Conference:  Defcon 31
Authors: Alexander Dalsgaard Krog Vulnerability Researcher at Vectorize, Alexander Skovsende Grad Student at Technical University of Denmark
2023-08-01

In this work, we present the novel results of our research on Intel CPU microcode. Building upon prior research on Intel Goldmont CPUs, we have reverse-engineered the implementations of complex x86 instructions, leading to the discovery of hidden microcode which serves to prevent the persistence of any changes made. Using this knowledge, we were able to patch those discovered sections, allowing us to make persistent microcode changes from userspace on Linux. We have developed and improved microcode tracing tools, giving us deeper insight into Intel Atom microcode than was previously possible by allowing more dynamic analysis of the ROM. Along with this presentation, we provide a C library for making microcode changes and documentation on the reverse-engineered microcode. We show that vendor updates to the microcode, which cannot be verified by the user, pose a security risk by demonstrating how a Linux system can be compromised through a backdoor within a CPU core's microcode.
Authors: Felix Hoffmann
2023-04-19

tldr - powered by Generative AI

The presentation discusses resource management in Kubernetes from the perspective of an application developer, highlighting the importance of setting resource requests and limits appropriately to avoid cluster crashes and scheduling issues.
  • Resource management in Kubernetes involves setting CPU and memory requests and limits for containers
  • Memory limits result in termination of pods when exceeded, while CPU limits can lead to throttling or termination
  • Setting appropriate requests and limits is crucial for efficient scheduling and avoiding noisy neighbors
  • Developers should be aware of namespace limits and available resources when setting requests and limits
  • In general, it is advisable to set memory requests equal to memory limits and avoid setting CPU limits
  • Exceptions include cases where consistent workloads or overcommitment of memory are preferred
Authors: Jeremi Piotrowski
2023-04-19

tldr - powered by Generative AI

Confidential Computing is a secure computing environment that allows users to protect their data and workloads from unauthorized access. The presentation discusses the different models of attestation and how they are implemented in real-world scenarios using Microsoft Azure and the Confidential Containers project. The attestation report is a key component of remote attestation, which is made possible by the unique key inside the AMD secure processor that signs the report. Confidential Computing is an answer to the security concerns of industries that deal with personal and financial data.
  • Confidential Computing is a secure computing environment that protects data and workloads from unauthorized access
  • Different models of attestation are used in real-world scenarios
  • The attestation report is a key component of remote attestation
  • Confidential Computing is an answer to the security concerns of industries that deal with personal and financial data
Conference:  ContainerCon 2022
Authors: Phu Tran, Vinay Kulkarni
2022-06-23

tldr - powered by Generative AI

The presentation discusses the use of eBPF technology to achieve CNI networking with Mizar and XDP. The speaker also talks about future plans for enhancing the technology and proposes a formal EPA change to Kubernetes.
  • eBPF technology was used to achieve CNI networking with Mizar and XDP without changing any lines of kernel code
  • Future plans include enhancing the technology with a TX hook for XDP, proposing a formal EPA change to Kubernetes, and improving performance measurement
  • The speaker also discusses the need for a management plane and multi-tenant networking
  • The presentation includes a demo of the technology using four virtual machines
Authors: Bowen Li, Huichao Zhao
2022-05-18

tldr - powered by Generative AI

The presentation discusses the design principles and architecture of a cloud-native Spark on Kubernetes platform, highlighting the benefits of cloud and Kubernetes and the need for auto-scaling based on cost-saving and elasticity.
  • Cloud and Kubernetes can solve problems of legacy infrastructure by providing on-demand, elastic, and scalable resources with strong resource isolation and cutting-edge security techniques.
  • Design principles include fully embracing the public cloud and a cloud-native way of thinking, containerization for elasticity and reproducibility, and decoupling compute and storage for independent scaling.
  • The architecture of the cloud-native Spark on Kubernetes platform involves multiple Spark Kubernetes clusters, a Spark service gateway, and a multi-tenant platform with advanced features such as physical isolation and min/max capacity setting.
  • Auto-scaling is necessary for cost-saving and elasticity, and the presentation discusses the design of reactive auto-scaling and its productionization.
  • The platform has been running in production for a year, supporting many business-critical workloads for Apple AML.
Authors: Mauro Pessina
2022-05-18

