DRAFT February 1979 2 Security - and Modularity

This paper addresses theoretical issues involved for the implementation of security and modularity in concurrent systems. It explicates the theory behind a mechanism for safely delegating messages to shared handlers in order to increase the modularity of concurrent systems. Our mechanism has the property that the actions caused by delegated messages are atomic. That is the handling of a message delegated by a client actor appears to be indivisible to other users of the actor. Our mechanism for delegating communications is a generalization suitable for use in concurrent systems of the subclass mechanism of SIMULA. Our mechanism has the benefit that it easily lends itself to the implementation of efficient flexible access control mechanisms in distributed systems. It is a generalization of the protection mechanisms provided by capability-based systems, access control lists, and the access control mechanisms provided by PDP-10 SIMULA. A.I. Laboratory Working Papers are produced for internal circulation, and may contain information that is, for example, too preliminary or too detailed for formal publication. Although some will be given a limited external distribution, it is not intended that they should be considered papers to which reference can be made in the literature. This report describes research done at the Artificial Intelligence Laboratory of the Massachusetts Institute of Technology. Support for this research was provided in part by the Office of Naval Research of the Department of Defense under Contract N00014-75-C-0522. -MASSACHUSETTS INSTITUTE OF TECHNOLOGY 197M Security and Modularity II -INTRODUCTION The implementation of a robust concurrent system requires very careful design. Not many conceptual or programming tools are provided to perform such a task. We address this problem by presenting some mechanisms to better structure a concurrent system. They are centered around a primitive for synchronization in message-based systems which is a further development of serializers [Atkinson and Hewitt 19781. This primitive deals with problems of protection and modularity in the implementation of concurrent systems. Protection is achieved by allowing message constructors to be given to different users. Guardians are abstractions that can implement the following functions for their resources: scheduling access, providing protection, and implementing recovery from hardware failures which manifest themselves as time-outs or data with an incorrect checksum. A guardian of protected resources will only perform tasks for messages which have been constructed by the appropriate message constructors. In a distributed system this constraint can be enforced using cryptography. Each of these messages understood by a guardian corresponds to an operation which the resource can perform. A message constructor for one of these messages can be communicated to those who are allowed to perform operation associated with the message. Serializers facilitate the implementation of efficient flexible access protection that subsumes the abilities of both capability based systems and access control systems. Two important mechanisms to support modularity in our system are delegation and inheritance. Both of them are derived from a generalization of the subclass mechanism in SIMULA. *1 DRAFT February 1979