1 / 40

AMP Project Status

AMP Project Status. Stephen Schwab TIS Labs at Network Associates March 31, 1999. AMP Project. AMP Overview Exokernel Techniques AMP Security Architecture Work Status. AMP Node OS Project. Goals

gayora
Download Presentation

AMP Project Status

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. AMP Project Status Stephen Schwab TIS Labs at Network Associates March 31, 1999 TIS Labs at Network Associates

  2. AMP Project • AMP Overview • Exokernel Techniques • AMP Security Architecture • Work Status TIS Labs at Network Associates

  3. AMP Node OS Project Goals Provide separation and controlled sharing between EEs and flows on each Active Network node. Support multiple EEs Constrain the execution of Active Code to access those entities for which it has authorization Utilize techniques developed throughout the AN community for safely and securely importing Active Code Implement security mechanisms without compromising performance TIS Labs at Network Associates

  4. Active Networks Framework EE1 EE2 IPv6 Execution Environments MGMT EE Node OS CHANNELS STORAGE SECURITY ENFORCEMENT ENGINE POLICY DATABASE TIS Labs at Network Associates From Calvert, 1998

  5. AMP Node OS Implementation • Exploit new features of a radically different OS architecture: the MIT Exokernel • Exokernels separate concerns: • control of resources kernel • management library OS • Library OS located in address space with each application (in AMP, each EE) TIS Labs at Network Associates

  6. AMP System Architecture PAGE TABLES SWT EE EE FLOWS/ CAPS FLOWS POLICY DATABASE userspace xok SCHEDULER QUEUE CAPS TRANSMISSION QUEUE PACKETFILTER TIS Labs at Network Associates

  7. AMP Project • AMP Overview • Exokernel Techniques • AMP Security Architecture • Work Status TIS Labs at Network Associates

  8. Exokernels • Key Concept -- Expose information • Expose allocation decisions • Expose low-level names • Expose revocation • By allowing applications to directly manage resources, exokernels eliminate the costs that are associated with the mismatch between specific requirements and a general purpose implementation TIS Labs at Network Associates

  9. Xok/LibExos Architecture environment app app Shared State libExos libExos userspace xok SCHEDULER QUEUE PAGE TABLES CAPS PACKETFILTER TIS Labs at Network Associates

  10. Xok Features • Hierarchical Capabilities • Uniform resource protection mechanism • Each Xok Environment has a ring of capabilities associated with it Extensible Tamper-proof Explicitly passed on syscalls C1 dominates C2 1 2 5 C1 1 2 5 1 C2 TIS Labs at Network Associates

  11. Restricted Languages • Dynamic Packet Filter (DPF) • Allows environments to download functions that are compiled into a native code function that makes the packet delivery decision • Wakeup Predicates • Restricted expressions that allow an environment to sleep until a condition holds • Untrusted Deterministic Functions TIS Labs at Network Associates

  12. AMP Project • AMP Overview • Exokernel Techniques • AMP Security Architecture • Work Status TIS Labs at Network Associates

  13. Validator Manager ... AMP Security Architecture Security Writer (SWT) Flow / Thread of Execution 1 6 7 2 Packets arrive and SWT is invoked before code is executed in a flow of control Kernel Resources 3 Resource Access Control Tables 4 Flow Capabilities Access Decision Objects 5 ... ... ... TIS Labs at Network Associates

  14. Security Architecture • Process credentials during flow creation • within the SWT (Node OS Interface) • create and manage capabilities • maintain a cache of previous security decisions • Provide interface to coordinate with EEs • EE specific policy and enforcement • Control primitive resource types: • CPU scheduling, memory, channels TIS Labs at Network Associates

  15. Hierarchical capability mechanism as basic hook for access control techniques Environment mechanisms as foundation for implementing EEs/flows Use of kernel modules for mappings between: flows, capabilities, resources, resource groups, ACLs Use of Existing Xok Techniques TIS Labs at Network Associates

  16. 1. Dataflow of packets to SWT 2. SWT has broad powers of access/update to 3: Flow/Capability Mapping 4: Resource/Group/ACL Mapping 5: ACL as Capability/Resource Mapping 6. Dispatch packet to proper flow 7. Flow accesses resources after access check using capability, mappings, and ACL Use of Xok Techniques in Diagram TIS Labs at Network Associates

  17. SWT: validator cache of credentials and capability previously computed by manager using policy and semantics of credentials Access Decision Object New implementation of ACL Requires clean interface to ACL module May require extension of interface What is New in Diagram TIS Labs at Network Associates

  18. What is Orthogonal to Xok • Efficient implementation of access decision object • Efficient interplay between validator and manager components of SWT • Clever taxonomy of resources • New crypto stuff for dynamic symmetric-cipher credentials in PKI TIS Labs at Network Associates

  19. Control Facilities • Demultiplexing Control Facility • Scheduling Control Facility • Transmission Control Facility • Shared Memory Abstraction • namespace control facility TIS Labs at Network Associates

