janos-pimteam3-990330
Download
Report
Transcript janos-pimteam3-990330
Janos
A Java-oriented Active Network
Operating System
Jay Lepreau, Patrick Tullmann, Kristin Wright
Wilson Hsieh, Godmar Back, many more...
University of Utah
Flux Research Group
www.cs.utah.edu/flux/
March 30, 1999
Department of Computer Science
Janos Project
Goals
Develop a principled yet efficient local OS architecture
for active nodes, oriented to hierarchical structure,
resource control, and security.
Produce separately useful OS, security, and Java VM
components.
Department of Computer Science
Janos Project
Goals 2
Investigate local resource management and security in
language-based systems
– Java, in particular
Investigate OS support for active networking
Investigate broader resource management issues
Department of Computer Science
Janos Project
Resources (obvious)
Memory
CPU
Network bandwidth
Department of Computer Science
Janos Project
Resources (less obvious)
Backing/caching store
Persistent store
Encryption hardware
Other specialized hardware…
– DSPsl
– Reconfigurable HW?
– Special links (eg long set up time)
Specialized data...
– Routing table entries?
– ...
Department of Computer Science
Janos Project
Genesis
Builds on three lines of existing work:
– Fluke Nested Process Model
» Strong OS model with a new protection mechanism: focus on
resource control
– Flask security architecture
» Policy-flexible fine-grain mechanisms
– The OSKit
» Reusable low-level components and a framework (COM, APIs)
Other:
– Optimization of Java for systems code
» predictability, speed
– Network testbed (possibly)
Department of Computer Science
Janos Project
Janos Structure
AN Execution Environment
Janos VM
The OSKit
Hardware or Unix
Department of Computer Science
Janos Project
Primary Execution Environment
Java-based
Prototype will be based on ANTS [Wetherall et al. 97]
– Initial changes to ANTS structure and execution model to better
support resource control (released June ‘98)
Integration with Janos resource management
– Admission control
– Prevent denial of service
– Fair sharing
Department of Computer Science
Janos Project
The Nested Process Model
Child process is encapsulated in its parent.
Traditional Process Model
Nested Process Model
Parent
Process
State
Parent
Process
State
Child
State
Child
State
Child
State
Child
State
Parent has complete control over the child.
Department of Computer Science
Nested Process Model
Parent
Process
State
Parent
Process
State
Child
State
Child
State
Child
State
Child
State
Traditional
Fluke
Derived from a recursive virtual machine model
Resources for a process are obtained from parent
Parent services requests for new resources and for
management
Strict hierarchy enabled, not enforced
Department of Computer Science
Janos Project
Obscure Names
Fluke: microkernel and server implementation of OS
model
Flask: high-security version of Fluke
Alta: Fluke architecture implemented in a JVM, using
type-safety for memory protection
Department of Computer Science
Janos Project
Swap in Patrick
Department of Computer Science
Janos Project
Flask: High-security version of
Fluke
Joint with NSA R23, SCC
Security architecture orthogonal to Flask
implementation
Augments Fluke with fine grained security
mechanisms
– Explicit security bindings
– Mandatory controls
– Mutual authentication
Department of Computer Science
Janos Project
Flask: Security Policy
Policy flexibility:
– Dynamic both in time and in configuration
– Economic and market reasons
– Separate security policy “decider” makes all policy decisions
– Revocation support
Investigating extensions to multiple policy servers
Department of Computer Science
Janos Project
The OSKit
Department of Computer Science
Janos Project
Dual Execution Modes
Department of Computer Science
Janos Project
User
Friendly
OS
Development
….!?
Department of Computer Science
Janos Project
Example Working Kernel
#include <stdio.h>
main()
{
printf("Hello, world.\n");
return 0;
}
Department of Computer Science
OSKit Status
Major releases 18 Dec 98, 15 Jan 99
– Unique downloads running 1000/month
– 600 on mailing list
Base for Janos prototype on bare hardware
Another route for Utah/NSA security tech xfer
Likely vehicle for external OS research tech xfer
(Quorum, NT)
Evolving into flexible OS itself
Department of Computer Science
Janos Project
OSKit: Ongoing and Future
Make components more separable
Dynamic loading and linking
Module configuration language & GUI
“Protection” component
Further integrate with languages
– Java
– Scheme (Indiana, Kansas, Rice)
– ML (MIT, CMU)
….
Department of Computer Science
Janos Project
OSKit future components
Buffering/caching (IO-Lite?), network mgmt protocols, ...
Modular protocol impl.
Secure boot (Penn), filesys (Linux xfer), policy engine
Network components
– access checks at all levels and objects (local node, remote node,
interface, routing table, …)
Crypto, auth,
PCC verifier (w/ CMU/Cedilla)
….
Department of Computer Science
Janos Project
CPU Inheritance Scheduling
Threads schedule each other by donating the CPU
using a directed yield primitive
One root scheduler per processor sources all CPU time
Kernel dispatcher manages threads, events, and CPU
donation without making any scheduling policy
decisions
Department of Computer Science
Janos Project
Stride (WFQ) Scheduling
600
400
50
20 % CPU
Department of Computer Science
50
60 % CPU
20 % CPU
Janos Project
Possible Curves in the Road
Fluke model will likely be modified
Hardware protection may be included
Flask security architecture may not map well to Java
and Janos
Challenges in GC and cpu interactions.
More surprises undoubtedly await…
Department of Computer Science
Janos Project
The Big Todo
GVM and Alta prototypes: evaluate, choose best pieces,
synthesize
Evaluate use of hardware protection in the OSKit
Refine and integrate AN execution environment
Measure and tune performance
Leverage AN-specifc fine-grained sharing
Department of Computer Science
Janos Project
Summary
Resource control and security in Java
– Applicable in other language-based systems
– Explore power/speed of software mechanisms
Primary motivation: active networks and other mobile
code
Useful in other contexts
– Servlet environments
– Active service environments
– OS without hardware protection
Wide applicability and tech xfer thru the OSKit
www.cs.utah.edu/flux/
Department of Computer Science
Janos Project