Fig 9 - uploaded by Rafael Pires
Waiting times for SGX and non-SGX jobs, using binpack and spread scheduling strategies, depending on the memory requested by pods.
Similar publications
Citations
... This increase in vulnerabilities is primarily attributed to the potential use of unsecured container images for microservices [61]. Containers are considered the default method for deploying MSA applications [35,62]. Compromised containers can be targeted through supply chain attacks, which represent a significant threat, as noted in a recent publication by the National Institute of Standards and Technology (NIST) [63]. ...
Cloud-native computing enhances the deployment of microservice architecture (MSA) applications by improving scalability and resilience, particularly in Beyond 5G (B5G) environments such as Sixth-Generation (6G) networks. This is achieved through the ability to replace traditional hardware dependencies with software-defined solutions. While service meshes enable secure communication for deployed MSAs, they struggle to identify vulnerabilities inherent to microservices. The reliance on third-party libraries and modules, essential for MSAs, introduces significant supply chain security risks. Implementing a zero-trust approach for MSAs requires robust mechanisms to continuously verify and monitor the software supply chain of deployed microservices. However, existing service mesh solutions lack runtime trust evaluation capabilities for continuous vulnerability assessment of third-party libraries and modules. This paper introduces a mechanism for continuous runtime trust evaluation of microservices, integrating vulnerability assessments within a service mesh to enhance the deployed MSA application. The proposed approach dynamically assigns trust scores to deployed microservices, rewarding secure practices such as timely vulnerability patching. It also enables the sharing of assessment results, enhancing mitigation strategies across the deployed MSA application. The mechanism is evaluated using the Train Ticket MSA, a complex open-source benchmark MSA application deployed with Docker containers, orchestrated using Kubernetes, and integrated with the Istio service mesh. Results demonstrate that the enhanced service mesh effectively supports dynamic trust evaluation based on the vulnerability posture of deployed microservices, significantly improving MSA security and paving the way for future self-adaptive solutions.
... Container Adoption Growth by Industry (2018-2023)[21] ...
... The purpose of an Enclave is to restrict external access and provide confidentiality and integrity protection for sensitive data [11], [12]. Figure 6. An application in the Intel SGX architecture can be split into trusted and untrusted parts. ...
... Throughout this entire process, the involved data remains within the trusted memory space, ensuring its utmost security [11], [12]. During the launch of an enclave, a secure log is created to capture important information about the enclave's contents and the manner in which it is loaded. This log, known as the Measurement, serves as a record of the enclave's integrity. ...
Data-intensive applications play a vital role in various domains, ranging from finance and healthcare to e-commerce and IoT. However, the increasing reliance on these applications raises significant concerns about data security and privacy. Trusted Execution Environment (TEE) has emerged as a powerful solution to address these challenges by providing a secure and isolated execution environment within a device's hardware and software framework. This paper explores the use of TEEs, specifically Intel SGX and Arm TrustZone, for enhancing the security of data-intensive applications. It examines the key features and benefits of these TEE technologies, such as hardware-based isolation, cryptographic techniques, secure storage, and remote attestation. The paper also discusses the standardization efforts in TEE frameworks, enabling interoperability and ease of integration across different platforms. Through an analysis of existing research and studies, the effectiveness of SGX and TrustZone in protecting sensitive data, ensuring code integrity, and mitigating various attack vectors is demonstrated. The paper concludes by highlighting the immense potential of TEEs, including SGX and TrustZone, in securing data-intensive applications and emphasizes the necessity for widespread adoption to effectively address the evolving security challenges in the digital landscape, particularly in securing Complex Event Processing.
... They are utilized in IoT services [8] [9], smart cars, fog computing [10], and service meshes [11] [12]. Major organizations, including Amazon, Spotify, and Netflix, have established containers as the standard for cloud deployment [13] [14]. Various runtimes/engines like Docker, LXC, RunC, Singularity, Podman, and Containerd exist, with Docker being the most popular. ...
