OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making Progress within the Auto Industry and Beyond - Lars Kurth, Citrix Systems UK Ltd.
This document summarizes a discussion around enabling functional safety certification for the Xen open source hypervisor project. Key points discussed include:
- Establishing a split development model with open and closed parts to balance community needs and safety requirements.
- Developing reference implementations and stacks supported by multiple vendors to demonstrate safety certification feasibility.
- Creating plans and processes around requirements, documentation, verification testing, and tooling integration to begin filling gaps for certification.
- Addressing challenges around funding, resources, expertise, and maintaining contributions to ensure any initial work is sustainable long-term.
- Taking an iterative, agile approach to make early progress while further securing necessary funding and support from interested parties.
OSSA17 - Live patch, VMI, Security Mgmt (50 mins, no embedded demos)The Linux Foundation
The talk covers several technologies and best practices to managing Security Vulnerabilities, which are told as interconnected stories.
We will cover how the largest clouds in production came together through the Xen Project to develop an industry leading open source security process to manage software vulnerabilities effectively, how those vendors collaborated to stop cloud reboots through Live Patching and how security and CPU vendors collaborated to protect against 0-day vulnerabilities and advanced persistent threats using hardware assisted virtual machine introspection. Finally, we will also provide information how you can use tools such as CVE Details to assess how secure an open source technology is relative to another, such that you don't have to rely solely on security stories from the technology press.
The talk will cover how these technologies work, the limitations and challenges which still remain and how they are used in practice using examples of Xen Project based products and installations. We will also cover how these technologies impact software vulnerability management processes and system administrators.
Hypervisors were once seen as purely cloud and server technologies, but have slowly seeped into the embedded space providing extra layers of security. This discussion will showcase how companies from security vendors to automotive are using open source hypervisors (particularly Xen Project) to secure embedded systems, what challenges they face and how they have overcome it. We will also explore what this might mean to IoT at large and how to get started in securing your embedded system with a hypervisor-first approach.
Hypervisors were once seen as purely cloud and server technologies, but have slowly seeped into the embedded space providing extra layers of security. This discussion will showcase how companies from security vendors to automotive are using open source hypervisors (particularly Xen Project) to secure embedded systems, what challenges they face and how they have overcome it. We will also explore what this might mean to IoT at large and how to get started in securing your embedded system with a hypervisor-first approach.
The topic will cover content such as: * Why virtualisation in embedded * Hypervisor architectures on ARM and a quick roundup of examples * Relevant security technologies * Specific requirements for embedded systems * Example usage of FOSS based hypervisors in embedded * Challenges such as safety certification and how this may be approached
XDF18: Heterogeneous Real-Time SoC Software Architecture - Stefano Stabellini...The Linux Foundation
Hypervisors are key to enable mixed-criticality systems: a critical workload, typically with real-time requirements, running alongside a larger operating system, such as Linux. The interrupt latency needs to be deterministic, and the boot time of the critical function only a fraction of a second. Hypervisors are also the enabling technology to securely deploy new customers apps at runtime, without affecting system safety.
This presentation will give an overview of hypervisor technologies for Xilinx platforms. It will introduce the most recent developments of the Xen hypervisor, including the "null" scheduler and dom0less, and it will explain how to make use of the new features to best configure Xen for embedded environments.
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...The Linux Foundation
In this keynote talk, we will give an overview of the state of the Xen Project, trends that impact the project, see whether challenges that surfaced last year have been addressed and how we did it, and highlight new challenges and solutions for the coming year.
In recent years unikernels have shown immense performance potential (e.g., boot times of only a few ms, image sizes of only hundreds of KBs).The fundamental drawback of unikernels is that they require that applications be manually ported to the underlying minimalistic OS, needing both expert work and often considerable amount of time.
The Unikraft project provides a unikernel code base and build system that significantly simplifies the building of unikernels. In addition to support for a number CPU architectures, languages and frameworks, Unikraft provides debugging and tracing features that are generally sorely missing from unikernel projects. In this talk we will talk about these features, show a set of preliminary performance numbers, and provide a roadmap for the project's future.
Scale17x: Thinking outside of the conceived tech comfort zoneThe Linux Foundation
The Xen Project is used by more than 10 million users, powers some of the largest clouds on the planet, and is starting to build momentum in embedded and safety-conscious market segments. It is also nearly 16 years old.
The Xen Project’s success and longevity can be attributed to its flexible architecture, but more importantly to enabling community members to contribute ideas and code, even if they are not core to the project's main use-case. This has brought Xen far beyond server virtualization.
Lars will share how the project has supported new technologies and ideas, which may include some really interesting things you might not know about Xen (especially around defense applications), and will derive best practices that may help other projects.
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...The Linux Foundation
Artem will briefly cover what has been done since the first talk on Xen in Automotive domain back in 2013, what is going on now and what is still missing for broad adaptation of Xen in vehicles. The following topics will be covered:
Embedded/automotive features of Xen
Collaboration with AGL and GENIVI organizations for standardization
Efforts on Functional Safety compliance
Artem will also go over typical automotive use scenarios for Xen which may not be the same as generic computing use of hypervisor.
OSSA17 - Live patch, VMI, Security Mgmt (50 mins, no embedded demos)The Linux Foundation
The talk covers several technologies and best practices to managing Security Vulnerabilities, which are told as interconnected stories.
We will cover how the largest clouds in production came together through the Xen Project to develop an industry leading open source security process to manage software vulnerabilities effectively, how those vendors collaborated to stop cloud reboots through Live Patching and how security and CPU vendors collaborated to protect against 0-day vulnerabilities and advanced persistent threats using hardware assisted virtual machine introspection. Finally, we will also provide information how you can use tools such as CVE Details to assess how secure an open source technology is relative to another, such that you don't have to rely solely on security stories from the technology press.
The talk will cover how these technologies work, the limitations and challenges which still remain and how they are used in practice using examples of Xen Project based products and installations. We will also cover how these technologies impact software vulnerability management processes and system administrators.
Hypervisors were once seen as purely cloud and server technologies, but have slowly seeped into the embedded space providing extra layers of security. This discussion will showcase how companies from security vendors to automotive are using open source hypervisors (particularly Xen Project) to secure embedded systems, what challenges they face and how they have overcome it. We will also explore what this might mean to IoT at large and how to get started in securing your embedded system with a hypervisor-first approach.
Hypervisors were once seen as purely cloud and server technologies, but have slowly seeped into the embedded space providing extra layers of security. This discussion will showcase how companies from security vendors to automotive are using open source hypervisors (particularly Xen Project) to secure embedded systems, what challenges they face and how they have overcome it. We will also explore what this might mean to IoT at large and how to get started in securing your embedded system with a hypervisor-first approach.
The topic will cover content such as: * Why virtualisation in embedded * Hypervisor architectures on ARM and a quick roundup of examples * Relevant security technologies * Specific requirements for embedded systems * Example usage of FOSS based hypervisors in embedded * Challenges such as safety certification and how this may be approached
XDF18: Heterogeneous Real-Time SoC Software Architecture - Stefano Stabellini...The Linux Foundation
Hypervisors are key to enable mixed-criticality systems: a critical workload, typically with real-time requirements, running alongside a larger operating system, such as Linux. The interrupt latency needs to be deterministic, and the boot time of the critical function only a fraction of a second. Hypervisors are also the enabling technology to securely deploy new customers apps at runtime, without affecting system safety.
This presentation will give an overview of hypervisor technologies for Xilinx platforms. It will introduce the most recent developments of the Xen hypervisor, including the "null" scheduler and dom0less, and it will explain how to make use of the new features to best configure Xen for embedded environments.
