DOCSLIB.ORG

Singularity Vs. the Hard Way Part 1

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Singularity Vs. the Hard Way Part 1 Singularity vs. the Hard Way Part 1 Jeff Chase Today • Singularity: abstractions User processes / • vs. the “Hard Way” (e.g., *i*x) VAS / segments – Processes vs. SIPs user – Protection: hard vs. soft – Kernel vs. microkernel kernel kernel – Extensibility: open vs. closed code+data • Questions – How is the kernel protected? – How does it control access to data? – How does it keep control? Sealing OS Processes to Improve Dependability and Safety Galen Hunt, Mark Aiken, Manuel Fähndrich, Chris Hawblitzel, Orion Hodson, James Larus, Steven Levi, Bjarne Steensgaard, David Tarditi, and Ted Wobber Microsoft Research One Microsoft Way Redmond, WA 98052 USA [email protected] ABSTRACT General Terms In most modern operating systems, a process is a Design, Reliability, Experimentation. hardware-protected abstraction for isolating code and data. This protection, however, is selective. Many common Keywords mechanisms—dynamic code loading, run-time code Open process architecture, sealed process architecture, sealed generation, shared memory, and intrusive system APIs— kernel, software isolated process (SIP). make the barrier between processes very permeable. This paper argues that this traditional open process architecture 1. INTRODUCTION exacerbates the dependability and security weaknesses of Processes debuted, circa 1965, as a recognized operating modern systems. system abstraction in Multics [48]. Multics pioneered As a remedy, this paper proposes a sealed process many attributes of modern processes: OS-supported architecture, which prohibits dynamic code loading, self- dynamic code loading, run-time code generation, cross- modifying code, shared memory, and limits the scope of process shared memory, and an intrusive kernel API that the process API. This paper describes the implementation permitted one process to modify directly the state of of the sealed process architecture in the Singularity another process. operating system, discusses its merits and drawbacks, and Today, this architecture—which we call the open process evaluates its effectiveness. Some benefits of this sealed architecture—is nearly universal. Although aspects of this process architecture are: improved program analysis by architecture, such as dynamic code loading and shared tools, stronger security and safety guarantees, elimination memory, were not in Multics’ immediate successors (early of redundant overlaps between the OS and language versions of UNIX [35] or early PC operating systems), runtimes, and improved software engineering. today’s systems, such as FreeBSD, Linux, Solaris, and Windows, embrace all four attributes of the open process ConventionalSealing OS Processes wisdom saysto Improve open processes Dependability are required and Safety, for EuroSys 2007 performance; our experience suggests otherwise. We architecture . present the first macrobenchmarks for a sealed-process The open process architecture is commonly used to extend operating system and applications. The benchmarks show an OS or application by dynamically loading new features that an experimental sealed-process system can achieve and functionality directly into a kernel or running process. performance competitive with highly-tuned, commercial, For example, Microsoft Windows supports over 100,000 open-process systems. third-party, in-kernel modules ranging in functionality Categories and Subject Descriptors from device drivers to anti-virus scanners. Dynamically loaded extensions are also widely used as web server D.2.3 [Software Engineering] Coding Tools and Techniques; D.2.4 [Software Engineering] Software/Program Verification; extensions (e.g., ISAPI extensions for Microsoft’s IIS or D.4.1 [Operating Systems]: Process Management; D.4.5 modules for Apache), stored procedures in databases, [Operating Systems]: Reliability; D.4.6 [Operating Systems]: email virus scanners, web browser plug-ins, application Organization and Design; D.4.7 [Operating Systems]: Security plug-ins, shell extensions, etc. While the role of open and Protection. processes in Windows is widely recognized, like any versatile technology they are widely use in other systems Permission to make digital or hard copies of part or all of this work for as well [10, 42]. personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy 1.1. Problems with Open Processes otherwise, to republish, to post on servers, or to redistribute to lists, Systems that support open processes almost always requires prior specific permission and/or a fee. EuroSys’07, March 21–23, 2007, Lisbon, Portugal. implement process isolation through hardware mechanisms Copyright 2007 ACM 978-1-59593-636-3/07/0003 such as memory management protection and differentiated Singularity OS Architecture channels • Safe micro-kernel content web TCP/IP network – 95% written in C# extension server stack driver • 17% of files contain unsafe C# • 5% of files contain x86 asm or C++ ext. server tcp driver – services and device drivers in processes class class class class library library library library • Software isolated processes (SIPs) processes – all user code is verifiably safe runtime runtime runtime runtime – some unsafe code in trusted runtime – processes and kernel sealed at start time kernel API • Communication via channels kernel kernel – channel behavior is specified and checked page mgr scheduler class – fast and efficient communication chan mgr library proc mgr • Working research prototype i/o mgr runtime – not Windows replacement HAL Singularity Processes and the kernel Programs Each process run as data data has a private independent virtual address processes. space and one or more threads. Protected ...and upcalls system calls, (e.g., signals) and faults, Protected OS Threads kernel enter the mediates kernel for access to OS shared services. resources. The kernel code and data are protected from untrusted processes. 