This book follows a particular approach to mobile computation. It emphasizes the synergy between mobility and object-oriented programming, hence the title Mobile Object Systems. Mobile object systems, in our view, are self-contained and autonomous groups of objects. They carry out a computation for an end-user in some initial computational environment and may dynamically change their environment for one that is on a remote computer. There is a close relationship between mobile object systems and research on so-called mobile software agents. In both cases, the focus is software mobility, but we prefer the terms mobile computation and mobile object systems as they are more accurate descriptions of the technology, while mobile agents has a fuzzy meaning that overlaps with artificial intelligence research. The papers in this book are more concerned with problems of software mobility per se. Nevertheless, the terms are quite close and are often used interchangeably even within the present work.
The starting point of this book was a number of discussions and presentations given at the second International Workshop on Mobile Object Systems http://cuiwww.unige.ch/ (MOS'96) held in 1996 in conjunction with the European Object Oriented Programming Conference (ECOOP'96) in Linz. The core of the book is made up of reworked versions of the submitted papers. However, we wanted to broaden the scope of this volume and survey a large portion of the research in this rapidly expanding field. We invited a number of researchers to contribute reprints of important papers or to write entirely new pieces. This book is the result.
Part I of the book contains chapters giving background and motivation for the research on mobile computations. The chapter by Cardelli is a brief introduction to the issues and challenges of mobile computation. It is followed by a reprint of a paper by Tsichritzis, written twelve years ago, which describes many of the features we are looking for in mobile object systems using the animal world as a metaphor for mobile computations. The chapter by Waldo et al.was written in 1994 and convincingly argues against transparency in distributed computing. To some extent it motivates the work on mobile computations, as mobile computations naturally suggest making mobility and location visible to the programmer. The chapter by Chess et al.investigates advantages and disadvantages of mobile computations by looking at their application. The last chapter, by Tschudin, contains a philosophical and philological discussion of messages and instructions.
Part II contains descriptions of systems and concepts for mobile computations. The chapter by Cugola et al.analyzes languages that support some form of code mobility, trying to compare them and get at some of the basic principles of those languages. The chapter by Acharya et al.presents Sumatra, a Java based environment for mobile applications. The chapter by Bharat and Cardelli presents Visual Obliq, an implementation of mobile computation based on Obliq. The chapter by Tschudin presents a messenger environment. The chapter by Mira da Silva discusses the relationship between persistence and mobility. The chapter by Vitek et al.considers security for communication between object systems. The chapter by Kato looks further into security issues. The chapter by Ciancarini and Rossi presents an architecture for coordination and communication on wide area networks that can be used between mobile computations or plain Java programs.
Part III contains papers detailing implementation considerations and techniques. The chapter by Knabe looks at the trade-offs between different representations of agents and efficiency. In the second chapter, Franz presents a particular representation called Slim Binaries which is particularly well suited to mobile code, as well as a more general dynamic code optimization technique. The chapter by Dugan describes the implementation of mobility of polymorphic data in a strongly typed programming language. Finally, the paper by Dðmel discusses the implementation of a system that allows Java programs to interact with Telescript agents.
We would like to thank the program committee of the MOS'96 workshop, Joachim Baumann, Luca Cardelli, Paolo Ciancarini, and Doug Lea, for their help and excellent reviewing.
February 1997
J. Vitek and C. Tschudin
Geneva and Zurich
An environment is outlined in which programming objects collect and disseminate information, using analogies from the animal world. Objects have their own rules of behaviour. They coordinate their activities by participating in events. Objects get born, move around, communicate and receive information and, eventually, die.
Mobile agents are programs, typically written in a script language, which may be dispatched from a client computer and transported to a remote server computer for execution. Several authors have suggested that mobile agents offer an important new method of performing transactions and information retrieval in networks. Other writers have pointed out, however, that mobile agents introduce severe concerns for security. We consider the advantages offered by mobile agents and assess them against alternate methods of achieving the same function. We conclude that, while the individual advantages of agents do not represent an overwhelming motivation for their adoption, the creation of a pervasive agent framework facilitates a very large number of network services and applications.
Much of the current work in distributed, object-oriented systems is based on the assumption that objects form a single ontological class. This class consists of all entities that can be fully described by the specification of the set of interfaces supported by the object and the semantics of the operations in those interfaces. The class includes objects that share a single address space, objects that are in separate address spaces on the same machine, and objects that are in separate address spaces on different machines (with, perhaps, different architectures). On the view that all objects are essentially the same kind of entity, these differences in relative location are merely an aspect of the implementation of the object. Indeed, the location of an object may change over time, as an object migrates from one machine to another or the implementation of the object changes.