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...The Linux Foundation
In this keynote talk, we will give an overview of the state of the Xen Project, trends that impact the project, see whether challenges that surfaced last year have been addressed and how we did it, and highlight new challenges and solutions for the coming year.
In recent years unikernels have shown immense performance potential (e.g., boot times of only a few ms, image sizes of only hundreds of KBs).The fundamental drawback of unikernels is that they require that applications be manually ported to the underlying minimalistic OS, needing both expert work and often considerable amount of time.
The Unikraft project provides a unikernel code base and build system that significantly simplifies the building of unikernels. In addition to support for a number CPU architectures, languages and frameworks, Unikraft provides debugging and tracing features that are generally sorely missing from unikernel projects. In this talk we will talk about these features, show a set of preliminary performance numbers, and provide a roadmap for the project's future.
Scale17x: Thinking outside of the conceived tech comfort zoneThe Linux Foundation
The Xen Project is used by more than 10 million users, powers some of the largest clouds on the planet, and is starting to build momentum in embedded and safety-conscious market segments. It is also nearly 16 years old.
The Xen Project’s success and longevity can be attributed to its flexible architecture, but more importantly to enabling community members to contribute ideas and code, even if they are not core to the project's main use-case. This has brought Xen far beyond server virtualization.
Lars will share how the project has supported new technologies and ideas, which may include some really interesting things you might not know about Xen (especially around defense applications), and will derive best practices that may help other projects.
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...The Linux Foundation
Artem will briefly cover what has been done since the first talk on Xen in Automotive domain back in 2013, what is going on now and what is still missing for broad adaptation of Xen in vehicles. The following topics will be covered:
Embedded/automotive features of Xen
Collaboration with AGL and GENIVI organizations for standardization
Efforts on Functional Safety compliance
Artem will also go over typical automotive use scenarios for Xen which may not be the same as generic computing use of hypervisor.
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...The Linux Foundation
High level toolstacks for server and cloud virtualization are very mature with large communities using and supporting them. Client virtualization is a much more niche community with unique requirements when compared to those found in the server space. In this talk, we’ll introduce a client virtualization toolstack for Xen (redctl) that we are using in Redfield, a new open-source client virtualization distribution that builds upon the work done by the greater virtualization and Linux communities. We will present a case for maturing libxl’s Go bindings and discuss what advantages Go has to offer for high level toolstacks, including in the server space.
Platform Security Summit 18: Xen Security Weather Report 2018The Linux Foundation
The Xen Project is unique in its breadth of adoption and diverse contributions. Many vendors in the ecosystem are not directly competing, enabling collaboration which otherwise would not be possible. While hypervisors were once seen as purely cloud and server technologies, they are now used in many market segments to add compartmentalization and layers of security. This has led to renewed focus on older technologies, such as L4Re/seL4 and new technologies such as zircon, ACRN and others.
Meanwhile, the Xen Project has been trailblazing in adopting virtualization in new market segments and continues to innovate and set the direction for the industry. This has enabled downstream Xen developers to build viable businesses and products in areas such as security and embedded. This talk will cover Xen feature changes that are driven by security needs, and the challenges of safety certification within the context of open source projects and Xen Project in particular.
Many projects start out with the intention of staying single license FOSS projects. As your project grows, reality hits: some components or files may need to use different licenses than originally anticipated. There are many reasons why this can happen: you may need to interface with projects of another license, you may want to import code from other projects or your developers may not understand the subtleties of the licenses in use. Besides the obvious challenges of managing mixed license FOSS projects, such as license compatibility and tracking what licenses you use, you are running the risk of exposing your project to unintended consequences.
This talk will explore unintended consequences, risks and best practices using some examples from the recent history of the Xen Project. In particular we will cover:
Refactoring can lead to licensing changes: best practices and unintended consequences when importing code from elsewhere.
Making code archeology easy from a licensing perspective and why it is important.
A worked example of a license change of a key component: process, pain points, their causes and how they could have been avoided
The perils of LGPL/GPL vX (or Later): the unintended consequences of not providing pre-defined copyright headers in your source base
We will conclude with a summary of lessons and best practices from both the Xen Project and a quick overview of how usage of SPDX and other tools may help you.
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...The Linux Foundation
This presentation covers a real-world case study of Bitdefender Hypervisor Introspection (HVI) that is based on Xen Project software. On April 14th, The Shadow Brokers released the Eternalblue exploit toolkit, which exploited an SMBv1 vulnerability across a wide range of Windows operating systems. The exploit was most famously used as a propagation mechanism for the WannaCryransomware. HVI prevented exploitation attempts with no prior knowledge of the exploit or underlying vulnerability. This talk will cover the exploit mechanism, how HVI detects its actions, and illustrate some of the advantages of HVI built through open source collaboration. Audience members will takeaway a better understanding of this type of exploit and how something like hypervisor introspection and security through a hypervisor approach can help companies avoid these types of new exploits.
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...The Linux Foundation
Safety certification is one of the essential requirements for software to be used in highly regulated industries. Besides technical and compliance issues (such as ISO 26262 vs IEC 611508) transitioning an existing project to become more easily safety certifiable requires significant changes to development practices within an open source project.
In this session, we will lay out some challenges of making safety certification achievable in open source and the Xen Project. We will outline the process the Xen Project has followed thus far and highlight lessons learned along the way. The talk will primarily focus on necessary process, tooling changes and community challenges that can prevent progress. We will be offering an in-depth review of how Xen Project is approaching this challenging goal and try to derive lessons for other projects and contributors.
XPDDS19: Using Xen to Enable an Open Source Safety Certifiable Automotive Gra...The Linux Foundation
The members of the Automotive Grade Linux (AGL) project have been developing the Unified Code Base (UCB) distribution for automotive use since 2015. Initially the focus was on In-Vehicle Infotainment systems, but lately the project has turned towards instrument cluster, telematics, heads-up display, and other safety critical systems that require ISO 26262 ASIL-B certification. Car and truck manufacturers are looking for AGL to provide a solution that makes use of AGL in a way that meets the demands of ISO 26262 and is readily available to a broad community. Walt takes a look at what has been done on the AGL community to prepare for this and looks to how AGL can work with the Xen project to make this a reality.
OSSEU18: From Handcraft to Unikraft: Simpler Unikernelization of Your Applica...The Linux Foundation
Unikernels have produced impressive performance, including fast instantiation times, tiny memory footprints, and high consolidation, plus potentially a reduced attack surface and easier certification. Their main drawback is that they require applications to be manually ported to the underlying minimal OS; this means both expert work and considerable amount of time.
In this talk we present Unikraft, an incubator project under the auspices of the Xen Project and the Linux Foundation aimed at automating the process of building customized images tailored to specific applications and thus significantly reducing development time. Unikraft decomposes the OS into elementary pieces (e.g., schedulers, memory allocators, drivers, etc.) that users can pick and choose from. It then builds images tailored to the needs of specific applications as well as the target platform (e.g., KVM, Xen) and architecture (e.g., ARM or x86).
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, CitrixThe Linux Foundation
2018 saw fundamental shifts in security boundaries which were previously taken for granted. A lot of work has been done in the past 2 years, and largely in secret under embargo, but there is plenty more work to be done to strengthen the existing mitigations and to try to recover some performance without reopening security holes.
This talk will look at speculative execution sidechannels, the work which has already been done to mitigate the security holes, and future work which hopes to bring some improvements.
In this talk, we will give an overview of the state of the Xen Project, trends that impact the project, see whether challenges that surfaced last year have been addressed and how we did it, and highlight new challenges and solutions for the coming year.
