This paper promotes accountability as a central design goal for dependable networked systems. We define three properties for accountable systems that extend beyond the basic security properties of authentication, privacy, and integrity. These accountability properties reduce the vulnerability of network services to subversion, tampering, corruption, and abuse. For example, actions taken in accountable systems and their clients are provable or even legally binding, to support contractual relationships in federated systems.We propose a framework for accountable network services, and explore its applicability and limitations. The foundation of our approach is to preserve digitally signed records of actions and/or internal state snapshots of each service, and use them to detect tampering, verify the consistency of actions and behavior, and prove responsibility for unexpected states or actions. We outline the key challenges in generalizing the principles and methodology of accountable design for practical use.
{"title":"Trust but verify: accountability for network services","authors":"Aydan R. Yumerefendi, J. Chase","doi":"10.1145/1133572.1133585","DOIUrl":"https://doi.org/10.1145/1133572.1133585","url":null,"abstract":"This paper promotes accountability as a central design goal for dependable networked systems. We define three properties for accountable systems that extend beyond the basic security properties of authentication, privacy, and integrity. These accountability properties reduce the vulnerability of network services to subversion, tampering, corruption, and abuse. For example, actions taken in accountable systems and their clients are provable or even legally binding, to support contractual relationships in federated systems.We propose a framework for accountable network services, and explore its applicability and limitations. The foundation of our approach is to preserve digitally signed records of actions and/or internal state snapshots of each service, and use them to detect tampering, verify the consistency of actions and behavior, and prove responsibility for unexpected states or actions. We outline the key challenges in generalizing the principles and methodology of accountable design for practical use.","PeriodicalId":285758,"journal":{"name":"EW 11","volume":"48 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2004-09-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121115263","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Building reliable data storage from unreliable components presents many challenges and is of particular interest for peer-to-peer storage systems. Recent work has examined the trade-offs associated with ensuring data availability in such systems. Reliability, however, is more than just availability. In fact, the durability of data is typically of more paramount concern. While users are likely to tolerate occasional disconnection from their data (they will likely have no choice in the matter), they demand a much stronger guarantee that their data is never permanently lost due to failure. To deliver strong durability guarantees efficiently, however, requires decoupling durability from availability. This paper describes the design of a data redundancy scheme that guarantees durability independently from availability. We provide a formula for determining the rate of redundancy repair when durability is the only concern and show that availability requires much more frequent repair. We simulate modified versions of the Total Recall block store that incorporate our design. Our results show that we can deliver durability more cheaply than availability, reducing network overhead by between 50% and 97%.
{"title":"Separating durability and availability in self-managed storage","authors":"Geoffrey Lefebvre, M. Feeley","doi":"10.1145/1133572.1133576","DOIUrl":"https://doi.org/10.1145/1133572.1133576","url":null,"abstract":"Building reliable data storage from unreliable components presents many challenges and is of particular interest for peer-to-peer storage systems. Recent work has examined the trade-offs associated with ensuring data availability in such systems. Reliability, however, is more than just availability. In fact, the durability of data is typically of more paramount concern. While users are likely to tolerate occasional disconnection from their data (they will likely have no choice in the matter), they demand a much stronger guarantee that their data is never permanently lost due to failure. To deliver strong durability guarantees efficiently, however, requires decoupling durability from availability. This paper describes the design of a data redundancy scheme that guarantees durability independently from availability. We provide a formula for determining the rate of redundancy repair when durability is the only concern and show that availability requires much more frequent repair. We simulate modified versions of the Total Recall block store that incorporate our design. Our results show that we can deliver durability more cheaply than availability, reducing network overhead by between 50% and 97%.","PeriodicalId":285758,"journal":{"name":"EW 11","volume":"7 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2004-09-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114942356","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Web application workloads are often characterized by a large number of unique read requests and a significant fraction of write requests. Hosting these applications drives the need for the next generation CDN architecture that does more than caching the results of Web applications but replicates both the application code and its underlying data. We propose the design of a system that guarantees strong consistency for Web applications with high scalability. The proposed system is based on partial replication, where data units are replicated only to servers that access them often. This reduces the consistency overhead as updates are sent to a reduced number of servers. The novelty of our system is that the proposed partial replication is performed by the system automatically by analyzing the system's access patterns periodically. We explore the design space of this system, find the key issues that need to be addressed to build it and propose solutions to solve them. We further show that the proposed algorithms offer significant performance gains compared to existing solutions for a wide range of Web access patterns.
