Invited Talks
NoHype: Virtualized Cloud Infrastructure without the Virtualization
- Abstract: Cloud computing is a disruptive trend that is changing the way we use computers. The key underlying technology in cloud infrastructures is virtualization -- so much so that many consider virtualization to be one of the key features rather than simply an implementation detail. Unfortunately, the use of virtualization is the source of a significant security concern. Because multiple virtual machines run on the same server and since the virtualization layer plays a considerable role in the operation of a virtual machine, a malicious party has the opportunity to attack the virtualization layer. A successful attack would give the malicious party control over the all-powerful virtualization layer, potentially compromising the confidentiality and integrity of the software and data of any virtual machine. In this talk we propose removing the virtualization layer, while retaining the key features enabled by virtualization. Our NoHype architecture, named to indicate the removal of the hypervisor, addresses each of the key roles of the virtualization layer: arbitrating access to CPU, memory, and I/O devices, acting as a network device (e.g., Ethernet switch), and managing the starting and stopping of guest virtual machines. Additionally, we show that our NoHype architecture is indeed "no hype" through an implementation on today's commodity hardware making use of hardware extensions to processors and I/O devices. Slides (pptx)
- University of Pennsylvania, Apr. 2011.
- IBM, Dec. 2010.
Dynamic Infrastructure for Dependable Cloud Services
- Abstract: Cloud computing is changing how people use the Internet, and how service providers run applications. However, cloud computing makes users and service providers alike reliant on an infrastructure that they cannot control. To support dependable cloud services, we must rethink the network and computing infrastructure to offer better reliability, security, and performance. First, we allow network operators to manage their routers without disrupting the flow of traffic, by breaking the tight coupling between the hardware, software, and underlying links. Our solutions can seamlessly "graft" a link to another router, or "migrate" a virtual router to a different physical router. Second, we allow cloud providers to host multiple virtual machines on the same server, without the risk that one virtual machine can attack another by exploiting vulnerabilities in the virtualization layer (i.e., the "hypervisor"). Our NoHype system removes the hypervisor, through a refactoring of the server software, processor, and I/O devices. By rethinking the layers in both the router and server architectures, we provide a more dependable infrastructure for cloud services. Slides (pptx)
- University of Maryland, Mar. 2011.
- Northeastern University, Mar. 2011.
- Bell Labs, Feb. 2011.
- University of Delaware, Feb. 2011.
- Rutgers University, Dec. 2010.
Refactoring Router Software to Minimize Disruption
(previous title: Migrating and Grafting Routers to Accommodate Change)
- Abstract: The complexity of network management is widely recognized as one of the biggest challenges facing the Internet today. Network operators are under tremendous pressure to make their networks highly reliable to avoid service disruptions. Yet, operators often need to change the network to upgrade faulty equipment, deploy new services, and install new routers. Unfortunately, changes cause disruptions, forcing a trade-off between the benefit of the change and the disruption it will cause. We argue that the reason why accommodating change is so difficult is the monolithic view of a router -- the hardware, software, and links are one entity. Hence, we propose two new network-management primitives to break this view where (i) (virtual) routers are allowed to freely move from one physical router to another, and (ii) parts of a router can be seamlessly removed from one router and merged into another without any disruption. In addition to simplifying existing network-management tasks like planned maintenance and service deployment, these primitives can also help tackle emerging challenges such as reducing energy consumption and can even be applied to traffic management. In this talk I will present the design and implementation of our modified router to incorporate these two primitives. Slides (pptx)
- Georgetown University, Nov. 2011.
- University of North Carolina, Mar. 2010.
- Rutgers University, Mar. 2010.
- University of Pennsylvania, Jan. 2010.
- North Carolina State University, Dec. 2010.
- Duke University, Nov. 2010.
Accountability in Hosted Virtual Networks
- Abstract: Virtualization enables multiple networks, each customized for a particular purpose, to run concurrently over a shared substrate. One such model for managing these virtual networks is to create a hosting platform where companies can deploy services by leasing a portion of several physical routers. While lowering the barrier for innovation in the network, this model introduces new security concerns. In this paper we examine the issue of accountability in this setting of hosted virtual networks. That is, how a service provider can know its software is running without modification and that the infrastructure provider's physical router is forwarding packets as instructed with the quality of service promised. Rather than presenting a single specification of what every router on the Internet must look like, in this paper we examine two possible approaches: one that detects violations by monitoring the service and one that prevents violations from occurring in the first place. For each, we provide a description of an architecture that can be achieved with technology available today, the limitations of that architecture, and then propose an extension which overcomes the limitations. Slides (pptx)
- Microsoft Research, Jul. 2009.
- AT&T Research, Jul. 2009.
Virtually Eliminating Router Bugs
- Abstract: Software bugs in routers lead to network outages, security vulnerabilities, and other unexpected behavior. Rather than simply crashing the router, bugs can violate protocol semantics, rendering traditional failure detection and recovery techniques ineffective. Handling router bugs is an increasingly important problem as new applications demand higher availability, and networks become better at dealing with traditional failures. Further demonstrating the importance is a string of recent high profile outages, including a very recent incident where a single prefix announcement to a single provider caused a huge increase in the global update rate and instability due to two bugs in routers from two different vendors. In this paper, we tailor software and data diversity (SDD) to the unique properties of routing protocols, to avoid buggy behavior at run time. Our bug-tolerant router executes multiple diverse instances of routing software, and uses voting to determine the output to publish to the forwarding table, or to advertise to neighbors. We design and implement a router hypervisor that makes this parallelism transparent to other routers, handles fault detection and booting of new router instances, and performs voting in the presence of routing-protocol dynamics, without need to modify software of the diverse instances. Experiments with BGP message traces and the XORP and Quagga open-source software running on our Linux-based router hypervisor demonstrate that our solution scales to large networks and efficiently masks buggy behavior. Slides (pdf)
- NANOG, Jun. 2009.