SlideShare a Scribd company logo

Slide used at ACM-SAC 2014 by Suzaki

Kuniyasu Suzaki
Kuniyasu Suzaki

This document describes a protocol test generator that uses nested virtual machines and rollback mechanisms to perform exhaustive fuzz testing of protocol implementations. It proposes using a virtual test protocol to encapsulate test packets and control the target virtual machine. Special packets allow taking snapshots of the target VM state and rolling back to previous snapshots to repeatedly test protocol states with different fuzzed packets. The current prototype implements this approach with KVM and QEMU virtual machines to find bugs in TLS/SSL protocol implementations through fuzz testing of the handshake process.

TechnologyEducation
1 of 22
Download to read offline
National Institute of Advanced Industrial Science and Technology Rollback MechanismRollback Mechanism of Nested Virtual Machines for Protocol Fuzz Testing Kuniyasu Suzaki*, Toshiki Yagi*, Akira Tanaka*, Y taka Oi a* Ets a Shiba ama*‡Yutaka Oiwa , Etsuya Shibayama ‡ * National Institute of Advanced Industrial Science and Technology(AIST)National Institute of Advanced Industrial Science and Technology(AIST) ‡The University of Tokyo ACM SAC(Symposium On Applied Computing)2014 at Gyeongju, South Korea March 25
National Institute of Advanced Industrial Science and Technology Motivation 1/2Motivation 1/2 • Sec re protocols (SSL/TLS SSH etc) are important for• Secure protocols (SSL/TLS, SSH, etc) are important for Internet commerce. l bili i f i l i f• However, vulnerabilities of implementation of secure protocols are discovered repeatedly. – Incidents of SSL/TLS vulnerabilities • Insufficient entropy of random numbers [2012] – It creates same secret-keys for SSL/TLS certificates.It creates same secret keys for SSL/TLS certificates. – EFF offers a site to check SSL certificates. » https://www.eff.org/observatory • CRIME[2012]• CRIME[2012] – It attacks to the data compression used by the TLS and SPDY. • Lucky Thirteen[2013] – It attacks padding oracle using timing side-channel.
National Institute of Advanced Industrial Science and Technology Motivation 2/2Motivation 2/2 • The implementations of secure protocols should be verified. • Our group increases TLS security with 2 approaches. F l ifi i– Formal verification • Verify important parts of protocol hander program. – “Formal Network Packet Processing with Minimal Fuss: Invertible Syntax Descriptions atFormal Network Packet Processing with Minimal Fuss: Invertible Syntax Descriptions at Work.” [PLPV’12] – “Towards Formal Verification of TLS Network Packet Processing Written in C” [PLPV’13] – Exhaustive Protocol Fuzz Testing • Try to check all reaction of protocol handler. – Protocol Test Generator creates and sends many fuzzed packets to check implementation of protocol handler. – (Today’s Topic) Computing environment for protocol fuzz testing
National Institute of Advanced Industrial Science and Technology O liOutline M i i• Motivation • Protocol Test Generator: fuzz testing on a protocol handler • Why we use nested VM for protocol fuzz testing? • Design issuesDesign issues • Implementation P f l i• Performance evaluation on current prototype. • Conclusion
National Institute of Advanced Industrial Science and Technology Protocol Test Generator V if t l h d f h t l t t• Verify a protocol hander for each protocol state – Repeat the following sequence for each protocol state 1. Creates a fuzzed packet 2. Send it to a protocol hander 3. Check the reply • Fuzzed packets are tested on each protocol stateFuzzed packets are tested on each protocol state many times. • Snapshot and rollback mechanism is required.S p q
National Institute of Advanced Industrial Science and Technology Sequence of Protocol Test Generator (TLS)Sequence of Protocol Test Generator (TLS) Normal TargetProtocol Generator Client Hello Take Snapshot Client Hello Server Hello Server Certificate Snapshot1 Server Hello Done Take SnapshotTake Snapshot Client Key Exchange … Snapshot 2
National Institute of Advanced Industrial Science and Technology Sequence of Protocol Test Generator (TLS)Sequence of Protocol Test Generator (TLS) Normal Fuzz for Client Hello TargetProtocol Generator TargetProtocol Generator Client Hello Take Snapshot [Fuzz1] Client Hello Rollback Snapshot1 Client Hello Server Hello Server Certificate Snapshot1 [Fuzz1] Client Hello ???? Good or Bad? Rollback1 Server Hello Done Take Snapshot Rollback Snapshot1 Good or Bad? Take Snapshot Client Key Exchange … Snapshot 2 [Fuzz2] Client Hello ???? Rollback 1 Good or Bad? [FuzzN] Client Hello
National Institute of Advanced Industrial Science and Technology Sequence of Protocol Test Generator (TLS)Sequence of Protocol Test Generator (TLS) Normal Fuzz for Client Hello Fuzz for Client Key Exchange TargetProtocol Generator TargetProtocol Generator TargetProtocol Generator Client Hello Take Snapshot [Fuzz1] Client Hello Rollback Snapshot1 [Fuzz1] Client Key Rollback Snapshot2 Client Hello Server Hello Server Certificate [Fuzz1] Client Hello ???? Good or Bad? Snapshot1 Rollback 1 [Fuzz1] Client Key Exchange ??? Rollback2 Server Hello Done Take Snapshot Rollback Snapshot1 Good or Bad? Rollback Snapshot2 Good or Bad? Take Snapshot Client Key Exchange … [Fuzz2] Client Hello ???? Snapshot 2 Rollback 1 Rollback 2 [Fuzz2] Client Key Exchange ??? [FuzzN] Client Hello Good or Bad? ??? Good or Bad? [FuzzN] Client Key Exchange
National Institute of Advanced Industrial Science and Technology Requirement for Protocol Test GeneratorRequirement for Protocol Test Generator 1. Packet level granularity control – Generator wants to take a snapshot just before sending a packet. 2. Hardware-level repeatability B l biliti d b it ti i t (– Because some vulnerabilities are caused by its computing environment (e.g., random number) 3. Consistency between generator and target protocol hander3. Consistency between generator and target protocol hander – Most snapshot/rollback mechanism does not care of packets on a wire. 1. We propose a special protocol to control target computing environment. 2. We uses Virtual Machine which offers hardware-level repeatability f h / llb kfor snapshot/rollback. 3. Design issues. (Mention in later slides)
National Institute of Advanced Industrial Science and Technology Proposed Protocol (VTP: Virtual Test Protocol)Proposed Protocol (VTP: Virtual Test Protocol) • VTP treats packets of test-target protocol as data. T t t t k t l t d t “C l ” k t– Test-target packets are en-capsulated to “Capsule” packets – “Capsule” packets must be de-capsulated on target computing environment. • VTP has special packets to control target computing environment• VTP has special packets to control target computing environment – “Take_Snapshot” and “Rollback” Protocol Action Capsule Packets of secure communication are encapsulated with capsule protocol. The flow of capsulated packets is managed h t k h t llb k k t i i dwhen take_snapshot or rollback packet is issued. Take_ Snapshot Take VM snapshot image. Packets on the wire must be managed by a certain method. Return snapshot ID. R h i C i f Rollback (with ID) Resume snapshot image. Connection of secure communication must be operative, when a previous image is resumed. Target computing environment (VM) has to deal with the VTP.
National Institute of Advanced Industrial Science and Technology Design Issues for VM (Computing environment)Design Issues for VM (Computing environment) • Virtual Machine runs a protocol handler. • En-capsulated packets by VTP must be de-capsulated on a target VM. – Original packets must be passed to a target protocol handler on the VM. • The control packets (take_snapshot and rollback) must be dealt by the VM. • The VTP packets on the network must be maintained. – We have to deal with consistent global state defied by [Chandy-Lamport, 1985]. Protocol Generator Target Environment Snapshots of VM VTP Protocol handler TLS VTP VM deals with VTP protocol. Packets on the network must be maintained. VM
