4 research outputs found
Revisiting Isolation For System Security And Efficiency In The Era Of Internet Of Things
Isolation is a fundamental paradigm for secure and efficient resource sharing on a computer system. However, isolation mechanisms in traditional cloud computing platforms are heavy-weight or just not feasible to be applied onto the computing environment for Internet of Things (IoT). Most IoT devices have limited resources and their servers are less powerful than cloud servers but are widely distributed over the edge of the Internet. Revisions to the traditional isolation mechanisms are needed in order to improve the system security and efficiency in these computing environments. The first project explores container-based isolation for the emerging edge computing platforms. We show a performance issue of live migration between edge servers where the file system transmission becomes a bottleneck. Then we propose a solution that leverages a layered file system for synchronization before the migration starts, avoiding the usage of impractical networking shared file system as in the traditional solution. The evaluation shows that the migration time is reduced by 56% – 80%. In the second project, we propose a lightweight security monitoring service for edge computing platforms, based on the virtual machine isolation technique. Our framework is designed to monitor program activities from underneath of an operating system, which improves its transparency and avoids the cost of embedding different monitor modules into each layer inside the operating system. Furthermore, the monitor runs in a single process virtual machine which requires only ≤32MB of memory, reduces the scheduling overhead, and saves a significant amount of physical memory, while the performance overhead is an average of 2.7%. In the third project, we co-design the hardware and software system stack to achieve efficient fine-grained intra-address space isolation.
We propose a systematic solution to partition a legacy program into multiple security compartments, which we call capsules, with isolation at byte granularity. Vulnerabilities in one capsule will not likely affect another capsule. The isolation is guaranteed by our hardware-based ownership types tagged to every byte in the memory. The ownership types are initialized, propagated, and checked by combining both static and dynamic analysis techniques. Finally, our co-design approach could remove most human refactoring efforts while avoiding the untrustworthiness as well as the cost of the pure software approaches. In brief, this proposal explores a spectrum of isolation techniques and their improvements for the IoT computing environment. With our explorations, we have shown the necessity to revise the traditional isolation mechanisms in order to improve the system efficiency and security for the edge and IoT platforms. We expect that many more opportunities will be discovered and various kinds of revised or new isolation mechanisms for the edge and IoT platforms will emerge soon.
Satellite Communications
This study is motivated by the need to give the reader a broad view of the developments, key concepts, and technologies related to information society evolution, with a focus on the wireless communications and geoinformation technologies and their role in the environment. Giving perspective, it aims at assisting people active in the industry, the public sector, and Earth science fields as well, by providing a base for their continued work and thinking.
Proceedings of the 9th MIT/ONR workshop on C3 Systems, held at Naval Postgraduate School and Hilton Inn Resort Hotel, Monterey, California June 2 through June 5, 1986
GRSN 627729. "December 1986." Includes bibliographical references and index. Sponsored by Massachusetts Institute of Technology, Laboratory for Information and Decision Systems, Cambridge, Mass., with support from the Office of Naval Research. ONR/N00014-77-C-0532 (NR041-519). Sponsored in cooperation with IEEE Control Systems Society, Technical Committee on C. Edited by Michael Athans, Alexander H. Levis.
Conceiving systems
The thesis is concerned with the development of innovative, robust design concepts for a class of systems called Information Decision Action (IDA) Systems. IDA systems are typified by Command and Control (C2) and Command, Control, Communications and Intelligence (C3I) systems as used by police, emergency services and the military - the two titles refer respectively to the human activity and the technological systems. The class of systems is much wider, however, and includes financial, traffic control, business and even governmental systems where information is gathered, used as a basis for human decision-forming, and results in action, all in real, or near-real time. IDA system complexity stems largely from the dominance of robust human activity systems within the overall system, and also from the employment of often-rigid, technology-based, decision support systems which are unable to adapt as swiftly as the humans they serve. The thesis is in two parts. In the first part, the author presents a perspective on "hard" and "soft" systems and the gradual move by so-called "hard" systems engineers towards softer concepts in the search for more satisfactory IDA systems. This progression is presented partly by anecdote, supported by some of the author's papers showing the development of his contribution to understanding of, and partly by an exposition of the essential themes inherent in, IDA systems. Keynote papers in the first part are: MOSAIC: Concepts for the Deployment of Air Power in Europe and The Human Element in C3I. The first of these presents a highly-survivable alternative to the present force and C2 deployment approaches which have evolved little since World War II; the second considers the human and his social behaviour as keys to understanding IDA systems.
Other papers develop the themes and show their application to systems in which the author has had major involvement. The second part is concerned with the process of conceiving and creating IDA systems and it too draws on published papers as direct support for the thesis. Keynote papers here are A General Theory of Command and Control, a unique recent paper which proposes a set of design axioms for an idealized IDA system, the award-winning Managing Systems Creation which presents an engineering framework for Creating Systems, and SEAMS (Systems Engineering, Analysis and Management Support) which signals a major design initiative to develop engineering frameworks into company-wide IT environments. The second part also introduces a complete Conceiving System, called the Seven-Step Continuum (SSC), describes some prototype tools developed by the author to perform some of the tasks of design conception and - in Chapter 9, which is a paper within the thesis - shows results from using the SSC, its methods and tools, in practice. The second part closes with a look forward to the building of flexible future systems which can adapt to their environment.