tldr - powered by Generative AI

The presentation discusses an AI-powered optimization methodology for improving cost efficiency and performance of digital services provided by a company.
  • The challenge faced by the customer was to optimize their application while keeping on releasing application updates to introduce new business functionalities and align to new regulations.
  • The tuning practice in place was manual and took almost two months to tune one single macro service.
  • The AI-powered optimization methodology works in five steps: applying new configuration suggested by AI, applying workload to target system, collecting KPIs, analyzing results, and producing new configuration to be tested in the next iteration.
  • The methodology allows setting constraints and goals, such as minimizing application cost and ensuring service reliability.
  • The presentation provides an anecdote of how the methodology was used to optimize a customer's authentication service on Kubernetes, resulting in a 49% improvement on cost efficiency compared to the baseline configuration.
Authors: Natalie Serrino
2022-05-18

tldr - powered by Generative AI

Autoscaling Kubernetes Deployments is a flexible and rich option for ensuring stable performance when the load on the application changes over time.
  • Factors to consider when sizing your Kubernetes application
  • Horizontal vs Vertical autoscaling
  • Selecting the right auto scaling metric for your application
  • A Turing-complete autoscaler demo
Authors: Vincent Sevel
2022-05-18

Container orchestrators have become the de-facto standard to deploy a wide variety of workloads. As the number of deployments increases, so does the pressure on resource usage and hardware costs. Container runtimes and Kubernetes come with a set of tools that help make the most out of your infrastructure, such as cgroups for resource usage limitation and prioritization, requests and limits on CPU and memory, and quality of service classes. Even with those tools, it can be challenging to understand how they work and how to use them. In this talk, the speaker will offer a review of the available mechanisms, how they map at the orchestrator and runtime levels, and introduce the Vertical Pod Autoscaler as a means to optimize resource tuning at scale. He will share some of the lessons the company learned since starting this effort. And finally he will describe where they are in the deployment phase, and give some perspective on the direction in which they are headed.
Authors: Madalina Lazar, Denisio Togashi
2022-05-18

tldr - powered by Generative AI

Telemetry Aware Scheduling is an open-source project that uses telemetry to make smarter scheduling decisions for workloads in Kubernetes clusters.
  • Telemetry Aware Scheduling (TAS) is an open-source project that extends Kubernetes' scheduling paradigm to use knowledge of resources to impact scheduling decisions.
  • TAS uses telemetry to help make scheduling decisions and is an extender of the Kubernetes scheduler.
  • TAS allows for filtering and scoring nodes and utilizes node affinity rules via fixed and custom labels.
  • TAS applies scheduling policies that are structured as rules, where each rule is based on metrics that come from the cluster.
  • TAS requires a metrics pipeline to expose, collect, store, and make metrics available to the Kubernetes custom metrics API.
  • TAS works together with the default scheduler and returns a suggested outcome of pod placement to the default scheduler.
  • TAS supports multi-metric rules that contain multiple metrics and can link them together with logical operators such as "any of" or "all of".
Authors: Peter Hunt, Antti Kervinen
2021-10-15

tldr - powered by Generative AI

The presentation discusses the implementation of QoS (Quality of Service) in Kubernetes using block I/O classes and CPU manager policies to prioritize critical workloads.
  • QoS can be implemented in Kubernetes using block I/O classes and CPU manager policies
  • Block I/O classes can be used to prioritize workloads based on their importance
  • CPU manager policies can be used to assign specific CPU affinity to critical processes
  • Throttling can be used to limit resource contention and prioritize critical workloads
  • An anecdote is provided to illustrate the importance of prioritizing critical workloads