Resource virtualization methodology for on-demand allocation in cloud computing systems

The resources’ heterogeneity and unbalanced capability, together with the diversity of resource requirements in cloud computing systems, have produced great contradictions between resources’ tight coupling characteristics and user’s multi-granularities requirements. We propose a resource virtualization model and its on-demand allocation oriented infrastructure mainly providing computing services to solve that problem. A loosely coupled resource environment centered on resource users is created to complete a mapping from physical view of resources to logic view of resources. Heuristic resource combination algorithm (HRCA) is proposed to transform physical resources to logic resources, which meets two requirements: randomness in combination and fluctuation control to the size of resources granularities. On the basis of the appraisal indexes presented for the on-demand allocation, resource matching algorithm (RMA), targeting at resource satisfaction with the highest resource utilization, is designed to reuse resources. RMA can satisfy users’ requirement in limited time and keep resource satisfaction in the highest level in the condition of logic resources granularities being less than their required size. Resource reconfiguration algorithm (RRA) is presented to implement resource matching in the condition that virtual computing resource pool cannot match granularities of resource requirements. RRA assures the lowest resource refusal rate and the greatest resource satisfaction. We verify the effectiveness, performance and accuracy of algorithms in implementing the goal of resource virtualization centered on resource users and on-demand allocation.     

按需披露的区块链隐私保护机制

隐私保护已经成为区块链技术真正从理论到现实应用必须解决的关键问题。实际应用中存在一种按需披露的隐私保护需求,受组播安全通信机制的启发,提出一种按需披露的区块链隐私保护机制(PPM-ODB,privacy protection mechanism of on-demand disclosure on blockchain)。该机制通过改进基于RSA的匿名多接收者加密方案来实现隐私信息一对多的加解密、知情者的匿名性保护和隐私泄露的可追溯,通过采用Quorum链隐私保护机制来实现密钥在隐私信息拥有者和知情者间的安全高效分发。实验证明了PPM-ODB机制可保证隐私数据的保密性,及其在时间和存储开销上的优越性,并建议知情者的个数少于100,以获得良好的用户体验。     

基于虚拟存储技术的持续数据保护机制

为了解决信息系统中数据失效的问题,详细记录数据的变化情况,在灾难发生时能够最低限度的减小损失,分析了当前持续数据保护(CDP)技术的现状,立足现有的TRAP-4持续数据保护思想,提出了一种基于虚拟存储技术的持续数据保护机制(VPS_ CDP).在虚拟层改进了日志生成方式,减轻了系统工作负载,缩短了数据备份与恢复时间,并提出了基于文件块的持续保护思想,增强了系统对于核心数据的持续全备份能力.     

面向云计算虚拟化的信息安全防护方案研究

云计算通过虚拟化技术实现网络按需调用集中共享资源,也引入了新的信息安全风险。文章分析了虚拟化面临各种威胁所对应的解决技术,通过无代理方式,从虚拟机外部为虚拟机中运行的系统提供高级保护。同时,从入侵检测、通信访问控制、防恶意软件以及防病毒等方面制定有效、全面的安全防护方案,完善企业云计算虚拟化信息安全防护体系,提高企业云计算虚拟化信息安全防护水平。     

进程内细粒度保护域模型及其实现

提出了一种利用细粒度保护域方法实现进程权限动态改变的机制。根据进程的不同执行阶段对系统资源和程序地址空间访问方式的不同，将其划分为多个保护域。设置各个保护域对程序地址空间的访问方式，使之能有效地防御用户态代码注入攻击；保护域对系统资源访问的控制通过一个强制访问控制框架来实施，以此满足系统的安全策略。     

桌面虚拟化技术在多媒体教室管理中的应用

本文分析了多媒体教室管理的现状,提出通过桌面虚拟化技术解决日常管理中存在的管理难度大、维护人员多、管理效率低等问题,努力提高多媒体教室管理的集中化、安全性和高效率。     

服务器虚拟化在高速公路监控系统中的应用

为解决高速公路监控系统服务器资源利用率低,容灾能力低,空闲负荷整合不足等缺点,本文将通过服务器虚拟化技术,运用服务器虚拟化软件,完成服务器虚拟化系统的相关环境部署,实现高速公路监控系统的服务器虚拟化。服务器虚拟化在高速公路监控系统的应用,很大地提高了系统的整体稳定性,提高了资源的利用率,减少了不必要的投入与开支。     

