[ Up ] [ Proposal ] [ Current Status ] [ Previous Status ]

Scalable, Secure Computing Environments Status Report - Q2 1999

Ensemble Project - Ken Birman, et al

The Ensemble project provides communication support for secure and reliable multicast, tools for programming with process groups, and an embedding of the same into object oriented environments and systems. As part of this project, we have recently focused on a highly scalable group key management protocol based on an algorithm by Wong, Gouda and Lam for “Secure Group Communications using Key Graphs”.  Graduate student Ohad Rodeh’s work, undertaken under Ken Birman’s supervision jointly with Professor Danny Dolev in Israel (Hebrew University) is similar in spirit, using a group architecture and a key graph, but extends the original methods to be fully decentralized and fault-tolerant. Rodeh’s version of the algorithm also handles group partitioning and remerging after a partitioning event. Surprisingly, these additional properties have a small (potentially negligible) impact on the performance of the basic algorithm, and the solution retains the scalability properties that made the original paper so interesting. Ohad has also demonstrated this technology through various applications, which use the resulting security keys.  For example, he built a dynamic virtually private network which looks like a conventional IP network, but uses dynamically refreshed keys to encrypt or sign all messages, discarding messages from intruders.  The DVPN technology was compatible with Unix and NT and had roughly the same performance impact as does a tunneling IP implementation.  We view the DVPN as a demo; the underlying key management algorithm (which is useful in many kinds of applications) is the point of this work.

Papers

Takako M. Hickey, and Robbert van Renesse. June 1999. PEX: A partitionable execution service for a network of heterogeneous processors, In Proc. of the 29th International Symposium on Fault-Tolerant Computing, Madison, Wisconsin.

Jason Hickey, Nancy Lynch, and Robbert van Renesse. March 1999. Specifications and proofs for Ensemble layers. In R. Cleaveland, ed., 5th International Conference on Tools and Algorithms for the Construction and Analysis of Systems, LNCS 1579, pp. 119-133, Springer Verlag.

Mobile Agents - Greg Morrisett

We have continued our development of a type system for the 32-bit subset of the Intel IA32 (x86) architecture. Our Typed Assembly Language (TAL) is expressive enough that it can encode high-level source abstractions, such as private fields in objects, yet allows programmers or compilers to generate highly-optimized code. In our mobile agent system, agents can be compiled from a high-level source language to TAL. The TAL code can be shipped to a host, which can then verify that the assembly language is type correct (i.e., respects the host's interfaces.) We have constructed a prototype compiler for a type-safe variant of C that automatically produces TAL and are working on optimizations and applications for the system.

For more technical information about TAL, please visit the TAL web pages.

Papers

Neal Glew and Greg Morrisett. Type-Safe Linking and Modular Assembly Language Twenty-Sixth Symposium on Principles of Programming Languages (POPL '99), pages 250-261, San Antonio, January 1999.

Karl Crary, David Walker, and Greg Morrisett. Typed Memory Management in a Calculus of Capabilities. Twenty-Sixth Symposium on Principles of Programming Languages (POPL '99), pages 262-275, San Antonio, January 1999.

Karl Crary, Stephanie Weirich, and Greg Morrisett. Intensional Polymorphism in Type-Erasure Semantics. 1998 International Conference on Functional Programming, pages 301-312, Baltimore, September 1998.

J-Server - An Extensible web & telephony server built on language-based protection - Thorsten von Eicken, Chris Hawblitzel, Chi-Chao Chang, Grzegorz Czajkowski

The J-Server is an integrated web and telephony server that allows untrusted Java servlets to be dynamically uploaded to extend the server's functionality. The J-Server is built around the J-Kernel, which provides for protection and communication between J-Server servlets, and ensures that servlets can be cleanly terminated. A resource monitor called JRes is used to account for servlet resource usage. Two sample applications show that the overhead of J-Kernel task boundary crossings is small compared to the applications' overall running time. Experience developing applications for the J-Server demonstrates the benefits of extensible systems based on safe language protection, and the flexibility of the servlet model.

The J-Server core manages a hierarchical namespace of resources where each resource can correspond either to a URL or to a telephone number. Users of the system can upload programs (called servlets) to the J-Server and attach each servlet to one or more resources. The servlets can then handle all HTTP requests and phone calls that are sent to the resources. Furthermore, servlets may communicate with one another, so that one servlet may provide a service to another servlet. For example, a servlet that uses speech recognition to determine the nature of a call might need to dispatch the call to another servlet once it is clear who the call is for.

Accounting for resources is necessary for billing users/organizations and for diagnostics purposes. Failing to provide means of constraining resources available to extensions leads to problems with malicious extensions that monopolize use of particular resources. Guaranteeing resource availability enables time-critical services. Despite the need for providing resource management facility, general-purpose safe languages fail to address this issue. This is rather surprising in view of the fact that runtime environments of safe languages such as Java aspire to provide operating-system environments. The lack of resource management prevents a safe language runtime environment from subsuming the role of a traditional operating system.

We have addressed this problem by designing and implementing JRes - a Java interface for accounting for heap memory, CPU time, and the number of bytes sent and received over the network on a per thread and per task basis. JRes provides mechanisms to set limits on the resources available to particular threads and tasks and to associate overuse callbacks that are invoked whenever any such resource limit is exceeded. Although the interface is simple, it is flexible enough to support a variety of resource consumption enforcement policies. For instance, a policy which ensures that no thread gets more than 100 milliseconds of CPU time out of every second is easily expressible. Similarly, a few lines of code suffice to create a policy in which no task can send more than 2MB of data, or a policy in which the combined size of all live objects allocated by a task does not exceed 1MB.

Over the past year, we have been using the J-Server to manage a number of phone lines in our research lab. To quantify its performance characteristics, we ran two experiments to measure specifically the costs of cross-task calls and the frequency of such calls in a non-trivial application. The first test, Half-Duplex Conversation, mimics a 40 second phone conversation between two people, each of whom is simulated by a servlet. The call initiator "speaks" for two seconds, then "listens" for two seconds, then "speaks" again, while the receiver is doing the opposite. The second test, VoiceBox Listing, measures the performance of checking for voicemail. We found that below 1% of the total consumed CPU time was spent in cross-task communication overhead, and the cost of copying data from one task to another accounts for 27-31% of an average cross-task call.

Last modified on: 10/07/99