sign in sign up
<<
Home , Coral

306

THE TEN15 PROJECT

De N E Peeling

Royal signals and Radar Establishment, UK

INTRODUCTIOX demonstration and evaluation in collaboration with industry and academia. This paper is a description of the background and progress of the Ten15 project at RSRE. The emphasis of this paper centres on the potential advantages to the software Ten15 is a product of a long-term computing engineering community of the widespread research programme at RSRE. The research team adoption of Ten15 as a kernel for software has in the past been responsible for the engineering applications. development of the first MOD standard language for real-time systems, CORAL66 (2); Ten15 Foster (1) provides an algebraic basis the first Algol68 compilation system, for software development. It has three Algo168-R Currie et a1 (3); the Queen's Award important aspects: winning Hardware Description Language, ELLA Morison et a1 (4); and the FLEX capability - First, it provides an interface that makes computer Currie et a1 (5) and advanced different computers compatible, thus ensuring Programming Support Environment Stanley (6). the portability of all programs that are written on top of Tenl5. The use of Ten15 is a part of the future support techniques developed for high level environments programme at RSRE which is aimed programming languages, such as compilation at reducing the costs and risks of software and strong type checking, means that this development for large complex distributed compatibility is achieved without information systems for the MOD. Prime compromising efficiency or integrity. technical objectives of the research include support for new models of the design process - The second major facet of Ten15 is that it (including prototyping), better software provides a powerful set of facilities for reuse, and better security and integrity. implementing and integrating system components and databases within a distributed Ten15 arose when two major strands of environment. Systems whose complexity or research within Computing Division came functionality makes them difficult to together in an unforeseen manner. The name implement on conventional operating systems Ten15 was first used for a formally defined should be significantly easier to build on intermediate language that was developed as Tenl5. Ten15 achieves this by providing part of the formal methods research facilities for dynamic and secure resource programme. The intention was to run a new allocation in mainstore, filestore and over a generation of algebraically based analysis network, within a comprehensive tools on the Ten15 algebra, and to compile that has a sound mathematical basis. The programs written in different languages into sorts of system that Ten15 will support cover the Ten15 algebra prior to analysis. many important areas: high integrity systems, secure systems, IPSE developments, expert The second major influence on the Ten15 systems, heterogeneous networks, fine grain project came from the FLEX project. FLEX is a databases, and formal methods. computer architecture with the design aims of integrity, flexibility and support for highly - Thirdly, Ten15 allows its users to preserve interactive systems. FLEX is a tagged their existing investment in software. Ten15 capability architecture with an instruction runs efficiently on conventional computers. set orientated to high-level language Ten15 can coexist with existing operating . It provides common, systems and can share data with them. Ten15 garbage-collected address spaces for programs efficiently supports most existing and backing store. The FLEX view is that programming languages and provides flexible interactive programming is essentially the mechanisms for mixed language working. This unanticipated combination of programs, and means that Ten15 provides an evolutionary that a common address space is needed to advance in software engineering practice. allow data to be Dassed freelv between programs while the capabi1iti;s provide The paper starts with a description of the control of access in order to maintain background that led up to the development of integrity. The garbage-collected common Tenl5, showing how the different threads of address space also allows FLEX to support the research programme in Computing Division, dynamically creatable procedure values, which RSRE, came together to enable the design of can be used to implement user-defined, Ten15 to be attempted. This section gives a high-level capabilities. Four hardware description of Ten15 in a "bottom-up'' manner versions of FLEX have been implemented, in and clearly shows the role serendipity has each case by microcoding; most recently on an played in the development of Tenl5. The next ICL PerqZ. section gives a summary of what Ten15 is, in the sense of what it offers its users with On top of this architecture a sophisticated an analysis of the potential application Programming Support Environment has been areas that would benefit from the use of implemented, with editors, extensible Tenl5. This is a description of Ten15 in a graphics, compilers and other tools. "top-down" form that gives an idealised Unfortunately the need to implement the FLEX description of the requirements that Ten15 architecture in microcode has cut this satisfies. The paper concludes with a summary advanced PSE off from the mainstream of of the current state of development of Ten15 software enqineers who are equipped with and the plans for its introduction, 'conventional' computer hardware: 307

