Vasco T. Vasconcelos

(1)

Francisco Martins

^†

Liliana Salvador

^‡

Vasco T. Vasconcelos

^§

Lu´ıs Lopes

^†

May 10, 2005

Abstract

We present MiKO, a distributed process calculus obtained by instantiating Boudol’s Generic Membrane Model with the TyCO language. In the membrane model, a network is composed of a collection of domains, each of which comprises an outer part, themembrane, and an inner part, thecontents. The contents of the domain is its computational core. It interacts with the outside (the other domains in the network) using the membrane as intermediary. The membrane implements all protocols required to control the flow of information between the network and the contents of the domain. We provide an operational semantics and a type system for the calculus and prove subject reduction, together with some examples.

1 Introduction

Process calculi provide powerful abstractions and an underlying theory to reason about concurrent, communication based systems. In the last decade there has been an in- creasing interest in using such calculi to model distributed systems, particularly in the presence of code or computation mobility. Allowing resources to move between the nodes of a distributed system introduces new, non-trivial, problems (e.g., binding pol- icy, marshaling, security) that must be addressed by the underlying process calculus and associated theory.

There have been many proposals of calculi to describe distributed mobile systems.

Most of the proposals came from the π-calculus community [19], namely Dπ[15], π1l[1],lsdπ[21], the Seal calculus [11], Nomadic Pict [30], and the Distributed Join calculus [13], or from the Ambient calculus community [10], notably boxed ambients [6] and safe ambients [16]. Other works comprise, for instance, KLAIM [12], based on the LINDA model.

Common to all these works is the concept of computational area, typically a named location where processes run, generically known as adomain. Another concept global to these calculi is that ofmobility, where moving entities range from processes to entire hierarchies of domains. The control of mobility is, in all cases, somehow limited. For instance, inπ1lcode mobility depends on the state of the domain, and inlsdπ,Dπ, and the Ambient calculus mobility might be controlled by means of a type system [8,

∗Work funded by EU-FET on Global Computing, project MIKADO IST–2001–32222.

†Universidade dos Ac¸ores, Departamento de Matem´atica

‡Universidade do Porto, Departamento de Ciˆencia de Computadores

§Universidade de Lisboa, Departamento de Inform´atica

1

(2)

9, 17, 18]. Still, it is not easy to program, for instance, the authentication of a client’s certificate or the forwarding of incoming messages to a third-party destination.

In the present work we try to overcome this problem by building on the notion of programmable membrane, as introduced by Boudol [3, 4, 5]. Membranes are not explicitly present in any of the works mentioned above and, as far as we are aware, has been explored in the M-calculus [23], in the calculus of Kells [24], in the Brane calculi [7], and in [14].

The key idea behind the membrane model is that each domain is bipartite into a computing body and a membrane. All exchanges between the interior and the exterior of the domain must go through the membrane for validation. The following diagram represents the process of sending a message between two domains, using the membranes of each domain as intermediates.

The model is parametric on the computational structure of the membranes, that is, the calculus that is used to implement the membrane protocols. Thus it is possible to combine the membrane model with your favorite process calculus to obtain a fully functional model for domain-based distributed computing.

In this context we present and instance of the membrane model, using the TyCO- calculus [29] to implement the behavior of both the membranes and the contents of domains. TyCO is a form of the π-calculus that features built-in objects that may respond to one of several method calls, as opposed to simple inputs as in theπ-calculus.

TyCO’s builtin objects are exactly what is needed to provide for the various services provided by the membrane interface.

At the programming level, our goal is to implement membranes as modules for which the only relevant information is the interface they provide. This approach allows to developlibrariesof membranes with distinct behaviors that may readily be used to implement applications. Thus, ideally, to program a domain one would first choose an appropriate membrane from the library and then implement the application specific contents of the domain.

Outline of the paper. The remainder of this paper is structured as follows: sections 2 to 4 describe the syntax, the semantics, and a type system for MiKO. Section 5 presents examples aiming at providing a better understanding of the capabilities of the language.

Section 6 compares work in the area. The last section concludes the paper. Detailed proofs of the results are found in the appendices.

2 Syntax

This section introduces the syntax of MiKO.

We rely on a set of namesN, and on a set of labelsL, disjoint fromN. Names are used to describedomainsandchannels; to improve readability we user, s, tto range

(3)

N ::= inaction | x{m|iP}[P] | x!M | N |N | newx N (networks) P ::= inaction | x!M | x?m | x?∗m | P |P | newx P | (processes)

A~V | in[P] | out[x, M] | mkdom[x, m|iP , P]inP

M ::= l[V~] (messages)

m ::= {li =Ai}i∈I (methods)

A ::= (~x)P (abstractions)

V ::= x | A (values)

Figure 1: Syntax of MiKO

over domain names,a, b, cto range over channel names, andx, y, zto range over both domain and channel names. Figure 1 describes the syntax of the calculus, where~x describes a sequence of namesx₁. . . x_n(n >0), and similarly for values.

MiKO is an higher-order process calculus, manipulating values that can be either namesx(channels or sites) or processes abstracted on a sequence of names(~x)P. The calculus is organized in two layers: networksandprocesses. A network consists of a collection ofdomainsandnetwork messagesrunning in parallel. For processes we use TyCO [26, 27, 29] enriched with three new constructs:in,out, andmkdom.

A domainx{m|iP}[Q]is a location namedx, composed of amembranem|iPand acontentsQ. Membranes define the interaction between the domain and the outside world, as well as between the membrane and its contents Q. The method suite m defines the interface of the domain (with the exterior and the interior), and process P is used to keep the state of the membrane. The contents Qof the domain runs the domain’s core business. A network message x!l[V~]denotes a message, labeled withland carrying valuesV~, targeted at domainx. The remaining network constructs are standard: inaction denotes the terminated network,N | Ldescribes the parallel composition of two networks N andL; andnewx N introduces a new namexin networkN.

Processes are used in the membrane and in the contents of domains. Its syntax includes objectsx?mreading messages from channelxand processing them according to the methods inm, the invocation x!l[V~] of a methodl with arguments V~ in an object or a domain x, and the application A~V of an abstractionA to a sequence of argumentsV~. An abstraction is a processP parametrized on a sequence of names~x, written(~x)P.

Processes also include three special-purpose constructs:in[P]that launches a pro- cessP in the contents part of the domain,out[x, M]that sends a messageM to domainx, andmkdom[x, m|iP , Q] inRthat creates a new domainxwith membrane m|iP and contentsQ, visible in processR.

The following example, inspired in [5], illustrates the syntax of the calculus. Con- sider a domain with a transparent membrane: a membrane that routes every message in and out of the domain. This membrane offers two methods:enterthat accepts a message from the network, and exit that routes a message to the network. Two domains, both equipped with transparent membranes, communicate via a very simple protocol:

(1) the source domain issues an exitcommand; (2) the source’sexitmethod selects the entermethod in the target domain; (3) theentermethod in the target domain launches

(4)

newx N |M ≡newx(N |M) ifx /∈fn(M) (SN-SCOPE) s{m|inewc S}[P]≡newc s{m|iS}[P] ifc /∈fn(s, m, P) (SN-MEMB) s{m|iS}[newc P]≡newc s{m|iS}[P] ifc /∈fn(s, m, S) (SN-CONT) inaction≡news s{m|iinaction}[inaction] (SN-INACT) newxnewy N≡newynewx N (SN-EXCH)

Figure 2: Structural congruence on networks

the received message in its contents area. A possible implementation of a transparent membrane is as follows.

T r a n s p a r e n t = {

e n t e r ( source , x ) = i n [ x [ ] ]

e x i t ( t a r g e t , x ) = out [ t a r g e t , e n t e r[ x ] ] {− p r i v a t e −}

}

Method exit sends an abstraction to the target domain. Methodenterapplies the received abstractionxto the empty vector[] (thus obtaining a process), and launches it in the domain contents. The membrane needs no state, as reflected byinactionbelow.

The sending of a processPfrom domainrto domainsmay be written as follows.

r{T r a n s p a r e n t|ii n a c t i o n}[ r !e x i t[ s , ( ) P ] ]

To keep the calculus simples, we do not distinguish between methods meant to be used by external (network) and by internal (membrane or contents) messages. Instead, in the examples, we mark the latter kind of methods with aprivatecomment.

