Sikker: A Distributed System Architecture for Secure High Performance Computing

After decades of evolution, the network requirements of data centers, supercomputers, and cloud computing facilities are beginning to converge requiring high performance network access while supporting a secure computing environment for numerous concurrently running applications with complex interaction policies. Unfortunately, current network technologies are unable to simultaneously provide high performance network access and robust application isolation and security. As a result, system designers and application developers are forced into making trade-offs between these requirements. We propose Sikker1, a new network architecture for distributed systems under a single administrative domain. Sikker includes a novel service-oriented security and isolation model with a corresponding network interface controller, called a Network Management Unit (NMU), that enforces this model while providing high performance network access. We show that Sikker’s security model satisfies the complex interaction policies of modern large-scale distributed applications. Our experimentation results show that even when implemented on very large clusters under worst case access patterns, the message latency incurred by Sikker is 52ns on average and 66ns at the 99th percentile, a negligible increase. Smaller clusters and/or more realistic access patterns bring these overheads down in the 35-45ns range. Sikker’s serviceoriented security and isolation mechanism removes the need for high overhead software-based implementations imposed by current systems. Sikker allows distributed applications to operate in a secure environment while experiencing network performance on par with modern supercomputers.