SlideShare a Scribd company logo

SecPod: A Framework for Virtualization-based Security Systems

Yue Chen
Yue Chen

The OS kernel is critical to the security of a computer system. Many systems have been proposed to improve its security. A fundamental weakness of those systems is that page tables, the data structures that control the memory protection, are not isolated from the vulnerable kernel, and thus subject to tampering. To address that, researchers have relied on virtualization for reliable kernel memory protection. Unfortunately, such memory protection requires to monitor every update to the guest’s page tables. This fundamentally conflicts with the recent advances in the hardware virtualization support. In this paper, we propose SecPod, an extensible framework for virtualization-based security systems that can provide both strong isolation and the compatibility with modern hardware. SecPod has two key techniques: paging delegation delegates and audits the kernel’s paging operations to a secure space; execution trapping intercepts the (compromised) kernel’s attempts to subvert SecPod by misusing privileged instructions. We have implemented a prototype of SecPod based on KVM. Our experiments show that SecPod is both effective and efficient.

Science
1 of 43
Download to read offline
SecPod: A Framework for Virtualization-based Security Systems Xiaoguang Wang: 6, Yue Chen:, Zhi Wang:, Yong Qi6, Yajin Zhou; Florida State University: Xi’an Jiaotong University6 Qihoo 360; SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 1/22
Outline 1. Motivation 2. SecPod Design 3. Implementation 4. Evaluation 5. Related Work SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 2/22
Motivation Page Table Integrity Kernel protection requires page table integrity § Page tables decide address translation (from VA to PA) SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 3/22
Motivation Page Table Integrity Kernel protection requires page table integrity § Page tables decide address translation (from VA to PA) § Page tables control memory protection SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 3/22
Motivation Page Table Integrity Kernel protection requires page table integrity § Page tables decide address translation (from VA to PA) § Page tables control memory protection § e.g. Data Execution Prevention (Write ‘ eXecute) SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 3/22
Motivation Page Table Integrity Kernel protection requires page table integrity § Page tables decide address translation (from VA to PA) § Page tables control memory protection § e.g. Data Execution Prevention (Write ‘ eXecute) However, page tables are always writable in the kernel § Kernel needs to frequently change memory mapping § Kernel protection can be subverted by manipulating page tables SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 3/22
Motivation Virtualization-based Kernel Protection § Security tools are isolated “out-of-the-box”, but need to intercept key guest events Ż e.g., guest page table updates, control-register updates Shadow Page Table Guest Virtual Address Physical Address Hypervisor Guest SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 4/22
Motivation Virtualization-based Kernel Protection § Security tools are isolated “out-of-the-box”, but need to intercept key guest events Ż e.g., guest page table updates, control-register updates § Shadow paging enables reliable kernel memory protection Ż Hypervisor uses shadow paging to virtualize memory Shadow Page Table Guest Virtual Address Physical Address Hypervisor Guest SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 4/22
Motivation Virtualization-based Kernel Protection § Security tools are isolated “out-of-the-box”, but need to intercept key guest events Ż e.g., guest page table updates, control-register updates § Shadow paging enables reliable kernel memory protection Ż Hypervisor uses shadow paging to virtualize memory Ż SPTs are synchronized with GPTs by the hypervisor Ñsecurity tools can intercept guest page table updates Shadow Page Table Guest Virtual Address Physical Address Hypervisor Guest SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 4/22
Motivation Virtualization-based Kernel Protection § Security tools are isolated “out-of-the-box”, but need to intercept key guest events Ż e.g., guest page table updates, control-register updates § Shadow paging enables reliable kernel memory protection Ż Hypervisor uses shadow paging to virtualize memory Ż SPTs are synchronized with GPTs by the hypervisor Ñsecurity tools can intercept guest page table updates Ż SPTs supersede GPTs for address translation Shadow Page Table Guest Virtual Address Physical Address Hypervisor Guest SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 4/22
Motivation Virtualization Hardware Obsoletes Shadow Paging § Nested paging introduces two-level address translation for VMs Ż Both GPT and NPT are used by CPU for address translation Shadow Page Table Guest Virtual Address Physical Address Hypervisor Guest Guest Physical Address Guest Page Table Guest Virtual Address Physical Address Nested Page Table Hypervisor Guest 1 VMware: performance evaluation of Intel EPT hardware assist. SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 5/22
Motivation Virtualization Hardware Obsoletes Shadow Paging § Nested paging introduces two-level address translation for VMs Ż Both GPT and NPT are used by CPU for address translation § Nested paging has big performance advantage over SPT Ż An acceleration of up to 48% for MMU-intensive tasks 1 Shadow Page Table Guest Virtual Address Physical Address Hypervisor Guest Guest Physical Address Guest Page Table Guest Virtual Address Physical Address Nested Page Table Hypervisor Guest 1 VMware: performance evaluation of Intel EPT hardware assist. SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 5/22
Motivation Virtualization Hardware Obsoletes Shadow Paging § Nested paging introduces two-level address translation for VMs Ż Both GPT and NPT are used by CPU for address translation § Nested paging has big performance advantage over SPT Ż An acceleration of up to 48% for MMU-intensive tasks 1 § Security tools cannot intercept guest memory updates with NPT Ż Guest is free to change its GPTs, without notifying hypervisor Shadow Page Table Guest Virtual Address Physical Address Hypervisor Guest Guest Physical Address Guest Page Table Guest Virtual Address Physical Address Nested Page Table Hypervisor Guest 1 VMware: performance evaluation of Intel EPT hardware assist. SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 5/22
Motivation Why SecPod Our Goal: A framework for virtualization-based security tools on the modern virtualization hardware with nested paging SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 6/22
Motivation Why SecPod Our Goal: A framework for virtualization-based security tools on the modern virtualization hardware with nested paging Our Solution: SecPod: A Framework for Virtualization-based Security Systems SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 6/22
Motivation Threat Model and Assumption § Trustworthy hardware and trusted booting Ż Load-time integrity is protected by trusted booting Ż IOMMU is properly configured to prevent DMA attacks SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 7/22
Motivation Threat Model and Assumption § Trustworthy hardware and trusted booting Ż Load-time integrity is protected by trusted booting Ż IOMMU is properly configured to prevent DMA attacks § Hypervisor is trusted Ż Formal verification [seL4, SOSP’09], integrity protection and monitoring [HyperSafe, S&P’10] SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 7/22
Motivation Threat Model and Assumption § Trustworthy hardware and trusted booting Ż Load-time integrity is protected by trusted booting Ż IOMMU is properly configured to prevent DMA attacks § Hypervisor is trusted Ż Formal verification [seL4, SOSP’09], integrity protection and monitoring [HyperSafe, S&P’10] § Kernel is benign but contains vulnerabilities Ż Powerful attackers can change arbitrary memory of the kernel SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 7/22
SecPod Design SecPod Architecture SecPod & Security Tool Code/Data SPT Pool Entry Gate pv_mmu_ops.alloc_pud pv_mmu_ops.set_pud pv_mmu_ops.write_cr3 ... Normal Space Secure Space Hypervisor Trusted Boot DMA Protection Guest GPT Exit Gate User Mode Kernel Mode Key Technique I: Paging Delegation VMExit Handler Sensitive Instructions Key Technique II: Execution Trapping Up Call SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 8/22
SecPod Design Key Technique I: Paging Delegation § SecPod creates an isolated address space from the kernel GPT SPT NormalSpace GPT SPT Securespace Traditional Shadow Paging Shadow Paging in SecPod NPT Guest HypervisorHypervisor Guest SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 9/22
SecPod Design Key Technique I: Paging Delegation § SecPod creates an isolated address space from the kernel § Secure space maintains SPTs for the guest Ż SPTs are the only effective page tables for the guest Ż SPTs mirror GPTs (if no memory protection violation) GPT SPT NormalSpace GPT SPT Securespace Traditional Shadow Paging Shadow Paging in SecPod NPT Guest HypervisorHypervisor Guest SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 9/22