3 Operational Semantics

This section introduces the operational semantics of MiKO. We define a reduction semantics on networks (Figure 4) and on processes (Figure 5) making use of simple structural congruence relations [19] for networks (Figure 2) and for processes (Fig- ure 3).

Bindings, free names, and substitution. The binding occurrences are the name x innew x N, innew x P, in mkdom[x, m|iS, P]in Q, as well as names xi in (x1. . . xn)P. Free and bound identifiers are defined as usual, and we work up toα- equivalence. The set of free names for networks, processes, and methods is denoted byfn(·). Substitution on processes, notationP[V /y], denotes the standard capture- avoiding substitution of nameyfor valueV, in processP.¹

Structural Congruence. The structural congruence relation for networks (respectively, for processes), ≡, is the least congruence relation closed under the rules in

1Substitution is not total. For example,(c!M)[A/c]confounds instantiation of abstractions with that of names. Sangiorgi shows that substitution is defined for a certain class of processes, that of well-sorted processes [22]. It should be easy to show that the same property holds for well-typed processes, as defined in Section 4.

(5)

newc P |Q≡newc(P |Q) ifc /∈fn(Q) (SP-SCOPE) inaction≡newcinaction (SP-INACT) newanewb P ≡newbnewa P (SP-EXCH)

Figure 3: Structural congruence on processes

s{m|iP}[s!M |Q]→s{m|i(m.M|P)}[Q] (RN-SEND) s{m|i(out[r, l[V~]]|S)}[P]→r!l[s~V]|s{m|iS}[P] (RN-OUT) s!M |s{m|iS}[P]→s{m|i(S|m.M)}[P] (RN-COM) s{m|i(in[P]|S)}[Q]→s{m|iS}[Q|P] (RN-IN) s{m|i(mkdom[r, m⁰|iS, P]inR|T)}[Q]→

newr(r{m⁰|iS}[P]|s{m|i(R|T)}[Q]) ifr /∈fn(s, m, T, Q) (RN-MKD) S →T

s{m|iS}[P]→s{m|iT}[P]

P →Q

s{m|iS}[P]→s{m|iS}[Q]

(RN-MEMB,RN-CONT) N →N⁰

N|L→N⁰|L

N →N⁰ newx N →newx N⁰

N⁰ ≡N N →L L≡L⁰ N⁰→L⁰

(RN-PAR,RN-RES,RN-CONG)

Figure 4: Reduction rules on networks

Figure 2 (respectively, in Figure 3) alpha-congruence, and the commutative monoidal rules.

For networks,SN-SCOPEis the usual scope extrusion rule, andSN-MEMBandSN-

CONTdescribe scope extrusion applied to domains. For processes, the rules are standard.

Reduction. The reduction rules for networks and processes are given in Figures 4 and 5, where method invocation{l_i =A_i}_i∈I.(l_j[V~])is defined as the processA_jV~, whenj ∈ I. The below diagram, depicting migration between domains, explains the first four axioms in Figure 4.

RuleRN-SENDdelivers a messagel[V~]from the contents part of the domain to its membrane, calling method lin the domain’s interface. The method may then create a processout[r, l⁰[U~]]. RulesRN-OUT adds the source domain to the message (thus

(6)

c?m|c!M →m.M (RP-COM) c?∗m|c!M →c?∗m|m.M (RP-REP) ((~x)P)V~ →P[V /~~ x] (RP-APP) P →Q

P |R→Q|R

P →Q newc P →newc Q

P⁰≡P P→Q Q≡Q⁰ P⁰ →Q⁰

(RP-PAR,RP-RES,RP-CONG)

Figure 5: Reduction rules on processes

α ::= ch(ρ) | dom(ρ) | abs(~α) | t | µt.α ρ ::= {li: α~i}i∈I

Figure 6: Syntax of types

obtaining l⁰[s ~U]), and places the message in the network. RuleRN-COMaccepts the message from the network, selecting methodl⁰in the interface of the target membrane.

The method may then create a processin[P]. Then, ruleRN-INdrives processP from the membrane to contents of the domain.

Domains can only be created from the membrane of an existing domain, via rule RN-MKD. To create a domain, we provide a domain namer, a membranem⁰|iS, the contentsP of the domain, and the scopeRof the existing domain where the new do- mainris visible. RulesRN-MEMB,RN-CONT,RN-PAR, andRN-RES allow reduction inside the membrane, the domain contents, the parallel composition, and name restriction, respectively. Finally,RN-CONGbrings structural congruence into reduction.

The rules for processes (Figure 5) are standard [29]

As an example of a reduction in MiKO, consider the domain at the end of Section 2, in parallel with a domain with a transparent membrane and empty contents, where we abbreviateinactionto0.

r{T r a n s p a r e n t|i0}[ r !e x i t[ s , ( ) P ] ] | s{T r a n s p a r e n t|i0}[ 0 ]

and using rulesRN-SEND,RN-OUT,RN-COM,RN-IN, as described in the diagram above, we successively have:

r{T r a n s p a r e n t|i0}[ r !e x i t[ s , ( ) P ] ] | s{T r a n s p a r e n t|i0}[ 0 ] → r{T r a n s p a r e n t|iout[ s ,e n t e r[ ( ) P ] ]}[ 0 ] | s{T r a n s p a r e n t|i0}[ 0 ] → r{T r a n s p a r e n t|i0 ]}[ 0 ] | s !e n t e r[ r , ( ) P ] | s{T r a n s p a r e n t|i0}[ 0 ] → r{T r a n s p a r e n t|i0 ]}[ 0 ] | s{T r a n s p a r e n t|ii n[ P ]}[ 0 ] →

r{T r a n s p a r e n t|i0 ]}[ 0 ] | s{T r a n s p a r e n t|i0}[P ]

4 The Type System

This section introduces a type system for our language and presents the main results:

subject-reduction and type safety.

(7)

Γ`sm:ρ Γ`sP|Q Γ` s:dom(ρ)

Γ`s{m|iP}[Q] (TN-DOM)

Γ`sV~ :ρ.l Γ` s: dom(ρ)

Γ`s!l[V~] (TN-MSG)

Γ`N Γ`L

Γ`N |L

Γ`N Γ` x∈ {ch( ),dom( )}

Γ\x`newx N Γ`inaction (TN-PAR,TN-RES,TN-INACT)

Figure 7: Typing networks

Types. We fix a countable set of type variables ranged over byt. The syntax of types is given in Figure 6, where the sequence of typesα₁ . . . α_n(n >0) is abbreviated to

~ α.

Types of the formch(ρ),dom(ρ), andabs(~α)denote types for channels, for domains, and for abstractions, respectively. Recordsρdescribe a collection ofn(n >0) methods labeledl_i accepting arguments of typesα~_i. Types are interpreted as rational (regular infinite) trees. A type of the formµt.α(withtguarded inα) denotes the rational tree, solution of the equationt=α. An interpretation of recursive types as infinite trees naturally induces an equivalence relation ≈on types, by putting α ≈ β if the underlying trees forαand forβare equal [20].

Typing rules. Typings, denoted byΓ are partial functions of finite domains from names to types. NotationΓ\xdenotes the typing obtained fromΓby removingxfrom its domain.

The type system is described in Figures 7–9, where{li:α~_i}i∈I.l_j = α~_j when j ∈ I. It includes four kinds of judgments: (a) judgmentΓ `N asserts that network N is well typed under typing assumptionsΓ; (b) judgmentΓ`sP means that process P is well typed under typing assumptions Γ, when running at sides; (c) judgment Γ `_sm:ρasserts that the method suitemhas typeρ, when located at sites; and (d) judgmentΓ`_sV:αassigns typeαto valueV, at sites.

To type a domains{m|iS}[P]using ruleTN-DOM, one has to type the membrane m|iSand the contentsP, both ins. Domainsmust possess the type of its interfacem.

To type a message using ruleTN-MSG, one must type the contentsV~ of the message, and make sure that the type forsis a domain-type whosel-component is the type of V~. To type a name restrictionnewx N using ruleTN-RES, we type networkN, and check whether the type for namexis a that of a channel or of a site.

