages (couriers in our metaphor) themselves rather than in the network.
The approach taken expands on the self-routing capabilities of current Mobile Agent systems such as Aglets or Telescript. We aim to provide structured support for handling the particular problems associated with wireless communications. These include very limited, variable and asymmetric bandwidth, frequent and prolonged disconnections, geographical mobility and high usage costs. We argue that this offers an efficient, adaptable and robust solution to many of the problems associated with this hostile communications environment.
Mobile agents can optimize their communication patterns to reduce bandwidth and latency and can adapt to changes in network service. We report on use of the Knowbot Operating Environment to support mobile agents in a wide-area network. Experiments with an application that monitors Web pages for changes show that a mobile program can outperform its stationary counterpart. The performance benefits are obtained by moving clients within the network to reduce the costs of wide-area network connections.
Knowbot ® Programs are mobile agents intended for use in widely distributed systems like the Internet. We describe our experiences implementing security, process migration, and inter-process communication in a prototype system implemented using the object-oriented programming language Python. This infrastructure supports applications that are composed of multiple, autonomous agents that can migrate to use network resources more efficiently.
This extended abstract presents a solution based on mobile agents forarchie/ftp sessions on Internet. Due to the increased rate ofinteractivity, which imposes relatively long connection periods,required by these services, their use is not appropriate for mobile stations. This solution provides mobile user access to these services while keeping a low rate of the connections.
Downloading executable content, which enables principals to run programs from remote sites, is a key technology in a number of emerging applications, including collaborative systems, electronic commerce, and web information services. However, the use of downloaded executable content also presents serious security problems because it enables remote principals to execute programs on behalf of the downloading principal. Unless downloaded executable content is properly controlled, a malicious remote principal may obtain unauthorized access to the downloading principal's resources. Current solutions either attempt to strictly limit the capabilities of downloaded content or require complete trust in the remote principal, so applications which require intermediate amounts of sharing, such as collaborative applications, cannot be constructed over insecure networks. In this paper, we describe an architecture that flexibly controls the access rights of downloaded content by: (1) authenticating content sources; (2) determining content access rights based on its source and the application that it is implementing; and (3) enforcing these access rights over a wide variety of objects and for the entire computation, even if external software is used. We describe the architecture in the context of an infrastructure for supporting collaborative applications.
An ``agent'' is a process that may migrate through a computer network in order to satisfy requests made by its clients. Agents implement a computational metaphor that is analogous to how most people conduct business in their daily lives: visit a place, use a service (perhaps after some negotiation), and then move on. Thus, for the computer illiterate, agents are an attractive way to describe network-wide computations. Agents are also useful abstractions for programmers who must implement distributed applications. This is because in the agent metaphor, the processor or ``place'' the computation is performed is not hidden from the programmer, but the communications channels are. Most current research on agents has focused on language design and application issues. The TACOMA project (Tromso And COrnell Moving Agents) has, instead, focused on operating system support for agents and how agents can be used to solve problems traditionally addressed by operating systems. We have implemented prototype systems to support agents using UNIX and using Tcl/Tk on top of Horus. This paper outlines insights and questions based on that experience. We discuss abstractions needed by an operating system to support agents, and discuss some problems that arise in connection with electronic commerce involving agents.
This report briefly introduces TACOMA Version 1.0. This distributed system supports agents, computations that can roam the internet. The report presents the TACOMA project, the computational model, how to get started, and the basic TACOMA abstractions.
The Rover toolkit combines relocatable dynamic objects andqueued remote procedure calls to provide unique services for ``roving'' mobile applications. A relocatable dynamic object is an object with a well-defined interface that can be dynamically loaded into a client computer from a server computer (or vice versa) to reduce client-server communication requirements. Queuedremote procedurecall is a communication system that permits applications to continue to makenon-blockingremote procedure call requests even whena host is disconnected, with requests and responses being exchangedupon network reconnection. The challenges of mobile environments include intermittent connectivity, limited bandwidth, and channel-use optimization. Experimental results from a Rover-based mail reader, calendar program, and two non-blocking versions of World-Wide Web browsers show that Rover's services are a good match to these challenges. The Rover toolkit also offers advantages for workstation applications by providing a uniform distributed object architecture for code shipping, object caching, and asynchronous object invocation.
