## Section: Scientific Foundations

### Semantics of mobility and security

Mobility has become an important feature of computing systems and networks, and particularly of distributed systems. Our project is more specifically concerned with mobile code, a logical rather than physical notion of mobility. An important task in this area has been to understand the various constructs that have been proposed to support this style of programming, and to design a corresponding programming model with a precise (that is, formal) semantics.

The models that we have investigated in the past are mainly the π-calculus of Milner and the Mobile Ambients calculus of Cardelli and Gordon. The first one is similar to the λ-calculus, which is recognized as a canonical model for sequential and functional computations. The π-calculus is a model for concurrent activity, and also, to some extent, a model of mobility: π-calculus processes exchange names of communication channels, thus allowing the communication topology to evolve dynamically. The π-calculus contains, up to continuation passing style transforms, the λ-calculus, and this fact establishes its universal computing power. The Mobile Ambient model focuses on the migration concept. It is based on a very general notion of a domain, called an Ambient, in which computations take place. Domains are hierarchically organized, but the nesting of domains inside each other evolves dynamically. Indeed, the computational primitives consist of moving domains inside or outside other domains, and of dissolving domain boundaries. Although this model may look, from a computational point of view, quite simple and limited, it has been shown to be Turing complete. In the past we have studied type systems and reasoning techniques for these models. We have, in particular, used models derived from the π-calculus for the formalization and verification of cryptographic protocols.
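The three ambient primitives described above (moving a domain into another, moving it out, and dissolving a boundary) can be seen in a small interpreter; this is an added example, not code from the project, and it covers capabilities only (no name restriction, replication or communication). The ambient names `agent`, `home`, `server`, `payload` and the enclosing `root` are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(eq=False)            # identity comparison: two ambients may share a name
class Ambient:
    name: str
    threads: list = field(default_factory=list)   # each thread: sequence of (capability, name)
    children: list = field(default_factory=list)  # ambients nested inside this one

def find(ambients, name, skip=None):
    return next((a for a in ambients if a.name == name and a is not skip), None)

def step(parent):
    """Fire one enabled reduction at or below `parent`; return True if one fired."""
    for thread in parent.threads:                 # open n.P | n[Q]  ->  P | Q
        if thread and thread[0][0] == "open":
            target = find(parent.children, thread[0][1])
            if target:
                thread.pop(0)
                parent.children.remove(target)
                parent.threads += target.threads
                parent.children += target.children
                return True
    for child in list(parent.children):
        for thread in child.threads:              # n[in m.P] | m[R]  ->  m[n[P] | R]
            is_in = bool(thread) and thread[0][0] == "in"
            dest = find(parent.children, thread[0][1], skip=child) if is_in else None
            if dest:
                thread.pop(0)
                parent.children.remove(child)
                dest.children.append(child)
                return True
        for inner in child.children:              # m[n[out m.P] | R]  ->  n[P] | m[R]
            for thread in inner.threads:
                if thread and thread[0] == ("out", child.name):
                    thread.pop(0)
                    child.children.remove(inner)
                    parent.children.append(inner)
                    return True
        if step(child):
            return True
    return False

def render(a):
    parts = [".".join(f"{c} {n}" for c, n in t) for t in a.threads if t]
    return f"{a.name}[{' | '.join(parts + [render(c) for c in a.children])}]"

def run(root, limit=100):
    trace = [render(root)]
    while limit and step(root):
        trace.append(render(root)); limit -= 1
    return trace

def demo():     # constructed scenario: an agent leaves home, enters server, is opened there
    agent = Ambient("agent", [[("out", "home"), ("in", "server")]], [Ambient("payload")])
    server = Ambient("server", [[("open", "agent")]])
    return run(Ambient("root", [], [Ambient("home", [], [agent]), server]))
```

The contents of `agent` become part of `server` only because `server` itself runs `open agent`; without that capability the agent stays enclosed in its own boundary after entering.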

We are now studying how to integrate the model of reactive programming, described below, into a "global computing" perspective. This model indeed looks appropriate for a global computing context, since it provides a notion of time-out and reaction, allowing a program to deal with the various kinds of failures (delays, disconnections, etc.) that arise in a global network. We have started the design and implementation of a core programming language that integrates reactive programming and mobile code, in the context of classical functional and imperative programming. In this setting, we use standard techniques to address security issues: for instance, we use type and effect systems to statically ensure the properties of integrity and confidentiality of data manipulated by concurrent programs. We also use static analysis techniques to ensure that the mobile code does not use computational resources beyond fixed limits.