When typing processes, we record (under the turnstile) the domain that hosts the process. This piece of information is relevant when typing the outoperation, since we stamp messages with the name of the sending domain. RuleTP-OBJexpresses the fact thatcmust be a channel that has a type compatible with method suitem. Rule TP-MSGis similar toTN-MSG, but herexcan be a channel or a domain, since we use the same constructor to send messages to membranes or interact with objects. To type theinconstructor in domains, we typePinsusing ruleTP-IN. RuleTP-OUTtypes the sequence of valuess~V in the target domainr, since abstractions run in the destination domain. Notice that one appends the origin domain s to the list of parameters, as prescribed by the operational semantics (ruleRN-OUT in Figure 4). To type domains

(8)

Γ`sm:ρ Γ` c:ch(ρ) Γ`_sc?m

Γ`sc?m

Γ`_sc?∗m (TP-OBJ,TP-REP) Γ`sV~ :ρ.l Γ` x∈ {dom(ρ),ch(ρ)}

Γ`sx!l[V~] (TP-MSG)

Γ`sP Γ`sin[P]

Γ`rs~V:ρ.l Γ` r:dom(ρ)

Γ`sout[r, l[V~]] (TP-IN,TP-OUT) Γ`r{m|iS}[P] Γ`sR

Γ\r`_smkdom[r, m|iS, P]inR (TP-MKD) Γ`sA:abs(~α) Γ`sV~ :~α

Γ`sA~V (TP-APP)

Γ`sP Γ`sQ Γ`_sP |Q

Γ`sP Γ` c:ch( )

Γ\c`_snewc P Γ`sinaction

(TP-PAR,TP-RES,TP-INACT)

Figure 8: Typing processes

∀i∈I, Γ`sAi:abs(~αi)

Γ`s{li=Ai}_i∈I:{li:~αi}_i∈I (TM-METH) Γ(x) =α α≈β

Γ` x: β

Γ`sP Γ` ~x:α~ Γ\~x`s(~x)P: abs(~α)

Γ`sV1:α1 . . . Γ`sVn:αn

Γ`sV₁. . . V_n:~α (TV-ID,TV-ABS,TV-SEQ)

Figure 9: Typing method suites and values

creation, ruleTP-MKDchecks that both the created domainr{m|iS}[P]and its scope R are well-typed. RuleTP-APPchecks that the arguments V~ are as expected by the abstraction A. Finally, rule TP-RES is similar to TN-RES, except that only channel restriction is possible in processes.

RuleTV-IDincorporates type equivalence in the type system. The remaining rules should be easy to understand.

Properties. Subject-Reductionasserts the invariance of typings under reduction.

Theorem 4.1 (Subject-Reduction) IfΓ`NandN →L, thenΓ`L.

Type safetyasserts that typable programs do not encounter immediate errors. To- gether with Subject-Reduction we obtain Milner’s slogan “Well-typed programs do not go wrong”.

Two things can go wrong: a) the invocation of a method non-existent in the target object or domain interface; b) the application of a wrong number of arguments to an abstraction. In the former case{li = Ai}_i∈I.(lj[V~])is not defined (that is,j /∈ I);

in the latterP[V1. . . Vk/x1. . . xn]is not defined (that is,n 6= kor P[Vi/xi] is not defined for somei). We say that a network isfaultyif

(9)

1. N≡new~x(s!M |s{m|iS}[P]|L), andm.Mis not defined; or 2. N≡new~x(s{m|iP}[s!M |Q]|L), andm.Mis not defined; or

3. N ≡ new~x(s{m|i(c?m|c!M |P)}[Q] | L), andm.M is not defined, and similarly forc?∗m; or

4. N ≡ new ~x(s{m|iP}[c?m|c!M |Q] | L), and m.M is not defined, and similarly forc?∗m; or

5. N≡new~x(s{m|i(((~y)P)V~ |R)}[Q]|L), andP[V /~~ y]is not defined; or 6. N≡new~x(s{m|iP}[((~y)P)V~ |Q]|L), andP[V /~~ y]is not defined.

Theorem 4.2 (Type-Safety) IfΓ`N, thenNis not faulty.

5 Examples

In this section we present several examples to illustrate the use of membranes, as well as the programming style we propose.

5.1 Polarised membrane

Our first example illustrates a membrane that filters messages depending on its internal state. A polarised membrane [1, 5] controls the passage of incoming and outgoing messages using a private channel named membraneStatus. If it is active (active = true), then messages flow freely from the network into the contents and vice-versa, as if the membrane were transparent (see section 2). Otherwise (active = false) all messages are discarded by the membrane.

Assuming the presence of boolean values and conditional processes, an implementation of the polarised membrane might be:

{

e n t e r( o r i g i n , process ) = membraneStatus ?{

v a l u e( a c t i v e ) =

membraneStatus !v a l u e[ a c t i v e ] | i f a c t i v e then i n[ process ] }

e x i t( targetDomain , process ) = membraneStatus ?{

membraneStatus !v a l u e[ a c t i v e ] |

i f a c t i v e then out[ targetDomain , e n t e r[ process ] ] }

p i n g( o r i g i n , r e p l y T o ) = membraneStatus ?{

membraneStatus !v a l u e[ a c t i v e ] | out[ o r i g i n , e n t e r[ r e p l y T o ! [ a c t i v e ] ] ] }

d e a c t i v a t e( ) = {− p r i v a t e −}

membraneStatus ?{

(10)

membraneStatus !v a l u e[f a l s e] }

a c t i v a t e( ) = {− p r i v a t e −}

membraneStatus ?{

membraneStatus !v a l u e[t r u e] }

a s k S t a t u s( targetDomain , r e p l y T o ) = {− p r i v a t e −}

out[ targetDomain , p i n g[ r e p l y T o ] ] }

|i membraneStatus !v a l u e[t r u e]

If we name the above membrane aspolarised, a domains, initially active, running processPmay be written as

new membraneStatus s{p o l a r i s e d}[ P ]

The domain state is maintained by a message in transit (initially with valuetrue) on channel membraneStatus. Methodsenterand exit check the state of the domain before forwarding the messages to and from the network. Methoddeactivatesets the status of the membrane tofalse.

A domain becomes unavailable when methoddeactivate gets selected. Method pinginforms external clients of the current state of the domain, and methodaskStatus checks whether a target domain that implements the “ping” protocol is active.

5.2 Quality of Service membrane

Our second example illustrates how to program a membrane that guarantees a certain quality of service (QoS) and enforces a protocol between a server and its clients. To assure the required QoS, the server allows only a fixed number of simultaneous requests. Towards this end, it keeps track of the number of concurrent active clients. The state is recorded in a private channelsessionCounterthat keeps track of the number of available sessions. The protocol forces a client first to connect to the server, then to repeatedly issue requests (and receive results back), and finally to disconnect from the server.

The server. Channelhandleris the link between the membrane and the contents of the server.

The membrane offers four methods: connect, disconnect, request, and exit. Methodconnectchecks if there are available sessions. If so, it creates a private channel sessionID, sends it to the client (via anoutoperation), interacts with the server’s contents (using theinoperation) to create an object to handle the session, and decrements the session counter. Otherwise, it informs the client that there are too many sessions opened. Methoddisconnectcloses the session by selecting thedisconnectoperation on the contents, and incrementing the session counter. Methods exitandrequestare as in the transparent membrane (Section 2), only that we have renamedentertorequestfor reasons that will become apparent below.

The server’s membrane,QoSMembrane, may then be programmed as follows.

