Secure Server Project. Xen Project Developer Summit 2013 Adven9um Labs Jason Sonnek
|
|
- Prudence Gilmore
- 5 years ago
- Views:
Transcription
1 Secure Server Project Xen Project Developer Summit 2013 Adven9um Labs Jason Sonnek 1
2 Outline I. Mo9va9on, Objec9ves II. Threat Landscape III. Design IV. Status V. Roadmap 2
3 Mo9va9on In a nutshell: Secure Server Mul9plexing In a cloud environment Mul9ple tenants Goals: Ensure data and processing are safe from co- tenants Ensure controls on informa9on separa9on and flow are sa9sfied Today: Xen hypervisor, hardware- assisted virtualiza9on provide tools necessary to isolate hardware Problem: many shared components in dom0, insufficient isola9on The easy way out: Dedicated hardware for each tenant Imprac9cal when there are a large number of tenants, rela9onships are evolving 3
4 Objec9ve Cloud Management Green Orange SecureServe SecureServe ideal Enables mul9ple tenants to share a single pla[orm securely High- assurance, isolated so]ware par99ons Enables controlled informa9on sharing between tenants Supports enterprise- ready management Low cost Xen 4
5 Current State Green Orange netback xapi XenStore dom0 Xen Weakest guest is the weakest link in the system Guest aaack vector: many shared components in dom0 Device emula9on, virtual devices, toolstack, XenStore Cross- VM side channel aaacks Cloud management provides an addi9onal aaack vector Users must be able to manage and configure their VMs. XAPI: Complex (130K LOC) Interfaces with many other components. 5
6 Current State Green Compliance Orange netback xapi XenStore dom0 Desire controlled informa9on sharing between tenants Inter- VM networking Can define separate networks in dom0 Separa9on in dom0 is weaker than separa9on provided by hypervisor Goal: enable high- assurance private networks Xen 6
7 Threat Landscape Recent ( ) Xen- tagged CVE vulnerabili9es (tag cloud below) 73 vulnerabili9es represented, some with mul9ple poten9al effects 65 "guest", e.g. "allows local guest administrators to" 8 TMEM (transcendental memory) 4 "overflow" 4 3 "drivers" (all in reference to backends) 2 xenstore 7
8 Threat Landscape Aaackers target toolstack, hypervisor, management so]ware, with varying goals: Denial of Service Escala9on of Privilege Acquisi9on of Informa9on Vulnerability types on the radar: API - - arguments not adequately sanity checked Aspects of Intel/AMD instruc9on set that emulator handles incorrectly Failure to completely and correctly check permissions Weakness in recovering from error condi9ons Exploitable PCI pass- through devices, especially bus mastering capable ones Logic errors that can be triggered by unusual condi9ons Memory leaks or similar unbounded resource sinks 8
9 Near- Term Project Objec9ves Improve security posture of dom0 Isolate the network stack Isolate the storage stack Isolate the device model () Adapt the toolstack as necessary to support this configura9on Apply well- known security principles Secure the weak links, separate privileges, do not share mechanisms (disaggrega9on) Grant (and enforce) least privilege (hypervisor MAC) Defense- in- depth (aaesta9on) Establish a baseline for future research and development 9
10 Requirements Defined a set of high- level requirements based on NIST and CNSSI 1253: Categories: Confiden9ality, Integrity, Access Control, Accountability, Usability Examples: Informa7on in Shared Resources: The system must prevent unauthorized and unintended informa9on transfers via shared objects.. MAC Policies: The system must use mandatory access control policies to control the flow of informa9on among processing domains. SoAware, Firmware, and Hardware Integrity: The system should support integrity verifica9on tools to detect unauthorized changes to selected so]ware, firmware and hardware. 10
11 Dom0 Disaggrega9on Green Orange Network Storage Network Storage netbk netbk xapi XenStore dom0 Xen Secure weak links, separate mechanisms / privileges 11
