Janos Project: FY 2001
Jay Lepreau
Flux Research Group
University of Utah
June 5, 2001

The Main Players
Pat Tullmann
Godmar Back
Mike Hibler
Wilson Hsieh
Rob Ricci
Tim Stack

Outline
Java OS Work
Moab / NodeOS API work
Team 3 Demo
ANTS EE
A Killer Application?!
Failures, Achievements

Janos Project Goals
Resource Control & security of a local node in an Active Network
First-class, OS-style control over Java “applications”
Separately useful components
NodeOS, JVM, EE, etc.
Open Source

Research Goals I
Combine OS + Language
Merge OS principles and Java typesafety to create a real Java OS
Explore which features of Java apply in an OS context
Explore which OS features map appropriately into a Java OS

Research Goals II
Apply Java OS to the AN domain
Leverage AN domain’s constraints
Can we safely expose low-level network aspects?
Can safe code go fast?

A “Java operating system” is...
An enhanced JVM that provides OS functions to multiple Java “programs” within it
Features:
Separation
Resource management
Sometimes: direct sharing
Architectural abstractions taken from OS
User/kernel boundary, processes, etc.
Mechanisms taken from garbage collection

Previous Options
Multiple apps in one JVM
One app per JVM in different OS processes

“Java Operating System”
+ Good separation
+ Good resource management
+ Allows some direct sharing

Janos Architecture

Software Specifics
Build NodeOS in C that exposes low-level network features: Moab
Optimized for a single, trusted EE
Provide the NodeOS API in Java: Janos Java NodeOS
Works with JDK1.x or JanosVM
Provide a JVM for building a Java OS: JanosVM
Make ANTS multi-domain and resource-aware: ANTS2.0

FY 2001 Progress
Java OS Work
Moab / NodeOS API work
Team 3 Demo
ANTS EE
An Application!
Failures, Achievements

Java OS Work
 Ph.D. on Java Operating Systems
Godmar Back - June 12, 2001
 Designed, built and released JanosVM
Evolution of KaffeOS to provide key building block for a Java OS
Sun JSR-121 Expert Group
“Isolate” : first step in multiprocess support in Sun’s JDK
Utah representation

JanosVM
Virtual Machine for Java bytecodes
Usual JVM features: JIT, GC, etc.
Multiprocess support
Designed as foundation for Java OS
Exports primitives to build efficient Java OS
Customized by trusted runtime

JanosVM
Virtual Machine for Java bytecodes
Usual JVM features: JIT, GC, etc.
Designed as foundation for Java OS
Exports primitives to build efficient, targeted Java OS

JanosVM
Virtual Machine for Java bytecodes
Usual JVM features: JIT, GC, etc.
Designed as foundation for Java OS
Exports primitives to build efficient, targeted Java OS

FY 2001 Progress
Java OS Work
Moab / NodeOS API work
Team 3 Demo
ANTS EE
An Application!
Failures, Achievements

Moab / NodeOS API
Joint NodeOS paper
Pluggable CPU & network schedulers
Click in Moab: fine-grained control over cut-through channels
More:
NodeOS API refinement, polling vs. interrupts, SNMP support, filesys support, ...

FY 2001 Progress
Java OS Work
Moab / NodeOS API work
Team 3 Demo
ANTS EE
An Application!
Failures, Achievements

Team 3 Demo
Built an IP router
 in Java
on the Janos Java NodeOS bindings
on JanosVM
on Moab
on the bare hardware
Demonstrated
CPU controls, network bandwidth controls, and memory controls over Java apps
Inter-operated with 3 other projects

FY 2001 Progress
Java OS Work
Moab / NodeOS API work
Team 3 Demo
ANTS EE
An Application!
Failures, Achievements

ANTS EE
Completed per-domain separation in ANTSR
With UW, evolved and released ANTS2.0 from ANTSR and ANTS1.3, plus:
New security infrastructure
Improved ABONE / ANETD support

FY 2001 Progress
Java OS Work
Moab / NodeOS API work
Team 3 Demo
ANTS EE
Branching Out
Tangible Goods
Failures, Acheivements

Branching Out
emulab.net - Utah Network Testbed
200 machines, lots of tools
Real users: 70% dist sys, 30% networking
Developed / tested our Team 3 demo setup, all our AN experiments
Paper under review
A killer application?!

Quote
“We had a little bit of a problem with applications.”
- Sandy Murphy, 4 June 2001

Active Protocols for Agile Censor-Resistant Networks

Key Ideas
Censor-resistant (p2p) publishing is a compelling and feasible application of active networking
…through on-demand, rapid, decentralized, diversification of the hop-by-hop protocol (manually, by people)
We prototyped this in Freenet

Active Networking’s Biggest Problem
Demand: no killer app
Inherent problem, by definition!
The space of AN protocols is interesting, not any given protocol
But… a good match for censor-resistant networks

Censor-Resistant Networks
Goals
Make intentional deletion or denial of access infeasible or difficult
Often: Anonymity
Usually: overlay network
An example: Freenet

Some Problems Facing CRNs
CRN traffic may be identifiable
Static set of protocols a weakness
Mere membership may be incriminating
Only identification may be necessary, not eavesdropping
Last link vulnerable: mercy of ISP
Users on restricted networks cannot participate
But special techniques can get traffic through firewalls, proxies, etc.

