Patents Assigned to VMWARE LLC
-
Patent number: 12147528
Abstract: While an application or a virtual machine (VM) is running, a device tracks accesses to cache lines to detect access patterns that indicate security attacks, such as cache-based side channel attacks or row hammer attacks. To enable the device to detect accesses to cache lines, the device is connected to processors via a coherence interconnect, and the application/VM data is stored in a local memory of the device. The device collects the cache lines of the application/VM data that are accessed while the application/VM is running into a buffer and the buffer is analyzed for access patterns that indicate security attacks.
Type: Grant
Filed: July 22, 2021
Date of Patent: November 19, 2024
Assignee: VMware LLC
Inventors: Irina Calciu, Andreas Nowatzyk, Pratap Subrahmanyam
-
Patent number: 12147530
Abstract: The disclosure herein describes deploying a Virtual Secure Enclave (VSE) using a universal enclave binary and a Trusted Runtime (TR). A universal enclave binary is generated that includes a set of binaries of Instruction Set Architectures (ISAs) associated with Trusted Execution Environment (TEE) hardware backends. A TEE hardware backend is identified in association with a VSE-compatible device. A VSE that is compatible with the identified TEE hardware backend is generated on the VSE-compatible device and an ISA binary that matches the TEE hardware backend is selected from the universal enclave binary. The selected binary is linked to a runtime library of the TR, and the linked binary is loaded into memory of the generated VSE. The execution of a trusted application is initiated in the generated VSE using a set of interfaces of the TR. The trusted application depends on the TR interfaces rather than the selected ISA binary.
Type: Grant
Filed: October 5, 2022
Date of Patent: November 19, 2024
Assignee: VMware LLC
Inventors: Ye Li, Anoop Jaishankar, John Manferdelli, David Ott, Andrei Warkentin
-
Patent number: 12141063
Abstract: A method for efficient write-back for journal truncation is provided. A method includes maintaining a journal in a memory of a computing system including a plurality of records. Each record indicates a transaction associated with one or more pages in an ordered data structure and maintaining a dirty list including an entry for each page indicated by a record in the journal. Each entry in the dirty list includes a respective first log sequence number (LSN) associated with a least recent record of the plurality of records that indicates the page and a respective second LSN associated with a most recent record of the plurality of records that indicates the page. The method includes determining to truncate the journal. The method includes identifying one or more records, of the plurality of records, from the journal to write back to a disk, where the identifying is based on the dirty list.
Type: Grant
Filed: September 1, 2022
Date of Patent: November 12, 2024
Assignee: VMware LLC
Inventors: Jiaqi Zuo, Junlong Gao, Wenguang Wang, Eric Knauft, Hardik Singh Negi
-
Patent number: 12143393
Abstract: Systems and methods are described for recommending security groups using graph-based learning models. A server can create a network graph that illustrates network flows between devices in a network and security groups that the devices belong to. The network graph can include nodes that represent the devices and security groups. The server can apply a graph-based learning model to learn embeddings of the nodes and create vectors using the embeddings. Using vectors of two nodes, the server can calculate a vector that represents an edge between the two nodes. The server can apply a binary classifier to determine whether the edge should exist. A “true” classification between two nodes can indicate that they should be able to communicate, and vice versa. A “true” classification between a device node and a security group node can indicate that the device should be assigned to the security group, and vice versa.
Type: Grant
Filed: January 24, 2022
Date of Patent: November 12, 2024
Assignee: VMware LLC
Inventors: Karen Hayrapetyan, Sunitha Krishna, Nikash Walia, Margaret Petrus
-
Patent number: 12143362
Abstract: Example methods and systems for a computer system to perform context-aware service query filtering are described. One example may involve a computer system intercepting a service query from a virtualized computing instance to pause forwarding of the service query towards a destination; and obtaining context information associated with an application running on the virtualized computing instance. In response to determination that the service query is a potential security threat based on the context information, service query filtering may be performed to inspect the service query for malicious activity. Otherwise, in response to determination that the service query is not a potential security threat based on the context information, the service query filtering may be skipped and the service query forwarded towards the destination.
