specifying security policy orca
play

SPECIFYING SECURITY POLICY: ORCA Ken Birman CS6410 Context As we - PowerPoint PPT Presentation

Oct 02, 2022 •346 likes •761 views

SPECIFYING SECURITY POLICY: ORCA Ken Birman CS6410 Context As we roll out increasingly ambitious distributed platforms, and share them among demanding users who have its all mine mentalities, we get really challenging resource

  1. SPECIFYING SECURITY POLICY: ORCA Ken Birman CS6410

  2. Context  As we roll out increasingly ambitious distributed platforms, and share them among demanding users who have “it’s all mine” mentalities, we get really challenging resource sharing scenarios  Today’s PlanetLab illustrates the risks  Internet-scale experimental resource (created by Larry Peterson and team members)  More than 400 small clusters that comprise a global platform for experiments  Used by researchers worldwide

  3. How does Planetlab fit the “cloud”?  Cloud platforms are supported by data centers: large clusters (very large), but the similarity is real  And at multiple locations worldwide  They try to keep their systems running near full load  But PlanetLab has no way to limit users from overloading their machines  So in the cloud, we often see “full” but not “massive overload”; PlanetLab can easily be totally swamped

  4. GENI  Goal is to replace PlanetLab the GENI testbed  Eventually, a world-wide infrastructure  Whereas PlanetLab offers a standard Unix VM environment, GENI permits “raw” access to layer -2 of the network. So one can define new kinds of routing services and “tunnel” traffic through GENI applications  GENI vision: developers create services or even entire overlay networks that could even control dedicated network links, if those are available  Notice that this is actually like a VLAN in a datacenter...

  5. What might these services do?  One could imagine a wide range  A system for monitoring the Internet and continuously tracking loads: a form of continuous tomography  A new kind of service for building secure end-to-end network paths  A next generation of cloud-hosted technologies for “monitoring” the real world (the “Internet of Things”)  A completely new “overlay” Internet with great realtime (or security, or “streaming”...) properties  A platform that caches objects on behalf of mobile users so that their connectivity experience is improved  New kinds of discovery services, fancier than DNS...

  6. So... GENI’s job is to...  ... host the experimental prototypes of these kinds of next-generation Internet applications and services  Our hope would be that many result in fantastic research papers in the networks community (SIGCOMM, NSDI, SOSP , SIGCOMM-IMC) and that some transition and become exciting new products  GENI could be an incredible enabler... if successful

  7. What’s the big risk?  Even in the cloud, sharing machines is a really hard thing to pull off successfully  Not every style of computing works well in the cloud  Some applications experience too many delays and break: various scheduling requirements are violated  Hakim: In Planetlab, as much as 60% of the resources in your slice tend to be unavailable or flakey!  In GENI, where many services will have realtime needs, special resource ownership requirements or other kinds of “rules”, overload could be a disaster

  8. How to deal with contention?  On today’s cloud platforms, the approach is fairly ad-hoc  Scheduler tries to “pack” each physical machine with enough work to keep it fairly busy  Because of variable loads, the usual approach is to “learn” a load model for each application and use the learned behavior in the scheduler packing algorithm  This works, but can leave nodes overcommitted  If that happens, many cloud systems just kill some of the excess load and restart those tasks elsewhere

  9. GENI goals  Each user has an associated “slice” of GENI  Slices has a predicted resource use profile  GENI wants to guarantee that these profiles will be respected  Better to refuse a requested allocation than to grant it but then be overloaded and unable to meet demand  Leads to a requirement: a way for GENI users to specify their needs

  10. Principals 10 Researcher: A user that A slice authority (SA) is A management authority (MA) is wishes to run an responsible for the behavior of responsible for some subset of substrate experiment or service in a set of slices, vouching for the components: providing operational stability for a slice, or a developer users running experiments in those components, ensuring the components that provides a service each slice and taking behave according to acceptable use policies, used by other appropriate action should the and executing the resource allocation wishes researchers. slice misbehave. of the component owner. Next few slides By Aaron Falk

  11. Components & Resources 11 Component Transmission Computer Optical Channel Resource Switch ρ r Route ρ CPU Fiber ID ρ c Cable Some resources Memory Switch Port describe non- ρ f configurable Fiber Disk Channel characteristics of the component. ρ s Spectrum BW Band ρ e Endpoint ID Some measurements S/N measurements μ e Other resources are pools which may be are available as allocated under some constraints. resources Spectrum Analyzer Component : An object representing a physical device in the GENI Location substrate. A component consists of collection of resources . Such physical resources belong to precisely one component. Each Sample period component runs a component manager that implements a well- Measurement equipment may also defined interface for the component. In addition to describing physical appear as Sample BW devices, components may be defined that represent logical devices as components well.

