|
|
@@ -95,8 +95,8 @@ The cryptographic mechanisms used to implement these protections are described i
|
|
|
% Protocol contracts.
|
|
|
One of the design goals of Blocktree is to facilitate the creation of composable distributed
|
|
|
systems.
|
|
|
-A major challenge to building such systems is the difficulty is locating the cause of bugs when they
|
|
|
-inevitably occur.
|
|
|
+A major challenge to building such systems is the difficulty is isolating bugs when they inevitably
|
|
|
+occur.
|
|
|
Research into session types (a.k.a. Behavioral Types) promises to bring the safety benefits
|
|
|
of type checking to actor communication (\cite{armstrong} chapter 9).
|
|
|
Blocktree integrates a session typing system that allows protocol contracts to be defined that
|
|
|
@@ -186,6 +186,23 @@ not every delivery.
|
|
|
This mechanism is intended for periodic tasks or delaying work to a later time,
|
|
|
not for building hard realtime systems.
|
|
|
|
|
|
+% The runtime is implemented using tokio.
|
|
|
+The actor runtime is implemented using the Rust asynchronous runtime tokio
|
|
|
+[\url{https://tokio.rs}].
|
|
|
+Actors are spawned as tasks in the tokio runtime,
|
|
|
+and multi-producer single consumer channels are used for message delivery.
|
|
|
+Because actors are just tasks,
|
|
|
+they can do anything a task can do,
|
|
|
+including awaiting other \texttt{Future}s.
|
|
|
+Because of this, there is no need for the actor runtime to support short-lived worker tasks,
|
|
|
+as any such use-case can be accomplished by awaiting a set of \texttt{Future}s.
|
|
|
+This allows the runtime to focus on providing support for services.
|
|
|
+Using tokio also means that the actor runtime has access to a high performance multi-threaded
|
|
|
+runtime with evented IO.
|
|
|
+This asynchronous programming model ensures that resources are efficiently utilized,
|
|
|
+and is ideal for a system focused on orchestrating services which may be used by many clients.
|
|
|
+
|
|
|
+\subsection{Services}
|
|
|
% Description of virtual actor system.
|
|
|
One of the challenges in building actor systems is supervising and managing actors' lifecycles.
|
|
|
This is handled in Erlang \cite{armstrong} through the use of supervision trees,
|
|
|
@@ -207,14 +224,56 @@ Services which directly use operating system resource,
|
|
|
such as those that listen on network sockets,
|
|
|
are often started immediately after registration so they're available to external clients.
|
|
|
|
|
|
+% Message routing to services.
|
|
|
+Blocktree uses services to represent a logical collection of actors which implement some kind of
|
|
|
+computational service for other actors in the system or external clients.
|
|
|
+A service is identified by a Blocktree path.
|
|
|
+Only one service implementation can be registered in a particular runtime,
|
|
|
+though this implementation may be used to spawn many actors as providers for the service,
|
|
|
+each associated with a different ID.
|
|
|
+The runtime spawns a new actor when it finds no service provider associated with the ID in
|
|
|
+message it's delivering.
|
|
|
+Some services may only have one service provider in a given runtime,
|
|
|
+as is the case for the sector and filesystem services.
|
|
|
+The \texttt{scope} and \texttt{rootward} field in a service name specify the set of runtimes to
|
|
|
+which a message may be delivered.
|
|
|
+They allow the sender to express their intended recipient,
|
|
|
+while still affording enough flexibility to the runtime to route messages as needed.
|
|
|
+If \texttt{rootward} is \texttt{false},
|
|
|
+the message is delivered to a service provider in a runtime that is directly contained in
|
|
|
+\texttt{scope}.
|
|
|
+If \texttt{rootward} is \texttt{true},
|
|
|
+the parent directories of scope are searched,
|
|
|
+working towards the root of the filesystem tree,
|
|
|
+and the message is delivered to the first provider of \texttt{service} which is found.
|
|
|
+When there are multiple service providers to which a given message could be delivered,
|
|
|
+the one to which it is actually delivered is unspecified to allow the runtime to balance load.
