upgrading, and maintaining operating system software is a growing
management complexity problem that can result in unacceptable system
downtime. We introduce AutoPod, a system that enables unscheduled
operating system updates while preserving application service
availability. AutoPod provides a group of processes and associated users
with an isolated machine-independent virtualized environment that is
decoupled from the underlying operating system instance. This
virtualized environment is integrated with a novel checkpoint-restart
mechanism which allows processes to be suspended, resumed, and migrated
across operating system kernel versions with different security and
incorporates a system status service to determine when operating system
patches need to be applied to the current host, then automatically
migrates application services to another host to preserve their
availability while the current host is updated and rebooted. We have
implemented AutoPod on Linux without requiring any application or
operating system kernel changes. Our measurements on real world desktop
and server applications demonstrate that AutoPod imposes little overhead
and provides sub-second suspend and resume times that can be an order
of magnitude faster than starting applications after a system reboot.
AutoPod enables systems to autonomically stay updated with relevant
maintenance and security patches, while ensuring no loss of data and
minimizing service disruption.
surface concept provides a means of discussing the susceptibility of
software to as-yet-unknown attacks. A system's attack surface
encompasses the methods the system makes available to an attacker, and
the system resources which can be used to further an attack. A
measurement of the size of the attack surface could be used to compare
the security of multiple systems which perform the same function.
Internet Message Access Protocol (IMAP) has been in existence for over a
decade. Relative to HTTP or SMTP, IMAP is a niche protocol, but IMAP
servers are widely deployed nonetheless. There are three popular open
source UNIX IMAP servers—UW-IMAP, Cyrus, and Courier-IMAP—and there has
not been a formal security comparison between them.
paper, I use attack surfaces to compare the relative security risks
posed by these three products. I undertake this evaluation in service of
two complementary goals: to provide an honest examination of the
security postures and risks of the three servers, and to advance the
study of attack surfaces by performing an automated attack surface
measurement using a methodology based on counting entry and exit points
in the code.
This paper introduces JitterBugs,
a class of inline interception mechanisms that covertly transmit data
by perturbing the timing of input events likely to affect externally
observable network traffic. JitterBugs positioned at input devices deep
within the trusted environment (e.g., hidden in cables or connectors)
can leak sensitive data without compromising the host or its software.
In particular, we show a practical Keyboard JitterBug that solves
the data exfiltration problem for keystroke loggers by leaking captured
passwords through small variations in the precise times at which
keyboard events are delivered to the host. Whenever an interactive
communication application (such as SSH, Telnet, instant messaging, etc)
is running, a receiver monitoring the host's network traffic can recover
the leaked data, even when the session or link is encrypted. Our
experiments suggest that simple Keyboard JitterBugs can be a practical
technique for capturing and exfiltrating typed secrets under
conventional OSes and interactive network applications, even when the
receiver is many hops away on the Internet.
an open-source virtual machine for Java
intended as a research framework for efficient
execution of Java bytecode.
The framework is essentially composed
of an extensible bytecode interpreter using state-of-the-art
and innovative techniques.
Written in the C programming language, and assuming
minimal system dependencies, the interpreter emphasizes high-level
techniques to support efficient execution.
In particular, we introduce a biderectional layout for object
instances that groups reference fields sequentially to allow
efficient garbage collection. We also introduce
a sparse interface virtual table layout that reduces the cost
of interface method calls to that of normal virtual calls.
Finally, we present a technique to improve
by eliminating busy-wait in presence of contention.
user-level operating system (OS) can be implemented as a regular user
process on top of another host operating system.
Conventional user-level OSes, such as User Mode Linux, view the
underlying host operating system as a specific hardware architecture.
Therefore, the implementation of a user-level OS often requires porting
of an existing kernel to a new hardware architecture.
This paper proposes a new implementation method of user-level OSes by
using partial emulation of hardware and static rewriting of machine
In this method, privileged instructions and their related non-privileged
instructions in a native operating system are statically translated
into subroutine calls that perform emulation.
The translated instructions of the user-level OS are executed by both
the real CPU and the partial emulator.
This method does not require detailed knowledge about kernel internals.
By using the proposed method, NetBSD and FreeBSD are executed as user
processes on NetBSD and Linux.
describes a programming framework for clean construction of disk
maintenance applications. They can use it to expose the disk activity
to be done, and then process completed requests as they are reported.