National Institute of Advanced Industrial Science and Technology Design choice for handling VTPDesign choice for handling VTP • Customize VM’s network function for VTPCustomize VM s network function for VTP – We planned to customize SLiRP of QEMU • However VM control (snapshot/rollback) from SLiRP is strange, because it( p ) g , is a part of VM. It is not flexible. • Nested VM and Proxies (external & internal) – External proxy manages VTP control packets and takes snapshot of External VM. – A snapshot of External VM keeps connectivity of network between internal proxy and a protocol handler on Internal VM. • Pros: Easy and flexible implementation. » It utilizes existing VM control commands. Don’t need to change VM. • Cons: Overhead? Performance is improved by many previous researchesCons: Overhead? Performance is improved by many previous researches.
National Institute of Advanced Industrial Science and Technology Design: Nested VM and Proxiesg • External VM (a unit of snapshot) – It is used to take snapshot of Internal VM and Internal Proxy. • Internal VM (hardware repeatability)( p y) – It includes protocol hander and keeps connection with Internal Proxy, when External VM is taken a snapshot. • External Proxy – Connects to Protocol Generator directly, and controls snapshot/rollback of External VM. Real Machine External VMControl the target VM • Internal Proxy – Maintain connectivity of VTP Protocol when a snapshot image is resumed. Real Machine External VM Internal VM Control the  target VM (SAVEVM, LOADVM) Decapsulate control  commands Internal Proxy openSSL Port forward External Proxy External Proxy Internal ProxyTLS VTP TLSTLS VTP External VM Internal VM External VM Internal VM Protocol Generator “take_snapshot” packet make a  round‐trip between external  and internal proxy to confirm  no VTP packets on the wire 13 Internal VM SSH openSSL Keep connectionSnapshots no  VTP packets on the wire. Rollback TLS
National Institute of Advanced Industrial Science and Technology Handling VTP “capsule” packetHandling VTP capsule packet • Protocol Generator en-casuplates test-target packets with “capsule” packets. • External Proxy passes capsule packets to Internal Proxy without change. • Internal Proxy de-capsulates VTP packets and passes original packets to protocol hander on Internal VMhander on Internal VM. Real Machine External VMReal Machine External VM Internal VM Decapsulate control  commands Internal Proxy openSSL Port forward External Proxy External Proxy Internal ProxyTLS VTP TLSTLS VTP Protocol Generator
National Institute of Advanced Industrial Science and Technology Handling VTP “take snapshot” packetHandling VTP take_snapshot packet • When a “take_snapshot” packet is issued, the packet makes a round trip between External and Internal Proxy to confirm that there is no VTP packet on the wire (consistent global state defied by Chandy Lamport)(consistent global state defied by Chandy-Lamport). • After that, External Proxy sends SAVEM command to External VM to take a snapshot. • Connection between Internal Proxy and protocol handler is kept in a snapshot. Real Machine External VMControl the  target VMReal Machine External VM Internal VM g (SAVEVM) Decapsulate control  commands Internal Proxy openSSL Port forward External Proxy External Proxy Internal Proxy P t l TLS VTP TLSTLS VTP External VM Internal VM External VM Internal VM Protocol Generator “take_snapshot” packet make a  round‐trip between external  and internal proxy to confirm  no VTP packets on the wire. 15 Internal VM SSH openSSL Keep connectionSnapshots no  VTP packets on the wire. TLS
National Institute of Advanced Industrial Science and Technology Handling VTP “rollback” packetHandling VTP rollback packet • When a “rollback” packet is issued, the External Proxy send LOADVM command to External VM It resumes an old imageLOADVM command to External VM. It resumes an old image. • After that, External and Internal proxies re-establish the connection between them, because they loses the network states when rollback., y – Internal proxy and protocol handler do not need to care about network connection. Real Machine External VMControl the  target VMReal Machine External VM Internal VM g (LOADVM) Decapsulate control  commands Internal Proxy openSSL Port forward External Proxy External Proxy Internal Proxy P t l TLS VTP TLSReestablish External VM Internal VM External VM Internal VM Protocol Generator 16 Internal VM SSH openSSL Keep connection Rollback TLS
National Institute of Advanced Industrial Science and Technology OptimizationOptimization • Most overhead of VM is caused by video emulation. – Nested VMs must emulate the GUI of internal VM on external VM again.g • Fortunately QEMU and KVM have “curses mode” which emulates text user interface. • We eliminate GUI on both internal and external VMs. N GUI d d k h t i k– No GUI reduces memory usage and make snapshot quick. GUIs of Nested VMs No GUI of Nested VMs OpenSSL on Linux on Internal VM (QEMU) on External VM (KVM) ith d Internal VM (QEMU) OpenSSL on Windows Extenal Proxy Protocol Tester with curses mode Protocol Tester External Proxy External VM (KVM) Internal Proxy on Linux
National Institute of Advanced Industrial Science and Technology Current ImplementationCurrent Implementation • We implement Nested VM and proxies on normalWe implement Nested VM and proxies on normal Debian GNU Linux x86. – External VM: KVMExternal VM: KVM • The VM is a unit of snapshot and is NOT required hardware repeatability. • KVM is fast with virtualization technology of X86. – Internal VM: QEMU h l h d f bili ( d b• The VM emulates hardware for repeatability (e.g., random number generator). – Proxies are written by PerlProxies are written by Perl. • External Proxy: 430 LOC • Internal Proxy: 132 LOC• Internal Proxy: 132 LOC
National Institute of Advanced Industrial Science and Technology Performance evaluationPerformance evaluation • We evaluated performance on Protocol Test Generator. – Test for hand shake of TLS (PolarSSL) takes 9 snapshots and 2,311 rollbacks. – Effect of GUI and noGUI. – Effct of Memory size (large 1024MB/512MB small 512MB/256MB)– Effct of Memory size (large 1024MB/512MB, small 512MB/256MB) GUI Mem: NoGUI Mem: NoGUI Mem: 1024/512 (sec) 1024/512 (sec) 512/256 (sec) Setting up nested VMs 266 107 93g p Fuzz packet generator 1,307 1,164 1,080 Nested VMs and Proxies Snapshot (9 times) 57 (Av 6.33) 37 (Av 4.11) 24 (Av 2.67) R llb k 3 135 2 197 1 286 VM overhead isRollback (2,311times) 3,135 (Av 1.36) 2,197 (Av 0.96) 1,286 (Av 0.56) Other 12 13 12 Total 5 043 3 622 2 587 VM overhead is almost same to packet generator. Total 5,043 3,622 2,587 ThinkPad T410 (CPU Intel Core i7-M620 2.67Ghz, Memory 4GB).
National Institute of Advanced Industrial Science and Technology R lt f P t l F T tiResults of Protocol Fuzz Testing W ifi d th h d h k f 4 TLS• We verified the handshake of 4 TLS servers. – OpenSSL, GnuTLS, CyaSSL, and PolarSSL. • The fuzz testing found 2 bugs in CyaSSL– 2 bugs in CyaSSL – 1 bug in PolarSSL • We reported the results to the mailing list, and the bugs were fixed.g
National Institute of Advanced Industrial Science and Technology R l t d kRelated works • Nested VM• Nested VM – Migration • Xen-Blanket [EuroSys’12] enables user level migration on CloudXen Blanket [EuroSys 12] enables user level migration on Cloud. – Security • CloudVisor [SOSP’11] is inserted on existing VM on multi-tenant Cloud. • Process level snapshot – DMTCP: Distributed Multi Threaded Check Pointing • http://dmtcp.sourceforge.net/ If d ’t t d t b t h d l l t bilit f• If we don’t not need to care about hardware-level repeatability for rollback, DMTCP will be a candidate for protocol test generator.
National Institute of Advanced Industrial Science and Technology Conclusion • We propose a combination of nested VM and proxies for protocol fuzz testing environment. – It treats hardware-level repeatability (e.g., random number). – It is easy and flexible to implement. • Our method is not limited to protocol testing. It can be applied on other areas (e.g., I/O fuzz testing, memorypp ( g , g, y fuzz testing). Acknowledgement This work is supported by the National Institute of Information and Communications Technology of Japan.

