Bees: A Secure, Resource-Controlled, Java-Based Execution Environment
Tim Stack, Eric Eide, Jay Lepreau
University of Utah
April 5, 2003

Slide 2: What is Bees?
- Mobile code system that is
  – Realistically deployable because it addresses the needs of node administrators
  – Realistically usable because it provides the rich interface needed by service authors
- We believe it may be the first such environment

Slide 3: Key Features
- Flexible security primitives
- Resource control
- Flexible protocol composition
- Flexible control of packet propagation
- Isolates interaction with end-user apps
Bees integrates them all

Slide 4: A Motivating Application
- Motherboard sensor monitor
  – Spreads over network
  – Reports to server
  – Shuts down faulty nodes
- Ideal for an active protocol
  – Flexible access to sensors
  – Not speed-critical
[Figure: nodes sending Health Reports]

Slide 5: ANTS: Implementation
- Capsule
  – Packet associated with a Java class through an MD5 hash
- Protocol
  – Collection of capsule classes
- Application
  – Includes copy of protocol
  – Source of all capsules

Slides 6-7: ANTS: Security
[Figure: Healthd on a node looks up Sensor.class and FileOutputStream.class; both: Not Found]
- No security infrastructure
  – Can't read sensors
  – Can't log to file

Slides 8-9: ANTS: Resource Control
- TTL controls resources
- TTL must be replenished
  – Server sends requests
- Problems
  – More network traffic
  – Topology not discovered
[Figure: Request Capsule and Report Capsule exchanged with a Node]

Slides 10-11: ANTS: Node Discovery
- Discover topology
  – Just send to neighbors
- Problems
  – Protocol containment
  – More TTL issues
  – Hard to reuse
[Figure: Capsules flooding from a Node past a Border Router to an External Node]

Slides 12-13: ANTS: Endpoint
- Node unhealthy
  – No shutdown permission
  – Tell application
- Version change
  – Capsule hash mismatch
  – Application must be updated manually
[Figure: Healthd on a Node (Temperature: 180°F, Fan Speed: 0 rpm) reports to the Shutter Downer application; the Healthd v2.0 capsule is dropped]

Slide 14: ANTS: Assessment
- Reality intervenes
- What is wrong?
- Wrong type of EE
- Richer EE needed

Slide 15: Lean vs. Rich
  Lean                                  Rich
  Little to no state                    Node-resident state
  Forwarding loop only                  Threads, timer events
  Specialized language                  General language
  Simple resource control/accounting    Complex resource control/accounting
  Example: SNAP/ANTS                    Example: Bees

Slide 16: Overview
- Bees
  – Security
  – Resource control
  – Protocol composition
  – Application interaction
  – Details of code migration
- Related work
- Conclusion

Slide 17: Security: Isolation
- Multi-process JVM
  – Isolates active code
  – Process holds state, privileges
- Process is the unit of resource control
- Auth Agent creates and terminates processes
[Figure: JanosVM hosting the Auth Agent, Healthd, and Protocol A as separate processes]

Slide 18: Security: Capabilities
- Capability-based security mechanism
- Examples
  – Files
  – Cryptographic keys
  – Neighbors
- Distributed by Auth Agent
[Figure: Auth Agent hands Healthd capabilities for two Sensors and a Log File]

Slide 19: Example: Node Discovery
- Border neighbor withheld
- Privileges needed to escape
[Figure: Capsules from a Node stop at the Border Router; External Node not reached]

Slide 20: Resource Control
- Janos infrastructure
  – CPU, network, and memory
- Process is the unit of control
- Termination reclaims resources
- Network controls
  – Bandwidth limits not enough
  – TTL too restrictive

Slide 21: Network Control
- Allow only solicited forwarding
- External stimuli
  – Timer, capsule receipt, application, …
- Fine-grained operations
  – Forward to neighbor
  – Return to source
  – Multicast to neighborhood
  – Transform to another capsule type

Slide 22: Capsule Operations
- Capsule operation counters
  – Protocol author defines initial values
  – Stimuli replenish values
  – Decremented on use
  – Operations disallowed when zero
- Initial values limited by Auth Agent

Slide 23: Example: Resource Control
- Report capsule
  – Replenished by timer
  – Sent
  – Further use stopped
- Forwarding is similar
  – Replenished by receive
[Figure: Report Capsule leaving a Node]

Slide 24: Protocol Composition
- No protocol is an island
  – Protocols depend on each other
- Protocol is the unit of composition
  – Primary paired with companions
- Protocols form a hierarchy
- System provided
  – Code downloader

Slide 25: Pathfinder
- Primitive routing protocol
- Routing scenarios:
  – Client to server
  – Server to all clients
  – Server response to client request
- Implementation
  – Spanning tree behavior
  – No addresses

Slide 26: Example: Node Discovery
- Periodic broadcast
  – Finds path to server
  – Spreads code
[Figure: Discovered Path from Client Node to Server Node]

Slide 27: Application Interaction
- Protocol Session provides the application interface
- Trust barrier
  – Only byte arrays are exchanged
- Abstracts raw protocol
  – Insulation from versioning issues
- Similar to standard socket interfaces

Slide 28: Example: Endpoint
- Node unhealthy
  – Tell application
- Other protocols can use the same interface
[Figure: Healthd on a Node (Temperature: 180°F, Fan Speed: 0 rpm) reports through the same interface to the Shutter Downer and a Cluster Scheduler]

Slides 29-35: Code Migration (built up one step per slide)
- Unknown capsule
- Map capsule to Healthd
- Download auth data
- Check auth data
- Create process
- Start download
- Finish download
[Figure: Auth and App (Healthd) processes; labels App ID, AD, DL ID]

Slide 36: Related Work
- Resource control
  – RCANE [Menage00], SNAP [Moore01]
- Security
  – SANE [Alexander98], SANTS [Murphy01]
- Protocol composition
  – CANES [Bhattacharjee99]

Slide 37: Bees v0.5.0
- 50,000+ lines of code
- 30-page manual
- Example application
- Available at: www.cs.utah.edu/flux/janos

Slide 38: Conclusion
- Rich environment
  – Support for node administrators
  – Support for protocol authors
- Key features
  – Security and resource control
  – Protocol composition
  – Isolates interaction with end-user apps
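The capsule operation counters of slides 21-23 (author-defined initial values capped by the Auth Agent, replenished only by a stimulus, decremented on use, refused at zero), as an added model written for this page rather than Bees code; the operation names, stimulus names, numeric limits and the reset-on-stimulus rule are constructed assumptions.

```python
# Added model of Bees-style capsule operation counters (slides 21-23); not Bees
# source code. Operation names, stimuli and limits are constructed assumptions.

OPERATIONS = ("forward", "return", "multicast", "transform")
STIMULI = ("timer", "receive", "application")


class OperationDenied(Exception):
    """Raised when a capsule attempts an operation whose counter is zero."""


class CapsuleBudget:
    def __init__(self, author_initial, auth_agent_limit):
        # Effective initial value = author's request capped by the Auth Agent.
        self.initial = {
            op: min(author_initial.get(op, 0), auth_agent_limit.get(op, 0))
            for op in OPERATIONS
        }
        # Nothing is allowed before a stimulus: only solicited forwarding.
        self.counters = {op: 0 for op in OPERATIONS}

    def stimulus(self, kind):
        # A timer tick, capsule receipt or application call restores the
        # counters to their initial values (assumed reset, not accumulate).
        if kind not in STIMULI:
            raise ValueError(f"unknown stimulus {kind!r}")
        self.counters = dict(self.initial)

    def use(self, op):
        # Decrement on use; refuse once exhausted.
        if self.counters.get(op, 0) <= 0:
            raise OperationDenied(f"{op} disallowed: counter is zero")
        self.counters[op] -= 1


def report_capsule_scenario():
    """Slide 23: the timer replenishes the report capsule, it is sent once,
    a second send is refused, and a received capsule replenishes forwarding.
    Returns (refused_second_send, forward_budget_after_receive)."""
    budget = CapsuleBudget(author_initial={"forward": 5, "return": 1},
                           auth_agent_limit={"forward": 1, "return": 1})
    budget.stimulus("timer")
    budget.use("forward")                  # periodic report goes out
    try:
        budget.use("forward")              # further use stopped
        refused = False
    except OperationDenied:
        refused = True
    budget.stimulus("receive")             # receipt replenishes forwarding
    return refused, budget.counters["forward"]
```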