Ti e E ffi cient Server Audit Problem, Deduplicated Re-execution, - - PowerPoint PPT Presentation

ti e e ffi cient server audit problem deduplicated re
SMART_READER_LITE
LIVE PREVIEW

Ti e E ffi cient Server Audit Problem, Deduplicated Re-execution, - - PowerPoint PPT Presentation

Nov 24, 2022 147 likes •811 views

Ti e E ffi cient Server Audit Problem, Deduplicated Re-execution, and the Web Cheng Tan, Lingfan Yu, Joshua B. Leners*, and Michael Wal fj sh NYU Department of Computer Science, Courant Institute *Two Sigma Investments company Amazon Web

slide-1
SLIDE 1

Tie Efficient Server Audit Problem, Deduplicated Re-execution, and the Web

Cheng Tan, Lingfan Yu, Joshua B. Leners*, and Michael Walfjsh

NYU Department of Computer Science, Courant Institute *Two Sigma Investments

slide-2
SLIDE 2

Amazon Web Services company

Alice employee employee wiki PHP

slide-3
SLIDE 3

Amazon Web Services company

web server OS PHP runtime hypervisor hardware database wiki PHP Alice employee employee

request response

slide-4
SLIDE 4

Amazon Web Services company

web server OS PHP runtime hypervisor hardware database wiki PHP Alice employee employee

request response

  • Alice has confjdence in the wiki's PHP code
slide-5
SLIDE 5

Amazon Web Services company

web server OS PHP runtime hypervisor hardware database wiki PHP Alice employee employee

request response

  • Alice has confjdence in the wiki's PHP code
  • Still, lots of things can go wrong ...
slide-6
SLIDE 6

Amazon Web Services company

web server OS PHP runtime hypervisor hardware database wiki PHP Alice employee employee

request response

  • Alice has confjdence in the wiki's PHP code
  • Still, lots of things can go wrong ...

kiwi PHP

slide-7
SLIDE 7

Amazon Web Services company

web server OS PHP runtime hypervisor hardware database wiki PHP Alice employee employee

request response

  • Alice has confjdence in the wiki's PHP code
  • Still, lots of things can go wrong ...

PCP runtime

slide-8
SLIDE 8

Amazon Web Services company

web server OS PHP runtime hypervisor hardware database wiki PHP Alice employee employee

request response

  • Alice has confjdence in the wiki's PHP code
  • Still, lots of things can go wrong ...

OS hypervisor OS

slide-9
SLIDE 9

Amazon Web Services company

web server OS PHP runtime hypervisor hardware database wiki PHP Alice employee employee

request response

  • Alice has confjdence in the wiki's PHP code
  • Still, lots of things can go wrong ...

web server

slide-10
SLIDE 10

Amazon Web Services company

web server OS PHP runtime hypervisor hardware database wiki PHP Alice employee employee

request response

  • Alice has confjdence in the wiki's PHP code
  • Still, lots of things can go wrong ...

kiwi PHP PCP runtime OS hypervisor OS web server

slide-11
SLIDE 11

Amazon Web Services company

web server OS PHP runtime hypervisor hardware database wiki PHP Alice employee employee

request response

  • Alice has confjdence in the wiki's PHP code
  • Still, lots of things can go wrong ...

kiwi PHP PCP runtime OS hypervisor OS web server

slide-12
SLIDE 12

Amazon Web Services company

web server OS PHP runtime hypervisor hardware database wiki PHP Alice employee employee

request response

  • Alice has confjdence in the wiki's PHP code
  • Still, lots of things can go wrong ...

kiwi PHP PCP runtime OS hypervisor OS web server

  • Tius, Alice wants to audit the delivered responses

– Are they derived from executing the actual application?

slide-13
SLIDE 13

Tie Efficient Server Audit Problem

program server

slide-14
SLIDE 14

Tie Efficient Server Audit Problem

program requests responses server

  • nline phase

clients

slide-15
SLIDE 15

Tie Efficient Server Audit Problem

program requests responses server

  • nline phase

clients

  • 2. server is concurrent
  • 1. server is untrusted; can respond arbitrarily
slide-16
SLIDE 16

