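To promote scientific fertilization techniques more efficiently, a touch-screen fertilization consulting system based on ArcGIS Runtime for WPF was developed and integrated. By using a technique that efficiently generates high-definition offline multi-level tile-cache map packages from existing tile imagery, together with fertilization plans based on an expert knowledge base, the system lowers the barrier for users and improves the user experience, making the full-scale promotion of soil-testing-based formula fertilization at the grassroots level more feasible.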
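In recent years, the traditional field survey and annotation mode has gradually shifted toward an integrated office-and-field mode. Building on an integrated office-and-field system for national geographic conditions, this paper focuses on ESRI's key offline editing techniques and describes the offline editing functions implemented with ArcGIS Runtime SDK for Android. Taking the polygon reshaping algorithm as an example, common field editing tasks are implemented on top of fine-grained geometry editing.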
Abstract: Runtime systems play an important role in parallel programming and parallel compilation. In this paper, goals and key techniques of runtime systems are presented. And some experiences and its trend are given in the end.
Funding: the National Defence Foundation of China (Grant No. 10104010201)
Abstract: Reflective real-time component model is a special component model, which can identify timing constraint characteristics of component and support dynamic design-time amendment of real-time component according to users' requirements. The reflective real-time component runtime environment is a bearing space and reflective infrastructure for this special component model. It consists of three parts and manages the lifecycle and various relevant services of reflective real-time component. In this paper its mechanism and relevant key techniques in design and realization are formally specified with the communicating sequential processing (CSP) and the extended timed communicating sequential processing (TCSP). Finally a prototype is established. Experimental study shows that this runtime environment can introduce a relevant reflective infrastructure guaranteeing dynamic and real-time features of software component.
Abstract: Web applications represent one of the principal vehicles by which attackers gain access to an organization’s network or resources. Thus, different approaches to protect web applications have been proposed to date. Of them, the two major approaches are Web Application Firewalls (WAF) and Runtime Application Self Protection (RASP). It is, thus, essential to understand the differences and relative effectiveness of both these approaches for effective decision-making regarding the security of web applications. Here we present a comparative study between WAF and RASP simulated settings, with the aim to compare their effectiveness and efficiency against different categories of attacks. For this, we used computation of different metrics and sorted their results using F-Score index. We found that RASP tools scored better than WAF tools. In this study, we also developed a new experimental methodology for the objective evaluation of web protection tools since, to the best of our knowledge, no method specifically evaluates web protection tools.
Funding: supported by the Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korea Government (MSIT) (No. 2020-0-00952, Development of 5G edge security technology for ensuring 5G+ service stability and availability, 50%) and the Institute of Information and Communications Technology Planning and Evaluation (IITP) grant funded by the MSIT (Ministry of Science and ICT), Korea (No. IITP-2023-2020-0-01602, ITRC (Information Technology Research Center) support program, 50%).
Abstract: Containerization is a fundamental component of modern cloud-native infrastructure, and Kubernetes is a prominent platform of container orchestration systems. However, containerization raises significant security concerns due to the nature of sharing a kernel among multiple containers, which can lead to container breakout or privilege escalation. Kubernetes cannot avoid it as well. While various tools, such as container image scanning and configuration checking, can mitigate container workload vulnerabilities, these are not foolproof and cannot guarantee perfect isolation or prevent every active threat in runtime. As such, a policy enforcement solution is required to tackle the problem, and existing solutions based on LSM (Linux Security Module) frameworks may not be adequate for some situations. To address this, we propose an enforcement system based on BPF-LSM, which leverages eBPF (extended Berkeley Packet Filter) technology to provide fine-grained control and dynamic adoption of security policies. In this paper, we compare different LSM implementations to highlight the challenges of current enforcement solutions before detailing the design of our eBPF-based Kubernetes Runtime Instrumentation and Enforcement System (KRSIE). Finally, we evaluate the effectiveness of our system using a real-world scenario, as measuring the performance of a policy enforcement system is a complex task. Our results show that KRSIE can successfully control containers’ behaviors using LSM hooks at container runtime, offering improved container security for cloud-native infrastructure.
Abstract: To quickly customize and develop intelligent campus internet of things (ICIOT) systems more efficiently, in this paper an approach based on runtime models to managing intelligent campus wireless sensor networks is proposed. Firstly, manageability of intelligent campus wireless sensors is abstracted as runtime models which automatically and immediately propagate any observable runtime changes of target resources to corresponding architecture models. Then, a composite model of intelligent campus wireless sensors is constructed through merging their runtime models in order to manage different kinds of devices in a unified way. Finally, a customized model is constructed according to the personalized management requirement and the synchronization between the customized model and the composite model is ensured through model transformation. Thus, all the management tasks can be carried through executing operating programs on the customized model. Experiments conducted in part of a school's teaching area show that, compared with the traditional method, this method manages campus facilities more effectively and in a more energy-efficient and orderly way, reaching a 16.7% energy saving.
Funding: supported in part by the Intelligent Policing and National Security Risk Management Laboratory 2023 Opening Project (No. ZHKFYB2304); the Fundamental Research Funds for the Central Universities (Nos. SCU2023D008, 2023SCU12129); the Natural Science Foundation of Sichuan Province (No. 2024NSFSC1449); the Science and Engineering Connotation Development Project of Sichuan University (No. 2020SCUNG129); and the Key Laboratory of Data Protection and Intelligent Management (Sichuan University), Ministry of Education.
Abstract: The security performance of cloud services is a key factor influencing users’ selection of Cloud Service Providers (CSPs). Continuous monitoring of the security status of cloud services is critical. However, existing research lacks a practical framework for such ongoing monitoring. To address this gap, this paper proposes the first NonCollaborative Container-Based Cloud Service Operation State Continuous Monitoring Framework (NCCMF), based on relevant standards. NCCMF operates without the CSP’s collaboration by: 1) establishing a scalable supervisory index system through the identification of security responsibilities for each role, and 2) designing a Continuous Metrics Supervision Protocol (CMA) to automate the negotiation of supervisory metrics. The framework also outlines the supervision process for cloud services across different deployment models. Experimental results demonstrate that NCCMF effectively monitors the operational state of two real-world IoT (Internet of Things) cloud services, with an average supervision error of less than 15%.
Abstract: Dynamic optimization relies on runtime profile information to improve the performance of program execution. Traditional profiling techniques incur significant overhead and are not suitable for dynamic optimization. In this paper, a new profiling technique is proposed that incorporates the strength of both software and hardware to achieve near-zero overhead profiling. The compiler passes profiling requests as a few bits of information in branch instructions to the hardware, and the processor executes profiling operations asynchronously in available free slots or on dedicated hardware. The compiler instrumentation of this technique is implemented using an Itanium research compiler. The result shows that the accurate block profiling incurs very little overhead to the user program in terms of the program scheduling cycles. For example, the average overhead is 0.6% for the SPECint95 benchmarks. The hardware support required for the new profiling is practical. The technique is extended to collect edge profiles for continuous phase transition detection. It is believed that the hardware-software collaborative scheme will enable many profile-driven dynamic optimizations for EPIC processors such as the Itanium processors.
Funding: supported by the National Natural Science Foundation of China under Grant Nos. 60673112, 90718033; the National Basic Research 973 Program of China under Grant No. 2009CB320704; and the High-Tech Research and Development 863 Program of China under Grant Nos. 2006AA01Z19B, 2007AA010301.
Abstract: The execution of composite Web services with WS-BPEL relies on externally autonomous Web services. This implies the need to constantly monitor the running behavior of the involved parties. Moreover, monitoring the execution of composite Web services for particular patterns is critical to enhance the reliability of the processes. In this paper, we propose an aspect-oriented framework as a solution to provide monitoring and recovery support for composite Web services. In particular, this framework includes 1) a stateful aspect based template, where history-based pointcut specifies patterns of interest cannot be violated within a range, while advice specifies the associated recovery action; 2) a tool support for runtime monitoring and recovery based on aspect-oriented execution environment. Our experiments indicate that the proposed monitoring approach incurs minimal overhead and is efficient.
Abstract: The internet of things (IoT) attracts great interest in many application domains concerned with monitoring and control of physical phenomena. However, application development is still one of the main hurdles to a wide adoption of IoT technology. Application development is done at a low level, very close to the operating system and requires programmers to focus on low-level system issues. The underlying APIs can be very complicated and the amount of data collected can be huge. This can be very hard to deal with as a developer. In this paper, we present a runtime model based approach to IoT application development. First, the manageability of sensor devices is abstracted as runtime models that are automatically connected with the corresponding systems. Second, a customized model is constructed according to a personalized application scenario and the synchronization between the customized model and sensor device runtime models is ensured through model transformation. Thus, all the application logic can be carried out by executing programs on the customized model. An experiment on a real-world application scenario demonstrates the feasibility, effectiveness, and benefits of the new approach to IoT application development.
Funding: National Key Research and Development Program of China (2016YFB1000503); the National Natural Science Foundation of China (Grant Nos. 61133004, 61361126011, 61502019, 61732002, 61373081, 61772322); China Postdoctoral Science Foundation (2017M622263); Natural Science Foundation of Shandong Province (ZR2015PF006).
Abstract: Workload consolidation is a common method to improve the resource utilization in clusters or data centers. In order to achieve efficient workload consolidation, the runtime characteristics of a program should be taken into consideration in scheduling. In this paper, we propose a novel index system for efficiently describing the program runtime characteristics. With the help of this index system, programs can be classified by the following runtime characteristics: 1) dependence to multi-dimensional resources including CPU, disk I/O, memory and network I/O; and 2) impact and vulnerability to resource sharing embodied by resource usage and resource sensitivity. In order to verify the effectiveness of this novel index system in workload consolidation, a scheduling strategy, Sche-index, using the new index system for workload consolidation is proposed. Experiment results show that compared with traditional least-loaded scheduling strategy, Sche-index can improve both program performance and system resource utilization significantly.
Funding: supported by the Sino-European LIAMA Laboratory and by the INRIA Sophia Antipolis Research Center.
Abstract: We present a method and a tool for the verification of causal and temporal properties for embedded systems. We analyze trace streams resulting from the execution of virtual prototypes that combine simulated hardware and embedded software. The main originality lies in the use of logical clocks to abstract away irrelevant information from the trace. We propose a model-based approach that relies on domain specific languages (DSL). A first DSL, called TISL (trace item specification language), captures the relevant data structures. A second DSL, called STML (simulation trace mapping language), abstracts the simulation raw data into logical clocks, abstracting simulation data into relevant observation probes and thus reducing the trace streams size. The third DSL, called TPSL, defines a set of behavioral patterns that include widely used temporal properties. This is meant for users who are not familiar with temporal logics. Each pattern is transformed into an automaton. All the automata are executed concurrently and each one raises an error if and when the related TPSL property is violated. The contribution is the integration of this pattern-based property specification language into the SimSoC virtual prototyping framework without requiring to recompile all the simulation models when the properties evolve. We illustrate our approach with experiments that show the possibility to use multi-core platforms to parallelize the simulation and verification processes, thus reducing the verification time.
Funding: the National Natural Science Foundation of China under Grant Nos. 60673146, 60603049, 60736012, and 60703017; the National High Technology Development 863 Program of China under Grant No. 2006AA010201 and No. 2007AA01Z114; and the National Basic Research Program of China under Grant No. 2005CB321601.
Abstract: Stride prefetching is recognized as an important technique to improve memory access performance. The prior work usually profiles and/or analyzes the program behavior offline, and uses the identified stride patterns to guide the compilation process by injecting the prefetch instructions at appropriate places. There are some researches trying to enable stride prefetching in runtime systems with online profiling, but they either cannot discover cross-procedural prefetch opportunity, or require special supports in hardware or garbage collection. In this paper, we present a prefetch engine for JVM (Java Virtual Machine). It firstly identifies the candidate load operations during just-in-time (JIT) compilation, and then instruments the compiled code to profile the addresses of those loads. The runtime profile is collected in a trace buffer, which triggers a prefetch controller upon a protection fault. The prefetch controller analyzes the trace to discover any stride patterns, then modifies the compiled code to inject the prefetch instructions in place of the instrumentations. One of the major advantages of this engine is that it can detect striding loads in any virtual code places for both regular and irregular code, not being limited with plain loop or procedure scopes. Actually we found the cross-procedural patterns take about 30% of all the prefetchings in the representative Java benchmarks. Another major advantage of the engine is that it has runtime overhead much smaller (the maximal is less than 4.0%) than the benefits it brings. Our evaluation with Apache Harmony JVM shows that the engine can achieve an average 6.2% speed-up with SPECJVM98 and DaCapo on Intel Pentium 4 platform, in spite of the runtime overhead.