Publications from 2010
Proceedings of the 2010 USENIX Annual Technical Conference (USENIX 2010), June 2010
Desktop computers are often compromised by the interaction of untrusted data and buggy software. To address this problem, we present Apiary, a system that transparently contains application faults while retaining the usage metaphors of a traditional desktop environment. Apiary accomplishes this with three key mechanisms. It isolates applications in containers that integrate in a controlled manner at the display and file system. It introduces ephemeral containers that are quickly instantiated for single application execution, to prevent any exploit that occurs from persisting and to protect user privacy. It introduces the Virtual Layered File System to make instantiating containers fast and space efficient, and to make managing many containers no more complex than a single traditional desktop. We have implemented Apiary on Linux without any application or operating system kernel changes. Our results with real applications, known exploits, and a 24-person user study show that Apiary has modest performance overhead, is effective in limiting the damage from real vulnerabilities, and is as easy for users to use as a traditional desktop.
Proceedings of the 3rd Annual Haifa Experimental Systems Conference (SYSTOR 2010), May 2010
Operating system (OS) virtualization can provide a number of important benefits, including transparent migration of applications, server consolidation, online OS maintenance, and enhanced system security. However, the construction of such a system presents a myriad of challenges, even for the most cautious developer, that if overlooked may result in a weak, incomplete virtualization. We present a detailed discussion of key implementation issues in providing OS virtualization in a commodity OS, including system call interposition, virtualization state management, and race conditions. We discuss our experiences in implementing such functionality across two major versions of Linux entirely in a loadable kernel module without any kernel modification. We present experimental results on both uniprocessor and multiprocessor systems that demonstrate the ability of our approach to provide fine-grain virtualization with very low overhead.
Proceedings of the 41st ACM Technical Symposium on Computer Science Education (SIGCSE 2010), March 2010
Students learn more through hands-on project experience for computer science courses such as operating systems, but providing the infrastructure support for a large class to learn by doing can be hard. To address this issue, we introduce a new approach to managing and grading operating system homework assignments based on virtual appliances, a distributed version control system, and live demonstrations. Our solution is easy to deploy and use with students' personal computers, and obviates the need to provide a computer laboratory for teaching purposes. It supports the most demanding course projects, such as those that involve operating system kernel development, and can be used by both on-campus and remote distance learning students even with intermittent network connectivity. Our experiences deploying and using this solution to teach operating systems at Columbia University show that it is easier to use, more flexible, and more pedagogically effective than other approaches.
Ph.D. Thesis, Department of Computer Science, Columbia University, March 2010
This dissertation demonstrates that operating system virtualization is an effective method for solving many different types of computing problems. We have designed novel systems that make use of commodity software while solving problems that were not conceived when the software was originally written. We show that by leveraging and extending existing virtualization techniques, and introducing new ones, we can build these novel systems without requiring the applications or operating systems to be rewritten. We introduce six architectures that leverage operating system virtualization. *Pod creates fully secure virtual environments and improves user mobility. AutoPod reduces the downtime needed to apply kernel patches and perform system maintenance. PeaPod creates least-privilege systems by introducing the pea abstraction. Strata improves the ability of administrators to manage large numbers of machines by introducing the Virtual Layered File System. Apiary builds upon Strata to create a new form of desktop security by using isolated persistent and ephemeral application containers. Finally, ISE-T applies the two-person control model to system administration. By leveraging operating system virtualization, we have built these architectures on Linux without requiring any changes to the underlying kernel or user-space applications. Our results, with real applications, demonstrate that operating system virtualization has minimal overhead. These architectures solve problems with minimal impact on end-users while providing functionality that would previously have required modifications to the underlying system.