310 Processes and the kernel • A (classical) OS lets us run programs as processes. A process is a running program instance (with a thread). – Program code runs with the CPU core in untrusted user mode. • Processes are protected/isolated. – Virtual address space is a “fenced pasture” – Sandbox: can’t get out. Lockbox: nobody else can get in. • The OS kernel controls everything. – Kernel code runs with the core in trusted kernel mode. 310 Threads I draw my threads like this. • A thread is a stream of control…. – Executes a sequence of instructions. – Thread identity is defined by CPU register context (PC, SP, …, page table base registers, …) – Generally: a thread’s context is its register values and referenced memory state (stacks, page tables). • Multiple threads can execute independently: – They can run in parallel on multiple cores... • physical concurrency – …or arbitrarily interleaved on some single core. • logical concurrency Some people draw threads as • A thread is also an OS abstraction to spawn and squiggly lines. manage a stream of control. 310 User/kernel user space Safe control transfer kernel code kernel space kernel data 310 Threads and the kernel process • Modern operating systems have multi- VAS threaded processes. data user mode • A program starts with one main thread, but user space once running it may create more threads. • Threads may enter the kernel (e.g., syscall). threads • (We assume that) threads are known to the OS kernel. trap – Kernel has syscalls to create threads (e.g., fault Linux clone). / resume • Implementations vary. – This model applies to Linux, MacOS-X, kernel mode Windows, Android, and pthreads or Java on kernel space those systems. 310 2.1 Software-Isolated Processes Like processes in many operating systems, a SIP is a holder of processing resources and provides the context for program execution. Execution of each user program occurs within the context of a SIP. Associated with a SIP is a set of memory pages containing code and data. A SIP contains one or more threads of execution. A SIP executes with a security identity and has associated OS security attributes. Finally, SIPs provide information hiding and failure isolation. Singularity: Rethinking the Software Stack 3.2. Software Isolated Processes A Singularity process is called a software isolated process (SIP): • A SIP consists of a set of memory pages, a set of threads, and a set of channel endpoints…. • A SIP starts with a single thread, enough memory to hold its code, an initial set of channel endpoints, and a small heap. • It obtains additional memory by calling the kernel’s page manager, which returns new, unshared pages. • These pages need not be adjacent to the SIP’s existing address space, since safe programming languages do not require contiguous address spaces. Sealing OS Processes to Improve Dependability and Safety Process Model • Process contains only safe code • No shared memory – communicates via messages • Messages flow over channels – well-defined & verified Software • Lightweight threads for concurrency Isolated Process • Small binary interface to kernel – threads, memory, & channels “SIP” • Seal the process on execution – no dynamic code loading ABI – no in-process plug-ins • Everything can run in ring 0 in kernel memory! Kernel Singularity SIP safety/isolation • Language safety ensures that untrusted code cannot create or mutate pointers to access the memory pages of another SIP. • SIPs do not share data, so all communications occurs through the exchange of messages over message-passing
Load more

Recommended publications
  • Industrial Control Via Application Containers: Migrating from Bare-Metal to IAAS
    Industrial Control via Application Containers: Migrating from Bare-Metal to IAAS Florian Hofer, Student Member, IEEE Martin A. Sehr Antonio Iannopollo, Member, IEEE Faculty of Computer Science Corporate Technology EECS Department Free University of Bolzano-Bozen Siemens Corporation University of California Bolzano, Italy Berkeley, CA 94704, USA Berkeley, CA 94720, USA fl[email protected] [email protected] [email protected] Ines Ugalde Alberto Sangiovanni-Vincentelli, Fellow, IEEE Barbara Russo Corporate Technology EECS Department Faculty of Computer Science Siemens Corporation University of California Free University of Bolzano-Bozen Berkeley, CA 94704, USA Berkeley, CA 94720, USA Bolzano, Italy [email protected] [email protected] [email protected] Abstract—We explore the challenges and opportunities of control design full authority over the environment in which shifting industrial control software from dedicated hardware to its software will run, it is not straightforward to determine bare-metal servers or cloud computing platforms using off the under what conditions the software can be executed on cloud shelf technologies. In particular, we demonstrate that executing time-critical applications on cloud platforms is viable based on computing platforms due to resource virtualization. Yet, we a series of dedicated latency tests targeting relevant real-time believe that the principles of Industry 4.0 present a unique configurations. opportunity to explore complementing traditional automation Index Terms—Industrial Control Systems, Real-Time, IAAS, components with a novel control architecture [3]. Containers, Determinism We believe that modern virtualization techniques such as application containerization [3]–[5] are essential for adequate I. INTRODUCTION utilization of cloud computing resources in industrial con- Emerging technologies such as the Internet of Things and trol systems.