Emerald is an object-based language and system designed for the construction of distributed programs. An explicit goal of Emerald is support for object mobility; objects in Emerald can freely move within the system to take advantage of distribution and dynamically changing environments. We say that Emerald has fine-grained mobility because Emerald objects can be small data objects as well as process objects. Fine-grained mobility allows us to apply mobility in new ways but presents implementation problems as well. This paper discusses the benefits of fine-grained mobility, the Emerald language and run-time mechanisms that support mobility, and techniques for implementing mobility that do not degrade the performance of local operations. Performance measurements of the current implementation are included.
Mobile agents offer a new paradigm for distributed computation, but their potential benefits must be weighed against the very real security threats they pose. These threats originate not just in malicious agents but in malicious hosts as well.
In this article, we present our security model for the IBM Aglets Workbench, a Java-based environment for building mobile agent applications. We detail both the security model and the corresponding security architecture that represents a framework for the inclusion of security services in future releases of the AWB. This work therefore represents an additional step toward the comprehensive security model required for widespread commercial adoption of mobile agent systems to occur.
Worldwide networks such as the Internet are becoming very popular, so distributed computing environments for such networks are in high demand. We think the design of such an environment should be based on a mobile-object computing model and are therefore designing a mobile-object system called Planet. One of the most significant issues in designing mobile object systems for world-wide networks is to provide the control needed to assure the protection and security of mobile objects and of computing resources. In this paper we describe our approach to this issue.
Several companies riding the current wave of popularity of Java want to let you play in the mobile agent sandbox. Each claims that mobile agent technologies are going to change the way we live and work, and each wants to be the company that provides the breakthrough system we all end up using. What do these agent systems actually do and, more importantly, what distinguishes one agent system from another?
To help answer these questions, we downloaded three of the leading commercial systems-IBMs Aglets, General Magics Odyssey, and ObjectSpaces Voyager-and looked at issues such as ease of installation, feature set, documentation, and cost. We also discuss new capabilities of Java 1.1 that show promise as simple yet powerful means to create mobile agent systems. We conclude with a brief look at the ways in which mobile agents are currently being used and the limitations of todays technologies.
Mobile agents are code-containing objects that may be transmitted between communicating participants in a distributed system. As opposed to systems that only allow the exchange of nonexecutable data, systems incorporating mobile agents can achieve significant gains in performance and functionality.
A programming language for mobile agents must be able to express their construction, transmission, receipt, and subsequent execution. Its implementation must handle architectural heterogeneity between communicating machines and provide sufficient performance for applications based on agents. In addition to these essential properties, an agent language may support desirable properties such as high-level abstractions for code manipulation and the ability to access resources on remote execution sites.
We designed and implemented an agent programming language that satisfies the essential properties and a number of desirable ones. A key feature of our language is the use of strong static typing for remote resource access. Agents may be linked dynamically to resources on remote sites, and this linking is always guaranteed to be type safe. We provide this guarantee without requiring that all components of an agent-based system be compiled together.
Our language also includes several features to improve the performance of mobile agents. Before an agent is transmitted, it is trimmed of values that are expected to be available on the recipient, thus shrinking transmissions. Agents may be interpreted or compiled depending on the application and the relative performance trade-offs. When compilation is used, it is done lazily: Each component of an agent is only compiled as it is needed. Furthermore, machine-specific representations for an agent can be transmitted with machine-independent ones, opening the possibility for recipients to skip compilation or interpretation altogether.
To evaluate our language and to explore the potential of mobile agents, we developed a programming framework for agents. Several applications were implemented by other programmers within this framework using our language. Their work served to validate our design and our choice of agent language properties. We also analyzed the performance of our language on these applications and several synthetic benchmarks. The analysis shows that the features we incorporated into the implementation significantly improve performance.
