This document proposes replacing the logical sharing of guest OS components through dynamic linking and symbolic links with physical sharing through memory and storage deduplication on virtual machines. It discusses vulnerabilities in logical sharing and how self-contained binaries integrated with deduplication can improve security while reducing resource usage. Experimental results on Gentoo show that while statically compiling binaries increases size, deduplication recovers over 40% of physical memory and storage. Some overhead is introduced but vulnerabilities are eliminated. Further research directions involve increasing code sharing safely and defending against new deduplication attacks.
What's LUM Got To Do with It: Deployment Considerations for Linux User Manage...Novell
LUM it or leave it! Join us in this session to explore the inner workings of Linux User Management. You'll learn about the architecture, configuration and implementation of Linux User Management on Novell Open Enterprise Server and SUSE Linux Enterprise Desktop. We'll also cover placement of LUM objects in a tree, services and tree design to enhance performance for LUM-enabled users, and LUM considerations when upgrading from NetWare to Linux.
Webinar Sept 22: Gluster Partners with Redapt to Deliver Scale-Out NAS StorageGlusterFS
Gluster has partnered with Redapt, Inc., an innovative data center architecture and infrastructure solutions provider, to integrate GlusterFS with hardware providing customers with highly-scalable NAS storage technology for on-premise, virtual and cloud environments. Gluster's storage technology enables Redapt to offer a comprehensive, cost-effective storage solution delivering the scalability, performance and reliability that companies need to effectively run their data centers.
This webinar will provide an overview of the partnership, benefits of the joint solution, and include use cases of how customers today are deploying the joint solution. .
What's LUM Got To Do with It: Deployment Considerations for Linux User Manage...Novell
LUM it or leave it! Join us in this session to explore the inner workings of Linux User Management. You'll learn about the architecture, configuration and implementation of Linux User Management on Novell Open Enterprise Server and SUSE Linux Enterprise Desktop. We'll also cover placement of LUM objects in a tree, services and tree design to enhance performance for LUM-enabled users, and LUM considerations when upgrading from NetWare to Linux.
Webinar Sept 22: Gluster Partners with Redapt to Deliver Scale-Out NAS StorageGlusterFS
Gluster has partnered with Redapt, Inc., an innovative data center architecture and infrastructure solutions provider, to integrate GlusterFS with hardware providing customers with highly-scalable NAS storage technology for on-premise, virtual and cloud environments. Gluster's storage technology enables Redapt to offer a comprehensive, cost-effective storage solution delivering the scalability, performance and reliability that companies need to effectively run their data centers.
This webinar will provide an overview of the partnership, benefits of the joint solution, and include use cases of how customers today are deploying the joint solution. .
In this Introduction to GlusterFS webinar, introduction and review of the GlusterFS architecture and key functionalities. Learn how GlusterFS is deployed in the datacenter, in the cloud, or between the two. We’ll also cover a brief update on GlusterFS v3.3 which is currently in beta.
Cloud Storage Adoption, Practice, and DeploymentGlusterFS
In this webinar, leading storage analyst firm Storage Strategies NOW, will discuss the findings from their comprehensive outlook report on the state of the cloud storage market and storage services that are layered on top of it. We will review: the definition of cloud storage, requirements, deployment, the market and its trends, API’s, cloud computing initiatives, best practices and infrastructure providers. Tom Trainer, Director of Product Marketing at Gluster, will provide an overview of Gluster’s storage products along with case studies demonstrating the strategic deployment of Gluster storage in both the public and private cloud.
With NetWare general support ending in March, now is the time to upgrade to Novell Open Enterprise Server 2. You can take advantage of brand new capabilities, as well as retain the NetWare services you know and love (many of them are even better on Linux). Attend this session for an overview of Novell Open Enterprise Server running SUSE Linux Enterprise. You'll also learn how NetWare has evolved into Novell Open Enterprise Server and how simple the upgrade path can be.
A Retasking Framework For Wireless Sensor NetworksMichele Weigle
Presented by Yang He
Military Communications Conference (MILCOM)
October 6-8, 2014
Baltimore, MD
Michael Ruffing, Yang He, Jason Hallstrom, Mat Kelly, Stephan Olariu and Michele C. Weigle, "A Retasking Framework For Wireless Sensor Networks," In Proceedings of the Military Communications Conference (MILCOM). Baltimore, MD, October 2014.