    [Show full text]
  • Draft SP 800-125A Rev. 1, Security Recommendations for Server
    The attached DRAFT document (provided here for historical purposes), released on April 11, 2018, has been superseded by the following publication: Publication Number: NIST Special Publication (SP) 800-125A Rev. 1 Title: Security Recommendations for Server-based Hypervisor Platforms Publication Date: June 2018 • Final Publication: https://doi.org/10.6028/NIST.SP.800-125Ar1 (which links to https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-125Ar1.pdf). • Related Information on CSRC: Final: https://csrc.nist.gov/publications/detail/sp/800-125a/rev-1/final 1 Draft NIST Special Publication 800-125A 2 Revision 1 3 4 Security Recommendations for 5 Hypervisor Deployment on 6 ServersServer-based Hypervisor 7 Platforms 8 9 10 11 12 Ramaswamy Chandramouli 13 14 15 16 17 18 19 20 21 22 23 C O M P U T E R S E C U R I T Y 24 25 Draft NIST Special Publication 800-125A 26 Revision 1 27 28 29 30 Security Recommendations for 31 Server-based Hypervisor Platforms 32 33 Hypervisor Deployment on Servers 34 35 36 37 Ramaswamy Chandramouli 38 Computer Security Division 39 Information Technology Laboratory 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 April 2018 56 57 58 59 60 61 U.S. Department of Commerce 62 Wilbur L. Ross, Jr., Secretary 63 64 National Institute of Standards and Technology 65 Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology 66 67 Authority 68 69 This publication has been developed by NIST in accordance with its statutory responsibilities under the 70 Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C.
    [Show full text]
  • Portability: Containers, Cloud
    JEDI Portability Across Platforms Containers, Cloud Computing, and HPC Mark Miesch, Rahul Mahajan, Xin Zhang, David Hahn, Francois Vandenberg, Jim Rosinski, Dan Holdaway, Yannick Tremolet, Maryam Abdioskouei, Steve Herbener, Mark Olah, Benjamin Menetrier, Anna Shlyaeva, Clementine Gas Academy website http://academy.jcsda.org/june2019 ‣ Instructions for accessing AWS ‣ Activity instructions ‣ Presentation slides ‣ Doxygen documentation for fv3-bundle We will add further content throughout the week Outline I) JEDI Portability Overview ✦ Unified vision for software development and distribution II) Container Fundamentals ✦ What are they? How do they work? ✦ Docker, Charliecloud, and Singularity III) Using the JEDI Containers ✦ How they are built and deployed ✦ Mac and Windows (Vagrant) IV) HPC and Cloud Computing ✦ Environment modules ✦ Containers in HPC? V) Summary and Outlook JEDI Software Dependencies ‣ Essential ✦ Compilers, MPI ✦ CMake Common versions among users ✦ SZIP, ZLIB and developers minimize ✦ LAPACK / MKL, Eigen 3 stack-related debugging ✦ NetCDF4, HDF5 ✦ udunits ✦ Boost (headers only) ✦ ecbuild, eckit, fckit ‣ Useful ✦ ODB-API, eccodes ✦ PNETCDF ✦ Parallel IO ✦ nccmp, NCO ✦ Python tools (py-ncepbufr, netcdf4, matplotlib…) ✦ NCEP libs ✦ Debuggers & Profilers (ddt/TotalView, kdbg, valgrind, TAU…) The JEDI Portability Vision I want to run JEDI on… Development ‣ My Laptop/Workstation/PC ✦ We provide software containers ✦ Mac & Windows system need to first establish a linux environment (e.g. a Vagrant/VirtualBox virtual machine) Development
    [Show full text]
  • Designing and Implementing the OP and OP2 Web Browsers
    Designing and Implementing the OP and OP2 Web Browsers CHRIS GRIER, SHUO TANG and SAMUEL T. KING, University of Illinois at Urbana-Champaign Current web browsers are plagued with vulnerabilities, providing hackers with easy access to computer systems via browser-based attacks. Browser security efforts that retrofit existing browsers have had lim- ited success because the design of modern browsers is fundamentally flawed. To enable more secure web browsing, we design and implement a new browser, called the OP web browser, that attempts to improve the state-of-the-art in browser security. We combine operating system design principles with formal methods to design a more secure web browser by drawing on the expertise of both communities. Our design philosophy is to partition the browser into smaller subsystems and make all communication between subsystems sim- ple and explicit. At the core of our design is a small browser kernel that manages the browser subsystems and interposes on all communications between them to enforce our new browser security features. To show the utility of our browser architecture, we design and implement three novel security features. First, we develop flexible security policies that allow us to include browser plugins within our security framework. Second, we use formal methods to prove useful security properties including user interface invariants and browser security policy. Third, we design and implement a browser-level information-flow tracking system to enable post-mortem analysis of browser-based attacks. In addition to presenting the OP browser architecture, we discuss the design and implementation of a second version of OP, OP2, that includes features from other secure web browser designs to improve on the overall security and performance of OP.