In the evolving tech landscape, various container technologies coexist and offer compelling advantages in quickly deploying applications and efficiently utilizing resources on edge devices. Despite the potential benefits of containerization in general, limited research has explored how various container technologies perform in specific domains. In response, this paper provides an extensive evaluation of container technologies (e.g., RunC, LXC, Containerd, Docker, Podman, and Singularity) in the context of OpenCV-based computer vision applications on ARM-based edge devices. Experiments verify that the performance of containerized computer vision applications is comparable to that of non-containerized ones. While the performance is roughly equivalent across all container runtimes/engines, Docker consistently demonstrates superior efficiency for computer vision applications on ARM-based edge devices. These insights contribute to bridging the existing gap in the integration of containers in IoT and ARM-based edge computing scenarios.
... The issue of security in container deployment is of utmost importance. Although the work proposed in [29] and [30] considers the security aspect in their research work, further extensive research is required. Techniques to ensure the integrity and authenticity of container images and to prevent the deployment of compromised or malicious images can be developed [29]. ...
... Although the work proposed in [29] and [30] considers the security aspect in their research work, further extensive research is required. Techniques to ensure the integrity and authenticity of container images and to prevent the deployment of compromised or malicious images can be developed [29]. This can involve digital signatures, secure registries, and image provenance tracking. ...
Cloud computing, which offers computing resources on a pay-per-usage basis, faces the challenges associated with managing fluctuating traffic loads and resource allocation. Virtualization technology, including containers and virtual machines, facilitates efficient resource sharing and allocation. Containers, in particular, provide benefits such as resource efficiency, rapid deployment, scalability, portability, and modularity. However, optimizing container scheduling and deployment for performance and cost-efficiency remains a challenging task. This paper discusses the container deployment problem, performance metrics, and reviews related works. A Particle Swarm Optimization based algorithm for container allocation, aiming to minimize resource wastage is also proposed. The performance evaluation of the proposed model, compared to other optimization techniques, demonstrates its effectiveness. Furthermore, the paper highlights various issues and challenges in container deployment optimization in cloud computing, and outlines future research directions.
... Containers have been adopted for a variety of applications, including Internet of Things (IoT) services [18] [19], smart cars, fog computing [9], and service meshes [14] [25]. Many organizations, such as Amazon, Spotify, Netflix, and Twitter, have adopted microservices as a way to deliver their software, and containers have become the de facto standard for deploying microservices and applications to the cloud [37] [40]. ...
The proliferation of IoT devices has led to various computer vision applications, where addressing bandwidth and latency challenges through edge nodes presents significant benefits. However, there are still existing gaps and a need for improvements to optimize IoT applications, especially in the field of computer vision, by overcoming limited resources and enhancing device performance. Addressing these challenges is essential to unlock the full potential of IoT applications in real-world scenarios. This paper evaluates the use of lightweight container technology for computer vision applications that use different algorithms, such as Haar Cascades, HOG and CNN with the YOLO algorithm, on edge devices and provides a comprehensive comparison and analysis of different versions of computer vision applications in containers in terms of processing ability and performance. It focuses on containerizing computer vision applications using Docker to achieve safe execution of multiple applications on these devices without interference and to enable flexibility, efficiency, portability, scalability, and isolation. The study also examines the resource usage, execution time, and receiving time of containerized computer vision applications. The research findings significantly advance our understanding of computer vision processing in IoT and edge computing, thereby opening up new avenues for real-time computing scenarios. These insights have the potential to drive transformative advancements in the field, enabling more efficient and accurate computer vision applications in IoT and paving the way for enhanced real-time decision-making, automation, and intelligent systems.
... Furthermore, containers isolate the computation environment, as well as put constraints in place, making them well suited for multi-tenant environments. Hence, the industry has been experiencing a shift towards container-based software deployment from bare-metal installations [1]. Containers also lend themselves well to microservice-based development, which is an architecture we have been observing more in recent software deployment trends from large companies [2]. ...
