Janos Project: FY 2001 Jay Lepreau Flux Research Group University of Utah June 5, 2001.
-
date post
20-Dec-2015 -
Category
Documents
-
view
212 -
download
0
Transcript of Janos Project: FY 2001 Jay Lepreau Flux Research Group University of Utah June 5, 2001.
Janos Project: FY 2001Janos Project: FY 2001
Jay Lepreau
Flux Research GroupUniversity of Utah
June 5, 2001
June 5, 20012 janosUniversity of UtahUniversity of Utah
The Main PlayersThe Main Players
Pat Tullmann
Godmar BackMike HiblerWilson HsiehRob RicciTim Stack
June 5, 20013 janosUniversity of UtahUniversity of Utah
OutlineOutlineJava OS Work
Moab / NodeOS API work Team 3 Demo ANTS EE
A Killer Application?!Failures, Achievements
June 5, 20014 janosUniversity of UtahUniversity of Utah
Janos Project Goals Janos Project Goals
Resource Control & security of a local node in an Active Network
First-class, OS-style control over Java “applications”
Separately useful components– NodeOS, JVM, EE, etc.
Open Source
June 5, 20015 janosUniversity of UtahUniversity of Utah
Research Goals IResearch Goals I
Combine OS + Language– Merge OS principles and Java typesafety to
create a real Java OS– Explore which features of Java apply in an
OS context– Explore which OS features map appropriately
into a Java OS
June 5, 20016 janosUniversity of UtahUniversity of Utah
Research Goals IIResearch Goals II
Apply Java OS to the AN domain– Leverage AN domain’s constraints
Can we safely expose low-level network aspects?
Can safe code go fast?
June 5, 20017 janosUniversity of UtahUniversity of Utah
A “Java operating system” is...A “Java operating system” is... An enhanced JVM that provides OS functions to
multiple Java “programs” within it Features:
– Separation– Resource management– Sometimes: direct sharing
Architectural abstractions taken from OS– User/kernel boundary, processes, etc.
Mechanisms taken from garbage collection
June 5, 20018 janosUniversity of UtahUniversity of Utah
- Multiple apps in one JVM
- One app per JVM in different OS processes
Previous OptionsPrevious Options
App1 App2 App3
Base OS
JVM
App1 App2 App3
JVM JVM JVM
Base OS
June 5, 20019 janosUniversity of UtahUniversity of Utah
“Java Operating System”“Java Operating System”
App1 App2 App3 App4
Java OS
Base OS
+ Good separation
+ Good resource management
+ Allows some direct sharing
Java OS
June 5, 200110 janosUniversity of UtahUniversity of Utah
Janos ArchitectureJanos Architecture
Hardware (Or Unix)
JanosVM
JanosVM: A JVM with resource management JanosVM: A JVM with
resource management
Moab
Moab: An OSKit-based NodeOSMoab: An OSKit-based NodeOS
ANTS2
EEEEAAAA AA
June 5, 200111 janosUniversity of UtahUniversity of Utah
Software SpecificsSoftware Specifics
Build NodeOS in C that exposes low-level network features: Moab– Optimized for a single, trusted EE
Provide the NodeOS API in Java: Janos Java NodeOS– Works with JDK1.x or JanosVM
Provide a JVM for building a Java OS: JanosVM Make ANTS multi-domain and resource-aware:
ANTS2.0
June 5, 200112 janosUniversity of UtahUniversity of Utah
FY 2001 ProgressFY 2001 Progress
Java OS WorkMoab / NodeOS API workTeam 3 DemoANTS EEAn Application!Failures, Achievements
June 5, 200113 janosUniversity of UtahUniversity of Utah
Java OS WorkJava OS Work
Ph.D. on Java Operating Systems– Godmar Back - June 12, 2001
Designed, built and released JanosVM– Evolution of KaffeOS to provide key building
block for a Java OSSun JSR-121 Expert Group
– “Isolate” : first step in multiprocess support in Sun’s JDK
– Utah representation
June 5, 200114 janosUniversity of UtahUniversity of Utah
JanosVMJanosVM
Virtual Machine for Java bytecodes– Usual JVM features: JIT, GC, etc.– Multiprocess support
Designed as foundation for Java OS– Exports primitives to build efficient Java OS– Customized by trusted runtime
JanosVMJanosVM
Custom JavaOS RuntimeCustom JavaOS Runtime
Java OS {Java OS {
June 5, 200115 janosUniversity of UtahUniversity of Utah
JanosVMJanosVM
Virtual Machine for Java bytecodes– Usual JVM features: JIT, GC, etc.
