Janos: A Java-oriented Active Network Operating System
Janos Project, Department of Computer Science
Jay Lepreau, Patrick Tullmann, Kristin Wright, Wilson Hsieh, Godmar Back, many more...
University of Utah, Flux Research Group
www.cs.utah.edu/flux/
March 30, 1999

Goals

Develop a principled yet efficient local OS architecture for active nodes, oriented to hierarchical structure, resource control, and security.

Produce separately useful OS, security, and Java VM components.

Goals 2

Investigate local resource management and security in language-based systems

– Java, in particular

Investigate OS support for active networking

Investigate broader resource management issues

Resources (obvious)

Memory
CPU
Network bandwidth

Resources (less obvious)

Backing/caching store
Persistent store
Encryption hardware
Other specialized hardware…
– DSPs
– Reconfigurable HW?
– Special links (e.g. long set up time)
Specialized data...
– Routing table entries?
– ...

Genesis

Builds on three lines of existing work:
– Fluke Nested Process Model
» Strong OS model with a new protection mechanism: focus on resource control
– Flask security architecture
» Policy-flexible fine-grain mechanisms
– The OSKit
» Reusable low-level components and a framework (COM, APIs)
Other:
– Optimization of Java for systems code
» predictability, speed
– Network testbed (possibly)

Janos Structure

[Figure: layer diagram with the labels: The OSKit, AN Execution Environment, Janos VM, Hardware or Unix]

Primary Execution Environment

Java-based
Prototype will be based on ANTS [Wetherall et al. 97]
– Initial changes to ANTS structure and execution model to better support resource control (released June ‘98)
Integration with Janos resource management
– Admission control
– Prevent denial of service
– Fair sharing

The Nested Process Model

Child process is encapsulated in its parent.

Parent has complete control over the child.

[Figure: Traditional Process Model vs. Nested Process Model; each panel shows a Parent Process State and Child States]

Nested Process Model

Derived from a recursive virtual machine model
Resources for a process are obtained from parent
Parent services requests for new resources and for management
Strict hierarchy enabled, not enforced

[Figure: Traditional vs. Fluke; each panel shows a Parent Process State and Child States]
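
An added sketch (not from the slides or from Fluke itself) of the resource accounting this model implies in its strict-hierarchy form: every allocation is charged to the process and all of its ancestors, and destroying a child hands its whole subtree's usage back to the parent. The struct, the function names, the node/ee/flow processes and the byte figures are hypothetical.

```c
#include <stdio.h>
struct proc {              /* hypothetical record, not the Fluke API */
    struct proc *parent;
    size_t limit, used;    /* used covers this process and its descendants */
    int alive;
};

static int live(const struct proc *p) {
    while (p && p->alive)
        p = p->parent;
    return p == NULL;      /* reached the root: no destroyed ancestor */
}

/* Charge every ancestor, so a child can never hold more than its parent
 * (or any process above it) was given. Returns 0, or -1 if refused. */
static int proc_alloc(struct proc *p, size_t bytes) {
    for (struct proc *a = p; a; a = a->parent)
        if (!a->alive || bytes > a->limit - a->used)
            return -1;
    for (struct proc *a = p; a; a = a->parent)
        a->used += bytes;
    return 0;
}

/* Parent control: destroying a child returns everything its subtree held. */
static void proc_kill(struct proc *child) {
    if (!live(child))
        return;
    for (struct proc *a = child->parent; a; a = a->parent)
        a->used -= child->used;
    child->alive = 0;
}

/* Constructed scenario: node (1000 bytes) -> ee (600) -> flow (500). */
static size_t demo(int r[4]) {
    struct proc node = { NULL, 1000, 0, 1 };
    struct proc ee = { &node, 600, 0, 1 }, flow = { &ee, 500, 0, 1 };
    r[0] = proc_alloc(&flow, 400);   /* ok: fits flow, ee and node    */
    r[1] = proc_alloc(&flow, 101);   /* refused: flow's own limit     */
    r[2] = proc_alloc(&ee, 201);     /* refused: ee already holds 400 */
    proc_kill(&ee);                  /* node reclaims the subtree     */
    r[3] = proc_alloc(&flow, 1);     /* refused: ancestor destroyed   */
    return node.limit - node.used;   /* free bytes left at the node   */
}

int main(void) {
    int r[4];
    printf("free after kill: %zu\n", demo(r));
    return 0;
}
```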

Obscure Names

Fluke: microkernel and server implementation of OS model
Flask: high-security version of Fluke
Alta: Fluke architecture implemented in a JVM, using type-safety for memory protection

Swap in Patrick

Flask: High-security version of Fluke

Joint with NSA R23, SCC
Security architecture orthogonal to Flask implementation
Augments Fluke with fine-grained security mechanisms
– Explicit security bindings
– Mandatory controls
– Mutual authentication

Flask: Security Policy

Policy flexibility:
– Dynamic both in time and in configuration
– Economic and market reasons
– Separate security policy “decider” makes all policy decisions
– Revocation support
Investigating extensions to multiple policy servers

The OSKit

Dual Execution Modes

User Friendly OS Development….!?

Example Working Kernel

#include <stdio.h>

/* The whole kernel: an ordinary C main(). */
int main(void)
{
    printf("Hello, world.\n");
    return 0;
}

OSKit Status

Major releases 18 Dec 98, 15 Jan 99
– Unique downloads running 1000/month
– 600 on mailing list
Base for Janos prototype on bare hardware
Another route for Utah/NSA security tech xfer
Likely vehicle for external OS research tech xfer (Quorum, NT)
Evolving into flexible OS itself

OSKit: Ongoing and Future

Make components more separable
Dynamic loading and linking
Module configuration language & GUI
“Protection” component
Further integrate with languages
– Java
– Scheme (Indiana, Kansas, Rice)
– ML (MIT, CMU)
….

OSKit future components

Buffering/caching (IO-Lite?), network mgmt protocols, ...
Modular protocol impl.
Secure boot (Penn), filesys (Linux xfer), policy engine
Network components
– access checks at all levels and objects (local node, remote node, interface, routing table, …)
Crypto, auth, PCC verifier (w/ CMU/Cedilla)
….

CPU Inheritance Scheduling

Threads schedule each other by donating the CPU using a directed yield primitive
One root scheduler per processor sources all CPU time
Kernel dispatcher manages threads, events, and CPU donation without making any scheduling policy decisions

Stride (WFQ) Scheduling

[Figure: stride scheduling example; labels 400 and 600, then 50 and 50; resulting shares 20% CPU, 20% CPU, 60% CPU]
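
An added example (not from the slides or the Janos code) of hierarchical stride scheduling that reproduces the 20% / 20% / 60% split. It assumes the figure's 400 and 600 are ticket counts at the top level and that 50 and 50 are the tickets of two clients beneath the 400 node; the node layout and all identifiers are hypothetical.

```c
#include <stdio.h>

#define STRIDE1  1200000UL  /* stride = STRIDE1 / tickets */
#define MAX_KIDS 4

struct node {
    unsigned long stride, pass, quanta;  /* pass: virtual time of next turn */
    struct node *kid[MAX_KIDS];
    int nkids;
};

static void attach(struct node *parent, struct node *n, unsigned long tickets) {
    *n = (struct node){ .stride = STRIDE1 / tickets, .pass = STRIDE1 / tickets };
    if (parent && parent->nkids < MAX_KIDS)
        parent->kid[parent->nkids++] = n;
}

/* At each level pick the child with the lowest pass, charge it one
 * stride, and descend until a leaf receives the quantum. */
static void dispatch(struct node *n) {
    while (n->nkids > 0) {
        struct node *best = n->kid[0];
        for (int i = 1; i < n->nkids; i++)
            if (n->kid[i]->pass < best->pass)
                best = n->kid[i];
        best->pass += best->stride;
        n = best;
    }
    n->quanta++;
}

/* Constructed tree: root -> {group 400, leaf[2] 600}; group -> {50, 50}.
 * Runs `total` quanta and reports each leaf's CPU share in percent. */
static void run_slide_tree(unsigned long total, unsigned long pct[3]) {
    struct node root, group, leaf[3];
    attach(NULL, &root, 1);
    attach(&root, &group, 400);
    attach(&root, &leaf[2], 600);
    attach(&group, &leaf[0], 50);
    attach(&group, &leaf[1], 50);
    for (unsigned long i = 0; i < total; i++)
        dispatch(&root);
    for (int i = 0; i < 3; i++)
        pct[i] = leaf[i].quanta * 100 / total;
}

int main(void) {
    unsigned long pct[3];
    run_slide_tree(1000, pct);
    printf("%lu%% %lu%% %lu%%\n", pct[0], pct[1], pct[2]);
    return 0;
}
```

Tickets inside the 400 node only divide that node's share, so a client there cannot raise its CPU time at the expense of the 600-ticket client by adding siblings.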

Possible Curves in the Road

Fluke model will likely be modified
Hardware protection may be included
Flask security architecture may not map well to Java and Janos
Challenges in GC and CPU interactions.
More surprises undoubtedly await…

The Big Todo

GVM and Alta prototypes: evaluate, choose best pieces, synthesize
Evaluate use of hardware protection in the OSKit
Refine and integrate AN execution environment
Measure and tune performance
Leverage AN-specific fine-grained sharing

Summary

Resource control and security in Java
– Applicable in other language-based systems
– Explore power/speed of software mechanisms
Primary motivation: active networks and other mobile code
Useful in other contexts
– Servlet environments
– Active service environments
– OS without hardware protection
Wide applicability and tech xfer thru the OSKit
www.cs.utah.edu/flux/