-calculus model of
concurrent systems.
-calculus, including Pierce and Turner's PICT [23]
programming language.
-calculus.
-calculus, and Sewell's [25] types for
the distributed -calculus.
Ian Wakeman - Alan Jeffrey
| The Safetynet project | |||
| Ian Wakeman | Principal Investigator | ianw@cogs.susx.ac.uk | +44-1273-678364 |
| Alan Jeffrey | Principal Investigator | alanje@cogs.susx.ac.uk | +44-1273-678526 |
| Rory Graves | PhD student | roryg@cogs.susx.ac.uk | |
| Tim Owen | PhD student | timothyo@cogs.susx.ac.uk | |
| Ben du Boulay | Dean of School | bend@cogs.susx.ac.uk | +44-1273-678324 |
Active networks extend the functionality of existing networks by opening up the computation capabilities of the switches to the network users. This allows faster roll-out of new services and new applications which have lower latency and are more scalable. However, in opening up the shared resources of the switches to running programs, existing services might suffer a performance degradation, and more dangerously, a loss of service due to buggy or malicious programs.
In our research we aim to circumvent these problems by defining appropriate policies to protect the integrity of the network, such as defining limits on TTL fields in packets, then designing these policies into the type system of an Active Network programming language. Any program which type-checks is guaranteed not to contravene our safety policies. In addition, by using a strongly typed language, we can remove many of the run-time checks required by other language models, and so improve performance.
Recent work in the foundations of programming languages has provided mathematical models of language features such as distribution, code migration, resource bounds and security. We will use these techniques to provide a formal model of Active Network programming, and to show the correctness of the type system and the safety policies.
In parallel with the theoretical work upon the semantics, we shall be developing a compiler and run-time environment for the language. These will be used to build demonstration Active Network programs, which will be tested both within an extended simulation environment built upon the VINT ns simulator, and in limited scale experiments upon real networks. It is in this strand of work that we expect any donation from the HP Pan-European Internet Initiative to have impact.
| Milestone | Date due | Description |
| Safety Policies | June 1998 | An analysis of the safety and security policies that the safetynet language should implement. |
| Core language specification | August 1998 | The syntax and draft semantics of the core language |
| Compiler | Feb 1999 | The prototype compiler and runtime system for the core language |
| Autoconfiguration Demonstration | March 1999 | A paper describing the algorithms and results from implementing auto-configuration of transcoders within safetynet |
We intend to submit papers to Sigcomm 99, to Transactions on Networking, to POPL 99 and to Journal of Functional Programming within the coming year.
Active networks allow switches within the network to execute code on behalf of some granularity of packet. However, these switches are resources shared by all who use the network, and as guardians of the common good, it is the responsibility of switch managers to be certain that the benefit of the additional services outweighs the possible damage that ANs may visit upon a switch. From private conversations, most switch managers do not view ANs with enthusiasm. They need to be sure that:
If we can ensure the network integrity, then active networks hold out the promise of developing many novel scalable low latency applications. Many distributed applications can improve latency by shifting processing closer to the bottleneck, for instance in transcoding a delivered multicast audio stream to fit over congested links [20]. We present other applications as demonstrations in our proposal..
The problems faced by ANs are not new: they are shared by many other distributed languages with mobile processes. This is a topic which has been investigated in the semantics of programming languages community, which has developed an array of mathematical techniques for proving languages to be safe. We believe that these techniques are directly relevant to ANs, and in particular that:
-calculus model of
concurrent systems.
-calculus, including Pierce and Turner's PICT [23]
programming language.
-calculus.
