519 research outputs found

    Secure and efficient application monitoring and replication

    Memory corruption vulnerabilities remain a grave threat to systems software written in C/C++. Current best practices dictate compiling programs with exploit mitigations such as stack canaries, address space layout randomization, and control-flow integrity. However, adversaries quickly find ways to circumvent such mitigations, sometimes even before these mitigations are widely deployed. In this paper, we focus on an "orthogonal" defense that amplifies the effectiveness of traditional exploit mitigations. The key idea is to create multiple diversified replicas of a vulnerable program and then execute these replicas in lockstep on identical inputs while simultaneously monitoring their behavior. A malicious input that causes the diversified replicas to diverge in their behavior will be detected by the monitor; this allows discovery of previously unknown attacks such as zero-day exploits. So far, such multi-variant execution environments (MVEEs) have been held back by substantial runtime overheads. This paper presents a new design, ReMon, that is non-intrusive, secure, and highly efficient. Whereas previous schemes either monitor every system call or none at all, our system enforces cross-checking only for security-critical system calls while supporting more relaxed monitoring policies for system calls that are not security critical. We achieve this by splitting the monitoring and replication logic into an in-process component and a cross-process component. Our evaluation shows that ReMon offers the same level of security as conservative MVEEs and runs realistic server benchmarks at near-native speeds.

    Development of an Intelligent Monitoring and Control System for a Heterogeneous Numerical Propulsion System Simulation

    The NASA Numerical Propulsion System Simulation (NPSS) project is exploring the use of computer simulation to facilitate the design of new jet engines. Several key issues raised in this research are being examined in an NPSS-related research project: zooming, monitoring and control, and support for heterogeneity. The design of a simulation executive that addresses each of these issues is described. In this work, the strategy of zooming, which allows codes that model at different levels of fidelity to be integrated within a single simulation, is applied to the fan component of a turbofan propulsion system. A prototype monitoring and control system has been designed for this simulation to support experimentation with expert system techniques for active control of the simulation. An interconnection system provides a transparent means of connecting the heterogeneous systems that comprise the prototype

    Integrating VDE into the F2F framework

    This thesis describes the addition of a new extension to the Friend-to-Friend computing framework (F2F framework) that enables the creation of Virtual Distributed Ethernet (VDE) connections. The F2F framework is software developed in the Distributed Systems group at the University of Tartu that makes it possible to create private cloud solutions using networks of peer-to-peer nodes (P2P network). To create its networks, F2F uses existing social networks and messaging protocols, which enable data exchange between nodes and the creation of additional connections. Such connections are not fault tolerant and are accessible only through the F2F programming interface. The solution described here uses VDE technology to add to the F2F network a virtual Ethernet network with good performance, fault tolerance, and support for the STP protocol. The virtual network offered is designed to integrate easily with the virtualization technologies used in the F2F framework. The implementation combines software from the vde2 project developed at the University of Bologna, a non-blocking input/output model, and the F2F framework's inter-node connections. As a result, F2F framework users can set up a fully functional virtual Ethernet network that can be interfaced with various virtual machines.

    In this thesis the Virtual Distributed Ethernet (VDE) extension is introduced for the Friend-to-Friend (F2F) framework. F2F is an existing framework for creating Peer-to-Peer (P2P) private computing clouds developed by the Distributed Systems group at University of Tartu. F2F works by bootstrapping a P2P network from the social networks or instant-messenger networks in order to configure direct connections between the joined peers. These connections are not fault tolerant and can be used only through the F2F API. The new VDE extension we discuss here builds a high performance Virtual Ethernet topology, which adds fault recovery features and Spanning Tree Protocol (STP). The extension is designed to seamlessly integrate with existing virtualization tools that are used in F2F cloud computing. The implementation combines tools from the vde2 project (developed at University of Bologna) with non-blocking input/output libraries and peer communication API provided by the F2F framework. The improved framework provides a fully functional Ethernet network between the F2F peers, which is essential for the F2F client applications running on QEMU virtualization platform.

    Master of Science

    Thesis. Operating system (OS) kernel extensions, particularly device drivers, are one of the primary sources of vulnerabilities in commodity OS kernels. Vulnerabilities in driver code are often exploited by attackers, leading to attacks like privilege escalation, denial-of-service, and arbitrary code execution. Today, kernel extensions are fully trusted and operate within the core kernel without any form of isolation. But history suggests that this trust is often misplaced, emphasizing a need for some isolation in the kernel. We develop a new framework for isolating device drivers in the Linux kernel. Our work builds on three fundamental principles: (1) strong isolation of the driver code; (2) reuse of the existing driver while making no or minimal changes to the source; and (3) achieving the same or better performance compared to the nonisolated driver. In comparison to existing driver isolation schemes like driver virtual machines and user-level device driver implementations, our work strives to avoid modifying existing code and implements an I/O path without incurring substantial performance overhead. We demonstrate our approach by isolating an unmodified driver for a null block device in the Linux kernel, achieving near-native throughput for block sizes ranging from 512B to 256KB and outperforming the nonisolated driver for block sizes of 1MB and higher.

    CoAP Infrastructure for IoT

    The Internet of Things (IoT) can be seen as a large-scale network of billions of smart devices. Often IoT devices exchange data in small but numerous messages, which requires IoT services to be more scalable and reliable than ever. Traditional protocols that are known in the Web world do not fit well in the constrained environment that these devices operate in. Therefore many lightweight protocols specialized for the IoT have been studied, among which the Constrained Application Protocol (CoAP) stands out for its well-known REST paradigm and easy integration with the existing Web. On the other hand, new paradigms such as Fog Computing emerge, attempting to avoid the centralized bottleneck in IoT services by moving computations to the edge of the network. Since a node of the Fog essentially belongs to a relatively constrained environment, CoAP fits in well. Among the many attempts at building scalable and reliable systems, Erlang, as a typical concurrency-oriented programming (COP) language, has been battle tested in the telecom industry, which has similar requirements to the IoT. In order to explore the possibility of applying Erlang and COP in general to the IoT, this thesis presents an Erlang-based CoAP server/client prototype, ecoap, with a flexible concurrency model that can scale up to an unconstrained environment like the Cloud and scale down to a constrained environment like an embedded platform. The flexibility of the presented server renders the same architecture applicable from Fog to Cloud. To evaluate its performance, the proposed server is compared with the mainstream CoAP implementation on an Amazon Web Service (AWS) Cloud instance and a Raspberry Pi 3, representing the unconstrained and constrained environment respectively. The ecoap server achieves comparable throughput, lower latency, and in general scales better than the other implementation in the Cloud and on the Raspberry Pi. The thesis yields positive results and demonstrates the value of the philosophy of Erlang in the IoT space.

    Biometrics

    Biometrics - Unique and Diverse Applications in Nature, Science, and Technology provides a unique sampling of the diverse ways in which biometrics is integrated into our lives and our technology. From time immemorial, we as humans have been intrigued by, perplexed by, and entertained by observing and analyzing ourselves and the natural world around us. Science and technology have evolved to a point where we can empirically record a measure of a biological or behavioral feature and use it for recognizing patterns, trends, and/or discrete phenomena, such as individuals, and this is what biometrics is all about. Understanding some of the ways in which we use biometrics and for what specific purposes is what this book is all about.