The document describes a project to bridge the semantic gap in virtualized environments. It aims to generate a complete view of a guest VM by connecting the Volatility memory forensics framework to QEMU. This allows leveraging Volatility plugins to live monitor the guest OS without modifying the guest. It implements a QEMU monitor command to dump VM memory and execute Volatility commands. Performance evaluation and malware analysis demonstrations are provided. The open problem of interpreting low-level VM state as high-level guest OS semantic information is discussed.
This talk with discuss the design and implementation of a new type of hypervisor derived from the Xen code base. µ-Xen has been built and optimized for modern CPUs and chipsets, and thus assumes the presence of CPU and IO MMUs that are virtualization capable. µ-Xen borrows extensively from the production-proven and tuned Xen code base, but removal of support for older hardware and PV-MMU guests has enabled significant simplification of the code. µ-Xen supports optimizations in support of running large numbers of very similar virtual machines, through the support of a native 'vmfork' optimization and efficient re-merging of shareable pages.
The primary goal of µ-Xen has been to run as a late-load hypervisor on an existing OS. It has a narrow and well-defined interface to the services it expects from the underlying OS, which makes it easy to port to other OSes, or to enable it to run on bare metal. During initialisation, µ-Xen can de-privilege the running host OS into a VM container, enabling it to establish itself as the most privileged software component in the system. Thus, µ-Xen enforces the privacy and integrity of itself and VMs that it is running, against a faulty or malicious host OS, while co-operating with the host OS on the actual allocation of physical resources.
XPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE SystemsThe Linux Foundation
The OpenXT Project is an Open Source community producing a Xen-based platform for client devices with a focus on providing strong security properties. The different primary use cases of this project versus server-based Xen systems have motivated notable technical differences and consequently OpenXT should be of interest to anyone seeking to understand the full set of capabilities on offer within the Xen ecosystem.
In this presentation, Christopher Clark will describe the technical architecture of OpenXT, its current status and development activity within the project and its engagement with the upstream OpenEmbedded and Xen projects. This will include an overview of OpenXT's differentiating features such as Measured Launch, Virtual TPMs, Linux-based stubdoms, a specialized input layer and a distinct PV USB stack for Windows and Linux.
This talk will discuss the challenges of client virtualization and introduce at a technical level XenClient XT, a security-oriented client virtualization product by Citrix. By describing XenClient XT architecture and features, it will be shown how the unique Xen's design and its support for modern x86 platform hardware can increase security and isolation among VMs.
Disaggregation of services provided by the platform will be a key of this talk. It will also be shown how third party software components can provide services to VMs in a secure and controlled way.
XPDS16: Hypervisor-based Security: Vicarious Learning via Introspektioneerin...The Linux Foundation
This presentation is based on the technical hurdles we overcame when building a commercial product on the introspection capabilities of the Xen hypervisor. Mihai Dontu will relate the importance of the x86 emulator, the need for a more focused effort on its completeness and correctness, the problems encountered, and the solutions adopted. He will also approach the subject of performance, for which hypervisor features that were not meant to be in the hot path had to be punctually reworked to solve a key requirement for making a theoretical product a commercial reality.
The talk is a status report for the latest release and development projects. It will cover the new features and important bug fixes (if any) in 4.7. It will also provide insight on what’s in the queue for the next major release. Retrospective on the release process will also be part of talk.
LFNW2014 Advanced Security Features of Xen Project HypervisorThe Linux Foundation
As delivered by Russell Pavlicek at Linuxfest Northwest 2014. Some of the key security features which can be enabled when using the Xen Project Hypervisor.
XPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGICThe Linux Foundation
Data Breaches are all over the news these days, and no organization is safe. Nobody, from the largest governments to the biggest banks to the most advanced security companies is able to adequately protect themselves. The difficulty is that there are infinite number of ways to exfiltrate data from an organization ranging from stolen/lost hardware to steganography to malicious insiders to 0Day exploits installing malware to side channels. The industry is trying to solve this problem using detection, heuristics, pattern matching and behavioral analysis. A new approach is clearly needed to fight the Data Breach problem and keep data inside an organization.
Come find out how to use Hypervisors to repurpose hardware to protect sensitive data under the assumption of compromised networks, devices and users (Malicious Insiders). In addition, find out how to do so without using any type of detection, heuristics, pattern matching or behavioral analysis, but rather a strictly algorithmic approach rooted in hardware. Finally, learn about how this technology can be used in a generic manner to protect data of DataBases, Server Software, unmodified legacy applications, and unmodified consumer applications such as word processing and spreadsheet software.
This talk with discuss the design and implementation of a new type of hypervisor derived from the Xen code base. µ-Xen has been built and optimized for modern CPUs and chipsets, and thus assumes the presence of CPU and IO MMUs that are virtualization capable. µ-Xen borrows extensively from the production-proven and tuned Xen code base, but removal of support for older hardware and PV-MMU guests has enabled significant simplification of the code. µ-Xen supports optimizations in support of running large numbers of very similar virtual machines, through the support of a native 'vmfork' optimization and efficient re-merging of shareable pages.
The primary goal of µ-Xen has been to run as a late-load hypervisor on an existing OS. It has a narrow and well-defined interface to the services it expects from the underlying OS, which makes it easy to port to other OSes, or to enable it to run on bare metal. During initialisation, µ-Xen can de-privilege the running host OS into a VM container, enabling it to establish itself as the most privileged software component in the system. Thus, µ-Xen enforces the privacy and integrity of itself and VMs that it is running, against a faulty or malicious host OS, while co-operating with the host OS on the actual allocation of physical resources.
XPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE SystemsThe Linux Foundation
The OpenXT Project is an Open Source community producing a Xen-based platform for client devices with a focus on providing strong security properties. The different primary use cases of this project versus server-based Xen systems have motivated notable technical differences and consequently OpenXT should be of interest to anyone seeking to understand the full set of capabilities on offer within the Xen ecosystem.
