嵌入式虚拟化技术

计算机系统虚拟化技术是IT领域近几年的热点技术。虚拟化技术的下一步发展方向是嵌入式系统。嵌入式系统进行虚拟化是在嵌入式硬件平台和操作系统之间加入一层叫做虚拟机管理器的软件,由后者构造出可运行多种操作系统的虚拟机。国外多家公司和大学已对嵌入式虚拟化技术展开研究。嵌入式虚拟化的好处包括减少嵌入式系统开发成本、缩短产品上市周期、利于整合功能、减少功耗、软件资产保值和增强安全性与可靠性。嵌入式虚拟化技术面临的问题包括实时调度问题、嵌入式硬件平台多样性问题、电源管理问题以及跨虚拟机通信问题。嵌入式虚拟化技术将给嵌入式领域带来重大变化,值得关注。     

Heterogeneous Computing and Parallel Genetic Algorithms

This paper analyzes some technical and practical issues concerning the heterogeneous execution of parallel genetic algorithms (PGAs). In order to cope with a plethora of different operating systems, security restrictions, and other problems associated to multi-platform execution, we use Java to implement a distributed PGA model. The distributed PGA runs at the same time on different machines linked by different kinds of communication networks. This algorithm benefits from the computational resources offered by modern LANs and by Internet, therefore allowing researchers to solve more difficult problems by using a large set of available machines. We analyze the way in which such heterogeneous systems affect the genetic search for two problems. Our conclusion is that super-linear performance can be achieved not only in homogeneous but also in heterogeneous clusters of machines. In addition, we study some special features of the running platforms for PGAs, and basically find out that heterogeneous computing can be as efficient or even more efficient than homogeneous computing for parallel heuristics.     

Security-Preserving Live Migration of Virtual Machines in the Cloud

Hypervisor-based process protection is a novel approach that provides isolated execution environments for applications running on untrusted commodity operating systems. It is based on off-the-shelf hardware and trusted hypervisors while it meets the requirement of security and trust for many cloud computing models, especially third-party data centers and a multi-tenant public cloud, in which sensitive data are out of the control of the users. However, as the hypervisor extends semantic protection to the process granularity, such a mechanism also breaks the platform independency of virtual machines and thus prohibits live migration of virtual machines, which is another highly desirable feature in the cloud. In this paper, we extend hypervisor-based process protection systems with live migration capabilities by migrating the protection-related metadata maintained in the hypervisor together with virtual machines and protecting sensitive user contents using encryption and hashing. We also propose a security-preserving live migration protocol that addresses several security threats during live migration procedures including timing-related attacks, replay attacks and resumption order attacks. We implement a prototype system base on Xen and Linux. Evaluation results show that performance degradation in terms of both total migration time and downtime are reasonably low compared to the unmodified Xen live migration system.     

基于容器技术的水文水动力模型软硬件适配方法

随着国产化软硬件系统的发展和普及,将现行的计算程序适配到国产硬件和操作系统上是科学研究和业务化应用的关键,亟待探索提出专业计算模型的软硬件适配方法。现有关于专业计算模型的软硬件适配方法存在缺乏通用性、硬件依赖性强等问题。鉴于此,系统解析了国产化适配需要解决的关键问题,并对比了现行的软件适配技术,筛选出容器技术作为水文水动力模型的国产适配技术。容器技术可将应用程序打包成独立的运行环境,摆脱对底层架构和操作系统的依赖。以水文水动力模型TELEMAC为例,详细说明了Docker镜像构成原理,并通过Dockerfile文件构建了TELEMAC镜像环境,开展了计算案例的验证。结果表明TELEMAC镜像能够安全运行在以鲲鹏920处理器为核心的openEuler和麒麟V10等国产软硬件平台上,且案例计算结果与标准结果相一致,模型计算效率高,实现了专业科学计算模型的国产化软硬件适配,该研究可为其他软件国产化适配提供参考借鉴。     

