types for resource control
play

Types for Resource Control Ian Stark Laboratory for Foundations of - PowerPoint PPT Presentation

Dec 27, 2022 •342 likes •859 views

Types for Resource Control Ian Stark Laboratory for Foundations of Computer Science The University of Edinburgh Formal Methods for Components and Objects CWI, Amsterdam, 2426 October 2007 http://mobius.inria.fr Overview Mobius: Mobility,

  1. Types for Resource Control Ian Stark Laboratory for Foundations of Computer Science The University of Edinburgh Formal Methods for Components and Objects CWI, Amsterdam, 24–26 October 2007 http://mobius.inria.fr

  2. Overview Mobius: Mobility, Ubiquity and Security Proof-carrying code for Java on mobile devices FP6 Integrated Project developing novel technologies for trustworthy global computing, using proof-carrying code to give users independent guarantees of the safety and security of Java applications for mobile phones and PDAs. Innovative trust management, with digital evidence of program behaviour. Static enforcement, checking code before it starts. Modularity, building trusted applications from trusted components. Types for Resource Control This talk is about one of the underlying technologies: type systems that capture quantitative information about resource usage. Work by Mobius partners in Madrid, INRIA, Munich, and Edinburgh. Includes slides from David Aspinall, Patrick Maier and Martin Hofmann. Ian Stark — Types for Resource Control FMCO ’07 — CWI Amsterdam 2007-10-24

  3. Outline Resource control 1 Type systems 2 Heap space analysis 3 Permission analysis 4 Summary 5 Ian Stark — Types for Resource Control FMCO ’07 — CWI Amsterdam 2007-10-24

  4. Outline Resource control 1 Type systems 2 Heap space analysis 3 Permission analysis 4 Summary 5 Ian Stark — Types for Resource Control FMCO ’07 — CWI Amsterdam 2007-10-24

  5. Varieties of resource 1 Machine resources — implicit properties of execution heap space execution time stack height, call counting, . . . 2 Program resources — explicitly manipulated in code use-once permissions collection sizes, thread pools, . . . 3 External resources — exist outwith the JVM billable events like text messages, phone calls persistent database records, power consumption, . . . Ian Stark — Types for Resource Control FMCO ’07 — CWI Amsterdam 2007-10-24

  6. Controlling resources Aim: quantitative analysis of resource usage. Elsewhere: patterns of access , e.g. create, open, close. Objectives: Simple, type-based treatment of useful cases Static analysis to predict behaviour Certification for PCC Benefits of resource control: Obvious security relevance. Many security breaches amount to violating resource control: exceeding allowed bounds or gaining unauthorised access to resources. Also useful beyond security: feasibility, scheduling, pricing. Ian Stark — Types for Resource Control FMCO ’07 — CWI Amsterdam 2007-10-24

  7. Classical program analysis Mobius work also includes approaches based on control flow graphs: Permissions, externally native methods assigned a permissions profile static analysis of control flow graph, check no errors INRIA Rennes: Besson, Jensen, Pichardie. see: WITS/ETAPS ’07 invited talk by Thomas Jensen Execution cost assign costs to bytecode statements (e.g., time) generate a set of cost equations on control flow graph Madrid: Albert, Arenas, Genaim, Puebla, Zanardini. see: ESOP ’07 paper by Madrid team Ian Stark — Types for Resource Control FMCO ’07 — CWI Amsterdam 2007-10-24

  8. Outline Resource control 1 Type systems 2 Heap space analysis 3 Permission analysis 4 Summary 5 Ian Stark — Types for Resource Control FMCO ’07 — CWI Amsterdam 2007-10-24

  9. What is a type system? A type system is a syntactically defined subset T of programs such that: P ∈ T ⇒ Compile( P ) | = φ where Compile( P ) is the object code corresponding to P and φ is some desired property of its execution. For example, T = “well-typed Java programs” φ = “methods always correctly invoked” Slogan (Robin Milner): Well-typed programs do not go wrong. Ian Stark — Types for Resource Control FMCO ’07 — CWI Amsterdam 2007-10-24

