Looking at lists of publications doesn't necessarily tell the whole story on how they fit together nor does it indicate what is current research. Below I list the four main projects that I've been involved with. Though, calling them projects is a bit inaccurate since it's really more like streams of research -- a project seems to imply a more structured problem definition, work plan, and end goal up front.

Virtualization Security (heavy focus)

Cloud computing is quickly becoming the platform of choice for many web services. Virtualization is the key underlying technology enabling cloud providers to host services for a large number of customers. Unfortunately, virtualization software is large and complex, and therefore prone to bugs and vulnerabilities that a malicious virtual machine (VM) can exploit to attack or obstruct other VMs---a major concern for organizations wishing to move "to the cloud.'' In contrast to previous work on hardening or minimizing the virtualization software, we remove the hypervisor so guest VMs can run natively on the underlying hardware. Our NoHype system has four key components: (i) pre-allocation of CPU and memory resources, (ii) virtualized I/O devices, (iii) minor modifications to the guest OS to perform all system discovery during bootup, and (iv) routing interrupts and identifiers directly to the guest VM. Hence, no hypervisor is needed to allocate resources dynamically, emulate I/O devices, support system discovery after bootup, or map interrupts and other identifiers. NoHype capitalizes on the unique use model in cloud computing, where customers specify resource requirements ahead of time and providers offer a suite of OS kernels. Our prototype utilizes Xen 4.0 to prepare the environment for guest VMs, and a slightly modified version of Linux 2.6 for the guest OS. Our evaluation with both SPEC and Apache benchmarks shows a roughly 1% performance gain over running applications on top of Xen. Our security analysis shows that, while there are some minor limitations with current commodity hardware, NoHype is a significant advance in the security of cloud computing.

We are actively continuing the line of research started with NoHype by branching it out in many directions. Two of which are listed here as examples.

Insider Threats: With NoHype we addressed the threat of a malicious VM (either infected with malware, or leased from the cloud provider by a malicious party) attacking the virtualization layer. That is, we trusted the cloud provider. We are now extending the threat model to include the cloud provider as part of the threat -- i.e., insider attacks. A recent survey by Northrop Grumman suggested 16 of the 17 cloud providers they surveyed completely trust their employees. However, the threat of an insider attack grows with the size of the cloud infrastructure. Of course, since the survey 1 of the providers had an insider breach and now does more extensive background checks.

New domains (e.g., Wireless Access Networks): Virtualization is not just transforming cloud computing, but being utilized in many systems. The security of each is important and the threat model and assumptions that can be made vary. We're exploring pushing the use of virtualization and NoHype concepts into new domains -- namely wireless access networks and desktop/laptop/smartphones.

Relevant papers:

Eliminating the Hypervisor Attack Surface for a More Secure Cloud

  • Jakub Szefer, Eric Keller, Jennifer Rexford, and Ruby B. Lee
  • In ACM Conference on Computer and Communications Security (CCS). Oct., 2011.
  • ( paper  )

NoHype: Virtualized cloud infrastructure without the virtualization

  • Eric Keller, Jakub Szefer, Jennifer Rexford, and Ruby B. Lee
  • In Proc. International Symposium on Computer Architecture (ISCA). July, 2010.
  • ( paper  , presentation-ppt  , presentation-pdf  )

Accountability in hosted virtual networks

  • Eric Keller, Ruby Lee, and Jennifer Rexford
  • In Proc. Workshop on Virtualized Infrastructure Systems and Architectures (VISA). Aug., 2009.
  • ( paper  , presentation-ppt  )

Cloud Resident Data Center (ramping up)

Today's simple abstraction of leasing a virtual machine on a hosted infrastructure makes applications simple to create, rapid to expand, and economical to run. However, companies must sacrifice the control they normally have with their own private infrastructure---e.g., the control of security measures within the network as well as the isolation between networks. As a result, many companies continue to run applications on their own private infrastructure, forgoing the many benefits of the public cloud.

Rather than leasing individual virtual machines, we argue that cloud providers should offer customers an entire cloud resident data center--- effectively providing isolation of the shared network that is comparable to physical isolation while giving each customer the illusion of full control over the network. With the cloud resident data center, the provider presents each customer with a virtualized infrastructure, including a virtualized network topology that the customer can configure. This allows the customer to forward packets over paths with different performance properties, control the sharing of bandwidth across different services, or direct traffic through its own firewalls, load balancers, and intrusion detection systems.

