| M. W. Hicks. Dynamic Software Updating. PhD thesis, Department of Computer and Information Science, The University of Pennsylvania, August 2001. |
....related to its timing model. Poorly timed models can lead to race conditions during state transformation. An active module to be replaced should first get an opportunity to transfer state information to its successor. Traditionally, this has been possible by using user provided timing constraints [7] (see p.g. 122 123) In SBM, we have made use of a can retreat function, implemented in all the active modules within the device. The use of this function ensures that an active module first deactivates itself, before being finally removed. The function investigates whether the internal state of ....
....(as context awareness is typically device dependent) however, like a class 3 device as in [2] a SBM client device is smart enough to enable dynamic software reconfiguration. Research in related area, but not directed towards Internet devices, have focussed extensively on dynamic software updates [7] and code instrumentation techniques such as Detours [8] SBM achieves dynamic reconfigurability using a function interception technique very similar to the one found in Detours. But unlike Detours that intercepts and patches proxy code to external functions during execution time (in memory) ....
Michael Hicks, Dynamic Software Updating, PhD Thesis, Department of Computer and Information Science, University of Pennsylvania, August 2001.
....of QCM. The use of a PKI system requires the existence of PKI aware applications. These are applications that know about QCM, or some other PKI, and can use it to find keys or determine whether a request satisfies a policy. Two QCM aware applications have been built so far. The first application [12] provides policies for the evaluation of PLAN programs. PLAN [19] is a programming language for active networks, that is, it is a language for programming the network routing elements which forward packets in an internet. Internets that support such programmability are called active networks. PLAN ....
Michael Hicks. PLAN system security. Technical Report MS-CIS-98-25, Department of Computer and Information Science, University of Pennsylvania, April 1998.
....such systems will be necessary. QCM seems best suited for coarse grained access control such as the ABONE rather than fine grained access control like the policy of a reference monitor in an operating system. An interface for using QCM for access control in the PLAN EE [10] was developed by Hicks [8] and used to develop an active firewall application [9] In this case, QCM was used to determine policies about which network services various agents were allowed to use. Efficiency was enhanced by caching information about QCM verification decisions. Another interesting problem with QCM is the ....
Michael Hicks. PLAN system security. Technical Report MS-CIS-98-25, Department of Computer and Information Science, University of Pennsylvania, April 1998.
No context found.
M. W. Hicks. Dynamic Software Updating. PhD thesis, Department of Computer and Information Science, The University of Pennsylvania, August 2001.
No context found.
M. Hicks. PLAN system security. Technical Report MS-CIS-98-25, Department of Computer and Information Science, University of Pennsylvania, April 1998.
No context found.
M. Hicks. PLAN system security. Technical Report MS-CIS-98-25, Department of Computer and Information Science, University of Pennsylvania, April 1998.
.... How should updating itself be implemented? What language features complicate or simplify updating? To what extent can one use common mechanisms for updating in different languages, whether functional, object oriented, or imperative? There are quite a number of DSU implementations (e.g. [2, 13, 16, 9, 19, 15, 6, 14] among others) and many informal or incomplete ideas as to when a dynamic update should be considered safe [12, 3, 4, 16, 13]. However, we believe a formal, mathematical approach, with clear operational semantics, should be developed to set a firm foundation for both users and implementors of DSU ....
.... common mechanisms for updating in different languages, whether functional, object oriented, or imperative? There are quite a number of DSU implementations (e.g. [2, 13, 16, 9, 19, 15, 6, 14] among others) and many informal or incomplete ideas as to when a dynamic update should be considered safe [12, 3, 4, 16, 13]. However, we believe a formal, mathematical approach, with clear operational semantics, should be developed to set a firm foundation for both users and implementors of DSU technology. Unfortunately, little semantic work has been carried out to date. The most substantial work is by Gupta [11, 12] ....
[Article contains additional citation context not shown here]
M. W. Hicks. Dynamic Software Updating. PhD thesis, Department of Computer and Information Science, The University of Pennsylvania, August 2001.
....not pose a security risk. This is in contrast with service routines, which are general purpose and may need to be protected by cryptographic means. Here our coverage of security issues is limited due to space considerations. For more details, we refer the reader to our other papers on the topic [1, 12]. Other functions we have implemented as PLAN programs include route scouting which seeks out low congestion routing paths (as described in Section 4) source directed multicast, traceroute, and network DFS, to name a few. More detail about programming with PLAN may be found in [13] 2.2 ....
