1,809 research outputs found
An Experiment on Bare-Metal BigData Provisioning
Many BigData customers use on-demand platforms in the cloud, where they can get a dedicated virtual cluster in a couple of minutes and pay only for the time they use. Increasingly, there is a demand for bare-metal bigdata solutions for applications that cannot tolerate the unpredictability and performance degradation of virtualized systems. Existing bare-metal solutions can introduce delays of 10s of minutes to provision a cluster by installing operating systems and applications on the local disks of servers. This has motivated recent research developing sophisticated mechanisms to optimize this installation. These approaches assume that using network mounted boot disks incur unacceptable run-time overhead. Our analysis suggest that while this assumption is true for application data, it is incorrect for operating systems and applications, and network mounting the boot disk and applications result in negligible run-time impact while leading to faster provisioning time.This research was supported in part by the MassTech
Collaborative Research Matching Grant Program, NSF
awards 1347525 and 1414119 and several commercial
partners of the Massachusetts Open Cloud who may be
found at http://www.massopencloud.or
KASR: A Reliable and Practical Approach to Attack Surface Reduction of Commodity OS Kernels
Commodity OS kernels have broad attack surfaces due to the large code base
and the numerous features such as device drivers. For a real-world use case
(e.g., an Apache Server), many kernel services are unused and only a small
amount of kernel code is used. Within the used code, a certain part is invoked
only at runtime while the rest are executed at startup and/or shutdown phases
in the kernel's lifetime run. In this paper, we propose a reliable and
practical system, named KASR, which transparently reduces attack surfaces of
commodity OS kernels at runtime without requiring their source code. The KASR
system, residing in a trusted hypervisor, achieves the attack surface reduction
through a two-step approach: (1) reliably depriving unused code of executable
permissions, and (2) transparently segmenting used code and selectively
activating them. We implement a prototype of KASR on Xen-4.8.2 hypervisor and
evaluate its security effectiveness on Linux kernel-4.4.0-87-generic. Our
evaluation shows that KASR reduces the kernel attack surface by 64% and trims
off 40% of CVE vulnerabilities. Besides, KASR successfully detects and blocks
all 6 real-world kernel rootkits. We measure its performance overhead with
three benchmark tools (i.e., SPECINT, httperf and bonnie++). The experimental
results indicate that KASR imposes less than 1% performance overhead (compared
to an unmodified Xen hypervisor) on all the benchmarks.Comment: The work has been accepted at the 21st International Symposium on
Research in Attacks, Intrusions, and Defenses 201
- …