SlideShare a Scribd company logo

Hot sec10 slide-suzaki

Kuniyasu Suzaki
Kuniyasu Suzaki

This document proposes replacing the logical sharing of guest OS components through dynamic linking and symbolic links with physical sharing through memory and storage deduplication on virtual machines. It discusses vulnerabilities in logical sharing and how self-contained binaries integrated with deduplication can improve security while reducing resource usage. Experimental results on Gentoo show that while statically compiling binaries increases size, deduplication recovers over 40% of physical memory and storage. Some overhead is introduced but vulnerabilities are eliminated. Further research directions involve increasing code sharing safely and defending against new deduplication attacks.

1 of 22
Download to read offline
Moving from Logical Sharing of Guest OS to Physical Sharing of Deduplication on Virtual Machine Kuniyasu Suzaki, T hiki Y i K K i S ki Toshiki Yagi, Kengo Iiji Iijima, N Nguyen Anh Quynh, C ill A th A hQ h Cyrille Artho Research Center of Information Security National Institute of Advanced Industrial Science and Technology & Yoshihito Watanebe Alpha Systems Inc.
Contents • Vulnerability of logical sharing (Dynamic-Link Shared Library and Symbolic Link) • Propose replacement of logical sharing by physical sharing – Physical sharing • Deduplication on Memory and Storage – Self-contained binary • It is NOT static-Link binary. • Experimental results • Conclusions with discussing topics
Logical Sharing • Logical sharing is OS technique to reduce consumption of memory and storage. – “Dynamic-Link Shared Library” for memory and storage – “Symbolic Link” for storage • Unfortunately, they include vulnerability caused by dynamic management. d i t – Search Path Replacement Attack – GOT (Global Offset Table) overwrite attack – Dependency Hell – Etc.
Search Path Replacement Attack • Dynamic-link searches a shared library at run time using a search path. – Search path is defined by environment variables. • Example: “LD_LIBRARY_PATH” – It allows us to change shared libraries in any directories. • Unfortunately, the search path is easily replaced by an attacker and leads to malicious shared libraries. – Caller program has no methods to certify libraries. • Static-link solves this problem but it wastes memory and storage.
GOT Overwrite Attack • ELF format has GOT (Global Offset Table) to locate position-independent function address of shared library. The value of GOT is assigned at run time. – GOT is created on Data Segment and vulnerable for overwrite attack. • Static link solves this problem but it wastes memory and storage. Program Library Call Routine Code Code Segment Segment PLT PLT Data Data GOT GOT Segment Segment Attack
Dependency Hell (DLL Hell in Windows) • Dependency Hell is a management problem of shared libraries. – Package manager maintains versions of libraries. However, the version mismatch may occur, when a user updates a library without package manager. – Caller program has no methods to certify libraries libraries. • Dependency Hell is escalated by symbolic-link, because most shared libraries use symbolic-link to manage minor updates. – /lib/libc.so.6 -> libc-2.10.1.so – # ln –s libc-2.11.1.so libc.so.6 • Static link solves this problem but it wastes memory and storage.
Solution, and further problems • The problems are solved by static-link, but it increase consumption of memory and storage. – Fortunately, the increased consumption is mitigated by new technique, deduplication. – SLINY[USENIX’05] developed deduplication in Linux kernel. – It looks the problems are solved … • Two trends – Current applications assume dynamic-link and are not re-compiled as static-link easily . – Current virtualization offers us deduplication. • SLINKY uses special Linux kernel. It is not applied on any OSes. • Using virtualization, guest OS only has to consider the solution without regard to physical consumption.
Static-Link is not easy • Current applications deeply depend on dynamic-link shared libraries for flexibility and for avoiding license contamination problems. • We tried to re-compile /bin, /sbin, /usr/bin, and /usr/sbin dynamic-linked binaries (1,162) with static-link on Gentoo. – 185 (15.9%) binaries are re-compiled with static-link. • Binary packages make it difficult to re-compile, because they are not easy to get all source code. – Commercial applications make problem more difficult.
Self-Contained Binaries • Self-contained binary translator • It is developed to bring a binary to another machine. • It integrates shared libraries into an ELF binary file. – Advantage • Prevent Search Path Replacement Attack and Dependency Hell, Hell because it integrates all libraries. libraries • Mitigate GOT Overwrite Attack, because the addresses are prefixed for each execution. – Disadvantage • Consume more memory and storage than static-link • Tools – Statifier, Autopacage, Ermine for Linux – VMWare “ThinApps(was Thinstall)” for Windows
Statifier (1/2) • Statifier includes shared library into an ELF binary. • On Normal binary ① _dl_start() of ld-linux.so • Reallocate dynamic link libraries and map them ② _dl_start_user() of ld-linux.so • Call initialization functions in libraries • Statifier creates self-contained binary – Take snapshot before _dl_start_user() and analyze relocation information of functions of libraries from /proc/PID/maps. – The libraries and relocation information are embedded into the binary.
Statifier (2/2) • Self-Contained Binary – Relocation information and shared libraries are loaded by the starter of statifier. • Includes special libraries: linux-gate.so, ld-linux.so – The ELF binary has no INTERP segment to call ld-linux.so – ldd command shows no dynamic-link shared libraries • However, Statifier makes a larger binary than static link.
Deduplication • Technique to share same-content chunks at block level (memory and storage). • Same-content chunks are shared by indirect link. – It is easy to implement when a virtual layer exists to access a block device device. – Some virtualizations include deduplication mechanism.
Storage Deduplication • Used by CAS (Content addressable Storage) – data is not addressed by its physical location. Data is addressed by a unique name derived from the content (a secure hash is used as a unique name usually) – Same contents are expressed by one original content (same hash) and addressed by indirected link. • Plan9 has Venti [USENIX FAST02] • NetApp Deduplication (Data Domain) [USENIX FAST08] • LBCAS (Loopback Content Addressable Storage) [LinuxSymp09] Virtual Disk CAS Storage Archive Indexing Address SHA-1 0000000-0003FFF 4ad36ffe8… New block is 0004000-0007FFF 974daf34a… created with 0008000-000BFFF 2d34ff3e1… new SHA-1 000C000-000FFFF 974daf34a… … … sharing Deduplication
Memory Deduplication • Memory deduplication is mainly used for virtual machines. • Very effective when same guest OS runs on several virtual machines. • On Virtual Machine Monitor – Disco[OSDI97] has Transparent Page Sharing – VMWare ESX has Content-Based Page Sharing [SOSP02] – Xen has Satori[USENIX09] and Differential Engine[OSDI08] • On Kernel – Linux has KSM (Kernel Samepage Merging) from 2.6.32 [LinuxSymp09] Guest Physical Memory VM1 VM2 VM(n) • Memory of Process(es) are deduplicated • KVM uses this mechanism • These targets are virtual machines, but our proposal uses memory deduplication on a single OS image, which increase same pages with copy of libraries (self-contained binary). Real Physical Memory
Evaluation • Evaluate the effect of moving form logical sharing to physical sharing. – Effect of Statifier • Applied on binaries under /bin,/sbin,/usr/bin,/usr/sbin of Gentoo (installed on 32GB virtual disk for KVM virtual ( machine) – Memory Deduplication • KSM (Kernel Samepage merging) of Linux with KVM virtual machine (758MB). – Storage Deduplication • LBCAS (Loopback Content Addressable Storage)
Static Analysis of Statifier • Gentoo was customized by statifier. – The ELF (1,162) binaries under /bin (82 files), /sbin (74), /usr/bin (912), /usr/sbin (94) were customized by statifier. Original Statifier Increase (Dynamic-link) Total 87,865,480 3,572,936,704 40.66 Average 75,615 3,074,816 40.66 Max (gnome-open) 5,400 8,732,672 1617.16 Min (qmake) 3,426,340 6,094,848 1.78 • The disk image (includes non-statifiered files) was expnaded from 3.75GB to 7.08GB (1.88 times).
Effect of Memory Deduplication • Memory usage at the end of login • Statifier expanded memory consumption from the view of GuestOS, • but Deduplication reduced physical memory consumption. 80000 34.4% 4KB GuestOS View page 70000 60000 50000 GuestOS 93.0% 45 332 View Duplicated 40000 86056 8.9% Deduplicate 22 96 17.3% 30000 48 1 44 41 29732 Unique physical 20000 32706 30410 memory 2 9929 physical 25 291 10000 memory 0 Normal Gentoo Statifier Gentoo
Effect of Storage Deduplication • Storage usage (static) and total read data at boot (dynamic) . • Statifier expanded storage consumption from the view of GuestOS on both cases, but Deduplication reduced physical storage consumption in static and dynamic. • Smaller chunk is easy to be deduplicated but time overhead is large. Static Dynamic ( (boot) ) normal statifier normal statifier On Loopback 3,754MB 7,075MB 151.7MB 341.0MB (Guest OS View) (1.88) (2.25) 4352MB 268,454 LBCAS 16KB [278,499] --- ---- [4195MB] (1.04) 83,863 304MB 74,679 218MB LBCAS 64KB [5241MB] [4,866] [4667MB] [3,481] (1.12) (1.40) 6723MB 505MB 22,806 390MB LBCAS 256KB [26,892] [2,019] [5701MB] [1,560 ] (1.18) (1.29)
Trace of memory consumption Normal Gentoo Statifer Gentoo Loopback GuestOS View Physical Physical Mem View Mem View GuestOS View Auto Auto login login LBCAS (256KB) GuestOS View Physical GuestOS View Mem View Physical Mem View Auto Auto login login
Time overhead at boot • Statifier reduced the boot time, because it eliminated dynamic reallocation overhead. • Deduplication increased the boot time. The overhead of KSM and LBCAS was less than 37%. – The overhead is a penalty to remove the vulnerabilities of logical sharing. Without KSM With KSM Normal Statifier Normal Statifier Loopback 95s 84s 95s 105s Reduced LBCAS 107s 108s 115s 130s (256KB)
Conclusion & Discussion (1/2) • Self-Contained binaries strengthen OS security. – Prevent Search Path Replacement Attack, GOT (Global Offset Table) overwrite attack, Dependency Hell – Easy to apply on normal OS. It does not require source code and re-compile. – Increase consumption of memory and storage. • Deduplication mitigates the consumption of memory and storage caused by self-contained binary. – Encourage moving from Logical sharing to Physical Sharing • Deduplication is utilized to increase security on single OS.
Conclusion & Discussion (2/2) • Deduplication will be mainly used on IaaS type (multi-tenants) Cloud Computing. • Two directions of research • Increase code sharing – “R t “Return-Oriented P O i t d Programming” style b i ” t l becomes popular?l ? » Tools: Return Oriented Rootkit [USENIX Security 09] • Keep security – Code sharing will increase a chance to attack – Attack for deduplication will be presented in Rump Session of USENIX Security.

