computing environments
play

Computing Environments Saeid Mofrad, Ishtiaq Ahmed, Shiyong Lu, Ping - PowerPoint PPT Presentation

Apr 30, 2023 •135 likes •530 views

SecDATAVIEW: A Secure Big Data Workflow Management System for Heterogeneous Computing Environments Saeid Mofrad, Ishtiaq Ahmed, Shiyong Lu, Ping Yang, Heming Cui, Fengwei Zhang* {saeid.mofrad, ishtiaq, shiyong, fengwei}@wayne.edu

  1. SecDATAVIEW: A Secure Big Data Workflow Management System for Heterogeneous Computing Environments Saeid Mofrad, Ishtiaq Ahmed, Shiyong Lu, Ping Yang, Heming Cui, Fengwei Zhang* {saeid.mofrad, ishtiaq, shiyong, fengwei}@wayne.edu pyang@binghamton.edu heming@cs.hku.hk *The corresponding author, and he is currently affiliated with SUSTech. WAYNE STATE UNIVERSITY 1

  2. Outline ➢ Introduction ➢ x86 TEE technology background ➢ Previous data analytics systems with TEE support ➢ SecDATAVIEW ➢ Performance results and security comparison ➢ Conclusions and future work WAYNE STATE UNIVERSITY 2

  3. Outline ➢ Introduction ➢ x86 TEE technology background ➢ Previous data analytics systems with TEE support ➢ SecDATAVIEW ➢ Performance results and security comparison ➢ Conclusions and future work WAYNE STATE UNIVERSITY 3

  4. Cloud Platform for Big Data Analytics ➢ Cloud platforms are common for big data analytics APP APP AP APP AP AP APP ➢ Isolation through software virtualization is used to achieve trusted execution environment (TEE) in cloud infrastructure ➢ Downsides of virtualization [3]: OS OS OS OS OS OS OS OS 1) Virtualization uses shared hardware, hypervisor and cloud system software thus increases the software and hardware TCB of the cloud platform VM VM VM VM VM VM VM VM 2) Hypervisor and cloud’s system software contain thousands of lines of code and may have security flaws HYPER ERVISOR ISOR 3) Many hypervisor exploits have been reported in clouds [5,6] 4) Increased TCB size means less security HARD ARDWA WARE WAYNE STATE UNIVERSITY 4

  5. Outline ➢ Introduction ➢ x86 TEE technology background ➢ Previous data analytics systems with TEE support ➢ SecDATAVIEW ➢ Performance results and security comparison ➢ Conclusions and future work WAYNE STATE UNIVERSITY 5

  6. Hardware-Assisted Trusted Execution Environment in x86 Architecture [3] ➢ Hardware-Assisted TEE couples hardware with TEE abstraction so mitigates the downsides of the software only TEEs ➢ Hardware-Assisted TEE may be faster since it uses dedicated hardware ➢ Hardware-Assisted TEE exposes small size of hardware TCB and smaller TCB means better security ➢ “Older” Hardware -Assisted TEE: Intel ME, AMD PSP, and x86 SMM [4] ➢ Two general-purpose Hardware-Assisted TEE in x86 architecture: 1. Intel Software Guard eXtensions (SGX) [HASP 2013], [1] 2. AMD Memory Encryption Technology [White Paper 2016], [2] WAYNE STATE UNIVERSITY 6

  7. Background: Intel SGX and AMD SEV [3] App Untrusted part of App Enclave (Trusted part of App) 1- App creates an Call Gates enclave. 3- The trusted 2- App calls a trusted function processes the function. security-sensitive data. 5- App continues its 4- The trusted normal execution. function returns. Privileged System Software, OS, Hypervisor, SMM, and BIOS Intel SGX AMD SEV WAYNE STATE UNIVERSITY 7

  8. Intel SGX VS VS AMD SEV [3] TEE Runtime Memory SDK Software Platform TEE Protection TEE TEE performance Technology Access Size Change Attestation guarantee TCB Privilege Limits Mechanism SIZE Intel SGX Ring 3 Up to Provided Required Attested Confidentiality Smaller Performs 128MB through Intel and Integrity than slower than remote protection of the SEV SEV attestation enclave’s code and data at runtime AMD SEV Ring 0 Up to Not Not Attested Confidentiality Larger Performs available Required required through AMD protection of the than faster than system guest VM’s memory SGX SGX memory attestation image at runtime WAYNE STATE UNIVERSITY 8