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...The Linux Foundation
TrenchBoot is a cross-community OSS integration project for hardware-rooted, late launch integrity of open and proprietary systems. It provides a general purpose, open-source DRTM kernel for measured system launch and attestation of device integrity to trust-centric access infrastructure. TrenchBoot closes the UEFI Measurement Gap and reduces the need to trust system firmware. This talk will introduce TrenchBoot architecture and a recent collaboration with Oracle to launch the Linux kernel directly with Intel TXT or AMD SVM Secure Launch. It will propose mechanisms for integrating the Xen hypervisor into a TrenchBoot system launch. DRTM-enabled capabilities for client, server and embedded platforms will be presented for consideration by the Xen community.
XPDDS19: Xen API Archaeology: Creating a Full-Featured VMI Debugger for the...The Linux Foundation
Despite the popularity of the Xen hypervisor, there are very few tools capable of performing virtual machine introspection (VMI) on Xen guests — not even a full-featured debugger! This is in large part because Xen's VMI APIs are obscure and poorly documented; even among Xen developers, there are very few people who know how to use them. This has serious consequences for projects targeting Xen, as the lack of tooling makes it difficult to verify the correctness and security of software running on Xen. In this presentation, Spencer will introduce and explain Xen's VMI APIs in detail, with the goal of providing all the information necessary to construct fully-featured Xen VMI API clients and analysis tools. In doing so, he will share the hands-on experience he gained while developing his recently-released tool Xendbg, a feature-complete reference implementation of a modern Xen VMI debugger.
The presentation will cover Xen Automotive. We will elaborate technical solutions for the identified gaps:
1. ARM architecture - support HW virtualization extensions for embedded systems
2. Stability requirements
3. RT Scheduler
4. Rich virtualized peripheral support (WiFi, Gfx, MM, USB, etc.)
5. Performance benchmarking
6. Security
XPDDS18: Unikraft: An easy way of crafting Unikernels on Arm - Kaly Xin, ARMThe Linux Foundation
Unikernels have good performance and a very tiny footprint. But the process of converting an application to a Unikernel requires expert porting work and a considerable amount of time.
Wei will introduce a new Unikernel development model – Unikraft. Unikraft aims to free Unikernels from the fundamental drawback of manual porting costs. Since Unikraft was announced, Wei has been actively working with the community to get involved in this project. In this presentation Wei intends to share some knowledge of Unikraft, including:
1) The concept and architecture of Unikraft,
2) The tool stack and config menu,
3) Features available on Arm,
4) Upcoming features on Arm.
Wei also will run a demo on an Arm server showing:
1) Conversion of an application to Unikernel,
2) Configuration of this Unikernel through a menu system,
3) The converted Unikernel running!
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, CitrixThe Linux Foundation
Hypervisors were once seen as purely cloud and server technologies, but have slowly seeped into the embedded space providing extra layers of security. This discussion will showcase how companies from security vendors to automotive are using open source hypervisors (particularly Xen Project) to secure embedded systems, what challenges they face and how they have overcome it. We will also explore what this might mean to IoT at large and how to get started in securing your embedded system with a hypervisor-first approach.
LCC17 - Live Patching, Virtual Machine Introspection and Vulnerability Manag...The Linux Foundation
There are three interconnected stories of how the largest clouds in production came together through the Xen Project to develop an industry leading open source security process to manage software vulnerabilities effectively, how those vendors collaborated to stop cloud reboots through Live Patching and how security and CPU vendors collaborated to protect against 0-day vulnerabilities and advanced persistent threats using hardware assisted virtual machine introspection. The talk will cover the impact these technologies have on sys admins and in general.
The development world has come to realize that the way we build applications opens the door to hackers.
We are starting to realize that it is the code itself that is enabling the attacks. It’s the responsibility of the
development team to build software that is inherently impervious to attack. Catching and dealing with
security defects earlier in the development lifecycle is much more economical than dealing with them once
the applications have been deployed.
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...The Linux Foundation
High level toolstacks for server and cloud virtualization are very mature with large communities using and supporting them. Client virtualization is a much more niche community with unique requirements when compared to those found in the server space. In this talk, we’ll introduce a client virtualization toolstack for Xen (redctl) that we are using in Redfield, a new open-source client virtualization distribution that builds upon the work done by the greater virtualization and Linux communities. We will present a case for maturing libxl’s Go bindings and discuss what advantages Go has to offer for high level toolstacks, including in the server space.
Platform Security Summit 18: Xen Security Weather Report 2018The Linux Foundation
The Xen Project is unique in its breadth of adoption and diverse contributions. Many vendors in the ecosystem are not directly competing, enabling collaboration which otherwise would not be possible. While hypervisors were once seen as purely cloud and server technologies, they are now used in many market segments to add compartmentalization and layers of security. This has led to renewed focus on older technologies, such as L4Re/seL4 and new technologies such as zircon, ACRN and others.
Meanwhile, the Xen Project has been trailblazing in adopting virtualization in new market segments and continues to innovate and set the direction for the industry. This has enabled downstream Xen developers to build viable businesses and products in areas such as security and embedded. This talk will cover Xen feature changes that are driven by security needs, and the challenges of safety certification within the context of open source projects and Xen Project in particular.
Many projects start out with the intention of staying single license FOSS projects. As your project grows, reality hits: some components or files may need to use different licenses than originally anticipated. There are many reasons why this can happen: you may need to interface with projects of another license, you may want to import code from other projects or your developers may not understand the subtleties of the licenses in use. Besides the obvious challenges of managing mixed license FOSS projects, such as license compatibility and tracking what licenses you use, you are running the risk of exposing your project to unintended consequences.
This talk will explore unintended consequences, risks and best practices using some examples from the recent history of the Xen Project. In particular we will cover:
Refactoring can lead to licensing changes: best practices and unintended consequences when importing code from elsewhere.
Making code archeology easy from a licensing perspective and why it is important.
A worked example of a license change of a key component: process, pain points, their causes and how they could have been avoided
The perils of LGPL/GPL vX (or Later): the unintended consequences of not providing pre-defined copyright headers in your source base
We will conclude with a summary of lessons and best practices from both the Xen Project and a quick overview of how usage of SPDX and other tools may help you.
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...The Linux Foundation
This presentation covers a real-world case study of Bitdefender Hypervisor Introspection (HVI) that is based on Xen Project software. On April 14th, The Shadow Brokers released the Eternalblue exploit toolkit, which exploited an SMBv1 vulnerability across a wide range of Windows operating systems. The exploit was most famously used as a propagation mechanism for the WannaCryransomware. HVI prevented exploitation attempts with no prior knowledge of the exploit or underlying vulnerability. This talk will cover the exploit mechanism, how HVI detects its actions, and illustrate some of the advantages of HVI built through open source collaboration. Audience members will takeaway a better understanding of this type of exploit and how something like hypervisor introspection and security through a hypervisor approach can help companies avoid these types of new exploits.
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...The Linux Foundation
Safety certification is one of the essential requirements for software to be used in highly regulated industries. Besides technical and compliance issues (such as ISO 26262 vs IEC 611508) transitioning an existing project to become more easily safety certifiable requires significant changes to development practices within an open source project.
In this session, we will lay out some challenges of making safety certification achievable in open source and the Xen Project. We will outline the process the Xen Project has followed thus far and highlight lessons learned along the way. The talk will primarily focus on necessary process, tooling changes and community challenges that can prevent progress. We will be offering an in-depth review of how Xen Project is approaching this challenging goal and try to derive lessons for other projects and contributors.
