Xavier Leroy. The Caml Special Light System (Release 1.10). INRIA, France, November 1995.
....disadvantage is that if a module is sent with unused functions or a data object is sent with unused values, dynamic typing would never have checked those types. 3.3 The Caml Programming Language In our implementation of the alien architecture, we chose to use an existing language, Objective Caml [4], as it implements all of the properties identified to varying degrees. We will discuss it and some of the other choices that we considered and discarded in the following sections. Objective Caml is a language from the ML [5] family of languages. It is a strongly typed, garbage collected, ....
Xavier Leroy. The Caml Special Light System (Release 1.10). INRIA, France, November 1995.
....BFIK98b] The overall architecture of SANE for a three node network is shown in Figure 7.2. The initialization of each node begins with the bootstrap. Following the successful completion of the bootstrap, the operating system is started which loads a general purpose evaluator, e.g. a Caml [Ler95] or Java [GJS96] runtime. The evaluator then starts an Active Loader which restricts the environment provided by the evaluator. Finally, the loader loads an Active Network Evaluator (ANE) which accepts and evaluates active packets, e.g. PLAN [HKM 98] Switchlet, or ANTS [WGT98] The ANE ....
Xavier Leroy. The Caml Special Light System (Release 1.10). INRIA, France, November 1995.
....[AAKS99] In particular, we defend against attacks that would deny service, seek to obtain unauthorized content, and misrepresent (spoof) identity. We explain PLAN's role in defending against these attacks below. 2.1 PLAN PLAN [HKM 98] is a small functional language with syntax similar to ML [Ler, MTH90]. To express remote computation, it includes a primitive OnRemote (among others) that evaluates an expression at a remote node. Invoking OnRemote will result in a newly spawned packet. By design, the language has properties that prevent some attacks. PLAN is resource and expression limited, ....
....which require authorization will have the extra time and space overheads. However, there is no protection against replay attacks, and public key operations are notoriously slow. Furthermore, authentication is only unidirectional (principal to node) thus providing less confidence to the caller. We mitigate these problems by using a variant of the mutual authentication protocol described in [AAKS98] 4.2 Authorization As our policy manager, we have chosen to use the Query Certificate Manager (QCM) [GJ98] which provides comprehensive security credential location and retrieval services, ....
Xavier Leroy. The Caml Special Light System (Release 1.10). http://pauillac.inria.fr/ocaml.
....supported by treating each packet as a module, although a more typical use of the facility is to add a service used by streams of inactive packets. Among the logical services available at a node is the PLAN system described in Section 4.2. The system is currently implemented in the type safe Caml [Ler95] language, using the Linux operating system for low level services such as raw Ethernet sockets. Much of the software is available from the SwitchWare Web site, http: www.cis.upenn.edu switchware. The ALIEN system restricts access to system services using a namespace restriction scheme called ....
Xavier Leroy. The Caml Special Light System (Release 1.10). INRIA, France, November 1995.
....networking language and then set about designing a language to meet those requirements. In particular, they differ from PLAN in that they hope to use the type system to allow safe accumulation of state. They appear to be trying to avoid having any service layer at all. Java [GJS96] and ML [MTH90, Ler] (and the MMM [Lou96] project) provide security through language mechanisms. More recent versions of Java provide protection domains [GS98] Protection domains were first introduced in Multics [Sch72, Sch75, MSS77, Sal74] These solutions are not applicable to programs written in other languages ....
....BFIK98, BFIK99] The overall architecture of SANE for a three node network is shown in Figure 2. The initialization of each node begins with the bootstrap. Following the successful completion of the bootstrap, the operating system is started which loads a general purpose evaluator, e.g. a Caml [Ler] or Java [GJS96] runtime. The evaluator then starts an Active Loader which restricts the environment provided by the evaluator. Finally, the loader loads an Active Network Evaluator (ANE) which accepts and evaluates active packets, e.g. PLAN [HKM 98] Switchlet, or ANTS [WGT98] The ANE ....
[Article contains additional citation context not shown here]
Xavier Leroy. The Caml Special Light System (Release 1.10). http://pauillac.inria.fr/ocaml.
....implementation. This provided a clear demonstration of the active nature of the Active Bridge. 3.2 Objective Caml Because ML [MTH90] is strongly typed, is well studied by programming language semanticists, and because we have some considerable local ML expertise, we have chosen to use Caml [Ler95] an ML dialect, for our work. Caml is a language developed at INRIA based on ML. It also provides a module system and an object system. There were two primary motivations for the choice of Caml: the portable byte code that it generates and the ability to perform dynamic linking. The byte code ....
Xavier Leroy. The Caml Special Light System (Release 1.10). INRIA, France, November 1995.
