Proceedings of the 8th ACM SIGOPS European workshop on Support for composing distributed applications: latest papers

Protection wrappers: a simple and portable sandbox for untrusted applications
C. Jensen, D. Hagimont (*Université Joseph Fourier, Grenoble; †INRIA Rhône-Alpes)
DOI: https://doi.org/10.1145/319195.319211
Published: 1998-09-07
Abstract: In open and configurable applications, external programs are often used to handle different functions and data formats. This is particularly true for applications that communicate through the Internet, where new protocols and data formats are frequently introduced. These external programs are often installed quickly and without a full security auditing, even when the sources are available. This makes the users of such applications vulnerable to viruses and Trojan horses introduced by misconfiguration or flaws in the security of these applications. In this paper we introduce a mechanism called "protection wrappers" that allows an application to run external programs in a restricted environment called a "sandbox". Programs running in a sandbox will execute with the identity of a user with limited privileges. This reduces the potential damage to the system and to the data of the user who originally launched the application.
1 Introduction
The dramatic growth of the Internet and the popularity of the World Wide Web have given birth to a new network community where individual users, academic and industrial institutions, in all countries, are exchanging data and software freely across the network. The Internet was previously used to exchange software and data among a small community of researchers who knew and trusted each other, just like computer hobbyists have exchanged software on diskettes with friends, neighbors, and colleagues, but today people connected to the Internet are receiving data and using software from various unknown sources, e.g. installing and using a new video player found on a Web server.
In principle both programs and data should be carefully verified before being used, the program by the administrator who installs it and the data by the program that manipulates them. However, in many cases software or data are used without prior verification and without authentication of the source. Internet communication software like web browsers or mail readers are increasingly relying on external programs to display images or PostScript files, play music or video clips, convert MIME encoded mail, or simply allow users to specify external pagers and editors. These programs are potential Trojan horses for two reasons: first because they may have been written by malicious programmers and secondly because they rarely implement a protection policy that allows them to verify data before operating on them. Most of these external programs are developed to be used in safe environments where data are generally trusted. Two good examples of this are Ghostscript (gs(1)) that allows users to preview their PostScript documents and MS-Word that can be used to prepare reports and write documentation for programs.
However, PostScript is a full programming language, that for instance allows programs to access files in the file system, and MS-Word has the ability to create or update macros, based
Citations: 4

The Porcupine scalable mail server
Yasushi Saito, Eric Hoffman, B. Bershad, H. Levy, D. Becker, B. Folliot
DOI: https://doi.org/10.1145/319195.319203
Published: 1998-09-07
Abstract: This paper describes the design and preliminary performance of the Porcupine mail server, a cluster-based mail server that can handle up to 1 billion messages a day. Unlike common large-scale mail servers deployed today, there is no role separation among nodes. Each node in the cluster runs all the services supported by the cluster and balances the workload dynamically using the cluster membership information. This architecture is more available, manageable, and scalable than traditional architecture.
Citations: 7

Efficient mobile access to the WWW over GSM
X. Delord, S. Perret, A. Duda
DOI: https://doi.org/10.1145/319195.319196
Published: 1998-09-07
Abstract: An increasing number of users access the WWW from small portable mobile hosts connected through different network interfaces supporting mobility: wireless low bandwidth connections over long distances (GSM 9.6 Kbit/s), wireless medium bandwidth connections over small distances (waveLAN 2 Mbit/s), desk area infrared connections to stationary LANs (NetBeamIR 4 Mbit/s). The connections have different distance coverage, bandwidth, latency, cost, and quality of service (error rate, jitter) and the parameters may vary over time. GSM provides global untethered connectivity thus allowing ubiquitous mobile access to the WWW: anywhere, anytime. However, it suffers from relatively slow bandwidth and important cost compared to its wired counterpart. Various client devices can use GSM ranging from PDAs to full-featured laptops. In order to use GSM efficiently, we need system and application support for reducing bandwidth requirements, adapting to hardware variations, and optimizing connection costs.
In this paper, we propose an application support for WWW access based on a different paradigm than the previous work: we use mobile agents to delegate all time-consuming operations to the network, in particular, downloading documents and data type specific distillation of their contents.
Citations: 16

