Andrew Baumann

About me

As a member of the Systems Group at Microsoft Research Redmond, I design and build software systems, often from scratch, to solve new problems. My research interests are operating systems and systems security, with a particular focus on problems driven by hardware evolution, or close to the hardware/software boundary. Most recently, I have built confidential computing systems that protect the confidentiality and integrity of user computations in shared infrastructure even against untrusted hosts and malicious administrators.

I completed my BE (2002) and PhD (2007) in the School of Computer Science and Engineering, University of New South Wales, in the research group that evolved into Trustworthy Systems. I then spent three years as a postdoctoral researcher in the Systems Group at ETH Zurich, before moving to “sunny” Redmond at the end of 2010.

Selected Research Projects

Drawbridge

Drawbridge

Much of my work at MSR has been connected to Drawbridge, a new form of virtualization for application sandboxing based on a library OS version of Windows. As reported in the Bascule paper, we generalised the architecture to permit other guest and host operating systems (including Barrelfish and Linux), and to support lightweight interposition of extensions that are independent of both host and guest. This became the basis of Microsoft SQL Server for Linux.

Haven

Haven

In the Haven project, we introduced the notion of shielded execution: running existing, unmodified applications, while protecting them from an untrusted cloud host. Haven leverages Intel SGX: a hardware implementation of secure enclaves backed by encrypted memory. A significant outcome of Haven was the joint development with Intel of extensions to the SGX ISA to enable dynamic memory management and shielded execution of unmodified binaries.

Komodo

Komodo

In Komodo, we showed how to achieve SGX-like security for isolating enclaves from an untrusted OS without baking the entire isolation mechanism into the instruction set. Komodo decouples the core hardware mechanisms such as memory encryption, address-space isolation and attestation from the management thereof, which is delegated to a privileged software monitor that in turn implements enclaves. We formally-verified the implementation of a prototype monitor for ARM TrustZone.

Autarky

Autarky

SGX suffers from a number of unique side-channel attacks that stem from the use of an untrusted host OS to manage enclave resources, virtual memory in particular. These “controlled channel” attacks are particularly devastating, and have resisted effective mitigation (several prior research efforts notwithstanding), because they are architectural: the leak is deterministic, noise-free, and guaranteed by the architecture specification. In Autarky, we proposed an incremental, cost-effective, and deployable change to the SGX ISA to close this channel. Autarky leverages the old idea of user-level self-paging to support demand-paging efficiently in trusted code, removing it from the realm of the untrusted host.

Barrelfish

Barrelfish

I was a founding member of the Barrelfish project, which is exploring how to structure an OS for future multi- and many-core systems. I led this project for its first three years as a postdoc at ETH Zurich, working with Timothy Roscoe and some talented students. Together with collaborators at MSR, we built an OS from scratch to exploit our observation that modern computers are increasingly structured as distributed systems, by mirroring that structure in the OS. For example, we used an asynchronous message-passing abstraction for all inter-core communication, rather than assuming shared memory. Today Barrelfish is a substantial prototype OS, and is still under active research and development.