{"title":"Scalable strong consistency for web applications","authors":"S. Sivasubramanian, G. Pierre, M. Steen","doi":"10.1145/1133572.1133581","DOIUrl":"https://doi.org/10.1145/1133572.1133581","url":null,"abstract":"Web application workloads are often characterized by a large number of unique read requests and a significant fraction of write requests. Hosting these applications drives the need for the next generation CDN architecture that does more than caching the results of Web applications but replicates both the application code and its underlying data. We propose the design of a system that guarantees strong consistency for Web applications with high scalability. The proposed system is based on partial replication, where data units are replicated only to servers that access them often. This reduces the consistency overhead as updates are sent to a reduced number of servers. The novelty of our system is that the proposed partial replication is performed by the system automatically by analyzing the system's access patterns periodically. We explore the design space of this system, find the key issues that need to be addressed to build it and propose solutions to solve them. We further show that the proposed algorithms offer significant performance gains compared to existing solutions for a wide range of Web access patterns.","PeriodicalId":285758,"journal":{"name":"EW 11","volume":"57 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2004-09-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123825293","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Recent research works have been presented on conserving energy for multi-disk systems either at a single disk drive level or at a storage system level and thereby having certain limitations. This paper studies several new redundancy-based, power-aware, I/O request scheduling and cache management policies at the RAID controller level to build energy-efficient RAID systems, by exploiting the redundant information and destage issues of the array for two popular RAID levels, RAID 1 and RAID 5. For RAID 1, we develop a Windowed Round Robin (WRR) request scheduling policy; for RAID 5, we introduce a N-chance Power Aware cache replacement algorithm (NPA) for writes and a Power-Directed, Transformable (PDT) request scheduling policy for reads. Trace-driven simulation proves EERAID saves much more energy than legacy RAIDs and existing solutions.
{"title":"EERAID: energy efficient redundant and inexpensive disk array","authors":"Dong Li, Jun Wang","doi":"10.1145/1133572.1133577","DOIUrl":"https://doi.org/10.1145/1133572.1133577","url":null,"abstract":"Recent research works have been presented on conserving energy for multi-disk systems either at a single disk drive level or at a storage system level and thereby having certain limitations. This paper studies several new redundancy-based, power-aware, I/O request scheduling and cache management policies at the RAID controller level to build energy-efficient RAID systems, by exploiting the redundant information and destage issues of the array for two popular RAID levels, RAID 1 and RAID 5. For RAID 1, we develop a Windowed Round Robin (WRR) request scheduling policy; for RAID 5, we introduce a N-chance Power Aware cache replacement algorithm (NPA) for writes and a Power-Directed, Transformable (PDT) request scheduling policy for reads. Trace-driven simulation proves EERAID saves much more energy than legacy RAIDs and existing solutions.","PeriodicalId":285758,"journal":{"name":"EW 11","volume":"106 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2004-09-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121200549","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Service discovery in Ubiquitous Computing is a task that has to be done frequently due to dynamically changing environments. The limited battery power of mobile devices requires us to optimize frequent and energy costly tasks, especially the ones incurring in communication activities. In this paper we present a novel service discovery algorithm based on node clustering. Nodes within a cluster may sleep to save energy when idle. A cluster head node is always active and answers discovery requests on behalf of other nodes to achieve low discovery latencies. Simulation experiments show energy savings of up to 66% compared to an approach where all nodes are permanently active while the discovery latencies were not increased.
{"title":"Energy-efficient cluster-based service discovery for Ubiquitous Computing","authors":"Gregor Schiele, C. Becker, K. Rothermel","doi":"10.1145/1133572.1133604","DOIUrl":"https://doi.org/10.1145/1133572.1133604","url":null,"abstract":"Service discovery in Ubiquitous Computing is a task that has to be done frequently due to dynamically changing environments. The limited battery power of mobile devices requires us to optimize frequent and energy costly tasks, especially the ones incurring in communication activities. In this paper we present a novel service discovery algorithm based on node clustering. Nodes within a cluster may sleep to save energy when idle. A cluster head node is always active and answers discovery requests on behalf of other nodes to achieve low discovery latencies. Simulation experiments show energy savings of up to 66% compared to an approach where all nodes are permanently active while the discovery latencies were not increased.","PeriodicalId":285758,"journal":{"name":"EW 11","volume":"100 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2004-09-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115798469","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Chad Yoshikawa, Brent N. Chun, Amin Vahdat, Fred S. Annexstein, K. Berman
In this paper we take the position that current research in the area of distributed systems has all but forgotten about one of the largest collective Internet resources - the NATed node. These are hosts that are behind Network Address Translation (NAT) gateways and are hidden by the fact that they have private IP addresses. We argue that Distributed-Hash Tables [20], P2P systems [6], and Grid Computing [10] could greatly benefit by tapping into this forgotten pool of resources. Also, we give an outline of a service, the Distributed-Hash Queue (DHQ), that can enable these NATed resources to be exploited.
