
Post on 26-Mar-2015


Your Desktop on Your Keychain

Ted Wobber

MSR Silicon Valley

with Muthukarrupan Annamalai,

Andrew Birrell, and Dennis Fetterly

Hardware vs. Desktop State

• Computers are (increasingly) everywhere
– In furniture/kiosks/environment?

• New form factors for carrying state:
– Keychains, cellphones, watches

• Can we make desktop state portable without also carrying the computer hardware?

• Desktop state = user preferences + user data + applications

Who cares??

• Corporations and other large organizations
– Moving between offices, sites
– Office-sharing
– Work-at-home scenarios

• Consumers in general
– But kiosk infrastructure and security is a barrier

• Emerging markets
– Desktop hardware is scarce
– Benefit may outweigh security risk

Models of Desktop Portability

• Laptops
• Roaming profiles
• Remote desktop

Laptops

• Laptops are (usually) bulky and fragile
• Expensive to purchase and to manage
• Prone to theft
• Once stolen, data is (often) vulnerable
• Backup can be haphazard

• But, laptops are self-contained and offer a valuable platform for disconnected environments

Roaming Profiles

• Applications don’t roam
• In Windows, difficult to separate user, application, and machine-specific state
• Slow, bandwidth intensive
• Difficult outside single admin domain
• Security of host machine?

Remote Desktops

• Needs strong connectivity
• Latency-sensitive
• Difficult outside single admin domain
• Needs managed server to provide RDP service
– Most desktop PCs aren’t “professionally managed”

• Local devices?

Flash Changes the Equation

• Current cost: 1GB = ~$80
• Still following Moore’s Law

• Read/Write performance approaching disk
• Modern flash has built-in wear-leveling
– Max write limitations are rarely a problem

• For this talk: Flash == USB Flash Device

Flash Statistics (estimate)

• Projected shipments 60-120 million units in 2005
• 2 GB in ’04; 4GB+ in ’05.
• Estimated revenue on NAND-based Flash at $9.2 billion in ‘06 timeframe
• NAND Read/Write speeds are slated to increase as follows:
– ‘04 read 8 MB/s; write 6.5MB/s.
– ’05 read 23 MB/s; write 16MB/s.
– ‘06 read 40 MB/s; write 28 MB/s.
– ‘07 guesstimates are 100MB/s using multiple NAND chips and cache.

• Already being extended with onboard CPU, memory, wireless, etc.

Carry user state cache on flash

• Similar problems to roaming profiles:
– Applications don’t roam
– In Windows, difficult to separate user, application, and machine-specific state
– Slow, bandwidth intensive
– Difficult outside single admin domain
– Security of host machine?

Boot from Flash

• Drivers
– Problem gets worse with age of installation

• Flash capacity (in short term)
– Size of OS + apps a problem
– What happens when disk is full?

• Machine state (e.g. hibernation) is non-portable
• Backup?

Our Solution

• Host machine runs virtual machine monitor
• User runs in a virtual machine (VirtualPC)
• Virtual disk is a “server in the sky”
– Remote disk handles overflow and backup

• The flash acts as:
– A persistent cache/log of virtual disk
– Storage for virtual machine state

• Local disk as “lookaside” for virtual disk content

Why Virtualization?

• Eliminates host-specific customization
– (e.g. drivers, etc)

• Easy to encapsulate and move VM state
• Fewer “moving parts” on host
– Easier to manage/secure: VMM is only requirement

• Development cost (our prototype < 1 kloc)
– Simple to customize basic abstractions

• Good performance and getting better
– Hardware support of virtualization

• Other platforms? XBox2?
• Virtual disks make provisioning new users easy

Differencing Disks

• Compact representation of overlaid content
• Standard feature of virtual machines
• Convenient for shared disk provisioning
– E.g. multiple users share same base disk

[Figure: Differencing Disk(s) layered over a Base Disk; the VMM sees the composed disk]

Why a network connection?

• At least for now, flash drives are too small
– With Windows+Office it’s easy to overflow a 1GB disk

• Backup is automatic
– Server can keep multiple restore points

• Perhaps this requirement can be eliminated in the future

[Figure: Kiosk Architecture. Panels: VMM Host; File Server (Base Disk Image, User-Specific Differencing Disk); VirtualPC (Your Computing Environment, Disk as seen by your programs, Composed of ...); Flash Disk (Write Log, Read Cache); Lookaside Images (~Base Disk)]

[Figure: Disk Writes (same architecture diagram)]

[Figure: Disk Reads (same architecture diagram, steps numbered 1 to 5)]

Demo

A bit more detail

• Persistent state on flash
– Virtual machine state (optional)
– Writes logged since last merge
– Fingerprint for every 16K chunk in remote virtual disk
• MD5 as a fingerprinting algorithm (128 bits)
– Set of cached 16K chunks

[Figure: Persistent, in flash. A: Chunk number to Fingerprint map (for entire disk): FP0 FP1 … FPN. B: Write Log (sectors): e.g. 17 → data for sector 17, 27 → data for sector 27, 3 → data for sector 3. C: Read Cache (chunks): e.g. 35 → data for chunk 35, 7 → data for chunk 7, 114 → data for chunk 114]

[Figure: Volatile, in memory. A: Chunk number to Fingerprint map (for entire disk): FP0 FP1 … FPN. C: Write log hash table (sectors): 17, 27, 3, … → Sector 17, Sector 27, Sector 3. B: FP to Read Cache hash table (chunks): FP35, FP7, FP114, … → Chunk 35, Chunk 7, Chunk 114. D: FP to Static Disk hash table (chunks): FP, FP, FP, … → Lookaside Image]

Updating the Fingerprint Map

• Must compute new chunk fingerprints
• Partial chunks require unwritten sectors

[Figure: Read old chunk → Add new sectors → New FP]
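The persistent flash state from "A bit more detail" (fingerprint map, write log, read cache, lookaside image) and the fingerprint update above, as an added example that is not the project's code. It assumes 512-byte sectors, dicts standing in for the remote virtual disk and the lookaside image, and MD5 fingerprints as in the talk; read requests go write log, then read cache, then lookaside, then server, and merge rebuilds partially written chunks from their old contents.

```python
import hashlib

SECTOR = 512                      # assumed sector size
CHUNK = 16 * 1024                 # the talk fingerprints 16K chunks of the virtual disk
SPC = CHUNK // SECTOR             # sectors per chunk

def fp(chunk: bytes) -> bytes:
    return hashlib.md5(chunk).digest()   # 128-bit MD5 as in the talk; not collision-resistant today

class FlashState:
    """Persistent flash state: A fingerprint map, B write log, C read cache (constructed model)."""
    def __init__(self, remote: dict, lookaside_chunks=()):
        self.remote = remote                                    # chunk no -> 16K bytes ("server in the sky")
        self.fpmap = {n: fp(d) for n, d in remote.items()}      # A: chunk no -> FP, for the entire disk
        self.write_log = {}                                     # B: sector no -> 512 bytes since last merge
        self.read_cache = {}                                    # C: FP -> chunk bytes
        self.lookaside = {fp(d): d for d in lookaside_chunks}   # D: FP -> chunk in the kiosk's local image
        self.remote_reads = 0                                   # trips to the server, for the test

    def _chunk(self, n: int) -> bytes:
        """Locate chunk n by fingerprint: read cache, then lookaside image, then the server."""
        f = self.fpmap[n]
        if f in self.read_cache:
            return self.read_cache[f]
        if f in self.lookaside:
            return self.lookaside[f]
        self.remote_reads += 1
        return self.read_cache.setdefault(f, self.remote[n])    # fetched chunks are cached

    def read_sector(self, s: int) -> bytes:
        if s in self.write_log:                                 # a logged write is newest
            return self.write_log[s]
        off = (s % SPC) * SECTOR
        return self._chunk(s // SPC)[off:off + SECTOR]

    def write_sector(self, s: int, data: bytes) -> None:
        assert len(data) == SECTOR
        self.write_log[s] = data                                # only the flash log is written

    def merge(self) -> None:
        """Merge the log to the server; a partially written chunk needs its unwritten sectors."""
        for n in sorted({s // SPC for s in self.write_log}):
            old = bytearray(self._chunk(n))                     # read old chunk
            for s in range(n * SPC, (n + 1) * SPC):
                if s in self.write_log:                         # add new sectors
                    old[(s % SPC) * SECTOR:(s % SPC + 1) * SECTOR] = self.write_log[s]
            new = self.remote[n] = bytes(old)
            self.fpmap[n] = fp(new)                             # new FP
            self.read_cache[self.fpmap[n]] = new                # merge updates read cache
        self.write_log.clear()
```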

What’s actually implemented

• Write “log” is a differencing disk on flash
– Differencing drive chain:
• Flash differencing disk → Home differencing disk → Home base disk

• Manual merging only
– No automatic updates in background
– Standard VirtualPC “merge to parent”
– Merge updates read cache

• Read cache is untuned

Potential Drawbacks

• Security of kiosk machine
• Infrastructure rollout
• Connectivity requirement
– As flash sizes grow, need for online server decreases
– Range of solutions possible depending on size

• Artifacts of virtualization
– Availability of pass-through devices
– Fancy graphics devices unavailable

• Ensuring that working set fits within the cache

Performance Bottlenecks

• Windows likes to write to disk
– Flash fills up quickly
– Differencing disk overlays >10% of base image

• Read/write performance:
– 4K Reads (sequential or random) ~.8 ms
– 4K Writes (sequential) ~1.0 ms
– 4K Writes (random) >20ms !!!!

We have confirmed this by analyzing traffic at the USB driver level. The root cause of the 20 ms latency is a mystery. Our observations are inconsistent with NAND-memory specs.

Optimizations (current)

• Fast-launch defragmentation turned off
• Paging disabled
• Last-access date on files disabled
• Various services turned off
• No anti-virus / indexing

Optimizations (possible)

• Implement real log (for sequentiality)
– With redundant write elimination

• RAM disk for temporary files (e.g. IE)
• Keep guest-OS NTFS log on local disk
• Log writes to on-kiosk differencing disk … periodic sync to flash
• Network read/write compression
• Virtual disk snapshots

Security

• Primary threats:
– Bogus, tapped, or otherwise compromised kiosk
– Theft of device

• But, this is a computer:

[Figure: USB flash device internals: ASIC or processor, NAND Memory]

Trusting the Kiosk

• Non-technical considerations
– Physical security
• Site security (e.g. within a corporation)
• Physical packaging and locks (like an ATM)
• Kiosk owner must be accountable

• Technical solutions
– NGSCB / Trusted Boot / Attestation
• Small footprint (e.g. just OS+VMM) helps here
– User-specific, unforgeable visual feedback
– External helper device with UI (e.g. cellphone)

Protecting Against Theft

• On-flash encryption, “unlocks” data only after:
– Flash authenticates kiosk
– Flash informs user that kiosk is OK
– User gives credentials (e.g. password or biometric)

• Lock-out on repetitive failure

• Host-based encryption is also possible
– But gives weaker guarantees

• User can roll back to disk state on server
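The unlock ordering above (kiosk authenticates, user is told the kiosk is OK, then credentials, with lock-out on repeated failure) as an added example, not the project's code. It assumes a shared-secret HMAC challenge/response standing in for the talk's kiosk attestation, PBKDF2 for the password, and a constructed lock-out threshold; the stored verifier is a hash of the KDF output so that a stolen device does not reveal the data key.

```python
import hashlib, hmac, os

MAX_FAILURES = 5        # lock-out threshold (constructed value)
ROUNDS = 100_000        # PBKDF2 iterations (constructed value)

class FlashLock:
    """Unlock gate on the device: kiosk authenticates, user is told it is OK, credentials unlock."""
    def __init__(self, kiosk_secret: bytes, password: str):
        self.kiosk_secret = kiosk_secret      # assumed shared with trusted kiosks (HMAC challenge/response)
        self.salt = os.urandom(16)
        # Store a hash of the KDF output, not the output: a thief holding the flash cannot derive the key
        self.verifier = hashlib.sha256(b"verify" + self._kdf(password)).digest()
        self.failures = 0
        self.kiosk_ok = False
        self.nonce = None

    def _kdf(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, ROUNDS)

    def challenge(self) -> bytes:
        """Fresh nonce so a recorded kiosk response cannot be replayed."""
        self.nonce = os.urandom(16)
        return self.nonce

    def verify_kiosk(self, response: bytes) -> bool:
        if self.nonce is None:
            return False                      # no outstanding challenge
        expected = hmac.new(self.kiosk_secret, self.nonce, hashlib.sha256).digest()
        self.nonce = None                     # single use
        self.kiosk_ok = hmac.compare_digest(expected, response)
        return self.kiosk_ok                  # the device's own UI tells the user "kiosk OK" only if True

    def unlock(self, password: str):
        """Return (status, data_key); the key leaves the device only on 'ok'."""
        if self.failures >= MAX_FAILURES:
            return "locked_out", None
        if not self.kiosk_ok:
            return "kiosk_unverified", None   # never take credentials before the kiosk is verified
        cand = self._kdf(password)
        if not hmac.compare_digest(hashlib.sha256(b"verify" + cand).digest(), self.verifier):
            self.failures += 1
            return "bad_password", None
        self.failures = 0
        return "ok", hmac.new(cand, b"flash-data-key", hashlib.sha256).digest()

def kiosk_respond(kiosk_secret: bytes, nonce: bytes) -> bytes:
    """What a genuine kiosk computes for the device's challenge."""
    return hmac.new(kiosk_secret, nonce, hashlib.sha256).digest()
```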

Related Projects

• Internet suspend/resume
– CMU / Intel Labs
– Virtual machine serial portability
– Supported by Coda-like distributed FS
– Flash for read optimization

• Stanford “Collective” project
– Portable virtual machine
– Virtual state/disk “capsule” hierarchy

Conclusions

• New model for desktop portability
• Augments range of existing techniques
• Spectrum of flash-based solutions

• Looking for ways we can help product efforts
• Haven’t explored business/market ramifications
• Highlights two growing market forces: Flash and Virtualization