  12. Component Managers 12 Computer CPU Memory Disk BW Each component is controlled via a component manager (CM), which exports a well-defined, remotely accessible interface. The component manager defines the operations available to user- level services to manage the allocation of component resources to different users and their experiments. A management authority (representing the wishes of the owner) establishes policies about how the component's resources are assigned to users. 2/10/08

  13. Slivers & Slices 13 Transmission Transmission Computer Optical Channel Channel Switch ρ r Route ρ r Route CPU ρ 1 , ρ 2 , ρ 3 , ρ 4 Fiber ID ρ c Cable ρ c Cable Memory Switch Port ρ f Fiber ρ f Fiber Disk Channel ρ s Spectrum ρ s Spectrum BW Band ρ e Endpoint ID ρ e Endpoint ID slice slice sliver sliver sliver sliver sliver From a researcher's perspective, a slice is a substrate-wide network of computing and communication resources capable of running an experiment or a wide-area network service. From an operator's perspective, slices are the primary abstraction for accounting and accountability — resources are acquired and consumed by slices, and external program behavior is traceable to a slice, respectively. A slice is defined by a set of slivers spanning a set of network components, plus an associated set of users that are allowed to access those slivers for the purpose of running an experiment on the substrate. That is, a slice has a name, which is bound to a set of users associated with the slice and a (possibly empty) set of slivers.

  14. Identifiers 14 Held by component/slice possessing the GID Easy-to-use handle private key GID (X.509 cert) 128bit UUID For verifying integrity & authenticity of GID, UUID. All researchers, slices, and components have a Global Identifier (GID). A GID is represented as an public key X.509 certificate [X509, RFC-3280] that binds a Universally Unique Identifier (UUID) [X.667] to a Says who is responsible by public key. The object identified by the GID holds the pointing up the chain of authority. private key, thereby forming the basis for (optional). authentication. authority’s signature 2/10/08

  15. Registries & Names 15 Names are human- readable and hierarchical Top-level authority name: geni GID Top-level authority GID: Sub-authority name Sub-authority GID Sub-authority contact info other (e.g., URI, etc) geni.sl http://geni.net/ops/sl GID geni.cm http://geni.net/ops/cmp GID A name registry binds strings to GIDs, as well as to other domain-specific information about the corresponding object (e.g., the URI at which the object’s manager can be reached, an IP or hardware address for the machine on which the object is implemented, the name and postal address of the organization that hosts the object, and so on). The component registry maintains information about a hierarchy of The slice registry maintains information about a hierarchy of slice management authorities, along with the set of components for which the authorities, along with the set of slices for which the SAs have MAs are responsible. This registry binds a human-readable name for taken responsibility. This registry binds a human-readable name for components and MAs to a GID, along with a record of information that slices and SAs to a GID, along with a record of information that includes the URI at which the component’s manager can be accessed; includes email addresses, contact information, and public keys for other attributes and identifiers that might commonly be associated with a the set of users associated with the slice; and in the case of an SA, component (e.g., hardware addresses, IP addresses, DNS names); and in contact information for the organization and people responsible for the case of an MA, contact information for the organization and operators the set of slices. responsible for the set of components.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cards and Transit Education Provide $10 ORCA Youth State funded Cards Joint effort

Cards and Transit Education Provide $10 ORCA Youth State funded Cards Joint effort

ORCA Youth Cards and Transit Education Provide $10 ORCA Youth State funded Cards Joint effort with the Regional Partners Coordinated marketing campaign To King County Teens Goals Increase long-term ORCA usage in teens by

488 views • 31 slides
appearance with KM3NeT/ORCA T. Eberl, S. Hallmann*, J. Hofestdt for the KM3NeT

appearance with KM3NeT/ORCA T. Eberl, S. Hallmann*, J. Hofestdt for the KM3NeT

appearance with KM3NeT/ORCA T. Eberl, S. Hallmann*, J. Hofestdt for the KM3NeT Collaboration 35 th ICRC, Busan, South Korea, 15/07/2017 *speaker KM3NeT/ORCA A detector to study oscillations of the atmospheric neutrino flux ( e ,

159 views • 13 slides
ORCA: Ownership and Reference Counting based Garbage Collection in the Actor World

ORCA: Ownership and Reference Counting based Garbage Collection in the Actor World

ORCA: Ownership and Reference Counting based Garbage Collection in the Actor World Sylvan Clebsch, Sebastian Blessing, Juliana Franco, Sophia Drossopoulou Motivation Motivation - 2 ORCA - idea The actor which created an

633 views • 34 slides
Octant Sensitivity with KM3NeT-ORCA N. R. Khan Chowdhury 1 14 Jan. 2020 | N. R. Khan Chowdhury |

