The OS kernel is critical to the security of a computer system. Many systems have been proposed to improve its security. A fundamental weakness of those systems is that page tables, the data structures that control the memory protection, are not isolated from the vulnerable kernel, and thus subject to tampering. To address that, researchers have relied on virtualization for reliable kernel memory protection. Unfortunately, such memory protection requires to monitor every update to the guest’s page tables. This fundamentally conflicts with the recent advances in the hardware virtualization support. In this paper, we propose SecPod, an extensible framework for virtualization-based security systems that can provide both strong isolation and the compatibility with modern hardware. SecPod has two key techniques: paging delegation delegates and audits the kernel’s paging operations to a secure space; execution trapping intercepts the (compromised) kernel’s attempts to subvert SecPod by misusing privileged instructions. We have implemented a prototype of SecPod based on KVM. Our experiments show that SecPod is both effective and efficient.
Slides from webinar by Mirantis about how to build a basic edge cloud using surveillance cameras. Watch the webinar recording at: https://bit.ly/mirantis-edge-cloud
From ATT&CKcon 3.0
By Jared Stroud, Lacework
Adversaries target common cloud misconfigurations in container-focused workflows for initial access. Whether this is Docker or Kubernetes environments, Lacework Labs has identified adversaries attempting to deploy malicious container images (T1610) , mine Cryptocurrency (T1496), and deploy C2 agents. Defenders new to the container space may be unaware of the built-in capabilities popular container runtime engines have that can help defend against rogue containers being deployed into their environment. Attendees will walk away with an understanding of what these attack patterns look like based on honeypot data Lacework has gathered over the past year, as well as techniques on how to defend their own container focused workloads.
Slides from webinar by Mirantis about how to build a basic edge cloud using surveillance cameras. Watch the webinar recording at: https://bit.ly/mirantis-edge-cloud
From ATT&CKcon 3.0
By Jared Stroud, Lacework
Adversaries target common cloud misconfigurations in container-focused workflows for initial access. Whether this is Docker or Kubernetes environments, Lacework Labs has identified adversaries attempting to deploy malicious container images (T1610) , mine Cryptocurrency (T1496), and deploy C2 agents. Defenders new to the container space may be unaware of the built-in capabilities popular container runtime engines have that can help defend against rogue containers being deployed into their environment. Attendees will walk away with an understanding of what these attack patterns look like based on honeypot data Lacework has gathered over the past year, as well as techniques on how to defend their own container focused workloads.
Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep diveCisco DevNet
A session in the DevNet Zone at Cisco Live, Berlin. Targeted Attacks, which the media refers to as APTs, are threats that must be addressed by any organization requiring networked computers to do business. In this session we will go over the run book techniques used by these threat actors and then go over strategies for mitigating those attacks. In this session we will focus on the concepts that developers of network applications need to be aware of to mitigate these styles of attacks and techniques to use. To finish off, we will delve into pxGrid and what it can offer to break these APT style attack playbooks. Backgrounder: We obtained knowledge of these run book techniques from trusted advisors, peers in the industry and from our own observations. Our own observations included information from our CSIRT, our security products in the field as well as our internal phishing awareness campaign. After studying these techniques we devised strategies to mitigate them. Those strategies were then tested and deployed throughout our ecosystem. The Cisco CSDL initiative and ACT2 chips will also be techniques and tools highlighted in this session.
Ce talk est une introduction au Secure Coding pour Java. Il s'efforcera de présenter via différents exemples les bonnes pratiques permettant de développer de manière pragmatique une application java sécurisée. Nous aborderons aussi bien des pratiques fonctionnelles que des morceaux de codes java à erreurs et leur correctifs.
Secure Application Development in the Age of Continuous DeliveryTim Mackey
As delivered at LinuxCon and ContainerCon in Berlin 2016.
Traditionally, when datacenter operators talk about application security, they've tended to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques.
The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment of micro-services, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily.
In this session we’ll present:
• How known vulnerabilities can make their way into production deployments
• How deployment of vulnerable code can be minimized
• How to determine the vulnerability status of a container
• How to determine the risk associated with a specific package
DEVNET-1148 Leveraging Cisco OpenStack Private Cloud for DevelopersCisco DevNet
In this session, participants will gain an insight into how to deploy a continuous integration environment for application delivery using Cisco OpenStack Private Cloud APIs. The session will cover several open source technologies including Gitlab, Jenkins, Docker, OpenStack Heat, Ansible, and Terraform with the purpose of delivering a simple ReactJS application.
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...JPCERT Coordination Center
Recently we’ve seen many vulnerabilities related to improper certificate validation. Those vulnerabilities come from developers’ ignorance or misunderstanding of basic knowledge of certificate validation or insufficient testing of validation code. This presentation starts with the basics of the certificate validation process, surveys several vulnerabilities in the real world, and concludes with lessons learned from real-world vulnerabilities.
This is presented on JavaOne2015.
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud EnvironmentDevOps.com
Today, running applications in the cloud is a must-have. But that doesn’t mean it’s risk-free. In this webinar, CircleCI and xMatters will discuss security issues in the application lifecycle, and demo solutions so your team can be confident you’re deploying safely and securely. Join to understand:
Common risks and vulnerabilities in cloud deployments
Patterns and best practices for ease of testing and deployment management
How CircleCi and xMatters make deploying to cloud (especially multi-cloud environments) safer and more secure
Serverless Security: A How-to Guide @ SnowFROC 2019James Wickett
Serverless Security: A How-to Guide @ SnowFROC 2019
Covering serverless basics, looking at lambhack, and architectures/models for serverless. Special thanks to Signal Sciences!
SDN and Security: A Marriage Made in Heaven. Or Not.Priyanka Aash
Software-defined networking has come onto the scene and changed the way we think about moving packets throughout a network. But it has also morphed into multiple definitions and approaches, driven by both vendors and enterprise customers. But how does security fit into this picture? This talk will discuss the convergence of SDN and security and will try to make sense of them both.
Learning Objectives:
1: Understand all types of SDN.
2: Understand SDN and security.
3: Understand how a secure SDN makes a network safer.
(Source: RSA Conference USA 2018)
The How and Why of Container Vulnerability ManagementTim Mackey
As presented at OpenShift Commons Sept 8, 2016.
Cyber threats consistently rank as a high priority for data center operators and their reliability teams. As increasingly sophisticated attacks mount, the risk associated with a zero-day attack is significant. Traditional responses include perimeter monitoring and associated network defenses. Since those defenses are reactive to application issues attackers choose to exploit, it’s critical to have visibility into both what is in your container library, but also what the current state of vulnerability activity might be. Current vulnerability information for container images can readily be obtained by using the scan action on Atomic hosts in your OpenShift Container Platform.
In this session we’ll cover how an issue becomes a disclosed vulnerability, how to determine the risk associated with your container usage, and potential mitigation patterns you might choose to utilize to limit any potential scope of compromise.