In this presentation, Christopher Clark will describe the technical architecture of OpenXT, its current status and development activity within the project and its engagement with the upstream OpenEmbedded and Xen projects. This will include an overview of OpenXT's differentiating features such as Measured Launch, Virtual TPMs, Linux-based stubdoms, a specialized input layer and a distinct PV USB stack for Windows and Linux.
This talk will discuss the challenges of client virtualization and introduce at a technical level XenClient XT, a security-oriented client virtualization product by Citrix. By describing XenClient XT architecture and features, it will be shown how the unique Xen's design and its support for modern x86 platform hardware can increase security and isolation among VMs.
Disaggregation of services provided by the platform will be a key of this talk. It will also be shown how third party software components can provide services to VMs in a secure and controlled way.
XPDS16: Hypervisor-based Security: Vicarious Learning via Introspektioneerin...The Linux Foundation
This presentation is based on the technical hurdles we overcame when building a commercial product on the introspection capabilities of the Xen hypervisor. Mihai Dontu will relate the importance of the x86 emulator, the need for a more focused effort on its completeness and correctness, the problems encountered, and the solutions adopted. He will also approach the subject of performance, for which hypervisor features that were not meant to be in the hot path had to be punctually reworked to solve a key requirement for making a theoretical product a commercial reality.
The talk is a status report for the latest release and development projects. It will cover the new features and important bug fixes (if any) in 4.7. It will also provide insight on what’s in the queue for the next major release. Retrospective on the release process will also be part of talk.
LFNW2014 Advanced Security Features of Xen Project HypervisorThe Linux Foundation
As delivered by Russell Pavlicek at Linuxfest Northwest 2014. Some of the key security features which can be enabled when using the Xen Project Hypervisor.
XPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGICThe Linux Foundation
Data Breaches are all over the news these days, and no organization is safe. Nobody, from the largest governments to the biggest banks to the most advanced security companies is able to adequately protect themselves. The difficulty is that there are infinite number of ways to exfiltrate data from an organization ranging from stolen/lost hardware to steganography to malicious insiders to 0Day exploits installing malware to side channels. The industry is trying to solve this problem using detection, heuristics, pattern matching and behavioral analysis. A new approach is clearly needed to fight the Data Breach problem and keep data inside an organization.
Come find out how to use Hypervisors to repurpose hardware to protect sensitive data under the assumption of compromised networks, devices and users (Malicious Insiders). In addition, find out how to do so without using any type of detection, heuristics, pattern matching or behavioral analysis, but rather a strictly algorithmic approach rooted in hardware. Finally, learn about how this technology can be used in a generic manner to protect data of DataBases, Server Software, unmodified legacy applications, and unmodified consumer applications such as word processing and spreadsheet software.
XPDS16: libvirt and Tools: What's New and What's Next - James Fehlig, SUSEThe Linux Foundation
A year has passed since the last Xen Developer Summit and it is time to announce the quiet progress made on the libvirt libxl driver and related tooling. New features include memory, cpu, block device, and network interface statistics reporting, support for pvUSB, support for migration stream V2, peer-to-peer migration, UEFI for HVM guests via OVMF, and domain capabilities reporting to name a few. There are also many noteworthy improvements such as better conversion of xl.cfg to/from libvirt domXML, allowing users to easily switch between the xl+libxl and libvirt+libxl toolstacks.
The summit also provides an opportunity to discuss new proposals such as better control of domain placement on NUMA systems, exposing Xen's cpu pool feature in libvirt, supporting non-volatile memory for UEFI variables, and improved capabilities reporting.
Much of libvirt's value for Xen is in the tools built upon it: virt-manager, virt-viewer, virt-install, virt-builder, kimchi, OpenStack nova, etc. These tools also deserve a quick status update as they relate to Xen.
The audience is encouraged to participate, e.g. by requesting a sorely missing feature, warning of an upcoming Xen change that may affect libvirt, or simply suggesting a change that makes virtualization management life a bit easier.
This talk provides an overview of the Xen Project eco-system and its main use-cases in a number of important market segments: it covers server virtualization, cloud computing and embedded, automotive and related. Lars Kurth highlights why the Xen Project is relevant in these market segments: he provides an overview of the Xen Project's architecture, relevant existing functionality and ongoing and planned developments. To complement the picture, he covers open-source projects that are related to Xen and are of interest for these use-cases. Excellent Software security is key to all of these use-cases. Thus, Lars specifically covers the Xen Project's security features, track record and touches on the project's security practices. He concludes with a few resources that help you get started with the Xen Project and highlight Internship Programs which the project supports.
The talk was delivered at Root Linux Conference 2017. Learn more: http://linux.globallogic.com/materials. The video is available at https://www.youtube.com/watch?v=sjQnAIJji4k
Today Xen is scheduling guest virtual cpus on all available physical cpus independently from each other. Recent security issues on modern processors (e.g. L1TF) require to turn off hyperthreading for best security in order to avoid leaking information from one hyperthread to the other. One way to avoid having to turn off hyperthreading is to only ever schedule virtual cpus of the same guest on one physical core at the same time. This is called core scheduling.
This presentation shows results from the effort to implement core scheduling in the Xen hypervisor. The basic modifications in Xen are presented and performance numbers with core scheduling active are shown.
Virtualization with KVM (Kernel-based Virtual Machine)Novell
As a technical preview, SUSE Linux Enterprise Server 11 contains KVM, which is the next-generation virtualization software delivered with the Linux kernel. In this technical session we will demonstrate how to set up SUSE Linux Enterprise Server 11 for KVM, install some virtual machines and deal with different storage and networking setups.
To demonstrate live migration we will also show a distributed replicated block device (DRBD) setup and a setup based on iSCSI and OCFS2, which are included in SUSE Linux Enterprise Server 11 and SUSE Linux Enterprise 11 High Availability Extension.
Dealing with Hardware Heterogeneity Using EmbeddedXEN, a Virtualization Frame...The Linux Foundation
EmbeddedXEN is a particularly efficient virtualization framework tailored to ARM-based core embedded systems.