12 Hypervisor Mandatory Access Controls Green Orange Network Storage Network Storage netbk netbk xapi XenStore dom0 XSM Xen Grant and enforce least privilege 12
13 Isn t that overkill? Green Orange xapi XenStore dom0 netback Xen Proposal: Encrypt orange and green traffic 13
14 Isn t that overkill? Green Orange xapi XenStore dom0 netback Xen Compromise of dom0 via malicious tenant provides unfepered access to memory! 14
15 Isola9ng the Weak(est) Links Green Orange Network Storage Network Storage netbk netbk xapi XenStore dom0 XSM Xen If one tenant on Secure Server is compromised... 15
16 Isola9ng the Weak(est) Links Green Orange Network Storage Network Storage netbk netbk xapi XenStore dom0 XSM Xen the apack is contained because the compromised tenant lacks privileges necessary to access co- tenant resources. 16
17 Isola9ng the Weak(est) Links Green Orange Network Storage Network Storage netbk netbk xapi XenStore dom0 XSM Xen Provides stronger data confiden7ality assurance as well 17
18 Dynamic Mandatory Access Controls Green Purple Orange netback xapi XenStore dom0 Xen Can easily define a sta9c policy for mul9- tenant environments Not good enough Tenants come and go Rela9onships evolve How can we support a dynamic XSM policy? 18
19 TCB: Trust, but verify Un9l now, assumed a trusted compu9ng base that includes Xen and the hardware Don t really intend to trust these things: Use measured launch to check integrity Use dynamic aaesta9on to verify run9me integrity Especially important on servers 19
20 SRTM, DRTM and Dynamic Aaesta9on Knowledge (trust) Knowledge (trust) Core Root Trust Core Root Trust Gap Dynamic Launch Entry Dynamically Launched Measured Environment (e.g., tboot) Sta9c Root of Trust Entropy leads to decay of Hardware? knowledge of system state: Firmware? Configura9on? Drivers? 9me Dynamic Root of Trust 9me AAer ini7al boot, knowledge of system state decays with 7me 10/16/13 Adven9um Labs
21 Current Status Started with XenServer 6.2 appliance Built network driver domain (working) openvswitch or bridged networking Built storage driver domain (working) iscsi and SATA controller backend Developing stub domain Defined MAC policy for a specific use case; verified, validated Challenges Built tools for genera9ng sta9c policies based on high- level specifica9on Deducing rela9onship between XAPI and Xen constructs Adap9ng toolstack to support disaggregated opera9on 21
22 Roadmap Secure inter- VMcommua9on Survey: more than a dozen published mechanisms More fine- grained disaggrega9on XenAPI, XenStore, domain builder Informed by prior work: Windsor, Xoar, Murray et al., Qubes, Service VM model Reduce footprint, maintain generality Assess scalability Per tenant sharing Iden9fy future R&D challenges Migra9on Server longevity High availability configura9ons 22
23 Conclusion Secure Server Mul9plexing Ensure data and processing are safe from co- tenants Ensure controls on informa9on separa9on and flow are sa9sfied Building a baseline prototype By drawing on past dom0 disaggrega9on, MAC and aaesta9on R&D Targe9ng EOY 2013 release Prototype can be used as a founda9on for future R&D Phase 2: iden9fy outstanding challenges and long- term R&D roadmap Call for Par9cipa9on Collabora9ng via xs- devel mailing list Feedback welcome 23
SoK: A Study of Using Hardwareassisted. Environments for Security. Fengwei Zhang and Hongwei Zhang. Wayne State University Detroit, Michigan, USA
SoK: A Study of Using Hardwareassisted Isolated Execu
More informationVirtualization. Introduction. Why we interested? 11/28/15. Virtualiza5on provide an abstract environment to run applica5ons.
Virtualization Yifu Rong Introduction Virtualiza5on provide an abstract environment to run applica5ons. Virtualiza5on technologies have a long trail in the history of computer science. Why we interested?
