Computational State Transfer: An Architectural Style for Decentralized Systems
- Author(s): Gorlick, Michael Martin
- Advisor(s): Taylor, Richard N
- et al.
A decentralized system is a distributed system that operates under multiple, distinct spheres of authority in which collaboration among the principals is characterized by mutual distrust. Now commonplace, decentralized systems appear in a number of disparate domains: commerce, logistics, medicine, software development, manufacturing, and financial trading to name but a few. These systems of systems face two overlapping demands: security and safety to protect against errors, omissions and threats; and ease of adaptation in response to attack, faults, regulatory requirements, or market demands.
We consider decentralized systems in the context of architectural style, a domain-specific set of rules or constraints that confer benefits to the system in question. COmputAtional State Transfer (COAST) is an architectural style for decentralized systems where mobile code (more specifically, the exchange of live computations) is the principal interaction among peers. COAST exchanges rely on communication by introduction, meaning that a peer x can communicate with a peer y only if peer x holds a Capability URL (CURL) for y. CURLs are cryptographic structures; they are tamper-proof and cannot be guessed or forged. Live computations received by peers via CURLs are evaluated in the context of execution sites, flexible sandboxes that confine the functional and communication capability of visiting computations.
These four fundamentals: communication by introduction, mobile code, execution sites and CURLs, are sufficient to protect against many common security threats including unwanted intrusion, resource theft, or gross abuse of capability. These same four concepts also account for a considerable degree of adaptation and flexibility. More broadly, the COAST architectural style embeds computation exchange in the object-capability model of security; both computation exchange and object-capability contribute in equal measure to security and adaptation.
To validate the twin claims of security and adaptation for COAST we constructed a \coast-compliant reference implementation comprising Motile, a language for mobile code exchange and execution, and Island, a peering infrastructure for decentralized systems. We performed four studies with the Motile and Island platform: two each directed at adaptation and security.
The first adaptation study analyzed the problem of cooperative live update of a simple server, a gold standard for adaptive systems. Modeling an individual server as an endless service loop reading and responding to service requests we constructed Motile/Island protocols for three forms of server update: live update in place, live update with hot backup in a single address space, and live remote update with hot backup in which the update is instantiated in a remote address space. This evaluation demonstrates that COAST is capable of fail-safe cooperative live update for individual services in a decentralized system.
The second adaptation study examined the problem of evolving web service APIs, in particular client-driven API evolution. Using a web bookmark service as a test case, we demonstrate a minimalist service API that is extended per-client by client-developed mobile code delivered provider-side. The client code examples illustrate that service API extension and adaptation can be shifted from a service provider to the service clients, thereby easing the burdens on a service provider and speeding the pace of service evolution. We conclude that COAST is well-suited for client-driven service extension and customization.
The first security study offers a proof, by case analysis, that COAST is authority-safe and that Motile is a capability-safe language, hence authority-safe. These results place COAST and Motile/Island squarely within the growing body of work on the security and safety of capability-safe languages and confirms that the idioms and patterns of object-capability security are available to \coast.
In the second security study we evaluated COAST with respect to architectural accountability and obtained outcomes that indicate COAST is well-suited for capability accounting, a system accounting practice in which capability is the basic unit of exchange within and among systems. Our results include a communication capability analysis of a model financial transaction system, mapping points of capability creation, exchange, and exercise to system actions, and a sample analysis of capability traces for verifying system behavior and detecting process and security faults. This preliminary experiment hints that capability accounting may be useful for debugging, behavioral analysis, or early warning of threatening security events.