Download presentation
Presentation is loading. Please wait.
Published byKristian Branden Ellis Modified over 8 years ago
1
Naftaly Minsky Rutgers University Imposing Order Over Irregular & Open Systems
2
2 N. Minsky, PUC-Rio-11/21/05 The Problem irregular systems cannot be understood. Thus, they cannot be built, and if built they cannot be managed, maintained or evolved. Open systems, whose component are unknown, are not predictable. This is strictly the case for many distributed systems—and it is effectively the case for almost all systems, if they are large enough So, how does one deal with such systems?
3
3 N. Minsky, PUC-Rio-11/21/05 Two Inspiring Analogies With Physics —the reason that the physical world is so comprehensible, and so predictable. “the great success of physics is due to a restriction of its objectives: it only endeavors to explain the regularities in the behavior of objects---called the laws of nature. …[this] may have been the greatest discovery of physics so far.” Eugene P. Wigner, in Symmetries and Reflection With Social governance— how societies function. “Law is order---good law is good order.” Aristotle, in Politics Book 7.
4
4 N. Minsky, PUC-Rio-11/21/05 The “Law-Governed Systems” Approach In the absence of natural laws of software, we can formulate artificial laws, like we do for societies. But we will enforce these laws strictly, by preventing their violations, so they can be as dependable as laws of physics. To be effective, such a mechanism should be simple, powerful, and scalable.
5
5 N. Minsky, PUC-Rio-11/21/05 The Genesis and Scope of this Work For centralized systems: (LGA) Minsky, "Law-Governed Systems", in the IEE Software Engineering Journal, 1990. This work has been dormant, and is now being revived, via aspect-oriented programming (AOP) For Distributed Systems: (LGI) Minsky, "The Imposition of Protocols Over Open Distributed Systems", in IEEE Transactions on SE, 1991. The editor advised against the use of “law” in the title. The combination of LGA+LGI is underway.
6
6 N. Minsky, PUC-Rio-11/21/05 Principles of LGI Principle 1: The law should treat the actors regulated by it as black boxes, governing only their interaction; but it should be sensitive to the history of their interaction—making the law stateful. Principle 2: Laws should be enforced, by preventing their violations; not by responding to them.
7
7 N. Minsky, PUC-Rio-11/21/05 Principle 3: LGI laws should be local. Rationale : Non-local laws are inherently ill-defined, and ambiguous— unless the entire interaction is serialized, via a central Reference monitor Example: a law that allows only agents of the same level to interact—while the level of agents might change. Question: What does “same level” mean? Locality facilitate scalability, via decentralization. Locality facilitates interoperability. There is no loss of generality: Universal conformance induces global properties. Central control can be facilitated by local laws.
8
8 N. Minsky, PUC-Rio-11/21/05 Notable Characteristics of LGI Expressive Power: domain, sensitivity & mandates The domain: An LGI law can exercise control over three types of events: (a) events involved in the passage of messages (sent & arrived); (b) exception; and (c) the coming due of an obligation, (providing proactive capability). The sensitivity: An LGI law can base its ruling regarding a given event, on: (a) the event itself, and (b) the history of interaction (which include roles). Mandating power: ruling is not limited to permit/deny decisions; it can also mandate: (a) changes to the messages being sent, or its target; (b) the initiation of new messages; and, (c) updates of the state of an agent,
9
9 N. Minsky, PUC-Rio-11/21/05 Characteristics of LGI (2) Communality: an entire community is governed by a single law. Locality + Communality Global properties Selectively Decentralized Enforcement, which implies scalability. Interoperability.
10
10 N. Minsky, PUC-Rio-11/21/05 Characteristics of LGI (3) Supports multiple law-languages. Two languages for now, based on Prolog and Java Supports Asynchronous (message passing) and Synchronous (Java RMI) Interactions. Conformance Hierarchy: Laws can be organized into a hierarchy, in which every non-root law is guaranteed to conform to its parent. Hot update of a law.
11
11 N. Minsky, PUC-Rio-11/21/05 The Nature of LGI Laws Elements: Regulated Events: e.g., sent, arrived, adopted—and few others. Control-State: a law-defined function of the history of the interaction of each agent with others. Primitive Operations, which can be mandated by the law, in its ruling. The law: a function L : E × S → O ∗ Or, L(e,s)= [o1, ….ok]=ruling This concept is meaningful, even if there is no enforcement
12
12 N. Minsky, PUC-Rio-11/21/05 Law Enforcement
13
13 N. Minsky, PUC-Rio-11/21/05 Centralized Enforcement of Communal Policies * The problems: potential congestion, and single point of failure m’ x u v y m ==> y m ==> x m Legend: P---Explicit statement of a policy. I---Policy interpreter S---the interaction state of the community P I S Reference monitor * Replication does not help, if S changes rapidly enough
14
14 N. Minsky, PUC-Rio-11/21/05 Decentralized Law-Enforcement under LGI L I S x u v y L I $9 L I SvSv L I $1 L I SuSu Move(2) Moved(2) m m ==> y m $7 $3 actor controller
15
15 N. Minsky, PUC-Rio-11/21/05 Logically decentralized, but physically centralized, Law-Enforcement x u v y L I SvSv L I SuSu L I $9 $7 L I $1 $3 Controller Pool
16
16 N. Minsky, PUC-Rio-11/21/05 Deployment of LGI via a Distributed TCB (DTCB) I I I I IIx y controller server m’ adopt(L, name) L m’’ adopt(L, name) L m ==> y
17
17 N. Minsky, PUC-Rio-11/21/05 On the basis for trust between members of a community For a pair of interlocutors to trust each other to comply with the same law, one needs to ensure: that the exchange of messages is mediated by correctly implemented controllers. that interacting controllers operate under the same law L. Such assurances are provided, basically, via certification of controllers, and the exchange of the hash of the law. xy L I CS x L I CS y m ==> y m’’ [m’,hash(L)] C x CxCx CyCy
18
18 N. Minsky, PUC-Rio-11/21/05 Conclusion LGI as a low-level foundation for Governance. It is simple, general, scalable, and very malleable. the real work, looking forward, includes. Building higher level construct, such as your scene, or our secretary. Exploring various useful “regulative patterns”. Exploring various application domains. Updating LGI itself.
19
19 N. Minsky, PUC-Rio-11/21/05 Conclusion (cont.) Some promising research avenues (with concerns for both security an software engineering): Dependability tools like CA-action (Randell and Romanowski). Application to self healing. Application to Web-Services The governance of enterprises, and of coalitions. System testing, monitoring, auditing. Self regulated evolution of laws. Finding proper balances between decentralized and centralized enforcement Providing special purpose law-languages.
20
Questions? Thank you
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.