520 likes | 635 Views
Janos Project: FY 2001. Jay Lepreau Flux Research Group University of Utah June 5, 2001. The Main Players. Pat Tullmann Godmar Back Mike Hibler Wilson Hsieh Rob Ricci Tim Stack. Outline. Java OS Work Moab / NodeOS API work Team 3 Demo ANTS EE A Killer Application?!
E N D
Janos Project: FY 2001 Jay Lepreau Flux Research Group University of Utah June 5, 2001
The Main Players • Pat Tullmann • Godmar Back • Mike Hibler • Wilson Hsieh • Rob Ricci • Tim Stack
Outline • Java OS Work • Moab / NodeOS API work • Team 3 Demo • ANTS EE • A Killer Application?! • Failures, Achievements
Janos Project Goals • Resource Control & security of a local node in an Active Network • First-class, OS-style control over Java “applications” • Separately useful components • NodeOS, JVM, EE, etc. • Open Source
Research Goals I • Combine OS + Language • Merge OS principles and Java typesafety to create a real Java OS • Explore which features of Java apply in an OS context • Explore which OS features map appropriately into a Java OS
Research Goals II • Apply Java OS to the AN domain • Leverage AN domain’s constraints • Can we safely expose low-level network aspects? • Can safe code go fast?
A “Java operating system” is... • An enhanced JVM that provides OS functions to multiple Java “programs” within it • Features: • Separation • Resource management • Sometimes: direct sharing • Architectural abstractions taken from OS • User/kernel boundary, processes, etc. • Mechanisms taken from garbage collection
App1 App2 App3 JVM JVM JVM Base OS Previous Options App1 App2 App3 • Multiple apps in one JVM • One app per JVM in different OS processes JVM Base OS
“Java Operating System” + Good separation + Good resource management + Allows some direct sharing App1 App2 App3 App4 Java OS Java OS Base OS
AA AA AA EE ANTS2 JanosVM: A JVM with resource management JanosVM Moab: An OSKit-based NodeOS Moab Janos Architecture Hardware (Or Unix)
Software Specifics • Build NodeOS in C that exposes low-level network features: Moab • Optimized for a single, trusted EE • Provide the NodeOS API in Java: Janos Java NodeOS • Works with JDK1.x or JanosVM • Provide a JVM for building a Java OS: JanosVM • Make ANTS multi-domain and resource-aware: ANTS2.0
FY 2001 Progress • Java OS Work • Moab / NodeOS API work • Team 3 Demo • ANTS EE • An Application! • Failures, Achievements
Java OS Work • Ph.D. on Java Operating Systems • Godmar Back - June 12, 2001 • Designed, built and released JanosVM • Evolution of KaffeOS to provide key building block for a Java OS • Sun JSR-121 Expert Group • “Isolate” : first step in multiprocess support in Sun’s JDK • Utah representation
JanosVM • Virtual Machine for Java bytecodes • Usual JVM features: JIT, GC, etc. • Multiprocess support • Designed as foundation for Java OS • Exports primitives to build efficient Java OS • Customized by trusted runtime Java OS { Custom JavaOS Runtime JanosVM
JanosVM • Virtual Machine for Java bytecodes • Usual JVM features: JIT, GC, etc. • Designed as foundation for Java OS • Exports primitives to build efficient, targeted Java OS Janos { Java Nodeos + ANTS2.0 JanosVM
JanosVM • Virtual Machine for Java bytecodes • Usual JVM features: JIT, GC, etc. • Designed as foundation for Java OS • Exports primitives to build efficient, targeted Java OS JSR-121 { “Isolate” support JanosVM
FY 2001 Progress • Java OS Work • Moab / NodeOS API work • Team 3 Demo • ANTS EE • An Application! • Failures, Achievements
Moab / NodeOS API • Joint NodeOS paper • Pluggable CPU & network schedulers • Click in Moab: fine-grained control over cut-through channels • More: • NodeOS API refinement, polling vs. interrupts, SNMP support, filesys support, ...
FY 2001 Progress • Java OS Work • Moab / NodeOS API work • Team 3 Demo • ANTS EE • An Application! • Failures, Achievements
Team 3 Demo • Built an IP router • in Java • on the Janos Java NodeOS bindings • on JanosVM • on Moab • on the bare hardware • Demonstrated • CPU controls, network bandwidth controls, and memory controls over Java apps • Inter-operated with 3 other projects
FY 2001 Progress • Java OS Work • Moab / NodeOS API work • Team 3 Demo • ANTS EE • An Application! • Failures, Achievements
ANTS EE • Completed per-domain separation in ANTSR • With UW, evolved and released ANTS2.0 from ANTSR and ANTS1.3, plus: • New security infrastructure • Improved ABONE / ANETD support
FY 2001 Progress • Java OS Work • Moab / NodeOS API work • Team 3 Demo • ANTS EE • Branching Out • Tangible Goods • Failures, Acheivements
Branching Out • emulab.net - Utah Network Testbed • 200 machines, lots of tools • Real users: 70% dist sys, 30% networking • Developed / tested our Team 3 demo setup, all our AN experiments • Paper under review • A killer application?!