Accelerator Virtualization Framework Based on Inter-VM Exitless Communication

The increasing deployment of artificial intelligence has placed unprecedent requirements on the computing power of cloud computing. Cloud service providers have integrated accelerators with massive parallel computing units in the data center. These accelerators need to be combined with existing virtualization platforms to partition the computing resources. The current mainstream accelerator virtualization solution is through the PCI passthrough approach, which however does not support fine-grained resource provisioning. Some manufacturers also start to provide time-sliced multiplexing schemes and use drivers to cooperate with specific hardware to divide resources and time slices to different virtual machines, which unfortunately suffer from poor portability and flexibility. One alternative but promising approach is based on API forwarding, which forwards the virtual machine''s request to the back-end driver for processing through a separate driver model. Yet, the communication due to API forwarding can easily become the performance bottleneck. This paper proposes Wormhole, an accelerator virtualization framework based on the C/S architecture that supports rapid delegated execution across virtual machines. It aims to provide upper-level users with an efficient and transparent way to accelerate the virtualization of accelerators with API forwarding while ensuring strong isolation between multiple users. By leveraging hardware virtualization feature, the framework minimizes performance degradation through exitless inter-VM control flow switch. Experimental results show that Wormhole''s prototype system can achieve up to 5 times performance improvement over the traditional open-source virtualization solution such as GVirtuS in the training test of the classic model.     

Towards multilaterally secure computing platforms—with open source and trusted computing

We present a security architecture for a trustworthy open computing platform that aims at solving a variety of security problems of conventional platforms by an efficient migration of existing operating system components, a Security Software Layer (PERSEUS), and hardware functionalities offered by the Trusted Computing technology. The main goal is to provide multilateral security, e.g., protecting users' privacy while preventing violations of copyrights. Hence the proposed architecture includes a variety of security services such as secure booting, trusted GUI, secure installation/update, and trusted viewer. The design is flexible enough to support a wide range of hardware platforms, i.e., PC, PDA, and embedded systems. The proposed platform shall serve as a basis for implementing a variety of innovative business models and distributed applications with multilateral security.     

KVM虚拟化动态迁移技术的安全防护模型

虚拟机动态迁移技术是在用户不知情的情况下使得虚拟机在不同宿主机之间动态地转移,保证计算任务的完成,具有负载均衡、解除硬件依赖、高效利用资源等优点,但此技术应用过程中会将虚拟机信息和用户信息暴露到网络通信中,其在虚拟化环境下的安全性成为广大用户担心的问题,逐渐成为学术界讨论和研究的热点问题.本文从研究虚拟化机制、虚拟化操作系统源代码出发,以虚拟机动态迁移的安全问题作为突破点,首先分析了虚拟机动态迁移时的内存泄漏安全隐患;其次结合KVM(Kernel-based Virtual Machine)虚拟化技术原理、通信机制、迁移机制,设计并提出一种新的基于混合随机变换编码方式的安全防护模型,该模型在虚拟机动态迁移时的迁出端和迁入端增加数据监控模块和安全模块,保证虚拟机动态迁移时的数据安全;最后通过大量实验,仿真测试了该模型的安全防护能力和对虚拟机运行性能的影响,仿真结果表明,该安全防护模型可以在KVM虚拟化环境下保证虚拟机动态迁移的安全,并实现了虚拟机安全性和动态迁移性能的平衡.     

Portable virtual cycle accounting for large-scale distributed cycle sharing systems

CPU cycle sharing among distributed heterogeneous computers is the key function in large-scale volunteer computing and desktop grid applications. One important problem in large-scale distributed cycle sharing system is how to account for the amount of computation work performed by a CPU cycle provider, in a uniform and portable fashion across heterogeneous hardware and operating system platforms. Such an accounting mechanism is especially desirable when CPU resources are traded and a lack of uniform workload accounting will hinder the enforcement of market-driven CPU pricing/trading policies in distributed cycle sharing systems. Java Virtual Machine (JVM) has proved to be a good match for distributed cycle sharing because of its abilities to run applications on a wide variety of platforms without modification (portability) and to host untrusted applications (safety). In this paper, we present the design, implementation, and evaluation of an efficient, application-transparent virtual cycle accounting scheme integrated into JVM. Our scheme achieves portable workload accounting across heterogeneous computing platforms by accounting for JVM virtual instructions instead of real processor cycles. Different from the existing JVM CPU accounting mechanisms that involve bytecode rewriting, our scheme is transparent to applications and does not require visible changes to application and library code interfaces which would break applications that use Reflection API. Moreover, our scheme is efficient via the use of processor registers for accounting. Our experimental results demonstrate both high accounting accuracy and low runtime overhead of virtual cycle accounting.     