  20. Demultiplexing Control Facility ANEP TIS Labs at Network Associates

  21. Demultiplexing Control Facility ANEP ANTS1 ANEP TIS Labs at Network Associates

  22. Demultiplexing Control Facility ANEP ANTS1 Flow 47 ACK FlowID = X ANEP ANTS1 ANEP TIS Labs at Network Associates

  23. SWT Capabilities FilterCapability Filter Table ANEP/IP ANEP/UDP/IP ANEP Validate EE = ANTS INIT(ANTS) ANEP.ANTS.FLOW TIS Labs at Network Associates

  24. SWT ANTS Capabilities FilterCapability Top-Level Flow EE Filter Capability Filter Table ANEP/IP ANEP/UDP/IP ANTS1/ANEP... Capabilities Top-Level ANEP Validate EE = ANTS INIT(ANTS) ANEP.ANTS.FLOW TIS Labs at Network Associates

  25. SWT ANTS Capabilities FilterCapability Top-Level Flow EE Filter Capability A B Filter Table ANEP/IP ANEP/UDP/IP ANTS1/ANEP... Capabilities Top-Level ANEP Validate EE = ANTS A B TL INIT(ANTS) ANEP.ANTS.FLOW TIS Labs at Network Associates

  26. SWT ANTS Capabilities FilterCapability Top-Level Flow EE Filter Capability A B Filter Table A1 A2 ANEP/IP ANEP/UDP/IP ANTS1/ANEP... Capabilities Top-Level ANEP Validate EE = ANTS A B TL INIT(ANTS) A1 A2 B A TL ANEP.ANTS.FLOW TIS Labs at Network Associates

  27. Scheduling Control Facility • Xok implements a round-robin queue of scheduled quanta • SWT can restructure/reassign quanta in queue as needed to provide guarantees • Environments are the scheduled entities • Well-behaved environments can clean-up and gracefully yield the CPU TIS Labs at Network Associates

  28. Scheduling in Xok 2. Prologue Executed within Environment 3. Epilogue Executed at end of quantum slice 1. New Quantum Selected 4. Executing Thread -- yield to a thread or environment -- sleep until an event occurs Attributes environment runnable flag wakeup predicate timer ticks in-revocationflag capability list Scheduler Quantums TIS Labs at Network Associates

  29. Transmission Control Facility • Original Xok implementation does not guard the transmit syscall • Need to control • Bandwidth allocation • Requested latency bounds • Strategy: migrate buffers from transmitting flows to control facility TIS Labs at Network Associates

  30. Shared Memory Abstraction • Need to implement some sort of namespace above the virtual memory/page table level • Provide for storage of information that should be sharable between EEs • Options • Linda-style tuple space • In-memory file system • Fully functional persistent file system TIS Labs at Network Associates

  31. AMP Project • AMP Overview • Exokernel Techniques • AMP Security Architecture • Work Status TIS Labs at Network Associates

  32. Work Completed • Exokernel Security Overview Report • PAN port to Exokernel • EE developed at M.I.T. to explore the limits of AN performance • Written in C, defers security issues • Similar structure to ANTS • Node OS Interface WG • First draft TIS Labs at Network Associates

  33. Work-in-progress • AMP Security Architecture Report • Draft version identifying security requirements • PLAN/OCAML port to exokernel • Needed to support FBAR • ANTS/KAFFE port to exokernel • Prelude to supporting TIS Labs SANP variant which requires JDK 1.2 security functions • Performance measurements TIS Labs at Network Associates

  34. Work-in-progress (continued) • DPF Control Facility • Scheduler/Context Switching Experiments • ABONE/ANETD startup activities • preliminary to AMP nodes on the ABONE • Security Interoperability • credential formats, authorization granularity, policy specification, EE/Node OS trust boundary TIS Labs at Network Associates

  35. Upcoming Work • AMP System Design Report • Need to finalize the security requirements and interactions before addressing implementation • SWT and Control Facility Implementation • Node OS Abstractions and Interface • Secure flow creation (authorizations translated into granted capabilities protecting local resources) TIS Labs at Network Associates

  36. Upcoming Work 2 • FBAR Team 6 Demo • Standing up FBAR on two distinct EEs • Definition of policy describing when and by whom separate FBAR instances or users may share state produced by Active Code • Translation of policy into mediation and enforcement by the AMP architecture TIS Labs at Network Associates

  37. Exokernel Research • www.pdos.lcs.mit.edu TIS Labs at Network Associates

  38. Node OS Flow Hierarchy NodeOS Flow2 Flow3 Flow1 InChan InChan InChan OutChan OutChan OutChan MEMORY POOL THREAD POOL Flow4 FlowN InChan InChan OutChan From Peterson, 1998 OutChan TIS Labs at Network Associates

  39. Channels • Abstraction for Network Resources • Generalizes Network I/O device to include: • protocol stack (ANEP/UDP/IP/ETH) • demultiplexing binding (addresses/ports/flow) • other attributes (transmission limits, QoS) • Anchored Channels for Input and Output • Cut-through Channels for fast processing of non-active packets ANEP UDP IP Network interface TIS Labs at Network Associates

  40. Node OS Channels EE Userspace NodeOS OutChannel InChannel CutChannel NETWORK TIS Labs at Network Associates

More Related