Escolar Documentos
Profissional Documentos
Cultura Documentos
Butler Lampson
We have learned depressingly little in the last ten years about how to
build computer systems. But we have learned something about how
to do the job more precisely, by writing more precise specifications,
and by showing more precisely that an implementation meets its
specification. Methods for doing this are of both intellectual and
practical interest. I will explain the most useful such method and
illustrate it with two examples:
Connection establishment: Sending a reliable message over an
unreliable network.
Transactions: Making a large atomic action out of a sequence of
small ones.
Do it recursively
Any idea is better when made recursive (Randell)
You can’t observe the actual state of the system from outside.
All you can see is the results of actions.
replace(3, 5, 2, 3, a p p l e ) H e l p
H e l l o
I’m sorry I wrote you such a long letter; I didn’t have time to
write a short one. (Pascal)
Lampson: Turing lecture February 17, 1993 7
Reliable Messages
R
S e
e c
n put(m) get(m)
q= D C B e
d getAck(a) i
e status = ? v
r crash e
get(B) lose(B) r
get(C) lose(D)
get(D) recover
q= q= C
status = OK status = lost
f f
Y-action
y y'
drop(B)
q= C q= D# C B#
status = lost drop(D) status = ? #
unreliable
channels
B 5
sr 5
R
put(m) lasts e
msg B
c
S 3
e A e
n i
d v
e e
r r
Lampson: Turing lecture February 17, 1993 13
A Generic Protocol G (2)
Sender Receiver
actions state state actions
unreliable
channels
B 5
sr 5
5
lastr
B R
put(m) lasts get(m) e
msg B
c
S 3
e A e
n i
d 5
rs v
e OK
4 e
r lost
r
Lampson: Turing lecture February 17, 1993 14
A Generic Protocol G (3)
Sender Receiver
actions state state actions
unreliable
channels 5
5
sr 5 lastr
R
put(m) lasts get(m) e
msg B
c
S 3
e A e
n i
d getAck(a)
OK
5
rs v
e OK 4 e
r lost
r
Lampson: Turing lecture February 17, 1993 15
A Generic Protocol G (4)
Sender Receiver
actions state state actions
newr
grows(i) growr(i)
3 5
gs gr
unreliable
choose(i) channels
sr 5
R
lasts e
msg B
c
S 3
e A e
n i
d v
e e
r recs recr r
Lampson: Turing lecture February 17, 1993 16
G at Work
S gs = 4 sr = 3 gr = 3 4 5 R
e lasts =
C
lastr = 2
e
3 c
n msg = C rs = mark = + e
d
e i
r q= C status = ? v
e
crashr; recover r
(before strikeout)
get(C) crashs shrinkr(3)
(after strikeout)
4 45 3 345 4 3 345
C C
3 3 nil 2 3 nil
3
C OK + nil + C #
q old-q + cur-q
recs/r recs/r
5 gr
ir
5 5
B
R
S lasts get(m) e
e getAck(a)
5
lastr
c
n 5
e
d OK i
e sr
v
r 5
done
e
r
R
S e
e 5
lastr
c
n e
d i
e sr
v
r 5
done
cleanup e
r
X Y
Name Guard Effect 5 5
do(x := x–1)
do(a):Val (S, val) := a(S) 4 5
do(y := y+1)
4 6
X Y x y
Name Guard Effect 5 5 5 5
do(x := x–1); do(y := y+1)
do(a):Val (s, val) := a(s) 5 5 4 6
commit
commit S := s 4 6 4 6
crash s := S
crash before commit
5 5 5 5
X Y x y φ
Name Guard Effect
5 5 5 5 nil
begin φ = nil φ := run do(x := x–1); do(y := y+1)
do(a):Va φ = run (s, val) := a(s) run
5 5 4 6
l
commit
4 6 4 6 nil
commit φ = run S := s, φ := nil
crash s := S, φ := nil crash before commit nil
5 5 5 5
Note that we clean up the auxiliary state φ.
. . .
I’m sorry I wrote you such a long letter; I didn’t have time to
write a short one. (Pascal)
Lampson: Turing lecture February 17, 1993 36
Security: The Access Control Model
Guards control access to valued resources.
Do Reference
Principal Object
operation monitor
Excel
NFS Server
application
request
Operating Operating
system system
Workstation Server
Excel pr NFS
WS14 as Excel
and bwl
–1
Logged in user Kl
WS14 and bwl
Workstation –1 Server
-1 Kws
bwl Kbwl WS14 network
Kca says Kca says channel
Kbwl => bwl Kws =>WS14
Auditing
Each step is justified by
a signed statement, or
a rule
Excel pr NFS
WS14 as Excel
and bwl
Logged in user –1
Kl
WS14 and bwl
Workstation –1 Server
-1 Kws
bwl Kbwl WS14 network
Kca says Kca says channel
Kbwl => bwl Kws => WS14
Excel pr NFS
WS14 as Excel
and bwl
–1
Logged in user Kl
WS14 and bwl
Workstation –1 Server
-1 Kws
bwl Kbwl WS14 network
Kca says Kca says channel
Kbwl => bwl Kws => WS14