Driving the composition of runtime platforms by architectural knowledge
L. Baum, Martin Becker, L. Geyer, G. Molter, P. Sturm
DOI: https://doi.org/10.1145/319195.319217
Published: 1998-09-07
Abstract: Reusing approved components is an attractive approach for the customization of runtime platforms in an economically sensible manner. However, the successful transition from particular requirements to a suitable architecture including appropriate components heavily relies on the expertise of the system designers. In this paper, we propose an architecture-driven approach to support runtime platform developers in the composition of customized platforms. Central to this approach is the explicit consideration of architectural aspects on an intermediate level of description. At this level, the appropriate matching of requirements against properties of available components is controlled by formalized architectural knowledge. With SDL patterns and design spaces we present two techniques for performing this mapping process.
Citations: 10

A customizable library to support software synthesis for embedded applications and micro-kernel systems
C. Ditze
DOI: https://doi.org/10.1145/319195.319209
Published: 1998-09-07
Abstract: Experiences gained from the design of micro-kernel related to either high-performance or hard real-time computing have shown that customization plays a major role to enhance the performance of applications while maintaining a reusable and flexible software architecture. Our goal is to cover both fields by developing a customizable library operating system (DREAMS 1) intended to be used as a basis for the synthesis of application-specific run-time platforms or operating system kernel.
Citations: 12

Battery-powered distributed systems (extended abstract)
P. Havinga, A. Helme, S. Mullender, G. Smit, J. Smit
DOI: https://doi.org/10.1145/319195.319227
Published: 1998-09-07
Abstract: Mobile personal computers will be a vital technology for making electronic information processing available to people on the move. We expect personal mobile computers, 'mobile digital companions', to be small enough that they can be carried along all day, versatile enough that they can be used for all kinds of information processing -- diary, notebook, pager, telephone, walk man, dictation, e-mail, e-money, keys, ID -- and frugal enough that they can be used all day without recharging. This paper reports ongoing work on Moby Dick, a research project that addresses fundamental issues in the architecture, design and implementation of low-power hand-held computers, with particular emphases on energy conservation and security. The goal is to investigate architectural issues in hardware and software design in concert, so that opportunities in hardware design can be exploited by supportive software.
Citations: 0

Escaping the evils of centralized control with self-certifying pathnames
David Mazières, Frans Kaashoek
DOI: https://doi.org/10.1145/319195.319213
Published: 1998-09-07
Abstract: People have long trusted central authorities to coordinate secure collaboration on local-area networks. Unfortunately, the Internet doesn't provide the kind of administrative structures individual organizations do. As such, users risk painful consequences if global, distributed systems rely on central authorities for security. Fortunately, security need not come at the price of centralized control. To prove it, we present SFS, a secure, global, decentralized file system permitting easy cross-administrative realm collaboration. With a simple idea, self-certifying pathnames, SFS lets users escape the evils of centralized control.
Citations: 36

Dual objects: an object model for distributed system programming
J. Nolte, Wolfgang Schröder-Preikschat
DOI: https://doi.org/10.1145/319195.319235
Published: 1998-09-07
Abstract: When parallel processing became popular at the end of the eighties, it became evident that common operating systems were not able to deliver the pure performance of parallel hardware to parallel applications. Much processing power was wasted with complex system call mechanisms and sometimes vast resource consumptions of the operating system itself. Even micro-kernel based systems were often too slow, because these also relied on computing power consuming concepts like address space separation or virtual memory systems. Nevertheless, some applications required exactly those functionalities that others denied for performance reasons. Since this contradiction can hardly be solved within a single operating system, the PEACE operating system family [10] was developed at GMD-FIRST. The most simple family members were represented as highly efficient runtime libraries while the most complex members can be regarded as full fledged micro-kernel based operating systems. Family based systems can be implemented conveniently by means of object oriented programming paradigms. Thus the PEACE operating system family has entirely been implemented in C++. Operating system services are implemented as classes and users can extend and specialize these system classes by means of inheritance mechanisms. In theory this scenario is sound and straight forward but in practice the conceptual advantages of object orientation are extremely hard to exploit without suitable object models and language-level support for object-oriented implementation techniques in distributed contexts.
When users extend and specialize PEACE classes by means of inheritance mechanisms, class hierarchies need to be extended across address spaces as well as network boundaries and objects can be fragmented across address spaces. This in turn can lead to serious performance bugs caused by frequent remote invocations, when application classes closely interact with their system-level base classes. On the other hand it is obvious that client classes cannot have full access to system-level state information to avoid forgery and ease resource sharing amongst many clients. Implementing system services as fragmented objects [7] like in the SOS system [12] would have supported independence as well as encapsulation of object fragments allocated in different address spaces. Nevertheless we considered that model already too complex for those very lightweight system structures we were aiming at, because
Citations: 6

