Open Access. Powered by Scholars. Published by Universities.®
Physical Sciences and Mathematics Commons™
Full-Text Articles in Physical Sciences and Mathematics
Optimal Management Of Virtual Infrastructures Under Flexible Cloud Service Agreements, Zhiling Guo, Jin Li, Ram Ramesh
Research Collection School Of Computing and Information Systems
A cloud service agreement entails the provisioning of a required set of virtual infrastructure resources at a specified level of availability to a client. The agreement also lays out the price charged to the client and a penalty to the provider when the assured availability is not met. The availability assurance involves backup resource provisioning, and the provider needs to allocate backups cost-effectively by balancing the resource-provisioning costs with the potential penalty costs. We develop stochastic dynamic optimization models of the backup resource-provisioning problem, leading to cost-effective resource-management policies in different practical settings. We present two sets of dynamic provisioning …
Practical And Effective Sandboxing For Linux Containers, Zhiyuan Wan, David Lo, Xin Xia, Liang Cai
Research Collection School Of Computing and Information Systems
A container is a group of processes isolated from other groups via distinct kernel namespaces and resource allocation quota. Attacks against containers often leverage kernel exploits through the system call interface. In this paper, we present an approach that mines sandboxes and enables fine-grained sandbox enforcement for containers. We first explore the behavior of a container by running test cases and monitor the accessed system calls including types and arguments during testing. We then characterize the types and arguments of system call invocations and translate them into sandbox rules for the container. The mined sandbox restricts the container’s access to …