While security and OS isolation are key features of conventional virtualizuation frameworks, the main concerns for EmbeddedXEN are device heterogeneity and realtime aspects, which are particularly important in the embedded world.
EmbeddedXEN mainly relies on the original XEN architecture but with major differences in the way guest OS are handled: the hypervisor has been simplified, and only two guest OS (dom0 and domU) can run simultaneously; while dom0 is used to manage the native OS with drivers (original and backend splitted drivers), a paravirtualized OS (domU) can be cross-compiled on a different ARM device, and user applications can run seamlessly on the (virtualized) host device. Another important difference is that no user space tools are required to manage the VMs; the framework produces a compact single binary image containing both dom0 and domU guests, which can be easily deployed. The Xenbus architecture has been adapted to that context.
EmbeddedXEN therefore allows the porting of an OS and its applications from an ARM embedded device to last generation ARM hardware, such as HTC Smartphone for example.
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...The Linux Foundation
Docker and other container runtimes are gathering momentum and becoming the new industry standard for server applications. Linux namespaces, commonly used to run Docker apps, come with a large surface of attack which is difficult to reduce. Intel’s Clear Containers use KVM to run containers as VMs to provide additional isolation. It is possible to provide VM-like isolation for containers without sacrificing performance.
This talk focuses on the benefits of using Xen to provide an execution environment for Docker apps. The presentation starts by listing the requirements of this environment. It explains why monitoring container syscalls is important and what its security benefits are. The talk introduces a new paravirtualized protocol to virtualize IP sockets and provides the design and implementation details. The presentation clarifies the impact of the new protocol from a security perspective. The discussion concludes by comparing performance figures with the traditional PV network frontend and backend drivers in Linux, explaining the reasons for any performance gaps.
XPDS16: Xen Orchestra: building a Cloud on top of Xen - Olivier Lambert & Jul...The Linux Foundation
Since its inception, the Xen Orchestra project which uses AGPLv3, always had a philosophy to listen and engage the community. User feedback shaped our initial concept, which first targeted system administrators. Eventually, our users drove us to support cloud-scale deployments supporting up to 2000 VM's. Retaining simplicity in usage and installation, while evolving Xen Orchestra to cloud scale posed many challenges. This led us to build many new features such ACLs, self-service, live charts, config drive management, and more, forced us to constantly evolve our architecture. First we will show how user needs changed our architecture, and how we implemented challenging problems such as user permissions, ACLs, Containers in a virtualized infrastructure and self service. We will conclude with a short demo, what is next and a lessons learned.
[CB19] Attacking DRM subsystem to gain kernel privilege on Chromebooks by Di ...CODE BLUE
Chromebook is one of the most secure laptops so far. It is running the Linux-based Chrome OS as its operation system. Google Chrome team has applied many effective mitigations on Chrome OS and will also release security updates for it every a few weeks.
At the beginning of this year, my colleagues planned to build a full exploit chain to achieve code execution on Chromebook remotely and persistently, which is very challenging. I joined their project in middle stage,attempted to find bugs for local privilege escalation in limited time, and finally contributed a kernel vulnerability on Chrome OS to finish the full chain.
The Direct Rendering Manager (DRM) is a subsystem of the Linux kernel, exposes an API that user-space programs can use to send commands and data to the GPU, and to perform operations such as configuring the mode setting of the display. Meanwhile,DRM is also an awesome attack surface for attackers to escalate local privilege on Linux.
In this talk, I’m going to share the full story of exploiting a new DRM vulnerability on Chrome OS. First, I’ll introduce the implementation of DRM subsystem briefly,and explain why a kernel exploit is helpful for us to bypass some mitigations like ‘Verified Boot’ on Chrome OS. Second, I’ll describe how I found the kernel bug on DRM in very limited time. After that, I’ll show you how to exploit an integer overflow, bypass the annoying mitigation “HARDENED_USERCOPY” in Linux kernel and successfully gain root privilege. At the end there will also be a demonstration of this exploit, as a proof of content.
Hypervisors and Virtualization - VMware, Hyper-V, XenServer, and KVMvwchu
With co-presenter Maninder Singh, delivered a presentation about hypervisors and virtualization technology for an independent topic study project for the Operating System Design (EECS 4221) course at York University, Canada in October 2014.
Virtualization, briefly, is the separation of resources or requests for a service from the underlying physical delivery of that service. It is a concept in which access to a single underlying piece of hardware is coordinated so that multiple guest operating systems can share a single piece of hardware, with no guest operating system being aware that it is actually sharing anything at all.
Migration of virtual machines without guest downtime is a key feature for hypervisors. Sadly, not all hardware is the same, and keeping guests running in a heterogeneous environment takes a lot of care. Normally, features are advertised via the CPUID instruction, but life is never as simple as we would like. Andrew will discuss what information needs to be controlled, what information can and can't be controlled, and how it applies to Xen guests.
Demand-Based Coordinated Scheduling for SMP VMsHwanju Kim
Hwanju Kim, Sangwook Kim, Jinkyu Jeong, Joonwon Lee, and Seungryoul Maeng, “Demand-Based Coordinated Scheduling for SMP VMs”, International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), Houston, Texas, USA, Mar. 2013.
In this session we examined the Xen PV performance on the latest platforms in a few cases that covers CPU/memory intensive, disk intensive and network intensive workloads. We compared Xen PV guest vs. HVM/PVOPS to see whether PV guest still have advantage over HVM on a system with state-of-the-art VT features. KVM was also compared as a reference. We also compared PV driver performance against bare-metal and pass-through/SR-IOV. The identified issues were discussed and we presented our proposal on fixing those issues.
The virtualization can be described in a generic way as a separation of the service request from the underlying physical delivery of that service. In computer virtualization, an additional layer called hypervisor is typically added between the hardware and the operating system. The hypervisor layer is responsible for both sharing of hardware resource and the enforcement of mandatory access control rules based on the available hardware resources.
There are three types of virtualization: full virtualization, para-virtualization and operating system level (OS-level) virtualization.
