Abstract This paper describes a mechanism by which an operating system kernel can determine with certainty that it is safe to execute a binary supplied by an untrusted source. The kernel first defines a safety policy and makes it public. Then, using this policy, an application can provide binaries in a special form called proof-carrying code, or simply PCC. Each PCC binary contains, in addition to the native code, a formal proof that the code obeys the safety policy. The kernel can easily validate the proof without using cryptography and without consulting any external trusted entities. If the validation succeeds, the code is guaranteed to respect the safety policy without relying on run-time checks. The main practical difficulty of PCC is in generating the safety proofs. In order to gain some preliminary experience with this, we have written several network packet filters in hand-tuned DEC Alpha assembly language, and then generated PCC binaries for them using a special prototype assembler. The PCC binaries can be executed with no run-time overhead, beyond a one-time cost of 1 to 3 milliseconds for validating the enclosed proofs. The net result is that our packet filters are formally guaranteed to be safe and are faster than packet filters created using Berkeley Packet Filters, Software Fault Isolation, or safe languages such as Modula-3.

Abstract not found

Chunks are a programming construct in PLAN, the Packet Language for Active Networks, comprised of a code segment and a suspended function call. In PLAN, chunks provide support for encapsulation and other packet programming techniques. This paper begins by explaining the semantics and implementation of chunks. We proceed, using several PLAN source code examples, to demonstrate the usefulness of chunks for micro-protocols, asynchronous adaptation, and as units of authentication granularity. 1 Introduction The current IP-based Internet has been a success in part due to the simplicity of its architecture. However, this success, while bringing greatly increased use, has also greatly increased the demand for new and more complex network services and protocols. The goal of Active Networking is to allow these demands to be met by increasing the exibility with which the network can be changed. Active networking achieves its increased exibility by making the network programmable. In the Swi...

This thesis argues that session-layer services for enhancing functionality and improving network performance are gaining in importance in the Internet; examples include connection multiplexing, congestion state sharing, application-level routing, mobility/migration support, encryption, and so on. To facilitate the development of these services, we describe Tesla, a transparent and extensible framework that allows session-layer services to be developed using a high-level flow-based abstraction (rather than sockets), enables them to be deployed transparently using dynamic library interposition, and enables them to be composed by chaining event handlers in a graph structure. We show how Tesla can be used to design several interesting sessionlayer services including encryption, SOCKS and application-controlled routing, flow migration, and traffic rate shaping, all with acceptably low performance degradation.

Telecommunication service providers have recently begun to offer ubiquitous access to packetised data. As a result, the Internet is not limited to computers that are physically connected but is also available to users that are equipped with mobile devices. This ubiquitous access fuels the growth and the usage of the Internet even further, and thus the realisation of dynamic Internet. With the realisation of the dynamic Internet, increasing support is needed for Internet protocol (IP) and transmission control protocol (TCP) over wireless/mobile networks. Two areas

this paper focuses on application-level quality of service policies and the collaboratory's transport services. Flexible Application-Level QoS Policies Group Membership Service Group Synchronization Service Shared State Service Transport Service

An Active IP Network integrates two very different network programming models, an IP packet based model, and an Active Network capsule based model. This report shows how to integrate these two models into a single node, called an Active IP node, and how to integrate an Active IP node into an IP network. It also presents some preliminary ideas on the constraints network architects will face when building Active protocols for a heterogeneous network of Active and non-Active IP nodes.