Quote “We had a little bit of a problem with applications.” - Sandy Murphy, 4 June 2001
Key Ideas • Censor-resistant (p2p) publishing is a compelling and feasible application of active networking • …through on-demand, rapid, decentralized,diversification of the hop-by-hop protocol (manually, by people) We prototyped this in Freenet
Active Networking’s Biggest Problem • Demand: no killer app Inherent problem, by definition! The space of AN protocols is interesting, not any given protocol But… a good match for censor-resistant networks
Censor-Resistant Networks • Goals • Make intentional deletion or denial of access infeasible or difficult • Often: Anonymity • Usually: overlay network • An example: Freenet
Some Problems Facing CRNs • CRN traffic may be identifiable • Static set of protocols a weakness • Mere membership may be incriminating • Only identification may be necessary, not eavesdropping • Last link vulnerable: mercy of ISP • Users on restricted networks cannot participate • But special techniques can get traffic through firewalls, proxies, etc.
Agile Protocols • Use active networking techniques for replacement of single-hop protocols • Completely decentralized • Any node (person) can create a new protocol & pass to its peer • Rapid response time to censorship • Nodes can customize for their environment • Unbounded set of protocols • Attacker cannot even know what percentage of set they have discovered
Protocol Examples • Disguise and tunnel, eg through SMTP, HTTP • Port-hopping… randomly • Port-smearing (~spread spectrum) • Bounce thru 3rd host • Steganography • …even better in wireless domain: physical & link level
Protecting Local Node’s Integrity, Privacy, and Availability • Threat model like Java applet, but worse for privacy • node state: cache contents, neighbor list, IP addr, username, … • message itself • Integrity and privacy: std type-safety and namespace isolation • Resource attacks: resource-managing JVM [OSDI’00, ...]
Publishing-specific DoS Attacks • Same general issues as malicious nodes • Failure (total or intermittent) • Either malicious or unintentional • Heuristic approach: rate Protocol Objects • Ratings based on success rates for requests • Evaluate via loopback test harness • Ratings are node-local • More attacks/responses in paper
What About Bootstrapping? • Shared by base Freenet system: must acquire initial {IP addr, port} out-of-band • Now need {IP addr, byte code} • Quantitative difference ==> qualitative change? • Memory, piece of paper ==> floppy disk, email attachment, applet • Conclusion: acceptable
Our Implementation • Prototype based on Freenet system • Peers can exchange Java bytecode for new protocols • Protocol usage can be asymmetric, can change on any message boundary • Restricted namespace
Four sample Protocol Objects • ‘Classic’ Freenet protocol • HTTPProtocol: Looks (vaguely) like HTTP • TrickyProtocol: Negotiates port change after every message • SpreadProtocol: Splits message on arbitrary byte boundaries, sends each chunk on a different port
Reprise:AN’s Major Technical Challenges • Performance: no problem • In Java already! • Overlay network: IP not my problem • Security • Key: change local, keep global protocol • Global network: domain-specific, therefore tractable. • Local to node: tractable, based on recent research
Agile Experiment: Conclusions • AN techniques seem likely to improve the censor-resistance of such networks • Feasible to implement in existing systems • Lots still to do • Implement ratings, etc, etc • JanosVM + runtime, re-engineer base • Evaluate in the lab • Evaluate “in the wild” • Lot of fun, lot of military relevance
FY 2001 Progress • Java OS Work • Moab / NodeOS API work • Team 3 Demo • ANTS EE • Tangible Goods • Failures, Achievements
Papers: FY 2001 Back et. al. Processes in KaffeOS: Isolation, Resource Management and Sharing in Java (OSDI 2000) Tullmann et. al. Janos: A Java-oriented OS for Active Network Nodes (IEEE JSAC Mar 2001) Peterson et. al. An OS Interface for Active Routers (IEEE JSAC Mar 2001) Ricci et. al. Active Protocols for Agile Censor-Resistant Networks (HotOS 2001)
Software Releases: FY 2001 • 11 separate releases • 2 OSKit versions • 2 Moab versions • 2 JanosVM versions • 1 ANTS2.0 • 2 Java NodeOS versions • 1 ANTS CVS • 1 Java NodeOS CVS
Mistakes I • Over-emphasis on strict hierarchy • Original nested process model • NodeOS mempools • NodeOS/EE split • Makes a nearly impossible research challenge even harder • Under-emphasis on applications
Mistakes II • Too much energy on software artifacts • ==> Missed research opportunities • ANTS? • Most aggressive AN model • Dated
Mistakes III • A-Flow -> Flow -> Domain • Failure to keep dm in ITO!
Achievements • Four generations of Java OS’s • Culminated in generic JavaOS infrastructure • Java spec impact: JSR-121 “Isolate”, ... • Low-level networking that leverages type-safety • Safe zero-copy • Unoptimized Java IP forwarding is40% speed of C (JNodeOS v. Moab)
Questions? • Where do I get Janos papers, software? • www.cs.utah.edu/flux/janos • How do I use the network testbed? • www.emulab.net
Architecture AA AA AA ANTSR EE ANTSR JanosVM: A JVM with resource management JanosVM Moab An OSKit-based NodeOS Moab Hardware (Or Unix)