XPDS16: libvirt and Tools: What's New and What's Next - James Fehlig, SUSEThe Linux Foundation
A year has passed since the last Xen Developer Summit and it is time to announce the quiet progress made on the libvirt libxl driver and related tooling. New features include memory, cpu, block device, and network interface statistics reporting, support for pvUSB, support for migration stream V2, peer-to-peer migration, UEFI for HVM guests via OVMF, and domain capabilities reporting to name a few. There are also many noteworthy improvements such as better conversion of xl.cfg to/from libvirt domXML, allowing users to easily switch between the xl+libxl and libvirt+libxl toolstacks.
The summit also provides an opportunity to discuss new proposals such as better control of domain placement on NUMA systems, exposing Xen's cpu pool feature in libvirt, supporting non-volatile memory for UEFI variables, and improved capabilities reporting.
Much of libvirt's value for Xen is in the tools built upon it: virt-manager, virt-viewer, virt-install, virt-builder, kimchi, OpenStack nova, etc. These tools also deserve a quick status update as they relate to Xen.
The audience is encouraged to participate, e.g. by requesting a sorely missing feature, warning of an upcoming Xen change that may affect libvirt, or simply suggesting a change that makes virtualization management life a bit easier.
This talk provides an overview of the Xen Project eco-system and its main use-cases in a number of important market segments: it covers server virtualization, cloud computing and embedded, automotive and related. Lars Kurth highlights why the Xen Project is relevant in these market segments: he provides an overview of the Xen Project's architecture, relevant existing functionality and ongoing and planned developments. To complement the picture, he covers open-source projects that are related to Xen and are of interest for these use-cases. Excellent Software security is key to all of these use-cases. Thus, Lars specifically covers the Xen Project's security features, track record and touches on the project's security practices. He concludes with a few resources that help you get started with the Xen Project and highlight Internship Programs which the project supports.
The talk was delivered at Root Linux Conference 2017. Learn more: http://linux.globallogic.com/materials. The video is available at https://www.youtube.com/watch?v=sjQnAIJji4k
Today Xen is scheduling guest virtual cpus on all available physical cpus independently from each other. Recent security issues on modern processors (e.g. L1TF) require to turn off hyperthreading for best security in order to avoid leaking information from one hyperthread to the other. One way to avoid having to turn off hyperthreading is to only ever schedule virtual cpus of the same guest on one physical core at the same time. This is called core scheduling.
This presentation shows results from the effort to implement core scheduling in the Xen hypervisor. The basic modifications in Xen are presented and performance numbers with core scheduling active are shown.
Virtualization with KVM (Kernel-based Virtual Machine)Novell
As a technical preview, SUSE Linux Enterprise Server 11 contains KVM, which is the next-generation virtualization software delivered with the Linux kernel. In this technical session we will demonstrate how to set up SUSE Linux Enterprise Server 11 for KVM, install some virtual machines and deal with different storage and networking setups.
To demonstrate live migration we will also show a distributed replicated block device (DRBD) setup and a setup based on iSCSI and OCFS2, which are included in SUSE Linux Enterprise Server 11 and SUSE Linux Enterprise 11 High Availability Extension.
Dealing with Hardware Heterogeneity Using EmbeddedXEN, a Virtualization Frame...The Linux Foundation
EmbeddedXEN is a particularly efficient virtualization framework tailored to ARM-based core embedded systems.
While security and OS isolation are key features of conventional virtualizuation frameworks, the main concerns for EmbeddedXEN are device heterogeneity and realtime aspects, which are particularly important in the embedded world.
EmbeddedXEN mainly relies on the original XEN architecture but with major differences in the way guest OS are handled: the hypervisor has been simplified, and only two guest OS (dom0 and domU) can run simultaneously; while dom0 is used to manage the native OS with drivers (original and backend splitted drivers), a paravirtualized OS (domU) can be cross-compiled on a different ARM device, and user applications can run seamlessly on the (virtualized) host device. Another important difference is that no user space tools are required to manage the VMs; the framework produces a compact single binary image containing both dom0 and domU guests, which can be easily deployed. The Xenbus architecture has been adapted to that context.
EmbeddedXEN therefore allows the porting of an OS and its applications from an ARM embedded device to last generation ARM hardware, such as HTC Smartphone for example.
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...The Linux Foundation
Docker and other container runtimes are gathering momentum and becoming the new industry standard for server applications. Linux namespaces, commonly used to run Docker apps, come with a large surface of attack which is difficult to reduce. Intel’s Clear Containers use KVM to run containers as VMs to provide additional isolation. It is possible to provide VM-like isolation for containers without sacrificing performance.
This talk focuses on the benefits of using Xen to provide an execution environment for Docker apps. The presentation starts by listing the requirements of this environment. It explains why monitoring container syscalls is important and what its security benefits are. The talk introduces a new paravirtualized protocol to virtualize IP sockets and provides the design and implementation details. The presentation clarifies the impact of the new protocol from a security perspective. The discussion concludes by comparing performance figures with the traditional PV network frontend and backend drivers in Linux, explaining the reasons for any performance gaps.
XPDS16: Xen Orchestra: building a Cloud on top of Xen - Olivier Lambert & Jul...The Linux Foundation
Since its inception, the Xen Orchestra project which uses AGPLv3, always had a philosophy to listen and engage the community. User feedback shaped our initial concept, which first targeted system administrators. Eventually, our users drove us to support cloud-scale deployments supporting up to 2000 VM's. Retaining simplicity in usage and installation, while evolving Xen Orchestra to cloud scale posed many challenges. This led us to build many new features such ACLs, self-service, live charts, config drive management, and more, forced us to constantly evolve our architecture. First we will show how user needs changed our architecture, and how we implemented challenging problems such as user permissions, ACLs, Containers in a virtualized infrastructure and self service. We will conclude with a short demo, what is next and a lessons learned.
[CB19] Attacking DRM subsystem to gain kernel privilege on Chromebooks by Di ...CODE BLUE
Chromebook is one of the most secure laptops so far. It is running the Linux-based Chrome OS as its operation system. Google Chrome team has applied many effective mitigations on Chrome OS and will also release security updates for it every a few weeks.
