Roaming Pervasive Personal Computing in an Internet Suspend/Resume System The Internet Suspend/Resume model of mobile computing cuts the tight binding between PC state and PC hardware. By layering a virtual machine on distributed storage, ISR lets the VM encapsulate execution and user customization state; distributed storage then transports that state across space and time. This article explores the implications of ISR for an infrastructure-based approach to mobile computing. It reports on experiences with three versions of ISR and describes work in progress toward the OpenISR version. Mahadev Satyanarayanan, ortable computers have been the shops, airport lounges, dental and med- Benjamin Gilbert, driving technology behind mobile ical offices, and other semipublic spaces Matt Toups,Niraj Tolia, P computing since the early 1990s. provide hardware for their clientele. Even Ajay Surie, David R. Today, the phrase mobile computing is the foldout tray at every seat in an air- O’Hallaron,Adam Wolbach, almost synonymous with the use of lap- plane or commuter train could be a lap- Jan Harkes,Adrian Perrig, top and handheld computers. However, top. In that world, users could travel and David J. Farber the plummeting cost of hardware sug- hands-free yet make productive use of Carnegie Mellon University gests that the pervasive computing infra- slivers of time anywhere such infrastruc- structure might some day eliminate the ture is available. This technical capabili- Michael A. Kozuch need to carry such hardware. ty could inspire new business models, and Casey J. Helfrich In this article, we describe a new centered on meeting customer demand Intel Research Pittsburgh approach to mobile computing that for trustworthy computing hardware at embraces this opportunity — specifically any time and place and on preserving PC Partho Nath with the Internet Suspend/Resume (ISR) state on servers. Pennsylvania State University system that emulates the suspend/resume Why is infrastructure-based mobile capability of laptop hardware. Rather computing attractive? There are obvious H.Andrés Lagar-Cavilla than carrying hardware, we might find advantages, such as traveling with less University of Toronto and use hardware transiently at any luggage, simplifying security screening in location. Imagine a world where coffee a post-9/11 world, and being able to get 16 Published by the IEEE Computer Society 1089-7801/07/$25.00 © 2007 IEEE IEEE INTERNET COMPUTING Internet Suspend/Resume Think Wallet, Not Swiss Army Knife he Internet Suspend/Resume (ISR) mentation. For example, you would much anything you need, when and where you T system offers a fundamentally differ- rather use a full-sized screw driver, if avail- need it. ent way of thinking about mobile comput- able, than the small, hard-to-use one in a Thus, we can view a wallet as a device ing and about the resources that we need Swiss Army knife. The same logic applies to that helps transform generic infrastructure to carry. The current design philosophy for that device’s other functions. into highly personalized services. This obser- mobile devices resembles a Swiss Army Contrast this with the different design vation leads to a different design philosophy knife approach: cram as much functionality philosophy of a wallet. Virtually every for mobile devices. Rather than cramming as possible into a single device. Unfortu- adult carries a wallet. The contents vary, direct functionality into the device, we put nately, as anyone who has used a Swiss but they typically include things like cash, indirect functionality in it. This indirect func- Army knife knows, its value as survival gear credit cards, ID cards, and so on. Far from tionality leverages the external environment is much higher than its value in everyday civilization, a wallet is useless. You might to provide direct functionality on demand. use. If you are stranded far from civilization, die of starvation or thirst in the wilder- Carrying a Trust-Sniffer device integrated the many functions of a Swiss Army knife ness even with a fat wallet; a Swiss Army with USB storage for look-aside caching (such as knife, fork, can opener, corkscrew, knife would be much more useful in those brings us close to the model of carrying a screw driver, tooth pick, and so on) can be circumstances. In the context of civiliza- wallet rather than a Swiss Army knife. Such a life saver. But each function is suboptimally tion, however, a wallet is more useful. a device could even be the size of a credit implemented relative to a full-sized imple- With cash or a credit card, you can obtain card and fit into your wallet! work done at unexpected times and locations even To attain this vision, we need to solve at least if you didn’t have the foresight to bring your lap- three difficult technical problems: top. More fundamentally, infrastructure-based mobile computing can liberate us from the rigid • Provide efficient on-demand access to