ifnding the mappings from functions to Fog nodes, requires to consider hardware, software and QoS requirements of single functions as well as their composition into complex applications, and requirements on function bindings with external services. As other application placement problems in the Fog, deciding on the above is NP-hard, thus worst-case exp-time [ 13 ].

Speaking of QoS, FaaS placement requires constraining the function-function and functionservice latencies, which are crucial to support latency-sensitive applications [ 14 ]. Furthermore, guaranteeing a high level of security is an important QoS aspect to consider [ 15, 16, 17 ] as a security flaw in a single function (or in its interactions with external services) may induce an overall security flaw of the function composition. Placing FaaS to Fog nodes therefore needs to consider diferent security contexts, the security level of data flowing between functions, and trust relations among application operators, and infrastructure and external service providers. All these are utterly important to avoid data leaks, e.g. by placing functions handling sensitive data onto insecure or untrusted nodes, or by binding a function to a service managed by an untrusted provider [ 18 ].

This article builds over our previous work on secure and trust-aware multiservice application placement in the Fog [ 17 ]. Our approach permits to express security requirements of IoT applications, as well as infrastructure security capabilities taking into account a trust model of the involved entities. An explainable assessment of the security level of the possible deployments is automatically derived.In this article, we showcase an extension of [ 17 ] over a lifelike motivating example. The extension includes three main directions: () The definition of a declarative model to represent function requirements including security policies, and trust relations, () The (formal) logical definition of the function placement problem, which exploits informationlfow security [ 19 ] to determine functions’ security contexts, and commutative semirings to model and propagate trust [ 20 ], and () A prototype1 of the above, FaaS2Fog, implemented by relying upon an algebraic extension of Prolog, to determine eligible placements (i.e. mappings from functions to Fog nodes) and function-service bindings (i.e. mappings from functions’ service requirements to actual service instances).

We consider a simple orchestration mechanism where FaaS services are chained together as sequences of functions. We call it FaaS chains, and they represent a first step towards placing more complex FaaS orchestrations (e.g. those of OpenWhisk [ 21 ]). FaaS2Fog employs information-flow security [ 19 ] to avoid information leaks to untrusted/insecure nodes or services, and checks all hardware, software and latency chains requirements.

Our approach features two desirable properties to support the placement of FaaS in the Fog. First, it is declarative, hence more concise, easier to understand and maintain compared with procedural solutions, and it ofers high flexibility and extensibility, to accommodate the ever-changing needs of Fog scenarios. Second, it is intrinsically explainable as it derives proofs for input queries by relying on Prolog resolution engines, and it can be easily extended to justify why a certain placement decision was made, in the spirit of explainable AI [ 22 ].

The rest of this article is organised as follows. After describing a lifelike motivating example from augmented reality (Sect. 2), we illustrate FaaS2Fog methodology (Sect. 3), used to solve 1Open sourced and freely available at: https://github.com/di-unipi-socc/FaaS2Fog. and discuss the motivating example (Sect. 4). After presenting closely related work (Sect. 5), we conclude by pointing to some directions for future work (Sect. 6).

This section illustrates a lifelike motivating example to highlight the challenges related to the FaaS chain placement problem. Consider an Augmented Reality (AR) application trying to avoid people gatherings in commercial areas of a city centre, so to contrast the spreading of Covid-19, by load-balancing people presence across similar shops. When users point with their smartphones the entrance of a shop they are about to enter, the application renders over the video 3D information about the number of people inside and its overall capacity. If a high risk of gathering is detected, the application suggests alternative similar locations to the users by giving them 3D AR directions, along with incentives (e.g. discounts, special ofers) to move away from the gathering area. Such an application is implemented by a FaaS chain (Fig. 1): 1. , which authenticates the user into the service, 2. ℎ , which recognises the shop entrance in the framed images, so to discriminate among physically close activities, 3. , which identifies the shop by its image and coordinates via an external map service, also retrieving all shop information, 4. ℎ , which computes the risk of gathering (based on crowd-sensed information), individuates alternative shops and incentives to move there, 5. , which renders AR information over the framed video footage and sends it back to the mobile client.

