Summary: The Price of Safety in an Active Network
D. Scott Alexander, Paul B. Menage, Angelos D. Keromytis,
William A. Arbaugh, Kostas G Anagnostakis, and Jonathan M. Smith
Abstract: Security is a major challenge for "Active Networking,"
as accessible programmability creates numerous opportunities for
mischief. The point at which programmability is exposed, e.g.,
through the loading and execution of code in network elements,
must therefore be carefully crafted to ensure security.
The SwitchWare active networking research project has studied
the architectural implications of various tradeoffs between perfor-
mance and security. Namespace protection and type safety were
achieved with a module loader for active networks, ALIEN, which
carefully delineated boundaries for privilege and dynamic updates.
ALIEN supports two extensions, the Secure Active Network En-
vironment (SANE), and the Resource Controlled Active Network
Environment (RCANE). SANE extends ALIEN's node protection
model into a distributed setting, and uses a secure bootstrap to
guarantee integrity of the namespace protection system. RCANE
provides resource isolation between active network node users, in-
cluding separate heaps and robust time-division multiplexing of the