Building Secure and Reliable Network Applications

Kenneth P. Birman
Department of Computer Science, Cornell University, Ithaca, New York 14853

Cover image: line drawing of the golden gate bridge looking towards San Francisco?

© Copyright 1995, Kenneth P. Birman. All rights reserved. This document may not be copied, electronically or physically, in whole or in part, or otherwise disseminated without the author's prior written permission.

TRADEMARKS CITED IN THE TEXT 14
PREFACE AND ACKNOWLEDGEMENTS 15
INTRODUCTION 16
A USER'S GUIDE TO THIS BOOK 26

PART I: BASIC DISTRIBUTED COMPUTING TECHNOLOGIES 28

1. FUNDAMENTALS 29
1.1 Introduction 29
1.2 Components of a Reliable Distributed Computing System 32
1.2.1 Communications Technology 35
1.2.2 Basic transport and network services 36
1.2.3 Reliable transport software and communication support 38
1.2.4 "Middleware": Software tools, utilities, and programming languages 38
1.2.5 Distributed computing environments 39
1.2.6 End-user applications 40
1.3 Critical Dependencies 41
1.4 Next Steps 42
1.5 Additional Reading 43

2. COMMUNICATION TECHNOLOGIES 44
2.1 Types of Communication Devices 44
2.2 Properties 45
2.3 Ethernet 46
2.4 FDDI 48
2.5 B-ISDN and the Intelligent Network 50
2.6 ATM 53
2.7 Cluster and Parallel Architectures 56
2.8 Next steps 57
2.9 Additional Reading 58

3. BASIC COMMUNICATION SERVICES 59
3.1 Communications Standards 59
3.2 Addressing 59
3.3 Internet Protocols 63
3.3.1 Internet Protocol: IP layer 64
3.3.2 Transport Control Protocol: TCP 64
3.3.3 User Datagram Protocol: UDP 64
3.3.4 Internet Packet Multicast Protocol: IP Multicast 65
3.4 Routing 66
3.5 End-to-end Argument 67
3.6 O/S Architecture Issues, Buffering, Fragmentation 68
3.7 Xpress Transfer Protocol 70
3.8 Next Steps 71
3.9 Additional Reading 72

4. RPC AND THE CLIENT-SERVER MODEL 73
4.1 RPC Protocols and Concepts 75
4.2 Writing an RPC-based Client or Server Program 77
4.3 The RPC Binding Problem 79
4.4 Marshalling and Data Types 81
4.5 Associated Services 83
4.5.1 Naming services 83
4.5.2 Time services 84
4.5.3 Security services 85
4.5.4 Threads packages 85
4.6 The RPC Protocol 89
4.7 Using RPC in Reliable Distributed Systems 92
4.8 Related Readings 95

5. STREAMS 96
5.1 Sliding Window Protocols 96
5.1.1 Error Correction 97
5.1.2 Flow Control 98
5.1.3 Dynamic Adjustment of Window Size 98
5.1.4 Burst Transmission Concept 99
5.2 Negative-Acknowledgement Only 100
5.3 Reliability, Fault-tolerance, and Consistency in Streams 100
5.4 RPC over a Stream 102
5.5 Related Readings 102

6. CORBA AND OBJECT-ORIENTED ENVIRONMENTS 104
6.1 The ANSA Project 104
6.2 Beyond ANSA to CORBA 106
6.3 OLE-2 and Network OLE 107
6.4 The CORBA Reference Model 107
6.5 TINA 114
6.6 IDL and ODL 114
6.7 ORB 116
6.8 Naming Service 116
6.9 ENS 117
6.10 Life Cycle Service 118
6.11 Persistent Object Service 118
6.12 Transaction Service 118
6.13 Inter-Object Broker Protocol 118
6.14 Future CORBA Services 118
6.15 Properties of CORBA Solutions 119
6.16 Related Readings 120

7. CLIENT-SERVER COMPUTING 121
7.1 Stateless and Stateful Client-Server Interactions 121
7.2 Major Uses of the Client-Server Paradigm 121
7.3 Distributed File Systems 125
7.4 Stateful File Servers 129
7.5 Distributed Database Systems 136
7.6 Applying Transactions to File Servers 141
7.7 Message Oriented Middleware 143
7.8 Related Topics 143
7.9 Related Readings 145

8. OPERATING SYSTEM SUPPORT FOR HIGH PERFORMANCE COMMUNICATION 146
8.1 Lightweight RPC 147
8.2 Fbuf's and the xKernel Project 149
8.3 Active Messages 151
8.4 Beyond Active Messages: U-Net 153
8.5 Protocol Compilation Techniques 156
8.6 Related Readings 157

