Introduction to Qubes OS
|
|
|
- Arnold Jefferson
- 6 years ago
- Views:
Transcription
1 Introduction to Qubes OS bhyvecon Tokyo
2 Self-introduction Yuma Takeda KEIO Univ. Researching about security in low-layer Participant of Security Camp '11, '13 CTF EpsilonDelta
3 What is Qubes OS?
4 What is Qubes OS? Secure VM developing by Invisible Things Lab Security by Isolation Open Source(GPL v2) Based on Xen So today I don't speak about bhyve Wish I could supply some inspiration for you!
5 Invisible Things Lab
6 Invisible Things Lab Founded by Joanna Rutkowska in 2007 Blue Pill Who forced Citrix to publish souces of XenClient Published Blue Pill[SyScan'06] when she were in COSEINC VT based rootkit(hypervisor) Previous rootkit were on Ring 0 Hooking System Call Altering Kernel Structure So we can detect it
7 Invisible Things Lab VT based rootkit were on Ring -1 So we can hardly detect it *after infection* For now, VT based rootkit is not serious threat
8 Invisible Things Lab They had been researched about rootkit SMM(System Management Mode) Intel TXT(Trusted Execution Technology) Now they are developing Secure VM focused on mechanism of Xen
9 Well... What's the difference between Xen and KVM?
10 Review: difference betwen Xen and KVM Virtualization methods Intrrupt Memory mapping
11 Review: difference betwen Xen and KVM Xen Para-Virtualized OS Priviledged Domain Para-Virtualized OS Xen Hardware Para-Virtualization Full-Virtualization by Intel VT Full-Virtualized OS
12 Review: difference betwen Xen and KVM KVM Full-Virtualized OS Full-Virtualized OS Linux + KVM Hardware Full-Virtualization Para-Virtualization by virtio Full-Virtualized OS
13 Review: difference betwen Xen and KVM Virtualization methods Para-Virtualization Full-Virtualization Modify OS for virtualized environment No need of full hardware emulation No need of modifying OS Inturrupt Xen uses event channnel KVM uses MSI(-X)
14 Review: difference betwen Xen and KVM Memory mapping KVM Gest-Physical memory space is part of host-virtual memory space of QEMU Xen Mapping Gest-Physical memory space On demand Both use HW-assisted virtualization Intel VT, AMD-V
15 Well... What is Intel VT?
16 Review: Intel VT Handling sensitive instructions How to emulate it? Tired to rewriting instrctuions by hand
17 Review: Intel VT(VMX) 1.Load some settings to VMCS 2.Set CPU to VMCS 3.VMLAUNCH VMEntry, Enter VMX nonroot mode(guest mode) 4.Execute guest environment 5.Cause of trap VMExit, Enter VMX root mode 6.Check VMExit reasons, emulation 7.VMRESUME VMEntry, Enter VMX nonroot mode 4
18 Review: Intel VT(VMX) What is VMCS? Virtual Machine Control Structure Program Counter Register VM What to trap
19 Review: Intel VT(EPT) Simplifying Paging Tired to twice translation Shadow Page Table EPT Extended Page Table Address translation by HW Reduction of Overhead
20 Review: Intel VT(EPT) We can easily make VMM using VT! KVM Xen... Need of HyperCall Full-Virtualization by VT
21 Xen Virtualization Xen has a Dom0(host) and some DomU(guest) VM(Dom0) Driver Backend Driver VM(DomU 1) VM(DomU 2) Frontend Driver Frontend Driver Xen Hardware
22 Xen Virtualization Xen hypervisor execute Dom0 before DomU Dom0 manages other DomU Only Privilege Domain is allowed to access all HW DomU ask Dom0 to HW access via Backend/Frontend Driver Qubes OS apply this architecture to security
23 Concept of Qubes OS
24 Desktop Environment Qubes OS want to provide strong security to desktop environment Spreadsheet with your company's data Web Browser Mail Client
25 Desktop Environment People use different applications there Spreadsheet with your company's data Mail Client Web Browser Game
26 Desktop Environment If this game was malware? Spreadsheet with your company's data Mail Client Information leakage Web Browser Game
27 Desktop Environment If the Web Browser has vulnerability? Spreadsheet with your company's data Information leakage Web Browser Mail Client
28 It's Painful!
29 Two Approaches Security by Correctness Security by Isolation
30 Security by Correctness Code Auditing Developers education Microsoft Security Development Lifecycle Testing Fuzzing Safe Programming Language It doesn't work in practice!
