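@inproceedings{cappos07,
  author    = {Cappos, Justin and Baker, Scott and Plichta, Jeremy and Nyugen, Duy and Hardies, Jason and Borgard, Matt and Johnston, Jeffry and Hartman, John H.},
  title     = {Stork: Package Management for Distributed {VM} Environments},
  booktitle = {Proceedings of the 21st Large Installation System Administration Conference (LISA '08)},
  month     = nov,
  year      = {2007},
  pdf       = {papers/cappos07.pdf},
  internal-note = {booktitle says LISA '08 but year is 2007 -- one of the two is wrong, verify against the proceedings},
  abstract  = {In virtual machine environments each application is often run in
its own virtual machine (VM), isolating it from other applications
running on the same physical machine. Contention for memory,
disk space, and network bandwidth among virtual machines, coupled
with an inability to share due to the isolation virtual machines
provide, leads to heavy resource utilization. Additionally,
VMs increase management overhead as each is essentially a
separate system.
Stork is a package management tool for virtual machine environments that
is designed to alleviate these problems. Stork securely and efficiently
downloads packages to physical machines and shares packages between
VMs. Disk space and memory requirements are reduced because shared files,
such as libraries and binaries, require only one persistent copy per
physical machine. Experiments show that Stork reduces the disk space
required to install additional copies of a package by over an order of
magnitude, and memory by about 50\%. Stork downloads each package once per
physical machine no matter how many VMs install it. The transfer protocols
used during download improve elapsed time by 7X and reduce repository
traffic by an order of magnitude. Stork users can manage groups of VMs
with the ease of managing a single machine --- even groups that consist
of machines distributed around the world. Stork is a real service that
has run on PlanetLab for over four years and has managed thousands of VMs.},
}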
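@inproceedings{cappos08b,
  author    = {Cappos, Justin and Samuel, Justin and Baker, Scott and Hartman, John H.},
  title     = {A Look In the Mirror: Attacks on Package Managers},
  booktitle = {Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS '08)},
  month     = oct,
  year      = {2008},
  pdf       = {papers/ccs08.pdf},
  note      = {To appear},
  abstract  = {Package managers are a privileged, centralized mechanism for
software update and are essential to the security of modern
computers. This work studies the security of ten popular
package managers. These package managers use different
mechanisms to provide security including signatures embedded in
the package, signatures on metadata detached from the packages,
or a signature on the root metadata (a file that contains the
secure hashes of the package metadata). The security models
used by these package managers are compared and contrasted.
The threat model used to evaluate security in this paper
is an attacker that controls a mirror (a copy of the main
repository's contents for a distribution). We demonstrate that
it is trivial for an attacker to control an official mirror for
a popular distribution. An attacker can compromise a client who
either installs software created by the attacker or installs an
outdated version of a package with a vulnerability the attacker
knows how to exploit. Furthermore, every package manager studied
can be compromised by an attacker who controls a mirror without
compromising a private key. In fact, 5 of the 10 package
managers studied have security flaws that allow an attacker to
compromise every client that requests a package from the mirror.
We estimate that an attacker with a mirror that costs \$50 per
week could compromise between 150 and 1500 clients per week
depending on the package manager.
An existing package manager is modified to add a layered approach
to security where multiple signatures are used. The updated
package manager is evaluated in practical use. By using a
layered approach to security, the package manager provides a
high degree of usability and is not vulnerable to the attacks on
existing package managers. The overhead of additional security
mechanisms is 2--5\% in practice and so should not be a deterrent.
The purpose of this work is to not only point out security issues
and provide solutions but also to raise an alarm to the imminent
threat of attacks on package managers. Package managers are
a weak point in the security of modern computers. Given the
simplicity of compromising systems through package managers,
developers and distributions must act quickly and intelligently
to avert disaster.},
}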
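@inproceedings{cappos08a,
  author    = {Cappos, Justin and Hartman, John H.},
  title     = {{San Ferm{\'\i}n}: Aggregating Large Data Sets using Dynamic Binomial Trees},
  booktitle = {Proceedings of the 5th USENIX Symposium on Networked Systems Design \& Implementation (NSDI '08)},
  month     = apr,
  year      = {2008},
  pdf       = {papers/nsdi08.pdf},
  abstract  = {San Ferm{\'\i}n is a system for aggregating large amounts
of data from the nodes of large-scale distributed systems.
Each San Ferm{\'\i}n node individually computes the aggregated
result by swapping data with other nodes to dynamically create
its own binomial tree. Nodes that fall behind abort their
trees, thereby reducing overhead. Having each node create
its own binomial tree makes San Ferm{\'\i}n highly resilient to
failures and ensures that the internal nodes of the tree have
high capacity, thereby reducing completion time.
Compared to existing solutions, San Ferm{\'\i}n handles large
aggregations better, has higher completeness when nodes fail,
computes the result faster, and has better scalability.
We analyze the completion time, completeness, and overhead
of San Ferm{\'\i}n versus existing solutions using analytical
models, simulation, and experimentation with a prototype built on
peer-to-peer system deployed on PlanetLab. Our evaluation shows
that San Ferm{\'\i}n is scalable both in the number of nodes and
in the aggregated data size. San Ferm{\'\i}n aggregates large
amounts of data significantly faster than existing solutions:
compared to SDIMS, an existing aggregation system, San Ferm{\'\i}n
computes a 1MB result from 100 PlanetLab nodes in 61--76\%
of the time and from 2--6 times as many nodes. Even if 10\% of
the nodes fail during aggregation, San Ferm{\'\i}n still includes
the data from 97\% of the nodes in the result and does so faster
than the underlying peer-to-peer system recovers from failures.},
}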
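@inproceedings{cappos05,
  author    = {Cappos, Justin and Hartman, John H.},
  title     = {Why It Is Hard to Build a Long Running Service on {PlanetLab}},
  booktitle = {Workshop on Real Large Distributed Systems (WORLDS)},
  month     = dec,
  year      = {2005},
  pdf       = {papers/worlds05.pdf},
  abstract  = {PlanetLab was conceived as both an experimental testbed and a platform
for long-running services. It has been quite successful at the former,
less so at the latter. In this paper we examine why. The crux
of the problem is that there are few incentives for researchers to
develop long-running services. Research prototypes fulfill publishing
requirements, whereas long-running services do not. Several groups have
tried to deploy \emph{research services}, long-running services that are
useful, but also novel enough to be published. These services have been
generally unsuccessful. In this paper we discuss the difficulties in
developing a research service, our experiences in developing a research
service called Stork, and offer suggestions on how to increase the
incentives for researchers to develop research services.},
}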
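@article{muir06,
  author   = {Muir, Steve and Peterson, Larry and Fiuczynski, Marc and Cappos, Justin and Hartman, John H.},
  title    = {Privileged Operations in a Virtualised System Environment},
  journal  = {Operating Systems Review},
  volume   = {40},
  number   = {1},
  pages    = {75--88},
  year     = {2006},
  pdf      = {papers/osr06.pdf},
  abstract = {Virtualised systems have experienced a resurgence in popularity in recent
years, whether used to support multiple OSes running on a user's
desktop, provide commercial application hosting facilities, or isolate
a large number of users from each other in global network testbeds. We
also see an increasing level of interest in having entities within
these virtualised systems interact with each other, either as peers
or as helpers providing a service to clients. Very little work has
been previously conducted on how such interaction between virtualised
environments can take place. We introduce Proper, a service running
on the PlanetLab system, that allows unprivileged entities to access
privileged operations in a safe, tightly controlled manner. This paper
describes our work designing and implementing Proper, including a
discussion of the various architectural decisions made. We describe
how implementing such a system in a traditional UNIX environment is
non-trivial, and provide a number of examples of how services running
on PlanetLab actually use Proper.},
}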
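@inproceedings{huang06b,
  author    = {Huang, Huilong and Hartman, John H. and Hurst, Terril},
  title     = {Efficient and Robust Query Processing for Mobile Wireless Sensor Networks},
  booktitle = {Proceedings of the 2006 IEEE Globecom Conference},
  month     = nov,
  year      = {2006},
  pdf       = {papers/globecom06.pdf},
  abstract  = {We present CNFS, an algorithm for efficient and robust query
processing for mobile wireless sensor networks. CNFS is a
walk-based algorithm that is biased to visit nodes close to the
source first. This bias is accomplished by collecting topology
information about the network as the search progresses. This
information is also used to tolerate changes in the network
topology caused by node mobility that could otherwise cause the
query to fail. As a result, CNFS requires fewer messages to
process a query than flooding-based algorithms, while tolerating
node mobility better than random walk-based algorithms.
Our experiments show that in medium-density networks (average
node degree 8.3) CNFS requires about 37\% fewer messages than
the other algorithms studied, while experiencing significantly
fewer query failures than random walk-based algorithms in both
sparse and dense networks. CNFS's success rate is comparable to
flooding-based algorithms in dense networks and slightly worse
in sparse networks.},
}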
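@inproceedings{huang06a,
  author    = {Huang, Huilong and Hartman, John H. and Hurst, Terril},
  title     = {Data-Centric Routing in Sensor Networks using Biased Walk},
  booktitle = {Proceedings of the 2006 IEEE SECON Conference},
  month     = sep,
  year      = {2006},
  pdf       = {papers/secon06.pdf},
  abstract  = {We present Spiral, a data-centric routing algorithm for short-term
communication in unstructured sensor networks. Conventional
data-centric routing algorithms are based on flooding or random
walk. Flooding returns the shortest route but has a high search cost;
random walk has a lower search cost but returns a sub-optimal route.
Spiral offers a compromise between these two extremes --- it has a lower
search cost than flooding and returns better routes than random walk.
Spiral is a biased walk that visits nodes near the source before more
distant nodes. This results in a spiral-like search path that is not
only more likely to find a closer copy of the desired data than random
walk, but is also able to compute a shorter route because the network
around the source is more thoroughly explored. Our experiments show
that in a 500-node network with an average degree of 20 and two copies
of every data object, for a short-term communication of 40 packets the
total communication cost by Spiral is only 72\% of that by flooding, 81\%
of ERS, 74\% of random walk, and 73\% of DFS.},
}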
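@inproceedings{linn05,
  author    = {Linn, C. M. and Rajagopalan, M. and Baker, S. and Collberg, C. and Debray, S. K. and Hartman, J. H.},
  title     = {Protecting Against Unexpected System Calls},
  booktitle = {Proceedings of the 2005 USENIX Security Conference},
  month     = aug,
  year      = {2005},
  pdf       = {papers/security05.pdf},
  abstract  = {This paper proposes a comprehensive set of techniques which limit the
scope of remote code injection attacks. These techniques prevent any
injected code from making system calls and thus restrict the capabilities
of an attacker. In defending against the traditional ways of harming a
system these techniques significantly raise the bar for compromising the
host system forcing the attack code to take extraordinary steps that may
be impractical in the context of a remote code injection attack. There
are two main aspects to our approach. The first is to embed semantic
information into executables identifying the locations of legitimate
system call instructions; system calls from other locations are treated
as intrusions. The modifications we propose are transparent to user level
processes that do not wish to use them (so that, for example, it is still
possible to run unmodified third-party software), and add more security
at minimal cost for those binaries that have the special information
present. The second is to back this up using a variety of techniques,
including a novel approach to encoding system call traps into the OS
kernel, in order to deter mimicry attacks. Experiments indicate that our
approach is effective against a wide variety of code injection attacks.},
}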
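@inproceedings{baker04mirage,
  author    = {Baker, Scott and Hartman, John H.},
  title     = {The {Mirage} {NFS} Router},
  booktitle = {Proceedings of the 29th IEEE Conference on Local Area Networks},
  address   = {Tampa, FL},
  month     = nov,
  year      = {2004},
  pdf       = {papers/mirage.pdf},
  abstract  = {Mirage aggregates multiple NFS servers into a single, virtual NFS file
server. It is interposed between the NFS clients and servers, making
the clients believe that they are communicating with a single, large
server. Mirage is an NFS router because it routes an NFS request from a
client to the proper NFS server, and routes the reply back to the proper
client. Experiments with a Mirage prototype show that Mirage effectively
virtualizes an NFS server using unmodified clients and servers. Mirage
imposes a negligible overhead on a realistic NFS workload. On real world
workloads, such as a collection of clients executing compile jobs over
NFS, Mirage imposes an overhead of 3\% as compared to a proxy that simply
forwards packets.},
}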
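@inproceedings{collberg05slinky,
  author    = {Collberg, Christian and Hartman, John H. and Babu, Sridivya and Udupa, Sharath K.},
  title     = {Slinky: Static Linking Reloaded},
  booktitle = {Proceedings of the 2005 USENIX Technical Conference},
  year      = {2005},
  pdf       = {papers/slinky.pdf},
  abstract  = {Static linking has many advantages over dynamic linking. It is simple
to understand, implement, and use. It ensures that an executable is
self-contained and does not depend on a particular set of libraries
during execution. As a consequence, the user executes exactly the same
executable image as was tested by the developer, diminishing the risk
that the user's environment will affect correct behavior. The major
disadvantages of static linking are increases in the memory required
to run an executable, network bandwidth to transfer it, and disk space
to store it. In this paper we describe the Slinky system that uses
digest-based sharing to combine the simplicity of static linking with
the space savings of dynamic linking: although Slinky executables are
completely self-contained, minimal performance and disk-space penalties
are incurred if two executables use the same library. We have developed a
Slinky prototype that consists of tools for adding digests to executables,
a slight modification of the Linux kernel to use those digests to share
code pages, and tools for transferring files between machines based
on digests of their contents. Results show that our prototype has no
measurable performance decrease relative to dynamic linking, a comparable
memory footprint, a 20\% storage space increase, and a 34\% increase in
the network bandwidth required to transfer the packages. We believe
that Slinky obviates many of the justifications for dynamic linking,
making static linking a superior technology for software organization
and distribution.},
}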
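@inproceedings{muir05proper,
  author    = {Muir, Steve and Peterson, Larry and Fiuczynski, Marc and Cappos, Justin and Hartman, John H.},
  title     = {Proper: Privileged Operations in a Virtualised System Environment},
  booktitle = {Proceedings of the 2005 USENIX Technical Conference},
  year      = {2005},
  pdf       = {papers/usenix05.pdf},
  note      = {(Short paper).},
}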
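@article{baker05swarm,
  author   = {Hartman, John H. and Baker, Scott and Murdock, Ian},
  title    = {Customizing the {Swarm} Storage System using Agents},
  journal  = {Software: Practice \& Experience},
  volume   = {36},
  number   = {2},
  pages    = {117--137},
  year     = {2006},
  pdf      = {papers/swarm.pdf},
  internal-note = {citation key says baker05 but the first author is Hartman and year is 2006 -- verify the year},
  abstract = {Swarm is a scalable, modular storage system that uses agents to
customize low-level storage functions to meet the needs of high-level
services. Agents influence low-level storage functions such as data
layout, metadata management, and crash recovery. An agent is a program
that is attached to data in the storage system and invoked when events
occur during the data's lifetime. For example, before Swarm writes
data to disk, agents attached to the data are invoked to determine a
layout policy. Agents are typically persistent, remaining attached to
the data they manage until the data are deleted; this allows agents to
continue to affect how the data are handled long after the application
or storage service that created the data has terminated. In this paper,
we present Swarm's agent architecture, describe the types of agents that
Swarm supports and the infrastructure used to support them, and discuss
their performance overhead and security implications. We describe how
several storage services and applications use agents, and the benefits
they derive from doing so.},
}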
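@inproceedings{rosa03rbq,
  author    = {de la Rosa, Eugenio and Hartman, John H. and Hurst, Terril},
  title     = {Analysis of the {Restricted Broadcast Query} ({RBQ}) Cooperation Mechanism},
  booktitle = {Proceedings of the SPIE-ITCom, Performance and Control of Next-Generation Communications Networks},
  month     = sep,
  year      = {2003},
}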
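@inproceedings{proebsting97toba,
  author    = {Proebsting, Todd A. and Townsend, Gregg and Bridges, Patrick and Hartman, John H. and Newsham, Tim and Watterson, Scott A.},
  title     = {Toba: {Java} For Applications, A Way Ahead of Time ({WAT}) Compiler},
  booktitle = {Proceedings of the 3rd USENIX Conference on Object-Oriented Technologies and Systems (COOTS)},
  month     = jun,
  year      = {1997},
}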
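@inproceedings{drapeau94raidii,
  author    = {Drapeau, Ann L. and Shirriff, Ken W. and Hartman, John H. and Miller, Ethan L. and Seshan, Srinivasan and Katz, Randy H. and Lutz, Ken and Patterson, David A. and Lee, Edward K. and Chen, Peter H. and Gibson, Garth A.},
  title     = {{RAID-II}: A High-Bandwidth Network File Server},
  booktitle = {Proceedings of the 21st Annual International Symposium on Computer Architecture},
  pages     = {234--244},
  year      = {1994},
}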
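@article{baker01gecko,
  author  = {Baker, Scott and Hartman, John H.},
  title   = {The Design and Implementation of the {Gecko} {NFS} {Web} Proxy},
  journal = {Software: Practice \& Experience},
  volume  = {31},
  number  = {7},
  pages   = {637--665},
  year    = {2001},
}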
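@article{Peterson_JSAC_2001,
  author  = {Peterson, Larry and Gottlieb, Yitzchak and Hibler, Mike and
             Tullmann, Patrick and Lepreau, Jay and Schwab, Steve and
             Dandelkar, Hrishikesh and Purtell, Andrew and Hartman, John},
  title   = {An {OS} Interface for Active Routers},
  journal = {IEEE Journal on Selected Areas in Communications},
  volume  = {19},
  number  = {3},
  pages   = {473--487},
  month   = mar,
  year    = {2001},
}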
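@article{Spatscheck_TON_2000,
  author  = {Spatscheck, Oliver and Hansen, J{\o}rgen S. and Hartman, John H.
             and Peterson, Larry L.},
  title   = {Optimizing {TCP} Forwarder Performance},
  journal = {IEEE/ACM Transactions on Networking},
  volume  = {8},
  number  = {2},
  pages   = {146--157},
  month   = apr,
  year    = {2000},
}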
@article{baker99gecko,
  author  = {Baker, Scott and Hartman, John H.},
  title   = {The {Gecko NFS Web} Proxy},
  journal = {Computer Networks: The International Journal of Computer and Telecommunications Networking},
  volume  = {31},
  number  = {11--16},
  pages   = {1725--1736},
  month   = may,
  year    = {1999},
  note    = {Also published in the Proceedings of the 8th International Conference on the World Wide Web.},
}
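@article{hartman00,
  author  = {Hartman, John and Peterson, Larry and Bavier, Andy and Bigot, Peter and Bridges, Patrick and Montz, Brady and Piltz, Rob and Proebsting, Todd and Spatscheck, Oliver},
  title   = {Experiences Building a Communication-Oriented {JavaOS}},
  journal = {Software: Practice \& Experience},
  volume  = {30},
  number  = {10},
  pages   = {1107--1126},
  year    = {2000},
}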
@inproceedings{hartman99,
  author    = {Hartman, John H. and Murdock, Ian and Spalink, Tammo},
  title     = {The {Swarm} Scalable Storage System},
  booktitle = {International Conference on Distributed Computing Systems},
  pages     = {74--81},
  year      = {1999},
}
@inproceedings{hartman90,
  author    = {Hartman, John H. and Ousterhout, John K.},
  title     = {Performance Measurements of a Multiprocessor {Sprite} Kernel},
  booktitle = {{USENIX} Summer},
  pages     = {279--288},
  year      = {1990},
}
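@inproceedings{baker91,
  author    = {Baker, Mary G. and Hartman, John H. and Kupfer, Michael D. and Shirriff, Ken W. and Ousterhout, John K.},
  title     = {Measurements of a Distributed File System},
  booktitle = {Proceedings of the 13th {ACM} Symposium on Operating Systems Principles},
  publisher = {Association for Computing Machinery SIGOPS},
  pages     = {198--212},
  year      = {1991},
}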
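@inproceedings{sarkar96,
  author    = {Sarkar, Prasenjit and Hartman, John},
  title     = {Efficient Cooperative Caching using Hints},
  booktitle = {Proceedings of the 2nd {ACM} Symposium on Operating Systems Design and Implementation ({OSDI})},
  address   = {Seattle, WA},
  year      = {1996},
}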
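@article{sarkar00,
  author  = {Sarkar, Prasenjit and Hartman, John H.},
  title   = {Hint-Based Cooperative Caching},
  journal = {ACM Transactions on Computer Systems},
  volume  = {18},
  number  = {4},
  pages   = {387--419},
  year    = {2000},
}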
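@inproceedings{Murdock00,
  author    = {Murdock, Ian and Hartman, John H.},
  title     = {Swarm: A Log-Structured Storage System for {Linux}},
  booktitle = {Proceedings of the FREENIX Track: 2000 USENIX Annual Technical Conference},
  month     = jun,
  year      = {2000},
}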
@article{spalink00,
  author  = {Spalink, Tammo and Hartman, John H. and Gibson, Garth},
  title   = {A Mobile Agent's Effect on File Service},
  journal = {IEEE Concurrency},
  volume  = {8},
  number  = {2},
  pages   = {62--69},
  year    = {2000},
}