5,615 research outputs found
Design and Evaluation of a Collective IO Model for Loosely Coupled Petascale Programming
Loosely coupled programming is a powerful paradigm for rapidly creating
higher-level applications from scientific programs on petascale systems,
typically using scripting languages. This paradigm is a form of many-task
computing (MTC) which focuses on the passing of data between programs as
ordinary files rather than messages. While it has the significant benefits of
decoupling producer and consumer and allowing existing application programs to
be executed in parallel with no recoding, its typical implementation using
shared file systems places a high performance burden on the overall system and
on the user who will analyze and consume the downstream data. Previous efforts
have achieved great speedups with loosely coupled programs, but have done so
with careful manual tuning of all shared file system access. In this work, we
evaluate a prototype collective IO model for file-based MTC. The model enables
efficient and easy distribution of input data files to computing nodes and
gathering of output results from them. It eliminates the need for such manual
tuning and makes the programming of large-scale clusters using a loosely
coupled model easier. Our approach, inspired by in-memory approaches to
collective operations for parallel programming, builds on fast local file
systems to provide high-speed local file caches for parallel scripts, uses a
broadcast approach to handle distribution of common input data, and uses
efficient scatter/gather and caching techniques for input and output. We
describe the design of the prototype model, its implementation on the Blue
Gene/P supercomputer, and present preliminary measurements of its performance
on synthetic benchmarks and on a large-scale molecular dynamics application.Comment: IEEE Many-Task Computing on Grids and Supercomputers (MTAGS08) 200
Device-Based Isolation for Securing Cryptographic Keys
In this work, we describe an eective device-based isolation
approach for achieving data security. Device-based isolation
leverages the proliferation of personal computing devices to
provide strong run-time guarantees for the condentiality of
secrets. To demonstrate our isolation approach, we show its
use in protecting the secrecy of highly sensitive data that
is crucial to security operations, such as cryptographic keys
used for decrypting ciphertext or signing digital signatures.
Private key is usually encrypted when not used, however,
when being used, the plaintext key is loaded into the memory
of the host for access. In our threat model, the host may
be compromised by attackers, and thus the condentiality of
the host memory cannot be preserved. We present a novel
and practical solution and its prototype called DataGuard to
protect the secrecy of the highly sensitive data through the
storage isolation and secure tunneling enabled by a mobile
handheld device. DataGuard can be deployed for the key
protection of individuals or organizations
Measuring the Impact of Spectre and Meltdown
The Spectre and Meltdown flaws in modern microprocessors represent a new
class of attacks that have been difficult to mitigate. The mitigations that
have been proposed have known performance impacts. The reported magnitude of
these impacts varies depending on the industry sector and expected workload
characteristics. In this paper, we measure the performance impact on several
workloads relevant to HPC systems. We show that the impact can be significant
on both synthetic and realistic workloads. We also show that the performance
penalties are difficult to avoid even in dedicated systems where security is a
lesser concern
Lic-Sec: an enhanced AppArmor Docker security profile generator
Along with the rapid development of cloud computing technology,
containerization technology has drawn much attention from both industry and
academia. In this paper, we perform a comparative measurement analysis of
Docker-sec, which is a Linux Security Module proposed in 2018, and a new
AppArmor profile generator called Lic-Sec, which combines Docker-sec with a
modified version of LiCShield, which is also a Linux Security Module proposed
in 2015. Docker-sec and LiCShield can be used to enhance Docker container
security based on mandatory access control and allows protection of the
container without manually configurations. Lic-Sec brings together their
strengths and provides stronger protection. We evaluate the effectiveness and
performance of Docker-sec and Lic-Sec by testing them with real-world attacks.
We generate an exploit database with 42 exploits effective on Docker containers
selected from the latest 400 exploits on Exploit-db. We launch these exploits
on containers spawned with Docker-sec and Lic-Sec separately. Our evaluations
show that for demanding images, Lic-Sec gives protection for all privilege
escalation attacks for which Docker-sec failed to give protection
- …