Abstract:

A taxonomy divides things—generally dead things—into categories, suppressing individual differences in favor of an illusory mental architecture. I'll try to do that with the research and software development projects with which I've been involved, which range from network software with hundreds of thousands of active deployments to Github projects with one star. Some overarching questions: Is making software more readable a useful research goal? How much should researchers program? When should you pivot away from a successful project? The answers may surprise me.

Abstract:

The sophistication of malicious adversaries is increasing every day and most defenses are often easily overcome by such attackers. Many existing defensive mechanisms often make differing assumptions about the underlying systems and use varied architectures to implement their solutions. This often leads to fragmentation among solutions and could even open up additional vulnerabilities in the system.

We present the DragonBeam Framework that enables system designers to implement their own monitoring methods and analyses engines to detect intrusions in modern operating systems. It is built upon a novel hardware/software mechanism. Depending on the type of monitoring that is implemented using this framework, the impact on the monitored system is very low. This is demonstrated by the use cases presented in this paper that also showcase how the DragonBeam framework can be used to detect different types of attack.

Abstract:

Utility computing is being gradually realized as exemplified by cloud computing. Outsourcing computing and storage to global-scale cloud providers benefits from high accessibility, flexibility, scalability, and cost-effectiveness. However, users are uneasy outsourcing the storage of sensitive data due to security concerns. We address this problem by presenting SeMiNAS---an efficient middleware system that allows files to be securely outsourced to providers and shared among geo-distributed offices. SeMiNAS achieves end-to-end data integrity and confidentiality with a highly efficient authenticated-encryption scheme. SeMiNAS leverages advanced NFSv4 features, including compound procedures and data-integrity extensions, to minimize extra network round trips caused by security meta-data. SeMiNAS also caches remote files locally to reduce accesses to providers over WANs. We designed, implemented, and evaluated SeMiNAS, which demonstrates a small performance penalty of less than 26% and an occasional performance boost of up to 19% in Filebench workloads.

Abstract:

The success of new technologies depends on whether proper usage models can be found to support them. In this paper we present such a model for Intel's Software Guard Extensions (SGX) – the leveraging of the technology to provide copy protection to software. We describe the system that we architected, designed and implemented, which transforms, in a fully automated manner, off-the-shelve applications into secured versions that run on top of the enclaves. Our system can be delivered as stand-alone, but also as a layer in existing software copy protection stacks.

Abstract:

In recent years, the adoption of NAND flash in enterprise storage systems has been progressing rapidly. Todays all-flash storage arrays exhibit excellent I/O throughput, latency, storage density, and energy efficiency. However, the advancements in NAND technology are driven mostly by the consumer market, which makes NAND flash manufacturers focus primarily on reducing cost ($/GiB) and increasing the storage density by technology node scaling, by increasing the number of bits stored per cell, and by stacking cells vertically (3D-NAND). This comes at the cost of reduced endurance of the raw NAND flash, larger variations across blocks, and longer latencies, especially with extremely high error rates (due to the use of read-retry operations).

In this paper, we present Health Binning, a technique that facilitates bringing low-cost consumer-level flash to the quality required for enterprise-level storage systems. Health Binning determines the wear characteristics of each block in the background and uses this information in the data-placement process to map hotter data to healthier blocks and colder data to less healthy blocks.

Health Binning significantly improves the endurance and performance of the storage system: It actively narrows the block wear distribution and moves endurance from being dictated by the worst blocks towards to a value corresponding to the average endurance of all blocks, resulting in up to 80% enhanced endurance compared with other wear-leveling schemes. At the same time, the probability of reads with high RBER is reduced, thereby decreasing the number of read-retry operations throughout the device lifetime.

Abstract:

Flash-based solid-state drives (SSDs) are getting popular to be deployed as the second-level cache in storage systems because of the noticeable performance acceleration and transparency for the original software. However, the frequent data updates of existing cache replacement algorithms (e.g. LRU, LIRS, and LARC) causes too many writes on SSDs, leading to short lifetime and high costs of devices. SSD-oriented cache schemes with less SSD writes have fixed strategies of selecting cache blocks, so we cannot freely choose a suitable cache algorithm to adapt to application features for higher performance. Therefore, a universal SSD lifetime extension plug-in called Elastic Queue (EQ), which can cooperate with any cache algorithm to extend the lifetime of SSDs, is proposed in this paper. EQ reduces the data updating frequency by extending the eviction border of cache blocks elastically, making SSD devices serve much longer. The experimental results based on some real-world traces indicate that for the original LRU, LIRS, and LARC schemes, adding the EQ plug-in reduces their SSD write amounts by 39.03 times, and improves the cache hit rates by 17.30% on average at the same time.

