Janos Project: FY 2001 Jay Lepreau Flux Research Group University of Utah June 5, 2001.

Janos Project: FY 2001Janos Project: FY 2001

Jay Lepreau

Flux Research GroupUniversity of Utah

June 5, 2001

June 5, 20012 janosUniversity of UtahUniversity of Utah

The Main PlayersThe Main Players

Pat Tullmann

Godmar BackMike HiblerWilson HsiehRob RicciTim Stack


OutlineOutlineJava OS Work

Moab / NodeOS API work Team 3 Demo ANTS EE

A Killer Application?!Failures, Achievements


Janos Project Goals Janos Project Goals

Resource Control & security of a local node in an Active Network

First-class, OS-style control over Java “applications”

Separately useful components– NodeOS, JVM, EE, etc.

Open Source


Research Goals IResearch Goals I

Combine OS + Language– Merge OS principles and Java typesafety to

create a real Java OS– Explore which features of Java apply in an

OS context– Explore which OS features map appropriately

into a Java OS


Research Goals IIResearch Goals II

Apply Java OS to the AN domain– Leverage AN domain’s constraints

Can we safely expose low-level network aspects?

Can safe code go fast?


A “Java operating system” is...A “Java operating system” is... An enhanced JVM that provides OS functions to

multiple Java “programs” within it Features:

– Separation– Resource management– Sometimes: direct sharing

Architectural abstractions taken from OS– User/kernel boundary, processes, etc.

Mechanisms taken from garbage collection


- Multiple apps in one JVM

- One app per JVM in different OS processes

Previous OptionsPrevious Options

App1 App2 App3

Base OS

JVM

App1 App2 App3

JVM JVM JVM

Base OS


“Java Operating System”“Java Operating System”

App1 App2 App3 App4

Java OS

Base OS

+ Good separation

+ Good resource management

+ Allows some direct sharing

Java OS


Janos ArchitectureJanos Architecture

Hardware (Or Unix)

JanosVM

JanosVM: A JVM with resource management JanosVM: A JVM with

resource management

Moab

Moab: An OSKit-based NodeOSMoab: An OSKit-based NodeOS

ANTS2

EEEEAAAA AA


Software SpecificsSoftware Specifics

Build NodeOS in C that exposes low-level network features: Moab– Optimized for a single, trusted EE

Provide the NodeOS API in Java: Janos Java NodeOS– Works with JDK1.x or JanosVM

Provide a JVM for building a Java OS: JanosVM Make ANTS multi-domain and resource-aware:

ANTS2.0


FY 2001 ProgressFY 2001 Progress

Java OS WorkMoab / NodeOS API workTeam 3 DemoANTS EEAn Application!Failures, Achievements


Java OS WorkJava OS Work

Ph.D. on Java Operating Systems– Godmar Back - June 12, 2001

Designed, built and released JanosVM– Evolution of KaffeOS to provide key building

block for a Java OSSun JSR-121 Expert Group

– “Isolate” : first step in multiprocess support in Sun’s JDK

– Utah representation


JanosVMJanosVM

Virtual Machine for Java bytecodes– Usual JVM features: JIT, GC, etc.– Multiprocess support

Designed as foundation for Java OS– Exports primitives to build efficient Java OS– Customized by trusted runtime

JanosVMJanosVM

Custom JavaOS RuntimeCustom JavaOS Runtime

Java OS {Java OS {


JanosVMJanosVM

Virtual Machine for Java bytecodes– Usual JVM features: JIT, GC, etc.

Designed as foundation for Java OSExports primitives to build efficient,

targeted Java OS

JanosVMJanosVM

Java Nodeos + ANTS2.0Java Nodeos + ANTS2.0

Janos {Janos {


JanosVMJanosVM

Virtual Machine for Java bytecodes– Usual JVM features: JIT, GC, etc.