SecPod Design Key Technique I: Paging Delegation § SecPod creates an isolated address space from the kernel § Secure space maintains SPTs for the guest Ż SPTs are the only effective page tables for the guest Ż SPTs mirror GPTs (if no memory protection violation) § SecPod forwards guest page table updates to secure space GPT SPT NormalSpace GPT SPT Securespace Traditional Shadow Paging Shadow Paging in SecPod NPT Guest HypervisorHypervisor Guest SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 9/22
SecPod Design SecPod Address Space Layout § Normal/secure spaces use page-table based isolation Ż Entry/exit gates are the only passage Normal Space Secure Space KernelUserProcess Kernel Data RW- Kernel RO Data R-- Kernel Code R-X Kernel Data RW- Kernel RO Data R-- Kernel Code R-- SecPod Data RW- SecPod Code R-X Security Tool Data RW- Security Tool Code R-X Gate Data RW- Entry/Exit Gates R-XUser Data RW- User Code R-X SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 10/22
SecPod Design SecPod Address Space Layout § Normal/secure spaces use page-table based isolation Ż Entry/exit gates are the only passage § Guest kernel is mapped in secure space Ż Security tools can access guest memory, but not execute it Normal Space Secure Space KernelUserProcess Kernel Data RW- Kernel RO Data R-- Kernel Code R-X Kernel Data RW- Kernel RO Data R-- Kernel Code R-- SecPod Data RW- SecPod Code R-X Security Tool Data RW- Security Tool Code R-X Gate Data RW- Entry/Exit Gates R-XUser Data RW- User Code R-X SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 10/22
SecPod Design Protecting Secure Space Attacker might try to: § Enter secure space without security checks § Request malicious page table updates Ż e.g., to map secure memory in guest § Misuse privileged instructions Ż e.g., to load a malicious page table, to disable paging... SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 11/22
SecPod Design Protecting Secure Space Attacker might try to: § Enter secure space without security checks § Request malicious page table updates Ż e.g., to map secure memory in guest § Misuse privileged instructions Ż e.g., to load a malicious page table, to disable paging... Our countermeasures: § Secure and efficient context switch § Page table update validation § Execution trapping of privileged instructions SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 11/22
SecPod Design Secure and Efficient Context Switch § Entry/exit gates are only passage between secure/normal spaces Ż Each gate switches the page table, the stack... Ż Entry gate runs atomically by disabling interrupts (SIM [CCS ’09]) SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 12/22
SecPod Design Secure and Efficient Context Switch § Entry/exit gates are only passage between secure/normal spaces Ż Each gate switches the page table, the stack... Ż Entry gate runs atomically by disabling interrupts (SIM [CCS ’09]) § Loading CR3 is a privileged instruction trapped by SecPod Ż Performance overhead is high if each context switch is trapped SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 12/22
SecPod Design Secure and Efficient Context Switch § Entry/exit gates are only passage between secure/normal spaces Ż Each gate switches the page table, the stack... Ż Entry gate runs atomically by disabling interrupts (SIM [CCS ’09]) § Loading CR3 is a privileged instruction trapped by SecPod Ż Performance overhead is high if each context switch is trapped § Intel CR3 target list to the rescue: Ż Four page tables can be loaded without being trapped by CPU Ż There are many SPTs for the guest Ñ use a fixed top-Level page table for all SPTs SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 12/22
SecPod Design Page Table Update Validation § SecPod enforces basic kernel memory integrity for guest Ż No mapping is allowed to the secure space code/data Ż Enforce kernel W‘X Guest Page Table Shadow Page Table SPT Update Verification ① ③ ④ ② Fast Index Tables PT PD SPD SPT NormalSpace SecureSpace SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 13/22
SecPod Design Key Technique II: Execute Trapping § SecPod traps malicious privileged instructions executed by guest Ż It can trap intended and unintended2 privileged instructions § Hypervisor notifies secure space trapped instructions via upcalls Ż Similar to signal delivery in the traditional OS 2 X86 has variable-length instructions, unintended instructions can be “created” by jumping to the middle of an instruction. SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 14/22
SecPod Design Trapped Sensitive Instructions Instruction Semantics LGDT Load global descriptor table LLDT load local descriptor table LIDT load interrupt descriptor table LMSW load machine status word MOV to CR0 write to CR0 MOV to CR4 write to CR4 MOV to CR8 write to CR8 MOV to CR3 load a new page table WRMSR write machine-specific registers SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 15/22
Implementation Implementation § Paging delegation Ż Leverage Linux paravirtualization interface: pv mmu ops § Execution trapping implemented in the Hypervisor (KVM) SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 16/22
Implementation Implementation § Paging delegation Ż Leverage Linux paravirtualization interface: pv mmu ops § Execution trapping implemented in the Hypervisor (KVM) § Security tools: Ż Compiled as ELF libraries and loaded into secure space Ż Implemented an example tool to prevent unauthorized kernel code from execution (Patagonix [USENIX Sec ’08], NICKLE [RAID ’08]) SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 16/22
Evaluation Security Analysis § Maliciously modify secure space memory Ż Secure space memory is not mapped in the normal space Ñ try to map the secure space memory in the guest SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 17/22
Evaluation Security Analysis § Maliciously modify secure space memory Ż Secure space memory is not mapped in the normal space Ñ try to map the secure space memory in the guest Ż Directly change the page mapping Ż Ask SecPod to map secure memory SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 17/22
Evaluation Security Analysis § Maliciously modify secure space memory Ż Secure space memory is not mapped in the normal space Ñ try to map the secure space memory in the guest Ż Directly change the page mapping Ð SPT is isolated Ż Ask SecPod to map secure memory Ð SPT update validation SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 17/22
Evaluation Security Analysis § Maliciously modify secure space memory Ż Secure space memory is not mapped in the normal space Ñ try to map the secure space memory in the guest Ż Directly change the page mapping Ð SPT is isolated Ż Ask SecPod to map secure memory Ð SPT update validation § Misuse privileged instructions Ż Privileged instructions by guest are trapped and verified SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 17/22
Evaluation Performance Evaluation: LMBench 0% 20% 40% 60% 80% 100% null open/close fork signal_installm m ap TCP_bandw idth file(create)select(250fd)stat ctxsw (4p/16k) Bcopy(libc)m ain_m em PerformanceOverhead SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 18/22
Evaluation Performance Evaluation: SysBench OLTP 0 100 200 300 400 500 600 700 2 4 8 16 32 64 128 Throughput(trans/sec) Number of Threads Linux SecPod SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 19/22
Related Work Related Work § Virtualization-based security Ż Malware analysis: Ether[CCS’08] Ż Rootkit detection and prevention: PoKeR[EuroSys’09] Ż Virtual machine introspection: Virtuoso[S&P’11], SIM[CCS’09] § Kernel/user application security Ż Exploit mitigation techniques: ASLR, DEP, CFI[CCS’07] Ż Kernel/hypervisor memory integrity: TZ-RKP[CCS’14], HyperSafe[S&P’10], Nested Kernel[ASPLOS’15] SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 20/22
Summary Summary SecPod & Security Tool Code/Data SPT Pool Entry Gate pv_mmu_ops.alloc_pud pv_mmu_ops.set_pud pv_mmu_ops.write_cr3 ... Normal Space Secure SpaceHypervisor Trusted Boot DMA Protection Guest GPT Exit Gate User Mode Kernel Mode Key Technique I: Paging Delegation VMExit Handler Sensitive Instructions Key Technique II: Execution Trapping Up Call § SecPod: A Framework for Virtualization-based Security Systems SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 21/22
Summary Thank you & Questions? SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 22/22

Recommended

What's New in Kubernetes 1.18 Webinar Slides
What's New in Kubernetes 1.18 Webinar SlidesWhat's New in Kubernetes 1.18 Webinar Slides
What's New in Kubernetes 1.18 Webinar Slides
Mirantis
 
Securing Your Containers is Not Enough: How to Encrypt Container Data
Securing Your Containers is Not Enough: How to Encrypt Container DataSecuring Your Containers is Not Enough: How to Encrypt Container Data
Securing Your Containers is Not Enough: How to Encrypt Container Data
Mirantis
 
CSW2017 Scott kelly secureboot-csw2017-v1
CSW2017 Scott kelly secureboot-csw2017-v1CSW2017 Scott kelly secureboot-csw2017-v1
CSW2017 Scott kelly secureboot-csw2017-v1
CanSecWest
 
CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CanSecWest
 
How to Build a Basic Edge Cloud
How to Build a Basic Edge CloudHow to Build a Basic Edge Cloud
How to Build a Basic Edge Cloud
Mirantis
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
OWASP
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The Cloud
MITRE ATT&CK
 
VideoEdge Cybersecurity v4.6 - May 2015
VideoEdge Cybersecurity v4.6 - May 2015VideoEdge Cybersecurity v4.6 - May 2015
VideoEdge Cybersecurity v4.6 - May 2015William L. Brown Jr., CISSP
 

Recommended

What's New in Kubernetes 1.18 Webinar Slides
What's New in Kubernetes 1.18 Webinar SlidesWhat's New in Kubernetes 1.18 Webinar Slides
What's New in Kubernetes 1.18 Webinar Slides
Mirantis
 
Securing Your Containers is Not Enough: How to Encrypt Container Data
Securing Your Containers is Not Enough: How to Encrypt Container DataSecuring Your Containers is Not Enough: How to Encrypt Container Data
Securing Your Containers is Not Enough: How to Encrypt Container Data
Mirantis
 
CSW2017 Scott kelly secureboot-csw2017-v1
CSW2017 Scott kelly secureboot-csw2017-v1CSW2017 Scott kelly secureboot-csw2017-v1
CSW2017 Scott kelly secureboot-csw2017-v1
CanSecWest
 
CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CanSecWest
 
How to Build a Basic Edge Cloud
How to Build a Basic Edge CloudHow to Build a Basic Edge Cloud
How to Build a Basic Edge Cloud
Mirantis
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
OWASP
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The Cloud
MITRE ATT&CK
 
VideoEdge Cybersecurity v4.6 - May 2015
VideoEdge Cybersecurity v4.6 - May 2015VideoEdge Cybersecurity v4.6 - May 2015
VideoEdge Cybersecurity v4.6 - May 2015William L. Brown Jr., CISSP
 
Tech t18
Tech t18Tech t18
Tech t18SelectedPresentations
 
Your Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes
Your Application Deserves Better than Kubernetes Ingress: Istio vs. KubernetesYour Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes
Your Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes
Mirantis
 
Q Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - ConjurQ Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - Conjur
conjur_inc
 
Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive
Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep diveTargeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive
Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive
Cisco DevNet
 
Secure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSecure Coding for Java - An Introduction
Secure Coding for Java - An Introduction
Sebastien Gioria
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
Tim Mackey
 
DEVNET-1148 Leveraging Cisco OpenStack Private Cloud for Developers
DEVNET-1148 Leveraging Cisco OpenStack Private Cloud for DevelopersDEVNET-1148 Leveraging Cisco OpenStack Private Cloud for Developers
DEVNET-1148 Leveraging Cisco OpenStack Private Cloud for Developers
Cisco DevNet
 
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CanSecWest
 
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
JPCERT Coordination Center
 
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud EnvironmentSafe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
DevOps.com
 
Serverless Security: A How-to Guide @ SnowFROC 2019
Serverless Security: A How-to Guide @ SnowFROC 2019Serverless Security: A How-to Guide @ SnowFROC 2019
Serverless Security: A How-to Guide @ SnowFROC 2019
James Wickett
 
SDN and Security: A Marriage Made in Heaven. Or Not.
SDN and Security: A Marriage Made in Heaven. Or Not.SDN and Security: A Marriage Made in Heaven. Or Not.
SDN and Security: A Marriage Made in Heaven. Or Not.
Priyanka Aash
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability Management
Tim Mackey
 
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Márcio Rosa
 
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CanSecWest
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
DevOps.com
 
KennethBaughResume_2015
KennethBaughResume_2015KennethBaughResume_2015
KennethBaughResume_2015Ken Baugh
 
Securing your Container Environment with Open Source
Securing your Container Environment with Open SourceSecuring your Container Environment with Open Source
Securing your Container Environment with Open Source
Michael Ducy
 
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...
DevOpsDays Riga
 
Cloudera Impala Source Code Explanation and Analysis
Cloudera Impala Source Code Explanation and AnalysisCloudera Impala Source Code Explanation and Analysis
Cloudera Impala Source Code Explanation and Analysis
Yue Chen
 
Impala SQL Support
Impala SQL SupportImpala SQL Support
Impala SQL Support
Yue Chen
 
How Impala Works
How Impala WorksHow Impala Works
How Impala Works
Yue Chen
 

More Related Content

What's hot

Your Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes
Your Application Deserves Better than Kubernetes Ingress: Istio vs. KubernetesYour Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes
Your Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes
Mirantis
 
Q Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - ConjurQ Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - Conjur
conjur_inc
 
Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive
Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep diveTargeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive
Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive
Cisco DevNet
 
Secure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSecure Coding for Java - An Introduction
Secure Coding for Java - An Introduction
Sebastien Gioria
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
Tim Mackey
 
DEVNET-1148 Leveraging Cisco OpenStack Private Cloud for Developers
DEVNET-1148 Leveraging Cisco OpenStack Private Cloud for DevelopersDEVNET-1148 Leveraging Cisco OpenStack Private Cloud for Developers
DEVNET-1148 Leveraging Cisco OpenStack Private Cloud for Developers
Cisco DevNet
 
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CanSecWest
 
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
JPCERT Coordination Center
 
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud EnvironmentSafe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
DevOps.com
 
Serverless Security: A How-to Guide @ SnowFROC 2019
Serverless Security: A How-to Guide @ SnowFROC 2019Serverless Security: A How-to Guide @ SnowFROC 2019
Serverless Security: A How-to Guide @ SnowFROC 2019
James Wickett
 
SDN and Security: A Marriage Made in Heaven. Or Not.
SDN and Security: A Marriage Made in Heaven. Or Not.SDN and Security: A Marriage Made in Heaven. Or Not.
SDN and Security: A Marriage Made in Heaven. Or Not.
Priyanka Aash
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability Management
Tim Mackey
 
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Márcio Rosa
 
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CanSecWest
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
DevOps.com
 
KennethBaughResume_2015
KennethBaughResume_2015KennethBaughResume_2015
KennethBaughResume_2015Ken Baugh
 
Securing your Container Environment with Open Source
Securing your Container Environment with Open SourceSecuring your Container Environment with Open Source
Securing your Container Environment with Open Source
Michael Ducy
 
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...
DevOpsDays Riga
 

What's hot (19)

Tech t18
Tech t18Tech t18
Tech t18
 
Your Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes
Your Application Deserves Better than Kubernetes Ingress: Istio vs. KubernetesYour Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes
Your Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes
 
Q Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - ConjurQ Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - Conjur
 
Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive
Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep diveTargeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive
Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive
 
Secure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSecure Coding for Java - An Introduction
Secure Coding for Java - An Introduction
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
DEVNET-1148 Leveraging Cisco OpenStack Private Cloud for Developers
DEVNET-1148 Leveraging Cisco OpenStack Private Cloud for DevelopersDEVNET-1148 Leveraging Cisco OpenStack Private Cloud for Developers
DEVNET-1148 Leveraging Cisco OpenStack Private Cloud for Developers
 
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
 
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
 
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud EnvironmentSafe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
 
Serverless Security: A How-to Guide @ SnowFROC 2019
Serverless Security: A How-to Guide @ SnowFROC 2019Serverless Security: A How-to Guide @ SnowFROC 2019
Serverless Security: A How-to Guide @ SnowFROC 2019
 
SDN and Security: A Marriage Made in Heaven. Or Not.
SDN and Security: A Marriage Made in Heaven. Or Not.SDN and Security: A Marriage Made in Heaven. Or Not.
SDN and Security: A Marriage Made in Heaven. Or Not.
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability Management
 
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
 
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
 
KennethBaughResume_2015
KennethBaughResume_2015KennethBaughResume_2015
KennethBaughResume_2015
 
Securing your Container Environment with Open Source
Securing your Container Environment with Open SourceSecuring your Container Environment with Open Source
Securing your Container Environment with Open Source
 
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...
 

