Papers by Daniel M Zimmerman

The concept of E2E-VIV (end-to-end verifiable Internet voting) is decades old. However, most of the required computer science and engineering techniques were impractical or impossible before recent advances. Designing and building an E2E-VIV system in the face of enormous security threats remains a significant challenge. Internet voting must be end-to-end verifiable. It must also be secure, usable, and transparent. End-to-end verifiability, security, usability, and transparency are only four of many important requirements. This report contains the most complete set of requirements to date that must be satisfied by any Internet voting system used in public elections. Security is a critical requirement for Internet voting, and also one of the most challenging. An Internet voting system must guarantee the integrity of election data and keep voters' personal information safe. The system must resist large-scale coordinated attacks, both on its own infrastructure and on individual voters' computers. It must also guarantee vote privacy and allow only eligible voters to vote. Nearly all E2E-VIV protocols designed to date focus on security at the expense of usability. Election officials and voters will not adopt a secure but unusable system. Cryptographers have started to recognize usability as a primary requirement when designing new protocols, and usability is a serious challenge that any future work in this area must address. Any public Internet voting system must be usable and accessible to voters with disabilities. It is not enough for election results to be correct. To be worthy of public trust, an election process must give voters and observers compelling evidence that allows them to check for themselves that the election result is correct and the election was conducted properly.
Open public review of the entire election system and its operation, including all documentation, source code, and system logs, is a critical part of that evidence. In an end-to-end verifiable system, voters can:
- check that the system recorded their votes correctly,
- check that the system included their votes in the final tally, and
- count the recorded votes and double-check the announced outcome of the election.
The five key recommendations of this report are:
1. Any public elections conducted over the Internet must be end-to-end verifiable.
2. No Internet voting system of any kind should be used for public elections before end-to-end verifiable in-person voting systems have been widely deployed and experience has been gained from their use.
3. End-to-end verifiable systems must be designed, constructed, verified, certified, operated, and supported according to the most rigorous engineering requirements of mission- and safety-critical systems.
4. E2E-VIV systems must be usable and accessible.
5. Many challenges remain in building a usable, reliable, and secure E2E-VIV system. They must be overcome before using Internet voting for public elections. Research and development efforts toward overcoming those challenges should continue.
It is currently unclear whether it is possible to construct an E2E-VIV system that fulfills the set of requirements contained in this report. Solving the remaining challenges, however, would have enormous impact on the world.
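The three voter checks listed above (recorded, included, recountable) can be made concrete with a commit-and-open bulletin board. The following is an added example, not code from the report or from any E2E-VIV system: every ballot is published as a hash commitment at cast time, the server opens all ballots after the polls close, and anyone can check that the opened ballots match the commitments and recount them. It models only verifiability. The server here learns every vote, so it gives none of the privacy, coercion resistance or eligibility guarantees the report also requires; those are exactly the parts that need real cryptography (mixnets or homomorphic tallying) and are the reason the report calls the problem unsolved. Candidate names and the tampering scenario are constructed for the example.

```python
"""Commit-and-open bulletin board illustrating the three public checks an
end-to-end verifiable election lets voters and observers make. Added example,
not code from the report: it models only verifiability. Vote privacy against
the server, coercion resistance and eligibility are deliberately left out."""
import hashlib
import os
import random
from collections import Counter


def commit(vote: str, nonce: bytes) -> str:
    """Hiding and binding commitment to one ballot: SHA-256(nonce || vote)."""
    return hashlib.sha256(nonce + vote.encode()).hexdigest()


class BulletinBoard:
    """Append-only public record that observers mirror and compare."""

    def __init__(self) -> None:
        self.commitments: list[str] = []           # one per cast ballot
        self.opened: list[tuple[str, bytes]] = []  # (vote, nonce), after close


class VotingServer:
    """The server learns every vote (hence 'not private'); what it cannot do
    undetected is drop, alter or add ballots after publishing commitments."""

    def __init__(self, board: BulletinBoard) -> None:
        self.board = board
        self._ballots: list[tuple[str, bytes]] = []

    def cast(self, vote: str) -> tuple[str, bytes]:
        nonce = os.urandom(16)
        c = commit(vote, nonce)
        self.board.commitments.append(c)
        self._ballots.append((vote, nonce))
        return c, nonce  # receipt the voter keeps

    def close(self) -> None:
        opened = list(self._ballots)
        random.shuffle(opened)  # only breaks the position-to-voter link
        self.board.opened = opened


# Checks anyone can run from the public board plus (for voters) a receipt.
def recorded_correctly(board: BulletinBoard, receipt, vote: str) -> bool:
    c, nonce = receipt
    return c in board.commitments and commit(vote, nonce) == c


def included_in_tally(board: BulletinBoard, receipt) -> bool:
    c, _ = receipt
    return any(commit(v, n) == c for v, n in board.opened)


def recount(board: BulletinBoard):
    """Independent tally; None if the opened ballots do not match the
    published commitments exactly (as a multiset)."""
    if Counter(commit(v, n) for v, n in board.opened) != Counter(board.commitments):
        return None
    return Counter(v for v, _ in board.opened)


def run_election(votes, tamper: bool = False):
    """Cast, close and audit a constructed election. With tamper=True a
    dishonest server changes one opened ballot from 'bob' to 'alice'; it
    cannot re-commit, so both the voter and the public recount notice."""
    board = BulletinBoard()
    server = VotingServer(board)
    receipts = [(v, server.cast(v)) for v in votes]
    server.close()
    if tamper:
        i = next(k for k, (v, _) in enumerate(board.opened) if v == "bob")
        board.opened[i] = ("alice", board.opened[i][1])
    voters_ok = all(recorded_correctly(board, r, v) and included_in_tally(board, r)
                    for v, r in receipts)
    return voters_ok, recount(board)


if __name__ == "__main__":
    print(run_election(["alice", "bob", "alice", "carol"]))
    print(run_election(["alice", "bob", "alice", "carol"], tamper=True))
```

The point of the tamper case is that the audit needs no trust in the server: the altered ballot fails the voter's own inclusion check and the multiset comparison in `recount`, so a wrong announced outcome is caught from public data alone.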

Thank you to my advisor, Professor K. Mani Chandy, for giving me lots of help and support and displaying remarkable understanding through the various incarnations of and delays in my M.S. work. The members of my research group (Joseph Kiniry, Adam Rifkin, Paul Sivilotti, John Thornley, Eve Schooler, and Roman Ginis) have also given me useful advice and commentary, and have been generally helpful in the work leading up to this thesis. I must also acknowledge my good friends Guillaume Lessard, Gustavo Joseph, and Brian Muzas, who have provided distraction, support and sanity checking (of both my thesis and myself, in no particular order) over the past year or two and will hopefully continue to do so in the future. Finally, thank you to my parents, my brothers, and everyone else who, while not knowing quite what I was working on, still demanded regular progress updates and thus compelled me to make regular progress.

In recent years, several Grand Challenges (GCs) of computing have been identified and expounded upon by various professional organizations in the U.S. and England. These GCs are typically very difficult problems that will take many hundreds, or perhaps thousands, of man-years to solve. Researchers involved in identifying these problems are not going to solve them. That task will fall to our students, and our students' students. Unfortunately for GC6, the Grand Challenge focusing on Dependable Systems Evolution, interest in formal methods—both by students and within computer science faculties—falls every year and any mention of mathematics in the classroom seems to frighten students away. So the question is: How do we attract new students in computing to the area of dependable software systems? Over the past several years at three universities we have experimented with the use of computer games as a target domain for software engineering project courses that focus on reliable s...
We describe Dynamic UNITY, a new formalism for the specification of dynamic distributed systems based on the UNITY formalism. This formalism allows for the specification and proof of systems where processes may be created and destroyed, and where communication links among processes may change. It also introduces asynchronous messaging as a primitive construct, to facilitate the composition of multiple programs into a larger system. We also present an example Dynamic UNITY system that illustrates the dynamic aspects of the new formalism, and outline a correctness proof for the example.
19th IEEE International Parallel and Distributed Processing Symposium
This paper describes a parallel algorithm for correlating or "fusing" streams of data from sensors and other sources of information. The algorithm is useful for applications where composite conditions over multiple data streams must be detected rapidly, such as intrusion detection or crisis management. The implementation of this algorithm on a multithreaded system and the performance of this implementation are also briefly described.

2006 7th IEEE/ACM International Conference on Grid Computing, 2006
Monitoring and correlation of streaming data from multiple sources is becoming increasingly important in many application areas. Example applications include automated commodities trading, medical monitoring, and the detection of security threats such as biological and chemical weapons. Such monitoring and correlation applications are ideal for deployment on distributed computing grids, because they have high transaction throughput, require low latency, and can be partitioned into sets of small communicating computations with regular communication patterns. An important consideration in these applications is the need to ensure that, at any given time, computations are carried out on an accurate, or at least close to accurate, picture of the environment being monitored. One way of doing this, which we call "snapshot processing", is to treat collections of events that occur at approximately the same time as representing a global snapshot, a valid state, of the environment. Computation on the resulting series of snapshots is much like computation on a real-time video of the entire environment. This paper describes the concept of snapshot processing and explores algorithms for scheduling computations in shared-memory multiprocessors and distributed computing grids to perform snapshot processing on streaming data. The algorithms use concepts, such as null messages, from distributed simulation to improve their efficiency. Quantitative simulation results for multiple snapshot processing algorithms are presented.
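The two abstracts above (the fusion algorithm for composite conditions such as intrusion detection, and snapshot processing with null messages) share one mechanism worth seeing in code: a window over several streams can only be declared a consistent snapshot once every stream has promised it has nothing older to deliver, and a stream that happens to be quiet makes that promise with a null message. The following is an added example, not the papers' algorithm: the scheduler, the three streams, the window width and the composite "failed login plus outbound connection from the same host" condition are this example's own assumptions, and the message trace is constructed. Per-stream FIFO delivery is assumed, as in null-message-based distributed simulation.

```python
"""Snapshot processing over several event streams, closed by null messages.
Added example, not the paper's algorithm: the scheduler, the streams and the
composite intrusion condition are this example's own assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Msg:
    time: float
    stream: str
    payload: Optional[dict]  # None marks a null message: "nothing before `time`"


class SnapshotScheduler:
    """Groups events into consecutive windows of `width` time units. A window
    [start, start + width) closes only when every stream has promised, via an
    event or a null message, that it has no further events before its end.
    Messages on each stream are assumed to arrive in time order (FIFO)."""

    def __init__(self, streams, width: float) -> None:
        self.width = width
        self.lower_bound = {s: 0.0 for s in streams}  # per-stream time promise
        self.pending: list[Msg] = []
        self.window_start = 0.0

    def feed(self, msg: Msg) -> list[tuple[float, list[Msg]]]:
        """Advance the stream's promise, buffer real events, and return any
        windows that became complete as (window_start, events) pairs."""
        self.lower_bound[msg.stream] = max(self.lower_bound[msg.stream], msg.time)
        if msg.payload is not None:
            self.pending.append(msg)
        closed = []
        while min(self.lower_bound.values()) >= self.window_start + self.width:
            end = self.window_start + self.width
            snapshot = [m for m in self.pending if m.time < end]
            self.pending = [m for m in self.pending if m.time >= end]
            closed.append((self.window_start, snapshot))
            self.window_start = end
        return closed


def composite_alert(snapshot: list[Msg]) -> list[str]:
    """Composite condition across two streams: a host with a failed login on
    the auth stream and an outbound connection on the net stream inside one
    snapshot. Evaluated on a consistent picture, not on arrival order."""
    failed = {m.payload["host"] for m in snapshot
              if m.stream == "auth" and m.payload["event"] == "login_failed"}
    outbound = {m.payload["host"] for m in snapshot
                if m.stream == "net" and m.payload["event"] == "outbound"}
    return sorted(failed & outbound)


def run_demo():
    """Constructed message trace. The 'sensor' stream is silent for a long
    time; without its null message the first window could never close, even
    though the auth and net streams have long since moved past it."""
    sched = SnapshotScheduler(("auth", "net", "sensor"), width=10.0)
    trace = [
        Msg(1.0, "auth", {"host": "h1", "event": "login_failed"}),
        Msg(3.0, "net", {"host": "h1", "event": "outbound"}),
        Msg(12.0, "auth", {"host": "h2", "event": "login_failed"}),
        Msg(11.0, "net", {"host": "h2", "event": "outbound"}),
    ]
    closed = [w for m in trace for w in sched.feed(m)]
    closed_before_null = len(closed)                 # sensor has not spoken yet
    closed += sched.feed(Msg(15.0, "sensor", None))  # null message unblocks [0, 10)
    for m in (Msg(20.0, "auth", None), Msg(20.0, "net", None),
              Msg(25.0, "sensor", None)):
        closed += sched.feed(m)                      # now [10, 20) closes too
    return closed_before_null, [(start, composite_alert(s)) for start, s in closed]


if __name__ == "__main__":
    print(run_demo())
```

The trade-off the abstract alludes to is visible here: the scheduler never evaluates a condition on a partial picture, but a silent source holds every downstream computation hostage until it sends a null message, which is why the frequency of those messages matters for latency.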
Lecture Notes in Computer Science, 2003
In this paper we describe the implementation of the UNITY formalism as an extension of general-purpose languages and show its translation to C abstract syntax using Phobos, our generic front-end in the Mojave compiler. Phobos uses term rewriting to define the syntax and semantics of programming languages, and automates their translation to an internal compiler representation. Furthermore, it provides access to formal reasoning capabilities using the integrated MetaPRL theorem prover, through which advanced optimizations and transformations can be implemented or formal proofs derived.

Lecture Notes in Computer Science, 2011
Designing unit test suites for object-oriented systems is a painstaking, repetitive, and error-prone task, and significant research has been devoted to the automatic generation of test suites. One method for generating unit tests is to use formal class and method specifications as test oracles and automatically run them with developer-provided data values; for Java code with formal specifications written in the Java Modeling Language, this method is embodied in the JMLUnit tool and the JUnit testing framework on which it is based. While JMLUnit can provide reasonable test coverage when used by a skilled developer, it suffers from several shortcomings including excessive memory utilization during testing and the need to manually write significant amounts of code to generate non-primitive test data objects. In this paper we describe JML-UnitNG, a TestNG-based successor to JMLUnit that can automatically generate and execute millions of tests, using supplied test data of only primitive types, without consuming excessive amounts of memory. We also present a comparison of test coverage between JMLUnitNG and the original JMLUnit.

2006 10th IEEE International Enterprise Distributed Object Computing Conference (EDOC'06), 2006
The availability of streaming event data, from sources ranging from sensors and RFID tags to commodity exchanges and wire services, is growing rapidly. It is becoming increasingly important for enterprises to build applications that use this data to detect and react to potential threats and opportunities ("critical states"). These "stream applications" analyze events from many different sources and of many different forms (numerical, textual, and visual) to determine when a critical state exists and what the appropriate response should be. Stream applications allow the enterprise computing system to act as an "information factory"; just as industrial factories create value by transforming raw materials into finished products, information factories create value by transforming raw events into structured data. This transformation can take considerable computational resources, so it is important both to design efficient and reliable algorithms and to make the best possible use of the available computing infrastructure when executing these algorithms. This paper explores design considerations for stream applications and methods for deploying stream applications on enterprise computing systems to maximize economic efficiency. Both theoretical and quantitative results are presented.

2011 24th IEEE-CS Conference on Software Engineering Education and Training (CSEE&T), 2011
Providing useful feedback to students about both the functional correctness and the internal structure of their submissions is the most labor-intensive part of teaching programming courses. The former can be automated through test scripts and other similar mechanisms; however, the latter typically requires a detailed inspection of the submitted code. This paper introduces AutoGradeMe [1], a tool that automates much (but not all) of the work required to grade the internal structure of a student submission in the Java programming language. It integrates with the Eclipse IDE and multiple third-party plug-ins to provide instructors with an easy-to-use grading environment. More importantly, unlike other automatic grading tools currently in use, it gives students continuous feedback about their work during the development process.
[1] We originally named the tool AutoGrader; however, we modified the name after discovering that another Java-based tool of the same name had already been released.

2009 Ninth International Conference on Quality Software, 2009
Design by Contract (DBC) is an oft-cited, but rarely followed, programming practice that focuses on writing formal specifications first, and writing program code that fulfills those specifications second. The development of static analysis tools over the past several years has made it possible to fully embrace DBC in Java systems by writing, type checking, and consistency checking rich behavioral specifications for Java before writing any program code. This paper discusses a DBC-based, verification-centric software development process for Java that integrates the Business Object Notation (BON), the Java Modeling Language, and several associated tools including the BON compiler BONC, the ESC/Java2 static checker, a runtime assertion checker, and a specification-based unit test generator. This verification-centric process, reinforced by its rich open source tool support, is one of the most advanced, concrete, open, practical, and usable processes available today for rigorously designing and developing software systems.
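Both the JMLUnit / JML-UnitNG abstract above and this DBC process abstract rest on the same idea: a method's formal specification doubles as the test oracle, and a test generator only has to supply data values. The following is an added example written for this page in Python rather than Java, not code from JMLUnit, JML-UnitNG or the tools named above: a `contract` decorator stands in for JML `requires` / `ensures` clauses plus the runtime assertion checker, and `run_spec_tests` crosses the developer-supplied primitive values the way those tools do, treating precondition failures as meaningless tests rather than bugs. The function under test, its buggy twin and the data values are this example's own.

```python
"""Specification-as-oracle testing in the JMLUnit style, in Python. Added
example, not the JMLUnit or JML-UnitNG code: a @contract decorator stands in
for JML's requires/ensures clauses and runtime assertion checker, and
run_spec_tests crosses the supplied primitive data values the way those tools
do. The functions under test and their data values are this example's own."""
import functools
import itertools


class PreconditionViolation(Exception):
    """Caller broke the contract: the test is meaningless, not a bug."""


class PostconditionViolation(Exception):
    """Implementation broke the contract: a real bug."""


def contract(requires=None, ensures=None):
    """requires(*args) -> bool; ensures(*args, result) -> bool."""
    def deco(fn):
        @functools.wraps(fn)
        def wrapper(*args):
            if requires is not None and not requires(*args):
                raise PreconditionViolation(fn.__name__)
            result = fn(*args)
            if ensures is not None and not ensures(*args, result):
                raise PostconditionViolation(fn.__name__)
            return result
        return wrapper
    return deco


# Spec (the JML equivalent would be requires/ensures clauses on the method):
# the first n bytes of buf, defined only for 0 <= n <= len(buf).
def prefix_requires(buf, n):
    return 0 <= n <= len(buf)


def prefix_ensures(buf, n, out):
    return len(out) == n and out == buf[:n]


@contract(requires=prefix_requires, ensures=prefix_ensures)
def take_prefix(buf: bytes, n: int) -> bytes:
    return buf[:n]


@contract(requires=prefix_requires, ensures=prefix_ensures)
def take_prefix_buggy(buf: bytes, n: int) -> bytes:
    return buf[: n + 1]  # off-by-one; the postcondition is the oracle that catches it


def run_spec_tests(fn, *domains):
    """Run fn on the cross product of the supplied data values. Precondition
    failures are skipped as meaningless (what JMLUnit does), postcondition
    failures count as test failures. Returns the tallies."""
    stats = {"passed": 0, "meaningless": 0, "failed": 0}
    for args in itertools.product(*domains):
        try:
            fn(*args)
            stats["passed"] += 1
        except PreconditionViolation:
            stats["meaningless"] += 1
        except PostconditionViolation:
            stats["failed"] += 1
    return stats


# Developer-supplied primitive data values (constructed for the example).
BUFS = [b"", b"ab", b"abcd"]
NS = [-1, 0, 1, 2, 4]

if __name__ == "__main__":
    print(run_spec_tests(take_prefix, BUFS, NS))         # 8 passed, 7 meaningless
    print(run_spec_tests(take_prefix_buggy, BUFS, NS))   # 3 passed, 5 failed
```

Note what the spec does and does not buy: the precondition screens out the negative and too-large `n` values before they reach the implementation, so they are counted as meaningless rather than as crashes, while the postcondition catches the length bug without anyone having written an expected value by hand. The memory problem the JML-UnitNG abstract mentions comes from materialising every combination as a test object up front; iterating lazily over `itertools.product`, as above, is the Python analogue of the fix.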
Parallel Computing, 1998
Hawaii International Conference on System Sciences, 2009
This paper discusses the design and implementation of a Service Generator Toolkit (SGT) that allows Web services researchers to easily create large numbers of Web services. When developing a Web services tool, such as a service broker, it is necessary to obtain a large collection of Web services for testing and benchmarking purposes. Since it is difficult to manually create

IEEE Internet Computing, 1997
Several companies riding the current wave of popularity of Java want to let you play in the mobile agent sandbox. Each claims that mobile agent technologies are going to change the way we live and work, and each wants to be the company that provides the breakthrough system we all end up using. What do these agent systems actually do and, more importantly, what distinguishes one agent system from another? To help answer these questions, we downloaded three of the leading commercial systems (General Magic's Odyssey, IBM's Aglets, and ObjectSpace's Voyager) and looked at issues such as ease of installation, feature set, documentation, and cost. We also discuss new capabilities of Java 1.1 that show promise as simple yet powerful means to create mobile agent systems. We conclude with a brief look at the ways in which mobile agents are currently being used and the limitations of today's technologies. The current explosion of interest in mobile agent systems is due almost entirely to the widespread adoption of Java. As recently as three years ago, only a few mobile agent systems were under development, based primarily on research languages like Tcl, Scheme, Obliq, and Rosette. Only one system was commercially available, Telescript from General Magic. Java has changed all that. During the past year over a dozen Java-based agent systems have been announced for developers to choose
UberNet: The Infospheres Network Layer User Guide
Computer, Feb 11, 1998
UberNet, its specification, implementation and documentation are Copyright (c) 1997-98, California Institute of Technology. All rights are reserved. This work is supported in part by the Air Force Office of Scientific Research under grant AFOSR F49620-94-1-0244, by the CISE directorate of the National Science Foundation under Problem Solving Environments grant CCR-9527130, by the Center for Research in Parallel Computing under grant NSF CCR-9120008, by Parasoft and Novell Corporation, and by an NSF Graduate Research ...
II: The Infospheres Infrastructure User Guide
Computer, Jan 23, 1998
Welcome! This is the README and User Guide introduction for the Infospheres Infrastructure, release 1.0. This final release has been through six release levels (alpha0, alpha1, beta1, beta2, beta3, fc) so we believe that it is pretty solid now. The Caltech Infospheres Infrastructure (II) is a distributed system framework that provides:
Infospheres distributed object system
A distributed system framework and a distributed system architecture that includes three features: it can accommodate a large number of addressable entities, it is possible to connect any arbitrary group of entities together into a virtual network, and the infrastructure supports large numbers of concurrent virtual networks. In one aspect, the invention includes a distributed system framework for a networked environment, including a plurality of process objects, each process object including: a program method for creating at least one inbox ...
The nonterminal java-literal represents Java literals which are taken without change from Java [Gosling-Joy-Steele96]. Various authors refer to "model types" when they really mean "types with modifier pure that are used for modeling." Such a usage is contrary to JML's notion of a type with a model modifier. The following is the syntax of modifiers.

Lecture Notes in Computer Science, 2012
Formal specifications of standard libraries are necessary when statically verifying software that uses those libraries. Library specifications must be both correct, accurately reflecting library behavior, and useful, describing library behavior in sufficient detail to allow static verification of client programs. Specification and verification researchers regularly face the question of whether the library specifications we use are correct and useful, and we have collectively provided no good answers. Over the past few years we have created and refined a software engineering process, which we call the Formal CTD Process (FCTD), to address this problem. Although FCTD is primarily targeted toward those who write Java libraries (or specifications for existing Java libraries) using the Java Modeling Language (JML), its techniques are broadly applicable. The key to FCTD is its novel usage of library conformance test suites. Rather than executing the conformance tests, FCTD uses them to measure the correctness and utility of specifications through static verification. FCTD is beginning to see significant use within the JML community and is the cornerstone process of the JML Spec-a-thons, meetings that bring JML researchers and practitioners together for intensive specification writing sessions. This article describes the Formal CTD Process, its use in small case studies, and its broad application to the standard Java class library.