Abstract:

Storage systems are designed to never lose data. However, modern applications increasingly use local storage to improve performance by storing soft state such as cached, prefetched or precomputed results. Required is elastic storage, where cloud providers can alter the storage footprint of applications by removing and regenerating soft state based on resource availability and access patterns. We propose a new abstraction called a motif that enables storage elasticity by allowing applications to describe how soft state can be regenerated. Carillon is a system that uses motifs to dynamically change the storage space used by applications. Carillon is implemented as a runtime and a collection of shim layers that interpose between applications and specific storage APIs; we describe shims for a filesystem (Carillon-FS) and a key-value store (Carillon-KV). We show that Carillon-FS allows us to dynamically alter the storage footprint of a VM, while Carillon-KV enables a graph database that accelerates performance based on available storage space.

Abstract:

Despite the growing popularity of Solid State Disks (SSDs) in the datacenter, little is known about their reliability characteristics in the field. The little knowledge is mainly vendor supplied, and such information cannot really help understand how SSD failures can manifest and impact the operation of production systems, in order to take appropriate remedial measures. Besides actual failure data and the symptoms exhibited by SSDs before failing, a detailed characterization effort requires wide set of data about factors influencing SSD failures, right from provisioning factors to the operational ones. This paper presents an extensive SSD failure characterization by analyzing a wide spectrum of data from over half a million SSDs that span multiple generations spread across several datacenters which host a wide spectrum of workloads over nearly 3 years. By studying the diverse set of design, provisioning and operational factors on failures, and their symptoms, our work provides the first comprehensive analysis of the what, when and why characteristics of SSD failures in production datacenters.

Abstract:

Current data-center applications tend to process increasingly large volume of data sets. The caching effect of page cache is reduced by its limited capacity. Emerging flash-based solid state drives (SSD) have latency and price advantages compared to hard disk and DRAM. Thus, SSD-based caching is widely deployed in data centers. However, SSD caching faces two challenges. First, SSD has limited write endurance, which requires cache manager to reduce write amount to SSD. Second, data-center workloads exhibit a diverse I/O access patterns, which requires one to figure out SSD caching friendly access patterns. This paper first classifies 6 I/O access patterns among 32 data-center workloads using a cost-benefit analysis. We derive implications for designing SSD cache from analyzing the access patterns. We then propose an SSD cache manager S-RAC with re-adding blocks and ghost cache adaptation to retain SSD friendly blocks in SSD. The experimental evaluation shows the efficiency of S-RAC in reducing SSD write amount while improving/maintaining cache hit ratio.

Abstract:

Abstract: Online infrastructure depends on many security-critical authorities such as logging, time, directory, and software update services. These authorities represent high-value attack targets to hackers, criminals, and spy agencies, who can secretly compromise many hosts by stealing keys from or coercing only one such "weakest-link" authority. We claim there is an urgent need to develop systems that mitigate these weaknesses by decentralizing authorities into scalable, diverse, "strongest-link" collective authorities, which we term "cothorities." A cothority efficiently splits trust among tens, hundreds, or thousands of independent parties, collectively enforcing agreed-upon policies, and remaining globally secure unless many compromised participants collude.

As a first step in this long-term program we introduce CoSi, a cothority architecture for decentralized witness cosigning, which increases the transparency and security of traditional centralized authorities while remaining backward-compatible with and incrementally deployable alongside their existing logic. By increasing the scalability of existing multisignature techniques, CoSi efficiently ensures that every authoritative statement is validated and publicly logged by a diverse group of witnesses before any client will accept it, forcing secrecy-minded attackers to risk that any compromise will be detected quickly. As a second step, we adapt CoSi's collective signing techniques to create ByzCoin, a blockchain architecture that enhances Bitcoin with strong consistency, Byzantine fault tolerance, higher throughput, and lower transaction latencies. CoSi and ByzCoin have been demonstrated to scale efficiently to support over 8,000 globally-distributed participants, while keeping collective signing and transaction latencies to within a few seconds.

