Marc X. Makkes

Intercloud Architecture for interoperability and integration

This paper presents on-going research to develop the Intercloud Architecture Framework (ICAF) that addresses problems in multi-provider multi-domain heterogeneous cloud based infrastructure services and applications integration and interoperability. The paper refers to existing standards in Cloud Computing, in particular, recently published NIST Cloud Computing Reference Architecture (CCRA). The proposed ICAF defines four complementary components addressing Intercloud integration and interoperability: multilayer Cloud Services Model that combines commonly adopted cloud service models, such as IaaS, PaaS, SaaS, in one multilayer model with corresponding inter-layer interfaces; Intercloud Control and Management Plane that supports cloud based applications interaction; Intercloud Federation Framework, and Intercloud Operation Framework. The paper briefly describes the architectural framework for cloud based infrastructure services provisioned on-demand being developed in the framework of the GEYSERS project that is used as a basis for building multilayer cloud services integration framework that allows optimized provisioning of both computing, storage and networking resources. The proposed architecture is intended to provide an architectural model for developing Intercloud middleware and in this way will facilitate clouds interoperability and integration.

Multi-data-types interval decision diagrams for XACML evaluation engine

XACML policy evaluation efficiency is an important factor influencing the overall system performance, especially when the number of policies grows. Some existing approaches on high performance XACML policy evaluation can support simple policies with equality comparisons and handle requests with well defined conditions. Such mechanisms do not provide the semantic correctness of combining algorithms in cases with indeterminate and not-applicable states. They ignore the critical attribute setting, a mandatory property in XACML, leading to potential missing attribute attacks. In this paper, we present a solution using data interval partition aggregation together with new decision diagram combinations, that not only optimizes the performance but also provides correctness and completeness of XACML 3.0 features, including complex logical expressions, correctness in indeterminate states processing, critical attribute setting, obligations and advices as well as complex comparison functions for multiple data types.

Efficient implementation of the orlandi protocol

We present an efficient implementation of the Orlandi protocol which is the first implementation of a protocol for multiparty computation on arithmetic circuits, which is secure against up to n-1 static, active adversaries. An efficient implementation of an actively secure selftrust protocol enables a number of multiparty computation where one or more of the parties only trust himself. Examples includes auctions, negotiations, and online gaming. The efficiency of the implementation is largely obtained through an efficient implementation of the Paillier cryptosystem, also described in this paper.

A decision framework for placement of applications in clouds that minimizes their carbon footprint

Cloud computing gives users much freedom on where they host their computation and storage. However the CO2 emission of a job depends on the location and the energy efficiency of the data centers where it is run. We developed a decision framework that determines to move computation with accompanying data from a local to a greener remote data center for lower CO2 emissions. The model underlying the framework accounts for the energy consumption at the local and remote sites, as well as of networks among them. We showed that the type of network connecting the two sites has a significant impact on the total CO2 emission. Furthermore, the task’s complexity is a factor in deciding when and where to move computation.

Hardware Trojan Side-Channels Based on Physical Unclonable Functions

The separation design and fabrication process in the semiconductor industry leads to potential threats such as trojan side-channels (TSCs). In this paper we design a new family of TSCs from physical unclonable functions (PUFs). In particular, a dedicated attack on the PRESENT block cipher is described by using our PUF-based TSCs. Finally we analyze the performance of our PUF-based TSCs and discuss other potential applications.

