Transcript janos-pim-0601

Janos Project: FY 2001
Jay Lepreau
Flux Research Group
University of Utah
June 5, 2001
The Main Players

Pat Tullmann
Godmar Back
 Mike Hibler
 Wilson Hsieh
 Rob Ricci
 Tim Stack

2
June 5, 2001
University of Utah
janos
Outline

Java OS Work

Moab / NodeOS API work
 Team 3 Demo
 ANTS EE
A Killer Application?!
 Failures, Achievements

3
June 5, 2001
University of Utah
janos
Janos Project Goals
Resource Control & security of a local
node in an Active Network
 First-class, OS-style control over Java
“applications”
 Separately useful components

– NodeOS, JVM, EE, etc.

4
Open Source
June 5, 2001
University of Utah
janos
Research Goals I

Combine OS + Language
– Merge OS principles and Java typesafety to
create a real Java OS
– Explore which features of Java apply in an
OS context
– Explore which OS features map appropriately
into a Java OS
5
June 5, 2001
University of Utah
janos
Research Goals II

Apply Java OS to the AN domain
– Leverage AN domain’s constraints
Can we safely expose low-level network
aspects?
 Can safe code go fast?

6
June 5, 2001
University of Utah
janos
A “Java operating system” is...

An enhanced JVM that provides OS functions to
multiple Java “programs” within it
 Features:
– Separation
– Resource management
– Sometimes: direct sharing

Architectural abstractions taken from OS
– User/kernel boundary, processes, etc.
 Mechanisms taken from garbage collection
7
June 5, 2001
University of Utah
janos
Previous Options
App1
-
Multiple apps
in one JVM
App2
App3
JVM
Base OS
-
8
One app per
JVM in
different OS
processes
June 5, 2001
App1
App2
App3
JVM
JVM
JVM
Base OS
University of Utah
janos
“Java Operating System”
App1
App2
App3
App4
Java OS
Java OS
Base OS
+ Good separation
+ Good resource management
+ Allows some direct sharing
9
June 5, 2001
University of Utah
janos
Janos Architecture
AA AA AA
EE
ANTS2
JanosVM: A JVM with
resource management
Moab:
An OSKit-based NodeOS
JanosVM
Moab
Hardware (Or Unix)
10
June 5, 2001
University of Utah
janos
Software Specifics

Build NodeOS in C that exposes low-level
network features: Moab
– Optimized for a single, trusted EE

Provide the NodeOS API in Java: Janos Java
NodeOS
– Works with JDK1.x or JanosVM

Provide a JVM for building a Java OS: JanosVM
 Make ANTS multi-domain and resource-aware:
ANTS2.0
11
June 5, 2001
University of Utah
janos
FY 2001 Progress
Java OS Work
 Moab / NodeOS API work
 Team 3 Demo
 ANTS EE
 An Application!
 Failures, Achievements

12
June 5, 2001
University of Utah
janos
Java OS Work

Ph.D. on Java Operating Systems
– Godmar Back - June 12, 2001

Designed, built and released JanosVM
– Evolution of KaffeOS to provide key building
block for a Java OS

Sun JSR-121 Expert Group
– “Isolate” : first step in multiprocess support
in Sun’s JDK
– Utah representation
13
June 5, 2001
University of Utah
janos
JanosVM

Virtual Machine for Java bytecodes
– Usual JVM features: JIT, GC, etc.
– Multiprocess support

Designed as foundation for Java OS
– Exports primitives to build efficient Java OS
– Customized by trusted runtime
Java OS
14
{
June 5, 2001
Custom JavaOS Runtime
JanosVM
University of Utah
janos
JanosVM

Virtual Machine for Java bytecodes
– Usual JVM features: JIT, GC, etc.
Designed as foundation for Java OS
 Exports primitives to build efficient,
targeted Java OS

Janos
15
{
June 5, 2001
Java Nodeos + ANTS2.0
JanosVM
University of Utah
janos
JanosVM

Virtual Machine for Java bytecodes
– Usual JVM features: JIT, GC, etc.
Designed as foundation for Java OS
 Exports primitives to build efficient,
targeted Java OS

JSR-121
16
{
June 5, 2001
“Isolate” support
JanosVM
University of Utah
janos
FY 2001 Progress
Java OS Work
 Moab / NodeOS API work
 Team 3 Demo
 ANTS EE
 An Application!
 Failures, Achievements

17
June 5, 2001
University of Utah
janos
Moab / NodeOS API
Joint NodeOS paper
 Pluggable CPU & network schedulers
 Click in Moab: fine-grained control over
cut-through channels
 More:

