Virtual Services

What are Virtual Services?

Programmers often need to specialize the behavior of software components to meet application-specific requirements. Language-based methods such as inheritance, polymorphism, and—most recently—aspects, fall short when:

  1. the programmer does not have access to source code (or knowledge of the program structure in cases where object file modification is possible),

  2. the programmer must reconfigure behavior dynamically,

  3. and the programmer does not have administrative control of the software.

These limitations constrain software construction with networked services and distributed objects. I've developed a general-purpose architecture that overcomes these limitations using virtual services. Virtual services allow you to extend, modify, and dynamically reconfigure the behavior of existing services for which you have no administrative control or source code.

Virtual services started as a research project and have evolved into very useful production software. You can modify the behavior of services and clients without altering their source code. Perhaps the most useful application of virtual services is in dynamically applying new security policies to network software in response to evolving conditions. Virtual services have been shown to enable the dynamic reconfiguration of:

  • authentication,

  • access control,

  • and secrecy/encryption;

as well as:

  • connection monitoring,

  • security breach detection,

  • adaptive response to security breaches,

  • and concurrent and dynamically mutable implementation of multiple security policies for different clients.

Additional Information

My October 2004 Java Pro column, “Adaptive Security with Virtual Services”, describes the virtual services concept at a high level, but mentions some practical examples that make its application clearer. The point of the article was to present the idea of dynamically reconfigurable software and adaptive services, not to describe virtual services specifically. In retrospect, I should have titled it differently and used the term virtual services less. But when you're already late on a submission deadline, you don't get any time to edit and revise. There's an error at the end of the print version referring to the Apache HTTPD module architecture that should have read filter architecture. Also, it includes a screenshot of the primitive reconfiguration tool currently used to inspect and reconfigure virtual services.

Release Plan

Release of Additional Components Cancelled

Plans to release the software in parts have been cancelled. The already released generic library substrates will continue to be supported, but the core application software implementing the actual virtual services and dynamic reconfiguration has evolved considerably from the research prototype (e.g., it's no longer implemented in Java) and been incorporated into proprietary systems.

Currently available VServ components

  • VServ IPQ: A Java wrapper for the Linux Netfilter libipq library. This is one of two components that will be released under the GPL because it relies on a GPL library. Virtual service containers are sufficiently decoupled from the virtual service middleware server that the loading of a packet-intercepting virtual service container using libipq is a runtime decision made by the user. Therefore, by keeping the GPL code separate I am not creating a combined work in the same way that Linux module writers do not create a combined work. It is the user at run time that creates a combined work, where the licensing gets nebulous. All I know is that the other source code I distribute will not have any dependencies on GPL'ed code and will not be in violation of the GPL. One way to resolve this issue is to write an Apache licensed library that replicates libipq functionality.

  • VServ TCP/IP: A Java API for manipulating IP and TCP packets.

  • RockSaw: A Java API for using raw sockets on Linux, Solaris, and Win32.

  • Unicorn: Swing components for interactively invoking methods on JMX MBeans, JavaBeans, and Web Services.

No longer to be released VServ components

  • VServ Net: A Java framework that takes some of the hassle out of writing network clients and servers using non-blocking I/O.

  • VServ Core: The core virtual services middleware platform and basic modules.

  • VServ Containers: An assortment of virtual service containers. The netfilter-based container will be released separately under the GPL because of its dependency on VServ IPQ.

  • VServ Modules: An assortment of virtual service modules. These will probably be released in separate functionality-specific packages such as security policies and HTTP filters.