Viewers also liked

Cloudera Impala Source Code Explanation and Analysis
Cloudera Impala Source Code Explanation and AnalysisCloudera Impala Source Code Explanation and Analysis
Cloudera Impala Source Code Explanation and Analysis
Yue Chen
 
Impala SQL Support
Impala SQL SupportImpala SQL Support
Impala SQL Support
Yue Chen
 
How Impala Works
How Impala WorksHow Impala Works
How Impala Works
Yue Chen
 
Impala Architecture presentation
Impala Architecture presentationImpala Architecture presentation
Impala Architecture presentation
hadooparchbook
 
The Impala Cookbook
The Impala CookbookThe Impala Cookbook
The Impala Cookbook
Cloudera, Inc.
 
Herba Life
Herba LifeHerba Life
Herba Life
nutritionslim
 
Can you shake your way to better health
Can you shake your way to better healthCan you shake your way to better health
Can you shake your way to better healthbreezycov
 
Kudu: Resolving Transactional and Analytic Trade-offs in Hadoop
Kudu: Resolving Transactional and Analytic Trade-offs in HadoopKudu: Resolving Transactional and Analytic Trade-offs in Hadoop
Kudu: Resolving Transactional and Analytic Trade-offs in Hadoop
jdcryans
 
Meal replacement shakes
Meal replacement shakesMeal replacement shakes
Meal replacement shakes
Specialist Supplements Ltd
 
Data Infused Product Design and Insights at LinkedIn
Data Infused Product Design and Insights at LinkedInData Infused Product Design and Insights at LinkedIn
Data Infused Product Design and Insights at LinkedIn
Yael Garten
 
White paper hadoop performancetuning
White paper hadoop performancetuningWhite paper hadoop performancetuning
White paper hadoop performancetuning
Anil Reddy
 
A Perspective from the intersection Data Science, Mobility, and Mobile Devices
A Perspective from the intersection Data Science, Mobility, and Mobile DevicesA Perspective from the intersection Data Science, Mobility, and Mobile Devices
A Perspective from the intersection Data Science, Mobility, and Mobile Devices
Yael Garten
 
Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)
Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)
Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)
Yue Chen
 
Real-time Big Data Analytics Engine using Impala
Real-time Big Data Analytics Engine using ImpalaReal-time Big Data Analytics Engine using Impala
Real-time Big Data Analytics Engine using Impala
Jason Shih
 
Admission Control in Impala
Admission Control in ImpalaAdmission Control in Impala
Admission Control in ImpalaCloudera, Inc.
 
InShape Meal Replacement Shake Recipes
InShape Meal Replacement Shake RecipesInShape Meal Replacement Shake Recipes
InShape Meal Replacement Shake Recipes
QNET Ltd
 
Hadoop application architectures - Fraud detection tutorial
Hadoop application architectures - Fraud detection tutorialHadoop application architectures - Fraud detection tutorial
Hadoop application architectures - Fraud detection tutorial
hadooparchbook
 
Apache Impala (incubating) 2.5 Performance Update
Apache Impala (incubating) 2.5 Performance UpdateApache Impala (incubating) 2.5 Performance Update
Apache Impala (incubating) 2.5 Performance Update
Cloudera, Inc.
 
How to use your data science team: Becoming a data-driven organization
How to use your data science team: Becoming a data-driven organizationHow to use your data science team: Becoming a data-driven organization
How to use your data science team: Becoming a data-driven organization
Yael Garten
 
Cloudera Impala Internals
Cloudera Impala InternalsCloudera Impala Internals
Cloudera Impala Internals
David Groozman
 

Viewers also liked (20)

Cloudera Impala Source Code Explanation and Analysis
Cloudera Impala Source Code Explanation and AnalysisCloudera Impala Source Code Explanation and Analysis
Cloudera Impala Source Code Explanation and Analysis
 
Impala SQL Support
Impala SQL SupportImpala SQL Support
Impala SQL Support
 
How Impala Works
How Impala WorksHow Impala Works
How Impala Works
 
Impala Architecture presentation
Impala Architecture presentationImpala Architecture presentation
Impala Architecture presentation
 
The Impala Cookbook
The Impala CookbookThe Impala Cookbook
The Impala Cookbook
 
Herba Life
Herba LifeHerba Life
Herba Life
 
Can you shake your way to better health
Can you shake your way to better healthCan you shake your way to better health
Can you shake your way to better health
 
Kudu: Resolving Transactional and Analytic Trade-offs in Hadoop
Kudu: Resolving Transactional and Analytic Trade-offs in HadoopKudu: Resolving Transactional and Analytic Trade-offs in Hadoop
Kudu: Resolving Transactional and Analytic Trade-offs in Hadoop
 
Meal replacement shakes
Meal replacement shakesMeal replacement shakes
Meal replacement shakes
 
Data Infused Product Design and Insights at LinkedIn
Data Infused Product Design and Insights at LinkedInData Infused Product Design and Insights at LinkedIn
Data Infused Product Design and Insights at LinkedIn
 
White paper hadoop performancetuning
White paper hadoop performancetuningWhite paper hadoop performancetuning
White paper hadoop performancetuning
 
A Perspective from the intersection Data Science, Mobility, and Mobile Devices
A Perspective from the intersection Data Science, Mobility, and Mobile DevicesA Perspective from the intersection Data Science, Mobility, and Mobile Devices
A Perspective from the intersection Data Science, Mobility, and Mobile Devices
 
Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)
Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)
Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)
 
Real-time Big Data Analytics Engine using Impala
Real-time Big Data Analytics Engine using ImpalaReal-time Big Data Analytics Engine using Impala
Real-time Big Data Analytics Engine using Impala
 
Admission Control in Impala
Admission Control in ImpalaAdmission Control in Impala
Admission Control in Impala
 
InShape Meal Replacement Shake Recipes
InShape Meal Replacement Shake RecipesInShape Meal Replacement Shake Recipes
InShape Meal Replacement Shake Recipes
 
Hadoop application architectures - Fraud detection tutorial
Hadoop application architectures - Fraud detection tutorialHadoop application architectures - Fraud detection tutorial
Hadoop application architectures - Fraud detection tutorial
 
Apache Impala (incubating) 2.5 Performance Update
Apache Impala (incubating) 2.5 Performance UpdateApache Impala (incubating) 2.5 Performance Update
Apache Impala (incubating) 2.5 Performance Update
 
How to use your data science team: Becoming a data-driven organization
How to use your data science team: Becoming a data-driven organizationHow to use your data science team: Becoming a data-driven organization
How to use your data science team: Becoming a data-driven organization
 
Cloudera Impala Internals
Cloudera Impala InternalsCloudera Impala Internals
Cloudera Impala Internals
 

Similar to SecPod: A Framework for Virtualization-based Security Systems

The Sysdig Secure DevOps Platform
The Sysdig Secure DevOps PlatformThe Sysdig Secure DevOps Platform
The Sysdig Secure DevOps Platform
Ashnikbiz
 
Building Up Network Security: Intrusion Prevention and Sourcefire
Building Up Network Security: Intrusion Prevention and SourcefireBuilding Up Network Security: Intrusion Prevention and Sourcefire
Building Up Network Security: Intrusion Prevention and Sourcefire
Global Knowledge Training
 
Confidential Computing in Azure - SlideShare Ed Dec 2022.pptx
Confidential Computing in Azure - SlideShare Ed Dec 2022.pptxConfidential Computing in Azure - SlideShare Ed Dec 2022.pptx
Confidential Computing in Azure - SlideShare Ed Dec 2022.pptx
Carlo Sacchi
 
Hacking IoT with EXPLIoT Framework
Hacking IoT with EXPLIoT FrameworkHacking IoT with EXPLIoT Framework
Hacking IoT with EXPLIoT Framework
Priyanka Aash
 
Privileged Access Management for the Software-Defined Network
Privileged Access Management for the Software-Defined NetworkPrivileged Access Management for the Software-Defined Network
Privileged Access Management for the Software-Defined Network
CA Technologies
 
Security automation in virtual and cloud environments v2
Security automation in virtual and cloud environments v2Security automation in virtual and cloud environments v2
Security automation in virtual and cloud environments v2
rpark31
 
Docker San Diego 2015-03-25
Docker San Diego 2015-03-25Docker San Diego 2015-03-25
Docker San Diego 2015-03-25
Casey Bisson
 
NSA Capstone Presentation
NSA Capstone PresentationNSA Capstone Presentation
NSA Capstone PresentationMinh Vu
 
emc world keynote gelsinger
emc world keynote gelsinger emc world keynote gelsinger
emc world keynote gelsinger
Orange Business Services Business development IT
 
