Jon Howell

Practical mobile robot self-localization

A map-making robot integrates accumulated sensor data into a data structure that can be used for future localization or planning operations. Localization is the process of determining the robots location within its environment. This paper describes experiments in which a robot simultaneously makes a map and localizes to that map. The map is a collection of tangent vectors constructed from stored sonar readings localized to a series of estimated poses. The vectors retain sensed surface normal information to improve accuracy. The localization scheme is a Hough transform into a space described by the robots current sonar scan. The Hough transform finds a best fit in the presence of both sporadic sensor noise and discretization error.

A Formal Semantics for SPKI

We extend the logic and semantics of authorization due to Abadi, Lampson, et al. to support restricted delegation. Our formal model provides a simple interpretation for the variety of constructs in the Simple Public Key Infrastructure (SPKI), and lends intuition about possible extensions. We discuss both extensions that our semantics supports and extensions that it cautions against.

Experiments with Desktop Mobile Manipulators

This paper describes our work on Desktop Robotics. The main focus is two robots that locomote and manipulate paper on a desktop. One robot uses wheels for both manipulation and locomotion. The other robot uses wheels for locomotion and a sticky foot to lift and carry pieces of paper. We outline the goals of our work on desktop robotics, describe the design of the robots built so far, present experimental data, and outline some of the issues for future work.

Hey, you got your compiler in my operating system!

Several operating systems projects revolve around moving functionality above or below the kernel red line to increase flexibility or performance. We describe how a general model of partial evaluation encompasses this trend. The operating systems community should not be content with a single interface between applications and the operating system, even if that interface allows extension below the red line; we contend that partial evaluation will be most effective when it is free of that arbitrary static interface. Extending partial evaluation from the language level down to the hardware provides a consistent, global framework for application support.

Restricted delegation: seamlessly spanning administrative boundaries

We have extended Lampsons calculus for access control to model restricted delegation. Basing a security model on a formal semantics and logic helps us understand its subtle consequences. It also suggests consistent extensions that maintain the integrity of the model. Restricted delegation enables flexible administrative boundaries. Conventional systems assume a hierarchy of administrative control, and thus cannot express non-hierarchical trust relationships. Restricted delegation, on the other hand, models real, social relationships. It can model hierarchy: a manager trusts each of his employees in certain ways. Or it can model arbitrary trust graphs. In the example above, the system administrator trusts Alice to manipulate database records about insects. Alice trusts Bob about field observations, so transitively, Bob may create field observation records about insects. Likewise, Bob may trust Charlie to read any of his data, so Charlie is allowed to read the database records on insect field observations. The red arrows represent Charlie making a request of the database server; for it to be granted, Charlies software will supply a proof of his permission that references each of the restricted delegations shown. Quoting principals defer access control decisions to the ultimate resource server. The host does not make per-file access control decisions, it only needs to take care to quote the right user. Hence quoting makes it easier to build such multiplexed resources securely, and helps reduce the size of the trusted computing base. Conjunct principals let us model redundancy. Here, modifying the DNS server requires the agreement of both the CIO and the sysadmin. The webmaster has obtained restricted permission to speak on behalf of both the CIO and the sysadmin, and is therefore trusted to make certain changes to the DNS server. Access Control Logic Lampson, Abadi, et al. s formal semantics for delegation B A SPKI authorization certificates (cryptography) Local and implicit delegations (trusted computing base) Formal semantics for restricted delegation B T A Access Control Implementation we borrow we contribute we contribute we borrow