Specifying and Proving Properties of Guardians for Distributed Systems

In a distributed system where many processors are connected by a network and communicate using message passing, many users can be allowed to access the same facilities. A public utility is usually an expensive or limited resource whose use has to be regulated. A guardian is an abstraction that can be used to regulate the use of resources by scheduling their access, providing protection, and implementing recovery from hardware failures. We present a language construct called a primitive serializer which can be used to express efficient implementations of guardians in a modular fashion. We have developed a proof methodology for proving strong properties of network utilities e.g. the utility is guaranteed to respond to each request which it is sent This proof methodology is illustrated by proving properties of a guardian which manages two hardcopy printing devices. Guardians DRAFT May 1979 I Guardians