Novell Teaming: Automating Business Processes with Forms and WorkflowsNovell
Find out how you can replace time-consuming, error-prone and manual business processes with simple, automated forms and workflows. In this session, we'll show you how easy it can be with Novell Teaming. End users can easily create workflows themselves using a simple graphical user interface. We'll also show you the easy-to-customize templates—covering a number of common business processes—found in the Novell Teaming Library.
Linux Symposium 2009 Slide Suzaki "Effect of readahead and file system block ...Kuniyasu Suzaki
Linux Symposium 2009 Slide Suzaki
"Effect of readahead and file system block reallocation for LBCAS (LoopBack Content Addressable Storage)"
http://www.linuxsymposium.org/2009/
Paper: http://www.kernel.org/doc/ols/2009/ols2009-pages-275-286.pdf
امروزه مجازیسازی یکی از روشهای پرطرفدار برای پیادهسازی کارگزاران وب است. این فناوری موجب کاهش هزینههای تجارتهای کوچک میشود. مجازیسازی یکی از جنبههای مهم ارائه خدمات ابری است که حتی برای تجارتهای بزرگ نیز از جذابیت زیادی برخوردار است.
در این سخنرانی به امکاناتی همچون Control Groups و Containers که در نسخههای جدیدتر هسته سیستم عامل لینوکس پیادهسازی شده است میپردازیم. هرچند این امکانات مجازیسازی کامل را به ارمغان نمیآورند، اما بسیاری از مزایای آن را با سربار بسیار کم در سطح هسته فراهم میکنند. راه حلهایی همچون LXC و Docker بر اساس این امکانات توانستهاند به نتایج خوبی برسند که هم از لحاظ تجاری در خور توجه هستند و هم تبعات و کاربردهای امنیتی دارند.
Ben Golub gives insight to the latest storage trends including the EMC's latest acquisition of Isilon.
http://blog.gluster.com/2010/11/storage-is-sexy-again/
Prairie DevCon-What's New in Hyper-V in Windows Server "8" Beta - Part 1Damir Bersinic
This is the first of a 2-part series delivered at Prairie DevCon in Calgry on March 15. 2012. The sessions provided a quick overview of the new features of Hyper-V in Windows Server "8" Beta and how these compare to VMware vSphere 5.
Award winning scale-up and scale-out storage for XenGlusterFS
This webinar discusses the Gluster Virtual Storage Appliance for Xen which packages GlusterFS in a virtual machine container optimized for ease of use with little to no configuration required. The Virtual Appliance seamlessly integrates with existing virtualization environments such as Citrix Xen, allowing you to deploy virtual storage the same way you deploy virtual machines. Deploy on premise to create a private cloud using any certified Xen server hardware platforms and certified storage: JBOD, DAS, or SAN.
File Access in Novell Open Enterprise Server 2 SP2Novell
This session offers a consolidated view of the various file access protocols (NCP, Novell CIFS, AFP, FTP and Samba) supported in Novell Open Enterprise Server 2 Service Pack 2. We'll also cover the ways in which they can be combined and deployed in order to meet different file access needs. You'll learn about the features and capabilities of each protocol, as well as deployment aspects—such as clustering, auditing and performance—common to them all.
The lecture by Bjoern Doebel for Summer Systems School'12.
Brief introduction to microkernels illustrated by examples (Fiasco.OC and L4Re).
SSS'12 - Education event, organized by ksys labs[1] in 2012, for students interested in system software development and information security.