Recommended

What's LUM Got To Do with It: Deployment Considerations for Linux User Manage...
What's LUM Got To Do with It: Deployment Considerations for Linux User Manage...What's LUM Got To Do with It: Deployment Considerations for Linux User Manage...
What's LUM Got To Do with It: Deployment Considerations for Linux User Manage...
Novell
 
Cache-partitioning
Cache-partitioningCache-partitioning
Cache-partitioning
davidkftam
 
Ph.D. thesis presentation
Ph.D. thesis presentationPh.D. thesis presentation
Ph.D. thesis presentation
davidkftam
 
ASPLOS2011 workshop RESoLVE "Effect of Disk Prefetching of Guest OS "
ASPLOS2011 workshop RESoLVE "Effect of Disk Prefetching of Guest OS "ASPLOS2011 workshop RESoLVE "Effect of Disk Prefetching of Guest OS "
ASPLOS2011 workshop RESoLVE "Effect of Disk Prefetching of Guest OS "Kuniyasu Suzaki
 
Module 22 Deployment Configuration
Module 22 Deployment ConfigurationModule 22 Deployment Configuration
Module 22 Deployment Configuration
Courtney Doeing
 
Webinar Sept 22: Gluster Partners with Redapt to Deliver Scale-Out NAS Storage
Webinar Sept 22: Gluster Partners with Redapt to Deliver Scale-Out NAS StorageWebinar Sept 22: Gluster Partners with Redapt to Deliver Scale-Out NAS Storage
Webinar Sept 22: Gluster Partners with Redapt to Deliver Scale-Out NAS Storage
GlusterFS
 
DTrace in the Non-global Zone
DTrace in the Non-global ZoneDTrace in the Non-global Zone
DTrace in the Non-global Zone
bcantrill
 
Oracle rac 10g best practices
Oracle rac 10g best practicesOracle rac 10g best practices
Oracle rac 10g best practicesHaseeb Alam
 

Recommended

What's LUM Got To Do with It: Deployment Considerations for Linux User Manage...
What's LUM Got To Do with It: Deployment Considerations for Linux User Manage...What's LUM Got To Do with It: Deployment Considerations for Linux User Manage...
What's LUM Got To Do with It: Deployment Considerations for Linux User Manage...
Novell
 
Cache-partitioning
Cache-partitioningCache-partitioning
Cache-partitioning
davidkftam
 
Ph.D. thesis presentation
Ph.D. thesis presentationPh.D. thesis presentation
Ph.D. thesis presentation
davidkftam
 
ASPLOS2011 workshop RESoLVE "Effect of Disk Prefetching of Guest OS "
ASPLOS2011 workshop RESoLVE "Effect of Disk Prefetching of Guest OS "ASPLOS2011 workshop RESoLVE "Effect of Disk Prefetching of Guest OS "
ASPLOS2011 workshop RESoLVE "Effect of Disk Prefetching of Guest OS "Kuniyasu Suzaki
 
Module 22 Deployment Configuration
Module 22 Deployment ConfigurationModule 22 Deployment Configuration
Module 22 Deployment Configuration
Courtney Doeing
 