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Márcio Rosa
Nessa apresentação falamos do estudo de caso da fintech VC+, abordamos o que fizemos para nos proteger e as principais lições aprendidas, assim como abordaremos o que não fazer. Demonstraremos também um Account Hijacking em um dos aplicativos mais conhecidos do mercado (anonimizado)
The Future of Security and Productivity in Our Newly Remote WorldDevOps.com
Andy has made mistakes. He's seen even more. And in this talk he details the best and the worst of the container and Kubernetes security problems he's experienced, exploited, and remediated.
This talk details low level exploitable issues with container and Kubernetes deployments. We focus on lessons learned, and show attendees how to ensure that they do not fall victim to avoidable attacks.
See how to bypass security controls and exploit insecure defaults in this technical appraisal of the container and cluster security landscape.
Securing your Container Environment with Open SourceMichael Ducy
Cloud Native platforms such as Kubernetes and Cloud Foundry help developers to easily get started deploying and running their applications at scale. But as this access to compute starts to become ubiquitous, how you secure and maintain compliance standards in these environments becomes extremely important. In this talk we'll cover the basics of securing Cloud Native platforms such as Kubernetes. We will also cover open source tools - such as Clair, Anchore, and Sysdig Falco - that can be used to maintain secure computing environment. Attendees will walk away with a good understanding of the challenges of securing a Cloud Native platform and practical advice on using open source tools as part of their security strategy.
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...DevOpsDays Riga
With the rise of DevOps, containers are at the brink of becoming a pervasive technology in Enterprise IT to accelerate application delivery for the business. When it comes to adopting containers in the enterprise, Security is the highest adoption barrier.
An Introduction to Cloudera Impala, shows how Impala works, and the internal processing of query of Impala, including architecture, frontend, query compilation, backend, code generation, HDFS-related stuff and performance comparison.
Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep diveCisco DevNet
A session in the DevNet Zone at Cisco Live, Berlin. Targeted Attacks, which the media refers to as APTs, are threats that must be addressed by any organization requiring networked computers to do business. In this session we will go over the run book techniques used by these threat actors and then go over strategies for mitigating those attacks. In this session we will focus on the concepts that developers of network applications need to be aware of to mitigate these styles of attacks and techniques to use. To finish off, we will delve into pxGrid and what it can offer to break these APT style attack playbooks. Backgrounder: We obtained knowledge of these run book techniques from trusted advisors, peers in the industry and from our own observations. Our own observations included information from our CSIRT, our security products in the field as well as our internal phishing awareness campaign. After studying these techniques we devised strategies to mitigate them. Those strategies were then tested and deployed throughout our ecosystem. The Cisco CSDL initiative and ACT2 chips will also be techniques and tools highlighted in this session.
Ce talk est une introduction au Secure Coding pour Java. Il s'efforcera de présenter via différents exemples les bonnes pratiques permettant de développer de manière pragmatique une application java sécurisée. Nous aborderons aussi bien des pratiques fonctionnelles que des morceaux de codes java à erreurs et leur correctifs.
Secure Application Development in the Age of Continuous DeliveryTim Mackey
As delivered at LinuxCon and ContainerCon in Berlin 2016.
Traditionally, when datacenter operators talk about application security, they've tended to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques.
The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment of micro-services, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily.
In this session we’ll present:
• How known vulnerabilities can make their way into production deployments
• How deployment of vulnerable code can be minimized
• How to determine the vulnerability status of a container
• How to determine the risk associated with a specific package
DEVNET-1148 Leveraging Cisco OpenStack Private Cloud for DevelopersCisco DevNet
In this session, participants will gain an insight into how to deploy a continuous integration environment for application delivery using Cisco OpenStack Private Cloud APIs. The session will cover several open source technologies including Gitlab, Jenkins, Docker, OpenStack Heat, Ansible, and Terraform with the purpose of delivering a simple ReactJS application.
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...JPCERT Coordination Center
Recently we’ve seen many vulnerabilities related to improper certificate validation. Those vulnerabilities come from developers’ ignorance or misunderstanding of basic knowledge of certificate validation or insufficient testing of validation code. This presentation starts with the basics of the certificate validation process, surveys several vulnerabilities in the real world, and concludes with lessons learned from real-world vulnerabilities.
This is presented on JavaOne2015.
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud EnvironmentDevOps.com
Today, running applications in the cloud is a must-have. But that doesn’t mean it’s risk-free. In this webinar, CircleCI and xMatters will discuss security issues in the application lifecycle, and demo solutions so your team can be confident you’re deploying safely and securely. Join to understand:
Common risks and vulnerabilities in cloud deployments
Patterns and best practices for ease of testing and deployment management
How CircleCi and xMatters make deploying to cloud (especially multi-cloud environments) safer and more secure
Serverless Security: A How-to Guide @ SnowFROC 2019James Wickett
Serverless Security: A How-to Guide @ SnowFROC 2019
Covering serverless basics, looking at lambhack, and architectures/models for serverless. Special thanks to Signal Sciences!
SDN and Security: A Marriage Made in Heaven. Or Not.Priyanka Aash
Software-defined networking has come onto the scene and changed the way we think about moving packets throughout a network. But it has also morphed into multiple definitions and approaches, driven by both vendors and enterprise customers. But how does security fit into this picture? This talk will discuss the convergence of SDN and security and will try to make sense of them both.
Learning Objectives:
1: Understand all types of SDN.
2: Understand SDN and security.
3: Understand how a secure SDN makes a network safer.
(Source: RSA Conference USA 2018)
The How and Why of Container Vulnerability ManagementTim Mackey
As presented at OpenShift Commons Sept 8, 2016.
Cyber threats consistently rank as a high priority for data center operators and their reliability teams. As increasingly sophisticated attacks mount, the risk associated with a zero-day attack is significant. Traditional responses include perimeter monitoring and associated network defenses. Since those defenses are reactive to application issues attackers choose to exploit, it’s critical to have visibility into both what is in your container library, but also what the current state of vulnerability activity might be. Current vulnerability information for container images can readily be obtained by using the scan action on Atomic hosts in your OpenShift Container Platform.
In this session we’ll cover how an issue becomes a disclosed vulnerability, how to determine the risk associated with your container usage, and potential mitigation patterns you might choose to utilize to limit any potential scope of compromise.
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Márcio Rosa
Nessa apresentação falamos do estudo de caso da fintech VC+, abordamos o que fizemos para nos proteger e as principais lições aprendidas, assim como abordaremos o que não fazer. Demonstraremos também um Account Hijacking em um dos aplicativos mais conhecidos do mercado (anonimizado)
The Future of Security and Productivity in Our Newly Remote WorldDevOps.com
Andy has made mistakes. He's seen even more. And in this talk he details the best and the worst of the container and Kubernetes security problems he's experienced, exploited, and remediated.
This talk details low level exploitable issues with container and Kubernetes deployments. We focus on lessons learned, and show attendees how to ensure that they do not fall victim to avoidable attacks.
See how to bypass security controls and exploit insecure defaults in this technical appraisal of the container and cluster security landscape.
