50th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2020, Valencia, Spain, June 29 - July 2, 2020. IEEE 【DBLP Link】
【Paper Link】 【Pages】:1-13
【Authors】: Lei Zhou ; Fengwei Zhang ; Jinghui Liao ; Zhenyu Ning ; Jidong Xiao ; Kevin Leach ; Westley Weimer ; Guojun Wang
【Abstract】: Live kernel patching is an increasingly common trend in operating system distributions, enabling dynamic updates to include new features or to fix vulnerabilities without having to reboot the system. Patching the kernel at runtime lowers downtime and reduces the loss of useful state from running applications. However, existing kernel live patching techniques (1) rely on specific support from the target operating system, and (2) admit patch failures resulting from kernel faults. We present KSHOT, a kernel live patching mechanism based on x86 SMM and Intel SGX that focuses on patching Linux kernel security vulnerabilities. Our patching processes are protected by hardware-assisted Trusted Execution Environments. We demonstrate that our technique can successfully patch vulnerable kernel functions at the binary-level without support from the underlying OS and regardless of whether the kernel patching mechanism is compromised. We demonstrate the applicability of KSHOT by successfully patching 30 critical indicative kernel vulnerabilities.
【Keywords】: n/a
【Paper Link】 【Pages】:14-25
【Authors】: Weizhong Li ; Kaiwen Shen ; Run Guo ; Baojun Liu ; Jia Zhang ; Haixin Duan ; Shuang Hao ; Xiarun Chen ; Yao Wang
【Abstract】: Content Delivery Networks (CDNs) aim to improve network performance and to protect their hosting websites against web attack traffic. The HTTP range request mechanism, in turn, is designed primarily to reduce unnecessary network transmission. However, we find that the specifications fail to consider the security risks introduced when CDNs meet range requests. In this study, we present a novel class of HTTP amplification attack, Range-based Amplification (RangeAmp) Attacks. It allows attackers to massively exhaust not only the outgoing bandwidth of the origin servers deployed behind CDNs but also the bandwidth of CDN surrogate nodes. We examined the RangeAmp attacks on 13 popular CDNs to evaluate their feasibility and real-world impact. Our experimental results show that all these CDNs are affected by RangeAmp attacks. We disclosed all security issues to the affected CDN vendors and have already received positive feedback from 12 of them.
【Keywords】: CDN Security; HTTP Range Request; Amplification Attack; DDoS
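To make the amplification primitive concrete, below is a minimal, hypothetical probe of how a cache handles a tiny range request. The URL is a placeholder, and whether amplification actually occurs depends on each CDN's range-forwarding policy; this is a sketch, not the paper's attack code.

```python
# Illustrative only: probe how a cache handles a tiny range request.
import requests

url = "https://cdn.example.com/large-object.bin"  # hypothetical target

# Attacker-side cost: a request asking for a single byte.
resp = requests.get(url, headers={"Range": "bytes=0-0"}, timeout=10)

print(resp.status_code)                   # 206 if the range was honored
print(resp.headers.get("Content-Range"))  # e.g. "bytes 0-0/1073741824"
print(len(resp.content))                  # bytes actually sent to us

# If the CDN drops or expands the Range header on its origin-facing
# connection, the origin streams the whole object to the CDN, so the
# attacker's few-byte request amplifies into a large origin-egress transfer.
```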
【Paper Link】 【Pages】:26-38
【Authors】: Daniel Collins ; Rachid Guerraoui ; Jovan Komatovic ; Petr Kuznetsov ; Matteo Monti ; Matej Pavlovic ; Yvonne Anne Pignolet ; Dragos-Adrian Seredinschi ; Andrei Tonkikh ; Athanasios Xygkis
【Abstract】: We address the problem of online payments, where users can transfer funds among themselves. We introduce Astro, a system solving this problem efficiently in a decentralized, deterministic, and completely asynchronous manner. Astro builds on the insight that consensus is unnecessary to prevent double-spending. Instead of consensus, Astro relies on a weaker primitive---Byzantine reliable broadcast---enabling a simpler and more efficient implementation than consensus-based payment systems. In terms of efficiency, Astro executes a payment by merely broadcasting a message. The distinguishing feature of Astro is that it can maintain performance robustly, i.e., remain unaffected by a fraction of replicas being compromised or slowed down by an adversary. Our experiments on a public cloud network show that Astro can achieve near-linear scalability in a sharded setup, going from 10K payments/sec (2 shards) to 20K payments/sec (4 shards). In a nutshell, Astro can match VISA-level average payment throughput, and achieves a 5× improvement over a state-of-the-art consensus-based solution, while exhibiting sub-second 95th percentile latency.
【Keywords】: byzantine reliable broadcast; consensus; deterministic; asynchronous; efficient; consensus free; online payments
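The paper's key insight, that reliable broadcast suffices to prevent double-spending, can be sketched as follows. The broadcast layer itself is abstracted away, and the class and field names are illustrative, not Astro's actual implementation:

```python
# Minimal sketch: each replica applies transfers it reliably delivers,
# in per-sender order, with no consensus round anywhere.
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    sender: str
    receiver: str
    amount: int
    seqno: int  # per-sender sequence number, fixed by the broadcast layer

class Replica:
    def __init__(self, initial_balances):
        self.balances = dict(initial_balances)
        self.next_seq = {acct: 1 for acct in initial_balances}

    def deliver(self, t: Transfer) -> bool:
        """Called once per transfer by Byzantine reliable broadcast."""
        if t.seqno != self.next_seq.get(t.sender, 1):
            return False                      # out of order: buffer/reject
        if t.amount <= 0 or self.balances.get(t.sender, 0) < t.amount:
            return False                      # insufficient funds
        self.balances[t.sender] -= t.amount
        self.balances[t.receiver] = self.balances.get(t.receiver, 0) + t.amount
        self.next_seq[t.sender] = t.seqno + 1
        return True

r = Replica({"alice": 100, "bob": 0})
assert r.deliver(Transfer("alice", "bob", 60, 1))
assert not r.deliver(Transfer("alice", "bob", 60, 2))  # double spend rejected
```

Because reliable broadcast guarantees all correct replicas deliver the same transfer for each (sender, seqno) pair, replicas converge on the same balances without ever agreeing on a total order.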
【Paper Link】 【Pages】:39-51
【Authors】: Jeff H. Perkins ; Jordan Eikenberry ; Alessandro Coglio ; Martin Rinard
【Abstract】: We present ClearTrack, a system that tracks meta-data for each primitive value in Java programs to detect and nullify a range of vulnerabilities such as integer overflow/underflow and SQL/command injection vulnerabilities. Contributions include new techniques for eliminating false positives associated with benign integer overflows and underflows, new metadata-aware techniques for detecting and nullifying SQL/command injection attacks, and results from an independent evaluation team. These results show that 1) ClearTrack operates successfully on Java programs comprising hundreds of thousands of lines of code (including instrumented jar files and Java system libraries, the majority of the applications comprise over 3 million lines of code), 2) because of computations such as cryptography and hash table calculations, these applications perform millions of benign integer overflows and underflows, and 3) ClearTrack successfully detects and nullifies all tested integer overflow and underflow and SQL/command injection vulnerabilities in the benchmark applications.
【Keywords】: Computer Security, intrusion detection, Computer errors, Software safety
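A minimal sketch of the per-value metadata idea follows. The names, the 32-bit wraparound model, and the sink policy are ours, not ClearTrack's implementation:

```python
# Every primitive carries a tag; arithmetic propagates tags and records
# 32-bit wraparound instead of silently producing a wrong value.
from dataclasses import dataclass

INT_MIN, INT_MAX = -2**31, 2**31 - 1

@dataclass
class Tagged:
    value: int
    tainted: bool = False     # e.g., derived from untrusted input
    overflowed: bool = False

def add32(a: Tagged, b: Tagged) -> Tagged:
    raw = a.value + b.value
    wrapped = (raw - INT_MIN) % 2**32 + INT_MIN   # 32-bit wraparound
    return Tagged(
        value=wrapped,
        tainted=a.tainted or b.tainted,
        overflowed=a.overflowed or b.overflowed or raw != wrapped,
    )

x = add32(Tagged(INT_MAX, tainted=True), Tagged(1))
# A security sink (e.g., an allocation size) would consult the metadata:
if x.overflowed and x.tainted:
    print("attacker-influenced overflow would be nullified at a sink")
# A benign overflow (e.g., inside a hash computation) never reaches a
# sensitive sink, which is how false positives are avoided.
```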
【Paper Link】 【Pages】:52-63
【Authors】: Habib Saissi ; Stefan Winter ; Oliver Schwahn ; Karthik Pattabiraman ; Neeraj Suri
【Abstract】: Modern computing systems typically relax execution determinism, for instance by allowing the CPU scheduler to interleave the execution of several threads. While beneficial for performance, execution non-determinism affects programs' execution traces and hampers the comparability of repeated executions. We present TraceSanitizer, a novel approach for execution trace comparison in Error Propagation Analyses (EPA) of multi-threaded programs. TraceSanitizer can identify and compensate for non-determinisms caused either by dynamic memory allocation or by non-deterministic scheduling. We formulate a condition under which TraceSanitizer is guaranteed to achieve a 0% false positive rate, and automate its verification using Satisfiability Modulo Theory (SMT) solving techniques. TraceSanitizer is comprehensively evaluated using execution traces from the PARSEC and Phoenix benchmarks. In contrast with other approaches, TraceSanitizer eliminates false positives without increasing the false negative rate (for a specific class of programs), with reasonable performance overheads.
【Keywords】: Fault injection; Error Propagation Analysis; Non determinism; Debugging; Satisfiability Modulo Theory
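One of the two compensated non-determinisms, dynamic memory allocation, can be illustrated by renaming concrete heap addresses to run-independent allocation-order IDs. The event format and function names below are invented for the sketch:

```python
# Concrete heap addresses differ across runs, so two traces of the same
# correct execution would spuriously mismatch; renaming fixes that.
import re

ADDR = re.compile(r"0x[0-9a-f]+")

def sanitize(trace):
    ids = {}
    out = []
    for line in trace:
        def rename(m, ids=ids):
            # First-seen address becomes obj0, the next obj1, and so on.
            return ids.setdefault(m.group(0), f"obj{len(ids)}")
        out.append(ADDR.sub(rename, line))
    return out

run1 = ["malloc -> 0x7f3a10", "store 0x7f3a10 val=5"]
run2 = ["malloc -> 0x55e020", "store 0x55e020 val=5"]
assert sanitize(run1) == sanitize(run2)  # equal once addresses are renamed
```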
【Paper Link】 【Pages】:64-75
【Authors】: Zhanhao Chen ; Yinzhi Cao
【Abstract】: As portals to the Internet, web browsers constitute prominent targets for attacks. Existing defenses that redefine web APIs typically capture information related to a single JavaScript function. Thus, they fail to defend against so-called web concurrency attacks that use multiple interleaved functions to trigger a browser vulnerability. In this paper, we propose JSKernel, the first generic framework that introduces a kernel concept into JavaScript to defend against web concurrency attacks. The JavaScript kernel, inspired by operating system concepts, enforces the execution order of JavaScript events and threads to fortify security. We implement a prototype of JSKernel deployable as add-on extensions to three widely used web browsers, namely Google Chrome, Mozilla Firefox, and Microsoft Edge. These open-source extensions are available at (https://github.com/jskernel2019/jskernel) along with a usability demo at (https://jskernel2019.github.io/). Our evaluation shows the prototype to be robust to web concurrency attacks, fast, and backward compatible with legacy websites.
【Keywords】: JavaScript; Side channel Attacks; Web Concurrency Attacks
【Paper Link】 【Pages】:76-87
【Authors】: Jialong Zhang ; Zhongshu Gu ; Jiyong Jang ; Dhilung Kirat ; Marc Ph. Stoecklin ; Xiaokui Shu ; Heqing Huang
【Abstract】: Security analysts widely use dynamic malware analysis environments to exercise malware samples and derive virus signatures. Unfortunately, malware authors are becoming more aware of such analysis environments. Therefore, many have embedded evasive logic into malware to probe execution environments before exposing malicious behaviors. Consequently, such analysis environments become useless and evasive malware can damage victim systems with unforeseen malicious activities. However, adopting evasive techniques to bypass dynamic malware analysis is a double-edged sword: while evasive techniques avoid early detection through sandbox analysis, they also significantly constrain the spectrum of execution environments in which the malware activates. In this paper, we exploit this dilemma and seek to reverse the challenge by camouflaging end-user execution environments into analysis-like environments using a lightweight deception engine called SCARECROW. We thoroughly evaluate SCARECROW with real evasive malware samples and demonstrate that we can successfully deactivate 89.56% of evasive malware samples and variants of ransomware (e.g., WannaCry and Locky) with little or no impact on the most commonly used benign software. Our evaluation also shows that SCARECROW is able to steer state-of-the-art analysis environment fingerprinting techniques so that end-user execution environments running SCARECROW become indistinguishable from malware analysis environments.
【Keywords】: n/a
【Paper Link】 【Pages】:88-98
【Authors】: Ligeng Chen ; Zhongling He ; Bing Mao
【Abstract】: Code analysis is a powerful way to eliminate vulnerabilities. However, closed-source programs lack information vital for code analysis, because that information is stripped at compilation time to reduce executable size. Restoring it has always been a challenge for experts. Variable type information is fundamental in this process because it provides a perspective on program semantics. In this paper, we present an efficient approach for inferring types, overcoming the challenge of the scattered information that static analysis provides on stripped binaries. We observe that neighboring instructions are likely to operate on variables of the same type, and we leverage this observation to enrich the features we rely on. We implement a system called CATI, which locates variables in stripped binaries and infers one of 19 types for each variable. Experiments show that it infers variable types with 71.2% accuracy on unseen binaries, while taking approximately 6 seconds to process a typical binary.
【Keywords】: Stripped Binary; Variable Type; Static Analysis
【Paper Link】 【Pages】:99-112
【Authors】: Salar Latifi ; Babak Zamirai ; Scott A. Mahlke
【Abstract】: Deep neural networks (DNNs) are now starting to emerge in mission-critical applications including autonomous vehicles and precision medicine. An important question is the dependability of DNNs and the trustworthiness of their predictions. Considering the irreparable damage that mispredictions can cause, assessing their potential misbehavior is necessary for safe deployment. In this paper, we first show the deficiency of current confidence-based methods as a reliability measure, and assess the effectiveness of traditional architectural reliability methods such as modular redundancy (MR). Then, we propose PolygraphMR and show that the combination of input preprocessing, smarter decision policies, and the inclusion of prediction confidences can substantially improve the effectiveness of MR for DNNs. Next, we show how to prevent explosive growth in the cost of MR with the help of reduced-precision designs and staged activations. Across six benchmarks, PolygraphMR detects an average of 33.5% of the baseline mispredictions with less than 2x overhead.
【Keywords】: Reliability, Machine vision, Computer performance
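The following is a hedged sketch of what a confidence-aware modular-redundancy decision policy could look like. The threshold and the policy itself are illustrative, not the paper's:

```python
# Run N diverse model replicas, accept only confident agreement, and
# otherwise flag the input as a suspected misprediction.
import numpy as np

def polygraph_vote(softmax_outputs, conf_threshold=0.9):
    """softmax_outputs: list of per-replica class-probability vectors."""
    labels = [int(np.argmax(p)) for p in softmax_outputs]
    confs = [float(np.max(p)) for p in softmax_outputs]
    top = max(set(labels), key=labels.count)        # majority label
    agree = [c for l, c in zip(labels, confs) if l == top]
    # Require both majority agreement and high mean confidence.
    if len(agree) > len(labels) // 2 and np.mean(agree) >= conf_threshold:
        return top, False          # accept prediction
    return top, True               # flag as suspected misprediction

preds = [np.array([0.05, 0.9, 0.05]),   # replica 1: class 1, confident
         np.array([0.1, 0.8, 0.1]),     # replica 2: class 1, confident
         np.array([0.6, 0.3, 0.1])]     # replica 3: disagrees
print(polygraph_vote(preds))  # (1, True): agreement, but mean conf 0.85 < 0.9
```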
【Paper Link】 【Pages】:113-124
【Authors】: Saurabh Jha ; Shengkun Cui ; Subho S. Banerjee ; James Cyriac ; Timothy Tsai ; Zbigniew Kalbarczyk ; Ravishankar K. Iyer
【Abstract】: Ensuring the safety of autonomous vehicles (AVs) is critical for their mass deployment and public adoption. However, security attacks that violate safety constraints and cause accidents are a significant deterrent to achieving public trust in AVs, and that hinders a vendor's ability to deploy AVs. Creating a security hazard that results in a severe safety compromise (for example, an accident) is compelling from an attacker's perspective. In this paper, we introduce an attack model, a method to deploy the attack in the form of smart malware, and an experimental evaluation of its impact on production-grade autonomous driving software. We find that determining the time interval during which to launch the attack is critically important for causing safety hazards (such as collisions) with a high degree of success. For example, the smart malware caused 33X more forced emergency braking than random attacks did, and caused accidents in 52.6% of the driving simulations.
【Keywords】: Autonomous Vehicles, Security, Safety
【Paper Link】 【Pages】:125-137
【Authors】: Junyi Wei ; Yicheng Zhang ; Zhe Zhou ; Zhou Li ; Mohammad Abdullah Al Faruque
【Abstract】: Machine learning has been attracting strong interest in recent years. Numerous companies have invested great effort and resources to develop customized deep-learning models, which are their key intellectual properties. In this work, we investigate to what extent the secrets of deep-learning models can be inferred by attackers. In particular, we focus on the scenario in which a model developer and an adversary share the same GPU when training a Deep Neural Network (DNN) model. We exploit a GPU side-channel based on context-switching penalties. This side-channel allows us to extract the fine-grained structural secrets of a DNN model, including its layer composition and hyper-parameters. Leveraging this side-channel, we developed an attack prototype named MosConS, which applies LSTM-based inference models to identify the structural secrets. Our evaluation of MosConS shows that the structural information can be accurately recovered. Therefore, we believe new defense mechanisms should be developed to protect training against the GPU side-channel.
【Keywords】: Deep-learning; GPU; Side-channel
【Paper Link】 【Pages】:138-149
【Authors】: Behzad Salami ; Erhan Baturay Onural ; Ismail Emir Yuksel ; Fahrettin Koc ; Oguz Ergin ; Adrián Cristal Kestelman ; Osman S. Unsal ; Hamid Sarbazi-Azad ; Onur Mutlu
【Abstract】: We empirically evaluate an undervolting technique, i.e., underscaling the circuit supply voltage below the nominal level, to improve the power-efficiency of Convolutional Neural Network (CNN) accelerators mapped to Field Programmable Gate Arrays (FPGAs). Undervolting below a safe voltage level can lead to timing faults due to excessive circuit latency increase. We evaluate the reliability-power trade-off for such accelerators. Specifically, we experimentally study the reduced-voltage operation of multiple components of real FPGAs, characterize the corresponding reliability behavior of CNN accelerators, propose techniques to minimize the drawbacks of reduced-voltage operation, and combine undervolting with architectural CNN optimization techniques, i.e., quantization and pruning. We investigate the effect of environmental temperature on the reliability-power trade-off of such accelerators. We perform experiments on three identical samples of modern Xilinx ZCU102 FPGA platforms with five state-of-the-art image classification CNN benchmarks. This approach allows us to study the effects of our undervolting technique for both software and hardware variability. We achieve more than 3X power-efficiency (GOPs/W) gain via undervolting. 2.6X of this gain is the result of eliminating the voltage guardband region, i.e., the safe voltage region below the nominal level that is set by the FPGA vendor to ensure correct functionality in worst-case environmental and circuit conditions. 43% of the power-efficiency gain is due to further undervolting below the guardband, which comes at the cost of accuracy loss in the CNN accelerator. We evaluate an effective frequency underscaling technique that prevents this accuracy loss, and find that it reduces the power-efficiency gain from 43% to 25%.
【Keywords】: n/a
【Paper Link】 【Pages】:150-157
【Authors】: Zhenyu Zhong ; Zhisheng Hu ; Xiaowei Chen
【Abstract】: DNN models have suffered from adversarial example attacks, which lead to inconsistent prediction results. As opposed to gradient-based attacks, which assume white-box access to the model by the attacker, we focus on more realistic input perturbations from the real world and their actual impact on model robustness without any attacker being present. In this work, we promote a standardized framework to quantify robustness against real-world threats. It is composed of a set of safety properties associated with common violations, a group of metrics to measure the minimal perturbation that causes a violation, and various criteria that reflect different aspects of model robustness. By revealing comparison results through this framework among 13 pre-trained ImageNet classifiers, three state-of-the-art object detectors, and three cloud-based content moderators, we deliver the status quo of real-world model robustness. Beyond that, we provide robustness benchmarking datasets for the community.
【Keywords】: neural networks; adversarial example; robustness; threat severity; safety
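The "minimal perturbation" metric can be illustrated with a toy severity search. The model, the perturbation, and the monotonicity assumption below are ours, not the paper's framework:

```python
# Binary-search the smallest severity of a fixed real-world perturbation
# (here a brightness reduction) that flips a model's prediction.
import numpy as np

def minimal_violation(model, x, perturb, lo=0.0, hi=1.0, iters=20):
    """Smallest s in [lo, hi] with model(perturb(x, s)) != model(x)."""
    base = model(x)
    if model(perturb(x, hi)) == base:
        return None                      # robust over the whole range
    for _ in range(iters):
        mid = (lo + hi) / 2
        if model(perturb(x, mid)) == base:
            lo = mid                     # still correct: raise severity
        else:
            hi = mid                     # violation: try smaller severity
    return hi

model = lambda x: int(x.mean() > 0.5)   # toy "classifier"
perturb = lambda x, s: x * (1.0 - s)    # toy brightness reduction
x = np.full((8, 8), 0.6)
print(minimal_violation(model, x, perturb))  # ~0.167: dimming ~17% flips it
```

A larger minimal severity means the model withstands harsher real-world conditions before violating the safety property.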
【Paper Link】 【Pages】:158-171
【Authors】: Rakesh Kumar ; Saurabh Jha ; Ashraf Mahgoub ; Rajesh Kalyanam ; Stephen Lien Harrell ; Xiaohui Carol Song ; Zbigniew Kalbarczyk ; William T. Kramer ; Ravishankar K. Iyer ; Saurabh Bagchi
【Abstract】: Node downtime and failed jobs in a computing cluster translate into wasted resources and user dissatisfaction. Therefore, understanding why nodes and jobs fail in HPC clusters is essential. This paper analyzes node and job failures in two university-wide computing clusters at two Tier I US research universities. We analyzed approximately 3.0M job execution records from System A and 2.2M from System B, with data sources comprising accounting logs, usage of all primary local and remote resources (memory, IO, network), and node failure data. We observe different kinds of correlations of failures with resource usage and propose a job failure prediction model to trigger event-driven checkpointing and avoid wasted work. Additionally, we present user-history-based resource usage and runtime prediction models. These models have the potential to avoid system-related issues such as contention and to improve quality of service, e.g., lower mean queue time, if their predictions are used to make more informed scheduling decisions. As a proof of concept, we simulate an easy backfill scheduler that uses the predictions of one of these models (runtime) and show the improvement in terms of lower mean queue time. Arising out of these observations, we provide generalizable insights for cluster management to improve reliability, such as that for some execution environments local contention dominates, while for others system-wide contention dominates.
【Keywords】: HPC, Production failure data, Data analytics, Compute clusters
【Paper Link】 【Pages】:172-183
【Authors】: Edward Tremel ; Sagar Jha ; Weijia Song ; David Chu ; Ken Birman
【Abstract】: Applications with internal substructure are common in the cloud, where many systems are organized as independently logged and replicated subsystems that interact via flows of objects or some form of RPC. Restarting such an application is difficult: a restart algorithm needs to efficiently provision the subsystems by mapping them to nodes with needed data and compute resources, while simultaneously guaranteeing that replicas are in distinct failure domains. Additional failures can occur during recovery, hence the restart process must itself be a restartable procedure. In this paper we present an algorithm for efficiently restarting a service composed of sharded subsystems, each using a replicated state machine model, into a state that (1) has the same fault-tolerance guarantees as the running system, (2) satisfies resource constraints and has all needed data to restart into a consistent state, (3) makes safe decisions about which updates to preserve from the logged state, (4) ensures that the restarted state will be mutually consistent across all subsystems and shards, and (5) ensures that no committed updates will be lost. If restart is not currently possible, the algorithm will await additional resources, then retry.
【Keywords】: Replication; Fault Tolerance; Recovery; State Machine Replication
【Paper Link】 【Pages】:184-196
【Authors】: Shixiong Zhao ; Xusheng Chen ; Cheng Wang ; Fanxin Li ; Qi Ji ; Heming Cui ; Cheng Li ; Sen Wang
【Abstract】: Mission-critical services often deploy multiple Machine Learning (ML) models in a distributed graph manner, where each model can be deployed on a distinct physical host. Practical fault tolerance for such ML service graphs should meet three crucial requirements: high availability (fast failover), low normal-case performance overhead, and global consistency under non-determinism (e.g., threads in a GPU can do floating point additions in random order). Unfortunately, despite much effort, existing fault tolerance systems, including those taking the primary-backup approach or the checkpoint-replay approach, cannot meet all three requirements. To tackle this problem, we present HAMS, which starts from the primary-backup approach to replicate each stateful ML model, and leverages the causal logging technique from the checkpoint-replay approach to eliminate the notorious stop-and-buffer delay of the primary-backup approach. Extensive evaluation on 25 ML models and six ML services shows that: (1) in the normal case, HAMS achieved 0.5%-3.7% overhead on latency compared with bare metal; (2) HAMS took 116.12ms-254.19ms to recover one stateful model in all services, 155.1X-1067.9X faster than the relevant system Lineage Stash (LS); and (3) HAMS recovered these services with global consistency even when GPU non-determinism exists, which is not supported by LS. HAMS's code is released on github.com/hku-systems/hams.
【Keywords】: Machine Learning; Distributed System; Fault Tolerance; GPU; Nondeterminism; Determinism; Deep Learning; Prediction; Inference; Backup; Replication; SMR; Microservice; Data Center; High Availability; System
【Paper Link】 【Pages】:197-208
【Authors】: Djob Mvondo ; Alain Tchana ; Renaud Lachaize ; Daniel Hagimont ; Noël De Palma
【Abstract】: Virtual machine monitors (VMMs) play a crucial role in the software stack of cloud computing platforms: their design and implementation have a major impact on performance, security and fault tolerance. In this paper, we focus on the latter aspect (fault tolerance), which has received less attention, although it is now a significant concern. Our work aims at improving the resilience of the "pVM-based" VMMs, a popular design pattern for virtualization platforms. In such a design, the VMM is split into two main components: a bare-metal hypervisor and a privileged guest virtual machine (pVM). We highlight that the pVM is the least robust component and that the existing fault-tolerance approaches provide limited resilience guarantees or prohibitive overheads. We present three design principles (disaggregation, specialization, and pro-activity), as well as optimized implementation techniques for building a resilient pVM without sacrificing end-user application performance. We validate our contribution on the mainstream Xen platform.
【Keywords】: Virtualization; Resilience; disaggregation; bare metal; performance
【Paper Link】 【Pages】:209-220
【Authors】: Maher Alharby ; Roben Castagna Lunardi ; Amjad Aldweesh ; Aad van Moorsel
【Abstract】: In proof-of-work based blockchains such as Ethereum, verification of blocks is an integral part of establishing consensus across nodes. However, in Ethereum, miners do not receive a reward for verifying. This implies that miners face the Verifier's Dilemma: use resources for verification, or use them for the more lucrative mining of new blocks? We provide an extensive analysis of the Verifier's Dilemma, using a data-driven, model-based approach that combines closed-form expressions, machine learning techniques and discrete-event simulation. We collect data from over 300,000 smart contracts and experimentally obtain their CPU execution times. Gaussian Mixture Models and Random Forest Regression transform the data into distributions and inputs suitable for the simulator. We show that, indeed, it is often economically rational not to verify, in particular for miners with less hashing power. We consider two approaches to mitigate the implications of the Verifier's Dilemma, namely parallelization and active insertion of invalid blocks, both of which are shown to be effective.
【Keywords】: Ethereum; Smart Contract; Benchmark; Performance; Simulation; Verifier's Dilemma
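At its core, the dilemma reduces to an expected-payoff comparison. The toy numbers and the linear model below are illustrative placeholders, not the paper's fitted GMM/random-forest model:

```python
# Compare a miner's expected hourly reward when verifying vs. skipping.
def expected_mining_reward(hash_share, block_reward, blocks_per_hour):
    return hash_share * block_reward * blocks_per_hour

def payoff(verify: bool, hash_share, p_invalid=0.001):
    block_reward = 2.0            # reward units per block, made up
    blocks_per_hour = 240
    verify_fraction = 0.05        # fraction of the hour spent verifying
    mining_time = 1.0 - (verify_fraction if verify else 0.0)
    reward = expected_mining_reward(hash_share, block_reward,
                                    blocks_per_hour) * mining_time
    if not verify:
        # Mining on top of an unnoticed invalid block forfeits the reward.
        reward *= (1.0 - p_invalid)
    return reward

for share in (0.30, 0.01):
    print(share, payoff(True, share), payoff(False, share))
# With these made-up parameters, skipping verification yields the higher
# expected reward whenever verification time outweighs the (rare) loss
# from building on an invalid block, which is the dilemma in miniature.
```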
【Paper Link】 【Pages】:221-232
【Authors】: Bowen Liu ; Siwei Sun ; Pawel Szalachowski
【Abstract】: Although blockchain-based smart contracts promise a "trustless" way of enforcing agreements even with monetary consequences, they suffer from multiple security issues. Many of these issues could be mitigated via an effective access control system; however, realizing one is challenging due to the properties of current blockchain platforms (like lack of privacy, costly on-chain resources, or latency). To address this problem, we propose the SMACS framework, where updatable and sophisticated Access Control Rules (ACRs) for smart contracts can be realized at low cost. SMACS shifts the burden of expensive ACR validation and management operations to an off-chain infrastructure, while implementing only lightweight token-based access control on-chain. SMACS is flexible and, in addition to simple access control lists, can easily implement rules enhancing the runtime security of smart contracts. With dedicated ACRs backed by vulnerability-detection tools, SMACS can protect vulnerable contracts after deployment. We fully implement SMACS and evaluate it.
【Keywords】: Blockchain; Smart Contract; Access control; Ethereum; Runtime verification
【Paper Link】 【Pages】:233-244
【Authors】: Enrique Fynn ; Alysson Bessani ; Fernando Pedone
【Abstract】: Blockchain systems have received much attention and promise to revolutionize many services. Yet, despite their popularity, current blockchain systems exist in isolation, that is, they cannot share information. While interoperability is crucial for blockchain to reach widespread adoption, it is difficult to achieve due to differences among existing blockchain technologies. This paper presents a technique to allow blockchain interoperability. The core idea is to provide a primitive operation to developers so that contracts and objects can switch from one blockchain to another, without breaking consistency and violating key blockchain properties. To validate our ideas, we implemented our protocol in two popular blockchain clients that use the Ethereum virtual machine. We discuss how to build applications using the proposed protocol and show examples of applications based on real use cases that can move across blockchains. To analyze the system performance we use a real trace from one of the most popular Ethereum applications and replay it in a multi-blockchain environment.
【Keywords】: smart contract; blockchain; sharding; cross-shard
【Paper Link】 【Pages】:245-252
【Authors】: Paulo Silva ; David Vavricka ; João Barreto ; Miguel Matos
【Abstract】: Given the large adoption and economic impact of permissionless blockchains, the complexity of the underlying systems and the adversarial environment in which they operate, it is fundamental to properly study and understand the emergent behavior and properties of these systems. We describe our experience of a detailed, one-month study of the Ethereum network from several geographically dispersed observation points. We leverage multiple geographic vantage points to assess the key pillars of Ethereum, namely geographical dispersion, network efficiency, blockchain efficiency and security, and the impact of mining pools. Among other new findings, we identify previously undocumented forms of selfish behavior and show that the prevalence of powerful mining pools exacerbates the geographical impact on block propagation delays. Furthermore, we provide a set of open measurement and processing tools, as well as the data set of the collected measurements, in order to promote further research on understanding permissionless blockchains.
【Keywords】: Peer-to-peer computing; Propagation delay; Protocols; Time measurement; Data mining; Instruments
【Paper Link】 【Pages】:253-265
【Authors】: Zhao Zhang ; Tavish Vaidya ; Kartik Subramanian ; Wenchao Zhou ; Micah Sherr
【Abstract】: This paper examines an existential threat to Tor---the increasing frequency at which websites apply discriminatory behavior to users who arrive via the anonymity network. Our main contribution is the introduction of Tor exit bridges. Exit bridges, constructed as short-lived virtual machines on cloud service providers, serve as alternative egress points for Tor and are designed to bypass server-side censorship. Due to the proliferation of managed cloud-based desktop services (e.g., Amazon Workspaces), there is already a surprisingly large fraction of web requests that originate in the cloud. Trivially disrupting exit bridges by blocking requests from the cloud would thus lead to significant collateral damage. Our experiments demonstrate that exit bridges effectively circumvent server-side blocking of Tor with low overhead. Additionally, we perform a cost-analysis of exit bridges and show that even a large-scale deployment can be done at low cost.
【Keywords】: Tor; Bridge; Exit; Server-side; Blocking
【Paper Link】 【Pages】:266-277
【Authors】: Philipp Jeitner ; Haya Shulman ; Michael Waidner
【Abstract】: We demonstrate the first practical off-path time-shifting attacks against NTP, as well as against Man-in-the-Middle (MitM)-secure Chronos-enhanced NTP. Our attacks exploit the insecurity of DNS, allowing us to redirect NTP clients to attacker-controlled servers. We perform large-scale measurements of the attack surface in NTP clients and demonstrate the threats to NTP due to vulnerable DNS.
【Keywords】: DNS; NTP; Chronos; Cache Poisoning; Off-Path; Attack
【Paper Link】 【Pages】:278-285
【Authors】: Gargi Mitra ; Prasanna Karthik Vairam ; Patanjali SLPSK ; Nitin Chandrachoodan ; Kamakoti Veezhinathan
【Abstract】: HTTP/2 introduced multi-threaded server operation for performance improvement over HTTP/1.1. Recent works have discovered that multi-threaded operation results in multiplexed object transmission, which can also have an unanticipated positive effect on TLS/SSL privacy. In fact, these works go on to design privacy schemes that rely heavily on multiplexing to obfuscate the sizes of the objects from which attackers infer sensitive information. Orthogonal to these works, we examine whether the privacy offered by such schemes works in practice. We show that it is possible for a network adversary with modest capabilities to completely break the privacy offered by schemes that leverage HTTP/2 multiplexing. Our adversary works on the following intuition: restricting only one HTTP/2 object to be in the server queue at any point in time eliminates the multiplexing of that object and any privacy benefit thereof. In our scheme, we begin by studying whether (1) packet delays, (2) network jitter, (3) bandwidth limitation, and (4) targeted packet drops have an impact on the number of HTTP/2 objects processed by the server at an instant in time. Based on these insights, we design an adversary that forces the server to serialize object transmissions, thereby completing the attack. Our adversary was able to break the privacy of a real-world HTTP/2 website 90% of the time; the code will be released. To the best of our knowledge, this is the first privacy attack on HTTP/2.
【Keywords】: HTTP/2 attack, HTTP/2 privacy, encrypted traffic analysis
【Paper Link】 【Pages】:286-293
【Authors】: Markus Schneider ; Haya Shulman ; Adi Sidis ; Ravid Sidis ; Michael Waidner
【Abstract】: We explore the Email Bomb, a particularly devastating type of Denial of Service (DoS) attack that has recently gained traction. During the attack, the Email account of a victim is targeted with a flood of Emails. Existing anti-spam defences fail to filter this flood of Emails, since the Emails are not sent from spoofed addresses but originate from legitimate web services on the Internet, which are exploited as reflectors. We perform a two-year study of the Email bomb attack and the affected actors: the victims and the reflectors. We show that although the attack is rented for one day, the Email flood continues over longer time periods, often lasting months after the initial attack. We identify the properties that allow attackers to recruit web sites as potential reflectors and demonstrate how attackers harvest web reflectors. We show that even popular Alexa web sites, such as booking.com, are exploited to launch Email bomb attacks. The main problem is that such attacks are extremely simple to launch and can be rented for 5 USD on the darknet. We set up a tool that periodically collects and analyses the Emails received during the attack; the analysis as well as the data are presented online at http://emailbombresearch.xyz. Email bomb attacks do not only inconvenience victims and hinder their ability to function: we also provide the first demonstration of how such attacks can be leveraged to hide other devastating attacks taking place in parallel. We show that existing countermeasures fall short of preventing Email bomb attacks and provide effective mitigation recommendations based on our study of this attack.
【Keywords】: n/a
【Paper Link】 【Pages】:294-305
【Authors】: Nassim Corteggiani ; Aurélien Francillon
【Abstract】: Advanced dynamic analysis techniques such as fuzzing and Dynamic Symbolic Execution (DSE) are a cornerstone of software security testing and are becoming popular for embedded systems testing. Testing software in a virtual machine provides more visibility and control. VM snapshots also save testing time by facilitating crash reproduction, supporting root cause analysis, and avoiding re-executing programs from the start. However, because embedded systems are very diverse, virtual machines that perfectly emulate them are often unavailable. Previous work therefore either attempts to model hardware or performs partial emulation (forwarding interactions to the real hardware), which leads to inaccurate or slow emulation. Such limitations are unnecessary, however, when the whole design is available, e.g., to the device manufacturer or on open hardware. In this paper, we therefore propose a novel approach, called HardSnap, for co-testing hardware and software with a high level of introspection. HardSnap aims at improving security testing of hardware/software co-designed systems, where embedded systems designers have access to the whole HW/SW stack. HardSnap is a virtual-machine-based solution that extends visibility and controllability to the hardware peripherals with negligible overhead. HardSnap introduces the concept of a hardware snapshot that collects the hardware state together with the software state. In our prototype, Verilog hardware blocks are either simulated in software or synthesized to an FPGA. In both cases, HardSnap is able to generate HW/SW snapshots on demand. HardSnap is designed to support new peripherals automatically, to achieve high performance, and to offer full controllability and visibility of software and hardware. We evaluated HardSnap on open-source peripherals and synthetic firmware to demonstrate its improved ability to find and diagnose security issues.
【Keywords】: n/a
【Paper Link】 【Pages】:306-317
【Authors】: Rens Dofferhoff ; Michael Göbel ; Kristian F. D. Rietveld ; Erik van der Kouwe
【Abstract】: Undocumented and faulty CPU instructions can cause undefined behavior and system instability, impairing software efforts such as OS crash recovery and resilience, and system security. Although often not considered, the identification of such undocumented instructions is critical. We present a portable RISC instruction scanner that is able to search for undocumented instructions on a wide range of RISC architectures, empowering users to verify the reliable and secure operation of their systems. We propose two methods to look for undocumented instructions. Both attempt to execute a single instruction word in a controlled manner, regaining control afterwards. Subsequently, we determine if the instruction word is considered valid by the processor, comparing this result to the processor's ISA specification. Our prototype scanner can scan multiple ARMv8 and RISC-V systems. Various inconsistencies were discovered in the QEMU emulator and disassemblers used as ground truth. Furthermore, we found an undocumented instruction on a RISC-V chip.
【Keywords】: Instruction Scanning; Hardware security; Undocumented Instructions
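The probing idea generalizes beyond RISC. The sketch below shows a fork-and-classify probe on Linux/x86-64; it executes native code, assumes a writable-executable mapping is permitted, and is far cruder than the paper's portable scanner:

```python
# Run one candidate instruction in a forked child and classify it by the
# signal it raises. SIGILL means the CPU rejected the encoding.
import ctypes, mmap, os, signal

def probe(instruction: bytes) -> str:
    code = instruction + b"\xc3"                 # append x86 'ret'
    child = os.fork()
    if child == 0:
        buf = mmap.mmap(-1, mmap.PAGESIZE,
                        prot=mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC)
        buf.write(code)
        addr = ctypes.addressof(ctypes.c_char.from_buffer(buf))
        ctypes.CFUNCTYPE(None)(addr)()           # jump to the candidate
        os._exit(0)                              # executed without a fault
    _, status = os.waitpid(child, 0)
    if os.WIFSIGNALED(status):
        sig = signal.Signals(os.WTERMSIG(status)).name
        return "invalid" if sig == "SIGILL" else f"faulted ({sig})"
    return "valid"

print(probe(b"\x90"))        # nop -> valid
print(probe(b"\x0f\x0b"))    # ud2 -> invalid (SIGILL)
# A scanner compares such verdicts against the ISA specification to flag
# undocumented encodings that execute, or documented ones that fault.
```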
【Paper Link】 【Pages】:318-330
【Authors】: Onur Zungur ; Gianluca Stringhini ; Manuel Egele
【Abstract】: Android applications (apps) are a combination of code written by the developers and third-party libraries that carry out most commonly used functionalities such as advertisement and payments. Running apps in a monitoring environment allows researchers to measure how much network traffic is exchanged between an app and remote endpoints. However, current systems do not have the ability to reliably distinguish traffic generated by different libraries. This distinction matters because, while mobile users pay for data traffic without distinction, some of this traffic is useful (e.g., data for core app functionalities), whereas the rest can be considered a nuisance (e.g., excessive advertisements). In this paper, we present Libspector, a system that precisely attributes the network traffic of an Android app to the library that generated it. To this end, we instrument the Android Framework to inspect the network connections initiated by apps, provide fine-grained information on the libraries in use, and calculate method coverage information while performing dynamic analysis. We then perform a measurement on 25,000 popular Android apps and investigate the relation between different categories of apps and the use of specific libraries. We analyze the method coverage of our dynamic analysis, and further characterize the endpoint connections established by the Android apps. Our results indicate that advertisement libraries account for over a quarter of the total data transmission. We further observe that there is no strict one-to-one correspondence between the categories of network endpoints and the libraries that initiated the data transfers.
【Keywords】: n/a
【Paper Link】 【Pages】:331-342
【Authors】: Samantha Archer ; Georgios Mappouras ; A. Robert Calderbank ; Daniel J. Sorin
【Abstract】: Racetrack memory is a promising new non-volatile memory technology, especially because of the density of its 3D implementation. However, for 3D racetrack to reach its potential, certain reliability issues must be overcome. Prior work used per-track encoding to tolerate the shift errors that are unique to racetrack, but no solutions existed for tolerating both shift errors and bit flip errors. We introduce Foosball Coding, which combines per-track coding for shift errors with a novel across-track coding for bit flips. Moreover, our per-track coding scheme methodically explores the design of inter-codeword delimiters and introduces the novel concept of multi-purpose delimiters, in which the existence of multiple delimiter options can be used to provide additional information.
【Keywords】: Racetrack Memory; Fault Tolerance; Error Coding; Endurance Coding
【Paper Link】 【Pages】:343-354
【Authors】: Huan Ke ; Haryadi S. Gunawi ; David Bonnie ; Nathan DeBardeleben ; Michael Grosskopf ; Terry Grové ; Dominic Manno ; Elisabeth Moore ; Brad Settlemyer
【Abstract】: Massive storage systems composed of tens of thousands of disks are increasingly common in high-performance computing data centers. With such an enormous number of components integrated within the storage system, the probability of correlated failures across a large number of components becomes a critical concern in preventing data loss. In this paper we reconsider the efficiency of traditional declustered parity data protection schemes in the presence of correlated failures. To better protect against correlated failures, we introduce Single-Overlap Declustered Parity (SODP), a novel declustered parity design that tolerates more disk failures than traditional declustered parity. We then introduce CoFaCTOR, a tool for exploring operational reliability in the presence of many types of correlated failures. By seeding CoFaCTOR with real failure traces from LANL's data center, we are able to create a failure model that accurately describes the existing file system's failure behavior and can use that model to generate failure data for hypothetical system designs. Our evaluation using CoFaCTOR traces shows that, compared to the state of the art, our SODP-based placement algorithms can achieve a 30x improvement in the probability of data loss during failure bursts and similar data protection using only half as much parity overhead.
【Keywords】: Reliability; Declustered Parity; Storage System; Failure Bursts
【Paper Link】 【Pages】:355-363
【Authors】: Qiang Guan ; Xunchao Hu ; Terence Grove ; Bo Fang ; Hailong Jiang ; Heng Yin ; Nathan DeBardeleben
【Abstract】: Resilient computation has been an emerging topic in the field of high-performance computing (HPC). In particular, studies show that tolerating faults on leadership-class supercomputers (such as exascale supercomputers) is expected to be one of the main challenges. In this paper, we utilize dynamic binary instrumentation and virtual-machine-based fault injection to emulate soft errors and study their impact on the behavior of applications. We propose Chaser, a fine-grained, accountable, flexible, and efficient fault injection framework built on top of QEMU. Chaser offers just-in-time fault injection, the ability to trace fault propagation, and flexible, programmable interfaces. In a case study, we demonstrate the usage of Chaser on Matvec and a real DOE mini MPI application.
【Keywords】: Soft Error; Fault Injection; Resilience; vulnerability; High Performance Computing
【Paper Link】 【Pages】:364-372
【Authors】: Domenico Cotroneo ; Luigi De Simone ; Pietro Liguori ; Roberto Natella
【Abstract】: In this paper, we present a new fault injection tool (ProFIPy) for Python software. The tool is designed to be programmable, in order to enable users to specify their software fault model using a domain-specific language (DSL) for fault injection. Moreover, to achieve better usability, ProFIPy is provided as software-as-a-service and supports the user through the configuration of the faultload and workload, failure data analysis, and full automation of the experiments using container-based virtualization and parallelization.
【Keywords】: Software Fault Injection; Python; Software-as-a-Service; Bug Pattern
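A minimal analogue of the mutation step such a tool performs is shown below, here a "wrong arithmetic operator" bug pattern applied with Python's ast module. ProFIPy's actual DSL and pattern library are richer than this sketch:

```python
# Inject a 'use - instead of +' fault into the first matching expression.
import ast

class PlusToMinus(ast.NodeTransformer):
    def __init__(self):
        self.done = False
    def visit_BinOp(self, node):
        self.generic_visit(node)
        if isinstance(node.op, ast.Add) and not self.done:
            self.done = True
            node.op = ast.Sub()          # the injected software fault
        return node

src = "def total(prices, tax):\n    return sum(prices) + tax\n"
tree = PlusToMinus().visit(ast.parse(src))
ast.fix_missing_locations(tree)
faulty = {}
exec(compile(tree, "<faulty>", "exec"), faulty)
print(faulty["total"]([10, 20], 5))   # 25 instead of 35: fault injected
```

Running the workload against many such mutated variants, and comparing failures against the fault-free run, is the experiment a faultload configuration automates.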
【Paper Link】 【Pages】:373-384
【Authors】: Pengfei Sun ; Luis Garcia ; Gabriel Salles-Loustau ; Saman A. Zonouz
【Abstract】: Mobile and IoT operating systems, and their ensuing software updates, are usually distributed as binary files. Given that these binary files are commonly closed source, users or businesses who want to assess the security of the software need to rely on reverse engineering. Further, verifying the correct application of the latest software patches in a given binary is an open problem. The regular application of software patches is a central pillar for improving mobile and IoT device security. This requires developers, integrators, and vendors to propagate patches to all affected devices in a timely and coordinated fashion. In practice, vendors follow different and sometimes improper security update agendas for both mobile and IoT products. Moreover, previous studies revealed the existence of a hidden patch gap: several vendors falsely reported that they patched vulnerabilities. Therefore, techniques to verify whether vulnerabilities have been patched or not in a given binary are essential. Deep learning approaches have shown to be promising for static binary analyses with respect to inferring binary similarity as well as vulnerability detection. However, these approaches fail to capture the dynamic behavior of these systems, and, as a result, they may inundate the analysis with false positives when performing vulnerability discovery in the wild. In particular, they cannot capture the fine-grained characteristics necessary to distinguish whether a vulnerability has been patched or not. In this paper, we present PATCHECKO, a vulnerability and patch presence detection framework for executable binaries. PATCHECKO relies on a hybrid, cross-platform binary code similarity analysis that combines deep learning-based static binary analysis with dynamic binary analysis. PATCHECKO does not require access to the source code of the target binary nor that of vulnerable functions. We evaluate PATCHECKO on the most recent Google Pixel 2 smartphone and the Android Things IoT firmware images, within which 25 known CVE vulnerabilities have been previously reported and patched. Our deep learning model shows a vulnerability detection accuracy of over 93%. We further prune the candidates found by the deep learning stage, which include false positives, via dynamic binary analysis. Consequently, PATCHECKO successfully identifies the correct matches among the candidate functions in the top 3 ranked outcomes 100% of the time. Furthermore, PATCHECKO's differential engine distinguishes between functions that are still vulnerable and those that are patched with an accuracy of 96%.
【Keywords】: Deep Learning; Dynamic Analysis; Patch; Firmware Vulnerabilities; Mobile; IoT
【Paper Link】 【Pages】:385-397
【Authors】: Mohammad Samin Yasar ; Homa Alemzadeh
【Abstract】: Cyber-physical systems for robotic surgery have enabled minimally invasive procedures with increased precision and shorter hospitalization. However, with increasing complexity and connectivity of software and major involvement of human operators in the supervision of surgical robots, there remain significant challenges in ensuring patient safety. This paper presents a safety monitoring system that, given the knowledge of the surgical task being performed by the surgeon, can detect safety-critical events in real-time. Our approach integrates a surgical gesture classifier that infers the operational context from the time-series kinematics data of the robot with a library of erroneous gesture classifiers that given a surgical gesture can detect unsafe events. Our experiments using data from two surgical platforms show that the proposed system can detect unsafe events caused by accidental or malicious faults within an average reaction time window of 1,693 milliseconds and F1 score of 0.88 and human errors within an average reaction time window of 57 milliseconds and F1 score of 0.76.
【Keywords】: Surgery; Task analysis; Safety; Needles; Medical robotics; Monitoring
【Paper Link】 【Pages】:398-410
【Authors】: Tingting Li ; Cheng Feng ; Chris Hankin
【Abstract】: Network diversity has been widely recognized as an effective defense strategy to mitigate the spread of malware. Optimally diversifying network resources can improve the resilience of a network against malware propagation. This work proposes a scalable method to compute such an optimal deployment, in the context of upgrading a legacy Industrial Control System with modern IT infrastructure. Our approach can tolerate various constraints when searching for optimal diversification, such as outdated products and strict configuration policies. We explicitly measure the vulnerability similarity of products based on the CVE/NVD, to estimate the infection rate of malware between products. A Stuxnet-inspired case demonstrates our optimal diversification in practice, particularly when constrained by various requirements. We then measure the improved resilience of the diversified network in terms of a well-defined diversity metric and Mean-time-to-compromise (MTTC), to verify the effectiveness of our approach. Finally, we show the competitive scalability of our approach in finding optimal solutions within a couple of seconds to minutes for networks of large scales (up to 10,000 hosts) and high densities (up to 240,000 edges).
【Keywords】: ICS/SCADA Security, Network Diversity, Optimal Diversification, Malware Propagation
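One ingredient of this approach, estimating product similarity from vulnerability records, can be sketched with a Jaccard measure over CVE sets. The product-to-CVE assignments below are illustrative; the paper derives vulnerability similarity from the CVE/NVD data:

```python
# Malware able to compromise one product is assumed more likely to cross
# to another product that shares its vulnerabilities.
def vuln_similarity(cves_a: set, cves_b: set) -> float:
    """Jaccard similarity of two products' CVE sets (0 = fully diverse)."""
    if not cves_a and not cves_b:
        return 0.0
    return len(cves_a & cves_b) / len(cves_a | cves_b)

product_a = {"CVE-2017-0144", "CVE-2017-0145", "CVE-2019-0708"}
product_b = {"CVE-2017-0144", "CVE-2017-0145"}
product_c = {"CVE-2016-5195"}

print(vuln_similarity(product_a, product_b))  # ~0.67: poor diversity
print(vuln_similarity(product_a, product_c))  # 0.0: diverse pair
```

An optimal diversification then assigns products to hosts so that adjacent hosts have low pairwise similarity, subject to the deployment constraints the abstract mentions.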
【Paper Link】 【Pages】:411-423
【Authors】: Haotian Chi ; Qiang Zeng ; Xiaojiang Du ; Jiaping Yu
【Abstract】: Internet of Things platforms have made home automation applications (apps) flourish. Prior research concerns intra-app security. Our work reveals that automation apps, even when secured individually, still cause a family of threats when they interplay, termed Cross-App Interference (CAI) threats. We systematically categorize such threats and encode them using satisfiability modulo theories (SMT). We present HomeGuard, a system for detecting and handling CAI threats in real deployments. A symbolic executor is built to extract rule semantics, and instrumentation is utilized to capture configuration during app installation. Rules and configurations are checked against SMT models, whose solutions indicate the existence of the corresponding CAI threats. We further combine app functionalities, device attributes, and CAI types to label the risk level of CAI instances. In our evaluation, HomeGuard discovers 663 CAI instances from 146 SmartThings market apps, imposing minor latency upon app installation and no runtime overhead.
【Keywords】: n/a
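The SMT encoding of one CAI type can be illustrated with z3 (pip install z3-solver). The two rules below are hypothetical, whereas HomeGuard extracts real rule semantics via symbolic execution:

```python
# CAI check: can two rules fire in the same environment state and issue
# contradictory commands to the same device (window open vs. closed)?
from z3 import Bool, Int, Solver, And, sat

temp = Int("temperature")
raining = Bool("raining")

rule1_fires = temp > 75          # App 1: if hot, open the window
rule2_fires = raining            # App 2: if raining, close the window

s = Solver()
s.add(And(rule1_fires, rule2_fires))
if s.check() == sat:
    print("conflict possible, e.g.:", s.model())   # hot and raining
```

A satisfying assignment is a concrete environment state witnessing the threat, which is what makes the SMT formulation useful for reporting instances rather than just yes/no answers.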
【Paper Link】 【Pages】:424-436
【Authors】: Alysson Bessani ; Eduardo Alchieri ; João Sousa ; André Oliveira ; Fernando Pedone
【Abstract】: The popularization of blockchains leads to a resurgence of interest in Byzantine Fault-Tolerant (BFT) state machine replication protocols. However, much of the work on this topic focuses on the underlying consensus protocols, with emphasis on their lack of scalability, leaving other subtle limitations unaddressed. These limitations are related to the effects of maintaining a durable blockchain instead of a write-ahead log and the requirement for reconfiguring the set of replicas in a decentralized way. We demonstrate these limitations using a digital coin blockchain application and BFT-SMaRt, a popular BFT replication library. We show how they can be addressed both at a conceptual level, in a protocol-agnostic way, and by implementing SMaRtChain, a blockchain platform based on BFT-SMaRt. SMaRtChain improves the performance of our digital coin application by a factor of eight when compared with a naive implementation on top of BFT-SMaRt. Moreover, SMaRtChain achieves a throughput 8x and 33x better than Tendermint and Hyperledger Fabric, respectively, when ensuring strong durability on its blockchain.
【Keywords】: n/a
【Paper Link】 【Pages】:437-451
【Authors】: Chao Liu ; Sisi Duan ; Haibin Zhang
【Abstract】: Asynchronous BFT protocols such as HoneyBadgerBFT and BEAT are inherently robust against timing, performance, and denial-of-service attacks. These protocols, however, achieve only static security, where the adversary must choose the set of corrupted replicas before the execution of the protocol. This is in contrast to most existing BFT protocols (e.g., PBFT), which achieve adaptive security, where the adversary can choose to corrupt replicas at any moment during the execution of the protocol. We present EPIC, a novel and efficient asynchronous BFT protocol with adaptive security. Via a five-continent deployment on Amazon EC2, we show that for small and medium-sized networks EPIC is slightly slower than the most efficient asynchronous BFT protocols with static security. We also find that when the number of replicas is smaller than 46, EPIC's throughput is stable, achieving a peak throughput of 8,000--12,500 tx/sec using t2.medium VMs. When the network size grows larger, EPIC is not as efficient as the protocols with static security, with throughput of 4,000--6,300 tx/sec.
【Keywords】: Byzantine fault tolerance; asynchronous BFT; adaptive security; adaptively secure BFT; threshold cryptography
【Paper Link】 【Pages】:452-463
【Authors】: Mehdi Fooladgar ; Mohammad Hossein Manshaei ; Murtuza Jadliwala ; Mohammad Ashiqur Rahman
【Abstract】: Algorand is a recent, open-source public or permissionless blockchain system that employs a novel proof-of-stake Byzantine consensus protocol to efficiently scale the distributed transaction agreement problem to billions of users. Despite its promise, one relatively understudied aspect of this protocol has been the incentive compatibility of its reward sharing approach, without which cooperation among rational network users cannot be guaranteed, resulting in protocol failure. This paper is the first attempt to address this problem. By carefully modeling the participation costs and rewards received within a strategic interaction scenario in Algorand, we first show that even a small number of non-participating users (due to insufficiency of the expected incentives) can result in the network failing to append new transaction blocks. We further show that this effect, which was observed in simulations, can be formalized by means of a game-theoretic model that realistically captures the strategic interactions between users in Algorand. Specifically, we formally prove that mutual cooperation under the currently proposed reward sharing approach in Algorand is not a Nash equilibrium. To remedy this, we propose a novel reward sharing approach for Algorand and formally show that it is incentive-compatible, i.e., it can guarantee cooperation within a group of selfish users. Extensive numerical and Algorand simulation results further confirm our analytical findings. Moreover, these results show that for a given distribution of stakes in the network, our reward sharing approach can guarantee cooperation with a significantly smaller reward per round.
【Keywords】: Blockchain, Algorand, Incentive Compatibility, Game Theory, Reward Sharing
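The non-equilibrium argument boils down to comparing a user's expected reward share against the participation cost. The figures below are illustrative placeholders, not Algorand's actual parameters:

```python
# Per-round net payoff under a stake-proportional reward split.
def round_payoff(my_stake, total_stake, reward_per_round, cost_per_round):
    return reward_per_round * (my_stake / total_stake) - cost_per_round

total = 1_000_000
reward, cost = 50.0, 0.01
for stake in (100_000, 1_000, 10):
    print(stake, round(round_payoff(stake, total, reward, cost), 5))
# With these numbers the 10-unit stakeholder nets a negative payoff, so
# deviating (not participating) saves the cost: all-cooperate is then not
# a Nash equilibrium under a purely stake-proportional reward split.
```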
【Paper Link】 【Pages】:464-475
【Authors】: Siyi Lin ; Jingjing Zhang ; Weigang Wu
【Abstract】: Payment channel is an effective and popular technique to improve the scalability and throughput of blockchains by transferring transactions from on-chain to off-chain. Multiple payment channels can constitute a payment network and realize transaction execution via multi-hop paths. How to find a feasible and efficient transaction path, i.e., transaction routing, is a key issue in payment channel networks, and different solutions have been proposed. However, the problem of funds skewness, which may cause routing failures, has been largely ignored in existing routing algorithms. In this work, we design FSTR, a routing algorithm that attempts to route transactions using a funds skewness based path selection scheme so as to reduce funds skewness and increase transaction success probability. To evaluate the performance of FSTR, we conduct experiments using the real-world dataset of Ripple. The experiment results show that FSTR outperforms existing routing algorithms, in terms of success ratio, delay, and overhead.
【Keywords】: blockchain, payment channel network, transaction, routing algorithm, funds skewness
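The funds-skewness idea can be sketched as a path score. The skewness definition and names below are our simplification, not FSTR's exact metric:

```python
# Prefer candidate paths whose channels stay balanced after the payment.
def skewness(bal_fwd: int, bal_bwd: int) -> float:
    cap = bal_fwd + bal_bwd
    return abs(bal_fwd - bal_bwd) / cap if cap else 1.0

def path_score(path, amount):
    """Worst post-payment skewness along a path; None if infeasible."""
    worst = 0.0
    for fwd, bwd in path:                 # per-channel directional funds
        if fwd < amount:
            return None                   # channel cannot carry the payment
        worst = max(worst, skewness(fwd - amount, bwd + amount))
    return worst

paths = {
    "A": [(50, 50), (80, 20)],            # paying over A skews its first hop
    "B": [(60, 40), (55, 45)],
}
amount = 30
best = min((p for p in paths if path_score(paths[p], amount) is not None),
           key=lambda p: path_score(paths[p], amount))
print(best)  # "B": paying over it leaves channels closer to balanced
```

Routing toward less-skewed post-payment states keeps channel funds usable in both directions, which is what reduces future routing failures.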
【Paper Link】 【Pages】:476-488
【Authors】: Benny Fuhry ; Lina Hirschoff ; Samuel Koesnadi ; Florian Kerschbaum
【Abstract】: File sharing applications using cloud storage are increasingly popular for personal and business use. Due to data protection concerns, end-to-end encryption is often a desired feature of these applications. Many attempts at designing cryptographic solutions fail to be adopted due to missing relevant features. We present SeGShare, a new architecture for end-to-end encrypted, group-based file sharing using trusted execution environments (TEE), e.g., Intel SGX. SeGShare is the first solution to protect the confidentiality and integrity of all data and management files; enforce immediate permission and membership revocations; support deduplication; and mitigate rollback attacks. Next to authentication, authorization and file system management, our implementation features an optimized TLS layer that enables high throughput and low latency. The encryption overhead of our implementation is extremely small in computation and storage resources. Our enclave code comprises less than 8500 lines of code enabling efficient mitigation of common pitfalls in deploying code to TEEs.
【Keywords】: encrypted file sharing; cloud storage; trusted execution environment; Intel SGX; TEE
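【Sketch】: A minimal sketch of group-based file sharing mediated by a trusted component, under the assumption that file keys never leave the enclave; that assumption is what makes immediate revocation cheap, since no re-encryption is needed. The class names and API are hypothetical, the snippet requires the pyca/cryptography package, and it does not use SGX itself.

    # Group-based, permission-checked file access behind a trusted boundary.
    # Illustrative sketch only; requires `pip install cryptography`.
    import os
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM

    class Enclave:
        """Stands in for the TEE: holds file keys and enforces group ACLs."""
        def __init__(self):
            self._keys = {}    # file_id -> AES-256-GCM key (never leaves here)
            self._acl = {}     # file_id -> set of authorized users

        def upload(self, file_id, data, group):
            key = AESGCM.generate_key(bit_length=256)
            nonce = os.urandom(12)
            ct = AESGCM(key).encrypt(nonce, data, file_id.encode())
            self._keys[file_id], self._acl[file_id] = key, set(group)
            return nonce + ct          # ciphertext lives on untrusted storage

        def download(self, file_id, blob, user):
            if user not in self._acl[file_id]:
                raise PermissionError(f"{user} is not in the file's group")
            nonce, ct = blob[:12], blob[12:]
            return AESGCM(self._keys[file_id]).decrypt(nonce, ct, file_id.encode())

        def revoke(self, file_id, user):
            self._acl[file_id].discard(user)   # immediate: key never left the TEE

    e = Enclave()
    blob = e.upload("report.txt", b"quarterly numbers", group={"alice", "bob"})
    print(e.download("report.txt", blob, "alice"))
    e.revoke("report.txt", "bob")
    # e.download("report.txt", blob, "bob") would now raise PermissionError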
【Paper Link】 【Pages】:489-501
【Authors】: Cláudio Correia ; Miguel Correia ; Luís Rodrigues
【Abstract】: Edge computing is a paradigm that extends cloud computing with storage and processing capacity close to the edge of the network, typically materialized by fog nodes placed at multiple geographic locations. Fog nodes are likely to be vulnerable to tampering, so it is important to secure the functions they provide. A key building block of many distributed applications is an ordering service that keeps track of cause-effect dependencies among events and allows events to be processed in an order that respects causality. In this paper we present the design and implementation of a secure event ordering service for fog nodes. Our service, named Omega, leverages a Trusted Execution Environment (TEE) based on Intel SGX technology to offer fog clients guarantees regarding the order in which events are applied and served, even when fog nodes are compromised. We have also built OmegaKV, a key-value store that uses Omega to offer causal consistency. Experimental results show that the ordering service can be secured without violating the latency constraints of time-sensitive edge applications, despite the overhead associated with using a TEE.
【Keywords】: Security; IoT; Fog; Edge; Intel SGX
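【Sketch】: A minimal vector-clock sketch of the causal ordering such a service must track: if event e1 can have influenced event e2, a correct store applies e1 first. The Node class and API are editorial assumptions; Omega additionally relies on an SGX enclave to make the asserted order trustworthy even on compromised nodes, which this snippet does not model.

    # Vector clocks capture the cause-effect dependencies an ordering service
    # must respect. Illustrative sketch, not Omega's actual interface.

    def happened_before(a, b):
        """True if clock a causally precedes clock b."""
        return all(x <= y for x, y in zip(a, b)) and a != b

    class Node:
        def __init__(self, idx, n):
            self.idx, self.clock = idx, [0] * n

        def local_event(self):
            self.clock[self.idx] += 1
            return list(self.clock)

        def receive(self, other_clock):
            self.clock = [max(x, y) for x, y in zip(self.clock, other_clock)]
            self.clock[self.idx] += 1

    a, b = Node(0, 2), Node(1, 2)
    e1 = a.local_event()            # event at node A
    b.receive(e1)                   # B learns of e1 ...
    e2 = b.local_event()            # ... so e2 causally depends on e1
    print(happened_before(e1, e2))  # True: a correct store applies e1 before e2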
【Paper Link】 【Pages】:502-514
【Authors】: Franz Gregor ; Wojciech Ozga ; Sébastien Vaucher ; Rafael Pires ; Do Le Quoc ; Sergei Arnautov ; André Martin ; Valerio Schiavoni ; Pascal Felber ; Christof Fetzer
【Abstract】: Trust is arguably the most important challenge for critical services, both deployed and accessed remotely over the network. These systems are exposed to a wide diversity of threats, ranging from bugs to exploits, active attacks, rogue operators, or simply careless administrators. To protect such applications, one needs to guarantee that they are properly configured and securely provisioned with the "secrets" (e.g., encryption keys) necessary to preserve not only the confidentiality, integrity, and freshness of their data but also their code. Furthermore, these secrets should not be kept under the control of a single stakeholder, which might be compromised and would represent a single point of failure, and they must be protected across software versions in the sense that attackers cannot gain access to them via malicious updates. Traditional approaches to these challenges often use ad hoc techniques and ultimately rely on a hardware security module (HSM) as the root of trust. We propose a more powerful and generic approach to trust management that instead relies on trusted execution environments (TEEs) and a set of stakeholders as the root of trust. Our system, PALÆMON, can operate as a managed service deployed in an untrusted environment, i.e., one can delegate its operations to an untrusted cloud provider with the guarantee that data will remain confidential despite trusting no individual human (even with root access) and no system software. PALÆMON addresses, in a secure, efficient, and cost-effective way, five main challenges faced when developing trusted networked applications and services. Our evaluation on a range of benchmarks and real applications shows that PALÆMON performs efficiently and can protect the secrets of services without any change to their source code.
【Keywords】: PALAEMON; trust management; SGX; TEE; secrets
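【Sketch】: A toy n-of-n XOR secret sharing illustrating the "no single stakeholder as root of trust" idea from the abstract: each stakeholder holds one share, and only all shares together reconstruct the secret. This is a generic textbook construction used purely for illustration, not PALÆMON's actual protocol.

    # n-of-n XOR secret sharing: no single share reveals anything about the key.
    # Generic illustration of distributing trust across stakeholders.
    import functools
    import os

    def split(secret: bytes, n: int):
        shares = [os.urandom(len(secret)) for _ in range(n - 1)]
        last = bytes(functools.reduce(lambda x, y: x ^ y, row)
                     for row in zip(secret, *shares))
        return shares + [last]

    def combine(shares):
        return bytes(functools.reduce(lambda x, y: x ^ y, row)
                     for row in zip(*shares))

    key = os.urandom(16)            # e.g., a data-encryption key
    shares = split(key, 3)          # one share per stakeholder
    assert combine(shares) == key   # only all three together recover it
    print("recovered:", combine(shares) == key)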
【Paper Link】 【Pages】:515-527
【Authors】: Tsz On Li ; Jianyu Jiang ; Ji Qi ; Chi Chiu So ; Jiacheng Ma ; Xusheng Chen ; Tianxiang Shen ; Heming Cui ; Yuexuan Wang ; Peng Wang
【Abstract】: In the era of big data, individuals and institutions store their sensitive data on clouds, and these data are often analyzed and computed on by MapReduce frameworks (e.g., Spark). However, releasing the results of such computations may leak privacy. Differential Privacy (DP) is a powerful method to preserve the privacy of individual data records in a computation result. Given an input dataset and a query, DP typically perturbs an output value with noise proportional to the sensitivity, the greatest change in an output value when a record is added to or removed from the input dataset. Unfortunately, directly computing the sensitivity value for a query and an input dataset is computationally infeasible, because it requires adding or removing every record from the dataset and repeatedly running the same query: a dataset of one million input records requires running the same query more than one million times. This paper presents UPA, the first automated, accurate, and efficient sensitivity-inferring approach for big-data mining applications. Our key observation is that MapReduce operators often have commutative and associative properties in order to enable parallelism and fault tolerance across computers. UPA can therefore greatly reduce the repeated computations at runtime while automatically computing a precise sensitivity value for general big-data queries. We compared UPA with FLEX, the most relevant prior work, which statically analyzes queries to infer sensitivity values. In an extensive evaluation on nine diverse Spark queries, UPA supports all nine evaluated queries, while FLEX supports only five of the nine. For the five queries that both UPA and FLEX support, UPA enforces DP with sensitivity values that are five orders of magnitude more accurate than FLEX's. UPA has reasonable performance overhead compared to native Spark. UPA's source code is available at https://github.com/hku-systems/UPA.
【Keywords】: n/a
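【Sketch】: A small illustration of the two facts the abstract leans on: noise in the Laplace mechanism scales with sensitivity, and computing sensitivity naively by leave-one-out re-execution costs one query run per record, whereas for a commutative/associative aggregation over clipped records the sensitivity is known in closed form. The clipped-sum query and all numbers are editorial assumptions, not the paper's Spark benchmarks.

    # Laplace mechanism with sensitivity, and why naive sensitivity computation
    # is expensive. Illustrative assumptions throughout.
    import random

    def query(dataset):
        """A commutative/associative aggregation: sum of records clipped to 10."""
        return sum(min(x, 10.0) for x in dataset)

    def naive_sensitivity(dataset):
        """Leave-one-out re-execution: one extra query run per record."""
        full = query(dataset)
        return max(abs(full - query(dataset[:i] + dataset[i + 1:]))
                   for i in range(len(dataset)))

    data = [random.uniform(0, 20) for _ in range(1000)]
    s_naive = naive_sensitivity(data)   # ~1000 query runs for this dataset alone
    s_closed = 10.0                     # closed form: removing a clipped record
                                        # moves the sum by at most the clip bound

    epsilon = 1.0                       # privacy budget
    # Laplace(0, s/epsilon) sampled as a sign-flipped exponential
    noise = random.expovariate(epsilon / s_closed) * random.choice([-1, 1])
    print(f"naive sensitivity={s_naive:.2f}, closed form={s_closed}, "
          f"noisy result={query(data) + noise:.2f}")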
【Paper Link】 【Pages】:528-539
【Authors】: Zaeem Hussain ; Taieb Znati ; Rami G. Melhem
【Abstract】: Reliability-aware speedup models study the expected speedup of a parallel application as a function of the number of processors on a platform susceptible to processor failures. Existing works in this area have developed models using checkpoint-restart (without replication) as the only fault tolerance mechanism, and have studied the upper bound on the number of processors beyond which the application speedup starts to degrade due to the increasing likelihood of failure. In this work, we develop speedup models in which replication, specifically dual replication, is also employed for resilience. We demonstrate that the upper bound on the number of processors to execute a perfectly parallel application using dual replication is of the order of λ^-2, where λ is the individual processor failure rate. We also compare the dual replication model with that of no replication. Specifically, we find that, given the same hardware resources, replication starts offering better speedup just before the upper bound on the number of processors for no replication is reached. Taken together, our results indicate that replication can significantly enhance reliability-aware speedup models by i) pushing the number of processors that yield the optimal speedup to a much higher value than is possible without replication, and ii) improving on the optimal speedup possible through checkpoint-restart alone.
【Keywords】: fault tolerance; reliability; speedup; modelling; parallel; hpc
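【Sketch】: A back-of-the-envelope illustration of why dual replication pushes the useful processor count toward the order of λ^-2: a replicated pair is lost in an execution interval only if both replicas fail, so the per-interval pair failure probability is quadratic in λ. The interval model and numbers are editorial assumptions, not the paper's actual analysis.

    # Interval-failure model comparing no replication with dual replication.
    # Illustrative assumptions, not the paper's model.
    lam = 1e-6      # per-processor failure probability per execution interval

    for p in [10 ** k for k in range(3, 8)]:
        p_fail_norep = 1 - (1 - lam) ** p            # any of p processors fails
        pairs = p // 2                               # dual replication: p/2 pairs
        p_fail_dual = 1 - (1 - lam ** 2) ** pairs    # a pair is lost only if
                                                     # both of its replicas fail
        print(f"p={p:>9,}  no-replication ~{p_fail_norep:.3e}  dual ~{p_fail_dual:.3e}")

In the printout, the unreplicated configuration becomes unreliable once p approaches 1/λ, while the dual-replicated one stays dependable until p approaches 1/λ^2, matching the order of the bound stated in the abstract.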
【Paper Link】 【Pages】:540-551
【Authors】: Doganalp Ergenc ; Jacek Rak ; Mathias Fischer
【Abstract】: Embedded IoT networks are the backbone of safety-critical systems like smart factories, autonomous vehicles, and airplanes. Therefore, resilience against failures and attacks should be a primary concern already at the design stage. In this study, we introduce a service-based network model, formulated as an MILP optimization problem, for the efficient deployment of a service overlay onto the embedded network while meeting QoS and resilience requirements. We show the complexity and boundaries of the problem and propose several heuristics that relax the service deployment problem and increase fault tolerance against node and link failures. Our results indicate that, for small problem sizes, the heuristics achieve results close to the optimum with solution times up to 10^8 times shorter. We also show that the heuristics can solve larger problem instances and can maintain service availability under 85% of all potential single-node failures.
【Keywords】: Resilience, service overlay, optimization, embedded IoT systems
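【Sketch】: A greedy toy heuristic in the spirit of relaxing an exact placement formulation: assign services, largest demand first, to the node with the most residual capacity, which spreads load and limits how many services any single node failure takes down. Node capacities, service demands, and the rule itself are editorial assumptions, not the paper's MILP or heuristics.

    # Greedy service placement: largest demand first, most residual capacity wins.
    # Illustrative assumptions throughout.

    nodes = {"n1": 10.0, "n2": 8.0, "n3": 6.0}    # CPU capacity per node
    services = {"brakes": 4.0, "camera": 3.0, "infotainment": 2.0, "logging": 2.0}

    placement, residual = {}, dict(nodes)
    for svc, demand in sorted(services.items(), key=lambda kv: -kv[1]):
        node = max(residual, key=residual.get)     # node with most headroom
        if residual[node] < demand:
            raise RuntimeError(f"no node can host {svc}")
        placement[svc] = node
        residual[node] -= demand

    print(placement)   # heavy services end up spread across distinct nodes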
【Paper Link】 【Pages】:552-563
【Authors】: Bin Nie ; Jianwu Xu ; Jacob Alter ; Haifeng Chen ; Evgenia Smirni
【Abstract】: Modern physical systems deploy large numbers of sensors that record, at different time-stamps, the status of various system components via measurements such as temperature, pressure, and speed, but also each component's categorical state. Depending on the measurement values, there are two kinds of sequences: continuous and discrete. For continuous sequences, there is a host of state-of-the-art anomaly detection algorithms based on time-series analysis, but there is a lack of effective methodologies tailored specifically to discrete event sequences. This paper proposes an analytics framework for discrete event sequences for knowledge discovery and anomaly detection. During the training phase, the framework extracts pairwise relationships among discrete event sequences using a neural machine translation model, viewing each discrete event sequence as a "natural language". The relationship between two sequences is quantified by how well one sequence is "translated" into the other. These pairwise relationships are aggregated into a multivariate relationship graph that captures the structural knowledge of the underlying system and essentially discovers the hidden relationships among discrete sequences. This graph quantifies system behavior during normal operation. During testing, if one or more pairwise relationships are violated, an anomaly is detected. The proposed framework is evaluated on two real-world datasets: a proprietary dataset collected from a physical plant, where it is shown to be effective in extracting sensor pairwise relationships for knowledge discovery and anomaly detection, and a public hard disk drive dataset, where its ability to predict upcoming disk failures is illustrated.
【Keywords】: anomaly detection, categorical event sequences, discrete event sequences, rare events, unsupervised learning, physical plant failures, disk failures
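【Sketch】: A count-based stand-in for the pairwise "translation" idea in the abstract: learn how well events in one discrete sequence predict time-aligned events in another, record the normal agreement level, and flag test windows where it collapses. The paper uses a neural machine translation model; the frequency table here is a deliberately simplified substitute, and the sensor data is synthetic.

    # Pairwise predictability between two discrete event sequences, with a
    # drop in agreement flagged as an anomaly. Simplified, synthetic sketch.
    from collections import Counter, defaultdict

    def fit(src, dst):
        """Learn the most likely dst event for each src event (a crude
        substitute for the paper's translation model)."""
        table = defaultdict(Counter)
        for s, d in zip(src, dst):
            table[s][d] += 1
        return {s: c.most_common(1)[0][0] for s, c in table.items()}

    def agreement(model, src, dst):
        hits = sum(model.get(s) == d for s, d in zip(src, dst))
        return hits / len(src)

    train_a = ["idle", "spin", "spin", "idle", "spin"] * 40
    train_b = ["cool", "heat", "heat", "cool", "heat"] * 40   # tightly coupled
    model = fit(train_a, train_b)

    normal = agreement(model, train_a, train_b)               # ~1.0 when healthy
    test_b = ["cool", "cool", "heat", "cool", "cool"] * 40    # relation violated
    print(normal, agreement(model, train_a, test_b))          # drop => anomaly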
【Paper Link】 【Pages】:564-571
【Authors】: Han Wu ; Zhihao Shang ; Katinka Wolter
【Abstract】: The rise of streaming data processing is driven by the mass deployment of sensors, the increasing popularity of mobile devices, and the rapid growth of online financial trading. Apache Kafka is often used as a real-time messaging system feeding stream processors. However, efficiently running Kafka as a reliable data source is challenging, especially for real-time processing over unstable network connections. We find that changing configuration parameters can significantly affect Kafka's message delivery guarantees. The key to solving this problem is therefore to predict the reliability of Kafka under given configurations and network conditions. We define two reliability metrics to be predicted: the probability of message loss and the probability of message duplication. Our prediction model applies artificial neural networks (ANNs), using selected key configuration parameters and network metrics as features. To collect sufficient training data for the model, we built a Kafka testbed based on Docker containers. With the neural network model we can predict Kafka's reliability for different application scenarios under various network environments. Combining the predicted reliability with other metrics that a streaming application user may care about, we propose a weighted key performance indicator (KPI) for Kafka that guides the selection of suitable configuration parameters. In our experiments, we further propose a simple dynamic configuration scheme that significantly improves reliability while preserving message timeliness.
【Keywords】: Stream processing; Reliability; Apache Kafka; Machine Learning; Docker
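【Sketch】: A minimal sketch of the weighted-KPI selection step: normalize each metric, combine the predicted loss and duplication probabilities with latency under user-chosen weights, and pick the configuration with the best score. The candidate configurations, predicted values, and weights are all editorial assumptions (the paper obtains the probabilities from a trained ANN rather than hard-coding them).

    # Weighted-KPI sketch for choosing among Kafka configurations.
    # All inputs are illustrative assumptions.

    candidates = [
        # (configuration, predicted P(loss), predicted P(duplicate), latency ms)
        ("acks=1, retries=0",    0.020, 0.000, 12.0),
        ("acks=all, retries=3",  0.001, 0.015, 35.0),
        ("acks=all, idempotent", 0.001, 0.000, 48.0),
    ]
    weights = {"loss": 0.6, "dup": 0.2, "latency": 0.2}   # user priorities

    def normalize(values):
        """Scale a metric to [0, 1]; lower stays better."""
        hi = max(values)
        return [v / hi if hi else 0.0 for v in values]

    loss = normalize([c[1] for c in candidates])
    dup = normalize([c[2] for c in candidates])
    lat = normalize([c[3] for c in candidates])

    scores = [weights["loss"] * l + weights["dup"] * d + weights["latency"] * t
              for l, d, t in zip(loss, dup, lat)]
    best = min(zip(scores, (c[0] for c in candidates)))
    print(f"chosen configuration: {best[1]} (KPI={best[0]:.3f})")

With these weights the loss-averse user ends up with the slowest but most reliable configuration; shifting weight onto latency would flip the choice, which is exactly the trade-off the KPI is meant to expose.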