桌面虚拟化应用中虚拟环境评估与规划的研究

为实现完全桌面虚拟化技术,需要重点解决集中管理带来的诸多风险和压力问题。在实施桌面虚拟化之前,重点在六个方面对桌面虚拟化环境进行详细有效的评估和规划,最终可以采取有效的策略来部署桌面虚拟化。     

嵌入式系统可信虚拟化技术的研究与应用

嵌入式系统在生活中的应用日益广泛,传统的安全增强手段已无法有效应对各种安全问题,增强嵌入式系统的安全性成为目前亟需解决的问题。为提高嵌入式系统及其应用程序的安全性,结合嵌入式系统的虚拟化技术与可信计算技术,设计并实现基于虚拟TCM的可信计算平台框架,实现了虚拟TCM和基于虚拟TCM的可信增强技术,提出并实现了一个基于虚拟TCM的会话认证方法,将信任链从硬件操作系统层扩展到了虚拟域的应用软件层。实验结果表明,虚拟TCM与物理TCM相结合能够有效保证嵌入式系统、虚拟域和应用程序的安全可信。     

Using virtualization to protect application address space inside untrusted environment

The paper describes a virtualization-based approach to protecting context of trusted processes running inside potentially compromised environment. Suggested protection system is based on a hypervisor that monitors all events inside operating system and prevents unauthorized access to process resources. The approach does not require modification of OS or applications; the only requirement for hardware is support for virtualization.     

虚拟化技术及其在制造业信息化中的应用综述

首先介绍了虚拟化的基本含义,接着从虚拟化方法和虚拟化管理两个方面介绍了虚拟化实现的关键技术。在此基础上,有针对性地提出了制造业信息化中虚拟化技术的应用框架和作用,总结并展望了虚拟化在制造业中的应用前景。指出虚拟化在制造业信息化中应用存在的不足及未来的研究工作。     

High performance network virtualization with SR-IOV

Virtualization poses new challenges to I/O performance. The single-root I/O virtualization (SR-IOV) standard allows an I/O device to be shared by multiple Virtual Machines (VMs), without losing performance. We propose a generic virtualization architecture for SR-IOV-capable devices, which can be implemented on multiple Virtual Machine Monitors (VMMs). With the support of our architecture, the SR-IOV-capable device driver is highly portable and agnostic of the underlying VMM. Because the Virtual Function (VF) driver with SR-IOV architecture sticks to hardware and poses a challenge to VM migration, we also propose a dynamic network interface switching (DNIS) scheme to address the migration challenge. Based on our first implementation of the network device driver, we deployed several optimizations to reduce virtualization overhead. Then, we conducted comprehensive experiments to evaluate SR-IOV performance. The results show that SR-IOV can achieve a line rate throughput (9.48 Gbps) and scale network up to 60 VMs, at the cost of only 1.76% additional CPU overhead per VM, without sacrificing throughput and migration.     

Transparent VPN failure recovery with virtualization

Cloud computing is widely used to provide today’s Internet services. Since its service scope is being extended to a wide range of business applications, the security of network communications between clients and clouds are becoming important. Several cloud vendors support virtual private networks (VPNs) for connecting their clouds. Unfortunately, cloud services become unavailable when a VPN failure occurred in a VPN gateway or networks. We propose a transparent VPN failure recovery scheme that can hide VPN failures from users and operating systems (OSs). This scheme transparently recovers from VPN failures by establishing VPN connections in a virtualization layer. When a VPN failure occurs, a client virtual machine monitor (VMM) automatically reconnects to an available VPN gateway which is geographically distributed and connected via leased lines in clouds. IP address changes are hidden from client OSs and servers via a packet relay system implemented by a relay client in the client VMM and a relay server. We implemented a prototype system based on BitVisor, a small client VMM supporting IPsec VPN, and evaluated the prototype system in a wide-area distributed Internet environment in Japan. Experimental results show that our scheme can maintain TCP connections on VPN failures, and performance overhead with the virtualization layer is around 0.6 ms to latency and 8%-30% to throughput.     

