one.world — System Support for Pervasive Applications

Download Report

Transcript one.world — System Support for Pervasive Applications

Active Everything
Robert Grimm
New York University
Your Project Statistics at Work:
Programmer Effort
 Minimum
2.8 hours
 Average
9.6 hours
 Maximum
23.7 hours
Effort/person/week
25.0
Hours
20.0
15.0
10.0
5.0
0.0
1
2
3
4
5
6
7
8
9
10
11
12
13
Remember Your
Presentation/Demo?
 About 20 minutes per group
 A short presentation with at least 3 slides
 Application: What does it do?
 Implementation: How does it work?
 Lessons learned: What did you get out of it?
 The demo
 This machine, your group’s machine, home machines…
 Prepare a web page with the presentation and JAR file
 Your code
 Email me your slides & source code before class
Active Everything
Active Everything
 The problem with Internet protocols and services
 Based on exchange of state/data
 Hard to deploy state-processing functionality
 Ensure incremental deployment and localized benefits
 Have access to servers, middle-of-the network nodes
 What if instead of exchanging data, we could
easily distribute data and computations?
 Provide better web caching
 Including personalized content, access statistics, ads
 Make multicast a reality
 Make better performance trade-offs
 Example: Whether to compress images at server or proxy
Active Everything (cont.)
 Well, by using mobile code, we can distribute
computations
 Key idea: provide a safe execution platform across devices
 Modern virtual machines: TeleScript, Java, Microsoft’s CLR
 But, what about protection and resource management?
 Let’s look at three active examples
 Active Cache
 Active Names
 Active Networks
Active Cache
 Basic idea: Run code in web cache
 Validate cached document
 Create new document
 Require server to be contacted
 A new header: CacheApplet
 Identifies code associated with document
 The contract




Cache invokes cache applet on cache hits
Applet failures always result in contacting the server
Proxy adheres to result of cache applet
Cache applet log returned to server
Active Cache API
 fromCache
 Main method takes request, IP address and name of
client, file descriptors for cached file and new file
 is_in_cache, open, close, create, read, write, lseek,
send_request_to_server, lock, unlock
 Provide file-based I/O
 Access other server objects
 Create temporary log objects
 curtime
 Shockingly, returns the current time
Active Cache Security
 Proctection
 Java’s type safety ensures interfaces are observed
 ActiveProxy provides limited API (see previous slide)
 java.io, threads, processes are off-limits
 Applets can only access resources associated with same
server
 Resource management
 ActiveProxy tracks storage size, disk and network
bandwidth
 JVM spawning process tracks CPU usage and virtual
memory size
Active Names
 Basic idea: Combine name resolution w/service access
 Namespace programs
 Resolve hierarchical names
and route/process data
 Are location-independent
 Run on resolvers
 After methods serve as continuations (remember them?)
 Final namespace program invokes first after method
(which typically routes result back to original requestor)
 API based on a single method
 Name, reference to data stream, list of after methods
Active Names Security
 Protection
 Builds on Java 2 security (we’ll return to this later on)
 Provides additional hooks for namespace programs
 Certificate to identify caller
 Resource management
 None implemented!
Active Networks
The ANTS System
 Capsule-based
 Extended IP packet that contains not only data,
but also code
 Processed at active nodes
 Regular IP-based routing at regular routers
 Code included by reference
 Cached at active nodes
 Fetched on demand
from previous node
 Lost code messages or
unavailable code results
in dropped capsules
ANTS API
 Node environment
 getAddress, getChannel, findExtension, time
 Soft-store
 put, get, remove
 Routing and logging
 routeForNode, deliverToApp, log
 Again, as for Active Cache, a minimal API
 Just enough to build interesting applications
ANTS Security
 Protection
 Type safety to protect against runtime corruption
 Code fingerprinting to protect against capsule code
corruption or spoofing
 Hierarchical capsule typing to limit sharing
 Resource management
 Simple accounting to limit node resources
 No protection against end systems injecting a large
number of capsules into the network
 External inspection to limit intra-network resource
consumption
Pulling Back:
Java as a Mobile Code Platform
Java as a Mobile Code Platform
 The great big hype: Write once, run everywhere
 A relatively elegant programming language
 A single, safe execution platform
 The Java virtual machine (JVM)
 A large set of standardized platform libraries
 The reality: Well, uh, hmm




Protection
Resource management
Debug everywhere
Different operating systems, different classes of devices
Protection
 Code signed, thus associated with principals
 Policy expresses corresponding permissions
 Access checks request permissions
 JVM walks current call stack and checks that every
unit of code on stack has requested permissions
 Check succeeds if all units of code have permissions
 Privileged code can limit depth of stack walk
 But, platform library designers decide where to check
 E.g., file open, but not file read or write
Resource Management
 Java’s resource management: None!
 Though, we would like to control




CPU utilization
Memory utilization
Storage capacity, bandwidth
Networking bandwidth
Can We Do Better?
 One approach: Add new APIs to Java/JVM
 Create your own JVM
 Good enough for research prototypes (Utah’s KaffeOS)
 But limited impact
 Change the JVM specification
 A long and arduous process (Java Community Process)
 Example: Generics will become part of Java in JDK 1.5
after at least five years!
A More Compatible,
More Immediate Alternative
 Customize the runtime environment
 The enabling hook: Class loaders
 Load all code
 Arranged in hierarchy
 If child does not know how to load a class,
it defers to parent
 Effectively create different namespaces
 The same class loaded by two class loaders is not the same!
What Can We Do in Class Loaders?
 Make code inaccessible
 Refuse to load platform classes, e.g. java.lang
 Replace code
 Wrap platform classes with more limiting versions
 E.g., collect networking statistics in modified socket class and
enforce per-application limits
 Rewrite code
 Modify code to “do the right thing”
 E.g., increment memory counter on every object allocation and
decrement memory counter on object deallocation
Debug Everywhere
A Case Study
 Based on one.world and Sun’s JDK 1.3.1
 Running on Windows 2000 and Linux
 Task: Stop reading from socket and then close it
 Thread blocked in read() method
 The obvious alternatives
 Just close socket in another thread
 read() throws exception on Linux but socket is not closed
 Use periodic timeouts and check termination flag
 Windows injects spurious bytes into read-in data
(which really confuse Java’s serialization)
 We exhausted the socket API. What to do?
Debug Everywhere
A Case Study (cont.)
 Poison values to the rescue!




Select a special object as a close-socket marker
Write special object to socket
Other machine sends object back and closes socket
Sender receives object and closes socket
 What are the limitations of this scheme?
Different Operating Systems
 Consider the user interface
 Java’s Swing provides different look-and-feels
 Java native, Windows, Mac OS, Motif
 But the devil is in the detail: Windows vs. Mac OS
 Menu bar location
 Per-window vs. top of screen
 Default menus and menu items
 Exit in file menu vs. quit in application menu
 Keyboard equivalents
 None for exit vs. command-q for quit
Different Classes of Devices
 Differences don’t stop at user interface
 Consider PDAs, cell phones, smart cards
 Differ in CPU speed, memory capacity,
networking capabilities, battery life, …
 Current state of the art
 Specialized JVM editions, based on device profiles
 Dedicated platform libraries, including user interface
 Not Swing, not AWT
Is Mobile Code the Right
Approach?