Recommended

”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016Kuniyasu Suzaki
 
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kuniyasu Suzaki
 
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...Kuniyasu Suzaki
 
BMC: Bare Metal Container @Open Source Summit Japan 2017
BMC: Bare Metal Container @Open Source Summit Japan 2017BMC: Bare Metal Container @Open Source Summit Japan 2017
BMC: Bare Metal Container @Open Source Summit Japan 2017Kuniyasu Suzaki
 
RISC-V-Day-Tokyo2018-suzaki
RISC-V-Day-Tokyo2018-suzakiRISC-V-Day-Tokyo2018-suzaki
RISC-V-Day-Tokyo2018-suzakiKuniyasu Suzaki
 
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...CanSecWest
 
[Wroclaw #3] Trusted Computing
[Wroclaw #3] Trusted Computing[Wroclaw #3] Trusted Computing
[Wroclaw #3] Trusted ComputingOWASP
 
No[1][1]
No[1][1]No[1][1]
No[1][1]51 lecture
 

Recommended

”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016Kuniyasu Suzaki
 
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kuniyasu Suzaki
 
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...Kuniyasu Suzaki
 
BMC: Bare Metal Container @Open Source Summit Japan 2017
BMC: Bare Metal Container @Open Source Summit Japan 2017BMC: Bare Metal Container @Open Source Summit Japan 2017
BMC: Bare Metal Container @Open Source Summit Japan 2017Kuniyasu Suzaki
 
RISC-V-Day-Tokyo2018-suzaki
RISC-V-Day-Tokyo2018-suzakiRISC-V-Day-Tokyo2018-suzaki
RISC-V-Day-Tokyo2018-suzakiKuniyasu Suzaki
 
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...CanSecWest
 
[Wroclaw #3] Trusted Computing
[Wroclaw #3] Trusted Computing[Wroclaw #3] Trusted Computing
[Wroclaw #3] Trusted ComputingOWASP
 
No[1][1]
No[1][1]No[1][1]
No[1][1]51 lecture
 
y2038 issue
y2038 issuey2038 issue
y2038 issueSZ Lin
 
Building, deploying and testing an industrial linux platform @ Open source su...
Building, deploying and testing an industrial linux platform @ Open source su...Building, deploying and testing an industrial linux platform @ Open source su...
Building, deploying and testing an industrial linux platform @ Open source su...SZ Lin
 
ProjectVault[VivekKumar_CS-C_6Sem_MIT].pptx
ProjectVault[VivekKumar_CS-C_6Sem_MIT].pptxProjectVault[VivekKumar_CS-C_6Sem_MIT].pptx
ProjectVault[VivekKumar_CS-C_6Sem_MIT].pptxVivek Kumar
 
Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2Byres Security Inc.
 
Trusted computing introduction and technical overview
Trusted computing introduction and technical overviewTrusted computing introduction and technical overview
Trusted computing introduction and technical overviewSajid Marwat
 
Understanding and Improving Device Access Complexity
Understanding and Improving Device Access ComplexityUnderstanding and Improving Device Access Complexity
Understanding and Improving Device Access Complexityasimkadav
 
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, IntelXPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, IntelThe Linux Foundation
 
6 profiling tools
6 profiling tools6 profiling tools
6 profiling toolsvideos
 
Intel software guard extension
Intel software guard extensionIntel software guard extension
Intel software guard extensionDESMOND YUEN
 
HKG15-409: ARM Hibernation enablement on SoCs - a case study
HKG15-409: ARM Hibernation enablement on SoCs - a case studyHKG15-409: ARM Hibernation enablement on SoCs - a case study
HKG15-409: ARM Hibernation enablement on SoCs - a case studyLinaro
 
Embedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debuggingEmbedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debuggingAnne Nicolas
 
Tos tutorial
Tos tutorialTos tutorial
Tos tutorialmanikainth
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723Iftach Ian Amit
 
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...CODE BLUE
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CanSecWest
 
ACS-2010
ACS-2010ACS-2010
ACS-2010Bob Radvanovsky
 
Tkos secure boot_lecture_20190605
Tkos secure boot_lecture_20190605Tkos secure boot_lecture_20190605
Tkos secure boot_lecture_20190605benavrhm
 
Defense
DefenseDefense
DefenseTawfiq Shah
 
Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018The Linux Foundation
 
Spectre meltdown performance_tests - v0.3
Spectre meltdown performance_tests - v0.3Spectre meltdown performance_tests - v0.3
Spectre meltdown performance_tests - v0.3David Pasek
 
A trial investigation system for vulnerability on M2M network
A trial investigation system for vulnerability on M2M networkA trial investigation system for vulnerability on M2M network
A trial investigation system for vulnerability on M2M networkMocke Tech
 
A Trial Investigation System for Vulnerability on M2M Network
A Trial Investigation System for Vulnerability on M2M NetworkA Trial Investigation System for Vulnerability on M2M Network
A Trial Investigation System for Vulnerability on M2M NetworkKiyotaka Atsumi
 

More Related Content

What's hot

y2038 issue
y2038 issuey2038 issue
y2038 issueSZ Lin
 
Building, deploying and testing an industrial linux platform @ Open source su...
Building, deploying and testing an industrial linux platform @ Open source su...Building, deploying and testing an industrial linux platform @ Open source su...
Building, deploying and testing an industrial linux platform @ Open source su...SZ Lin
 
ProjectVault[VivekKumar_CS-C_6Sem_MIT].pptx
ProjectVault[VivekKumar_CS-C_6Sem_MIT].pptxProjectVault[VivekKumar_CS-C_6Sem_MIT].pptx
ProjectVault[VivekKumar_CS-C_6Sem_MIT].pptxVivek Kumar
 
Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2Byres Security Inc.
 
