CICI: UCSS: Secure Containers in High-Performance Computing Infrastructure

Ensuring the security and privacy of high-performance computing (HPC) infrastructures is of utmost importance due to their handling of sensitive data and critical scientific computations. HPC infrastructures commonly employ containers, which provide lightweight and isolated environments for running applications. Nevertheless, containers in HPC infrastructures encounter security challenges, including insecure container images and vulnerabilities related to isolation.

Existing container image scanners face a major challenge of low coverage, while current container runtimes struggle to ensure both security and performance for HPC workloads simultaneously. This project addresses these challenges by developing secure containers specifically tailored for HPC infrastructures. The project introduces innovative solutions, including the development of an efficient image vulnerability scanner and a secure container runtime.

These systems incorporate various customized optimizations for security and performance targeting HPC workloads. Additionally, educational efforts are made to integrate the research findings into graduate and undergraduate curriculum development. Outreach activities are conducted to encourage participation from underrepresented groups and promote cybersecurity awareness and HPC expertise in the states of Texas and Delaware.

The project consists of two primary tasks. The first task focuses on designing an efficient image vulnerability scanner using innovative and feasible techniques. The research team designs a novel method for container image vulnerability detection based on cross-language code similarity detection.

This approach combines graph neural networks with a language-agnostic code representation that leverages natural language processing techniques. Furthermore, it designs an efficient and scalable online search solution. The second task involves developing a secure and high-performance container runtime by utilizing a lightweight virtual machine hypervisor.

Additionally, the runtime is optimized based on the characteristics of HPC workloads with the goal of improving both security and performance.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.