There is considerable interest in programs that can migrate from one host to another and execute. Mobile programs are appealing because they support efficient utilization of network resources and extensibility of information servers. However, since they cross administrative domains, they have the ability to access and possibly misuse a host’s protected resources. In this paper, we present a novel approach for controlling and protecting a site’s resources. In this approach, a site uses a declarative policy language to specify a set of constraints on accesses to resources. A set of code transformation tools enforces these constraints on mobile programs by integrating the access constraint checking code directly into the mobile program and resource definitions. Because our approach does not require resources to make explicit calls to a reference monitor, it does not depend upon a specific runtime system implementation.
Concurrency and Computation: Practice and Experience, 2000
There is considerable interest in programs that can migrate from one host to another and execute. Mobile programs are appealing because they support efficient utilization of network resources and extensibility of information servers. However, since they cross administrative domains, they have the ability to access and possibly misuse a host's protected resources. In this paper, we present a novel approach for controlling and protecting a site's resources. In this approach, a site uses a declarative policy language to specify a set of constraints on accesses to resources. A set of code transformation tools enforces these constraints on mobile programs by integrating the access constraint checking code directly into the mobile program and resource definitions. Using this approach, a site does not need to explicitly include calls to reference monitors in order to protect resources. The performance analysis shows that the approach performs better than reference monitor-based approaches in many cases.
This thesis explores computation mobility. We view mobility, the selection of an execution environment, as an attribute of a computation. To capture this attribute, we introduce a novel programming abstraction, which we call a mobility attribute, that specifies where computations should occur within a distributed system. Programmers dynamically bind mobility attributes to program components, nonempty sets of functions and their state. Once bound to a component, mobility attributes apply prior to each execution of that component.
Abstract: With the advent of WWW, there is considerable interest in programs that can migrate from one host to another and execute. For instance, Java programs are increasingly being used to add dynamic content to a web page. When a user accesses the web page ...
Although the practice of executing external programs is widespread, the security implications have yet to be systematically analyzed. The authors address this problem here, offering a resource-centric classification of security issues and solutions.
IEEE Internet Computing
A widely used technique for securing computer systems is to execute programs inside protection domains that enforce established security policies. These containers, often referred to as sandboxes, come in a variety of forms. Although current sandboxing techniques have individual strengths, they also have limitations that reduce the scope of their applicability. In this paper, we give a detailed analysis of the options available to designers of sandboxing mechanisms. As we discuss the tradeoffs of various design choices, we present a sandboxing facility that combines the strengths of a wide variety of design alternatives. Our design provides a set of simple yet powerful primitives that serve as a flexible, general-purpose framework for confining untrusted programs. As we present our work, we compare and contrast it with the work of others and give preliminary results.
Programming models that support code migration have gained prominence, mainly due to a widespread shift from stand-alone to distributed applications. Although appealing in terms of system design and extensibility, mobile programs are a security risk and require strong access control. Further, the mobile code environment is fluid: the programs and resources located on a host may change rapidly, necessitating an extensible security model. In this paper, we present the design and implementation of a security infrastructure. This infrastructure is built around an event/response mechanism, in which a response is executed when a security-related event occurs. We support a fine-grained, conditional access control language, and enforce policies by instrumenting the bytecode of protected classes. This method enhances efficiency and promotes separation of concerns between security policy and program specification. This infrastructure also allows security policies to change at runtime, adapting to varying system state, intrusion, and other events.
Modern software must evolve in response to changing conditions. In the most widely used programming environments, code is static and cannot change at runtime. This poses problems for applications that have limited down-time. More support is needed for dynamic evolution. In this paper we present an approach for supporting dynamic evolution of Java programs. In this approach, Java programs can evolve by changing their components, namely classes, during their execution. Changes in a class lead to changes in its instances, thereby allowing evolution of both code and state. The approach promotes compatibility with existing Java applications, and maintains the security and type safety controls imposed by Java’s dynamic linking mechanism. Experimental analyses of our implementation indicate that the implementation imposes a moderate performance penalty relative to the unmodified virtual machine.
