the case for device namespaces · 2017. 12. 14. · 7 linuxcon 2013 no, they don’t! •only...
TRANSCRIPT
Oren Laadan
LinuxCon 2013
September 18, 2013
www.cellrox.com
The Case for Device Namespaces
aprilzosia
LinuxCon 2013 2
Device Namespaces Roots Based on research at Columbia University: • “Cells: A Virtual Mobile Smartphone Architecture”
• Authors: Jeremy Andrus, Christoffer Dall, Alex Van’t Hof,
Oren Laadan, Jason Nieh.
• Proceedings of the 23rd Symposium on Operating Systems Principles (SOSP 2011). Cascais, Portugal. October, 2011 .
LinuxCon 2013 3
Mobile devices have multiple uses -
LinuxCon 2013 4
Mobile devices have multiple uses -
- the device needs to reflect that.
LinuxCon 2013 5
Personal Phone Business Phone
Security Use Case
LinuxCon 2013 6
Do People Remember?
• Only download apps from trusted sources, such as reputable app markets. Remember to look at the developer name, reviews, and star ratings.
• Always check the permissions an app requests. Use common sense to ensure that the permissions an app requests match the features the app provides.
• Be alert for unusual behavior on your phone. Suspicious behavior could be a sign that your phone is infected. These behaviors may include unusual SMS or network activity.
• Install a mobile security app for your phone that scans every app you download to ensure it’s safe.
LinuxCon 2013 7
No, They Don’t!
• Only download apps from trusted sources, such as reputable app markets. Remember to look at the developer name, reviews, and star ratings.
• Always check the permissions an app requests. Use common sense to ensure that the permissions an app requests match the features the app provides.
• Be alert for unusual behavior on your phone. Suspicious behavior could be a sign that your phone is infected. These behaviors may include unusual SMS or network activity.
• Install a mobile security app for your phone that scans every app you download to ensure it’s safe.
LinuxCon 2013 8
No, They Don’t!
• Only download apps from trusted sources, such as reputable app markets. Remember to look at the developer name, reviews, and star ratings.
• Always check the permissions an app requests. Use common sense to ensure that the permissions an app requests match the features the app provides.
• Be alert for unusual behavior on your phone. Suspicious behavior could be a sign that your phone is infected. These behaviors may include unusual SMS or network activity.
• Install a mobile security app for your phone that scans every app you download to ensure it’s safe.
LinuxCon 2013 9
User Behavior is the #1 Security Risk Lack of user awareness about security policies Insecure web browsing Insecure Wi-Fi connectivity Lost or stolen mobile devices with corporate data Corrupt app downloaded to mobile devices Lack of security patches from service providers High rate of users changing/upgrading devices
LinuxCon 2013 10
More Use Cases
Personal Phone Business Phone Children Phone Privacy Phone Secure Phone
LinuxCon 2013 11
Mobile Wallets
LinuxCon 2013 12
Even More Use Cases
Personal Phone Business Phone Children Phone Privacy Phone Secure Phone Social Phone Guest Phone Dev Phone
LinuxCon 2013 13
Multi-Persona for Mobile Devices
LinuxCon 2013 14
The Usual Suspect
Virtualization
“Every problem in computer science can be solved using another layer of abstraction.”
LinuxCon 2013 15
Android
applications
Android
environment
Linux
kernel
Device
hardware
Typical device
Mobile Device Virtualization
Android
applications
Android
environment
Linux
kernel
Device
hardware
Typical device
LinuxCon 2013 16
Nobody Will Notice?