1. http://ksyslabs.org/
Titie: Rethink Package Components on De-Duplication: From Logical Sharing to Physical Sharing
URL: http://events.linuxfoundation.org/2010/linuxcon-japan/suzaki
Abstract: inux distributions include many logical sharing techniques (shared library, symbolic link, etc) on memory and storage. Unfortunately they cause security and management problems, such as GOT (Global Offset Table) overwrite attack, TOCTTOU (Time Of Check To Time Of Use) attack, Dependency hell, etc. In order to mitigate the problems, we propose the replacement of logical sharing by physical sharing (memory and disk deduplication; e.g., KSM: Kernel Samepage Merging, Content Addressable Storage, etc). Original ELF binaries are transformed as self-contained binaries which include dynamic linked shared libraries as “pseudo-static”. The binaries become fat but physical resource usage is mitigated by deduplication. We have investigated the effect on Debian and Ubuntu and confirmed that the physical impact is low. Data centers of Cloud Computing utilize the deduplication techniques. Users and administrators should consider Linux images in terms of security and maintenance, and the usage of deduplicated fat binaries.
In this Introduction to GlusterFS webinar, introduction and review of the GlusterFS architecture and key functionalities. Learn how GlusterFS is deployed in the datacenter, in the cloud, or between the two. We’ll also cover a brief update on GlusterFS v3.3 which is currently in beta.
Cloud Storage Adoption, Practice, and DeploymentGlusterFS
In this webinar, leading storage analyst firm Storage Strategies NOW, will discuss the findings from their comprehensive outlook report on the state of the cloud storage market and storage services that are layered on top of it. We will review: the definition of cloud storage, requirements, deployment, the market and its trends, API’s, cloud computing initiatives, best practices and infrastructure providers. Tom Trainer, Director of Product Marketing at Gluster, will provide an overview of Gluster’s storage products along with case studies demonstrating the strategic deployment of Gluster storage in both the public and private cloud.
With NetWare general support ending in March, now is the time to upgrade to Novell Open Enterprise Server 2. You can take advantage of brand new capabilities, as well as retain the NetWare services you know and love (many of them are even better on Linux). Attend this session for an overview of Novell Open Enterprise Server running SUSE Linux Enterprise. You'll also learn how NetWare has evolved into Novell Open Enterprise Server and how simple the upgrade path can be.
A Retasking Framework For Wireless Sensor NetworksMichele Weigle
Presented by Yang He
Military Communications Conference (MILCOM)
October 6-8, 2014
Baltimore, MD
Michael Ruffing, Yang He, Jason Hallstrom, Mat Kelly, Stephan Olariu and Michele C. Weigle, "A Retasking Framework For Wireless Sensor Networks," In Proceedings of the Military Communications Conference (MILCOM). Baltimore, MD, October 2014.
Novell Teaming: Automating Business Processes with Forms and WorkflowsNovell
Find out how you can replace time-consuming, error-prone and manual business processes with simple, automated forms and workflows. In this session, we'll show you how easy it can be with Novell Teaming. End users can easily create workflows themselves using a simple graphical user interface. We'll also show you the easy-to-customize templates—covering a number of common business processes—found in the Novell Teaming Library.
Linux Symposium 2009 Slide Suzaki "Effect of readahead and file system block ...Kuniyasu Suzaki
Linux Symposium 2009 Slide Suzaki
"Effect of readahead and file system block reallocation for LBCAS (LoopBack Content Addressable Storage)"
http://www.linuxsymposium.org/2009/
Paper: http://www.kernel.org/doc/ols/2009/ols2009-pages-275-286.pdf
امروزه مجازیسازی یکی از روشهای پرطرفدار برای پیادهسازی کارگزاران وب است. این فناوری موجب کاهش هزینههای تجارتهای کوچک میشود. مجازیسازی یکی از جنبههای مهم ارائه خدمات ابری است که حتی برای تجارتهای بزرگ نیز از جذابیت زیادی برخوردار است.
در این سخنرانی به امکاناتی همچون Control Groups و Containers که در نسخههای جدیدتر هسته سیستم عامل لینوکس پیادهسازی شده است میپردازیم. هرچند این امکانات مجازیسازی کامل را به ارمغان نمیآورند، اما بسیاری از مزایای آن را با سربار بسیار کم در سطح هسته فراهم میکنند. راه حلهایی همچون LXC و Docker بر اساس این امکانات توانستهاند به نتایج خوبی برسند که هم از لحاظ تجاری در خور توجه هستند و هم تبعات و کاربردهای امنیتی دارند.
