Isolation in the Era of Microservices

Overview

There has been a dramatic transformation of IT infrastructure in the past decade with the adoption of cloud computing, where processes that used to run on-site at a company are now running in data centers on hardware shared with other customers. This migration to the cloud encompasses computing, storage, and networking. Using hosted infrastructure increases the velocity of deployments, as it allows for rapid up- and down-scaling of systems.

Recently, there has been a proliferation of deployment technologies that trade off isolation against cost/performance/efficiency. While many cloud platforms started by offering complete virtual machines, containers and serverless computing, which provide less isolation but also less overhead and greater performance, have more recently become popular. Alongside this, there has been a trend in software to decompose large applications into smaller microservices or lambda functions that can be written and deployed independently; importantly, each function or component can be scaled or failed over independently as well. While the move to microservices started with compute, network functions virtualization has shown that networking functionality can also benefit from the same decomposition into lighter-weight services. Similar to the move to the cloud, microservices increase development and deployment velocity, cost-efficiency, and availability (via component elasticity and failover).

This project addresses two fundamental issues that arise in securing microservices-based applications in modern cloud environments: how to accommodate the inherent tension between isolation and performance/cost/efficiency; and how to ensure that microservices-based implementations are equivalent to their monolithic counterparts under dynamics.

Current Research

Serverless Security

We surveyed open-source serverless applications and identified several common design patterns that could be leveraged to improve serverless security. Our key insights are that (a) the state externalization of serverless functions can be monitored for anomalies, as the functions are stateless by definition; (b) given that an application is decomposed into dedicated-task functions, we can model each function individually and construct a global view of the application; and (c) decomposing an application gives us opportunities to enforce customized policies for each component.

Inspired by the insights from our survey, we designed a novel serverless security framework that we call SecLambda. More details regarding our survey and SecLambda can be found here.

Storage Isolation

To provide effective performance isolation for storage accesses across competing entities, we must understand the performance characteristics of the underlying storage device. Through a set of detailed microbenchmarks, we have begun to characterize the properties of the Optane SSD that matter for obtaining high performance and performance isolation. Another challenge with leveraging low-latency storage devices is removing software from the critical path.

To address this problem, we have begun to develop a new architecture, file systems as processes (FSPs), which enable a true direct-access file system as a user-level process. More details regarding FSP can be found here.

Network Functions Virtualization

Network Functions Virtualization (NFV) vastly improves network management. It allows operators to implement rich security and access control policies using NF chains. Operators can overcome NF failure and performance issues by spinning up additional instances and dynamically redistributing traffic. To enforce policies correctly, NFV must provide chain output equivalence (COE): given an input packet stream, at any point in time, the collective action taken by all NF instances in an NFV chain must match that taken by a hypothetical equivalent chain of single NFs that have infinite capacity and are always available.

We develop a new NFV framework known as CHC ("correct, high-performance chains"), which overcomes the drawbacks of existing solutions and provides COE. More details regarding CHC can be found here.
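The COE definition above can be checked mechanically on a toy chain. The following is an added illustration, not code from CHC or from this project: the `ScanDetector` NF, its threshold, the round-robin load balancer and the packet stream are all assumptions constructed for the example. It compares a scaled-out deployment against the single always-available reference NF and reports the first packet where their actions diverge.

```python
from collections import defaultdict

# Constructed packet stream of (source IP, destination port); not real traffic.
PACKETS = [("10.0.0.5", p) for p in (22, 23, 80, 443, 8080, 3389)]
PACKETS += [("10.0.0.9", 443), ("10.0.0.9", 443)]
THRESHOLD = 4  # hypothetical policy: block a source after 4 distinct ports


class ScanDetector:
    """Hypothetical stateful NF: drops a source once it has probed THRESHOLD ports."""

    def __init__(self, state=None):
        # source -> set of ports seen; a passed-in dict is shared between instances
        self.ports = state if state is not None else defaultdict(set)

    def process(self, src, dport):
        self.ports[src].add(dport)
        return "drop" if len(self.ports[src]) >= THRESHOLD else "forward"


def reference_chain(packets):
    """The hypothetical single NF with infinite capacity: it sees every packet."""
    nf = ScanDetector()
    return [nf.process(src, dport) for src, dport in packets]


def scaled_chain(packets, instances):
    """Round-robin redistribution of traffic across instances after a scale-out."""
    return [instances[i % len(instances)].process(src, dport)
            for i, (src, dport) in enumerate(packets)]


def first_divergence(expected, actual):
    """Index of the first packet whose action differs, or None if COE holds."""
    diffs = (i for i, (e, a) in enumerate(zip(expected, actual)) if e != a)
    return next(diffs, None)


def run():
    ref = reference_chain(PACKETS)
    private = scaled_chain(PACKETS, [ScanDetector(), ScanDetector()])
    state = defaultdict(set)  # one store behind both instances (sequential toy model)
    shared = scaled_chain(PACKETS, [ScanDetector(state), ScanDetector(state)])
    return ref, first_divergence(ref, private), first_divergence(ref, shared)


if __name__ == "__main__":
    print(run())
```

With per-instance state each detector sees only half of the scan, so the scanning source is never dropped and the policy silently fails; with one state store behind both instances the output matches the reference chain on this stream.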

Acknowledgments. This project is supported by NSF.