miguel pupo correia           


  • Rectify black-box intrusion recovery system for PaaS clouds

    • Web applications hosted on clouds are exposed to cyberattacks that can modify their state. PaaS offerings often provide a backup service that allows restoring the application state after a serious attack, but all valid state changes since the last backup are lost. Rectify is a service designed to be deployed alongside the application in a PaaS container and to support its recovery without losing valid state changes. It is black-box in the sense that it does not require changing the application code (unlike Shuttle). See paper at Middleware 2017. Implemented by David Matos.

  • NoSQL Undo recovery tool for NoSQL databases

    • NoSQL databases offer high throughput and support huge data structures, but typically provide only basic backup and restore mechanisms. These mechanisms allow recovering databases from a crash, but not removing undesired operations caused by accidental or malicious actions. NoSQL Undo is a tool that allows database administrators to remove the effect of undesirable actions by undoing operations, leading the system to a consistent state. The current version works with MongoDB. See paper at NCA 2016. Implemented by David Matos.

  • Chrysaor fine-grained fault-tolerant cloud-of-clouds MapReduce

    • Chrysaor is a platform that allows MapReduce computations to scale out to multiple clouds, similarly to Medusa. Chrysaor is based on a fine-grained replication scheme that tolerates faults at the task level. It has three important properties: it tolerates arbitrary faults and cloud outages at reasonable cost; it requires minimal modifications to the users' applications; and it does not involve changes to the Hadoop source code. See paper at CCGrid 2017. Implemented by Pedro Costa.

  • Medusa fault-tolerant cloud-of-clouds MapReduce

    • Medusa is a platform that allows MapReduce computations to scale out to multiple clouds and tolerate several types of faults. First, it is transparent to the user, who writes her typical MapReduce application without modification. Second, it does not require any modification to the widely used Hadoop framework. Third, the proposed system goes well beyond the fault-tolerance offered by MapReduce to tolerate arbitrary faults, cloud outages, and even malicious faults caused by corrupt cloud insiders. Fourth, it achieves this increased level of fault tolerance at reasonable cost. See paper at CCGrid 2016. Implemented by Pedro Costa.

  • MACHETE - multi-path communication

    • Protocols such as HTTPS may be used to protect communication, but occasionally vulnerabilities that may allow snooping on packet content are discovered. MACHETE is an application-layer multi-path communication mechanism that provides additional confidentiality by splitting data streams across different physical paths. MACHETE has to handle two challenges: sending packets over different paths when Internet routing imposes a single path between pairs of network interfaces; and splitting streams of data sent over TCP connections. MACHETE leverages overlay networks and multihoming to handle the first challenge and MultiPath TCP (MPTCP) to handle the second. MACHETE establishes an overlay network and scatters the data over the available paths, thus reducing the effectiveness of snooping attacks. See paper at NCA 2016. Implemented by Diogo Raposo.

  • vtTLS - vulnerability-tolerant channels for transport layer security

    • There are often concerns about the strength of some of the encryption mechanisms used in SSL/TLS channels, with some regarded as insecure at some point in time. vtTLS is our solution to mitigate the problem of secure communication channels being vulnerable to attacks due to unexpected vulnerabilities in encryption mechanisms. It is based on diversity and redundancy of cryptographic mechanisms and certificates to provide a secure communication channel even when one or more mechanisms are vulnerable. vtTLS relies on a combination of k cipher suites. Even if k-1 cipher suites are insecure or vulnerable, vtTLS relies on the remaining cipher suites to keep the channel secure. vtTLS is based on OpenSSL. See paper at NCA 2016. Implemented by André Joaquim.

  • Shuttle intrusion recovery service for PaaS clouds

    • Shuttle is a service that allows cloud consumers to recover from intrusions in their cloud applications. It combines a record-and-replay approach with the elasticity provided by cloud offerings to recover applications deployed on various instances and backed by distributed databases. See paper at ICDCS 2015. Implemented by Dário Nascimento.

  • WAP - automatic Web Application Protection (OWASP project)

    • A tool that searches for vulnerabilities in web applications written in PHP using static source code analysis and data mining, then inserts fixes for the vulnerabilities found. See papers at WWW 2014 and IEEE Transactions on Reliability 2015. Implemented by Ibéria Medeiros.

  • SCFS cloud-backed file system

    • SCFS is a cloud-backed file system that provides strong consistency even on top of eventually-consistent cloud storage services. It is built on top of FUSE, thus providing a POSIX-like interface. SCFS also provides a pluggable backend that allows it to work with a single cloud or with a cloud-of-clouds. See paper at Usenix ATC 2014. Implemented by Ricardo Mendes and Tiago Oliveira.

  • DepSky - cloud-of-clouds storage

    • A programming library that implements the DepSky cloud-of-clouds replication algorithms. These algorithms use Byzantine quorum systems together with secret sharing and erasure codes to spread data across a diverse set of clouds, ensuring provider fault tolerance and confidentiality. See paper at EuroSys 2011 and ACM Trans. Storage 2013. Implemented by Alysson Bessani, Bruno Quaresma and Fernando André.

  • JITeR - Just-In-Time Routing

    • An algorithm that routes messages in a timely manner at the application layer using overlay networking and multihoming, leveraging the natural redundancy of wide-area IP networks. See paper at ComNet 2016. Implemented by Alexandre Fonseca, Rui Silva, and Pedro Luz.

  • php parser

    • A Java parser for PHP 5.3 that is the core of WAP. Implemented by Ibéria Medeiros.

  • MinBFT, MinZyzzyva, Spinning and EBAWA

    • Asynchronous Byzantine fault-tolerant state machine replication (BFT) algorithms that are minimal and efficient in WANs. See papers at IEEE Transactions on Computers 2013, SRDS 2009 and HASE 2010. Implemented by Giuliana S. Veronese.

  • Randomized Intrusion-Tolerant Asynchronous Services (RITAS)

    • A toolkit of intrusion-tolerant randomized agreement protocols. See our 2006 DSN and SRDS papers. Implemented by Henrique Moniz.

  • Detector of integEr vulnerabilitiEs in softwarE Portability (DEEEP)

    • A static analysis tool that finds integer vulnerabilities caused by problems when porting code from 32-bit to 64-bit processors. Implemented by Ibéria Medeiros.

  • Dependable Tuple Space (DepSpace)

    • An intrusion-tolerant coordination service. See paper at EuroSys 2008. Implemented by Alysson Bessani, Eduardo Alchieri, and others.

  • Trusted Timely Computing Base (TTCB)

    • A secure component used to support intrusion-tolerant protocols. See my 2002 EDCC and SRDS papers or my PhD thesis. Implemented by me and Pedro Martins.


Besides LASIGE's and GSD's distributed computing testbeds, we frequently run experiments at Emulab, PlanetLab, and Amazon AWS. My warm thanks to the promoters of those platforms.


last update: 06-12-2017