Object-oriented distributed computing is becoming increasingly important for critical infrastructure in society. In standard object-oriented models, objects synchronize on method calls. These models may be criticized in the distributed setting for their tight coupling of communication and synchronization; network delays and instabilities may locally result in much waiting and even deadlock. The Creol model targets distributed objects by a looser coupling of method calls and synchronization. Asynchronous method calls and high-level local control structures allow local computation to adapt to network instability. Object variables are typed by interfaces, so communication with remote objects is independent from their implementation. The inheritance and subtyping relations are distinct in Creol. Interfaces form a subtype hierarchy, whereas multiple inheritance is used for code reuse at the class level. This paper presents the Creol syntax, operational semantics, and type system. It is shown that runtime type errors do not occur for well-typed programs.

MoMi (Mobile Mixins) is a coordination language for mobile processes that communicate and exchange object-oriented code in a distributed context. MoMi's key idea is structuring mobile object-oriented code by using mixin-based inheritance. Mobile code is compiled and typed locally, and can successfully interact with code present on foreign sites only if its type is subtyping-compliant with the type of what is expected by the receiving site. The key feature of the paper is the definition of this subtyping relation on classes and mixins that enables a significantly flexible, yet still simple, communication pattern. We show that communication by subtyping is type safe in that exchanged code is merged into local code without requiring further type analysis and recompilation.

We discuss a basic process calculus useful for modelling applications over global computing systems and present the associated semantic theories as determined by some basic notions of observation. The main features of the calculus are explicit distribution, remote operations, process mobility and asynchronous communication through distributed data spaces. We introduce some natural notions of extensional observations and study their closure under operational reductions and/or language contexts to obtain barbed congruence and may testing. For these equivalences, we provide alternative tractable characterizations as labelled bisimulation and trace equivalence. We discuss some of the induced equational laws and relate them to design choices of the calculus. In particular, we show that some of these laws do not hold any longer if the language is rendered less abstract by introducing (asynchronous and undetectable) failures or by implementing remote communications via process migrations and local exchanges. In both

This paper presents O'Klaim (Object-Oriented Klaim), a linguistic extension of the higher-order calculus for mobile processes Klaim with object-oriented features. Processes interact by an asynchronous communication model: they can distribute and retrieve resources, sometimes structured as incomplete classes, i.e., mixins, to and from distributed tuple spaces. This mechanism is coordinated by providing a subtyping relation on classes and mixins, which become polymorphic items during communication. We propose a static typing system for: (i) checking locally each process in its own locality; (ii) decorating object-oriented code that is sent to remote sites with its type. This way, tuples can be dynamically retrieved only if they match by subtyping with the expected type. If this pattern matching succeeds, the so retrieved code can be composed with local code, dynamically and automatically, in a type-safe way. Thus a global safety condition is guaranteed without requiring any additional information on the local reconfiguration of local and foreign code, and, in particular, without any further type checking. Finally, we present main issues concerning the implementation of O'Klaim.

The paper introduces the Cama (Context-Aware Mobile Agents) framework intended for developing large-scale mobile applications using the agent paradigm. Cama provides a powerful set of abstractions, a supporting middleware and an adaptation layer allowing developers to address the main characteristics of the mobile applications: openness, asynchronous and anonymous communication, fault tolerance, device mobility. It ensures recursive system structuring using location, scope, agent and role abstractions. Cama supports system fault tolerance through exception handling and structured agent coordination. The applicability of the framework is demonstrated using an ambient lecture scenario- the first part of an ongoing work on a series of ambient campus applications.

Abstract. We introduce an ambient-based calculus that combines ambient mobility with process mobility, uses group names to collect ambients with homologous features, and exploits co-moves and runtime type checking to implement flexible policies for controlling process activities. Types rely on group names and, to support dynamicity, may depend on group variables. Policies can dynamically change also through installation of co-moves. The compliance with ambient policies can be checked locally to the ambients and requires no global assumptions. We prove that the type assignment system and the operational semantics of the calculus are ‘sound’, and define a sound and complete type inference algorithm which, when applied to terms whose type decorations only express the desired policies, computes the minimal type annotations required for their execution. As an application of our calculus, we present a couple of examples and linger on the setting up of policies for controlling the activities of the entities involved. 1

We introduce a quantitative approach to the analysis of distributed systems which relies on a linear operator based network semantics. A typical problem in a distributed setting is how information propagates through a network, and a typical qualitative analysis is concerned with establishing whether some information will eventually be transmitted from one node to another node in the network. The quantitative approach we present allows to obtain additional information such as an estimation of the probability that some data is transmitted within a given interval of time. We formalise situations like this using a probabilistic version of a process calculus which is the core of KLAIM, a language for distributed and mobile computing based on interactions through distributed tuple spaces. The analysis we present exploits techniques based on Probabilistic Abstract Interpretation and is characterised by compositional aspects which greatly simplify the inspection of the nodes interaction and the detection of the information propagation through a computer network. 1

We introduce cKlaim, a process calculus that can be thought of as a variant of the #-calculus with process distribution, process mobility and asynchronous communication through distributed repositories. Upon it, we develop a semantic theory to reason about programs. More precisely, we introduce a natural contextually defined behavioural semantics, give a coinductive characterization in terms of a labelled bisimulation and illustrate some significant laws. Then, we smoothly tune the theory to model two more concrete settings obtained by explicitly considering failures and node connections, two low-level features that in real life can a#ect the underlying network infrastructure and, hence, the ability of processes to perform remote operations.

An ad-hoc network is a collection of wireless nodes which adhere to a communication principle without fixed infrastructure or a centralised control component. Instead, nodes have to rely on each other in order to forward packages to others beyond direct transmission range. Developing reliable routing protocols for these networks is a hard task, especially when studied in an untrusted environment. But new protocols are predominantly validated by an interpretation of simulation results, thus lacking a rigid formal analysis necessary for ensuring security. We present a step in the direction of formal protocol verification in this setting by proposing a quantitative extension to the process calculus CBS that allows us to model the behaviour of ad-hoc networks. We apply our development to the DSR routing protocol and develop a static analysis defined by a flow logic in order to track the messages sent in a network. The analysis is then used to evaluate the sensitivity of the network to the presence of an attacker trying to disrupt communication.

I certify that this dissertation, and the research to which it refers, are the product of my own work, and that any ideas or quotations from the work of others are properly acknowledged. Signed: Date: Mobile ad-hoc networks consist of mobile wireless devices which autonomously organise their communication infrastructure. Because of the simple network deployment this networking paradigm offers much convenience, but security turns out to be an important concern when considering the threats implied in using the wireless medium. In order to eliminate such concerns, formal specification and analysis techniques have to be used so that the employed communication protocols can be proved secure or their vulnerabilities exposed. While many such frameworks have been proposed for the analysis of classical security protocols, the challenges of the new setting prevent these from being applied directly. The main complication stems from the fact that the actions of intermediate