A security-aware virtual machine placement in the cloud using hesitant fuzzy decision-making processes

The introduction of cloud computing systems brought with itself a solution for the dynamic scaling of computing resources leveraging various approaches for providing computing power, networking, and storage. On the other hand, it helped decrease the human resource cost by delegating the maintenance cost of infrastructures and platforms to the cloud providers. Nevertheless, the security risks of utilizing shared resources are recognized as one of the major concerns in using cloud computing environments. To be more specific, an intruder can attack a virtual machine and consequently extend his/her attack to other virtual machines that are co-located on the same physical machine. The worst situation is when the hypervisor is compromised in which all the virtual machines assigned to the physical node will be under security risk. To address these issues, we have proposed a security-aware virtual machine placement scheme to reduce the risk of co-location for vulnerable virtual machines. Four attributes are introduced to reduce the aforementioned risk including the vulnerability level of a virtual machine, the importance level of a virtual machine in the given context, the cumulative vulnerability level of a physical machine, and the capacity of a physical machine for the allocation of new virtual machines. Nevertheless, the evaluation of security risks, due to the various vulnerabilities’ nature as well as the different properties of deployment environments is not quite accurate. To manage the precision of security evaluations, it is vital to consider hesitancy factors regarding security evaluations. To consider hesitancy in the proposed method, hesitant fuzzy sets are used. In the proposed method, the priorities of the cloud provider for the allocation of virtual machines are also considered. This will allow the model to assign more weights to attributes that have higher importance for the cloud provider. Eventually, the simulation results for the devised scenarios demonstrate that the proposed method can reduce the overall security risk of the given cloud data center. The results show that the proposed approach can reduce the risk of attacks caused by the co-location of virtual machines up to 41% compared to the existing approaches.

     

普适计算中间件技术的研究与进展

当前,普适计算已经成为计算机科学中一个极具活力和影响力的研究领域。普适计算环境规模很大并且具有高度异构性,如网络架构的异构性、硬件平台的异构性、操作系统的异构性、应用服务的异构性等,而普适计算中间件技术可以解决异构性和跨平台特征,提供不同服务的集成应用,因此成为普适计算中的一个研究热点。基于此,本文对于目前国外关于普适计算中间件技术的研究现状做了一个总结;通过分析和比较,给出了普适计算中间件的设计原则;探讨了普适计算中间件技术的未来发展方向。     

Taming Virtualization

Although the term virtualization has been around for decades, only recently has it become a buzzword in the computer systems community with the revival of virtual machines (VMs), driven by efforts in industry and academia. VMs are software entities that emulate a real machine's functionality; they execute under the control of a hypervisor that virtualizes and multiplexes low-level hardware resources. Hypervisors come in two flavors: non-hosted, which run directly on top of the hardware, and hosted, which are integrated with a host operating system (OS). The presence of a hypervisor makes VMs subject to a level of visibility and control that's hard to achieve with real machines. The small size, isolation, and mediation power of an ideal hypervisor over VMs make it an interesting candidate for a trusted computing base, with applications in security research fields such as intrusion detection, integrity protection, and malware analysis, among others.     

Trends in multiprocessor and distributed operating systems designs

This paper presents an overview of the developments in operating systems technology for distributed computing systems and multiprocessor machines. We focus on those design principles that are now widely accepted as useful design paradigms. Approaches common to distributed and multiprocessor operating systems are identified. Issues discussed include process scheduling and synchronization, load balancing, virtual and shared-memory management and parallel file systems. The task-thread model and the object model of computing are also discussed.     