For each function in the chain, Fig. 1 lists the software requirements in terms of required runtime support, and the hardware requirements. For instance, function ℎ needs Python3 and NumPy to be available on the deployment node, along with 2 GB of RAM, and 4 vCPUs at 1.5 GHz at least.

UserInfo 13 ms

In this section, we describe our methodology to place FaaS chains to Fog infrastructure. We illustrate both the modelling (Sect. 3.1) and the declarative solution (Sect. 3.2) of the problem, showing the main Prolog2 facts where clarifications are needed. 3.1. Modelling Applications, Infrastructures and Trust Declaring FaaS Chains. Application operators declare the requirements of a function F they will chain into FaaS applications using functionReqs(F, SoftwareRequirements, HardwareRequirements, ServiceTypeRequirements). Such requirements include SoftwareRequirements and HardwareRequirements, as well as ServiceTypeRequirements used to bind at run time service instances to be invoked by the function.

The function behaviour of a function F is defined by a relation between security types of input data (Inputs), output data (Outputs) and data exchanged with external services (ServiceInteractions). The declaration of function behaviours is functionBehaviour(F, Inputs, ServiceInteractions, Outputs):- ...

We assume that such information can be defined manually, or obtained by exploiting static analyses and type systems (see e.g. [ 23, 24 ]).

A Function chain FChain managed by Operator is declared as functionChain(FChain, Operator, EventTrigger, Functions, Latencies). where are included the list of Functions forming the chain, the FaaS Operator, the EventTrigger associated with the chain, and the maximum tolerated Latencies from the trigger to the ifrst chain function, and between consecutive chained functions. Chain triggers are denoted by pairs containing the trigger source and the list of security labels of its parameters (e.g. [top,low,low,low]). Those security labels will match the input types of the first function and propagate along the chain according to declared function behaviours. Chained functions are denoted by pairs containing a function identifier and a list of actual service instances each function will bind to. Bindings either specify a certain service instance identifier or are left unbound, meaning that any service of the required type can satisfy the requirement.

Application operators also declare a lattice of the security types to define their functions and function chains, as the one in Fig. 2, using g_lattice_higherThan(Higher, Lower). to represent each ordered pair of the lattice with the Higher and the Lower security types. Declaring Fog Infrastructures. Infrastructure node are declared as node(NodeId, ProvId, SecCaps, SWCaps, HWCaps). including the NodeId (e.g. its IP address) and the security, software and hardware capabilities featured by the node (viz. SecCaps, SWCaps and HWCaps), which enable FaaS2Fog to check the latter against function requirements. Security capabilities are lists of literals from Fig. 4.

End-to-end links between nodes (NId1 and NId2) are associated with the average Latency in milliseconds experienced between the nodes, declared as

2A Prolog program is a finite set of clauses of the form: a :- b1, ... , bn. stating that a holds when b1 ∧ ⋯ ∧ bn holds, where n≥0 and a, b1, ..., bn are atomic literals. Clauses with empty condition are also called facts. Prolog variables begin with upper-case letters, lists are denoted by square brackets, and negation by \+. Conventionally, a Prolog predicate pred with N arguments is indicated as pred/N.

External services, running on available nodes, are declared by service providers as service(ServiceId, ServiceProvider, ServiceType, NodeId). where are specified the ServiceId, the identifier of the ServiceProvider, the ServiceType, and the NodeId of the service host node.

The declaration of an event generator EG is eventGenerator(EG, EventType, NodeId). and it includes the EventType of generated triggers it can generate as well as the NodeId of the node with which it is connected. It is worth noting that data about infrastructure capabilities, services and event generators can be obtained by exploiting available monitoring tools targeting Fog settings (e.g. FogMon [ 25 ], or one of the tools surveyed in [ 26 ]).