Designed as foundation for Java OSExports primitives to build efficient,
targeted Java OS
JanosVMJanosVM
Java Nodeos + ANTS2.0Java Nodeos + ANTS2.0
Janos {Janos {
June 5, 200116 janosUniversity of UtahUniversity of Utah
JanosVMJanosVM
Virtual Machine for Java bytecodes– Usual JVM features: JIT, GC, etc.
Designed as foundation for Java OSExports primitives to build efficient,
targeted Java OS
JanosVMJanosVM
“Isolate” support“Isolate” support
JSR-121 {JSR-121 {
June 5, 200117 janosUniversity of UtahUniversity of Utah
FY 2001 ProgressFY 2001 Progress
Java OS WorkMoab / NodeOS API workTeam 3 DemoANTS EEAn Application!Failures, Achievements
June 5, 200118 janosUniversity of UtahUniversity of Utah
Moab / NodeOS APIMoab / NodeOS API
Joint NodeOS paperPluggable CPU & network schedulersClick in Moab: fine-grained control over
cut-through channelsMore:
– NodeOS API refinement, polling vs. interrupts, SNMP support, filesys support, ...
June 5, 200119 janosUniversity of UtahUniversity of Utah
FY 2001 ProgressFY 2001 Progress
Java OS WorkMoab / NodeOS API workTeam 3 DemoANTS EEAn Application!Failures, Achievements
June 5, 200120 janosUniversity of UtahUniversity of Utah
Team 3 DemoTeam 3 Demo
Built an IP router– in Java– on the Janos Java NodeOS bindings– on JanosVM– on Moab– on the bare hardware
Demonstrated– CPU controls, network bandwidth controls, and
memory controls over Java apps
Inter-operated with 3 other projects
June 5, 200121 janosUniversity of UtahUniversity of Utah
FY 2001 ProgressFY 2001 Progress
Java OS WorkMoab / NodeOS API workTeam 3 DemoANTS EEAn Application! Failures, Achievements
June 5, 200122 janosUniversity of UtahUniversity of Utah
ANTS EEANTS EE
Completed per-domain separation in ANTSR
With UW, evolved and released ANTS2.0 from ANTSR and ANTS1.3, plus:– New security infrastructure– Improved ABONE / ANETD support
June 5, 200123 janosUniversity of UtahUniversity of Utah
FY 2001 ProgressFY 2001 Progress
Java OS WorkMoab / NodeOS API workTeam 3 DemoANTS EEBranching OutTangible GoodsFailures, Acheivements
June 5, 200124 janosUniversity of UtahUniversity of Utah
Branching OutBranching Out
emulab.net - Utah Network Testbed– 200 machines, lots of tools– Real users: 70% dist sys, 30% networking– Developed / tested our Team 3 demo setup,
all our AN experiments– Paper under review
A killer application?!
June 5, 200125 janosUniversity of UtahUniversity of Utah
QuoteQuote
“We had a little bit of a problem with applications.”