MeTRO: Low latency network paths with routers-on-demand

The current Internet is a loose federation of independent providers (ISPs) That manually manage inter-domain (ASes) route policies To primarily serve Their own interests. The end-user experience may be hindered by Two aspects: The ASes only optimize locally, possibly delivering sub-optimal end-To-end connections; The manual management of routing policies for a large amount of prefixes is error-prone. Infrastructure as a Service (IaaS) clouds let users allocate compute resources on demand, at different geographical locations, while Internet connectivity is guaranteed. Therefore, cloud providers represent untapped resources for a better end-user (application) Internet connectivity experience. In This work we present MeTRO, a framework To construct better Than best-effort routed Internet paths. Our method exploits The fact That cloud computer resources may host virtual routers and That one such router can be part of a path between Two end systems. We perform an extensive evaluation of our method, by deploying it over 75 NLNOG Ring hosts. We show That our method, practically acting as an overlay network, decreases The latency in 58% of The cases studied, albeit increasing The number of hops. Our framework is specifically useful for monitoring and debugging failures, as well as configuration errors related To Internet reachability.

Bringing secure Bitcoin transactions to your smartphone

To preserve the Bitcoin ledgers integrity, a node that joins the system must download a full copy of the entire Bitcoin blockchain if it wants to verify newly created blocks. At the time of writing, the blockchain weights 79 GiB and takes hours of processing on high-end machines. Owners of low-resource devices (known as thin nodes), such as smart-phones, avoid that cost by either opting for minimum verification or by depending on full nodes, which weakens their security model. In this work, we propose to harden the security model of thin nodes by enabling them to verify blocks in an adaptive manner, with regards to the level of targeted confidence, with low storage requirements and a short bootstrap time. Our approach exploits sharding within a distributed hash table (DHT) to distribute the storage load, and a few additional hashes to prevent attacks on this new system.

Deployment Strategies for Distributed Applications on Cloud Computing Infrastructures

Cloud computing enables on-demand access to a shared pool of IT resources. In the case of Infrastructure as a Service (IaaS), the cloud user typically acquires Virtual Machines (VMs) from the provider. It is up to the user to decide at what time and for how long they want to use these VMs. Because of the pay-per-use nature of most clouds, there is a strong incentive to use as few resources as possible and release them quickly when they are no longer needed. Every step of the deployment process, i.e., acquiring VMs, creating network links, and installing, configuring and starting software components on them, should therefore be as fast as possible. The amount of time the deployment process takes can be influenced by the user by performing some steps in parallel or using timing knowledge of previous deployments. This paper presents four different strategies for deploying applications on cloud computing infrastructures. Performance measurements of application deployments on three public IaaS clouds are used to show the speed differences between these strategies.

Flowchart description of security primitives for controlled physical unclonable functions

Physical Unclonable Functions (PUFs) are physical objects that are unique, practically unclonable and that behave like a random function when subjected to a challenge. Their use has been proposed for authentication tokens and anti-counterfeiting. A Controlled PUF (CPUF) consists of a PUF and a control layer that restricts a user’s access to the PUF input and output. CPUFs can be used for secure key storage, authentication, certified execution of programs, and certified measurements. In this paper we modify a number of protocols involving CPUFs in order to improve their security. Our modifications mainly consist of encryption of a larger portion of the message traffic, and additional restrictions on the CPUF accessibility which prevents some denial of service attacks. We simplify the description of CPUF protocols by using flowchart notation. Furthermore we explicitly show how the helper data for the PUFs is handled.

Kea: A Computation Offloading System for Smartphone Sensor Data

Nowadays smartphones are equipped with many sensors which applications can continuously invoke to acquire real-time sensor information, such as GPS tracking. Due to the resource-constrained nature of the smartphones, it is often beneficial if the processing of the sensor data is offloaded to a remote resource. However, the decision to offload the computation depends on a multitude of factors such as the hardware capabilities of the phone, the communication energy and latency and the characteristics of the stream computations, e.g., window size, sensor frequency and operational complexity.In this paper we introduce Kea, a profiling-based computation offloading system that automatically decides whether offloading is beneficial for smartphones. The decision making is based on two criteria: the power consumption of the application and the elapsed time for processing the sensor data. Our evaluation results show that unexpected factors such as CPU frequency scaling and the network state also influence the decision-making process. In addition, we show that Keas profiling overhead is negligible.