Protecting the Software-Defined Data Center from Data Breach
Protecting the Software-Defined Data Center from Data BreachProtecting the Software-Defined Data Center from Data Breach
Protecting the Software-Defined Data Center from Data Breach
CA Technologies
 
Security best practices for hyper v and server virtualisation [svr307]
Security best practices for hyper v and server virtualisation [svr307]Security best practices for hyper v and server virtualisation [svr307]
Security best practices for hyper v and server virtualisation [svr307]Louis Göhl
 
SUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxSUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptx
Vasiliy Fomichev
 
Cisco SDN/NVF Innovations (SDN NVF Day ITB 2016)
Cisco SDN/NVF Innovations (SDN NVF Day ITB 2016)Cisco SDN/NVF Innovations (SDN NVF Day ITB 2016)
Cisco SDN/NVF Innovations (SDN NVF Day ITB 2016)
SDNRG ITB
 
Zero footprint guest memory introspection from xen
Zero footprint guest memory introspection from xenZero footprint guest memory introspection from xen
Zero footprint guest memory introspection from xen
Bitdefender Enterprise
 
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by DesignJon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
jonmccoy
 
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Amazon Web Services
 
Implementing Fast IT Deploying Applications at the Pace of Innovation
Implementing Fast IT Deploying Applications at the Pace of Innovation Implementing Fast IT Deploying Applications at the Pace of Innovation
Implementing Fast IT Deploying Applications at the Pace of Innovation
Cisco DevNet
 
Mastering the move
Mastering the moveMastering the move
Mastering the move
Trivadis
 
Building Up Network Security: An Introduction
Building Up Network Security: An Introduction Building Up Network Security: An Introduction
Building Up Network Security: An Introduction
Global Knowledge Training
 
Código Seguro
Código SeguroCódigo Seguro
Código Seguro
Thiago Bertuzzi
 

Similar to SecPod: A Framework for Virtualization-based Security Systems (20)

The Sysdig Secure DevOps Platform
The Sysdig Secure DevOps PlatformThe Sysdig Secure DevOps Platform
The Sysdig Secure DevOps Platform
 
Building Up Network Security: Intrusion Prevention and Sourcefire
Building Up Network Security: Intrusion Prevention and SourcefireBuilding Up Network Security: Intrusion Prevention and Sourcefire
Building Up Network Security: Intrusion Prevention and Sourcefire
 
Confidential Computing in Azure - SlideShare Ed Dec 2022.pptx
Confidential Computing in Azure - SlideShare Ed Dec 2022.pptxConfidential Computing in Azure - SlideShare Ed Dec 2022.pptx
Confidential Computing in Azure - SlideShare Ed Dec 2022.pptx
 
Hacking IoT with EXPLIoT Framework
Hacking IoT with EXPLIoT FrameworkHacking IoT with EXPLIoT Framework
Hacking IoT with EXPLIoT Framework
 
Privileged Access Management for the Software-Defined Network
Privileged Access Management for the Software-Defined NetworkPrivileged Access Management for the Software-Defined Network
Privileged Access Management for the Software-Defined Network
 
Security automation in virtual and cloud environments v2
Security automation in virtual and cloud environments v2Security automation in virtual and cloud environments v2
Security automation in virtual and cloud environments v2
 
Docker San Diego 2015-03-25
Docker San Diego 2015-03-25Docker San Diego 2015-03-25
Docker San Diego 2015-03-25
 
NSA Capstone Presentation
NSA Capstone PresentationNSA Capstone Presentation
NSA Capstone Presentation
 
emc world keynote gelsinger
emc world keynote gelsinger emc world keynote gelsinger
emc world keynote gelsinger
 
Protecting the Software-Defined Data Center from Data Breach
Protecting the Software-Defined Data Center from Data BreachProtecting the Software-Defined Data Center from Data Breach
Protecting the Software-Defined Data Center from Data Breach
 
Security best practices for hyper v and server virtualisation [svr307]
Security best practices for hyper v and server virtualisation [svr307]Security best practices for hyper v and server virtualisation [svr307]
Security best practices for hyper v and server virtualisation [svr307]
 
SUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxSUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptx
 
Cisco SDN/NVF Innovations (SDN NVF Day ITB 2016)
Cisco SDN/NVF Innovations (SDN NVF Day ITB 2016)Cisco SDN/NVF Innovations (SDN NVF Day ITB 2016)
Cisco SDN/NVF Innovations (SDN NVF Day ITB 2016)
 
Zero footprint guest memory introspection from xen
Zero footprint guest memory introspection from xenZero footprint guest memory introspection from xen
Zero footprint guest memory introspection from xen
 
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by DesignJon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
 
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
 
Implementing Fast IT Deploying Applications at the Pace of Innovation
Implementing Fast IT Deploying Applications at the Pace of Innovation Implementing Fast IT Deploying Applications at the Pace of Innovation
Implementing Fast IT Deploying Applications at the Pace of Innovation
 
Mastering the move
Mastering the moveMastering the move
Mastering the move
 
Building Up Network Security: An Introduction
Building Up Network Security: An Introduction Building Up Network Security: An Introduction
Building Up Network Security: An Introduction
 
Código Seguro
Código SeguroCódigo Seguro
Código Seguro
 

More from Yue Chen

KARMA: Adaptive Android Kernel Live Patching
KARMA: Adaptive Android Kernel Live PatchingKARMA: Adaptive Android Kernel Live Patching
KARMA: Adaptive Android Kernel Live Patching
Yue Chen
 
EncExec: Secure In-Cache Execution
EncExec: Secure In-Cache ExecutionEncExec: Secure In-Cache Execution
EncExec: Secure In-Cache Execution
Yue Chen
 
Ravel: Pinpointing Vulnerabilities
Ravel: Pinpointing VulnerabilitiesRavel: Pinpointing Vulnerabilities
Ravel: Pinpointing Vulnerabilities
Yue Chen
 
Pinpointing Vulnerabilities (Ravel)
Pinpointing Vulnerabilities (Ravel)Pinpointing Vulnerabilities (Ravel)
Pinpointing Vulnerabilities (Ravel)
Yue Chen
 
Inside Parquet Format
Inside Parquet FormatInside Parquet Format
Inside Parquet Format
Yue Chen
 
Inside HDFS Append
Inside HDFS AppendInside HDFS Append
Inside HDFS Append
Yue Chen
 

More from Yue Chen (6)

KARMA: Adaptive Android Kernel Live Patching
KARMA: Adaptive Android Kernel Live PatchingKARMA: Adaptive Android Kernel Live Patching
KARMA: Adaptive Android Kernel Live Patching
 
EncExec: Secure In-Cache Execution
EncExec: Secure In-Cache ExecutionEncExec: Secure In-Cache Execution
EncExec: Secure In-Cache Execution
 
Ravel: Pinpointing Vulnerabilities
Ravel: Pinpointing VulnerabilitiesRavel: Pinpointing Vulnerabilities
Ravel: Pinpointing Vulnerabilities
 
Pinpointing Vulnerabilities (Ravel)
Pinpointing Vulnerabilities (Ravel)Pinpointing Vulnerabilities (Ravel)
Pinpointing Vulnerabilities (Ravel)
 
Inside Parquet Format
Inside Parquet FormatInside Parquet Format
Inside Parquet Format
 
Inside HDFS Append
Inside HDFS AppendInside HDFS Append
Inside HDFS Append
 

Recently uploaded

THE IMPORTANCE OF MARTIAN ATMOSPHERE SAMPLE RETURN.
THE IMPORTANCE OF MARTIAN ATMOSPHERE SAMPLE RETURN.THE IMPORTANCE OF MARTIAN ATMOSPHERE SAMPLE RETURN.
THE IMPORTANCE OF MARTIAN ATMOSPHERE SAMPLE RETURN.
Sérgio Sacani
 
Richard's aventures in two entangled wonderlands
Richard's aventures in two entangled wonderlandsRichard's aventures in two entangled wonderlands
Richard's aventures in two entangled wonderlands
Richard Gill
 
