Post on 18-Feb-2016
User-Centric Computing

Bryan Parno
Microsoft Research
with JD Douceur, Jon Howell, Jay Lorch and James Mickens
Goal: Free users from all administrative tasks
Approach: Remove the user's ability to perform admin tasks

Examples:                  Problems:
Install a program          Install malware
Install a driver           Install a rootkit
Configure the firewall     Create a hole in the firewall
Is This Acceptable?

User-Centric Computing
Ability/Control Mismatch
(Slide figure: a fictional app "BubbleUp" from vendor "BubbleSoft": "Now with more bubbles!", "Welcome to BubbleSoft!")

User:
• Full system control
• Limited expertise

Vendor (BubbleSoft):
• High expertise in BubbleUp
• No system control
Correct Alignment:

User:
• Can make high-level decisions
– Do I like BubbleSoft?
– Do I want to share this picture with my coworkers?

Vendor:
• Can reliably present an experience to the user
• Cannot be affected by other vendors' decisions
Foundations of User-Centric Computing
1. Strong Isolation + Minimal TCB
2. Disaggregation
3. “Protocol”-Based Communication
1) Strong Isolation + Minimal TCB
(Slide figure: a conventional OS stack, with apps, drivers and modules all layered over a single kernel, contrasted with per-vendor components, each with its own kernel, running over a minimal host kernel.)

OS                    LoC
Windows NT 3.1        4-5 M
Windows NT 4.0        11-12 M
Windows 2000          >29 M
Windows XP            40 M
Windows Server 2003   50 M

OS                    LoC
Linux Kernel 2.6.0    5.2 M
Linux Kernel 2.6.29   11.0 M
Linux Kernel 2.6.32   12.6 M

VMM                   LoC
Xen – 2003            42 K
Xen – 2005            83 K
Xen – 2010            250 K
2) Disaggregation
(Slide figure: each vendor ships only the components its app needs, e.g. one vendor's Network, File System and Windowing components, another vendor's 3D Graphics, File System and Physics Lib; underneath sit separately hosted components such as Ext4, NTFS, a Blob Store and IPC.)
3) “Protocol”-Based Communication
• All communication happens via network protocols
(Slide figure: two vendors' components running above the kernel, with no direct channel between them other than the network protocol.)
Key Point: No special privileges from being co-located!
User-Driven Sharing
• Leverage existing delegation metaphors
• When querying the user, questions should be:
– Rare
– Narrow in scope
– User-meaningful
Conclusions
• Removing a user's admin powers can improve security and usability
• Disaggregate and formalize communication to avoid TCB bloat
• Many questions remain, esp. regarding user-driven sharing

Thank you!
parno@microsoft.com