News 2019

Max Planck researchers publish 8 papers at POPL 2020 + a new record!

Researchers from the Max Planck Institute for Software Systems (MPI-SWS) and the new Max Planck Institute for Security and Privacy (MPI-SP) have authored a total of 8 papers accepted to POPL 2020 (over 10% of all accepted papers).  This is the third year in a row that MPI-SWS researchers have published 5 papers in POPL.  Furthermore, MPI-SWS faculty member Derek Dreyer is the first person ever to publish 4 papers in a single POPL.  ...
Researchers from the Max Planck Institute for Software Systems (MPI-SWS) and the new Max Planck Institute for Security and Privacy (MPI-SP) have authored a total of 8 papers accepted to POPL 2020 (over 10% of all accepted papers).  This is the third year in a row that MPI-SWS researchers have published 5 papers in POPL.  Furthermore, MPI-SWS faculty member Derek Dreyer is the first person ever to publish 4 papers in a single POPL.  Congratulations to all our POPL authors!

MPI-SWS papers:

  • The Future is Ours: Prophecy Variables in Separation Logic. Ralf Jung, Rodolphe Lepigre, Gaurav Parthasarathy, Marianna Rapoport, Amin Timany, Derek Dreyer, Bart Jacobs. [pdf]

  • The High-Level Benefits of Low-Level Sandboxing. Michael Sammler, Deepak Garg, Derek Dreyer, Tadeusz Litak. [pdf]

  • Persistency Semantics of the Intel-x86 Architecture. Azalea Raad, John Wickerson, Gil Neiger, Viktor Vafeiadis. [pdf]

  • RustBelt Meets Relaxed Memory. Hoang-Hai Dang, Jacques-Henri Jourdan, Jan-Oliver Kaiser, Derek Dreyer. [pdf]

  • Stacked Borrows: An Aliasing Model for Rust. Ralf Jung, Hoang-Hai Dang, Jeehoon Kang, Derek Dreyer. [pdf]


MPI-SP papers:

  • Formal Verification of a Constant-Time Preserving C Compiler. Gilles Barthe, Sandrine Blazy, Benjamin Gregoire, Rémi Hutin, Vincent Laporte, David Pichardie, Alix Trieu. [pdf]

  • A Probabilistic Separation Logic. Gilles Barthe, Justin Hsu, Kevin Liao. [pdf]

  • Relational Proofs for Quantum Programs. Gilles Barthe, Justin Hsu, Mingsheng Ying, Nengkun Yu, Li Zhou. [pdf]

Read more

Tenure-track Openings at Max Planck Institutes in Computer Science

The Max Planck Institutes for Informatics (Saarbruecken), Software Systems (Saarbruecken and Kaiserslautern), and Security and Privacy (Bochum), invite applications for tenure-track faculty in all areas of computer science. Pending final approval, we expect to fill several positions.

A doctoral degree in computer science or related areas and an outstanding research record are required. Successful candidates are expected to build a team and pursue a highly visible research agenda, both independently and in collaboration with other groups. ...
The Max Planck Institutes for Informatics (Saarbruecken), Software Systems (Saarbruecken and Kaiserslautern), and Security and Privacy (Bochum), invite applications for tenure-track faculty in all areas of computer science. Pending final approval, we expect to fill several positions.

A doctoral degree in computer science or related areas and an outstanding research record are required. Successful candidates are expected to build a team and pursue a highly visible research agenda, both independently and in collaboration with other groups.

The institutes are part of a network of over 80 Max Planck Institutes, Germany's premier basic-research organisations. MPIs have an established record of world-class, foundational research in the sciences, technology, and the humanities. The institutes offer a unique environment that combines the best aspects of a university department and a research laboratory: Faculty enjoy full academic freedom, lead a team of doctoral students and post-docs, and have the opportunity to teach university courses; at the same time, they enjoy ongoing institutional funding in addition to third-party funds, a technical infrastructure unrivaled for an academic institution, as well as internationally competitive compensation.

We maintain an international and diverse work environment and seek applications from outstanding researchers worldwide. The working language is English; knowledge of the German language is not required for a successful career at the institutes.

Qualified candidates should apply on our application website (apply.cis.mpg.de). To receive full consideration, applications should be received by December 15th, 2019.

The Max Planck Society wishes to increase the number of women in those areas where they are underrepresented. Women are therefore explicitly encouraged to apply. The Max Planck Society is also committed to increasing the number of employees with severe disabilities in its workforce. Applications from persons with severe disabilities are expressly desired.