Securing your Container Environment with Open SourceMichael Ducy
Cloud Native platforms such as Kubernetes and Cloud Foundry help developers to easily get started deploying and running their applications at scale. But as this access to compute starts to become ubiquitous, how you secure and maintain compliance standards in these environments becomes extremely important. In this talk we'll cover the basics of securing Cloud Native platforms such as Kubernetes. We will also cover open source tools - such as Clair, Anchore, and Sysdig Falco - that can be used to maintain secure computing environment. Attendees will walk away with a good understanding of the challenges of securing a Cloud Native platform and practical advice on using open source tools as part of their security strategy.
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...DevOpsDays Riga
With the rise of DevOps, containers are at the brink of becoming a pervasive technology in Enterprise IT to accelerate application delivery for the business. When it comes to adopting containers in the enterprise, Security is the highest adoption barrier.
An Introduction to Cloudera Impala, shows how Impala works, and the internal processing of query of Impala, including architecture, frontend, query compilation, backend, code generation, HDFS-related stuff and performance comparison.
Impala Architecture Presentation at Toronto Hadoop User Group, in January 2014 by Mark Grover.
Event details:
http://www.meetup.com/TorontoHUG/events/150328602/
When it comes to the purchase of highly popular Herba Life programmes and products in the UK, NutritionSlim strikes the mind first. Visit its website to buy Herbalife Nutritional meal replacement shakes that contain vitamins & minerals in abundance.
For more information visit us at ;
http://www.nutritionslim.co.uk/herbalife_distributor.php
Kudu: Resolving Transactional and Analytic Trade-offs in Hadoopjdcryans
Presentation given on October 22nd, 2015, at the SF Spark and Friends meetup hosted by Quantcast. A recording should be available soon on the meetup's page: http://www.meetup.com/SF-Spark-and-Friends/events/226023299/
Learn about the uses and benefits of meal replacements and protein shakes!
Meal replacements and protein shakes are popular and versatile dietary supplements used by a wide variety of people, for a number of health goals. For example: by athletes and body-builders for a protein boost, to support their recovery times and performance; by slimmers, looking for low calorie, nutrients-fortified meal substitutes; by those suffering with food allergies or intolerances, such as coeliacs; and by those on low-protein diets, such as vegans and vegetarians.
Specialist Supplements Ltd is a premium supplier of health supplements, including dairy-free, gluten-free and vegan meal replacement shakes and protein powders. We are based in the UK and all of our products are manufactured here under quality assured standards (including ISO 9001).
Our other product ranges include digestive aids, colon cleansers, probiotics, cleanse and detox, antioxidants, superfoods, organic products, weight management support supplements, sports and muscle mass products and vegetarian and vegan supplements.
Visit us today at: http://www.specialistsupplements.co.uk
Data Infused Product Design and Insights at LinkedInYael Garten
Presentation from a talk given at Boston Big Data Innovation Summit, September 2012.
Summary: The Data Science team at LinkedIn focuses on 3 main goals: (1) providing data-driven business and product insights, (2) creating data products, and (3) extracting interesting insights from our data such as analysis of the economic status of the country or identifying hot companies in a certain geographic region. In this talk I describe how we ensure that our products are data driven -- really data infused at the core -- and share interesting insights we uncover using LinkedIn's rich data. We discuss what makes a good data scientist, and what techniques and technologies LinkedIn data scientists use to convert our rich data into actionable product and business insights, to create data-driven products that truly serve our members.
A Perspective from the intersection Data Science, Mobility, and Mobile DevicesYael Garten
Invited talk at Stanford CSEE392I (Seminar on Trends in Computing and Communications) April 24, 2014.
Covered three topics: (1) Data science at LinkedIn. (2) Mobile data science — how is it different, challenges and opportunities. Examples of how data science impacts business and product decisions. (3) Mobile today, and LinkedIn's mobile story.
Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)Yue Chen
Fine-grained live ASLR (address space layout randomization) during runtime, periodically or with random time intervals.
This can significantly leverage the bar of code reuse attack, like return-oriented programming (ROP).
In case of information leak, sine it is runtime dynamic ASLR, the memory layout can be changed.
keywords for search: control-flow integrity, CFI, memory corruption, Oakland, IEEE S&P, CCS, USENIX Security, NDSS, CODASPY, memory bugs, memory error, buffer overflow, crash, use after free, double free, ptrace
Real-time Big Data Analytics Engine using ImpalaJason Shih
Cloudera Impala is an open-source under Apache Licence enable real-time, interactive analytical SQL queries of the data stored in HBase or HDFS. The work was inspired by Google Dremel paper which is also the basis for Google BigQuery. It provide access same unified storage platform base on it's own distributed query engine but does not use mapreduce. In addition, it use also the same metadata, SQL syntax (HiveQL-like) ODBC driver and user interface (Hue Beeswax) as Hive. Besides the traditional Hadoop approach, aim to provide low-cost solution for resiliency and batch-oriented distributed data processing, we found more and more effort in the Big Data world pursuing the right solution for ad-hoc, fast queries and realtime data processing for large datasets. In this presentation, we'll explore how to run interactive queries inside Impala, advantages of the approach, architecture and understand how it optimizes data systems including also practical performance analysis.
Our InShape Meal Shakes are a delicious part of QNET’s weight management range. Here are 8 Recipes for a healthier, happier you! Exclusively available from www.qnet.net
Know more about QNET by visiting these sites:
http://www.qnetlife.net
https://twitter.com/QNetOfficial
https://www.youtube.com/user/QNETofficial
https://play.google.com/store/apps/details?id=com.qnet.estore.android&hl=en
https://www.facebook.com/QNETIndiaOfficial
Building a fraud detection application using the tools in the Hadoop ecosystem. Presentation given by authors of O'Reilly's Hadoop Application Architectures book at Strata + Hadoop World in San Jose, CA 2016.
How to use your data science team: Becoming a data-driven organizationYael Garten
Talk given at Strata Hadoop World conference March 2016.
http://conferences.oreilly.com/strata/hadoop-big-data-ca/public/schedule/detail/48305
In this talk we review the culture, process and tools needed for a data driven organization. We review an example of how companies like LinkedIn use data to make business decisions, and then walk through the culture, process, and tools needed to foster this. We review the spectrum of data science used within an organization and explore organizational needs, such as the democratization of data via self-serve data platforms for experimentation, monitoring, and data exploration, as well as the challenges that come with such systems. Participants leave this session with the ability to identify opportunities for data scientists to contribute within their organization and with an understanding of what investments are needed to drive transformation into a data-driven organization.
Network security specialist Catherine Paquetl fills you in on advanced threat protection that integrates real-time contextual awareness, intelligent security automation and superior performance with industry-leading network intrusion prevention, Sourcefire.
ABOUT THE PRESENTER
Catherine Paquet, CCSI, CCNP Security, CCNP Routing and Switching, is a network security specialist. She began her internetworking career as a LAN manager, then MAN manager, and eventually became a nationwide WAN manager with the Department of National Defence. Paquet lectures around the world on security topics, including firewalls, VPNs, intrusion prevention, identity systems, email and Web security, and router and switch security. During her spare time, she authors Cisco Press books, and she volunteers as a network security analyst to nonprofit organizations. Paquet attended the Royal Military College Saint-Jean (Canada) and holds an MBA in Management Information Systems (MIS) from York University.
