You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
To help debugging concurrent programs, one can use a special primitive $\code{\_setProcessDebuggingName}$ that
308
+
takes a string argument and uses that string when reporting errors in the process. By design, there is no mechanism
309
+
for reading the process name other than causing an error; this prevents using process names to leak information.
306
310
307
311
\section{Information flow control}
308
312
\label{sec:infoflow}
@@ -404,16 +408,20 @@ \subsection{Monitoring for information flow}
404
408
we also carry the information about the chosen branch into the type label.
405
409
406
410
\paragraph{Implicit flows and I/O}
407
-
The implicit information flows are further propagated between processes,
408
-
as one can see in this modification of the previous example.
411
+
The implicit information flows are further propagated between processes.
412
+
In the mailbox, each message is additionally tagged with a label that
413
+
corresponds to the blocking level of the sender at the time when the message was sent.
414
+
Troupe supports filtering messages based on these tags.
415
+
In the following example, \code{rcvp} is a form of receive statement that selects messages
416
+
where the pc-tag set to the provided label argument.
409
417
410
418
\begin{lstlisting}
411
419
let val x = 10 raisedTo {secret}
412
420
val p = self()
413
421
val _ = spawn ( fn () => if x > 0
414
422
then send (p, 1)
415
423
else send (p, 0) )
416
-
in receive [ hn x => x ]
424
+
in rcvp ({secret}, [ hn x => x ])
417
425
end
418
426
\end{lstlisting}
419
427
\begin{verbatim}
@@ -565,6 +573,53 @@ \subsubsection{Declassification of the blocking level}
565
573
\code{pinipop} dynamically scope the part of the execution for which the blocking label is declassified.
566
574
567
575
576
+
\subsection{Information flow control with I/O primitives}
577
+
This section may be omitted upon first read as it has a number of information flow subtleties that
578
+
can be omitted when first starting to use the system.
579
+
\subsubsection{Generalized receive and mailbox clearances}
580
+
581
+
I/O operations such as send and receive introduce additional concerns w.r.t.
582
+
information flow control. In particular, because mailbox acts as a mutable state, an extra
583
+
care needs to be taken to control information flows through the mailbox structure.
584
+
585
+
586
+
Every message in a mailbox carries an extra label -- the blocking level of the sender.
587
+
Receiving a value furthermore propagates the taint of the blocking level from the sender to the receiver.
588
+
In order to constrain a receive operation from an accidental raise of the blocking level, Troupe
589
+
provides a general receive primitive in the form
590
+
\code{rcv(lev1,lev2,hns)}. Here, \code{lev1} and \code{lev2}
591
+
indicate the to and from-levels of the pc-tags on the messages, and \code{hns} is the list of
592
+
handlers as before.
593
+
The \code{receive} operation we introduced earlier is equivalent to \code{rcvp}
594
+
at the level of the current pc label.
595
+
596
+
While such a form of general receive over an interval of levels is useful, it is also too powerful
597
+
and needs to be further constrained. Consider the following snippet
598
+
599
+
600
+
\begin{lstlisting}
601
+
let val _ = if (secret) then rcv ({}, {alice}, [hn x => x] else ()
602
+
in val x = rcv ({}, {}, [hn x => x ])
603
+
end
604
+
\end{lstlisting}
605
+
606
+
Because the receive in the high branch is on an interval, the value of \code{x} may
607
+
depend on the secret value. In general, one can encode an entire secret in the structure
608
+
of the mailbox. To prevent such programs, Troupe provides a special notion of \emph{mailbox clearance}
609
+
that constrains receives on an interval. The mailbox clearance is a proxy for an authority.
610
+
It can be raised using a dedicated command \code{raisembox (lev)} that returns a lowering
611
+
capability and lowered with command \code{lowermbox(c, authority)}.
612
+
There are a few constraints related to the mailbox clearance.
613
+
614
+
\begin{enumerate}
615
+
\item In order to receive on an interval $(\ell_1, \ell_2)$ under $\mathit{pc}$
616
+
with mailbox clearance $\ell_{\mathit{clear}}$ it must hold that $\ell_2\sqcup\mathit{pc} \sqsubseteq\ell_1\sqcup\ell_{\mathit{clear}}$.
617
+
This constraint ensures that the mailbox clearance is sufficient for the interval receives. When mailbox clearance is $\bot$ -- as it is in the beginning of the program -- only point intervals of the form $(\ell, \ell)$ where $\mathit{pc} \sqsubseteq\ell$ are allowed.
618
+
619
+
\item The $\mathit{pc}$-label of the program point where the mailbox clearance is raised affects the lower bound of the intervals. In particular, if the clearance is raised when the $\mathit{pc}$ counter is $\mathit{pc}_{\mathit{raise}}$, the mailbox structure cannot be influenced by receives that are not as restrictive as $\mathit{pc}_{\mathit{raise}}$; in other words: $\mathit{pc}_\mathit{raise} \sqsubseteq\mathit{pc} \sqcap\ell_1$, where $\ell_1$ is the lower bound of the interval receive.
620
+
\item If the process mailbox clearance is raised in a branch, it must be lowered back before reaching the join point of the branch.
621
+
\end{enumerate}
622
+
568
623
569
624
570
625
@@ -613,7 +668,16 @@ \subsubsection{Registering and looking up processes}
613
668
end
614
669
\end{lstlisting}
615
670
671
+
\subsubsection{Aliases}
672
+
Aliases is a mechanism that allows us to avoid having hardcoded node identifiers in the source code.
673
+
The alias mechanism operates in the way of the traditional Unix hosts files.
674
+
To use this mechanism, we need to provide the path to a special alias file that contains a mapping between
675
+
alias strings and network identifiers. In the text of the program, an alias string must start with character~"@".
\item [Description] Lowers the clearance of the current process' mailbox.
764
+
\item [Arguments] A tuple of the raise capability and authority
765
+
\item [Returns] Unit.
766
+
\item [Failure behavior] Fails if the type of the argument is invalid (dynamic type checking). Fails if the authority is insufficient for this lowering, or the provided capability does not match the stack scoping discipline.
767
+
\end{description}
768
+
698
769
699
770
\subsubsection{\code{mkuuid}}
700
771
\begin{description}
@@ -775,6 +846,16 @@ \subsubsection{\code{send}}
775
846
\end{description}
776
847
777
848
849
+
\subsubsection{\code{\_setProcessDebuggingName}}
850
+
\begin{description}
851
+
\item [Description] Sets the process name that is used in debugging.
852
+
\item [Argument] A string value.
853
+
\item [Returns] Unit.
854
+
\item [Failure behavior] Fails if the type of the argument is invalid (dynamic type checking).
0 commit comments