At the beginning of this year, my colleagues planned to build a full exploit chain to achieve code execution on Chromebook remotely and persistently, which is very challenging. I joined their project in middle stage,attempted to find bugs for local privilege escalation in limited time, and finally contributed a kernel vulnerability on Chrome OS to finish the full chain.
The Direct Rendering Manager (DRM) is a subsystem of the Linux kernel, exposes an API that user-space programs can use to send commands and data to the GPU, and to perform operations such as configuring the mode setting of the display. Meanwhile,DRM is also an awesome attack surface for attackers to escalate local privilege on Linux.
In this talk, I’m going to share the full story of exploiting a new DRM vulnerability on Chrome OS. First, I’ll introduce the implementation of DRM subsystem briefly,and explain why a kernel exploit is helpful for us to bypass some mitigations like ‘Verified Boot’ on Chrome OS. Second, I’ll describe how I found the kernel bug on DRM in very limited time. After that, I’ll show you how to exploit an integer overflow, bypass the annoying mitigation “HARDENED_USERCOPY” in Linux kernel and successfully gain root privilege. At the end there will also be a demonstration of this exploit, as a proof of content.
Hypervisors and Virtualization - VMware, Hyper-V, XenServer, and KVMvwchu
With co-presenter Maninder Singh, delivered a presentation about hypervisors and virtualization technology for an independent topic study project for the Operating System Design (EECS 4221) course at York University, Canada in October 2014.
Virtualization, briefly, is the separation of resources or requests for a service from the underlying physical delivery of that service. It is a concept in which access to a single underlying piece of hardware is coordinated so that multiple guest operating systems can share a single piece of hardware, with no guest operating system being aware that it is actually sharing anything at all.
Migration of virtual machines without guest downtime is a key feature for hypervisors. Sadly, not all hardware is the same, and keeping guests running in a heterogeneous environment takes a lot of care. Normally, features are advertised via the CPUID instruction, but life is never as simple as we would like. Andrew will discuss what information needs to be controlled, what information can and can't be controlled, and how it applies to Xen guests.
Demand-Based Coordinated Scheduling for SMP VMsHwanju Kim
Hwanju Kim, Sangwook Kim, Jinkyu Jeong, Joonwon Lee, and Seungryoul Maeng, “Demand-Based Coordinated Scheduling for SMP VMs”, International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), Houston, Texas, USA, Mar. 2013.
In this session we examined the Xen PV performance on the latest platforms in a few cases that covers CPU/memory intensive, disk intensive and network intensive workloads. We compared Xen PV guest vs. HVM/PVOPS to see whether PV guest still have advantage over HVM on a system with state-of-the-art VT features. KVM was also compared as a reference. We also compared PV driver performance against bare-metal and pass-through/SR-IOV. The identified issues were discussed and we presented our proposal on fixing those issues.
The virtualization can be described in a generic way as a separation of the service request from the underlying physical delivery of that service. In computer virtualization, an additional layer called hypervisor is typically added between the hardware and the operating system. The hypervisor layer is responsible for both sharing of hardware resource and the enforcement of mandatory access control rules based on the available hardware resources.
There are three types of virtualization: full virtualization, para-virtualization and operating system level (OS-level) virtualization.
Takaya Saeki, Yuichi Nishiwaki, Takahiro Shinagawa, Shinichi Honiden.
A Robust and Flexible Operating System Compatibility Architecture.
In Proceedings of the 16th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (VEE 2020), Mar 2020.
doi:10.1145/3381052.3381327
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...NETWAYS
They provide the workload isolation and security advantages of VMs. but at the same time maintain the speed of deployment and usability of containers.by using kata containers, instead of namespace, small virtual machines are created on the kernel and be strongly isolated. The technology of Kata Containers is based on KVM hypervisor. That’s why the level of isolation is equivalent to typical hypervisors. This session will focus on a live production phase when choosing kata instead of docker, and why they are preferable
Although containers provides software-level isolation of resources, the kernel needs to be shared. That’s why the isolation level in terms of security is not so high when compared with hypervisors.This learns to shift from Docker as the de facto standard to Kata containers and learn how to obtain higherl level of security
présentation de l'utilisation de Docker, du niveau 0 "je joue avec sur mon poste" au niveau Docker Hero "je tourne en prod".
Ce talk fait suite à l'intro de @dgageot et ne comporte donc pas l'intro "c'est quoi Docker ?".
Secure Container solution is to enhance container security by isolating memory between Docker containers inside one VM with Intel VT-x EPT HW, which is highly effective to protect container’s memory and at the meantime defends ret2user privilege escalation attack that exploits kernel vulnerabilities (eg. CVE-2017-6074 UAF (use-after-free) vulnerability). It extends KVM interfaces which the guest OS can leverage to isolate container memory from other containers, and the interfaces rely on Intel VT-x EPT hardware extension and provide memory access protection for the container which sits in an isolated memory region. Each secure container has a dedicated EPT table rather than sharing one EPT table with guest OS, which enforces the cross-EPT memory access protection. The whole solution is user-friendly to fit in the existing cloud server infrastructure with very limited changes.
Kernel Mode Threats and Practical DefensesPriyanka Aash
Recent advancements in OS security from Microsoft such as PatchGuard, Driver Signature Enforcement, and SecureBoot have helped curtail once-widespread commodity kernel mode malware such as TDL4 and ZeroAccess. However, advanced attackers have found ways of evading these protections and continue to leverage kernel mode malware to stay one step ahead of the defenders. We will examine the techniques from malware such as DoublePulsar, SlingShot, and Turla that help attackers evade endpoint defenses. We will also reveal a novel method to execute a fully kernel mode implant without hitting disk or being detected by security products. The method builds on publicly available tools which makes it easily within grasp of novice adversaries.