|
|
|
+Delivery will occur to at most one recipient,
|
|
|
+even in the case that there are multiple potential recipients.
|
|
|
+In order to contact other runtimes and deliver messages to them
|
|
|
+their network endpoints (IP addresses and UDP ports) need to be known.
|
|
|
+This is achieved by maintaining a file with a runtime's endpoint in the same directory as
|
|
|
+the runtime.
|
|
|
+The runtime is granted write permissions on the file,
|
|
|
+and it is updated by \texttt{bttp} when it begins listening on a new endpoint.
|
|
|
+The port a \texttt{bttp} server uses to listen for unicast connections is uniformly
|
|
|
+randomly selected from the set of ports in the dynamic range (49152-65535) which are unused on the
|
|
|
+server's host.
|
|
|
+Use of a random port allows many different \texttt{bttp} servers to share a single IP address
|
|
|
+and makes Blocktree more resistent to censorship.
|
|
|
+The services which are allowed to be registered in a given runtime are specified in the runtime's
|
|
|
+file.
|
|
|
+The runtime reads this list and uses it to deny service registrations for unauthorized services.
|
|
|
+The list is also read by other runtime's when they're searching for service providers.
|
|
|
+
|
|
|
% Message addressing modes.
|
|
|
Messages can be addressed to services or specific actors.
|
|
|
-When addressing to a specific actor,
|
|
|
+When addressed to a specific actor,
|
|
|
the message contains an \emph{actor name},
|
|
|
which is a pair consisting of the path of the runtime hosting the actor and the \texttt{Uuid}
|
|
|
identifying the specific actor in that runtime.
|
|
|
-When addressing a service,
|
|
|
-the message is dispatched using a \emph{service name},
|
|
|
+When addressed to a service,
|
|
|
+a message is dispatched using a \emph{service name},
|
|
|
which contains the following fields:
|
|
|
\begin{enumerate}
|
|
|
\item \texttt{service}: The path identifying the receiving service.
|
|
|
@@ -239,22 +298,23 @@ The reply contains the name of the file actor spawned by the filesystem service
|
|
|
file.
|
|
|
Messages are then dispatched to the file actor using its actor name to read and write to the file.
|
|
|
|
|
|
-% The runtime is implemented using tokio.
|
|
|
-The actor runtime is implemented using the Rust asynchronous runtime tokio
|
|
|
-[\url{https://tokio.rs}].
|
|
|
-Actors are spawned as tasks in the tokio runtime,
|
|
|
-and multi-producer single consumer channels are used for message delivery.
|
|
|
-Because actors are just tasks,
|
|
|
-they can do anything a task can do,
|
|
|
-including awaiting other \texttt{Future}s.
|
|
|
-Because of this, there is no need for the actor runtime to support short-lived worker tasks,
|
|
|
-as any such use-case can be accomplished by awaiting a set of \texttt{Future}s.
|
|
|
-This allows the runtime to focus on providing support for services.
|
|
|
-Using tokio also means that the actor runtime has access to a high performance multi-threaded
|
|
|
-runtime with evented IO.
|
|
|
-This asynchronous programming model ensures that resources are efficiently utilized,
|
|
|
-and is ideal for a system focused on orchestrating services which may be used by many clients.
|
|
|
+% The sector and filesystem service.
|
|
|
+The filesystem is itself implemented as a service.
|
|
|
+A filesystem service provider can be passed messages to delete files, list directory contents,
|
|
|
+open files, or perform other standard filesystem operations.
|
|
|
+When a file is opened,
|
|
|
+a new actor is spawned which owns the newly created file handle and its name is returned to the
|
|
|
+caller in a reply.
|
|
|
+Subsequent read and write messages are sent to this actor.
|
|
|
+The filesystem service does not persist any data itself,
|
|
|
+its job is to function as an integration layer,
|
|
|
+conglomerating sector data from many different sources into a single unified interface.
|
|
|
+The sector service is what is ultimately responsible for storing data
|
|
|
+and maintaining the persistent state of the system.
|
|
|
+It stores sector data in the local filesystem of each computer on which it's registered.
|
|
|
+The details of how this is accomplished are described in the next section.
