Declarative security-aware computation placement
BOCCI, ALESSANDRO
2023
Abstract
Security is a major concern for developers and operators of applications in the Cloud-Edge continuum. This thesis leverages security-by-design approaches to improve application security by proposing and prototyping declarative methodologies that support the deployment of applications. On the one hand, we propose a methodology for placing Function-as-a-Service (FaaS) orchestrations onto heterogeneous infrastructures of the Cloud-Edge continuum, considering hardware and software requirements and latency constraints on function-function and function-service interactions, and exploiting information-flow techniques to prevent information leaks through side channels. On the other hand, we present a methodology to determine safe partitionings of Cloud multi-component applications so that they can be placed on Separation Kernel (SK) technologies, safely isolating software components in different domains. Through a probabilistic cost model, we enable application operators to select the best trade-off partitioning in terms of future re-partitioning costs and the number of domains. Our methodologies exploit information-flow security techniques to protect the data confidentiality of applications, relying on declarative methods to model applications and their data flow. All proposed solutions are implemented as prototypes and experimentally assessed to estimate their performance.

File | Size | Format |
---|---|---|
activity_list.pdf (not available) | 137.46 kB | Adobe PDF |
Bocci_PhD_Thesis.pdf (open access) | 5.38 MB | Adobe PDF |
Documents in UNITESI are protected by copyright and all rights are reserved, unless otherwise indicated.
https://hdl.handle.net/20.500.14242/216512
URN:NBN:IT:UNIPI-216512