– NodeOS API refinement, polling vs. interrupts, SNMP
support, filesys support, ...
18
June 5, 2001
University of Utah
janos
FY 2001 Progress
Java OS Work
 Moab / NodeOS API work
 Team 3 Demo
 ANTS EE
 An Application!
 Failures, Achievements

19
June 5, 2001
University of Utah
janos
Team 3 Demo

Built an IP router
–
–
–
–
–

in Java
on the Janos Java NodeOS bindings
on JanosVM
on Moab
on the bare hardware
Demonstrated
– CPU controls, network bandwidth controls, and
memory controls over Java apps

20
Inter-operated with 3 other projects
June 5, 2001
University of Utah
janos
FY 2001 Progress
Java OS Work
 Moab / NodeOS API work
 Team 3 Demo
 ANTS EE
 An Application!
 Failures, Achievements

21
June 5, 2001
University of Utah
janos
ANTS EE

Completed per-domain separation in
ANTSR

With UW, evolved and released ANTS2.0
from ANTSR and ANTS1.3, plus:
– New security infrastructure
– Improved ABONE / ANETD support
22
June 5, 2001
University of Utah
janos
FY 2001 Progress
Java OS Work
 Moab / NodeOS API work
 Team 3 Demo
 ANTS EE
 Branching Out
 Tangible Goods
 Failures, Acheivements

23
June 5, 2001
University of Utah
janos
Branching Out

emulab.net - Utah Network Testbed
– 200 machines, lots of tools
– Real users: 70% dist sys, 30% networking
– Developed / tested our Team 3 demo setup,
all our AN experiments
– Paper under review

24
A killer application?!
June 5, 2001
University of Utah
janos
Quote
“We had a little bit of a problem
with applications.”
- Sandy Murphy, 4 June 2001
25
June 5, 2001
University of Utah
janos
Active Protocols for Agile
Censor-Resistant Networks
26
June 5, 2001
University of Utah
janos
Key Ideas
Censor-resistant (p2p) publishing is a
compelling and feasible application of
active networking
 …through on-demand, rapid,
decentralized, diversification of the hopby-hop protocol (manually, by people)

We prototyped this in Freenet
27
June 5, 2001
University of Utah
janos
Active Networking’s Biggest
Problem

Demand: no killer app
Inherent problem, by definition!
The space of AN protocols is
interesting, not any given protocol
But… a good match for censorresistant networks
28
June 5, 2001
University of Utah
janos
Censor-Resistant Networks

Goals
– Make intentional deletion or denial of access
infeasible or difficult
– Often: Anonymity
Usually: overlay network
 An example: Freenet

29
June 5, 2001
University of Utah
janos
Some Problems Facing CRNs

CRN traffic may be identifiable
– Static set of protocols a weakness

Mere membership may be incriminating
– Only identification may be necessary, not
eavesdropping
– Last link vulnerable: mercy of ISP

Users on restricted networks cannot
participate
– But special techniques can get traffic through
firewalls, proxies, etc.
30
June 5, 2001
University of Utah
janos
Agile Protocols

Use active networking techniques for
replacement of single-hop protocols
 Completely decentralized
– Any node (person) can create a new protocol & pass
to its peer
– Rapid response time to censorship
– Nodes can customize for their environment

Unbounded set of protocols
– Attacker cannot even know what percentage of set
they have discovered
31
June 5, 2001
University of Utah
janos
Protocol Examples
Disguise and tunnel, eg through SMTP,
HTTP
 Port-hopping… randomly
 Port-smearing (~spread spectrum)
 Bounce thru 3rd host
 Steganography
 …even better in wireless domain:
physical & link level

32
June 5, 2001
University of Utah
janos
What About Malicious
Protocol Objects?
33
June 5, 2001
University of Utah
janos
Protecting Local Node’s Integrity,
Privacy, and Availability

Threat model like Java applet, but worse for
privacy
– node state: cache contents, neighbor list, IP addr,
username, …
– message itself

Integrity and privacy: std type-safety and
namespace isolation
 Resource attacks: resource-managing JVM
[OSDI’00, ...]
34
June 5, 2001
University of Utah
janos
Publishing-specific DoS
Attacks

Same general issues as malicious nodes

Failure (total or intermittent)
– Either malicious or unintentional
– Heuristic approach: rate Protocol Objects
• Ratings based on success rates for requests
• Evaluate via loopback test harness
– Ratings are node-local