During the period 1985-87 the experience and - The Ten15 algebra provides a well defined results of the FLEX work and the formal interface for mixed language working. methods work began to come together in a way which showed the way forward towards a OVERVIEW OF TEN15 portable software system with the characteristics of the FLEX PSE. The FLEX PSE This section concentrates simply on what has a system of datatypes which is used as a Ten15 is and what it can do. guide to help users, rather than as a mandatory checker, although the type Ten15 is a kernel layer of software that sits mechanism in the FLEX PSE was more extensive between all programs built on top of Ten15 than in the Ten15 algebra, as it then was, and the host computer system. This kernel because of the need to handle operating hides the host machine completely in the system values as well as just programming sense that all user code obeyed by the language values. As the FLEX type system computer system is generated by the Ten15 developed further, it was realised that the software. The definition of Ten15 contains capability checks in the microcode were being constructs that can efficiently implement all used only as a safety-net when type-checking the features of the common programming had been abused in the system programming languages, which allows compilers for language, Algol 68. It was then obvious that languages such as Ada, Pascal, , ML etc. to if the type system could be made all compile through Tenl5. Ten15 contains embracing, and was rigidly enforced, then the features for controlling all aspects of the microcode checks would become completely computer system including those not normally redundant. In this way an abstract machine reachable from conventional programming could be designed which would serve for languages e.g. backing store, databases, compilers, operating systems, editors, Local Area Networks, and the loading and databases, networks and users' programs execution of programs. alike. This machine was based oh the target Ten15 algebra and perhaps Because Ten15 completely hides the underlying unfortunately not renamed. machine, it can be thought of as a machine in its own right. It is however an abstract The concept of Ten15 is now a high-level machine in the sense that it is not tied to a abstraction of the machine (or more particular hardware implementation. Any accurately an abstraction of the languages program, including compilers and other that are used to Droaram the machine) with a hitherto machine dependent tools, written on comprehensive set'of-types and operators, top of the Ten15 machine will run unchanged extensive enough to describe the complete on any hardwaCe.cn which the Ten15 system is programming world. With the realisation that implemented. The only limitation to the cbmpleteness, integrity and efficiency were compatibility provided by Ten15 stems from simultaneously possible, came the idea that the availability of special hardware on some Ten15 could be the common intermediate systems e.g. signal processing chips and language for all compilers, and the Ten15 array processors. translator which compiled Ten15 into machine-code could be the sole machine-code It is important to be clear about the generator in a complete system. The universal relationship between Ten15 and an operating type system would provide a more refined system kernel, such as (UNIX is a access control than that of capabilities, trademark of ATCT). Ten15 could be installed with the checking done during compilation as the native kernel on a rather than being interpreted at run-time. A computer system (referred to as a "bare Ten15 translator can, like FLEX, offer a machine" implementation). A less radical single, garbage-collected address space so approach is to implement Ten15 on top of an that data can be communicated in existing operating system. The advantage of unanticipated ways. It thus provides all the this approach is that Ten15 can be used on an advantages of FLEX, but without needing a existing computer configuration; Ten15 will non-standard architecture to support it; be able to communicate with tools running on porting an implementation of a Ten15 system the host operating system, and the Ten15 to a different machine is now a matter of implementation will be able to use the rewriting the Ten15 translator to generate existing device drivers provided by the host. instructions for the new machine's The performance degradation compared with the order-code, together with the bare machine implementation is likely to be reimplementation of a Ten15 kernel that small and the trustworthiness of