From: Andrew R Putnam (aputnam@cs.washington.edu)
Date: Mon Nov 15 2004 - 07:02:31 PST
Upgrading Transport Protocols Using Untrusted Mobile Code
Parveen Patel, et al.
Summary: This paper introduces Self-spreading Transport Protocols, STP,
that aim to enable rapid upgrades of transport protocols by inserting a
safe interface into the network layer of the operating system kernel.
Security is guaranteed by a trusted tool chain that uses a safe language.
Untrusted protocol implementations can be downloaded and run without
security risk, and without the need for upgrading the operating system
kernel.
There are many reasons why protocols are not rapidly spread and readily
adopted. The lack of a central authority, the different needs of
the user community, and the aversion to risk are all major factors.
Perhaps one of the greatest factors is the slow pace of operating system
development. Network transport protocols are implemented in the operating
system kernel, so the operating system needs to be upgraded to handle the
new protocol. The key benefit of STP is a kernel interface that allows
rapid upgrades without the need for operating system patches or downloads.
With a huge portion of the Internet user community being averse to
tinkering around with the operating system, this can have a major impact
on the Internet overall.
This system still does not address protocols that require changes to the
network infrastructure (routers and gateways), which seem to account for a
substantial percentage of the proposed yet unadopted protocols.
I do have some concerns about the paper. The trusted toolchain seems to be
the key vulnerability in the system. I am curious as to just how safe this
system really is. Java has tried numerous times to provide a safe
operating environment for untrusted code, and yet vulnerabilities
continually crop up. It seems like STP opens security risks that may be
hard to close. We frequently heard in Compilers class that there is no
such thing as a truly safe language, at least not yet.
I also wonder how flexible STP allows new protocols to be. It seems like
the authors try to prevent protocols from exhibiting behavior that is
significantly different than standard TCP. While this certainly provides a
level of security for both the user and the network, it seems like it does
not provide the flexibility for new protocols that operate in
significantly different manners. If a protocol were introduced that could
do much better than STP allows it to do, then you have the same protocol
rollout problem with upgrading the kernel-side of STP that you do with any
other protocol.
This archive was generated by hypermail 2.1.6 : Mon Nov 15 2004 - 07:02:32 PST