From: Karthik Gopalratnam (karthikg@cs.washington.edu)
Date: Mon Nov 15 2004 - 00:38:35 PST
Review 22 - Upgrading Transport Protocols using Untrusted Mobile Code
This paper proposes "Self-spreading Transport Protocols" (STP) as a
solution to the problem of upgrading transport protocols across the
Internet, by designing a framework that allows end hosts to propagate and
run untrusted transport protocols in a secure manner.
New transport protocols do not realize their benefit, since they require
that both communicating hosts run the same version of the protocol, and
getting diverse machines to have these implemented in the kernel by the
OS vendor is very difficult. STP addresses exactly this problem: it provides
a fully backwards compatible framework that does not need explicit
kernel support for each version of a protocol, but instead provides a secure
framework that sandboxes untrusted transport protocols, which can then be
easily propagated and deployed. The authors present what is really a very
elegant solution in terms of conception, design and implementation. I thought
that the idea of sandboxing the transport protocol and abstracting the details
of the exact protocol away from the application-socket API was a great idea.
This allows for flexibility and ease of deployment for new protocols. The
security issue is handled very well by the type-safe language Cyclone, a
dialect of C, coupled with a user-level policy manager, thereby protecting
the host from misbehaving transport protocol code. This design also allows
for full backwards compatibility with existing TCP, which is essentially
the "default" in the sandbox. All in all, a very elegant solution indeed.
However, there are some issues as well. While STP itself provides for
backwards compatibility with older versions of transport protocols, the STP
sandbox and the STP API are essentially kernel components, and require that
they be implemented by OS vendors. While this is a great solution for future
OS kernels, it still does not address all the older machines out there, which
will not be able to utilize STP unless they get a kernel makeover. Also,
since the sandbox itself is written in a type-safe language, there is a
performance overhead, which the authors point out is quite significant, and
this is clearly an area that needs to be addressed.
Despite these drawbacks, this is clearly a great concept and will
probably be the foundation for the transport protocols of the future.
This archive was generated by hypermail 2.1.6 : Mon Nov 15 2004 - 00:38:40 PST