The initial tenure-track appointment is for five years; it can be extended to seven years based on a midterm evaluation in the fourth year. A permanent contract can be awarded upon a successful tenure evaluation in the sixth year.
Read more

Goran Radanovic joins MPI-SWS

September 2019
Goran Radanovic joined MPI-SWS as a research group leader on Sep 16, 2019. He is generally interested in studying AI systems, and more specifically in the design and analysis of systems with intelligent and self-interested agents. Particular topics of interest include value-aligned artificial intelligence, human-AI collaboration, and decision making systems with societally-aware utility functions. 

Prior to joining MPI-SWS, he was a postdoctoral researcher at Harvard University, where he worked with Prof. David C. Parkes. ...
Goran Radanovic joined MPI-SWS as a research group leader on Sep 16, 2019. He is generally interested in studying AI systems, and more specifically in the design and analysis of systems with intelligent and self-interested agents. Particular topics of interest include value-aligned artificial intelligence, human-AI collaboration, and decision making systems with societally-aware utility functions. 

Prior to joining MPI-SWS, he was a postdoctoral researcher at Harvard University, where he worked with Prof. David C. Parkes. He received his Ph.D. in Computer Science from the Swiss Federal Institute of Technolgy in Lausanne (EPFL), under the supervision of Prof. Boi Faltings. He obtained his Master’s and Bachelor’s degrees in Computer Science fromthe Faculty of Electrical Engineering and Computing at the University of Zagreb.
Read more

Filip Mazowiecki joins MPI-SWS

September 2019
Filip Mazowiecki is joining us from the University of Bordeaux, where he spent the last two years as a postdoc. His research area is formal verification, the study of verifying correct functioning of systems. He is mostly interested in the theoretical analysis of models like Petri nets and weighted automata, working on fundamental questions like reachability and equivalence.

Filip obtained his PhD at the University of Warsaw on the topic of database theory. After he obtained his PhD he switched to the area of formal verification, ...
Filip Mazowiecki is joining us from the University of Bordeaux, where he spent the last two years as a postdoc. His research area is formal verification, the study of verifying correct functioning of systems. He is mostly interested in the theoretical analysis of models like Petri nets and weighted automata, working on fundamental questions like reachability and equivalence.

Filip obtained his PhD at the University of Warsaw on the topic of database theory. After he obtained his PhD he switched to the area of formal verification, spending almost four years as a postdoc at the Universities of Warwick, Oxford and Bordeaux.
Read more

Paper by MPI-SWS researchers wins both a 2019 Usenix Security Symposium Distinguished Paper Award and the Usenix/Facebook Internet Defense Prize

The paper "ERIM: Secure, Efficient, In-process Isolation with Memory Protection Keys (MPK)" received a Distinguished Paper Award at the 2019 Usenix Security Symposium. It was selected as one of 6 distinguished papers out of 113 papers that appeared in the conference proceedings.

The work was also selected as the recipient of the Usenix Internet Defense Prize, along with a USD 100k gift from Facebook to support  further development of the technology. ...
The paper "ERIM: Secure, Efficient, In-process Isolation with Memory Protection Keys (MPK)" received a Distinguished Paper Award at the 2019 Usenix Security Symposium. It was selected as one of 6 distinguished papers out of 113 papers that appeared in the conference proceedings.

The work was also selected as the recipient of the Usenix Internet Defense Prize, along with a USD 100k gift from Facebook to support  further development of the technology.

The paper was authored by MPI-SWS doctoral students Anjo Vahldiek-Oberwagner, Eslam Elnikety, and Michael Sammler, along with MPI-SWS intern Nuno Duarte and MPI-SWS faculty members Deepak Garg and Peter Druschel.

Read more about ERIM here.
Read more

Keon Jang joins MPI-SWS

Keon Jang has joined the institute as a tenure-track faculty member, effective February 1, 2019. Keon Jang is joining us from Google, where he has been a software engineer since 2016. He is broadly interested in network systems and currently his work focuses on network performance isolation in data-center networks.

Prior to Google, he worked on software support for on network function virtualization (NFV) at Intel Labs. He received his PhD in Computer Science from KAIST, ...
Keon Jang has joined the institute as a tenure-track faculty member, effective February 1, 2019. Keon Jang is joining us from Google, where he has been a software engineer since 2016. He is broadly interested in network systems and currently his work focuses on network performance isolation in data-center networks.

Prior to Google, he worked on software support for on network function virtualization (NFV) at Intel Labs. He received his PhD in Computer Science from KAIST, and subsequently held a postdoctoral research position at Microsoft Research Cambridge, UK.
Read more

Krishna Gummadi appointed MPI-SWS Director

Krishna Gummadi has accepted the position of scientific member of the Max Planck Society and director at the MPI for Software Systems, effective 1 June 2019. Krishna has been a faculty member at the institute since July 2005. 