{"title":"The lonely NATed node","authors":"Chad Yoshikawa, Brent N. Chun, Amin Vahdat, Fred S. Annexstein, K. Berman","doi":"10.1145/1133572.1133584","DOIUrl":"https://doi.org/10.1145/1133572.1133584","url":null,"abstract":"In this paper we take the position that current research in the area of distributed systems has all but forgotten about one of the largest collective Internet resources - the NATed node. These are hosts that are behind Network Address Translation (NAT) gateways and are hidden by the fact that they have private IP addresses. We argue that Distributed-Hash Tables [20], P2P systems [6], and Grid Computing [10] could greatly benefit by tapping into this forgotten pool of resources. Also, we give an outline of a service, the Distributed-Hash Queue (DHQ), that can enable these NATed resources to be exploited.","PeriodicalId":285758,"journal":{"name":"EW 11","volume":"102 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2004-09-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115853826","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Gilles Muller, J. Lawall, Jean-Marc Menaud, Mario Südholt
Implementing an extension of a legacy operating system requires knowing what functionalities the extension should provide and how the extension should be integrated with the legacy code. To resolve the first problem, we propose that the use of a component model can make explicit the interface between an extension and legacy code. To resolve the second problem, we propose to augment interface specifications with rewrite rules that integrate support for extensions in the legacy code. We illustrate our approach using extensions that add new scheduling policies to Linux and prefetching to the Squid Web cache. In both cases a small number of rules are sufficient to describe modifications that apply across the implementation of a large legacy system.
{"title":"Constructing component-based extension interfaces in legacy systems code","authors":"Gilles Muller, J. Lawall, Jean-Marc Menaud, Mario Südholt","doi":"10.1145/1133572.1133605","DOIUrl":"https://doi.org/10.1145/1133572.1133605","url":null,"abstract":"Implementing an extension of a legacy operating system requires knowing what functionalities the extension should provide and how the extension should be integrated with the legacy code. To resolve the first problem, we propose that the use of a component model can make explicit the interface between an extension and legacy code. To resolve the second problem, we propose to augment interface specifications with rewrite rules that integrate support for extensions in the legacy code. We illustrate our approach using extensions that add new scheduling policies to Linux and prefetching to the Squid Web cache. In both cases a small number of rules are sufficient to describe modifications that apply across the implementation of a large legacy system.","PeriodicalId":285758,"journal":{"name":"EW 11","volume":"30 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2004-09-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131104837","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Overlay networks are widely used to deploy functionality at edge nodes without changing network routers. Each node in an overlay network maintains pointers to a set of neighbor nodes. These pointers are used both to maintain the overlay and to implement application functionality, for example, to locate content stored by overlay nodes. If an attacker controls a large fraction of the neighbors of correct nodes, it can "eclipse" correct nodes and prevent correct overlay operation. This Eclipse attack is more general than the Sybil attack. Attackers can use a Sybil attack to launch an Eclipse attack by inventing a large number of seemingly distinct overlay nodes. However, defenses against Sybil attacks do not prevent Eclipse attacks because attackers may manipulate the overlay maintenance algorithm to mount an Eclipse attack. This paper discusses the impact of the Eclipse attack on several types of overlay and it proposes a novel defense that prevents the attack by bounding the degree of overlay nodes. Our defense can be applied to any overlay and it enables secure implementations of overlay optimizations that choose neighbors according to metrics like proximity. We present preliminary results that demonstrate the importance of defending against the Eclipse attack and show that our defense is effective.
