Mobility Types for Mobile Ambients

An ambient is a named cluster of processes and subambi-ents, which moves as a group. The untyped ambient calculus is a process calculus in which ambients model a variety of concepts such as network nodes, packets, channels, and software agents. In these models, some am-bients are intended to be mobile, some immobile; and some are intended to be ephemeral, some persistent. We describe type systems able to formalize these intentions: they can guarantee that an ambient will remain immobile, and that an ambient will not be dissolved by its environment. These guarantees could help establish security properties of models, for instance. A novel feature of our type systems is their distinction between mobile and immobile processes. 1 Motivation The ambient calculus CG98] is a process calculus that focuses primarily on process mobility rather than process communication. An ambient is a named location that may contain processes and subambients, and that can move as a unit inside or outside other ambients. Processes within an ambient may cause their enclosing ambient to move, and may communicate by anonymous asyn-chronous messages dropped into the local ether. Moreover, processes may open subambients, meaning that they can dissolve an ambient boundary and cause the contents of that ambient to spill into the parent ambient. The ability to move and open ambients is regulated by capabilities that processes must possess by prior knowledge or acquire by communication. In earlier work CG99] we studied type systems for the ambient calculus that control the exchange of values during communication. Those type systems are designed to match the communication primitives of the ambient calculus, but are able to express familiar typings for processes and functions. They are therefore successful in showing that the typed ambient calculus is as expressive as typed process and function calculi. Still, those type systems say nothing about process mobility: they guarantee that communication is well-typed wherever it may happen, but do not constrain the movement of ambients. In this paper we study type systems that control the movement of ambi-ents through other ambients. Our general aim is to discover type systems that can be useful for constraining the mobility behavior of agents and other entities that migrate over networks. Guarantees provided by a type system for