Ivan Beschastnikh

Prospective Graduate Students / Postdocs

This faculty member is currently not looking for graduate students or Postdoctoral Fellows. Please do not contact the faculty member with any such requests.

Associate Professor

Research Classification

Research Interests

cloud computing
distributed systems
software analysis
software engineering

Relevant Degree Programs

Affiliations to Research Centres, Institutes & Clusters


Postdoctoral Fellows

Graduate Student Supervision

Master's Student Supervision (2010 - 2018)
Dancing in the dark: private multi-party machine learning in an untrusted setting (2018)

The problem of machine learning (ML) over distributed data sourcesarises in a variety of domains. Unfortunately, today's distributed MLsystems use an unsophisticated threat model: data sources must trust acentral ML process.We propose a brokered learning abstraction that provides datasources with provable privacy guarantees while allowing them tocontribute data towards a globally-learned model in an untrustedsetting. We realize this abstraction by building on the state of theart in multi-party distributed ML and differential privacy methods toconstruct TorMentor, a system that is deployed as a hiddenservice over an anonymous communication protocol.We define a new threat model by characterizing, developing andevaluating new attacks in the brokered learning setting, along witheffective defenses for these attacks. We show that TorMentoreffectively protects data sources against known ML attacks whileproviding them with a tunable trade-off between model accuracy andprivacy.We evaluate TorMentor with local and geo-distributed deployments onAzure. In an experiment with 200 clients and 14 megabytes of data perclient our prototype trained a logistic regression model usingstochastic gradient descent in 65 seconds.

View record

Inferring and asserting distributed invariants (2018)

Distributed systems are difficult to debug and understand. A key reason for this isdistributed state, which is not easily accessible and must be pieced together fromthe states of the individual nodes in the system.We propose Dinv, an automatic approach to help developers of distributed sys-tems uncover the runtime distributed state properties of their systems. Dinv usesstatic and dynamic program analyses to infer relations between variables at differ-ent nodes. For example, in a leader election algorithm, Dinv can relate the variableleader at different nodes to derive the invariant ∀ nodes i, j, leader i = leader j .This can increase the developer’s confidence in the correctness of their system.The developer can also use Dinv to convert an inferred invariant into a distributedruntime assertion on distributed state.We applied Dinv to several popular distributed systems, such as etcd Raft,Hashicorp Serf, and Taipei-Torrent, which have between 1.7K and 144K LOC andare widely used. Dinv derived useful invariants for these systems, including invari-ants that capture the correctness of distributed routing strategies, leadership, andkey hash distribution. We also used Dinv to assert correctness of the inferred etcdRaft invariants at runtime, using these asserts to detect injected silent bugs.

View record

Inter-process communication in disaggregated datacenters (2018)

Disaggregation is a promising new datacenter (DC) architecture which aims to mit- igate mounting DC costs. Disaggregated datacenters (DDCs) disaggregate tradi- tional server components into distinct resources. Disaggregation also poses an interesting paradigm shift. Namely, a DDC possesses traits akin to a distributed system, as resources no longer fate-share: a CPU can fail independently of another CPU. It is not unreasonable to assume that these disaggregated resources will still be presented to a user as a single machine. This requirement has implications for disaggregated system design. For example, what happens if a CPU fails during a remote cross-processor procedure call?This is not a new question, as distributed systems, multi-processor systems, and high performance computing (HPC) systems, have grappled with this challenge. We look at how this challenge translates to a disaggregated context, in particular, focusing on the remote procedure call (RPC) abstraction. We design a disaggregated system, Bifröst, to ensure exactly-once semantics for procedure calls under failure scenarios and provide strict memory consistency. We analyze the overhead of Bifröst compared to an equivalent RPC implementation in Thrift. Although, we find that Bifröst has a higher overhead than Thrift, its results are still promising, showing that we can achieve greater functionality than Thrift with a slightly higher overhead.

