Show simple item record

dc.contributor.author: Shen, Zhiming
dc.date.accessioned: 2018-10-03T19:27:58Z
dc.date.available: 2018-10-03T19:27:58Z
dc.date.issued: 2017-12-30
dc.identifier.other: Shen_cornellgrad_0058F_10690
dc.identifier.other: http://dissertations.umi.com/cornellgrad:10690
dc.identifier.other: bibid: 10474230
dc.identifier.uri: https://hdl.handle.net/1813/59127
dc.description.abstract: Cloud computing infrastructures serving mutually untrusted users provide security isolation to protect user computation and resources. Additionally, clouds should also support flexibility and efficiency, so that users can customize resource management policies and optimize performance and resource utilization. However, flexibility and efficiency are typically limited by security requirements. This dissertation investigates the question of how to offer flexibility and efficiency as well as strong security in cloud infrastructures. Specifically, this dissertation addresses two important platforms in cloud infrastructures: the containers platform and the Infrastructure as a Service (IaaS) platform. The containers platform supports efficient container provisioning and execution, but does not provide sufficient security and flexibility. Different containers share an operating system kernel, which has a large attack surface, and kernel customization is generally not allowed. The IaaS platform supports secure sharing of cloud resources among mutually untrusted users, but does not provide sufficient flexibility and efficiency. Many powerful management primitives enabled by the underlying virtualization platform, such as live virtual machine migration and consolidation, are hidden from users. The main contribution of this dissertation is the proposal of an approach inspired by the exokernel architecture that can be generalized to any multi-tenant system to improve security, flexibility, and efficiency. This approach is called the exokernel approach: a principle of separating protection and management. By separating protection and management, the protection layer can focus on security isolation and resource multiplexing, making security guarantees easier to maintain and verify. Resource management components are dedicated to each user or application for customization and optimization, greatly improving flexibility and efficiency.
We investigate the effectiveness of this approach by applying it to the containers and IaaS platforms, and introduce X-Containers and Library Cloud. X-Containers is a new exokernel+LibOS architecture that is fully compatible with Linux containers and provides competitive or superior performance to native Docker containers as well as other LibOS designs. Library Cloud is a new abstraction that enables more flexible and efficient user-level cloud resource management without breaking security isolation between different users. Together, these systems represent important steps towards secure, flexible, and efficient cloud infrastructures.
dc.language.iso: en_US
dc.subject: cloud computing
dc.subject: container
dc.subject: exokernel
dc.subject: Library Cloud
dc.subject: Supercloud
dc.subject: X-Container
dc.subject: Computer science
dc.title: Separating Protection and Management in Cloud Infrastructures
dc.type: dissertation or thesis
thesis.degree.discipline: Computer Science
thesis.degree.grantor: Cornell University
thesis.degree.level: Doctor of Philosophy
thesis.degree.name: Ph. D., Computer Science
dc.contributor.chair: Van Renesse, Robbert
dc.contributor.committeeMember: Myers, Andrew C.
dc.contributor.committeeMember: Weatherspoon, Hakim
dc.contributor.committeeMember: Mankad, Shawn Pankaj
dcterms.license: https://hdl.handle.net/1813/59810
dc.identifier.doi: https://doi.org/10.7298/X44X5606
