Systems and Networking Session
9:00am-12:00pm, February 24 on Zoom
The increase in large-scale distributed systems used by almost every service on the internet requires more sophisticated management of traffic, resources, and adversaries. It plays an increasingly important role as the internet and large-scale services become accessible in more areas of the world every day. Decentralized systems, on the other hand, are a relatively new field that has invigorated the security field with the introduction of digital, programmable money. Such systems have forced security professionals to consider a whole new class of adversaries and how to design systems around them. However, as decentralized systems begin scaling to large populations, the two areas start to overlap. The principles and research happening in the networking world have become ever more important to scaling cryptocurrencies.
In this session, we explore networking and decentralized systems research, both where they differ and where they overlap. The Systems and Networking session will have a keynote speech by Prof. J. Alex Halderman, a prominent researcher in the area.
“Computer Security and Privacy for Populations Undergoing Change or Crises”
Abstract: Through this talk, I explore how change or crisis contributes to making populations vulnerable to security and privacy threats. I argue that designing systems and technologies for users in crisis is critical to supporting all users, and that not designing for change makes vulnerable populations more vulnerable. I suggest this connection exists between change/crisis and vulnerability for three reasons. First, when someone experiences crisis, new threats, risks, assets, and actors arise; if they do not update their personal threat model, it may be incomplete or inaccurate, making them unable to respond to extant threats. Second, even if they are aware of all threats, they may be unable to prioritize security and privacy, as other needs may be more important in a crisis. Third, I argue that technology is not culturally or politically neutral, and that when the design of technology is misaligned with the needs and threat models of a user group, those users are made more vulnerable by that technology. I explore these three themes through two research endeavors with (a) refugees, who experience change at an individual or familial level, and (b) activists in Sudan during the 2018-2019 revolution, who experienced change at a regional level.
Biography: Lucy Simko is a PhD candidate at the University of Washington’s Paul G. Allen School of Computer Science and Engineering and she was recently a remote intern at the Max Planck Institute for Security and Privacy. Her work focuses on the security and privacy-related needs and practices of populations experiencing crises or times of instability. Her research has been published at IEEE Security & Privacy, PETS, CHI, and IDC, and she is the recipient of a National Science Foundation Graduate Research Fellowship.
“Leveraging Service Meshes as a New Network Layer”
Abstract: As modern cloud services have scaled out, applications have moved from relatively monolithic designs to highly modularized fleets of microservices that communicate among each other to perform application-level tasks. These microservices effectively form a network at the application layer, and service mesh frameworks have recently emerged to factor out microservices’ common communication functionality.
This work seeks to highlight the emergence of service meshes as what is effectively a new layer in the networking stack, and the associated new challenges and opportunities. As a case study, we leverage the fact that service meshes can be better informed about application needs, and design a system that utilizes provenance tracing within the service mesh to perform cross-layer prioritization of latency-sensitive requests, within an application serving a mix of workloads. Broadly speaking, we believe that as applications factor out communication into service meshes, an exciting new domain is opening that can utilize techniques from the networking community to improve application performance.
Biography: Sachin Ashok is a 2nd year PhD student in the Department of Computer Science at the University of Illinois Urbana-Champaign, where he’s co-advised by Prof. Radhika Mittal and Prof. Brighten Godfrey. He was previously a Research Fellow at Microsoft Research India, where he worked on congestion control and network simulation with Dr Venkat Padmanabhan. His interests lie in the broad area of networked systems, and recently, he’s been excited about optimizing networking for microservices.
“IceClave: A Trusted Execution Environment for In-Storage Computing”
Abstract: In-storage computing with modern solid-state drives (SSDs) enables developers to offload programs from the host to the SSD. It has been proven to be an effective approach to alleviating the I/O bottleneck. To facilitate in-storage computing, many frameworks have been proposed. However, few of them treat in-storage security as the first citizen. Specifically, since modern SSD controllers do not have a trusted execution environment, an offloaded (malicious) program could steal, modify, and destroy the data stored in the SSD, which hinders the wide adoption of in-storage computing.
In our work, we first investigate the attacks that could be conducted by offloaded in-storage programs. To defend against these attacks, we build a lightweight trusted execution environment, named IceClave, for in-storage computing. IceClave protects in-storage applications and flash management functions with security isolation and memory encryption and integrity verification of in-storage DRAM. We develop IceClave with a full system simulator as well as a real programmable SSD board. Compared to state-of-the-art in-storage computing approaches, IceClave introduces 6.2% performance overhead and minimal hardware cost. IceClave delivers up to 2.31x better performance than the conventional host-based computing.
Biography: Yuqi Xue is a first-year PhD student from the Department of ECE at UIUC. He is interested in computer architecture with a special focus on memory and storage system architecture for accelerators.
“Lord of the Ring(s): Side Channel Attacks on the CPU On-Chip Ring Interconnect Are Practical”
We introduce the first microarchitectural side channel attacks that leverage contention on the CPU ring interconnect. There are two challenges that make it uniquely difficult to exploit this channel. First, little is known about the ring interconnect’s functioning and complex architecture. Second, information that can be learned by an attacker through ring contention is noisy by nature and has coarse spatial granularity. To address the first challenge, we perform a thorough reverse engineering of the sophisticated protocols that handle communication on the ring interconnect. With this knowledge, we build a cross-core covert channel over the ring interconnect with a capacity of over 4 Mbps from a single thread, the largest to date for a cross-core channel not relying on shared memory. To address the second challenge, we leverage the fine-grained temporal patterns of ring contention to infer a victim program’s secrets. We demonstrate our attack by extracting key bits from vulnerable EdDSA and RSA implementations, as well as inferring the precise timing of keystrokes typed by a victim user.
“Pinpointing crash-consistency bugs in the HPC I/O stack: a cross-layer approach”
We present ParaCrash, a testing framework for studying crash recovery in a typical HPC I/O stack, and demonstrate its use by identifying 15 new crash-consistency bugs in various parallel file systems (PFS) and I/O libraries. ParaCrash uses a “golden version” approach to test the entire HPC I/O stack: storage state after recovery from a crash is correct if it matches the state that can be achieved by a partial execution with no crashes. It supports systematic testing of a multilayered I/O stack while properly identifying the layer responsible for the bugs.
For more information, please contact the session chair, Sourav Das.