Trusted computing introduction and technical overview
Trusted computing introduction and technical overviewTrusted computing introduction and technical overview
Trusted computing introduction and technical overviewSajid Marwat
 
Understanding and Improving Device Access Complexity
Understanding and Improving Device Access ComplexityUnderstanding and Improving Device Access Complexity
Understanding and Improving Device Access Complexityasimkadav
 
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, IntelXPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, IntelThe Linux Foundation
 
6 profiling tools
6 profiling tools6 profiling tools
6 profiling toolsvideos
 
Intel software guard extension
Intel software guard extensionIntel software guard extension
Intel software guard extensionDESMOND YUEN
 
HKG15-409: ARM Hibernation enablement on SoCs - a case study
HKG15-409: ARM Hibernation enablement on SoCs - a case studyHKG15-409: ARM Hibernation enablement on SoCs - a case study
HKG15-409: ARM Hibernation enablement on SoCs - a case studyLinaro
 
Embedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debuggingEmbedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debuggingAnne Nicolas
 
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...CODE BLUE
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CanSecWest
 
Tkos secure boot_lecture_20190605
Tkos secure boot_lecture_20190605Tkos secure boot_lecture_20190605
Tkos secure boot_lecture_20190605benavrhm
 
Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018The Linux Foundation
 
Spectre meltdown performance_tests - v0.3
Spectre meltdown performance_tests - v0.3Spectre meltdown performance_tests - v0.3
Spectre meltdown performance_tests - v0.3David Pasek
 

What's hot (20)

y2038 issue
y2038 issuey2038 issue
y2038 issue
 
Building, deploying and testing an industrial linux platform @ Open source su...
Building, deploying and testing an industrial linux platform @ Open source su...Building, deploying and testing an industrial linux platform @ Open source su...
Building, deploying and testing an industrial linux platform @ Open source su...
 
ProjectVault[VivekKumar_CS-C_6Sem_MIT].pptx
ProjectVault[VivekKumar_CS-C_6Sem_MIT].pptxProjectVault[VivekKumar_CS-C_6Sem_MIT].pptx
ProjectVault[VivekKumar_CS-C_6Sem_MIT].pptx
 
Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2
 
Trusted computing introduction and technical overview
Trusted computing introduction and technical overviewTrusted computing introduction and technical overview
Trusted computing introduction and technical overview
 
Understanding and Improving Device Access Complexity
Understanding and Improving Device Access ComplexityUnderstanding and Improving Device Access Complexity
Understanding and Improving Device Access Complexity
 
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, IntelXPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
 
6 profiling tools
6 profiling tools6 profiling tools
6 profiling tools
 
Intel software guard extension
Intel software guard extensionIntel software guard extension
Intel software guard extension
 
HKG15-409: ARM Hibernation enablement on SoCs - a case study
HKG15-409: ARM Hibernation enablement on SoCs - a case studyHKG15-409: ARM Hibernation enablement on SoCs - a case study
HKG15-409: ARM Hibernation enablement on SoCs - a case study
 
Embedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debuggingEmbedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debugging
 
Tos tutorial
Tos tutorialTos tutorial
Tos tutorial
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723
 
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
 
ACS-2010
ACS-2010ACS-2010
ACS-2010
 
Tkos secure boot_lecture_20190605
Tkos secure boot_lecture_20190605Tkos secure boot_lecture_20190605
Tkos secure boot_lecture_20190605
 
Defense
DefenseDefense
Defense
 
Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018
 
Spectre meltdown performance_tests - v0.3
Spectre meltdown performance_tests - v0.3Spectre meltdown performance_tests - v0.3
Spectre meltdown performance_tests - v0.3
 

Similar to Slide used at ACM-SAC 2014 by Suzaki

A trial investigation system for vulnerability on M2M network
A trial investigation system for vulnerability on M2M networkA trial investigation system for vulnerability on M2M network
A trial investigation system for vulnerability on M2M networkMocke Tech
 
A Trial Investigation System for Vulnerability on M2M Network
A Trial Investigation System for Vulnerability on M2M NetworkA Trial Investigation System for Vulnerability on M2M Network
A Trial Investigation System for Vulnerability on M2M NetworkKiyotaka Atsumi
 
Automated Deployment & Benchmarking with Chef, Cobbler and Rally for OpenStack
Automated Deployment & Benchmarking with Chef, Cobbler and Rally for OpenStackAutomated Deployment & Benchmarking with Chef, Cobbler and Rally for OpenStack
Automated Deployment & Benchmarking with Chef, Cobbler and Rally for OpenStackNTT Communications Technology Development
 
Uvm presentation dac2011_final
Uvm presentation dac2011_finalUvm presentation dac2011_final
Uvm presentation dac2011_finalsean chen
 
淺談 Live patching technology
淺談 Live patching technology淺談 Live patching technology
淺談 Live patching technologySZ Lin
 
Securing IoT Applications
Securing IoT Applications Securing IoT Applications
Securing IoT Applications WSO2
 
Performance Tuning Oracle Weblogic Server 12c
Performance Tuning Oracle Weblogic Server 12cPerformance Tuning Oracle Weblogic Server 12c
Performance Tuning Oracle Weblogic Server 12cAjith Narayanan
 
Functioning incessantly of Data Science Platform with Kubeflow - Albert Lewan...
Functioning incessantly of Data Science Platform with Kubeflow - Albert Lewan...Functioning incessantly of Data Science Platform with Kubeflow - Albert Lewan...
Functioning incessantly of Data Science Platform with Kubeflow - Albert Lewan...GetInData
 
Oracle Enterprise manager SNMP and Exadata
Oracle Enterprise manager SNMP and ExadataOracle Enterprise manager SNMP and Exadata
Oracle Enterprise manager SNMP and ExadataMike Chafin
 
C08 – Updated planning and commissioning guidelines for Profinet - Xaver Sch...
C08 – Updated planning and commissioning guidelines for Profinet - Xaver Sch...C08 – Updated planning and commissioning guidelines for Profinet - Xaver Sch...
C08 – Updated planning and commissioning guidelines for Profinet - Xaver Sch...PROFIBUS and PROFINET InternationaI - PI UK
 
Netsft2017 day in_life_of_nfv
Netsft2017 day in_life_of_nfvNetsft2017 day in_life_of_nfv
Netsft2017 day in_life_of_nfvIntel
 
Srikanth_PILLI_CV_latest
Srikanth_PILLI_CV_latestSrikanth_PILLI_CV_latest
Srikanth_PILLI_CV_latestSrikanth Pilli
 
Mr201309 automated on-execute_test_using_virtual_box_eng
Mr201309 automated on-execute_test_using_virtual_box_engMr201309 automated on-execute_test_using_virtual_box_eng
Mr201309 automated on-execute_test_using_virtual_box_engFFRI, Inc.
 
