Computing has become increasingly interconnected. Whereas before computers were discrete, unconnected units, because of the Internet as well as other networks, they are increasingly fluid, interconnected units. A computer program, which may be made up of one or more executable processes, or threads, may be mobile. For example, a thread of the program may move from computer to computer over the Internet. It may be executed in a distributed fashion over many computers, or a different instance of the thread may be run on each of many computers.
The movement of threads from computer to computer, or even to different parts within the same computer, poses new security and other risks for which there is no formal analysis mechanism. For example, a thread may be unstable, such that having it be run on a particular computer may cause the computer to crash. More so, the thread may be malicious, such as part of a virus program, such that its purpose is to compromise the computers it moves to.
More specifically, there are two distinct areas of work in mobility: mobile computing, concerning computation that is carried out in mobile devices (laptops, personal digital assistants, etc.), and mobile computation, concerning mobile code that moves between devices (agents, etc.). Mobility requires more than the traditional notion of authorization to run or to access information in certain domains: it involves the authorization to enter or exit certain domains. In particular, as far as mobile computation is concerned, it is not realistic to imagine that an agent can migrate from any point A to any point B on the Internet. Rather an agent must first exit its administrative domain (obtaining permission to do so), enter someone else's administrative domain (again, obtaining permission to do so) and then enter a protected area of some machine where it is allowed to run (after obtaining permission to do so).
Access to information is controlled at many levels, thus multiple levels of authorization may be involved. Among these levels we have: local computer, local area network, regional area network, wide-area intranet and internet. Mobile programs should be equipped to navigate this hierarchy of administrative domain, at every step obtaining authorization to move further. Laptops should be authorized to access resources depending on their location in the administrative hierarchy.
In general, a process or thread resides within a container referred to as an ambient. The ambient includes one or more processes or threads, as well as any data, etc., that move with the processes or threads. An ambient that can move is referred to as a mobile ambient. The ambient can be any type of container: a software container such as a particular part of an operating system, for example, as well as a hardware container, such as a particular computer or peripheral device.
More specifically, an ambient has the following main characteristics. First, an ambient is a bounded placed where computation happens. The interesting property here is the existence of a boundary around an ambient. Examples of ambients include: a web page (bounded by a file), a virtual address space (bounded by an addressing range), a Unix file system (bounded within a physical volume), a single data object (bounded by “self”) and a laptop (bounded by its case and data ports). Non-examples are: threads (the boundary of what is “reachable” is difficult to determine) and logically related collections of objects.
Second, an ambient is something that can be nested within other ambients. For example, to move a running application from work to home, the application must be removed from an enclosing (work) ambient and inserted in a different enclosing (home) ambient. A laptop may need a removal pass to leave a workplace, and a government pass to leave or enter a country.
Third, an ambient is something that can be moved as a whole. If a laptop is connected to a different network, all the address spaces and file systems within it move accordingly and automatically. If an agent is moved from one computer to another, its local data should move accordingly and automatically.
As mentioned, there is no formal analysis mechanism within the prior art for such mobile ambients. This means that there is no manner by which to describe formally, for example, a security policy for a given computer system, which could be applied against a mobile ambient within a formal analysis mechanism to determine if the ambient poses a security or other risk to the system. In particular, most formal analysis mechanisms, or frameworks, only provide for temporal distinction among processes and ambients, but assume that the processes and ambients are stationary—or otherwise do not provide for spatial distinction among them.
For these and other reasons, there is a need for the present invention.