Communications of the ACM
cacm.acm.org 09/2011 Vol. 54 No. 9

Cover stories: Protecting Users of the Cyber Commons; The Future of Wireless Data Communications; A Breakthrough in Algorithm Design; Realizing the Value of Social Media; Abstracting Abstract Machines

Association for Computing Machinery
ONWARD! 2011: ACM Symposium on New Ideas in Programming and Reflections on Software
A SPLASH Conference, October 22–27, 2011, Hilton Portland & Executive Tower, Portland, Oregon USA

Chair: Robert Hirschfeld, Hasso-Plattner-Institut Potsdam, Germany, chair@onward-conference.org
Papers: Eelco Visser, Delft University of Technology, The Netherlands, papers@onward-conference.org
Workshops: Pascal Costanza, Vrije Universiteit Brussel, Belgium, workshops@onward-conference.org
Essays: David West, New Mexico Highlands University, USA, essays@onward-conference.org
Films: Bernd Bruegge, Technische Universität München, Germany, films@onward-conference.org
http://onward-conference.org/
Communications of the ACM
Communications of the ACM is the leading monthly print and online magazine for the computing and information technology fields.
Communications is recognized as the most trusted and knowledgeable source of industry information for today’s computing professional.
Communications brings its readership in-depth coverage of emerging areas of computer science, new trends in information technology,
and practical applications. Industry leaders use Communications as a platform to present and debate various technology implications,
public policies, engineering challenges, and market trends. The prestige and unmatched reputation that Communications of the ACM
enjoys today is built upon a 50-year commitment to high-quality editorial content and a steadfast dedication to advancing the arts,
sciences, and applications of information technology.
Doctoral Dissertation Award
Each nomination shall be forwarded by the thesis advisor and must include the endorsement of the department head. A one-page summary of the significance of the dissertation written by the advisor must accompany the transmittal.

Sponsorship
The Doctoral Dissertation Award is accompanied by a prize of $20,000 and the Honorable Mention Award is accompanied by a prize of $10,000. Financial sponsorship of the award is provided by Google.

Deadline
Submissions must be received by October 31, 2011 to qualify for consideration.
For Submission Procedure see http://awards.acm.org/html/dda.cfm
letters to the editor
DOI:10.1145/1995376.1995378
Moshe Y. Vardi’s Editor’s Letter “Solving the Unsolvable” (July 2011) raised an important point—that we should reconsider the meaning of unsolvability, especially in terms of its practical application. Even though a problem (such as the Halting Problem) may be theoretically unsolvable, we should, perhaps, still try to solve it.

The proof of undecidability is based on the possibility of self-application; that is, a program cannot look at itself and decide if it is itself stuck in a loop; from a practical point of view, this situation is not relevant. Why even write such a program? The proof does not say I cannot write a server program that looks at running applications to determine if any of them is in a loop.

The same reliance on self-application applies to the Post Correspondence Problem (PCP), a string-matching problem also theoretically unsolvable. The proof does not say PCP is undecidable for any practical problem, only for one using self-application. However, the proof does say if I try to simulate a Turing Machine program that looks to see if it is itself in a loop, then, as in the Halting Problem, PCP is theoretically unsolvable. But from a string-matching point of view, this potential insight about unsolvability is again hardly relevant to the programmer. Perhaps, for all cases of practical interest, PCP is indeed solvable.

The same point applies to the many other theorems that relate to the unsolvability of certain problems. It may be the problems are very difficult to solve; likewise, it may be very difficult to devise a solution for a reasonable sub-problem or solve a sub-problem in polynomial time. In any case, the question of unsolvability might simply be a red herring.

Henry Ledgard, Toledo, OH

Author’s Response:
I do not agree that unsolvability is a “red herring” but a fundamental limit on computability. We do not have an algorithm for program termination. My point was we should take a sober view of unsolvability, recognizing that many unsolvable problems can, in practice, be solved.

Moshe Y. Vardi, Editor-in-Chief

To Program, Imagine All Contingencies
In his Viewpoint “Non-Myths About Programming” (July 2011), Mordechai Ben-Ari said programming requires logical thinking, which is certainly true, but to write a program that interacts with anything—API, device, UI—a programmer must also be able to imagine all contingencies and define appropriate responses. Such talent is orthogonal to following a theorem proof or manipulating algebraic expressions that would be needed for, say, a good grade in high school mathematics.

Tom Moran, Saratoga, CA

Author’s Response:
I agree the definition of logical thinking should be as broad as possible. However, it is an empirical question whether success in high school mathematics predicts the logical thinking needed for programming. I conjecture that the correlation is positive (not 1.0, but certainly not 0.0, orthogonal) and thus a reasonable predictor for use by a guidance counselor.

Mordechai Ben-Ari, Rehovot, Israel

Where Privacy Ends
Besides being a great article on its subject, Stephen B. Wicker’s “Cellular Telephony and the Question of Privacy” (July 2011) also identified a game-changing direction in privacy. Consider that the word “privacy” is oxymoronic when discussing radio transmission; by definition, a radio sends our stuff to places totally beyond our control or authority; think postcard rather than envelope. We can’t give away something and still claim to own it and presume we can tell everyone else how to use it. To my knowledge, no legal precedent exists to empower a nail maker to decree all builders use its products only pointy-side down.

This is a trend (and fallacy) sanctified by the software industry (and others), claiming “It’s mine, even when we have it.” Absurd, of course, though it seems to function as the basis for everything from copyright law to digital privacy.

Utterances overheard at a distance are not private; neither are postcards, signs in the front yard, or a radio or wire-line signal. A government might wish to guarantee a certain right of privacy for some particular technology, except that such a guarantee would be a matter of contract law, not of practical expedience. The postal service guarantees privacy (within limits) as part of its service. The phone company does not. I know of no service that allows remote talking that also guarantees confidentiality. The guarantee is to try to ensure confidentiality, or good faith.

Our expectation of privacy ends when the communication leaves our point of control, save for specific guarantees from the final authority, in the U.S., the Federal Government.

What Wicker called “context information” cannot be made private by definition (or the service stops). Presuming protection of related content is just silly; A gives it to B, and B may now do whatever it wants with it or whatever it thinks it can get away with. Wrangling legalisms about what is permitted is the equivalent of rearranging deck chairs as the ship of privacy heads for the bottom.

David Byrd, Arlington, VA

Communications welcomes your opinion. To submit a Letter to the Editor, please limit yourself to 500 words or less, and send to letters@cacm.acm.org.

© 2011 ACM 0001-0782/11/09 $10.00
Special rates for residents of developing countries: http://www.acm.org/membership/L2-3/
Special rates for members of sister societies: http://www.acm.org/membership/dues.html

Purposes of ACM
ACM is dedicated to:
1) advancing the art, science, engineering, and application of information technology
2) fostering the open interchange of information to serve both professionals and the public
3) promoting the highest professional and ethics standards
ACM Code of Ethics: http://www.acm.org/serving/ethics.html

o ACM Professional Membership plus the ACM Digital Library: $198 USD ($99 dues + $99 DL)
o ACM Digital Library: $99 USD (must be an ACM member)
o ACM Student Membership plus the ACM Digital Library: $42 USD
o ACM Student Membership PLUS Print CACM Magazine: $42 USD
o ACM Student Membership w/Digital Library PLUS Print CACM Magazine: $62 USD
DOI:10.1145/1995376.1995379
doi:10.1145/1995376.1995380 http://cacm.acm.org/blogs/blog-cacm

…puter science and since NITRD was created from the High-Performance Computing Act of 1991 (before brows-
…dress society’s and our nation’s grand challenges; and 3) Computer science has a rich intellectual agenda.

My slides are available in .pptx and .pdf formats: (http://www.cs.cmu.edu/afs/cs/usr/wing/www/talks/Wing-Sept-2-2010.pptx) and (http://www.cs.cmu.edu/afs/cs/usr/wing/www/talks/Wing-Sept-2-2010.pdf). Please see the Notes pages of my PowerPoint slides for my transcript.

Valerie Barr
“Barbara Liskov Keynote, Grace Hopper Conference”
http://cacm.acm.org/blogs/blog-cacm/99599
Oct. 2, 2010

Barbara Liskov, Institute Professor at the Massachusetts Institute of Technology (MIT), received the 2008 A.M. Turing Award for her innovations to designing and building computer systems and her achievements in programming language design that have made software more reliable and easier to maintain. Liskov opened her talk by commenting that receiving the Turing Award had given her an opportunity to reflect on her meandering career path and the work she has done.

Liskov grew up in San Francisco in the 1950s. She was interested in math and science, so she took lots of classes, but she didn’t talk about it much because it wasn’t cool for girls to like math and science. She then went to the University of California, Berkeley, and became a math major, despite being one of very few women in her classes. After her undergraduate work, Liskov didn’t feel ready for graduate school, so she moved to Boston and was offered a job as a programmer at the MITRE Corp. She learned FORTRAN, and discovered she really liked programming. After a year, she moved to Harvard and worked on their language translation project. This was during the period of great optimism about artificial intelligence (AI). Liskov maintained a large program written in machine language, which was great training for becoming a computer scientist. Of course, it also gave her a great understanding of bad code, especially since it was self-modifying code.

Liskov eventually decided to go back to school because she wasn’t learning fast enough. She went to Stanford, met John McCarthy, boldly asked him for support, and ended up working with him during her graduate studies. She was the only woman in her class, followed by Susan Graham who entered a year later. But it was a very supportive environment. Liskov eventually decided to switch out of AI after finishing her thesis because she had become more interested in computer systems.

Initially, Liskov could not find a job at an academic institution as hiring was done by the old boys’ network. She went back to work at MITRE, this time as a researcher. Going to MITRE rather than into academia at that point enabled her to switch technical areas without the added pressure of being a new faculty member who had to think about standing for tenure in a relatively short period of time.

After providing the background information, Liskov talked about her technical work that ultimately led to the Turing Award. Much of her work was motivated by an interest in program methodology and the questions of how programs should be designed and how programs should be structured. So, after receiving the Turing Award, she went back and reread the old literature, discovering anew that there is great material in old papers and that her students were unaware of it. So, she is now pointing people to these papers and encouraging people to read them.

For example, three key papers she cited are:
• Edsger Dijkstra, “Go To Considered Harmful,” Communications of the ACM, Vol. 11, No. 3, March 1968, pp. 147–148.
• Niklaus Wirth, “Program Development by Stepwise Refinement,” Communications of the ACM, Vol. 14, No. 4, April 1971, pp. 221–227.
• David Parnas, “Information Distribution Aspects of Design Methodology,” IFIP Congress, 1971.

In 1972, Liskov published “A Design Methodology for Reliable Software Systems.” In this paper she presented the idea of a global state in which each partition owns a part of the global state. Modules completely encapsulate their portion of the global state. This paper was award winning, and Liskov was invited to apply for a position at MIT. She began there in the fall of 1972, one of 10 women out of a faculty of 1,000.

Liskov then began to look at how the partition ideas could be applied to building programs—Could you make programming methodology into something that regular programmers would use? And Liskov began to think about partitions as abstract data types. She looked at material on extensible languages and early material on hierarchical programming structures and inheritance. Her work on abstract data types was codified during the summer of 1973 for a conference in 1974. She basically proposed abstract data types (ADTs) as clusters with encapsulation, polymorphism, static type checking, and exception handling.

In the fall of 1973, Liskov decided to proceed with language design based on ADT work. With three grad students, she designed the CLU language. Her idea was that a programming language would allow her to figure out whether ADTs really work in practice, would allow her to get a precise definition of ADTs, and determine whether ADTs would impact performance. So, CLU has all these mechanisms—cluster, polymorphism, exception handling, and iterators.

Finally, Liskov presented the research challenges of interest to her now:
• new abstraction mechanism
• massively parallel computers—much to be explored and learned in this area;
• Internet computation—a rich set of problems; and
• storage and computation, semantics, reliability, availability, and security.

Liskov also discussed the ingredients that have to be in place in order to get an “ah hah” moment. You have to be working on a problem, but also have to be able to have “off time” so that the brain can work on the back burner. Finally, she exhorted the audience not to get too tired because then you aren’t productive.

Jeannette M. Wing is a professor at Carnegie Mellon University. Valerie Barr is the chair of the computer science department at Union College.
September 2011 | Vol. 54 | No. 9 | Communications of the ACM | 11
Call for Contributions
Designing Interactive Systems 2012 addresses design as an integrated activity, showcasing research that explores the technical, social, cognitive, organizational, and cultural factors of design. DIS 2012 turns its focus to ‘In the Wild’, promoting exchange and discussion on the opportunities, challenges and issues of interactive systems in the everyday practice and lived experience of people and institutions. Over five days attendees will be invited to share research, innovation, best practices and learning through a range of avenues including workshops, demonstrations, invited talks, and a new addition this year, design lunch dates that aim to promote networking among newer and more experienced members of the interaction design community.

Submission Deadlines
Full and Short Papers: Friday 20th January 2012
Workshop Proposals: Friday 9th December 2011
Doctoral Consortium and Demos: Wednesday 7th March 2012
news

Systems of linear equations are everywhere. They are used in telecommunications, transportation, manufacturing, and many other domains. The algorithms used to solve linear systems must be able to compute solutions to equations involving millions—or sometimes billions—of variables. Because calculating solutions for these systems is time-consuming on even the fastest computers, finding ways to accelerate these computations is an ongoing challenge for algorithm designers. Now, a group of computer scientists at Carnegie Mellon University (CMU) have devised an algorithm they say might be able to solve a certain class of linear systems much more quickly than today’s fastest solvers.

The researchers say the algorithm, which applies to a class of problems known as symmetric and diagonally dominant (SDD) systems, not only has practical potential, but also is so fast it might soon be possible for a desktop PC to solve systems with one billion variables in just seconds. “The main point of the new algorithm is that it is guaranteed to work and to work quickly,” says Gary L. Miller, a professor of computer science at CMU and a member of the three-person team that developed the new algorithm.

SDD systems, characterized by symmetric system matrices in which each diagonal element is at least as large as the sum of the absolute values of all the other elements in the corresponding row, are used for a wide range of purposes, from online recommendation systems to industrial simulations, materials modeling, and
… that makes iterative solvers, such as the kind developed by the CMU team, more effective for the large data sets generated by today’s applications.

While iterative solvers eventually return satisfactory results, those results typically take a long time to produce because they require calculating many approximations. There have been hundreds of approaches to developing faster iterative solvers, but one method has proved to be the most effective and has become a guiding principle of sorts in this area of research. The idea is to solve computations on a massive linear system by quickly running computations on a sparser system that in some well-defined algebraic sense is similar to the larger one. The sparser system used to set up these computations for the larger system is called the preconditioner.

A linear system designed to improve the quality of retinal image segmentation through the use of an iterative solver technique called spectral rounding, developed at Carnegie Mellon University and the University of Pittsburgh Medical Center. Conventional segmentation algorithms tend to fail in the presence of retinal abnormalities. On the left is the input image. On the right is the segmented image.

Producing the sparse matrix requires zeroing out some of the non-zero entries and increasing the weight of others in the larger matrix. “One key ingredient in the newer algorithms is the judicious use of randomization to determine which entries are zeroed out,” explains Miller, who likens the CMU algorithm’s process of sparsification to “flipping a biased coin” to determine the fate of an element in the system matrix. This sparsification process is designed to create a representation of the larger system matrix to generate the preconditioner that will guide later computations.

While finding a preconditioner might seem straightforward, finding a good one is not. A reliable method for finding a good preconditioner to accelerate computations on large system matrices is an ongoing challenge in math and computer science. Methods that rely on heuristics, for example, have been effective, but only to a limited extent. “Heuristic solvers are often guided by good intuition,” says Richard Peng, a graduate student in the CMU computer science department and a member of the new algorithm team. “However, the critical missing pieces of understanding make them unreliable, especially with the large and complicated systems that we face today.”

The Spielman-Teng Solver
The path to developing a more effective method than heuristics for finding a good preconditioner dates to the early 1990s and a series of ideas that suggested viewing SDD systems as combinatorial graphs. Research projects in spectral graph theory and numerical analysis developed these ideas in a string of new theories that, in 2004, emerged as what was widely considered to be a breakthrough proof by Daniel Spielman and Shang-Hua Teng. Spielman and Teng were able to prove that every SDD matrix has a good and discoverable preconditioner.

To put the idea into electrical terms, Spielman and Teng showed that for a given electrical network, there will be one that uses fewer resistors while having the same reliability and energy-consumption properties as the original.

“The Spielman-Teng solver is asymptotically much faster than everything that was known before,” says Peng. “It is faster than previous solvers for all systems larger than a fixed size, and that difference in speed increases as the system becomes larger.”

Building on Spielman and Teng’s work, the CMU team developed their new algorithm that, from a mathematical point of view, is more concise, taking only five pages to detail instead of 50. “It’s nearly optimal,” says Ioannis Koutis, the third member of the CMU team and now a professor of computer science at the University of Puerto Rico, Rio Piedras. “We know that we can’t do much better, if that’s possible at all.”

Due to its simplicity, along with its promise of significant speed improvements over earlier algorithms, the new solver made headlines when it was introduced last October at the IEEE 51st Annual Symposium on Foundations of Computer Science (FOCS). With an optimized implementation, the researchers say, the algorithm would be some 10 to 20 times faster than other solvers for current problems. (The technical details of the algorithm are in the FOCS paper; see I. Koutis, G.L. Miller, and R. Peng, “Approaching Optimality for Solving SDD Linear Systems.”)

Spielman, a professor of applied mathematics and computer science at Yale University, says the CMU algorithm represents a significant improvement for solving SDD systems. “It is the first algorithm for this problem that is both provably fast in an asymptotic sense and that could be fast in practice,” he says.

Spielman explains that when he and Teng created their initial approach to this problem in 2004, their algorithm was guaranteed to find solutions in near-linear time. However, this guaran-

An application designed to improve the quality of optical coherence tomography images for an automated cartilage health-assessment routine. The top images represent the input. The bottom images, enhanced with a linear system designed to smooth the optical coherence tomography images, show striations in the cartilage that are indicative of unhealthy tissue.
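The SDD definition and the preconditioner idea described in this article, made concrete as an added example; this is not code from the CMU team or from the Koutis-Miller-Peng paper. It checks a matrix for symmetric diagonal dominance (in the weak form, diagonal at least the row’s off-diagonal absolute sum, so the Laplacians of the electrical-network picture qualify), builds an SDD matrix from a weighted graph, and solves it with preconditioned conjugate gradient. The preconditioner is the elementary Jacobi (diagonal) one, chosen here for brevity; the sparsified-graph preconditioner the article describes would plug into the same `apply_minv` slot. The sample graph, weights, and right-hand side are constructed for the example.

```python
"""SDD check and preconditioned conjugate gradient (PCG), pure Python.

Added example, not code from the CMU team or the Koutis-Miller-Peng paper.
The preconditioner is the plain Jacobi (diagonal) one, not the sparsified
graph the article describes; the solver loop has the same shape either way:
a cheap approximate inverse steers every step.
"""
import math
from typing import Callable, Dict, List, Tuple

Matrix = List[List[float]]
Vector = List[float]


def is_sdd(a: Matrix, tol: float = 1e-12) -> bool:
    """True if a is square, symmetric, and each diagonal entry is at least the
    sum of |off-diagonal| entries in its row (weak dominance: Laplacians pass)."""
    n = len(a)
    if any(len(row) != n for row in a):
        return False
    for i in range(n):
        for j in range(i + 1, n):
            if abs(a[i][j] - a[j][i]) > tol:
                return False
        off_diag = sum(abs(a[i][j]) for j in range(n) if j != i)
        if a[i][i] + tol < off_diag:
            return False
    return True


def laplacian_plus_identity(n: int, edges: Dict[Tuple[int, int], float]) -> Matrix:
    """Weighted graph Laplacian plus the identity: the textbook SDD matrix.
    Each edge is a resistor with conductance = weight; adding I makes the
    matrix positive definite, so conjugate gradient applies."""
    a = [[0.0] * n for _ in range(n)]
    for (u, v), w in edges.items():
        a[u][v] -= w
        a[v][u] -= w
        a[u][u] += w
        a[v][v] += w
    for i in range(n):
        a[i][i] += 1.0
    return a


def matvec(a: Matrix, x: Vector) -> Vector:
    return [sum(aij * xj for aij, xj in zip(row, x)) for row in a]


def dot(u: Vector, v: Vector) -> float:
    return sum(ui * vi for ui, vi in zip(u, v))


def jacobi_preconditioner(a: Matrix) -> Callable[[Vector], Vector]:
    """r -> M^{-1} r with M = diag(A): the cheapest preconditioner there is."""
    diag = [row[i] for i, row in enumerate(a)]
    return lambda r: [ri / di for ri, di in zip(r, diag)]


def no_preconditioner(r: Vector) -> Vector:
    """M = I, i.e. plain conjugate gradient."""
    return list(r)


def pcg(a: Matrix, b: Vector, apply_minv: Callable[[Vector], Vector],
        tol: float = 1e-10, max_iter: int = 1000) -> Tuple[Vector, int]:
    """Solve A x = b for symmetric positive definite A; returns (x, iterations).
    Every iteration is one mat-vec plus one preconditioner application, which
    is why the preconditioner itself must be cheap to apply."""
    n = len(b)
    x = [0.0] * n
    r = list(b)                      # residual b - A x with x = 0
    b_norm = math.sqrt(dot(b, b))
    if b_norm == 0.0:
        return x, 0
    z = apply_minv(r)
    p = list(z)
    rz = dot(r, z)
    for k in range(1, max_iter + 1):
        ap = matvec(a, p)
        alpha = rz / dot(p, ap)
        x = [xi + alpha * pi for xi, pi in zip(x, p)]
        r = [ri - alpha * api for ri, api in zip(r, ap)]
        if math.sqrt(dot(r, r)) <= tol * b_norm:
            return x, k
        z = apply_minv(r)
        rz_next = dot(r, z)
        beta = rz_next / rz
        p = [zi + beta * pi for zi, pi in zip(z, p)]
        rz = rz_next
    raise RuntimeError("PCG did not converge within max_iter")


def residual_norm(a: Matrix, x: Vector, b: Vector) -> float:
    return math.sqrt(sum((bi - axi) ** 2 for bi, axi in zip(b, matvec(a, x))))


# Constructed sample (not from the article): a six-node path whose edge weights
# differ by three orders of magnitude, a badly scaled system of the kind where
# the choice of preconditioner starts to matter.
SAMPLE_EDGES = {(0, 1): 1.0, (1, 2): 1000.0, (2, 3): 1.0, (3, 4): 1000.0, (4, 5): 1.0}
SAMPLE_A = laplacian_plus_identity(6, SAMPLE_EDGES)
SAMPLE_B = [1.0, 0.0, 0.0, 0.0, 0.0, -1.0]   # source at node 0, sink at node 5


def solve_sample(preconditioned: bool) -> Tuple[Vector, int, float]:
    """Solve the sample with or without Jacobi; returns (x, iterations, residual)."""
    minv = jacobi_preconditioner(SAMPLE_A) if preconditioned else no_preconditioner
    x, iters = pcg(SAMPLE_A, SAMPLE_B, minv)
    return x, iters, residual_norm(SAMPLE_A, x, SAMPLE_B)


if __name__ == "__main__":
    print("sample matrix is SDD:", is_sdd(SAMPLE_A))
    for flag in (False, True):
        x, iters, res = solve_sample(flag)
        print(f"preconditioned={flag}: {iters} iterations, residual {res:.2e}")
```

The check in `is_sdd` is what a practitioner should run before handing a matrix to an SDD-specialised solver: the speed guarantees the article quotes are conditional on the matrix actually being in the class, and a non-symmetric or non-dominant input silently falls outside them. Both solves return the same `x` to within solver tolerance; what differs is the iteration count, and that is the only thing a preconditioner is for.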
Software start up Spring Partners had 40,000 customers in March 2010. Fourteen months later, it had 1.6 million.

The 3,900% increase in business is far from unusual these days. The Charlestown, MA-based company is just one of thousands of mostly small, entrepreneurial firms that have bypassed traditional methods of development, marketing, and distribution in favor of the new online app stores run by Apple, Google, and a few other software and communications giants.

Market-research firm Gartner predicts that mobile app stores will serve 17.7 billion downloads this year, up 116% from an estimated 8.2 billion last year, and that application downloads will soar to 185 billion by 2014. Developers will see more than $15 billion in revenues in 2011 from their mobile online apps, both from download fees and advertising linked to the downloads, according to Gartner.

Apps for the iPhone and other smartphones are soaring in popularity—and creating economic opportunities for countless app developers and software companies. (Photograph by Daniel Go)

Today, a stroll through the app stores is a little like visiting an urban flea market, where there are first-rate products but where low-price goods of dubious value abound, and support is practically nonexistent. But suppliers to app stores say the sophistication, utility, and price of the software is increasing, crowding out the junk. As a result, the nascent business model can be seen as a warning to consumer software companies that today sell shrink-wrapped software and whose development cycles are often measured in years.

The financial models and philosophies of the mobile app companies vary widely. But they all cite the same benefits of the online stores: low operating costs for development, marketing, distribution, and support, and low capital requirements for getting into the game. What follows are mini-profiles of three very different companies—Spring Partners, a venture capital-backed startup; Instant Cocoa, a hobby turned two-person startup; and Nuance Communications, an established software company—that claim success at the online app stores.

Spring Partners
In mid-2008 Spring Partners landed $5 million in venture capital and in January 2009 launched a free Web-based application called Springpad, a service for “saving anything you want to remember.” Things you see online, such as a recipe or a book review, can be cataloged and saved in a personal database. In March 2010, Springpad for the iPhone was launched at the Apple App Store; in May 2010 it appeared at the Google Android Market; in June 2010 Spring Partners had it for the iPad; in December 2010, v2 of the Web app launched in the Google Chrome Web Store; and in May this year Spring Partners announced support for Google Android tablets and offline access through Google’s Chrome browser.

All versions of Springpad are free. Spring Partners says its revenue, which it won’t divulge, comes when users take action on something they have saved in the Springpad database, such as buying a book. It says 2%–3% of its users generate tiny slices of revenue that way each month.

Although online stores take a cut of the sales price, which is typically 30%, they are otherwise a free distribution mechanism for software developers, and that is perhaps the greatest enabler for small startups. But, says Jeff Janer, cofounder and CEO of Spring Partners, it can take substantial effort to get a product high enough in a store’s rankings to keep it from getting lost among the competition. “We reorganized the company last summer so that everything we do, whether product development or business development or marketing, is focused on getting ranked as high as possible. We spend a fair amount of money on public relations.”

Springpad was developed as a single service, then ported as a native
application to the various mobile and Web operating systems by using the application programming interfaces (APIs) and software development kits (SDKs) provided by the manufacturers. In addition, the company has built connectors to more than 100 services such as Facebook and Groupon. Eight of the company’s 13 employees are developers, including Java programmers. Programmers with mobile application development skills are expensive and in short supply, says Janer.

But companies like Spring Partners can catch a break on the cost of computer resources by going, at least initially, to a cloud service. The company has no data center and uses Amazon’s pay-as-you-go cloud service. “For our 1.6 million users,” says Janer, “we have one person on staff to run our IT operations.” Amazon’s big outage in April knocked Spring Partners offline for 30 hours, which was painful, says Janer. Still, he says if Spring Partners goes in-house for processing, it will be based on the economies of scale for a larger company, not the risks of being based in the cloud.

Instant Cocoa
This Seattle-based startup is not so much a company as it is a hobby started by Eric Maland in his spare time while working full time at Google and then Twitter. But Maland, who is currently unemployed, says he’s devoting his efforts to taking Instant Cocoa to a new level.

Several years ago while at Google, Maland took an Apple Mac programming class and for fun wrote a desktop application called Wordplay that would solve crossword puzzles. He put it on his Web site, free of charge. When Apple introduced the iPhone, he started developing for iOS. “I didn’t actually have an iPhone,” he explains. “I just downloaded [Apple’s] SDK and wrote my first couple of apps in that.” He spent a week writing pTerm, a simple SSH (Secure Shell protocol) client and terminal emulator for the iPhone, and he placed it at the Apple App Store.

Meanwhile, he met a woman named Eliza Block who had written a program for retrieving crossword puzzles and solving them, and the two of them launched Instant Cocoa and published her product, 2 Across, with pTerm, at the iPhone App Store.

“The first week or two the sales were mind boggling,” Maland recalls. Four thousand people downloaded pTerm on the first day, and he says he now sells 1,500–2,000 copies a month at $4.99 each. He says 2 Across, at $5.99, has done almost as well. He says he enjoyed two big advantages: There was only one other SSH client at the App Store and it didn’t support terminal emulation, and in 2008 he was an early publisher at the App Store.

And, he admits, “what I put out there in a week, I wouldn’t put out today, because it would be embarrassing.” He is now improving his products and says a month of development work is about right for products like his. Software can be written quickly for this market, he says, because so many

In Memoriam
Robert Morris, 1932–2011

Cryptographer and early Unix developer Robert Morris died June 26 in Lebanon, NH, at the age of 78 from complications of dementia. Morris was a pioneer in developing operating systems and computer security. He also purportedly played a role in one of the world’s first cyberattacks during the 1991 Persian Gulf War.

Morris, who started his career as a researcher for AT&T’s Bell Laboratories in the 1960s, initially focused on the development of compilers that could turn programming instructions into machine readable code. Later, he helped develop the Unix OS, whose descendants now reside in a growing spate of devices, including Apple’s OS X, the iPhone, and Google’s Android.

During the 1970s, Morris played an important role in the development of key computer security features, including encryption and password protection. He continued to explore cryptography, eventually unlocking an early German encryption system. From 1986 to 1994, Morris served as chief scientist for the NSA’s National Computer Security Center.

Although his role in the 1991 Persian Gulf War remains classified, it has been widely reported that Morris helped launch cyberattacks against key government and military systems in Iraq. Experts have speculated that these attacks destroyed command and control
september 2011 | vol. 54 | no. 9 | communications of the acm 17
news
Remaking American Medicine
Developing an IT ecosystem for health could improve—and transform—the practice of medicine.

In these days when so much of life seems to take place on a Web site or over a smartphone, health care is still remarkably lacking when it comes to information technology. Of course billing is done mostly by computer, and in the past few years the electronic writing of prescriptions has soared. But most medical records are still on paper, and even those in digital form are not easily shared between doctors or readily accessible to patients. Data that could aid in understanding a patient—activity patterns or dietary habits—aren’t captured. Patterns that might indicate a problem with a drug or suggest a better method of treatment aren’t noticed.
A special commission, the U.S. President’s Council of Advisors on Science and Technology (PCAST), issued a report last December calling for the creation of an information technology infrastructure for health care in the U.S. Such an IT ecosystem starts with the widespread adoption of electronic health records. But it could go beyond that to devices that collect data about how people live their lives or offer them feedback for making healthy choices. It could include individual databases that gather information relevant to health from a wide variety of sources, and collections of aggregated, anonymized data to aid public-health decisions or supplement clini-

[Photo caption: With Health Buddy, a patient’s medical condition can be monitored on a continuous basis without requiring visits to a physician or hospital. Photograph courtesy of Robert Bosch Healthcare.]

80% of doctors lack even rudimentary digital records. “Of those who do use electronic systems, most do not make full use of their potential functionality,” the report states. “The sharing of health information electronically remains the exception rather than the rule.”
The report recommends that the government promote a universal exchange language for health-care data,

cords could improve the quality of care in a number of ways. If a patient from Boston, for instance, is rushed to an emergency room in Seattle, doctors could immediately find out her allergies, what medications she’s on, or a recent surgery that might be contributing to her medical condition. A computer might alert a doctor to potential drug interactions, or send a reminder to follow up on a lab test. Gordon
patient history, highlighting potential problems, and making it easier for doctors to share their diagnostic thinking. Although he doesn’t think it will happen soon, someday computers may even guide doctors toward a diagnosis. Schiff has invited the creators of IBM’s Watson, the machine that beat a duo of Jeopardy champions earlier this year, to address that possibility at the Diagnostic Error in Medicine conference he’s co-chairing in October.
But health information need not be limited to doctor’s visits and lab tests. A second PCAST report, “Designing a Digital Future,” focusing on networking and information technology, was released a week after the health IT report. It envisions a more comprehensive, lifelong record that includes not only treatment history but also a genetic profile, psychological characteristics, behavior patterns, and exposures to risks that might be relevant to health. While such a record could benefit individual patients, it could provide even greater value when stripped of personally identifying information, combined with similar records, and subjected to data mining algorithms. It would, for instance, create a sort of extended clinical trial for approved drugs, says Susan Graham, a computer science professor at the University of California, Berkeley, and a member of the report’s working group. Today’s drug trials stop with the approval of a medication, “yet while people are taking these drugs there’s an accumulation of experience about what the side effects are and what the potential benefits are,” Graham says. The health-care group Kaiser Permanente has already demonstrated such a benefit; electronic records for its 8.6 million members helped identify the link between the painkiller Vioxx and an increased risk of heart attacks.
With an entire nation’s health records at their disposal, computers might also find early warnings of epidemics or identify which treatment approaches work best. Graham points out that only major diseases that affect millions of people tend to be studied. A huge database could provide valuable insights into less common disorders. “It’s only possible if all of the information on which that kind of insight is based is, number one, electronic, and number two, available,” she says.

At-Home Monitoring
Health records could also be fed by devices that collect information about people as they go about their lives. The U.S. Veterans Administration (VA) system already uses the Health Buddy, an electronic device that plugs into a home phone line or Ethernet socket. Each day patients answer a series of questions tailored to their particular medical conditions, asking, for example, whether they have taken their medications or about their glucose levels. Answers are sent to the VA and flagged if they show warning signs.
“Versions of that will be in every home, or at least every home where there’s a health condition that could be supported by that,” says Molly Joel Coye, head of the UCLA Innovates Healthcare initiative at the University of California, Los Angeles. “We will know what your blood pressure is every morning at 8 o’clock, or how it varies during the day, instead of every six or eight months when you go to the doctor.”
Such increased monitoring could catch potential problems earlier, perhaps leading to more effective treatment or outright prevention of some conditions. It could also reduce costs. The VA estimates its in-home monitoring saves thousands of dollars per patient by reducing doctors’ visits and nursing home care.
The growth of the “Internet of Things,” in which now-discrete devices are networked, could provide both monitoring and feedback, suggests Isaac Kohane, professor of pediatrics and of health sciences and technology at Harvard Medical School and director of informatics at Boston’s Children’s Hospital. Your refrigerator, for instance, might offer suggestions to help you adhere to your diet, or the motion sensor in a gaming system could be used to guide physical therapy. “Pretty much everything we’re doing today could have a sensor,” Kohane says. “Your scale could have an IP address.”
There’s already a package of sensors that many people carry around with them every day: their smartphone. “People are walking around with devices that make it much easier to capture in-the-moment data,” says Deborah Estrin, director of the Center for Embedded Network Sensing at UCLA. Analyzing patterns of a smartphone’s GPS traces could reveal changes in a person’s behavior, perhaps signaling, for example, a bout of depression or an increased risk of suicide.
Estrin is a proponent of developing an open architecture for mHealth, the practice of using mobile communication devices for monitoring patient health. A patient telling a cellphone app about symptoms or pain levels will be more accurate about how he’s feeling right now than trying to recall these details in a visit to the clinic days or weeks later, she says. Existing apps already help people keep track of diet and exercise, for instance, but if they could feed the information back into a permanent health record available to the doctor, they could offer much greater benefit.

Protecting Patient Privacy
If all this is to work, strong privacy protections will be important. Latanya

public data to deduce an individual’s Social Security number. On the other hand, Graham points out, preventing all such correlations could mean missing connections and patterns that might improve patients’ health. Reaching the right level of data protection, Graham says, is both a technical challenge and a policy issue.
Sweeney sees a lot of value in developing an IT ecosystem, but is skeptical about how quickly it will develop. “For me, the excitement is in the sharing level, but we’re not there,” she says. “We’re not apt to get there in 2015.”
Computer scientists will have to work with doctors to figure out what is technically feasible and how IT can fit into the practice of medicine, says Graham. The capture of information in clinical settings has to fit into the workflow, so providers don’t find it burdensome. And they will have to guide the policy makers who will make the regulatory and financial decisions. “It really needs to be interdisciplinary,” Graham says. “This is not just a computer science topic.”

Further Reading
Coye, M.J., Haselkorn, A., and DeMello, S. Remote patient management: Technology-enabled innovation and evolving business models for chronic disease care, Health Affairs 28, 1, Jan.–Feb. 2009.
Graham, S., Estrin, D., Horvitz, E., Kohane, I., Mynatt, E., and Sim, I. Information technology research challenges for healthcare: From discovery
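The privacy tension the article describes, between stripping personally identifying information from records and the ability to link “anonymized” data against public records, is what the k-anonymity measure captures. The following is an added example, not code from the article or from any project it describes; the records are constructed sample data, and the field names and the generalization ladder are assumptions of the example:

```python
"""Added example (not from the Communications article or the projects it
describes): measures whether a table of 'de-identified' health records still
lets individuals be singled out through quasi-identifiers, and coarsens those
fields until every record shares them with at least k-1 others (k-anonymity).
All records below are constructed sample data; field names are assumptions."""
from collections import Counter

# Constructed sample records. Direct identifiers (name, SSN) are already gone,
# but ZIP code, date of birth and sex remain, and those are exactly the fields
# that can be matched against public records such as voter rolls.
RECORDS = [
    {"zip": "02139", "dob": "1965-03-14", "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02139", "dob": "1965-03-14", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02138", "dob": "1971-11-02", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02134", "dob": "1958-07-30", "sex": "M", "diagnosis": "depression"},
    {"zip": "02134", "dob": "1959-01-09", "sex": "M", "diagnosis": "hypertension"},
    {"zip": "02138", "dob": "1972-05-21", "sex": "M", "diagnosis": "asthma"},
]
QUASI_IDENTIFIERS = ("zip", "dob", "sex")

# Generalization ladder (assumed for the example): from no coarsening up to
# ZIP fully masked and date of birth reduced to a decade.
GENERALIZATION_LEVELS = [(5, "day"), (5, "year"), (3, "year"), (3, "decade"), (0, "decade")]


def equivalence_classes(records, fields=QUASI_IDENTIFIERS):
    """Count records per quasi-identifier tuple (an 'equivalence class')."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def k_anonymity(records, fields=QUASI_IDENTIFIERS):
    """Smallest equivalence class; 1 means at least one person can be singled out."""
    classes = equivalence_classes(records, fields)
    return min(classes.values()) if classes else 0


def singletons(records, fields=QUASI_IDENTIFIERS):
    """Quasi-identifier tuples that match exactly one record (re-identifiable)."""
    return [key for key, n in equivalence_classes(records, fields).items() if n == 1]


def generalize(record, zip_digits=5, dob_precision="day"):
    """Coarsen one record: keep zip_digits of the ZIP (rest masked with '*'),
    and reduce the date of birth to day, year or decade precision."""
    g = dict(record)
    g["zip"] = record["zip"][:zip_digits] + "*" * (5 - zip_digits)
    if dob_precision == "year":
        g["dob"] = record["dob"][:4]
    elif dob_precision == "decade":
        g["dob"] = record["dob"][:3] + "0s"
    return g


def generalize_until(records, k, fields=QUASI_IDENTIFIERS):
    """Walk the ladder until the table is k-anonymous. Returns (table, level),
    or (None, None) if even the coarsest level leaves a class smaller than k."""
    for zip_digits, dob_precision in GENERALIZATION_LEVELS:
        table = [generalize(r, zip_digits, dob_precision) for r in records]
        if k_anonymity(table, fields) >= k:
            return table, (zip_digits, dob_precision)
    return None, None


if __name__ == "__main__":
    print("raw table k =", k_anonymity(RECORDS), "singletons:", len(singletons(RECORDS)))
    table, level = generalize_until(RECORDS, 2)
    print("2-anonymous after generalizing to", level)
    for row in table:
        print(row)
```

On the constructed table, removing names and Social Security numbers still leaves four of the six records uniquely identifiable by ZIP code, date of birth and sex; only coarsening both the ZIP and the birth date reaches 2-anonymity, and no level on the ladder reaches 4-anonymity, which is the trade-off between data protection and analytic value that Graham describes.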
viewpoints
Imagine a person who decides to make a Downfall video, using a scene of Hitler receiving bad news to mock some current event. Assuming this is her first attempt at a remix, she might do some searches to figure out the best way to go about it. She will easily find guides online showing her how to use various software programs—many of the alternatives are free—to rip clips from a DVD and import them to her video editing program to create her remix.
Asked about copyright issues, she might say that what she is doing is a fair use allowed by copyright even without the owner’s permission: it is noncommercial, uses only a portion of the movie she is remixing, offers new meaning that cannot be found in the original, and does not interfere with any market the copyright owner wants to participate in. And she would be right.
The only problem is that, until recently (and potentially starting again in 2012), U.S. law made her method of remixing illegal under the anticircumvention provisions of the Digital Millennium Copyright Act (DMCA). Circumventing the “access controls” of a commercial DVD—the code that tells it to work only on a licensed player that does not allow any copying, no matter how minimal—was unlawful regardless of whether the purpose was to make a fair use. To make matters worse, the DMCA applied only to particular ways of getting those fair use clips: someone who set up a separate camera to film the screen on which the DVD was playing would not be violating the DMCA, even if he filmed the whole movie. Though the film studios touted this as an alternative to circumvention, they also pressured the federal government and many states to enact laws making using a camcorder in a theater illegal, so that one woman was jailed for two days for filming her sister’s birthday party, which involved a trip to see the blockbuster The Twilight Saga: New Moon.1
Moreover, the Copyright Office has also stated that a person who used screen capture software to record a DVD’s output as it played would not be subject to DMCA liability (though major copyright owners are not prepared to agree with that conclusion—they say that using screen capture might violate the DMCA). Under this bizarre system, only using the standard, widely available programs like DVD Decrypter for making clips would break the law, even if the output of the camcorder version and the screen capture version looked the same as the decrypted version.

The Digital Literacy Test and the Digital Poll Tax
The DMCA created a trap for the unwary. Indeed, someone who downloaded a full unencrypted movie from an unauthorized source might be better off, legally speaking, than someone who circumvented the controls on a DVD she had paid for to get 30 seconds’ worth of clips, because at least the former would be able to argue that fair use justified her conduct. Historically, the literacy test required prospective voters to interpret an often arcane provision of the law, asking questions irrelevant to the capacity to vote. Under the DMCA, fair users needed to understand that a digital file created in one way is illegal, while a digital file of the same movie created in another way is legal. Yet the issue of how to define and identify a circumvention technology has no relation to artistry or to fair use—nor even to deterring copyright infringement, given the alternatives discussed previously.
Then the digital poll tax kicked in: remixers were supposed to use a camcorder or screen capture software, both of which often produce degraded results. We do not usually tell artists they have to use bad materials to make their creative works, even in the name of protecting previous artists. Visual quality can be especially vital to cultural critics. If pop culture has luscious imagery, and critics have to speak in hard-to-watch forms, their already-marginal work is further hampered by looking incompetent. Ironically, camcorders and screen captures can work for making first-generation copies that are good enough to watch—and thus passably satisfying for true pirates—but not good enough to survive the multiple generations of digital manipulation and editing often involved in a remix, since each iteration involves some image degradation just as it would in analog editing. For example, screen capture tends to produce dropped frames, making time editing all but impossible. Thus, the DMCA hits hardest at transformative, critical uses by people interested in conforming with the law, and does the least damage to pure copiers.
The poll tax also came in the literal financial expense of using the camcorder setup recommended by major copyright owners for making clips: hundreds of dollars on a separate camera, a tripod for stability, a perfectly dark room to prevent light pollution, and a large TV. In combination, the qualitative and financial burdens imposed by compliance with anticircumvention law erected profound barriers to effective use of video clips, for anyone who managed to learn about them.
None of this was difficult to predict when the DMCA was enacted, and from the beginning critics denounced its effects on fair use. Courts, however, considered the structural disadvantages created by the DMCA too hypothetical and general to justify any limits on the scope of the law.a

The DMCA Rulemaking as Safety Valve
This legal regime had particularly damaging effects on members of marginalized groups who are already likely to have limited resources and to be uncertain about expressing themselves. There is a narrow avenue for relief: the DMCA provides for a triennial rulemaking procedure allowing the Librarian of Congress to create temporary exemptions to the ban on circumventing access controls where

a Universal City Studios, Inc. v. Corley, 273 F.3d 429 (2nd Cir. 2001).
Illustration by Gluekit, Photograph by Left Eyed Photography / Shutterstock.com
the ban is harming noninfringing uses of copyrighted works. Although the Librarian initially accepted only extremely limited proposals, leaving most fair uses unprotected, in 2006 it allowed media studies and film professors to circumvent DVD encryption to use clips in teaching. Building on this exemption, representatives from the Organization for Transformative Works (OTW)—on whose legal committee I serve—testified in the most recent DMCA proceedings on behalf of noncommercial remix artists, supporting an exemption proposed by the Electronic Frontier Foundation.
Fair use remixes abound online, and we submitted many examples. For nonlawyers, American University’s Center for Social Media has developed a set of best practices for fair use in an online video, offering comprehensible rules that require good judgment, but not a lawyer’s services, to apply.2
One reason so many laypeople are dismissive of copyright law is because it is counterintuitive and arcane, resulting in seeming unfairness and futility; the anticircumvention provisions are a good example of that. While they encourage disrespect from some people, incomprehensible rules also deter risk-averse remixers who are vaguely aware of the DMCA from making fair uses. Even the ones who continue may find themselves unable to assert fair use defenses for fear of DMCA liability. Some remixers have received takedown notices and wanted to make fair use claims so their works could be restored, but decided they could not because they were unsure about the method they used to capture the clips.

Hiding the (Legal) Wiring
The solution, as a British government report put it, is to “hid[e] the wiring”—to simplify copyright law so that it comes into better alignment with ordinary logic.4 Fortunately, the Copyright Office agreed with these arguments, at least in part, in its most recent rulemaking. The rulemaking allowed circumvention to access content on DVDs “when circumvention is accomplished solely in order to accomplish the incorporation of short portions of motion pictures into new works for the purpose of criticism or comment, and where the person engaging in circumvention believes and has reasonable grounds for believing that circumvention is necessary to fulfill the purpose of the use” for certain educational uses by professors and film students, documentary filmmaking, and noncommercial videos.5 Notably, that last option not only covers most YouTube remixes, but also most educational uses, even those not allowed by the first, limited educational exemption. As long as they reasonably believe that circumvention is necessary—and given the expense and flaws of the alternatives, it will routinely be necessary—noncommercial video artists can remix at will.
The creativity of remix culture comes from many far-flung individuals, some of whom invent or reinvent remix for themselves without even knowing about other remixers and others of whom work within existing communities, aware in varying degrees of the artistic traditions they are updating, continuing, and disrupting. But when it comes to dealing with the effects of law on creativity, individual creators need organized representation. Otherwise, as copyright policymaking has repeatedly shown, their interests will simply be ignored. Henry Jenkins, a leading scholar on the interaction of corporate and individual creativity in the digital age, argues that media fandom, from which many remixes derive, is “the experimental prototype, the testing ground for the way media and culture industries are going to operate in the future.”3 If so, then without further activism, “testing ground” might be a far-too-apt metaphor, with the copyright industries trying out their best new heavy ordnance—technological and legal—on individual remixers.
There are several lessons from the battle to keep fair use from being eliminated via technological means. The rulemaking process of the DMCA is far from a panacea. Among other things, exemptions will be lost if advocates do not show up to argue for them every three years, or if the Copyright Office changes its mind about the value of particular uses. Also, distribution of circumvention technology remains unlawful, even though people entitled to an exemption are unlikely to be able to accomplish circumvention on their own and even though the copyright industries admit that this ban has failed. Regardless, since it is easy to find circumvention technology and not unlawful to possess it, people entitled to circumvent can easily find the means to do so, but this remaining barrier is a reminder of the costs of poorly thought-out lawmaking.
The U.S. has successfully pressured many of its trading partners to adopt U.S.-style anticircumvention provisions, generally without U.S.-style limitations and exemptions. The U.S. experience with DMCA overkill demonstrates that the DMCA as written is not right for anyone, and that other countries should be wary of copying a law that suppresses artists and educators. Laws will be made with or without the input of those who understand what technology enables (and threatens); the challenge is to ensure that we do not, in aiming at commercial pirates, hit the fans and critics who are trying to participate in a cultural conversation instead.

References
1. Bell, A. Charges against accused “The Twilight Saga: New Moon” “Pirate” dropped, examiner.com, (Dec. 11, 2009); http://www.examiner.com/x-4908-Twilight-Examiner~y2009m12d11-Charges-against-accused--The-Twilight-Saga-New-Moon-pirate-dropped
2. Center for Social Media. Code of Best Practices in Fair Use for Online Video; http://www.centerforsocialmedia.org/sites/default/files/online_best_practices_in_fair_use.pdf
3. Jenkins, H. Afterword: The Future of Fandom. In J. Gray, C. Sandvoss and C.L. Harrington, Eds., Fandom: Identities and Communities in a Mediated World. New York University Press, New York, 2007, 357–364.
4. U.K. Intellectual Prop. Office, © The Way Ahead: A Strategy for Copyright in the Digital Age (2009); http://www.ipo.gov.uk/c-strategy-digitalage.pdf
5. U.S. Copyright Office, Rulemaking on Exemptions from Prohibition on Circumvention of Technological Measures that Control Access to Copyrighted Works; http://www.copyright.gov/1201/

Rebecca Tushnet (rlt26@law.georgetown.edu) is a law professor at the Georgetown University Law Center, Washington, D.C.
Copyright held by author.
Historical Reflections
In Praise of ‘Wilkes, Wheeler, and Gill’
Reflections on the first textbook on programming.

Sixty years ago, in spring 1951, Maurice Wilkes, David Wheeler, and Stanley Gill produced the first textbook on programming: The Preparation of Programs for an Electronic Digital Computer.2 It was a publication that spearheaded the software revolution.
The guiding light behind the book was Maurice Wilkes, who died last November at the great age of 97 years old. He was best known as head of the computer laboratory at Cambridge University, though he did a great deal more. His interest in computing long predated the modern digital computer. In 1937, he became assistant director of a newly established computing laboratory at Cambridge University, but development was cut short when Britain declared war on Germany in September 1939. The computing facilities were taken over by the military and Wilkes left Cambridge to join the scientific war effort. He worked on radar and operations research, which turned out to be an ideal background for the dawning of the computer age. In 1946, he returned to Cambridge with the mission of rebuilding the computer laboratory.

Maurice Wilkes and EDSAC
In May 1946, Wilkes got his first glimpse of John von Neumann’s famous EDVAC Report of June 1945, which laid out the design of the electronic stored program computer. It was brought to the laboratory by a visitor who took it away the following day. Wilkes had no copying facilities, so he stayed up half the night reading it. He recognized it at once as “the real thing” and never looked back. The following summer he attended the summer school organized by the Moore School of Electrical Engineering, University of Pennsylvania, where the designers of the ENIAC and EDVAC unveiled the inner workings of the new electronic computers. Returning to England on the Queen Mary, Wilkes began to sketch out the design of a machine he called the EDSAC, for Electronic Delay Storage Automatic Calculator. The name was consciously chosen in homage to the EDVAC, on which it was directly based.
From the beginning, Wilkes was more interested in having a computer for practical use than in having one of the highest technological performance. To this end he kept the EDSAC simple—conservative in electronics and straightforward in design. The machine sprang to life on May 6, 1949. It was quickly put into operational use and it was the first computer in the world to provide a practical computing service. EDSAC was Cambridge University’s principal computing resource until it was replaced by EDSAC 2 in 1958.
Within about six weeks, Wilkes made one of the most far-reaching discoveries of the computer age: that getting programs right was more difficult than it looked. As he subsequently recalled, it was while he was developing his very first application program that “the realization came over me with full force that a good part of the remainder of my life was going to be spent in finding the errors in my own programs.” Wilkes decided that making the programming process less error prone would be a good project for his research student David Wheeler.

David Wheeler
Wheeler was a brilliant student. He had graduated in mathematics in 1948 as a “wrangler”—the University’s argot for the top mathematicians of a cohort. While he was an undergraduate his interest in computing was piqued by the EDSAC that was then under construction and, in his own words, he pestered

[Figure caption: The title page from “WWG.”]
[Figure caption: The EDSAC subroutine library was kept in the steel cabinet on the left in the image. Library tapes were copied mechanically onto the user’s program tape and then returned to the cabinet.]

bootstrap loader and an assembly rou-
on paper tape, consisted of a main pro-
copied from the subroutine library.
The library was kept in a small steel
the different subroutines (there were

exactly like the real machine except that
doing so. This idea was adopted, or re-
known as a program trace. It earned Gill
his place as one of the triumvirate of au-
With these programming aids it was
viewpoints
Emerging Markets
Corporate Social Responsibility and Global IT Outsourcing
How to improve IT outsourcing relationships while doing good for society.

Global IT Outsourcing (GITO) is an increasingly accepted business tactic, and continues to grow at healthy rates. In 2008, the value of the global ITO market was estimated at between $220 to $250 billion. The estimate for 2009–2014 is that ITO will grow by 6%–9% per annum.8
Today, corporate social responsibility (CSR) is a priority item on the agenda of almost every business organization. Not surprisingly, leading GITO providers have embraced it, and ongoing research at the University of Manchester suggests that some buyers and providers of GITO are gaining competitive advantage from the implementation of CSR projects.1,3
Elkington4 describes how CSR can be integrated into every aspect of social, political, and economic activity, creating “win-win-win strategies…to simultaneously benefit the company, its customers, and the environment.” Elkington describes the “triple bottom line” where people, planet, and profits are all considerations in evaluating company performance. He suggests that “successful companies will have little option but to get involved in this rapidly emerging area.” Emerson5 similarly describes “a significant rise in the number of mainstream corporate CEOs discussing the social and environmental performance of their firms.” He concludes that “life is not driven strictly by either social or financial realities…we may use financial resources to expand and sustain the core value of organization, community, and individual.”
GITO buyers increasingly expect providers to deliver CSR capability as both parties react to global standards and employee expectations. Most major GITO providers (including the major Indian providers) have therefore striven to meet emerging global CSR standards and many have produced elaborate CSR documents that can be downloaded from their Web sites.
From our research we found that GITO CSR projects can be divided into three categories:
• Philanthropy and good citizenship, for example, making donations to worthy causes, such as the work of the Indian IT outsourcing firm Infosys’ Foundation;
• Compliance with standards such as the Global Reporting Initiative (GRI), which is increasingly a standard requirement in outsourcing requests for proposal; and
• Collaborative CSR activity where the outsourcing buyer and provider work together to achieve shared societal goals and also strengthen their relationship, thus “doing well by doing good.”
Most leading GITO providers participate in the first two CSR categories: they make contributions to good causes and comply with global CSR standards. A few providers and buyers are engaging in collaborative CSR activity and are able to report some interesting benefits.
The third category is relatively new to GITO relationships, and our research has found within it some novel developments. Porter and Kramer refer to this type of CSR activity as “strategic CSR,” since companies attain “greater competitiveness through corporate strategy by advancing social conditions.”7 In our research we found that buyers and providers who collaborate on CSR initiatives create strong business value in the outsourcing relationship, and create social value for the communities in which they operate. Porter and Kramer refer to this as “creating shared value”6 through strategic CSR.
ties: the buyer gains a more productive it stands out.”…“it is certainly linked of getting the tests done against a tight
provider; the provider gains a more to the strength of the relationship be- deadline, do you know what the guys
loyal and effective work force; society tween the two organizations which is say? Well, time to go home now or do
gains a better-equipped school with really visible to the guys in India.” they stay for midnight? These guys
students who are more likely succeed Collaborative CSR helps inspire stay until midnight and beyond and all
se pt e mbe r 2 0 1 1 | vo l . 5 4 | n o. 9 | c o m m un i c at i o n s o f t he acm 29
viewpoints
night if necessary….the school [CSR] thing is just a little part of that—it just builds that.”

Similarly, this was mirrored by the provider: “People stay longer, sometimes they’re investing a lot of their time and it’s not paid, I won’t necessarily see it on my bottom line, but you will see it on the productivity of that project, of hitting targets, etc.”

For the outsource provider and buyer, the enhanced trust improves organizational and individual interpersonal communications. CFS managers told us that joint CSR agendas can be another tool in building effective communications and business relationships. As one CFS executive explained: “I would just say it massively helps with our relationship and how we work together, and what it does when you’re working with people painting a classroom or clearing a play area, you also bring in teamwork and there’s so many other things that come into it, other skills, communication. You really get to know the people who you’re working with, and when you see them out of a techie environment, it makes a huge difference.”

Social networks established outside of the formal work environment on CSR projects tended to lead to esteem between individuals and friendly relationships. Subsequently, staff from both buyer and provider organizations felt able to cut through the formal organizational communications hierarchy to solve problems rather than resorting to formal contractual resolution. A Steria executive echoed a similar sentiment: “So when you’ve been to these places and shared the experience with people, it does help form a very close relationship…Let’s face it, in outsourcing things don’t go perfectly well over time, they don’t and that’s the reality of it. You’re in a world where you’re just delivering projects and services. It’s a fast-moving world and not all projects go perfectly well. Good relationships get you through those situations…you keep the clients that you have, and that’s about strong relationships.”

Directions on CSR for GITO Buyers and Providers
What lessons does our research provide for buyers and providers of outsourcing services? We have three suggestions.

• More providers should explore the collaborative CSR option, and seek to match CSR projects with buyers in order to build trust and commitment, reduce attrition, improve productivity, and increase organizational and interpersonal communications. In addition to shared views on CSR, buyers should expect CSR leadership from their outsourcing providers.

• Buyers will increasingly demand evidence of compliance with global CSR standards such as the GRI and the UN Global Compact. In a review of outsource provider public profiles we found that the large global providers demonstrated mature CSR capabilities in terms of meeting global standards, while the mid-tier or smaller outsourcer providers are still building their CSR capability.2 We also found that buyers infrequently validate the provider CSR claims. So a caution to outsource buyers: beware of unsubstantiated CSR claims, particularly from small and mid-tier providers. Several independent consultancies are able to assist buyers with CSR audits of potential outsourcing providers.

• Although our case example focused on social responsibility, environmental responsibility is also a component of CSR concern for global IT outsourcing buyers. Providers with data centers and related technologies must be able to demonstrate energy efficiency that exceeds the levels set by and required by governments. For example, a provider should be able to demonstrate reduced carbon emis-

Conclusion
In light of the benefits reported in this research, opportunities for buyers to work cooperatively with providers on CSR initiatives will grow. There will be continued uptake of CSR practices by providers, and buyers will need to determine their individual appetite and focus for working collaboratively on such projects.

Finally, we should note that this research is indicative of the reported benefits of collaborative CSR but there are many factors at play. The research has highlighted potentially significant business benefits. However, isolating and quantifying the value of collaborative CSR in substantiated financial terms has not been fully proven. Our research is continuing to examine collaborative CSR at CFS and at other organizations. We welcome comments and contributions from other organizations with similar CSR experiences.

References
1. Babin, R. and Nicholson, B. Corporate social and environmental responsibility in global IT outsourcing. MIS Quarterly Executive 8, 4 (Dec. 2009), 123–132.
2. Babin, R. and Nicholson, B. How green is my outsourcer: Measuring sustainability in global IT outsourcing. Strategic Outsourcing, International Journal 4, 1 (Jan. 2011), 47–66.
3. Babin, R. and Nicholson, B. Sustainability Practices in Global IT Outsourcing. Manchester Business School Research Paper 602, University of Manchester, U.K. (June 2010); http://papers.ssrn.com/abstract=1683288
4. Elkington, J. Towards the sustainable corporation: Win-win-win business strategies for sustainable development. California Management Review 36, 2 (Feb. 1994), 90–100.
5. Emerson, J. The blended value proposition: Integrating social and financial returns. California Management Review 45, 4 (Apr. 2003), 35–51.
6. Porter, M. and Kramer, M. Creating shared value. Harvard Business Review 89, 1/2 (Jan.–Feb. 2011), 62–77.
7. Porter, M. and Kramer, M. Strategy and society: The link between competitive advantage and corporate social responsibility. Harvard Business Review 84, 12 (Dec. 2006), 78–92.
8. Willcocks, L.P. and Lacity, M. The Practice of Outsourcing: From ITO to BPO and Offshoring. Palgrave, London, 2009.

Ron Babin (rbabin@ryerson.ca) is an assistant professor and associate director at the Ted Rogers School of IT Management at Ryerson University in Toronto and a doctoral candidate at the Manchester Business School, U.K.

Steve Briggs (steve.briggs@cfs.coop) is the head of Strategic Partnerships at Co-operative Financial Services (CFS) in Manchester, U.K., where he has managed several major outsourcing relationships, and is also a director of
The Profession of IT
Managing Time, Part 2
Masterful time management means not just tracking of messages
in your personal environment, but managing your coordination
network with others.
In a previous installment of this column (March 2011) we took a new look at time management from the perspective of personal productivity.2 We focused on practices you can adopt in your personal environment to manage your time well and productively. The practices are tracking, selecting, executing, and capacity planning.

As useful as it is, a framework for personal management of commitments is not sufficient for maximum productivity. The reason is that you depend heavily on others fulfilling their commitments to you before you can complete yours. Failures or delays in the other commitments can block your productivity, cause you to take defense measures such as nagging, and sometimes force you to find other people to supply what you need. In a personal commitment management framework, you have no control over these external factors.

Interactions with others are visible in your personal framework as points where you receive requests or issue promises. Seeing those points is not the same as managing the coordination they represent. Managing interactions is crucial for productivity of the entire group, not just you. In this column we examine how the large number of messages relating to external coordination can produce an information fog that can only be dis-

Information Glut
Information glut is an archenemy of productivity. When the total amount of information coming into your personal environment passes a saturation point, your productivity starts to suffer because you can no longer make sense of the information and find solid grounding for your decisions. How can you be productive when you must sort through a lot of irrelevant, marginally useful, or contradictory information?

On the broadest scale, the information fog includes all the information you might come across in the Internet. Some of that information is discretionary—you asked for it by searching and then “pulling” search results into your environment. Pulled information does not seem to be as serious a threat to productivity as “pushed” information—sent into your environment at the action of others. Some common forms of pushed information are:

1. Spam, ads, and phishing—those who send it have no real expectation you will respond.

2. Notices, newsletters, updates, and carbon copies—others keeping you informed: (a) because you asked

Figure 1. Customer C orders from a catalog of provider P. To implement the main conversation seen by the customer, the provider manages a coordination network of loops staffed by its employees and suppliers.
[Figure 1 diagram: the customer’s loop “C order from catalog P” is implemented by the provider’s linked loops “prepare order form,” “check credit,” “select items,” “select shipper,” “ship,” and “sent items to shipper.”]
them to when delegating tasks; (b) because you agreed to a subscription or to the automatic “side benefits” of online purchases; (c) because they had other reasons to inform you even though you did not ask.

3. Specific acts of coordination.

The normal way of minimizing type 1 information is to practice rapid deletion (ignoring) and use spam filters. Most people have this under control. The amount of spam or phishing expeditions reaching their inboxes is not a major source of productivity loss.

The normal way of managing type 2 information is to make requests to be excluded from distributions you do not want to be part of. If people to whom you have delegated tasks are overdoing it, you can ask them to reduce the traffic.

That leaves type 3 information as the main source of pushes that can hurt your productivity. At first glance, it looks like this information is in the form of email, phone, chat, messaging, or even wikis, and can therefore be managed with the filing and calendaring tools embedded into office productivity software. Unfortunately, this view confuses communication of messages with coordination of actions. With a good model of coordination, you can make a significant improvement in your coordination productivity in spite of the message traffic that coordination actions generate.

From Communication to Coordination
Communication is concerned with transfers of messages from senders to recipients. Coordination is concerned with people aligning their actions to achieve common goals.

It is important to make the distinction because most of the work we do is not just our own personal tasks, it is the tasks we do together with others. We refer to the orchestration of these shared tasks as “coordination.” Your productivity to a large extent depends on your skill at coordination.

Coordination depends on the parties making requests and keeping promises. The human agreements involved can be recorded, but not automated. A single coordination generates many messages among the parties involved. A good communication system can support coordination, but is not sufficient to achieve coordination.

The fundamental building block of coordination is the action loop. We just summarize it here because it has been well documented elsewhere.1,3,4 A loop connects two parties, C (customer) and P (performer), whose actions combine to fulfill a shared condition of satisfaction. It consists of the four phases:

C: prepares and delivers a request;
P: negotiates changes and promises to deliver;
P: completes the task and delivers the result; and
C: reviews and accepts the delivery.

Many messages can be exchanged between P and C during each phase. Tracking software can record the desired outcome and monitor progress toward completion.

Either primary party (C or P) may turn to secondary parties to fulfill subtasks for them. Thus the primary loop generates a coordination network of linked subtasks, involving other players. Figure 1 shows an example.

If you do not see that you are interacting with a coordination network, your mailbox will look like a miasmic mishmash of many messages mandating mindful ministration. You will not see the loops and will not complete them satisfactorily, causing you lost time and ill will to fix the mistakes. Your reputation may suffer in the process.

On the other hand, if you do see that you are interacting in a network of loops, you will want tools to help you organize your mailbox so that the loops, rather than the individual messages, are the primary units visible.

Coordination Fog
Larger outcomes need a team of people working together to produce them. In fact, almost all organizations now work in cross-functional teams, often spread over several countries. The usual protocol for making these teams work is to repeat the following cycle until the job is done: hold a coordination setup meeting and then split up to do individual tasks. The meetings can be held in person or online with a meet-

Figure 2. The left figure shows what your workspace looks like during the planning stage of a project, when it looks like your part of the project is a pile of personal tasks to be managed. The right figure shows that the coordination tasks between you and others can generate hundreds of email messages, which look like “fog” if you cannot see the coordination network behind them.
[Figure 2 panel labels. Left: “Collaboration space in person, or virtually with tools like Goto Meeting or Webex.” “Personal Productivity Tools (for example, GTD, Xobini) help people manage, prioritize, and organize the things they must get done.” Right: “Collaboration with tools such as File Sharing, Scheduling, Basecamp, Instant Messaging, and Yammer.” “Hundreds of email messages are generated when dealing with changes, dependencies and breakdowns; email messages increase as the project gets closer to fulfilling an outcome.”]
ing support system. The team leader directs the conversation to create a common goal, agree on outcomes, divide the work into tasks and milestones, and assign subtasks and milestones to team members. The members then go to their own locations and time zones to carry out their parts of the plan using their personal time management systems.

Unfortunately, as suggested in Figure 2, the “personal” tasks are interdependent. Soon team members discover cases or encounter unexpected circumstances that were not discussed in the plan. Unpredictability is inevitable in our constantly evolving and changing environments. Team members turn to their email, phones, and other media for follow up, get further clarifications, develop action plans for the new circumstances, respond to unforeseen opportunities and threats, and the like. Email is by far the most common medium because, with teammates on the move in different time zones and sometimes in different cultures, it is not easy to resolve these issues on the phone. The mixture gets even more complicated when participants fall into misunderstandings and then miss deadlines or otherwise mis-coordinate. They generate additional email messages to overcome misunderstandings and resolve mis-coordinated actions. These coordination issues can easily produce hundreds of email messages. Even simple things like finding a time for a phone conference to resolve issues can take dozens of email messages. This is how unseen coordination generates an information fog that interferes with productivity.

By seeing coordination as a form of conversation management and teaching ourselves to see the loops that are moving toward completion, we can maintain a clear picture of the coordination network and dispel the fog.

The conclusion is that, for most of us, most of our time management is really not “personal.” Our commitments always involve others in our networks of coordination. To master your time, therefore, you need to master your ability to make requests and offers (which start loops), your ability to negotiate and agree on the promised results, and your ability to deliver your results by the time you promised. The tools that support you must at the very least track all the loops you are involved in and tell you how far toward completion each one is.

Coordination Software
What software exists to help us see and track the coordination loops we create in our coordination networks?

The first such tool was The Coordinator, produced by Action Technologies in the mid-1980s.4 It was a mail client that resided on laptop PCs and exchanged messages through a dial-in server. The Coordinator made the individual loops, which it called “conversations for action,” visible to the persons engaged in them. The interface was different from ordinary email systems. For example, you would initiate a loop by selecting “request” from a menu, filling in a description of the desired outcome and due date, and sending it to the person you wanted as the performer. The recipient would see your request in a portion of the inbox labeled “incoming requests.” With a menu, the recipient would select one of the four allowable responses (accept, decline, counteroffer, or defer). Other menus and mailbox segments covered the remaining parts of unfinished loops. Local databases on both ends tracked all open loops and their states. It was easy to generate to-do lists (promises you committed to), tickler lists (undelivered promises made to you), email chains of loops, and calendar entries from the database. When you dialed in to The Coordinator server, the databases automatically synchronized.

The people who used The Coordinator reported significant productivity gains: they could manage two to 10 times more tasks and projects than before. The email messages themselves also became shorter because they were all linked to their parent loops; with a single click, for example, you could see what request an email message that said “I accept” was accepting.

A small group of critics thought The Coordinator was a form of “surveillance software” that could be abused by unscrupulous managers who might watch the fine details of people’s interactions and penalize them for small infractions. The lesson was that people in organizations where employees do not trust management might not welcome a good coordination tool.

Other tools superseded The Coordinator. Action Technologies produced Metro, which mapped and tracked entire coordination networks. Lotus Notes provided a freeform system in which separate databases would track conversations within a project team. Some of the ideas, such as linking promise due dates to calendars, have been incorporated into modern systems such as Apple Mail and Microsoft Outlook. Recently, OrchestratorMail has been designed as an XML overlay onto any existing mail system to make visible the coordination network generating the email messages.

Conclusion
Many of us get overwhelmed by an information fog of email messages, which interferes with our ability to get productive work done and puts us into unproductive moods such as overwhelm and anger over mis-coordinated actions. One coordination task can require dozens of email messages. If all we can see is the email messages, it quickly becomes a fog. If we could see the coordination task itself, we have much less to track and we can let the computer systems manage the email messages automatically.

When this is done, we become more productive and enjoy reputations of greater trust. What a great augmentation it can be to your personal productivity system to learn the language of coordination, become an observer of coordination acts and state, and have the tools to automatically manage the underlying communications.

References
1. Denning, P. Accomplishment. Commun. ACM 46, 7 (July 2003), 19–23; DOI: 10.1145/792704.792722.
2. Denning, P. Managing time. Commun. ACM 54, 3 (Mar. 2011); DOI: 10.1145/1897852.1897865.
3. Denning, P. and Dunham, R. The Innovator’s Way. MIT Press, Cambridge, MA, 2010.
4. Winograd, T. and Flores, F. Understanding Computers and Cognition. Addison-Wesley, Reading, MA, 1987.

Peter J. Denning (pjd@nps.edu) is Distinguished Professor of Computer Science and Director of the Cebrowski Institute for information innovation at the Naval Postgraduate School in Monterey, CA, and is a past president of ACM.

Ritu Raj (ritu@orchmail.com) is the founder and president of OrchestratorMail, was a Partner at Accenture, and started two successful companies, Wag Hotels and Avasta, which was acquired by Navisite.

Copyright held by author.
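The four-phase action loop summarized under From Communication to Coordination, and The Coordinator’s request menu with its four allowable responses (accept, decline, counteroffer, defer), its to-do lists and tickler lists described under Coordination Software, can be modeled as a small state machine over a flat mailbox. The following is an added example written for this page; it is not code from The Coordinator, Action Technologies, or OrchestratorMail. The message format, the Phase names, the transition table (in particular the deferred and rejected-delivery transitions) and the sample mailbox are this example’s own assumptions.

```python
"""Conversation-for-action loops rebuilt from a flat mailbox (added example).

A loop links customer C and performer P through request -> promise -> delivery
-> acceptance. Every message carries the id of its parent loop, so a bare
"accept" can be resolved to the request it answers and an out-of-order message
(for example a delivery on a loop that was already accepted) is rejected.
"""
from dataclasses import dataclass, field
from enum import Enum


class Phase(Enum):
    REQUESTED = "requested"      # C has prepared and delivered a request
    DEFERRED = "deferred"        # P asked for time before answering (assumed)
    NEGOTIATING = "negotiating"  # P counteroffered; C must accept or decline it
    PROMISED = "promised"        # P promised to deliver: the loop is open work
    DELIVERED = "delivered"      # P delivered the result; C must review it
    ACCEPTED = "accepted"        # C accepted the delivery: loop complete
    DECLINED = "declined"        # request refused: loop closed without work


# (current phase, message type, sender's role in the loop) -> next phase.
# Anything not listed is out of order for that loop and is refused.
TRANSITIONS = {
    (Phase.REQUESTED, "accept", "P"): Phase.PROMISED,
    (Phase.REQUESTED, "decline", "P"): Phase.DECLINED,
    (Phase.REQUESTED, "counteroffer", "P"): Phase.NEGOTIATING,
    (Phase.REQUESTED, "defer", "P"): Phase.DEFERRED,
    (Phase.DEFERRED, "accept", "P"): Phase.PROMISED,
    (Phase.DEFERRED, "decline", "P"): Phase.DECLINED,
    (Phase.DEFERRED, "counteroffer", "P"): Phase.NEGOTIATING,
    (Phase.NEGOTIATING, "accept", "C"): Phase.PROMISED,
    (Phase.NEGOTIATING, "decline", "C"): Phase.DECLINED,
    (Phase.PROMISED, "deliver", "P"): Phase.DELIVERED,
    (Phase.DELIVERED, "accept", "C"): Phase.ACCEPTED,
    (Phase.DELIVERED, "decline", "C"): Phase.PROMISED,  # assumed: C rejects, P redoes
}

CLOSED = {Phase.ACCEPTED, Phase.DECLINED}


@dataclass
class Loop:
    loop_id: str
    customer: str
    performer: str
    outcome: str
    due: str
    phase: Phase = Phase.REQUESTED
    messages: list = field(default_factory=list)

    def apply(self, msg):
        """Advance the loop by one message, refusing out-of-order messages."""
        role = "C" if msg["from"] == self.customer else "P"
        key = (self.phase, msg["type"], role)
        if key not in TRANSITIONS:
            raise ValueError(f"{msg['type']} from {role} not allowed in {self.phase.value}")
        self.phase = TRANSITIONS[key]
        self.messages.append(msg)


def build_loops(mailbox):
    """Rebuild the coordination network from a flat list of messages."""
    loops = {}
    for msg in mailbox:
        if msg["type"] == "request":  # a request opens a new loop
            loops[msg["loop"]] = Loop(msg["loop"], msg["from"], msg["to"],
                                      msg["outcome"], msg["due"], messages=[msg])
        else:
            loops[msg["loop"]].apply(msg)
    return loops


def todo_list(loops, me):
    """Promises I committed to (as performer) and have not yet delivered."""
    return sorted(l.loop_id for l in loops.values()
                  if l.performer == me and l.phase == Phase.PROMISED)


def tickler_list(loops, me):
    """Undelivered promises made to me (as customer)."""
    return sorted(l.loop_id for l in loops.values()
                  if l.customer == me and l.phase == Phase.PROMISED)


def open_loops(loops):
    """Loops still moving toward completion."""
    return sorted(l.loop_id for l in loops.values() if l.phase not in CLOSED)


# Constructed sample mailbox (not real traffic): four loops as seen by "alice".
SAMPLE_MAILBOX = [
    {"loop": "L1", "type": "request", "from": "alice", "to": "bob",
     "outcome": "ship order 42", "due": "2011-09-15"},
    {"loop": "L2", "type": "request", "from": "alice", "to": "carol",
     "outcome": "check credit for order 42", "due": "2011-09-10"},
    {"loop": "L3", "type": "request", "from": "dave", "to": "alice",
     "outcome": "prepare order form", "due": "2011-09-12"},
    {"loop": "L4", "type": "request", "from": "alice", "to": "bob",
     "outcome": "select shipper", "due": "2011-09-11"},
    {"loop": "L1", "type": "accept", "from": "bob", "to": "alice"},
    {"loop": "L2", "type": "counteroffer", "from": "carol", "to": "alice"},
    {"loop": "L3", "type": "accept", "from": "alice", "to": "dave"},
    {"loop": "L4", "type": "decline", "from": "bob", "to": "alice"},
    {"loop": "L1", "type": "deliver", "from": "bob", "to": "alice"},
    {"loop": "L2", "type": "accept", "from": "alice", "to": "carol"},
    {"loop": "L1", "type": "accept", "from": "alice", "to": "bob"},
]

if __name__ == "__main__":
    loops = build_loops(SAMPLE_MAILBOX)
    for lid in open_loops(loops):
        print(lid, loops[lid].phase.value, len(loops[lid].messages), "messages")
    print("to-do:", todo_list(loops, "alice"), "tickler:", tickler_list(loops, "alice"))
```

With the sample mailbox, L1 runs through all four phases and closes, L4 is declined, and the two loops left open are L2 (a promise made to alice, so on her tickler list) and L3 (a promise alice made, so on her to-do list). The same eleven messages seen as a plain inbox give no such summary; the loop id on each message is what lets the two "accept" messages from alice be told apart.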
Viewpoint
Realizing the Value of Social Media Requires Innovative Computing Research
How social media are expanding traditional research and development topics for computer and information scientists.
Social media technologies such as Facebook, Twitter, blogs, wikis, Flickr, and YouTube have garnered more than a billion users. These platforms enable more than friendly chatter and individual expression; they facilitate remarkably diverse and broad participation while accelerating the formation of effective collaborations.

Promising social media projects suggest that dramatic transformations are possible in health care, energy sustainability, environmental conservation, disaster response, and community safety.14 Some commentators even see social media as a means for economic revitalization through business innovation, educational transformation, and civic revival.15 However, there are deep challenges in understanding the benefits of social media and ameliorating their dangers. Computer, information, and social scientists, network analysts, system developers, community managers, and many other professionals will have important roles to play as they extend their disciplines with innovative research and development agendas.

The potential for social media impact is illustrated by international upheavals such as the Iranian elections,9 Wikileaks information releases, and the Egyptian democratic movement. In addition, a variety of U.S. and other open government efforts have been launched recently to promote transparency, participation, and collaboration. For example, data.gov promotes access to detailed U.S. government agency performance data and recovery.gov provides contracting information on the county-by-county use of stimulus money, leading to broader discussion, plus invitations to report fraud, abuse, and waste. Increased participation and collaboration that changes the relationship between government agencies and the general public is beginning with challenge.gov, which invites solutions to problems, serve.gov to expand volunteering, and wiki-based deliberative Web sites to request commentary on agency directions or regulatory plans.

Social media present dangers too. These include the potential for more polarized discussions as users selectively view only materials aligned with their world view and scientists retreat to narrow research topics (“balkanization”) that limit the healthy interchange with related disciplines.16 Another risk is reduced credibility of online resources as rumors and misinformation spread, unfiltered by traditional journalistic verification. Social media can distract from deep reflection as individuals respond to frequent interruptions, and collaborative production methods with free distribution can undermine established reward systems, as journalists have painfully discovered.6 Breaches of privacy and security are frequently mentioned topics, and so are identity theft, online bullying, and disclosure of potentially damaging or embarrassing personal information.

Goals and Challenges for Computing Research
Realizing the full value of social media requires research agendas that include understanding the mechanisms for unleashing chain reactions of human contributions and collaborations while preventing harmful outcomes such as privacy violations, malicious attacks, and misuse by terrorists, oppressive regimes, and criminals. Evo-
lutionary patterns of activity within homogeneous or heterogeneous small, medium, and large organizations could be studied with network analysis tools to identify highly productive individuals or groups.5,8 Understanding the dynamics of collective action, governance, and leadership in networked organizations can present grand scientific challenges that are worthy of Nobel Prize recognition, such as bestowed on Elinor Ostrom.11 However, early successes such as Wikipedia and health discussion groups generate the impression that success in using social media is inevitable, but the reality is that failure is the norm and even successful projects have problems. For Wikipedia, only one out of every 1,000 readers registers to make contributions—and even fewer participate in durable collaborations. Higher rates of participation are needed for smaller projects to succeed.

One model of how participation evolves is the Reader-to-Leader Framework (see Figure 1), which also offers usability and sociability design guidelines.13 This framework describes how some of the large numbers of readers mature into contributors who offer user-generated content such as videos, photos, reviews, and ratings. A smaller segment becomes intensely involved in collaborative groups who discuss substantive changes and expansions of content. Finally, a small group of leaders emerge to set policies, deal with attacks, resolve disputes, and mentor newcomers. A major research effort could validate and refine such frameworks, providing deeper insights into the nature of human motivation in different contexts. The emerging science of online motivation draws on sociological studies and political science theories, as well as on statistical methods, agent-based simulations, linguistic sentiment analysis, and network analysis/visualization.4 For example, studying trust, in its many forms, would lead to improved designs that facilitate collaboration so that participants can rapidly resolve their differences and act effectively when needed, as some environmental groups did following the Gulf oil spill.3

Another research topic is the growing availability of big social data,8 which presents significant challenges to algorithm designers and mathematicians, possibly requiring innovative chip designs to accelerate the necessary computations. Just as graphical processing units (GPUs) have enabled rapid 3D exploration, social processing units (SPUs) may be needed to enable scalable social network analysis for computations such as eigenvector centrality, community clustering, and comprehensible layouts. While Moore’s Law has signaled the steady progress of hardware technologies in petaflops and gigahertz, new laws could describe the growth of massive projects by measuring peta-contribs and giga-collabs.

New scientific measures are also needed for trust, empathy, responsibility, and privacy, and new mathematical operators could characterize the relationship among relevant usability and sociability measures. The rich contextual and volatile temporal dependencies among these measures mean traditional reductionist models need to be enriched with inter-variable sensitivity analysis and informed by qualitative studies. The motivations for early Wikipedia users may be very different from the community safety organizers who must develop trust and ensure privacy over many years. Similarly, those engaged in collective intelligence projects may respond to very different motivations from those who conduct collective action initiatives. Weak ties are sufficient for early stages and for spreading ideas, but strong ties also become vital for the deep commitments necessary to produce substantial change.

Multidisciplinary network science is rapidly emerging with models of network growth/decay, strategies for comparing thousands of apparently similar networks, and algorithms for detecting unusual bursts of activity.1,2,4 These methods, strategies, and algorithms

Figure 1. The Reader-to-Leader Framework suggests the evolutionary path for participants in social media communities. Some users may move smoothly through the four phases, while others may take different paths as indicated by the arrows in the figure.
[Figure 1 diagram: All Users → Reader → Contributor → Collaborator → Leader.]
Figure 2. Connections among Twitter users who recently mentioned GOP when queried on July 25, 2011, with vertices scaled by numbers of followers. The clusters are created by the patterns of connections (follows, replies, and mentions) among the authors in the graph. The clusters were based on Clauset-Newman-Moore algorithmic analysis in which the red cluster is composed of largely GOP supporters, while the blue cluster contains largely critics and opponents of the GOP as indicated by the content of the tweets from each cluster. Other colored or shaped nodes are not strongly affiliated with either major cluster. Users on the bottom are not connected with any of the other Twitter users.
Visualization by Marc A. Smith using NodeXL; http://www.codeplex.com/nodexl.

will benefit from coupling with natural language processing and discourse analysis to identify nexuses of positive collaborations as well as threatening activity from hate groups, terrorists, and criminals (see Figure 2).

Still more ambitious research goals are to identify key influencers, successful discussion generators, and reliable answer providers in discussion groups with millions of participants while curbing the damage caused by scammers, spammers, and troublemakers of many kinds who seek to undermine the efficacy of social media platforms (see http://www.wikitrust.net).

While many of these topics will be new to computer and information scientists, the social media will dramatically expand their traditional research and development topics such as large-scale heterogeneous distributed systems design, exploratory search tasks across enormous multimedia databases, and visual analytic tools with statistical components that produce valuable insights even from voluminous and noisy data. Other traditional challenges that will become even more central include context-aware systems that work on mobile, laptop, Web, and cloud-based platforms, and policy-aware systems that allow successful operation in different cultures, languages, and political systems.

Broad Scholarly Payoffs
Not every computing scientist will be interested in studying social media, but computing science social media research can have a profound impact on every discipline. Social media are already restructuring the ways in which scholars form collaborations and communicate their results.10 What used to be called the invisible college of personal scholarly communications is now a vast and highly visible, searchable, and influential infrastructure. These new scholarly social networks, the visible commons, ignite hot topics, accelerate data sharing, and enable rapid refinements to theories in ways that were never before possible. For example, in August 2010, when a researcher claimed to have proven one of the most profound, challenging, and elusive problems in all of mathematics and computer science (P=NP?), blogs (such as http://rjlipton.wordpress.com), wikis, and other forms of online communication conveyed active discussion about the proof—and ultimately enabled a form of real-time “peer review” that called into question the researcher’s approach.

Scientists also have begun to use social media to conduct new forms of scientific research. NASA’s use of clickworkers to measure Martian craters

The next step will be paradigm-shifting methods for conducting scholarly research in the computing sciences and in every discipline.

ment; ethical issues for researchers; design strategies for practitioners; motivational challenges for community managers; research infrastructure proposals; and innovative educational reforms (http://www.tmsp.umd.edu). Some steps in expanding research have already begun with the NSF’s Social Computational Systems program (http://www.nsf.gov/pubs/2010/

species distribution, and much more seem within reach. However, there is also a risk that social media researchers will soon confront ethical challenges as serious as those that the nuclear physicists faced in the 1950s. This time the concerns will be about inequities in Internet access, violations of privacy, vulnerability to attacks, as well as technical failures and social chaos during crises. We believe the computing sciences community can rise to these challenges and find effective solutions.

References
1. Barabasi, A.-L. Bursts: The Hidden Pattern Behind Everything We Do. Dutton, NY, 2010.
2. Easley, D. and Kleinberg, J. Networks, Crowds, and Markets: Reasoning About a Highly Connected World. Cambridge University Press, NY, 2010.
3. Golbeck, J. Weaving a web of trust. Science 321, 5896 (2008), 1640–1641.
4. Hansen, D., Shneiderman, B., and Smith, M.A. Analyzing Social Media Networks with NodeXL: Insights from a Connected World. Morgan Kaufmann Publishers, San Francisco, CA, 2011.
5. Hendler, J. et al. Web Science: An interdisciplinary approach to understanding the Web. Commun. ACM 51, 7 (July 2008), 62–69.
6. Lanier, J. You Are Not a Gadget: A Manifesto. Knopf Publishers, NY, 2010.
7. Latour, B. and Woolgar, S. Laboratory Life: The Construction of Scientific Facts. Princeton University Press, Princeton, NJ, 1986.
8. Lazer, D. et al. Computational social science. Science
323 (Feb. 6, 2009), 721–723.
(http://beamartian.jpl.nasa.gov) or the nsf10600/nsf10600.htm) and the Na- 9. Lichtenstein, J. Digital diplomacy. New York Times
Encyclopedia of Life’s (http://eol.org) tional Institutes of Health’s two pro- Magazine (July 18, 2010), 24–29.
10. Olson, G.M., Zimmerman, A., and Bos, N., Eds.,
integration of professional scientists grams on Social Network Analysis and Scientific Collaboration on the Internet, MIT Press,
with trained citizen scientists and na- Health (http://obssr.od.nih.gov/fund- Cambridge, MA, 2008.
11. Ostrom, E. Governing the Commons: The Evolution
ture enthusiasts are examples of even ing_opportunities/foas/faqs.aspx). of Institutions for Collective Action. Cambridge
more potent methods. Scientists can Researchers from many disciplines University Press, NY, 1990.
12. Pirolli, P., Preece, J., and Shneiderman, B., Eds.,
now engage with thousands of peers can build on the ideas generated at Technology-mediated social participation (cover
as in the GeneWiki (http://genwiki.eva. these workshops and summarized feature with seven articles). IEEE Computer 43, 11
(Nov. 2010), 20–67.
mpg.de), with serious amateurs as in here by working with funding agen- 13. Preece, J. and Shneiderman, B. The Reader-to-Leader
star surveys (http://galaxyzoo.org), or cies to restructure existing programs Framework: Motivating technology-mediated social
participation. AIS Transactions on Human-Computer
with numerous paid workers through so that social media research becomes Interaction 1, 1 (Mar. 2009), 13–32; http://aisel.aisnet.
services such as Mechanical Turk more widely supported. Evaluations org/thci/vol1/iss1/5/
14. Shirky, C. Cognitive Surplus: Creativity and Generosity
(http://mturk.com). Such large-scale of civic social media projects could in a Connected Age. Penguin Press, NY, 2010.
15. Tapscott, D. and Williams, A.D. MacroWikinomics:
collaborations could produce conflict make them more reliably successful Rebooting Business and the World. Portfolio, NY, 2010.
over credit for breakthroughs unless by developing validated design guide- 16. Van Alstyne, M. and Brynjolfsson, E. Global village
or cyber-balkans? Modeling and measuring the
new strategies for supporting trust lines, effective community manage- integration of electronic communities. Management
are created.10,15 Other ethical dilem- ment strategies, advanced visual ana- Science 51, 6 (June 2005), 851–868.
mas come from the appropriateness lytic and statistical tools, and broader
of existing Institutional Review Board theories. Academics can spread this Ben Shneiderman (ben@cs.umd.edu) is a professor in the
Department of Computer Science, the founding director
oversight processes or fairness of us- new knowledge by introducing seg- of the Human-Computer Interaction Laboratory, and a
ing low-paid Web-based labor in place ments on social media into existing member of the Institute for Advanced Computer Studies
at the University of Maryland at College Park.
of traditional research assistants or ex- courses, adding new courses, and
Jennifer Preece (preece@umd.edu) is a professor and
perimental participants. planning degree programs for profes- dean of the Information School at the University of
sionals and researchers. Maryland at College Park.
Call to Action Adventurous researchers are al- Peter Pirolli (pirolli@parc.com) is a research fellow in
the Augmented Social Cognition Area at the Palo Alto
These topics provoked lively discus- ready using social media to improve or Research Center (PARC).
sions at two National Science Founda- speed their research, but the next step
tion (NSF)-funded workshops held in will be paradigm-shifting methods for We appreciate National Science Foundation support
(IIS-0956571) to conduct the two workshops and all
the past year. The final report12 covers conducting scholarly research in the the participants in those workshops. We appreciate the
descriptive, explanatory, prescriptive, computing sciences and in every dis- comments we received from the reviewers and James
Hendler.
and predictive theories; opportunities cipline. Faster paths to curing cancer,
in health care/wellness and e-govern- tracking climate change, mapping Copyright held by author.
se pt e mbe r 2 0 1 1 | vo l . 5 4 | n o. 9 | c o m mu n ic at i o n s o f t he ac m 37
practice

doi:10.1145/1995376.1995392
Article development led by queue.acm.org

Technology business plans that assume no competition—ever.

by Paul Vixie

Arrogance in Business Planning

Illustration by Alicia Kubista

In the Internet addressing and naming market there is a great deal of competition, margins are thin, and the premiums on good planning and good execution are nowhere higher. To survive, investors and entrepreneurs must be bold. Some entrepreneurs, however, go beyond “bold” and enter the territory of “arrogant” by making the wild assumption that they will have no competitors if they create a new and profitable niche. So it is with those who would unilaterally supplant or redraw the existing Internet …

… current and topical matter of alternative numbering Whois.

The DNS root is the dictionary of top-level domain names such as .COM or .US. It is managed cooperatively and transparently by a community that includes the Internet Activities Board (IAB), which designates and recognizes the Internet Assigned Number Authority (IANA); the Department of Commerce (U.S. DoC), which contracts for IANA services; and Internet Corporation for Assigned Names and Numbers (ICANN), which operates the IANA functions under that contract. The IANA functions contract includes among other things the job of editing the DNS root zone to add new top-level domain names such as .XXX. Each of these entities (IAB, U.S. DoC, ICANN) is itself a multistakeholder body that engages with the community to gather input to the decisions it makes about DNS. This governance model is imperfect, but it has worked for a long time and continues to evolve.

Technically speaking, every Internet device using DNS to look things up assumes there is a universal name space with a root zone to describe the top-level domain names, and there are some well-known root name servers to publish this root zone. To be universal in this context means that every name has a specific identity and will always mean the same thing no matter where you are on the Internet when you look that name up. The Internet Engineering Task Force (IETF) periodically revises the DNS protocol to add new capabilities, but this is always done in a backward-compatible way because of the installed base of hundreds of millions of connected devices. So while we could discuss a possible future in which new devices are connected to the Internet having a broader or somehow …

… ever since the Internet climbed down from its academic ivory tower and became a world-changing dominating commercial and social apparatus. Prior work in this area includes adding a handful of new top-level names (.INFO, .MUSEUM, .BIZ, .XXX, and so on), and current work involves throwing the doors open to hundreds or thousands of new top-level domains (.APPLE or .MICROSOFT could soon exist). In addition to that, several bold (or dare I say, “arrogant”) entrepreneurs have tried to enter the market unilaterally.

Here is how this kind of unilateralism goes: first you create your own root zone, usually by copying the IANA root zone at some point in time; and then you try to get ISPs to use your root name servers instead of the IANA root name servers. If you succeed at this, then you try to sell name registrations in your alternative name space, where your new names will be visible only to the ISPs you have convinced to subscribe to your system. No such alternative root zone has really taken off, since this value proposition is pretty shaky—there is no way to manage the risk of conflict between an alternative name and some future real name in the IANA system. There is also no good way to align the interests of the people publishing the alternative names with the interests of some population who might want to look up such names.

What’s arrogant here isn’t the willingness to charge ahead in spite of the shaky value proposition; it’s the assumption that there will be only one alternative DNS name space, even if it is a financial success. Does anyone really think that other investors and entrepreneurs would not follow almost immediately, that other teams looking for their next opportunity would say, “Well, one is enough,” or even, “Being a late entrant into that market will be too difficult”? I cannot think of a single supporting example; success breeds copycats, in all times and all places.

It’s a marvel why the investors in today’s alternative DNS systems didn’t ask about copycatting. This is a pretty standard investment question. A bunch of copycats who pull various ISPs into competing alternative DNS systems could all sell the same names to different DNS operators, and there would be no way for customers to tell the difference. Being first would count for nothing.

This spotlights a good test for whether some technology is a candidate for Internet governance infrastructure: Does it have to be done cooperatively, or do the physics allow for competition?

Alternative Numbering Whois

So far I’ve discussed the governance and economics of domain names, but there is another kind of Internet resource that has some superficial similarities to DNS: Internet numbering resources. Every network and every connected Internet device needs a number. This article focuses on Internet Protocol version 4 (IPv4) addresses, which are usually written as four numbers separated by three dots (e.g., 192.5.5.241 or 192.168.1.1). Some of these numbers are private and can be used only for local communication—for example, the address 192.168.1.1 is used by almost every cable or DSL router in every home in the world. Hosts connected to private networks rely on their routers to translate their private addresses into public addresses, a process known as NAT (network address translation). For the purpose of this article, the discussion is limited to public IPv4 addresses that are globally unique and used without NAT.

Before the commercialization and privatization of the Internet in the 1990s, the U.S. government assigned blocks of IP addresses without fee or contract. This befits the original purpose of the Internet, which was to be an interconnection mechanism for the government and its contractors. When commercialization and privatization began, the IP address-allocation function was moved out of government hands and into a regional Internet registry (RIR) system, which now consists of five registries serving the regions of North America and the Caribbean, Africa, Europe, Asia/Pacific, and Latin America. Each RIR is a nonprofit association serving a community of network operators including both service providers and end users. Allocation policy is set in each region by a public policy development process, and resource allocations are governed by agreements that clearly describe the allocation as being based on “demonstrated need” for network growth. These agreements also declare that number resources are not property.

Legacy numbering allocations made in the decades before the RIR system was put in place were very large because of the technical limitations of the time. The effect of this today is about half of all allocated numbers are of the legacy type even though most allocations are of the RIR type. Now that the Internet is running short of new IPv4 numbers for network growth, many network operators are looking for ways to acquire the rights to as many IPv4 numbers as possible so they can continue to grow their networks while the Internet converts from IPv4 to IPv6. This makes the older and larger legacy numbers very attractive, since the allocations were larger and are often held by older companies and universities whose needs may be modest by current standards. The holders of legacy numbers have no contractually explicit rights concerning those numbers unless they have sought safe harbor by entering into an RIR contract, but as a practical matter anyone who is using legacy addresses received in the pre-RIR era can safely continue to do so.

The RIR system permits designated transfers between address holders. The goal of the RIR transfer regime is to bring more IPv4 addresses into active use to facilitate network growth during the IPv6 transition. Any network operator who can demonstrate near-term operational need for number resources and who can negotiate a transfer with the current holder of those resources can simply sign an RIR contract and receive rights to the resources. Because this transfer regime was developed through a public policy development process, which is therefore bottom up rather than top down in nature, these rules are literally what the community of network operators asked for—such rules cannot be imposed by any government. Some interested parties, however, may not be able to demonstrate an immediate operational need and thus will not qualify as number-resource recipients. One class of such parties is the network operator who desires a long-term forward reserve. Another class is speculators who will never have need for the numbering resources in their own names but who would like to hold the resources for later monetization (for example, rental or trading in futures).

It’s necessary to digest all of this background information to understand that not all interested parties are qualified recipients by the current transfer policies and not all transferable resources are under an explicit contract. The oft-stated concern is that these resources will be traded outside the system and that the RIR records (called Whois) will become useless. Since network operators use the RIR records every day to manage and diagnose their networks, these records should be complete and accurate. One proposal often heard in this context is that RIRs should not regulate transfers in any way and should simply record any transfer brought to them by a cooperating seller and buyer. A supporting argument for this proposal is that Whois can be run by anybody and if the RIRs won’t run an accurate Whois system (which is to say, a permissive system accepting the results of any and all transfers without limitation), then somebody else will do so. This argument breeds arrogance.

A strong advantage of the RIR Whois system in the eyes of network operators is that it is universal. There is only one entry for any given netblock and, therefore, effectively only one Whois system even though each RIR independently runs its part of that system. Let’s assume for the purposes of argument, however, that an alternative Whois system is created and enough network operators trust it that this alternative system becomes operationally relevant and that a non-RIR resource transfer regime becomes practical. Does anybody really believe that there would be only one alternative Whois system—no copycatting? Or as in the case of alternative DNS described earlier, would not the number of potential alternative Whois systems be limited only by available capital?

It would be technically possible to maintain a list of all alternative Whois systems and to query them all in parallel whenever network operations require knowing the details about a block of IP addresses. Inevitably, however, the same network would appear to be registered to different operators in different Whois systems since freedom from transfer limitations is the stated reason for the very existence of the alternative systems. While anybody can start a new Whois system at any time, the operational usefulness and therefore the relevance of a Whois system depends on coherence and cooperation—two properties that an alternative Whois system and the alternative transfer market it supports would not have.

Conclusion

Any proposal for a competing Whois registry model is as doomed by design and destiny as every alternative DNS system. Even if it succeeds at first, it would fail after copycatting occurred. Participants in RIR public policy development would do well to remember this when evaluating dire warnings of RIR Whois irrelevancy because of an RIR transfer regime having a requirement of near-term demonstrated operational need. Speculators who want to monetize future need and network operators who want a forward reserve might still find ways to act outside the system, but resources will have to come into the system when their ultimate recipients qualify to receive the resources due to then-immediate operational need. The RIR system has no power to govern such private actions, but it need not and should not cede authority over the transfer policy and Whois registry—because that’s in the physics.

Related articles on queue.acm.org
DNS Complexity. Paul Vixie. http://queue.acm.org/detail.cfm?id=1242499
What DNS Is Not. Paul Vixie. http://queue.acm.org/detail.cfm?id=1647302
Successful Strategies for IPv6 Rollouts. Really. Thomas A. Limoncelli, Vinton G. Cerf. http://queue.acm.org/detail.cfm?id=1959015

Paul Vixie is president of Internet Systems Consortium (ISC), a nonprofit company that operates the DNS F root name server and publishes the BIND software used by 80% of the Internet for DNS publication. He is also chairman of American Registry for Internet Numbers (ARIN), a nonprofit company that allocates Internet number resources in the North America and Caribbean region.

© 2011 ACM 0001-0782/11/09 $10.00
practice

doi:10.1145/1995376.1995391
Article development led by queue.acm.org

Did Ken, Dennis, and Brian choose wrong with NUL-terminated text strings?

by Poul-Henning Kamp

The Most Expensive One-Byte Mistake

Information technology (IT) both drives and implements the modern Western-style economy. Thus, we regularly see headlines about staggeringly large amounts of money connected with IT mistakes. Which IT or CS decision has resulted in the most expensive mistake?

Not long ago, a fair number of pundits were doing a lot of hand waving about the financial implications of Sony’s troubles with its PlayStation Network, but an event like that does not count here. In my school days, I talked with an inspector from The Guinness Book of World Records who explained that for something to be “a true record,” it could not be a mere accident; there had to be direct causation starting with human intent (such as, we stuffed 26 high-school students into our music teacher’s Volkswagen Beetle and closed the doors).

Sony (probably) did not intend to see how big a mess it could make with the least attention to security, so this and other such examples of false economy will not qualify. Another candidate could be IBM’s choice of Bill Gates over Gary Kildall to supply the operating system for its personal computer. The damage from this decision is still accumulating at breakneck speed, with StuxNet and the OOXML perversion of the ISO standardization process being exemplary bookends for how far and wide the damage spreads. But that was not really an IT or CS decision. It was a business decision that, as far as history has been able to uncover, centered on Kildall’s decision not to accept IBM’s nondisclosure demands.

A better example would be the decision for MS-DOS to invent its own directory/filename separator, using the backslash (\) rather than the forward slash (/) that Unix used or the period that DEC used in its operating systems. Apart from the actual damage being relatively modest, however, this does not qualify as a good example either because it was not a real decision selecting a true preference. IBM had decided to use the slash for command flags, eliminating Unix as a precedent, and the period was used between filename and filename extension, making it impossible to follow DEC’s example.

Space exploration history offers a pool of well-publicized and expensive mistakes, but interestingly, I did not find any valid candidates there. Fortran syntax errors and space shuttle computer synchronization mistakes do not qualify for lack of intent. Running one part of a project in imperial units and the other in metric is a “random act of management” that has nothing to do with CS or IT.

The best candidate I have been able to come up with is the C/Unix/Posix use of NUL-terminated text strings. The choice was really simple: Should the C language represent strings as an address + length tuple or just as the …

… ic_marker format was used mostly in assembly programs. As the C language was a development from assembly to a portable high-level language, I have a difficult time believing Ken, Dennis, and Brian gave it no thought.

… and DEC VAX—did so in terms of the far more widespread adr+len model. Once Unix and C gained traction, however, the terminated string appeared on the radar as an optimization target, and CPU designers started to add …

Thinking a bit about virtual memory (VM) systems settles that question for us. Optimizing the movement of a known-length string of bytes can take advantage of the full width of memory buses and cache lines, without ever touching a memory location that is not part of the source or destination string.

One example is FreeBSD’s libc, where the bcopy(3)/memcpy(3) implementation will move as much data as possible in chunks of “unsigned long,” typically 32 bits or 64 bits, and then “mop up any trailing bytes” as the comment describes it, with byte-wide operations.2

If the source string is NUL terminated, however, attempting to access it in units larger than bytes risks attempting to read characters after the NUL. If the NUL character is the last byte of a VM page and the next VM page is not defined, this would cause the process to die from an unwarranted “page not present” fault.

Of course, it is possible to write code to detect that corner case before engaging the optimized code path, but this adds a relatively high fixed cost to all string moves just to catch this unlikely corner case—not a profitable trade-off by any means.

If we have out-of-band knowledge of the strings, things are different.

Compiler development cost. One thing a compiler often knows about a string is its length, particularly if it is a constant string. This allows the compiler to emit a call to the faster memcpy(3) even though the programmer used strcpy(3) in the source code.

Deeper code inspection by the compiler allows more advanced optimizations, some of them very clever, but only if somebody has written the code for the compiler to do it. The development of compiler optimizations has historically been neither easy nor cheap, but obviously Apple is hoping this will change with Low-level Virtual Machine (LLVM), where optimizers seem to come en gros.

The downside of heavy-duty compiler optimization—in particular, optimizations that take holistic views of the source code and rearrange it in large-scale operations—is that the programmer must be really careful that the source code specifies his or her complete intention precisely. A programmer who worked with the compilers on the Convex C3800 series supercomputers related his experience as “having to program as if the compiler was my ex-wife’s lawyer.”

Security costs. Even if your compiler does not have hostile intent, source code should be written to hold up to attack, and the NUL-terminated string has a dismal record in this respect. Utter security disasters such as gets(3), which “assume the buffer will be large enough,” are a problem “we have relatively under control.”3

Getting it under control, however, takes additions to compilers that would complain if the gets(3) function were called. Despite 15 years of attention, over- and underrunning string buffers is still a preferred attack vector for criminals, and far too often it pays off.

Mitigation of these risks has been added at all levels. Long-missed no-execute bits have been added to CPUs’ memory management hardware; operating systems and compilers have added address-space randomization, often at high costs of performance; and static and dynamic analyses of programs have soaked up countless hours, trying to find out if the byzantine diagnostics were real bugs or clever programming.

Yet, absolutely nobody would be surprised if Sony’s troubles were revealed to start with a buffer overflow or false NUL-termination assumption.

Slashdot Sensation Prevention Section

We learn from our mistakes, so let me say for the record, before somebody comes up with a catchy but totally misleading Internet headline for this article, that there is absolutely no way Ken, Dennis, and Brian could have foreseen the full consequences of their choice some 30 years ago, and they disclaimed all warranties back then. For all I know, it took at least 15 years before anybody realized why this subtle decision was a bad idea, and few, if any, of my own IT decisions have stood up that long.

In other words, Ken, Dennis, and Brian did the right thing.

But That Doesn’t Solve the Problem

To a lot of people, C is a dead language, and ${lang} is the language of the future, for ever-changing transient values of ${lang}. The reality of the situation is that all other languages today directly or indirectly sit on top of Posix API and the NUL-terminated string of C.

When your Java, Python, Ruby, or Haskell program opens a file, its runtime environment passes the filename as a NUL-terminated string to open(3), and when it resolves cacm.acm.org to an IP number, it passes the host name as a NUL-terminated string to getaddrinfo(3). As long as you keep doing that, you retain all the advantages when running your programs on a PDP/11, and all of the disadvantages if you run them on anything else.

I could write a straw-man API proposal here, suggest representations, operations, and error-handling strategies, and I am quite certain it would be a perfectly good waste of a nice afternoon. Experience shows that such proposals go nowhere because the backward compatibility with the PDP/11 and the finite number of programs written are much more important than the ability to write the potentially infinite number of programs in the future in an efficient and secure way.

Thus, the costs of the Ken, Dennis, and Brian decision will keep accumulating, like the dust that over the centuries has almost buried the monuments of ancient Rome.

Related articles on queue.acm.org
Massively Multiplayer Middleware. Michi Henning. http://queue.acm.org/detail.cfm?id=971591
The Seven Deadly Sins of Linux Security. Bob Toxen. http://queue.acm.org/detail.cfm?id=1255423
B.Y.O.C. (1,342 Times and Counting). Poul-Henning Kamp. http://queue.acm.org/detail.cfm?id=1944489

References
1. Computer Business Review. Partitioning and Escon enhancements for top-end ES/9000s (1992); http://www.cbronline.com/news/ibm_announcements_71.
2. ViewVC. Contents of /head/lib/libc/string/bcopy.c (2007); http://svnweb.freebsd.org/base/head/lib/libc/string/bcopy.c?view=markup.
3. Wikipedia. Lifeboat sketch (2011); http://en.wikipedia.org/wiki/Lifeboat_sketch.

Poul-Henning Kamp (phk@FreeBSD.org) has programmed computers for 26 years and is the inspiration behind bikeshed.org. His software has been widely adopted as “under the hood” building blocks in both open source and commercial products. His most recent project is the Varnish HTTP accelerator, which is used to speed up large Web sites such as Facebook.

© 2011 ACM 0001-0782/11/09 $10.00
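Kamp's argument above turns on one contrast: a copy routine that knows the length of its input can move whole words and stop exactly at the end, while a routine fed a NUL-terminated string must probe byte by byte for a terminator that may sit at a page boundary, and any caller that guesses the buffer size (the gets(3) pattern) gets no protection at all. The block below is an added example written for this edit; it is not code from the article, from FreeBSD's libc, or from any project Kamp names. The type name lstr and every function in it are invented for the illustration. It puts an address+length string beside the C string, copies it word-at-a-time in the "mop up any trailing bytes" style the article describes, refuses a destination that is too small instead of overrunning it, and shows that an embedded NUL is ordinary data in one representation and a truncation in the other.

```c
/* Added example, not from the article or FreeBSD. The adr+len string
 * type "lstr" and all functions here are invented for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The address + length tuple the article contrasts with C's NUL-terminated string. */
struct lstr {
    const unsigned char *ptr;
    size_t len;
};

/* Wrapping a C string costs one byte-wise scan (strlen) to recover the length
 * the representation threw away; after that every operation knows its bounds. */
static struct lstr lstr_from_cstr(const char *s)
{
    struct lstr r = { (const unsigned char *)s, strlen(s) };
    return r;
}

/* Word-at-a-time copy in the style of the bcopy(3) the article cites: move
 * sizeof(unsigned long) bytes per step, then "mop up any trailing bytes".
 * Because src.len is known, no load ever touches src.ptr + src.len or beyond,
 * so the "NUL as last byte of a VM page" fault cannot happen here. The word
 * moves go through memcpy so no alignment rule is broken; a compiler turns
 * them into single full-width loads and stores.
 * Returns bytes written, or -1 if dst (plus its terminating NUL) is too small. */
static long lstr_copy(char *dst, size_t dstcap, struct lstr src)
{
    if (dstcap == 0 || src.len >= dstcap)
        return -1;                        /* refuse rather than overrun */

    const unsigned char *s = src.ptr;
    unsigned char *d = (unsigned char *)dst;
    size_t n = src.len;

    while (n >= sizeof(unsigned long)) {
        unsigned long w;
        memcpy(&w, s, sizeof w);          /* one full-width load ... */
        memcpy(d, &w, sizeof w);          /* ... and one full-width store */
        s += sizeof w;
        d += sizeof w;
        n -= sizeof w;
    }
    while (n > 0) {                       /* mop up any trailing bytes */
        *d++ = *s++;
        n--;
    }
    *d = '\0';                            /* keep the C-world invariant at the boundary */
    return (long)src.len;
}

/* Bounded substring search: both sides carry a length, so the comparison
 * can never run off the end of either buffer. */
static bool lstr_contains(struct lstr hay, struct lstr needle)
{
    if (needle.len == 0)
        return true;
    if (needle.len > hay.len)
        return false;
    for (size_t i = 0; i + needle.len <= hay.len; i++)
        if (memcmp(hay.ptr + i, needle.ptr, needle.len) == 0)
            return true;
    return false;
}

/* Constructed input: 7 data bytes with a NUL in the middle. */
static const unsigned char raw_with_nul[] = "abc\0def";

/* In adr+len the embedded NUL is just a byte: length 7. */
static size_t demo_embedded_nul_len(void)
{
    struct lstr s = { raw_with_nul, sizeof raw_with_nul - 1 };
    return s.len;
}

/* The C string view of the same bytes stops at the first NUL: length 3. */
static size_t demo_embedded_nul_strlen(void)
{
    return strlen((const char *)raw_with_nul);
}

/* Round trip of a constructed 25-byte string through a 32-byte buffer.
 * Returns 25 on success, -1 on any mismatch. */
static long demo_copy_roundtrip(void)
{
    static const char text[] = "The quick brown fox jumps";
    char buf[32];
    long n = lstr_copy(buf, sizeof buf, lstr_from_cstr(text));
    if (n != 25 || strcmp(buf, text) != 0)
        return -1;
    return n;
}

/* Same string into a buffer one byte too small (25 bytes need 26): rejected, -1. */
static long demo_copy_too_small(void)
{
    char buf[25];
    return lstr_copy(buf, sizeof buf, lstr_from_cstr("The quick brown fox jumps"));
}

int main(void)
{
    printf("roundtrip=%ld too_small=%ld adr+len=%zu strlen=%zu\n",
           demo_copy_roundtrip(), demo_copy_too_small(),
           demo_embedded_nul_len(), demo_embedded_nul_strlen());
    return 0;
}
```

The design point is the one Kamp makes: the word loop is only safe because the length arrived out of band; with a bare C string the same loop would have to be preceded by a byte-wise strlen, which is exactly the fixed cost the article says nobody wants to pay on every move. Rejecting a short destination up front is the cheap defence that gets(3) never offered.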
ACM CTO
Roundtable
on Mobile
Devices in
the Enterprise
Thin or fat client?
B l ackB e r r y? iP h o n e ? A n d ro i d ?
Carrier network or Wi-Fi? Developers of mobile
applications have many variables to consider if they
are going to be successful in a rapidly changing and
increasingly fragmentary environment.
With rapid worldwide growth and increasingly
diverse devices and networks, support- leaders in the mobile applications field
ing mobile devices in the enterprise is discuss the current challenges in sup-
becoming increasingly more challeng- porting multiple devices on multiple
ing and complex. networks for highly variable business
Application service architectures, requirements.
security, connectivity, testing, a con- —Mache Creeger
stantly changing mix of devices and
platforms, and an uncertain future are Participants
among the concerns mobile applica- Andrew Toy is past VP, mobile applica-
tion developers must face in deploying tions at a major Wall Street investment
mobile device services. Change in this bank; past VP, mobile and syndication
market is the only certainty, and devel- technology at MTV Networks; cofound-
opers must continually look ahead to er and CEO of Enterproid.
refine development and deployment André Charland is the developer of
strategies to keep up. PhoneGap; and cofounder and CEO of
In this ACM CTO Roundtable, five Nitobi.
se pt e mbe r 2 0 1 1 | vo l . 5 4 | n o. 9 | c o m mu n ic at i o n s o f t he ac m 45
practice
George Neville-Neil is a past member of the Paranoids group at Yahoo!; and principal of Neville-Neil Consulting.

Carol Realini is past CEO of Chordiant; founder and CEO of Obopay.

Steve Bourne is CTO, El Dorado Ventures; past president of ACM, chair of ACM Queue Editorial Board, and chair of ACM Practitioner Board.

Mache Creeger (Moderator) is Principal, Emergent Technology Associates.

Photographs by Tom Upton
Steve Bourne

CREEGER: Andrew, when you were responsible for the use of mobile devices at a major financial institution years ago, what were the biggest concerns?

TOY: We focused on the BlackBerry. The two major problems we had were our inability to customize services and maintaining control of service reliability. The BlackBerry presented itself as a closed system; the NOC (Network Operations Center), the services, and the server software were all controlled by RIM (Research in Motion). There were very few APIs to work with and because of its proprietary nature, we had a limited understanding of its underlying architecture. As a result, when something broke it was hard to fix. Theoretically it was secure and RIM could talk about why that was true, but the same reasons that made it hard to penetrate made it difficult and expensive to maintain as a mission-critical platform. We always worried about losing email, with our only recourse being to call RIM and demand it be fixed.

While there are a lot more device platform choices today, if you look at operating systems with enterprise capabilities, the only real viable candidates are Apple iOS and, to a lesser extent, Google’s Android.

Given these options, enterprise customers now believe they need to support more than just the BlackBerry. However, they are unsure how to go from the RIM world to this new and very different place. In the RIM environment everything is done for you. When you take things into your own hands, you recognize there are a lot of issues that the BlackBerry solution used to address that are now your problem.

NEVILLE-NEIL: What about compliance issues? Suddenly, you’ve put a huge amount of data that’s probably controlled by compliance rules in the hands of people who are wandering around with their devices.

TOY: We found that lawyers can advise on industry-specific compliance requirements, but in finance everything does not necessarily have hard and fast mandated technical standards. Our experience was more along the lines of “you have to protect your customers.”

We focused on such things as avoiding client data loss that triggered financial industry-specific mandated actions. Data loss required notifying each client of the breach and potential access by anyone, including a competitor. The loss of a mobile device meant the regulatory notification requirement would be triggered if data security was not provable to some level of technical certainty. Being able to make that guarantee drove us to ensure that proper screen locks and encryption were placed on mobile devices.

It is important to create a culture that does not view the security guy as the enemy. Security should enable things otherwise not possible. If a company wants to enable financial transfers, then you need security, because without it the business will collapse under fraud and real-world attacks. Security is not a goal but a means to deliver business value and manage risk in sustainable ways.

REALINI: My company is about delivering consumer-facing functionality over mobile devices, and we have payment and banking services at the back end. We deliver that functionality in the U.S., as well as India and Africa. Those environments are diverse—a lot of dumb phones, a lot of smart-
André Charland: I want to stress the minimum viable product approach: What value can we provide to our user base and can we do this in the mobile browser?

moving too fast to say that something will not change in the future. There might be a dominant player like Android, but you’re never going to be able to discount iPhone or BlackBerry.

CREEGER: How do folks decide on appropriate application architectures and the smartphone platforms they will support?

CHARLAND: I would focus on two things: the minimum viable product you can deliver to your users and what platforms are needed to support them. A lot of people look at their Web stats and assume that because people visit the Web site with an iPhone, iPhone should be the first supported platform. To prioritize a list of supported platforms you must perform basic research on your user base: poll your users, look at market trends, and do your best to forecast what phones your users will be buying.

REALINI: Three years ago India had 150 million phones, now it’s 700 million. Moreover, the features of these phones are changing quickly. You could do research and then extrapolate, but you have to work quickly and constantly adjust to what’s really happening in the market. It is almost like trying to track fashion or pop music. How do people plan in such a fast-changing environment? They have to ask themselves two questions, and do so often because the answers change as the market changes: Do I want a thick or thin client? Which devices am I going to support? Once you answer those questions and have a strategy in place, you better ask those questions again every 6 to 12 months.

TOY: The key underlying issue is this: Are you buying people their phones or are you trying to support the phones people purchase and bring into your environment? If you mandate what is used, then you can have better control.

BOURNE: Can you really mandate in a modern enterprise, even in a large regulated financial services company?

TOY: Because of the tight regulations in financial services, most certainly. For a multimedia business, I’d say no.

NEVILLE-NEIL: Small businesses are in the most trouble because they’re the least likely to be providing their employees with smartphones.

CREEGER: Is virtualization going to be a solution?

TOY: Multiple use-case profiles are the way to solve the multiple-mission problem. Is virtualization the best approach? It is difficult to do power management with a hypervisor on a device with more than one operating system. This doesn’t mean that it’s impossible or not viable, just that it’s extremely challenging.

Right now a mobile operating system manages power and does a lot of things under the covers to maximize battery life. Take away the operating system’s direct link to the hardware, and you lose the ability to effectively manage battery life. That is a huge blow to the value of the phone.

While you could migrate power management (or the management of any limited resource) of a mobile phone operating system to a hypervisor, you would then be stretching the definition of the traditional hypervisor to something more like an operating system of operating systems—effectively, a very fat hypervisor.

NEVILLE-NEIL: It will probably not happen near term, but it might happen on Android because it has gigahertz phones. Apple will never let a hypervisor execute on an iPhone.

TOY: A sufficient solution might be more like the Unix method of multiple users. You would have one box with multiple users logged in. Each user has his or her own experience; all users run concurrently; and there is one kernel and one operating system.

REALINI: One of the biggest trends in emerging markets is that users have multiple SIM (subscriber identity module) chips in their pockets to optimize the costs of their calls. Carriers have different pricing to different destinations, and users pick the chip that minimizes cost for a specific call. Effectively, they are creating multiple profiles similar to what has been discussed, but instead of maximizing security, it’s minimizing charges. In India if a phone does not have dual SIM chip modes to allow the user to change personalities, it will not sell.

Mobile phones are personal—somebody calls me and I know it’s for me. We all have multiple personas: businessperson, mother… A personal device must evolve to support these multiple roles.

TOY: In the business world, some of those personas can be very tightly managed. For a company employee, that personality can be made to function under a formal corporate security policy.

NEVILLE-NEIL: You are going to see more of the iPhone architecture in most smartphones—a combination of Jails (http://www.freebsd.org/doc/handbook/jails.html#JAILS-SYNOPSIS) and Mac frameworks. These control structures are in Mac OS X and FreeBSD. While I don’t believe Android has these functions as yet, and RIM certainly doesn’t, smartphones will migrate to this type of approach because virtualization is too heavy and loses control of the lowest layer.

These Apple technologies isolate applications from each other, and

George Neville-Neil: The Apple architecture, which is a nonsharing design, is the right place to start in developing a next-generation mobile operating system.
Andrew Toy: Security is not a goal but a means to deliver business value and manage risk in sustainable ways.

Carol Realini: Mobile is the hardest kind of computing I’ve experienced because it is a fragmented and rapidly changing device market. You have at least 18 platforms or operating systems, and they’re in constant flux.

all their APIs have the ability to control where information flows. This introduces some problems when one would like to share data but cannot. Those issues notwithstanding, the Apple architecture, which is a nonsharing design, is the right place to start in developing a next-generation mobile

treme applications with extreme security or other situations where you have to deal with really poor phones and poor networks. It is important not to lose sight of the big swath in the middle, especially in North America and Europe, with a reasonable average for phones and networks and relatively

tion on the phone or on its STK (SIM application toolkit) where the carrier distributes the application as part of its SIM chip.

CREEGER: You have several different ways to develop applications. How do you make those kinds of decisions?

REALINI: You have to look at things early and often because this is a moving target. We use the 80/20 rule, with 80% of the devices providing a good to great user experience and the other 20% providing adequate user experience.

TOY: The key is to have a tiered strategy and not go for the silver bullet. Don’t say which device is the right one. While all devices could probably be supported, you have to ask, “What is the right functionality to have on each platform, and what is the minimum functionality required for any device?”

REALINI: The CTO of my company puts things in three buckets:
• I know it works because I’ve certified it.
• I think it works because the device manufacturer said it’s totally compatible with earlier implementations.
• I have no idea if it works because multiple changes have happened.
This is important because your consumers and/or employees have to be able to make a decision from the thousand or so devices that could be purchased. You have to help them identify the 200 or so devices that will probably work well and the 50 or so devices that have been certified.

TOY: With the world changing so fast, you have to make the effort to keep those buckets up to date and revisit your categorizations frequently.

REALINI: There’s a cost to making sure things are in the right buckets. We had a specific credit-card application in place when the iPad was launched. At that point, everyone was told that all iPhone applications would work on the iPad. That falls into my second bucket: I think it should work because Apple told me iPhone applications work on iPads. Well, guess what? It didn’t work.

That experience taught us that we have to say to our partners, such as the credit card company, that we think it works, but if you want to be sure we better go through a three-week certification process.

NEVILLE-NEIL: In targeting one or more platforms for an application set, you should use minimal surface area to maximal effect. Android or iOS has the system-call complexity of a modern workstation operating system—thousands and thousands of possible APIs. When trying to design portable software, use the:
• Fewest APIs possible—this limits
the complexity of porting the software to new devices.
• Oldest APIs—they have been around long enough to be supported by many different device variants.
• Best tested APIs—they will be the most reliable.

CHARLAND: Ideally, in cross-platform software development projects, we first target BlackBerry, as it is the most minimal platform. We negotiate a minimum operating system release level with the customer, typically pushing for at least 4.6. Currently, BlackBerry is at version 6.0, and if that is acceptable, it makes for a much richer application platform.

We focus on 4.6 because there are still a lot of enterprise users on it. We target what we can, using the browser as an application and build up from there to Android and iPhone. It’s important to stick to this philosophy and not start with an iPhone application and try to work back to BlackBerry. That approach often leads to emulating iPhone features on a BlackBerry, at best an extremely painful effort.

NEVILLE-NEIL: Apple does try to make it easy to move things from the Mac desktop environment to iOS, but it’s not the same environment and you get a poor user experience. The same thing will happen taking desktop/server Linux developers and putting them on Android.

CREEGER: Smartphones are not the only devices that we’re talking about here. Not all mobile-specific devices are necessarily phones, such as iPads. How can you broaden this advice for those kinds of devices?

NEVILLE-NEIL: We have already been through this with the Palm Pilot, and in a lot of ways those lessons have been forgotten. When the Palm Pilot came out IT departments went nuts. A personal handheld device that contained a large proprietary address book and was subject to loss or inadvertent disclosure on an Internet site was not what they wanted to hear about. One should be careful about placing persistent proprietary data on a mobile device.

CHARLAND: I want to stress the minimum viable product approach: What value can we provide to our user base and can we do this in the mobile browser? The browser paradigm is a familiar concept to IT departments.

TOY: If possible, I will go with a browser-based application, but it is not always a viable choice. The only platform that allows you to keep your application behind your firewall is BlackBerry. Yes, you can run VPN (virtual private network) on the iPhone, but iOS locks up all your other applications. Plus, iPhone will not support two-factor authentication, which is becoming an industry requirement. While I agree that one should look at doing a browser-based application first, aka thin client, it’s a challenging approach and will not always work. A lot of the time the juicy stuff you’re trying to access with your thin client is on your intranet and behind your firewall. Today only BlackBerry gives you an easy path to get there.

REALINI: A thin client has inherent advantages if the network is powerful enough to support it. Right now in the U.S. we have huge network capacity issues. While you can talk about how thin clients can get by the firewall, there is the issue of whether the network is going to be fast enough to make that model viable.

I think the network problem in the U.S. will be fixed and will eventually be fast enough to handle the demand. So in the future, when everyone has a smartphone and the network’s going to be fast enough, why wouldn’t we all want thin clients?

NEVILLE-NEIL: You’re going to have to battle for control. I want my data on my device and not on someone else’s server. It makes perfect sense for sensitive corporate data not to be under my control, but it makes no sense for me not to have control over my own data.

REALINI: So, thin client implies that my data is in the cloud?

NEVILLE-NEIL: Yes.

CREEGER: And that means you’re giving your data to Google or other data aggregators.

REALINI: Everyone should care, but I am not sure they will care as much as the technical community.

NEVILLE-NEIL: There are people who care, and more will care as more data compromises happen.

CREEGER: Is anyone pushing a fat-client approach today that focuses on the use of mobile-phone platform cycles?

TOY, NEVILLE-NEIL: iPhone.

REALINI: Do we agree that a thin client has inherent advantages in the right environment?

CREEGER: Today, a thin client is desirable because the cloud is in ascendancy and people are not sensitive to data security.

TOY: For the enterprise, personal data privacy is not a problem because it is not your data; it belongs to the company. Enterprise IT guys are going to favor thin client. They want to keep the company’s data inside the data center to control access better, including revocation.

BOURNE: As mobile devices become more ubiquitous, I don’t see how existing wireless carriers in the U.S. will be able to make the required capital investment to handle the increased demand for services. Certainly that is the case in the next year or two. Cellphone data transport is limited, and in the U.S. at least, carriers are not making great money on those services. How does Wi-Fi as an alternative transport layer fit in?

NEVILLE-NEIL: The urban U.S. usually has good Wi-Fi coverage. Practically all mobile devices have Wi-Fi, and people building applications would be crazy not to take advantage of that.

For the purposes of authentication, cellular phones are attractive as each one has a hard-to-duplicate ID. Plus, there are many things a carrier can do to secure data across a cellphone network that cannot be done with random Wi-Fi access points. Lastly, when you touch a Wi-Fi access point, unless your data is encrypted, everybody else is touching your data as well.

REALINI: If wireless networks don’t get better, will we get to the point where smartphones are really just connected Wi-Fi devices?

My iPad is useless as a connected application, and I have stopped using it because it is too slow for some applications. If we have a situation where users have powerful devices but the network is unreliable, they will learn to roam on Wi-Fi in the same way Africans learned to carry two SIM chips. If that becomes standard practice and carriers don’t solve the problem, the cellular network will diminish in importance. People will defect from their networks and start connecting to Wi-Fi. We’ll see a shift from cellular devices to Wi-Fi devices.

CHARLAND: Regardless of whether you are doing browser-based or native mobile applications, you have to design them for a spotty connection. You can’t always assume there is a network connection, nor should you think that there’s never a network connection.

CREEGER: What are the most important issues you would stress to our readers?

REALINI: I would stress: (1) If you don’t already have seasoned, in-house, mobile expertise, rent or buy it but don’t try to grow it organically. (2) Be prepared to deal with a highly fragmented environment. (3) Do your best to define what you will and will not do. In mobile, one has the opportunity to achieve huge scale if the right things are done on the right devices in the right way. Making a mistake means fragmentation and getting bogged down. (4) Expect dramatic change all the time. Along with fragmentation, mobile is moving at a much faster rate than one sees in IT. (5) As you plan to develop new software, continually ask what the market is going to look like in 6 to 12 months so you know what you are getting into.

CHARLAND: (1) Define the minimum viable product for internal and external customers. (2) Consciously choose which devices you have to support. Don’t just say all; do the market research, look at the market trends, talk to customers. (3) Determine the cross-platform user experience; then pick the solution that allows the design to get close to a single application. No application is ever totally cross platform. You will have differences and they should be documented. (4) Determine if the application can function in a Web browser (including HTML5) for the devices being supported—if not today, then in the future (check W3C and other standards bodies). Also, research whether a hybrid approach such as PhoneGap is feasible. (5) Determine your plan to test all the different devices on the different carriers. It is barely good enough to buy all the devices and have one individual who can test on every device. You’ll need either to have a more comprehensive testing plan or to hire a third-party testing service.

TOY: (1) Trying to make everybody happy is an unsolvable problem. One needs to define tiers of service and decide how many tiers will be supported. (2) Define the key issues that are important to your business—functionality, security, and ubiquity are three good concerns to start with. (3) For each of your tiers, define the level of resource devoted toward the support of each issue and the devices you will be supporting at that level. Trying to make every device tier support every device at the maximum level is a recipe for failure. It’s fine to say that the CEO must use only a BlackBerry and cannot use an iPad to access important documents. It is also fine to say that someone further down the security stack can just synchronize an iPhone. Applications must fit into a dimension of that tiering, and perhaps people lower on the security stack just don’t get certain applications, or any applications.

CREEGER: How do you suggest IT manage and track information service consumption and the threat environment?

TOY: One way is to go thin and keep information assets behind a firewall in much the same way folks have done with thin desktops. Alternatively, you can emulate what folks have done with laptops and install end-point security products to impose control directly on the device.

NEVILLE-NEIL: You have to think about what data is important to your business and its continuity. You need a disaster recovery plan that is sensitive to different types of disasters. You have to decide which data goes where, on which device, and to which people. Most computer security is trying to decide those questions, and the same will be true in mobile as well. Also, use the oldest, most established, and minimal API set possible. It will just make your life much easier in the end.

CREEGER: Does anybody have any idea what the world is going to look like in two to three years?

TOY: Tablets are the biggest workplace changer in the next two to three years inside a company and on the Internet.

CHARLAND: While I don’t think native applications will ever go away completely, from a developer’s perspective, the majority of applications will be Web-based. Tablets will play a bigger role, but they will blend more with laptops, and I feel the phone will always play a bigger role than the tablet.

NEVILLE-NEIL: We’re going to see more splitting of the network space. More people will have personal area networks, accessing a MiFi, their phones on the cellular network, whatever. You’re going to see devices talking to each other a lot more.

Applications will move from the phone to the tablet. The tablet will become the primary consumption device for media and the sweet spot for consumers. I think kids will lead the way.

In the corporate space, you won’t see consolidation around Android or iOS, and both will maintain a varying percentage of the marketplace unless or until somebody produces a new game-changing killer device.

Lastly, we’ll have a lot more thin client in the enterprise space. It’s just an easier way to control access to data.

REALINI: Today, companies interact with customers primarily in person or on the Web. In the future, mobile is going to be the most important way those interactions take place. Smartphones will become richer and more powerful, because we’re going to expect and demand it. It’s only natural that a lot of customer-facing applications will be mobile. I think mobile is going to fundamentally change the types of services that can be delivered; how efficiently those services can be provided; and what types of customers can be engaged. I think mobile will create vast new markets to broaden the reach of commerce way beyond its traditional scope.

Related articles on queue.acm.org

Mobile Media: Making It a Reality
Fred Kitson
http://queue.acm.org/detail.cfm?id=1066066

Four Billion Little Brothers?: Privacy, mobile phones, and ubiquitous data collection
Katie Shilton
http://queue.acm.org/detail.cfm?id=1597790

Mobile Application Development: Web vs. Native
Andre Charland, Brian LeRoux
http://queue.acm.org/detail.cfm?id=1968203

© 2011 ACM 0001-0782/11/09 $10.00
contributed articles
doi:10.1145/1995376.1995393
Establish a global cyber “neighborhood watch” enabling users to take defensive action to protect their operations.

By Stephen J. Lukasik

Protecting Users of the Cyber Commons

Cyber protection has long been a concern; recall the Morris worm in 1988, widespread use of the commons with the introduction of commercial email and Web browsers in the early 1990s, and the U.S. Presidential Commission on Critical Infrastructure Protection (PCCIP) in 1996.11 A Google search yields more than 43 million articles dealing with computers and networks. This much attention, without dependable security for users, leads one to wonder why the problem persists. Are computer vulnerabilities growing faster than measures to reduce them? Perhaps the problem is not purely a technical matter, but more to do with users. Carelessness in protecting oneself, tolerance of bug-filled software, vendors selling inadequately tested products, or the unappreciated complexity of network connectivity have led to today’s abuse of the commons.

However, among potential remedies, current U.S. government-led approaches appear to be going at them piecemeal, fixing those that demand immediate attention. Since this approach is not keeping up, it may be useful to rethink it, seeing if there are strategic directions more likely to deliver benefits.

Protecting users of the cyber commons, nationally or globally, has both top-down and bottom-up aspects. Calls for government action to “protect cyberspace” relate to top-down processes that, while identifying drivers of policy, wash out lower-level detail. That is the way governments think and what people have come to expect from them. Protecting a national commons would appear little different from other aspects of national security, which is clearly a government responsibility. In the U.S., under the recently organized Defense Department Cyber Command, the National Security Agency has been designated as the U.S. cyber force,4 including both the 24th “Air Force” and the 10th “Fleet,” in quotes because neither is a conventional flying nor floating combat unit, consisting instead of people at computers, the newest element of net-centric warfare.

Bottom-up processes are equally important; they are what “really happens,” the way processes work, rich in detail, but leave some major drivers of events invisible. The difference between the two perspectives—top-down and bot-

key insights
• Top-down processes (such as regulation, national strategies, federal funding, and international agreements) protecting users of the cyber commons operate far more slowly than offensive and defensive technologies.
• Bottom-up processes (such as the affinity groups that characterize social nets) take advantage of the character of public networks, offering additional defensive options to protect them from abuse.
• These processes mimic how the ARPANET was created, contribute to network evolution, and share the concept behind the IETF and other volunteer network mechanisms.
regulation is enough.

Regulation implies restrictions on the operation of markets, possibly foreclosing potentially beneficial options. There is general recognition that infrastructure services merit some degree of regulation to protect against inequitable access to service and the abuse of what can be natural monopolies. Deciding what to protect defines what not to protect. By default, the latter are left to market forces. The decision of what to regulate should hinge on the allocation of resources to provide the greatest protection to the greatest number of people. This requires analyses of users, their relevance to national goals, and the interdependencies among their needs. What we currently have in the U.S. is mandated protection of central infrastructures and national security assets, with the rest dependent on market forces to balance security, cost, and convenience.

In 1997, the PCCIP identified eight critical infrastructures, and, in preparing for the expected disruption of computers at the beginning of 2000, the U.K. identified 11 critical infrastructures as central to the operation of society2; the European Commission also identified 11, though they differed from other lists.1 If one looks for the infrastructures common to such lists, along with factoring in estimates of their interdependence, three emerge: telecommunications, electric power, and transfer of funds.

Infrastructures depend on the reliable transmission of information for their operation. If one is to protect any part of the cyber commons, the command-and-control mechanism of critical infrastructures is part of what should be done.

An example of how to protect critical infrastructure is provided by the Federal Energy Regulatory Commission (FERC), the regulator of the U.S. electric-power system, consulting with and coordinating its regulatory actions with industry groups, including the North American Electric Reliability Council (NERC). The FERC Final Rule, issued in 2008 after a rule-making proceeding, is a useful starting point.3 While heretofore reliability was treated as desirable, and outages were reported to FERC and analyzed by NERC, the requirements on the industry were flexible. The Final Rule detailed actionable security processes for infrastructure protection that recognize both the realities of computer technology and the tendency of regulated entities to cut corners.

Regulators attempt to force a desired level of performance, while regulated entities deploy armies of lawyers to thwart them by bringing suit against the regulator. Regulatory actions, whether originating in independent regulatory agencies chartered by the U.S. Congress or by agencies established within the executive branch, under the separation of powers in the U.S. government, are subject to review by the federal judiciary. The judicial system and its due-process requirements are thus the final arbiter of regulations. The traditional paths to circumvent regulation are to claim the need to exercise reasonable business judgment, maintain that a higher level of risk than provided for in the regulation is adequate, and challenge the technical feasibility of the regulation.

The FERC order is firm in blocking such arguments. With regard to business judgment, the Report said the Commission noted in the Critical Infrastructure Protection Notice Of Proposed Rule-making (CIP NOPR) that “Cybersecurity standards are essential to protecting the Bulk-Power System against attacks by terrorists and others seeking to damage the grid. Because of the interconnected nature of the grid, an attack on one system can affect the entire grid. It is therefore unreasonable to allow each user, owner or operator to determine compliance with the CIP Reliability Standards based on its own ‘business interests.’ Business convenience cannot excuse compliance with mandatory Reliability Standards.”

Regarding the second tactic of evasion—operator willingness to accept risk—“The Commission continues to view the term ‘acceptance of risk’ as representing an uncontrolled exception from compliance that creates unnecessary uncertainty about the existence of potential vulnerabilities. Responsible entities should not be able to opt out of compliance with mandatory Reliability Standards. The Commission, therefore, directs the ERO [Electric Reliability Organization] to remove acceptance of risk language from the CIP Reliability Standards.”

Finally, regarding technical feasibility, the Final Rule said: “The Commission adopts the CIP NOPR proposal and directs the ERO to develop a set of conditions or criteria that a responsible entity must follow when relying on the technical feasibility exception contained in specific Requirements of the CIP Reliability Standards… We note that the Commission did not propose to eliminate references to technical feasibility from the CIP Reliability Standards, only that the term be interpreted narrowly and without reference to considerations of business judgment.”

Figure 1. Users of the cyber commons. Labels in the figure: The Rest of Us; state, county, and local governments; educational institutions; health-care organizations; U.S. Government users; military forces, vendors, and contractors; corporations; cloud servers; infrastructure operators; ISPs and backbone carriers.

The Congress attempted to extend the proceeding as far beyond the elec-
September 2011 | Vol. 54 | No. 9 | Communications of the ACM 57
contributed articles
vate actions. Governments also play an implementation role in proposing legislation, enforcing mandates, and protecting users of the commons too small or weak to function effectively on their own behalf.10

While the U.S. government relies on public-private partnerships to achieve many of its goals, the degree to which network security is worsening suggests the need for new mechanisms. Since commercial organizations see computer security as a cost and do not value the corresponding benefit, private efforts have to date been insufficient. Both sides of the partnership are failing to stem the tide of abuse of the commons.7

Efforts by President Barack Obama and his Administration suggest this posture may be changing. In 2009 remarks, Melissa Hathaway, then acting senior director for cyberspace at the National Security Council, representing the National Security and Homeland Security Councils, said, “The Federal government cannot entirely delegate or abrogate its role in securing the nation from a cyber incident or accident. The Federal government has the responsibility to protect and defend the country, and all levels of government have the responsibility to ensure the safety and well-being of citizens.”6

Though government leadership is necessary for protecting the nation from cyber abuse, it is indirect, with much distance between government-strategy documents and demonstrable security.

International mechanisms. Cyber abusers and their victims can be in different sovereign jurisdictions. Actions against violators are supported by common standards of unacceptable behavior. Rationalizing laws globally makes sense but is time consuming and eventually limited by the speed each country adapts to new technical, economic, and political circumstances.

For international agreement to be effective, implementing mechanisms are needed for accommodating changes suggested by evolving needs: monitoring compliance by the signatories to maintain their trust and confidence; enforcing the agreement should signatories depart from agreed-upon norms; resolving disputes among the signatories; addressing technical issues of definitions, standards, and forensic collection; and rendering assistance to signatories to respond to technical challenges expeditiously. However, this process is also slow, as diverse signatories must be convinced they need to take action.

While many protective steps can be taken without formal agreement, if global changes in security are to be achieved, a larger international framework will be necessary for facilitating cooperation among signatories; drawing from common international contexts, Sofaer and Goodman13 discussed elements of such a framework.

As with the previous three dimensions of a framework for cybersecurity, international organizations have a role to play but, like regulation and government strategy, find it difficult to respond to the needs posed by a dynamic technology environment and aggressive and quick learners among those who would abuse the commons.

Technology to limit abuse. The view of many is that today’s lack of security of the commons and its information is no more than a bump on the road of technical progress, fixable by layering on more and better technology. Using technology to fix technology is questionable as a response to a problem with roots deep in the growing complexity of the worldwide network.

Were technology to change more slowly, such an approach might have a chance of success. Problems arise when unexpected coupling between parts of large computer-based networks of logical processes exhibit behavior that, while following precisely from their programmed logic, cannot be completely anticipated. Large networked systems have so many internal states they can never all be exhaustively tested, and proving their security appears unlikely.

Technology creates new power through enhanced performance in terms of size, speed, bandwidth, capacity, connectivity, and functionality, but, even as it “fixes” old problems and improves functionality, the technology creates new problems, embedding them deeply within unverifiable systems. The matter is one of relative rates of change. If problems are fixed more quickly than new problems are created, one can imagine achieving a stable balance. But when new technology introduces new problems more quickly than it fixes old ones, the resulting divergent situation defies control.

Malevolence threatening the cyber commons introduces a new rate-of-change parameter. Attackers quickly reverse-engineer security alerts and patches to exploit related flaws before defenders can eliminate them. The defender fix-install rate must be faster than the attacker reverse-engineering rate.

Cloud computing is a current example of technological exuberance. Users are encouraged to move their information and applications from machines under their direct inspection and potential control and which could
[Pull quote:] regulated will accept it only after they have avoided it through every possible legal and political channel available to them.

Technology is an enabler for the first three necessary components of protection of the commons but like the others is insufficient. It is both part of the problem and part of the solution. Most important, behavioral adjustments by users of the commons are also needed to break the cycle of self-destructive technology:

Connections. Users should revisit the premise that any two devices are better connected than unconnected;

Conceptual errors. Managers should recognize that entrusting the fixing of flaws to the people who created them has natural limits, and that, perhaps, the security problem is not a matter of minor execution errors but of major conceptual errors;

Any computer. Decision makers should recognize that any computer can be penetrated, just as any building can be entered and any object can be stolen; and

Distrust as default. All users are well advised to replace trust with distrust as a default condition in all computer-mediated interactions.

These should not necessarily deter technical innovation but call for adjustment in the expectations of managers and users of the technologies they adopt.

Bottom-Up Perspective

Voluntary legal user-controlled, self-defense efforts are also necessary but inherently on a smaller scale than their governmental counterparts. They are most easily accomplished when user organizations are large enough and smart enough to identify and implement cost-effective protection. They help establish a market for protection technologies and educate a new generation of security professionals who understand options and risks that often remain classified or proprietary and are difficult to share widely.

Voluntary self-defense asks: Who does the volunteering and the defending? The answer depends on the tech-

nisms (such as the Internet Engineering Task Force, or IETF) have served the Internet well, developing protocols to provide greater security and fostering next-generation networks.9 Computer emergency response teams (CERTs), industry-information-sharing-and-analysis centers (ISACs), informal regional system-administrator groups, software vendors, and the Forum of Incident Response and Security Teams (FIRST) all help but have difficulty staying ahead of aggressive attackers.

How can voluntary defense establish a trust mechanism? The seeds of today’s Internet security problems were planted when the ARPANET began to grow beyond its first small circle of researchers more than 40 years ago.8 Early generations of network users were homogeneous, scientifically oriented, cooperative, dedicated to developing network technology and its applications, and had no reason to distrust or harm one another. With net growth has come many more users with no knowledge of one another and with divergent agendas. Distrust should replace trust, but the means of practicing distrust are poorly served by network technology created to support trusted users.

The National Strategy to Secure Cyberspace published in 2003 relied on the 1997 PCCIP principles: voluntary action, public-private partnerships, public awareness, international cooperation, and the central importance of critical infrastructure.14 It viewed cyberattacks as crimes for which, through due process, perpetrators would be identified, prosecuted, and punished. Vulnerabilities were to be reduced through an unending search for flaws and their elimination through decisions by vendors, service companies, and computer owners and operators. It presumed software flaws could be reduced over time to acceptable levels. The defensive concept was to distribute response capabilities to user organizations acting on their own behalf and in their own best interests.

The security problems experienced
today are significantly greater than when PCCIP issued its recommendations. The fixes are not working.7 There is heavy reliance on government and foot-dragging over what organizations will be forced to do. Another factor is the deep-seated view that security goals cannot be achieved without significant federal R&D funding. While time has been devoted to negotiating treaties related to cybercrime, nations use the delay to strengthen their cyber-system penetration capabilities for intelligence collection and to develop the means for conducting cyberwar, aka “information operations.”

Law-enforcement paradigms do not address rapidly evolving threats well and fail under emergency circumstances. The prospect of zero-day attacks, enabled by current trends in viruses that evolve quickly and an aggressive malware industry, is relevant. Changes in the nature of zero-day threats, the uncountable vulnerabilities of systems, and the motivations of cyberattackers require warning systems to detect attacks with enough time to initiate protection responses. Protection must be managed in near-real time so at least some attackers are thwarted. However, real-time warning and response must be on a global rather than a local basis.

One possible way of doing this exploits the nature of self-organizing social networks, starting with the proposition that users have a role in leading efforts for their own protection, not simply accepting what others choose to do, or not do, on their behalf.

Social networks have two characteristics that mimic development of early networks: they respond directly as participants perceive value, growing in directions and at rates determined by that value; and overhead costs, typically riding on the Internet, where users pay for access and where participating Web sites may be supported through advertising income. Some central management is needed to maintain the integrity of the social network. Illustrative of the informal yet resilient nature of such networks are Facebook rules to protect privacy, open source software, user-created wikis, and apps purchased from developers through commercial sites.

Commons Protection Union

Proposed here is what might be called a Commons Protection Union (CPU) or, perhaps, cyber “neighborhood watch,” to recognize attacks in real time and provide information to users or their service-provider proxies, enabling them to disconnect from parts of the commons to contain a “disturbance” until it can be analyzed for its origin and characteristics and systems restored to full connectivity. Since cybersecurity problems derive from connectivity, managing connectivity is likely part of the solution.

Operating such a function can be done more responsively than is possible when response to attacks is paced by the rate of adopting intergovernmental agreements and the implementation speed of national response agencies. A flexible, voluntary approach is required, free of contested mandates. Being open and voluntary, governments could participate in increasing their effectiveness to whatever degree they choose. Real-time event information from users, private security companies choosing to participate, and such public information as governments choose to contribute could enable distributed examination of malware and attacks and provide information to participants for quick analysis.

The arrangement would make attack and ongoing probe information available for the common good, the essence of a commons. On the basis of such real-time information, participating users could take such defensive actions as they choose; for example, they could reduce load, route around congestion, disconnect from parts of the net, collect and preserve forensic information, and increase their hardness level, depending on their assessment of the real-time threat level and the criticality of their operations.

Carriers and Internet service providers do some of this. The new elements would be voluntary sharing, global real-time data provided to users or their proxies, and trusted third parties as consolidators. The high-level nature of the traffic monitoring can be designed to yield statistical measures for automated diagnostics and decision making while respecting the privacy constraints placed on the information by its contributors. Global traffic monitoring would include parameters to assess flow pathologies and detect anomalous patterns. What is proposed is not unlike a missile-launch-detection-and-tracking system but in which the defensive components are distributed and under user control.

How might such an addition to the computer- and network-security environment be brought about? The same way many activities on the Internet begin; someone creates something of value, and it spreads without prodding. Such an approach can potentially spread at the Internet speed of social networks rather than at government speed. As outlined in Figure 2, the upper-left oval represents the Internet, with legitimate users dealing with other legitimate users, but, now, malicious users inject themselves

Figure 2. Commons Protection Union: a social network. [Figure labels: Legitimate users; Malicious users; voluntary input for analysis; voluntary consolidation and analysis centers; input for individually selected response; legitimate users, such as: infrastructure operators, other organized users, governments, CERTs, private security companies, private users.]
doi:10.1145/1995376.1995395

Realizing the Future of Wireless Data Communications

by Craig Partridge

Wireless will play an even greater role in future data communications than it does today. For ubiquity of

as an access protocol and seems poised to be the primary means by which people and machines access the Internet and its successors.

Wireless technology is in the midst of an important stage in its technical evolution—commercial

This transition could enable far more flexible radios

able to more fully exploit the radio spectrum to deliver data both faster and more reliably.

The research community has envisioned this moment since the early 1990s.10 It is now here.

Unfortunately, computer science, radio engineering, and public-policy advocates are all imperfectly

(such as finding the right mix of programmable hardware to support high-

neglect (such as how to describe radio behavior independent of platform and how best to share spectrum). The research, funding, and public-policy communities have hard work to do if they are to realize the promise of wireless data communications.

as well as the opportunities the future wireless environment will bring, then

key insights
Protocols (such as WiFi and Bluetooth) will be radio applets by about 2020.
If an application needs more bandwidth, it can ask its radio to find capacity in unused spectrum.
spectrum as consumers need it.

Detail of U.S. frequency allocations of the radio spectrum. [Chart; source: National Telecommunications and Information Administration (U.S. Department of Commerce).]

focus on the critical research questions we need to examine to realize (or rule out) the opportunities and make the policy decisions that will drive our common wireless future.

have become the standard technology for commercial, as well as military, radios, employed in a range of devices, from battery-powered sensors and

(such as base stations). In software radios, all or virtually all functions, from the physical layer of frequencies and coding (such as *PSK and *-QAM) to the media-access layer (such as time-division multiplexing and carrier sense multiple access) are determined and can be changed in real time by software

military radios since the mid-1990s; they are slowly transitioning into the U.S. military today.b What is changing is their cost and packaging are reaching into non-military markets.6 In the mid-1990s a software radio was the size of a small refrigerator and could easily cost

clude the Wireless Network after Next (WNAN),c Universal Software Radio Peripheral (USRP),d and the somewhat more expensive Microsoft Research Software (Sora) radios.e Radio chipsets

grammable base-station products from Picochip). Following today’s trends, it is reasonable to expect that by 2020 fully programmable radio chipsets will be

sumer products.

The importance of software radios is that they bring unrivaled flexibility; they

programmability to certain functions, and radios that use DSPs programmed in C vs. radios that use FPGAs programmed in VHDL. Insofar as is possible, this article uses the term generically to include all approaches.

System (http://www.public.navy.mil/jpeojtrs/Pages/Welcome.aspx), a family of radios that conforms to a common hardware and software architecture called the Software Communications Architecture, or SCA.

e The Wireless Open-Access Research Platform, or WARP, (http://warp.rice.edu) is another notable platform widely used for research around the world despite being substantially more expensive than the other radios.
a PDA manufacturer would advertise support for Bluetooth or WiFi makes no sense in a world of software radios, as “Bluetooth” and “WiFi” would be applets any PDA could run. The focus will be on the PDA’s radio processing power, expressed in digital signal processor (DSP) or field programmable gate array (FPGA) capabilities.

Recasting this observation as an illustrative scenario, suppose when people arrive in a foreign country their PDAs would automatically download and start running the right phone and data-communications protocols for that country. If the protocols change overnight, the PDA simply loads (wirelessly) the new versions in the morning. If the people go inside and want to use a local wireless network, the PDA downloads the protocols from the local base station, using, perhaps, WiFi as a legacy protocol to download the new protocols. All these steps happen without requiring any action by the PDA’s user.

Another difference is available bandwidth. If an application needs more wireless bandwidth, it simply asks the radio for more. The software radio would then scan the wireless spectrum looking for unused frequencies and agree with its peer radio (such as the base station) to employ an unused frequency to provide the necessary bandwidth.

In this future world, software radios would offer consumers wireless communication not limited at time of purchase to a particular set of protocols and data-communications band-

WiFi) the next.

collection of programmable components, mixing FPGAs, DSPs, and possibly an embedded processor. To program it, a software engineer writes or assembles a suite of software for the programmable components.

Observe that the mix of components varies widely. The central issue is how to provide enough processing power, often parallel processing power, to address streams of digital samples at the rates required for the frequency ranges covered by the radio’s antennas.

Designers differ over how to best mix FPGAs, DSPs, and embedded processors to achieve the right processing power. There are also larger system issues; for instance, consider the filters used to select frequencies; better filters yield cleaner signals, which require less processing, but filters are more expensive than DSPs and FPGAs, so some systems choose less-good filters and more processing power. While there is still plenty of room to innovate, particularly in hardware accelerators that coexist comfortably with DSPs and FPGAs, the radio-engineering community understands this design space, as evidenced by a 2010 software radio design4 that cited 43 references.

At the other end of this design space for software radios is a highly configurable chip or chipset. To program the radio, the software engineer would set configuration registers in the chip to determine what frequencies, coding, and media-access protocol features are used.

The conceptual difference between the two ends of the design space is stark. In the programmable radio, software
[Chart: U.S. frequency allocations of the radio spectrum, 3 kHz to 300 GHz, by band designation (VLF, LF, MF, HF, VHF, UHF, SHF, EHF), with the magnified detail shown above; source: National Telecommunications and Information Administration (U.S. Department of Commerce).]

f http://www.picochip.com
1021Hz
1525 137.0 STANDARD FREQ. AND TIME SIGNAL (60 kHz)
3 x 10 -3Å
MOB. SAT. (S-E) SPACE RES. (S-E) SPACE OPN. (S-E) MET. SAT. (S-E) 13.8
Space
Satellite (E-S) Mobile ** (Space to Earth) Mob. Sat. (S-E) SPACE RES. (S-E) SPACE OPN. (S-E) MET. SAT. (S-E) Mobile* 13.87
LOCATION SAT.(E-S) location
14.0
Radio-
137.175
ISM – 13.560 ± .007 MHz
RADIO-
MOBILE
MOBILE
MARITIME MOBILE SAT. MOBILE SAT. Mobile MOB. SAT. (S-E) SPACE RES. (S-E) SPACE OPN. (S-E) MET. SAT. (S-E) 14.0
SATELLITE
RADIO
SATELLITE
NAVIGATION Space FIXED Land Mobile (Space to Earth) (Space to Earth) (Aero. TLM) 137.825
NAVIGATION
NAVIGATION SAT. (E-S) Satellite (E-S) 1535 Mob. Sat. (S-E) SPACE RES. (S-E) SPACE OPN. (S-E) MET. SAT. (S-E) AMATEUR AMATEUR SATELLITE
Research MARITIME MOBILE SATELLITE 138.0 14.25
142.0 14.2 (space to Earth) MOBILE SATELLITE (S-E) AMATEUR
1544 14.35
AMATEUR FIXED Land Mobile FIXED MOBILE
1022Hz
AMATEUR SATELLITE 144.0
Mobile** SATELLITE (E-S) Satellite (E-S) MOBILE SATELLITE (S-E)
FIXED
144.0
3 x 10 -4Å
RADIO- 1545
MOBILE
Amateur Amateur Satellite AERONAUTICAL MOBILE SATELLITE (R) AMATEUR AMATEUR SATELLITE FIXED Mobile*
LOCATION Mobile Satellite (S- E) 146.0
MARITIME
1023Hz
MOBILE Fixed FIXED LAND MOBILE
3 x 10 -5Å
151.0 1610
15.1365 AERO. RADIONAVIGATION RADIO DET. SAT. (E-S) M O B I L E S A T ( E - S ) 152.855
1610.6 BROADCASTING
FIXED Mobile Space Research AERO. RADIONAV. RADIO DET. SAT. (E-S) MOBILE SAT. (E-S) RADIO ASTRONOMY LAND MOBILE
15.35 AERO. RADIONAV. RADIO DET. SAT. (E-S) MOBILE SAT. (E-S) Mobile Sat. (S-E)
1613.8
SPACE RESEARCH EARTH EXPL. SAT. 1626.5 154.0 15.6
RADIO ASTRONOMY (Passive) (Passive) LAND MOBILE FIXED BROADCASTING
FIXED 15.8
(S-E)
15.4
Cosmic-ray
FIXED
FIXED
156.2475
FIXED
COSMIC-RAY
1024Hz
3 x 10 -6Å
AERO RADIONAV FIXED SAT (E-S) MARITIME MOBILE
FIXED
157.1875
Radiolocation
1025Hz
3 x 10 -7Å 170.0 RADIO ASTRONOMY AIDS (RADIOSONDE) 17.41 BROADCASTING
INTER- 17.2 1670 162.0125
FIXED MOBILE SATELLITE Earth Expl Sat Space Res. Radioloc. FIXED 17.48
RADIOLOC.
174.5 17.3 MOBILE** FIXED FIXED BROADCASTING
SPACE EARTH BCST SAT. FX SAT (E-S) Radiolocation 1675 17.55
RESEARCH INTER- 17.7 METEOROLOGICAL METEOROLOGICAL
FIXED MOBILE SATELLITE EXPLORATION FIXED SATELLITE (E-S) FIXED BROADCASTING 1705
(Passive) SAT. (Passive) SATELLITE (s-E) AIDS (Radiosonde)
FIXED
FIXED
182.0
RADIO-
MET. SAT.
18.8
MOBILE
21.2 1900
FIXED
MOBILE
21.4 MOBILE SATELLITE (E-S) STAND. FREQ. & TIME SIG. Space Research
RADIO-
RADIO-
MOBILE
MOBILE
RADIONAVIGATION Radiolocation
SATELLITE
NAVIGATION
(E-S)
MOBILE
FIXED
FIXED
2180
MARITIME
21.85
SATELLITE
24.0 SPACE RES..(S-E) FIXED MOBILE** 225.0 23.0 MARITIME MOBILE (TELEPHONY)
RADIO
2194
SPACE
EARTH
2300
(Passive)
(Passive)
FIXED Mobile*
SATELLITE
RESEARCH
Amateur
ASTRONOMY
2305 23.2
EXPLORATION
MOBILE
FIXED
235.0 Earth Expl. RADIO- Radio- Mobile Radio- Fixed BCST-SATELLITE
SPACE RES. EARTH EXPL. Satellite Amateur
FIXED MOBILE SATELLITE(S-E) (Passive) SAT. (Passive) LOCATION location location 2345 24.89
(Active) AMATEUR SATELLITE
FIXED
238.0 AMATEUR
MOBILE
190
MOBILE
RADIO-
MOBILE
FIXED 26.175
MOBILE
26.95
PLEASE NOTE: THE SPACING ALLOTTED THE SERVICES IN THE SPEC-
FIXED
std Exploration
freq e-e-sat BCST - SAT. MOBILE** FIXED
FIXED
(E-S)
FIXED
27.23
MOBILE
FIXED
MOBILE
MOBILE
time e-e-sat
(S-S) (s-s) MOBILE E-Expl Sat Radio Ast Space res.
NAVIGATION ASTRONOMY
MOBILE SATELLITE
se pt e mbe r 2 0 1 1 | vo l . 5 4 | n o. 9 | c o m mu n ic at i o n s o f t he ac m
Satellite (S-S) SATELLITE FIXED MOBILE
27.5 28.0
FIXED MOBILE FIXED AMATEUR AMATEUR SATELLITE 2850
SAT (E-S) AERONAUTICAL METEOROLOGICAL Radiolocation
Maritime
275
29.5 AIDS 29.7 AERONAUTICAL Aeronautical
RADIONAVIGATION LAND MOBILE Radionavigation
FIXED
MOBILE
FIXED SATELLITE (E-S) MOBILE SATELLITE (E-S) 29.8 AERONAUTICAL RADIONAVIGATION Mobile (Radio Beacons) 285
2900 FIXED
ISM – 27.12 ± .163 MHz
FIXED
300 kHz
3 GHz
300 MHz
RADIONAVIGATION
30 MHz
30 GHz
65
designers are beginning to migrate the results into software radios.13

Another green issue concerns disposable radios. With lower energy consumption, we envision radios with such long operating lives it may be simpler to replace than to recharge them. But if such radios are to be ubiquitous, how can we keep them from adding to our trash? One research effort in the Center for Wireless Sensor Networks at Uppsala University seeks to make radios biodegradable.h

Processors vs. chipsets radios. While this article takes the view that there is a substantial difference between a radio built from programmable components and one built on a highly configurable chipset, I would be remiss if I did not mention an alternative perspective. There is an argument that fully programmable and chipset radios are not very different. The core observation is that RF signaling and propagation is a mature field. Radio engineers know a lot about RF physics. Many of today's protocols, especially for the physical layer (frequencies and coding), represent sweet spots for high-quality data channels.

From this perspective, it is perfectly reasonable to assume there is a limited set of reasonable choices for radio communications and entirely plausible that a radio engineer could implement all the reasonable permutations in a chipset. If this assumption holds up, then the difference between chipset radios and radios built from programmable components is practically nil.

Unfortunately, this is a paper argument. No one has attempted to build a sufficiently rich chipset radio, so we do not know if it is possible.

Realizing the World of Software Radios

Recall that in the PDA scenario described earlier, the PDA downloads the "right" protocols whenever it needs them, but how exactly would that work? How does the PDA's radio ensure it does not load rogue software that would interfere with, say, a public-safety radio channel? This is an essential research problem relating to both how to exploit the spectrum and how to address regulatory concerns.

Describing radio behavior. Given that the central feature of software radios is their ability to change behavior, one might imagine a lot of practical and theoretical work has been done on how to tell a radio how to behave and how a radio can describe its own behavior. However, rather stunningly, little work has targeted this problem.

To appreciate the inadequate state of research, consider how a PDA might learn what software to download; all possible choices are poorly understood. One scenario is that there's a standard radio channel (or set of channels) continuously transmitting the right software for a particular region. In a poorly designed world, this channel repeatedly broadcasts the software for each product. So, for consumers who own a Nokia device, their PDA would listen until the Nokia software is transmitted. This solution has one benefit: the local spectrum regulator is able to track what software is being broadcast and ensure only "safe" protocols are distributed. Otherwise, the system wastes valuable spectrum, repeatedly transmitting software for every possible radio, and radios may have to wait a long time before their software is transmitted and available.

A much better version of this scenario, for software engineers and consumers alike, would be if all PDAs used the same software. Imagine something like Java for radio protocols. The software channel described earlier transmits only a handful of protocol implementations running on all devices. The dual challenges are that creating programming languages to program physics is difficult1 and finding a programming abstraction that works equally well for DSPs, FPGAs, configurable chipsets, and any given mix of them is, perhaps, even more difficult.

A variation is the local channel broadcasts specifications of radio protocols. Now imagine a common language describing the physical layer (such as frequencies used, coding, and power rules) and the media-access layer (such as time division vs. code division and packet formats). A radio receiving this specification would convert the specification into a configuration (chipset radios) or compile it into software that drives the radio. Some work has been done in this area,15,17 with one nice concept being that beyond specifying what the radio does, the specification also describes how the radio might scan the spectrum to learn what frequencies are available.

A different approach is that a standards body registers names for each protocol in use, an approach that works best with a small set of protocols and assumes that each radio has the software (or configuration information) for all protocols pre-loaded. It is roughly what the Joint Tactical Radio System (JTRS) uses, but the JTRS team has sought to reduce the list of approved protocols, suggesting the approach is limited.i

Approved use of the spectrum. Software radios have the potential to dramatically change how the radio spectrum is used, unsettling some regulators and spectrum licensors. Regulators worry that a software device will be programmed (intentionally or accidentally) to interfere with existing approved uses of particular frequencies. An oft-cited example is a software radio that decides to use a frequency reserved for emergency services (often idle), interfering with authorized transmissions in an emergency.

Likewise, spectrum licensors with exclusive rights to use particular frequencies, often finding it difficult to fill those frequencies with traffic, worry that software radios will be used to "squat" on their frequencies without paying the incumbent.

On paper, at least, these fears are baseless. There appears to be multiple ways to protect the spectrum from improper or unauthorized use. Unfortunately, but for some small and unpublished experiments, no one has actually confirmed that the paper solutions work in the real world.

All proposed solutions assume some executive component or terminal reconfiguration manager within each radio ensuring the radio obeys the rules. The reconfiguration manager can take many forms. Considering a few representative examples, it is useful to assume that national spectrum authorities and spectrum licensors can digitally sign information using public keys and a radio's reconfiguration manager can check these signatures.

The simplest solution is to have each radio download a table of acceptable configurations, digitally signed by the spectrum authorities.

from the national spectrum authority and from licensors), creating a protocol able to best use the available spectrum. A slight variation is there's both a reasoner (not trusted) and a validator (trusted), with the reasoner creating a protocol and the

h http://www.wisenet.uu.se/
i http://www.public.navy.mil/jpeojtrs/Pages/Welcome.aspx lists nine approved waveforms, reduced from an originally planned 32 waveforms.
contributed articles
same band as a strong signal, as in a TV broadcast, so regular users do not see interference, but collaborating radios distinguish between the different transmissions. Needed are richer measurement studies that test more locations and cover enough detail so software and radio engineers are able to estimate what sharing mechanisms will work well and how much bandwidth a particular radio can access and use; a first example of such a study appeared in 2010.7 More are needed.

Observe an important, though often-ignored, point in the last paragraph. The nature of wireless research is changing. The idea of simply testing how a standardized wireless protocol works under certain conditions (such as urban vs. rural) is rarely useful research. In a world in which radios can change their protocols in seconds, we must discover which protocol should run in those conditions and how a radio might learn about its environment so it can instantiate the protocol.

But even before these more sophisticated measurements are done, it is safe to say the current perceived shortage of wireless bandwidth is, in large part, a function of our inability to exploit a hugely underused spectrum.

Conclusion

Wireless is a vital piece of our data-communications present and will be an even more vital piece of the future, with software in commercial radios able to maximize that future.

Yet, looking over this article, I hope it is clear that we (computer science, radio engineering, manufacturing, and consumer and public-policy advocates) suffer from myopia. For most key topics, including radio behavior, approved use of the spectrum, and even how poorly the spectrum is used today, we have sometimes barely enough information to be excited about it and not enough to make an informed decision about how best to realize it. The point worth repeating is we are ill-prepared to make decisions about future use of wireless data communications.

We must move briskly, however, or risk missing the untapped promise of the wireless spectrum. Research is the way to fill the information gap, but in a world where low-cost software radios are beginning to appear, there's little time to do the research. Needed instead is an evolving research plan.

It helps to start with what is going right. Radio engineers are well on the way to having wonderful radio platforms on which to run software, with USRP, WNAN, and Sora leading the way.

Regulators are beginning to provide spectrum for experimentation with these radios. Ireland's spectrum regulator ComReg leads here, having both licensed spectrum for research and publicly declared its willingness in 2006 to make more spectrum available.8

The most pressing need is research into languages to describe radio behavior. Most visibly, software engineers need ways to describe a protocol to heterogeneous radios in the field such that they can immediately run the protocol. It should be possible to write a new protocol and deploy it to radios from multiple manufacturers in minutes (or at most hours, if regulatory approval is needed).

Research is also needed in ways to allow software radios to use the spectrum appropriately. Researchers have several paper solutions but only one implemented approach (incorporated into products from Shared Spectrum, http://www.sharedspectrum.com/), but there is only limited experience. Such an important problem needs more attention.

Government research agencies need to fund a few efforts to build a chipset radio. As outlined here, several challenging problems look like they might be easier to solve on a chipset radio, if we can only just build one.

There is also a need for researchers to perform richer measurements of the available spectrum to better understand how much of it is used worldwide. Furthermore, we need to understand how much available bandwidth the underused spectrum represents, meaning experiments that do not simply measure energy but that also estimate what protocols would work best in a given location and the data rates they could provide.

If done in the next five years, this research would provide the information we need to make informed choices about how to unlock the wireless spectrum for data communications. We must not delay.

Craig Partridge (craig@bbn.com) is Chief Scientist for Networking Research at Raytheon BBN Technologies, an ACM Fellow, and former chair of ACM SIGCOMM.

© 2011 ACM 0001-0782/11/09 $10.00

References
1. Ashley-Rollman, M.P., Lee, P., Goldstein, S.C., Pillai, P., and Campbell, J.D. A language for large ensembles of independently executing nodes. In Proceedings of the International Conference on Logic Programming (Pasadena, CA). Springer Verlag, Berlin, 2009, 265–280.
2. Ball, T., Bounimova, E., Cook, B., Levin, V., Lichtenberg, J., McGarvey, C., Ondrusek, B., Rajamani, S.K., and Ustuner, A. Thorough static analysis of device drivers. In Proceedings of the First ACM Sigops/Eurosys European Conference on Computer Systems (Leuven, Belgium, Apr. 18–21). ACM Press, New York, 2006, 73–85.
3. Dai, L. and Basu, P. Energy and delivery capacity of wireless sensor networks with random duty-cycles. In Proceedings of the IEEE International Conference on Communications (Istanbul, June). IEEE Press, 2006, 3503–3510.
4. Dutta, P., Kuo, Y.-S., Ledeczi, A., Schmid, T., and Volgyesi, P. Putting the software radio on a low-calorie diet. In Proceedings of ACM HOTNETS 2010 (Monterey, CA). ACM Press, New York, 2010, 20:1–20:6.
5. IEEE Std 802.11e-2005. IEEE Standard for Information Technology. Telecommunications and Information Exchange Between Systems. Local and Metropolitan Area Networks. Specific Requirements. Part 11: Wireless LAN Medium Access Control and Physical Layer Specifications. Amendment 8: Medium Access Control Quality of Service Enhancements. IEEE, Nov. 11, 2005.
6. Kaul, A. Software-defined radio: The transition from defense to commercial markets. In Proceedings of the Software Defined Radio Forum Technical Conference (Denver, Nov. 5–9, 2007); http://data.memberclicks.com/site/sdf/sdr07-13.0-001_InvitedPaper_Kaul.pdf
7. Kone, V., Yang, L., Yang, A., Zhao, B.Y., and Zheng, H. On the feasibility of effective opportunistic spectrum access. In Proceedings of the ACM Internet Measurement Conference (Melbourne, Australia, Oct. 20–22). ACM Press, New York, 2010, 151–164.
8. Lillington, K. Overcrowded airwaves mean it's time to hop ahead. The Guardian (Mar. 2, 2006).
9. McHenry, M.A. NSF Spectrum Occupancy Measurements: Project Summary. Shared Spectrum Co., Arlington, VA, Aug. 15, 2005.
10. Mitola, J. Software radios: Survey, critical evaluation, and future directions. In Proceedings of the National Telesystems Conference (May). IEEE Press, 1992.
11. Perich, F. Policy-based network management for next-generation spectrum access control. In Proceedings of the Second IEEE International Symposium on New Frontiers in Dynamic Spectrum Access Networks (Dublin, Apr. 17–20). IEEE Press, 2007, 496ff.
12. Redi, J. Energy-Conserving Protocols for Wireless Data Networks. Ph.D. Thesis, Boston University, 1998.
13. Redi, J., Kolek, S., Manning, K., Partridge, C., Rosales-Hain, R., Ramanathan, R., and Castineyra, I. JAVeLEN: An ultra-low energy ad hoc wireless network. Ad Hoc Networks 6, 1 (Jan. 2008), 108–126.
14. Santivanez, C., Ramanathan, R., Partridge, C., Krishnan, R., Condell, M., and Polit, S. Opportunistic spectrum access: Challenges, architecture, protocols. In Proceedings of the Second Annual International Wireless Internet Conference (Boston, Aug. 2–5). ACM Press, New York, 2006.
15. Sutton, P.D., Lotze, J., Lahlou, H., Fahmy, S.A., Nolan, K.E., Ozgul, B., Rondeau, T.W., Noguera, J., and Doyle, L.E. Iris: An architecture for cognitive radio networking testbeds. IEEE Communications Magazine 48, 9 (Sept. 2010), 114–122.
16. Ye, W., Heidemann, J., and Estrin, D. Medium access control with coordinated adaptive sleeping for wireless sensor networks. IEEE/ACM Transactions on Networking 12, 3 (June 2004), 493–506.
17. Zhong, S., Dolwin, C., Strohmenger, K., and Steinke, B. Performance evaluation of the functional description language in an SDR environment. In Proceedings of the Software Defined Radio Forum Technical Conference (Denver, Nov. 5–9, 2007).
Satisfiability Modulo Theories: Introduction and Applications
Figure 1. Encoding job-shop scheduling.

di,j      Machine 1   Machine 2
Job 1     2           1
Job 2     3           1
Job 3     2           3
max = 8

Encoding:
(t1,1 ≥ 0) ∧ (t1,2 ≥ t1,1 + 2) ∧ (t1,2 + 1 ≤ 8) ∧
(t2,1 ≥ 0) ∧ (t2,2 ≥ t2,1 + 3) ∧ (t2,2 + 1 ≤ 8) ∧
(t3,1 ≥ 0) ∧ (t3,2 ≥ t3,1 + 2) ∧ (t3,2 + 3 ≤ 8) ∧
((t1,1 ≥ t2,1 + 3) ∨ (t2,1 ≥ t1,1 + 2)) ∧
((t1,1 ≥ t3,1 + 2) ∨ (t3,1 ≥ t1,1 + 2)) ∧
((t2,1 ≥ t3,1 + 2) ∨ (t3,1 ≥ t2,1 + 3)) ∧
((t1,2 ≥ t2,2 + 1) ∨ (t2,2 ≥ t1,2 + 1)) ∧
((t1,2 ≥ t3,2 + 3) ∨ (t3,2 ≥ t1,2 + 1)) ∧
((t2,2 ≥ t3,2 + 3) ∨ (t3,2 ≥ t2,2 + 1))

Solution: t1,1 = 5, t1,2 = 7, t2,1 = 2, t2,2 = 6, t3,1 = 0, t3,2 = 3

with domains (such as those studied in convex optimization and term-manipulating symbolic systems). They involve the decision problem, completeness and incompleteness of logical theories, and complexity theory. Here, we explore the field of SMT and some of its applications.

Increased attention has led to enormous progress in constraint-satisfaction problems that can be solved due to innovations in core algorithms, data structures, heuristics, and the careful use of modern microprocessors. Modern SAT27 procedures can check formulas with hundreds of thousands of variables. Similar progress has been observed for SMT solvers for more commonly occurring theories, including such state-of-the-art SMT solvers as Barcelogic,8 CVC,3,7 MathSAT,10 Yices,18 and Z3.14

The annual competitions for SAT (http://www.satcompetition.org) and SMT (http://www.smtcomp.org) are a key driving force.4 An important ingredient is a common interchange format for benchmarks, called SMT-LIB,33 and the classification of benchmarks into various categories, depending on which theories are required. Conversely, a growing number of applications can generate benchmarks in the SMT-LIB format to further improve SMT solvers.

There is a relatively long tradition dating to the late 1970s of using SMT solvers in specialized contexts. One prolific case is theorem-proving systems (such as ACL226 and PVS32) that use decision procedures to discharge lemmas encountered during interactive proofs. SMT solvers have also been used for the past 15 years in the context of program verification and extended static checking21 where verification focuses on assertion checking.

Progress in the past four years in SMT solvers has enabled their use in diverse applications, including interactive theorem provers and extended static checkers, as well as in scheduling, planning, test-case generation, model-based testing and program development, static program analysis, program synthesis, and run-time analysis.

We begin by introducing an application we use as a running example.

Scheduling. Consider the classical job-shop-scheduling decision problem, involving n jobs, each composed of m tasks of varying duration that must be performed consecutively on m machines. The start of a new task can be delayed as long as needed in order for a machine to become available, but tasks cannot be interrupted once they are started. The problem involves essentially two types of constraints:

Precedence. Between two tasks in the same job; and
Resource. Specifying that no two different tasks requiring the same machine are able to execute at the same time.

Given a total maximum time max and the duration of each task, the problem consists of deciding whether there is a schedule such that the end-time of every task is less than or equal to max time units. We use di,j to denote the duration of the j-th task of job i. A schedule is specified by the start-time (ti,j) for the j-th task of every job i. The job-shop-scheduling problem can be encoded in SMT using the theory of linear arithmetic. A precedence constraint between two consecutive tasks ti,j and ti,j+1 is encoded using the inequality ti,j+1 ≥ ti,j + di,j; this inequality states that the start-time of task j + 1 must be greater than or equal to the start time of task j plus its duration. A resource constraint between two tasks from different jobs i and i′ requiring the same machine j is encoded using the formula (ti,j ≥ ti′,j + di′,j) ∨ (ti′,j ≥ ti,j + di,j), stating the two tasks do not overlap. The start time of the first task of every job i must be greater than or equal to zero, so the result is ti,1 ≥ 0. Finally, the end time of the last task must be less than or equal to max, hence ti,m + di,m ≤ max. Figure 1 is an instance of the job-scheduling problem, its encoding as a logical formula, and a solution. The logical formula combines logical connectives (conjunctions, disjunction, and negation) with atomic formulas in the form of linear arithmetic inequalities. We call it an SMT formula. The solution in Figure 1 is a satisfying assignment, a mapping from variables ti,j to values that make the formula true.

SMT-Solving Techniques

Modern SMT solvers use procedures for deciding the satisfiability of conjunctions of literals, where a literal is an atomic formula or the negation of an atomic formula. Throughout this article, we call these procedures "theory solvers." The scheduling application demonstrates that this kind of procedure alone is not sufficient in practice, because the encoding contains disjunctive sub-formulas, as in

(t1,1 ≥ t2,1 + 3) ∨ (t2,1 ≥ t1,1 + 2)

SMT solvers handle sub-formulas like this by performing case analysis, which is in the core of most automated deduction tools. Most SMT solvers rely on efficient satisfiability procedures for propositional logic (SAT solvers) for performing case analysis efficiently. A standard technique for integrating SAT solvers and theory solvers1,5,15,20,30 is described next.

SAT: A propositional core. Propositional logic is a special case of predicate logic in which formulas are built from Boolean variables, called atoms, and composed using logical connectives (such as conjunction, disjunction, and negation). The satisfiability problem for propositional logic is famously known as an NP-complete problem12 and therefore in principle computationally
intractable. Yet recent advances in efficient propositional logic algorithms have moved the boundaries for what is intractable when it comes to practical applications.27

Most successful SAT solvers are based on an approach called "systematic search." The search space is a tree with each vertex representing a Boolean variable and the out edges representing the two choices (true and false) for this variable. For a formula containing n Boolean variables, the tree has 2^n leaves. Each path from the root to a leaf corresponds to a truth assignment. A model is a truth assignment that makes the formula true. We also say the model satisfies the formula, and the formula is satisfiable.

Most search-based SAT solvers are based on the DPLL/Davis-Putnam-Logemann-Loveland algorithm.13 The DPLL algorithm tries to build a model using three main operations: decide, propagate, and backtrack. The algorithm benefits from a restricted representation of formulas in conjunctive normal form, or CNF. CNF formulas are restricted to be conjunctions of clauses, with each clause, in turn, a disjunction of literals. Recall that a literal is an atom or the negation of an atom; for example, the formula ¬p ∧ (p ∨ q) is in CNF. The operation decide heuristically chooses an unassigned atom, assigning it to true or false, and is also called branching or case-splitting. The operation propagate deduces the consequences of a partial truth assignment using deduction rules. The most widely used deduction rule is the unit-clause rule, stating that if a clause has all but one literal assigned to false and the remaining literal l is unassigned, then the only way for the clause to evaluate to true is to assign l to true. Let C be the clause p ∨ ¬q ∨ ¬r, and M the partial truth assignment {p → false, r → true}, then the only way for C to evaluate to true is by assigning q to false. Given a partial truth assignment M and a clause C in the CNF formula, such that all literals of C are assigned to false in M, then there is no way to extend M to a complete model M′ that satisfies the given formula. We say this is a conflict, and C is a conflicting clause. A conflict indicates some of the earlier decisions cannot lead to a truth assignment that satisfies the given formula, and the DPLL procedure must backtrack and try a different branch value. If a conflict is detected and there are no decisions to backtrack, then the formula is unsatisfiable; that is, it does not have a model. Many significant improvements to this basic procedure have been proposed over the years, with the main ones being lemma learning, non-chronological backtracking, and efficient indexing techniques for applying the unit-clause rule and preprocessing techniques.27

A solver for difference arithmetic. The job-shop-scheduling decision problem can be solved by combining a SAT solver with a theory solver for difference arithmetic. Difference arithmetic is a fragment of linear arithmetic, where predicates are restricted to be of the form t − s ≤ c and where t and s are variables and c a numeric constant (such as 1 and 3). Every atom in Figure 1 can be put into this form; for example, the atom t3,1 ≥ t2,1 + 3 is equivalent to the atom t2,1 − t3,1 ≤ −3. For atoms of the form s ≤ c and s ≥ c, a special fresh variable z is used. We say z is the zero variable, and the atoms are represented in difference arithmetic as s − z ≤ c and z − s ≤ −c, respectively; for example, the atom t3,2 + 3 ≤ 8 is represented in difference arithmetic as t3,2 − z ≤ 5. A set of difference arithmetic atoms can be checked efficiently for satisfiability by searching for negative cycles in weighted directed graphs. In the graph representation, each variable corresponds to a node, and an inequality of the form t − s ≤ c corresponds to an edge from s to t with weight c. Figure 2 is a subset of atoms (in difference arithmetic form) from the example in Figure 1, along with the corresponding graph. The negative cycle, with weight −2, is shown by dashed lines. The cycle corresponds to the following schedule that cannot be completed in eight time units:

task 1/job 1 → task 1/job 2 → task 1/job 3 → task 2/job 3

Recall that the scheduling problem in Figure 1 is satisfiable but requires assigning a different combination of atoms to true.

Interfacing solvers with SAT. We've outlined a theory solver for difference arithmetic and now describe how a SAT procedure interacts with this theory solver. The key idea is to create an abstraction that maps the atoms in an SMT formula into fresh Boolean variables p1, . . . , pn; for example, the formula ¬(a ≥ 3) ∧ (a ≥ 3 ∨ a ≥ 5) is translated into ¬p1 ∧ (p1 ∨ p2), where the atoms a ≥ 3 and a ≥ 5 are replaced by the Boolean variables p1 and p2, respectively. The new abstract formula can then be processed by a regular SAT procedure. If the SAT procedure finds the abstract formula to be unsatisfiable, then so, too, is the SMT formula. On the other hand, if the abstract formula is found to be satisfiable, the theory solver is used to check the model produced by the SAT procedure. The idea is that any model produced by the SAT procedure induces a set of literals; for example, {p1 → false, p2 → true} is a model for the formula ¬p1 ∧ (p1 ∨ p2), inducing the set of literals {¬(a ≥ 3), a ≥ 5} that is unsatisfiable in the theory of arithmetic. Therefore, the formula (clause) a ≥ 3 ∨ ¬(a ≥ 5) is valid in the theory of arithmetic. The abstraction of this formula is the clause p1 ∨ ¬p2. We say it is a "theory lemma," and since it is based on a valid formula from the theory of arithmetic, we can then add it to our original formula, obtaining the new formula:

Figure 2. Example of difference arithmetic.

Atoms: z − t1,1 ≤ 0, z − t2,1 ≤ 0, z − t3,1 ≤ 0, t3,2 − z ≤ 5, t3,1 − t3,2 ≤ −2, t2,1 − t3,1 ≤ −3, t1,1 − t2,1 ≤ −2.

Graph (one edge s → t with weight c per atom t − s ≤ c): t1,1 → z (0), t2,1 → z (0), t3,1 → z (0), z → t3,2 (5), t3,2 → t3,1 (−2), t3,1 → t2,1 (−3), t2,1 → t1,1 (−2). The dashed negative cycle z → t3,2 → t3,1 → t2,1 → t1,1 → z has weight 5 − 2 − 3 − 2 + 0 = −2.
se pt e mbe r 2 0 1 1 | vo l . 5 4 | n o. 9 | c o m mu n ic at i o n s o f t he ac m 71
contributed articles
ference atoms. The negation of these then, by theory propagation, the atom
¬p1 ∧ (p1 ∨ p2) ∧ (p1 ∨ ¬p2) atoms corresponds to the following t2,1 − t3,1 ≤ −3 can be assigned to false,
valid clause in difference arithmetic: thus avoiding the inconsistency (nega-
The SAT solver is executed again, tak- tive cycle) in Figure 2.
ing the new formula as input, and finds ¬(t3,1 − t3,2 ≤ −2) ∨ ¬(t2,1 − t3,1 ≤ −3) ∨
the new formula to be unsatisfiable, ¬(t1,1 − t2,1 ≤ −2) ∨ ¬(z − t1,1 ≤ 0) ∨ SMT in Software Engineering
proving the original formula ¬(a ≥ 3) ∧ ¬(t3,2 − z ≤ 5) Software developers use logical for-
(a ≥ 3 ∨ a ≥ 5) is also unsatisfiable. In mulas to describe program states and
practice, many theory lemmas are cre- This integration scheme is also known transformations between program
ated until this process converges. Note, as the “lazy offline” approach and in- states, a procedure at the core of most
too, this process always converges be- cludes many refinements; one is to software-engineering tools that ana-
cause there is a finite number of atoms, have a tighter integration between the lyze, verify, or test programs. Here, we
and, consequently, there is a finite two procedures, where the theory solv- describe a few such applications:
number of theory lemmas that can be er is used to check partial truth assign- Dynamic symbolic execution. SMT
created using them. ments being explored by the SAT solver solvers play a central role in dynamic
Given an unsatisfiable set of theory (online integration). In it, additional symbolic execution. A number of tools
literals S, we say a justification for S performance gains can be obtained if used in industry are based on dynamic
is any unsatisfiable subset J of S. Any the theory solver is incremental (new symbolic execution, including CUTE,
unsatisfiable set S is, of course, also a constraints can be added at minimal Klee, DART, SAGE, Pex, and Yogi,23 de-
justification for itself. We say a justifi- cost) and backtrackable (constraints signed to collect explored program
cation J is non-redundant if there is no can be removed at minimal cost). The- paths as formulas, using solvers to
strict subset J′ of J that is also unsatis- ory deduction rules can also be used to identify new test inputs that can steer
fiable. It is desirable to have a theory prune the search space being explored execution into new branches. SMT solv-
solver that produces non-redundant by the DPLL solver (theory propaga- ers are a good fit for symbolic execution
justifications, as they may drastically tion). In difference arithmetic, theory because the semantics of most program
reduce the search space. This observa- propagation can be implemented by statements are easily modeled using
tion follows from the fact that smaller computing the shortest distance be- theories supported by these solvers. We
sets produce smaller theory lemmas tween two nodes. Returning to the ex- later introduce the various theories that
(clauses) and consequently have fewer ample in Figure 2, assume the inequal- are used, but here we focus on connect-
satisfying assignments. ity t2,1 − t3,1 ≤ −3 is not there. Thus, the ing constraints with a solver. To illus-
Returning to the example in Figure graph on the right-hand side will not trate the basic idea of dynamic symbolic
2, the negative cycle corresponds to a contain an edge from t3,1 to t2,1 and, execution, consider the greatest com-
non-redundant unsatisfiable set of dif- consequently, the negative cycle. The mon divisor in Program 3.1, taking the
shortest distance between the nodes inputs x and y and producing the great-
Program 3.1. Greatest common divisor t2,1 and t3,1 is 1 by following the path est common divisor of x and y.
program.
Program 3.2 represents the static
t2,1 → t1,1→ z → t3,2→ t3,1 single assignment unfolding corre-
sponding to the case where the loop is
i n t GCD (int x, int y)
while (true) { This fact implies that t3,1−t2,1 ≤ 1, and exited in the second iteration. Asser-
int m = x % y; one can verify the result by adding the tions are used to enforce that the condi-
if (m == 0) return y; inequalities associated with each edge. tion of the if statement is not satisfied
x = y;
y = m;
The inequality t3,1−t2,1 ≤ 1 is equivalent in the first iteration and is in the second
} to t2,1−t3,1 ≥ −1, implying ¬(t2,1 − t3,1 ≤ iteration. The sequence of instructions
} −3). Therefore, if the SAT solver has as- is equivalently represented as a formula
signed the atoms t1,1 − t2,1 ≤ −2, z − t1,1 where the assignment statements have
≤ 0, t3,2 − z ≤ 5 and t3,1 − t3,2 ≤ −2 to true, been turned into equations.
The resulting path formula is satis-
Program 3.2. Greatest common divisor path formula. fiable. One satisfying assignment that
can be found using an SMT solver is of
the form:
int GCD (int x0, int y0) {
int m0 = x0 % y0; (m0 = x0 % y0) ∧ x0 = 2, y0 = 4, m0 = 2, x1 = 4, y1 = 2, m1 = 0
assert (m0 != 0); ¬(m0 = 0) ∧
int x1 = y0; (x1 = y0) ∧ It can be used as input to the origi-
int y1 = m0; (y1 = m0) ∧ nal program; in this example, the call
int m1 = x1 % y1; (m1 = x1 % y1) ∧ GCD(2,4) causes the loop to be entered
assert (m1 == 0); (m1 = 0)
twice, as expected.
}
Fuzz testing is a software-testing
technique that provides invalid or unex-
pected data to a program. The program
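The DPLL operations, the lazy offline loop with theory lemmas, and theory propagation by shortest distance described above, as an added example that is not code from the article or from any solver it names. A small DPLL solver (decide, unit propagation, backtracking) is paired with a difference-arithmetic theory solver that finds negative cycles with Bellman-Ford; every theory lemma is added as a clause until the loop converges. The atoms of Figure 2 and the ¬p1 ∧ (p1 ∨ p2) example are taken from the text; the tuple encoding of atoms, the node names, and the integer negation rule are assumptions of this example.

```python
# Added example (not code from the article): a miniature "lazy offline" SMT loop over
# difference arithmetic. Atom (t, s, c) means t - s <= c over the integers; "z" is the
# zero variable of the text. Literals are (atom, polarity) pairs.

INF = float("inf")

def negate(atom):
    """Over the integers, not (t - s <= c) is s - t <= -c - 1."""
    t, s, c = atom
    return (s, t, -c - 1)

def negative_cycle(atoms):
    """Return a negative cycle of the constraint graph (an unsatisfiable subset of
    the atoms) or None. Starting every node at distance 0 acts as a virtual source."""
    if not atoms:
        return None
    nodes = {v for t, s, _ in atoms for v in (t, s)}
    dist = {v: 0 for v in nodes}
    pred = {v: None for v in nodes}
    for _ in range(len(nodes)):
        changed = False
        for t, s, c in atoms:            # t - s <= c is an edge s -> t of weight c
            if dist[s] + c < dist[t]:
                dist[t], pred[t], changed, last = dist[s] + c, (t, s, c), True, t
        if not changed:
            return None                  # nothing relaxes: no negative cycle
    seen, v = [], last                   # a relaxation in round n proves a negative cycle
    while v not in seen and pred[v] is not None:
        seen.append(v)                   # walk predecessors until a node repeats
        v = pred[v][1]
    if pred[v] is None:                  # defensive: the whole set is still a justification
        return list(atoms)
    cycle, u = [], v
    while True:
        cycle.append(pred[u])
        u = pred[u][1]
        if u == v:
            return cycle

def shortest_distance(atoms, src, dst):
    """Theory propagation: a shortest distance d from src to dst implies dst - src <= d."""
    nodes = {v for t, s, _ in atoms for v in (t, s)}
    dist = {v: INF for v in nodes}
    dist[src] = 0
    for _ in range(len(nodes) - 1):
        for t, s, c in atoms:
            if dist[s] + c < dist[t]:
                dist[t] = dist[s] + c
    return dist[dst]

def dpll(clauses, assignment=None):
    """Clauses are lists of literals (atom, polarity). Returns a model dict or None."""
    assignment = dict(assignment or {})
    while True:                          # propagate: apply the unit-clause rule
        unit = None
        for clause in clauses:
            if any(assignment.get(v) == p for v, p in clause):
                continue                 # clause already true
            unassigned = [(v, p) for v, p in clause if v not in assignment]
            if not unassigned:
                return None              # conflict: every literal is false
            if len(unassigned) == 1:
                unit = unassigned[0]
                break
        if unit is None:
            break
        assignment[unit[0]] = unit[1]
    free = [v for clause in clauses for v, _ in clause if v not in assignment]
    if not free:
        return assignment
    for value in (True, False):          # decide on the first free atom; backtrack on failure
        model = dpll(clauses, {**assignment, free[0]: value})
        if model is not None:
            return model
    return None

def lazy_smt(clauses, meaning):
    """meaning maps each propositional atom to a difference atom. Returns ("sat", model)
    or ("unsat", clauses), the latter including every theory lemma that was added."""
    clauses = [list(c) for c in clauses]
    while True:
        model = dpll(clauses)
        if model is None:
            return ("unsat", clauses)
        lits = list(model.items())
        atoms = [meaning[v] if val else negate(meaning[v]) for v, val in lits]
        cycle = negative_cycle(atoms)
        if cycle is None:
            return ("sat", model)
        # theory lemma: the negation of the literals that induced the negative cycle
        clauses.append([(v, not val) for (v, val), a in zip(lits, atoms) if a in cycle])

# Constructed data: the atoms of Figure 2, e.g. t3,2 + 3 <= 8 as t3,2 - z <= 5.
FIG2 = [("z", "t1,1", 0), ("z", "t2,1", 0), ("z", "t3,1", 0), ("t3,2", "z", 5),
        ("t3,1", "t3,2", -2), ("t2,1", "t3,1", -3), ("t1,1", "t2,1", -2)]
# The text's example: p1 stands for a >= 3 (z - a <= -3), p2 for a >= 5 (z - a <= -5).
MEANING = {"p1": ("z", "a", -3), "p2": ("z", "a", -5)}
EXAMPLE = [[("p1", False)], [("p1", True), ("p2", True)]]   # not p1 and (p1 or p2)

if __name__ == "__main__":
    print(negative_cycle(FIG2))                                   # the weight -2 cycle
    without = [a for a in FIG2 if a != ("t2,1", "t3,1", -3)]
    print(shortest_distance(without, "t2,1", "t3,1"))            # 1, so t3,1 - t2,1 <= 1
    print(lazy_smt(EXAMPLE, MEANING))                             # unsat after lemma p1 or not p2
```

On the text's example the first SAT model is {p1 → false, p2 → true}; the theory solver finds the cycle between a − z ≤ 2 and z − a ≤ −5, the lemma p1 ∨ ¬p2 is added, and the second SAT call reports unsatisfiable, exactly as the article describes. The cycle returned for Figure 2 is the non-redundant justification whose negation is the clause shown above, and dropping t2,1 − t3,1 ≤ −3 gives the shortest distance 1 used for theory propagation.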
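The path-formula construction of Programs 3.1 and 3.2, as an added example that is not code from the article or from the tools it names. Running the GCD loop on concrete inputs records the SSA equations and branch literals of the path taken, and the next target path is obtained by negating the last branch outcome; bounded enumeration of small inputs stands in here for the SMT solver that a real dynamic-symbolic-execution tool would call. Variable names x0, y0, m0, ... follow Program 3.2; the helper names gcd_path, flip_last and find_input are this example's own.

```python
# Added example (not code from the article): a miniature dynamic symbolic execution of
# the GCD loop in Program 3.1. The path formula is recorded as strings in the notation
# of Program 3.2; solving is replaced by bounded search over small constructed inputs.

def gcd_path(x, y, max_iters=12):
    """Run Program 3.1 on concrete (x, y). Returns (result, path, branches): path is the
    path formula of Program 3.2 (SSA equations and branch literals in program order),
    branches the outcome of each 'm == 0' test."""
    path, branches = [], []
    for k in range(max_iters):
        m = x % y
        path.append(f"(m{k} = x{k} % y{k})")
        if m == 0:
            path.append(f"(m{k} = 0)")
            branches.append(True)
            return y, path, branches
        path.append(f"¬(m{k} = 0)")
        branches.append(False)
        path += [f"(x{k+1} = y{k})", f"(y{k+1} = m{k})"]
        x, y = y, m
    raise RuntimeError("unrolling bound reached")

def flip_last(branches):
    """The next exploration target: keep the branch prefix, negate the last outcome."""
    return branches[:-1] + [not branches[-1]]

def find_input(target, bound=50):
    """Find inputs whose run follows the target branch prefix. Bounded enumeration
    stands in for solving the path formula with an SMT solver."""
    for x in range(1, bound + 1):
        for y in range(1, bound + 1):
            try:
                if gcd_path(x, y)[2][:len(target)] == target:
                    return (x, y)
            except RuntimeError:
                continue
    return None

if __name__ == "__main__":
    result, path, branches = gcd_path(2, 4)          # the article's GCD(2,4): loop entered twice
    print(result, " ∧ ".join(path))
    print(find_input(flip_last(branches)))           # inputs that force a third iteration
```

For GCD(2,4) the recorded path is exactly the conjunction shown in Program 3.2, and flipping its last branch asks for inputs on which the loop runs a third time.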
symbolic execution finds input that can guide execution into bugs. This method alone does not guarantee that programs are free of all the errors being checked for. The goal of program model checking tools is to automatically check for freedom from selected categories of errors. The idea is to explore all possible executions using a finite and sufficiently small abstraction of the program state space. The tools BLAST,25 SDV,2 and SMV from Cadencea perform program model checking. Both SDV and SMV are used as part of commercial tool offerings. The program fragment in Program 3.3 is an example of finite-state abstraction, accessing requests using GetNextRequest. The call is protected by a lock. A question is whether it is possible to exit the loop without having a lock. The program has a very large, potentially unbounded, number of states, since the value of the program variable count can grow arbitrarily.

However, from the point of view of locking, the actual values of count and old_count are not interesting. On the other hand, the relationship between these program variables contains useful information. Program 3.4 is a finite-state abstraction of the same locking program. The Boolean variable b encodes the relation count == old_count. In it, we use the symbol ∗ to represent a Boolean expression that nondeterministically evaluates to true or false. The abstract program contains only Boolean variables, thus a finite number of states. We can now explore the finite number of branches of the abstract program to verify the lock is always held when exiting the loop.

SMT solvers are used for constructing finite-state abstractions, like the one in Program 3.4. Abstractions can be created through several approaches; in one, each statement in the program

a http://www.kenmcmil.com

[Pull quote, beginning not extracted:] … propositional logic (SAT solvers) for performing case analysis efficiently.

Program 3.3. Processing requests using locks.

    do {
      lock();
      old_count = count;
      request = GetNextRequest();
      if (request != NULL) {
        unlock();
        ProcessRequest(request);
        count = count + 1;
      }
    } while (old_count != count);
    unlock();

Program 3.4. Processing requests using locks, abstracted.

    do {
      lock();
      b = true;
      request = GetNextRequest();
      if (request != NULL) {
        unlock();
        ProcessRequest(request);
        if (b) b = false; else b = ∗;
      }
    } while (!b);
    unlock();

which is equivalent to checking unsatisfiability of the negation

count == old_count ∧ count+1 == old_count

The theorem says if the current value of b is true, then after executing the statement count = count + 1, the value of b will be false. Note that if b is false, then neither of the following conjectures is valid:

count != old_count → count+1 == old_count
count != old_count → count+1 != old_count

In each, an SMT solver will produce a model for the negation of the conjecture. Therefore, the model is a counterexample of the conjecture, and when the current value of b is false, nothing can be said about its value after the execution of the statement. The result of these three proof attempts is then used to replace the statement count = count + 1; by if (b) b = false; else b = *;. A finite state model checker can now be used on the Boolean program and will establish that b is always true when control reaches this statement, verifying that calls to lock() are balanced with calls to unlock() in the original program.

Static program analysis. Static program analysis tools work like dynamic-symbolic-execution tools, checking feasibility of program paths. On the other hand, they never require executing programs and can analyze software libraries and utilities independently of how they are used. One advantage of using modern SMT solvers in static program analysis is they accurately capture the semantics of most basic operations used by mainstream programming languages. The program fragment in Program 3.5 illustrates the need for static program analysis to use bit-precise reasoning, searching for an index in a sorted array arr containing a key.

Program 3.5. Binary search.

    int binary_search(
        int[] arr, int low, int high, int key) {
      assert (low > high || 0 <= low < high);
      while (low <= high) {
        //Find middle value
        int mid = (low + high)/2;
        assert (0 <= mid < high);
        int val = arr[mid];
        //Refine range
        if (key == val) return mid;
        if (val > key) high = mid-1;
        else low = mid+1;
      }
      return -1;
    }

The assert statement is a precondition for the procedure, restricting the input to fall within the bounds of the array arr. The program performs several operations involving arithmetic, so a theory and corresponding solver that understands arithmetic is arguably a good match. However, it is important for software-analysis tools to take into account that languages (such as Java, C#, and C/C++) all use fixed-width bit-vectors as representation for values of type int, meaning the accurate theory for int is two-complements modular arithmetic. Assuming a bit-width of 32b, the maximal positive 32b integer is 2^31 − 1, and the smallest negative 32b integer is −2^31. If both low and high are 2^30, low + high evaluates to 2^31, which is treated as the negative number −2^31. The presumed assertion 0 ≤ mid < high does therefore not hold. Fortunately, several modern SMT solvers support the theory of “bit-vectors,” accurately capturing the semantics of modular arithmetic. The bug does not escape an analysis based on the theory of bit-vectors. Such analysis would check that the array read arr[mid] is within bounds during the first iteration by checking the formula

(low > high ∨ 0 ≤ low < high < arr.length) ∧ (low ≤ high → 0 ≤ (low + high)/2 < arr.length)

As in the case of code fragment 3.5, the formula is not valid. The values low = high = 2^30, arr.length = 2^30 + 1 provide a counterexample. The use of SMT solvers for bit-precise static-analysis tools is an active area of research and development in Microsoft Research. Integration with the solver Z314 and the static analysis tool PREfix led to the automatic discovery of several overflow-related bugs in Microsoft’s codebase.

Program verification. The ideal of verified software is a long-running quest since Robert Floyd and C.A.R. Hoare introduced (in the late 1960s) program verification by assigning logical assertions to programs. Extended static checking uses the methods developed for program verification but in the more limited context of checking absence of runtime errors. The SMT solver Simplify16 was developed in the context of the extended static-checking systems ESC/Modula 3 and ESC/Java.21 This work was and continues to be the inspiration for several subsequent verification tools, including Why19 and Boogie.3 These systems are actively used as bridges from several different front ends to SMT-solver back ends; for example, Boogie is used as a back end for systems that verify code from languages (such as an extended version of C# called Spec#), as well as low-level systems code written in C. Current practice indicates that a lone software developer can drive these tools to verify properties of large codebases with several hundred thousand lines of code. A more ambitious project is the Verifying C-Compiler system,11 targeting functional correctness properties of Microsoft’s Viridian Hyper-Visor. The Hyper-Visor is a relatively small (100,000 lines) operating-system layer, yet formulating and establishing correctness properties is a challenge. The entire verification effort for this layer is estimated by Microsoft to take around 60 programmer years.

Program-verification applications often use theories not already supported by existing specialized solvers but that are supported indirectly using axiomatizations with quantifiers. As an example of such a theory, in object-oriented-type systems used for Java and C#, it is the case that objects are related using a single inheritance scheme; that is, every object inherits from at most one unique immediate parent. To illustrate the theory, let array-of(x) be the array type constructor for arrays of values of type x. In some programming languages, if x is a subtype of y, then array-of(x) is a subtype of array-of(y). In this case, we say arrays behave in a monotone way with respect to inheritance. Using first-order axioms, we specify in Figure 3 that the inheritance relation sub(x, y) is a partial order satisfying the single inheritance property and that the array type constructor array-of(x) is monotone with respect to inheritance.

Figure 3. Axioms for sub.

(∀x: sub(x, x))
(∀x,y,z: sub(x, y) ∧ sub(y, z) → sub(x, z))
(∀x,y: sub(x, y) ∧ sub(y, x) → x = y)
(∀x,y,z: sub(x, y) ∧ sub(x, z) → sub(y, z) ∨ sub(z, y))
(∀x,y: sub(x, y) → sub(array-of(x), array-of(y)))

The theory of object inheritance illustrates why SMT solvers targeted at expressive program analysis benefit from general support for quantifiers.

All the applications we have treated so far also rely on a fundamental theory we have not described: the theory of equality and free functions. The axioms used for object inheritance used the binary predicate sub and the function array-of. All we know about array-of is that it is monotone over sub, and, for this reason, we say the function is free. Decision procedures for free functions are particularly important because it is often possible to reduce decision problems to queries over free functions. Given a conjunction of equalities between terms using free functions, a congruence closure algorithm can be used to represent the smallest set of implied equalities. This representation can help check if a mixture of equalities and disequalities are satisfiable, checking that the terms on both sides of each disequality are in different equivalence classes. Efficient algorithms for computing congruence closure are the subject of long-running research17 in which terms are represented as directed acyclic graphs, or DAGS. Figure 4 outlines the operation of a congruence closure algorithm on the following limited example

a = b, b = c, f(a, g(a)) ≠ f(b, g(c))

Figure 4. Example of congruence closure. [Panels (a)–(d): term DAGs over the nodes a, b, c, g, f; the drawings are not reproduced here.]

In Figure 4(a), we spelled out a DAG for all terms in the example; in Figure 4(b), the equivalences a = b and b = c are represented by dashed lines; in Figure 4(c), nodes g(a) and g(c) are congruent because a = c is implied by the first two equalities; and finally, in Figure 4(d), nodes f(a, g(a)) and f(b, g(c)) are also congruent, hence the example is unsatisfiable due to the required disequality f(a, g(a)) ≠ f(b, g(c)).

Modeling. SMT solvers represent an interesting opportunity for high-level software-modeling tools. In some contexts these tools use domains from mathematics (such as algebraic datatypes, arrays, sets, and maps) and have also been the subject of long-running research in the context of SMT solvers. Here, we introduce the array domain that is frequently used in software modeling.

The theory of arrays was introduced by John McCarthy in a 1962 paper28 as part of forming a broader agenda for a calculus of computation. It included two functions: read and write. The term read(a, i) produces the value of array a at index i, and the term write(a, i, v) produces an array equal to a, except for possibly index i, which maps to v. To make the terminology closer to how arrays are read in programs, we write a[i] instead of read(a, i). These properties are summarized through two equations:

write(a, i, v)[i] = v
write(a, i, v)[j] = a[j] for i ≠ j

They state that the result of reading write(a, i, v) at index j is v for i = j. Reading the array at any other index produces the same value as a[j]. Consider, for example, the program swap, swapping the entries a[i] and a[j].

    {
      int tmp = a[i];
      a[i] = a[j];
      a[j] = tmp;
    }

The statement that a[i] contains the previous value of a[j] can be expressed as

a[j] = write(write(a, i, a[j]), j, a[i])[i]
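The overflow in Program 3.5 discussed above, as an added example that is not code from the article: 32-bit two’s-complement wraparound is reproduced in Python so that the midpoint computation of Program 3.5 can be compared with an overflow-free one, and the article’s bounds condition for the first iteration, 0 ≤ (low + high)/2 < arr.length, is checked with both. The values low = high = 2^30 and arr.length = 2^30 + 1 are the article’s; the helper names, the small sample array, and the truncating-division emulation are this example’s assumptions.

```python
# Added example (not code from the article): the integer-overflow bug of Program 3.5 made
# concrete by emulating a C/Java 32-bit int, next to the safe midpoint computation.

def to_int32(v):
    """Wrap a Python integer to 32-bit two's complement, as a C or Java int would."""
    v &= 0xFFFFFFFF
    return v - (1 << 32) if v & 0x80000000 else v

def mid_naive(low, high):
    """The midpoint of Program 3.5: the sum wraps before the (truncating) division."""
    s = to_int32(low + high)
    q = abs(s) // 2
    return -q if s < 0 else q

def mid_safe(low, high):
    """Overflow-free midpoint: high - low stays in range whenever 0 <= low <= high."""
    return low + (high - low) // 2

def first_read_in_bounds(low, high, length, mid=mid_naive):
    """The article's check for an entered first iteration: 0 <= mid < arr.length."""
    return 0 <= mid(low, high) < length

def binary_search(arr, key, mid=mid_safe):
    """Program 3.5 with the branch directions corrected and a pluggable midpoint."""
    low, high = 0, len(arr) - 1
    while low <= high:
        m = mid(low, high)
        val = arr[m]
        if key == val:
            return m
        if val > key:
            high = m - 1
        else:
            low = m + 1
    return -1

if __name__ == "__main__":
    low = high = 2**30                      # constructed: the article's overflow values
    print(to_int32(low + high))             # -2147483648: 2^31 wraps to -2^31
    print(mid_naive(low, high), mid_safe(low, high))
    print(first_read_in_bounds(low, high, 2**30 + 1))                # False
    print(first_read_in_bounds(low, high, 2**30 + 1, mid=mid_safe))  # True
```

With the naive midpoint the index becomes −2^30, an out-of-bounds read that a purely integer-arithmetic analysis would not flag; the bit-vector check reports it, and the `low + (high − low)/2` form removes the wraparound without changing results on ordinary inputs.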
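Congruence closure on the example of Figure 4 and the read-over-write equations of the array theory on the swap program, both discussed above, as one added example that is not code from the article. Terms are nested tuples forming the DAG, equivalence classes are kept in a union-find structure, and whenever two classes merge the terms that use them are re-checked for equal signatures (same function symbol, same argument classes). The array part normalizes read(write(a, i, v), j) with the two equations of the text, given which index pairs are known to be distinct. The class and function names are this example’s own.

```python
# Added example (not code from the article): congruence closure over a term DAG, run on
# the article's example a = b, b = c, f(a, g(a)) ≠ f(b, g(c)), followed by the two
# read-over-write equations of McCarthy's array theory applied to the swap program.
# Terms are nested tuples: ("f", ("a",), ("g", ("a",))) stands for f(a, g(a)).

class CongruenceClosure:
    def __init__(self):
        self.parent = {}      # union-find over terms (a term is its own node in the DAG)
        self.uses = {}        # class representative -> terms that have a member as argument

    def add_term(self, term):
        if term in self.parent:
            return
        self.parent[term] = term
        self.uses[term] = []
        for arg in term[1:]:
            self.add_term(arg)
            self.uses[self.find(arg)].append(term)

    def find(self, term):
        while self.parent[term] != term:
            self.parent[term] = self.parent[self.parent[term]]   # path halving
            term = self.parent[term]
        return term

    def signature(self, term):
        """Function symbol plus the classes of the arguments; equal signatures are congruent."""
        return (term[0],) + tuple(self.find(arg) for arg in term[1:])

    def merge(self, s, t):
        """Assert s = t and propagate congruences until no further user terms become equal."""
        self.add_term(s)
        self.add_term(t)
        pending = [(s, t)]
        while pending:
            x, y = pending.pop()
            rx, ry = self.find(x), self.find(y)
            if rx == ry:
                continue
            users = self.uses[rx] + self.uses[ry]   # terms whose signature may change
            self.parent[rx] = ry
            self.uses[ry] = users
            by_signature = {}
            for u in users:
                other = by_signature.setdefault(self.signature(u), u)
                if other is not u and self.find(other) != self.find(u):
                    pending.append((other, u))      # congruent: f(x) = f(y) because x = y

    def equal(self, s, t):
        return self.find(s) == self.find(t)

def satisfiable(equalities, disequalities):
    """A conjunction of (dis)equalities over free functions is satisfiable iff no
    disequality has both sides in the same class after congruence closure."""
    cc = CongruenceClosure()
    for s, t in disequalities:            # register every term before merging
        cc.add_term(s)
        cc.add_term(t)
    for s, t in equalities:
        cc.merge(s, t)
    return all(not cc.equal(s, t) for s, t in disequalities)

def read_over_write(term, distinct):
    """Normalize read(write(a, i, v), j) with the article's two equations:
    write(a, i, v)[i] = v and write(a, i, v)[j] = a[j] for i ≠ j. 'distinct' is a set
    of index pairs known to differ; a read whose indices may coincide is left as is."""
    if term[0] != "read" or term[1][0] != "write":
        return term
    _, (_, a, i, v), j = term
    if i == j:
        return read_over_write(v, distinct)
    if (i, j) in distinct or (j, i) in distinct:
        return read_over_write(("read", a, j), distinct)
    return term

if __name__ == "__main__":
    a, b, c = ("a",), ("b",), ("c",)
    fa, fb = ("f", a, ("g", a)), ("f", b, ("g", c))
    print(satisfiable([(a, b), (b, c)], [(fa, fb)]))          # False: the example is unsat
    A, I, J = ("a",), ("i",), ("j",)
    swap = ("write", ("write", A, I, ("read", A, J)), J, ("read", A, I))
    print(read_over_write(("read", swap, I), {(I, J)}))       # ('read', ('a',), ('j',))
```

The merge of b into c makes g(a) and g(c) congruent, which in turn makes f(a, g(a)) and f(b, g(c)) congruent, so the disequality fails and the example is unsatisfiable, as Figure 4(d) shows. For the swap program, reading the final array at i first passes the outer write (i ≠ j) and then hits the inner write at the same index, yielding a[j], which is the equation stated above.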
The advent in the late-1990s of efficient methods for propositional search allowed viewing the theory combination problem from a different, more advantageous perspective. The delayed theory combination9 method creates one atomic equality for every pair of variables shared between solvers. These additional atomic equalities are assigned to true or false by a SAT solver. In this approach, the SAT solver is used to guess the correct equalities between shared variables. If the theory solvers disagree with the (dis)equalities, then the conflict causes the SAT solver to backtrack. The approach is oblivious to whether or not theories are convex.

Delayed theory combination potentially pollutes the search space with a large number of mostly useless new atomic equalities. The “Model-based theory combination” method14 allows more efficient handling of convex and non-convex theories, asking the solvers to generate a model. The atomic equality predicates are created only if two shared variables are equal in a model.

Conclusion
Over the past 10 years, SMT has become the core engine behind a range of powerful technologies and an active, exciting area of research with many practical applications. We have presented some of the basic ideas but did not cover many details and heuristics; other recent topics in SMT research6 include proof-checking, integration with first-order quantifiers, quantifier elimination methods, and extraction of so-called Craig interpolant formulas from proofs. We also did not cover several existing and emerging applications, including sophisticated run-time analysis of real-time embedded systems,b estimating asymptotic run-time bounds of programs, and program synthesis.

SMT-solving technologies have had a positive effect on a number of application areas, providing rich feedback in terms of experimental data. The progress in the past six years has relied heavily on experimental evaluations that uncovered new theoretical challenges, including better representations and algorithms, efficient methods for combining procedures, theories for quantifier reasoning, and various extensions to the basic search method.

b http://www.eecs.berkeley.edu/~sseshia/research/embedded.html

References
1. Audemard, G., Bertoli, P., Cimatti, A., Kornilowicz, A., and Sebastiani, R. A SAT-based approach for solving formulas over Boolean and linear mathematical propositions. In Proceedings of the Conference on Automated Deduction, Vol. 2392 of LNCS (Copenhagen, July 27–30). Springer-Verlag, Berlin, 2002.
2. Ball, T. and Rajamani, S.K. The SLAM project: Debugging system software via static analysis. (Symposium on Principles of Programming Languages). SIGPLAN Notices 37, 1 (Jan. 16–18, 2002), 1–3.
3. Barnett, M., Leino, K.R.M., and Schulte, W. The Spec# programming system: An overview. In Proceedings of the International Workshop on Construction and Analysis of Safe, Secure and Interoperable Smart Devices, LNCS 3362 (Marseille, Mar. 10–13). Springer-Verlag, Berlin, 2005, 49–69.
4. Barrett, C., de Moura, L., and Stump, A. Design and results of the first Satisfiability Modulo Theories Competition. Journal of Automated Reasoning 35, 4 (Nov. 2005), 372–390.
5. Barrett, C., Dill, D., and Stump, A. Checking satisfiability of first-order formulas by incremental translation to SAT. In Proceedings of the International Conference on Computer Aided Verification (Copenhagen, July 27–31). Springer-Verlag, Berlin, 2002, 236–249.
6. Barrett, C., Sebastiani, R., Seshia, S.A., and Tinelli, C. Satisfiability Modulo Theories, Vol. 185 of Frontiers in Artificial Intelligence and Applications, Chapter 26. IOS Press, Feb. 2009, 825–885.
7. Barrett, C. and Tinelli, C. CVC3. In Proceedings of the 19th International Conference on Computer Aided Verification, Vol. 4590 of LNCS, W. Damm and H. Hermanns, Eds. (Berlin, July 3–7). Springer-Verlag, Berlin, 2007, 298–302.
8. Bofill, M., Nieuwenhuis, R., Oliveras, A., Rodríguez Carbonell, E., and Rubio, A. The Barcelogic SMT Solver. In Proceedings of the 20th International Conference on Computer Aided Verification, Vol. 5123 of LNCS, A. Gupta and S. Malik, Eds. (Princeton, July 7–14). Springer-Verlag, Berlin, 2008, 294–298.
9. Bozzano, M., Bruttomesso, R., Cimatti, A., Junttila, T.A., Ranise, S., van Rossum, P., and Sebastiani, R. Efficient satisfiability modulo theories via delayed theory combination. In Proceedings of the International Conference on Computer Aided Verification, Vol. 3576 of LNCS, K. Etessami and S. K. Rajamani, Eds. (Edinburgh, July 6–12). Springer-Verlag, Berlin, 2005, 335–349.
10. Bruttomesso, R., Cimatti, A., Franzén, A., Griggio, A., and Sebastiani, R. The MathSAT 4 SMT Solver. In Proceedings of the 18th International Conference on Computer Aided Verification, Vol. 5123 of LNCS. Springer-Verlag, Berlin, 2008.
11. Cohen, E., Dahlweid, M., Hillebrand, M., Leinenbach, D., Moskal, M., Santen, T., Schulte, W., and Tobies, S. VCC: A practical system for verifying concurrent C. In Proceedings of the International Conference on Theorem Proving in Higher Order Logics (Munich, Aug. 17–20). Springer-Verlag, Berlin, 2009, 23–42.
12. Cook, S.A. The complexity of theorem-proving procedures. In Proceedings of the Third Annual ACM Symposium on Theory of Computing (May 3–5). ACM Press, New York, 1971, 151–158.
13. Davis, M., Logemann, G., and Loveland, D. A machine program for theorem proving. Commun. ACM 5, 2 (July 1962), 394–397.
14. de Moura, L. and Bjørner, N. Z3: An efficient SMT solver. In Proceedings of the International Conference on Tools and Algorithms for the Construction and Analysis of Systems, Vol. 4963 of LNCS, C.R. Ramakrishnan and J. Rehof, Eds. (Budapest, Mar. 29–Apr. 6). Springer-Verlag, Berlin, 2008, 337–340.
15. de Moura, L. and Rueß, H. Lemmas on demand for satisfiability solvers. In Proceedings of the International Conference on Theory and Applications of Satisfiability Testing (Cincinnati, May 6–9, 2002).
16. Detlefs, D., Nelson, G., and Saxe, J.B. Simplify: A theorem prover for program checking. Journal of the ACM 52, 3 (May 2005), 365–473.
17. Downey, P.J., Sethi, R., and Tarjan, R.E. Variations on the common subexpression problem. Journal of the ACM 27, 4 (Oct. 1980), 758–771.
18. Dutertre, B. and de Moura, L. A fast linear-arithmetic solver for DPLL(T). In Proceedings of the 16th International Conference on Computer Aided Verification, Vol. 4144 of LNCS (Seattle, Aug. 17–20). Springer-Verlag, Berlin, 2006, 81–94.
19. Filliâtre, J.-C. Why: A Multi-Language Multi-Prover Verification Tool. Technical Report 1366, Université Paris Sud, 2003.
20. Flanagan, C., Joshi, R., Ou, X., and Saxe, J.B. Theorem proving using lazy proof explication. In Proceedings of the 15th International Conference on Computer Aided Verification (Boulder, CO, July 8–12). Springer-Verlag, Berlin, 2003, 355–367.
21. Flanagan, C., Leino, K.R.M., Lillibridge, M., Nelson, G., Saxe, J.B., and Stata, R. Extended static checking for Java. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (Berlin, June 17–19). ACM Press, New York, 2002, 234–245.
22. Ghilardi, S., Nicolini, E., and Zucchelli, D. A comprehensive framework for combined decision procedures. In Proceedings of the Fifth International Workshop on Frontiers of Combining Systems, Vol. 3717 of LNCS, B. Gramlich, Ed. (Vienna, Sept. 19–21). Springer-Verlag, Berlin, 2005, 1–30.
23. Godefroid, P., de Halleux, J., Nori, A.V., Rajamani, S.K., Schulte, W., Tillmann, N., and Levin, M.Y. Automating software testing using program analysis. IEEE Software 25, 5 (Sept./Oct. 2008), 30–37.
24. Grieskamp, W., Kicillof, N., MacDonald, D., Nandan, A., Stobie, K., and Wurden, F.L. Model-based quality assurance of Windows protocol documentation. In Proceedings of the First International Conference on Software Testing, Verification, and Validation (Lillehammer, Norway, Apr. 9–11). IEEE Computer Society Press, 2008, 502–506.
25. Henzinger, T.A., Jhala, R., Majumdar, R., and Sutre, G. Software verification with BLAST. In Proceedings of the 10th International SPIN Workshop, Vol. 2648 of LNCS, T. Ball and S. R. Rajamani, Eds. (Portland, May 9–10). Springer-Verlag, Berlin, 2003, 235–239.
26. Kaufmann, M., Manolios, P., and Moore, J.S. Computer-Aided Reasoning: An Approach. Kluwer Academic, June 2000.
27. Malik, S. and Zhang, L. Boolean satisfiability from theoretical hardness to practical success. Commun. ACM 52, 8 (Aug. 2009), 76–82.
28. McCarthy, J. Towards a mathematical science of computation. In Congress of the International Federation for Information Processing, 1962, 21–28.
29. Nelson, G. and Oppen, D.C. Simplification by cooperating decision procedures. ACM Transactions on Programming Languages and Systems 1, 2 (Oct. 1979), 245–257.
30. Nieuwenhuis, R., Oliveras, A., and Tinelli, C. Solving SAT and SAT modulo theories: From an abstract Davis–Putnam–Logemann–Loveland procedure to DPLL(T). Journal of the ACM 53, 6 (Nov. 2006), 937–977.
31. Oppen, D.C. Complexity, convexity and combinations of theories. Theoretical Computer Science 12, 3 (1980), 291–302.
32. Owre, S., Rushby, J.M., and Shankar, N. PVS: A prototype verification system. In Proceedings of the 11th International Conference on Automated Deduction (Saratoga, NY, June 15–18). Springer-Verlag, Berlin, 1992, 748–752.
33. Ranise, S. and Tinelli, C. The Satisfiability Modulo Theories Library (SMT-LIB), 2006; http://www.SMT-LIB.org
34. Tinelli, C. and Zarba, C.G. Combining nonstably infinite theories. Journal of Automated Reasoning 34, 3 (Apr. 2005), 209–238.

Leonardo de Moura (leonardo@microsoft.com) is a senior researcher in the Software Reliability Research group at Microsoft Research, Redmond, WA.

Nikolaj Bjørner (nbjorner@microsoft.com) is a senior researcher in the Foundations of Software Engineering group at Microsoft Research, Redmond, WA.

© 2011 ACM 0001-0782/11/09 $10.00
review articles
doi:10.1145/1995376.1995396

Quantitative Analysis of Real-Time Systems Using Priced Timed Automata

Timed automata and their extensions allow for analysis of a wide range of performance and optimization problems.

by Patricia Bouyer, Uli Fahrenberg, Kim G. Larsen, and Nicolas Markey

Prominent examples range from reliability and efficient use of communication resources in a telecommunication network to the allocation of tracks in a continental railway network, from scheduling the usage of computational resources on a chip for durations of nano-seconds to the weekly, monthly, or longer-range reactive planning in a factory or a supply chain. These problems have been subject to substantial research for decades by different communities such as operational research, computer systems performance evaluation as well as planning and scheduling, witnessed by large communities such as ACM SIGMETRICS. In this article we argue the formalism of timed automata together with recent extensions provides an alternative framework with complementary, yet competitive, results in terms of modeling capabilities and efficiency of analysis.

Timing: Twenty years ago, R. Alur and D. Dill introduced the notion of timed automata. As a witness for the importance of the formalism one may consider the 2008 Computer-Aided Verification Award given to Alur and Dill for their seminal 1990 article Automata for modeling real-time systems,5 which provided the theoretical foundation for the computer-aided verification of real-time systems.

Real-time systems and resource allocation problems have manifested themselves under different names in application domains such as manufacturing, transport, communication networks, embedded systems, and digital circuits, and have been treated using theories and methods in several disciplines. Most of these applications involve distributed, reactive systems of considerable complexity, and with a number of real-time constraints in the sense that correctness not only depends on the logical ordering of events of the systems, but also on the relative timing between these. State-based models have been the basis of a wide range of successful computer-supported verification

key insights
- Timed automata and their priced and game extensions provide a mathematically beautiful formalism for modeling real-time systems, allowing constraints on quantitative aspects such as time, power, memory, and bandwidth to be easily expressed.
- Embedded software engineers should be following the potential capabilities of priced timed automata and their algorithmic support, as it paves the way for the effective handling of quantitative constraints in model-driven development of real-time systems.

Figure 1. Several refinements of a model (a) of the working mathematician according to Erdős: after insertion of a coin into the coffee dispenser, coffee can be collected, and the scientist can go back to work. In the timed-automaton model (b), precisely five time units pass between coin insertion and coffee collection, and the time which passes between coin insertion and going back to work is less than 10 time units. In the priced timed automaton (c), cost rates (modeling, for example, energy consumption) are associated with the three states. In the timed game (d), uncertainty as to precisely when coffee is delivered is modeled as an uncontrolled edge.

timed automata has been put forward as a formalism allowing for such additional and time-dependent quantities to be modeled, without hampering efficient analysis and even permitting optimization.

Uncertainty: Classical models for scheduling in manufacturing, such as job-shop problems, are somewhat detached from industrial practice and reality. They assume that the duration of every step as well as the arrival times are fixed and known with certainty; in practice however, it is rarely the case that a schedule is executed as planned. For solving problems related to expected time and performance properties, stochastic process models have been

valued variables called clocks. These clocks all increase at the same rate, and their values can be used to restrict availability of transitions and how long one can stay in a location (or state). Also, clocks can be reset to zero when a transition is taken. To this end, each transition has associated with it a guard (which must be satisfied for the transition to be enabled) and a set of clocks to be reset, and each location carries an invariant that must be continuously satisfied when the system is in the location. Below we show an example of a timed automaton with two clocks x and y, and label set {a, b, c, d, e}. Note that no time can elapse in location l1 due
methodologies allowing the efficient very successful. When aiming at guar- to the invariant ( y = 0); locations with
prediction of functional properties, anteed time and performance proper- this property are called urgent.
for example, absence of deadlock or ties under uncertainty, so-called timed 2 =2
memory overflow. However, many of games may be used instead. They provide
≤2 :=0
the models used in this methodology efficient offline algorithms for synthe- 0 1
are purely discrete and their treatment sizing reactive schedulers with perfor- ( =0)
=2
of time is purely qualitative, that is, be- mance guarantees. Such algorithms 3
haviors are just sequences of events ap- can plan for the best or worst case, but Guards and invariants are given
pearing one after the other but without the scheduling strategies they produce as comparisons x ≤ a or x < a, or the
any quantitative timing information are adaptive and can take advantage, reverse relations, of a clock value with
about the duration of actions and the for example, of the fact that a task has an integer constant, or as conjunctions
time between events. Timed automata terminated before it was expected to. of these. Sometimes also so-called
allow such timing constraints to be ex- In this article we present the formal- diagonal constraints x − y ≤ a (or < or
pressed, while being amenable to com- ism of timed automata and its priced other) are allowed, but other exten-
puter-aided analysis methods such as and game extension as a unifying sions quickly lead to undecidability
simulation, verification, optimization, mathematical framework for the mod- issues, see below.
and controller synthesis. eling, analysis, optimization, and syn- A configuration of the system is
Performance: In all of the above thesis of real-time related phenomena. made of a location and a clock valua-
applications, an explicit constraint Figure 1 shows some simple examples tion (in our case, values for both clocks
on timing is only one of a number of of these formalisms; later we provide x and y). A possible execution in our
quantitative aspects of importance. more elaborate and realistic examples example is:
Within embedded systems addition- and case studies.
al key quantities include energy and
memory consumption, in communi- Timed Automata
cation networks required bandwidth A model for time. Timed automata5
is a key quantity, and within the facto- are a powerful model for represent-
ry and supply chain applications need ing and reasoning about systems
for storage and overall cost for a given where the notion of time is essen-
production are crucial quantities. The tial. They are an extension of classi- where the first component of a configu-
extended notion of priced or weighted cal finite-state automata with real- ration is the location and the second
80 communications of th e ac m | s e pt e m b e r 2 0 1 1 | vo l . 5 4 | n o. 9
review articles
and third components give the values of clocks x and y, respectively. This execution corresponds to a delay of 1.3 time units in l0, the firing of transition a (which is enabled because the value of clock x is less than two; clock y is then set to 0), the firing of transition c (which occurs without delay as l1 is urgent), etc.

In the context of verification, several problems are of interest, like the model-checking of safety properties (“Can a distinguished set of states be avoided?”), reachability/liveness properties (“Can/will a distinguished goal state be reached?”), or more involved properties such as response properties (“Is any request eventually granted?”). As a model for real-time systems, these properties can include quantitative constraints, for instance time-bounded reachability, or time-bounded response properties (“Is any request granted within two minutes?”). It is also relevant to compute optimal time bounds

ing of the state space such that states within a given region are bisimilar, that is, behaviorally indistinguishable.

The precise definition of regions is such that inside a region, integral parts of clock values do not change, and also the ordering of clocks according to their values’ fractional parts stays the same. Special consideration has to be given to the cases where one or more clock values are integers, and finiteness of the region partitioning is ensured by considering as equivalent all clock values that exceed the maximal constant appearing in guards and invariants of the timed automaton in question. In the left part of Figure 2 we show the 44 regions for two clocks x and y with maximal constant equal to two. In this two-clock case, regions can be points (both clocks have integer values), open line segments (one clock has integer value, or their fractional parts are equal), open triangles, or open unbounded rectangles.

Hence, verification of those properties on the original timed automaton can be transferred to the finite region automaton and then checked using standard algorithms.

The limits of the region abstraction. Not all properties can be decided on timed automata using the region abstraction, and problems such as checking inclusion (“Are all real-time behaviors of a timed automaton also behaviors of another timed automaton?”) and universality (“Can all real-time behaviors be realized in a given timed automaton?”) are undecidable. Also, the set of real-time behaviors exhibited by timed automata is not closed under complement, and not all timed automata are determinizable. As a counterexample for these properties, one can use the following timed automaton:

[Figure: timed automaton with locations l0 and l1; labels recovered from the extraction: a reset ":= 0" and a guard "= 1".]

Figure 2. The region abstraction is a finite representation of all possible behaviors of the timed automaton. Consider the timed automaton on top of the picture, and assume we enter location l1 with clock values (x0, y0) for which 0 < y0 < x0 < 1 (a point in the red triangle, see the picture on the left); as clock y has value strictly less than 1, we have the option to switch to location l2, which would reset clock x and end up in the purple region. We also have the option to delay in l1; in that case, we exit the red triangle and reach the orange line. Here again we have two options: switching to l2, or delaying to the yellow clock region. In case we still decide to wait in that region, we reach the green line. From that region on, the transition to l2 is not enabled anymore. This description of the possible behaviors starting from the red region, which has been represented on the picture to the right, does not depend on the precise values of the clocks: region equivalence preserves enough information to encode exactly the behaviors of the underlying timed automaton.
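The region construction just described, as an added Python example (this is not code from the article or from any tool it mentions): it computes the region of a clock valuation as a signature built from integral parts, zero fractional parts and the ordering of fractional parts, walks the time-successor regions the way the Figure 2 caption does, and counts the regions for two clocks with maximal constant 2, which the text puts at 44. The clock names x and y, the starting point (3/5, 3/10) in the triangle 0 < y0 < x0 < 1 and the guard y < 1 of the edge to l2 are taken from the Figure 2 caption; the general n-clock count goes slightly beyond the two-clock case on the page.

```python
import itertools
import math
from fractions import Fraction as F

# Added example, not code from the article: region equivalence for clocks
# with a common maximal constant M, the time-successor regions of a
# valuation, and a count of the regions for two clocks with M = 2.


def region_key(val, M):
    """Signature of the region containing valuation `val` (dict clock -> number).

    Two valuations are region-equivalent iff their keys are equal: same
    integral parts (or both above M), same clocks with fractional part 0,
    and the same ordering of the non-zero fractional parts.
    """
    parts, fracs = [], []
    for c in sorted(val):
        v = val[c]
        if v > M:
            parts.append((c, "above"))          # beyond M the exact value is irrelevant
            continue
        ip = math.floor(v)
        fp = v - ip
        parts.append((c, ip, fp == 0))
        if fp != 0:
            fracs.append((fp, c))
    fracs.sort()
    order = []                                  # groups of clocks with equal fractional part
    for fp, c in fracs:
        if order and order[-1][0] == fp:
            order[-1][1].append(c)
        else:
            order.append((fp, [c]))
    return tuple(parts), tuple(tuple(g) for _, g in order)


def same_region(v1, v2, M):
    return region_key(v1, M) == region_key(v2, M)


def next_region_delay(val, M):
    """Smallest delay that moves `val` into a different region, or None
    when every clock already exceeds M (time no longer changes the region)."""
    below = [v for v in val.values() if v <= M]
    if not below:
        return None
    to_int = [1 - (v - math.floor(v)) for v in below if v != math.floor(v)]
    if len(to_int) < len(below):
        # some clock sits on an integer: any positive delay leaves the region;
        # half the distance to the nearest boundary keeps every other clock
        # from crossing one at the same time
        return min(to_int + [F(1)]) / 2
    return min(to_int)                          # first clock to reach an integer


def time_successors(val, M):
    """Regions visited by letting time pass from `val`, as (key, valuation)."""
    chain = [(region_key(val, M), dict(val))]
    while (d := next_region_delay(val, M)) is not None:
        val = {c: v + d for c, v in val.items()}
        chain.append((region_key(val, M), dict(val)))
    return chain


def count_regions(n_clocks, M):
    """Count regions by enumerating representative valuations with values in
    {0, 1/(n+1), ..., M} plus one value above M; n+1 fractional levels
    realise every ordering of the fractional parts of n clocks."""
    den = n_clocks + 1
    levels = [F(k, den) for k in range(den * M + 1)] + [F(M + 1)]
    names = [f"c{i}" for i in range(n_clocks)]
    keys = {region_key(dict(zip(names, combo)), M)
            for combo in itertools.product(levels, repeat=n_clocks)}
    return len(keys)


def guard_y_below_1(key):
    """The guard y < 1 of the edge to l2 in Figure 2, decided on a region:
    true exactly when the integral part of y is 0 (y in {0} or (0, 1))."""
    parts, _ = key
    for p in parts:
        if p[0] == "y":
            return len(p) == 3 and p[1] == 0
    raise KeyError("y")


def figure2_walkthrough():
    """Replay the Figure 2 narrative: start in the red triangle 0 < y < x < 1
    (constructed point (3/5, 3/10)) and record, for each region reached by
    delaying, whether the edge to l2 is enabled."""
    start = {"x": F(3, 5), "y": F(3, 10)}
    return [guard_y_below_1(key) for key, _ in time_successors(start, 2)]


if __name__ == "__main__":
    print(count_regions(2, 2))          # 44, as stated in the text
    print(figure2_walkthrough())        # enabled in the first three regions only
```

Running the file prints 44 and the enabledness of the edge to l2 along the delay: enabled in the red triangle, on the orange line and in the yellow region, and disabled from the green line on, which is the sequence the caption describes.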
Algorithms that have been shown to be feasible, even efficient, in practice are based on the so-called zone graph abstraction30: a zone is a set of clock valuations defined by a clock constraint and can hence be represented by such; the zone graph has as vertices pairs of locations and zones that satisfy the location’s invariant, and its edges are derived from the transitions of the given timed automaton. The number of zones is unbounded, so unlike the region graph, the zone graph is infinite. Finiteness can be enforced using a technique known as normalization12; however, the number of zones is still much larger than the number of regions, and moreover the same zone can be represented using many different clock constraints.

The reason for zone-based algorithms to be efficient in practice is twofold: First, the algorithms used have no need to explore all of the zone graph (they work on-the-fly), and zones are commonly bigger than regions, hence the part of the zone graph to be explored is smaller. Second, operations on zones can be implemented very efficiently (in time cubic in the number of clocks): zones are usually represented using difference-bound matrices, or DBMs. The DBM representation of a zone on a set of k clocks has (k + 1) × (k + 1) entries, where an entry ci,j represents a clock constraint xi − xj ≤ ci,j and an extra clock x0 is added to represent absolute clock constraints xi ≤ ci0. DBMs in turn can be represented as directed weighted graphs; see below for an example of a zone and its DBM (graph) representation. Canonical representations of zones can be obtained using shortest-path closure or shortest-path reduction of their DBM graphs, and delay and reset operations on zones can be efficiently implemented on the DBM representations.

[Figure: a zone over clocks x1, x2, x3 and its DBM drawn as a weighted graph on nodes x0, x1, x2, x3; constraints recovered from the extraction: x1 ≤ 3, x1 − x2 ≤ 10, x1 − x2 ≥ 4, x1 − x3 ≤ 2, x3 − x2 ≤ 2, x3 ≥ −5, with edge weights 3, −4, 10, 2, 2, 5.]

Task graph scheduling: time optimality. A task graph problem involves a number of tasks T1, …, Tm, a number of machines or processors P1, …, Pn, and a (partial) mapping d giving, for each task Ti and processor Pj, the time d(i,j) for computing Ti on Pj. In addition there is a partial order on the tasks used for describing dependencies. Figure 3 is an example of a task graph problem.

We want to determine a schedule of when to start the execution of tasks, and on which processors, that minimizes the total execution time while being feasible in respecting the following conditions: (a) a task can be executed only if all its predecessors have completed; (b) each machine can process at most one task at a time; (c) tasks cannot be preempted.

Task graph scheduling problems may be easily modeled as networks of timed automata so that every run corresponds to a feasible schedule and the fastest run gives the time-optimal schedule: for each processor we construct a small timed automaton able—when idle—to handle within the appropriate amount of time the

Figure 3. Task graph problem with six tasks, where each task corresponds to the computation of a given sub-expression of the term (D × (C × (A + B))) + ((A + B) + (C × D)). Given the execution platform with two processors, P1 and P2, and corresponding computation times for addition and multiplication, as well as their energy consumption, Sch1–Sch3 provide three feasible schedules, where Sch2 is in fact time-optimal, and Sch3 is energy-optimal.
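The DBM machinery mentioned above, as an added Python example (not the article's own code): the zone of the figure, read from the extraction as x1 ≤ 3, x1 − x2 ≤ 10, x1 − x2 ≥ 4, x1 − x3 ≤ 2, x3 − x2 ≤ 2, x3 ≥ −5, is put into a DBM, closed into canonical form by shortest-path closure (Floyd-Warshall), and compared with a syntactically different constraint set for the same zone; delay and reset are implemented on the canonical form, and an inconsistent constraint set is detected as a negative cycle. The second constraint set and the empty zone are constructed here, and strict bounds are left out.

```python
import math
from itertools import product

# Added example, not code from the article: difference-bound matrices for the
# zone drawn in the text.  D[i][j] is the bound in x_i - x_j <= D[i][j]; the
# extra clock x0 is the constant 0, so D[i][0] bounds x_i from above and
# -D[0][i] from below.  Strict bounds (<) are left out for brevity.

INF = math.inf

# The figure's zone, as read from the extraction (a constructed reading):
#   x1 <= 3, x1 - x2 <= 10, x1 - x2 >= 4, x1 - x3 <= 2, x3 - x2 <= 2, x3 >= -5
ZONE_FIGURE = [(1, 0, 3), (1, 2, 10), (2, 1, -4), (1, 3, 2), (3, 2, 2), (0, 3, 5)]
# A different constraint set for the same zone (x1 - x2 <= 4 instead of 10):
ZONE_SAME = [(1, 0, 3), (1, 2, 4), (2, 1, -4), (1, 3, 2), (3, 2, 2), (0, 3, 5)]
# A constructed inconsistent set: x1 <= 3 and x1 - x2 >= 4 force x2 <= -1 < 0.
ZONE_EMPTY = [(1, 0, 3), (2, 1, -4), (0, 2, 0)]


def dbm_from_constraints(n_clocks, constraints):
    """Non-canonical DBM from triples (i, j, c) meaning x_i - x_j <= c."""
    n = n_clocks + 1
    D = [[INF] * n for _ in range(n)]
    for i in range(n):
        D[i][i] = 0
    for i, j, c in constraints:
        D[i][j] = min(D[i][j], c)
    return D


def canonical(D):
    """Shortest-path closure (Floyd-Warshall, cubic in the number of clocks):
    every entry becomes the tightest bound implied by the others.  Returns
    None when the zone is empty, i.e. the constraint graph has a negative cycle."""
    n = len(D)
    D = [row[:] for row in D]
    for k, i, j in product(range(n), repeat=3):
        if D[i][k] + D[k][j] < D[i][j]:
            D[i][j] = D[i][k] + D[k][j]
    if any(D[i][i] < 0 for i in range(n)):
        return None
    return D


def same_zone(a, b):
    """Two DBMs denote the same zone iff their canonical forms agree."""
    return canonical(a) == canonical(b)


def delay(D):
    """Time successor of a canonical zone: drop every upper bound x_i <= c.
    The result is canonical again, since no path into x0 remains."""
    D = [row[:] for row in D]
    for i in range(1, len(D)):
        D[i][0] = INF
    return D


def reset(D, clock):
    """Zone after `clock` := 0, for a canonical D: the clock now behaves like x0."""
    D = [row[:] for row in D]
    for j in range(len(D)):
        D[clock][j] = D[0][j]
        D[j][clock] = D[j][0]
    return D


def show(D):
    """Render a DBM as readable difference constraints."""
    return "\n".join(f"x{i} - x{j} <= {D[i][j]}"
                     for i, j in product(range(len(D)), repeat=2)
                     if i != j and D[i][j] != INF)


if __name__ == "__main__":
    C = canonical(dbm_from_constraints(3, ZONE_FIGURE))
    print(show(C))
    print(same_zone(dbm_from_constraints(3, ZONE_FIGURE), dbm_from_constraints(3, ZONE_SAME)))
    print(canonical(dbm_from_constraints(2, ZONE_EMPTY)))   # None: empty zone
```

The canonical form makes the redundancy visible: the bound x1 − x2 ≤ 10 tightens to 4, which together with x1 − x2 ≥ 4 pins the difference, so the zone is a good deal smaller than its constraint set suggests; delay only removes the upper bounds on single clocks (the column of x0), and reset copies the row and column of x0 into those of the reset clock, both without leaving the canonical form.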
requests from the tasks. For the processors of Figure 3, these are as follows:

[Figure: timed automata for the processors. P1: locations idle, add1 (invariant ≤ 2) and mult1 (invariant ≤ 3); the + and × edges from idle reset the clock (:= 0), and the done1 edges back to idle carry the guards = 2 and = 3. P2: the same shape with invariants ≤ 5, ≤ 7 and guards = 5, = 7 (clock names were lost in the extraction).]

Each task is modeled as a timed automaton waiting to be served by either of the processors, conditioned by the completion of its predecessors (indicated by Boolean variables t1–t5). Tasks T4 and T5 of our example can be represented as follows:

[Figure: task automata T4 and T5. T4: guard t1 ∧ t2, then add, then done with t4 := 1. T5: guard t3, then add, then done with t5 := 1.]

Extensive experiments on benchmarks have demonstrated that the above timed automata approach to task graph scheduling is competitive compared with more traditional approaches from operations research (for example, mixed-integer linear programming) as well as specialized, heuristic algorithms from planning and scheduling.1 Furthermore, the generic approach of timed automata admits easy incorporation of more specialized features (for example, release times, deadlines) to the models and scheduling.

Extensions of timed automata. Timed automata are a rich extension of classical automata with efficient tool support and several successful industrial applications, as we will discuss later. As such, they are often cited as the model of choice for representing and reasoning about embedded and real-time systems.

This success has led to several extensions of the model, for instance with more general guards or resets being allowed (for example, additive guards11 or non-deterministic updates of clocks12), or with more involved dynamics measuring other quantities than time. Unfortunately, these extensions quickly lead to undecidability; for example, for timed automata in which clocks can be stopped (so-called stopwatch automata), even basic properties such as safety or liveness are undecidable.29

On the other hand, the model of hybrid automata,29 though suffering from the same undecidability problems as mentioned for other classes above, has emerged as a popular formalism for which semi-decision and approximation procedures have been developed. The model of priced timed automata, which we shall discuss next, forms an intermediate class between timed and hybrid automata for which some of the good decidability properties of timed automata are retained. Other intermediate classes of models have been investigated, including linear hybrid automata29 and integration graphs,33 providing semi-decidability in general and decidability under certain restrictions.

Priced Timed Automata

A model for resources. Time is not the only quantitative notion of interest when designing embedded systems; other quantities such as energy or memory consumption, required bandwidth, or accumulated cost can be important to measure in such systems.

These notions are intimately connected to time, because the longer the device is operating, the more resources it consumes. This makes timed automata the model of choice to reason about those quantities, and has led to the definition of priced timed automata,6,10 extending timed automata with cost (which is the general name we will use in the sequel to refer to the various quantities that can be modeled within this formalism; in some other literature, this is referred to as reward).

A priced timed automaton is hence a timed automaton with extra information indicating how the cost is evolving in locations and during transitions. To avoid the undecidability problems of hybrid automata, cost information cannot be used to guard transitions; the cost is only an observer variable, and whether a transition is enabled only depends on timing information, not cost value. An example of a priced timed automaton, extending the timed automaton of the previous section, is depicted below (labels omitted):

[Figure: the priced timed automaton; labels recovered from the extraction: l0 with rate +5 and an edge "≤ 2, := 0" to l1 (invariant (y = 0)); l2 with rate +10 and an edge "= 2" with cost +1 to the goal location; l3 with rate +1 and an edge "= 2" with cost +7 to the goal location.]

A decoration +10 on a location indicates that cost increases by 10 units per time unit in the location; a decoration +7 on a transition indicates that taking the transition increases overall cost by 7 units (locations and transitions without cost indication have cost 0). The executions of such an automaton are those of the underlying timed automaton. The total cost of the example execution given earlier (delaying 1.3 time units in l0, 0.7 time units in l3, and ending in the rightmost location) can be computed as

1.3 × (+5) + 0.7 × (+1) + 7 = 14.2

Optimizing the resources. Natural optimization questions can be posed on that model, for example, the optimal reachability problem (minimum cost for reaching a given goal), the mean-cost optimization problem (mean cost used in the long run), or the discounted-cost optimization problem (where costs are discounted exponentially as time elapses).

As an example, we compute the minimum cost that is required for reaching location ☺ in the previous example. There are two families of executions: those that go through l2 and those that go through l3. Furthermore, in each family, there is a single parameter t: the time elapsed in location l0; everything else is determined by the guards in the automaton. Hence the minimum cost is:

(1)

where the expressions 5t + 10(2 − t) + 1 and 5t + (2 − t) + 7 give the cost of executions going through l2 respectively l3 after delaying t time units in location l0.

The standard region construction is not accurate enough to properly keep track of cost information, and a refinement of the region abstraction, the corner-point abstraction,13 has to be used to solve the optimization problems mentioned above. For this abstraction, regions are refined by distinguishing their corner points. As an
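The running example, as an added Python example (not the article's code): a small executor for the priced timed automaton with the costs given above (rate +5 in l0, +10 in l2, +1 in l3; +1 and +7 on the edges into the goal location), which checks guards and invariants, accumulates cost, replays the execution of the text (1.3 time units in l0, then a, c, 0.7 time units in l3, then e) and computes the minimum cost of reaching the goal location by evaluating the two families of executions at the corner points t = 0 and t = 2. The guard x ≤ 2 on edge a, the guards x = 2 on the edges into the goal location and the assignment of labels b, c, d, e to edges are assumptions read from the figure residue and from the cost expressions 5t + 10(2 − t) + 1 and 5t + (2 − t) + 7.

```python
from fractions import Fraction as F

# Added example, not code from the article.  Priced timed automaton of the
# running example: rates +5 (l0), +10 (l2), +1 (l3); discrete costs +1 on
# l2 -> goal and +7 on l3 -> goal.  Assumptions (clock names on the figure
# were lost): guard x <= 2 on edge a, guards x = 2 on the edges into the goal
# location, labels b, c from l1 to l2, l3 and d, e from l2, l3 to the goal.

RATE = {"l0": 5, "l1": 0, "l2": 10, "l3": 1, "goal": 0}


def invariant(loc, x, y):
    """Location invariants; l1 is urgent (y = 0), all others are unconstrained."""
    return y == 0 if loc == "l1" else True


# label: (source, target, guard, clocks to reset, discrete cost)
EDGES = {
    "a": ("l0", "l1", lambda x, y: x <= 2, {"y"}, 0),
    "b": ("l1", "l2", lambda x, y: True, set(), 0),
    "c": ("l1", "l3", lambda x, y: True, set(), 0),
    "d": ("l2", "goal", lambda x, y: x == 2, set(), 1),
    "e": ("l3", "goal", lambda x, y: x == 2, set(), 7),
}


def run(steps, start=("l0", F(0), F(0))):
    """Execute steps ("delay", d) / ("act", label) from `start`.
    Returns (location, x, y, accumulated cost); raises ValueError on an
    illegal step, i.e. a violated invariant or a disabled edge."""
    loc, x, y = start
    cost = F(0)
    for kind, arg in steps:
        if kind == "delay":
            d = F(arg)
            # invariants are convex, so holding at both ends of the delay
            # means holding throughout
            if d < 0 or not (invariant(loc, x, y) and invariant(loc, x + d, y + d)):
                raise ValueError(f"delay {d} violates the invariant of {loc}")
            x, y = x + d, y + d
            cost += RATE[loc] * d
        elif kind == "act":
            src, dst, guard, resets, price = EDGES[arg]
            if src != loc or not guard(x, y):
                raise ValueError(f"edge {arg} is not enabled in ({loc}, {x}, {y})")
            x = F(0) if "x" in resets else x
            y = F(0) if "y" in resets else y
            if not invariant(dst, x, y):
                raise ValueError(f"entering {dst} violates its invariant")
            loc, cost = dst, cost + price
        else:
            raise ValueError(f"unknown step {kind}")
    return loc, x, y, cost


# The execution discussed in the text: 1.3 time units in l0, a, c, 0.7 in l3, e.
EXAMPLE_RUN = [("delay", "1.3"), ("act", "a"), ("act", "c"), ("delay", "0.7"), ("act", "e")]


def example_run_cost():
    return run(EXAMPLE_RUN)[3]          # 1.3 * 5 + 0.7 * 1 + 7 = 14.2


def cost_via(branch, t):
    """Cost of reaching the goal after delaying t in l0 through `branch`
    ("l2" or "l3"); the guards x = 2 fix the remaining delay at 2 - t."""
    first, last = ("b", "d") if branch == "l2" else ("c", "e")
    t = F(t)
    steps = [("delay", t), ("act", "a"), ("act", first), ("delay", 2 - t), ("act", last)]
    return run(steps)[3]


def min_cost_to_goal():
    """Optimal reachability for this automaton.  Within each family the cost is
    affine in the single parameter t, so the minimum over 0 <= t <= 2 is taken
    at a corner t in {0, 2}: the corner-point argument in one dimension.
    Returns (cost, branch, t)."""
    return min((cost_via(b, t), b, t) for b in ("l2", "l3") for t in (F(0), F(2)))


if __name__ == "__main__":
    print(example_run_cost())           # 71/5
    print(min_cost_to_goal())           # (Fraction(9, 1), 'l3', Fraction(0, 1))
```

Because each family's cost is affine in the single parameter t, the minimum over 0 ≤ t ≤ 2 lies at one of the corners; the executor confirms 14.2 for the run of the text, rejects a delay in the urgent location l1, and finds the cheapest goal-reaching run, through l3 with t = 0, at cost 9.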
Figure 4. The corner-point abstraction refines the region abstraction by also keeping track of the corner point close to which an execution runs. This is needed to measure costs: for instance, if we are in location l1 and in the red region where 0 < y < x < 1, the price of delaying depends on the value of the clocks. From (a), where both x and y are arbitrarily close to 0, we can let almost one time-unit elapse and reach (b). The resulting cost is arbitrarily close to +3. On the other hand, from (c), where x and y are arbitrarily close to 1 and 0, respectively, letting time elapse takes us to the subsequent region, so that the cost is arbitrarily close to 0. (Notice that for readability, some resetting transitions have been omitted.)

example, the two-dimensional region depicted below is refined into three region-corner pairs; the meaning of a region-corner pair is that the current clock valuation is arbitrarily close to the distinguished corner:

[Figure: a region with its three corner points (a), (b), and (c).]

Similar to the refinement of regions, the transitions in the region automaton have to be refined to keep track of the corners. In the example above, there is a (delay) transition from region-corner pair (a) to (b), whereas (c) can be reached neither from (a) nor from (b). Figure 4 illustrates the corner-point abstraction of an example priced timed automaton. This graph has two types of delay edges: either within a region, from one corner to another one, or from a corner of a region to the corresponding corner in the subsequent region. The first case corresponds to a delay of “almost” one time unit, while the second case corresponds to a delay of “almost” zero time units. In addition, there are edges representing transitions of the timed automaton (which reset clock x in our example of Figure 4). In that case as well, there is a natural mapping between corners.

The edges of the corner-point abstraction are labeled with discrete cost information: if the cost rate in the current location is +3, all one time-unit edges have label +3, and all zero time-unit edges get label 0. Edges coming from discrete transitions are labeled with the cost of the transition (+5 in the example).

The corner-point abstraction can be used to solve many optimization problems, as it can be shown that in these cases, optimal total cost is obtained for runs that always take transitions close to integer clock values. Hence the optimization problem reduces to a problem on a finite graph that can be solved using different standard techniques. This is the case for the mean-cost optimization problem13 and the discounted-cost problem.25 For optimal reachability, another technique (priced regions) has been used10 that also extends to a setting of more than one cost variable.34

As for algorithm and tool support, the zone-based approach has been successfully extended to solve the optimal reachability problem,35 by introducing priced zones, and tool support is available in Uppaal Cora. For mean-cost and discounted-cost optimization, active research is being conducted in developing efficient zone-based algorithms, or alternatively showing that no such algorithms exist.

Task graph scheduling: energy optimality. Reconsidering our running task graph scheduling problem, cost-optimal reachability for priced timed automata may be used to provide energy-optimal schedules. The energy needed for performing computation steps is modeled as cost in the priced timed automaton model, and optimal reachability techniques can be used for finding an energy-optimal schedule.

For the task graph scheduling instance of Figure 3, energy consumption of the two processors is reflected in the respective timed automata by suitable cost-rates in the locations corresponding to the processor being idle or in use. The processors can then be represented by the following two priced timed automata:

[Figure: priced timed automata for the processors. P1: rate +10 in idle and +90 in add1 and mult1, invariants ≤ 2 and ≤ 3, guards = 2 and = 3 on the done1 edges, resets := 0 on the + and × edges. P2: rate +20 in idle and +30 in add2 and mult2, invariants ≤ 5 and ≤ 7, guards = 5 and = 7 on the done2 edges.]

Managing the resources. Up to this point we have only employed priced timed automata as a formalism for modeling time-dependent consumption of resources. However, in several situations resources may not just be consumed but also occasionally regained, for example, in autonomous robots with rechargeable batteries, or in tanks which may not only be emptied but also filled. Extending priced timed automata to allow for both positive (regaining) and negative (consumption) rates provides a natural modeling formalism.21

However, a new question now
emerges related to the appropriate management of resources: “Is it possible to maintain the level of resources within fixed bounds?” Such resource-bound problems are highly relevant to the analysis of several embedded systems, for example, it is natural to plan the usage of a device with rechargeable batteries so that one never runs out of energy, nor exceeds the maximum capacity for energy storage. Figure 5 shows a priced timed automaton together with some resource management problems.

Few results have been obtained on this problem so far: only the case of one-clock priced timed automata has been investigated.15 This restriction has two important consequences: cycle detection can be done statically, as each resetting transition leads to a configuration with clock value 0, and the region automaton can be coarsened so that the partition consists of intervals with end-points given by the constants in the automaton’s guards. As a consequence, there are only polynomially many regions.

Under the additional assumption that the cost cannot be updated during transitions (hence cost evolves only in locations), it can be shown15 that for finding runs that satisfy a global lower-bound constraint, with or without soft upper bound, one can restrict oneself to look for runs with integral delays. Hence, the corner-point abstraction can be used for this, and the problems are solvable in polynomial time.

For priced timed automata with more than one clock, no results are known, but even for one-clock automata with cost updates during transitions, there are some difficulties that mean abstractions like the above are insufficient. As an example, consider the following priced timed automaton:

[Figure: priced timed automaton with locations l0, l1, l2; labels recovered from the extraction: two edges with guard "= 1" and reset ":= 0", a cost −3, and cost annotations +2, +2, +4 (their placement was lost).]

Assuming that we start with initial cost 0, this automaton has exactly one feasible execution in which the cost level remains non-negative: after spending one time unit in location l0, we alternately spend half a time unit in l1 and half a time unit in l2. Any other execution eventually violates the lower bound. Hence in this case, runs satisfying the lower bound cannot be found using the corner-point abstraction.

Priced Timed Games

A model for uncertainties. The systems we have considered so far are closed in the sense that we have a complete description of the system. This is not sufficient to model embedded systems where interaction with the environment is crucial, or systems with some imprecision. These can be modeled using (two-player) timed games,8 in which some actions are triggered by the environment (we can think of signals received by sensors, or of unexpected events). The aim is to control, or guide, the system so that it will be safe or correct regardless of the way the environment interferes. An example of a timed game is depicted below:

[Figure: timed game with the locations of the running example: l0 with an edge "≤ 2, := 0" to the urgent location l1 (invariant (y = 0)), and edges "= 2" from l2 and l3 to the goal location; the edges out of l1 are dashed.]

Dashed edges belong to the environment (they are uncontrollable): when they are fireable, the system cannot prevent (nor force) them to be fired. Here, the system cannot decide whether it goes through l2 or through l3.

For simple correctness criteria, for example, reachability or safety, the set of winning states (that is, states from which the system can be controlled under the safety constraint) and also winning strategies (that is, policies for how to control the system) can be computed using the region abstraction.8 Also computability of time-optimal strategies,7 as well as strategies under partial observability, has been demonstrated. For the latter, decisions are based on discrete observations giving only partial information of the system state, depending on the availability and precision of sensors.19 For efficient algorithms, a zone-based approach for solving timed games with reachability and safety objectives has been developed,18,38 and tool support is available in Uppaal-Tiga.

Task graph scheduling: timing uncertainty. Returning to our running task graph scheduling example, we can use the formalism of timed games to model uncertainty in precisely how much time a certain computation on a given processor takes. Previously, we modeled computation times by precise numbers, whereas we now can make the model more realistic by only providing interval bounds within which computation times are prescribed to lie. The timed game models below provide versions of the processors P1 and P2 from Figure 3 in which computation times are prescribed to lie in the intervals [1, 2] for addition and [1, 3]

Figure 5. The resource management problem asks whether it is possible to maintain the cost level within fixed bounds. There can be a lower bound only (a), a lower and an upper bound (b, c), or a lower bound and a soft upper bound above which cost level cannot increase. Figures (a), (b), and (d) represent solutions to the respective problems for the priced timed automaton depicted on the left: there is an infinite run that satisfies the global constraint. In case (a) for instance, we have depicted a possible schedule for the first cycle, and this run can be repeated because at the start of the second cycle, the cost level is larger than at the start of the first cycle. In Figure (c), the proposed schedule violates the lower bound, and it can be shown that there exists no infinite run which maintains cost level within the specified bounds.
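The task graph scheduling passages above (time optimality, energy optimality and the two processor models), as an added Python example (not the article's code and not the data of its Figure 3): an exhaustive search over processor assignments and dispatch orders that returns a time-optimal and an energy-optimal non-preemptive schedule. The task set and its dependencies are derived here from the term (D × (C × (A + B))) + ((A + B) + (C × D)); the computation times (P1: add 2, mult 3; P2: add 5, mult 7) and the energy rates (P1: idle +10, busy +90; P2: idle +20, busy +30) are the ones shown on the processor automata in the text; the task naming and the convention that both processors accumulate cost until the last task completes (the goal state of cost-optimal reachability) are assumptions.

```python
import itertools

# Added example, not the article's own code or its Figure 3 data: exhaustive
# search for time-optimal and energy-optimal non-preemptive schedules of the
# task graph behind (D x (C x (A + B))) + ((A + B) + (C x D)).  Task names and
# dependencies are derived here from that term; durations and energy rates are
# those shown on the processor automata in the text.  Cost accrues on both
# processors until the last task finishes (assumed goal of the reachability).

TASKS = {                       # name: (kind, predecessors)
    "A+B":         ("add",  ()),
    "CxD":         ("mult", ()),
    "Cx(A+B)":     ("mult", ("A+B",)),
    "Dx(..)":      ("mult", ("Cx(A+B)",)),
    "(A+B)+(CxD)": ("add",  ("A+B", "CxD")),
    "final":       ("add",  ("Dx(..)", "(A+B)+(CxD)")),
}
DURATION = {"P1": {"add": 2, "mult": 3}, "P2": {"add": 5, "mult": 7}}
RATE = {"P1": {"idle": 10, "busy": 90}, "P2": {"idle": 20, "busy": 30}}


def schedule(order, assignment):
    """List-schedule the tasks in `order` on their assigned processors, each at
    the earliest time its predecessors are done and its processor is free.
    Returns {task: (processor, start, finish)}."""
    free = {p: 0 for p in DURATION}
    done = {}
    for task in order:
        kind, preds = TASKS[task]
        proc = assignment[task]
        start = max([free[proc]] + [done[p][2] for p in preds])
        finish = start + DURATION[proc][kind]
        done[task] = (proc, start, finish)
        free[proc] = finish
    return done


def makespan(sched):
    return max(finish for _, _, finish in sched.values())


def energy(sched):
    """Idle/busy cost of both processors up to the makespan."""
    T = makespan(sched)
    total = 0
    for proc in DURATION:
        busy = sum(f - s for p, s, f in sched.values() if p == proc)
        total += busy * RATE[proc]["busy"] + (T - busy) * RATE[proc]["idle"]
    return total


def precedence_ok(order):
    seen = set()
    for task in order:
        if not all(p in seen for p in TASKS[task][1]):
            return False
        seen.add(task)
    return True


def optimal(measure):
    """Exhaustive search over assignments and precedence-respecting dispatch
    orders.  Every semi-active schedule arises from some (order, assignment),
    and for makespan and for the energy above an optimal schedule is
    semi-active, so the search is complete.  Returns (value, schedule)."""
    names = list(TASKS)
    orders = [o for o in itertools.permutations(names) if precedence_ok(o)]
    best = None
    for procs in itertools.product(DURATION, repeat=len(names)):
        assignment = dict(zip(names, procs))
        for order in orders:
            s = schedule(order, assignment)
            value = measure(s)
            if best is None or value < best[0]:
                best = (value, s)
    return best


if __name__ == "__main__":
    t_best, t_sched = optimal(makespan)
    e_best, e_sched = optimal(energy)
    print("time-optimal:", t_best, "energy", energy(t_sched))
    print("energy-optimal:", e_best, "makespan", makespan(e_sched))
```

On this instance the time-optimal schedule keeps the whole dependency chain on the fast but expensive P1 and reaches makespan 12 at energy 1390, whereas the energy-optimal schedules move work to P2 and accept a longer makespan for a lower total; this is the trade-off the caption of Figure 3 alludes to with its separate time-optimal and energy-optimal schedules.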
for multiplication on P1, and similarly for P2.

[Figure: timed game models of P1 and P2 (locations idle, add, mult; edges +, ×, done); guard, invariant and reset labels recovered from the extraction: ≥ 1, ≥ 1, ≤ 2, ≤ 3, := 0 for P1 and ≥ 3, ≥ 2, ≤ 2, ≤ 3, := 0 for P2.]

Using these models, a computed time-optimal schedule will no longer be a simple fixed assignment of tasks and time slots to processors, but rather a flexible dynamic assignment, where task scheduling can be adapted online according to actual completion times of previous tasks. (Hence, we cannot display the solution here.)

Cost-optimal strategies. It is natural to extend the timed game framework with cost information, hence making it possible to model uncertainty as well as resource use, and to ask for controllability under resource constraints, or for optimal controllability. The model of priced timed games is a synthesis of priced timed automata and timed games; we show an example below:

[Figure: the priced timed game; labels recovered from the extraction: l0 with rate +5 and an edge "≤ 2, := 0" to l1 (invariant (y = 0)); l2 with rate +10 and an edge "= 2" with cost +1 to the goal location; l3 with rate +1 and an edge "= 2" with cost +7 to the goal location.]

In this example we may, for example, want to compute the minimum cost for reaching location ☺ regardless of the moves of the environment (which is in charge of the edges out of l1 as before). As the system cannot control whether execution goes through l2 or l3, the minimum cost is given by the term

where t is the delay spent in location l0. Solving this, one arrives at a minimum cost of , which is attained for . As this is not an integer, one sees that techniques based on the corner-point abstraction are not sufficient for computing optimal-reachability strategies, even in case of one-clock priced timed games.

Generally, priced timed games are much more difficult to analyze than priced timed automata. Using reductions from the Halting problem for two-counter machines, one can show that cost-optimal strategies are undecidable,17 even when restricted to priced timed games with only three clocks. Decidability has been shown for classes of priced timed games with strong conditions on the cost evolution3 and for one-clock priced timed games.14 The reason for the latter is the same as for one-clock priced timed automata above: resetting the clock leads to a configuration with a known clock valuation.

Applications and Tools

Timed automata and their extensions have been applied to the modeling, analysis, and optimization of numerous real-time applications. Here, we give a few examples, not aiming at being exhaustive but rather to illustrate the wide range of application domains.

A variety of mature tools are available that provide important computer-aided support for applications. Well-known tools include Uppaal, Kronos, and HyTech, but there is a large number of other tools available. The electronic version of this article contains an extra section that aims to give an overview together with references to the individual tools.

The timed automata formalism is now routinely applied to the modeling and analysis of real-time control programs, including a wide class of programmable logic controller (PLC) control programs23,36 and timing analysis and code generation of vehicle control software,39 and the timed automaton approach has also demonstrated its viability for the timing analysis of certain classes of asynchronous circuits.16

Similarly, numerous real-time communication protocols have been analyzed using timed automata technology, often with inconsistencies being revealed: for example, using real-time model checking, the cause of a 10-year-old bug in the IR-link protocol used by Bang & Olufsen was identified and corrected.27 Most recently, real-time model checking has been applied to the clock synchronization algorithm currently used in a wireless sensor network that has been developed by the Dutch company CHESS.37 Here it is shown that in certain cases a static, fully synchronized network may eventually become unsynchronized if the current algorithm is used, even in a setting with infinitesimal clock drifts.

During the last years, timed automata modeling of multitasking applications running under real-time operating systems has received substantial research effort. Here the goals are multiple: to obtain less pessimistic worst-case response time analysis compared with classical methods for single-processor systems40; to relax the constraints of periodic task arrival times of classical scheduling theory to task arrival patterns that can be described using timed automata26; to allow for schedulability analysis of tasks in terms of concurrent objects executing on multiprocessor or distributed platforms (for example, MPSoC).22

Just as symbolic reachability checking of finite-state models has led to very efficient planning and scheduling algorithms, reachability checking for (priced) timed automata has demonstrated competitive and complementary performance with respect to classical approaches such as MIPL on optimal scheduling problems involving real-time constraints, for example, job-shop and task-graph scheduling1,9 and aircraft landing problems.35 In fact a translation of the variant PDDL3 of PDDL (Planning Domain Definition Language) into priced timed automata has been made24 allowing optimal planning questions to be answered by cost-optimal reachability checking. Industrial applications include planning a wafer scanner from semiconductor industry28 and computation of optimal paper paths for printers.31

Most recently, computation of winning strategies for timed games has been applied to controller synthesis for embedded systems, including synthesis of most general non-preemptive online schedulers for real-time systems with sporadic tasks,2 synthesis of climate control for pig stables provided by the company Skov A/S,32 and automatic synthesis of robust and near-optimal controllers for industrial hydraulic pumps.20
Conclusion

Timed automata and their priced and game extensions provide a uniform and expressive formalism for dynamic resource allocation problems with hard real-time constraints, that is, timing constraints that must be satisfied under all circumstances. This is in contrast to soft real-time constraints, which only need to be met with a certain probability, .999 say, and which require stochastic modeling formalisms such as discrete-time or continuous-time Markov chains or queueing models. While hard real-time focuses on worst-case analysis, soft real-time addresses more refined properties such as average-case performance. However, within the setting of hard real-time, timed automata and their extensions allow for analysis of a wide collection of performance and optimization problems, with results competitive with respect to more traditional approaches such as mixed-integer linear programming or others.

Particularly challenging problems remaining to be settled include decidability of synthesis for priced timed games under partial observability, as well as a range of resource management problems in the setting of priced timed automata and games with both consumption and regaining of resources.

Acknowledgments

The authors are partly supported by the European project Quasimodo (FP7-ICT-STREP-214755). The French authors are supported by project DOTS (ANR-06-SETI-003). The Danish authors are supported by the Danish Center of Excellence MT-LAB.

References

1. Abdeddaïm, Y., Asarin, E., Maler, O. Scheduling with timed automata. Theor. Comput. Sci. 354, 2 (2006), 272–300.
2. Altisen, K. et al. A framework for scheduler synthesis. In IEEE Real-Time Systems Symposium, 1999, 154–163.
3. Alur, R., Bernadsky, M., Madhusudan, P. Optimal reachability in weighted timed games. In Proceedings of the 31st International Colloquium on Automata, Languages and Programming (ICALP '04), Lecture Notes in Computer Science 3142, Springer, 2004, 122–133.
4. Alur, R., Courcoubetis, C., Dill, D.L. Model-checking for real-time systems. In Proceedings of the 5th Annual Symposium on Logic in Computer Science (LICS '90), IEEE Computer Society Press, 1990, 414–425.
5. Alur, R., Dill, D.L. Automata for modeling real-time systems. In Proceedings of the 17th International Colloquium on Automata, Languages and Programming (ICALP '90), Lecture Notes in Computer Science 443, Springer, 1990, 322–335.
6. Alur, R., La Torre, S., Pappas, G.J. Optimal paths in weighted timed automata. In Proceedings of the 4th International Workshop on Hybrid Systems: Computation and Control (HSCC '01), Lecture Notes in Computer Science 2034, Springer, 2001, 49–62.
7. Asarin, E., Maler, O. As soon as possible: Time optimal control for timed automata. In Proceedings of the 2nd International Workshop on Hybrid Systems: Computation and Control (HSCC '99), Lecture Notes in Computer Science 1569, Springer, 1999, 19–30.
8. Asarin, E. et al. Controller synthesis for timed automata. In Proceedings of IFAC Symposium on System Structure and Control, Elsevier Science, 1998, 469–474.
9. Behrmann, G. et al. Efficient guiding towards cost-optimality in Uppaal. In Proceedings of the 7th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS '01), Lecture Notes in Computer Science 2031, Springer, 2001, 174–188.
10. Behrmann, G. et al. Minimum-cost reachability for priced timed automata. In Proceedings of the 4th International Workshop on Hybrid Systems: Computation and Control (HSCC '01), Lecture Notes in Computer Science 2034, Springer, 2001, 147–161.
11. Bérard, B., Dufourd, C. Timed automata and additive clock constraints. Inf. Process. Lett. 75, 1–2 (2000), 1–7.
12. Bouyer, P. Forward analysis of updatable timed automata. Form. Methods Syst. Des. 24, 3 (2004), 281–320.
13. Bouyer, P., Brinksma, E., Larsen, K.G. Optimal infinite scheduling for multi-priced timed automata. Form. Methods Syst. Des. 32, 1 (2008), 2–23.
14. Bouyer, P. et al. Almost optimal strategies in one-clock priced timed automata. In Proceedings of the 26th Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS '06), Lecture Notes in Computer Science 4337, Springer, 2006, 345–356.
15. Bouyer, P. et al. Infinite runs in weighted timed automata with energy constraints. In Proceedings of the 6th International Conference on Formal Modeling and Analysis of Timed Systems (FORMATS '08), Lecture Notes in Computer Science 5215, Springer, 33–47.
16. Bozga, M. et al. Verification of asynchronous circuits using timed automata. Electron. Notes Theor. Comput. Sci. 65, 6 (2002), 47–59.
17. Brihaye, Th., Bruyère, V., Raskin, J.-F. On optimal timed strategies. In Proceedings of the 3rd International Conference on Formal Modeling and Analysis of Timed Systems (FORMATS '05), Lecture Notes in Computer Science 3821, Springer, 2005, 49–64.
18. Cassez, F. et al. Efficient on-the-fly algorithms for the analysis of timed games. In Proceedings of the 16th International Conference on Concurrency Theory (CONCUR '05), Lecture Notes in Computer Science 3653, Springer, 2005, 66–80.
19. Cassez, F. et al. Timed control with observation based and stuttering invariant strategies. In Proceedings of the 5th International Symposium on Automated Technology for Verification and Analysis (ATVA '07), Lecture Notes in Computer Science 4762, Springer, 2007, 192–206.
20. Cassez, F. et al. Automatic synthesis of robust and optimal controllers—An industrial case study. In Proceedings of the 12th International Workshop on Hybrid Systems: Computation and Control (HSCC '09), Lecture Notes in Computer Science 5469, Springer, 2009.
21. Chakrabarti, A. et al. Resource interfaces. In Proceedings of the 3rd International Workshop on Embedded Software (EMSOFT '03), Lecture Notes in Computer Science 2855, Springer, January 2003.
22. David, A. et al. Model-based framework for schedulability analysis using Uppaal 4.1, chapter 4. Model-Based Design for Embedded Systems. G. Nicolescu and P.J. Mosterman, eds. CRC Press, Boca Raton, FL, 2009, 93–119.
23. Dierks, H. PLC-automata: A new class of implementable real-time automata. Theor. Comput. Sci. 253, 1 (2001), 61–93.
24. Dierks, H. Finding optimal plans for domains with continuous effects with Uppaal Cora. In Proceedings of the ICAPS '05 Workshop on Verification and Validation of Model-Based Planning and Scheduling Systems, 2005.
25. Fahrenberg, U., Larsen, K.G. Discount-optimal infinite runs in priced timed automata. Electron. Notes Theor. Comput. Sci. 239 (2009), 179–191.
26. Fersman, E. et al. Schedulability analysis of fixed-priority systems using timed automata. Theor. Comput. Sci. 354, 2 (2006), 301–317.
27. Havelund, K. et al. Formal modeling and analysis of an audio/video protocol: An industrial case study using Uppaal. In Proceedings of the 18th IEEE Real-Time Systems Symposium (RTSS '97), IEEE Computer Society Press, 1997, 2–13.
28. Hendriks, M., van den Nieuwelaar, B., Vaandrager, F.W. Model checker aided design of a controller for a wafer scanner. STTT 8, 6 (2006), 633–647.
29. Henzinger, Th.A. et al. What's decidable about hybrid automata? J. Comput. Syst. Sci. 57, 1 (1998), 94–124.
30. Henzinger, Th.A. et al. Symbolic model-checking for real-time systems. Inf. Comput. 111, 2 (1994), 193–244.
31. Igna, G. et al. Formal modeling and scheduling of datapaths of digital document printers. In Proceedings of the 6th International Conference on Formal Modeling and Analysis of Timed Systems (FORMATS '08), Lecture Notes in Computer Science 5215, Springer, 2008, 170–187.
32. Jessen, J.J. et al. Guided controller synthesis for climate controller using Uppaal-Tiga. In Proceedings of the 5th International Conference on Formal Modeling and Analysis of Timed Systems (FORMATS '07), Lecture Notes in Computer Science 4763, Springer, 2007, 227–240.
33. Kesten, Y. et al. Decidable integration graphs. Inf. Comput. 150, 2 (1999), 209–243.
34. Larsen, K.G., Rasmussen, J.I. Optimal reachability for multi-priced timed automata. Theor. Comput. Sci. 390, 2–3 (2008), 197–213.
35. Larsen, K.G. et al. As cheap as possible: Efficient cost-optimal reachability for priced timed automata. In Proceedings of the 13th International Conference on Computer Aided Verification (CAV '01), Lecture Notes in Computer Science 2102, Springer, 2001, 493–505.
36. Mader, A., Wupper, H. Timed automaton models for simple programmable logic controllers. In Proceedings of the 11th Euromicro Conference on Real-Time Systems (ECRTS '99), IEEE Computer Society, 1999, 106–113.
37. Schuts, M. et al. Modelling clock synchronization in the Chess gMAC WSN protocol. CoRR, abs/0912.1901, 2009.
38. Tripakis, S., Altisen, K. Controller synthesis for discrete and dense-time systems. In Proceedings of the World Congress on Formal Methods in the Development of Computing Systems (FM '99), Lecture Notes in Computer Science 1708, Springer, 1999, 233–252.
39. Tripakis, S., Yovine, S. Timing analysis and code generation of vehicle control software using Taxys. Electron. Notes Theor. Comput. Sci. 55, 2 (2001), 277–286.
40. Waszniowski, L., Hanzálek, Z. Formal verification of multitasking applications based on timed automata model. Real-Time Syst. 38, 1 (2008), 39–65.

Patricia Bouyer (bouyer@lsv.ens-cachan.fr), LSV–CNRS & ENS Cachan, France.
Uli Fahrenberg (uli@cs.aau.dk), Department of Computer Science, Aalborg Universitet, Aalborg, Denmark.
Kim G. Larsen (kgl@cs.aau.dk), Department of Computer Science, Aalborg Universitet, Aalborg, Denmark.
Nicolas Markey (markey@lsv.ens-cachan.fr), LSV–CNRS & ENS Cachan, France.

© 2011 ACM 0001-0782/11/09 $10.00
September 2011 | Vol. 54 | No. 9 | Communications of the ACM | 87
careers

Michigan State University
Tenure-Stream Faculty, Computer Science and Engineering

The Department of Computer Science and Engineering (CSE) at Michigan State University invites applications for a tenure-stream faculty position in the area of computer vision, image processing, and its applications to biometric recognition. Candidates at all ranks will be considered. The appointment starts in August 2012.

The CSE Department conducts leading-edge research in many areas, with particular strength in software engineering and formal methods, computer networks and security, computer graphics and visualization, bioinformatics and digital revolution, data mining, machine learning and pattern recognition, and natural language processing. The department's external research awards have nearly doubled in the last couple of years. Multidisciplinary research across a broad range of disciplines is strongly encouraged and is being actively pursued by the faculty. Partnering with several other departments and universities, the CSE department is a major contributor and plays an important role in the NSF Science and Technology Center for the study of Evolution in Action (BEACON) on our campus.

Candidates should have a Ph.D. in Computer Science or a closely related field with evidence of research accomplishments, teaching skills, and an ability to work effectively with other researchers. The successful candidate will be expected to develop an externally funded research program of national prominence that includes fundamental research, publications in high quality conferences and journals, and training graduate students. Leadership is expected in development of educational programs to provide state-of-the-art knowledge to both undergraduate and graduate students.

MSU enjoys a large, park-like campus with outlying research facilities and natural areas. The greater Lansing area has approximately 450,000 residents. The local communities have excellent school systems and place a high value on education. The University is proactive in exploring opportunities for the employment of spouses, both inside and outside the University.

Candidates should submit an application for this position through: https://jobs.msu.edu/. Refer to posting #4905. Closing date is December 1, 2011. Applications will be reviewed on a continuing basis until the position is filled. For full consideration, applications should be received by the closing date.

MSU is an affirmative action, equal opportunity employer. MSU is committed to achieving excellence through cultural diversity. The university actively encourages applications and/or nominations of women, persons of color, veterans and persons with disabilities.

Faculty Search Committee
Department of Computer Science and Engineering
3115 Engineering Building
Michigan State University
East Lansing, Michigan 48824-1226
Apply at: https://jobs.msu.edu/
http://www.cse.msu.edu

Ozarks Technical Community College
Programmer

The Programmer is responsible for the design, implementation, maintenance, and monitoring of complex systems on the college's Student Information System (SIS). The Programmer implements and maintains assigned modules on the SIS. The Programmer coordinates with other areas of Information Technology to integrate external systems with the data contained on the SIS.

Bachelor's Degree in Computer Science or a related program from a regionally accredited institution of higher learning, or 3 years of object oriented programming experience. Significant experience in a modern programming language such as Java, .NET or C# (applicants may be required to demonstrate programming proficiency). Significant experience with relational databases. Effective communication skills.

Apply URL: http://www.otc.edu/jobs/jobs.php

OZ Management
SharePoint Developer

SharePoint Developer, New York, NY. Oversee SharePoint architecture w/in firm, & design, dvlp & implement individual projects incl information portals, self service portals, document libraries, BI portals, & forms-based workflows. Requires Master's degree in Comp Sci or foreign equiv w/3 yrs web dvlpt exp, focused on MS SharePoint (in lieu of Master's and 3 years, employer will accept Bachelor's degree or foreign equivalent in Comp Sci w/5 yrs progressively resp web dvlpt exp, of which at least 3 must have focused on Microsoft SharePoint). Exp must incl proficiency w/MS SharePoint 2003/2007 & MOSS 2007 platform incl: creating page layouts & master pages, site definitions & templates, Features & Solutions, web parts, dash-boarding & BI & BDC. Solid understanding of SP Object Model, Solution Framework, Administration, Configuring SP Webservices, Design & programming exp. using C#, ASP.net, CAML, CSS, XSLT, Windows Workflow Foundation. Expertise in .NET Framework, SQL Server 2000/2005, SSRS, SP Designer, InfoPath, IIS & Active Directory reqd. Mail CV to OZ Management LP, ref job code: "ACMkr", Attn: K. Cubberly, 9 West 57th St, 39th Fl., NY, NY 10019.

Providence College
Assistant Professor of Computer Science

The Mathematics and Computer Science Department at Providence College invites applicants for a tenure-track Assistant Professor position in Computer Science, commencing Fall 2012. Candidate must hold a Ph.D. from an accredited institution in computer science (or earn one by August 1, 2012). Preference will be given to a candidate who specializes in database management. The position requires a commitment to undergraduate teaching (9 credit hours per semester) and continuing scholarship. Details and application instructions are available on the College website at: http://www.providence.edu/About+PC/Employment+Opportunities/

Preference will be given to applications completed by November 30, 2011. Providence College is a Roman Catholic four-year liberal arts institution conducted under the auspices of the Dominican Friars and seeks candidates who can affirm and contribute to its Mission. An AA/EOE, the College especially encourages applications of women and minorities.

Texas State University-San Marcos
Department of Computer Science

Applications are invited for a tenure-track position at the rank of Assistant Professor. Applicants must have completed all requirements for a PhD with specialization in software engineering by start of employment. Consult the department recruiting page at http://www.cs.txstate.edu/recruitment/faculty_recruit.php for job duties, qualifications, application procedures, and information about the university and the department.

Texas State University-San Marcos will not discriminate against any person in employment or exclude any person from participating in or receiving the benefits of any of its activities or programs on any basis prohibited by law, including race, color, age, national origin, religion, sex, disability, veterans' status, or on the basis of sexual orientation. Texas State University-San Marcos is a member of the Texas State University System.

Toyota Technological Institute Chicago
Computer Science at TTI Chicago
Faculty Positions at All Levels

Toyota Technological Institute at Chicago (TTIC) is a philanthropically endowed degree-granting institute for computer science located on the University of Chicago campus. Applications are being accepted in all areas, but we are particularly interested in machine learning, speech processing, computational linguistics, computer vision, computational biology and optimization. Positions are available at all ranks, and we have a large number of three year limited term positions currently available. For all positions we require a Ph.D. Degree or Ph.D. candidacy, with the degree conferred prior to date of hire. Submit your application electronically at: http://ttic.uchicago.edu/facapp/

Toyota Technological Institute at Chicago is an Equal Opportunity Employer

U.S. Air Force Academy
Distinguished Visiting Professor

U.S. Air Force Academy Department of Computer Science is accepting applications for the 2012-2013 Distinguished Visiting Professor position. See http://www.usafa.edu/df/dfcs/index.cfm or call (719) 333-7377 for details. U.S. Citizenship required.
p. 100 Technical Perspective: Abstracting Abstract Machines. By Olivier Danvy and Jan Midtgaard
p. 101 Abstracting Abstract Machines: A Systematic Approach to Higher-Order Program Analysis. By David Van Horn and Matthew Might
research highlights
doi:10.1145/1995376.1995397

Technical Perspective
Making Browser Extensions Secure
By Christopher Kruegel

The World Wide Web has grown tremendously over the past years. To make the rich and dynamic content on the Web accessible to end users, Web browsers have evolved rapidly as well, and new functionalities, often in the form of extensions and plug-ins, are added continuously. As is frequently the case with software, the significant increase in the size and complexity of the code that drives browsers and their extensions has resulted in an increase in the number of program flaws (bugs). Some bugs simply crash the browser. Others, unfortunately, are security vulnerabilities that attackers can use to compromise end users' machines, install malware, and steal sensitive information. Indeed, browser and extension vulnerabilities have become the primary venue through which cyber criminals compromise the security of Web users and, ultimately, earn money.

To prevent attackers from exploiting program flaws, it is critical to identify and fix bugs before the software is deployed. This is particularly important as users are slow in upgrading, even when patches are eventually made available. Expecting developers to write software that is free of any errors is unrealistic. Hence, we need tools that can automatically detect bugs, especially those that can be exploited by attackers.

The following paper describes VEX, a system that specifically focuses on the identification of security vulnerabilities in browser extensions for Firefox. These extensions are JavaScript add-ons that provide new functionality or augment existing features for the Firefox browser. In contrast to the core browser, extensions are often developed by programmers who have less experience in writing secure, robust code. Thus, a tool such as VEX is of particular importance to ensure a secure Web experience.

At the core of VEX is a static source code analysis component that checks for security vulnerabilities that are the result of potentially unsafe data flows. That is, the system scans the JavaScript code of an extension for program paths over which untrusted input, possibly controlled by an attacker, might reach security-relevant functions. If such a path exists, it could be possible for an attacker to craft malicious input that tricks the security-relevant function into doing something that was not intended by the developer. For example, attackers could include malicious code in inputs, and this code is later executed by the extension in the context of the browser. This can lead to all kinds of security problems: for example, the attacker could steal a cookie and take over the session between the victim and an online banking site, or the attacker could steal passwords directly from form fields, or he could display a convincing phishing site to the user. Of course, VEX does not find all possible security vulnerabilities, but it covers an important class of common and critical bugs. As always with security, there is no single approach that solves everything, and this system is an important step in the right direction.

The crucial challenge the creators of VEX had to overcome is that static code analysis is a difficult problem. While precise static analysis is hard in general, it is particularly difficult for programs written in JavaScript. The reason is that JavaScript is a very dynamic language. It can execute code dynamically; that is, some parts of the program that will be executed during runtime do not exist in the source code. Instead, they are built by the application while it is running. Moreover, a Firefox extension does not work in isolation, but is tightly integrated with the browser. This means it calls many functions offered by the browser, for example, to access Web pages. Thus, the static analysis cannot look at the program in isolation but must take into account these interactions with the browser as well. I encourage you to read this paper to discover how the authors achieved this analysis.

Static analysis is great because it covers all program paths. However, sound static analysis is also known to raise many false positives (that is, the system claims there is a vulnerability when there is none). VEX strives to strike a balance between trying to cover as many vulnerabilities as possible while making sure that false alarms are minimized. That is, although mistakes are possible, the false positive rates are low. This makes the system useful in practice. After all, for each alert, a human must manually investigate the reported problem.

The authors have demonstrated that VEX works well in practice by running it over 2,460 extensions. The system found a number of security problems, including seven vulnerabilities that were previously unknown. Examples of these bugs, as well as the details of VEX, are detailed in the paper.

Christopher Kruegel (chris@cs.ucsb.edu) is an associate professor and holder of the Eugene Aas Chair in Computer Science at the University of California, Santa Barbara.

© 2011 ACM 0001-0782/11/09 $10.00
obfuscate extension functionality, but we assume the developer could write incorrect code that contains vulnerabilities.

We use two attack models. First, we consider attacks that originate from Web sites, and we assume the attacker can send arbitrary HTML and JavaScript to the user's browser, modeling the usage model that assumes the user can navigate to any page on the internet. We focus on attacks where this untrusted data can lead to code injection or privilege escalation through buggy extensions. In the second attack model, we assume the same model as above, but we consider certain Web sites as trusted. For example, if an extension gleans information from the Facebook Web site, we assume that the Facebook data will not include arbitrary HTML and JavaScript, but only well-formatted and trusted data.

According to the Mozilla developer site, Mozilla has a team of volunteers who help vet extensions manually. They run new and updated extensions isolated in a virtual machine to test the user experience. The editors also use a validation tool, which uses grep to look for key indicators of bugs. Many of the patterns they search for involve interactions between extensions and Web pages, and they use their understanding of these patterns to help guide their inspection of the code. Our goal is to help automate this process, so that analysts can quickly home in on particular snippets of code that are likely to contain security vulnerabilities.

Figure 1 shows our overall workflow for using Vex: when extensions are subject to analysis by Vex, it reports precise code paths from untrusted sources to executable sinks in the extensions' code, which an expert must manually examine to check whether they can be used to mount an attack.

3. VEX INFORMATION FLOW PATTERNS

Firefox has two privilege levels: page for the Web page displayed in the browser's content pane, and chrome for elements belonging to Firefox and its extensions. Page privileges are more restrictive than chrome privileges. For example, a page loaded from illinois.edu can only access content from illinois.edu. Firefox code and extensions run with full chrome privileges, which enable them to access all browser states and events, OS resources like the file system and network, and all Web pages. Extensions also can include their own user-interface components via a chrome document, which can run with full chrome privileges.

Firefox has APIs for extension code to communicate across protection domains, and these interactions are one cause of extension security vulnerabilities. As the Mozilla developer site explains, "One of the most common security issues with extensions is execution of remote code in privileged context. A typical example is an RSS reader extension that would take the content of the RSS feed (HTML code), format it nicely and insert into the extension window. The issue that is commonly overlooked here is that the RSS feed could contain some malicious JavaScript code and it would then execute with the privileges of the extension—meaning that it would get full access to the browser (cookies, history, etc.) and to user's files" [sic].

We characterize these cross-protection-domain interactions as information-flow patterns from JavaScript objects that include page content (untrusted sources) to JavaScript objects and methods that execute content with chrome privileges (executable sinks). In this section we discuss the sources and sinks that Vex tracks. Flows between these sources and sinks are sometimes benign, and represent an incomplete list of possible extension security bugs, but these are the patterns that Vex considers suspicious.

3.1. Untrusted sources

We now describe the untrusted JavaScript objects that extensions can access. Untrusted objects might contain foreign scripts that can lead to attacks if run with chrome privileges.

The JavaScript content-document object (window.content.document) accesses the browser's content page directly, and hence is an untrusted source. Also, the browser sets JavaScript pop-up nodes (document.popupNode) when the user right-clicks on document object model (DOM) elements. If this DOM element is part of the page content, then it includes untrusted page content.

One API that extensions use to access persistent state is the Resource Description Framework (RDF). RDF is a model for describing hierarchical relationships between browser resources17 and is used by the browser to store persistent data, like bookmarks. Extension developers can store persistent extension data in an RDF file, or access browser resources stored in RDF format. However, RDF data can
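The RSS-reader pattern quoted from the Mozilla developer site above, written out as code. This is an added example, not code from the Vex paper or from Mozilla: the feed body is content-privileged data that the unsafe version copies straight into a chrome-privileged panel, and the hardened version runs it through an allow-list sanitizer first. The panel object, the sanitizer and the hostile feed item are all constructed here so the code runs outside Firefox; in a real extension `panel` would be an element of the extension's chrome document.

```javascript
// Added example (not Vex's or Mozilla's code): the RSS-reader pattern in its
// unsafe and hardened forms.  `makePanel` is a stand-in for a chrome element.
function makePanel() {
  return { innerHTML: '' };
}

// Unsafe: the feed body crosses from page/content privilege into the chrome
// document unchanged, so any <script> or on* handler it carries runs with the
// extension's privileges.  Untrusted source -> panel.innerHTML is exactly the
// kind of source-to-sink flow Vex reports.
function renderFeedUnsafe(panel, feedHtml) {
  panel.innerHTML = feedHtml;
  return panel.innerHTML;
}

const ESCAPES = { '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;', "'": '&#39;' };
// Formatting tags the extension is willing to render; no attributes survive.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br']);

// Allow-list sanitizer: every tag not on the list is dropped (its text content
// stays as inert text), attributes are stripped from allowed tags so event
// handlers cannot be smuggled through, and stray special characters are
// escaped.  Entities already in the feed are re-escaped (&amp; -> &amp;amp;);
// fidelity is traded for safety.
function sanitizeFeedHtml(feedHtml) {
  return feedHtml.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)[^>]*>|[<>&"']/g, (m, tag) => {
    if (tag === undefined) return ESCAPES[m];            // lone <, >, &, ", '
    const name = tag.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) return '';              // <script>, <img>, <a>, ...
    return (m.startsWith('</') ? '</' : '<') + name + '>'; // attributes dropped
  });
}

// Hardened: only sanitized markup reaches the chrome document.
function renderFeedSafe(panel, feedHtml) {
  panel.innerHTML = sanitizeFeedHtml(feedHtml);
  return panel.innerHTML;
}

// Constructed feed item: a hostile server mixes executing markup into
// otherwise ordinary content.
const HOSTILE_FEED_ITEM =
  '<p>Breaking: <b>news</b></p>' +
  '<img src=x onerror="alert(1)">' +
  '<script>steal(document.cookie)</script>';

// renderFeedUnsafe(makePanel(), HOSTILE_FEED_ITEM) hands the onerror handler
// and the <script> to the chrome document; renderFeedSafe yields
// '<p>Breaking: <b>news</b></p>steal(document.cookie)', where the former
// script body is plain text.
```

The sanitizer is deliberately a whitelist of tag names with attributes removed wholesale, because a blacklist of "dangerous" attributes or tags is exactly the kind of check the Mozilla note says developers overlook; the review question Vex raises for an extension is whether every path from the feed to the panel goes through something like `sanitizeFeedHtml`.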
research highlights
be a heap location (if the property points to another object), a function declaration, a security type, or a primitive value. Security types keep track of taints: a sink object's security type acquires a taint associated with a source object if there is an explicit flow from the source object to the sink object. A security type is modeled as a pair (taint value, source string); the taint value is either low or High, and the taint source is a string identifying the source object of the taint. Primitive string values are preserved and propagated through string operations whenever they evaluate to constant strings. All other primitive values are abstracted.

Figure 2 gives an example of a sample JavaScript heap computed using the Vex analysis. Every object and function in the JavaScript program is represented as a node in the heap, while the properties of the object are represented as edges in the graph. In the figure, the global object loc_Global has five properties, ObjectProt, FunctionProt, Array, ArrayProt, and array_instance, pointing to the nodes loc_ObjProt, loc_FunProt, loc_1, loc_ArrayProt, and loc_4 respectively. Every node in the heap is associated with a taint value, High or low: High represents untrusted objects and low represents trusted objects. High taints and low taints are represented by red and blue nodes, respectively, in the figures (all nodes in Figure 2 are low). Figure 3 shows the initial abstract heap representation of the window.content.document object and the window.document object; notice that one of the nodes, loc_document, has a High taint.

The analysis: The Vex analysis is based on a set of rules that transform abstract heaps according to each statement in the program, and it works by essentially over-approximating the effect of the statements on the abstract heap. These rules closely follow the small-step operational semantics proposed by Maffeis et al.,13 which covers the ECMA-262 standard for JavaScript. JavaScript core objects and functions are summarized to have only the essential functionality; an example summary is given in Section 4.2. Variables and functions that are not initialized in the current program execution or through summaries are initialized to point to placeholder dummy objects with High taints. The default taint of an object created in the extension is set to low unless the analysis explicitly sets the value to High or a variable is uninitialized.

The loops in the program are unrolled a bounded number of times and function calls are inlined for a bounded unrolling of recursive calls, and every path of the resulting program is explored. Thus Vex may overlook certain flows, as discussed in Section 4.3. The static analysis does not evaluate the conditions in conditional statements of the program because of the abstraction. Whenever it reaches a conditional statement, both branches are traversed, in a depth-first manner, to ensure that the entire program is covered. The analysis is flow-sensitive and, due to inlining, also context-sensitive.

Prototypes: JavaScript uses prototype-based inheritance.9 Every object in the JavaScript heap has a special @Proto property, which is used to specify inheritance chains. Additionally, every function (which can be used as a constructor in new) has a prototype property. This prototype property is used to instantiate the @Proto property when a new object is created using the function as a constructor. An object inherits all the properties of its @Proto and of all the objects in the prototype's @Proto chain.

Figure 2 illustrates how Vex handles prototype-based inheritance. The Array object in JavaScript is represented as the node loc_1 in the figure. Since the Array object is a constructor, which can be used to create new instances of the array, it has a prototype field pointing to the object ArrayProt, represented in the graph by the node loc_ArrayProt. A new Array instance, the array_instance object, is created in the program using the statement array_instance = new Array(). In Figure 2, loc_4 represents the array_instance object. The @Proto field of this object points to the object loc_ArrayProt. Therefore, the push method is accessible to the array_instance object and can be called as array_instance.push.

Figure 2. Sample JavaScript heap—Array object. [Figure: nodes loc_Global, loc_ObjProt, loc_FunProt, loc_1 (Array), loc_ArrayProt, loc_4 (array_instance), loc_2; edges ObjectProt, FunctionProt, Array, ArrayProt, array_instance, prototype, @Proto, @FScope.]

Figure 3. window.content.document object. [Figure: loc_Global → Window → loc_window; loc_window → _content → loc_content → Document → loc_doc; loc_window → Document → loc_document (High taint).]

4.2. Handling other features of JavaScript
Function and object summaries: Natively supported functions and objects are replaced with stubs that summarize
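The following is an added example, not Vex's own code: a miniature explicit-flow taint analysis in the style described above, written in Python. It runs a JavaScript-like statement language over an abstract heap of tainted objects linked by @Proto chains, traverses both branches of every conditional without evaluating the condition, unrolls loops a bounded number of times, and reports a flow whenever a High value reaches eval or innerHTML. The object names, the two source objects, the statement forms and the sample program are constructed for illustration; the classification of preference-sourced flows as trusted follows the trust model the paper describes in Section 5.2.

```python
"""Added example (not Vex): explicit-flow taint analysis over an abstract heap.
Values are ("loc", id) | ("str", text, taint) | ("prim", taint) | ("fun", name, taint);
a taint is (level, source). Heap node taints and @Proto links follow the text above."""
from copy import deepcopy

HIGH, LOW = "High", "low"
UNROLL = 1                            # loop bound used in the paper's experiments
# Source objects and how data from them is classed under the Vex trust model.
SOURCES = {"window.content.document": "web content", "nsIPrefService": "preferences"}

class Heap:
    def __init__(self):
        self.nodes, self.counter = {}, 0   # id -> {"props", "proto", "taint"}

    def new_node(self, taint=(LOW, None), proto=None):
        self.counter += 1
        self.nodes["loc_%d" % self.counter] = {"props": {}, "proto": proto, "taint": taint}
        return "loc_%d" % self.counter

    def lookup(self, nid, name):           # property read following the @Proto chain
        while nid is not None:
            if name in self.nodes[nid]["props"]:
                return self.nodes[nid]["props"][name]
            nid = self.nodes[nid]["proto"]
        return None

def taint_of(heap, val):
    return heap.nodes[val[1]]["taint"] if val[0] == "loc" else val[-1]

def initial_heap():
    """Global object with an Array constructor (prototype ArrayProt carrying a push
    summary), window.content.document (High) and nsIPrefService (High)."""
    h = Heap()
    g, arr, arr_prot = h.new_node(), h.new_node(), h.new_node()
    h.nodes[arr_prot]["props"]["push"] = ("fun", "push", (LOW, None))
    h.nodes[arr]["props"]["prototype"] = ("loc", arr_prot)
    win, content = h.new_node(), h.new_node()
    doc = h.new_node(taint=(HIGH, "window.content.document"))
    h.nodes[win]["props"]["content"] = ("loc", content)
    h.nodes[content]["props"]["document"] = ("loc", doc)
    h.nodes[g]["props"].update({"Array": ("loc", arr), "window": ("loc", win),
        "nsIPrefService": ("loc", h.new_node(taint=(HIGH, "nsIPrefService")))})
    return h, g

def read_path(heap, g, path):
    """Resolve a dotted path from the global object. A missing property becomes a
    placeholder object: High with the parent's source if the parent is High, else
    High with an 'uninitialized' source, as Vex does for uninitialized variables."""
    cur = ("loc", g)
    for name in path.split("."):
        if cur[0] != "loc":
            return ("prim", (HIGH,  "uninitialized:" + path))
        nxt = heap.lookup(cur[1], name)
        if nxt is None:
            parent = heap.nodes[cur[1]]["taint"]
            taint = parent if parent[0] == HIGH else (HIGH, "uninitialized:" + path)
            nxt = heap.nodes[cur[1]]["props"][name] = ("loc", heap.new_node(taint=taint))
        cur = nxt
    return cur

def eval_expr(heap, g, e):
    if e[0] == "str":                                     # constant string: trusted
        return ("str", e[1], (LOW, None))
    if e[0] == "read":
        return read_path(heap, g, e[1])
    if e[0] == "concat":                                  # constants kept, taints joined
        a, b = eval_expr(heap, g, e[1]), eval_expr(heap, g, e[2])
        ta, tb = taint_of(heap, a), taint_of(heap, b)
        t = ta if ta[0] == HIGH else tb                   # High wins and keeps its source
        return ("str", a[1] + b[1], t) if a[0] == b[0] == "str" else ("prim", t)
    if e[0] == "new":                                     # new C(): @Proto := C.prototype
        proto = heap.lookup(read_path(heap, g, e[1])[1], "prototype")
        return ("loc", heap.new_node(proto=proto[1] if proto else None))
    raise ValueError(e)

def analyze(stmts, heap, g, report):
    """Explore one path; fork on a copy of the heap at each conditional and loop."""
    for i, st in enumerate(stmts):
        if st[0] == "assign":                             # ("assign", "a.b", expr)
            *prefix, last = st[1].split(".")
            target = read_path(heap, g, ".".join(prefix)) if prefix else ("loc", g)
            heap.nodes[target[1]]["props"][last] = eval_expr(heap, g, st[2])
        elif st[0] == "sink":                             # ("sink", "eval"|"innerHTML", expr, label)
            level, src = taint_of(heap, eval_expr(heap, g, st[2]))
            if level == HIGH:
                report.add((src, st[1], st[3]))
        elif st[0] == "if":                               # condition ignored: both branches
            for branch in (st[1], st[2]):
                analyze(branch + stmts[i + 1:], deepcopy(heap), g, report)
            return report
        elif st[0] == "while":                            # body 0..UNROLL times, then the rest
            for k in range(UNROLL + 1):
                analyze(st[1] * k + stmts[i + 1:], deepcopy(heap), g, report)
            return report
    return report

def vex_report(program):
    """(source, sink, label) -> verdict: preference data is trusted, the rest attackable."""
    heap, g = initial_heap()
    return {f: ("trusted source" if SOURCES.get(f[0]) == "preferences" else "attackable")
            for f in analyze(program, heap, g, set())}

# Constructed extension fragment (not taken from any real add-on).
PROGRAM = [
    ("assign", "arr", ("new", "Array")),
    ("assign", "title", ("read", "window.content.document.title")),
    ("assign", "pref", ("read", "nsIPrefService.getCharPref")),
    ("if", [("sink", "eval", ("concat", ("str", "var t='"), ("read", "title")), "L4")],
           [("sink", "innerHTML", ("read", "pref"), "L6")]),
    ("while", [("assign", "msg", ("concat", ("str", "hello"), ("str", " world")))]),
    ("sink", "eval", ("read", "msg"), "L9"),               # High only on the zero-iteration path
    ("sink", "innerHTML", ("read", "arr.push"), "L10"),    # found via @Proto: low, no alert
]
```

Running vex_report(PROGRAM) yields three flows: web content into eval at L4 (attackable), the preferences object into innerHTML at L6 (trusted under the model, but exactly the Mouse Gestures Redox pattern once the preferences file is corrupted), and an uninitialized msg into eval at L9, which only the zero-iteration unrolling of the loop exposes. The arr.push read shows why the @Proto chain has to be followed: the method is found on ArrayProt, not on the instance, and carries a low taint.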
Overall, our choices were determined mainly by the complexity of JavaScript analysis and our aim of building a useful tool, which in turn led us to sacrifice soundness.

5. EVALUATION
Vex is implemented in Java (∼7000 LOC) and uses a JavaScript parser built with the ANTLR parser generator from the JavaScript 1.5 grammar provided by ANTLR.1 ANTLR outputs Java-based abstract syntax trees (ASTs) for the JavaScript sources obtained by pre-processing the extension's XUL and JavaScript files. The XUL files add UI elements to the browser's chrome. When any one of these user-interface elements is invoked or clicked, the corresponding event is triggered and its event handler is called. We extract all such calls to event handlers from the XUL files and run them using Vex's abstract operational semantics.

During execution of the program under the abstract operational semantics outlined in Section 4, when the program reaches a vulnerable sink, Vex checks whether the inputs or assignments to the sink are tainted. If they are, Vex reports the occurrence of the flow along with the source objects and the sink locations in the code. The source objects are the objects described in Section 3, and the sink locations are the points at which the sinks described in Section 3 are encountered during execution. The rest of this section summarizes our results.

The number of loop unrollings can be set as a parameter of the Vex analysis engine (in our experiments, a bound of just one was used). The Vex implementation has a number of optimizations to improve memory usage and speed. To save memory, abstract heaps are freed when backtracking in the depth-first search. To save time, abstract heaps at join points are cached and compared when other paths reach these points, to avoid exploring paths unnecessarily.

5.1. Evaluation methodology
The extensions we analyzed were chosen as follows. First, in October 2008, we built a suite of extensions from a random sample of 1827 extensions from the Mozilla add-ons Web site, by downloading the first extensions in alphabetical order for all subject categories. This extension suite had two extensions with known vulnerabilities. In November 2009, we downloaded 699 of the most popular extensions and 8 extensions with known vulnerabilities. The random sample and the popular extensions had 74 extensions in common, for a total of 2460 extensions. Our suite includes multiple versions of some extensions, allowing cross-version comparisons. For instance, we found a new version of Fizzle (see Bandhakavi et al.2) to be vulnerable even though its authors had tried to fix the vulnerabilities in the previous version.

We extracted the JavaScript files from these extensions and ran Vex on them, using a 2.4 GHz 64-bit x86 processor with a maximum JVM heap size of 16 GB.

To evaluate the effectiveness of Vex, we perform two kinds of experiments. First, we run Vex on the downloaded extensions and check whether any of them exhibit one of the malicious flow patterns. Second, we check whether Vex can detect known extension vulnerabilities.

5.2. Experimental results
Finding flows from injectible sources to executable sinks: Figure 5 summarizes the experimental results for flows from injectible sources to executable sinks (flows for which the sinks are eval and innerHTML). Of the 2460 extensions analyzed by Vex, a grep showed that a total of 977 extensions contained either the string "eval" or the string "innerHTML" or both.

The first column of Figure 5 indicates the exact source-to-sink flow pattern checked by Vex. The second column indicates the number of extensions on which Vex reports an alert with corresponding flows. On average, Vex took 11.5 s per extension. It took about a week to analyze all the extensions with flows from untrusted sources to eval and innerHTML sinks.

To look for potential attacks, we manually analyzed the extensions with suspect flows found by Vex, spending about 20 min per extension on average. The next column reports the number of extensions on which we could engineer an attack based on the flows reported by Vex. We were able to attack nine extensions, of which only two (Fizzle v0.5 and Beatnik v1.0) were already known to be vulnerable. The rest of the attacks are new.

The next column shows the extensions where the source is provided either by the extension user or the extension developer, or is computed from the system parameters by the
extension. The values are stored either in the preferences or in a local file. Since we trust the users and extension developers in our trust model, these extensions are considered non-vulnerable. However, if the preferences file or the local file system is corrupted in any way, these extensions can be attacked.

The fifth column shows the extensions where the source is code from a Web site, and where an attack is possible provided the Web site can be attacked. In other words, these extensions rely on a trusted-Web-site assumption (e.g., that the code on the Facebook Web site is safe). We think that these are valid warnings that users of an extension (and Mozilla) should be aware of; trusted Web sites can after all be compromised, and the code on these sites can be changed, leading to an attack on all users of such an extension.

Not all flows lead to attacks. The next set of columns describes the alerts that we were unable to convert to concrete attacks. Some extensions were not exploitable because the input is sanitized correctly (either by the extension or by the browser), preventing JavaScript injection. Other extensions were not exploitable because the sinks were not in chrome-executable contexts. These extensions are noted in the next two columns. Finally, Vex, being a static flow-analysis tool, does report alerts about flows that do not actually exist; there were very few of these, and they are noted under the column "Nonexistent flows." Section 5.4 discusses the flows that do not lead to attacks.

New vulnerabilities discovered: The number of security vulnerabilities discovered is shown in column 3 of Figure 5, of which 7 are new. Wikipedia Toolbar versions 0.5.7 and 0.5.9 have flows from window.content.document to eval, which lead to attacks. Mouse Gestures Redox v2.0.3 has flows from nsIPrefService to eval, which also led to an attack. Beatnik v1.2, Fizzle v0.5.1, and Fizzle v0.5.2 are also attackable, and have flows from nsIRDFService to innerHTML. Kaizou v0.5.8 has a flow from window.content.document to innerHTML which leads to attacks. Section 5.3 gives some details about the flows and the attacks in some of the vulnerable extensions. Details about the Fizzle (and Beatnik) vulnerabilities can be found in the previous version of this article.2

Known vulnerabilities detected: Apart from the new vulnerabilities found by Vex, there are several extensions that have been reported to be vulnerable in the past. In the course of our research, we found 18 unique extensions that were reported to be vulnerable in various databases such as CVE and Secunia. Of these 18, we did not find the source code for 5 extensions (Greasemonkey v ≤ 0.3.5, Wizz Rss v < 3.1.0.0, Skype v ≤ 3.8.0.188, MouseoverDictionary v < 0.6.2, POW v < 0.0.9), so we did not analyze them. Of the remaining 13 extensions, we found that 10 can potentially be found using explicit information-flow analysis techniques like Vex.

Currently, Vex detects 5 of these 10 known extensions with flow-based vulnerabilities: Fizzle v0.5, Beatnik v1.0, CoolPreviews v2.7 and v2.7.2, infoRSS v ≤ 1.1.4.2, and Sage v < 1.3.9 and v ≤ 1.4.3. CoolPreviews has flows from document.popupNode to appendChild. infoRSS has flows from nsIRDFService to appendChild. Sage has flows from BookmarksUtils to an object accessing the local file system through the nsIFile interface.

The remaining five extensions have flow vulnerabilities but were not found by Vex for the following reasons. For FeedSidebar v < 3.2, FireBug v1.01, Scribefire v ≤ 3.4.2, and Update Scanner v < 3.0.3, the trigger of the flow was in an event handler or a function call that was invoked from outside the extension's code base. In Yoono version ≤ 6.1.1, an unsanitized JavaScript element such as an image or link is rendered in the chrome context; however, it was difficult to find the source and sink objects from its source code.

Finally, there were three extension vulnerabilities (for which we had the source) that cannot be found by Vex because they are not flow vulnerabilities. These include attacks on a file server (e.g., FireFTP v < 0.97.2 and < 1.04) and directory-traversal attacks (e.g., Navigational Sounds v1.0.2, Ajax Yahoo Mail Viamatic Webmail v0.9) when a chrome package is "flat" rather than contained in a jar. In both cases, an attacker can escape from the extension's directory and read files at a predictable location on the disk. Since such attacks are not related to chrome privilege escalation, Vex does not handle them.

5.3. Successful attacks
Attack scripts: All our attack scenarios involve a user who has installed a vulnerable extension and who visits a malicious page, which, either automatically or when the user invokes the extension, causes script written on the malicious page to execute in the chrome context. Figure 6 illustrates an attack payload that can be used in such attacks: this script displays the folders and files in the root directory.

The attack payloads could be much more dangerous: the attacker could gain complete control of the affected computer using XPCOM API functions. More examples of such payloads are enumerated in the white paper by Freeman and Liverani.7 In this section, we illustrate a few

Figure 6. Attack script to display directories.

  <script>
  var root = Components.classes["@mozilla.org/file/local;1"]
                       .createInstance(Components.interfaces.nsILocalFile);
  try {
    root.initWithPath("/.");       // for Linux or Mac
  } catch (er) {
    root.initWithPath("\\\\.");    // for Windows
  }
  var drivesEnum = root.directoryEntries, drives = [];
  while (drivesEnum.hasMoreElements()) {
    drives.push(drivesEnum.getNext()
                          .QueryInterface(Components.interfaces.nsILocalFile).path);
  }
  alert(drives);
  </script>
doi:10.1145/1995376.1995399
Technical Perspective
Abstracting Abstract Machines
By Olivier Danvy and Jan Midtgaard

The goal of program analysis is to statically predict runtime properties of programs without running them. The semantic approach to program analysis originates in Cousot's path-breaking work on abstract interpretation: start from a formal mathematical model of program execution, a semantics, and approximate it with Galois connections (or similar means) into a computable model based on lattices of runtime properties that accounts for all possible execution paths. Each program gives rise to a collection of equations that are then typically solved by fixed-point iteration.

Semantics-based program analysis therefore requires one to (1) start from a "friendly" semantics; (2) design a "congenial" lattice of runtime properties; (3) associate a "relevant" set of equations to a program; and (4) solve these equations efficiently.

Each of these requirements is fraught with difficulties:
1. Among the varieties of formal semantics that exist (operational, denotational, axiomatic, among others) and their sub-varieties (for example, small step or big step), where is your friendly semantics? Ideally, it should lend itself to a good approximation into a computable model.
2. What is a congenial lattice of runtime properties? How wide should it be? How high? Ideally, it should lend itself to a good widening operator that accelerates the convergence of fixed-point iteration.
3. What is a relevant set of equations? Ideally, each equation should mimic the friendly semantics as closely as possible.
4. What is the best representation of equations and the most efficient way to solve them? This is an algorithmics problem.

Effective answers to each of these questions have been found before, but each of them has been something of a tour de force.

In the following paper, David Van Horn and Matthew Might take a radical bet on simplicity and effectiveness:
• Since most semantic artifacts are inter-derivable, without loss of generality they select abstract machines, deterministic state-transition systems with potentially infinite state spaces, as their friendly semantics.
• They then refactor each abstract machine into a non-deterministic state-transition system with a finite state space.

Their methodology is concretely useful: it enables program-analysis designers to start from an existing abstract machine rather than from an ad hoc, tailored one, and then factor it uniformly into an abstraction-friendly semantic artifact. Their methodology is effective: it scales to a variety of computational situations involving realistic programming-language constructs, for example, exceptions. Their methodology is structural and generic: it enables program-analysis designers to concentrate on what is specific to their analysis and is still difficult (their lattice of runtime properties, their widening operator, how to represent their equations, and how to solve them efficiently) instead of being forced to perform one global tour de force after another, from scratch, every time.

As such, we find Van Horn and Might's scientific contribution to be a significant stepping stone conceptually and practically as well as an effective tutorial on how to develop a higher-order program analysis by abstracting an abstract machine. We also found their article a pleasure to read.

Olivier Danvy (danvy@cs.au.dk) is an associate professor and Jan Midtgaard (jmi@cs.au.dk) is a post-doctoral researcher in the Department of Computer Science at Aarhus University, Aarhus, Denmark.
Abstract
Predictive models are fundamental to engineering reliable software systems. However, designing conservative, computable approximations for the behavior of programs (static analyses) remains a difficult and error-prone process for modern high-level programming languages. What analysis designers need is a principled method for navigating the gap between semantics and analytic models: analysis designers need a method that tames the interaction of complex language features such as higher-order functions, recursion, exceptions, continuations, objects and dynamic allocation.

We contribute a systematic approach to program analysis that yields novel and transparently sound static analyses. Our approach relies on existing derivational techniques to transform high-level language semantics into low-level deterministic state-transition systems (with potentially infinite state spaces). We then perform a series of simple machine refactorings to obtain a sound, computable approximation, which takes the form of a non-deterministic state-transition system with a finite state space. The approach scales up uniformly to enable program analysis of realistic language features, including higher-order functions, tail calls, conditionals, side effects, exceptions, first-class continuations, and even garbage collection.

1. INTRODUCTION
Software engineering, compiler optimizations, program parallelization, system verification, and security assurance depend on program analysis, a ubiquitous and central theme of programming language research. At the same time, the production of modern software systems employs expressive, higher-order languages such as Java, JavaScript, C#, Python, Ruby, etc., implying a growing need for fast, precise, and scalable higher-order program analyses.

Program analysis aims to soundly predict properties of programs before they are run. (Sound in program analysis means "conservative approximation": if a sound analysis says a program must not exhibit a behavior, then that program will not exhibit that behavior; but if a sound analysis says a program may exhibit a behavior, then it may or may not exhibit that behavior.) For over 30 years, the research community has expended significant effort designing effective analyses for higher-order programs.13 Past approaches have focused on connecting high-level language semantics such as structured operational semantics, denotational semantics, or reduction semantics to equally high-level but dissimilar analytic models. These models are too often far removed from their programming language counterparts and take the form of constraint languages specified as relations on sets of program fragments.12, 18, 25 These approaches require significant ingenuity in their design and involve complex constructions and correctness arguments, making it difficult to establish soundness, design algorithms, or grow the language under analysis. Moreover, such analytic models, which focus on "value flow," i.e., determining which syntactic values may show up at which program sites at run-time, have a limited capacity to reason about many low-level intensional properties such as memory management, stack behavior, or trace-based properties of computation. Consequently, higher-order program analysis has had limited impact on large-scale systems, despite the apparent potential for program analysis to aid in the construction of reliable and efficient software.

In this paper, we describe a systematic approach to program analysis that overcomes many of these limitations by providing a straightforward derivation process, lowering verification costs and accommodating sophisticated language features and program properties.

Our approach relies on leveraging existing techniques to transform high-level language semantics into abstract machines: low-level deterministic state-transition systems with potentially infinite state spaces. Abstract machines,11 and the paths from semantics to machines,5, 7, 20 have a long history in the research on programming languages.

From an abstract machine, which represents the idealized core of a realistic run-time system, we perform a series of basic machine refactorings to obtain a non-deterministic state-transition system with a finite state space. The refactorings are simple: (1) variable bindings and the control stack are redirected through the machine's store and (2) the store is bounded to a finite size. Due to finiteness, store updates must become merges, leading to the possibility of multiple values residing in a single store location. This in turn requires store look-ups to be replaced by a non-deterministic choice among the multiple values at a given location. The derived machine computes a sound approximation of the original machine, and thus forms an abstract interpretation of the machine and the high-level semantics.

The approach scales up uniformly to enable program analysis of realistic language features, including

The original version of this paper was published in Proceedings of the 15th ACM SIGPLAN International Conference on Functional Programming.
higher-order functions, tail calls, conditionals, side effects, exceptions, first-class continuations, and even garbage collection. Thus, we are able to refashion semantic techniques used to model language features into abstract interpretation techniques for reasoning about the behavior of those very same features.

Background and notation: We present a brief introduction to reduction semantics and abstract machines. For background and a more extensive introduction to the concepts, terminology, and notation employed in this paper, we refer the reader to Semantics Engineering with PLT Redex.7

2. FROM SEMANTICS TO MACHINES AND MACHINES TO ANALYSES
In this section, we demonstrate our systematic approach to analysis by stepping through a derivation from the high-level semantics of a prototypical higher-order programming language to a low-level abstract machine, and from the abstract machine to a sound and computable analytic model that predicts intensional properties of that machine. As a prototypical language, we choose the call-by-value λ-calculus,19 a core computational model for both functional and object-oriented languages. We choose to model program behavior with a simple operational model given in the form of a reduction semantics. Despite this simplicity, reduction semantics scale to full-fledged programming languages,22 although the choice is somewhat arbitrary since it is known how to construct abstract machines from a number of semantic paradigms.5 In subsequent sections, we demonstrate that the approach handles richer language features such as control, state, and garbage collection, and we have successfully employed the same method to statically reason about language features such as laziness, exceptions, and stack inspection, and programming languages such as Java and JavaScript. In all cases, analyses are derived following the systematic approach presented here.

2.1. Reduction semantics
To begin, consider the following language of expressions:

parameter replaced by the value. The expression on the left-hand side is known as a redex and the right-hand side is its contractum.

Reduction can occur within an evaluation context, defined by the following grammar:

$E = [\,] \mid (E\;e) \mid (v\;E).$

An evaluation context can be thought of as an expression with a single "hole" in it, which is where a redex may be reduced. It is straightforward to observe that for all programs, either the program is a value, or it decomposes uniquely into an evaluation context and a redex, written $E[((\lambda x.e)\;v)]$. Thus the grammar as given specifies a deterministic reduction strategy, which is formalized as a standard reduction relation on programs:

$E[e] \mapsto_v E[e']$, if $e \to_v e'$.

The evaluation of a program is defined by a partial function relating programs to values (p. 67 of Felleisen et al.7):

$\mathit{eval}(e) = v$ if $e \mapsto_v^{*} v$, for some $v$,

where $\mapsto_v^{*}$ denotes the reflexive, transitive closure of the standard reduction relation.

We have now established the high-level semantic basis for our prototypical language. The semantics is in the form of an evaluation function defined by the reflexive, transitive closure of the standard reduction relation. However, the evaluation function as given does not shed much light on a realistic implementation. At each step, the program is traversed according to the grammar of evaluation contexts until a redex is found. When found, the redex is reduced and the contractum is plugged back into the context. The process is then repeated, again traversing from the beginning of the program. Abstract machines offer an extensionally equivalent but more realistic model of evaluation that shortcuts the plugging of a contractum back into a context and the subsequent decomposition.6
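As an added example (not code from the paper), the following Python program implements the reduction semantics just described, decomposing the program into an evaluation context and a redex from the root at every step, alongside the CEK machine that Section 2.2 and Figure 1 of this paper define. Running both on the same closed terms checks the extensional equivalence claimed above and stated as Lemma 1, eval_CEK = eval. The tuple encoding of terms, the function names and the step bound ("fuel") are my own choices; substitution is written without renaming, which is correct here only because programs are closed and call-by-value substitutes closed values.

```python
"""Added example, not code from the paper: reduction semantics (Section 2.1) and the
CEK machine (Figure 1) compared on closed terms. Terms: ("var", x), ("lam", x, body),
("app", e0, e1)."""


def is_value(e):
    return e[0] == "lam"


def subst(e, x, v):
    """e[v/x]. No renaming needed: programs are closed and every substituted value is closed."""
    if e[0] == "var":
        return v if e[1] == x else e
    if e[0] == "lam":
        return e if e[1] == x else ("lam", e[1], subst(e[2], x, v))
    return ("app", subst(e[1], x, v), subst(e[2], x, v))


def decompose(e):
    """Unique decomposition e = E[redex] following E = [] | (E e) | (v E).
    Returns (frames, redex) with frames outermost first, or None when e is a value."""
    frames = []
    while not is_value(e):
        _, e0, e1 = e
        if not is_value(e0):                      # inside (E e1)
            frames.append(("argE", e1))
            e = e0
        elif not is_value(e1):                    # inside (v E)
            frames.append(("funE", e0))
            e = e1
        else:                                     # ((lam x.body) v) is the redex
            return frames, e
    return None


def plug(frames, e):
    """E[e]: rebuild the whole program around the contractum."""
    for kind, other in reversed(frames):
        e = ("app", e, other) if kind == "argE" else ("app", other, e)
    return e


def step_reduction(e):
    """One standard-reduction step E[((lam x.body) v)] -> E[body[v/x]]; None at a value."""
    d = decompose(e)
    if d is None:
        return None
    frames, (_, (_, x, body), v) = d
    return plug(frames, subst(body, x, v))


def eval_reduction(e, fuel=10000):
    """eval(e): iterate standard reduction, re-traversing from the root each time."""
    for _ in range(fuel):
        nxt = step_reduction(e)
        if nxt is None:
            return e
        e = nxt
    raise RuntimeError("no value within fuel")


MT = ("mt",)


def step_cek(state):
    """The four transitions of Figure 1; None once <v, rho, mt> is reached."""
    c, rho, k = state
    if c[0] == "var":                             # <x, rho, k> -> <v, rho', k>, rho(x) = (v, rho')
        v, rho2 = rho[c[1]]
        return (v, rho2, k)
    if c[0] == "app":                             # <(e0 e1), rho, k> -> <e0, rho, ar(e1, rho, k)>
        return (c[1], rho, ("ar", c[2], rho, k))
    if k[0] == "ar":                              # <v, rho, ar(e, rho', k)> -> <e, rho', fn(v, rho, k)>
        _, e, rho2, k2 = k
        return (e, rho2, ("fn", c, rho, k2))
    if k[0] == "fn":                              # <v, rho, fn(lam x.e, rho', k)> -> <e, rho'[x->(v,rho)], k>
        _, (_, x, body), rho2, k2 = k
        return (body, {**rho2, x: (c, rho)}, k2)
    return None


def real(v, rho):
    """Plotkin's real: the term a closure denotes, with the environment substituted out."""
    for y, (w, rho2) in rho.items():
        v = subst(v, y, real(w, rho2))
    return v


def eval_cek(e, fuel=10000):
    """eval_CEK(e) = real(v, rho) where <e, {}, mt> steps to <v, rho, mt>."""
    state = (e, {}, MT)
    for _ in range(fuel):
        nxt = step_cek(state)
        if nxt is None:
            return real(state[0], state[1])
        state = nxt
    raise RuntimeError("no value within fuel")


def lemma1_holds(e):
    return eval_cek(e) == eval_reduction(e)


# Constructed closed sample terms.
I = ("lam", "x", ("var", "x"))
K = ("lam", "a", ("lam", "b", ("var", "a")))
Z = ("lam", "z", ("var", "z"))
SAMPLES = [("app", I, Z),                                        # (I Z)            -> Z
           ("app", ("app", K, Z), I),                            # ((K Z) I)        -> Z
           ("app", ("app", I, I), ("app", K, ("app", I, Z)))]    # ((I I) (K (I Z))) -> lam b. Z
```

The third sample is the instructive one: the CEK machine finishes in the state ⟨(λb.a), {a ↦ ((λz.z), ∅)}, mt⟩, a closure whose body still mentions a, and only real turns it into the term (λb.(λz.z)) that the reduction semantics produces directly. The contrast in decompose and plug versus step_cek is the point of Section 2.2: the machine never re-traverses the program from the root.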
In this way, evaluation contexts form a program stack: mt is the empty stack, and ar and fn are frames.

States of the CEK machine are triples consisting of an expression, an environment that closes the control string, and a continuation:

$\varsigma \in \Sigma = \mathit{Exp} \times \mathit{Env} \times \mathit{Cont}$
$v \in \mathit{Val} = (\lambda x.e)$
$\rho \in \mathit{Env} = \mathit{Var} \to_{\mathrm{fin}} \mathit{Val} \times \mathit{Env}$
$\kappa \in \mathit{Cont} = \mathbf{mt} \mid \mathbf{ar}(e, \rho, \kappa) \mid \mathbf{fn}(v, \rho, \kappa).$

The transition function for the CEK machine is defined in Figure 1. The initial machine state for a program $e$ is given by the $\mathit{inj}_{CEK}$ function:

$\mathit{inj}_{CEK}(e) = \langle e, \emptyset, \mathbf{mt} \rangle.$

Evaluation is defined by the reflexive, transitive closure of the machine transition relation and a "real" function (p. 129 of Plotkin19) that maps closures to the term represented:

$\mathit{eval}_{CEK}(e) = \mathit{real}(v, \rho)$, where $\mathit{inj}_{CEK}(e) \mapsto_{CEK}^{*} \langle v, \rho, \mathbf{mt} \rangle$,

which is equivalent to the eval function of Section 2.1:

Lemma 1 (CEK Correctness7). $\mathit{eval}_{CEK} = \mathit{eval}$.

We have now established a correct low-level evaluator for our prototypical language that is extensionally equivalent to the high-level reduction semantics. However, program analysis is not just concerned with the result of a computation, but also with how it was produced, i.e., analysis should predict intensional properties of the machine as it runs a program. We therefore adopt a reachable-states semantics that relates a program to the set of all its intermediate steps:

$\mathit{CEK}(e) = \{\varsigma \mid \mathit{inj}_{CEK}(e) \mapsto_{CEK}^{*} \varsigma\}.$

Membership in the set of reachable states is straightforwardly undecidable. The goal of analysis, then, is to construct an abstract interpretation4 that is a sound and computable approximation of the CEK function.

Figure 1. CEK machine.

$\varsigma \mapsto_{CEK} \varsigma'$
$\langle x, \rho, \kappa \rangle \mapsto \langle v, \rho', \kappa \rangle$ where $\rho(x) = (v, \rho')$
$\langle (e_0\;e_1), \rho, \kappa \rangle \mapsto \langle e_0, \rho, \mathbf{ar}(e_1, \rho, \kappa) \rangle$
$\langle v, \rho, \mathbf{ar}(e, \rho', \kappa) \rangle \mapsto \langle e, \rho', \mathbf{fn}(v, \rho, \kappa) \rangle$
$\langle v, \rho, \mathbf{fn}((\lambda x.e), \rho', \kappa) \rangle \mapsto \langle e, \rho'[x \mapsto (v, \rho)], \kappa \rangle$

$\widehat{\mathit{CEK}}(e) = \{\hat\varsigma \mid \mathit{inj}_{CEK}(e) \mapsto_{\widehat{CEK}}^{*} \hat\varsigma\}.$

1. Soundness is achieved by showing that transitions preserve approximation, so that if $\varsigma \mapsto_{CEK} \varsigma'$ and $\hat\varsigma$ approximates $\varsigma$, then there exists an abstract state $\hat\varsigma'$ such that $\hat\varsigma \mapsto_{\widehat{CEK}} \hat\varsigma'$ and $\hat\varsigma'$ approximates $\varsigma'$.
2. Decidability is achieved by constructing the approximation in such a way that the state space of the abstracted machine is finite, which guarantees that for any program $e$, the set $\widehat{\mathit{CEK}}(e)$ is finite.

An attempt at approximation: A simple approach to abstracting the machine's state space is to apply a structural abstraction, which lifts approximation across the structure of a machine state, i.e., expressions, environments, and continuations. The problem with the structural abstraction approach for the CEK machine is that both environments and continuations are recursive structures. As a result, the abstraction yields objects in an abstract state space with recursive structure, implying the space is infinite.

Focusing on recursive structure as the source of the problem, our course of action is to add a level of indirection, forcing recursive structure to pass through explicitly allocated addresses. Doing so unhinges the recursion in the machine's data structures, enabling structural abstraction via a single point of approximation: the store.

The next section covers the first of the two steps for refactoring the CEK machine into its computable approximation: a store component is introduced to machine states, and variable bindings and continuations are redirected through the store. This step introduces no approximation, and the constructed machine operates in lock-step with the CEK machine. However, the machine is amenable to a direct structural abstraction.

2.3. CESK* machine
The states of the CESK* machine extend those of the CEK machine to include a store, which provides a level of indirection for variable bindings and continuations to pass through. The store is a finite map from addresses to storable values, which include closures and continuations, and environments are changed to map variables to addresses. When a variable's value is looked up by the machine, this is now accomplished by using the environment to look up the variable's address, which is then used to look up the value. To bind a variable to a value, a fresh location in the store is allocated and mapped to the value; the environment is extended to map the variable to that address.

To untie the recursive structure associated with continuations, we likewise add a level of indirection through the store and replace the continuation component of the machine with a pointer to a continuation in the store. We term the resulting machine the CESK* (control, environment, store, continuation pointer) machine.
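The following is an added example, not code from the paper: a Python CESK* machine whose variable bindings and continuations pass through the store exactly as described above, parameterized by an allocation function in the manner of Section 2.4 below. With an allocator that always returns a fresh address it is the concrete CESK* machine of this section; with the finite allocator that reuses the bound variable or the current expression as the address, store updates become joins and variable lookups become a non-deterministic choice, which is the computable approximation the introduction outlines. The encodings (states as hashable tuples, the store as a set of address/storable pairs, the choice of allocation hints) and the sample terms are my own.

```python
"""Added example, not code from the paper: a CESK* machine parameterized by alloc.
Terms: ("var", x), ("lam", x, e), ("app", e0, e1). A state is (control, rho, sigma, a_k)
with rho a tuple of (var, addr) pairs and sigma a frozenset of (addr, storable) pairs,
so states are hashable and joining values at one address is plain set union."""

MT = ("mt",)


def inj(e, a0):
    """<e, empty environment, [a0 -> mt], a0>."""
    return (e, (), frozenset({(a0, MT)}), a0)


def lookup(sigma, a):
    return {s for addr, s in sigma if addr == a}


def bind(rho, x, a):
    return tuple(sorted({**dict(rho), x: a}.items()))


def alloc_fresh(state, hint):
    """Concrete allocation: an integer address not yet in the store (use a0 = 0)."""
    return max(a for a, _ in state[2]) + 1


def alloc_finite(state, hint):
    """Finite allocation: the bound variable, or the expression being evaluated, is the
    address. Finitely many addresses means store updates may now merge values."""
    return hint


def step(state, alloc):
    """All successors of a state. One successor per transition for alloc_fresh; with
    alloc_finite a variable lookup yields one successor per value stored at its address."""
    c, rho, sigma, ak = state
    succ = set()
    if c[0] == "var":
        for s in lookup(sigma, dict(rho)[c[1]]):              # s = ("clo", v, rho')
            succ.add((s[1], s[2], sigma, ak))
    elif c[0] == "app":                                        # push ar frame into the store
        b = alloc(state, c)
        succ.add((c[1], rho, sigma | {(b, ("ar", c[2], rho, ak))}, b))
    else:                                                      # c is a value: pop a frame
        for k in lookup(sigma, ak):
            if k[0] == "ar":
                _, e, rho2, a2 = k
                b = alloc(state, e)
                succ.add((e, rho2, sigma | {(b, ("fn", c, rho, a2))}, b))
            elif k[0] == "fn":
                _, (_, x, body), rho2, a2 = k
                b = alloc(state, x)
                succ.add((body, bind(rho2, x, b), sigma | {(b, ("clo", c, rho))}, a2))
    return succ


def reachable(e, alloc, a0, limit=5000):
    """CESK*(e): every state reachable from inj(e, a0); raises once 'limit' states are seen."""
    start = inj(e, a0)
    seen, todo = {start}, [start]
    while todo:
        for s in step(todo.pop(), alloc):
            if s not in seen:
                if len(seen) >= limit:
                    raise RuntimeError("state space exceeds %d states" % limit)
                seen.add(s)
                todo.append(s)
    return seen


def finite_state_space(e, alloc, a0, limit=5000):
    """True iff the reachable-state search finishes below 'limit' states."""
    try:
        reachable(e, alloc, a0, limit)
        return True
    except RuntimeError:
        return False


def final_values(states):
    """Control strings of halted states <v, rho, sigma, a> whose a holds mt."""
    return {c for c, rho, sigma, ak in states if c[0] == "lam" and (ak, MT) in sigma}


# Constructed sample terms.
I = ("lam", "x", ("var", "x"))
Z = ("lam", "z", ("var", "z"))
T = ("app", ("app", I, I), Z)                          # ((I I) Z): binds x first to I, then to Z
L = ("lam", "x", ("app", ("var", "x"), ("var", "x")))
OMEGA = ("app", L, L)                                  # (L L): never reaches a value
```

On T the concrete machine halts with Z alone, while the finite allocator stores both closures for I and Z at the single address "x", so the lookup of x in the last step offers both, and final_values returns {I, Z}: a sound over-approximation, with the imprecision located exactly where the text says it must be, in the merged store. On OMEGA the concrete run allocates a fresh address every step and never terminates (the search stops at its limit), whereas the finitely allocated machine revisits a state after about a dozen transitions and its reachable set is finite.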
$\varsigma \in \Sigma = \mathit{Exp} \times \mathit{Env} \times \mathit{Store} \times \mathit{Addr}$
$s \in \mathit{Storable} = \mathit{Val} \times \mathit{Env} + \mathit{Cont}$
$\kappa \in \mathit{Cont} = \mathbf{mt} \mid \mathbf{ar}(e, \rho, a) \mid \mathbf{fn}(v, \rho, a).$

The transition function for the CESK* machine is defined in Figure 2. The initial state for a program is given by the $\mathit{inj}_{CESK^*}$ function, which combines the expression with the empty environment and a store with a single pointer to the empty continuation, whose address serves as the initial continuation pointer:

$\mathit{inj}_{CESK^*}(e) = \langle e, \emptyset, [a_0 \mapsto \mathbf{mt}], a_0 \rangle.$

An evaluation function based on this machine is defined following the template of the CEK evaluation given in Section 2.2:

$\mathit{eval}_{CESK^*}(e) = \mathit{real}(v, \rho, \sigma)$, where $\mathit{inj}_{CESK^*}(e) \mapsto_{CESK^*}^{*} \langle v, \rho, \sigma, a_0 \rangle$,

where the real function is suitably extended to follow the environment's indirection through the store.

We also define the set of reachable machine states:

$\mathit{CESK}^*(e) = \{\varsigma \mid \mathit{inj}_{CESK^*}(e) \mapsto_{CESK^*}^{*} \varsigma\}.$

Observe that for any program, the CEK and CESK* machines operate in lock-step: each machine transitions, by the corresponding rule, if and only if the other machine transitions.

Lemma 2. CESK*(e) CEK(e)

The above lemma implies correctness of the machine.

Lemma 3 (CESK* Correctness). $\mathit{eval}_{CESK^*} = \mathit{eval}$.

Addresses, abstraction and allocation: The CESK* machine, as defined in Figure 2, nondeterministically chooses addresses when it allocates a location in the store, but because machines are identified up to consistent renaming of addresses, the transition system remains

the store is finite, locations may need to be reused, and when multiple values are to reside in the same location, the store will have to soundly approximate this by joining the values.

In our concrete machine, all that matters about an allocation strategy is that it picks an unused address. In the abstracted machine, however, the strategy will all but certainly have to reuse previously allocated addresses. The abstract allocation strategy is therefore crucial to the design of the analysis: it indicates when finite resources should be doled out and decides when information should deliberately be lost in the service of computing within bounded resources. In essence, the allocation strategy is the heart of an analysis.

For this reason, concrete allocation deserves a bit more attention in the machine. An old idea in program analysis is that dynamically allocated storage can be represented by the state of the computation at allocation time10 (Section 1.2.2 of Midtgaard13). That is, allocation strategies can be based on a (representation of the) machine history. Since machine histories are always fresh, we call them time-stamps.

A common choice for a time-stamp, popularized by Shivers,21 is to represent the history of the computation as contours, finite strings encoding the calling context. We present a concrete machine that uses a general time-stamp approach and is parameterized by a choice of tick and alloc functions.

2.4. Time-stamped CESK* machine
The machine states of the time-stamped CESK* machine include a time component, which is intentionally left unspecified:

$t, u \in \mathit{Time}$
$\varsigma \in \Sigma = \mathit{Exp} \times \mathit{Env} \times \mathit{Store} \times \mathit{Addr} \times \mathit{Time}.$

The machine is parameterized by the functions:

$\mathit{tick} : \Sigma \to \mathit{Time}$ and $\mathit{alloc} : \Sigma \to \mathit{Addr}.$

The tick function returns the next time; the alloc function allocates a fresh address for a binding or continuation. We require of tick and alloc that for all $t$ and $\varsigma$, $t$ tick($\varsigma$) and
deterministic. alloc(ς) ∉ s where ς = á_, _, s, _, tñ.
Looking ahead, an easy way to bound the state space The time-stamped CESK* machine is defined in Figure 3.
of this machine is to bound the set of addresses. But once Note that occurrences of ς on the right-hand side of this
definition are implicitly bound to the state occurring on the
Figure 2. CESK* machine. left-hand side. The evaluation function evalCESK*t and reach-
able states CESK*t are defined following the same outline as
ς −→CESK∗ ς , where κ = σ(a), b ∈ dom(σ) before and omitted for space. The initial machine state is
defined as
x, ρ, σ, a v, ρ, σ, a where (v, ρ) = σ(ρ(x))
injCESK*t (e) = áe, 0/, [a0 a mt], a0, t0ñ.
(e0e1), ρ, σ, a e0, ρ, σ[b → ar(e1, ρ, a)], b
v, ρ, σ, a
Satisfying definitions for the parameters are
if κ = ar(e, ρ, c) e, ρ , σ[b → fn(v, ρ, c)], b
if κ = fn((λx.e), ρ, c) e, ρ[x → b], σ[b → (v, ρ)], c
Time = Addr =
a0 = t0 = 0 tická_, _, _, _, tñ = t + 1 allocá_, _, _, _, tñ = t.
x, ρ, σ, a, t v, ρ, σ, a, u where (v, ρ) = σ(ρ(x)) x, ρ, σ̂, a, t v, ρ, σ̂, a, uwhere (v, ρ) ∈ σ̂(ρ(x))
(e0e1), ρ, σ, a, t e0, ρ, σ[b → ar(e1, ρ, a)], b, u (e0e1), ρ, σ̂, a, t e0, ρ, σ̂ [b → ar(e1, ρ, a)], b, u
v, ρ, σ, a, t v, ρ, σ̂, a, t
if κ = ar(e, ρ, c) e, ρ, σ[b → fn(v, ρ, c)], b, u if κ = ar(e, ρ, c) e, ρ, σ̂[b → fn(v, ρ, c)], b, u
if κ = fn((λx.e), ρ, c) e, ρ[x → b], σ[b → (v, ρ)], c, u
if κ = fn((λx.e), ρ, c) e, ρ[x → b], σ̂ [b → (v, ρ)], c, u
Theorem 2 (Decidability). Membership of ς̂ in CESK*t(e) is decidable.

Proof. The state space of the machine is non-recursive with finite sets at the leaves on the assumption that addresses are finite. Hence reachability is decidable since the abstract state space is finite.

3. ABSTRACT STATE AND CONTROL

We have shown that store-allocated continuations make abstract interpretation of the CESK* machine straightforward. In this section, we want to show that the tight correspondence between concrete and abstract persists after the addition of language features such as conditionals, side effects, and first-class continuations. We tackle each feature, and present the additional machinery required to handle each one. In most cases, the path from a canonical concrete machine to pointer-refined abstraction of the machine is so simple we only show the abstracted system. In doing so, we are arguing that this abstract machine-oriented approach to abstract interpretation represents a flexible and viable framework for building program analyses.

To handle conditionals, we extend the language with a new syntactic form, (if e e e), and introduce a base value #f, representing false. Conditional expressions induce a new continuation form: if(e0′, e1′, ρ, a), which represents the evaluation context E[(if [ ] e0 e1)] where ρ closes e0′ to represent e0, ρ closes e1′ to represent e1, and a is the address of the representation of E.

Side effects are fully amenable to our approach; we introduce Scheme's set! for mutating variables using the (set! x e) syntax. The set! form evaluates its subexpression e and assigns the value to the variable x. Although set! expressions are evaluated for effect, we follow Felleisen et al. and specify set! expressions evaluate to the value of x before it was mutated (p. 166 of Felleisen et al.7). The evaluation context E[(set! x [ ])] is represented by set(a0, a1), where a0 is the address of x's value and a1 is the address of the representation of E.

First-class control is introduced by adding a new base value callcc which reifies the continuation as a new kind of applicable value. Denoted values are extended to include representations of continuations. Since continuations are store-allocated, we choose to represent them by address. When an address is applied, it represents the application of a continuation (reified via callcc) to a value. The continuation at that point is discarded and the applied address is installed as the continuation.

The resulting grammar is

e ∈ Exp = . . . | (if e e e) | (set! x e)
κ ∈ Cont = . . . | if(e, e, ρ, a) | set(a, a)
v ∈ Val = . . . | #f | callcc | a.

We show only the abstract transitions (Figure 6), which result from store-allocating continuations, time-stamping, and abstracting the concrete transitions for conditionals, mutation, and control. The first three machine transitions deal with conditionals; here we follow the Scheme tradition of considering all non-false values as true. The fourth and fifth transitions deal with mutation.

The remaining three transitions deal with first-class control. In the first of these, callcc is being applied to a closure value v. The value v is then "called with the current continuation," i.e., v is applied to a value that represents the continuation at this point. In the second, callcc is being applied to a continuation (address). When this value is applied to the reified continuation, it aborts the current computation, installs itself as the current continuation, and puts the reified continuation "in the hole." Finally, in the third, a continuation is being
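The time-stamped CESK* machine of Section 2.4 together with the conditional and set! forms of Section 3, as an added Python example (not code from the paper; the term and frame encodings are this example's own). It assumes Time = Addr = ℤ with tick = t + 1 and alloc = t as above, starts the clock at t0 = 1 so that alloc never returns the initial continuation address a0 = 0, and leaves callcc out.

```python
# Added example, not code from the paper: a time-stamped CESK* machine for the
# lambda-calculus plus (if e e e) and (set! x e), using this example's own encodings.
# Terms: ('var', x), ('lam', x, e), ('app', e0, e1), ('if', e0, e1, e2), ('set', x, e);
# the base value #f is FALSE. Storables are closures (v, rho) and the frames
# ('mt',), ('ar', e, rho, a), ('fn', v, rho, a), ('if', e1, e2, rho, a), ('set', a0, a).
FALSE = ('false',)

def tick(state):                 # Time = Addr = int: the next time is t + 1
    return state[4] + 1

def alloc(state):                # the current time doubles as the fresh address
    return state[4]

def inject(e, t0=1):             # a0 = 0 holds mt; t0 = 1 keeps alloc away from a0
    return (e, {}, {0: ('mt',)}, 0, t0)

def step(state):                 # one transition (Figure 3 plus if/set!); None when final
    c, rho, sigma, a, t = state
    b, u = alloc(state), tick(state)
    assert b not in sigma, "alloc(state) must return an unused address"
    s2 = dict(sigma)             # copy, so earlier states stay intact
    if c[0] == 'var':            # the env gives an address, the store the closure
        v, rho2 = sigma[rho[c[1]]]
        return (v, rho2, sigma, a, u)
    if c[0] == 'app':            # evaluate the operator; park the operand in an ar frame
        s2[b] = ('ar', c[2], rho, a)
        return (c[1], rho, s2, b, u)
    if c[0] == 'if':             # evaluate the test; park both branches in an if frame
        s2[b] = ('if', c[2], c[3], rho, a)
        return (c[1], rho, s2, b, u)
    if c[0] == 'set':            # evaluate the right-hand side; park x's address
        s2[b] = ('set', rho[c[1]], a)
        return (c[2], rho, s2, b, u)
    kappa = sigma[a]             # c is a value: dispatch on the continuation at a
    if kappa[0] == 'ar':         # operator done; now evaluate the operand
        _, e, rho2, k = kappa
        s2[b] = ('fn', c, rho, k)
        return (e, rho2, s2, b, u)
    if kappa[0] == 'fn':         # operand done; bind the parameter at a fresh address
        _, f, rho2, k = kappa
        s2[b] = (c, rho)
        return (f[2], {**rho2, f[1]: b}, s2, k, u)
    if kappa[0] == 'if':         # Scheme convention: every value but #f counts as true
        _, e1, e2, rho2, k = kappa
        return (e2 if c == FALSE else e1, rho2, sigma, k, u)
    if kappa[0] == 'set':        # mutate x, but yield its value from before the mutation
        _, addr, k = kappa
        old_v, old_rho = sigma[addr]
        s2[addr] = (c, rho)
        return (old_v, old_rho, s2, k, u)
    return None                  # kappa is mt: nothing left to do

def run(e, max_steps=10_000):    # drive inject(e) to a final state: (value, transitions)
    state = inject(e)
    for n in range(max_steps):
        nxt = step(state)
        if nxt is None:
            return state[0], n
        state = nxt
    raise RuntimeError("no final state within max_steps")

ID = ('lam', 'y', ('var', 'y'))  # constructed sample programs follow
# ((lambda (x) (if (set! x #f) (lambda (a) a) x)) (lambda (y) y)): the set! yields
# x's old value, a closure and hence true, so the first branch is taken.
PROG_SET = ('app', ('lam', 'x', ('if', ('set', 'x', FALSE),
                                  ('lam', 'a', ('var', 'a')), ('var', 'x'))), ID)
# (((lambda (x) (lambda (y) x)) (lambda (z) z)) (lambda (w) w)) reduces to (lambda (z) z).
PROG_K = ('app', ('app', ('lam', 'x', ('lam', 'y', ('var', 'x'))),
                  ('lam', 'z', ('var', 'z'))), ('lam', 'w', ('var', 'w')))
```

Every binding and every frame lands at the address equal to the time of the step that created it, so the final store is a complete trace of the run, which is exactly what a bounded abstract alloc would later have to fold together.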
Similarly, in the abstract semantics, continuations are deallocated as soon as they become unreachable, which often corresponds to when they would be popped. We say often, because due to the finiteness of the store, this correspondence cannot always hold. However, this approach gives a good finite approximation to infinitary stack analyses that can always match calls and returns.

5. RELATED WORK

The study of abstract machines for the λ-calculus began with Landin's SECD machine,11 the systematic construction of machines from semantics with Reynolds's definitional interpreters,20 the theory of abstract interpretation with the seminal work of Cousot and Cousot,4 and static analysis of the λ-calculus with Jones's coupling of abstract machines and abstract interpretation.9 All have been active areas of research since their inception, but only recently have well-known abstract machines been connected with abstract interpretation by Midtgaard and Jensen.14, 15 We strengthen the connection by demonstrating a general technique for abstracting abstract machines.

The approximation of abstract machine states for the analysis of higher-order languages goes back to Jones,9 who argued abstractions of regular tree automata could solve the problem of recursive structure in environments. We reinvoked that wisdom to eliminate the recursive structure of continuations by allocating them in the store.

Midtgaard and Jensen present a 0CFA for a CPS language.14 The approach is based on Cousot-style calculational abstract interpretation,3 applied to a functional language. Like the present work, Midtgaard and Jensen start with a known abstract machine for the concrete semantics, the CE machine of Flanagan et al.,8 and employ a reachable-states model. They then compose well-known Galois connections to reveal a 0CFA with reachability in the style of Ayers.1 The CE machine is not sufficient to interpret direct-style programs, so the analysis is specialized to programs in continuation-passing style.

Although our approach is not calculational like Midtgaard and Jensen's, it continues in their vein by applying abstract interpretation to well-known machines, extending the application to direct-style machines to obtain a parameterized family of analyses that accounts for polyvariance.

Static analyzers typically hemorrhage precision in the presence of exceptions and first-class continuations: they jump to the top of the lattice of approximation when these features are encountered. Conversion to continuation- and exception-passing style can handle these features without forcing a dramatic ascent of the lattice of approximation.21 The cost of this conversion, however, is lost knowledge—both approaches obscure static knowledge of stack structure, by desugaring it into syntax.

Might and Shivers introduced the idea of using abstract garbage collection to improve precision and efficiency in flow analysis.16 They develop a garbage collecting abstract machine for a CPS language and prove it correct. We extend abstract garbage collection to direct-style languages interpreted on the CESK machine.

6. CONCLUSIONS AND PERSPECTIVE

We have demonstrated a derivational approach to program analysis that yields novel abstract interpretations of languages with higher-order functions, control, state, and garbage collection. These abstract interpreters are obtained by a straightforward pointer refinement and structural abstraction that bounds the address space, making the abstract semantics safe and computable. The technique allows concrete implementation technology, such as garbage collection, to be imported straightforwardly into that of static analysis, bearing immediate benefits. More generally, an abstract machine based approach to analysis shifts the focus of engineering efforts from the design of complex analytic models such as involved constraint languages back to the design of programming languages and machines, from which analysis can be derived. Finally, our approach uniformly scales up to richer language features such as laziness, stack-inspection, exceptions, and object-orientation. We speculate that store-allocating bindings and continuations is sufficient for a straightforward abstraction of most existing machines.

Looking forward, a semantics-based approach opens new possibilities for design. Context-sensitive analysis can have daunting complexity,24 which we have made efforts to tame,17 but modular program analysis is crucial to overcome the significant cost of precise abstract interpretation. Modularity can be achieved without needing to design clever approximations, but rather by designing modular semantics from which modular analyses follow systematically.23 Likewise, push-down analyses offer infinite state space abstractions with perfect call-return matching while retaining decidability. Our approach expresses this form of abstraction naturally: the store remains bounded, but continuations stay on the stack.

Acknowledgments

We thank Matthias Felleisen, Jan Midtgaard, Sam Tobin-Hochstadt, and Mitchell Wand for discussions, and the anonymous reviewers of ICFP'10 for their close reading and helpful critiques; their comments have improved this paper. Van Horn's work is supported by the National Science Foundation under grant 0937060 to the Computing Research Association for the CIFellow Project. Might's research is based upon work supported by the National Science Foundation under Grant No. 1035658.

References

1. Ayers, A.E. Abstract analysis and optimization of Scheme. PhD thesis, Massachusetts Institute of Technology (1993).
2. Biernacka, M., Danvy, O. A concrete framework for environment machines. ACM Trans. Comput. Logic 9, 1 (2007), 1–30.
3. Cousot, P. The calculational design of a generic abstract interpreter. In M. Broy and R. Steinbrüggen, eds. Calculational System Design. NATO ASI Series F. IOS Press, Amsterdam (1999).
4. Cousot, P., Cousot, R. Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In POPL '77: Proceedings of the 4th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages (New York, 1977), ACM, 238–252.
5. Danvy, O. An analytical approach to program as data objects. DSc thesis, Department of Computer Science, Aarhus University (October, 2006).
6. Danvy, O., Nielsen, L.R. Refocusing in reduction semantics. Research Report BRICS RS-04-26, Department of Computer Science, Aarhus University
Puzzled
Solutions and Sources

Last month (Aug. 2011, p. 120) we posted a trio of brainteasers, including one as yet unsolved, concerning divisibility of numbers. Here, we offer solutions to two of them and a remark about the third. How did you do?

numbers with base-10 representations containing only zeroes and ones, so unless there is some good reason why not, lots of them ought to be multiples of n. But how to prove it?

One clever way was suggested by Muthu Muthukrishnan of Rutgers University: Consider the numbers 1, 11, 111, 1111, etc. up to 111... 1, where the last number has n+1 digits. Call these numbers m1, m2, ..., mn+1. Each has a remainder when divided by n, and two of these remainders must be the same. Why? Because there are n+1 of them but only n values a remainder can take. This is an application of the famous and useful "pigeonhole principle"; that is, if n+1 items are put into n boxes, some box must contain at least two items.

Suppose the two numbers with the same remainder are mi and mj, with i < j. Now subtract the smaller from the larger. The resulting number, mj − mi, consisting of j − i ones followed by i zeroes,

2. Multiples that are Fibonacci numbers.

Solution. Does every n divide some Fibonacci number? Again, since there are infinitely many Fibonacci numbers, it seems plausible that the answer would be "yes." We can tackle it the same way as in the first solution, using remainders mod n.

This time, it makes sense to keep track of remainders mod n for each consecutive pair of Fibonacci numbers. Note, if the remainders are, say, r and s, then the remainders for the next (overlapping) pair of Fibonacci numbers are s and r+s mod n, and the remainders for the previous pair of Fibonacci numbers are r and s−r mod n.

Now try this for n = 7; the remainder pairs are (1,1); (1,2); (2,3); (3,5); (5,1); (1,6); (6,0)... Having hit a zero, you now have our multiple of 7.

How do you know you will eventually hit a zero? It follows from three

m" in American Mathematical Monthly 67 (1960), 525–532.

3. Perfect number m.

Solution. The problem was to determine whether there are any odd perfect numbers, a famously difficult question. But why has it attracted so much attention over the centuries? One possible answer is that the odd-perfect-number problem is an example of looking for ways in which numbers do, or do not, behave randomly. But maybe the best answer is that such a question is like a disease to which some of us are immune and others highly susceptible. You probably know in which category you belong.

Peter Winkler (puzzled@cacm.acm.org) is William Morrill Professor of Mathematics and Computer Science at Dartmouth College, Hanover, NH.

All readers are encouraged to submit prospective puzzles for future columns to puzzled@cacm.acm.org.

September 2011 | Vol. 54 | No. 9 | Communications of the ACM 111
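The two constructions above, as an added Python example that is not part of the column: the pigeonhole search over repunits for the first puzzle and the remainder-pair walk for the second. The bound of n·n steps on the walk is this example's own termination guard (there are only that many distinct pairs), not the column's argument.

```python
# Added example, not part of the column: both constructions made executable.

def zero_one_multiple(n):
    """Positive multiple of n whose decimal digits are all 0 or 1, found as in
    the column: among the repunits m_1 = 1, m_2 = 11, ..., m_{n+1} two share a
    remainder mod n (pigeonhole), and m_j - m_i is then the wanted multiple."""
    seen = {}                            # remainder -> the repunit that produced it
    m = 0
    for _ in range(n + 1):
        m = m * 10 + 1                   # next repunit: one more trailing 1
        r = m % n
        if r == 0:                       # the repunit itself is already a multiple
            return m
        if r in seen:                    # j - i ones followed by i zeroes
            return m - seen[r]
        seen[r] = m
    raise AssertionError("unreachable: n+1 repunits, only n remainder boxes")

def remainder_pairs(n):
    """Consecutive Fibonacci remainders (F_k mod n, F_{k+1} mod n), starting at
    (1, 1), up to and including the first pair whose second entry is 0; for
    n = 7 this is the list the column writes out."""
    pairs = [(1 % n, 1 % n)]
    while pairs[-1][1] != 0:
        if len(pairs) > n * n:           # only n*n distinct pairs exist (example's guard)
            raise RuntimeError("remainder walk did not reach 0")
        r, s = pairs[-1]
        pairs.append((s, (r + s) % n))   # next pair: (s, r+s mod n)
    return pairs

def fibonacci_multiple_index(n):
    """Smallest k >= 1 with n dividing F_k (F_1 = F_2 = 1), read off the walk:
    the last pair is (F_{k-1}, F_k) mod n with F_k = 0 mod n."""
    pairs = remainder_pairs(n)
    if pairs[0][0] == 0:                 # n = 1 already divides F_1
        return 1
    return len(pairs) + 1
```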
last byte

Scaling Up

Eric Brewer talks about infrastructure, connectivity, and computing for developing nations.

The University of California, Berkeley's Eric Brewer has covered a lot of ground in his 20-year career. He was among the earliest to recognize the need for large-scale Web services, building scalable servers with clusters of commodity nodes and laying the foundation for contemporary cloud computing. He co-founded Inktomi, a search engine startup that peaked at $241 per share and $300 million in annual revenue in 2000 before collapsing as clients like Exodus filed for bankruptcy. (It was sold to Yahoo! in 2003.) He has also been deeply involved with Information and Communication Technologies for Development, spearheading projects to bring telemedicine to Indian villages and develop long-distance Wi-Fi networks in rural areas. In May, he began yet another chapter with a two-year assignment at Google, where he is working on developing the company's next-generation infrastructure.

For the past 10 years, you've been involved with a number of computing projects that benefit developing countries. Tell us about your recent work in that domain.

One of the things we're working on is building a low-cost GSM base station that's appropriate for rural villages. Rural connectivity is expensive. Base stations take a lot of power, so you need a big diesel generator. Then you need to bring diesel to the generator, which means you need a road—often, you've got to build it—and you need trucks to bring the diesel to the generator. On top of that, if you're building a road, you probably want to be in a relatively flat area, and you need a very tall tower to get coverage.

The base station we're building takes only roughly 50 watts, which means it can be run on solar or wind power and can be located up on a hill, in a place that has good visibility to villages.

Does it leverage your previous work on low-cost, long-distance Wi-Fi?

Our previous work in solar solutions and long-distance Wi-Fi are both very relevant as they greatly reduce the cost of the power system and backhaul solution; we use long-distance Wi-Fi instead of microwave links to backhaul the traffic into an urban area that has relatively low-cost bandwidth.

less convinced that cellular connectivity is the best solution for rural areas since Wi-Fi is cheaper to implement. The strong urban success of cellular means that many rural folks have phones, even if their village does not have coverage. Some use these phones when in coverage, others use them as FM radios, and still others have them mostly as a status symbol. Nonetheless, the demand for rural cellular is very clear, and the phones are often already there and waiting.

Much of your work is done through Technology and Infrastructure for Emerging Regions, or TIER, a research group you founded at the University of California, Berkeley. How did TIER get started?

The biggest influences on the founding of TIER came out of Inktomi. First, I was traveling quite a bit, and I'd been invited to the World Economic Forum, where I had the privilege of meeting a wide variety of very sharp people from developing nations. Many of these folks were articulate about the problems in their country, and almost all the time my reaction was that technology had a role to play in solving them. And another factor was that Inktomi had done so well that I was, at least on paper, extremely wealthy, and starting to think more seriously about addressing some of these problems. Of course, I don't have that money anymore, so I decided to focus on solutions via research by creating a community within computer science that could address these great challenges.

What's your process for finding new projects?

I tend to prefer infrastructure problems. I like to have at least half of my students working on core infrastructure, things like connectivity and power in particular. I [continued on p. 111]

Photograph by Peter Buranzon