DOCSLIB.ORG

Zerovm Backgroud Institute for Cyber Security

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Zerovm Backgroud Institute for Cyber Security Institute for Cyber Security ZeroVM Backgroud Prosunjit Biswas Institute for Cyber Security University of Texas at San Antonio April 23, 2014 Institute of Cyber Security, ICS @ UTSA World-Leading Research with Real-World Impact! 1 Institute for Cyber Security Motivation Behind ZeroVM 1. In Amazon map/reduces a considerable amount of overhead was due to fetching the data from s3 to EC2 Instances and put it back to s3. 2. The overhead was hurting when the customers need to remake to cluster and do the map/reduce again. 3. A significant amount of customer’s money was spent due to moving the data back and forth. World-Leading Research with Real-World Impact! 2 Institute for Cyber Security Motivation Behind ZeroVM(continued) 1. can we bring to Application to the data(very limited I/O overhead)? Challenge with High I/O 2. How can we ensure no harm even if the application is malicious? Challenge with Application Isolation World-Leading Research with Real-World Impact! 3 Institute for Cyber Security What is ZeroVM ZeroVM is an open–source lightweight virtualization platform based on the Chromium Native Client project. World-Leading Research with Real-World Impact! 4 Institute for Cyber Security ZeroVM Properties 1. ZeroVM virtualizes Application not Operating System. 2. Single threaded (thus deterministic) execution 3. Constraint Resource Channel based I/O Predefine socket port / network Restricted Memory Access Limited Read/ Write (in bytes) Limited life time / Predefined timeout World-Leading Research with Real-World Impact! 5 Institute for Cyber Security ZeroVM Properties 1. ZeroVM virtualizes Application not Operating System. 2. Single threaded (thus deterministic) execution 3. Constraint Resource Channel based I/O Predefine socket port / network Restricted Memory Access Limited Read/ Write (in bytes) Limited life time / Predefined timeout World-Leading Research with Real-World Impact! 6 Institute for Cyber Security Popular Virtualizations 1. ZeroVM virtualizes Application not Operating System. 2. Does zeroVM uses process level virtualization ? No OS Level Virtualization Process Level Virtualization World-Leading Research with Real-World Impact! 7 Institute for Cyber Security Popular Virtualizations Pros: Pros: 1. Easy to maintain 1. Complete Isolation 2. Comparative low overhead. Dedicated V. Memory Dedicated V. Storage Dedicated V. CPU Cons: 2. Flexible Architecture Almost all OS is supported 1. Single Large Fault domain 3. Fault Tolerance a. One malicious app may crush the whole system. Cons: 2. No Complete isolation. 1. High Resource Overhead 2. High Maintenance Cost. OS Level Virtualization Process Level Virtualization World-Leading Research with Real-World Impact! 8 Institute for Cyber Security ZeroVM Virtualization Pros: 1. Nearly Complete Isolation - Uses Google Native Client (NaCl) Project 2. Low Resource overhead. 3. Fault Tolerant Cons: 1. Run Only special Process Level Virtualization executables/ binary. 2. 3. No support for existing World-Leading Research with Real-World Impact! 9 Institute for Cyber Security ZeroVM Properties 1. ZeroVM virtualizes Application not Operating System. 2. Single threaded (thus deterministic) execution 3. Constraint Resource Channel based I/O Predefine socket port / network Restricted Memory Access Limited Read/ Write (in bytes) Limited life time / Predefined timeout World-Leading Research with Real-World Impact! 10 Institute for Cyber Security ZeroVM Properties Single Threaded Execution: 1. ZeroVM virtualizes Application not 1. No Fork Operating System. 2. No Context Switch 2. Single threaded (thus deterministic) execution 3. No Fault due to Undeterministi c concurrency 3. Constraint Resource Channel based I/O Predefine socket port / network Restricted Memory Access Limited Read/ Write (in bytes) Limited life time / Predefined timeout World-Leading Research with Real-World Impact! 11 Institute for Cyber Security ZeroVM Properties 1. ZeroVM virtualizes Application not Operating System. 2. Single threaded (thus deterministic) execution 3. Constraint Resource Channel based I/O Predefine socket port / network Restricted Memory Access Limited Read/ Write (in bytes) Limited life time / Predefined timeout World-Leading Research with Real-World Impact! 