UC Irvine

Decentralized systems, that is, distributed systems designed, developed, operated and maintained by more than one authority affect people's lives every day. Representative domains where decentralized systems operate include e-commerce, healthcare, inter-government coordination, emergency response, and electronic trading. Such systems present unique challenges in terms of evolution, adaptation, and security. It is difficult, if not impossible, to coordinate the evolution of a decentralized system as organizations evolve the system's constituent components in response to their potentially independent organizational needs and interests. Security is a major concern since there is no single, uniform perimeter to defend, and it is significantly affected by complex trust relationships, susceptible to change at any point of time; a trusted component can become the epicenter of an "insider attack" if someone takes control over it. Worse still, decentralized systems are the supreme example of systems of systems, therefore, an unintentional mistake or an unexpected error can put at risk the system's integrity and the services offered. At the core of this research study is the concept of capability, an unforgeable reference whose possession confers both the right and authority to perform some action within a system. We hypothesize that capability accounting – tracking the creation, exploitation, and transfer of capabilities – let us obtain insightful information about a system, therefore, help us build, operate and maintain secure decentralized systems. We ground our work in COmputationAl State Transfer (COAST), an architectural style for secure and adaptive decentralized systems that permits and encourages continuous auditing. In COAST, capabilities are first-class architectural elements that regulate and articulate what a computation may do, and when, how, and with whom a computation may communicate. This work presents an assessment of capability accounting within the financial trading domain. It includes a framework that specifies which capability events are to be studied, and the means to represent, capture and examine those events as well as techniques to analyze them. We evaluate the proposed framework and techniques using COast Monitoring Event Tool (COMET), a tool we built for analyzing capabilities, a prototype of an electronic trading system, and various trading computations. We found that capability accounting is a valuable technique to obtain information about a system, and that COAST is very well-suited for this form of measurement.