Justin Cappos, Justin Samuel, Scott Baker, and John H. Hartman. “A look in the mirror: Attacks on package managers”. In Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS '08), October 2008. To appear. [ bib | PDF ]
Package managers are a privileged, centralized mechanism for software update and are essential to the security of modern computers. This work studies the security of ten popular package managers. These package managers use different mechanisms to provide security including signatures embedded in the package, signatures on metadata detached from the packages, or a signature on the root metadata (a file that contains the secure hashes of the package metadata). The security models used by these package managers are compared and contrasted. The threat model used to evaluate security in this paper is an attacker that controls a mirror (a copy of the main repository's contents for a distribution). We demonstrate that it is trivial for an attacker to control an official mirror for a popular distribution. An attacker can compromise a client who either installs software created by the attacker or installs an outdated version of a package with a vulnerability the attacker knows how to exploit. Furthermore, every package manager studied can be compromised by an attacker who controls a mirror without compromising a private key. In fact, 5 of the 10 package managers studied have security flaws that allow an attacker to compromise every client that requests a package from the mirror. We estimate that an attacker with a mirror that costs $50 per week could compromise between 150 and 1500 clients per week depending on the package manager.
An existing package manager is modified to add a layered approach to security where multiple signatures are used. The updated package manager is evaluated in practical use. By using a layered approach to security, the package manager provides a high degree of usability and is not vulnerable to the attacks on existing package managers. The overhead of additional security mechanisms is 2-5
The purpose of this work is to not only point out security issues and provide solutions but also to raise an alarm to the imminent threat of attacks on package managers. Package managers are a weak point in the security of modern computers. Given the simplicity of compromising systems through package managers, developers and distributions must act quickly and intelligently to avert disaster.
Justin Cappos and John H. Hartman. “San Fermin: Aggregating large data sets using dynamic binomial trees”. In Proceedings of the 5th USENIX Symposium on Networked Systems Design & Implementation (NSDI '08), April 2008. [ bib | PDF ]
San Fermín is a system for aggregating large amounts of data from the nodes of large-scale distributed systems. Each San Fermín node individually computes the aggregated result by swapping data with other nodes to dynamically create its own binomial tree. Nodes that fall behind abort their trees, thereby reducing overhead. Having each node create its own binomial tree makes San Fermín highly resilient to failures and ensures that the internal nodes of the tree have high capacity, thereby reducing completion time. Compared to existing solutions, San Fermín handles large aggregations better, has higher completeness when nodes fail, computes the result faster, and has better scalability. We analyze the completion time, completeness, and overhead of San Fermín versus existing solutions using analytical models, simulation, and experimentation with a prototype built on a peer-to-peer system deployed on PlanetLab. Our evaluation shows that San Fermín is scalable both in the number of nodes and in the aggregated data size. San Fermín aggregates large amounts of data significantly faster than existing solutions: compared to SDIMS, an existing aggregation system, San Fermín computes a 1MB result from 100 PlanetLab nodes in 61-76% of the time and from 2-6 times as many nodes. Even if 10% of the nodes fail during aggregation, San Fermín still includes the data from 97% of the nodes in the result and does so faster than the underlying peer-to-peer system recovers from failures.
Justin Cappos, Scott Baker, Jeremy Plichta, Duy Nyugen, Jason Hardies, Matt Borgard, Jeffry Johnston, and John H. Hartman. “Stork: Package management for distributed VM environments”. In Proceedings of the 21st Large Installation System Administration Conference (LISA '08), November 2007. [ bib | PDF ]
In virtual machine environments each application is often run in its own virtual machine (VM), isolating it from other applications running on the same physical machine. Contention for memory, disk space, and network bandwidth among virtual machines, coupled with an inability to share due to the isolation virtual machines provide, leads to heavy resource utilization. Additionally, VMs increase management overhead as each is essentially a separate system. Stork is a package management tool for virtual machine environments that is designed to alleviate these problems. Stork securely and efficiently downloads packages to physical machines and shares packages between VMs. Disk space and memory requirements are reduced because shared files, such as libraries and binaries, require only one persistent copy per physical machine. Experiments show that Stork reduces the disk space required to install additional copies of a package by over an order of magnitude, and memory by about 50 physical machine no matter how many VMs install it. The transfer protocols used during download improve elapsed time by 7X and reduce repository traffic by an order of magnitude. Stork users can manage groups of VMs with the ease of managing a single machine - even groups that consist of machines distributed around the world. Stork is a real service that has run on PlanetLab for over four years and has managed thousands of VMs.