Bio:

Prof. Bryan Ford leads the Decentralized/Distributed Systems (DEDIS) research group at the Swiss Federal Institute of Technology in Lausanne (EPFL). Ford focuses broadly on building secure decentralized systems, touching on topics including private and anonymous communication, scalable decentralization, Internet architecture, and operating systems. Ford earned his B.S. at the University of Utah and his Ph.D. at MIT, then joined the faculty of Yale University where his work received the Jay Lepreau Best Paper Award and grants from NSF, DARPA, and ONR, including the NSF CAREER award. His continuing work receives support from EPFL and the AXA Research Fund.

Abstract:

Synchronous replication is critical for today's enterprise IT organization. It is mandatory by regulation in several countries for some types of organizations, including banks and insurance companies.

The technology have been available for a long period of time, but due to speed of light and maximal latency limitations, it is usually limited to a distance of 50 miles. Flight data recorders, also known as black boxes, have long been used to record the last actions which happened in airplanes at times of disasters. We present an integration between an Enterprise Data Recorder and an asynchronous replication mechanism, which allows breaking the functional limits that light speed imposes on synchronous replication.

Abstract:

We present SPCN, a framework that further extends the benefits of having distributed partially rollbackable (closed- nested) transactions by exploiting their parallel activation. SPCN provides support for executing each closed-nested transaction in parallel with others belonging to the same parent transaction. Their commit sequence is equivalent to the serial commit execution, but parallelism is leveraged to improve performance by reducing the amount of serial network communication. As we show in our evaluation study using 20 nodes on Amazon EC2 and three well-known benchmarks, SPCN provides performance improvement over the original closed nesting, gaining more than 2x in throughput.

Abstract:

This paper introduces versioned programming, a technique that can be used to convert pointer-based data structures into efficient, lock-free implementations. Versioned programming allows arbitrary composition of pointer modifications. Taking linked-lists as an example, VLISTs, or versioned lists, support features missing in other lock-free implementations, such as double linking and atomic moves among lists.

The main idea of versioning is to allow different versions of a nodes exist at the same time such that each thread can pick the appropriate version and has a consistent view of the whole data structure. We present a detailed example of VLISTs, simple enough to include all code inline. The paper also evaluates versioned tree implementations.

We evaluate versioned programming against several concurrency techniques. Versioned programming outperforms read-log-update, which locks nodes, with a modest number of writers. VLIST out-perform lists with SwissTM, a high-quality STM, showing the value of trading some programmer-transparency for performance. Composability hurts performance compared to a non-composable, hand-written lock-free algorithm. Using the technique described in this paper, application developers can have both the performance scalability of sophisticated synchronization techniques with functionality and simplicity comparable to coarse locks.

Abstract:

Using discrete GPUs for processing very large datasets is challenging, in particular when an algorithm exhibit unpredictable, data-driven access patterns. In this paper we investigate the utility of GPUfs, a library that provides direct access to files from GPU programs, to implement such algorithms. We analyze the system's bottlenecks, and suggest several modification to the GPUfs design, including new concurrent hash table for the buffer cache and a highly parallel memory allocator. We also show that by implementing the workload in a warp-centric manner we can improve the performance even further. We evaluate our changes by implementing a real image processing application which creates collages from a dataset of 10 Million images. The enhanced GPUfs design improves the application performance by 5.6X on average over the original GPUfs, and outperforms both 12-core parallel CPU which uses the AVX instruction set, and a standard CUDA-based GPU implementation by up to 2.5X and 3X respectively, while significantly enhancing system programmability and simplifying the application design and implementation.

Abstract:

The remote reachability of computer systems that run imperfect, vulnerable software puts individuals' and organizations' security and privacy at risk. Miscreants divulge users' sensitive data by exploiting vulnerabilities in network-attached servers' software. Even the client side of web applications poses acute privacy risks. Modern web applications are conglomerations of JavaScript written by multiple authors: application developers routinely incorporate code from third-party libraries, and mashup applications synthesize data and code hosted at different sites. In current browsers, a web application's developer and user must trust third-party code in libraries not to leak the user's sensitive information. Fundamentally, today's browser security model trades privacy for flexibility because it lacks a sufficient mechanism for confining untrusted code.

In this talk, I will describe techniques that address these privacy threats on the server and client sides of distributed applications. I will first describe how to design server software that adheres to the principle of least privilege, and does not divulge sensitive information, even when successfully exploited by an attacker. I will then present COWL (Confinement with Origin Web Labels), a robust JavaScript confinement system for modern web browsers. COWL introduces label-based mandatory access control to browsing contexts in a way that is fully backward-compatible with legacy web content. I'll use simple case-study applications to motivate COWL's design and demonstrate how COWL allows both the inclusion of untrusted scripts in applications and the building of mashups that combine sensitive information from multiple distinct origins, all while protecting users' privacy.