{"title":"Defending against eclipse attacks on overlay networks","authors":"Atul Singh, M. Castro, P. Druschel, A. Rowstron","doi":"10.1145/1133572.1133613","DOIUrl":"https://doi.org/10.1145/1133572.1133613","url":null,"abstract":"Overlay networks are widely used to deploy functionality at edge nodes without changing network routers. Each node in an overlay network maintains pointers to a set of neighbor nodes. These pointers are used both to maintain the overlay and to implement application functionality, for example, to locate content stored by overlay nodes. If an attacker controls a large fraction of the neighbors of correct nodes, it can \"eclipse\" correct nodes and prevent correct overlay operation. This Eclipse attack is more general than the Sybil attack. Attackers can use a Sybil attack to launch an Eclipse attack by inventing a large number of seemingly distinct overlay nodes. However, defenses against Sybil attacks do not prevent Eclipse attacks because attackers may manipulate the overlay maintenance algorithm to mount an Eclipse attack. This paper discusses the impact of the Eclipse attack on several types of overlay and it proposes a novel defense that prevents the attack by bounding the degree of overlay nodes. Our defense can be applied to any overlay and it enables secure implementations of overlay optimizations that choose neighbors according to metrics like proximity. We present preliminary results that demonstrate the importance of defending against the Eclipse attack and show that our defense is effective.","PeriodicalId":285758,"journal":{"name":"EW 11","volume":"8 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2004-09-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129879176","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
J. Ledlie, Jeffrey Shneidman, M. Welsh, M. Roussopoulos, M. Seltzer
Research in sensor networks, continuous queries (CQ), and other domains has been motivated by powerful applications that aim to aggregate, assimilate, and interact with scores of sensor networks in parallel. Numerous system ingredients are necessary to make these applications possible. Sensor network research is building some of these components from the bottom up, dealing with issues such as wireless connectivity and battery life. CQ, peer-to-peer (P2P), and other research areas are building top down, examining in-network services, naming, decentralized queries, and scale. While many research groups use the same types of applications to motivate their work, many of these applications cannot be built today because of missing bridge research. These challenges include: uniting vastly differing devices and services, managing intermittent connectivity, placing in-network services with QoS and other constraints, developing unified security models, and correlating between sensor networks. This paper distills these new problems and outlines one proposed system that explores solutions to these concerns.
{"title":"Open problems in data collection networks","authors":"J. Ledlie, Jeffrey Shneidman, M. Welsh, M. Roussopoulos, M. Seltzer","doi":"10.1145/1133572.1133575","DOIUrl":"https://doi.org/10.1145/1133572.1133575","url":null,"abstract":"Research in sensor networks, continuous queries (CQ), and other domains has been motivated by powerful applications that aim to aggregate, assimilate, and interact with scores of sensor networks in parallel. Numerous system ingredients are necessary to make these applications possible. Sensor network research is building some of these components from the bottom up, dealing with issues such as wireless connectivity and battery life. CQ, peer-to-peer (P2P), and other research areas are building top down, examining in-network services, naming, decentralized queries, and scale. While many research groups use the same types of applications to motivate their work, many of these applications cannot be built today because of missing bridge research. These challenges include: uniting vastly differing devices and services, managing intermittent connectivity, placing in-network services with QoS and other constraints, developing unified security models, and correlating between sensor networks. This paper distills these new problems and outlines one proposed system that explores solutions to these concerns.","PeriodicalId":285758,"journal":{"name":"EW 11","volume":"92 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2004-09-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134460451","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Alexandra Fedorova, Christopher Small, Daniel Nussbaum, M. Seltzer
The unpredictable nature of modern workloads, characterized by frequent branches and control transfers, can result in processor pipeline utilization as low as 19%. Chip multithreading (CMT), a processor architecture combining chip multiprocessing and hardware multithreading, is designed to address this issue. Hardware vendors plan to ship CMT systems within the next two years; understanding how such systems will perform is crucial if we are to use them to full advantage.Our simulation experiments show that a CMT-savvy operating system scheduler could improve application performance by a factor of two. In this paper we describe our initial analysis of application performance on CMT systems and propose a design for a scheduler tailored for the needs of a CMT system.
{"title":"Chip multithreading systems need a new operating system scheduler","authors":"Alexandra Fedorova, Christopher Small, Daniel Nussbaum, M. Seltzer","doi":"10.1145/1133572.1133597","DOIUrl":"https://doi.org/10.1145/1133572.1133597","url":null,"abstract":"The unpredictable nature of modern workloads, characterized by frequent branches and control transfers, can result in processor pipeline utilization as low as 19%. Chip multithreading (CMT), a processor architecture combining chip multiprocessing and hardware multithreading, is designed to address this issue. Hardware vendors plan to ship CMT systems within the next two years; understanding how such systems will perform is crucial if we are to use them to full advantage.Our simulation experiments show that a CMT-savvy operating system scheduler could improve application performance by a factor of two. In this paper we describe our initial analysis of application performance on CMT systems and propose a design for a scheduler tailored for the needs of a CMT system.","PeriodicalId":285758,"journal":{"name":"EW 11","volume":"45 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2004-09-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127158142","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: