Multitenant Containers as a Service (CaaS) for Clouds and Edge Clouds
Cloud computing, offering on-demand access to computing resources through the
Internet under a pay-as-you-go model, has marked the last decade with its three
main service models: Infrastructure as a Service (IaaS), Platform as a Service
(PaaS), and Software as a Service (SaaS). The lightweight nature of containers
compared to virtual machines has led to the rapid uptake of a further model in
recent years, Containers as a Service (CaaS), which falls between IaaS and PaaS
in terms of control abstraction. However, when CaaS is offered to multiple
independent users, or tenants, a multi-instance approach is used in which each
tenant receives its own separate cluster, which reintroduces significant
overhead because virtual machines are used for isolation. If CaaS is to be
offered not just in the cloud but also at the edge cloud, where resources are
limited, another solution is required. We introduce a native CaaS multitenancy
framework, in which tenants share a cluster, which is more efficient than the
one-tenant-per-cluster model. Whenever resources are shared, isolation of
multitenant workloads is an issue; such workloads can be isolated today with
Kata Containers. Our framework also accommodates applications whose
requirements demand complete isolation and a fully customized environment:
node-level slicing lets tenants programmatically reserve isolated subclusters
in which they choose the container runtime that suits their application. The
framework is publicly available as liberally licensed, free, open-source
software that extends Kubernetes, the de facto standard container
orchestration system. It is in production use within the EdgeNet testbed for
researchers.
EdgeNet: A Multi-Tenant and Multi-Provider Edge Cloud
EdgeNet is a public Kubernetes cluster dedicated to network and distributed systems research, supporting experiments that are deployed concurrently by independent groups. Its nodes are hosted by multiple institutions around the world. It represents a departure from the classic Kubernetes model, where the nodes available to a single tenant reside in a small number of well-interconnected data centers. The free open-source EdgeNet code extends Kubernetes to the edge, making three key contributions: multi-tenancy, geographical deployments, and single-command node installation. We show that establishing a public Kubernetes cluster over the internet, with multiple tenants and multiple hosting providers, is viable. Preliminary results also indicate that the EdgeNet testbed that we run provides a satisfactory environment for a variety of experiments with minimal network overhead.
CHAINIAC: Proactive Software-Update Transparency via Collectively Signed Skipchains and Verified Builds
Software-update mechanisms are critical to the security of modern systems,
but their typically centralized design presents a lucrative and frequently
attacked target. In this work, we propose CHAINIAC, a decentralized
software-update framework that eliminates single points of failure, enforces
transparency, and provides efficient verifiability of integrity and
authenticity for software-release processes. Independent witness servers
collectively verify conformance of software updates to release policies,
validate the source-to-binary correspondence, and sign a tamper-proof release
log, thus ensuring that no release is accepted by clients before being widely
disclosed and validated. The release log embodies a skipchain, a novel data
structure, enabling arbitrarily out-of-date clients to efficiently validate
updates and signing keys. Evaluation of our CHAINIAC prototype on reproducible
Debian packages shows that the automated update process takes on average
5 minutes per release for individual packages, and only 20 seconds for the
aggregate timeline. We further evaluate the framework using real-world data
from the PyPI package repository and show that it offers clients security
comparable to verifying every single update themselves while consuming only
one-fifth of the bandwidth and having a minimal computational overhead.
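The skipchain mentioned in the abstract is what lets a client that has not updated in a long time reach the newest release without re-verifying every intermediate one. The following toy implementation is an added example, not CHAINIAC's code: each block carries that epoch's signing keys, and a forward link from an older block to a newer one is endorsed by the older block's key set, so a client only ever extends trust from keys it already holds. Assumptions of our own: the block layout, the names `Block`, `append`, `catch_up` and `build_demo`, a skip factor of 2 with 4 levels, a 2-of-3 threshold per epoch, and HMAC-SHA256 tags (verified with the signer's own secret) as a stand-in for real collective signatures, which the real system does not use.

```python
"""Toy skipchain: signed forward links let a stale client jump to the newest
release in few hops, adopting each epoch's signing keys along the way.

Stand-ins (assumptions, not CHAINIAC's real mechanisms): cosignatures are
plain HMAC-SHA256 tags from individual signers, verified with the same secret,
and any set of >= THRESHOLD valid signers counts as a collective signature.
"""
import hashlib
import hmac
import json
import secrets

BASE = 2          # skip factor: a level-l link points to the next block of height > l
LEVELS = 4        # maximum height; the genesis block gets the maximum
THRESHOLD = 2     # signers from the *source* block's key set needed per link

SECRETS = {}      # signer id -> secret; stand-in for a public-key directory


def new_signer(name):
    SECRETS[name] = secrets.token_bytes(32)
    return name


def sign(signer, msg):
    return hmac.new(SECRETS[signer], msg, hashlib.sha256).hexdigest()


def verify(signer, msg, tag):
    return signer in SECRETS and hmac.compare_digest(sign(signer, msg), tag)


def height(index):
    """Number of forward-link levels a block has: 1 + times BASE divides its index."""
    if index == 0:
        return LEVELS
    h = 1
    while index % BASE == 0 and h < LEVELS:
        index //= BASE
        h += 1
    return h


class Block:
    def __init__(self, index, keys, payload):
        self.index, self.keys, self.payload = index, keys, payload
        self.forward = {}   # level -> (target index, target hash, {signer: tag})

    def hash(self):
        # Forward links are excluded so the hash is fixed once the block exists.
        body = json.dumps([self.index, self.keys, self.payload], sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()


def link_msg(src, dst):
    return f"fwd|{src.hash()}|{dst.hash()}".encode()


def append(chain, payload):
    """Add a block with fresh signing keys (key rotation), then have earlier
    blocks' signers create every forward link that ends at the new block."""
    idx = len(chain)
    keys = [new_signer(f"epoch{idx}-{i}") for i in range(3)]
    block = Block(idx, keys, payload)
    chain.append(block)
    for src in chain[:-1]:
        for level in range(height(src.index)):
            if level not in src.forward and height(idx) > level:
                msg = link_msg(src, block)
                sigs = {k: sign(k, msg) for k in src.keys}   # endorsed by OLD keys
                src.forward[level] = (idx, block.hash(), sigs)
    return block


def catch_up(chain, trusted_index):
    """A client that last trusted block `trusted_index` follows the highest
    available forward link on each hop, checking it against the keys it
    already trusts before adopting the target block's keys."""
    cur = chain[trusted_index]
    hops = [cur.index]
    while cur.forward:
        level = max(cur.forward)                 # highest level jumps furthest
        target_idx, target_hash, sigs = cur.forward[level]
        target = chain[target_idx]
        if target.hash() != target_hash:
            raise ValueError(f"block {target_idx} does not match its forward link")
        msg = link_msg(cur, target)
        good = sum(1 for k, t in sigs.items() if k in cur.keys and verify(k, msg, t))
        if good < THRESHOLD:
            raise ValueError(f"link {cur.index}->{target_idx}: only {good} valid signatures")
        cur = target
        hops.append(cur.index)
    return cur, hops


def build_demo(n=9):
    """Constructed sample timeline: nine releases 1.0 .. 1.8 of one package."""
    chain = []
    for i in range(n):
        append(chain, {"pkg": "example", "version": f"1.{i}"})
    return chain
```

With nine blocks, `catch_up(chain, 0)` reaches block 8 in a single hop via the genesis block's level-3 link, and a client stuck at block 3 needs only the hops 3, 4, 8. Two failure modes are worth exercising: editing block 8's payload makes its hash disagree with the forward link, and replacing a link's tags with signatures from block 8's own (newest) keys is rejected because the link must be endorsed by the source block's key set, so compromising only the latest keys does not let an attacker rewrite the path a stale client follows.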
Recommended from our members
Stork: Secure Package Management for VM Environments
Package managers are a common tool for installing, removing, and updating software on modern computer systems. Unfortunately, existing package managers have two major problems. First, inadequate security leads to vulnerability to attack. There are nine feasible attacks against modern package managers, many of which are enabled by flaws in the underlying security architecture. Second, in Virtual Machine (VM) environments such as Xen, VMware, and VServers, different VMs on the same physical machine are treated as separate systems by package managers, leading to redundant package downloads and installations. This dissertation focuses on the design, development, and evaluation of a package manager called Stork that does not have these problems. Stork provides a security architecture that prevents the attacks other package managers are vulnerable to. Stork is also efficient in VM environments and reduces redundant package management actions. Stork is a real system that has been in use for four years and has managed half a million VM instantiations.
Finding Sensitive Accounts on Twitter: An Automated Approach Based on Follower Anonymity
We explore the feasibility of automatically finding accounts that publish sensitive content on Twitter by examining the percentages of anonymous and identifiable followers the accounts have. We first designed a machine learning classifier to automatically determine whether a Twitter account is anonymous or identifiable. We then classified an account as potentially sensitive based on the percentages of anonymous and identifiable followers it has. We applied our approach to approximately 100,000 accounts with 404 million active followers. The approach uncovered accounts that were sensitive for a diverse set of reasons.