Mobile agents are code-containing objects that may be transmitted between communicating participants in a distributed system. Compared to systems that only allow the exchange of nonexecutable data, those incorporating mobile agents can achieve significant gains in performance and functionality.
Languages with first-class functions provide a good starting point for agent programming, as they make it easy to express the construction, transmission, receipt, and subsequent execution of agents. However, for developing real agent-based systems, a language implementation must handle architectural heterogeneity between communicating machines and provide sufficient performance for applications based on agents. In addition, agents need to be able to access resources on remote execution sites yet remain in a framework that provides sufficient security.
In this paper we consider the uses of mobile agents and how a distributed functional language can be extended to support them. We review other agent languages and present several observations on how further work in this area may proceed.
The use of larger and more complex mobile agents in distributed applications has created a need for agent programming systems that deliver better performance. The implementation of Extended Facile, a mobile agent language, uses several strategies to boost performance. We review four main techniques: allowing agents to use different transmissible representations, optimistically transmitting machine code with agents, stripping agents of data and code that can be found at their recipients before transmitting them, and performing agent compilation lazily. Quantitative measurements show that these methods can boost absolute and relative performance.
As network information resources grow in size, it is often most efficient to process queries and updates at the site where the data is located. This processing can be accomplished by using a traditional client-server network interface, which constrains the client to the set of queries supported by the server, or requires the server to send all data to the client for processing. The former is inflexible; the latter is inefficient. Transportable agents, which support the movement of the client computation to the location of the remote resource, have the potential to be more flexible and more efficient. Transportable agents are capable of suspending their execution, transporting themselves to another host on a network, and resuming execution from the point at which they were suspended. Transportable agents consume fewer network resources and can support systems that do not have permanent network connections, such as mobile computers and personal digital assistants. We describe a prototype transportable-agent implementation that facilitates research in this area. Agents are written in a script language that supports agent relocation, and the language is processed at each host by an agent interpreter. Electronic mail is the current transport mechanism and we plan to explore others. We present a technical-report searching agent as a demonstration of the capabilities of our prototype implementation.
Worldwide applications exist in an environment that is inherently distributed, dynamic, heterogeneous, insecure, unreliable, and unpredictable. In particular, the latency and bandwidth of network connections varies tremendously from place to place and time to time, particularly when considering wireless networks, mobile devices, and satellite connections. Applications in this environment must be able to adapt to different and changing conditions. We believe that transportable autonomous agents provide an excellent mechanism for the construction of such applications. We describe our prototype transportable-agent system and several applications.
Mobile computers have become increasingly popular as users discover the benefits of having their electronic work available at all times. However, because network conditions vary from connection to connection, using Internet resources from a mobile platform is a major challenge. Mobile agents are one solution. A mobile agent is an autonomous program that can move from machine to machine in a heterogeneous network under its own control. It can suspend its execution at any point, transport itself to a new machine, and resume execution on the new machine from the point at which it left off. On each machine, it interacts with service agents and other resources to accomplish its task, returning to its home site with a final result when that task is finished.
Agent Tcl is a mobile-agent system whose agents can be written in Tcl, Java, and Scheme. Agent Tcl has extensive navigation and communication services, security mechanisms, and debugging and tracking tools. In this article we focus on Agent Tcls architecture and security mechanisms, its RPC system, and its docking system, which lets an agent move transparently among mobile computers, regardless of when they are connected to the network.
In the last three years we have been working with persistence anddistribution, in particular migration of higher-level objects (such asprocedures) between autonomous persistent programs. In this paper weintroduce persistence and the suitability of Napier88, the persistentsystem we have used for our experiments, as an agent language. We thenpresent a few examples of opportunities and many more challenges thatexist in the combination of persistence with agents.
In the last three years we have been working with persistence and distribution, in particular migration of higher-level objects between autonomous persistent programs. In this chapter we introduce persistence and then present a few examples of opportunities and many more challenges that exist in the combination of persistence and mobility.