the system handles those aspects of the machine not should be acceptable for all but the more accessible through the order-code (network, stringent security and integrity backing-store etc.). requirements. The ability to implement Ten15 on top of an existing operating system and It can be seen that a Ten15 system not only hence access tools running on the host, solves the major problem with FLEX (the need together with the provision of compilers for for special-purpose hardware support): it existing programming languages, greatly also extends its virtues. In summary, these enhances the migration route to Ten15. improvements are: As previous efforts to define a "universal" - A full type system providing better checks abstract machine have foundered on the than the single word checks provided by grounds of unacceptable run-time performance, capabilities. Tenl5's claim to provide acceptable efficiency has to be justified. The early - A Ten15 system can coexist with existing abstract machines were attempts to abstract (conventional) systems, and can share data machine architectures and as a result were with them. low-level and machine-like. The mapping of the abstract machine to concrete - New compilers are not needed for new architectures was simple, and hence cheap, machines. but allowed little for optimal use of the features of a oarticular machine. and - The Ten15 system types are those of the hence performance ;as very inefficient system , called comoared with direct use of the underlyins Tenl5-notatio11, which is based directly on computer architectures. Ten15, on the other the Ten15 algebra. hand, is an abstraction of high-level 308

programming languages and consequently is at particular notion of privacy/integrity. a much higher level than the early abstract certainly the low-level definition of machines. Ten15 Dreserves most of the integrity enforced by Ten15 is essential for high-level structure of the programs that the user to be able to assure himself that compile into it. This information can be used any program he writes to police access to an to drive all conventional code optimisation item of data cannot be circumvented by strategies in the implementation of a another potentially malicious program. For compiler/translator from Ten15 to a the implementor of a secure system, Ten15 computer's order-Code. This means that the provides a mechanism for hiding a resource run-time performance of a program compiled behind a procedural interface. The procedures through Ten15 can be as good as that achieved in the interface can then implement a policy with a native compiler. for limiting access to that resource. Ten15 guarantees that the only route to that The attitude to performance is perhaps best resource is through the procedural interface. summed up by a target the designers of Ten15 set themselves: that no program running on a Just as Ten15 provides general purpose Ten15 system should take more than 203 longer primitives to synthesise larger to run than an equivalent program running on constructions, so are encouraged the same machine under a conventional to create general purpose components within operating system. Curcent tests indicate that their field of interest. This implies that this target is easily achievable and research the composition of general purpose components is concentrating on removing the overhead must be verv efficient. To achieve this the altogether. Ten15 has the added advantage Ten15 systei provides very fast data that many programs which take advantage of communication between the parts of a system. Tenl5's more advanced features will run very The mechanism chosen is to-run all urourams much faster when implemented on a Ten15 in the same mainstore address space; atid to system. provide sophisticated control of access, and storage allocation/deallocation. This Another potential problem for a abstract mechanism looks potentially risky from the machine that tries to be complete is that it Doint of view of inteqritv, because a mistake might grow like Topsy, ending up both large in storage access in one program might give and complex. There are a number of obvious access to another program's data. Ten15 advantages in keeping Ten15 as compact and actually provides very good mainstore simple as possible. It not only keeps the integrity and it can do this as a consequence overhead of the system code size small; it of the fact that it is a complete abstract also reduces the cost of rehosting a Ten15 machine. By denying the user any access to implementation; and given the possibility the native machine instructions it keeps (discussed later) of Ten15 being a suitable total control over memory allocation and basis for satisfying the most stringent deallocation. It backs this up with an security and/or safety requirements, it helps unbreakable type checking system that ensures to bring the Ten15 implementation within that no Ten15 operation can be applied to reach of the current capabilities for formal inappropriate data. software proof. The code size of a typical Ten15 implementation gives