Confidential Computing in Azure - SlideShare Ed Dec 2022.pptxCarlo Sacchi
Keynote on Confidential Computing on Microsoft Azure, event that took place at "Sytac Azure Night" in December 2022, Amsterdam.
A Short long story on what is Confidential Computing, why it's so important and some interesting uses case
"This workshop is for pentesters, security researchers or someone looking to get into IoT security but is reluctant due to the wide range of technologies involved and plethora of different tools. While it does require a considerable amount of knowledge in the domain, it is not as difficult as you may think. In this workshop we will introduce you to some of the important concepts and EXPLIoT framework in a very simple way that can be used for the various IoT attack vectors. The primary focus of this workshop is to introduce the attendees to the open source IoT Security Testing and Exploitation Framework - EXPLIoT (https://gitlab.com/expliot_framework/expliot) and enable them to use as well as extend it by writing plugins for new IoT based exploits and analysis test cases. It’s a flexible and extendable framework that would help the security community in writing quick IoT test cases and exploits. The objectives of the framework are:
1. Easy to use
2. Extendable
3. Support for hardware, radio and IoT protocol analysis
EXPLIoT currently supports the following protocols which can be utilized for writing new plugins/exploits:
1. Radio – BLE , Zigbee
2. Network – MQTT, CoAP, DICOM, MODBUS, MDNS, NMAP, TCP, UDP
3. Hardware – CAN, SPI, I2C, UART, JTAG
This talk would give attendees a first-hand view of the functionality, how to use it and how to write plugins to extend the framework."
Privileged Access Management for the Software-Defined NetworkCA Technologies
New extensions to CA Privileged Access Manager significantly expand the ability of the product to protect and defend resources in VMware NSX virtualized network environments. In this session, we’ll examine and demonstrate those capabilities, which take advantage of new technologies and methods made available by the NSX infrastructure, in more detail.
For more information, please visit http://cainc.to/Nv2VOe
Security automation in virtual and cloud environments v2rpark31
Virtualization security must be as dynamic as the environment it is protecting. Learn how to build security automation into your virtual and cloud computing environments by using VMware's vShield API.
In this webinar, you will learn:
1. An introduction to security automation and why it matters
2. An overview of VMware's vShield and its API
3. Real world cloud examples of how to use the vShield API for security automation
Docker on a laptop is easy, but Docker in the cloud is hard. What makes that transition so hard, and what can we do about it? How does this challenge affect the hosting infrastructure and application design? Casey will share lessons learned so far and further questions uncovered in Joyent’s work to build support for Docker in public and private cloud environments.
See also http://www.meetup.com/Docker-San-Diego/events/221128898/ and http://www.meetup.com/Docker-Orange-County/events/221129001/
Protecting the Software-Defined Data Center from Data BreachCA Technologies
In this session, learn:
Security Requirements for our next generation software defined data centers
VMware NSX™, VMware’s network virtualization platform, and how it protects the software defined data center
CA Privileged Access Manager for VMware NSX™, and how it protects the management plane of VMware NSX™
For more information, please visit http://cainc.to/Nv2VOe
A practical guide to building secure composable SaaS solutions with Sitecore in the cloud. Learn the methodology, process, and get the blueprints for building secure exterprise applications with Sitecore XM Cloud in Azure Cloud.
As the Xen hypervisor evolves so do the chances for a potentially exploitable bug to be introduced. This is the case for XSA-105/106, where a number of oversights in the x86 instruction emulator created the opportunity for a number of exploits.
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...Amazon Web Services
Building seamless, consistent security policies across on-premises and cloud IT environments can be challenging without comprehensive workload visibility. Learn how to gain greater control over your applications, automatically create consistent and uniform security policies, and prevent known and unknown threats within application flows.
Join us to Learn:
How to protect and automate your AWS deployments while maintaining data segregation
Best practices for creating consistent security for data moving to and from the cloud
How to securely extend your application development testing environment to AWS
Speakers:
AWS Speaker: David Wright, Solution Architect
Palo Alto Networks Speaker: Bisham Kishnani, Senior Consulting Engineer
Implementing Fast IT Deploying Applications at the Pace of Innovation Cisco DevNet
Fast innovation requires Fast IT: the new model for IT that transforms the way we deliver new business application capabilities to our clients.
Cisco IT has created solutions that enable automated provisioning of environments and fast deployment of cloud applications through “Software Development-as-a-Service”.
In this session, we’ll provide a hands-on experience of how application teams use an automated toolset to combine quality and agility, while reducing operational expense. We’ll also provide a view of the key technologies that enable this solution.
Finally, there’s a quick glimpse into what’s next: containerization and IOE Application Enablement.
Despite advances in security, hackers continue to break through network defenses. In this hour-long webinar, network security specialist Catherine Paquet will examine the favorite methods and targets of hackers and will introduce you to the different categories of security technologies. In this foundational presentation, you will learn about the benefits of security solutions such as firewalls, VPNs, IPS, identity services and BYOD.
EncExec
A cold boot attack is a powerful physical attack that can dump the
memory of a computer system and extract sensitive data from it. Previous defenses
focus on storing cryptographic keys off the memory in the limited storage
“borrowed” from hardware chips. In this paper, we propose EncExec, a practical
and effective defense against cold boot attacks. EncExec has two key techniques:
spatial cache reservation and secure in-cache execution. The former overcomes
the challenge that x86 processors lack a fine-grained cache control by reserving a
small block of the CPU’s level-3 cache exclusively for use by EncExec; the latter
leverages the reserved cache to enable split views of the protected data: the data
stored in the physical memory is always encrypted, and the plaintext view of the
data is strictly confined to the reserved cache. Consequently, a cold boot attack can
only obtain the encrypted form of the data. We have built a prototype of EncExec
for the FreeBSD system. The evaluation demonstrates that EncExec is a practical
and effective defense against cold boot attacks.
A Time Machine to pinpoint vulnerabilities.
Memory-based vulnerabilities are a major source of attack vectors. They allow attackers to gain unauthorized access to computers and their data. Previous research has made significant progress in detecting attacks. However, developers still need to locate and fix these vulnerabilities, a mostly manual and time-consuming process. They face a number of challenges. Particularly, the manifestation of an attack does not always coincide with the exploited vulnerabilities, and many attacks are hard to reproduce in the lab environment, leaving developers with limited information to locate them. In this paper, we propose Ravel, an architectural approach to pinpoint vulnerabilities from attacks. Ravel consists of an online attack detector and an offline vulnerability locator linked by a record & replay mechanism. Specifically, Ravel records the execution of a production system and simultaneously monitors it for attacks. If an attack is detected, the execution is replayed to reveal the targeted vulnerabilities by analyzing the program's memory access patterns under attack. We have built a prototype of Ravel based on the open-source FreeBSD operating system. The evaluation results in security and performance demonstrate that Ravel can effectively pinpoint various types of memory vulnerabilities and has low performance overhead.