Applications that are distributed, fault tolerant, or perform dynamic load balancing rely on redirection techniques, such as network address translation (NAT), DNS request routing, or middleware to handle Internet scale loads. In this paper, we describe a new connection redirection mechanism that allows applications to change end-points of communication channels. The mechanism supports redirections across LANs and WANs and is application-independent. Further, it does not introduce any central bottlenecks. We have implemented the redirection mechanism using a novel end-point control session layer. The performance results show that the overhead of the mechanism is minimal. Further, Internet applications built using this mechanism scale better than those built using HTTP redirection.
Supporting Quality Of Service in HTTP Servers. Raju Pandey, J. Fritz Barnes, Ronald Olsson. Parallel and Distributed Computing Laboratory, Computer Science Department, University of California, Davis, CA 95616. {pandey, barnes, olsson}@cs.ucdavis.edu. Abstract ...
Web caching has emerged as one solution for improving client latency on the web. Cache effectiveness depends on the policies used to route requests to other caches and servers, to maintain up-to-date web objects and to remove objects from the cache. Traditional caches apply one set of policies, which determines the efficiency as well as the effectiveness of the caches.
Sensor networks are being deployed at massive scales, containing a range of platforms. Programming paradigms for sensor networks should meet the attendant challenges of scale and heterogeneity. Researchers have considered virtual machines as a means to address these challenges. However, in order to satisfy the resource limitations of sensor nodes, they export only a minimal set of services to the application programmer. This makes applications of even moderate complexity difficult to implement. We present VM, a framework for building resource-efficient virtual machines that scale and export comprehensive service suites on a per-application basis. We advocate the use of fine-grained software synthesis to build resource-efficient system software, and facilitate both application changes and system software upgrades at runtime through an efficient incremental update scheme. We have used our framework to build virtual machines on the Mica platform and describe how virtual machines are effective in meeting the difficult demands of heterogeneity and reprogrammability.
With sensor networks expected to be deployed for long periods of time, the ability to reprogram them remotely is necessary for providing new services, fixing bugs, and enhancing applications and system software. Given the envisioned scales of future sensor network deployments, their restricted accessibility, and the limited energy and computing resources of sensors, transmitting raw binary images is inefficient. We present a technique to minimize the cost of application evolution by remotely and incrementally linking updated modules at the base station, and distributing deltas of the pre-linked software modules. This paper provides details of our implementation, some preliminary results, and surveys critical research issues in developing a comprehensive framework for reprogramming sensor networks.
Virtual machines (VM) are promising as system software in networks of embedded systems and pervasive computing spaces. VMs facilitate the development of platform-independent applications with small footprints to enable low cost application distribution and evolution. A major impediment to their more widespread acceptance is the performance overhead of interpretation. Compiling VM bytecode to native instructions addresses this issue, but can increase footprint and code distribution costs. Thus, there is an important tradeoff between cost of computing, and cost of communication due to code distribution. In this paper, we describe a remote Just-In-Time (JIT) compilation service for the VMF framework that is effective in combining interpretation with native execution to arrive at an efficient hybrid execution configuration. The principles apply to any VM or middleware used to develop applications in sensor networks.
Sensor networks have received wide attention in recent years for their revolutionary impact in numerous fields. To harness their full potential, researchers are beginning to build end-to-end solutions that integrate heterogeneous sensor deployments with traditional networks. While such efforts will bring true value to the use of sensor networks, there are several challenges that need to be kept in
Resource constrained systems often are programmed using an event-based model. Many applications do not lend themselves well to an event-based approach, but preemptive multithreading pre-allocates resources that cannot be used even while not in use by the owning thread. In this paper, we propose a hybrid approach called Y-Threads. Y-Threads provide separate small stacks for blocking portions of applications, while allowing for shared stacks for non-blocking computations. We have implemented Y-Threads on Mica and Telos wireless sensor network platforms. The results show that Y-Threads provide a preemptive multithreaded programming model with resource utilization closer to an event-based approach. In addition, relatively large memory buffers can be allocated for temporary use with less overhead than conventional dynamic memory allocation methods.
Virtual machines (VM) are promising as system software in sensor networks. A major impediment to their widespread acceptance is their performance overhead. The compilation of VM byte code to native code improves performance, but increases the code's footprint and cost of code distribution. Thus, there is an important tradeoff between the cost of computing and the cost of communication due to code distribution. We describe a remote Just-In-Time compilation service that is effective in combining interpretation with native execution to arrive at an efficient hybrid execution configuration. The principles may be applied to any middleware that is used to develop applications for sensor networks.
Papers by Raju Pandey