Workshop Program

Cloud systems such as Hadoop, Spark and Zookeeper are frequently written in Java or other garbage-collected languages. However, GC-induced pauses can have a significant impact on these workloads. Specifically, GC pauses can reduce throughput for batch workloads, and cause high tail-latencies for interactive applications.

In this paper, we show that distributed applications suffer from each node’s language runtime system making GC-related decisions independently. We first demonstrate this problem on two widely-used systems (Apache Spark and Apache Cassandra). We then propose solving this problem using a Holistic Runtime System, a distributed language runtime that collectively manages runtime services across multiple nodes.

We present initial results to demonstrate that this Holistic GC approach is effective both in reducing the impact of GC pauses on a batch workload, and in improving GC-related tail-latencies in an interactive setting.

Recent big data processing systems provide quick answers to users by keeping data in memory across a cluster. As a simple way to manage data in memory, the systems are deployed as long-running workers on a static allocation of the cluster resources. This simplicity comes at a cost: elasticity is lost. Using today’s resource managers such as YARN and Mesos, this severely reduces the utilization of the shared cluster and limits the performance of such systems. In this paper, we propose Elastic Memory, an abstraction that can dynamically change the allocated memory resource to improve resource utilization and performance. With Elastic Memory, we outline how we enable elastic interactive query processing and machine learning.

Idle CPUs may enter power-saving hardware sleeps by, for instance, lowering the operating voltage and flushing the caches. However, wakeup delays that reach one hundred Secs or more are disrupting the operations of fast devices like solid-state disks and tightly integrated accelerators. On the other hand, maximal power savings on modern multicores are only realized through continuous, simultaneous CPU sleeps. We argue that strong software engagement (at the OS and applications) is needed to maximize the power saving while maintaining the desired performance. Specifically, we present anticipatory CPU wakeups for latency-sensitive operations on fast devices. We also explore power-saving sleep shaping opportunities through non-work-conserving scheduling on smartphones and staged bursts on servers.

To attain high program performance, a developer must be conscious to the many intricacies of hardware and organize their code accordingly. This however, is not an easy task. Often the hardware is unknown to developers, or, if it is known, it is difficult to control or account for. Developers struggle with this challenge by using hardware conscious algorithms, specialized programming languages, or doing manual low-level optimizations.

We investigate the concept of instruction organization at a more general level. In particular, we investigate if a program, running on existing hardware, can be automatically reorganized according to a chosen organization metric. Further, if the reorganization can be done automatically, a program can then be reorganized during execution to adapt to changes in system resources, and changing execution and data access patterns.

We use data locality as an organization metric with the goal of reducing data access latency and improving program performance.

We propose FlexNIC, a flexible network DMA interface that can be used by operating systems and applications alike to reduce packet processing overheads. The recent surge of network I/O performance has put enormous pressure on memory and software I/O processing subsystems. Yet even at high speeds, flexibility in packet handling is still important for security, performance isolation, and virtualization.

Thus, our proposal moves some of the packet processing traditionally done in software to the NIC DMA controller, where it can be done flexibly and at high speed. We show how FlexNIC can benefit widely used data center server applications, such as key-value stores.

While it is widely acknowledged that the Border Gateway Protocol (BGP) has many flaws, most of the proposed fixes focus solely on improving the stability and security of its path computation. However, because interdomain routing involves contracts between Autonomous Systems (ASes), this paper argues that contractual and routing issues should be tackled jointly. We propose Route Bazaar, a backward-compatible system for flexible Internet connectivity. Inspired by the decentralized construction of trust in cryptocurrencies, Route Bazaar uses a decentralized public ledger and cryptography to provide ASes with automatic means to form, establish, and verify end-to-end connectivity agreements.

In certain usage scenarios, mobile devices are required to operate in some constrained manner. For example, when movies are being screened in movie theaters, all devices in the room must be muted. However, typical mobile devices operate in unrestricted mode, allowing users to control their configurations. As a result, it is hard to guarantee that mobile devices operate under certain restrictions. In this paper, we present a security architecture that enables mobile applications to temporarily restrict the functionality of devices. To this end, we introduce a novel abstraction for mobile operating systems (MOS) called trust lease, which enables devices to safely switch between modes. We discuss the design implications that need to be addressed to implement this primitive on modern MOSes.

Applications using connected devices are difficult to develop today because they are constructed as monolithic silos, tightly coupled to sensing devices, and must implement all data sensing and inference logic, even as devices move or are temporarily disconnected. We present Beam, a framework and runtime for distributed inference-driven applications that (i) decouples applications, inference algorithms, and devices, (ii) handles environmental dynamics, and (iii) automatically splits sensing and inference logic across devices while optimizing resource usage. Using Beam, applications only specify "what should be sensed or inferred," without worrying about "how it is sensed or inferred." Beam simplifies application development and maximizes the utility of user-owned devices. It is time to end monolithic apps for connected devices.

There have been many recent advances in distributed systems that provide stronger semantics for geo-replicated data stores like those underlying Facebook. These research systems provide a range of consistency models and transactional abilities while demonstrating good performance and scalability on experimental workloads. At Facebook we are excited by these lines of research, but fundamental and operational challenges currently make it infeasible to incorporate these advances into deployed systems. This paper describes some of these challenges with the hope that future advances will address them.

