Mobile Code Project

Given the acknowledged importance of existing and emerging mobile code technologies, remarkably little attention has so far been devoted to the management of mobile programs. By far the predominant model, which for example underlies the distribution of Java "applets" over the Internet, identifies the dynamically linkable parts of a mobile program by a URL string. The model further assumes that all the constituent parts of a mobile program will be downloaded to a single location, and then verified, linked, possibly dynamically compiled, and finally executed at that very location.

This model is far too primitive to capture the whole spectrum of meaningful distribution schemes for mobile code. Besides the obvious defects of a versioning scheme based on URLs (a URL names a location, not a particular version of what is found there), there are many modes of mobile-code dissemination and deployment that are likely to be highly useful, but that are badly supported, or not supported at all, by current distribution models and architectures. What is needed is an overarching architecture that can describe not only current modes of mobile-code deployment, but also all meaningful future ones.

Further, the underlying model must be enforceable by mechanical means. There should be support for fine-grained versioning; for migration of mobile programs both in "target-machine independent" and in "native" form (the latter requiring a proof-carrying code approach to security, since a receiver cannot verify native code by inspection and must instead check an accompanying proof); for the possible physical separation of the machines performing verification, dynamic compilation, and execution; and for multiple levels of security along the code distribution pipeline.
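
The separated pipeline just described, as an added example written for this page (it is not the project's architecture or implementation, and the same model also underlies the prototype described under research focus (1) below). A verifier, a compiler at the firewall, and a computationally restricted device each run on their own machine and each accept input only with the previous stage's signature. The stack bytecode, its register-code "native" target, the pre-shared HMAC keys and the sample programs are all constructed for the example; a deployment would use asymmetric signatures so the device holds only public keys.

```python
"""Staged mobile-code pipeline model (added example, not the project's code).
Roles on separate machines: the verifier checks the portable form and signs its hash;
the compiler (at the firewall) compiles only verifier-signed code and signs the native
result; the device has no verifier and runs only compiler-signed native code.
Assumption: HMAC over pre-shared keys stands in for signatures so this runs offline;
a deployment would use asymmetric keys so the device holds only public keys."""
import hashlib
import hmac
import json

# Portable form: a tiny stack bytecode of (opcode, operand) pairs; ALLOWED gives (pops, pushes).
ALLOWED = {"push": (0, 1), "add": (2, 1), "mul": (2, 1), "dup": (1, 2), "ret": (1, 0)}

def verify_bytecode(code, max_stack=8):
    """Static check: allowed opcodes, no stack under/overflow, ends in ret. None if OK."""
    depth = 0
    for i, (op, _arg) in enumerate(code):
        if op not in ALLOWED:
            return f"insn {i}: forbidden opcode {op!r}"
        pops, pushes = ALLOWED[op]
        if depth < pops:
            return f"insn {i}: stack underflow"
        depth += pushes - pops
        if depth > max_stack:
            return f"insn {i}: stack overflow"
    if not code or code[-1][0] != "ret":
        return "program must end with ret"
    return None

def digest(obj):  # canonical hash of any JSON-serialisable artifact
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()
def sign(key, obj):
    return hmac.new(key, digest(obj).encode(), hashlib.sha256).hexdigest()
def check(key, obj, tag):
    return hmac.compare_digest(sign(key, obj), tag)

def verifier_stage(code, k_verifier):
    """Verification site: reject unsafe bytecode, otherwise vouch for it."""
    err = verify_bytecode(code)
    if err:
        raise ValueError("verifier rejected: " + err)
    return {"code": code, "vsig": sign(k_verifier, code)}

def compile_to_native(code):
    """'Native' form (constructed): register ops, one fresh register per value."""
    native, stack, n = [], [], 0
    for op, arg in code:
        if op in ("push", "dup"):
            native.append(("mov", f"r{n}", arg if op == "push" else stack[-1]))
            stack.append(f"r{n}"); n += 1
        elif op in ("add", "mul"):
            b, a = stack.pop(), stack.pop()
            native.append((op, f"r{n}", a, b)); stack.append(f"r{n}"); n += 1
        else:  # ret
            native.append(("ret", stack.pop()))
    return native

def compiler_stage(bundle, k_verifier, k_device):
    """Firewall: compile nothing the verifier did not sign; bind native code to its source hash."""
    if not check(k_verifier, bundle["code"], bundle["vsig"]):
        raise ValueError("compiler: bad or missing verifier signature")
    art = {"native": compile_to_native(bundle["code"]), "src": digest(bundle["code"])}
    return {**art, "csig": sign(k_device, art)}

def device_run(art, k_device):
    """Device: check the compiler's signature, then execute with no verifier of its own."""
    if not check(k_device, {"native": art["native"], "src": art["src"]}, art["csig"]):
        raise ValueError("device: artifact not from the trusted compiler")
    regs = {}
    for insn in art["native"]:
        if insn[0] == "mov":
            regs[insn[1]] = insn[2] if isinstance(insn[2], int) else regs[insn[2]]
        elif insn[0] == "ret":
            return regs[insn[1]]
        else:  # add / mul
            a, b = regs[insn[2]], regs[insn[3]]
            regs[insn[1]] = a + b if insn[0] == "add" else a * b

K_VERIFIER, K_DEVICE = b"verifier-key", b"device-key"  # constructed pre-shared keys
# Constructed programs: (6 * 7) doubled, and one that pops from an empty stack.
GOOD = [("push", 6), ("push", 7), ("mul", None), ("dup", None), ("add", None), ("ret", None)]
BAD_UNDERFLOW = [("push", 1), ("add", None), ("ret", None)]

def run_pipeline(code):
    return device_run(compiler_stage(verifier_stage(code, K_VERIFIER), K_VERIFIER, K_DEVICE), K_DEVICE)

def rejects(fn):  # True when a stage refuses its input with ValueError
    try:
        fn(); return False
    except ValueError:
        return True

def tampered_artifact_rejected():
    """Native code altered after the firewall signed it must not run on the device."""
    art = compiler_stage(verifier_stage(GOOD, K_VERIFIER), K_VERIFIER, K_DEVICE)
    art["native"][0] = ("mov", "r0", 600)  # change the constant 6 to 600
    return rejects(lambda: device_run(art, K_DEVICE))

def unverified_code_rejected():  # bytecode that bypassed the verifier must not be compiled
    return rejects(lambda: compiler_stage({"code": GOOD, "vsig": "0" * 64}, K_VERIFIER, K_DEVICE))
```

The point to notice is where the security levels sit. Only the verifier ever looks at the program's semantics; the firewall trusts the verifier's signature, and the device trusts the firewall's. The device therefore cannot tell correct native code from malicious native code, only signed from unsigned, which is exactly why a device that receives native code without such a trusted upstream compiler needs proof-carrying code to check the code itself.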

In this document, we propose methodical research with two targets: first, to systematically examine candidate models until a suitable one has been identified, and then to implement a prototype mobile-code distribution architecture based on that model.

  1. We propose to develop a comprehensive model that can capture all meaningful modes of mobile-code deployment, including issues of code versioning, code migration, and the differentiation between code validation, dynamic code translation between instruction formats, and code execution, which potentially could occur at multiple physically disjoint sites. This model will provide a taxonomy of mobile-code distribution modes and will be useful for anyone researching mobile-code distribution architectures.
    Further, we propose to cast this model into an extensible, distributed architecture for safe and secure code management. Finally, as a practical application of this architecture, we intend to implement a prototype system in which native code is generated at a firewall from a mobile-code distribution format and then downloaded to computationally restricted devices deployed in the theater via a secure high-bandwidth short-range wireless link.

  2. A second focus is on making a greater range of security policies amenable to automatic verification, by creating source-language constructs and accompanying type systems for representing these properties directly at the source-language level. Any such policy that can be cast into a language construct not only enables the prospect of mechanical checking at the code receiver's side, but also directly exposes these policies to the programmer rather than hiding them behind an API. It thereby raises the semantic level on which mobile code can be reasoned about and enhances the programmer's understanding of the process.

Our research goal is to support, at all stages along the mobile-code transportation pipeline, this and any other security property that can be cast into a programming language construct at all. We propose to systematically study existing and proposed security policies, examine how they are currently specified, and how they could be cast into programming language constructs, making them amenable to mechanical verification. We plan to augment an existing programming language with new constructs to directly support some of these additional policies at the source level under programmer control.

We will then implement a prototype mobile code transportation scheme directly supporting the extended language semantics. Our implementation will provide both a compiler from the augmented source language into a mobile code representation as well as a just-in-time compiler that not only translates from mobile code into native code, but that also verifies that the additional security policies are being met. This work will be integrated with the mobile-code management architecture described under (1).
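
The following added example, written for this page and not the project's own language, compiler or JIT, shows one security policy cast as a language construct: a per-function effect annotation, with the assumed surface syntax `requires {...}` and the assumed runtime API effects stated in the block. The checker is what a code receiver or JIT as described above would run over the mobile representation before translating it. It rejects any function that calls something needing an effect the function did not declare, so the annotation on the entry point transitively bounds everything the program can do, and it rejects a program whose entry point declares more than the receiving site's policy allows. Programs and policies are constructed samples.

```python
"""Security policy as a language construct, modelled as an effect type system
(added example, not the project's code).  Assumed surface syntax, not from the page:
    fun load requires {fs} { read_file(); log() }
A function declares the effects it may exercise.  The checker rejects a call whose
callee needs an effect the caller did not declare, and the receiving site rejects a
program whose entry point declares more than the site's policy allows.
Programs appear here already parsed into dicts (constructed samples)."""

# Effects of the runtime API a mobile program may call (constructed).
PRIMITIVES = {"read_file": {"fs"}, "send": {"net"}, "log": set()}

def check_program(prog, site_policy, entry="main"):
    """Return a list of violations; an empty list means the program type-checks
    against its own annotations and the receiver's policy.  Linear in the number
    of call sites, so a code receiver can afford to repeat the check itself."""
    errors = []
    for fname, f in prog.items():
        declared = set(f["requires"])
        for callee in f["calls"]:
            if callee in PRIMITIVES:
                needed = PRIMITIVES[callee]
            elif callee in prog:
                needed = set(prog[callee]["requires"])   # trust the callee's annotation:
            else:                                        # it is checked in its own turn
                errors.append(f"{fname}: call to unknown function {callee}")
                continue
            missing = needed - declared
            if missing:
                errors.append(f"{fname}: calls {callee} needing {sorted(missing)} "
                              f"but declares only {sorted(declared)}")
    if entry not in prog:
        errors.append(f"no entry point {entry}")
    else:
        excess = set(prog[entry]["requires"]) - set(site_policy)
        if excess:
            errors.append(f"{entry}: requires {sorted(excess)} "
                          f"but this site permits only {sorted(site_policy)}")
    return errors

# Well-annotated program: main may touch the file system and the network.
OK_PROG = {
    "load": {"requires": ["fs"], "calls": ["read_file", "log"]},
    "main": {"requires": ["fs", "net"], "calls": ["load", "send"]},
}
# Mis-annotated program: fetch hides a network send behind an fs-only annotation.
# The annotation is the programmer's claim; the checker, not the claim, is what is trusted.
LEAKY_PROG = {
    "fetch": {"requires": ["fs"], "calls": ["read_file", "send"]},
    "main": {"requires": ["fs"], "calls": ["fetch"]},
}
```

Because every call edge is checked, a function's declaration is sound for the whole call graph beneath it, which is what lets the receiver decide admission by comparing just the entry point's annotation against its local policy; the same program can be accepted at a site that permits `net` and refused at one that does not, without the programmer or the sender being consulted.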

Distributed Systems Lab., University of California, Riverside.     Last Updated 02/01/2003