Core Scheduling for Virtualization: Where are We? (If we Want it!)
Core Scheduling for Virtualization: Where are We? (If we Want it!)Core Scheduling for Virtualization: Where are We? (If we Want it!)
Core Scheduling for Virtualization: Where are We? (If we Want it!)Dario Faggioli
 
Swimming upstream: OPNFV Doctor project case study
Swimming upstream: OPNFV Doctor project case studySwimming upstream: OPNFV Doctor project case study
Swimming upstream: OPNFV Doctor project case studyOPNFV
 
Monitoring in Big Data Platform - Albert Lewandowski, GetInData
Monitoring in Big Data Platform - Albert Lewandowski, GetInDataMonitoring in Big Data Platform - Albert Lewandowski, GetInData
Monitoring in Big Data Platform - Albert Lewandowski, GetInDataGetInData
 

Similar to Slide used at ACM-SAC 2014 by Suzaki (20)

A trial investigation system for vulnerability on M2M network
A trial investigation system for vulnerability on M2M networkA trial investigation system for vulnerability on M2M network
A trial investigation system for vulnerability on M2M network
 
A Trial Investigation System for Vulnerability on M2M Network
A Trial Investigation System for Vulnerability on M2M NetworkA Trial Investigation System for Vulnerability on M2M Network
A Trial Investigation System for Vulnerability on M2M Network
 
Automated Deployment & Benchmarking with Chef, Cobbler and Rally for OpenStack
Automated Deployment & Benchmarking with Chef, Cobbler and Rally for OpenStackAutomated Deployment & Benchmarking with Chef, Cobbler and Rally for OpenStack
Automated Deployment & Benchmarking with Chef, Cobbler and Rally for OpenStack
 
Uvm presentation dac2011_final
Uvm presentation dac2011_finalUvm presentation dac2011_final
Uvm presentation dac2011_final
 
淺談 Live patching technology
淺談 Live patching technology淺談 Live patching technology
淺談 Live patching technology
 
Stuxnet
StuxnetStuxnet
Stuxnet
 
Securing IoT Applications
Securing IoT Applications Securing IoT Applications
Securing IoT Applications
 
SDI to IP 2110 Transition Part 2
SDI to IP 2110 Transition Part 2SDI to IP 2110 Transition Part 2
SDI to IP 2110 Transition Part 2
 
Performance Tuning Oracle Weblogic Server 12c
Performance Tuning Oracle Weblogic Server 12cPerformance Tuning Oracle Weblogic Server 12c
Performance Tuning Oracle Weblogic Server 12c
 
ECI OpenFlow 2.0 the Future of SDN
ECI OpenFlow 2.0 the Future of SDN ECI OpenFlow 2.0 the Future of SDN
ECI OpenFlow 2.0 the Future of SDN
 
Functioning incessantly of Data Science Platform with Kubeflow - Albert Lewan...
Functioning incessantly of Data Science Platform with Kubeflow - Albert Lewan...Functioning incessantly of Data Science Platform with Kubeflow - Albert Lewan...
Functioning incessantly of Data Science Platform with Kubeflow - Albert Lewan...
 
Oracle Enterprise manager SNMP and Exadata
Oracle Enterprise manager SNMP and ExadataOracle Enterprise manager SNMP and Exadata
Oracle Enterprise manager SNMP and Exadata
 
C08 – Updated planning and commissioning guidelines for Profinet - Xaver Sch...
C08 – Updated planning and commissioning guidelines for Profinet - Xaver Sch...C08 – Updated planning and commissioning guidelines for Profinet - Xaver Sch...
C08 – Updated planning and commissioning guidelines for Profinet - Xaver Sch...
 
Netsft2017 day in_life_of_nfv
Netsft2017 day in_life_of_nfvNetsft2017 day in_life_of_nfv
Netsft2017 day in_life_of_nfv
 
Srikanth_PILLI_CV_latest
Srikanth_PILLI_CV_latestSrikanth_PILLI_CV_latest
Srikanth_PILLI_CV_latest
 
Mr201309 automated on-execute_test_using_virtual_box_eng
Mr201309 automated on-execute_test_using_virtual_box_engMr201309 automated on-execute_test_using_virtual_box_eng
Mr201309 automated on-execute_test_using_virtual_box_eng
 
Core Scheduling for Virtualization: Where are We? (If we Want it!)
Core Scheduling for Virtualization: Where are We? (If we Want it!)Core Scheduling for Virtualization: Where are We? (If we Want it!)
Core Scheduling for Virtualization: Where are We? (If we Want it!)
 
Swimming upstream: OPNFV Doctor project case study
Swimming upstream: OPNFV Doctor project case studySwimming upstream: OPNFV Doctor project case study
Swimming upstream: OPNFV Doctor project case study
 
Monitoring in Big Data Platform - Albert Lewandowski, GetInData
Monitoring in Big Data Platform - Albert Lewandowski, GetInDataMonitoring in Big Data Platform - Albert Lewandowski, GetInData
Monitoring in Big Data Platform - Albert Lewandowski, GetInData
 
Pipelining In computer
Pipelining In computer Pipelining In computer
Pipelining In computer
 

More from Kuniyasu Suzaki

RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)
RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)
RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)Kuniyasu Suzaki
 
遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)
遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)
遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)Kuniyasu Suzaki
 
IETF111 RATS: Remote Attestation ProcedureS 報告
IETF111 RATS: Remote Attestation ProcedureS 報告IETF111 RATS: Remote Attestation ProcedureS 報告
IETF111 RATS: Remote Attestation ProcedureS 報告Kuniyasu Suzaki
 
Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)
Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)
Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)Kuniyasu Suzaki
 
ACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki
ACSAC2020 "Return-Oriented IoT" by Kuniyasu SuzakiACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki
ACSAC2020 "Return-Oriented IoT" by Kuniyasu SuzakiKuniyasu Suzaki
 
TEE (Trusted Execution Environment)は第二の仮想化技術になるか?
TEE (Trusted Execution Environment)は第二の仮想化技術になるか?TEE (Trusted Execution Environment)は第二の仮想化技術になるか?
TEE (Trusted Execution Environment)は第二の仮想化技術になるか?Kuniyasu Suzaki
 
3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)
3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)
3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)Kuniyasu Suzaki
 
USENIX NSDI17 Memory Disaggregation
USENIX NSDI17 Memory DisaggregationUSENIX NSDI17 Memory Disaggregation
USENIX NSDI17 Memory DisaggregationKuniyasu Suzaki
 
Io t security-suzki-20170224
Io t security-suzki-20170224Io t security-suzki-20170224
Io t security-suzki-20170224Kuniyasu Suzaki
 
Report for S4x14 (SCADA Security Scientific Symposium 2014)
Report for S4x14 (SCADA Security Scientific Symposium 2014)Report for S4x14 (SCADA Security Scientific Symposium 2014)
Report for S4x14 (SCADA Security Scientific Symposium 2014)Kuniyasu Suzaki
 