While attacker techniques have evolved to evade endpoint protections, the current state of the art in kernel malware detection has also advanced to hinder these new kernel mode threats. We will discuss these new defensive techniques to counter kernel mode threats, including real-time detection techniques that leverage hypervisors along with an innovative hardware assisted approach that utilizes performance monitoring units. In addition, we will discuss on-demand techniques that leverage page table entry remapping to hunt for kernel malware at scale. To give defenders a leg up, we will release a tool that is effective at thwarting advanced kernel mode threats. Kernel mode threats will only continue to grow in prominence and impact. This talk will provide both the latest attacker techniques in this area, and a new tool to curtail these attacks, proving real-world strategies for immediate implementation.
Inroduction to Virtualization and Video Playback during a Live Migrated Virtual Machine hosting the server with its time analysis.
OS- Ubuntu
Hypervisor- KVM
Multiple Your Crypto Portfolio with the Innovative Features of Advanced Crypt...Hivelance Technology
Cryptocurrency trading bots are computer programs designed to automate buying, selling, and managing cryptocurrency transactions. These bots utilize advanced algorithms and machine learning techniques to analyze market data, identify trading opportunities, and execute trades on behalf of their users. By automating the decision-making process, crypto trading bots can react to market changes faster than human traders
Hivelance, a leading provider of cryptocurrency trading bot development services, stands out as the premier choice for crypto traders and developers. Hivelance boasts a team of seasoned cryptocurrency experts and software engineers who deeply understand the crypto market and the latest trends in automated trading, Hivelance leverages the latest technologies and tools in the industry, including advanced AI and machine learning algorithms, to create highly efficient and adaptable crypto trading bots
Listen to the keynote address and hear about the latest developments from Rachana Ananthakrishnan and Ian Foster who review the updates to the Globus Platform and Service, and the relevance of Globus to the scientific community as an automation platform to accelerate scientific discovery.
Accelerate Enterprise Software Engineering with PlatformlessWSO2
Key takeaways:
Challenges of building platforms and the benefits of platformless.
Key principles of platformless, including API-first, cloud-native middleware, platform engineering, and developer experience.
How Choreo enables the platformless experience.
How key concepts like application architecture, domain-driven design, zero trust, and cell-based architecture are inherently a part of Choreo.
Demo of an end-to-end app built and deployed on Choreo.
Software Engineering, Software Consulting, Tech Lead.
Spring Boot, Spring Cloud, Spring Core, Spring JDBC, Spring Security,
Spring Transaction, Spring MVC,
Log4j, REST/SOAP WEB-SERVICES.
top nidhi software solution freedownloadvrstrong314
This presentation emphasizes the importance of data security and legal compliance for Nidhi companies in India. It highlights how online Nidhi software solutions, like Vector Nidhi Software, offer advanced features tailored to these needs. Key aspects include encryption, access controls, and audit trails to ensure data security. The software complies with regulatory guidelines from the MCA and RBI and adheres to Nidhi Rules, 2014. With customizable, user-friendly interfaces and real-time features, these Nidhi software solutions enhance efficiency, support growth, and provide exceptional member services. The presentation concludes with contact information for further inquiries.
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTier1 app
Even though at surface level ‘java.lang.OutOfMemoryError’ appears as one single error; underlyingly there are 9 types of OutOfMemoryError. Each type of OutOfMemoryError has different causes, diagnosis approaches and solutions. This session equips you with the knowledge, tools, and techniques needed to troubleshoot and conquer OutOfMemoryError in all its forms, ensuring smoother, more efficient Java applications.
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...Juraj Vysvader
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I didn't get rich from it but it did have 63K downloads (powered possible tens of thousands of websites).
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Anthony Dahanne
Les Buildpacks existent depuis plus de 10 ans ! D’abord, ils étaient utilisés pour détecter et construire une application avant de la déployer sur certains PaaS. Ensuite, nous avons pu créer des images Docker (OCI) avec leur dernière génération, les Cloud Native Buildpacks (CNCF en incubation). Sont-ils une bonne alternative au Dockerfile ? Que sont les buildpacks Paketo ? Quelles communautés les soutiennent et comment ?
Venez le découvrir lors de cette session ignite
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Globus
Large Language Models (LLMs) are currently the center of attention in the tech world, particularly for their potential to advance research. In this presentation, we'll explore a straightforward and effective method for quickly initiating inference runs on supercomputers using the vLLM tool with Globus Compute, specifically on the Polaris system at ALCF. We'll begin by briefly discussing the popularity and applications of LLMs in various fields. Following this, we will introduce the vLLM tool, and explain how it integrates with Globus Compute to efficiently manage LLM operations on Polaris. Attendees will learn the practical aspects of setting up and remotely triggering LLMs from local machines, focusing on ease of use and efficiency. This talk is ideal for researchers and practitioners looking to leverage the power of LLMs in their work, offering a clear guide to harnessing supercomputing resources for quick and effective LLM inference.
Your Digital Assistant.
Making complex approach simple. Straightforward process saves time. No more waiting to connect with people that matter to you. Safety first is not a cliché - Securely protect information in cloud storage to prevent any third party from accessing data.
Would you rather make your visitors feel burdened by making them wait? Or choose VizMan for a stress-free experience? VizMan is an automated visitor management system that works for any industries not limited to factories, societies, government institutes, and warehouses. A new age contactless way of logging information of visitors, employees, packages, and vehicles. VizMan is a digital logbook so it deters unnecessary use of paper or space since there is no requirement of bundles of registers that is left to collect dust in a corner of a room. Visitor’s essential details, helps in scheduling meetings for visitors and employees, and assists in supervising the attendance of the employees. With VizMan, visitors don’t need to wait for hours in long queues. VizMan handles visitors with the value they deserve because we know time is important to you.
Feasible Features
One Subscription, Four Modules – Admin, Employee, Receptionist, and Gatekeeper ensures confidentiality and prevents data from being manipulated
User Friendly – can be easily used on Android, iOS, and Web Interface
Multiple Accessibility – Log in through any device from any place at any time
One app for all industries – a Visitor Management System that works for any organisation.