Krishna's appointment solidifies our institute's foothold in the emerging area of social computing and secures Krishna's leadership and contributions to the institute for the future.

Research Spotlight: Tracing the Behavior of Cloud Applications

Consider the everyday websites and apps that we use: online shops, news websites, search engines, social networks, navigation apps, instant messaging apps, and many more.  Most of these programs don't just run in isolation on our laptops or phones, but instead connect over the internet to backends and databases running in datacenters across the world.  These backends perform a wide range of tasks, including constructing your personalized social network feed, storing and retrieving comments on message boards, ...
Consider the everyday websites and apps that we use: online shops, news websites, search engines, social networks, navigation apps, instant messaging apps, and many more.  Most of these programs don't just run in isolation on our laptops or phones, but instead connect over the internet to backends and databases running in datacenters across the world.  These backends perform a wide range of tasks, including constructing your personalized social network feed, storing and retrieving comments on message boards, and calculating results for your search query.  From our perspective as users, the actions we perform are simple, such as opening the app and loading our personalized profile.  But under the hood, each action usually results in complex processing across many processes and machines in a datacenter.

It has never been easier to write and deploy complex programs like these.  Cloud computing companies who own datacenters (such as Google, Amazon, and Microsoft) will gladly rent out computer services at a touch of a button, on demand.  Using designs like microservices, it is easy for programmers to construct complex programs out of smaller, simpler building blocks.  There are frameworks and open-source software packages to help developers construct big applications out of small pieces, to spread those pieces out over multiple machines in a datacenter, and to have the pieces communicate and interact with each other over the network.

Problems show up when software goes live.  Compared to developing and deploying the software, it is much harder to make sure everything goes smoothly when the software is up and running.  Distributed computer programs have lots of moving pieces, and there are lots of opportunities for things to go wrong.  For example, if one machine in the datacenter has a hardware problem, or the code is buggy, or too many people are trying to access it at once, the effects can be wide-ranging.  It can create a butterfly effect of problems, which we term cascading failures, that can lead to the app or website as a whole becoming slow, or going down entirely.  It's hard for programmers to get to the bottom of these kinds of problems, because there's no single machine or process doing all the work.  A problem that occurs on one machine might manifest as strange symptoms on a different machine later on.  Figuring out the root cause of a problem is challenging, as is anticipating problems in the first place.  Even big internet companies like Facebook and Google experience problems like this today.

These kinds of problems motivate the research of the Cloud Software Systems Research Group at the Max Planck Institute for Software Systems.  We research ways for operators to understand what's going on in their live distributed system, to troubleshoot problems when they occur at runtime, and to design systems that proactively avoid problems.  One approach we take is to design distributed tracing tools that can be used by the system operators.  The goal of distributed tracing is to record information about what a program does while it's running.  The tools record events, metrics, and performance counters, which together expose the current state and performance of the system, and how it changes over time.  A key additional step taken by distributed tracing tools is to record the causal ordering of events happening in the system — that is, the interactions and dependencies between machines and processes.  Causal ordering is is very useful for diagnosing problems that span multiple processes and machines, especially when there might be lots of concurrent, unrelated activity going on at the same time.  It lets us reconstruct the end-to-end execution paths of requests, across all components and machines, and then reason about the sequence of conditions and events that led up to a problem.  Without causal ordering, this information is missing, and pinpointing the root cause of a problem would be like searching for a needle in a haystack.

The Cloud Software Systems Research Group has looked at a number of challenges in making distributed tracing tools efficient, scalable, and more widely deployable. In our recent work, we have thought about how you can efficiently insert instrumentation to record entirely new information, into an already-running system, without having to rebuild or restart the system [1].  We have looked at problems in dealing with the large volume of data generated by distributed tracing tools, and deciding which data is most valuable to keep if there's not enough room to keep it all [2].  We have also considered the implications of distributed tracing at extremely large scale, and how to efficiently collect, aggregate, and process tracing data in real-time [3].

In our ongoing work, we are investigating ways for the data recorded by tracing tools to feed back in to decisions made by datacenter infrastructure, such as resource management, scheduling, and load balancing.  We are also considering new challenges that arise in scalable data analysis: how do you analyze large datasets of traces and derive insights about aggregate system behavior?  One approach we are exploring uses techniques in representational machine learning, to transform richly annotated tracing data into a more tractable form for interactive analysis.  More broadly, our group investigates a variety of approaches besides just distributed tracing tools, including ways to better design and develop the distributed systems in the first place.  Ultimately, our goal is to make modern cloud systems easier to operate, understand, and diagnose.

