COMMUNICATIONS OF THE ACM
cacm.acm.org 05/2011 VOL.54 NO.5
Brain-Computer Interfaces
Weapons of Mass Assignment
Online Advertising, Behavioral Targeting, and Privacy
The Future of Microprocessors
I, Domestic Robot
Proving Program Termination
Association for Computing Machinery
8th ACM Conference on
General Chair:
Ashok Goel
Program Co-Chairs:
Ashok Goel, Georgia Institute of Technology, USA
Fox Harrell, Massachusetts Institute of Technology, USA
Brian Magerko, Georgia Institute of Technology, USA
Yukari Nagai, Japan Advanced Institute of Science and Technology, Japan
Jane Prophet, Goldsmiths College, University of London, UK
THE ACM A. M. TURING AWARD
by the community ◆ from the community ◆ for the community
LESLIE G. VALIANT
for transformative contributions to the theory of computation, including the theory of probably approximately correct (PAC) learning, the complexity of enumeration and of algebraic computation, and the theory of parallel and distributed computing.
“Leslie Valiant’s research in the theory of computation has revolutionized both machine learning and artificial intelligence, making machines almost think. His approach invites comparison with Alan Turing himself—a novel formulation starting from a deep fundamental insight. Intel is pleased to support this year’s ACM Turing Award.”
For more information see www.intel.com/research.
“Google joins in honoring Leslie Valiant for his profound impact on computer science research and his inspired innovations in machine learning, an area of growing importance in computing. We are pleased to sponsor this award, which motivates and recognizes the great advances in computing that together have had such a beneficial impact on the world.”
For more information, see http://www.google.com/corporate/index.html and http://research.google.com/.
Financial support for the ACM A. M. Turing Award is provided by Intel Corporation and Google Inc.
communications of the acm
Communications of the ACM is the leading monthly print and online magazine for the computing and information technology fields.
Communications is recognized as the most trusted and knowledgeable source of industry information for today’s computing professional.
Communications brings its readership in-depth coverage of emerging areas of computer science, new trends in information technology,
and practical applications. Industry leaders use Communications as a platform to present and debate various technology implications,
public policies, engineering challenges, and market trends. The prestige and unmatched reputation that Communications of the ACM
enjoys today is built upon a 50-year commitment to high-quality editorial content and a steadfast dedication to advancing the arts,
sciences, and applications of information technology.
DOI:10.1145/1941487.1941489
Many thanks for Cynthia Dwork’s article “A Firm Foundation for Private Data Analysis” (Jan. 2011), explaining why, in trying to formalize what is perfect privacy, we cannot use the late University of Stockholm economist Tore E. Dalenius’s criterion that asking allowed queries of a statistical database, we should not be able to learn new (private) information about a particular individual. When preparing to discuss Dwork’s article at a recent colloquium in our computer science department, we came up with an even simpler explanation of such an impossibility:
One important purpose of collecting statistical data is to help identify correlations between, say, weight and blood pressure. Suppose, for example, it turns out that blood pressure is equal to weight, and we know that person A (not in this database) weighs 180 pounds. Without the database, A’s blood pressure might be private, but once we learn the perfect correlation from it, we can conclude that A’s blood pressure is 180.
In real life, we never see such perfect correlation, but, by analyzing the database and discovering some correlation, we know more about the probability of different values of blood pressure than we would otherwise know.
Vladik Kreinovich and Luc Longpre, El Paso, TX
Recall the Lost Frontiers of Virtual Worlds
The Future Tense essay “Rebirth of Worlds” (Dec. 2010) lamented the demise of historic, online interactive 3D destinations. Since 1997 when they first appeared on the Web, virtual worlds have inspired artists, engineers, and scientists alike to explore and build the emerging frontiers of cyberspace. As Rumilisoun (a.k.a William Sims Bainbridge) wrote, despite the wonderful destinations across entertainment, education, and community, we are left to ask, “How can I still get there?”
What came through clearly in “Rebirth of Worlds” is the author’s nostalgia for the experience of those worlds—their realities and possibilities. Such compelling emotional, perceptual, existential content may indeed be gone for good. Loss of an appealing game world is lamentable, but it is even more disheartening with engineering and scientific content, where we require the durability and reproducibility of our interactive 3D digital content—models, behaviors, worlds, and scenarios—for decades to come.
Enterprise-scale adopters, along with many others, also feel the pain of virtual-world babelization, as developing and maintaining innovative assets like worlds, avatars, and business logic across platforms become increasingly complex. Content models and network protocols are fragmented, making it difficult to create integrated information spaces and a compelling user experience. In the tumult of proprietary virtual-world technology, lack of reuse is a major obstacle to achieving improved efficiencies and economies of scale.
In the face of this market churn is a proven path for interactive 3D environments that includes royalty-free, extensible content models designed for the Web and semantic integration. Consumers and computer professionals alike should therefore demand and participate in the development of international standards needed to raise the greatest common denominator of future-proof 3D content.
Nicholas F. Polys (president of Web3D Consortium), Blacksburg, VA
Let Implementation Semantics Unlock the Pop
The lock-free pop operation Nir Shavit described in his article “Data Structures in the Multicore Age” (Mar. 2011) depends on the semantics of the Java implementation in an important way. The push operation allocates a new node object during the call, and it is this object that is placed on the stack. In addition, the assignment of oldTop at line 13 creates a reference to the top node, keeping it alive until the return from the function.
This is of interest because if any of these constraints is not true, the pop operation would not work. In particular, if one would naively implement a push-and-pop mechanism along these lines in a language like C++, and let the clients provide the object to be pushed, and returned that object to the clients when the pop occurred, the program would be wrong. This is because after fetching oldTop (line 13) and newTop (line 17) other threads could remove the top node, remove or push other nodes, then push the top node again. The compareAndSet would then succeed, even though newTop was no longer the correct new value. Similarly, if the implementation allocated a node in push, and freed it in pop, the program would be wrong because the freed-node storage might be reused in a subsequent push, leading to the same error.
The Java implementation also involves hidden costs, including allocation and garbage collection of the node objects and concurrency control required in the memory-allocation system to make it work. These costs must be considered, as they are essential to the correctness of the program. Be warned about not using apparently identical algorithms that do not satisfy the hidden constraints.
Marc Auslander, Yorktown Heights, NY
Protect Software Consumers Like Everyone Else
I regret that Joel F. Brenner responded to my letter to the editor “Hold Manufacturers Liable” (Feb. 2011) concerning his Viewpoint “Why Isn’t Cyberspace More Secure?” (Nov. 2010) with two strawman arguments and one outright misstatement.
Brenner said software “is sold pursuant to enforceable contracts.” As the Viewpoint “Do You Own the Software You Buy?” by Pamela Samuelson (Mar. 2011) made clear, software is not “sold.” Every EULA insists software is licensed and only the media on which it is recorded are sold; a series of court decisions, of which the Vernor v. Autodesk decision Samuelson cited is the most recent and one of the most conclusive, have upheld this stance.
This mischaracterization by Brenner is one of the keys to understanding how manufacturers of such shoddy goods get off essentially scot-free. If software were actually sold, the argument that it should be exempt from the protections of the Uniform Commercial Code would be much more difficult to maintain, in addition to other benefits thoroughly discussed elsewhere (including by Samuelson in her column).
Even though EULAs have been held enforceable, such a determination comes at the expense of the consumer. Almost without exception, EULAs have the effect of stripping the consumer of essentially all reasonable rights and expectations, compared with other goods and services. And while click-through and shrink-wrap EULAs have indeed been found to be enforceable, many reasonable people (including me) believe it should not be the case, since the vast majority of consumers do not read these “contracts” and do not understand their consequences. Brenner apparently does not consider them a significant problem.
Finally, Brenner simply reiterated his assertion that “Congress shouldn’t decide what level of imperfection is acceptable.” I agree. There are basic consumer protections that apply to all other goods, as embodied in the UCC. Neither a further act of Congress nor detailed specifications of product construction are required to give consumers the right to expect, say, a stove, properly used and maintained, will not burn down their house. The corre-
cause (as Brenner seems to believe) I
means toward the end of meeting the basic standards of non-harm and reliability taken as a given for all other products. In any case, Brenner did not say why he thinks a different process should be used for setting functional safety and reliability standards for software than for other consumer goods. Simply asserting “software is different” is not a reasoned argument.
L Peter Deutsch, Palo Alto, CA
Author’s Response:
Thanks to Deutsch for correcting my error. Software is of course licensed rather than sold. As Deutsch says, this is why UCC product-liability standards for purchased goods haven’t improved software quality. But his point strengthens my argument. I was explaining, not defending, the status quo, which is lamentable precisely because liability is weak. I cannot fathom why Deutsch thinks I’m indifferent to higher engineering standards for software. They represent the only basis on which a liability regime can be founded, even for licensed products.
Joel F. Brenner, Washington, D.C.
Correction
Sarah Underwood’s news story “British Computer Scientists Reboot” (Apr. 2011) incorrectly attributed statements by King’s College London professor Michael Luck to King’s College London professor Andrew Jones. This has been corrected in the online article. We apologize for the error.
Communications welcomes your opinion. To submit a Letter to the Editor, please limit your comments to 500 words or less and send to letters@cacm.acm.org.
© 2011 ACM 0001-0782/11/05 $10.00
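
The interleaving Marc Auslander's letter above describes (fetch oldTop and newTop, other threads pop and re-push the top node, the compareAndSet succeeds anyway) can be replayed deterministically on one thread. This C code is an added example, not code from the letter or from Shavit's article. The index-based node pool, all names, and the version-tagged top word (a common mitigation the letter does not mention) are assumptions of the example.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NIL 0xFFFFFFFFu            /* "null" index: empty stack / end of list */

/* Nodes live in a client-owned pool and are named by index, so the same
 * node can be pushed, popped and pushed again (there is no garbage collector). */
struct node  { char name; uint32_t next; };
struct stack {
    _Atomic uint64_t top;          /* high 32 bits: version tag, low 32: index */
    struct node *pool;
    bool versioned;                /* false: tag stays 0, i.e. a bare "pointer" */
};
struct pending { uint64_t old_top; uint32_t new_idx; };   /* oldTop / newTop */

static uint32_t idx_of(uint64_t w) { return (uint32_t)w; }

/* Word to install as the new top; the versioned variant bumps the tag.
 * A 32-bit tag can wrap, so it narrows the ABA window rather than closing it. */
static uint64_t make_top(const struct stack *s, uint64_t old, uint32_t idx) {
    uint32_t tag = s->versioned ? (uint32_t)(old >> 32) + 1u : 0u;
    return ((uint64_t)tag << 32) | idx;
}

static void push(struct stack *s, uint32_t i) {
    uint64_t old = atomic_load(&s->top), want;
    do {
        s->pool[i].next = idx_of(old);
        want = make_top(s, old, i);
    } while (!atomic_compare_exchange_weak(&s->top, &old, want));
}

/* First half of pop: read oldTop and newTop. */
static struct pending pop_begin(struct stack *s) {
    struct pending p;
    p.old_top = atomic_load(&s->top);
    uint32_t i = idx_of(p.old_top);
    p.new_idx = (i == NIL) ? NIL : s->pool[i].next;
    return p;
}

/* Second half of pop: the compareAndSet from oldTop to newTop. */
static bool pop_commit(struct stack *s, struct pending p) {
    uint64_t expected = p.old_top;
    uint64_t want = make_top(s, p.old_top, p.new_idx);
    return atomic_compare_exchange_strong(&s->top, &expected, want);
}

static uint32_t pop(struct stack *s) {
    for (;;) {
        struct pending p = pop_begin(s);
        if (idx_of(p.old_top) == NIL) return NIL;
        if (pop_commit(s, p)) return idx_of(p.old_top);
    }
}

/* Replays the letter's interleaving. Returns the index left at the top and
 * reports whether the delayed compareAndSet succeeded. */
static uint32_t replay(bool versioned, bool *stale_cas_ok) {
    struct node pool[3] = { {'A', NIL}, {'B', NIL}, {'C', NIL} };  /* constructed */
    struct stack s = { .pool = pool, .versioned = versioned };
    atomic_store(&s.top, (uint64_t)NIL);
    push(&s, 2); push(&s, 1); push(&s, 0);   /* stack: A -> B -> C */

    struct pending p = pop_begin(&s);        /* "thread 1": oldTop=A, newTop=B */
    uint32_t a = pop(&s);                    /* "thread 2" removes A ...       */
    (void)pop(&s);                           /* ... removes B (client owns it) */
    push(&s, a);                             /* ... pushes A again: A -> C     */
    *stale_cas_ok = pop_commit(&s, p);       /* "thread 1" resumes its CAS     */
    return idx_of(atomic_load(&s.top));
}

int main(void) {
    bool ok;
    uint32_t top = replay(false, &ok);
    printf("bare top:      stale CAS %s, top is now %c\n",
           ok ? "succeeded" : "failed", "ABC"[top]);
    top = replay(true, &ok);
    printf("versioned top: stale CAS %s, top is now %c\n",
           ok ? "succeeded" : "failed", "ABC"[top]);
    return 0;
}
```

With the bare top word the stale compareAndSet succeeds and the stack's top becomes B, a node that was already handed back to a client; with the version tag the same compareAndSet fails and the pop has to retry.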
DOI:10.1145/1941487.1941490
Challenges and Business Models for Mobile Location-based Services and Advertising
Subhankar Dhar and Upkar Varshney
Location-based services have attracted considerable attention due to their potential to transform mobile communications and the potential for a range of highly personalized and context-aware services. Since the days of early location-tracking functionalities introduced in Japan in 2001 and in some U.S. networks, location-based services have made considerable progress.
The potential for location-based services is evident from powerful and ubiquitous wireless devices that are growing in popularity. Many surveys predict billions of dollars in revenues for mobile advertising. Mobile network operators are well positioned to take up a significant percentage of this advertising revenue as they negotiate deals with content providers. Recent deals between media companies, advertising agencies, and the Internet/software industry also demonstrate significant optimism for future growth.
However, there are many challenges that have slowed down the deployment, offering, and wide-scale adoption of location-based services. The challenges include emerging technologies, suitable applications, and business models. This article addresses both technical- and business-related challenges in location-based services, specifically in mobile advertising. The authors explore how location-based mobile advertising can generate revenues and sustain successful business models. However, they are quick to note that while mobile advertising will become more pervasive and profitable, it will not happen before key technical and business challenges are addressed.
Is Open Source Security a Myth?
Guido Schryen
During the past few decades we became accustomed to acquiring software by procuring licenses for a proprietary or binary-only immaterial object. We regard software as a product we have to pay for, just as we would pay for material objects. However, in more recent years, this widely cultivated habit has begun to be accompanied by a software model characterized by software that comes with a compilable source code. This type of software is referred to as open source software (OSS).
While there is consensus that opening up source code to the public increases the number of reviewers, the impact of open source on software security remains controversial. While the security discussion is rife with beliefs and guesses, only a few quantitative models and some empirical studies appear in the literature; and most of those studies examine only one or a few packages.
This article presents a comprehensive empirical investigation of published vulnerabilities and patches of 17 widely deployed open source and closed source software packages. The empirical analysis uses comprehensive vulnerability data contained in the NIST National Vulnerability Database and a newly compiled data set of vulnerability patches. Based on these comprehensive data sets, this study is capable of providing empirical evidence that open source and closed source software development do not significantly differ in terms of vulnerability disclosure and vendors’ patching behavior—a phenomenon that has been widely assumed, but hardly investigated.
Invisible Work in Standard Bibliometric Evaluation of Computer Science
Jacques Wainer, Siome Goldenstein, and Cleo Billa
Multidisciplinary committees routinely make strategic decisions, rule on subjects ranging from faculty promotion to grant awards, and rank and compare scientists. Though they may use different criteria for evaluations in subjects as disparate as history and medicine, it seems logical for academic institutions to group together mathematics, computer science, and electrical engineering for comparative evaluation by these committees.
These evaluations will be more frequent as the number of scientists increases. Since the number of funding sources grows more slowly, and research practices vary among different subjects, using the same criteria in different areas may produce notable injustices. The ongoing discussion on CS research evaluation helps build the case for the CS community defending itself from expected injustices in future comparative evaluations.
Traditional assessment criteria are based on Thomson Reuters’ Web of Science (WoS) indexing service, quantifying the production and number of citations of individual scientists, university departments, whole universities, countries, and scientific areas.
Here, the authors provide some quantitative evidence of unfairness, defining researchers’ invisible work as an estimation of all their scientific publications not indexed by WoS or Scopus. Thus, the work is not counted as part of scientists’ standard bibliometric evaluations. To compare CS invisible work to that of physics, mathematics, and electrical engineering, they generated a controlled sample of 50 scientists from each of these fields and focused on the distribution of invisible work rate for each of them using statistical tests.
doi:10.1145/1941487.1941491 http://cacm.acm.org/blogs/blog-cacm
Data Warehouses
Data warehouses are not only increasing in size and complexity, but also in their importance to business. Michael Stonebraker shares 10 key ideas on the topic.
Michael Stonebraker
From “My Top 10 Assertions About Data Warehouses”
http://cacm.acm.org/blogs/blog-cacm/98136
Data warehouses, business intelligence, business analytics, and complex analytics are the subject of increasingly intense marketing wars, seemingly accelerated by Oracle’s introduction of the Exadata appliance. Here is my spin on the situation. Please note that I have a financial interest in several database companies, and may be biased in a number of ways. The reader should always keep this in mind.
1. Star and snowflake schemas are a good idea in the data warehouse world.
In short, data warehouses store a large collection of facts. The overwhelming majority of these facts are the “five Ws” (who, what, where, when, and why) along with a collection of attributes about the fact. For example, a typical retail organization stores facts about historical transactions. These facts include the customer (who), the retail store (where), the time of the sale (when), and the purchased product (what), along with attributes of the sale (e.g., price, sales tax, credit card, etc.).
One should organize such data as shown in the figure here. Such a schema is called a star schema, with a central fact table and surrounding dimension tables. If stores are organized into divisions, then the star schema has another table between store and fact, and becomes a snowflake schema. Star and snowflake schemas are clean, simple, easy to parallelize, and usually result in very high-performance database management system (DBMS) applications.
If you are a data warehouse designer and come up with something other than a snowflake schema, you should probably rethink your design.
However, you will often come up with a design having a large number of attributes in the fact table; 40 attributes are routine and 200 are not uncommon. Current data warehouse administrators usually stand on their heads to make “fat” fact tables perform on current relational database management systems (RDBMSs).
2. Column stores will dominate the data warehouse market over time, replacing row stores.
on disk. A typical business intelligence query requires half-a-dozen attributes or less (e.g., find me the average price of widgets by store by month for the past two years). A row store will read all 200 attributes, even though only six are required. In contrast, a DBMS that organized data by column will read only the six required, a savings of a factor of 33.
Since fact tables are getting fatter over time as business analysts want access to more and more information, this architectural difference will become increasingly significant. Even when “skinny” fact tables occur or where many attributes are read, a column store is still likely to be advantageous because of its superior compression ability.
For these reasons, over time, column stores will clearly win.
3. The vast majority of data warehouses are not candidates for main memory or flash memory.
Data warehouses are increasing in size faster than storage is getting cheaper. Business analysts have an appetite for as much attribute data as they can get their hands on, and want to keep increasingly long periods of history. Hence, data warehouse problems are getting “net harder,” not “net easier.” Put differently, most data warehouses are measured in Gbytes today, Tbytes tomorrow, and Pbytes the next day.
4. Massively parallel processor (MPP) systems will be omnipresent in this market.
Massively parallel processor systems are the only kind of computer architecture that will scale to Pbytes. All vendors, with a very few exceptions, are or will soon support MPP. Don’t bet on anything that is not in the MPP camp.
5. “No knobs” is the only thing that makes any sense.
It is pretty clear that human operational costs dominate the cost of running a data warehouse. This is mainly the system administration and database administration that is involved in keeping a MPP system up and in managing a Pbyte-sized warehouse. Database administrator (DBA) costs include designing schemas, reprovisioning databases to add or drop resources, adding and dropping users, etc.
Almost all DBMSs have 100 or more complicated tuning “knobs.” This requires DBAs to be “4-star wizards” and drives up operating costs. The only thing that makes sense is to have a program that adjusts these knobs automatically. In other words, look for “no knobs” as the only way to cut down DBA costs.
6. Appliances should be “software only.”
In my 40 years of experience as a computer science professional in the DBMS field, I have yet to see a specialized hardware architecture—a so-called database machine—that wins.
In other words, one can buy general-purpose CPU cycles from the major chip vendors or specialized CPU cycles from a database machine vendor. Since the volume of the general-purpose vendors are 10,000 or 100,000 times the volume of the specialized vendors, their prices are an order of magnitude under those of the specialized vendor. To be a price-performance winner, the specialized vendor must be at least a factor of 20−30 faster.
I have never seen a specialized hardware architecture that is faster by this amount.
Put differently, I think database appliances are a packaging exercise—i.e., preconfigure general-purpose hardware and preload the DBMS on it. This results in a software-only appliance.
7. Hybrid workloads are not optimized by “one size fits all.”
If one has a workload that is part online transaction processing (OLTP) and part data warehouse, then he or she has two options: 1) Run a general-purpose RDBMS that stores both kinds of data; and 2) Run two systems, an OLTP engine and a data warehouse engine, coupled together with a high-speed interchange to move operational data into the data warehouse.
Row stores are not good at data warehouse applications (see #1). Column stores are optimized for data warehouses and are not good at OLTP. Hence, neither is a good candidate for a one-size-fits-all implementation. Instead, there are a number of interesting new ideas to accelerate OLTP, including main-memory SQL engines, main memory caches, and flash systems. When coupled with a column store in a two-system configuration, I assert the result will be a factor of 50 or so faster than solution 1.
8. Essentially all data warehouse installations want high availability (HA).
If there is data corruption in a 10 Tbyte warehouse, recovering the database from the database log will take a very long time. Of course, the exact amount of time depends on log formats, number of disks allocated to the log, and so on. However, restoring a 10 Tbyte dump from 10 disks is likely to take hours, not minutes, and then one has to perform a roll forward from the dump. Hardly anybody is interested in taking this kind of downtime.
Instead, most installations use replication and fail over to a replica if there is data corruption. Then, the corrupted copy can be rebuilt as a background task. Hence, HA is used for recovery, not the DBMS log. Obviously, this requires the DBMS to support HA; otherwise, it is a manual DBA hassle to accomplish the same thing in user code.
9. DBMSs should support online reprovisioning.
Not always, but often, I hear a request for online reprovisioning. In other words, one initially allocates 10 nodes to accomplish warehouse processing. The load later rises, and the desire is to allocate 20 nodes to the task originally done by 10. This requires the database to be repartitioned over double the number of nodes.
Hardly anybody wants to take the required amount of downtime to dump and reload the DBMS. A much better solution is for the DBMS to support reprovisioning, without going offline.
10. Virtualization often has performance problems in a DBMS world.
I hear many users say their long-term goal is to move to the cloud, whether using the public cloud or inside the firewall on “an enterprise cloud.” Here, a collection of servers is allotted to several-to-many DBMS applications inside an enterprise firewall. Often, such systems are managed by using virtualization software to present virtual nodes to the DBMS and its applications.
My experience is that CPU resources can be virtualized with modest overhead (say, 10%). However, data warehouses entail disk-based data. In this world, all MPP DBMSs “move the query to the data.” Obviously, this requires knowing the physical data distribution. Virtualization will destroy this knowledge, and turn what were originally reads to a local disk into reads to non-local disks. In other words, local I/O gets replaced by remote I/O, with an obvious significant performance hit.
Until better and cheaper networking makes remote I/O as fast as local I/O at a reasonable cost, one should be very careful about virtualizing DBMS software.
Of course, the benefits of a virtualized environment are not insignificant, and they may outweigh the performance hit. My only point is to note that virtualizing I/O is not cheap.
A Diagram of a Star Schema.
Customer (c-key, c-attributes)
Time (t-key, t-attributes)
Fact (c-key, s-key, t-key, p-key, attributes)
Store (s-key, s-attributes)
Product (p-key, p-attributes)
Michael Stonebraker is an adjunct professor at the Massachusetts Institute of Technology.
cacm online
ACM
Member
News
DOI:10.1145/1941487.1941492 Scott E. Delman Judith S. Olson
Named 2011–2012
The number of photos on the Internet is large and rapidly getting larger. The photo-hosting Web site Flickr uploaded its five-billionth picture on September 18, 2010, and Pingdom, a Swedish company that monitors Internet performance, estimated last year that Facebook is adding photos at a rate of 30 billion a year.
Such numbers present both a challenge and an opportunity for scientists focused on computer vision. The challenge lies in figuring out how to
MIT’s Visual Dictionary by Antonio Torralba, Hector J. Bernal, Rob Fergus and Yair Weiss
“In the old days we used to do image matching,” says Nuno Vasconcelos, head of the Statistical Visual Computing Laboratory at the University of California, San Diego. Computers would derive some statistical model of an example image and then look for matches with other images. “It works to some extent,” says Vasconcelos, “but it doesn’t work very well.” The programs would find low-level matches, based on factors such as color or texture. A beach scene, all sand and sky, might be matched with a picture of a train, with an equal amount of sky and a color similar to sand.
Nowadays, Vasconcelos says, the emphasis is on trying to understand what the image is about. Starting with a set of images labeled by humans, a machine learning algorithm develops a statistical model for an entire class of images. The computer calculates the probability that a picture is a beach scene—based on labels such as “beach,” “sand,” “ocean,” and “vacation”—and then matches the picture with other images with the same probability.
To train such algorithms, scientists need large sets of labeled images. While datasets with a few thousand photos exist, the algorithms become more accurate with much larger sets. Fei-Fei Li, an assistant professor at the Stanford Vision Lab, started developing such a dataset in ImageNet, along with Kai Li, a computer scientist at Princeton University.
They started with WordNet, a hierarchical database of English words in which distinct concepts are grouped into sets of synonyms called synsets; there are 80,000 synsets just for nouns. The researchers entered each of the synonyms into Internet search engines to collect about 10,000 candidate images per synset. Then, using labor provided by Amazon Mechanical Turk, in which people earn small payments for tasks that require human input, they had people verify whether a candidate image contained the object listed in the synset. The goal is to have 500 to 1,000 images per synset. So far, they’ve amassed more than 11 million labeled images in about 15,500 categories, putting them between a third and halfway toward their goal.
About 100 people participated in the ImageNet Challenge last summer to see if they could use the dataset to train computers to recognize objects in 1,000 different categories, from “French fries” to “Japanese pagoda tree.” Once the computers have shown they can identify objects, Fei-Fei says the next objective will be to recognize associations between those objects. Noticing context can aid in object recognition, she explains. “If we see a car on the road, we don’t keep thinking ‘Is it a boat? Is it an airplane?’ ”
Using Human Recognition
The Visual Dictionary project at the Massachusetts Institute of Technology (MIT) also seeks to develop a large dataset of labeled images, but relies on the fact that humans can recognize images even when they’re only 32 × 32 pixels. A Web page displays a mosaic representing 7.5 million images associated with 53,464 terms, with closely related words placed near each other on the mosaic. Each tile on the mosaic shows the average color of all the pictures found for that term, and clicking on it displays a box containing a definition and a dozen associated images. As people click on each tiny picture to verify that it matches the word, the computer records those labels. In another MIT project, LabelMe, the labeling gets even more specific, identifying not just a person, but heads, legs, and torsos, as well as roads, cars, doors, and so on.
The small size of these photos helps keep down the demand on computing capacity, but it also reveals something
Milestones
I, Domestic Robot
With recent advances in laser rangefinders, faster algorithms,
and open source robotic operating systems, researchers are increasing
domestic robots’ semantic and situational awareness.
Industrial robots, fixed-location and single-function machines, have long been staples of advanced manufacturing settings. Medical robots, which can help surgeons operate with smaller incisions and cause less blood loss than traditional surgical methods, are making fast inroads in metropolitan and suburban hospitals. Rescue robots, including wheeled and snake-like robots, are increasingly common, and were deployed in the search for survivors in the aftermath of the earthquake and tsunami that recently struck Japan. On the other hand, the promise of multipurpose domestic assistance robots, capable of a wide range of tasks, has been a distant goal.
However, recent advances in hardware such as laser rangefinders, open source robotic operating systems, and faster algorithms have emboldened researchers. Robots are now capable of folding laundry, discerning where to place an object on cluttered surfaces, and detecting the presence of people in a typical room setting.
“It’s easy for me to be optimistic, but if robots aren’t actually being useful and fairly widespread in 10 years, then I will be fairly disappointed,” says Charles Kemp, assistant professor of biomedical engineering at Georgia Tech University.

Photo: Willow Garage’s PR2, an open source robotics research and development platform. Photograph courtesy of Willow Garage.

Sensors Enable Awareness
In recent months, numerous research teams have published papers detailing advances in robots’ perceptual capabilities. These perceptual advances enable the robots’ mechanical components to complete domestic tasks hitherto impossible.
Kemp and his research team have pioneered semantic and situational awareness in robots through several methods, including the creation of radio frequency identification (RFID) semantic tags on common objects such as light switches, and by combining sensor data taken from both two-dimensional camera data and three-dimensional point clouds gathered by laser rangefinders.
University of Bonn researchers Jörg Stückler and Sven Behnke also demonstrated success, using a combination of 2D laser and camera sensors. They programmed a mobile service robot to combine laser rangefinder data that hypothesizes the presence of a person’s legs and torso with 2D frontal and profile images of the detected face.
Stückler and Behnke also modeled the semantic probability of detecting a person’s presence in different locations of a room—high probability in a chair and low probability on a bookshelf, for instance—and supplied the robot with that knowledge. The prior knowledge of the room semantics and precalculated range of likely valid facial height helps the Bonn researchers discern false positive returns.
Steve Cousins, CEO of Willow Garage, which manufactures the open platform general-purpose PR2 robot, says further advances in perceptual capabilities may be even more likely with the recent debut of sensing technology that enables a computer to analyze an area in three dimensions and then to create what the technology’s manufacturer, PrimeSense, calls a synchronized depth image. The technology sells for less than 1/20th of the de facto standard research rangefinder, which costs about $5,000. Both Cousins and Kemp believe the low cost of the PrimeSense sensor (it is a key component of Microsoft’s Kinect gaming system) may lead to a surge in situational and semantic robotic research. Kemp says his team recently installed one of the new sensors to its PR2.
In essence, Kemp says its real-time technology greatly simplifies a robot’s data-gathering process.
Prior to installing the new sensor, on projects such as the work on making the robot discern clutter, he says “we had to tilt the laser rangefinder up and down, then snap a picture and relate those two things. That’s a pretty slow process and really expensive.”

A Semantic Database
Kemp says there are two distinct research areas for similar problem sets in domestic robotics: those related to perceptual problem sets, and those related to mechanical awareness. For example, a roving robot meant to help a person with basic housekeeping chores must not only know how to differentiate a refrigerator door handle from a light switch, but it must also be able to calculate which approach its arms must take, and how firmly it must grip the respective levers.
In the experiment using RFID tags, Kemp created a semantic database the robot could refer to after identifying an object. The database contains instructions on how the robot should act upon an object. For example, under “actions,” after a robot identifies and contacts a light switch, the commands are “off: push bottom” and “on: push top.” Each of these actions is further sub-programmed with a force threshold the robot should not exceed.
Kemp is also investigating another approach to providing robots with such situational awareness that entails equipping human subjects with touch sensors. The sensors are held during the completion of common tasks such as opening refrigerators and cabinet doors in multiple settings. The information on the kinematics and forces of such actions is then entered into a database a service robot can access when it approaches one of these objects en route to performing a task.
“If the robot knows it is a refrigerator, it doesn’t have to have worked with that specific refrigerator before,” he says. “If the semantic class is ‘refrigerator’ it can know what to expect and be more intelligent about its manipulation. This can make it more robust and introduces this notion of physically grounded common sense about things like how hard you should pull when opening a door.”
Offboard computation akin to the kinematic database is also being done to improve already successful robotic tasks. A team of researchers led by Pieter Abbeel, an assistant professor of computer science at the University of California, Berkeley, programmed a general-purpose Willow Garage PR2 robot to fold towels randomly laid down on a tabletop by using a dense optical flow algorithm and high-resolution stereo perception of the towels’ edges and likely corners. Abbeel’s experiment yielded a perfect 50-out-of-50-attempt success rate; the robot was able to recalculate failures in the 22 instances that were not initially successful by dropping the towel, regrasping a corner, and carrying on until the task was completed.
Abbeel says his team has been able to greatly reduce the amount of time necessary to fold each towel in subsequent experiments, from 25 minutes to approximately four minutes, by utilizing a new approach: rather than rely heavily upon onboard perceptual data, Abbeel has performed parallel computations on the Amazon cloud on mesh models. Those models, he says, are “triangles essentially put together like people using computer graphics or physics-based simulations. Once you have that mesh model, you can do a simulation of how this article of clothing would behave depending on where you pick it up.”
The new approach, he says, relies on observations that the bottommost point of any hanging article is usually a corner. Two consecutive grasps of a towel, he says, will be highly likely to yield two diagonally opposed corners. For t-shirts, he says, likely consecutive grasps will be at the end of two sleeves for a long-sleeved shirt or the end of one sleeve and diagonally across at the hip for a short-sleeved shirt.
“There are a few of these configurations you are very likely to end up in, then all you need to do perception-wise is to differentiate between these very few possibilities,” Abbeel says.

ROS is Boss
Another hallmark advance of the domestic robot community is the growth of an open-source ecosystem, built around the BSD-licensed Robot Operating System (ROS), largely maintained by Willow Garage and Stanford University.
“Our goal has basically been to set the foundation for a new industry to start,” Cousins says. “We want two people to be able to get together in a garage and get a robotics business off the ground really quickly. If you have to build software as well as hardware from scratch, it’s nearly impossible to do that.”
Abbeel says the ROS ecosystem may go a long way to taking the robots out of the lab and into real-world locations.
“In order for these robots to make their way into houses and become commercially viable, there will need to be some sort of bootstrapping,” Abbeel says. “It will be very important for people to do some applications extremely well, and there has to be more than one. So I hope what may be happening, with robots in different places, is that different schools will develop a true sensibility for the robot, and these things could potentially bootstrap the process and bring the price down. A single app won’t be enough.”
Cousins says the combination of falling hardware prices for devices such as the PrimeSense sensor, and the blooming ROS ecosystem might be analogous to the personal computer research of the early 1970s, specifically comparing the PR2 to the iconic Xerox Alto desktop computer. List price on the PR2 is $400,000.
“Right now the PR2 is the platform to work on if you want to do mobile manipulation research,” Cousins says. “It’s a little expensive, but in today’s dollars it’s about the same as the Alto. It’s not going to be the robot you put into your grandmother’s home, but the software we develop on the PR2 will likely be a key component of the market. I think ROS is going to be driving those future personal robots.”

Further Reading
Stückler, J. and Behnke, S. Improving people awareness of service robots by semantic scene knowledge, Proceedings of RoboCup International Symposium, Singapore, June 25, 2010.
Maitin-Shepard, J., Cusumano-Towner, M., Lei, J., and Abbeel, P. Cloth grasp point detection based on multiple-view geometric cues with application to robot towel folding, 2010 IEEE International Conference on Robotics and Automation, Anchorage, AK, May 3–8, 2010.
Schuster, M.J., Okerman, J., Nguyen, H., Rehg, J.M., and Kemp, C.C. Perceiving clutter and surfaces for object placement in indoor environments, 2010 IEEE-RAS International Conference on Humanoid Robots, Nashville, TN, Dec. 6–8, 2010.
Yamazaki, A., Yamazaki, K., Burdelski, M., Kuno, Y., and Fukushima, M. Coordination of verbal and non-verbal actions in human–robot interaction at museums and exhibitions, Journal of Pragmatics 42, 9, Sept. 2010.
Attamimi, M., Mizutani, A., Nakamura, T., Sugiura, K., Nagai, T., Iwahashi, N., Okada, H., and Omori, T. Learning novel objects using out-of-vocabulary word segmentation and object extraction for home assistant robots, 2010 IEEE International Conference on Robotics and Automation, Anchorage, AK, May 3–8, 2010.

Gregory Goth is an Oakville, CT-based writer who specializes in science and technology.

© 2011 ACM 0001-0782/11/05 $10.00
Data Optimization in
Developing Nations
Artificial intelligence and machine learning could expand
access to health care, improve the quality of education, and respond
effectively to natural disasters in the developing world.
By now, many scientists and CEOs have begun to seize the opportunities that lie within the exabytes of data being generated each day. Banks trawl data to detect criminal fraud, marketers to spot emerging trends, researchers to uncover new patterns, and governments to reduce crime and provide better services.
Most data analyses thus far have focused on developed societies. Yet, a growing community of computer scientists is calling for new applications that would harness these data-analysis methods to improve the lives of people in developing nations. Machine learning and artificial intelligence, they say, are perfectly poised to promote socioeconomic development, respond more effectively to natural disasters, expand access to health care, and improve the quality of education. Now, thanks to the efforts of Eric Horvitz, a distinguished scientist at Microsoft Research, and Nathan Eagle, a researcher who lives in Kenya and holds faculty appointments at the Massachusetts Institute of Technology (MIT) Media Lab and Northeastern University, a small but diverse group of computer scientists is banding together to share ideas and information, and to define itself as a community.

Photo: Nathan Eagle (above), Eric Horvitz, and others are creating an Artificial Intelligence for Development community to address problems in economically developing countries. Photograph by Jeff Kubina.

Interest about the developing world has been growing in the field of Information and Communication Technology for Development (ICT-D), which encompasses projects that range from managing the delivery of basic services like health care and education to developing network infrastructure, but ICT-D has rarely focused on opportunities to apply artificial intelligence or mine data from developing nations. Last year, ICT-D experts set out to rectify that situation with the formation of the ACM Special Interest Group on Global Development (SIGDEV), which held its first conference at the University of London in December. What Horvitz, Eagle, and others aim to do is foster the creation of a subfield within ICT-D to address these deficiencies. The name they’ve proposed for it: Artificial Intelligence for Development, or AI-D.
It began two years ago at a Princeton University conference called Studying Society in a Digital World, which was organized by Edward W. Felten, director of the university’s Center for Information Technology Policy. Eagle presented a paper about using large data sets—in this case, phone calls in Britain—to test American sociologist Mark Granovetter’s “The Strength of Weak Ties” theory, which argues that innovation often travels most effectively via weak social connections. Did factors like the geographical distance between callers correlate with socioeconomic indicators like income and education? As it turns out, they did: Regions with a higher volume of geographically diverse calls scored lower on the Index of Multiple Deprivation, a statistical study that covers factors like employment, crime, and health care.
Horvitz was intrigued. “I’m passionate about machine intelligence and its applications,” he explains. “And I realized there’s a lot we can do to stimulate thought.” Horvitz was president for the Association for the Advancement of Artificial Intelligence (AAAI); with Eagle’s help, he set up an AAAI symposium titled Artificial Intelligence for Development at Stanford University, which took place last March.
“Our idea was that we have so much data, and the majority of it is being generated by people in the developed world,” says Eagle. “There’s
a real opportunity for us to repurpose that data and serve these underserved communities.”
The diverse set of projects presented at the Artificial Intelligence for Development symposium underscored his point. Much of the research was preliminary, but the initial results were promising. Shawndra Hill, an assistant professor in Operations and Information Management at the Wharton School of the University of Pennsylvania, who has also taught at Addis Ababa University (AAU), spoke of efforts to improve Ethiopia’s road safety. Ethiopia has the world’s highest rate of traffic fatalities, according to the World Health Organization, with a reported 114 deaths per 10,000 vehicles per year. By comparison, the U.K. has one death per 10,000 vehicles per year.
“The Ethiopian Traffic Enforcement Agency collects data on every accident that’s reported,” Hill explains. “Where did the accident happen, what did the intersection look like, what’s the road quality, was it raining, and so on.” Working with AAU lecturer Tibebe Beshah, Hill investigated the role of road-related factors in accident severity. The researchers tested classification models to predict the severity of more than 18,000 car accidents and used a projective adaptive resonance theory algorithm to identify the data’s significant patterns. One research finding: Severe physical injuries were more likely to occur on straight, flat roads than on all other types of roads in the same area.
“The methods don’t change,” says Hill. “You could do the same analysis with data from the United States.” In a country that has the highest rate of traffic fatalities in the world, however—and those accidents being among the nation’s leading causes of death—the potential socioeconomic impact is huge. In the future, Hill and her fellow researchers hope to develop new predictive models that combine road data with driver information, and develop a decision support tool for the Ethiopian Traffic Office.
At the Artificial Intelligence for Development symposium, Eagle and Horvitz presented research in which they deduced the impact of seismic activity in the Lac Kivu region of the Democratic Republic of the Congo from three years of mobile phone data in neighboring Rwanda. “By watching anomalous call behavior, we could infer the epicenter of the earthquake,” Horvitz explains. The researchers could then make inferences about which areas in the Lac Kivu region were likely to have suffered the greatest damage and be of higher priority for emergency assistance workers. Eagle has used the same data to better understand the dynamics of urban slums and model the effects of social networks on infectious disease outbreaks. And University of California, Berkeley postdoctoral research fellow Emma Brunskill spoke of using traveling salesman techniques to help community health workers in the developing world—some of whom can be responsible for up to 4,000 people—improve the efficiency and timing of their visits to patients in rural areas. The data analysis was exploratory, but Brunskill says she is encouraged by the potential of existing techniques.
Another area she finds promising is education. Schools in developing nations often rely on a single computer per classroom. In experimental trials in Bangalore, India, Brunskill and a team of researchers built on foundational studies in multi-input interfaces to test the efficacy of an adaptive multi-user learning game. Initial trials suggested that customizing each student’s experience could increase her or his engagement by reducing the likelihood that a single student dominated the game.

Constraints, Costs, Challenges
While AI-D research methods may be the same as they are in mainstream Western science, other factors in developing nations are quite different. First and foremost are the technology constraints. Access to electricity, computers, and the Internet is limited in many areas. Language presents another barrier, as does cost. “The design considerations are much different,” says Lakshmi Subramanian, an assistant professor at the Courant Institute of Mathematical Sciences at New York University. Subramanian’s research includes the use of document classification and focused crawling methods to build offline educational portals, and computer vision techniques to detect diabetic retinopathy, the world’s leading cause of adult blindness. Yet, according to Subramanian, constraints are what make the problems interesting. “If you can only use SMS, what can you do? Turns out, you can do a lot, thanks to semantic compression and other tools,” he says. “In fact, we’ve built an SMS search engine in Kenya.”
Gaining access to useful data can also be a challenge. “There’s no culture of data like there is in the West,” says Hill. “Even businesses in Ethiopia aren’t collecting data like we are.” As a result, one of Horvitz and Eagle’s priorities is to create a central data repository to support new research projects. They began by compiling a list of useful resources at the AI-D symposium Web site, http://www.ai-d.org, from organizations like the World Bank, World Trade Organization, and UNICEF. They are also working with regional organizations, such as telephone companies, to share additional data.
“We’re trying to set up a Switzerland for data sets,” says Horvitz.
Beyond that, Horvitz and Eagle hope to get more computer scientists involved. Not surprisingly, in such a young field, there are differences of opinion about research, strategies, and direction. “There is a tension inherent in this area, as in the broader computing for development com-
Deus Ex Machina
Computational metaphysics is helping philosophers
answer age-old questions, such as whether God exists.
A famously tricky argument for the existence of God proposed by the British theologian Anselm in the 11th century recently got simpler with help from an automated reasoning engine. In a forthcoming paper in the Australasian Journal of Philosophy, Stanford philosophers Paul Oppenheimer and Edward Zalta discuss how they used a program called Prover9 to not only validate Anselm’s ontological argument from its admittedly dubious premises, but also greatly reduce the number of premises necessary to reach that conclusion.
This result is one of the more interesting discoveries in the new field of computational metaphysics, which uses computers to reason through problems in metaphysics. “Lots of fields are using computers to explore outstanding questions, and that’s true in philosophy no less than in other fields,” says Zalta, a senior research scholar at Stanford University’s Center for the Study of Language.
Philosophers have used computers before Oppenheimer and Zalta did, but its application is remarkable in metaphysics, a branch of philosophy dealing with the ultimate nature of reality. Lofty questions about existence, causation, and identity might seem too abstruse for automated reasoning; however, when formulated with mathematical precision, metaphysical propositions become ideal candidates for computer-assisted proofs in much the same way that mathematical theorems are, says Rutgers University philosopher Branden Fitelson, who’s used automated reasoning in his specialties, logic and the philosophy of science.
When software is doing the philosopher’s work of axiomatic reasoning—stepping logically from the premises to the desired conclusion—much of what’s left for the philosopher is the task of translating the airy language of philosophy into a form the software can work from (and then interpreting the program’s output). But accomplishing that is a nontrivial process, says Fitelson. Since statements in metaphysics use second-order logic, for which there is no guarantee of a proof for valid claims, “you’re outside the realm of being able to do things mechanically at all,” Fitelson explains. To get around this problem of undecidability, metaphysicians who want the aid of computers must first translate higher-order claims into the first-order claims of classical logic. But that usually leads to complicated sets of formulas that are hard for humans to work with. What’s more, philosophers must represent those formulas in the syntax of their automated reasoning system.
From there, by using tree search algorithms, the software can reliably find a proof or show a counterexample. And there’s no beating the rigor that computers provide to philosophers, finding logical holes that might not otherwise be apparent. Because a computer stops once it hits a gap in the logic, for it to validate a proof the argument has to be airtight. “In philosophy you’re not always sure that’s true,” says Fitelson, noting that metaphysics can be difficult to reason about with the kind of intuition one might apply to, say, geometry.
Zalta had no doubt when Anselm’s premises were fed into Prover9 that it would find a valid proof. “However, when we looked at the actual proof the machine spit out, we saw that it didn’t use all three premises!” Prover9 had found a way to derive Anselm’s conclusion using just one premise.
Whether Anselm’s argument is sound, as opposed to merely valid, depends on whether that premise itself is true—a question that philosophers will continue to debate. Nonetheless, having one premise gives would-be refuters a much clearer target. And, says Zalta, as philosophers develop more results using automated reasoning, the tools’ use should become more widespread.

Illustration by Gwen Vanhee.

Based in San Francisco, Marina Krakovsky is the co-author of Secrets of the Moneylab: How Behavioral Economics Can Improve Your Business.
Ever since World Wide Web inventor Sir Tim Berners-Lee announced the Web Science Research Initiative in 2006, researchers have been trying to map the boundaries of Web science, which spans a dizzying range of disciplines including computer science, economics, government, law, and psychology.
Complicating matters further has been the parallel evolution of a markedly similar-sounding field: Network science, whose devotees explore the characteristics of all types of networks, from neural networks to social networks to, yes, the Web.
Where do these two emerging fields overlap? Where do they diverge? These are some of the questions a group of scholars broached in the Third International Workshop on Network Theory, hosted last March at Northwestern University.

Figure: Collaboration network map of the participants of the Northwestern University workshop. Visualization created by Yun Huang, © SONIC at Northwestern University 2011.

“In one sense, Web science is a subset of network science. In another sense, network science is a subset of Web science,” says workshop co-chair Noshir Contractor, a professor of behavioral sciences at Northwestern.
Proponents of the former view argue that the Web is just one network among many that share certain common properties; for example, they are open, scale-free, and exhibit emergent properties like power laws. Proponents of the latter view tend to argue that the Web is fundamentally different from other networks in that it encompasses a broad range of human concerns that have little to do with a macro understanding of networks, such as issues of government policy, commerce, and human factors.
“In practice, Web science is focused on how we could do things better, while network science is more focused on how things work,” says Contractor, “but aspirationally, they are not different.”
Given their overlapping areas of interest, it might seem surprising that many of the leading researchers in each field remained largely unaware of the others’ work before they met for the first time at the Northwestern workshop.
“This was a coming together of two different communities,” says Dame Wendy Hall, a professor of computer science at the University of Southampton, who is one of the cofounders of the Web Science Research Initiative and now the managing director of its successor, the Web Science Trust.
Like so many good ideas, the idea for the workshop originated over drinks at a hotel bar. Hall remembers having a lively conversation with network theorist Manuel Castells during a meeting of the European Research Council. “We realized that we were coming at the same thing from different angles,” Hall says. Soon afterward, Castells introduced Hall to Contractor, initiating a series of conversations that led to the Northwestern workshop.
The workshop organizers hoped to frame a new research agenda by leveraging the commonalities and distinctive contributions of Web science and network science, and to formulate questions of interest to both communities.
The two-day conference covered a wide range of broadly related topics such as debating the merits of network science’s “pure” scientific approach vs. the more applied, engineering-oriented tactics of Web science; analyzing the effects of scale on network behaviors; exploring questions of causality, correlation, and inference; and discussing the possibility of a Web index, an idea currently being promoted by Berners-Lee.
Looking ahead, plenty of room exists for continuing dialogue between the two camps, who will almost certainly continue to probe each other’s boundaries while searching for common ground.
“Is Web science a subset of network science or is it the same thing?” asks Hall. “The answer is, It doesn’t matter.”

Alex Wright is a writer and information architect based in Brooklyn, NY.
Viewpoints
Economic and
Business Dimensions
Online Advertising, Behavioral
Targeting, and Privacy
Studying how privacy regulation might impact
economic activity on the advertising-supported Internet.
Data on the online behavior of consumers has allowed companies to deliver online advertising in an extraordinarily precise fashion. For example, a Lexus dealership can target advertising so that its ads are shown only to people who have been recently browsing high-end cars on auto Web sites. Such behavioral targeting has obvious benefits to advertisers because fewer ad impressions are wasted. Instead, advertisers focus their resources on the consumers most likely to be influenced by the ads. For consumers, however, ads that are behaviorally targeted can appear unauthorized and even creepy. As a result there have been calls in the U.S. and elsewhere for new regulation to restrict the collection and use of online

Illustration by Gluekit.
Education
Reaching Learners Beyond
our Hallowed Halls
Rethinking the design of computer science courses and broadening
the definition of computing education both on and off campus.
The vast majority of our efforts in computing education revolve around formal learning environments. By virtue of where computing courses and programs are offered, much of our work is centered on the undergraduate curriculum in colleges and universities. Recently, increased attention has been given to computing education throughout elementary and secondary education in efforts to broaden participation in the field and address concerns about the student pipeline. However, by focusing exclusively on these formal settings, we may be missing an opportunity to reach the millions of people who find computing outside of academia’s hallowed halls and are left to teach themselves through informal educational activities.
In this column, I focus on adults actively working in a traditionally non-computing discipline who, nonetheless, develop scripts or programs as part of their activities. These end-user programmers provide a canonical example of people engaged in informal computing education. Examples include accountants who write spreadsheet formulas and macros, biologists who create programs to simulate models or facilitate data analysis, and graphic designers who produce scripts to automate repetitive and tedious tasks. Disciplinary differences aside, a common characteristic of people in these examples is that their formal academic training is in something other than computing. Their knowledge of the computing fundamentals, and more specifically programming, is built largely from self-taught experiences and advice from peers.
Why should we be interested in these domains? At the very least, these informally trained individuals account for a substantial portion of the “computing pie.” Estimates for the U.S. suggest there will soon be more than 13 million self-described programmers in the workplace, compared to fewer than three million professionally trained programmers.5 The difficulties of learning to program are well documented, and informal learners are left to grapple with these challenges in an environment very different from what best practices in education recommend. We have the same concerns for these programmers as we have for those who are professional software developers. For example, do they create correct, robust, and reusable programs? Put simply, software written by informally trained programmers has a user base, and coding mistakes can cost valuable resources. The educational and training needs of this significant group of learners appear largely underserved by academic institutions today.

An Example in Graphic and Web Design
Over the course of the last five years, my colleagues and I have conducted a series of studies to better understand how to support the educational needs of a group of informally trained programmers. We have focused our attention on professional graphic and Web designers who actively write code in some aspect of their job.3 With educational backgrounds rooted in art and visual communication (and notably, very little STEM), the participants in our studies represent a unique outer bound of those who have a need for computing/programming later in life. It seems quite natural to require programming instruction for engineering majors, but rarely are similar requirements considered for art students.
One of the most striking observations about our study participants was the variety of their educational backgrounds. Even though those we interviewed shared similar job descriptions, they were trained in a wide variety of academic disciplines ranging from graphic design (as one might expect) to the humanities and the social scienc-
es. Further, very few of these designers tails. Despite the inherent problems looking for information. However,
had ever taken a course on program- and inefficiencies in learning this way, search results related to programming
ming or scripting as part of their sec- the designers we interviewed consis- questions can be difficult to interpret.
ondary, post-secondary, or even pro- tently preferred learning from code ex- When asked to read and modify a piece
fessional development activities. An amples to more general resources like of program code, participants often
intriguing (but admittedly anecdotal) books. Of utmost importance, then, is spent significant amounts of time
observation was that our participants the instructive quality of the examples studying search results that pointed
appeared considerably more gender being used (that is, with good explana- them to irrelevant code written in other
balanced and ethnically diverse than tions) and how obviously relevant the programming languages. Sometimes a
most demographic data reported for examples are. search might lead a user to a conceptu-
computer science. ˲˲ The Web as the Primary Resource. ally correct algorithm for their problem
Obviously this diversity poses a Closely related to the role of examples but implemented in an unfamiliar lan-
number of challenges for efforts to ad- is a heavy reliance on the Internet as the guage. This dissimilarity may cause the
dress the educational needs of these first line of support. Our participants example to be discarded altogether, or
designers in the future. That aside, we perceived the Internet as a complete cause the learner difficultly in making
took away two important lessons about resource—anything they might want the necessary adaptations to the cur-
current informal learning practices: must be in there somewhere. Given the rent context. The primary issues in us-
˲˲ Example-Driven Learning. The low cost associated with searching, the ing the Web as a resource for informal
main driver for our participants to Web is an attractive first option when learning about programming can be
learn something new about program- tied to difficulties in devising appropri-
ming derives directly from the needs ate search terms and judging the rele-
of the designer’s current project. With- The educational and vance of the resulting examples.4
in that context, the designer actively One underlying cause for these
seeks out examples related to the end training needs of this difficulties could be tied to our par-
goal in a somewhat piecemeal fashion. significant group ticipants’ lack of sufficient general,
Ideally, the designer learns as he or she abstract knowledge of the computing
sees examples that make use of new of learners appear and/or programming structures at play.
programming features. Unfortunately, largely underserved When a search based on purely syntac-
this doesn’t always happen due to the tic constructs fails, an expert would
unavailability of relevant examples, by academic fall back to a more general conceptual
Illust ratio n by F ra zer Huds o n
differences between the current goal institutions today. term (such as “exception handling”).
and that of the example, and the lack of The ability to see similarities between
explanation accompanying examples. algorithms implemented in different
The explanations found rarely draw languages often requires an ability to
out the computer science ideas used, abstract away from the concrete syn-
instead favoring specific practical de- tax. A recognized problem of highly
doi:10.1145/1941487.1941500 Tim Wu
In early 1935, a man named Clarence Hickman had a secret machine, about six feet tall, standing in his office. Hickman was an engineer at Bell Labs, and his invention was, at the time, a device without equal on earth, way ahead of its time. Here’s how it worked: in the event you called and Hickman was out, the machine would beep and a recording device would come on allowing the caller to leave a message.

What was truly interesting about Hickman’s answering machine was not just the idea of a machine that answered calls, but rather, what was in its guts. For inside Hickman’s machine was something new to the world: magnetic recording tape. Recall that before magnetic storage there were few low-cost means to store sound other than by pressing a record or making a piano roll. Over the long run, magnetic recording technology would not just herald audiocassettes and videotapes, but when used with the silicon chip, make computer storage a reality. Magnetic recording technology must be counted, in fact, as one of the most important inventions of the 20th century. For, from the 1980s onward, firms from Microsoft to Google—and by implication all the world—would become utterly dependent on magnetic storage, otherwise referred to as the hard disk.

Yet, there is something different about this story—the answering machine would not appear in American homes until the 1980s. What happened in the meantime, as we shall see, sheds light on central questions of innovation in the 20th century that remain central in the 21st century. The history of the answering machine forces us to confront the costs and benefits of monopoly in the information industries. It is also a question of growing importance in a technological age increasingly dominated by large firms like Google, Microsoft, and Facebook.

Bell Labs

That Bell Labs played a major role in inventing magnetic recording tape is, to any historian of technology, no surprise. Founded in 1925 for the specific purpose of improving telephony, Bell Labs made good on their mission (saving AT&T billions with inventions as simple as plastic insulation for telephone wires) and then some. By the 1920s the laboratories had effectively developed a mind of their own, carrying their work beyond better telephones and into basic research to become the world’s preeminent corporate-sponsored scientific body. It was

force for good. It is the kind of thing, in fact, that gives monopoly a good name. In current-era usage, the word “monopoly” is a scary concept, one that few would dare endorse publicly. But AT&T was, in its time, a proud monopolist, and even a critic is forced to admit a system run by a beneficent monopolist had its advantages. While to some degree Bell Labs served AT&T’s interests, it was also run, in part, out of a kind of noblesse oblige. For in a corporate setting, it is often difficult
Interview
An Interview with Steve Furber
Steve Furber, designer of the seminal BBC Microcomputer System and the widely used ARM microprocessor, reflects on his career.

Stephen Byram Furber is the ICL Professor of Computer Engineering in the School of Computer Science at the University of Manchester, U.K. Furber is renowned for his work at Acorn Computers Ltd., where he was a principal designer of the BBC Microcomputer System and the ARM microprocessor, both of which have achieved unique historical significance.

The BBC Micro platform was fundamental to computing in British education in the 1980s and directly led to the development of the ARM architecture. The ARM architecture is the most widely used 32-bit RISC architecture and the ARM processor’s power efficiency—performing the same amount of work as other 32-bit processors while consuming one-tenth the amount of electricity—has resulted in the widespread dominant use of the ARM processor in mobile devices and embedded systems.

Furber is a Fellow of the Royal Academy of Engineering, of the Royal Society, the IEEE, the British Computer Society and the Institution of Engineering and Technology (IET), and was appointed Commander of the Order of the British Empire (CBE) in 2008.

Jason Fitzpatrick, a computer historian and the curator at the Centre for Computing History at Suffolk, U.K., conducted an extensive interview with Furber on behalf of the museum, which is dedicated to creating a permanent public exhibition telling the story of the information age (see http://www.computinghistory.org.uk/.) A video of the interview is available at http://www.computinghistory.org.uk/det/5438/Steve-Furber-Interview-17-08-2009/; a condensed version of the interview is presented here.

I’d like to talk to you about your involvement with Acorn, and what it’s led to today.

I was at the University [in Cambridge]; I read maths as an undergraduate and I went on to do a Ph.D. in aerodynamics. During my Ph.D. I got interested in aspects of flight, and then I heard about the formation of the Cambridge University Processor Group. I thought maybe I should join up with these guys and see if I could build myself a flight simulator or something like that. I was involved in the University Processor Group from its foundation although I wasn’t actually a founder. I went along to the very first meetings and started building computers for fun, which was fairly scary in those days because the components had to be ordered from California by mail order using a credit card. I was a student so credit cards were fairly scary then; using them internationally was even scarier. But we got the microprocessors. My first machine was based on the Signetics 2650, which not many people have heard of these days. It had a full kilobyte of static RAM main memory. I assembled the circuit board using Verowire, which is a little wiring pen where you hand-wired the things together; you soldered it, which melted the insulation and made the connections. I understand it gave off carcinogenic vapor, but it hasn’t got me yet.

That’s how I built these things. I built myself a small rack—I couldn’t afford a commercial rack, so I made one and got the 2650 system going. In the Processor Group, enthusiasts exchanged notes with each other. I remember Sophie Wilson coming to my house for one meeting of the Processor Group, looking at my machine and poking away at it—finding faults in the memory and stuff like that. Then while I was still a Ph.D. student in the Engineering Department, Hermann Hauser came knocking on my door and explained that he and Chris Curry were thinking of starting a consultancy company in the microprocessor business. They had been looking to the University Processor Group as the source of
technical people who might be able to help them; he asked me if I was interested. I said, “Well, I’m just a hobbyist. I’ve been doing this for fun. But if you think I can help, I’m willing to give it a go.” That’s how I joined the embryonic Acorn, before it was Acorn.

Was it based inside Sinclair’s building at the time?

Yes, the first things we did were in the Science of Cambridge Building in King’s Parade. Chris Curry was set up running Science of Cambridge with Clive. Hermann and Chris did bits of Acorn work in there. In fact the first thing I did for Acorn was actually not for Acorn, it was for Science of Cambridge. I hand-built the prototype MK14; I got a circuit diagram and built one using Verowire, soldering in my front room. The MK14 was basically a copy of the National Semiconductor SC/MP development kit. They had taken what was a masked program ROM from the development kit and copied it into two fusible link PROMS for the MK14, and they managed to copy it wrong. So I debugged this thing in my front room. That was the first piece of work I did for them.

Then Chris and Hermann got a contract to do some development work on microprocessor controlled fruit machines, which were very new at that time. Up to that date fruit machines had all been controlled by relays and so on; this was an early attempt to do microprocessor stuff. We used two SC/MPs in a rack to control the fruit machine. In fact, the software for that was bootstrapped from the 2650 machine I built in the Processor Group; it was used as a dumb terminal into the SC/MP development kit, and we brought this fruit machine controller up. The main challenge in those days was to make these things robust. Very early on people had discovered if you just sparked electronic cigarette lighters next to the fruit machine, they would often pay out.

you interfered with it, it should definitely not pay out. The things were tested by plugging a mains adapter into the wall, plugging the fruit machine into one socket, and an arc welding transformer into the other. Somebody welded metal together while you operated the fruit machine to see if the thing was robust to sparking.

Fantastic! The feeling at that time was very much of the hobbyist. You just enjoyed doing that kind of thing, and the whole industry has pretty much come out of that. Is that fair to say?

Yes, that’s right. We are talking about the late 1970s before the IBM PC started, before the Apple II had appeared. There were some very basic box machines. I think the Altair had probably appeared about this time in the States.

In the University Processor Group, the real men built computers with TTL. It was only the wimps like me that used newfangled microprocessors, which were kind of cheating because you got too much functionality in one package. But yes, microprocessors were just entering the public consciousness, so the MK14 from Science of Cambridge was an example of a microprocessor on a printed circuit board with a hexadecimal keypad and seven segment display; you could put assembly code into it and make it run. Sophie saw the MK14 and said something which she said many times—basically, “I could do better than that.”—and she went home over
Easter holiday and came back with a design she called the Hawk, which was 6502-based. Hermann looked at this and thought he could sell it; that became the Acorn System 1. The name Acorn was introduced originally just as a trading name. The company was called Cambridge Processor Unit Ltd.

If you look at those machines today, the System 1 and the MK14, they are what most people would describe now as unusable. But these things sold in a big way.

The System 1 and the MK 14 sold faster than people could put the kits together. I think the System 1 was mainly sold as a kit, so you got the parts and you had to solder it together. But there was lots of interest. It was really the only way the general public could get their hands on anything that looked like a computer at that time. Real computers cost a million pounds, lived in clean rooms, and were only touched by men in white coats; whereas these things you could buy for £100 or £200 and play with at home.

It was just the want to own and control one of these things. A lot of it was driven by science fiction…

Of course, the real science-fiction aspect is they got used as props in TV shows as well. So the Acorn System 1 was featured as the computer on “Blake’s 7.” There was quite a lot of competition between Acorn and Sinclair at the time. Clive Sinclair had proudly boasted that you could control a nuclear power station with his ZX81. Well, this was nothing compared with controlling a 21st century interstellar cargo ship [on the “Blake’s 7” television program] with an Acorn System 1.

You win, hands down.

That’s right! [laughs]

Going forward to the BBC Micro, obviously the BBC came to Acorn with the specification for a machine? How did that change things at Acorn? The Atom was out and it was selling well. Then all of a sudden you were shot into fame in the computing industry.

The BBC Micro was a huge phenomenon. Of course, when the BBC came their spec was a Z80 machine running CP/M. The BBC Micro was neither Z80 nor CP/M, although a little bit later you could buy a Z80 second processor to run CP/M; we kind of met the spec in the end. But no, they were sufficiently convinced by what we could do with the 6502 that they moved the spec to the machine that Acorn had already begun to get on the drawing board. The Proton was always designed as a dual processor. The fact the BBC Micro had a second processor connection was actually because the BBC Micro was just the front end of something that was designed as a dual processor from the outset.

I remember that when the BBC was talking to Acorn—I wasn’t involved in the commercial discussions, I was just a techie—they were confident this machine would sell, and on the back of their programs we’d sell 12,000 of these machines. That was big numbers to Acorn. Not huge numbers—we’d probably sold several thousand Atoms—but it was really worth going for. Nobody imagined that that estimate would be off by a factor of a hundred—one and a half million were shipped in the end—because nobody really anticipated the wave of interest.

I really realized that this was a phenomenon when Sophie, Chris Turner, and I agreed to do a seminar at the IET in Savoy Place in London. It has a big central amphitheatre that sits about 500 or 600 people. They asked us to do a seminar on the BBC Micro. We went down there thinking this is a big room, I wonder if they’ll fill it? Three times the number of people they could get in the room turned up. People booked coaches from Birmingham; they had to be sent home because Health and Safety said they couldn’t let them in. Nobody was expecting this, either.

The machine was first sold in January of 1982, so this may have been later in 1982.

And that was the first time you thought this is big?

Well, this is when you first felt the scale of public interest. People were prepared to hire a coach from Birmingham to hear this bunch of techies, who probably didn’t know how to speak in public, say something about this hobbyist computer thing. Of course, we always had the education market in mind, but this was much bigger than just the education market in terms of interest. We actually went on tour with this seminar. We gave it twice more at the IET to soak up demand. We did a tour of the U.K. and Ireland. Everywhere we went there was a big turnout. There was real, real interest.

What sort of people were coming to this?

A wide range of people. I think it is the same phenomenon as with the System 1 but on a bigger scale. It was a bunch of people who recognized that computers were about to come within their reach, when they’d been behind closed doors throughout past history. There were lots of companies building machines at the time. We’ve mentioned Sinclair, but if you go and look at the machines coming out, the 1980s was a real era of diversity. Wonderful quirky machines of all shapes and flavors, all coming out of companies a bit like Acorn: small startups; enthusiasts the public couldn’t perhaps fully trust. Unless you were a hobbyist and a real enthusiast yourself, you didn’t know who to trust.

Then the BBC put their name on this machine from Acorn. I think that really was the key to the success of the BBC Micro, even though by the standards of the competition it was a slightly expensive machine. It was slightly higher spec and that was partly the BBC’s requirements. The BBC imposed—no, imposed is the wrong word—encouraged us to go with a particular spec. The spec was all negotiated and agreed; there was no imposition. But they were tough negotiations. The BBC had a pretty clear idea of what they wanted. The fact that we pushed
We also realized the price point was quite good for schools and professional users, but it was too high for hobbyists and most home users, so we developed the Electron, which was a cost-reduced BBC Micro - not an entirely happy story. There wasn’t much wrong with the machine, but

very involved in this. We were already thinking the BBC Micro has been a big success; we need to build on this. We could put second processors on, which tided us over for a bit. But really we needed to be thinking about the next big machine. It was clear that we were going to step up from 8 bits. 16-bit pro-

erably by the Berkeley and Stanford RISC work, but also by what she understood of the 6502, and also what was needed to write a good BASIC interpreter. Sophie had written several BASIC interpreters by then for the Atom, for the BBC Micro, for the 32016 second processor, and so on. She sketched out an instruction set.

Then in October 1983 Sophie and I went to visit the Western Design Center in Phoenix, Arizona. They were designing a slightly extended 6502, the 24-bit address 6502 that became the 65C816. We went in expecting to find big, shiny American office buildings with lots of glass windows and fancy coffee machines. What we found was a bungalow in the suburbs of Phoenix. They hired school kids during the summer vacation to do some of the basic cell design. Yes, they’d got some big equipment, but they were basically doing this on Apple IIs. My strong memory is walking out of there saying to each other, “Well, if they can design a microprocessor, so can we.”

We went back and from the tinkering that Sophie had been doing with instruction set design, which Hermann had entirely supported and approved of, we put the project on an official footing.

The other infrastructure aspect of this is that Andy Hopper from the Cambridge Computer Lab, who was a director at Acorn, had persuaded Hermann that if he was serious about staying in the computer business, he needed to get serious about chip design. Andy advised Hermann to get chip design tools from VLSI Technology, and Apollo workstations. They recruited IC designers, a group led by Robert Heaton. I can’t remember precisely the order they came in, but Jamie Urquhart came early, Dave Howard, Harry Oldham—all names still associated with ARM. So we’d got these tools and the IC designers, but no chips to design. Sophie and I were thinking we should have a go at designing our own microprocessor.

We looked at this RISC stuff, and thought this is kind of obvious, this is a good idea. So we’ll set off using these ideas and try to put something together. But it’s clear that big industry has got far more resources; they’re going to pick up on these ideas too, we’re just going to get squashed underfoot by big industry as it catches up. But if we set about doing this, we’ll learn something, we’ll understand something about what it takes to build a good microprocessor; and then we’ll be better at recognizing a good one when we see it. We didn’t expect this to go through. To us, building microprocessors was a black art. The big companies had hundreds of people, and it took them 10 revs of the chip before it started to work sensibly. It just looked like a black hole, and Acorn couldn’t afford that size of black hole.

But we got on with it. It turned out there is no magic. Microprocessors are just a lump of logic, like everything else we’d designed, and there are no formidable hurdles. The RISC idea was a good one; it made things much simpler. Eighteen months later, after about 10 or 12 man-years of work, we had a working ARM in our hands, which probably surprised us as much as it surprised everybody else.

In July 1985, we’d had the processor on our bench running for a couple of months; we decided it was time to say something to the public. I rang a journalist and said, “We’ve been working on this microprocessor design and we’ve got it working.” He said, “I don’t believe you. If you’d been doing this, I’d have known.”, and put the phone down. [laughs] We’d actually done this in considerable secrecy; the secrecy was so good that we couldn’t even persuade people when we got the working silicon in our hands. In terms of timescale, this was all happening at exactly the time when Acorn was going bust and being rescued by Olivetti. I believe Olivetti wasn’t told about the ARM when they bought Acorn. When they bought it, we thought, maybe it’s time to own up: they didn’t know what to do with it.

So we’re talking about a chip now that is in something like 92% of mobile devices today?

Yes. Around the end of 2007, the ten-thousand-millionth ARM had been shipped, so there are more ARMs than people on the planet. I believe production is currently running at about 10 million a day. It is projected to rise to about one per person on the planet per year within two or three years.

They’re mind-blowing numbers. Looking at all this and seeing how it’s changed us as people - to have this computing power in our pockets has completely changed the way we are and the way we live our lives. And you played an absolute key part in that. So what does it feel like, to know that you played a big part in it?

It’s kind of magic, isn’t it? I mean it’s largely serendipity. I spent some of my last two years at Acorn trying to work out how to build a business plan for a company that could take ARM out. Acorn’s desktop PC business was not big enough to support proper processor development; we needed a bigger market, so I tried to work out how to spin out a company. I could never get the numbers to work. You have to sell millions before the royalties start paying the bills. We couldn’t imagine selling millions of these things, let alone billions, which is where we are now. But a lot has happened to make that happen—it hasn’t gone there on its own. When the company was spun out, Robin Saxby was brought in, and he and the team evolved this business model, which has been instrumental in its success. Had Apple not come knocking at the door wanting the ARM for the Newton, and Robin Saxby not been brought in to head it up... You know, there are lots of ifs.

If these things hadn’t happened, we wouldn’t be where we are today. But where are we today? I’ve been trying to work this out. I suspect there’s more ARM computing power on the planet than everything else ever made put together. The numbers are just astronomical.

Copyright © 2011 The Centre for Computing History; http://www.computinghistory.org.uk
Viewpoint
The Importance of Reviewing the Code
Highlighting the significance of the often overlooked underlying software used to produce research results.

Contributors to journals, as well as researchers and politicians, are currently focused on such subjects as open access, data mining, and the growth of the Internet and information technologies together with their associated problems and solutions. At the same time, there is one extremely significant topic in scientific research and computing that is rarely addressed: the importance of the code.

Nowadays, the use of software is essential in many different research fields. It is possible to access a vast amount of research data thanks to the use of computers, software, and storage facilities. If you work in the field of geosciences—as I do—you probably rely on the use of satellite data collected for use by governmental or intergovernmental agencies that has undergone rigorous testing. Normally, there is a peer-reviewed paper to which you can refer and that you can cite when you use the data. It is possible to create your own scripts and code in order to work with the data, study the results, and formulate a hypothesis about the cause(s) of a phenomenon. In some cases, you might also use software packages that have been developed and released by others, such as spreadsheets and statistical programs. You might also use the functions that are available in your commercially released high-level programming language that make your daily programming tasks easier. When you have computed your results you might use them to publish a paper. Yet how often do reviewers or editors ask about the software used during research? You might receive a large amount of criticism about the statistics, methods, and data when you submit papers for publication, but how often do you receive comments about the software—who cares about that?

Given the lack of comments on software, the issue arises as to whether we are systematically violating basic principles of the scientific method. One such principle is that experiments should be reproducible. Yet it is often the case that reviewers, editors, and other scientists who read your paper cannot reproduce your experiment because they do

Photograph by Vasily Smirnov
It is arguable that
by independent programmers or agen-
cies. If such certification were available, Calendar
when using proprietary
it would suffice when submitting a pa-
per for publication to indicate that cer-
tified software had been used.
of Events
software it is a In order to realize the state of af- May 16–20
question of faith to rely fairs described here, the most desir- International Parallel and
Distributed Processing
able choice is to use free software (see
on the results, because http://www.gnu.org/philosophy/free-
Symposium,
Anchorage, AK,
it is not possible sw.html). Free software lets you go into Contact: Alan Sussman,
Email: als@cs.umd.edu
the code and check it. Using free soft-
to check the code. ware also follows the spirit of science,
May 16–20
in that scientists can disseminate any 5th International ICST
modifications they make to the code Conference on Performance
within the scientific community. Evaluation Methodologies and
Tools Communications,
Clearly, the challenges involved in Paris, France,
the same program can make the same applying the framework described in Contact: Lasaulce Samson,
computation in different ways, that is, this Viewpoint will vary between dif- Email: Samson.lasaulce@lss.
by using different algorithms, some of ferent fields of research. However, the supelec.fr
which will yield results with different amount of work entailed should not May 16–20
degrees of precision or accuracy. It is be seen as an excuse for not doing it. The Twelfth ACM International
generally the case that people are sim- Furthermore, it can be argued that in Symposium on Mobile Ad Hoc
ply too willing to believe the results of some fields of study, the possibility Networking and Computing,
Paris, France,
computations, especially in view of the of investigating a phenomenon using Sponsored: SIGMOBILE,
frequency with which bugs are present different approaches and theories, Contact: Philippe Jacquet,
in most commonly used programs. In- obtaining similar results, and test- Email: philippe.jackquet@
inria.fr
deed, it is arguable that when using pro- ing similar hypotheses should be suf-
prietary software it is a question of faith ficient to render the type of software May 19–21
to rely on the results, because it is not used unimportant. Yet to argue in this Computer Personnel Research
possible to check the code (see http:// way would be to miss the point. What Conference,
San Antonio, TX,
www.gnu.org/philosophy/categories. if the results differ? How do we explain Sponsored: SIGMIS,
html#ProprietarySoftware). the discrepancy? One possibility is Contact: Cindy K.
In light of the foregoing, we may well that the difference lies in the software Riemenschneider,
ask whether we should call for software code used. Thus, doing things in the Email: c_riemenschneider@
baylor.edu
specifications and code reviewers in sci- right way, by using free software, will
entific publishing. In fact, publishing bear fruit. At least it is something we May 21–28
the software specifications should be should aspire to, along with what we International Conference on
a requirement for authors and journal could call the scientific ideal. Software Engineering,
Waikiki, Honululu,
editors. The author’s own source code Sponsored: SIGSOFT,
should be published, at least on the In- Acknowledgments Contact: Richard N. Taylor,
ternet, along with the research results, The author would like to thank Rich- Email: taylor@uci.edu
and that source code should be acces- ard M. Stallman from the Free Software
May 23–25
sible to referees. This does not mean Foundation, Michael McIntyre from International Symposium on
that reviewers should be required to the Department of Applied Mathemat- Technology and Society,
study the code in detail before accept- ics and Theoretical Physics at the Uni- Chicago, IL,
Contact: Keith Miller,
ing a paper, because this would require versity of Cambridge, Gerald J. Suss- Email: miller.keith@uis.edu
too much work to be viable. However, man from the Computer Science and
having the source code available to Artificial Intelligence Laboratory at May 23–26
those who are interested would be a big MIT, and Brian Gough and José E. Mar- 5th International Conference
on Pervasive Computing
step forward. In fact, a relatively quick chesi from the GNU Project for their Technologies
check of the software code by an expert useful comments and suggestions. for Healthcare,
would be beneficial and would encour- Dublin, Ireland,
age authors to place greater emphasis Contact: John O’Donoghue,
Juan Antonio Añel (j.anhel@uvigo.es) is Ángeles Alvariño
Email: john.odonoghue@ucc.ie
on the reliability of the software they Researcher in the Environmental Physics Laboratory at
the Universidade de Vigo at Ourense, Spain.
use. This principle should clearly apply
to code that one writes oneself. In ad- This Viewpoint was accepted for publication in February
dition, prepackaged software (whether 2010; in the intervening time prior to publication
other material addressing this topic has appeared in
commercial or not) should be tested, Communications.
verified, and certified with its code filed
and accessible, and checked in detail Copyright held by author.
may 2 0 1 1 | vo l . 5 4 | n o. 5 | c o m m u n ic ati o n s o f t he ac m 41
The One-Second War

Thanks to a secretive conspiracy working mostly below the public radar, your time of death may be a minute later than presently expected. But don’t expect to live any longer, unless you happen to be responsible for time synchronization in a large network of computers, in which case this coup will lower your stress level a bit every other year or so.

We’re talking about the abolishment of leap seconds, a crude hack added 40 years ago to paper over the fact that planets make lousy clocks compared with quantum mechanical phenomena.

Timekeeping used to be astronomers’ work, and the trouble it caused was very academic. To the rural population, sunrise, midday, and sunset were plenty precise for all relevant purposes.

Timekeeping became a problem for non-astronomers only when ships started to navigate where they could not see land. Finding your latitude is easy: measure the height of the midday sun over the horizon, look at the table in your almanac, done. Finding your longitude is possible only if you know the time of day precisely, and the sun will not tell you that unless you know your longitude.

If you know your longitude, however, the sun will tell you the time very precisely. Using that time, you can make tables of other nonsolar astronomical events—for example, the transits of the
ter to know what time it was. Harrison’s chronometer just told you, any time you wanted to know.[4]

Ever since, astronomers have lost ground as “time lords.”

Time zones, made necessary by

in 1900,” neither a very practical nor very reproducible definition.

Louis Essen’s atomic clock won that battle, and SI (International System of Units) seconds became 9,192,631,770 periods of hyperfine radiation from a

January 1, 1972.[2] In practice, this works by astronomers sending the rest of the world a telegram twice a year to tell us how long the last minute of June and December will be: 59, 60, or 61 seconds.

There is a certain irony in the fact
that the UTC (Universal Time Coordinated) time scale depends on the rotation of one particular rock in the less fashionable western part of the galaxy. I am pretty sure that, should humans ever colonize other rocks, leap seconds will not be in the luggage.

How Leap Seconds Became a Problem

Until the advent of big synchronized networks of computers, leap seconds bothered nobody. Many computers used the frequency of the electrical grid to count time, and most had their time initially set from somebody’s wristwatch. The number of people who actually cared probably numbered fewer than two dozen worldwide.

Therefore, Unix didn’t bother with leap seconds. In the time_t definition from Unix, all minutes have 60 seconds, all hours 3,600 seconds, and all days 86,400 seconds. This definition carried over to Posix and The Open Group where it is presumably gold-plated for all eternity.

Then something shifted deep under the surface of the earth. We can only guess what it might have been, but there was no need for leap seconds for seven straight years: from the end of 1998 to the end of 2005. This was, more or less, the time when the Internet happened and everybody bought PCs with Windows. Most of the people who hacked Perl to implement the dot-com revolution had never heard of leap seconds.

This is what Microsoft had to say on the subject of leap seconds: “[...]after the leap second occurs, the NTP (Network Time Protocol) client that is running Windows Time service is one second faster than the actual time.”[3]

Unix systems running NTP will paper over the leap second, but there is no standard that says how this should be done. Your system might do one of the scenarios shown in the accompanying figure. Or it might do something entirely different. Some systems have resorted to slowing down the clock by 1/3600th for the last hour before the leap second, hoping that nobody notices that seconds suddenly are 277 microseconds long.

Figure: Sensitivities in leap seconds.
23:59:57    23:59:57    23:59:57
23:59:58    23:59:58    23:59:58
23:59:59    23:59:59    23:59:59
23:59:59    00:00:00    (halt for 1 sec)
00:00:00    00:00:00    00:00:00
00:00:01    00:00:01    00:00:00

That’s in theory. In practice it depends on the systems getting notice of the leap second and handling it as intended. In this context systems are also the NTP servers from which the rest of the computers get their time: at the 2008 leap second, more than one in seven in the public NTP pool servers got it wrong.

The Effort to “Fix” Leap Seconds

By early 2005 when the first leap second in seven years finally began to look likely, some people started to worry about a “Y2K-lite” event. Some bright person inside the U.S. military-industrial complex thought, “Wait a minute, why do we need leap seconds in the first place?” and proposed to the ITU-R (International Telecommunication Union, Radiocommunication Sector) that they be abolished, preferably before December 2005.

Nice try, but one should never underestimate the paper tiger in a UN organization.

The December 2005 leap second came, Armageddon did not, but it was painfully obvious to everybody who paid attention that there were massive amounts of software that needed fixing, before leap seconds would not cause trouble. Even the HBG time signal from the Swiss time reference system did it wrong.

Another leap second occurred in December 2008, and the situation had not changed in any measurable way, but at least the Swiss got it right this time.

Since then the proposal, known to insiders as TF.460-7, has been the subject of “further study” in “Study Group 7A,” and all sorts of secret scientific brotherhoods, from AAU to CCTF, have had their chance to weigh in. Many have, but few have clear-cut positions.

What is the Problem with Leap Seconds?

The problem is that more systems care about time at the second level.

Air Traffic Control systems perform anti-collision tests many times a second because a plane moves 300 meters in a second. A one-second hiccup in input data from the radar is not trivial in a tightly packed airspace around a major airport.

Medical products and semiconductors are produced in time-critical processes in complex continuous production facilities. On December 8, 2010, a 70-msec power glitch hit a Toshiba flash chip manufacturing facility, and 20% of the products scheduled to ship in January and February 2011 had to be scrapped: “Once the line is stopped, we can’t just resume production,” said Toshiba spokesman Hiroko Yamazaki.[5]

Technically, there is no problem with leap seconds that we IT professionals cannot tolerate. We just have to make sure that all computers know about leap seconds and that all programs, operating systems, and applications know how to deal with them.

The first part of that problem is we have only six months to tell all computers and software about leap seconds, because that is all the warning we get from the astronomers. In practice, we often have 10 months’ notice; for example, we were told on February 2 that there will be no leap second in December of this year.[1]

Unfortunately, this advantage is negated by some time signals—for example, the DCF77 signal from Germany, announcing the leap second only one hour ahead of time.

The other part of the problem—changing time_t to know about leap seconds—has nasty results: time is suddenly not a fixed radix quantity anymore. How much code finds the current day by d = t/86400 or tests if two events are further apart than a minute by if (t1 >= t2 + 60)? Nobody knows. How much of such code needs to be fixed if we change the time_t definition? Nobody knows.
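The interval test quoted above assumes every minute has 60 seconds. The following added example (not code from the article) compares that arithmetic with a table-driven count of elapsed SI seconds across the December 2008 leap second, and refuses to answer for times the table does not cover. The table holds only the three leap seconds the article names; the function names and the coverage bounds are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* POSIX timestamp of the first second AFTER each leap second the article
 * names (end of 1998, December 2005, December 2008). Sample table only. */
static const int64_t LEAP_AFTER[] = {
    INT64_C(915148800),   /* 1999-01-01 00:00:00 UTC */
    INT64_C(1136073600),  /* 2006-01-01 00:00:00 UTC */
    INT64_C(1230768000),  /* 2009-01-01 00:00:00 UTC */
};
#define N_LEAPS (sizeof LEAP_AFTER / sizeof LEAP_AFTER[0])

/* Assumed coverage of this sample table: 1998-12-31 to 2012-01-01 UTC. */
#define TABLE_FROM  INT64_C(915062400)
#define TABLE_UNTIL INT64_C(1325376000)

/* Naive interval: plain time_t subtraction, every minute is 60 seconds. */
int64_t naive_elapsed(int64_t t1, int64_t t2)
{
    return t2 - t1;
}

/* Number of leap seconds inserted in (t1, t2].
 * Returns -1 when either end lies outside the table's coverage, so a
 * stale table produces an error instead of a silently wrong interval. */
int leaps_between(int64_t t1, int64_t t2)
{
    if (t1 > t2 || t1 < TABLE_FROM || t2 > TABLE_UNTIL)
        return -1;
    int n = 0;
    for (size_t i = 0; i < N_LEAPS; i++)
        if (LEAP_AFTER[i] > t1 && LEAP_AFTER[i] <= t2)
            n++;
    return n;
}

/* SI seconds elapsed between two POSIX timestamps.
 * Returns 0 and stores the result in *out, or -1 if the table cannot say.
 * A timestamp taken during the leap second itself is ambiguous in POSIX
 * time (see the figure's scenarios) and cannot be repaired here. */
int si_elapsed(int64_t t1, int64_t t2, int64_t *out)
{
    int n = leaps_between(t1, t2);
    if (n < 0)
        return -1;
    *out = (t2 - t1) + n;
    return 0;
}

/* "Are the two events at least `limit` seconds apart?", the naive way. */
int naive_apart(int64_t later, int64_t earlier, int64_t limit)
{
    return later >= earlier + limit;
}

/* Same question in SI seconds: 1 = yes, 0 = no, -1 = table cannot answer. */
int si_apart(int64_t later, int64_t earlier, int64_t limit)
{
    int64_t d;
    if (si_elapsed(earlier, later, &d) != 0)
        return -1;
    return d >= limit;
}

int main(void)
{
    /* Constructed sample: 2008-12-31 23:59:30 and 2009-01-01 00:00:29 UTC. */
    int64_t a = INT64_C(1230767970), b = INT64_C(1230768029), d = 0;

    printf("naive elapsed: %lld s\n", (long long)naive_elapsed(a, b));
    if (si_elapsed(a, b, &d) == 0)
        printf("SI elapsed:    %lld s\n", (long long)d);
    printf("a minute apart? naive=%d si=%d\n",
           naive_apart(b, a, 60), si_apart(b, a, 60));
    return 0;
}
```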
The Y2K experience indicates it would be expensive to find out, because relative to Y2K, the questions are a lot harder than “2 digits or 4 digits.”

How do we tell if code that does s += 3600 intends this to mean “one hour from now” or “same time, next hour?” The original programmer did not expect there to be any difference, so the documentation will not tell us.

to do: test, fix, hope, or shut down.

Unsurprisingly, many plants and systems simply give up trying to predict what their multivendor heterogeneous systems will do with a leap second, and they sidestep the issue by moving or scheduling planned maintenance downtime to cover the leap second. For them, that is the cheapest way to make sure that no robot arms get out of sync with the assembly line and that no space-shuttle computers hiccup while in space.

I’m told from usually reliable sources that the entire U.S. nuclear deterrent is in “a special mode” for one hour on either side of a leap second and that the cost runs into “two-digit million dollars.”

But What Do Leap Seconds Actually Do?

Leap seconds make sure the sun is due south at noon by adjusting noon to happen when the sun is due south at the reference location. This very important job is handled by the International Earth Rotation Service (IERS).

Leap seconds are not a viable long-term solution because the earth’s rotation is not constant: tides and internal friction cause the planet to lose momentum and slow down the rotation, leading to a quadratic difference between earth rotation and atomic time. In the next century we will need a leap second every year, often twice every year; and 2,500 years from now we will need a leap second every month.

On the other hand, if we stop plugging leap seconds into our time scale, noon on the clock will be midnight in the sky some 3,000 years from now, unless we fix that by adjusting our time zones.

Actually, the sun is not due south at noon, and certainly not with a second’s precision, for more than an infinitesimal number of people who are probably totally unaware of it. Our system of one-

the year when their government has decided to have daylight saving time—although that could possibly put a select few of those who lost on the first criterion back in luck during that part of the year. Finally, it is really only a couple of times a year that the sun is precisely due south, for interesting orbital and geophysical reasons.

The people who really do care about UTC time being synchronized to earth rotation are those who use UTC time as an estimator for earth rotation: those who point things on earth at things in the sky—in other words, astronomers and their telescopes, and satellite operators and their antennae. Actually, that should more accurately be some of those people: many of them have long since given up on using UTC as an earth rotation estimator, because the +/- 1-second tolerance is not sufficient for their needs. Instead, they pick up Bulletin A or B from the IERS FTP server, which gives daily values with microsecond precision.

The Cost-Benefit Equation

Most of those involved on the “Abolish Leap Seconds” side of the debate claim a cost-benefit equation that essentially says: “cost of fixing all computers to deal correctly with leap seconds = infinity” over “benefits of leap seconds = next to nothing.” QED: case closed.

The vocal leaders of the “Preserve the Leap Seconds” campaign (not to be confused with the “Campaign for Real Time”) have a different take on the equation: “cost of unknown consequences of decoupling civil time from earth rotation = [a lot...infinity]” over
“programmers should fix their past mistakes for free.” QED: case closed.

Not a lot of common ground there, and not a lot of data supporting either proposition, although Y2K experience, as well as the principles of a capitalist economy, dictate that getting programmers to handle leap seconds correctly will be expensive.

A Possible Compromise?

Warner Losh, a fellow time-and-computer nerd, and I both have extensive hands-on experience with leap-second handling in critical systems, and we have tried to suggest a compromise on leap seconds that would vastly reduce the costs and risks involved: schedule the darn things 20 years in advance instead of only six months in advance.

If we know when leap seconds are to occur 20 years in advance, we can code them into tables in our operating systems, and suddenly 99.9% of our computers will do the right thing when leap seconds happen, because they know when they will happen. The remaining 0.1% of the systems, involving ready, cold spares on shelves, autonomous computers on the South Pole, and similar systems, get 20 years to update stored tables rather than six months to do so.

The astronomical flip side of this proposal is that the difference between earth rotation and UTC time would likely exceed the current one-second tolerance limit, at least until geophysicists get a better understanding of the currently not understood fluctuations in earth rotation.

The IT flip side is that we would still have a variable radix time scale: most minutes would be 60 seconds, but a few would be 61 seconds, and code that really cares about time intervals would have to do the right thing instead of just adding 86,400 seconds per day.

So far, nobody has tried, or if they tried, they failed to inject this idea into the official standards process in ITU-R. It is not clear to me that it would even be possible to inject this idea unless a national government, seconded by another, officially raises it at the ITU plenary assembly.

What Happens Next?

Proposal TF-460-7 to abolish leap seconds will come up for plenary vote at the ITU-R in January 2012, and if it, modulo amendments, collects a supermajority of 70% of the votes, leap seconds would cease beginning in approximately 2018. If the proposal fails to gain 70% of the votes, then leap seconds will continue, and we had better start fixing computers to deal properly, or at least more predictably, with them.

As I understand the voting rules of ITU-R, only country representatives can vote, one vote per country. If my experience is anything to go by, finding out who votes on behalf of your country and how they intend to vote may not be immediately obvious to the casually inquiring citizen.

The Philosophical Issues

One of my Jewish friends explained to me that all the rules Jews must follow are not meant to make sense; they are meant to make life so difficult that you never take it for granted. In the same spirit, Van Halen used brown M&Ms to test for lack of attention, and I use leap seconds: if a system has not documented and tested what happens on leap seconds, I don’t trust it to get anything else right, either.

But Linus Torvalds’ observation that “95% of all programmers think they are in the top 5%, and the rest are certain they are above average” should not be taken lightly: very few programmers have any idea what the difference is between “wall-clock time” and “interval time,” and leap seconds are way past rocket science for them. (For example, Posix defines only a pthread_cond_timedwait(), which takes wall-clock time but not an interval-time version of the call.)

When a large fraction of the world economy is run by the creations of lousy programmers, and when embedded systems are increasingly capable of killing people, do we raise the bar and demand that programmers pay attention to pointless details such as leap seconds, or do we remove leap seconds?

As an old-timer in the IT business, I’m firmly for the first option: we should always strive to do things better, and do them right, and pointless details make for good checkboxes. As a frequent user of technological marvels built by the lowest bidder, however, the second option is not unattractive—particularly when the pilots tell us they “have to turn the entire plane off and on again before we can start all the motors.”

As a time-nut, a small and crazy fraternity that thinks running an atomic clock in your basement is a requirement for a good life (let me know if you need a copy of my 400GB recording of the European VLF spectrum during a leap second…), I would miss leap seconds. They are quaint and interesting, and their present rate of one every couple of years makes for a wonderful chance to inspire young nerds with tales of wonders in physics and geophysics.

But once every couple of years is not nearly often enough to ensure that IT systems handle them correctly.

I wish we could somehow get the 20-year horizon compromise on the table next January, but failing that, if the choice is only between keeping leap seconds or abolishing leap seconds, they will have to go—before they kill somebody through bad standards writing and bad programming.

Related articles on queue.acm.org

Principles of Robust Timing over the Internet
Julien Ridoux, Darryl Veitch
http://queue.acm.org/detail.cfm?id=1773943

You Don’t Know Jack about Network Performance
Kevin Fall, Steve McCanne
http://queue.acm.org/detail.cfm?id=1066069

Fighting Physics: A Tough Battle
Jonathan M. Smith
http://queue.acm.org/detail.cfm?id=1530063

References
1. International Earth Rotation and Reference Systems Service. Information on UTC-TAI; http://data.iers.org/products/16/14433/orig/bulletinc-041.txt.
2. International Earth Rotation and Reference Systems Service. Relationship between TAI and UTC; http://hpiers.obspm.fr/eop-pc/earthor/utc/TAI-UTC_tab.html.
3. Microsoft. How the Windows Time service treats a leap second (November 1, 2006); http://support.microsoft.com/kb/909614.
4. Sobel, D. Longitude. Walker and Company, 2005.
5. Williams, M. Power glitch hits Toshiba’s flash memory production line. ComputerWorld (Dec. 2010); http://www.computerworld.com/s/article/9200738/Power_glitch_hits_Toshiba_s_flash_memory_production_line.

Poul-Henning Kamp (phk@FreeBSD.org) has programmed computers for 26 years and is the inspiration behind bikeshed.org. His software has been widely adopted as “under the hood” building blocks in both open source and commercial products. His most recent project is the Varnish HTTP accelerator, which is used to speed up large Web sites such as Facebook.

© 2011 ACM 0001-0782/11/05 $10.00
Mobile Application Development: Web vs. Native

A few short years ago, most mobile devices were, for want of a better word, “dumb.” Sure, there were some early smartphones, but they were either entirely email focused or lacked sophisticated touch screens that could be used without a stylus. Even fewer shipped with a decent mobile browser capable of displaying anything more than simple text, links, and maybe an image. This meant if you had one of these devices, you were either a businessperson addicted to email or an alpha geek hoping that this would be the year of the smartphone. Then Apple changed everything with the release of the iPhone, and our expectations for mobile experiences were completely reset.

The original plan for third-party iPhone apps was to use open Web technology. Apple even released tooling for this in its Dashcode project.[4] Fast-forward three years and native apps are all the rage, and—usually for performance reasons—the mobile Web is being unfavorably compared.

There are two problems with this line of thinking. First, building a different app for each platform is very expensive if written in each native language. An indie game developer or startup may be able to support just one device, likely the iPhone, but an IT department will have to support the devices that its users have that may not always be the latest and greatest. Second, the performance argument that native apps are faster may apply to 3D games or image-processing apps, but there is a negligible or unnoticeable performance penalty in a well-built business application using Web technology.

For its part, Google is betting on Web technology to solve the platform
fragmentation. Vic Gundotra, VP of engineering at Google, claimed that “even Google was not rich enough to support all of the different mobile platforms from Apple’s App Store to those of the BlackBerry, Windows Mobile, Android, and the many variations of the Nokia platform,”[6] and this was before HP webOS, MeeGo, and other platforms emerged.

In this article we discuss some of the strengths and weaknesses of both Web and native approaches, with special attention to areas where the gap is closing between Web technologies and their native counterparts.

Native Code vs. Web Code

Implementing a software app begins with code. In the case of native code, most often these days the developer typically writes in a C dialect, as in the case of the iPhone. In our work at Nitobi (http://nitobi.com/) and on PhoneGap (http://www.phonegap.com/), we have had plenty of experience wrestling with the various mobile platforms from a native development perspective.

Of course, for various market or organizational reasons most developers or teams must support apps on multiple smart platforms. Want to write an app in native code and hit every single mobile operating system? No problem if your team has the skill sets shown in the accompanying table.

What makes things even more complicated are the differences among the actual platform SDKs (software development kits). There are different tools, build systems, APIs, and devices with different capabilities for each platform. In fact, the only thing these oper-

supports. PhoneGap is an open source framework that provides developers with an environment where they can create apps in HTML, CSS, and JavaScript and still call native device features and sensors via a common JS API. The PhoneGap framework contains the native-code pieces to interact with the underlying operating system and pass information back to the JavaScript app running in the Webview container. Today there is support for geolocation, accelerometer, and more.

What is native code exactly? Usually it’s compiled, which is faster than interpreted languages such as JavaScript. Webviews and browsers use HTML and CSS to create user interfaces with varying degrees of capability and success. With native code, we paint pixels directly on a screen through proprietary APIs and abstractions for common user-interface elements and controls.

In short, we’re pitting JavaScript against compiled languages. These days, JavaScript is holding its own. This isn’t surprising—JavaScript virtual machine technology is the new front line for the browser wars. Microsoft, Google, Apple, Opera, and Mozilla are all iterating furiously to outperform competing implementations.[5] Right now, by some benchmarks (http://arewefastyet.com/), Mozilla’s SpiderMonkey is closing in on Google’s V8 engine. JavaScriptCore by Apple, found in most WebKit browsers (which is on most mobile devices), is somewhere in-between. The bottom line is that heavy spending by all the major players is fueling this JavaScript arms race. The benchmark by Ars Technica shown in Figure 1 is an example of how these

common user-interface controls and experiences. No two platforms have the same, or even similar, user-interface paradigms, let alone APIs to instantiate and access them. The Web platform is consistent, for the most part, but the number of built-in or SDK-included controls is limited. You have to roll your own. Sometimes the differences among browsers can cause pain, but—at least in the modern smartphone world—most devices sport the very capable WebKit rendering engine, and only small differences prevail.

Unfortunately for the Web, those small differences are becoming a big deal. For example, on iOS, the CSS position property does not properly support a value of “fixed.” (This was a problem in Android, but has been corrected in the latest Android 2.2 code.) BlackBerry operating systems earlier than version 6.0 sport a completely arcane browser for which there has been much suffering and toil at unfathomable cost to Web developer sanity. Fortunately, RIM has addressed a lot of this in 6.0, and in general, things are getting better.

Some operating systems include something called hardware acceleration. The iOS stack famously supports this concept in CSS transforms, which is how some Web frameworks achieve silky smooth transitions between view states. It’s a technique first uncovered in Dashcode. It was painstakingly reverse engineered by David Kaneda, pioneered in jQTouch (http://jqtouch.com/), and released later in Sencha Touch (http://www.sencha.com/). Both are incredible Web projects and examples of what can be done when developers push the boundaries.
ating systems have in common is that companies are marketing themselves. When we first started tapping into
they all ship with a mobile browser that JavaScript is rapidly getting faster— these next-generation mobile brows-
is accessible programmatically from so fast, in fact, that HP Palm webOS ers, no framework worked properly
the native code. 2.0 rewrote its services layer from Java across devices. Today there are more
Each platform allows us to instan- to the extremely popular node.js plat- than 20 mobile frameworks, and sup-
tiate a browser instance, chromeless, form (http://nodejs.org/), which is built port is being rapidly added to existing
and interact with its JavaScript inter- on Google’s V8 engine to obtain better DOM (Document Object Model) librar-
face from native code. From within performance at a lower CPU cost (and ies—not the least of which is John Re-
that Webview we can call native code therefore longer battery life). The trend sig’s jQuery (http://jquery.com/) and
from JavaScript. This is the hack that we’re seeing is the Web technology jQuery Mobile (http://jquerymobile.
became known as the PhoneGap tech- stack running at a low level, and it’s in com/); that code is improving and add-
nique pioneered by Eric Oesterle, Rob production today on millions of devices. ing support for more devices every day.
Ellis, and Brock Whitten for the first With tools like these, it’s getting easier
iPhone OS SDK at iPhoneDevCamp in User Interface Code and easier to support multiple targets
2008. This approach was later ported Things aren’t as pretty when it comes from a single Web-oriented code base.
to Android, BlackBerry, and then to to the user interface. Most native plat- Rapid execution and beautiful user
the rest of the platforms PhoneGap forms have wonderful abstractions for interfaces aren’t the whole story when
contrasting the Web technology stack to native code. Web technology lives in a sandbox, which is also a jail from lower-level APIs that native code can access—APIs that can access device storage, sensors, and data. But this gap is being bridged, too. Most mobile browsers support geolocation today, for example, and iOS recently added Accelerometer and a slew of other HTML5 APIs. Given that the W3C has a Device API Working Group (http://www.w3.org/2009/dap/), it’s likely we will be seeing many more APIs reach the browser in the near future. If the near future isn’t soon enough, you can use PhoneGap (http://docs.phonegap.com/) to access these APIs today.

Of course, the Web technology stack (HTML/CSS/JS) is itself implemented in native code. The distance between the native layer and the browser is just one compile away. In other words, if you want to add a native capability to a browser, then you can either bridge it or recompile the browser to achieve that capability. If a browser does not support a native capability, it’s not because it can’t or that it won’t; it just means it hasn’t been done yet.

Required skill sets for nine mobile OSs.

Mobile OS Type     Skill Set Required
Apple iOS          C, Objective C
Google Android     Java (Harmony flavored, Dalvik VM)
RIM BlackBerry     Java (J2ME flavored)
Symbian            C, C++, Python, HTML/CSS/JS
Windows Mobile     .NET
Windows 7 Phone    .NET
HP Palm webOS      HTML/CSS/JS
MeeGo              C, C++, HTML/CSS/JS
Samsung bada       C++

Figure 1. JavaScript performance: Android 2.2 vs. iOS 4. Panels: SunSpider (milliseconds, lower is better) and V8 (higher is better), for iOS 4 on iPhone 4 and Android 2.2 on Nexus One. Source: Ars Technica.

User Experience: Context vs. Implementation

Another area that has a big effect on both native and Web mobile application development is user experience, the term we use for the overall experience a user has with a software application. User experience can even extend outside the app. For example, we can use push notifications to wake up an application under certain conditions, such as a location change, or to spawn a new purpose-built application to handle different application aspects. Obviously, a successful user experience is crucial for successful application adoption.

Generally speaking, a mobile software project user experience can be divided into two primary categories:

- The context—elements that must be understood but cannot be changed or controlled. These include hardware affordances, platform capabilities and UI conventions, and the environment in which your application is used.
- The implementation—elements that can be controlled in an application, such as performance, design, and integration with platform features such as accelerometer data or notifications.

The context in which your application will be used affects users’ expectations. The context for a single application may be radically different from one user to the next, even on a single platform. We’re not really talking about a context; we’re actually talking about multiple contexts. Let’s look at the things that define the contexts to which a successful mobile application must adapt.

Hardware. The Android device ecosystem (Figure 2) is a fantastic example of this variety of contexts, with devices varying significantly in terms of display (physical size, color depth, screen resolution, pixel density, aspect ratio); input (trackball, touchscreen, physical keyboard, microphone, camera); and capability (processing power, storage, antennae, and so on).

The combination of these properties greatly impacts how your application will appear, and the range of possible ways the user might choose to interact with it. If a particular combination doesn’t exist today, it very well could tomorrow. A successful application must account for the habits associated with all of these hardware devices.

Platform conventions. Each platform has its own user-interface conventions, typically described in a human interface guideline doc and evidenced in the operating-system interface. The variety of mobile Web browsers provides a prime example of how different these conventions can be:

A common user expectation is the ability to “go back” in the browser. iOS
satisfies this with a virtual button; Android and BlackBerry devices rely on a physical hardware back button; webOS uses a back button and a back gesture. Whatever the method, users expect that they will be able to “go back” in your application.

Users also expect context menus. In the default Android and BlackBerry browser, the context menu is accessed through a physical button found at the bottom of the screen, close to the natural position of the thumbs. On iOS and webOS the context menu is accessed through a persistent virtual tab bar positioned close to the thumb at the bottom of the screen. The persistent tab bar at the bottom of the screen on devices other than iOS and webOS often produces a poor experience because users can easily accidentally hit their context menu or back buttons, causing an app to close unexpectedly. These are limitations with which both native and Web apps must contend.

Figure 2. Variety of contexts across Android devices.

Figure 3. The variety of mobile Web browsers.

Developers must consider approaches that make good sense for both data and users. HTML5 does support the concept of a menu element so a common abstraction is possible here, but the work has yet to be done.

Environment is the greatest wild card of all! Is it daytime or nighttime? Is the user standing or sitting? Standing still or in motion? One or two hands free? In a busy place? The variables are endless.

Where does that leave us? Expectations borne out of the context are not inherently cross platform. Both native and Web implementations must provide designs and code that support these expectations. The good news for Web developers is that they can fall back on a familiar paradigm in the Web technology stack to satisfy user expectations.

Implementation. To produce the best possible user experience, implementations must deliver designs and code that support expectations set out by a user’s particular context.

Performance: The Hobgoblin of Software Development

Without a doubt, performance is a cornerstone of a great user experience. Like security, it is the most misunderstood and oft-used scapegoat of the software developer. It’s not uncommon to hear developers reject ideas with a flippant, “We can’t do that, it will negatively impact performance.” Rarely quantified and frequently cited, performance is the hobgoblin of software development. How do we quantify performance? Latency is a form of performance. Execution, the time an operation takes to perform, is another. We’ll address these separately.

Latency is a huge consideration in the mobile world. Be it a native or a Web application, there is a performance penalty to downloading an app and the data it consumes or publishes through the network. Obviously, the smaller the payload, the faster the app. Using JavaScript Object Notation (JSON)-formatted data is a good idea as it tends to result in a smaller data payload compared with an equivalent XML payload, depending on how the XML is formatted. On the other hand, XML data can make sense when returning HTML fragments that are to be inserted into a Web page rather than returning JSON-formatted data that, while smaller over the wire, needs to be converted to an HTML fragment using JavaScript. Your mileage will vary. Benchmarking is the only way to know for sure.

Another latency issue can be the initialization of code. Once we actually get the code into memory, it still needs to be parsed. There can be a noticeable performance penalty in this process. We can fake it and enhance the perception of performance with determinate or indeterminate progress indicators.

Execution time is, of course, a key facet of performance. When interpreting code (as we do for the Web with JavaScript), the more there is to interpret, the longer the execution time. Here the Web technology stack has some catching up to do. JavaScript, for all its leaps in performance, is still slower than native counterparts. On the other hand, the time it takes a programmer to write comparable logic in a native compiled language on multiple mobile devices may be worth the time penalty for execution; however, this will certainly require more maintenance than one code base written in JavaScript that can run on multiple devices, maybe some tweaks per platform. Less code often leads to less and easier maintenance.

That said, the benefit of less code doesn’t matter to the end user, who expects a responsive interface. The developer tradeoff is a larger code base—often vastly larger, considering support for multiple native platforms. In the world of native code, the main challenge is reimplementing to multiple
targets. In the world of the Web, the main challenge is limiting your footprint as much as possible to produce a responsive user experience. That’s not to say that one user interface can suffice in all environments, rather that the majority of the application logic is in one code base and then specific device-specific UI idioms can be implemented with conditional code. You therefore might want to implement slightly different functionality and user experiences appropriate to the expectations of the users of a particular device. For example, Android and BlackBerry devices have physical back and menu buttons, whereas an iOS device does not.

Another key point to remember is that even though the mobile industry is quickly converging on WebKit as the de facto standard for HTML rendering engines, every device and operating system has a slightly different flavor of WebKit. This means you should expect development to be similar to cross-browser Web development today. Thankfully, there are many libraries such as jQuery Mobile, Sencha Touch, and SproutCore that seek to address this.

All of this discussion of latency and execution of code means taking a tough look at the business goals of your application development initiative. Favoring data over decor is the most pragmatic approach. Gradients, drop shadows, bevels, embossing, highlights, rounded corners, and Perlin noise do not make an application useful or usable—they don’t fulfill a business requirement—but they do impact performance. CSS gradients, in particular, are real devils for performance in the mobile world. You need to decide what your objective is: looking neat or providing a useful interface for data publishing and acquisition. You win some of these capabilities on some platforms with optimized (often hardware-accelerated) pixel painting with native code. It’s not that these effects are impossible to achieve, but they should be used judiciously and only when they enhance and do not distract from the user experience. It is possible to deliver a great user experience that succeeds in the market; it just requires proper mobile Web development techniques and good user-experience skills that take into account the constraints of the environment.

Lovely Bounces and Beautiful Design

Of course, beautiful design matters. From aesthetics to intangibles such as the structure of a good program, software designers must commit to great design and to building on solid practices already in place. Scrolling via kinetic physics, lovely bounces, easing, and so forth create reactive interfaces that feel real and are a delight to use. This is an area where native controls are particularly good.

We have yet to solve the problem of native scrolling satisfactorily with Web technology.[1] There have been many attempts: iScroll (http://cubiq.org/iscroll), TouchScroll (http://uxebu.com/blog/2010/04/27/touchscroll-a-scrolling-layer-for-webkit-mobile/), GloveBox (https://github.com/purplecabbage/GloveBox), Sencha (http://www.sencha.com/), and jQuery Mobile (http://jquerymobile.com/). All of these address the scrolling issue but do not solve it as well as a native device. Even the Google mobile team is working on releasing a solution for this problem.[3] Without a doubt, this is the most common complaint the PhoneGap team hears, but we’re one bug fix in WebKit away from it being a nonissue. The Google Mobile team has recently released its solution and code for WebKit-based browsers and platforms.[2]

Here’s the rundown. The Web technology stack has not achieved the level of performance we can attain with native code, but it’s getting close. We’re confident that Web technologies will become indistinguishable from native experiences. In the meantime, Web developers must focus on delivering data while working diligently on improving the decor.

Looking to the Future

As much as native and Web are pitted against one another in this debate, the likely outcome is a hybrid solution. Perhaps we’ll see computing as inherently networked and (this is my sincere hope) free for anyone to access. We already see signs of a native Web: WebGL recently proved that in-browser 3D gaming is possible, even running Quake III (http://media.tojicode.com/q3bsp/)!

In the meantime, software makers must balance the Web-vs.-native debate based on an application’s primary objectives, development and business realities, and the opportunities the Web will provide in the not-so-distant future. The good news is that until all of this technology makes it into the browser, hacks such as PhoneGap can help bridge the divide. I encourage developers not simply to identify software development trends but to implement them! If the Web doesn’t fulfill a capability your particular application requires, you’re presented with an exciting opportunity to contribute and close the Web/native chasm in the process.

Related articles on queue.acm.org

Case Study: UX Design and Agile: A Natural Fit?
http://queue.acm.org/detail.cfm?id=1891739

Enterprise-Grade Wireless
Bruce Zenel and Andrew Toy
http://queue.acm.org/detail.cfm?id=1066065

Energy Management on Handheld Devices
Marc A Viredaz, Lawrence S. Brakmo, William R. Hamburgen
http://queue.acm.org/detail.cfm?id=957768

References

1. Ecker, C. Ars iPad application redux: where we’re going, 2010; http://arstechnica.com/apple/news/2010/11/ars-application-redux-where-were-going.ars.
2. Fioravanti, R. Implementing a fixed-position iOS Web application, 2010; http://code.google.com/mobile/articles/webapp_fixed_ui.html.
3. Google Mail Blog. Gmail in Mobile Safari; now even more like a native app, 2010; http://googlemobile.blogspot.com/2010/10/gmail-in-mobile-safari-now-even-more.html.
4. Lee, W-M. Build Web apps for iPhone using Dashcode, 2009; http://mobiforge.com/developing/story/build-web-apps-iphone-using-dashcode.
5. MSDN, IEBlog. HTML5, and real-world site performance: Seventh IE9 platform preview available for developers, 2010; http://blogs.msdn.com/b/ie/archive/2010/11/17/html5-and-real-world-site-performance-seventh-ie9-platform-preview-available-for-developers.aspx.
6. Nuttall, C. App stores are not the future, says Google. FT Tech Hub, 2009; http://blogs.ft.com/fttechhub/2009/07/app-stores-are-not-the-future-says-google.

Andre Charland is the co-founder and CEO at Nitobi Inc. He’s been at the forefront of Web 2.0 software development for almost a decade and is an expert on the next-generation Web. He is an advocate for usability and user experience and speaks regularly about how to keep users engaged and active on Web sites or Web-based application. He is the co-author of Enterprise Ajax (Prentice Hall) and lead blogger for O’Reilly’s InsideRIA.com.

Brian LeRoux is the lead architect at Nitobi Software with the prestigious title SPACELORD. He also has the dubious distinction of being the creator of wtfjs.com and crockfordfacts.com. He is also responsible for leading the direction on the PhoneGap free software project that has the ambitious goal to provide a Web platform complete with Device APIs for nearly all smartphone operating systems.

© 2011 ACM 0001-0782/11/05 $10.00
Weapons of Mass Assignment

In May 2010, during a news cycle dominated by users’ widespread disgust with Facebook privacy policies, a team of four students from New York University published a request for $10,000 in donations to build a privacy-aware Facebook alternative. The software, Diaspora, would allow users to host their own social networks and own their own data. The team promised to open-source all the code they wrote, guaranteeing the privacy and security of users’ data by exposing the code to public scrutiny. With the help of front-page coverage from the New York Times, the team ended up raising more than $200,000. They anticipated launching the service to end users in October 2010.

On September 15, Diaspora (https://joindiaspora.com/) released a “pre-alpha developer preview” of its source code (https://github.com/diaspora/diaspora). I took a look at it, mostly out of curiosity, and was struck by numerous severe security errors. I spent the next day digging through the code locally and trying to

make applications more secure.

Diaspora is written against Ruby on Rails 3.0, a popular modern Web framework. Most Rails applications run as very long-lived processes within a specialized Web server such as Mongrel or Thin. Since Rails is not thread-safe, typically several processes will run in parallel on a machine, behind a threaded Web server such as Apache or nginx. These servers serve requests for static assets directly and proxy dynamic requests to the Rails instances.

Architecturally, Diaspora is designed as a federated Web application, with user accounts (seeds) collected into separately operated services (pods), in a manner similar to email accounts on separate mail servers. The primary way end users access their Diaspora accounts is through a Web interface. Pods communicate with each other using encrypted XML messages.

Unlike most Rails applications, Diaspora does not use a traditional database for persistence. Instead, it uses the MongoMapper ORM (object-relational mapping) to interface with MongoDB, which its makers describe as a “document-oriented database” that “bridges the gap between key/value stores and traditional relational databases.” MongoDB is an example of what are now popularly called NoSQL databases.

While Diaspora’s architecture is somewhat exotic, the problems with the developer preview release stemmed from very prosaic sources.

Security in Ruby on Rails

Web application security is a very broad and deep topic, and is treated in detail in the official Rails security guide (http://guides.rubyonrails.org/security.html)
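The two defenses this article goes on to recommend, looking records up only through the logged-in user and whitelisting the attributes a form may set, are shown here beside the unchecked update they replace. This is an added example in plain Ruby, not code from Diaspora, Rails or MongoMapper; `MassAssignable`, `assignable`, `find_owned` and the sample accounts are constructed stand-ins.

```ruby
# Added example: plain-Ruby stand-ins, not Diaspora, Rails or MongoMapper code.
class NotFound < StandardError; end

# Mimics the mass-update behaviour the article describes: each key in the
# hash is sent to the matching setter on the object.
module MassAssignable
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Hypothetical whitelist macro in the spirit of Rails' attr_accessible.
    def assignable(*names)
      @assignable = names.map(&:to_s)
    end

    def assignable_names
      @assignable || [] # nothing is assignable until declared
    end
  end

  # Default-open: every key that has a setter is written.
  def update_attributes_unsafe(params)
    params.each { |key, value| public_send("#{key}=", value) if respond_to?("#{key}=") }
    self
  end

  # Whitelisted: undeclared keys are skipped and returned so they can be logged.
  def update_attributes(params)
    allowed = self.class.assignable_names
    params.each { |key, value| public_send("#{key}=", value) if allowed.include?(key.to_s) }
    params.keys.map(&:to_s) - allowed
  end
end

class Person
  include MassAssignable
  attr_accessor :id, :owner_id, :first_name, :serialized_key
  assignable :first_name

  def initialize(attrs)
    attrs.each { |key, value| public_send("#{key}=", value) }
  end
end

# Lookup scoped to the logged-in user, like current_user.photos.find(params[:id]).
def find_owned(people, current_user_id, id)
  person = people.find { |p| p.id == id && p.owner_id == current_user_id }
  raise NotFound, "no person #{id} for user #{current_user_id}" unless person
  person
end

# Same shape as the update action in the article's Figure 1: the id comes from the request.
def update_vulnerable(people, params)
  person = people.find { |p| p.id == params["id"] } # no authorization check
  person.update_attributes_unsafe(params["user"])   # untrusted hash goes to the setters
end

def update_hardened(people, current_user_id, params)
  person = find_owned(people, current_user_id, params["id"])
  rejected = person.update_attributes(params["user"])
  [person, rejected]
end

# Constructed sample data: two accounts and one tampered form submission.
def sample_people
  [Person.new(id: "1", owner_id: "alice", first_name: "Alice", serialized_key: "alice-key"),
   Person.new(id: "2", owner_id: "bob", first_name: "Bob", serialized_key: "bob-key")]
end

TAMPERED = { "id" => "2",
             "user" => { "first_name" => "Bobby", "owner_id" => "alice",
                         "serialized_key" => "constructed-key" } }.freeze

def run_demo
  results = {}
  victim = update_vulnerable(sample_people, TAMPERED)
  results[:vulnerable] = [victim.owner_id, victim.serialized_key]

  # Alice submitting the tampered form for Bob's record is refused outright.
  results[:cross_user] = begin
    update_hardened(sample_people, "alice", TAMPERED)
    :updated
  rescue NotFound
    :not_found
  end

  # Bob submitting extra fields for his own record only changes whitelisted ones.
  person, rejected = update_hardened(sample_people, "bob", TAMPERED)
  results[:own_record] = [person.first_name, person.owner_id, person.serialized_key, rejected]
  results
end

puts run_demo.inspect if __FILE__ == $PROGRAM_NAME
```

The list of rejected keys returned by the hardened path is worth logging: a form submission that carries `owner_id` or `serialized_key` did not come from the application's own form.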
the order of a half-dozen critical errors, affecting nearly every class in the system. There were three main genres, detailed below. All code samples pulled from Diaspora’s source at launch (note: I have forked the Diaspora pub-

actions on the server used parameters from the HTTP request to identify pieces of data they were to operate on, without checking that the logged-in user was actually authorized to view or operate on that data.

to a Diaspora seed and knew the ID of any photo on the pod, changing the URL of any destroy action visible to include the ID of any other user’s photo would let you delete that second photo. Rails makes such exploits very
easy, since URLs to actions are trivially easy to guess, and object IDs “leak” all over the place. Do not assume that an object ID is private.

Diaspora, of course, does attempt to check credentials. It uses Devise, a library that handles authentication, to verify that you get to the destroy action only if you are logged in. As shown in the previous code example, however, Devise does not handle authorization—checking to see that you are, in fact, permitted to do the action you are trying to do.

Impact. When Diaspora shipped, an attacker with a free account on any Diaspora node had, essentially, full access to any feature of the software vis-à-vis someone else’s account. That is quite a serious vulnerability, but it combines with other vulnerabilities in the system to allow attackers to commit more subtle and far-reaching attacks than merely deleting photos.

How to avoid this scenario. Check authorization prior to sensitive actions. The easiest way to do this (aside from using a library to handle it for you) is to take your notion of a logged-in user and access user-specific data only through that. For example, Devise gives all actions access to a current_user object, which is a stand-in for the currently logged-in user. If an action needs to access a photo, it should call current_user.photos.find(params[:id]). If a malicious user has subverted the params hash (which, since it comes directly from an HTTP request, must be considered “in the hands of the enemy”), that code will find no photo (because of how associations scope to the user_id). This will instantly generate an ActiveRecord exception, stopping any potential nastiness before it starts.

Mass Assignment Will Ruin Your Day

We have learned that if we forget authorization, then a malicious user can do arbitrary bad things to people. In the example in Figure 1, since the user update method is insecure, an attacker could meddle with their profiles. But is that all we can do?

Figure 1. Weaknesses in user update method.

    #users_controller.rb
    def update
      @user = User.find_by_id params[:id] # <-- No authorization check.
      prep_image_url(params[:user])

      @user.update_profile params[:user] # <-- Pass untrusted input to @user then...
      respond_with(@user, :location => root_url)
    end

    #user.rb
    def update_profile(params)
      if self.person.update_attributes(params) # <-- insert input directly to DB.
        #omitted for clarity
      end
    end

Unseasoned developers might assume that an update method can only update things on the Web form prior to it. For example, the form shown in Figure 2 is fairly benign, so one might think that all someone can do with this bug is deface the user’s profile name and email address:

This is dangerously wrong.

Rails by default uses something called mass update, where update_attributes and similar methods accept a hash as input and sequentially call all accessors for symbols in the hash. Objects will update both database columns (or their MongoDB analogs) and will call parameter_name= for any :parameter_name in the hash that has that method defined.

Impact. Let’s take a look at the Person object in the following code to see what mischief this lets an attacker do. Note that instead of updating the profile, update_profile updates the Person: Diaspora’s internal notion of the data associated with one human being, as opposed to the login associated with one email address (the User). Calling something update_profile when it is really update_person is a good way to hide the security implications of such code from a reviewer. Developers should be careful to name things correctly.

This means that by changing a Person’s owner_id, one can reassign the Person from one account (User) to another, allowing one not only to deny arbitrary victims their use of the service, but also to take over their accounts. This allows the attacker to impersonate them, access their data at will, and so on. This works because the “one” method in MongoDB picks the first matching entry in the DB it can find, meaning that if two Persons have the same owner_id, the owning User will nondeterministically control one of them. This lets the attacker assign your Person#owner_id to be his #owner_id, which gives the attacker a 50-50 shot at gaining control of your account.

It gets worse: since the attacker can also reassign his own data’s owner_id to a nonsense string, this delinks his personal data from his account, which will ensure that his account is linked with the victim’s personal data.

It gets worse still. Note the serialized_key column. If you look deeper into the User class, that is its serialized public/private encryption key pair. Diaspora seeds use encryption when talking with each other so the prying eyes of Facebook can’t read users’ status updates. This is Diaspora’s core selling point. Unfortunately, an attacker can use the combination of unchecked authorization and mass update silently to overwrite the user’s key pair, replacing it with one the user generated. Since the attacker now knows the user’s private key, regardless of how well implemented Diaspora’s cryptography is, the attacker can read the user’s messages at will. This compromises Diaspora’s core value proposition to users: that their data will remain safe and in their control.

This is what kills most encryption systems in real life. You don’t have to beat encryption to beat the system; you just have to beat the weakest link in the chain around it. That almost certainly isn’t the encryption
algorithm—it is probably some inadequacy in the larger system added by a developer in the mistaken belief that strong cryptography means strong security. Crypto is not soy sauce for security.

This attack is fairly elementary to execute. It can be done with a tool no more complicated than Firefox with Firebug installed: add an extra parameter to the form, switch the submit URL, and instantly gain control of any account you wish. Of particular note to open source software projects and other scenarios where the attacker can be assumed to have access to the source code, this vulnerability is very visible: the controller in charge of authorization and access to the user objects is a clear priority for attackers because of the expected gains from subverting it. A moderately skilled attacker could find this vulnerability and create a script to weaponize it in a matter of minutes.

How to avoid this scenario. This particular variation of the attack could be avoided by checking authorization, but that does not by itself prevent all related attacks. An attacker can create an arbitrary number of accounts, changing the owner_id on each to collide with a victim’s legitimate user ID, and in doing so successfully delink the victim’s data from his or her login. This amounts to a denial-of-service attack, since the victim loses the utility of the Diaspora service.

After authentication has been fixed, write access to sensitive data should be limited to the maximum extent practical. A suitable first step would be to disable mass assignment, which should always be turned off in a public-facing Rails app. The Rails team presumably keeps mass assignment on by default because it saves many lines of code and makes the 15-minute blog demo nicer, but it is a security hole in virtually all applications.

Luckily, this is trivial to address: Rails has a mechanism called attr_accessible, which makes only the listed model attributes available for mass assignment. Allowing only safe attributes to be mass-assigned (for example, data you would expect the end users to be allowed to update, such as their names rather than their keys) prevents this class of attack. In addition, attr_accessible documents programmers’ assumptions about security explicitly in their application code: as a whitelist, it is a known point of weakness in the model class, and it will be examined thoroughly by any security review process.

This is extraordinarily desirable, so it’s a good idea for developers to make using attr_accessible compulsory. This is easy to do: simply call ActiveRecord::Base.attr_accessible(nil) in an initializer, and all Rails models will automatically have mass assignment disabled until they have it explicitly enabled by attr_accessible. Note that this may break the functionality of common Rails gems and plugins, because they sometimes rely on the default. This is one way in which security is a problem of the community.

An additional mitigation method, if your data store allows it, is to explicitly disallow writing to as much data as is feasible. There is almost certainly no legitimate reason for owner_id to be reassignable. ActiveRecord lets you do this with attr_readonly. MongoMapper does not currently support this feature, which is one danger of using bleeding-edge technologies for production systems.

Figure 2. (Hardly) benign update method.

NoSQL Doesn’t Mean No SQL Injection

The new NoSQL databases have a few decades less experience getting exploited than the old relational databases we know and love, which means that countermeasures against well-understood attacks are still immature. For example, the canonical attack against SQL databases is SQL injection: using the user-exposed interface of an application to craft arbitrary SQL code and execute it against the database.

    def self.search(query)
      Person.all('$where' => "function() { return this.diaspora_handle.match(/^#{query}/i) ||
        this.profile.first_name.match(/^#{query}/i) ||
        this.profile.last_name.match(/^#{query}/i); }")
      #Permits code injection to MongoDB.
    end

Impact. The previous code snippet allows code injection into MongoDB, effectively allowing an attacker full read access to the database, including to serialized encryption keys. Observe that because of the magic of string interpolation, the attacker can cause the string including the JavaScript to evaluate to virtually anything the attacker desires. For example, the attacker could inject a carefully constructed JavaScript string to cause the first regular expression to terminate without any results, then execute arbitrary code, then comment out the rest of the JavaScript.

We can get one bit of data about any particular person out of this find call—whether the person is in the result set or not. Since we can construct the result set at will, however, we can make that a very significant bit. JavaScript can take a string and convert it
to a number. The code for this is left as an exercise for the reader. With that JavaScript, the attacker can run repeated find queries against the database to do a binary search for the serialized encryption key pair:

“Return Patrick if his serialized key is more than 2^512. OK, he isn’t in the result set? Alright, return Patrick if his key is more than 2^256. He is in the result set? Return him if his key is more than 2^256 + 2^255. …”

A key length of 1,024 bits might strike a developer as likely to be very secure. If we are allowed to do a binary search for the key, however, it will take only on the order of 1,000 requests to discover the key. A script executing searches through an HTTP client could trivially run through 1,000 accesses in a minute or two. Compromising the user’s key pair in this manner compromises all messages the user has ever sent or will ever send on Diaspora, and it would leave no trace of intrusion aside from an easily overlooked momentary spike in activity on the server. A more patient attacker could avoid leaving even that.

This is probably not the only vulnerability caused by code injection. It is very possible that an attacker could execute state-changing JavaScript through this interface, or join the Person document with other documents to read out anything desired from the database, such as user password hashes. Evaluating whether these attacks are feasible requires in-depth knowledge of the internal workings of MongoDB and the Ruby wrappers for it. Typical application developers are insufficiently skilled to evaluate parts of the stack operating at those levels: it is essentially the same as asking them whether their SQL queries would allow buffer overruns if executed against a database compiled against an exotic architecture. Rather than attempting to answer this question, sensible developers should treat any injection attack as allowing a total system compromise.

How to avoid this scenario. Do not interpolate strings in queries sent to your database. Use the MongoDB equivalent of prepared statements. If your database solution does not have prepared statements, then it is insufficiently mature to be used in public-facing products.

Be Careful When Releasing Software to End Users

One could reasonably ask whether security flaws in a developer preview are an emergency or merely a footnote in the development history of a product. Owing to the circumstances of its creation, Diaspora never had the luxury of being both publicly available but not yet exploitable. As a highly anticipated project, Diaspora was guaranteed to (and did) have publicly accessible servers available within literally hours of the code being available.

People who set up servers should know enough to evaluate the security consequences of running them. This was not the case with the Diaspora preview: there were publicly accessible Diaspora servers where any user could trivially compromise the account of another user. Moreover, even if one assumes the server operators understand what they are doing, their users and their users’ friends who are invited to join “The New Secure Facebook” are not capable of evaluating their security on Diaspora. They trust that, since it is on their browser and endorsed by a friend, it must be safe and secure. (This is essentially the same process through which they joined Facebook prior to evaluating the privacy consequences of that action.)

The most secure computer system is one that is in a locked room, surrounded by armed guards, and powered off. Unfortunately, that is not a feasible recommendation in the real world: software needs to be developed and used if it is to improve the lives of its users. Could Diaspora have simultaneously achieved a public-preview release without exposing end users to its security flaws? Yes. A sensible compromise would have been to release the code with the registration pages elided, forcing developers to add new users only via Rake tasks or the Rails console. That would preserve 100% of the ability of developers to work on the project and for news outlets to take screenshots—without allowing technically unsophisticated people to sign up on Diaspora servers.

The Diaspora community has taken some steps to reduce the harm of prematurely deploying the software, but they are insufficient. The team curates a list of public Diaspora seeds (https://github.com/diaspora/diaspora/wiki/), including a bold disclaimer that the software is insecure, but that sort of passive posture does not address the realities of how social software spreads: friends recommend it to friends, and warnings will be unseen or ignored in the face of social pressure to join new sites.

Could Rails Have Prevented These Issues?

Many partisans for languages or frameworks argue that “their” framework is more secure than alternatives and that some other frameworks are by nature insecure. Insecure code can

Figure 3. A mischievous ‘Person.’

    #Person.rb
    class Person
      #omitted for clarity
      key :url, String
      key :diaspora_handle, String, :unique => true
      key :serialized_key, String #Public/private key pair for encryption.

      key :owner_id, ObjectId #Extraordinarily security sensitive because…

      one :profile, :class_name => 'Profile'
      many :albums, :class_name => 'Album', :foreign_key => :person_id
      belongs_to :owner, :class_name => 'User' #... changing it reassigns account ownership!
    end

    #User.rb
    one :person, :class_name => 'Person', :foreign_key => :owner_id
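The allowlist and write-once mitigations described earlier (attr_accessible, attr_readonly), sketched for the Person fields in Figure 3. This is an added example in plain Ruby, not Diaspora, Rails, or MongoMapper code; the class names, method names, and sample parameters are hypothetical.

```ruby
# Added illustration in plain Ruby: NOT ActiveRecord or MongoMapper code.
# Field names follow Figure 3; class and method names are hypothetical.
class SketchModel
  class << self
    def fields(*names)
      @fields = names.map(&:to_sym)
      attr_reader(*@fields)
    end

    # Allowlist in the spirit of attr_accessible: only these may be mass-assigned.
    def mass_assignable(*names)
      @mass_assignable = names.map(&:to_sym)
    end

    # Write-once fields in the spirit of attr_readonly.
    def write_once(*names)
      @write_once = names.map(&:to_sym)
    end

    def field_names
      @fields || []
    end

    # Default is the empty list: mass assignment is off until enabled per field.
    def mass_assignable_names
      @mass_assignable || []
    end

    def write_once_names
      @write_once || []
    end
  end

  attr_reader :rejected

  # Trusted construction path (server-side code, console, Rake task).
  def initialize(trusted = {})
    @rejected = []
    trusted.each { |name, value| assign_trusted(name, value) }
  end

  # Explicit single-field write by trusted code; a write-once field may be
  # set only while it is still nil.
  def assign_trusted(name, value)
    name = name.to_sym
    raise ArgumentError, "unknown field #{name}" unless self.class.field_names.include?(name)
    if self.class.write_once_names.include?(name) && !public_send(name).nil?
      raise ArgumentError, "#{name} is write-once"
    end
    instance_variable_set("@#{name}", value)
  end

  # BEFORE: every submitted key that names a field is written.
  def update_unfiltered(params)
    params.each do |name, value|
      name = name.to_sym
      instance_variable_set("@#{name}", value) if self.class.field_names.include?(name)
    end
    self
  end

  # AFTER: only allowlisted fields are written; everything else is recorded
  # so the application can log or alert on it.
  def update_filtered(params)
    params.each do |name, value|
      name = name.to_sym
      if self.class.mass_assignable_names.include?(name)
        instance_variable_set("@#{name}", value)
      else
        @rejected << name
      end
    end
    self
  end
end

class PersonSketch < SketchModel
  fields :url, :diaspora_handle, :serialized_key, :owner_id
  mass_assignable :url
  write_once :owner_id, :serialized_key
end

# Constructed request parameters: a profile edit that also carries owner_id.
SUBMITTED = { "url" => "http://pod.example/new", "owner_id" => "user-2" }.freeze

def new_person
  PersonSketch.new(url: "http://pod.example/old", owner_id: "user-1")
end

# Runs the same submitted parameters through both update paths.
def compare_updates
  before = new_person.update_unfiltered(SUBMITTED)
  after  = new_person.update_filtered(SUBMITTED)
  { before_owner: before.owner_id, after_owner: after.owner_id,
    after_url: after.url, rejected: after.rejected }
end

# Even trusted code cannot reassign ownership once it has been set.
def owner_reassignment_blocked?
  new_person.assign_trusted(:owner_id, "user-2")
  false
rescue ArgumentError
  true
end
```

The `rejected` list is worth logging in a real application: a request that tries to set owner_id through a profile form is a signal, not noise.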
that will always be secure.

That said, defaults and community matter. Rails embodies a spirit of convention over configuration, an example of what the team at 37signals (the original authors of Rails) describes as “opinionated software.” Rails conventions are pervasively optimized for programmer productivity and happiness. This sometimes trades off with

of the Diaspora prerelease revealed on the order of a half-dozen critical errors, affecting nearly every class

only one input for which the program fails to compromise the security of the system.

It would not matter if everything else in Diaspora were perfectly implemented; if the search functionality still allowed code injection, that alone would result in total failure of the project’s core goals.
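The advice not to interpolate strings into queries, shown against the search snippet from earlier in the article. This is an added example, not Diaspora's code or its eventual fix; the `$or` form with escaped, anchored patterns is one assumed reading of "the MongoDB equivalent of prepared statements", and the method names, sample records, and small in-memory evaluator (a stand-in for the database) are constructed so the block runs offline.

```ruby
# Constructed sample documents, shaped like the fields named in the snippet.
PEOPLE = [
  { "diaspora_handle" => "alice@pod.example",
    "profile" => { "first_name" => "Alice", "last_name" => "Liddell" } },
  { "diaspora_handle" => "bob@pod.example",
    "profile" => { "first_name" => "Bob", "last_name" => "Alder" } },
  { "diaspora_handle" => "carol@pod.example",
    "profile" => { "first_name" => "Carol", "last_name" => "Jones" } }
].freeze

SEARCH_FIELDS = %w[diaspora_handle profile.first_name profile.last_name].freeze

# BEFORE: the pattern the article warns about. The user's text is pasted into
# JavaScript source, so the user decides what program the server evaluates.
def interpolated_where(query)
  clauses = SEARCH_FIELDS.map { |f| "this.#{f}.match(/^#{query}/i)" }
  { "$where" => "function() { return #{clauses.join(' || ')}; }" }
end

# AFTER: the query is a data structure. The user's text appears only inside
# an escaped pattern value and never becomes part of any program text.
def structured_conditions(query)
  prefix = /\A#{Regexp.escape(query.to_s)}/i
  { "$or" => SEARCH_FIELDS.map { |f| { f => prefix } } }
end

# Minimal offline evaluator for the { "$or" => [{ path => Regexp }] } shape.
def run_structured(docs, conditions)
  docs.select do |doc|
    conditions.fetch("$or").any? do |clause|
      path, pattern = clause.first
      value = doc.dig(*path.split("."))
      value.is_a?(String) && pattern.match?(value)
    end
  end
end

def handles(docs)
  docs.map { |d| d["diaspora_handle"] }
end

# Prefix search with the structured, escaped form.
def search(query)
  handles(run_structured(PEOPLE, structured_conditions(query)))
end

# For contrast: the same input treated as a pattern instead of a literal,
# which is the mildest consequence of skipping the escaping step.
def search_unescaped(query)
  pattern = Regexp.new("\\A" + query, Regexp::IGNORECASE)
  matched = PEOPLE.select do |d|
    SEARCH_FIELDS.any? { |f| pattern.match?(d.dig(*f.split(".")).to_s) }
  end
  handles(matched)
end
```

Searching for `.*` returns every record when the input is treated as a pattern and none when it is escaped, which makes a convenient regression test for the search endpoint.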
Brain-Computer Interfaces for Communication and Control

Brain activity produces electrical signals detectable on the scalp, on the cortical surface, or within the brain. Brain-computer interfaces (BCIs) translate these signals into outputs that allow users to communicate without participation of peripheral nerves and muscles[36] (see Figure 1). Because they do not depend on neuromuscular control, BCIs provide options for communication and control for people with devastating neuromuscular disorders (such as amyotrophic lateral sclerosis, or ALS, brainstem stroke, cerebral palsy, and spinal cord injury). The central purpose of BCI research and development is to enable these users to convey their wishes to caregivers, use word-processing programs and other software, and even control a robotic arm or neuroprosthesis. Speculation has suggested that BCIs could be useful even to people with lesser, or no, motor impairment.

key insights
Brain-computer interfaces provide a new communication-and-control option for individuals for whom conventional methods are ineffective.
Current BCI technology is slow, benefiting only those with the most severe disabilities.
Research may greatly expand the number of people who would benefit from the technology.

alpha rhythm. This and other observations showed the electroencephalogram (EEG) could serve as an index of the gross state of the brain. Despite Berger’s careful work many scientists were initially skeptical, with some suggesting that the EEG might represent some sort of artifact. However, subsequent work demonstrated conclusively that the EEG is indeed produced by brain activity.[23]

Electrodes on the surface of the scalp are at some distance from brain tissue, separated from it by the coverings of the brain, skull, subcutaneous tissue, and scalp. As a result, the signal is considerably degraded, and only the synchronized activity of large numbers of neural elements can be detected, limiting the resolution with which brain activity can be monitored. Moreover, scalp electrodes pick up activity from sources other than the brain, including environmental noise (such as 50Hz or 60Hz activity from power lines) and biological noise (such as activity from the heart, skeletal muscles, and eyes). Nevertheless, since the time of Berger, many studies have used the EEG to gain insight into brain function, with many of them using averaging to separate EEG from superimposed electrical noise.
Photograph by Lars Bahl

EEG research reflects two major paradigms: evoked potentials and oscillatory features. Evoked potentials are transient waveforms, or brief perturbations in the ongoing activity, that are phase-locked to an event (such as a visual stimulus). They are typically analyzed by averaging many similar events in the time-domain. Although oscillatory features in an EEG may occur in response to specific events, they are usually not phase-locked and typically studied through spectral analysis. Historically, most EEG studies have examined phase-locked evoked potentials. Both these major paradigms have been applied in BCIs.[36]

The term “brain-computer interface” can be traced to Jacques Vidal of the University of California, Los Angeles who devised a BCI system in the 1970s based on visual evoked-potentials.[34] His users viewed a diamond-shape red checkerboard illuminated with a xenon flash. By attending to different corners of the flashing checkerboard, they could generate right, up, left, and down commands, enabling them to move through a maze presented on a graphics terminal. An IBM360 mainframe digitized the data, and an XDS Sigma 7 computer controlled the experimental events. Users first provided data to train a stepwise linear discriminant function, then navigated the maze online in real time. Thus, Vidal[34] used signal-processing techniques to realize real-time analysis of the EEG with minimal averaging. The waveforms shown by Vidal[34] suggested his BCI used EEG activity in the timeframe of the N100-P200 components, with the N and P indicating negative and positive peaks, and the numbers indicating the approximate latency in msec.

Vidal’s achievement was an interesting demonstration of proof of principle. In the early 1970s, it was far from practical, given that it depended on a time-shared system with limited processing capacity. Vidal[34] also included in his system online removal of ocular artifacts to prevent them from being used for control. A decade earlier, Edmond Dewan[6] of the Air Force Cambridge Research Lab, Bedford MA, instructed users to explicitly use eye movements to modulate their brain waves, showing that subjects could learn to transmit Morse code messages using EEG activity associated with eye movement.

The fact that both Vidal’s and Dewan’s BCIs depended on eye movement made them somewhat less interesting from a scientific or clinical point of view, since they required actual muscle control or eye movement, simply using EEG to reflect the resulting gaze direction.

Figure 1. Basic design and operation of a BCI system. (Diagram labels: Signal Acquisition and Processing; Signal Features; Translation Algorithm; Device Commands.) Signals from the brain are acquired by electrodes on the scalp or head and processed to extract specific signal features reflecting the user’s intent. These features are translated into commands to operate a device. Users must develop and maintain good correlation between their intent and the BCI’s signal features. The BCI must select and extract features the user can control, translating them into device commands (adapted from Wolpaw et al.[36]).

Varieties of BCI Signals

Farwell and Donchin[7] reported the first use of a P300-based spelling device (see Figure 2b) in which a positive potential around 300msec after an event significant to the subject is considered a “cognitive” potential since it is generated in tasks where the subject discriminates among stimuli. Farwell’s and Donchin’s[7] users viewed a 6×6 matrix of the letters of the alphabet and several other symbols, focusing attention on the desired selection, as the rows and columns of the matrix were repeatedly flashed to elicit visual evoked potentials. Farwell and Donchin[7] found their users were able to spell the word “brain” through the P300 spelling device; in addition, they did an offline comparison of detection algorithms, finding the stepwise linear discriminant analysis was generally best. The fact that the P300 potential reflects attention rather than simply gaze-direction implied this BCI did not depend on muscle, or eye-movement, control, thus representing a significant advance. Several groups have since further developed this BCI method.[13]

Wolpaw et al.[38] reported the first use of sensorimotor rhythms (SMRs) for cursor control (see Figure 2a), or EEG rhythms that change with movement or imagination of movement and are spontaneous in the sense they do not require specific stimuli to occur. People learned to vary their SMRs to move a cursor to hit one of two targets on the top or bottom edge of a video screen. Cursor movement was controlled by SMR amplitude (measured by spectral analysis). A distinctive feature of this task is that it required users to rapidly switch between two states to select a particular target. The rapid bidirectional nature of the Wolpaw et al.[38] paradigm made it distinct from prior studies that produced long-term unidirectional changes in brain rhythms; for example, users were required to maintain an increase in the size of an EEG rhythm for minutes at a time. In a series of subsequent studies, this group showed that the signals controlling the cursor were actual EEG activity and that covert muscle activity did not mediate this EEG control.[18,31]

These initial SMR results were subsequently replicated by others[21,24] and extended to multidimensional control.[37] These P300 and SMR BCI studies together showed that noninvasive EEG recording of brain signals can serve as the basis for communication-and-control devices.

A number of laboratories have explored the possibility of developing BCIs using single-neuron activity detected by microelectrodes implanted in the cortex[12,30] (see Figure 2c). Much of the related research has been done in non-human primates, though trials have also been done with humans.[12] Other studies have shown that recordings of electrocorticographic (ECoG) activity from the surface of the brain can also provide signals for a BCI[15]; to date they indicate that invasive recording methods can also serve as the basis for BCIs. Meanwhile, important issues concerning their suitability for long-term human use have yet to be resolved.

Figure 2 (panels: (a) Sensorimotor Rhythms; (b) P300 Evoked Potential; (c) Cortical Neuronal Activity). A and B are noninvasive, and C is invasive. A. In a sensorimotor rhythm BCI, scalp EEG is recorded over sensorimotor cortex; users control the amplitude of rhythms to move a cursor to a target on the screen. B. In a P300 BCI, a matrix of choices is presented on screen, and scalp EEG is recorded as these choices flash in succession. C. In a cortical neuronal BCI, electrodes implanted in the cortex detect action potentials of single neurons; users learn to control the neuronal firing rate to move a cursor on screen (adapted from Wolpaw et al.[36]).

Earlier studies demonstrating operant conditioning of single units in the motor cortex of primates,[9] hippocampal theta rhythm of dogs,[2] and sensorimotor rhythm in humans[29] showed brain activity could be trained with operant techniques. However, these studies were not demonstrations of BCI systems for communication and control since they required subjects to increase brain activity for periods of many minutes, showing that brain activity could be tonically altered in a single direction through training. However, communication-and-control devices require that users be able to select from at least two distinct alternatives; that is, there must be at least one bit of information per selection. Effective communication-and-control devices require users to rapidly switch between multiple alternatives.

In addition to electrophysiological measures, researchers have also demonstrated the feasibility of magnetoencephalography (MEG),[20] functional magnetic resonance imaging (fMRI),[28] and near-infrared systems (fNIR).[4] Current technology for recording MEG and fMRI is both expensive and bulky, making it unlikely for practical applications in the near term; fNIR is potentially cheaper and more compact. However, both fMRI and fNIR are based on changes in cerebral blood flow, an inherently slow response.[11] Electrophysiological features represent the most practical signals for BCI applications today.

System Design

Communication-and-control applications are interactive processes requiring users observe the results of their effort to maintain good performance and correct mistakes. For this reason, BCIs must run in real time and provide real-time feedback to users. While many early BCI studies satisfied this requirement,[24,38] later studies were often based on offline analyses of prerecorded data[1]; for example, the Lotte et al.[16] review of studies evaluating BCI signal-classification algorithms found most used offline analyses. Indeed, the current popularity of BCI research is probably due in part to the ease offline analyses are performed on publicly available data sets. While such offline studies may help guide actual online BCI investigations, there is no guarantee that offline results will generalize to online performance. Users’ brain signals are often affected by BCI outputs that are in turn determined by the algorithm the BCI is using. It is thus not possible to predict results precisely from offline analyses that cannot account for these effects.

Blankertz et al.[3] identified several trends in the results of a BCI data-classification competition. Most winning entries used linear classifiers, the most popular being Fisher’s discriminant and linear support vector machines (SVMs). The winning entries for data sets with multichannel oscillatory features often used common spatial patterns. In their review of the literature on BCI classifiers, Lotte et al.[16] concluded that SVMs are particularly efficient, attributing the efficiency to their regularization property and immunity to the curse of dimensionality. They also concluded that combinations of classifiers seem efficient, noting a lack of comparison of classifiers within the same study using otherwise identical parameters.

Figure 3. Three approaches to BCI design. (Panels: Let the Machines Run; Operant Conditioning; Optimized Co-Adaptation; each shows a User and a BCI System.) Arrows indicate the element that adapts; the BCI, the user, or both adapt to optimize and maintain BCI performance (adapted from McFarland et al.[17]).

Muller and Blankertz[21] advocated a machine-learning approach to BCIs in which a statistical analysis of a calibration measurement is used to train the system. The goal is to develop a “zero-training” method providing effective performance from the first session, contrasting it with one based on training users to control specific features of brain signals.[38] A system that can be used without extensive training is appealing since it requires less initial effort on the part of both the BCI user and the system operator. Operation of such a system is based on the as-yet uncertain premise that users can
repeatedly and reliably maintain the specified correlations between brain signals and intent. Figure 3 outlines three different conceptualizations of where adaptation might take place to establish and maintain good BCI performance: In the first, the BCI adapts to the user; in the second, the user adapts to the BCI; and, in the third, user and system adapt to each other.

A number of BCI systems are designed to detect user performance of specific cognitive tasks. Curran et al.[3] suggested that cognitive tasks (such as navigation and auditory imagery) might be more useful in driving a BCI than motor imagery. However, sensorimotor rhythm-based BCIs may provide several advantages over systems that depend on complex cognitive operations; for example, the structures involved in auditory imagery are also likely to be driven by auditory sensory input. Wolpaw and McFarland[37] reported that with extended practice users report motor imagery is no longer necessary to operate a sensorimotor rhythm-based BCI. As is typical of many simple motor tasks, performance becomes automatized through extended practice. Automatized performance may be less likely to interfere with mental operations users might wish to engage in concurrent with their BCI use; for example, composing a manuscript is much easier if the writer does not need to think extensively about each individual keystroke.

As noted, EEG recording may be contaminated by non-brain activity (such as line noise and muscle activity); see Fatourechi et al.[8] for a review. Activity recorded from the scalp represents the superposition of many signals, some originating in the brain, some elsewhere. These signals include potentials generated by retinal dipoles, or eye movement and blinks, and facial muscles. It is noteworthy that mental effort is often associated with changes in eye-blink rate and muscle activity.[35] BCI users might generate these artifacts without being aware of what they are doing simply by making facial expressions associated with effort.

Facial muscles can generate signals with energy in the spectral bands used as features in an SMR-based BCI.[18] Muscle activity can also modulate SMR activity; for example, users can move their right hands in order to desynchronize the mu rhythm over the left hemisphere. This sort of mediation of the EEG through peripheral muscle movements was a concern in the early days of BCI development. As noted earlier, Dewan[6] trained users to send Morse code messages using occipital alpha rhythms modulated by voluntary movements of eye muscles. For this reason, Vaughan et al.[33] recorded EMG from 10 distal limb muscles, while BCI users used central mu or beta rhythms to move a cursor to targets on a video screen. EMG activity was very low in these well-trained users. Most important, the correlations between target position and EEG activity could not be accounted for through EMG activity. Similar studies have been done with BCI users moving a cursor in two dimensions,[37] showing that SMR modulation does not require actual movements or muscle activity.

Figure 4. BCI2000 design consists of four modules: operator, source, signal processing, and application. (Diagram labels: Operator; System Configuration; Visualization; Source; Brain Signals; Signal Processing; Control Signals; User Application; Event Markers; Storage.) Operator deals with system configuration and online presentation of results to the investigator; during operation, information is communicated from source to signal processing to user application and back to source (adapted from Schalk et al.[25]).

Figure 5. Hardware in the Wadsworth Center’s home BCI system, including 16-channel electrode cap for signal recording, solid-state amplifier, laptop, and additional monitor as user display.
and coordination of these modules is accomplished through a fourth operator module; several source modules, signal-processing modules, and user applications have been created for the BCI2000 standard (see http://www.bci2000.org/BCI2000/Home.html).

The Wadsworth Center recently began developing a system for home use by individuals with severe motor impairments.[32] Its basic hardware (see Figure 5) consists of a laptop computer with 16-channel EEG acquisition, a second screen placed in front of the user, and an electrode cap; software is provided by the BCI2000 general-purpose system.[25] The initial users had late-stage ALS, with little or no voluntary movement, and found conventional assistive communication devices inadequate for their needs. The P300-based matrix speller is used for these applications due to its relatively high throughput for spelling and simplicity of use. A 49-year-old scientist with ALS has used this BCI system on a daily basis for approximately three years, finding it superior to his eye-gaze system (a letter-selection device based on eye-gaze direction) and using it from four to six hours per day for email and other communication purposes.[32]

How far BCI technology will go and how useful it will be depend on future research developments. However, it is apparent that BCIs can serve the basic communication needs of people whose severe motor disabilities prevent them from using conventional augmentive communications devices, all of which require muscle control.

(Jan. 1970), 15–24.
3. Blankertz, B., Muller, K-R, Krusienski, D.J., Schalk, G., Wolpaw, J.R., Schlogl, A., Pfurtscheller, G., Millan, J., Schroder, M., and Birbaumer, N. The BCI competition III: Validating alternative approaches to actual BCI problems. IEEE Transactions on Neural Systems and Rehabilitation Engineering 14, 2 (June 2006), 153–159.
4. Coyle, S.M., Ward, T.E., and Markham, C.M. Brain-computer interface using a simplified functional near-infrared spectroscopy system. Journal of Neural Engineering 4, 3 (Sept. 2007), 219–226.
5. Curran, E., Sykacek, P., Stokes, M., Roberts, S.J., Penny, W., Johnsrude, I., and Owen, A. Cognitive tasks for driving a brain-computer interface: A pilot study. IEEE Transactions on Neural Systems and Rehabilitation Engineering 12, 1 (Mar. 2003), 48–54.
6. Dewan, E.M. Occipital alpha rhythm eye position and lens accommodation. Nature 214, 5092 (June 3, 1967), 975–977.
7. Farwell, L.A. and Donchin, E. Talking off the top of your head: Toward a mental prosthesis utilizing event-related brain potentials. Electroencephalography and Clinical Neurophysiology 70, 6 (Dec. 1988), 510–523.
8. Fatourechi, M., Bashashati, A., Ward, R.K., and Birch, G.E. EMG and EOG artifacts in brain-computer interface systems: A survey. Clinical Neurophysiology 118, 3 (Mar. 2007), 480–494.
9. Fetz, E.E. Operant conditioning of cortical unit activity. Science 163, 870 (Feb. 28, 1969), 955–958.
10. Galan, F., Nuttin, M., Lew, E., Ferrez, P.W., Vanacker, G., Philips, J., and Millan, J.d.R. A brain-actuated wheelchair: Asynchronous and noninvasive brain-computer interfaces for continuous control of robots. Clinical Neurophysiology 119, 9 (Sept. 2008), 2159–2169.
11. He, B. and Liu, Z. Multimodal functional neuroimaging: Integrating functional MRI and EEG/MEG. IEEE Reviews in Biomedical Engineering 1 (Nov. 2008), 23–40.
12. Hochberg, L.R., Serruya, M.D., Friehs, G.M., Mukand, J.A., Saleh, M., Caplan, A.H., Branner, A., Penn, D.R.D., and Donoghue, J.P. Neuronal ensemble control of prosthetic devices by a human with tetraplegia. Nature 442, 7099 (July 13, 2006), 164–171.
13. Krusienski, D.J., Sellers, E.W., McFarland, D.J., Vaughan, T.M., and Wolpaw, J.R. Toward enhanced P300 speller performance. Journal of Neuroscience Methods 167, 1 (Jan. 15, 2008), 15–21.
14. Leeb, R., Friedman, D., Muller-Putz, G.R., Scherer, R., Slater, M., and Pfurtscheller, G. Self-paced (asynchronous) BCI control of a wheelchair in virtual environments: A case study with a tetraplegic. Computational Intelligence and Neuroscience 79642 (2007).
15. Leuthardt, E.C., Schalk, G., Wolpaw, J.R., Ojemann, J.G., and Moran, D.W. A brain-computer interface using electrocorticographic signals in humans. Journal of Neural Engineering 1, 2 (June 2004), 63–71.
16. Lotte, F., Congedo, M., Lecuyer, A., Lamarche, F., and Arnaldi, B. A review of classification algorithms for EEG-based brain-computer interfaces. Journal of Neural Engineering 4, 2 (June 2007), 1–13.
17. McFarland, D.J., Krusienski, D.J., and Wolpaw, J.R. Brain-computer interface signal processing at the Wadsworth Center: Mu and sensorimotor beta rhythms. Progress in Brain Research 159 (2006), 411–419.
Applications, and Related Fields, Fifth Edition, E. Neidermeyer and F. Lopes da Silva, Eds. Lippincott Williams and Wilkins, Philadelphia, 2005, 1–15.
24. Pfurtscheller, G., Flotzinger, D., and Kalcher, J. Brain-computer interface: A new communication device for handicapped persons. Journal of Microcomputer Applications 16, 3 (July 1993), 293–299.
25. Schalk, G., McFarland, D.J., Hinterberger, T., Birbaumer, N., and Wolpaw, J.R. BCI2000: A general-purpose brain-computer interface (BCI) system. IEEE Transactions on Biomedical Engineering 51 (2004), 1034–1043.
26. Scherer, R., Muller, G.R., Neuper, C., Graimann, B., Pfurtschheller, G. An asynchronously controlled EEG-based virtual keyboard: Improvement of the spelling rate. IEEE Transactions on Biomedical Engineering 51, 6 (June 2004), 979–984.
27. Singer, E. Brain games. Technology Review 111, 4 (July/Aug. 2008), 82–84.
28. Sitaram, R., Caria, A., Veit, R., Gaber, T., Rota, G., Kuebler, A., and Birbaumer, N. fMRI brain-computer interface: A tool for neuroscientific research and treatment. Computational Intelligence and Neuroscience (2007).
29. Sterman, M.B., MacDonald, L.R., and Stone, R.K. Biofeedback training of sensorimotor EEG in man and its effect on epilepsy. Epilepsia 15, 3 (Sept. 1974), 395–416.
30. Taylor D.A., Tillery S., and Schwartz, A.B. Direct cortical control of 3D neuroprosthetic devices. Science 296, 5574 (June 7, 2002), 1829–1832.
31. Townsend, G., LaPallo, B.K., Boulay, C.B., Krusienski, D.J., Frye, G.E., Hauser, C.K., Schwartz, N.E., Vaughan, T.M., Wolpaw, J.R., and Sellers, E.W. A novel P300-based brain-computer interface stimulus presentation paradigm: Moving beyond rows and columns. Clinical Neurophysiology 121, 7 (July 2010), 1109–1120.
32. Vaughan, T.M., McFarland, D.J., Schalk, G., Sarnacki, W.A., Krusienski, D.J., Sellers, E.W., and Wolpaw, J.R. The Wadsworth BCI research and development program: At home with BCI. IEEE Transactions on Rehabilitation Engineering 14, 2 (June 2006), 229–233.
33. Vaughan, T.M., Miner, L.A., McFarland, D.J., and Wolpaw, J.R. EEG-based communication: Analysis of concurrent EMG activity. Electroencephalography and Clinical Neurophysiology 107, 6 (Dec. 1998), 428–433.
34. Vidal, J.J. Real-time detection of brain events in EEG. Proceedings of the IEEE 65, 5 (May 1977), 633–641.
35. Whitham, E.M., Lewis, T., Pope, K.J., Fitzbibbon, S.P., Clark, C.R., Loveless, S., DeLosAngeles, D., Wallace, A.K., Broberg, M., and Willoughby, J.O. Thinking activates EMG in scalp electrical recordings. Clinical Neurophysiology 119, 5 (May 2008), 1166–1175.
36. Wolpaw, J.R., Birbaumer, N., McFarland, D.J., Pfurtscheller, G., and Vaughan, T.M. Brain-computer interfaces for communication and control. Clinical Neurophysiology 113, 6 (June 2002), 767–791.
37. Wolpaw, J.R. and McFarland, D.J. Control of a two-dimensional movement signal by a noninvasive brain-computer interface. Proceedings of the National Academy of Science 101, 51 (Dec. 21, 2004), 17849–17854.
38. Wolpaw, J.R., McFarland, D.J., Neat, G.W., and Forneris, C.A. An EEG-based brain-computer interface for cursor control. Electroencephalography and Clinical Neurophysiology 78, 3 (Mar. 1991), 252–259.

Acknowledgments
This work was supported in part by
grants from the National Institutes of 18. McFarland, D.J., Sarnacki, W.A., Vaughan, T.M.,
Health HD30146 (NCMRR, NICHD) and Wolpaw, J.R. Brain-computer interface (BCI) Dennis J. McFarland (mcfarlan@wadsworth.org) is a
operation: Signal and noise during early training research scientist in the Laboratory of Neural Injury and
and EB00856 (NIBIB & NINDS) and the sessions. Clinical Neurophysiology 116 (2005), 56–62. Repair at the Wadsworth Center of the New York State
James S. McDonnell Foundation. We 19. McFarland, D.J. and Wolpaw, J.R. Brain-computer Department of Health, Albany, NY.
interface operation of robotic and prosthetic devices.
thank Chad Boulay and Peter Brun- Computer 41, 10 (Oct. 2008), 48–52.
ner for their comments on the manu- 20. Mellinger, J., Schalk, G., Braun, C., Preissl, H., Jonathan R. Wolpaw (wolpaw@wadsworth.org) is a
Rosenstiel, W., Birbaumer, N., and Kubler, A. An MEG- research physician in the Laboratory of Neural Injury and
script. based brain-computer interface (BCI). Neuroimage Repair in the Wadsworth Center of the New York State
36, 3 (July 1, 2007), 581–593. Department of Health, Albany, NY.
21. Muller, K.-R., and Blankertz, B. Towards noninvasive
brain-computer interfaces. IEEE Signal Processing
References
Magazine 23, 1 (Sept. 2006), 125–128.
1. Bell, C.J., Shenoy, P., Chalodhorn, R., and Rao, R.P.N. 22. Muller, K.-R., Tangermann, M., Dornhege, G.,
Control of a humanoid robot by a noninvasive brain- Krauledat, M., Curio, GT., and Blankertz, B. Machine
computer interface in humans. Journal of Neural learning for real-time single-trial EEG-analysis:
Engineering 5, 2 (June 2008), 214–220. From brain-computer interfacing to mental-state
2. Black, A.H., Young, G.A., and Batenchuk, C. Avoidance monitoring. Journal of Neuroscience Methods 167, 1
training of hippocampal theta waves in flaxedilized (Jan. 15, 2008), 82–90.
dogs and its relation to skeletal movement. Journal 23. Neidermeyer,. E. Historical aspects. In
of Comparative and Physiological Psychology 70, 1 Electroencephalography: Basic Principals, Clinical © 2011 ACM 0001-0782/11/05 $10.00
The Future of Microprocessors

next two decades, diminishing transistor-speed scaling and practical energy limits create new challenges for continued performance scaling. As a result, the frequency of operations will increase slowly, with energy the key limiter of performance, forcing designs to use large-scale parallelism, heterogeneous cores, and accelerators to achieve performance and energy efficiency. Software-hardware partnership to achieve efficient data orchestration is increasingly critical in the drive toward energy-proportional computing.

Our aim here is to reflect and project the macro trends shaping the future of microprocessors and sketch in broad strokes where processor design is going. We enumerate key research challenges and suggest promising research directions. Since dramatic changes are coming, we also seek to inspire the research community to invent new ideas and solutions that address how to sustain computing’s exponential improvement.

Key insights
Moore’s Law continues but demands radical changes in architecture and software.
Architectures will go beyond homogeneous parallelism, embrace heterogeneity, and exploit the bounty of transistors to incorporate application-customized hardware.
Software must increase parallelism and exploit heterogeneous and application-customized hardware to deliver performance growth.

Microprocessors (see Figure 1) were invented in 1971,28 but it’s difficult today to believe any of the early inventors could have conceived their extraordinary evolution in structure and use over the past 40 years. Microprocessors today not only involve complex microarchitectures and multiple execution engines (cores) but have grown to include all sorts of additional functions, including floating-point units, caches, memory controllers, and media-processing engines. However, the defining characteristics of a microprocessor remain—a single semiconductor chip embodying the primary computation (data transformation) engine in a computing system.

Because our own greatest access and insight involves Intel designs and data, our graphs and estimates draw heavily on them. In some cases, they may not be representative of the entire industry but certainly represent a large fraction. Such a forthright view, solidly grounded, best supports our goals for this article.

Figure 1. Evolution of Intel microprocessors 1971–2009. Intel 4004, 1971: 1 core, no cache, 23K transistors. Intel 8088, 1978: 1 core, no cache, 29K transistors. Intel Nehalem-EX, 2009: 8 cores, 24MB cache, 2.3B transistors.

20 Years of Exponential Performance Gains
For the past 20 years, rapid growth in microprocessor performance has been enabled by three key technology drivers—transistor-speed scaling, core microarchitecture techniques, and cache memories—discussed in turn in the following sections:

Transistor-speed scaling. The MOS transistor has been the workhorse for decades, scaling in performance by nearly five orders of magnitude and providing the foundation for today’s unprecedented compute performance. The basic recipe for technology scaling was laid down by Robert N. Dennard of IBM17 in the early 1970s and followed for the past three decades. The scaling recipe calls for reducing transistor dimensions by 30% every generation (two years) and keeping electric fields constant everywhere in the transistor to maintain reliability. This might sound simple but is increasingly difficult to continue for reasons discussed later. Classical transistor scaling provided three major benefits that made possible rapid growth in compute performance.

First, the transistor dimensions are scaled by 30% (0.7x), their area shrinks 50%, doubling the transistor density every technology generation—the fundamental reason behind Moore’s Law. Second, as the transistor is scaled, its performance increases by about 40% (0.7x delay reduction, or 1.4x frequency increase), providing higher system performance. Third, to keep the electric field constant, supply voltage is reduced by 30%, reducing energy by 65%, or power (at 1.4x frequency) by 50% (active power = CV²f). Putting it all together, in every technology generation transistor integration doubles, circuits are 40% faster, and system power consumption (with twice as many transistors) stays the same. This serendipitous scaling (almost too good to be true) enabled three-orders-of-magnitude increase in microprocessor performance over the past 20 years. Chip architects exploited transistor density to create complex architectures and transistor speed to increase frequency, achieving it all within a reasonable power and energy envelope.
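The arithmetic behind the three scaling benefits, as an added Python example that is not code from the article. It assumes switched capacitance shrinks with the 0.7x dimension (the constant-field assumption the text leaves implicit) and that density keeps doubling, and it contrasts the classical recipe with the per-generation estimates the article gives later (15% frequency increase, 5% supply-voltage reduction, 25% capacitance reduction); the class and function names are illustrative.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ScalingRecipe:
    """Multiplicative change per technology generation (1.0 = no change)."""
    name: str
    dimension: float    # linear transistor dimension
    voltage: float      # supply voltage V
    capacitance: float  # switched capacitance C per transistor
    frequency: float    # clock frequency f

    def density(self) -> float:
        # Area scales with dimension squared; density is its inverse.
        return 1.0 / (self.dimension ** 2)

    def energy_per_switch(self) -> float:
        # Active energy per switching event is proportional to C * V^2.
        return self.capacitance * self.voltage ** 2

    def power_per_transistor(self) -> float:
        # Active power = C * V^2 * f.
        return self.energy_per_switch() * self.frequency

    def chip_power(self) -> float:
        # Same die area, so transistor count grows with density and every
        # transistor is assumed to switch at the new C, V and f.
        return self.density() * self.power_per_transistor()


# Classical recipe from the paragraph above. C = 0.7 is an assumption
# (capacitance tracks the linear dimension); f = 1/0.7 is the "1.4x".
DENNARD = ScalingRecipe("classical", dimension=0.7, voltage=0.7,
                        capacitance=0.7, frequency=1 / 0.7)

# The article's later best estimates. dimension = 0.7 is an assumption:
# transistor density still doubles each generation.
PROJECTED = ScalingRecipe("projected", dimension=0.7, voltage=0.95,
                          capacitance=0.75, frequency=1.15)


def project(recipe: ScalingRecipe, generations: int) -> list:
    """Compound one recipe over several generations, relative to today."""
    rows = []
    for g in range(generations + 1):
        rows.append({
            "generation": g,
            "transistors": recipe.density() ** g,
            "chip_power": recipe.chip_power() ** g,
            # Transistors that can be active if chip power must stay flat.
            "transistors_at_fixed_power":
                (1.0 / recipe.power_per_transistor()) ** g,
        })
    return rows


if __name__ == "__main__":
    for recipe in (DENNARD, PROJECTED):
        print(f"{recipe.name}: energy/switch x{recipe.energy_per_switch():.3f}, "
              f"power/transistor x{recipe.power_per_transistor():.3f}, "
              f"chip power x{recipe.chip_power():.3f} per generation")
        last = project(recipe, 5)[-1]
        print(f"  after 5 generations: {last['transistors']:.1f}x transistors, "
              f"{last['chip_power']:.1f}x power if all are active, "
              f"{last['transistors_at_fixed_power']:.1f}x transistors "
              f"at fixed power")
```

Under the classical recipe chip power stays flat while density doubles; under the later estimates power per transistor falls only about 22% per generation, so a die that kept every doubled transistor active would need roughly 1.6x the power each generation.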
Figure 2. Architecture advances and energy efficiency. [Chart: Increase (X) in Die Area, Integer Performance (X), FP Performance (X), and Int Performance/Watt (X) per transition, including 386 to 486 and 486 to Pentium.]

Core microarchitecture techniques. Advanced microarchitectures have deployed the abundance of transistor-integration capacity, employing a dizzying array of techniques, including pipelining, branch prediction, out-of-order execution, and speculation, to deliver ever-increasing performance. Figure 2 outlines advances in microarchitecture, showing increases
vance (such as introducing an on-die cache by comparing 486 to 386 in 1μ technology and superscalar microarchitecture of Pentium in 0.7μ technology with 486).

This data shows that on-die caches and pipeline architectures used transistors well, providing a significant performance boost without compromising energy efficiency. In this era, superscalar, and out-of-order architectures provided sizable performance benefits at a cost in energy efficiency. Of these architectures, deep-pipelined design seems to have delivered the lowest performance increase for the same area and power increase as out-of-order and speculative design, incurring the greatest cost in energy efficiency. The term “deep pipelined architecture” describes deeper pipeline, as well as other circuit and microarchitectural techniques (such as trace cache and self-resetting domino logic) employed to achieve even higher frequency. Evident from the data is that reverting to a non-deep pipeline reclaimed energy efficiency by dropping these expensive and inefficient techniques.

When transistor performance increases frequency of operation, the performance of a well-tuned system generally increases, with frequency subject to the performance limits of other parts of the system. Historically, microarchitecture techniques exploiting the growth in available transistors have delivered performance increases empirically described by Pollack’s

Figure 3. Increased performance vs. area in the same process technology follows Pollack’s Rule. [Plot labels: Integer Performance (X); Performance ~ Sqrt(Area), Slope = 0.5; points for 386 to 486, 486 to Pentium, Pentium to P6, P6 to Pentium 4, Pentium 4 to Core.]

caused designers to forego many of these microarchitecture techniques. As Pollack’s Rule broadly captures area, power, and performance tradeoffs from several generations of microarchitecture, we use it as a rule of thumb to estimate single-thread performance in various scenarios throughout this article.

Cache memory architecture. Dynamic memory technology (DRAM) has also advanced dramatically with Moore’s Law over the past 40 years but with different characteristics. For example, memory density has doubled nearly every two years, while performance has improved more slowly (see Figure 4a). This slower improvement in cycle time has produced a memory bottleneck that could reduce a system’s overall performance. Figure 4b outlines the increasing speed disparity, growing from 10s to 100s of processor clock cycles per memory access. It has lately flattened out due to the flattening of processor clock frequency. Unaddressed, the memory-latency gap would have eliminated and could still eliminate most of the benefits of processor improvement.

The reason for slow improvement of DRAM speed is practical, not technological. It’s a misconception that DRAM technology based on capacitor storage is inherently slower; rather, the memory organization is optimized for density and lower cost, making it slower. The DRAM market has demanded large capacity at minimum cost over speed, depending on small and fast caches on the microprocessor die to emulate high-performance memory by providing the necessary bandwidth and low latency based on data locality. The emergence of sophisticated, yet effective, memory hierarchies allowed DRAM to emphasize density and cost over speed. At first, processors used a single level of cache, but, as processor speed increased, two to three levels of cache hierarchies were introduced to span the growing speed gap between
processor and memory.33,37 In these hierarchies, the lowest-level caches were small but fast enough to match the processor’s needs in terms of high bandwidth and low latency; higher levels of the cache hierarchy were then optimized for size and speed.

Figure 5 outlines the evolution of on-die caches over the past two decades, plotting cache capacity (a) and percentage of die area (b) for Intel microprocessors. At first, cache sizes increased slowly, with decreasing die area devoted to cache, and most of the available transistor budget was devoted to core microarchitecture advances. During this period, processors were probably cache-starved. As energy became a concern, increasing cache size for performance has proven more energy efficient than additional core-microarchitecture techniques requiring energy-intensive logic. For this reason, more and more transistor budget and die area are allocated in caches.

Figure 5. Evolution of on-die caches. [Panels: (a) On-die cache (KB); (b) percentage of die area; x-axis: 1u, 0.5u, 0.25u, 0.13u, 65nm.]

The transistor-scaling-and-microarchitecture-improvement cycle has been sustained for more than two decades, delivering 1,000-fold performance improvement. How long will it continue? To better understand and predict future performance, we decouple performance gain due to transistor speed and microarchitecture by comparing the same microarchitecture on different process technologies and new microarchitectures with the previous ones, then compound the performance gain.

Figure 6 divides the cumulative 1,000-fold Intel microprocessor performance increase over the past two decades into performance delivered by transistor speed (frequency) and due to
of-magnitude of this performance increase is due to transistor speed alone, now leveling off due to the numerous challenges described in the following sections.

Figure 6. Performance increase separated into transistor speed and microarchitecture performance. [Panels: (a) Integer Performance and Transistor Performance; (b) Floating-Point Performance and Transistor Performance; relative scale; x-axis: 1.5u, 0.5u, 0.18u, 65nm.]

The Next 20 Years

Table 1. New technology scaling challenges.
Decreased transistor scaling benefits: Despite continuing miniaturization, little performance improvement and little reduction in switching energy (decreasing performance benefits of scaling) [ITRS].
Flat total energy budget: package power and mobile/embedded computing drives energy-efficiency requirements.
continued feature scaling, process innovations, and packaging innovations.
Need for increasing locality and reduced bandwidth per operation: as performance of the microprocessor increases, and the data sets for applications continue to grow.

Microprocessor technology has delivered three-orders-of-magnitude performance improvement over the past two decades, so continuing this trajectory would require at least 30x performance increase by 2020. Micropro-
achieve, then the power consumption of the chips would be prohibitive (see Figure 7). Chip architects must limit frequency and number of cores to keep power within reasonable bounds, but
in microprocessor performance.

[Figure labels recovered: Case B; Case C, 50MT Logic, 6MB Cache.]

Consider the transistor-integration
This design point matches the dual-core microprocessor on 45nm technology (Core2 Duo), integrating two cores of 25 million transistors each and 6MB of cache in a die area of about 100mm².

If this analysis is performed for future technologies, assuming (our best estimates) modest frequency increase 15% per generation, 5% reduction in supply voltage, and 25% reduction of capacitance, then the results will be as they appear in Table 1. Note that over the next 10 years we expect increased total transistor count, following Moore’s Law, but logic transistors increase by only 3x and cache transistors increase more than 10x. Applying Pollack’s Rule, a single processor core with 150 million transistors will provide only about 2.5x microarchitecture performance improvement over today’s 25-million-transistor core, well shy of our 30x goal, while 80MB of cache is probably more than enough for the cores (see Table 3).

Table 3. Extrapolated transistor integration capacity in a fixed power envelope.
Year | Logic Transistors (Millions) | Cache MB
2008 | 50 | 6
2014 | 100 | 25
2018 | 150 | 80

The reality of a finite (essentially fixed) energy budget for a microprocessor must produce a qualitative shift in how chip architects think about architecture and implementation. First, energy-efficiency is a key metric for these designs. Second, energy-proportional computing must be the ultimate goal for both hardware architecture and software-application design. While this ambition is noted in macro-scale computing in large-scale data centers,5 the idea of micro-scale energy-proportional computing in microprocessors is even more challenging. For microprocessors operating within a finite energy budget, energy efficiency corresponds directly to higher performance, so the quest for extreme energy efficiency is the ultimate driver for performance.

In the following sections, we outline key challenges and sketch potential approaches. In many cases, the challenges are well known and the subject of significant research over many years. In all cases, they remain critical but daunting for the future of microprocessor performance:

Organizing the logic: Multiple cores and customization. The historic measure of microprocessor capability is the single-thread performance of a traditional core. Many researchers have observed that single-thread performance has already leveled off, with only modest increases expected in the coming decades. Multiple cores and customization will be the major drivers for future microprocessor performance (total chip performance). Multiple cores can increase computational throughput (such as a 1x–4x increase could result from four cores), and customization can reduce execution latency. Clearly, both techniques—multiple cores and customization—can improve energy efficiency, the new fundamental limiter to capability.

Choices in multiple cores. Multiple cores increase computational throughput by exploiting Moore’s Law to replicate cores. If the software has no parallelism, there is no performance benefit. However, if there is parallelism, the computation can be spread across multiple cores, increasing overall computational performance (and reducing latency). Extensive research on how to organize such systems dates to the 1970s.29,39

Industry has widely adopted a multicore approach, sparking many questions about number of cores and size/power of each core and how they coordinate.6,36 But if we employ 25-million-transistor cores (circa 2008), the 150-million-logic-transistor budget expected in 2018 gives 6x potential throughput improvement (2x from frequency and 3x from increased logic transistors), well short of our 30x goal. To go further, chip architects
to deploying the feasible 150 million logic transistors, as in Table 1. In Figure 9, option (a) is six large cores (good single-thread performance, total potential throughput of six); option (b) is 30 smaller cores (lower single-thread performance, total potential throughput of 13); and option (c) is a hybrid approach (good single-thread performance for low parallelism, total potential throughput of 11).

Figure 9. Three scenarios for integrating 150-million logic transistors into cores. [Diagram labels: 25MT large cores, 5MT small cores; 30 small cores in (b), 20 small cores in (c).]
Panel | Large-core throughput | Small-core throughput | Total throughput
(a) Large-Core Homogeneous | 1 | | 6
(b) Small-Core Homogeneous | | Pollack’s Rule (5/25)^0.5 = 0.45 | 13
(c) Small-Core Homogeneous | 1 | Pollack’s Rule (5/25)^0.5 = 0.45 | 11

ber of cores, and the related choices in a multicore processor with uniform instruction set but heterogeneous implementation are an important part of increasing performance within the transistor budget and energy envelope.

Choices in hardware customization. Customization includes fixed-function accelerators (such as media codecs, cryptography engines, and compositing engines), programmable accelerators, and even dynamically customizable logic (such as FPGAs and other dynamic structures). In general, customization increases computational performance by exploiting hardwired or customized computation units, customized wiring/interconnect for data movement, and reduced instruction-sequence overheads at some cost in generality. In addition, the level of parallelism in hardware can be customized to match the precise needs of the computation; computation benefits from hardware customization only when it matches the specialized hardware structures. In some cases, units hardwired to a particular data representation or computational algorithm can achieve 50x–500x greater energy efficiency than a general-purpose register organization. Two studies21,22 of a media encoder and TCP offload engine illustrate the large energy-efficiency improvement that is possible.

Due to battery capacity and heat-dissipation limits, for many years energy has been the fundamental limiter for computational capability in smartphone system-on-a-chip (SoC). As outlined in Figure 10, such an SoC might include as many as 10 to 20 accelerators to achieve a superior balance of energy efficiency and performance. This example could also include graphics, media, image, and cryptography accelerators, as well as support for radio and digital signal processing. As one might imagine, one of these blocks could be a dynamically programmable element (such as an FPGA or a software-programmable processor).

Figure 10. A system-on-a-chip from Texas Instruments. [Block diagram: ARM Cortex A8 CPU; C64x+ DSP and video accelerators (3525/3530 only); 2D/3D Graphics (3515/3530 only); Display Subsystem (LCD Controller, Video Enc, 10-bit DACs); Camera I/F (Image Pipe, Parallel I/F); L3/L4 Interconnect; Peripherals; Connectivity (USB 2.0 HS OTG Controller, USB Host Controller x2); System (Timers GP x12, WDT x2); Serial Interfaces (McBSP x5, McSPI x4, I2C x3, UART x2, UART w/ IRDA, HDQ/1-wire); Program/Data Storage (SDRC, GPMC, MMC/SD/SDIO x3).]

Another customization approach constrains the types of parallelism that can be executed efficiently, enabling a simpler core, coordination, and memory structures; for example, many CPUs increase energy efficiency by restricting memory access structure and control flexibility in single-instruction, multiple-data or vector (SIMD) structures,1,2 while GPUs encourage programs to express structured sets of threads that can be aligned and executed efficiently.26,30 This alignment reduces parallel coordination and memory-access costs, enabling use of large numbers of cores and high peak performance when applications can be formulated with a compatible parallel structure. Several microprocessor manufacturers have announced future mainstream products that integrate CPUs and GPUs.

Customization for greater energy or computational efficiency is a long-standing technique, but broad adoption has been slowed by continued improvement in microprocessor single-thread performance. Developers of software applications had little incentive to customize for accelerators that might be available on only a fraction of the machines in the field and for which the performance advantage might soon be overtaken by advances in the traditional microprocessor. With slowing improvement in single-thread performance, this landscape has changed significantly, and for many applications, accelerators may be the only path toward increased performance or energy efficiency (see Table 4). But such software customization is difficult, especially for large programs (see the sidebar “Decline of 90/10 Optimization, Rise of 10x10 Optimization”).

Table 4. Logic organization challenges, trends, directions.
Software transparency | Explicit partition and mapping, virtualization, application management | Hardware-based state adaptation and software-hardware partnership for management
Lower-power cores | Heterogeneous cores, vector extensions, and GPU-like techniques to reduce instruction- and data-movement cost | Deeper, explicit storage hierarchy within the core; integrated computation in registers
Energy management | Hardware dynamic voltage scaling and intelligent adaptive management, software core selection and scheduling | Predictive core scheduling and selection to optimize energy efficiency and minimize data movement
Accelerator variety | Increasing variety, library-based encapsulation (such as DX and OpenGL) for specific domains | Converged accelerators in a few application categories and increasing open programmability for the accelerators

Orchestrating data movement:
Memory hierarchies and interconnects. In future microprocessors, the energy expended for data movement will have a critical effect on achievable performance. Every nano-joule of energy used to move data up and down the memory hierarchy, as well as to synchronize across and data between processors, takes away from the limited budget, reducing the energy available for the actual computation. In this context, efficient memory hierarchies are critical, as the energy to retrieve data from a local register or cache is far less than the energy to go to DRAM or to secondary storage. In addition, data must be moved between processing units efficiently, and task placement and scheduling must be optimized against an interconnection network with high locality. Here, we examine energy and power associated with data movement on the processor die.

Today’s processor performance is on the order of 100Giga-op/sec, and a 30x increase over the next 10 years would increase this performance to 3Tera-op/sec. At minimum, this boost requires 9Tera-operands or 64b x 9Tera-operands (or 576Tera-bits) to be moved each second from registers or memory to arithmetic logic, consuming energy.

Figure 11(a) outlines typical wire delay and energy consumed in moving one bit of data on the die. If the operands move on average 1mm (10% of die size), then at the rate of 0.1pJ/bit, the 576Tera-bits/sec of movement consumes almost 58 watts with hardly any energy budget left for computation. If most operands are kept local to the execution units (such as in register files) and the data movement is far less than 1mm, on, say, the order of only 0.1mm, then the power consumption is only around 6 watts, allowing ample energy budget for the computation.

Figure 11. On-die interconnect delay and energy (45nm). [Panels: (a) Wire Delay (ps) and Wire Energy (pJ) vs. on-die interconnect length (mm), 0 to 20; (b) On-die network energy per bit (pJ/Bit), measured and extrapolated; x-axis: 0.5u, 0.18u, 65nm, 22nm, 8nm.]

Cores in a many-core system are typically connected through a network-on-a-chip to move data around the cores.40 Here, we examine the effect of such a network on power consumption. Figure 11(b) shows the energy consumed in moving a bit across a hop in such a network, measured in
tions. If only 10% of the operands move over the network, traversing 10 hops on average, then at the rate of 0.06pJ/bit the network power would be 35 watts, more than half the power budget of the processor.

As the energy cost of computation is reduced by voltage scaling (described later), emphasizing compute throughput, the cost of data movement starts to dominate. Therefore, data movement must be restricted by keeping data locally as much as possible. This restriction also means the size of local storage (such as a register file) must increase substantially. This increase is contrary to conventional thinking of register files being small and thus fast. With voltage scaling the frequency of operation is lower anyway, so it makes sense to increase the size of the local storage at the expense of speed.

Another radical departure from conventional thinking is the role of the interconnect network on the chip. Recent parallel machine designs have been dominated by packet-switching,6,8,24,40 so multicore networks adopted this energy-intensive approach. In the future, data movement over these networks must be limited to conserve energy, and, more important, due to the large size of local storage data bandwidth, demand on the network will be reduced. In light of these findings on-die-network architectures need revolutionary approaches (such as hybrid packet/circuit switching4).

Many older parallel machines used irregular and circuit-switched networks31,41; Figure 12 describes a return to hybrid switched networks for on-chip interconnects. Small cores in close proximity could be interconnected into clusters with traditional busses that are energy efficient for data movement over short distances. The clusters could be connected through wide (high-bandwidth) low-swing (low-energy) busses or through packet- or circuit-switched networks, depending on distance. Hence the network-on-a-chip could be hierarchical and heterogeneous, a radical departure from the traditional parallel-machine approach (see Table 5).

Figure 12. Hybrid switching for network-on-a-chip. [Diagram: cores (C) grouped on busses with routers (R); a bus to connect a cluster; a second-level bus to connect clusters (hierarchy of busses); a second-level router-based network (hierarchy of networks).]

Table 5. Data movement challenges, trends, directions.
Challenge | Near-Term | Long-Term
Parallelism | Increased parallelism | Heterogeneous parallelism and customization, hardware/runtime placement, migration, adaptation for locality and load balance
Data Movement/Locality | More complex, more exposed hierarchies; new abstractions for control over movement and “snooping” | New memory abstractions and mechanisms for efficient vertical data locality management with low programming effort and energy
Resilience | More aggressive energy reduction; compensated by recovery for resilience | Radical new memory technologies (new physics) and resilience techniques
Energy Proportional Communication | Fine-grain power management in packet fabrics | Exploitation of wide data, slow clock, and circuit-based techniques
Reduced Energy | Low-energy address translation | Efficient multi-level naming and memory-hierarchy management

The role of microprocessor architect must expand beyond the processor core, into the whole platform on a chip, optimizing the cores as well as the network and other subsystems.

Pushing the envelope: Extreme circuits, variability, resilience. Our analysis showed that in the power-constrained scenario, only 150 million logic transistors for processor cores and 80MB of cache will be affordable due to energy by 2018. Note that 80MB of cache is not necessary for this system, and a large portion of the cache-transistor budget can be utilized to integrate even more cores if it can be done with the power-consumption density of a cache, which is 10x less than logic. This approach can be achieved through aggressive scaling of supply voltage.25

Figure 13. Improving energy efficiency through voltage scaling. [Plots against Supply Voltage (V), 0.2 to 1.4, for 65nm CMOS at 50° C, with the subthreshold region and the 320mV point marked.]

Table 6. Circuits challenges, trends, directions.
Challenge | Near-Term | Long-Term
Power, energy efficiency | Continuous dynamic voltage and frequency scaling, power gating, reactive power management | Discrete dynamic voltage and frequency scaling, near threshold operation, proactive fine-grain power and energy management
Variation | Speed binning of parts, corrections with body bias or supply voltage changes, tighter process control | Dynamic reconfiguration of many cores by speed
Gradual, temporal, intermittent, and permanent faults | Guard-bands, yield loss, core sparing, design for manufacturability | Resilience with hardware/software co-design, dynamic in-field detection, diagnosis, reconfiguration and repair, adaptability, and self-awareness

Figure 14. A heterogeneous many-core system with variation. [Diagram: large cores for single-thread performance; small cores running at f, f/2, and f/4 for throughput performance; energy efficient with fine-grain power management.]

Figure 13 outlines the effectiveness of supply-voltage scaling when the chip is designed for it. As the supply voltage is reduced, frequency also reduces, but energy efficiency increases. When the supply voltage is reduced all the way to the transistor’s threshold, energy efficiency increases by an order of magnitude. Employing this technique on large cores would dramatically reduce single-thread performance and is hence not recommended. However, smaller cores used
for throughput would certainly benefit from it. Moreover, the transistor budget from the unused cache could be used to integrate even more cores with the power density of the cache. Aggressive voltage scaling provides an avenue for utilizing the unused transistor-integration capacity for logic to deliver higher performance.

Aggressive supply-voltage scaling comes with its own challenges (such as variations). As supply voltage is reduced toward a transistor’s threshold voltage, the effect of variability is even worse, because the speed of a circuit is proportional to the voltage overdrive (supply voltage minus threshold voltage). Moreover, as supply voltage approaches the threshold, any small change in threshold voltage affects the speed of the circuit. Therefore, variation in the threshold voltage manifests itself as variation in the speed of the core, the slowest circuit in the core determines the frequency of operation of the core, and a large core is more susceptible to lower frequency of operation due to variations. On the other hand, a large number of small cores has a better distribution of fast and slow small cores and can better even out the effect of variations. We next discuss an example system that is variation-tolerant, energy-efficient, energy-proportional, and fine-grain power managed.

A hypothetical heterogeneous processor (see Figure 14) consists of a small number of large cores for single-thread performance and many small cores for throughput performance. Supply voltage and the frequency of any given core are individually controlled such that the total power consumption is within the power envelope. Many small cores operate at lower voltages and frequency for improved energy efficiency, while some small cores operate near threshold voltage at the lowest frequency but at higher energy efficiency, and some cores may be turned off completely. Clock frequencies need not be continuous; steps (in powers of two) keep the system synchronous and simple without compromising performance while also addressing variation tolerance. The scheduler dynamically monitors workload and configures the system with the proper mix of cores and schedules the workload on the right cores for energy-proportional computing. Combined heterogeneity, aggressive supply-voltage scaling, and fine-grain power (energy) management enables utilization of a larger fraction of transistor-integration capacity, moving closer to the goal of 30x increase in compute performance (see Table 6).

Software challenges renewed: Programmability versus efficiency. The end of scaling of single-thread performance already means major software challenges; for example, the shift to symmetric parallelism has created perhaps the greatest software challenge in the history of computing,12,15 and we expect future pressure on energy-efficiency will lead to extensive use of heterogeneous cores and accelerators, further exacerbating the software challenge. Fortunately, the past decade has seen increasing adoption of high-level “productivity” languages20,34,35 built on advanced interpretive and compiler technologies, as well as increasing use of dynamic translation techniques. We expect these trends to continue, with higher-level programming, extensive customization through libraries, and sophisticated automated performance search techniques (such as autotuning) will be even more important.

Extreme studies27,38 suggest that aggressive high-performance and extreme-energy-efficient systems may go further, eschewing the overhead of programmability features that software engineers have come to take for granted; for example, these future systems may drop hardware support for a single flat address space (which normally wastes energy on address manipulation/computing), single-memory hierarchy (coherence and monitoring energy overhead), and steady rate of execution (adapting to the available energy budget). These systems will place more of these components under software control, depending on increasingly sophisticated software tools to manage the hardware boundaries and irregularities with greater energy efficiency. In extreme cases, high-performance computing and embedded applications may even manage these complexities explicitly. Most architectural features and techniques we’ve discussed here shift more responsibility for distribution of the computation and data across the compute and storage elements of microprocessors to software.13,18 Shifting responsibility increases potential achievable energy efficiency, but realizing it depends on significant advances in applications, compilers and runtimes, and operating systems to understand and even predict the application and workload behavior.7,16,19 However, these advances require radical research breakthroughs and major changes in software practice (see Table 7).

Table 7. Software challenges, trends, directions.

| Challenge | Near-Term | Long-Term |
|---|---|---|
| 1,000-fold software parallelism | Data parallel languages and “mapping” of operators, library and tool-based approaches | New high-level languages, compositional and deterministic frameworks |
pretty good new days, as progress continues—will be more difficult, with Moore’s Law scaling producing continuing improvement in transistor density but comparatively little improvement in transistor speed and energy. As a result, the frequency of operation will increase slowly. Energy will be the key limiter of performance, forcing processor designs to use large-scale parallelism with heterogeneous cores, or a few large cores and a large number of small cores operating at low frequency and low voltage, near threshold. Aggressive use of customized accelerators will yield the highest performance and greatest energy efficiency on many applications. Efficient data orchestration will increasingly be critical, evolving to more efficient memory hierarchies and new types of interconnect tailored for locality and that depend on sophisticated software to place computation and data so as to minimize data movement. The objective is ultimately the purest form of energy-proportional computing at the lowest-possible levels of energy. Heterogeneity in compute and communication hardware will be essential to optimize for performance for energy-proportional computing and coping with variability. Finally, programming systems will have to comprehend these restrictions and provide tools and environments to harvest the performance.

While no one can reliably predict the end of Si CMOS scaling, for this future scaling regime, many electrical engineers have begun exploring new types of switches and materials (such as compound semiconductors, carbon nanotubes, and graphene) with different performance and scaling characteristics from Si CMOS, posing new types of design and manufacturing challenges. However, all such technologies are in their infancy, probably not ready in the next decade to replace silicon but will pose the same challenges with continued scaling. Quantum electronics (such as quantum dots) are even farther out and when realized will reflect major challenges of its own, with yet newer models of computation, architecture, manufacturing, variability, and resilience.

Because the future winners are far from clear today, it is way too early to predict whether some form of scaling (perhaps energy) will continue or there will be no scaling at all. The pretty good old days of scaling that processor design faces today are helping prepare us for these new challenges. Moreover, the challenges processor design will face in the next decade will be dwarfed by the challenges posed by these alternative technologies, rendering today’s challenges a warm-up exercise for what lies ahead.

Acknowledgments

This work was inspired by the Exascale study working groups chartered in 2007 and 2008 by Bill Harrod of DARPA. We thank him and the members and presenters to the working groups for valuable insightful discussions over the past few years. We also thank our colleagues at Intel who have improved our understanding of these issues through many thoughtful discussions. Thanks, too, to the anonymous reviewers whose extensive feedback greatly improved the article.

References

1. Advanced Vector Extensions. Intel; http://en.wikipedia.org/wiki/Advanced_Vector_Extensions
2. AltiVec, Apple, IBM, Freescale; http://en.wikipedia.org/wiki/AltiVec
3. Amdahl, G. Validity of the single-processor approach to achieving large-scale computing capability. AFIPS Joint Computer Conference (Apr. 1967), 483–485.
4. Anders, M. et al. A 4.1Tb/s bisection-bandwidth 560Gb/s/W streaming circuit-switched 8x8 mesh network-on-chip in 45nm CMOS. International Solid State Circuits Conference (Feb. 2010).
5. Barroso, L.A. and Hölzle, U. The case for energy-proportional computing. IEEE Computer 40, 12 (Dec. 2007).
6. Bell, S. et al. TILE64 processor: A 64-core SoC with mesh interconnect. IEEE International Solid-State Circuits Conference (2008).
7. Bienia, C. et al. The PARSEC benchmark suite: Characterization and architectural implications. The 17th International Symposium on Parallel Architectures and Compilation Techniques (2008).
8. Blumrich, M. et al. Design and Analysis of the Blue Gene/L Torus Interconnection Network. IBM Research Report, 2003.
9. Borkar, S. Designing reliable systems from unreliable components: The challenges of transistor variability and degradation. IEEE Micro 25, 6 (Nov.–Dec. 2005).
10. Borkar, S. Design challenges of technology scaling. IEEE Micro 19, 4 (July–Aug. 1999).
11. Borkar, S. et al. Parameter variations and impact on circuits and microarchitecture. The 40th Annual Design Automation Conference (2003).
12. Catanzaro, B. et al. Ubiquitous parallel computing from Berkeley, Illinois, and Stanford. IEEE Micro 30, 2 (2010).
13. Cray, Inc. Chapel Language Specification. Seattle, WA, 2010; http://chapel.cray.com/spec/spec-0.795.pdf
14. Chien, A. 10x10: A general-purpose architectural approach to heterogeneity and energy efficiency. The Third Workshop on Emerging Parallel Architectures at the International Conference on Computational Science (June 2011).
15. Chien, A. Pervasive parallel computing: An historic opportunity for innovation in programming and architecture. ACM Principles and Practice of Parallel Programming (2007).
16. Cooper, B. et al. Benchmarking cloud serving systems with YCSB. ACM Symposium on Cloud Computing (June 2010).
17. Dennard, R. et al. Design of ion-implanted MOSFETs with very small physical dimensions. IEEE Journal of Solid State Circuits SC-9, 5 (Oct. 1974), 256–268.
18. Fatahalian, K. et al. Sequoia: Programming the memory hierarchy. ACM/IEEE Conference on Supercomputing (Nov. 2006).
19. Flinn, J. et al. Managing battery lifetime with energy-aware adaptation. ACM Transactions on Computer Systems 22, 2 (May 2004).
20. Gosling, J. et al. The Java Language Specification, Third Edition. Addison-Wesley, 2005.
21. Hameed, R. et al. Understanding sources of inefficiency in general-purpose chips. International Symposium on Computer Architecture (2010).
22. Hoskote, Y. et al. A TCP offload accelerator for 10Gb/s Ethernet in 90-nm CMOS. IEEE Journal of Solid-State Circuits 38, 11 (Nov. 2003).
23. International Technology Roadmap for Semiconductors, 2009; http://www.itrs.net/Links/2009ITRS/Home2009.htm
24. Karamcheti, V. et al. Comparison of architectural support for messaging in the TMC CM-5 and Cray T3D. International Symposium on Computer Architecture (1995).
25. Kaul, H. et al. A 320mV 56W 411GOPS/Watt ultra-low-voltage motion-estimation accelerator in 65nm CMOS. IEEE Journal of Solid-State Circuits 44, 1 (Jan. 2009).
26. The Khronos Group. OpenCL, the Open Standard for Heterogeneous Parallel Programming, Feb. 2009; http://www.khronos.org/opencl/
27. Kogge, P. et al. Exascale Computing Study: Technology Challenges in Achieving an Exascale System; http://users.ece.gatech.edu/mrichard/ExascaleComputingStudyReports/exascale_final_report_100208.pdf
28. Mazor, S. The history of microcomputer-invention and evolution. Proceedings of the IEEE 83, 12 (Dec. 1995).
29. Noguchi, K., Ohnishi, I., and Morita, H. Design considerations for a heterogeneous tightly coupled multiprocessor system. AFIPS National Computer Conference (1975).
30. Nvidia Corp. CUDA Programming Guide Version 2.0, June 2008; http://www.nvidia.com/object/cuda_home_new.html
31. Pfister, G. et al. The research parallel processor prototype (RP3): Introduction and architecture. International Conference on Parallel Processing (Aug. 1985).
32. Pollack, F. Pollack’s Rule of Thumb for Microprocessor Performance and Area; http://en.wikipedia.org/wiki/Pollack’s_Rule
33. Przybylski, S.A. et al. Characteristics of performance-optimal multi-level cache hierarchies. International Symposium on Computer Architecture (June 1989).
34. Richter, J. The CLR Via C#, Second Edition, 1997.
35. Ruby Documentation Project. Programming Ruby: The Pragmatic Programmer’s Guide; http://www.ruby-doc.org/docs/ProgrammingRuby/
36. Seiler, L. et al. Larrabee: Many-core x86 architecture for visual computing. ACM Transactions on Graphics 27, 3 (Aug. 2008).
37. Strecker, W. Transient behavior of cache memories. ACM Transactions on Computer Systems 1, 4 (Nov. 1983).
38. Sarkar, V. et al. Exascale Software Study: Software Challenges in Extreme-Scale Systems; http://users.ece.gatech.edu/mrichard/ExascaleComputingStudyReports/ECSS%20report%20101909.pdf
39. Tartar, J. Multiprocessor hardware: An architectural overview. ACM Annual Conference (1980).
40. Weingold, E. et al. Baring it all to software: Raw machines. IEEE Computer 30, 9 (Sept. 1997).
41. Wulf, W. and Bell, C.G. C.mmp: A multi-miniprocessor. AFIPS Joint Computer Conferences (Dec. 1972).

Shekhar Borkar (Shekhar.Y.Borkar@intel.com) is an Intel Fellow and director of exascale technology at Intel Corporation, Hillsboro, OR.

Andrew A. Chien (Andrew.Chien@alum.mit.edu) is former vice president of research at Intel Corporation and currently adjunct professor in the Computer Science and Engineering Department at the University of California, San Diego.

© 2011 ACM 0001-0782/11/05 $10.00
Privacy-Preserving Network Forensics

Key Insights

An anonymous Internet protects the privacy of people’s Internet activity but means criminal activity could go unattributed.

A fully attributed, non-anonymous Internet linking all Internet traffic back to its source would help monitor and track criminal activity but could also compromise the privacy of everyday users.

All Internet packets are inherently anonymous but, with appropriate credentials, authorized parties can revoke that anonymity and attribute packets back to their source.

Research in network security has traditionally focused on defense—mechanisms designed to impede an adversary. However, paraphrasing security expert Butler Lampson, practical security requires a balance between defense and deterrence. While defense may block an adversary’s current attacks, only an effective deterrent can prevent the adversary from choosing to attack in the first place. But creating such a deterrent is usually predicated on an effective means of attribution—tying an individual to an action. In the physical world, this link is established through concrete evidence (such as DNA, fingerprints, and writing samples), but the Internet has no such robust forensic trail. Indeed, functional anonymity is

lengthen the effective lifetime of defense mechanisms.

Compelling though this line of thinking may be, there is a natural tension between the need for attribution and user expectations of privacy. While the public generally appreciates that criminal acts should be subject to scrutiny, civil libertarians are considerably less sanguine about exposing identifying information as a matter of course. Indeed, a recently leaked document, of allegedly International Telecommunications Union provenance, lends credence to libertarian fears, motivating the need for network-level “IP traceback” capabilities via a government’s desire to identify anonymous political opponents.12 Though this is but one example, it is time to explore technical solutions that balance the enforcement interests of the state and the privacy interests of individuals.

We seek to achieve such a balance by introducing a new network-layer capability we call privacy-preserving forensic attribution. We propose a packet-level cryptographic signature
lenges of building a privacy-preserving forensic-attribution capability. This illuminating experience revealed the architectural requirements of our approach while forcing us to confront the challenges of the underlying cryp-

sic attribution, encouraging wider consideration of our approach.

Motivating Scenarios

Forensic attribution would create a fundamentally new network-layer ca-

received from a corporal in the Rhode Island State Police Department: “We are currently attempting to locate an international fugitive who is wanted for [a violent crime]. We have identified a Pocket PC device attached to the Internet which the [fugitive] is apparently using...”

Though unable to discuss the details of the case publicly, we can consider the model: The police have a single packet trace known to be from the fugitive’s device (perhaps a threatening email message) and now seek to determine if other threatening messages were also sent from the same device, thereby identifying the fugitive’s current IP address and, hence, geographic area of operation.

Also increasingly common is for authorities to recover computer equipment when suspects are taken into custody. Tying it to other online actions, especially beyond a reasonable doubt, is challenging absent a strong forensic identifier. A strong forensic identifier would allow a recovered laptop to be directly and unambiguously bound to particular messages logged by law enforcement.

Background and Related Work

The value of forensic attribution—use of technical means to establish the presence of a person or object at a crime scene after the fact—has a long history in law enforcement, dating to the late 19th century.a Lacking an eyewitness to a crime, forensic methods often become a critical tool in an investigation. Forensic professionals, security researchers, and Internet industry leaders alike recognize that Internet crime poses a special challenge for forensic attribution. Unlike physical evidence (such as fingerprints and DNA), digital objects are, prima facie, not unique. The Internet architecture places no technical restrictions on how a host generates packets, so every bit of a packet can be trivially manipulated in subtle ways to hide its provenance.

a The city of Calcutta first systematically used human fingerprints for criminal records in 1897, followed by Scotland Yard in Britain in 1901.

Indeed, criminals have long spoofed the source address of their Internet traffic to conceal their activity.7,16 While a range of systems has been proposed to detect and/or block IP source-address spoofing, such systems are deployed inconsistently, and none are foolproof, even in their ideal embodiment. A long line of literature has focused on tracing spoofed packets back to their source,17,19 but their approaches are motivated by network operational needs and focus on delivering topological path information, an even more abstract property than an IP address.

More important, IP addresses are not unique identifiers, even when used as intended. An IP address represents a topological location in the network for the purpose of routing, not as a way to specify a physical endpoint. It is common for protocols (such as DHCP, Mobile IP, and NAT) to dynamically change the mapping between IP address and physical machine as part of their normal use. While some mappings are logged, this data is commonly retained for only a limited period. “The Internet,” David Aucsmith wrote, “provides criminals two of the most coveted qualities: anonymity and mobility.”3

While we are unaware of other published attempts to provide network-level forensic attribution to physical hosts, a number of related research projects make similar use of cryptographic mechanisms. The source-authentication systems, or “packet passports,” of Liu et al.14 and “Accountable Internet Protocol” of Andersen et al.1 both use cryptographic identifiers. However, these systems focus on ensuring the consistency and topological validity of the IP source address itself to prevent address spoofing and do not address either user privacy concerns or the need for long-term physical linkage required for forensic attribution.

Design Goals

Clue reflects the following basic requirements:

Physical names. Attribution must provide a link to a physical object (such as the sending computer). A physical computer can have an associated owner and permit association via sales-and-maintenance records. Moreover, given continuous ownership, a physical computer may be reused in multiple attacks. Identifying this computer allows the attacks to be linked, even if the physical computer is never recovered. Finally, a physical computer accretes physical forensic evidence as a side effect of its use. Indeed, much of this article was written on a laptop with extensive fingerprint evidence on the screen and, upon examination, a range of hair and skin samples beneath the keyboard. If this laptop were found, it could be unambiguously linked to one of the authors via DNA or fingerprint comparisons;

Per-packet granularity. The best deterrence is when attribution is universal, applied equally to every packet. Moreover, by providing this capability at the network layer, attribution is transparently provided to all higher-layer protocols and applications. That is, there is an inherent benefit in not tying forensic attribution to any particular higher-level network construct. Forensic attribution is most effective when provided as a fundamental building block on which arbitrary higher-level protocols, services, and applications can be built;

Unimpeachability. While we would be satisfied if a new attribution capability simply offered investigative value for those pursuing criminals, we hope that any attribution mechanism would be accepted as sufficiently accurate and trustworthy to provide evidentiary value in the courtroom as well. We therefore seek strong cryptographic mechanisms that are not easily repudiated; and

Indefinite lifetime. On the Internet, as in the physical world, many crimes are not detected until long after they are committed. Placing unnecessary restrictions on the time window for forensic discovery will undoubtedly be exploited by criminals to their advantage. Even today, many online criminals are savvy about the practical investigatory delays imposed by different bilateral mutual legal assistance treaties, locating their data accordingly. Thus, it should be possible to examine a packet and unambiguously attribute its origin long after the packet is received—even months or years later.

These requirements bring us to an architecture in which each packet is self-identifying—tagged with a unique nonforgeable signature identifying the physical machine that sent it. While such attribution does not definitively identify the person originating a packet, it is the critical building block for subsequent forensic analysis, investigation, and correlation, as it provides a beachhead onto the physical scene of the crime. We presuppose that sites
with sufficient risk and/or value at stake will check such signatures, associate them with higher-level transactions, and log them for enough time to cover their risk. Building such a capability is straightforward using conventional digital signatures and some form of public-key infrastructure, albeit with some performance cost—and one significant drawback: complete lack of privacy.

Privacy requirements. The approach we’ve just described would allow anyone receiving such a packet to attribute its physical origin. There is also a history of vigorous opposition to such capabilities. For example, in early 1999, Intel Corporation announced that new generations of its popular Pentium microprocessors would include a new feature—the Processor Serial Number (PSN)—a per-processor unique identifier intended as a building block for future security applications. Even though this feature was completely passive, public-interest groups quickly identified potential risks to privacy stemming from an available globally unique identifier. In April 2000, Intel abandoned plans to include PSN in future versions of its microprocessors.

We thus posit another critical requirement for a practical forensics tool:

Privacy. To balance the need for forensic attribution against the public’s interest in privacy, packet signatures must be non-identifying, in a strong sense, to an unprivileged observer. Moreover, the signatures must not serve as an identifier (even an opaque one). As such, distinct packets sent from the same source must carry different signatures. Internet users should have at least the same expectation of anonymity they have today, except for authorized investigations.

A strawman solution to this problem is to digitally sign each packet using a per-source key that is in turn escrowed with a trusted third party. Indeed, the ill-fated Clipper chip used such an approach. If a single third party is not widely trusted (likely, given past experience), then the scheme may accommodate multiple third parties responsible for different sets of machines and/or a secret sharing approach in which multiple third parties collaborate to generate the keying material to validate the origin of a signature; for example, in the U.S., both the Department of Justice and the American Civil Liberties Union might be required to agree an investigation is warranted. However, this approach also involves a critical vulnerability. Since, by design, a normal observer cannot extract information from a packet signature, nothing prevents adversaries from incorrectly signing their packets, or random “signatures.” Any attempt at post-hoc authentication is useless. Thus, to be practical, our attribution architecture is motivated by a final requirement:

Attributability. To enforce the attribution property, any observer on the network must be empowered to verify a packet signature—to prove that the packet could be attributed if necessary, though the process of performing the proof must not reveal any information about the physical originator itself. This requirement has a natural fate-sharing property, since choosing to verify a packet is made by the recipient with a future interest in having an attribution capability.

Remaining challenges. As important as our design goals are, so, too, are our non-goals—what we do not attempt to accomplish. For one, our work is not designed to address IP-address spoofing. While there is operational value in preventing spoofing or allowing easier filtering of DDoS attacks, the virtual nature of IP addresses makes them inherently ill-suited for forensic purposes. More significant, our work is limited to attributing the physical machine that sent a particular packet and not necessarily the complete causal chain of events leading to the packet being generated. This distinction is common to most kinds of forensic investigations (such as unraveling offshore shell accounts in forensic accounting or insider communication in securities fraud investigations) but can manifest easily in the Internet context; for example, an attack might be laundered through one or more intermediate nodes, either as part of a legitimate anonymizing overlay network (such as Tor) or via proxies installed on compromised hosts, botnets, or other intermediaries.

In practice, unraveling complex dependencies is simultaneously critically important and fundamentally challenging. Previous work explored how such “stepping-stone” relationships may be inferred in the network,20 and a similar approach—attributing each causal link hop-by-hop—could be employed with our architecture as well. However, unambiguously establishing such causality is not possible at the network layer alone and will ultimately require both host support and, inevitably, manual investigation. While we have a vision for how such host services should be structured, it represents future work beyond the scope of this article.

Architecture

While these requirements appear challenging, there is a well-known cryptographic tool—a group signature11—that unties this particular Gordian knot. Here, we briefly review the properties of group signatures, describing their basic application to forensic packet attribution and the design issues resulting from this architecture.

Group signatures. A group signature provides the property that if a member of a group signs a message, anyone can verify that the signature was created by a group member but cannot determine which one, without the cooperation of a privileged third party, the group manager.

We describe group signatures using the formalized model of Bellare

The two principal security properties for group signature schemes—full-anonymity and full-traceability—imply other properties, including unforgeability, exculpability, and framing-resistance.5 A group signature scheme is CCA-fully anonymous if a set of colluding members cannot learn information about the signers’ identity i, even when adversaries are allowed to Open the signatures of all the messages besides the target message-signature pair. A group-signature scheme is fully traceable if a set of colluding members cannot create a valid message-signature pair (m, σ) that the group manager cannot trace back to one of the colluding parties; that is, either Verify(pk, m, σ) fails, meaning the signature is invalid, or Open(msk, m, σ) returns the identity of one of the colluding members.

Basic packet attribution. We apply group signatures to our problem in the following way: Each machine is a member of some group and provided with a secret signing key. Exactly how groups are constructed, and who is authorized to open resulting signatures, is very much a policy issue, but one pragmatic approach is that each computer manufacturer defines a group across the set of machines it sells. Being manufacturer-centered is particularly appealing because it sidesteps the key distribution problem, as manufacturers now commonly include trusted platform modules that encode unique

material and, by virtue of fate sharing, need not be part of the trusted computing base.

Design. An implementation of group-signature-based packet attribution must address several other challenges before deployment is practical:

Replay. The basic approach we’ve outlined does not prevent an adversary from replaying messages sent (and signed) by other legitimate parties or shuffling the order in which a node receives the messages from other legitimate parties. In some cases, such replayed packets are immediately discarded by the receiving protocol stack or application (such as due to misaligned sequence numbers or routing information). On the other hand, an adversary might be able to mount an untraceable DoS attack or maliciously change application behaviors by replaying or shuffling others’ packets over time. We therefore desire some mechanism to bind these packets to a particular point in time.

A possible solution would involve having the sender include a monotonically increasing counter in each packet and the receiver discard any packets with duplicate sources and counters. However, the naive implementation of such an approach might require the receiver to maintain the list of source-counter pairs (such as through reboots). We assume loosely synchronized clocks; the signer includes the
et al.,5 as well as a definitional exten- cryptographic information in each of current time in each outgoing packet,
sion due to Boneh et al.8 Specifically, their machines. Moreover, a tamper- and the receiver validates freshness di-
a group-signature scheme assumes a resistant implementation is useful for rectly. To handle jitter and network de-
group manager and a group of n un- preventing theft of a machine’s signing lays, as well as possible inconsistencies
privileged members, denoted 1, 2, . . . , key. This approach would also imply among different devices’ perception of
n. The group manager has a secret key the manufacturer would act as group time, one might employ a hybrid ap-
msk, each group member i ε {1, . . . , n} manager in any investigation, execute proach, including both a counter and
has its own secret signing key sk[i], Open under subpoena, or escrow its the time in each packet.
and there is a single public signature- msk (or shares thereof) to third parties. Revocation. To ensure that verifiable
verification key pk. Given a secret signing key, each packets are attributable back to a sin-
The group manager uses a Key- machine uses it to sign the packets it gle physical machine, we assume the
Gen operation to create pk, msk, sk, sends. This signature covers all non- group-signature secret keys are stored
distributing them appropriately. Sub- variant protocol fields and payload in tamper-resistant hardware and not
sequently, if a group member i uses data. The name of the group and the copyable to other devices. However,
its secret key sk[i] to Sign a message per-packet signature are included in a we anticipate that some secret signing
m and gets back a signature σ, anyone special packet header field that is part keys will inevitably be compromised.
with access to the global signature-ver- of the network layer. Any recipient can There are two general frameworks for
ification key pk can Verify that (m, σ) examine the header, using Verify revoking these secret signing keys (due
is a valid message-signature pair under to validate that a packet was correctly to Ateniese2 and Camenisch and Ly-
the secret key of a group member. The signed by a member of the associated syanskaya9). Since most parties in our
group manager can use msk to recover group (and hence could be authenti- system are both signers and verifiers,
the identity i of the signer using the cated by the group manager). The ver- we adopt the Camenisch-Lysyanskaya9
Open operation. ify step does not require protected key approach in which secret keys are re-
voked by globally updating the group Pairing-Based Cryptography (PBC) Li- of an IP packet;
public key and locally updating each brary15 for group-signature operations ˲˲ Strips the Clue trailer from the end
unrevoked party’s secret signing key. that in turn uses the GNU Multiple Pre- of the packet;
In this scheme, the verifiers need not cision arithmetic library (GMP). To ex- ˲˲ Feeds the resulting data and signa-
maintain a list of individual revoca- plore group signatures in the context of ture to the group signature library; and
tions, but public-key updates must be real network packets, we implemented ˲˲ Pushes the original packet to one
applied universally to ensure all subse- Clue as a module in the Click Modular of two output ports, depending wheth-
quent signatures can be verified. Router.13 As PBC and GMP are designed er verification was successful.
Middlebox modification. Middle- as user-mode libraries, Clue employs Clue implements Boneh et al.’s
boxes, like network address transla- Click as a user-mode process rather revocation scheme,8 polling a well-
tors (NATs), create a conundrum. In than as a Linux or BSD kernel module. known revocation service. As might
our architecture, senders sign all non- While this architecture incurs some be expected, cryptographic operation
volatile contents of outgoing packets, performance penalty on its own, the overhead can be high and dominate
including source address. Thus, any cryptographic operations dominate most performance measures. While
packets traversing a NAT will no lon- the user-mode transitions in practice, we have little doubt that more-efficient
ger verify, as their contents have been and the user-mode penalty does not group-signature schemes will emerge
changed. While some might consider interfere with fundamental system- with faster implementations and that
this a shortcoming, it is a requirement design issues. hardware implementation provides
of true attribution; signers can attest Figure 1 outlines the packet trailer more capacity, here we focus on the op-
only to contents they transmitted. The used by the current prototype. The timization opportunities arising from
only other option in our framework is Clue module is mostly a straightfor- the interaction between the dynamics
to deem the source address volatile ward packet-transformation element. of network protocols themselves and
and exclude it from the packet signa- When signing, the module performs the underlying cryptographic primi-
ture. To do so would imply the source the following four tasks: tives. We first describe the particular
address has no significance beyond ˲˲ Collects nonvolatile elements of group-signature construction we use
being a routing locater, though, unfor- an IP packet; and then a series of optimizations
tunately, this is not the case in today’s ˲˲ Adds an 8B local NTP-derived time- we’ve implemented.
Internet, where end hosts use source stamp to implement replay detection; BBS short-group signatures. The
addresses to demultiplex incoming ˲˲ Feeds the resulting data as input to Clue prototype uses the Boneh et
connections, as well as to associate the group-signature library to generate al.8 short-group-signature scheme,
flows, with the appropriate IPsec asso- a signature; and which exhibits comparatively short
ciations. ˲˲ Appends the signature (and ad- signatures relative to group-signature
This tension has been observed ditional optimization information) to schemes based on the Strong-RSA as-
many times in the past, yielding two the original packet, adjusting the IP sumption of Baric and Pfitzmann.4 We
architecturally pure alternatives: fu- length field accordingly. also refine the BBS group-signature
ture Internet architectures can either Tasks like recalculating check- scheme for use with Clue’s optimiza-
remove end host dependence on IP sums are left to other, standard Click tions. The following paragraph sum-
source addresses or make the presence elements in the pipeline performing marizes the basic BBS scheme at a level
of middleboxes explicit. For the time these functions. Similarly, when verify- sufficient to understand our optimiza-
being, deployments requiring NAT-like ing, the module performs the follow- tions:
functionality must make a trade-off be- ing five tasks: The BBS Sign algorithm (on input a
tween deployability and completeness, ˲˲ Validates a packet’s freshness group public key pk, the signer’s secret
choosing between removing source ad- from its timestamp; key sk[i], and a message m) first ob-
dresses from the signature—thereby ˲˲ Collects the nonvolatile elements tains a source of randomness ν, derives
limiting the scope of the attribution—
and encapsulating the original, signed Figure 1. Clue packet-trailer format; shaded fields are explained in the section
on optimizations.
packets in an IP-in-IP tunnel, exposing
the middlebox to the receiver.
Related questions concern virtual- 16B
ization technologies. In a virtualized
environment, the underlying machine h (for windowed verification)
must sign packets. Though technically
feasible, we do not expand on specific
Length Timestamp
approaches here.
values for the variables T_1, T_2, T_3, R_1, R_2, R_3, R_4, R_5 from σ and pk, then computes the value c as c ← H(m, T_1, T_2, T_3, R_1, R_2, R_3, R_4, R_5) where ← denotes assignment from right to left, and H is a hash function; for the security proofs, BBS model H as a random oracle.6,8 The signing algorithm then outputs

σ ← (T_1, T_2, T_3, c, s_α, s_β, s_χ, s_{δ1}, s_{δ7}),    (1)

where s_α, s_β, s_χ, s_{δ1}, s_{δ7} are functions of c, ν, and sk[i]. The BBS Verify algorithm, on input a group public key pk, a message m, and a signature σ = (T_1, T_2, T_3, c, s_α, s_β, s_χ, s_{δ1}, s_{δ7}), derives R′_1, R′_2, R′_3, R′_4, R′_5 from pk and σ, computes c′ as c′ ← H(m, T_1, T_2, T_3, R′_1, R′_2, R′_3, R′_4, R′_5), accepting the signature as valid exactly when c = c′. None of Clue’s optimizations or extensions modify the BBS KeyGen or Open algorithms; we therefore do not survey their details here.

Optimizations. The following optimizations exploit artifacts of the BBS scheme itself, as well as properties of network protocols and clients; some of these optimizations may be of independent interest.

Precomputation (for sender). Clue is able to take advantage of client workloads to improve the overhead of Sign in the sending critical path. The Sign operation has two components: computing the T_j and R_j values, independent of packet data, and using these values to sign a packet. The T_j and R_j computation step by far dominates the overhead of Sign. If Clue takes the T_j and R_j computation out of the critical sending path by precomputing them, Clue can greatly improve the throughput of using Sign. Most client workloads consist of applications with low average sending rates (such as email, Web browsing, and remote login), allowing signature precomputation to overlap I/O. Indeed, over long time scales, the CPU load of clients and servers alike is dominated by idle time—an effect further magnified by multicore processors. Thus, periods of idleness can be exploited to buffer signature precursors for subsequent periods of activity.

Windowed verification (for receiver). Clue takes advantage of the streaming nature of network protocols like TCP to amortize verification over multiple packets of data to reduce the overhead of Verify in the receive critical path. Deriving the R′_j values from pk and σ creates a significant fixed overhead for Verify independent of the amount of signed data. When using Verify on the receiver, the attribution layer can accumulate a window of packets (such as a flight of TCP segments) and verify them all together to amortize per-packet verification overhead. We stress that the signer signs every window of k packets, even overlapping windows, and that the verifier has the option of either verifying the packets individually or verifying any window of its choosing. However, this verification optimization slightly increases the length of a signature.

To accommodate this scenario, we modify the BBS scheme as follows: Using our modified scheme, a verifier can choose to verify the signature on the j-th packet P_j in isolation (such as when no other packets are waiting to be verified or when there is packet loss) or verify in batch the signature on a window of k packets P_{j−k+1}, . . . , P_j. Clue achieves this goal by, on the signing side, first hashing the initial k−1 packets P_{j−k+1}, . . . , P_{j−1} to a value h, then signing h || P_j as before, finally including h in the resulting signature tuple; here || denotes string concatenation, and the hash function to compute h is H′ ≠ H, and P_j is implicitly prefixed with a fixed-width length field. To avoid trivial hash collisions in h, when hashing the packets P_{j−k+1}, . . . , P_{j−1}, Clue also prepends each packet with a 4B length field, then concatenates the resulting length fields and packets together. Including h in the signature allows the receiver to verify the signature over the j-th packet P_j in isolation (by verifying the signature over h || P_j). To verify the signature over the entire window P_{j−k+1}, . . . , P_j, the receiver first recomputes h.

In the Clue prototype the window size k is a parameter provided to the IP layer. We modified our TCP implementation to adaptively set k to match the sender’s congestion window. This setting maximizes performance, as it reflects the largest number of packets that can be amortized together without expecting a packet loss (losing the benefit of amortized verification).

Asynchronous verification (for receiver). The Clue prototype can also overlap computation with network delay to reduce protocol serialization with verification; for example, rather than wait until Verify completes on a TCP packet before sending an ACK, TCP can first optimistically send an ACK back to the sender to overlap the ACK with the Verify computation. Implementing this feature is inherently a layer violation since the Clue prototype allows TCP ACK processing to proceed independent of IP layer verification, but Clue prevents unverified data packets from being passed to the application.

Incremental verification (for receiver). Given the computational costs associated with the Verify algorithm, under some circumstances (such as DoS attacks), Clue may wish to be able to quickly reject packets that might not be attributable. While the Clue prototype cannot completely erase the cost for verification, it can decrease the amount of time to reject a nonverifiable packet by a factor of approximately three, at the expense of increased signature sizes; we make Verify incrementally verifiable. The average time to process and reject a nonattributable packet decreases, though the time to accept a legitimate packet remains essentially unchanged.

Clue’s incrementally verifiable version of the BBS group signature scheme builds on our earlier observation that (1) the bulk of the computation in Verify is spent computing R′_1, . . . , R′_5, and (2) an implementation can derive R′_1, . . . , R′_5 in parallel. Technically, we change Equation 1 to

σ ← (T_1, T_2, T_3, c, s_α, s_β, s_χ, s_{δ1}, s_{δ7}, R_1, R_2, R_3, R_4, R_5).

We then revise the Verify algorithm to, on input a signature σ, set c′′ ← H(m, T_1, T_2, T_3, R_1, R_2, R_3, R_4, R_5), and immediately reject if c′′ ≠ c. The modified verification algorithm would then derive the variables R′_1, R′_2, R′_3, R′_4, R′_5 from pk and T_1, T_2, T_3, c, s_α, s_β, s_χ, s_{δ1}, s_{δ7} in random order, immediately rejecting if R′_j ≠ R_j. Finally, the modified algorithm would accept the signature as valid, since failure to reject implies c = H(m, T_1, T_2, T_3, R′_1, R′_2, R′_3, R′_4, R′_5).

Other potential optimizations. A large class of related optimizations relax security guarantees in exchange for performance; for example, the receiver could randomly verify a packet with
have not yet explored protocol-specific fate-sharing optimizations (such as only signing and verifying TCP SYN packets). Such optimizations could dramatically reduce overhead, albeit in exchange for some increased risk of nonattributability (such as via TCP connection hijacking).

ify and their variants, as described earlier. The table here outlines the average time taken across 100 iterations of these operations on the receiver. The first column of results for “1 packet” are overheads when executing on a single 1,277B packet as input; we chose 1,277, since the combination of the
operation, introducing negligible CPU overhead in the common case. In contrast, “corrupted incremental verify” measures the average time required to reject a corrupted signature. Using incremental verification Clue achieves a 70% reduction in overhead over the original scheme.

The only significant difference between the eight-packet times and the single-packet times occurs when signing a packet using precomputed values arising as a result of hashing the extra data in the additional packets. Note, however, that this cost is still roughly two orders of magnitude less than any other operation, so we do not observe any additional impact on bulk throughput. As a result, amortizing the attribution operations over multiple packets is a key mechanism for reducing receive overhead. In the experiments discussed in the following section, we show that large windows combined with precomputed signatures can dramatically improve performance over basic Sign and Verify alone.

TCP throughput. Bulk TCP throughput is an important performance metric for many Internet applications. Experimentally, our goal is to evaluate the effect of attribution on TCP throughput in our Clue prototype. We measure the TCP throughput performance of the attribution implementation relative to various baseline configurations across a range of network round-trip times (RTTs). In Clue, the implementation of attribution achieves a throughput within a factor of 1.2 of a Click forwarder at typical Internet RTTs. While privacy-preserving attribution has a non-negligible effect on bulk throughput on today’s client systems, the cost is not prohibitive and will continue decreasing over time, as CPU performance increases more quickly than typical Internet bandwidth.

We conduct ttcp benchmarks between the sender and receiver, requiring them to forward traffic through a delay host. For every test configuration, we run each individual transfer for at least 20 seconds. We require the sender to transfer all its data before it closes the connection, timing the transfer from when the sender connects to the receiver to when the sender receives the FIN from the receiver.

Figure 2 outlines the results of the experiments for a number of configurations. We vary the roundtrip time (RTT) between sender and receiver on the x-axis and plot the throughput achieved using the ttcp application benchmark on the y-axis; note the y-axis is a log scale, each point is the average of five runs, and error bars show the standard deviation.

[Figure 2. TCP throughput performance for combined optimizations; y-axis is in log scale. Y-axis: Throughput (Mbps). Curves: Linux, Proxy, Precomp+Async+Win-64, Precomp+Async+AdaptiveWin, Precomp+Async+Win-8, Sign+Verify.]

As an upper bound, the “Linux” curve
ing, Clue’s implementation of the default “Sign+Verify” attribution process restricts bulk TCP throughput to approximately 0.33Mbps independent of the RTT.

The poor performance of “Sign+Verify” motivates the optimizations described earlier. While precomputation dramatically decreases the overhead at the sender, it has only modest effect in isolation on TCP throughput, as performance is still receiver-limited. Similarly, asynchronous verification allows the receiver to issue ACKs immediately, but the potential for improvement is bounded by the effective decrease in flow RTT. Indeed, precomputation and asynchronous verification are most effective when combined with windowed verification and have the potential to move the performance bottleneck back to the sender.

The line in Figure 2 labeled “Precomp+Async+Win-8” is the performance of the Clue prototype when combining the three optimizations while using a fixed window size of eight packets. In theory, the larger the window size, the less overhead verification imposes. Indeed, progressively increasing the window size continues to increase throughput performance—to a point; most benefits are achieved with a window of 64 packets, as indicated by the line “Precomp+Async+Win-64” in Figure 2, exceeding 17.5Mbps at 20ms. Recall that windowed verification proceeds only in the absence of loss; if a packet is lost in a window, the remaining packets must be verified individually, negating any potential for improvement. Hence, our Clue implementation dynamically adjusts the window size to match the sender’s TCP congestion window. The “Precomp+Async+AdaptiveWin” line in Figure 2 shows its performance approaches the baseline for all but the smallest RTTs; at an RTT of 80ms—typical of TCP connections on the Internet18—this combination achieves a throughput of 9.6Mbps, within a factor of 1.2 of “Proxy” itself, and exceeds the capacity of most consumer broadband links.

Conclusion

Much of the Internet’s success can be attributed to its minimalist architecture. However, the related architectural freedoms also represent ripe vulnerabilities for adversaries trying to exploit the network to their own ends. Chief among them is the lack of accountability for user actions. Without a plausible threat of accountability, the normal social processes that disincentivize criminal behavior cannot function. We suggest modifying the Internet architecture to proactively enable network forensics while preserving the privacy of network participants under normal circumstances.

Our approach ensures: authorized parties can determine the physical identity of hardware originating any given IP packets; no other party can determine the identity of the originating physical hardware; and all network participants can simultaneously verify that a packet is well-formed and attributable by the trusted authority. While still some distance from being practicable, our technique may be a viable and promising foundation for future research. A separate research strand must still consider the broader contextual issues surrounding such a solution, ranging from the role of manufacturers to international law.

Acknowledgments

We thank Hovav Shacham of the University of California, San Diego, for advice and comments. This work is funded in part by National Science Foundation grants CNS-0627157 and CNS-0722031.

References

1. Andersen, D., Balakrishnan, H., Feamster, N., Koponen, T., Moon, D., and Shenker, S. Accountable Internet Protocol. In Proceedings of the ACM SIGCOMM Conference (Seattle, Aug. 19–21). ACM Press, New York, 339–350.
2. Ateniese, G., Tsudik, G., and Song, D. Quasi-efficient revocation of group signatures. In Financial Cryptography, M. Blaze, Ed. (Southampton, Bermuda, Mar. 11–14). Springer-Verlag, Berlin, 2002, 183–197.
3. Aucsmith, D. The digital crime scene: A software prospective. In Proceedings of the CyberCrime and Digital Law Enforcement Conference (New Haven, CT, Mar. 26–28, 2004).
4. Baric, N. and Pfitzmann, B. Collision-free accumulators and fail-stop signature schemes without trees. In Advances in Cryptology EUROCRYPT ‘97, W. Fumy, Ed. (Konstanz, Germany, May 11–15). Springer-Verlag, Berlin, 1997, 480–494.
5. Bellare, M., Micciancio, D., and Warinschi, B. Foundations of group signatures: Formal definitions, simplified requirements, and a construction based on general assumptions. In Advances in Cryptology EUROCRYPT ‘03, E. Biham, Ed. (Warsaw, May 4–8). Springer-Verlag, Berlin, 2003, 614–629.
6. Bellare, M. and Rogaway, P. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the ACM Conference on Computer and Communications Security (Fairfax, VA, Nov. 3–5). ACM Press, New York, 1993, 62–73.
7. Bellovin, S.M. Security problems in the TCP/IP protocol suite. ACM SIGCOMM Computer Communication Review 19, 2 (Apr. 1989), 32–48.
8. Boneh, D., Boyen, X., and Shacham, H. Short group signatures. In Advances in Cryptology CRYPTO 2004, M. Franklin, Ed. (Santa Barbara, CA, Aug. 15–19). Springer-Verlag, Berlin, 2004, 41–55.
9. Camenisch, J. and Lysyanskaya, A. Dynamic accumulators and applications to efficient revocation of anonymous credentials. In Advances in Cryptology CRYPTO 2002, M. Yung, Ed. (Santa Barbara, CA, Aug. 18–2). Springer-Verlag, Berlin, Germany, 2002, 61–76.
10. Carson, M. and Santay, D. NIST Net: A Linux-based network-emulation tool. ACM SIGCOMM Computer Communication Review 33, 3 (July 2003), 111–126.
11. Chaum, D. and van Heyst, E. Group signatures. In Advances in Cryptology EUROCRYPT ‘91, D.W. Davies, Ed. (Santa Barbara, CA, Apr. 8–11). Springer-Verlag, Berlin, 1991, 257–265.
12. International Telecommunications Union. Traceback Use Cases and Requirements; http://politechbot.com/docs/itu.traceback.use.cases.requirements.091108.txt
13. Kohler, E., Morris, R., Chen, B., Jannotti, J., and Kaashoek, M.F. The Click modular router. ACM Transactions on Computer Systems 18, 3 (Aug. 2000), 263–297.
14. Liu, X., Yang, X., Weatherall, D., and Anderson, T. Efficient and secure source authentication with packet passports. In Proceedings of the Second Workshop on Steps to Reducing Unwanted Traffic on the Internet (San Jose, CA, July 7). USENIX, Berkeley, CA, 2006.
15. Lynn, B. Pairing-Based Cryptography Library. Stanford University, Palo Alto, CA, 2006; http://crypto.stanford.edu/pbc/
16. Moore, D., Voelker, G.M., and Savage, S. Inferring Internet denial of service activity. In Proceedings of the USENIX Security Symposium (Washington, D.C., Aug. 13–17). USENIX, Berkeley, CA, 2001, 9–22.
17. Savage, S., Wetherall, D., Karlin, A.R., and Anderson, T. Practical network support for IP traceback. In Proceedings of the ACM SIGCOMM Conference (Stockholm, Aug. 28–Sept. 1), ACM Press, New York, 2000, 295–306.
18. Shalunov, S. TCP Over WAN Performance Tuning and Troubleshooting, 2005; http://shlang.com/writing/tcp-perf.html
19. Snoeren, A.C., Partridge, C., Sanchez, L.A., Jones, C.E., Tchakountio, F., Schwartz, B., Kent, S.T., and Strayer, W.T. Single-packet IP traceback. IEEE/ACM Transactions on Networking 10, 6 (Dec. 2002), 721–734.
20. Zhang, Y. and Paxson, V. Detecting stepping stones. In Proceedings of the USENIX Security Symposium (Denver, Aug. 14–17). USENIX, Berkeley, CA, 2000, 171–184.

Mikhail Afanasyev (mafanasyev@gmail.com) is a postdoctoral fellow in the Autonomous Systems Laboratory of the Australian Commonwealth Scientific and Research Organization (CSIRO), Brisbane, Australia.

Tadayoshi Kohno (yoshi@cs.washington.edu) is an assistant professor in the Computer Science and Engineering Department of the University of Washington, Seattle, WA.

Justin Ma (jtma@eecs.berkeley.edu) is a postdoctoral scholar in the AMP Lab of the University of California, Berkeley.

Nicholas Murphy (nmurphy@eecs.harvard.edu) is a doctoral candidate in the School of Engineering and Applied Sciences of Harvard University, Cambridge, MA.

Stefan Savage (savage@cs.ucsd.edu) is a professor in the Computer Science and Engineering Department of the University of California, San Diego.

Alex C. Snoeren (snoeren@cs.ucsd.edu) is an associate professor in the Computer Science and Engineering Department of the University of California, San Diego.

Geoffrey M. Voelker (voelker@cs.ucsd.edu) is a professor in the Computer Science and Engineering Department of the University of California, San Diego.

© 2011 ACM 0001-0782/11/05 $10.00
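The trailer logic that the Clue article above describes under "Replay" and "Windowed verification" (timestamp freshness, the window hash h built from 4B length-prefixed packets, and the choice between single-packet and windowed checking), as an added Python example that is not the Clue prototype's code. HMAC-SHA256 stands in for the BBS group-signature Sign/Verify, so only the framing is shown, not anonymity or public verifiability; the demo key, the 2-second skew bound, SHA-256 as H′, and the field order and sizes other than the 8B timestamp are assumptions.

```python
import hashlib
import hmac
import struct

DEMO_KEY = b"constructed-demo-key"   # constructed; stands in for the signing key sk[i]
MAX_SKEW_S = 2.0                     # assumed freshness tolerance, in seconds
TS_LEN, H_LEN, SIG_LEN = 8, 32, 32   # 8B timestamp per the article; other sizes assumed


def sign(data: bytes) -> bytes:
    """Stand-in for group-signature Sign: HMAC-SHA256, NOT a group signature."""
    return hmac.new(DEMO_KEY, b"H|" + data, hashlib.sha256).digest()


def verify(data: bytes, sig: bytes) -> bool:
    """Stand-in for group-signature Verify (the expensive step in the real scheme)."""
    return hmac.compare_digest(sign(data), sig)


def length_prefixed(packet: bytes) -> bytes:
    """Prefix a packet with a 4-byte big-endian length field."""
    return struct.pack("!I", len(packet)) + packet


def window_hash(prev_packets) -> bytes:
    """h = H'(len||P_{j-k+1} || ... || len||P_{j-1}); the tag keeps H' distinct from H."""
    digest = hashlib.sha256(b"H'|")
    for packet in prev_packets:
        digest.update(length_prefixed(packet))
    return digest.digest()


def naive_window_hash(prev_packets) -> bytes:
    """Same hash without length fields: packet boundaries are not bound into h."""
    return hashlib.sha256(b"H'|" + b"".join(prev_packets)).digest()


def make_trailer(prev_packets, packet: bytes, now: float) -> bytes:
    """Trailer = timestamp || h || signature over (timestamp || h || len||P_j)."""
    ts = struct.pack("!Q", int(now * 1_000_000))
    h = window_hash(prev_packets)
    return ts + h + sign(ts + h + length_prefixed(packet))


def check_packet(packet: bytes, trailer: bytes, now: float, prev_packets=None) -> str:
    """Verify P_j alone, or the whole window when prev_packets is supplied.

    Returns 'ok', 'malformed', 'stale', 'bad-window' or 'bad-signature'.
    """
    if len(trailer) != TS_LEN + H_LEN + SIG_LEN:
        return "malformed"
    ts = trailer[:TS_LEN]
    h = trailer[TS_LEN:TS_LEN + H_LEN]
    sig = trailer[TS_LEN + H_LEN:]
    # Freshness first: it is cheap, and the timestamp is covered by the
    # signature, so an attacker cannot refresh a replayed packet's timestamp.
    sent = struct.unpack("!Q", ts)[0] / 1_000_000
    if abs(now - sent) > MAX_SKEW_S:
        return "stale"
    # Windowed mode: recompute h from the k-1 earlier packets. A match means
    # the single signature check below vouches for every packet in the window.
    if prev_packets is not None:
        if not hmac.compare_digest(window_hash(prev_packets), h):
            return "bad-window"
    if not verify(ts + h + length_prefixed(packet), sig):
        return "bad-signature"
    return "ok"


if __name__ == "__main__":
    flight = [b"seg-0", b"seg-1", b"seg-2"]          # constructed sample packets
    trailer = make_trailer(flight[:2], flight[2], now=1000.0)
    print(check_packet(flight[2], trailer, now=1000.5))                    # alone
    print(check_packet(flight[2], trailer, 1000.5, flight[:2]))            # window
    print(check_packet(flight[2], trailer, 1000.5, [b"seg-0", b"seg-X"]))  # tampered
    print(check_packet(flight[2], trailer, now=1010.0))                    # replayed
```

On packet loss the receiver cannot recompute h, so it falls back to calling `check_packet` without `prev_packets`, which is the single-packet path the article describes.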
Proving Program Termination

key insights
- For decades, the same method was used for proving termination. It has never been applied successfully to large programs.
- A deep theorem in mathematical logic, based on Ramsey’s theorem, holds the key to a new method.

Illustration by Matthew Cooper

The program termination problem, also known as the uniform halting problem, can be defined as follows:

Using only a finite amount of time, determine whether a given program will always finish running or could execute forever.

This problem rose to prominence before the invention of the modern computer, in the era of Hilbert’s Entscheidungsproblem:a the challenge to formalize all of mathematics and use algorithmic means to determine the validity of all statements. In hopes of either solving Hilbert’s challenge, or showing it impossible, logicians began to search for possible instances of undecidable problems. Turing’s proof38 of termination’s undecidability is the most famous of those findings.b

The termination problem is structured as an infinite

answer on at least one of the inputs. No number of extra processors nor terabytes of storage nor new sophisticated algorithms will lead to the development of a true oracle for program termination.

Unfortunately, many have drawn too strong of a conclusion about the prospects of automatic program termination proving and falsely believe we are always unable to prove termination, rather than the more benign consequence that we are unable to always prove termination. Phrases like “but that’s like the termination problem” are often used to end discussions that might otherwise have led to viable partial solutions for real but undecidable problems. While we cannot ignore termination’s undecidability, if we develop a slightly modified problem statement we can build useful tools. In our new problem statement we will still require that a termination proving tool always return answers that are correct, but we will not necessarily require an answer. If the termination prover cannot prove or disprove termination, it should return “unknown.”

Using only a finite amount of time, determine whether a given program will always finish running or could execute forever, or return the answer “unknown.”
This problem can clearly be solved, as we could simply always return “unknown.” The challenge is to solve this problem while keeping the occurrences of the answer “unknown” to within a tolerable threshold, in the same way that we hope Web browsers will usually succeed to download Web pages, although we know they will sometimes fail. Note that the principled use of unknown in tools attempting to solve undecidable or intractable problems is increasingly common in computer science; for example, in program analysis, type systems, and networking.

In recent years, powerful new termination tools have emerged that return “unknown” infrequently enough that they are useful in practice.[35] These termination tools can automatically prove or disprove termination of many famous complex examples such as Ackermann’s function or McCarthy’s 91 function as well as moderately sized industrial examples such as Windows device drivers. Furthermore, entire families of industrially useful termination-like properties—called liveness properties—such as “Every call to lock is eventually followed by a call to unlock” are now automatically provable using termination proving techniques.[12,29] With every month, we now see more powerful applications of automatic termination proving. As an example, recent work has demonstrated the utility of automatic termination proving to the problem of showing concurrent algorithms to be non-blocking.[20] With further research and development, we will see more powerful and more scalable tools.

We could also witness a shift in the power of software, as techniques from termination proving could lead to tools for other problems of equal difficulty. Whereas in the past a software developer hoping to build practical tools for solving something related to termination might have been frightened off by a colleague’s retort “but that’s like the termination problem,” perhaps in the future the developer will instead adapt techniques from within modern termination provers in order to develop a partial solution to the problem of interest.

The purpose of this article is to familiarize the reader with the recent advances in program termination proving, and to catalog the underlying techniques for those interested in adapting the techniques to other domains. We also discuss current work and possible avenues for future investigation. Concepts and strategies will be introduced informally, with citations to original papers for those interested in more detail. Several sidebars are included for readers with backgrounds in mathematical logic.

Disjunctive Termination Arguments

Thirteen years after publishing his original undecidability result, Turing proposed the now classic method of proving program termination.[39] His solution divides the problem into two parts:

Termination argument search: Find a potential termination argument in the form of a function that maps every program state to a value in a mathematical structure called a well-order. We will not define well-orders here, the reader can assume for now that we are using the natural numbers (a.k.a. the positive integers).

Termination argument checking: Proves the termination argument to be valid for the program under consideration by proving that result of the function decreases for every possible program transition. That is, if f is the termination argument and the pro-
(Readers with a background in logic may be interested in the formal explanation contained in the sidebar here.) A well-order can be thought of as a terminating program—in the example of the natural numbers, the program is one that counts from some initial value in the natural numbers down to 0. Thus, no matter which initial value is chosen the program will still terminate. Given this connection between well-orders and terminating programs, in essence Turing is proposing that we search for a map from the program we are interested in proving terminating into a program known to terminate such that all steps in the first program have analogous steps in the second program. This map to a well-order is usually called a progress measure or a ranking function in the literature. Until recently, all known methods of proving termination were in essence minor variations on the original technique.

and Disjunctive Well-Foundedness

Formally proving program termination amounts to proving the program’s transition relation R to be well-founded. If (S, ≥) is a well-order then > is a well-founded relation. Furthermore, any map f into S defines a well-founded relation, by lifting > via f, that is, {(s, t) | f(s) > f(t)}. Turing’s method [39] of proving a program’s transition relation R well-founded amounts to finding a map f into a well-order, which defines a termination argument T = {(s, t) | f(s) > f(t)}. To prove the validity of T we must show R ⊆ T. From the well-foundedness of T and the fact that every sub-relation of a well-founded relation is well-founded follows that R is well-founded.

In this article we are using the phrase disjunctive termination argument to refer to a disjunctively well-founded transition invariant.[31] This is a finite union T1 ∪ ... ∪ Tn of well-founded relations that contains R+, which is the transitive closure of the transition relation of the program, as a superset, such as, R+ ⊆ T1 ∪ ... ∪ Tn. Usually, each T1, ..., Tn will be constructed as above via some map into a well-order.

Note that the non-reflexive transitive closure (the + in R+) is crucial. It is not sufficient to show that R ⊆ T1 ∪ ... ∪ Tn, as the union of well-founded relations is not guaranteed to be well-founded. It is the transitive closure that makes checking the subset inclusion more difficult in practice.

The recent approaches for proving termination for general programs [3,4,9,12,14,32] are based on the proof rule of disjunctively well-founded transition invariants. The proof rule itself is based on Ramsey’s theorem,[34] and it has been developed in the effort to give a logical foundation to the termination analysis based on size-change graphs.[24] The principle expressed by the proof rule appears implicitly already in previously developed termination algorithms for rewrite systems and logic and functional programs, see refs [10, 15, 17, 24].
The problem with Turing’s method is that finding a single, or monolithic, ranking function for the whole program is typically difficult, even for simple programs. In fact, we are often forced to use ranking functions into well-orders that are much more complex than the natural numbers. Luckily, once a suitable ranking function has been found, checking validity is in practice fairly easy.

The key trend that has led toward current progress in termination proving has been the move away from the search for a single ranking function and toward a search for a set of ranking functions. We think of the set as a choice of ranking functions and talk about a disjunctive termination argument. This terminology refers to the proof rule of disjunctively well-founded transition invariants.[31] The recent approaches for proving termination for general programs [3,4,9,12,14,26,32] are based on this proof rule. The proof rule itself is based on Ramsey’s theorem,[34] and it has been developed in the effort to give a logical foundation to the termination analysis based on size-change graphs.[24]

The principle it expresses appears implicitly in previously developed termination algorithms for rewrite systems, logic, and functional programs, see refs [10,15,17,24].

The advantage to the new style of termination argument is that it is usually easier to find, because it can be expressed in small, mutually independent pieces. Each piece can be found separately or incrementally using various known methods for the discovery of monolithic termination arguments. As a trade-off, when using a disjunctive termination argument, a more difficult validity condition must be checked. This difficulty can be mitigated thanks to recent advances in assertion checking tools (as discussed in a later section).

Example using a monolithic termination argument. Consider the example code fragment in Figure 1. In this code the collection of user-provided input is performed via the function input(). We will assume the user always enters a new value when prompted. Furthermore, we will assume for now that variables range over possibly negative integers with arbitrary precision (that is, mathematical integers as opposed to 32-bit words, 64-bit words, and so on). Before reading further, please answer the question: “Does this program terminate, no matter what values the user gives via the input() function?” The answer is given below.[c]

Using Turing’s traditional method we can define a ranking function from program variables to the natural numbers. One ranking function that will work is 2x + y, though there are many others. Here we are using the formula 2x + y as shorthand for a function that takes a program configuration as its input and returns the natural number computed by looking up the value of x in the memory, multiplying that by 2 and then adding in y’s value—thus 2x + y represents a mapping from program configurations to natural numbers. This ranking function meets the constraints required to prove termination: the valuation of 2x + y when executing at line 9 in the program will be strictly one less than its valuation during the same loop iteration at line 4. Furthermore, we know the function always produces natural numbers (thus it is a map into a well-order), as 2x + y is greater than 0 at lines 4 through 9.

Automatically proving the validity of a monolithic termination argument like 2x + y is usually easy using tools that check verification conditions (for example, Slam [2]). However, as mentioned previously, the actual search for a valid argument is famously tricky. As an example, consider the case in Figure 2, where we have replaced the command “y := y + 1;” in Figure 1 with “y := input();”. In this case no function into the natural numbers exists that suffices to prove termination; instead we must resort to a lexicographic ranking function (a ranking function into ordinals, a more advanced well-order than the naturals).

Figure 1. Example program.

 1  x := input();
 2  y := input();
 3  while x > 0 and y > 0 do
 4    if input() = 1 then
 5      x := x - 1;
 6      y := y + 1;
 7    else
 8      y := y - 1;
 9    fi
10  done

User-supplied inputs are gathered via calls to the function input(). We assume that the variables range over integers with arbitrary precision (in other words, not 64-bit or 32-bit integers). Assuming that the user always eventually enters in a value when prompted via input(), does the program terminate for all possible user-supplied inputs? (The answer is provided in a footnote below.)

Figure 2. Example program.

 1  x := input();
 2  y := input();
 3  while x > 0 and y > 0 do
 4    if input() = 1 then
 5      x := x - 1;
 6      y := input();
 7    else
 8      y := y - 1;
 9    fi
10  done

This program is similar to Figure 1 where the command “y := y + 1;” replaced with “y := input();”. No ranking function into the natural numbers exists that can prove the termination of this program.
Example using a disjunctive termination argument. Following the trend toward the use of disjunctive termination arguments, we could also prove the termination of Figure 1 by defining an argument as the unordered finite collection of measures x and y. The termination argument in this case should be read as:

x goes down by at least 1 and is larger than 0.
or
y goes down by at least 1 and is larger than 0

cally prove. In the case of Figure 1 we can prove the more complex condition using techniques described later.

Note that this same termination argument now works for the tricky program in Figure 2, where we replaced “y := y + 1;” with “y := input();.” On every possible unrolling of the loop we will still see that either x or y has gone down and is larger than 0.

To see why we cannot use the same validity check for disjunctive termination arguments as we do for monolithic ones, consider the slightly modified example in Figure 3. For every single iteration of the loop it is true that either x goes down by at least one and x is greater than 0 or y goes down by at least one and y is greater than 0. Yet, the program does not guarantee termination. As an example input sequence that triggers non-termination, consider 5, 5, followed by 1, 0, 1, 0, 1, 0, …. If we consider all possible unrollings of the loop, however, we will see that after two iterations it is possible (in the case that the user supplied the

Figure 3. Another example program.

Encoding of termination argument validity using the program from Figure 1 and the termination argument “x goes down by at least one and is larger than 0.” The black code comes directly from Figure 1. The code in red implements the encoding of validity with an assertion statement.
considering any possible unrolling of the loop. After some state has been recorded, from this point out the termination argument is checked using the recorded state and the current state. In this case the assertion can fail, meaning that the termination argument is not valid.

If we were to attempt to check this condition in a naïve way (for example, by simply executing the program) we would never find a proof for all but the most trivial of cases. Thus, assertion checkers must be cleverly designed to find proofs about all possible executions without actually executing all of the paths. A plethora of recently developed techniques now make this possible. Many recent assertion checkers are designed to produce a path to a bug in the case that the assertion statement cannot be proved. For example, a path leading to the assertion failure is 1 → 2 → 3 → 4 → 5 → 7 → 8 → 9 → 10 → 11 → 12 → 16 → 17 → 4 → 5 → 6. This path can be broken into parts, each representing different phases of the execution: the prefix-path 1 → 2 → 3 → 4 is the path from the program initial state to the recorded state in the failing pair of states. The second part of the path 4 → 5 → . . . 5 → 6 represents how we reached the current state from the recorded one. That is: this is the unrolling found that demonstrates that the assertion statement can fail. What we know is that the termination argument does not currently cover the case where this path is repeated forever.

See Figure 6 for a version using the same encoding, but with the valid termination argument:

x goes down by at least 1 and is larger than 0
or
y goes down by at least 1 and is larger than 0.

This assertion cannot fail. The fact that it cannot fail can be proved by a number of assertion verification tools.

Figure 7. Program prepared for abstract interpretation.
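The difference between checking a termination argument against single loop iterations (R) and against every unrolling (R+) can be reproduced on a small state space. The Python below is an added example, not code from the article: it enumerates loop-head states of Figures 1 and 2 with start values and input() results restricted to 0..5 (an assumption made to keep the search finite), plus a constructed loop `swap` chosen to have the property the text attributes to Figure 3, and lists the pairs each argument fails to cover.

```python
"""Bounded explicit-state check of termination arguments (added illustration)."""
from itertools import product

N = 5                                    # assumption: start values and input() results lie in 0..N
INITS = list(product(range(N + 1), repeat=2))

def fig1(s):
    """Figure 1 loop body as a relation on loop-head states (x, y)."""
    x, y = s
    return {(x - 1, y + 1), (x, y - 1)} if x > 0 and y > 0 else set()

def fig2(s):
    """Figure 2: the then-branch sets y to an arbitrary input value."""
    x, y = s
    if not (x > 0 and y > 0):
        return set()
    return {(x - 1, v) for v in range(N + 1)} | {(x, y - 1)}

def swap(s):
    """Constructed loop (not from the page): x-1, y+1 on input 1, else x+1, y-1."""
    x, y = s
    return {(x - 1, y + 1), (x + 1, y - 1)} if x > 0 and y > 0 else set()

def reachable(step, starts):
    """All states reachable from `starts` in zero or more steps."""
    seen, todo = set(starts), list(starts)
    while todo:
        for t in step(todo.pop()):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def pairs(step, transitive):
    """R (single steps) or R+ (one or more steps) over states reachable from INITS."""
    states = reachable(step, INITS)
    if transitive:
        return {(s, t) for s in states for t in reachable(step, step(s))}
    return {(s, t) for s in states for t in step(s)}

def monolithic(s, t):
    """T for the ranking function f = 2x + y into the naturals."""
    f = lambda p: 2 * p[0] + p[1]
    return f(s) > f(t) >= 0

def disjunctive(s, t):
    """T1 ∪ T2: x drops by >= 1 and was > 0, or y drops by >= 1 and was > 0."""
    return (s[0] > 0 and t[0] <= s[0] - 1) or (s[1] > 0 and t[1] <= s[1] - 1)

def violations(step, argument, transitive):
    """Pairs of the chosen relation that the termination argument does not cover."""
    return sorted(p for p in pairs(step, transitive) if not argument(*p))

if __name__ == "__main__":
    for name, step in (("Figure 1", fig1), ("Figure 2", fig2), ("swap", swap)):
        print(name,
              "| R in 2x+y:", not violations(step, monolithic, False),
              "| R in T1 u T2:", not violations(step, disjunctive, False),
              "| R+ in T1 u T2:", not violations(step, disjunctive, True))
```

For `swap`, every single step is covered by the disjunctive argument, yet R+ contains pairs such as ((5, 5), (5, 5)), which is the loop a sound checker must reject.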
that the argument indeed represents a set of measures. In other cases, such as Lee et al.[24] or Manolios and Vroon,[26] the tool makes a one-time guess as to the termination argument and then checks it using techniques drawn from abstract interpretation.

Consider the modified program in Figure 7. The termination strategy described in Berdine et al.[3] and Podelski and Rybalchenko [32] essentially builds a program like this and then applies a custom program analysis to find the following candidate termination argument:

Recall Figure 5, which encoded the invalid termination argument for the program in Figure 1, and the path leading to the failure of the assertion: 1 → 2 → 3 → 4 → 5 → 7 → 8 → 9 → 10 → 11 → 12 → 16 → 17 → 4 → 5 → 6. Recall this path represents two phases of the program’s execution: the path to the loop, and some unrolling of the loop such that the termination condition doesn’t hold. In this case the path 4 → 5 → . . . 6 represents how we reached the second failing state from the first. This is a counterexample to the validity of the termination argu-
tial programs that operate over mathematical numbers, we are now in the position to begin proving termination of more complex programs, such as those with dynamically allocated data structures, or multithreading. Furthermore, these new advances open up new potential for proving properties beyond termination, and finding conditions that would guarantee termination. We now discuss these avenues of future research and development in some detail.

Dynamically allocated heap. Consider the C loop in Figure 8, which walks down a list and removes links with data elements equaling 5. Does this loop guarantee termination? What termination argument should we use?

The problem here is that there are no arithmetic variables in the program from which we can begin to construct an argument—instead we would want to express the termination argument over the lengths of paths to NULL via the next field. Furthermore, the programmer has obviously intended for this loop to be used on acyclic singly linked lists, but how do we know that the lists pointed to by head will always be acyclic? The common solution to these problems is to use shape analysis tools (which are designed to automatically discover the shapes of data-structures) and then to create new auxiliary variables in the program that track the sizes of those data structures, thus allowing for arithmetic ranking functions to be more easily expressed (examples include refs [4,5,25]). The difficulty with this approach is that we are now dependent on the accuracy and scalability of current shape analysis tools—to date the best known shape analysis tool [40] supports only lists and trees (cyclic and acyclic, singly and doubly linked) and scales only to relatively simple programs of size less than 30,000 LOC. Furthermore, the auxiliary variables introduced by methods such as Magill et al.[25] sometimes do not track enough information in order to prove termination (for example, imagine a case with lists of lists in which the sizes of the nested lists are important). In order to improve the state of the art for termination proving of programs using data structures, we must develop better methods of finding arguments over data structure shapes, and we must also improve the accuracy and scalability of existing shape analysis tools.

Bit vectors. In the examples used until now we have considered only variables that range over mathematical numbers. The reality is that most programs use variables that range over fixed-width numbers, such as 32-bit integers or 64-bit floating-point numbers, with the possibility of overflow or underflow. If a program uses only fixed-width numbers and does not use dynamically allocated memory, then termination proving is decidable (though still not easy). In this case we simply need to look for a repeated state, as the program will diverge if and only if there exists some state that is repeated during execution. Furthermore, we cannot ignore the fixed-width semantics, as overflow and underflow can cause non-termination in programs that would otherwise terminate, an example is included in Figure 9. Another complication when considering this style of program is that of bit-level operations, such as left- or right-shift.

Binary executables. Until now we have discussed proving termination of programs at their source level, perhaps in C or Java. The difficulty with this strategy is the compilers that then take these source programs and convert them into executable artifacts can introduce termination bugs that do not exist in the original source program. Several potential strategies could help mitigate this problem: We might try to prove termination of the executable binaries instead of the source level programs, or we might try to equip the compiler with the ability to prove that the resulting binary program preserves termination, perhaps by first proving the termination of the source program and then finding a map from the binary to the source-level program and proving that the composition with the source-level termination argument forms a valid termination argument for the binary-level program.

Non-linear systems. Current termination provers largely ignore non-linear arithmetic. When non-linear updates to variables do occur (for example x := y * z;), current termination provers typically treat them as if they were the instruction x := input();. This modification is sound—meaning when the termination prover returns the answer “terminating,” we know the proof is valid. Unfortunately, this method is not precise: the treatment of these commands can lead to the result “unknown” for programs

Figure 10. Example of multi-threaded terminating producer/consumer program.

Thread on the left:
  while x > 0 do
    x := x - 1;
    lock(lck)
    b := x;
    unlock(lck)
  done

Thread on the right:
  while y > 0 do
    lock(lck)
    y := b;
    unlock(lck)
  done

To prove that the thread on the left terminates we must assume that the thread on the right always calls unlock when needed. To prove that the thread on the right always calls unlock when needed, we must prove that the thread on the left always calls unlock when needed, and so on.

Figure 11. Collatz program.

  while x > 1 do
    if x is divisible by 2 then
      x := x / 2;
    else
      x := 3x + 1;
    fi
  done

We assume that x ranges over all natural numbers with arbitrary precision (that is, neither 64-bit vectors nor 32-bit vectors). A proof of this program’s termination or non-termination is not known.
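The repeated-state test described under “Bit vectors” can be run directly on a deterministic loop. The Python below is an added example, not code from the article: it applies Brent's cycle detection (chosen here because it needs only constant memory) to a constructed counting loop, since the article's Figure 9 is not reproduced on this page, and shows the same loop terminating with 16-bit or mathematical integers and diverging with an 8-bit counter.

```python
"""Deciding termination of a deterministic fixed-width loop by repeated-state
detection (added illustration; the loop below is constructed for this example)."""

def make_counter(width, limit):
    """Model of:  i := 0; while i <= limit do i := i + 1 done
    with i an unsigned `width`-bit value; width=None means mathematical integers.
    The returned step function maps a state to its successor, or None on halt."""
    mask = None if width is None else (1 << width) - 1

    def step(i):
        if i > limit:
            return None                      # loop guard is false: the program halts
        nxt = i + 1
        return nxt if mask is None else nxt & mask   # wrap-around on overflow

    return step

def decide(step, start):
    """Return ('terminates', iterations) or ('diverges', cycle_length).

    Brent's algorithm: the hare runs ahead while the tortoise is moved to the
    hare's position at the start of each power-of-two window. A deterministic
    program over finitely many states diverges iff the hare meets the tortoise.
    On an unbounded state space this is only a semi-decision procedure: it
    answers for terminating runs and for runs that revisit a state."""
    power = lam = 1
    tortoise, hare, calls = start, step(start), 1
    while hare is not None and hare != tortoise:
        if power == lam:                     # open a new, twice as long window
            tortoise, power, lam = hare, power * 2, 0
        hare = step(hare)
        lam += 1
        calls += 1
    if hare is None:
        return ("terminates", calls - 1)     # the last call only observed the halt
    return ("diverges", lam)

if __name__ == "__main__":
    for width in (None, 16, 8):
        label = "math ints" if width is None else f"{width}-bit"
        print(f"{label:>9}: {decide(make_counter(width, 255), 0)}")
```

With an 8-bit counter the guard `i <= 255` can never become false, so the state 0 recurs after 256 steps; widening the counter or lowering the limit to 254 removes the repeated state.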
be converted into questions of fair termination—termination proving where certain non-terminating executions are deemed unfair via given fairness constraints, and thus ignored. Current tools, in fact, either perform this reduction, or simply require the user to express liveness constraints directly as the set of fairness constraints.[12,29] Neither approach is optimal: the reduction from liveness to fairness is inefficient in the size of the conversion, and fairness constraints are difficult for humans to understand when used directly. An avenue for future work would be to directly prove liveness properties, perhaps as an adaption of existing termination proving techniques.

Dynamic analysis and crash dumps for liveness bugs. In this article we have focused only on static, or compile-time, proof techniques rather than techniques for diagnosing divergence during execution. Some effort has been placed into the area of automatically detecting deadlock during execution time. With new developments in the area of program termination proving we might find that automatic methods of discovering livelock could also now be possible. Temporary modifications to scheduling, or other techniques, might also be employed to help programs not diverge even in cases where they do not guarantee termination or other liveness properties. Some preliminary work has begun to emerge in this area (see Jula et al.[23]) but more work is needed.

Scalability, performance, and precision. Scalability to large and complex programs is currently a problem for modern termination provers—current techniques are known, at best, to scale to simple systems code of 30,000 lines of code. Another problem we face is one of precision. Some small programs currently cannot be proved terminating with existing tools. Turing’s undecidability result, of course, states that this will always be true, but this does preclude us from improving precision for various classes of programs and concrete examples. The most famous example is that of the Collatz’ problem, which amounts to proving the termination or non-termination of the program in Figure 11. Currently no proof of this program’s termination behavior is known.

Conclusion

This article has surveyed recent advances in program termination proving techniques for sequential programs, and pointed toward ongoing work and potential areas for future development. The hope of many tool builders in this area is that the current and future termination proving techniques will become generally available for developers wishing to directly prove termination or liveness. We also hope that termination-related applications—such as detecting livelock at runtime or Wang’s tiling problem—will also benefit from these advances.

Acknowledgments

The authors would like to thank Lucas Bourdeaux, Abigail See, Tim Harris, Ralf Herbrich, Peter O’Hearn, and Hongseok Yang for their reading of early drafts of this article and suggestions for improvement.

References

1. Babic, D., Hu, A.J., Rakamaric, Z., and Cook, B. Proving termination by divergence. In SEFM, 2007.
2. Ball, T., Bounimova, E., Cook, B., Levin, V., Lichtenberg, J., McGarvey, C., Ondrusek, B., Rajamani, S.K. and Ustuner, A. Thorough static analysis of device drivers. In Proceedings of EuroSys, 2006.
3. Berdine, J., Chawdhary, A., Cook, B., Distefano, D. and O’Hearn, P. Variance analyses from invariance analyses. In Proceedings of POPL, 2007.
4. Berdine, J., Cook, B., Distefano, D. and O’Hearn, P. Automatic termination proofs for programs with shape-shifting heaps. In Proceedings of CAV, 2006.
5. Bouajjani, A., Bozga, M., Habermehl, P., Iosif, R., Moro, P. and Vojnar, T. Programs with lists are counter automata. In Proceedings of CAV, 2006.
6. Bradley, A., Manna, Z. and Sipma, H. Termination of polynomial programs. In Proceedings of VMCAI, 2005.
7. Bradley, A., Manna, Z. and Sipma, H.B. Linear ranking with reachability. In Proceedings of CAV, 2005.
8. Bradley, A., Manna, Z. and Sipma, H.B. The polyranking principle. In Proceedings of ICALP, 2005.
9. Chawdhary, C., Cook, B., Gulwani, S., Sagiv, M. and Yang, H. Ranking abstractions. In Proceedings of ESOP, 2008.
10. Codish, M., Genaim, S., Bruynooghe, M., Gallagher, J. and Vanhoof, W. One loop at a time. In Proceedings of WST, 2003.
11. Colón, M. and Sipma, H. Synthesis of linear ranking functions. In Proceedings of TACAS, 2001.
12. Cook, B., Gotsman, A., Podelski, A., Rybalchenko, A. and Vardi, M. Proving that programs eventually do something good. In Proceedings of POPL, 2007.
13. Cook, B., Gulwani, S., Lev-Ami, T., Rybalchenko, A. and Sagiv, M. Proving conditional termination. In Proceedings of CAV, 2008.
14. Cook, B., Podelski, A. and Rybalchenko, A. Termination proofs for systems code. In Proceedings of PLDI, 2006.
15. Dershowitz, N., Lindenstrauss, N., Sagiv, Y. and Serebrenik, A. A general framework for automatic termination analysis of logic programs. Appl. Algebra Eng. Commun. Comput., 2001.
16. Farkas, J. Uber die Theorie der einfachen Ungleichungen. Journal für die reine und angewandte Mathematik, 1902.
17. Geser, A. Relative termination. PhD dissertation, 1990.
18. Giesl, J., Swiderski, S., Schneider-Kamp, P. and Thiemann, R. Automated termination analysis for Haskell: From term rewriting to programming languages. In Proceedings of RTA, 2006.
19. Giesl, J., Thiemann, R., Schneider-Kamp, P. and Falke, S. Automated termination proofs with AProVE. In Proceedings of RTA, 2004.
20. Gotsman, A., Cook, B., Parkinson, M. and Vafeiadis, V. Proving that non-blocking algorithms don’t block. In Proceedings of POPL, 2009.
21. Gupta, A., Henzinger, T., Majumdar, R., Rybalchenko, A., and Xu, R. Proving non-termination. In Proceedings of POPL, 2008.
22. Jones, C.B. Tentative steps toward a development method for interfering programs. ACM Trans. Program. Lang. Syst., 1983.
23. Jula, H., Tralamazza, D., Zamfir, C. and Candea, G. Deadlock immunity: Enabling systems to defend against deadlocks. In Proceedings of OSDI, 2008.
24. Lee, C.S., Jones, N.D. and Ben-Amram, A.M. The size-change principle for program termination. In Proceedings of POPL, 2001.
25. Magill, S., Berdine, J., Clarke, E. and Cook, B. Arithmetic strengthening for shape analysis. In Proceedings of SAS, 2007.
26. Manolios, P. and Vroon, D. Termination analysis with calling context graphs. In Proceedings of CAV, 2006.
27. McMillan, K.L. Circular compositional reasoning about liveness. In Proceedings of CHARME, 1999.
28. Misra, J. and Chandy, K.M. Proofs of networks of processes. IEEE Trans. Software Eng., 1981.
29. Pnueli, A., Podelski, A., and Rybalchenko, A. Separating fairness and well-foundedness for the analysis of fair discrete systems. In Proceedings of TACAS, 2005.
30. Podelski, A. and Rybalchenko, A. A complete method for the synthesis of linear ranking functions. In Proceedings of VMCAI, 2004.
31. Podelski, A. and Rybalchenko, A. Transition invariants. In Proceedings of LICS, 2004.
32. Podelski, A. and Rybalchenko, A. Transition predicate abstraction and fair termination. In Proceedings of POPL, 2005.
33. Podelski, A., Rybalchenko, A., and Wies, T. Heap assumptions on demand. In Proceedings of CAV, 2008.
34. Ramsey, F. On a problem of formal logic. London Math. Soc., 1930.
35. Stix, G. Send in the Terminator. Scientific American (Nov. 2006).
36. Strachey, C. An impossible program. Computer Journal, 1965.
37. Tiwari, A. Termination of linear programs. In Proceedings of CAV, 2004.
38. Turing, A. On computable numbers, with an application to the Entscheidungsproblem. London Mathematical Society, 1936.
39. Turing, A. Checking a large routine. In Report of a Conference on High Speed Automatic Calculating Machines, 1949.
40. Yang, H., Lee, O., Berdine, J., Calcagno, C., Cook, B., Distefano, D. and O’Hearn, P. Scalable shape analysis for systems code. In Proceedings of CAV, 2008.

Byron Cook is a Principal Researcher at Microsoft’s research laboratory at Cambridge University, and a professor of computer science at Queen Mary, University of London, England.

Andreas Podelski is a professor of computer science at the University of Freiburg, Germany.

Andrey Rybalchenko is a professor of computer science at the Technische Universität München, Germany.

© 2011 ACM 0001-0782/11/05 $10.00
Technical Perspective
Complex Financial Products: Caveat Emptor
By David C. Parkes

The flow of capital in the financial industry relies on the packaging of assets into products that can be reliably valued and then sold to global investors. For example, many home mortgages were packaged into products known as Collateralized Debt Obligations (CDOs) in the run-up to the sub-prime mortgage crisis of 2007. An investor in a CDO buys the rights to a share of the principal and interest payments collected from homeowners. By pooling assets and promising to pass along payments before making payments to other investors, new financial products offering lower risk than the underlying assets can be constructed. CDOs are examples of financial derivatives, with a value that depends on the underlying assets—mortgages in this case—with which they are linked.

These kinds of complex financial products are the cause célèbre of the financial crisis, and many have called for their regulation or even elimination. In the following paper, Arora, Barak, Brunnermeier, and Ge provide new insight into the problem: a complexity-theoretic explanation for how sellers can hide bad assets in these derivatives. Even when buyers are fully informed, with correct beliefs about the probability with which underlying mortgages are likely to default, sellers can package a disproportionate number of bad assets into some products, and do so without detection. The reason is the intractability of checking whether or not this manipulation has occurred. By focusing on this missing angle of computational complexity, this paper starts to bridge the gap between the common view that derivatives can be rigged and a viewpoint from economics that this is impossible when buyers are fully informed. Computationally bounded

consider Akerlof’s famous “lemons problem.” Suppose that 80% of second-hand cars are good, and worth $1,000 to buyers, while the rest are lemons and worth $0. Without the ability for a seller to credibly signal the quality of a car, buyers will only pay $800 and trades of good cars by sellers with values in the range [$800, $1,000] are forfeited. If all sellers of good cars want close to $1,000 then the effect of information asymmetry between buyers and sellers is much worse—only lemons remain in the market and there is complete market collapse! Still, a seller with 100 cars, each correctly known by a buyer to be a lemon with probability 0.2, can make a new deal: the right to use up to 80 of the cars. Because it is highly likely that at least this many cars will be good, this deal can be priced at about $80,000, around the price at which it would trade without information asymmetry. The same thing happens in a simple model of CDOs, in which a seller packages assets into a single derivative that can be accurately priced and sold.

Now consider a seller with 1,000,000 cars, with the cars partitioned into classes, and the association with a class known to buyers. Each class is a “lemons class” with some probability, in which case it contains only lemons, and otherwise is a “good class” and contains a mixture of good cars and lemons. The probability of a lemons class, and the fraction of lemons in a good class, is known to buyers. The seller again constructs deals, each deal this time consisting of 100 cars drawn from one or more classes. But whereas a buyer knows only the distributional properties of the classes, the seller knows which are lemons and which are good classes. The new problem is this infor-

choose how to package together assets into derivatives.

The authors establish the intractability of detecting rigged financial products for the kinds of CDOs that arise in the financial industry. The penalty for the realism of their model is that the hardness assumption that they require is not as standard as P vs NP; rather the results assume the intractability of finding planted dense subgraphs in random graphs. The seller is doing the “planting” in this case, by placing a disproportionate number of assets from one class into some subset of products. Under this assumption, CDOs cannot alleviate the lemons problem: either buyers are fooled and sellers make excess profits, or buyers know not to trust sellers. Many believe the planted dense subgraph problem is hard, and this has been considered a plausible conjecture before this paper was published. Still, it is possible this hardness assumption is false, and this should be studied by computer scientists.

This provocative paper should be required reading for commentators and financial regulators alike. Among the questions it raises: Are sellers using this information asymmetry to their advantage in packaging “booby-trapped” CDOs and other financial derivatives? Given that buyers and ratings agencies may not be aware of their own computational limitations, is there a role for regulation in protecting buyers by banning complex financial products that are provably untrustworthy? Do there exist derivatives that cannot be manipulated by strategic sellers, thus avoiding this new lemons cost due to computational complexity?

Buyers might like to reflect on the implications of their bounded rational-
buyers may end up significantly over- mation asymmetry allows a seller to as- ity. Caveat emptor!
paying, and a trustworthy seller cannot sign a disproportionate number of cars
even prove that financial products have from lemons classes to some deals, and David C. Parkes (parkes@eecs.harvard.edu) is Gordon
McKay Professor of Computer Science in the School of
not been rigged. to do so without detection by a computa- Engineering and Applied Sciences at Harvard University,
To understand the reason to sell tionally bounded buyer! The same story where he founded the EconCS research group.
derivatives in the first place, we can applies for CDOs, where a big bank can © 2011 ACM 0001-0782/11/05 $10.00
Computational Complexity
and Information Asymmetry
in Financial Products
By Sanjeev Arora, Boaz Barak, Markus Brunnermeier, and Rong Ge
example) two parties to exchange information over an open channel in a way that an eavesdropper can extract no information from it—not even distinguish it from a randomly generated sequence of symbols. More generally, in computational complexity we consider a computational task infeasible if the resources needed to solve it grow exponentially in the length of the input, and consider it feasible if these resources only grow polynomially in the input length.

Computational complexity immediately implies the existence of hard-to-price derivatives, albeit unnatural ones. Consider for example a derivative whose contract contains a 10,000 digit integer n and has a nonzero payoff iff the unemployment rate next January, when rounded to the nearest integer, is the last digit of a factor of n. A relatively unsophisticated seller can generate such a derivative together with a fairly accurate estimate of its yield (to the extent that unemployment rate is predictable), yet even a sophisticated investor like Goldman Sachs would have no idea what to pay for it. This example shows both the difficulty of pricing arbitrary derivatives and the possible increase in asymmetry of information via derivatives.

While this “factoring derivative” is obviously far removed from anything used in current markets, in this work we show that similar effects can be obtained in simpler and more popular classes of derivatives that are essentially the ones used in real life in securitization of mortgages and other forms of debt. The person selling the derivative can structure (“rig”) the derivative in a way such that it has low yield, but distinguishing it from a normal (“unrigged”) higher yield derivative is computationally intractable. Thus any efficient pricing mechanism would either overvalue the rigged derivative or undervalue the unrigged one, hence creating an inefficiency in the market.

Densest subgraph problem: Our result relies on the conjecture that there does not exist a tractable algorithm to detect large dense subgraphs in random graphs. This is a more specialized assumption than the familiar P ≠ NP conjecture. We needed this assumption because we needed to exhibit the intractability of “real-life” derivatives, and the setting there naturally leads to random graphs, as will be clear in the description in Section 4.

Computational complexity and “bounded rationality”: Computational complexity can be related to the bounded rationality concept in economics. Simon14 proposed the notion of bounded rationality to recognize that in decision making, real-life agents are limited by their cognitive ability to process information and the finite amount of time they have. Simon postulates that agents use heuristics instead of time-consuming and complex optimizing behavior. Experimental evidence on behavioral biases supports this notion (e.g. Kahneman,13 etc.). On the other hand, economic experiments also suggest that as the stakes rise and people face similar situations repeatedly, they behave more deliberatively in a way that approaches rationality. In particular this is the case in the setting of finance, where stakes are high and traders have access to cutting edge technology. However, even the most sophisticated traders cannot escape the limitations of computational complexity, since no physically realizable computational device can solve intractable problems. And we show in this note that pricing certain financial derivatives may require solving problems that are believed to be intractable, hence placing it beyond the reach of any real-life agent.

2. THE “LEMONS PROBLEM” IN ECONOMICS
To understand the theoretical benefits of financial derivatives it is useful to recall the lemons problem, introduced in Akerlof’s classic 1970 paper.1 The simplest setting is as follows. You are in the market for a used car. A used car in working condition is worth $1000. However, 20% of the used cars are lemons (i.e., are useless, even though they look fine on the outside) and their true worth is $0. Thus if you could pick a used car at random then its expected worth would be only $800 and not $1000. Now consider the seller’s perspective. Suppose sellers know whether or not they own a lemon. A seller who knows he has a non-lemon would be unwilling to sell for $800, and would therefore withdraw from the market. The market would be left only with lemons, and knowing this, buyers would refuse to buy any car. Thus the market grinds to a halt. Akerlof’s paper goes on to analyze reasons why used cars do sell in real life. We will be interested in one of the reasons, namely, that there could be a difference between what a car is worth to a buyer versus a seller. In the above example, the seller’s value for a working car might be $200 less than the buyer’s—perhaps because the seller is moving across the country and needs the cash—thus allowing trade to occur. In this case we say that the “lemon cost” of this market is $200. Some authors refer to the lemon cost as a wedge. Generally, the higher this cost, the less efficient the market.

The lemons problem can potentially arise in almost every area of the economy, and a large body of work in information economics describes how it can be ameliorated. Akerlof’s original paper already described signaling mechanisms by which a seller can reliably communicate his private information—namely, prove that his car is not a lemon—to the buyer. For example, a used car dealer can show the buyer repair records, or provide a warranty for 6 months, or point to his stellar reputation and rating from the Better Business Bureau.

3. FINANCIAL DERIVATIVES AND CDOs
The lemons problem also arises in the financial industry and the usual mechanisms for dealing with lemons problems (as identified by Akerlof) have also flowered: borrower FICO ratings (a.k.a. credit scores), ratings of individual securities by agencies such as Moody’s, etc. Financial derivatives provide another mechanism for dealing with the lemons problem. Below we will illustrate this with a common derivative called the collateralized debt obligation or CDO.

It is not commonly known, but the humble home mortgage is actually a very complex instrument that presents great risks for lenders. The payoff structure is complicated; risk of default is fairly high (compared say to a U.S. treasury bond); and there is high risk of prepayment at times of low interest rates, which is precisely when the mortgage’s locked-in higher rate is most valuable to the lender. CDOs are financial devices that allow many mortgages to be aggregated into a security that has a supposedly much more
from economic theory. Now we explain at an intuitive level

[Figure: Aggregating mortgages gives an asset with predictable yields. Vertical axis: Probability Density.]

c The exact threshold here depends on a number of factors, including default rate and discount factor. The discount factor shows how much the seller prefers cash to assets. The threshold can be computed exactly using methods in DeMarzo.11

d A nonzero difference in valuation or wedge between the bank and buyer arises because the buyer holds cash and the bank holds the mortgages, and the bank prefers cash to mortgages because of regulatory or other reasons.

set of lemon classes is uniformly picked among all classes. However, the bank has additional information: it knows precisely which classes are lemons (this implies that it knows the number of lemons as well). This is the asymmetric information.

Since the expected number of lemon classes is n, each with payoff 0 and the remaining N – n good classes have payoff 1/2, a buyer purchasing the entire portfolio would be willing to pay the expected yield, which is (N – n)/2. Thus a wedge à la Akerlof arises for banks who discover that the number of lemons is lower than the expectation, and they would either exit the market, or would need to prefer cash by an amount that overcomes the wedge.

Of course, DeMarzo’s theorem allows this lemons problem to be ameliorated, via securitization of the entire portfolio into a single CDO. As already mentioned, we are interested in the case where the number of assets held by the bank is large, and so, rather than using a single CDO, the bank partitions them into multiple CDOs. Now how does the bank’s extra information affect the sale? Clearly, it has new cherry-picking possibilities, involving which asset to package into which CDO. We will assume that all transactions are public and visible to all buyers, which means that seller must do any such cherry picking in full public view.e

Now let us show that in principle derivatives should still allow buyers to rule out any significant cherry picking, thus ameliorating the lemon wedge. Consider the following: the seller creates M new financial products, each of them

[Figure: histogram. Horizontal axis: ProportionOfHeads.]

In addition to their value as limiting distributions for the sum of independent random variables, Gaussians arise in one other way in finance: often the payoffs of assets themselves are assumed to be Gaussians. The joint distribution of these Gaussian valued assets is the well-known Gaussian copula:

[Figure panels: Gaussian copula; Density of Gaussian copula.]

Although in the illustrative example we assumed binary payoffs for a single asset, similar results hold for asset yields that form a Gaussian copula with the same mean, variance, and covariance.

e This assumption of transparency only makes our negative results stronger. It also may be a reasonable approximation if buyers are well-informed, and recent financial regulation has mandated more transparency into the market.

f This is a so-called synthetic binary option. The more popular CDO derivative described above behaves in a similar way, except that if there are defaults above the threshold (in this case ) then the payoff is not 0 but the defaults are just deducted from the total payoff. We call this a “tranched CDO” to distinguish it from the binary CDO.

g The non-booby trapped CDOs will have a slightly smaller probability of default than in the untampered (i.e., random) case, but a simple calculation shows that this will only contribute a negligible amount to the yield.

graph from one in which the bank has “planted” the dense subgraph (a.k.a. boobytrap). Formally, the two kinds of graphs are believed to be computationally indistinguishable for polynomial-time algorithms and this was the basis of a recent cryptosystem proposed by Applebaum et al.3

The conjecture is that even quite large boobytraps may be undetectable: the expected yield of the entire portfolio could be much less than say $V - n^{1.1}$ and yet the buyer may not be able to distinguish it from a truly random (i.e., honestly constructed) portfolio, whose yield is $V - o(n)$.

We conclude that if buyers are computationally bounded, then introducing derivatives into the picture not only fails to reduce the lemon wedge, but paradoxically, amplifies it even beyond the total value 2n of all lemon assets. Though the above example is highly simplified, it can be embedded in settings that are closer to real life and similar results are obtained.

4.1. Can the cost of complexity be mitigated?
In Akerlof’s classic analysis, the no-trade outcome dictated by lemon costs can be mitigated by appropriate signaling mechanism—e.g., car dealers offering warranties to increase confidence that the car being sold is not a lemon. In the above setting, however, there seems to be no direct way for seller to prove that the financial product is untampered i.e., free of boobytraps. (It is believed that there is no simple way to prove the absence of a dense subgraph; this is related to the NP ≠ coNP conjecture.) Furthermore, we can show that for suitable parameter choices the tampering is undetectable by the buyer even ex post. The buyer realizes at the end that the financial products had a much lower yield than expected, but would be unable to prove that this was due to the seller’s tampering. Nevertheless, we do show in our paper5 that one could use ideas from computer science in designing derivatives that are tamperproof in our simple setting.

4.2. Complexity ranking
Recently, Brunnermeier and Oehmke9 suggested that traders have an intuitive notion of complexity for derivatives. Real-life markets tend to view derivatives such as CDO² (a CDO whose underlying assets are CDOs like the one described earlier) as complex and derivatives like CDO³ (a CDO whose underlying assets are CDO²) as even more so. One might think that the number of layers of removal from a simple underlying real asset could be a natural measure of complexity. However, as Brunnermeier and Oehmke9 point out, such a definition might not be appropriate, since it would rank e.g. highly liquid stocks of investment banks, which hold CDO²s and other complex assets, as one of the most complex securities. Our paper5 proposes an alternative complexity ranking which is based on the above discussed notion of lemon cost due to complexity. This ranking also confirms the standard intuition that CDO²s are more complex than CDOs. Roughly speaking, the cherry-picking possibilities for sellers of CDOs described in this paper become even more serious for derivatives such as CDO² and CDO³.

5. DISCUSSION
The notion that derivatives need careful handling has been extensively discussed before. Coval et al.10 show that pricing (or rating) a structured finance product like a CDO is extremely fragile to modest imprecision in evaluating underlying risks, including systematic risks. The high level idea is that these everyday derivatives are based upon the threshold function, which is highly sensitive to small perturbations of the input distribution. Indeed, empirical studies suggest that valuations for a given financial product by different sophisticated investment banks can be easily 17% apart6 and that even a single bank’s evaluations of different “tranches” of the same derivative may be mutually inconsistent.12 Thus one imagines that banks are using different models and assumptions in evaluating derivatives.

The question studied in our work is: Is there a problem with derivatives even if one assumes away the above possibilities, in other words the yield of the underlying asset exactly fits the stochastic model assumed by the buyer? Economic theory suggests the answer is “No”: informed and rational buyers need not fear derivatives. (Recall our discussion of DeMarzo’s theorem.)

The main contribution of our work has been to formalize settings in which this prediction of economic theory may fall short (or even be falsified), and manipulation is possible and undetectable by all real-life (i.e., computationally bounded) buyers. We have worked within existing conceptual frameworks for asymmetric information. It turns out that the seller can benefit from his secret information (viz., which assets are lemons) by using the well-known fact that a random election involving n voters can be swung with significant probability by making voters vote the same way; this was the basis of the boobytrap described earlier. The surprising fact is that a computationally limited buyer may not have any way to distinguish such a tampered CDO from untampered CDOs. Formally, the indistinguishability relies upon the conjectured intractability of the planted dense subgraph problem.h

The model in our more detailed paper has several notable features:

1. The largeness of the market—specifically, the fact that sellers are constructing thousands of financial products rather than a single product as was the case in the model of DeMarzo11—allows sellers to cherry pick in such a way that cannot be detected by feasible rational (computationally bounded) buyers—i.e., all real-world buyers—while it can be detected by fully rational (computationally unbounded) buyers.
2. The possibility of cherry picking by sellers creates an Akerlof-like wedge between buyer’s and seller’s valuations of the financial product. We call this the lemon cost due to computational complexity. In our detailed paper we can quantify this wedge for several classes of derivatives popular in securitization. This allows a par-

h Note that debt-rating agencies such as Moody’s or S&P currently use simple simulation-based approaches to evaluate derivatives, which certainly do not attempt to solve something as complicated as densest subgraph.

In sum, our approach of combining insights from computer science with economic questions allows one to formally study phenomena, such as complexity and bounded rationality, that are of first-order importance but were difficult to capture in formal economic models. These new insights should help shape future regulation and the post-2008 financial architecture.

Sanjeev Arora (arora@cs.princeton.edu), Department of Computer Science, Center for Computational Intractability, Princeton University, Princeton, NJ.

Boaz Barak (boaz@microsoft.com), Microsoft Research New England, Princeton University, Princeton, NJ.

Markus Brunnermeier (markus@princeton.edu), Department of Economics, Bendheim Center for Finance, Princeton University, Princeton, NJ.

Rong Ge (rongge@cs.princeton.edu), Department of Computer Science, Center for Computational Intractability, Princeton University, Princeton, NJ.

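The booby-trapping discussed in Section 4 of the article above, as an added toy simulation in Python (not code from the article or its authors): the seller moves lemon classes into a few products by edge swaps that leave every product's size and every class's usage count unchanged, so a buyer pricing from public parameters pays the same while the seller's expected payout drops. The sizes M, N, n, D, the threshold T, the swap-based planting and the default model (lemons always default, good classes default with probability 1/2) are assumptions for illustration; at these sizes the planted subgraph could be found by search, so the example shows the pricing gap, not the conjectured hardness.

```python
import math
import random
from collections import Counter

def honest_portfolio(M, N, D, rng):
    """Each of M products holds D distinct asset classes drawn uniformly from N."""
    return [set(rng.sample(range(N), D)) for _ in range(M)]

def plant_boobytraps(products, lemons, booby, t):
    """Seller-side rigging: booby-trapped product p trades a good class g for a
    lemon class l held by an ordinary product q. Product sizes and per-class
    usage counts (the graph's degree sequences) are preserved by every swap."""
    rigged = [set(p) for p in products]
    donors = [q for q in range(len(rigged)) if q not in booby]
    for p in booby:
        for q in donors:
            if len(rigged[p] & lemons) >= t:
                break
            for l in sorted(rigged[q] & lemons):
                if len(rigged[p] & lemons) >= t:
                    break
                if l in rigged[p]:
                    continue
                g = next((c for c in sorted(rigged[p] - lemons)
                          if c not in rigged[q]), None)
                if g is None:
                    continue
                rigged[p].remove(g)
                rigged[p].add(l)
                rigged[q].remove(l)
                rigged[q].add(g)
        if len(rigged[p] & lemons) < t:
            raise ValueError("too few lemon edges to plant")
    return rigged

def default_prob(k, D, T):
    """P(binary product pays 0) given k lemon classes among its D classes:
    it pays 0 when more than T classes default (assumed model, see lead-in)."""
    good = D - k
    need = max(T + 1 - k, 0)          # defaults still needed from good classes
    return sum(math.comb(good, j) for j in range(need, good + 1)) / 2 ** good

def seller_expected_payout(products, lemons, D, T):
    """Seller knows the lemon set: expected number of products that pay 1."""
    return sum(1 - default_prob(len(p & lemons), D, T) for p in products)

def buyer_price(M, N, n, D, T):
    """Buyer assumes lemons are a uniformly random n-subset, so each product's
    lemon count is hypergeometric; the price uses public parameters only."""
    total = math.comb(N, D)
    per_product = sum(
        math.comb(n, k) * math.comb(N - n, D - k) / total
        * (1 - default_prob(k, D, T))
        for k in range(min(n, D) + 1))
    return M * per_product

def public_stats(products, N):
    """What a degree-counting buyer can check without knowing the lemons."""
    usage = Counter(c for p in products for c in p)
    return [len(p) for p in products], [usage[c] for c in range(N)]

def demo(seed=2011):
    M, N, n, D, T = 200, 1000, 50, 20, 13   # toy parameters (assumptions)
    m, t = 10, 10                            # 10 rigged products, 10 lemons each
    rng = random.Random(seed)
    lemons = set(rng.sample(range(N), n))    # seller's private information
    honest = honest_portfolio(M, N, D, rng)
    rigged = plant_boobytraps(honest, lemons, list(range(m)), t)
    return {
        "public_stats_equal": public_stats(honest, N) == public_stats(rigged, N),
        "min_lemons_in_booby": min(len(rigged[p] & lemons) for p in range(m)),
        "buyer_price": buyer_price(M, N, n, D, T),
        "honest_payout": seller_expected_payout(honest, lemons, D, T),
        "rigged_payout": seller_expected_payout(rigged, lemons, D, T),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
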
Self-Similarity-based
Image Denoising
By Antoni Buades, Bartomeu Coll, and Jean-Michel Morel
The application of a denoising algorithm should not alter the non-noisy images. So the method noise should be very small when some kind of regularity for the image is assumed. If a denoising method performs well, the method noise must look like a noise even with non-noisy images and should contain as little structure as possible. Since even good quality images have some noise, it makes sense to evaluate any denoising method in that way, without the traditional “add noise and then remove it” trick. We shall list formulas permitting to compute and analyze the method noise for several classical local smoothing filters: the Gaussian filtering,27 the anisotropic filtering,2, 35 the total variation minimization,39 and the neighborhood filtering.46 The formal analysis of the method noise for the frequency domain filters falls out of the scope of this paper. These method noises can also be computed but their interpretation depends on the particular choice of the wavelet or Fourier basis.

while flat and textured regions are degraded.

Total Variation Minimization: The total variation minimization was introduced by Rudin et al.39 Given a noisy image v(x), these authors proposed to recover the original image u(x) as the solution of the minimization problem:

$$\mathrm{TVF}_\lambda(v) = \arg\min_u \; TV(u) + \lambda \int |v(x) - u(x)|^2 \, dx,$$

where TV(u) denotes the total variation of u and λ is a given Lagrange multiplier. The minimum of the above minimization problem exists and is unique. The parameter λ is related to the noise statistics and controls the degree of filtering of the obtained solution.

Theorem 3. The method noise of the total variation minimization is
In Section 2, we have computed explicitly the method noise of the local smoothing filters. These formulas are corroborated by the visual experiments of Figure 3. This figure displays the method noise for the standard image Boat, that is, the difference $u - D_h(u)$, where the parameter h has been fixed in order to remove a noise with standard deviation 2.5. The method noise helps us in understanding the performance and limitations of the denoising algorithms, since removed details or texture correspond to a large method noise. We see in Figure 3 that the NL-means method noise does not present noticeable geometrical structures. Figure 4 explains this property since it shows how the NL-means algorithm chooses a weighting configuration adapted to the local and nonlocal geometry of the image.

4. NL-MEANS CONSISTENCY
Under stationarity assumptions, for a pixel i, the NL-means algorithm converges to the conditional expectation of i once a neighborhood of it has been observed. In this case, the stationarity conditions amount to saying that as the size of the image grows, we can find many similar patches for all the details of the image.

Let V be a random field and suppose that the noisy image v is a realization of V. Let Z denote the sequence of random variables $Z_i = \{Y_i, X_i\}$ where $Y_i = V(i)$ is real valued and $X_i = V(N_i \setminus \{i\})$ is $\mathbb{R}^p$ valued. The NL-means is an estimator of the conditional expectation $r(i) = E[Y_i \mid X_i = v(N_i \setminus \{i\})]$.

Theorem 5 (Conditional Expectation Theorem). Let $Z = \{V(i), V(N_i \setminus \{i\})\}$ for i = 1, 2, . . . be a strictly stationary and mixing process. Let $NL_n$ denote the NL-means algorithm applied to the sequence $Z_n = \{V(i), V(N_i \setminus \{i\})\}_{i=1}^{n}$. Then for $j \in \{1, \ldots, n\}$,

$$|NL_n(j) - r(j)| \to 0 \quad \text{a.s.}$$

The full statement of the hypothesis of the theorem and its proof can be found in a more general framework in Roussas.38 This theorem tells us that the NL-means algorithm corrects the noisy image rather than trying to separate the noise (oscillatory) from the true image (smooth).

In the case that an additive white noise model is assumed, the next result shows that the conditional expectation is the function of $V(N_i \setminus \{i\})$ that minimizes the mean square error with the true image u.

Theorem 6. Let V, U, N be random fields on I such that V = U + N, where N is a signal-independent white noise. Then, the following statements hold.

(i) $E[V(i) \mid X_i = x] = E[U(i) \mid X_i = x]$ for all $i \in I$ and $x \in \mathbb{R}^p$.
(ii) The expected random variable $E[U(i) \mid V(N_i \setminus \{i\})]$ is the function of $V(N_i \setminus \{i\})$ that minimizes the mean square error

$$\min_g \; E[U(i) - g(V(N_i \setminus \{i\}))]^2$$

Similar optimality theoretical results have been obtained in Ordentlich et al.34 and presented for the denoising of binary images.

5. DISCUSSION AND EXPERIMENTATION
In this section, we compare the local smoothing filters, the wavelet thresholding algorithms,17 sliding DCT Wiener filter,46 and the NL-means algorithm. The wavelet thresholding and the sliding DCT algorithms yield state-of-the-art results among frequency domain filters.

For computational purposes of the NL-means algorithm, the search of similar windows was restricted to a larger “search window” with size S × S pixels. In all experiments, the search window has 21 × 21 pixels and the similarity square neighborhood 3 × 3 pixels for color images and 5 × 5 pixels for gray images. When denoising a color

Figure 3. Image method noise. From left to right and from top to bottom: original image, Gaussian convolution, anisotropic filtering, total variation minimization, neighborhood filter, translation invariant wavelet thresholding, DCT sliding window Wiener filter, and the NL-means algorithm. The parameters have been set for each method to remove a method noise with variance σ² = 2.5².
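The method noise $u - D_h(u)$ discussed above, computed in an added Python example (not the authors' code) for a Gaussian filter and for NL-means on a constructed step-edge image: the Gaussian method noise concentrates on the edge, while the NL-means method noise there stays at the level of the flat regions. The NL-means weights use the standard exponential kernel on mean squared patch distance; the test image, h, the 3 × 3 patch and the 11 × 11 search window are assumptions chosen to keep the pure-Python runtime short.

```python
import math

def make_image(size=24, low=50.0, high=150.0, amp=4.0):
    """Constructed test image: vertical step edge plus small reproducible jitter."""
    state, img = 12345, []
    for _ in range(size):
        row = []
        for x in range(size):
            state = (1103515245 * state + 12345) % 2 ** 31   # simple LCG
            jitter = (state / 2 ** 31 - 0.5) * 2 * amp        # in [-amp, amp)
            row.append((low if x < size // 2 else high) + jitter)
        img.append(row)
    return img

def pix(img, y, x):
    """Pixel access with border replication."""
    return img[min(max(y, 0), len(img) - 1)][min(max(x, 0), len(img[0]) - 1)]

def gaussian_filter(img, sigma=1.5, radius=4):
    """Separable Gaussian convolution (a local smoothing filter)."""
    k = [math.exp(-d * d / (2 * sigma * sigma)) for d in range(-radius, radius + 1)]
    total = sum(k)
    k = [v / total for v in k]
    H, W = len(img), len(img[0])
    tmp = [[sum(k[d + radius] * pix(img, y, x + d) for d in range(-radius, radius + 1))
            for x in range(W)] for y in range(H)]
    return [[sum(k[d + radius] * pix(tmp, y + d, x) for d in range(-radius, radius + 1))
             for x in range(W)] for y in range(H)]

def nl_means(img, h=10.0, patch=1, search=5):
    """NL-means: each pixel becomes a weighted mean of pixels in its search
    window, weighted by similarity of the surrounding patches."""
    H, W = len(img), len(img[0])
    offs = [(a, b) for a in range(-patch, patch + 1) for b in range(-patch, patch + 1)]
    out = [[0.0] * W for _ in range(H)]
    for y in range(H):
        for x in range(W):
            wsum = acc = 0.0
            for yy in range(max(0, y - search), min(H, y + search + 1)):
                for xx in range(max(0, x - search), min(W, x + search + 1)):
                    d2 = sum((pix(img, y + a, x + b) - pix(img, yy + a, xx + b)) ** 2
                             for a, b in offs) / len(offs)
                    w = math.exp(-d2 / (h * h))
                    wsum += w
                    acc += w * img[yy][xx]
            out[y][x] = acc / wsum
    return out

def method_noise(img, denoise):
    """Difference between the image and its denoised version, u - D(u)."""
    out = denoise(img)
    return [[img[y][x] - out[y][x] for x in range(len(img[0]))]
            for y in range(len(img))]

def rms(noise, cols):
    """Root mean square of the method noise over the given columns."""
    vals = [row[x] for row in noise for x in cols]
    return math.sqrt(sum(v * v for v in vals) / len(vals))

def compare(size=24):
    img = make_image(size)
    edge = [size // 2 - 1, size // 2]                      # columns at the step
    flat = [x for x in range(size) if abs(x - (size - 1) / 2) > 5]
    g = method_noise(img, gaussian_filter)
    n = method_noise(img, nl_means)
    return {"gauss_edge": rms(g, edge), "gauss_flat": rms(g, flat),
            "nl_edge": rms(n, edge), "nl_flat": rms(n, flat)}

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:.2f}")
```
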
Figure 7. Denoising experience on a natural image. From left to right and from top to bottom: noisy image (standard deviation σ = 20), Gaussian convolution (h = 1.8), anisotropic filter (h = 2.4), total variation (λ = 0.04), the Yaroslavsky neighborhood filter (ρ = 7, h = 28), and the NL-means algorithm. Parameters have been set for each algorithm so that the removed quadratic energy is equal to the energy of the added noise.

Figure 8. Denoising experience on a natural image. From left to right and from top to bottom: noisy image (standard deviation 35), total variation minimization, neighborhood filter, translation invariant wavelet thresholding, DCT sliding window Wiener filter, and NL-means.

The algorithm favors pixels with a similar local configuration; as the similar configurations move, so do the weights. Thus, the algorithm is able to follow the similar configurations when they move without any explicit motion computation (see Figure 10). This is not the case of classical movie denoising algorithms, which are motion compensated (see Buades et al.9 for more details on this discussion). The very same idea on movie denoising can be applied for super-resolution, an image zooming method by which several frames from a video, or several low resolution photographs, can be fused into a larger image.20, 37

Improvements or adaptations of the NL-means algorithm have been proposed for the denoising of several types of data: in fluorescence microscopy,5 cryon microscopy,15 magnetic resonance imaging (MRI),31 and 3D data set points.47

The most successful improvements of NL-means combine the nonlocal principle with former classic algorithms and have indeed shown an improved denoising performance. Probably the best performing methods so far are the hybrid method BM3D proposed in Dabov et al.14 and the NL-PCA proposed in Zhang et al.48 Both algorithms combine not less than block-matching, a linear transform thresholding, and Wiener filtering.

The NL-means algorithm has also expanded to most image processing tasks: demosaicking, which is the operation that transforms the “R or G or B” raw image in each camera into an “R and G and B” image;10, 30 movie colorization21, 26; image inpainting by proposing a nonlocal image inpainting variational framework with a unified treatment of geometry and texture3 (see also Wong and Orchard44); zooming by a fractal like technique where examples are taken from the image itself at different scales18; movie flicker stabilization16 that compensates spurious oscillations in the colors of successive frames.

NL-means is a computationally demanding algorithm. Several papers have proposed fast and extremely fast (linear) implementations, by block preselection,29 by Gaussian KD-trees to classify image blocks,1 by SVD,33 by using the FFT to compute correlation between blocks43, and by statistical arguments.13 The statistical validity of the NL-means algorithm is wide open. See Ebrahimi and Vrscay,18 Kervrann et al.,24 and Thacker et al.41 (where a Bayesian interpretation is proposed) or Xu et al.45 (where a bias of NL-means is corrected).

The relationship of neighborhood filters to classic
Puzzled
Games, Roles, Turns
Welcome to three new puzzles. Solutions to the first two will be
published next month; the third is (as yet) unsolved. In each, the issue
is how your intuition matches up with the mathematics.
The theme is games. The twist
possible legal moves are
All readers are encouraged to submit prospective puzzles for future columns to puzzled@cacm.acm.org.
Peter Winkler (puzzled@cacm.acm.org) is Professor of Mathematics and of Computer Science and Albert Bradley
Third Century Professor in the Sciences at Dartmouth College, Hanover, NH.