Stress-free Sign-up
Visitor is registered and checked-in by the Receptionist
Host gets a notification, where they opt to Approve the meeting
Host notifies the Receptionist of the end of the meeting
Visitor is checked-out by the Receptionist
Host enters notes and remarks of the meeting
Customizable Components
Scheduling Meetings – Host can invite visitors for meetings and also approve, reject and reschedule meetings
Single/Bulk invites – Invitations can be sent individually to a visitor or collectively to many visitors
VIP Visitors – Additional security of data for VIP visitors to avoid misuse of information
Courier Management – Keeps a check on deliveries like commodities being delivered in and out of establishments
Alerts & Notifications – Get notified on SMS, email, and application
Parking Management – Manage availability of parking space
Individual log-in – Every user has their own log-in id
Visitor/Meeting Analytics – Evaluate notes and remarks of the meeting stored in the system
Visitor Management System is a secure and user friendly database manager that records, filters, tracks the visitors to your organization.
"Secure Your Premises with VizMan (VMS) – Get It Now"
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Shahin Sheidaei
Games are powerful teaching tools, fostering hands-on engagement and fun. But they require careful consideration to succeed. Join me to explore factors in running and selecting games, ensuring they serve as effective teaching tools. Learn to maintain focus on learning objectives while playing, and how to measure the ROI of gaming in education. Discover strategies for pitching gaming to leadership. This session offers insights, tips, and examples for coaches, team leads, and enterprise leaders seeking to teach from simple to complex concepts.
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns
Unlocking Business Potential: Tailored Technology Solutions by Prosigns
Discover how Prosigns, a leading technology solutions provider, partners with businesses to drive innovation and success. Our presentation showcases our comprehensive range of services, including custom software development, web and mobile app development, AI & ML solutions, blockchain integration, DevOps services, and Microsoft Dynamics 365 support.
Custom Software Development: Prosigns specializes in creating bespoke software solutions that cater to your unique business needs. Our team of experts works closely with you to understand your requirements and deliver tailor-made software that enhances efficiency and drives growth.
Web and Mobile App Development: From responsive websites to intuitive mobile applications, Prosigns develops cutting-edge solutions that engage users and deliver seamless experiences across devices.
AI & ML Solutions: Harnessing the power of Artificial Intelligence and Machine Learning, Prosigns provides smart solutions that automate processes, provide valuable insights, and drive informed decision-making.
Blockchain Integration: Prosigns offers comprehensive blockchain solutions, including development, integration, and consulting services, enabling businesses to leverage blockchain technology for enhanced security, transparency, and efficiency.
DevOps Services: Prosigns' DevOps services streamline development and operations processes, ensuring faster and more reliable software delivery through automation and continuous integration.
Microsoft Dynamics 365 Support: Prosigns provides comprehensive support and maintenance services for Microsoft Dynamics 365, ensuring your system is always up-to-date, secure, and running smoothly.
Learn how our collaborative approach and dedication to excellence help businesses achieve their goals and stay ahead in today's digital landscape. From concept to deployment, Prosigns is your trusted partner for transforming ideas into reality and unlocking the full potential of your business.
Join us on a journey of innovation and growth. Let's partner for success with Prosigns.
Advanced Flow Concepts Every Developer Should KnowPeter Caitens
Tim Combridge from Sensible Giraffe and Salesforce Ben presents some important tips that all developers should know when dealing with Flows in Salesforce.
Why React Native as a Strategic Advantage for Startup Innovation.pdfayushiqss
Do you know that React Native is being increasingly adopted by startups as well as big companies in the mobile app development industry? Big names like Facebook, Instagram, and Pinterest have already integrated this robust open-source framework.
In fact, according to a report by Statista, the number of React Native developers has been steadily increasing over the years, reaching an estimated 1.9 million by the end of 2024. This means that the demand for this framework in the job market has been growing making it a valuable skill.
But what makes React Native so popular for mobile application development? It offers excellent cross-platform capabilities among other benefits. This way, with React Native, developers can write code once and run it on both iOS and Android devices thus saving time and resources leading to shorter development cycles hence faster time-to-market for your app.
Let’s take the example of a startup, which wanted to release their app on both iOS and Android at once. Through the use of React Native they managed to create an app and bring it into the market within a very short period. This helped them gain an advantage over their competitors because they had access to a large user base who were able to generate revenue quickly for them.
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus
As part of the DOE Integrated Research Infrastructure (IRI) program, NERSC at Lawrence Berkeley National Lab and ALCF at Argonne National Lab are working closely with General Atomics on accelerating the computing requirements of the DIII-D experiment. As part of the work the team is investigating ways to speedup the time to solution for many different parts of the DIII-D workflow including how they run jobs on HPC systems. One of these routes is looking at Globus Compute as a way to replace the current method for managing tasks and we describe a brief proof of concept showing how Globus Compute could help to schedule jobs and be a tool to connect compute at different facilities.
3. Problem Definition – Semantic Gap
•In virtualization, it is difficult to
interpreting the low level state
of a VM into high level semantic
state of guest OS.
•This will be a obstacle for system
administrator to real-time
observe, inspect and detect the
runtime execution of a VM.
3
From low level data (memory
address) to high level semantic
data (DLL list)
4. Contribution
•The aim of project is to generate a complete
view of a guest VM to bridge the semantic gap.
•Features
1. No modification to guest VM, no additional
program installation in guest OS.
2. Support multiple versions of guest OS.
3. Runtime execution introspection to VM.
4
5. Related Work
•The Volatility is an open source memory
forensics framework.
• Written in Python
• Support Windows, Mac OS X, Linux OS.
• Reference Book - The Art of Memory Forensics
•The Volatility Framework extracts the digital artifacts
from volatile memory samples through some plugins.
• E.g. pslist, dlllist and driverscan etc.
5Volatility Foundation http://www.volatilityfoundation.org/
6. QEMU Monitor Console
• When QEMU is running, it provides a monitor console
for user to interact with QEMU.
• Commands are defined in hmp-commands.hx and monitor.c
under QEMU source code.
6
But, commands only
provide low level info,
not semantic state of VM.
