Research Statement. Amy Babay December 2018

Transcription

1 Research Statement Amy Babay December 2018 My research focuses on distributed systems and networks, with core goals spanning two domains: enabling new Internet services and building dependable infrastructure. The Internet s incredible reach has made our society increasingly global and connected, but inherent architectural limitations prevent it from natively supporting new applications with demanding performance, processing, or security requirements. I am excited about the potential to extend network programmability to create a new generation of Internet services, and especially about solving fundamental performance challenges to allow new levels of interactivity. At the same time, as networked systems become essential to daily life, with even critical infrastructure like the power grid becoming more connected, their resilience becomes crucial. Therefore, the second major goal of my work is building intrusion-tolerant infrastructure: infrastructure that maintains correct operation and predictable performance even when partially compromised by a sophisticated adversary. I believe that taking research ideas all the way to deployed systems raises interesting new questions that must be addressed for the work to be useful in practice and try to develop my work to that point as much as possible. I implemented my dissertation s low-latency, high-reliability Internet transport service in the Spines overlay network ( validated it in a globespanning deployment over twelve data centers, and am working to transition it to commercial use for high-value video feeds. Spire ( the intrusion-tolerant SCADA system that Tom Tantillo and I created together during our PhDs, successfully withstood a red-team attack at PNNL in 2017, was deployed in a test at the Hawaiian Electric Company in 2018, and was presented to the Army Corps of Engineers in an invited talk; I am investigating opportunities to transition these ideas commercially or through government. 1 Enabling a New Generation of Internet Services While the Internet s ubiquity has created demand for new networked applications, some of its key design choices limit its ability to natively support emerging applications. In particular, the Internet s incredible scale requires its routers core functionality to be very simple: they perform best-effort packet switching and cannot maintain per-flow state. My experience at LTN Global Communications prior to my PhD showed me the power of structured overlay networks to overcome this limitation. At LTN, I was exposed to a global overlay network for live broadcast-quality video transmission. This service requires a 200ms one-way latency guarantee with reliability such that % of packets are delivered on time; it is made possible by strategically placing overlay software routers in data centers around the world and implementing custom overlay routing and recovery protocols. My research aims to leverage the concepts behind structured overlays, namely the ability to put processing power and context into the middle of the network, to go beyond video transmission to support a new generation of highly demanding Internet services at scale. 1.1 Current Research Timely, reliable Internet transport. Compared with live video s 200ms latency requirement, highly interactive remote manipulation applications such as remote surgery bring a new level of timeliness demands, requiring one-way latencies on the order of 65ms for interaction to feel natural. 1

2 To meet these latency requirements (which approach the physical propagation delay for crosscontinent transmission) while still supporting % on-time delivery, I developed a new overlay routing approach that uses dissemination graphs to redundantly send packets over a subgraph of the network [1]. While the problem of selecting an optimal dissemination graph for arbitrary network conditions is challenging to model precisely and is NP-hard even with simplifying assumptions, we provided a highly effective solution by observing the types of problems that occur in practice (collecting data on LTN s commercial infrastructure) and converting this hard optimization problem into a simple classification problem. The dissemination graph for each packet is selected dynamically by classifying current network conditions into just four states: normal, source problem, destination problem, and simultaneous source-destination problem. The approach uses a dissemination graph consisting of two node-disjoint paths in the normal case, and custom dissemination graphs that add targeted redundancy in the problematic areas of the network in the other three cases. We show that this approach can achieve about 99% of the benefit of an optimal but prohibitively expensive scheme, at a cost increase of 2% or less compared with two disjoint paths. In addition to remote manipulation applications with extremely demanding timeliness constraints, this work can support video applications that allow latencies on the order of 200ms but require near-perfect reliability. Part of my current work aims to transition these protocols to commercial use with LTN for high value video feeds (e.g. sports events). Intrusion-tolerant networking. Monitoring and control of large-scale cloud systems faces a major challenge: failures or attacks can render their network infrastructure unusable, but diagnosing and correcting the problem can be impossible without functioning network infrastructure. I was involved in work using structured overlays to create an intrusion-tolerant network service that enables cloud monitoring and control systems to continue to work while under attack [2]. This service leverages redundancy in the overlay s resilient network architecture to overcome attacks in the underlying network and uses new intrusion-tolerant overlay protocols to guarantee ultimate resilience: messages will be delivered even in the presence of compromised overlay nodes, as long as at least one path of correct nodes exists between the source and destination. 1.2 Future Research Vision My research aims to use structured overlays to enable a new generation of network services that cannot be supported by the native Internet. Part of this work will involve developing new overlay protocols to support the needs of emerging applications, but the fundamental challenges that remain are scaling the approach and extending it to provide end-to-end guarantees. Immersive multiparty virtual reality. Like remote manipulation, immersive virtual reality for multiplayer online games or multiparty virtual training requires extremely low latency and high reliability. However, these applications add the challenge of multicast communication, as all parties interact in the same virtual space. A dissemination-graph-based routing approach may be a good fit for these applications, but new techniques are needed to construct more complex dissemination graphs that connect multiple participants while meeting the timeliness and reliability requirements. Unlimited programmability at scale. The strength of the structured overlay approach is that overlay routers run as normal user-level programs and offer the unlimited programmability of general purpose computing. However, this limits the scalability of the approach: a single overlay router cannot process packets at line speed. Interestingly, the strengths of Software Defined Networking (SDN) appear complementary to those of overlay networks: SDN switches can process packets at 2

