3/31/99 TIS Labs at Network Associates
AMP Project Status
Stephen Schwab
TIS Labs at Network Associates
March 31, 1999
AMP Project
• AMP Overview
• Exokernel Techniques
• AMP Security Architecture
• Work Status
AMP Node OS Project
• Goals
– Provide separation and controlled sharing between EEs and flows on each Active Network node
– Support multiple EEs
– Constrain Active Code so that it can access only those entities for which it has authorization
• Utilize techniques developed throughout the AN community for safely and securely importing Active Code
– Implement security mechanisms without compromising performance
Active Networks Framework
Figure (from Calvert, 1998): Execution Environments (EE1, EE2, IPv6, Management EE) sit above the Node OS, which provides storage, channels, a policy database and a security enforcement engine.
AMP Node OS Implementation
• Exploit new features of a radically different OS architecture: the MIT Exokernel
• Exokernels separate concerns:
– control of resources: kernel
– management: library OS
• Library OS located in the address space of each application (in AMP, each EE)
AMP System Architecture
Figure: the xok kernel holds the capabilities (CAPS), scheduler queue, packet filter, page tables and transmission queue; in user space the SWT, backed by the policy database, maps flows to capabilities (FLOWS/CAPS) and dispatches packets to the EEs.
Exokernels
• Key Concept: expose information
– Expose allocation decisions
– Expose low-level names
– Expose revocation
• By allowing applications to directly manage resources, exokernels eliminate the costs associated with the mismatch between an application's specific requirements and a general-purpose implementation
Xok/LibExos Architecture
Figure: the xok kernel (capabilities, scheduler queue, packet filter, page tables) below user space, where each application runs in its own environment linked against its own copy of libExos, with shared state between environments.
Xok Features
• Hierarchical Capabilities
– Uniform resource protection mechanism
– Each Xok environment has a ring of capabilities associated with it
– Extensible, tamper-proof, explicitly passed on syscalls
Figure: C1 = (1 2 5), C2 = (1 2 5 1); C1 dominates C2 because C1 is a prefix of C2.
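The dominance rule in the figure, worked through as an added example in C (this is an illustrative model, not Xok source): a capability is a short sequence of integers, C1 dominates C2 when C1 is a prefix of C2, each environment keeps a ring of capabilities and names one by ring index on a syscall, and a resource is guarded by a single capability. The permission bits, the ring size, and the rule that a derived child may only shrink rights are assumptions of this example.

```c
/* Illustrative model of Xok-style hierarchical capabilities (added example,
 * not Xok source). Permission bits and the derive rule are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CAP_MAX_LEN 8
#define RING_SIZE   4
#define PERM_READ   1
#define PERM_WRITE  2

typedef struct {
    unsigned char len;
    unsigned char name[CAP_MAX_LEN];   /* hierarchical name, e.g. (1 2 5) */
    unsigned char perm;                /* rights conferred (assumed field) */
} cap_t;

typedef struct { cap_t ring[RING_SIZE]; int nring; } env_t;       /* capability ring */
typedef struct { const char *label; cap_t guard; } resource_t;    /* guarded kernel object */

static cap_t make_cap(const unsigned char *name, size_t len, unsigned char perm) {
    cap_t c; memset(&c, 0, sizeof c);
    if (len > CAP_MAX_LEN) len = CAP_MAX_LEN;
    c.len = (unsigned char)len; memcpy(c.name, name, len); c.perm = perm;
    return c;
}

/* C1 dominates C2 iff C1's name is a prefix of C2's name. */
bool cap_dominates(const cap_t *c1, const cap_t *c2) {
    return c1->len <= c2->len && memcmp(c1->name, c2->name, c1->len) == 0;
}

/* Derive a child capability by appending one component; the child may not
 * carry rights the parent lacks. */
bool cap_derive(const cap_t *parent, unsigned char component, unsigned char perm, cap_t *out) {
    if (parent->len >= CAP_MAX_LEN || (perm & ~parent->perm) != 0) return false;
    *out = *parent;
    out->name[out->len++] = component;
    out->perm = perm;
    return true;
}

/* Syscall-time check: the caller names a ring slot; access is granted iff that
 * capability dominates the resource's guard and carries the requested right. */
bool env_can_access(const env_t *env, int slot, const resource_t *r, unsigned char want) {
    if (slot < 0 || slot >= env->nring) return false;   /* bad index: deny, never fault */
    const cap_t *c = &env->ring[slot];
    return cap_dominates(c, &r->guard) && (c->perm & want) == want;
}

/* The slide's scenario: C1 = (1 2 5), C2 = (1 2 5 1). Returns how many of the
 * five checks behave as intended (5 means all of them). */
int demo(void) {
    unsigned char n1[] = {1, 2, 5}, n3[] = {1, 3};
    cap_t c1 = make_cap(n1, 3, PERM_READ | PERM_WRITE), c2;
    cap_derive(&c1, 1, PERM_READ, &c2);               /* C2 = (1 2 5 1), read-only */

    env_t parent, child;
    parent.ring[0] = c1; parent.nring = 1;           /* holds C1 */
    child.ring[0]  = c2; child.nring  = 1;           /* holds only C2 */
    resource_t page, other;
    page.label  = "page guarded by C2";    page.guard  = c2;
    other.label = "page guarded by (1 3)"; other.guard = make_cap(n3, 2, PERM_READ);

    int ok = 0;
    ok += env_can_access(&parent, 0, &page,  PERM_WRITE) == true;   /* C1 dominates C2 */
    ok += env_can_access(&child,  0, &page,  PERM_READ)  == true;   /* exact match */
    ok += env_can_access(&child,  0, &page,  PERM_WRITE) == false;  /* right not held */
    ok += env_can_access(&child,  0, &other, PERM_READ)  == false;  /* not a prefix */
    ok += env_can_access(&parent, 3, &page,  PERM_READ)  == false;  /* bad slot */
    return ok;
}

int main(void) { printf("%d/5 checks passed\n", demo()); return demo() == 5 ? 0 : 1; }
```

The point to notice is the direction of dominance: the environment holding the shorter name (1 2 5) reaches everything guarded under it, while the child holding (1 2 5 1) cannot reach its parent's resources, and a bad ring index is a denial rather than a fault.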
Restricted Languages
• Dynamic Packet Filter (DPF)
– Allows environments to download functions that are compiled into a native-code function that makes the packet delivery decision
• Wakeup Predicates
– Restricted expressions that allow an environment to sleep until a condition holds
• Untrusted Deterministic Functions
AMP Security Architecture
Figure: packets arrive and the Security Writer (SWT) is invoked before code is executed in a flow of control. The SWT's Manager and Validator components maintain flow capabilities, access decision objects and resource access control tables, which mediate access by each flow (thread of execution) to kernel resources. The numbered steps 1 to 7 in the figure are listed on the "Use of Xok Techniques in Diagram" slide.
Security Architecture
• Process credentials during flow creation
– within the SWT (Node OS Interface)
– create and manage capabilities
– maintain a cache of previous security decisions
• Provide interface to coordinate with EEs
– EE-specific policy and enforcement
• Control primitive resource types:
– CPU scheduling, memory, channels
Use of Existing Xok Techniques
• Hierarchical capability mechanism as basic hook for access control techniques
• Environment mechanisms as foundation for implementing EEs/flows
• Use of kernel modules for mappings between: flows, capabilities, resources, resource groups, ACLs
Use of Xok Techniques in Diagram
1. Dataflow of packets to SWT
2. SWT has broad powers of access/update to:
3. Flow/Capability Mapping
4. Resource/Group/ACL Mapping
5. ACL as Capability/Resource Mapping
6. Dispatch packet to proper flow
7. Flow accesses resources after access check using capability, mappings, and ACL
What is New in Diagram
• SWT: validator cache of credentials and capabilities previously computed by the manager using policy and the semantics of the credentials
• Access Decision Object
– New implementation of ACL
– Requires clean interface to ACL module
– May require extension of interface
What is Orthogonal to Xok
• Efficient implementation of access decision object
• Efficient interplay between validator and manager components of SWT
• Clever taxonomy of resources
• New crypto stuff for dynamic symmetric-cipher credentials in PKI
Control Facilities
• Demultiplexing Control Facility
• Scheduling Control Facility
• Transmission Control Facility
• Shared Memory Abstraction
– namespace control facility
Demultiplexing Control Facility
Figure (built up over three slides): an incoming ANEP packet is demultiplexed first to the ANEP layer, then to the ANTS1 EE, then to ANTS1 Flow 47; an ACK carrying FlowID = X is returned.
Figure (built up over four slides): the SWT keeps a Capabilities table and a Filter Table. ANEP Validate, with filter entries for ANEP/IP and ANEP/UDP/IP, holds a Filter Capability. INIT(ANTS) creates the EE = ANTS entry with its own EE Filter Capability and the filter entry ANTS1/ANEP..., under the Top-Level Flow capability ANEP.ANTS.FLOW (TL). Flows A and B are then created beneath TL, and flow A is subdivided into sub-flows A1 and A2, each flow and sub-flow receiving its own capability in the Capabilities table beneath its parent's.
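The flow-creation path sketched in the security architecture diagram (Manager decides, Validator caches) and the flow hierarchy built up in the demultiplexing slides, as one added example in C. This is an illustrative model, not AMP source: the credential fields, the policy rules, the dotted capability names of the form ANEP.ANTS.FLOW.A (taken from the slides' naming), the fixed table sizes and the longest-prefix dispatch rule are all assumptions of this example.

```c
/* Illustrative SWT flow-creation and dispatch path (added example, not AMP
 * source). Credentials, policy rules, flow names and table sizes are constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_FLOWS 16

typedef struct { const char *principal, *ee, *flow; } credential_t;
typedef struct { const char *principal, *ee, *flow; bool allow; } policy_rule_t;

/* Policy database consulted by the Manager; "*" matches anything, first hit wins. */
static const policy_rule_t policy[] = {
    { "alice", "ANTS", "*", true  },
    { "bob",   "ANTS", "B", true  },
    { "*",     "*",    "*", false },   /* default deny */
};

typedef struct { credential_t cred; bool allow; char cap[64]; } cache_entry_t;
typedef struct { char cap[64]; int flow_id; } filter_entry_t;

static cache_entry_t  vcache[MAX_FLOWS];  static int nvcache;   /* Validator cache */
static filter_entry_t filters[MAX_FLOWS]; static int nfilters;  /* Filter Table */
static int manager_calls;                                       /* policy evaluations */

static bool match(const char *pat, const char *s) { return strcmp(pat, "*") == 0 || strcmp(pat, s) == 0; }
static bool same_cred(const credential_t *a, const credential_t *b) {
    return strcmp(a->principal, b->principal) == 0 && strcmp(a->ee, b->ee) == 0 &&
           strcmp(a->flow, b->flow) == 0;
}

/* Manager: the expensive path, evaluates a credential against policy. */
static bool manager_decide(const credential_t *c) {
    manager_calls++;
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (match(policy[i].principal, c->principal) && match(policy[i].ee, c->ee) &&
            match(policy[i].flow, c->flow))
            return policy[i].allow;
    return false;
}

/* Validator: answer from the cache when possible; otherwise ask the Manager and
 * remember both the decision and the granted capability (denials are cached too,
 * so a rejected credential cannot force repeated policy work). */
bool swt_validate(const credential_t *c, char *cap_out, size_t cap_len) {
    for (int i = 0; i < nvcache; i++)
        if (same_cred(&vcache[i].cred, c)) {
            snprintf(cap_out, cap_len, "%s", vcache[i].cap);
            return vcache[i].allow;
        }
    bool allow = manager_decide(c);
    char cap[64] = "";
    if (allow) snprintf(cap, sizeof cap, "ANEP.%s.FLOW.%s", c->ee, c->flow);  /* below the EE's top-level cap */
    if (nvcache < MAX_FLOWS) {
        vcache[nvcache].cred = *c; vcache[nvcache].allow = allow;
        snprintf(vcache[nvcache].cap, sizeof vcache[nvcache].cap, "%s", cap);
        nvcache++;
    }
    snprintf(cap_out, cap_len, "%s", cap);
    return allow;
}

/* Secure flow creation: an authorization becomes a granted capability and a
 * filter-table entry. Returns the new flow id, or -1 if denied or table full. */
int swt_create_flow(const credential_t *c) {
    char cap[64];
    if (!swt_validate(c, cap, sizeof cap) || nfilters >= MAX_FLOWS) return -1;
    snprintf(filters[nfilters].cap, sizeof filters[nfilters].cap, "%s", cap);
    filters[nfilters].flow_id = nfilters + 1;
    return filters[nfilters++].flow_id;
}

/* Demultiplex on the packet's capability path: the longest filter that matches on
 * a component boundary wins, so A.A1 goes to its own flow if one exists and
 * otherwise to parent A. Returns -1 when no filter covers the packet. */
int swt_dispatch(const char *packet_cap) {
    int best = -1; size_t best_len = 0;
    for (int i = 0; i < nfilters; i++) {
        size_t n = strlen(filters[i].cap);
        bool boundary = packet_cap[n] == '\0' || packet_cap[n] == '.';
        if (strncmp(filters[i].cap, packet_cap, n) == 0 && boundary && n > best_len) {
            best = filters[i].flow_id; best_len = n;
        }
    }
    return best;
}

void swt_reset(void) { nvcache = nfilters = manager_calls = 0; }
int  swt_manager_calls(void) { return manager_calls; }

int main(void) {
    credential_t a = { "alice", "ANTS", "A" }, a1 = { "alice", "ANTS", "A.A1" };
    credential_t b = { "bob", "ANTS", "B" },   bad = { "bob", "ANTS", "A" };
    printf("A -> flow %d, A.A1 -> flow %d, B -> flow %d\n",
           swt_create_flow(&a), swt_create_flow(&a1), swt_create_flow(&b));
    printf("bob/A -> %d, again -> %d (manager calls: %d)\n",
           swt_create_flow(&bad), swt_create_flow(&bad), swt_manager_calls());
    printf("packet ANEP.ANTS.FLOW.A.A2 -> flow %d\n", swt_dispatch("ANEP.ANTS.FLOW.A.A2"));
    return 0;
}
```

Two details carry the security weight: the Validator caches denials as well as grants, and dispatch only matches on a dotted component boundary, so a filter for flow A does not capture a packet addressed to an unrelated flow whose name merely begins with "A".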
Scheduling Control Facility
• Xok implements a round-robin queue of scheduled quanta
• SWT can restructure/reassign quanta in queue as needed to provide guarantees
• Environments are the scheduled entities
• Well-behaved environments can clean up and gracefully yield the CPU
Scheduling in Xok
Figure: each scheduler quantum carries these attributes: environment, runnable flag, wakeup predicate, timer ticks, in-revocation flag, capability list.
1. New quantum selected
2. Prologue executed within the environment
3. Epilogue executed at the end of the quantum slice
4. Executing thread: yield to a thread or environment, or sleep until an event occurs
Transmission Control Facility
• Original Xok implementation does not guard the transmit syscall
• Need to control
– Bandwidth allocation
– Requested latency bounds
• Strategy: migrate buffers from transmitting flows to control facility
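The buffer-migration strategy above, worked through as an added example in C (an illustrative design, not AMP or Xok source). The flow hands its outgoing buffer to the control facility, which releases it to the wire only when the flow's bandwidth allocation permits; the allocation model (a per-flow byte budget refilled each scheduler tick, i.e. a token bucket), the bounded per-flow queue, and every number below are assumptions of this example.

```c
/* Illustrative Transmission Control Facility (added example, not AMP or Xok
 * source). Allocation model, queue bound and all numbers are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_FLOWS 4
#define MAX_QUEUE 8

typedef struct { size_t len; int flow; } buffer_t;

typedef struct {
    long rate_bytes_per_tick;   /* bandwidth allocated to this flow */
    long burst_bytes;           /* bucket capacity */
    long tokens;                /* bytes the flow may send right now */
    buffer_t queue[MAX_QUEUE];  /* buffers migrated from the flow, awaiting tokens */
    int  qlen;
    long sent_bytes, dropped_bytes;
} flow_tx_t;

static flow_tx_t flows[MAX_FLOWS];
static long wire_bytes;   /* bytes that reached the (simulated) NIC */

/* The raw transmit the slide describes as unguarded in Xok: it sends whatever it
 * is handed. Only the facility below is allowed to call it. */
static void nic_transmit(const buffer_t *b) { wire_bytes += b->len; flows[b->flow].sent_bytes += b->len; }

void tx_reset(void) { memset(flows, 0, sizeof flows); wire_bytes = 0; }
void tx_set_allocation(int flow, long rate, long burst) {
    flows[flow].rate_bytes_per_tick = rate; flows[flow].burst_bytes = burst; flows[flow].tokens = burst;
}

/* Guarded transmit: the buffer is migrated into the facility's per-flow queue.
 * A full queue drops the buffer and counts it, so a misbehaving flow cannot
 * grow the facility's memory without bound. */
bool tx_submit(int flow, size_t len) {
    if (flow < 0 || flow >= MAX_FLOWS) return false;
    flow_tx_t *f = &flows[flow];
    if (f->qlen == MAX_QUEUE) { f->dropped_bytes += len; return false; }
    f->queue[f->qlen++] = (buffer_t){ len, flow };
    return true;
}

/* Once per scheduler tick: refill each flow's bucket, then drain its queue in
 * order while the tokens cover the head buffer. Flows are visited round-robin so
 * one flow's backlog cannot starve another flow's allocation. */
void tx_tick(void) {
    for (int i = 0; i < MAX_FLOWS; i++) {
        flow_tx_t *f = &flows[i];
        f->tokens += f->rate_bytes_per_tick;
        if (f->tokens > f->burst_bytes) f->tokens = f->burst_bytes;
        int sent = 0;
        while (sent < f->qlen && (long)f->queue[sent].len <= f->tokens) {
            f->tokens -= (long)f->queue[sent].len;
            nic_transmit(&f->queue[sent]);
            sent++;
        }
        memmove(f->queue, f->queue + sent, (size_t)(f->qlen - sent) * sizeof(buffer_t));
        f->qlen -= sent;
    }
}

long tx_sent(int flow)    { return flows[flow].sent_bytes; }
long tx_dropped(int flow) { return flows[flow].dropped_bytes; }
long tx_wire_total(void)  { return wire_bytes; }

int main(void) {
    tx_reset();
    tx_set_allocation(0, 1000, 1500);                 /* flow 0: 1000 B/tick, 1500 B burst */
    tx_set_allocation(1, 200, 200);                   /* flow 1: 200 B/tick, no extra burst */
    for (int i = 0; i < 8; i++)  tx_submit(0, 500);   /* flow 0 queues 4000 B */
    for (int i = 0; i < 10; i++) tx_submit(1, 100);   /* flow 1: 8 accepted, 2 dropped */
    for (int t = 0; t < 3; t++)  tx_tick();
    printf("flow0 sent %ld, flow1 sent %ld (dropped %ld), wire total %ld\n",
           tx_sent(0), tx_sent(1), tx_dropped(1), tx_wire_total());
    return 0;
}
```

After three ticks flow 0 has sent 3500 bytes (1500 burst, then 1000 per tick) and flow 1 600 bytes, with 200 bytes dropped at submission because its queue was full; flow 1's allocation is honoured even though flow 0 submitted far more data, which is exactly what guarding the transmit path is for.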
Shared Memory Abstraction
• Need to implement some sort of namespace above the virtual memory/page table level
• Provide for storage of information that should be sharable between EEs
• Options
– Linda-style tuple space
– In-memory file system
– Fully functional persistent file system
Work Completed
• Exokernel Security Overview Report
• PAN port to Exokernel
– EE developed at M.I.T. to explore the limits of AN performance
– Written in C, defers security issues
– Similar structure to ANTS
• Node OS Interface WG
– First draft
Work-in-progress
• AMP Security Architecture Report
– Draft version identifying security requirements
• PLAN/OCAML port to exokernel
– Needed to support FBAR
• ANTS/KAFFE port to exokernel
– Prelude to supporting the TIS Labs SANP variant, which requires JDK 1.2 security functions
• Performance measurements
Work-in-progress (continued)
• DPF Control Facility
• Scheduler/Context Switching Experiments
• ABONE/ANETD startup activities
– preliminary to AMP nodes on the ABONE
• Security Interoperability
– credential formats, authorization granularity, policy specification, EE/Node OS trust boundary
Upcoming Work
• AMP System Design Report
– Need to finalize the security requirements and interactions before addressing implementation
• SWT and Control Facility Implementation
– Node OS Abstractions and Interface
– Secure flow creation (authorizations translated into granted capabilities protecting local resources)
Upcoming Work 2
• FBAR Team 6 Demo
– Standing up FBAR on two distinct EEs
– Definition of policy describing when and by whom separate FBAR instances or users may share state produced by Active Code
– Translation of policy into mediation and enforcement by the AMP architecture
Exokernel Research
• www.pdos.lcs.mit.edu
Node OS Flow Hierarchy
Figure (from Peterson, 1998): the NodeOS hosts Flow1 through FlowN, each with its own InChan and OutChan, all drawing on a shared memory pool and thread pool.
Channels
• Abstraction for Network Resources
– Generalizes the network I/O device to include:
• protocol stack (ANEP/UDP/IP/ETH)
• demultiplexing binding (addresses/ports/flow)
• other attributes (transmission limits, QoS)
– Anchored Channels for Input and Output
– Cut-through Channels for fast processing of non-active packets
Figure: a channel spanning the network interface, IP, UDP and ANEP layers.
Node OS Channels
Figure: EEs in user space send and receive through an InChannel and an OutChannel provided by the NodeOS; a CutChannel lets non-active packets pass from the network back out without reaching an EE.