Declaring Security Policies. The security context of nodes and external services is determined according to the security policies specified by application operators. Node and service labelling is performed as per the same security types of functions parameters to guarantee that types can be checked against each other and to enforce that functions are placed onto nodes and interacts with services that feature at least their security type. Node labelling is specified by the declaration assignNodeLabel(Node, SecurityContextLabel) :- ... meaning that the SecurityContextLabel is assigned to the Node if all conditions of the right hand-side of the rule hold. For example, a node is labelled top only if such node features both anti-tampering and public key encryption among its security capabilities. Analogously, external services are labelled by defining the security policies based on the available service information. Declaring Trust Opinions. All involved stakeholders (i.e. application operators, infrastructure providers, service providers) can declare trust opinions towards each other. Following [ 20 ], trust relations are modelled as pairs ( , ) ∈ [ 0, 1 ] × [ 0, 1 ] where represents a level of trust (the higher the better) and the confidence in (i.e. the quality of) such value , based on trust monitoring data. By employing a dialect of Prolog, viz. -Problog [ 27 ], trust opinions are declared as facts annotated with ( , ) , in the form (T,C)::trustOpinion(Stakeholder1, Stakeholder2). where Stakeholder1 declares her trust level and confidence toward Stakeholder2. 3.2. Placing FaaS Chains onto Fog Infrastructures In this section, we briefly illustrate how FaaS2Fog determines FaaS application placements, based on the modelling described in the previous section. Fig. 5 lists the faas2fog/2 predicate, giving an overview of the overall functioning of our prototype. After retrieving a function chain by its identifier CId (line 2), faas2fog/2 retrieves also an event generator associated to the chain, if any (line 3). Then, after propagating security types along the FaaS chain to determine the security contexts needed by each function (line 4), faas2fog/2 determines an eligible FaaS chain Placement satisfying all set requirements (line 5). 2. Resource- & QoS-aware Placement. After this step, the mapping/7 (Fig. 7) scans the list of typed functions TFList and determines an eligible placement for each of them, until the list is empty (line 1). For each function F to be placed, mapping/7 non-deterministically selects a candidate node N (line 3) and checks the latency constraint between N and the node of the previously allocated function3 (line 4). Then, software and hardware requirements of F are checked against N capabilities (lines 5–6). Notably, the predicate hwReqsOK/5 also checks whether cumulative hardware requirements allow placing F onto N, i.e. whether, due to the allocation of previous functions OldAllocHW, the current capacity of N can still host F as well. If this is possible, the hardware allocation is updated by summing the hardware required by F to the allocated hardware at N into AllocHW. Consequently, the compatibleNodeType/2 predicate checks whether the security context of N (determined by the assignNodeLabel/2 provided by the application operator) is compatible with the security context required by the function. Finally, the bindServices/6 predicate determines if bindings to external services comply to security and latency constraints of the function to be placed. Note that when a binding requirement is left unbound, bindServices/6 can determine eligible services (if any) that satisfy the requirements. Each placement and binding for F is accumulated in the last parameter of mapping/7, in tuples like on(F,N,FBinding). Such result will be returned by faas2fog/2. 3. Trust Propagation. FaaS2Fog also considers trust relations by using the semiring-based 3In case of the first function, mapping/7 checks the latency from the event generator. modelling of [ 20 ] to aggregate opinions from diferent stakeholders. Trust propagation is conditioned to a maximum radius of 3 hops in the trust graph, assuming that each stakeholder trusts herself with a (1, 1) opinion. Following the model of [ 20 ], we propagate trust from to as follows: opinions along paths from to are multiplied, while opinions across paths from to are summed. We employ the multiplication (⊗) and sum (⊕) operations of Fig. 8, implemented as in [ 17 ] via -Problog.

Trust relations are checked between the application operator and the node operator where functions are placed. Analogously, trust re- ⟨ , ⟩ ⊗ ⟨ ′, ′⟩ = ⟨ ′, ′⟩ lations are checked between the application ⎧⟨ , ⟩ if > ′ loypienrgatoonr a-nPdroebxltoegr,nFaalasSe2rFvoicgeapnrnoovtiadteersse.aRceh- ⟨ , ⟩ ⊕ ⟨ ′, ′⟩ = ⎩⎨⟨⟨m′a,x{′ ⟩, ′}, ⟩, iiff =′ > ′ output eligible placement with its overall trust assessment computed as described above. Figure 8: Semiring ⊗ and ⊕ operations.

In this section, we solve the motivating example4 of Sect. 2 by answering the questions raised therein. Security policies to label services specify that all the services provided by appOp are labelled top, the maps services provided by cloudProvider are labelled medium, and all the other services are labelled low. We assume that input parameters generated by userDevices triggering the chain are labelled [top,low,low,low], only considering user’s data as sensitive information.