On improvement of cloud virtual machine availability with virtualization fault tolerance mechanism

Virtualization, particularly in the field of cloud computing, is a common strategy to improve existing computing resources. Hadoop, one of the Apache projects, is designed to scale up from single servers to thousands of machines, each offering local computation and storage capabilities. However, how to guarantee both stability and reliability of virtualization have become important topics. In this article, to reach this goal we used current open-source software and platforms, for instance, the Xen-Hypervisor virtualization technology, and the OpenNebula virtual machines management tool. After extending components capabilities, we developed a mechanism to support our ideas and reached high availability with Hadoop that is also called as virtualization fault tolerance (VFT). We considered a practical problem, i.e., the single-point-of-failure issue that occurs frequently in virtualization systems, and the experimental results confirm that the downtime interval can be greatly shortened even if failure occurred. As a result, VFT is useful not only for Hadoop applications, but also for more areas in cluster-based systems.     

Spin detection hardware for improved management of multithreaded systems

Spinning is a synchronization mechanism commonly used in applications and operating systems. Excessive spinning, however, often indicates performance or correctness (e.g., livelock) problems. Detecting if applications and operating systems are spinning is essential for achieving high performance, especially in consolidated servers running virtual machines. Prior research has used source or binary instrumentation to detect spinning. However, these approaches place a significant burden on programmers and may even be infeasible in certain situations. In this paper, we propose efficient hardware to detect spinning in unmodified applications and operating systems. Based on this hardware, we develop 1) scheduling and power policies that adaptively manage resources for spinning threads, 2) system support that helps detect when a multithreaded program is livelocked, and 3) hardware performance counters that accurately reflect system performance. Using full-system simulation with SPEC OMP, SPLASH-2, and Wisconsin commercial workloads, we demonstrate that our mechanisms effectively improve the management of multithreaded systems.     

Network virtualization substrate with parallelized data plane

Network virtualization provides the ability to run multiple concurrent virtual networks over a shared substrate. However, it is challenging to design such a platform to host multiple heterogenous and often highly customized virtual networks. Not only high degree of flexibility is desired for virtual networks to customize their functions, fast packet forwarding is also required. This paper presents PdP, a flexible network virtualization platform capable of achieving high speed packet forwarding. A PdP node has multiple machines to perform packet processing for virtual networks hosted in the system. To forward packets in high speed, the data plane of a virtual network in PdP can be allocated with multiple forwarding machines to process packets in parallel. Furthermore, a virtual network in PdP can be fully customized. Both the control plane and data plane of a virtual network run in virtual machines so as to be isolated from other virtual networks. We have built a proof-of-concept prototyping PdP platform using off-the-shelf commodity hardware and open source software. The performance evaluation results show that our system can closely match the best-known packet forwarding speed of software router running in commodity hardware.     

The 3D Model Acquisition Pipeline

Three-dimensional (3D) image acquisition systems are rapidly becoming more affordable, especially systems based on commodity electronic cameras. At the same time, personal computers with graphics hardware capable of displaying complex 3D models are also becoming inexpensive enough to be available to a large population. As a result, there is potentially an opportunity to consider new virtual reality applications as diverse as cultural heritage and retail sales that will allow people to view realistic 3D objects on home computers.
Although there are many physical techniques for acquiring 3D data—including laser scanners, structured light and time-of-flight—there is a basic pipeline of operations for taking the acquired data and producing a usable numerical model. We look at the fundamental problems of range image registration, line-of-sight errors, mesh integration, surface detail and color, and texture mapping. In the area of registration we consider both the problems of finding an initial global alignment using manual and automatic means, and refining this alignment with variations of the Iterative Closest Point methods. To account for scanner line-of-sight errors we compare several averaging approaches. In the area of mesh integration, that is finding a single mesh joining the data from all scans, we compare various methods for computing interpolating and approximating surfaces. We then look at various ways in which surface properties such as color (more properly, spectral reflectance) can be extracted from acquired imagery. Finally, we examine techniques for producing a final model representation that can be efficiently rendered using graphics hardware.     

