
Monographs in Computer Science

Editors

David Gries Fred B. Schneider

Springer
Berlin Heidelberg Hong Kong London Milan Paris Tokyo

Andrew Herbert, Karen Spärck Jones
Editors

Computer Systems

Theory, Technology, and Applications

A Tribute to Roger Needham

With 110 Illustrations

Andrew Herbert
Microsoft Research Ltd.
Roger Needham Building
7 JJ Thomson Avenue
Cambridge CB3 0FB
UK

Karen Spärck Jones
Computer Laboratory
University of Cambridge
JJ Thomson Avenue
Cambridge CB3 0FD
UK

Series Editors:

David Gries
Department of Computer Science
The University of Georgia
415 Boyd Graduate Studies Research Center
Athens, GA 30602-7404
USA

Fred B. Schneider
Department of Computer Science
Cornell University
4115C Upson Hall
Ithaca, NY 14853-7501
USA

Library of Congress Cataloging-in-Publication Data
Herbert, A.J. (Andrew J.), 1954–
Computer systems: theory, technology, and applications / [edited by] Andrew J. Herbert, Karen I.B. Spärck Jones
p. cm. — (Monographs in computer science)
Includes bibliographical references.
ISBN 0-387-20170-X (alk. paper)
1. System design. 2. Computer science. I. Spärck Jones, Karen I.B. II. Needham, R.M. (Roger Michael) III. Title. IV. Series.

QA276.9.S88H45 2004 005.1′2—dc21 2003066215

ISBN 0-387-20170-X Printed on acid-free paper.

© 2004 Springer-Verlag New York, Inc. All rights reserved. This work may not be translated or copied in whole or in part without the written permission of the publisher (Springer-Verlag New York, Inc., 175 Fifth Avenue, New York, NY 10010, USA), except for brief excerpts in connection with reviews or scholarly analysis. Use in connection with any form of information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed is forbidden. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.

Printed in the United States of America. (SBA)

9 8 7 6 5 4 3 2 1    SPIN 10944769

Springer-Verlag is part of Springer Science+Business Media
springeronline.com

Roger Needham
1935 – 2003

Contents

Preface  xi
Roger Needham: 50 + 5 Meeting Programme  xiii
Contributors  xv
Introduction: Roger Needham  Rick Rashid  1

 1  On Access Control, Data Integration, and Their Languages  Martín Abadi  9
 2  Protocol Analysis, Composability and Computation  Ross Anderson, Michael Bond  15
 3  Access Control in Distributed Systems  Jean Bacon, Ken Moody  21
 4  Implementing Condition Variables with Semaphores  Andrew D. Birrell  29
 5  Clumps, Clusters and Classification  Christopher M. Bishop  39
 6  How to Implement Unnecessary Mutexes  Mike Burrows  51
 7  Bioware Languages  Luca Cardelli  59
 8  The Economics of Open Systems  David D. Clark  67
 9  From Universe to Global Internet  Jon Crowcroft  73
10  Needham-Schroeder Goes to Court  Dorothy E. Denning  77
11  The Design of Reliable Operating Systems  Peter Denning  79
12  An Historical Connection between Time-Sharing and Virtual Circuits  Sandy Fraser  85
13  On Cross-Platform Security  Li Gong  89
14  Distributed Economics  Jim Gray  93
15  The Influence  David Hartley  103
16  Middleware? Muddleware?  Andrew Herbert  109
17  Grand Challenges for Computing Research  Tony Hoare  117
18  Sentient Computing  Andy Hopper  125
19  Cyber Security in Open Systems  Anita Jones  133
20  Software Components: Only the Giants Survive  Butler W. Lampson  137
21  Security Protocols: Who Knows What Exactly?  Peter Landrock  147
22  Volume Rendering by Ray-Casting in Shear-Image Order  Hugh C. Lauer, Yin Wu, Vishal Bhatia, Larry Seiler  153
23  A Conceptual Authorization Model for Web Services  Paul J. Leach, Chris Kaler, Blair Dillaway, Praerit Garg, Brian LaMacchia, John Manferdelli, Rick Rashid, John Shewchuk, Dan Simon, Richard Ward  165
24  The Trouble with Standards  E. Stewart Lee  173
25  Novelty in the Nemesis  Ian Leslie  177
26  A Technology Transfer Retrospective  Roy Levin  185
27  An Optical LAN  Derek McAuley  195
28  What's in a Name?  Robin Milner  205
29  The Cryptographic Role of the Cleaning Lady  Bob Morris  211
30  Real Time in a Real Operating System  Sape J. Mullender, Pierre G. Jansen  213
31  Zen and the Art of Research Management  John Naughton, Robert W. Taylor  223
32  The Descent of BAN  Lawrence C. Paulson  225
33  Brief Encounters  Brian Randell  229
34  Retrieval System Models: What's New?  Stephen Robertson, Karen Spärck Jones  237
35  Slammer: An Urgent Wake-Up Call  Jerome H. Saltzer  243
36  Caching Trust Rather Than Content  M. Satyanarayanan  249
37  Least Privilege and More  Fred B. Schneider  253
38  Using Sharing to Simplify System Management  Michael D. Schroeder  259
39  An RSA-Related Number-Theoretic Surprise  Gustavus J. Simmons  269
40  Application-Private Networks  Jonathan M. Smith  273
41  Using the CORAL System to Discover Attacks on Security Protocols  Graham Steel, Alan Bundy, Ewen Denney  279
42  On the Role of Binding and Rate Adaptation in Packet Networks  David Tennenhouse  287
43  Technologies for Portable Computing  Chuck Thacker  295
44  Multiple Alternative Voting  David Wheeler  305
45  The Semiotics of Umbrellas  John Wilkes  311
46  for Specialized Application Areas  Maurice Wilkes  317