OSセキュリティチュートリアル
OSセキュリティチュートリアルOSセキュリティチュートリアル
OSセキュリティチュートリアルKuniyasu Suzaki
 
Nested Virtual Machines and Proxies
Nested Virtual Machines and Proxies Nested Virtual Machines and Proxies
Nested Virtual Machines and Proxies Kuniyasu Suzaki
 
Bitvisorをベースとした既存Windowsのドライバメモリ保護
Bitvisorをベースとした既存Windowsのドライバメモリ保護Bitvisorをベースとした既存Windowsのドライバメモリ保護
Bitvisorをベースとした既存Windowsのドライバメモリ保護Kuniyasu Suzaki
 
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)Kuniyasu Suzaki
 
仮想化技術によるマルウェア対策とその問題点
仮想化技術によるマルウェア対策とその問題点仮想化技術によるマルウェア対策とその問題点
仮想化技術によるマルウェア対策とその問題点Kuniyasu Suzaki
 
Technology Used in Virtual Machine (Jan 2008)
Technology Used in Virtual Machine (Jan 2008)Technology Used in Virtual Machine (Jan 2008)
Technology Used in Virtual Machine (Jan 2008)Kuniyasu Suzaki
 
EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...
EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...
EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...Kuniyasu Suzaki
 
ACM SOSP11 & SOCC11 & PLOS11 Report
ACM SOSP11 & SOCC11 & PLOS11 ReportACM SOSP11 & SOCC11 & PLOS11 Report
ACM SOSP11 & SOCC11 & PLOS11 ReportKuniyasu Suzaki
 
私立大学情報教育協会大学 情報セキュリティ研究講習会
私立大学情報教育協会大学 情報セキュリティ研究講習会私立大学情報教育協会大学 情報セキュリティ研究講習会
私立大学情報教育協会大学 情報セキュリティ研究講習会Kuniyasu Suzaki
 
Linux Symposium 2011 "Analysis of Disk Access Patterns on File Systems for Co...
Linux Symposium 2011 "Analysis of Disk Access Patterns on File Systems for Co...Linux Symposium 2011 "Analysis of Disk Access Patterns on File Systems for Co...
Linux Symposium 2011 "Analysis of Disk Access Patterns on File Systems for Co...Kuniyasu Suzaki
 

More from Kuniyasu Suzaki (20)

RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)
RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)
RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)
 
遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)
遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)
遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)
 
IETF111 RATS: Remote Attestation ProcedureS 報告
IETF111 RATS: Remote Attestation ProcedureS 報告IETF111 RATS: Remote Attestation ProcedureS 報告
IETF111 RATS: Remote Attestation ProcedureS 報告
 
Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)
Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)
Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)
 
ACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki
ACSAC2020 "Return-Oriented IoT" by Kuniyasu SuzakiACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki
ACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki
 
TEE (Trusted Execution Environment)は第二の仮想化技術になるか?
TEE (Trusted Execution Environment)は第二の仮想化技術になるか?TEE (Trusted Execution Environment)は第二の仮想化技術になるか?
TEE (Trusted Execution Environment)は第二の仮想化技術になるか?
 
3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)
3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)
3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)
 
USENIX NSDI17 Memory Disaggregation
USENIX NSDI17 Memory DisaggregationUSENIX NSDI17 Memory Disaggregation
USENIX NSDI17 Memory Disaggregation
 
Io t security-suzki-20170224
Io t security-suzki-20170224Io t security-suzki-20170224
Io t security-suzki-20170224
 
Report for S4x14 (SCADA Security Scientific Symposium 2014)
Report for S4x14 (SCADA Security Scientific Symposium 2014)Report for S4x14 (SCADA Security Scientific Symposium 2014)
Report for S4x14 (SCADA Security Scientific Symposium 2014)
 
OSセキュリティチュートリアル
OSセキュリティチュートリアルOSセキュリティチュートリアル
OSセキュリティチュートリアル
 
Nested Virtual Machines and Proxies
Nested Virtual Machines and Proxies Nested Virtual Machines and Proxies
Nested Virtual Machines and Proxies
 
Bitvisorをベースとした既存Windowsのドライバメモリ保護
Bitvisorをベースとした既存Windowsのドライバメモリ保護Bitvisorをベースとした既存Windowsのドライバメモリ保護
Bitvisorをベースとした既存Windowsのドライバメモリ保護
 
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
 
仮想化技術によるマルウェア対策とその問題点
仮想化技術によるマルウェア対策とその問題点仮想化技術によるマルウェア対策とその問題点
仮想化技術によるマルウェア対策とその問題点
 
Technology Used in Virtual Machine (Jan 2008)
Technology Used in Virtual Machine (Jan 2008)Technology Used in Virtual Machine (Jan 2008)
Technology Used in Virtual Machine (Jan 2008)
 
EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...
EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...
EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...
 
ACM SOSP11 & SOCC11 & PLOS11 Report
ACM SOSP11 & SOCC11 & PLOS11 ReportACM SOSP11 & SOCC11 & PLOS11 Report
ACM SOSP11 & SOCC11 & PLOS11 Report
 
私立大学情報教育協会大学 情報セキュリティ研究講習会
私立大学情報教育協会大学 情報セキュリティ研究講習会私立大学情報教育協会大学 情報セキュリティ研究講習会
私立大学情報教育協会大学 情報セキュリティ研究講習会
 
Linux Symposium 2011 "Analysis of Disk Access Patterns on File Systems for Co...
Linux Symposium 2011 "Analysis of Disk Access Patterns on File Systems for Co...Linux Symposium 2011 "Analysis of Disk Access Patterns on File Systems for Co...
Linux Symposium 2011 "Analysis of Disk Access Patterns on File Systems for Co...
 

Recently uploaded

AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 

Recently uploaded (20)

AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 

Slide used at ACM-SAC 2014 by Suzaki

  • 1. National Institute of Advanced Industrial Science and Technology Rollback MechanismRollback Mechanism of Nested Virtual Machines for Protocol Fuzz Testing Kuniyasu Suzaki*, Toshiki Yagi*, Akira Tanaka*, Y taka Oi a* Ets a Shiba ama*‡Yutaka Oiwa , Etsuya Shibayama ‡ * National Institute of Advanced Industrial Science and Technology(AIST)National Institute of Advanced Industrial Science and Technology(AIST) ‡The University of Tokyo ACM SAC(Symposium On Applied Computing)2014 at Gyeongju, South Korea March 25
  • 2. National Institute of Advanced Industrial Science and Technology Motivation 1/2Motivation 1/2 • Sec re protocols (SSL/TLS SSH etc) are important for• Secure protocols (SSL/TLS, SSH, etc) are important for Internet commerce. l bili i f i l i f• However, vulnerabilities of implementation of secure protocols are discovered repeatedly. – Incidents of SSL/TLS vulnerabilities • Insufficient entropy of random numbers [2012] – It creates same secret-keys for SSL/TLS certificates.It creates same secret keys for SSL/TLS certificates. – EFF offers a site to check SSL certificates. » https://www.eff.org/observatory • CRIME[2012]• CRIME[2012] – It attacks to the data compression used by the TLS and SPDY. • Lucky Thirteen[2013] – It attacks padding oracle using timing side-channel.
  • 3. National Institute of Advanced Industrial Science and Technology Motivation 2/2Motivation 2/2 • The implementations of secure protocols should be verified. • Our group increases TLS security with 2 approaches. F l ifi i– Formal verification • Verify important parts of protocol hander program. – “Formal Network Packet Processing with Minimal Fuss: Invertible Syntax Descriptions atFormal Network Packet Processing with Minimal Fuss: Invertible Syntax Descriptions at Work.” [PLPV’12] – “Towards Formal Verification of TLS Network Packet Processing Written in C” [PLPV’13] – Exhaustive Protocol Fuzz Testing • Try to check all reaction of protocol handler. – Protocol Test Generator creates and sends many fuzzed packets to check implementation of protocol handler. – (Today’s Topic) Computing environment for protocol fuzz testing
  • 4. National Institute of Advanced Industrial Science and Technology O liOutline M i i• Motivation • Protocol Test Generator: fuzz testing on a protocol handler • Why we use nested VM for protocol fuzz testing? • Design issuesDesign issues • Implementation P f l i• Performance evaluation on current prototype. • Conclusion
  • 5. National Institute of Advanced Industrial Science and Technology Protocol Test Generator V if t l h d f h t l t t• Verify a protocol hander for each protocol state – Repeat the following sequence for each protocol state 1. Creates a fuzzed packet 2. Send it to a protocol hander 3. Check the reply • Fuzzed packets are tested on each protocol stateFuzzed packets are tested on each protocol state many times. • Snapshot and rollback mechanism is required.S p q
  • 6. National Institute of Advanced Industrial Science and Technology Sequence of Protocol Test Generator (TLS)Sequence of Protocol Test Generator (TLS) Normal TargetProtocol Generator Client Hello Take Snapshot Client Hello Server Hello Server Certificate Snapshot1 Server Hello Done Take SnapshotTake Snapshot Client Key Exchange … Snapshot 2
  • 7. National Institute of Advanced Industrial Science and Technology Sequence of Protocol Test Generator (TLS)Sequence of Protocol Test Generator (TLS) Normal Fuzz for Client Hello TargetProtocol Generator TargetProtocol Generator Client Hello Take Snapshot [Fuzz1] Client Hello Rollback Snapshot1 Client Hello Server Hello Server Certificate Snapshot1 [Fuzz1] Client Hello ???? Good or Bad? Rollback1 Server Hello Done Take Snapshot Rollback Snapshot1 Good or Bad? Take Snapshot Client Key Exchange … Snapshot 2 [Fuzz2] Client Hello ???? Rollback 1 Good or Bad? [FuzzN] Client Hello
  • 8. National Institute of Advanced Industrial Science and Technology Sequence of Protocol Test Generator (TLS)Sequence of Protocol Test Generator (TLS) Normal Fuzz for Client Hello Fuzz for Client Key Exchange TargetProtocol Generator TargetProtocol Generator TargetProtocol Generator Client Hello Take Snapshot [Fuzz1] Client Hello Rollback Snapshot1 [Fuzz1] Client Key Rollback Snapshot2 Client Hello Server Hello Server Certificate [Fuzz1] Client Hello ???? Good or Bad? Snapshot1 Rollback 1 [Fuzz1] Client Key Exchange ??? Rollback2 Server Hello Done Take Snapshot Rollback Snapshot1 Good or Bad? Rollback Snapshot2 Good or Bad? Take Snapshot Client Key Exchange … [Fuzz2] Client Hello ???? Snapshot 2 Rollback 1 Rollback 2 [Fuzz2] Client Key Exchange ??? [FuzzN] Client Hello Good or Bad? ??? Good or Bad? [FuzzN] Client Key Exchange
  • 9. National Institute of Advanced Industrial Science and Technology Requirement for Protocol Test GeneratorRequirement for Protocol Test Generator 1. Packet level granularity control – Generator wants to take a snapshot just before sending a packet. 2. Hardware-level repeatability B l biliti d b it ti i t (– Because some vulnerabilities are caused by its computing environment (e.g., random number) 3. Consistency between generator and target protocol hander3. Consistency between generator and target protocol hander – Most snapshot/rollback mechanism does not care of packets on a wire. 1. We propose a special protocol to control target computing environment. 2. We uses Virtual Machine which offers hardware-level repeatability f h / llb kfor snapshot/rollback. 3. Design issues. (Mention in later slides)
  • 10. National Institute of Advanced Industrial Science and Technology Proposed Protocol (VTP: Virtual Test Protocol)Proposed Protocol (VTP: Virtual Test Protocol) • VTP treats packets of test-target protocol as data. T t t t k t l t d t “C l ” k t– Test-target packets are en-capsulated to “Capsule” packets – “Capsule” packets must be de-capsulated on target computing environment. • VTP has special packets to control target computing environment• VTP has special packets to control target computing environment – “Take_Snapshot” and “Rollback” Protocol Action Capsule Packets of secure communication are encapsulated with capsule protocol. The flow of capsulated packets is managed h t k h t llb k k t i i dwhen take_snapshot or rollback packet is issued. Take_ Snapshot Take VM snapshot image. Packets on the wire must be managed by a certain method. Return snapshot ID. R h i C i f Rollback (with ID) Resume snapshot image. Connection of secure communication must be operative, when a previous image is resumed. Target computing environment (VM) has to deal with the VTP.
  • 11. National Institute of Advanced Industrial Science and Technology Design Issues for VM (Computing environment)Design Issues for VM (Computing environment) • Virtual Machine runs a protocol handler. • En-capsulated packets by VTP must be de-capsulated on a target VM. – Original packets must be passed to a target protocol handler on the VM. • The control packets (take_snapshot and rollback) must be dealt by the VM. • The VTP packets on the network must be maintained. – We have to deal with consistent global state defied by [Chandy-Lamport, 1985]. Protocol Generator Target Environment Snapshots of VM VTP Protocol handler TLS VTP VM deals with VTP protocol. Packets on the network must be maintained. VM
  • 12. National Institute of Advanced Industrial Science and Technology Design choice for handling VTPDesign choice for handling VTP • Customize VM’s network function for VTPCustomize VM s network function for VTP – We planned to customize SLiRP of QEMU • However VM control (snapshot/rollback) from SLiRP is strange, because it( p ) g , is a part of VM. It is not flexible. • Nested VM and Proxies (external & internal) – External proxy manages VTP control packets and takes snapshot of External VM. – A snapshot of External VM keeps connectivity of network between internal proxy and a protocol handler on Internal VM. • Pros: Easy and flexible implementation. » It utilizes existing VM control commands. Don’t need to change VM. • Cons: Overhead? Performance is improved by many previous researchesCons: Overhead? Performance is improved by many previous researches.
