-
Implementation of New Security Features in CMSWEB Kubernetes Cluster at CERN
Authors:
Aamir Ali,
Muhammad Imran,
Valentin Kuznetsov,
Spyridon Trigazis,
Aroosha Pervaiz,
Andreas Pfeiffer,
Marco Mascheroni
Abstract:
The CMSWEB cluster is pivotal to the activities of the Compact Muon Solenoid (CMS) experiment, as it hosts critical services required for the operational needs of the CMS experiment. The security of these services and the corresponding data is crucial to CMS. Any malicious attack can compromise the availability of our services. Therefore, it is important to construct a robust security infrastructure. In this work, we discuss new security features introduced to the CMSWEB Kubernetes ("k8s") cluster. The new features include the implementation of network policies, deployment of Open Policy Agent (OPA), enforcement of OPA policies, and the integration of Vault. The network policies act as an inside-the-cluster firewall to limit the network communication between the pods to the minimum necessary, and their dynamic nature allows us to work with microservices. The OPA validates the objects against some custom-defined policies during create, update, and delete operations to further enhance security. Without recompiling or changing the configuration of the Kubernetes API server, it can apply customized policies on Kubernetes objects, and their audit functionality enables us to detect pre-existing conflicts and issues. Although Kubernetes incorporates the concepts of secrets, they are only base64 encoded and are not dynamically configured. This is where Vault comes into play: Vault dynamically secures, stores, and tightly controls access to sensitive data. This way, the secret information is encrypted, secured, and centralized, making it more scalable and easier to manage. Thus, the implementation of these three security features corroborates the enhanced security and reliability of the CMSWEB Kubernetes infrastructure.
Submitted 24 May, 2024;
originally announced May 2024.
-
SCOPE: Safe Exploration for Dynamic Computer Systems Optimization
Authors:
Hyunji Kim,
Ahsan Pervaiz,
Henry Hoffmann,
Michael Carbin,
Yi Ding
Abstract:
Modern computer systems need to execute under strict safety constraints (e.g., a power limit), but doing so often conflicts with their ability to deliver high performance (i.e. minimal latency). Prior work uses machine learning to automatically tune hardware resources such that the system execution meets safety constraints optimally. Such solutions monitor past system executions to learn the system's behavior under different hardware resource allocations before dynamically tuning resources to optimize the application execution. However, system behavior can change significantly between different applications and even different inputs of the same applications. Hence, the models learned using data collected a priori are often suboptimal and violate safety constraints when used with new applications and inputs. To address this limitation, we introduce the concept of an execution space, which is the cross product of hardware resources, input features, and applications. To dynamically and safely allocate hardware resources from the execution space, we present SCOPE, a resource manager that leverages a novel safe exploration framework. We evaluate SCOPE's ability to deliver improved latency while minimizing power constraint violations by dynamically configuring hardware while running a variety of Apache Spark applications. Compared to prior approaches that minimize power constraint violations, SCOPE consumes comparable power while improving latency by up to 9.5X. Compared to prior approaches that minimize latency, SCOPE achieves similar latency but reduces power constraint violation rates by up to 45.88X, achieving almost zero safety constraint violations across all applications.
Submitted 21 April, 2022;
originally announced April 2022.
-
Cello: Efficient Computer Systems Optimization with Predictive Early Termination and Censored Regression
Authors:
Yi Ding,
Alex Renda,
Ahsan Pervaiz,
Michael Carbin,
Henry Hoffmann
Abstract:
Sample-efficient machine learning (SEML) has been widely applied to find optimal latency and power tradeoffs for configurable computer systems. Instead of randomly sampling from the configuration space, SEML reduces the search cost by dramatically reducing the number of configurations that must be sampled to optimize system goals (e.g., low latency or energy). Nevertheless, SEML only reduces one component of cost -- the total number of samples collected -- but does not decrease the cost of collecting each sample. Critically, not all samples are equal; some take much longer to collect because they correspond to slow system configurations. This paper presents Cello, a computer systems optimization framework that reduces sample collection costs -- especially those that come from the slowest configurations. The key insight is to predict ahead of time whether samples will have poor system behavior (e.g., long latency or high energy) and terminate these samples early before their measured system behavior surpasses the termination threshold, which we call predictive early termination. To predict the future system behavior accurately before it manifests as high runtime or energy, Cello uses censored regression to produce accurate predictions for running samples. We evaluate Cello by optimizing latency and energy for Apache Spark workloads. We give Cello a fixed amount of time to search a combined space of hardware and software configuration parameters. Our evaluation shows that compared to the state-of-the-art SEML approach in computer systems optimization, Cello improves latency by 1.19X for minimizing latency under a power constraint, and improves energy by 1.18X for minimizing energy under a latency constraint.