Migration of existing software systems to mobile computing platforms: a systematic mapping study

Mobile computing has fast emerged as a pervasive technology to replace the old computing paradigms with portable computation and context-aware communication. Existing software systems can be migrated (while preserving their data and logic) to mobile computing platforms that support portability, context-sensitivity, and enhanced usability. In recent years, some research and development efforts have focused on a systematic migration of existing software systems to mobile computing platforms.To investigate the research state-of-the-art on the migration of existing software systems to mobile computing platforms. We aim to analyze the progression and impacts of existing research, highlight challenges and solutions that reflect dimensions of emerging and futuristic research.We followed evidence-based software engineering (EBSE) method to conduct a systematic mapping study (SMS) of the existing research that has progressed over more than a decade (25 studies published from 1996–2017).We have derived a taxonomical classification and a holistic mapping of the existing research to investigate its progress, impacts, and potential areas of futuristic research and development.The SMS has identified three types of migration namely Static, Dynamic, and State-based Migration of existing software systems to mobile computing platforms.Migration to mobile computing platforms enables existing software systems to achieve portability, context-sensitivity, and high connectivity. However, mobile systems may face some challenges such as resource poverty, data security, and privacy. The emerging and futuristic research aims to support patterns and tool support to automate the migration process. The results of this SMS can benefit researchers and practitioners–by highlighting challenges, solutions, and tools, etc., –to conceptualize the state-ofthe- art and futuristic trends that support migration of existing software to mobile computing.     

Executing secured virtual machines within a manycore architecture

Manycore processors are a way to face the always growing demand in digital data processing. However, by putting closer distinct and possibly private data, they open up new security breaches. Splitting the architecture into several partitions managed by a hypervisor is a way to enforce isolation between the running virtual machines. Thanks to their high number of cores, these architectures can mitigate the impact of dedicating cores both to the virtual machines and the hypervisor, while allowing an efficient execution of the virtualized operating systems. We present such an architecture allowing the execution of fully virtualized multicore operating systems benefiting of hardware cache coherence. The physical isolation is made by the means of address space via the introduction of a light hardware module similar to a memory-management unit at the network-on-chip entrance, but without the drawback of relying on a page table. We designed a cycle-accurate virtual prototype of the architecture, controlled by a light blind hypervisor with minimum rights, only able to start and stop virtual machines. Experiments made on our virtual prototype shows that our solution has a low time overhead – typically 3% on average.     

Middleware for pervasive computing: A survey

The rapidly emerging area of pervasive computing faces many challenging research issues critical to application developers. Wide heterogeneity of hardware, software, and network resources pose veritable coordination problems and demand thorough knowledge of individual elements and technologies. In order to ease this problem and to aid application developers, different middleware platforms have been proposed by researchers. Though the existing middleware solutions are useful, they themselves have varied features and contribute partially, for context, data, or service management related application developments. There is no single middleware solution that can address a majority of pervasive computing application development issues, due to the diverse underlying challenges. In this survey paper, we identify different design dimensions of pervasive computing middleware and investigate their use in providing various system services. In-depth analysis of the system services have been carried out and middleware systems have been carefully studied. With a view to aid future middleware developers, we also identify some challenging open research issues that have received little or no attention in existing middleware solutions.     

A Java/CORBA virtual machine architecture for remote execution of optimization solvers in heterogeneous networks

Virtual machines for remote execution are a useful tool for utilizing light user interfaces and intensive application cores in different physical machines connected through the Internet. In a virtual machine, application cores are distributed in a network. Specific locations, operating systems and hardware characteristics are hidden by virtual machines. They make it possible to use a PC to execute user interfaces and (a few) high‐performance computers for application cores. We present a Java/CORBA‐based brokerage platform that allows remote execution of optimization solvers from a client running on any platform. The system offers a dynamic library of available problem solvers, and a graphic interface to browse several defined properties and metadata on available solvers. In addition, an embedded file compression module to reduce data transfer time is included as a plug‐in feature of the proposed virtual machine. Analogous systems could be constructed for applications in which interaction traffic time is much lower than execution time. Copyright © 2001 John Wiley & Sons, Ltd.