Towards a Paradigm for Robust Distributed Programming

1
Towards a Paradigm for Robust Distributed
Programming

• Christian Scheideler
• Institute for Computer Science
• Technical University of Munich

2
Performance measures

• Classical research areaEfficient algorithms and
  data structures
• Distributed computingEfficiency is not
  everything!Robustness against adversarial
  behavior increasingly pressing issue.

Topic of this talk
3
Four Commandments of Distributed Computing

• You shall not sleep.
• You shall not lie.
• You shall not steal
• You shall not kill
• Countermeasures for violations
• Algorithmic solutions if majority is prompt.
• Secure multiparty computation, filtering.
• No intrusion possible, then cryptographic
  mechanisms protect against identity theft.
• Serious problem! Denial-of-Service attacks!

4
Fundamental Dilemma

• Scalability minimize resources needed for
  operations
• Robustnessmaximize resources needed for attack
• Scalable solutions easy to attack!!!

5
Consequence

• We need a new model!

• NOT What is the current state? Current
  distributed computing environment
  fundamentally flawed.
• What is a realizable state?
• Algorithms can be powerful advocates!

6
Towards a new paradigm

• Requirements
• Universalitywide range of comp./comm.
  environments
• Simplicitysimple to state, realize and apply
• Efficiencyinexpensive to realize and apply
• Robustness???

7
Laws of Robustness

• K. Cameron The laws of identity, D. Epp The
  eight rules of security,
• User consent and controluser should have full
  control over its resources at any time
• Minimal exposureonly give enough information to
  perform task
• Minimal authorityonly give enough authority for
  task (principle of least privilege/authority)

8
Medical privacy

• EU Rec. on Protection of Medical Data 1997,
  U.S. OCR HIPAA Regulations
• User consent and controlpatients should have
  knowledge of /control over their medical data
• Minimal exposureonly store/reveal information
  necessary for diagnosis or treatment
• Minimal authorityonly give enough authority for
  task (principle of least privilege/authority)

9
Towards a new paradigm

• Requirements
• Universalitywide range of comp./comm.
  environments
• Simplicitysimple to state, realize and apply
• Efficiencyinexpensive to realize and apply
• Robustnessthree laws

10
Universal Models

• Turing machineeasy to state and realize but not
  to apply
• von Neumann machineeasy to state but not to
  realize in distributed environment
• Pointer modelslooks like most promising
  direction

11
Subject-oriented approach

• Subjects active entities (no dynamic data!)
• Objects passive entities (no methods!)(hulls
  for dynamic data)
• no global user-accessible references to subjects
  or objects (minimizes exposure)
• Subjects and objects atomic
• Every object accessible by only one subject at
  any time and must be co-located with it
• Information exchange through exchange of objects
  along relay points

12
Subject-oriented approach

• Precursor Hewitts Actor model 1973
• Since then mostly work in programming languages
  (E Language by Miller et al.)
• Simplicity concurreny is difficult!
• ) concurrency only outside of subjects
• ) only strictly non-blocking primitives
• ) no global read and write!

13
Subject-oriented approach

• Ingredients
• Subjects threads with static data
• Objects hulls of dynamic data
• Relay points communication
• Identities objects for authorization

14
Laws of Robustness

• User consent and control- subjects objects
  are atomic, subjects tied to site and objects
  co-located with subjects - parents are
  responsible for children
• Minimal exposure- subjects objects have no
  identity, only relays- no sensitive information
  (keys) revealed
• Minimal authorityany connection/access requires
  permission

Realize these through create delete
15
Subjects

• p(s) parent of s (cannot be changed!)
• s.create(s) sp(s)
• s.delete(s) if sp(s) then delete s and all
  of its descendents

16
Relay points

• h(r) home of relay r (cannot be changed!)
• s.create(r)
• s.create(r i) if d(i)s
• s.delete(r) if h(r)s then delete r

outgoing link can not be changed
s
17
Identities

• d(i) 2 R 1 destination
• s.create(i) d(i)1 (public identity)
• s.create(i r) d(i)p(s)
• s.create(i r,i) d(i)s(i) (s source of i)
• s.delete(i)

18
First contact
19
Introduction
r
r
C
20
Objects

• We already know
• Objects are type-less hulls of dynamic data and
  co-located with their subjects
• Identities are special objects
• Further concepts
• For efficiency, only object references
  transferred in internal communication, but whole
  objects in external communication
• Migration of subjects through special objects
  called clones

21
Clones

• s(c) source, d(c) destination
• s.create(c) d(c)p(s)
• s.create(c i) d(c)s(i)
• s.create(s c)

22
Working with objects

• Initialization of objectsobj new Object
  (removes all old info)obj1 obj2 not possible
  (else access conflicts!)
• Initialization of a new variable in object
  objint obj.var1 1float obj.var2 0.2
  string obj.var3 name
• Test of defined variableif obj.name NULL then
  

var1 1
23
Working with objects

• Copy-operationobj1.name1 obj2.name2
• Move-operationobj1.name1 lt- obj2.name2
  obj2.name2 set to NULL
• Referencingapproach store variable names in
  variablesvar1 2 some lokal variable in
  subjectobj.var1 1 obj.var1 resolves
  to obj.2 var2 name obj.var2 1
  obj.var2 resolves to obj.name
• Delete-operationobj.name NULL

24
Better resource control

• Additional commands open and close.
• open(Subject s) activates s
• close(Subject s) freezes (and saves) s
• open(Relay r) activates r
• close(Relay r) freezes (and saves) r
• open(Object o) opens o for operations
• close(Object o) closes (and saves) o
• New subjects/relays/objects initially open.

25
Better resource control

• In addition, use policies
• Policies for permitted calls along links.
• Policies for resource use of subject and its
  descendents.
• Still under development

26
Nice features

• Rigorous designs of systems possible that are
  robust against identity theft and DoS attacks
• Secure grid computing
• Digital rights management
• Anonymity and privacy
• BUT How to realize subjects environment?

27
Implementation
User
Internet
ISP

• User subjects internal relay points
• ISP external relay points (quota)

28
Questions? Contact scheideler_at_in.tum.de