Your Desktop on Your Keychain Ted Wobber MSR Silicon Valley with Muthukarrupan Annamalai, Andrew Birrell, and Dennis Fetterly.

Your Desktop on Your Keychain

Ted Wobber

MSR Silicon Valley

with Muthukarrupan Annamalai,

Andrew Birrell, and Dennis Fetterly

Hardware vs. Desktop State

• Computers are (increasingly) everywhere– In furniture/kiosks/environment?

• New form factors for carrying state:– Keychains, cellphones, watches

• Can we make desktop state portable without also carrying the computer hardware?

• Desktop state = user preferences +user data + applications

Who cares??

• Corporations and other large organizations– Moving between offices, sites– Office-sharing– Work-at-home scenarios

• Consumers in general– But kiosk infrastructure and security is a barrier

• Emerging markets– Desktop hardware is scarce– Benefit may outweigh security risk

Models of Desktop Portability

• Laptops• Roaming profiles• Remote desktop

Laptops

• Laptops are (usually) bulky and fragile• Expensive to purchase and to manage• Prone to theft• Once stolen, data is (often) vulnerable• Backup can be haphazard

• But, laptops are self contained and offer a valuable platform for disconnected environments

Roaming Profiles

• Applications don’t roam• In Windows, difficult to separate user,

application, and machine-specific state• Slow, bandwidth intensive• Difficult outside single admin domain• Security of host machine?

Remote Desktops

• Needs strong connectivity• Latency-sensitive• Difficult outside single admin domain• Needs managed server to provide RDP service

– Most desktop PCs aren’t “professionally managed”

• Local devices?

Flash Changes the Equation

• Current cost: 1GB = ~$80• Still following Moore’s Law

• Read/Write performance approaching disk• Modern flash has built-in wear-leveling

– Max write limitations are rarely a problem

• For this talk: Flash == USB Flash Device

Flash Statistics (estimate)

• Projected shipments 60-120 million units in 2005• 2 GB in ’04; 4GB+ in ’05.• Estimated revenue on NAND-based Flash at $9.2 billion

in ‘06 timeframe• NAND Read/Write speeds are slated to increase as

follows:– ‘04 read 8 MB/s; write 6.5MB/s.

– ’05 read. 23 MB/s; write 16MB/s.

– ‘06 read 40 MB/s; write 28 MB/s.

– ‘07 guesstimates are 100MB/s using multiple NAND chips and cache.

• Already being extended with onboard CPU, memory, wireless, etc.

Carry user state cache on flash

• Similar problems to roaming profiles:– Applications don’t roam– In Windows, difficult to separate user, application, and

machine-specific state– Slow, bandwidth intensive– Difficult outside single admin domain– Security of host machine?

Boot from Flash

• Drivers – Problem gets worse with age of installation

• Flash capacity (in short term)– Size of OS + apps a problem– What happens when disk is full?

• Machine state (e.g. hibernation) is non portable • Backup?

Our Solution

• Host machine runs virtual machine monitor• User runs in a virtual machine (VirtualPC)• Virtual disk is a “server in the sky”

– Remote disk handles overflow and backup

• The flash acts as:– A persistent cache/log of virtual disk– Storage for virtual machine state

• Local disk as “lookaside” for virtual disk content

Why Virtualization?

• Eliminates host-specific customization– (e.g. drivers, etc)

• Easy to encapsulate and move VM state• Fewer “moving parts” on host

– Easier to manage/secure: VMM is only requirement

• Development cost (our prototype < 1 kloc)– Simple to customize basic abstractions

• Good performance and getting better– Hardware support of virtualization

• Other platforms? XBox2?• Virtual disks make provisioning new users easy

Differencing Disks

• Compact representation of overlaid content• Standard feature of virtual machines• Convenient for shared disk provisioning

– E.g. multiple users share same base disk

Differencing Disk(s):

Base Disk:

VMM sees:

Why a network connection?

• At least for now, flash drives are too small– With Windows+Office it’s easy to overflow a 1GB disk

• Backup is automatic– Server can keep multiple restore points

• Perhaps this requirement can be eliminated in the future

VMM Host

Base Disk Image

File Server

User-SpecificDifferencing Disk

Disk as seen byyour programs

Composed of ...

VirtualPC

Your ComputingEnvironment

Kiosk Architecture

Lookaside Images (~Base Disk)

Flash Disk

Write Log

Read Cache

VMM Host

Base Disk Image

File Server

User-SpecificDifferencing Disk

Disk as seen byyour programs

Composed of ...