{

connect( c l i e n t , r e p l y T o ) = s e s s i o n C o u n t e r ?{

(11)

v a l u e( a v a i l a b l e S e s s i o n s ) = i f a v a i l a b l e S e s s i o n s > 0 then

new s e s s i o n I D

out[ c l i e n t , e n t e r[ ( ) r e p l y T o !connected[ s e s s i o n I D ] ] ]| i n[ h a n d l e r !c r e a t e[ sessionID , c l i e n t ] ]

s e s s i o n C o u n t e r !v a l u e[ a v a i l a b l e S e s s i o n s − 1 ] else

out[ c l i e n t , e n t e r[ ( ) r e p l y T o !tooManySessions[ ] ] ]| s e s s i o n C o u n t e r !v a l u e[ a v a i l a b l e S e s s i o n s ]

}

d i s c o n n e c t( c l i e n t , s e s s i o n I D ) = i n[ s e s s i o n I D !d i s c o n n e c t[ ] ] | s e s s i o n C o u n t e r ?{

v a l u e( a v a i l a b l e S e s s i o n s ) =

s e s s i o n C o u n t e r !v a l u e[ a v a i l a b l e S e s s i o n s + 1 ] }

r e q u e s t ( source , x ) = i n [ x [ ] ]

e x i t ( t a r g e t , x ) = out [ t a r g e t , e n t e r[ x ] ] {− p r i v a t e −}

} |i

s e s s i o n C o u n t e r ! [ 5 ]

On the contents side, the server must provide an implementation for the shared channel handlerthat handles the various sessions. Each session is associated with a differentsessionID. ChannelsessionStatusrecords the availability of the session: a session is available until the client issues a disconnect operation. Results to client requests are first returned to the membrane, which then relays them to the corresponding client domain. The content of a generic server,QoSContents, may be implemented as follows.

h a n d l e r ?^∗{

c r e a t e( sessionID , c l i e n t ) = new s e s s i o n S t a t u s

s e s s i o n S t a t u s !v a l u e[t r u e] | s e s s i o n I D ?^∗{

{− s p e c i f i c s e r v e r methods −}

d i s c o n n e c t ( ) = s e s s i o n S t a t u s ?{

v a l u e( a l i v e ) =

s e s s i o n S t a t u s !v a l u e[f a l s e] }

} }

Then, a domain,QoSDomain, running a generic QoS server is the following domain.

new s e s s i o n C o u n t e r new h a n d l e r

QoSDomain{QoSMembrane}[ QoSContents ]

The client. The client uses a stateless membrane, and provides a simple method suit, intended to simply follow the protocol with the server. Notice that we can not use the transparent membrane (Section 2) in this case, since the client calls specific methods

(12)

on the server (connect, disconnect, andrequest), rather than the fixedentermethod provided by the transparent membrane.²

TheclientMembraneis as follows, {

e n t e r( s e r v e r , process ) = i n[ process [ ] ]

connect( s e r v e r , r e p l y T o ) = {− p r i v a t e −}

out[ s e r v e r , connect[ r e p l y T o ] ]

d i s c o n n e c t( s e r v e r , s e s s i o n I D ) = {− p r i v a t e −}

out[ s e r v e r , d i s c o n n e c t[ s e s s i o n I D ] ]

r e q u e s t( s e r v e r , c o m p u t a t i o n ) = {− p r i v a t e −}

out[ s e r v e r , r e q u e s t[ c o m p u t a t i o n ] ] }

|i i n a c t i o n

and, given processclientContents, a client domain becomes:

c l i e n t{clientMembrane}[ c l i e n t C o n t e n t s ]

A particular service. As an example of a service the server may implement we use a mathematical server [28] to illustrate the QoS client-server interaction presented above.

For the server side, a math server accepts computation request from clients, com- pute the request, and reply the results back. We provide the following two methods of thesessionIDobject, to be added to the part specific server methodsin the above QoSContentscode.

add( n , m, r e p l y T o ) = s e s s i o n S t a t u s ?{

s e s s i o n S t a t u s !v a l u e[ a l i v e ] | i f a l i v e then

QoSDomain !e x i t [ c l i e n t , ( ) r e p l y T o !v a l u e[ n+m ] ] }

neg ( n , r e p l y T o ) = s e s s i o n S t a t u s ?{

s e s s i o n S t a t u s !v a l u e[ a l i v e ] | i f a l i v e then

QoSDomain !e x i t [ c l i e n t , ( ) r e p l y T o !v a l u e[0−n ] ] }

Here is the example of a client that (1) establishes a session; (2) asks for the addition two numbers; (3) asks for the symmetric of the result; and finally (4) closes the session.

new r e p l y T o

c l i e n t !connect[ QoSDomain , r e p l y T o ] | r e p l y T o ?{

connected( s e s s i o n I D ) = new r e s u l t

c l i e n t !r e q u e s t[ QoSDomain , ( ) s e s s i o n I D !add[ 3 , 4 , r e s u l t ] ]| r e s u l t ?{

v a l u e( x ) =

2Since messages are not values, we cannot write a generic method exit(server, method) =out[server, method].

(13)

c l i e n t !r e q u e s t[ QoSDomain , ( ) s e s s i o n I D !neg[ x , r e s u l t ] ]| r e s u l t ?{

v a l u e( x ) = i o !p r i n t i[ x ] |

c l i e n t !d i s c o n n e c t[ QoSDomain , s e s s i o n I D ] }

}

tooManySessions( ) =

i o !p r i n t s[ ” c o u l d n o t connect t o t h e s e r v e r ” ] }

5.3 Members manager

Our last example presents a flavor of programmable membranes that may be reused in several scenarios. Themembers managerprovides a controlled access to a domain.

Unlike the math server that allows access to any client, we want to give permission to registered users only. So, in order to use the services offered by the domain, the client must first register (thus becoming amember) and then authenticate itself with a password. The membrane manages a set of registered users and ensures that only logged users can issue requests to the server. The members membrane may be used in some interesting cases, such as:

• in achat server: only register users can enter the chat services;

• in a“free” email provider: users first agree on an email account, setting up a user name and a password, and then access their emails privately;

• in ane-seller provider, such as a virtual library or a reserved area in a financial server;

• or even, in a refinedmath server: instead of issuing a connect operation, users first register themselves and thenloginat the server.

Our goal is to implement amembers membranein a modular way so that implementing any of the above examples would simply imply writing the service-specific contents, reusing the membrane.

The protocol between a client and themembers membraneis as follows: the first time the client accesses the server it must register himself. For that purpose, it must provide a tentativelogin ID. If the registration goes well (the login ID is not in use) it gets a password back, otherwise it is notified of the registration failure. Registered users are allowed to engage in a session with the server if the user/password pair they provide matches the information in the list of allowed users. The session proceeds with logged users sending requests to the server and receiving the replies. When leaving the server the client must issue a logout operation to close its session.

The membrane stores the information relative to registered members in a map and the users that are currently logged in a set. In the example below this information is recorded in the membrane state as two private channels namedmembersMapand loginSet. The membrane offers the following services: newMemberto register new members;loginto authenticate users and start a session;logoutto terminate a session;

requestto accept demands from clients; and exitused by the server to deliver answers for client requests.

The outline of themembersMembraneis as follows. We present and comment each method separately, assuming an implementation for maps and for sets.

(14)

{

newMember( c l i e n t , loginName , r e p l y T o ) = . . . l o g i n( c l i e n t , loginName , password , r e p l y T o ) = . . . l o g o u t( c l i e n t , loginName ) = . . .

r e q u e s t( c l i e n t , loginName , j o b , r e p l y T o ) = . . .

e x i t( c l i e n t , r e s u l t ) = . . . {− p r i v a t e −}

}

|i

memberMap?^∗ { . . . } | l o g i n S e t ?^∗ { . . . } |

. . .

To register a new member we use the following code.³ newMember( c l i e n t , loginName , r e p l y T o ) =

i f membersMap !c o n t a i n s K e y[ loginName ] then

out[ c l i e n t , e n t e r[ r e p l y T o !l o g i n N a m e E x i s t s[ ] ] ] else

new password

membersMap !p u t[ loginName , password ] |

out[ c l i e n t , e n t e r[ r e p l y T o !r e g i s t e r e d[ password ] ] ]

The implementation is straightforward. We check whether there is a member al- ready registered with the given login name. If not, we generate a password, add the new member to the map, and inform the client of its password. Otherwise, we inform the client of the failed attempt.

Next is a possible implementation of theloginoperation:

l o g i n( c l i e n t , loginName , givenPassword , r e p l y T o ) = i f membersMap !c o n t a i n s K e y[ loginName ] and

membersMap !g e t[ loginName ] = givenPassword then

out[ c l i e n t , e n t e r[ r e p l y T o !connected[ ] ] | l o g i n S e t !add[ loginName ]

else

out[ c l i e n t , e n t e r[ r e p l y T o !i n v a l i d U s e r P a s s w o r d[ ] ] ]

We check whether the client is registered and the password matches. If is everything goes well, we notify the client that the login operation was successful, otherwise we report an error.