Webinar Sept 22: Gluster Partners with Redapt to Deliver Scale-Out NAS Storage
Webinar Sept 22: Gluster Partners with Redapt to Deliver Scale-Out NAS StorageWebinar Sept 22: Gluster Partners with Redapt to Deliver Scale-Out NAS Storage
Webinar Sept 22: Gluster Partners with Redapt to Deliver Scale-Out NAS Storage
GlusterFS
 
DTrace in the Non-global Zone
DTrace in the Non-global ZoneDTrace in the Non-global Zone
DTrace in the Non-global Zone
bcantrill
 
Oracle rac 10g best practices
Oracle rac 10g best practicesOracle rac 10g best practices
Oracle rac 10g best practicesHaseeb Alam
 
How swift is your Swift - SD.pptx
How swift is your Swift - SD.pptxHow swift is your Swift - SD.pptx
How swift is your Swift - SD.pptx
OpenStack Foundation
 
Intro to GlusterFS Webinar - August 2011
Intro to GlusterFS Webinar - August 2011Intro to GlusterFS Webinar - August 2011
Intro to GlusterFS Webinar - August 2011
GlusterFS
 
Cloud Storage Adoption, Practice, and Deployment
Cloud Storage Adoption, Practice, and DeploymentCloud Storage Adoption, Practice, and Deployment
Cloud Storage Adoption, Practice, and Deployment
GlusterFS
 
Novell Open Enterprise Server for Beginners
Novell Open Enterprise Server for BeginnersNovell Open Enterprise Server for Beginners
Novell Open Enterprise Server for Beginners
Novell
 
A Retasking Framework For Wireless Sensor Networks
A Retasking Framework For Wireless Sensor NetworksA Retasking Framework For Wireless Sensor Networks
A Retasking Framework For Wireless Sensor Networks
Michele Weigle
 
Novell Teaming: Automating Business Processes with Forms and Workflows
Novell Teaming: Automating Business Processes with Forms and WorkflowsNovell Teaming: Automating Business Processes with Forms and Workflows
Novell Teaming: Automating Business Processes with Forms and Workflows
Novell
 
Spectrum Scale Unified File and Object with WAN Caching
Spectrum Scale Unified File and Object with WAN CachingSpectrum Scale Unified File and Object with WAN Caching
Spectrum Scale Unified File and Object with WAN Caching
Sandeep Patil
 
Linux Symposium 2009 Slide Suzaki "Effect of readahead and file system block ...
Linux Symposium 2009 Slide Suzaki "Effect of readahead and file system block ...Linux Symposium 2009 Slide Suzaki "Effect of readahead and file system block ...
Linux Symposium 2009 Slide Suzaki "Effect of readahead and file system block ...
Kuniyasu Suzaki
 
Emulation Bridging The Past To The Future Dirk Von Suchodoletz
Emulation Bridging The Past To The Future Dirk Von SuchodoletzEmulation Bridging The Past To The Future Dirk Von Suchodoletz
Emulation Bridging The Past To The Future Dirk Von Suchodoletz
DigitalPreservationEurope
 
Lightweight Virtualization in Linux
Lightweight Virtualization in LinuxLightweight Virtualization in Linux
Lightweight Virtualization in Linux
Sadegh Dorri N.
 
Virtualization Primer for Java Developers
Virtualization Primer for Java DevelopersVirtualization Primer for Java Developers
Virtualization Primer for Java Developers
Richard McDougall
 
seL4 intro
seL4 introseL4 intro
seL4 intro
microkerneldude
 
Gluster Blog 11.15.2010
Gluster Blog 11.15.2010Gluster Blog 11.15.2010
Gluster Blog 11.15.2010
GlusterFS
 
Prairie DevCon-What's New in Hyper-V in Windows Server "8" Beta - Part 1
Prairie DevCon-What's New in Hyper-V in Windows Server "8" Beta - Part 1Prairie DevCon-What's New in Hyper-V in Windows Server "8" Beta - Part 1
Prairie DevCon-What's New in Hyper-V in Windows Server "8" Beta - Part 1
Damir Bersinic
 
Award winning scale-up and scale-out storage for Xen
Award winning scale-up and scale-out storage for XenAward winning scale-up and scale-out storage for Xen
Award winning scale-up and scale-out storage for Xen
GlusterFS
 
File Access in Novell Open Enterprise Server 2 SP2
File Access in Novell Open Enterprise Server 2 SP2File Access in Novell Open Enterprise Server 2 SP2
File Access in Novell Open Enterprise Server 2 SP2
Novell
 
Introduction to Microkernels
Introduction to MicrokernelsIntroduction to Microkernels
Introduction to Microkernels
Vasily Sartakov
 
Java developer intro to environment management with vagrant puppet and docker
Java developer intro to environment management with vagrant puppet and dockerJava developer intro to environment management with vagrant puppet and docker
Java developer intro to environment management with vagrant puppet and docker
Getting value from IoT, Integration and Data Analytics
 
Tuning DB2 in a Solaris Environment
Tuning DB2 in a Solaris EnvironmentTuning DB2 in a Solaris Environment
Tuning DB2 in a Solaris Environment
Jignesh Shah
 
Greenstone aib 16_feb12_casarosa
Greenstone aib 16_feb12_casarosaGreenstone aib 16_feb12_casarosa
Greenstone aib 16_feb12_casarosa
accessoinformazione
 
EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...
EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...
EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...
Kuniyasu Suzaki
 
LinuxCon Japan 2010 suzaki
LinuxCon Japan 2010 suzakiLinuxCon Japan 2010 suzaki
LinuxCon Japan 2010 suzaki
Kuniyasu Suzaki
 

More Related Content

What's hot

How swift is your Swift - SD.pptx
How swift is your Swift - SD.pptxHow swift is your Swift - SD.pptx
How swift is your Swift - SD.pptx
OpenStack Foundation
 
Intro to GlusterFS Webinar - August 2011
Intro to GlusterFS Webinar - August 2011Intro to GlusterFS Webinar - August 2011
Intro to GlusterFS Webinar - August 2011
GlusterFS
 
Cloud Storage Adoption, Practice, and Deployment
Cloud Storage Adoption, Practice, and DeploymentCloud Storage Adoption, Practice, and Deployment
Cloud Storage Adoption, Practice, and Deployment
GlusterFS
 
Novell Open Enterprise Server for Beginners
Novell Open Enterprise Server for BeginnersNovell Open Enterprise Server for Beginners
Novell Open Enterprise Server for Beginners
Novell
 
A Retasking Framework For Wireless Sensor Networks
A Retasking Framework For Wireless Sensor NetworksA Retasking Framework For Wireless Sensor Networks
A Retasking Framework For Wireless Sensor Networks
Michele Weigle
 
Novell Teaming: Automating Business Processes with Forms and Workflows
Novell Teaming: Automating Business Processes with Forms and WorkflowsNovell Teaming: Automating Business Processes with Forms and Workflows
Novell Teaming: Automating Business Processes with Forms and Workflows
Novell
 
Spectrum Scale Unified File and Object with WAN Caching
Spectrum Scale Unified File and Object with WAN CachingSpectrum Scale Unified File and Object with WAN Caching
Spectrum Scale Unified File and Object with WAN Caching
Sandeep Patil
 
Linux Symposium 2009 Slide Suzaki "Effect of readahead and file system block ...
Linux Symposium 2009 Slide Suzaki "Effect of readahead and file system block ...Linux Symposium 2009 Slide Suzaki "Effect of readahead and file system block ...
Linux Symposium 2009 Slide Suzaki "Effect of readahead and file system block ...
Kuniyasu Suzaki
 
Emulation Bridging The Past To The Future Dirk Von Suchodoletz
Emulation Bridging The Past To The Future Dirk Von SuchodoletzEmulation Bridging The Past To The Future Dirk Von Suchodoletz
Emulation Bridging The Past To The Future Dirk Von Suchodoletz
DigitalPreservationEurope
 
Lightweight Virtualization in Linux
Lightweight Virtualization in LinuxLightweight Virtualization in Linux
Lightweight Virtualization in Linux
Sadegh Dorri N.
 
