CICI: UCSS: Secure Containers in High-Performance Computing Infrastructure

CICI：UCSS：高性能计算基础设施中的安全容器

• 批准号: 2319975
• 负责人: Yuede Ji
• 金额: $ 60万
• 依托单位: University of North Texas
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2023
• 资助国家: 美国
• 起止时间: 2023-08-01 至 2026-07-31
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2319975&HistoricalAwards=false
• 关键词: CICI; UCSS; Secure; Containers; Performance

Ensuring the security and privacy of high-performance computing (HPC) infrastructures is of utmost importance due to their handling of sensitive data and critical scientific computations. HPC infrastructures commonly employ containers, which provide lightweight and isolated environments for running applications. Nevertheless, containers in HPC infrastructures encounter security challenges, including insecure container images and vulnerabilities related to isolation. Existing container image scanners face a major challenge of low coverage, while current container runtimes struggle to ensure both security and performance for HPC workloads simultaneously. This project addresses these challenges by developing secure containers specifically tailored for HPC infrastructures. The project introduces innovative solutions, including the development of an efficient image vulnerability scanner and a secure container runtime. These systems incorporate various customized optimizations for security and performance targeting HPC workloads. Additionally, educational efforts are made to integrate the research findings into graduate and undergraduate curriculum development. Outreach activities are conducted to encourage participation from underrepresented groups and promote cybersecurity awareness and HPC expertise in the states of Texas and Delaware.The project consists of two primary tasks. The first task focuses on designing an efficient image vulnerability scanner using innovative and feasible techniques. The research team designs a novel method for container image vulnerability detection based on cross-language code similarity detection. This approach combines graph neural networks with a language-agnostic code representation that leverages natural language processing techniques. Furthermore, it designs an efficient and scalable online search solution. The second task involves developing a secure and high-performance container runtime by utilizing a lightweight virtual machine hypervisor. Additionally, the runtime is optimized based on the characteristics of HPC workloads with the goal of improving both security and performance.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

确保高性能计算（HPC）基础设施的安全性和隐私性至关重要，因为它们要处理敏感数据和关键科学计算。HPC基础设施通常采用容器，为运行应用程序提供轻量级和隔离的环境。然而，HPC基础设施中的容器遇到了安全挑战，包括不安全的容器映像和与隔离相关的漏洞。现有的容器映像扫描器面临着低覆盖率的主要挑战，而当前的容器运行时则难以同时确保HPC工作负载的安全性和性能。该项目通过开发专为HPC基础设施量身定制的安全容器来应对这些挑战。该项目引入了创新的解决方案，包括开发一个高效的图像漏洞扫描器和一个安全的容器运行时。这些系统整合了针对HPC工作负载的安全性和性能的各种定制优化。此外，教育方面的努力，将研究成果纳入研究生和本科生课程开发。在德克萨斯州和特拉华州开展外联活动，鼓励代表性不足的群体参与，并促进网络安全意识和HPC专业知识。该项目包括两项主要任务。第一个任务的重点是设计一个有效的图像漏洞扫描器使用创新和可行的技术。研究团队设计了一种基于跨语言代码相似性检测的集装箱图像漏洞检测新方法。这种方法将图神经网络与利用自然语言处理技术的语言无关代码表示相结合。此外，它设计了一个有效的和可扩展的在线搜索解决方案。第二个任务涉及通过利用轻量级虚拟机管理程序开发安全和高性能的容器运行时。此外，运行时基于HPC工作负载的特性进行了优化，旨在提高安全性和性能。该奖项反映了NSF的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。