Similar literature
 20 similar documents found (search time: 15 ms)
1.
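To address the problems of in-band integrity measurement schemes in cloud computing, namely dependence on operating system security mechanisms, complex deployment, and wasted resources, an out-of-band integrity measurement scheme based on virtual machine monitoring technology is proposed, which can be used to provide trusted virtual domains to tenants of cloud Infrastructure as a Service (IaaS). The scheme consists of two parts: an out-of-domain monitoring scheme and an in-domain/out-of-domain cooperative monitoring scheme. The former achieves fully transparent integrity measurement of open-source Linux virtual domains, while also remedying the shortcomings of other out-of-domain schemes based on system call interception. The latter combines real-time measurement with pre-measurement, in-domain measurement with out-of-domain measurement, a fine-grained registry measurement method, and a system-call-based inter-domain information transfer method, and achieves integrity measurement of Windows virtual domains, which are not fully open source. Experiments demonstrate that the scheme's measurement capability is complete and that its performance impact is acceptable.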

2.
Virtualization is a pillar technology in cloud computing for multiplexing computing resources on a single cloud platform for multiple cloud tenants. Monitoring the behavior of virtual machines (VMs) on a cloud platform is a critical requirement for cloud tenants. Existing monitoring mechanisms on virtualized platforms either take a complete VM as the monitoring granularity, such that they cannot capture the malicious behaviors within individual VMs, or they focus on specific monitoring functions that cannot be used for heterogeneous VMs concurrently running on a single cloud node. Furthermore, the existing monitoring mechanisms have made an assumption that the privileged domain is trusted to act as expected, which causes the cloud tenants’ concern about security because the privileged domain in fact could not act as the tenants’ expectation. We design a trusted monitoring framework, which provides a chain of trust that excludes the untrusted privileged domain, by deploying an independent guest domain for the monitoring purpose, as well as utilizing the trusted computing technology to ensure the integrity of the monitoring environment. Moreover, the feature of fine-grained and general monitoring is also provided. We have implemented the proposed monitoring framework on Xen, and integrated it into OpenNebula. Our experimental results show that it can offer expected functionality, and bring moderate performance overhead.

3.
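In cloud computing environments, to enable resource sharing, virtual machines of different tenants may run on the same physical machine, i.e., virtual machine co-residency, which introduces new security problems. This article therefore focuses on the new security threats faced by co-resident virtual machines, including resource interference, covert channels/side channels, denial of service, and virtual machine workload eavesdropping; introduces existing methods for detecting virtual machine co-residency; summarizes four defensive approaches to co-residency threats; and analyzes future research trends.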

4.
The importance of heterogeneous multicore programming is increasing, and Open Computing Language (OpenCL) is an open industrial standard for parallel programming that provides a uniform programming model for programmers to write efficient, portable code for heterogeneous computing devices. However, OpenCL is not supported in the system virtualization environments that are often used to improve resource utilization. In this paper, we propose an OpenCL virtualization framework based on Kernel‐based Virtual Machine with API remoting to enable multiplexing of multiple guest virtual machines (guest VMs) over the underlying OpenCL resources. The framework comprises three major components: (i) an OpenCL library implementation in guest VMs for packing/unpacking OpenCL requests/responses; (ii) a virtual device, called virtio‐CL, that is responsible for the communication between guest VMs and the hypervisor (also called the VM monitor); and (iii) a thread, called CL thread, that is used for the OpenCL API invocation. Although the overhead of the proposed virtualization framework is directly affected by the amount of data to be transferred between the OpenCL host and devices because of the primitive nature of API remoting, experiments demonstrated that our virtualization framework has a small virtualization overhead (mean of 6.8%) for six common device‐intensive OpenCL programs and performs well when the number of guest VMs involved in the system increases. These results indirectly infer that the framework allows for effective resource utilization of OpenCL devices. Copyright © 2012 John Wiley & Sons, Ltd.

5.
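An On-Demand Integrity Measurement Model for Open Network Environments   Total citations: 1, self-citations: 0, citations by others: 1
Integrity measurement is one of the key problems of trusted computing. This paper first analyzes the problems that current research results have in open network environments and their causes. An on-demand integrity measurement model for open network environments is proposed. In this model, the measurement requester customizes an integrity measurement policy according to its specific requirements; the policy consists of a program instruction measurement policy and a data flow measurement policy; the measurement responder measures the integrity of its own components according to the policy and constructs a corresponding chain-of-trust instance for each measurement request. The model measures integrity dynamically, which improves the freshness of measurement results; it covers integrity measurement of both software code and user data, overcoming the one-sidedness of measurement targets. Remote attestation and a prototype system were implemented on the basis of this model and tested experimentally in a streaming media service network. The experimental results show that the model solves the identified problems at low resource overhead and can meet the requirements of integrity measurement in open network environments.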

6.
Cloud computing is emerging as an increasingly popular computing paradigm, allowing dynamic scaling of resources available to users as needed. This requires a highly accurate demand prediction and resource allocation methodology that can provision resources in advance, thereby minimizing the virtual machine downtime required for resource provisioning. In this paper, we present a dynamic resource demand prediction and allocation framework in multi‐tenant service clouds. The novel contribution of our proposed framework is that it classifies the service tenants as per whether their resource requirements would increase or not; based on this classification, our framework prioritizes prediction for those service tenants in which resource demand would increase, thereby minimizing the time needed for prediction. Furthermore, our approach adds the service tenants to matched virtual machines and allocates the virtual machines to physical host machines using a best‐fit heuristic approach. Performance results demonstrate how our best‐fit heuristic approach could efficiently allocate virtual machines to hosts so that the hosts are utilized to their fullest capacity. Copyright © 2016 John Wiley & Sons, Ltd.

7.
Symbolic computation has underpinned a number of key advances in Mathematics and Computer Science. Applications are typically large and potentially highly parallel, making them good candidates for parallel execution at a variety of scales from multi‐core to high‐performance computing systems. However, much existing work on parallel computing is based around numeric rather than symbolic computations. In particular, symbolic computing presents particular problems in terms of varying granularity and irregular task sizes that do not match conventional approaches to parallelisation. It also presents problems in terms of the structure of the algorithms and data. This paper describes a new implementation of the free open‐source GAP computational algebra system that places parallelism at the heart of the design, dealing with the key scalability and cross‐platform portability problems. We provide three system layers that deal with the three most important classes of hardware: individual shared memory multi‐core nodes, mid‐scale distributed clusters of (multi‐core) nodes and full‐blown high‐performance computing systems, comprising large‐scale tightly connected networks of multi‐core nodes. This requires us to develop new cross‐layer programming abstractions in the form of new domain‐specific skeletons that allow us to seamlessly target different hardware levels. Our results show that, using our approach, we can achieve good scalability and speedups for two realistic exemplars, on high‐performance systems comprising up to 32000 cores, as well as on ubiquitous multi‐core systems and distributed clusters. The work reported here paves the way towards full‐scale exploitation of symbolic computation by high‐performance computing systems, and we demonstrate the potential with two major case studies. © 2016 The Authors. Concurrency and Computation: Practice and Experience Published by John Wiley & Sons Ltd.

8.
Susan D. Urban  Ling Fu  Jami J. Shah 《Software》1999,29(14):1313-1338
Many computer applications today require some form of distributed computing to allow different software components to communicate. Several different commercial products now exist based on the Common Object Request Broker Architecture (CORBA) of the Object Management Group. The use of such tools, however, often requires the modification of existing systems, rather than the development of new applications. The objective of this research has been to integrate the use of a CORBA tool into an existing engineering design application for the purpose of (1) evaluating the amount of re‐engineering that is involved to effectively integrate distributed object computing into an existing application, and (2) evaluating the use and performance of distributed object computing in an engineering domain, which often requires the transfer of large amounts of information. The results of this work demonstrate that CORBA technology can be easily integrated into existing applications. The ease of the integration as well as the efficiency of the resulting system, however, depends upon the degree of modification that developers are willing to consider in the re‐engineering process. The most transparent approach to the use of CORBA requires less modification and generally produces less efficient performance. The less transparent approach to the use of CORBA can potentially require significant system modification but produce greater performance gains. This work outlines issues that must be considered for the partitioning of functionality between the client and the server, development of an IDL interface, development of client and server‐side wrappers, and support for concurrent, multi‐user access. In addition, this work also provides performance and implementation comparisons of different techniques for the use of wrappers and for the transfer of large data files between the client and the server. Performance comparisons for the incorporation of concurrent access are also presented. 
Copyright © 1999 John Wiley & Sons, Ltd.

9.
The scale of global data center market has been explosive in recent years. As the market grows, the demand for fast provisioning of the virtual resources to support elastic, manageable, and economical computing over the cloud becomes high. Fast provisioning of large-scale virtual machines (VMs), in particular, is critical to guarantee quality of service (QoS). In this paper, we systematically review the existing VM provisioning schemes and classify them in three main categories. We discuss the features and research status of each category, and introduce two recent solutions, VMThunder and VMThunder+, both of which can provision hundreds of VMs in seconds.

10.
The Java language is popular because of its platform independence, making it useful in a lot of technologies ranging from embedded devices to high‐performance systems. The platform‐independent property of Java, which is visible at the Java bytecode level, is only made possible thanks to the availability of a Virtual Machine (VM), which needs to be designed specifically for each underlying hardware platform. More specifically, the same Java bytecode should run properly on a 32‐bit or a 64‐bit VM. In this paper, we compare the behavioral characteristics of 32‐bit and 64‐bit VMs using a large set of Java benchmarks. This is done using the Jikes Research VM as well as the IBM JDK 1.4.0 production VM on a PowerPC‐based IBM machine. By running the PowerPC machine in both 32‐bit and 64‐bit mode we are able to compare 32‐bit and 64‐bit VMs. We conclude that the space an object takes in the heap in 64‐bit mode is 39.3% larger on average than in 32‐bit mode. We identify three reasons for this: (i) the larger pointer size, (ii) the increased header and (iii) the increased alignment. The minimally required heap size is 51.1% larger on average in 64‐bit than in 32‐bit mode. From our experimental setup using hardware performance monitors, we observe that 64‐bit computing typically results in a significantly larger number of data cache misses at all levels of the memory hierarchy. In addition, we observe that when a sufficiently large heap is available, the IBM JDK 1.4.0 VM is 1.7% slower on average in 64‐bit mode than in 32‐bit mode. Copyright © 2005 John Wiley & Sons, Ltd.

11.
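Dynamic trust measurement is a hot and difficult research topic in trusted computing. To address the difficulty of trust measurement caused by the dynamic nature of the operating system kernel, a dynamic trust measurement model for the operating system kernel is proposed. It uses dynamic measurement variables to describe and construct the system's dynamic data objects and their relationships, collects kernel memory data in real time, uses semantic constraints to describe the dynamic integrity of kernel dynamic data, and verifies through semantic constraint checking whether kernel dynamic data maintains its dynamic integrity. An analysis and proof of the model's dynamic measurement properties are given. The model can effectively perform trust measurement on the dynamic data of the operating system kernel and identify illegal tampering with kernel dynamic data.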

12.
Chee Shin Yeo  Rajkumar Buyya 《Software》2006,36(13):1381-1419
In utility‐driven cluster computing, cluster Resource Management Systems (RMSs) need to know the specific needs of different users in order to allocate resources according to their needs. This in turn is vital to achieve service‐oriented Grid computing that harnesses resources distributed worldwide based on users' objectives. Recently, numerous market‐based RMSs have been proposed to make use of real‐world market concepts and behavior to assign resources to users for various computing platforms. The aim of this paper is to develop a taxonomy that characterizes and classifies how market‐based RMSs can support utility‐driven cluster computing in practice. The taxonomy is then mapped to existing market‐based RMSs designed for both cluster and other computing platforms to survey current research developments and identify outstanding issues. Copyright © 2006 John Wiley & Sons, Ltd.

13.
Grid‐based simulation usually involves large quantities of data at each stage of the simulation process. These data include simulation input and output files, intermediate results files, log and error files, associated metadata, and information capturing the processes that generate the data. The question of how to effectively store and manage data files within a Grid computing environment is increasingly becoming an important issue. This paper illustrates how we built a lightweight e‐Science infrastructure for data management within a Grid computing environment, including the integration of data curation activities into the entire Grid‐based simulation process. Rather than focusing on specific implementation details, we aim to identify the key issues and research challenges, describing how various existing technologies and tools can be best integrated to address these requirements and challenges. Although the case of quantum mechanical simulation of materials properties is used in the paper, much of the discussion is as generic as possible so that approaches, methods and practice (e.g. integrated approach, workflow taxonomy and development approach, simple but useful semantic annotation approach) can be applied to wider domains and disciplines to facilitate the digital research. A comparison between our approach and Cloud computing, and lessons learned in data management within the Grid computing environment, are also presented. Copyright © 2012 John Wiley & Sons, Ltd.

14.
The aim of this paper is to study and predict the effect of a number of critical parameters on the performance of virtual machines (VMs). These parameters include allocation percentages, real-time scheduling decisions and co-placement of VMs when these are deployed concurrently on the same physical node, as dictated by the server consolidation trend and the recent advances in the Cloud computing systems. Different combinations of VM workload types are investigated in relation to the aforementioned factors in order to find the optimal allocation strategies. What is more, different levels of memory sharing are applied, based on the coupling of VMs to cores on a multi-core architecture. For all the aforementioned cases, the effect on the score of specific benchmarks running inside the VMs is measured. Finally, a black box method based on genetically optimized artificial neural networks is inserted in order to investigate the degradation prediction ability a priori of the execution and is compared to the linear regression method.

15.
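As security receives increasing attention in cloud computing, Intel has proposed SGX since 2015. It provides enclaves and protects applications inside an enclave from attacks by untrusted software (including the guest operating system and the virtual machine monitor) and hardware (other than the Intel CPU package). However, SGX can support only 256MB of enclave memory (EPC). Therefore, the efficient allocation of the precious EPC resource among different virtual machines, for the whole...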

16.
The rapid proliferation of Internet of things (IoT) devices, such as smart meters and water valves, into industrial critical infrastructures and control systems has put stringent performance and scalability requirements on modern Supervisory Control and Data Acquisition (SCADA) systems. While cloud computing has enabled modern SCADA systems to cope with the increasing amount of data generated by sensors, actuators, and control devices, there has been a growing interest recently to deploy edge data centers in fog architectures to secure low-latency and enhanced security for mission-critical data. However, fog security and privacy for SCADA-based IoT critical infrastructures remains an under-researched area. To address this challenge, this contribution proposes a novel security “toolbox” to reinforce the integrity, security, and privacy of SCADA-based IoT critical infrastructure at the fog layer. The toolbox incorporates a key feature: a cryptographic-based access approach to the cloud services using identity-based cryptography and signature schemes at the fog layer. We present the implementation details of a prototype for our proposed secure fog-based platform and provide performance evaluation results to demonstrate the appropriateness of the proposed platform in a real-world scenario. These results can pave the way toward the development of a more secure and trusted SCADA-based IoT critical infrastructure, which is essential to counter cyber threats against next-generation critical infrastructure and industrial control systems. The results from the experiments demonstrate a superior performance of the secure fog-based platform, which is around 2.8 seconds when adding five virtual machines (VMs), 3.2 seconds when adding 10 VMs, and 112 seconds when adding 1000 VMs, compared to the multilevel user access control platform.

17.
Cloud computing has transformed service delivery through its pay-per-use model, supporting diverse users with multiple heterogeneous Virtual Machines (VMs). However, energy consumption has emerged as a critical concern, necessitating cloud resource optimization for environment-friendly practices. This research paper presents an innovative energy-efficient threshold-based sender-initiated load-balancing strategy (e-STLB) to address this concern. The approach employs threshold values to trigger task migration between VMs, ensuring optimal performance while maximizing energy efficiency. The proposed strategy significantly reduces Makespan and increases Resource Utilization in an energy-conscious manner. Experimental evaluations using Cloudsim 3.0 demonstrate that the e-STLB outperforms other state-of-the-art solutions, offering a compelling approach to sustainable cloud computing.

18.
Reducing power consumption has been an essential requirement for Cloud resource providers not only to decrease operating costs, but also to improve the system reliability. As Cloud computing becomes emergent for the Anything as a Service (XaaS) paradigm, modern real‐time services also become available through Cloud computing. In this work, we investigate power‐aware provisioning of virtual machines for real‐time services. Our approach is (i) to model a real‐time service as a real‐time virtual machine request; and (ii) to provision virtual machines in Cloud data centers using dynamic voltage frequency scaling schemes. We propose several schemes to reduce power consumption by hard real‐time services and power‐aware profitable provisioning of soft real‐time services. Copyright © 2011 John Wiley & Sons, Ltd.

19.
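Compared with public cloud computing, private cloud computing systems for tasks that are both data-intensive and compute-intensive place higher demands on computational efficiency and system management efficiency. Current public cloud computing systems appear overly complex and cumbersome, so a simple, easy-to-use private cloud computing system implementation that can accommodate data- and compute-intensive tasks is needed. Drawing on the relevant theory and implementation methods of public cloud computing, an implementation scheme for a private cloud computing system for tasks that are both data- and compute-intensive is proposed. The scheme describes the user's computing task through a job file, which determines the task's computing model and the input and output files of the computation; in view of the characteristics of private clouds, it simplifies the MapReduce parallel processing framework of the Google cloud computing system to obtain a more intuitive data computing model; automatically ...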

20.
Clusters of computers have emerged as mainstream parallel and distributed platforms for high‐performance, high‐throughput and high‐availability computing. To enable effective resource management on clusters, numerous cluster management systems and schedulers have been designed. However, their focus has essentially been on maximizing CPU performance, but not on improving the value of utility delivered to the user and quality of services. This paper presents a new computational economy driven scheduling system called Libra, which has been designed to support allocation of resources based on the users' quality of service requirements. It is intended to work as an add‐on to the existing queuing and resource management system. The first version has been implemented as a plugin scheduler to the Portable Batch System. The scheduler offers market‐based economy driven service for managing batch jobs on clusters by scheduling CPU time according to user‐perceived value (utility), determined by their budget and deadline rather than system performance considerations. The Libra scheduler has been simulated using the GridSim toolkit to carry out a detailed performance analysis. Results show that the deadline and budget based proportional resource allocation strategy improves the utility of the system and user satisfaction as compared with system‐centric scheduling strategies. Copyright © 2004 John Wiley & Sons, Ltd.