Virtualization Primer for Java Developers
Virtualization Primer for Java DevelopersVirtualization Primer for Java Developers
Virtualization Primer for Java Developers
Richard McDougall
 
seL4 intro
seL4 introseL4 intro
seL4 intro
microkerneldude
 
Gluster Blog 11.15.2010
Gluster Blog 11.15.2010Gluster Blog 11.15.2010
Gluster Blog 11.15.2010
GlusterFS
 
Prairie DevCon-What's New in Hyper-V in Windows Server "8" Beta - Part 1
Prairie DevCon-What's New in Hyper-V in Windows Server "8" Beta - Part 1Prairie DevCon-What's New in Hyper-V in Windows Server "8" Beta - Part 1
Prairie DevCon-What's New in Hyper-V in Windows Server "8" Beta - Part 1
Damir Bersinic
 
Award winning scale-up and scale-out storage for Xen
Award winning scale-up and scale-out storage for XenAward winning scale-up and scale-out storage for Xen
Award winning scale-up and scale-out storage for Xen
GlusterFS
 
File Access in Novell Open Enterprise Server 2 SP2
File Access in Novell Open Enterprise Server 2 SP2File Access in Novell Open Enterprise Server 2 SP2
File Access in Novell Open Enterprise Server 2 SP2
Novell
 
Introduction to Microkernels
Introduction to MicrokernelsIntroduction to Microkernels
Introduction to Microkernels
Vasily Sartakov
 
Java developer intro to environment management with vagrant puppet and docker
Java developer intro to environment management with vagrant puppet and dockerJava developer intro to environment management with vagrant puppet and docker
Java developer intro to environment management with vagrant puppet and docker
Getting value from IoT, Integration and Data Analytics
 
Tuning DB2 in a Solaris Environment
Tuning DB2 in a Solaris EnvironmentTuning DB2 in a Solaris Environment
Tuning DB2 in a Solaris Environment
Jignesh Shah
 
Greenstone aib 16_feb12_casarosa
Greenstone aib 16_feb12_casarosaGreenstone aib 16_feb12_casarosa
Greenstone aib 16_feb12_casarosa
accessoinformazione
 

What's hot (20)

How swift is your Swift - SD.pptx
How swift is your Swift - SD.pptxHow swift is your Swift - SD.pptx
How swift is your Swift - SD.pptx
 
Intro to GlusterFS Webinar - August 2011
Intro to GlusterFS Webinar - August 2011Intro to GlusterFS Webinar - August 2011
Intro to GlusterFS Webinar - August 2011
 
Cloud Storage Adoption, Practice, and Deployment
Cloud Storage Adoption, Practice, and DeploymentCloud Storage Adoption, Practice, and Deployment
Cloud Storage Adoption, Practice, and Deployment
 
Novell Open Enterprise Server for Beginners
Novell Open Enterprise Server for BeginnersNovell Open Enterprise Server for Beginners
Novell Open Enterprise Server for Beginners
 
A Retasking Framework For Wireless Sensor Networks
A Retasking Framework For Wireless Sensor NetworksA Retasking Framework For Wireless Sensor Networks
A Retasking Framework For Wireless Sensor Networks
 
Novell Teaming: Automating Business Processes with Forms and Workflows
Novell Teaming: Automating Business Processes with Forms and WorkflowsNovell Teaming: Automating Business Processes with Forms and Workflows
Novell Teaming: Automating Business Processes with Forms and Workflows
 
Spectrum Scale Unified File and Object with WAN Caching
Spectrum Scale Unified File and Object with WAN CachingSpectrum Scale Unified File and Object with WAN Caching
Spectrum Scale Unified File and Object with WAN Caching
 
Linux Symposium 2009 Slide Suzaki "Effect of readahead and file system block ...
Linux Symposium 2009 Slide Suzaki "Effect of readahead and file system block ...Linux Symposium 2009 Slide Suzaki "Effect of readahead and file system block ...
Linux Symposium 2009 Slide Suzaki "Effect of readahead and file system block ...
 
Emulation Bridging The Past To The Future Dirk Von Suchodoletz
Emulation Bridging The Past To The Future Dirk Von SuchodoletzEmulation Bridging The Past To The Future Dirk Von Suchodoletz
Emulation Bridging The Past To The Future Dirk Von Suchodoletz
 
Lightweight Virtualization in Linux
Lightweight Virtualization in LinuxLightweight Virtualization in Linux
Lightweight Virtualization in Linux
 
Virtualization Primer for Java Developers
Virtualization Primer for Java DevelopersVirtualization Primer for Java Developers
Virtualization Primer for Java Developers
 
seL4 intro
seL4 introseL4 intro
seL4 intro
 
Gluster Blog 11.15.2010
Gluster Blog 11.15.2010Gluster Blog 11.15.2010
Gluster Blog 11.15.2010
 
Prairie DevCon-What's New in Hyper-V in Windows Server "8" Beta - Part 1
Prairie DevCon-What's New in Hyper-V in Windows Server "8" Beta - Part 1Prairie DevCon-What's New in Hyper-V in Windows Server "8" Beta - Part 1
Prairie DevCon-What's New in Hyper-V in Windows Server "8" Beta - Part 1
 
Award winning scale-up and scale-out storage for Xen
Award winning scale-up and scale-out storage for XenAward winning scale-up and scale-out storage for Xen
Award winning scale-up and scale-out storage for Xen
 
File Access in Novell Open Enterprise Server 2 SP2
File Access in Novell Open Enterprise Server 2 SP2File Access in Novell Open Enterprise Server 2 SP2
File Access in Novell Open Enterprise Server 2 SP2
 
Introduction to Microkernels
Introduction to MicrokernelsIntroduction to Microkernels
Introduction to Microkernels
 
Java developer intro to environment management with vagrant puppet and docker
Java developer intro to environment management with vagrant puppet and dockerJava developer intro to environment management with vagrant puppet and docker
Java developer intro to environment management with vagrant puppet and docker
 
