Andreas Haeberlen (original) (raw)

I am currently on a leave of absence from Penn to lead the new systems group at Roblox Research.

Some recent publications

• RoboRebound: Multi-Robot System Defense with Bounded-Time Interaction.Neeraj Gandhi, Yifan Cai, Andreas Haeberlen, and Linh Thi Xuan Phan.20th European Conference on Computer Systems (EuroSys '25), Mar 2024.
  × @inproceedings{gandhi-2025-roborebound,
  author = {Neeraj Gandhi and Yifan Cai and Andreas Haeberlen and Linh Thi Xuan Phan},
  title = {{RoboRebound}: {M}ulti-{R}obot {S}ystem {D}efense with {B}ounded-{T}ime {I}nteraction},
  booktitle = {20th European Conference on Computer Systems (EuroSys '25)},
  month = mar,
  year = 2024
  }
  ×
  Byzantine Fault Tolerance (BFT) is a classic technique for defending distributed systems against a wide range of faults and attacks. However, existing solutions are designed for systems where nodes can interact only by exchanging messages. They are not directly applicable to systems where nodes have sensors and actuators and can also interact in the physical world — perhaps by blocking each other's path or by crashing into each other.
  In this paper, we take a first stab at extending BFT to this larger class of systems. We focus on multi-robot systems (MRS), an emerging technology that is increasingly being deployed for applications such as target tracking, warehouse logistics, and exploration. An MRS can consist of dozens of interacting robots and is thus a bona-fide distributed system. The classic masking guarantee is not practical in a MRS, but we propose a variant called bounded-time interaction that can be implemented, and we present an algorithm that achieves it, in combination with a few small hardware tweaks. We built a simulator and prototyped wheeled robots to show that our algorithm is effective, and that it has a reasonable overhead.
  PDF BibTeX Abstract Neeraj's slides
• Metaverse as a Service: Megascale Social 3D on the Cloud.Andreas Haeberlen, Linh Thi Xuan Phan, and Morgan McGuire.14th ACM Symposium on Cloud Computing (SoCC '23), Oct 2023.
  × @inproceedings{haeberlen-2023-metaverse,
  author = {Andreas Haeberlen and Linh Thi Xuan Phan and Morgan McGuire},
  title = {Metaverse as a Service: Megascale Social 3D on the Cloud},
  booktitle = {14th ACM Symposium on Cloud Computing (SoCC '23)},
  month = oct,
  year = 2023
  }
  ×
  We present a vision for the future of an emerging category of cloud service: the metaverse of 3D virtual worlds. Today, hundreds of millions of users are active daily in such worlds, but they are partitioned into small groups of at most a few hundred players. Each group joins a different virtual world instance, and players can only interact in 3D with others players in the same group during that session. Current platforms are designed in ways that simply cannot scale much further, and solutions from other cloud services do not generalize to the more interactive, bidirectional, and latency-sensitive interactive 3D domain. We outline some of the technical challenges that currently stand in the way of a metaverse without inherent technical limitations on the number of users in a shared experience. We argue that, although these obviously touch on many other areas of Computer Science such as computer graphics and numerical simulation, the core challenges lie squarely within the systems domain.
  PDF BibTeX Abstract Slides
• Arboretum: A Planner for Massive-Scale Federated Analytics with Differential Privacy.Elizabeth Margolin, Karan Newatia, Edo Roth, Tao Luo, and Andreas Haeberlen.29th ACM Symposium on Operating Systems Principles (SOSP '23), Oct 2023.
  × @inproceedings{margolin-2023-arboretum,
  author = {Elizabeth Margolin and Karan Newatia and Edo Roth and Tao Luo and Andreas Haeberlen},
  title = {Arboretum: A Planner for Massive-Scale Federated Analytics with Differential Privacy},
  booktitle = {29th ACM Symposium on Operating Systems Principles (SOSP '23)},
  month = oct,
  year = 2023
  }
  ×
  Federated analytics is a way to answer queries over sensitive data that is spread across multiple parties, without sharing the data or collecting it in a single place. Prior work has developed solutions that can scale to large deployments with millions of devices but, due to the distributed nature of federated analytics, these solutions can support only a limited class of queries - typically various forms of numerical queries, which can be answered with lightweight cryptographic primitives. Supporting richer queries, such as categorical queries, requires heavier cryptography, whose cost can quickly exceed even the resources of a powerful data center.
  In this paper, we present Arboretum, a new federated analytics system that can efficiently answer a broader range of queries, including categorical queries, in deployments with millions or even billions of participants. Arboretum achieves this by 1) automatically optimizing query plans to find highly efficient ways to answer each query, and by 2) including the participant devices in the computation. Our evaluation shows that Arboretum can match the cost of earlier systems that have been hand-optimized for particular kinds of queries, and that it can additionally support a range of new queries for which no efficient solution exists today.
