The Case for Device Namespaces
Oren Laadan
September 18, 2013
www.cellrox.com

Device Namespaces Roots
Based on research at Columbia University:
Cells: A Virtual Mobile Smartphone Architecture
Authors: Jeremy Andrus, Christoffer Dall, Alex Van 't Hof, Oren Laadan, Jason Nieh.
Proceedings of the 23rd Symposium on Operating Systems Principles (SOSP 2011). Cascais, Portugal. October, 2011.
Mobile devices have multiple uses - the device needs to reflect that.

Security Use Case
- Personal Phone
- Business Phone

Do People Remember?
- Only download apps from trusted sources, such as reputable app markets. Remember to look at the developer name, reviews, and star ratings.
- Always check the permissions an app requests. Use common sense to ensure that the permissions an app requests match the features the app provides.
- Be alert for unusual behavior on your phone. Suspicious behavior could be a sign that your phone is infected. These behaviors may include unusual SMS or network activity.
- Install a mobile security app for your phone that scans every app you download to ensure it's safe.

No, They Don't!
User Behavior is the #1 Security Risk
- Lack of user awareness about security policies
- Insecure web browsing
- Insecure Wi-Fi connectivity
- Lost or stolen mobile devices with corporate data
- Corrupt app downloaded to mobile devices
- Lack of security patches from service providers
- High rate of users changing/upgrading devices

More Use Cases
- Personal Phone
- Business Phone
- Children Phone
- Privacy Phone
- Secure Phone

Mobile Wallets

Even More Use Cases
- Personal Phone
- Business Phone
- Children Phone
- Privacy Phone
- Secure Phone
- Social Phone
- Guest Phone
- Dev Phone

Multi-Persona for Mobile Devices

The Usual Suspect: Virtualization
Every problem in computer science can be solved using another layer of abstraction.
Mobile Device Virtualization
[Diagram labels: Typical device; Linux kernel; Device hardware]

Nobody Will Notice?
- Performance Transparent
- Application Transparent
- Platform Transparent
- User Transparent

Bare-Metal Virtualization
[Diagram labels: Typical device; Virtual Phone (x2); Linux kernel; Hypervisor Type I; Device hardware]

Bare-Metal (Type-I) Virtualization
- Suitable for servers
  - standard hardware
  - slow server replace rate
  - strong security model
- Sub-optimal for mobile devices
  - burden to support devices
  - reduced performance / battery-life
  - sub-optimal use of resources

Host-Based Virtualization
[Diagram labels: Typical device; Virtual Phone (x2); Linux kernel; Hypervisor Type II; Device hardware]

Host-Based (Type-II) Virtualization
- Suitable for desktops
  - rely on host for hardware
  - rely on host for resources
  - rely on host for security
- Sub-optimal for mobile devices
  - weak security model (can trust host?)
  - reduced performance / battery-life
  - sub-optimal use of resources

Operating System Virtualization
[Diagram labels: Typical device; Virtual Phone (x2); Namespaces; Linux kernel; Device hardware]

Operating System Virtualization
Namespaces provide a group of processes with the illusion that they are the only processes on the system (LWN article)

Operating System Virtualization
- Challenge 1: hardware diversity
  - plethora of peripherals not virtualized
  - key logical devices not virtualized
- Challenge 2: interactive usage
  - users interact with one app at a time
  - foreground vs. background apps

Hardware Diversity
A typical collection of peripherals available on a modern smartphone or tablet: Headset, Microphone, Speakers, (Touch) Screen, Power Buttons, Telephony, Bluetooth, GPS, WiFi, Framebuffer, GPU, Compass, Camera(s), Accelerometer, RTC/Alarms
Device Namespaces
Two roles:
- Virtualize physical and logical devices, to address hardware diversity
- Multiplex access to devices and switch contexts to allow interactive usage

Device Namespaces
HW diversity: traditional virtualization
- create the illusion that processes interact exclusively with a set of devices
- hide the fact that other processes interact with the same set of devices
- Device major/minor (e.g. loop, dm), and device setup and internal state

Device Namespaces
Interactivity: context-aware virtualization
- concept of an active namespace, with which the user actually interacts
- ability to switch namespaces, to allow interacting with multiple namespaces
- users really interact with one namespace at a time
Device Namespaces
[Diagram labels: Namespaces; Linux kernel; GPU, Framebuf, Touch, Camera(s), Headset, Buttons, GPS; Device hardware]

Framebuffer: single assignment?
[Diagram labels: VP (x3); Framebuffer; Linux kernel]

Framebuffer: emulated hardware?
[Diagram labels: VP (x3); Emulated Framebuffer; Virtual State; Framebuffer; Linux kernel]

Framebuffer: device namespaces
[Diagram sequence labels: one Foreground and two Background namespaces; Virtualized Framebuffer; Framebuffer; RAM; Linux kernel. The Foreground label moves to a different namespace in the last frame.]
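
The foreground/background framebuffer multiplexing from the slides above, as an added example that is not part of the original deck or of the devns patch-set: a user-space C model in which only the active namespace's accesses reach the (simulated) hardware framebuffer, while background namespaces work on per-namespace buffers in RAM. The names `fb_mux`, `fb_write`, `fb_read` and `fb_switch`, the buffer sizes, and the save-and-restore policy on switch are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FB_PIXELS 8   /* tiny constructed "screen" */
#define MAX_NS    3   /* one foreground + two background namespaces */

/* Hypothetical user-space model; not the devns patch-set API. */
struct fb_mux {
    uint32_t hw[FB_PIXELS];              /* physical framebuffer memory */
    uint32_t backing[MAX_NS][FB_PIXELS]; /* per-namespace buffers in RAM */
    int active;                          /* namespace the user interacts with */
};

/* Every namespace sees "the" framebuffer; only the active one reaches hardware. */
static uint32_t *fb_target(struct fb_mux *m, int ns, int px) {
    if (ns < 0 || ns >= MAX_NS || px < 0 || px >= FB_PIXELS) return NULL;
    return ns == m->active ? &m->hw[px] : &m->backing[ns][px];
}

int fb_write(struct fb_mux *m, int ns, int px, uint32_t color) {
    uint32_t *p = fb_target(m, ns, px);
    if (p) *p = color;
    return p ? 0 : -1;
}
int fb_read(struct fb_mux *m, int ns, int px, uint32_t *out) {
    uint32_t *p = fb_target(m, ns, px);
    if (p) *out = *p;
    return p ? 0 : -1;
}

/* Assumed switch policy: save the screen for the outgoing namespace, restore the incoming one. */
int fb_switch(struct fb_mux *m, int ns) {
    if (ns < 0 || ns >= MAX_NS) return -1;
    if (ns == m->active) return 0;
    memcpy(m->backing[m->active], m->hw, sizeof m->hw);
    memcpy(m->hw, m->backing[ns], sizeof m->hw);
    m->active = ns;
    return 0;
}

int main(void) {
    struct fb_mux m = {0};               /* namespace 0 starts in the foreground */
    fb_write(&m, 0, 0, 0xAA);            /* foreground: reaches the screen */
    fb_write(&m, 1, 0, 0xBB);            /* background: lands in RAM only */
    fb_switch(&m, 1);
    printf("screen after switch: %#x\n", (unsigned)m.hw[0]);
    return 0;
}
```

In this model a background namespace can neither draw on the screen nor read what the foreground namespace is displaying; each one only ever reaches its own buffer.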
Experimental Benchmarks
- CPU (Linpack)
- Graphics (Neocore)
- Storage (Quadrant)
- Web browsing (SunSpider)
- Networking (custom)

Runtime Overhead (Idle)
[Bar chart: Baseline and 1-VP to 5-VP for Linpack, NeoCore, Quadrant I/O, SunSpider and Network; y-axis 0.00 to 1.40]

Runtime Overhead (load)
[Bar chart: Baseline and 1-VP to 5-VP for Linpack, NeoCore, Quadrant I/O, SunSpider and Network; y-axis 0.00 to 1.40]

Power Consumption Overhead
[Bar chart: Baseline and 1-VP to 5-VP, after 4hrs Music and after 12hrs Idle; y-axis 0.00 to 1.40]
Device Namespaces Patches
- RFC patch-set posted in containers and lxc-devel mailing lists
- Includes 8 patches for: input, backlight, LED, framebuffer, some
- Demo of dual-namespaces and switch between them on
- Topic at containers mini-conf at LPC tomorrow

Summary
https://www.github.com/cellrox/devns-patches/wiki
- Device namespaces bring virtualization to end-user devices.
- Active vs. non-active namespaces based on natural usage model
- Native performance (up to ~1% overhead in Vellamo benchmark)
- RFC patch-set posted in containers list, to be discussed in LPC