More informationCS 356 Operating System Security. Fall 2013
CS 356 Operating System Security Fall 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter 5 Database
More informationGood Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy
Good Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy SESSION ID: CSV-W01 Bryan D. Payne Director of Security Research Nebula @bdpsecurity Cloud Security Today Cloud has lots of momentum
More informationBackground. IBM sold expensive mainframes to large organiza<ons. Monitor sits between one or more OSes and HW
Virtual Machines Background IBM sold expensive mainframes to large organiza
More informationDOUG GOLDSTEIN STAR LAB XEN SUMMIT AUG 2016 ATTACK SURFACE REDUCTION
DOUG GOLDSTEIN STAR LAB XEN SUMMIT 2016 25 AUG 2016 ATTACK SURFACE REDUCTION OVERVIEW TOPICS Define attack surface Discuss parts of Xen s attack surface Attack surface metrics for Xen Define attack surface
More informationCSE543 - Computer and Network Security Module: Virtualization
CSE543 - Computer and Network Security Module: Virtualization Professor Trent Jaeger CSE543 - Introduction to Computer and Network Security 1 1 Operating System Quandary Q: What is the primary goal of
More informationAutonomic Mul,- Agents Security System for mul,- layered distributed architectures. Chris,an Contreras
Autonomic Mul,- s Security System for mul,- layered distributed architectures Chris,an Contreras Agenda Introduc,on Mul,- layered distributed architecture Autonomic compu,ng system Mul,- System (MAS) Autonomic
More informationM 2 R: Enabling Stronger Privacy in MapReduce Computa;on
M 2 R: Enabling Stronger Privacy in MapReduce Computa;on Anh Dinh, Prateek Saxena, Ee- Chien Chang, Beng Chin Ooi, Chunwang Zhang School of Compu,ng Na,onal University of Singapore 1. Mo;va;on Distributed
More informationBackground. IBM sold expensive mainframes to large organiza<ons. Monitor sits between one or more OSes and HW
Virtual Machines Background IBM sold expensive mainframes to large organiza
More informationManaging and Auditing Organizational Migration to the Cloud TELASA SECURITY
Managing and Auditing Organizational Migration to the Cloud 1 TELASA SECURITY About Me Brian Greidanus bgreidan@telasasecurity.com 18+ years of security and compliance experience delivering consulting
More informationTransforming XenServer into a proper open-source project
Transforming XenServer into a proper open-source project James Bulpin CTO, XenServer, Citrix About the speaker James Bulpin Head of technology for XenServer group in Citrix; member of the Citrix CTO office
More informationOperating System Security. Access control for memory Access control for files, BLP model Access control in Linux file systems (read on your own)
Operating System Security Access control for memory Access control for files, BLP model Access control in Linux file systems (read on your own) Hw1 grades out this Friday Announcement Travel: out of town
More informationXen on ARM. Stefano Stabellini
Xen on ARM Stefano Stabellini What is Xen? a type-1 hypervisor small footprint (less than 90K LOC) Xen: Open Source GPLv2 with DCO (like Linux) Diverse contributor community Xen: Open Source source: Mike
More informationVirtual Machine Security
Virtual Machine Security CSE443 - Spring 2012 Introduction to Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ 1 Operating System Quandary Q: What is the primary goal
More informationDesign Principles & Prac4ces
Design Principles & Prac4ces Robert France Robert B. France 1 Understanding complexity Accidental versus Essen4al complexity Essen%al complexity: Complexity that is inherent in the problem or the solu4on
More informationVerifiable Cloud Outsourcing for Network Func9ons (+ Verifiable Resource Accoun9ng for Cloud Services)
1 Verifiable Cloud Outsourcing for Network Func9ons (+ Verifiable Resource Accoun9ng for Cloud Services) Vyas Sekar vnfo joint with Seyed Fayazbakhsh, Mike Reiter VRA joint with Chen Chen, Petros Mania9s,
More informationCSE Computer Security
CSE 543 - Computer Security Lecture 25 - Virtual machine security December 6, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ 1 Implementation and Results Experimental Platform Exact specification
More informationHypervisor security. Evgeny Yakovlev, DEFCON NN, 2017
Hypervisor security Evgeny Yakovlev, DEFCON NN, 2017 whoami Low-level development in C and C++ on x86 UEFI, virtualization, security Jetico, Kaspersky Lab QEMU/KVM developer at Virtuozzo 2 Agenda Why hypervisor
More informationAdvanced Systems Security: Ordinary Operating Systems
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationIn-Guest Mechanisms to Strengthen Guest Separation. XenSummit 2013 Philip Tricca
In-Guest Mechanisms to Strengthen Guest Separation XenSummit 2013 Philip Tricca ackground Xen does security well Strong isolation using hardware Doesn t try to do too much Offload
More informationBreaking Up is Hard to Do: Security and Functionality in a Commodity Hypervisor
Breaking Up is Hard to Do: Security and Functionality in a Commodity Hypervisor Patrick Colp, Mihir Nanavati, Jun Zhu, William Aiello, George Coker, Tim Deegan, Peter Loscocco, and Andrew Warfield Department
More informationCSE543 - Computer and Network Security Module: Virtualization
CSE543 - Computer and Network Security Module: Virtualization Professor Trent Jaeger CSE543 - Introduction to Computer and Network Security 1 Operating System Quandary Q: What is the primary goal of system
More informationBreaking Up is Hard to Do: Security and Functionality in a Commodity Hypervisor
Breaking Up is Hard to Do: Security and Functionality in a Commodity Hypervisor Patrick Colp, Mihir Nanavati, Jun Zhu, William Aiello, George Coker, Tim Deegan, Peter Loscocco, and Andrew Warfield Department
More informationVirtualization Security & Audit. John Tannahill, CA, CISM, CGEIT, CRISC
Virtualization Security & Audit John Tannahill, CA, CISM, CGEIT, CRISC jtannahi@rogers.com Session Overview Virtualization Concepts Virtualization Technologies Key Risk & Control Areas Audit Programs /
More informationBuilding a Resilient Security Posture for Effective Breach Prevention
SESSION ID: GPS-F03B Building a Resilient Security Posture for Effective Breach Prevention Avinash Prasad Head Managed Security Services, Tata Communications Agenda for discussion 1. Security Posture 2.
More informationGuarded Modules: Adap/vely Extending the VMM s Privileges Into the Guest
Guarded Modules: Adap/vely Extending the VMM s Privileges Into the Guest Kyle C. Hale Peter Dinda Department of Electrical Engineering and Computer Science Northwestern University hip://halek.co hip://presciencelab.org
More informationConfinement (Running Untrusted Programs)
Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras Untrusted Programs How to run untrusted programs and not harm your system? Answer: Confinement (some:mes called
More informationTRESCCA Trustworthy Embedded Systems for Secure Cloud Computing
TRESCCA Trustworthy Embedded Systems for Secure Cloud Computing IoT Week 2014, 2014 06 17 Ignacio García Wellness Telecom Outline Welcome Motivation Objectives TRESCCA client platform SW framework for
More informationCSE543 - Computer and Network Security Module: Virtualization
CSE543 - Computer and Network Security Module: Virtualization Professor Trent Jaeger CSE543 - Introduction to Computer and Network Security 1 Operating System Quandary Q: What is the primary goal of system
More informationCrashOS: Hypervisor testing tool
ISSRE 2017 Anaïs GANTET - Airbus Digital Security October 2017 Outline 1 Why CrashOS? 2 CrashOS presentation 3 Vulnerability research and results October 2017 2 ISSRE Outline 1 Why CrashOS? 2 CrashOS presentation
More informationOperating System Security
Operating System Security Operating Systems Defined Hardware: I/o...Memory.CPU Operating Systems: Windows or Android, etc Applications run on operating system Operating Systems Makes it easier to use resources.
More informationTrust Eleva,on Architecture v03
Trust Eleva,on Architecture v03 DISCUSSION DRAFT 2015-01- 27 Andrew Hughes 1 Purpose of this presenta,on To alempt to explain the Trust Eleva,on mechanism as a form of ALribute Based Access Control To
More informationDynamic Datacenter Security Solidex, November 2009
Dynamic Datacenter Security Solidex, November 2009 Deep Security: Securing the New Server Cloud Virtualized Physical Servers in the open Servers virtual and in motion Servers under attack 2 11/9/09 2 Dynamic
More informationXen Community Update. Ian Pratt, Citrix Systems and Chairman of Xen.org
Xen Community Update Ian Pratt, Citrix Systems and Chairman of Xen.org 1 Outline Project Status Xen Client Initiative Xen Cloud Platform New Xen 4.0 Features 2 Announcement The Xen Advisory Board is excited
More informationRonny L. Bull & Dr. Jeanna Matthews. DerbyCon 4.0. Sept 27th, 2014
Layer 2 Network Security in Virtualized Environments Ronny L. Bull & Dr. Jeanna Matthews DerbyCon 4.0 Sept 27th, 2014 The Researchers Ronny Bull Computer Science Ph.D. Graduate Student at Clarkson University
More informationAdvanced Systems Security: Principles
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationOpenXT Project in 2016
OpenXT Project in 2016 Christopher Clark BAE Systems Xen Developer Summit, 25-26 th August, 2016 Presenter: Christopher Clark Xen affiliations: Projects: Roles: BAE Systems and the OpenXT Project - since
More informationW11 Hyper-V security. Jesper Krogh.