How the new operation of Hadoop Distributed FIle System (HDFS) -- Append works. The internals of the processing. The new states that are more than the write operation.
THE IMPORTANCE OF MARTIAN ATMOSPHERE SAMPLE RETURN.Sérgio Sacani
The return of a sample of near-surface atmosphere from Mars would facilitate answers to several first-order science questions surrounding the formation and evolution of the planet. One of the important aspects of terrestrial planet formation in general is the role that primary atmospheres played in influencing the chemistry and structure of the planets and their antecedents. Studies of the martian atmosphere can be used to investigate the role of a primary atmosphere in its history. Atmosphere samples would also inform our understanding of the near-surface chemistry of the planet, and ultimately the prospects for life. High-precision isotopic analyses of constituent gases are needed to address these questions, requiring that the analyses are made on returned samples rather than in situ.
Richard's aventures in two entangled wonderlandsRichard Gill
Since the loophole-free Bell experiments of 2020 and the Nobel prizes in physics of 2022, critics of Bell's work have retreated to the fortress of super-determinism. Now, super-determinism is a derogatory word - it just means "determinism". Palmer, Hance and Hossenfelder argue that quantum mechanics and determinism are not incompatible, using a sophisticated mathematical construction based on a subtle thinning of allowed states and measurements in quantum mechanics, such that what is left appears to make Bell's argument fail, without altering the empirical predictions of quantum mechanics. I think however that it is a smoke screen, and the slogan "lost in math" comes to my mind. I will discuss some other recent disproofs of Bell's theorem using the language of causality based on causal graphs. Causal thinking is also central to law and justice. I will mention surprising connections to my work on serial killer nurse cases, in particular the Dutch case of Lucia de Berk and the current UK case of Lucy Letby.
Introduction:
RNA interference (RNAi) or Post-Transcriptional Gene Silencing (PTGS) is an important biological process for modulating eukaryotic gene expression.
It is highly conserved process of posttranscriptional gene silencing by which double stranded RNA (dsRNA) causes sequence-specific degradation of mRNA sequences.
dsRNA-induced gene silencing (RNAi) is reported in a wide range of eukaryotes ranging from worms, insects, mammals and plants.
This process mediates resistance to both endogenous parasitic and exogenous pathogenic nucleic acids, and regulates the expression of protein-coding genes.
What are small ncRNAs?
micro RNA (miRNA)
short interfering RNA (siRNA)
Properties of small non-coding RNA:
Involved in silencing mRNA transcripts.
Called “small” because they are usually only about 21-24 nucleotides long.
Synthesized by first cutting up longer precursor sequences (like the 61nt one that Lee discovered).
Silence an mRNA by base pairing with some sequence on the mRNA.
Discovery of siRNA?
The first small RNA:
In 1993 Rosalind Lee (Victor Ambros lab) was studying a non- coding gene in C. elegans, lin-4, that was involved in silencing of another gene, lin-14, at the appropriate time in the
development of the worm C. elegans.
Two small transcripts of lin-4 (22nt and 61nt) were found to be complementary to a sequence in the 3' UTR of lin-14.
Because lin-4 encoded no protein, she deduced that it must be these transcripts that are causing the silencing by RNA-RNA interactions.
Types of RNAi ( non coding RNA)
MiRNA
Length (23-25 nt)
Trans acting
Binds with target MRNA in mismatch
Translation inhibition
Si RNA
Length 21 nt.
Cis acting
Bind with target Mrna in perfect complementary sequence
Piwi-RNA
Length ; 25 to 36 nt.
Expressed in Germ Cells
Regulates trnasposomes activity
MECHANISM OF RNAI:
First the double-stranded RNA teams up with a protein complex named Dicer, which cuts the long RNA into short pieces.
Then another protein complex called RISC (RNA-induced silencing complex) discards one of the two RNA strands.
The RISC-docked, single-stranded RNA then pairs with the homologous mRNA and destroys it.
THE RISC COMPLEX:
RISC is large(>500kD) RNA multi- protein Binding complex which triggers MRNA degradation in response to MRNA
Unwinding of double stranded Si RNA by ATP independent Helicase
Active component of RISC is Ago proteins( ENDONUCLEASE) which cleave target MRNA.
DICER: endonuclease (RNase Family III)
Argonaute: Central Component of the RNA-Induced Silencing Complex (RISC)
One strand of the dsRNA produced by Dicer is retained in the RISC complex in association with Argonaute
ARGONAUTE PROTEIN :
1.PAZ(PIWI/Argonaute/ Zwille)- Recognition of target MRNA
2.PIWI (p-element induced wimpy Testis)- breaks Phosphodiester bond of mRNA.)RNAse H activity.
MiRNA:
The Double-stranded RNAs are naturally produced in eukaryotic cells during development, and they have a key role in regulating gene expression .
What is greenhouse gasses and how many gasses are there to affect the Earth.moosaasad1975
What are greenhouse gasses how they affect the earth and its environment what is the future of the environment and earth how the weather and the climate effects.
Nutraceutical market, scope and growth: Herbal drug technologyLokesh Patil
As consumer awareness of health and wellness rises, the nutraceutical market—which includes goods like functional meals, drinks, and dietary supplements that provide health advantages beyond basic nutrition—is growing significantly. As healthcare expenses rise, the population ages, and people want natural and preventative health solutions more and more, this industry is increasing quickly. Further driving market expansion are product formulation innovations and the use of cutting-edge technology for customized nutrition. With its worldwide reach, the nutraceutical industry is expected to keep growing and provide significant chances for research and investment in a number of categories, including vitamins, minerals, probiotics, and herbal supplements.
Multi-source connectivity as the driver of solar wind variability in the heli...Sérgio Sacani
The ambient solar wind that flls the heliosphere originates from multiple
sources in the solar corona and is highly structured. It is often described
as high-speed, relatively homogeneous, plasma streams from coronal
holes and slow-speed, highly variable, streams whose source regions are
under debate. A key goal of ESA/NASA’s Solar Orbiter mission is to identify
solar wind sources and understand what drives the complexity seen in the
heliosphere. By combining magnetic feld modelling and spectroscopic
techniques with high-resolution observations and measurements, we show
that the solar wind variability detected in situ by Solar Orbiter in March
2022 is driven by spatio-temporal changes in the magnetic connectivity to
multiple sources in the solar atmosphere. The magnetic feld footpoints
connected to the spacecraft moved from the boundaries of a coronal hole
to one active region (12961) and then across to another region (12957). This
is refected in the in situ measurements, which show the transition from fast
to highly Alfvénic then to slow solar wind that is disrupted by the arrival of
a coronal mass ejection. Our results describe solar wind variability at 0.5 au
but are applicable to near-Earth observatories.
A brief information about the SCOP protein database used in bioinformatics.
The Structural Classification of Proteins (SCOP) database is a comprehensive and authoritative resource for the structural and evolutionary relationships of proteins. It provides a detailed and curated classification of protein structures, grouping them into families, superfamilies, and folds based on their structural and sequence similarities.