Resource management for extensible Internet servers
G. Czajkowski, Chi-Chao Chang, C. Hawblitzel, Deyu Hu, T. V. Eicken
DOI: https://doi.org/10.1145/319195.319201
Published: 1998-09-07
Abstract: With the continued spread of the Internet the typical computing model for servers is undergoing a drastic change. In the past, server systems have moved from providing interactive time-sharing service to providing fileserver and now more general back-office (mail, database, web, etc.) services. While the characteristics of the new Internet server systems are not yet clear, we expect that Internet servers will have at least three characteristics that distinguish them drastically from today's servers: (i) high code mobility, (ii) large numbers of anonymous users, and (iii) significant concern for the efficient use of resources.
Citations: 8

Nested Java processes: OS structure for mobile code
Patrick Tullmann, Jay Lepreau
DOI: https://doi.org/10.1145/319195.319212
Published: 1998-09-07
Abstract: The majority of work on protection in single-language mobile code environments focuses on information security issues and depends on the language environment for solutions to the problems of resource management and process isolation. We believe that what is needed in these environments are not ad-hoc or incremental changes but a coherent approach to security, failure isolation, and resource management. Protection, separation, and control of the resources used by mutually untrusting components, applets, applications, or agents are exactly the same problems faced by multi-user operating systems. We believe that real solutions will come only if an OS model is uniformly applied to these environments. We present Alta, our prototype Java-based system patterned on Fluke, a highly structured, hardware-based OS, and report on its features appropriate to mobile code.
1 Operating System Model Required
In the last European SIGOPS Workshop, our paper [17] argued that the local operating system is an essential foundation for global applications. We described the many demands that a reasonably well functioning distributed system places on the local OS, and particularly emphasized end-system security in the widespread presence of mobile code. The focus of that paper was on making the case for the importance of the local OS, and outlining an appropriate OS for that environment: the Fluke [10] operating system, an OS based on a recursive virtual machine model, analogous to the Cambridge CAP Computer [30], but implemented by a microkernel instead of special hardware.
In this paper we assume that the importance of the local OS to distributed applications is evident. From that base, we endeavor to make four points concerning platforms for mixed trust components and mobile code: (i) A coherent, structured approach is required, driven by a full-blown OS model; language-level patches are not enough. (ii) Existing security-oriented approaches fall short in resource management. (iii) Applying an OS model is feasible, based upon our initial experiences with Alta. (iv) Alta provides features useful for mobile code, including hierarchical resource management and flexible object sharing.
Footnote: This research was supported in part by the Defense Advanced Research Projects Agency, monitored by the Department of the Army under contract number DABT63–94–C–0058, and the Air Force Research Laboratory, Rome Research Site, USAF, under agreement number F30602–96–2–0269. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright annotation hereon.
1.1 Application Scenario
In 1997 MCI developed and distributed its Denial of Service Tracker (DoSTracker) [19], after getting their router vendor to add the required interfaces and code to the routers. DoSTracker works as follows. Many denial of service attacks involve generating packets that spoof the IP address of the victim's host.
For example, fabricating broadcast packets will
Citations: 52