Huilong Huang, John H. Hartman, and Terril Hurst. “Efficient and robust query processing for mobile wireless sensor networks”. In Proceedings of the 2006 IEEE Globecom Conference, November 2006. [ bib | PDF ]
We present CNFS, an algorithm for efficient and robust query processing for mobile wireless sensor networks. CNFS is a walk-based algorithm that is biased to visit nodes close to the source first. This bias is accomplished by collecting topology information about the network as the search progresses. This information is also used to tolerate changes in the network topology caused by node mobility that could otherwise cause the query to fail. As a result, CNFS requires fewer messages to process a query than flooding-based algorithms, while tolerating node mobility better than random walk-based algorithms. Our experiments show that in medium-density networks (average node degree 8.3) CNFS requires about 37 the other algorithms studied, while experiencing significantly fewer query failures than random walk-based algorithms in both sparse and dense networks. CNFS's success rate is comparable to flooding-based algorithms in dense networks and slightly worse in sparse networks.
Huilong Huang, John H. Hartman, and Terril Hurst. “Data-centric routing in sensor networks using biased walk”. In Proceedings of the 2006 IEEE SECON Conference, September 2006. [ bib | PDF ]
We present Spiral, a data-centric routing algorithm for short-term communication in unstructured sensor networks. Conventional data-centric routing algorithms are based on flooding or random walk. Flooding returns the shortest route but has a high search cost; random walk has a lower search cost but returns a sub-optimal route. Spiral offers a compromise between these two extremes - it has a lower search cost than flooding and returns better routes than random walk. Spiral is a biased walk that visits nodes near the source before more distant nodes. This results in a spiral-like search path that is not only more likely to find a closer copy of the desired data than random walk, but is also able to compute a shorter route because the network around the source is more thoroughly explored. Our experiments show that in a 500-node network with an average degree of 20 and two copies of every data object, for a short-term communication of 40 packets the total communication cost by Spiral is only 72% of ERS, 74% of random walk, and 73% of DFS.
S. Muir, L. Peterson, M. Fiuczynski, J. Cappos, and J. Hartman. “Privileged operations in a virtualised system environment”. Operating Systems Review, 40(1):75-88, 2006. [ bib | PDF ]
Virtualised systems have experienced a resurgence in popularity in recent years, whether used to support multiple OSes running on a user's desktop, provide commercial application hosting facilities, or isolate a large number of users from each other in global network testbeds. We also see an increasing level of interest in having entities within these virtualised systems interact with each other, either as peers or as helpers providing a service to clients. Very little work has been previously conducted on how such interaction between virtualised environments can take place. We introduce Proper, a service running on the PlanetLab system, that allows unprivileged entities to access privileged operations in a safe, tightly controlled manner. This paper describes our work designing and implementing Proper, including a discussion of the various architectural decisions made. We describe how implementing such a system in a traditional UNIX environment is non-trivial, and provide a number of examples of how services running on PlanetLab actually use Proper.
John H. Hartman, Scott Baker, and Ian Murdock. “Customizing the Swarm storage system using agents”. Software - Practice & Experience, 36(2):117-137, 2006. [ bib | PDF ]
Swarm is a scalable, modular storage system that uses agents to customize low-level storage functions to meet the needs of high-level services. Agents influence low-level storage functions such as data layout, metadata management, and crash recovery. An agent is a program that is attached to data in the storage system and invoked when events occur during the data's lifetime. For example, before Swarm writes data to disk, agents attached to the data are invoked to determine a layout policy. Agents are typically persistent, remaining attached to the data they manage until the data are deleted; this allows agents to continue to affect how the data are handled long after the application or storage service that created the data has terminated. In this paper, we present Swarm's agent architecture, describe the types of agents that Swarm supports and the infrastructure used to support them, and discuss their performance overhead and security implications. We describe how several storage services and applications use agents, and the benefits they derive from doing so.