  10. Specialized type systems Modern type systems guarantee more sophisticated and interesting properties. For example: Secure information flow. Bounds on resource usage. Absence of unwanted aliasing. Legal use of dynamic deallocation. Ian Stark — Types for Resource Control FMCO ’07 — CWI Amsterdam 2007-10-24

  11. Declarative presentations of type systems An inductively defined typing judgement relates program phrases e to types τ , given an assignment Γ of types to methods and variables. Typing rules are mostly syntax-directed : Γ ⊢ x 1 : int Γ ⊢ x 2 : int , Γ ⊢ x 1 + x 2 : int except for . . . side conditions involving constraints (numerical, set-based); method types declared up front; existential metavariables, e.g. in subsumption rule: e : τ τ ≤ τ ′ e : τ ′ Type soundness: valid typing implies desired semantic property. Explaining power: simple formulation and declarative presentation. Inference: generic algorithms available to suggest appropriate types. Ian Stark — Types for Resource Control FMCO ’07 — CWI Amsterdam 2007-10-24

  12. Declarative presentations of type systems An inductively defined typing judgement relates program phrases e to types τ , given an assignment Γ of types to methods and variables. Typing rules are mostly syntax-directed : Γ ⊢ x 1 : int Γ ⊢ x 2 : int , Γ ⊢ x 1 + x 2 : int except for . . . side conditions involving constraints (numerical, set-based); method types declared up front; existential metavariables, e.g. in subsumption rule: e : τ τ ≤ τ ′ e : τ ′ Type soundness: valid typing implies desired semantic property. Explaining power: simple formulation and declarative presentation. Inference: generic algorithms available to suggest appropriate types. Ian Stark — Types for Resource Control FMCO ’07 — CWI Amsterdam 2007-10-24

  13. Declarative presentations of type systems An inductively defined typing judgement relates program phrases e to types τ , given an assignment Γ of types to methods and variables. Typing rules are mostly syntax-directed : Γ ⊢ x 1 : int Γ ⊢ x 2 : int , Γ ⊢ x 1 + x 2 : int except for . . . side conditions involving constraints (numerical, set-based); method types declared up front; existential metavariables, e.g. in subsumption rule: e : τ τ ≤ τ ′ e : τ ′ Type soundness: valid typing implies desired semantic property. Explaining power: simple formulation and declarative presentation. Inference: generic algorithms available to suggest appropriate types. Ian Stark — Types for Resource Control FMCO ’07 — CWI Amsterdam 2007-10-24

  14. Comparing types systmes with program analysis Advantages of type systems: Soundness separated from inference algorithms. No need to understand inference algorithm to grasp meaning of type system. Inherently interprocedural and modular. Interaction with user, e.g. via type annotations. Potential to connect to program logics. Disadvantages of type systems: Less experience than with program analysis. More often ad-hoc due to lack of suitable approximation theory. Sometimes typing rules become very complicated. Ian Stark — Types for Resource Control FMCO ’07 — CWI Amsterdam 2007-10-24

  15. Outline Resource control 1 Type systems 2 Heap space analysis 3 Permission analysis 4 Summary 5 Ian Stark — Types for Resource Control FMCO ’07 — CWI Amsterdam 2007-10-24

  16. Simple type system for heap space Types are natural numbers. Assignment Σ of types to methods M . Assign types to expressions with rules like: ⊢ e : n n ≤ m ( weak ) e : m ⊢ e 1 : n 1 ⊢ e 2 : n 2 ( let ) ⊢ let x = e 1 in e 2 : n 1 + n 2 ( new ) ⊢ new C ( x 1 , . . . , x n ) : 1 Σ( M ) = n ( invoke ) ⊢ M ( x 1 , . . . , x n ) : n Ian Stark — Types for Resource Control FMCO ’07 — CWI Amsterdam 2007-10-24