|
|
|
|
|
|
+\subsection{Transporting Messages}
|
|
|
% Delivering messages over the network.
|
|
|
Messages can be forwarded between actor runtimes using a secure transport called \texttt{bttp}.
|
|
|
This transport is implemented using the QUIC protocol \cite{quic}, which integrates TLS for
|
|
|
@@ -290,6 +350,7 @@ This is possible thanks to the Rust ownership system,
|
|
|
because the message sender gives ownership to the runtime when it dispatches the message,
|
|
|
and the runtime gives ownership to the recipient when it delivers it.
|
|
|
|
|
|
+\subsection{Communication Security Model}
|
|
|
% Security model based on filesystem permissions.
|
|
|
A runtime is represented in the filesystem as a file.
|
|
|
Among other things,
|
|
|
@@ -318,6 +379,7 @@ security requirements into different operating system processes,
|
|
|
which ensures all of the process isolation machinery in the operating system will be used to
|
|
|
isolate them.
|
|
|
|
|
|
+\subsection{Actor Ownership}
|
|
|
% Representing resources as actors.
|
|
|
As in other actor systems, it is convenient to represent resources in Blocktree using actors.
|
|
|
This allows the same security model used to control communication between actors to be used for
|
|
|
@@ -353,64 +415,30 @@ so distributed resources can be managed by owning actors in many different runti
|
|
|
In this case the connection to the remote runtime serves as a proxy for the remote owner,
|
|
|
so the owned actors will be ordered to return if this connection dies or the remote owner dies.
|
|
|
|
|
|
-% Message routing to services.
|
|
|
-Blocktree uses services to represent a logical collection of actors which implement some kind of
|
|
|
-service for other actors in the system or external clients.
|
|
|
-A service is identified by a Blocktree path.
|
|
|
-Only one service implementation can be registered in a particular runtime,
|
|
|
-though this implementation may be used to spawn many actors as providers for the service,
|
|
|
-each associated with a different ID.
|
|
|
-The runtime spawns a new actor when it finds no service provider associated with the ID in
|
|
|
-message it's delivering.
|
|
|
-Some services may only have one service provider in a given runtime,
|
|
|
-as is the case for the sector and filesystem services.
|
|
|
-The \texttt{scope} and \texttt{rootward} field in a service name specify the set of runtimes to
|
|
|
-which a message may be delivered.
|
|
|
-They allow the sender to express their intended recipient,
|
|
|
-while still affording enough flexibility to the runtime to route messages as needed.
|
|
|
-If \texttt{rootward} is \texttt{false},
|
|
|
-the message is delivered to a service provider in a runtime that is directly contained in
|
|
|
-\texttt{scope}.
|
|
|
-If \texttt{rootward} is \texttt{true},
|
|
|
-the parent directories of scope are searched,
|
|
|
-working towards the root of the filesystem tree,
|
|
|
-and the message is delivered to the first provider of \texttt{service} which is found.
|
|
|
-When there are multiple service providers to which a given message could be delivered,
|
|
|
-the one to which it is actually delivered is unspecified to allow the runtime to balance load.
|
|
|
-Delivery will occur to at most one recipient,
|
|
|
-even in the case that there are multiple potential recipients.
|
|
|
-In order to contact other runtimes and deliver messages to them
|
|
|
-their network endpoints (IP addresses and UDP ports) need to be known.
|
|
|
-This is achieved by maintaining a file with a runtime's endpoint in the same directory as
|
|
|
-the runtime.
|
|
|
-The runtime is granted write permissions on the file,
|
|
|
-and it is updated by \texttt{bttp} when it begins listening on a new endpoint.
|
|
|
-The port a \texttt{bttp} server uses to listen for unicast connections is uniformly
|
|
|
-randomly selected from the set of ports in the dynamic range (49152-65535) which are unused on the
|
|
|
-server's host.
|
|
|
-Use of a random port allows many different \texttt{bttp} servers to share a single IP address
|
|
|
-and makes Blocktree more resistent to censorship.
|
|
|
-The services which are allowed to be registered in a given runtime are specified in the runtime's
|
|
|
-file.