....Its form is based on the simply typed lambda calculus, so it is widely used in the research community. Since its origin, SML's popularity has grown for use in general purpose applications, and a number of highly tuned compilers and standard libraries have emerged [Appel and MacQueen 1987; Leroy 1995; Berry 1991] 3.1 Language Features SML encourages a functional, or declarative, style of programming; this means that SML programs describe solutions to a problem, whereas imperative languages provide instructions to a computer. As a result, declarative languages have proven more of a ....
Leroy, X. 1995. The Caml Special Light System (Release 1.10). INRIA, France.
....and array bounds checking. We discuss why strong typing provides safety advantages in some detail in Section 5.1.2. Because ML [MTH90] is strongly typed, is well studied by programming language semanticists, and because we have some considerable local ML expertise, we have chosen to use Caml [Ler95] an ML dialect, for our work. Caml also has two additional advantages for our work: byte codes and dynamic linking. The byte code format provided by Caml provides us with a machine independent format that is compact for transmitting switchlets over the network. Dynamic linking provides the ....
Xavier Leroy. The Caml Special Light System (Release 1.10). INRIA, France, November 1995.
....final property which we require is the ability to dynamically load programs. Clearly, if we intend to run programs that arrive over the net, we must have a way to link those programs into the running system and evaluate them. Dynamic loading gives us this ability. The Caml programming language [Ler95] provides these features. Caml additionally provides us with a threads interface and static type checking. The former allows a natural programming style and precludes the need to implement a scheduler. We have, however, discovered that the scheduler imposes an unexpectedly high overhead. See ....
Xavier Leroy. The Caml Special Light System (Release 1.10). INRIA, France, November 1995.
....The final property which we require is the ability to dynamically load programs. Clearly, if we intend to run programs that arrive over the net, we must have a way to link those programs into the running system and evaluate them. Dynamic loading gives us this ability. The Caml programming language [30] provides these features. Caml additionally provides us with a threads interface and static type checking. The former allows a natural programming style and precludes the need to implement a scheduler. The latter pushes many of the costs associated with the type system to compile time. Thus, ....
Xavier Leroy, The Caml Special Light System (Release 1.10), INRIA, France, November 1995.
....installation protocol B PLAN packet core services Figure 1: PLANet's security architecture. The contents of the dashed box are available to all incoming packets, while the dotted boxes encapsulate service packages available only to select users. in common with Haskell [17] Scheme [36] and ML [28, 25]. It differs most importantly from these in that it includes a primitive OnRemote (among others) for evaluating an expression at a remote node. Invoking OnRemote will result in a newly spawned packet. PLAN also has some desirable security properties, which we will mention below. PLAN's Security ....
Xavier Leroy. The Caml Special Light System (Release 1.10). http://pauillac.inria.fr/ocaml.
....system and evaluate them. Dynamic loading gives us this ability. Other systems may use other approaches; for example, an Active node that uses memory protection to isolate processes would probably start a new process and execute the received code in that context. The Caml programming language [40] provides these features. Caml additionally provides us with a threads interface and static type checking. The former allows a natural programming style and precludes the need to implement a scheduler. The latter pushes many of the costs associated with the type system to compile time. Thus, ....
Xavier Leroy, The Caml Special Light System (Release 1.10), INRIA, France, November 1995.
....handling security at the scale necessary for today's Internet. These mechanisms are coming under increasing strain from the development and deployment of systems that increase the programmability of the Internet. Moreover, this increased flexibility through programmability trend seems to be accelerating with the advent of proposals such as Active Networking and Mobile Agents. The trust management approach to distributed system security was developed as an answer to the inadequacy of traditional authorization mechanisms. Trust management engines avoid the need to resolve identities in an ....
....approach in mobile code security, active networking, and distributed access control. 3.1 Active Networks There has been a great deal of interest in the problem of exposing the ability to control of network infrastructure. Much of this interest has been driven by the desire to accelerate service creation. Sometimes services can be created using features of existing systems. One of the most aggressive proposals is the notion of programmable network infrastructure or active networking. In an active network, the operator or user has facilities for directly modifying the ....
[Article contains additional citation context not shown here]
Xavier Leroy. The Caml Special Light System (Release 1.10). http://pauillac.inria.fr/ocaml.
....the values are subsequently unused (for example, because only certain values out of an unmarshaled structure are actually used) a net increase in critical path processing time is possible. 2.2 The Objective Caml Language In alien, we chose to use an existing language, Objective Caml Language [Ler95] as it implements all of the properties identified in Section 2.1 to varying degrees. We will discuss it and some of the other choices that we considered and discarded in the following sections. 2.2.1 Objective Caml Objective Caml is a language from the ML [MTH90] family of languages. It is a ....
Xavier Leroy. The Caml Special Light System (Release 1.10). INRIA, France, November 1995.