  17. Type inference Checking correctness of a derivation is easy; finding one can be harder. Assign a variable to each method. Derive “skeleton” type derivation using weak only next to invoke . Try to solve resulting constraints. Output: Typing is static evidence that program satisfies some resource bound Security model: client may refuse to execute code that has no bound, or whose bound is beyond device limits Context: Provably equivalent to graph-based analysis. Can be extended to deallocation and input-dependent bounds. Ian Stark — Types for Resource Control FMCO ’07 — CWI Amsterdam 2007-10-24

  18. Extending to deallocation Typing judgement: Γ ⊢ e : m → n . Meaning: If freelist has size s ≥ m then evaluation of e will succeed and leave freelist of size ≥ ( n + s − m ). m ′ ≥ m n ′ ≤ n + m ′ − m ⊢ e : m → n ( weak’ ) e : m ′ → n ′ ⊢ e 1 : m → k ⊢ e 2 : k → n ( let’ ) ⊢ let x = e 1 in e 2 : m → n ( new’ ) ⊢ new C ( x 1 , . . . , x n ) : 1 → 0 Σ( M ) = m → n ( invoke’ ) ⊢ M ( x 1 , . . . , x n ) : m → n Ian Stark — Types for Resource Control FMCO ’07 — CWI Amsterdam 2007-10-24

  19. Certification with type systems Applying this to PCC for trustworthy computing: Typing derivations can be used directly as certificates. But: need to believe or understand type soundness. Likewise, successful runs of a program analysis, perhaps in condensed form can be used as certificates. But: need to believe or understand correctness of analysis. Two better options: Formally prove correctness of analysis / type system Translate typing judgements into judgements of a formalised program logic, translate typing derivations into proofs of those translations. Ian Stark — Types for Resource Control FMCO ’07 — CWI Amsterdam 2007-10-24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Resource and Admission Control Resource and Admission Control for Next Generation Networks for

Resource and Admission Control Resource and Admission Control for Next Generation Networks for

I nternational Telecom m unication Union ITU-T Resource and Admission Control Resource and Admission Control for Next Generation Networks for Next Generation Networks Hui-Lan Lu, Ph.D. Q.4/ 13 Rapporteur Bell Labs, Lucent Technologies I

229 views • 10 slides
D Dominant Resource Fairness (DRF) i t R F i (DRF) Fair Allocation of Multiple Resource Types

D Dominant Resource Fairness (DRF) i t R F i (DRF) Fair Allocation of Multiple Resource Types

D Dominant Resource Fairness (DRF) i t R F i (DRF) Fair Allocation of Multiple Resource Types Ali Ghodsi , Matei Zaharia Benjamin Hindman, Andy Konwinski, B j i Hi d A d K i ki Scott Shenker, Ion Stoica University of California, Berkeley

781 views • 51 slides
Resource Control and Reservation October 30, 2001 RSVP 2 Resource Control and Reservation

Resource Control and Reservation October 30, 2001 RSVP 2 Resource Control and Reservation

RSVP 1 Resource Control and Reservation October 30, 2001 RSVP 2 Resource Control and Reservation policing: hold sources to committed resources scheduling: isolate flows, guarantees resource reservation: establish flows October 30,

389 views • 35 slides
Dominant Resource Fairness: Fair Allocation of Multiple Resource Types Ali Ghodsi, Matei

Dominant Resource Fairness: Fair Allocation of Multiple Resource Types Ali Ghodsi, Matei

Dominant Resource Fairness: Fair Allocation of Multiple Resource Types Ali Ghodsi, Matei Zaharia, Benjamin Hindman, Andy Konwinski, Scott Shenker, Ion Stoica UC Berkeley Introduction: Resource Allocation There is a need to design fair,

604 views • 22 slides
Dominant Resource Fairness : Fair Allocation of Multiple Resource Types Ali Ghodsi, Matei

Dominant Resource Fairness : Fair Allocation of Multiple Resource Types Ali Ghodsi, Matei

Dominant Resource Fairness : Fair Allocation of Multiple Resource Types Ali Ghodsi, Matei Zaharia, Benjamin Hindman, Andy Konwinski, Scott Shenker, Ion Stoica University of California, Berkeley Talk by: Yael Amsterdamer Introduction Why

800 views • 22 slides
Combining Different Types of Control Lecture 6: We have studied local control laws.