31 Security by Isolation We want the OS to provide isolation between various apps If some of them get compromised... Spreadsheet with your company's data Mail Client Web Browser Game Cutoff
32 Security by Isolation We want to even decompose some apps... e.g. Web Browser Internal Systems Shopping News Googling
33 Security by Isolation Isolation provided by OSes are not enogh? Address space isolation User accounts isolation ACL Kernel/User space separation chroot systrace SELinux Secure level of BSD They don't work in practice!
34 Security by Isolation Monolithic kernels are buggy! Hundreds of 3rd-party drivers cannot be made secure! One bug to rule them all!
35 Then, Qubes OS
36 Virtualization for rescue!
37 Melits of virtualization Bug(vuln) is proportional to LOC[SOSP01] Linux: ten of millions LOC! Bare-metal hypervisor: 100k~300k LOC only!
38 Conceptual Diagram App Domain Strage Domain Network Domain Domain 0 Come true Isolation!!!
39 Dom0 Provides secure environment and manager Dom0 doesn't contain Network function and Storage function Only 25k LOC!!!!!!!!
40 Strage Domain Non-privileged VM Only support Storage function
41 Network Domain Non-privileged VM Only support Network function
42 AppVM Main Qubes building blocks(cubes) Hosts user applications We can create VM(Domain) depending on their Use Work Shopping Personal Domains are isolated each other SECURE! Created by Template VM(Read Only)
43 AppVM Disposable VM Lightweight Only supports ONE application If compromised, there are no informations 400MB per VM Centrally Updatable Each app gets a label (VM name + color frame) that is applied by the Window Manager running in Dom0
44 AppVM Work VM Shopping VM Desktop ハイパーバイザによるIsolation Work VM
45 Screenshot 列 1 列 2 列 行 1 行 2 行 3 行 4
46 Introducing Qubes OS qubes-intro-apr-2010.pdf GUI Virtualization
47 VM Protection Research about VM Protections Overshadow[ASPLO08] Get context of Guest OS from VMM Encrypt pages at memory access Show process to not-encrypted memory Need original loader SP3[Vee08] Process memory encyption from VMM Set accsess control per page Has both encrypted page and not-encrypted page Reduction of Overhead
48 VM Protection Qubes OS uses Intel VT-d and Intel TXT Protecting VM DMA Protection Direct Memory Access R/W memory from HW No need of CPU
49 DMA Virtualization by Intel VT-d 1.HW DMA Request 2.DMA Remapping Engine refers to Device Assignment Structure 3.Get Address Translation Structure
50 DMA Virtualization by Intel VT-d Prevents access from the address range other than the VM at address translation At early boot sequense before VT-d initialized, Intel TXT protects VM
51 Intel TXT Trust All work as expected! Identity and Measurement Establish Trust by RTM(Root of Trust for Measurement) Reliable engine makes a measurement of integrity Root of Trust Chain of Trust
52 Intel TXT RTM Static RTM RTM cannot measures itself RTM is firmware Building Chain of Trust from booting Dynamic RTM RTM is GETSEC[SENTER] instruction Building Chain of Trust from executing instruction SENTER enable DMA protection so we can protect VM! Kill two birds with one stone
53 Intel TXT Intel TXT uses both SRTM and DRTM BIOS(chip) (SRTM) bootloader (SRTM) os (DRTM) hypervisor
54 Introducing Qubes OS qubes-intro-apr-2010.pdf Strage
55 Cross-VM Qubes OS has some Cross-VM functions Clipboard sharing File transfer via virtual disk Cross VM vulnerability is easily targeted Insert rootkit at LiveMigration[BlackHat DC08] Cross VM Side Channel Attack[CCS12] Estimate the access from another VM from response when malicious VM access physical cache continuously Might steal the key
56 Introducing Qubes OS qubes-intro-apr-2010.pdf Filesystem
57 Summaly Domain oriented VM Creates Xen's VM per use Seamless operation by GUI virtualization DMA protection by Intel VT-d Strage protection by Intel TXT Filesystem protection by VM-specific key
58 See qubes-os.org
59 Q&A?
60 Thank you!
CS-580K/480K Advanced Topics in Cloud Computing. VM Virtualization II
CS-580K/480K Advanced Topics in Cloud Computing VM Virtualization II 1 How to Build a Virtual Machine? 2 How to Run a Program Compiling Source Program Loading Instruction Instruction Instruction Instruction
Module 1: Virtualization. Types of Interfaces
Module 1: Virtualization Virtualization: extend or replace an existing interface to mimic the behavior of another system. Introduced in 1970s: run legacy software on newer mainframe hardware Handle platform
Hypervisor security. Evgeny Yakovlev, DEFCON NN, 2017
Hypervisor security Evgeny Yakovlev, DEFCON NN, 2017 whoami Low-level development in C and C++ on x86 UEFI, virtualization, security Jetico, Kaspersky Lab QEMU/KVM developer at Virtuozzo 2 Agenda Why hypervisor
Virtual Machines. Part 2: starting 19 years ago. Operating Systems In Depth IX 1 Copyright 2018 Thomas W. Doeppner. All rights reserved.
