| dc.contributor.advisor | Bhatotia, Pramod | |
| dc.contributor.advisor | Franke, Bjoern | |
| dc.contributor.author | Thalheim, Jörg | |
| dc.date.accessioned | 2022-06-28T15:40:46Z | |
| dc.date.available | 2022-06-28T15:40:46Z | |
| dc.date.issued | 2022-06-28 | |
| dc.identifier.uri | https://hdl.handle.net/1842/39234 | |
| dc.identifier.uri | http://dx.doi.org/10.7488/era/2485 | |
| dc.description.abstract | Virtual machines and containers are widely used in data centres and in the cloud for
software deployment and management. Their popularity is based on higher capacity
utilisation, lower maintenance costs, and better scalability by creating an abstraction
layer on top of physical hardware. The economics and scalability of virtualised
applications require that the workloads of multiple customers can run on the same
hardware with low overhead without compromising security. To address this need,
in this work we introduce a new set of IO middleware that allows users to run
smaller containers and virtual machines and deploy them in a more secure manner.
The presented contributions can be summarised as follows:
• CNTR provides a way to extend application containers at runtime with tools
deployed in a different container. In this way, you can create "slim" images that
contain only the actual application, while all the tools needed for monitoring,
testing, and debugging reside in a "fat" image that only needs to be deployed
when needed. CNTR achieves this by creating a nested namespace in the
application container that proxies files from a remote container using a FUSE
filesystem.
• VMSH allows users to attach services to running virtual machines independent
of the guest userspace and without any pre-installed agents. Similar to CNTR
this allows developers to build more light-weight virtual machines by deploying
additional services in a separate user-provided file system image on-demand.
VMSH achieves this by side-loading kernel code into the guest and mounting
a filesystem based on its own block device in a light-weight container without
affecting the applications in the VM.
• RKT-IO leverages trusted execution environments to run workloads in
containers and virtual machines to protect them from other tenants and the
cloud provider on the same host, but without sacrificing on I/O performance
that is usually degraded by this protection. It does so by providing a userspace
network and storage I/O stack in the form of a library OS based on Linux that
directly accesses the hardware from within the TEE by-passing the host kernel. | en |
| dc.language.iso | en | en |
| dc.publisher | The University of Edinburgh | en |
| dc.relation.hasversion | CNTR : Lightweight OS Containers by Jörg Thalheim, Pramod Bhatotia, Pedro Fonseca, and Baris Kasikci, In the proceedings of USENIX ATC 2018 | en |
| dc.relation.hasversion | VMSH : Hypervisor-agnostic Guest Overlays for VMs by Jörg Thalheim, Peter Okelmann, Harshavardhan Unnibhavi, Redha Gouicem, Pramod Bhatotia, In the proceedings of ACM EuroSys 2022 | en |
| dc.relation.hasversion | RKT-IO : A Direct I/O Stack for Shielded Execution by Jörg Thalheim, Harshavardhan Unnibhavi, Christian Priebe, Pramod Bhatotia, and Peter Pietzuch, In the proceedings of ACM EuroSys 2021 | en |
| dc.relation.hasversion | Sieve : Actionable insights from monitored metrics in distributed systems by Jörg Thalheim, Antonio Rodrigues, Istemi Ekin Akkus, Pramod Bhatotia, Ruichuan Chen, Bimal Viswanath, Lei Jiao, and Christof Fetzer, In the proceedings of Middleware 2017: https://dl.acm.org/doi/10.1145/3135974.3135977 | en |
| dc.relation.hasversion | Speicher : Securing LSM-based Key-Value Stores using Shielded Execution by Maurice Bailleu, Jörg Thalheim, Pramod Bhatotia, Christof Fetzer, Michio Honda, and Kapil Vaswani, In the proceedings of Usenix FAST 2018: https://www.usenix.org/conference/fast19/presentation/bailleu | en |
| dc.relation.hasversion | Peter Okelmann Jörg Thalheim. Project site of vmsh. https : / / github . com / Mic92/vmsh. 2021. | en |
| dc.relation.hasversion | Peter Okelmann and Jø"rg Thalheim. lambda-pirate. https : / / github . com / pogobanane/lambda-pirate. 2021. | en |
| dc.relation.hasversion | J. Thalheim, P. Bhatotia, and C. Fetzer. “INSPECTOR: Data Provenance Using Intel Processor Trace (PT)”. In: 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS). 2016 | en |
| dc.subject | virtualisation technology security | en |
| dc.subject | trusted execution environment | en |
| dc.subject | TEE | en |
| dc.subject | RKT-IO | en |
| dc.title | Dependable virtualised systems | en |
| dc.type | Thesis or Dissertation | en |
| dc.type.qualificationlevel | Doctoral | en |
| dc.type.qualificationname | PhD Doctor of Philosophy | en |