PART II: THE WORLD WIDE WEB 158

9. THE WORLD WIDE WEB 159
9.1 Related Readings 164

10. THE MAJOR WEB TECHNOLOGIES 165
10.1 Hyper-Text Markup Language (HTML) 166
10.2 Virtual Reality Markup Language (VRML) 166
10.3 Universal Resource Locators (URLs) 166
10.4 Hyper-Text Transport Protocol (HTTP) 167
10.5 Representations of Image Data 170
10.6 Authorization and Privacy Issues 171
10.7 Web Proxy Servers 174
10.8 Java, HotJava, and Agent Based Browsers 175
10.9 GUI Builders and Other Distributed CASE Tools 179
10.10 Tacoma and the Agent Push Model 179
10.11 Web Search Engines and Web Crawlers 181
10.12 Important Web Servers 182
10.13 Future Challenges 182
10.14 Related Readings 184

11. RELATED INTERNET TECHNOLOGIES 185
11.1 File Transfer Tools 185
11.2 Electronic Mail 185
11.3 Network Bulletin Boards (newsgroups) 186
11.4 Message Oriented MiddleWare Systems (MOMS) 187
11.5 Message Bus Architectures 189
11.6 Internet Firewalls and Gateways 191
11.7 Related Readings 192

PART III: RELIABLE DISTRIBUTED COMPUTING 193

12. HOW AND WHY COMPUTER SYSTEMS FAIL 194
12.1 Hardware Reliability and Trends 194
12.2 Software Reliability and Trends 194
12.3 Other Sources of Downtime 196
12.4 Complexity 196
12.5 Detecting failures 197
12.6 Hostile Environments 198
12.7 Related Readings 199

13. GUARANTEEING BEHAVIOR IN DISTRIBUTED SYSTEMS 200
13.1 Consistent Distributed Behavior 200
13.2 Warning: Rough Road Ahead! 201
13.3 Membership in a Distributed System 202
13.4 Time in Distributed Systems 203
13.5 Failure Models and Reliability Goals 208
13.6 Reliable Computing in a Static Membership Model 209
13.6.1 The Distributed Commit Problem 210
13.6.1.1 Two-Phase Commit 211
13.6.1.2 Three-Phase Commit 218
13.6.2 Reading and Updating Replicated Data with Crash Failures 221
13.7 Replicated Data with Non-Benign Failure Modes 223
13.8 Reliability in Asynchronous Environments 226
13.9 The Dynamic Group Membership Problem 231
13.10 The Group Membership Problem 235
13.10.1 Protocol used to track GMS Membership 239
13.10.2 GMS Protocol to Handle Client Add and Join Events 241
13.10.3 GMS Notifications With Bounded Delay 242
13.10.4 Extending the GMS to Allow Partition and Merge Events 244
13.11 Dynamic Process Groups and Group Communication 245
13.11.1 Group Communication Primitives 247
13.12 Delivery Ordering Options 249
13.12.1.1 Non-Uniform Failure-Atomic Group Multicast 253
13.12.1.2 Dynamically Uniform Failure-Atomic Group Multicast 255
13.12.2 Dynamic Process Groups 255
13.12.3 View-Synchronous Failure Atomicity 257
13.12.4 Summary of GMS Properties 259
13.12.5 Ordered Multicast 260
13.12.5.1 Fifo Order 260
13.12.5.2 Causal Order 261
13.12.5.2.1 Causal ordering with logical timestamps 262
13.12.5.2.2 Causal ordering with vector timestamps 263
13.12.5.2.3 Timestamp compression 265
13.12.5.2.4 Causal multicast and consistent cuts 266
13.12.5.2.5 Exploiting Topological Knowledge 268
13.12.5.3 Total Order 269
13.13 Communication From Non-Members to a Group 271
13.13.1 Scalability 273
13.14 Communication from a Group to a Non-Member 273
13.15 Summary 273
13.16 Related Readings 275

14. POINT-TO-POINT AND MULTIGROUP CONSIDERATIONS 276
14.1 Causal Communication Outside of a Process Group 276
14.2 Extending Causal Order to Multigroup Settings 279
14.3 Extending Total Order to Multigroup Settings 280
14.4 Causal and Total Ordering Domains 281
14.5 Multicasts to Multiple Groups 282
14.6 Multigroup View Management Protocols 283
14.7 Related Reading 283