|
|
|
-The runtime reads this list and uses it to deny service registrations for unauthorized services.
|
|
|
-The list is also read by other runtime's when they're searching for service providers.
|
|
|
-
|
|
|
-% The sector and filesystem service.
|
|
|
-The filesystem is itself implemented as a service.
|
|
|
-A filesystem service provider can be passed messages to delete files, list directory contents,
|
|
|
-open files, or perform other standard filesystem operations.
|
|
|
-When a file is opened,
|
|
|
-a new actor is spawned which owns the newly created file handle and its name is returned to the
|
|
|
-caller in a reply.
|
|
|
-Subsequent read and write messages are sent to this actor.
|
|
|
-The filesystem service does not persist any data itself,
|
|
|
-its job is to function as an integration layer,
|
|
|
-conglomerating sector data from many different sources into a single unified interface.
|
|
|
-The sector service is what is ultimately responsible for storing data
|
|
|
-and maintaining the persistent state of the system.
|
|
|
-It stores sector data in the local filesystem of each computer on which it's registered.
|
|
|
-The details of how this is accomplished are described in the next section.
|
|
|
+% Running containers using actors.
|
|
|
+While the actor runtime can be a convenient way of implementing new systems,
|
|
|
+a backwards compatibility mechanism is needed to allow existing systems to operate in the context
|
|
|
+of Blocktree.
|
|
|
+Containers have become the standard unit of deployment for modern applications,
|
|
|
+which makes them both useful and straight-forward to support in Blocktree.
|
|
|
+To execute a container in the actor runtime,
|
|
|
+it must be owned by a supervising actor.
|
|
|
+This actor is responsible for starting the container and managing the container's kernel resources.
|
|
|
+Logically, it owns all such resources, including all spawned operating system processes.
|
|
|
+When the actor halts,
|
|
|
+all of these resources are destroyed.
|
|
|
+All network communication to the container is controlled by the supervising actor.
|
|
|
+The supervisor can be configured to bind container ports to host ports,
|
|
|
+as is commonly done today,
|
|
|
+but it can also be used to encapsulate traffic to and from the container in Blocktree messages.
|
|
|
+These messages are routed to other actors based on the configuration of the supervisor.
|
|
|
+This essentially creates a VPN for containers,
|
|
|
+ensuring that regardless of how insecure their communication is,
|
|
|
+they will be safe to communicate over any network.
|
|
|
+This network encapsulation system could be used in other actors as well,
|
|
|
+allowing a lightweight and secure VPN system to built.
|
|
|
|
|
|
+\subsection{Runtime Discovery Over the Network}
|
|
|
% Runtime queries.
|
|
|
While it's possible to resolve runtime paths to network endpoints when the filesystem is available,
|
|
|
another mechanism is needed to allow the filesystem service providers to be discovered.
|
|
|
@@ -520,6 +548,7 @@ an answering runtime should check that that the execute permission is granted on
|
|
|
that it's responsible for storing.
|
|
|
If all these checks pass, it should forward the querier to the next runtime as usual.
|
|
|
|
|
|
+\subsection{Protocol Contracts}
|
|
|
% Overview of protocol contracts and runtime checking of protocol adherence.
|
|
|
To facilitate the creation of composable systems,
|
|
|
a protocol contract checking system based on session types has been designed.
|
|
|
@@ -623,10 +652,11 @@ we allow for many different interoperable implementations to be created.
|
|
|
We can also isolate bugs in these implementations because unexpected or malformed messages are
|
|
|
checked for by the generated code.
|
|
|
|
|
|
+\subsection{Future Work}
|
|
|
% Implementing actors in languages other than Rust.
|
|
|
-Today the actor runtime only supports actors implemented in Rust.
|
|
|
-A WebAssembly (Wasm) plugin system is planned to allow actors to be implemented in any language which can compile to
|
|
|
-Wasm.
|
|
|
+Currently, the actor runtime only supports actors implemented in Rust.
|
|
|
+A WebAssembly (Wasm) plugin system is planned which allows actors to be implemented in any language
|
|
|
+which can be compiled to Wasm.
