Dynamic Server Selection using Bandwidth Probing in Wide-Area Networks, 1996
Cited by 137 (3 self)
Replication is a commonly proposed solution to problems of scale associated with distributed services. However, when a service is replicated, each client must be assigned a server. Prior work has generally assumed that assignment to be static. In contrast, we propose dynamic server selection, and show that it enables application-level congestion avoidance. To make
Server Selection using Dynamic Path Characterization in Wide-Area Networks, 1997
Cited by 118 (1 self)
Replication is a commonly proposed solution to problems of scale associated with distributed services. However, when a service is replicated, each client must be assigned a server. Prior work has generally assumed that assignment to be static. In contrast, we propose dynamic server selection, and show that it enables application-level congestion avoidance. Using tools to measure available bandwidth and round trip latency (RTT), we demonstrate dynamic server selection and compare it to previous static approaches. We show that because of the variability of paths in the Internet, dynamic server selection consistently outperforms static policies, reducing response times by as much as 50%. However, we also must adopt a systems perspective and consider the impact of the measurement method on the network. Therefore, we look at alternative low-cost approximations and find that the careful measurements provided by our tools can be closely approximated by much lighter-weight measurements. We pr...
Defending against Denial of Service Attacks in Scout - IN PROCEEDINGS OF THE 1999 USENIX/ACM SYMPOSIUM ON OPERATING SYSTEM DESIGN AND IMPLEMENTATION, 1999
Cited by 97 (4 self)
We describe a two-dimensional architecture for defending against denial of service attacks. In one dimension, the architecture accounts for all resources consumed by each I/O path in the system; this accounting mechanism is implemented as an extension to the path object in the Scout operating system. In the second dimension, the various modules that define each path can be configured in separate protection domains; we implement hardware enforced protection domains, although other implementations are possible. The resulting system---which we call Escort---is the first example of a system that simultaneously does end-to-end resource accounting (thereby protecting against resource based denial of service attacks where principals can be identified) and supports multiple protection domains (thereby allowing untrusted modules to be isolated from each other). The paper describes the Escort architecture and its implementation in Scout, and reports a collection of experiments that measure the c...
A Language-Based Approach to Security - INFORMATICS: 10 YEARS BACK, 10 YEARS AHEAD, 2000
Cited by 79 (0 self)
Language-based security leverages program analysis and program rewriting to enforce security policies. The approach promises efficient enforcement of fine-grained access control policies and depends on a trusted computing base of only modest size. This paper surveys progress and prospects for the area, giving overviews of in-lined reference monitors, certifying compilers, and advances in type theory.
Self-paging in the Nemesis operating system - In Proceedings of the 3rd USENIX Symposium on Operating Systems Design and Implementation, 1999
Cited by 68 (3 self)
In contemporary operating systems, continuous media (CM) applications are sensitive to the behaviour of other tasks in the system. This is due to contention in the kernel (or in servers) between these applications. To properly support CM tasks, we require “Quality of Service Firewalling” between different applications. This paper presents a memory management system supporting Quality of Service (QoS) within the Nemesis operating system. It combines application-level paging techniques with isolation, exposure and responsibility in a manner we call self-paging. This enables rich virtual memory usage alongside (or even within) continuous media applications.
On the Network Impact of Dynamic Server Selection - Computer Networks, 1999
Cited by 14 (0 self)
Widespread replication of information can ameliorate the problem of server overloading but raises the allied question of server selection. Clients may be assigned to a replica in a static manner or they may choose among replicas based on client-initiated measurements. The latter technique, called dynamic server selection (DSS), can provide significantly improved response time to users when compared with static server assignment policies (for example, based on network distance in hops). In the first part of this paper we demonstrate the idea of DSS using experiments performed in the Internet. We compare a range of policies for DSS and show that obtaining additional information about servers and paths in the Internet before choosing a server improves response time significantly. The best policy we examine adopts a strategy of never adding more than one percent additional traffic to the network, and is still able to provide nearly all the benefits of the most expensive policies. While these results suggest that DSS is beneficial from the network user's standpoint, the system-wide effects of DSS schemes should also be closely examined. In the second part of this paper we use large-scale simulation to study the system-wide network impact of dynamic server selection. We use a simulated network of over 100 hosts that allows local-area effects to be distinguished from wide-area effects within traffic patterns. In this environment we compare DSS with static server selection schemes and confirm that client benefits remain even when many use DSS simultaneously. Importantly, we also show that DSS confers system-wide benefits from the network standpoint, as compared to static server selection. First, overall data traffic volume in the network is reduced, since DSS tends to diminish network congestion. Second, traffic distribution improves--
* This work was done while the author was at Boston University.
Fallacies in evaluating decentralized systems - In Proceedings of IPTPS, 2006
Cited by 13 (1 self)
Research on decentralized systems such as peer-to-peer overlays and ad hoc networks has been hampered by the fact that few systems of this type are in production use, and the space of possible applications is still poorly understood. As a consequence, new ideas have mostly been evaluated using common synthetic workloads, traces from a few existing systems, testbeds like PlanetLab, and simulators like ns-2. Some of these methods have, in fact, become the “gold standard” for evaluating new systems, and are often a prerequisite for getting papers accepted at top conferences in the field. In this paper, we examine the current practice of evaluating decentralized systems under these specific sets of conditions and point out pitfalls associated with this practice. In particular, we argue that (i) despite authors’ best intentions, results from such evaluations often end up being inappropriately generalized; (ii) there is an incentive not to deviate from the accepted standard of evaluation, even if that is technically appropriate; (iii) research may gravitate towards systems that are feasible and perform well when evaluated in the accepted environments; and, (iv) in the worst-case, research may become ossified as a result. We close with a call to action for the community to develop tools, data, and best practices that allow systems to be evaluated across a space of workloads and environments.
User-level Management of Kernel Memory, 2003
Cited by 10 (4 self)
Kernel memory is a resource that must be managed carefully in order to ensure the efficiency and safety of the system. The use of an inappropriate management policy can weaken the isolation between subsystems, lead to suboptimal performance, and even make the kernel vulnerable to denial-of-service attacks. Yet, many existing kernels use only a single built-in policy, which is always a compromise between performance and generality.
User-Level Sandboxing: a Safe and Efficient Mechanism for Extensibility, 2003
Cited by 8 (5 self)
deployed for the specific needs of individual applications. This paper describes a safe and efficient method for user-level extensibility that requires only minimal changes to the kernel. A sandboxing technique is described that supports multiple logical protection domains within the same address space at user-level. This approach allows applications to register sandboxed code with the system, that may be executed in the context of any process. Our approach differs from other implementations that require special hardware support, such as segmentation or tagged translation lookaside buffers (TLBs), to either implement multiple protection domains in a single address space, or to support fast switching between address spaces. Likewise, we do not require the entire system to be written in a type-safe language, to provide fine-grained protection domains. Instead, our user-level sandboxing technique requires only page-based virtual memory support, and the requirement that extension code is written either in a type-safe language, or by a trusted source.

