Presentation is loading. Please wait.

Presentation is loading. Please wait.

Building diagnosable distributed systems Petros Maniatis Intel Research Berkeley ICSI – Security Crystal Ball.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Building diagnosable distributed systems Petros Maniatis Intel Research Berkeley ICSI – Security Crystal Ball."— Presentation transcript:

1 Building diagnosable distributed systems Petros Maniatis Intel Research Berkeley ICSI – Security Crystal Ball

2 …and how that’s going to solve all of our (security) problems Petros Maniatis Intel Research Berkeley ICSI – Security Crystal Ball

3 6/17/2015Petros Maniatis3 Why distributed systems are hard In every application, organizing distributed resources has unique needs Low latency, high bandwidth, high reliability, tolerance to churn, anonymity, long-term preservation, undeniable transactions, … So, for every application one must Figure out right properties Get the algorithms/protocols Implement them Tune them Test them Debug them Repeat

4 6/17/2015Petros Maniatis4 Why distributed systems are hard (among other things) In every application, organizing distributed resources has unique needs Low latency, high bandwidth, high reliability, tolerance to churn, anonymity, long-term preservation, undeniable transactions, … So, for every application one must Figure out right properties  No global view Get the algorithms/protocols  Bad algorithm choice Implement them  Incorrect implementation Tune them  Psychotic timeouts Test them  Partial failures Debug them  Biased introspection Repeat  Homicidal boredom

5 6/17/2015Petros Maniatis5 (Security) Problems in Distributed Systems Local problems contributing to general mess Stepping stones Statistics fudging –Generate traffic that reduces discrimination value of traffic analysis Information hiding –Decorrelate links in multi-hop causal analyses Distributed problems contributing to mess Graph properties inconsistent with detection assumptions –Statistical tools assume trees but graph is an expander

6 6/17/2015Petros Maniatis6 Diagnostic vs. Diagnosable Systems Diagnostic is good Complex query processing Probes into distributed system exporting data to be queried Nice properties –Privacy, efficiency, timeliness, consistency, accuracy, verifiability Diagnosable is even better Information flow can be observed Control flow can be observed Observations can be related to system specification –no need for “translation” If you are really lucky, you can get both

7 6/17/2015Petros Maniatis7 Strawman Design: P2 (Intel, UCB, Rice, MPI) Intended for user-level distributed system design, implementation, monitoring Specify high-level system properties Abstract topology Transport properties Currently: in a variant of Datalog Looks like event-condition-action rules Location specifiers place conditions in space Rendezvous happens under the covers

8 6/17/2015Petros Maniatis8 Strawman Design: P2 Intended for user-level distributed system design, implementation, monitoring Specify high-level system properties Abstract topology Transport properties Currently: in a variant of Datalog Looks like event-condition-action rules Location specifiers place conditions in space Rendezvous happens under the covers response@Req(Key, SAddr1) :- lookup@NAddr(Req, Key), node@NAddr(NodeID), succ@Naddr(NextID, SAddr), succ@SAddr(NextNextID, SAddr1), Key in (NodeID, Succ]. In English: Return a response to Req When node NAddr receives lookup for key Key And that key lies between NAddr’s identifier and that of its successor’s successor

9 6/17/2015Petros Maniatis9 Strawman Design: P2 Specification to Implementation Automatically compile specification into a dataflow graph Elements are little-functionality operators –Filters, multiplexers, loads, stores Elements are interlinked with asynchronous data flows –Data unit: a typed, flat tuple Reversible optimizations happen below

10 6/17/2015Petros Maniatis10 Strawman Design: P2 Diagnosis Flows are observable Treat them as any other data stream, store, query them… Element state transitions are observable Similarly, store them, query them, export them…

11 6/17/2015Petros Maniatis11 Strawman Design: P2 Execution Tracing Execution is observable Whenever a rule creates an output, I can log the inputs that caused that output Generate a causal stream at the granularity of the user’s specification steps

12 6/17/2015Petros Maniatis12 What we know we can do (e.g., in overlays) Monitoring invariants: a distributed watchpoint “A node’s in-degree is greater than k” “Routing is inconsistent” “A node oscillates into and out of a neighborhood’s routing tables” Execution tracing at “pseudo-code” granularity: logical stepping Obtain the causality graph of a failed lookup (what steps led to failure) Find failed lookups with state oscillations in its history (filter failure cause) Install additional sensors where state oscillations usually cause lookup failure Mining of causality graph on-line Complex programmatic system views Run a consistent snapshot on the state of the system Query the consistent snapshot on stable properties Take system checkpoints

13 6/17/2015Petros Maniatis13 Opportunities

14 6/17/2015Petros Maniatis14 What we’d love to be able to do but don’t quite know exactly how yet Small set of basic components Relational operators, flow operators, network operators Should be able to formally validate them Then compose to statically validate entire graph (termination, information flow, etc.) Verifiable dataflow graph execution Attest all dataflow elements in isolation Attest resulting dataflow graph Undeniable causality graphs Tamper-evident logs per dataflow element (Automatically) composable proofs of compliant execution of dataflow graph Smaller combinatorial problems: Chord overlay: ~10000 individual lines of code in C++ Compare that to our P2Chord: ~300 elements, ~12 reusable types, + engine

15 6/17/2015Petros Maniatis15 What we’d love to be able to do but don’t quite know exactly how yet What might be a useful checked invariant? Known protocol weakness we don’t know how to fix Design a distributed query checking for it When it triggers, abort, work less slowly, notify authorities, give random answer, … Graph rewrites that preserve specific properties Information declassification (look at Saberfeld et al) Routing path decorrelation Who cares about verifiable, user-level distributed applications? Monitoring within disparate organizations Who cares about undeniable, user-level distributed applications? Same, when liability is involved (e.g., anti-framing)

16 6/17/2015Petros Maniatis16 What do we have here? Constrained programming/execution environment Typed information flow Very modular design Small set of functional modules can build large set of combinations Only reversible optimizations allowed But we’re nowhere near solving the malicious code understanding prob Can we afford to take the performance hit? Fairly coarse granularity Can you write a general-purpose Distributed FS on this? Hmm… Thesis: Defining a usable (if not complete) programming paradigm that allows “effortless” due diligence might improve the situation

17 Thank You! http://berkeley.intel-research.net/maniatis/

Download ppt "Building diagnosable distributed systems Petros Maniatis Intel Research Berkeley ICSI – Security Crystal Ball."