    [Show full text]
  • Isolation, Resource Management, and Sharing in Java
    Processes in KaffeOS: Isolation, Resource Management, and Sharing in Java Godmar Back, Wilson C. Hsieh, Jay Lepreau School of Computing University of Utah Abstract many environments for executing untrusted code: for example, applets, servlets, active packets [41], database Single-language runtime systems, in the form of Java queries [15], and kernel extensions [6]. Current systems virtual machines, are widely deployed platforms for ex- (such as Java) provide memory protection through the ecuting untrusted mobile code. These runtimes pro- enforcement of type safety and secure system services vide some of the features that operating systems pro- through a number of mechanisms, including namespace vide: inter-application memory protection and basic sys- and access control. Unfortunately, malicious or buggy tem services. They do not, however, provide the ability applications can deny service to other applications. For to isolate applications from each other, or limit their re- example, a Java applet can generate excessive amounts source consumption. This paper describes KaffeOS, a of garbage and cause a Web browser to spend all of its Java runtime system that provides these features. The time collecting it. KaffeOS architecture takes many lessons from operating To support the execution of untrusted code, type-safe system design, such as the use of a user/kernel bound- language runtimes need to provide a mechanism to iso- ary, and employs garbage collection techniques, such as late and manage the resources of applications, analogous write barriers. to that provided by operating systems. Although other re- The KaffeOS architecture supports the OS abstraction source management abstractions exist [4], the classic OS of a process in a Java virtual machine.
    [Show full text]
  • Cali: Compiler-Assisted Library Isolation
    Cali: Compiler-Assisted Library Isolation Markus Bauer Christian Rossow CISPA Helmholtz Center for Information Security CISPA Helmholtz Center for Information Security Saarbrücken, Saarland, Germany Saarbrücken, Saarland, Germany [email protected] [email protected] ABSTRACT the full program’s privileges and address space. This lack of privi- Software libraries can freely access the program’s entire address lege separation and memory isolation has led to numerous critical space, and also inherit its system-level privileges. This lack of sepa- security incidents. ration regularly leads to security-critical incidents once libraries We can significantly reduce this threat surface by isolating the contain vulnerabilities or turn rogue. We present Cali, a compiler- library from the main program. In most cases, a library (i) neither assisted library isolation system that fully automatically shields a requires access to the entire program’s address space, (ii) nor needs program from a given library. Cali is fully compatible with main- the full program’s privileges to function properly. In fact, even line Linux and does not require supervisor privileges to execute. We complex libraries such as parsers require only limited interaction compartmentalize libraries into their own process with well-defined with the program and/or system. Conceptually, there is thus little security policies. To preserve the functionality of the interactions need to grant an untrusted library access to the program or to between program and library, Cali uses a Program Dependence critical system privileges. Basic compartmentalization principles Graph to track data flow between the program and the library dur- thus help to secure a program from misuse by untrusted code.