Seminar of U.V. Spectroscopy by SAMIR PANDASAMIR PANDA
Spectroscopy is a branch of science dealing the study of interaction of electromagnetic radiation with matter.
Ultraviolet-visible spectroscopy refers to absorption spectroscopy or reflect spectroscopy in the UV-VIS spectral region.
Ultraviolet-visible spectroscopy is an analytical method that can measure the amount of light received by the analyte.
Deep Behavioral Phenotyping in Systems Neuroscience for Functional Atlasing a...Ana Luísa Pinho
Functional Magnetic Resonance Imaging (fMRI) provides means to characterize brain activations in response to behavior. However, cognitive neuroscience has been limited to group-level effects referring to the performance of specific tasks. To obtain the functional profile of elementary cognitive mechanisms, the combination of brain responses to many tasks is required. Yet, to date, both structural atlases and parcellation-based activations do not fully account for cognitive function and still present several limitations. Further, they do not adapt overall to individual characteristics. In this talk, I will give an account of deep-behavioral phenotyping strategies, namely data-driven methods in large task-fMRI datasets, to optimize functional brain-data collection and improve inference of effects-of-interest related to mental processes. Key to this approach is the employment of fast multi-functional paradigms rich on features that can be well parametrized and, consequently, facilitate the creation of psycho-physiological constructs to be modelled with imaging data. Particular emphasis will be given to music stimuli when studying high-order cognitive mechanisms, due to their ecological nature and quality to enable complex behavior compounded by discrete entities. I will also discuss how deep-behavioral phenotyping and individualized models applied to neuroimaging data can better account for the subject-specific organization of domain-general cognitive systems in the human brain. Finally, the accumulation of functional brain signatures brings the possibility to clarify relationships among tasks and create a univocal link between brain systems and mental functions through: (1) the development of ontologies proposing an organization of cognitive processes; and (2) brain-network taxonomies describing functional specialization. To this end, tools to improve commensurability in cognitive science are necessary, such as public repositories, ontology-based platforms and automated meta-analysis tools. I will thus discuss some brain-atlasing resources currently under development, and their applicability in cognitive as well as clinical neuroscience.
Cancer cell metabolism: special Reference to Lactate PathwayAADYARAJPANDEY1
Normal Cell Metabolism:
Cellular respiration describes the series of steps that cells use to break down sugar and other chemicals to get the energy we need to function.
Energy is stored in the bonds of glucose and when glucose is broken down, much of that energy is released.
Cell utilize energy in the form of ATP.
The first step of respiration is called glycolysis. In a series of steps, glycolysis breaks glucose into two smaller molecules - a chemical called pyruvate. A small amount of ATP is formed during this process.
Most healthy cells continue the breakdown in a second process, called the Kreb's cycle. The Kreb's cycle allows cells to “burn” the pyruvates made in glycolysis to get more ATP.
The last step in the breakdown of glucose is called oxidative phosphorylation (Ox-Phos).
It takes place in specialized cell structures called mitochondria. This process produces a large amount of ATP. Importantly, cells need oxygen to complete oxidative phosphorylation.
If a cell completes only glycolysis, only 2 molecules of ATP are made per glucose. However, if the cell completes the entire respiration process (glycolysis - Kreb's - oxidative phosphorylation), about 36 molecules of ATP are created, giving it much more energy to use.
IN CANCER CELL:
Unlike healthy cells that "burn" the entire molecule of sugar to capture a large amount of energy as ATP, cancer cells are wasteful.
Cancer cells only partially break down sugar molecules. They overuse the first step of respiration, glycolysis. They frequently do not complete the second step, oxidative phosphorylation.
This results in only 2 molecules of ATP per each glucose molecule instead of the 36 or so ATPs healthy cells gain. As a result, cancer cells need to use a lot more sugar molecules to get enough energy to survive.
Unlike healthy cells that "burn" the entire molecule of sugar to capture a large amount of energy as ATP, cancer cells are wasteful.
Cancer cells only partially break down sugar molecules. They overuse the first step of respiration, glycolysis. They frequently do not complete the second step, oxidative phosphorylation.
This results in only 2 molecules of ATP per each glucose molecule instead of the 36 or so ATPs healthy cells gain. As a result, cancer cells need to use a lot more sugar molecules to get enough energy to survive.
introduction to WARBERG PHENOMENA:
WARBURG EFFECT Usually, cancer cells are highly glycolytic (glucose addiction) and take up more glucose than do normal cells from outside.
Otto Heinrich Warburg (; 8 October 1883 – 1 August 1970) In 1931 was awarded the Nobel Prize in Physiology for his "discovery of the nature and mode of action of the respiratory enzyme.
WARNBURG EFFECT : cancer cells under aerobic (well-oxygenated) conditions to metabolize glucose to lactate (aerobic glycolysis) is known as the Warburg effect. Warburg made the observation that tumor slices consume glucose and secrete lactate at a higher rate than normal tissues.
SecPod: A Framework for Virtualization-based Security Systems
1. SecPod: A Framework for Virtualization-based
Security Systems
Xiaoguang Wang:
6, Yue Chen:, Zhi Wang:, Yong Qi6, Yajin Zhou;
Florida State University:
Xi’an Jiaotong University6
Qihoo 360;
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 1/22
2. Outline
1. Motivation
2. SecPod Design
3. Implementation
4. Evaluation
5. Related Work
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 2/22
3. Motivation
Page Table Integrity
Kernel protection requires page table integrity
§ Page tables decide address translation (from VA to PA)
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 3/22
4. Motivation
Page Table Integrity
Kernel protection requires page table integrity
§ Page tables decide address translation (from VA to PA)
§ Page tables control memory protection
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 3/22
5. Motivation
Page Table Integrity
Kernel protection requires page table integrity
§ Page tables decide address translation (from VA to PA)
§ Page tables control memory protection
§ e.g. Data Execution Prevention (Write ‘ eXecute)
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 3/22
6. Motivation
Page Table Integrity
Kernel protection requires page table integrity
§ Page tables decide address translation (from VA to PA)
§ Page tables control memory protection
§ e.g. Data Execution Prevention (Write ‘ eXecute)
However, page tables are always writable in the kernel
§ Kernel needs to frequently change memory mapping
§ Kernel protection can be subverted by manipulating page tables
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 3/22
7. Motivation
Virtualization-based Kernel Protection
§ Security tools are isolated “out-of-the-box”, but need to
intercept key guest events
Ż e.g., guest page table updates, control-register updates
Shadow
Page Table
Guest Virtual
Address
Physical
Address
Hypervisor
Guest
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 4/22
8. Motivation
Virtualization-based Kernel Protection
§ Security tools are isolated “out-of-the-box”, but need to
intercept key guest events
Ż e.g., guest page table updates, control-register updates
§ Shadow paging enables reliable kernel memory protection
Ż Hypervisor uses shadow paging to virtualize memory
Shadow
Page Table
Guest Virtual
Address
Physical
Address
Hypervisor
Guest
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 4/22
9. Motivation
Virtualization-based Kernel Protection
§ Security tools are isolated “out-of-the-box”, but need to
intercept key guest events
Ż e.g., guest page table updates, control-register updates
§ Shadow paging enables reliable kernel memory protection
Ż Hypervisor uses shadow paging to virtualize memory
Ż SPTs are synchronized with GPTs by the hypervisor
Ñsecurity tools can intercept guest page table updates
Shadow
Page Table
Guest Virtual
Address
Physical
Address
Hypervisor
Guest
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 4/22
10. Motivation
Virtualization-based Kernel Protection
§ Security tools are isolated “out-of-the-box”, but need to
intercept key guest events
Ż e.g., guest page table updates, control-register updates
§ Shadow paging enables reliable kernel memory protection
Ż Hypervisor uses shadow paging to virtualize memory
Ż SPTs are synchronized with GPTs by the hypervisor
Ñsecurity tools can intercept guest page table updates
Ż SPTs supersede GPTs for address translation
Shadow
Page Table
Guest Virtual
Address
Physical
Address
Hypervisor
Guest
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 4/22
11. Motivation
Virtualization Hardware Obsoletes Shadow Paging
§ Nested paging introduces two-level address translation for VMs
Ż Both GPT and NPT are used by CPU for address translation
Shadow
Page Table
Guest Virtual
Address
Physical
Address
Hypervisor
Guest
Guest Physical
Address
Guest
Page Table
Guest Virtual
Address
Physical
Address
Nested
Page Table
Hypervisor
Guest
1
VMware: performance evaluation of Intel EPT hardware assist.
