Your Desktop on Your Keychain
Ted Wobber
MSR Silicon Valley
with Muthukarrupan Annamalai,
Andrew Birrell, and Dennis Fetterly
Hardware vs. Desktop State
• Computers are (increasingly) everywhere
– In furniture/kiosks/environment?
• New form factors for carrying state:
– Keychains, cellphones, watches
• Can we make desktop state portable without also carrying the computer hardware?
• Desktop state = user preferences + user data + applications
Who cares??
• Corporations and other large organizations
– Moving between offices, sites
– Office-sharing
– Work-at-home scenarios
• Consumers in general
– But kiosk infrastructure and security is a barrier
• Emerging markets
– Desktop hardware is scarce
– Benefit may outweigh security risk
Models of Desktop Portability
• Laptops
• Roaming profiles
• Remote desktop
Laptops
• Laptops are (usually) bulky and fragile
• Expensive to purchase and to manage
• Prone to theft
• Once stolen, data is (often) vulnerable
• Backup can be haphazard
• But, laptops are self-contained and offer a valuable platform for disconnected environments
Roaming Profiles
• Applications don’t roam
• In Windows, difficult to separate user, application, and machine-specific state
• Slow, bandwidth intensive
• Difficult outside single admin domain
• Security of host machine?
Remote Desktops
• Needs strong connectivity
• Latency-sensitive
• Difficult outside single admin domain
• Needs managed server to provide RDP service
– Most desktop PCs aren’t “professionally managed”
• Local devices?
Flash Changes the Equation
• Current cost: 1 GB = ~$80
• Still following Moore’s Law
• Read/write performance approaching disk
• Modern flash has built-in wear-leveling
– Max write limitations are rarely a problem
• For this talk: Flash == USB Flash Device
Flash Statistics (estimate)
• Projected shipments 60-120 million units in 2005
• 2 GB in ’04; 4 GB+ in ’05
• Estimated revenue on NAND-based Flash at $9.2 billion in ’06 timeframe
• NAND read/write speeds are slated to increase as follows:
– ’04: read 8 MB/s; write 6.5 MB/s
– ’05: read 23 MB/s; write 16 MB/s
– ’06: read 40 MB/s; write 28 MB/s
– ’07: guesstimates are 100 MB/s using multiple NAND chips and cache
• Already being extended with onboard CPU, memory, wireless, etc.
Carry user state cache on flash
• Similar problems to roaming profiles:
– Applications don’t roam
– In Windows, difficult to separate user, application, and machine-specific state
– Slow, bandwidth intensive
– Difficult outside single admin domain
– Security of host machine?
Boot from Flash
• Drivers
– Problem gets worse with age of installation
• Flash capacity (in short term)
– Size of OS + apps a problem
– What happens when disk is full?
• Machine state (e.g. hibernation) is non-portable
• Backup?
Our Solution
• Host machine runs virtual machine monitor
• User runs in a virtual machine (VirtualPC)
• Virtual disk is a “server in the sky”
– Remote disk handles overflow and backup
• The flash acts as:
– A persistent cache/log of virtual disk
– Storage for virtual machine state
• Local disk as “lookaside” for virtual disk content
Why Virtualization?
• Eliminates host-specific customization
– (e.g. drivers, etc)
• Easy to encapsulate and move VM state
• Fewer “moving parts” on host
– Easier to manage/secure: VMM is only requirement
• Development cost (our prototype < 1 kloc)
– Simple to customize basic abstractions
• Good performance and getting better
– Hardware support of virtualization
• Other platforms? XBox2?
• Virtual disks make provisioning new users easy
Differencing Disks
• Compact representation of overlaid content
• Standard feature of virtual machines
• Convenient for shared disk provisioning
– E.g. multiple users share same base disk
[Figure: differencing disk(s) overlaid on the base disk; the VMM sees the composed disk.]
Why a network connection?
• At least for now, flash drives are too small
– With Windows+Office it’s easy to overflow a 1 GB disk
• Backup is automatic
– Server can keep multiple restore points
• Perhaps this requirement can be eliminated in the future
Kiosk Architecture
[Figure: VMM host running VirtualPC. “Your computing environment” sees one disk, composed of a base disk image plus a user-specific differencing disk on the file server; the flash disk holds a write log and a read cache, and the VMM host keeps lookaside images (~base disk).]
Disk Writes
[Figure: same architecture; disk writes go to the write log on the flash disk.]
Disk Reads
[Figure: same architecture; disk reads are served from the write log, read cache, lookaside images or file server (steps numbered 1-5 on the slide).]
Demo
A bit more detail
• Persistent state on flash
– Virtual machine state (optional)
– Writes logged since last merge
– Fingerprint for every 16K chunk in remote virtual disk
• MD5 as a fingerprinting algorithm (128 bits)
– Set of cached 16K chunks
[Figure: on-flash and in-memory data structures.]
Persistent, in flash:
– A: chunk number to fingerprint map (for the entire disk): FP0 FP1 … FPN
– B: write log (sectors), e.g. sectors 17, 27, 3 with their data
– C: read cache (chunks), e.g. chunks 35, 7, 114 with their data
Volatile, in memory:
– A: chunk number to fingerprint map (for the entire disk)
– B: FP to read cache hash table (chunks)
– C: write log hash table (sectors)
– D: FP to static disk hash table (chunks), pointing into the lookaside image
Updating the Fingerprint Map
• Must compute new chunk fingerprints
• A partially written chunk requires its unwritten sectors as well
[Figure: read old chunk → add new sectors → new FP]
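Added example (mine, not the MSR prototype's code) that puts the structures above together: a sector-level model of the flash-cached virtual disk with the chunk-to-fingerprint map, the write log, the fingerprint-keyed read cache, the lookaside image, and a merge-to-parent that recomputes fingerprints for partially written chunks. The sector size (512 B), the read order (write log, then read cache, then lookaside, then server) and all class and function names are my assumptions; the slides only give the 16K chunk and MD5. Because the lookaside image sits on the untrusted kiosk disk and is looked up by fingerprint, a hit is re-hashed before it is used, and the hash is a parameter: MD5 collisions have been practical since 2004, so a deployment today would pick SHA-256.

```python
"""Model of the flash-cached virtual disk from the slides (added example).
Sector = 512 B (assumed), chunk = 16 KiB = 32 sectors (as on the slides).
The read order write log -> read cache -> lookaside -> server is assumed."""
import hashlib

SECTOR = 512
CHUNK_SECTORS = 32                 # 16 KiB chunk / 512 B sector
CHUNK = SECTOR * CHUNK_SECTORS


def fingerprint(data, algo="md5"):
    """Content fingerprint of one chunk (slides: MD5, 128 bits)."""
    return hashlib.new(algo, data).digest()


class RemoteDisk:
    """The 'server in the sky': the authoritative virtual disk, read by chunk."""

    def __init__(self, chunks):
        self.chunks = list(chunks)
        self.fetches = 0           # counts round trips, to show cache behaviour

    def fingerprint_map(self, algo):
        return [fingerprint(c, algo) for c in self.chunks]

    def read_chunk(self, n):
        self.fetches += 1
        return self.chunks[n]

    def write_chunk(self, n, data):
        self.chunks[n] = data


class FlashCachedDisk:
    """What the VMM sees: remote disk + write log + read cache + lookaside."""

    def __init__(self, remote, algo="md5", lookaside=None):
        self.remote, self.algo = remote, algo
        self.fpmap = remote.fingerprint_map(algo)   # A: chunk -> FP, whole disk (flash)
        self.write_log = {}                         # B: sector -> data (flash)
        self.read_cache = {}                        # C: FP -> chunk data (flash)
        self.lookaside = lookaside or {}            # D: FP -> chunk, on the kiosk disk

    def _get_chunk(self, n):
        fp = self.fpmap[n]
        data = self.read_cache.get(fp)
        if data is None:
            # The lookaside image lives on the untrusted kiosk disk: a hit is
            # only trusted if its content really hashes to the fingerprint asked for.
            cand = self.lookaside.get(fp)
            if cand is not None and fingerprint(cand, self.algo) == fp:
                data = cand
        if data is None:
            data = self.remote.read_chunk(n)
            if fingerprint(data, self.algo) != fp:
                raise IOError("server chunk does not match the fingerprint map")
        self.read_cache[fp] = data
        return data

    def read_sector(self, s):
        if s in self.write_log:                     # newest data wins
            return self.write_log[s]
        chunk = self._get_chunk(s // CHUNK_SECTORS)
        off = (s % CHUNK_SECTORS) * SECTOR
        return chunk[off:off + SECTOR]

    def write_sector(self, s, data):
        if len(data) != SECTOR:
            raise ValueError("writes are whole sectors")
        self.write_log[s] = data                    # logged on flash until merge

    def merge(self):
        """Merge-to-parent: fold the write log into the server copy and refresh
        the fingerprint map.  A partially written chunk is read first so its
        unwritten sectors are included (slide 'Updating the Fingerprint Map')."""
        by_chunk = {}
        for s, data in self.write_log.items():
            by_chunk.setdefault(s // CHUNK_SECTORS, {})[s % CHUNK_SECTORS] = data
        for n, sectors in by_chunk.items():
            old = None if len(sectors) == CHUNK_SECTORS else self._get_chunk(n)  # read old chunk
            new = b"".join(sectors.get(i) or old[i * SECTOR:(i + 1) * SECTOR]
                           for i in range(CHUNK_SECTORS))                      # add new sectors
            fp = fingerprint(new, self.algo)                                     # new FP
            self.fpmap[n] = fp
            self.read_cache[fp] = new               # merge updates the read cache
            self.remote.write_chunk(n, new)
        self.write_log.clear()


if __name__ == "__main__":
    remote = RemoteDisk([bytes([n]) * CHUNK for n in range(4)])   # constructed 64 KiB disk
    disk = FlashCachedDisk(remote)
    disk.write_sector(33, b"A" * SECTOR)            # partial write into chunk 1
    print(disk.read_sector(33)[:4], remote.fetches)  # served from the write log, no fetch
    disk.merge()
    print(remote.chunks[1][SECTOR:SECTOR + 4], remote.fetches)
```

The prototype described on the next slide keeps the write log as a VirtualPC differencing disk and merges it up the chain to the home differencing disk; here the log is a plain sector map and the merge writes straight to the server copy, which is enough to show why a partial chunk forces a read before its new fingerprint can be computed.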
What’s actually implemented
• Write “log” is a differencing disk on flash
– Differencing drive chain:
• Flash differencing disk → Home differencing disk → Home base disk
• Manual merging only
– No automatic updates in background
– Standard VirtualPC “merge to parent”
– Merge updates read cache
• Read cache is untuned
Potential Drawbacks
• Security of kiosk machine
• Infrastructure rollout
• Connectivity requirement
– As flash sizes grow, need for online server decreases
– Range of solutions possible depending on size
• Artifacts of virtualization
– Availability of pass-through devices
– Fancy graphics devices unavailable
• Ensuring that working set fits within the cache
Performance Bottlenecks
• Windows likes to write to disk
– Flash fills up quickly
– Differencing disk overlays >10% of base image
• Read/write performance:
– 4K reads (sequential or random) ~0.8 ms
– 4K writes (sequential) ~1.0 ms
– 4K writes (random) >20 ms !!!!
We have confirmed this by analyzing traffic at the USB driver level. The root cause of the 20 ms latency is a mystery. Our observations are inconsistent with NAND-memory specs.
Optimizations (current)
• Fast-launch defragmentation turned off
• Paging disabled
• Last-access date on files disabled
• Various services turned off
• No anti-virus / indexing
Optimizations (possible)
• Implement real log (for sequentiality)
– With redundant write elimination
• RAM disk for temporary files (e.g. IE)
• Keep guest-OS NTFS log on local disk
• Log writes to on-kiosk differencing disk … periodic sync to flash
• Network read/write compression
• Virtual disk snapshots
Security
• Primary threats:
– Bogus, tapped, or otherwise compromised kiosk
– Theft of device
• But, this is a computer:
[Figure: the USB flash device contains an ASIC or processor plus NAND memory.]
Trusting the Kiosk
• Non-technical considerations
– Physical security
• Site security (e.g. within a corporation)
• Physical packaging and locks (like an ATM)
• Kiosk owner must be accountable
• Technical solutions
– NGSCB / Trusted Boot / Attestation
• Small footprint (e.g. just OS+VMM) helps here
– User-specific, unforgeable visual feedback
– External helper device with UI (e.g. cellphone)
Protecting Against Theft
• On-flash encryption, “unlocks” data only after:
– Flash authenticates kiosk
– Flash informs user that kiosk is OK
– User gives credentials (e.g. password or biometric)
• Lock-out on repetitive failure
• Host-based encryption is also possible
– But gives weaker guarantees
• User can roll back to disk state on server
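Added example (mine, not the prototype's code) of the unlock sequence above as a message exchange between the device's on-board processor and the kiosk. Assumptions: kiosk authentication is a challenge-response over a per-kiosk HMAC key provisioned into the device, standing in for the NGSCB/attestation mechanisms the previous slide names; the credential is a password stretched with PBKDF2; the data key is wrapped under the password-derived key and released only after kiosk authentication, the user-specific feedback, and a correct password. Bulk encryption of the write log and read cache under the released key is left out, and the names Kiosk, FlashDevice, MAX_FAILURES and the message formats are mine.

```python
"""Unlock protocol for an on-flash encrypted desktop (added example).
Assumed: per-kiosk HMAC keys provisioned into the device, a password credential,
a data key wrapped under a PBKDF2-derived key.  Bulk encryption not shown."""
import hashlib
import hmac
import os

PBKDF2_ITERS = 100_000      # slows password guessing on a stolen device
MAX_FAILURES = 5            # lock-out threshold (the slide gives no number)


class Kiosk:
    """Kiosk side: proves it holds the provisioned key by answering a challenge."""

    def __init__(self, kiosk_id, key):
        self.kiosk_id, self.key = kiosk_id, key

    def respond(self, nonce):
        return hmac.new(self.key, self.kiosk_id + nonce, hashlib.sha256).digest()


class FlashDevice:
    """Device side: the on-board processor does every check itself, so the
    host never sees the data key unless all three steps have passed."""

    def __init__(self, password, kiosk_keys, feedback):
        self.kiosk_keys = dict(kiosk_keys)   # kiosk_id -> HMAC key, provisioned
        self.feedback = feedback             # user-specific phrase shown after auth
        self.salt = os.urandom(16)
        wrap_key, ver_key = self._derive(password)
        data_key = os.urandom(32)            # never stored in the clear
        # XOR wrap with a one-use derived key; a product would use AES key wrap.
        self.wrapped = bytes(a ^ b for a, b in zip(data_key, wrap_key))
        self.verifier = hmac.new(ver_key, b"unlock", hashlib.sha256).digest()
        self.failures, self.locked = 0, False
        self.kiosk_ok, self._nonce = None, None

    def _derive(self, password):
        kek = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ITERS, 32)
        return (hmac.new(kek, b"wrap", hashlib.sha256).digest(),
                hmac.new(kek, b"verify", hashlib.sha256).digest())

    def challenge(self):
        self._nonce = os.urandom(16)        # fresh per attempt, defeats replay
        return self._nonce

    def verify_kiosk(self, kiosk_id, response):
        """Step 1: flash authenticates kiosk."""
        key, nonce = self.kiosk_keys.get(kiosk_id), self._nonce
        self._nonce = None                  # a nonce answers at most once
        ok = (key is not None and nonce is not None and hmac.compare_digest(
            hmac.new(key, kiosk_id + nonce, hashlib.sha256).digest(), response))
        self.kiosk_ok = kiosk_id if ok else None
        return ok

    def show_feedback(self):
        """Step 2: flash informs user that kiosk is OK.  A kiosk that failed
        step 1 never receives the user-specific feedback to display."""
        return self.feedback if self.kiosk_ok else None

    def unlock(self, password):
        """Step 3: user gives credentials; returns the data key or None."""
        if self.locked:
            raise PermissionError("locked out after repeated failures")
        if not self.kiosk_ok:
            raise PermissionError("kiosk not authenticated")
        wrap_key, ver_key = self._derive(password)
        tag = hmac.new(ver_key, b"unlock", hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self.verifier):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked = True           # lock-out on repetitive failure
            return None
        self.failures = 0
        return bytes(a ^ b for a, b in zip(self.wrapped, wrap_key))


if __name__ == "__main__":
    # Constructed demo: one provisioned kiosk and one impostor with the same id.
    dev = FlashDevice("correct horse", {b"kiosk-17": b"k" * 32}, "blue heron")
    rogue = Kiosk(b"kiosk-17", b"x" * 32)
    print("rogue accepted:", dev.verify_kiosk(b"kiosk-17", rogue.respond(dev.challenge())))
    good = Kiosk(b"kiosk-17", b"k" * 32)
    print("good accepted:", dev.verify_kiosk(b"kiosk-17", good.respond(dev.challenge())))
    print("feedback:", dev.show_feedback(), "key released:", dev.unlock("correct horse") is not None)
```

Two points the ordering enforces: the feedback phrase is only handed over after the kiosk has proved itself, so a bogus kiosk cannot show it to coax out the password, and the password check runs on the device, which is why host-based encryption gives weaker guarantees than this on-flash design.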
Related Projects
• Internet suspend/resume
– CMU / Intel Labs
– Virtual machine serial portability
– Supported by Coda-like distributed FS
– Flash for read optimization
• Stanford “Collective” project
– Portable virtual machine
– Virtual state/disk “capsule” hierarchy
Conclusions
• New model for desktop portability
• Augments range of existing techniques
• Spectrum of flash-based solutions
• Looking for ways we can help product efforts
• Haven’t explored business/market ramifications
• Highlights two growing market forces: Flash and Virtualization