Performance Transparent Application Transparent Platform Transparent User Transparent
LinuxCon 2013 17
Bare-Metal Virtualization
Android
applications
Android
environment
Linux
kernel
Device
hardware
Typical device
Android
applications
Android
environment
Linux
kernel
Device
hardware
Virtual Phone
Hypervisor Type I
Android
applications
Android
environment
Linux
kernel
Virtual Phone
LinuxCon 2013 18
Bare-Metal (Type-I) Virtualization Suitable for servers • standard hardware • slow server replace rate • strong security model
Sub-optimal for mobile devices • burden to support devices • reduced performance / battery-life • sub-optimal use of resources
LinuxCon 2013 19
Android
applications
Android
environment
Linux
kernel
Device
hardware
Typical device
Android
applications
Android
environment
Linux
kernel
Virtual Phone
Hypervisor Type II
Linux kernel
Android
applications
Android
environment
Virtual Phone
Host-Based Virtualization
Android
applications
Android
environment
Linux
kernel
Device
hardware
Typical device
Device
hardware
LinuxCon 2013 20
Host-Based (Type-II) Virtualization Suitable for desktops • rely on host for hardware • rely on host for resources • rely on host for security
Sub-optimal for mobile devices • weak security model (can trust host?) • reduced performance / battery-life • sub-optimal use of resources
LinuxCon 2013 23
Virtual Phone
Operating System Virtualization
Android
applications
Android
environment
Linux
kernel
Device
hardware
Typical device Virtual Phone
Android
applications
Android
environment
Linux
kernel
Device
hardware
Android
applications
Android
environment
Namespaces
LinuxCon 2013 24
Operating System Virtualization Namespaces
“provide a group of processes with the illusion that they are the only processes on the system” (LWN article)
LinuxCon 2013 25
Operating System Virtualization Challenge 1: hardware diversity • plethora of peripherals not virtualized • key logical devices not virtualized Challenge 2: interactive usage • users interact with one app at a time • foreground vs. background apps
LinuxCon 2013 26
Hardware Diversity A typical collection of peripherals available on a modern smartphone or tablet:
Headset Microphone Speakers (Touch) Screen
Power Buttons Telephony Bluetooth
GPS WiFi Framebuffer GPU
Compass Camera(s) Accelerometer RTC/Alarms
LinuxCon 2013 27
Device Namespaces Two roles: • Virtualize physical and logical devices, to
address hardware diversity
• Multiplex access to devices and switch contexts to allow interactive usage
LinuxCon 2013 28
Device Namespaces HW diversity: traditional virtualization • create the illusion that processes interact
exclusively with a set of devices • hide the fact that other processes interact
with the same set of devices • Device major/minor (e.g. loop, dm), and
device setup and internal state
LinuxCon 2013 29
Device Namespaces Interactivity: context-aware virtualization • concept of an active namespace, with
which the user actually interacts • ability to switch namespaces, to allow
interacting with multi-namespaces • users really interact with one namespace
at a time
LinuxCon 2013 30
Device Namespaces
Android
applications
Android
environment
Android
applications
Android
environment
Linux
kernel
Device
hardware
Namespaces
Touch
Cam
era
(s)
Headset
GP
U
Fra
mebuf
GP
S
Butto
ns
LinuxCon 2013 31
Framebuffer: single assignment?
Android
applications
Android
environment
Linux
kernel
Framebuffer
Android
applications
Android
environment
Android
applications
Android
environment
VP VP VP
LinuxCon 2013 32
Framebuffer: emulated hardware?
Android
applications
Android
environment
Linux
kernel
Android
applications
Android
environment
Android
applications
Android
environment
VP VP VP
Emulated Framebuffer
Virtual
State Framebuffer
LinuxCon 2013 33
Framebuffer: device namespaces
Android
applications
Android
environment
Linux
kernel
Android
applications
Android
environment
Android
applications
Android
environment
Background Foreground Background
RAM Framebuffer
Virtualized Framebuffer
LinuxCon 2013 34
Framebuffer: device namespaces
Android
applications
Android
environment
Linux
kernel
Android
applications
Android
environment
Android
applications
Android
environment
Background Foreground Background
RAM Framebuffer
Virtualized Framebuffer
LinuxCon 2013 35
Framebuffer: device namespaces
Android
applications
Android
environment
Linux
kernel
Android
applications
Android
environment
Android
applications
Android
environment
Background Background
RAM Framebuffer
Foreground
Virtualized Framebuffer
LinuxCon 2013 36
Experimental Benchmarks • CPU (Linpack) • Graphics (Neocore) • Storage (Quadrant) • Web browsing (SunSpider) • Networking (custom)
LinuxCon 2013 37
Runtime Overhead (Idle)
0.00
0.20
0.40
0.60
0.80
1.00
1.20
1.40
Linpack NeoCore QuadrantI/O
SunSpider
Network
Baseline 1-VP 2-VP 3-VP 4-VP 5-VP
LinuxCon 2013 38
Runtime Overhead (load)
0.00
0.20
0.40
0.60
0.80
1.00
1.20
1.40
Linpack NeoCore QuadrantI/O
SunSpider
Network
Baseline 1-VP 2-VP 3-VP 4-VP 5-VP
LinuxCon 2013 39
Power Consumption Overhead
0.00
0.20
0.40
0.60
0.80
1.00
1.20
1.40
After 4hrsMusic
After 12hrsIdle
Baseline 1-VP2-VP 3-VP4-VP 5-VP
LinuxCon 2013 40
Device Namespaces Patches • RFC patch-set posted in “containers”
and “lxc-devel” mailing lists • Includes 8 patches for: input, backlight,
LED, framebuffer, some Android • Demo of dual-namespaces and switch
between them on Android • Topic at containers mini-conf at LPC
tomorrow
LinuxCon 2013 41
Summary https://www.github.com/Cellrox/devns-patches/wiki • Device namespaces bring virtualization to
end-user devices. • Active vs. non-active namespaces based
on natural usage model • Native performance (up to ~1% overhead
in Vellamo benchmark) • RFC patch-set posted in “containers” list,
to be discussed in LPC