Virtual Machines Part 2: starting 19 years ago Operating Systems In Depth IX 1 Copyright 2018 Thomas W. Doeppner. All rights reserved. Operating Systems In Depth IX 2 Copyright 2018 Thomas W. Doeppner.
Virtual Machine Security
Virtual Machine Security CSE443 - Spring 2012 Introduction to Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ 1 Operating System Quandary Q: What is the primary goal
Micro VMMs and Nested Virtualization
Micro VMMs and Nested Virtualization For the TCE 4th summer school on computer security, big data and innovation Baruch Chaikin, Intel 9 September 2015 Agenda Virtualization Basics The Micro VMM Nested
Spring 2017 :: CSE 506. Introduction to. Virtual Machines. Nima Honarmand
Introduction to Virtual Machines Nima Honarmand Virtual Machines & Hypervisors Virtual Machine: an abstraction of a complete compute environment through the combined virtualization of the processor, memory,
Virtualization. Starting Point: A Physical Machine. What is a Virtual Machine? Virtualization Properties. Types of Virtualization
Starting Point: A Physical Machine Virtualization Based on materials from: Introduction to Virtual Machines by Carl Waldspurger Understanding Intel Virtualization Technology (VT) by N. B. Sahgal and D.
Virtualization. ! Physical Hardware Processors, memory, chipset, I/O devices, etc. Resources often grossly underutilized
Starting Point: A Physical Machine Virtualization Based on materials from: Introduction to Virtual Machines by Carl Waldspurger Understanding Intel Virtualization Technology (VT) by N. B. Sahgal and D.
Virtual Machine Virtual Machine Types System Virtual Machine: virtualize a machine Container: virtualize an OS Program Virtual Machine: virtualize a process Language Virtual Machine: virtualize a language
Virtualization. Pradipta De
Virtualization Pradipta De pradipta.de@sunykorea.ac.kr Today s Topic Virtualization Basics System Virtualization Techniques CSE506: Ext Filesystem 2 Virtualization? A virtual machine (VM) is an emulation
Advanced Systems Security: Virtual Machine Systems
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
Advanced Operating Systems (CS 202) Virtualization
Advanced Operating Systems (CS 202) Virtualization Virtualization One of the natural consequences of the extensibility research we discussed What is virtualization and what are the benefits? 2 Virtualization
Cloud Computing Virtualization
Cloud Computing Virtualization Anil Madhavapeddy anil@recoil.org Contents Virtualization. Layering and virtualization. Virtual machine monitor. Virtual machine. x86 support for virtualization. Full and
COMPUTER ARCHITECTURE. Virtualization and Memory Hierarchy
COMPUTER ARCHITECTURE Virtualization and Memory Hierarchy 2 Contents Virtual memory. Policies and strategies. Page tables. Virtual machines. Requirements of virtual machines and ISA support. Virtual machines:
Nested Virtualization Update From Intel. Xiantao Zhang, Eddie Dong Intel Corporation
Nested Virtualization Update From Intel Xiantao Zhang, Eddie Dong Intel Corporation Legal Disclaimer INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED,
The Challenges of X86 Hardware Virtualization. GCC- Virtualization: Rajeev Wankar 36
The Challenges of X86 Hardware Virtualization GCC- Virtualization: Rajeev Wankar 36 The Challenges of X86 Hardware Virtualization X86 operating systems are designed to run directly on the bare-metal hardware,
Making Nested Virtualization Real by Using Hardware Virtualization Features
Making Nested Virtualization Real by Using Hardware Virtualization Features May 28, 2013 Jun Nakajima Intel Corporation 1 Legal Disclaimer INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL
Intel s Virtualization Extensions (VT-x) So you want to build a hypervisor?