  9. Outline ➢ Introduction ➢ X86 TEE technology background ➢ Previous data analytics systems with TEE support ➢ SecDATAVIEW ➢ Performance results and security comparison ➢ Conclusions and future work WAYNE STATE UNIVERSITY 9

  10. Previous Data Analytics Systems with TEE Support ➢ VC3: A trustworthy Hadoop based data analytics platform in the cloud that leverages SGX to protect unmodified Map-Reduce tasks written in C/C++ [S&P 2015], [7] ➢ A lightweight, Map-Reduce framework with Lua , a high-level language that interprets the Map-Reduce Lua scripts in Intel SGX [CCGRID 2017], [8] ➢ Opaque: An oblivious and encrypted distributed analytics platform that enhanced the security of the Spark SQL with SGX [NSDI 2017], [9] ❑ Shortcoming with previous data analytics platforms with TEE support: 1. Limited functionality: They only support Map/Reduce or SQL query data types 2. Lack of support for heterogeneous cloud infrastructure: They only support Intel SGX platform WAYNE STATE UNIVERSITY 10

  11. Outline ➢ Introduction ➢ X86 TEE technology background ➢ Previous data analytics systems with TEE support ➢ SecDATAVIEW ➢ Performance results and security comparison ➢ Conclusions and future work WAYNE STATE UNIVERSITY 11

  12. SecDATAVIEW: A Secure Data Analytics System with Heterogeneous TEE Support SecDATAVIEW main characteristics: ❑ Different data types: 1. Supports scientific big data workflow [10] and considers each task as a black box 2. Supports many type of workflows (Map-Reduce, Query, Machine learning, Deep learning, Image-Video processing, etc..) ❑ Heterogeneous TEE: 1. Supports both Intel SGX and AMD SEV at the same time ❑ Strong security guarantee: 1. Protects the confidentiality and integrity of code and data for workflows running on public untrusted clouds 2. Supports High-level and managed code programming language (Java) that protects memory leaks vulnerability (buffer overflow) 3. Provides minimal hardware and software TCB for general purpose cloud based big data analytics platform ❑ Flexible system settings (SGX mode, SEV mode, Hybrid mode) for enhanced security and performance requirements: 1. Supports trade-off between enhanced security (SGX mode) and performance (SEV mode) for workflows with different user requirements. WAYNE STATE UNIVERSITY 12

  13. SecDATAVIEW: Leverages Heterogenous Workers with TEE Support ❑ SecDATAVIEW Intel SGX Worker: ❑ SecDATAVIEW AMD Worker: 1) Uses SGX shield [19] programming 1) Uses AMD Secure Encrypted model Virtualization (SEV) 2) SGX-LKL [20] is incorporated to provide 2) SEV-protected VM is used to protect the Java virtual machine in the SGX enclave the worker memory image at runtime 3) Encrypted SGX-LKL disk image is used to protect the confidentiality of user code 3) Java virtual machine is used in every and data at rest SEV-protected VM 4) Java reflection and class loader are incorporated to overcome lack of multi- process support in the SGX-LKL WAYNE STATE UNIVERSITY 13

  14. SecDATAVIEW: Adversary Model ❑ SecDATAVIEW threat model targeted attacks that happen on untrusted cloud: 1) Attacks that exploit flaws or vulnerabilities in the hypervisor, or cloud’s system software layer trying to gain access to the user data or results stored on unprotected memory 2) Attacks that could happen by dishonest administrator to gain access to data or results stored on the user storage medium ❑ Attacks, including network traffic-analysis [11], denial-of-service, access pattern leakage [12], side-channels [13], and fault injections [14], are out of the scope WAYNE STATE UNIVERSITY 14

  15. SecDATAVIEW System Architecture WAYNE STATE UNIVERSITY 15

  16. WCPAC: Workflow Code Provisioning and Communication Protocol ❑ The WCPAC protocol’s main functionality includes: 1. to provision and attest secure worker nodes 2. to provision securely the code for the Task Executor and workflow tasks on each participating worker node 3. to establish the secure communication and file transfers between the master node and worker nodes 4. to ensure secure file transfers among worker nodes WAYNE STATE UNIVERSITY 16