15. THE VIRTUALLY SYNCHRONOUS EXECUTION MODEL 284
15.1 Virtual Synchrony 284
15.2 Extended Virtual Synchrony 288
15.3 Virtually Synchronous Algorithms and Tools 292
15.3.1 Replicated Data and Synchronization 292
15.3.2 State transfer to a joining process 296
15.3.3 Load-Balancing 298
15.3.4 Primary-Backup Fault Tolerance 299
15.3.5 Coordinator-Cohort Fault-Tolerance 301
15.4 Related Readings 302

16. CONSISTENCY IN DISTRIBUTED SYSTEMS 303
16.1 Consistency in the Static and Dynamic Membership Models 303
16.2 General remarks Concerning Causal and Total Ordering 311
16.3 Summary and Conclusion 314
16.4 Related Reading 315

17. RETROFITTING RELIABILITY INTO COMPLEX SYSTEMS 316
17.1 Wrappers and Toolkits 316
17.1.1 Wrapper Technologies 318
17.1.1.1 Wrapping at Object Interfaces 318
17.1.1.2 Wrapping by Library Replacement 318
17.1.1.3 Wrapping by Object Code Editing 319
17.1.1.4 Wrapping With Interposition Agents and Buddy Processes 320
17.1.1.5 Wrapping Communication Infrastructures: Virtual Private Networks 320
17.1.1.6 Wrappers: Some Final Thoughts 321
17.1.2 Introducing Robustness in Wrapped Applications 321
17.1.3 Toolkit Technologies 323
17.1.4 Distributed Programming Languages 325
17.2 Wrapping a Simple RPC server 326
17.3 Wrapping a Web Server 327
17.4 Hardening Other Aspects of the Web 328
17.5 Unbreakable Stream Connections 332
17.5.1 Reliability Options for Stream Communication 333
17.5.2 An Unbreakable Stream That Mimics TCP 335
17.5.3 Non-Determinism and Its Consequences 336
17.5.4 Dealing With Arbitrary Non-Determinism 337
17.5.5 Replicating the IP Address 337
17.5.6 Maximizing Concurrency by Relaxing Multicast Ordering 338
17.5.7 State Transfer Issues 340
17.5.8 Discussion 340
17.6 Building a Replicated TCP Protocol Using a Toolkit 341
17.7 Reliable Distributed Shared Memory 342
17.7.1 The shared memory wrapper abstraction 342
17.7.2 Memory coherency options for distributed shared memory 344
17.7.3 False sharing 346
17.7.4 Demand paging and intelligent prefetching 346
17.7.5 Fault-tolerance issues 347
17.7.6 Security and protection considerations 347
17.7.7 Summary and discussion 348
17.8 Related Readings 348

18. RELIABLE DISTRIBUTED COMPUTING SYSTEMS 349
18.1 Architectural Considerations in Reliable Systems 349
18.2 Horus: A Flexible Group Communications System 351
18.2.1 A layered process group architecture 352
18.3 Protocol stacks 355
18.4 Using Horus to Build a Robust Groupware Application 356
18.5 Using Horus to Harden CORBA applications 359
18.6 Basic Performance of Horus 360
18.7 Masking the Overhead of Protocol Layering 362
18.7.1 Reducing Header Overhead 363
18.7.2 Eliminating Layered Protocol Processing Overhead 364
18.7.3 Message Packing 365
18.7.4 Performance of Horus with the Protocol Accelerator 365
18.8 Scalability 366
18.9 Related Readings 368

19. SECURITY OPTIONS FOR DISTRIBUTED SETTINGS 370
19.1 Perimeter Defense Technologies 372
19.2 Access Control Technologies 374
19.3 Authentication Schemes and Kerberos 376
19.3.1 RSA and DES 376
19.3.2 Kerberos 377
19.3.3 ONC security and NFS 380
19.3.4 Fortezza 380
19.4 Availability and Security 382
19.5 Related Readings 383

20. CLOCK SYNCHRONIZATION AND SYNCHRONOUS SYSTEMS 384
20.1 Clock Synchronization 384
20.2 Timed-asynchronous Protocols 388
20.3 Adapting Virtual Synchrony for Real-Time Settings 395
20.4 Related Readings 398

