Xenoservers: accountable execution of untrusted programs

Many networked applications could benefit from executing closer to the data or services with which they interact. By doing this, they may be able to circumvent long communication latencies or avoid transferring data over congested or expensive network links. However, no public infrastructure currently exists that enables this. We propose a system that can execute code supplied by an untrusted user yet can charge this user for all resources consumed by the computation. Such servers could be deployed at strategic locations throughout the Internet, enabling network users such as content providers to distribute components of their applications in a manner that is both efficient and economical. We call such a server a Xenoserver. This paper discusses the construction of such a system, examining how accounting, billing, and quality of service provision can be achieved.
