
Virtualization Mechanisms for Mobility, Security and System Administration

Shaya Potter

Submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy in the Graduate School of Arts and Sciences


© 2010

Shaya Potter

All Rights Reserved


Virtualization Mechanisms for Mobility, Security and System Administration

Shaya Potter

This dissertation demonstrates that operating system virtualization is an effective method for solving many different types of computing problems. We have designed novel systems that make use of commodity software while solving problems that were not conceived when the software was originally written. We show that by leveraging and extending existing virtualization techniques, and introducing new ones, we can build these novel systems without requiring the applications or operating systems to be rewritten.

We introduce six architectures that leverage operating system virtualization. *Pod creates fully secure virtual environments and improves user mobility. AutoPod reduces the downtime needed to apply kernel patches and perform system maintenance.

PeaPod creates least-privilege systems by introducing the pea abstraction. Strata improves the ability of administrators to manage large numbers of machines by introducing the Virtual Layered File System. Apiary builds upon Strata to create a new form of desktop security by using isolated persistent and ephemeral application containers.

Finally, ISE-T applies the two-person control model to system administration.

By leveraging operating system virtualization, we have built these architectures on Linux without requiring any changes to the underlying kernel or user-space applications. Our results, with real applications, demonstrate that operating system virtualization has minimal overhead. These architectures solve problems with minimal impact on end-users while providing functionality that would previously have required modifications to the underlying system.

Contents

Contents i
List of Figures vii
List of Tables ix
Acknowledgments xi
1 Introduction 1
1.1 OS Virtualization Security and User Mobility 3
1.2 Mobility to Improve Administration 5
1.3 Isolating Cooperating Processes


Acknowledgments

My deepest thanks go to my advisor, Jason Nieh, for his continual support and guidance. His constant questioning, demanding of explanations and objective evaluation has helped develop ideas that I would not have been able to reach on my own, while also teaching me skills that I hope remain with me. I am constantly amazed by how many different studies, projects and papers he is able to juggle while retaining the ability to ask insightful questions. He has provided the model that I aspire to be.

There are many people at Columbia who have been a significant part of my graduate experience. My officemates, Dinesh Subhraveti, Dan Phung and Dana Glasner have been good friends, acted as sounding boards, provided valuable feedback, and, in general, made the graduate experience an enjoyable one. I’ve worked on many projects together with Ricardo Baratto and Oren Laadan and I am always amazed by their abilities. Stelios Sidiroglou-Douskos, Mike Locasto, Carlo Pérez and Gong Su provided valuable feedback and friendship. I’d also like to thank Angelos Keromytis and Steven M. Bellovin for providing help and guidance in my research. In addition, I’d like to thank Erez Zadok, Gail Kaiser and Chandra Narayanaswami for serving on my Ph.D. committee. Finally, I’d be remiss if I did not thank the administrative staff in the Computer Science Department, including Alice Cueba, Twinkle Edwards, Elias


1 Introduction

Computer use is more widespread today than it was even 10 years ago, but we are still using software designs from 20 or 30 years ago. Although these designs are well tested and understood, they were created to solve the problems of that time.

Today’s users face difficulties that the original software designers did not imagine.

We can redesign the operating system and applications to attempt to address these problems, but this creates new, relatively untested software and designs and may force users and administrators to learn fundamentally new models of usage. This dissertation demonstrates that many problems can be solved not by redesigning and rewriting the applications, but instead by virtualizing the interfaces through which existing applications interact with the operating system.

Virtualization is the creation of a layer of indirection between two entities that previously communicated directly. For example, in hardware virtualization [28, 34, 142, 147], a virtual machine monitor (VMM) places a layer of indirection between an operating system and the underlying hardware. A VMM provides a complete virtualized hardware platform for an operating system, enabling any operating system supporting that platform to run as though on physical hardware. Hardware virtualization has been shown to enable operating systems to take advantage of hardware for which they were not designed. The Disco project [34] demonstrated how to run an operating system not designed for ccNUMA architectures on those architectures by using a VMM.

Operating systems can also be virtualized in multiple ways, most commonly by providing each process with its own virtualized and protected memory mappings. Instead of letting a process directly access the machine’s memory, the operating system, with hardware support, places a layer of indirection between the processes and physical memory, creating a virtualized mapping between the process’s memory space and the physical machine’s memory space. This provides security, efficiency and flexibility. The processes’ memories are isolated from one another, but memory can still be shared among processes.

Memory, however, is not the only operating system interface that can be virtualized. Zap [100] and FiST [152] demonstrated that an operating system’s kernel state and file systems can be virtualized as well. Kernel virtualization operates by virtualizing the system call interface, that is, by placing a layer of indirection between processes and the system calls they use to access the operating system kernel’s functionality and ephemeral state. Similarly, file system virtualization works by placing a layer of indirection between processes and the underlying physical file systems, or the operating system’s persistent state. Instead of accessing the machine’s kernel and file system directly using built-in system call and file system functions, the application running in the virtualized operating system executes a function within the virtualization layer. The virtualization layer can modify the parameters passed to it, perform work required by the desired virtualization, call built-in kernel and file system functions to perform the desired real work, and modify the return value passed to the calling process.

This dissertation demonstrates that by leveraging different forms of operating system virtualization, we can use commodity operating systems and software in novel ways and solve problems that the original developers could not have anticipated. By virtualizing the interfaces, we do not change the applications or operating system, but instead create specialized environments that enable us to solve problems. Although virtualized environments, from the perspective of processes, look and behave like the system they are virtualizing, they can look and behave very differently to the systems on which they are hosted. This decoupling of execution environment and host environment lets us create tools that run on the host and solve new problems without modifying a well-tested operating system and application code. For example, we can create virtual private namespaces for applications distinct from the namespace of the physical computer. To the processes running within the virtualized environment, the environment looks like a regular machine, provides the same application interface, and does not require applications to be rewritten. Similarly, because operating system virtualization only interposes itself between the application and the underlying operating system kernel, the underlying kernel’s binary and source code do not have to be modified either.

1.1 OS Virtualization Security and User Mobility

Some forms of operating system virtualization [85, 100] are limited to isolating a single user’s processes and are not designed to provide any security constraints. This is especially noticeable for processes that run with elevated privileges, such as those provided to root on Unix systems. Without secure virtualization, operating system virtualization can only solve single user problems, substantially limiting its use. To enable secure virtualization, we have enabled each virtualized environment to have a unique set of virtualized users. Virtualizing the set of users gives each environment an isolated set of privileges. However, unlike hardware virtualization, where each virtual machine has a full operating system instance and therefore its own isolated privileged state, operating systems generally only have a single set of privileged states.

Therefore, in addition to providing unique sets of virtualized users, we also restrict the abilities of virtualized root users. If the virtualized root users were not restricted, they could be treated equivalently to the root user of the underlying system, enabling them to break the virtualization abstraction. This dissertation demonstrates how operating system virtualization can be used to simply virtualize the set of users while restricting the abilities of the privileged but virtualized root user.
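As an added illustration of the two mechanisms described above, the system call interposition layer and the per-environment set of virtualized users with a restricted virtual root, the following C model (written for this page, not Zap or *Pod code) translates pid and uid arguments into host identifiers and translates results back. The host pids, the uid base and the set of operations allowed to virtual root are constructed assumptions of the model.

```c
#include <errno.h>
#include <stdio.h>
/* Constructed model of the interposition layer (not Zap or *Pod code):
 * a pod owns a private pid table and a private uid range; arguments are
 * translated to host identifiers, the host does the real work and results
 * are translated back, so host identifiers are never visible inside. */
#define POD_MAX_PIDS  8
#define POD_UID_RANGE 1000
struct pod {
    int host_pid[POD_MAX_PIDS]; /* host pid behind virtual pid i (0 = unused) */
    int host_uid_base;          /* virtual uid u lives at host uid base + u */
};

/* vpid -> host pid, or -1 when the pod cannot name that process */
int pod_vpid_to_host(const struct pod *p, int vpid)
{
    if (vpid < 1 || vpid >= POD_MAX_PIDS || p->host_pid[vpid] == 0)
        return -1;
    return p->host_pid[vpid];
}

/* uid translation both ways; a host uid outside the pod's range (the host's
 * real root, uid 0, included) is reported as -1 so host accounts stay hidden */
int pod_uid_to_host(const struct pod *p, int vuid)
{
    return (vuid < 0 || vuid >= POD_UID_RANGE) ? -1 : p->host_uid_base + vuid;
}
int pod_host_to_uid(const struct pod *p, int huid)
{
    int v = huid - p->host_uid_base;
    return (v < 0 || v >= POD_UID_RANGE) ? -1 : v;
}

/* Interposed kill(): translate the target in and call the host; a process
 * the pod cannot name does not exist from inside, hence ESRCH */
int pod_kill(const struct pod *p, int vpid, int sig, int (*host_kill)(int, int))
{
    int hpid = pod_vpid_to_host(p, vpid);
    return hpid < 0 ? -ESRCH : host_kill(hpid, sig);
}

/* Virtual root (vuid 0) is an ordinary host uid: operations that act on the
 * host rather than on pod-private state are refused whatever the caller's
 * virtual uid. Which operations count as pod-private is assumed here. */
enum pod_op { OP_CHOWN_POD_FILE, OP_MOUNT, OP_LOAD_MODULE, OP_REBOOT };
int pod_root_may(enum pod_op op) { return op == OP_CHOWN_POD_FILE; }

/* Recording stand-in for the host's kill() and a constructed sample pod
 * (host pids 4123/4124/4130, uid base 100000) so the model runs offline */
static int g_last_hpid;
int fake_host_kill(int hpid, int sig) { (void)sig; g_last_hpid = hpid; return 0; }
int fake_last_hpid(void) { return g_last_hpid; }
const struct pod *sample_pod(void)
{ static const struct pod p = { {0, 4123, 4124, 4130}, 100000 }; return &p; }

int main(void)
{
    const struct pod *p = sample_pod();
    printf("kill(vpid 3) rc=%d, kill(vpid 7) rc=%d, host uid 0 seen as vuid %d\n",
           pod_kill(p, 3, 15, fake_host_kill), pod_kill(p, 7, 15, fake_host_kill),
           pod_host_to_uid(p, 0));
    return 0;
}
```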

We then show that operating system virtualization can be combined with checkpoint/restart functionality to improve mobile users’ computing experience. Many users lug around bulky, heavy computers simply to have access to their data and applications. To solve this problem, we created *Pod devices. A *Pod is a physical storage device, such as a portable hard disk or USB thumb drive, containing a complete application-specific environment, such as a desktop or web environment.

*Pod devices run their applications on whatever host computer is available at the user’s current location. By storing the entire environment on the portable device, users can move it between computers while retaining a common usage environment.

Operating system virtualization, coupled with process migration technology, enables users to move their running processes and data between physical machines, much like a laptop can be suspended and resumed when changing locations. We have built a number of *Pod devices that enable users to carry an application [109,110,113] or an entire desktop [114] with them.


1.2 Mobility to Improve Administration

Building on *Pod, we demonstrate how operating system virtualization and checkpoint/restart ability can improve system maintenance, much of which requires taking the machine offline and shutting down all active processes. Among other problems, this prevents the kernel from being patched quickly, as it requires the machine to be rebooted for the patch to take effect, thereby killing all running processes on the machine. To address this, we developed AutoPod [112], a system that enables unscheduled operating system updates while preserving application service availability.

AutoPod leverages *Pod’s virtualization abstraction to provide a group of processes and associated users with an isolated machine-independent virtualized environment decoupled from the underlying operating system instance. This enables AutoPod to run each independent service in its own isolated environment, preventing a security fault in one from propagating to other services running on the same machine. This virtualized environment is integrated with a checkpoint/restart system that allows processes to be suspended, resumed and migrated across operating system kernel versions with different security and maintenance patches. AutoPod incorporates a system status service to determine when operating system patches need to be applied to the current host, then automatically migrates application services to another host to preserve their availability while the current host is updated and rebooted. AutoPod’s ability to migrate processes across kernel versions also increases *Pod’s value by making it possible for users to move their *Pod between machines that are not running the exact same kernel version.


1.3 Isolating Cooperating Processes

AutoPod envisions virtual computer usage growing rapidly as users create and use many task-specific virtual computers, as is already occurring with the rise of virtual appliances. But more computers mean more targets for malicious attackers, making it even more important to keep them secure. Operating system virtualization, as in a pod, provides namespaces that isolate processes from the host, enabling a level of least-privilege isolation as single services are constrained to independent pods.

Today’s services, however, are complex applications with many distinct components.

Even within a pod, each component of the service has access to all resources required by every component within the system, which is not a true least-privilege system.

To solve this problem, we developed PeaPod [115], which combines the pod with a pea (Protection and Encapsulation Abstraction). As AutoPod demonstrates, pods can be used to isolate services into separate virtual machine environments. The pea is used within a pod to provide finer-grained isolation among application components of a single service while still enabling them to interact. This allows services composed of multiple distinct processes to be constructed more securely. PeaPod enables processes to work together while limiting the resources each process can access to only those needed to perform its job.

1.4 Managing Large Numbers of Machines