This report describes Proof-Carrying Code, a software mechanism that allows a host system to determine with certainty that it is safe to execute a program supplied by an untrusted source. For this to be possible, the untrusted code supplier must provide with the code a safety proof that attests to the code's safety properties. The code consumer can easily and quickly validate the proof without using cryptography and without consulting any external agents. In order to gain preliminary experience with proof-carrying code, we have performed a series of case studies. In one case study, we write safe assembly-language network packet filters. These filters can be executed with no run-time overhead, beyond a one-time cost of 1 to 3 milliseconds for validating the attached proofs. The net result is that our packet filters are formally guaranteed to be safe and are faster than packet filters created using Berkeley Packet Filters, Software Fault Isolation, or safe languages such as Modula-3. In another case study we show how proof-carrying code can be used to develop safe assembly-language extensions of the a simplified version of the TIL run-time system for Standard ML.
This paper describes a mechanism by which an operating system kernel can determine with certainty that it is safe to execute a binary supplied by an untrusted source. The kernel first defines a safety policy and makes it public. Then, using this policy, an application can provide binaries in a special form called proof-carrying code, or simply PCC. Each binary contains, in addition to the native code, a formal proof that the code obeys the safety policy. The kernel can easily validate the proof without using cryptography and without consulting any external trusted entities. If the validation succeeds, the code is guaranteed to respect the safety policy without relying on run-time checks.
The main practical difficulty of is in generating the safety proofs. In order to gain some preliminary experience with this, we have written several network packet filters in hand-tuned DEC Alpha assembly language, and then generated binaries for them using a special prototype assembler. The binaries can be executed with no run-time overhead, beyond a one-time cost of 1 to 3 milliseconds for validating the enclosed proofs. The net result is that our packet filters are formally guaranteed to be safe and are faster than packet filters created using Berkeley Packet Filters, Software Fault Isolation, or safe languages such as Modula-3.
This paper is intended to be both a comprehensive implementation guide for a Proof-Carrying Code system and a case study for using PCC in a mobile agent environment. Specifically, the paper describes the use of PCC for enforcing memory safety, access control and resource usage bounds for untrusted agents that access a database.
This paper describes proof-carrying code (PCC), a mechanism by which a host system can determine with certainty that it is safe to execute a program supplied (possibly in binary form) by an untrusted source. For this to be possible, the untrusted code producer must supply with the code a safety proof that attests to the code's adherence to a previously defined safety policy. The host can then easily and quickly validate the proof without using cryptography and without consulting any external agents.
In order to gain preliminary experience with PCC, we have performed several case studies. We show in this paper how proof-carrying code might be used to develop safe assembly-language extensions of ML programs. In the context of this case study, we present and prove the adequacy of concrete representations for the safety policy, the safety proofs, and the proof validation. Fi- nally, we briefly discuss how we use proof-carrying code to develop network packet filters that are faster than similar filters developed using other techniques and are formally guaranteed to be safe with respect to a given operating system safety policy.
Network environments allow computer users to employ distributed information and services to complete a task. However, gathering information and using services distributed in networks requires knowing exactly what kinds of information and services are required for a task, where they are, and how they can be obtained or utilized. Tracking down the answers to these questions can be difficult, time-consuming tasks. Mobile agent technology is expected to free users from these tasks. Instead of the user searching, ïntelligent mobile agents will comprehend the users requirements, search network nodes autonomously for appropriate information and services, and return with the answers.
We developed a model based on the ability of agents to make flexible plans. The Plangent system enables mobile agents to make a plan based on user input and adopt it accordingly to information gathered from the network. In this article, we describe how we combined planning functions with mobile agent facilities, and show how the agents behave intelligently in an example application of personal travel assistance.