W11 Hyper-V security Jesper Krogh jesper_krogh@dell.com Jesper Krogh Speaker intro Senior Solution architect at Dell Responsible for Microsoft offerings and solutions within Denmark Specialities witin:
More informationRED HAT ENTERPRISE VIRTUALIZATION 3.0
RED HAT ENTERPRISE VIRTUALIZATION 3.0 YOUR STRATEGIC VIRTUALIZATION ALTERNATIVE John Rinehart, Product Marke3ng Manager Mark St. Laurent, Senior Solu3on Architect Email: msl@redhat.com March 28, 2012 AGENDA
More informationDatabase Machine Administration v/s Database Administration: Similarities and Differences
Database Machine Administration v/s Database Administration: Similarities and Differences IOUG Exadata Virtual Conference Vivek Puri Manager Database Administration & Engineered Systems The Sherwin-Williams
More informationXen Project 4.4: Features and Futures. Russell Pavlicek Xen Project Evangelist Citrix Systems
Xen Project 4.4: Features and Futures Russell Pavlicek Xen Project Evangelist Citrix Systems About This Release Xen Project 4.4.0 was released on March 10, 2014. This release is the work of 8 months of
More informationLeviathan redux. John L. Manferdelli Intel Science and Technology Center for Secure Compu;ng UC, Berkeley
Leviathan redux John L. Manferdelli Intel Science and Technology Center for Secure Compu;ng UC, Berkeley Joint work with Tom Roeder (Google), Fred Schneider (Cornell) And Kevin Walsh of Mt Holyoke College
More informationAdvanced Systems Security: Virtual Machine Systems
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationOracle VM Workshop Applica>on Driven Virtualiza>on
Oracle VM Workshop Applica>on Driven Virtualiza>on Simon COTER Principal Product Manager Oracle VM & VirtualBox simon.coter@oracle.com hnps://blogs.oracle.com/scoter November 25th, 2015 Copyright 2014
More informationOperating system hardening
Operating system Comp Sci 3600 Security Outline 1 2 3 4 5 6 What is OS? Hardening process that includes planning, ation, uration, update, and maintenance of the operating system and the key applications
More informationImproving client systems security with Qubes OS
4 Jul 2016 We need secure client systems We need secure client systems Otherwise no security really works: We need secure client systems Otherwise no security really works: Encryption 2-factor authentication
More informationNetwork Virtualiza/on Overlay Control Protocol Requirements
Network iza/on Overlay Control Protocol Requirements dra
More informationScalable Architectural Support for Trusted Software
Scalable Architectural Support for Trusted Software David Champagne and Ruby B. Lee Princeton University Secure Processor Design 11/02/2017 Dimitrios Skarlatos Motivation Apps handle sensitive/secret information
More informationSTRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview
STRATEGIC WHITE PAPER Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview Abstract Cloud architectures rely on Software-Defined Networking
More informationNetwork Virtualization Business Case
SESSION ID: GPS2-R01 Network Virtualization Business Case Arup Deb virtual networking & security VMware NSBU adeb@vmware.com I. Data center security today Don t hate the player, hate the game - Ice T,
More informationAdvanced Systems Security: Virtual Machine Systems
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationLogical Partitions on Many-core Processors
Logical Partitions on Many-core Processors Ramya Masti, Claudio Marforio, Kari Kostiainen, Claudio Soriente, Srdjan Capkun ETH Zurich ACSAC 2015 1 Infrastructure as a Service (IaaS) App App App App OS
More informationLast time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control
Last time Security Policies and Models Bell La-Padula and Biba Security Models Information Flow Control Trusted Operating System Design Design Elements Security Features 10-1 This time Trusted Operating
More informationThreat modeling. Tuomas Aura T Informa1on security technology. Aalto University, autumn 2012
Threat modeling Tuomas Aura T- 110.4206 Informa1on security technology Aalto University, autumn 2012 Threats Threat = something bad that can happen Given an system or product Assets: what is there to protect?
