The Case for a Single System Image for Personal Devices

Computing technology has gotten cheaper and more powerful, allowing users to have a growing number of personal computing devices at their disposal. While this trend is beneficial for the user, it also creates a growing management burden for the user. Each device must be managed independently and users must repeat the same management tasks on the each device, such as updating software, changing configurations, backup, and replicating data for availability. To prevent the management burden from increasing with the number of devices, we propose that all devices run a single system image called a personal computing image. Personal computing images export a device-specific user interface on each device, but provide a consistent view of application and operating state across all devices. As a result, management tasks can be performed once on any device and will be automatically propagated to all other devices belonging to the user. We discuss evolutionary steps that can be taken to achieve personal computing images for devices and elaborate on challenges that we believe building such systems will face

A Double-Edged Sword: Security Threats and Opportunities in One-Sided Network Communication

One-sided network communication technologies such as RDMA and NVMe-over-Fabrics are quickly gaining adoption in production software and in datacenters. Although appealing for their low CPU utilization and good performance, they raise new security concerns that could seriously undermine datacenter software systems building on top of them. At the same time, they offer unique opportunities to help enhance security. Indeed, one-sided network communication is a double-edged sword in security. This paper presents our insights into security implications and opportunities of one-sided communication

High Velocity Kernel File Systems with Bento

High development velocity is critical for modern systems. This is especially true for Linux file systems which are seeing increased pressure from new storage devices and new demands on storage systems. However, high velocity Linux kernel development is challenging due to the ease of introducing bugs, the difficulty of testing and debugging, and the lack of support for redeployment without service disruption. Existing approaches to high-velocity development of file systems for Linux have major downsides, such as the high performance penalty for FUSE file systems, slowing the deployment cycle for new file system functionality. We propose Bento, a framework for high velocity development of Linux kernel file systems. It enables file systems written in safe Rust to be installed in the Linux kernel, with errors largely sandboxed to the file system. Bento file systems can be replaced with no disruption to running applications, allowing daily or weekly upgrades in a cloud server setting. Bento also supports userspace debugging. We implement a simple file system using Bento and show that it performs similarly to VFS-native ext4 on a variety of benchmarks and outperforms a FUSE version by 7x on 'git clone'. We also show that we can dynamically add file provenance tracking to a running kernel file system with only 15ms of service interruption.Comment: 14 pages, 6 figures, to be published in FAST 202

Toward a Principled Framework for Benchmarking Consistency

Large-scale key-value storage systems sacrifice consistency in the interest of dependability (i.e., partition tolerance and availability), as well as performance (i.e., latency). Such systems provide eventual consistency,which---to this point---has been difficult to quantify in real systems. Given the many implementations and deployments of eventually-consistent systems (e.g., NoSQL systems), attempts have been made to measure this consistency empirically, but they suffer from important drawbacks. For example, state-of-the art consistency benchmarks exercise the system only in restricted ways and disrupt the workload, which limits their accuracy. In this paper, we take the position that a consistency benchmark should paint a comprehensive picture of the relationship between the storage system under consideration, the workload, the pattern of failures, and the consistency observed by clients. To illustrate our point, we first survey prior efforts to quantify eventual consistency. We then present a benchmarking technique that overcomes the shortcomings of existing techniques to measure the consistency observed by clients as they execute the workload under consideration. This method is versatile and minimally disruptive to the system under test. As a proof of concept, we demonstrate this tool on Cassandra

DoubleTake: Fast and Precise Error Detection via Evidence-Based Dynamic Analysis

This paper presents evidence-based dynamic analysis, an approach that enables lightweight analyses--under 5% overhead for these bugs--making it practical for the first time to perform these analyses in deployed settings. The key insight of evidence-based dynamic analysis is that for a class of errors, it is possible to ensure that evidence that they happened at some point in the past remains for later detection. Evidence-based dynamic analysis allows execution to proceed at nearly full speed until the end of an epoch (e.g., a heavyweight system call). It then examines program state to check for evidence that an error occurred at some time during that epoch. If so, it rolls back execution and re-executes the code with instrumentation activated to pinpoint the error. We present DoubleTake, a prototype evidence-based dynamic analysis framework. DoubleTake is practical and easy to deploy, requiring neither custom hardware, compiler, nor operating system support. We demonstrate DoubleTake's generality and efficiency by building dynamic analyses that find buffer overflows, memory use-after-free errors, and memory leaks. Our evaluation shows that DoubleTake is efficient, imposing just 4% overhead on average, making it the fastest such system to date. It is also precise: DoubleTake pinpoints the location of these errors to the exact line and memory addresses where they occur, providing valuable debugging information to programmers.Comment: Pre-print, accepted to appear at ICSE 201

