8 research outputs found

    LightBox: Full-stack Protected Stateful Middlebox at Lightning Speed

    Running off-site software middleboxes at third-party service providers has been a popular practice. However, routing large volumes of raw traffic, which may carry sensitive information, to a remote site for processing raises severe security concerns. Prior solutions often abstract away important factors pertinent to real-world deployment. In particular, they overlook the significance of metadata protection and stateful processing. Unprotected traffic metadata like low-level headers, size and count, can be exploited to learn supposedly encrypted application contents. Meanwhile, tracking the states of 100,000s of flows concurrently is often indispensable in production-level middleboxes deployed at real networks. We present LightBox, the first system that can drive off-site middleboxes at near-native speed with stateful processing and the most comprehensive protection to date. Built upon commodity trusted hardware, Intel SGX, LightBox is the product of our systematic investigation of how to overcome the inherent limitations of secure enclaves using domain knowledge and customization. First, we introduce an elegant virtual network interface that allows convenient access to fully protected packets at line rate without leaving the enclave, as if from the trusted source network. Second, we provide complete flow state management for efficient stateful processing, by tailoring a set of data structures and algorithms optimized for the highly constrained enclave space. Extensive evaluations demonstrate that LightBox, with all security benefits, can achieve 10Gbps packet I/O, and that with case studies on three stateful middleboxes, it can operate at near-native speed. Comment: Accepted at ACM CCS 201

    Defect Perturbations in Landau-Ginzburg Models

    Perturbations of B-type defects in Landau-Ginzburg models are considered. In particular, the effect of perturbations of defects on their fusion is analyzed in the framework of matrix factorizations. As an application, it is discussed how fusion with perturbed defects induces perturbations on boundary conditions. It is shown that in some classes of models all boundary perturbations can be obtained in this way. Moreover, a universal class of perturbed defects is constructed, whose fusion under certain conditions obeys braid relations. The functors obtained by fusing these defects with boundary conditions are twist functors as introduced in the work of Seidel and Thomas. Comment: 46 page

    Permutation branes and linear matrix factorisations

    All the known rational boundary states for Gepner models can be regarded as permutation branes. On general grounds, one expects that topological branes in Gepner models can be encoded as matrix factorisations of the corresponding Landau-Ginzburg potentials. In this paper we identify the matrix factorisations associated to arbitrary B-type permutation branes. Comment: 43 pages. v2: References adde

    Thomas Decomposition and Nonlinear Control Systems

    This paper applies the Thomas decomposition technique to nonlinear control systems, in particular to the study of the dependence of the system behavior on parameters. Thomas' algorithm is a symbolic method which splits a given system of nonlinear partial differential equations into a finite family of so-called simple systems which are formally integrable and define a partition of the solution set of the original differential system. Different simple systems of a Thomas decomposition describe different structural behavior of the control system in general. The paper gives an introduction to the Thomas decomposition method and shows how notions such as invertibility, observability and flat outputs can be studied. A Maple implementation of Thomas' algorithm is used to illustrate the techniques on explicit examples.

    Stateless CPU-aware datacenter load-balancing

    Today, datacenter operators deploy Load-balancers (LBs) to efficiently utilize server resources, but must over-provision server resources (by up to 30%) because of load imbalances and the desire to bound tail service latency. We posit one of the reasons for these imbalances is the lack of per-core load statistics in existing LBs. As a first step, we designed CrossRSS, a CPU core-aware LB that dynamically assigns incoming connections to the least loaded cores in the server pool. CrossRSS leverages knowledge of the dispatching by each server's Network Interface Card (NIC) to specific cores to reduce imbalances by more than an order of magnitude compared to existing LBs in a proof-of-concept datacenter environment, processing 12% more packets with the same number of cores.

    Highly cited articles in environmental and occupational health, 1919-1960

    Although numerous lists of "citation classics" have been compiled across a variety of scientific fields, few have included articles from environmental and occupational health (EOH). This investigation sought to identify and analyze the most highly cited articles ever published in the Journal of Industrial Hygiene (1919-1935), the Journal of Industrial Hygiene and Toxicology (1936-1949), the Archives of Industrial Hygiene and Occupational Medicine (1950), the American Medical Association (A.M.A.) Archives of Industrial Hygiene and Occupational Medicine (1950-1954), and the A.M.A. Archives of Industrial Health (1955-1960). Regularly cited topics included metal fume fever and various studies of beryllium, whereas the most highly cited article of all was a 1957 paper describing the control of heat casualties at military training centers. Interestingly, the most highly cited articles were not the oldest, nor were they written as literature reviews. Overall, this study suggests that although some citation patterns in EOH reflect those of other disciplines, the trend is not uniform and EOH itself appears to have some distinctive bibliometric characteristics.