Ben Golub gives insight to the latest storage trends including the EMC's latest acquisition of Isilon.
http://blog.gluster.com/2010/11/storage-is-sexy-again/
Prairie DevCon-What's New in Hyper-V in Windows Server "8" Beta - Part 1Damir Bersinic
This is the first of a 2-part series delivered at Prairie DevCon in Calgry on March 15. 2012. The sessions provided a quick overview of the new features of Hyper-V in Windows Server "8" Beta and how these compare to VMware vSphere 5.
Award winning scale-up and scale-out storage for XenGlusterFS
This webinar discusses the Gluster Virtual Storage Appliance for Xen which packages GlusterFS in a virtual machine container optimized for ease of use with little to no configuration required. The Virtual Appliance seamlessly integrates with existing virtualization environments such as Citrix Xen, allowing you to deploy virtual storage the same way you deploy virtual machines. Deploy on premise to create a private cloud using any certified Xen server hardware platforms and certified storage: JBOD, DAS, or SAN.
File Access in Novell Open Enterprise Server 2 SP2Novell
This session offers a consolidated view of the various file access protocols (NCP, Novell CIFS, AFP, FTP and Samba) supported in Novell Open Enterprise Server 2 Service Pack 2. We'll also cover the ways in which they can be combined and deployed in order to meet different file access needs. You'll learn about the features and capabilities of each protocol, as well as deployment aspects—such as clustering, auditing and performance—common to them all.
The lecture by Bjoern Doebel for Summer Systems School'12.
Brief introduction to microkernels illustrated by examples (Fiasco.OC and L4Re).
SSS'12 - Education event, organized by ksys labs[1] in 2012, for students interested in system software development and information security.
1. http://ksyslabs.org/
Titie: Rethink Package Components on De-Duplication: From Logical Sharing to Physical Sharing
URL: http://events.linuxfoundation.org/2010/linuxcon-japan/suzaki
Abstract: inux distributions include many logical sharing techniques (shared library, symbolic link, etc) on memory and storage. Unfortunately they cause security and management problems, such as GOT (Global Offset Table) overwrite attack, TOCTTOU (Time Of Check To Time Of Use) attack, Dependency hell, etc. In order to mitigate the problems, we propose the replacement of logical sharing by physical sharing (memory and disk deduplication; e.g., KSM: Kernel Samepage Merging, Content Addressable Storage, etc). Original ELF binaries are transformed as self-contained binaries which include dynamic linked shared libraries as “pseudo-static”. The binaries become fat but physical resource usage is mitigated by deduplication. We have investigated the effect on Debian and Ubuntu and confirmed that the physical impact is low. Data centers of Cloud Computing utilize the deduplication techniques. Users and administrators should consider Linux images in terms of security and maintenance, and the usage of deduplicated fat binaries.
sosp2011 socc2011 plos2011 Report
23rd ACM Symposium on Operating Systems Principles (SOSP)October 23-26, 2011, Cascais, Portugal
http://sosp2011.gsd.inesc-id.pt/
2nd ACM Symposium on Cloud Computing October 26-28, 2011, Cascais, Portugal
http://socc2011.gsd.inesc-id.pt/
6th Workshop on Programming Languages and Operating Systems, October 23, 2011, Cascais, Portugal
http://plosworkshop.org/2011/
Latest (storage IO) patterns for cloud-native applications OpenEBS
Applying micro service patterns to storage giving each workload its own Container Attached Storage (CAS) system. This puts the DevOps persona within full control of the storage requirements and brings data agility to k8s persistent workloads. We will go over the concept and the implementation of CAS, as well as its orchestration.
Blocks is a cool concept and is very much needed for performance improvements and responsiveness. GCD helps run blocks effortlessly by scheduling on a desired queue, priority and lots more.
Inter connect2016 yss1841-cloud-storage-options-v4Tony Pearson
This session will cover private and public cloud storage options, including flash, disk and tape, to address the different types of cloud storage requirements. It will also explain the use of Active File Management for local space management and global access to files, and support for file-and-sync.