    [Show full text]
  • Introduction to Operating Systems Learning Outcomes What Is An
    Learning Outcomes • High-level understand what is an operating Introduction to Operating system and the role it plays Systems • A high-level understanding of the structure of operating systems, applications, and the relationship between them. Chapter 1 – 1.3 • Some knowledge of the services provided by Chapter 1.5 – 1.9 operating systems. • Exposure to some details of major OS concepts. 2 What is an Operating System? 3 4 Block Diagram of Haswell Platform Architecture http://www.pcquest.com Role 1: The Operating System is Disk Users an Abstract Machine • Extends the basic hardware with added Memory functionality • Provides high-level abstractions – More programmer friendly CPU – Common core for all applications Network • E.g. Filesystem instead of just registers on a disk controller Bandwidth • It hides the details of the hardware – Makes application code portable 5 6 1 Structural (Implementation) View: the Role 2: The Operating System Operating System is the Privileged is a Resource Manager Component • Responsible for allocating resources to users and processes Applications Applications Applications • Must ensure User Mode Requests (System Calls) – No Starvation Privileged Mode – Progress – Allocation is according to some desired policy Operating System • First-come, first-served; Fair share; Weighted fair share; limits (quotas), etc… – Overall, that the system is efficiently used Hardware 7 8 The Operating System is Operating System Kernel Privileged • Portion of the operating system that is • Applications should not be able to interfere
    [Show full text]
  • Sealing OS Processes to Improve Dependability and Security
    Sealing OS Processes to Improve Dependability and Safety Galen Hunt, Mark Aiken, Manuel Fähndrich, Chris Hawblitzel, Orion Hodson, James Larus, Steven Levi, Bjarne Steensgaard, David Tarditi, and Ted Wobber Microsoft Research One Microsoft Way Redmond, WA 98052 USA [email protected] ABSTRACT General Terms In most modern operating systems, a process is a Design, Reliability, Experimentation. hardware-protected abstraction for isolating code and data. This protection, however, is selective. Many common Keywords mechanisms—dynamic code loading, run-time code Open process architecture, sealed process architecture, sealed generation, shared memory, and intrusive system APIs— kernel, software isolated process (SIP). make the barrier between processes very permeable. This paper argues that this traditional open process architecture 1. INTRODUCTION exacerbates the dependability and security weaknesses of Processes debuted, circa 1965, as a recognized operating modern systems. system abstraction in Multics [48]. Multics pioneered As a remedy, this paper proposes a sealed process many attributes of modern processes: OS-supported architecture, which prohibits dynamic code loading, self- dynamic code loading, run-time code generation, cross- modifying code, shared memory, and limits the scope of process shared memory, and an intrusive kernel API that the process API. This paper describes the implementation permitted one process to modify directly the state of of the sealed process architecture in the Singularity another process. operating system,
    [Show full text]
  • Security Analysis of Browser Extension Concepts
    Saarland University Faculty of Natural Sciences and Technology I Department of Computer Science Bachelor's thesis Security Analysis of Browser Extension Concepts A comparison of Internet Explorer 9, Safari 5, Firefox 8, and Chrome 14 submitted by Karsten Knuth submitted January 14, 2012 Supervisor Prof. Dr. Michael Backes Advisors Raphael Reischuk Sebastian Gerling Reviewers Prof. Dr. Michael Backes Dr. Matteo Maffei Statement in Lieu of an Oath I hereby confirm that I have written this thesis on my own and that I have not used any other media or materials than the ones referred to in this thesis. Saarbr¨ucken, January 14, 2012 Karsten Knuth Declaration of Consent I agree to make both versions of my thesis (with a passing grade) accessible to the public by having them added to the library of the Computer Science Department. Saarbr¨ucken, January 14, 2012 Karsten Knuth Acknowledgments First of all, I thank Professor Dr. Michael Backes for giving me the chance to write my bachelor's thesis at the Information Security & Cryptography chair. During the making of this thesis I have gotten a deeper look in a topic which I hope to be given the chance to follow up in my upcoming academic career. Furthermore, I thank my advisors Raphael Reischuk, Sebastian Gerling, and Philipp von Styp-Rekowsky for supporting me with words and deeds during the making of this thesis. In particular, I thank the first two for bearing with me since the release of my topic. My thanks also go to Lara Schneider and Michael Zeidler for offering me helpful advice.