Octant Sensitivity with KM3NeT-ORCA N. R. Khan Chowdhury 1 14 Jan. 2020 | N. R. Khan Chowdhury |

Octant Sensitivity with KM3NeT-ORCA N. R. Khan Chowdhury 1 14 Jan. 2020 | N. R. Khan Chowdhury | ORCA Phone Call | What is octant degeneracy? The ambiguity in the determination of 23 can be from two sources, 1) Inherent octant degeneracy:

366 views • 12 slides
Development of a Mul/disciplinary Team Protocol for ORCA

Development of a Mul/disciplinary Team Protocol for ORCA

Development of a Mul/disciplinary Team Protocol for ORCA Childrens Advocacy Centre Serena Bedwal, Project Assistant/Researcher Fred Ford, Board Chair/Ac/ng Project

902 views • 24 slides
Document Hierarchy of Information Security Corporate Security Policy Policy General commitment

Document Hierarchy of Information Security Corporate Security Policy Policy General commitment

Document Hierarchy of Information Security Corporate Security Policy Policy General commitment to Information Security General commitment to Information Security Installation of CorpSec Enabling CSO Installing Information Security Standard

355 views • 8 slides
Update on Security Policy David Kelsey (RAL) 7 Mar 2010 Security Workshop @ ISGC 2010,

Update on Security Policy David Kelsey (RAL) 7 Mar 2010 Security Workshop @ ISGC 2010,

Update on Security Policy David Kelsey (RAL) 7 Mar 2010 Security Workshop @ ISGC 2010, Taipei david.kelsey at stfc.ac.uk Overview Why do we need security policies? Joint Security Policy Group (JSPG) Some history

408 views • 28 slides
Evi vidence-Based Pla lanning an and De Development with Com ommunities in in Cor orca Dh

Evi vidence-Based Pla lanning an and De Development with Com ommunities in in Cor orca Dh

Evi vidence-Based Pla lanning an and De Development with Com ommunities in in Cor orca Dh Dhuib ibhne Pleanil agus Forbairt i gCorca Dhuibhne n mbun anos agus bunaithe ar fhianaise Progress report, January 2020 Breandn

410 views • 26 slides
Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies Sebastian

Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies Sebastian

Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies Sebastian Roth , Timothy Barron, Stefano Calzavara, Nick Nikiforakis & Ben Stock Network and Distributed System Security Symposium (NDSS '20) Cross-Site

878 views • 31 slides
iGENI Presentation for ORCA Cluster Meeting, GEC 10 Presented By iGENI Consortium:

iGENI Presentation for ORCA Cluster Meeting, GEC 10 Presented By iGENI Consortium:

iGENI Presentation for ORCA Cluster Meeting, GEC 10 Presented By iGENI Consortium: International Center for Advanced Internet Research, Northwestern University et al GENI Engineering Conference 10 (GEC 10) March 15-17, 2011 San Juan, Puerto

385 views • 4 slides
and Advocacy in Alaska Outline: Framing Food Security/Insecurity Food Security in Alaska

and Advocacy in Alaska Outline: Framing Food Security/Insecurity Food Security in Alaska

Anti-Hunger Policy and Advocacy in Alaska Outline: Framing Food Security/Insecurity Food Security in Alaska Federal Policy and Advocacy State Policy and Advocacy SNAP FINI Grant Useful Reports Policy

852 views • 12 slides
ORCA/BEN and Cluster D Demo GEC7 Jeff Chase Duke

ORCA/BEN and Cluster D Demo GEC7 Jeff Chase Duke

D D u k e S y s t t e m s ORCA/BEN and Cluster D Demo GEC7 Jeff Chase Duke University and GENI Cluster D Broker Experiments Federation or Etc. Coalition Open

585 views • 29 slides
ORCA LANGUAGE ABSTRACT Microprocessor based shared-memory multiprocessors are becoming widely

ORCA LANGUAGE ABSTRACT Microprocessor based shared-memory multiprocessors are becoming widely

CS5314 RESEARCH PAPER ON PROGRAMMING LANGUAGES FACULTY: Dr. James D. Arthur SUBMITTED BY: Aditya Varanasi Siddharth Anbalahan ORCA LANGUAGE ABSTRACT Microprocessor based shared-memory multiprocessors are becoming widely available and promise

313 views • 9 slides
US/UK DTCT Security Policy Requirements Jakki Baker/Martin Oram Defence Security Scientific,

US/UK DTCT Security Policy Requirements Jakki Baker/Martin Oram Defence Security Scientific,

US/UK DTCT Security Policy Requirements Jakki Baker/Martin Oram Defence Security Scientific, Technical and Industrial Directorate of Business Resilience Defence Security Security Protection The DTCT requires the Parties to provide an

