abstracts

Posted 2021-06-26 xcy6666

Probabilistic Profiling of Stateful Data Planes for Adversarial Testing

Recently, there is a flurry of projects that develop data plane systems
in programmable switches, and these systems perform far more
sophisticated processing than simply deciding a packet’s next hop
(i.e., traditional forwarding). This presents challenges to existing
network program profilers, which are developed primarily to handle
stateless forwarding programs.
We develop P4wn, a program profiler that can analyze program
behaviors of stateful data plane systems; it captures the fact that
these systems process packets differently based on program state,
which in turn depends on the underlying stochastic traffic pattern.
Whereas existing profilers can only analyze stateless network processing, P4wn can analyze stateful processing behaviors and their
respective probabilities. Although program profilers have general
applications, we showcase a concrete use case in detail: adversarial
testing. Unlike regular program testing, adversarial testing distinguishes and specifically stresses low-probability edge cases in a
program. Our evaluation shows that P4wn can analyze complex programs that existing tools cannot handle, and that it can effectively
identify edge-case traces

High Velocity Kernel File Systems with Bento

High development velocity is critical for modern systems.
This is especially true for Linux file systems which are seeing
increased pressure from new storage devices and new demands
on storage systems. However, high velocity Linux kernel
development is challenging due to the ease of introducing
bugs, the difficulty of testing and debugging, and the lack of
support for redeployment without service disruption. Existing
approaches to high-velocity development of file systems for
Linux have major downsides, such as the high performance
penalty for FUSE file systems, slowing the deployment cycle
for new file system functionality.
We propose Bento, a framework for high velocity development of Linux kernel file systems. It enables file systems
written in safe Rust to be installed in the Linux kernel, with
errors largely sandboxed to the file system. Bento file systems
can be replaced with no disruption to running applications,
allowing daily or weekly upgrades in a cloud server setting.
Bento also supports userspace debugging. We implement a simple file system using Bento and show that it performs similarly
to VFS-native ext4 on a variety of benchmarks and outperforms a FUSE version by 7x on ‘git clone’. We also show that
we can dynamically add file provenance tracking to a running
kernel file system with only 15ms of service interruption

NetWarden: Mitigating Network Covert Channels while Preserving Performance

Programmable In-Network Security for Context-aware BYOD Policies

Bring Your Own Device (BYOD) has become the new norm
for enterprise networks, but BYOD security remains a top concern. Context-aware security, which enforces access control
based on dynamic runtime context, is a promising approach.
Recent work has developed SDN solutions to collect device
contexts and enforce access control at a central controller.
However, the central controller could become a bottleneck
and attack target. Processing context signals at the remote
controller is also too slow for real-time decision change.
We present a new paradigm, programmable in-network
security (Poise), which is enabled by the emergence of programmable switches. At the heart of Poise is a novel security
primitive, which can be programmed to support a wide range
of context-aware policies in hardware. Users of Poise specify
concise policies, and Poise compiles them into different configurations of the primitive in P4. Compared with traditional
SDN defenses, Poise is resilient to control plane saturation
attacks, and it dramatically increases defense agility

Check before You Change: Preventing Correlated Failures in Service Updates

The reliability of cloud services can be significantly undermined by correlated failures due to shared service dependencies, even when the services are already replicated across machines. State-of-the-art failure prevention systems can proactively audit a service before its deployment to detect risks
for correlated failures, but their auditing speeds are too slow
for frequent service updates. This paper presents CloudCanary, a system that can perform real-time audits on service
updates to identify the root causes of correlated failure risks,
and generate improvement plans with increased reliability.
CloudCanary achieves this with two primitives, SNAPAUDIT
and DEPBOOSTER. SNAPAUDIT leverages two insights to
achieve high accuracy and efficiency: a) service updates typically affect only a small part of the service stack, allowing
the majority of previous auditing results to be reused; and
b) structural reliability auditing tasks can be reduced to a
Boolean satisfiability problem, which can then be solved efficiently using modern SAT solvers. DEPBOOSTER, on the
other hand, can generate improvement plans efficiently by
reducing the required reasoning load, using novel techniques
such as model counting. We demonstrate in our experiments
that CloudCanary can perform audits over large deployments
200× faster than state-of-the-art systems, and that it consistently generates high-quality improvement plans within minutes. Moreover, CloudCanary can yield valuable insights over
real-world traces collected from production environments

Rethinking Data Management Systems for Disaggregated Data Centers

https://www.cis.upenn.edu/~sga001/papers/ddc-vldb20.pdf

Resource disaggregation is a new architecture for data centers in
which resources like memory and storage are decoupled from the
CPU, managed independently, and connected through a high-speed
network. Recent work has shown that although disaggregated data
centers (DDCs) provide operational benefits, applications running
on DDCs experience degraded performance due to extra network
latency between the CPU and their working sets in main memory.
DBMSs are an interesting case study for DDCs for two main reasons: (1) DBMSs normally process data-intensive workloads and
require data movement between different resource components; and
(2) disaggregation drastically changes the assumption that DBMSs
can rely on their own internal resource management.
We take the first step to thoroughly evaluate the query execution
performance of production DBMSs in disaggregated data centers.
We evaluate two popular open-source DBMSs (MonetDB and PostgreSQL) and test their performance with the TPC-H benchmark in
a recently released operating system for resource disaggregation.
We evaluate these DBMSs with various configurations and compare their performance with that of single-machine Linux with the
same hardware resources. Our results confirm that significant performance degradation does occur, but, perhaps surprisingly, we also
find settings in which the degradation is minor or where DDCs actually improve performance.