XPDDS19: Using Xen to Enable an Open Source Safety Certifiable Automotive Gra...The Linux Foundation
The members of the Automotive Grade Linux (AGL) project have been developing the Unified Code Base (UCB) distribution for automotive use since 2015. Initially the focus was on In-Vehicle Infotainment systems, but lately the project has turned towards instrument cluster, telematics, heads-up display, and other safety critical systems that require ISO 26262 ASIL-B certification. Car and truck manufacturers are looking for AGL to provide a solution that makes use of AGL in a way that meets the demands of ISO 26262 and is readily available to a broad community. Walt takes a look at what has been done on the AGL community to prepare for this and looks to how AGL can work with the Xen project to make this a reality.
OSSEU18: From Handcraft to Unikraft: Simpler Unikernelization of Your Applica...The Linux Foundation
Unikernels have produced impressive performance, including fast instantiation times, tiny memory footprints, and high consolidation, plus potentially a reduced attack surface and easier certification. Their main drawback is that they require applications to be manually ported to the underlying minimal OS; this means both expert work and considerable amount of time.
In this talk we present Unikraft, an incubator project under the auspices of the Xen Project and the Linux Foundation aimed at automating the process of building customized images tailored to specific applications and thus significantly reducing development time. Unikraft decomposes the OS into elementary pieces (e.g., schedulers, memory allocators, drivers, etc.) that users can pick and choose from. It then builds images tailored to the needs of specific applications as well as the target platform (e.g., KVM, Xen) and architecture (e.g., ARM or x86).
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, CitrixThe Linux Foundation
2018 saw fundamental shifts in security boundaries which were previously taken for granted. A lot of work has been done in the past 2 years, and largely in secret under embargo, but there is plenty more work to be done to strengthen the existing mitigations and to try to recover some performance without reopening security holes.
This talk will look at speculative execution sidechannels, the work which has already been done to mitigate the security holes, and future work which hopes to bring some improvements.
In this talk, we will give an overview of the state of the Xen Project, trends that impact the project, see whether challenges that surfaced last year have been addressed and how we did it, and highlight new challenges and solutions for the coming year.
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...The Linux Foundation
TrenchBoot is a cross-community OSS integration project for hardware-rooted, late launch integrity of open and proprietary systems. It provides a general purpose, open-source DRTM kernel for measured system launch and attestation of device integrity to trust-centric access infrastructure. TrenchBoot closes the UEFI Measurement Gap and reduces the need to trust system firmware. This talk will introduce TrenchBoot architecture and a recent collaboration with Oracle to launch the Linux kernel directly with Intel TXT or AMD SVM Secure Launch. It will propose mechanisms for integrating the Xen hypervisor into a TrenchBoot system launch. DRTM-enabled capabilities for client, server and embedded platforms will be presented for consideration by the Xen community.
XPDDS19: Xen API Archaeology: Creating a Full-Featured VMI Debugger for the...The Linux Foundation
Despite the popularity of the Xen hypervisor, there are very few tools capable of performing virtual machine introspection (VMI) on Xen guests — not even a full-featured debugger! This is in large part because Xen's VMI APIs are obscure and poorly documented; even among Xen developers, there are very few people who know how to use them. This has serious consequences for projects targeting Xen, as the lack of tooling makes it difficult to verify the correctness and security of software running on Xen. In this presentation, Spencer will introduce and explain Xen's VMI APIs in detail, with the goal of providing all the information necessary to construct fully-featured Xen VMI API clients and analysis tools. In doing so, he will share the hands-on experience he gained while developing his recently-released tool Xendbg, a feature-complete reference implementation of a modern Xen VMI debugger.
The presentation will cover Xen Automotive. We will elaborate technical solutions for the identified gaps:
1. ARM architecture - support HW virtualization extensions for embedded systems
2. Stability requirements
3. RT Scheduler
4. Rich virtualized peripheral support (WiFi, Gfx, MM, USB, etc.)
5. Performance benchmarking
6. Security
XPDDS18: Unikraft: An easy way of crafting Unikernels on Arm - Kaly Xin, ARMThe Linux Foundation
Unikernels have good performance and a very tiny footprint. But the process of converting an application to a Unikernel requires expert porting work and a considerable amount of time.
Wei will introduce a new Unikernel development model – Unikraft. Unikraft aims to free Unikernels from the fundamental drawback of manual porting costs. Since Unikraft was announced, Wei has been actively working with the community to get involved in this project. In this presentation Wei intends to share some knowledge of Unikraft, including:
1) The concept and architecture of Unikraft,
2) The tool stack and config menu,
3) Features available on Arm,
4) Upcoming features on Arm.
Wei also will run a demo on an Arm server showing:
1) Conversion of an application to Unikernel,
2) Configuration of this Unikernel through a menu system,
3) The converted Unikernel running!
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, CitrixThe Linux Foundation
Hypervisors were once seen as purely cloud and server technologies, but have slowly seeped into the embedded space providing extra layers of security. This discussion will showcase how companies from security vendors to automotive are using open source hypervisors (particularly Xen Project) to secure embedded systems, what challenges they face and how they have overcome it. We will also explore what this might mean to IoT at large and how to get started in securing your embedded system with a hypervisor-first approach.
LCC17 - Live Patching, Virtual Machine Introspection and Vulnerability Manag...The Linux Foundation
There are three interconnected stories of how the largest clouds in production came together through the Xen Project to develop an industry leading open source security process to manage software vulnerabilities effectively, how those vendors collaborated to stop cloud reboots through Live Patching and how security and CPU vendors collaborated to protect against 0-day vulnerabilities and advanced persistent threats using hardware assisted virtual machine introspection. The talk will cover the impact these technologies have on sys admins and in general.
Similar to OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making Progress within the Auto Industry and Beyond - Lars Kurth, Citrix Systems UK Ltd.
The development world has come to realize that the way we build applications opens the door to hackers.
We are starting to realize that it is the code itself that is enabling the attacks. It’s the responsibility of the
development team to build software that is inherently impervious to attack. Catching and dealing with
security defects earlier in the development lifecycle is much more economical than dealing with them once
the applications have been deployed.
Agile and continuous delivery – How IBM Watson Workspace is builtVincent Burckhardt
Journey and transformations that we have been taking at IBM to implement Cloud Native application. Covers culture, architecture and pipeline changes. This presentation was given at IBM Connect 2017 in San Francisco in Feb 2017.
As public and private cloud adoption skyrockets, the number of attacks against cloud infrastructure is also increasing dramatically. Now more than ever, it is crucial to secure your cloud assets and data against advanced threats.
We’ll dig into what it means to be successful in the cloud and what successful organizations do more of (and less of) than their less successful peers. We’ll look across technologies adopted, organizational and operational practices, and vendors embraced.
Recorded webinar: https://youtu.be/Og1-xcc7JNs
Our presentation from the DevOps CTO Masterclass
Businesses can drive many benefits from adopting DevOps – from streamlining timely tasks, to improving the stability of development and deployment. But you can only secure these through implementing the right strategy. Only that exercise can inspire your dev team towards success.
Open-DO: Towards a Lean Approach for Certification (Cyrille Comar)AdaCore
In this series of talks, our panel of experts present real world examples that illustrate how Lean Production concepts are being successfully applied to software development. In particular to applications that have to meet the highest levels of safety and security.
This talk was geared around the concept of showing developers what goes into getting enterprise products out the door. Unit testing, release process, continuous integration, security, social engineering, bug bashes.
Migrating to Cloud: Inhouse Hadoop to Databricks (3)Knoldus Inc.
Modernize your Enterprise Data Lake to Serverless Data Lake, where data, workloads, and orchestrations can be automatically migrated to the cloud-native infrastructure.
