Towards a Paradigm for Robust Distributed Programming

1. Towards a Paradigm for Robust Distributed Programming Christian Scheideler Institute for Computer Science Technical University of Munich

2. Performance measures • Classical research area:Efficient algorithms and data structures • Distributed computing:Efficiency is not everything!Robustness against adversarial behavior increasingly pressing issue. Topic of this talk Robust Distributed Programming

3. Four Commandments of Distributed Computing • You shall not sleep. • You shall not lie. • You shall not steal • You shall not kill Countermeasures for violations: • Algorithmic solutions if majority is prompt. • Secure multiparty computation, filtering. • No intrusion possible, then cryptographic mechanisms protect against identity theft. • Serious problem! Denial-of-Service attacks! Robust Distributed Programming

4. Fundamental Dilemma • Scalability: minimize resources needed for operations • Robustness:maximize resources needed for attack Scalable solutions easy to attack!!! Robust Distributed Programming

5. Consequence We need a new model! NOT: What is the current state?Current distributed computing environment fundamentally flawed. What is a realizable state? Algorithms can be powerful advocates! Robust Distributed Programming

6. Towards a new paradigm Requirements: • Universality:wide range of comp./comm. environments • Simplicity:simple to state, realize and apply • Efficiency:inexpensive to realize and apply • Robustness:??? Robust Distributed Programming

7. Laws of Robustness [K. Cameron: The laws of identity, D. Epp: The eight rules of security,…] • User consent and control:user should have full control over its resources at any time • Minimal exposure:only give enough information to perform task • Minimal authority:only give enough authority for task (principle of least privilege/authority) Robust Distributed Programming

8. Medical privacy [EU Rec. on Protection of Medical Data 1997, U.S. OCR HIPAA Regulations] • User consent and control:patients should have knowledge of /control over their medical data • Minimal exposure:only store/reveal information necessary for diagnosis or treatment • Minimal authority:only give enough authority for task (principle of least privilege/authority) Robust Distributed Programming

9. Towards a new paradigm Requirements: • Universality:wide range of comp./comm. environments • Simplicity:simple to state, realize and apply • Efficiency:inexpensive to realize and apply • Robustness:three laws Robust Distributed Programming

10. Universal Models • Turing machine:easy to state and realize but not to apply • von Neumann machine:easy to state but not to realize in distributed environment • Pointer models:looks like most promising direction… Robust Distributed Programming

11. Subject-oriented approach • Subjects: active entities (no dynamic data!) • Objects: passive entities (no methods!)(hulls for dynamic data) • no global user-accessible references to subjects or objects (minimizes exposure) • Subjects and objects atomic • Every object accessible by only one subject at any time and must be co-located with it • Information exchange through exchange of objects along relay points Robust Distributed Programming

12. Subject-oriented approach • Precursor: Hewitt’s Actor model 1973 • Since then: mostly work in programming languages (E Language by Miller et al.) • Simplicity: concurreny is difficult! )concurrency only outsideofsubjects ) only strictly non-blocking primitives ) no global read and write! Robust Distributed Programming

13. Subject-oriented approach Ingredients: • Subjects: threads with static data • Objects: hulls of dynamic data • Relay points: communication • Identities: objects for authorization Robust Distributed Programming

14. Laws of Robustness • User consent and control:- subjects & objects are atomic, subjects tied to site and objects co-located with subjects - parents are responsible for children • Minimal exposure:- subjects & objects have no identity, only relays- no sensitive information (keys) revealed • Minimal authority:any connection/access requires permission Realize these through create & delete Robust Distributed Programming

15. delete s s‘ verb(args) Subjects • p(s): parent of s (cannot be changed!) • s.create(s‘):s=p(s‘) • s.delete(s‘): if s=p(s‘) then delete s‘ and all of its descendents Robust Distributed Programming

16. s r s s‘ i r‘ r r‘ Relay points • h(r): home of relay r (cannot be changed!) • s.create(r): • s.create(r | i): if d(i)=s • s.delete(r): if h(r)=s then delete r outgoing link can not be changed s Robust Distributed Programming

17. i 1 s s s i r r Identities • d(i) 2 R [1: destination • s.create(i):d(i)=1 (public identity) • s.create(i | r):d(i)=p(s) • s.create(i | r,i‘):d(i)=s(i‘) (s: source of i‘) • s.delete(i) Robust Distributed Programming

18. 1 s s s‘ r r‘ s r‘ First contact Robust Distributed Programming

19. A B B r r A r‘ Introduction r r‘ C Robust Distributed Programming

20. Objects We already know: • Objects are type-less hulls of dynamic data and co-located with their subjects • Identities are special objects Further concepts: • For efficiency, only object references transferred in internal communication, but whole objects in external communication • Migration of subjects through special objects called clones Robust Distributed Programming

21. c s s s‘ Clones • s(c): source, d(c): destination • s.create(c):d(c)=p(s) • s.create(c | i):d(c)=s(i) • s.create(s‘ | c): Robust Distributed Programming

22. Working with objects • Initialization of objects:obj := new Object; (removes all old info)obj1 := obj2; not possible (else access conflicts!) • Initialization of a new variable in object obj:int obj.var1 := 1;float obj.var2 := 0.2; string obj.var3 := “name“; • Test of defined variable:if obj.name = NULL then … var1: 1 Robust Distributed Programming

23. Working with objects • Copy-operation:obj1.name1 := obj2.name2; • Move-operation:obj1.name1 <- obj2.name2; {obj2.name2 set to NULL} • Referencing:approach:store variable names in variablesvar1 := 2; {some lokal variable in subject}obj.[var1] := 1; {obj.[var1] resolves to obj.2} var2 := “name“; obj.[var2] := 1; {obj.[var2] resolves to obj.name} • Delete-operation:obj.name := NULL; Robust Distributed Programming

24. Better resource control Additional commands open and close. • open(Subject s): activates s • close(Subject s): freezes (and saves) s • open(Relay r): activates r • close(Relay r): freezes (and saves) r • open(Object o): opens o for operations • close(Object o): closes (and saves) o New subjects/relays/objects initially open. Robust Distributed Programming

25. Better resource control In addition, use policies: • Policies for permitted calls along links. • Policies for resource use of subject and its descendents. Still under development… Robust Distributed Programming

26. Nice features • Rigorous designs of systems possible that are robust against identity theft and DoS attacks • Secure grid computing • Digital rights management • Anonymity and privacy • … BUT: How to realize subjects environment? Robust Distributed Programming

27. Implementation User Internet ISP • User: subjects & internal relay points • ISP: external relay points (quota) Robust Distributed Programming

28. Questions? Contact scheideler@in.tum.de Robust Distributed Programming