
Research topics
- Computer Science
- Operating system
- Distributed computing
- Operations management
- Computer network
- Engineering
Selected publications
Container Data Item: An Abstract Datatype for Efficient Container-based Edge Computing
2026-02-16
Building a Security OS With Software Defined Infrastructure
UNC Libraries · 2026-04-03
article · Open access · 1st author · Corresponding
The recent emergence of Software-Defined Infrastructure (SDI) offers a number of useful tools for managing, monitoring, containing, shepherding, and recovering computing units within an enterprise, cloud, or data center. As SDI utilities grow and the types of resources that can be abstracted into software-managed control and data planes increase, there is a pressing need for datacenter-level operating systems (OSes). Such a datacenter-level OS can further abstract and easily capture higher-level policy goals, and push them down to different types of hardware and software, ranging from application processes to storage and networking. This paper thus proposes S2OS, an SDI-defined Security OS, which offers an easy-to-use, programmable security model for monitoring and dynamically securing applications. We anticipate S2OS could unlock a wide range of unprecedented security opportunities, including fine-grained and dynamic security programmability at infrastructure scale, and information flow tracking across an entire infrastructure.
Efficiency, Expressivity, and Extensibility in a Close-to-Metal NPU Programming Interface
2025-05-04
article · Senior author
Accelerators such as neural processing units (NPUs) deliver an enticing balance of performance and efficiency compared to general purpose compute architectures. However, effectively leveraging accelerator capabilities is not always simple: low-level programming toolkits may require substantial developer effort while high-level programming toolkits may abstract critical optimization features. This work aims to increase efficiency of designers using IRON, a toolkit for close-to-metal NPU performance engineers. We provide an updated programmer interface to IRON containing new and refined programming constructs. The new interface includes extensible features for placement and data transformation. These contributions are evaluated in terms of 1) efficiency, with analysis showing ~26% average reduction in lines of code and decreases in Halstead metrics for a variety of designs; 2) expressivity, demonstrating the new interface supports the wide range of features and patterns already supported by IRON; and 3) extensibility, illustrating the new tooling for placement and tiling can be extended to accommodate common use-cases.
Efficiency, Expressivity, and Extensibility in a Close-to-Metal NPU Programming Interface
ArXiv.org · 2025-04-25
preprint · Open access · Senior author
DND-Db: A Democratized Network Data Database for Tailored Routing and Security Campaigns
2025-05-12
article · Senior author
Despite the desire to fix BGP's underlying security shortcomings, present solutions, such as RPKI, have struggled to achieve broad adoption. Focusing on providers' needs first can incentivize the adoption of platforms that better enable the integration of security mechanisms, thereby overcoming stagnation and deployment barriers. To demonstrate this concept, we propose a real-time global routing database of network data that providers could leverage to support the management, troubleshooting, and business needs of their own networks. We show how broadly sharing information about networks, such as link usage and cost, can be leveraged to obtain business-optimal routing decisions that could reduce provider transit costs by an average of 10% over standard BGP route selection, or to provide route selection based on customer-defined security requirements; both are incentives for a business to adopt. We then leverage the same database to show how security solutions, similar to RPKI and BGPsec, could easily be adopted to further enhance internet security outcomes, demonstrating an incentivized approach to security adoption.
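As an added example, not the paper's system or data: a small Python route selector that contrasts a plain BGP tie-break (shortest AS path, then lowest neighbour AS) with selection over a provider-shared transit-cost field, filtered first by a customer-defined security requirement, here RPKI-style route origin validation (RFC 6811 states) against a ROA. The prefix, ASNs, costs and ROA are constructed (documentation prefix, private ASNs); the class, function and field names are assumptions made for this illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Iterable, Optional


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple          # neighbour AS first, origin AS last
    transit_cost: float     # hypothetical provider-shared cost of sending traffic via this neighbour

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]

    @property
    def neighbor_as(self) -> int:
        return self.as_path[0]


@dataclass(frozen=True)
class Roa:
    prefix: str
    origin_as: int
    max_len: int


def rov_state(route: Route, roas: Iterable[Roa]) -> str:
    """Route Origin Validation outcome per RFC 6811: valid / invalid / not-found."""
    net = ip_network(route.prefix)
    covering = [r for r in roas if net.subnet_of(ip_network(r.prefix))]
    if not covering:
        return "not-found"
    if any(r.origin_as == route.origin_as and net.prefixlen <= r.max_len for r in covering):
        return "valid"
    return "invalid"


def bgp_default_select(routes: list) -> Route:
    """Subset of the standard BGP decision process: shortest AS path, then lowest neighbour AS."""
    return min(routes, key=lambda r: (len(r.as_path), r.neighbor_as))


def policy_select(routes: list, roas: Iterable[Roa], reject_invalid: bool = True,
                  avoid_ases: frozenset = frozenset()) -> Optional[Route]:
    """Apply the customer's security requirement first, then pick the cheapest transit,
    falling back to the BGP tie-break only among equally priced routes."""
    candidates = []
    for r in routes:
        if reject_invalid and rov_state(r, roas) == "invalid":
            continue                                # ROV-invalid: drop regardless of price
        if avoid_ases.intersection(r.as_path):
            continue                                # customer refuses to transit these ASes
        candidates.append(r)
    if not candidates:
        return None
    return min(candidates, key=lambda r: (r.transit_cost, len(r.as_path), r.neighbor_as))


# Constructed sample data: documentation prefix and private-use ASNs, not real routes.
ROAS = [Roa("203.0.113.0/24", origin_as=64496, max_len=24)]
ROUTES = [
    Route("203.0.113.0/24", as_path=(64500, 64510, 64496), transit_cost=1.0),
    Route("203.0.113.0/24", as_path=(64501, 64496), transit_cost=2.5),
    Route("203.0.113.0/24", as_path=(64502,), transit_cost=0.4),  # AS 64502 originates a prefix the ROA assigns to 64496
]


def compare() -> dict:
    """Neighbour chosen by each strategy for the constructed prefix."""
    default = bgp_default_select(ROUTES)
    policy = policy_select(ROUTES, ROAS)
    policy_avoid = policy_select(ROUTES, ROAS, avoid_ases=frozenset({64510}))
    return {
        "default_bgp": default.neighbor_as,
        "default_bgp_rov": rov_state(default, ROAS),
        "policy": policy.neighbor_as,
        "policy_avoiding_64510": policy_avoid.neighbor_as,
    }


if __name__ == "__main__":
    print(compare())
```

The shortest-path tie-break picks the one-hop route from AS 64502 even though it is ROV-invalid; the policy selector drops it and then prefers the cheaper three-hop path over the shorter but pricier one, which is the kind of cost-driven choice the abstract argues gives providers a reason to consume the shared data in the first place.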
THORN-ML: Transparent Hardware Offloaded Resilient Networks for RDMA based Distributed ML Workloads
2025-11-19
article · Open access · Senior author
Distributed deep learning (DDL) requires a great investment in cloud infrastructure, including accelerated compute nodes and networking hardware capable of supporting high-performance networking, e.g., Remote Direct Memory Access (RDMA). When a host running a DDL application becomes unreachable, the cost can be high as application-level failure recovery is slow and disruptive. When the host is unreachable due to host failure, this is unavoidable; however, when the network components involved in attaching the host to the core data center network fail, we argue that this cost is avoidable. This paper introduces THORN-ML, a hardware-offloaded resilient network architecture that is completely transparent to DDL applications and works with commodity hardware. We evaluate THORN-ML on a cluster of 5 nodes with Nvidia A100 GPUs and Mellanox ConnectX-5 NICs, with several applications leveraging model parallelism and/or data parallelism, and find that THORN-ML reduces disruption from minutes (impacting the whole cluster) to milliseconds (impacting packets that can be re-transmitted).
LinuxFP: Transparently Accelerating Linux Networking
2024-07-23
article · Senior author
This paper introduces transparent acceleration into the Linux networking stack. To do so, we build on years of research in creating high-performance software-based packet processing systems. Rather than treating these technologies as alternative pipelines, we leverage the technology to create explicit fast paths in the Linux kernel. With this, Linux still serves as a complete implementation of all its supported protocols, but frequent operations on the critical path can be transparently handled by a fast path. We implement a controller that continuously introspects the Linux kernel to determine exactly what packet-processing functionality is currently configured. The controller then synthesizes and deploys a minimal fast path into the packet processing pipeline that only implements functionality that is currently needed. In this way, common command line tools, such as brctl, control plane software, such as FRRouting (FRR), and higher-level management frameworks such as Kubernetes and Ansible, work without modification and transparently benefit from a faster network data plane. Our system, LinuxFP, includes a controller that can implement IP forwarding, bridging, and IP filtering fast paths that are synthesized on-demand using their specific and current configuration in the kernel. We evaluate performance improvements using Linux management tools and a Kubernetes network plugin. We show performance improvements over Linux of 77% for packet forwarding and 20% for an unmodified Kubernetes network plugin.
Container Data Item: An Abstract Datatype for Efficient Container-based Edge Computing
arXiv (Cornell University) · 2024-09-01
preprint · Open access
We present Container Data Item (CDI), an abstract datatype that allows multiple containers to efficiently operate on a common data item while preserving their strong security and isolation semantics. Application developers can use CDIs to enable multiple containers to operate on the same data, synchronize execution among themselves, and control the ownership of the shared data item during runtime. These containers may reside on the same server or on different servers. CDI is designed to support microservice-based applications comprised of a set of interconnected microservices, each implemented by a separate dedicated container. CDI preserves the important isolation semantics of containers by ensuring that exactly one container owns a CDI object at any instant and that the ownership of a CDI object may be transferred from one container to another only by the current CDI object owner. We present three different implementations of CDI that allow containers residing on the same server as well as containers residing on different servers to use CDI for efficiently operating on a common data item. The paper provides an extensive performance evaluation of CDI along with two representative applications, an augmented reality application and a decentralized workflow orchestrator.
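The single-owner rule in that abstract (exactly one owner at any instant, ownership handed over only by the current owner) is the property a practitioner would want to see enforced rather than just stated. The following added example is not the paper's code or any of its three implementations; it models a CDI as a Python class guarded by a condition variable, with hypothetical containers named producer, consumer and rogue running as threads, and shows a non-owner's write and transfer attempts being rejected while the consumer blocks until ownership reaches it. The class, method and container names are assumptions made for this illustration.

```python
import threading
from typing import Any, Optional


class OwnershipError(PermissionError):
    """Raised when a container that does not own the item tries to use or hand it over."""


class ContainerDataItem:
    """Illustrative single-owner data item (assumed model of the CDI semantics in the abstract).

    Only the current owner may read or write the payload, and only the current owner
    may transfer ownership. Non-owners can block until ownership is handed to them.
    """

    def __init__(self, owner: str, data: Any = None) -> None:
        self._cv = threading.Condition()
        self._owner = owner
        self._data = data
        self.history = [owner]              # ownership transfer log, oldest first

    def _check_owner(self, caller: str) -> None:
        if caller != self._owner:
            raise OwnershipError(f"{caller!r} is not the owner ({self._owner!r})")

    @property
    def owner(self) -> str:
        with self._cv:
            return self._owner

    def read(self, caller: str) -> Any:
        with self._cv:
            self._check_owner(caller)
            return self._data

    def write(self, caller: str, data: Any) -> None:
        with self._cv:
            self._check_owner(caller)
            self._data = data

    def transfer(self, caller: str, new_owner: str) -> None:
        """Hand ownership to new_owner; permitted only for the current owner."""
        with self._cv:
            self._check_owner(caller)
            self._owner = new_owner
            self.history.append(new_owner)
            self._cv.notify_all()           # wake any container waiting for ownership

    def wait_for_ownership(self, caller: str, timeout: Optional[float] = None) -> bool:
        """Block until caller owns the item; returns False if the timeout expires first."""
        with self._cv:
            return self._cv.wait_for(lambda: self._owner == caller, timeout)


def run_pipeline() -> dict:
    """Three hypothetical containers share one CDI: a producer that owns it first, a
    consumer that waits for ownership, and a rogue container that acts without it.
    Returns the observable outcome so it can be inspected."""
    item = ContainerDataItem(owner="producer")
    outcome = {"consumer_saw": None, "rogue_errors": []}

    def consumer() -> None:
        item.wait_for_ownership("consumer", timeout=5)
        outcome["consumer_saw"] = item.read("consumer")
        item.transfer("consumer", "orchestrator")   # pass the item down the pipeline

    def rogue() -> None:
        for action in (lambda: item.write("rogue", b"tampered"),
                       lambda: item.transfer("rogue", "rogue")):
            try:
                action()
            except OwnershipError as exc:
                outcome["rogue_errors"].append(str(exc))

    t_consumer = threading.Thread(target=consumer)
    t_rogue = threading.Thread(target=rogue)
    t_consumer.start()
    t_rogue.start()
    t_rogue.join()                          # rogue attempts complete before the handoff

    item.write("producer", b"frame-0001")   # constructed payload
    item.transfer("producer", "consumer")   # only the current owner may do this
    t_consumer.join()

    outcome["history"] = list(item.history)
    outcome["final_owner"] = item.owner
    return outcome


if __name__ == "__main__":
    print(run_pipeline())
```

Every access path goes through the same lock and owner check, so the isolation property does not depend on callers being well behaved: the rogue thread's attempts fail with an explicit error rather than silently racing the legitimate owner. A cross-server implementation would need the same check on the receiving side of a transfer message, since the sender's identity is exactly what a remote rogue would forge.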
Capturing and Predicting User Frustration to Support a Smart Operating System
2023-03-26 · 1 citation
article
This paper presents an IRB-approved human study to capture data to build models for predicting the frustration of computer users. First, an application was developed that ran on the user’s computer/laptop/VM with Linux 20.04. Then, the application collected a variety of data from their computers, including: mouse clicks, movements and scrolls; the pattern of keyboard key presses; user audio features; head movements derived from user video; system-wide information such as computation, memory usage, network bandwidth, and input/output bandwidth of the running applications; and the user's reported frustrations. Finally, the application sent the data to the cloud. After two weeks of data collection, supervised and semi-supervised models were developed offline to predict user frustration with the computer using the collected data. A semi-supervised model using a generative adversarial network (GAN) resulted in the highest accuracy of 90%.
Doomed to Repeat with IPv6? Characterization of NAT-centric Security in SOHO Routers
ACM Computing Surveys · 2023-03-07 · 3 citations
review · Open access · Senior author
With the transition to IPv6, the addressing constraints that necessitated a common security architecture under network address translation (NAT) are no longer present. Instead, manufacturers are now able to choose between an open model design, where devices are end-to-end reachable, or a more familiar closed model, where the home gateway may continue to serve as a perimeter security device. The potential for further nuance, such as differences in default access control policies, filtering behaviors, and IPv6-specific requirements, presents an environment defined by ambiguity. For the consumer, the potential impact of these changes is unclear. To address this uncertainty, we taxonomize the present NAT-centric model of consumer gateway security through a survey of over 300 common vulnerabilities and exposures surrounding NAT and hole-punching protocols. From this survey, we contextualize the limited security NAT has provided while serving as the primary perimeter defense mechanism in home networks. We further define how this baseline security model for consumer gateways is reflected in IPv6 through an assessment of ten commonly deployed consumer gateways. Our conclusion is that the familiarity of a NAT-centric design is no longer assured for IPv6, requiring active involvement by users to limit exposures within their home networks.
Recent grants
SDI-CSCS: Collaborative Research: S2OS: Enabling Infrastructure-Wide Programmable Security with SDI
NSF · $400k · 2017–2021
NeTS: Small: Liquid Networking
NSF · $500k · 2013–2017
TWC: Medium: Collaborative: Active Security
NSF · $747k · 2014–2019
CAREER: Stateless Network Functions: Building a Better Network Through Disaggregation
NSF · $628k · 2017–2023
Frequent coauthors
- Sepideh Goodarzy (University of Colorado Boulder) · 103 shared
- Maziyar Nazari (University of Colorado Boulder) · 101 shared
- Eric Rozner (University of Colorado Boulder) · 99 shared
- Shivakant Mishra (University of Colorado Boulder) · 86 shared
- Abdullah Alqahtani (Royal Commission Medical Center) · 81 shared
- Kanapathippillai Cumanan (University of York) · 81 shared
- Kerstin Lemke‐Rust (Hochschule Bonn-Rhein-Sieg) · 81 shared
- Murugan Sankaradas · 81 shared
See your match with Eric Keller