Publications

Conferences

  • Meni Orenbach, Andrew Baumann, and Mark Silberstein. Autarky: Closing controlled channels with self-paging enclaves. In Proc. 15th European Conference on Computer Systems (EuroSys), Heraklion, Greece, April 2020. ACM.
  • Luke Nelson, James Bornholt, Ronghui Gu, Andrew Baumann, Emina Torlak, and Xi Wang. Scaling symbolic evaluation for automated verification of systems code with Serval. In Proc. 27th Symposium on Operating Systems Principles (SOSP), pages 225—242, Huntsville, Ontario, Canada, October 2019. ACM.
     Best paper award, Distinguished artifact award.
  • Andrew Ferraiuolo, Andrew Baumann, Chris Hawblitzel, and Bryan Parno. Komodo: Using verification to disentangle secure-enclave hardware from software. In Proc. 26th Symposium on Operating Systems Principles (SOSP), pages 287—305, Shanghai, China, October 2017. ACM.
  • Jacob R. Lorch, Andrew Baumann, Lisa Glendenning, Dutch Meyer, and Andrew Warfield. Tardigrade: Leveraging lightweight virtual machines to easily and efficiently construct fault-tolerant services. In Proc. 12th Symposium on Networked Systems Design and Implementation (NSDI), pages 575—588, Oakland, CA, USA, May 2015.
  • Andrew Baumann, Marcus Peinado, and Galen Hunt. Shielding applications from an untrusted cloud with Haven. In Proc. 11th Symposium on Operating Systems Design and Implementation (OSDI), Broomfield, CO, USA, October 2014.
     Best paper award.
  • Andrew Baumann, Chris Hawblitzel, Kornilios Kourtis, Tim Harris, and Timothy Roscoe. Cosh: clear OS data sharing in an incoherent world. In Conference on Timely Results in Operating Systems (TRIOS), Broomfield, CO, USA, October 2014. ACM.
  • Andrew Baumann, Dongyoon Lee, Pedro Fonseca, Lisa Glendenning, Jacob R. Lorch, Barry Bond, Reuben Olinsky, and Galen C. Hunt. Composing OS extensions safely and efficiently with Bascule. In Proc. 8th European Conference on Computer Systems (EuroSys), pages 239—252, Prague, Czech Republic, April 2013. ACM.
  • Adrian Schüpbach, Andrew Baumann, Timothy Roscoe, and Simon Peter. A declarative language approach to device configuration. In Proc. 16th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS). ACM, March 2011.
  • Qin Yin, Adrian Schüpbach, Justin Cappos, Andrew Baumann, and Timothy Roscoe. Rhizoma: a runtime for self-deploying, self-managing overlays. In Proc. ACM/IFIP/USENIX 10th International Middleware Conference, Urbana Champaign, IL, USA, November 2009.
  • Andrew Baumann, Paul Barham, Pierre-Evariste Dagand, Tim Harris, Rebecca Isaacs, Simon Peter, Timothy Roscoe, Adrian Schüpbach, and Akhilesh Singhania. The multikernel: A new OS architecture for scalable multicore systems. In Proc. 22nd Symposium on Operating Systems Principles (SOSP), pages 29—44, Big Sky, MT, USA, October 2009. ACM.
     SIGOPS Hall of Fame award, 2020.
  • Simon Peter, Andrew Baumann, Timothy Roscoe, Paul Barham, and Rebecca Isaacs. 30 seconds is not enough! A study of operating system timer usage. In Proc. 3rd European Conference on Computer Systems (EuroSys), pages 205—218, Glasgow, Scotland, UK, April 2008. ACM.
  • Andrew Baumann, Jonathan Appavoo, Robert W. Wisniewski, Dilma Da Silva, Orran Krieger, and Gernot Heiser. Reboots are for hardware: Challenges and solutions to updating an operating system on the fly. In Proc. USENIX Annual Technical Conference (ATC), pages 337—350, Santa Clara, CA, USA, June 2007.
  • Andrew Baumann, Gernot Heiser, Jonathan Appavoo, Dilma Da Silva, Orran Krieger, Robert W. Wisniewski, and Jeremy Kerr. Providing dynamic update in an operating system. In Proc. USENIX Annual Technical Conference (ATC), pages 279—291, Anaheim, CA, USA, April 2005.
  • Andrew Baumann, Jeremy Kerr, Jonathan Appavoo, Dilma Da Silva, Orran Krieger, and Robert W. Wisniewski. Module hot-swapping for dynamic update and reconfiguration in K42. In Proc. 6th Linux.Conf.Au, Canberra, Australia, April 2005.

