Secure Virtualization and Multicore Platforms State-of-the-Art report

SVaM

Time Protection: the Missing OS Abstraction

Timing channels enable data leakage that threatens the security of computer systems, from cloud platforms to smartphones and browsers executing untrusted third-party code. Preventing unauthorised information flow is a core duty of the operating system, however, present OSes are unable to prevent timing channels. We argue that OSes must provide time protection in addition to the established memory protection. We examine the requirements of time protection, present a design and its implementation in the seL4 microkernel, and evaluate its efficacy as well as performance overhead on Arm and x86 processors

A New Approach to Coding in Content Based MANETs

In content-based mobile ad hoc networks (CB-MANETs), random linear network coding (NC) can be used to reliably disseminate large files under intermittent connectivity. Conventional NC involves random unrestricted coding at intermediate nodes. This however is vulnerable to pollution attacks. To avoid attacks, a brute force approach is to restrict the mixing at the source. However, source restricted NC generally reduces the robustness of the code in the face of errors, losses and mobility induced intermittence. CB-MANETs introduce a new option. Caching is common in CB MANETs and a fully reassembled cached file can be viewed as a new source. Thus, NC packets can be mixed at all sources (including the originator and the intermediate caches) yet still providing protection from pollution. The hypothesis we wish to test in this paper is whether in CB-MANETs with sufficient caches of a file, the performance (in terms of robustness) of the restricted coding equals that of unrestricted coding. In this paper, we examine and compare unrestricted coding to full cache coding, source only coding, and no coding. As expected, we find that full cache coding remains competitive with unrestricted coding while maintaining full protection against pollution attacks

Faster enclave transitions for IO-intensive network applications

Process-based confidential computing enclaves such as Intel SGX have been proposed for protecting the confidentiality and integrity of network applications, without the overhead of virtualization. However, these solutions introduce other types of overhead, particularly the cost transitioning in and out of an enclave context. This makes the use of enclaves impractical for running IO-intensive applications, such as network packet processing. We build on ear- lier approaches to improve the IO performance of workloads in Intel SGX enclaves and propose the HotCall-Bundler library that helps reduce the cost of individual single enclave transitions and the total number of enclave transitions in trusted applications running in Intel SGX enclaves. We describe the implementation of the HotCall-Bundler library, evaluate its performance and demonstrate its practicality using the case study of Open vSwitch, a widely used software switch implementation

TrIMS: Transparent and Isolated Model Sharing for Low Latency Deep LearningInference in Function as a Service Environments

Deep neural networks (DNNs) have become core computation components within low latency Function as a Service (FaaS) prediction pipelines: including image recognition, object detection, natural language processing, speech synthesis, and personalized recommendation pipelines. Cloud computing, as the de-facto backbone of modern computing infrastructure for both enterprise and consumer applications, has to be able to handle user-defined pipelines of diverse DNN inference workloads while maintaining isolation and latency guarantees, and minimizing resource waste. The current solution for guaranteeing isolation within FaaS is suboptimal -- suffering from "cold start" latency. A major cause of such inefficiency is the need to move large amount of model data within and across servers. We propose TrIMS as a novel solution to address these issues. Our proposed solution consists of a persistent model store across the GPU, CPU, local storage, and cloud storage hierarchy, an efficient resource management layer that provides isolation, and a succinct set of application APIs and container technologies for easy and transparent integration with FaaS, Deep Learning (DL) frameworks, and user code. We demonstrate our solution by interfacing TrIMS with the Apache MXNet framework and demonstrate up to 24x speedup in latency for image classification models and up to 210x speedup for large models. We achieve up to 8x system throughput improvement.Comment: In Proceedings CLOUD 201