(Joint work with Andrea Bittau, Petr Marchenko, Mark Handley, Deian Stefan, Edward Yang, Alejandro Russo, Dave Herman, and David Mazieres.)

Bio:

Brad Karp is a Professor of Computer Systems and Networks and Head of the Systems and Networks Research Group in the Department of Computer Science at University College London (UCL). His research interests span computer system and network security (current work includes web browser and JavaScript security; past work includes the Wedge secure OS extensions and the Autograph and Polygraph worm signature generation systems); large-scale distributed systems (recent work includes LOUP, a provably loop-free Internet routing protocol; past work includes the Open DHT shared public DHT service); and wireless networks (current work includes techniques for improving capacity at the MAC and PHY layers; past work includes the GPSR and CLDP scalable geographic routing protocols). Prior to taking up his post at UCL in late 2005, Karp held joint appointments at Intel Research and Carnegie Mellon, and as a researcher at ICSI at UC Berkeley. He is a recipient of the Royal Society-Wolfson Research Merit Award (2005-2010). He served as program co-chair of ACM SIGCOMM 2015, and currently serves on the ACM SIGCOMM Technical Steering Committee. Karp earned his Ph.D. in Computer Science at Harvard University in 2000, and holds a B.S. in Computer Science from Yale University, earned in 1992.

Abstract:

This paper proposes a novel high-level abstraction for realtime control, called Proper Timed I/O (PTIO). The abstraction allows user-space programs running on an embedded system with a stock operating system (without real-time extensions) to perform high-resolution real-time digital I/O (setting pins high or low, responding to input transitions, etc). PTIO programs express their real-time I/O behavior in terms of a timed automata that can communicate with the user-space program. Simple behaviors are encoded in the timed automata; complex behaviors are implemented by arbitrary algorithms in the user-space program. The paper also presents two different implementations of the PTIO abstraction, both under Linux. One utilizes a deterministic coprocessor that is available on some ARM-based system-ona-chip processors. This implementation can achieve timing accuracy of 100ns or better and it can perform millions of finite-state transitions per second. The other implementation uses hardware timers that are available on every system-ona-chip; it achieves a timing accuracy of 6us or better, but it is limited to about 2000 state transitions per second. Both implementations guarantee that the PTIO never fails silently: if the mechanism missed a deadline, the user space program is always notified of the failure. In many cases, PTIOs eliminate the need for bare-metal programming or for specialized real-time operating systems.

Abstract:

Despite the popularity of trace-based file system performance evaluation, there is currently no accepted methodology to capture and accurately replay file system traces. The less we know about the limitations of trace-based methodologies, the less we can rely on the obtained results. In this paper, we present a case study analyzing the two most popular trace capture methods. The results of the case study indicate that the two evaluated methods provide good precision, but significant bias in some cases. In addition to providing guidelines on how to improve the quality of trace capture, our results allow us to draw important observations about current practice. We show that bias can be corrected by the execution of a calibration procedure, a practice that is mostly absent in the methodology used in the area. Our results also revealed that, to achieve correct calibration, it is crucial to collect information about the background activity and about the operating system layer running in the experimental environment. Finally, our results allow to quantify the overall trace capture uncertainty, providing means for researches to decide on the suitability of trace capture tools for their purposes.

Abstract:

This paper analyzes the host cache effectiveness in full virtualization, particularly associated with journaling of guests. We observe that the journal access of guests degrades cache performance largely due to the write-once access pattern and the frequent sync operations. To remedy this problem, we design and implement a novel caching policy, called PDC (Pollution Defensive Caching), that detects the journal accesses and prevents them from entering the host cache. The proposed PDC is implemented in QEMU-KVM 2.1 on Linux 4.14 and provides 3-32% performance improvement for various file and I/O benchmarks.

Abstract:

In this paper, we report on the analysis of data from Android mobile phones of 38 users, composed of access traces of the users' mobile file systems during 30 days. We shed new light on the file usage patterns and present the data in terms of file size distributions, file sessions, file lifetime, file access activity and read / write access patterns. We characterize different distributions and extract conclusions about usage patterns of Android file systems.