This paper is a technology preview that describes a new hardware-based capability known as Intel® Virtual Machine Control Structure (Intel® VMCS) Shadowing, which will be available with 4th generation Intel® Core™ vPro™ processors, and describes the hardware-assisted security provided by XenClient and Deep Defender. Intel VMCS Shadowing can enable faster performance for multi-VMM usage models. Both Citrix and McAfee are evaluating this capability for inclusion in future product releases.
The document discusses adding Ethernet connectivity support to Android. It begins with an introduction of the speaker and their background. It then describes the existing network interfaces in Android like WiFi, Bluetooth, NFC, and cellular. It notes that Ethernet is supported at the Linux level but not integrated into the Android framework. The remainder of the document discusses modifications made to integrate Ethernet, including updating settings, connectivity manager, and other areas. It also covers workarounds tried for issues like DNS, proxy, NTP, and app connectivity over Ethernet.
The document contains technical information about software vulnerabilities and security exploits. It discusses memory corruption issues like buffer overflows, use-after-free vulnerabilities, and heap overflow attacks. It also covers injection attacks, deserialization of untrusted data, container escapes, and other common software vulnerabilities. The document emphasizes the importance of secure coding practices, threat modeling, code reviews, and security testing to identify and address vulnerabilities.
In this you will learn about:
Access Modifiers in Java / Visibility Modifiers in Java
1. Default access modifier
2. private access modifier
3. protected access modifier
4. public access modifier
With the big delays in the time it takes until an iOS jailbreak is public and stable, it is often not possible to test mobile apps in the latest iOS version. Occasionally customers might also provide builds that only work in iOS versions for which no jailbreak is available. On Android the situation is better, but there can also be problems to root certain phone models. These trends make security testing of mobile apps difficult. This talk will cover approaches to defeat common security mechanisms that must be bypassed in the absence of root/jailbreak.
The document discusses arrays in JavaScript. It defines arrays as data structures that can hold related items and notes they are dynamic. Arrays in JavaScript allow each element to be referenced by its index number starting from zero. Individual elements can be accessed using the name of the array, brackets, and the element index number. The length property allows arrays to know their size. Examples are provided for declaring, initializing, and manipulating arrays including using for loops and passing arrays to functions.
The document discusses concepts of object-oriented programming including classes, objects, encapsulation, inheritance, polymorphism, and abstraction. It defines a Shape class and subclasses like Rectangle, Circle, and Triangle. It demonstrates inheritance by having the subclasses inherit attributes and behaviors from the Shape class. It also shows polymorphism through method overriding to calculate the area for different shapes.
This document provides an overview of the Django web framework. It discusses what Django is, how to install and create a Django project and app. It also covers Django's MVT architecture, model definitions, templates, views, URLs and common tags used in templates. Key topics covered include installing Django, generating a project and app, model definitions, template usage, URL mapping and parameters, the admin interface, forms, and sessions. The document serves as a tutorial for getting started with basic Django development.
The document provides an agenda for a talk on modeling a Rubik's Cube in JavaScript. It begins with an introduction to scripting languages and ECMAScript. It then discusses modeling a Rubik's Cube by first walking through the code, then modeling the cube and finding moves to solve it. The document covers topics like scripting languages, ECMAScript, object-oriented programming concepts in JavaScript, and modeling a Rubik's Cube to be manipulated programmatically.
Java 11 is the second LTS release after Java 8. From Java 11 onwards, Oracle JDK is no longer free for commercial use.
Agenda:
~ Java 11
~ How to download Java 11 free version
~ Important changes and information.
~ Java 11 Features and Enhancements
~ Removed Features
~ Deprecated Features
~ Migration to Java 11
The document discusses authorization and implementing authorization policies. It begins by stating that authorization is an important but complex task that every application needs. It then discusses common approaches like ACLs, RBAC, IAM and their tradeoffs. The document introduces Open Policy Agent (OPA) as a general purpose policy engine that can support multiple models and decouples policy decisions from enforcement. It provides an example of how OPA could be used to implement an authorization policy for a pet database service and demos this integration.
This document discusses Java 8 features including anonymous functions, functional interfaces, lambda expressions, default and static methods, and forEach(). Anonymous functions allow defining functions without naming them. Functional interfaces specify a single abstract method that can be implemented using lambda expressions. Default and static methods allow adding new methods to interfaces without breaking existing code. The forEach() method is used to iterate over elements of a collection and can take a lambda expression.
This document provides an overview of JSP/Servlet architecture. It describes how a web request is handled from the browser to the web server and JSP/Servlet container. It then discusses key components like servlets, JSPs, the request and response objects. It provides examples of basic servlet and JSP code to output text and access request parameters. It also covers servlet configuration, mappings, and the use of forwards and redirects.
This document discusses object-oriented programming concepts related to inheritance. It defines inheritance as inheriting properties and capabilities from a base class to a derived class. Inheritance allows for code reusability, reliability, better problem-solving and supports polymorphism. There are three main types of inheritance: simple, multi-level, and multiple. Simple inheritance involves a base class deriving one or more derived classes. Multi-level inheritance occurs when a derived class serves as a base class for further derivation. Multiple inheritance involves deriving a class from more than one base class. Examples are provided to illustrate inheritance concepts.
CQRS and Event Sourcing in a Symfony application, by Samuel ROZE
The document discusses using CQRS and event sourcing in a Symfony application. It covers building the domain model to use events, storing events in a repository, using a message bus for commands and events, and creating projections from events for querying. Event handlers can trigger new commands, and projections rebuild data from events for fast reads. The approach allows an application to handle commands asynchronously through decoupled services while maintaining an immutable record of events for audit purposes.
This document provides information about Java collections framework. It discusses various collection interfaces like Collection, List, Set, Queue, Map and their implementations like ArrayList, LinkedList, HashSet, TreeSet, HashMap, TreeMap. It also covers topics like sorting collections using Comparable and Comparator interfaces, overriding equals() and hashCode() methods.
Spring Data is a high level SpringSource project whose purpose is to unify and ease the access to different kinds of persistence stores, both relational database systems and NoSQL data stores.
There are many books, articles and paper publications about Android and related applications, but only a few cover how the Android operating system works internally. In this talk we will see how Android boots up, an overview of zygote, and how the system server and package manager work. This talk will be extremely helpful in fostering understanding of Android internals among Android developers, as well as anyone else who wants a general understanding of the internal working of Android-powered devices.
This document presents an overview of object-oriented PHP. It discusses key concepts like classes, objects, inheritance, interfaces and magic methods. It provides examples of how to define classes and objects in PHP and utilize various OOP features like visibility, abstraction, static methods and autoloading. The goal is to help PHP programmers understand object-oriented programming principles and their implementation in PHP.
Android uses cgroups to monitor system memory usage via the Low Memory Killer daemon and to group processes for effective CPU sharing. Cgroups are used to create mount points for memory and CPU control groups. The LMK daemon uses cgroups to receive memory pressure events and kill processes as needed. Init.rc uses cgroups to create groups for real-time and background tasks and assign CPU shares. Android further groups processes by scheduling policy for scheduling priorities.
This document contains an agenda and slides for a presentation on Spring Boot. The presentation introduces Spring Boot, which allows developers to rapidly build production-grade Spring applications with minimal configuration. It demonstrates how to quickly create a "Hello World" application using Spring Boot and discusses some of the features it provides out-of-the-box like embedded servers and externalized configuration. The presentation also shows how to add additional functionality like Thymeleaf templates and actuator endpoints to monitor and manage applications.
Maven is a build tool that can manage a project's build process, dependencies, documentation and reporting. It uses a Project Object Model (POM) file to store build configuration and metadata. Maven has advantages over Ant like built-in functionality for common tasks, cross-project reuse, and support for conditional logic. It works by defining the project with a POM file then running goals bound to default phases like compile, test, package to build the project.
This document provides an overview of Java basics including:
- Java is an object-oriented programming language like C++.
- The basic unit in Java is the object, which contains both state in the form of variables and behavior in the form of methods.
- Classes define the structure and behavior of objects through methods and variables. The main method is required to execute a Java program.
The Collections Framework is a unified architecture for managing collections. Main parts of the Collections Framework:
1. Interfaces: core interfaces defining common functionality exhibited by collections
2. Implementations: concrete classes of the core interfaces providing data structures
3. Operations: methods that perform various operations on collections
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel..., by IJERD Editor
This document summarizes security vulnerabilities in the Xen hypervisor virtualization platform. It describes two attacks:
1) A denial of service attack where a malicious domain can pad a large file to its kernel image, consuming significant system resources during booting and preventing other domains from accessing resources.
2) An attack where an insider with dom0 privileges can use the "dump-core" command to take a memory snapshot of a target domain, allowing extraction of plaintext passwords and sensitive data from the domain's memory.
The document analyzes these issues and argues that Xen's architecture, with the dom0 control domain having elevated privileges, is the root cause of vulnerabilities. It suggests the privileges of dom0 should be reduced to
This document discusses enhancing an automation framework called vdNet Framework for testing virtual networking in VMware ESX. It first provides background on virtual networking concepts and components in VMware, including virtual switches, virtual network adapters, and network isolation. It then describes the vdNet Framework, how it is used to automate testing of virtual networking features using a master controller machine and test virtual machines. It also discusses how the framework utilizes the STAF automation framework to remotely execute tests on the system under test.
The document describes IBM's SmartCloud Desktop Infrastructure solution which provides virtual desktop solutions using Citrix XenDesktop running on IBM Flex System hardware. The solution offers robust, cost-effective, and manageable virtual desktops to increase flexibility and productivity while reducing complexity. It supports various platforms and provides tailored solutions from simple to enterprise-wide. Key benefits include simplified administration, enhanced security, improved availability, mobility, and growth support. The solution includes Flex System servers and storage, Citrix XenDesktop software, and integration services. Use cases discussed are in healthcare and education.
This document discusses various types of virtualization technologies. It begins by describing characteristics of virtualized environments such as sharing, aggregation, emulation, and isolation. It then discusses different virtualization techniques including hardware-assisted virtualization, full virtualization, paravirtualization, operating system-level virtualization, programming language-level virtualization, and application-level virtualization. For each technique, it provides examples and discusses advantages and performance implications. It also includes diagrams illustrating the virtualization reference model and taxonomy of virtualization techniques.
Learn about the IBM SmartCloud Desktop Infrastructure. The SmartCloud Desktop Infrastructure solution with VMware View running on IBM Flex System simplifies IT manageability and control. It delivers high fidelity user experiences across devices and networks. The features of VMware View that are included in the SmartCloud Desktop Infrastructure solution provide enhanced security, high availability, centralized management and control, and scalability. For more information on Pure Systems, visit http://ibm.co/18vDnp6.
Visit the official Scribd Channel of IBM India Smarter Computing at http://bit.ly/VwO86R to get access to more documents.
This document discusses different levels and approaches to virtualization including instruction set architecture level, hardware abstraction level, operating system level, library support level, and user-application level virtualization. It also covers virtualization of CPU, memory, I/O devices, and virtual clusters. Key points include hardware-assisted virtualization using features like VT-x, two-stage memory mapping using EPT, different approaches to I/O virtualization, and live VM migration involving transferring memory and synchronizing state changes.
The interest in virtualization has been growing rapidly in the IT industry because of inherent benefits like better resource utilization and ease of system manageability. The experimentation and use of virtualization, as well as the simultaneous deployment of virtual software, are increasingly popular and in use by educational institutions for research and teaching. This paper stresses the potential advantages associated with virtualization and the use of virtual machines for scenarios which cannot be easily implemented and/or studied in a traditional academic network environment, but which need to be explored and experimented with by students to meet the rising needs and knowledge base demanded by the IT industry. In this context, we discuss various aspects of virtualization: the working principle of virtual machines, the installation procedure for a virtual guest operating system on a physical host operating system, virtualization options, and a performance study measuring the throughput obtained on a network of virtual machines and physical host machines. In addition, the paper extensively evaluates the use of virtual machines and virtual networks in an academic environment and also specifically discusses sample projects on network security which may not be feasible to conduct in a physical network of personal computers, but could be conducted only using virtual machines.
The document provides an overview of server virtualization, including:
- A definition of virtualization as dividing computer resources into multiple execution environments using concepts like hardware/software partitioning and emulation.
- A brief history of virtual machines dating back to the 1960s on IBM mainframes.
- How virtualization allows consolidating multiple servers onto fewer physical servers, improving hardware utilization.
- Common virtualization platforms like VMware ESX Server, and differences between Type 1 and Type 2 hypervisors.
Virtualization is a technology that allows multiple operating systems and applications to run on a single physical machine simultaneously. It provides a layer of abstraction between the physical hardware and the applications running on top of it. The document discusses concepts of virtualization like partitioning, full virtualization, paravirtualization, and VMware's product portfolio for data center, desktop, and mobile virtualization.
Cloud Computing Hypervisors and Comparison Xen KVM, by cloudresearcher
The document discusses and compares two open source hypervisors, Xen and KVM, that can be used to manage virtual machines (VMs) on cloud computing platforms. Both hypervisors allow for virtualization of hardware and enable multiple VMs to run concurrently on the same physical machine. Xen uses a model where one privileged VM (Domain 0) manages other VMs, while KVM implements each VM as a Linux process. The document analyzes the hypervisors' approaches to security, memory management, and performance to determine their suitability for cloud environments.
Virtualization allows multiple virtual machines to run on a single physical server. This improves hardware utilization, reduces costs, and increases flexibility. There are several popular virtualization software options, including VMware, XenServer, and Microsoft Virtual Server. These software solutions allow virtual machines to access server resources through a virtualization layer, improving consolidation and management of servers. Overall, virtualization provides significant benefits for data center operations and management.
Citrix and Intel are collaborating to provide application delivery solutions that optimize productivity for end users and address challenges for IT managers through centralized management, security, and cost containment. Citrix Presentation Server and Provisioning Server offer centralized image and application delivery that execute locally on Intel devices, satisfying both IT and users. Intel vPro and Citrix solutions bring complementary capabilities to manage systems, strengthen security, and reduce costs.
This document discusses virtualization and provides information on different types of virtualization including hardware virtualization, desktop virtualization, and operating system virtualization. It describes virtual machines and how they operate based on the architecture and functions of real computers. Benefits of virtualization include conserving energy, improving ease of management, enabling testing and learning, reducing backup times, and maintaining legacy applications. Potential disadvantages include performance impacts if the server hosting virtual machines fails and demands for powerful hardware. The document also provides details about Oracle VM VirtualBox software.
Virtualization 101 presents a history of virtualization and defines key concepts. It describes how virtual machines isolate operating systems and applications from each other and the physical hardware. Benefits include ease of deployment, mobility, backup/recovery, and hardware independence. Server virtualization partitions physical servers, while desktop virtualization hosts desktops centrally. Application virtualization protects operating systems from application changes. Major virtualization vendors include Citrix, Microsoft, and VMWare.
This document discusses various virtualization technologies. It describes Ubuntu Server Edition which offers Kernel-based Virtual Machine (KVM) virtualization. It also discusses virtualization software from Altiris, Windows Server, VMware, Intel, Red Hat, Microsoft Softgrid Application, and Linux-based virtualization technologies including para-virtualization, hardware assisted virtualization, Xen, KVM, and Coopvirt.
This talk will discuss the challenges of client virtualization and introduce at a technical level XenClient XT, a security-oriented client virtualization product by Citrix. By describing XenClient XT architecture and features, it will be shown how the unique Xen's design and its support for modern x86 platform hardware can increase security and isolation among VMs.
Disaggregation of services provided by the platform will be a key of this talk. It will also be shown how third party software components can provide services to VMs in a secure and controlled way.
The document discusses several concepts related to virtualization and delivering applications/desktops. It defines key terms like hypervisor, virtual machine manager, and desktop virtualization. It then provides overviews of specific virtualization platforms:
- XenServer allows pooling and sharing of server resources across physical servers.
- vSphere is designed for organizations to virtualize entire datacenters and deliver IT as a service.
- Hyper-V exists as a standalone product or Windows role for creating virtual machines on a single physical computer.
- XenDesktop is a desktop virtualization solution that delivers Windows desktops, applications, and data from the datacenter to any device.
Virtualization: Introduction, Characteristics of Virtualized Environment, Taxonomy of Virtualization Techniques, Virtualization and Cloud computing, Pros and Cons of Virtualization, Technology Examples- VMware and Microsoft Hyper-V.
The document provides an overview of virtualization, including definitions, types of virtualization, and popular hypervisors. It discusses how virtualization addresses issues with underutilized servers in data centers by consolidating workloads. Full virtualization provides a complete hardware simulation but has challenges virtualizing certain architectures like x86. Paravirtualization modifies the guest OS, while hardware-assisted virtualization uses new CPU features to simplify virtualization. Memory, storage, network, and application virtualization are also summarized.
4th Generation Intel® Core™ vPro™ Processors with Intel® VMCS Shadowing
Enhancing the Performance of Citrix XenClient® and McAfee Deep Defender*
WHITE PAPER

Executive Summary

Responsive and secure desktop virtualization requires tight integration between the virtual machine monitor (VMM) software that is used to deploy and manage virtual machines and the underlying hardware platform. Intel and Citrix have worked closely together over the past several years to optimize Citrix XenClient® so it takes full advantage of Intel® vPro™ Technology1 to address this integration need.

New usage models are now emerging that can require two or more VMMs to be hosted on the same client system. McAfee Deep Defender* offers a prime example. This advanced security software complements the security safeguards built into XenClient, yet includes—and requires—its own VMM.

This paper is a technology preview that describes a new hardware-based capability known as Intel® Virtual Machine Control Structure (Intel® VMCS) Shadowing, which will be available with 4th generation Intel® Core™ vPro™ processors, and describes the hardware-assisted security provided by XenClient and Deep Defender. Intel VMCS Shadowing can enable faster performance for multi-VMM usage models. Both Citrix and McAfee are evaluating this capability for inclusion in future product releases.

CONTENTS
Executive Summary ... 1
Hardware-Assisted Client Security from Citrix and Intel ... 2
Adding McAfee Deep Defender for Even Stronger Security ... 3
The Performance Challenge: Software-Only VMM Nesting ... 4
The Solution: Intel® VMCS Shadowing ... 5
Conclusion ... 6
Hardware-Assisted Client Security from Citrix and Intel

Citrix XenClient® is a desktop virtualization solution designed to simplify the delivery and management of mobile client environments. Citrix offers two distinct product lines. XenClient Enterprise is built to support the needs of most large businesses. XenClient® XT provides a more targeted solution for federal government agencies and vertical security markets. Both versions support efficient delivery of personalized end-user client environments. They also enable multiple virtual desktops to be run transparently on a single client device, each with its own set of applications and its own instance of the operating system (OS).

XenClient is a bare-metal type-1 hypervisor that provides full system virtualization for x86 client devices. A bare-metal hypervisor, also known as a Type 1 hypervisor, is virtualization software that is installed directly onto the PC’s hardware and runs below the PC operating system. IT administrators can use this hypervisor to partition client software components into separate virtual machine packages. The Microsoft Windows* OS, user applications, corporate applications, personalized data, and end-user profiles can all be deployed and managed separately, which helps to reduce network bandwidth and improve serviceability and security (Figure 1).

XenClient supports client security in a variety of ways. A feature known as Citrix Xen hypervisor domain disaggregation isolates I/O traffic from the guest operating system into separate service virtual machines, which helps to protect against various kinds of low-level malware attacks. XenClient also takes advantage of Intel® vPro™ Technology to deliver a number of advanced security capabilities.

Intel vPro Technology is a set of technologies included in select Intel® processors and chipsets. In addition to providing a better foundation for client security, many of these technologies also help to accelerate performance and enhance client management and virtualization. A few of the capabilities provided by Intel vPro Technology include:

- Intel® Trusted Execution Technology2 (Intel® TXT) measures the boot environment to establish a hardware-assisted dynamic root-of-trust. Intel TXT can be used so that each client system can only boot into a “known good state,” which prevents boot-level and firmware-rooted malware.
- Intel® Virtualization Technology3 (Intel® VT-x) provides hardware assists in Intel processors to help improve application performance and to enable the operating system to be completely isolated from the underlying hardware of the client device. It also provides hardware assistance for locking and wiping virtual machines.
Figure 1. Citrix XenClient® supports flexible desktop virtualization to help IT organizations deliver a managed and secure computing experience to diverse individuals using a wide range of client devices. (Diagram: the Xen hypervisor and XenClient® Engine run on Intel® vPro™ Technology (Intel® TXT, Intel® VT-x, Intel® VT-d); the XenClient Parent Domain hosts a Windows* VM in which the operating system, corporate apps, user apps, data, and user profile are separate layers, managed by the XenClient® Synchronizer.)
2
4TH GENERATION INTEL®
CORE™ VPRO™ PROCESSORS WITH INTEL®
VMCS SHADOWING
- Intel® Virtualization Technology for Directed I/O (Intel® VT-d) helps to improve I/O efficiency in virtualized environments. It also enables stronger, hardware-assisted isolation of network, keyboard, disk, and I/O traffic, which helps to protect against a number of attack strategies, such as illegitimate key logging, screen capturing, and covert network channels.

XenClient XT takes advantage of Intel vPro Technology, Intel VT-x, Intel VT-d, and Intel TXT to:
- … platform hardware, including processors, memory, and I/O resources.
- … networks and storage systems.
- … —ware, firmware, and OS loader—to ensure the client system is not tampered with prior to or during launch.
(Figure 2 diagram: the Deep Defender* Engine and Deep Defender Early Launch Driver run inside the Windows* VM above the Windows kernel; the DeepSAFE* Micro-Hypervisor provides Active Protection beneath them and reports to a McAfee ePro Server*; the stack runs on Intel® vPro™ Technology (Intel® TXT, Intel® VT-x, Intel® VT-d); the true guest exits to the guest VMM and is resumed by it (VM exit / VM resume).)
Adding McAfee Deep Defender Technology for Enhanced Security

McAfee Deep Defender provides additional hardware-assisted security capabilities that can be used to supplement and strengthen the safeguards that are built into XenClient and into other, more traditional, security applications. McAfee Deep Defender resides between platform memory and the OS and provides real-time, kernel-level monitoring. It is designed to detect, block, and remediate advanced, hidden attacks, such as kernel-mode rootkits, stealth attacks, and zero-day malware.

McAfee Deep Defender provides this advanced protection using a form of system virtualization, which is furnished by a lightweight hypervisor, or Virtual Machine Monitor (VMM), known as McAfee DeepSAFE* technology (Figure 2). McAfee DeepSAFE technology can be thought of as a kind of micro-hypervisor.

Like XenClient, McAfee Deep Defender takes advantage of Intel vPro Technology and Intel VT-x to provide enhanced, hardware-assisted security and virtualization. However, unlike XenClient, McAfee DeepSAFE technology does not provide full system and I/O virtualization. Instead, it uses hardware-assisted virtualization to monitor and control memory and processor operations, which provides the foundational layer for McAfee Deep Defender security functions.

Figure 2. McAfee Deep Defender* uses a kind of micro-hypervisor, called McAfee DeepSAFE* technology, to enable advanced, kernel-level monitoring. It helps to protect against advanced, hidden attacks, such as kernel-mode rootkits, stealth attacks, and zero-day malware.
Together, XenClient and McAfee Deep Defender provide a breadth and depth of security that neither can provide alone. However, running these products together requires installing two VMMs on each client system: the XenClient type-1 hypervisor and the McAfee DeepSAFE technology micro-hypervisor. Both these VMMs require access to the underlying hardware and to the capabilities provided by Intel vPro Technology.

XenClient supports the hosting of two VMMs on a single platform through a feature called VMM nesting. Nesting allows a root VMM to support an Intel VT enabled guest VMM. The XenClient hypervisor functions as the root VMM and provides managed access to key hardware features for the McAfee DeepSAFE technology hypervisor, which functions as the nested VMM. Although this software-based nesting solution provides the necessary functionality for running XenClient and McAfee Deep Defender together on the same hardware platform, it introduces latencies that can degrade virtual machine performance and potentially impair the end-user experience.

The Performance Challenge: Software-Only VMM Nesting

To understand the performance challenges of software-based VMM nesting, it helps to understand how Intel VT can improve virtualization performance in a typical, single-VMM scenario. The VMM manages hardware resources and allocates them as needed to the various VMs running on the platform. Whenever a VM encounters a “privileged” software instruction that impacts shared resources, it hands over control to the VMM to perform the instruction. This helps to ensure there are no conflicts between the guest VMs. The process of transferring control from the guest VM to the VMM is known as a VM exit.

Once the privileged instruction is completed, the VMM hands control back to the guest VM, so the application in the VM can continue to run. This is known as a VM entrance. Intel VT helps to accelerate VM exits and entrances by providing a high-speed, hardware-based memory structure called a Virtual Machine Control Structure (VMCS). The VMCS holds the processor register states of the guest and the host. By providing low-latency access to this information, the VMCS enables VM exits and entrances to be performed very quickly.
Figure 3. Software-based VMM nesting allows two VMMs to run on the same physical system, but this approach can result in significant performance penalties. (Diagram: timeline of true guest, guest VMM and root VMM; on each VM exit, the guest VMM’s reads and writes to its virtual VMCS are expensive trips to the root VMM before the VM resume.)

Figure 4. With Intel® VMCS Shadowing, two VMMs can be hosted on the same physical system, without the performance penalties of software-only nested solutions. (Diagram: the same timeline, with the guest VMM’s reads and writes going to the shadow VMCS in the Intel VT-x hardware between the VM exit and the VM resume.)
When VMM nesting is used, one VMM resides above another on a virtualized platform (Figure 3). The root VMM controls the physical VMCS, and the guest VMM is provided with a software-based “virtual VMCS.” Although this approach allows multiple VMMs to operate simultaneously, it can also incur significant performance penalties, because the nested VMM requires access to the root VMM any time a read/write operation is performed (and also for read and write synchronizations between the physical VMCS and the virtual VMCS). Intel findings show that even a well optimized VMM can have up to 12 reads and 6 writes for every VM exit.4

The Solution: Intel® VMCS Shadowing

4th generation Intel Core vPro processors include a capability called Intel VMCS Shadowing that greatly reduces the frequency with which the guest VMM must access the root VMM in a nested environment. With Intel VMCS Shadowing, the root VMM is able to define a shadow VMCS in hardware. A guest VMM can access this shadow VMCS directly, without interrupting the root VMM. This capability can significantly reduce the number of VM entrances and exits. And since the shadow VMCS is implemented in hardware, required accesses can be completed nearly as fast as in a non-nested environment (Figure 4).

Regardless of whether nesting is done using the software-only approach or with Intel VMCS Shadowing, there is additional processing overhead created each time the virtual or shadow VMCS is synchronized with the physical VMCS that is used by the root VMM. When the software-only approach is used, the root VMM knows exactly what needs to be synchronized since it was directly involved in every access. It can therefore perform the synchronization efficiently. However, if Intel VMCS Shadowing is used, the root VMM has no idea which of the more than 130 VMCS fields were accessed, since it was not involved in those accesses. The root VMM must therefore synchronize every field that could have possibly been accessed, even though most of the fields are never touched (Figure 5).

Results from Intel Labs profiling across a wide variety of VMMs show that approximately 90 percent of VMCS fields are never read and more than 95 percent are never written. As a result, for most VMMs, a full VMCS synchronization can take approximately 15 times longer than necessary.4

Figure 5. Without specialized hardware support, nearly all 130 plus fields of the physical VMCS and the shadow VMCS must be synchronized, which can result in excessive overhead and slower overall performance of the virtual environment.
(Figure 5 diagram: the physical VMCS and the shadow VMCS, with every field synchronized by the root VMM; legend: field synchronized by root, field read by guest, field written by guest. The guest VMM’s reads and writes go to the shadow VMCS in the Intel VT-x hardware, while the root VMM synchronizes the full VMCS.)
To reduce this synchronization overhead, Intel incorporated an
additional feature into Intel VMCS Shadowing called VMREAD
and VMWRITE bitmaps. These bitmaps allow for selective access
to the shadow VMCS. The root VMM can tune the bitmaps so that
the 5-10 percent of VMCS fields that are commonly accessed
are written directly to the shadow VMCS, while the very rarely
accessed fields are synchronized through the slower path that is
managed by the root VMM (Figure 6).
By using the VMREAD/VMWRITE bitmaps, the root VMM gets the
best of both worlds. Nearly all of the accesses go directly to the
fast shadow VMCS and very few extraneous fields need to be
synchronized. As a result, Intel VMCS Shadowing enables near-
native performance for two VMMs running simultaneously on the
same hardware platform.
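The two passages above (the synchronization cost of a root VMM that cannot see shadow accesses, and the VMREAD/VMWRITE bitmaps that let it trap only the cold fields) can be made concrete with a small model. The following C program is an added example, not code from this paper, from Intel, or from Citrix or McAfee. It assumes the bitmap layout and polarity as described in the Intel SDM (one bit per VMCS field encoding, selected by encoding bits 14:0; a set bit makes VMREAD/VMWRITE exit to the root VMM, a clear bit lets the hardware serve the access from the shadow VMCS). Six of the field encodings used are real architectural values; the remaining entries of the 130-field table are constructed placeholders, and the guest-VMM access trace is constructed for the example. It replays the same trace under three root-VMM policies: trap every access (equivalent to the software-only approach), shadow every access with no bitmaps, and tuned bitmaps that shadow only a hot set.

```c
/* Added example (not the paper's or any vendor's code): a model of the
 * VMREAD/VMWRITE bitmap decision and of the VMCS synchronization left to
 * the root VMM. Bit polarity follows the Intel SDM (SET = exit, CLEAR =
 * shadow); placeholder field encodings and the access trace are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BITMAP_BYTES 4096          /* each bitmap is one 4-KByte page */
#define VMCS_FIELD_COUNT 130       /* "more than 130" fields, per the paper */
#define VMCS_GUEST_RIP 0x681E      /* real architectural encodings (Intel SDM) */
#define VMCS_GUEST_RSP 0x681C
#define VMCS_EXIT_REASON 0x4402
#define VMCS_EXIT_QUAL 0x6400
#define VMCS_CPU_BASED_CTLS 0x4002
#define VMCS_HOST_RIP 0x6C16
enum path { PATH_SHADOW, PATH_VMEXIT };
enum policy { POLICY_TRAP_ALL, POLICY_SHADOW_ALL, POLICY_TUNED };
struct bitmaps { uint8_t vmread[BITMAP_BYTES]; uint8_t vmwrite[BITMAP_BYTES]; };
struct access { bool is_write; uint16_t enc; };
struct result { unsigned vmexits, shadow_accesses, fields_to_sync; };
static const uint16_t HOT[] = { VMCS_GUEST_RIP, VMCS_GUEST_RSP, VMCS_EXIT_REASON,
                                VMCS_EXIT_QUAL, VMCS_CPU_BASED_CTLS, VMCS_HOST_RIP };
#define NHOT (sizeof HOT / sizeof HOT[0])
static uint16_t g_fields[VMCS_FIELD_COUNT];   /* the field universe */

static void fields_init(void) {
    size_t i = 0; for (; i < NHOT; i++) g_fields[i] = HOT[i];
    for (uint16_t k = 0; i < VMCS_FIELD_COUNT; i++, k++)
        g_fields[i] = (uint16_t)(0x7000 + 2 * k);   /* placeholder: bit 12 set, never a real field */
}
static int field_index(uint16_t enc) {
    for (int i = 0; i < VMCS_FIELD_COUNT; i++) if (g_fields[i] == enc) return i; return -1;
}
static bool bit_test(const uint8_t *bm, uint16_t enc) { enc &= 0x7FFF; return (bm[enc / 8] >> (enc % 8)) & 1u; }
static void bit_clear(uint8_t *bm, uint16_t enc) { enc &= 0x7FFF; bm[enc / 8] &= (uint8_t)~(1u << (enc % 8)); }

/* What the hardware does with a guest VMREAD / VMWRITE of field 'enc'. */
enum path vmread_path(const struct bitmaps *b, uint16_t enc) { return bit_test(b->vmread, enc) ? PATH_VMEXIT : PATH_SHADOW; }
enum path vmwrite_path(const struct bitmaps *b, uint16_t enc) { return bit_test(b->vmwrite, enc) ? PATH_VMEXIT : PATH_SHADOW; }

/* Root VMM policy: trap every field, trap none, or trap all but the hot set. */
void bitmaps_configure(struct bitmaps *b, enum policy p) {
    memset(b, (p == POLICY_SHADOW_ALL) ? 0x00 : 0xFF, sizeof *b);
    if (p == POLICY_TUNED)
        for (size_t i = 0; i < NHOT; i++) { bit_clear(b->vmread, HOT[i]); bit_clear(b->vmwrite, HOT[i]); }
}

/* Replay a trace: count VM exits, shadow hits, and the fields the root VMM must copy into the
 * physical VMCS next time. Trapped writes are known exactly; every shadow-writable field must
 * be copied, because the root VMM never saw those writes. */
struct result simulate(const struct bitmaps *b, const struct access *trace, size_t n) {
    struct result r = { 0, 0, 0 };
    bool dirty[VMCS_FIELD_COUNT] = { false };
    for (size_t i = 0; i < n; i++) {
        enum path p = trace[i].is_write ? vmwrite_path(b, trace[i].enc) : vmread_path(b, trace[i].enc);
        if (p == PATH_SHADOW) { r.shadow_accesses++; continue; }
        r.vmexits++;
        int idx = field_index(trace[i].enc);
        if (trace[i].is_write && idx >= 0) dirty[idx] = true;
    }
    for (int i = 0; i < VMCS_FIELD_COUNT; i++)
        if (dirty[i] || !bit_test(b->vmwrite, g_fields[i])) r.fields_to_sync++;
    return r;
}

/* Constructed trace: 18 accesses to the six hot fields, 2 to cold placeholder fields. */
struct result run_policy(enum policy p) {
    fields_init();
    const struct { bool w; uint16_t enc; unsigned times; } spec[] = {
        { false, VMCS_EXIT_REASON, 4 }, { false, VMCS_EXIT_QUAL, 4 },
        { false, VMCS_GUEST_RIP, 3 }, { true, VMCS_GUEST_RIP, 3 },
        { true, VMCS_GUEST_RSP, 2 }, { true, VMCS_CPU_BASED_CTLS, 1 },
        { false, VMCS_HOST_RIP, 1 }, { true, g_fields[6], 1 }, { false, g_fields[7], 1 },
    };
    struct access trace[32]; size_t n = 0;
    for (size_t s = 0; s < sizeof spec / sizeof spec[0]; s++)
        for (unsigned t = 0; t < spec[s].times; t++)
            trace[n++] = (struct access){ spec[s].w, spec[s].enc };
    static struct bitmaps b;                  /* 8 KiB, kept off the stack */
    bitmaps_configure(&b, p);
    return simulate(&b, trace, n);
}

int main(void) {
    const char *name[] = { "trap all (software-only)", "shadow all (no bitmaps)", "tuned bitmaps" };
    for (int p = 0; p < 3; p++) {
        struct result r = run_policy((enum policy)p);
        printf("%-25s exits=%2u shadow=%2u fields_to_sync=%3u\n", name[p], r.vmexits, r.shadow_accesses, r.fields_to_sync);
    }
    return 0;
}
```

On this trace the trap-all policy costs 20 VM exits but lets the root VMM synchronize exactly the 4 fields that were written; shadowing everything costs no exits but forces a copy of all 130 fields; the tuned bitmaps cost 2 exits and a copy of 7 fields, which is the "best of both worlds" the text describes. A root VMM that applies this in practice also has to keep the bitmaps consistent with whatever fields its guest VMM is allowed to touch, since any field left shadow-writable is one it can no longer audit individually.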
With the help of Intel VMCS Shadowing, Citrix XenClient and
McAfee Deep Defender can be hosted on the same PC, while
greatly reducing any potential impact on the user experience.
Other multi-VMM usage models can also be accommodated
(Figure 7).
Conclusion
As the value and popularity of client virtualization continues to
increase, new usage models are emerging that can require two
VMMs to run simultaneously on the same physical system. A prime
example is McAfee Deep Defender, which runs on top of its own
micro-hypervisor to provide advanced, kernel-based monitoring
that helps to protect against sophisticated new threats, such as
kernel-mode rootkits, stealth attacks, and zero-day malware.
PCs powered by 4th generation Intel Core vPro processors include
Intel VMCS Shadowing, which provides hardware assistance for
this and other multi-VMM usage models. Both Citrix and McAfee
are evaluating this capability for inclusion in future product releases.
With this support, customers would have the ability to use Citrix
XenClient and McAfee Deep Defender together to enable a more
secure client environment, while maintaining fast, responsive client
performance. They will also have the flexibility to support additional
multi-VMM usage models as they emerge.
Figure 6. VMREAD/VMWRITE Bitmaps greatly reduce synchronization overhead, while accelerating overall performance by allowing the guest VMM to directly access
the shadow VMCS for the majority of fields.
[Figure 6 diagram: with VMREAD/VMWRITE bitmaps, the guest VMM reads and writes the shadow VMCS directly in Intel VT-x hardware for the majority of fields; only the few fields marked in the bitmaps cause a VM exit to the root VMM, which synchronizes them with the physical VMCS over time. Legend: field synchronized by root, field read by guest, field written by guest.]
Figure 7. Working together, Citrix XenClient®, McAfee Deep Defender*, and 4th generation Intel® vPro™ Technology (with Intel® VMCS Shadowing) provide strong, deep security protection—without significantly impairing client performance.
About the Authors:
Ahmed Sallam is VP of Product Strategy/CTO of Client Virtualization at Citrix
Systems where he drives technology innovation and product strategy for
emerging client virtualization, management, and security solutions. He works
closely with software and hardware ecosystem partners as they adopt and
integrate new capabilities into Citrix’s open, extensible virtualization platforms.
Prior to Citrix, Ahmed was CTO of Advanced Technology and Chief Architect at
McAfee, which is now part of Intel Corporation. Ahmed was a co-inventor and
architect of Intel/McAfee DeepSAFE and a co-designer of VMware’s VMM CPU
security technology known as VMsafe. Prior to McAfee, Ahmed was a Senior
Architect with Nokia’s security division and a Principal Engineer at Symantec.
Ahmed is a renowned expert across the industry for pioneering new models in
computer system security that help to provide proactive, preventive, predictive
and highly-assured safe computing environments to computer networks and
devices. Ahmed holds 18 issued patents and has more than 40 published and
pending patent applications. He earned a bachelor’s degree in Computer Science
and Automatic Control from the University of Alexandria.
Greg Boitano is a Senior Product Marketing Engineer with Intel Corporation
where he’s been part of Intel’s Business Client Platform Division for the past
several years. Greg has an extensive background working with end customers,
ISVs and IT solution providers. Greg is currently responsible for Intel Business
Client desktop virtualization marketing. Prior to joining Intel, Greg spent several
years in the Telecom industry working with enterprise customers both as a sales
manager and an engineering manager. He earned a Bachelor’s Degree in
Marketing from Western Washington University, and holds an MBA from the
University of Oregon.
Ron Talwalkar is a Senior Director of Product Management DeepSAFE at McAfee
Labs. In this role, he owns the platform roadmap for DeepSAFE, providing
hardware-enhanced capabilities supporting enterprise and consumer security
products. Ron has been at McAfee for over eight years working in a variety of
roles, from Development Manager to Director of Engineering, and now Product
Management. Prior to McAfee, he worked at Intel for 12 years as a Senior
Engineering Manager across many organizations, the last of which was the Intel
Software Solution Group. Ron holds both bachelor’s and master’s degrees in
Computer Science, as well as a master’s degree in engineering management
from the Oregon Graduate Institute.
[Figure 7 diagram: a Windows* VM (user profile data, user apps, corporate apps, operating system, Windows kernel with the Deep Defender* engine and Deep Defender early launch driver, malware active protection) running above the DeepSAFE* micro-hypervisor, which in turn runs above the XenClient® engine / Xen hypervisor with the XenClient Parent Domain, XenClient® Synchronizer and McAfee ePro Server*; the shadow VMCS sits between the two VMMs; the platform layer is Intel® vPro™ Technology with Intel® TXT, Intel® VT-x and Intel® VT-d. Labels: managed and secured compute experience, active protection.]