University Homepage School Homepage School Contacts School Search

 

Butler Lampson

Microsoft Research, Redmond

Milner lecture Computer Security in the Real World

Monday 24th May,

3.30pm Swann Theatre, JCMB,

What people want from computer security is to be as secure with computers as they are in the real world. Real-world security is about value, locks, and police. When it works, you get good enough locks (not too many break-ins), good enough police (so break-ins aren't a paying business), and minimum interference with daily life. Computer security is hard because people don't trust new things (especially when they don't understand them), and computers are fast and complicated. The kind of computer break-ins most people care about are vandalism or sabotage that damages information or disrupts service, theft of money or information, and loss of privacy. Some people think that because computers are precise, perfect computer security should be possible. I'll explain why this is wrong, and talk about what kind of security is practical and how to get it.

Computer Systems Research: Past and Future

Tuesday 25th May,

People have been inventing new ideas in computer systems for nearly four decades, usually driven by Moore's law. Many of them have been spectacularly successful: virtual memory, packet networks, objects, relational databases, and graphical user interfaces are a few examples. Other promising ideas have not worked out: capabilities, formal methods, distributed computing, and persistent objects. And the fate of some is still in doubt: parallel computing, RISC, and software reuse. The most important invention of the last decade, the World Wide Web, was not made by computer systems researchers. In the light of all this experience, I will talk about the topics that I think will be exciting to work on in the next few years.

How to Build a Highly Available System without a Toolkit

Tuesday 25th May,

In this talk I will describe the general recipe for building a highly available system and show how to do it efficiently in practice. The idea is to build a replicated state machine. The tricky part is getting all the replicas to agree on the content and order of the inputs. For this you need a general fault-tolerant algorithm for reaching consensus. Two-phase commit uses the simplest possible such algorithm, but I will describe Lamport's "Paxos" algorithm, which is the best one that works without real-time guarantees. Since consensus is expensive, you also need to minimize its use, and you do that with leases, which are locks that time out.

The other theme of the talk is a general method for designing or understanding a complex system, especially a concurrent or fault-tolerant one. Using the Paxos algorithm as the example, I will show you how to write a precise spec for such a system and how to prove that an implementation satisfies the spec. There won't be any formulas in the talk.