some idea of the The use of mathematics has played a success that the designers of Ten15 have had fundamental part in the design of Ten15 - in containing the size of Tenl5. The Ten15 particularly Goguen et a1 (7) and Martin-Lof implementation consists of two main (8). First, mathematics has been used to help components - a translator which compiles understand the structure and semantics of Ten15 constructs to the machine-code of the Ten15, and has proved invaluable in exposing host computer, and a run-time kernel that which were the most general purpose looks after peripherals, storage allocation primitives to include. As a result it should and the like. The translator on VAX/vMS (VAX be possible to produce a comprehensible and VIS are trademarks of digital equipment formal definition of Tenl5. Secondly, Ten15 corporation) occupies less than 100 Kbytes is itself a mathematical entity, having an and the kernel is less than 200 Kbytes. algebraic structure. An algebraic structure was chosen because it produces a One of the principles used to keep Ten15 representation of programs that is easy for small was to include only general purpose programs to create, analyse and manipulate. primitives.' New primitives were only The Ten15 representation of programs output considered for inclusion if they could not be by compilers is a language independent form built out of existing Ten15 features, or if on which automatic analysis and they could be implemented much more transformation can be performed. The role of efficiently by building them into the Ten15 as a syntax independent representation definition of TenlS. of program is likely to become increasingly important. One of the earliest benefits will The provision of integrity and security is be the ease with which systems can be created built on this same principle. The definition from Ten15 components that were compiled from of integrity which Ten15 implements is very a number of different languages. low-level; integrity is taken to mean the ability of the system to limit the access Potential Benefits of Ten15 that a program has to the resources of the computing system: in particular, to limit the Ten15 has an important part to play in amount of damage that program can do, no improving the software engineering process matter how maliciously it behaves. This kind "in the large". Admittedly, this view of integrity is Unarguably a property that somewhat contradicts the perceived wisdom all systems will want to share. However, it that the basic techniques of programming are does not preclude the design of a system that now a mature technology and there is little allows users to access data that offends Som. prospect of any radical improvement, such as higher level notions of privacy, such as occurred in the move from assemblers to those needed in a military secure system. The high-level programming languages. In terms of Ten15 viewpoint is that there is no universal the writing of free standing programs this higher level definition of privacy/integrity may be true. There is however great scope for that will satisfy all the requirements of improvement in the production of larger different user communities, and so the job of systems comprising many cooperating programs, Ten15 is to provide a soundly based toolkit possibly running on many machines in a which can be used to implement easily any distributed environment, with one or more 309

significant sized, complex databases. To -€ . The features achieve inter-process communication, database Ten15 offers to the builders of high manipulation and distribution one requires integrity and/or high security systems will separate programs to communicate using the make Ten15 a very good kernel for the design features provided by the operating system. Many of the system programming facilities of systems whose failure cannot be tolerated on safetv. securitv OK commercial grounds. offered by the widely available commercial This is :'fast gro;ing market: for-example, operating systems are, by programming the recent publicity surrounding fly-by-wire language standards, still at the assembler avionics systems, hackers, viruses and stage of development. A good example of this computer crime has done a lot to increase the is provided by the extensive use of byte market awareness of the value of safe and streams in UNIX for the contents of files and secure systems. One of the attractions Of pipes. Those system programming facilities Ten15 is that it can be used to build a that have advanced from this stage (e.g. portable system that can then be sold with 4GLs) have unfortunately developed notions of varying levels of cost/security: from the data structuring that are incompatible with most expensive/most secure system implemented accepted standards in programming languages. on a special purpose computer with hardware The consequence is that the effort of support for security (in military terms, implementing larger systems is now dominated capable of offering beyond A1 levels of by overcoming the restrictions imposed by the assurance) through a bare