- Sandy Murphy, 4 June 2001
June 5, 200126 janosUniversity of UtahUniversity of Utah
Active Protocols for Agile Censor-Resistant Networks
Active Protocols for Agile Censor-Resistant Networks
June 5, 200127 janosUniversity of UtahUniversity of Utah
Key IdeasKey Ideas
Censor-resistant (p2p) publishing is a compelling and feasible application of active networking
…through on-demand, rapid, decentralized, diversification of the hop-by-hop protocol (manually, by people)
We prototyped this in Freenet
June 5, 200128 janosUniversity of UtahUniversity of Utah
Active Networking’s Biggest ProblemActive Networking’s Biggest Problem
Demand: no killer app
Inherent problem, by definition!
The space of AN protocols is interesting, not any given protocol
But… a good match for censor-resistant networks
June 5, 200129 janosUniversity of UtahUniversity of Utah
Censor-Resistant NetworksCensor-Resistant NetworksGoals
– Make intentional deletion or denial of access infeasible or difficult
– Often: Anonymity Usually: overlay networkAn example: Freenet
June 5, 200130 janosUniversity of UtahUniversity of Utah
Some Problems Facing CRNsSome Problems Facing CRNs
CRN traffic may be identifiable– Static set of protocols a weakness
Mere membership may be incriminating– Only identification may be necessary, not
eavesdropping
– Last link vulnerable: mercy of ISP
Users on restricted networks cannot participate– But special techniques can get traffic through
firewalls, proxies, etc.
June 5, 200131 janosUniversity of UtahUniversity of Utah
Agile ProtocolsAgile Protocols Use active networking techniques for
replacement of single-hop protocols Completely decentralized
– Any node (person) can create a new protocol & pass to its peer
– Rapid response time to censorship– Nodes can customize for their environment
Unbounded set of protocols– Attacker cannot even know what percentage of set
they have discovered
June 5, 200132 janosUniversity of UtahUniversity of Utah
Protocol ExamplesProtocol ExamplesDisguise and tunnel, eg through SMTP,
HTTPPort-hopping… randomlyPort-smearing (~spread spectrum)Bounce thru 3rd hostSteganography…even better in wireless domain:
physical & link level
June 5, 200133 janosUniversity of UtahUniversity of Utah
What About MaliciousProtocol Objects?
What About MaliciousProtocol Objects?
June 5, 200134 janosUniversity of UtahUniversity of Utah
Protecting Local Node’s Integrity, Privacy, and Availability
Protecting Local Node’s Integrity, Privacy, and Availability Threat model like Java applet, but worse for
privacy– node state: cache contents, neighbor list, IP addr,
username, …– message itself
Integrity and privacy: std type-safety and namespace isolation
Resource attacks: resource-managing JVM [OSDI’00, ...]
June 5, 200135 janosUniversity of UtahUniversity of Utah
Publishing-specific DoS AttacksPublishing-specific DoS AttacksSame general issues as malicious nodes Failure (total or intermittent)
– Either malicious or unintentional– Heuristic approach: rate Protocol Objects
• Ratings based on success rates for requests• Evaluate via loopback test harness
– Ratings are node-local
More attacks/responses in paper
June 5, 200136 janosUniversity of UtahUniversity of Utah
What About Bootstrapping?What About Bootstrapping?Shared by base Freenet system: must
acquire initial {IP addr, port} out-of-bandNow need {IP addr, byte code}Quantitative difference ==> qualitative
change?Memory, piece of paper ==> floppy disk,
email attachment, appletConclusion: acceptable
June 5, 200137 janosUniversity of UtahUniversity of Utah
Our ImplementationOur Implementation
Prototype based on Freenet systemPeers can exchange Java bytecode for
new protocolsProtocol usage can be asymmetric, can