  17. WCPAC: Workflow Code Provisioning and Communication Protocol Worker Node Untrusted SGX OS / SEV hypervisor SecDATAVIEW Master Trusted SGX Enclave / SEV VM (Trusted premise) Trusted Task Executor Cloud Resource Management Cloud Resource Management Message Workflow Executor Activation SFTP Server/SSL Data (j) SSL Socket / Socket SSL Socket (k) SFTP SFTP Return Data SEV Guest OS / SGX-LKL Activation / Return (i) Executor (c) (h) Data Task Trusted Code Provisioner Code Provisioning Attestation SFTP Server/ (f) SSL Socket/SFTP SFTP /SSL Socket (g) SSL Socket Message Child Worker Node in the Workflow Provisioner (e) Code SFTP Server SFTP (Java) (b) (d) Command Disk Image Worker Node Host SSH/SFTP SSH/SFTP Server (a) WAYNE STATE UNIVERSITY 17

  18. WCPAC: Workflow Code Provisioning and Communication Protocol Worker Node Untrusted SGX OS / SEV hypervisor SecDATAVIEW Master Trusted SGX Enclave / SEV VM (Trusted premise) Trusted Task Executor Cloud Resource Management Cloud Resource Management Message Workflow Executor Activation SFTP Server/SSL Data (j) SSL Socket / Socket SSL Socket (k) SFTP SFTP Return Data SEV Guest OS / SGX-LKL Activation / Return (i) Executor (c) (h) Data Task Trusted Code Provisioner Code Provisioning Attestation SFTP Server/ (f) SSL Socket/SFTP SFTP /SSL Socket (g) SSL Socket Message Child Worker Node in the Workflow Provisioner (e) Code SFTP Server SFTP (Java) (b) (d) Command Disk Image Worker Node Host SSH/SFTP SSH/SFTP Server (a) WAYNE STATE UNIVERSITY 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

AI and Predictive Analytics in Data-Center Environments Distributed Computing using Spark An

AI and Predictive Analytics in Data-Center Environments Distributed Computing using Spark An

AI and Predictive Analytics in Data-Center Environments Distributed Computing using Spark An Introduction to Spark Environments Josep Ll. Berral @BSC Intel Academic Education Mindshare Initiative for AI Presentation Distributed computing

188 views • 14 slides
Collaborative Environments for Scientific Computing: The Task of Algorithm/Software Selection N.

Collaborative Environments for Scientific Computing: The Task of Algorithm/Software Selection N.

Collaborative Environments for Scientific Computing 11th ICMCM & SC 97 Collaborative Environments for Scientific Computing: The Task of Algorithm/Software Selection N. Ramakrishnan, A. Joshi, E.N. Houstis and J.R. Rice Department of

373 views • 21 slides
Distributed Computing Environments 1 Distributed computing environment consists of entities

Distributed Computing Environments 1 Distributed computing environment consists of entities

Distributed Computing Environments 1 Distributed computing environment consists of entities entities communicate with each other the goal is to find a solution to a common problem 2 Entities entity: a computational unit of a

564 views • 13 slides
Design of Semantic Information Broker for Localized Computing Environments in the Internet of

Design of Semantic Information Broker for Localized Computing Environments in the Internet of

Design of Semantic Information Broker for Localized Computing Environments in the Internet of Things Ivan V. Galov, Aleksandr A. Lomov, Dmitry G. Korzun Petrozavodsk State University Department of Computer Science Supported by the Ministry of

569 views • 13 slides
Search-Based Agents Computing Driving Directions Appropriate in Static Environments where a

Search-Based Agents Computing Driving Directions Appropriate in Static Environments where a

Search-Based Agents Computing Driving Directions Appropriate in Static Environments where a Oradea 71 model of the agent is known and the Neamt You are 87 Zerind environment allows here 151 75 Iasi Arad prediction of the

346 views • 5 slides
The Gain of Resource Delegation in Distributed Computing Environments Alexander Flling,

The Gain of Resource Delegation in Distributed Computing Environments Alexander Flling,

technische universitt Robotics Research Institute dortmund The Gain of Resource Delegation in Distributed Computing Environments Alexander Flling, Christian Grimme, Joachim Lepping, and Alexander Papaspyrou 15th Workshop on Job Scheduling