Hemoglobin metabolism_pathophysiology.pptx
Hemoglobin metabolism_pathophysiology.pptxHemoglobin metabolism_pathophysiology.pptx
Hemoglobin metabolism_pathophysiology.pptx
muralinath2
 
Structures and textures of metamorphic rocks
Structures and textures of metamorphic rocksStructures and textures of metamorphic rocks
Structures and textures of metamorphic rocks
kumarmathi863
 
RNA INTERFERENCE: UNRAVELING GENETIC SILENCING
RNA INTERFERENCE: UNRAVELING GENETIC SILENCINGRNA INTERFERENCE: UNRAVELING GENETIC SILENCING
RNA INTERFERENCE: UNRAVELING GENETIC SILENCING
AADYARAJPANDEY1
 
What is greenhouse gasses and how many gasses are there to affect the Earth.
What is greenhouse gasses and how many gasses are there to affect the Earth.What is greenhouse gasses and how many gasses are there to affect the Earth.
What is greenhouse gasses and how many gasses are there to affect the Earth.
moosaasad1975
 
Circulatory system_ Laplace law. Ohms law.reynaults law,baro-chemo-receptors-...
Circulatory system_ Laplace law. Ohms law.reynaults law,baro-chemo-receptors-...Circulatory system_ Laplace law. Ohms law.reynaults law,baro-chemo-receptors-...
Circulatory system_ Laplace law. Ohms law.reynaults law,baro-chemo-receptors-...
muralinath2
 
Nutraceutical market, scope and growth: Herbal drug technology
Nutraceutical market, scope and growth: Herbal drug technologyNutraceutical market, scope and growth: Herbal drug technology
Nutraceutical market, scope and growth: Herbal drug technology
Lokesh Patil
 
Lab report on liquid viscosity of glycerin
Lab report on liquid viscosity of glycerinLab report on liquid viscosity of glycerin
Lab report on liquid viscosity of glycerin
ossaicprecious19
 
Multi-source connectivity as the driver of solar wind variability in the heli...
Multi-source connectivity as the driver of solar wind variability in the heli...Multi-source connectivity as the driver of solar wind variability in the heli...
Multi-source connectivity as the driver of solar wind variability in the heli...
Sérgio Sacani
 
Structural Classification Of Protein (SCOP)
Structural Classification Of Protein (SCOP)Structural Classification Of Protein (SCOP)
Structural Classification Of Protein (SCOP)
aishnasrivastava
 
Seminar of U.V. Spectroscopy by SAMIR PANDA
Seminar of U.V. Spectroscopy by SAMIR PANDA Seminar of U.V. Spectroscopy by SAMIR PANDA
Seminar of U.V. Spectroscopy by SAMIR PANDA
SAMIR PANDA
 
erythropoiesis-I_mechanism& clinical significance.pptx
erythropoiesis-I_mechanism& clinical significance.pptxerythropoiesis-I_mechanism& clinical significance.pptx
erythropoiesis-I_mechanism& clinical significance.pptx
muralinath2
 
filosofia boliviana introducción jsjdjd.pptx
filosofia boliviana introducción jsjdjd.pptxfilosofia boliviana introducción jsjdjd.pptx
filosofia boliviana introducción jsjdjd.pptx
IvanMallco1
 
Deep Behavioral Phenotyping in Systems Neuroscience for Functional Atlasing a...
Deep Behavioral Phenotyping in Systems Neuroscience for Functional Atlasing a...Deep Behavioral Phenotyping in Systems Neuroscience for Functional Atlasing a...
Deep Behavioral Phenotyping in Systems Neuroscience for Functional Atlasing a...
Ana Luísa Pinho
 
Cancer cell metabolism: special Reference to Lactate Pathway
Cancer cell metabolism: special Reference to Lactate PathwayCancer cell metabolism: special Reference to Lactate Pathway
Cancer cell metabolism: special Reference to Lactate Pathway
AADYARAJPANDEY1
 
insect taxonomy importance systematics and classification
insect taxonomy importance systematics and classificationinsect taxonomy importance systematics and classification
insect taxonomy importance systematics and classification
anitaento25
 
NuGOweek 2024 Ghent - programme - final version
NuGOweek 2024 Ghent - programme - final versionNuGOweek 2024 Ghent - programme - final version
NuGOweek 2024 Ghent - programme - final version
pablovgd
 
Hemostasis_importance& clinical significance.pptx
Hemostasis_importance& clinical significance.pptxHemostasis_importance& clinical significance.pptx
Hemostasis_importance& clinical significance.pptx
muralinath2
 
general properties of oerganologametal.ppt
general properties of oerganologametal.pptgeneral properties of oerganologametal.ppt
general properties of oerganologametal.ppt
IqrimaNabilatulhusni
 

Recently uploaded (20)

THE IMPORTANCE OF MARTIAN ATMOSPHERE SAMPLE RETURN.
THE IMPORTANCE OF MARTIAN ATMOSPHERE SAMPLE RETURN.THE IMPORTANCE OF MARTIAN ATMOSPHERE SAMPLE RETURN.
THE IMPORTANCE OF MARTIAN ATMOSPHERE SAMPLE RETURN.
 
Richard's aventures in two entangled wonderlands
Richard's aventures in two entangled wonderlandsRichard's aventures in two entangled wonderlands
Richard's aventures in two entangled wonderlands
 
Hemoglobin metabolism_pathophysiology.pptx
Hemoglobin metabolism_pathophysiology.pptxHemoglobin metabolism_pathophysiology.pptx
Hemoglobin metabolism_pathophysiology.pptx
 
Structures and textures of metamorphic rocks
Structures and textures of metamorphic rocksStructures and textures of metamorphic rocks
Structures and textures of metamorphic rocks
 
RNA INTERFERENCE: UNRAVELING GENETIC SILENCING
RNA INTERFERENCE: UNRAVELING GENETIC SILENCINGRNA INTERFERENCE: UNRAVELING GENETIC SILENCING
RNA INTERFERENCE: UNRAVELING GENETIC SILENCING
 
What is greenhouse gasses and how many gasses are there to affect the Earth.
What is greenhouse gasses and how many gasses are there to affect the Earth.What is greenhouse gasses and how many gasses are there to affect the Earth.
What is greenhouse gasses and how many gasses are there to affect the Earth.
 
Circulatory system_ Laplace law. Ohms law.reynaults law,baro-chemo-receptors-...
Circulatory system_ Laplace law. Ohms law.reynaults law,baro-chemo-receptors-...Circulatory system_ Laplace law. Ohms law.reynaults law,baro-chemo-receptors-...
Circulatory system_ Laplace law. Ohms law.reynaults law,baro-chemo-receptors-...
 
Nutraceutical market, scope and growth: Herbal drug technology
Nutraceutical market, scope and growth: Herbal drug technologyNutraceutical market, scope and growth: Herbal drug technology
Nutraceutical market, scope and growth: Herbal drug technology
 
Lab report on liquid viscosity of glycerin
Lab report on liquid viscosity of glycerinLab report on liquid viscosity of glycerin
Lab report on liquid viscosity of glycerin
 
Multi-source connectivity as the driver of solar wind variability in the heli...
Multi-source connectivity as the driver of solar wind variability in the heli...Multi-source connectivity as the driver of solar wind variability in the heli...
Multi-source connectivity as the driver of solar wind variability in the heli...
 
Structural Classification Of Protein (SCOP)
Structural Classification Of Protein (SCOP)Structural Classification Of Protein (SCOP)
Structural Classification Of Protein (SCOP)
 
Seminar of U.V. Spectroscopy by SAMIR PANDA
Seminar of U.V. Spectroscopy by SAMIR PANDA Seminar of U.V. Spectroscopy by SAMIR PANDA
Seminar of U.V. Spectroscopy by SAMIR PANDA
 
erythropoiesis-I_mechanism& clinical significance.pptx
erythropoiesis-I_mechanism& clinical significance.pptxerythropoiesis-I_mechanism& clinical significance.pptx
erythropoiesis-I_mechanism& clinical significance.pptx
 
filosofia boliviana introducción jsjdjd.pptx
filosofia boliviana introducción jsjdjd.pptxfilosofia boliviana introducción jsjdjd.pptx
filosofia boliviana introducción jsjdjd.pptx
 
Deep Behavioral Phenotyping in Systems Neuroscience for Functional Atlasing a...
Deep Behavioral Phenotyping in Systems Neuroscience for Functional Atlasing a...Deep Behavioral Phenotyping in Systems Neuroscience for Functional Atlasing a...
Deep Behavioral Phenotyping in Systems Neuroscience for Functional Atlasing a...
 