a user’s design constraints of portable hardware. For a entire personal computing environment. Today, given cost and level of technology, considerations users who carry a portable computer are of weight, power, size, and ergonomics exact a assured of seeing exactly the same set of per- penalty in attributes such as processor speed, sonal files, operating system, customizations, memory size, and disk capacity. Although mobile and so on everywhere they go. Precise and elements will improve in absolute ability, they will complete recreation of this familiar context is always be resource-poor relative to static elements the key to low user distraction in any future of the same vintage. Furthermore, the dependence mobile computing model. Just providing access on a finite energy source and the need to monitor to a user’s personal files or to application cus- remaining energy is an ongoing distraction for tomizations won’t suffice. mobile users. • Ensure resilience to Internet vagaries. Today, users working with local data on portable com- Liberating Personal Computing puters are unaffected by network quality. They The world we envision will retain the user cus- aren’t impacted by unpredictable bandwidth tomization aspect of personal computing. However, and latency or by occasional failures. This computers themselves will become a ubiquitous defines the standard against which consumers resource, much like light at the flip of a switch, will judge new models of mobile computing. water from a faucet, or the air we breathe. (See the Users must perceive crisp, stable, interactive “Think Wallet, Not Swiss Army Knife” sidebar for performance even under conditions of high an extended discussion of this idea.) On demand, network latency and network congestion. The any Internet-connected computer could temporari- building blocks of modern-day user interfaces ly become your personal computer. Any machine such as scrolling, highlighting, and popup will be able to acquire a user’s unique customiza- menus all assume a tight feedback loop tion and state from a server. When a user is done, between users and their applications. Only a his or her modified state is erased from that machine thick-client solution, in which the application and returned to the server. Loss, theft, or destruc- executes close to the user, can support this tight tion of the machine will become only a minor feedback loop when network connectivity is inconvenience, not a catastrophic event. poor.1 In the extreme case of network discon- MARCH • APRIL 2007 17 Roaming Guest applications seamlessly resume on another. We have built three User parcel experimental versions of ISR (ISR-1, ISR-2, and Guest operating system (OS) ISR-3) and have gained small-scale deployment experience with ISR-3. Based on our implementa- tion and usage experience, we’re working toward a Virtual machine Virtualized new version of ISR, which we call OpenISR. e n hardware achi Virtual machine monitor m ISR Architecture t n ISR builds on two technologies that have matured Clie in the past few years. Specifically, it layers virtual Disk I/O intercept and ISR smarts ISR layer machine technology on distributed storage tech- nology. Each VM encapsulates a distinct execution Hardware and and user-customization state that we call a parcel. x86 hardware host OS or The distributed storage layer transports a parcel hypervisor across space (from suspend site to resume site) and time (from suspend instant to resume instant). End-to-end encryption Users can own multiple parcels, just as they can own multiple machines with different operating Distributed storage systems or application suites. Figure 1 shows an ISR client machine’s logi- Figure 1. Modular structure of an Internet Suspend/Resume cal structure. This structure has remained invari- (ISR) client. ant across the many different ISR versions, although the components implementing each layer have changed over time. For example, the nection, the user should still be able to contin- virtual machine monitor (VMM) was VMware5 in ue working. This challenging requirement pre- early versions of ISR but now can be VMware, cludes a range of thin-client solutions such as KVM, or Xen.6 These VMMs support a mode in Sun Ray,2 Virtual Network Computing (VNC),3 which a local disk partition holds the VM state. and AJAX-based applications4 that execute on By intercepting disk I/O references from the a remote computing server. VMM to this disk partition, the ISR layer can • Establish trust in unmanaged hardware for transparently redirect the references to distrib- transient use. Today, when users sit down to uted storage. use a computer in their office or home, they As Figure 1 shows, the ISR client software implicitly assume that their machine hasn’t encrypts data from a parcel before handing it to been tampered with and that no malware such the distributed storage layer. Neither servers nor as a keystroke logger has been installed.