Multi-tenant cloud, which features utility-like computing resources to tenants in a "pay-as-you-go" style, has been commercially popular for years. As one of the sole purposes of such a cloud is maximizing resource usages to increase its revenue, it usually uses virtualization to consolidate VMs from different and even mutually-malicious tenants atop a powerful physical machine. This, however, also enables a malicious tenant to steal securitycritical information such as crypto keys from victims, due to the shared physical resources such as caches.In this paper, we show that stealing crypto keys in a virtualized cloud may be a real threat by evaluating a cache-based side-channel attack against an encryption process. To mitigate such attacks while not notably degrading performance, we propose an approach that leverages dynamic cache coloring: when an application is doing security-sensitive operations, the VMM is notified to swap the associated data to a safe and isolated cache line. This approach may eliminate cache-based side-channel for security-critical operations, yet ensure efficient resource sharing during normal operations. We demonstrate the applicability by illustrating a preliminary implementation based on Xen and its performance overhead.
In the era of digitalization, utilization of datadriven control approaches to minimize energy consumption of residential/commercial building is of far-reaching significance. Meanwhile, A number of recent approaches based on the application of Willems' fundamental lemma for data-driven controller design from input/output measurements are very promising for deterministic LTI systems. This paper addresses the key noise-free assumption, and extends these data-driven control schemes to adaptive building control with measured process noise and unknown measurement noise via a robust bilevel formulation, whose upper level ensures robustness and whose lower level guarantees prediction quality. Corresponding numerical improvements and an active excitation mechanism are proposed to enable a computationally efficient reliable operation. The efficacy of the proposed scheme is validated by a numerical example and a real-world experiment on a lecture hall on EPFL campus.
Live VM migration is one of the major primitive operations to manage virtualized cloud platforms. Such operation is usually missioncritical and disruptive to the running services, and thus should be completed as fast as possible. Unfortunately, with the increasing amount of resources configured to a VM, such operations are becoming increasingly time-consuming. In this paper, we make a comprehensive analysis on the parallelization opportunities of live VM migration on two popular open-source VMMs (i.e., Xen and KVM). By leveraging abundant resources like CPU cores and NICs in contemporary server platforms, we design and implement a system called PMigrate that leverages data parallelism and pipeline parallelism to parallelize the operation. As the parallelization framework requires intensive mmap/munmap operations that tax the address space management system in an operating system, we further propose an abstraction called range lock, which improves scalability of concurrent mutation to the address space of an operating system (i.e., Linux) by selectively replacing the perprocess address space lock inside kernel with dynamic and finegrained range locks that exclude costly operations on the requesting address range from using the per-process lock. Evaluation with our working prototype on Xen and KVM shows that PMigrate accelerates the live VM migration ranging from 2.49X to 9.88X, and decreases the downtime ranging from 1.9X to 279.89X. Performance analysis shows that our integration of range lock to Linux significantly improves parallelism in mutating the address space in VM migration and thus boosts the performance ranging from 2.06X to 3.05X. We also show that PMigrate makes only small disruption to other co-hosted production VMs.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.