EbbRT: Elastic Building Block Runtime - overview

EbbRT provides a lightweight runtime that enables the construction of reusable, low-level system software which can integrate with existing, general purpose systems. It achieves this by providing a library that can be linked into a process on an existing OS, and as a small library OS that can be booted directly on an IaaS node

Making data center computations fast, but not so furious

We propose an aggressive computational sprinting variant for data center environments. While most of previous work on computational sprinting focuses on maximizing the sprinting process while ensuring non-faulty conditions, we take advantage of the existing replication in data centers to push the system beyond its safety limits. In this paper we outline this vision, we survey existing techniques for achieving it, and we present some design ideas for future work in this area.Comment: The 7th Workshop on Multi-core and Rack Scale Systems - MARS'1

Configuration Testing: Testing Configuration Values as Code and with Code

This paper proposes configuration testing--evaluating configuration values (to be deployed) by exercising the code that uses the values and assessing the corresponding program behavior. We advocate that configuration values should be systematically tested like software code and that configuration testing should be a key reliability engineering practice for preventing misconfigurations from production deployment. The essential advantage of configuration testing is to put the configuration values (to be deployed) in the context of the target software program under test. In this way, the dynamic effects of configuration values and the impact of configuration changes can be observed during testing. Configuration testing overcomes the fundamental limitations of de facto approaches to combatting misconfigurations, namely configuration validation and software testing--the former is disconnected from code logic and semantics, while the latter can hardly cover all possible configuration values and their combinations. Our preliminary results show the effectiveness of configuration testing in capturing real-world misconfigurations. We present the principles of writing new configuration tests and the promises of retrofitting existing software tests to be configuration tests. We discuss new adequacy and quality metrics for configuration testing. We also explore regression testing techniques to enable incremental configuration testing during continuous integration and deployment in modern software systems

T-Visor: A Hypervisor for Mixed Criticality Embedded Real-time System with Hardware Virtualization Support

Recently, embedded systems have not only requirements for hard real-time behavior and reliability, but also diversified functional demands, such as network functions. To satisfy these requirements, virtualization using hypervisors is promising for embedded systems. However, as most of existing hypervisors are designed for general-purpose information processing systems, they rely on large system stacks, so that they are not suitable for mixed criticality embedded real-time systems. Even in hypervisors designed for embedded systems, their schedulers do not consider the diversity of real-time requirements and rapid change in scheduling theory. We present the design and implementation of T-Visor, a hypervisor specialized for mixed criticality embedded real-time systems. T-Visor supports ARM architecture and realizes full virtualization using ARM Virtualization Extensions. To guarantee real-time behavior, T-Visor provides a flexible scheduling framework so that developers can select the most suitable scheduling algorithm for their systems. Our evaluation showed that it performed better compared to Xen/ARM. From these results, we conclude that our design and implementation are more suitable for embedded real-time systems than the existing hypervisors

Efficient System-Enforced Deterministic Parallelism

Deterministic execution offers many benefits for debugging, fault tolerance, and security. Running parallel programs deterministically is usually difficult and costly, however - especially if we desire system-enforced determinism, ensuring precise repeatability of arbitrarily buggy or malicious software. Determinator is a novel operating system that enforces determinism on both multithreaded and multi-process computations. Determinator's kernel provides only single-threaded, "shared-nothing" address spaces interacting via deterministic synchronization. An untrusted user-level runtime uses distributed computing techniques to emulate familiar abstractions such as Unix processes, file systems, and shared memory multithreading. The system runs parallel applications deterministically both on multicore PCs and across nodes in a cluster. Coarse-grained parallel benchmarks perform and scale comparably to - sometimes better than - conventional systems, though determinism is costly for fine-grained parallel applications.Comment: 14 pages, 12 figures, 3 table