35
More attacks/responses in paper
June 5, 2001
University of Utah
janos
What About Bootstrapping?
Shared by base Freenet system: must
acquire initial {IP addr, port} out-of-band
 Now need {IP addr, byte code}
 Quantitative difference ==> qualitative
change?
 Memory, piece of paper ==> floppy disk,
email attachment, applet
 Conclusion: acceptable

36
June 5, 2001
University of Utah
janos
Our Implementation
Prototype based on Freenet system
 Peers can exchange Java bytecode for
new protocols
 Protocol usage can be asymmetric, can
change on any message boundary
 Restricted namespace

37
June 5, 2001
University of Utah
janos
Four sample Protocol Objects
‘Classic’ Freenet protocol
 HTTPProtocol: Looks (vaguely) like HTTP
 TrickyProtocol: Negotiates port change
after every message
 SpreadProtocol: Splits message on
arbitrary byte boundaries, sends each
chunk on a different port

38
June 5, 2001
University of Utah
janos
Reprise:AN’s Major Technical
Challenges

Performance: no problem
– In Java already!
– Overlay network: IP not my problem

Security
– Key: change local, keep global protocol
– Global network: domain-specific, therefore tractable.
– Local to node: tractable, based on recent research
39
June 5, 2001
University of Utah
janos
Agile Experiment: Conclusions

AN techniques seem likely to improve the
censor-resistance of such networks
 Feasible to implement in existing systems
 Lots still to do
–
–
–
–

40
Implement ratings, etc, etc
JanosVM + runtime, re-engineer base
Evaluate in the lab
Evaluate “in the wild”
Lot of fun, lot of military relevance
June 5, 2001
University of Utah
janos
FY 2001 Progress
Java OS Work
 Moab / NodeOS API work
 Team 3 Demo
 ANTS EE
 Tangible Goods
 Failures, Achievements

41
June 5, 2001
University of Utah
janos
Papers: FY 2001
Back et. al. Processes in KaffeOS: Isolation, Resource
Management and Sharing in Java (OSDI 2000)
Tullmann et. al. Janos: A Java-oriented OS for Active
Network Nodes (IEEE JSAC Mar 2001)
Peterson et. al. An OS Interface for Active Routers
(IEEE JSAC Mar 2001)
Ricci et. al. Active Protocols for Agile Censor-Resistant
Networks (HotOS 2001)
42
June 5, 2001
University of Utah
janos
Software Releases: FY 2001

11 separate releases
– 2 OSKit versions
– 2 Moab versions
– 2 JanosVM versions
– 1 ANTS2.0
– 2 Java NodeOS versions
– 1 ANTS CVS
– 1 Java NodeOS CVS
43
June 5, 2001
University of Utah
janos
Mistakes I

Over-emphasis on strict hierarchy
– Original nested process model
– NodeOS mempools

NodeOS/EE split
– Makes a nearly impossible research
challenge even harder

44
Under-emphasis on applications
June 5, 2001
University of Utah
janos
Mistakes II

Too much energy on software artifacts
– ==> Missed research opportunities

ANTS?
– Most aggressive AN model
– Dated
45
June 5, 2001
University of Utah
janos
Mistakes III

A-Flow -> Flow -> Domain

Failure to keep dm in ITO!
46
June 5, 2001
University of Utah
janos
Achievements

Four generations of Java OS’s
– Culminated in generic JavaOS infrastructure
– Java spec impact: JSR-121 “Isolate”, ...

Low-level networking that leverages typesafety
– Safe zero-copy
– Unoptimized Java IP forwarding is
40% speed of C (JNodeOS v. Moab)
47
June 5, 2001
University of Utah
janos
Questions?

Where do I get Janos papers, software?
– www.cs.utah.edu/flux/janos

How do I use the network testbed?
– www.emulab.net
48
June 5, 2001
University of Utah
janos
END OF PRESENTATION
49
June 5, 2001
University of Utah
janos
Architecture
AA AA AA
ANTSR EE
ANTSR
JanosVM: A JVM with
resource management
Moab
An OSKit-based NodeOS
JanosVM
Moab
Hardware (Or Unix)
50
June 5, 2001
University of Utah
janos
Approach
Re-fit existing AN infrastructure to
multiprocess, resource-aware JVM
 Apply OS principles to Java language runtime

– User/kernel boundary, processes, etc.
– Construct a “multiprocess” JVM

51
Build a NodeOS that exposes low-level
network features
June 5, 2001
University of Utah
janos
Team 3 Demo
First full Janos prototype to run Java on
the bare hardware
 Illuminated many performance issues in
our prototype

52
June 5, 2001
University of Utah
janos