Review of STP

From: Andrew R Putnam (aputnam@cs.washington.edu)
Date: Mon Nov 15 2004 - 06:58:09 PST

    Upgrading Transport Protocols Using Untrusted Mobile Code
    Parveen Patel, et al.

    Summary: This paper introduces Self-spreading Transport Protocols, STP, that aim to enable rapid upgrades of transport protocols by inserting a safe interface into the network layer of the operating system kernel. Security is guaranteed by a trusted tool chain that uses a safe language. Untrusted protocol implementations can be downloaded and run without security risk, and without the need for upgrading the operating system kernel.

    There are many reasons why protocols are not rapidly spread and readily adopted. The lack of a central authority, the different needs of the user community, and the aversion to risk are all major factors. Perhaps one of the greatest factors is the slow pace of operating system development. Network transport protocols are implemented in the operating system kernel, so the operating system needs to be upgraded to handle the new protocol. The key benefit of STP is a kernel interface that allows rapid upgrades without the need for operating system patches or downloads. With a huge portion of the Internet user community being averse to tinkering around with the operating system, this can have a major impact on the Internet overall.

    This system still does not address protocols that require changes to the network infrastructure (routers and gateways), which seem to account for a substantial percentage of the proposed yet unadopted protocols.

    I do have some concerns about the paper. The trusted toolchain seems to be the key vulnerability in the system. I am curious as to just how safe this system really is. Java has tried numerous times to provide a safe operating environment for untrusted code, and yet vulnerabilities continually crop up. It seems like STP opens security risks that may be hard to close. We frequently heard in Compilers class that there is no such thing as a truly safe language, at least not yet.

    I also wonder how flexible STP allows new protocols to be. It seems like the authors try to prevent protocols from exhibiting behavior that is significantly different than standard TCP. While this certainly provides a level of security for both the user and the network, it seems like it does not provide the flexibility for new protocols that operate in significantly different manners. If a protocol were introduced that could do much better than STP allows it to do, then you have the same protocol rollout problem with upgrading the kernel-side of STP that you do with any other protocol.


    This archive was generated by hypermail 2.1.6 : Tue Nov 16 2004 - 09:22:46 PST