Thelogoutoperation simply updates the login set. The implementation is as follows:

l o g o u t( c l i e n t , loginName ) = l o g i n S e t !remove[ loginName ]

There are two generic methods for accepting and replying to requests: therequest and the exitmethods. The underlying communication protocol between the client and the server is established via these two methods. The interaction with the contents part of the server is performed via shared channelhandler. For instance, a chat server may implement the ICQprotocol or a email server the IMAPprotocol, encapsulating the

3TyCO’s idiom

if membersMap!containsKey[loginName]then...

is short for [25]

newr membersMap!containsKey[loginName, r]|r ?{value (x) =ifxthen ...

(15)

messages using these two methods and providing an implementation for thehandler channel. Notice that the membrane checks that the client sending the request is logged in. All the remaining actions are assigned to the contents of the domain. The implementation is simple:

r e q u e s t( c l i e n t , loginName , j o b , r e p l y T o ) = i f l o g i n S e t !c o n t a i n s[ loginName ]

then

i n[ h a n d l e r !r e q u e s t[ c l i e n t , loginName , j o b , r e p l y T o ] ] else

out[ c l i e n t , e n t e r[ r e p l y T o !notLoggedIn[ loginName ] ] ]

e x i t( c l i e n t , r e s u l t ) =

out[ c l i e n t , e n t e r[ r e s u l t ] ]

A domain namedoscarrunning anICQprocess (not shown) that implements the AIM/ICQprotocol may be set up as:

new memberMap

new l o g i n S e t new h a n d l e r

o sc ar [ membersMembrane ]{ICQ}

6 Related Work

The introduction mentions a few process-calculi based proposals to describe mobile systems: Dπ[15],π_1l[1],lsdπ[21], the Seal calculus [11], Nomadic Pict [30], vari- ants of the Ambient calculus [10], notably boxed ambients [6] and safe ambients [16], as well as, KLAIM [12]. None of these works, however, encompasses an explicit notion of computational domain. This section concentrates on models of domains with programmable membranes.

The Mikado domain model, as presented by Boudol [3, 4, 5], constitutes the starting point of this work. In fact, MiKO is an instance of the the Mikado’s generic domain model.

The M-calculus [23], like MiKO, bases its notion of domain on locations which are composed of a controller and a content process. Unlike MiKO, locations may have sub-locations and thus the network topology is a tree. MiKO networks are flat and communication is point-to-point. In the M-calculus, interaction consists of either messages directed to resources within a remote domain or migration of processes or locations. MiKO provides a more service-oriented view of interaction since only messages directed to methods in the membranes (albeit carrying code) of remote domains are allowed. Moreover, the interface presented to the network by the membrane of a domain is the only data path to the process in the contents of that domain. In fact, this is exactly the same interface that must be used by the contents itself to interact with the network outside. We feel that this symmetric view of membranes provides a clear and modular programming paradigm. In the M-calculus, whenever a message to a resource within a domain gets cleared by predefined filters for incoming messages, it can move freely between the controller and the contents. This distinction in the treatment of outward and inward interaction is, in our view, unnatural as the symmetry of the membrane or controller should be invariant. Migration the M-calculus is based on a

“passivation” construct that freezes a process or a domain and sends it to the destination

(16)

domain. This is a very powerful feature of the calculus that allows higher order entities to be sent over the network. In MiKO we do not require such a high-level feature as the calculus has abstractions as first-class values and especially because we do not require to migrate domains (our networks are flat).

The brane calculi [7] are used to describe interaction between cells and molecules.

The communication between cells is performed through free-floating molecules that bind to the exterior or the interior of the membranes in order to cross them. If we imagine that cells possess specific receptors that bind molecules, then these receptors are the interface of the cell and therefore, the receptors are akin to the labels of our methods. MiKO and the brane calculi have different aims, MiKO being better suited to describe high-level mobile computing.

Gorla, Hennessy, and Sassone [14] present an experiment with membranes that type check the incoming code to certify that the actions it may perform are granted by the target domain. In order to keep the impact of type checking low, they explore a trusting relation between sites and check only the code that arrives from untrusted domains. A domain in MiKO is not able to check the code it receives; the decision of allowing code to pass or not through the membrane is defined only in terms of the source domain, the selected method, and the state of the domain.

7 Conclusion

In this report we presented the MiKO process calculus and associated programming language. MiKO is based on a model for distributed computing where computation happens in domains that are shielded from the remainder of the network by a membrane. The membrane implements whatever protocols are required to forward, discard or filter messages to and from the domain contents.

The original proposal for the domain model [5] makes no assumption on the computational structure (membrane and contents) of domains. MiKO uses the TyCO process calculus [29] to implement both the membrane and the contents of domains. We defined an operational semantics and a type system for the calculus that ensures that well-typed MiKO programs do engage in runtime errors.

The programming language derived from the base calculus is straightforward. Pro- grams are written a in modular way by implementing the membrane and contents as separate components. This allows the setup of general purpose membranes that implement protocols used by the service specific contents of a domain. These components can be effectively reused by applications requiring the same kind of membrane.

Currently the implementation of a compiler and run-time system for MiKO is un- derway, based on Mikado’s software framework for rapid prototyping of run-time systems for mobile calculi [2].

References

[1] R. Amadio. An asynchronous model of locality, failure, and process mobility. In Proceedings of Coordination’96, volume 1282 ofLNCS. Springer, 1997.

[2] L. Bettini, R. De Nicola, D. Falassi, M. Lacoste, L. Lopes, L. Oliveira, H. Paulino, and V. Vasconcelos. A software framework for rapid prototyping of run-time systems for mobile calculi. InGlobal Computing, volume 3267 ofLNCS, pages 179–207. Springer, 2004.

(17)

[3] G. Boudol. Core programming model, release 0. Mikado Deliverable D1.2.0, 2002.

[4] G. Boudol. A parametric model of migration and mobility, release 1. Mikado Deliverable D1.2.1, 2003.

[5] G. Boudol. A generic membrane model. InGlobal Computing Workshop, volume 3267 ofLNCS, pages 208–222. Springer, 2005.

[6] M. Bugliesi, G. Castagna, and S. Crafa. Access control for mobile agents: The calculus of boxed ambients.ACM Transactions on Programming Languages and Systems, 26(1):57–124, 2004.

[7] L. Cardelli. Brane calculi: Interactions of biological membranes. InProceedings of Computational Methods in Systems Biology’04, volume 3082 ofLNCS, pages 257–280. Springer, 2004.

[8] L. Cardelli, G. Ghelli, and A. Gordon. Mobility types for mobile ambients.

InProceedings of ICALP’99, volume 1644 ofLNCS, pages 230–239. Springer, 1999.

[9] L. Cardelli, G. Ghelli, and A. Gordon. Ambient groups and mobility types. In Proceedings of TCS’00, volume 1872 ofLNCS, pages 333–347. Springer, 2000.

[10] L. Cardelli and A. Gordon. Mobile ambients. Theoretical Computer Science, 240(1):177–213, 2000.

[11] G. Castagna and J. Vitek. Seal: A framework for secure mobile computa- tions. InInternet Programming Languages, number 1686 in LNCS, pages 47–77.

Springer, 1999.

[12] R. De Nicola, G. Ferrari, and R. Pugliese. Klaim: A kernel language for agents interaction and mobility. IEEE Transactions on Software Engineering, 24(5):315–

330, 1998.

[13] C. Fournet, G. Gonthier, J. L´evy, L. Maranget, and D. R´emy. A calculus of mobile agents. InProceedings of Concur’96, LNCS, pages 406–421. Springer, 1996.

[14] D. Gorla, M. Hennessy, and V. Sassone. Security policies as membranes in systems for global computing. InProceedings of 3rd EATCS Workshop on Founda- tions of Global Ubiquitous Computing (FGUC’04), ENTCS. Elsevier, 2004.

[15] M. Hennessy and J. Riely. Resource access control in systems of mobile agents.

Journal of Information and Computation, 173:82–120, 2002.

