AMP Project Status
Stephen Schwab
TIS Labs at Network Associates
March 31, 1999
AMP Project (outline)
– AMP Overview
– Exokernel Techniques
– AMP Security Architecture
– Work Status
AMP Node OS Project Goals
– Provide separation and controlled sharing between EEs and flows on each Active Network node
– Support multiple EEs
– Constrain the execution of Active Code so that it can access only those entities for which it has authorization
– Utilize techniques developed throughout the AN community for safely and securely importing Active Code
– Implement security mechanisms without compromising performance
Active Networks Framework
[Diagram, from Calvert, 1998: Execution Environments (EE1, EE2, IPv6, MGMT EE) sit above the Node OS; the Node OS layer is labelled STORAGE, CHANNELS, POLICY DATABASE and SECURITY ENFORCEMENT ENGINE.]
AMP Node OS Implementation
– Exploit new features of a radically different OS architecture: the MIT Exokernel
– Exokernels separate concerns:
  – control of resources: kernel
  – management: library OS
– The library OS is located in the address space of each application (in AMP, each EE)
AMP System Architecture
[Diagram. Labels: xok, userspace, CAPS, SCHEDULER QUEUE, PACKET FILTER, PAGE TABLES, TRANSMISSION QUEUE, EE, SWT, POLICY DATABASE, FLOWS/CAPS, FLOWS.]
Exokernels
– Key concept: expose information
  – Expose allocation decisions
  – Expose low-level names
  – Expose revocation
– By allowing applications to manage resources directly, exokernels eliminate the costs that come from the mismatch between an application's specific requirements and a general-purpose implementation
Xok/LibExos Architecture
[Diagram. xok (kernel): CAPS, SCHEDULER QUEUE, PACKET FILTER, PAGE TABLES. Userspace: an environment containing libExos, the app and Shared State.]
Xok Features: Hierarchical Capabilities
– Uniform resource protection mechanism
– Each Xok environment has a ring of capabilities associated with it
– Capabilities are extensible, tamper-proof, and explicitly passed on syscalls
– Capabilities are hierarchically named: C1 dominates C2 when C1's name is a prefix of C2's (in the diagram, C1 = 125 dominates C2 = 1251)
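As an added example (not code from the AMP project or from Xok itself), the following C model shows the two properties the slide relies on: the prefix rule for dominance, and explicit passing, where a syscall names the capability by its slot in the caller's ring rather than letting the kernel search the ring. The rights encoding, the error codes, and the sample environment and ACL are assumptions made for this example.

```c
/* Hierarchical capabilities in the style of Xok, as a stand-alone model.
 * A capability is a short digit string; C1 dominates C2 when C1's name is
 * a prefix of C2's (125 dominates 1251, as on the slide).  Each environment
 * holds a ring of capabilities and names the one it wants to use by index
 * on every call.  Objects carry an ACL of (capability, rights) entries.
 * Rights encoding, error codes and the sample data are constructed here;
 * they are not Xok's real data structures. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define CAP_MAXLEN  16
#define ENV_MAXCAPS 4
#define ACL_MAXENT  4

enum { R_READ = 1u, R_WRITE = 2u };              /* assumed rights encoding */
enum { E_OK = 0, E_BADCAP = -1, E_ACCESS = -2 }; /* assumed return codes   */

typedef struct { char name[CAP_MAXLEN]; } cap_t;
typedef struct { cap_t caps[ENV_MAXCAPS]; unsigned ncaps; } env_t;
typedef struct { cap_t cap; unsigned rights; } acl_ent_t;
typedef struct { acl_ent_t ent[ACL_MAXENT]; unsigned nent; } acl_t;

/* C1 dominates C2 iff C1's name is a prefix of C2's (the empty name is root). */
bool cap_dominates(const cap_t *c1, const cap_t *c2)
{
    size_t l1 = strlen(c1->name), l2 = strlen(c2->name);
    return l1 <= l2 && memcmp(c1->name, c2->name, l1) == 0;
}

/* String wrapper for quick experiments. */
bool cap_dominates_str(const char *c1, const char *c2)
{
    cap_t a, b;
    snprintf(a.name, sizeof a.name, "%s", c1);
    snprintf(b.name, sizeof b.name, "%s", c2);
    return cap_dominates(&a, &b);
}

/* Access check as a syscall would perform it: k selects a capability from
 * the calling environment's ring (explicit passing); access is granted only
 * if that capability dominates an ACL entry carrying every requested right.
 * A bad slot index is an error distinct from a denial. */
int access_check(const env_t *env, unsigned k, const acl_t *acl, unsigned rights)
{
    if (k >= env->ncaps)
        return E_BADCAP;
    const cap_t *c = &env->caps[k];
    for (unsigned i = 0; i < acl->nent; i++) {
        if (cap_dominates(c, &acl->ent[i].cap) &&
            (acl->ent[i].rights & rights) == rights)
            return E_OK;
    }
    return E_ACCESS;
}

/* Constructed sample: an environment holding 125 (ring slot 0) and 17
 * (slot 1), and a resource whose ACL grants read+write to 1251 and
 * read-only to 17. */
static const env_t sample_env = {
    .caps = { { "125" }, { "17" } }, .ncaps = 2
};
static const acl_t sample_acl = {
    .ent = { { { "1251" }, R_READ | R_WRITE }, { { "17" }, R_READ } }, .nent = 2
};

int sample_check(unsigned k, unsigned rights)
{
    return access_check(&sample_env, k, &sample_acl, rights);
}

int main(void)
{
    printf("slot 0 (125) write: %d\n", sample_check(0, R_WRITE)); /* 0: 125 dominates 1251   */
    printf("slot 1 (17) write:  %d\n", sample_check(1, R_WRITE)); /* -2: 17 is read-only      */
    printf("slot 1 (17) read:   %d\n", sample_check(1, R_READ));  /* 0                        */
    printf("slot 5 (none):      %d\n", sample_check(5, R_READ));  /* -1: no such ring slot    */
    return 0;
}
```

The point to notice is the direction of the check: the caller's capability must dominate the ACL entry, so holding a shorter (higher) name confers every right granted to names beneath it, which is what lets a top-level flow act on behalf of its subflows later in the deck.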
Restricted Languages
– Dynamic Packet Filter (DPF): allows environments to download filter functions that are compiled into native code and make the packet delivery decision
– Wakeup predicates: restricted expressions that allow an environment to sleep until a condition holds
– Untrusted deterministic functions
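The security property behind all three items is that the kernel executes code supplied by an untrusted environment only because the language is too weak to do harm. As an added example (not Xok's own predicate format, and not AMP code), the C model below implements a wakeup predicate in that spirit: a fixed maximum number of terms, no loops, and every memory reference bounds-checked and word-aligned at install time and re-checked at evaluation. The term encoding, the limits, the error codes and the sample shared region are assumptions made for this example.

```c
/* A wakeup predicate as a restricted language: the kernel evaluates a
 * condition over an environment's memory so the environment can sleep until
 * it holds.  Safe to run on the caller's behalf because it is bounded,
 * deterministic and side-effect free.  Encoding, limits and sample data are
 * constructed for this example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WK_MAXTERMS 4          /* assumed limit: bounds the evaluation cost */

typedef enum { WK_EQ, WK_NE, WK_LT, WK_GT } wk_op;

typedef struct { uint32_t off, mask, val; wk_op op; } wk_term; /* ((word@off)&mask) op val */
typedef struct { wk_term t[WK_MAXTERMS]; unsigned nterms; bool any; } wk_pred; /* any: OR, else AND */

enum { WK_OK = 0, WK_E_TOOMANY = -1, WK_E_RANGE = -2, WK_E_ALIGN = -3, WK_E_OP = -4 };

/* Install-time validation: refuse anything the evaluator could not run safely. */
int wk_install(wk_pred *p, const wk_term *terms, unsigned n, bool any, uint32_t region_len)
{
    if (n == 0 || n > WK_MAXTERMS)
        return WK_E_TOOMANY;
    for (unsigned i = 0; i < n; i++) {
        if (terms[i].off % 4 != 0)
            return WK_E_ALIGN;
        if (terms[i].off > region_len || region_len - terms[i].off < 4)
            return WK_E_RANGE;
        if (terms[i].op > WK_GT)
            return WK_E_OP;
    }
    memcpy(p->t, terms, n * sizeof *terms);
    p->nterms = n;
    p->any = any;
    return WK_OK;
}

/* Evaluation: at most WK_MAXTERMS word reads, no writes.  The length is
 * re-checked so a region that shrank after install cannot be overread. */
bool wk_eval(const wk_pred *p, const uint8_t *region, uint32_t region_len)
{
    for (unsigned i = 0; i < p->nterms; i++) {
        const wk_term *t = &p->t[i];
        if (t->off > region_len || region_len - t->off < 4)
            return false;
        uint32_t w;
        memcpy(&w, region + t->off, 4);
        w &= t->mask;
        bool hit;
        switch (t->op) {
        case WK_EQ: hit = (w == t->val); break;
        case WK_NE: hit = (w != t->val); break;
        case WK_LT: hit = (w <  t->val); break;
        default:    hit = (w >  t->val); break;
        }
        if (p->any && hit)   return true;   /* OR: first hit wins   */
        if (!p->any && !hit) return false;  /* AND: first miss loses */
    }
    return !p->any;
}

/* Constructed sample: a 16-byte shared region; word 0 is a queue depth,
 * word 1 holds flags (bit 0 = shutdown).  Wake when the queue is non-empty
 * OR shutdown is requested. */
static uint8_t g_region[16];
static wk_pred g_pred;

int sample_install(void)
{
    wk_term terms[2] = { { 0, 0xffffffffu, 0, WK_NE }, { 4, 0x1u, 1, WK_EQ } };
    return wk_install(&g_pred, terms, 2, true, sizeof g_region);
}

void sample_poke(uint32_t off, uint32_t val)    /* write one word into the region */
{
    memcpy(g_region + off, &val, 4);
}

bool sample_wakeup(void)
{
    return wk_eval(&g_pred, g_region, sizeof g_region);
}

/* Predicates the validator must refuse: 0 = past the region, 1 = unaligned,
 * anything else = too many terms. */
int sample_install_bad(int which)
{
    wk_pred scratch;
    wk_term terms[WK_MAXTERMS + 1];
    memset(terms, 0, sizeof terms);
    if (which == 0) { terms[0].off = 16; return wk_install(&scratch, terms, 1, false, sizeof g_region); }
    if (which == 1) { terms[0].off = 2;  return wk_install(&scratch, terms, 1, false, sizeof g_region); }
    return wk_install(&scratch, terms, WK_MAXTERMS + 1, false, sizeof g_region);
}

int main(void)
{
    sample_install();
    printf("idle: %d\n", sample_wakeup());             /* 0 */
    sample_poke(0, 3);
    printf("queue non-empty: %d\n", sample_wakeup());  /* 1 */
    return 0;
}
```

A DPF filter is the same idea applied to packet headers rather than to the environment's memory: the downloaded program can only compare bounded, validated offsets and yield a delivery decision, which is what makes compiling it to native code inside the kernel acceptable.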
AMP Security Architecture
[Diagram. Components: Kernel Resources; Flow Capabilities; Access Decision Objects; Resource Access Control Tables; the Security Writer (SWT) with its Manager and Validator; and a Flow / Thread of Execution. Arrows are numbered 1 to 7 and are explained on the "Use of Xok Techniques in Diagram" slide. Packets arrive and the SWT is invoked before code is executed in a flow of control.]
Security Architecture
– Process credentials during flow creation
  – within the SWT (Node OS Interface)
  – create and manage capabilities
  – maintain a cache of previous security decisions
– Provide an interface to coordinate with EEs
  – EE-specific policy and enforcement
– Control primitive resource types:
  – CPU scheduling, memory, channels
Use of Existing Xok Techniques
– Hierarchical capability mechanism as the basic hook for access control techniques
– Environment mechanism as the foundation for implementing EEs and flows
– Kernel modules for the mappings between flows, capabilities, resources, resource groups and ACLs
Use of Xok Techniques in Diagram
1. Dataflow of packets to the SWT
2. SWT has broad powers of access/update to:
   3. Flow/Capability mapping
   4. Resource/Group/ACL mapping
   5. ACL as Capability/Resource mapping
6. Dispatch packet to the proper flow
7. Flow accesses resources after an access check using its capability, the mappings, and the ACL
What is New in Diagram
– SWT: the validator caches credentials and capabilities previously computed by the manager using policy and the semantics of the credentials
– Access Decision Object
  – New implementation of ACL
  – Requires a clean interface to the ACL module
  – May require extension of the interface
What is Orthogonal to Xok
– Efficient implementation of the access decision object
– Efficient interplay between the validator and manager components of the SWT
– Clever taxonomy of resources
– New cryptographic mechanisms for dynamic symmetric-cipher credentials in a PKI
Control Facilities
– Demultiplexing Control Facility
– Scheduling Control Facility
– Transmission Control Facility
– Shared Memory Abstraction
  – namespace control facility
Demultiplexing Control Facility
[Diagram, built up over three slides: an incoming ANEP packet is demultiplexed to the ANTS1 EE and then to Flow 47; the packet is labelled "ACK, FlowID = X".]
SWT Capabilities
[Diagram, built up over four slides. Filter Table entries: ANEP/IP, ANEP/UDP/IP, ANTS1/ANEP, ... The SWT validates in turn ANEP, ANTS and ANEP.ANTS.FLOW. INIT(ANTS) with EE = ANTS produces an EE Filter Capability and the Top-Level flow for the ANTS EE (capability TL). Subflows A and B are then created under the Top-Level flow, and A1 and A2 under A; the capability tree mirrors the flow tree: TL above A and B, A above A1 and A2.]
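Two things in this diagram deserve to be seen in code: packets reach a flow only through a filter-table match, and a subflow's capability is derived from its parent's so that the top-level flow dominates every flow beneath it while sibling flows cannot touch each other's resources. The C model below is an added example of that design, not the project's own SWT code; the stack and EE identifiers, the digit-extension naming scheme for capabilities, the flow-id 47 binding and the sample flow tree (TL, A, B, A1, A2) are assumptions made for the example.

```c
/* Demultiplexing path of the SWT as a stand-alone model: a filter table maps
 * (protocol stack, EE, flow id) to a flow; flows form a tree rooted at the
 * EE's top-level flow, and each child's capability name extends its parent's
 * by one digit, which is exactly what makes the parent dominate the child.
 * Identifiers, naming scheme and sample flows are constructed here. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define CAP_MAXLEN  16
#define MAX_FLOWS   8
#define MAX_FILTERS 8

enum stack { STK_ANEP_IP, STK_ANEP_UDP_IP };   /* entries from the slide's filter table */
enum { EE_ANTS = 1 };                           /* assumed EE identifier */

typedef struct { char name[CAP_MAXLEN]; int parent; unsigned nchildren; bool live; } flow_t;
typedef struct { enum stack stk; unsigned ee; unsigned flow_id; int flow; } filter_t;

static flow_t   flows[MAX_FLOWS];
static unsigned nflows;
static filter_t filters[MAX_FILTERS];
static unsigned nfilters;

/* c1 dominates c2 iff c1 is a prefix of c2. */
bool cap_dominates(const char *c1, const char *c2)
{
    size_t l1 = strlen(c1);
    return l1 <= strlen(c2) && memcmp(c1, c2, l1) == 0;
}

/* Flow creation.  A top-level flow (parent < 0) gets a fresh one-digit name;
 * a subflow gets its parent's name plus one digit.  Ten children per flow at
 * most, because a two-digit suffix would break prefix uniqueness. */
int flow_create(int parent)
{
    if (nflows >= MAX_FLOWS) return -1;
    char name[CAP_MAXLEN];
    if (parent < 0) {
        snprintf(name, sizeof name, "%u", nflows + 1);
    } else {
        if ((unsigned)parent >= nflows || !flows[parent].live || flows[parent].nchildren >= 10)
            return -1;
        if (strlen(flows[parent].name) + 1 >= sizeof name) return -1;
        snprintf(name, sizeof name, "%s%u", flows[parent].name, flows[parent].nchildren++);
    }
    flow_t *f = &flows[nflows];
    snprintf(f->name, sizeof f->name, "%s", name);
    f->parent = parent; f->nchildren = 0; f->live = true;
    return (int)nflows++;
}

int filter_add(enum stack stk, unsigned ee, unsigned flow_id, int flow)
{
    if (nfilters >= MAX_FILTERS || flow < 0 || (unsigned)flow >= nflows) return -1;
    filters[nfilters++] = (filter_t){ stk, ee, flow_id, flow };
    return 0;
}

/* SWT dispatch: a packet reaches a flow only through a matching filter;
 * anything unmatched is dropped rather than handed to a default flow. */
int swt_dispatch(enum stack stk, unsigned ee, unsigned flow_id)
{
    for (unsigned i = 0; i < nfilters; i++)
        if (filters[i].stk == stk && filters[i].ee == ee && filters[i].flow_id == flow_id)
            return filters[i].flow;
    return -1;
}

/* Resource access: the flow's capability must dominate the capability named
 * in the resource's ACL entry. */
bool flow_may_access(int flow, const char *resource_cap)
{
    if (flow < 0 || (unsigned)flow >= nflows || !flows[flow].live) return false;
    return cap_dominates(flows[flow].name, resource_cap);
}

const char *flow_cap(int flow)
{
    return (flow >= 0 && (unsigned)flow < nflows) ? flows[flow].name : "";
}

/* Constructed sample mirroring the slide: TL for ANTS, subflows A and B, and
 * A1, A2 under A; one ANEP/UDP/IP filter binding flow id 47 to A. */
int g_tl, g_a, g_b, g_a1, g_a2;

int sample_setup(void)
{
    nflows = nfilters = 0;
    g_tl = flow_create(-1);
    g_a  = flow_create(g_tl);
    g_b  = flow_create(g_tl);
    g_a1 = flow_create(g_a);
    g_a2 = flow_create(g_a);
    if (g_a2 < 0) return -1;
    return filter_add(STK_ANEP_UDP_IP, EE_ANTS, 47, g_a);
}

int main(void)
{
    sample_setup();
    printf("TL=%s A=%s B=%s A1=%s A2=%s\n", flow_cap(g_tl), flow_cap(g_a),
           flow_cap(g_b), flow_cap(g_a1), flow_cap(g_a2));          /* 1 10 11 100 101 */
    printf("ANEP/UDP/IP flow 47 -> flow %d (A)\n", swt_dispatch(STK_ANEP_UDP_IP, EE_ANTS, 47));
    printf("B may touch A1's resource: %d\n", flow_may_access(g_b, flow_cap(g_a1))); /* 0 */
    return 0;
}
```

With this naming, TL (1) and A (10) can both act on a resource owned by A1 (100), B (11) and A2 (101) cannot, and a packet arriving over ANEP/IP, or with an unbound flow id, is dropped instead of being delivered to any flow.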
Scheduling Control Facility
– Xok implements a round-robin queue of scheduled quanta
– The SWT can restructure or reassign quanta in the queue as needed to provide guarantees
– Environments are the scheduled entities
– Well-behaved environments can clean up and gracefully yield the CPU
Scheduling in Xok
[Diagram: a scheduler queue of quantums. Environment attributes: runnable flag, wakeup predicate, timer ticks, in-revocation flag, capability list.]
1. New quantum selected
2. Prologue executed within the environment
3. Epilogue executed at end of quantum slice
4. Executing thread: yield to a thread or environment, or sleep until an event occurs
Transmission Control Facility
– The original Xok implementation does not guard the transmit syscall
– Need to control:
  – bandwidth allocation
  – requested latency bounds
– Strategy: migrate buffers from transmitting flows to the control facility
Shared Memory Abstraction
– Need to implement some sort of namespace above the virtual memory/page table level
– Provide for storage of information that should be sharable between EEs
– Options:
  – Linda-style tuple space
  – In-memory file system
  – Fully functional persistent file system
Work Completed
– Exokernel Security Overview Report
– PAN port to Exokernel
  – EE developed at M.I.T. to explore the limits of AN performance
  – Written in C; defers security issues
  – Similar in structure to ANTS
– Node OS Interface WG
  – First draft
Work-in-progress
– AMP Security Architecture Report
  – Draft version identifying security requirements
– PLAN/OCAML port to exokernel
  – Needed to support FBAR
– ANTS/KAFFE port to exokernel
  – Prelude to supporting the TIS Labs SANP variant, which requires JDK 1.2 security functions
– Performance measurements
Work-in-progress (continued)
– DPF Control Facility
– Scheduler/Context Switching Experiments
– ABONE/ANETD startup activities
  – preliminary to AMP nodes on the ABONE
– Security Interoperability
  – credential formats, authorization granularity, policy specification, EE/Node OS trust boundary
Upcoming Work
– AMP System Design Report
  – Need to finalize the security requirements and interactions before addressing implementation
– SWT and Control Facility Implementation
  – Node OS Abstractions and Interface
  – Secure flow creation (authorizations translated into granted capabilities protecting local resources)
Upcoming Work 2
– FBAR Team 6 Demo
  – Standing up FBAR on two distinct EEs
  – Definition of policy describing when and by whom separate FBAR instances or users may share state produced by Active Code
  – Translation of policy into mediation and enforcement by the AMP architecture
Exokernel Research
www.pdos.lcs.mit.edu
Node OS Flow Hierarchy
[Diagram, from Peterson, 1998: the NodeOS hosts Flow1, Flow2, Flow3, Flow4 ... FlowN, each with InChan/OutChan channels, drawing on a MEMORY POOL and a THREAD POOL.]
ANEP Channels
– Abstraction for network resources
  – Generalizes the network I/O device to include: the protocol stack (ANEP/UDP/IP/ETH), the demultiplexing binding (addresses/ports/flow), and other attributes (transmission limits, QoS)
  – Anchored channels for input and output
  – Cut-through channels for fast processing of non-active packets
[Diagram: two network interfaces with IP and UDP layers above them.]
Node OS Channels
[Diagram: an EE above the NodeOS in userspace, connected to the NETWORK through an InChannel, an OutChannel and a CutChannel.]