Given these ingredients, we simply query the main predicate of FaaS2Fog, faas2fog(chainGath, Placement), to determine eligible placements for the FaaS chain. FaaS2Fog matches trigger types with the input labels of function (UserInfo, Screenshot, Coordinates, SensorsInfo) and, by propagation, it determines the labelling of functions5 as: ( , top), ( ℎ , low), ( , low), ( ℎ , medium), and ( , medium). Afterwards, eligible placements and service bindings meeting all software, hardware, latency, and security requirements of the chain of Fig. 1 are looked for by the placement phase. Table 1 summarises all obtained results. They are 9 eligible placements 4Full example code at: https://github.com/di-unipi-socc/FaaS2Fog/tree/main/examples/ITASEC21 5Note that, labelling Coordinates as medium, we would obtain a diferent labelling, i.e. ( medium), ( , medium), ( ℎ , medium), and ( , medium). , top), ( ℎ , and bindings – 1 - 9 , one per row – that satisfy all set requirements. Each column in the table corresponds to a chain function and lists the placement node and the service bindings. It is worth mentioning that while service bindings are already specified for myUserDB) and for ℎ (with the service myGatherS), the binding of (with the service was left unbound and is determined by FaaS2Fog so to meet the required low security context. As a consequence, depending also on function-service latency considerations, such requirement is bound either to the openM (e.g. 1 ) or to the cMaps instance (e.g. 2 ).

f Login We now also consider the trust network of Fig. 9, where links are annotated with (Trust, Confidence) values. For instance, appOp has a trust level of 0.99 with confidence telco provider, and a trust level of 0.9 with confidence 0.9 toward the cloudProvider provider.

Table 2 lists the trust and confidence values associated to the found placements 1 – 9 , listed in placement(s), as well as to set a minimum trust level to meet. For instance, blindly choosing the first result 1

of Table 1 actually leads to selecting one of the placements which can be trusted less (viz. (0.27, 0.23)) among the eligible ones. By considering trust assessment, the application operator will instead likely choose 4 , with the best trust level (viz. (0.77, 0.48)).

0.99,0.9 appOp

telco 0.9,0.9 0.9,0.9

0.9,0.9 0.5,0.9 private1 0.6,1 cloudProvider

university 0.8,0.85

0.9,0.9 private2 0.8,0.9

0.8,1 0.89,0.9 openS

P1 P2 P3 P4 P5 P6 P7 P8 P9

Trust (0.27, 0.23) (0.61, 0.31) (0.27, 0.23) (0.77, 0.48) (0.34, 0.35) (0.34, 0.31) (0.17, 0.28) (0.30, 0.28) (0.24, 0.21)

In this section, we survey some closely related work proposing declarative solutions to resource management in Cloud or Fog scenarios and techniques to assist the placement of orchestrated serverless functions in the Fog.

Speaking of declarative approaches to resource management, some have been proposed to manage Cloud resources (e.g. [ 28 ]) and to improve network usage (e.g. [ 29 ]). We employed -Problog prototypes to assess the security and trust levels of diferent multiservice application placements [ 17 ], and to securely place VNF chains and steer trafic across them [ 30 ]. The taxonomy of Fig. 4 to express security policies was introduced in [ 17 ], where trust relations modelled via semirings were introduced. Diferently from FaaS2Fog, it determines placements of multiservice applications (i.e. not FaaS-based) without considering information flow security, external service interactions, nor hardware and software requirements of services to be placed. Similarly, focussing on Software-defined Networking (SDN) domains, [ 30 ] considers neither trust relations nor information flow security, but only security requirements as AND-OR combinations of the taxonomy elements. Closely related to these, [ 31 ] devises a (non-declarative) solution to the problem of placing multiservice applications over multiple nodes, configuring hardware/software security controls without considering information-flow nor trust.

Targeting FaaS architectures, Pinto et al. [ 32 ] dynamically decide whether to run a serverless function within the local Edge network or in the Cloud, based on monitored data. An Edge proxy is in charge of making such a decision, also considering network failures. On the same line, Das et al. [ 33 ] present an edge-based framework to dynamically decide whether to execute a function in the Cloud or locally, by estimating operational costs and improving end-to-end latencies. Similarly, Aske and Zhao [ 34 ] present a serverless monitoring and scheduling system to select FaaS providers, based on average execution time, afinity constraints, and costs – possibly considering user-defined scheduling policies. Cho et al. [ 35 ] discuss a solution to distribute FaaS tasks over hierarchical Fog infrastructures, by employing a token bucket algorithm and einforcement learning to optimise workload distribution and response times.