....written in C. Some work has been done concerning security in Active Networks. Most notable is the SANE [1] project (Secure Active Network Environment) which defines a general set of guidelines for trust relationships in an Active Network. An adaptation of this approach has been applied to PLANet [12]. There is a scarcity of information available about active networking performance, and so it is difficult to compare our results to others. Wetherall et al. [25] report a maximum packet forwarding rate for ANTS on a 167 MHz Ultrasparc over 100 Mbps Ethernet of 1680 packets per second for minimum ....
Michael Hicks. PLAN system security. Technical Report MS-CIS-98-25, Department of Computer and Information Science, University of Pennsylvania, April 1998.
....usual, and then relink the other modules in the program to use the new module by calling their dyninit functions. Any needed state translation can be performed by the new module's init function. Though not described here, we have fully explored this idea with an alternative version of DLpop [19] [18], and used it to build a dynamically updateable webserver, FlashEd [12] The DLpop Library The DLpop interface in Figure 2 is implemented as a Popcorn library. The central element of the library is a type safe implementation of the dynamic symbol table for managing the symbols exported by the ....
....If some flaw exists in DLpop, the result will be object files that fail to verify, not a security hole. We should point out that the implementation described here (and measured in the next section) is the first of two DLpop implementations. Our most recent implementation, described fully in [18], differs in two key ways from the one described here. First, rather than perform the dynamic transformation for files within the compiler, we do it source to source, preceding compilation. Decoupling the transformation from the compiler results in a more modular and flexible implementation, but ....
M. Hicks. Dynamic Software Updating. PhD thesis, Department of Computer and Information Science, University of Pennsylvania, 2001.
....experience with a real world application, a dynamically updateable web server, FlashEd, is described in §5; its performance is presented in §6. We then move on to a more in depth discussion of existing research and future directions before concluding. This work summarizes the first author's thesis [10]; readers seeking more explanation and analysis should look there. 2. GOALS AND APPROACH What properties define an effective dynamic updating framework? To evaluate general purpose dynamic updating systems, we establish four evaluation criteria: Flexibility. Any part of a running system should ....
.... For these tests, the variability dropped significantly (the semi interquartile range was typically 0:25 of the median, as opposed to about 3 for the log based test) and the overheads were similar, ranging from 2:3 for a 500B file and 0 for a 500KB file; details on these tests can be found in [10]. The measurements do not consistently favor either the updated or updateable code. In particular, for FlashEd 0:2, the updated server is slightly faster than the updateable one, while the reverse is true for version 0:3. The fact that the relative and absolute locations of the code in an updated ....
[Article contains additional citation context not shown here]
M. Hicks. Dynamic Software Updating. PhD thesis, Department of Computer and Information Science, University of Pennsylvania, August 2001.
....related work, place our current work into a broader context, and consider future work. We organize the discussion around our four major criteria for evaluating updating systems: flexibility, correctness, ease of use, and low overhead. A more complete discussion of related work may be found in [7]. 6.1 Flexibility At one extreme of the flexibility axis are systems that use dynamic linking alone to support updating [1, 18] These solutions are only adequate when the programmer anticipates the kinds of updates that may be made ahead of time and structures the program to accommodate them. ....
M. Hicks. Dynamic software updating. Technical report, Department of Computer and Information Science, University of Pennsylvania, October 1999. Thesis proposal.
....related work, place our current work into a broader context, and consider future work. We organize the discussion around our four major criteria for evaluating updating systems: flexibility, correctness, ease of use, and low overhead. A more complete discussion of related work may be found in [7]. 6.1 Flexibility At one extreme of the flexibility axis are systems that use dynamic linking alone to support updating [1, 18] These solutions are only adequate when the programmer anticipates the kinds of updates that may be made ahead of time and structures the program to accommodate them. ....
M. Hicks. Dynamic software updating. Technical report, Department of Computer and Information Science, University of Pennsylvania, October 1999. Thesis proposal.
....of validity and security In this subsection, we present some of the more recent work in the area and point to some promising approaches. In general, no existing system meets all of the requirements we have mentioned. We hope to draw from this work to arrive at a more comprehensive solution [9]. 4.2.1 Erlang Erlang [5] is a dynamically typed, concurrent, purely functional programming language designed for building long running telecommunications systems. It comes with language level and library support for the dynamic update of program modules. If the old module is active when the ....
....state managed by another thread is to pass it a message and receive its response (which is different than a function call) In general, we believe that the Erlang model of dynamic software updating is a good step towards facilitating evolution: it is simple and yet very flexible. In future work [9], we plan to generalize the updating notions in Erlang to less restricted environments (i.e. ones that allow mutation) to add further automated support (i.e. loadtime type checking) and to better formalize the programming patterns necessary to preserve correctness. We have begun to implement ....