Computers and data networks continue to get faster. However computers and networks are geting faster in different ways. This difference is best illustrated by an example. Consider the problem of making a car faster. A 100-times improvement in speed would imply cars with cruising speeds of about 600 miles per hour. Computers are getting faster like cars get faster; they perform more instructions per second. Now imagine giving the car more storage space, while keeping its maximum speed constant. A 100-times improvement yeilds a ca that can hold 100-tomes more luggage, but stilll only goes 60 miles per hour. Networks are getting faster like larger cars, they send more bitss per packet because the speed of limit limits how fast a packet can get from one place to another. This thesis examines the implcations of this difference for the future of distributed computing. The thesis identifies four major implication: itemize The performance difference is permanent.. The speed of light is constant and there is no hope of reducing the network delay. The time spent waiting for data to cross the network will soon become the largest part of most programs' run-time. A single exchange of packets will take far more time than executing all the application's instructions. Due to their differing latencies, LANs and WANs will probably continue to exhibit different performance characteristics for some time to come. Popular distributed computing paradigms such as RPC do not appear to scale well to an environment in which network delays are long. itemize The thesis also presents a novel paradigm for distributed computation call late-binding in which applications send arbitrary pieces of code to arbitrary remote systems for evaluation. It is argued that this paradigm can give optimal performance in the number of network transits required to complete a computation. A model of distributed computation is developed and used to show that optimizing network transits will usually be the determining factor for the performance of distributed applications. Finally, it is shown that implementing late-binding is feasible.
We describe a platform for the portable and secure execution of mobile agents written in various interpreted languages on top of a common run-time core. Agents may migrate at any point in their execution, fully preserving their state, and may exchange messages with other agents. One system may contain many virtual places, each establishing a domain of logically related services under a common security policy governing all agents at this place. Agents are equipped with allowances limiting their resource accesses, both globally per agent lifetime and locally per place. We discuss aspects of this architecture and report about ongoing work.
A good starting point for people new to Ara and possibly mobile agent programming in general. This assumes very little prerequisite knowledge, so expert readers might want to only skim through its initial sections. The report introduces mobile agents and the Ara system, regards potential applications, and proceeds to a fairly complete, but nonformal description of the Ara API, subsequently demonstrated on a larger example of a WWW searching agent. The report closes with some discussion of the Ara implementation and selected aspects of mobile agents in general.
Advancements in network technology have led to the emergence of new computing paradigms that challenge established programming practices by employing weak forms of consistency and dynamic forms of binding. Code mobility, for instance, allows for invocation-time binding between a code fragment and the location where it executes. Similarly, mobile computing allows hosts (and the software they execute) to alter their physical location. Despite apparent similarities, the two paradigms are distinct in their treatment of location and movement. This paper seeks to uncover a common foundation for the two paradigms by exploring the manner in which stereotypical forms of code mobility can be expressed in a programming notation developed for mobile computing. Several solutions to a distributed simulation problem are used to illustrate the modeling strategy for programs that employ code mobility.
In this paper, we investigate network-aware mobile programs, programs that can use mobility as a tool to adapt to variations in network characteristics. We present infrastructural support for mobility and network monitoring and show how adaptalk, a Java-based mobile Internet chat application can take advantage of this support to dynamically place the chat server so as to minimize response time. Our conclusion was that on-line network monitoring and adaptive placement of shared data-structures can significantly improve performance of distributed applications on the Internet.
Efficient data combination over wide-area networks is hard as wide-area networks have large variations in available network bandwidth. In this paper, we examine the utility of changing the location of combination operators as a technique to adapt to variations in wide-area network bandwidth. We try to answer the following questions. First, does relocation of operators provide a significant performance improvement? Second, is on-line relocation useful or does a one-time positioning at start-up time provide most if not all the benefits? If on-line relocation is useful, how frequently should it be done and is global knowledge of network performance required or can local knowledge and local relocation of operators sufficient? Fourth, does the effectiveness of operator relocation depend on the ordering of the combination operations. That is, are certain ways of ordering more amenable to adaptation than others? Finally, how do the results change as the number of data sources changes?
A large class of distributed testing, control and collaborative applications are reactive or event driven in nature. Such applications can be structured as a set of handlers that react to events and that in turn can trigger other events. We have developed an application building toolkit that facilitates development of such applications. Our system is based on the concept of Mobile Streams. Applications developed in our system are dynamically extensible and re-configurable and our system provides the application designer a means to specify resource-control policy-modules that can control how the system can be extended and reconfigured. We describe our system model and compare our design to the design of other similar systems. We also describe three applications that have built using our implementation of Mobile Streams.
