About

Konstantinos Kallas is an Assistant Professor of Computer Science at UCLA Samueli School of Engineering. His research focuses on software systems, distributed systems, cloud computing, programming languages, and compilers. He has contributed to the development of frameworks and systems for microservice architectures, serverless computing, and shell script execution, with notable work including MuCache, a framework for caching in microservice graphs, and Mu2SLS, a system for executing microservice applications on serverless platforms. Kallas has also worked on semantics for stateful serverless functions and systems for shell script parallelization and dataflow modeling. His research aims to improve the correctness, efficiency, and scalability of modern computing systems, and he has received recognition for his work, including awards such as the HotOS Distinguished Presentation Award and the EuroSys Best Paper Award.

Selected publications

• PopPy: Opportunistically Exploiting Parallelism in Python Compound AI Applications

  ArXiv.org · 2026-05-18

  articleOpen access

  Compound AI applications, which compose calls to ML models using a general-purpose programming language like Python, are widely used for a variety of user-facing tasks, from software engineering to enterprise automation, making their end-to-end latency a critical bottleneck. In contrast to traditional applications, execution time is dominated by the external components, which cannot be handled by traditional language optimization systems, like optimizing compilers. To address this problem, we develop PopPy, a system that can uncover parallelization opportunities in Python applications that invoke these heavy external components, including those used in compound AI applications. PopPy supports a very expressive fragment of Python and requires minimal developer input to uncover parallelism. It combines an ahead-of-time compiler with a runtime, addressing three key challenges in extracting parallelism from Python applications: language complexity, dynamic dispatch, and variable mutation. On a set of real-world compound AI applications, PopPy achieves up to $6.4\times$ speedups in end-to-end execution time compared to standard Python execution while preserving the sequential program semantics.

  PublisherOA PDF

• hS: Speculative Script Reordering at Subprocess Granularity (Artifact)

  Zenodo (CERN European Organization for Nuclear Research) · 2026-04-27

  otherOpen access

  `hS` is a research prototype for speculative, out-of-order execution of shell scripts. It traces script execution, detects dependency violations, and selectively re-executes affected commands to preserve correct behavior while exposing parallelism. This archive contains the source code, tests, documentation, and artifacts needed to run and evaluate the system.

  PublisherDOI

• An AI Agent Execution Environment to Safeguard User Data

  ArXiv.org · 2026-04-21

  articleOpen access

  AI agents promise to serve as general-purpose personal assistants for their users, which requires them to have access to private user data (e.g., personal and financial information). This poses a serious risk to security and privacy. Adversaries may attack the AI model (e.g., via prompt injection) to exfiltrate user data. Furthermore, sharing private data with an AI agent requires users to trust a potentially unscrupulous or compromised AI model provider with their private data. This paper presents GAAP (Guaranteed Accounting for Agent Privacy), an execution environment for AI agents that guarantees confidentiality for private user data. Through dynamic and directed user prompts, GAAP collects permission specifications from users describing how their private data may be shared, and GAAP enforces that the agent's disclosures of private user data, including disclosures to the AI model and its provider, comply with these specifications. Crucially, GAAP provides this guarantee deterministically, without trusting the agent with private user data, and without requiring any AI model or the user prompt to be free of attacks. GAAP enforces the user's permission specification by tracking how the AI agent accesses and uses private user data. It augments Information Flow Control with novel persistent data stores and annotations that enable it to track the flow of private information both across execution steps within a single task, and also over multiple tasks separated in time. Our evaluation confirms that GAAP blocks all data disclosure attacks, including those that make other state-of-the-art systems disclose private user data to untrusted parties, without a significant impact on agent utility.

  PublisherOA PDF

• PopPy: Opportunistically Exploiting Parallelism in Python Compound AI Applications

  arXiv (Cornell University) · 2026-05-18

  preprintOpen access

  Compound AI applications, which compose calls to ML models using a general-purpose programming language like Python, are widely used for a variety of user-facing tasks, from software engineering to enterprise automation, making their end-to-end latency a critical bottleneck. In contrast to traditional applications, execution time is dominated by the external components, which cannot be handled by traditional language optimization systems, like optimizing compilers. To address this problem, we develop PopPy, a system that can uncover parallelization opportunities in Python applications that invoke these heavy external components, including those used in compound AI applications. PopPy supports a very expressive fragment of Python and requires minimal developer input to uncover parallelism. It combines an ahead-of-time compiler with a runtime, addressing three key challenges in extracting parallelism from Python applications: language complexity, dynamic dispatch, and variable mutation. On a set of real-world compound AI applications, PopPy achieves up to $6.4\times$ speedups in end-to-end execution time compared to standard Python execution while preserving the sequential program semantics.