-calculus, and Sewell's [25] types for
the distributed -calculus.
has been a lecturer at Sussex since 1994. He researches the mathematical foundations of concurrent programming languages. In particular, he is interested in the interaction between concurrent and functional languages. He has presented an operational and denotational semantics for CMML, a concurrent functional language based on Reppy's Concurrent ML and Moggi's Monadic Meta-Language. Together with William Ferreira and Matthew Hennessy, he developed an operational semantics for Concurrent ML, and the accompanying theory of weak bisimulation. He has developed a theory of the concurrent graph reduction implementation technique for non-strict functional programming languages, and has shown that this has the same fully abstract model as the sequential tree reduction model. Dr Jeffrey received his D.Phil from Oxford University in 1992, for his work on the semantics of highly distributed timed systems.
has been a lecturer at Sussex since 1995 and was previously at UCL as a research fellow. His research has centred around networked multimedia, from developing multicast congestion control mechanisms for internet video through to conference control architectures. He currently runs projects on application level adaptation for low bandwidth networks and on developing distributed algorithms within Active Networks. He has published over twenty papers in the area.
at the University of Sussex is an interdisciplinary group looking at many aspects of CS and AI, including formal models of programming languages, designing network architecture, implementing compilers, adaptive systems, vision, neural computing and human-centered computing. The group is part of the School of Cognitive and Computing Sciencese, which also includes Psychology, Philosophy and Linguistics. There is a thriving postgraduate student body including a new M.Res in CSAI specializing in Distributed Programming Languages. CSAI is an active research group, with a 5 rating at the last RAE.
We will produce a Web page to disseminate our work and to act as a focal point within the UK. We already run a UK mailing list for active networking. The prototype implementations will be made available as public domain software for the Active Network community, and will be integrated within the ABone.
The work will be published in academic conferences and journals, both to a semantics audience and to a networks audience.
We will be providing collections of papers and running seminars on our work to our industrial sponsors and any other interested parties.
The aims of this project are:
The methodology we will use comes from an interdisciplinary approach, using techniques from both the semantics community and from the networks community.
From the semantics community, we will use well-established techniques for modelling strongly typed languages:
'
to be read `in the environment 
, program p has type t'.
' to be read `program p can evolve
to become program q'
and then 
).
To test the viability of our approach for end systems, we shall design and implement several prototype AN applications, such as a multicast congestion transcoder [20], a distributed reliable ordering multicast protocol and a distributed conference key management protocol. These will then be tested in simulation, using a network simulator such as VINT ns, and a simulated virtual machine we have already developed at Sussex [10]. In this way, we expect to be able to make comparisons not only about the network performance of the techniques, but about the relative processing requirements and the likely performance impact upon switches. We will then build our virtual machine into an ABone router, so that the our AN applications can be tested in the wild on the ABone.
UCL have offered to host an ABone router off the Cairnet, to provide direct attachment to the ABone.
Active Networks are a current area of research and bring areas of programming language design into networking.
Much of the research on ANs has been carried out in the US, for example the Switchware project at the University of Pennsylvania [11], MIT [27], Columbia [28], GSU [5] and BBN [14]. However, only the Switchware project are using the techniques of Higher Order programming [13] to ensure safe programming, and even then the language support is not as complete as our approach. As yet there has been little work in the UK, barring the thought exercises we have undertaken [18], and work towards an open switching architecture at Cambridge[24].
The UK has a large body of expertise in language design, and in the use of mathematical models to help in the design and validation of languages. In the particular area of concurrent systems, there is active work at Cambridge, Edinburgh, Oxford, Sussex and Warwick.
The field of semantics has recently moved into areas of direct
relevance to ANs, for example the -calculus [21] models
capability-based communication; Ambients [9], Distributed
[25] and D all model distributed languages with
process migration; CHOCS [26],
CML [6] all model higher-order languages;
S [8] models security and encryption.
This is a unique opportunity to take the theoretical work developed in the UK and to apply it to a real problem in active network programming.
In the first phase of the project, we shall determine the safety policies we wish to embed within the Safetynet language. We will make use of the expertise of network professionals in determining safety policies, and language theorists to translate these policies into the restrictions on program execution that will form the basis of the Safetynet type system, extending the work in [15].
We intend to design a programming language for processes in an active network. The core language will be based on existing work at Sussex on higher-order concurrent languages [6, 16, 17] and languages with explicit notions of location [12]. The user language will consist of the core language together with enough syntax sugar to make the core language easily accessible to programmers.
