PEPITO WP1 Formal Models

• Models of peer-to-peer group collaboration (EPFL:6 INRIA:6 (now 10?) UCAM:10 UCL:6)
• Transactions and the semantics of failure (EPFL:10 UCAM:18 UCL:12)
• Versioning and modularity (UCAM:24)

Initial Activities, as of 2002/04/22

• Semantics of Failure
  • We are developing calculi that embody certain failure detector properties and using them to model some standard distributed algorithms. This is work towards a P2P calculus (D1.1) and study of failure semantics (D1.4). [Uwe Nestmann]

  • We are beginning work on modelling the precise failure behaviour of TCP sockets, following our earlier work on UDP. [Michael Norrish, Peter Sewell, Keith Wansbrough]

• Transactions
  • The idea of this theoretical work on transactions is to decompose in the syntax of a small language the properties that are usually required together in the definition of a transaction, namely atomicity, isolation and durability. So, in addition to the classical symbols for parallel composition, sequential composition and non-deterministic choice, the language contains a special symbol for each transactional property, as well as a symbol that expresses a crash/recovery of the system. Then we define by means of a rewriting system, convergent on ground terms, a partial order on the terms of the calculus. Informally a term t1 is smaller than a term t2 if the set of the possible behaviours of t1 contains the set of the possible behaviours of t2. Finally we say that a machine that can execute terms is `an implementation of transactions' if it treats sequential composition and non-deterministic choice in the natural way, and is sound with respect to the informal meaning of the order relation described above.

    The main result of this work would be to show that a process designed to be consistent, i.e. which is a combination of basic bricks that we know to be consistent, will actually preserve the consistency of the system, even in presence of crash/recoveries, when executed by a machine that implements the transactions. Then the next step will be to better understand the problems addressed so far and to see if this work could be useful in practice, because it is not clear yet what it really means. If so, we would like to add to the language the notion of communication, which is required for cooperation between transactions, as well as the notion of replication. Of course to be useful in this project we will also have to deal with distribution. That is what we plan to do in the next months. [Vincent Cremet, Martin Odersky]

  • We are extending our work on the Mozart transactional object store to the peer-to-peer framework. No results so far. [Peter Van Roy]

  • We are working on a model OCaml implementation of distributed transactions, with a view to identifying its semantic properties. [Peter Sewell]

• Versioning and Modularity
  • We have developed calculi showing how core dynamic rebinding mechanisms can be added to a call-by-value lambda calculus, giving a lambda-mark calculus that supports dynamic rebinding, with primitives to package values and marks to control which identifiers are dynamically rebound when they are unpackaged. This is extended with communication and concurrency to a lambda-io-mark calculus, and the same approach is used for a simple model of dynamic update of code to new versions. This is closely related to the work of Schmitt mentioned in WP3. [Gavin Bierman, Michael Hicks, Peter Sewell, Gareth Stoyle, Keith Wansbrough]

  • We have discussed the design of type-safe marshalling in the context of ML-style module systems. Again, we find an overlap with the WP3 Resource Control item. [James Leifer, Gilles Peskine, Peter Sewell]

• Models of P2P group collaboration The above should all contribute to this. In addition we have:
  • we are investigating a new framework for collaborative applications, 'merge-as-send', in which network partitioning is a normal state of affairs. Briefly, a set of collaborators is at all times partitioned into subsets of mutually-visible ones. There are two operations, LEAVE and MERGE, the first to form a new set of size one, and the second to merge two existing sets. MERGE is parameterized by the application. This framework has a simple semantics, (it seems) can be implemented efficiently, and covers many kinds of collaborative applications. [Peter Van Roy]

  • We are studying in particular anonymous communication in P2P systems, both proposing new algorithms and analysing the properties of existing algorithms. Anonymizing Censorship Resistant Systems (Serjantov) presents a design of a peer-to-peer censorship resistant system with strong anonymity properties. 1st International Workshop on Peer-to-Peer Systems (IPTPS'02). Towards an Information Theoretic Metric for Anonymity (Serjantov and Danezis) criticises the traditional notion of anonymity set and introduces a metric which takes into account that different messages may not be equally likely to be sent/received by all the parties in the anonymity set. Privacy Enhancing Technologies (PET 2002). [Andrei Serjantov, Peter Sewell]

Links

• PEPITO main page
• PEPITO INRIA