The Decode-Encode Language (DEL) is a machine independent language tailored to two specific computer network tasks: accepting input codes from interactive consoles, giving immediate feedback, and packing the resulting information into message packets for network transmissin. and accepting message packets from another computer, unpacking them, building trees of display information, and sending other information to the user at his interactive station.
Transportable agents are autonomous programs. They can move through a heterogeneous network of computers under their own control, migrating from host to host. They can sense the state of the network, monitor software conditions, and interact with other agents or resources. The network-sensing tools allow our agents to adapt to the network configuration and to navigate under the control of reactive plans. In this paper we describe the design and implementation of the navigation system that gives our agents autonomy. We also discuss the intelligent and adaptive behavior of autonomous agents in distributed information-gathering tasks.
Transportable agents are autonomous programs. They can move through a heterogeneous network of computers under their own control, migrating from host to host. They can sense the state of the network, monitor software conditions, and interact with other agents or resources. The network-sensing tools allow our agents to adapt to the network configuration and to navigate under the control of reactive plans. In this paper we describe the design and implementation of the navigation system that gives our agents autonomy. We also discuss the intelligent and adaptive behavior of autonomous agents in distributed information-gathering tasks.
A new technique for computer-to-computer communication is presented that can increase the generality and performance of distributed systems. This technique, called Remote Evaluation, lets one computer send another computer a request in the form of a program. A computer that receives such a request executes the program in the request and returns the results to the sending computer. parRemote evaluation provides a new degree of flexibility in the design of distributed systems. In present distributed systems that use Remote Procedure Calls, server computers are designed to offer a fixed set of services. In a system that uses remote evaluation, server computers are more properly viewed as programmable soft abstractions. One consequence of this flexibility is that remote evaluation can reduce the amount of communication that is required to accomplish a given task.
Our thesis is that it is possible to design a remote evaluation system that permits the processing of a program to be distributed among remote computers without changing the program's semantics. In support of this thesis our proposal for remote evaluation uses the same argument passing semantics for local and remote procedure invocations (call by sharing); it provides atomic transactions to mask computer and communication failures; and it provides a static checking framework that identifies procedures that can not be relocated from computer to computer.
We discuss both the semantics of remote evaluation and our experience with a prototype implementation. The idea of a remote data type is introduced to let one computer name objects at a remote computer. A detailed discussion of the compile-time and run-time support necessary for remote evaluation is provided, along with a detailed sample application.
We present a technique for moving objects and threads among heterogeneous computers at the native code level. To enable mobility of threads running native code, we convert thread states among machine-dependent and machine-independent formats. We introduce the concept of bus stops, which are machine-independent representations of program points as represented by program counter values. The concept of bus stops can be used also for other purposes, e.g., to aid inspecting and debugging optimized code, garbage collection etc. We also discuss techniques for thread mobility among processors executing differently optimized codes.
We demonstrate the viability of our ideas by providing a prototype implementation of object and thread mobility among heterogeneous computers. The prototype uses the Emerald distributed programming language without modification; we have merely extended the Emerald runtime system and the code generator of the Emerald compiler. Our extensions allow object and thread mobility among VAX, Sun-3, HP9000/300, and Sun SPARC workstations. The excellent intra-node performance of the original homogeneous Emerald is retained: migrated threads run at native code speed before and after migration; the same speed as on homogeneous Emerald and close to C code performance. Our implementation of mobility has not been optimized: thread mobility and trans-architecture invocations take about 60% longer than in the homogeneous implementation.
We believe this is the first implementation of full object and thread mobility among heterogeneous computers with threads executing native code.
