Janos Project: FY 2001
  Jay Lepreau
  Flux Research Group
  University of Utah
  June 5, 2001

The Main Players
  Pat Tullmann
  Godmar Back
  Mike Hibler
  Wilson Hsieh
  Rob Ricci
  Tim Stack

Outline
  Java OS Work
  Moab / NodeOS API work
  Team 3 Demo
  ANTS EE
  A Killer Application?!
  Failures, Achievements

Janos Project Goals
  Resource Control & security of a local node in an Active Network
  First-class, OS-style control over Java “applications”
  Separately useful components
    – NodeOS, JVM, EE, etc.
  Open Source

Research Goals I
  Combine OS + Language
    – Merge OS principles and Java typesafety to create a real Java OS
    – Explore which features of Java apply in an OS context
    – Explore which OS features map appropriately into a Java OS

Research Goals II
  Apply Java OS to the AN domain
    – Leverage AN domain’s constraints
  Can we safely expose low-level network aspects?
  Can safe code go fast?

A “Java operating system” is...
  An enhanced JVM that provides OS functions to multiple Java “programs” within it
  Features:
    – Separation
    – Resource management
    – Sometimes: direct sharing
  Architectural abstractions taken from OS
    – User/kernel boundary, processes, etc.
  Mechanisms taken from garbage collection

Previous Options
  - Multiple apps in one JVM
    [Diagram: App1, App2, App3 on one JVM over the Base OS]
  - One app per JVM in different OS processes
    [Diagram: App1, App2, App3, each on its own JVM, over the Base OS]

“Java Operating System”
  [Diagram: App1, App2, App3, App4 on Java OS, Java OS, over the Base OS]
  + Good separation
  + Good resource management
  + Allows some direct sharing

Janos Architecture
  [Diagram labels, top to bottom: AA, AA, AA; EE; ANTS2; JanosVM; Moab; Hardware (Or Unix)]
  JanosVM: A JVM with resource management
  Moab: An OSKit-based NodeOS

Software Specifics
  Build NodeOS in C that exposes low-level network features: Moab
    – Optimized for a single, trusted EE
  Provide the NodeOS API in Java: Janos Java NodeOS
    – Works with JDK1.x or JanosVM
  Provide a JVM for building a Java OS: JanosVM
  Make ANTS multi-domain and resource-aware: ANTS2.0

FY 2001 Progress
  Java OS Work
  Moab / NodeOS API work
  Team 3 Demo
  ANTS EE
  An Application!
  Failures, Achievements

Java OS Work
  Ph.D. on Java Operating Systems
    – Godmar Back - June 12, 2001
  Designed, built and released JanosVM
    – Evolution of KaffeOS to provide key building block for a Java OS
  Sun JSR-121 Expert Group
    – “Isolate”: first step in multiprocess support in Sun’s JDK
    – Utah representation

JanosVM
  Virtual Machine for Java bytecodes
    – Usual JVM features: JIT, GC, etc.
    – Multiprocess support
  Designed as foundation for Java OS
    – Exports primitives to build efficient Java OS
    – Customized by trusted runtime
  [Diagram: “Java OS” bracket spanning Custom JavaOS Runtime on JanosVM]

JanosVM
  Virtual Machine for Java bytecodes
    – Usual JVM features: JIT, GC, etc.
  Designed as foundation for Java OS
  Exports primitives to build efficient, targeted Java OS
  [Diagram: “Janos” bracket spanning Java NodeOS + ANTS2.0 on JanosVM]

JanosVM
  Virtual Machine for Java bytecodes
    – Usual JVM features: JIT, GC, etc.
  Designed as foundation for Java OS
  Exports primitives to build efficient, targeted Java OS
  [Diagram: “JSR-121” bracket spanning “Isolate” support on JanosVM]

FY 2001 Progress
  Java OS Work
  Moab / NodeOS API work
  Team 3 Demo
  ANTS EE
  An Application!
  Failures, Achievements

Moab / NodeOS API
  Joint NodeOS paper
  Pluggable CPU & network schedulers
  Click in Moab: fine-grained control over cut-through channels
  More:
    – NodeOS API refinement, polling vs. interrupts, SNMP support, filesys support, ...

FY 2001 Progress
  Java OS Work
  Moab / NodeOS API work
  Team 3 Demo
  ANTS EE
  An Application!
  Failures, Achievements

Team 3 Demo
  Built an IP router
    – in Java
    – on the Janos Java NodeOS bindings
    – on JanosVM
    – on Moab
    – on the bare hardware
  Demonstrated
    – CPU controls, network bandwidth controls, and memory controls over Java apps
  Inter-operated with 3 other projects

FY 2001 Progress
  Java OS Work
  Moab / NodeOS API work
  Team 3 Demo
  ANTS EE
  An Application!
  Failures, Achievements

ANTS EE
  Completed per-domain separation in ANTSR
  With UW, evolved and released ANTS2.0 from ANTSR and ANTS1.3, plus:
    – New security infrastructure
    – Improved ABONE / ANETD support

FY 2001 Progress
  Java OS Work
  Moab / NodeOS API work
  Team 3 Demo
  ANTS EE
  Branching Out
  Tangible Goods
  Failures, Achievements

Branching Out
  emulab.net - Utah Network Testbed
    – 200 machines, lots of tools
    – Real users: 70% dist sys, 30% networking
    – Developed / tested our Team 3 demo setup, all our AN experiments
    – Paper under review
  A killer application?!

Quote
  “We had a little bit of a problem with applications.”
  - Sandy Murphy, 4 June 2001

Active Protocols for Agile Censor-Resistant Networks

Key Ideas
  Censor-resistant (p2p) publishing is a compelling and feasible application of active networking
  …through on-demand, rapid, decentralized, diversification of the hop-by-hop protocol (manually, by people)
  We prototyped this in Freenet

Active Networking’s Biggest Problem
  Demand: no killer app
  Inherent problem, by definition!
  The space of AN protocols is interesting, not any given protocol
  But… a good match for censor-resistant networks

Censor-Resistant Networks
  Goals
    – Make intentional deletion or denial of access infeasible or difficult
    – Often: Anonymity
  Usually: overlay network
  An example: Freenet

Some Problems Facing CRNs
  CRN traffic may be identifiable
    – Static set of protocols a weakness
  Mere membership may be incriminating
    – Only identification may be necessary, not eavesdropping
    – Last link vulnerable: mercy of ISP
  Users on restricted networks cannot participate
    – But special techniques can get traffic through firewalls, proxies, etc.

Agile Protocols
  Use active networking techniques for replacement of single-hop protocols
  Completely decentralized
    – Any node (person) can create a new protocol & pass to its peer
    – Rapid response time to censorship
    – Nodes can customize for their environment
  Unbounded set of protocols
    – Attacker cannot even know what percentage of set they have discovered

Protocol Examples
  Disguise and tunnel, e.g. through SMTP, HTTP
  Port-hopping… randomly
  Port-smearing (~spread spectrum)
  Bounce thru 3rd host
  Steganography
  …even better in wireless domain: physical & link level

What About Malicious Protocol Objects?

Protecting Local Node’s Integrity, Privacy, and Availability
  Threat model like Java applet, but worse for privacy
    – node state: cache contents, neighbor list, IP addr, username, …
    – message itself
  Integrity and privacy: std type-safety and namespace isolation
  Resource attacks: resource-managing JVM [OSDI’00, ...]
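
The namespace isolation this slide relies on for integrity and privacy (the implementation slide later calls it a "restricted namespace") can be enforced at class resolution time, because every class a Protocol Object names is requested from the loader that defined it. The following is an added example, not code from Janos or the Freenet prototype; the class name, the allowlist contents and the node.protoapi package are assumptions.

```java
import java.util.Map;
import java.util.Set;

// Added example, not Janos or Freenet code. Class and package names are assumptions.
public class RestrictedProtocolLoader extends ClassLoader {
    // Exact system classes a Protocol Object may name. No Class, reflection,
    // Runtime, System, thread, file or socket classes: node state stays out of reach.
    private static final Set<String> ALLOWED = Set.of(
        "java.lang.Object", "java.lang.String", "java.lang.StringBuilder",
        "java.lang.Math", "java.lang.Integer", "java.lang.Exception",
        "java.lang.RuntimeException", "java.io.IOException");
    // Hypothetical package holding the narrow API the node exports to protocols.
    private static final String NODE_API = "node.protoapi.";

    private final Map<String, byte[]> received; // class name -> bytecode from a peer

    public RestrictedProtocolLoader(Map<String, byte[]> received, ClassLoader parent) {
        super(parent);
        this.received = Map.copyOf(received);   // Java 10+
    }

    @Override
    protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
        synchronized (getClassLoadingLock(name)) {
            Class<?> c = findLoadedClass(name);
            if (c == null && received.containsKey(name)) {
                byte[] b = received.get(name);         // untrusted class: define it here so
                c = defineClass(name, b, 0, b.length); // its own references come back to us
            }
            if (c == null) {
                if (!ALLOWED.contains(name) && !name.startsWith(NODE_API)) {
                    throw new ClassNotFoundException("outside protocol namespace: " + name);
                }
                c = getParent().loadClass(name);       // allowlisted: delegate to the node
            }
            if (resolve) resolveClass(c);
            return c;
        }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader l = new RestrictedProtocolLoader(Map.of(), ClassLoader.getSystemClassLoader());
        System.out.println(l.loadClass("java.lang.String"));
        for (String n : new String[] {"java.lang.Runtime", "java.net.Socket", "java.lang.reflect.Method"}) {
            try { l.loadClass(n); System.out.println("LEAK " + n); }
            catch (ClassNotFoundException e) { System.out.println("denied " + n); }
        }
    }
}
```

This covers only the integrity and privacy half of the slide: a loaded protocol can still exhaust CPU or memory, which is what the resource-managing JVM is for.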

Publishing-specific DoS Attacks
  Same general issues as malicious nodes
  Failure (total or intermittent)
    – Either malicious or unintentional
    – Heuristic approach: rate Protocol Objects
      • Ratings based on success rates for requests
      • Evaluate via loopback test harness
    – Ratings are node-local
  More attacks/responses in paper

What About Bootstrapping?
  Shared by base Freenet system: must acquire initial {IP addr, port} out-of-band
  Now need {IP addr, byte code}
  Quantitative difference ==> qualitative change?
  Memory, piece of paper ==> floppy disk, email attachment, applet
  Conclusion: acceptable

Our Implementation
  Prototype based on Freenet system
  Peers can exchange Java bytecode for new protocols
  Protocol usage can be asymmetric, can change on any message boundary
  Restricted namespace

Four sample Protocol Objects
  ‘Classic’ Freenet protocol
  HTTPProtocol: Looks (vaguely) like HTTP
  TrickyProtocol: Negotiates port change after every message
  SpreadProtocol: Splits message on arbitrary byte boundaries, sends each chunk on a different port

Reprise: AN’s Major Technical Challenges
  Performance: no problem
    – In Java already!
    – Overlay network: IP not my problem
  Security
    – Key: change local, keep global protocol
    – Global network: domain-specific, therefore tractable.
    – Local to node: tractable, based on recent research

Agile Experiment: Conclusions
  AN techniques seem likely to improve the censor-resistance of such networks
  Feasible to implement in existing systems
  Lots still to do
    – Implement ratings, etc, etc
    – JanosVM + runtime, re-engineer base
    – Evaluate in the lab
    – Evaluate “in the wild”
  Lot of fun, lot of military relevance

FY 2001 Progress
  Java OS Work
  Moab / NodeOS API work
  Team 3 Demo
  ANTS EE
  Tangible Goods
  Failures, Achievements

Papers: FY 2001
  Back et al. Processes in KaffeOS: Isolation, Resource Management and Sharing in Java (OSDI 2000)
  Tullmann et al. Janos: A Java-oriented OS for Active Network Nodes (IEEE JSAC Mar 2001)
  Peterson et al. An OS Interface for Active Routers (IEEE JSAC Mar 2001)
  Ricci et al. Active Protocols for Agile Censor-Resistant Networks (HotOS 2001)

Software Releases: FY 2001
  11 separate releases
    – 2 OSKit versions
    – 2 Moab versions
    – 2 JanosVM versions
    – 1 ANTS2.0
    – 2 Java NodeOS versions
    – 1 ANTS CVS
    – 1 Java NodeOS CVS

Mistakes I
  Over-emphasis on strict hierarchy
    – Original nested process model
    – NodeOS mempools
  NodeOS/EE split
    – Makes a nearly impossible research challenge even harder
  Under-emphasis on applications

Mistakes II
  Too much energy on software artifacts
    – ==> Missed research opportunities
  ANTS?
    – Most aggressive AN model
    – Dated

Mistakes III
  A-Flow -> Flow -> Domain
  Failure to keep dm in ITO!

Achievements
  Four generations of Java OS’s
    – Culminated in generic JavaOS infrastructure
    – Java spec impact: JSR-121 “Isolate”, ...
  Low-level networking that leverages typesafety
    – Safe zero-copy
    – Unoptimized Java IP forwarding is 40% speed of C (JNodeOS v. Moab)

Questions?
  Where do I get Janos papers, software?
    – www.cs.utah.edu/flux/janos
  How do I use the network testbed?
    – www.emulab.net

END OF PRESENTATION

Architecture
  [Diagram labels, top to bottom: AA, AA, AA; ANTSR; EE; ANTSR; JanosVM; Moab; Hardware (Or Unix)]
  JanosVM: A JVM with resource management
  Moab: An OSKit-based NodeOS

Approach
  Re-fit existing AN infrastructure to multiprocess, resource-aware JVM
  Apply OS principles to Java language runtime
    – User/kernel boundary, processes, etc.
    – Construct a “multiprocess” JVM
  Build a NodeOS that exposes low-level network features

Team 3 Demo
  First full Janos prototype to run Java on the bare hardware
  Illuminated many performance issues in our prototype
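
The Protocol Object rating heuristic from the "Publishing-specific DoS Attacks" slide (node-local ratings from request success rates, seeded by a loopback test harness) could look like the following. This is an added example, not the prototype's code; the ProtocolObject interface, the identifiers and the (s+1)/(n+2) smoothing are assumptions.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
// Added example, not the prototype's code. ProtocolObject and all names are assumptions.
public class ProtocolRatings {
    /** Hypothetical shape of a peer-supplied protocol: frame and unframe one message. */
    interface ProtocolObject {
        byte[] encode(byte[] message) throws Exception;
        byte[] decode(byte[] wire) throws Exception;
    }

    private final Map<String, int[]> counts = new HashMap<>(); // id -> {successes, attempts}
    /** Record one request outcome. The table is node-local and never sent to peers. */
    public void record(String id, boolean success) {
        int[] c = counts.computeIfAbsent(id, k -> new int[2]);
        if (success) c[0]++;
        c[1]++;
    }
    /** Smoothed success rate (s+1)/(n+2), an assumed prior: unseen protocols rate 0.5. */
    public double rating(String id) {
        int[] c = counts.getOrDefault(id, new int[2]);
        return (c[0] + 1.0) / (c[1] + 2.0);
    }
    /** Loopback harness: round-trip constructed messages before any peer traffic. */
    public void loopback(String id, ProtocolObject p, byte[][] samples) {
        for (byte[] m : samples) {
            boolean ok;
            try { ok = Arrays.equals(m, p.decode(p.encode(m))); }
            catch (Exception | LinkageError e) { ok = false; } // anything thrown is a failure
            record(id, ok);
        }
    }
    public static void main(String[] args) {
        byte[][] samples = new byte[20][];        // constructed test messages, 0..133 bytes
        for (int i = 0; i < samples.length; i++) samples[i] = new byte[i * 7];
        ProtocolObject sound = new ProtocolObject() {
            public byte[] encode(byte[] m) { return m.clone(); }
            public byte[] decode(byte[] w) { return w.clone(); }
        };
        ProtocolObject lossy = new ProtocolObject() {  // silently truncates past 64 bytes
            public byte[] encode(byte[] m) { return Arrays.copyOf(m, Math.min(m.length, 64)); }
            public byte[] decode(byte[] w) { return w.clone(); }
        };
        ProtocolRatings r = new ProtocolRatings();
        r.loopback("sound", sound, samples);
        r.loopback("lossy", lossy, samples);
        System.out.printf("sound=%.2f lossy=%.2f%n", r.rating("sound"), r.rating("lossy"));
    }
}
```

Because intermittent failure is in scope, the rating has to keep absorbing live request outcomes through record() after the loopback pass, so a protocol that only misbehaves on real traffic still loses standing.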