Tag Archives: scientific

TussleOS: Managing Privacy Versus Functionality Trade-Offs on IoT Devices

Rayman Preet Singh, Benjamin Cassell, S. Keshav, Tim Brecht.
Abstract

Networked sensors and actuators are increasingly permeating our computing devices, and provide a variety of functions for Internet of Things (IoT) devices and applications. However, this sensor data can also be used by applications to extract private information about users. Applications and users are thus in a tussle over access to private data. Tussles occur in operating systems when stakeholders with competing interests try to access shared resources such as sensor data, CPU time, or network bandwidth. Unfortunately, existing operating systems lack a principled approach for identifying, tracking, and resolving such tussles. Moreover, users typically have little control over how tussles are resolved. Controls for sensor data tussles, for example, often fail to address trade-offs between functionality and privacy. Therefore, we propose a framework to explicitly recognize and manage tussles. Using sensor data as an example resource, we investigate the design of mechanisms for detecting and resolving privacy tussles in a cyber-physical system, enabling privacy and functionality to be negotiated between users and applications. In doing so, we identify shortcomings of existing research and present directions for future work.


Public review by Dave Choffnes

Ubiquitous Internet connectivity and sensing is quickly becoming reality. Many of us welcome this new world and its myriad applications ranging from entertainment and communication to health and education. On the other hand, this new functionality comes with an often invisible and thorny cost: exposure of private information. Historically, operating systems have focused on enabling functionality, with privacy controls being blunt, bolt-on features, if present at all. The Yelp app, for example, will use GPS coordinates to identify local businesses, but there is no easy way for the user to negotiate the use of coarser-grained location data for potentially less customized results but without the privacy cost.

In this paper, the authors propose using tussles as a way to manage the trade-offs between functionality and the privacy settings that restrict it, and to provide this service at the operating system layer. Specifically, the paper identifies high-level abstractions to specify privacy and functionality requirements, techniques to resolve competing requirements, and mechanisms to enforce the resolved behavior. Instead of focusing on any specific solution, the authors survey application functionality and user privacy requirements, and suggest how they might be addressed. Rather than offering a solution to the problem, this work serves as a starting point for a conversation about how to improve OS-level support for privacy.

The reviewers agreed that the authors identified an important problem and proposed an interesting potential direction for addressing it. The case studies in the paper provide supporting evidence that the approach is viable. There were concerns that the paper raises more questions than it answers (which is typical for a position paper) and that privacy negotiations have been proposed in previous work (impacting novelty). Despite these issues, the reviewers agreed that TussleOS is an interesting topic for future work.

Download the full article

InKeV: In-Kernel Distributed Network Virtualization for DCN

Zaafar Ahmed, Muhammad Hamad Alizai, Affan A. Syed.
Abstract

InKeV is a network virtualization platform based on eBPF, an in-kernel execution engine recently upstreamed into the Linux kernel. InKeV’s key contribution is that it enables in-kernel programmability and configuration of virtualized network functions, allowing the creation of a distributed virtual network across all edges hosting tenant workloads. Despite the high performance demands of production environments, existing virtualization solutions have largely static in-kernel components, due to the difficulty of developing and maintaining kernel modules and their years-long feature delivery time. The resulting compromise is either in the programmability of network functions that rely on the data plane, such as payload processing, or in performance, due to expensive user-/kernel-space context switching. InKeV addresses these concerns: the use of eBPF allows it to dynamically insert programmable network functions into a running kernel, requiring neither packaging a custom kernel nor hoping for acceptance into the mainline kernel. Its novel stitching feature allows complete virtual networks to be configured flexibly by creating a graph of network functions inside the kernel. Our evaluation reports on the flexibility of InKeV, and on in-kernel implementation benefits such as low latency and an impressive flow creation rate.


Public review by Katerina Argyraki

The ability to program the data plane — to introduce new packet-processing functionality in the network — is one of the main challenges faced by network operators today, whether in the context of datacenters or Internet service providers. A popular approach is to introduce “network functions” at the edge of the network, in general-purpose machines (not custom network equipment). To maximize performance, we would normally run these network functions inside the kernel; however, the standard ways of doing this, e.g., packaging custom kernels, are impractical. Instead, this paper proposes to leverage the extended Berkeley Packet Filter (eBPF), a way to safely introduce new functionality into the kernel, which is now part of the Linux kernel. The paper contributes a framework for managing network functions that are implemented on top of eBPF, and it shows experimentally that the proposed approach significantly outperforms the current standard approach, represented by OpenStack Neutron (which does not run entire network functions in the kernel). The reviewers appreciated the proposed solution for its simplicity and the clear demonstration of its performance benefits; in a sea of proposals for how to build programmable data planes, this one stands out for its potential for practical impact.

Download the full article