Intel s Virtualization Extensions (VT-x) So you want to build a hypervisor? Mr. Jacob Torrey May 13, 2014 Dartmouth College 153 Brooks Road, Rome, NY 315.336.3306 http://ainfosec.com @JacobTorrey torreyj@ainfosec.com
Virtual Machines. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University
Virtual Machines Jinkyu Jeong (jinkyu@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu Today's Topics History and benefits of virtual machines Virtual machine technologies
Chapter 5 C. Virtual machines
Chapter 5 C Virtual machines Virtual Machines Host computer emulates guest operating system and machine resources Improved isolation of multiple guests Avoids security and reliability problems Aids sharing
What is KVM? KVM patch. Modern hypervisors must do many things that are already done by OSs Scheduler, Memory management, I/O stacks
LINUX-KVM The need for KVM x86 originally virtualization unfriendly No hardware provisions Instructions behave differently depending on privilege context(popf) Performance suffered on trap-and-emulate
CS 550 Operating Systems Spring Introduction to Virtual Machines
CS 550 Operating Systems Spring 2018 Introduction to Virtual Machines 1 How to share a physical computer Operating systems allows multiple processes/applications to run simultaneously Via process/memory
CprE Virtualization. Dr. Yong Guan. Department of Electrical and Computer Engineering & Information Assurance Center Iowa State University
Virtualization Dr. Yong Guan Department of Electrical and Computer Engineering & Information Assurance Center Iowa State University Outline for Today s Talk Introduction Virtualization Technology Applications
Extended Page Tables (EPT) A VMM must protect host physical memory Multiple guest operating systems share the same host physical memory VMM typically implements protections through page-table shadowing
Advanced Systems Security: Virtual Machine Systems
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
CSE543 - Computer and Network Security Module: Virtualization
CSE543 - Computer and Network Security Module: Virtualization Professor Trent Jaeger CSE543 - Introduction to Computer and Network Security 1 1 Operating System Quandary Q: What is the primary goal of
CSE 120 Principles of Operating Systems
CSE 120 Principles of Operating Systems Spring 2018 Lecture 16: Virtual Machine Monitors Geoffrey M. Voelker Virtual Machine Monitors 2 Virtual Machine Monitors Virtual Machine Monitors (VMMs) are a hot
Virtualisation: The KVM Way. Amit Shah
Virtualisation: The KVM Way Amit Shah amit.shah@qumranet.com foss.in/2007 Virtualisation Simulation of computer system in software Components Processor Management: register state, instructions, exceptions
Nested Virtualization and Server Consolidation
Nested Virtualization and Server Consolidation Vara Varavithya Department of Electrical Engineering, KMUTNB varavithya@gmail.com 1 Outline Virtualization & Background Nested Virtualization Hybrid-Nested
4th Generation Intel Core vpro Processors with Intel VMCS Shadowing
white paper 4th Generation Intel Core vpro Processors with Intel VMCS Shadowing Enhancing the Performance of Citrix XenClient and McAfee Deep Defender* Contents Executive Summary... 1 Hardware-Assisted
CSE543 - Computer and Network Security Module: Virtualization
CSE543 - Computer and Network Security Module: Virtualization Professor Trent Jaeger CSE543 - Introduction to Computer and Network Security 1 Operating System Quandary Q: What is the primary goal of system
COSC6376 Cloud Computing Lecture 14: CPU and I/O Virtualization
COSC6376 Cloud Computing Lecture 14: CPU and I/O Virtualization Instructor: Weidong Shi (Larry), PhD Computer Science Department University of Houston Outline CPU Virtualization I/O Virtualization Types
Virtualization (II) SPD Course 17/03/2010 Massimo Coppola
Virtualization (II) SPD Course 17/03/2010 Massimo Coppola The players The Hypervisor (HV) implements the virtual machine emulation to run a Guest OS Provides resources and functionalities to the Guest
Virtual Machine Monitors!