[16] F. Levi and D. Sangiorgi. Controlling interference in ambients. In Proc. 27th POPL, pages 352–364. ACM Press, 2000.

[17] F. Martins and A. Ravara. Typing migration control in lsdpi. InProceedings of FCS’04, volume 31, pages 1–12. Turku Centre for Computer Science, 2004.

[18] F. Martins and V. Vasconcelos. History-based access control for distributed processes. InProceedings of TGC’05, LNCS. Springer, 2005. To appear.

[19] R. Milner, J. Parrow, and D. Walker. A calculus of mobile processes, part I/II.

Jornal of Information and Computation, 100:1–77, 1992.

(18)

[20] B. Pierce.Types and Programming Languages. MIT Press, 2002.

[21] A. Ravara, A. Matos, V. Vasconcelos, and L. Lopes. Lexically scoping distribu- tion: what you see is what you get. InProceedings of FGC’03, volume 85(1) of ENTCS. Elsevier, 2003.

[22] D. Sangiorgi.Expressing Mobility in Process Algebras: First-Order and Higher- Order Paradigms. PhD thesis, LFCS, University of Edinburgh, 1993. CST-99-93 (also published as ECS-LFCS-93-266).

[23] A. Schmitt and J.-B. Stefani. The m-calculus: a higher-order distributed process calculus. InPOPL, pages 50–61, 2003.

[24] J.-B. Stefani. A calculus of kells. InProceedings of FGC’03, volume 85(1).

Elsevier, 2003.

[25] V. Vasconcelos. Processes, functions, datatypes. Theory and Practice of Object Systems, 5(2):97–110, 1999.

[26] V. Vasconcelos. Core-tyco appendix to the language definition, version 0.2. Tech- nical Report 01–5, Faculty of Sciences of the University of Lisbon, 2001.

[27] V. Vasconcelos and R. Bastos. Core-tyco the language definition, version 0.1.

Technical Report 98–3, Faculty of Sciences of the University of Lisbon, 1998.

[28] V. Vasconcelos, A. Ravara, and S. Gay. Session types for functional multi- threading. InProceedings of Concur’04, volume 3170 ofLNCS, pages 497–511.

Springer, 2004.

[29] V. Vasconcelos and M. Tokoro. A typing system for a calculus of objects.1st In- ternational Symposium on Object Technologies for Advanced Software, 742:460–

474, 1993.

[30] P. Wojciechowski and P. Sewell. Nomadic pict: Language and infrastructure design for mobile agents.IEEE Concurrency, 8(2):42–52, 2000.

(19)

A Proof of Subject Reduction

This section presents the proof for Theorem 4.1. The proof uses two main auxiliary results, namely, Substitution (Lemma A.1) and Structural Congruence (Lemma A.4).

Lemma A.1 (Substitution)

1. IfΓ, x:α`rV:βandΓ`rU:α, thenΓ`r[U/x] V[U/x] :β.

2. Letρ={l1:β~1. . . ln:β~n}. IfΓ, x:α`rm: ρandΓ` U:α, thenΓ`_r[U/x]

m[U/x] :ρ.

3. IfΓ, x:α`rP andΓ` U:α, thenΓ`r[U/x]P[U/x].

4. IfΓ, x:α`NandΓ` U:α, thenΓ`N[U/x].

Proof. The proof of the first three results is by mutual induction on the typing derivation.

Substitution on Values. We proceed by case analysis on the structure ofV, tracing the last typing rule applied.

• CaseV isy

By hypothesis we derive

Γ(y) =γ γ≈β Γ, x: α` y:β and we have two cases to consider:

– x=y

SinceΓ` U:αwithα=γandγ≈βthen we concludeΓ` U:β.

– x6=y

The value is not affected by the substitution, then by ruleTV-IDΓ` y: β holds.

• CaseV is(~y)P By hypothesis

Γ, x:α`rP Γ, x:α` ~y:β~ (Γ, x:α)\ {~y} `r(~y)P:abs(β)~

SinceΓ` U:α, we apply the clause for Processes toΓ, x:α`_rP and obtain Γ `_r[U/x] P[U/x]. The names in~yare bound, so they are not affected by the substitution, then by ruleTV-ABSand by definition of substitution, we getΓ\ {~y} `_r[U/x] ((~y)P)[U/x] :abs(β)~ which concludes the case.

(20)

Substitution on Methods. By hypothesis, the following derivation tree holds.

Γ, x:α`rP1 Γ, x:α` y~1:β~1

(Γ, x:α)\ {y~₁} `_r(y~₁)P₁:abs(β~₁) . . .

Γ, x:α`rPn Γ, x:α` y~n:β~n

(Γ, x:α)\ {y~_n} `_r(y~_n)P_n:abs(β~_n) (Γ, x:α)\({y~1} ∪. . .∪ {y~n})`rm:ρ

By hypothesisΓ ` U: α. We apply the clause for Processes to Γ, x: α `_r P1, . . . ,Γ, x:α `r Pn and obtainΓ `_r[U/x] P1[U/x], . . . ,Γ `_r[U/x] Pn[U/x]. Let δ1 =abs(β~1), . . . , δn =abs(β~n). Since the names iny~1, . . . , ~ynare bound, they are not affected by substitution soΓ` y~₁:β~₁, . . . ,Γ` y~_n:β~_nhold. ByTM-METHrule, the following derivation tree holds

Γ`_r[U/x]P₁[U/x] Γ` y~₁:β~₁ Γ\ {y~₁} `_r[U/x] (y~₁)P₁[U/x] :δ₁ . . .

Γ`_r[U/x] P_n[U/x] Γ` y~_n: β~_n Γ\ {y~_n} `_r[U/x] (y~_n)P_n[U/x] :δ_n Γ\({y~₁} ∪. . .∪ {y~_n})`r[U/x]{l1= (y~₁)P₁[U/x]. . . l_n= (y~_n)P_n[U/x]}:ρ

where{l₁ = (y~₁)P₁[U/x]. . . l_n = (y~_n)P_n[U/x]}is by definition of substitution {l₁= (y~₁)P₁. . . l_n= (y~_n)P_n}[U/x].

Substitution on Processes. We proceed by case analysis on the structure ofP, tracing the last typing rule applied.

• CaseP isinaction

We derive by hypothesis,Γ, x:α`r inaction. SinceΓ` U:α, byTP-INACT

rule we concludeΓ`r[U/x]inaction.

• CaseP isy!l[V~]

By hypothesis, the following derivation holds

Γ, x:α`rV~ :ρ.l Γ, x:α` y∈ {dom(ρ),ch(ρ)}

Γ, x:α`ry!l[V~] Letβ~ =ρ.l, then the derivation ofΓ, x:α`rV~: β~is

Γ, x:α`rV₁:β₁ . . . Γ, x:α`rV_n:β_n Γ, x:α`rV~ :β~

We have two sub-cases:

– x=y

By hypothesisΓ ` U: α. We apply the clause for Values toΓ, x: α`r

V1:β1,. . .,Γ, x:α`rVn:βnand concludeΓ`_r[U/x] V~[U/x] :β. Since~ x =y, we obtainΓ ` U ∈ {dom(ρ),ch(ρ)}. By ruleTP-MSGwe conclude the sub-case.

Γ`_r[U/x]V~[U/x] :ρ.l Γ` U ∈ {dom(ρ),ch(ρ)}

Γ`_r[U/x]U!l[V~[U/x]]

that can be written asΓ`_r[U/x]U!l[V~][U/x], by definition of substitution.

(21)

– x6=y

By hypothesis Γ ` U: α. Then, we apply the clause for Values to Γ, x:α`r V1:β1,. . .,Γ, x: α`r Vn:βn, and getΓ`_r[U/x] V~[U/x] :β.~ Sincex6=y,Γ ` y ∈ {dom(ρ),ch(ρ)}holds and we conclude the sub- case by ruleTP-MSG.

Γ`_r[U/x]V~[U/x] :ρ.l Γ` y∈ {dom(ρ),ch(ρ)}

Γ`_r[U/x]y!l[V~[U/x]]

which isΓ`r[U/x]y!l[V~][U/x], by definition of substitution.