References


[1] Jonathan Mace, Ryan Roelke, and Rodrigo Fonseca.  Pivot Tracing: Dynamic Causal Monitoring for Distributed Systems.  In Proceedings of the 25th ACM Symposium on Operating Systems Principles (SOSP '15), 2015.

[2] Pedro Las-Casas, Jonathan Mace, Dorgival Guedes, and Rodrigo Fonseca.  Weighted Sampling of Execution Traces: Capturing More Needles and Less Hay.  In Proceedings of the 9th ACM Symposium on Cloud Computing (SoCC'18), 2018.

[3] Jonathan Kaldor, Jonathan Mace, Michał Bejda, Edison Gao, Wiktor Kuropatwa, Joe O'Neill, Kian Win Ong, Bill Schaller, Pingjia Shan, Brendan Viscomi, Vinod Venkataraman, Kaushik Veeraraghavan, Yee Jiun Song.  Canopy: An End-to-End Performance Tracing And Analysis System. In Proceedings of the 26th ACM Symposium on Operating Systems Principles (SOSP '17), 2017.
Read more

Girls' Day 2019

April 2019
As in the years before, the MPIs for Informatics and Software Systems jointly participated in the annual Girls' Day on 28 March. We welcomed a record number of 27 school-aged girls to our institutes to provide them with a bit of insight into computer science. Together we programmed smartphone apps, soldered blinking smiles and running bugs, and solved hands-on computer science puzzles.

Research Spotlight: A General Data Anonymity Measure

A long-standing problem both within research and in society generally is that of how to analyze data about people without risking the privacy of those people. There is an ever-growing amount of data about people: medical, financial, social, government, geo-location, etc. This data is very valuable in terms of better understanding ourselves. Unfortunately, analyzing the data in its raw form carries the risk of exposing private information about people.

The problem of how to analyze data while protecting privacy has been around for more than 40 years---ever since the first data processing systems were developed. ...
A long-standing problem both within research and in society generally is that of how to analyze data about people without risking the privacy of those people. There is an ever-growing amount of data about people: medical, financial, social, government, geo-location, etc. This data is very valuable in terms of better understanding ourselves. Unfortunately, analyzing the data in its raw form carries the risk of exposing private information about people.

The problem of how to analyze data while protecting privacy has been around for more than 40 years---ever since the first data processing systems were developed. Most workable solutions are ad hoc: practitioners try things like removing personally identifying information (e.g. names and addresses), aggregating data, removing outlying data, and even swapping some data between individuals. This process can work reasonably well, but it is time-consuming, requires substantial expertise to get right, and invariably limits the accuracy of the analysis or the types of analysis that can be done.

A holy grail within computer science is to come up with an anonymization system that has formal guarantees of anonymity and provides good analytics. Most effort in this direction has focused on two ideas, K-anonymity and Differential Privacy. Both can provide strong anonymity, but except in rare cases neither can do so while still providing adequate analytics. As a result, common practice is still to use informal ad hoc techniques with weak anonymization, and to mitigate risk by for instance sharing data only with trusted partners.

The European Union has raised the stakes with the General Data Protection Regulation (GDPR). The GDPR has strict rules on how personal data may be used, and threatens large fines to organizations that do not follow the rules. However, GDPR says that if data is anonymous, then it is not considered personal and does not fall under the rules. Unfortunately, there are no precise guidelines on how to determine if data is anonymous or not. Member states are expected to come up with certification programs for anonymity, but do not know how to do so.

This is where we come in. Paul Francis' group, in research partnership with the startup Aircloak, has been developing an anonymizing technology called Diffix over the last five years. Diffix is an empirical, not a formal technology, and so the question remains "how anonymous is Diffix?" While it may not be possible to precisely answer that question, one way we try to answer that question is through a bounty program: we pay attackers who can demonstrate how to compromise anonymity in our system. Last year we ran the first (and still only) bounty program for anonymity. The program was successful in that some attacks were found, and in the process of designing defensive measures, Diffix has improved.

In order to run the bounty program, we naturally needed a measure of anonymity so that we could decide how much to pay attackers. We designed a measure based on how much confidence an attacker has in a prediction of an individual's data values, among other things. At some point, we realized that our measure applies not just to attacks on Diffix, but to any anonymization system. We also realized that our measure might be useful in the design of certification programs for anonymity.

We decided to develop a general score for anonymity, and to build tools that would allow anyone to apply the measure to any anonymization technology. The score is called the GDA Score, for General Data Anonymity Score.