12 Institute for Cyber Security Channel Based Input / Output Before execution ZeroVM is given a manifest/ configuration file which specify predefined Resources through Channel. Input file, Output file / File System 1. ZeroVM virtualizes Application not Operating System. Network (socket, DNS) Memory 2. Single threaded (thus deterministic) execution Channel = /tmp/input.txt, /dev/stdin, 0, 1, 0x1000, 3. Constraint Resource 0x1000, 0, 0 Channel based I/O Which means : Predefine socket port / network Zerovm input (/dev/stdin) comes from : /tmp/input.txt of Restricted Memory Access Limited Read/ Write (in bytes) local filesystem. Limited life time / Predefined 0: Only sequential Read / Write is allowed timeout 0x1000: only 1000 bytes is allowed to be read from input file. 0: 0 bytes can be written to /tmp/input.txt World-Leading Research with Real-World Impact! 13 Institute for Cyber Security An example Manifest file Channel = /dev/null, /dev/stdin, 0, 1, 999999, 999999, 0, 0 1. ZeroVM virtualizes Application not Channel = /dev/stdout, /dev/stdout, 0, 1, 0, 0, 999999, 999999 Operating System. Channel = /dev/stderr, /dev/stderr, 0, 1, 0, 0, 999999, 999999 2. Single threaded (thus deterministic) execution Version = 20130611 Program = hello.nexe 3. Constraint Resource Memory = 33554432, 1 Channel based I/O Timeout = 1 Predefine socket port / network Restricted Memory Access Limited Read/ Write (in bytes) Limited life time / Predefined timeout World-Leading Research with Real-World Impact! 14 Institute for Cyber Security ZeroVM Properties Single Threaded Execution: 1. ZeroVM virtualizes Application not Operating System. 1. No Fork 2. Single threaded (thus deterministic) 2. No Context Switch execution 3. No Fault due to 3. Constraint Resource Undeterministic Channel based I/O concurrency Predefine socket port / network Restricted Memory Access Limited Read/ Write (in bytes) Limited life time / Predefined timeout World-Leading Research with Real-World Impact! 15 Institute for Cyber Security Binary Support for ZeroVM ZeroVM executables have to be precompiled in .nexe format. Currently only C (C99) and python executables are supported. Existing C executables and python interpreter need recompilation to modify / eliminate sensitive system calls. World-Leading Research with Real-World Impact! 16 Institute for Cyber Security ZeroVM from a theoretical standpoint ZeroVM Functional Dependency and Security Google Native Client Feature Software Fault Isolation World-Leading Research with Real-World Impact! 17 Institute for Cyber Security ZeroVM from a theoretical standpoint ZeroVM Functional Dependency and Security Google Native Client Feature Software Fault Isolation World-Leading Research with Real-World Impact! 18 Institute for Cyber Security Software Fault Isolation Fault Isolation Techniques: Untrusted 1. Address Space Abstraction by Code OS ( Ex: Trusted Code Third party Cons: ( Ex: extensions) 1. Communication between address Distributed by Google ) space is very costly. Ex: Google Chrome Project Malicious access Valid access World-Leading Research with Real-World Impact! 19 Institute for Cyber Security Software Fault Isolation Fault Domain: -- Contiguous region of memory. -- have different code and data segment Fault Fault -- Code from different trust level have own fault domain. domain1 doman2 Cross Domain Communication: -- No direct memory access -- All call are implemented by RPC Fault Single Domain Restricted Access: -- the module cannot change Code segment. (dangerous, domain3 self modifying code) -- Every jump instruction must not pass single domain. -- Most Jumps are statically verified otherwise -- verified at run time with help of checking code. Distributed code / extensions must be recompiled/rewritten. World-Leading Research with Real-World Impact! 20 Institute for Cyber Security Google Native Client (NaCl) Fault Domain: -- Contiguous region of memory. -- have different code and data segment Fault Fault -- Code from different trust level have own fault domain. domain1 doman2 Cross Domain Communication: -- No direct memory access -- All call are implemented by RPC Fault Single Domain Restricted Access: -- the module cannot change Code segment. (dangerous, domain3 self modifying code) -- Every jump instruction must not pass single domain. -- Most Jumps are statically verified otherwise -- verified at run time with help of checking code. Distributed code / extensions must be recompiled/rewritten. World-Leading Research with Real-World Impact! 21 Thank You World-Leading Research with Real-World Impact!.