|
|
|
This work is blocked pending the standardization of the WebAssembly Component Model,
|
|
|
which promises to provide an interface definition language which will allow type safe actors to be
|
|
|
defined in many different languages.
|
|
|
@@ -634,38 +664,15 @@ Once Wasm support is added,
|
|
|
it will make sense to use the filesystem to distribute compiled actor modules,
|
|
|
as the strong integrity protection it provides make it an ideal way to securely distribute software.
|
|
|
|
|
|
-% Running containers using actors.
|
|
|
-While the actor runtime can be a convenient way of implementing new systems,
|
|
|
-a backwards compatibility mechanism is needed to allow existing systems to operate in the context
|
|
|
-of Blocktree.
|
|
|
-Containers have become the standard unit of deployment for modern applications,
|
|
|
-which makes them both useful and straight-forward to support in Blocktree.
|
|
|
-To execute a container in the actor runtime,
|
|
|
-it must be owned by a supervising actor.
|
|
|
-This actor is responsible for starting the container and managing the container's kernel resources.
|
|
|
-Logically, it owns all such resources, including all spawned operating system processes.
|
|
|
-When the actor halts,
|
|
|
-all of these resources are destroyed.
|
|
|
-All network communication to the container is controlled by the supervising actor.
|
|
|
-The supervisor can be configured to bind container ports to host ports,
|
|
|
-as is commonly done today,
|
|
|
-but it can also be used to encapsulate traffic to and from the container in Blocktree messages.
|
|
|
-These messages are routed to other actors based on the configuration of the supervisor.
|
|
|
-This essentially creates a VPN for containers,
|
|
|
-ensuring that regardless of how well secured their communication is,
|
|
|
-they will be safe to communicate over any network.
|
|
|
-This network encapsulation system could be used in other actors as well,
|
|
|
-allowing a lightweight and secure VPN system to built.
|
|
|
-
|
|
|
% Web GUI used for managing the system.
|
|
|
Any computer system of even moderate complexity needs an interface for viewing and controlling the
|
|
|
state of the system.
|
|
|
The modern cross-platform way to accomplish this is by creating a web GUI.
|
|
|
-Blocktree includes a service called \texttt{btconsole} which provides such an interface.
|
|
|
-It can be used to view and modify the filesystem, modify runtime attributes,
|
|
|
+Blocktree will include a service called \texttt{btconsole} which provides such an interface.
|
|
|
+It will be used to view and modify the filesystem, modify runtime attributes,
|
|
|
and even register new services.
|
|
|
The aim is to provide an interface which makes complicated network management tasks simple,
|
|
|
-and make networks more secure by providing a single pane of glass showing their configuration.
|
|
|
+and make networks more secure by providing a single pane of glass which shows their configuration.
|
|
|
|
|
|
|
|
|
\section{Filesystem}
|
|
|
@@ -687,6 +694,7 @@ the cost of providing these protections is amortized over the size of the sector
|
|
|
Thus there is tradeoff between latency and throughput when selecting the sector size:
|
|
|
a smaller size means less latency but a larger one enables more throughput.
|
|
|
|
|
|
+\subsection{The Sector Service}
|
|
|
% Types of sectors: metadata, integrity, and data.
|
|
|
A file has a single metadata sector, a Merkle sector, and zero or more data sectors.
|
|
|
The sector size of a file can be specified when it's created,
|
|
|
@@ -734,7 +742,7 @@ When a sector is updated,
|
|
|
a new local file is created with a different name containing the new contents.
|
|
|
Rather than deleting the old sector file,
|
|
|
it is overwritten by the creation of a hardlink to the new file,
|
|
|
-and the name that used to create the new file is unlinked.
|
|
|
+and the name that was used to create the new file is unlinked.
|
|
|
This method ensures that the sector file is updated in one atomic operation.
|
|
|
The sector service also uses the local filesystem to persist the replicated log it uses for Raft.
|
|
|
This file serves as a journal of sector operations.
|
|
|
@@ -761,7 +769,8 @@ Communication with the sector service is done by passing it messages of type \te
|
|
|
}
|
|
|
\end{verbatim}
|
|
|
Here \texttt{FileMeta} is the type used to store metadata for files.