Tuning DB2 in a Solaris Environment
Tuning DB2 in a Solaris EnvironmentTuning DB2 in a Solaris Environment
Tuning DB2 in a Solaris Environment
 
Greenstone aib 16_feb12_casarosa
Greenstone aib 16_feb12_casarosaGreenstone aib 16_feb12_casarosa
Greenstone aib 16_feb12_casarosa
 

Viewers also liked

EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...
EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...
EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...
Kuniyasu Suzaki
 
LinuxCon Japan 2010 suzaki
LinuxCon Japan 2010 suzakiLinuxCon Japan 2010 suzaki
LinuxCon Japan 2010 suzaki
Kuniyasu Suzaki
 
ACM SOSP11 & SOCC11 & PLOS11 Report
ACM SOSP11 & SOCC11 & PLOS11 ReportACM SOSP11 & SOCC11 & PLOS11 Report
ACM SOSP11 & SOCC11 & PLOS11 Report
Kuniyasu Suzaki
 
Technology Used in Virtual Machine (Jan 2008)
Technology Used in Virtual Machine (Jan 2008)Technology Used in Virtual Machine (Jan 2008)
Technology Used in Virtual Machine (Jan 2008)
Kuniyasu Suzaki
 
Bitvisorをベースとした既存Windowsのドライバメモリ保護
Bitvisorをベースとした既存Windowsのドライバメモリ保護Bitvisorをベースとした既存Windowsのドライバメモリ保護
Bitvisorをベースとした既存Windowsのドライバメモリ保護
Kuniyasu Suzaki
 
Cloud ComputingにおけるVMのセキュリティ(14/Jan/2010)
Cloud ComputingにおけるVMのセキュリティ(14/Jan/2010)Cloud ComputingにおけるVMのセキュリティ(14/Jan/2010)
Cloud ComputingにおけるVMのセキュリティ(14/Jan/2010)
Kuniyasu Suzaki
 
EPT と TLB でしくじった話
EPT と TLB でしくじった話EPT と TLB でしくじった話
EPT と TLB でしくじった話
Takaaki Fukai
 

Viewers also liked (7)

EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...
EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...
EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...
 
LinuxCon Japan 2010 suzaki
LinuxCon Japan 2010 suzakiLinuxCon Japan 2010 suzaki
LinuxCon Japan 2010 suzaki
 
ACM SOSP11 & SOCC11 & PLOS11 Report
ACM SOSP11 & SOCC11 & PLOS11 ReportACM SOSP11 & SOCC11 & PLOS11 Report
ACM SOSP11 & SOCC11 & PLOS11 Report
 
Technology Used in Virtual Machine (Jan 2008)
Technology Used in Virtual Machine (Jan 2008)Technology Used in Virtual Machine (Jan 2008)
Technology Used in Virtual Machine (Jan 2008)
 
Bitvisorをベースとした既存Windowsのドライバメモリ保護
Bitvisorをベースとした既存Windowsのドライバメモリ保護Bitvisorをベースとした既存Windowsのドライバメモリ保護
Bitvisorをベースとした既存Windowsのドライバメモリ保護
 
Cloud ComputingにおけるVMのセキュリティ(14/Jan/2010)
Cloud ComputingにおけるVMのセキュリティ(14/Jan/2010)Cloud ComputingにおけるVMのセキュリティ(14/Jan/2010)
Cloud ComputingにおけるVMのセキュリティ(14/Jan/2010)
 
EPT と TLB でしくじった話
EPT と TLB でしくじった話EPT と TLB でしくじった話
EPT と TLB でしくじった話
 

Similar to Hot sec10 slide-suzaki

Usenix security10-poster-suzaki
Usenix security10-poster-suzakiUsenix security10-poster-suzaki
Usenix security10-poster-suzaki
Kuniyasu Suzaki
 
Latest (storage IO) patterns for cloud-native applications
Latest (storage IO) patterns for cloud-native applications Latest (storage IO) patterns for cloud-native applications
Latest (storage IO) patterns for cloud-native applications
OpenEBS
 
Pune-Cocoa: Blocks and GCD
Pune-Cocoa: Blocks and GCDPune-Cocoa: Blocks and GCD
Pune-Cocoa: Blocks and GCD
Prashant Rane
 
Design and implementation of a reliable and cost-effective cloud computing in...
Design and implementation of a reliable and cost-effective cloud computing in...Design and implementation of a reliable and cost-effective cloud computing in...
Design and implementation of a reliable and cost-effective cloud computing in...Francesco Taurino
 
VDI storage and storage virtualization
VDI storage and storage virtualizationVDI storage and storage virtualization
VDI storage and storage virtualizationSisimon Soman
 
Inter connect2016 yss1841-cloud-storage-options-v4
Inter connect2016 yss1841-cloud-storage-options-v4Inter connect2016 yss1841-cloud-storage-options-v4
Inter connect2016 yss1841-cloud-storage-options-v4
Tony Pearson
 
Pm 01 bradley stone_openstorage_openstack
Pm 01 bradley stone_openstorage_openstackPm 01 bradley stone_openstorage_openstack
Pm 01 bradley stone_openstorage_openstackOpenCity Community
 
Openstorage with OpenStack, by Bradley
Openstorage with OpenStack, by BradleyOpenstorage with OpenStack, by Bradley
Openstorage with OpenStack, by Bradley
Hui Cheng
 
SF Big Analytics & SF Machine Learning Meetup: Machine Learning at the Limit ...
SF Big Analytics & SF Machine Learning Meetup: Machine Learning at the Limit ...SF Big Analytics & SF Machine Learning Meetup: Machine Learning at the Limit ...
SF Big Analytics & SF Machine Learning Meetup: Machine Learning at the Limit ...
Chester Chen
 
Road show 2015 triangle meetup
Road show 2015 triangle meetupRoad show 2015 triangle meetup
Road show 2015 triangle meetup
wim_provoost
 
SQL Queries on Smalltalk Objects
SQL Queries on Smalltalk ObjectsSQL Queries on Smalltalk Objects
SQL Queries on Smalltalk Objects
ESUG
 
State of the Container Ecosystem
State of the Container EcosystemState of the Container Ecosystem
State of the Container Ecosystem
Vinay Rao
 
Container Attached Storage (CAS) with OpenEBS - Berlin Kubernetes Meetup - Ma...
Container Attached Storage (CAS) with OpenEBS - Berlin Kubernetes Meetup - Ma...Container Attached Storage (CAS) with OpenEBS - Berlin Kubernetes Meetup - Ma...
Container Attached Storage (CAS) with OpenEBS - Berlin Kubernetes Meetup - Ma...
OpenEBS
 
Open vStorage Road show 2015 Q1
Open vStorage Road show 2015 Q1Open vStorage Road show 2015 Q1
Open vStorage Road show 2015 Q1
wim_provoost
 
Storing and distributing data
Storing and distributing dataStoring and distributing data
Storing and distributing data
Phil Cryer
 
Some key value stores using log-structure
Some key value stores using log-structureSome key value stores using log-structure
Some key value stores using log-structure
Zhichao Liang
 