Cancer cell metabolism: special Reference to Lactate Pathway
Cancer cell metabolism: special Reference to Lactate PathwayCancer cell metabolism: special Reference to Lactate Pathway
Cancer cell metabolism: special Reference to Lactate Pathway
 
insect taxonomy importance systematics and classification
insect taxonomy importance systematics and classificationinsect taxonomy importance systematics and classification
insect taxonomy importance systematics and classification
 
NuGOweek 2024 Ghent - programme - final version
NuGOweek 2024 Ghent - programme - final versionNuGOweek 2024 Ghent - programme - final version
NuGOweek 2024 Ghent - programme - final version
 
Hemostasis_importance& clinical significance.pptx
Hemostasis_importance& clinical significance.pptxHemostasis_importance& clinical significance.pptx
Hemostasis_importance& clinical significance.pptx
 
general properties of oerganologametal.ppt
general properties of oerganologametal.pptgeneral properties of oerganologametal.ppt
general properties of oerganologametal.ppt
 

SecPod: A Framework for Virtualization-based Security Systems

  • 1. SecPod: A Framework for Virtualization-based Security Systems Xiaoguang Wang: 6, Yue Chen:, Zhi Wang:, Yong Qi6, Yajin Zhou; Florida State University: Xi’an Jiaotong University6 Qihoo 360; SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 1/22
  • 2. Outline 1. Motivation 2. SecPod Design 3. Implementation 4. Evaluation 5. Related Work SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 2/22
  • 3. Motivation Page Table Integrity Kernel protection requires page table integrity § Page tables decide address translation (from VA to PA) SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 3/22
  • 4. Motivation Page Table Integrity Kernel protection requires page table integrity § Page tables decide address translation (from VA to PA) § Page tables control memory protection SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 3/22
  • 5. Motivation Page Table Integrity Kernel protection requires page table integrity § Page tables decide address translation (from VA to PA) § Page tables control memory protection § e.g. Data Execution Prevention (Write ‘ eXecute) SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 3/22
  • 6. Motivation Page Table Integrity Kernel protection requires page table integrity § Page tables decide address translation (from VA to PA) § Page tables control memory protection § e.g. Data Execution Prevention (Write ‘ eXecute) However, page tables are always writable in the kernel § Kernel needs to frequently change memory mapping § Kernel protection can be subverted by manipulating page tables SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 3/22
  • 7. Motivation Virtualization-based Kernel Protection § Security tools are isolated “out-of-the-box”, but need to intercept key guest events Ż e.g., guest page table updates, control-register updates Shadow Page Table Guest Virtual Address Physical Address Hypervisor Guest SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 4/22
  • 8. Motivation Virtualization-based Kernel Protection § Security tools are isolated “out-of-the-box”, but need to intercept key guest events Ż e.g., guest page table updates, control-register updates § Shadow paging enables reliable kernel memory protection Ż Hypervisor uses shadow paging to virtualize memory Shadow Page Table Guest Virtual Address Physical Address Hypervisor Guest SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 4/22
  • 9. Motivation Virtualization-based Kernel Protection § Security tools are isolated “out-of-the-box”, but need to intercept key guest events Ż e.g., guest page table updates, control-register updates § Shadow paging enables reliable kernel memory protection Ż Hypervisor uses shadow paging to virtualize memory Ż SPTs are synchronized with GPTs by the hypervisor Ñsecurity tools can intercept guest page table updates Shadow Page Table Guest Virtual Address Physical Address Hypervisor Guest SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 4/22
  • 10. Motivation Virtualization-based Kernel Protection § Security tools are isolated “out-of-the-box”, but need to intercept key guest events Ż e.g., guest page table updates, control-register updates § Shadow paging enables reliable kernel memory protection Ż Hypervisor uses shadow paging to virtualize memory Ż SPTs are synchronized with GPTs by the hypervisor Ñsecurity tools can intercept guest page table updates Ż SPTs supersede GPTs for address translation Shadow Page Table Guest Virtual Address Physical Address Hypervisor Guest SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 4/22
  • 11. Motivation Virtualization Hardware Obsoletes Shadow Paging § Nested paging introduces two-level address translation for VMs Ż Both GPT and NPT are used by CPU for address translation Shadow Page Table Guest Virtual Address Physical Address Hypervisor Guest Guest Physical Address Guest Page Table Guest Virtual Address Physical Address Nested Page Table Hypervisor Guest 1 VMware: performance evaluation of Intel EPT hardware assist. SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 5/22
  • 12. Motivation Virtualization Hardware Obsoletes Shadow Paging § Nested paging introduces two-level address translation for VMs Ż Both GPT and NPT are used by CPU for address translation § Nested paging has big performance advantage over SPT Ż An acceleration of up to 48% for MMU-intensive tasks 1 Shadow Page Table Guest Virtual Address Physical Address Hypervisor Guest Guest Physical Address Guest Page Table Guest Virtual Address Physical Address Nested Page Table Hypervisor Guest 1 VMware: performance evaluation of Intel EPT hardware assist. SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 5/22
  • 13. Motivation Virtualization Hardware Obsoletes Shadow Paging § Nested paging introduces two-level address translation for VMs Ż Both GPT and NPT are used by CPU for address translation § Nested paging has big performance advantage over SPT Ż An acceleration of up to 48% for MMU-intensive tasks 1 § Security tools cannot intercept guest memory updates with NPT Ż Guest is free to change its GPTs, without notifying hypervisor Shadow Page Table Guest Virtual Address Physical Address Hypervisor Guest Guest Physical Address Guest Page Table Guest Virtual Address Physical Address Nested Page Table Hypervisor Guest 1 VMware: performance evaluation of Intel EPT hardware assist. SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 5/22
  • 14. Motivation Why SecPod Our Goal: A framework for virtualization-based security tools on the modern virtualization hardware with nested paging SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 6/22
  • 15. Motivation Why SecPod Our Goal: A framework for virtualization-based security tools on the modern virtualization hardware with nested paging Our Solution: SecPod: A Framework for Virtualization-based Security Systems SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 6/22
  • 16. Motivation Threat Model and Assumption § Trustworthy hardware and trusted booting Ż Load-time integrity is protected by trusted booting Ż IOMMU is properly configured to prevent DMA attacks SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 7/22
  • 17. Motivation Threat Model and Assumption § Trustworthy hardware and trusted booting Ż Load-time integrity is protected by trusted booting Ż IOMMU is properly configured to prevent DMA attacks § Hypervisor is trusted Ż Formal verification [seL4, SOSP’09], integrity protection and monitoring [HyperSafe, S&P’10] SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 7/22
  • 18. Motivation Threat Model and Assumption § Trustworthy hardware and trusted booting Ż Load-time integrity is protected by trusted booting Ż IOMMU is properly configured to prevent DMA attacks § Hypervisor is trusted Ż Formal verification [seL4, SOSP’09], integrity protection and monitoring [HyperSafe, S&P’10] § Kernel is benign but contains vulnerabilities Ż Powerful attackers can change arbitrary memory of the kernel SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 7/22
  • 19. SecPod Design SecPod Architecture SecPod & Security Tool Code/Data SPT Pool Entry Gate pv_mmu_ops.alloc_pud pv_mmu_ops.set_pud pv_mmu_ops.write_cr3 ... Normal Space Secure Space Hypervisor Trusted Boot DMA Protection Guest GPT Exit Gate User Mode Kernel Mode Key Technique I: Paging Delegation VMExit Handler Sensitive Instructions Key Technique II: Execution Trapping Up Call SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 8/22
  • 20. SecPod Design Key Technique I: Paging Delegation § SecPod creates an isolated address space from the kernel GPT SPT NormalSpace GPT SPT Securespace Traditional Shadow Paging Shadow Paging in SecPod NPT Guest HypervisorHypervisor Guest SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 9/22
