Abstract
Network testbeds are critical for systems research but can be
problematic due to their complex nature. Testbeds like Emulab allocate
physical computers to users for the duration of an experiment. During
an experiment, a user has nearly unfettered access to the devices under
his or her control. Thus, at the end of an experiment, an allocated
computer can be in an arbitrary state. A testbed must reclaim devices
and ensure they are properly configured for future experiments. This is
particularly important for security-related experiments: for example, a
testbed must ensure that malware cannot persist on a device from one
experiment to another.
Physical testbed nodes can be securely reconditioned in a scalable,
maintainable way by using the Trusted Platform Module (TPM) and by
adhering to a strict network boot protocol. This thesis
presents the TDLS that we have implemented for Emulab. When Emulab
allocates a PC to an experiment, the TDLS ensures that if experiment
set-up succeeds, the PC is configured to boot the operating system
specified by the user. The TDLS uses the TPM of an allocated PC to
securely communicate with Emulab's control infrastructure and attest
about the PC's configuration. The TDLS prevents state from surviving
from one experiment to another, and it prevents devices in the testbed
from impersonating one another. The TDLS addresses the challenges of
providing a scalable and flexible service, which allows large testbeds
to support a wide range of systems research. We describe these
challenges, detail our TDLS for Emulab, and present the lessons we have
learned from its construction.
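The abstract describes two properties the TDLS obtains from the TPM: the control infrastructure can check that an allocated PC booted the operating system the user asked for, and nodes cannot impersonate one another. The following simulation, added here as an illustration and not code from the Emulab project or the thesis, shows the mechanism at the level of TPM 1.2 style PCR extension and a challenge/response quote check. The boot-stage contents, image names, node names and the per-node keys are constructed; the HMAC stands in for the signature a real TPM would produce with its attestation identity key, and the verifier's "golden" measurement table is an assumed data structure, not the TDLS's own format.

```python
"""Simulated TPM PCR measurement chain and a testbed-side quote verifier.

Constructed example; it does not reproduce Emulab's TDLS protocol.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# TPM 1.2 PCRs are 20-byte SHA-1 registers, zeroed at platform reset.
PCR_RESET = b"\x00" * 20


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM extend operation: PCR_new = SHA-1(PCR_old || SHA-1(event)).

    Because each step folds the previous value in, an attacker who controls
    one boot stage cannot choose a value that makes the final PCR match a
    chain in which that stage was different.
    """
    return hashlib.sha1(pcr + hashlib.sha1(event).digest()).digest()


def measure_boot_chain(stages: Iterable[bytes]) -> bytes:
    """Replay a sequence of boot-stage measurements into a single PCR value."""
    pcr = PCR_RESET
    for stage in stages:
        pcr = pcr_extend(pcr, stage)
    return pcr


# Constructed golden boot chains: the stage contents the control server expects
# for each OS image a user may request (loader, network-boot kernel, root fs).
GOLDEN_CHAINS: Dict[str, List[bytes]] = {
    "FBSD-STD": [b"pxe-loader v1", b"mfs kernel v3", b"FBSD-STD rootfs 2011-01"],
    "UBUNTU-STD": [b"pxe-loader v1", b"mfs kernel v3", b"UBUNTU-STD rootfs 2011-01"],
}

# Constructed per-node secrets standing in for each TPM's attestation key.
NODE_KEYS: Dict[str, bytes] = {"pc101": os.urandom(32), "pc102": os.urandom(32)}


@dataclass
class Quote:
    node_id: str
    nonce: bytes
    pcr: bytes
    mac: bytes


def node_quote(node_id: str, key: bytes, nonce: bytes, boot_stages: List[bytes]) -> Quote:
    """What a node returns to the control server: its PCR value bound to the
    server's nonce and authenticated with the node's own key."""
    pcr = measure_boot_chain(boot_stages)
    mac = hmac.new(key, node_id.encode() + nonce + pcr, hashlib.sha256).digest()
    return Quote(node_id, nonce, pcr, mac)


class Verifier:
    """Control-infrastructure side: issues nonces and checks quotes."""

    def __init__(self, node_keys: Dict[str, bytes], golden: Dict[str, List[bytes]]):
        self.node_keys = node_keys
        self.golden = golden
        self.pending: Dict[str, bytes] = {}

    def challenge(self, node_id: str) -> bytes:
        """Fresh nonce per attestation so an old quote cannot be replayed."""
        nonce = os.urandom(16)
        self.pending[node_id] = nonce
        return nonce

    def verify(self, quote: Quote, requested_image: str) -> Tuple[bool, str]:
        key = self.node_keys.get(quote.node_id)
        if key is None:
            return False, "unknown node"
        nonce = self.pending.pop(quote.node_id, None)  # single use
        if nonce is None or not hmac.compare_digest(nonce, quote.nonce):
            return False, "stale or missing nonce"
        expected_mac = hmac.new(key, quote.node_id.encode() + nonce + quote.pcr,
                                hashlib.sha256).digest()
        if not hmac.compare_digest(expected_mac, quote.mac):
            return False, "bad attestation MAC"  # another node's key was used
        if not hmac.compare_digest(quote.pcr, measure_boot_chain(self.golden[requested_image])):
            return False, "PCR mismatch"  # wrong image or a modified boot stage
        return True, "ok"


if __name__ == "__main__":
    v = Verifier(NODE_KEYS, GOLDEN_CHAINS)
    n = v.challenge("pc101")
    q = node_quote("pc101", NODE_KEYS["pc101"], n, GOLDEN_CHAINS["FBSD-STD"])
    print("clean boot:", v.verify(q, "FBSD-STD"))
    n = v.challenge("pc101")
    tampered = [b"pxe-loader v1 + persistent implant"] + GOLDEN_CHAINS["FBSD-STD"][1:]
    print("tampered loader:", v.verify(node_quote("pc101", NODE_KEYS["pc101"], n, tampered), "FBSD-STD"))
```

Each failure path maps to a property from the abstract: a PCR mismatch catches state that survived from a previous experiment in a boot stage, the MAC check catches a node answering under another node's identity, and the single-use nonce stops an old, honest quote from being replayed after the node has been altered.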