Show simple item record

dc.contributor.advisorBhatotia, Pramod
dc.contributor.advisorFranke, Bjoern
dc.contributor.authorThalheim, Jörg
dc.date.accessioned2022-06-28T15:40:46Z
dc.date.available2022-06-28T15:40:46Z
dc.date.issued2022-06-28
dc.identifier.urihttps://hdl.handle.net/1842/39234
dc.identifier.urihttp://dx.doi.org/10.7488/era/2485
dc.description.abstractVirtual machines and containers are widely used in data centres and in the cloud for software deployment and management. Their popularity is based on higher capacity utilisation, lower maintenance costs, and better scalability by creating an abstraction layer on top of physical hardware. The economics and scalability of virtualised applications require that the workloads of multiple customers can run on the same hardware with low overhead without compromising security. To address this need, in this work we introduce a new set of IO middleware that allows users to run smaller containers and virtual machines and deploy them in a more secure manner. The presented contributions can be summarised as follows: • CNTR provides a way to extend application containers at runtime with tools deployed in a different container. In this way, you can create "slim" images that contain only the actual application, while all the tools needed for monitoring, testing, and debugging reside in a "fat" image that only needs to be deployed when needed. CNTR achieves this by creating a nested namespace in the application container that proxies files from a remote container using a FUSE filesystem. • VMSH allows users to attach services to running virtual machines independent of the guest userspace and without any pre-installed agents. Similar to CNTR this allows developers to build more light-weight virtual machines by deploying additional services in a separate user-provided file system image on-demand. VMSH achieves this by side-loading kernel code into the guest and mounting a filesystem based on its own block device in a light-weight container without affecting the applications in the VM. • RKT-IO leverages trusted execution environments to run workloads in containers and virtual machines to protect them from other tenants and the cloud provider on the same host, but without sacrificing on I/O performance that is usually degraded by this protection. It does so by providing a userspace network and storage I/O stack in the form of a library OS based on Linux that directly accesses the hardware from within the TEE by-passing the host kernel.en
dc.language.isoenen
dc.publisherThe University of Edinburghen
dc.relation.hasversionCNTR : Lightweight OS Containers by Jörg Thalheim, Pramod Bhatotia, Pedro Fonseca, and Baris Kasikci, In the proceedings of USENIX ATC 2018en
dc.relation.hasversionVMSH : Hypervisor-agnostic Guest Overlays for VMs by Jörg Thalheim, Peter Okelmann, Harshavardhan Unnibhavi, Redha Gouicem, Pramod Bhatotia, In the proceedings of ACM EuroSys 2022en
dc.relation.hasversionRKT-IO : A Direct I/O Stack for Shielded Execution by Jörg Thalheim, Harshavardhan Unnibhavi, Christian Priebe, Pramod Bhatotia, and Peter Pietzuch, In the proceedings of ACM EuroSys 2021en
dc.relation.hasversionSieve : Actionable insights from monitored metrics in distributed systems by Jörg Thalheim, Antonio Rodrigues, Istemi Ekin Akkus, Pramod Bhatotia, Ruichuan Chen, Bimal Viswanath, Lei Jiao, and Christof Fetzer, In the proceedings of Middleware 2017: https://dl.acm.org/doi/10.1145/3135974.3135977en
dc.relation.hasversionSpeicher : Securing LSM-based Key-Value Stores using Shielded Execution by Maurice Bailleu, Jörg Thalheim, Pramod Bhatotia, Christof Fetzer, Michio Honda, and Kapil Vaswani, In the proceedings of Usenix FAST 2018: https://www.usenix.org/conference/fast19/presentation/bailleuen
dc.relation.hasversionPeter Okelmann Jörg Thalheim. Project site of vmsh. https : / / github . com / Mic92/vmsh. 2021.en
dc.relation.hasversionPeter Okelmann and Jø"rg Thalheim. lambda-pirate. https : / / github . com / pogobanane/lambda-pirate. 2021.en
dc.relation.hasversionJ. Thalheim, P. Bhatotia, and C. Fetzer. “INSPECTOR: Data Provenance Using Intel Processor Trace (PT)”. In: 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS). 2016en
dc.subjectvirtualisation technology securityen
dc.subjecttrusted execution environmenten
dc.subjectTEEen
dc.subjectRKT-IOen
dc.titleDependable virtualised systemsen
dc.typeThesis or Dissertationen
dc.type.qualificationlevelDoctoralen
dc.type.qualificationnamePhD Doctor of Philosophyen


Files in this item

This item appears in the following Collection(s)

Show simple item record