• CaseP isy?morP isy?∗m

These two cases hold in a very similar way. We illustrate the proof for the first case as an example. By hypothesis, Γ, x: α `_r y?m, so the following type derivation holds

Γ, x:α`rm:ρ Γ, x:α` y:ch(ρ) Γ, x:α`ry?m

We need to study two sub-cases:

– Casex=y

Since Γ ` U: α, we apply the clause for Methods toΓ, x:α `r m: ρ and getΓ `_r[U/x] m[U/x] : ρ. By hypothesis,Γ ` y: ch(ρ)so we get Γ` U:ch(ρ)and by ruleTP-OBJthe following type derivation holds.

Γ`_r[U/x]m[U/x] :ρ Γ` U:ch(ρ) Γ`r[U/x]U?m[U/x]

that, by definition of substitution is written asΓ`_r[U/x](U?m)[U/x].

– x6=y

By hypothesis, Γ ` U: α, and applying the clause for Methods to Γ, x:α`r m:ρ, we getΓ`rm[U/x] :ρ. Sincex6=y,yis not affected by substitution and byTP-OBJrule the following derivation tree concludes the sub-case.

Γ`r[U/x]m[U/x] :ρ Γ` y:ch(ρ) Γ`r[U/x]y?m[U/x]

that is written asΓ`r[U/x](y?m)[U/x], by definition of substitution.

• CaseP isout[y, l[V~]]

By hypothesis,

Γ, x:α`y(r ~V) :ρ.l Γ, x:α` y:dom(ρ) Γ, x:α`rout[y, l[V~]]

whereβ=ρ.land the derivation ofΓ, x:α`y(r ~V) :β~is

(22)

Γ, x:α`yr:β0 Γ, x:α`yV1:β1 . . . Γ, x:α`yVn:βn

Γ, x:α`y(r ~V) :β~ We have four sub-cases to handle:

– Casex=yandx=r

Since by hypothesis, Γ ` U: α, we apply the clause for Values to Γ, x:α `y r: β0, Γ, x: α `y V1: β1,. . .,Γ, x: α `y Vn: βn and get ΓÙ U: β0,ΓÙ V1[U/x] :β1,. . .,ΓÙ Vn[U/x] :βn. By hypothesis, Γ ` U: αandΓ, x:α` y:dom(ρ), soΓ` U:dom(ρ)holds. By rule TP-OUTwe conclude the case

Γ`U U ~V[U/x] :β~ Γ` U:dom(ρ) Γ`_U out[U, l[V~[U/x]]]

where

ΓÙ U:β0 ΓÙ V1[U/x] :β1 . . . ΓÙ Vn[U/x] :βn

Γ`U U ~V[U/x] :β~

that by definition of substitution isΓ`U out[U, l[V~]][U/x].

– Casex6=yandx=r

Since by hypothesis, we have Γ ` U: α, applying the clause for Val- ues to Γ, x: α `y r,Γ, x: α `y V1: β1, . . . ,Γ, x: α `y Vn: βn we get Γ `y U: β0, Γ `y V1[U/x] : β1, . . ., Γ `y Vn[U/x] :βn. So, we haveΓ `y (U ~V)[U/x] :β. Name~ y is not affected by the substitution so Γ` y: dom(ρ)holds. By ruleTP-OUTwe obtain the following derivation tree

Γ`_yU ~V[U/x] :β~ Γ` y:dom(ρ) Γ`U out[y, l[V~[U/x]]]

and the proof forΓ`_yU ~V[U/x] :β~is

Γ`y U:β0 Γ`yV1[U/x] :β1 . . . Γ`yVn[U/x] :βn

Γ`yU ~V[U/x] :β~

that is written asΓ`U out[y, l[V~]][U/x], by definition of substitution.

– Casex=yandx6=r

By hypothesisΓ` U: αand we apply the clause for Values toΓ, x:α`_y r: β₀,Γ, x: α `_y V₁: β₁, . . ., Γ, x: α `_y V_n: β_n and obtain Γ `_U r: β0,Γ `U V1[U/x] : β1,. . ., Γ `U Vn[U/x] : βn. Since Γ ` U: α andΓ, x: α ` y:dom(ρ), thenΓ ` U: dom(ρ). By ruleTP-OUT the following derivation holds

Γ`U r ~V[U/x] :β~ Γ` U:dom(ρ) Γ`rout[U, l[V~[U/x]]]

(23)

where

ΓÙ r:β0 ΓÙ V1[U/x] :β1 . . . ΓÙ Vn[U/x] :βn

Γ`U r ~V[U/x] :β~

that is written asΓ`rout[U, l[V~]][U/x], by definition of substitution.

– Casex6=yandx6=r

By hypothesis and the clause for Values the following derivation tree concludes the case

Γ`yr ~V[U/x] :β~ Γ` y:dom(ρ) Γ`rout[y, l[V~[U/x]]]

where

Γ`_yr:β₀ Γ`_y V₁[U/x] :β₁ . . . Γ`_y V_n[U/x] :β_n Γ`y r ~V[U/x] :β~

that is written asΓ`_rout[y, l[V~]][U/x], by definition of substitution.

• CaseP is((~y)Q)V~ By hypothesis,

Γ, x:α`rQ Γ, x:α` ~y:β~ (Γ, x:α)\ {~y} `r(~y)Q: abs(β)~

(Γ, x:α)\ {~y} `rV1:β1

...

(Γ, x:α)\ {~y} `rVn:βn

(Γ, x:α)\ {~y} `rV~ :β~ (Γ, x: α)\ {~y} `r((~y)Q)V~

Names in~yare bound, so they are not affected by the substitution andΓ` ~y: β~ holds. SinceΓ` U:α, we apply induction hypothesis toΓ, x:α`rQ, clause for Values to(Γ, x:α)\ {~y} `rV1:β1,. . .,(Γ, x:α)\ {~y} `rVn:βn, and by ruleTP-APPwe derive the following tree

Γ`r[U/x]Q[U/x] Γ` ~y:β~ Γ\ {~y} `_r[U/x](~y)Q[U/x] :abs(β)~

Γ\ {~y} `_r[U/x]V1[U/x] :β1

...

Γ\ {~y} `r[U/x]Vn[U/x] :βn

Γ\ {~y} `_r[U/x]V~[U/x] :β~ Γ\ {~y} `r[U/x]((~y)Q[U/x])V~[U/x]

that is , by definition of substitution, the same asΓ`_r[U/x]((~y)Q~V)[U/x].

• CaseP isP1|P2,Pisnewy Q, orPisin[Q].

These cases hold trivially. We illustrate the proof for the first case as an example.

By hypothesis, the following type derivation holds Γ, x:α`rP1 Γ, x:α`rP2

Γ, x:α`rP1|P2

(24)

by induction hypothesis applied toΓ, x: α `_r P₁andΓ, x: α `_r P₂, and by TP-PARwe conclude

Γ`_r[U/x]P₁[U/x] Γ`_r[U/x] P₂[U/x]

Γ`_r[U/x] P₁[U/x]|P₂[U/x]

that is, by definition of substitution,Γ`_r[U/x](P1|P2)[U/x].

• CaseΓ, x:α`rmkdom[y, m|iS, P]inR The following derivation tree holds

Γ, x:α`_ym:ρ Γ, x:α`yS|P Γ, x: α` y:dom(ρ)

Γ, x:α`y{m|iS}[P] Γ, x:α`_rR (Γ, x: α)\ {y} `_rmkdom[y, m|iS, P]inR where

Γ, x:α`y S Γ, x:α`y P Γ, x:α`yS |P

We apply induction hypothesis to Γ, x: α `y P, to Γ, x: α `y S, and to Γ, x:α`r R, and obtainΓ`y P[U/x],Γ`y S[U/x], andΓ`r[U/x] R[U/x], respectively. By the clause for Methods applied to Γ, x: α `y m: ρ we get Γ `y m[U/x] :ρand sinceyis bound,Γ ` y: dom(ρ)holds. Therefore, by TP-MKDrule we conclude the following derivation tree

Γ`_y m[U/x] :ρ Γ`y S[U/x]|P[U/x]

Γ` y:dom(ρ)

Γ`y{m[U/x]|iS[U/x]}[P[U/x]] Γ`_r[U/x]R[U/x]

Γ\ {y} `r[U/x]mkdom[y, m[U/x]|iS[U/x], P[U/x]]inR[U/x]

where

Γ`yS[U/x] Γ`yP[U/x]

Γ`yS[U/x]|P[U/x]

that isΓ`_r[U/x](mkdom[y, m|iS, P]inR)[U/x], by definition of substitution.