As the use of Distributed Interactive Simulations has grown, the need to support a large number of players in the environment has become apparent. DIS has not been able to support a large number of entities because of its high network bandwidth requirements and the large computational loads it places on host computers. A combination of an agent based architecture and smart networks provides a promi sing solution to these problems when implementing large-scale distributed simulations. An agent system using the remote programming paradigm, transporting the necessary parameters and the necessary code for remote execution [WHITE95], could reduce the network bandwidth requirements and large computational loads associated with a large distributed simulation. This reduction would occur by eliminating unnecessary PDU traffic through the use of mobile agents that represent the originating entity. These agents would travel to, and reside on, the host computer of other entities and provide the necessary state information for stationary entities without using network resources. Smart Networks could be used to create a flexible area of interest manager, allowing entities to specify their area of interest and the information that they require from within that area [HARR95a]. This approach allows an entity to get all of the information it requires to represent its view of the simulated world while eliminating unnecessary information processing.
Mobile agents are active, autonomous objects, which are able to movebetween locations in a so-called agent system, a distributed abstractionlayer providing security of the underlying systems on one hand and theconcepts and mechanisms for mobility and communication on the otherhand. In this paper, the mobility, the communication concepts and thearchitecture of Mole, an agent system developed at the University of Stuttgart, are presented.
Active networks allow their users to inject customized programs into the nodes of the network. An extreme case, in which we are most interested, replaces packets with `capsules' -- program fragments that are executed at each network router/switch they traverse.
Active architectures permit a massive increase in the sophistication of the computation that is performed within the network. They will enable new applications, especially those based on application-specific multicast, information fusion, and other services that leverage network-based computation and storage. Furthermore, they will accelerate the pace of innovation by decoupling network services from the underlying hardware and allowing new services to be loaded into the infrastructure on demand.
In this paper, we describe our vision of an active network architecture, outline our approach to its design, and survey the technologies that can be brought to bear on its implementation. We propose that the research community mount a joint effort to develop and deploy a wide area ActiveNet.
Active networks are a novel approach to network architecture in which the switches of the network perform customized computations on the messages flowing through them. This approach is motivated by both lead user applications, which perform user-driven computation at nodes within the network today, and the emergence of mobile code technologies that make dynamic network service innovation attainable. In this article, the authors discuss two approaches to the realization of active networks and provide a snapshot of the current research issues and activities.
Facile is an experimental concurrent functional programming language intended to support applications that require a combination of physical distribution and complex computation. This report gives an introduction to programming with Facile. Examples are based on the Facile Antigua release, which makes distributed programming over a network possible.
An environment is outlined in which programming objects collect and disseminate information, using analogies from the animal world. Objects have their own rules of behaviour. They coordinate their activities by participating in events. Objects get born, move around, communicate and receive information and, eventually, die.
This papers explores a mode of communication that is based on instruction rather than interpretation. Starting from Shannon's (interpretative) communication model, I link instruction-based communications to mobile code (messengers), to ``signs'' as they are defined in semiotics, and to the virus theme commonly found in cell biology, computer science and literature. Virus-codes are conjectured to be more powerful that the equivalence codes studied by Shannon.
Implementation techniques for distributed applications can be positioned in a spectrum that ranges from data-exchange to code-exchange. Date-exchange means that the logic (i.e., code) of a distributed application is statically installed and that coordination is done by exchanging messages with predefined meanings. Code-exchange, on the other hand, means that coordination is achieved by sending around code fragments which alter the data that is bound to the network's hosts. Actual systems usually pick and combine several techniques that are positioned at different places in this spectrum. Sun's JAVA and the corresponding code-on-demand approach, for example, would be closer to the data-exchange viewpoint, while Stamos' and Gifford's Remote Evaluation is more in the line of mobile code because the initiator has more instructional capabilities. Mobile software agent systems are quite close to pure code-exchange, although they often mix-in classical data-exchange techniques (data streams between agents, or mailboxes). The aim of the mobile code environment M (m-zero) is to be as faithful as possible to the code-exchange point of view.
Mobile code systems provide a flexible and powerful platform to build distributed applications in an Internet scale, but they rise strong requirements from the security point of view. Security issues include au thentication of the different remote parties involved and protection of the execution environments from malicious agents. Nonetheless, the most diffcult task is to protect roaming agents from execution environments. This paper presents a new mechanism based on execution tracing and cryptography that allows an agent owner to determine if some site in the route followed by the agent tried to tamper with the agent state or code.
