Bhatotia, Pramod

Franke, Bjoern

Thalheim, Jörg

2022-06-28T15:40:46Z

2022-06-28T15:40:46Z

2022-06-28

Virtual machines and containers are widely used in data centres and in the cloud for software deployment and management. Their popularity is based on higher capacity utilisation, lower maintenance costs, and better scalability by creating an abstraction layer on top of physical hardware. The economics and scalability of virtualised applications require that the workloads of multiple customers can run on the same hardware with low overhead without compromising security. To address this need, in this work we introduce a new set of IO middleware that allows users to run smaller containers and virtual machines and deploy them in a more secure manner. The presented contributions can be summarised as follows: • CNTR provides a way to extend application containers at runtime with tools deployed in a different container. In this way, you can create "slim" images that contain only the actual application, while all the tools needed for monitoring, testing, and debugging reside in a "fat" image that only needs to be deployed when needed. CNTR achieves this by creating a nested namespace in the application container that proxies files from a remote container using a FUSE filesystem. • VMSH allows users to attach services to running virtual machines independent of the guest userspace and without any pre-installed agents. Similar to CNTR this allows developers to build more light-weight virtual machines by deploying additional services in a separate user-provided file system image on-demand. VMSH achieves this by side-loading kernel code into the guest and mounting a filesystem based on its own block device in a light-weight container without affecting the applications in the VM. • RKT-IO leverages trusted execution environments to run workloads in containers and virtual machines to protect them from other tenants and the cloud provider on the same host, but without sacrificing on I/O performance that is usually degraded by this protection. It does so by providing a userspace network and storage I/O stack in the form of a library OS based on Linux that directly accesses the hardware from within the TEE by-passing the host kernel.

https://hdl.handle.net/1842/39234

http://dx.doi.org/10.7488/era/2485

en

The University of Edinburgh

CNTR : Lightweight OS Containers by Jörg Thalheim, Pramod Bhatotia, Pedro Fonseca, and Baris Kasikci, In the proceedings of USENIX ATC 2018

VMSH : Hypervisor-agnostic Guest Overlays for VMs by Jörg Thalheim, Peter Okelmann, Harshavardhan Unnibhavi, Redha Gouicem, Pramod Bhatotia, In the proceedings of ACM EuroSys 2022

RKT-IO : A Direct I/O Stack for Shielded Execution by Jörg Thalheim, Harshavardhan Unnibhavi, Christian Priebe, Pramod Bhatotia, and Peter Pietzuch, In the proceedings of ACM EuroSys 2021

Sieve : Actionable insights from monitored metrics in distributed systems by Jörg Thalheim, Antonio Rodrigues, Istemi Ekin Akkus, Pramod Bhatotia, Ruichuan Chen, Bimal Viswanath, Lei Jiao, and Christof Fetzer, In the proceedings of Middleware 2017: https://dl.acm.org/doi/10.1145/3135974.3135977

Speicher : Securing LSM-based Key-Value Stores using Shielded Execution by Maurice Bailleu, Jörg Thalheim, Pramod Bhatotia, Christof Fetzer, Michio Honda, and Kapil Vaswani, In the proceedings of Usenix FAST 2018: https://www.usenix.org/conference/fast19/presentation/bailleu

Peter Okelmann Jörg Thalheim. Project site of vmsh. https : / / github . com / Mic92/vmsh. 2021.

Peter Okelmann and Jø"rg Thalheim. lambda-pirate. https : / / github . com / pogobanane/lambda-pirate. 2021.

J. Thalheim, P. Bhatotia, and C. Fetzer. “INSPECTOR: Data Provenance Using Intel Processor Trace (PT)”. In: 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS). 2016

virtualisation technology security

trusted execution environment

TEE

RKT-IO

Dependable virtualised systems

Thesis or Dissertation

Doctoral

PhD Doctor of Philosophy