Agile Protocols
Use active networking techniques for replacement of single-hop protocols
Completely decentralized
Any node (person) can create a new protocol & pass to its peer
Rapid response time to censorship
Nodes can customize for their environment
Unbounded set of protocols
Attacker cannot even know what percentage of set they have discovered

Protocol Examples
Disguise and tunnel, eg through SMTP, HTTP
Port-hopping… randomly
Port-smearing (~spread spectrum)
Bounce thru 3rd host
Steganography
…even better in wireless domain: physical & link level

What About Malicious
Protocol Objects?

Protecting Local Node’s Integrity, Privacy, and Availability
Threat model like Java applet, but worse for privacy
node state: cache contents, neighbor list, IP addr, username, …
message itself
Integrity and privacy: std type-safety and namespace isolation
Resource attacks: resource-managing JVM [OSDI’00, ...]

Publishing-specific DoS Attacks
Same general issues as malicious nodes
Failure (total or intermittent)
Either malicious or unintentional
Heuristic approach: rate Protocol Objects
Ratings based on success rates for requests
Evaluate via loopback test harness
Ratings are node-local
More attacks/responses in paper

What About Bootstrapping?
Shared by base Freenet system: must acquire initial {IP addr, port} out-of-band
Now need {IP addr, byte code}
Quantitative difference ==> qualitative change?
Memory, piece of paper ==> floppy disk, email attachment, applet
Conclusion: acceptable

Our Implementation
Prototype based on Freenet system
Peers can exchange Java bytecode for new protocols
Protocol usage can be asymmetric, can change on any message boundary
Restricted namespace

Four sample Protocol Objects
‘Classic’ Freenet protocol
HTTPProtocol: Looks (vaguely) like HTTP
TrickyProtocol: Negotiates port change after every message
SpreadProtocol: Splits message on arbitrary byte boundaries, sends each chunk on a different port

Reprise:AN’s Major Technical Challenges
Performance: no problem
In Java already!
Overlay network: IP not my problem
Security
Key: change local, keep global protocol
Global network: domain-specific, therefore tractable.
Local to node:  tractable, based on recent research

Agile Experiment: Conclusions
AN techniques seem likely to improve the censor-resistance of such networks
Feasible to implement in existing systems
Lots still to do
Implement ratings, etc, etc
JanosVM + runtime, re-engineer base
Evaluate in the lab
Evaluate “in the wild”
Lot of fun, lot of military relevance

FY 2001 Progress
Java OS Work
Moab / NodeOS API work
Team 3 Demo
ANTS EE
Tangible Goods
Failures, Achievements

Papers: FY 2001
Back et. al.   Processes in KaffeOS: Isolation, Resource Management and Sharing in Java   (OSDI 2000)
Tullmann et. al.   Janos: A Java-oriented OS for Active Network Nodes   (IEEE JSAC Mar 2001)
Peterson et. al.   An OS Interface for Active Routers
(IEEE JSAC Mar 2001)
Ricci et. al.   Active Protocols for Agile Censor-Resistant Networks   (HotOS 2001)

Software Releases: FY 2001
11 separate releases
2 OSKit versions
2 Moab versions
2 JanosVM versions
1 ANTS2.0
2 Java NodeOS versions
1 ANTS CVS
1 Java NodeOS CVS

Mistakes I
Over-emphasis on strict hierarchy
Original nested process model
NodeOS mempools
NodeOS/EE split
Makes a nearly impossible research challenge even harder
Under-emphasis on applications

Mistakes II
Too much energy on software artifacts
==> Missed research opportunities
ANTS?
Most aggressive AN model
Dated

Mistakes III
A-Flow -> Flow -> Domain
Failure to keep dm in ITO!

Achievements
Four generations of Java OS’s
Culminated in generic JavaOS infrastructure
Java spec impact:  JSR-121 “Isolate”, ...
Low-level networking that leverages type-safety
Safe zero-copy
 Unoptimized Java IP forwarding is
40% speed of C (JNodeOS v. Moab)

Questions?
Where do I get Janos papers, software?
www.cs.utah.edu/flux/janos
How do I use the network testbed?
www.emulab.net

END OF PRESENTATION

Architecture

Approach
Re-fit existing AN infrastructure to multiprocess, resource-aware JVM
Apply OS principles to Java language run-time
User/kernel boundary, processes, etc.
Construct a “multiprocess” JVM
Build a NodeOS that exposes low-level network features

Team 3 Demo
First full Janos prototype to run Java on the bare hardware
Illuminated many performance issues in our prototype