Operating Systems Lecture Notes
23 April 2012 • Web Operating Systems
Outline
Introduction
A read-only web; writing and computing are hard.
Want distributed, available, scalable, reconfigurable applications.
Dynamic reconfiguration and mobility.
Overall availability, better performance, increased resiliency.
Existing technologies include active networks and Java.
Approach
Application-independent middleware (an OS in the clouds).
Process management over users.
Distributed file systems.
Security and rights management.
Possible applications include content distribution (CDNs) and virtual server farms.
Techniques
Global naming is transparent, but influenced by requirements.
The closest or fastest.
File systems (name-object mappings) with caching and replication.
Authentication and access across autonomous domains.
Process management at system and user levels.
The split between local and global (distributed) function. Should there even be one?
Naming
Abstractions for location-independent, dynamic naming.
Named entities may change in scope (replication, for example) and location.
Name resolution also caters to, for example, load balancing and availability.
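The naming bullets above describe resolution that is location-independent yet aware of replication, load and availability. The following is an added example, not code from the notes or from the WebOS paper: a small name service in which clients only ever hold a stable name, while the replicas behind it can be added, moved, or marked unhealthy. Resolution prefers a healthy replica in the client's region, then the least loaded, then the fastest. The region field as a "closeness" measure and the latency figures are constructed assumptions.

```python
"""Added example (not from the notes): a location-independent name service whose
resolution step does replica selection for availability and load balancing."""
from dataclasses import dataclass


@dataclass
class Replica:
    host: str          # where the object currently lives
    region: str        # crude "closeness" measure (assumption)
    latency_ms: float  # constructed measurement
    healthy: bool = True
    load: int = 0      # requests routed here so far


class NameService:
    """Maps a stable name to a changing set of replicas.

    Clients see only the name; replicas may be added, removed, moved or
    marked unhealthy underneath without any client-visible rebinding.
    """

    def __init__(self):
        self._table = {}  # name -> list of Replica

    def bind(self, name, replica):
        self._table.setdefault(name, []).append(replica)

    def unbind(self, name, host):
        self._table[name] = [r for r in self._table.get(name, []) if r.host != host]

    def migrate(self, name, host, new_region):
        """The object moves; the name stays the same."""
        for r in self._table.get(name, []):
            if r.host == host:
                r.region = new_region

    def set_health(self, name, host, healthy):
        for r in self._table.get(name, []):
            if r.host == host:
                r.healthy = healthy

    def where(self, name):
        """Current (host, region) pairs behind a name, for inspection."""
        return [(r.host, r.region) for r in self._table.get(name, [])]

    def resolve(self, name, client_region):
        """Pick a healthy replica: same region first, then least loaded, then fastest.

        Raises LookupError when no healthy replica remains, so a caller can
        distinguish "name unknown or unavailable" from a bad host.
        """
        candidates = [r for r in self._table.get(name, []) if r.healthy]
        if not candidates:
            raise LookupError(f"no available replica for {name}")
        best = min(candidates,
                   key=lambda r: (r.region != client_region, r.load, r.latency_ms))
        best.load += 1  # count this routing decision for balancing
        return best.host


if __name__ == "__main__":
    ns = NameService()
    ns.bind("/cdn/video.mp4", Replica("r1.eu", "eu", 20.0))
    ns.bind("/cdn/video.mp4", Replica("r2.eu", "eu", 15.0))
    ns.bind("/cdn/video.mp4", Replica("r3.us", "us", 5.0))
    for _ in range(3):
        print(ns.resolve("/cdn/video.mp4", "eu"))
```

Repeated resolutions from the same region alternate between the two local replicas because load is compared before latency; once both local replicas are unhealthy the name silently resolves to the remote one, which is the availability property the notes are after.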
Persistent Shared State
State that exists independent of readers and writers, which are unconstrained by the state.
Shared state is a more natural model than explicit networking.
But there are a lot of expensive assumptions lurking.
Consistency and coherence being two big ones.
Consistent and coherent shared state is an important abstraction.
The Man
Quotidian and extraordinary (which is also quotidian) protection.
Quotidian protection supports recognized activities.
Extraordinary protection prevents unrecognized (or unwanted) activities.
Extraordinary protection is universal; quotidian protection is local.
Abstractions must distribute quotidian protection outward along with the implementation.
Certificates
A certificate is a grant of transferable rights.
A.k.a. capabilities.
Reference monitors are responsible for certificate verification and validation.
This can be a chain-of-trust model, or something more nebulous (webs of trust).
Other requirements include delegation and revocation.
Domains
A security domain is an environment (resource set) satisfying a certificate.
Allowing what’s allowed; denying (or disabling) what’s not.
Security domains are not portable, but should seem to be so.
The security manager constructs the domain from, among other things, the certificate.
Roles
Not all certificate rights are appropriate in all security domains.
The agent can do lots of things; the client (domain) should do only what’s necessary.
A role is a function with a particular set of minimal permissions.
Roles are created by agents from their problems and credentials.
This is similar to role-based protection.
Authorization
Given an authentic agent and an expected operation, can the agent do the operation?
Is the client authorized?
The access-control list (ACL) is the abstraction in support.
Capabilities vs. ACLs.
Reference monitors translate certificates into principals for ACLs.
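The Certificates, Domains, Roles and Authorization sections above describe one pipeline: a certificate chain is verified by a reference monitor, the resulting rights are attenuated to a role's minimal set to form the security domain, and the certificate is translated into a principal for an ACL check. The following added example, which is neither the notes' nor the WebOS project's code, walks that pipeline end to end. Signatures are simulated with HMAC over per-issuer secret keys (an assumption standing in for public-key signatures); the issuer names, serials, rights, roles and ACL entries are all constructed.

```python
"""Added example (not from the notes): a toy reference monitor that verifies
delegation chains of capability certificates, honours revocation, attenuates
rights to a role, and maps the certificate to an ACL principal."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed issuer keys. HMAC stands in for real signatures (assumption).
ISSUER_KEYS = {
    "root-ca": b"constructed-root-key",
    "alice": b"constructed-alice-key",
    "bob": b"constructed-bob-key",
}


@dataclass(frozen=True)
class Certificate:
    issuer: str
    subject: str
    rights: frozenset  # transferable rights, i.e. a capability
    serial: str        # handle used for revocation
    signature: bytes


def _payload(issuer, subject, rights, serial):
    return json.dumps([issuer, subject, sorted(rights), serial]).encode()


def issue(issuer, subject, rights, serial):
    """issuer grants subject a set of rights; the grant is itself transferable."""
    sig = hmac.new(ISSUER_KEYS[issuer], _payload(issuer, subject, rights, serial),
                   hashlib.sha256).digest()
    return Certificate(issuer, subject, frozenset(rights), serial, sig)


def signature_valid(cert):
    key = ISSUER_KEYS.get(cert.issuer)
    if key is None:
        return False
    expected = hmac.new(key, _payload(cert.issuer, cert.subject, cert.rights, cert.serial),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


class ReferenceMonitor:
    def __init__(self, trust_root, roles, acl):
        self.trust_root = trust_root
        self.roles = {r: frozenset(ops) for r, ops in roles.items()}
        self.acl = acl  # object -> {principal: set of operations}
        self.revoked = set()

    def revoke(self, serial):
        self.revoked.add(serial)

    def verify_chain(self, chain):
        """Rights held by the chain's last subject, or None if the chain is invalid.

        Each link must be anchored at the trust root, signed by its issuer, issued
        by the previous subject, unrevoked, and must not grant more than the
        issuer itself holds (over-delegation is rejected, not silently trimmed).
        """
        if not chain or chain[0].issuer != self.trust_root:
            return None
        expected_issuer, held = self.trust_root, None
        for cert in chain:
            if cert.issuer != expected_issuer or cert.serial in self.revoked:
                return None
            if not signature_valid(cert):
                return None
            if held is not None and not cert.rights <= held:
                return None
            held, expected_issuer = cert.rights, cert.subject
        return held

    def domain_rights(self, chain, role):
        """The security domain: certificate rights attenuated to the role's minimal set."""
        held = self.verify_chain(chain)
        if held is None:
            return frozenset()
        return held & self.roles.get(role, frozenset())

    def authorize(self, chain, role, obj, op):
        """Capability check first, then the ACL check on the translated principal."""
        if op not in self.domain_rights(chain, role):
            return False
        principal = chain[-1].subject  # certificate -> principal for the ACL
        return op in self.acl.get(obj, {}).get(principal, set())


if __name__ == "__main__":
    root_to_alice = issue("root-ca", "alice", {"read", "write", "exec"}, "001")
    alice_to_bob = issue("alice", "bob", {"read", "write"}, "002")
    rm = ReferenceMonitor("root-ca", {"viewer": {"read"}, "editor": {"read", "write"}},
                          {"/data/report": {"bob": {"read", "write"}}})
    print(rm.authorize([root_to_alice, alice_to_bob], "viewer", "/data/report", "write"))
```

The two checks are deliberately independent: a role can narrow what a holder of a broad certificate may do inside one domain, while the ACL still says which principals an object's owner accepts. Revoking the root's grant to alice invalidates everything delegated from it, which is the usual consequence of chain-of-trust verification.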
Process Control
Extended local abstractions over remote processors.
Local safety via separate address spaces.
Fair resource allocations.
The problem is to extend these properties to remote processors.
Process Management
Remote requests arrive at resource managers on each site.
Resource managers create and hand off requests to virtual machines.
Virtual machines interact with reference monitors.
Resources are allocated to virtual machines, then to processes.
Essentially a “portable” security domain.
Summary
Operating-system functions can be exported throughout the cloud.
As an operating system.
Dynamic resource placement enables useful naming, balance, and tolerance.
Fine-grained, role-managed security extends to security domains over the network.
References
WebOS: Operating System Services for Wide-Area Applications, by Amin Vahdat and others, in Proceedings of the 7th IEEE International Symposium on High Performance Distributed Computing, July 1998.
This page last modified on 2012 April 25.