Slide outline: Recap; Trustworthy Web Services; Trustworthy Computing; Categories of systems…; Examples; Techniques vary!; Importance of “COTS”; The dilemma; Are COTS trustworthy?; Is this enough?; SoS and SOAs; Example: the Air Force JBI; Inside the Battlespace InfoSphere (circa 1999); JBI Basics; Architectural Concept; A fusion of BIG systems; Observations?; Systems of Systems (SoS) and Service Oriented Architectures (SOAs); Implications of bigness?; Trusting multi-component systems; CS514 threat model; Our model; Network model; Execution model: asynchronous; Synchronous and Asynchronous Executions; Reality: neither one; Failure model; Detecting failures; Thought problem; Sam and Jill; They eat inside! Sam reasons:; Sam had better send an Ack; Why didn’t this help?; New and improved protocol; How Sam and Jill’s romance ended; Things we just can’t do; Consistency; Does this matter in big systems?; Why is this important?; A bad news story?; Trust and Consistency; Looking ahead; Homework (don’t hand it in)

CS514: Intermediate Course in Operating Systems
Professor Ken Birman
Vivek Vishnumurthy: TA

Recap
- We started by thinking about Web Services
  - Basically, a standardized architecture in which client systems talk to servers
  - Uses XML and other Web protocols
  - And will be widely popular (“ubiquitous”)
- Our goal is to build “trustworthy” systems using these standard, off-the-shelf techniques
- So we started to look at the issues top down

Recap
- First we looked at naming/discovery
- We asked what decisions need to be made
  - Client needs to pick the right service: I want this particular database, or display device
  - Service may have a high-level routing decision: send “East Coast” requests to the New Jersey center
  - Service also makes lower-level decisions: John Smith is doing a transaction; send requests to the same node if possible to benefit from caching
  - And finally the network does routing

Recap
- In the case of naming/discovery
  - We observed that the architecture doesn’t really offer “slots” for the associated logic
  - Developers can solve these problems, i.e. by using the DNS to redirect requests
  - But the solutions feel like hacks
- Ideally one would wish that Web Services tackled such issues. One day they will! But not for a decade…

Recap
- Next we looked at performance issues
  - We imagined that we’re building a service and want to increase the load it can handle
  - Led us to think about threading, staged event queuing (SEDA)
  - Eventually leads us to a clustered architecture with load-balancers
- Again, found that WS lacks key features

Trustworthy Web Services
- To have confidence in solutions we need rigorous technical answers
  - To questions like “tracking membership” or “data replication” or “recovery after crash”
- And we need these embodied into WS
  - For example, would want best-of-breed answers in some sort of discovery “tool” that applications can exploit

Trustworthy Computing
- Overall, we want to feel confident that the systems we build are “trustworthy”
- But what should this mean, and how realistic a goal is it?
- Today
  - Discuss some interpretations of the term
  - Settle on the “model” within which we’ll work during the remainder of the term

Categories of systems…
- Roles computing systems play vary widely
- Most computing systems aren’t critical in a minute-by-minute sense
- … but some systems matter more; if they are down, the enterprise is losing money
- … and very rarely, we need to build ultra-reliable systems for mission-critical uses

Examples
(Chart placing example systems on two axes: less “critical” to more “critical”, and benign threats to malicious attack; one region is marked “Our focus”.)
- Fly-by-wire control system for airplane
- Military weapons targeting system
- Microsoft.com website
- Hospital billing system
- Control of electric power grid
- Authentication system of a campus network

Techniques vary!
- Less critical systems that face accident (not attack) lend themselves to cheaper solutions
  - Particularly if we don’t mind outages when something crashes
- High or continuous availability is harder
- The mixture of time-critical, very secure, very high availability is particularly difficult
  - Solutions don’t integrate well with standard tools
  - “Secure and highly available” can also be slow

Importance of “COTS”
- The term means “commercial off the shelf”
- To understand the importance of COTS we need to understand the history of computing
  - Prior to 1980, “roll your own” was common
  - But then with CORBA (and its predecessors) well-supported standards won the day
  - Productivity benefits of using standards are enormous: better development tools, better system management support, better feature sets
- Today, most projects mandate COTS

The dilemma
- But major products have been relaxed about:
  - Many aspects of security
  - Reliability
  - Time-critical computing (not the same as “fast”)
- Jim Gray: “Microsoft is mostly interested in multi-billion dollar markets. And it isn’t feasible to make 100% of our customers happy. If we can make 80% of them happy 90% of the time, we’re doing just fine.”

Are COTS trustworthy?
- Security is improving but still pretty weak
  - Data is rarely protected “on the wire”
  - Systems are not designed with the threat of overt attack in mind
  - Often limited to perimeter security; if the attacker gets past the firewall, she’s home free
  - Auditing and system management functions are frequently inadequate

Are COTS trustworthy?
- Most COTS technologies do anticipate crashes and the need to restart
  - You can usually ask the system to watch your application and relaunch after failure
  - You can even ask for a restart on a different node
  - … but there won’t be any protection against split-brain problems
- So-called “transactional” model can help
- Alternatively can make checkpoints, or replicate critical data, but without platform help

Is this enough?
- The way COTS systems provide restart is potentially slow
  - Transactional “model” can’t offer high availability (we’ll see why later)
  - Often must wait for the failed machine to reboot, clean up its data structures, relaunch its main applications, etc.
  - In big commercial systems this could be minutes or even hours
- Not enough… if we want high availability

Are COTS trustworthy?
- Security… reliability… what about:
  - Time-critical applications, where we want to guarantee a response within some bounded time (and know that the application is fast enough… but worry about platform overheads and
CORNELL CS 514 - Lecture Slides