|
|
|
-Note that updated metadata is required to be sent when a sector's contents are modified.
|
|
|
+Note that updated metadata is required to be sent when a sector's contents are modified, because it
|
|
|
+contains updated integrity information.
|
|
|
|
|
|
% Scaling horizontally: using Raft to create consensus cluster. Additional replication methods.
|
|
|
A generation of sector service providers uses the Raft protocol to synchronize the state of the
|
|
|
@@ -809,7 +818,7 @@ The process it uses to do this involves several steps:
|
|
|
The write message is considered valid if and only if there is a match.
|
|
|
\end{enumerate}
|
|
|
This same logic is used by file actors to verify the data they read from the sector service,
|
|
|
-except they don't modify the Merkle tree,
|
|
|
+except they don't modify the Merkle tree during verification,
|
|
|
they just compare computed hashes to those contained in the nodes on the path from the sector's leaf
|
|
|
node to the root.
|
|
|
Only once a write message is validated is it shared with the sector service provider's peers in
|
|
|
@@ -821,6 +830,7 @@ To prevent this, a sector service provider checks a file's metadata to verify th
|
|
|
principal actually has a readcap (to be defined in the next section) for the file.
|
|
|
This ensures that only principals that are authorized to read a file can access its sectors.
|
|
|
|
|
|
+\subsection{The Filesystem Service}
|
|
|
% File actors are responsible for cryptographic operations. Client-side encryption.
|
|
|
The sector service is relied upon by the filesystem service to read and write sectors.
|
|
|
Filesystem service providers communicate with the sector service to open files and perform
|
|
|
@@ -876,6 +886,7 @@ The file actor is configured when it is spawned to allow read only, write only,
|
|
|
access to a file,
|
|
|
depending on what type of access was requested by the actor opening the file.
|
|
|
|
|
|
+\subsection{Filesystem Event Publishing}
|
|
|
% Streaming replication.
|
|
|
Often when building distributed systems it's convenient to publish information about events to any
|
|
|
interested party.
|
|
|
@@ -890,7 +901,7 @@ a simple notification system can be built.
|
|
|
Because the contents of a directory may be distributed over many different generations,
|
|
|
this system does not support the recursive monitoring of directories.
|
|
|
Although this system lacks the power of \texttt{inotify} in the Linux kernel,
|
|
|
-it does provides some of its benefits without incurring much or a performance overhead
|
|
|
+it does provides some of its benefits without incurring much of a performance overhead
|
|
|
or implementation complexity.
|
|
|
For example, this system can be used to implement streaming replication.
|
|
|
This is done by subscribing to writes on all the files that are to be replicated,
|
|
|
@@ -898,17 +909,7 @@ then reading new sectors as soon as notifications are received.
|
|
|
These sectors can then be written into replica files in a different directory.
|
|
|
This ensures that the contents of the replicas will be updated in near real-time.
|
|
|
|
|
|
-% Peer-to-peer distribution of sector data.
|
|
|
-Because of the strong integrity protection afforded to sectors,
|
|
|
-it is possible for peer-to-peer distribution of sector data to be done securely.
|
|
|
-Implementing this mechanism is planned as a future enhancement to the system.
|
|
|
-The idea is to base the design on bit torrent,
|
|
|
-where the generation responsible for a file acts as a tracker for that file,
|
|
|
-and the file actors accessing it communicate with one another directly using the information
|
|
|
-provided by the sector service.
|
|
|
-This could allow the system to scale elastically to a much larger number of concurrent reads by
|
|
|
-reducing the load on the sector service.
|
|
|
-
|
|
|
+\subsection{External Access to the Filesystem}
|
|
|
% The FUSE daemon.
|
|
|
Being able to access the filesystem from actors allows a programmer to implement new applications
|
|
|
using Blocktree,
|
|
|
@@ -928,12 +929,25 @@ This would reduce the overhead associated with context switching back and forth
|
|
|
to kernel space,
|
|
|
increasing the performance of the system.
|
|
|
|
|
|
+\subsection{Future Work}
|
|
|
+% Peer-to-peer distribution of sector data.