Load more

Recommended publications
  • Distributing an SQL Query Over a Cluster of Containers
    2019 IEEE 12th International Conference on Cloud Computing (CLOUD) Distributing an SQL Query Over a Cluster of Containers David Holland∗ and Weining Zhang† Department of Computer Science, University of Texas at San Antonio Email: ∗[email protected], †[email protected] Abstract—Emergent software container technology is now across a cluster of containers in a cloud. A feasibility study available on any cloud and opens up new opportunities to execute of this with performance analysis is reported in this paper. and scale data intensive applications wherever data is located. A containerized query (henceforth CQ) uses a deployment However, many traditional relational databases hosted on clouds have not scaled well. In this paper, a framework and deployment methodology that is unique to each query with respect to the methodology to containerize relational SQL queries is presented, number of containers and their networked topology effecting so that, a single SQL query can be scaled and executed by data flows. Furthermore a CQ can be scaled at run-time a network of cooperating containers, achieving intra-operator by adding more intra-operators. In contrast, the traditional parallelism and other significant performance gains. Results of distributed database query deployment configurations do not container prototype experiments are reported and compared to a real-world RDBMS baseline. Preliminary result on a research change at run-time, i.e., they are static and applied to all cloud shows up to 3-orders of magnitude performance gain for queries. Additionally, traditional distributed databases often some queries when compared to running the same query on a need to rewrite an SQL query to optimize performance.
    [Show full text]
  • Hypervisors Vs. Lightweight Virtualization: a Performance Comparison
    2015 IEEE International Conference on Cloud Engineering Hypervisors vs. Lightweight Virtualization: a Performance Comparison Roberto Morabito, Jimmy Kjällman, and Miika Komu Ericsson Research, NomadicLab Jorvas, Finland [email protected], [email protected], [email protected] Abstract — Virtualization of operating systems provides a container and alternative solutions. The idea is to quantify the common way to run different services in the cloud. Recently, the level of overhead introduced by these platforms and the lightweight virtualization technologies claim to offer superior existing gap compared to a non-virtualized environment. performance. In this paper, we present a detailed performance The remainder of this paper is structured as follows: in comparison of traditional hypervisor based virtualization and Section II, literature review and a brief description of all the new lightweight solutions. In our measurements, we use several technologies and platforms evaluated is provided. The benchmarks tools in order to understand the strengths, methodology used to realize our performance comparison is weaknesses, and anomalies introduced by these different platforms in terms of processing, storage, memory and network. introduced in Section III. The benchmark results are presented Our results show that containers achieve generally better in Section IV. Finally, some concluding remarks and future performance when compared with traditional virtual machines work are provided in Section V. and other recent solutions. Albeit containers offer clearly more dense deployment of virtual machines, the performance II. BACKGROUND AND RELATED WORK difference with other technologies is in many cases relatively small. In this section, we provide an overview of the different technologies included in the performance comparison.