change on any message boundaryRestricted namespace
June 5, 200138 janosUniversity of UtahUniversity of Utah
Four sample Protocol ObjectsFour sample Protocol Objects‘Classic’ Freenet protocol HTTPProtocol: Looks (vaguely) like HTTPTrickyProtocol: Negotiates port change
after every messageSpreadProtocol: Splits message on
arbitrary byte boundaries, sends each chunk on a different port
June 5, 200139 janosUniversity of UtahUniversity of Utah
Reprise:AN’s Major Technical ChallengesReprise:AN’s Major Technical Challenges
Performance: no problem– In Java already!– Overlay network: IP not my problem
Security– Key: change local, keep global protocol– Global network: domain-specific, therefore tractable. – Local to node: tractable, based on recent research
June 5, 200140 janosUniversity of UtahUniversity of Utah
Agile Experiment: ConclusionsAgile Experiment: Conclusions AN techniques seem likely to improve the
censor-resistance of such networks Feasible to implement in existing systems Lots still to do
– Implement ratings, etc, etc– JanosVM + runtime, re-engineer base– Evaluate in the lab– Evaluate “in the wild”
Lot of fun, lot of military relevance
June 5, 200141 janosUniversity of UtahUniversity of Utah
FY 2001 ProgressFY 2001 Progress
Java OS WorkMoab / NodeOS API workTeam 3 DemoANTS EETangible GoodsFailures, Achievements
June 5, 200142 janosUniversity of UtahUniversity of Utah
Papers: FY 2001Papers: FY 2001Back et. al. Processes in KaffeOS: Isolation, Resource
Management and Sharing in Java (OSDI 2000)
Tullmann et. al. Janos: A Java-oriented OS for Active Network Nodes (IEEE JSAC Mar 2001)
Peterson et. al. An OS Interface for Active Routers(IEEE JSAC Mar 2001)
Ricci et. al. Active Protocols for Agile Censor-Resistant Networks (HotOS 2001)
June 5, 200143 janosUniversity of UtahUniversity of Utah
Software Releases: FY 2001Software Releases: FY 200111 separate releases
– 2 OSKit versions– 2 Moab versions– 2 JanosVM versions– 1 ANTS2.0– 2 Java NodeOS versions– 1 ANTS CVS – 1 Java NodeOS CVS
June 5, 200144 janosUniversity of UtahUniversity of Utah
Mistakes IMistakes I
Over-emphasis on strict hierarchy– Original nested process model– NodeOS mempools
NodeOS/EE split– Makes a nearly impossible research
challenge even harderUnder-emphasis on applications
June 5, 200145 janosUniversity of UtahUniversity of Utah
Mistakes IIMistakes II
Too much energy on software artifacts– ==> Missed research opportunities
ANTS?– Most aggressive AN model– Dated
June 5, 200146 janosUniversity of UtahUniversity of Utah
Mistakes IIIMistakes III
A-Flow -> Flow -> Domain
Failure to keep dm in ITO!
June 5, 200147 janosUniversity of UtahUniversity of Utah
AchievementsAchievements
Four generations of Java OS’s– Culminated in generic JavaOS infrastructure– Java spec impact: JSR-121 “Isolate”, ...
Low-level networking that leverages type-safety– Safe zero-copy– Unoptimized Java IP forwarding is
40% speed of C (JNodeOS v. Moab)
June 5, 200148 janosUniversity of UtahUniversity of Utah
Questions?Questions?
Where do I get Janos papers, software?– www.cs.utah.edu/flux/janos
How do I use the network testbed?– www.emulab.net
June 5, 200150 janosUniversity of UtahUniversity of Utah
ArchitectureArchitecture
Hardware (Or Unix)
Moab
JanosVM
ANTSRJanosVM: A JVM with resource management JanosVM: A JVM with
resource management
Moab An OSKit-based NodeOSMoab An OSKit-based NodeOS
ANTSR EEANTSR EEAAAA AA
June 5, 200151 janosUniversity of UtahUniversity of Utah
ApproachApproach
Re-fit existing AN infrastructure to multiprocess, resource-aware JVM
Apply OS principles to Java language run-time– User/kernel boundary, processes, etc.– Construct a “multiprocess” JVM
Build a NodeOS that exposes low-level network features