09.04.2005 Trustworthy Global Computing, ETAPS '05

Namespace logic
A logic for a reflective higher-order process calculus

L.G. Meredith, Djinnisys Corporation
Agenda
Motivations
ρ-calculus
A warm-up: replication
Namespace logic
Examples
Conclusions and future work
What's in a name?
MAC addresses, IP addresses, DNS entries, URLs: distributed computing is done using names, and it is essential that these names have structure.
What's in a name?
The π-calculus is not a closed theory: it depends on a theory of names, and such a theory will at least dictate the computation of name equality. Name equality is a computation.
Nowhere is there an infinite set of atomic elements available to the computer scientist: all countably infinite sets available to the computer scientist are generated from a finite presentation. Perforce the elements of these sets have structure, and this structure is used to compute equality.
What's in a name?
If interaction is to provide a foundational theory of computation, then this computation must be accounted for, too. All realizations (e.g., implementations) of mobile process calculi face this fact. Would our theory therefore better serve our practitioners if it accounted for name structure as well?
Synchronization and substitution play very different roles in π-like mobile process calculi, requiring different computations.
Potential applications
Security: concrete realizations of network protocols use naming schemes that exploit the structure of names and are subject to guessing attacks; a theory of interaction with a structural account of names can facilitate reasoning about this.
Biology: sites in molecular biology are decidedly not atomic locations. Ligand-binding receptors, phosphorylation sites, etc. have extension and behavior; modeling these as atomic names may miss important behavior.
The ρ-calculus syntax
Grammar (here $\ulcorner P \urcorner$ is the quote of the process $P$, a name, and $\llcorner x \lrcorner$ is the drop of the name $x$, a process):
  $P, Q ::= 0$   null process
  $\quad\mid\; x(y).P$   input
  $\quad\mid\; x\ulcorner P \urcorner$   lift
  $\quad\mid\; P \mid Q$   parallel composition
  $\quad\mid\; \llcorner x \lrcorner$   drop
  $x, y ::= \ulcorner P \urcorner$   quote
$PROC$ denotes the set of processes generated by this grammar; $\ulcorner PROC \urcorner$ denotes the set of names generated by this grammar.
Syntactic sugar: $x[y] \triangleq x\ulcorner \llcorner y \lrcorner \urcorner$ (output of the name $y$ on $x$).
The ρ-calculus syntax: examples
  $0$   the ur-process: everything literally comes ex nihilo, out of nothing!
  $\ulcorner 0 \urcorner$   the first name
  $\ulcorner 0 \urcorner[\ulcorner 0 \urcorner]$   the first output process
  $\ulcorner 0 \urcorner(\ulcorner 0 \urcorner).0$   the first input process
  $\ulcorner\, \ulcorner 0 \urcorner[\ulcorner 0 \urcorner] \,\urcorner$, $\ulcorner\, \ulcorner 0 \urcorner(\ulcorner 0 \urcorner).0 \,\urcorner$   some new names
Looks remarkably like machine code!
Structural equivalence, α-equivalence and name equivalence
Clearly, we want $0 \equiv 0 \mid 0 \equiv 0 \mid 0 \mid 0 \equiv \dots$
Should $\ulcorner 0 \urcorner \equiv_N \ulcorner 0 \mid 0 \urcorner \equiv_N \ulcorner 0 \mid 0 \mid 0 \urcorner \equiv_N \dots$?
Name equivalence, $\equiv_N \subseteq \ulcorner PROC \urcorner \times \ulcorner PROC \urcorner$, is the smallest equivalence relation respecting
  $\ulcorner \llcorner x \lrcorner \urcorner \equiv_N x$
  $P \equiv Q \;\Rightarrow\; \ulcorner P \urcorner \equiv_N \ulcorner Q \urcorner$
Structural equivalence, $\equiv \subseteq PROC \times PROC$, is the smallest equivalence relation, containing α-equivalence, respecting
  $P \mid 0 \equiv P \equiv 0 \mid P$
  $P \mid Q \equiv Q \mid P$
  $(P \mid Q) \mid R \equiv P \mid (Q \mid R)$
Structural equivalence, α-equivalence and name equivalence
First subtlety: a cycle. Structural equivalence depends on α-equivalence; α-equivalence depends on name equality; name equality depends on structural equivalence!
Each 'recursive call' is one level of quotes fewer. Quote depth:
  $\#(\ulcorner P \urcorner) = 1 + \#(P)$
  $\#(P) = \max\{\, \#(\ulcorner Q \urcorner) \mid \ulcorner Q \urcorner \in N(P) \,\}$
where $N(P)$ is the set of names occurring in $P$.
The grammar enforces strict alternation of quoting and process constructors, so the calculation of structural equivalence terminates by an easy induction on quote depth.
Substitution
Syntactic substitution
A substitution is a partial map $\sigma : \ulcorner PROC \urcorner \to \ulcorner PROC \urcorner$; $\{\ulcorner Q \urcorner / \ulcorner P \urcorner\}$ denotes the map which sends $\ulcorner P \urcorner$ to $\ulcorner Q \urcorner$; we write $x\sigma$ for $\sigma(x)$.
  $x\{\ulcorner Q \urcorner / \ulcorner P \urcorner\} = \ulcorner Q \urcorner$ if $x \equiv_N \ulcorner P \urcorner$, and $x$ otherwise.
A substitution $\sigma$ is uniquely extended to a map $\widehat{\sigma} : PROC \to PROC$ by the following recursive definition (written for $\sigma = \{\ulcorner Q \urcorner / \ulcorner P \urcorner\}$):
  $0\,\widehat{\sigma} \triangleq 0$
  $(R \mid S)\,\widehat{\sigma} \triangleq (R\,\widehat{\sigma}) \mid (S\,\widehat{\sigma})$
  $(x(y).R)\,\widehat{\sigma} \triangleq (x\sigma)(z).\big((R\,\widehat{\{z/y\}})\,\widehat{\sigma}\big)$
  $(x\ulcorner R \urcorner)\,\widehat{\sigma} \triangleq (x\sigma)\ulcorner R\,\widehat{\sigma} \urcorner$
  $(\llcorner x \lrcorner)\,\widehat{\sigma} \triangleq \llcorner \ulcorner Q \urcorner \lrcorner$ if $x \equiv_N \ulcorner P \urcorner$, and $\llcorner x \lrcorner$ otherwise
where $z$ is chosen distinct from the names in $R$, $\ulcorner P \urcorner$ and $\ulcorner Q \urcorner$.
Substitution
Semantic substitution: the same as above except for drop, where the process is instantiated at substitution time:
  $(\llcorner x \lrcorner)\,\widehat{\{\ulcorner Q \urcorner / \ulcorner P \urcorner\}} \triangleq Q$ if $x \equiv_N \ulcorner P \urcorner$, and $\llcorner x \lrcorner$ otherwise
Examples
  $w\ulcorner y[z] \urcorner\{u/z\} = w\ulcorner y[u] \urcorner$
  $w[\ulcorner y[z] \urcorner]\{u/z\} = w[\ulcorner y[z] \urcorner]$   (substitution does not reach inside a name: $\ulcorner y[z] \urcorner \not\equiv_N z$)
  $w\ulcorner \llcorner x \lrcorner \urcorner\{\ulcorner Q \urcorner / x\} = w\ulcorner Q \urcorner$   (semantic substitution)
Operational semantics
The operational semantics is given by a reduction relation $\to \subseteq PROC \times PROC$ recursively specified by the following rules.
  comm:   $x_{src} \equiv_N x_{trgt}$   implies   $x_{src}\ulcorner P \urcorner \mid x_{trgt}(y).Q \;\to\; Q\,\widehat{\{\ulcorner P \urcorner / y\}}$
  par:   $P \to P'$   implies   $P \mid Q \to P' \mid Q$
  equiv:   $P \equiv P'$, $P' \to Q'$, $Q' \equiv Q$   implies   $P \to Q$
Replication
Replication is defined by the following equations:
  $D(x) = x(y).(\llcorner y \lrcorner \mid x[y])$
  $!_x P = D(x) \mid x\ulcorner P \mid D(x) \urcorner$
One comm step unfolds a copy of $P$ and re-creates the replicator:
  $x(y).(\llcorner y \lrcorner \mid x[y]) \mid x\ulcorner P \mid D(x) \urcorner \;\to\; P \mid D(x) \mid x[\ulcorner P \mid D(x) \urcorner]$
  $= P \mid D(x) \mid x\ulcorner P \mid D(x) \urcorner$
  $= P \mid\, !_x P$
Namespace logic: syntax
Grammar
  $\varphi, \psi ::= \mathsf{true}$   verity
  $\quad\mid\; 0$   nullity
  $\quad\mid\; \neg\varphi$   negation
  $\quad\mid\; \varphi \,\&\, \psi$   conjunction
  $\quad\mid\; \varphi \mid \psi$   simultaneity
  $\quad\mid\; \llcorner b \lrcorner$   descent
  $\quad\mid\; a\ulcorner \varphi \urcorner$   elevation
  $\quad\mid\; a?b.\varphi$   activity
  $\quad\mid\; \mathsf{rec}\, X.\varphi$   greatest fix-point
  $\quad\mid\; \forall n : \ulcorner \varphi \urcorner . \psi$   quantification
  $a ::= \ulcorner \varphi \urcorner$   indication
  $\quad\mid\; b$
  $b ::= \ulcorner P \urcorner$   nomination
  $\quad\mid\; n$
Namespace logic: satisfaction
  $P \models \mathsf{true}$   always
  $P \models 0$   iff $P \equiv 0$
  $P \models \neg\varphi$   iff $P \not\models \varphi$
  $P \models \varphi \,\&\, \psi$   iff $P \models \varphi$ and $P \models \psi$
  $P \models \varphi \mid \psi$   iff $P \equiv P_1 \mid P_2$, $P_1 \models \varphi$, $P_2 \models \psi$
  $P \models \llcorner b \lrcorner$   iff $P \equiv \llcorner b \lrcorner$
  $P \models a\ulcorner \varphi \urcorner$   iff $P \equiv Q \mid x\ulcorner P' \urcorner$, $x \models a$, $P' \models \varphi$
  $P \models a?b.\varphi$   iff $P \equiv Q \mid x(y).P'$, $x \models a$, and $P'\{z/y\} \models \varphi\{c/b\}$ for the quantified names $c$ and $z$
  $\ulcorner P \urcorner \models \ulcorner \varphi \urcorner$   iff $P \models \varphi$
  $x \models b$   iff $x \equiv_N b$
Examples
P insists all next requests are from the namespace $\ulcorner \varphi \urcorner$:
  $P \models \ulcorner \varphi \urcorner ?b.\mathsf{true} \;\&\; \neg(\ulcorner \neg\varphi \urcorner ?b.\mathsf{true})$
(think: all next requests must come from this range of addresses and ports)
P only takes requests from the namespace $\ulcorner \varphi \urcorner$:
  $P \models \mathsf{rec}\, X.\; \ulcorner \varphi \urcorner ?b.X \;\&\; \neg(\ulcorner \neg\varphi \urcorner ?b.\mathsf{true})$
(think: all requests must come from this range of addresses and ports)
P enjoys balanced i/o:
  $P \models \mathsf{rec}\, X.\,\big(0 \;\vee\; \forall n : \ulcorner \mathsf{true} \urcorner .\, (n?b.X \mid n\ulcorner X \urcorner)\big)$
(think: no starved requests, no unsent replies)
x enjoys well-formed internal structure:
  $x \models \ulcorner\, \mathsf{rec}\, X.\,\big(0 \;\vee\; \forall n : \ulcorner \mathsf{true} \urcorner .\, \big((\mathsf{rec}\, Y.\, n?b.(\llcorner b \lrcorner \mid Y \mid n\ulcorner 0 \urcorner)) \;\vee\; (n\ulcorner X \urcorner \mid X)\big)\big) \,\urcorner$
(think: every <tag> has a corresponding </tag>)
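The definitions of slides 7 through 17 carried through in code, as one added example (this is not code from the slides, the paper, or the author). It implements canonical forms for structural equivalence with the quote-depth recursion for name equivalence, semantic substitution with the fresh binder $z$, the comm rule, the replication encoding $D(x)$ and $!_x P$, and the finite fragment of namespace logic (no `rec`, no quantifier) needed for the first example above. The term encoding (dataclasses, the internal `BVar` stand-in for bound names, the scheme `<0>`, `<<0><0>>`, ... for fresh names) and the constructed "address range" namespace in `example()` (names whose quoted process is a lift on `<0>`) are this example's own assumptions, not notation from the slides.

```python
"""rho-calculus terms, structural and name equivalence, semantic substitution, the comm
rule, replication, and a finite fragment of namespace logic.  Added example, not code
from the original slides; the term encoding and fresh-name scheme are its own choices.
In comments, <P> is the quote of the process P and drop x the drop of the name x."""
from dataclasses import dataclass

def node(name, fields):              # compact frozen dataclass constructor for AST nodes
    return dataclass(frozen=True)(type(name, (), {"__annotations__": {f: object for f in fields.split()}}))

Zero, Input, Lift = node("Zero", ""), node("Input", "chan bound body"), node("Lift", "chan body")
Par, Drop, Quote = node("Par", "parts"), node("Drop", "name"), node("Quote", "proc")  # 0, x(y).P, x<P>, P|Q, drop x, <P>
BVar = node("BVar", "idx")           # internal stand-in for a bound name (alpha-equivalence)
q0 = Quote(Zero())                   # <0>, the first name (slide 8)

def canon(p, depth=0):
    """Canonical form modulo structural equivalence (slide 9): flatten |, drop 0s, sort the
    operands, and rename the binder of x(y).P to BVar(depth) for alpha-equivalence."""
    if isinstance(p, Zero): return p
    if isinstance(p, Drop): return Drop(canon_name(p.name))
    if isinstance(p, Lift): return Lift(canon_name(p.chan), canon(p.body, depth))
    if isinstance(p, Input):
        v = BVar(depth)
        return Input(canon_name(p.chan), v, canon(subst(p.body, p.bound, v, Drop(v)), depth + 1))
    parts = []
    for c in (canon(q, depth) for q in p.parts):
        parts += list(c.parts) if isinstance(c, Par) else [] if isinstance(c, Zero) else [c]
    parts.sort(key=repr)
    return Zero() if not parts else parts[0] if len(parts) == 1 else Par(tuple(parts))

def canon_name(n):
    """Name equivalence (slide 9): <drop x> ~ x and <P> ~ <Q> iff P is structurally equivalent
    to Q.  Each call strips one level of quoting, so the mutual recursion with canon
    terminates by induction on quote depth (slide 10)."""
    if isinstance(n, BVar): return n
    return canon_name(n.proc.name) if isinstance(n.proc, Drop) else Quote(canon(n.proc))

def name_eq(x, y): return canon_name(x) == canon_name(y)
def proc_eq(p, q): return canon(p) == canon(q)

def names_in(p):                     # canonical forms of the names occurring in p
    if isinstance(p, Zero): return set()
    if isinstance(p, Par): return set().union(*(names_in(q) for q in p.parts))
    if isinstance(p, Drop): return {canon_name(p.name)}
    bound = {canon_name(p.bound)} if isinstance(p, Input) else set()
    return {canon_name(p.chan)} | bound | names_in(p.body)

def fresh(avoid):                    # a name outside `avoid` (the z of slide 11): <0>, <<0><0>>, <<0><0>|<0><0>>, ...
    k = 0
    while canon_name(Quote(Par((Lift(q0, Zero()),) * k))) in avoid: k += 1
    return Quote(Par((Lift(q0, Zero()),) * k))

def subst(p, target, new_name, dropped):
    """Semantic substitution p{new_name/target} (slide 12): a name equivalent to `target` becomes
    `new_name`; a dropped one becomes the *process* `dropped` (Q for {<Q>/x}), instantiated now."""
    s = lambda q: subst(q, target, new_name, dropped)
    sn = lambda n: new_name if name_eq(n, target) else n
    if isinstance(p, Zero): return p
    if isinstance(p, Par): return Par(tuple(map(s, p.parts)))
    if isinstance(p, Lift): return Lift(sn(p.chan), s(p.body))
    if isinstance(p, Drop): return dropped if name_eq(p.name, target) else p
    if name_eq(p.bound, target): return Input(sn(p.chan), p.bound, p.body)   # binder shadows target
    z = fresh(names_in(p.body) | {canon_name(new_name), canon_name(target)})  # capture-avoiding
    return Input(sn(p.chan), z, s(subst(p.body, p.bound, z, Drop(z))))

def step(p):
    """All one-step comm reducts (slide 13): x<P> | x'(y).Q -> Q{<P>/y} when x ~ x'."""
    c = canon(p)
    parts = list(c.parts) if isinstance(c, Par) else [c]
    out = []
    for i, l in enumerate(parts):
        for j, r in enumerate(parts):
            if isinstance(l, Lift) and isinstance(r, Input) and name_eq(l.chan, r.chan):
                rest = [q for k, q in enumerate(parts) if k not in (i, j)]
                out.append(canon(Par(tuple(rest + [subst(r.body, r.bound, Quote(l.body), l.body)]))))
    return out

def send(x, y): return Lift(x, Drop(y))          # x[y] = x<drop y>  (slide 7)
def D(x):                                        # D(x) = x(y).(drop y | x[y])  (slide 14)
    y = fresh({canon_name(x)})
    return Input(x, y, Par((Drop(y), send(x, y))))
def bang(x, p): return Par((D(x), Lift(x, Par((p, D(x))))))   # !_x P = D(x) | x<P | D(x)>

# Namespace logic (slides 15/16), finite fragment: true, 0, Not, And, Elev = a<phi>, Act = a?b.true;
# a name formula is a name (nomination) or Ind(phi) = <phi> (indication).  rec and the quantifier are omitted.
Ind, Elev, Act, Not, And = node("Ind", "phi"), node("Elev", "a phi"), node("Act", "a"), node("Not", "phi"), node("And", "l r")
TRUE, ZERO = "true", "0"

def name_sat(x, a):                              # x |= <phi> iff x ~ <P> with P |= phi;  x |= b iff x ~ b
    if isinstance(a, Ind):
        c = canon_name(x)
        return isinstance(c, Quote) and sat(c.proc, a.phi)
    return name_eq(x, a)

def sat(p, f):
    """P |= phi; the decompositions P = Q | x<P'> and P = Q | x(y).P' are read off the canonical |."""
    c = canon(p)
    parts = c.parts if isinstance(c, Par) else (c,)
    if f == TRUE: return True
    if f == ZERO: return isinstance(c, Zero)
    if isinstance(f, Not): return not sat(p, f.phi)
    if isinstance(f, And): return sat(p, f.l) and sat(p, f.r)
    if isinstance(f, Act): return any(isinstance(q, Input) and name_sat(q.chan, f.a) for q in parts)
    return any(isinstance(q, Lift) and name_sat(q.chan, f.a) and sat(q.body, f.phi) for q in parts)

def only_from(phi):                              # slide 17: <phi>?b.true & not(<not phi>?b.true)
    return And(Act(Ind(phi)), Not(Act(Ind(Not(phi)))))

def example():
    """Constructed scenario (assumption): the 'address range' is the namespace of names quoting a lift on <0>."""
    addr = Elev(q0, TRUE)
    a1, a2, rogue = Quote(Lift(q0, Zero())), Quote(Lift(q0, Lift(q0, Zero()))), Quote(Input(q0, q0, Zero()))
    server = Par((Input(a1, q0, Zero()), Input(a2, q0, Zero())))   # listens only on in-range names
    return sat(server, only_from(addr)), sat(Par((server, Input(rogue, q0, Zero()))), only_from(addr))
```

`example()` returns `(True, False)`: the server that only inputs on in-range names satisfies the slide's "all next requests are from the namespace" formula, and adding one input on an out-of-range name breaks it. `step(bang(x, P))` returns the single reduct `P | !_x P` of slide 14, and `subst` reproduces the three substitution examples of slide 12; `canon` is what makes the decompositions $P \equiv Q \mid x\ulcorner P' \urcorner$ in the satisfaction clauses a finite search over the operands of the parallel composition.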
XML in Namespace logic: dom
x conforms to dom:
  $x \models \ulcorner\, \forall m : \ulcorner \mathsf{true} \urcorner .\; m\ulcorner\, \mathsf{rec}\, X.\, \forall n : \ulcorner \mathsf{true} \urcorner .\, \big(0 \;\vee\; n\ulcorner X \urcorner \;\vee\; \mathsf{rec}\, Y.\, \forall n : \ulcorner \mathsf{true} \urcorner .\, n?b.(X) \mid Y\big) \,\urcorner \,\urcorner$
Document root: $\forall m : \ulcorner \mathsf{true} \urcorner .\; m\ulcorner \dots \urcorner$.   Element: $n\ulcorner X \urcorner$.   Sequencing: $n?b.(\dots)$.   Grouping: $\dots \mid \dots$
XML in Namespace logic: schema
x conforms to schema s, where $[s]$ is the formula encoding the schema $s$ by the following clauses:
  e is an element(n, s):   $x \models \ulcorner\, \forall m : \ulcorner [n] \urcorner .\, m\ulcorner [s] \urcorner \,\urcorner$
  s is a sequence($e_0, \dots, e_N$):   $x \models \ulcorner\, \forall n : \ulcorner [n_0] \urcorner .\, n?b.\big([s_0] \mid (\dots \forall n : \ulcorner [n_N] \urcorner .\, n?b.([s_N]) \dots)\big) \,\urcorner$
  s is a choice($s_0, \dots, s_N$):   $x \models \ulcorner [s_0] \vee \dots \vee [s_N] \urcorner$
  s is a group($s_0, \dots, s_N$):   $x \models \ulcorner [s_0] \mid \dots \mid [s_N] \urcorner$
  s is a repetition: left as an exercise (note: with '|', min and max bounds can be done)
If x conforms to s then x should model dom:   $\models [s] \Rightarrow \mathit{dom}$
Operational semantics revisited
An alternative operational semantics may be given by
  comm-annihil:   $\exists R.\, (P_{chan} \mid P_{cochan} \to^* R),\; R \to^* 0$   implies   $\ulcorner P_{chan} \urcorner \ulcorner P \urcorner \mid \ulcorner P_{cochan} \urcorner(y).Q \;\to\; Q\,\widehat{\{\ulcorner P \urcorner / y\}}$
Conclusions and future work
Presented a higher-order asynchronous message-passing calculus built on a notion of quoting; it provides an account of structured names.
Presented a logic for reasoning about namespaces.
Work underway on: proof system, type system, model-checker.
Namespace logic: backup slides
Encoding the π-calculus
The paper presents a 'distributed' encoding in which par-ands are mapped to separate namespaces. Below we present a centralized encoding (due to Radestock) in which there is a single resource against which all ν-requests are synchronized. Both encodings use a trick for free names: build a π-calculus with the name set $\ulcorner PROC \urcorner$.
Let $h$ be a name not in $fn(P)$, e.g. $h = \ulcorner\, \prod_{m \in fn(P)} m[\ulcorner 0 \urcorner] \,\urcorner$.
  $[\![P]\!] = [\![P]\!](h) \mid h[\ulcorner h[\ulcorner 0 \urcorner] \urcorner]$
  $[\![(\nu x)P]\!](h) = h(x).\big(h\ulcorner x[\ulcorner 0 \urcorner] \urcorner \mid [\![P]\!](h)\big)$
  $[\![\,!x(y).P]\!](h) = h(z).\big(h\ulcorner z[\ulcorner 0 \urcorner] \urcorner \mid z\ulcorner x(y).(D(z) \mid [\![P]\!](h)) \urcorner \mid D(z)\big)$
where $z \notin fn(P)$ and $D(z)$ is as in replication.
Correctness of the encoding
Names are global in the ρ-calculus… ρ-calculus contexts can make observations that π-calculus contexts cannot; to prove correctness of the encoding one must restrict to name-sets visible in π-calculus contexts.
An observation relation, $\downarrow_N$, parameterized in a set of names $N$, is given by
  $x \equiv_N y$   implies   $y[v] \downarrow_N x$, for $x \in N$
  $P \downarrow_N x$ or $Q \downarrow_N x$   implies   $P \mid Q \downarrow_N x$
  $P \Downarrow_N x$ if there is a $Q$ s.t. $P \to^* Q$ and $Q \downarrow_N x$
An N-barbed bisimulation, $S_N$, is a symmetric relation s.t. $P\, S_N\, Q$ implies
  $P \to P'$   implies   $Q \to^* Q'$ with $P'\, S_N\, Q'$
  $P \downarrow_N x$   implies   $Q \Downarrow_N x$
$P \approx_N Q$ if there is an N-barbed bisimulation $S_N$ with $P\, S_N\, Q$.
THM: $P \approx_\pi Q$ (barbed bisimilarity in the π-calculus) iff $[\![P]\!] \approx_{FN(P) \cup FN(Q)} [\![Q]\!]$