
Web Intelligence and Agent Systems: An International Journal 8


Web Intelligence and Agent Systems: An International Journal 8 (2010) 203–217
DOI 10.3233/WIA-2010-0187
IOS Press

Information security underlying transparent computing: Impacts, visions and challenges

Yaoxue Zhang a,∗, Laurence T. Yang b, Yuezhi Zhou a and Wenyuan Kuang a

a Key Laboratory of Pervasive Computing, Ministry of Education, Tsinghua National Laboratory for Information Science and Technology, Department of Computer Science and Technology, Tsinghua University, Beijing 100084, P. R. China. E-mail: {zhangyx,zhouyz}@mail.tsinghua.edu.cn
b Department of Computer Science, St. Francis Xavier University, Antigonish, NS, B2G 2W5, Canada. E-mail: [email protected]

Abstract. The rapid development of computer network technologies and social informationalization has brought many new opportunities and challenges in information security. With improved information and service sharing enjoyed by more and more people, how to strengthen information security has become an increasingly critical issue. In this paper, we propose a new network security mechanism based on a novel computing paradigm, i.e., transparent computing, which is based on the extended von Neumann architecture. This paradigm separates program storage from execution, and is implemented in the network environment. It is realized by a new generation of server and client BIOS, namely EFI BIOS, coordinated with the MetaOS management platform and the related switching and input/output devices of transparent computing. Through the interface between hardware and software, it conducts effective control, monitoring and management of data and instructions in a block-streaming way for the operating system and the application programs above it. At the same time, it adopts a security protection mechanism to prevent and remove prevalent malicious software such as worms and Trojan horses. Several demonstrated examples are described in detail to illustrate the attractive and promising security features and advantages.

Keywords: Transparent computing, extended von Neumann architecture, ubiquitous and pervasive services, Meta OS, service sharing

1. Introduction

In recent years, because of the rapid developments in computer network technologies and social informationalization, the security of computer information systems is becoming more and more important. Traditional ways mainly focus on such methods and techniques as encryption, decryption or other enhancement strategies to ensure the security of either the transmitted content or the smooth execution of operating systems and their application programs. Nowadays the scope of the security issue has been extended, ranging from physical network transmission and computer system execution through to massive data and content storage, etc., and correspondingly, various attack and defense mechanisms and techniques such as information masquerade, cheating, penetration and propagation, disclosure, destruction, auditing and monitoring have been used widely in different computer and information networking systems.

*Corresponding author. E-mail: [email protected].

Undoubtedly, these new mechanisms and techniques have significantly positive impacts on computer and network security. However, as users' demands and expectations on computers and networks are growing drastically, computer systems have become larger and more complicated. For example, in ubiquitous or pervasive environments, hardware and software are becoming more complex, harder to maintain and manage, and need more frequent system upgrades. This may well lead to even more security holes in these systems. Therefore, it is more difficult to ensure the high security of the corresponding computer and network systems.

1570-1263/10/$27.50 c© 2010 – IOS Press and the authors. All rights reserved

Currently the security issues can be classified, from the behavioral point of view, into the following categories [3,6,30]:

– Destructive attack and defense: this refers to attacking and counter-attacking behaviors via viruses, modifying data in transit or denial of service, and so on, aiming to interfere with or destroy the victim computer and information systems.

– Information-based attack and defense: this refers to those behaviors via eavesdropping and monitoring traffic flow and data in transit, guessing secret keys and passwords, masquerading one entity as another, as well as other misconduct to obtain unauthorized data or resources from the host computer and information systems.

– Content analysis and filtering: this refers to such behaviors as identifying, retrieving and selecting massive Internet data to get useful information, prevent violent and pornographic contents, and protect intellectual property.

– Misplay protection: this prevents those authorized or legitimate users from operating without appropriate protocols and rules, which may bring about harmful effects to the system and other users, and leave the system vulnerable to outside attackers.

– Information leakage protection: this prevents any internal system administrator and operator from disclosing any unauthorized or classified information by using networks, laptops, removable hard drives and other storage devices. Currently such countermeasures mainly rely on non-technical law and management rules.

Correspondingly, information security systems can be roughly divided into the following categories:

– Specific information security systems: examples include anti-virus software [32], firewalls [2,10], Virtual Private Networks (VPN) [7], various encryption systems and key management techniques [24], etc.

– Biometric identification systems [18,19]: in these systems user ID and privileges must be verified before the user accesses designated information and resources.

– Trusted computer systems [33–35]: refer to those systems that, starting from the hardware and BIOS levels, are constructed by a trusted chain with user authorization and authentication.

– Content discrimination and filtering systems [21,36]: refer to those systems that, on the application level, discriminate and filter all users' visited content to ensure them suitable and safe access and protect the intellectual property rights concerned.

– Secure operating systems [13]: starting from the classification of data and information access control, these systems conduct tight monitoring and protection on the reading and writing operations on data and instructions, as well as I/O requests and interrupt handling, etc.

Originally designed for stand-alone machines, all the above security systems have one or another system architectural flaw. For example, it is very difficult to prevent information disclosure, for in networking environments information is stored in a distributed manner, and basically all users on the client terminals may have their own hard disks and removable storage devices. They can easily access all classified information and leak it out; due to the lack of anti-virus and protection capabilities, attackers can easily inject various viruses and malicious software such as Trojan horses and zombies into the victim servers and client operating systems via the network. This would lead to many serious problems, like massive system crashes and information disclosure and leakage. A major reason for this is that the system architectures are designed without a network-based perspective. As the number of attacking methods and techniques significantly increases with the rapid development of computer networks, the defense or counter-attacking measures still use those outdated ones intended for stand-alone machines, lacking network-based considerations.

A new computing paradigm based on a network-based perspective, namely Transparent Computing [38], has been proposed to address such problems. The core idea of this paradigm is to extend von Neumann's architecture based on the "stored program concept" into networking environments spatio-temporally. In this extended model, execution and storage of programs, including operating system and applications, are done separately in different computers: the former performed in the clients and the latter in the servers. Specifically, system/service programs are stored on the central servers, fetched on demand in a block-streaming way instead of downloaded all at once, and automatically initiated/executed on the embedded devices or client systems with local CPU and memory resources. Users can get different (or the same) services, including commodity OSes and applications, via the same (or different) embedded device(s) or client system(s). Furthermore, users don't need to do or even care about the installation, maintenance and management of services. This computing paradigm totally changes the traditional system architectural basis, and thus naturally provides an extended mechanism to enhance the security and trust features of the corresponding computer systems.

This paper focuses on the security enhancing mechanism based on Transparent Computing and demonstrates that this new computing paradigm can provide a potentially new approach to more secure computer systems. The rest of this paper is organized as follows. We first present a short overview of Transparent Computing, including its concept, architecture and related implementation, in Section 2. In Section 3, we introduce several security enhancement mechanisms based on Transparent Computing, which lay the foundation for establishing more secure information systems. Section 4 gives some examples we have implemented to illustrate the effectiveness of Transparent Computing in terms of system security. We also discuss some related work that has been done to tackle the problems of information security in Section 5. Finally, we summarize our efforts and discuss future work in Section 6.

2. Transparent computing

Transparent Computing [38] is a new pervasive/ubiquitous paradigm to realize users' service sharing. Based on the same philosophy as pervasive/ubiquitous computing, transparent computing involves a kind of network thinking. As illustrated in Fig. 1 and Fig. 2, service sharing means users can get the same services through different embedded devices, hardware platforms (such as MID, LID and digital home appliances) or computing devices (such as personal computers); or they can access different services through the same embedded device, platform or computing device. In order to support service sharing, the client systems must be able to support, run and display various operating systems and their associated software.

While virtual machine technology [20,29,37] provides a new paradigm on client systems to support and display multiple operating systems, it also incurs additional performance overhead due to its virtualization of all hardware resources, including CPU and memory. Therefore it demands to be executed on a high performance hardware computing platform. Such a virtualization solution cannot be efficiently applied to ubiquitous or pervasive applications, since most of the clients are embedded in systems or devices which are not capable of running the host operating system needed to support other operating systems and their applications.

Fig. 1. Different services on the same hardware platform.

The essential idea of the transparent computing paradigm is to extend the von Neumann "stored program concept" architecture into networking environments spatio-temporally. In this extension, computation and storage of programs are separated in different computers. Specifically, the system/service programs (no matter which OS or application program) are stored on the central servers (like a warehouse), to be fetched on demand if needed, and automatically initiated/executed on embedded devices or client systems with local CPU and memory resources (like a factory). When users need the services but cannot access them through the client system, it will send interrupt and I/O requests through the network to the servers where all necessary data and instructions are stored. The server(s) will handle all corresponding interrupt and I/O requests accordingly, then send the data and instructions back in a block-streaming way to the client system for execution.

The basic idea of the separation of storage and execution in the transparent computing paradigm is illustrated in Fig. 3. In order to realize such separation via networks, the following two fundamental problems should be solved. Firstly, how to manage and distribute the data and instructions in the server, and secondly, how to solve the compatibility issue between different client system hardware and the different operating systems supplied by the server. The first problem can be translated into how to ensure all necessary data and instructions are sent to client systems on time, and the second, how all data and instructions sent to client systems can be executed efficiently. An interface between Meta OS and hardware/software such as EFI (Extensible Firmware Interface) [12] has been proposed to address the above two problems in [38]. Correspondingly, a transparent client and server system called 4VP+ supporting both Windows and Linux has been successfully implemented [25] and widely used and deployed for daily use in such fields as education, industry and electronic government in China.

Fig. 2. The same services on different hardware platforms.

Fig. 3. An extended von Neumann architecture.

Meta OS [38] is a super operating system to control and manage different operating systems. It is distributed in every server and client system, and resides above the BIOS level and beneath the different operating systems (called "Instance OSes", such as Windows and Linux). In order to realize the separation of execution and storage, the Meta OS should have two basic functions. One is to enable users to select which operating system should be loaded and used, and then boot the needed OS remotely from server repositories. The other is to schedule programs demanded by users in a streaming way during or after the booting of the operating system. This is vital because local storage is lacking in the client system. The structure of Meta OS is shown in Fig. 4; it consists of four virtual views of I/O, disk, file and users, and two protocols, MRBP (Multi-OS Remote Boot Protocol) and NSAP (Network Service Accessing Protocol).

The implementation of Meta OS is through a 4VP+ (short for four virtual layers and two protocols) distributed platform, which partially operates at the assembler instruction level. This 4VP+ software platform is mostly installed in a management server, except for a part of MRBP that is burned into a BIOS EEPROM in the bare client. However, the other programs of the 4VP+ platform run in client systems or server(s) according to their specific functions. Those parts of 4VP+ running in the client systems will also be fetched from the server repository along with the Instance OSes.

Fig. 4. Layered architecture of transparent computing.

The MRBP is used to boot bare clients remotely from servers. It enables users to select their desired OSes and applications and then installs an NSAP (Network Service Access Protocol) module, written in assembler instructions, to enable virtual I/O for clients. Through this virtual I/O interface, clients can access the OS images located at servers and then load them as if from a regular I/O device. After the dynamically scheduled OS is started up, the OS-specific in-kernel modules for Virtual I/O Management (VIOM), Virtual Disk Management (VDM), Virtual File Management (VFM) and Virtual User Management (VUM) will function to help the users access the software and carry out their tasks seamlessly. The above four modules can be further elaborated as follows:

– Virtual I/O Management (VIOM): it receives interrupt and I/O requests of user processes; analyzes the causes of interrupts, then wakes up the interrupt handling routines and responds accordingly; analyzes the reasons for I/O requests, then allocates devices and buffers and starts I/O operations. In the transparent computing paradigm, the buffer queues are different from traditional paradigms due to the network extension, and interrupts and I/O requests are much more complex due to the use of network devices. The interrupt and I/O handling between clients and servers have to be synchronized and mutually exclusive.

– Virtual Disk Management (VDM): this module functions for the allocation, collection and driving of virtual disks (V-disks), and the virtual swapping and scheduling of programs and data streams between client systems and the server(s). V-disks are flat addressable block-based virtual storage devices located beneath file systems. A transparent client can be configured to access data from one or more V-disks, with each corresponding to a V-disk image located on the server. There are four categories of V-disks: System V-disk (S), used to store the "golden image" of OS and applications; Shadow V-disk (H), a user-specific copy-on-write (COW) disk of the system V-disk to enable write access to the system V-disk content; Profile V-disk (P), a profile V-disk to store user-specific persistent data such as customized user settings for OS and applications for each user; and User V-disk (U), used to store private user data.

– Virtual File Management (VFM): this module functions for the allocation and management of file space and directories, as well as file redirecting, access, control and retrieval, and ensures file consistency.

– Virtual User Management (VUM): this module functions for the configuration and management of user profiles, management of users' addresses and processes, as well as addition and removal of users.
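The four V-disk categories above, as an added block-level model in Python (not code from the paper or the 4VP+ platform): one client address space is laid out as the S range followed by the P and U ranges, writes aimed at S are redirected copy-on-write into the user's H disk, and discarding H returns the session to the golden image. The 512-byte block size, the address layout and the `discard_shadow` recovery step are assumptions of this example.

```python
"""Block-level model of the four V-disk categories (S, H, P, U) from Section 2.

Constructed illustration, not code from the 4VP+ platform. One client session
sees a single flat block address space; the Virtual Disk Management layer maps
each block number to a V-disk image on the server. Writes aimed at the shared
System V-disk (S) are redirected to the user's Shadow V-disk (H) copy-on-write,
so the golden image is never modified and every user still sees their own view.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

BLOCK_SIZE = 512  # assumed block size


@dataclass
class VDisk:
    """A flat, addressable block store backing one V-disk image on the server."""
    name: str
    nblocks: int
    blocks: Dict[int, bytes] = field(default_factory=dict)

    def read(self, n: int) -> bytes:
        # Unwritten blocks read as zeros, like a sparse image file.
        return self.blocks.get(n, b"\x00" * BLOCK_SIZE)

    def write(self, n: int, data: bytes) -> None:
        if not 0 <= n < self.nblocks or len(data) != BLOCK_SIZE:
            raise ValueError("bad block write")
        self.blocks[n] = data


class ClientView:
    """VDM view for one user: [S range][P range][U range] in one address space."""

    def __init__(self, system: VDisk, shadow: VDisk, profile: VDisk, user: VDisk):
        if shadow.nblocks != system.nblocks:
            raise ValueError("shadow must mirror the system V-disk geometry")
        self.s, self.h, self.p, self.u = system, shadow, profile, user
        self.p_base = system.nblocks
        self.u_base = self.p_base + profile.nblocks
        self.nblocks = self.u_base + user.nblocks

    def _locate(self, n: int) -> Tuple[VDisk, VDisk, int]:
        """Map a client block number to (disk for reads, disk for writes, offset)."""
        if not 0 <= n < self.nblocks:
            raise ValueError("block out of range")
        if n < self.p_base:
            # System range: reads prefer the COW copy; writes always land in H.
            return (self.h if n in self.h.blocks else self.s), self.h, n
        if n < self.u_base:
            return self.p, self.p, n - self.p_base
        return self.u, self.u, n - self.u_base

    def read(self, n: int) -> bytes:
        src, _, off = self._locate(n)
        return src.read(off)

    def write(self, n: int, data: bytes) -> None:
        _, dst, off = self._locate(n)
        dst.write(off, data)

    def discard_shadow(self) -> int:
        """Drop all COW blocks so the session falls back to the golden image.
        Returns how many shadow blocks were discarded."""
        count = len(self.h.blocks)
        self.h.blocks.clear()
        return count


def demo() -> dict:
    """Two users share one golden image; one of them modifies a system block."""
    golden = VDisk("S", 8)
    golden.write(0, b"\x55" * BLOCK_SIZE)  # constructed boot block content
    golden.write(3, b"os-binary".ljust(BLOCK_SIZE, b"\x00"))
    alice = ClientView(golden, VDisk("H-alice", 8), VDisk("P-alice", 2), VDisk("U-alice", 4))
    bob = ClientView(golden, VDisk("H-bob", 8), VDisk("P-bob", 2), VDisk("U-bob", 4))

    # Alice's Instance OS rewrites a system block; the write lands in her shadow only.
    alice.write(3, b"patched".ljust(BLOCK_SIZE, b"\x00"))
    # She also saves a setting to her profile range and a file to her user range.
    alice.write(alice.p_base, b"theme=dark".ljust(BLOCK_SIZE, b"\x00"))
    alice.write(alice.u_base + 1, b"notes".ljust(BLOCK_SIZE, b"\x00"))

    result = {
        "golden_untouched": golden.read(3).startswith(b"os-binary"),
        "alice_sees_patch": alice.read(3).startswith(b"patched"),
        "bob_sees_golden": bob.read(3).startswith(b"os-binary"),
        "alice_profile": alice.read(alice.p_base).rstrip(b"\x00"),
        "bob_profile_empty": bob.read(bob.p_base) == b"\x00" * BLOCK_SIZE,
    }
    # Discarding the shadow restores the golden view without touching P or U.
    result["discarded"] = alice.discard_shadow()
    result["alice_restored"] = alice.read(3).startswith(b"os-binary")
    result["alice_user_kept"] = alice.read(alice.u_base + 1).startswith(b"notes")
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```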

The Extensible Firmware Interface (EFI) [12], later the Unified Extensible Firmware Interface (UEFI), is a specification that defines a software interface between an operating system and platform firmware. EFI/UEFI was developed as a significantly improved version of the old legacy BIOS firmware interface historically used by all IBM PC compatible personal computers. It standardizes two primary functions of the PC Basic Input/Output System (BIOS): the firmware-to-OS interface and platform initialization. It consists of data tables that contain platform-related information, plus boot and runtime service calls that are available to the operating system and its loader. EFI/UEFI provides a clean and stable interface between operating systems and the platform at boot time and supports an architecture-independent mechanism for initializing add-ins.

As illustrated in Fig. 5, with the standardization of interfaces between operating systems and platform or embedded system firmware, it is anticipated that, in the transparent computing paradigm, various operating systems and applications will be able to run and be shared on different architectures, platforms or embedded systems, so as to accelerate the evolution of innovative and differentiated system designs.


Fig. 5. Architecture-independent extensions with EFI/UEFI.

3. Impacts on information security

Because the transparent computing paradigm separates the storage of program instructions and data from execution via the network, it not only makes possible the central management of data and instructions, but enables different operating systems to run on the same hardware platform in a harmonious way, which reduces hardware and software complexity, costs and management difficulty. Next we will discuss and analyze the impact on information security from the viewpoints of system architecture, viruses, and information disclosure and leakage.

3.1. Secure system architecture

Traditional methods to ensure the security of computer systems mainly focused on secure operating systems, identification, authorization, authentication and monitoring, firewalls and gateways, various anti-virus and scanning systems, encryption and decryption, etc. In recent years, people have started to think about building the trusted chain from the BIOS, on which to construct trusted computing systems. As information systems become increasingly complex and networked, the traditional security framework of system architectures and techniques is facing even more daunting challenges. For example, secure operating systems are considered a promising solution, and thus the BLP security model has been proposed to classify different security levels for different operating systems, but this solution still cannot solve all the problems currently in front of us. In particular, users who do not have the source code of secure operating systems cannot make any further changes and updates to enhance the security of their own systems. Additionally, in the traditional von Neumann architecture, all reading and writing operations on file blocks are done through the system bus, disk file storage, data exchange areas or data blocks in the buffer queues. If users cannot monitor the reading and writing operations on files, attackers can easily bypass the reading and writing protection mechanism and cause destructive damage to users' files and the entire computer system.

The transparent computing paradigm provides a new and more secure system architecture to overcome the above issues. It extends the traditional stored program concept to networked/ubiquitous computers or devices spatio-temporally. Specifically, the storage and execution of programs are separated between different computers. Applications and operating systems are stored on the central computers (servers) instead of the local storage devices of traditional architectures. Therefore all reading and writing operations on data and instruction blocks must go through the network buffers. This makes it possible for system administrators to monitor and control, via network switches and gateways, all data and instruction block streams, including those of operating systems, without having to rely entirely on a secure operating system. This will shift the focus of secure system architecture from secure operating systems and the applications above them to the BIOS level and the data and instruction streams above it between clients and servers. Since the BIOS is the level closest to hardware, and is relatively less complex compared with secure operating systems, such an approach can much more easily solve all the related challenges and difficulties we are facing.

3.2. The anti-virus mechanism

Fig. 6. OS file system structural changes.

Fig. 7. Changes of the reading and writing operation path.

Typically most viruses start to spread and attack computer systems in one of the following two ways: changing the boot sector, or modifying data during reading and writing operations. Transparent computing provides an effective defense mechanism to address these issues, which is also realized by either of two methods: adding a control and protection area in the Instance OS's boot sector [25], or changing the reading and writing operations on data and instruction blocks to prevent the virus attacks. Firstly, for those viruses trying to destroy the boot sector, this new paradigm can set up various control and protection parameters at the BIOS and EFI interface to prevent the boot sector from being infected and damaged. Figure 6 gives a detailed illustration of the structural changes of the OS file system. The control and protection areas have the following advantages:

– After receiving the initial interrupt signals such as the INT 13 signal from MRBP (Multi-OS Remote Boot Protocol), the Meta OS can retrieve and identify the corresponding Instance OS from the server.

– Through the EFI interface, some related control and protection parameters can be adjusted to effectively prevent the relevant viruses from rewriting and destroying the boot sector.

A detailed example of how to prevent viruses from attacking the boot sector will be given in Section 4.

Further, this new computing paradigm changes the way files are read and written in Instance OSes. In Instance OSes, the reading and writing mechanism can be divided into three types: synchronous reading and writing, asynchronous reading and writing, and delayed reading and writing. All three types are implemented and used among the memory, cache and hard disk of the von Neumann architecture, as illustrated in Fig. 7(a). In the transparent computing paradigm, the reading and writing mechanism is totally different. Since the client system does not have a hard disk (the hard disk is replaced by the virtual disk image in the server), when an Instance OS reads or writes (whether synchronous, asynchronous or delayed) on the hard disk, the reading and writing path will be extended like the one depicted in Fig. 7(b). Correspondingly, Meta OS will revise the reading and writing programs to adapt them to the above-mentioned new reading and writing path of the transparent computing paradigm. Obviously, all viruses involving reading and writing operations on data and instructions will fail to activate.

Furthermore, since all reading and writing operations on data and instructions in the Instance OS become visible, once anything unusual happens during the process, the system administrator can adjust the control and protection parameters immediately to stop and prevent any further infection. A detailed example of how to prevent read- and write-related viruses will be described in Section 4.
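The boot-sector protection parameters and the visible read/write path of Section 3.2 (and the access recording used for leakage prevention in Section 3.3), as an added server-side example in Python that is not code from the paper or the 4VP+ platform: every block request the Instance OS sends over the network is checked against administrator-tunable parameters, recorded for audit, and a burst of writes to many distinct blocks is flagged as unusual. The assumed layout (block 0 as the boot sector), the read-only range and the burst threshold are constructed for this example.

```python
"""Meta OS-side gate over the block stream between an Instance OS and its V-disk images.

Constructed illustration of Sections 3.2 and 3.3, not code from the 4VP+ platform.
Because every read/write an Instance OS issues crosses the network as a block
request, the server can apply "control and protection parameters" before the
block reaches the image, record every access for audit, and flag unusual
write activity so an administrator can tighten the parameters.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple

BOOT_SECTOR_BLOCKS = 1  # block 0 holds the boot sector (assumed layout)


@dataclass
class ProtectionParams:
    """Tunable parameters an administrator adjusts through the management server."""
    boot_sector_writable: bool = False  # True only during an explicit maintenance window
    read_only_ranges: List[Tuple[int, int]] = field(default_factory=list)  # inclusive [lo, hi]
    burst_window: float = 2.0  # seconds
    burst_threshold: int = 16  # distinct blocks rewritten within the window


@dataclass
class BlockRequest:
    user: str
    client: str
    op: str      # "read" or "write"
    block: int
    t: float     # timestamp supplied by the transport layer


class BlockStreamGate:
    def __init__(self, params: ProtectionParams):
        self.params = params
        self.audit: List[dict] = []
        self.alerts: List[str] = []
        self._recent_writes: Dict[str, Deque[Tuple[float, int]]] = {}

    def _policy(self, req: BlockRequest) -> str:
        """Return 'allow' or a denial reason based on the current parameters."""
        if req.op not in ("read", "write"):
            return "deny:bad-op"
        if req.op == "read":
            return "allow"
        if req.block < BOOT_SECTOR_BLOCKS and not self.params.boot_sector_writable:
            return "deny:boot-sector-protected"
        for lo, hi in self.params.read_only_ranges:
            if lo <= req.block <= hi:
                return "deny:read-only-range"
        return "allow"

    def _note_write(self, req: BlockRequest) -> bool:
        """Track distinct blocks written per client; True when a burst is detected."""
        q = self._recent_writes.setdefault(req.client, deque())
        q.append((req.t, req.block))
        while q and req.t - q[0][0] > self.params.burst_window:
            q.popleft()
        return len({b for _, b in q}) > self.params.burst_threshold

    def process(self, req: BlockRequest) -> str:
        decision = self._policy(req)
        unusual = False
        if decision == "allow" and req.op == "write":
            unusual = self._note_write(req)
            if unusual:
                self.alerts.append(f"{req.client}: write burst at t={req.t:.2f}")
        # Every request is recorded, allowed or not, so the whole access process is visible.
        self.audit.append({"user": req.user, "client": req.client, "op": req.op,
                           "block": req.block, "decision": decision, "unusual": unusual})
        return decision


def demo() -> dict:
    params = ProtectionParams(read_only_ranges=[(1, 7)], burst_threshold=4, burst_window=1.0)
    gate = BlockStreamGate(params)
    # Constructed request stream from one client session.
    boot_write = gate.process(BlockRequest("alice", "client-7", "write", 0, 0.0))
    os_write = gate.process(BlockRequest("alice", "client-7", "write", 5, 0.1))
    data_read = gate.process(BlockRequest("alice", "client-7", "read", 0, 0.2))
    data_write = gate.process(BlockRequest("alice", "client-7", "write", 40, 0.3))
    # A burst rewriting many distinct data blocks within one second.
    for i in range(6):
        gate.process(BlockRequest("alice", "client-7", "write", 100 + i, 0.4 + i * 0.05))
    # The administrator opens a maintenance window; the boot sector becomes writable.
    params.boot_sector_writable = True
    maint_write = gate.process(BlockRequest("admin", "mgmt", "write", 0, 5.0))
    return {
        "boot_write": boot_write, "os_write": os_write, "data_read": data_read,
        "data_write": data_write, "maint_write": maint_write,
        "alerts": len(gate.alerts), "audited": len(gate.audit),
    }


if __name__ == "__main__":
    print(demo())
```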

3.3. Information leakage prevention

The largest advantage of the transparent computing paradigm in terms of information security lies in its effectiveness in information leakage prevention due to its central management feature. For example, since the client systems do not store any data, users cannot directly copy any data and instructions. If users want to access the server to get the relevant data and instructions, the transparent computing system can monitor and record the entire access process via Meta OS. If necessary, it can stop all illegal access requests. Since the client systems do not contain any of their own data and instructions, they are totally useless if they are not connected with the network and managed by the Meta OS. Therefore, this computing paradigm allows all information to be centrally stored, monitored and managed, so as to effectively avoid and prevent any information leakage.

3.4. Ubisafe computing

With the rapid advance of information technology and the spread of information services, the IT disparity between different groups of people in terms of age, social standing and race has been expanding and has become a critical social problem of the 21st century. Ubisafe [23] is a novel and inclusive paradigm proposed to study and provide possible solutions, with a unified methodology, to satisfy the needs of people in any situation, any place and at any time. The ultimate goal is to build a computing environment in which all people and organizations can benefit from ubiquitous services anytime, anywhere, with satisfaction and without worrying or thinking about safety. It covers such issues as reliability, security, privacy, persistency, trust, risk, uncontrollability and other watchfulness, while considering the novel, essential ubiquitous and pervasive features of unobtrusive computers, diverse users/people and life-like systems. For example, since so many sensors and embedded systems are deployed in our daily life, several woeful accidents, due to diverse and inappropriate software designs and other reasons, have been reported, such as a boy being trapped and killed by a revolving hotel door, or the temperature of a programmed toilet seat being too high, which may lead to a very negative attitude towards new technologies among people. The traditional way to deal with these tragic problems is to re-design the corresponding software systems, but it is very expensive. The updates and upgrades on those sensors and embedded systems may not only result in tremendous economic loss, but also lead to further safety and security problems; in the worst case, the whole system may have to be rebuilt from scratch.

Transparent computing provides a new way to update and upgrade these embedded systems and sensors effectively. When system administrators find missing functionality or technical flaws, they can fetch the latest revised resources from the network and carry out the update or upgrade there. This is a simpler, safer and more feasible way to realize a Ubisafe computing environment, provided that the server and the path to it are themselves trusted, which is one of the open issues listed in Section 6.

4. Demonstrated examples

The current prevalence of the Internet makes malicious software one of the major threats to computer systems. Early computer viruses propagated by embedding harmful code in executable programs or in the system sector of a hard disk, set to "explode" when certain conditions were met. From the mid-1990s, macro viruses became the most prevalent type; they are particularly threatening because they are platform independent, infect documents instead of executable code, and spread easily. They take advantage of the macro facility of Word and other applications. Besides self-replication, many viruses carry payload code that sends copies from computer to computer across network connections. On arrival, a copy may be activated to replicate and propagate again, and usually performs disruptive or destructive actions secretly, without the user's awareness.

Currently there are more than one hundred thousand active malicious programs, of which around six to seven thousand are major ones. There has been a constant arms race between virus writers and antivirus programmers. The most significant types of malicious software are:

– Boot sector virus: it infects a master boot record and spreads when a system is booted from the disk containing the virus.

– Parasitic virus: the most traditional and still most common form of virus; it attaches itself to executable files and replicates when the infected program is executed.

– Macro virus: a prevalent type of virus, particularly threatening because macro viruses are platform independent, infect documents instead of executable code, and spread easily.

– Memory-resident virus: it lodges in main memory as part of a resident system program and from there infects every program that is executed.

Fig. 8. System configuration for demonstrated examples.

– Trojan horse: a useful, or seemingly useful, program or command procedure (e.g., a game, utility or software upgrade) containing hidden code that performs some unwanted or harmful function. It lets its author accomplish indirectly what an unauthorized user could not accomplish directly.

– Worm: a program that replicates itself and sends copies from computer to computer across network connections. It actively seeks out more machines to infect, and each infected machine serves as an automatic launching pad for attacks on other machines. To replicate, a network worm uses some network vehicle such as e-mail, remote execution or remote login. Once active within a system, a network worm can behave like a virus or bacterium, implant Trojan horse programs, or perform any other harmful and unwanted action.

In order to verify the security protection mechanism of the transparent computing paradigm, we conducted some preliminary experiments on a transparent computing system connected by a LAN, as illustrated in Fig. 8. The experimental system consists of the experiment controller, the malicious software sample depository, the victims in the transparent computing system, and a PC system. From the propagation point of view, malicious software can be divided into passive and active kinds. Passive software attempts to learn from or make use of information in the system but does not affect system resources; its aim, by eavesdropping on or monitoring data transmissions, is to obtain message contents or to observe traffic flows. Such software is difficult to detect because it does not alter any data. Active software attempts to alter system resources or affect their operation: by modifying the data stream it masquerades as another entity, replays previous messages, modifies messages in transit, or denies service. W32.Sasser.Worm, which spreads by exploiting a buffer overflow in the Windows LSASS service, is an example of the active kind. The characteristics of active software are the opposite of those of passive software: whereas passive software is difficult to detect, measures are available to prevent it from succeeding; active software, on the other hand, is very hard to prevent absolutely, owing to the potential presence of physical, software and network vulnerabilities, so in the latter case the goal is to detect and recover from any disruption or delay it causes.

We set up two passive malicious software sample depositories, one on the transparent computing system server and one on a PC system, and an active one on a victim PC system outside the LAN. The passive sample depositories contain file viruses, macro viruses such as Melissa, boot sector viruses such as Polyboot, Trojan horses including the info-stealing Trojan Netchief and the disk-killer Trojan HDBreaker, and so on. The active one includes different worms such as W32.Sasser.Worm and the mass-mailing worm W32.Netsky.C. First we installed a virus control program on the experiment controller; it communicates over a customized lightweight protocol with activation programs on the transparent client and on the PC, instructing them to launch the malicious software. We then compared how the samples infect the two machines. The traditional PC ends up with its disk destroyed or totally infected, whereas the transparent client keeps running normally, and even if it is infected it runs normally again after a reboot. This clearly demonstrates the inherent advantage of the proposed computing paradigm in terms of system security.

Fig. 9. Example of info-stealing Trojan on the PC and the transparent computing system.

Two samples, the info-stealing Trojan Netchief and the disk-killer Trojan HDBreaker, are used as the demonstrated examples. Figure 9 shows how Netchief infects the PC and the transparent computing system. The control console shows that the Trojan runs only on the PC system; no running instance can be traced on the transparent computing system.

Figures 10 and 11 show the disk-killer Trojan on the transparent computing system and on the PC system, respectively. Figures 10(a) and 11(a) show the main experimental interface from which the malicious software is activated. Once HDBreaker is selected, Figs 10(b) and 11(b) show the interface for running the experiment, which injects the sample into either the transparent client or the PC. Figures 10(c) and (d) show the sample being activated and fully activated on the transparent client, respectively.

Figure 11(f) shows clearly that on the PC the Windows operating system has been completely destroyed, so the system administrator has to wipe the hard disk and reinstall the operating system. On the transparent client, by contrast, the protection mechanism of the Meta OS over the boot sector prevents the Trojan from infecting the client's boot sector; the user simply restarts the system and goes back to work as usual, as shown in Fig. 10(f).
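The following added example is not the authors' Meta OS code; it is a toy model, written for this page, of the properties exercised by the demonstrations above and by the leakage-prevention argument earlier in Section 3: a server-side V-disk that streams blocks of an immutable shared image, gives each client a per-session copy-on-write overlay that a reboot discards, checks every block request against an access-control list, and records each request in an audit log. The block size, client names, ACL and sample image are assumptions made for the example; `run_disk_killer` and `run_info_stealer` only imitate the effect of the HDBreaker and Netchief samples (zeroing the boot sector; reading data without authorization) and contain no malware logic.

```python
"""Toy model of a transparent-computing V-disk server (added example, not the
authors' Meta OS). Assumptions: the shared OS image is served in fixed-size
blocks and never written; each client's writes go to a per-session
copy-on-write overlay on the server that is dropped on reboot; every request
is checked against a per-client ACL and logged server-side."""
import hashlib

BLOCK_SIZE = 16  # bytes per block (assumption; real sectors are 512 B or 4 KiB)


class AccessDenied(PermissionError):
    """The ACL refused a request; the attempt is still in the audit log."""


class VDiskServer:
    def __init__(self, base_image, acl):
        if len(base_image) % BLOCK_SIZE:
            raise ValueError("image must be a whole number of blocks")
        self._base = bytes(base_image)              # immutable shared image
        self._acl = {c: set(ops) for c, ops in acl.items()}
        self._overlays = {}                         # client -> {block_no: bytes}
        self.audit = []                             # (client, op, block_no, result)
        # Per-block digests of the golden image, checked by verify_image().
        self._manifest = [hashlib.sha256(self._base_block(n)).hexdigest()
                          for n in range(self.num_blocks)]

    @property
    def num_blocks(self):
        return len(self._base) // BLOCK_SIZE

    def _base_block(self, n):
        return self._base[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]

    def _authorize(self, client, op, block_no):
        allowed = (op in self._acl.get(client, set())
                   and 0 <= block_no < self.num_blocks)
        self.audit.append((client, op, block_no, "ok" if allowed else "denied"))
        if not allowed:
            raise AccessDenied(f"{client}: {op} block {block_no}")

    def read_block(self, client, block_no):
        self._authorize(client, "read", block_no)
        # A block this client has written shadows the shared image (copy-on-write).
        return self._overlays.get(client, {}).get(block_no, self._base_block(block_no))

    def write_block(self, client, block_no, data):
        self._authorize(client, "write", block_no)
        if len(data) != BLOCK_SIZE:
            raise ValueError("writes must cover exactly one block")
        self._overlays.setdefault(client, {})[block_no] = bytes(data)

    def reboot(self, client):
        """The client has no local disk, so rebooting just drops its overlay."""
        self._overlays.pop(client, None)
        self.audit.append((client, "reboot", None, "ok"))

    def verify_image(self):
        """Block numbers whose shared-image content no longer matches the manifest."""
        return [n for n in range(self.num_blocks)
                if hashlib.sha256(self._base_block(n)).hexdigest() != self._manifest[n]]


# Constructed sample image of four blocks; block 0 stands in for the boot sector.
BOOT_SECTOR = b"BOOT:MetaOS-v1.0"
SAMPLE_IMAGE = BOOT_SECTOR + b"KERNEL.........." + b"APPDATA........." + b"USERDATA........"


def make_demo_server():
    return VDiskServer(SAMPLE_IMAGE, acl={
        "tc-client-1": {"read", "write"},   # an ordinary transparent client
        "kiosk": {"read"},                  # hypothetical read-only client
    })                                      # any other host has no rights


def run_disk_killer(server, client):
    """Disk-killer effect: zero the boot sector and the next block, then return
    what the client sees in block 0 before and after a reboot."""
    zeros = b"\x00" * BLOCK_SIZE
    for n in (0, 1):
        server.write_block(client, n, zeros)
    before = server.read_block(client, 0)
    server.reboot(client)
    return before, server.read_block(client, 0)


def run_info_stealer(server, client, block_no):
    """Info-stealer effect from a host the ACL does not trust: the read is
    refused before any block leaves the server, and the attempt is logged."""
    try:
        server.read_block(client, block_no)
        return "read succeeded"
    except AccessDenied:
        return "denied"


if __name__ == "__main__":
    srv = make_demo_server()
    print(run_disk_killer(srv, "tc-client-1"))      # boot sector zeroed, then restored
    print(run_info_stealer(srv, "unknown-host", 3))  # denied
    print(srv.verify_image(), srv.audit[-2:])
```

Run it directly to see the three results. The point is that the disk killer's writes never reach the shared image, so a reboot restores the boot sector, while the unauthorized read fails on the server and leaves a trace in `audit`. Note what the model does not give: a write-capable client can still corrupt its own session until it reboots, a read-capable client can still exfiltrate whatever the ACL lets it read, and the monitoring only helps if someone inspects the log.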

5. Related work

Extensive research on distributed and pervasive computing platforms has been reported. Our work is most closely related to network computers, thin clients, network (distributed) file systems, and virtual machine based systems.

To deal with the management burden of personal computers, network computers such as Sun's JavaStation [15] were proposed as replacements. That solution supports only WWW and Java applications, not general commodity OSes or other applications such as Microsoft Office.

Thin-client systems have been very popular and, by providing a full-featured desktop to users at low management cost, are regarded as pervasive computing platforms. Exemplary systems include Microsoft RDP [11], Citrix ICA [4], Sun Ray 1 [31], VNC [26], and MobiDesk [1]. In the thin-client paradigm all computing tasks are performed at the central server, while the client acts only as a user interface, handling display and keyboard/mouse input/output. Although such systems also provide centralized management, they greatly increase the server resource requirements and scale poorly; applications with heavy computing requirements (e.g., multimedia) usually cannot be supported efficiently. Furthermore, there is no isolation of user performance and no security guarantee: one user can easily interfere with another when they share the server.

Fig. 10. Example of disk killer Trojan on the transparent computing system.

Network file systems and devices such as NFS [27], AFS [16] and NAS [14] are popular solutions for sharing data in a distributed enterprise environment. Although they can share user files flexibly, they generally do not support sharing operating system or application files, because running software needs to write to the location where it resides in order to save configuration or user-specific data.

Our idea of centralizing storage while distributing computing is similar to the early concept of diskless computers (e.g., [9,22]). Without a local hard disk, a diskless computer usually downloads an OS kernel image from a remote server, so it cannot support OSes that lack a clearly separable kernel image, such as Windows, nor boot heterogeneous OSes. In transparent computing, by contrast, the V-disks perceived by users can be flexibly mapped to V-disk image files on the server. This flexibility allows a transparent computing system to share OS and application software across clients, reducing storage and management overhead, while still isolating personal files for user privacy.

Fig. 11. Example of disk killer Trojan on the PC system.

The iSCSI protocol has been used to access disk blocks over the network [28]. In particular, the iBoot project [17] at IBM proposed a method to boot a commodity OS remotely over iSCSI. An iBoot client needs a special BIOS ROM to carry out the OS boot process, so it is not generally applicable. For better performance, a transparent computing system could adopt iSCSI in place of the current V-disk access protocol, but the protocol implementation may need to be modified to fit the small memory of the client BIOS.

The concept of resource virtualization was introduced long ago and has recently been adopted to address issues such as security, flexibility and user mobility in computer systems. For example, commercial products such as VMware [37] extend the virtual machine concept to support multiple commodity platforms. The disks of these virtual machines are also virtualized, but they reside on the local host machine and are accessed through the file system of the host OS. In contrast, the virtual disks of a transparent computing system are located on the remote server, with different types of V-disk for sharing and isolating data among users.

VM-based stateless thick-client approaches such as ISR (Internet Suspend/Resume [20]) use virtual machine technology (e.g., VMware) together with a network file system (e.g., Coda [29]) to support user mobility. Each ISR client runs the OS and applications on top of a preinstalled VMware on the host OS. Virtual machines also support heterogeneous OSes, but they incur additional performance overhead from virtualizing all hardware resources, including CPU and memory, whereas in a transparent computing system client OSes run directly on the CPU, memory and graphics hardware.

SoulPad [5] is another project that uses the virtual machine concept for mobility, with a portable storage device holding the entire virtual machine image. The Collective project [8] proposed a cache-based system management model based on virtual machines to reduce the management tasks of desktop computing. Like the transparent computing system, it uses different types of virtual disks, among which an immutable system disk protects against outside threats. Compared with Collective, the transparent computing system uses copy-on-write (COW) file semantics instead of COW disks, and it adopts on-demand block-level disk access instead of a network file system (such as NFS) to access and cache disk images.

6. Conclusions and future work

This paper has tried to give a detailed description of the impact on information security of the transparent computing paradigm, which is based on the spatio-temporally extended von Neumann architecture; information security has been a significant issue ever since computing and information technology became part of daily life. The new paradigm brings a revolutionary change in computer system architecture: the execution and storage of programs, including the operating system and applications, are separated between client systems and server(s). System and service programs are stored on central servers, fetched on demand in a block-streaming way, and automatically initiated and executed on the client using its local CPU and memory. This radically reduces the workload on the client systems, dramatically improves performance, efficiency and the ability to run heterogeneous operating systems on various hardware platforms, and significantly strengthens central management and service. Its impact on information security is correspondingly large. In the traditional von Neumann model, all security discussion relies on a secure operating system and the security applications above it, such as access control programs, because users and system administrators do not know exactly how data and instructions are handled (read, written and transmitted) within the operating system, whereas security problems such as viruses and information leakage are tightly coupled precisely with those read and write operations.

The transparent computing system allows system administrators to fully understand and control all reading, writing and transmission of this internal data and these instructions. Furthermore, the control parameters of the Meta OS can be adjusted at the BIOS level to manage and control the operating system (the Instance OS), to identify users' access privileges and to prevent virus infections. It can also prevent intentional and unintentional information leakage by users and administrators.

The transparent computing paradigm has inherent advantages that not only suit educational, industrial, military, governmental and entertainment applications well, but are particularly useful in mobile, family and home applications. Currently more than one hundred thousand transparent computing systems have been deployed in these fields in China. As the paradigm becomes more widely used, its security features and advantages will become more and more attractive. To further improve the system, we plan to conduct more in-depth research in the following directions:

– The secure and trusted system architecture: the paradigm has shifted the focus of the essential security issues from the secure operating system down to the Meta OS and BIOS (e.g., EFI) levels. Although an implementation at these levels is simpler and easier, how to build the security model, define the system structure and classify the functional blocks still needs further systematic study.

– How to control and implement the read and write operations between the Meta OS and the Instance OS is still an open problem. This control mechanism will directly influence the protection against and prevention of viruses, and it is closely related to the question of how to build a trusted transparent computing system.

– How to detect and control the data and instruction streams is a very challenging research issue. At the server and the gateway, the new paradigm provides a mechanism that makes detection and control possible, but the details and techniques of its implementation need comprehensive investigation in the future.

– The integration of existing security techniques into the transparent computing paradigm would be an interesting topic.

– Further studies on Ubisafe computing and other emerging areas.

References

[1] R.A. Baratto, S. Potter, G. Su, and J. Nieh. MobiDesk: Mobile Virtual Desktop Computing. In Proceedings of the 10th Annual International Conference on Mobile Computing and Networking, 2004.

[2] S.M. Bellovin and W.R. Cheswick. Network Firewalls. IEEE Communications Magazine, 32(9):50–57, 1994.

[3] M. Bishop. Computer Security: Art and Science. Addison-Wesley, 2003.

[4] I. Boca. Citrix ICA Technology Brief, Technical White Paper, 1999.

[5] R. Caceres, C. Carter, C. Narayanaswami, and M. Raghunath. Reincarnating PCs with Portable SoulPads. In Proc. of ACM/USENIX MobiSys, pages 65–78, 2005.

[6] J. Carter and A. Ghorbani. Towards a Formalization of Value-centric Trust in Agent Societies. Web Intelligence and Agent Systems, 2(3):167–184, 2004.

[7] M. Carugi and J. De Clercq. Virtual Private Network Services: Scenarios, Requirements and Architectural Constructs from a Standardization Perspective. IEEE Communications Magazine, 42(6):116–122, 2004.

[8] R. Chandra, N. Zeldovich, C. Sapuntzakis, and M.S. Lam. The Collective: A Cache-Based System Management Architecture. In Proc. of NSDI, pages 259–272, May 2005.

[9] D.R. Cheriton and W. Zwaenepoel. The Distributed V Kernel and its Performance for Diskless Workstations. In Proceedings of the 9th ACM Symposium on Operating Systems Principles, pages 128–140, Bretton Woods, N.H., October 1983.

[10] W.R. Cheswick, S.M. Bellovin, and A.D. Rubin. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, 1996.

[11] B. Cumberland, G. Carius, and A. Muir. Microsoft Windows NT Server 4.0, Terminal Server Edition: Technical Reference. Microsoft Press, 1999.

[12] Extensible Firmware Interface. http://www.uefi.org/.

[13] R.J. Feiertag and P.G. Neumann. The Foundations of a Provably Secure Operating System (PSOS). In Proceedings of the National Computer Conference, pages 329–334, 1979.

[14] G.A. Gibson and R. Van Meter. Network Attached Storage Architecture. Communications of the ACM, 43(11):37–45, 2000.

[15] R.G. Herrtwich and T. Kappner. Network Computers – Ubiquitous Computing or Dumb Multimedia? In Proceedings of the Third International Symposium on Autonomous Decentralized Systems, 1997.

[16] J.H. Howard, M.L. Kazar, S.G. Menees, et al. Scale and Performance in a Distributed File System. ACM Transactions on Computer Systems, 6(1):51–81, 1988.

[17] iBoot, Remote Boot Over iSCSI. http://www.haifa.il.ibm.com/projects/storage/iboot/index.html, 2008.

[18] A. Jain, L. Hong, and S. Pankanti. Biometric Identification. Communications of the ACM, 43(2):91–98, 2000.

[19] A.K. Jain, R. Bolle, and S. Pankanti. Biometrics: Personal Identification in Networked Society. Kluwer Academic Publishers, 1999.

[20] M. Kozuch and M. Satyanarayanan. Internet Suspend/Resume. In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications, 2002.

[21] P.Y. Lee, S.C. Hui, and A.C.M. Fong. Neural Networks for Web Content Filtering. IEEE Intelligent Systems, 17(5):48–57, 2002.

[22] R. Finlayson. Bootstrap Loading Using TFTP. RFC 906, 1984.

[23] J. Ma, Q. Zhao, V. Chaudhary, J. Cheng, L.T. Yang, R. Huang, and Q. Jin. Ubisafe Computing: Vision and Challenges (I). In Proceedings of the 3rd International Conference on Autonomic and Trusted Computing (ATC-06), pages 386–397, September 2006.

[24] D. Maughan, M. Schertler, M. Schneider, and J. Turner. Internet Security Association and Key Management Protocol (ISAKMP). RFC 2408, 1998.

[25] RedFlag Linux. http://www.redflag-linux.com/eindex.html, 2003.

[26] T. Richardson, Q. Stafford-Fraser, K.R. Wood, and A. Hopper. Virtual Network Computing. IEEE Internet Computing, 2(1):33–38, 1998.

[27] R. Sandberg, D. Goldberg, S. Kleiman, D. Walsh, and B. Lyon. Design and Implementation of the Sun Network Filesystem. In USENIX Association Conference Proceedings, 1985.

[28] J. Satran, K. Meth, C. Sapuntzakis, M. Chadalapaka, and E. Zeidner. Internet Small Computer Systems Interface (iSCSI). RFC 3720, 2004.

[29] M. Satyanarayanan. The Evolution of Coda. ACM Transactions on Computer Systems, 20(2), 2002.

[30] W. Stallings. Cryptography and Network Security, 4th ed. Prentice Hall, 2005.

[31] Sun Ray Overview, White Paper, Version 2. http://www.sun.com/sunray/whitepapers.html, December 2004.

[32] P. Szor. The Art of Computer Virus Research and Defense. Addison-Wesley, 2005.

[33] TCG PC Client Specific Implementation Specification for Conventional BIOS, Version 1.20.

[34] TCG PC Specific Implementation Specification, Version 1.1.

[35] TCG Specification Architecture Overview, Revision 1.4. https://www.trustedcomputinggroup.org/groups/TCG_1_4_Architecture_Overview.pdf, 2007.

[36] Z. Tian, M. Hu, B. Li, B. Liu, and H. Zhang. Defending Against Distributed Denial-of-Service Attacks with an Auction-Based Method. Web Intelligence and Agent Systems, 4(3):341–351, 2006.

[37] VMware GSX Server. http://www.vmware.com/products/gsx, 2001.

[38] Y. Zhang and Y. Zhou. Transparent Computing: A New Paradigm for Pervasive Computing. In Proceedings of the 3rd International Conference on Ubiquitous Intelligence and Computing (UIC-06), pages 1–11, September 2006.