It is the thesis of this note that this unified view of objects is mistaken. There are fundamental differences between the interactions of distributed objects and the interactions of non-distributed objects. Further, work in distributed object-oriented systems that is based on a model that ignores or denies these differences is doomed to failure, and could easily lead to an industry-wide rejection of the notion of distributed object-based systems.
This papers explores a mode of communication that is based on instruction rather than interpretation. Starting from Shannon's (interpretative) communication model, I link instruction±based communications to mobile code (messengers), to ªsignsº as they are defined in semiotics, and to the virus theme commonly found in cell biology, computer science and literature. Virus±codes are conjectured to be more powerful that the equivalence codes studied by Shannon.
The growing importance of telecommunication networks has stimulated research on a new generation of programming languages. Such languages view the network and its resources as a global environment in which computations take place. In particular, they support the notion of code mobility. To understand, discuss, evaluate, and compare such languages, it is necessary to develop a new set of programming language concepts and/or extend the concepts that are used to deal with conventional languages. The purpose of this paper is to provide such framework. This is done hand-in-hand with a survey of a number of existing new languages.
Programs that use mobility as a mechanism to adapt to resource changes have three requirements that are not shared with other mobile programs. First, they need to monitor the level and quality of resources in their operating environment. Second, they need to be able to react to changes in resource availability. Third, they need to be able to control the way in which resources are used on their behalf (by libraries and other support code). In this chapter, we describe the design and implementation of Sumatra, an extension of Java that supports resource-aware mobile programs. We also describe the design and implementation of a distributed resource monitor that provides the information required by Sumatra programs. changes.
We present a new genre of user interface applications: applications that can migrate from one machine to another, taking their user interface and application contexts with them, and continue from where they left off. Such applications are not tied to one user or one machine, and can roam freely over the network, rendering service to a community of users, gathering human input and interacting with people. We envisage that this will support many new agent-based collaboration metaphors. The ability to migrate executing programs has applicability to mobile computing as well. Users can have their applications travel with them, as they move from one computing environment to another. We present an elegant programming model for creating migratory applications and describe an implementation. The biggest strength of our implementation is that the details of migration are completely hidden from the application programmer; arbitrary user interface applications can be migrated by a single ªmigrationº command. We address system issues such as robustness, persistence and memory usage, and also human factors relating to the application design process, the interaction metaphor and safety.
Implementation techniques for distributed applications can be positioned in a spectrum that ranges from data-exchange to code-exchange. Date-exchange means that the logic (i.e., code) of a distributed application is statically installed and that coordination is done by exchanging messages with predefined meanings. Code-exchange, on the other hand, means that coordination is achieved by sending around code fragments which alter the data that is bound to the network's hosts. Actual systems usually pick and combine several techniques that are positioned at different places in this spectrum. Sun's JAVA and the corresponding code-on-demand approach, for example, would be closer to the data-exchange viewpoint, while Stamos' and Gifford's Remote Evaluation is more in the line of mobile code because the initiator has more instructional capabilities. Mobile software agent systems are quite close to pure code-exchange, although they often mix-in classical data--exchange techniques (data streams between agents, or mailboxes). The aim of the mobile code environment M0 (m-zero) is to be as faithful as possible to the code-exchange point of view.
The rapid growth of computer networks has created an opportunity for developing massively distributed computer systems. Such systems will likely consist of loose communities of heterogeneous machines running different operating systems with different security policies. The challenge is to design a reliable, and yet efficient, infrastructure trustworthy enough for electronic commerce and flexible enough to allow software upgrades as well as new functionality to propagate in a decentralized, inherently insecure, wide area network. Mobile object systems embody a paradigm where computations, i.e. running programs, may move across the network and carry out truly distributed computations. The vision is that computations structured as autonomous systems of objects will roam the network performing complex tasks on the behalf of their human owner. These mobile systems of objects carry their data as well as their code with them during their journey; thus allowing almost unlimited extendability. Such unfettered mobility raises justified security concerns. From the host's stand point first. Can an arbitrary code fragment be entrusted with local resources? To what degree is it possible to control the behaviour of downloaded code? How can secrecy and integrity be preserved? From the sender's stand point next. Is it possible to entrust the network with mobile computations that encode valuable knowledge and are empowered to carry out commercial transactions? Even though it is technically feasible to charge foreign computations for small service such as execution time or storage [39]. The key question whether there is a way to achieve a sufficient level of security for this approach to be viable? Currently, we must answer by the negative. None of the existing mobile computation systems meet the security requirements of electronic commerce. Lack of security fosters a just say no attitude towards mobile computations in portions of the scientific and business community [38]. The proverbial ball is now in the camp of mobile computations research. It is up to us to demonstrate that mobile objects may meet the stringent security criteria of real world applications.