444 views • 22 slides
Cloud Computing & Cloud Models Cloud Models Topics Defining cloud computing

Cloud Computing & Cloud Models Cloud Models Topics Defining cloud computing

Cloud Computing & Cloud Models Cloud Models Topics Defining cloud computing Understanding: Distributed Application Design Resource Management Automation Virtualized Computing Environments High-performance Computing

1.02k views • 49 slides
CS 525M Mobile Computing Emmanuel Agu Database Management in Mobile Environments Last week,

CS 525M Mobile Computing Emmanuel Agu Database Management in Mobile Environments Last week,

CS 525M Mobile Computing Emmanuel Agu Database Management in Mobile Environments Last week, talked about applications: wireless web, messaging, MPEG, application-aware adaptation Today focus on data management issues First,

507 views • 7 slides
AI and Predictive Analytics in Data-Center Environments Distributed Computing using Spark

AI and Predictive Analytics in Data-Center Environments Distributed Computing using Spark

AI and Predictive Analytics in Data-Center Environments Distributed Computing using Spark Distributing Neural Networks using Spark and Intel BigDL Josep Ll. Berral @BSC Intel Academic Education Mindshare Initiative for AI Introduction

276 views • 14 slides
Security Challenges of Small Cell as a Service in Virtualised Mobile Edge Computing Environments

Security Challenges of Small Cell as a Service in Virtualised Mobile Edge Computing Environments

Security Challenges of Small Cell as a Service in Virtualised Mobile Edge Computing Environments Vassilios Vassilakis 1 , Emmanouil (Manos) Panaousis 2 and Haralambos Mouratidis 2 1 University of West London 2 Secure and Dependable Software

630 views • 19 slides
LIGO containers in diverse computing environments Thomas P Downes Center for Gravitation,

LIGO containers in diverse computing environments Thomas P Downes Center for Gravitation,

LIGO containers in diverse computing environments Thomas P Downes Center for Gravitation, Cosmology & Astrophysics University of Wisconsin-Milwaukee LIGO Scientific Collaboration LIGO-Virgo Advanced Detector Network O1: September 2015 --

305 views • 14 slides
OC Organic Computing Middleware for Ubiquitous Environments Status report and outlook Theo

OC Organic Computing Middleware for Ubiquitous Environments Status report and outlook Theo

OC Organic Computing Middleware for Ubiquitous Environments Status report and outlook Theo Ungerer, Benjamin Satzger, Sebastian Schlingmann, Julia Schmitt, University of Augsburg Wolfgang Trumer, Siemens AG 9th OC Colloquium, Augsburg

835 views • 17 slides
New Paradigms in Problem Solving Environments for Scientific Computing George Chin Jr. L. Ruby

New Paradigms in Problem Solving Environments for Scientific Computing George Chin Jr. L. Ruby

New Paradigms in Problem Solving Environments for Scientific Computing George Chin Jr. L. Ruby Leung Karen Schuchardt Deborah Gracio U.S. Department of Energy Pacific Northwest National Laboratory 2/20/200 1 2 Background I Pacific

576 views • 20 slides
AI and Predictive Analytics in Data-Center Environments Distributed Computing using Spark

AI and Predictive Analytics in Data-Center Environments Distributed Computing using Spark

AI and Predictive Analytics in Data-Center Environments Distributed Computing using Spark SparkML (Hands On) Josep Ll. Berral @BSC Intel Academic Education Mindshare Initiative for AI Hands-On: SparkML SparkML Training models

98 views • 5 slides
Organic Computing Middleware for Ubiquitous Environments OC Julia Schmitt , Michael Roth, Rolf

Organic Computing Middleware for Ubiquitous Environments OC Julia Schmitt , Michael Roth, Rolf

Organic Computing Middleware for Ubiquitous Environments OC Julia Schmitt , Michael Roth, Rolf Kiefhaber, Florian Kluge, Theo Ungerer Systems and Networking University of Augsburg Germany 12th OC Colloquium 2011-09-16 Julia Schmitt et al.