While the security properties are universally desirable, the abstraction of full control may not be appropriate for all companies -- the users of infrastructures such as Amazon EC2 are currently dominated by small, new companies who want the simplicity of today's abstraction. However, by going to the extreme of providing the abstraction of controlling an entire data center, we can support all customer requirements and better understand the security threats in public clouds. A set of tools can provide the simpler abstraction to those that do not need the full control. Further, supporting this extreme will help develop technology that is useful independent of the abstraction. Two initial examples include technology to enable a more seamless transition to software defined networks and technology to enable live migration of a collection of virtual machines and associated network without disruption.

Relevant papers:

Cloud Resident Data Center

  • Eric Keller, Dmitry Drutskoy, Jakub Szefer, and Jennifer Rexford
  • Princeton University Computer Science Department Technical Report TR-914-11. Sept., 2011.
  • ( paper  )

The 'Platform as a Service' model for networking

  • Eric Keller and Jennifer Rexford
  • In Proc. Internet Network Management Workshop and Workshop on Research in Enterprise Networking (INM/WREN). Apr., 2010.
  • ( paper  , presentation-ppt  , presentation-pdf  )

Refactoring Router Software to Minimize Disruption (wrapping up)

The best resource for this work is my Ph.D. Dissertation titled, "Refactoring Router Software to Minimize Disruption" (2011) .

Network operators are under tremendous pressure to make their networks highly reliable to avoid service disruptions. Yet, operators often need to change the network to upgrade faulty equipment, deploy new services, and install new routers. Unfortunately, changes cause disruptions, forcing a trade-off between the benefit of the change and the disruption it will cause. This disruption comes from the very design of the routers and routing protocols underlying the Internet's operation. First, since the Internet is composed of many smaller networks, in order to determine a path between two end points, a distributed calculation involving many of the networks is necessary. Therefore, during any network event that requires a calculation, there will be a period of time when there are disagreements among the routers in the various networks, potentially leading to the situation where there is no path available between some end points. Second, selecting routes involves computations across millions of routers spread over vast distances, multiple routing protocols, and highly customizable routing policies. This leads to very complex software systems. Like any complex software, routing software is prone to implementation errors, or bugs (a significant security threat to the Internet in that it is a very plausible way to create a cyber-nuke). Given these disruptions, operators must make tremendous effort to minimize their effect. Not only does this lead to a lot of human effort, it also increases the opportunity for mistakes in the configuration -- a common cause of outages.

We believe that with a refactoring of today's router software we can make the network infrastructure more accommodating of change, and therefore more reliable and easier to manage.

First, we tailor software and data diversity (SDD) to the unique properties of routing protocols, so as to avoid buggy behavior at run time. Our bug-tolerant router executes multiple diverse instances of routing software, and uses voting to determine the output to publish to the forwarding table, or to advertise to neighbors. We designed and implemented a router hypervisor that makes this parallelism transparent to other routers, handles fault detection and booting of new router instances, and performs voting in the presence of routing-protocol dynamics, without needing to modify software of the diverse instances.

Second, we argue that breaking the tight coupling between the physical and logical configurations of a network can provide a single, general abstraction that simplifies network management. Specifically, we propose VROOM (Virtual ROuters On the Move), a new network-management primitive where virtual routers can move freely from one physical router to another. We present the design, implementation, and evaluation of novel migration techniques for virtual routers with either hardware or software data planes.

Finally, we introduce the concept of router grafting. This capability allows an operator to rehome a customer with no disruption, compared to downtimes today measured in minutes. With our architecture, this rehoming can be performed completely transparently from the neighboring network -- where the customer's router is not modified and is unaware migration is happening.

Together, these three modifications enable network operators to perform the desired change on their network without (i) possibly triggering bugs in routers that causes Internet-wide instability, (ii) causing unnecessary network re-convergence events, (iii) having to coordinate with neighboring network operators, or (iv) needing an Internet-wide upgrade to new routing protocols.

Relevant papers:

Rehoming Edge Links for Better Traffic Engineering

  • Eric Keller, Michael Schapira, and Jennifer Rexford
  • In Submission. , 2011.

Seamless BGP Migration with Router Grafting

Virtually Eliminating Router Bugs

  • Eric Keller, Minlan Yu, Matthew Caesar, and Jennifer Rexford
  • In Proc. International Conference on emerging Networking EXperiments and Technologies (CoNEXT). Dec., 2009.
  • ( paper  , presentation-ppt  )

Virtual Routers on the Move: Live Router Migration as a Network-Management Primitive

  • Yi Wang, Eric Keller, Brian Biskeborn, Jacobus van der Merwe, Jennifer Rexford
  • In Proc. ACM SIGCOMM. Aug., 2008.
  • ( paper  , presentation-ppt  )

FPGA Research -- Run-time Reconfigurable Computing, System Level Design, Networking (retired)

Run-time Reconfiguable Computing: One unique aspect of FPGAs, in comparison to ASICs, is their ability to be reprogrammed. This capability can blur the difference between hardware and software. Yet without tool support, this capability goes unused. JBits is a development environment, that I helped developed, that enables run-time reconfiguration by providing an API into the configuration bitstream. In particular I created JRoute, a router, as a layer on top of JBits and later ported JBits to the embedded processor along with a number of applications that require run-time reconfiguration (see the gene matching paper, which received much interest).