    [Show full text]
  • Erlang on Physical Machine
    on $ whoami Name: Zvi Avraham E-mail: [email protected] /ˈkɒm. pɑː(ɹ)t. mɛntl̩. aɪˌzeɪ. ʃən/ Physicalization • The opposite of Virtualization • dedicated machines • no virtualization overhead • no noisy neighbors – nobody stealing your CPU cycles, IOPS or bandwidth – your EC2 instance may have a Netflix “roommate” ;) • Mostly used by ARM-based public clouds • also called Bare Metal or HPC clouds Sandbox – a virtual container in which untrusted code can be safely run Sandbox examples: ZeroVM & AWS Lambda based on Google Native Client: A Sandbox for Portable, Untrusted x86 Native Code Compartmentalization in terms of Virtualization Physicalization No Virtualization Virtualization HW-level Virtualization Containerization OS-level Virtualization Sandboxing Userspace-level Virtualization* Cloud runs on virtual HW HARDWARE Does the OS on your Cloud instance still supports floppy drive? $ ls /dev on Ubuntu 14.04 AWS EC2 instance • 64 teletype devices? • Sound? • 32 serial ports? • VGA? “It’s DUPLICATED on so many LAYERS” Application + Configuration process* OS Middleware (Spring/OTP) Container Managed Runtime (JVM/BEAM) VM Guest Container OS Container Guest OS Hypervisor Hardware We run Single App per VM APPS We run in Single User mode USERS Minimalistic Linux OSes • Embedded Linux versions • DamnSmall Linux • Linux with BusyBox Min. Linux OSes for Containers JeOS – “Just Enough OS” • CoreOS • RancherOS • RedHat Project Atomic • VMware Photon • Intel Clear Linux • Hyper # of Processes and Threads per OS OSv + CLI RancherOS processes CoreOS threads
    [Show full text]
  • Containerized SQL Query Evaluation in a Cloud
    Containerized SQL Query Evaluation in a Cloud Dr. Weining Zhang and David Holland Department of Computer Science The University of Texas at San Antonio {Weining.Zhang, david.holland}@utsa.edu Abstract—Recent advance in cloud computing and light- management system (DBMS) inside a virtual ma- weight software container technology opens up opportu- chine (VM). The user must administer most sys- nities to execute data intensive applications where data tem management activities, including software li- is located. Noticeably, current database services offered censing, installation, configuration, management, on cloud platforms have not fully utilized container tech- nologies. In this paper we present an architecture of a backup, and recovery. This option is difficult to cloud-based, relational database as a service (DBaaS) that scale. Two) Use a NoSQL database, e.g. Apache can package and deploy a query evaluation plan using HBase[1], Google BigQuery[2], and Cassandra[3]. light-weight container technology and the underlying cloud These services are highly efficient and scalable for storage system. We then focus on an example of how a some types of large data, but the user is forced to select-join-project-order query can be containerized and deal with the lack of structured data and strong deployed in ZeroCloud. Our preliminary experimental results confirm that a containerized query can achieve data integrity that is present in relational models. a high degree of elasticity and scalability, but effective Three) Use a managed SQL database service, e.g. mechanisms are needed to deal with data skew. Amazon RDS[4], Google Cloud SQL[5], and MS Index Terms—Database, DBaaS, query evaluation, soft- Azure SQL[6].
    [Show full text]
  • (12) United States Patent (10) Patent No.: US 9,697,034 B2 Chadha Et Al
    US009697034B2 (12) United States Patent (10) Patent No.: US 9,697,034 B2 Chadha et al. (45) Date of Patent: *Jul. 4, 2017 (54) OFFLOADING PROBABILISTIC (56) References Cited COMPUTATIONS IN DATA ANALYTICS U.S. PATENT DOCUMENTS APPLICATIONS M 7,003,507 B2 * 2/2006 Tip .......................... G06F 9/443 (71) Applicant: Futurewei Technologies, Inc., Plano, 7,318,229 B1* 1/2008 Connor ................... G06F 9/443 TX (US) 71.4/25 7,475,199 B1* 1/2009 Bobbitt ............. GO6F 17,30079 (72) Inventors: Vineet Chadha, San Jose, CA (US); 707,999.2O2 Gopinath Palani, Sunnyvale, CA (US); (Continued) Guangyu Shi, Cupertino, CA (US) FOREIGN PATENT DOCUMENTS (73) Assignee: Futurewei Technologies, Inc., Plano, CN 102109.997 6, 2011 TX (US) CN 103595.720 2, 2014 WO WO-201411.0137 T 2014 (*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 OTHER PUBLICATIONS U.S.C. 154(b) by 0 days. “International Application No. PCT/CN2016/09 1776, International claimer.This patent is subject to a terminal dis SNARED.o.o.o. 4,200. Primary Examiner — Gregory A Kessler (21) Appl. No.: 14/821,320 (74) Attorney, Agent, or Firm — Schwegman Lundberg & (22) Filed: Aug. 7, 2015 Woessner, P.A. (65) Prior Publication Data (57) ABSTRACT An approach to offloading probabilistic computations is US 2017/OO3908O A1 Feb. 9, 2017 described. An application server comprising a memory and a processor and coupled to a network-attached storage (51) Int. Cl. device configured to create a dedicated process in response G06F 9/455 (2006.01) to a procedural call to a virtual machine container based on G06F 7/30 (2006.01) a data request is disclosed.