Designed as foundation for Java OSExports primitives to build efficient,

targeted Java OS

JanosVMJanosVM

“Isolate” support“Isolate” support

JSR-121 {JSR-121 {


Moab / NodeOS APIMoab / NodeOS API

Joint NodeOS paperPluggable CPU & network schedulersClick in Moab: fine-grained control over

cut-through channelsMore:

– NodeOS API refinement, polling vs. interrupts, SNMP support, filesys support, ...


Team 3 DemoTeam 3 Demo

Built an IP router– in Java– on the Janos Java NodeOS bindings– on JanosVM– on Moab– on the bare hardware

Demonstrated– CPU controls, network bandwidth controls, and

memory controls over Java apps

Inter-operated with 3 other projects



Java OS WorkMoab / NodeOS API workTeam 3 DemoANTS EEAn Application! Failures, Achievements


ANTS EEANTS EE

Completed per-domain separation in ANTSR

With UW, evolved and released ANTS2.0 from ANTSR and ANTS1.3, plus:– New security infrastructure– Improved ABONE / ANETD support



Java OS WorkMoab / NodeOS API workTeam 3 DemoANTS EEBranching OutTangible GoodsFailures, Acheivements


Branching OutBranching Out

emulab.net - Utah Network Testbed– 200 machines, lots of tools– Real users: 70% dist sys, 30% networking– Developed / tested our Team 3 demo setup,

all our AN experiments– Paper under review

A killer application?!


QuoteQuote

“We had a little bit of a problem with applications.”

- Sandy Murphy, 4 June 2001


Active Protocols for Agile Censor-Resistant Networks

Active Protocols for Agile Censor-Resistant Networks


Key IdeasKey Ideas

Censor-resistant (p2p) publishing is a compelling and feasible application of active networking

…through on-demand, rapid, decentralized, diversification of the hop-by-hop protocol (manually, by people)

We prototyped this in Freenet


Active Networking’s Biggest ProblemActive Networking’s Biggest Problem

Demand: no killer app

Inherent problem, by definition!

The space of AN protocols is interesting, not any given protocol

But… a good match for censor-resistant networks


Censor-Resistant NetworksCensor-Resistant NetworksGoals

– Make intentional deletion or denial of access infeasible or difficult

– Often: Anonymity Usually: overlay networkAn example: Freenet


Some Problems Facing CRNsSome Problems Facing CRNs

CRN traffic may be identifiable– Static set of protocols a weakness

Mere membership may be incriminating– Only identification may be necessary, not

eavesdropping

– Last link vulnerable: mercy of ISP

Users on restricted networks cannot participate– But special techniques can get traffic through

firewalls, proxies, etc.


Agile ProtocolsAgile Protocols Use active networking techniques for

replacement of single-hop protocols Completely decentralized

– Any node (person) can create a new protocol & pass to its peer

– Rapid response time to censorship– Nodes can customize for their environment

Unbounded set of protocols– Attacker cannot even know what percentage of set

they have discovered


Protocol ExamplesProtocol ExamplesDisguise and tunnel, eg through SMTP,

HTTPPort-hopping… randomlyPort-smearing (~spread spectrum)Bounce thru 3rd hostSteganography…even better in wireless domain:

physical & link level


What About MaliciousProtocol Objects?

What About MaliciousProtocol Objects?


Protecting Local Node’s Integrity, Privacy, and Availability

Protecting Local Node’s Integrity, Privacy, and Availability Threat model like Java applet, but worse for

privacy– node state: cache contents, neighbor list, IP addr,

username, …– message itself

Integrity and privacy: std type-safety and namespace isolation

Resource attacks: resource-managing JVM [OSDI’00, ...]