SF Big Analytics & SF Machine Learning Meetup: Machine Learning at the Limit ...Chester Chen
Machine Learning at the Limit
John Canny, UC Berkeley
How fast can machine learning and graph algorithms be? In "roofline" design, every kernel is driven toward the limits imposed by CPU, memory, network etc. This can lead to dramatic improvements: BIDMach is a toolkit for machine learning that uses rooflined design and GPUs to achieve two- to three-orders of magnitude improvements over other toolkits on single machines. These speedups are larger than have been reported for *cluster* systems (e.g. Spark/MLLib, Powergraph) running on hundreds of nodes, and BIDMach with a GPU outperforms these systems for most common machine learning tasks. For algorithms (e.g. graph algorithms) which do require cluster computing, we have developed a rooflined network primitive called "Kylix". We can show that Kylix approaches the rooline limits for sparse Allreduce, and empirically holds the record for distributed Pagerank. Beyond rooflining, we believe there are great opportunities from deep algorithm/hardware codesign. Gibbs Sampling (GS) is a very general tool for inference, but is typically much slower than alternatives. SAME (State Augmentation for Marginal Estimation) is a variation of GS which was developed for marginal parameter estimation. We show that it has high parallelism, and a fast GPU implementation. Using SAME, we developed a GS implementation of Latent Dirichlet Allocation whose running time is 100x faster than other samplers, and within 3x of the fastest symbolic methods. We are extending this approach to general graphical models, an area where there is currently a void of (practically) fast tools. It seems at least plausible that a general-purpose solution based on these techniques can closely approach the performance of custom algorithms.
Bio
John Canny is a professor in computer science at UC Berkeley. He is an ACM dissertation award winner and a Packard Fellow. He is currently a Data Science Senior Fellow in Berkeley's new Institute for Data Science and holds a INRIA (France) International Chair. Since 2002, he has been developing and deploying large-scale behavioral modeling systems. He designed and protyped production systems for Overstock.com, Yahoo, Ebay, Quantcast and Microsoft. He currently works on several applications of data mining for human learning (MOOCs and early language learning), health and well-being, and applications in the sciences.
SQL Queries on Smalltalk Objects
First Name: James
Last Name: Foster
Type: Talk
Video: https://www.youtube.com/watch?v=56956-yPofs
Abstract:
Object-oriented programming (OOP) languages are very popular and relational database management systems (RDBMSs) are likewise common, but there is a well-known "impedance mismatch" when they interact. Much work has gone into bridging that gap by allowing objects from an OOP application to be saved in an RDBMS (see GLORP). On the other hand, comparatively little effort has gone into presenting objects from an OOP environment or application directly to RDBMS tools. This functionality would be useful because many RDBMS tools exist that simplify the end-user's exploration of data, but that capability is not available until the data has been stored in the RDBMS. This functionality is one of the most common high-level feature-requests for GemStone/S by those who are evaluating it as a database (“Can I use my familiar query tools?”).
In this talk we will discuss a project to create a library that parses SQL queries (using PetitParser) and evaluates Smalltalk code that builds a result sets to be returned to the external tools.
Bio:
As a junior-high student in 1971, James discovered the local university’s computer center and a life-long obsession with computers began. He was introduced to Smalltalk/V for the Mac in the mid-90s, and became a Smalltalk bigot. James is Director of Operations for GemTalk Systems and is a passionate advocate for GemStone and all things Smalltalk.
Container Attached Storage (CAS) with OpenEBS - Berlin Kubernetes Meetup - Ma...OpenEBS
The OpenEBS project has taken a different approach to storage when it comes to containers. Instead of using existing storage systems and making them work with containers; what if you were to redesign something from scratch using the same paradigms used in the container world? This resulted in the effort of containerizing the storage controller. Also, as applications that consume storage are changing over, do we need a scale-out distributed storage systems?
(see NOTES tab under presentation for more detail) An overview talk about decisions I've made so far in architecting the BHL clustered, distributed storage filesystem. Covering background on the proposal, proof of concept, to a current status report and thoughts of future implementations and uses.
Some key value stores using log-structureZhichao Liang
This slides presents three key-value stores using log-structure, includes Riak, RethinkDB, LevelDB. BTW, i state that RethinkDB employs append-only B-tree and that is an estimate made by combining guessing wih reasoning!