More informationCitrix XenServer 7.1 Feature Matrix
Citrix XenServer 7.1 Matrix Citrix XenServer 7.1 Matrix A list of Citrix XenServer 7.1 features by product edition, including XenApp and XenDesktop license entitlements. Comprehensive application and desktop
More informationSOLUTION BRIEF ASSESSING DECEPTION TECHNOLOGY FOR A PROACTIVE DEFENSE
SOLUTION BRIEF ASSESSING DECEPTION TECHNOLOGY FOR A PROACTIVE DEFENSE 1 EXECUTIVE SUMMARY Attackers have repeatedly demonstrated they can bypass an organization s conventional defenses. To remain effective,
More informationDEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS. Security Without Compromise
DEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS Security Without Compromise CONTENTS INTRODUCTION 1 SECTION 1: STRETCHING BEYOND STATIC SECURITY 2 SECTION 2: NEW DEFENSES FOR CLOUD ENVIRONMENTS 5 SECTION
More informationLaying a Secure Foundation for Mobile Devices. Stephen Smalley Trusted Systems Research National Security Agency
Laying a Secure Foundation for Mobile Devices Stephen Smalley Trusted Systems Research National Security Agency Trusted Systems Research Conduct and sponsor research to provide information assurance for
More informationThe Business of Security in the Cloud
The Business of Security in the Cloud Dr. Pamela Fusco Vice President Industry Solutions Solutionary Inc. CISSP, CISM, CHSIII, IAM, NSA/CSS Adjunct Faculty Promises Promises The promise of cloud computing
More informationMulG-Vendor Key Management with KMIP
MulG-Vendor Key Management with KMIP Tim Hudson CTO Cryptso2 tjh@cryptso2.com GS13A 19-May-2016 1:35pm Key Management 1000011010100100101100101010000010101000101001101001111010001100 Key Management Standards
More informationARM Security Solutions and Numonyx Authenticated Flash
ARM Security Solutions and Numonyx Authenticated Flash How to integrate Numonyx Authenticated Flash with ARM TrustZone* for maximum system protection Introduction Through a combination of integrated hardware
More informationOriginally prepared by Lehigh graduate Greg Bosch; last modified April 2016 by B. Davison
Virtualization Originally prepared by Lehigh graduate Greg Bosch; last modified April 2016 by B. Davison I. Introduction to Virtualization II. Virtual liances III. Benefits to Virtualization IV. Example
More informationXen Project Status Ian Pratt 12/3/07 1
Xen Project Status Ian Pratt 12/3/07 1 Project Status xen.org and the Xen Advisory Board Xen project mission Ubiquitous virtualization Realizing Xen s architectural advantages From servers to clients Interoperability
More informationSoftLayer Security and Compliance:
SoftLayer Security and Compliance: How security and compliance are implemented and managed Introduction Cloud computing generally gets a bad rap when security is discussed. However, most major cloud providers
More informationI/O virtualization. Jiang, Yunhong Yang, Xiaowei Software and Service Group 2009 虚拟化技术全国高校师资研讨班
I/O virtualization Jiang, Yunhong Yang, Xiaowei 1 Legal Disclaimer INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE,
More informationWHITE PAPER MICRO-SEGMENTATION. illumio.com
MICRO-SEGMENTATION CONTENTS OVERVIEW Business drivers Current challenges with micro-segmentation The Illumio solution CURRENT APPROACHES TO MICRO-SEGMENTATION IP address rules VLANs Firewall zones Software-defined
More informationSecuring Cloud Computing
Securing Cloud Computing NLIT Summit, May 2018 PRESENTED BY Jeffrey E. Forster jeforst@sandia.gov Lucille Forster lforste@sandia.gov Sandia National Laboratories is a multimission laboratory managed and
More informationThreat Modeling for System Builders and System Breakers!! Dan Copyright 2014 Denim Group - All Rights Reserved
Threat Modeling for System Builders and System Breakers!! Dan Cornell! @danielcornell Dan Cornell Dan Cornell, founder and CTO of Denim Group Software developer by background (Java,.NET, etc) OWASP San
More informationMapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective
Mapping Your Requirements to the NIST Cybersecurity Framework Industry Perspective 1 Quest has the solutions and services to help your organization identify, protect, detect, respond and recover, better
More informationIdentity-Based Cyber Defense. March 2017
Identity-Based Cyber Defense March 2017 Attackers Continue to Have Success Current security products are necessary but not sufficient Assumption is you are or will be breached Focus on monitoring, detecting
More informationalign security instill confidence
align security instill confidence cyber security Securing data has become a top priority across all industries. High-profile data breaches and the proliferation of advanced persistent threats have changed
More informationSentinelOne Technical Brief
SentinelOne Technical Brief SentinelOne unifies prevention, detection and response in a fundamentally new approach to endpoint protection, driven by behavior-based threat detection and intelligent automation.
