Dependable Network Data Plane for the Cloud
Disciplines
Electrical Engineering, Electronics, Information Engineering (80%); Computer Sciences (20%)
Keywords
Communication networks, Network Virtualization, Software-Defined Networks, Dependability, Reliability, Algorithms
With the advent of new data-centric services related to entertainment, business, health, etc., the number of applications deployed in the modern Cloud and the size of their user base are growing explosively. While users of Cloud services benefit from high flexibility and low infrastructure cost, they inevitably accept the sharing of resources, facilities, and infrastructure with other users. The consequences of this often undesired fate-sharing are contradictory: on the one hand, it is a key to the apparent business success of the multi-tenant cloud; on the other hand, it raises significant reliability and security concerns. What if a malevolent user steals, spoofs, or tampers with the data of another user with whom they share, e.g., the same server in the Cloud data center? What if, instead of directly attacking the other user, bad actors merely run an adverse workload on their resource slice that interferes with the service provision of innocent Cloud users, e.g., by increasing the time to respond to web requests until it is intolerably slow for an enjoyable customer experience? Unfortunately, this type of inadvertent or intended breaking of the data and performance isolation between users is clearly possible in the Cloud, as demonstrated by a set of recent high-profile incidents. What is worse, a single malevolent user of a data center is enough to cause massive collateral damage to an entire fleet of victims. The reason is that it is not just physical resources, like servers, CPUs, memory, storage, and network devices, that are shared between users, but also a set of much less tangible assets, namely, algorithms and data structures and the state embodied by these "virtual" artifacts.
Unfortunately, in order to facilitate the unprecedented programmability and sharing provided by the Cloud, the algorithms and data structures applied there are often fairly complex and not always designed with availability, reliability, security, and performability (i.e., dependability) in mind. The objective of this project is to chart a comprehensive algorithmic landscape of the "trustworthiness" (dependability) and the isolation properties of the typical algorithms and data structures applied in the Cloud, and to design new algorithms and data structures with dependability as a critical feature rather than an afterthought.
While users of cloud services benefit from high flexibility and low infrastructure costs, they inevitably accept the sharing of resources, facilities, and infrastructure with other users. The consequences of this often undesirable "shared fate" are contradictory: on the one hand, it is a key to the obvious business success of the multi-tenant cloud, but on the other hand, it raises significant questions about reliability and security. The DELTA project focuses particularly on the cloud network, which has recently become reconfigurable and programmable in a completely new way. This enables the development of new algorithmic tools and brings great flexibility to network operations. However, the complex algorithmic infrastructure is often shared among multiple users. An unintentional error, a misconfigured network element, or a malicious attack can easily cause widespread damage. Indeed, network algorithms can become targets of novel attacks, such as algorithmic complexity attacks that exploit specific computationally intensive operations to impair network performance and availability. For example, it has been shown that the performance of network algorithms can suffer from attacks like the "Tuple Space Explosion," and that attacks on the packet parser of a virtual switch can even allow an attacker to take over an entire data center. DELTA draws a comprehensive picture of the algorithmic possibilities and reliability aspects of the cloud network data plane in general, and of the underlying algorithms, data structures, and isolation properties in particular. It examines how and to what extent more adaptable and "self-adjusting" algorithms in the data plane can improve network performance and availability, as well as support parallelization and scaling. Furthermore, it demonstrates how performance isolation can be achieved, enabling more predictable and reliable operation despite shared resource usage.
For example, DELTA contributes self-adjusting data structures for firewalls in the network data plane, improving their performance and availability. Another example is self-adjusting Bloom filters, which can help prevent denial-of-service attacks on specific applications. Overall, we are very pleased with the success of this project. We had an excellent team of postdocs, doctoral students, and students who were able to benefit from the project and publish outstanding research results. We sincerely thank the FWF for its support.