    [Show full text]
  • Software-Defined Object Storage
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by UPCommons. Portal del coneixement obert de la UPC IOStack: Software-Defined Object Storage Raúl Gracia-Tinedo, Yosef Moatti, Eran Rom, Ramon Nou, Pedro García-López, Dalit Naor Toni Cortés Marc Sánchez-Artigas, IBM Research Barcelona Supercomputing Josep Sampé Haifa, Israel Center Universitat Rovira i Virgili moatti,eranr,[email protected] Barcelona, Spain Tarragona, Spain ramon.nou,[email protected] pedro.garcia,marc.sanchez, raul.gracia,[email protected] William Oppermann Pietro Michiardi MPStor Eurecom Cork, Ireland Sophia-Antipolis, France [email protected] [email protected] ABSTRACT timization, and iii) policy-based provisioning [15, 7]. Typ- The complexity and scale of today’s cloud storage systems ically, this is achieved by explicitly decoupling the control is growing fast. In response to these challenges, Software- plane from the data plane at the storage layer. Defined Storage (SDS) has recently become a prime candi- Automation enables a datacenter administrator to easily date to simplify storage management in the cloud. provision resources and services to tenants. This includes This article presents IOStack: The first SDS architecture the virtualization of storage services (volumes, filesystems) for object stores (OpenStack Swift). At the control plane, on top of performance-specific servers and network fabrics the provisioning of SDS services to tenants is made accord- orchestrated by the SDS system. Optimization refers to the ing to a set of policies managed via a high-level DSL. Policies seamless ability to automatically allocate resources to meet may target storage automation and/or specific SLA objec- the performance goals of the different workloads [7].
    [Show full text]
  • Storlet Engine for Executing Biomedical Processes Within the Storage System
    Storlet Engine for Executing Biomedical Processes within the Storage System Simona Rabinovici-Cohen, Ealan Henis, John Marberg, and Kenneth Nagin IBM Research { Haifa, Mount Carmel, Haifa 31905, Israel {simona,ealan,marberg,nagin}@il.ibm.com Abstract. The increase in large biomedical data objects stored in long term archives that continuously need to be processed and analyzed re- quires new storage paradigms. We propose expanding the storage system from only storing biomedical data to directly producing value from the data by executing computational modules - storlets - close to where the data is stored. This paper describes the Storlet Engine, an engine to sup- port computations in secure sandboxes within the storage system. We describe its architecture and security model as well as the programming model for storlets. We experimented with several data sets and storlets including de-identification storlet to de-identify sensitive medical records, image transformation storlet to transform images to sustainable formats, and various medical imaging analytics storlets to study pathology images. We also provide a performance study of the Storlet Engine prototype for OpenStack Swift object storage. 1 Introduction Two trends are emerging in the context of storage for large biomedical data objects. The amount of biomedical data objects generated by various biomed- ical devices such as diagnostic imaging equipment, medical sensors, wearable devices and genomic sequencers, is increasingly growing both in the number of objects and in the size of each object. Additionally, these large data sets which may be stored in geographically dispersed archives over many years, need to be continuously maintained, processed and analyzed to reveal new insights.
    [Show full text]
  • Zerovm and Openstack Swift
    ZeroVM and OpenStack Swift Blake Yeager Director of Next Generation Markets, Rackspace Camuel Gilyadov Creator of ZeroVM, Director of Engineering, Rackspace May 14th, 2014 What is ZeroVM? The Simple Description ZeroVM creates a secure isolated execution environment that allows users to run a single application or program. ZeroVM can be embedded in storage systems to allow users to process their data within the storage system. RACKSPACE® HOSTING | WWW.RACKSPACE.COM Some Technical Details • Based on the Chromium Native Client (NaCl) project • Leverages ZeroMQ for networking • Includes a full compiler toolchain • ZRT provides a subset of the POSIX API • ZRT also includes a port of the CPython interpreter RACKSPACE® HOSTING | WWW.RACKSPACE.COM To put it another way… ZeroVM is a computing platform, consisting of a group of technologies, built around a set of core principles. RACKSPACE® HOSTING | WWW.RACKSPACE.COM The Principles Behind ZeroVM Small, Light, Fast Secure Hyper-Elastic Embeddable Functional (Deterministic) Open Source RACKSPACE® HOSTING | WWW.RACKSPACE.COM Virtualization Technologies VM vs. Container vs. ZeroVM Traditional VM Container ZeroVM Shared Hardware Shared Hardware Shared Hardware Dedicated Kernel/OS Shared Kernel/OS No Kernel/OS High Overhead Low Overhead Very Low Overhead Slow Startup Fast Startup Fast Startup Very Secure Somewhat Secure Very Secure RACKSPACE® HOSTING | WWW.RACKSPACE.COM Use cases enabled by ZeroVM Data Local Computing Instead of users having to pull data to their applications they can now push their applications to their data. RACKSPACE® HOSTING | WWW.RACKSPACE.COM Simple Scale Out Architectures Working within the constraints of ZeroVM ensures developers design and build applications that can scale horizontally.