The main contribution of this chapter is the study of security threats inherent to communication in mobile object systems. We will study how mobile object systems communicate. Describe the dangers of traditional communication mechanisms and outline two research directions currently being investigated. The structure of the chapter is the following. Section 2 describes security issues in mobile object systems. From this general overview we will focus on communication between object systems. Section 3 more precisely describes the threats that an object systems may be faced with. Section 4 is the heart of the chapter, it describes the shortcomings of existing communication mechanisms. In particular, we give examples that show the inadequacy of the security models of languages such as Java and Telescript (examples in Appendix). Finally, Section 5 sketches on going research.
Generally, the security-related issues can be simplified if the system environment is closed, as in, say, a single-user or single-group environment. In such an environment, the system can assume that only well-tested, reliable and safe objects are processed. A very similar situation is observed in the social context; a person belonging to a community can access any resources of the community without checking, but a visitor from a foreign community can only access resources in a restricted way. Some mobile object systems in the 1980's such as Emerald [Jul88mobility] assumed a closed environment, and did not address security issues.
The mobile object systems currently attracting world-wide attention requires to be used in an open environment, for example, the Internet or a corporation-wide intranet. In an open system, differing from closed systems, the system can assume few things. This makes the implementation of the system considerably sophisticated. For example, consider the dynamic class (code) loading mechanism of the Java system. The functional of dynamic code loading is not new; several dynamic programming languages such as Lisp and Smalltalk-80 have been providing such a function. The Java system, however, provides a class verifier that verifies whether the class to be loaded causes unsecure things. Such a verifier is unnecessary in a closed environment. We discuss the mechanisms of the Java's class verifier in Section [Ref: sec:java] .
This paper surveys the techniques currently known as safe and secure execution mechanisms for mobile objects. In this paper we distinguish safety and security in the following way. Safety means that illegal resource access is inhibited and handled in a systematic way. For example, in some programming languages, safe data structures are provided (such as lists in Lisp) to permit only safe operations to be applied to the data, or an exception handling mechanism is provided for the programmers to explicitly describe fault-handling. Security means to provide protection and integrity in the presence of malicious users. Notice that security subsumes safety. Encoding of an electronic mail message is a typical means of assuring secure communication. Thus, security issues can be divided into two sets: issues covered and not covered by safety. The former in general can be dealt with by preparing only mechanisms, while the latter can be dealt with by preparing both mechanisms and policies [Silberschatz94osc]. Often, a program that attacks security is designed not to violate safety, because if it did, it would be easily detected by the system. Thus, security maintenance always requires a security policy that draws a clear line between unsecure and secure things. The security maintenance mechanism watches and verifies every operation performed by a questionable object according to the given security policy.
Interestingly, the techniques developed for safe mobile objects are useful even for nondistributed computing. We mention three areas for example. First, recent component software architecture such as Microsoft's OLE and Apple's OpenDoc provide function that dynamically combine several software modules developed by independent vendors. Second, recent programming language processors provide foreign function interfaces that permit us to dynamically or statically load and link into them user programs that may be written in another programming language. Safety mechanisms would be very useful in debugging foreign functions. Third, the operating system research community has recently devoted efforts to load safe user modules into operating system kernels [Bershad95sosp,Necula96osdi]. A safety mechanism would be necessary in developing the loaded modules. Even after the debugging process for the loaded modules is complete, a safety or security mechanism is indispensable in a multiuser environment.
In this paper, we categorize the proposed approaches for safe and secure execution mechanisms for mobile objects into three types: interpreter approaches, native code approaches, and the software-hardware hybrid approach. These are explained in Sections [Ref: sec:interpreter] , [Ref: sec:native] , and [Ref: sec:hybrid] , respectively.
Security issues of mobile object systems are vast, and this survey focuses on only the execution mechanism issues. Issues not discussed but related closely to the secure execution mechanisms are those involving language design (e.g., [GeneralMagic96safety]) and communication (e.g., [Vitek96ecoop-mos]).