The core language will be strongly typed, using a formally-defined type system, and will be given an operational semantics based on that of Milner's pi-calculus. There will then be two properties to prove:
The language design will evolve during the project, but we expect there to be three phases:
-calculus.
If our resources are increased, we shall be developing a suitable typed bytecode for use in the implementation virtual machine, together with a proof of correctness for the translation from the core language to the VM.
The implementation of the prototype compiler and run-time system will initially be built upon existing Java infrastructure such as the Java VM, garbage collection, communication and serialisation. This will allow easy integration with existing AN infrastructure such as the ANTS toolkit from MIT.
For each phase of the language, we will implement a compiler from the Safetynet language down to Java. Most of this activity will concentrate on the innovative use of a formally defined type system.
In the first two phases, the prototype system will pass an abstract syntax tree representation of programs, which will be compiled at each node. If available resources allow, in the final phase we shall look at ways to remove this inefficiency by producing the designed typed bytecode to pass between processes to run on a Safetynet specific Virtual Machine and runtime environment.
The runtime system for the language will be defined during the first phase, and implemented as a number of Java classes, building upon the ANTS toolkit from MIT. During each phase of the project, this runtime system will be extended to support the new functionality.
In each phase of the project we will be writing AN applications to demonstrate the applicability of our approach, such as a multicast congestion transcoder, a ordered reliable multicast applications and a distributed conference key management system. These will first be demonstrated in simulation using our adapted VINT ns simulator, and then in the wild on the ABone.
UCL have offered to provide an ABone router directly attached to Cairnet to provide connectivity. This will require the installation of ABone software on the FreeBSD machine hosted at UCL.
In this activity, we will be defining the safety policies required to protect the network and the switch resources. Network and language experts will determine what policies are feasible and practical, extending the work in [15]. The deliverable will be a set of safety policies.
As well as the safety policies, we shall develop a programming
paradigm for Active Networks, based on higher-order concurrent and
distributed langauges such as , Ambients and Concurrent ML.
This will be used to produce an initial specification of the runtime
system.
Develop a typed higher-order distributed language. Deliverables are a specification of the syntax, type system and semantics of the language.
Develop extensions to the type system to support distributed type checking. Deliverables are a further draft of the specification of the syntax, type system and semantics of the language.
Include security features such as encryption and code signing. Deliverables are a further draft of the specification of the syntax, type system and semantics of the language.
A prototype compiler will be built, in two stages. A parser and abstract syntax tree generator will be developed, and a separate code generator to turn the AST into Java.
The compiler will be extended with the appropriate run-time type checking features.
The compiler will be extended with the appropriate security features, based on Java's security libraries.
>From the requirements document, the necessary Java infrastructure will be built, including features such as dynamic process spawning and the generation of unique server Ids.
The type checking algorithm will be implemented in Java.
The infrastructure will be extended with key generation and other security manipulation features.
The implementation in Java from Activity 5.1 will be rewritten in the prototype safetynet language.
Currently the Safetynet team consists of Alan Jeffrey, Ian Wakeman, Rory Grave and Tim Owen arriving in June. We expect the team to be extended by two additional research fellows and two additional students if the proposal to the EPSRC is accepted.
All members of the team will be participating in Work Package 1. We expect to be able to ask colleagues such as Jon Crowcroft at UCL for additional input.
Alan Jeffrey (AJ) will be undertaking the work in WP1. Ian Wakeman (IW) and Tim Owen (TO) will be undertaking the work in WP3 and WP4, whilst Rory Graves (RG) will be undertaking the work in WP5.
Management will be coordinated by weekly project meeting.
Communication between the team of the syntax and semantics of the language is a core part of the project. This will be achieved through the formal use of live specifications to be handed over as deliverables from the language design work package to the compiler developer. These documents will be kept under version control and made available on the Web.
The defined programme of work is ambitious for the current team strength. However since the programme of work is incremental, we are prepared to drop some of the later activities.