21. TRANSACTIONAL SYSTEMS 399
21.1 Implementation of a Transactional Storage System 401
21.1.1 Write-ahead logging 401
21.1.2 Persistent data seen "through" an updates list 402
21.1.3 Non-distributed commit actions 403
21.2 Distributed Transactions and Multi-Phase Commit 404
21.3 Transactions on Replicated Data 404
21.4 Nested Transactions 405
21.4.1 Comments on the nested transaction model 407
21.5 Weak Consistency Models 410
21.5.1 Epsilon serializability 410
21.5.2 Weak and strong consistency in partitioned database systems 411
21.5.3 Transactions on multi-database systems 412
21.5.4 Linearizability 412
21.5.5 Transactions in Real-Time Systems 413
21.6 Advanced Replication Techniques 413
[...]
21.7 Related Readings 416

22. PROBABILISTIC PROTOCOLS 417
22.1 Probabilistic Protocols 417
22.2 Other applications of gossip protocols 419
22.3 Hayden's pbcast primitive
22.3.1 Unordered pbcast protocol
22.3.2 Adding Total Ordering
22.3.3 Probabilistic Reliability and the Bimodal Delivery Distribution
22.3.4 An Extension to Pbcast
22.3.5 Evaluation and Scalability
22.3.5.1 Reliability [...]

[...] and CMIP 430
23.3.1 Sensors and events 431
23.3.2 Actuators 434
23.4 Reactive control in Distributed Settings 435
23.5 Fault-tolerance by State Machine Replication 436
23.6 Visualization of Distributed System States 436
23.7 Correlated Events 437
23.8 Information Warfare and Defensive Tactics 437
23.9 Related Readings 441

24. CLUSTER COMPUTER ARCHITECTURES 442
[...]

[...] Process and Message-Oriented Models 454
25.3 System Definition Languages 457
25.4 High Level Languages and Logics 458

26. OTHER DISTRIBUTED AND TRANSACTIONAL SYSTEMS 461
26.1 Related Work in Distributed Computing 461
26.1.1 Amoeba 461
26.1.2 Chorus 461
26.1.3 Delta-4 462
26.1.4 Harp 462
26.1.5 The Highly Available System (HAS) 463
26.1.6 The Isis Toolkit 463
26.1.7 Locus 464
26.1.8 Sender-Based Logging and Manetho 464
26.1.9 NavTech 465
26.1.10 Phoenix 465
26.1.11 Psync 465
26.1.12 Relacs 465
26.1.13 Rampart 466
26.1.14 RMP 466
26.1.15 StormCast 466
26.1.16 Totem 467
26.1.17 Transis 468
26.1.18 The V System 468
26.2 Systems That Implement Transactions 469
26.2.1 Argus 469
26.2.2 Arjuna 470
26.2.3 Avalon 470
26.2.4 Bayou 470
26.2.5 Camelot and Encina 471

APPENDIX: PROBLEMS [...]
[...] 482
INDEX 505

Trademarks Cited in the Text

Unix is a Trademark of Santa Cruz Operations, Inc. CORBA (Common Object Request Broker Architecture) and OMG IDL are trademarks of the Object Management Group. ONC (Open Network Computing), NFS (Network File System), Solaris, Solaris MC, XDR (External Data Representation), and Java are [...]

[...] here are my own, and may not represent positions of the organizations and corporations that have supported this research.

Introduction

Despite nearly twenty years of progress towards ubiquitous computer connectivity, distributed computing systems have only recently emerged to play a serious role in industry and society. Perhaps [...]

[...] twenty year period, and during the mid 1990's network connectivity between computer systems became pervasive. Network bandwidth has also increased enormously, rising from hundreds of bytes per second in the early 1980's to millions per second in the mid 1990's, with gigabit rates anticipated in the late 1990's and beyond. Network functionality evolved steadily during this period. Early use of networks was entirely [...]

[...] secure, or otherwise reliable. Today, these terms are often used in advertising for products that are not reliable in any meaningful sense at all. One might similarly claim that a building or a bridge was constructed "above code" in a setting where the building code is completely ad-hoc. The situation changes considerably when the building code is made more explicit and demanding, and bridges and buildings [...]

[...] management, and banking. This study was undertaken against a backdrop colored by the recent difficulties of the Federal Aviation Agency, which launched a project in the late 1980's and early 1990's to develop a new generation of highly reliable distributed air traffic control software. Late in 1994, after losing a huge sum of money and [...]

[...] developing Internet and Web applications, at emerging standards such as CORBA, and at the technologies available to us for building reliable solutions within these settings. Many texts that set this goal would do so primarily through a treatment of the underlying theory, but our approach here is much more pragmatic. By and large, we [...]