225 views • 20 slides
TrustICE:*Hardware0assisted* Isolated*Computing*Environments* on*Mobile*Devices

TrustICE:*Hardware0assisted* Isolated*Computing*Environments* on*Mobile*Devices

TrustICE:*Hardware0assisted* Isolated*Computing*Environments* on*Mobile*Devices Presented(by(Zhenyu Ning 1 Contents 1.(Introduction 2.(Motivation 3.(Implementation 4.(Evaluation 5.(Conclusion 2 Contents 1.(Introduction 2.(Motivation

723 views • 33 slides
AMD Pacifica Virtualization Technology AMD Unveils Virtualization Platform AMD Pacifica

AMD Pacifica Virtualization Technology AMD Unveils Virtualization Platform AMD Pacifica

AMD Pacifica Virtualization Technology AMD Unveils Virtualization Platform AMD Pacifica Tutorial 2 Virtual Machine Approaches Carve a Server into Many Virtual Machines Hosted Hypervisor-based Virtualization Virtualization App App

539 views • 18 slides
GPU Architecture Alan Gray EPCC The University of Edinburgh Outline Why do we want/need

GPU Architecture Alan Gray EPCC The University of Edinburgh Outline Why do we want/need

GPU Architecture Alan Gray EPCC The University of Edinburgh Outline Why do we want/need accelerators such as GPUs? Architectural reasons for accelerator performance advantages Latest GPU Products From NVIDIA and AMD

333 views • 30 slides
Reaching "EPYC" Virtualization Performance Case Study: Tuning VMs for Best Performance

Reaching "EPYC" Virtualization Performance Case Study: Tuning VMs for Best Performance

Reaching "EPYC" Virtualization Performance Case Study: Tuning VMs for Best Performance on AMD EPYC 7002 / 7742 Processor Series Based Servers Dario Faggioli <dfaggioli@suse.com> Software Engineer - Virtualization Specialist, SUSE

835 views • 52 slides
The Impact of Eczema on Sleep Lisa J. Meltzer, Ph.D., CBSM National Jewish Health August 5, 2017

The Impact of Eczema on Sleep Lisa J. Meltzer, Ph.D., CBSM National Jewish Health August 5, 2017

The Impact of Eczema on Sleep Lisa J. Meltzer, Ph.D., CBSM National Jewish Health August 5, 2017 Conflict of Interest Disclosures Grant/Research Support NIH NEA Consultant Johnson and Johnson Royalties Co-author, Pediatric Sleep

920 views • 22 slides
From Shader Code to a Tera Terafl flop op: How Shader Cores Work Kayvon Fatahalian Stanford

From Shader Code to a Tera Terafl flop op: How Shader Cores Work Kayvon Fatahalian Stanford

From Shader Code to a Tera Terafl flop op: How Shader Cores Work Kayvon Fatahalian Stanford University SIGGRAPH 2009: Beyond Programmable Shading: http://s09.idav.ucdavis.edu/ This talk 1. Three major ideas that make GPU processing cores

1.15k views • 77 slides
Practical DirectX 12 - Programming Model and Hardware Capabilities Gareth Thomas & Alex Dunn

Practical DirectX 12 - Programming Model and Hardware Capabilities Gareth Thomas & Alex Dunn

Practical DirectX 12 - Programming Model and Hardware Capabilities Gareth Thomas & Alex Dunn AMD & NVIDIA Agenda DX12 Best Practices DX12 Hardware Capabilities Questions 2 Expectations Who is DX12 for? Aiming to achieve

706 views • 48 slides
NUMA Siloing in the FreeBSD Network Stack Drew Gallatin EuroBSDCon 2019 (Or how to serve

NUMA Siloing in the FreeBSD Network Stack Drew Gallatin EuroBSDCon 2019 (Or how to serve

NUMA Siloing in the FreeBSD Network Stack Drew Gallatin EuroBSDCon 2019 (Or how to serve 200Gb/s of TLS from FreeBSD) Motivation: Since 2016, Netflix has been able to serve 100Gb/s of TLS encrypted video traffic from a single server.

1.2k views • 71 slides
A Scalable Ordering Primitive for Multicore Machines Sanidhya Kashyap Changwoo Min Kangnyeon Kim

A Scalable Ordering Primitive for Multicore Machines Sanidhya Kashyap Changwoo Min Kangnyeon Kim

A Scalable Ordering Primitive for Multicore Machines Sanidhya Kashyap Changwoo Min Kangnyeon Kim Taesoo Kim Era of multicore machines 2 Scope of multicore machines Huge hardware thread parallelism How are operations executed correctly?

1.37k views • 30 slides

More recommend