Research on Dependability Enhancement Techniques for Cloud Computing Platforms
Abstract
Cloud computing is an important innovation in the current computing model. By integrating interconnected computing resources and providing multiple levels of virtualization and abstraction, cloud computing delivers large-scale computing resources to users in the form of reliable services, freeing users from the complexity of the underlying hardware, software stacks and network protocols. Major IT companies such as Google, Microsoft, IBM, EMC and Amazon have all launched cloud computing solutions, and academia continues to study cloud computing platforms in depth.
A key requirement of cloud computing is the dependability of its infrastructure and services. This includes: (1) platform security: the cloud platform must provide reliable security mechanisms to defend against attacks from the network; (2) maintainability: the platform must handle hardware and software maintenance efficiently, so that maintenance has minimal impact on the availability of cloud services; (3) availability: the platform must mask hardware and software faults so as to provide 24x7 availability for cloud services; (4) trustworthiness: the platform must guarantee the trustworthiness of users' applications, preventing the leakage of private user data and code that may contain business secrets.
Cloud computing is developing rapidly, and research on the dependability of cloud platforms is ongoing. Current research on the dependability of cloud computing systems falls into the following areas: (1) computer-architecture-level research, which extends current processor architectures, devices and buses to provide hardware-level security and fault-tolerance solutions. For example, XOM adds an encryption module to the CPU and extends caches and registers to improve the security and privacy of critical applications running on the processor. (2) Operating-system-level solutions, which enhance the security and reliability of current operating systems, including designing new secure operating systems, to improve the security, privacy and fault tolerance of critical applications. For example, Asbestos and HiStar, operating systems based on mandatory access control, improve application security by controlling the information flow of applications. (3) Application-level solutions, which provide support at the compiler, binary translator and programming language levels to enhance application dependability. For example, Ginseng extends the compiler to support dynamic software updating, improving availability, and LIFT tracks and controls data flow during dynamic binary translation to improve application security.
However, current research on the dependability of computer systems, and of cloud computing systems in particular, still has several problems: most work focuses on only one aspect of a system while largely neglecting or sacrificing the others. For example, some work improves system security but imposes significant restrictions on functionality, backward compatibility and usability, making it hard to apply to real systems; Asbestos and Eros do not support existing applications, but require users to port applications to these systems, and they restrict application functionality. Other systems enhance dependability at a considerable performance cost, which limits their use in performance-sensitive settings; LIFT, for instance, incurs an average 3.6x slowdown on SPECINT-2000. Still other dependability enhancement techniques require special hardware or software support and are therefore hard to apply to general-purpose systems; XOM, for instance, requires a considerable number of processor extensions, and no processor currently provides them.
Based on a thorough analysis of the dependability requirements of the hardware, software and services of current cloud computing platforms, this dissertation proposes a systematic solution to improve the dependability of cloud platforms. It studies cloud system dependability at three levels, hardware, operating system and application, to improve the availability, maintainability, trustworthiness, security and fault tolerance of cloud platforms. Compared with previous work, this research aims to provide a practical, effective and high-performance set of solutions, so that existing applications and systems can benefit from its results with minimal impact on system performance. Moreover, the dependability enhancement techniques proposed here are significant not only for cloud computing but also have good prospects in other settings such as desktop applications.
Specifically, the main contributions of this dissertation are as follows:
1. The first information security technique based on speculative execution hardware, and the design and implementation of the SHIFT and BOSH systems to improve the security of software on cloud platforms. SHIFT uses the processor's support for deferred exceptions to design and implement efficient dynamic information flow tracking. It effectively detects low-level attacks such as buffer overflow attacks, and also defends against high-level semantic attacks such as SQL injection and directory traversal. Its performance is the best among all practical systems based on dynamic information flow tracking: only 1% overhead on the Apache web server and less than 1.27x overhead on SPECINT-2000.
BOSH uses information flow tracking to obfuscate a program's control flow and data flow, effectively defending against code injection attacks and protecting software copyright. It can obfuscate the entire control flow of a program with an average overhead of less than 28% on SPECINT-2000.
2. The first dynamic software updating technique based on bidirectional write-through synchronization, which supports dynamic updates of complex systems such as operating systems and multi-threaded applications, and the design and implementation of the LUCOS and POLUS dynamic software updating systems to improve the maintainability and availability of systems on cloud platforms. LUCOS is the first system to use a virtual machine monitor to dynamically update an operating system, allowing the OS to be upgraded and patched without a reboot, which improves the availability and maintainability of the OS and of the services running on it. LUCOS is fully transparent to the operating system and incurs less than 1% performance overhead.
POLUS is the first system that supports dynamic updates to the data structures of multi-threaded applications. It can switch mainstream server software (such as vsftpd, sshd and the Apache web server) between different versions at run time. POLUS also provides a dedicated compiler that automatically generates dynamic hot patches. Its average performance overhead is less than 1%.
3. The first software-based on-demand virtualization technique, which allows an operating system to switch dynamically between real hardware and a fully functional virtual machine monitor, obtaining the high availability of system virtualization while preserving system performance. The Mercury system dynamically self-virtualizes a computing platform, that is, it inserts a virtual machine monitor beneath a running operating system, giving a physical machine capabilities such as migration and online maintenance while avoiding the performance overhead of virtualization. Experimental results show that Mercury's average performance overhead is less than 1%.
4. The first bidirectional behavior conformity mechanism for cloud platforms and their applications (code-named Talos), and the design and implementation of the CHAOS and Shepherd systems. CHAOS constrains the behavior of the operating system, preventing a malicious OS from stealing application data; Shepherd constrains the behavior of applications, preventing cloud applications from damaging the operating system and the run-time environment. CHAOS uses a virtual machine monitor to protect the privacy of cloud applications, so that private application data is not leaked even when the operating system and other applications are untrusted. Shepherd audits the permissions of the system calls made by cloud application processes, performs anomaly detection, and isolates application modifications to critical system resources, preventing a malicious cloud application from attacking the cloud platform. The Talos trusted computing framework has been adopted by EMC's trusted cloud computing platform Daoli as its trust foundation.
Cloud computing is an appealing innovation in modern computing. By integrating networked computing resources and virtualizing them through different levels of abstraction, cloud computing provides users with massive computing resources through a common interface. Further, cloud computing hides the complexity of deploying and managing hardware resources, software stacks and networking protocols from users. Aware of its importance, both researchers and industry have put significant effort into cloud computing.
One of the indispensable requirements of cloud computing systems is the dependability of the infrastructure as well as of the running services. Specifically, a cloud computing system should satisfy the following criteria: (1) security, which requires that the cloud system protect both the computing systems and the running services; (2) maintainability, which requires that the system be easy to maintain, thus mitigating the impact of inevitable hardware and software failures and of deploying new features to suit business needs; (3) availability, which demands that the system be constantly operable and provide correct services even in the presence of possible hardware and service failures; (4) trustworthiness, which requires that the cloud system provide trustworthy services such that users' code and data, which may contain business secrets, are not improperly divulged or abused.
Dependability has always been a major concern of computing systems and the focus of both researchers and industry. The emerging cloud computing poses even more challenges because of the scale of a cloud computing system: a larger scale means more complexity in management and a higher probability of failure, thus a lower MTTF (Mean Time To Failure). Generally, previous research efforts can be categorized into three levels: (1) the computer architecture level, which investigates solutions that enhance existing processors, memory and I/O systems to improve dependability. For example, the XOM system extends the instruction set architecture, bus and registers to enhance the trustworthiness of mission-critical applications running on commodity operating systems. (2) The operating system level, which enhances the dependability of subsystems of existing operating systems, or even implements new operating systems. For example, Nooks improves the dependability of the driver subsystem in Linux, while Asbestos is an OS built from scratch to improve the security of applications. (3) The application level, which utilizes advances in language, compiler and binary translator technologies to improve the security and availability of applications. For example, Ginseng is a dynamic update system built by extending an existing compiler, while LIFT uses a binary translator to perform taint tracking to defeat possible software attacks.
However, there are still several problems with existing research on dependability. Most current research focuses on only one aspect while neglecting or sacrificing the others: some architecture-level solutions require non-trivial changes to the processor architecture, memory and bus, which cannot quickly become commercially available; examples include the XOM trust system. Some operating system solutions require reconstructing the existing software stack, breaking backward compatibility; for example, Singularity and Asbestos provide completely new operating system abstractions, making it hard for existing applications to benefit from them. Some existing security systems bring prohibitive performance overhead, preventing their use in production runs; for example, the TaintCheck system incurs up to 36X performance degradation, while LIFT, currently the taint tracking system with the best performance, brings about a 3.6X slowdown.
Based on a detailed analysis of the dependability requirements of current cloud computing systems, this dissertation proposes a practical and systematic solution that improves various aspects of current cloud computing systems at different levels, without sacrificing performance and without mandating design changes to existing architectures, OS abstractions and applications.
Specifically, the proposed solution is composed of the following key techniques and systems, which solve different problems at different levels:
1. Practical and efficient security enhancement by combining speculative execution and dynamic information flow tracking, and the design and implementation of the SHIFT and BOSH secure systems based on this idea. SHIFT leverages existing hardware support for deferred exception handling to implement a practical, efficient taint tracking system. SHIFT has the best performance among real-world taint tracking systems, with only 1% performance overhead for server applications and about 1.27X performance overhead for SPECINT-2000.
Based on the idea and design of SHIFT, the BOSH system further leverages the hardware support for taint tracking to support a low-overhead binary obfuscation scheme. BOSH can obfuscate the whole control and data flow of a program to defeat attacks that alter the control and data flow, as well as protect software copyright, with only 27% performance overhead.
2. The idea of a bidirectional write-through synchronization scheme for dynamically updating operating system kernels and multi-threaded software, and the LUCOS and POLUS dynamic updating systems that embody the idea. LUCOS is the first system that uses a virtual machine monitor to dynamically update the operating system running on it, with less than 1% performance slowdown. It is the first system that supports updating Linux with changes to data structures without modifying the Linux kernel.
POLUS is the first system that supports online switching of multi-threaded applications among different versions, both backwards and forwards, with less than 5% performance degradation.
3. The Mercury on-demand virtualization system, which improves the availability of the cloud by tolerating possible hardware failures. Mercury supports dynamically inserting a virtual machine monitor beneath a running operating system and then uses the VMM to migrate the whole operating system environment to another node upon a machine failure.
4. The Talos trust infrastructure, which provides behavior conformity for both the cloud computing platform and cloud applications. Two systems implement Talos behavior conformity: CHAOS utilizes a VMM to protect an application running in a commodity (and untrusted) operating system, preventing the code and data of a cloud application from being divulged and abused; the Shepherd process shepherding system prevents cloud services from attacking the cloud platform. The performance overheads of CHAOS and Shepherd are also modest.
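The following is an added example, not code from the dissertation or from SHIFT or BOSH, illustrating the dynamic information flow tracking policy that contribution 1 describes in both abstracts: bytes from an untrusted source carry a taint bit, taint travels with copies, and an alert is raised when tainted data reaches a sink. Two sink classes are modelled, a low-level one (a control-transfer target whose bytes are tainted, as after an over-long copy into a stack buffer) and two high-level semantic ones (tainted characters forming SQL structure rather than literal contents, and a tainted `..` path component). The memory layout, the `TString`/`Memory` classes, the tokenizer and all sample inputs are constructed for this example; SHIFT implements its tracking in hardware-assisted form that this model does not reproduce.

```python
import re


class TaintViolation(Exception):
    """Raised when tainted (untrusted) data reaches a sink it must not control."""


class TString:
    """A string whose characters each carry a taint bit (True = from untrusted input)."""

    def __init__(self, text, tainted=False):
        self.text = text
        self.taint = [tainted] * len(text)

    def __add__(self, other):
        # Concatenation propagates per-character taint: the sink later sees which
        # characters the program wrote and which ones came from the outside.
        r = TString("")
        r.text, r.taint = self.text + other.text, self.taint + other.taint
        return r

    def span_tainted(self, start, end):
        return any(self.taint[start:end])


class Memory:
    """Byte-addressed memory with one taint bit per byte (the low-level half of DIFT)."""

    def __init__(self, size):
        self.bytes = bytearray(size)
        self.taint = [False] * size

    def store(self, addr, data, tainted):
        for i, b in enumerate(data):
            self.bytes[addr + i] = b
            self.taint[addr + i] = tainted

    def copy(self, dst, src, n):
        # memcpy-style propagation: the taint bit travels with each byte copied.
        for i in range(n):
            self.bytes[dst + i] = self.bytes[src + i]
            self.taint[dst + i] = self.taint[src + i]

    def control_transfer(self, ptr_addr, width=4):
        """Sink: a jump/return target loaded from memory must not be tainted."""
        if any(self.taint[ptr_addr:ptr_addr + width]):
            raise TaintViolation(f"tainted control-transfer target at {ptr_addr:#x}")
        return int.from_bytes(self.bytes[ptr_addr:ptr_addr + width], "little")


def overflow_scenario(request):
    """Constructed layout: an 8-byte buffer at 0x100 sits just below a saved return
    address at 0x108. An unchecked copy of a longer, tainted request taints the
    return address, and the control-transfer check catches it before it is used."""
    mem = Memory(0x200)
    mem.store(0x108, (0x401000).to_bytes(4, "little"), tainted=False)  # legitimate return address
    mem.store(0x000, request, tainted=True)      # the request arrives in an input area
    mem.copy(0x100, 0x000, len(request))         # unbounded copy into the 8-byte buffer
    return mem.control_transfer(0x108)           # simulated return from the function


_SQL_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|\w+|\s+|[^\w\s]")


def check_sql(query):
    """Sink: tainted characters may fill literals but must not form SQL structure."""
    for m in _SQL_TOKEN.finditer(query.text):
        tok = m.group()
        if tok.isspace():
            continue
        if tok.startswith("'"):
            # The quotes delimit the literal; they must come from the program, not the input.
            if query.taint[m.start()] or query.taint[m.end() - 1]:
                raise TaintViolation(f"tainted quote in {tok!r}")
            continue
        if tok.isdigit():
            continue
        if query.span_tainted(m.start(), m.end()):
            raise TaintViolation(f"tainted SQL token {tok!r}")
    return query.text


def check_path(path):
    """Sink: an untrusted '..' component changes which directory is opened."""
    pos = 0
    for comp in path.text.split("/"):
        end = pos + len(comp)
        if comp == ".." and path.span_tainted(pos, end):
            raise TaintViolation(f"tainted '..' component at offset {pos}")
        pos = end + 1
    return path.text


if __name__ == "__main__":
    print(hex(overflow_scenario(b"GET /idx")))
    print(check_sql(TString("SELECT * FROM users WHERE name='") + TString("alice", True) + TString("'")))
    print(check_path(TString("/var/www/files/") + TString("report.txt", True)))
```

The SQL rule encodes the usual DIFT policy for injection: user input may appear inside a string or numeric literal, but any keyword, operator or quote character that carries taint means the input has changed the shape of the query. The same per-character bookkeeping serves the path check, which is why one tracker covers both the low-level and the semantic attacks the abstract lists.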
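The next block is an added example, not code from LUCOS or POLUS, modelling the bidirectional write-through synchronization idea behind contribution 2 in both abstracts: while an update is in flight, the old and new layouts of a data structure are both live, and a write through either version's view is written through to the other by a transformer function, so a thread still running old code and a thread already running new code observe one logical state. Threads switch versions individually at a safe point rather than all at once, which is what makes the synchronization necessary. The `ConnV1`/`ConnV2` layouts, the transformers and the interleaving in `simulate_update` are constructed; POLUS traps writes with memory protection, whereas this model routes them through an explicit `write()` call, a simplification of this example.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class ConnV1:                      # layout the old code was compiled against
    host: str
    port: int
    retries: int = 3


@dataclass
class ConnV2:                      # new layout: host/port merged into one field, one field added
    endpoint: str
    retries: int = 3
    tls: bool = False


def v1_to_v2(old: ConnV1, new: ConnV2) -> None:
    """Forward transformer: after a write through the V1 view, re-derive the V2
    fields that depend on V1 state; V2-only fields (tls) are left untouched."""
    new.endpoint = f"{old.host}:{old.port}"
    new.retries = old.retries


def v2_to_v1(new: ConnV2, old: ConnV1) -> None:
    """Backward transformer: a write through the V2 view is reflected into V1."""
    host, port = new.endpoint.rsplit(":", 1)
    old.host, old.port, old.retries = host, int(port), new.retries


class SyncedState:
    """Both layouts stay live while the update is in flight; every write through one
    view is written through to the other. (Explicit write() instead of trapping
    memory writes is a simplification of this example.)"""

    def __init__(self, old, new, fwd, bwd):
        self.old, self.new, self.fwd, self.bwd = old, new, fwd, bwd
        self.in_update = True
        self.log: List[str] = []

    def write(self, version: int, field: str, value) -> None:
        if version == 1:
            setattr(self.old, field, value)
            if self.in_update:
                self.fwd(self.old, self.new)
        else:
            setattr(self.new, field, value)
            if self.in_update:
                self.bwd(self.new, self.old)
        self.log.append(f"v{version}.{field}={value!r}")

    def read(self, version: int, field: str):
        return getattr(self.old if version == 1 else self.new, field)

    def finish(self) -> None:
        """Every thread now runs the new version: stop synchronising, retire the old view."""
        self.in_update = False
        self.old = None


class Thread:
    """A thread switches versions only at its next safe point (a function entry),
    so the switch is staggered rather than a global stop-the-world."""

    def __init__(self, name: str):
        self.name, self.version = name, 1

    def safe_point(self, target: int) -> None:
        self.version = target


def simulate_update() -> dict:
    """Constructed interleaving: the patch is announced while worker-1 is inside a
    long call on old code and worker-2 has already switched to new code."""
    state = SyncedState(ConnV1("db", 5432), ConnV2("db:5432"), v1_to_v2, v2_to_v1)
    t1, t2 = Thread("worker-1"), Thread("worker-2")
    state.write(t1.version, "port", 5433)            # both threads still on v1
    t2.safe_point(2)                                  # patch announced: t2 switches first
    state.write(t2.version, "tls", True)              # v2-only field, v1 unaffected
    state.write(t2.version, "endpoint", "db2:5433")   # written through to v1.host
    assert state.read(1, "host") == "db2"             # old code sees the new code's write
    state.write(t1.version, "retries", 5)             # old code still writing
    assert state.read(2, "tls") is True               # forward transformer kept v2-only state
    t1.safe_point(2)
    if all(t.version == 2 for t in (t1, t2)):
        state.finish()
    return {"endpoint": state.read(2, "endpoint"), "retries": state.read(2, "retries"),
            "tls": state.read(2, "tls"), "writes": len(state.log)}


if __name__ == "__main__":
    print(simulate_update())
```

The transformers are the update-specific part a patch author has to supply (the abstract notes that POLUS generates patches with a dedicated compiler); everything else is mechanical. The important property to test for such a scheme is the one asserted inside `simulate_update`: a field written through the old view is visible through the new view and vice versa at every point of the interleaving, not only after the last thread has switched.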
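As an added example for contribution 4 in both abstracts (not code from Shepherd or Talos), the block below implements the three decisions the abstracts attribute to Shepherd over a constructed system-call trace: deny calls outside the application's permission set, isolate modifications of critical system resources by redirecting them into a per-application overlay, and flag a process whose call sequences diverge from a baseline learned from normal runs. The trace line format, the policy fields, the overlay path and the sample traces are all constructed; scoring by the share of unseen k-grams is classic sequence-based anomaly detection, and whether Shepherd uses that particular method is an assumption of this example.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample traces in a "syscall arg ..." line format; the real tracer
# output and Shepherd's policy language are not described on the page.
NORMAL_TRACE = [
    "accept 4", "read 5", "open /var/www/index.html O_RDONLY",
    "read 6", "close 6", "write 5", "close 5",
]
SUSPECT_TRACE = [
    "accept 4", "read 5", "ptrace 1234", "open /etc/hosts O_WRONLY",
    "write 6", "close 6", "write 5", "close 5",
]


@dataclass
class Policy:
    allowed: Set[str]                                        # permitted system calls
    protected: Tuple[str, ...] = ("/etc", "/boot", "/usr")   # critical system resources
    overlay_root: str = "/var/shepherd/overlay"              # per-app copy for isolated writes


class SequenceModel:
    """Baseline of short syscall sequences (k-grams) observed in normal runs."""

    def __init__(self, k: int = 3):
        self.k, self.seen = k, set()

    def _grams(self, calls):
        return [tuple(calls[i:i + self.k]) for i in range(len(calls) - self.k + 1)]

    def train(self, trace: List[str]) -> None:
        self.seen.update(self._grams([line.split()[0] for line in trace]))

    def novelty(self, calls: List[str]) -> float:
        """Share of k-grams in the trace never seen during training (0.0 = all familiar)."""
        grams = self._grams(calls)
        return sum(g not in self.seen for g in grams) / len(grams) if grams else 0.0


def audit(app: str, trace: List[str], policy: Policy, model: SequenceModel,
          max_novelty: float = 0.2) -> List[Tuple[str, str]]:
    """Return (decision, detail) findings: 'deny' for a call outside the permission
    set, 'isolate' for a non-read-only open of a protected path (redirected into the
    app's overlay), and 'anomaly' when the sequence novelty exceeds the threshold."""
    findings, calls = [], []
    for line in trace:
        name, *args = line.split()
        calls.append(name)
        if name not in policy.allowed:
            findings.append(("deny", line))
            continue
        if (name == "open" and len(args) == 2 and args[1] != "O_RDONLY"
                and args[0].startswith(policy.protected)):
            findings.append(("isolate", f"{args[0]} -> {policy.overlay_root}/{app}{args[0]}"))
    novelty = model.novelty(calls)
    if novelty > max_novelty:
        findings.append(("anomaly", f"{novelty:.2f} of {model.k}-grams unseen in baseline"))
    return findings


POLICY = Policy(allowed={"accept", "read", "write", "open", "close"})
MODEL = SequenceModel(k=3)
MODEL.train(NORMAL_TRACE)

if __name__ == "__main__":
    for decision, detail in audit("web", SUSPECT_TRACE, POLICY, MODEL):
        print(f"{decision:8s} {detail}")
```

The permission set and the protected prefixes are the static part of the policy and are cheap to enforce per call; the sequence model catches behaviour that individually allowed calls can still produce. Redirecting rather than denying the protected write is what lets the application keep running on its own copy of the resource while the platform's copy stays intact, which is the isolation property the abstract describes.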
    [137]Microsoft Inc.Virtualized technology based on microsoft hyper-v.www.microsoft.com/windowsserver2008/en/us/hyperv.aspx,2008.
    [138]Kivity A,Kamay Y,Laor D,Lublin U,Liguori A.kvra:the Linux Virtual Machine Monitor[C].Linux Symposium.2007.
    [139]Whitaker A,Shaw M,Gribble S D.Scale and performance in the denali isolation kernel[J].ACM SIGOPS Operating Systems Review,2002,36(SI):195-209.
    [140]Intel Inc.Intel vanderpool technology for IA-32 processors(VT-x) preliminary specification,2006.
    [141]Strongin G.Trusted computing using AMD "Pacifica'and "Presidio "secure virtual machine technology[J].Information Security Teclmical Report,2005,10(2):120-132.
    [142]Hiremane R.Intel(?) Virtualization Technology for Directed I/O(Intel(?)VT-d)[J].Technology(?) Intel Magazine,2007,4(10).
    [143]LeVasseur J,Uhlig V,Leslie B,Chapman M,Heiser G.Pre-virtualization:uniting two worlds[C].Proceedings of the twentieth ACM symposium on Operating systems principles.ACM New York,NY,USA,2005 1-2.
    [144]Amsden Z,Arai D,Hecht D,Holler A,Subrahmanyam P.VMI:An Interface for Paravirtualization[C].Proceedings of of the Linux Symposium.2006363-378.
    [145]Hansen J,Jul E.Self-migration of operating systems[C].Proceedings of the 11th workshop on ACM SIGOPS European workshop.ACM New York,NY,USA,2004.
    [146]Soltesz S,P(o|¨)tzl H,Fiuczynski M,Bavier A,Peterson L.Container-based operating system virtualization:a scalable,high-performance alternative to hypervisors[C].Proceedings of the 2007 conference on EuroSys.ACM Press New York,NY,USA,2007 275-287.
    [147] CVE-2006-0038. Linux kernel netfilter do_replace local buffer overflow vulnerability. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0038.
    
    [148] securityfocus. Windows vista voice recognition command execution vulnerability. http://www.securityfocus.com/bid/22359/, 2007.
    
    [149] Krohn M, Efstathopoulos P, Prey C, Kaashoek F, Kohler E, Mazieres D,Morris R, Osborne M, VanDeBogart S, Ziegler D. Make least privilege a right (not a privilege)[C]. Proceedings of Usenix Workshop on Hot Topics in Operating Systems. 2005 .
    
    [150] Loscocco P, Smalley S. Integrating Flexible Support for Security Policies into the Linux Operating System[C]. Proceedings of the FREENIX Track:2001 USENIX Annual Technical Conference table of contents. USENIX Association Berkeley, CA, USA, 2001 29-42.
    
    [151] Li N, Mao Z, Chen H. Usable mandatory integrity protection for operating systems[C]. Proceedings of the IEEE Symposium on Security and Privacy.2007 164-178.
    
    [152] Petroni Jr N, Hicks M. Automated detection of persistent kernel control-flow attacks[C]. Proceedings of the 14th ACM conference on Computer and communications security. ACM New York, NY, USA, 2007 103-115.
    
    [153] Sailer R, Zhang X, Jaeger T, van Doom L. Design and Implementation of a TCG-based Integrity Measurement Architecture[C]. Proceedings of USENIX Security Symposium. 2004 223-238.
    
    [154] Duc G, Keryell R. Cryptopage: an efficient secure architecture with memory encryption, integrity and information leakage protection[C]. Proceedings of Annual Computer Security Applications Conference. 2006 .
    
    [155] Chen H, Chen J, Mao W, Yan F. Daonity - grid security from two levels of virtualization[J]. Inf. Secur. Tech. Rep., 2007, 12(3): 123-138.
    
    [156] Haibo Chen W M Jun Li, Sadeghi A R. Tpm-performance sensible key management protocols for service provisioning in cloud computing.[C]. Sixteenth International Workshop on Security Protocols (SPW-2008). Cambridge, England, 2008 81-87.
    [157]Forrest S,Hofmeyr S A,Somayaji A,Longstaff T A.A sense of self for unix processes[C].SP'96:Proceedings of the 1996 IEEE Symposium on Security aud Privacy.IEEE Computer Society,Washington,DC,USA,1996 120.
    [158]Somayaji A,Forrest S.Automated response using system-call delays[C].Proceedings of the 9th conference on USENIX Security Symposium.USENIX Association,Berkeley,CA,USA,2000 14-14.
    [159]Jones S T,Arpaci-Dusseau A C,Arpaci-Dusseau R H.Antfarm:tracking processes in a virtual machine environment[C].ATEC'06:Proceedings of the annual conference on USENIX'06 Annual Technical Conference.USENIX Association,Berkeley,CA,USA,2006 1-1.
    [160]Anderson D,Cobb J,Korpela E,Lebofsky M,Werthimer D.SETI@ home:an experiment in public-resource computing[J].Communications of the ACM,2002,45(11):56-61.
    [161]Chen X,Garfinkel T,Lewis E,Subrahmanyam P,Waldspurger C,Boneh D,Dwoskin J,Ports D.Overshadow:a virtualization-based approach to retrofitting protection in commodity operating systems[C].Proceedings of the 13th international conference on Architectural support for programming languages and operating systems.ACM New York,NY,USA,2008 2-13.
    [162]Ta-Min R,Litty L,Lie D.Splitting Interfaces:Making Trust Between Applications and Operating Systems Configurable[C].Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation.2006 279-292.
    [163]Jiang X,Wang X,Xu D.Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction[C].Proceedings of the 14th ACM conference on Computer and communications security.ACM,New York,NY,USA,2007 128-138.
    [164]Jaeger T,Sailer R,Zhang X.Analyzing integrity protection in the SELinux example policy[C].Proceedings of the 12th conference on USENIX Security Symposium-Volume 12 table of contents.USENIX Association Berkeley,CA,USA,2003 5-5.
    [165]Shapiro J,Smith J,Farber D.EROS:a fast capability system[J].ACM SIGOPS Operating Systems Review,1999,33(5):170-185.
    [166] Boyd-Wickizer S, Chen H, Chen R, Mao Y, Kaashoek F, Morris R, Pesterev A, Stein L, Wu M, Dai Y, et al. Corey: an operating system for many cores[C]. Proceedings of 8th Usenix Symposium on Operating System Design and Implementation. 2008 .