Submitted 10 April, 2022;
originally announced April 2022.
-
Language Support for Adaptation: Intent-Driven Programming in FAST
Authors:
Yao-Hsiang Yang,
Adam Duracz,
Ferenc A. Bartha,
Ryuichi Sai,
Ahsan Pervaiz,
Saeid Barati,
Dung Nguyen,
Robert Cartwright,
Henry Hoffmann,
Krishna V. Palem
Abstract:
Historically, programming language semantics has focused on assigning a precise mathematical meaning to programs. That meaning is a function from the program's input domain to its output domain determined solely by its syntactic structure. Such a semantics fosters the development of portable applications which are oblivious to the performance characteristics and limitations (such as a maximum memory footprint) of particular hardware and software platforms. This paper introduces the idea of intent-driven programming where the meaning of a program additionally depends on an accompanying intent specification expressing how the ordinary program meaning is dynamically modified during execution to satisfy additional properties expressed by the intent. These include both intensional properties---e.g., resource usage---and extensional properties---e.g., accuracy of the computed answer. To demonstrate the intent-driven programming model's value, this paper presents a general-purpose intent-driven programming language---called FAST---implemented as an extension of Swift. FAST consists of an intent compiler, a profiler, a general controller interface and a runtime module which supports interoperation with legacy C/C++ codes. Compared to existing frameworks for adaptive computing, FAST supports dynamic adaptation to changes both in the operating environment and in the intent itself, and enables the mixing of procedural control and control based on feedback and optimization.
Submitted 12 July, 2019;
originally announced July 2019.
-
Weighted p-bits for FPGA implementation of probabilistic circuits
Authors:
Ahmed Zeeshan Pervaiz,
Brian M. Sutton,
Lakshmi Anirudh Ghantasala,
Kerem Y. Camsari
Abstract:
Probabilistic spin logic (PSL) is a recently proposed computing paradigm based on unstable stochastic units called probabilistic bits (p-bits) that can be correlated to form probabilistic circuits (p-circuits). These p-circuits can be used to solve problems of optimization, inference and also to implement precise Boolean functions in an "inverted" mode, where a given Boolean circuit can operate in reverse to find the input combinations that are consistent with a given output. In this paper we present a scalable FPGA implementation of such invertible p-circuits. We implement a "weighted" p-bit that combines stochastic units with localized memory structures. We also present a generalized tile of weighted p-bits to which a large class of problems beyond invertible Boolean logic can be mapped, and how invertibility can be applied to interesting problems such as the NP-complete Subset Sum Problem by solving a small instance of this problem in hardware.
Submitted 1 November, 2018; v1 submitted 12 December, 2017;
originally announced December 2017.
-
Hardware emulation of stochastic p-bits for invertible logic
Authors:
Ahmed Zeeshan Pervaiz,
Lakshmi Anirudh Ghantasala,
Kerem Yunus Camsari,
Supriyo Datta
Abstract:
The common feature of nearly all logic and memory devices is that they make use of stable units to represent 0's and 1's. A completely different paradigm is based on three-terminal stochastic units which could be called "p-bits", where the output is a random telegraphic signal continuously fluctuating between 0 and 1 with a tunable mean. p-bits can be interconnected to receive weighted contributions from others in a network, and these weighted contributions can be chosen to not only solve problems of optimization and inference but also to implement precise Boolean functions in an inverted mode. This inverted operation of Boolean gates is particularly striking: They provide inputs consistent to a given output along with unique outputs to a given set of inputs. The existing demonstrations of accurate invertible logic are intriguing, but will these striking properties observed in computer simulations carry over to hardware implementations? This paper uses individual micro controllers to emulate p-bits, and we present results for a 4-bit ripple carry adder with 48 p-bits and a 4-bit multiplier with 46 p-bits working in inverted mode as a factorizer. Our results constitute a first step towards implementing p-bits with nano devices, like stochastic Magnetic Tunnel Junctions.
Submitted 12 September, 2017; v1 submitted 4 May, 2017;
originally announced May 2017.