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 5/22
12. Motivation
Virtualization Hardware Obsoletes Shadow Paging
§ Nested paging introduces two-level address translation for VMs
Ż Both GPT and NPT are used by CPU for address translation
§ Nested paging has big performance advantage over SPT
Ż An acceleration of up to 48% for MMU-intensive tasks 1
Shadow
Page Table
Guest Virtual
Address
Physical
Address
Hypervisor
Guest
Guest Physical
Address
Guest
Page Table
Guest Virtual
Address
Physical
Address
Nested
Page Table
Hypervisor
Guest
1
VMware: performance evaluation of Intel EPT hardware assist.
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 5/22
13. Motivation
Virtualization Hardware Obsoletes Shadow Paging
§ Nested paging introduces two-level address translation for VMs
Ż Both GPT and NPT are used by CPU for address translation
§ Nested paging has big performance advantage over SPT
Ż An acceleration of up to 48% for MMU-intensive tasks 1
§ Security tools cannot intercept guest memory updates with NPT
Ż Guest is free to change its GPTs, without notifying hypervisor
Shadow
Page Table
Guest Virtual
Address
Physical
Address
Hypervisor
Guest
Guest Physical
Address
Guest
Page Table
Guest Virtual
Address
Physical
Address
Nested
Page Table
Hypervisor
Guest
1
VMware: performance evaluation of Intel EPT hardware assist.
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 5/22
14. Motivation
Why SecPod
Our Goal:
A framework for virtualization-based security tools on the modern
virtualization hardware with nested paging
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 6/22
15. Motivation
Why SecPod
Our Goal:
A framework for virtualization-based security tools on the modern
virtualization hardware with nested paging
Our Solution:
SecPod: A Framework for Virtualization-based Security Systems
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 6/22
16. Motivation
Threat Model and Assumption
§ Trustworthy hardware and trusted booting
Ż Load-time integrity is protected by trusted booting
Ż IOMMU is properly configured to prevent DMA attacks
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 7/22
17. Motivation
Threat Model and Assumption
§ Trustworthy hardware and trusted booting
Ż Load-time integrity is protected by trusted booting
Ż IOMMU is properly configured to prevent DMA attacks
§ Hypervisor is trusted
Ż Formal verification [seL4, SOSP’09], integrity protection and
monitoring [HyperSafe, S&P’10]
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 7/22
18. Motivation
Threat Model and Assumption
§ Trustworthy hardware and trusted booting
Ż Load-time integrity is protected by trusted booting
Ż IOMMU is properly configured to prevent DMA attacks
§ Hypervisor is trusted
Ż Formal verification [seL4, SOSP’09], integrity protection and
monitoring [HyperSafe, S&P’10]
§ Kernel is benign but contains vulnerabilities
Ż Powerful attackers can change arbitrary memory of the kernel
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 7/22
19. SecPod Design
SecPod Architecture
SecPod &
Security Tool
Code/Data
SPT Pool
Entry Gate
pv_mmu_ops.alloc_pud
pv_mmu_ops.set_pud
pv_mmu_ops.write_cr3
...
Normal Space Secure Space
Hypervisor
Trusted
Boot
DMA
Protection
Guest
GPT
Exit Gate
User Mode
Kernel Mode
Key Technique I:
Paging Delegation
VMExit
Handler
Sensitive
Instructions
Key Technique II:
Execution Trapping
Up Call
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 8/22
20. SecPod Design
Key Technique I: Paging Delegation
§ SecPod creates an isolated address space from the kernel
GPT
SPT
NormalSpace
GPT SPT
Securespace
Traditional Shadow Paging Shadow Paging in SecPod
NPT
Guest
HypervisorHypervisor
Guest
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 9/22
21. SecPod Design
Key Technique I: Paging Delegation
§ SecPod creates an isolated address space from the kernel
§ Secure space maintains SPTs for the guest
Ż SPTs are the only effective page tables for the guest
Ż SPTs mirror GPTs (if no memory protection violation)
GPT
SPT
NormalSpace
GPT SPT
Securespace
Traditional Shadow Paging Shadow Paging in SecPod
NPT
Guest
HypervisorHypervisor
Guest
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 9/22
22. SecPod Design
Key Technique I: Paging Delegation
§ SecPod creates an isolated address space from the kernel
§ Secure space maintains SPTs for the guest
Ż SPTs are the only effective page tables for the guest
Ż SPTs mirror GPTs (if no memory protection violation)
§ SecPod forwards guest page table updates to secure space
GPT
SPT
NormalSpace
GPT SPT
Securespace
Traditional Shadow Paging Shadow Paging in SecPod
NPT
Guest
HypervisorHypervisor
Guest
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 9/22
23. SecPod Design
SecPod Address Space Layout
§ Normal/secure spaces use page-table based isolation
Ż Entry/exit gates are the only passage
Normal Space Secure Space
KernelUserProcess
Kernel Data
RW-
Kernel RO Data
R--
Kernel Code
R-X
Kernel Data
RW-
Kernel RO Data
R--
Kernel Code
R--
SecPod Data
RW-
SecPod Code
R-X
Security Tool Data
RW-
Security Tool Code
R-X
Gate Data
RW-
Entry/Exit Gates
R-XUser Data
RW-
User Code
R-X
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 10/22
24. SecPod Design
SecPod Address Space Layout
§ Normal/secure spaces use page-table based isolation
Ż Entry/exit gates are the only passage
§ Guest kernel is mapped in secure space
Ż Security tools can access guest memory, but not execute it
Normal Space Secure Space
KernelUserProcess
Kernel Data
RW-
Kernel RO Data
R--
Kernel Code
R-X
Kernel Data
RW-
Kernel RO Data
R--
Kernel Code
R--
SecPod Data
RW-
SecPod Code
R-X
Security Tool Data
RW-
Security Tool Code
R-X
Gate Data
RW-
Entry/Exit Gates
R-XUser Data
RW-
User Code
R-X
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 10/22
25. SecPod Design
Protecting Secure Space
Attacker might try to:
§ Enter secure space without security checks
§ Request malicious page table updates
Ż e.g., to map secure memory in guest
§ Misuse privileged instructions
Ż e.g., to load a malicious page table, to disable paging...