Processes and Threads in Windows Vista
Processes and Threads in Windows VistaProcesses and Threads in Windows Vista
Processes and Threads in Windows VistaTrinh Phuc Tho
 
Storage as a service and OpenStack Cinder
Storage as a service and OpenStack CinderStorage as a service and OpenStack Cinder
Storage as a service and OpenStack Cinderopenstackindia
 
Containerization Is More than the New Virtualization
Containerization Is More than the New VirtualizationContainerization Is More than the New Virtualization
Containerization Is More than the New Virtualization
C4Media
 

Similar to Hot sec10 slide-suzaki (20)

Usenix security10-poster-suzaki
Usenix security10-poster-suzakiUsenix security10-poster-suzaki
Usenix security10-poster-suzaki
 
Latest (storage IO) patterns for cloud-native applications
Latest (storage IO) patterns for cloud-native applications Latest (storage IO) patterns for cloud-native applications
Latest (storage IO) patterns for cloud-native applications
 
Pune-Cocoa: Blocks and GCD
Pune-Cocoa: Blocks and GCDPune-Cocoa: Blocks and GCD
Pune-Cocoa: Blocks and GCD
 
Design and implementation of a reliable and cost-effective cloud computing in...
Design and implementation of a reliable and cost-effective cloud computing in...Design and implementation of a reliable and cost-effective cloud computing in...
Design and implementation of a reliable and cost-effective cloud computing in...
 
VDI storage and storage virtualization
VDI storage and storage virtualizationVDI storage and storage virtualization
VDI storage and storage virtualization
 
Inter connect2016 yss1841-cloud-storage-options-v4
Inter connect2016 yss1841-cloud-storage-options-v4Inter connect2016 yss1841-cloud-storage-options-v4
Inter connect2016 yss1841-cloud-storage-options-v4
 
Pm 01 bradley stone_openstorage_openstack
Pm 01 bradley stone_openstorage_openstackPm 01 bradley stone_openstorage_openstack
Pm 01 bradley stone_openstorage_openstack
 
Openstorage with OpenStack, by Bradley
Openstorage with OpenStack, by BradleyOpenstorage with OpenStack, by Bradley
Openstorage with OpenStack, by Bradley
 
SF Big Analytics & SF Machine Learning Meetup: Machine Learning at the Limit ...
SF Big Analytics & SF Machine Learning Meetup: Machine Learning at the Limit ...SF Big Analytics & SF Machine Learning Meetup: Machine Learning at the Limit ...
SF Big Analytics & SF Machine Learning Meetup: Machine Learning at the Limit ...
 
Road show 2015 triangle meetup
Road show 2015 triangle meetupRoad show 2015 triangle meetup
Road show 2015 triangle meetup
 
SQL Queries on Smalltalk Objects
SQL Queries on Smalltalk ObjectsSQL Queries on Smalltalk Objects
SQL Queries on Smalltalk Objects
 
State of the Container Ecosystem
State of the Container EcosystemState of the Container Ecosystem
State of the Container Ecosystem
 
Container Attached Storage (CAS) with OpenEBS - Berlin Kubernetes Meetup - Ma...
Container Attached Storage (CAS) with OpenEBS - Berlin Kubernetes Meetup - Ma...Container Attached Storage (CAS) with OpenEBS - Berlin Kubernetes Meetup - Ma...
Container Attached Storage (CAS) with OpenEBS - Berlin Kubernetes Meetup - Ma...
 
Hyper v r2 deep dive
Hyper v r2 deep diveHyper v r2 deep dive
Hyper v r2 deep dive
 
Open vStorage Road show 2015 Q1
Open vStorage Road show 2015 Q1Open vStorage Road show 2015 Q1
Open vStorage Road show 2015 Q1
 
Storing and distributing data
Storing and distributing dataStoring and distributing data
Storing and distributing data
 
Some key value stores using log-structure
Some key value stores using log-structureSome key value stores using log-structure
Some key value stores using log-structure
 
Processes and Threads in Windows Vista
Processes and Threads in Windows VistaProcesses and Threads in Windows Vista
Processes and Threads in Windows Vista
 
Storage as a service and OpenStack Cinder
Storage as a service and OpenStack CinderStorage as a service and OpenStack Cinder
Storage as a service and OpenStack Cinder
 
Containerization Is More than the New Virtualization
Containerization Is More than the New VirtualizationContainerization Is More than the New Virtualization
Containerization Is More than the New Virtualization
 

More from Kuniyasu Suzaki

RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)
RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)
RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)
Kuniyasu Suzaki
 
遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)
遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)
遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)
Kuniyasu Suzaki
 
IETF111 RATS: Remote Attestation ProcedureS 報告
IETF111 RATS: Remote Attestation ProcedureS 報告IETF111 RATS: Remote Attestation ProcedureS 報告
IETF111 RATS: Remote Attestation ProcedureS 報告
Kuniyasu Suzaki
 
Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)
Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)
Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)
Kuniyasu Suzaki
 
ACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki
ACSAC2020 "Return-Oriented IoT" by Kuniyasu SuzakiACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki
ACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki
Kuniyasu Suzaki
 
TEE (Trusted Execution Environment)は第二の仮想化技術になるか?
TEE (Trusted Execution Environment)は第二の仮想化技術になるか?TEE (Trusted Execution Environment)は第二の仮想化技術になるか?
TEE (Trusted Execution Environment)は第二の仮想化技術になるか?
Kuniyasu Suzaki
 
3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)
3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)
3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)
Kuniyasu Suzaki
 
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Kuniyasu Suzaki
 
RISC-V-Day-Tokyo2018-suzaki
RISC-V-Day-Tokyo2018-suzakiRISC-V-Day-Tokyo2018-suzaki
RISC-V-Day-Tokyo2018-suzaki
Kuniyasu Suzaki
 
BMC: Bare Metal Container @Open Source Summit Japan 2017
BMC: Bare Metal Container @Open Source Summit Japan 2017BMC: Bare Metal Container @Open Source Summit Japan 2017
BMC: Bare Metal Container @Open Source Summit Japan 2017
Kuniyasu Suzaki
 
USENIX NSDI17 Memory Disaggregation
USENIX NSDI17 Memory DisaggregationUSENIX NSDI17 Memory Disaggregation
USENIX NSDI17 Memory Disaggregation
Kuniyasu Suzaki
 
Io t security-suzki-20170224
Io t security-suzki-20170224Io t security-suzki-20170224
Io t security-suzki-20170224
Kuniyasu Suzaki
 
”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016
Kuniyasu Suzaki
 
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kuniyasu Suzaki
 
Report for S4x14 (SCADA Security Scientific Symposium 2014)
Report for S4x14 (SCADA Security Scientific Symposium 2014)Report for S4x14 (SCADA Security Scientific Symposium 2014)
Report for S4x14 (SCADA Security Scientific Symposium 2014)
Kuniyasu Suzaki
 
Slide used at ACM-SAC 2014 by Suzaki
Slide used at ACM-SAC 2014 by SuzakiSlide used at ACM-SAC 2014 by Suzaki
Slide used at ACM-SAC 2014 by Suzaki
Kuniyasu Suzaki
 