3 line speed but offer a more limited match-action table programming model. I plan to combine structured overlay networks and SDNs to provide unlimited programmability at scale. One promising direction is to run many overlays in parallel and use SDN to classify incoming packets at line speed, with only those packets that require specialized processing being directed to an appropriate overlay. While promising, this approach presents considerable management challenges. My experience with LTN Global Communications shows that manually managing even a moderate number of overlays is a complex and time consuming task. I intend to explore automated flow management techniques to automatically assign flows to overlays while respecting capacity constraints, instantiate new overlays as needed, and install forwarding rules in SDN switches. Over time, I also plan to investigate how certain processing functions may be moved from the overlay level to the network level for increased efficiency. End-to-end guarantees. My work so far has focused on the network core, assuming that endpoints are co-located with overlay nodes or have high quality redundant connections in the underlying network. While this is reasonable for a small number of high-value endpoints, these assumptions will not hold as the framework scales to support a wider range of applications and clients. Most endpoints will connect to the overlay remotely and can have diverse connection quality, including lossy connections or ones with limited bandwidth. I plan to explore techniques for extending overlay protocols to the edge and ensuring end-to-end quality with wireless or mobile clients; emerging 5G technology offers a promising avenue for cellular clients. 2 Building Dependable Infrastructure Our increasing reliance on computerized and networked systems makes it crucial to guarantee that they can, in fact, be relied on to work as expected. This is especially true for critical infrastructure like the power grid as it becomes more connected and more exposed to attacks. 2.1 Current Research Intrusion-tolerant SCADA for the power grid. My work has developed Spire, the first Supervisory Control and Data Acquisition (SCADA) system for the power grid that is resilient to simultaneous system compromises and network attacks [3]. While other work has made SCADA systems resilient to system-level compromises of the SCADA Master (central control server) using Byzantine fault tolerant (BFT) replication, Spire extends this model to additionally consider network-level attacks. Spire combines BFT replication with our intrusion-tolerant network service [2] to overcome a wide range of sophisticated network attacks and introduces a novel architecture for distributing replicas across multiple sites to overcome the complete network isolation of a power grid control center while guaranteeing correct operation and predictable performance. We demonstrated Spire s practical effectiveness in two deployments. The first was conducted at Pacific Northwest National Lab, where a red team from Sandia National Labs attacked both a NIST-compliant commercial SCADA architecture and Spire. While the red team was able to take full control of the commercial system within only a few hours, they were unable to disrupt Spire s operation throughout three days of attacks, including being given source code and root access to one of the replicated SCADA Masters. The second event was a test deployment conducted with the Hawaiian Electric Company (HECO) in a mothballed power plant that had active control systems but was not generating power at the time. Spire managed a small set of real breakers and successfully provided the timely reactions expected by HECO engineers without interfering with other plant control systems, demonstrating its ability to operate in a power plant environment. 3