Containerization Is More than the New VirtualizationC4Media
Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/1E5GzZX.
Jérôme Petazzoni borrows from his experience at Docker Inc. to explain live applications running in Docker, including reading logs, remote access, and troubleshooting tips. Filmed at qconsf.com.
Jérôme Petazzoni is a senior engineer at dotCloud, where he rotates between Ops, Support and Evangelist duties and the nickname of “master Yoda”, has earned.
ACSAC2020 "Return-Oriented IoT" by Kuniyasu SuzakiKuniyasu Suzaki
Side of "Reboot-Oriented IoT: Life Cycle Management in Trusted Execution Environment for Disposable IoT devices" ACSAC (Annual Computer Security Applications Conference) 2020
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kuniyasu Suzaki
IWSEC2014(The 9th International Workshop on Security 弘前) で"Kernel Memory Protection by an Insertable Hypervisor which has VM Introspection and Stealth Breakpoints"
USENIX OSDI 2012 Poster "Nested Virtual Machines and Proxies for Easily Implementable Rollback of Secure Communication" by Kuniyasu Suzaki, Kengo Iijima, Akira Tanaka, and Yutaka Oiwa, AIST: National Institute of Advanced Industrial Science and Technology; Etsuya Shibayama, The University of Tokyo
1. Moving from Logical Sharing of Guest OS
to Physical Sharing of Deduplication on Virtual Machine
Kuniyasu Suzaki, T hiki Y i K
K i S ki Toshiki Yagi, Kengo Iiji
Iijima, N
Nguyen Anh Quynh, C ill A th
A hQ h Cyrille Artho
Research Center of Information Security
National Institute of Advanced Industrial Science and Technology
&
Yoshihito Watanebe
Alpha Systems Inc.
2. Contents
• Vulnerability of logical sharing (Dynamic-Link Shared
Library and Symbolic Link)
• Propose replacement of logical sharing by physical sharing
– Physical sharing
• Deduplication on Memory and Storage
– Self-contained binary
• It is NOT static-Link binary.
• Experimental results
• Conclusions with discussing topics
3. Logical Sharing
• Logical sharing is OS technique to reduce consumption
of memory and storage.
– “Dynamic-Link Shared Library” for memory and storage
– “Symbolic Link” for storage
• Unfortunately, they include vulnerability caused by
dynamic management.
d i t
– Search Path Replacement Attack
– GOT (Global Offset Table) overwrite attack
– Dependency Hell
– Etc.
4. Search Path Replacement Attack
• Dynamic-link searches a shared library at run time using
a search path.
– Search path is defined by environment variables.
• Example: “LD_LIBRARY_PATH”
– It allows us to change shared libraries in any directories.
• Unfortunately, the search path is easily replaced by an
attacker and leads to malicious shared libraries.
– Caller program has no methods to certify libraries.
• Static-link solves this problem but it wastes memory and
storage.
5. GOT Overwrite Attack
• ELF format has GOT (Global Offset Table) to locate
position-independent function address of shared library.
The value of GOT is assigned at run time.
– GOT is created on Data Segment and vulnerable for overwrite
attack.
• Static link solves this problem but it wastes memory and
storage. Program Library
Call Routine
Code
Code
Segment
Segment PLT
PLT
Data Data
GOT GOT
Segment Segment
Attack
6. Dependency Hell (DLL Hell in Windows)
• Dependency Hell is a management problem of shared
libraries.
– Package manager maintains versions of libraries. However, the
version mismatch may occur, when a user updates a library
without package manager.
– Caller program has no methods to certify libraries
libraries.
• Dependency Hell is escalated by symbolic-link, because
most shared libraries use symbolic-link to manage minor
updates.
– /lib/libc.so.6 -> libc-2.10.1.so
– # ln –s libc-2.11.1.so libc.so.6
• Static link solves this problem but it wastes memory and
storage.
7. Solution, and further problems
• The problems are solved by static-link, but it increase
consumption of memory and storage.
– Fortunately, the increased consumption is mitigated by new
technique, deduplication.
– SLINY[USENIX’05] developed deduplication in Linux kernel.