  PublisherDOI

• An AI Agent Execution Environment to Safeguard User Data

  arXiv (Cornell University) · 2026-04-21

  preprintOpen access

  AI agents promise to serve as general-purpose personal assistants for their users, which requires them to have access to private user data (e.g., personal and financial information). This poses a serious risk to security and privacy. Adversaries may attack the AI model (e.g., via prompt injection) to exfiltrate user data. Furthermore, sharing private data with an AI agent requires users to trust a potentially unscrupulous or compromised AI model provider with their private data. This paper presents GAAP (Guaranteed Accounting for Agent Privacy), an execution environment for AI agents that guarantees confidentiality for private user data. Through dynamic and directed user prompts, GAAP collects permission specifications from users describing how their private data may be shared, and GAAP enforces that the agent's disclosures of private user data, including disclosures to the AI model and its provider, comply with these specifications. Crucially, GAAP provides this guarantee deterministically, without trusting the agent with private user data, and without requiring any AI model or the user prompt to be free of attacks. GAAP enforces the user's permission specification by tracking how the AI agent accesses and uses private user data. It augments Information Flow Control with novel persistent data stores and annotations that enable it to track the flow of private information both across execution steps within a single task, and also over multiple tasks separated in time. Our evaluation confirms that GAAP blocks all data disclosure attacks, including those that make other state-of-the-art systems disclose private user data to untrusted parties, without a significant impact on agent utility.

  PublisherDOI

• hS: Speculative Script Reordering at Subprocess Granularity (Artifact)

  Zenodo (CERN European Organization for Nuclear Research) · 2026-04-27

  otherOpen access

  `hS` is a research prototype for speculative, out-of-order execution of shell scripts. It traces script execution, detects dependency violations, and selectively re-executes affected commands to preserve correct behavior while exposing parallelism. This archive contains the source code, tests, documentation, and artifacts needed to run and evaluate the system.

  PublisherDOI

• NaSh: Guardrails for an LLM-Powered Natural Language Shell

  ArXiv.org · 2025-06-16

  preprintOpen access

  We explore how a shell that uses an LLM to accept natural language input might be designed differently from the shells of today. As LLMs may produce unintended or unexplainable outputs, we argue that a natural language shell should provide guardrails that empower users to recover from such errors. We concretize some ideas for doing so by designing a new shell called NaSh, identify remaining open problems in this space, and discuss research directions to address them.

  PublisherOA PDFDOI

• From Ahead-of- to Just-in-Time and Back Again: Static Analysis for Unix Shell Programs

  2025-05-14

  articleOpen access

  Shell programming is as prevalent as ever. It is also quite complex, due to the structure of shell programs, their use of opaque software components, and their complex interactions with the broader environment. As a result, even when exercising an abundance of care, shell developers discover devastating bugs in their programs only at runtime: at best, shell programs going wrong crash the execution of a long-running task; at worst, they silently corrupt the broader environment in which they execute---affecting user data, modifying system files, and rendering entire systems unusable. Could the shell's users enjoy the benefits of semantics-driven static analysis before their programs' execution---as offered by most other production languages?

  PublisherDOI

• Opportunistically Parallel Lambda Calculus

  Proceedings of the ACM on Programming Languages · 2025-10-09 · 2 citations

  articleOpen access

  Scripting languages are widely used to compose external calls such as native libraries and network services. In such scripts, execution time is often dominated by waiting for these external calls, rendering traditional single-language optimizations ineffective. To address this, we propose a novel opportunistic evaluation strategy for scripting languages based on a core lambda calculus that automatically dispatches independent external calls in parallel and streams their results. We prove that our approach is confluent, ensuring that it preserves the programmer’s original intent, and that it eventually executes every external call. We implement this approach in a scripting language called Opal. We demonstrate the versatility and performance of Opal, focusing on programs that invoke heavy external computation through the use of large language models (LLMs) and other APIs. Across five scripts, we compare to several state-of-the-art baselines and show that opportunistic evaluation improves total running time (up to 6.2×) and latency (up to 12.7×) compared to standard sequential Python, while performing very close (between 1.3% and 18.5% running time overhead) to hand-tuned manually optimized asynchronous Rust. For Tree-of-Thoughts, a prominent LLM reasoning approach, we achieve a 6.2× performance improvement over the authors’ own implementation.

  PublisherDOI

• Netherite: efficient execution of serverless workflows

  The VLDB Journal · 2025-02-21 · 5 citations

  article
  PublisherDOI

Awards & honors

• Distinguished Presentation Award for “Unix Shell Programming…
• Best Paper Award for "PaSh: Light-touch Data-Parallel Shell…
• Morris and Dorothy Rubinoff Award (Best CIS PhD at Penn) (20…
• 2nd place at ACM SRC Grand Finals (2021)