Combining Different Types of Control Lecture 6: We have studied local control laws.

Combining Different Types of Control Lecture 6: We have studied local control laws. Three-Level Architectures Each law makes simple local assumptions Tightly-coupled closed-loop control CS 344R/393R: Robotics How do we

253 views • 6 slides
Section 6.1: Resource Allocation Issues Chapter 6: Congestion Control and Resource Allocation

Section 6.1: Resource Allocation Issues Chapter 6: Congestion Control and Resource Allocation

Section 6.1: Resource Allocation Issues Chapter 6: Congestion Control and Resource Allocation CS/ECPE 5516: Comm. Network Prof. Abrams Spring 2000 CS/ECPE5516 1 2 CS/ECPE5516 Whats wrong with doing How to prevent traffic jams

311 views • 6 slides
Types & Bandwidth is the throughput of a communication resource, Types & measured in

Types & Bandwidth is the throughput of a communication resource, Types & measured in

One-Slide Summary A type is a (possibly infinite) set of values. Each type supports a set of valid operations . Types can be latent or manifest, static or dynamic, strong or weak. We can change the Charme interpreter to support manifest

448 views • 13 slides
Types & Bandwidth is the throughput of a communication resource, Types & measured in

Types & Bandwidth is the throughput of a communication resource, Types & measured in

One-Slide Summary A type is a (possibly infinite) set of values. Each type supports a set of valid operations . Types can be latent or manifest, static or dynamic, strong or weak. We can change the Charme interpreter to support manifest

698 views • 14 slides
HPC Architectures Types of resource currently in use Reusing this material This work is licensed

HPC Architectures Types of resource currently in use Reusing this material This work is licensed

HPC Architectures Types of resource currently in use Reusing this material This work is licensed under a Creative Commons Attribution- NonCommercial-ShareAlike 4.0 International License.

667 views • 27 slides
Advanced Aeration Control Systems at Water Resource Recovery Facilities (WRRFs) An event from the

Advanced Aeration Control Systems at Water Resource Recovery Facilities (WRRFs) An event from the

Advanced Aeration Control Systems at Water Resource Recovery Facilities (WRRFs) An event from the Municipal Resource Recovery & Design Committee (MRRDC) Alex Doody John Manning CDM Smith Freese & Nichols, Inc. Part 1: Purpose of

1.12k views • 63 slides
On Dynamic Resource Management Contents Mechanism using Control Theoretic Approach for Wide-Area

On Dynamic Resource Management Contents Mechanism using Control Theoretic Approach for Wide-Area

On Dynamic Resource Management Contents Mechanism using Control Theoretic Approach for Wide-Area Grid Computing Introduction Resources management in Grid computing Modeling as feedback control Hiroyuki Ohsaki Dynamic resource

177 views • 4 slides
Access control types for agents Rohit Chadha and Matthew Hennessy University of Sussex Access

Access control types for agents Rohit Chadha and Matthew Hennessy University of Sussex Access

Access control types for agents Rohit Chadha and Matthew Hennessy University of Sussex Access control types for agents p.1/20 Overview: an agent calculus We consider an extension of -calculus It has two named entities Channels used

498 views • 20 slides
Chapter 6 Cloud Resource Management and Scheduling Contents Resource management and

Chapter 6 Cloud Resource Management and Scheduling Contents Resource management and

Chapter 6 Cloud Resource Management and Scheduling Contents Resource management and scheduling. Policies and mechanisms. Applications of control theory to cloud resource allocation. Stability of a two-level resource allocation

1.47k views • 39 slides
Control, Functions, Classes Weve used built-in types like int and double as well as the

Control, Functions, Classes Weve used built-in types like int and double as well as the