VirtualPC

Your ComputingEnvironment

Flash Disk

Read Cache

Disk Writes

Lookaside Images (~Base Disk)

Write Log

VMM Host

Base Disk Image

File Server

User-SpecificDifferencing Disk

Disk as seen byyour programs

Composed of ...

VirtualPC

Your ComputingEnvironment

Flash Disk

Write Log

Read Cache

Disk Reads

Lookaside Images (~Base Disk)

2

1

3

4

5

Demo

A bit more detail

• Persistent state on flash– Virtual machine state (optional)– Writes logged since last merge– Fingerprint for every 16K chunk in remote virtual disk

• MD5 as a fingerprinting algorithm (128 bits)– Set of cached 16K chunks

Persistent, in flash

A: Chunk number to Fingerprint map (for entire disk)

B: Write Log (sectors)

FP0 FP1 … FPN

17

…

Data for sector 17

…..

27 Data for sector 27

3 Data for sector 3

C: Read Cache (chunks)

35

…

Data for chunk 35

…..

7 Data for chunk 7

114 Data for chunk 114

Volatile, in memory

FP0 FP1 … FPN

17

…

Sector 17

…..

27 Sector 27

3 Sector 335

…

Chunk 35

…..

7 Chunk 7

114 Chunk 114

A: Chunk number to Fingerprint map (for entire disk)

FP0 FP1 … FPN

C: Write loghash table (sectors)

17

…

27

3

…..

FP35

…

FP7

FP114

…..

B: FP to Read Cachehash table (chunks)

FP

…

FP

FP

…..

D: FP to Static Diskhash table (chunks)

Lookaside Image

Updating the Fingerprint Map

• Must compute new chunk fingerprints• Partial chunks requires unwritten sectors

Read old chunk

Add new sectors

New FP

What’s actually implemented

• Write “log” is a differencing disk on flash– Differencing drive chain:

• Flash differencing disk →Home differencing disk → Home base

disk

• Manual merging only– No automatic updates in background– Standard VirtualPC “merge to parent”– Merge updates read cache

• Read cache is untuned

Potential Drawbacks

• Security of kiosk machine• Infrastructure rollout• Connectivity requirement

– As flash sizes grow, need for online server decreases– Range of solutions possible depending on size

• Artifacts of virtualization– Availability of pass-through devices– Fancy graphics devices unavailable

• Ensuring that working set fits within the cache

Performance Bottlenecks

• Windows likes to write to disk– Flash fills up quickly– Differencing disk overlays >10% of base image

• Read/write performance:– 4K Reads (sequential or random) ~.8 ms– 4K Writes (sequential) ~ 1.0 ms– 4K Writes (random) > 20ms !!!!

We have confirmed this by analyzing traffic at the USB driver level. The root cause of the 20 ms latency is a mystery. Our

observations are inconsistent with NAND-memory specs.

Optimizations (current)

• Fast-launch defragmentation turned off• Paging disabled• Last-access date on files disabled• Various services turned off• No anti-virus / indexing

Optimizations (possible)

• Implement real log (for sequentiality)– With redundant write elimination

• RAM disk for temporary files (e.g. IE)• Keep guest-OS NTFS log on local disk• Log writes to on-kiosk differencing disk …

periodic sync to flash• Network read/write compression• Virtual disk snapshots

Security

• Primary threats:– Bogus, tapped, or otherwise compromised kiosk– Theft of device

• But, this is a computer:

ASIC or processor NAND Memory

Trusting the Kiosk

• Non-technical considerations– Physical security

• Site security (e.g. within a corporation)• Physical packaging and locks (like an ATM)• Kiosk owner must be accountable

• Technical solutions– NGSCB / Trusted Boot / Attestation

• Small footprint (e.g. just OS+VMM) helps here– User-specific, unforgeable visual feedback– External helper device with UI (e.g. cellphone)

Protecting Against Theft

• On-flash encryption, “unlocks” data only after:– Flash authenticates kiosk– Flash informs user that kiosk is OK– User gives credentials (e.g. password or biometric)

• Lock-out on repetitive failure

• Host-based encryption is also possible– But gives weaker guarantees

• User can roll back to disk state on server

Related Projects

• Internet suspend/resume– CMU / Intel Labs– Virtual machine serial portability– Supported by Coda-like distributed FS– Flash for read optimization

• Stanford “Collective” project– Portable virtual machine– Virtual state/disk “capsule” hierarchy

Conclusions

• New model for desktop portability• Augments range of existing techniques• Spectrum of flash-based solutions

• Looking for ways we can help product efforts• Haven’t explored business/market ramifications• Highlights two growing market forces:

Flash and Virtualization