namespace logic

namespace logic a logic for a reflective higher-order process calculus L.G. Meredith1 1Djinnisys Corporation Trustworthy Global Computing ETAPS `05

Agenda • Motivations • -calculus • A warm-up: replication • Namespace logic • Examples • Conclusions and future work Trustworthy Global Computing ETAPS 05

What’s in a name? mac addresses ip addresses dns entries url’s distributed computing is done using names and it is essential that these names have structure Trustworthy Global Computing ETAPS 05

What’s in a name? • -calculus is not a closed theory • dependent upon a theory of names • such a theory will at least dictate computation of name-equality • Name-equality is a computation • nowhere is there an infinite set of atomic elements available to the computer scientist • all countably infinite sets available to the computer scientist are generated from a finite presentation • perforce the elements of these sets have structure -- and this structure is used to compute equality Trustworthy Global Computing ETAPS 05

What’s in a name? • If interaction is to provide a foundational theory of computation, then this computation must be accounted for, too! • All realizations (e.g., implementations) of mobile process calculi face this fact • Would our theory better serve our practitioners therefore if it accounted for name structure as well? • Synchronization and Substitution play very different roles in -like mobile process calculi: • requiring different computations Trustworthy Global Computing ETAPS 05

potential applications • Security: concrete realizations of network protocols use naming scheme exploiting the structure of names, • subject to guessing attacks • theory of interaction with a structural account of names can facilitate reasoning about this • Biology: sites in molecular biology are decidedly not atomic locations: • Ligand-binding receptors, phosphorylation sites, etc, have extension and behavior • modeling these as atomic names may miss important behavior Trustworthy Global Computing ETAPS 05

The -calculus syntax • Grammar P, Q ::=0 null process x(y).P input x^P_ lift P|Q parallel composition _x^ drop x,y ::= ^P_ quote • PROC denotes the set of processes generated by this grammar; • ^PROC_denotes the set of names generated by this grammar • Syntactic sugar: x[y] @ x^_y^_ Trustworthy Global Computing ETAPS 05

The -calculus syntax - examples the ur-process, everything literally comes ex nihilo, out of nothing! the first name the first output process the first input process some new names 0 ^0_ ^0_[^0_] ^0_(^0_).0 ^ ^0_[^0_] _ , ^ ^0_(^0_).0 _ Looks remarkably likemachine code! Trustworthy Global Computing ETAPS 05

Structural equivalence, -equivalence and name equivalence • Clearly, we want 0 7 0|0 7 0|0|0 7 … should ^0_7N^0|0_7N^0|0|0_7N …? • Name equivalence, N  ^PROC_  ^PROC_, is the smallest equivalence relation respecting xN^_x^_ P 7 Q^P_7N^Q_ • Structural equivalence,   PROC PROC, is the smallest equivalence relation, containing -equivalence, respecting P | 0 7P7 0 | P P | Q7Q | P (P | Q) | R7P | (Q | R ) Trustworthy Global Computing ETAPS 05

Structural equivalence, -equivalence and name equivalence • First subtlety -- a cycle in Structural equivalence • structural equivalence depends on -equivalence • -equivalence depends on name equality • name equality depends on structural equivalence! • Each ‘recursive call’ is one level of quotes fewer • Quote Depth • #(^P_) = 1+#(P) • #(P) = max({ #(^Q_) | ^Q_ N(P)}) • Grammar enforces strict alternation of quoting and process constructor • Calculation of structural equivalence terminates by easy induction on quote depth Trustworthy Global Computing ETAPS 05

Substitution Syntactic substitution A substitution is a partial map, :^PROC_ ^PROC_; {^Q_/^P_} denotes the map which sends ^P_ to ^Q_; we write x for (x) x{^Q_/^P_}=^Q_ if x N^P_, x otherwise. A substitution, , is uniquely extended to a map, _^ : PROC  PROC by the following recursive definition 0_{^Q_/^P_}^@ 0 (R|S) _{^Q_/^P_}^@ (R _{^Q_/^P_}^ ) | (S_{^Q_/^P_}^ ) (x(y).R) _{^Q_/^P_}^@ x{^Q_/^P_}(z). ((R _{z/y}^) _{^Q_/^P_}^ ) (x^R_) _{^Q_/^P_}^@x {^Q_/^P_}^R{^Q_/^P_}^_ (_x^) _{^Q_/^P_}^@ ^Q_ if x N^P_ , _x^ otherwise where z is chosen distinct from the names in R, ^P_ and ^Q_ Trustworthy Global Computing ETAPS 05

Substitution • Semantic substitution -- same as above except for drop where the process is instantiated at substitution time (_x^) _{^Q_/^P_}^@ Q if x N^P_ , _x^ otherwise • Examples w^y[z]_{u/z} = w^y[u]_w[^y[z]_]{u/z} = w[^y[z]_] w^_x^_{^Q_/x} = w^Q_ Trustworthy Global Computing ETAPS 05

Operational semantics The operational semantics is given by a reduction relation   PROC  PROC recursively specified by the following rules. comm: xsrc Nxtrgt xsrc^P_ | xtrgt(y).Q Q _{^P_/y}^ par: P  P P | Q  P | Q equiv: P  P, P  Q, Q  P P  Q Trustworthy Global Computing ETAPS 05