In this chapter we are going to analyze mobile code issues in the perspective of object oriented systems in which thread migration is not supported. This means that both object's code and data can be transmitted from a place to another but not the current execution state (if any) associated to the object. This is the case with the Java language which is often used in the WWW for developing applets which are little applications downloaded on the fly and executed in the client machine. While this mechanism is quite useful for enhancing HTML documents with sound and animation, we think that this technology can give its best in the field of distributed-cooperative work, both in the perspective of Internet and Intranet connectivity. Java is indeed a concurrent, multithreaded language, but it offers little help for distributed programming. Thus, we introduce Jada, a coordination toolkit for Java where coordination among either concurrent threads or distributed Java objects is achieved via shared object spaces. By exchanging objects through tuple spaces, Java programs and applets can exchange data or synchronize their actions over a single host, a LAN, or even the Internet.
The access to an object space is performed using a set of methods of the ObjectSpace class. Such operations are \Out (to put an object in the object space), \In and \Read (to get or to read associatively an object from the object space), and others, mostly inspired by the Linda language.
Jada does not extends the syntax of Java because it is a set of classes. We show how it changes the way we design multiuser, distributed applications (such as the ones based on the WWW) allowing easy interactions between software components and agents.
Under this perspective we can outline a system of any scale which uses the dynamic linking capability of Java to distribute the code and the coordination facility of Jada to handle distributed entities inter-relations.
The use of larger and more complex mobile agents in distributed applications has created a need for agent programming systems that deliver better performance. The implementation of Extended Facile, a mobile agent language, uses several strategies to boost performance. We review four main techniques: allowing agents to use different transmissible representations, optimistically transmitting machine code with agents, stripping agents of data and code that can be found at their recipients before transmitting them, and performing agent compilation lazily. Quantitative measurements show that these methods can boost absolute and relative performance.
We are designing and implementing a flexible infrastructure for mobile-object systems. Two fundamental innovations distinguish our architecture from other proposed solutions. First, our representation of mobile code is based on adaptive compression of syntax trees. Not only is this representation more than twice as dense as Java byte-codes, but it also encodes semantic information on a much higher level than linear abstract-machine representations such as p-code or Java byte-codes. The extra structural information that is contained in our mobile-code format is directly beneficial for advanced code optimizations. Second, our architecture achieves superior run-time performance by integrating the activity of generating executable code into the operating system itself. Rather than being an auxiliary function performed off-line by a stand-alone compiler, code generation constitutes a central, indispensable service in our system. Our integral code generator has two distinct modes of operation: instantaneous load-time translation and continuous dynamic re-optimization. In contrast to just-in-time compilers that translate individual procedures on a call-by-call basis, our system's integral code-generator translates complete code-closures in a single burst during loading. This has the apparent disadvantage that it introduces a minor delay prior to the start of execution. As a consequence, to some extent we have to favor compilation speed over code quality at load time. But then, the second operation mode of our embedded code generator soon corrects this shortcoming. Central to our run-time architecture is a thread of activity that continually optimizes all of the already executing software in the background. Since this is strictly a re-compilation of already existing code, and since it occurs completely in the background, speed is not critical, so that aggressive, albeit slow, optimization techniques can be employed. Upon completion, the previously executing version of the same code is supplanted by the newly generated one and re-optimization starts over. By constructing globally optimized code-images from mobile software components, our architecture is able to reconcile dynamic composability with the run-time efficiency of monolithic applications.
Dynamic linking provides functionality that is necessary for secure flexible use of mobile programs but it introduces a new class of runtime errors - unbound procedure names. In this chapter, we present a compiler-directed technique for safe dynamic linking for mobile programs. Our technique guarantees that linking failures can occur only when a program arrives at a new execution site and that this failure can be delivered to the program as an error code or an exception. We use interprocedural analysis to identify the set of names that must be linked at the different sites the program executes on. We use a combination of runtime and compile-time techniques to identify the calling context and to link only the names needed in that context. Our technique is able to handle recursive programs as well as separately compiled code that may itself be able to move. We discuss language constructs for controlling the behavior of dynamic linking and the implication of some of these constructs for application structure.
Several languages have been designed and implemented for programming mobile computations. This chapter describes a mobile code language based on extending the popular ML language. The language design, and its implementation, are distinguished by the use of run-time type information for computation. This is intended to motivate the use of run-time types in implementations of languages intended for distributed programming and mobile computations, particularly languages such as ML that provide type polymorphism.
Peter Doemel
This chapter gives an introduction into the two object-oriented programming environments Telescript and Java which both allow to write mobile code. It illustrates some of the more interesting features of these languages as platforms for mobile object systems. Further emphasis lies on the cooperation of agents in these two object-oriented worlds. Moreover, several descriptions of some higher-level agents scenarios are given.