More informationAdDroid Privilege Separa,on for Applica,ons and Adver,sers in Android
AdDroid Privilege Separa,on for Applica,ons and Adver,sers in Android Paul Pearce 1, Adrienne Porter Felt 1, Gabriel Nunez 2, David Wagner 1 1 University of California, Berkeley 2 Sandia Na,onal Laboratory
More informationBusiness Case Components
How to Build A SOC Agenda Mission Business Case Components Regulatory requirements SOC Terminology Technology Components Events categories Staff Requirements Organiza>on s Considera>ons Training Requirements
More informationSecuring Your Virtual World Harri Kaikkonen Channel Manager
Securing Your Virtual World Harri Kaikkonen Channel Manager Copyright 2009 Trend Micro Inc. Virtualisation On The Rise 16,000,000 Virtualized x86 shipments 14,000,000 12,000,000 10,000,000 8,000,000 6,000,000
More informationAWS Integration Guide
AWS Integration Guide Cloud-Native Security www.aporeto.com AWS Integration Guide Aporeto integrates with AWS to help enterprises efficiently deploy, manage, and secure applications at scale and the compute
More informationViryaOS RFC: Secure Containers for Embedded and IoT. A proposal for a new Xen Project sub-project
ViryaOS RFC: Secure Containers for Embedded and IoT A proposal for a new Xen Project sub-project Stefano Stabellini @stabellinist The problem Package applications for the target Contain all dependencies
More informationPrac%cal Control Flow Integrity & Randomiza%on for Binary Executables
Prac%cal Control Flow Integrity & Randomiza%on for Binary Executables Chao Zhang Tao Wei Zhaofeng Chen Lei Duan Peking University Peking University UC Berkeley Peking University Peking University László
More informationVM-SERIES FOR VMWARE VM VM
SERIES FOR WARE Virtualization technology from ware is fueling a significant change in today s modern data centers, resulting in architectures that are commonly a mix of private, public or hybrid cloud
More informationTUX : Trust Update on Linux Kernel
TUX : Trust Update on Linux Kernel Suhho Lee Mobile OS Lab, Dankook university suhho1993@gmail.com -- Hyunik Kim, and Seehwan Yoo {eternity13, seehwan.yoo}@dankook.ac.kr Index Intro Background Threat Model
More informationVirtualize More While Improving Your Risk Posture: The 4 Must Haves of VirtualizaJon Security
Virtualize More While Improving Your Risk Posture: The 4 Must Haves of VirtualizaJon Security Hemma Prafullchandra, CTO & SVP Products, HyTrust Mike Foley, Sr Technical Manager, PlaPorm Security, VMware
More informationIntel s Virtualization Extensions (VT-x) So you want to build a hypervisor?