This book presents a collection of papers dealing with different aspects of mobile computations. Mobile computations are computations that are not bound to single locations, but may move at will to best use the computer network's resources. In this view, the network becomes a single, vast, programmable environment. Among computer scientists, many feel that this approach will have a profound effect on the way we design and implement distributed applications, and they agree that we are witnessing a paradigm change. However, this new and exciting paradigm requires advances, both theoretical and applied, in fields such as programming languages (where we need a sound semantic foundation and efficient implementations), operating systems and software safety and security. Some of the first steps towards a programmable Internet are documented here.
Mobile software agents are computational entities acting on the behalfof a user which may move from computer to computer over a heterogeneousnetwork, draw on local resources, and interact with other agents. This extended abstract discusses agent communication and its implications for security.
Ensuring secure information flow within programs in the context of multiple sensitivity levels has been widely studied. Especially noteworthy is Denning's work in secure flow analysis and the lattice model . Until now, however, the soundness of Denning's analysis has not been established satisfactorily. We formulate Denning's approach as a type system and present a notion of soundness for the system that can be viewed as a form of noninterference. Soundness is established by proving, with respect to a standard programming language semantics, that all well-typed programs have this noninterference property.
One way to provide fault isolation among cooperating software modules is to place each in its own address space. However, for tightly-coupled modules, this solution incurs prohibitive context switch overhead. In this paper, we present a software approach to implementing fault isolation within a single address space. Our approach has two parts. First, we load the code and data for a distrusted module into its own fault domain, a logically separate portion of the application's address space. Second, we modify the object code of a distrusted module to prevent it from writing or jumping to an address outside its fault domain. Both these software operations are portable and programming language independent.
Our approach poses a tradeoff relative to hardware fault isolation: substantially faster communication between fault domains, at a cost of slightly increased execution time for distrusted modules. We demonstrate that for frequently communicating modules, implementing fault isolation in software rather than hardware can substantially improve end-to-end application performance.
Much of the current work in distributed, object-oriented systems is based on the assumption that objects form a single ontological class. This class consists of all entities that can be fully described by the specification of the set of interfaces supported by the object and the semantics of the operations in those interfaces. The class includes objects that share a single address space, objects that are in separate address spaces on the same machine, and objects that are in separate address spaces on different machines (with, perhaps, different architectures). On the view that all objects are essentially the same kind of entity, these differences in relative location are merely an aspect of the implementation of the object. Indeed, the location of an object may change over time, as an object migrates from one machine to another or the implementation of the object changes.
It is the thesis of this note that this unified view of objects is mistaken. There are fundamental differences between the interactions of distributed objects and the interactions of non-distributed objects. Further, work in distributed object-oriented systems that is based on a model that ignores or denies these differences is doomed to failure, and could easily lead to an industry-wide rejection of the notion of distributed object-based systems.
In this paper, we discuss our work on an active network architecture in which passive packets are replaced with active capsules -- encapsulated program fragments that are executed at each switch they traverse. This approach allows application-specific processing to be injected into the network. The accessibility of computation and storage ``within'' the network provides a substrate that can be tailored to build global applications, including those that invoke customized multicast and merge processing.
We describe an extension to the IP options mechanism that supports the embedding of program fragments in datagrams and the evaluation of these fragments as they traverse the Internet. The ACTIVE option provides a generic approach to the extension of the IP network service.
Choosing a model for agent migration is a key decision in the design of a Java mobile agent system. Two major models have been proposed for implementing mobile agent migration: one which captures the entire execution state of a running agent, and one which captures only object state. In this paper we compare the two models from the perspective of both the system programmer and the application programmer, in the context of Agent Java, a part of the D'Agents system developed at Dartmouth College. From the system programmer's perspective, we consider such issues as difficulty and complexity of implementation, while from the application programmer's perspective we examine the level of convenience, naturalness and functionality each method provides. Ideally, we would also like to compare the two methods in terms of performance, but time constraints and technical difficulties have prevented us from obtaining accurate results. Nevertheless, we present the results we were able to gather.