387 views • 9 slides
KM3NeT/ORCA: measuring neutrino oscillations and the Mass Hierarchy in the Mediterranean Simon

KM3NeT/ORCA: measuring neutrino oscillations and the Mass Hierarchy in the Mediterranean Simon

KM3NeT/ORCA: measuring neutrino oscillations and the Mass Hierarchy in the Mediterranean Simon Bourret Laboratoire APC, CNRS & Universit Paris-Diderot on behalf of the KM3NeT Collaboration XXVI International Workshop on Weak Interactions

465 views • 17 slides
SAVE ORCA Formal Modeling, Safety Analysis, and Verification of Organic Computing Applications

SAVE ORCA Formal Modeling, Safety Analysis, and Verification of Organic Computing Applications

SAVE ORCA Formal Modeling, Safety Analysis, and Verification of Organic Computing Applications Hella Seebach , Florian Nafz and Wolfgang Reif What has happend in the last months? Software Engineering Guideline for Resource-Flow Systems

828 views • 29 slides
Architecture 2030 @ ISCA16 Luis Ceze, Tom Wenisch Mark Hill (CCC liaison, mentor) Neha

Architecture 2030 @ ISCA16 Luis Ceze, Tom Wenisch Mark Hill (CCC liaison, mentor) Neha

Architecture 2030 @ ISCA16 Luis Ceze, Tom Wenisch Mark Hill (CCC liaison, mentor) Neha Agarwal, Amrita Mazumdar, Aasheesh Kolli LIVE! (Student volunteers) Context Many fantastic community formation/visioning workshops: NSF ACAR,

1.47k views • 21 slides
Assignment 5 groups of 3-4 students Purpose: learning to evaluate orga ganised nised

Assignment 5 groups of 3-4 students Purpose: learning to evaluate orga ganised nised

INF3280 21 Jan 2016 Assignmen nment t 5 Implementation of IT User training User support Learning of IT User competence Learnability Help functionality User documentation Human resource development

466 views • 4 slides
CSE 258 Lecture 4 Web Mining and Recommender Systems Evaluating Classifiers Last lecture

CSE 258 Lecture 4 Web Mining and Recommender Systems Evaluating Classifiers Last lecture

CSE 258 Lecture 4 Web Mining and Recommender Systems Evaluating Classifiers Last lecture How can we predict binary or categorical variables? {0,1}, {True, False} {1, , N} Last lecture Will I purchase this product? (yes) Will I

1.15k views • 46 slides
Beyond nouns: Exploiting prepositions and comparative adjectives for learning visual classifiers

Beyond nouns: Exploiting prepositions and comparative adjectives for learning visual classifiers

Beyond nouns: Exploiting prepositions and comparative adjectives for learning visual classifiers by Abhinav Gupta & Larry S. Davis presented by Arvie Frydenlund Paper information ECCV 2008 Slides at http://www.cs.cmu.edu/

563 views • 21 slides
An Incomplete History of Computation Charles Babbage 1791-1871 Ada Lovelace 1815-1852 Lucasian

An Incomplete History of Computation Charles Babbage 1791-1871 Ada Lovelace 1815-1852 Lucasian

An Incomplete History of Computation Charles Babbage 1791-1871 Ada Lovelace 1815-1852 Lucasian Professor of Mathematics, Cambridge University, 1827-1839 First computer programmer First computer designer Difference Engine Can compute any

809 views • 45 slides
Introduction Reference scenarios Components Database functions and features Sync architecture

Introduction Reference scenarios Components Database functions and features Sync architecture

DB2 Everyplace V7.2.1 - Mobile and Embedded Database and Synchronization Architecture Joachim Stumpf DB2 Technical sales support Agenda Introduction Reference scenarios Components Database functions and features Sync architecture

490 views • 18 slides
Timetabling and Scheduling Marco Chiarandini Outline 1. Timetabling Educational Timetabling

Timetabling and Scheduling Marco Chiarandini Outline 1. Timetabling Educational Timetabling

LOCAL SEARCH METHODS APPLICATIONS AND ENGINEERING Lecture 8 Timetabling and Scheduling Marco Chiarandini Outline 1. Timetabling Educational Timetabling Solution Methods for the Course Timetabling An Example Workforce Scheduling 2.

366 views • 32 slides
Planning and Optimization Francesco Leofante University of Sassari, Italy University of Genoa,

Planning and Optimization Francesco Leofante University of Sassari, Italy University of Genoa,

Planning and Optimization Francesco Leofante University of Sassari, Italy University of Genoa, Italy AI4CPS 2019 Why? Alice and The Cheshire Cat debating on the relevance of planning F. Leofante AI4CPS 2019 January 29, 2019 2 / 10 Why?

774 views • 32 slides

More recommend