SaTC: CORE: Small: Collaborative: Fine Grained Protection for Scalable Single-Use Services

SaTC：核心：小型：协作：可扩展一次性服务的细粒度保护

• 批准号: 1814234
• 负责人: Timothy Wood
• 金额: $ 26.6万
• 依托单位: George Washington University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-09-01 至 2021-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1814234&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; Collaborative; Fine

Popular Internet servers and web sites may serve thousands of users simultaneously. To handle this volume of activity, these servers share resources, such as processors, memory, and hard disk space. These shared resources provide an avenue for an attacker to affect other users connected to the server if the attacker successfully exploits a vulnerability in the server. This research project aims to eliminate this risk by creating an individual, customized server instance for each user that runs within an isolated single-use container. When the container isolation is carefully managed, this technique prevents an attacker from being able to affect other users, even if the attacker exploits a server instance within a container. The project explores innovative techniques to achieve scalability and security for these containerized services. With over 3 billion people using the Internet, many of whom interact with user-facing servers multiple times a day, the project's outcomes can broadly impact society's computer security. In addition to preventing attackers from affecting other users, the container approach enables detailed forensics to allow defenders to learn from attacks. The research project additionally provides educational opportunities for undergraduate and graduate students as well as outreach activities for the community.To create these single-use containers, the project explores new techniques across the areas of operating systems, network controllers, authentication, and capability management. The project's first research direction explores opportunities to create new operating system and network-function virtualization techniques to scale to large numbers of containers on each host. A second research direction focuses on the design and implementation of new network and container management algorithms so that flexible security policies can be applied on a per-user basis. A third research direction explores how to manage the access and identity associated with each container to tailor permissions to match those of the user on the client. A final research direction explores automated response mechanisms and forensic collection measures needed to understand and reconstruct attacks. These techniques allow defenders to learn the details surrounding container vulnerabilities each time an attacker compromises a container. In combination, these research activities shift the security advantage to the server operator by transforming previously destructive attacks into instructive lessons for the defenders.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

流行的互联网服务器和网站可以同时为数千个用户提供服务。为了处理如此大量的活动，这些服务器共享资源，例如处理器、内存和硬盘空间。如果攻击者成功利用服务器中的漏洞，这些共享资源将为攻击者提供影响连接到服务器的其他用户的途径。该研究项目旨在通过为每个用户创建一个在隔离的一次性容器中运行的单独的、定制的服务器实例来消除这种风险。当仔细管理容器隔离时，该技术可以防止攻击者影响其他用户，即使攻击者利用容器内的服务器实例也是如此。该项目探索创新技术来实现这些容器化服务的可扩展性和安全性。超过 30 亿人使用互联网，其中许多人每天与面向用户的服务器进行多次交互，该项目的成果可以广泛影响社会的计算机安全。除了防止攻击者影响其他用户之外，容器方法还可以进行详细的取证，使防御者能够从攻击中学习。该研究项目还为本科生和研究生提供教育机会，并为社区提供外展活动。为了创建这些一次性容器，该项目探索了操作系统、网络控制器、身份验证和功能管理等领域的新技术。该项目的第一个研究方向探索创建新操作系统和网络功能虚拟化技术的机会，以扩展到每个主机上的大量容器。第二个研究方向侧重于新网络和容器管理算法的设计和实现，以便可以在每个用户的基础上应用灵活的安全策略。第三个研究方向探索如何管理与每个容器关联的访问和身份，以定制权限以匹配客户端上用户的权限。最终的研究方向探索理解和重建攻击所需的自动响应机制和取证收集措施。这些技术使防御者能够在每次攻击者破坏容器时了解有关容器漏洞的详细信息。结合起来，这些研究活动通过将以前的破坏性攻击转变为对防御者的指导性教训，将安全优势转移给服务器运营商。该奖项反映了 NSF 的法定使命，并通过使用基金会的智力价值和更广泛的影响审查进行评估，被认为值得支持标准。

项目成果

Advancing Network Function Virtualization Platforms with Programmable NICs

使用可编程 NIC 推进网络功能虚拟化平台

• DOI: 10.1109/lanman.2019.8847032
• 发表时间: 2019-07
• 期刊: IEEE International Symposium on Local and Metropolitan Area Networks (LANMAN
• 作者: Ni, Zhen;Liu, Guyue;Afanasev, Dennis;Wood, Timothy;Hwang, Jinho
• 通讯作者: Hwang, Jinho

A SmartNIC-based Load Balancing and Auto Scaling Framework for Middlebox Edge Server

基于SmartNIC的中间盒边缘服务器负载均衡和自动伸缩框架

• DOI: 10.1109/nfv-sdn53031.2021.9665167
• 发表时间: 2021-11-09
• 期刊: 2021 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN)
• 作者: Zhen Ni;Cui Wei;Timothy Wood;Nakjung Choi
• 通讯作者: Nakjung Choi

Fine-Grained Isolation for Scalable, Dynamic, Multi-tenant Edge Clouds

可扩展、动态、多租户边缘云的细粒度隔离

• DOI: 10.1016/j.desal.2020.114807
• 发表时间: 2020-07-01
• 期刊: Desalination
• 影响因子: 9.9
• 作者: Yuxin Ren;Guyue Liu;Vlad Nitu;Wenyuan Shao;Riley Kennedy;Gabriel Parmer;Timothy Wood;A. Tchana
• 通讯作者: A. Tchana