Similar presentations

P2: Implementing Declarative Overlays

P2: Implementing Declarative Overlays
Routing Complexity of Faulty Networks Omer Angel Itai Benjamini Eran Ofek Udi Wieder The Weizmann Institute of Science.

Routing Complexity of Faulty Networks Omer Angel Itai Benjamini Eran Ofek Udi Wieder The Weizmann Institute of Science.
Intel Research Timothy Roscoe P2: Implementing Declarative Overlays Timothy Roscoe Boon Thau Loo, Tyson Condie, Petros Maniatis, Ion Stoica, David Gay,

Intel Research Timothy Roscoe P2: Implementing Declarative Overlays Timothy Roscoe Boon Thau Loo, Tyson Condie, Petros Maniatis, Ion Stoica, David Gay,
Implementing Declarative Overlays Boon Thau Loo 1 Tyson Condie 1, Joseph M. Hellerstein 1,2, Petros Maniatis 2, Timothy Roscoe 2, Ion Stoica 1 1 University.

Implementing Declarative Overlays Boon Thau Loo 1 Tyson Condie 1, Joseph M. Hellerstein 1,2, Petros Maniatis 2, Timothy Roscoe 2, Ion Stoica 1 1 University.
Declarative Networking Mothy Joint work with Boon Thau Loo, Tyson Condie, Joseph M. Hellerstein, Petros Maniatis, Ion Stoica Intel Research and U.C. Berkeley.

Declarative Networking Mothy Joint work with Boon Thau Loo, Tyson Condie, Joseph M. Hellerstein, Petros Maniatis, Ion Stoica Intel Research and U.C. Berkeley.
Intel Research Petros Maniatis, IRB Declarative Overlays Petros Maniatis joint work with Tyson Condie, David Gay, Joseph M. Hellerstein, Boon Thau Loo,

Intel Research Petros Maniatis, IRB Declarative Overlays Petros Maniatis joint work with Tyson Condie, David Gay, Joseph M. Hellerstein, Boon Thau Loo,
Delta Debugging and Model Checkers for fault localization

Delta Debugging and Model Checkers for fault localization
Implementing Declarative Overlays From two talks by: Boon Thau Loo 1 Tyson Condie 1, Joseph M. Hellerstein 1,2, Petros Maniatis 2, Timothy Roscoe 2, Ion.

Implementing Declarative Overlays From two talks by: Boon Thau Loo 1 Tyson Condie 1, Joseph M. Hellerstein 1,2, Petros Maniatis 2, Timothy Roscoe 2, Ion.
Ion Stoica, Robert Morris, David Karger, M. Frans Kaashoek, Hari Balakrishnan MIT and Berkeley presented by Daniel Figueiredo Chord: A Scalable Peer-to-peer.

Ion Stoica, Robert Morris, David Karger, M. Frans Kaashoek, Hari Balakrishnan MIT and Berkeley presented by Daniel Figueiredo Chord: A Scalable Peer-to-peer.
Peer to Peer and Distributed Hash Tables

Peer to Peer and Distributed Hash Tables
Evaluation of a Scalable P2P Lookup Protocol for Internet Applications

Evaluation of a Scalable P2P Lookup Protocol for Internet Applications
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Berkeley dsn declarative sensor networks problem David Chu, Lucian Popa, Arsalan Tavakoli, Joe Hellerstein approach related dsn architecture status  B.

Berkeley dsn declarative sensor networks problem David Chu, Lucian Popa, Arsalan Tavakoli, Joe Hellerstein approach related dsn architecture status  B.
Fast Algorithms For Hierarchical Range Histogram Constructions

Fast Algorithms For Hierarchical Range Histogram Constructions
Object-Oriented Software Construction Bertrand Meyer 2nd ed., Prentice Hall, 1997.

Object-Oriented Software Construction Bertrand Meyer 2nd ed., Prentice Hall, 1997.
VeriCon: Towards Verifying Controller Programs in SDNs (PLDI 2014) Thomas Ball, Nikolaj Bjorner, Aaron Gember, Shachar Itzhaky, Aleksandr Karbyshev, Mooly.

VeriCon: Towards Verifying Controller Programs in SDNs (PLDI 2014) Thomas Ball, Nikolaj Bjorner, Aaron Gember, Shachar Itzhaky, Aleksandr Karbyshev, Mooly.
Issues of Security and Privacy in Networking in the CBA Karen Sollins Laboratory for Computer Science July 17, 2002.

Issues of Security and Privacy in Networking in the CBA Karen Sollins Laboratory for Computer Science July 17, 2002.
Transaction.

Transaction.
SKELETON BASED PERFORMANCE PREDICTION ON SHARED NETWORKS Sukhdeep Sodhi Microsoft Corp Jaspal Subhlok University of Houston.

SKELETON BASED PERFORMANCE PREDICTION ON SHARED NETWORKS Sukhdeep Sodhi Microsoft Corp Jaspal Subhlok University of Houston.
Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.

Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.

Similar presentations

Ads by Google