– It looks the problems are solved …
• Two trends
– Current applications assume dynamic-link and are not re-compiled
as static-link easily .
– Current virtualization offers us deduplication.
• SLINKY uses special Linux kernel. It is not applied on any OSes.
• Using virtualization, guest OS only has to consider the solution
without regard to physical consumption.
8. Static-Link is not easy
• Current applications deeply depend on dynamic-link shared
libraries for flexibility and for avoiding license
contamination problems.
• We tried to re-compile /bin, /sbin, /usr/bin, and /usr/sbin
dynamic-linked binaries (1,162) with static-link on Gentoo.
– 185 (15.9%) binaries are re-compiled with static-link.
• Binary packages make it difficult to re-compile, because
they are not easy to get all source code.
– Commercial applications make problem more difficult.
9. Self-Contained Binaries
• Self-contained binary translator
• It is developed to bring a binary to another machine.
• It integrates shared libraries into an ELF binary file.
– Advantage
• Prevent Search Path Replacement Attack and Dependency
Hell,
Hell because it integrates all libraries.
libraries
• Mitigate GOT Overwrite Attack, because the addresses are
prefixed for each execution.
– Disadvantage
• Consume more memory and storage than static-link
• Tools
– Statifier, Autopacage, Ermine for Linux
– VMWare “ThinApps(was Thinstall)” for Windows
10. Statifier (1/2)
• Statifier includes shared library into an ELF binary.
• On Normal binary
① _dl_start() of ld-linux.so
• Reallocate dynamic link libraries and map them
② _dl_start_user() of ld-linux.so
• Call initialization functions in libraries
• Statifier creates self-contained binary
– Take snapshot before _dl_start_user() and analyze relocation
information of functions of libraries from /proc/PID/maps.
– The libraries and relocation information are embedded into the
binary.
11. Statifier (2/2)
• Self-Contained Binary
– Relocation information and shared libraries are loaded by the
starter of statifier.
• Includes special libraries: linux-gate.so, ld-linux.so
– The ELF binary has no INTERP segment to call ld-linux.so
– ldd command shows no dynamic-link shared libraries
• However, Statifier makes a larger binary than static link.
12. Deduplication
• Technique to share same-content chunks at block level
(memory and storage).
• Same-content chunks are shared by indirect link.
– It is easy to implement when a virtual layer exists to access a
block device
device.
– Some virtualizations include deduplication mechanism.
13. Storage Deduplication
• Used by CAS (Content addressable Storage)
– data is not addressed by its physical location. Data is addressed by
a unique name derived from the content (a secure hash is used as
a unique name usually)
– Same contents are expressed by one original content (same hash)
and addressed by indirected link.
• Plan9 has Venti [USENIX FAST02]
• NetApp Deduplication (Data Domain) [USENIX FAST08]
• LBCAS (Loopback Content Addressable Storage) [LinuxSymp09]
Virtual Disk CAS Storage Archive
Indexing
Address SHA-1
0000000-0003FFF 4ad36ffe8… New block is
0004000-0007FFF 974daf34a… created with
0008000-000BFFF 2d34ff3e1… new SHA-1
000C000-000FFFF 974daf34a…
…
… sharing
Deduplication
14. Memory Deduplication
• Memory deduplication is mainly used for virtual machines.
• Very effective when same guest OS runs on several virtual machines.
• On Virtual Machine Monitor
– Disco[OSDI97] has Transparent Page Sharing
– VMWare ESX has Content-Based Page Sharing [SOSP02]
– Xen has Satori[USENIX09] and Differential Engine[OSDI08]
• On Kernel
– Linux has KSM (Kernel Samepage Merging)
from 2.6.32 [LinuxSymp09] Guest Physical Memory
VM1 VM2 VM(n)
• Memory of Process(es) are deduplicated
• KVM uses this mechanism
• These targets are virtual machines, but our
proposal uses memory deduplication on a
single OS image, which increase same pages
with copy of libraries (self-contained binary). Real Physical Memory
15. Evaluation
• Evaluate the effect of moving form logical sharing to
physical sharing.