Type: Grant
Filed: February 17, 2022
Date of Patent: November 12, 2024
Assignee: VMware LLC
Inventors: Vasantha Kumar Dhanasekar, Shirish Vijayvargiya, Leena Shuklendu Soman
-
Patent number: 12141128
Abstract: This disclosure describes aspects of an efficient blockchain API communication mechanism that reduces the energy usage and data usage. In some examples, a publish-subscribe mechanism is used for completed transaction receipts for blockchain transactions of a blockchain. The publish-subscribe mechanism uses an open source remote procedure call protocol or hypertext transfer protocol (HTTP). Components of a distributed blockchain application use a single transport or communications protocol for both synchronous and asynchronous communications.
Type: Grant
Filed: October 25, 2021
Date of Patent: November 12, 2024
Assignee: VMware LLC
Inventors: Ram Krishnan, Dharmaraj Rajendra Parmar
-
Patent number: 12143312
Abstract: Various aspects are disclosed for optimization of dependent systems for serverless frameworks that facilitate a function-as-a-service (FaaS). In some examples, an agent can be installed on a dependent system and collect resource consumption data that is reported to a management service. The management service can throttle requests submitted to the FaaS or scale up the infrastructure depending upon the resource consumption data.
Type: Grant
Filed: January 28, 2022
Date of Patent: November 12, 2024
Assignee: VMware LLC
Inventors: Angel Ivanov, Antonio Filipov, Yavor Syarov, Radoslav Bonev
-
Patent number: 12141463
Abstract: The disclosure provides a method for virtual volume snapshot creation by a storage array. The method generally includes receiving a request to generate a snapshot of a virtual volume associated with a virtual machine, in response to receiving the request, preparing a file system of the storage array to generate the snapshot, wherein preparing the file system comprises creating a delta storage structure to receive write input/output (I/O) requests directed for the virtual volume when generating the snapshot of the virtual volume, deactivating the virtual volume, activating the delta storage structure, generating the snapshot of the virtual volume, and during the generation of the snapshot of the virtual volume: receiving a write I/O directed for the virtual volume and committing the write I/O in the delta storage structure.
Type: Grant
Filed: May 23, 2023
Date of Patent: November 12, 2024
Assignee: VMware LLC
Inventors: Indranil Bhattacharya, Ashutosh Saraswat, Thorbjoern Donbaek Jensen
-
Patent number: 12141440
Abstract: The disclosure herein describes performing resynchronization (“resync”) jobs in a distributed storage system based on a parallelism policy. A resync job is obtained from a queue and input/output (I/O) resources that will be used during execution of the resync job are identified. Available bandwidth slots of each I/O resource of the identified I/O resources are determined. The parallelism policy is applied to the identified I/O resources and the available bandwidth slots. Based on the application of the parallelism policy, a bottleneck resource of the I/O resources is determined and a parallel I/O value is calculated based on the available bandwidth slots of the bottleneck resource, wherein the parallel I/O value indicates a quantity of I/O tasks that can be performed in parallel. The resync job is executed using the I/O resources, the execution of the resync job including performance of I/O tasks in parallel based on the parallel I/O value.
Type: Grant
Filed: October 20, 2022
Date of Patent: November 12, 2024
Assignee: VMware LLC
Inventors: Yiqi Xu, Enning Xiang, Eric Knauft, Pascal Renauld
-
Patent number: 12143284
Abstract: Example methods and systems for health check as a service are described. One example may involve a computer system receiving a request to perform a health check for a network environment that includes a set of multiple flows. The computer system may select a subset that includes (a) a first flow between a first pair of endpoints and (b) a second flow between a second pair of endpoints. The health check may be initiated for the first flow and the second flow by generating and sending (a) a first instruction to cause injection of a first health check packet, and (b) a second instruction to cause injection of a second health check packet. The computer system may determine health status information associated with the subset based on (a) first observation information triggered by the first health check packet, and (b) second observation information triggered by the second health check packet.