  PDF BibTeX Abstract Eli's slides
• Mycelium: Large-Scale Distributed Graph Queries with Differential Privacy.Edo Roth, Karan Newatia, Yiping Ma, Ke Zhong, Sebastian Angel, and Andreas Haeberlen.28th ACM Symposium on Operating Systems Principles (SOSP '21), Oct 2021.
  × @inproceedings{roth-2021-mycelium,
  author = {Edo Roth and Karan Newatia and Yiping Ma and Ke Zhong and Sebastian Angel and Andreas Haeberlen},
  title = {Mycelium: Large-Scale Distributed Graph Queries with Differential Privacy},
  booktitle = {28th ACM Symposium on Operating Systems Principles (SOSP '21)},
  doi = {10.1145/3477132.3483585},
  month = oct,
  year = 2021
  }
  ×
  This paper introduces Mycelium, the first system to process differentially private queries over large graphs that are distributed across millions of user devices. Such graphs occur, for instance, when tracking the spread of diseases or malware. Today, the only practical way to query such graphs is to upload them to a central aggregator, which requires a great deal of trust from users and rules out certain types of studies entirely. With Mycelium, users’ private data never leaves their personal devices unencrypted, and each user receives strong privacy guarantees. Mycelium does require the help of a central aggregator with access to a data center, but the aggregator merely facilitates the computation by providing bandwidth and computation power; it never learns the topology of the graph or the underlying data. Mycelium accomplishes this with a combination of homomorphic encryption, a verifiable secret redistribution scheme, and a mix network based on telescoping circuits. Our evaluation shows that Mycelium can answer a range of different questions from the medical literature with millions of devices.
  PDF BibTeX Abstract Edo's slides Talk
• REBOUND: Defending Distributed Systems Against Attacks with Bounded-Time Recovery.Neeraj Gandhi, Edo Roth, Brian Sandler, Andreas Haeberlen, and Linh Thi Xuan Phan.16th European Conference on Computer Systems (EuroSys '21), Apr 2021.
  × @inproceedings{gandhi-2021-rebound,
  author = {Neeraj Gandhi and Edo Roth and Brian Sandler and Andreas Haeberlen and Linh Thi Xuan Phan},
  title = {{REBOUND}: {D}efending Distributed Systems Against Attacks with {B}ounded-{T}ime {R}ecovery},
  booktitle = {16th European Conference on Computer Systems (EuroSys '21)},
  doi = {10.1145/3447786.3456257},
  month = apr,
  year = 2021
  }
  ×
  This paper shows how to use bounded-time recovery (BTR) to defend distributed systems against non-crash faults and attacks. Unlike many existing fault-tolerance techniques, BTR does not attempt to completely mask all symptoms of a fault; instead, it ensures that the system returns to the correct behavior within a bounded amount of time. This weaker guarantee is sufficient, e.g., for many cyber-physical systems, where physical properties – such as inertia and thermal capacity – prevent quick state changes and thus limit the damage that can result from a brief period of undefined behavior.
  We present an algorithm called REBOUND that can provide BTR for the Byzantine fault model. REBOUND works by detecting faults and then reconfiguring the system to exclude the faulty nodes. This supports very fine-grained responses to faults: for instance, the system can move or replace existing tasks, or drop less critical tasks entirely to conserve resources. REBOUND can take useful actions even when a majority of the nodes is compromised, and it requires less redundancy than full fault-tolerance.
  PDF BibTeX Abstract Neeraj's slides Talk
• Orchard: Differentially Private Analytics at Scale.Edo Roth, Hengchu Zhang, Andreas Haeberlen, and Benjamin C. Pierce.14th USENIX Symposium on Operating Systems Design and Implementation (OSDI '20), Nov 2020.
  × @inproceedings{roth-2020-orchard,
  author = {Edo Roth and Hengchu Zhang and Andreas Haeberlen and Benjamin C. Pierce},
  title = {Orchard: {D}ifferentially Private Analytics at Scale},
  booktitle = {14th USENIX Symposium on Operating Systems Design and Implementation (OSDI '20)},
  month = nov,
  year = 2020
  }
  ×
  This paper presents Orchard, a system that can answer queries about sensitive data that is held by millions of user devices, with strong differential privacy guarantees. Orchard combines high accuracy with good scalability, and it uses only a single untrusted party to facilitate the query. Moreover, whereas previous solutions that shared these properties were custom-built for specific queries, Orchard is general and can accept a wide range of queries. Orchard accomplishes this by rewriting queries into a distributed protocol that can be executed efficiently at scale, using cryptographic primitives.
  Our prototype of Orchard can execute 14 out of 17 queries chosen from the literature; to our knowledge, no other system can handle more than one of them in this setting. And the costs are moderate: each user device typically needs only a few megabytes of traffic and a few minutes of computation time. Orchard also includes a novel defense against malicious users who attempt to distort the results of a query.
  PDF BibTeX Abstract Edo's slides Talk TR

For more papers, please see the full list of publications.