User-Centric Computing. Bryan Parno (Microsoft Research), JD Douceur, Jon Howell, Jay Lorch, James Mickens

User-Centric Computing


Page 1: User-Centric Computing

User-Centric Computing

Bryan Parno

Microsoft Research

JD Douceur, Jon Howell, Jay Lorch, James Mickens

Page 2: User-Centric Computing

Goal: Free users from all administrative tasks

Approach: Remove user’s ability to perform admin tasks

Examples:                 Problems:
Install a program         Install malware
Install a driver          Install a rootkit
Configure the firewall    Create a hole in the firewall

Page 3: User-Centric Computing

Is This Acceptable?

User-Centric Computing

Page 4: User-Centric Computing

Ability/Control Mismatch

BubbleUp

Now with more bubbles!

• Full system control
• Limited expertise

• High expertise in BubbleUp
• No system control

Welcome to BubbleSoft!

Page 5: User-Centric Computing

Correct Alignment:

User:

• Can make high-level decisions
  – Do I like BubbleSoft?
  – Do I want to share this picture with my coworkers?

Vendor:

• Can reliably present an experience to the user
• Cannot be affected by other vendors’ decisions

Page 6: User-Centric Computing

Foundations of User-Centric Computing

1. Strong Isolation + Minimal TCB

2. Disaggregation

3. “Protocol”-Based Communication

Page 7: User-Centric Computing

1) Strong Isolation + Minimal TCB

[Figure labels: OS; App, App, …; Drivers, Modules; Kernel; Vendor, Vendor; Kernel, Kernel]

OS                     LoC
Windows NT 3.1         4-5 M
Windows NT 4.0         11-12 M
Windows 2000           >29 M
Windows XP             40 M
Windows Server 2003    50 M

OS                     LoC
Linux Kernel 2.6.0     5.2 M
Linux Kernel 2.6.29    11.0 M
Linux Kernel 2.6.32    12.6 M

VMM                    LoC
Xen – 2003             42 K
Xen – 2005             83 K
Xen – 2010             250 K

Page 8: User-Centric Computing

2) Disaggregation

[Figure labels: Vendor (Network, File System, Windowing); Vendor (3D Graphics, File System, Physics Lib); Ext4, NTFS, Blob Store, IPC]

Page 9: User-Centric Computing

3) “Protocol”-Based Communication

• All communication happens via network protocols

[Figure labels: Kernel; Vendor, Vendor]

Key Point: No special privileges from being co-located!

Page 10: User-Centric Computing

User-Driven Sharing

• Leverage existing delegation metaphors

• When querying user, questions should be:
  – Rare
  – Narrow in scope
  – User-meaningful

Page 11: User-Centric Computing

Conclusions

• Removing a user’s admin powers can improve security and usability

• Disaggregate and formalize communication to avoid TCB bloat

• Many questions remain, esp. regarding user-driven sharing

Thank [email protected]