Stop Hiding The Sharp Knives: The WebAssembly Linux Interface
WebAssembly is gaining popularity as a portable binary format targetable from
many programming languages. With a well-specified low-level virtual instruction
set, minimal memory footprint and many high-performance implementations, it has
been successfully adopted for lightweight in-process memory sandboxing in many
contexts. Despite these advantages, WebAssembly lacks many standard system
interfaces, making it difficult to reuse existing applications.
This paper proposes WALI: The WebAssembly Linux Interface, a thin layer over
Linux's userspace system calls, creating a new class of virtualization where
WebAssembly seamlessly interacts with native processes and the underlying
operating system. By virtualizing the lowest level of userspace, WALI offers
application portability with little effort and reuses existing compiler
backends. With WebAssembly's control flow integrity guarantees, these modules
gain an additional level of protection against remote code injection attacks.
Furthermore, capability-based APIs can themselves be virtualized and
implemented in terms of WALI, improving reuse and robustness through better
layering. We present an implementation of WALI in a modern WebAssembly engine
and evaluate its performance on a number of applications which we can now
compile with mostly trivial effort.
Comment: 12 pages, 8 figure
Improving Desktop System Security Using Compartmentalization
Compartmentalizing access to content, be it websites accessed in a browser or documents and applications accessed outside the browser, is an established method for protecting information integrity [12, 19, 21, 60]. Compartmentalization solutions change the user experience, introduce performance overhead and provide varying degrees of security. Striking a balance between usability and security is not an easy task. If the usability aspects are neglected or sacrificed in favor of more security, the resulting solution would have a hard time being adopted by end-users. Usability is affected by factors including (1) the generality of the solution in supporting various applications, (2) the type of changes required, (3) the performance overhead introduced by the solution, and (4) how much of the user experience is preserved. Security is affected by factors including (1) the attack surface of the compartmentalization mechanism, and (2) the security decisions offloaded to the user. This dissertation evaluates existing solutions based on the above factors and presents two novel compartmentalization solutions that are arguably more practical than their existing counterparts.
The first solution, called FlexICon, is an attractive alternative in the design space of compartmentalization solutions on the desktop. FlexICon allows for the creation of a large number of containers with a small memory footprint and low disk overhead. This is achieved by using lightweight virtualization based on Linux namespaces. FlexICon uses two mechanisms to reduce user mistakes: 1) a trusted file dialog for selecting files to open and launching them in the appropriate containers, and 2) a secure URL redirection mechanism that detects the user's intent and opens the URL in the proper container. FlexICon also provides a language to specify the access constraints that should be enforced by the various containers.
The second solution, called Auto-FBI, deals with web-based attacks by creating multiple instances of the browser and providing mechanisms for switching between the browser instances. The prototype implementation for Firefox and Chrome uses system call interposition to control the browser's network access. Auto-FBI can be ported to other platforms easily due to its simple design and the ubiquity of system call interposition methods on all major desktop platforms.
Dissertation/Thesis: Doctoral Dissertation, Computer Science, 201
High-Performance Cloud Computing: A View of Scientific Applications
Scientific computing often requires the availability of a massive number of
computers for performing large scale experiments. Traditionally, these needs
have been addressed by using high-performance computing solutions and installed
facilities such as clusters and supercomputers, which are difficult to set up,
maintain, and operate. Cloud computing provides scientists with a completely
new model of utilizing the computing infrastructure. Compute resources, storage
resources, as well as applications, can be dynamically provisioned (and
integrated within the existing infrastructure) on a pay-per-use basis. These
resources can be released when they are no longer needed. Such services are often
offered within the context of a Service Level Agreement (SLA), which ensures the
desired Quality of Service (QoS). Aneka, an enterprise Cloud computing
solution, harnesses the power of compute resources by relying on private and
public Clouds and delivers to users the desired QoS. Its flexible and
service-based infrastructure supports multiple programming paradigms that make Aneka
address a variety of different scenarios: from finance applications to
computational science. As examples of scientific computing in the Cloud, we
present a preliminary case study on using Aneka for the classification of gene
expression data and the execution of an fMRI brain imaging workflow.
Comment: 13 pages, 9 figures, conference pape
Reusable generic software robot
Abstract. The main purpose of this thesis was to create a generic reusable software robot which can be deployed into any IaaS-type cloud service. The first thing researched in this thesis was how to implement a virtualised environment in a cloud service. The two options for virtualising the environment were a container and a virtual machine. Both possible implementations were researched, since the resulting implementation must be compatible with a cloud service. A container-based implementation was found to be the best option: firstly, it is lightweight to move around, and secondly, the start-up time of a new instance in a cloud service is fast.
Possible cloud providers were surveyed after researching possible implementation methods. Two cloud providers, AWS and Azure, were studied more closely, since they offer infrastructure as a service and are commonly used. AWS was chosen as the platform because of its higher maturity level and because it makes it possible to add or remove container capabilities.
Finally, it was discussed how the generic reusable software robot was implemented. Notable characteristics of tasks suitable for a software robot were considered.
Single-use generic software robot. Abstract. This thesis studied how a generic single-use software robot can be implemented in a cloud service. First, different virtualisation methods with which the software robot could be implemented were examined. The methods studied were a virtual machine and a container. These two implementation approaches were compared with regard to the suitability of the finished implementation for a cloud service. The container was found to be the most suitable implementation approach, because it takes up little space and starting a new instance is fast.
Cloud service providers were studied once a suitable implementation method for the software robot had been found. The study focused on AWS and Azure, which are currently among the largest providers of infrastructure-as-a-service type cloud services on the market. AWS was chosen as the implementation platform because it is technically more advanced than Azure and because AWS makes it possible to add and remove container permissions.
Finally, it was presented how the generic single-use software robot was implemented and what must be taken into account when deciding on a suitable use case for the software robot.
Are Unikernels Ready for Serverless on the Edge?
Function-as-a-Service (FaaS) is a promising edge computing execution model
but requires secure sandboxing mechanisms to isolate workloads from multiple
tenants on constrained infrastructure. Although Docker containers are
lightweight and popular in open-source FaaS platforms, they are generally
considered insufficient for executing untrusted code and providing sandbox
isolation. Commercial cloud FaaS platforms thus rely on Linux microVMs or
hardened container runtimes, which are secure but come with a higher resource
footprint.
Unikernels combine application code and limited operating system primitives
into a single-purpose appliance, reducing the footprint of an application and
its sandbox while providing full Linux compatibility. In this paper, we study
the suitability of unikernels as an edge FaaS execution environment using the
Nanos and OSv unikernel toolchains. We compare performance along several
metrics such as cold start overhead and idle footprint against sandboxes such
as Firecracker Linux microVMs, Docker containers, and secure gVisor containers.
We find that unikernels exhibit desirable cold start performance, yet lag
behind Linux microVMs in stability. Nevertheless, we show that unikernels are a
promising candidate for further research on Linux-compatible FaaS isolation.
Mining sandboxes for Linux containers