Replication • Replication is defined by the following equation D(x) = x(y).(_y^ | x[y] ) !xP=D(x)| x^P | D(x)_ x(y).(_y^ | x[y] ) |x^P | D(x)_  P | D(x) | x[_P | D(x)^] =P |D(x) | x^P | D(x)_ • Replication is defined by the following equation D(x) = x(y).(_y^ | x[y] ) !xP=D(x)| x^P | D(x)_ x(y).(_y^ | x[y] ) |x^P | D(x)_  P | D(x) | x[_P | D(x)^] =P |D(x) | x^P | D(x)_ • Replication is defined by the following equation D(x) = x(y).(_y^ | x[y] ) !xP=D(x)| x^P | D(x)_ x(y).(_y^ | x[y] ) |x^P | D(x)_  P | D(x) | x[_P | D(x)^] =P |D(x) | x^P | D(x)_ Trustworthy Global Computing ETAPS 05

Namespace logic -- syntax • Grammar  , ::=true verity 0 nullity  negation & conjunction  | simultaneity _b^ descent a^_ elevation a?b activity rec X. greatest fix-point n:^_. quantification a ::= ^_ indication b b ::= ^P_ nomination n Trustworthy Global Computing ETAPS 05

Namespace logic -- satisfaction P \ true always P \ 0 iff P 7 0 P \ iff P ^ P \& iff P \ , P \ P \ | iff P 7 P1|P2, P1\ , P2\ P \_b^ iff P 7_b^ P \ a^_ iff P 7 Q | x^P_, x\ a, P\ a?b iff P 7 Q | x(y).P, x\ a, c. z.P{z/y}\ {c/b} ^P_\^_ iff P \ x\ b iff x N b Trustworthy Global Computing ETAPS 05

Examples • P insists all next requests are from the namespace ^_ P \ ^_?btrue&  ^_?btrue (think: all next requests must come from this range of addresses and ports) • P only takes requests from the namespace ^_ P \ rec  . ^_?b  &  ^_?btrue (think: all requests must come from this range of addresses and ports) • P enjoys balanced i/o P \ rec  .(0 n:^true_. (n?b||n^_)) (think: no starved requests, no unsent replies) • x enjoys well-formed internal structure x \^ rec  .(0 n:^true_. (rec  .n?b (_b^| |n^0_))  n^_ |) _ (think: every <tag> has a corresponding </tag>) Trustworthy Global Computing ETAPS 05

XML in Namespace logic - dom • x conforms to dom x \^m:^true_. m^rec  .n:^true_. (0 n^_  rec  .n:^true_.n?b( )  |) __ • Document root • Element • Sequencing • Grouping Trustworthy Global Computing ETAPS 05

XML in Namespace logic - schema • x conforms to schema s • e is an element( n, s ) x \^m:^[n]_.m^[s]__ • s is sequence( e0, …, eN ) x \^n:^[n0]_. n?b ([so] |(…n:^[nn]_. n?b ([sn])…))_ • s is a choice( s0, …, sN ) x \^[so] … [sn]_ • s is a group( s0, …, sN ) x \^[so]|…|[sn]_ • s is a repetition left as an exercise -- note ,with ‘|’ min and max can be done • if x conforms to s then x should model dom • \ [s]dom Trustworthy Global Computing ETAPS 05

180 6x104 6x1010 Operational semantics revisited An alternative operational semantics may be given by commannihil: R.(Pchan| Pcochan *R)R  *0 ^Pchan_^P_ | ^Pcochan_(y).Q Q _{^P_/y}^ Trustworthy Global Computing ETAPS 05

Conclusions and future work • Presented a higher-order asynchronous message-passing calculus built on a notion of quoting • Provides an account of structured names • Presented a logic for reasoning about namespaces • Work underway on • Proof system • Type system • Model-checker Trustworthy Global Computing ETAPS 05

namespace logic BACKUP Trustworthy Global Computing ETAPS `05

Encoding the -calculus • Paper presents a ‘distributed’ encoding in which par-ands are mapped to separate namespaces • Below we present a centralized encoding (due to Radestock) in which there is a single resource against which all -requests are synchronized • Both encodings use a trick for free names: build a -calculus with the name set ^PROC_ Let h be a name not in fn(P), e.g. h=^m fn(P)m[^0_] _ [P]=[P](h) | h [^h[^0_] _] [(x)P](h)=h(x). (h^x[^0_]_ | [P](h)) [! x(y).P](h)=h(z).(h^z[^0_]_ | z^x(y).(D(z) | [P](h))_ | D(z)) where z fn(P) and D(z) as in replication Trustworthy Global Computing ETAPS 05

Correctness of the encoding names are global in the -calculus… • -calculus contexts can make observations that -calculus contexts cannot • to prove correctness of the encoding one must restrict to name-sets visible in -calculus contexts an observation relation, N, parameterized in a set of names, N, is given by x N y P N x or Q N x y[v] N x P | Q x an P N x if there is a Q s.t. P*Q and Q N x an N-barbed bisimulation, SN, is a symmetric relation s.t. P  P implies Q *Q , PSN Q P N x implies Q N x P 3N Q if there is an N-barbed bisimulation, SN , P SN Q THM: P 1Q iff [P]3FN(P)FN(Q)[Q] Trustworthy Global Computing ETAPS 05

namespace logic

namespace logic

Presentation Transcript

Encoder Logic Logic Logic 10 Output Logic Binary

Namespace

Handle System Namespace and Service Definition

System.Security.policy Namespace

namespace Smear {…}

RealNames An example of Common Name Namespace

Distributed Namespace Status Phase I - Remote Directories

control statement review namespace function

System.Security.Policy namespace

Namespace in XML

Resource Priority Namespace for ECRIT

The System.Security.Cryptography Namespace

Namespace in XML

System.Security.Permissions namespace

Emergency rph namespace follow-up

How to Use Namespace in PHP

Friends and Namespace

Namespace Function Recursive function Call by value

NAMESPACE

System.Security.Permissions namespace

Namespace and Variable Scope in Python