    [Show full text]
  • Otimizando Redes Virtuais Ao Longo Do Tempo Através Da Integração De Modelos Multiplicativos Da Data Envelopment Analysis (Dea) Com a Avaliação Da Estrutura Fractal
    Pós-Graduação em Ciência da Computação FRANCISCO DALADIER MARQUES JÚNIOR OTIMIZANDO REDES VIRTUAIS AO LONGO DO TEMPO ATRAVÉS DA INTEGRAÇÃO DE MODELOS MULTIPLICATIVOS DA DATA ENVELOPMENT ANALYSIS (DEA) COM A AVALIAÇÃO DA ESTRUTURA FRACTAL Universidade Federal de Pernambuco [email protected] www.cin.ufpe.br/~posgraduacao Recife 2019 FRANCISCO DALADIER MARQUES JÚNIOR OTIMIZANDO REDES VIRTUAIS AO LONGO DO TEMPO ATRAVÉS DA INTEGRAÇÃO DE MODELOS MULTIPLICATIVOS DA DATA ENVELOPMENT ANALYSIS (DEA) COM A AVALIAÇÃO DA ESTRUTURA FRACTAL Tese apresentada ao Programa de Pós- Graduação em Ciências da Computação da Universidade Federal de Pernambuco, como requisito parcial para a obtenção do título de Doutor em Ciências da Computação. Área de concentração: Redes de Computadores Orientador: Paulo Roberto Freire Cunha Co-orientador: Kelvin Lopes Dias Recife 2019 Catalogação na fonte Bibliotecária Arabelly Ascoli CRB4-2068 M357o Marques Júnior, Francisco Daladier Otimizando redes virtuais ao longo do tempo através da integração de modelos multiplicativos da Data Envelopment Analysis (DEA) com a avaliação da estrutura fractal / Francisco Daladier Marques Júnior. – 2019. 175 f.: il., fig., tab. Orientador: Paulo Roberto Freire Cunha Tese (Doutorado) – Universidade Federal de Pernambuco. CCEN. Ciências da Computação. Recife, 2019. Inclui referências e apêndices. 1. Autossimilaridade. 2. Multiplicativos DEA. 3. Absorção multifotônica. 4. Termometria óptica. I. Cunha, Paulo Roberto Freire (orientador). II. Título. 004.6 CDD (22. ed.) UFPE-MEI 2019-126 FRANCISCO DALADIER MARQUES JÚNIOR OTIMIZANDO REDES VIRTUAIS AO LONGO DO TEMPO ATRAVÉS DA INTEGRAÇÃO DE MODELOS MULTIPLICATIVOS DA DATA ENVELOPMENT ANALYSIS COM A AVALIAÇÃO DA ESTRUTURA FRACTAL Tese apresentada ao Programa de Pós- Graduação em Ciências da Computação da Universidade Federal de Pernambuco, como requisito parcial para a obtenção do título de Doutor em Ciências da Computação.
