Your Desktop on Your Keychain

1
Your Desktop on Your Keychain

• Ted Wobber
• MSR Silicon Valley
• with Muthukarrupan Annamalai,
• Andrew Birrell, and Dennis Fetterly

2
Hardware vs. Desktop State

• Computers are (increasingly) everywhere
• In furniture/kiosks/environment?
• New form factors for carrying state
• Keychains, cellphones, watches
• Can we make desktop state portable without also
  carrying the computer hardware?
• Desktop state user preferences user data
  applications

3
Who cares??

• Corporations and other large organizations
• Moving between offices, sites
• Office-sharing
• Work-at-home scenarios
• Consumers in general
• But kiosk infrastructure and security is a
  barrier
• Emerging markets
• Desktop hardware is scarce
• Benefit may outweigh security risk

4
Models of Desktop Portability

• Laptops
• Roaming profiles
• Remote desktop

5
Laptops

• Laptops are (usually) bulky and fragile
• Expensive to purchase and to manage
• Prone to theft
• Once stolen, data is (often) vulnerable
• Backup can be haphazard
• But, laptops are self contained and offer a
  valuable platform for disconnected environments

6
Roaming Profiles

• Applications dont roam
• In Windows, difficult to separate user,
  application, and machine-specific state
• Slow, bandwidth intensive
• Difficult outside single admin domain
• Security of host machine?

7
Remote Desktops

• Needs strong connectivity
• Latency-sensitive
• Difficult outside single admin domain
• Needs managed server to provide RDP service
• Most desktop PCs arent professionally managed
• Local devices?

8
Flash Changes the Equation

• Current cost 1GB 80
• Still following Moores Law
• Read/Write performance approaching disk
• Modern flash has built-in wear-leveling
• Max write limitations are rarely a problem
• For this talk Flash USB Flash Device

9
Flash Statistics (estimate)

• Projected shipments 60-120 million units in 2005
• 2 GB in 04 4GB in 05.
• Estimated revenue on NAND-based Flash at 9.2
  billion in 06 timeframe
• NAND Read/Write speeds are slated to increase as
  follows
• 04 read 8 MB/s write 6.5MB/s.
• 05 read. 23 MB/s write 16MB/s.
• 06 read 40 MB/s write 28 MB/s.
• 07 guesstimates are 100MB/s using multiple NAND
  chips and cache.
• Already being extended with onboard CPU, memory,
  wireless, etc.

10
Carry user state cache on flash

• Similar problems to roaming profiles
• Applications dont roam
• In Windows, difficult to separate user,
  application, and machine-specific state
• Slow, bandwidth intensive
• Difficult outside single admin domain
• Security of host machine?

11
Boot from Flash

• Drivers
• Problem gets worse with age of installation
• Flash capacity (in short term)
• Size of OS apps a problem
• What happens when disk is full?
• Machine state (e.g. hibernation) is non portable
• Backup?

12
Our Solution

• Host machine runs virtual machine monitor
• User runs in a virtual machine (VirtualPC)
• Virtual disk is a server in the sky
• Remote disk handles overflow and backup
• The flash acts as
• A persistent cache/log of virtual disk
• Storage for virtual machine state
• Local disk as lookaside for virtual disk content

13
Why Virtualization?

• Eliminates host-specific customization
• (e.g. drivers, etc)
• Easy to encapsulate and move VM state
• Fewer moving parts on host
• Easier to manage/secure VMM is only requirement
• Development cost (our prototype lt 1 kloc)
• Simple to customize basic abstractions
• Good performance and getting better
• Hardware support of virtualization
• Other platforms? XBox2?
• Virtual disks make provisioning new users easy

14
Differencing Disks

• Compact representation of overlaid content
• Standard feature of virtual machines
• Convenient for shared disk provisioning
• E.g. multiple users share same base disk

VMM sees
Differencing Disk(s)
Base Disk
15
Why a network connection?