|
|
|
+Because of the strong integrity protection afforded to sectors,
|
|
|
+it is possible for peer-to-peer distribution of sector data to be done securely.
|
|
|
+Implementing this mechanism is planned as a future enhancement to the system.
|
|
|
+The idea is to base the design on bit torrent,
|
|
|
+where the generation responsible for a file acts as a tracker for that file,
|
|
|
+and the file actors accessing it communicate with one another directly using the information
|
|
|
+provided by the sector service.
|
|
|
+This could allow the system to scale elastically to a much larger number of concurrent reads by
|
|
|
+reducing the load on the sector service.
|
|
|
+
|
|
|
|
|
|
\section{Cryptography}
|
|
|
This section describes the cryptographic mechanisms used to integrity and confidentiality protect
|
|
|
files as well as procedures for obtaining credentials.
|
|
|
These mechanisms are based on well-established cryptographic constructions.
|
|
|
|
|
|
+\subsection{Integrity Protection}
|
|
|
% Integrity protection.
|
|
|
A file is integrity protected by a digital signature over its metadata.
|
|
|
The metadata contains an integrity field which contains the root node of the Merkle tree over
|
|
|
@@ -948,7 +962,7 @@ A file's metadata also contains a certificate chain,
|
|
|
and this chain is used to authenticate the signature over the metadata.
|
|
|
In Blocktree, the certificate chain is referred to as a \emph{writecap}
|
|
|
because it grants the capability to write to files.
|
|
|
-This term comes from the Tahoe Least-Authority Filesystem \cite{tahoe}.
|
|
|
+This term comes from Tahoe: The Least-Authority Filesystem \cite{tahoe}.
|
|
|
The certificates in a valid writecap are ordered by their paths,
|
|
|
the initial certificate contains the longest path,
|
|
|
the path in each subsequent certificate must be a prefix of the one preceding it,
|
|
|
@@ -961,6 +975,7 @@ By including all the information necessary to verify the integrity of a file in
|
|
|
it is possible for a requestor who only knows the path of a file to verify that the contents of the
|
|
|
file are authentic.
|
|
|
|
|
|
+\subsection{Confidentiality Protection}
|
|
|
% Confidentiality protecting files with readcaps. Single pubkey operation to read a dir tree.
|
|
|
Confidentiality protection of files is optional but when it is enabled,
|
|
|
a file's sectors are individually encrypted using a symmetric cipher.
|
|
|
@@ -1014,6 +1029,7 @@ By forcing the user to create a new file,
|
|
|
they are forced to re-encrypt the data using a fresh key and IV,
|
|
|
which cannot be known to the principal whose readcap was revoked.
|
|
|
|
|
|
+\subsection{Obfuscation of Sector Files in the Local Filesystem}
|
|
|
% Obfuscating sector files stored in the local filesystem.
|
|
|
From an attacker's perspective,
|
|
|
not every file in a domain is equally interesting.
|
|
|
@@ -1032,6 +1048,7 @@ This simple method makes it more difficult for an attacker to identify the files
|
|
|
to
|
|
|
while still allowing the sector service efficient access.
|
|
|
|
|
|
+\subsection{Credential Storage and Provisioning}
|
|
|
% Credential stores.
|
|
|
Processes need a way to securely store their credentials.
|
|
|
They accomplish this by using a credential store,
|
|
|
@@ -1134,6 +1151,7 @@ The first runtime is configured to host the sector and filesystem services,
|
|
|
so that subsequent runtimes will have access to the filesystem.
|
|
|
After that, additional runtimes on the same LAN can be provisioned using the automatic process.
|
|
|
|
|
|
+\subsection{Access Control Examples}
|
|
|
% Setting up user based access control.
|
|
|
Up till now the focus has been on authentication and authorization of processes,
|
|
|
but it bears discussing how user based access control can be accomplished with Blocktree.
|
|
|
@@ -1162,7 +1180,7 @@ Note that this setup does require all of the user's runtimes to be able to commu
|
|
|
runtime whose principal was issued the readcap.
|
|
|
|
|
|
% Example of how these mechanisms allow data to be shared.
