Kumseok Jung, Sathish Gopalakrishnan, Karthik Pattabiraman, To appear in the Proceedings of the ACM/IFIP/Usenix International Middleware Conference (Middleware), 2026. (Acceptance rate: TBD). [ PDF | Talk ] (Code)
Abstract: Modern distributed applications must satisfy complex security and privacy (S&P) requirements, while simultaneously meeting quality of service (QoS) goals. Dynamic information flow tracking (DIFT) is a powerful mechanism for enforcing fine-grained S&P policies. However, integrating DIFT with conventional distributed computing platforms (DCP) creates a fundamental conflict. Layered approaches suffer from prohibitive runtime overheads, and standard QoS mechanisms — such as dynamic replication — can silently break the protections provided by DIFT by replicating a sensitive service to untrusted nodes.
To resolve this, we introduce Requalizer, a framework that co-designs QoS management and DIFT. Requalizer employs a dataflow-aware workload placement strategy that creates topologically isolated pipelines, allowing the system to safely disable expensive runtime tracking for internal flows. Furthermore, we formulate a DIFT-aware load balancer using Mixed-Integer Linear Programming (MILP), guaranteeing that routing decisions optimize performance without violating non-interference rules.
We evaluated Requalizer using three applications. Our results show that Requalizer reconciles these competing goals, incurring only 3% latency overhead compared to a non-secure baseline while maintaining 100% policy compliance where layered approaches do not. Further, Requalizer maintains 100% policy compliance even under node failures and network congestion.