This invention relates generally to mobile ambients and processes, and more specifically to ambient calculus-based modal logics for such ambients and processes.
Computing has become increasingly interconnected. Whereas before computers were discrete, unconnected units, because of the Internet as well as other networks, they are increasingly fluid, interconnected units. A computer program, which may be made up of one or more executable processes, or threads, may be mobile. For example, a thread of the program may move from computer to computer over the Internet. It may be executed in a distributed fashion over many computers, or a different instance of the thread may be run on each of many computers.
The movement of threads from computer to computer, or even to different parts within the same computer, poses new security and other risks for which there is no formal analysis mechanism. For example, a thread may be unstable, such that running it on a particular computer may cause the computer to crash. Worse, the thread may be malicious, such as part of a virus program, such that its purpose is to compromise the computers it moves to.
More specifically, there are two distinct areas of work in mobility: mobile computing, concerning computation that is carried out in mobile devices (laptops, personal digital assistants, etc.), and mobile computation, concerning mobile code that moves between devices (agents, etc.). Mobility requires more than the traditional notion of authorization to run or to access information in certain domains: it involves the authorization to enter or exit certain domains. In particular, as far as mobile computation is concerned, it is not realistic to imagine that an agent can migrate from any point A to any point B on the Internet. Rather, an agent must first exit its administrative domain (obtaining permission to do so), enter someone else's administrative domain (again, obtaining permission to do so) and then enter a protected area of some machine where it is allowed to run (after obtaining permission to do so).
Access to information is controlled at many levels, so multiple levels of authorization may be involved. Among these levels we have: local computer, local area network, regional area network, wide-area intranet and internet. Mobile programs should be equipped to navigate this hierarchy of administrative domains, at every step obtaining authorization to move further. Laptops should be authorized to access resources depending on their location in the administrative hierarchy.
In general, a process or thread resides within a container referred to as an ambient. The ambient includes one or more processes or threads, as well as any data, etc., that move with the processes or threads. An ambient that can move is referred to as a mobile ambient. The ambient can be any type of container: a software container such as a particular part of an operating system, for example, as well as a hardware container, such as a particular computer or peripheral device.
More specifically, an ambient has the following main characteristics. First, an ambient is a bounded place where computation happens. The interesting property here is the existence of a boundary around an ambient. Examples of ambients include: a web page (bounded by a file), a virtual address space (bounded by an addressing range), a Unix file system (bounded within a physical volume), a single data object (bounded by 'itself') and a laptop (bounded by its case and data ports). Non-examples are: threads (the boundary of what is "reachable" is difficult to determine) and logically related collections of objects.
Second, an ambient is something that can be nested within other ambients. For example, to move a running application from work to home, the application must be removed from an enclosing (work) ambient and inserted in a different enclosing (home) ambient. A laptop may need a removal pass to leave a workplace, and a government pass to leave or enter a country.
Third, an ambient is something that can be moved as a whole. If a laptop is connected to a different network, all the address spaces and file systems within it move accordingly and automatically. If an agent is moved from one computer to another, its local data should move accordingly and automatically. As mentioned, there is no formal analysis mechanism within the prior art for such mobile ambients. This means that there is no manner by which to describe formally, for example, a security policy for a given computer system, which could be applied against a mobile ambient within a formal analysis mechanism to determine whether the ambient poses a security or other risk to the system. In particular, most formal analysis mechanisms, or frameworks, only provide for temporal distinction among processes and ambients, but assume that the processes and ambients are stationary, or otherwise do not provide for spatial distinction among them.
For these and other reasons, there is a need for the present invention.
The invention relates to ambient calculus-based modal logics for mobile ambients. That is, the invention provides for formal analysis mechanisms or frameworks with which mobile ambients can be described, and within which policies such as security policies can be tested against those ambients. In one embodiment, a computer-implemented method receives at least one container, where each container has at least one process. The containers can in one embodiment be referred to as ambients, and the processes as threads. The method applies the containers, including their resident processes, against a predetermined modal logic. The modal logic is based on ambient calculus, and provides for spatial relationships among the processes of the containers. The containers and their processes are then output, as they have been applied against the logic. As used herein, the phrase "applied against the logic" refers to testing for conformance against a policy or formula of the logic.
In differing embodiments of the invention, the modal logic has one or more of the following aspects, characteristics and qualities: a structural congruence relation between processes; reduction semantics; logical formulae such as true, negation, disjunction, inaction, location, composition, universal quantification over names, sometime modality, somewhere modality, location adjunct, and composition adjunct; derived connectives such as false, conjunction, implication, logical equivalence, decomposition, every component satisfaction, some component satisfaction, existential quantification over names, everytime modality, everywhere modality, and unsatisfiability; valid formulas, sequents and/or logical inference rules; quantales; and, intuitionistic linear logic.
Embodiments of the invention provide for advantages over the prior art. The modal logic can be used to formally describe a given mobile ambient, as well as a policy, such as a security policy, of a given computer. The mobile ambient can then be analyzed against the policy within the framework provided by the modal logic. Since the modal logic provides for spatial relationships among different processes of ambients, embodiments of the invention are particularly well suited for analysis of such mobile computing problems.
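The following Python program is an added illustration, not code from the patent or its authors, of the three ambient characteristics above (bounded, nested, movable as a whole) and of how a security policy written in the spatial fragment of the logic is applied against a container tree. It implements the satisfaction relation for true, negation, disjunction, inaction, location, composition, location adjunct and the somewhere modality, with conjunction, implication, everywhere and some-component satisfaction as derived connectives; the quantifiers, the sometime modality (which needs the reduction semantics) and the composition adjunct are left out. The ambient names (`host`, `agent`, `fw`, `virus`) and the "no virus ambient anywhere inside the host" policy are constructed for the example.

```python
"""Spatial fragment of an ambient logic, as an added example (not the patent's code).

A process is a multiset of ambients n[P], stored as a sorted tuple so that the
structural congruence laws P|Q == Q|P, (P|Q)|R == P|(Q|R) and P|0 == P collapse
into plain tuple equality.  Replication and name restriction are not modelled.
"""
from dataclasses import dataclass
from typing import Any, Iterator, Tuple

Process = Tuple[Tuple[str, Any], ...]


def zero() -> Process:                          # inaction: the empty process 0
    return ()


def amb(name: str, body: Process = ()) -> Process:   # location: the ambient n[P]
    return ((name, body),)


def par(*ps: Process) -> Process:               # composition: P | Q | ...
    return tuple(sorted(sum(ps, ())))


# Logical formulae (constructors only; meaning is given by sat() below).
@dataclass(frozen=True)
class TT: pass                                  # true
@dataclass(frozen=True)
class Not: a: Any                               # negation
@dataclass(frozen=True)
class Or: a: Any; b: Any                        # disjunction
@dataclass(frozen=True)
class Zero: pass                                # inaction (void)
@dataclass(frozen=True)
class Loc: name: str; a: Any                    # location n[A]
@dataclass(frozen=True)
class Par: a: Any; b: Any                       # composition A | B
@dataclass(frozen=True)
class At: a: Any; name: str                     # location adjunct A@n
@dataclass(frozen=True)
class Somewhere: a: Any                         # somewhere modality


# Derived connectives.
def And(a, b): return Not(Or(Not(a), Not(b)))
def Implies(a, b): return Or(Not(a), b)
def Everywhere(a): return Not(Somewhere(Not(a)))
def Some(a): return Par(a, TT())                # some parallel component satisfies A


def sublocations(p: Process) -> Iterator[Process]:
    """P itself and every process reachable by stepping into an ambient boundary."""
    yield p
    for _, body in p:
        yield from sublocations(body)


def splits(p: Process) -> Iterator[Tuple[Process, Process]]:
    """All ways of writing P as P' | P'' (bitmask over the multiset elements)."""
    for mask in range(1 << len(p)):
        left = tuple(x for i, x in enumerate(p) if mask >> i & 1)
        right = tuple(x for i, x in enumerate(p) if not mask >> i & 1)
        yield left, right


def sat(p: Process, f) -> bool:
    """The satisfaction relation P |= A for the spatial fragment."""
    if isinstance(f, TT):
        return True
    if isinstance(f, Not):
        return not sat(p, f.a)
    if isinstance(f, Or):
        return sat(p, f.a) or sat(p, f.b)
    if isinstance(f, Zero):
        return p == ()
    if isinstance(f, Loc):                      # exactly one ambient, named n, body |= A
        return len(p) == 1 and p[0][0] == f.name and sat(p[0][1], f.a)
    if isinstance(f, Par):                      # some decomposition P'|P'' with P'|=A, P''|=B
        return any(sat(l, f.a) and sat(r, f.b) for l, r in splits(p))
    if isinstance(f, At):                       # P |= A@n  iff  n[P] |= A
        return sat(amb(f.name, p), f.a)
    if isinstance(f, Somewhere):                # some sublocation satisfies A
        return any(sat(q, f.a) for q in sublocations(p))
    raise TypeError(f"unknown formula {f!r}")


# Constructed security policy: no ambient named "virus" may appear at any depth.
HAS_VIRUS = Somewhere(Some(Loc("virus", TT())))
NO_VIRUS_POLICY = Not(HAS_VIRUS)


def check_policy(system: Process, policy=NO_VIRUS_POLICY) -> bool:
    """Apply a container tree against a policy formula; True means it conforms."""
    return sat(system, policy)


if __name__ == "__main__":
    clean = amb("host", par(amb("agent"), amb("fw")))
    infected = amb("host", par(amb("agent", amb("virus")), amb("fw")))
    print("clean conforms:", check_policy(clean))        # True
    print("infected conforms:", check_policy(infected))  # False
```

Because the virus ambient is nested two boundaries deep inside `agent`, a purely temporal check over a flat set of threads would not see it; the `Somewhere` and `Par` cases are what give the policy its spatial reach, and `At` shows how a formula about the contents of a container is turned into one about the container itself.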
Embodiments of the invention include computer-implemented methods, computer-readable media, and computerized systems of varying scope. Still other embodiments, advantages and aspects of the invention will become apparent by reading the following detailed description, and by reference to the drawings.