    [Show full text]
  • Rethinking the Architecture of the Web
    Rethinking the Architecture of the Web A Dissertation Presented by Liang Zhang to The College of Computer and Information Science in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Computer Science Northeastern University Boston, Massachusetts July 2016 To my family i Contents List of Figures v List of Tables viii Acknowledgments ix Abstract of the Dissertation x 1 Introduction 1 1.1 Contributions . .5 1.2 Outline . .7 2 Background 8 2.1 Web browsers . .8 2.1.1 Dynamic web pages . .9 2.1.2 Browser plug-ins . 10 2.1.3 HTML5 . 11 2.1.4 Mobile web browsers . 12 2.2 JavaScript . 13 2.2.1 The web and beyond . 13 2.3 Web servers . 14 2.3.1 Web application servers . 15 2.3.2 Privacy . 15 2.4 Cloud services . 16 2.4.1 Content distribution networks (CDNs) . 17 3 Maygh: Rethinking web content distribution 19 3.1 Motivation . 19 3.2 Maygh potential . 21 3.3 Maygh design . 22 3.3.1 Web browser building blocks . 22 3.3.2 Model, interaction, and protocol . 23 3.3.3 Maygh client . 25 3.3.4 Maygh coordinator . 28 ii 3.3.5 Multiple coordinators . 28 3.4 Security, privacy, and impact on users . 30 3.4.1 Security . 30 3.4.2 Privacy . 31 3.4.3 Impact on users . 32 3.4.4 Mobile users . 32 3.5 Implementation . 33 3.6 Evaluation . 33 3.6.1 Client-side microbenchmarks . 34 3.6.2 Coordinator scalability . 36 3.6.3 Trace-based simulation .
    [Show full text]
  • Enhancing the Programmability of Cloud Object Storage
    ENHANCING THE PROGRAMMABILITY OF CLOUD OBJECT STORAGE Josep Sampé Domenech ADVERTIMENT. L'accés als continguts d'aquesta tesi doctoral i la seva utilització ha de respectar els drets de la persona autora. Pot ser utilitzada per a consulta o estudi personal, així com en activitats o materials d'investigació i docència en els termes establerts a l'art. 32 del Text Refós de la Llei de Propietat Intel·lectual (RDL 1/1996). Per altres utilitzacions es requereix l'autorització prèvia i expressa de la persona autora. En qualsevol cas, en la utilització dels seus continguts caldrà indicar de forma clara el nom i cognoms de la persona autora i el títol de la tesi doctoral. No s'autoritza la seva reproducció o altres formes d'explotació efectuades amb finalitats de lucre ni la seva comunicació pública des d'un lloc aliè al servei TDX. Tampoc s'autoritza la presentació del seu contingut en una finestra o marc aliè a TDX (framing). Aquesta reserva de drets afecta tant als continguts de la tesi com als seus resums i índexs. ADVERTENCIA. El acceso a los contenidos de esta tesis doctoral y su utilización debe respetar los derechos de la persona autora. Puede ser utilizada para consulta o estudio personal, así como en actividades o materiales de investigación y docencia en los términos establecidos en el art. 32 del Texto Refundido de la Ley de Propiedad Intelectual (RDL 1/1996). Para otros usos se requiere la autorización previa y expresa de la persona autora. En cualquier caso, en la utilización de sus contenidos se deberá indicar de forma clara el nombre y apellidos de la persona autora y el título de la tesis doctoral.
    [Show full text]
  • Docker for Fun and Profit
    Docker for fun and profit Solomon Hykes* about Docker: "It uses Linux containers and the Internet won't shut up about it." (LinuxCon 2014 keynote) *Founder of dotcloud and creator of the Docker project What are Linux containers or containers in general? Hypervisor vs Containers Hypervisors are based on Emulating Virtual Hardware - emulate virtual hardware and BIOS, run full OS - every instance is totally separate - size several GB Containers are based on Sharing the Operating System - instance shares the kernel (limited to running only Linux container on Linux host) - in theory the container can share everything or almost nothing with the host - start time - size can be couple of MB - application container Containers and Linux 2005 OpenVZ - first open source container technology (out of the Linux kernel source tree) 2006 Process Containers (CGroups) 2007 Google use CGroups to containerise search (Googleplex went pretty much fully containerized) 2008 LXC version 0.1.0 released 2011 Container Unification agreement on fringes of Kernel Summit - agreed there would be one container technology in Linux - work began on Container Unification at Kernel API level - CGroups and Namespaces now agreed API (in Kernel source tree) - only one underlying kernel technology for containers which is used by everybody (OpenVZ, LXC, Docker, ZeroVM….) 2013 First Linux Kernel Supporting OpenVZ with no patches (3.12) released Containers and Linux Namespaces isolate processes. CGroups control resources. There are 12 CGroups and 6 Namespaces in the kernel. Containers can use all of these or any combination. Container security: As part of the agreement from 2011, User Namespaces became the container security mechanism.
    [Show full text]