
Transcript
Page 1: Towards a Paradigm for Robust Distributed Programming

Towards a Paradigm for Robust Distributed Programming

Christian Scheideler

Institute for Computer Science

Technical University of Munich

Page 2: Towards a Paradigm for Robust Distributed Programming

2 Robust Distributed Programming

Performance measures

Classical research area: Efficient algorithms and data structures

Distributed computing: Efficiency is not everything!

Robustness against adversarial behavior is an increasingly pressing issue.

Topic of this talk

Page 3: Towards a Paradigm for Robust Distributed Programming


Four Commandments of Distributed Computing

1. You shall not sleep.
2. You shall not lie.
3. You shall not steal.
4. You shall not kill.

Countermeasures for violations:

1. Algorithmic solutions if majority is prompt.
2. Secure multiparty computation, filtering.
3. No intrusion possible, then cryptographic mechanisms protect against identity theft.
4. Serious problem! Denial-of-Service attacks!

Page 4: Towards a Paradigm for Robust Distributed Programming


Fundamental Dilemma

Scalability: minimize resources needed for operations

Robustness: maximize resources needed for attack

Scalable solutions easy to attack!!!

Page 5: Towards a Paradigm for Robust Distributed Programming


Consequence

We need a new model!

NOT: What is the current state? Current distributed computing environment fundamentally flawed.

What is a realizable state?

Algorithms can be powerful advocates!

Page 6: Towards a Paradigm for Robust Distributed Programming


Towards a new paradigm

Requirements:

Universality: wide range of comp./comm. environments

Simplicity: simple to state, realize and apply

Efficiency: inexpensive to realize and apply

Robustness: ???

Page 7: Towards a Paradigm for Robust Distributed Programming


Laws of Robustness
[K. Cameron: The laws of identity, D. Epp: The eight rules of security, …]

User consent and control: user should have full control over its resources at any time

Minimal exposure: only give enough information to perform task

Minimal authority: only give enough authority for task (principle of least privilege/authority)

Page 8: Towards a Paradigm for Robust Distributed Programming


Medical privacy
[EU Rec. on Protection of Medical Data 1997, U.S. OCR HIPAA Regulations]

User consent and control: patients should have knowledge of / control over their medical data

Minimal exposure: only store/reveal information necessary for diagnosis or treatment

Minimal authority: only give enough authority for task (principle of least privilege/authority)

Page 9: Towards a Paradigm for Robust Distributed Programming


Towards a new paradigm

Requirements:

Universality: wide range of comp./comm. environments

Simplicity: simple to state, realize and apply

Efficiency: inexpensive to realize and apply

Robustness: three laws

Page 10: Towards a Paradigm for Robust Distributed Programming


Universal Models

Turing machine: easy to state and realize but not to apply

von Neumann machine: easy to state but not to realize in distributed environment

Pointer models: looks like most promising direction…

Page 11: Towards a Paradigm for Robust Distributed Programming


Subject-oriented approach

Subjects: active entities (no dynamic data!)

Objects: passive entities (no methods!) (hulls for dynamic data)

No global user-accessible references to subjects or objects (minimizes exposure)

Subjects and objects atomic

Every object accessible by only one subject at any time and must be co-located with it

Information exchange through exchange of objects along relay points

Page 12: Towards a Paradigm for Robust Distributed Programming


Subject-oriented approach

Precursor: Hewitt’s Actor model 1973

Since then: mostly work in programming languages (E Language by Miller et al.)

Simplicity: concurrency is difficult!

⇒ concurrency only outside of subjects

⇒ only strictly non-blocking primitives

⇒ no global read and write!

Page 13: Towards a Paradigm for Robust Distributed Programming


Subject-oriented approach

Ingredients:

Subjects: threads with static data

Objects: hulls of dynamic data

Relay points: communication

Identities: objects for authorization

Page 14: Towards a Paradigm for Robust Distributed Programming


Laws of Robustness

User consent and control:
- subjects & objects are atomic, subjects tied to site and objects co-located with subjects
- parents are responsible for children

Minimal exposure:
- subjects & objects have no identity, only relays
- no sensitive information (keys) revealed

Minimal authority:
- any connection/access requires permission

Realize these through create & delete

Page 15: Towards a Paradigm for Robust Distributed Programming


Subjects

p(s): parent of s (cannot be changed!)

s.create(s'): s = p(s')

s.delete(s'): if s = p(s') then delete s' and all of its descendants

[Diagram: subject s and its child s'; the edges between them are labelled delete and verb(args)]

Page 16: Towards a Paradigm for Robust Distributed Programming


Relay points

h(r): home of relay r (cannot be changed!)

s.create(r):

s.create(r | i): if d(i) = s

s.delete(r): if h(r) = s then delete r

[Diagram: subject s with relay r; subjects s and s' linked through relays r and r' using identity i; the outgoing link cannot be changed]

Page 17: Towards a Paradigm for Robust Distributed Programming


Identities

d(i) ∈ R ∪ {1}: destination

s.create(i): d(i) = 1 (public identity)

s.create(i | r): d(i) = p(s)

s.create(i | r, i'): d(i) = s(i') (s: source of i')

s.delete(i)

[Diagram: subject s with relay r and identity i pointing to r; subject s with identity i pointing to 1]
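The parent, home and identity rules of slides 15 to 17, written out as a small Python model so that the invariants can actually be exercised. This is an added example, not code from the talk or from any implementation of the subject-oriented model; the class names, the PUBLIC marker (standing in for the slide's "1"), the NotPermitted exception and the `connect` check are this example's own assumptions. It also simplifies the identity rule to "a subject may only issue identities for relays it is home of", which is how the example reads "any connection/access requires permission".

```python
# Added example: a toy Python model of the subject / relay / identity rules
# from slides 15-17. Class names, PUBLIC, NotPermitted and the `connect`
# check are this example's own assumptions, not the talk's notation.
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional, Union


class NotPermitted(Exception):
    """Raised when a call violates a create/delete or connection rule."""


PUBLIC = object()  # plays the role of the slide's "1": destination of a public identity


class Subject:
    """Active entity. p(s) is fixed at creation and never changes."""

    def __init__(self, parent: Optional[Subject]):
        self._parent = parent                # p(s); no setter on purpose
        self.children: list[Subject] = []
        self.relays: list[Relay] = []
        self.alive = True

    @property
    def parent(self) -> Optional[Subject]:
        return self._parent

    def create_subject(self) -> Subject:
        """s.create(s'): the creator becomes p(s')."""
        child = Subject(self)
        self.children.append(child)
        return child

    def delete_subject(self, other: Subject) -> None:
        """s.delete(s'): only if s = p(s'); removes s' and all its descendants."""
        if other.parent is not self:
            raise NotPermitted("only the parent may delete a subject")
        self.children.remove(other)
        other._destroy()

    def _destroy(self) -> None:
        # Parents are responsible for children: the whole subtree disappears,
        # together with every relay homed at one of those subjects.
        for child in list(self.children):
            child._destroy()
        self.children.clear()
        for relay in self.relays:
            relay.alive = False
        self.relays.clear()
        self.alive = False

    def create_relay(self) -> Relay:
        """s.create(r): a relay whose home h(r) = s."""
        relay = Relay(self)
        self.relays.append(relay)
        return relay

    def delete_relay(self, relay: Relay) -> None:
        """s.delete(r): only if h(r) = s."""
        if relay.home is not self:
            raise NotPermitted("only the home subject may delete a relay")
        self.relays.remove(relay)
        relay.alive = False

    def create_identity(self, relay: Optional[Relay] = None) -> Identity:
        """s.create(i): public identity with d(i) = 1; s.create(i | r): identity
        naming relay r. Assumption of this example: s must be the home of r."""
        if relay is not None and relay.home is not self:
            raise NotPermitted("a subject may only issue identities for its own relays")
        return Identity(source=self, destination=PUBLIC if relay is None else relay)


class Relay:
    """Communication endpoint. h(r) and the outgoing link cannot be changed."""

    def __init__(self, home: Subject):
        self.home = home
        self._outgoing: Optional[Relay] = None
        self.alive = True

    @property
    def outgoing(self) -> Optional[Relay]:
        return self._outgoing

    def connect(self, ident: Identity) -> None:
        """Minimal authority: the link is only set up when the caller presents
        an identity naming a live target relay, and it is set exactly once."""
        if self._outgoing is not None:
            raise NotPermitted("outgoing link cannot be changed")
        target = ident.destination
        if target is PUBLIC or not isinstance(target, Relay) or not target.alive:
            raise NotPermitted("identity does not name a live relay")
        self._outgoing = target


@dataclass(frozen=True)
class Identity:
    """Authorization object: s(i) is its source, d(i) its destination."""
    source: Subject
    destination: Union[Relay, object]
```

The points worth checking against the slides: a subject cannot delete a sibling or its own parent, deleting a subject takes its whole subtree and all relays homed there with it, a relay's outgoing link is write-once, and no link is established without an identity for the target relay.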

Page 18: Towards a Paradigm for Robust Distributed Programming


First contact

[Diagram: subjects s and s'; s holds a public identity (destination 1); contact is made over relays r and r']

Page 19: Towards a Paradigm for Robust Distributed Programming


Introduction

[Diagram: subjects A, B and C with relays r, r', r'A and rB]

Page 20: Towards a Paradigm for Robust Distributed Programming


Objects

We already know:

Objects are type-less hulls of dynamic data and co-located with their subjects

Identities are special objects

Further concepts:

For efficiency, only object references transferred in internal communication, but whole objects in external communication

Migration of subjects through special objects called clones

Page 21: Towards a Paradigm for Robust Distributed Programming


Clones

s(c): source, d(c): destination

s.create(c): d(c) = p(s)

s.create(c | i): d(c) = s(i)

s.create(s' | c):

[Diagram: subject s creates clone c; clone c yields the migrated subject s']

Page 22: Towards a Paradigm for Robust Distributed Programming


Working with objects

Initialization of objects:
obj := new Object; (removes all old info)
obj1 := obj2; not possible (else access conflicts!)

Initialization of a new variable in object obj:
int obj.var1 := 1;
float obj.var2 := 0.2;
string obj.var3 := “name“;

Test of defined variable:
if obj.name = NULL then …

[Diagram: object obj holding var1: 1]

Page 23: Towards a Paradigm for Robust Distributed Programming


Working with objects

Copy-operation:
obj1.name1 := obj2.name2;

Move-operation:
obj1.name1 <- obj2.name2; {obj2.name2 set to NULL}

Referencing:
approach: store variable names in variables
var1 := 2; {some local variable in subject}
obj.[var1] := 1; {obj.[var1] resolves to obj.2}
var2 := “name“;
obj.[var2] := 1; {obj.[var2] resolves to obj.name}

Delete-operation:
obj.name := NULL;

Page 24: Towards a Paradigm for Robust Distributed Programming


Better resource control

Additional commands open and close.

open(Subject s): activates s

close(Subject s): freezes (and saves) s

open(Relay r): activates r

close(Relay r): freezes (and saves) r

open(Object o): opens o for operations

close(Object o): closes (and saves) o

New subjects/relays/objects initially open.
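The object operations of slides 22 and 23 (initialization, copy, move, referencing by stored variable names, delete, NULL test) together with the open/close commands of slide 24, as one small Python model. This is an added example, not code from the talk or from any implementation of the model; the Obj class, the `owner` tag, the ObjectClosed and NotCoLocated exceptions and the choice of Python's None for NULL are this example's own assumptions. The co-location check follows slide 11 (an object is accessible by one subject only and must be co-located with it): a copy or move between objects of different owners is refused.

```python
# Added example: a toy Python model of the object operations on slides 22-24.
# Obj, NULL (= None), ObjectClosed, NotCoLocated and the `owner` tag are this
# example's own assumptions, not notation from the talk.
from __future__ import annotations
from typing import Any, Dict, Hashable, Optional

NULL = None  # the slides' NULL: an undefined variable reads as NULL


class ObjectClosed(Exception):
    """Operation attempted on a closed object (slide 24: open/close)."""


class NotCoLocated(Exception):
    """Objects of different subjects may not exchange variables (slide 11)."""


class Obj:
    """Type-less hull of dynamic data, owned by exactly one subject."""

    def __init__(self, owner: str):
        self.owner = owner                    # subject the object is co-located with
        self._vars: Dict[Hashable, Any] = {}  # variable name -> value
        self._open = True                     # new objects are initially open

    # open / close: a closed object keeps its data but refuses operations
    def open(self) -> None:
        self._open = True

    def close(self) -> None:
        self._open = False

    def _check(self, other: Optional[Obj] = None) -> None:
        if not self._open or (other is not None and not other._open):
            raise ObjectClosed("object must be opened before use")
        if other is not None and other.owner != self.owner:
            raise NotCoLocated("objects belong to different subjects")

    def reset(self) -> None:
        """obj := new Object; removes all old info."""
        self._check()
        self._vars.clear()

    def set(self, name: Hashable, value: Any) -> None:
        """int obj.var1 := 1;  obj.[var] := 1 is the same call with the name
        taken from a variable, so names may be strings or integers alike."""
        self._check()
        if value is NULL:
            self._vars.pop(name, None)        # obj.name := NULL deletes the variable
        else:
            self._vars[name] = value

    def get(self, name: Hashable) -> Any:
        """Undefined variables read as NULL (if obj.name = NULL then ...)."""
        self._check()
        return self._vars.get(name, NULL)

    def delete(self, name: Hashable) -> None:
        """obj.name := NULL."""
        self.set(name, NULL)

    def copy_from(self, name: Hashable, other: Obj, other_name: Hashable) -> None:
        """obj1.name1 := obj2.name2; the source keeps its value."""
        self._check(other)
        self.set(name, other.get(other_name))

    def move_from(self, name: Hashable, other: Obj, other_name: Hashable) -> None:
        """obj1.name1 <- obj2.name2; obj2.name2 is set to NULL afterwards, so
        the value is reachable from exactly one place."""
        self._check(other)
        self.set(name, other.get(other_name))
        other.delete(other_name)
```

Whole-object assignment (obj1 := obj2) deliberately has no method here: the only ways to get data from one object into another are `copy_from` and `move_from`, both of which require the two objects to be open and co-located.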

Page 25: Towards a Paradigm for Robust Distributed Programming


Better resource control

In addition, use policies:

Policies for permitted calls along links.

Policies for resource use of subject and its descendents.

Still under development…

Page 26: Towards a Paradigm for Robust Distributed Programming


Nice features

Rigorous designs of systems possible that are robust against identity theft and DoS attacks

Secure grid computing

Digital rights management

Anonymity and privacy

…

BUT: How to realize subjects environment?

Page 27: Towards a Paradigm for Robust Distributed Programming


Implementation

[Diagram: User – Internet – ISP]

• User: subjects & internal relay points

• ISP: external relay points (quota)

Page 28: Towards a Paradigm for Robust Distributed Programming


Questions?

Contact [email protected]