4 2.2 Future Research Vision Holistic intrusion tolerance. The two events described above underscored the need for a holistic approach to intrusion tolerance that goes beyond BFT replication to consider the system as a whole. Spire takes a significant step in this direction by extending intrusion tolerance to the network level, but a principled approach to making systems truly resilient to dedicated attackers is needed. For example, it has become generally accepted that BFT replication must be augmented with proactive recovery, a technique for periodically removing intrusions and restoring compromised nodes to a correct state. However, most BFT protocols introduced after PBFT [4] have not specified their own proactive recovery protocols. My experience implementing proactive recovery in Prime [5] showed that design choices made to prove latency guarantees under attack (which are necessary for systems like SCADA that require timely reactions) make proactive recovery much more complex. I am interested in analyzing BFT protocols to determine the key requirements for simple and effective proactive recovery and designing replication and recovery protocols together to support strong latency guarantees under attack and proactive recovery that is fast and easy to reason about. Beyond proactive recovery, I am interested in safely combining intrusion tolerance with intrusion detection (i.e. compromised components must not be able to deny service by suspecting correct components), adding domain-specific resilience (e.g. ensuring that malicious commands issued by a rogue power grid operator are not simply replicated and consistently executed by the control servers), and recovering from temporary assumption breaches (e.g. the simultaneous failure of more than f replicas in a BFT replicated system). I also intend to investigate approaches for incrementally transitioning legacy systems to resilient architectures, as my experience with HECO showed this to be the most feasible path to creating a practical impact. As a first step, I am developing a proxy-based approach to deploying Spire s intrusion-tolerant network component in legacy systems. 3 Future Plans: Funding, Collaboration The technical aspects of my future research vision are described above, but this plan also involves securing resources to fund it and leveraging expertise from other domains. During my Masters and PhD, my work was funded by DARPA and DoD, and I believe this format is especially appropriate for the resilience side of my work with its direct relevance to national defense. My dissertation work was also funded by an NSF Algorithms in the Field proposal that I helped write, and I see the NSF CNS Core, Secure and Trustworthy Cyberspace (SaTC), and Faculty Early Career Development Program (CAREER) as avenues for funding both sides of my research vision. Beyond that, I plan to explore industry funding; our work on structured overlays attracted interest and gift funding from AT&T labs, and I plan to continue close industry collaboration in my research. I also plan to collaborate with other researchers in Computer Science and Electrical Engineering, especially including theory, security, networking, robotics, and power systems. My work on timely, reliable Internet transport has already included theory collaboration with Michael Dinitz on constructing dissemination graphs and robotics collaboration on a proof-of-concept for transatlantic robotic manipulation. My future work will continue to seek collaborations in these areas and expand them to include networking researchers in SDN (to realize unlimited network programmability at scale) and wireless (to extend overlay capabilities to the edge) as well as application domains like gaming. In the resilience domain, collaboration with security researchers is especially important; Cristina Nita-Rotaru and her group contributed crucial expertise in specifying threat models and automatically verifying implementations to our work on intrusion-tolerant networking. As I extend my power grid work to include domain-specific solutions for malicious input, it will also include Electrical Engineering researchers and industry practitioners like the HECO engineers. 4

5 References [1] A. Babay, E. Wagner, M. Dinitz, and Y. Amir, Timely, reliable, and cost-effective internet transport service using dissemination graphs, in Proceedings of the 37th International Conference on Distributed Computing Systems (ICDCS), June 2017, pp [2] D. Obenshain, T. Tantillo, A. Babay, J. Schultz, A. Newell, M. E. Hoque, Y. Amir, and C. Nita- Rotaru, Practical intrusion-tolerant networks, in Proceedings of the 36th International Conference on Distributed Computing Systems (ICDCS), June 2016, pp [3] A. Babay, T. Tantillo, T. Aron, M. Platania, and Y. Amir, Network-attack-resilient intrusiontolerant SCADA for the power grid, in Proceedings of the IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), June 2018, pp [4] M. Castro and B. Liskov, Practical byzantine fault tolerance and proactive recovery, ACM Transactions on Computer Systems, vol. 20, no. 4, pp , November [5] Y. Amir, B. Coan, J. Kirsch, and J. Lane, Prime: Byzantine replication under attack, IEEE Transactions on Dependable and Secure Computing, vol. 8, no. 4, pp , July