Rethinking Data Management Systems for Disaggregated Data Centers

One recent trend of cloud data center design is resource disaggregation. Instead of having server units with “converged” compute,
memory, and storage resources, a disaggregated data center (DDC)
has pools of resources of each type connected via a network. While
the systems community has been investigating the research challenges of DDC by designing new OS and network stacks, the implications of DDC for next-generation database systems remain unclear. In this paper, we take a first step towards understanding how
DDCs might affect the design of relational databases, discuss the
potential advantages and drawbacks in the context of data processing, and outline research challenges in addressing them

Optimizing Declarative Graph !eries at Large Scale

This paper presents GraphRex, an e!cient, robust, scalable,
and easy-to-program framework for graph processing on
datacenter infrastructure. To users, GraphRex presents a
declarative, Datalog-like interface that is natural and expressive. Underneath, it compiles those queries into e!cient
implementations. A key technical contribution of GraphRex
is the identi"cation and optimization of a set of global operators whose e!ciency is crucial to the good performance
of datacenter-based, large graph analysis. Our experimental results show that GraphRex signi"cantly outperforms
existing frameworks—both high- and low-level—in scenarios ranging across a wide variety of graph workloads and
network conditions, sometimes by two orders of magnitude.

Zeno: Diagnosing Performance Problems with Temporal Provenance

When diagnosing a problem in a distributed system, it is
sometimes necessary to explain the timing of an event – for
instance, why a response has been delayed, or why the network latency is high. Existing tools offer some support for
this, typically by tracing the problem to a bottleneck or to
an overloaded server. However, locating the bottleneck is
merely the first step: the real problem may be some other
service that is sending traffic over the bottleneck link, or a
machine that is overloading the server with requests. These
off-path causes do not appear in a conventional trace and will
thus be missed by most existing diagnostic tools.
In this paper, we introduce a new concept we call temporal provenance that can help with diagnosing timing-related
problems. Temporal provenance is inspired by earlier work
on provenance-based network debugging; however, in addition to the functional problems that can already be handled
with classical provenance, it can also diagnose problems that
are related to timing. We present an algorithm for generating
temporal provenance and an experimental debugger called
Zeno; our experimental evaluation shows that Zeno can successfully diagnose several realistic performance bugs

Total Recall: Persistence of Passwords in android

Abstract—A good security practice for handling sensitive data,
such as passwords, is to overwrite the data buffers with zeros once
the data is no longer in use. This protects against attackers who
gain a snapshot of a device’s physical memory, whether by inperson physical attacks, or by remote attacks like Meltdown and
Spectre. This paper looks at unnecessary password retention in
Android phones by popular apps, secure password management
apps, and even the lockscreen system process. We have performed
a comprehensive analysis of the Android framework and a variety
of apps, and discovered that passwords can survive in a variety of
locations, including UI widgets where users enter their passwords,
apps that retain passwords rather than exchange them for tokens,
old copies not yet reused by garbage collectors, and buffers in
keyboard apps. We have developed solutions that successfully fix
these problems with modest code changes.

Architecting Programmable Data Plane Defenses into the Network with FastFlex

This paper is motivated by the ever increasing scale and diversity of attacks that are best handled by the network infrastructure. FastFlex builds upon recent progress, which has developed a variety of network defenses in programmable data
planes, and takes this trend one step further: it aims to develop architectural support for these defenses as a first-class
citizen. We envision that the network architecture would
support these defenses as naturally as it does routingÐas the
network routes traffic end-to-end, it also turns the defenses
on and off as needed for attack mitigation. We propose a key
abstraction: the multimode data plane. Normally, it operates
under optimal configurations computed by centralized control, but upon attacks, it performs distributed mode changes
entirely in data plane for mitigation. Mixed-vector attacks
would trigger co-existing modes at different regions of the
network, and attacks that rapidly change would be met with
equally fast mode adaptations. We sketch this vision, discuss
the opportunities and challenges it involves, and present a
use case on link-flooding defense.

Accelerated Service Chaining on a Single Switch ASIC

Network functions and service function chaining are prevalent in cloud and ISP networks. In traditional software-based
solutions, scaling up the capacity of these functions requires
a large number of server cores. However, edge clouds are
severely resource-constrained in terms of space, power, and
budget, so traditional methods incur a high cost. We present
Dejavu, a system that can offload a service chain to a programmable switch to achieve high performance and resource
efficiency. Our system can compose multiple network functions into a single program that preserves the original chaining requirements, and exploit features of the switch ASIC to
efficiently deploy the composed program on a single switch

NetWarden: Mitigating Network Covert Channels while Preserving Performance

Network covert channels are an advanced threat to the security of distributed systems. Existing defenses all come at the
cost of performance, so they present significant barriers to
a practical deployment in high-speed networks. We propose
NetWarden, a novel defense whose key design goal is to preserve TCP performance while mitigating covert channels. The
use of programmable data planes makes it possible for NetWarden to adapt defenses that were only demonstrated before
as proof of concept, and apply them at linespeed. Moreover,
NetWarden uses a set of performance boosting techniques
to temporarily increase the performance of connections that
have been affected by covert channel mitigation, with the ultimate goal of neutralizing the overall performance impact.
NetWarden also uses a fastpath/slowpath architecture to combine the generality of software and the efficiency of hardware
for effective defense. Our evaluation shows that NetWarden
works smoothly with complex applications and workloads,
and that it can mitigate covert timing and storage channels
with little performance disturbance