  • 13. National Institute of Advanced Industrial Science and Technology Design: Nested VM and Proxiesg • External VM (a unit of snapshot) – It is used to take snapshot of Internal VM and Internal Proxy. • Internal VM (hardware repeatability)( p y) – It includes protocol hander and keeps connection with Internal Proxy, when External VM is taken a snapshot. • External Proxy – Connects to Protocol Generator directly, and controls snapshot/rollback of External VM. Real Machine External VMControl the target VM • Internal Proxy – Maintain connectivity of VTP Protocol when a snapshot image is resumed. Real Machine External VM Internal VM Control the  target VM (SAVEVM, LOADVM) Decapsulate control  commands Internal Proxy openSSL Port forward External Proxy External Proxy Internal ProxyTLS VTP TLSTLS VTP External VM Internal VM External VM Internal VM Protocol Generator “take_snapshot” packet make a  round‐trip between external  and internal proxy to confirm  no VTP packets on the wire 13 Internal VM SSH openSSL Keep connectionSnapshots no  VTP packets on the wire. Rollback TLS
  • 14. National Institute of Advanced Industrial Science and Technology Handling VTP “capsule” packetHandling VTP capsule packet • Protocol Generator en-casuplates test-target packets with “capsule” packets. • External Proxy passes capsule packets to Internal Proxy without change. • Internal Proxy de-capsulates VTP packets and passes original packets to protocol hander on Internal VMhander on Internal VM. Real Machine External VMReal Machine External VM Internal VM Decapsulate control  commands Internal Proxy openSSL Port forward External Proxy External Proxy Internal ProxyTLS VTP TLSTLS VTP Protocol Generator
  • 15. National Institute of Advanced Industrial Science and Technology Handling VTP “take snapshot” packetHandling VTP take_snapshot packet • When a “take_snapshot” packet is issued, the packet makes a round trip between External and Internal Proxy to confirm that there is no VTP packet on the wire (consistent global state defied by Chandy Lamport)(consistent global state defied by Chandy-Lamport). • After that, External Proxy sends SAVEM command to External VM to take a snapshot. • Connection between Internal Proxy and protocol handler is kept in a snapshot. Real Machine External VMControl the  target VMReal Machine External VM Internal VM g (SAVEVM) Decapsulate control  commands Internal Proxy openSSL Port forward External Proxy External Proxy Internal Proxy P t l TLS VTP TLSTLS VTP External VM Internal VM External VM Internal VM Protocol Generator “take_snapshot” packet make a  round‐trip between external  and internal proxy to confirm  no VTP packets on the wire. 15 Internal VM SSH openSSL Keep connectionSnapshots no  VTP packets on the wire. TLS
  • 16. National Institute of Advanced Industrial Science and Technology Handling VTP “rollback” packetHandling VTP rollback packet • When a “rollback” packet is issued, the External Proxy send LOADVM command to External VM It resumes an old imageLOADVM command to External VM. It resumes an old image. • After that, External and Internal proxies re-establish the connection between them, because they loses the network states when rollback., y – Internal proxy and protocol handler do not need to care about network connection. Real Machine External VMControl the  target VMReal Machine External VM Internal VM g (LOADVM) Decapsulate control  commands Internal Proxy openSSL Port forward External Proxy External Proxy Internal Proxy P t l TLS VTP TLSReestablish External VM Internal VM External VM Internal VM Protocol Generator 16 Internal VM SSH openSSL Keep connection Rollback TLS
  • 17. National Institute of Advanced Industrial Science and Technology OptimizationOptimization • Most overhead of VM is caused by video emulation. – Nested VMs must emulate the GUI of internal VM on external VM again.g • Fortunately QEMU and KVM have “curses mode” which emulates text user interface. • We eliminate GUI on both internal and external VMs. N GUI d d k h t i k– No GUI reduces memory usage and make snapshot quick. GUIs of Nested VMs No GUI of Nested VMs OpenSSL on Linux on Internal VM (QEMU) on External VM (KVM) ith d Internal VM (QEMU) OpenSSL on Windows Extenal Proxy Protocol Tester with curses mode Protocol Tester External Proxy External VM (KVM) Internal Proxy on Linux
  • 18. National Institute of Advanced Industrial Science and Technology Current ImplementationCurrent Implementation • We implement Nested VM and proxies on normalWe implement Nested VM and proxies on normal Debian GNU Linux x86. – External VM: KVMExternal VM: KVM • The VM is a unit of snapshot and is NOT required hardware repeatability. • KVM is fast with virtualization technology of X86. – Internal VM: QEMU h l h d f bili ( d b• The VM emulates hardware for repeatability (e.g., random number generator). – Proxies are written by PerlProxies are written by Perl. • External Proxy: 430 LOC • Internal Proxy: 132 LOC• Internal Proxy: 132 LOC
  • 19. National Institute of Advanced Industrial Science and Technology Performance evaluationPerformance evaluation • We evaluated performance on Protocol Test Generator. – Test for hand shake of TLS (PolarSSL) takes 9 snapshots and 2,311 rollbacks. – Effect of GUI and noGUI. – Effct of Memory size (large 1024MB/512MB small 512MB/256MB)– Effct of Memory size (large 1024MB/512MB, small 512MB/256MB) GUI Mem: NoGUI Mem: NoGUI Mem: 1024/512 (sec) 1024/512 (sec) 512/256 (sec) Setting up nested VMs 266 107 93g p Fuzz packet generator 1,307 1,164 1,080 Nested VMs and Proxies Snapshot (9 times) 57 (Av 6.33) 37 (Av 4.11) 24 (Av 2.67) R llb k 3 135 2 197 1 286 VM overhead isRollback (2,311times) 3,135 (Av 1.36) 2,197 (Av 0.96) 1,286 (Av 0.56) Other 12 13 12 Total 5 043 3 622 2 587 VM overhead is almost same to packet generator. Total 5,043 3,622 2,587 ThinkPad T410 (CPU Intel Core i7-M620 2.67Ghz, Memory 4GB).
  • 20. National Institute of Advanced Industrial Science and Technology R lt f P t l F T tiResults of Protocol Fuzz Testing W ifi d th h d h k f 4 TLS• We verified the handshake of 4 TLS servers. – OpenSSL, GnuTLS, CyaSSL, and PolarSSL. • The fuzz testing found 2 bugs in CyaSSL– 2 bugs in CyaSSL – 1 bug in PolarSSL • We reported the results to the mailing list, and the bugs were fixed.g
  • 21. National Institute of Advanced Industrial Science and Technology R l t d kRelated works • Nested VM• Nested VM – Migration • Xen-Blanket [EuroSys’12] enables user level migration on CloudXen Blanket [EuroSys 12] enables user level migration on Cloud. – Security • CloudVisor [SOSP’11] is inserted on existing VM on multi-tenant Cloud. • Process level snapshot – DMTCP: Distributed Multi Threaded Check Pointing • http://dmtcp.sourceforge.net/ If d ’t t d t b t h d l l t bilit f• If we don’t not need to care about hardware-level repeatability for rollback, DMTCP will be a candidate for protocol test generator.
  • 22. National Institute of Advanced Industrial Science and Technology Conclusion • We propose a combination of nested VM and proxies for protocol fuzz testing environment. – It treats hardware-level repeatability (e.g., random number). – It is easy and flexible to implement. • Our method is not limited to protocol testing. It can be applied on other areas (e.g., I/O fuzz testing, memorypp ( g , g, y fuzz testing). Acknowledgement This work is supported by the National Institute of Information and Communications Technology of Japan.