Bryan Nairn discusses security considerations for virtualization. He notes that over 40% of virtual machines will be less secure than physical machines by 2014. The document outlines common virtualization security myths and describes the hypervisor architecture. It discusses isolation between virtual machines and the hypervisor's security goals of protecting data confidentiality and integrity. The document also covers common attack vectors and provides potential solutions for securing the host system and virtual machines.
1. The presentation discusses separating fact from fiction regarding virtualization security threats such as VM escape scenarios. While theoretically possible, VM escape is very difficult to achieve due to VMware's isolation techniques and security practices.
2. Operational security threats from issues like weak passwords, lack of patching, and overprivileged user accounts are identified as more likely and higher impact risks. Least privilege approaches like RBAC and workflow-based policies are recommended to mitigate these risks.
3. Attendees are encouraged to adopt security best practices like isolating management networks, embracing micro-segmentation with NSX, and keeping ESXi systems up-to-date with patches. Questions are taken at the end.
This document provides an overview of virtualization security topics. It discusses various virtualization threats including guest VM attacks, hypervisor attacks, and management API attacks. Specific vulnerabilities are also mentioned, such as directory traversal issues and buffer overflows in hypervisor components like the virtual floppy disk controller. Attack methods like privilege escalation, denial of service, and taking control of the hypervisor are covered at a high level.
WHITE PAPER: Threats to Virtual Environments - Symantec Security Response Team, by Symantec
Virtualization in enterprises has been a growing trend for years, offering attractive opportunities for scaling, efficiency, and flexibility. According to Forrester Research [1], over 70 percent of organizations are planning to use server virtualization by the end of 2015.
Often, companies delay implementing virtualization due to security concerns or adopt virtualization before deploying advanced security measures. However, virtual machines and their hosting servers are not immune to attack. Introducing virtualization technology to a business creates new attack vectors that need to be addressed, such as monitoring the virtual networks between virtual machines. We have seen malware specifically designed to compromise virtual machines and have observed attackers directly targeting hosting servers. Around 18 percent of malware detects virtual machines and stops executing if it arrives on one.
Virtual systems are increasingly being used to automatically analyze and detect malware. Symantec has noticed that attackers are creating new methods to avoid this analysis. For example, some Trojans will wait for multiple left mouse clicks to occur before they decrypt themselves and start their payload. This can make it difficult or impossible for an automated system to come to an accurate conclusion about the malware in a short timeframe. Attackers are clearly not ignoring virtual environments in their plans, so these systems need to be protected as well.
Security Best Practices For Hyper-V And Server Virtualization, by rsnarayanan
The document summarizes information about Hyper-V virtualization. It provides an overview of Hyper-V architecture, including that the hypervisor partitions the hardware and manages guest partitions through the virtualization stack. It also discusses Hyper-V security, noting that guests are isolated from each other and the root to prevent attacks, and that delegated administration and role-based access control can be used to manage virtual machine access.
CSA Presentation 26th May Virtualization security v2, by vivekbhat
Bryan Nairn discusses security considerations for virtualization. Virtual machines are increasingly common but over 40% will be less secure than physical servers by 2014. Key risks include compromised host machines which could then control VMs, and unpatched guest operating systems. Defenses include hardening host servers, protecting virtual machine files, isolating guest networks, and using access control lists to manage permissions for VMs. Securing the virtualization platform requires attention to both host and guest security.
The document discusses the history and future of virtual machines. It summarizes that virtual machines were originally developed in the 1960s for mainframe computers but fell out of favor. Modern virtualization technologies like VMware have enabled running multiple operating systems on commodity hardware simultaneously with good performance. The document outlines VMware's virtualization technology and products, and provides examples of how virtual machines can be used for testing, server consolidation, application compatibility, and security.
VMware ESXi is a free bare-metal hypervisor that can be used to virtualize laptops. It has low resource usage which allows laptops to run virtual machines all day without overheating. The document provides instructions for installing ESXi on laptops and ensuring the network drivers are correctly configured by replacing the OEM file. Examples are given of running ESXi on different laptops and using it to virtualize an OpenSolaris environment.
How to Optimize Microsoft Hyper-V Failover Cluster and Double Performance, by StarWind Software
High availability for a virtualized workload may require sacrificing failover cluster performance. Using a virtualization-optimized approach to data storage, virtual machine placement and protection will give you the desired performance boost.
The presentation shows how to:
- Achieve true Hyper-V cluster high availability with just 2 Hyper-V hosts and zero storage hardware
- Boost Hyper-V cluster performance by configuring automatic dynamic optimization
- Effectively track VM resource usage
- Save an extra 30% of Hyper-V cluster resources by utilizing agentless antivirus
VMware is transitioning its hypervisor architecture to exclusively use ESXi starting with the next release of vSphere. ESXi provides improvements over the previous ESX architecture such as a smaller code footprint that requires fewer patches, improved security since it runs without a separate operating system, and more streamlined deployment and management. The presented document reviews the architectural differences between ESX and ESXi, hardware monitoring and management capabilities in ESXi, security features, deployment options, command line interfaces, diagnostic tools, and addressing common questions about the transition.
The document discusses the history and usage of virtualization technology, provides an overview of CPU, memory, and I/O virtualization, compares the Xen and KVM virtualization architectures, and describes some Intel work to support virtualization in OpenStack including the Open Attestation service.
Hypervisors are software that run several virtual systems, called virtual machines, on a single computer, giving the guest running in each virtual machine the view that it is running on its own dedicated computer. This presentation briefly discusses hypervisors and the different techniques for implementing them.
This document introduces security features of the Xen hypervisor for securing cloud installations. It begins with an overview of Xen Project architecture including driver domains and control domains. It then discusses potential attack surfaces like the network path and PyGrub boot loader. It analyzes what could be compromised from successful exploits, such as control of the entire system. The document recommends security features like driver domains, which isolate hardware drivers in a limited VM, and fixed kernels, which remove the ability to choose the kernel and thus block that attack path.
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi..., by The Linux Foundation
This presentation will detail a practical approach to memory introspection of virtual machines running on the Xen hypervisor with no in-guest footprint. The functionality makes use of the mem-event API with a number of improvements which enable the proper tracking of guest OS activity. The technology created on top of this Xen API opens the door for several immediate applications, including: rootkit detection and prevention, detection and action on several categories of malware, and event source information for low-level post-event forensics and correlation based on real event data during events.
VMware vSphere 6.0 - Troubleshooting Training - Day 1, by Sanjeev Kumar
This document provides an introduction and overview of VMware vSphere: Install, Configure, Manage training course. It discusses how the course aligns with the VCP-Core certification exam blueprint and objectives. It also provides definitions of key data center concepts like tiers and an overview of the evolution of data centers. Finally, it discusses the history and benefits of data center virtualization using VMware technologies like ESXi, virtual machines, and vCenter Server.
This document discusses full virtualization techniques. It defines full virtualization as simulating hardware to allow any OS to run unmodified in a virtual machine. It describes the challenges of virtualizing the x86 architecture and how binary translation is used to allow guest OSes to run at a higher privilege level. The document outlines hosted and bare-metal virtualization architectures and their pros and cons. It provides examples of using full virtualization for desktop and server virtualization/cloud computing. It also gives steps to implement hosted full virtualization using Oracle VM VirtualBox on Windows 7.
This talk provides an overview of the Xen Project ecosystem and its main use-cases in a number of important market segments: it covers server virtualization, cloud computing, and embedded, automotive and related segments. Lars Kurth highlights why the Xen Project is relevant in these market segments: he provides an overview of the Xen Project's architecture, relevant existing functionality, and ongoing and planned developments. To complement the picture, he covers open-source projects that are related to Xen and are of interest for these use-cases. Excellent software security is key to all of these use-cases, so Lars specifically covers the Xen Project's security features and track record, and touches on the project's security practices. He concludes with a few resources that help you get started with the Xen Project and highlights the internship programs which the project supports.
The talk was delivered at Root Linux Conference 2017. Learn more: http://linux.globallogic.com/materials. The video is available at https://www.youtube.com/watch?v=sjQnAIJji4k
This document discusses hardware-assisted virtual machines (HVM). It covers the history of virtualization from 1960s to present, virtualization techniques including full virtualization, para-virtualization and direct execution. It then focuses on HVM, how it virtualizes the CPU using AMD-V and VT-x extensions, I/O using AMD-Vi and VT-d, and networking using VT-c. It describes the HVM instructions, data structures including the VMCS region, and how a VMM can initialize, run and handle exits from a virtual machine using HVM. Related works exploring HVM for security applications are also briefly mentioned.
Securing Your Cloud with Xen (CloudOpen NA 2013), by Russell Pavlicek
Russell Pavlicek presented on securing clouds with Xen Project's advanced security features. He introduced key security tools in Xen Project like driver domains and PVGrub. Driver domains move device drivers out of the privileged control domain into an unprivileged virtual machine, reducing the attack surface. PVGrub is the Python program that reads guest filesystems and boots virtual machines, so securing it is important to prevent control of the control domain. The presentation aimed to help users understand and start implementing Xen Project's security features on their clouds.
- vSphere 5.0 introduces new features for platforms, networking, availability, vMotion, DRS/DPM, vCenter Server, storage, and Site Recovery Manager.
- Key enhancements include support for larger VMs, 3D graphics, more devices, an ESXi firewall, image builder tool, and auto deploy for faster host provisioning using host profiles.
- Auto Deploy allows rapid initial deployment and patching of ESXi hosts using an "on the fly" model coordinated with vSphere Host Profiles.
Hypervisors are becoming more and more widespread in embedded environments, from automotive to medical and avionics. Their use case is different from traditional server and desktop virtualization, and so are their requirements. This talk will explain why hypervisors are used in embedded, and the unique challenges posed by these environments to virtualization technologies.
Xen, a popular open source hypervisor, was born to virtualize x86 Linux systems for the data center. It is now the leading open source hypervisor for ARM embedded platforms. The presentation will show how the ARM port of Xen differs from its x86 counterpart. It will go through the fundamental design decisions that made Xen a good choice for ARM embedded virtualization. The talk will explain the implementation of key features such as device assignment and interrupt virtualization.
The document discusses a framework for creating virtual machine monitors (VMMs) using hardware virtualization on x86 processors. It reviews x86 virtualization methods and Intel VT/AMD SVM extensions. The framework abstracts the complexities of directly using virtualization instructions, providing an easier API to develop type-II VMMs as Windows device drivers. It supports features like SMP, error reporting, and a plugin architecture. The goal is to simplify the creation of hypervisors for research and application development.
This document provides an overview of securing a Xen virtualization environment. It begins with introducing Russell Pavlicek, a Xen Project Evangelist from Citrix Systems. It then discusses some key security features of Xen like driver domains, stub domains, PVgrub, and the FLASK security module. It examines potential attack surfaces like the network interface, PyGrub bootloader, Qemu device model, and the Xen hypervisor itself. It explains how the security features can be used to mitigate attacks and limit the impact of potential exploits. The document provides basic instructions on configuring some of these security features.
Virtualization allows multiple virtual machines to run on a single physical server. There are different types of virtualization including server, desktop, application, network and storage virtualization. Key virtualization concepts include the hypervisor, host and guest systems, and virtual components like CPUs, memory and disks. Licensing of guest operating systems is important. Virtualization provides benefits like server consolidation and high availability.
This document summarizes Russell Pavlicek's presentation on the bare-metal hypervisor as a platform for innovation. Some key innovations enabled by the bare-metal hypervisor discussed include Xen Automotive for developing embedded automotive systems, real-time virtualization support, an ARM-based hypervisor for new applications on ARM architecture, and unikernel systems that create highly secure and efficient cloud applications. A bare-metal hypervisor provides advantages like density, scalability, security and custom scheduling that facilitate these innovations.
1) The document discusses 30 important interview questions about virtualization and VMware. It covers topics like the VMware kernel, ESX server networking, vMotion, snapshots, port groups, cloning templates, and more.
2) Each question is accompanied by an answer that provides details about the topic. For example, it explains that the VMware kernel is proprietary and works with the service console, while port groups separate network traffic types.
3) Common virtualization challenges and their solutions are also addressed, such as issues taking snapshots of VMs configured with physical LUN mappings that need to be changed to virtual first.
The document discusses the history and capabilities of the Xen virtualization platform. It outlines how Xen has been adopted by many organizations and embedded in various hardware platforms. The document also explores how virtualization enables benefits like server consolidation, manageability, security and unlocking new hardware features. It discusses how Xen is powering large-scale cloud computing platforms and envisions virtualization becoming ubiquitous across all devices.
Virtualization: Security and IT Audit Perspectives, by Jason Chan
A brief overview of server virtualization for information security and audit professionals. I gave earlier versions of this talk at the SV and SF ISACA conferences in 2010, this version is for the UC Compliance and Audit Symposium.
Security and Virtualization in the Data Center, by Cisco Canada
This presentation discusses effectively integrating security with core data center fabric technologies and features, security as part of the core design, designs that enforce micro-segmentation in the data center, enforcing separation of duties in virtualized and cloud environments, and security that enforces continuous compliance.
Virtualization: Security and IT Audit PerspectivesJason Chan
A brief overview of server virtualization for information security and audit professionals. I gave earlier versions of this talk at the SV and SF ISACA conferences in 2010; this version is for the UC Compliance and Audit Symposium.
Security and Virtualization in the Data CenterCisco Canada
This presentation will discuss effectively integrating security with core Data Center fabric technologies and features, security as part of the core design, designs to enforce micro-segmentation in the data center, enforcing separation of duties in virtualized and cloud environments, and security to enforce continuous compliance.
This document discusses challenges related to virtual machine (VM) migration in cloud computing. It provides background on cloud computing and virtual machines. Key issues discussed include automated service provisioning, VM migration for server consolidation and energy management, and security challenges. The document also covers motivation for VM migration when workload increases trigger resource requirement changes. Methods for VM migration discussed include memory, network, and device migration techniques. Performance evaluation results of migration are presented. Migration across data centers introduces additional challenges like increased latency. Proposed solutions discussed encryption for security and redirection approaches to handle increased latency.
Live VM migration allows virtual machines to be relocated between physical hosts with little to no downtime. There are two main approaches: pre-copy migration copies memory contents iteratively with little downtime, while post-copy migration copies CPU states first and then memory pages on demand to reduce total migration time. Several research projects use live migration techniques to improve data center efficiency: LiteGreen saves energy by consolidating idle desktop VMs, Jettison uses partial VM migration for quick consolidation, and Kaleidoscope proposes VM state coloring to enable fast micro-elasticity through live cloning of warm VMs.
Virtualization 101: Everything You Need To Know To Get Started With VMwareDatapath Consulting
This document provides an overview of virtualization and VMware's virtualization platform vSphere. It begins with defining virtualization as using software to run multiple virtual machines on a single physical machine, sharing resources to improve utilization. It then discusses VMware's history and role as the market leader in virtualization. The document outlines the key benefits of virtualization such as reducing costs, increasing flexibility and enabling business agility. It provides an overview of vSphere's capabilities to deliver high availability, live migration, storage efficiency and faster disaster recovery. Overall, the document promotes virtualization and vSphere as a way to simplify IT operations and lower costs while increasing business agility.
This document discusses how to port Erlang and OTP to run on OSv without forking or executing external processes. Erlang ports allow communication with external processes but rely on forking and executing the port executable. As OSv does not support forking or execution, an alternative approach for Erlang ports is needed. Suggested approaches include using linked-in drivers written as shared objects, NIFs, or a custom in-process protocol to communicate with external processes without forking.
Small Python Tools for Software Release Engineeringpycontw
The document discusses using Python scripts to automate the provisioning of temporary virtual machines from templates for tasks like software testing using the XenAPI to control XenServer virtualization. It provides code examples for creating a VM from a template, starting it, copying files in, running scripts, and then destroying the VM after use in order to automate volatile computing resources on demand. The scripts allow for non-interactive use by command line options to select templates, preload files, and initialize scripts.
The document discusses moving the NYTimes.com website to the cloud. It describes starting with a basic AWS setup but then facing challenges with scaling, communication between instances, and security when the site grew. The solution involved using open source tools like Nimbul for cloud management, Emissary for messaging, and CloudSource for deployment to extend their existing infrastructure to the cloud in a way that was compatible with their development processes and security requirements for a large established organization.
Server virtualization concepts allow partitioning of physical servers into multiple virtual servers using virtualization software and hardware techniques. This improves resource utilization by running multiple virtual machines on a single physical server. Server virtualization provides benefits like reduced costs, higher efficiency, lower power consumption, and improved availability compared to running each application on its own physical server. Key components of server virtualization include virtual machines, hypervisors, CPU virtualization using techniques like Intel VT-x or AMD-V, memory virtualization, and I/O virtualization through methods like emulated, paravirtualized or direct I/O. KVM and QEMU are popular open source virtualization solutions, with KVM providing kernel-level virtualization support and Q
Virtualization is the ability to run virtual machines on top of a hypervisor.
Virtualization is an emerging IT paradigm that separates computing functions and technology implementations from physical hardware.
Cloud computing, for example, is the virtualization of computer programs through an internet connection rather than installing applications on every office computer.
Virtualization has fundamentally changed the shape of the IT landscape in the past decade. If you haven’t learned the ins and outs of hypervisors, hosts, and guests, attend our virtual webinar to learn about the different kinds of virtualization, the benefits of the technology, and the different players in the industry!
LOAD BALANCING OF APPLICATIONS USING XEN HYPERVISORVanika Kapoor
Xen virtualization allows multiple virtual machines to run simultaneously on a single physical server. This increases hardware utilization and makes provisioning new servers easier. NFS allows files to be accessed remotely over a network, enabling file sharing between systems. NFS uses RPC to perform file operations like reads, writes and attribute retrieval. It has advantages of flexibility but also security risks if not configured properly. Newer NFS versions aim to improve performance and mandate strong authentication.
There is No Server: Immutable Infrastructure and Serverless ArchitectureSonatype
Erlend Oftedal, Blank
Immutable infrastructure and serverless architectures have very interesting security properties. This talk will give an introduction to immutable infrastructure and serverless architecture and try to highlight some of the properties of such architectures. Next we will look at the positive effects this can have on the security of our systems, but also highlight some of the negative aspects and potential problems.
At the conclusion of this session, we hope to have shed some light on the positive and negative security effects of such architectures.
The document provides an overview of Microsoft's virtualization solutions, including Virtual Server 2005 R2 and Windows Virtualization. It discusses the architecture of virtualization, virtual machine monitors, CPU virtualization techniques, and compares Virtual Server 2005 to Windows Virtualization and Virtual PC 2007. It also provides links for further information on documentation, downloads and scripts related to Microsoft virtualization products.
The document provides an overview of open source virtualization technologies by Kris Buytaert. It discusses the history and evolution of virtualization starting from mainframes in the 1960s to modern virtualization with Xen, KVM, VirtualBox and other open source projects. It also compares different virtualization approaches like full, para and hardware virtualization. Lastly, it discusses popular virtualization platforms and management tools as well as the future of virtualization.
OS vs. VMM provides an overview of the similarities and differences between operating systems (OS) and virtual machine monitors (VMM). Both OS and VMM abstract hardware resources, but VMM provides virtualization while OS provides abstraction. Nested virtualization further complicates resource management by adding additional layers of indirection. Key issues in virtualization include trapping privileged OS operations, scheduling virtual CPUs, managing virtual memory translations, and achieving high performance I/O.
Making IT Easier to Manage Your Virtualized Environment - David Babbitt, Spic...Spiceworks
This document discusses managing a virtualized environment. It begins with an introduction to virtualization and describes the benefits such as agility, reduced downtime, and Windows licensing flexibility. It then covers advanced uses like snapshots, virtual disks, and networking. Lessons learned are shared around using central storage and virtualizing IT resources gradually. It concludes with a demonstration of scanning and monitoring a virtualized environment.
The document discusses BLADE Network Technologies' VMready product, which provides virtual machine aware networking capabilities that allow network administrators to configure and manage virtual machine network traffic, ensuring network connectivity and security when virtual machines migrate between physical servers. VMready integrates with VMware vCenter to automate configuration of virtual switches and provide visibility of virtual machine information. The VMready switch module from BLADE Network Technologies brings these virtualization-aware networking features to the HP BladeSystem through firmware upgrades.
This document provides an overview of System Center Virtual Machine Manager (SCVMM) including its architecture, supported platforms, high availability options, networking capabilities like software defined networks, bare metal deployment, services templates, hybrid cloud integration with App Controller, and managing third party hypervisors. SCVMM provides centralized management of private clouds and hypervisors. It supports features like VM templates, self-service, and role-based access.
Rmll Virtualization As Is Tool 20090707 V1.0guest72e8c1
Virtualization can be used as a tool for consolidating information systems. There are several common issues that come up with virtualization including ensuring sufficient processor architecture support, network capacity, and dealing with legacy physical hardware. It is important to analyze legacy systems and map application relationships before starting virtualization. Popular hypervisors include KVM, Xen, and OpenVZ. KVM is recommended due to its integration with Linux. Libvirt provides an abstraction layer for different hypervisors. Orchestrators like Enomalism can help manage large virtualized environments through a web interface. Tools were also discussed for snapshotting images, configuring networks, and preventing out-of-memory issues.
Virtualization can be used as a tool for consolidating information systems. There are several common issues to address when starting virtualization including ensuring sufficient processor architecture support, network capacity, and dealing with physical legacy systems. Key steps include analyzing legacy systems and mapping application relationships. Popular hypervisors include KVM, Xen, and OpenVZ. KVM is recommended due to its integration with Linux. Libvirt provides an abstraction layer for different hypervisors. Orchestrators like Enomalism can help manage virtual machines. Useful related tools include those for snapshots, configuration, and dealing with out of memory situations.
Hyper-V and SCVMM 2008 provide virtualization capabilities for Microsoft. SCVMM 2008 allows for managing virtual machines across VMware and Hyper-V environments. It provides features like intelligent placement of VMs, conversion of physical to virtual machines, and delegated administration. SCVMM 2008 integrates with other System Center products and uses PowerShell for administration and monitoring of the virtualized environment.
Vincent Van der Kussen discusses KVM and related virtualization tools. KVM is a kernel module that allows Linux to function as a hypervisor. It supports x86, PowerPC and s390 architectures. Key tools discussed include libvirt (the virtualization API), virsh (command line tool for libvirt), Qemu (runs virtual machines), and virt-tools like virt-install. The document provides an overview of using these tools to manage virtual machines and storage.
This document describes Mike Laverick's journey setting up a home lab with vCloud Director. It details his previous vSphere setup and the changes made to support vCD, including using virtual appliances, establishing compute clusters, tiered storage, and distributed virtual switches. Lessons learned include properly configuring VLANs, IP ranges, and edge gateways before using them in vCD. The document also discusses potential future directions for the lab like nested ESX environments and vInception levels.
Similar to Hypervisor Security - OpenStack Summit Hong Kong (20)
8. Virtualization Technologies
• Hosted OS Virtualization – VMware Desktop Solutions
• Para Virtualization – The guest needs to know it’s running in a virtualized environment
• Full Virtualization – The guest is unaware that it is running on a virtualized platform.
12. Generalized Virtualization Stack
Compute Host
Alice
VM
Alice
VM
Alice
VM
Hardware
Hypervisor / Host OS / Dom0
QEMU
Compute Instances
Device Emulation
/ Paravirt
Hardware Interfacing
/ Enabling
Hardware
Memory, Disk, CPU etc
17. Compute Instance Attack Vectors
[Diagram, built up over slides 17 to 33: a Compute Host [Nova] running two VMs each for Alice and Bob on KVM / XEN with QEMU device emulation, above Dom0 / Linux Kernel / Linux OS. A malicious VM (Mal) is added, and the following attack paths are drawn in turn:]
• Basic VM to VM network attacks
• VM to hypervisor attacks
• VM to QEMU / Device attacks
• VM to QEMU as step 1 of a two-step chain, followed by VM to hypervisor attacks
• VM to OS / Management / Linux Kernel / Dom0, drawn as a three-step chain (1, 2, 3)
35. Cloud Issues
[Diagram, built up over slides 35 to 42: two Compute Hosts [Nova], one running Cher's and Dave's VMs and one running Alice's and Bob's, alongside the Compute Manager, Block Storage, Network Nodes, Operations Systems and Object Storage. A malicious VM (Mal) appears from slide 37. The same picture is used for each issue:]
• Cloud Issues – Scale
• Cloud Issues – Flat Exploitation
• Cloud Issues – Service Trust
• Cloud Issues – Nova RPC
61. Protections – Reduce Attack Surface
• Out of the box you probably support
– 3D Graphics
– Multiple Network Devices
– Sound
– Bluetooth!?
• Compile them out!
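The slide's point is that a stock QEMU launch carries emulated hardware (sound, USB, 3D, several NIC models) that a server instance never uses, and every such device is host code the guest can poke at. As an added example (not from the deck, OpenStack or QEMU), the Python below audits a QEMU command line as it appears in `ps` on a compute host and reports devices in those classes. The device-name groupings and the one-NIC-per-instance limit are this script's own assumptions, and both command lines are constructed, not captured from a real host.

```python
"""Audit a QEMU command line for emulated devices that widen the guest-to-host
attack surface. Added example; the device groupings below are this script's own
assumptions, not a list from the slides or from QEMU."""
import shlex

# Device / option names QEMU accepts, grouped by the categories on the slide.
SOUND = {"intel-hda", "hda-duplex", "hda-micro", "hda-output", "ich9-intel-hda",
         "AC97", "ES1370", "sb16", "adlib", "hda", "ac97", "es1370", "all"}
USB = {"-usb", "piix3-usb-uhci", "piix4-usb-uhci", "ich9-usb-ehci1", "nec-usb-xhci",
       "qemu-xhci", "usb-tablet", "usb-kbd", "usb-mouse", "usb-host", "usb-storage",
       "usb-bt-dongle"}          # usb-bt-dongle is the emulated Bluetooth adapter
GPU3D = {"virtio-vga-gl", "virtio-gpu-gl-pci", "virtio-gpu-gl-device"}
LEGACY = {"floppy", "isa-fdc", "isa-parallel"}
NIC = {"virtio-net-pci", "virtio-net-device", "e1000", "e1000e", "rtl8139",
       "pcnet", "vmxnet3", "ne2k_pci"}


def parse_qemu_devices(cmdline):
    """Return [(device_type, options)] for every emulated device on the command
    line: -device TYPE[,opts], legacy -soundhw NAME, bare -usb, -fda/-fdb FILE."""
    argv = shlex.split(cmdline)
    devices = []
    i = 0
    while i < len(argv):
        tok = argv[i]
        val = argv[i + 1] if i + 1 < len(argv) else ""
        if tok == "-device":
            dtype, _, opts = val.partition(",")
            devices.append((dtype, opts))
            i += 2
        elif tok == "-soundhw":
            devices.append((val, ""))
            i += 2
        elif tok in ("-fda", "-fdb"):
            devices.append(("floppy", val))
            i += 2
        elif tok == "-usb":
            devices.append(("-usb", ""))   # bare -usb adds a USB host controller
            i += 1
        else:
            i += 1
    return devices


def audit_attack_surface(cmdline, max_nics=1):
    """Return a list of findings; empty means nothing from the slide's list is
    present. max_nics=1 is an assumption: one virtual NIC per instance."""
    findings = []
    nics = 0
    for dtype, opts in parse_qemu_devices(cmdline):
        if dtype in SOUND:
            findings.append(f"sound: {dtype}")
        elif dtype in USB:
            findings.append(f"usb: {dtype}")
        elif dtype in GPU3D or (dtype.startswith("virtio-") and "virgl=on" in opts):
            findings.append(f"3d: {dtype}")
        elif dtype in LEGACY:
            findings.append(f"legacy: {dtype}")
        elif dtype in NIC:
            nics += 1
    if nics > max_nics:
        findings.append(f"nics: {nics} > {max_nics}")
    return findings


# Constructed command lines (not captured from a real host).
DESKTOP_STYLE_CMDLINE = (
    "qemu-system-x86_64 -machine pc -enable-kvm -m 2048 "
    "-drive file=/var/lib/nova/instances/i-0/disk,if=none,id=d0,format=qcow2 "
    "-device virtio-blk-pci,drive=d0 "
    "-netdev tap,id=n0,ifname=tap0 -device virtio-net-pci,netdev=n0 "
    "-netdev tap,id=n1,ifname=tap1 -device e1000,netdev=n1 "
    "-device intel-hda -device hda-duplex "
    "-usb -device usb-tablet "
    "-fda /tmp/boot.img "
    "-device virtio-vga,virgl=on"
)
SERVER_STYLE_CMDLINE = (
    "qemu-system-x86_64 -machine q35 -enable-kvm -m 2048 -nodefaults -nographic "
    "-drive file=/var/lib/nova/instances/i-1/disk,if=none,id=d0,format=qcow2 "
    "-device virtio-blk-pci,drive=d0 "
    "-netdev tap,id=n0,ifname=tap0 -device virtio-net-pci,netdev=n0 "
    "-device virtio-serial-pci"
)

if __name__ == "__main__":
    for name, cmd in (("desktop-style", DESKTOP_STYLE_CMDLINE),
                      ("server-style", SERVER_STYLE_CMDLINE)):
        print(name, audit_attack_surface(cmd) or "clean")
```

The audit only tells you what a guest can currently reach; removing a device from the command line still leaves its emulation code in the binary, which is why the slide says to compile it out. Use the findings as the list of devices to disable in QEMU's per-target device configuration and configure flags when building the package for your compute hosts.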
62. Protections – Mandatory Access Controls
• Limit the capabilities of a successful exploit
• Define and constrain what QEMU should be doing
• Provide isolation for VM processes (KVM)
• SELinux
• AppArmor
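The "isolation for VM processes" bullet is what libvirt's sVirt does on a KVM host, although the deck does not name it: each QEMU process is started in the svirt_t domain with a random pair of MCS categories, and the VM's disk images are relabelled svirt_image_t with the same pair, so a QEMU process that has been taken over by its guest cannot open another VM's image even though both run as the same Unix user. The Python below is an added example (not from the slides, libvirt or OpenStack) that reads `ps -eZ` and `ls -Z` output and flags the three ways that isolation fails in practice: a QEMU process running unconfined, two processes sharing a category pair, and an image labelled so that any VM can open it. The `ps -eZ` and `ls -Z` samples are constructed.

```python
"""Check that QEMU processes on a KVM compute host are confined by sVirt
(libvirt's SELinux integration): each VM in svirt_t with its own MCS category
pair, each disk image carrying the same pair. Added example; the ps -eZ and
ls -Z samples below are constructed, not captured from a real host."""
import re

MCS_PART = re.compile(r"^c(\d+)(?:\.c(\d+))?$")


def parse_categories(level):
    """'s0:c12,c345' -> {12, 345}; 's0-s0:c0.c1023' -> {0..1023}; 's0' -> {}."""
    _, _, cats = level.partition(":")
    out = set()
    for part in filter(None, cats.split(",")):
        m = MCS_PART.match(part)
        if not m:
            raise ValueError(f"bad MCS component: {part}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        out.update(range(lo, hi + 1))
    return frozenset(out)


def parse_context(ctx):
    """'user:role:type:level' -> (type, categories); the level may contain ':'."""
    _user, _role, typ, level = ctx.split(":", 3)
    return typ, parse_categories(level)


def qemu_process_labels(ps_ez_output):
    """From `ps -eZ` output, map PID -> (type, categories) for QEMU processes."""
    labels = {}
    for line in ps_ez_output.splitlines():
        if not line.strip() or line.startswith("LABEL"):
            continue
        ctx, pid, _tty, _time, cmd = line.split(None, 4)
        if cmd.startswith("qemu"):
            labels[pid] = parse_context(ctx)
    return labels


def audit_processes(labels):
    """Findings: a VM not in svirt_t, without categories, or sharing them."""
    findings, owner = [], {}
    for pid, (typ, cats) in labels.items():
        if typ != "svirt_t":
            findings.append(f"pid {pid}: runs as {typ}, not svirt_t")
        elif not cats:
            findings.append(f"pid {pid}: svirt_t but no MCS categories")
        elif cats in owner:
            findings.append(f"pid {pid}: shares categories with pid {owner[cats]}")
        else:
            owner[cats] = pid
    return findings


def audit_images(ls_z_output, labels):
    """Findings for disk images reachable by more than the one VM that owns them."""
    vm_cats = {cats for typ, cats in labels.values() if typ == "svirt_t"}
    findings = []
    for line in ls_z_output.splitlines():
        if not line.strip():
            continue
        ctx, path = line.split(None, 1)
        typ, cats = parse_context(ctx)
        if typ == "virt_content_t":
            continue                      # read-only shared backing image, expected
        if typ != "svirt_image_t":
            findings.append(f"{path}: type {typ}, not labelled for a running VM")
        elif not cats:
            findings.append(f"{path}: no MCS categories, any svirt_t process can open it")
        elif cats not in vm_cats:
            findings.append(f"{path}: stale label, categories match no running VM")
    return findings


# Constructed samples in the shape of `ps -eZ` and `ls -Z` output.
PS_EZ = """\
LABEL                                     PID TTY          TIME CMD
system_u:system_r:virtd_t:s0-s0:c0.c1023  812 ?        00:00:03 libvirtd
system_u:system_r:svirt_t:s0:c12,c345    4101 ?        00:01:12 qemu-kvm
system_u:system_r:svirt_t:s0:c12,c345    4202 ?        00:00:40 qemu-kvm
system_u:system_r:svirt_t:s0:c78,c901    4303 ?        00:00:10 qemu-kvm
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5555 pts/0 00:00:00 qemu-system-x86_64
"""
LS_Z = """\
system_u:object_r:svirt_image_t:s0:c12,c345 /var/lib/nova/instances/i-1/disk
system_u:object_r:svirt_image_t:s0:c78,c901 /var/lib/nova/instances/i-3/disk
system_u:object_r:virt_content_t:s0 /var/lib/nova/instances/_base/ubuntu.raw
system_u:object_r:svirt_image_t:s0 /var/lib/nova/instances/i-4/disk
system_u:object_r:virt_image_t:s0 /var/lib/nova/instances/i-9/disk
"""

if __name__ == "__main__":
    labels = qemu_process_labels(PS_EZ)
    for finding in audit_processes(labels) + audit_images(LS_Z, labels):
        print(finding)
```

On a real host feed it the output of `ps -eZ` and `ls -Z /var/lib/nova/instances/*/disk` instead of the samples. A process in unconfined_t or virtd_t means the MAC layer is not in the path between guest and host at all; two VMs with the same category pair have collapsed into one security domain. On AppArmor hosts libvirt confines each VM with a per-VM profile (libvirt-<uuid>) rather than MCS categories, so the equivalent check there is that every QEMU process is under its own profile in `ps -eo pid,label,comm`.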
64. Protection
• Reduce Attack Surface
• Harden Compilation
• Isolate, detect and alert on exploitation through MAC
• Harden your base OS/Dom0 using the same techniques
• Apply MAC to other OpenStack components