    [Show full text]
  • Web Browsers As Operating Systems: Supporting Robust and Secure Web Programs Charles Reis Final Exam - May 27, 2009
    Web Browsers as Operating Systems: Supporting Robust and Secure Web Programs Charles Reis Final Exam - May 27, 2009 1 Web is Evolving Pages Programs More complex, active content Browser now in role of OS, but faces challenges Browsers aren’t built for programs Web content not designed to express programs 2 Concrete Problems Problems Contributions Program Interference Multi-Process Browsers [EuroSys ’09] In-Flight Page Changes Web Tripwires [NSDI ’08] XSS Script Whitelists Browser Exploits BrowserShield [OSDI ’06] 3 Consider OS Landscape Performance isolation Resource accounting Failure isolation Clear program abstraction 4 Browsers Fall Short Unresponsiveness Jumbled accounting Browser crashes Unclear what a program is! 5 Preserve Web’s Strengths Improve program support, but keep it: Easy to publish content Easy to compose content Generally safe to explore 6 Thesis: Adapt lessons from the OS to improve robustness and security of web browsers and web content Support four architectural principles: 1. Identify program boundaries 2. Isolate programs from each other 3. Authorize program code 4. Enforce policies on program behavior [HotNets ’07] 7 Outline Browser Architecture: Chromium Identify program boundaries Isolate programs from each other Web Tripwires Additional Contributions Future Directions 8 Programs in the Browser Mail Doc List Doc Consider an example Doc browsing session Blog Several independent programs Mail News Article 9 Monolithic Browsers Most browsers put all pages in one process Mail Doc List Doc Poor performance isolation Blog Poor failure isolation Mail Poor security News Article Should re-architect the browser 10 Process per Window? Mail Doc List Doc Breaks pages that directly communicate Shared access to Blog data structures, etc.
    [Show full text]
  • Memento: Learning Secrets from Process Footprints
    Memento: Learning Secrets from Process Footprints Suman Jana and Vitaly Shmatikov The University of Texas at Austin Abstract—We describe a new side-channel attack. By track- Our contributions. In the 2000 movie “Memento,” the main ing changes in the application’s memory footprint, a concurrent character, suffering from anterograde amnesia, writes out his process belonging to a different user can learn its secrets. Using memories in small increments using snapshots and tattoos. Web browsers as the target, we show how an unprivileged, local attack process—for example, a malicious Android app—can When put together, these snippets reveal the answer to a infer which page the user is browsing, as well as finer-grained murder mystery. In this paper, we show that the dynamics information: whether she is a paid customer, her interests, etc. of memory footprints—sequences of snapshots of the pro- This attack is an instance of a broader problem. Many gram’s data resident size (DRS)—are correlated with the isolation mechanisms in modern systems reveal accounting in- program’s secrets and allow accurate adversarial inference. formation about program execution, such as memory usage and This robust side channel can be exploited in any multi-user CPU scheduling statistics. If temporal changes in this public information are correlated with the program’s secrets, they environment: for example, by a malicious app on an Android can lead to a privacy breach. To illustrate the pervasiveness of smartphone or a nosy user on a shared workstation. this problem, we show how to exploit scheduling statistics for We focus on Web browsers as an example of a sophis- keystroke sniffing in Linux and Android, and how to combine ticated application that keeps important secrets (browsing scheduling statistics with the dynamics of memory usage for behavior).
    [Show full text]
  • Introduction to Containers
    Introduction to Containers Martin Čuma Center for High Performance Computing University of Utah [email protected] Overview • Why do we want to use containers? • Containers basics • Run a pre-made container • Build and deploy a container • Containers for complex software 06-Nov-20 http://www.chpc.utah.edu Slide 2 Hands on setup 1. Download the talk slides http://home.chpc.utah.edu/~mcuma/chpc/Containers20s.pdf https://tinyurl.com/yd2xtv5d 2. Using FastX or Putty, ssh to any CHPC Linux machine, e.g. $ ssh [email protected] 3. Load the Singularity and modules $ module load singularity 06-Nov-20 http://www.chpc.utah.edu Slide 3 Hands on setup for building containers 1. Create a GitHub account if you don’t have one https://github.com/join {Remember your username and password!} 2. Go to https://cloud.sylabs.io/home click Remote Builder, then click Sign in to Sylabs and then Sign in with GitHub, using your GitHub account 3. Go to https://cloud.sylabs.io/builder click on your user name (upper right corner), select Access Tokens, write token name, click Create a New Access Token, and copy it 4. In the terminal on frisco, install it to your ~/.singularity/sylabs-token file nano ~/.singularity/sylabs-token, paste, ctrl-x to save 06-Nov-20 http://www.chpc.utah.edu Slide 4 Why to use containers? 06-Nov-20 http://www.chpc.utah.edu Slide 5 Software dependencies • Some programs require complex software environments – OS type and versions – Drivers – Compiler type and versions – Software dependencies • glibc, stdlibc++ versions • Other libraries
    [Show full text]