ISA 673 Operating Systems Security Virtual Machine Monitors! Angelos Stavrou, George Mason University! Virtual Machine Monitors 2! Virtual Machine Monitors (VMMs) are everywhere! Industry commitment! Software:
CSE543 - Computer and Network Security Module: Virtualization
CSE543 - Computer and Network Security Module: Virtualization Professor Trent Jaeger CSE543 - Introduction to Computer and Network Security 1 Operating System Quandary Q: What is the primary goal of system
CS370 Operating Systems
CS370 Operating Systems Colorado State University Yashwant K Malaiya Fall 2017 Lecture 27 Virtualization Slides based on Various sources 1 1 Virtualization Why we need virtualization? The concepts and
Nested Virtualization Friendly KVM
Nested Virtualization Friendly KVM Sheng Yang, Qing He, Eddie Dong 1 Virtualization vs. Nested Virtualization Single-Layer Virtualization Multi-Layer (Nested) Virtualization (L2) Virtual Platform (L1)
Virtualization, Xen and Denali
Virtualization, Xen and Denali Susmit Shannigrahi November 9, 2011 Susmit Shannigrahi () Virtualization, Xen and Denali November 9, 2011 1 / 70 Introduction Virtualization is the technology to allow two
Virtualization. Operating Systems, 2016, Meni Adler, Danny Hendler & Amnon Meisels
Virtualization Operating Systems, 2016, Meni Adler, Danny Hendler & Amnon Meisels 1 What is virtualization? Creating a virtual version of something o Hardware, operating system, application, network, memory,
Virtualization and memory hierarchy
Virtualization and memory hierarchy Computer Architecture J. Daniel García Sánchez (coordinator) David Expósito Singh Francisco Javier García Blas ARCOS Group Computer Science and Engineering Department
EE 660: Computer Architecture Cloud Architecture: Virtualization
EE 660: Computer Architecture Cloud Architecture: Virtualization Yao Zheng Department of Electrical Engineering University of Hawaiʻi at Mānoa Based on the slides of Prof. Roy Campbell & Prof Reza Farivar
Virtualization Introduction
Virtualization Introduction Simon COTER Principal Product Manager Oracle VM & VirtualBox simon.coter@oracle.com https://blogs.oracle.com/scoter November 21 st, 2016 Safe Harbor Statement The following
CHAPTER 16 - VIRTUAL MACHINES
CHAPTER 16 - VIRTUAL MACHINES 1 OBJECTIVES Explore history and benefits of virtual machines. Discuss the various virtual machine technologies. Describe the methods used to implement virtualization. Show
I/O and virtualization
I/O and virtualization CSE-C3200 Operating systems Autumn 2015 (I), Lecture 8 Vesa Hirvisalo Today I/O management Control of I/O Data transfers, DMA (Direct Memory Access) Buffering Single buffering Double
Xen is not just paravirtualization
Xen is not just paravirtualization Dongli Zhang Oracle Asia Research and Development Centers (Beijing) dongli.zhang@oracle.com December 16, 2016 Dongli Zhang (Oracle) Xen is not just paravirtualization
Hardware assisted Virtualization in Embedded
Hardware assisted Virtualization in Embedded Tanveer Alam Platform Architect Embedded Virtualization Sponsored by: & Agenda Embedded Virtualization What is embedded? Embedded specific requirements Key
OS Security IV: Virtualization and Trusted Computing
1 OS Security IV: Virtualization and Trusted Computing Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab2 More questions? 3 Virtual machine monitor +-----------+----------------+-------------+
Introduction to SGX (Software Guard Extensions) and SGX Virtualization. Kai Huang, Jun Nakajima (Speaker) July 12, 2017
Introduction to SGX (Software Guard Extensions) and SGX Virtualization Kai Huang, Jun Nakajima (Speaker) July 12, 2017 1 INTEL RESTRICTED SECRET Agenda SGX Introduction Xen SGX Virtualization Support Backup
Virtualization with XEN. Trusted Computing CS599 Spring 2007 Arun Viswanathan University of Southern California
Virtualization with XEN Trusted Computing CS599 Spring 2007 Arun Viswanathan University of Southern California A g e n d a Introduction Virtualization approaches Basic XEN Architecture Setting up XEN Bootstrapping
Virtually Impossible
Virtually Impossible The Reality of Virtualization Security Gal Diskin / Chief Research Officer / Cyvera LTD. /WhoAmI? Chief Research Officer @ Cvyera LTD Formerly Security Evaluation Architect of the
Lecture 7. Xen and the Art of Virtualization. Paul Braham, Boris Dragovic, Keir Fraser et al. 16 November, Advanced Operating Systems
Lecture 7 Xen and the Art of Virtualization Paul Braham, Boris Dragovic, Keir Fraser et al. Advanced Operating Systems 16 November, 2011 SOA/OS Lecture 7, Xen 1/38 Contents Virtualization Xen Memory CPU
Lecture 5: February 3
CMPSCI 677 Operating Systems Spring 2014 Lecture 5: February 3 Lecturer: Prashant Shenoy Scribe: Aditya Sundarrajan 5.1 Virtualization Virtualization is a technique that extends or replaces an existing
LINUX Virtualization. Running other code under LINUX
LINUX Virtualization Running other code under LINUX Environment Virtualization Citrix/MetaFrame Virtual desktop under Windows NT. aka Windows Remote Desktop Protocol VNC, Dameware virtual console. XWindows