View record

"Not able to resist the urge" : social insider attacks on Facebook (2017)

Facebook accounts are secured against unauthorized access through passwords, and through device-level security. Those defenses, however, may not be sufficient to prevent social insider attacks, where attackers know their victims, and gain access to their accounts using the victim's device. To characterize these attacks, we ran two Amazon Mechanical Turk studies geographically restricting participant pool to US only. Our major goal was to establish social insider attack prevalence and characteristics to justify a call to action for better protective and preventative countermeasures against it. In the first study involving 1308 participants, we used the list experiment, a quantitative method to estimate that 24% of participants had perpetrated social insider attacks, and that 21% had been victims to it (and knew about it). In the second, qualitative study with 45 participants, we collected stories detailing personal experiences with such attacks. Using thematic analysis, we typified attacks around 5 motivations (fun, curiosity, jealousy, animosity and utility), and explored dimensions associated with each type. Our combined findings indicate a number of trends in social insider attacks. We found that they are common, they can be perpetrated by almost all social relations and often have serious emotional consequences. Effective mitigation would require a variety of approaches as well as better user awareness. Based on the results of our experiments, we propose methodological steps to study the perception of severity of social insider attacks. In this procedure, we include an experimental design of the study and its possible limitations. The study consists of presenting stories collected in the previously mentioned second study to a new cohort of participants. It the asks them to provide a Likert Scale rating and justification for how severe they perceive the attack in the story to be if they were the victim as well as how likely they feel they might be a victim to such an attack. Lastly, we discuss possible future work in creating countermeasures to social insider attacks, their viability and limitations. We conclude that no single technique is complete solution. Instead mitigation will require a number of techniques in combination to be effective.

View record

Cross-platform data integrity and confidentiality with graduated access control (2017)

Security of data is tightly coupled to its access policy. However, in practice, a data owner has control of his data’s access policies only as far as the boundaries of his own systems. We introduce graduated access control, which provides mobile, programmable, and dynamically-resolving policies for access control that extends a data owner’s policies across system boundaries. We realize this through a novel data-centric abstraction called trusted capsules and its associated system, the trusted data monitor. A trusted capsule couples data and policy into a single mobile unit. A capsule is backwards-compatible and is indistinguishable from any regular file to applications. In coordination with the trusted data monitor, a capsule provides data integrity and confidentiality on remote devices, strong authentication to a trusted capsule service, and supports nuanced and dynamic access control decisions on remote systems. We implemented our data monitor using ARM TrustZone. We show that graduated access control can express novel and useful real world policies, such as revocation, remote monitoring, and risk-adaptable disclosure. We illustrate trusted capsules for different file formats, including JPEG, FODT, MP4 and PDF. Wealso show compatibility with unmodified applications such as LibreOffice Writer, Evince, GpicView and VLC. In general, we found that applications operating on trusted capsules have varying performance, which depends on file size, application access patterns, and policy complexity.

View record

Qualitative Repository Analysis with RepoGrams (2015)

The availability of open source software projects has created an enormous opportunity for empirical evaluations in software engineering research. However, this availability requires that researchers judiciously select an appropriate set of evaluation targets and properly document this rationale. This selection process is often critical as it can be used to argue for the generalizability of the evaluated tool or method.To understand the selection criteria that researchers use in their work we systematically read 55 research papers appearing in six major software engineering conferences. Using a grounded theory approach we iteratively developed a codebook and coded these papers along five different dimensions, all of which relate to how the authors select evaluation targets in their work. Our results indicate that most authors relied on qualitative and subjective features to select their evaluation targets. Building on these results we developed a tool called RepoGrams, which supports researchers in comparing and contrasting source code repositories of multiple software projects and helps them in selecting appropriate evaluation targets for their studies. We describe RepoGrams's design and implementation, and evaluate it in two user studies with 74 undergraduate students and 14 software engineering researchers who used RepoGrams to understand, compare, and contrast various metrics on source code repositories. For example, a researcher interested in evaluating a tool might want to show that it is useful for both software projects that are written using a single programming language, as well as ones that are written using dozens of programming languages. RepoGrams allows the researcher to find a set of software projects that are diverse with respect to this metric. We also evaluate the amount of effort required by researchers to extend RepoGrams for their own research projects in a case study with 2 researchers. We find that RepoGrams helps software engineering researchers understand and compare characteristics of a project's source repository and that RepoGrams can be used by non-expert users to investigate project histories. The tool is designed primarily for software engineering researchers who are interested in analyzing and comparing source code repositories across multiple dimensions.

View record

News Releases

This list shows a selection of news releases by UBC Media Relations over the last 5 years.

If this is your researcher profile you can log in to the Faculty & Staff portal to update your details and provide recruitment preferences.


Follow these steps to apply to UBC Graduate School!