• At least for now, flash drives are too small
• With WindowsOffice its easy to overflow a 1GB
  disk
• Backup is automatic
• Server can keep multiple restore points
• Perhaps this requirement can be eliminated in the
  future

16
Kiosk Architecture
VMM Host
Your ComputingEnvironment
VirtualPC
Disk as seen by
your programs
File Server
Composed of ...
Base Disk Image
17
Disk Writes
VMM Host
Your ComputingEnvironment
Flash Disk
Write Log
VirtualPC
Read Cache
Disk as seen by
your programs
File Server
Composed of ...
User-Specific
Differencing Disk
Base Disk Image
Lookaside Images (Base Disk)
18
Disk Reads
VMM Host
Your ComputingEnvironment
Flash Disk
Write Log
VirtualPC
Read Cache
Disk as seen by
your programs
File Server
Composed of ...
User-Specific
Differencing Disk
Base Disk Image
Lookaside Images (Base Disk)
19
Demo
20
A bit more detail

• Persistent state on flash
• Virtual machine state (optional)
• Writes logged since last merge
• Fingerprint for every 16K chunk in remote virtual
  disk
• MD5 as a fingerprinting algorithm (128 bits)
• Set of cached 16K chunks

21
Persistent, in flash
A Chunk number to Fingerprint map (for entire
disk)
FP0
FP1

FPN
B Write Log (sectors)

27
Data for sector 27
3
Data for sector 3
17
Data for sector 17

..
C Read Cache (chunks)
7
Data for chunk 7
114
Data for chunk 114
35
Data for chunk 35

..
22
Volatile, in memory
A Chunk number to Fingerprint map (for entire
disk)
FP0
FP1

FPN
C Write log hash table (sectors)
B FP to Read Cache hash table (chunks)

FP7
27
FP114
3
FP35
17

..

..
D FP to Static Disk hash table (chunks)
FP
FP
FP

..
Lookaside Image
23
Updating the Fingerprint Map

• Must compute new chunk fingerprints
• Partial chunks requires unwritten sectors

Read old chunk
New FP
Add new sectors
24
Whats actually implemented

• Write log is a differencing disk on flash
• Differencing drive chain
• Flash differencing disk ? Home differencing disk
  ? Home base disk
• Manual merging only
• No automatic updates in background
• Standard VirtualPC merge to parent
• Merge updates read cache
• Read cache is untuned

25
Potential Drawbacks

• Security of kiosk machine
• Infrastructure rollout
• Connectivity requirement
• As flash sizes grow, need for online server
  decreases
• Range of solutions possible depending on size
• Artifacts of virtualization
• Availability of pass-through devices
• Fancy graphics devices unavailable
• Ensuring that working set fits within the cache

26
Performance Bottlenecks

• Windows likes to write to disk
• Flash fills up quickly
• Differencing disk overlays gt10 of base image
• Read/write performance
• 4K Reads (sequential or random) .8 ms
• 4K Writes (sequential) 1.0 ms
• 4K Writes (random) gt 20ms !!!!

We have confirmed this by analyzing traffic at
the USB driver level. The root cause of the 20
ms latency is a mystery. Our observations are
inconsistent with NAND-memory specs.
27
Optimizations (current)

• Fast-launch defragmentation turned off
• Paging disabled
• Last-access date on files disabled
• Various services turned off
• No anti-virus / indexing

28
Optimizations (possible)

• Implement real log (for sequentiality)
• With redundant write elimination
• RAM disk for temporary files (e.g. IE)
• Keep guest-OS NTFS log on local disk
• Log writes to on-kiosk differencing disk
  periodic sync to flash
• Network read/write compression
• Virtual disk snapshots

29
Security

• Primary threats
• Bogus, tapped, or otherwise compromised kiosk
• Theft of device
• But, this is a computer

30
Trusting the Kiosk

• Non-technical considerations
• Physical security
• Site security (e.g. within a corporation)
• Physical packaging and locks (like an ATM)
• Kiosk owner must be accountable
• Technical solutions
• NGSCB / Trusted Boot / Attestation
• Small footprint (e.g. just OSVMM) helps here
• User-specific, unforgeable visual feedback
• External helper device with UI (e.g. cellphone)

31
Protecting Against Theft

• On-flash encryption, unlocks data only after
• Flash authenticates kiosk
• Flash informs user that kiosk is OK
• User gives credentials (e.g. password or
  biometric)
• Lock-out on repetitive failure
• Host-based encryption is also possible
• But gives weaker guarantees
• User can roll back to disk state on server

32
Related Projects

• Internet suspend/resume
• CMU / Intel Labs
• Virtual machine serial portability
• Supported by Coda-like distributed FS
• Flash for read optimization
• Stanford Collective project
• Portable virtual machine
• Virtual state/disk capsule hierarchy

33
Conclusions

• New model for desktop portability
• Augments range of existing techniques
• Spectrum of flash-based solutions
• Looking for ways we can help product efforts
• Havent explored business/market ramifications
• Highlights two growing market forces
  Flash and Virtualization