Containerization is a fundamental component of modern cloud-native infrastructure, and Kubernetes is the prominent container orchestration platform. However, containerization raises significant security concerns because multiple containers share one kernel, which can lead to container breakout or privilege escalation; Kubernetes is no exception. While tools such as container image scanning and configuration checking can mitigate container workload vulnerabilities, they are not foolproof: they can neither guarantee perfect isolation nor stop every active threat at runtime. A policy enforcement solution is therefore required, and existing solutions based on LSM (Linux Security Module) frameworks may not be adequate in some situations. To address this, we propose an enforcement system based on BPF-LSM, which leverages eBPF (extended Berkeley Packet Filter) technology to provide fine-grained control and dynamic adoption of security policies. In this paper, we compare different LSM implementations to highlight the challenges of current enforcement solutions before detailing the design of our eBPF-based Kubernetes Runtime Instrumentation and Enforcement System (KRSIE). Finally, because measuring the performance of a policy enforcement system is a complex task, we evaluate the effectiveness of our system using a real-world scenario. Our results show that KRSIE can successfully control containers' behaviour using LSM hooks at container runtime, offering improved container security for cloud-native infrastructure.
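To make the enforcement model in this abstract concrete, the following is an added, constructed user-space model of how a BPF-LSM policy decision is typically structured; it is not KRSIE's code and the policy, hook names in use, cgroup ids and paths are assumptions for illustration. In a real deployment the decision runs inside a BPF program attached to LSM hooks such as file_open, bprm_check_security and socket_connect, which looks up the calling task's cgroup id (bpf_get_current_cgroup_id) in a BPF map holding per-container policy and returns -EPERM to deny; replacing a map entry is what lets a policy change take effect without restarting the pod. The model reproduces that lookup, the enforce/audit distinction and the live policy swap so the semantics can be exercised without a kernel.

```python
"""Constructed model of a per-container BPF-LSM policy engine (not KRSIE's code)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

EPERM = 1  # an LSM hook denies by returning -EPERM


@dataclass
class HookPolicy:
    allow: List[str]          # glob patterns permitted for this hook
    mode: str = "enforce"     # "enforce" denies; "audit" only records the violation


@dataclass
class ContainerPolicy:
    hooks: Dict[str, HookPolicy] = field(default_factory=dict)


@dataclass
class Event:
    cgroup_id: int   # what bpf_get_current_cgroup_id() would return for the caller
    hook: str        # LSM hook name: file_open, bprm_check_security, socket_connect
    target: str      # path for file hooks, "ip:port" for socket_connect


class PolicyEngine:
    def __init__(self) -> None:
        # Models the BPF map keyed by cgroup id that the kernel program reads.
        self.policies: Dict[int, ContainerPolicy] = {}
        self.audit_log: List[str] = []

    def load_policy(self, cgroup_id: int, policy: ContainerPolicy) -> None:
        # Replacing the map entry swaps the policy for the next event, no restart needed.
        self.policies[cgroup_id] = policy

    def check(self, ev: Event) -> int:
        """Return 0 to allow or -EPERM to deny, as the LSM hook would."""
        policy = self.policies.get(ev.cgroup_id)
        if policy is None:
            return 0  # unconfined container: the hook passes through
        hp = policy.hooks.get(ev.hook)
        if hp is None:
            return 0  # hook not covered by this container's policy (assumption: allow)
        if any(fnmatchcase(ev.target, pat) for pat in hp.allow):
            return 0
        self.audit_log.append(
            f"cgroup={ev.cgroup_id} hook={ev.hook} target={ev.target} mode={hp.mode}")
        return 0 if hp.mode == "audit" else -EPERM


def demo() -> Tuple[Dict[str, int], List[str]]:
    """Constructed scenario: a web container (cgroup 4242) with a default-deny policy."""
    engine = PolicyEngine()
    web = ContainerPolicy(hooks={
        "bprm_check_security": HookPolicy(allow=["/usr/sbin/nginx", "/bin/sh"]),
        "file_open": HookPolicy(allow=["/etc/nginx/*", "/var/www/*", "/proc/self/*"]),
        "socket_connect": HookPolicy(allow=["10.0.0.*:5432"], mode="audit"),
    })
    engine.load_policy(4242, web)
    results = {
        "exec_nginx": engine.check(Event(4242, "bprm_check_security", "/usr/sbin/nginx")),
        "exec_curl": engine.check(Event(4242, "bprm_check_security", "/usr/bin/curl")),
        "open_shadow": engine.check(Event(4242, "file_open", "/etc/shadow")),
        "open_conf": engine.check(Event(4242, "file_open", "/etc/nginx/nginx.conf")),
        "connect_audit": engine.check(Event(4242, "socket_connect", "203.0.113.7:4444")),
        "other_container": engine.check(Event(9999, "file_open", "/etc/shadow")),
    }
    # Live policy change: tighten socket_connect from audit to enforce by replacing the entry.
    tightened = ContainerPolicy(hooks=dict(web.hooks))
    tightened.hooks["socket_connect"] = HookPolicy(allow=["10.0.0.*:5432"], mode="enforce")
    engine.load_policy(4242, tightened)
    results["connect_enforced"] = engine.check(Event(4242, "socket_connect", "203.0.113.7:4444"))
    return results, engine.audit_log


if __name__ == "__main__":
    decisions, log = demo()
    for name, rc in decisions.items():
        print(f"{name:16s} -> {'allow' if rc == 0 else 'deny (-EPERM)'}")
    print("\n".join(log))
```

Note that the unconfined container (cgroup 9999) is allowed everything, which is the failure mode of any per-container policy scheme: a workload that never received a map entry is not enforced, so an operator needs a default entry or a check that every pod of interest has a policy loaded.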
The security performance of cloud services is a key factor influencing users' selection of Cloud Service Providers (CSPs), so continuous monitoring of the security status of cloud services is critical. However, existing research lacks a practical framework for such ongoing monitoring. To address this gap, this paper proposes the first Non-Collaborative Container-Based Cloud Service Operation State Continuous Monitoring Framework (NCCMF), based on relevant standards. NCCMF operates without the CSP's collaboration by: 1) establishing a scalable supervisory index system through the identification of security responsibilities for each role, and 2) designing a Continuous Metrics Supervision Protocol (CMA) to automate the negotiation of supervisory metrics. The framework also outlines the supervision process for cloud services across different deployment models. Experimental results demonstrate that NCCMF effectively monitors the operational state of two real-world IoT (Internet of Things) cloud services, with an average supervision error of less than 15%.
Web applications are one of the principal vehicles by which attackers gain access to an organization's network or resources, so different approaches to protecting them have been proposed. The two major approaches are Web Application Firewalls (WAF) and Runtime Application Self-Protection (RASP). It is therefore essential to understand the differences and relative effectiveness of the two approaches for effective decision-making about the security of web applications. Here we present a comparative study of WAF and RASP in simulated settings, with the aim of comparing their effectiveness and efficiency against different categories of attacks. For this, we computed different metrics and ranked the results using the F-score index. We found that RASP tools scored better than WAF tools. In this study we also developed a new experimental methodology for the objective evaluation of web protection tools since, to the best of our knowledge, no existing method specifically evaluates web protection tools.
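The abstract says the tools were compared by computing metrics per attack category and ranking with the F-score. The block below is an added example of that scoring step; it is not the paper's code and the outcome labels are constructed, not the paper's data. Each test request is recorded as TP (malicious, blocked), FN (malicious, passed), FP (benign, blocked) or TN (benign, passed); precision, recall, false-positive rate and F-beta are derived per tool and category, and tools are ranked by mean F-score. The example goes slightly beyond the text in exposing beta, so that a practitioner who weights missed attacks more heavily than blocked legitimate traffic can rank with F2 instead of F1.

```python
"""Constructed example: score web-protection tools per attack category and rank by F-score."""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed outcomes (not the paper's data). One token per test request.
OUTCOMES: Dict[str, Dict[str, str]] = {
    "WAF": {
        "sqli": "TP TP TP FN FN FP TN TN TN TN",
        "xss":  "TP TP FN FN FP TN TN TN TN TN",
        "cmdi": "TP FN FN FN TN TN TN TN TN TN",
    },
    "RASP": {
        "sqli": "TP TP TP TP FN TN TN TN TN TN",
        "xss":  "TP TP TP FN TN TN TN TN TN TN",
        "cmdi": "TP TP TP FN TN TN TN TN TN TN",
    },
}


def metrics(outcomes: str, beta: float = 1.0) -> Dict[str, float]:
    """Precision, recall, false-positive rate and F-beta for one tool/category run."""
    c = Counter(outcomes.split())
    tp, fp, fn, tn = c["TP"], c["FP"], c["FN"], c["TN"]
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    if precision + recall == 0:
        f_score = 0.0          # no true positives at all: avoid 0/0
    else:
        b2 = beta * beta
        f_score = (1 + b2) * precision * recall / (b2 * precision + recall)
    return {"precision": precision, "recall": recall, "fpr": fpr, "f_score": f_score}


def per_category(outcomes: Dict[str, Dict[str, str]] = OUTCOMES,
                 beta: float = 1.0) -> Dict[str, Dict[str, Dict[str, float]]]:
    """metrics() for every (tool, category) pair."""
    return {tool: {cat: metrics(run, beta) for cat, run in cats.items()}
            for tool, cats in outcomes.items()}


def rank_tools(outcomes: Dict[str, Dict[str, str]] = OUTCOMES,
               beta: float = 1.0) -> List[Tuple[str, float]]:
    """Mean F-score across categories, best tool first."""
    table = per_category(outcomes, beta)
    ranking = [(tool, sum(m["f_score"] for m in cats.values()) / len(cats))
               for tool, cats in table.items()]
    return sorted(ranking, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for tool, cats in per_category().items():
        for cat, m in cats.items():
            print(f"{tool:5s} {cat:5s} P={m['precision']:.2f} R={m['recall']:.2f} "
                  f"FPR={m['fpr']:.2f} F1={m['f_score']:.2f}")
    for tool, score in rank_tools():
        print(f"{tool}: mean F1 = {score:.3f}")
```

Ranking by F-score alone hides the false-positive rate, which for a WAF in blocking mode is what breaks production traffic; the per-category table keeps FPR visible next to the F-score for that reason.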
In order to promote scientific fertilization techniques more efficiently, a touch-screen fertilization consulting system integrating ArcGIS Runtime for WPF was developed. Using a technique that efficiently generates high-definition offline multi-level tile-cache map packages from existing tile imagery, together with fertilization plans drawn from an expert knowledge base, the system lowers the barrier for users and improves the user experience, making the comprehensive roll-out of soil-testing and formulated fertilization technology to grassroots users more feasible.
In recent years, the traditional field survey and mapping model has gradually shifted toward an integrated indoor/field workflow. Based on the integrated indoor/field system for the national geographic conditions survey, this paper focuses on ESRI's key offline-editing technology and describes the offline editing function implemented with the ArcGIS Runtime SDK for Android. Taking the polygon-reshaping algorithm as an example, common field-editing tasks are implemented on top of fine-grained geometry editing.
Runtime systems play an important role in parallel programming and parallel compilation. In this paper, the goals and key techniques of runtime systems are presented, and some experiences and trends are given at the end.
The reflective real-time component model is a special component model that can identify the timing-constraint characteristics of a component and supports dynamic design-time amendment of real-time components according to users' requirements. The reflective real-time component runtime environment is the hosting space and reflective infrastructure for this component model. It consists of three parts and manages the lifecycle and the relevant services of reflective real-time components. In this paper, its mechanism and the key techniques of its design and realization are formally specified with Communicating Sequential Processes (CSP) and its extension Timed CSP (TCSP). Finally, a prototype is established. Experimental study shows that this runtime environment provides a reflective infrastructure that guarantees the dynamic and real-time features of software components.
To customize and develop intelligent campus Internet of Things (ICIOT) systems more quickly and efficiently, this paper proposes an approach based on runtime models for managing intelligent campus wireless sensor networks. First, the manageability of intelligent campus wireless sensors is abstracted as runtime models, which automatically and immediately propagate any observable runtime change of the target resources to the corresponding architecture models. Then, a composite model of the intelligent campus wireless sensors is constructed by merging their runtime models, so that different kinds of devices can be managed in a unified way. Finally, a customized model is constructed according to the personalized management requirements, and synchronization between the customized model and the composite model is ensured through model transformation. Thus, all management tasks can be carried out by executing operating programs on the customized model. Experiments conducted in part of a school's teaching area show that, compared with the traditional method, this approach manages campus facilities more effectively and in a more energy-efficient and orderly way, achieving an energy saving of 16.7%.
Recently, a paper by Liang Ruichao (梁瑞超), a 2022 doctoral student in the research group of Professor Chen Jing (陈晶) at the School of Cyber Science and Engineering, Wuhan University, was accepted by the 46th IEEE/ACM International Conference on Software Engineering (ICSE 2024). The conference will be held in Lisbon, Portugal, from 14 to 20 April 2024. Liang Ruichao is the first author, Chen Jing is the corresponding author, and Wuhan University is the first affiliation. The paper, titled "PonziGuard: Detecting Ponzi Schemes on Ethereum with Contract Runtime Behavior Graph (CRBG)", was completed under the joint supervision of Professor Chen Jing, Professor Du Ruiying (杜瑞颖), Associate Researcher He Kun (何琨) and postdoctoral researcher Wu Cong (吴聪).
To address the difficulty of loading large pipeline databases on mobile devices, while also meeting survey requirements such as integrated indoor/field pipeline data collection and offline confidentiality, this paper designs and develops an offline Android application for pipeline field surveys based on the GPKG (GeoPackage) database and the ArcGIS Runtime API for Android development kit. By converting the database from MDB to GPKG, the software solves the problem of smoothly displaying pipeline maps from large databases; storing satellite imagery tiles in the GPKG database allows large-area satellite imagery to be loaded offline, and the basic functions of pipeline data collection are implemented. Software testing shows that pipeline datasets on the order of one hundred thousand records and GB-scale satellite imagery tiles can both be loaded and displayed within seconds.
Funding (KRSIE paper): supported by the Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korea Government (MSIT) (No. 2020-0-00952, Development of 5G edge security technology for ensuring 5G+ service stability and availability, 50%) and the IITP grant funded by the MSIT (Ministry of Science and ICT), Korea (No. IITP-2023-2020-0-01602, ITRC (Information Technology Research Center) support program, 50%).
Funding (NCCMF paper): supported in part by the Intelligent Policing and National Security Risk Management Laboratory 2023 Opening Project (No. ZHKFYB2304), the Fundamental Research Funds for the Central Universities (Nos. SCU2023D008, 2023SCU12129), the Natural Science Foundation of Sichuan Province (No. 2024NSFSC1449), the Science and Engineering Connotation Development Project of Sichuan University (No. 2020SCUNG129), and the Key Laboratory of Data Protection and Intelligent Management (Sichuan University), Ministry of Education.
Funding (reflective real-time component runtime environment paper): the National Defence Foundation of China (Grant No. 10104010201).