Type: Grant
Filed: August 1, 2023
Date of Patent: November 12, 2024
Assignee: VMware LLC
Inventors: Gaurav Jindal, Neeraj Mantri, Aditya Vikram Mukherjee
-
Patent number: 12135626
Abstract: Embodiments of the present disclosure relate to container-level monitoring. Embodiments include detecting, by an agent of a virtual machine, an event. Embodiments include determining, by the agent of the virtual machine, an address related to the event. Embodiments include accessing, by the agent of the virtual machine, container mapping information. Embodiments include locating, by the agent of the virtual machine, the address in the container mapping information. Embodiments include determining, by the agent of the virtual machine, based on the locating, that the event is associated with a container. Embodiments include determining, by the agent of the virtual machine, one or more attributes of the container. Embodiments include determining, by the agent of the virtual machine, based on information related to the event and the one or more attributes of the container, whether to block or allow an action related to the event.
Type: Grant
Filed: August 8, 2019
Date of Patent: November 5, 2024
Assignee: VMware LLC
Inventors: Shirish Vijayvargiya, Alok Nemchand Kataria, Rayanagouda Bheemanagouda Patil
-
Patent number: 12135661
Abstract: Example computer-implemented methods, media, and systems for processing input/output (I/O) commands using block size aware polling are disclosed. One example method includes creating multiple polling queues and multiple interrupt queues in a transport drivers layer of a storage stack. A first I/O command is received from a core layer of the storage stack and by the transport drivers layer. A ratio of a total number of multiple small block size commands in the transport drivers layer to a total number of multiple outstanding I/O commands in the transport drivers layer is determined to be larger than a predetermined first threshold. In response to determining that the ratio is larger than the predetermined first threshold, the polling mode is applied to the first I/O command through the submission of the first I/O command to a first polling queue in the multiple polling queues.
Type: Grant
Filed: June 28, 2022
Date of Patent: November 5, 2024
Assignee: VMware LLC
Inventors: Ran Peng, Yang Bai, Wenchao Cui, Yu Zhao, Zhihao Yao
-
Patent number: 12137154
Abstract: Described herein are systems, methods, and software to manage new and updated containerized network functions (CNFs). In one implementation, a management service identifies a CNF in a first repository. Once identified, the management service identifies one or more configuration parameters associated with the CNF and updates one or more files for the CNF with the one or more configuration parameters. The management service then stores at least the one or more files for the CNF in a second repository. In some implementations, the management service will monitor the first repository for modifications associated with the CNF and will update the files in the second repository based on the modifications.
Type: Grant
Filed: January 19, 2023
Date of Patent: November 5, 2024
Assignee: VMware LLC
Inventor: Vipin Balachandran
-
Patent number: 12137054
Abstract: The rate of incoming data records in a data stream is dynamically limited based on stream delay. A current delay representing a latency between a beginning of the data stream and a currently processed data record is obtained. A maximum delay representing a maximum tolerated delay is determined. A threshold delay representing a delay value that triggers calculation of a new drop rate is determined. A drop rate is calculated based on the current delay, the maximum delay, and the threshold delay. The drop rate represents a percentage of the incoming data records. A drop strategy is selected. One or more data records are discarded from the incoming data stream based on the drop rate, according to the drop strategy.
Type: Grant
Filed: April 28, 2023
Date of Patent: November 5, 2024
Assignee: VMware LLC
Inventors: Antonio Kristiyanov Filipov, Davor Roglic, Ivan Dimitrov Duhov, Dimitar Veskov Petkov, Petar Penev
-
Patent number: 12131189
Abstract: A computer-implemented method, computer-readable medium, and computer system that involve operations including receiving, from a computing cluster, a first request for changing a first object type specified by an approval policy resource, where the approval policy resource is a first one of a plurality of custom resources; identifying, in response to receiving the first request and using a second custom resource of the plurality, an approval process associated with the first object type; performing the approval process associated with the first object type; and sending, to the computing cluster, a first notification indicating that the request has been approved.
Type: Grant
Filed: February 2, 2023
Date of Patent: October 29, 2024
Assignee: VMware LLC
Inventors: Thomas James O'Rourke, Brian Davis, Abhinandan Baheti, Matthew Carpenter, Vivek Kumar Singh
-
Patent number: 12132780
Abstract: Some embodiments of the invention provide novel methods for performing services on data messages passing through a network connecting one or more datacenters, such as software defined datacenters (SDDCs). The method of some embodiments uses service containers executing on host computers to perform different chains (e.g., ordered sequences) of services on different data message flows. For a data message of a particular data message flow that is received or generated at a host computer, the method in some embodiments uses a service classifier executing on the host computer to identify a service chain that specifies several services to perform on the data message. For each service in the identified service chain, the service classifier identifies a service container for performing the service. The service classifier then forwards the data message to a service forwarding element to forward the data message through the service containers identified for the identified service chain.