Scheduling on-demand broadcast with timing constraints

In a distributed system, broadcasting is an efficient way to dispense data in certain highly dynamic environments. While there are several well-known on-line broadcast scheduling strategies that minimize wait time, there has been little research that considers on-demand broadcasting with timing constraints. One application which could benefit from a strategy for on-demand broadcast with timing constraints is a real-time database system. Scheduling strategies are needed in real-time databases that identify which data item to broadcast next in order to minimize missed deadlines. The scheduling decisions required in a real-time broadcast system allow the system to be modeled as a Markov Decision Process (MDP). In this paper, we analyze the MDP model and determine that finding an optimal solution is a hard problem in PSPACE. We propose a scheduling approach, called Aggregated Critical Requests (ACR), which is based on the MDP formulation and present two algorithms based on this approach. ACR is designed for timely delivery of data to clients in order to maximize the reward by minimizing the deadlines missed. Results from trace-driven experiments indicate the ACR approach provides a flexible strategy that can outperform existing strategies under a variety of factors.     

OSPF在按需电路上配置的研究与应用

OSPF是个链接状态路由协议,在同一层的区域内与其它所有路由器交换链接状态公告（LSA）信息。OSPF的LSA中包含连接的接口、使用的metric及其它的变量信息。OSPF路由器积累链接状态信息,并使用SPF算法来计算到各节点的最短路径。OSPF不但已成为目前Internet广域网和Intranet企业网采用最多、应用最广泛的路由协议之一,而且在综合业务数字网（ISDN）、X.25交换式虚电路（SVC）和拨号线路等应用广泛,故OSPF在按需电路上的配置成为目前极为关注的问题。     

虚拟化技术应用的风险分析及对策研究

分析了虚拟化技术应用中由高资源利用率、管理模式变化、期望减少成本、安全、应用迁移和没有统一的虚拟化技术标准引发的五种风险情况。针对虚拟化技术应用存在的风险,从部署虚拟化前的评估、管理策略和安全技术措施三个方面提出了相应对策,为消除虚拟化技术应用风险或将风险最小化,达到虚拟化技术应用目标提出了解决方法。     

Separating computation and storage with storage virtualization

Recent advances of hardware, software, and networks have made the management and security issues increasingly challenging in PC usage. Due to the tight coupling of hardware and software, each one of the hundreds or thousands of PCs connected in a networked environment has to be managed and administrated individually, leading to a high Total Cost of Ownership (TCO). We argue that a centralized storage of software and data, while distributed computation in clients, i.e., transparent computing, can address these challenges potentially and reduce the complexity with reduced software maintenance time, improved system availability, and enhanced security.This paper presents a novel approach, named StoreVirt, to realize transparent computing, which separates computation and storage from inside a single physical machine to different machines with a storage virtualization mechanism. With virtualization, all the OSes, applications, and data of clients are centered on the servers and scheduled on demand to run on different clients in a “block-streaming” way. Therefore, due to the central storage of OSes and applications, the installation, maintenance, and management are also centralized, leaving the clients light-weighted. Further, due to timely patching and upgrading, the system security can be improved. Experimental and real-world experiences demonstrate that this approach is efficient and feasible for real usages.     

Modeling data protection and privacy: application and experience with GDPR

Software and Systems Modeling - In Europe and indeed worldwide, the General Data Protection Regulation (GDPR) provides protection to individuals regarding their personal data in the face of new...     

Network virtualization substrate with parallelized data plane

Network virtualization provides the ability to run multiple concurrent virtual networks over a shared substrate. However, it is challenging to design such a platform to host multiple heterogenous and often highly customized virtual networks. Not only high degree of flexibility is desired for virtual networks to customize their functions, fast packet forwarding is also required. This paper presents PdP, a flexible network virtualization platform capable of achieving high speed packet forwarding. A PdP node has multiple machines to perform packet processing for virtual networks hosted in the system. To forward packets in high speed, the data plane of a virtual network in PdP can be allocated with multiple forwarding machines to process packets in parallel. Furthermore, a virtual network in PdP can be fully customized. Both the control plane and data plane of a virtual network run in virtual machines so as to be isolated from other virtual networks. We have built a proof-of-concept prototyping PdP platform using off-the-shelf commodity hardware and open source software. The performance evaluation results show that our system can closely match the best-known packet forwarding speed of software router running in commodity hardware.