CICI: UCSS: Secure Containers in High-Performance Computing Infrastructure

CICI：UCSS：高性能计算基础设施中的安全容器

• 批准号: 2319975
• 负责人: Yuede Ji
• 金额: $ 60万
• 依托单位: University of North Texas
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2023
• 资助国家: 美国
• 起止时间: 2023-08-01 至 2026-07-31
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2319975&HistoricalAwards=false
• 关键词: CICI; UCSS; Secure; Containers; Performance

Ensuring the security and privacy of high-performance computing (HPC) infrastructures is of utmost importance due to their handling of sensitive data and critical scientific computations. HPC infrastructures commonly employ containers, which provide lightweight and isolated environments for running applications. Nevertheless, containers in HPC infrastructures encounter security challenges, including insecure container images and vulnerabilities related to isolation. Existing container image scanners face a major challenge of low coverage, while current container runtimes struggle to ensure both security and performance for HPC workloads simultaneously. This project addresses these challenges by developing secure containers specifically tailored for HPC infrastructures. The project introduces innovative solutions, including the development of an efficient image vulnerability scanner and a secure container runtime. These systems incorporate various customized optimizations for security and performance targeting HPC workloads. Additionally, educational efforts are made to integrate the research findings into graduate and undergraduate curriculum development. Outreach activities are conducted to encourage participation from underrepresented groups and promote cybersecurity awareness and HPC expertise in the states of Texas and Delaware.The project consists of two primary tasks. The first task focuses on designing an efficient image vulnerability scanner using innovative and feasible techniques. The research team designs a novel method for container image vulnerability detection based on cross-language code similarity detection. This approach combines graph neural networks with a language-agnostic code representation that leverages natural language processing techniques. Furthermore, it designs an efficient and scalable online search solution. The second task involves developing a secure and high-performance container runtime by utilizing a lightweight virtual machine hypervisor. Additionally, the runtime is optimized based on the characteristics of HPC workloads with the goal of improving both security and performance.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

由于高性能计算 (HPC) 基础设施处理敏感数据和关键科学计算，因此确保其安全和隐私至关重要。 HPC 基础设施通常采用容器，为运行应用程序提供轻量级且隔离的环境。然而，HPC 基础设施中的容器遇到了安全挑战，包括不安全的容器镜像和与隔离相关的漏洞。现有的容器镜像扫描仪面临着覆盖率低的重大挑战，而当前的容器运行时很难同时确保 HPC 工作负载的安全性和性能。该项目通过开发专为 HPC 基础设施定制的安全容器来解决这些挑战。该项目引入了创新的解决方案，包括开发高效的图像漏洞扫描器和安全的容器运行时。这些系统结合了针对 HPC 工作负载的安全性和性能的各种定制优化。此外，教育部门还努力将研究成果纳入研究生和本科生课程的开发中。开展外展活动是为了鼓励代表性不足的群体参与，并提高德克萨斯州和特拉华州的网络安全意识和 HPC 专业知识。该项目包括两项主要任务。第一项任务侧重于使用创新且可行的技术设计高效的图像漏洞扫描器。研究团队设计了一种基于跨语言代码相似度检测的容器镜像漏洞检测新方法。这种方法将图神经网络与利用自然语言处理技术的与语言无关的代码表示相结合。此外，它还设计了一个高效且可扩展的在线搜索解决方案。第二项任务涉及利用轻量级虚拟机管理程序开发安全且高性能的容器运行时。此外，运行时还根据 HPC 工作负载的特征进行了优化，目标是提高安全性和性能。该奖项反映了 NSF 的法定使命，并通过使用基金会的智力优点和更广泛的影响审查标准进行评估，认为值得支持。