Workshops

  • Andrew Baumann, Jonathan Appavoo, Orran Krieger, and Timothy Roscoe. A fork() in the road. In Proc. 17th Workshop on Hot Topics in Operating Systems (HotOS), pages 14—22, Bertinoro, Italy, May 2019. ACM.
  • Andrew Baumann. Hardware is the new software. In Proc. 16th Workshop on Hot Topics in Operating Systems (HotOS), pages 132—137, Whistler, BC, Canada, May 2017. ACM.
  • Jeffrey C. Mogul, Andrew Baumann, Timothy Roscoe, and Livio Soares. Mind the gap: Reconnecting architecture and os research. In Proc. 13th Workshop on Hot Topics in Operating Systems (HotOS). Usenix, May 2011.
  • Simon Peter, Adrian Schüpbach, Paul Barham, Andrew Baumann, Rebecca Isaacs, Tim Harris, and Timothy Roscoe. Design principles for end-to-end multicore schedulers. In Proc. 2nd Workshop on Hot Topics in Parallelism (HotPar), Berkeley, CA, USA, June 2010.
  • Pierre-Evariste Dagand, Andrew Baumann, and Timothy Roscoe. Filet-o-Fish: Practical and dependable domain-specific languages for OS development. In Proc. 5th Workshop on Programming Languages and Operating Systems (PLOS), Big Sky, MT, USA, October 2009.
  • Andrew Baumann, Simon Peter, Adrian Schüpbach, Akhilesh Singhania, Timothy Roscoe, Paul Barham, and Rebecca Isaacs. Your computer is already a distributed system. Why isn't your OS? In Proc. 12th Workshop on Hot Topics in Operating Systems (HotOS), Monte Verità, Switzerland, May 2009.
  • Qin Yin, Justin Cappos, Andrew Baumann, and Timothy Roscoe. Dependable self-hosting distributed systems using constraints. In Proc. 4th Workshop on Hot Topics in System Dependability (HotDep), San Diego, CA, USA, December 2008.
  • Adrian Schüpbach, Simon Peter, Andrew Baumann, Timothy Roscoe, Paul Barham, Tim Harris, and Rebecca Isaacs. Embracing diversity in the Barrelfish manycore operating system. In Proc. Workshop on Managed Many-Core Systems (MMCS), Boston, MA, USA, June 2008.
  • Andrew Baumann, Jonathan Appavoo, Dilma Da Silva, Orran Krieger, and Robert W. Wisniewski. Improving operating system availability with dynamic update. In Proc. Workshop on Operating System and Architectural Support for the On-Demand IT Infrastructure (OASIS), Boston, MA, USA, October 2004.

Journals

  • Andrew Baumann, Marcus Peinado, and Galen Hunt. Shielding applications from an untrusted cloud with Haven. ACM Transactions on Computer Systems (TOCS), 33(3), August 2015.
  • Adrian Schüpbach, Andrew Baumann, Timothy Roscoe, and Simon Peter. A declarative language approach to device configuration. ACM Transactions on Computer Systems (TOCS), 30(1), February 2012.
  • Dilma Da Silva, Orran Krieger, Robert W. Wisniewski, Amos Waterland, David Tam, and Andrew Baumann. K42: an infrastructure for operating system research Operating Systems Review, 40(2):34—42, April 2006.

Other

  • Andrew Baumann. Fish in a Barrel: an insider's retrospective of the SOSP'09 multikernel paper. ACM SIGOPS Blog, April 2021.
  • Simon Peter, Andrew Baumann, Zachary Anderson, and Timothy Roscoe. Gang scheduling isn't worth it... yet. Technical Report number 745, ETH Zurich Department of Computer Science, November 2011.
  • Andrew Baumann. Dynamic Update for Operating Systems. PhD Thesis. The University of New South Wales, August 2007.

Student Mentoring

Interns

At Microsoft Research, I've been lucky to work with:

Student theses

While at ETH Zurich, I advised the following students:

  • Dominik Menzi, Support for heterogeneous cores for Barrelfish, Master’s thesis, 2011.
  • Bram Scheidegger, Barrelfish on Netronome, Bachelor’s thesis, 2011.
  • Raffaele Sandrini, VMkit A lightweight hypervisor library for Barrelfish, Master’s thesis, 2009.
  • Animesh Trivedi, Hotplug in a Multikernel Operating System, Master’s thesis, 2009.

Service

Teaching

At the University of Washington:

At ETH Zurich, with Timothy Roscoe:

  • Autumn 2010: Advanced Operating Systems
  • Spring 2010: Lions’ Commentary on 6th Edition UNIX Seminar
  • Autumn 2009: Advanced Operating Systems
  • Spring 2009: Advanced Operating Systems
  • Autumn 2008: Data Processing Architectures for New Hardware Platforms Seminar
  • Spring 2008: Advanced Operating Systems
  • Autumn 2007: Advanced Topics in OS Kernel Design Seminar