machine operating system and by the mismatch between implementaiion of Ten15 (possibly capable Of the ways the operating system and programming A1 assurance), to cheaper and still quite languages structure, communicate and store safe implementations based on secure data. Ten15 provides a framework that commercial operating systems, ending up with unifies the notions of program and data the cheapest system built on top of a between programming languages and operating standard operating system which offers systems. As a result, the effort of significant improvements to integrity while designing large integrated systems can be still being susceptible to a determined siqnificantlv reduced. This effect has attack from the untrusted host operating already been demonstrated in single language system. soecial DurDose environments such as LISP and SEIALLTAL~ sjrstems. SuDDOKt for moder DKOaK&&Qa StVl- . Ten15 -hat -hat support modern Ten15 not only increases productivity by Droqramminq-- Daradiqms. These features include providing a uniform programming environment a common ga;bage-collected address space, free from the petty restrictions, reliance on support ;or first class procedure values, low level data types, and black magic of dynamically creatable remote pKOCedUKe calls, current system programming practice, but also an intelligent demand loading system for the makes it much easier to design reusable tools code of procedures, a persistent heap and tool fragments. The ability to pass typed filestore, and a polymorphic type system. data between tools via mainstore or This means that Ten15 will support object filestore, instead of having to flatten the oriented programming languages, data into a byte stream for passing down a object-oriented databases, persistent pipe OK storing in a file, makes input and programing languages such as PS-Algol output to tools as good as for high-level Atkinson et a1 (9), polymorphic programming language procedures. Experience with systems languages such as ML and functional such as FLEX, LISP and SMALLTALK have shown programming languages. Ten15 may be a means that this encourages the development of of integrating a number of the good ideas in reusable tools. these different styles. Ten15 also provides automatic garbage collection for conventional Although Ten15 can reduce software production languages such as Ada, Pascal and C. Many of costs across the board - and in the long term the more advanced systems written in these this may be seen as its most important languages expend a great deal of effort doing property - initial uses of Ten15 are liable manual storage deallocation, a process which to be concentrated in application areas Where is very difficult to get right, very it provides more specialised benefits. This difficult to de-bug when it is incorrect and, section concludes with an analysis of the even when correct, often incurs significant niche markets where Ten15 will be most run-time overheads. attractive. Databases. The concept of filestore in Ten15 CASE tools. The Support offered for the extends programming language data structuring software engineering process will make Ten15 in an obvious way onto the backing store. an ideal base for many CASE tools. In The approach adopted is to provide general particular, any new operating system or purpose primitives which separate the idea of Integrated Project support Environment could mainstore pointers from disc pointers. benefit enormously from the use of Ten15 as Bringing a data structure from disc into its machine independent kernel. mainstore, i.e. turning a disc pointer into a mainstore pointer, has to be done explicitly. Heteroq.The compatibility between different computers that the Ten15 The mechanisms underlying the Ten15 abstract machine provides not only serves as filestore are capable of supporting Complex a portability interface for systems built on databases where individual items can, ifn Tenl5, it also allows dissimilar computers to necessary, be very small (the so-called fine cooperate with one another in a distributed grain" database). The Ten15 filestore is a environment. As well as providing a common potentially more flexible and efficient level for communication between different implementation mechanism for building computers, Ten15 includes advanced features databases than are existing technologies such for interworking within a loosely coupled as relational and entity/relationship/ (over a LAN) distributed system, such as attribute databases, and will be much easier dynamically creatable remote procedure calls. to integrate with the programming languages The problems of communication within a used to implement the system. tightly coupled, massively parallel computer system (e.g. an array of transputers) is the There is a lot of interest at the moment in subject of an ongoing research project. hypertext interfaces to databases, in which the hierarchical nature of a database is explicitly visible on the computer screen. 310