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 11/22
26. SecPod Design
Protecting Secure Space
Attacker might try to:
§ Enter secure space without security checks
§ Request malicious page table updates
Ż e.g., to map secure memory in guest
§ Misuse privileged instructions
Ż e.g., to load a malicious page table, to disable paging...
Our countermeasures:
§ Secure and efficient context switch
§ Page table update validation
§ Execution trapping of privileged instructions
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 11/22
27. SecPod Design
Secure and Efficient Context Switch
§ Entry/exit gates are only passage between secure/normal spaces
Ż Each gate switches the page table, the stack...
Ż Entry gate runs atomically by disabling interrupts (SIM [CCS ’09])
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 12/22
28. SecPod Design
Secure and Efficient Context Switch
§ Entry/exit gates are only passage between secure/normal spaces
Ż Each gate switches the page table, the stack...
Ż Entry gate runs atomically by disabling interrupts (SIM [CCS ’09])
§ Loading CR3 is a privileged instruction trapped by SecPod
Ż Performance overhead is high if each context switch is trapped
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 12/22
29. SecPod Design
Secure and Efficient Context Switch
§ Entry/exit gates are only passage between secure/normal spaces
Ż Each gate switches the page table, the stack...
Ż Entry gate runs atomically by disabling interrupts (SIM [CCS ’09])
§ Loading CR3 is a privileged instruction trapped by SecPod
Ż Performance overhead is high if each context switch is trapped
§ Intel CR3 target list to the rescue:
Ż Four page tables can be loaded without being trapped by CPU
Ż There are many SPTs for the guest
Ñ use a fixed top-Level page table for all SPTs
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 12/22
30. SecPod Design
Page Table Update Validation
§ SecPod enforces basic kernel memory integrity for guest
Ż No mapping is allowed to the secure space code/data
Ż Enforce kernel W‘X
Guest Page Table Shadow Page Table
SPT Update
Verification
①
③
④
②
Fast Index
Tables
PT
PD SPD
SPT
NormalSpace
SecureSpace
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 13/22
31. SecPod Design
Key Technique II: Execute Trapping
§ SecPod traps malicious privileged instructions executed by guest
Ż It can trap intended and unintended2
privileged instructions
§ Hypervisor notifies secure space trapped instructions via upcalls
Ż Similar to signal delivery in the traditional OS
2
X86 has variable-length instructions, unintended instructions can be “created” by jumping to the middle of an instruction.
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 14/22
32. SecPod Design
Trapped Sensitive Instructions
Instruction Semantics
LGDT Load global descriptor table
LLDT load local descriptor table
LIDT load interrupt descriptor table
LMSW load machine status word
MOV to CR0 write to CR0
MOV to CR4 write to CR4
MOV to CR8 write to CR8
MOV to CR3 load a new page table
WRMSR write machine-specific registers
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 15/22
33. Implementation
Implementation
§ Paging delegation
Ż Leverage Linux paravirtualization interface: pv mmu ops
§ Execution trapping implemented in the Hypervisor (KVM)
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 16/22
34. Implementation
Implementation
§ Paging delegation
Ż Leverage Linux paravirtualization interface: pv mmu ops
§ Execution trapping implemented in the Hypervisor (KVM)
§ Security tools:
Ż Compiled as ELF libraries and loaded into secure space
Ż Implemented an example tool to prevent unauthorized kernel
code from execution (Patagonix [USENIX Sec ’08], NICKLE [RAID ’08])
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 16/22
35. Evaluation
Security Analysis
§ Maliciously modify secure space memory
Ż Secure space memory is not mapped in the normal space
Ñ try to map the secure space memory in the guest
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 17/22
36. Evaluation
Security Analysis
§ Maliciously modify secure space memory
Ż Secure space memory is not mapped in the normal space
Ñ try to map the secure space memory in the guest
Ż Directly change the page mapping
Ż Ask SecPod to map secure memory
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 17/22
37. Evaluation
Security Analysis
§ Maliciously modify secure space memory
Ż Secure space memory is not mapped in the normal space
Ñ try to map the secure space memory in the guest
Ż Directly change the page mapping Ð SPT is isolated
Ż Ask SecPod to map secure memory Ð SPT update validation
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 17/22
38. Evaluation
Security Analysis
§ Maliciously modify secure space memory
Ż Secure space memory is not mapped in the normal space
Ñ try to map the secure space memory in the guest
Ż Directly change the page mapping Ð SPT is isolated
Ż Ask SecPod to map secure memory Ð SPT update validation
§ Misuse privileged instructions
Ż Privileged instructions by guest are trapped and verified
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 17/22
39. Evaluation
Performance Evaluation: LMBench
0%
20%
40%
60%
80%
100% null
open/close
fork
signal_installm
m
ap
TCP_bandw
idth
file(create)select(250fd)stat
ctxsw
(4p/16k)
Bcopy(libc)m
ain_m
em
PerformanceOverhead
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 18/22
40. Evaluation
Performance Evaluation: SysBench OLTP
0
100
200
300
400
500
600
700
2 4 8 16 32 64 128
Throughput(trans/sec)
Number of Threads
Linux
SecPod
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 19/22
41. Related Work
Related Work
§ Virtualization-based security
Ż Malware analysis: Ether[CCS’08]
Ż Rootkit detection and prevention: PoKeR[EuroSys’09]
Ż Virtual machine introspection: Virtuoso[S&P’11], SIM[CCS’09]
§ Kernel/user application security
Ż Exploit mitigation techniques: ASLR, DEP, CFI[CCS’07]
Ż Kernel/hypervisor memory integrity: TZ-RKP[CCS’14],
HyperSafe[S&P’10], Nested Kernel[ASPLOS’15]
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 20/22
42. Summary
Summary
SecPod &
Security Tool
Code/Data
SPT Pool
Entry Gate
pv_mmu_ops.alloc_pud
pv_mmu_ops.set_pud
pv_mmu_ops.write_cr3
...
Normal Space Secure SpaceHypervisor
Trusted
Boot
DMA
Protection
Guest
GPT
Exit Gate
User Mode
Kernel Mode
Key Technique I:
Paging Delegation
VMExit
Handler
Sensitive
Instructions
Key Technique II:
Execution Trapping
Up Call
§ SecPod: A Framework for Virtualization-based Security Systems
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 21/22
43. Summary
Thank you & Questions?
SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 22/22