Project DescriptionWe propose to develop the theoretical and engineering basis for the trustless disseminationof software. We seek to develop the means to distribute and execute software among literallythousands of networked computers without compromising their integrity, while minimizing the needfor trust among participants and maximizing the usage of their collective computational resources.To make this p ossible, we propose to undertake a comprehensive investigation into the use ofcertifying compilers to produce efficient machine code that is equipped with a checkable certificateof compliance with the security, integrity, and privacy requirements necessary for its safe executionon unknown computers. We propose not only to develop the enabling technology, but also to builda demonstration system that allows developers to deploy, rapidly and reliably, applications thatmake use of the idle computing and storage resources of a network of computers, perhaps spanningthe entire Internet.The general concept of making productive use of idle computational resources has been aroundfor decades. With the advent of the Internet, the sum total of all idle resources is thought to bemany times greater than the fastest supercomputers. Therefore, the prospect of harnessing thispower has attracted an increasing number of researchers, and in recent years some substantialprogress has been made. Many of the early successful applications have been devoted to solvingbasic problems in number theory and cryptography, such as computing the digits of Pi [3, 44],computing the factors of large numbers [53], and finding large primes [15]. In just the last threeyears, however, the range of problems being attacked has been expanding rapidly, to include globalclimate modeling [1], protein folding [42], AIDS drug research [25], the search for extraterrestriallife [57], video animation [21], cancer research [43], and more.Participation by computer users has also been increasing. For example, in 1997 the Searchfor Extraterrestrial Life project created SETI@Home, in the hopes that thousands of computerowners might volunteer their excess CPU cycles. The response has been extremely enthusiastic; inMay of 2000 the SETI@Home project reported that over two million users were actively runningtheir software. This success has sparked a large number of related developments, leading mostrecently to the formation of the Global Grid Forum [16], which is a consortium of researchers anddevelopers intended to foster the development of a world-wide distributed computing fabric. Indeed,interest in this mode of computing has reached the point where several commercial enterprises havelaunched with business models predicated on the ability to harness the Internet’s idle computingcycles [11, 12, 13, 43]. This all seems to happen at an opportune time, as developer demandfor large-scale computing resources is growing, exemplified not only by SETI@Home, but also bysuch projects as the National Virtual Observatory [32], which plans to build a massive database ofastronomical information and requires large-scale parallel computation to achieve its goals.While some researchers and commercial enterprises have successfully used the Internet as a mas-sive computer, significant technical hurdles prevent the full benefits of Internet-scale distributedcomputing to be realized. One set of fundamental problems lies in the nature of distributed com-puting itself, because it is often extremely difficult or even impossible to divide a large computationinto many small pieces in a way that avoids large communication overheads. Interprocess commu-nication is particularly problematic in Internet-scale computing, since many of the volunteeringhosts might have slow or occasional links to the Internet (for example, some hosts might connectonce a day by modem), and any application that depends on rapid and reliable communicationbetween hosts is therefore not likely to work well.We do not propose to develop new algorithmic techniques for building distributed applications,but rather to investigate the means by which a distributed computing fabric might be provided.1Specifically, we propose to investigate the problem of how the components of a distributed applica-tion may be disseminated to as many hosts as possible and with the greatest exploitation of theirresources. In our view a fundamental technical obstacle to achieving this goal is how to establishan appropriate trust relationship between an application developer and the owners of the host com-puters. This trust relationship is crucial for several reasons. Firstly, host owners need to knowbefore any software is installed that their safety and security requirements will be respected by anyapplications that are to be hosted on their computers. Secondly, host owners furthermore requirea measure of protection against invasion of privacy, so that any uses of personal information canbe carefully controlled. Finally, developers must be able to modify and upgrade their applicationsfreely, and as a practical matter, it is important that installing upgrades causes minimal risk andinconvenience for the host owners.1(See the SETI@Home web page [54] for a glimpse into theinconveniences of performing upgrades.)Establishing these trust relationships is especially important for exploiting computing resourceson the network. Since users derive little or no direct benefit from the application software installedon their computers, they may be expected to be especially sensitive to the reliability, security, andmaintainability of the software. Standing in the way of the establishment of the necessary trustrelationships is the fact that the Internet environment simply provides no justification for suchtrust. Malicious application developers abound, and even benign developers are still often unableto produce safe, reliable software. When an application is run for the host’s benefit (as is ordinarilythe case), the host’s owner is typically willing to assume the risks of unreliable software. But if itis to be run for the benefit of others, the host owners should and will demand strong privacy andsecurity guarantees. In other words, for the purposes of exploiting its idle computational power, theInternet is essentially a trustless environment. The fundamental problem, then, is how to generatethe necessary trust in a trustless environment.Today, trust is a matter of faith. Furthermore, in many cases, host owners are forced