Intel s Virtualization Extensions (VT-x) So you want to build a hypervisor? Mr. Jacob Torrey May 13, 2014 Dartmouth College 153 Brooks Road, Rome, NY 315.336.3306 http://ainfosec.com @JacobTorrey torreyj@ainfosec.com
More informationVANGUARD WHITE PAPER VANGUARD GOVERNMENT INDUSTRY WHITEPAPER
VANGUARD GOVERNMENT INDUSTRY WHITEPAPER Achieving PCI DSS Compliance with Vanguard Integrity Professionals Software & Professional Services Vanguard is the industry leader in z/os Mainframe Software to
More informationApplication Virtualization and Desktop Security
Application Virtualization and Desktop Security Karl MacMillan kmacmillan@tresys.com Tresys Technology 1 Application Virtualization Introduction Encapsulates a single application Bundles application into
More informationGetting Started with AWS Security
Getting Started with AWS Security Tomas Clemente Sanchez Senior Consultant Security, Risk and Compliance September 21st 2017 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Move
More informationSecuring Your Amazon Web Services Virtual Networks
Securing Your Amazon Web Services s IPS security for public cloud deployments It s no surprise that public cloud infrastructure has experienced fast adoption. It is quick and easy to spin up a workload,
More informationJustifying Integrity Using a Virtual Machine Verifier
Justifying Integrity Using a Virtual Machine Verifier Abstract Emerging distributing computing architectures, such as grid and cloud computing, depend on the high integrity execution of each system in
More informationIntel s s Security Vision for Xen
Intel s s Security Vision for Xen Carlos Rozas Intel Corporation Xen Summit April 7-8, 7 2005 INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. EXCEPT AS PROVIDED IN INTEL'S TERMS
More informationEnterprise & Cloud Security
Enterprise & Cloud Security Greg Brown VP and CTO: Cloud and Internet of Things McAfee An Intel Company August 20, 2013 You Do NOT Want to Own the Data Intel: 15B 2015 Cisco: 50B 2020 2 August 21, 2013
More informationJim Reavis CEO and Founder Cloud Security Alliance December 2017
CLOUD THREAT HUNTING Jim Reavis CEO and Founder Cloud Security Alliance December 2017 A B O U T T H E BUILDING SECURITY BEST PRACTICES FOR NEXT GENERATION IT C L O U D S E C U R I T Y A L L I A N C E GLOBAL,
More informationSecurity for the Xen Hypervisor Status Quo & Perspective 2006
Security for the Xen Hypervisor Status Quo & Perspective 2006 Reiner Sailer Xen Summit 2006 IBM T J Watson Research Center 1/17/2006 1. Access Control Module 2. Virtual Trusted Platform Module 2 IBM T
More informationIoT & SCADA Cyber Security Services
RIOT SOLUTIONS PTY LTD P.O. Box 10087 Adelaide St Brisbane QLD 4000 BRISBANE HEAD OFFICE Level 22, 144 Edward St Brisbane, QLD 4000 T: 1300 744 028 Email: sales@riotsolutions.com.au www.riotsolutions.com.au
More informationPROTECTING INFORMATION ASSETS NETWORK SECURITY
PROTECTING INFORMATION ASSETS NETWORK SECURITY PAUL SMITH 20 years of IT experience (desktop, servers, networks, firewalls.) 17 years of engineering in enterprise scaled networks 10+ years in Network Security
More informationVirtualization in the Cloud Lars Kurth Xen Community Manager
Virtualization in the Cloud Lars Kurth Xen Community Manager lars.kurth@xen.org @lars_kurth @xen_com_mgr A Brief History of Xen in the Cloud Late 90s XenoServer Project (Cambridge Univ.) The XenoServer
More informationWhose Cloud Is It Anyway? Exploring Data Security, Ownership and Control
Whose Cloud Is It Anyway? Exploring Data Security, Ownership and Control SESSION ID: CDS-T11 Sheung-Chi NG Senior Security Consulting Manager, APAC SafeNet, Inc. Cloud and Virtualization Are Change the
More informationMonitoring IPv6 Content Accessibility and Reachability. Contact: R. Guerin University of Pennsylvania
Monitoring IPv6 Content Accessibility and Reachability Contact: R. Guerin (guerin@ee.upenn.edu) University of Pennsylvania Outline Goals and scope So=ware overview Func@onality, performance, and requirements
More informationHyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity
31 st IEEE Symposium on Security & Privacy, Oakland CA, May 16-19 2010 HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity Zhi Wang, Xuxian Jiang North Carolina State
More informationAlterna(ve Architectures
Alterna(ve Architectures COMS W4118 Prof. Kaustubh R. Joshi krj@cs.columbia.edu hep://www.cs.columbia.edu/~krj/os References: Opera(ng Systems Concepts (9e), Linux Kernel Development, previous W4118s Copyright
More information