Unix took a rich smorgasbord of operating system features from its predecessors and pared it down to a small but powerful set of abstractions: files, processes, pipes, and the shell to glue the system together. In the intervening forty years, the common-case computational substrate has evolved from a lone PDP-11 minicomputer to vast clouds of virtualized computational resources. Contemporary distributed systems are being built by adding layer upon layer atop the foundation established by Unix’s chosen abstractions. Unfortunately, the resulting mess has lost the “simplicity, elegance, and ease of use” that was a hallmark of the original Unix design. To cope with distribution at astronomic scale, we must take our operating systems back to the drawing board. We are living in a new world, and it is time to be brave.

A physical memory address is no longer the stable concept it was. We demonstrate how modern computer systems from rack-scale to SoCs have multiple physical address spaces, which overlap and intersect in complex, dynamic ways, and may be too small to even address available memory in the near future.

We present a new model of representing and interpreting physical addresses in a machine for the purposes of memory management, and outline an implementation of the model in a memory system based on capabilities which can handle arbitrary translations between physical address spaces and still globally manage system memory.

Finally, we point out future challenges in managing physical memory, of which our model and design are merely a foundation.

What a user does in an app (e.g., viewing the menu of a restaurant or listening to the same song several times) is key to understanding user interests and preferences, and ultimately to enabling personalised experiences. This kind of behavioural analytics information, as we call it, is rarely used today (and if it is used, it remains siloed in one app). This paper makes a case for the OS to provide an in-app behavioural analytics service which monitors user activities within an app to extract such analytics and to share them with other apps in a secure, private and uniform way. All this must be achieved with zero-developer effort and with low resource overhead.

User-generated content is becoming increasingly common on the Web, but current web applications isolate their users’ data, enabling only restricted sharing and cross-service integration. We believe users should be able to share their data seamlessly between their applications and with other users. To that end, we propose Amber, an architecture that decouples users’ data from applications, while providing applications with powerful global queries to find user data. We demonstrate how multi-user applications, such as e-mail, can use these global queries to efficiently collect and monitor relevant data created by other users. Amber puts users in control of which applications they use with their data and with whom it is shared, and enables a new class of applications by removing the artificial partitioning of users’ data by application.

Software that is provably correct has been a long-time goal of computer science. Until recently this goal was realized for only small programs, but over the last decade several large systems have been built that have provable correctness properties. Examples include CompCert, seL4, IronClad, CertiKOS, Bedrock, Termite, Click’s dataplane, and Jitk. One aspect not covered by these systems is reasoning about failures—power failures, hardware faults, or software bugs—which is well-known to be tricky in systems code.

In this paper, we advocate “activity” to be a central abstraction between people and computing instead of applications. We outline the vision of the activity platform as the next-generation social platform.

Cloud IaaS and PaaS tenants rely on cloud providers to provide network infrastructures that make the appropriate tradeoff between cost and performance. This can include mechanisms to help customers understand the performance requirements of their applications. Previous research (e.g., Proteus and Cicada) has shown how to do this for network-bandwidth demands, but cloud tenants may also need to meet latency objectives, which in turn may depend on reliable limits on network latency, and its variance, within the cloud providers infrastructure. On the other hand, if network latency is sufficient for an application, further decreases in latency might add cost without any benefit. Therefore, both tenant and provider have an interest in knowing what network latency is good enough for a given application.

This paper explores several options for a cloud provider to infer a tenants network-latency demands, with varying tradeoffs between requirements for tenant participation, accuracy of inference, and instrumentation overhead. In particular, we explore the feasibility of a hypervisor-only mechanism, which would work without any modifications to tenant code, even in IaaS clouds.

Common misconceptions about randomness underlie the design and implementation of randomness sources in popular operating systems. We debunk these fallacies with a survey of the “realities of randomness” and derive a number of new architectural principles for OS randomness subsystems.

Embedded sensor platforms can dissipate most of their energy in accessing sensor integrated circuits such as gyroscopes. But the algorithms which process the sensor data and the humans who consume the overall output of the system may often be able to tolerate some amount of error in the retrieved sensor values. Because devices are accessed through interfaces provided by system software, exploiting the tolerable error for improvements in energy efficiency requires appropriate system software and hardware support. However, no such support currently exists.

We present Lax, a device driver abstraction for interacting with sensors that enables power savings in exchange for occasionally returning erroneous sensor data. Our implementation on a hardware prototype delivers savings in sensor dynamic power dissipation of up to 48% (as compared to precise device access) while providing sensor access error rates lower than 5 data acquisition errors per 100 data accesses. Given the significant proportion of system energy budgets in wearable platforms that are devoted to sensors, approximate sensor data acquisition using Lax can deliver significant system-level energy savings.

How to perform a systematic security analysis of complex applications is a challenging and open question. Approaches based on formal verification are impeded due to the lack of application specifications. To address this challenge, we propose a framework, called ASPIRE, that enables analysts to automatically synthesize specifications from examples such as application input-output examples and system demonstrations. Our approach starts by synthesizing the initial candidate specifications in a domain specific language that conform to the examples, and iteratively prunes the candidate set by incorporating more user feedback. We implement a prototype of ASPIRE for synthesizing and checking specifications of web applications, although our approach is not limited to web security, and use it in three case studies to demonstrate the discovery of complex vulnerabilities in implementations of real world web applications. Our work is the first to design a general framework that leverages program synthesis techniques for security applications.