System Level Design: At this point, FPGAs started becoming integrated with processors -- hard embedded processors (e.g., PowerPC on the Virtex 2 Pro) or soft processors (Microblaze). This means you can take advantage of the FPGA in unique ways. We looked at (i) extending the reconfiguration support inspired by JBits (see the "self reconfiguring platform" paper), (ii) proposing unique ways to use the processor (see the "software decellerators" paper), and (iii) creating an architecture that mimics a board which has a central processor and pluggable cards (the project was canned before it could be published). For this last one, the FPGA logic was partitioned into slots whose configuration can be dynamically loaded by software running on the processor embedded in the FPGA (much like plugging in a card). The only documentation available are the related patents -- 7,076,596 and 7,028,283.

Networking: I then focused on a single domain -- networking. Traditionally, implementing functionality on FPGAs currently requires using a hardware description language. We proposed and created a tool flow that was geared towards networking experts, yet efficiently mapped to an FPGA. This toolkit consists of three components: (i) a system level description tool for creating pipelines (ie., Click to FPGA), (ii) domain specific language to define elements in the pipeline (the language is called G), and (iii) a simulation environment. Unfortunately, much of this was unpublished -- due to internal decisions not to publish. Though, some information about G can be found here, and the initial work about building a platform for domain specific design was published (see the two "hyper-programmable" papers).

Following the lines of networking, I collaborated with researchers at UIUC for proposing that network protocols should be designed with a hardware implementation in mind. BGP is one protocol that could use some "hardware acceleration" as we've been forced to slow down the rate at which information is propagated due to processing concerns at routers (referring to, e.g., MRAI timers). We showed (through implementation on FPGA) that we can accelerate BGP by an order of magnitude. Even more, we noted that several features of BGP were very geared toward a software implementation. With a slight modification of the protocol (keeping the functionality), we saw a further 2 orders of magnitude improvment. See the Better by a HAIR paper.

The future: While I have largely gone away from FPGAs recently, I do feel they have an important place in future infrastructure -- along side processors in large data centers for more efficent processing, in network equipment to enable more programmability, and in the billions of embedded devices soon to come online.

Relevant papers:

Better by a HAIR: Hardware-Amenable Internet Routing

  • Firat Kiyak, Brent Mochizuki, Eric Keller, and Matthew Caesar
  • In Proc. IEEE International Conference on Network Protocols (ICNP). Oct., 2009.
  • ( paper  , presentation-ppt  )

Programming a Hyper-Programmable Architectures for Networked Systems

  • Eric Keller and Gordon Brebner
  • In Proc. International Conference on Field-Programmable Technology (FPT). Dec., 2004.
  • ( paper  , presentation-ppt  )

Hyper-Programmable Architectures for Adaptable Networked Systems

  • Gordon Brebner, Phil James-Roxby, Eric Keller, Chidamber Kulkarni
  • In Proc. IEEE 15th International Conference on Application-specific Systems, Architectures and Processors (ASAP). Sept., 2004.
  • ( paper  )

Software Decelerators

  • Eric Keller, Gordon Brebner, Phil James-Roxby
  • In Proc. 13th International Field Programmable Logic and Applications Conference (FPL). Sept., 2003.
  • ( paper  , presentation-ppt  )

A Self-Reconfiguring Platform

  • Brandon Blodget, Philip James-Roxby, Eric Keller, Scott McMillan, Prasanna Sundararajaran
  • In Proc. 13th International Field Programmable Logic and Applications Conference (FPL). Sept., 2003.
  • ( paper  , presentation-ppt  )

Gene Matching Using JBits

  • Steven A. Guccione and Eric Keller
  • In Proc. 12th International Field-Programmable Logic and Applications Conference (FPL). Sept., 2002.
  • ( paper  , presentation-ppt  )

JRoute: A Run-Time Routing API for FPGA Hardware

  • Eric Keller
  • In Proc. 7th Reconfigurable Architectures Workshop (RAW 2000). May, 2000.
  • ( paper  , presentation-ppt  )