Applications and middleware services, such as data placement engines, I/O scheduling, and prefetching engines, require low-latency access to telemetry data in order to make optimal decisions. Typical monitoring services, however, store their telemetry data in a database so that applications can query it, which imposes a significant latency penalty. This work presents Apollo, a low-latency monitoring service that aims to give applications and middleware libraries direct access to relational telemetry data. Monitoring a system creates interference and overhead that slows the raw performance of the resources available to the job; on the other hand, a current view of the system helps middleware services make better decisions, which can ultimately improve overall performance. Apollo has been designed from the ground up for low latency, using Publish-Subscribe (Pub-Sub) semantics, and for low overhead, using adaptive intervals to vary the time between polls of a resource and machine learning to predict changes in the telemetry data between actual polls. This work also provides high-level abstractions called I/O curators, which further help middleware libraries and applications make optimal decisions. Evaluations show that Apollo achieves sub-millisecond latency for acquiring complex insights, with a memory overhead of ~57 MB and a CPU overhead only 7% higher than existing state-of-the-art systems.
AVGuardian: Detecting and Mitigating Publish-Subscribe Overprivilege for Autonomous Vehicle Systems
Autonomous vehicle (AV) software systems are emerging to enable rapidly developed self-driving functionalities. Since such systems are responsible for safety-critical decisions, it is necessary to secure them in the face of cyber attacks. Through an empirical study of representative AV software systems, Baidu Apollo and Autoware, we discover a common over-privilege problem with the publish-subscribe communication model widely adopted by AV systems: because of the coarse-grained message design of publish-subscribe communication, some message fields are over-granted with publish/subscribe permissions. To comply with the least-privilege principle and reduce the attack surface resulting from this problem, we argue that publish/subscribe permissions should be defined and enforced at the granularity of message fields instead of whole messages.

To systematically address such publish-subscribe over-privilege problems, we present AVGuardian, a system that includes (1) a static analysis tool that detects over-privilege instances in AV software and generates the corresponding access control policies at message-field granularity, and (2) a low-overhead, module-transparent runtime publish/subscribe permission policy enforcement mechanism that performs online policy violation detection and prevention. Using our detection tool, we automatically detect 581 over-privilege instances in total in Baidu Apollo. To demonstrate the severity, we further construct several concrete exploits that can lead to vehicle collision and identity theft for AV owners; these have been reported to Baidu Apollo and confirmed as valid. For defense, we prototype and evaluate the policy enforcement mechanism and find that it has very low overhead, does not affect the original AV decision logic, and is also resilient to message replay attacks.
- Award ID(s): 1929771
- PAR ID: 10297459
- Date Published:
- Journal Name: IEEE European Symposium on Security and Privacy (EuroS&P)
- Format(s): Medium: X
- Sponsoring Org: National Science Foundation
More Like this
- We present Chios, an intrusion-tolerant publish/subscribe system which protects against Byzantine failures. Chios is the first publish/subscribe system achieving decentralized confidentiality with fine-grained access control and strong publication order guarantees. This is in contrast to existing publish/subscribe systems achieving much weaker security and reliability properties. Chios is flexible and modular, consisting of four fully-fledged publish/subscribe configurations (each designed to meet different goals). We have deployed and evaluated our system on Amazon EC2. We compare Chios with various publish/subscribe systems. Chios is as efficient as an unreplicated, single-broker publish/subscribe implementation, only marginally slower than Kafka and Kafka with passive replication, and at least an order of magnitude faster than all Hyperledger Fabric modules and publish/subscribe systems using Fabric.
- Heterogeneous distributed systems, including the Internet of Things (IoT) or distributed cyber-physical systems (CPS), often suffer a lack of interoperability and security, which hinders the wider deployment of such systems. Specifically, the different levels of security requirements and the heterogeneity in terms of communication models, for instance, point-to-point vs. publish-subscribe, are example challenges of IoT and distributed CPS consisting of heterogeneous devices and applications. In this paper, we propose a working application programming interface (API) and runtime to enhance interoperability and security while addressing the challenges that stem from the heterogeneity in the IoT and distributed CPS. In our case study, we design and implement our API design approach using open-source software, and with our working implementation, we evaluate the effectiveness of our proposed approach. Our experimental results suggest that our approach can achieve both interoperability and security in the IoT and distributed CPS with a reasonably small overhead and better-managed software.
- Self-driving cars, or Autonomous Vehicles (AVs), are increasingly becoming an integral part of our daily life. About 50 corporations are actively working on AVs, including large companies such as Google, Ford, and Intel. Some AVs are already operating on public roads, with at least one unfortunate fatality recently on record. As a result, understanding bugs in AVs is critical for ensuring their security, safety, robustness, and correctness. While previous studies have focused on a variety of domains (e.g., numerical software; machine learning; and error-handling, concurrency, and performance bugs) to investigate bug characteristics, AVs have not been studied in a similar manner. Recently, two software systems for AVs, Baidu Apollo and Autoware, have emerged as frontrunners in the open-source community and have been used by large companies and governments (e.g., Lincoln, Volvo, Ford, Intel, Hitachi, LG, and the US Department of Transportation). From these two leading AV software systems, this paper describes our investigation of 16,851 commits and 499 AV bugs and introduces our classification of those bugs into 13 root causes, 20 bug symptoms, and 18 categories of software components those bugs often affect. We identify 16 major findings from our study and draw broader lessons from them to guide the research community towards future directions in software bug detection, localization, and repair.
- Efficient and secure message dissemination plays an important role in a disaster environment. Name-based publish/subscribe systems, especially those using role-based names and the principles of Information-Centricity, provide an efficient framework for communication among first responders. However, a challenge is maintaining confidentiality during communication. We have developed an encryption framework that leverages graph-based naming systems to provide role-based communication among first responders. Our framework is built on top of dynamic role-based names and can be implemented using attribute-based encryption (ABE) or public key encryption (PKE). In this demo, we show the operation of our framework in a typical scenario of first responders using the application.