Pub Date: 2022-07-01, DOI: 10.1109/CLOUD55607.2022.00035
Takumi Kawamura, Kenichi Kourai
Since virtual machines (VMs) provided by Infrastructure-as-a-Service clouds often suffer from attacks, they need to be monitored using intrusion detection systems (IDS). For secure execution of host-based IDS (HIDS), IDS offloading is used to run the IDS outside target VMs, but an offloaded IDS can still be attacked. To address this issue, secure IDS offloading using Intel SGX has been proposed. However, IDS development then requires kernel-level programming, which is difficult for most IDS developers. This paper proposes SCwatcher, which enables user-level HIDS running on top of the operating system (OS) to be securely offloaded using VM-compatible OS emulation layers for SGX. SCwatcher provides the standard OS interface used in a target VM to the in-enclave IDS. In particular, the virtual proc filesystem called vProcFS analyzes OS data using VM introspection and returns the system information from inside the target VM. We have implemented SCwatcher using Xen with support for SGX virtualization and two types of OS emulation layers for SGX, SCONE and Occlum. We then confirmed that SCwatcher could offload legacy HIDS and showed that its performance could be comparable to insecure IDS offloading.
Title: Secure Offloading of User-level IDS with VM-compatible OS Emulation Layers for Intel SGX
Published in: IEEE Cloud Computing, vol. 197(1), pp. 157-166
Pub Date: 2022-07-01, DOI: 10.1109/CLOUD55607.2022.00070
Hongyun Liu, Ruyue Xin, Peng Chen, Zhiming Zhao
Workflow offloading in the edge-to-cloud continuum copes with an extended computation network spanning edge devices and cloud platforms. With the growing significance of edge and cloud technologies, workflow offloading among these environments has been investigated in recent years. However, the dynamics of the offloading optimization objectives, i.e., latency, resource utilization rate, and energy consumption on the edge and cloud sides, have hardly been researched. Consequently, the Quality of Service (QoS) and offloading performance also experience uncertain deviation. In this work, we propose a multi-objective robust offloading algorithm to address this issue, dealing with both dynamics and multi-objective optimization. The workflow request model in this work is modeled as a Directed Acyclic Graph (DAG). An LSTM-based sequence-to-sequence neural network learns the offloading policy. We then conduct comprehensive implementations to validate the robustness of our algorithm. As a result, our algorithm achieves better offloading performance with respect to each objective and faster adaptation to newly changed environments than fine-tuned typical single-objective RL-based offloading methods.
Title: Multi-Objective Robust Workflow Offloading in Edge-to-Cloud Continuum
Published in: IEEE Cloud Computing, vol. 20(1), pp. 469-478
Pub Date: 2022-07-01, DOI: 10.1109/CLOUD55607.2022.00077
Minseo Kim, Hyerean Jang, Young-joo Shin
WebAssembly, abbreviated as Wasm, has emerged as a new paradigm in cloud-native development owing to its promising properties. Native execution speed and fast startup time make Wasm an alternative to container-based cloud applications. Despite its security-by-design strategy, however, WebAssembly suffers from a variety of vulnerabilities and weaknesses, which hinder its rapid adoption in cloud computing. For instance, its native execution performance has attracted cybercriminals to abuse Wasm binaries for resource stealing such as cryptojacking. Without proper defense mechanisms, Wasm-based malware would proliferate, causing huge financial losses for cloud users. Moreover, the design principle that allows type-unsafe languages such as C/C++ inherently induces various memory bugs in a Wasm binary. Efficient and robust vulnerability analysis techniques are necessary to protect benign cloud-native Wasm applications from being exploited by attackers. Due to the young age of WebAssembly, however, there are few works in the literature that provide developers with guidance on such security techniques. This makes developers hesitate to consider Wasm as their cloud-native platform. In this paper, we survey various techniques and methods for Wasm binary security proposed in the literature and systematically classify them according to certain criteria. As a result, we propose future research directions regarding the current lack of WebAssembly binary security research.
Title: Avengers, Assemble! Survey of WebAssembly Security Solutions
Published in: IEEE Cloud Computing, vol. 28(1), pp. 543-553
Pub Date: 2022-07-01, DOI: 10.1109/CLOUD55607.2022.00032
Amardeep Mehta, Lackis Eleftheriadis
With the increased 5G deployments across the world, new use cases are emerging in many new domains, such as autonomous vehicles, smart cities, smart grids and potentially the proliferation of augmented reality. Some of these applications require high availability, bandwidth and/or extremely low latency, depending on the applied service. Currently, the cost of deploying distributed edge nodes and its relation to the availability of power infrastructure is not well known. In this work, we demystify the cost of edge resources by proposing a cost estimation framework that considers the various existing edge-related constraints, such as the power grid and the edge power node infrastructure. We consider Capital Expenditure (CAPEX) and Operational Expenditure (OPEX) as well as the time value of money in relation to Hardware (HW) redundancy and depreciation for edge cloud resource estimation. The cost of resources is estimated in relation to the local edge power infrastructure conditions for the applied services and the required Service Level Agreement (SLA). The availability of the application is estimated using a Reliability Block Diagram (RBD) of the edge components, including power and cooling systems. We propose a new method, called Smart Edge Power Management (SEPM), that includes identification of the relevant parameters and states of the edge power infrastructure, and shows how to overcome the various edge power-related constraints and further improve cost efficiency during operation. The performance evaluation is made on country-wide edge deployments for a mobile operator in Sweden. With our newly proposed method SEPM, the cost efficiency of edge resources can be improved by up to 10%.
