CSR: Medium: Security and Isolation in the Era of Microservices

CSR：中：微服务时代的安全与隔离

• 批准号: 1763810
• 负责人: Aditya Akella
• 金额: $ 120万
• 依托单位: University of Wisconsin-Madison
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-08-01 至 2022-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1763810&HistoricalAwards=false
• 关键词: CSR; Medium; Security; Isolation; Era

Years ago, applications such as news, e-commerce, or banking websites ran on computers deployed at organizations owning them. Today, with the advent of "cloud computing", such applications instead run in a far-away server farm operated by third-parties. Because the computers are shared by many applications, it is crucial to ensure that one application in the cloud, such as a news website, does not compromise the confidentiality or integrity of another application (e.g., a banking website) running on the same set of computers. The goal of this project is to develop systems that ensure cloud applications are suitably protected without sacrificing their performance and ability to grow/shrink. This goal will be realized by developing two core building blocks to achieve optimal trade-offs between isolation and performance/agility. The first is variable isolation, where we automatically determine the least privilege and best isolation techniques needed for components of an application, and deploy the highest (weakest) isolation where needed most (least). The second is isolation-aware replication, where tenants selectively replicate their compute and storage within higher-isolation sandboxes. Finally, the project will develop new programming models for correct distributed execution of microservices-based applications.The research, if successful, will improve both the performance and the security posture of cloud-based applications. Research outcomes of the project, including the experimental harnesses and datasets, will be released open-source, enabling others in research and industry to directly build on them. The project will lead to the development of new courses and boot camps that focus on microservices, lambda-style computation, and isolation. The course/boot camp material will be made publicly available. The project aims to integrate the research into outreach efforts aimed at women, under-represented minorities, non-traditional students, and high school students.The project and its research artifacts will be hosted at https://bitbucket.org/uw-madison-networking-research/isolation. This site will include research publications, software, datasets, presentations, and tutorials. This site will be kept up to date for the entire duration of the project and for 2-3 years immediately following the project's culmination.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

几年前，新闻，电子商务或银行网站等应用程序运行在拥有它们的组织部署的计算机上。如今，随着“云计算”的出现，此类应用程序而不是在第三方经营的遥远服务器农场中运行。由于计算机是由许多应用程序共享的，因此必须确保云中的一个应用程序（例如新闻网站）不会损害另一个应用程序（例如，银行网站）在同一计算机集上运行的另一个应用程序的机密性或完整性。该项目的目的是开发系统，以确保云应用程序得到适当保护，而不会牺牲其性能和成长/收缩的能力。通过开发两个核心构建块，以实现隔离和性能/敏捷性之间的最佳权衡，可以实现这一目标。第一个是可变隔离，在其中我们会自动确定应用程序组件所需的最低特权和最佳隔离技术，并在最需要的情况下（最少）部署最高（最弱的）隔离。第二个是隔离感知的复制，其中租户选择性地将其计算和存储在更高分离的沙箱中。最后，该项目将开发新的编程模型，以正确的基于微服务的应用程序的分布式执行。如果成功的话，将改善基于云的应用程序的性能和安全姿势。该项目的研究成果，包括实验线束和数据集，将被发布开源，使研究和行业中的其他人能够直接建立在其基础上。该项目将导致开发新课程和新兵训练营，这些课程专注于微服务，兰巴达风格的计算和隔离。该课程/新兵训练营的资料将公开提供。该项目旨在将针对妇女，代表性不足的少数民族，非传统学生和高中生的外展努力进行研究。该项目及其研究文物将于https://bitbucket.org/uw-madison-networking-research-research/isolation举办。该站点将包括研究出版物，软件，数据集，演示文稿和教程。该网站将在项目的整个过程中保持最新状态，并在该项目的高潮结束后立即进行2 - 3年。该奖项反映了NSF的法定任务，并且使用基金会的知识分子优点和更广泛的影响审查标准，认为值得通过评估值得支持。

项目成果

Can Applications Recover from fsync Failures?

应用程序可以从 fsync 失败中恢复吗？

• 发表时间: 2020
• 期刊: The 2020 USENIX Annual Technical Conference (USENIX ATC '20
• 作者: Rebello, Anthony;Patel, Yuvraj;Alagappan, Ramnatthan;Arpaci-Dusseau, Andrea;Arpaci-Dusseau, Remzi
• 通讯作者: Arpaci-Dusseau, Remzi

Strong and Efficient Consistency with Consistency-Aware Durability

强大而高效的一致性以及一致性感知的持久性

• 发表时间: 2020
• 期刊: 18th USENIX Conference on File and Storage Technologies (FAST '20
• 作者: Ganesan, Aishwarya;Alagappan, Ramnatthan;Arpaci-Dusseau, Andrea;Arpaci-Dusseau, Remzi
• 通讯作者: Arpaci-Dusseau, Remzi

Blending containers and virtual machines: a study of firecracker and gVisor

混合容器和虚拟机：Firecracker 和 gVisor 的研究

• DOI: 10.1145/3381052.3381315
• 发表时间: 2020
• 期刊: 16th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments
• 作者: Anjali, FNU;Caraza-Harter, Tyler;Swift, Michael M.
• 通讯作者: Swift, Michael M.

Avoiding Scheduler Subversion using Scheduler–Cooperative Locks

使用 Scheduler 合作锁避免 Scheduler 颠覆

• 发表时间: 2020
• 期刊: European Conference on Computer Systems (EuroSys
• 作者: Patel, Yuvraj;Yang, Leon;Arulraj, Leo;Arpaci-Dusseau, Andrea;Arpaci-Dusseau, Remzi;Swift, Michael
• 通讯作者: Swift, Michael

Read as Needed: Building WiSER, a Flash-Optimized Search Engine

• 发表时间: 2020
• 作者: Jun He;Kan Wu;Sudarsun Kannan;Andrea C. Arpaci-Dusseau;Remzi H. Arpaci-Dusseau