[Article contains additional citation context not shown here]
Michael Hicks. Dynamic software updating. Technical report, Department of Computer and Information Science, University of Pennsylvania, October 1999. Thesis proposal. Available at http://www.cis.upenn.edu/mwh/proposal.ps.
....the loaded file to customize operations performed at link time. For example, the dyninit function could remove old symbols from the dynamic symbol table and add its own as a replacements, carefully directing the transferal of old state to the new implementation; this idea is explored in Hicks [15]. Finally, dyninit simplifies the implementation of policy decisions made by the loading code with regard to symbol management. For example, the loading code may wish to restrict access to some of its symbols based on security criteria [33] in this case, it could customize the lookup function ....
M. Hicks. Dynamic software updating. Technical report, Department of Computer and Information Science, University of Pennsylvania, October 1999. Thesis proposal. Available at http://www.cis.upenn.edu/~mwh/proposal.ps.
.... called at startup foo is still exported (not static) so statically linked files may refer to it dlsym now has explicit type arg Figure 5: Compilation of statically linked code ments, carefully directing the transferal of old state to the new implementation; this idea is explored in Hicks [12]. Finally, init simplifies the implementation of policy decisions made by the loading code with regard to symbol management. For example, the loading code may wish to restrict access to some of its symbols based on security criteria [28] in this case, it could customize the lookup function ....
M. Hicks. Dynamic software updating. Technical report, Department of Computer and Information Science, University of Pennsylvania, October 1999. Thesis proposal. Available at http://www.cis.upenn.edu/~mwh/proposal.ps.
....governed by trust management. We briefly discuss PLAN and its role in this architecture, but focus more attention on service security. We present both architecture and implementation, and conclude with some applications of our approach, including a simple firewall that filters active packets. [HK99] an extended version of this paper, contains more detailed motivation and performance analysis. This work was supported by DARPA under Contract #N66001 96 C 852, with additional support from the Intel Corporation. PLAN packet core services protocol A routing network management service ....
Michael Hicks and Angelos D. Keromytis. A Secure PLAN. Technical Report MS-CIS-99-14, Department of Computer and Information Science, University of Pennsylvania, May 1999.
....The use of module thinning has been explored for active networks in [Ale98] and for mobile agent systems in [LOW98] Also, while we have experimented with mechanisms for enforcing resource usage, we have yet to arrive at ones that are sufficiently lightweight. Relevant details may be found in [Hic98] 4 Implementation 4.1 Authentication Before a PLAN program may invoke a trusted service, its associated principal must be determined; this is the process of authentication. Authentication is typically done in a public key setting by verifying a digital signature in the context of some ....
Michael Hicks. PLAN System Security. Technical Report MS-CIS-98-25, Department of Computer and Information Science, University of Pennsylvania, April 1998.
....using some straightforward alterations to the language, including one presented in [12] We are currently researching the effects of such alterations and whether they are, in fact, enough, or whether further restriction is necessary. Additional security mechanisms for PLANet are considered in [11] and [13] Scalability. So far, we have only experimented with small topologies, thus far avoiding problems of scalability. One area of needed improvement is in the lack of organization of service namespaces. Currently, all services exist in a flat namespace with the effect that newly installed ....
Michael Hicks. PLAN System Security. Technical Report MS-CIS-98-25, Department of Computer and Information Science, University of Pennsylvania, April 1998.
....thinning. The use of module thinning has been explored for active networks in [1] and for mobile agent systems in [27] Also, while we have experimented with mechanisms for enforcing resource usage, we have yet to arrive at ones that are sufficiently lightweight. Relevant details may be found in [19]. 5 Implementation In this section, we describe the mechanisms used by PLAN programs for authentication and authorization. 5.1 Authentication Before a PLAN program may invoke a trusted service, its associated principal must be determined; this is the process of authentication. Authentication ....
Michael Hicks. PLAN system security. Technical Report MS-CIS-98-25, Department of Computer and Information Science, University of Pennsylvania, April 1998. Available at www.cis.upenn.edu/~switchware/papers/plan security.ps.
....define a distributed key and authorization infrastructure which should scale nicely in a large network. We are also exploring ways to modify PLAN itself to obtain better security at the expense of expressiveness (one such approach was described in Section 3. 5) Preliminary results may be found in [10]. Two topics related to security are that of namespaces and formal semantics. We currently have a very basic method for managing service namespaces; a much more sophisticated mechanism will eventually be needed for scalability. Another related topic is the formal specification of PLAN and its ....
Michael Hicks. PLAN system security. Technical Report MS-CIS-98-25, Department of Computer and Information Science, University of Pennsylvania, April 1998.
No context found.
M. Hicks. Dynamic Software Updating. PhD thesis, Department of Computer and Information Science, University of Pennsylvania, Aug 2001.