Control, Functions, Classes Weve used built-in types like int and double as well as the standard class string and the streams cin and cout Each type supports certain operations and has a specific range of values What are these for

484 views • 36 slides
1 Types of Power-Saving MACs Types of Power-Saving MACs (cont.) Scheduled contention: nodes

1 Types of Power-Saving MACs Types of Power-Saving MACs (cont.) Scheduled contention: nodes

What Is Media Access Control? Media Access Control (MAC) determines who gets access to the shared medium, and when Media Access Control In wired settings, usually just tries to avoid Greg Hackmann contention In wireless settings, can

388 views • 7 slides
INC 541 Modern Control Theory Using State Space Methods

INC 541 Modern Control Theory Using State Space Methods

INC 541 Modern Control Theory Using State Space Methods Lecture#1: Control background and basic mathemaBcs Assoc. Prof. Benjamas PanomruIanarug benjamas.pan@kmuI.ac.th

344 views • 5 slides
On the synthesis of provably correct discrete controllers Jri Vain Dept. of Computer

On the synthesis of provably correct discrete controllers Jri Vain Dept. of Computer

On the synthesis of provably correct discrete controllers Jri Vain Dept. of Computer Science/Institute of Cybernetics Tallinn University of Technology Eesti arvutiteaduse teooriapev, sgis 2004 1 Controller synthesis problem (I)

393 views • 25 slides
James A. Mynderse This talk introduces Lawrence Tech, the MSMSE curriculum, our program

James A. Mynderse This talk introduces Lawrence Tech, the MSMSE curriculum, our program

Mechatronic S Systems E Engineering ( (MSMSE) at Lawrence Technological University James A. Mynderse This talk introduces Lawrence Tech, the MSMSE curriculum, our program challenges, and our successes Lawrence Tech MSMSE curriculum Theory

600 views • 27 slides
Toward a Curry-Howard Correspondence for Linear, Reversible Computation Reversible Computation

Toward a Curry-Howard Correspondence for Linear, Reversible Computation Reversible Computation

Toward a Curry-Howard Correspondence for Linear, Reversible Computation Reversible Computation 2020 Kostia Chardonnet 1 , 2 Alexis Saurin 2 Benot Valiron 1 1 Universit Paris Saclay 2 Universit de Paris Classical vs Quantum Control Known :

638 views • 48 slides
QoS and Energy Management Coordination using Discrete Controller Synthesis . . . . . Nol

QoS and Energy Management Coordination using Discrete Controller Synthesis . . . . . Nol

. . QoS and Energy Management Coordination using Discrete Controller Synthesis . . . . . Nol De Palma Gwenal Delaval Eric Rutten Grenoble University, INRIA Grenoble nov. 29, 2010 GCM 2010, Bangalore Motivation Reactive systems

738 views • 39 slides
Priority-Based Smart Household Power Control Miroslav Prmek, Masaryk University, Brno, Czech

Priority-Based Smart Household Power Control Miroslav Prmek, Masaryk University, Brno, Czech

Priority-Based Smart Household Power Control Miroslav Prmek, Masaryk University, Brno, Czech republic aim & motivation harmonize power supply & demand by control on the consumption side small scale - household, block of houses

422 views • 14 slides
QML: A functional quantum programming language quantum control and orthogonality Jonathan

QML: A functional quantum programming language quantum control and orthogonality Jonathan

QML: A functional quantum programming language quantum control and orthogonality Jonathan Grattage with Thorsten Altenkirch & Alex Green sneezy.cs.nott.ac.uk/qml School of Computer Science & IT, The University of Nottingham QML: A

1.05k views • 68 slides
A real example: clustering electrical signals from neurons amplifier filters software A/D

A real example: clustering electrical signals from neurons amplifier filters software A/D

Artificial Intelligence: Representation and Problem Solving 15-381 April 26, 2007 Clustering (including k-nearest neighbor classification, k-means clustering, cross-validation, and EM, with a brief foray into dimensionality reduction with

456 views • 34 slides

More recommend