Justin Cappos and John H. Hartman. “Why it is hard to build a long running service on PlanetLab”. In Workshop on Real Large Distributed Systems (WORLDS), December 2005. [ bib | PDF ]
PlanetLab was conceived as both an experimental testbed and a platform for long-running services. It has been quite successful at the former, less so at the latter. In this paper we examine why. The crux of the problem is that there are few incentives for researchers to develop long-running services. Research prototypes fulfill publishing requirements, whereas long-running services do not. Several groups have tried to deploy research services, long-running services that are useful, but also novel enough to be published. These services have been generally unsuccessful. In this paper we discuss the difficulties in developing a research service, our experiences in developing a research service called Stork, and offer suggestions on how to increase the incentives for researchers to develop research services.
C. M. Linn, M. Rajagopalan, S. Baker, C. Collberg, S. K. Debray, and J. H. Hartman. “Protecting against unexpected system calls”. In Proceedings of the 2005 Usenix Security Conference, August 2005. [ bib | PDF ]
This paper proposes a comprehensive set of techniques which limit the scope of remote code injection attacks. These techniques prevent any injected code from making system calls and thus restrict the capabilities of an attacker. In defending against the traditional ways of harming a system these techniques significantly raise the bar for compromising the host system forcing the attack code to take extraordinary steps that may be impractical in the context of a remote code injection attack. There are two main aspects to our approach. The first is to embed semantic information into executables identifying the locations of legitimate system call instructions; system calls from other locations are treated as intrusions. The modifications we propose are transparent to user level processes that do not wish to use them (so that, for example, it is still possible to run unmodified third-party software), and add more security at minimal cost for those binaries that have the special information present. The second is to back this up using a variety of techniques, including a novel approach to encoding system call traps into the OS kernel, in order to deter mimicry attacks. Experiments indicate that our approach is effective against a wide variety of code injection attacks.
Christian Collberg, John H. Hartman, Sridivya Babu, and Sharath K. Udupa. “Slinky: Static linking reloaded”. In Proceedings of the 2005 Usenix Technical Conference, 2005. [ bib | PDF ]
Static linking has many advantages over dynamic linking. It is simple to understand, implement, and use. It ensures that an executable is self-contained and does not depend on a particular set of libraries during execution. As a consequence, the user executes exactly the same executable image as was tested by the developer, diminishing the risk that the user's environment will affect correct behavior. The major disadvantages of static linking are increases in the memory required to run an executable, network bandwidth to transfer it, and disk space to store it. In this paper we describe the Slinky system that uses digest-based sharing to combine the simplicity of static linking with the space savings of dynamic linking: although Slinky executables are completely self-contained, minimal performance and disk-space penalties are incurred if two executables use the same library. We have developed a Slinky prototype that consists of tools for adding digests to executables, a slight modification of the Linux kernel to use those digests to share code pages, and tools for transferring files between machines based on digests of their contents. Results show that our prototype has no measurable performance decrease relative to dynamic linking, a comparable memory footprint, a 20 the network bandwidth required to transfer the packages. We believe that Slinky obviates many of the justifications for dynamic linking, making static linking a superior technology for software organization and distribution.
Steve Muir, Larry Peterson, Marc Fiuczynski, Justin Cappos, and John Hartman. “Proper: Privileged operations in a virtualised system environment”. In Proceedings of the 2005 Usenix Technical Conference, 2005. (Short paper). [ bib | PDF ]
Scott Baker and John H. Hartman. “The Mirage NFS router”. In Proceedings of the 29th IEEE Conference on Local Area Networks, Tampa, FL, November 2004. [ bib | PDF ]
Mirage aggregates multiple NFS servers into a single, virtual NFS file server. It is interposed between the NFS clients and servers, making the clients believe that they are communicating with a single, large server. Mirage is an NFS router because it routes an NFS request from a client to the proper NFS server, and routes the reply back to the proper client. Experiments with a Mirage prototype show that Mirage effectively virtualizes an NFS server using unmodified clients and servers. Mirage imposes a negligible overhead on a realistic NFS workload. On real world workloads, such as a collection of clients executing compile jobs over NFS, Mirage imposes an overhead of 3 forwards packets.