Type: Grant
Filed: July 7, 2023
Date of Patent: October 29, 2024
Assignee: VMware LLC
Inventors: Jeremy Tidemann, Constantine Polychronopoulos, Marc-Andre Bordeleau, Edward Choh, Ojas Gupta, Robert Kidd, Raja Kommula, Georgios Oikonomou, Mingjie Zhao
-
Patent number: 12130714
Abstract: A method and system for performing a flexible Byzantine fault tolerant (BFT) protocol. The method includes sending, from a client device, a proposed value to a plurality of replica devices and receiving, from at least one of the plurality of replica devices, a safe vote on the proposed value. The replica device sends the safe vote, based on a first quorum being reached, to the client device and each of the other replica devices of the plurality of replica devices. The method further includes determining that a number of received safe votes for the proposed value meets or exceeds a second quorum threshold, selecting the proposed value based on the determination, and setting a period of time within which to receive additional votes. The method further includes, based on the period of time elapsing without receiving the additional votes, committing the selected value for the single view.
Type: Grant
Filed: September 21, 2023
Date of Patent: October 29, 2024
Assignee: VMware LLC
Inventors: Ittai Abraham, Dahlia Malkhi, Kartik Nayak, Ling Ren
-
Patent number: 12130791
Abstract: A method for modifying key-value pairs of a B+ tree is provided. The method receives a request to modify a particular key-value pair. Each node of the tree has a modification number. The method traverses a path on the tree from the root node toward the particular node. The traversing includes upon reaching a parent node of the path, acquiring a shared lock on both the parent node and a child node one level below the parent node. Upon determining that the child node is the particular node, the method stores the modification number of the particular node, releases the shared lock on the particular node, compares a current modification number of the node with its stored number, and acquires an exclusive lock on the node if the numbers are the same. The method increments the current modification number of the node and modifies it while in the exclusive lock.
Type: Grant
Filed: May 8, 2023
Date of Patent: October 29, 2024
Assignee: VMware LLC
Inventors: Hardik Singh Negi, Wenguang Wang, Eric Knauft
-
Patent number: 12130734
Abstract: Virtual memory space may be saved in a clone environment by leveraging the similarity of the data signatures in swap files when a chain of virtual machines (VMs) includes clones spawned from a common parent and executing common applications. Deduplication is performed across the chain, rather than merely within each VM. Examples include generating a common deduplication identifier (ID) for the chain; generating a logical addressing table linked to the deduplication ID, for each of the VMs in the chain; and generating a hash table for the chain. Examples further include, based at least on a swap out request, generating a hash value for a block of memory to be written to a storage medium; and based at least on finding the hash value within the hash table, updating the logical addressing table to indicate a location of a prior-existing duplicate of the block on the storage medium.
Type: Grant
Filed: November 17, 2022
Date of Patent: October 29, 2024
Assignee: VMware LLC
Inventors: Tanay Ganguly, Zubraj Singha, Goresh Musalay, Kashish Bhatia
-
Patent number: 12132671
Abstract: Some embodiments provide a novel method for deploying different virtual networks over several public cloud datacenters for different entities. For each entity, the method (1) identifies a set of public cloud datacenters of one or more public cloud providers to connect a set of machines of the entity, (2) deploys managed forwarding nodes (MFNs) for the entity in the identified set of public cloud datacenters, and then (3) configures the MFNs to implement a virtual network that connects the entity's set of machines across its identified set of public cloud datacenters. In some embodiments, the method identifies the set of public cloud datacenters for an entity by receiving input from the entity's network administrator. In some embodiments, this input specifies the public cloud providers to use and/or the public cloud regions in which the virtual network should be defined. Conjunctively, or alternatively, this input in some embodiments specifies actual public cloud datacenters to use.
Type: Grant
Filed: August 20, 2023
Date of Patent: October 29, 2024
Assignee: VMware LLC
Inventors: Israel Cidon, Prashanth Venugopal, Aran Bergman, Chen Dar, Alex Markuze, Eyal Zohar