A&S Graduate Studies
[PAST EVENT] Lele Ma, Computer Science - Ph.D. Dissertation Defense
Abstract:
Isolation is a fundamental paradigm for secure and efficient resource sharing on a computer system. However, isolation mechanisms in traditional cloud computing platforms are heavy-weight or just not feasible to be applied onto the computing environment for Internet of Things(IoT). Most IoT devices have limited resources and their servers are less powerful than cloud servers but are widely distributed over the edge of the Internet. Revisions to the traditional isolation mechanisms are needed in order to improve the system security and efficiency in these computing environments.
The first project explores container-based isolation for the emerging edge computing platforms. We show a performance issue of live migration between edge servers where the file system transmission becomes a bottleneck. Then we propose a solution that leverages a layered file system for synchronization before the migration starts, avoiding the usage of impractical networking shared file system as in the traditional solution. The evaluation shows that the migration time is reduced by 56% – 80%.
In the second project, we propose a lightweight security monitoring service for edge computing platforms, base on the virtual machine isolation technique. Our framework is designed to monitor program activities from underneath of an operating system, which improves its transparency and avoids the cost of embedding different monitor modules into each layer inside the operating system. Furthermore, the monitor runs in a single process virtual machine which requires only <32MB of memory, reduces the scheduling overhead, and saves a significant amount of physical memory, while the performance overhead is an average of 2.7%.
In the third project, we co-design the hardware and software system stack to achieve efficient fine-grained intra-address space isolation. We propose a systematic solution to partition a legacy program into multiple security compartments, which we call capsules, with isolation at byte granularity. Vulnerabilities in one capsule will not likely affect another capsule. The isolation is guaranteed by our hardware-based ownership types tagged to every byte in the memory. The ownership types are initialized, propagated, and checked by combining both static and dynamic analysis techniques. Finally, our co-design approach could remove most human refactoring efforts while avoiding the untrustworthiness as well as the cost of the pure software approaches.
In brief, this proposal explores a spectrum of isolation techniques and their improvements for the IoT computing environment. With our explorations, we have shown the necessity to revise the traditional isolation mechanisms in order to improve the system efficiency and security for the edge and IoT platforms. We expect that many more opportunities will be discovered and various kinds of revised or new isolation mechanisms for the edge and IoT platforms will emerge soon.
Bio:
Lele Ma is a Ph.D. Candidate in the Computer Science Department at William & Mary, supervised by Professor Qun Li. His research interests lie in system support for edge computing and the internet of things, with emphasis on designing secure and efficient operating systems leveraging a wide spectrum of isolation techniques. He received a master’s degree from the University of Chinese Academy of Sciences, and a bachelor’s degree from Shandong University, China. He had been a visiting student at University of Rochester in 2018-2019, and a research intern at Pacific Northwest National Lab in 2020. His writings have been seen in SEC 2017, SOFC 2018, TMC 2019, and co-authored writings in Proceedings of IEEE 2019, USENIX Security 2020.