DOUG GOLDSTEIN STAR LAB XEN SUMMIT AUG 2016 ATTACK SURFACE REDUCTION
DOUG GOLDSTEIN STAR LAB XEN SUMMIT 2016 25 AUG 2016 ATTACK SURFACE REDUCTION OVERVIEW TOPICS Define attack surface Discuss parts of Xen s attack surface Attack surface metrics for Xen Define attack surface
Secure Containers with EPT Isolation
Secure Containers with EPT Isolation Chunyan Liu liuchunyan9@huawei.com Jixing Gu jixing.gu@intel.com Presenters Jixing Gu: Software Architect, from Intel CIG SW Team, working on secure container solution
The only open-source type-1 hypervisor
Monika Danikáková What is Xen? The only open-source type-1 hypervisor For Unix and Unix-like OS Linux, NetBSD and OpenSolaris From ancient greek term Xenos (ξένος), guest-friends Developed by the University
Introduction Construction State of the Art. Virtualization. Bernhard Kauer OS Group TU Dresden Dresden,
Virtualization Bernhard Kauer OS Group TU Dresden bk@vmmon.org Dresden, 2010-07-15 Motivation The vision: general-purpose OS secure trustworthy small fast fancy First problem: Legacy Application Supporting
LINUX KVM FRANCISCO JAVIER VARGAS GARCIA-DONAS CLOUD COMPUTING 2017
LINUX KVM FRANCISCO JAVIER VARGAS GARCIA-DONAS CLOUD COMPUTING 2017 LINUX KERNEL-BASED VIRTUAL MACHINE KVM (for Kernel-based Virtual Machine) is a full virtualization solution for Linux on x86 hardware
Virtualization. ...or how adding another layer of abstraction is changing the world. CIS 399: Unix Skills University of Pennsylvania.
Virtualization...or how adding another layer of abstraction is changing the world. CIS 399: Unix Skills University of Pennsylvania April 6, 2009 (CIS 399 Unix) Virtualization April 6, 2009 1 / 22 What
CSC 5930/9010 Cloud S & P: Virtualization
CSC 5930/9010 Cloud S & P: Virtualization Professor Henry Carter Fall 2016 Recap Network traffic can be encrypted at different layers depending on application needs TLS: transport layer IPsec: network
I Don't Want to Sleep Tonight:
I Don't Want to Sleep Tonight: Subverting Intel TXT with S3 Sleep Seunghun Han, Jun-Hyeok Park (hanseunghun parkparkqw)@nsr.re.kr Wook Shin, Junghwan Kang, HyoungChun Kim (wshin ultract khche)@nsr.re.kr
Multi-Hypervisor Virtual Machines: Enabling An Ecosystem of Hypervisor-level Services
Multi-Hypervisor Virtual Machines: Enabling An Ecosystem of Hypervisor-level s Kartik Gopalan, Rohith Kugve, Hardik Bagdi, Yaohui Hu Binghamton University Dan Williams, Nilton Bila IBM T.J. Watson Research
Zdeněk Kubala Senior QA
(Kernel) Isolation PV, HVM, OS-V technologies in Linux Introduction and description of the isolation diferences between HM, PV and OS-level virt. technologies. Zdeněk Kubala Senior QA Engineer zkubala@suse.com
CS 350 Winter 2011 Current Topics: Virtual Machines + Solid State Drives
CS 350 Winter 2011 Current Topics: Virtual Machines + Solid State Drives Virtual Machines Resource Virtualization Separating the abstract view of computing resources from the implementation of these resources
Optimizing and Enhancing VM for the Cloud Computing Era. 20 November 2009 Jun Nakajima, Sheng Yang, and Eddie Dong
Optimizing and Enhancing VM for the Cloud Computing Era 20 November 2009 Jun Nakajima, Sheng Yang, and Eddie Dong Implications of Cloud Computing to Virtualization More computation and data processing
Computer Architecture Background
CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 2b Computer Architecture Background Marten van Dijk Syed Kamran Haider, Chenglu Jin, Phuong Ha Nguyen Department of Electrical & Computer Engineering
About the XenClient Enterprise Solution
About the XenClient Enterprise Solution About the XenClient Enterprise Solution About the XenClient Enterprise Solution XenClient Enterprise is a distributed desktop virtualization solution that makes
Operating system hardening
Operating system Comp Sci 3600 Security Outline 1 2 3 4 5 6 What is OS? Hardening process that includes planning, ation, uration, update, and maintenance of the operating system and the key applications
Virtualization. Adam Belay
Virtualization Adam Belay What is a virtual machine Simulation of a computer Running as an application on a host computer Accurate Isolated Fast Why use a virtual machine? To run multiple
A Survey on Security Isolation of Virtualization, Containers, and Unikernels
ARL-TR-8029 MAY 2017 US Army Research Laboratory A Survey on Security Isolation of Virtualization, Containers, and Unikernels by Michael J De Lucia NOTICES Disclaimers The findings in this report are not
Lecture 5. KVM for ARM. Christoffer Dall and Jason Nieh. 5 November, Operating Systems Practical. OSP Lecture 5, KVM for ARM 1/42
Lecture 5 KVM for ARM Christoffer Dall and Jason Nieh Operating Systems Practical 5 November, 2014 OSP Lecture 5, KVM for ARM 1/42 Contents Virtualization KVM Virtualization on ARM KVM/ARM: System architecture
ACRN: A Big Little Hypervisor for IoT Development
ACRN: A Big Little Hypervisor for IoT Development Eddie Dong, Intel Open Source Technology Center Key contributors: Christopher Cormack, Matthew Curfman, Jeff Jackson Table of Contents PART 1: ACRN Overview..
