| |
software
-
BlockSim - a discrete event Blockchain simulator
-
SafeCloudFS aka RockFS - single cloud or cloud-of-clouds file system resilient to client side attacks
-
SafeCloudFS - is a file system backed by a single cloud or a cloud-of-clouds that is resilient to client side attacks.
SafeCloudFS provides two sets of security mechanisms to be integrated with the client-side of a file system:
(1) a recovery service capable of undoing unintended file operations without losing valid file operations that occurred after the attack; and
(2) device data security mechanisms to safely store encryption keys reducing the probability of having the credentials compromised by attackers and to protect cached data. See the RockFS paper at Middleware 2018 and the SCFS paper at Usenix ATC 2014. Implemented by David Matos, Ricardo Mendes and Tiago Oliveira.
-
Rectify black-box intrusion recovery system for PaaS clouds
-
Web applications hosted on clouds are exposed to cyberattacks that can modify their state. PaaS offerings often provide a backup service that allows restoring the application state after a serious attack, but all valid state changes since the last backup are lost. Rectify is a service designed to be deployed alongside the application in a PaaS container and to support their recovery, without loosing valid state changes. It is black-box in the sense that it does not require changing the application code (unlike Shuttle). See paper at Middleware 2017. Implemented by David Matos.
-
SafeAudit / S-Audit cloud storage integrity verification service
-
ITZ Library - Virtual Machine Introspection for ARM TrustZone
-
NoSQL Undo recovery tool for NoSQL databases
-
NoSQL databases offer high throughput and support huge data structures, but typically provide only basic backup and restore mechanisms. These mechanisms allow recovering databases from a crash, but not to remove undesired operations caused by accidental or malicious actions. NoSQL Undo is a tool that allows database administrators to remove the effect of undesirable actions by undoing operations, leading the system to a consistent state. The current version works with MongoDB. See paper at NCA 2016. Implemented by David Matos.
-
Chrysaor fine-grained fault-tolerant cloud-of-clouds MapReduce
-
Chrysaor is a platform that allows MapReduce computations to scale out to multiple clouds, similarly to Medusa. Chrysaor, is based on a fine-grained replication scheme that tolerates faults at the task level. It has three important properties: it tolerates arbitrary faults and cloud outages at reasonable cost; it requires minimal modifications to the users' applications; and it does not involve changes to the Hadoop source code. See paper at CCGrid 2017. Implemented by Pedro Costa.
-
Medusa fault-tolerant cloud-of-clouds MapReduce
-
Medusa is a platform that allows MapReduce computations to scale out to multiple clouds and tolerate several types of faults. First, it is transparent to the user, who writes her typical MapReduce application without modification. Second, it does not require any modification to the widely used Hadoop framework. Third, the proposed system goes well beyond the fault-tolerance offered by MapReduce to tolerate arbitrary faults, cloud outages, and even malicious faults caused by corrupt cloud insiders. Fourth, it achieves this increased level of fault tolerance at reasonable cost. See paper at CCGrid 2016. Implemented by Pedro Costa.
-
PREMIUM - Private REactive MultIpath commUnication Middleware
-
PREMIUM provides a mechanism to split network traffic among multiple paths, and is able to react in near real-time to hijacking attacks. The solution uses two components: MACHETE and Darshana. The first is a multipath communication component that splits data, with Multipath TCP (MPTCP), among multiple physical paths on top of an overlay network, using when possible multiple Internet Service Providers (ISPs) through multihoming. The second is a route hijacking monitor, that uses a combination of detection mechanisms to alert the user that its data traffic is likely being intercepted. The end client uses this reactive middleware so that hijack alerts can trigger path changes, to protect the communication. Implemented by Isabel Costa, Diogo Raposo, Karan Balu, and David Matos.
-
MACHETE - multi-path communication (most recent implementation is part of PREMIUM)
-
Protocols such as HTTPS may be used to protect communication, but occasionally vulnerabilities that may allow snooping on packet content are discovered. MACHETE is an application-layer multi-path communication mechanism that provides additional confidentiality by splitting data streams in different physical paths. MACHETE has to handle two challenges: sending packets over different paths when Internet's routing imposes a single path between pairs of network interfaces; splitting streams of data sent over TCP connections. MACHETE leverages overlay networks and multihoming to handle the first challenge and MultiPath TCP (MPTCP) to handle the second. MACHETE establishes an overlay network and scatters the data over the available paths, thus reducing the effectiveness of snooping attacks. See paper at NCA 2016. Implemented by Diogo Raposo.
-
vtTLS - vulnerability-tolerant channels for transport layer security
-
There are often concerns about the strength of some of the encryption mechanisms used in SSL/TLS channels, with some regarded as insecure at some point in time. vtTLS is our solution to mitigate the problem of secure communication channels being vulnerable to attacks due to unexpected vulnerabilities in encryption mechanisms. It is based on diversity and redundancy of cryptographic mechanisms and certificates to provide a secure communication channel even when one or more mechanisms are vulnerable. vtTLS relies on a combination of k cipher suites. Even if k-1 cipher suites are insecure or vulnerable, vtTLS relies on the remaining cipher suites to maintain the channel secure. vtTLS is based on OpenSSL. See paper at NCA 2016. Implemented by André Joaquim.
-
Shuttle intrusion recovery service for PaaS clouds
-
WAP - automatic Web Application Protection
(OWASP project)
-
SCFS cloud-backed file system (most recent implementation is part of SafeCloudFS)
-
SCFS is a cloud-backed file system that provides strong consistency even on top of eventually-consistent cloud storage services. Its build on top of FUSE, thus providing a POSIX-like interface. SCFS provides also a pluggable backend that allows it to work with a single cloud or with a cloud-of-clouds. See paper at Usenix ATC 2014. Implemented by Ricardo Mendes and Tiago Oliveira.
-
DepSky - cloud-of-clouds storage
-
A programming library that implements the DepSky cloud-of-clouds replication algorithms. These
algorithms use Byzantine quorum systems together secret sharing and erasure codes to spread data in a diverse set of clouds ensuring
provider fault tolerance and confidentiality. See paper at EuroSys 2011 and ACM Trans. Storage 2013. Implemented by Alysson Bessani, Bruno Quaresma and Fernando André.
-
JITeR - Just-In-Time Routing
-
An algorithm that timely routes messages at application-layer using overlay networking and multihoming, leveraging the natural redundancy of wide-area IP networks. See paper at ComNet 2016. Implemented by Alexandre Fonseca, Rui Silva, and Pedro Luz.
-
php
parser
-
MinBFT, MinZyzzyna, Spinning and EBAWA
-
Asynchronous Byzantine fault-tolerant
state machine replication (BFT) algorithms that are minimal and efficient in
WANs. See papers at IEEE Transactions on Computers 2013, SRDS 2009 and HASE 2010.
Implemented by Giuliana S. Veronese. MinBFT is now being reimplemented in Go by the Hyperledger project!
-
Randomized Intrusion-Tolerant Asynchronous Services (RITAS)
-
Detector of integEr
vulnerabilitiEs in softwarE Portability (DEEEP)
-
Dependable
Tuple Space (DepSpace)
-
Trusted Timely Computing Base (TTCB)
Besides
LASIGE's and
GSD's distributed computing
testbeds, we frequently run experiments at
Emulab, PlanetLab, and Amazon AWS. My warm
thanks to the promoters of those platforms.
|