Protecting Agile Transformation through Secure DevOps (DevSecOps)Eryk Budi Pratama
Respresenting Cyber Defense Community (cdef.id) to present and share my view on Secure DevOps / DevSecOps. Through this presentation, I shared several insights about:
1. How to balance the risk and controls in the "great shift left" paradigm (agile)
2. DevOps activities
3. How to seamlessly integrate security into DevOps
4. How to "shift left" the security"
5. Get started with Secure DevOps / DevSecOps
6. Case Study about DevSecOps implementation
For further discussion, especially how to secure digital and agile transformation in your organization, don't hesitate to contact me :)
AppSec How-To: Achieving Security in DevOpsCheckmarx
How do you integrate security within a Continuous Deployment (CD) environment, where every 5 minutes a feature, an enhancement, or a bug fix needs to be released? Find out in this Checkmarx How-To Paper.
Similar to OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making Progress within the Auto Industry and Beyond - Lars Kurth, Citrix Systems UK Ltd. (20)
Static partitioning is used to split an embedded system into multiple domains, each of them having access only to a portion of the hardware on the SoC. It is key to enable mixed-criticality scenarios, where a critical application, often based on a small RTOS, runs alongside a larger non-critical app, typically based on Linux. The two domains cannot interfere with each other.
This talk will explain how to use Xen for static partitioning. It will introduce dom0-less, a new Xen feature written for the purpose. Dom0-less allows multiple VMs to start at boot time directly from the Xen hypervisor, decreasing boot times drastically. It makes it very easy to partition the system without virtualization overhead. Dom0 becomes unnecessary.
This presentation will go into details on how to setup a Xen dom0-less system. It will show configuration examples and explain device assignment. The talk will discuss its implications for latency-sensitive and safety-critical environments.
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...The Linux Foundation
The idea of making Xen secret-free has been floating since Spectre and Meltdown came into light. In this talk we will discuss what is being done and what needs to be done next.
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxThe Linux Foundation
This talk will introduce Dom0-less: a new way of using Xen to build mixed-criticality solutions. Dom0-less is a Xen feature that adds a novel approach to static partitioning based on virtualization. It allows multiple domains to start at boot time directly from the Xen hypervisor, decreasing boot times dramatically. Xen userspace tools, such as xl and libvirt, become optional.
Dom0-less extends the existing device tree based Xen boot protocol to cover information required by additional domains. Binaries, such as kernels and ramdisks, are loaded by the bootloader (u-boot) and advertised to Xen via new device tree bindings.
The audience will learn how to use Dom0-less to partition the system. Uboot and device tree configuration details will be explained to enable the audience to get the most out of this feature. The talk will include a status update and details on future plans.
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...The Linux Foundation
As the number of contributions grow, reviewer bandwidth becomes a bottleneck; and maintainers are always asking for more help. However, ultimately maintainers must at least Ack every patch that goes in; so if you're not a maintainer, how can you contribute? Why should anyone care about your opinion?
This talk will try to lay out some advice and guidelines for non-maintainers, for how they can do code review in a way which will effectively reduce the load on maintainers when they do come to review a patch.
This talk is a follow-up to our Summit 2017 presentation in which we covered our plans for Intel VMFUNC and #VE, as well as related use-cases. This year, we will provide a report on what we have accomplished in Xen 4.12, and what remains to be addressed. We will also give a brief status update of VMI on AMD hardware. The session will end with some real-world numbers of the Hypervisor Introspection solution running on Citrix Hypervisor 8.0 with #VE enabled.
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltdThe Linux Foundation
The Arm architecture provides a set of guidelines that any software should abide by when accessing the memory with MMU off and update page-tables. Failing to do so may result in getting TLB conflicts or breaking coherency.
In a previous talk ("Keeping coherency on Arm"), we focused on updating safely the stage-2 (aka P2M) page-tables. This talk will focus on the boot code and Xen memory management.
During this session, we will introduce some of the guidelines and when they should be used. We will also discuss how Xen boot sequence needs to be reworked to avoid breaking the guidelines.
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...The Linux Foundation
For many years the QEMU codebase has contained PV backends for Xen guests, giving them paravirtual access to storage, network, keyboard, mouse, etc. however these backends have not been configurable as QEMU devices as their implementation did not fully adhere to the QEMU Object Model (QOM).
Particularly the PV storage backend not using proper QOM devices, or qdevs, meant that the QEMU block layer needed to maintain legacy code that was cluttering up the source. This was causing push-back from the maintainers who did not want to accept any patches relating to that Xen backend until it was 'qdevified'.
In this talk, I'll explain the modifications I made to QEMU to achieve 'qdevification' of the PV storage backend, how compatibility with the libxl toolstack was maintained, and what the next steps in both QEMU and libxl development should be.
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&DThe Linux Foundation
PCI is a local computer bus for attaching hardware devices in a computer, and is the main peripheral bus on modern x86 systems. As such, having a proper way to emulate it is crucial for Xen to be able to expose both fully emulated devices or passthrough devices to guests.
This talk will focus on the current status of PCI emulation in Xen, how and where it is used, what are its main limitations and future plans to improve it in order to be more robust and modular.
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsThe Linux Foundation
Volodymyr will speak about TEE mediators. This is a new feature in Xen which allows multiple virtual machines to interact with Trusted Execution Environment available on platform. He developed mediator for one of TEEs, namely OP-TEE.
He will give background information on why TEE is needed at all and share some implementation details.
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...The Linux Foundation
Xen is a very powerful hypervisor with a talented and diverse developers community. Despite the fact it's almost everywhere (from the Cloud to the embedded world), it can be difficult to set up and manage as a system administrator. General purpose distros have Xen packages, but that's just a start in your Xen journey: you need some tooling and knowledge to have a working and scalable platform.
XCP-ng was built to overcome those issues: by bringing Xen to the masses with a fully turnkey distro with Xen as its core. It's the logical sequel to the XCP project, with a community focus from the start. We'll see how it happened, what we did, and what's next. Finally, we'll see the impact of XCP-ng on the Xen Project.
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...The Linux Foundation
Doug has long advocated for more CI/CD (Continuous Integration / Continuous Delivery) processes to be adopted by the Xen Project from the use of Travis CI and now GitLab CI. This talk aims to propose ideas for building upon the existing process and transforming the development process to provide users a higher quality with each release by the Xen Project.
Today Xen is scheduling guest virtual cpus on all available physical cpus independently from each other. Recent security issues on modern processors (e.g. L1TF) require to turn off hyperthreading for best security in order to avoid leaking information from one hyperthread to the other. One way to avoid having to turn off hyperthreading is to only ever schedule virtual cpus of the same guest on one physical core at the same time. This is called core scheduling.
This presentation shows results from the effort to implement core scheduling in the Xen hypervisor. The basic modifications in Xen are presented and performance numbers with core scheduling active are shown.
XPDDS19: Implementing AMD MxGPU - Jonathan Farrell, Assured Information SecurityThe Linux Foundation
The use of Virtual GPUs (vGPUs) has widely grown in server farms to give Virtual Machines (VMs) dedicated graphics. Software rendering with virtual CPUs can only take us so far and even with Intel-GVT, which uses integrated graphics, there isn't enough power to do the fun stuff. In this presentation, Jon Farrell will be talking about the process of implementing AMD MxGPU on Xen, challenges that he encountered while doing it, and discussing performance metrics of bare metal and vGPU VM on popular benchmarks like 3D Mark* and The Witcher 3. To wrap up his presentation, Jon will share his thoughts about future research and where this technology can take us.