Eugenio de la Rosa, John H. Hartman, and Terril Hurst. “Analysis of the Restricted Broadcast Query (RBQ) cooperation mechanism”. In Proceedings of the SPIE-ITCom, Performance and Control of Next-Generation Communications Networks, September 2003. [ bib ]
Larry Peterson, Yitzchak Gottlieb, Mike Hibler, Patrick Tullmann, Jay Lepreau, Steve Schwab, Hrishikesh Dandelkar, Andrew Purtell, and John Hartman. “An OS Interface for Active Routers”. IEEE Journal on Selected Areas in Communications, 19(3):473-487, March 2001. [ bib ]
Scott Baker and John H. Hartman. “The design and implementation of the Gecko NFS Web proxy”. Software: Practice & Experience, 31(7):637-665, 2001. [ bib ]
Ian Murdock and John H. Hartman. “Swarm: A log-structured storage system for Linux”. In Proceedings of the FREENIX Track: 2000 USENIX Annual Technical Conference, June 2000. [ bib ]
Oliver Spatscheck, Jørgen S. Hansen, John H. Hartman, and Larry L. Peterson. “Optimizing TCP forwarder performance”. IEEE/ACM Transactions on Networking, 8(2):146-157, April 2000. [ bib ]
John Hartman, Larry Peterson, Andy Bavier, Peter Bigot, Patrick Bridges, Brady Montz, Rob Piltz, Todd Proebsting, and Oliver Spatscheck. “Experiences building a communication-oriented JavaOS”. Software: Practice & Experience, 30(10):1107-1126, 2000. [ bib ]
Prasenjit Sarkar and John H. Hartman. “Hint-based cooperative caching”. ACM Transactions on Computer Systems, 18(4):387-419, 2000. [ bib ]
Tammo Spalink, John H. Hartman, and Garth Gibson. “A mobile agent's effect on file service”. IEEE Concurrency, 8(2):62-69, 2000. [ bib ]
Scott Baker and John H. Hartman. “The Gecko NFS Web proxy”. Computer Networks: The International Journal of Computer and Telecommunications Networking, 31(11-16):1725-1736, May 1999. Also published in the Proceedings of the 8th International Conference on the World Wide Web. [ bib ]
John H. Hartman, Ian Murdock, and Tammo Spalink. “The Swarm scalable storage system”. In International Conference on Distributed Computing Systems, pages 74-81, 1999. [ bib ]
Todd A. Proebsting, Gregg Townsend, Patrick Bridges, John H. Hartman, Tim Newsham, and Scott A. Watterson. “Toba: Java for applications, a way ahead of time (wat) compiler”. In Proceedings of the 3rd USENIX Conference on Object-Oriented Technologies and Systems (COOTS), June 1997. [ bib ]
Prasenjit Sarkar and John Hartman. “Efficient cooperative caching using hints”. In Proceeding of the 2nd ACM Symposium on Operating Systems Design and Implementation (OSDI), Seattle, WA, 1996. [ bib ]
Ann L. Drapeau, Ken W. Shirriff, John H. Hartman, Ethan L. Miller, Srinivasan Seshan, Randy H. Katz, Ken Lutz, David A. Patterson, Edward K. Lee, Peter H. Chen, and Garth A. Gibson. “RAID-II: A high-bandwidth network file server”. In Proceedings of the 21st Annual International Symposium on Computer Architecture, pages 234-244, 1994. [ bib ]
Mary G. Baker, John H. Hartman, Michael D. Kupfer, Ken W. Shirriff, and John K. Ousterhout. “Measurements of a distributed file system”. In Proceedings of 13th ACM Symposium on Operating Systems Principles, pages 198-212. Association for Computing Machinery SIGOPS, 1991. [ bib ]
John H. Hartman and John K. Ousterhout. “Performance measurements of a multiprocessor Sprite kernel”. In USENIX Summer, pages 279-288, 1990. [ bib ]
This file was generated by bibtex2html 1.92.