Tie Efficient Server Audit Problem

program requests responses server

  • nline phase

clients

  • 2. server is concurrent
  • 1. server is untrusted; can respond arbitrarily

trace collector trace

slide-17
SLIDE 17

Amazon Web Services company

request response

web server OS PHP runtime hypervisor hardware OS hypervisor database OS web server wiki PHP kiwi PHP PCP runtime Alice employee employee wiki PHP

trace collector

slide-18
SLIDE 18

Tie Efficient Server Audit Problem

program verifier audit phase requests responses server

  • nline phase

clients trace collector trace

  • 2. server is concurrent
  • 1. server is untrusted; can respond arbitrarily
slide-19
SLIDE 19

Tie Efficient Server Audit Problem

program verifier audit phase requests responses server

  • nline phase

clients trace collector trace = ? program + requests responses

  • 2. server is concurrent
  • 1. server is untrusted; can respond arbitrarily
slide-20
SLIDE 20

Tie Efficient Server Audit Problem

program verifier audit phase requests responses server

  • nline phase

clients trace collector trace = ? program + requests responses

  • 2. server is concurrent
  • 1. server is untrusted; can respond arbitrarily
  • 4. server overhead is low; legacy applications supported
  • 3. verifjer is weaker than server
slide-21
SLIDE 21

Tie Efficient Server Audit Problem

program verifier audit phase requests responses server

  • nline phase

clients = ? program + requests responses trace collector trace

  • 1. server is untrusted…
  • 2. server is concurrent
  • 3. verifjer is weaker than server
  • 4. server overhead is low...
slide-22
SLIDE 22

Tie Efficient Server Audit Problem

program verifier audit phase requests responses server

  • nline phase

clients = ? program + requests responses

  • Combination of these four is a new problem.
  • Execution integrity is complementary to program verifjcation.

trace collector trace

  • 1. server is untrusted…
  • 2. server is concurrent
  • 3. verifjer is weaker than server
  • 4. server overhead is low...
  • 1. server is untrusted…
  • 2. server is concurrent
  • 3. verifjer is weaker than server
  • 4. server overhead is low...
slide-23
SLIDE 23

program verifier audit phase requests responses server

  • nline phase

clients trace trace collector

  • 1. server is untrusted…
  • 2. server is concurrent
  • 3. verifjer is weaker than server
  • 4. server overhead is low...

What about naive re-execution?

slide-24
SLIDE 24

program verifier audit phase requests responses server

  • nline phase

clients trace trace collector

  • 1. server is untrusted…
  • 2. server is concurrent
  • 3. verifjer is weaker than server
  • 4. server overhead is low...

What about naive re-execution?

= ?

delivered responses produced responses

slide-25
SLIDE 25

program verifier audit phase requests responses server

  • nline phase

clients trace trace collector

What about naive re-execution?

= ?

delivered responses

  • Tiis does not save the verifjer work.
  • 1. server is untrusted…
  • 2. server is concurrent
  • 3. v
  • 3. veri

erifj fjer is weaker than server er is weaker than server

  • 4. server overhead is low...

❌ ✔ ✔ ✔

produced responses

slide-26
SLIDE 26

program verifier audit phase requests responses server

  • nline phase

clients trace trace collector

= ?

produced responses delivered responses

  • Tiis does not save the verifjer work.
  • Instead, we will accelerate re-execution.
  • 1. server is untrusted…
  • 2. server is concurrent
  • 3. verifjer is weaker than server
  • 4. server overhead is low...
  • 1. server is untrusted…
  • 2. server is concurrent
  • 3. v
  • 3. veri

erifj fjer is weaker than server er is weaker than server

  • 4. server overhead is low...

❌ ✔ ✔ ✔

  • 1. server is untrusted…
  • 2. server is concurrent
  • 3. verifjer is weaker than server
  • 4. server overhead is low...

❓ ✔ ❓ ❓

What about naive re-execution?

slide-27
SLIDE 27

Rest of the talk

  • 1. How does the verifjer accelerate re-execution?
  • 2. Why are shared objects (such as DBs) challenging?
  • 3. Does our implementation for PHP perform well?

(these two are in tension)

slide-28
SLIDE 28

Rest of the talk

  • 1. How does the verifjer accelerate re-execution?
  • 2. Why are shared objects (such as DBs) challenging?
  • 3. Does our implementation for PHP perform well?
  • 1. How does the verifjer accelerate re-execution?
slide-29
SLIDE 29

Accelerating re-execution: a 30,000-foot view

server (online) verifier (offline) advice

  • Deduplicate computation across requests
slide-30
SLIDE 30

Poirot’s observation: repeated computation

  • T. Kim, R. Chandra, and N. Zeldovich.