XPDDS19: Support of PV Devices in Nested Xen - Jürgen Groß, SUSEThe Linux Foundation
Current support of nested virtualization with Xen is limited to fully emulated devices for the L1 hypervisor (L0 hypervisor being the one running on the physical machine). For being able to let L2 dom0 make use of L1 PV devices several new interfaces are needed.
In this design session I'll present my ideas how to add support of PV devices for L2 dom0. There are several possibilities how to do the work which I'd like to discuss.
XPDDS19: Application Agnostic High Availability Solution On Hypervisor Level ...The Linux Foundation
In today's public and private cloud markets, availability is a very important metric for all cloud service providers. COLO is an ideal Application-agnostic Solution for Non-stop service in the cloud. Our solution can protect user service even from physical network or power interruption. And the the switching process is difficult for users to perceive (TCP connection will not be terminated). Under COLO mode, both primary VM (PVM) and secondary VM (SVM) are running parallel. The COLO has more than ten times performance increase compared with previous solution (like Remus). Current COLO codes has been merged in QEMU community, we can use COLO in upstream without any other addition patches. In this talk, we will talk about the COLO implementation in QEMU and Xen, the new designed COLO-Proxy, discussing on problems we've met while developing COLO. and report the latest progress from Intel.
XPDSS19: Live-Updating Xen - Amit Shah & David Woodhouse, AmazonThe Linux Foundation
Xen currently has two major mechanisms to maintain security while hosting untrusted VMs without causing disruption to those guests: live patching, and live migration. We introduce a third method: live updating Xen. A live-update operation involves loading of the newly-staged hypervisor into RAM, the currently-running Xen serializing its state, and then transferring control to the newly-staged Xen, all without disrupting running instances, beyond a little downtime when neither hypervisor is running guest vCPUs.
We present a proposal on the design of such a feature, and invite comments and feedback.
XPDDS19: Secure Unikraft Applications with Solo5 - Haibo Xu, ARMThe Linux Foundation
As the number of contributions grow, reviewer bandwidth becomes a bottleneck; and maintainers are always asking for more help. However, ultimately maintainers must at least Ack every patch that goes in; so if you're not a maintainer, how can you contribute? Why should anyone care about your opinion?
This talk will try to lay out some advice and guidelines for non-maintainers, for how they can do code review in a way which will effectively reduce the load on maintainers when they do come to review a patch.
XPDDS19: The Xen-Blanket for 2019 - Christopher Clark and Kelli Little, Star ...The Linux Foundation
The Open Source Xen-Blanket software was developed by researchers at IBM and Cornell University, as extensions to the Xen hypervisor and its PV drivers, to enable seamless use of Xen PV drivers in guest VMs of nested Xen deployments. It was presented at the EuroSys 2012 conference, with a paper that has been widely cited since, and deployed in Cornell's SuperCloud.
Xen-Blanket has never been presented to the Xen Community and the software left unmaintained. However, recent work by Star Lab has modernized its implementation, aiming to encourage its adoption and incorporation into the Xen Project software.
This session will introduce the Xen-Blanket, describing its motivation and features; present the structure of the implementation in the hypervisor and device drivers; outline an example architecture for its deployment; and summarize its current state and plans within the Xen Project.
XPDSS19: Improve the Reliability and Efficiency of Late Microcode Update - Ch...The Linux Foundation
Microcode update is used to correct errata by loading an Intel-supplied data block (so-called microcode) into the processor. Especially, late microcode update (aka, load microcode to processors at run-time) avoids system reboot which is necessary in early microcode update and greatly reduces system downtime. But, current late microcode update on Xen may fail in some cases as microcode becomes more complex in order to fix some sophisticated security issues. Chao will introduce his work to improve reliability and efficiency of microcode update.
Unikraft allows developers to build unikernels targeted at specific applications easily.
Since Unikraft was announced, Arm has been actively involved to enable it on arm64 kvm platform.
In this presentation I intend to share:
1) Features status on arm64, kvm platform(merged and under review)
2) Scalability: multi-thread, SMP support
3) Todo list
I will also show some demos on Arm64 among them:
1) 2 veth NIC tx/rx using virtio-mmio bus
2) a lightweight web server
What Exactly Is The Common Rail Direct Injection System & How Does It WorkMotor Cars International
Learn about Common Rail Direct Injection (CRDi) - the revolutionary technology that has made diesel engines more efficient. Explore its workings, advantages like enhanced fuel efficiency and increased power output, along with drawbacks such as complexity and higher initial cost. Compare CRDi with traditional diesel engines and discover why it's the preferred choice for modern engines.
"Trans Failsafe Prog" on your BMW X5 indicates potential transmission issues requiring immediate action. This safety feature activates in response to abnormalities like low fluid levels, leaks, faulty sensors, electrical or mechanical failures, and overheating.
What Does the Active Steering Malfunction Warning Mean for Your BMWTanner Motors
Discover the reasons why your BMW’s Active Steering malfunction warning might come on. From electrical glitches to mechanical failures and software anomalies, addressing these promptly with professional inspection and maintenance ensures continued safety and performance on the road, maintaining the integrity of your driving experience.
Things to remember while upgrading the brakes of your carjennifermiller8137
Upgrading the brakes of your car? Keep these things in mind before doing so. Additionally, start using an OBD 2 GPS tracker so that you never miss a vehicle maintenance appointment. On top of this, a car GPS tracker will also let you master good driving habits that will let you increase the operational life of your car’s brakes.
Symptoms like intermittent starting and key recognition errors signal potential problems with your Mercedes’ EIS. Use diagnostic steps like error code checks and spare key tests. Professional diagnosis and solutions like EIS replacement ensure safe driving. Consult a qualified technician for accurate diagnosis and repair.
In this presentation, we have discussed a very important feature of BMW X5 cars… the Comfort Access. Things that can significantly limit its functionality. And things that you can try to restore the functionality of such a convenient feature of your vehicle.
5 Warning Signs Your BMW's Intelligent Battery Sensor Needs AttentionBertini's German Motors
IBS monitors and manages your BMW’s battery performance. If it malfunctions, you will have to deal with an array of electrical issues in your vehicle. Recognize warning signs like dimming headlights, frequent battery replacements, and electrical malfunctions to address potential IBS issues promptly.
𝘼𝙣𝙩𝙞𝙦𝙪𝙚 𝙋𝙡𝙖𝙨𝙩𝙞𝙘 𝙏𝙧𝙖𝙙𝙚𝙧𝙨 𝙞𝙨 𝙫𝙚𝙧𝙮 𝙛𝙖𝙢𝙤𝙪𝙨 𝙛𝙤𝙧 𝙢𝙖𝙣𝙪𝙛𝙖𝙘𝙩𝙪𝙧𝙞𝙣𝙜 𝙩𝙝𝙚𝙞𝙧 𝙥𝙧𝙤𝙙𝙪𝙘𝙩𝙨. 𝙒𝙚 𝙝𝙖𝙫𝙚 𝙖𝙡𝙡 𝙩𝙝𝙚 𝙥𝙡𝙖𝙨𝙩𝙞𝙘 𝙜𝙧𝙖𝙣𝙪𝙡𝙚𝙨 𝙪𝙨𝙚𝙙 𝙞𝙣 𝙖𝙪𝙩𝙤𝙢𝙤𝙩𝙞𝙫𝙚 𝙖𝙣𝙙 𝙖𝙪𝙩𝙤 𝙥𝙖𝙧𝙩𝙨 𝙖𝙣𝙙 𝙖𝙡𝙡 𝙩𝙝𝙚 𝙛𝙖𝙢𝙤𝙪𝙨 𝙘𝙤𝙢𝙥𝙖𝙣𝙞𝙚𝙨 𝙗𝙪𝙮 𝙩𝙝𝙚 𝙜𝙧𝙖𝙣𝙪𝙡𝙚𝙨 𝙛𝙧𝙤𝙢 𝙪𝙨.
