FUSION: A Unified Application Model for Virtual Mobile InfrastructureWe proposed a unified application model for virtual mobile infrastructure called FUSION. FUSION bridges the gap between the remote VMI server and the client-side mobile device via supporting bi-directional IPC(inter-process communication) and loosely synchronized file system. FUSION classifies IPC events into two types: IPC events without accessing local resources and IPC events accessing local resource. For IPC events without accessing local resources, FUSION simply hooks the IPC events, forwards them to the remote peer and replays them in the remote environment. For complex IPC events involving with accessing files located in the local device, FUSION will analyze each individual IPC event and transmit the corresponding files to the remote peer with respect to each IPC event. Once the remote application completes its job and the user tries to disconnect with the remote peer, FUSION will synchronize those files back to the local side. The synchronization makes the file changes updated by the remote application visible to the local side. Base on our experimental results, FUSION incurs less than 1% overhead on the system. For simple IPC events without local resource access, FUSION can transmit those IPC events to the remote peer under various network conditions in less than 1200ms. For complex IPC events involving local resource access, FUSION can also serialize and transmit the files efficiently.
Software Defined Networking (SDN) allows the construction of virtual networks on top of a datacenter network infrastructure. However, the flexibility also increases the chance of inconsistencies in the network configurations caused by component failures, software bugs, or human errors. The inconsistencies may result in service outage or security policy violation. We propose a model-based verification system to check the consistency of a virtual network. The system models the requirements as logic constraints and extracts the configuration states of a virtual network. The configuration states are checked against the logic constraints by using a SMT solver. The prototype system successfully detects various inconsistencies injected to the testbed and incurs reasonable amount of overheads.
VM WAN MigrationConventional virtual machine (VM) migration focuses on transferring a VM’s memory and CPU states across host machines. The VM’s disk image has to remain accessible to both the source and destination host machines through shared storage during the migration. As a result, conventional virtual machine migration is limited to host machines on the same local area network (LAN) since sharing storage across wide-area network (WAN) is inefficient. As datacenters are being constructed around the globe, we envision the need for VM migration across datacenter boundaries. We thus propose a system aiming to achieve efficient VM migration over wide area network. The system exploits similarity in the storage data of neighboring VMs by first indexing the VM storage images and then using the index to locate storage data blocks from neighboring VMs, as opposed to pulling all data from the remote source VM across WAN. The experiment result shows that the system can achieve an average 66% reduction in the amount of data transmission and an average 59% reduction in the total migration time.
MicroApp Architecting Web Application for Non-Uniform Trustworthiness in Cloud Computing EnvironmentAn increasing number of web applications are now hosted in cloud infrastructures such as Amazon Web Services. Cloud infrastructures generally lack a uniform guarantee on security, reliability, performance, and cost. A privately owned cloud infrastructure may be considered more secure but less performant than a third-party public cloud infrastructure. Infrastructures that span across geographical regions may further incur complications on the trustworthiness of infrastructures due to the varying power of jurisdiction. Application developers have to be aware of the non-uniformity of infrastructure trustworthiness when deploying applications in the cloud. We propose the MicroApp architecture that help address the difficulty in dealing with the non-uniformity. MicroApp splits a web application into multiple micro applications. Each micro application encapsulates a port of the code and data with the same level of security and integrity requirement. The micro applications will then be deployed to corresponding infrastructures that satisfy the respective requirements. MicroApp provides an RPC mechanism to allow control flows across micro applications. The architecture can be transparently applied to existing web applications and allows an application to effectively adapt to the cloud environment.
Hypervisor-based Sensitive Data Leakage DetectorSensitive Data Leakage (SDL) is a major issue faced by organizations due to increasing reliance on data-driven decision-making. Existing Data Leakage Prevention (DLP) solutions are being challenged by the adoption of network trans-port encryption and the presence of privileged-mode malware designed to tamper with the DLP agent programs. We propose a novel DLP system called “HyperSweep” that uses Virtual Machine Memory Introspection (VMI) technology to inspect the memory content of a guest system for sensitive information. The approach is robust against both network transport encryption and malware that attack DLP agent programs. The HyperSweep prototype is implemented on top of the KVM hypervisor. Our experiments have confirmed its applicability to real-world appli-cations, including web browsers, office applications, and social networking applications. The experiments also indicate moderate performance overhead from applying HyperSweep.
VDC Security MonitoringVirtualized datacenter (VDC) has become a popular approach to large-scale system consolidation and the enabling technology for infrastructure-as-a-service cloud computing. The consolidation inevitably aggregates the security threats once faced by individual systems towards a VDC, and a VDC operator should remain vigilant of the threats at all times. We envision the need for on-demand mandatory security monitoring of critical guest systems as a means to track and deter security threats that could jeopardize the operation of a VDC. Unfortunately, existing VDC security monitoring mechanisms all require pre-installed guest components to operate. The security monitoring would either be up to the discretion of individual tenants or require costly direct management of guest systems by the VDC operator. We propose the EagleEye approach for on-demand mandatory security monitoring in VDC environment, which does not depend on pre-installed guest components. We implement a prototype on-access anti-virus monitor to demonstrate the feasibility of the EagleEye approach. We also identify challenges particular to this approach, and provide a set of solutions meant to strengthen future research in this area.
Mobile Device Management
對於攜入個人智慧行動裝置(Bring Your Own Device)於軍事管制區，目前國防部已著手導入行動裝置管理(Mobile Device Management)第三方解決方案來處理其所造成的資安隱憂。但由於管制區內的人事物有其敏感性，若僅仰賴第三方解決方案，恐形成一極大的國安漏洞。因此在本研究中我們對Android智慧行動裝置安全管控各項功能之實作可行性進行評估進而掌握其背後所需的關鍵技術，包括如裝置資訊取得、裝置控制、管控系統自體防護以及架構設計等。本研究的成果可立即作為國防部於初期導入第三方MDM解決方案的採購評量參考，而針對中長期須自行開發MDM系統的目標，本研究所發展的諸項關鍵技術也將具有極高的參考價值。