OSセキュリティチュートリアル
OSセキュリティチュートリアルOSセキュリティチュートリアル
OSセキュリティチュートリアルKuniyasu Suzaki
 
Nested Virtual Machines and Proxies
Nested Virtual Machines and Proxies Nested Virtual Machines and Proxies
Nested Virtual Machines and Proxies
Kuniyasu Suzaki
 
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
Kuniyasu Suzaki
 
仮想化技術によるマルウェア対策とその問題点
仮想化技術によるマルウェア対策とその問題点仮想化技術によるマルウェア対策とその問題点
仮想化技術によるマルウェア対策とその問題点
Kuniyasu Suzaki
 

More from Kuniyasu Suzaki (20)

RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)
RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)
RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)
 
遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)
遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)
遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)
 
IETF111 RATS: Remote Attestation ProcedureS 報告
IETF111 RATS: Remote Attestation ProcedureS 報告IETF111 RATS: Remote Attestation ProcedureS 報告
IETF111 RATS: Remote Attestation ProcedureS 報告
 
Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)
Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)
Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)
 
ACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki
ACSAC2020 "Return-Oriented IoT" by Kuniyasu SuzakiACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki
ACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki
 
TEE (Trusted Execution Environment)は第二の仮想化技術になるか?
TEE (Trusted Execution Environment)は第二の仮想化技術になるか?TEE (Trusted Execution Environment)は第二の仮想化技術になるか?
TEE (Trusted Execution Environment)は第二の仮想化技術になるか?
 
3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)
3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)
3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)
 
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
 
RISC-V-Day-Tokyo2018-suzaki
RISC-V-Day-Tokyo2018-suzakiRISC-V-Day-Tokyo2018-suzaki
RISC-V-Day-Tokyo2018-suzaki
 
BMC: Bare Metal Container @Open Source Summit Japan 2017
BMC: Bare Metal Container @Open Source Summit Japan 2017BMC: Bare Metal Container @Open Source Summit Japan 2017
BMC: Bare Metal Container @Open Source Summit Japan 2017
 
USENIX NSDI17 Memory Disaggregation
USENIX NSDI17 Memory DisaggregationUSENIX NSDI17 Memory Disaggregation
USENIX NSDI17 Memory Disaggregation
 
Io t security-suzki-20170224
Io t security-suzki-20170224Io t security-suzki-20170224
Io t security-suzki-20170224
 
”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016
 
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
 
Report for S4x14 (SCADA Security Scientific Symposium 2014)
Report for S4x14 (SCADA Security Scientific Symposium 2014)Report for S4x14 (SCADA Security Scientific Symposium 2014)
Report for S4x14 (SCADA Security Scientific Symposium 2014)
 
Slide used at ACM-SAC 2014 by Suzaki
Slide used at ACM-SAC 2014 by SuzakiSlide used at ACM-SAC 2014 by Suzaki
Slide used at ACM-SAC 2014 by Suzaki
 
OSセキュリティチュートリアル
OSセキュリティチュートリアルOSセキュリティチュートリアル
OSセキュリティチュートリアル
 
Nested Virtual Machines and Proxies
Nested Virtual Machines and Proxies Nested Virtual Machines and Proxies
Nested Virtual Machines and Proxies
 
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
 
仮想化技術によるマルウェア対策とその問題点
仮想化技術によるマルウェア対策とその問題点仮想化技術によるマルウェア対策とその問題点
仮想化技術によるマルウェア対策とその問題点
 