Computer Security?  Roger Needham  319
Roger Needham: Publications  Karen Spärck Jones  327

Preface

Roger learnt that he was seriously ill late in December 2002. When he heard this, Rick Rashid, Microsoft Senior Vice-President for Research, suggested that there should be some occasion to mark Roger's contribution to the field, and an associated publication. In response, we proposed a one-day meeting with both technical talks and a more personal session about Roger, with the presentation of a volume of papers from Roger's many technical colleagues as the key element. There was not much time to prepare the volume. So we asked for short papers on any technical topic of each contributor's choosing likely to be of interest to Roger. The papers could be on an area of current research, a conjecture about the future, or an historical reflection. They had to be delivered in four weeks. We much appreciated the rapid and enthusiastic responses to our invitation, and were delighted with the range of topics covered and their technical interest. We were also grateful, as each editor reviewed all the papers, for the positive spirit with which our comments and suggestions were received. The meeting itself, 'Roger Needham: 50 and 5,' marking Roger's fifty years in Cambridge and five at Microsoft Research, took place on February 17th, 2003. The programme is given, for reference, following this Preface. The entire proceedings were recorded and are publicly available at: http://www.research.microsoft.com/needhambook We would like to thank all those who wrote for the volume, and those who spoke at the meeting. We know that Roger was very touched by how many came to the meeting, some from far away, by how many wrote for the volume and in doing so responded to his interests, by the references to his work in the technical talks, and by the accounts of his roles and contributions in the presentation session. At the end of the meeting he said:

The first thing to say is thank you very much—which is sort of obvious. The next thing I want to say is one or two words about what I've done and what my subject is. In many sorts of engineering the theoretical background is obvious: it's continuous mathematics which comes from the 18th century. In computing there is a theoretical background and it's not obvious but it had to be invented, and people in the theoretical part of our subject have devoted themselves to inventing it—which is fine because you can't expect it to happen by itself and you can't go and build computer systems with any complexity at all without some formalised understanding to fall back on.

It is an odd thing that in my career I have contributed one or two bits to that, but that's basically not what I'm about. I have the greatest respect for the people who build the theoretical underpinnings of our subject, and I wish them every success because it will enable the people who want to get on and make things to do it better and to do it more quickly and to do it with less mistakes—and all of this is good: but at the end of the day I am an engineer—

and so saying, he put on his engineer's hard hat. He died less than two weeks later, on March 1st. Roger's last major talk was his Clifford Paterson Lecture 'Computer security?' at The Royal Society in November 2002. We have included its text, which is also posthumously published in the Society's Philosophical Transactions, as the last paper in the volume, along with a complete list of Roger's publications. We have used the classic Needham-Schroeder authentication protocol as the cover design. The papers in this volume are as they originally appeared for the meeting, apart from some minor corrections and some modifications, necessary in the circumstances, to specific references to Roger. These papers address issues over the whole area of computer systems, from hardware through operating systems and middleware to applications, with their languages and their implementations, and from devices to global networks; also from many points of view, from designers to users, with lessons from the past or concerns for the future. Collectively, they illustrate what it means to be a computer system.

Acknowledgements

We are very grateful to Microsoft for supporting the celebration meeting itself, producing the volume in its original form, and for further supporting the preparation of the volume for formal publication. We are also grateful to Professor Fred Schneider for facilitating the Springer publication and to Tammy Monteith for her work on formatting the material.