The RSRE FLEX computer system (which has a Planned enhancements to the evaluation system filestore similar to Tenl5's) supports an include compilers for Ada and Standard ML. advanced hypertext user interface. The ease and retargetting to RISC aKChiteCtUKeS. These with which this interface was implemented enhancements should start becoming available suqgests that the Ten15 filestore will be in 1991. idsal for supporting such interfaces. The MOD will be using the evaluation system Formal methods . The mathematical definition to undertake demonstrator projects in the of Ten15 makes it a suitable framework in area of secure systems. RSRE are however keen which to analyse the properties of programs for other organisations outside MOD to use automatically. Ten15 provides features which the evaluation system for demonstrators in will allow the results of such analysis to be the wider context of the UK software industry communicated to the user in terms of the and advanced software engineering research. language in which the program was originally This paper should provide enough information written. Because the definition of Ten15 on the most likely areas where Ten15 could covers those features that support system provide considerable extra leverage. Any programming, Ten15 also offers the organisation, academic OK commercial, wishing possibility of analysing complete systems as to discuss this opportunity further should well as free-standing programs. contact the author. Ten15 was specifically conceived to support ACKNOWLEDGEKWZS design by transformation. In this approach, an algorithm is expressed initially in high Ten15 was designed by P W Core, I F Currie, level constructs in a clear way that can be and J M Foster. seen to be correct. It is then transformed by methods which are known to produce programs REFERENCES of equivalent effect into a version that will run with adequate efficiency. 1. Foster, J.M., 1989, "The Algebraic specification of a target machine: Formal specification languages such as Z and Tenl5", High-integrity software, ed VDM are gaining currency. Having completed a Sennett, C.T., Pitman. specification in such a language, the next step is to produce an implementation that 2. Ministry of Defence, "The Official satisfies the specification. The Coral Definition", HMSO London. implementation may be produced independently or it might be developed by a refinement ~ 3. ~urrie,I.F., Bond, S.G. and Morison, process from the specification. Ten15 J.D., 1971, "ALGOL 68-R", Algol 68 provides a formal description of the implementation, ed Peck, J.E.L., implementation which can be a basis for a North-Holland, Amsterdam, pp 21-37. formal comparison with the specification. 4. Morison, J.D., Peeling, N.E. and Thorp, CURRENT STATUS AND FUTURE PLANS. T.L., 1985, "The Design Rationale of ELLA, A Hardware Design and Description There is already a prototype translator and Language", PKOC CHDL 85, Tokyo, Japan, kernel for VAXDMS. A kernel for UNIX is pp 303-320. being produced by PRAXIS plc and a translator for Motoro~a68000 is being produced at the 5. Currie, I.F., Edwards, P.W., and Foster, University of York. RSRE are developing an J.M., 1982 "Flex: A working computer with evaluation system for Tenl5. This system an architecture based on procedure would comprise: values", RSRE Memorandum 3500. - A simple but powerful Human/Computer 6. Stanley, M., 1986, "An evaluation of,,the Interface which will be based on the Flex Programming Support Environment , experience gained with the editor from the RSRE Report 86003. RSRE FLEX PSE. This will use an advanced hypertext format and will be user-extensible. 7. Goguen, J.A.,Thatcher, J.W., Wagner, E.G. and Wright, J.B., 1976, "An initial - Compilers for Pascal, Algol68 and approach to the specification, correctness Tenl5-notation. Tenl5-notation is the main and implementation of abstract datatypes", implementation language of the evaluation Current Trends in Programming nethodology. system and serves as both an assembler for Ten15 (in that it allows text to be written 8. Martin-Lof, P., 1975, "An intuitionist that will generate exactly any piece of Ten15 theory of types: predicative part", Logic required) and as a high-level system Colloquium, 1973, ed Rose and SheperSon, programming language. North Holland, Amsterdam, pp 73-113. - A symbolic Ten15 debugger which the 9. Atkinson, M.P., Chishol!, K.J. and compilers for the different languages tailor Cockshott, W.P., 1981, PS-: An Algol to their individual syntax. with a Persistent Heap", ACM SIGPLAN Notices Vo1 18, No 7, pp 24-31. - A separate compilation system. - A framework of tools that allows the algebraic structure of Ten15 programs to be Copyright @ Controller HMSO London 1989 manipulated by user-written programs. - A PostScript (Postscript is a registered trademark of Adobe Systems inc) output for driving laser printers. A version of this evaluation system that runs on a standalone workstation (initially VAXpMS) could be available in the second half of 1990. Further releases that run initially on homogeneous, and later on heteKOgeneOUS, networks of and SUNS, could be available in the following twelve months.