The critical path in each phase of the project begins with the language design package passing a language specification to the compiler implementation.
| Activity | Start | End | AJ | IW | TO | RG | Deliverables | Due |
| 1.1 | 0 | 3 | 1 | 2 | 0 | 1 | Policy specification | 3 |
| 1.2 | 0 | 3 | 0 | 1 | 0 | 2 | Runtime specification | 3 |
| 2.1 | 1 | 9 | 5 | 0 | 0 | 0 | Specification of language syntax | 5 |
| Update Runtime system requirements | 6 | |||||||
| Documentation of the semantics of Safetynet | 9 | |||||||
| 2.2 | 10 | 16 | 5 | 0 | 0 | 0 | Updated Specification of language syntax | 13 |
| Update Runtime system requirements | 13 | |||||||
| Distributed Type Checking Theory | 16 | |||||||
| 2.3 | 16 | 24 | 4 | 0 | 0 | 0 | Updated Specification of language syntax | 19 |
| Update Runtime system requirements | 19 | |||||||
| Semantics of security extensions | 24 | |||||||
| 3.1 | 4 | 12 | 0 | 0 | 4 | 0 | Prototype Compiler for A2.1 | 11 |
| 3.2 | 13 | 17 | 0 | 0 | 3 | 0 | Prototype compiler extensions for A2.2 | 17 |
| 3.3 | 19 | 24 | 0 | 0 | 3 | 0 | Prototype compiler extended to A2.3 | 24 |
| 4.1 | 3 | 11 | 0 | 4 | 5 | 0 | Runtime system for A3.1 | 11 |
| 4.2 | 11 | 17 | 0 | 2 | 2 | 0 | Runtime extensions for A3.2 | 17 |
| 4.3 | 17 | 24 | 0 | 3 | 4 | 0 | Runtime extensions for A3.3 | 24 |
| 5.1 | 0 | 8 | 0 | 0 | 0 | 6 | Software simulation | 8 |
| 5.2 | 8 | 12 | 0 | 0 | 0 | 4 | Safetynet software | 12 |
| 5.3 | 12 | 18 | 0 | 0 | 0 | 6 | Ordering software | 18 |
| 5.4 | 18 | 24 | 0 | 0 | 0 | 6 | Key distribution software | 24 |
We anticipate benefits both to the providers and users of telecommunication services. The increased speed with which new services can be deployed enables providers to quickly adapt to a rapidly changing market, and to keep pace with the development of hardware. The resulting increased sophistication in network management will aid in protecting the network. For the users, we expect active networks to enable the development of highly scalable wide area applications, such as multi-user games and virtual reality environments.
In the academic networking community, we will provide a formal basis for the network architecture that multimedia applications can run on. It is also of interest to the semantics community, since it extends existing work on typed distributed languages in ways which are both theoretically interesting and practically relevant.
HP could most obviously help us in providing a development environment to build the prototype compiler, a memory-rich environment in which we can run simulations, a separate quarantined network in which we can run our small scale experiments, and portable machines so that we can demonstrate the software and work to any interested parties. We therefore request the following equipment:
| Description | Number |
| Vectra VL with 256 MB | 4 |
| Omnibook 7100 Laptops | 2 |
| Laserjet Network Printer | 1 |
| 100 Base/T Switch | 1 |
-calculus.
Technical Report 435, Computer Laboratory, University of Cambridge,
1997.
HP Internet Philanthropic Initiative - Next Generation
Internet
Safetynet: Implementing Network-Safe Programming Languages for Active Networks
This document was generated using the LaTeX2HTML translator Version 96.1-h (September 30, 1996) Copyright © 1993, 1994, 1995, 1996, Nikos Drakos, Computer Based Learning Unit, University of Leeds.
The command line arguments were:
latex2html -t HP Case for Support: Safetynet - Implementing Network-Safe Programming Languages for Active Networks -split 0 -no_navigation -dir . cfs-hp.
The translation was initiated by Ian Wakeman on Fri Apr 17 16:21:00 BST 1998