Hot sec10 slide-suzaki

  • 1. Moving from Logical Sharing of Guest OS to Physical Sharing of Deduplication on Virtual Machine Kuniyasu Suzaki, T hiki Y i K K i S ki Toshiki Yagi, Kengo Iiji Iijima, N Nguyen Anh Quynh, C ill A th A hQ h Cyrille Artho Research Center of Information Security National Institute of Advanced Industrial Science and Technology & Yoshihito Watanebe Alpha Systems Inc.
  • 2. Contents • Vulnerability of logical sharing (Dynamic-Link Shared Library and Symbolic Link) • Propose replacement of logical sharing by physical sharing – Physical sharing • Deduplication on Memory and Storage – Self-contained binary • It is NOT static-Link binary. • Experimental results • Conclusions with discussing topics
  • 3. Logical Sharing • Logical sharing is OS technique to reduce consumption of memory and storage. – “Dynamic-Link Shared Library” for memory and storage – “Symbolic Link” for storage • Unfortunately, they include vulnerability caused by dynamic management. d i t – Search Path Replacement Attack – GOT (Global Offset Table) overwrite attack – Dependency Hell – Etc.
  • 4. Search Path Replacement Attack • Dynamic-link searches a shared library at run time using a search path. – Search path is defined by environment variables. • Example: “LD_LIBRARY_PATH” – It allows us to change shared libraries in any directories. • Unfortunately, the search path is easily replaced by an attacker and leads to malicious shared libraries. – Caller program has no methods to certify libraries. • Static-link solves this problem but it wastes memory and storage.
  • 5. GOT Overwrite Attack • ELF format has GOT (Global Offset Table) to locate position-independent function address of shared library. The value of GOT is assigned at run time. – GOT is created on Data Segment and vulnerable for overwrite attack. • Static link solves this problem but it wastes memory and storage. Program Library Call Routine Code Code Segment Segment PLT PLT Data Data GOT GOT Segment Segment Attack
  • 6. Dependency Hell (DLL Hell in Windows) • Dependency Hell is a management problem of shared libraries. – Package manager maintains versions of libraries. However, the version mismatch may occur, when a user updates a library without package manager. – Caller program has no methods to certify libraries libraries. • Dependency Hell is escalated by symbolic-link, because most shared libraries use symbolic-link to manage minor updates. – /lib/libc.so.6 -> libc-2.10.1.so – # ln –s libc-2.11.1.so libc.so.6 • Static link solves this problem but it wastes memory and storage.
  • 7. Solution, and further problems • The problems are solved by static-link, but it increase consumption of memory and storage. – Fortunately, the increased consumption is mitigated by new technique, deduplication. – SLINY[USENIX’05] developed deduplication in Linux kernel. – It looks the problems are solved … • Two trends – Current applications assume dynamic-link and are not re-compiled as static-link easily . – Current virtualization offers us deduplication. • SLINKY uses special Linux kernel. It is not applied on any OSes. • Using virtualization, guest OS only has to consider the solution without regard to physical consumption.
  • 8. Static-Link is not easy • Current applications deeply depend on dynamic-link shared libraries for flexibility and for avoiding license contamination problems. • We tried to re-compile /bin, /sbin, /usr/bin, and /usr/sbin dynamic-linked binaries (1,162) with static-link on Gentoo. – 185 (15.9%) binaries are re-compiled with static-link. • Binary packages make it difficult to re-compile, because they are not easy to get all source code. – Commercial applications make problem more difficult.
  • 9. Self-Contained Binaries • Self-contained binary translator • It is developed to bring a binary to another machine. • It integrates shared libraries into an ELF binary file. – Advantage • Prevent Search Path Replacement Attack and Dependency Hell, Hell because it integrates all libraries. libraries • Mitigate GOT Overwrite Attack, because the addresses are prefixed for each execution. – Disadvantage • Consume more memory and storage than static-link • Tools – Statifier, Autopacage, Ermine for Linux – VMWare “ThinApps(was Thinstall)” for Windows
  • 10. Statifier (1/2) • Statifier includes shared library into an ELF binary. • On Normal binary ① _dl_start() of ld-linux.so • Reallocate dynamic link libraries and map them ② _dl_start_user() of ld-linux.so • Call initialization functions in libraries • Statifier creates self-contained binary – Take snapshot before _dl_start_user() and analyze relocation information of functions of libraries from /proc/PID/maps. – The libraries and relocation information are embedded into the binary.
  • 11. Statifier (2/2) • Self-Contained Binary – Relocation information and shared libraries are loaded by the starter of statifier. • Includes special libraries: linux-gate.so, ld-linux.so – The ELF binary has no INTERP segment to call ld-linux.so – ldd command shows no dynamic-link shared libraries • However, Statifier makes a larger binary than static link.
  • 12. Deduplication • Technique to share same-content chunks at block level (memory and storage). • Same-content chunks are shared by indirect link. – It is easy to implement when a virtual layer exists to access a block device device. – Some virtualizations include deduplication mechanism.
  • 13. Storage Deduplication • Used by CAS (Content addressable Storage) – data is not addressed by its physical location. Data is addressed by a unique name derived from the content (a secure hash is used as a unique name usually) – Same contents are expressed by one original content (same hash) and addressed by indirected link. • Plan9 has Venti [USENIX FAST02] • NetApp Deduplication (Data Domain) [USENIX FAST08] • LBCAS (Loopback Content Addressable Storage) [LinuxSymp09] Virtual Disk CAS Storage Archive Indexing Address SHA-1 0000000-0003FFF 4ad36ffe8… New block is 0004000-0007FFF 974daf34a… created with 0008000-000BFFF 2d34ff3e1… new SHA-1 000C000-000FFFF 974daf34a… … … sharing Deduplication
  • 14. Memory Deduplication • Memory deduplication is mainly used for virtual machines. • Very effective when same guest OS runs on several virtual machines. • On Virtual Machine Monitor – Disco[OSDI97] has Transparent Page Sharing – VMWare ESX has Content-Based Page Sharing [SOSP02] – Xen has Satori[USENIX09] and Differential Engine[OSDI08] • On Kernel – Linux has KSM (Kernel Samepage Merging) from 2.6.32 [LinuxSymp09] Guest Physical Memory VM1 VM2 VM(n) • Memory of Process(es) are deduplicated • KVM uses this mechanism • These targets are virtual machines, but our proposal uses memory deduplication on a single OS image, which increase same pages with copy of libraries (self-contained binary). Real Physical Memory
  • 15. Evaluation • Evaluate the effect of moving form logical sharing to physical sharing. – Effect of Statifier • Applied on binaries under /bin,/sbin,/usr/bin,/usr/sbin of Gentoo (installed on 32GB virtual disk for KVM virtual ( machine) – Memory Deduplication • KSM (Kernel Samepage merging) of Linux with KVM virtual machine (758MB). – Storage Deduplication • LBCAS (Loopback Content Addressable Storage)
  • 16. Static Analysis of Statifier • Gentoo was customized by statifier. – The ELF (1,162) binaries under /bin (82 files), /sbin (74), /usr/bin (912), /usr/sbin (94) were customized by statifier. Original Statifier Increase (Dynamic-link) Total 87,865,480 3,572,936,704 40.66 Average 75,615 3,074,816 40.66 Max (gnome-open) 5,400 8,732,672 1617.16 Min (qmake) 3,426,340 6,094,848 1.78 • The disk image (includes non-statifiered files) was expnaded from 3.75GB to 7.08GB (1.88 times).
  • 17. Effect of Memory Deduplication • Memory usage at the end of login • Statifier expanded memory consumption from the view of GuestOS, • but Deduplication reduced physical memory consumption. 80000 34.4% 4KB GuestOS View page 70000 60000 50000 GuestOS 93.0% 45 332 View Duplicated 40000 86056 8.9% Deduplicate 22 96 17.3% 30000 48 1 44 41 29732 Unique physical 20000 32706 30410 memory 2 9929 physical 25 291 10000 memory 0 Normal Gentoo Statifier Gentoo
  • 18. Effect of Storage Deduplication • Storage usage (static) and total read data at boot (dynamic) . • Statifier expanded storage consumption from the view of GuestOS on both cases, but Deduplication reduced physical storage consumption in static and dynamic. • Smaller chunk is easy to be deduplicated but time overhead is large. Static Dynamic ( (boot) ) normal statifier normal statifier On Loopback 3,754MB 7,075MB 151.7MB 341.0MB (Guest OS View) (1.88) (2.25) 4352MB 268,454 LBCAS 16KB [278,499] --- ---- [4195MB] (1.04) 83,863 304MB 74,679 218MB LBCAS 64KB [5241MB] [4,866] [4667MB] [3,481] (1.12) (1.40) 6723MB 505MB 22,806 390MB LBCAS 256KB [26,892] [2,019] [5701MB] [1,560 ] (1.18) (1.29)
  • 19. Trace of memory consumption Normal Gentoo Statifer Gentoo Loopback GuestOS View Physical Physical Mem View Mem View GuestOS View Auto Auto login login LBCAS (256KB) GuestOS View Physical GuestOS View Mem View Physical Mem View Auto Auto login login
  • 20. Time overhead at boot • Statifier reduced the boot time, because it eliminated dynamic reallocation overhead. • Deduplication increased the boot time. The overhead of KSM and LBCAS was less than 37%. – The overhead is a penalty to remove the vulnerabilities of logical sharing. Without KSM With KSM Normal Statifier Normal Statifier Loopback 95s 84s 95s 105s Reduced LBCAS 107s 108s 115s 130s (256KB)
  • 21. Conclusion & Discussion (1/2) • Self-Contained binaries strengthen OS security. – Prevent Search Path Replacement Attack, GOT (Global Offset Table) overwrite attack, Dependency Hell – Easy to apply on normal OS. It does not require source code and re-compile. – Increase consumption of memory and storage. • Deduplication mitigates the consumption of memory and storage caused by self-contained binary. – Encourage moving from Logical sharing to Physical Sharing • Deduplication is utilized to increase security on single OS.
  • 22. Conclusion & Discussion (2/2) • Deduplication will be mainly used on IaaS type (multi-tenants) Cloud Computing. • Two directions of research • Increase code sharing – “R t “Return-Oriented P O i t d Programming” style b i ” t l becomes popular?l ? » Tools: Return Oriented Rootkit [USENIX Security 09] • Keep security – Code sharing will increase a chance to attack – Attack for deduplication will be presented in Rump Session of USENIX Security.