7. QEMU-Volatility Interface
• We have developed a command into QEMU monitor
to connect Volatility framework.
• Usage : (QEMU) volatility [profile_OS] [plugin_com] [args]
• Volatility is a command line tool that we can easily
write a script to use it.
• With the function in QEMU, we can dynamically
dump a memory file for a running VM based on VM
memory size.
7
8. Interface Functionality
• Now, we can leverage volatility to live monitoring guest
OS, including all commands in volatility framework.
• imageinfo
• psscan
• dlldump
• modscan
• thrdscan
• netscan
• Hivedump
• Etc.
8https://code.google.com/p/volatility/wiki/CommandReference22
9. System DEMO (1/2)
• Example 1.
• “Dlllist” command display a process's loaded DLLs.
9
10. System DEMO (2/2)
• Example 2.
• “Driverscan” command finds all drivers in the guest OS.
10
11. Guest OS Support
Windows (32/64 bits) Linux (32/64 bits) Mac OS (32/64 bits)
Windows 2003 SP0,1,2
Linux Kernel
2.6.11 to 4.2.3
10.5.x Leopard
Windows 2008 SP0,SP1 OpenSuSE 10.6.x Snow Leopard
Windows XP SP2, SP3 Ubuntu 10.7.x Lion
Windows Vista SP0,1, 2 Debian 10.8.x Mountain Lion
Windows 7 SP0, SP1 CentOS 10.9.x Mavericks
Windows 8 ,8.1 Fedora 10.10.x Yosemite
Windows 10(init support) Mandriva 10.11.x El Capitan
11
• Volatility supports investigations of the following
memory images:
https://github.com/volatilityfoundation/volatility
12. Evaluation (1/2)
12
• We perform some testings to our interface.
CPU Intel® Core™ i3 2367M
RAM 6 GB DDR3 1600 MHz
HDD 120 GB SANDISK SSD
Host OS Ubuntu 14.04.1 Kernel 3.16.0
Guest OS Windows 7 SP1 Professional
14. Malware Analysis
• We also perform malware analysis by executing a
malware in VM.
• Malware name : Virus.Win32.HLLP.Lassa.40960
• Trend Micro Engine classified it to worm.
14
http://www.trendmicro.com.ph/vinfo/ph/threat-encyclopedia/archive/malware/worm_lassa.a
15. Scan for the malicious process
• (QMEU)volatility Win7SP1x64 psscan
15
PID : 1896
19. Conclusion
• We believed that our interface between QEMU and
volatility is a powerful capability for runtime
inspecting to VM, offering system administrator a
visibility to the state of VM.
19
20. Open Problem – Semantic Gap
• In virtualization, it is difficult to
interpreting the low level state of a
VM into high level semantic state of
guest OS.
• View exposed by hypervisor is low-level
state (binary state, CPU state, memory
address)
• What we want is high-level state
(processes, files, DLL information)
• It is difficult for security administrator
to real-time observe, inspect and
detect the runtime execution of a VM.
20
From low level data(memory
address) to high level
semantic data (DLL list)
21. Introduction (1/2)
• Virtual machine (VM) is first proposed in the 1960s and
experiences a revival in the commercial and research
communities.
• With virtual machine technology arises, it provides OS
developer and security researcher a new opportunity to
deploy innovation solution.
• Virtual machine provides many features including
• Equivalent execution: programs running in virtual machine
must run identically to running natively.
• Efficiency: a “statistically dominant” subset of instructions
must be executed directly on the CPU.
• Isolation: a virtual machine must completely control system
resource.
21
22. Volatility Windows Profiles
• In Volatility source code, it has lots of windows OS profiles
for each version.
• Support Windows 2003, XP, Vista, Win 7, Win 8 profiles.
22
23. Introduction (2/2)
•Chen, Peter M. and Noble, Brian D.[1] state that
current virtualization technologies are sufferring
from two main challenges.
• One is performance.
• The other is semantic gap.
•Virtual machine introspection (VMI) technique is
the method of inspecting a VM from the “outside”
for analyzing the software running in the machine.
23
Chen, Peter M., and Brian D. Noble. "When virtual is better than real" Hot Topics in Operating
Systems, 2001. Proceedings of the Eighth Workshop on. IEEE, 2001.
24. Implementation Environment
•Host OS : Ubuntu-14.04.1
• Linux kernel : 3.16.0
•Guest OS : Windows 7 SP1 x64
•We will implement some forensics functionalities
into QEMU-2.3 to traverse guest OS memory.
• A free open-source emulator that performs system
virtualization .
• May use KVM as accelerator.
24
25. Related Work (2/2)
• LibVMI is an introspection library focused on reading
and writing memory from running VM.
• Support multiple hypervisor, such as Xen, KVM/Qemu.
• Support multiple guest, like x86 and x64 Windows /Linux
• Provides many APIs to access the memory of a VM.
• Libvmi patch QEMU source code to create a server
socket inside QEMU.
• When libvmi need to access VM memory , it uses qemu
monitor command to get the corresponding mapped pages
back.
• With low system performance.
25LibVMI http://libvmi.com/
27. EPROCESS Doubly Linked List
27
• KDBG (Kernel Debugger Block) is kernel symbol
structure maintained by Windows kernel for debugging
purposes.
• KDBG has a reference to the PsActiveProcessHead
which is the list head of all processes required for
process listing.
(Kernel Debugger Block)
28. Kernel Debugger Block
Data Structure
KDBG Header will be a constant
signatures in hex value.
Use windbg in guest OS
to reverse engineering
windows internal.
28
29. KBDG constant pattern for Win7 x64
• Use kdbgscan plugin to find KDBG address
• Use volshell to hexdump the KDBG
OwnerTag : set to KDBG size : /x40/x03
LISTENTRY64 : last bytes
29
30. EPROCESS data structure
30
// PID
// Doubly linked list chains active
processes together.
// kernel process control block (contains CR3)
// Process enivornment block
// Process name
// Doubly linked list chains all
the process’ threads together.
// PPID