Peter Druschel's research while affiliated with Max Planck Institute for Software Systems Kaiserslautern/Saarbruecken and other places

Publications (200)

Preprint
Full-text available
In a secure analytics platform, data sources consent to the exclusive use of their data for a pre-defined set of analytics queries performed by a specific group of analysts, and for a limited period. If the platform is secure under a sufficiently strong threat model, it can provide the missing link to enabling powerful analytics of sensitive person...
Preprint
Security is a core responsibility for Function-as-a-Service (FaaS) providers. The prevailing approach has each function execute in its own container to isolate concurrent executions of different functions. However, successive invocations of the same function commonly reuse the runtime state of a previous invocation in order to avoid container cold-...
Article
Full-text available
The ongoing COVID-19 pandemic led to efforts to develop and deploy digital contact tracing systems to expedite contact tracing and risk notification. Unfortunately, the success of these systems has been limited, partly owing to poor interoperability with manual contact tracing, low adoption rates, and a societally sensitive trade-off between utilit...
Preprint
Full-text available
During the ongoing COVID-19 pandemic, there have been burgeoning efforts to develop and deploy smartphone apps to expedite contact tracing and risk notification. Unfortunately, the success of these apps has been limited, partly owing to poor interoperability with manual contact tracing, low adoption rates, and a societally sensitive trade-off betwe...
Preprint
Full-text available
The ongoing COVID-19 pandemic led to efforts to develop and deploy digital contact tracing systems to expedite contact tracing and risk notification. Unfortunately, the success of these systems has been limited, partly owing to poor interoperability with manual contact tracing, low adoption rates, and a societally sensitive trade-off between utilit...
Preprint
Full-text available
During the ongoing COVID-19 pandemic, there have been burgeoning efforts to develop and deploy smartphone apps to expedite contact tracing and risk notification. Most of these apps track pairwise encounters between individuals via Bluetooth and then use these tracked encounters to identify and notify those who might have been in proximity of a cont...
Preprint
Reliable on-off control of peripherals on smart devices is a key to security and privacy in many scenarios. Journalists want to reliably turn off radios to protect their sources during investigative reporting. Users wish to ensure cameras and microphones are reliably off during private meetings. In this paper, we present SeCloak, an ARM TrustZone-b...
Preprint
Full-text available
An important concern for many Cloud customers is data confidentiality. Of particular concern are potential data leaks via side channels, which arise when mutually untrusted parties contend on resources such as CPUs, caches, and networks. In this paper, we present a principled solution for mitigating side channels that arise from shared network link...
Conference Paper
Full-text available
Isolating sensitive state and data can increase the security and robustness of many applications. Examples include protecting cryptographic keys against exploits like OpenSSL's Heartbleed bug or protecting a language runtime from native libraries written in unsafe languages. When runtime references across isolation boundaries occur relatively infre...
Conference Paper
Full-text available
New applications enabled by personal smart devices and the Internet-of-Things (IoT) require communication in the context of an encounter (a period of spatial co-location). However, existing encounter-based communication (EbC) systems are limited to communication among participants that share a direct encounter. This work is inspired by two insights...
Conference Paper
Full-text available
New applications enabled by personal smart devices and the Internet-of-Things (IoT) require communication in the context of periods of spatial co-location. Examples of this encounter-based communication (EbC) include social exchange among individuals who shared an experience, and interaction among personal and IoT devices that provide location-base...
Preprint
For fear of retribution, the victim of a crime may be willing to report the crime only if others victimized by the same perpetrator also step forward. Common examples include identifying oneself as the victim of sexual harassment by a person in a position of authority or accusing an influential politician, an authoritarian government or one's own em...
Conference Paper
Full-text available
We present Sonoloc, a mobile app and system that allows a set of co-located commodity smart devices to determine their relative positions without local infrastructure. Sonoloc enables users to address each other based on their relative positions at events like meetings, talks, or conferences. This capability can, for instance, aid spontaneous commu...
Conference Paper
Reliable on-off control of peripherals on smart devices is a key to security and privacy in many scenarios. Journalists want to reliably turn off radios to protect their sources during investigative reporting. Users wish to ensure cameras and microphones are reliably off during private meetings. In this paper, we present SeCloak, an ARM TrustZone-b...
Article
Data retrieval systems such as online search engines and online social networks must comply with the privacy policies of personal and selectively shared data items, regulatory policies regarding data retention and censorship, and the provider's own policies regarding data use. Enforcing these policies is difficult and error-prone. Systematic techni...
Conference Paper
Full-text available
We introduce a new OS abstraction—light-weight contexts (lwCs)—that provides independent units of protection, privilege, and execution state within a process. A process may include several lwCs, each with possibly different views of memory, file descriptors, and access capabilities. lwCs can be used to efficiently implement roll-back (process can...
Conference Paper
Full-text available
Data retrieval systems process data from many sources, each subject to its own data use policy. Ensuring compliance with these policies despite bugs, misconfiguration, or operator error in a large, complex, and fast evolving system is a major challenge. Thoth provides an efficient, kernel-level compliance layer for data use policies. Declarative po...
Conference Paper
Inertial Measurement Units (IMUs) embedded in commercial mobile devices are a good choice for continuous monitoring in healthcare domain due to their attractive form factor and low power consumption. We present improved and accurate sensing algorithms to sense basic events like step count, stride length, fall, and calorie, with accuracies better th...
Conference Paper
Full-text available
The ubiquity of portable mobile devices equipped with built-in cameras has led to a transformation in how and when digital images are captured, shared, and archived. Photographs and videos from social gatherings, public events, and even crime scenes are commonplace online. While the spontaneity afforded by these devices has led to new personal an...
Conference Paper
Preventing the leakage of user information via untrusted third-party apps is a key challenge in mobile privacy. We propose and evaluate privacy capsules (PCs), a platform execution model for mobile apps that prevents the flow of private information to untrusted parties by design. With PCs, apps execute in two sequential phases. In the unsealed phas...
Article
Effectively anonymizing Voice-over-IP (VoIP) calls requires a scalable anonymity network that is resilient to traffic analysis and has sufficiently low delay for high-quality voice calls. The popular Tor anonymity network, for instance, is not designed for the former and cannot typically achieve the latter. In this paper, we present the design, imp...
Conference Paper
Effectively anonymizing Voice-over-IP (VoIP) calls requires a scalable anonymity network that is resilient to traffic analysis and has sufficiently low delay for high-quality voice calls. The popular Tor anonymity network, for instance, is not designed for the former and cannot typically achieve the latter. In this paper, we present the design, imp...
Conference Paper
Full-text available
Search engines are the prevalently used tools to collect information about individuals on the Internet. Search results typically comprise a variety of sources that contain personal information — either intentionally released by the person herself, or unintentionally leaked or published by third parties without being noticed, often with detrimental...
Conference Paper
Full-text available
In today's data processing systems, both the policies protecting stored data and the mechanisms for their enforcement are spread over many software components and configuration files, increasing the risk of policy violation due to bugs, vulnerabilities and misconfigurations. Guardat addresses this problem. Users, developers and administrators speci...
Conference Paper
Full-text available
Many anonymous communication networks (ACNs) rely on routing traffic through a sequence of proxy nodes to obfuscate the originator of the traffic. Without an accountability mechanism, exit proxy nodes may become embroiled in a criminal investigation if originators commit criminal actions through the ACN. We present BackRef, a generic mechanism for...
Article
Mobile social apps provide sharing and networking opportunities based on a user's location, activity, and set of nearby users. A platform for these apps must meet a wide range of communication needs while ensuring users' control over their privacy. In this paper, we introduce EnCore, a mobile platform that builds on secure encounters between pairs...
Article
Full-text available
Many anonymous communication (AC) networks rely on routing traffic through proxy nodes to obfuscate the originator of the traffic. Without an accountability mechanism, exit proxy nodes risk sanctions by law enforcement if users commit illegal actions through the AC network. We present BackRef, a generic mechanism for AC networks that provides pract...
Conference Paper
Content distribution systems have traditionally adopted one of two architectures: infrastructure-based content delivery networks (CDNs), in which clients download content from dedicated, centrally managed servers, and peer-to-peer CDNs, in which clients download content from each other. The advantages and disadvantages of each architecture have bee...
Conference Paper
Existing IP anonymity systems tend to sacrifice one of low latency, high bandwidth, or resistance to traffic-analysis. High-latency mix-nets like Mixminion batch messages to resist traffic-analysis at the expense of low latency. Onion routing schemes like Tor deliver low latency and high bandwidth, but are not designed to withstand traffic analysis...
Chapter
This chapter is focused towards the empirical validation of generation of powerlaw networks. Empirical growth data from four different networks (the Flickr and the YouTube online social networks, Wikipedia’s content graph, and the Internet’s AS-level graph) are used to show this growth. This study makes two contributions: First, the gathering of de...
Conference Paper
Thwarting large-scale crawls of user profiles in online social networks (OSNs) like Facebook and Renren is in the interest of both the users and the operators of these sites. OSN users wish to maintain control over their personal information, and OSN operators wish to protect their business assets and reputation. Existing rate-limiting techniques a...
Conference Paper
Content distribution networks (CDNs) have started to adopt hybrid designs, which employ both dedicated edge servers and resources contributed by clients. Hybrid designs combine many of the advantages of infrastructure-based and peer-to-peer systems, but they also present new challenges. This paper identifies reliable client accounting as one such c...
Article
Content distribution networks (CDNs) have started to adopt hybrid designs, which employ both dedicated edge servers and resources contributed by clients. Hybrid designs combine many of the advantages of infrastructure-based and peer-to-peer systems, but they also present new challenges. This paper identifies reliable client accounting as one such ch...
Conference Paper
Full-text available
Recently, there has been significant research interest in leveraging social networks to defend against Sybil attacks. While much of this work may appear similar at first glance, existing social network-based Sybil defense schemes can be divided into two categories: Sybil detection and Sybil tolerance. These two categories of systems both leverage g...
Conference Paper
Online social networking sites (OSNs) like Facebook and Orkut contain personal data of millions of users. Many OSNs view this data as a valuable asset that is at the core of their business model. Both OSN users and OSNs have strong incentives to restrict large scale crawls of this data. OSN users want to protect their privacy and OSNs their busines...
Patent
Storage leases specify access restrictions and time periods, restricting access to their associated data during the storage lease time period. Storage leases may be assigned to individual data storage blocks or groups of data storage blocks in a data storage device. A data storage device may include any arbitrary number of different storage leases...
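The lease semantics sketched in the patent abstract, as an added illustration that is not the patent's own design or code: a toy block device that refuses to overwrite or erase any block covered by an unexpired lease, keyed to a device-internal clock the host cannot adjust. The class and method names, the choice to restrict writes and erasures but not reads, and the monotonic clock are assumptions of this example. The security point is that once a lease is granted there is no call that shortens or revokes it, so a compromised host OS cannot destroy leased data (for example backups) before the period ends.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class StorageLease:
    """Hypothetical lease record: the block numbers it covers and the device
    clock value at which it expires (assumption: a monotonic, device-internal clock)."""
    blocks: frozenset
    expires_at: int


class LeasedBlockDevice:
    """Toy block device enforcing storage leases.

    Writes and erasures to a leased block are rejected until every lease
    covering it has expired. Reads are not restricted in this model (assumption).
    There is deliberately no method to revoke or shorten a lease: the host can
    only wait for expiry.
    """

    def __init__(self, num_blocks, clock=0):
        self.blocks = [b"" for _ in range(num_blocks)]
        self.clock = clock      # trusted time source inside the device
        self.leases = []

    def tick(self, units=1):
        """Advance the device clock (only the device itself would do this)."""
        self.clock += units

    def _drop_expired(self):
        self.leases = [l for l in self.leases if l.expires_at > self.clock]

    def grant_lease(self, blocks, duration):
        """Grant a lease over a block or a group of blocks for `duration` clock units."""
        if duration <= 0:
            raise ValueError("lease duration must be positive")
        for b in blocks:
            if not 0 <= b < len(self.blocks):
                raise IndexError(f"block {b} out of range")
        lease = StorageLease(frozenset(blocks), self.clock + duration)
        self.leases.append(lease)
        return lease

    def leased_until(self, block):
        """Latest expiry among active leases covering `block`, or None if unleased."""
        self._drop_expired()
        return max((l.expires_at for l in self.leases if block in l.blocks), default=None)

    def write(self, block, data):
        """Overwrite a block; returns False (and changes nothing) while it is leased."""
        if self.leased_until(block) is not None:
            return False
        self.blocks[block] = bytes(data)
        return True

    def erase(self, block):
        """Erasure is just a write of empty content, so it obeys the same lease check."""
        return self.write(block, b"")

    def read(self, block):
        return self.blocks[block]


def demo():
    """Constructed scenario: a backup is written, leased, attacked, then rotated after expiry."""
    dev = LeasedBlockDevice(4)
    dev.write(0, b"backup-snapshot")          # no lease yet, succeeds
    dev.grant_lease({0, 1}, duration=10)      # protect blocks 0-1 for 10 clock units
    during = dev.write(0, b"ransomware")      # rejected while leased
    unleased = dev.write(2, b"scratch")       # block 2 is not leased, succeeds
    dev.tick(10)                              # lease reaches its expiry
    after = dev.write(0, b"rotated-backup")   # now allowed
    return {"during": during, "unleased": unleased, "after": after, "final": dev.read(0)}


if __name__ == "__main__":
    print(demo())
```

The real mechanism has to live below the OS, in the storage device's firmware or controller, for the guarantee to hold against a compromised host; a lease tracked by the same kernel an attacker controls protects nothing.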
Article
IP source addresses are often the only initial lead when investigating cybercrime in the Internet. Unfortunately, source addresses are easily forged, which can protect the culprits and lead to false accusations. We describe a new method for packet attestation in the Internet. Packet attestation establishes whether or not a given IP packet was sen...
Conference Paper
Full-text available
People use an increasing number of personal electronic devices like notebook computers, MP3 players and smart phones in their daily lives. Making sure that data on these devices is available where needed and backed up regularly is a time-consuming and error-prone burden on users. In this paper, we describe and evaluate PodBase, a system that automa...
Conference Paper
In this paper, we introduce accountable virtual machines (AVMs). Like ordinary virtual machines, AVMs can execute binary software images in a virtualized copy of a computer system; in addition, they can record non-repudiable information that allows auditors to subsequently check whether the software behaved as intended. AVMs provide strong accounta...
Article
Peer-to-Peer (P2P) computing has attracted significant interest in recent years, originally sparked by the release of three influential systems in 1999: the Napster music-sharing system, the Freenet anonymous data store, and the SETI@home volunteer-based scientific computing project. Napster, for instance, allowed its users to download music direct...
Article
Full-text available
Understanding the characteristics of the Internet delay space (i.e., the all-pairs set of static round-trip propagation delays among edge networks in the Internet) is important for the design of global-scale distributed systems. For instance, algorithms used in overlay networks are often sensitive to violations of the triangle inequality and to the...
Conference Paper
Full-text available
Online social networks are now a popular way for users to connect, express themselves, and share content. Users in today's online social networks often post a profile, consisting of attributes like geographic location, interests, and schools attended. Such profile information is used on the sites as a basis for grouping users, for sharing content...
Article
When Communications relaunched in July 2008, the issue included a "Viewpoint" column by Rick Rashid, entitled "Image Crisis: Inspiring a New Generation of Computer Scientists."
Article
Cooperative end-system multicast (CEM) is a promising paradigm for Internet video distribution. Several CEM systems have been proposed and deployed, but the tradeoffs inherent in the different designs are not well understood. In this work, we provide a common framework in which different CEM design choices can be empirically and systematically...
Article
Many peer-to-peer (p2p) system designs assume cooperative environments, with all clients correctly running the same software. Any client who modifies its software may be able to unfairly benefit. This paper considers such fairness issues in the context of p2p multicast streaming services. We present mechanisms that can distinguish nodes with...
Conference Paper
Full-text available
Despite many attempts to fix it, the Internet's interdomain routing system remains vulnerable to configuration errors, buggy software, flaky equipment, protocol oscillation, and intentional attacks. Unlike most existing solutions that prevent specific routing problems, our approach is to detect problems automatically and to identify the o...
Conference Paper
We describe CSAR, a novel technique for generating cryptographically strong, accountable randomness. Using CSAR, we can generate a pseudo-random sequence and a proof that the elements of this sequence up to a given point have been correctly generated, while future values in the sequence remain unpredictable. CSAR enables accountability for dist...
Article
Full-text available
Online social networking sites like MySpace, Orkut, and Flickr are among the most popular sites on the Web and continue to experience dramatic growth in their user population. The popularity of these sites offers a unique opportunity to study the dynamics of social networks at scale. Having a proper understanding of how online social networks grow...
Article
As wireless devices become more pervasive, mobile ad hoc networks are gaining importance, motivating the development of highly scalable ad hoc networking techniques. In this paper, we give an overview of the Safari architecture for highly scalable ad hoc network routing, and we present the design and evaluation of a specific realization of the Safa...
Conference Paper
Social expectations play an important role in distributed systems that span multiple administrative domains. For instance, participants in peer-to-peer systems are expected to contribute resources for the common good; members of federated systems are expected to adhere to best practices and fulfil contractual obligations; and providers of hosting s...
Conference Paper
Full-text available
Much recent work on Byzantine state machine replication focuses on protocols with improved performance under benign conditions (LANs, homogeneous replicas, limited crash faults), with relatively little evaluation under typical, practical conditions (WAN delays, packet loss, transient disconnection, shared resources). This makes it difficult f...
Conference Paper
Full-text available
Internet addresses are routinely being used to infer the identity of persons who send offending traffic - a capability they were not designed to provide. As a result, problems abound: innocent users are being accused, while the culprits can easily avoid detection. In this paper, we present Pretty Good Packet Authentication (PGPA), a simple se...
Conference Paper
Full-text available
Online communication media such as email, instant messaging, bulletin boards, voice-over-IP, and social networking sites allow any sender to reach potentially millions of users at near zero marginal cost. This property enables information to be exchanged freely: anyone with Internet access can publish content. Unfortunately, the same property...
Conference Paper
We describe PeerReview, a system that provides accountability in distributed systems. PeerReview ensures that Byzantine faults whose effects are observed by a correct node are eventually detected and irrefutably linked to a faulty node. At the same time, PeerReview ensures that a correct node can always defend itself against false accusations. Thes...
Conference Paper
Full-text available
Online social networking sites like Orkut, YouTube, and Flickr are among the most popular sites on the Internet. Users of these sites form a social network, which provides a powerful means of sharing, organizing, and finding content and contacts. The popularity of these sites provides an opportunity to study the characteristics of online social net...
Conference Paper
Full-text available
We describe PeerReview, a system that provides accountability in distributed systems. PeerReview ensures that Byzantine faults whose effects are observed by a correct node are eventually detected and irrefutably linked to a faulty node. At the same time, PeerReview ensures that a correct node can always defend itself against false accusations. Thes...
Conference Paper
Many cooperative overlay multicast systems of diverse designs have been implemented and deployed. In this paper, we explore a new architecture for overlay multicast: we factor out the control plane into a separate overlay that provides a single primitive: a configurable anycast for peer selection. This separation of control and data overlays has se...
Conference Paper
Understanding the characteristics of the Internet delay space (i.e., the all-pairs set of static round-trip propagation delays among edge networks in the Internet) is important for the design of global-scale distributed systems. For instance, algorithms used in overlay networks are often sensitive to violations of the triangle inequality and to the...
Conference Paper
Distributed systems are hard to build, profile, debug, and test. Monitoring a distributed system - to detect and analyze bugs, test for regressions, identify fault-tolerance problems or security compromises - can be difficult and error-prone. In this paper we argue that declarative development of distributed systems is well suited to tackle these t...
Conference Paper
Peer-to-peer (p2p) technology can potentially be used to build highly reliable applications without a single point of failure. However, most of the existing applications, such as file sharing or web caching, have only moderate reliability demands. Without a challenging proving ground, it remains unclear whether the full potential of p2p systems can...
Article
Distributed systems are hard to build, profile, debug, and test. Monitoring a distributed system - to detect and analyze bugs, test for regressions, identify fault-tolerance problems or security compromises - can be difficult and error-prone. In this paper we argue that declarative development of distributed systems is well suited to tackle these t...