Research Output
- 63 Citations
- 21 Publications
- 1 Datasets & models
- 2021. Title: The Programmable Data Plane: Abstractions, Architectures, Algorithms, and Applications; DOI: 10.48550/arxiv.2110.00631; Type: Other; Author: Bifulco R
- 2023. Title: Supercharge WebRTC: Accelerate TURN Services with eBPF/XDP; DOI: 10.1145/3609021.3609296; Type: Conference Proceeding Abstract; Author: Kreith B; Pages: 70-76
- 2023. Title: Dynamic Maintenance of Monotone Dynamic Programs and Applications; DOI: 10.48550/arxiv.2301.01744; Type: Preprint; Author: Henzinger M
- 2022. Title: Compiling packet programs to dRMT switches; DOI: 10.1145/3565475.3569080; Type: Conference Proceeding Abstract; Author: Fraknói Á; Pages: 26-32
- 2022. Title: Domain specific run time optimization for software data planes; DOI: 10.1145/3503222.3507769; Type: Conference Proceeding Abstract; Author: Miano S; Pages: 1148-1164
- 2022. Title: Data Plane Cooperative Caching With Dependencies; DOI: 10.1109/tnsm.2021.3132275; Type: Journal Article; Author: Kulik A; Journal: IEEE Transactions on Network and Service Management
- 2022. Title: Programmable Packet Scheduling With SP-PIFO: Theory, Algorithms and Evaluation; DOI: 10.1109/infocomwkshps54753.2022.9798055; Type: Conference Proceeding Abstract; Author: Sarkadi C; Pages: 1-6
- 2022. Title: Embedding and batch-scheduling data flow graphs in software switches; Type: PhD Thesis; Author: Tamás Lévai
- 2022. Title: Modeling and enumerating geographically correlated failure events in communication networks; Type: PhD Thesis; Author: Vass Balázs
- 2024. Title: Learning Minimum Linear Arrangement of Cliques and Lines; DOI: 10.1109/icdcs60910.2024.00025; Type: Conference Proceeding Abstract; Author: Dallot J; Pages: 175-185
- 2024. Title: Dependency-Aware Online Caching; DOI: 10.1109/infocom52122.2024.10621422; Type: Conference Proceeding Abstract; Author: Dallot J; Pages: 871-880
- 2024. Title: Adaptive Protocols and Reconfigurable Topologies for High Performance Datacenter Networks; Type: PhD Thesis; Author: Vamsi Addanki
- 2024. Title: Morpheus: A Run Time Compiler and Optimizer for Software Data Planes; DOI: 10.1109/tnet.2023.3346286; Type: Journal Article; Author: Miano S; Journal: IEEE/ACM Transactions on Networking
- 2023. Title: RIFO: Pushing the Efficiency of Programmable Packet Schedulers; DOI: 10.48550/arxiv.2308.07442; Type: Other; Author: Mostafaei H
- 2023. Title: Dynamic Maintenance of Monotone Dynamic Programs and Applications; DOI: 10.4230/lipics.stacs.2023.36; Type: Conference Proceeding Abstract; Author: Henzinger M; Conference: LIPIcs, Volume 254, STACS 2023; Pages: 36:1 - 36:16
- 2020. Title: Compiling Packet Programs to Reconfigurable Switches; DOI: 10.1145/3426744.3431332; Type: Conference Proceeding Abstract; Author: Bérczi-Kovács E; Pages: 28-35
- 2024. Title: Dependency-Aware Online Caching; DOI: 10.48550/arxiv.2401.17146; Type: Preprint; Author: Dallot J
- 2021. Title: A Survey of Fast-Recovery Mechanisms in Packet-Switched Networks; DOI: 10.1109/comst.2021.3063980; Type: Journal Article; Author: Chiesa M; Journal: IEEE Communications Surveys & Tutorials; Pages: 1253-1301
- 2023. Title: Self-Adjusting Partially Ordered Lists; DOI: 10.1109/infocom53939.2023.10228937; Type: Conference Proceeding Abstract; Author: Addanki V; Pages: 1-10
- 2023. Title: Sinkless Orientation Made Simple; In: Symposium on Simplicity in Algorithms (SOSA); DOI: 10.1137/1.9781611977585.ch17; Type: Book Chapter; Publisher: Society for Industrial and Applied Mathematics
- 2025. Title: Everything matters in programmable packet scheduling; Type: Conference Proceeding Abstract; Author: Albert Gran Alcoz; Conference: USENIX NSDI