Cicconetti et al. [ 36 ] propose an architecture to realise serverless computing SDN scenarios where network routers assign function execution to edge devices based on arbitrary costs (e.g. latency, bandwidth, energy). The infrastructure is monitored and updated by SDN controllers, and diferent strategies try to optimise operational costs and load-balancing. More recently, based on their model to annotate function requirements [ 37 ], Rausch et al. [ 38 ] discuss a Kubernetes-based scheduler to optimise the placement of FaaS in the Fog based on a linear combination of proximity to image registries and to data producers, available node resources and Edge or Cloud locality. Bermbach et al. [ 39 ] take an infrastructure provider’s perspective to FaaS placement in the Fog, using distributed auctions. Programmers submit functions to target nodes along with a resource bid, based on which nodes decide whether to run functions.

Only [ 40 ] and [ 41 ] exploit information flow security to check that no leak is present in FaaS orchestrations, at runtime. Diferently from FaaS2Fog, security types are not exploited to determine eligible FaaS placements. To the best of our knowledge, none of the previously proposed approaches considers information-flow security, or infrastructure security countermeasures, or trust relations when performing latency-aware placement of FaaS orchestrations in the Fog.

This article introduced a life-like example concerning the problem of determining eligible placements of FaaS chains to Fog infrastructures, that is addressed with a declarative methodology and its prototype, FaaS2Fog. Our approach considers hardware, software and latency requirements, and exploits information-flow security policies as well as infrastructure security capabilities. Eligible placements are ranked by employing semiring-based trust relations among the involved stakeholders. From the architectural viewpoint, FaaS2Fog employs information on the application, on its security types and on infrastructure labelling policies (declared by application operators), data on infrastructure capabilities (collected via distributed monitoring tools, and declared by infrastructure operators), and trust relations (declared by all involved providers).

Our approach shows some qualifying strenghts to address FaaS placement in Fog scenarios. Its declarative nature makes it easier to define FaaS chain requirements and security policies, infrastructure capabilities, and trust relations. Moreover, it naturally supports a flexible approach since it allows the definition of new requirements (e.g. bandwidth, availability of specialised hardware) or security considerations (e.g. provider whitelisting). Finally, placement explanation can be obtained by taking advantage of proof paths determined via the -Problog engine. Thus, employing explainable placements combined with information-flow and trust assessment can reduce the possibility of leaking critical data to untrusted or insecure parties during the deployment of FaaS chains. On the other hand, FaaS2Fog does not yet handle structured FaaS orchestrations, obtained by combining functions with traditional control mechanisms (e.g. branches, loops). This needs to be addressed to model more complex use cases, also extending information flow analyses to the general case. Additionally, human-readable explanations on why a certain placement was (or was not) output would further improve interactions with the users and their trust in systems based on the proposed methodology. Finally, FaaS2Fog incurs in worst-case exp-time to determine valid placements. As serverless functions are usually on-demand and short-lived, it is crucial to assess execution times over larger examples, and to improve on those via heuristics or continuous reasoning [ 42 ].

In addition to tackling all aforementioned points, in our future work we plan to extend the methodology underlying FaaS2Fog by formally defining type judgement rules for a featurecomplete orchestration language, showing how they can be naturally expressed in -Problog. Last, we intend to implement a service based on FaaS2Fog and on the Logic-Programming-asa-Service paradigm [ 43 ], and to experiment with actual FaaS deployments in Fog settings by relying on open-source orchestration engines such as OpenWhisk with IBM Composer [ 21 ].

This work has been partly supported by project “Lightweight Self-adaptive Cloud-IoT Monitoring across Fed4FIRE+ Testbed” (LiSCIo) funded by Fed4Fire+ and“Continuous QoS-compliant Management of Software Applications over the Cloud-IoT Continuum ” (CONTWARE) funded by the Conference of Italian University Rectors.