The primary strength of the GDA Score is that it can be applied to any anonymization method, and therefore is apples-to-apples. The primary weakness is that it is based on empirical attacks (real attacks against real systems), and therefore the score is only as good as the attacks themselves. If there are unknown attacks on a system, then the score won't reflect this and may therefore make a system look more anonymous than it is.

Our hope is that over time enough attacks will be developed that we can have high confidence in the GDA Score. Towards that end, we've started the Open GDA Score Project. This is a community effort to provide software and databases in support of developing new attacks, and a repository where the scores can be viewed. We recently launched the project in the form of a website, www.gda-score.org, and some initial tools and simple attacks. We will continue to develop tools and new attacks, but our goal is to attract broad participation from the community.

For more information, visit www.gda-score.org.
Read more

Francis' group launches Open GDA Score Project

We have launched the Open GDA Score Project at www.gda-score.org.  This is an open project to develop a set of tools and databases to generate anonymity scores for any data anonymization technique. The GDA Score, which stands for General Data Anonymity Score, is the first data anonymization measurement methodology that works with any anonymization technique. The GDA Score is a generalization of the measurement technique developed by Francis' group for the Diffix bounty program run last year. ...
We have launched the Open GDA Score Project at www.gda-score.org.  This is an open project to develop a set of tools and databases to generate anonymity scores for any data anonymization technique. The GDA Score, which stands for General Data Anonymity Score, is the first data anonymization measurement methodology that works with any anonymization technique. The GDA Score is a generalization of the measurement technique developed by Francis' group for the Diffix bounty program run last year. This was the first bounty program for anonymity. The GDA Score is of particular interest in Europe, where member states are expected to produce certification programs for anonymity.
Read more

Five MPI-SWS papers at POPL 2019!

Just as in 2018, MPI-SWS researchers again authored a total of five POPL papers in 2019:

  • Bridging the Gap Between Programming Languages and Hardware Weak Memory Models by Anton Podkopaev, Ori Lahav, and Viktor Vafeiadis.

  • From Fine- to Coarse-Grained Dynamic Information Flow Control and Back by Marco Vassena, Alejandro Russo, Deepak Garg, Vineet Rajani, and Deian Stefan.

  • Formal verification of higher-order probabilistic programs by Tetsuya Sato,
...
Just as in 2018, MPI-SWS researchers again authored a total of five POPL papers in 2019:


  • Bridging the Gap Between Programming Languages and Hardware Weak Memory Models by Anton Podkopaev, Ori Lahav, and Viktor Vafeiadis.

  • From Fine- to Coarse-Grained Dynamic Information Flow Control and Back by Marco Vassena, Alejandro Russo, Deepak Garg, Vineet Rajani, and Deian Stefan.

  • Formal verification of higher-order probabilistic programs by Tetsuya Sato, Alejandro Aguirre, Gilles Barthe, Marco Gaboardi, Deepak Garg, Justin Hsu.

  • Grounding Thin-Air Reads with Event Structures by Soham Chakraborty and Viktor Vafeiadis.

  • On Library Correctness under Weak Memory Consistency by Azalea Raad, Marko Doko, Lovro Rožić, Ori Lahav, and Viktor Vafeiadis.


What's more, the MPI-SWS Software Analysis and Verification group has a whole session to itself at POPL 2019. The weak memory session on Thursday, Jan 17, is comprised of the three papers by Viktor Vafeiadis, his students, postdocs, and collaborators.
Read more

ERC-supported TOROS Project officially launches!

January 2019
The TOROS project, supported by an ERC Starting Grant, has officially started. The project targets the challenge of implementing safety-critical cyber-physical systems on commodity multicore processors such that their temporal correctness can be certified in a formal, trustworthy manner.

Specifically, the TOROS project aims to design a new theory-oriented RTOS that by construction ensures that the temporal behavior of any workload can be analyzed (regardless of whether an application developer is aware of the relevant scheduling theory),  ...
The TOROS project, supported by an ERC Starting Grant, has officially started. The project targets the challenge of implementing safety-critical cyber-physical systems on commodity multicore processors such that their temporal correctness can be certified in a formal, trustworthy manner.

Specifically, the TOROS project aims to design a new theory-oriented RTOS that by construction ensures that the temporal behavior of any workload can be analyzed (regardless of whether an application developer is aware of the relevant scheduling theory), develop a matching novel timing analysis for below-worst-case provisioning with analytically sound safety margins that yields meaningful probabilistic response-time guarantees, and plans to mechanize and verify all supporting scheduling theory with the Coq proof assistant using the Prosa framework.

See the project homepage for further details. For inquiries, contact Björn Brandenburg (toros@mpi-sws.org).
Read more