Over the 10 years, we have gained a strong foothold in the market due to our range's high quality, competitive prices, and time-lined delivery schedules.
What Does the PARKTRONIC Inoperative, See Owner's Manual Message Mean for You...Autohaus Service and Sales
Learn what "PARKTRONIC Inoperative, See Owner's Manual" means for your Mercedes-Benz. This message indicates a malfunction in the parking assistance system, potentially due to sensor issues or electrical faults. Prompt attention is crucial to ensure safety and functionality. Follow steps outlined for diagnosis and repair in the owner's manual.
Why Is Your BMW X3 Hood Not Responding To Release CommandsDart Auto
Experiencing difficulty opening your BMW X3's hood? This guide explores potential issues like mechanical obstruction, hood release mechanism failure, electrical problems, and emergency release malfunctions. Troubleshooting tips include basic checks, clearing obstructions, applying pressure, and using the emergency release.
Comprehensive program for Agricultural Finance, the Automotive Sector, and Empowerment . We will define the full scope and provide a detailed two-week plan for identifying strategic partners in each area within Limpopo, including target areas.:
1. Agricultural : Supporting Primary and Secondary Agriculture
• Scope: Provide support solutions to enhance agricultural productivity and sustainability.
• Target Areas: Polokwane, Tzaneen, Thohoyandou, Makhado, and Giyani.
2. Automotive Sector: Partnerships with Mechanics and Panel Beater Shops
• Scope: Develop collaborations with automotive service providers to improve service quality and business operations.
• Target Areas: Polokwane, Lephalale, Mokopane, Phalaborwa, and Bela-Bela.
3. Empowerment : Focusing on Women Empowerment
• Scope: Provide business support support and training to women-owned businesses, promoting economic inclusion.
• Target Areas: Polokwane, Thohoyandou, Musina, Burgersfort, and Louis Trichardt.
We will also prioritize Industrial Economic Zone areas and their priorities.
Sign up on https://profilesmes.online/welcome/
To be eligible:
1. You must have a registered business and operate in Limpopo
2. Generate revenue
3. Sectors : Agriculture ( primary and secondary) and Automative
Women and Youth are encouraged to apply even if you don't fall in those sectors.
Core technology of Hyundai Motor Group's EV platform 'E-GMP'Hyundai Motor Group
What’s the force behind Hyundai Motor Group's EV performance and quality?
Maximized driving performance and quick charging time through high-density battery pack and fast charging technology and applicable to various vehicle types!
Discover more about Hyundai Motor Group’s EV platform ‘E-GMP’!
Core technology of Hyundai Motor Group's EV platform 'E-GMP'
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making Progress within the Auto Industry and Beyond - Lars Kurth, Citrix Systems UK Ltd.
2. Why Virtualize Embedded Systems
Hardware consolidation, Portability, Flexibility, Cost
Xen and Embedded: A short History
Multiple vendors targeting embedded and safety Use-Cases
Production usage in non-safety and very few in a safety context
The impact on the Xen Project
Functionally a good platform for mixed-criticality workloads
Reference stacks including Xen for automotive
Safety certification needs to be resolved for wider adoption
Safety Certification: A few highlights from our journey
Will cover community aspects in more detail here
static.sched.com/hosted_files/ossalsjp19/45/XenFusa-Overview-converted.pdf
3.
4. Community Challenges
Funding
Yes, but there are many barriers
Requires major changes to the software
Requires good engineering practices and documentation?
Requires tools, infrastructure and expertise
Requires changes in how FOSS projects work
Until recently: assumption was that the two worlds cannot work together
5. The product requirements are defined
Demonstrate that these are correctly implemented by
architecture, unit design, code
–Reviews
–Requirements traceability
–Testing, including measurement of code coverage
–Safety manual and analyses
The requirements, architecture, unit design, code, testing
comply to the best practices defined in the safety standards
6. The development process complies with ISO / IEC
–With tailoring: everyone tailors
Safety case: Demonstrates that the process was followed
–Change management (everything is version controlled)
–Process documentation and other standards (reqs, designs, …)
–Project Infrastructure / automation
The more you tailor, the higher the risk that the safety case
does not pass and the higher the upfront cost
–Tailoring = funding a specialist consultancy
7. Demonstrates that the everything has been done correctly
OR argue that what you have done is as good as what the
standard requires
Performed by an assessor: need to be confident that
Verification will pass, before attempting it
Can only be done if assessors are actively involved in the
process or your developers are experienced in FuSa
8. You must expect:
–Major re-work of the codebase, including interfaces, modularity,
reduction of complexity, …
– Scale depends on target safety integrity/assurance level
– And your starting point
–Addition of missing artefacts: specifications, testing, etc.
–To define your development process and extend/modify where there
are gaps
–Enforce the development process
9.
10. Established developers don’t have a safety background
Could be fixed by training: neither desirable, scalable or indeed necessary
What you need: Sufficient awareness of concepts and terminology
Bringing in new people / developers with relevant expertise
Standards are typically proprietary and complex
MISRA C Standard: licensed to a user @ approx. USD 15
Other standards are more expensive > USD 1000
Significant scope for different interpretations and tailoring
It is absolutely essential that the project has access to specialist expertise
11. You need a support infrastructure with experts at hand
Ideally safety certification assessors who can advise key community members
how to resolve certain situations ➜ needs to be funded
Needs to be done such that the meritocratic community model is not broken
What if?
You had developers and companies with FuSa and OSS expertise?
And also with knowledge of the codebase?
We have this in the Xen Project: multiple consultancies (SMEs)
BUT: needs to be funded
13. 1
2
4
1 Not at at all, or outside
Not a huge effort to retrofit
Valuable for developers & users
Does not change often for a Hypervisor
2
Frequently as good or better
than proprietary. Process discipline
4
A subset of this usually exists, but
typically tests code, not
requirements/specifications.
That’s the most expensive part to
address.
3
3
Not at all. Difficult to maintain
manually. Should not change that
often
14. 1
2
1 Not at at all, or outside
Not a huge effort to retrofit
Valuable for developers & users
Does not change often for a Hypervisor
2
Frequently as good or better
than proprietary
3
3
Not at all. Difficult to maintain
manually. Should not change that
often
15. Compilers, linkers, etc.
Need to be certified – typically proprietary
Such tools would need to be integrated into a CI gate
In essence this means buying licenses and/or partnering with vendors
Coding standard compliance
Compliance checking tools for MISRA C Standard – typically proprietary
There are some FOSS tools, which check subsets of the standard
Again: needs CI integration and licenses and/or partnering with vendors
Traceability
Proof that tests satisfy requirements (and vice versa)
Linkage between requirements and specifications (and vice versa)
Commercial software is expensive and does not fit into an open source workflow
Only 1 active project which does some of what is needed: Doorstop project
16. Required by most safety standards
Misra C is a de-facto standard
10 Mandatory, 111 Required and 38 Advisory rules
Required rules depend on certification level: can be deviated from
Community Challenges
Proprietary spec and tooling
Coding guidelines and checking (e.g. via CI)
How to avoid unnecessary discussion, while recognizing valid concerns
How to deal with changes with high code churn
(e.g. past supported releases and backporting of security fixes)
17. Fast growing FOSS projects are user adoption driven
The extra cost of safety certification is significant
The risk that upfront investment doesn’t deliver is very high!