– Effect of Statifier
• Applied on binaries under /bin,/sbin,/usr/bin,/usr/sbin of
Gentoo (installed on 32GB virtual disk for KVM virtual
(
machine)
– Memory Deduplication
• KSM (Kernel Samepage merging) of Linux with KVM virtual
machine (758MB).
– Storage Deduplication
• LBCAS (Loopback Content Addressable Storage)
16. Static Analysis of Statifier
• Gentoo was customized by statifier.
– The ELF (1,162) binaries under /bin (82 files), /sbin (74),
/usr/bin (912), /usr/sbin (94) were customized by statifier.
Original Statifier Increase
(Dynamic-link)
Total 87,865,480 3,572,936,704 40.66
Average 75,615 3,074,816 40.66
Max (gnome-open) 5,400 8,732,672 1617.16
Min (qmake) 3,426,340 6,094,848 1.78
• The disk image (includes non-statifiered files) was
expnaded from 3.75GB to 7.08GB (1.88 times).
17. Effect of Memory Deduplication
• Memory usage at the end of login
• Statifier expanded memory consumption from the view of
GuestOS,
• but Deduplication reduced physical memory consumption.
80000 34.4%
4KB GuestOS
View
page 70000
60000
50000 GuestOS 93.0% 45 332
View Duplicated
40000 86056
8.9% Deduplicate
22 96 17.3%
30000 48 1
44 41 29732 Unique
physical
20000 32706 30410 memory
2 9929 physical
25 291
10000 memory
0
Normal Gentoo Statifier Gentoo
18. Effect of Storage Deduplication
• Storage usage (static) and total read data at boot (dynamic) .
• Statifier expanded storage consumption from the view of
GuestOS on both cases, but Deduplication reduced physical
storage consumption in static and dynamic.
• Smaller chunk is easy to be deduplicated but time overhead is
large.
Static Dynamic (
(boot)
)
normal statifier normal statifier
On Loopback 3,754MB 7,075MB 151.7MB 341.0MB
(Guest OS View) (1.88) (2.25)
4352MB
268,454
LBCAS 16KB [278,499] --- ----
[4195MB]
(1.04)
83,863 304MB
74,679 218MB
LBCAS 64KB [5241MB] [4,866]
[4667MB] [3,481]
(1.12) (1.40)
6723MB 505MB
22,806 390MB
LBCAS 256KB [26,892] [2,019]
[5701MB] [1,560 ]
(1.18) (1.29)
19. Trace of memory consumption
Normal Gentoo Statifer Gentoo
Loopback
GuestOS View
Physical Physical
Mem View Mem View
GuestOS View
Auto Auto
login login
LBCAS (256KB)
GuestOS View
Physical
GuestOS View Mem View Physical
Mem View
Auto Auto
login login
20. Time overhead at boot
• Statifier reduced the boot time, because it eliminated
dynamic reallocation overhead.
• Deduplication increased the boot time. The overhead
of KSM and LBCAS was less than 37%.
– The overhead is a penalty to remove the vulnerabilities of
logical sharing.
Without KSM With KSM
Normal Statifier Normal Statifier
Loopback 95s 84s 95s 105s
Reduced
LBCAS 107s 108s 115s 130s
(256KB)
21. Conclusion & Discussion (1/2)
• Self-Contained binaries strengthen OS security.
– Prevent Search Path Replacement Attack, GOT (Global Offset
Table) overwrite attack, Dependency Hell
– Easy to apply on normal OS. It does not require source code
and re-compile.
– Increase consumption of memory and storage.
• Deduplication mitigates the consumption of memory and
storage caused by self-contained binary.
– Encourage moving from Logical sharing to Physical Sharing
• Deduplication is utilized to increase security on single OS.
22. Conclusion & Discussion (2/2)
• Deduplication will be mainly used on IaaS type (multi-tenants)
Cloud Computing.
• Two directions of research
• Increase code sharing
– “R t
“Return-Oriented P
O i t d Programming” style b
i ” t l becomes popular?l ?
» Tools: Return Oriented Rootkit [USENIX Security 09]
• Keep security
– Code sharing will increase a chance to attack
– Attack for deduplication will be presented in Rump Session of USENIX
Security.