| With the development of edge computing,a large number of latency-sensitive applications with high security requirements have been deployed on the edge platform.ARM machines have become the typical choice for edge platforms due to the low power characteristics and high cost-effective of ARM platforms.To provide protection of applications and data on the ARM platform,a Trust Zone based multi-security domain architecture has been proposed.The multi-security domain architecture provides an isolated execution environment(called a userspace enclave)located in the normal world,enabling application developers to deploy selfdeveloped sensitive applications on the ARM platform.However,current multi-security domain architectures are designed for mobile computing with low-frequency execution of sensitive applications and suffer from low performance and slow response time when deployed in edge computing scenarios with diverse and high-density loads.In this thesis,we address the problem of multi-security domain architecture in edge computing scenarios,and designed and implemented VaultTec,an efficient execution system for sensitive applications with dynamic load,which significantly optimizes the performance and response latency of edge sensitive applications while ensuring multi-security domain isolation.The main work and contributions of this thesis can be summarized in two aspects.(1)A fast CPU allocation method based on CPU hotplug is proposed.The current multi-security domain architecture uses CPU hotplug mechanism to allocate CPU resources for userspace enclave,but the traditional CPU hotplug mechanism suffers from high CPU allocation latency and cannot meet the real-time requirements of diverse dynamic loads.In this thesis,a fast CPU allocation method is proposed.The method adopts key technologies such as CPU fast allocation path,callback function delegated execution,callback function optimization and hotplug lock optimization.It effectively reduces the latency of allocating CPU resources for userspace enclave while ensuring the isolation characteristics.The fast CPU allocation method proposed in this thesis supports the fast expansion of computing resources in the userspace enclave,thus achieving the high performance execution of sensitive applications.(2)A fast establishment method of userspace enclave based on checkpoint and recovery mechanism is proposed.Due to the long time to establish userspace enclave instances,the current implementation of multi-security domain cannot meet the demand for fast response of sensitive applications.In this thesis,we propose to take a checkpoint of the execution context of the userspace enclave instance,so that the execution of sensitive applications can be quickly recovered directly using the checkpoint information when the execution is triggered again.In this thesis,the concept and design of processor control block is proposed for the first time to describe the execution context of userspace enclave,which effectively implements the checkpoint and recovery of userspace enclave.In this thesis,a prototype system,Vault Tec,is implemented and its performance is evaluated.The experimental results show that Vault Tec allocates CPU resources to the userspace enclave 85 times faster than the current multi-security domain architecture implementation; the response speed of sensitive applications is 1.61 times faster than the current multi-security domain architecture implementation for the first execution of sensitive applications and 49 times faster than the current multi-security domain architecture implementation for the second execution. |
PDF Full Text Request