FuSa breaks the traditional OSS growth model!
18. How do we fund access to development tools and expertise?
How do you fund filling the “gaps”?
ELISA Project
Founding members: Arm, BMW Car IT GmbH, KUKA, Linutronix, Toyota
Reduce risk by providing tools, processes and patterns
Zephyr
Appears to be funded by Intel and some partners to establish Zephyr as a safety certifiable
open source RTOS
Xen Project
So far on a per contributor basis from various organizations that have a vested in safety
certifying Xen. Possible partnerships with assessors and tooling companies (in progress).
Ultimately this is not going to be enough: approach is to make progress in some areas to
demonstrate progress with reference implementations and unlock further funding.
19.
20. 0
5
10
15
20
25
30 KSLOC 50 KSLOC 100 KSLOC 200 KSLOC
Already investment
of 20-30 man years
on functionality:
distributed and
not all upstream
An investment of 5-15
man years for
1-off safety certification
is not outlandish
But: can FuSa be
maintained
in an adapted
FOSS model?
Cost of certifying Xen based on study assuming a
proprietary fork for DO-178 / DAL-C using
experienced staff (domain +FuSa knowledge)
21. 2012 – now: Xen commercial distros with some support for safety
BUT: no upstream support, no community engagement
2016 – now (and for the foreseeable future)
Technical: develop and upstream functionality needed for mixed-criticality workloads
2019: Start a process to
establish feasibility and to create a plan
2019: Planning - WIP
Agreements, Funding, Plan, Risks
2019: Create Enablers - Plans
Infra, Tools, Community
22. 2 day workshop in March 2019 with 25 attendees
Community Reps and Support
Project leadership team (except for 2)
Kate Stewart as observer /
advisor
Vendors with investment in Xen
Vendors with product interest / skills
Safety Assessors
23. Create an understanding between the community and industry
Terminology, Concepts, etc.
How safety certification works: look at different standards, routes, requirements
Explain assets and processes
Establish “red lines”
Principles the community can agree to or would object to
What level of change would be acceptable
Identify potential obstacles
Establish whether Xen Project is safety certifiable
If so, create a candidate set of feasible certification routes
Establish a rough action plan on how to progress
24. Compared to Zephyr and ACRN it has an established user base in server, cloud and
security applications on x86
Contributor community is diverse
Xen on x86 is not really suitable today for embedded/mixed-criticality
But Xen on Arm is: but was originally designed for servers
Effort to redesign and refresh for mixed-criticality use-cases is scoped and sized
Implementation and funding WIP ➜ opening to make this “safety-friendly”
25%
60%
15%
common
x86
arm
Anything we do for safety can only be
done if there is agreement to implement
changes in a relevant subset of common
code
25. Split development model with an open and a closed part
Everything that is valuable to the wider community in the open part,
e.g. documentation, tests (not all of them), traceability, automation and infrastructure,….
Everything that creates code churn if it wasn’t open as much as possible:
e.g. coding standards (MISRA)
Changes to the open development workflow are minimal
There must be a benefit the community (including for common code)
Broad agreement that codified requirements, more designs, more tests, traceability
information are all beneficial for the project as a whole
BUT: the workflow is git centric and there should not be no parallel universe of additional
infrastructure and tools outside of git
– Requirements, specs, etc. must all be stored in tree and covered by the projects review workflow
– Traceability reports, etc. must be generated from in-tree artefacts
26. Filling the gaps
Gaps in terms of documentation, specifications, safety manual must be developed and
contributed by vendors interested in safety.
Tests can be proprietary, if there is a 3rd party CI integration and commitment to triage and
fix issues upstream (similar to what OpenStack does)
There must be investment in necessary project infrastructure to enable this.
Contributions have to be reviewed to go into mainline: there must be a commitment to
“build new maintainers” (by above vendors performing code reviews)
Maintaining
Vendors will need to step up with maintainership, code reviews, test triage, supporting the
new infrastructure, …
Otherwise: all the initial work will become stale and will create burden for everyone else
27. You might have the coolest open-source project with a super
complete feature-matrix that is safety-certifiable
No-one will use it unless there is a clearly identified entity that is
responsible for the safety sign-off for that project
In the Split Development Model this can be done by
–A commercial entity which is accountable: either a single vendor,
multiple vendors or a group/consortium that collaborates with the
community
–Projects such as ELISA are also looking at this
28. Create reference stacks for safety use-cases supported by
different vendors and eco-systems
–Already have the EPAM automotive stack
–Have a XILINX mixed-criticality stack
–Another one in the pipeline (under NDA)
–Others are being discussed/proposed by groups that previously
were not engaged with Xen
29.
30. Subgroups meet at least every other week. Partly resourced
Community Reps
Lars Kurth (chair and project mgmt)
George Dunlap (committers)
Stream Owners and Implementers
Other Members
Assessors
Lars Kurth
31.
32. Certification scope route and overall plan and strategy
A set of very early drafts: still in bootstrap mode
Following an agile approach
Starting to break down dependencies and priorities
Funding and Resourcing
Some secured
More needed
Some ideas around business models/research grants for funding
Possibly additional SIG members volunteering time and resources
33. Safety Management System (for the closed part)
Resourced to create plan/strategy
Must be designed to co-exist with Xen mainline development
Documentation
Draft strategy (not yet published)
– Around inputs into certification process (Requirements, Specs, API docs, …)
– A set of leads for in-code, in-tree encoding
– Ideas for traceability, which need to be verified
– Some can live in closed part
Some Xen vendors have content that could be used as seed
Better dev docs is what committers want and support
34. Verification Tests
Focusing on CI capability vision and implementation first (CI v2 and v3)
Some is resourced and aligns with plans the project already had
Something the community wants and agreed to last week
Capacity issue with traditional CIs that test on lots of different HW
– Can’t integrate CI before start of code review
– Too expensive to purchase HW and to maintain HW to enable needed scale
– Issue: can’t test EVERY merge request
– Front-load the review process with additional CI capability
– Use automation bots as much as possible
– For e-mail based code-review
– Recently patchew, patchwork, lore have improved
35. Community Interactions and Processes
Focusing on using FuSa to help address long-standing problems
– With funding and resources
This seems to work for now: the devil will be in the detail
MISRA C compliance:
needs planning and a process to find a compromise
Process Automation Tools
Surveying what is available, usable and a good baseline to extend
– Dependency on ELISA Project
MISRA C: looking at Perforce QA Verify, Bugseng Éclair and cppcheck
37. Most Challenges in FuSa are not solely Community
Issues
They only appear to be
For Example:
If there was adequate tooling for traceability which fits into a Git workflow, then
moving closer to the V model (assuming it does not have to be serialized) only
throws up community issues which have been resolved before
– E.g. scaling up a community
So the first question to ask is why to virtualize embedded systems at all
And there we will look at Consolidation, Security and Safety and Special Requirements for Embedded Systems
Need to make sure that what happens on the right sider: feeback
The problem with funding:
Most fast growing open source communities are driven by rapid end-user adoption which drives investment in the community (applies to all of CNCF and many other projects)BUT: to enable safety certification, the “prize” of a safety certifiable open source project, is much further down the line and investment is risky In other words: business cases are difficult to express and sell
The Open Source movement has been though this before!
2 reference implementations
Another one in the pipeline
16 mins
22 mins
This is why proprietary vendors thrive in this spaceAnd why there are proprietary “forks” of open source software
16 mins
16 mins
Unless you have significant resources it is not possible to test developer branches, and every merge requests for every configuration/HW combination before starting code reviews