Your SlideShare is downloading. ×
0
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citrix Systems UK Ltd

793

Published on

In our interconnected world of mobile and cloud computing, particularly with the rise of governmental spying, corporate espionage, and theft of data by organized crime syndicates, security is more …

In our interconnected world of mobile and cloud computing, particularly with the rise of governmental spying, corporate espionage, and theft of data by organized crime syndicates, security is more important than ever. Many claims are being made about the security of open-source cloud technologies: How can administrators, users, and developers separate fact from fiction?

This talk will equip the audience with the principles needed to evaluate security claims. We will talk the nature of risk, of vulnerabilities and exploits; the various factors that reduce the risk of vulnerabilities in software; and about TCB, threat models, and defense-in-depth.

We will then apply these principles to three open-source cloud technologies: containers, KVM, and Xen, to see how they stack up. These will be backed up with numbers: lines of code, security advisories, entry points, and so on.

Published in: Internet, Technology
0 Comments
6 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
793
On Slideshare
0
From Embeds
0
Number of Embeds
5
Actions
Shares
0
Downloads
20
Comments
0
Likes
6
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Security in the Cloud: Xen, KVM, Containers Or, Surviving and the Zombie Apocalypse
  • 2. “Some people make the mistake of thinking of containers as a better and faster way of running virtual machines. From a security point of view, containers are much weaker.” –Dan Walsh (Mr. SELinux)
  • 3. “There's contentions all over the place that containers are not actually as secure as hypervisors. This is not really true. Parallels and Virtuozo, we've been running secure containers for at least 10 years.” –James Bottomley, Linux Maintainer and Parallels CTO
  • 4. “Virtual Machines might be more secure today, but containers are definitely catching up.” –Jerome Petazzoni, Senior Software Engineer at Docker
  • 5. “You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.” –Theo de Raadt, OpenBSD project lead
  • 6. "Some people make the mistake of thinking of containers as a better and faster way of running virtual machines. From a security point of view, containers are much weaker." -Dan Walsh "There's contentions all over the place that containers are not actually as secure as hypervisors. This is not really true. Parallels and Virtuozo, we've been running secure containers for at least 10 years.” -James Bottomley "Virtual Machines might be more secure today, but containers are definitely catching up." -Jerome Petazzoni "You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes." -Theo de Raadt
  • 7. Who am I?
  • 8. What I’m going to talk about
  • 9. Security and Risk
  • 10. Vulnerabilities and Exploits
  • 11. A vulnerability is a mistake.
  • 12. Configuration vulnerabilities
  • 13. Software vulnerabilities
  • 14. Intel SYSRET
  • 15. Zombie Apocalypse.
  • 16. Every window is an opportunity to make a mistake
  • 17. Every element of every interface is an opportunity to make a mistake
  • 18. But does this really matter?
  • 19. Would this affect a system configured reasonably for security?
  • 20. Xen: Access to HV memory >5TiB during migration
  • 21. Xen: Unsecured PV console parameters
  • 22. Xen: 1 year, 1-4 known vulnerabilities
  • 23. KVM: Escalation in vhost
  • 24. KVM: PUSHA instruction emulation
  • 25. KVM: vcpu hypercall boundary check
  • 26. KVM: vlapic shared page crossing a page boundary
  • 27. KVM: 1 year, 4 solid vulnerabilities
  • 28. qemu: VMWare emulated device
  • 29. qemu: virtio-net mac address update
  • 30. qemu: 1 year, 2 known vulnerabilities
  • 31. Linux: ping
  • 32. Linux: tty race condition
  • 33. Linux: ptrace and SYSRET
  • 34. Linux: AIO, arbitrary read of kernel memory
  • 35. Linux: Futex not checking if two pointers were different (2)
  • 36. Linux: AMD math coprocessor
  • 37. Linux: 2 months, 6 vulnerabilities
  • 38. Hypervisors: Low (but not zero) risk
  • 39. General-purpose containers: Not so good
  • 40. Application-specific containers + seccomp2?
  • 41. Questions?

×