Opening remarks: Goal of meeting - snapshot of work in progress, introduction

Session 1, Armando Fox chairing

9.15 - 9.45
Stefan Savage, UCSD
Inuit: a system for waste-free computing
Observes:
Computers do nothing of value most of the time, and then we throw them away.
- Because we allocate resources in units of "a machine" - good abstraction
- Implementing this abstraction directly is a bad idea
- High pre-emption cost and poor utilisation
Solution:
Extreme Multiplexing - Xen 3.0 VMs plus lots of resource management
Copy-on-write, and shared _everything_
Share execution traces - often people doing the same computation. Aggressive VM migration. Virtual clusters. Makes sense for the Grid, data centers... how about the desktop?
Butler Lampson: "so are your slides the same as the next speaker's?"
Andy Tanenbaum: re-inventing thin clients the hard way - why bother with VMs?
SS: because processes don't work - people often want to change the environment their processes run in.
Matt Welsh: for research, what about predictable performance? What about benchmarks?
SS: support hard resource reservations, but they should be "rare"
Galen: what about bad behaviour?
SS: not my problem - could happen anyway.
Bryan Ford: Flash crowd at SOSP deadline?
SS: even then, get 25% utilisation
Liuba Shrira: "communism sucks - it's nice not to have to share a kitchen!"
Robert Grimm: so why do the students complain about it (referring to the fact that SS says they actually forced this on UCSD!)
SS: honestly - Xen not quite stable enough yet. Also students have bugs :)
Butler L.: We should have staggered deadlines for conferences :)
(JC: note there are other conferences than SOSP that use PlanetLab and aren't synched)
Not just waste - machines are 1000x better than they need to be, so we should be able to do even better with this

9.45 - 10.00
Tim Harris, MSR Cambridge
Transactional memory: challenges and opportunities
Programming abstractions for concurrency. "Atomic" abstraction: runtime is responsible for making it work.
TH: don't know whether we need that yet!
BL: How to think about this with dataflow?
TH: TCC@Stanford looking at this, with h/w support

10.00 - 10.15
Derek McAuley, Intel
Message Passing and manycore
- In particular, Xen style device channels
- How to map the many VMs onto many cores (>=16) in a way that minimises cache-coherence (CC) traffic? Minimises memory traffic generally?
- Using VMs to partition the many cores is different from using them to timeslice one core
- Xen driver model is basically in-kernel protection, not really a need for full virtual machines
- Need a VM equivalent of fork, to make a programming model where VMs make sense and are usable.
Michael Isard: "why VMs at all - just for legacy support"?
Mac: security - we don't trust device drivers any more; shrinkwrap OS with the app, assuming VM API is more stable than OS one :)
Jeff Mogul: measure Xen to look at the actual messages that are passed?
Mac: a group is looking at it?
Session chaired by Frans Kaashoek

10.45 - 11.15
Butler Lampson, Microsoft
Accountability and Freedom.
- Need accountability - security needs deterrents: punishment
- Configuration errors are a big overlooked problem
  -> least privilege doesn't work because too hard to admin
- TCB as "lock" is a bust - failed
- Need instead authentication and audit trail -> deterrent
- Has to be viable for receiver to demand accountability from the sender
  -> sender must pledge something of value (money, reputation, etc) in a plausible way.
- Anti-spam - either mail has a good sender (reputation/whitelist) or a mechanism to force the sender to donate $1 to (e.g.) United Way...
Various people: what if your computer gets 0wned?
BL: well, the $s make people take more care (and grandpa can use some wholly-managed service) (JC note - so if most people then have thin clients coz they can't manage complexity, then where does SS's Inuit go, and any/all of the P2P go? :)
- This needs a bunch of support: user IDs, auth, trust nets...
- Easier to do end-to-end trust than to build accountability in network
- Freedom:
  "red" world has no accountability - do what you want
  "green" world has accountability: isolated from red, restricted behaviour
  => another config issue:
  1/ make sure valuable assets are in green, and
  2/ do not run "bad" code on the red.
- Need policy for data transfer between machines
(JC note - see later for talk about taint)
Liuba: hackers will concentrate on the green side coz it's where the good stuff is
BL: but it's harder to attack because inputs are rejected out-of-hand?
Jacob Hansen: what about crypto and covert channels out of green?
BL: there won't be people in green to use the channels
SS: what about forensics and surveillance?
BL: demand forensics as part of accountability?
SS: need this in network too
BL: no, point of accountability is you don't need net trace too.
Tanenbaum: can't run 50M lines of Windows in green
BL: can! because we don't tickle the bugs!
Jeff Chase: assumption punishment is administered by injured party?
JC: companies (WorldCom, Andersen, Nixon :) don't want audit trail for liability reasons
BL: let them take risk then.
Peter Druschel: accountability limits privacy, not _freedom_
Bryan Ford: what about grandma? - she doesn't have a sys admin team to run the green box
BL: people can sell this service to her
JH: what about h/w support - e.g. 2 PCs in a box? (JC note: YA VMM/Xen)

11.15 - 11.45
Galen Hunt, MSR Redmond
The Singularity operating system
- Lightweight runtime, safe programming language, mechanical verification
- (Nemesis/Java/SPIN...)
- Merge language security model into OS one
- Optimising compiler: no dynamic loading, no self-modifying code; use child processes for that
- Software isolated processes
  - using type-safe language, not h/w, to isolate process from other objects
  - channel for passing message objects; have contract for how the protocol will work - runtime check on contract
- Minimize TCB - by having the compiler output typed asm and a proof of correctness
- Fast, because no privilege level switches, no VM switches (+ v. good compiler)
Richard Sharp: details of type system for unique ownership of data across channels?
GH: yes, linear types
RS: but you can alias objects in your own heap
GH: no - on the stack, yes, but the heap only has linear pointers
Sean Rhea: why no JIT?
GH: Each SIP has its own runtime; starting a JIT runtime for each new SIP would be expensive - lots of data is touched at startup in JITs; runtime -> big footprint
SS: is that just because it's widespread? would coalescing help?
GH: no, it's just big (actually because of widespread use of reflection)
Herbert Bos: Users find it difficult to write specs+contracts
GH: yes, they were unpopular, but they do get re-used a lot (plus writing the contract is a good debugging tool)
JC: pointer to SLAng http://www.cs.ucl.ac.uk/staff/w.emmerich/publications/FTDCS03/

11.45 - 12.15
Pei Cao, Stanford
Flow-Cookies: A Bandwidth Amplification Approach to Defend Against DDoS Flooding Attacks
- Can't solve link flooding at the attached server
- Network filtering hard - need to establish who the bad guys are
- Capabilities hard - need to hand out caps, need to change routers to check them
- Want solution which doesn't need state in all the routers or change to clients
- Flow cookies
  - push SYN cookies out from web server to network device in its tier 1 ISP
  - also cookie up later packet exchange: use the top 24 bits of the TCP timestamp for later "flow" cookies
- Bugs
  - idle persistent connections: cookies will expire (use keepalives)
  - RSTs don't carry timestamps
  - multi-homing needs routers to cooperate
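A worked sketch of the flow-cookie check, added here as an example and not code from the talk or the paper. Assumptions are mine: the web server and the filtering box at its tier-1 ISP share a secret; the server writes a 24-bit keyed MAC over the 4-tuple and a coarse epoch into the top 24 bits of the TCP timestamp value (TSval) it sends, keeping the low 8 bits as a tick so TSval still increases; the client echoes that value back in TSecr, which is what the ISP-side box verifies. The three "bugs" from the notes show up as branches: an idle flow whose cookie has aged past the accepted epochs is dropped (keepalives refresh it), an RST cannot be checked at all, and a segment with no timestamp option is dropped.

```python
import hashlib
import hmac

# Constructed shared secret; in practice provisioned out of band between the
# server and the ISP-side filtering device (assumption of this example).
SECRET = b"constructed-shared-secret"
COOKIE_BITS = 24
TICK_BITS = 32 - COOKIE_BITS            # low 8 bits of the 32-bit TSval
COOKIE_MASK = (1 << COOKIE_BITS) - 1
TICK_MASK = (1 << TICK_BITS) - 1
EPOCH_SECONDS = 64                      # cookie rotates each epoch; last two accepted


def epoch_of(now):
    """Coarse clock both sides agree on (assumed loosely synchronised)."""
    return int(now) // EPOCH_SECONDS


def flow_cookie(client_ip, client_port, server_ip, server_port, epoch):
    """24-bit keyed MAC binding the flow 4-tuple to an epoch."""
    msg = f"{client_ip}:{client_port}->{server_ip}:{server_port}@{epoch}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:3], "big")   # 3 bytes == 24 bits


def server_tsval(client_ip, client_port, server_ip, server_port, now):
    """TSval the server puts on a segment to this client: cookie | tick."""
    cookie = flow_cookie(client_ip, client_port, server_ip, server_port, epoch_of(now))
    tick = int(now) & TICK_MASK            # keeps TSval monotone within an epoch
    return (cookie << TICK_BITS) | tick


def isp_filter(pkt, now):
    """Decision at the ISP-side box for a client -> server packet.

    pkt is a dict with src, sport, dst, dport and optionally tsecr / rst.
    """
    if pkt.get("rst"):
        return "rst-unverifiable"          # RSTs carry no timestamp option
    tsecr = pkt.get("tsecr")
    if tsecr is None:
        return "drop-no-timestamp"         # nothing to check; drop under attack
    echoed = (tsecr >> TICK_BITS) & COOKIE_MASK
    e = epoch_of(now)
    for ep in (e, e - 1):                  # current and previous epoch are valid
        want = flow_cookie(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], ep)
        if hmac.compare_digest(want.to_bytes(3, "big"), echoed.to_bytes(3, "big")):
            return "accept"
    return "drop-bad-cookie"               # forged, never handshaken, or idle too long


def demo():
    """Run the filter over constructed packets; returns the decisions in order."""
    now = 1000.0
    key = ("198.51.100.7", 40123, "203.0.113.10", 80)   # constructed addresses
    fresh = server_tsval(*key, now)
    good = {"src": key[0], "sport": key[1], "dst": key[2], "dport": key[3], "tsecr": fresh}
    previous_epoch = dict(good, tsecr=server_tsval(*key, now - EPOCH_SECONDS))
    forged = dict(good, tsecr=fresh ^ (1 << 31))        # flips a cookie bit
    stale = dict(good, tsecr=server_tsval(*key, now - 3 * EPOCH_SECONDS))
    reset = dict(good, rst=True)
    no_ts = {k: v for k, v in good.items() if k != "tsecr"}
    return [isp_filter(p, now) for p in (good, previous_epoch, forged, stale, reset, no_ts)]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The two-epoch window is the knob that trades replay exposure against the keepalive interval an idle persistent connection must honour; the bandwidth-amplification point of the talk is that this check runs upstream in the ISP, where the link is not yet saturated, using only per-packet computation and no per-flow state.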
AKW: know we see OC48s flooded
SS: Akamai has seen > 25Gbps attacks + exist botnets with >1 million nodes
SS: How do you decide a flow is bad?
PC: Bad == malformed
SS: 1.5 million * valid TCP means you're doomed
SS: re: Dina Katabi's Kill-Bots
PC: websites' decisions are out of scope...
?: Who verifies TCP?
PC: The website, which pushes blacklists to the n/w device.
Session chaired by Jon Crowcroft

1.45 - 2.15
Rodrigo Rodrigues, IST/INESC
Complexity in peer-to-peer systems
Mapped out the design space for P2P in terms of number of peers and churn rate (lifetime) of peers versus size of object
Need around a billion to cut over to workable system
JC: so in 2009, that's 1 year's 3G cell phone sales :)
Also looked at erasure code saving versus these.
Work in progress: when is network coding a good optimization for CDNs?
Welsh?/Savage questions usefulness of p2p
SS: also asked about whether the _mean_ is a useful measure (heavy tails in distributions mean that the p2p perf. "advantage" is distributed to good effect for those rather than for average users...

2.15 - 2.45
Peter Pietzuch, Harvard
A Large-Scale Overlay Infrastructure for Streaming Real-Time Data.
- Internet scale sensor nets
- Stream based overlay, aggregate and filter data
- Operator operations can migrate, aggregate, decompose; placement uses relaxation spring model (could use others too)
Michael Isard: This looks like Google map/reduce
Petros Maniatis: 2 layers of spring optimisation seems crazy (the underlying net. coordinate system may be using one) -
PP: could use another net coord system if you like.
Sue Moon: How do you archive data?
PP: not their focus

2.45 - 3.15
Robert Grimm, NYU
Na Kika: Towards a unified architecture for edge-side content creation, transformation, and caching
Need a CDN for heavy content
Secure, extensible, external security
JC: why not just use IP multicast?
MW: not deployable
BL: no one wants it
JC: not true!

3.45 - 4.15
Liuba Shrira, Brandeis
Thresher: A Filtered Snapshot Memory
- snapshotting (read only) for roll-back analysis
- want some snapshots more than others, want app. to choose snapshot
- adaptability of representations
- COW snapshots of the running db
- can you do it for a file system?
Petros: what about the tradeoff between fast reconstruction using page tables and overhead of copying pages?
LS: can also do this with fine grain diffs.
SS: infinite history, why not computation too?
LS: yes, we did that too

4.15 - 4.45
Andy Warfield, University of Cambridge
Virtual Devices for Virtual Machines
- pick up from SS & Mac's talks: Xen 3 -
- add virtualisation of devices,
- show duct tape (ring buffer :) model
- now demo how effective model is using 3 demos: packet symmetry, Parallax versioning files, and wild crazy stuff with taint tracking
Petros: how long did the slides take? :-)
SS: have you thought about display device?
AW: yes, interface could be done, latency would be nasty
GH: is this just an indication that the OS community failed to provide isolation? or that we failed at designing APIs?
Bryan Ford: Unix process model was good at isolation - what happened?
AW: consider migration - that's hard even with the Unix process model
BL: This (interface rot) will happen to Singularity too
John Wilkes: Maybe new isolation models have a half life before they (too) become useless.
Exeunt all, to a fine hostel for beverages.
---------------------------------------------------------------
Note takers: Tim Deegan, Andrew Warfield
Noise process: Jon Crowcroft
---------------------------------------------------------------