Container security involves a broad spectrum of concerns, including the security of the operating system, auditing the supply chain and the application security of the running containers. This wide attack surface will also include the security of the container orchestration system and its components once a container orchestration system is introduced to manage the fleet of containers in an environment. In order to advance the research in this field, prior work should be comparable and reproducible. However, we identified a research gap for this aspect; publicly available datasets for container security are sparse and reproducibility of the research output so far is arduous. In this study, we share a dataset consisting of network flows, collected from a Kubernetes cluster. Furthermore, we performed a preliminary analysis on the data as a sanity check to evaluate its quality. By sharing this dataset publicly, we hope to help further studies and establish benchmarks in the field of container networking security.
... Containers are lightweight and portable abstractions that contain the binary of an application, as well as the necessary and sufficient minimal dependencies to run them. Using containers to deploy software on the cloud has replaced bare metal installations as the industry standard [1] due to microservice-based architecture's demand for scalable and lightweight computation environments. Companies such as Amazon, Netflix, Spotify and Twitter use microservices architecture in their products [2], which is becoming increasingly commonplace in many enterprise systems. ...
The rising use of microservice-based software deployment on the cloud leverages containerized software extensively. The security of applications running inside containers, as well as the container environment itself, are critical for infrastructure in cloud settings and 5G. To address security concerns, research efforts have been focused on container security with subfields such as intrusion detection, malware detection and container placement strategies. These security efforts are roughly divided into two categories: rule-based approaches and machine learning that can respond to novel threats. In this study, we survey the container security literature focusing on approaches that leverage machine learning to address security challenges.
... Containers are lightweight and portable abstractions that contain the binary of an application as well as the necessary and sufficient minimal dependencies to run them. Using containers to deploy software on the cloud has replaced the bare metal installations as the industry standard [1] due to microservices based architecture's demand for scalable and lightweight computation environments. Companies such as Amazon, Netflix, Spotify and Twitter are using microservices architecture in their products [2]. ...
The rising use of microservices based software deployment on the cloud leverages containerized software extensively. The security of applications running inside containers as well as the container environment itself are critical infrastructure in the cloud setting and 5G. To address the security concerns, research efforts have been focused on container security with subfields such as intrusion detection, malware detection and container placement strategies. These security efforts are roughly divided into two categories: rule based approaches and machine learning that can respond to novel threats. In this study, we have surveyed the container security literature focusing on approaches that leverage machine learning to address security challenges.
... Another emerging aspect is that of energy efficiency [13,14], a strategy applied by a specific set of schedulers among the wider group of topology-aware [15] and hardware-aware schedulers. Examples of the latter are a GPU-aware scheduler making use of historic pod executions to speed up calculations [16] and an Intel SGX-aware scheduler [17]. Another crucial aspect focuses on the real-time utilization of node resources to schedule workloads [18]. ...
A group of organizations wishing to collaborate urgently, for example in case of a crisis, need to have a way to quickly deploy applications which enable them to speed up a potentially crisis-resolving decision-making process. A cross-organizational Kubernetes cluster, which is orchestrated by a central operator, allows these deployments to be initiated in an ad hoc way. Performance issues may however arise at runtime; for example, a video pipeline belonging to a CCTV camera may produce too low a number of frames per second. The ad hoc cross-organizational collaboration case is especially prone to such issues as the set of candidate nodes and the environment in which they run may not be fully known to the operator. This article therefore motivates and describes the usage of a probe swarm architecture, which allows the operator to quickly generate an overview of the resource capabilities of a set of nodes, by executing code fragments locally. The obtained measurements can then enable the operator to decide on rescheduling operations. Evaluation of an illustrative probe swarm intervention shows that the performance of an example application could improve by a factor of five, ten or a hundred when the pod is rescheduled. This indicates that the proposed probe swarm architecture may complement other performance bottleneck detection techniques to improve the performance of applications that need to be deployed urgently.