The system ensures that these applications make steady forward progress
without competing for disk access with a system's primary applications.
It opportunistically completes maintenance requests by using disk idle
time and freeblock scheduling. In this paper, three disk maintenance
applications (backup, write-back cache destaging, and disk layout
reorganization) are adapted to the system support and evaluated on a
FreeBSD implementation. All are shown to successfully execute in busy
systems with minimal (e.g., less than 2%) impact on foreground disk
performance. In fact, by modifying FreeBSD's cache to write dirty
blocks for free, the average read cache miss response time is decreased
by 12-30%. For non-volatile caches, the reduction is almost 50%.
Track-aligned extents (traxtents) utilize disk-specific
knowledge to match access patterns to the strengths of
modern disks. By allocating and accessing related data
on disk track boundaries, a system can avoid most rotational
latency and track crossing overheads. Avoiding
these overheads can increase disk access efficiency by up
to 50% for mid-sized requests (100Ð500 KB). This paper
describes traxtents, algorithms for detecting track boundaries,
and some uses of traxtents in file systems and video
servers. For large-file workloads, a version of FreeBSD's
FFS implementation that exploits traxtents reduces application
run times by up to 20% compared to the original
version. A video server using traxtent-based requests can
support 56% more concurrent streams at the same startup
latency and buffer space. For LFS, 44% lower overall
write cost for track-sized segments can be achieved.
the design, implementation, and evaluation of D-GRAID, a
gracefully-degrading and quickly-recovering RAID storage array. D-GRAID
ensures that most files within the file system remain available even
when an unexpectedly high number of faults occur. D-GRAID also recovers
from failures quickly, restoring only live file system data to a hot
spare. Both graceful degradation and live-block recovery are implemented
in a prototype SCSI-based storage system underneath unmodified file
systems, demonstrating that powerful "file-system like" functionality
can be implemented behind a narrow block-based interface.
BGP, the current inter-domain routing protocol, assumes that the routing
information propagated by authenticated routers is correct. This assumption
renders the current infrastructure vulnerable to both accidental misconfigurations
and deliberate attacks. To reduce this vulnerability, we present a combination
of two mechanisms: Listen and Whisper. Listen passively
probes the data plane and checks whether the underlying routes to different
destinations work. Whisper uses cryptographic functions along with routing
redundancy to detect bogus route advertisements in the control plane. These
mechanisms are easily deployable, and do not rely on either a public key
infrastructure or a central authority like ICANN.
The combination of Listen and Whisper eliminates a large number of problems
due to router misconfigurations, and restricts (though not eliminates) the
damage that deliberate attackers can cause. Moreover, these mechanisms can
detect and contain isolated adversaries that propagate even a few invalid
route announcements. Colluding adversaries pose a more stringent challenge,
and we propose simple changes to the BGP policy mechanism to limit the damage
colluding adversaries can cause. We demonstrate the utility of Listen and
Whisper through real-world deployment, measurements and empirical analysis.
For example, a randomly placed isolated adversary, in the worst case can
affect reachability to only 10% of the nodes.
games are a rapidly growing Internet application. Because of the cost in
supporting on-line games and the unpredictable load on servers,
companies are moving toward sharing infrastructure for game hosting. To
efficiently provision on-line games, it is important to understand game
workloads and the behavior of game players. In this paper, we present a
comprehensive analysis of a collection of on-line game players and game
workloads using data from several sources including: a 13-month trace of
an extremely busy game server containing over 2.8 million connections, a
two-year trace of the aggregate game populations of over 500 on-line
games, and a 4-month trace of a content-distribution network used to
deliver games. The key findings from our measurement study are: (1)
these gamers are an extremely difficult set of users to satisfy and
unless game servers are properly set up and provisioned, gamers quickly
choose to go elsewhere, (2) the popularity of these games follows a
power law making games difficult to provision at launch time, (3) game
workloads are predictable only over short-term intervals, (4) there are
significant challenges in hosting games on shared infrastructure due to
temporal and geographic synchronization across different games and other
interactive applications, and (5) game software updates are a
significent burden on game hosting that must be planned for. Our results
have implications for both game publishers as well as infrastructure