280 likes | 302 Views
This talk by Christian Scheideler explores the topic of robust distributed programming, discussing the four commandments of distributed computing and countermeasures for violations. The talk also addresses the fundamental dilemma of scalability versus robustness and proposes a new model for distributed computing that prioritizes efficiency and universality while ensuring robustness.
E N D
Towards a Paradigm for Robust Distributed Programming Christian Scheideler Institute for Computer Science Technical University of Munich
Performance measures • Classical research area:Efficient algorithms and data structures • Distributed computing:Efficiency is not everything!Robustness against adversarial behavior increasingly pressing issue. Topic of this talk Robust Distributed Programming
Four Commandments of Distributed Computing • You shall not sleep. • You shall not lie. • You shall not steal • You shall not kill Countermeasures for violations: • Algorithmic solutions if majority is prompt. • Secure multiparty computation, filtering. • No intrusion possible, then cryptographic mechanisms protect against identity theft. • Serious problem! Denial-of-Service attacks! Robust Distributed Programming
Fundamental Dilemma • Scalability: minimize resources needed for operations • Robustness:maximize resources needed for attack Scalable solutions easy to attack!!! Robust Distributed Programming
Consequence We need a new model! NOT: What is the current state?Current distributed computing environment fundamentally flawed. What is a realizable state? Algorithms can be powerful advocates! Robust Distributed Programming
Towards a new paradigm Requirements: • Universality:wide range of comp./comm. environments • Simplicity:simple to state, realize and apply • Efficiency:inexpensive to realize and apply • Robustness:??? Robust Distributed Programming
Laws of Robustness [K. Cameron: The laws of identity, D. Epp: The eight rules of security,…] • User consent and control:user should have full control over its resources at any time • Minimal exposure:only give enough information to perform task • Minimal authority:only give enough authority for task (principle of least privilege/authority) Robust Distributed Programming
Medical privacy [EU Rec. on Protection of Medical Data 1997, U.S. OCR HIPAA Regulations] • User consent and control:patients should have knowledge of /control over their medical data • Minimal exposure:only store/reveal information necessary for diagnosis or treatment • Minimal authority:only give enough authority for task (principle of least privilege/authority) Robust Distributed Programming
Towards a new paradigm Requirements: • Universality:wide range of comp./comm. environments • Simplicity:simple to state, realize and apply • Efficiency:inexpensive to realize and apply • Robustness:three laws Robust Distributed Programming
Universal Models • Turing machine:easy to state and realize but not to apply • von Neumann machine:easy to state but not to realize in distributed environment • Pointer models:looks like most promising direction… Robust Distributed Programming
Subject-oriented approach • Subjects: active entities (no dynamic data!) • Objects: passive entities (no methods!)(hulls for dynamic data) • no global user-accessible references to subjects or objects (minimizes exposure) • Subjects and objects atomic • Every object accessible by only one subject at any time and must be co-located with it • Information exchange through exchange of objects along relay points Robust Distributed Programming
Subject-oriented approach • Precursor: Hewitt’s Actor model 1973 • Since then: mostly work in programming languages (E Language by Miller et al.) • Simplicity: concurreny is difficult! )concurrency only outsideofsubjects ) only strictly non-blocking primitives ) no global read and write! Robust Distributed Programming
Subject-oriented approach Ingredients: • Subjects: threads with static data • Objects: hulls of dynamic data • Relay points: communication • Identities: objects for authorization Robust Distributed Programming
Laws of Robustness • User consent and control:- subjects & objects are atomic, subjects tied to site and objects co-located with subjects - parents are responsible for children • Minimal exposure:- subjects & objects have no identity, only relays- no sensitive information (keys) revealed • Minimal authority:any connection/access requires permission Realize these through create & delete Robust Distributed Programming
delete s s‘ verb(args) Subjects • p(s): parent of s (cannot be changed!) • s.create(s‘):s=p(s‘) • s.delete(s‘): if s=p(s‘) then delete s‘ and all of its descendents Robust Distributed Programming
s r s s‘ i r‘ r r‘ Relay points • h(r): home of relay r (cannot be changed!) • s.create(r): • s.create(r | i): if d(i)=s • s.delete(r): if h(r)=s then delete r outgoing link can not be changed s Robust Distributed Programming
i 1 s s s i r r Identities • d(i) 2 R [1: destination • s.create(i):d(i)=1 (public identity) • s.create(i | r):d(i)=p(s) • s.create(i | r,i‘):d(i)=s(i‘) (s: source of i‘) • s.delete(i) Robust Distributed Programming
1 s s s‘ r r‘ s r‘ First contact Robust Distributed Programming
A B B r r A r‘ Introduction r r‘ C Robust Distributed Programming
Objects We already know: • Objects are type-less hulls of dynamic data and co-located with their subjects • Identities are special objects Further concepts: • For efficiency, only object references transferred in internal communication, but whole objects in external communication • Migration of subjects through special objects called clones Robust Distributed Programming
c s s s‘ Clones • s(c): source, d(c): destination • s.create(c):d(c)=p(s) • s.create(c | i):d(c)=s(i) • s.create(s‘ | c): Robust Distributed Programming
Working with objects • Initialization of objects:obj := new Object; (removes all old info)obj1 := obj2; not possible (else access conflicts!) • Initialization of a new variable in object obj:int obj.var1 := 1;float obj.var2 := 0.2; string obj.var3 := “name“; • Test of defined variable:if obj.name = NULL then … var1: 1 Robust Distributed Programming
Working with objects • Copy-operation:obj1.name1 := obj2.name2; • Move-operation:obj1.name1 <- obj2.name2; {obj2.name2 set to NULL} • Referencing:approach:store variable names in variablesvar1 := 2; {some lokal variable in subject}obj.[var1] := 1; {obj.[var1] resolves to obj.2} var2 := “name“; obj.[var2] := 1; {obj.[var2] resolves to obj.name} • Delete-operation:obj.name := NULL; Robust Distributed Programming
Better resource control Additional commands open and close. • open(Subject s): activates s • close(Subject s): freezes (and saves) s • open(Relay r): activates r • close(Relay r): freezes (and saves) r • open(Object o): opens o for operations • close(Object o): closes (and saves) o New subjects/relays/objects initially open. Robust Distributed Programming
Better resource control In addition, use policies: • Policies for permitted calls along links. • Policies for resource use of subject and its descendents. Still under development… Robust Distributed Programming
Nice features • Rigorous designs of systems possible that are robust against identity theft and DoS attacks • Secure grid computing • Digital rights management • Anonymity and privacy • … BUT: How to realize subjects environment? Robust Distributed Programming
Implementation User Internet ISP • User: subjects & internal relay points • ISP: external relay points (quota) Robust Distributed Programming
Questions? Contact scheideler@in.tum.de Robust Distributed Programming