|
|
|
-To illustrate how these mechanisms can be used to facilitate collaboration between enterprises,
|
|
|
+To illustrate how Blocktree can be used to enable collaboration between enterprises,
|
|
|
consider a situation where two companies wish to partner on the development of a product.
|
|
|
To facilitate their collaboration,
|
|
|
they want to have a way to securely share data.
|
|
|
@@ -1188,7 +1206,7 @@ directory, by monitoring a directory for changes,
|
|
|
it's possible to begin monitoring files as soon as they're created.
|
|
|
|
|
|
|
|
|
-\section{Examples}
|
|
|
+\section{Example Systems}
|
|
|
This section contains examples of systems that could be built using Blocktree.
|
|
|
The hope is to illustrate how this platform can be used to implement existing applications more
|
|
|
easily and to make it possible to implement systems which are currently out of reach.
|
|
|
@@ -1465,7 +1483,7 @@ each of which is stored in its own directory.
|
|
|
A single top-level directory represents the entire planet,
|
|
|
and contains a manifest describing it.
|
|
|
This manifest specifies the planet's name, its radius, its rotational period,
|
|
|
-the size of its regions in MB, as well as any
|
|
|
+the size limit of its regions in MB, as well as any
|
|
|
other global attributes.
|
|
|
This top-level directory also contains the texture for the sky box to render the view of
|
|
|
space from the planet.
|
|
|
@@ -1478,7 +1496,7 @@ centerline parallel to the $\phi$ axis, and the one parallel to the $\lambda$ ax
|
|
|
In other words, it is divided in half north to south and east to west.
|
|
|
The four new regions are stored in four subdirectories of the original region's directory
|
|
|
named SE, SW, NE, and NW, depending on their location relative to the original region.
|
|
|
-The data in the old region is then moved into the appropriate directory.
|
|
|
+The data in the old region is then moved into the appropriate directories.
|
|
|
The directory tree of a planet essentially forms a quadtree,
|
|
|
albeit one which is built up progressively.
|
|
|
|
|
|
@@ -1500,8 +1518,8 @@ This is allowed in a controlled way by defining plot objects.
|
|
|
A plot is like a symbolic link,
|
|
|
it points to a file whose contents contain the data used to render the plot.
|
|
|
This mechanisms allows the owner of the planet to delegate a specific area on its surface
|
|
|
-to another player by creating a plot defining that area and pointing it to a file owned by that
|
|
|
-player.
|
|
|
+to another player by creating a plot defining that area and pointing it to a file owned by the
|
|
|
+other player.
|
|
|
The other player can then write meshes, textures, and shaders into this file to describe the
|
|
|
contents of the plot.
|
|
|
If the other player wishes to collaborate with others on the construction,
|
|
|
@@ -1522,7 +1540,7 @@ the planet's surface.
|
|
|
|
|
|
% Sharding planet data.
|
|
|
By dividing the planet's data into different leaf directories,
|
|
|
-it becomes possible to provision computers running the sector and filesystem services ie each of
|
|
|
+it becomes possible to provision computers running the sector and filesystem services in each of
|
|
|
them.
|
|
|
This divides the storage and bandwidth requirements for serving the planet over this set of
|
|
|
servers.
|
|
|
@@ -1532,14 +1550,14 @@ Game clients address their messages using the directory of the region their play
|
|
|
in, and set \texttt{rootward} to true.
|
|
|
These messages are delivered to the closest game server to the region the player is in,
|
|
|
which may be located in the region's directory or higher up the tree.
|
|
|
-When a player approaches the board of a region,
|
|
|
+When a player approaches the border of a region,
|
|
|
its game client begins dispatching messages to the adjacent directories as well.
|
|
|
|
|
|
|
|
|
\section{Conclusion}
|
|
|
% Blocktree serves as the basis for building distributed Unix.
|
|
|
There have been many attempts to create a distributed Unix over the years.
|
|
|
-Time has shown that this is a very hard problem,
|
|
|
+Time has shown that this is a difficult problem,
|
|
|
but time has not diminished its importance.
|
|
|
IT systems are more complex now than ever,
|
|
|
with many layers of abstraction that have built up over time.
|
Matthew Carr