Publishing-specific DoS AttacksPublishing-specific DoS AttacksSame general issues as malicious nodes Failure (total or intermittent)

– Either malicious or unintentional– Heuristic approach: rate Protocol Objects

• Ratings based on success rates for requests• Evaluate via loopback test harness

– Ratings are node-local

More attacks/responses in paper


What About Bootstrapping?What About Bootstrapping?Shared by base Freenet system: must

acquire initial {IP addr, port} out-of-bandNow need {IP addr, byte code}Quantitative difference ==> qualitative

change?Memory, piece of paper ==> floppy disk,

email attachment, appletConclusion: acceptable


Our ImplementationOur Implementation

Prototype based on Freenet systemPeers can exchange Java bytecode for

new protocolsProtocol usage can be asymmetric, can

change on any message boundaryRestricted namespace


Four sample Protocol ObjectsFour sample Protocol Objects‘Classic’ Freenet protocol HTTPProtocol: Looks (vaguely) like HTTPTrickyProtocol: Negotiates port change

after every messageSpreadProtocol: Splits message on

arbitrary byte boundaries, sends each chunk on a different port


Reprise:AN’s Major Technical ChallengesReprise:AN’s Major Technical Challenges

Performance: no problem– In Java already!– Overlay network: IP not my problem

Security– Key: change local, keep global protocol– Global network: domain-specific, therefore tractable. – Local to node: tractable, based on recent research


Agile Experiment: ConclusionsAgile Experiment: Conclusions AN techniques seem likely to improve the

censor-resistance of such networks Feasible to implement in existing systems Lots still to do

– Implement ratings, etc, etc– JanosVM + runtime, re-engineer base– Evaluate in the lab– Evaluate “in the wild”

Lot of fun, lot of military relevance



Java OS WorkMoab / NodeOS API workTeam 3 DemoANTS EETangible GoodsFailures, Achievements


Papers: FY 2001Papers: FY 2001Back et. al. Processes in KaffeOS: Isolation, Resource

Management and Sharing in Java (OSDI 2000)

Tullmann et. al. Janos: A Java-oriented OS for Active Network Nodes (IEEE JSAC Mar 2001)

Peterson et. al. An OS Interface for Active Routers(IEEE JSAC Mar 2001)

Ricci et. al. Active Protocols for Agile Censor-Resistant Networks (HotOS 2001)


Software Releases: FY 2001Software Releases: FY 200111 separate releases

– 2 OSKit versions– 2 Moab versions– 2 JanosVM versions– 1 ANTS2.0– 2 Java NodeOS versions– 1 ANTS CVS – 1 Java NodeOS CVS


Mistakes IMistakes I

Over-emphasis on strict hierarchy– Original nested process model– NodeOS mempools

NodeOS/EE split– Makes a nearly impossible research

challenge even harderUnder-emphasis on applications


Mistakes IIMistakes II

Too much energy on software artifacts– ==> Missed research opportunities

ANTS?– Most aggressive AN model– Dated


Mistakes IIIMistakes III

A-Flow -> Flow -> Domain

Failure to keep dm in ITO!


AchievementsAchievements

Four generations of Java OS’s– Culminated in generic JavaOS infrastructure– Java spec impact: JSR-121 “Isolate”, ...

Low-level networking that leverages type-safety– Safe zero-copy– Unoptimized Java IP forwarding is

40% speed of C (JNodeOS v. Moab)


Questions?Questions?

Where do I get Janos papers, software?– www.cs.utah.edu/flux/janos

How do I use the network testbed?– www.emulab.net


END OF PRESENTATIONEND OF PRESENTATION


ArchitectureArchitecture

Hardware (Or Unix)

Moab

JanosVM

ANTSRJanosVM: A JVM with resource management JanosVM: A JVM with

resource management

Moab An OSKit-based NodeOSMoab An OSKit-based NodeOS

ANTSR EEANTSR EEAAAA AA


ApproachApproach

Re-fit existing AN infrastructure to multiprocess, resource-aware JVM

Apply OS principles to Java language run-time– User/kernel boundary, processes, etc.– Construct a “multiprocess” JVM

Build a NodeOS that exposes low-level network features


Team 3 DemoTeam 3 Demo

First full Janos prototype to run Java on the bare hardware

Illuminated many performance issues in our prototype

Janos Project: FY 2001 Jay Lepreau Flux Research Group University of Utah June 5, 2001.

Documents

Transcript of Janos Project: FY 2001 Jay Lepreau Flux Research Group University of Utah June 5, 2001.