Andrew Herbert, Karen Spärck Jones

Roger Needham: 50 + 5 Meeting Programme

Time      Title                                                         Presenter
11.00 am  Introduction                                                  Andrew Herbert, Microsoft Research

TECHNICAL TALKS
11.05 am  Location Aware Computing                                      Andy Hopper, Cambridge University
11.30 am  How Software Components Grew Up and Conquered the World       Butler Lampson, Microsoft Research
12 noon   Thoughts on Network Protocol Engineering                      Jonathan Smith, University of Pennsylvania
12.30 pm  Lunch
1.30 pm   Online Science: Putting All Science Data Online and           Jim Gray, Microsoft Research
          Putting Analysis Tools Online
2.00 pm   Logics and Languages for Access Control                       Martín Abadi, UCSC
2.30 pm   Protocol Analysis, Composability and Computation              Ross Anderson, Cambridge University
3.00 pm   Coffee
3.30 pm   Information and Classification                                Karen Spärck Jones, Cambridge University
          Clumps, Clusters and Classification                           Christopher Bishop, Microsoft Research

IN HONOUR OF ROGER NEEDHAM
4.10 pm   Early Days                                                    Maurice Wilkes, Cambridge University
4.20 pm   Head of Department, Computer Laboratory                       Ian Leslie, Cambridge University
4.30 pm   PARC/DEC-SRC Activities                                       Mike Schroeder, Microsoft Research
4.40 pm   Pro Vice-Chancellor, Public Service                           Alec Broers, Cambridge University
4.45 pm   Microsoft Managing Director                                   Rick Rashid, Microsoft Research
4.55 pm   Presentation                                                  Andrew Herbert, Microsoft Research
5.00 pm   Reception

Contributors

Martín Abadi, University of California, Santa Cruz, CA, USA
Ross Anderson, University of Cambridge, England
Jean Bacon, University of Cambridge, England
Andrew Birrell, Microsoft Research—Silicon Valley, CA, USA
Christopher Bishop, Microsoft Research Ltd, Cambridge, England
Michael Bond, University of Cambridge, England
Alan Bundy, University of Edinburgh, Scotland
Mike Burrows, Google Research, Mountain View, CA, USA
Luca Cardelli, Microsoft Research Ltd, Cambridge, England
David Clark, MIT, Cambridge, MA, USA
Jon Crowcroft, University of Cambridge, England
Ewen Denney, QSS Group Inc, NASA, Moffett Field, CA, USA
Dorothy Denning, Naval Postgraduate School, Monterey, CA, USA
Peter Denning, Naval Postgraduate School, Monterey, CA, USA
Sandy Fraser, Bernardsville, NJ, USA
Li Gong, Sun Microsystems, Santa Clara, CA, USA
Jim Gray, Microsoft Research, San Francisco, CA, USA
David Hartley, Cambridge, England
Andrew Herbert, Microsoft Research Ltd, Cambridge, England
Tony Hoare, Microsoft Research Ltd, Cambridge, England
Andy Hopper, University of Cambridge, England
Pierre Jansen, University of Twente, Enschede, The Netherlands
Anita Jones, University of Virginia, Charlottesville, VA, USA
Butler Lampson, Microsoft Research, Redmond, WA, USA
Peter Landrock, Århus University, Denmark
Hugh Lauer, TeraRecon, Inc., Concord, MA, USA
Paul Leach, Microsoft Corporation, Redmond, WA, USA
Stewart Lee, Orillia, Ontario, Canada
Ian Leslie, University of Cambridge, England
Roy Levin, Microsoft Research—Silicon Valley, CA, USA
Derek McAuley, Intel Research, Cambridge, England
Robin Milner, University of Cambridge, England
Ken Moody, University of Cambridge, England
Bob Morris, Dartmouth College, Hanover, NH, USA
Sape Mullender, Lucent Technologies, Murray Hill, NJ, USA
John Naughton, Open University, Milton Keynes, England
Lawrence Paulson, University of Cambridge, England
Brian Randell, University of Newcastle, England
Rick Rashid, Microsoft Research, Redmond, WA, USA
Stephen Robertson, Microsoft Research Ltd, Cambridge, England
Jerome Saltzer, MIT, Cambridge, MA, USA
Mahadev Satyanarayanan, Carnegie Mellon University, Pittsburgh, PA, USA
Fred Schneider, Cornell University, Ithaca, NY, USA
Michael Schroeder, Microsoft Research—Silicon Valley, CA, USA
Gustavus Simmons, Sandia Park, NM, USA
Jonathan Smith, University of Pennsylvania, Philadelphia, PA, USA
Karen Spärck Jones, University of Cambridge, England
Graham Steel, University of Edinburgh, Scotland
Robert Taylor, Woodside, California, USA
David Tennenhouse, Intel Research, Santa Clara, CA, USA
Chuck Thacker, Microsoft Corporation, Redmond, WA, USA
David Wheeler, University of Cambridge, England
John Wilkes, HP Labs, Palo Alto, CA, USA
Maurice Wilkes, University of Cambridge, England