Title: Smart Edge Power Management to Improve Availability and Cost-efficiency of Edge Cloud
Published in: IEEE Cloud Computing, vol. 49(1), pp. 125-133
Pub Date: 2022-07-01, DOI: 10.1109/CLOUD55607.2022.00055
Bo-wen Song, Marco Paolieri, L. Golubchik
Hybrid cloud architectures, where private clouds or data centers forward part of their workload to public cloud providers to satisfy quality of service (QoS) requirements, are increasingly common due to the availability of on-demand cloud resources that can be provisioned automatically through programming APIs. In this paper, we analyze performance and revenue in federations of hybrid clouds, where private clouds agree to share part of their local computing resources with other members of the federation. Through resource sharing, underprovisioned members can save on public cloud costs, while overprovisioned members can put their idle resources to work. To reward all hybrid clouds for their contributions (computing resources or workload), public cloud savings due to the federation are distributed among members according to the Shapley value. We model this cloud architecture with a continuous-time Markov chain and prove that, if all hybrid clouds have the same QoS requirements, their profits are maximized when they join the federation and share all resources. We also show that this result does not hold when hybrid clouds have different QoS requirements, and we provide a solution to evaluate profit for different resource sharing decisions. Finally, our experimental evaluation compares the distribution of public cloud savings according to the Shapley value with alternative approaches, illustrating its ability to discourage free riders in the federation.
Title: Performance and Revenue Analysis of Hybrid Cloud Federations with QoS Requirements
Published in: IEEE Cloud Computing, vol. 67(1), pp. 321-330
Pub Date: 2022-07-01, DOI: 10.1109/CLOUD55607.2022.00028
Ryan Hancock, Sreeharsha Udayashankar, A. Mashtizadeh, S. Al-Kiswany
Serverless computing is a rapidly growing area of research. No standardized benchmark currently exists for evaluating orchestration-level decisions or executing large serverless workloads, because of the limited data provided by cloud providers. Current benchmarks focus on other aspects, such as the cost of running general types of functions and their runtimes. We introduce OrcBench, the first orchestration benchmark based on the recently published Microsoft Azure serverless data set. OrcBench categorizes 8622 serverless functions into 17 distinct models, which represent 5.6 million invocations from the original trace. OrcBench also incorporates a time-series analysis to identify function chains within the dataset. OrcBench can use these to create workloads that mimic complete serverless applications, including simulated CPU and memory usage. The modeling allows these workloads to be scaled according to the target hardware configuration.
Title: OrcBench: A Representative Serverless Benchmark
Published in: IEEE Cloud Computing, vol. 77(1), pp. 103-108
Pub Date: 2022-07-01, DOI: 10.1109/CLOUD55607.2022.00029
K. Mahajan, Rumit Desai
Serverless computing (SC) is an attractive win-win paradigm for cloud providers and customers, simultaneously providing greater flexibility and control over resource utilization for cloud providers while reducing costs for customers through a pay-per-use model and no capacity management. While SC has been shown to be effective for event-triggered web applications, the use of deep learning (DL) applications on SC is limited because DL applications are latency-sensitive and SC is stateless. In this paper, we focus on two key problems impacting the deployment of distributed inference (DI) models on SC: resource allocation and cold start latency. To address the two problems, we propose a hybrid scheduler for identifying the optimal server resource allocation policy. The hybrid scheduler identifies the container allocation based on candidate allocations from a greedy strategy as well as a deep reinforcement learning based allocation model.
Title: Serving distributed inference deep learning models in serverless computing
Published in: IEEE Cloud Computing, vol. 1(1), pp. 109-111
Pub Date: 2022-07-01, DOI: 10.1109/CLOUD55607.2022.00036
Meng Wang, Cesar A. Stuardo, D. Kurniawan, Ray A. O. Sinurat, Haryadi S. Gunawi
We introduce an ecosystem of contention mitigation support within the operating system, runtime and library layers. This ecosystem provides an end-to-end request abstraction that enables a uniform type of contention mitigation capabilities, namely request cancellation and delay prediction, that can be stacked together across multiple resource layers. Our evaluation shows that in our ecosystem, multi-resource storage applications are faster by 5-70% starting at 90P (the 90th percentile) compared to popular practices such as speculative execution, and are only 3% slower on average compared to a best-case (no contention) scenario.
Title: Layered Contention Mitigation for Cloud Storage
Published in: IEEE Cloud Computing, vol. 1(1), pp. 167-178