Distributed Systems COMP 212. Lecture 18 Othon Michail
Distributed Systems COMP 212 Lecture 18 Othon Michail Virtualisation & Cloud Computing 2/27 Protection rings It s all about protection rings in modern processors Hardware mechanism to protect data and
Introduction to Cloud Computing and Virtualization. Mayank Mishra Sujesha Sudevalayam PhD Students CSE, IIT Bombay
Introduction to Cloud Computing and Virtualization By Mayank Mishra Sujesha Sudevalayam PhD Students CSE, IIT Bombay Talk Layout Cloud Computing Need Features Feasibility Virtualization of Machines What
Hardware- assisted Virtualization
Hardware- assisted Virtualization Pra$k Shah (pcshah) Rohan Pa$l (rspa$l) 15-612 Opera,ng System Prac,cum Carnegie Mellon University 1 Agenda Introduc)on to VT- x CPU virtualiza)on with VT- x VMX VMX Transi$ons
VIRTUALIZATION: IBM VM/370 AND XEN
1 VIRTUALIZATION: IBM VM/370 AND XEN CS6410 Hakim Weatherspoon IBM VM/370 Robert Jay Creasy (1939-2005) Project leader of the first full virtualization hypervisor: IBM CP-40, a core component in the VM
Multiprocessor Scheduling. Multiprocessor Scheduling
Multiprocessor Scheduling Will consider only shared memory multiprocessor or multi-core CPU Salient features: One or more caches: cache affinity is important Semaphores/locks typically implemented as spin-locks:
IBM Research Report. The Turtles Project: Design and Implementation of Nested Virtualization
H-0282 (H1001-004) January 9, 2010 Computer Science IBM Research Report The Turtles Project: Design and Implementation of Nested Virtualization Muli Ben-Yehuda 1, Michael D. Day 2, Zvi Dubitzky 1, Michael
Xen VT status and TODO lists for Xen-summit. Arun Sharma, Asit Mallick, Jun Nakajima, Sunil Saxena
Xen VT status and TODO lists for Xen-summit Arun Sharma, Asit Mallick, Jun Nakajima, Sunil Saxena R Outline VMX Guests Status Summary Status Domain0 restructuring PCI/IOAPIC X86-64 VMX guests enhancements
Confinement. Steven M. Bellovin November 1,
Confinement Steven M. Bellovin November 1, 2016 1 Security Architecture We ve been looking at how particular applications are secured We need to secure not just a few particular applications, but many
Dune: Safe User- level Access to Privileged CPU Features
Dune: Safe User- level Access to Privileged CPU Features Adam Belay, Andrea Bi>au, Ali MashAzadeh, David Terei, David Mazières, and Christos Kozyrakis Stanford University A quick review of VirtualizaAon
The Price of Safety: Evaluating IOMMU Performance
The Price of Safety: Evaluating IOMMU Performance Muli Ben-Yehuda 1 Jimi Xenidis 2 Michal Ostrowski 2 Karl Rister 3 Alexis Bruemmer 3 Leendert Van Doorn 4 1 muli@il.ibm.com 2 {jimix,mostrows}@watson.ibm.com
MultiNyx: A Multi-Level Abstraction Framework for Systematic Analysis of Hypervisors. Pedro Fonseca, Xi Wang, Arvind Krishnamurthy
MultiNyx: A Multi-Level Abstraction Framework for Systematic Analysis of Hypervisors Pedro Fonseca, Xi Wang, Arvind Krishnamurthy Hypervisor correctness is critical Hypervisors need to virtualize correctly
Virtual machine architecture and KVM analysis D 陳彥霖 B 郭宗倫
Virtual machine architecture and KVM analysis D97942011 陳彥霖 B96902030 郭宗倫 Virtual machine monitor serves as an interface between hardware and software; no matter what kind of hardware under, software can
IBM Research Report. The Turtles Project: Design and Implementation of Nested Virtualization
H-0282 (H1001-004) January 9, 2010 Computer Science IBM Research Report The Turtles Project: Design and Implementation of Nested Virtualization Muli Ben-Yehuda 1, Michael D. Day 2, Zvi Dubitzky 1, Michael
RISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas
RISCV with Sanctum Enclaves Victor Costan, Ilia Lebedev, Srini Devadas Today, privilege implies trust (1/3) If computing remotely, what is the TCB? Priviledge CPU HW Hypervisor trusted computing base OS
Xen on ARM. Stefano Stabellini
Xen on ARM Stefano Stabellini What is Xen? a type-1 hypervisor small footprint (less than 90K LOC) Xen: Open Source GPLv2 with DCO (like Linux) Diverse contributor community Xen: Open Source source: Mike
Hardware Virtualization Trends
Hardware Virtualization Trends Leendert van Doorn Hardware Virtualization Trends 6/14/2006 2 Hardware Virtualization Trends 6/14/2006 Outline Virtualization 101 The world is changing Processor virtualization
Linux Virtualization Update
Linux Virtualization Update Chris Wright Japan Linux Symposium, November 2007 Intro Virtualization mini summit Paravirtualization Full virtualization Hardware changes Libvirt Xen Virtualization
Programmed I/O accesses: a threat to Virtual Machine Monitors?
Programmed I/O accesses: a threat to Virtual Machine Monitors? Loïc Duflot & Laurent Absil Central Department for Information Systems Security SGDN/DCSSI 51 boulevard de la Tour Maubourg 75007 Paris Introduction
CS 470 Spring Virtualization and Cloud Computing. Mike Lam, Professor. Content taken from the following:
CS 470 Spring 2018 Mike Lam, Professor Virtualization and Cloud Computing Content taken from the following: A. Silberschatz, P. B. Galvin, and G. Gagne. Operating System Concepts, 9 th Edition (Chapter
Björn Döbel. Microkernel-Based Operating Systems. Exercise 3: Virtualization
Faculty of Computer Science Institute for System Architecture, Operating Systems Group Björn Döbel Microkernel-Based Operating Systems Exercise 3: Virtualization Emulation Virtualization Emulation / Simulation
Xen Project 4.4: Features and Futures. Russell Pavlicek Xen Project Evangelist Citrix Systems
Xen Project 4.4: Features and Futures Russell Pavlicek Xen Project Evangelist Citrix Systems About This Release Xen Project 4.4.0 was released on March 10, 2014. This release is the work of 8 months of
OS Virtualization. Why Virtualize? Introduction. Virtualization Basics 12/10/2012. Motivation. Types of Virtualization.
Virtualization Basics Motivation OS Virtualization CSC 456 Final Presentation Brandon D. Shroyer Types of Virtualization Process virtualization (Java) System virtualization (classic, hosted) Emulation
1 Virtualization Recap
1 Virtualization Recap 2 Recap 1 What is the user part of an ISA? What is the system part of an ISA? What functionality do they provide? 3 Recap 2 Application Programs Libraries Operating System Arrows?
Course Review. Hui Lu
Course Review Hui Lu Syllabus Cloud computing Server virtualization Network virtualization Storage virtualization Cloud operating system Object storage Syllabus Server Virtualization Network Virtualization
I/O virtualization. Jiang, Yunhong Yang, Xiaowei Software and Service Group 2009 虚拟化技术全国高校师资研讨班
I/O virtualization Jiang, Yunhong Yang, Xiaowei 1 Legal Disclaimer INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE,
W11 Hyper-V security. Jesper Krogh.
W11 Hyper-V security Jesper Krogh jesper_krogh@dell.com Jesper Krogh Speaker intro Senior Solution architect at Dell Responsible for Microsoft offerings and solutions within Denmark Specialities witin:
CLOUD COMPUTING IT0530. G.JEYA BHARATHI Asst.Prof.(O.G) Department of IT SRM University
CLOUD COMPUTING IT0530 G.JEYA BHARATHI Asst.Prof.(O.G) Department of IT SRM University What is virtualization? Virtualization is way to run multiple operating systems and user applications on the same