  • 21. SecPod Design Key Technique I: Paging Delegation § SecPod creates an isolated address space from the kernel § Secure space maintains SPTs for the guest Ż SPTs are the only effective page tables for the guest Ż SPTs mirror GPTs (if no memory protection violation) GPT SPT NormalSpace GPT SPT Securespace Traditional Shadow Paging Shadow Paging in SecPod NPT Guest HypervisorHypervisor Guest SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 9/22
  • 22. SecPod Design Key Technique I: Paging Delegation § SecPod creates an isolated address space from the kernel § Secure space maintains SPTs for the guest Ż SPTs are the only effective page tables for the guest Ż SPTs mirror GPTs (if no memory protection violation) § SecPod forwards guest page table updates to secure space GPT SPT NormalSpace GPT SPT Securespace Traditional Shadow Paging Shadow Paging in SecPod NPT Guest HypervisorHypervisor Guest SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 9/22
  • 23. SecPod Design SecPod Address Space Layout § Normal/secure spaces use page-table based isolation Ż Entry/exit gates are the only passage Normal Space Secure Space KernelUserProcess Kernel Data RW- Kernel RO Data R-- Kernel Code R-X Kernel Data RW- Kernel RO Data R-- Kernel Code R-- SecPod Data RW- SecPod Code R-X Security Tool Data RW- Security Tool Code R-X Gate Data RW- Entry/Exit Gates R-XUser Data RW- User Code R-X SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 10/22
  • 24. SecPod Design SecPod Address Space Layout § Normal/secure spaces use page-table based isolation Ż Entry/exit gates are the only passage § Guest kernel is mapped in secure space Ż Security tools can access guest memory, but not execute it Normal Space Secure Space KernelUserProcess Kernel Data RW- Kernel RO Data R-- Kernel Code R-X Kernel Data RW- Kernel RO Data R-- Kernel Code R-- SecPod Data RW- SecPod Code R-X Security Tool Data RW- Security Tool Code R-X Gate Data RW- Entry/Exit Gates R-XUser Data RW- User Code R-X SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 10/22
  • 25. SecPod Design Protecting Secure Space Attacker might try to: § Enter secure space without security checks § Request malicious page table updates Ż e.g., to map secure memory in guest § Misuse privileged instructions Ż e.g., to load a malicious page table, to disable paging... SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 11/22
  • 26. SecPod Design Protecting Secure Space Attacker might try to: § Enter secure space without security checks § Request malicious page table updates Ż e.g., to map secure memory in guest § Misuse privileged instructions Ż e.g., to load a malicious page table, to disable paging... Our countermeasures: § Secure and efficient context switch § Page table update validation § Execution trapping of privileged instructions SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 11/22
  • 27. SecPod Design Secure and Efficient Context Switch § Entry/exit gates are only passage between secure/normal spaces Ż Each gate switches the page table, the stack... Ż Entry gate runs atomically by disabling interrupts (SIM [CCS ’09]) SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 12/22
  • 28. SecPod Design Secure and Efficient Context Switch § Entry/exit gates are only passage between secure/normal spaces Ż Each gate switches the page table, the stack... Ż Entry gate runs atomically by disabling interrupts (SIM [CCS ’09]) § Loading CR3 is a privileged instruction trapped by SecPod Ż Performance overhead is high if each context switch is trapped SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 12/22
  • 29. SecPod Design Secure and Efficient Context Switch § Entry/exit gates are only passage between secure/normal spaces Ż Each gate switches the page table, the stack... Ż Entry gate runs atomically by disabling interrupts (SIM [CCS ’09]) § Loading CR3 is a privileged instruction trapped by SecPod Ż Performance overhead is high if each context switch is trapped § Intel CR3 target list to the rescue: Ż Four page tables can be loaded without being trapped by CPU Ż There are many SPTs for the guest Ñ use a fixed top-Level page table for all SPTs SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 12/22
  • 30. SecPod Design Page Table Update Validation § SecPod enforces basic kernel memory integrity for guest Ż No mapping is allowed to the secure space code/data Ż Enforce kernel W‘X Guest Page Table Shadow Page Table SPT Update Verification ① ③ ④ ② Fast Index Tables PT PD SPD SPT NormalSpace SecureSpace SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 13/22
  • 31. SecPod Design Key Technique II: Execute Trapping § SecPod traps malicious privileged instructions executed by guest Ż It can trap intended and unintended2 privileged instructions § Hypervisor notifies secure space trapped instructions via upcalls Ż Similar to signal delivery in the traditional OS 2 X86 has variable-length instructions, unintended instructions can be “created” by jumping to the middle of an instruction. SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 14/22
  • 32. SecPod Design Trapped Sensitive Instructions Instruction Semantics LGDT Load global descriptor table LLDT load local descriptor table LIDT load interrupt descriptor table LMSW load machine status word MOV to CR0 write to CR0 MOV to CR4 write to CR4 MOV to CR8 write to CR8 MOV to CR3 load a new page table WRMSR write machine-specific registers SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 15/22
  • 33. Implementation Implementation § Paging delegation Ż Leverage Linux paravirtualization interface: pv mmu ops § Execution trapping implemented in the Hypervisor (KVM) SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 16/22
  • 34. Implementation Implementation § Paging delegation Ż Leverage Linux paravirtualization interface: pv mmu ops § Execution trapping implemented in the Hypervisor (KVM) § Security tools: Ż Compiled as ELF libraries and loaded into secure space Ż Implemented an example tool to prevent unauthorized kernel code from execution (Patagonix [USENIX Sec ’08], NICKLE [RAID ’08]) SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 16/22
  • 35. Evaluation Security Analysis § Maliciously modify secure space memory Ż Secure space memory is not mapped in the normal space Ñ try to map the secure space memory in the guest SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 17/22
  • 36. Evaluation Security Analysis § Maliciously modify secure space memory Ż Secure space memory is not mapped in the normal space Ñ try to map the secure space memory in the guest Ż Directly change the page mapping Ż Ask SecPod to map secure memory SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 17/22
  • 37. Evaluation Security Analysis § Maliciously modify secure space memory Ż Secure space memory is not mapped in the normal space Ñ try to map the secure space memory in the guest Ż Directly change the page mapping Ð SPT is isolated Ż Ask SecPod to map secure memory Ð SPT update validation SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 17/22
  • 38. Evaluation Security Analysis § Maliciously modify secure space memory Ż Secure space memory is not mapped in the normal space Ñ try to map the secure space memory in the guest Ż Directly change the page mapping Ð SPT is isolated Ż Ask SecPod to map secure memory Ð SPT update validation § Misuse privileged instructions Ż Privileged instructions by guest are trapped and verified SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 17/22
  • 39. Evaluation Performance Evaluation: LMBench 0% 20% 40% 60% 80% 100% null open/close fork signal_installm m ap TCP_bandw idth file(create)select(250fd)stat ctxsw (4p/16k) Bcopy(libc)m ain_m em PerformanceOverhead SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 18/22
  • 40. Evaluation Performance Evaluation: SysBench OLTP 0 100 200 300 400 500 600 700 2 4 8 16 32 64 128 Throughput(trans/sec) Number of Threads Linux SecPod SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 19/22
  • 41. Related Work Related Work § Virtualization-based security Ż Malware analysis: Ether[CCS’08] Ż Rootkit detection and prevention: PoKeR[EuroSys’09] Ż Virtual machine introspection: Virtuoso[S&P’11], SIM[CCS’09] § Kernel/user application security Ż Exploit mitigation techniques: ASLR, DEP, CFI[CCS’07] Ż Kernel/hypervisor memory integrity: TZ-RKP[CCS’14], HyperSafe[S&P’10], Nested Kernel[ASPLOS’15] SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 20/22
  • 42. Summary Summary SecPod & Security Tool Code/Data SPT Pool Entry Gate pv_mmu_ops.alloc_pud pv_mmu_ops.set_pud pv_mmu_ops.write_cr3 ... Normal Space Secure SpaceHypervisor Trusted Boot DMA Protection Guest GPT Exit Gate User Mode Kernel Mode Key Technique I: Paging Delegation VMExit Handler Sensitive Instructions Key Technique II: Execution Trapping Up Call § SecPod: A Framework for Virtualization-based Security Systems SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 21/22
  • 43. Summary Thank you & Questions? SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 22/22