Time Protection: the Missing OS Abstraction
Timing channels enable data leakage that threatens the security of computer
systems, from cloud platforms to smartphones and browsers executing untrusted
third-party code. Preventing unauthorised information flow is a core duty of
the operating system; however, present OSes are unable to prevent timing
channels. We argue that OSes must provide time protection in addition to the
established memory protection. We examine the requirements of time protection,
present a design and its implementation in the seL4 microkernel, and evaluate
its efficacy as well as performance overhead on Arm and x86 processors.
A New Approach to Coding in Content Based MANETs
In content-based mobile ad hoc networks (CB-MANETs), random linear network
coding (NC) can be used to reliably disseminate large files under intermittent
connectivity. Conventional NC involves random unrestricted coding at
intermediate nodes. This however is vulnerable to pollution attacks. To avoid
attacks, a brute force approach is to restrict the mixing at the source.
However, source restricted NC generally reduces the robustness of the code in
the face of errors, losses and mobility induced intermittence. CB-MANETs
introduce a new option. Caching is common in CB-MANETs and a fully reassembled
cached file can be viewed as a new source. Thus, NC packets can be mixed at all
sources (including the originator and the intermediate caches) yet still
providing protection from pollution. The hypothesis we wish to test in this
paper is whether in CB-MANETs with sufficient caches of a file, the performance
(in terms of robustness) of the restricted coding equals that of unrestricted
coding.
In this paper, we examine and compare unrestricted coding to full cache
coding, source only coding, and no coding. As expected, we find that full cache
coding remains competitive with unrestricted coding while maintaining full
protection against pollution attacks.
Faster enclave transitions for IO-intensive network applications
Process-based confidential computing enclaves such as Intel SGX have been proposed for protecting the confidentiality and integrity of network applications, without the overhead of virtualization. However, these solutions introduce other types of overhead, particularly the cost of transitioning in and out of an enclave context. This makes the use of enclaves impractical for running IO-intensive applications, such as network packet processing. We build on earlier approaches to improve the IO performance of workloads in Intel SGX enclaves and propose the HotCall-Bundler library that helps reduce the cost of individual single enclave transitions and the total number of enclave transitions in trusted applications running in Intel SGX enclaves. We describe the implementation of the HotCall-Bundler library, evaluate its performance and demonstrate its practicality using the case study of Open vSwitch, a widely used software switch implementation.
TrIMS: Transparent and Isolated Model Sharing for Low Latency Deep Learning Inference in Function as a Service Environments
Deep neural networks (DNNs) have become core computation components within
low latency Function as a Service (FaaS) prediction pipelines: including image
recognition, object detection, natural language processing, speech synthesis,
and personalized recommendation pipelines. Cloud computing, as the de-facto
backbone of modern computing infrastructure for both enterprise and consumer
applications, has to be able to handle user-defined pipelines of diverse DNN
inference workloads while maintaining isolation and latency guarantees, and
minimizing resource waste. The current solution for guaranteeing isolation
within FaaS is suboptimal -- suffering from "cold start" latency. A major cause
of such inefficiency is the need to move large amounts of model data within and
across servers. We propose TrIMS as a novel solution to address these issues.
Our proposed solution consists of a persistent model store across the GPU, CPU,
local storage, and cloud storage hierarchy, an efficient resource management
layer that provides isolation, and a succinct set of application APIs and
container technologies for easy and transparent integration with FaaS, Deep
Learning (DL) frameworks, and user code. We demonstrate our solution by
interfacing TrIMS with the Apache MXNet framework and demonstrate up to 24x
speedup in latency for image classification models and up to 210x speedup for
large models. We achieve up to 8x system throughput improvement. Comment: In Proceedings CLOUD 201