Substitution on Networks. The proof for the second case is also obtained by straightforward induction on the typing of Γ ` N, and analyzing the structure of N. We present only the case that is different from the first clause.

• CaseN isy{m|iS}[P]

By hypothesis

Γ, x:α`_ym:ρ

Γ, x:α`yS Γ, x:α`yP

Γ, x:α`_yS|P Γ, x:α` y:dom(ρ) Γ, x:α`y{m|iS}[P]

We have two sub-cases:

(25)

– x=y

FromΓ, x:α`_xm: ρandΓ` U:αwe apply the clause for Methods and obtainΓÙ m[U/x] :ρ. By induction hypothesis applied toΓ, x:α`yP andΓ, x: α`y S, we get, respectively,ΓÙ P[U/x]andΓ Ù S[U/x].

From Γ ` y:dom(ρ)and by hypothesis, we getΓ ` U: dom(ρ). By TN-DOMrule the following derivation tree holds

Γ`U m[U/x] :ρ

Γ`U S[U/x]

Γ`U P[U/x]

Γ`U S[U/x]|P[U/x] Γ` U:dom(ρ) Γ`U{m[U/x]|iS[t/s]}[P[t/s]]

that isΓ`(U{m|iS}[P])[U/x], by definition of substitution.

– x6=y

SinceΓ, x: α`y m: ρandΓ ` U: α, applying the clause for Methods we getΓ`ym[U/x] :ρ. By induction hypothesis applied toΓ, x:α`yP andΓ, x:α`y S, we get, respectively,Γ `y P[U/x]andΓ `y S[U/x].

Sinceyis not affected by the substitution,Γ ` y: dom(ρ)holds and the following derivation tree concludes the case byTN-DOMrule.

Γ`ym[t/s] :ρ

Γ`yS[U/x]

Γ`yP[U/x]

Γ`yS[U/x]|P[U/x] Γ` y:dom(ρ) Γ`y{m[U/x]|iS[U/x]}[P[U/x]]

that may be rewritten asΓ` (y{m|iS}[P])[U/x], by definition of substitution.

Lemma A.2 (Strengthening)

1. Ifx /∈fn(V)∪ {s}andΓ, x: α`sV:β, thenΓ`sV:β.

2. IfΓ, x:α`sm:ρandx /∈fn(m)∪ {s}, thenΓ`sm:ρ.

3. IfΓ, x:α`sP andx /∈fn(P)∪ {s}, thenΓ`sP. 4. IfΓ, x:α`Nandx /∈fn(N), thenΓ`N.

Proof. The proof of the first three results is by mutual induction on the typing derivation.

Strengthening for Values.

• CaseV isy

Sincex6=y, this case holds by hypothesis and we concludeΓ` y: β.

(26)

• CaseV is(~y)P

Γ, x:α`sP Γ, x:α` ~y:β~ (Γ, x:α)\ {~y} `_s(~y)P: abs(β)~

Sincex /∈fn(P)∪ {s}, by the clause for Processes applied toΓ, x:α`sP, we getΓ `sP. Names in~yare bound soΓ` ~y:β~ holds and by ruleTV-ABSwe conclude

Γ`sP Γ` ~y:β~ Γ\ {~y} `s(~y)P:abs(β~)

Strengthening for Methods. By straightforward induction on the derivation tree of (Γ, x:α)\({y~1} ∪. . .∪ {y~n})`rm:ρ.

By hypothesis,

Γ, x:α`sP₁ Γ, x:α` y~₁:β~₁ (Γ, x:α)\ {y~₁} `s(y~₁)P₁:abs(β~₁)

Γ, x:α`sP_n Γ, x:α` y~_n:β~_n (Γ, x: α)\ {y~_n} `s(y~_n)P_n:abs(β~_n) (Γ, x:α)\({y~1} ∪. . .∪ {y~n})`s{l1= (~y1)P1. . . ln = (y~n)Pn}:ρ Sincex /∈fn(m)∪ {s}, we concludeΓ` y~1: β~1, . . . ,Γ` y~n:β~nand applying the clause for Processes toΓ, x:α`sP1, . . . ,Γ, x:α`sPn, the following derivation tree holds.

Γ`sP1 Γ` y~1:β~1

Γ\ {y~1} `s(y~1)P1: abs(β~1)

Γ`sPn Γ` y~n: β~n

Γ\ {y~n} `s(~yn)Pn: abs(β~n) Γ\({y~₁} ∪. . .∪ {y~_n})`_s{l₁= (y~₁)P₁. . . l_n= (y~_n)P_n}:ρ

Strengthening for Processes. Proved by induction of the derivation tree of Γ `s

P. We proceed by case analysis on the structure ofP, analyzing the last typing rule applied.

• CaseP isinaction

By hypothesis,Γ, x:α`sinaction, thenΓ`sinaction.

• CaseP isy!l[V~]

Letβ~ =ρ.l. The following derivation tree holds Γ, x:α`sV1:β1

...

Γ, x:α`sVn:βn

Γ, x:α`_sV~:β~ Γ, x:α` y∈ {dom(ρ),ch(ρ)}

Γ, x: α`sy!l[V~]

Since x /∈ fn(V~)∪ {s}, we apply the clause for Values and rule TV-SEQ to Γ, x:α`_sV₁, . . .Γ, x:α`_sV_n, and obtainΓ`_sV~ :β. By hypothesis,~ x6=y, soΓ ` y ∈ {dom(ρ),ch(ρ)}holds. Applying TP-MSGrule we conclude the case.

(27)

• CaseP isy?morP isy?∗m

These two cases are proved similarly. We prove only the first case. By hypothesis,

Γ, x:α`sm:ρ Γ` y:ch(ρ) Γ, x: α`sy?m

Since,x /∈fn(m)∪ {s}, by the clause for Methods applied toΓ, x: α`_sm:ρ we getΓ `s m:ρ. By hypothesis,x6=y, soΓ ` y:ch(ρ)holds. Therefore, applyingTP-OBJrule we conclude the case

Γ`sm:ρ Γ` y:ch(ρ) Γ`sy?m

• Caseout[y, l[V~]]

Letβ~ =ρ.l.

Γ, x:α`ss:β0

Γ, x:α`sV1:β1

...

Γ, x:α`sV_n:β_n

Γ, x:α`s(s~V) :β~ Γ, x:α` y:dom(ρ) Γ, x:α`sout[y, l[V~]]

Sincex /∈ {s} ∪fn(Vi), i∈I, by the clause for values we getΓ`s(s~V) :β~and byTP-OUTrule, we conclude the case.

• CaseP is((~y)Q)V~ By hypothesis,

Γ, x:α`sQ Γ, x:α` ~y:β~

(Γ, x:α)\ {~y} `s(~y)Q:abs(β)~ (Γ, x:α)\ {~y} `sV~ :β~ (Γ, x:α)\ {~y} `s((~y)Q)V~

Since x /∈ ({s} ∪ fn(Q)∪fn(V~))\ {~y}, we apply induction hypothesis to Γ, x:α `_s Q, and the clause for Values to(Γ, x: α)\ {~y} `_s V~: β~ and de- duce, respectively,Γ `s QandΓ\ {~y} `s V~ : β. Names in~ ~y are bound, so Γ` ~y: ~βholds. Therefore, we concludeΓ`s((~y)Q)V~ by ruleTP-APP.

• CaseP isP1|P2,Pisnewy QorP isin[Q]

These cases hold trivially. We prove only the first case. By hypothesis, Γ, x:α`sP1 Γ, x:α`sP2

Γ, x:α`sP1|P2

Since by hypothesis,x /∈fn(P1)∪fn(P2)∪ {s}, we apply induction hypothesis toΓ, x: α`s P1 andΓ, x: α `s P2, and getΓ `s P1andΓ `s P2. By rule TP-PAR, we concludeΓ`sP1|P2.