From: Michael J Cafarella (mjc@cs.washington.edu)
Date: Sun Nov 14 2004 - 20:43:46 PST
Upgrading Transport Protocols Using Untrusted Mobile Code
By Patel, Whitaker, Wetherall, Lepreau, and Stack
Review by Michael Cafarella
CSE561
November 15, 2004
Main result:
The authors introduce a system for distributing new transport protocol code
to internet hosts safely, even though the code itself is untrusted. Many
useful internet protocol upgrades are rolled out only slowly or partially
because the bar for upgrading is too high: a protocol upgrade typically
requires a new operating system release, and operating systems are upgraded
only rarely. This is made worse by the fact that many protocols require every
party to run the new version, or at least only deliver their improvements
when every party does.
The authors' solution is to break the dependence between the protocol
stack and the operating system version. They propose to add untrusted
protocols dynamically to a system, so that any application can install
and use protocols when necessary. Each protocol implementation exists
in a software layer between the socket and the network layer.
Since protocols typically require kernel privileges to execute, user-installed
modules are a huge security problem. So the protocols are written in Cyclone,
a type-safe dialect of C. Like Java programs, Cyclone programs are typed and
can be restricted to certain behaviors. By preventing the Cyclone protocol
module from taking certain actions, the STP system ensures that protocol
upgrades are safe for the host.
There are a few potential problems with this approach that the authors
tackle. They show that performance under Cyclone is still very reasonable;
the language safety does not seem to be a huge burden. Further, they
limit what any STP protocol can actually send to the network: a protocol
is not allowed to emit more packets than a similar TCP connection would.
This prevents poorly-written or malicious protocols from turning the
machine into a rogue host on the internet. Unfortunately, certain protocols
that are designed to be more aggressive than TCP in the face of loss
(e.g., protocols for wireless links, where losses usually signify signal
loss rather than router packet drops) cannot be implemented with this system.
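To make the TCP-friendliness cap concrete, the following is an added example (not code from the STP paper, and not a claim about how STP itself enforces the limit). It assumes the cap is computed with the TCP throughput equation of RFC 5348 (TFRC) and enforced by a token bucket that the trusted layer owns, so the untrusted module has to ask permission for every packet. The second run, with a 10% loss rate, shows the caveat from the paragraph above: on a lossy wireless link the equation treats every loss as congestion, so the cap collapses even if the module "knows" the losses are not congestion.

```python
import math

def tcp_friendly_rate(mss_bytes, rtt_s, loss_rate, max_rate=1.25e8):
    """Bytes per second a conforming TCP flow would get on this path.

    RFC 5348 (TFRC), Section 3.1:
        X = s / (R*sqrt(2bp/3) + t_RTO * 3*sqrt(3bp/8) * p * (1 + 32 p^2))
    with b = 1 and t_RTO = 4R. With no observed loss the equation is unbounded,
    so a configured ceiling (assumed here: 1 Gbit/s) applies instead.
    """
    if loss_rate <= 0.0:
        return max_rate
    b = 1
    t_rto = 4.0 * rtt_s
    term_fast = rtt_s * math.sqrt(2.0 * b * loss_rate / 3.0)
    term_rto = (t_rto * 3.0 * math.sqrt(3.0 * b * loss_rate / 8.0)
                * loss_rate * (1.0 + 32.0 * loss_rate ** 2))
    return min(max_rate, mss_bytes / (term_fast + term_rto))


class SendGate:
    """Token bucket owned by the trusted layer, not by the untrusted module.

    The bucket refills at the TCP-friendly rate for the current path estimate
    and holds at most `burst_packets` worth of bytes, so the module can never
    out-send a TCP flow on the same path over any interval longer than a burst.
    """

    def __init__(self, mss_bytes, rtt_s, loss_rate, burst_packets=4, now=0.0):
        self.mss = mss_bytes
        self.rate = tcp_friendly_rate(mss_bytes, rtt_s, loss_rate)
        self.capacity = float(burst_packets * mss_bytes)
        self.tokens = self.capacity
        self.last = now
        self.refused = 0

    def update_path(self, rtt_s, loss_rate):
        """Called by the trusted layer as it re-estimates RTT and loss."""
        self.rate = tcp_friendly_rate(self.mss, rtt_s, loss_rate)

    def try_send(self, now, nbytes):
        """Return True and charge the bucket if `nbytes` may go out now."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        self.refused += 1
        return False


def run_untrusted_module(gate, packets, interval_s, start=0.0):
    """Model an untrusted module that tries to blast MSS-sized packets,
    one every `interval_s` seconds. Returns (sent, refused)."""
    sent = 0
    for i in range(packets):
        if gate.try_send(start + i * interval_s, gate.mss):
            sent += 1
    return sent, gate.refused


if __name__ == "__main__":
    # Constructed path estimates: 100 ms RTT, 1460-byte MSS.
    wired = SendGate(1460, 0.1, 0.01)     # 1% loss, a wired path
    wireless = SendGate(1460, 0.1, 0.10)  # 10% loss, a lossy wireless link
    for name, gate in (("wired 1% loss", wired), ("wireless 10% loss", wireless)):
        sent, refused = run_untrusted_module(gate, packets=1000, interval_s=0.001)
        print(f"{name}: cap {gate.rate / 1460:.1f} pkt/s, "
              f"module got {sent} of 1000 packets out in 1 s, {refused} refused")
```

Each call to `try_send` is the one decision point the module cannot bypass; the module sees only yes or no, never the bucket, and a module that ignores "no" simply has its packet dropped by the trusted layer. Note that `update_path` is fed by the trusted layer's own loss measurement, so a module cannot raise its cap by lying about losses.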
This seems like a very reasonable idea for upgrading protocols, and
is very relevant today, when few protocols actually get out of the
research arena and into widespread use. However, while STP is clever, it
seems to be an operating systems paper rather than a networking one.
The need for a special trusted STP layer really points to the failure
of modern OSes to provide good mechanisms for upgrading individual parts
of the OS. Why isn't the entire system upgradable the way STP makes the
network stack upgradable? That is beyond the scope of this paper, but it
seems to be the real issue at hand.
This archive was generated by hypermail 2.1.6 : Sun Nov 14 2004 - 20:43:47 PST