Implementing Performance Competitive Logical Recovery

New hardware platforms, e.g. cloud, multi-core, etc., have led to a reconsideration of database system architecture. Our Deuteronomy project separates transactional functionality from data management functionality, enabling a flexible response to exploiting new platforms. This separation requires, however, that recovery is described logically. In this paper, we extend current recovery methods to work in this logical setting. While this is straightforward in principle, performance is an issue. We show how ARIES style recovery optimizations can work for logical recovery where page information is not captured on the log. In side-by-side performance experiments using a common log, we compare logical recovery with a state-of-the art ARIES style recovery implementation and show that logical redo performance can be competitive.Comment: VLDB201

Chip and Skim: cloning EMV cards with the pre-play attack

EMV, also known as "Chip and PIN", is the leading system for card payments worldwide. It is used throughout Europe and much of Asia, and is starting to be introduced in North America too. Payment cards contain a chip so they can execute an authentication protocol. This protocol requires point-of-sale (POS) terminals or ATMs to generate a nonce, called the unpredictable number, for each transaction to ensure it is fresh. We have discovered that some EMV implementers have merely used counters, timestamps or home-grown algorithms to supply this number. This exposes them to a "pre-play" attack which is indistinguishable from card cloning from the standpoint of the logs available to the card-issuing bank, and can be carried out even if it is impossible to clone a card physically (in the sense of extracting the key material and loading it into another card). Card cloning is the very type of fraud that EMV was supposed to prevent. We describe how we detected the vulnerability, a survey methodology we developed to chart the scope of the weakness, evidence from ATM and terminal experiments in the field, and our implementation of proof-of-concept attacks. We found flaws in widely-used ATMs from the largest manufacturers. We can now explain at least some of the increasing number of frauds in which victims are refused refunds by banks which claim that EMV cards cannot be cloned and that a customer involved in a dispute must therefore be mistaken or complicit. Pre-play attacks may also be carried out by malware in an ATM or POS terminal, or by a man-in-the-middle between the terminal and the acquirer. We explore the design and implementation mistakes that enabled the flaw to evade detection until now: shortcomings of the EMV specification, of the EMV kernel certification process, of implementation testing, formal analysis, or monitoring customer complaints. Finally we discuss countermeasures

Middleware-based Database Replication: The Gaps between Theory and Practice

The need for high availability and performance in data management systems has been fueling a long running interest in database replication from both academia and industry. However, academic groups often attack replication problems in isolation, overlooking the need for completeness in their solutions, while commercial teams take a holistic approach that often misses opportunities for fundamental innovation. This has created over time a gap between academic research and industrial practice. This paper aims to characterize the gap along three axes: performance, availability, and administration. We build on our own experience developing and deploying replication systems in commercial and academic settings, as well as on a large body of prior related work. We sift through representative examples from the last decade of open-source, academic, and commercial database replication systems and combine this material with case studies from real systems deployed at Fortune 500 customers. We propose two agendas, one for academic research and one for industrial R&D, which we believe can bridge the gap within 5-10 years. This way, we hope to both motivate and help researchers in making the theory and practice of middleware-based database replication more relevant to each other.Comment: 14 pages. Appears in Proc. ACM SIGMOD International Conference on Management of Data, Vancouver, Canada, June 200

BlockPKI: An Automated, Resilient, and Transparent Public-Key Infrastructure

This paper describes BlockPKI, a blockchain-based public-key infrastructure that enables an automated, resilient, and transparent issuance of digital certificates. Our goal is to address several shortcomings of the current TLS infrastructure and its proposed extensions. In particular, we aim at reducing the power of individual certification authorities and make their actions publicly visible and accountable, without introducing yet another trusted third party. To demonstrate the benefits and practicality of our system, we present evaluation results and describe our prototype implementation.Comment: Workshop on Blockchain and Sharing Economy Application

S-Store: Streaming Meets Transaction Processing

Stream processing addresses the needs of real-time applications. Transaction processing addresses the coordination and safety of short atomic computations. Heretofore, these two modes of operation existed in separate, stove-piped systems. In this work, we attempt to fuse the two computational paradigms in a single system called S-Store. In this way, S-Store can simultaneously accommodate OLTP and streaming applications. We present a simple transaction model for streams that integrates seamlessly with a traditional OLTP system. We chose to build S-Store as an extension of H-Store, an open-source, in-memory, distributed OLTP database system. By implementing S-Store in this way, we can make use of the transaction processing facilities that H-Store already supports, and we can concentrate on the additional implementation features that are needed to support streaming. Similar implementations could be done using other main-memory OLTP platforms. We show that we can actually achieve higher throughput for streaming workloads in S-Store than an equivalent deployment in H-Store alone. We also show how this can be achieved within H-Store with the addition of a modest amount of new functionality. Furthermore, we compare S-Store to two state-of-the-art streaming systems, Spark Streaming and Storm, and show how S-Store matches and sometimes exceeds their performance while providing stronger transactional guarantees

Strengthening e-banking security using keystroke dynamics

This paper investigates keystroke dynamics and its possible use as a tool to prevent or detect fraud in the banking industry. Given that banks are constantly on the lookout for improved methods to address the menace of fraud, the paper sets out to review keystroke dynamics, its advantages, disadvantages and potential for improving the security of e-banking systems. This paper evaluates keystroke dynamics suitability of use for enhancing security in the banking sector. Results from the literature review found that keystroke dynamics can offer impressive accuracy rates for user identification. Low costs of deployment and minimal change to users modus operandi make this technology an attractive investment for banks. The paper goes on to argue that although this behavioural biometric may not be suitable as a primary method of authentication, it can be used as a secondary or tertiary method to complement existing authentication systems

Choosing between Auctions and Negotiations in Online B2B Markets for IT Services: The Effect of Prior Relationships and Performance

The choice of contract allocation mechanism in procurement affects such aspects of transactions as information exchange between buyer and supplier, supplier competition, pricing and, eventually, performance. In this study we investigate the buyer’s choice between reverse auctions and bilateral negotiations as an allocation mechanism for IT services contracts. Prior studies into allocation mechanism choice focused on factors pertaining to discrete exchange situation, such as con-tract complexity or availability of suppliers. We broaden the research by focusing on buyers’ past exchange relationships with vendors. Based on the literature on the economics of contracting and agency theory, we hypothesize that prior re-peat interaction with vendors favors the use of negotiations over auctions in the next transaction, while the need to explore the marketplace due to buyer’s inexperience or dissatisfaction with vendor’s performance in the most recent project leads to the use of auctions instead of negotiations. We find support for these hypotheses in a longitudinal dataset of 2,081 IT projects realized by 91 repeat buyers at a leading online services marketplace over a period of eight years. Taken together, the results show that analyzing B2B auctions and negotiations should move beyond analyzing discrete instances and instead analyze them in the context of the individual firm’s history and supplier strategy.outsourcing;IT services;online marketplace;reverse auctions