Efficient patch-based audi>ng for web applica>ons. OSDI, 2012

slide-31
SLIDE 31

Poirot’s observation: repeated computation

  • T. Kim, R. Chandra, and N. Zeldovich.

Efficient patch-based audi>ng for web applica>ons. OSDI, 2012

slide-32
SLIDE 32

Poirot’s observation: repeated computation

reqi reqj “My paper” “Another paper”

  • T. Kim, R. Chandra, and N. Zeldovich.

Efficient patch-based audi>ng for web applica>ons. OSDI, 2012

slide-33
SLIDE 33

Poirot’s observation: repeated computation

reqi reqj “My paper” “Another paper”

  • T. Kim, R. Chandra, and N. Zeldovich.

Efficient patch-based audi>ng for web applica>ons. OSDI, 2012

requires trusting the requires trusting the advice advice

slide-34
SLIDE 34

We accelerate re-execution without trusting the server

server (online) verifier (offline) C: tag→{set of reqs} for each tag: – execute C(tag) with SIMD-on-demand – conduct unanimity checks

slide-35
SLIDE 35

We accelerate re-execution without trusting the server

SIMD-on-demand re-executes identical instructions once.

server reqi reqj verifier reqi+reqj server (online) verifier (offline) C: tag→{set of reqs} for each tag: – execute C(tag) with SIMD-on-demand – conduct unanimity checks

slide-36
SLIDE 36

SIMD-on-demand eliminates redundant computation

main(a,b): c ← a * b c ← c + 1 reqi: reqj: a=1;b=2 a=2;b=1

slide-37
SLIDE 37

SIMD-on-demand eliminates redundant computation

main(a,b): c ← a * b c ← c + 1 reqi: reqj: a=1;b=2 a=2;b=1 reqi+reqj c=[2,2]

+1

* *

a=[1,2] b=[2,1]

  • Multi-value represents different values of the same variable.
slide-38
SLIDE 38
  • Verifjer collapses multi-value to scalar if possible.

c=3 reqi+reqj c=[2,2]

+1

* *

a=[1,2] b=[2,1] c=2

  • Multi-value represents different values of the same variable.

SIMD-on-demand eliminates redundant computation

main(a,b): c ← a * b c ← c + 1 reqi: reqj: a=1;b=2 a=2;b=1

slide-39
SLIDE 39

Recap

  • Verifjer re-executes in an accelerated way …
  • ... by exploiting advice from the server ...
  • ... without trusting that advice.
slide-40
SLIDE 40
  • 1. How does the verifjer accelerate re-execution?
  • 2. Why are shared objects (such as DBs) challenging?
  • 3. Does our implementation for PHP perform well?
slide-41
SLIDE 41
  • Will try to give some intuition for the difficulties
  • Solutions in the paper, rigorous proofs in tech report

server (online)

UPDATE database put get SELECT key-value store

slide-42
SLIDE 42
  • For now, assume simple storage model

– Read-write registers, named with letters

  • Will try to give some intuition for the difficulties
  • Solutions in the paper, rigorous proofs in tech report

register B register A write(B,12) 12←read(B) 56←read(A) write(A,56)

server (online)

slide-43
SLIDE 43

Central challenge: re-execution is out of order

write(B,12) 12←read(B) register B 56←read(A) write(A,56) register A

verifier (offline)

register B

server (online)

slide-44
SLIDE 44

Central challenge: re-execution is out of order

write(B,12) 12←read(B) register B 56←read(A) write(A,56) register A

verifier (offline)

register B

server (online)

slide-45
SLIDE 45

Central challenge: re-execution is out of order

write(B,12) 12←read(B) register B 56←read(A) write(A,56) register A

verifier (offline)

register B write(B,12) ←read(B)

?

server (online)

slide-46
SLIDE 46

How can the verifjer re-execute reads? Attempt 1:

  • Server logs read values; verifjer supplies from log

advice

reqi

register B READ 12

… … write(B,12) 12←read(B) register B 56←read(A) write(A,56) register A register B write(B,12) 12←read(B)

verifier (offline) server (online)

slide-47
SLIDE 47

How can the verifjer re-execute reads? Attempt 1:

  • Server logs read values; verifjer supplies from log
  • Tiis can fool the verifjer

advice

reqi

register B READ 12

… …

reqi

register B READ 999

write(B,12) 12←read(B) register B 56←read(A) write(A,56) register A register B write(B,12) 12←read(B) 999←read(B)

999←read(B)

verifier (offline) server (online)

slide-48
SLIDE 48

How can the verifjer re-execute reads? Attempt 2:

advice

reqj

register B WRITE 12

… …

reqk

register B READ

write(B,12) 12←read(B) register B 56←read(A) write(A,56) register A register B write(B,12) 12←read(B)

  • Server: logs operands
  • Verifjer: simulates reads using log and checks writes

verifier (offline) server (online)

slide-49
SLIDE 49

How can the verifjer re-execute reads? Attempt 2:

advice

reqj

register B WRITE 12

… …

reqk

register B READ

write(B,12) 12←read(B) register B 56←read(A) write(A,56) register A register B write(B,12) 12←read(B)

  • Server: logs operands
  • Verifjer: simulates reads using log and checks writes

verifier (offline) server (online)

slide-50
SLIDE 50

How can the verifjer re-execute reads? Attempt 2:

advice

reqj

register B WRITE 12

… …

reqk

register B READ

check if “WRITE 12” write(B,12) 12←read(B) register B 56←read(A) write(A,56) register A register B write(B,12) 12←read(B)

  • Server: logs operands
  • Verifjer: simulates reads using log and checks writes

verifier (offline) server (online)

slide-51
SLIDE 51

Another challenge is validating the log order

  • Order in log could be nonsensical
  • Verifjer must check consistency of log:

– Is log order consistent with observed request order?

req1 r e q

2

resp1 resp2 r e q

3

resp4

server

r e q

4

resp3

… …

req2

  • p

req3

  • p

req2

  • p

req1

  • p

?

consistent with

  • Tiis check must be efficient
slide-52
SLIDE 52
  • 1. How does the verifjer accelerate re-execution?
  • 2. Why are shared objects (such as DBs) challenging?
  • 3. Does our implementation for PHP perform well?
slide-53
SLIDE 53

A built system: Orochi

  • Orochi targets apps based on PHP and SQL (“LAMP”)
  • Server and verifjer: modifjed PHP runtimes
  • Includes techniques for deduplicating database queries
  • Details

– Built atop HipHop VM (HHVM) – 20K lines of C++, PHP, Bash, Python

slide-54
SLIDE 54
  • Is auditing efficient for the verifjer?
  • What is the price of verifjability?
  • How compatible is Orochi with legacy applications?

Evaluation questions

slide-55
SLIDE 55
  • Applications:

– MediaWiki, phpBB and HotCRP

  • Workloads:

– MediaWiki: Wikipedia 2007 trace – phpBB: 7-day’s posts from CentOS forum – HotCRP: Simulation of SIGCOMM’09

slide-56
SLIDE 56

Our workloads see a lot of redundant computation

MediaWiki’s workload (20K requests)

propor>on of iden>cal instruc>ons the number of requests

slide-57
SLIDE 57

200 400 600 800 CPU >me take (s) PHP DB Others

Orochi's verifjer is efficient

beaer

10.9x

MediaWiki’s workload phpBB’s workload HotCRP’s workload

5.6x 6.2x

* Pessimistically estimated from the original online execution Naive re-execu>on* Orochi Naive re-execu>on* Orochi Naive re-execu>on* Orochi

Orochi's verifjer achieves speedups compared to naive replay

slide-58
SLIDE 58

Tie price of verifjability is tolerable

CPU

MediaWiki’s workload phpBB’s workload HotCRP’s workload

4.7% 8.6% 5.9%

trace (per req) advice (per req) Orochi’s

  • verhead

7.1KB 1.7KB 11.4% 5.7KB 0.3KB 2.7%

Network

MediaWiki’s workload phpBB’s workload HotCRP’s workload

3.2KB 0.4KB 10.9%

Storage

MediaWiki’s workload phpBB’s workload HotCRP’s workload

1.0x 1.7x 1.5x Verifjer needs to store the trace and advice for one audit epoch.

slide-59
SLIDE 59

Orochi requires modest application adjustments

  • Lines of code modifjed:

– 346 lines of code change for MediaWiki – 270 lines of code change for phpBB – 67 lines of code change for HotCRP

  • Most of the changes are due to

– PHP features that our implementation does not support – Modifying the application to respect object semantics

slide-60
SLIDE 60

Recap of evaluation

  • Verifjer: 5.6--10.9x speedup over naive re-execution
  • Costs: storage at verifjer, <10% overhead on server
  • Compatibility: Modest application changes
slide-61
SLIDE 61

Related work, future work, and wrap-up

slide-62
SLIDE 62

Related work

  • Efficient execution integrity

– Replication: BFT – Attestation: TPMs, SGX – Probabilistic proofs: Pepper, CMT, Pinocchio, Pantry, SNARKs

  • Computation deduplication (Delta execution, iTireads)
  • Record-replay

– Untrusted recorder: Accountable Virtual Machines – Accelerated replayer: Poirot – Multiprocessor: RecPlay, LEAP, DoublePlay, PRES, ODR, …

  • 1. server is untrusted
  • 2. server is concurrent
  • 3. verifjer is weaker than server
  • 4. server overhead is low; compatibility
  • 1. server is untrusted
  • 2. server is concurrent
  • 3. verifjer is weaker than server
  • 4. server overhead is low; compatibility

  • 1. server is untrusted
  • 2. server is concurrent
  • 3. verifjer is weaker than server
  • 4. server overhead is low; compatibility

❌ ❌ – Attestation: TPMs, SGX

slide-63
SLIDE 63

Related work

  • Efficient execution integrity

– Replication: BFT – Attestation: TPMs, SGX – Probabilistic proofs: Pepper, CMT, Pinocchio, Pantry, SNARKs

  • Computation deduplication (Delta execution, iTireads)
  • Record-replay

– Untrusted recorder: Accountable Virtual Machines – Accelerated replayer: Poirot – Multiprocessor: RecPlay, LEAP, DoublePlay, PRES, ODR, …

  • 1. server is untrusted
  • 2. server is concurrent
  • 3. verifjer is weaker than server
  • 4. server overhead is low; compatibility
  • 1. server is untrusted
  • 2. server is concurrent
  • 3. verifjer is weaker than server
  • 4. server overhead is low; compatibility

  • 1. server is untrusted
  • 2. server is concurrent
  • 3. verifjer is weaker than server
  • 4. server overhead is low; compatibility

❌ ❌

  • 1. server is untrusted
  • 2. server is concurrent
  • 3. verifjer is weaker than server
  • 4. server overhead is low; compatibility

❌ ❌ – Probabilistic proofs: Pepper, CMT, Pinocchio, Pantry, SNARKs

slide-64
SLIDE 64

Related work

  • Efficient execution integrity

– Replication: BFT – Attestation: TPMs, SGX – Probabilistic proofs: Pepper, CMT, Pinocchio, Pantry, SNARKs

  • Computation deduplication (Delta execution, iTireads)
  • Record-replay

– Untrusted recorder: Accountable Virtual Machines – Accelerated replayer: Poirot – Multiprocessor: RecPlay, LEAP, DoublePlay, PRES, ODR, …

  • 1. server is untrusted
  • 2. server is concurrent
  • 3. verifjer is weaker than server
  • 4. server overhead is low; compatibility
  • 1. server is untrusted
  • 2. server is concurrent
  • 3. verifjer is weaker than server
  • 4. server overhead is low; compatibility

  • 1. server is untrusted
  • 2. server is concurrent
  • 3. verifjer is weaker than server
  • 4. server overhead is low; compatibility

❌ ❌

  • 1. server is untrusted
  • 2. server is concurrent
  • 3. verifjer is weaker than server
  • 4. server overhead is low; compatibility

❌ ❌

  • Computation deduplication (Delta execution, iTireads)
  • Record-replay
slide-65
SLIDE 65

Wrap-up and future work

  • Our solution to the Efficient Server Audit Problem:

– Includes a new accelerated re-execution technique – Includes new algorithms for verifying concurrent executions – Comes with a rigorous proof of correctness

  • Our instantiation for PHP, SQL web apps:

– 5-10x speedups over a naive replay; <10% CPU overhead on server

  • Future work includes:

– SGX integration – Extend to multiple interacting servers – Accelerate other record-replay systems