The OpenXT Project is an Open Source community producing a Xen-based platform for client devices with a focus on providing strong security properties. The different primary use cases of this project versus server-based Xen systems have motivated notable technical differences and consequently OpenXT should be of interest to anyone seeking to understand the full set of capabilities on offer within the Xen ecosystem.
In this presentation, Christopher Clark will describe the technical architecture of OpenXT, its current status and development activity within the project and its engagement with the upstream OpenEmbedded and Xen projects. This will include an overview of OpenXT's differentiating features such as Measured Launch, Virtual TPMs, Linux-based stubdoms, a specialized input layer and a distinct PV USB stack for Windows and Linux.
XPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGIC (The Linux Foundation)
Data breaches are all over the news these days, and no organization is safe. Nobody, from the largest governments to the biggest banks to the most advanced security companies, is able to adequately protect themselves. The difficulty is that there is a practically infinite number of ways to exfiltrate data from an organization, ranging from stolen or lost hardware to steganography to malicious insiders to 0-day exploits installing malware to side channels. The industry is trying to solve this problem using detection, heuristics, pattern matching and behavioral analysis. A new approach is clearly needed to fight the data breach problem and keep data inside an organization.
Come find out how to use hypervisors to repurpose hardware to protect sensitive data under the assumption of compromised networks, devices and users (malicious insiders). In addition, find out how to do so without using any type of detection, heuristics, pattern matching or behavioral analysis, but rather a strictly algorithmic approach rooted in hardware. Finally, learn how this technology can be used in a generic manner to protect the data of databases, server software, unmodified legacy applications, and unmodified consumer applications such as word processing and spreadsheet software.
XPDS16: libvirt and Tools: What's New and What's Next - James Fehlig, SUSE (The Linux Foundation)
A year has passed since the last Xen Developer Summit and it is time to announce the quiet progress made on the libvirt libxl driver and related tooling. New features include memory, cpu, block device, and network interface statistics reporting, support for pvUSB, support for migration stream V2, peer-to-peer migration, UEFI for HVM guests via OVMF, and domain capabilities reporting to name a few. There are also many noteworthy improvements such as better conversion of xl.cfg to/from libvirt domXML, allowing users to easily switch between the xl+libxl and libvirt+libxl toolstacks.
The summit also provides an opportunity to discuss new proposals such as better control of domain placement on NUMA systems, exposing Xen's cpu pool feature in libvirt, supporting non-volatile memory for UEFI variables, and improved capabilities reporting.
Much of libvirt's value for Xen is in the tools built upon it: virt-manager, virt-viewer, virt-install, virt-builder, kimchi, OpenStack nova, etc. These tools also deserve a quick status update as they relate to Xen.
The audience is encouraged to participate, e.g. by requesting a sorely missing feature, warning of an upcoming Xen change that may affect libvirt, or simply suggesting a change that makes virtualization management life a bit easier.
XPDS16: Xenbedded: Xen-based client virtualization for phones and tablets - ... (The Linux Foundation)
This talk presents a new client virtualization platform that allows Xen to be used on mobile phones and tablets. These embedded devices require special consideration, particularly in the context of client virtualization. We will outline the technical challenges of virtualizing common tablet devices, including the touchscreen, audio, webcam, accelerometer, Wi-Fi, cellular, and display devices. TrustZone implications will also be discussed.
We will present the current project status and what it took (or will take) to get NVIDIA's Jetson TX1 development board and Google's Pixel C tablet running multiple Android instances. We will provide an overview of the platform’s build toolchain and source trees. Finally, we will open up discussions on the future of the platform and the challenges associated with improving Xen adoption on mobile ARM devices.
XPDS16: AMD's virtualization memory encryption technology - Brijesh Singh, A... (The Linux Foundation)
AMD recently disclosed new security technologies which leverage hardware-based memory encryption to provide additional security protections. This talk will focus primarily on technology which supports encrypted virtual machines for extra isolation and protection from the hypervisor itself. The presentation will discuss the technical details of this technology with a focus on how it can be integrated within the Xen infrastructure.
XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform... (The Linux Foundation)
Released as Open Source Software (OSS) in June 2014, OpenXT is a collection of hardened Linux VMs configured to provide a user-facing Xen platform for client devices. This default configuration was mostly static, applying some disaggregation techniques to segregate system components based on a general threat analysis. The goals embodied in this code base up to its release produced a one-size-fits-most configuration with extensibility in specific areas to encapsulate 3rd party value-add.
With a community now forming around OpenXT we must come to terms with the limitations of this approach. In this talk Philip will define what OpenXT is and, in this definition, show that OpenXT can meet the varied needs of the security and virtualization community through the construction of a toolkit for the configurable disaggregation of a Xen platform.
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ... (The Linux Foundation)
Docker and other container runtimes are gathering momentum and becoming the new industry standard for server applications. Linux namespaces, commonly used to run Docker apps, come with a large attack surface which is difficult to reduce. Intel's Clear Containers use KVM to run containers as VMs to provide additional isolation. It is possible to provide VM-like isolation for containers without sacrificing performance.
This talk focuses on the benefits of using Xen to provide an execution environment for Docker apps. The presentation starts by listing the requirements of this environment. It explains why monitoring container syscalls is important and what its security benefits are. The talk introduces a new paravirtualized protocol to virtualize IP sockets and provides the design and implementation details. The presentation clarifies the impact of the new protocol from a security perspective. The discussion concludes by comparing performance figures with the traditional PV network frontend and backend drivers in Linux, explaining the reasons for any performance gaps.
The talk is a status report for the latest release and development projects. It will cover the new features and important bug fixes (if any) in 4.7. It will also provide insight on what's in the queue for the next major release. A retrospective on the release process will also be part of the talk.
Virtualization with KVM (Kernel-based Virtual Machine) (Novell)
As a technical preview, SUSE Linux Enterprise Server 11 contains KVM, which is the next-generation virtualization software delivered with the Linux kernel. In this technical session we will demonstrate how to set up SUSE Linux Enterprise Server 11 for KVM, install some virtual machines and deal with different storage and networking setups.
To demonstrate live migration we will also show a distributed replicated block device (DRBD) setup and a setup based on iSCSI and OCFS2, which are included in SUSE Linux Enterprise Server 11 and SUSE Linux Enterprise 11 High Availability Extension.
This talk provides an overview of the Xen Project eco-system and its main use-cases in a number of important market segments: it covers server virtualization, cloud computing and embedded, automotive and related. Lars Kurth highlights why the Xen Project is relevant in these market segments: he provides an overview of the Xen Project's architecture, relevant existing functionality and ongoing and planned developments. To complement the picture, he covers open-source projects that are related to Xen and are of interest for these use-cases. Excellent software security is key to all of these use-cases. Thus, Lars specifically covers the Xen Project's security features, track record and touches on the project's security practices. He concludes with a few resources that help you get started with the Xen Project and highlights internship programs which the project supports.
The talk was delivered at Root Linux Conference 2017. Learn more: http://linux.globallogic.com/materials. The video is available at https://www.youtube.com/watch?v=sjQnAIJji4k
XPDS16: Xen Orchestra: building a Cloud on top of Xen - Olivier Lambert & Jul... (The Linux Foundation)
Since its inception, the Xen Orchestra project (licensed under the AGPLv3) has always had a philosophy of listening to and engaging the community. User feedback shaped our initial concept, which first targeted system administrators. Eventually, our users drove us to support cloud-scale deployments of up to 2000 VMs. Retaining simplicity in usage and installation while evolving Xen Orchestra to cloud scale posed many challenges. Building the many new features this led to, such as ACLs, self-service, live charts, config drive management, and more, forced us to constantly evolve our architecture. First we will show how user needs changed our architecture, and how we solved challenging problems such as user permissions, ACLs, containers in a virtualized infrastructure and self-service. We will conclude with a short demo, what is next, and lessons learned.
XPDS16: Hypervisor-based Security: Vicarious Learning via Introspektioneerin... (The Linux Foundation)
This presentation is based on the technical hurdles we overcame when building a commercial product on the introspection capabilities of the Xen hypervisor. Mihai Dontu will relate the importance of the x86 emulator, the need for a more focused effort on its completeness and correctness, the problems encountered, and the solutions adopted. He will also approach the subject of performance, for which hypervisor features that were not meant to be in the hot path had to be reworked at specific points to meet a key requirement for making a theoretical product a commercial reality.
XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, Citrix (The Linux Foundation)
As the first ARM servers and microservers hit the market, Xen on ARM is becoming more mature, stable and reaching feature parity with x86. This talk will present the current status of the project, will describe the latest improvements, the gaps that still need to be filled and the roadmap going forward. ARMv8 silicon is now available for purchase: we can measure how well Xen on ARM 64-bit is performing on real hardware and compare the performance figures with other hypervisors. The presentation will show these results, it will measure the overhead introduced by Xen on ARM and will compare it with the overhead introduced by Xen and KVM on x86. The talk will explain the reasons behind performance shortfalls and present ideas on how to address them in the future. The performance results will be used to determine when it makes sense to use Xen on ARM and what are the best use cases for it.
Migration of virtual machines without guest downtime is a key feature for hypervisors. Sadly, not all hardware is the same, and keeping guests running in a heterogeneous environment takes a lot of care. Normally, features are advertised via the CPUID instruction, but life is never as simple as we would like. Andrew will discuss what information needs to be controlled, what information can and can't be controlled, and how it applies to Xen guests.
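A worked illustration of the levelling problem described above, added here as an example and not code from the talk or from Xen: the per-host CPUID register values are constructed (not real hardware readings), the feature bit positions are the architectural ones for leaf 1 (ECX/EDX) and leaf 7 subleaf 0 (EBX), and the struct and function names are assumptions of this example. It computes the only policy that is safe to advertise to a guest that may later land on any host in the pool, and lists the features each host has to hide from such a guest.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BIT(n) (1u << (n))

/* Output registers of one CPUID leaf. */
struct cpuid_leaf { uint32_t eax, ebx, ecx, edx; };

/* The part of the CPUID policy a migration pool must agree on:
 * leaf 1 feature flags (ECX/EDX) and leaf 7 subleaf 0 flags (EBX). */
struct cpu_policy { struct cpuid_leaf leaf1, leaf7; };

/* Architectural feature bit positions (Intel SDM / AMD APM). */
struct feature { const char *name; int leaf; char reg; int bit; };
static const struct feature features[] = {
    {"sse3", 1, 'c', 0},    {"ssse3", 1, 'c', 9},   {"fma", 1, 'c', 12},
    {"sse4.1", 1, 'c', 19}, {"sse4.2", 1, 'c', 20}, {"popcnt", 1, 'c', 23},
    {"aes", 1, 'c', 25},    {"xsave", 1, 'c', 26},  {"avx", 1, 'c', 28},
    {"rdrand", 1, 'c', 30}, {"sse", 1, 'd', 25},    {"sse2", 1, 'd', 26},
    {"bmi1", 7, 'b', 3},    {"avx2", 7, 'b', 5},    {"bmi2", 7, 'b', 8},
    {"avx512f", 7, 'b', 16}, {"rdseed", 7, 'b', 18}, {"adx", 7, 'b', 19},
    {"sha", 7, 'b', 29},
};
#define NFEATURES (sizeof(features) / sizeof(features[0]))

static uint32_t reg_val(const struct cpu_policy *p, const struct feature *f)
{
    const struct cpuid_leaf *l = (f->leaf == 1) ? &p->leaf1 : &p->leaf7;
    return f->reg == 'b' ? l->ebx : f->reg == 'c' ? l->ecx : l->edx;
}

/* Levelling: a guest that may be migrated to any host in the pool can only
 * be shown the bitwise AND of every host's feature flags. */
void level_policy(const struct cpu_policy *hosts, size_t n, struct cpu_policy *out)
{
    memset(out, 0, sizeof(*out));
    if (n == 0)
        return;
    *out = hosts[0];
    for (size_t i = 1; i < n; i++) {
        out->leaf1.ecx &= hosts[i].leaf1.ecx;
        out->leaf1.edx &= hosts[i].leaf1.edx;
        out->leaf7.ebx &= hosts[i].leaf7.ebx;
    }
}

/* Features a host has but the levelled policy hides from the guest.
 * Writes up to max names into out[] and returns how many were found. */
size_t masked_features(const struct cpu_policy *host, const struct cpu_policy *levelled,
                       const char **out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < NFEATURES; i++) {
        uint32_t m = BIT(features[i].bit);
        if ((reg_val(host, &features[i]) & m) && !(reg_val(levelled, &features[i]) & m)) {
            if (n < max)
                out[n] = features[i].name;
            n++;
        }
    }
    return n;
}

/* Constructed sample pool (not real readings): host 0 is a newer part with
 * FMA/AVX/AVX2/BMI/RDRAND/RDSEED/ADX, host 1 an older one with none of them. */
void sample_pool(struct cpu_policy hosts[2])
{
    memset(hosts, 0, 2 * sizeof(*hosts));
    hosts[0].leaf1.ecx = BIT(0) | BIT(9) | BIT(12) | BIT(19) | BIT(20) | BIT(23) |
                         BIT(25) | BIT(26) | BIT(28) | BIT(30);
    hosts[0].leaf1.edx = BIT(25) | BIT(26);
    hosts[0].leaf7.ebx = BIT(3) | BIT(5) | BIT(8) | BIT(18) | BIT(19);
    hosts[1].leaf1.ecx = BIT(0) | BIT(9) | BIT(19) | BIT(20) | BIT(23) | BIT(25) | BIT(26);
    hosts[1].leaf1.edx = BIT(25) | BIT(26);
    hosts[1].leaf7.ebx = 0;
}

int main(void)
{
    struct cpu_policy pool[2], levelled;
    const char *hidden[NFEATURES];
    sample_pool(pool);
    level_policy(pool, 2, &levelled);
    for (int h = 0; h < 2; h++) {
        size_t n = masked_features(&pool[h], &levelled, hidden, NFEATURES);
        printf("host %d must hide %zu feature(s) from migratable guests:", h, n);
        for (size_t i = 0; i < n; i++)
            printf(" %s", hidden[i]);
        printf("\n");
    }
    return 0;
}
```

The levelled policy is what a toolstack would feed into the guest's CPUID policy before the first boot; applying it only at migration time is too late, because a guest that has already used AVX on the newer host cannot have it taken away.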
LFNW2014 Advanced Security Features of Xen Project Hypervisor (The Linux Foundation)
As delivered by Russell Pavlicek at Linuxfest Northwest 2014. Some of the key security features which can be enabled when using the Xen Project Hypervisor.
LCNA14: Why Use Xen for Large Scale Enterprise Deployments? - Konrad Rzeszute... (The Linux Foundation)
For many years, the Xen community has been delivering a solid virtualization platform for the enterprise. In support of the Xen community innovation effort, Oracle has been translating our enterprise experience with mission-critical workloads and large-scale infrastructure deployments into upstream contributions for the Linux and Xen efforts. In this session, you'll hear from a key Oracle expert, and community member, about Oracle contributions that focus on large-scale Xen deployments, networking, PV drivers, new PVH architecture, performance enhancements, dynamic memory usage with ‘tmem', and much more. This is your chance to get an under the hood view and see why the Xen architecture is the ideal choice for the enterprise.
Static partitioning is becoming increasingly common in embedded. A static hypervisor, such as Xen dom0less, is employed to split the hardware resources into multiple domains and run a different OS in each domain, for instance Linux and Zephyr. Only the simplest static partitioning configurations don't involve any data exchanges between the domains. Often, communication and data exchanges between two or more environments are required to complete the data processing pipeline that implements the target application. However, the VM-to-VM communication mechanisms available in static partitioning configurations are typically more limited compared to general-purpose hypervisors. For example, PV drivers are not available to Xen dom0less domains. This presentation will discuss the need for communication in static partitioning setups and it will present the technical challenges involved in getting traditional communication methods to work, including Xen PV drivers and VirtIO. The talk will also provide simpler alternatives based on shared memory and interrupt notifications to set up domain-to-domain data streams: simpler techniques that are usable both by Linux and by tiny bare-metal applications.
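As an added example, not code from the talk or from Xen, here is the kind of shared-memory-plus-notification stream the abstract refers to, in a form a Linux driver and a bare-metal application could both compile: a single-producer single-consumer byte ring whose header lives at the start of the shared region, with the inter-domain interrupt represented by a caller-supplied callback. The callback type, the region size and all names are assumptions of this example, and the 64-byte static region is a constructed stand-in for a shared page. The part worth studying is the waiting-flag handshake, which avoids both lost wake-ups and an interrupt per byte.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Ring header at the start of the shared region. Only the producer writes
 * prod and only the consumer writes cons, which is what makes it lock-free. */
struct ring {
    atomic_uint prod;          /* next index the producer will write */
    atomic_uint cons;          /* next index the consumer will read */
    atomic_uint cons_waiting;  /* consumer wants a notification when data lands */
    unsigned cap;              /* bytes in data[]; at most cap-1 may be queued */
    unsigned char data[];
};

/* Stand-in for raising the inter-domain interrupt (assumed interface). */
typedef void (*notify_fn)(void *ctx);

struct ring *ring_init(void *region, size_t len)
{
    if (len < sizeof(struct ring) + 2)
        return NULL;
    struct ring *r = region;
    atomic_init(&r->prod, 0);
    atomic_init(&r->cons, 0);
    atomic_init(&r->cons_waiting, 0);
    r->cap = (unsigned)(len - sizeof(struct ring));
    return r;
}

static unsigned ring_used(unsigned prod, unsigned cons, unsigned cap)
{
    return (prod + cap - cons) % cap;
}

/* Producer: queue as much of buf as fits, publish it, and ring the doorbell
 * only if the consumer announced it is waiting. Returns bytes queued. */
size_t ring_write(struct ring *r, const void *buf, size_t n, notify_fn notify, void *ctx)
{
    const unsigned char *src = buf;
    unsigned prod = atomic_load_explicit(&r->prod, memory_order_relaxed);
    unsigned cons = atomic_load_explicit(&r->cons, memory_order_acquire);
    unsigned space = r->cap - 1 - ring_used(prod, cons, r->cap);
    if (n > space)
        n = space;
    for (size_t i = 0; i < n; i++)
        r->data[(prod + i) % r->cap] = src[i];
    /* release: the bytes become visible before the index that covers them */
    atomic_store_explicit(&r->prod, (unsigned)((prod + n) % r->cap), memory_order_release);
    /* seq_cst fence pairs with the one in ring_prepare_wait(): either the
     * consumer sees the new prod, or we see its waiting flag, never neither. */
    atomic_thread_fence(memory_order_seq_cst);
    if (n > 0 && atomic_exchange(&r->cons_waiting, 0))
        notify(ctx);
    return n;
}

/* Consumer: drain up to n bytes. Returns bytes copied. */
size_t ring_read(struct ring *r, void *buf, size_t n)
{
    unsigned char *dst = buf;
    unsigned cons = atomic_load_explicit(&r->cons, memory_order_relaxed);
    unsigned prod = atomic_load_explicit(&r->prod, memory_order_acquire);
    unsigned avail = ring_used(prod, cons, r->cap);
    if (n > avail)
        n = avail;
    for (size_t i = 0; i < n; i++)
        dst[i] = r->data[(cons + i) % r->cap];
    atomic_store_explicit(&r->cons, (unsigned)((cons + n) % r->cap), memory_order_release);
    return n;
}

/* Consumer, before blocking on the interrupt: raise the waiting flag, then
 * re-check the ring. Returns 1 if data is already there (do not sleep). */
int ring_prepare_wait(struct ring *r)
{
    atomic_store(&r->cons_waiting, 1);
    atomic_thread_fence(memory_order_seq_cst);
    unsigned prod = atomic_load_explicit(&r->prod, memory_order_acquire);
    unsigned cons = atomic_load_explicit(&r->cons, memory_order_relaxed);
    if (ring_used(prod, cons, r->cap) != 0) {
        atomic_store(&r->cons_waiting, 0);
        return 1;
    }
    return 0;
}

/* Constructed stand-in for the shared page: a tiny static region. */
#define SHM_LEN 64
void *shm_region(void)
{
    static _Alignas(8) unsigned char region[SHM_LEN];
    return region;
}

/* Doorbell stand-in: counts how often the "interrupt" fired. */
void doorbell(void *ctx) { (*(int *)ctx)++; }

int main(void)
{
    int hits = 0;
    unsigned char out[SHM_LEN];
    struct ring *r = ring_init(shm_region(), SHM_LEN);
    ring_write(r, "hello", 5, doorbell, &hits);   /* nobody waiting: no doorbell */
    size_t got = ring_read(r, out, sizeof out);
    printf("read %zu bytes, doorbell fired %d time(s)\n", got, hits);
    if (!ring_prepare_wait(r))                    /* empty: consumer would now sleep */
        ring_write(r, "x", 1, doorbell, &hits);   /* ...so this write rings it */
    printf("doorbell fired %d time(s) once the consumer declared it was waiting\n", hits);
    return 0;
}
```

On real hardware the region must be mapped uncached or the two sides must share a coherent view, and the notify callback becomes whatever the platform offers (an SGI on ARM, or an event channel where Xen provides one). With only release/acquire on the indices the ring would still be correct; the seq_cst fences exist solely for the waiting-flag handshake.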
Hypervisors are becoming more and more widespread in embedded environments, from automotive to medical and avionics. Their use case is different from traditional server and desktop virtualization, and so are their requirements. This talk will explain why hypervisors are used in embedded, and the unique challenges posed by these environments to virtualization technologies.
Xen, a popular open source hypervisor, was born to virtualize x86 Linux systems for the data center. It is now the leading open source hypervisor for ARM embedded platforms. The presentation will show how the ARM port of Xen differs from its x86 counterpart. It will go through the fundamental design decisions that made Xen a good choice for ARM embedded virtualization. The talk will explain the implementation of key features such as device assignment and interrupt virtualization.
This talk will discuss the design and implementation of a new type of hypervisor derived from the Xen code base. µ-Xen has been built and optimized for modern CPUs and chipsets, and thus assumes the presence of CPU and IO MMUs that are virtualization capable. µ-Xen borrows extensively from the production-proven and tuned Xen code base, but removal of support for older hardware and PV-MMU guests has enabled significant simplification of the code. µ-Xen supports optimizations in support of running large numbers of very similar virtual machines, through the support of a native 'vmfork' optimization and efficient re-merging of shareable pages.
The primary goal of µ-Xen has been to run as a late-load hypervisor on an existing OS. It has a narrow and well-defined interface to the services it expects from the underlying OS, which makes it easy to port to other OSes, or to enable it to run on bare metal. During initialisation, µ-Xen can de-privilege the running host OS into a VM container, enabling it to establish itself as the most privileged software component in the system. Thus, µ-Xen enforces the privacy and integrity of itself and VMs that it is running, against a faulty or malicious host OS, while co-operating with the host OS on the actual allocation of physical resources.
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi... (The Linux Foundation)
This presentation will detail a practical approach to memory introspection of virtual machines running on the Xen hypervisor with no in-guest footprint. The functionality makes use of the mem-event API with a number of improvements which enable the proper tracking of guest OS activity. The technology created on top of this Xen API opens the door for several immediate applications, including: rootkit detection and prevention, detection and action on several categories of malware, and event source information for low-level post-event forensics and correlation based on real event data during events.
This talk will discuss the challenges of client virtualization and introduce at a technical level XenClient XT, a security-oriented client virtualization product by Citrix. By describing the XenClient XT architecture and features, it will be shown how Xen's unique design and its support for modern x86 platform hardware can increase security and isolation among VMs.
Disaggregation of services provided by the platform will be a key of this talk. It will also be shown how third party software components can provide services to VMs in a secure and controlled way.
XPDS16: Xen Scalability Analysis - Weidong Han, Zhichao Huang & Wei Yang, Huawei (The Linux Foundation)
As CPUs integrate more cores, servers will have more and more cores, which requires the hypervisor to scale well. This talk will introduce our analysis of the many-core scalability of Xen, and share some findings and lessons.
ALSF13: Xen on ARM - Virtualization for the Automotive Industry - Stefano Sta... (The Linux Foundation)
During the last few months of 2011 the Xen Community started an effort to port Xen to ARMv7 with virtualization extensions, using the Cortex A15 processor as reference platform.
The new Xen port is exploiting this set of hardware capabilities to run guest VMs in the most efficient way possible while keeping the ARM specific changes to the hypervisor and the Linux kernel to a minimum. Developing the new port we took the chance to remove legacy concepts like PV or HVM guests and only support a single kind of guest, comparable to "PVH" in the Xen x86 world.
Linux 3.7 was the first kernel release to run on Xen on ARM as Dom0 and DomU. Xen 4.3, out in July 2013, is the first hypervisor release to support ARMv7 with virtualization extensions and ARMv8.
This talk will explain why ARM virtualization is set to be increasingly relevant for the automotive industry in the coming years. We will go on to describe how Xen exploits the strengths of the hardware to meet the requirements of the industry. We will illustrate the early design choices and we will evaluate whether they were proven successful or a failure.
Containers are incredibly convenient to package applications and deploy them quickly across the data center.
This talk will introduce RunX, a new project under LF Edge that aims at bringing containers to the edge with extra benefits. At the core, RunX is an OCI-compatible container runtime to run software packaged as containers as Xen micro-VMs. RunX allows traditional containers to be executed with a minimal overhead as virtual machines, providing additional isolation and real-time support.
It also introduces new types of containers designed with edge and embedded deployments in mind. RunX enables RTOSes, and baremetal apps to be packaged as containers, delivered to the target using the powerful containers infrastructure, and deployed at runtime as Xen micro-VMs. Physical resources can be dynamically assigned to them, such as accelerators and FPGA blocks.
This presentation will go through the architecture of RunX and the new deployment scenarios it enables. It will provide an overview of the integration with Yocto Project via the meta-virtualization layer and describe how to build a complete system with Xen and RunX.
The presentation will come with a live demo on embedded hardware.
Software Update Mechanisms: Selecting the Best Solution for Your Embedded Linu... (ICS)
Updating device software has always been a complicated process. Today, widespread use of connected IoT device fleets, along with escalating concern over cybersecurity, has made that process even more complex. Fortunately, there are a number of well-established open source solutions to help you address software update needs. But, with so many options, how do you determine which solution is right for your device?
This webinar will provide the foundation you need to make an informed decision. We’ll examine several different industry approaches, including A/B updates with a dual-redundant scheme, delta updates, container-based updates and combined strategies, as well as the leading technologies that support these approaches. Open source technologies such as Mender, RAUC and libostree-based solutions implement these strategies and provide tools to manage updates of multiple devices.
We’ll also review a variety of open source Linux software update technologies, and offer practical examples for integrating them using the Yocto Project and OpenEmbedded. In order to help you better understand the strengths and weaknesses of each technology, we’ll deep dive into various real-world use cases, including leveraging CAAM (Cryptographic Accelerator and Assurance Module) hardware on Freescale i.MX6 hardware for encrypted and signed updates and using Microsoft Azure IoT to host software updates from the cloud.
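As an added example, not taken from the webinar or from Mender, RAUC or libostree, here is the core of the dual-redundant A/B scheme mentioned above: the persistent boot-control record, the bootloader's slot choice with a bounded number of trial boots, and the automatic rollback when the new image never confirms itself. The record layout, the names and the three-try limit are assumptions of this example, and the signature check on the image is assumed to have been done by the updater before it stages the slot.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_TRIES 3   /* trial boots a new image gets before rollback (assumed) */

enum slot_state { SLOT_EMPTY, SLOT_GOOD, SLOT_TRYING, SLOT_BAD };

struct slot {
    uint32_t version;        /* image version written into this slot */
    enum slot_state state;
    uint8_t tries_left;      /* only meaningful while SLOT_TRYING */
};

/* Boot-control record a bootloader keeps in persistent storage
 * (constructed layout; real schemes keep it in a flash sector or env). */
struct bootctl {
    struct slot slot[2];
    uint8_t active;          /* slot the bootloader should boot next */
};

void bootctl_init(struct bootctl *bc, uint32_t factory_version)
{
    memset(bc, 0, sizeof(*bc));
    bc->slot[0].version = factory_version;
    bc->slot[0].state = SLOT_GOOD;
    bc->slot[1].state = SLOT_EMPTY;
    bc->active = 0;
}

/* Updater side: after a verified image has been written to the inactive
 * slot, arm it for a trial boot. Returns the armed slot, or -1 when the
 * active slot is itself still on trial: its fallback must not be touched. */
int bootctl_stage_update(struct bootctl *bc, uint32_t new_version)
{
    if (bc->slot[bc->active].state == SLOT_TRYING)
        return -1;
    int target = bc->active ^ 1;
    bc->slot[target].version = new_version;
    bc->slot[target].state = SLOT_TRYING;
    bc->slot[target].tries_left = MAX_TRIES;
    bc->active = (uint8_t)target;
    return target;
}

/* Bootloader side: pick the slot to boot, consuming one trial attempt,
 * and roll back to the other slot once the trials are used up.
 * Returns the slot index or -1 when no slot is bootable. */
int bootctl_select(struct bootctl *bc)
{
    struct slot *s = &bc->slot[bc->active];
    if (s->state == SLOT_TRYING) {
        if (s->tries_left > 0) {
            s->tries_left--;             /* persisted before jumping to the image */
            return bc->active;
        }
        s->state = SLOT_BAD;             /* never confirmed: roll back */
        bc->active ^= 1;
        s = &bc->slot[bc->active];
    }
    if (s->state == SLOT_GOOD)
        return bc->active;
    int other = bc->active ^ 1;          /* active slot unusable: try its twin */
    if (bc->slot[other].state == SLOT_GOOD) {
        bc->active = (uint8_t)other;
        return other;
    }
    return -1;
}

/* Userspace side: called once the booted image has passed its health checks. */
void bootctl_confirm(struct bootctl *bc)
{
    bc->slot[bc->active].state = SLOT_GOOD;
}

/* Constructed scenario: factory image 100, update 200 staged, then `boots`
 * reboots; the new image confirms itself only when `confirms` is set.
 * Returns the version that ends up running (0 if nothing is bootable). */
uint32_t simulate(int confirms, int boots, struct bootctl *out)
{
    struct bootctl bc;
    uint32_t running = 0;
    bootctl_init(&bc, 100);
    bootctl_stage_update(&bc, 200);
    for (int i = 0; i < boots; i++) {
        int s = bootctl_select(&bc);
        if (s < 0) { running = 0; break; }
        running = bc.slot[s].version;
        if (confirms && running == 200)
            bootctl_confirm(&bc);
    }
    if (out) *out = bc;
    return running;
}

int main(void)
{
    struct bootctl bc;
    printf("update confirmed on first boot -> running v%u\n", (unsigned)simulate(1, 2, NULL));
    printf("update never confirms, 3 boots -> running v%u (still on trial)\n", (unsigned)simulate(0, 3, NULL));
    printf("update never confirms, 4 boots -> running v%u (rolled back)\n", (unsigned)simulate(0, 4, &bc));
    printf("slot 1 state after rollback: %s\n", bc.slot[1].state == SLOT_BAD ? "BAD" : "other");
    return 0;
}
```

Two details carry most of the security value: the trial counter is decremented by the bootloader before control is handed over, so a kernel that crashes before userspace still burns a try, and a new update cannot be staged while the running image is unconfirmed, because the only remaining good image is the fallback it would overwrite.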
This talk provides an overview of the Xen Project eco-system and its main use-cases in a number of important market segments: it covers server virtualization, cloud computing and embedded, automotive and related. Lars Kurth highlights why the Xen Project is relevant in these market segments: he provides an overview of the Xen Project's architecture, relevant existing functionality and ongoing and planned developments. To complement the picture, he covers open-source projects that are related to Xen and are of interest for these use-cases. Excellent Software security is key to all of these use-cases. Thus, Lars specifically covers the Xen Project's security features, track record and touches on the project's security practices. He concludes with a few resources that help you get started with the Xen Project and highlight Internship Programs which the project supports.
The talk was delivered at Root Linux Conference 2017. Learn more: http://linux.globallogic.com/materials. The video is available at https://www.youtube.com/watch?v=sjQnAIJji4k
XPDS16: Xen Orchestra: building a Cloud on top of Xen - Olivier Lambert & Jul...The Linux Foundation
Since its inception, the Xen Orchestra project which uses AGPLv3, always had a philosophy to listen and engage the community. User feedback shaped our initial concept, which first targeted system administrators. Eventually, our users drove us to support cloud-scale deployments supporting up to 2000 VM's. Retaining simplicity in usage and installation, while evolving Xen Orchestra to cloud scale posed many challenges. This led us to build many new features such ACLs, self-service, live charts, config drive management, and more, forced us to constantly evolve our architecture. First we will show how user needs changed our architecture, and how we implemented challenging problems such as user permissions, ACLs, Containers in a virtualized infrastructure and self service. We will conclude with a short demo, what is next and a lessons learned.
XPDS16: Hypervisor-based Security: Vicarious Learning via Introspektioneerin...The Linux Foundation
This presentation is based on the technical hurdles we overcame when building a commercial product on the introspection capabilities of the Xen hypervisor. Mihai Dontu will relate the importance of the x86 emulator, the need for a more focused effort on its completeness and correctness, the problems encountered, and the solutions adopted. He will also approach the subject of performance, for which hypervisor features that were not meant to be in the hot path had to be punctually reworked to solve a key requirement for making a theoretical product a commercial reality.
XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, Citrix (The Linux Foundation)
As the first ARM servers and microservers hit the market, Xen on ARM is becoming more mature, stable and reaching feature parity with x86. This talk will present the current status of the project, will describe the latest improvements, the gaps that still need to be filled and the roadmap going forward. ARMv8 silicon is now available for purchase: we can measure how well Xen on ARM 64-bit is performing on real hardware and compare the performance figures with other hypervisors. The presentation will show these results, it will measure the overhead introduced by Xen on ARM and will compare it with the overhead introduced by Xen and KVM on x86. The talk will explain the reasons behind performance shortfalls and present ideas on how to address them in the future. The performance results will be used to determine when it makes sense to use Xen on ARM and what are the best use cases for it.
Migration of virtual machines without guest downtime is a key feature for hypervisors. Sadly, not all hardware is the same, and keeping guests running in a heterogeneous environment takes a lot of care. Normally, features are advertised via the CPUID instruction, but life is never as simple as we would like. Andrew will discuss what information needs to be controlled, what information can and can't be controlled, and how it applies to Xen guests.
LFNW2014 Advanced Security Features of Xen Project Hypervisor (The Linux Foundation)
As delivered by Russell Pavlicek at Linuxfest Northwest 2014. Covers some of the key security features which can be enabled when using the Xen Project Hypervisor.
LCNA14: Why Use Xen for Large Scale Enterprise Deployments? - Konrad Rzeszute... (The Linux Foundation)
For many years, the Xen community has been delivering a solid virtualization platform for the enterprise. In support of the Xen community innovation effort, Oracle has been translating our enterprise experience with mission-critical workloads and large-scale infrastructure deployments into upstream contributions for the Linux and Xen efforts. In this session, you'll hear from a key Oracle expert, and community member, about Oracle contributions that focus on large-scale Xen deployments, networking, PV drivers, new PVH architecture, performance enhancements, dynamic memory usage with 'tmem', and much more. This is your chance to get an under the hood view and see why the Xen architecture is the ideal choice for the enterprise.
Static partitioning is becoming increasingly common in embedded. A static hypervisor, such as Xen dom0less, is employed to split the hardware resources into multiple domains and run a different OS in each domain, for instance Linux and Zephyr. Only the simplest static partitioning configurations don't involve any data exchanges between the domains. Often, communication and data exchanges between two or more environments are required to complete the data processing pipeline that implements the target application. However, the VM-to-VM communication mechanisms available in static partitioning configurations are typically more limited compared to general-purpose hypervisors. For example, PV drivers are not available to Xen dom0less domains. This presentation will discuss the need for communication in static partitioning setups and it will present the technical challenges involved in getting traditional communication methods to work, including Xen PV drivers and VirtIO. The talk will also provide simpler alternatives based on shared memory and interrupt notifications to set up domain-to-domain data streams: simpler techniques that can easily be used both by Linux and by tiny baremetal applications.
Hypervisors are becoming more and more widespread in embedded environments, from automotive to medical and avionics. Their use case is different from traditional server and desktop virtualization, and so are their requirements. This talk will explain why hypervisors are used in embedded, and the unique challenges posed by these environments to virtualization technologies.
Xen, a popular open source hypervisor, was born to virtualize x86 Linux systems for the data center. It is now the leading open source hypervisor for ARM embedded platforms. The presentation will show how the ARM port of Xen differs from its x86 counterpart. It will go through the fundamental design decisions that made Xen a good choice for ARM embedded virtualization. The talk will explain the implementation of key features such as device assignment and interrupt virtualization.
This talk will discuss the design and implementation of a new type of hypervisor derived from the Xen code base. µ-Xen has been built and optimized for modern CPUs and chipsets, and thus assumes the presence of CPU and IO MMUs that are virtualization capable. µ-Xen borrows extensively from the production-proven and tuned Xen code base, but removal of support for older hardware and PV-MMU guests has enabled significant simplification of the code. µ-Xen supports optimizations in support of running large numbers of very similar virtual machines, through the support of a native 'vmfork' optimization and efficient re-merging of shareable pages.
The primary goal of µ-Xen has been to run as a late-load hypervisor on an existing OS. It has a narrow and well-defined interface to the services it expects from the underlying OS, which makes it easy to port to other OSes, or to enable it to run on bare metal. During initialisation, µ-Xen can de-privilege the running host OS into a VM container, enabling it to establish itself as the most privileged software component in the system. Thus, µ-Xen enforces the privacy and integrity of itself and VMs that it is running, against a faulty or malicious host OS, while co-operating with the host OS on the actual allocation of physical resources.
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi... (The Linux Foundation)
This presentation will detail a practical approach to memory introspection of virtual machines running on the Xen hypervisor with no in-guest footprint. The functionality makes use of the mem-event API with a number of improvements which enable the proper tracking of guest OS activity. The technology created on top of this Xen API opens the door for several immediate applications, including: rootkit detection and prevention, detection and action on several categories of malware, and event source information for low-level post-event forensics and correlation based on real event data during events.
This talk will discuss the challenges of client virtualization and introduce at a technical level XenClient XT, a security-oriented client virtualization product by Citrix. By describing the XenClient XT architecture and features, it will be shown how Xen's unique design and its support for modern x86 platform hardware can increase security and isolation among VMs.
Disaggregation of services provided by the platform will be a key of this talk. It will also be shown how third party software components can provide services to VMs in a secure and controlled way.
XPDS16: Xen Scalability Analysis - Weidong Han, Zhichao Huang & Wei Yang, Huawei (The Linux Foundation)
As CPUs integrate more cores, servers will have more and more cores. This requires the hypervisor to have good scalability. This talk will introduce our analysis of the many-core scalability of Xen, and share some findings and lessons.
ALSF13: Xen on ARM - Virtualization for the Automotive Industry - Stefano Sta... (The Linux Foundation)
During the last few months of 2011 the Xen Community started an effort to port Xen to ARMv7 with virtualization extensions, using the Cortex A15 processor as reference platform.
The new Xen port is exploiting this set of hardware capabilities to run guest VMs in the most efficient way possible while keeping the ARM specific changes to the hypervisor and the Linux kernel to a minimum. Developing the new port we took the chance to remove legacy concepts like PV or HVM guests and only support a single kind of guest that is comparable to "PVH" in the Xen x86 world.
Linux 3.7 was the first kernel release to run on Xen on ARM as Dom0 and DomU. Xen 4.3, out in July 2013, is the first hypervisor release to support ARMv7 with virtualization extensions and ARMv8.
This talk will explain why ARM virtualization is set to be increasingly relevant for the automotive industry in the coming years. We will go on to describe how Xen exploits the strengths of the hardware to meet the requirements of the industry. We will illustrate the early design choices and evaluate whether they proved to be successes or failures.
Containers are incredibly convenient to package applications and deploy them quickly across the data center.
This talk will introduce RunX, a new project under LF Edge that aims at bringing containers to the edge with extra benefits. At the core, RunX is an OCI-compatible container runtime to run software packaged as containers as Xen micro-VMs. RunX allows traditional containers to be executed with a minimal overhead as virtual machines, providing additional isolation and real-time support.
It also introduces new types of containers designed with edge and embedded deployments in mind. RunX enables RTOSes, and baremetal apps to be packaged as containers, delivered to the target using the powerful containers infrastructure, and deployed at runtime as Xen micro-VMs. Physical resources can be dynamically assigned to them, such as accelerators and FPGA blocks.
This presentation will go through the architecture of RunX and the new deployment scenarios it enables. It will provide an overview of the integration with Yocto Project via the meta-virtualization layer and describe how to build a complete system with Xen and RunX.
The presentation will come with a live demo on embedded hardware.
Software Update Mechanisms: Selecting the Best Solution for Your Embedded Linu... (ICS)
Updating device software has always been a complicated process. Today, widespread use of connected IoT device fleets, along with escalating concern over cybersecurity, has made that process even more complex. Fortunately, there are a number of well-established open source solutions to help you address software update needs. But, with so many options, how do you determine which solution is right for your device?
This webinar will provide the foundation you need to make an informed decision. We’ll examine several different industry approaches, including A/B updates with a dual-redundant scheme, delta updates, container-based updates and combined strategies, as well as the leading technologies that support these approaches. Open source technologies such as Mender, RAUC and libostree-based solutions implement these strategies and provide tools to manage updates of multiple devices.
We’ll also review a variety of open source Linux software update technologies, and offer practical examples for integrating them using the Yocto Project and OpenEmbedded. In order to help you better understand the strengths and weaknesses of each technology, we’ll deep dive into various real-world use cases, including leveraging CAAM (Cryptographic Accelerator and Assurance Module) hardware on Freescale i.MX6 hardware for encrypted and signed updates and using Microsoft Azure IoT to host software updates from the cloud.
Webinar: OpenEBS - Still Free and now FASTEST Kubernetes storage (MayaData Inc)
Webinar Session - https://youtu.be/_5MfGMf8PG4
In this webinar, we share how the Container Attached Storage pattern makes performance tuning more tractable, by giving each workload its own storage system, thereby decreasing the variables needed to understand and tune performance.
We then introduce MayaStor, a breakthrough in the use of containers and Kubernetes as a data plane. MayaStor is the first containerized data engine available that delivers near the theoretical maximum performance of underlying systems. MayaStor performance scales with the underlying hardware and has been shown, for example, to deliver in excess of 10 million IOPS in a particular environment.
Red Hat multi-cluster management & what's new in OpenShift (Kangaroot)
More and more organisations are not only using container platforms but starting to run multiple clusters of containers. And with that comes new headaches of maintaining, securing, and updating those multiple clusters. In this session we'll look into how Red Hat has solved multi-cluster management, covering cluster lifecycle, app lifecycle, and governance/risk/compliance.
Presented at NSA User Group. Steps through recent activities and technologies in use across NSA and the IC. Specifically mentions data ingress/egress with JBoss Messaging and MRG-M, storage of data with XFS and GFS, and data presentation capabilities with JBoss Enterprise Middleware Portfolio. 15-20min on Security Automation with SCAP.
Automated Deployment and Management of Edge Clouds (Jay Bryant)
This presentation discusses the challenges of cloud computing at the edge, from the exploding number of nodes to the need for integrated monitoring and zero-touch discovery. We introduce Lenovo Open Cloud Automation, an automated framework built in collaboration with Red Hat to help address these challenges.
Static partitioning is used to split an embedded system into multiple domains, each of them having access only to a portion of the hardware on the SoC. It is key to enable mixed-criticality scenarios, where a critical application, often based on a small RTOS, runs alongside a larger non-critical app, typically based on Linux. The two domains cannot interfere with each other.
This talk will explain how to use Xen for static partitioning. It will introduce dom0-less, a new Xen feature written for the purpose. Dom0-less allows multiple VMs to start at boot time directly from the Xen hypervisor, decreasing boot times drastically. It makes it very easy to partition the system without virtualization overhead. Dom0 becomes unnecessary.
This presentation will go into details on how to setup a Xen dom0-less system. It will show configuration examples and explain device assignment. The talk will discuss its implications for latency-sensitive and safety-critical environments.
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ... (The Linux Foundation)
TrenchBoot is a cross-community OSS integration project for hardware-rooted, late launch integrity of open and proprietary systems. It provides a general purpose, open-source DRTM kernel for measured system launch and attestation of device integrity to trust-centric access infrastructure. TrenchBoot closes the UEFI Measurement Gap and reduces the need to trust system firmware. This talk will introduce TrenchBoot architecture and a recent collaboration with Oracle to launch the Linux kernel directly with Intel TXT or AMD SVM Secure Launch. It will propose mechanisms for integrating the Xen hypervisor into a TrenchBoot system launch. DRTM-enabled capabilities for client, server and embedded platforms will be presented for consideration by the Xen community.
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu... (The Linux Foundation)
Artem will briefly cover what has been done since the first talk on Xen in Automotive domain back in 2013, what is going on now and what is still missing for broad adaptation of Xen in vehicles. The following topics will be covered:
Embedded/automotive features of Xen
Collaboration with AGL and GENIVI organizations for standardization
Efforts on Functional Safety compliance
Artem will also go over typical automotive use scenarios for Xen which may not be the same as generic computing use of hypervisor.
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op... (The Linux Foundation)
In this keynote talk, we will give an overview of the state of the Xen Project, trends that impact the project, see whether challenges that surfaced last year have been addressed and how we did it, and highlight new challenges and solutions for the coming year.
In recent years unikernels have shown immense performance potential (e.g., boot times of only a few ms, image sizes of only hundreds of KBs). The fundamental drawback of unikernels is that they require that applications be manually ported to the underlying minimalistic OS, needing both expert work and often a considerable amount of time.
The Unikraft project provides a unikernel code base and build system that significantly simplifies the building of unikernels. In addition to support for a number of CPU architectures, languages and frameworks, Unikraft provides debugging and tracing features that are generally sorely missing from unikernel projects. In this talk we will talk about these features, show a set of preliminary performance numbers, and provide a roadmap for the project's future.
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E... (The Linux Foundation)
The idea of making Xen secret-free has been floating since Spectre and Meltdown came into light. In this talk we will discuss what is being done and what needs to be done next.
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx (The Linux Foundation)
This talk will introduce Dom0-less: a new way of using Xen to build mixed-criticality solutions. Dom0-less is a Xen feature that adds a novel approach to static partitioning based on virtualization. It allows multiple domains to start at boot time directly from the Xen hypervisor, decreasing boot times dramatically. Xen userspace tools, such as xl and libvirt, become optional.
Dom0-less extends the existing device tree based Xen boot protocol to cover information required by additional domains. Binaries, such as kernels and ramdisks, are loaded by the bootloader (u-boot) and advertised to Xen via new device tree bindings.
The audience will learn how to use Dom0-less to partition the system. U-Boot and device tree configuration details will be explained to enable the audience to get the most out of this feature. The talk will include a status update and details on future plans.
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys... (The Linux Foundation)
As the number of contributions grow, reviewer bandwidth becomes a bottleneck; and maintainers are always asking for more help. However, ultimately maintainers must at least Ack every patch that goes in; so if you're not a maintainer, how can you contribute? Why should anyone care about your opinion?
This talk will try to lay out some advice and guidelines for non-maintainers, for how they can do code review in a way which will effectively reduce the load on maintainers when they do come to review a patch.
This talk is a follow-up to our Summit 2017 presentation in which we covered our plans for Intel VMFUNC and #VE, as well as related use-cases. This year, we will provide a report on what we have accomplished in Xen 4.12, and what remains to be addressed. We will also give a brief status update of VMI on AMD hardware. The session will end with some real-world numbers of the Hypervisor Introspection solution running on Citrix Hypervisor 8.0 with #VE enabled.
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng... (The Linux Foundation)
Safety certification is one of the essential requirements for software to be used in highly regulated industries. Besides technical and compliance issues (such as ISO 26262 vs IEC 61508), transitioning an existing project to become more easily safety certifiable requires significant changes to development practices within an open source project.
In this session, we will lay out some challenges of making safety certification achievable in open source and the Xen Project. We will outline the process the Xen Project has followed thus far and highlight lessons learned along the way. The talk will primarily focus on necessary process, tooling changes and community challenges that can prevent progress. We will be offering an in-depth review of how Xen Project is approaching this challenging goal and try to derive lessons for other projects and contributors.
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making... (The Linux Foundation)
Safety certification is one of the essential requirements for software to be used in highly regulated industries. The Xen Project, a secure and stable hypervisor that is used in many different markets, has been exploring the feasibility of building safety certified products on top of Xen for a year, looking at key aspects of its code base and development practices.
In this session, we will lay out the motivation and challenges of making safety certification achievable in open source and the Xen Project. We will outline the process the project has followed thus far and highlight lessons learned along the way. The talk will cover technical enablers, necessary process and tooling changes and community challenges, offering an in-depth review of how the Xen Project is approaching this exciting and challenging goal.
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix (The Linux Foundation)
2018 saw fundamental shifts in security boundaries which were previously taken for granted. A lot of work has been done in the past 2 years, and largely in secret under embargo, but there is plenty more work to be done to strengthen the existing mitigations and to try to recover some performance without reopening security holes.
This talk will look at speculative execution sidechannels, the work which has already been done to mitigate the security holes, and future work which hopes to bring some improvements.
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd (The Linux Foundation)
The Arm architecture provides a set of guidelines that any software should abide by when accessing memory with the MMU off and when updating page-tables. Failing to do so may result in TLB conflicts or broken coherency.
In a previous talk ("Keeping coherency on Arm"), we focused on updating safely the stage-2 (aka P2M) page-tables. This talk will focus on the boot code and Xen memory management.
During this session, we will introduce some of the guidelines and when they should be used. We will also discuss how the Xen boot sequence needs to be reworked to avoid breaking the guidelines.
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant... (The Linux Foundation)
For many years the QEMU codebase has contained PV backends for Xen guests, giving them paravirtual access to storage, network, keyboard, mouse, etc. However, these backends have not been configurable as QEMU devices, as their implementation did not fully adhere to the QEMU Object Model (QOM).
Particularly the PV storage backend not using proper QOM devices, or qdevs, meant that the QEMU block layer needed to maintain legacy code that was cluttering up the source. This was causing push-back from the maintainers who did not want to accept any patches relating to that Xen backend until it was 'qdevified'.
In this talk, I'll explain the modifications I made to QEMU to achieve 'qdevification' of the PV storage backend, how compatibility with the libxl toolstack was maintained, and what the next steps in both QEMU and libxl development should be.
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D (The Linux Foundation)
PCI is a local computer bus for attaching hardware devices in a computer, and is the main peripheral bus on modern x86 systems. As such, having a proper way to emulate it is crucial for Xen to be able to expose both fully emulated devices or passthrough devices to guests.
This talk will focus on the current status of PCI emulation in Xen, how and where it is used, what are its main limitations and future plans to improve it in order to be more robust and modular.
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems (The Linux Foundation)
Volodymyr will speak about TEE mediators. This is a new feature in Xen which allows multiple virtual machines to interact with the Trusted Execution Environment available on the platform. He developed a mediator for one of the TEEs, namely OP-TEE.
He will give background information on why TEE is needed at all and share some implementation details.
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven... (The Linux Foundation)
Xen is a very powerful hypervisor with a talented and diverse developer community. Despite the fact that it's almost everywhere (from the Cloud to the embedded world), it can be difficult to set up and manage as a system administrator. General purpose distros have Xen packages, but that's just a start in your Xen journey: you need some tooling and knowledge to have a working and scalable platform.
XCP-ng was built to overcome those issues: by bringing Xen to the masses with a fully turnkey distro with Xen as its core. It's the logical sequel to the XCP project, with a community focus from the start. We'll see how it happened, what we did, and what's next. Finally, we'll see the impact of XCP-ng on the Xen Project.
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib... (The Linux Foundation)
Doug has long advocated for more CI/CD (Continuous Integration / Continuous Delivery) processes to be adopted by the Xen Project from the use of Travis CI and now GitLab CI. This talk aims to propose ideas for building upon the existing process and transforming the development process to provide users a higher quality with each release by the Xen Project.
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr... (The Linux Foundation)
High level toolstacks for server and cloud virtualization are very mature with large communities using and supporting them. Client virtualization is a much more niche community with unique requirements when compared to those found in the server space. In this talk, we’ll introduce a client virtualization toolstack for Xen (redctl) that we are using in Redfield, a new open-source client virtualization distribution that builds upon the work done by the greater virtualization and Linux communities. We will present a case for maturing libxl’s Go bindings and discuss what advantages Go has to offer for high level toolstacks, including in the server space.
Today Xen schedules guest virtual cpus on all available physical cpus independently from each other. Recent security issues on modern processors (e.g. L1TF) require hyperthreading to be turned off for best security, in order to avoid leaking information from one hyperthread to the other. One way to avoid having to turn off hyperthreading is to only ever schedule virtual cpus of the same guest on one physical core at the same time. This is called core scheduling.
This presentation shows results from the effort to implement core scheduling in the Xen hypervisor. The basic modifications in Xen are presented and performance numbers with core scheduling active are shown.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024 (Tobias Schneck)
As AI technology is pushing into IT, I was wondering myself, as an "infrastructure container kubernetes guy", how does this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principles as well? What benefits could both technologies bring to each other?
Let me take these questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, and what could be beneficial or limiting for your AI use cases in an enterprise environment. An interactive demo will give you some insights into what approaches I already got working for real.
DevOps and Testing slides at DASA Connect (Kari Kakkonen)
My and Rik Marselis' slides at the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is and finally what Testing in DevOps is. Finally we had a lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
JMeter webinar - integration with InfluxDB and Grafana (RTTS)
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
State of ICS and IoT Cyber Threat Landscape Report 2024 preview (Prayukth K V)
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio's cyber threat intelligence farming facilities, spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality (Inflectra)
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
UiPath Test Automation using UiPath Test Suite series, part 3
XPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE Systems
1. OpenXT Project in 2016
Christopher Clark
BAE Systems
Xen Developer Summit, 25-26th
August, 2016
2. Presenter: Christopher Clark
Xen affiliations:
● BAE Systems and the OpenXT Project - since January 2016.
● { non-Xen engineering work, 4 years }
● Citrix Systems
● XenSource Inc.
● Intel Corporation
● Cambridge University Computer Laboratory
Projects: OpenXT - XenClient XT - XenClient - XenServer - Xen hypervisor
Roles:
● Interoperability Architect
● Release Manager
● Principal Engineer
● Graduate Student
Focus of work in 2016: Governance for the OpenXT Project ; Security review of OpenXT software.
3. Outline
● Introduction to OpenXT
● Distinguishing aspects of OpenXT
● Current activity within the OpenXT Project
○ Recent developments
○ Work in progress
○ Roadmap items
4. OpenXT : motivation*
● Advance progress towards more secure computing through a modern, practical, open system architecture
● Provide a common platform of software to build upon, prioritizing extensibility, adaptable to diverse use cases, to promote collaboration and sharing of common components
● Support building usable systems that are robust to partial compromise
*Note: these are the opinion of the presenter
5. OpenXT nutshell
● Core technology : Virtualization. Xen.
● Toolkit : full software stack for a virtualized system
○ OpenEmbedded toolchain, Linux kernels, VM filesystems, toolstack, … . “Batteries included.”
○ Extensible, configurable for diverse use cases and commercial derived products.
○ Supports Service VMs and APIs.
● Security : primary criteria in architecture decisions
○ Design enables strong assurances rooted in hardware.
○ Community has expertise.
● Open Source : OSI-approved licenses, open development
● Client capable : validated support for desktop, laptop hardware and devices
6. What distinguishes OpenXT?
● Security focus of the system architecture and technology selection
● Community
○ Depth of expertise in critical technologies, diversity of experience, direction of focus.
○ Members involved in development of platform security technologies across industry.
● Client use cases supported
● Open Source, OpenEmbedded build and toolchain
○ Participation in upstream communities and commitment to support downstream projects.
● Validated integration
○ An integrated system of many complex software components.
○ Derivative products have been successfully Certified and deployed.
7. Build Product
A current build of OpenXT software today produces a bootable ISO that runs an installer. The installer provisions the Xen hypervisor and a collection of helper VMs running Linux to provide a hardened desktop environment for running Windows or Linux desktop workloads. It provides guest tools with paravirtualized device drivers to install within the guest VMs.
Extensibility of this system:
● At software compile and build time: customizable via OpenEmbedded Layers.
● At deployment time: API support for third-party Service VMs.
8. Platform Properties of OpenXT
Our community has consensus that these properties of the software are important to us:
● Integrity of operating software assured via measured launch and hardware-rooted enforcement of isolation between components.
● Protection of storage, confidentiality and integrity of system configuration and user data.
● Protection of communications, with isolation between network device control software, encryption software with network credentials, and user software.
● Protection of concurrent user software execution environments.
● Protection of user input via local keyboard, mouse and touchscreen devices.
● Protection of graphical output, with support for high-performance 3D desktops.
● Policy-based assignment and confinement of hardware peripherals.
● Compatibility with modern computer hardware and contemporary operating systems.
● Architected and licensed to support commercial derivative software.
A maintained list of platform properties is at: https://openxt.atlassian.net/wiki/display/CS/Gov2%3A+OpenXT+Platform+Properties+and+Layers
9. Architecture aspects / Technologies
● OpenEmbedded ecosystem provides toolchain and software platform
● The OpenXT Project is a strong proponent of disaggregation and isolation
○ Provides a distributed network stack with VT-d-enforced isolation
● Measured Launch : using Intel TXT, tboot, TPM 1.2, trousers
● Read-only root filesystems with reset upon power operations
● Linux-based stub-domains to encapsulate Qemu instances
● Xen Security Modules enabled and enforcing
● SELinux enabled and enforcing with a tailored policy in Dom0 and NDVM
● Blktap2 storage path, soon to be blktap3
● Modern PV-USB stack with Windows and Linux guest support
● Specialized human interface device input layer
10. OpenEmbedded
A mature Open Source, collaborative, distributed, software packaging project and toolchain.
● OpenEmbedded delivers many software packages.
○ Toolkit for assembling an entirely customized Linux distribution.
● We use it to assemble multiple customized Linux distributions to build OpenXT
○ Domain 0
○ Stubdomains
○ The OpenXT Installer
○ NDVM
○ UIVM
○ SyncVM
○ ...
11. OpenEmbedded
OpenEmbedded delivers many software packages.
● Each package is described in a Recipe.
○ Recipes declare package version, source URL, license, build steps, customizations, etc.
● Collections of recipes are maintained in Layers.
○ Software within a layer is maintained together to ensure compatibility between packages.
○ A layer is a git repository with a curated collection of recipe files with community governance.
12. OpenEmbedded
● Downstream layers can override or extend recipes of upstream layers to apply customizations, if needed.
● Downstream layers benefit from upstream layers' component maintainership. Maximizes community collaboration on shared common components.
● OpenXT provides its own Layer.
○ In near future, it will be multiple layers - we are clustering our components into separate layers.
○ When you work on OpenXT, you work with git repos containing recipes or source code of components that recipes compile and package.
● OpenEmbedded is one of several projects “upstream” to OpenXT. We work to integrate our changes into the highest layer appropriate.
13. OpenEmbedded Layers in OpenXT
Layers in OpenXT:
● openembedded-core
● meta-openembedded (*1): meta-xfce, meta-oe, meta-gnome, meta-networking, meta-python
● meta-java
● meta-selinux
● meta-intel
● coming soon: meta-virtualization
● xenclient-oe (*2)
Other layers of interest:
● meta-security-isafw
● meta-measured
● meta-servicevm
*1 meta-openembedded actually provides multiple layers, rather than just one
*2 “xenclient-oe” should be renamed and separated into “meta-openxt-*” layers
14. Xen hypervisor and Qemu device emulator
Numerous modifications vs Upstream Xen + Qemu. Motivated by our secure client use cases.
● Xen Security Modules (XSM): Enabled and Enforcing.
● Suspend, hibernate and power management changes.
● v4v interdomain communication protocol + firewall.
● Modifications to blktap2 storage support for encryption and disk transfers - blktap3 work due to commence soon.
● Cosmetic fixes to correctly display Windows boot graphics.
● ACPI and SMBIOS support for laptop vendor customizations - now upstream and undergoing further development.
● Hardware quirk fixes.
● Setting cache attributes on mapped memory for video support.
The delta vs upstream is decreasing.
Upstream capabilities improve with our involvement and former XenClient features are removed from OpenXT.
Current migration work towards newer hypervisor versions is reducing our patch queue.
15. Distributed network architecture
A key distinguishing feature of the OpenXT system
Default configuration: All of the physical PCI network devices are assigned to a single Network Device Virtual Machine (NDVM) and isolated using VT-d.
[Diagram: on Xen, Dom0 (Toolstack), the UIVM (Network Manager user interface), the NDVM (NIC and Wi-Fi device drivers, Bridging & Routing, Netback, Network Manager) and the Windows and Linux Desktop guests, each with a PV netfront connected to the NDVM.]
16. Distributed network architecture
A key distinguishing feature of the OpenXT system architecture.
Default configuration: All of the physical PCI network devices are assigned to a single Network Device Virtual Machine (NDVM) and isolated using VT-d.
The NDVM contains all the network device drivers.
Exports access to the networks via virtual interfaces into the guest VMs.
Bridging or routing guest networks and physical networks happens in the NDVM.
Dom0 is not part of the guest networking datapath.
User control of networks is via the Network Manager applet in the User Interface VM.
This connects to the network-manager daemon via dbus proxied over v4v.
Architecture isolates network device drivers from all VMs and dom0.
A compromised network device driver only compromises the NDVM and not the rest of the system.
17. Network architecture
Alternative configuration
OpenXT also supports running multiple NDVMs: one per Network Interface Card.
Configuration instructions are in the project documentation.
This stronger configuration enables VT-d-enforced isolation between physical networks.
It costs additional resources (RAM, CPU) to run additional NDVMs, and can alter maximum throughput and packet latency across networks, but it enables insertion of protected middlebox VMs into the cross-network path.
18. Network architecture
The OpenXT platform supports development of "NILF-VM"s: Network Interface Layer Function VMs.
This is to support third-party networking software integration.
eg: a VPN interposition NILF-VM.
A VM that provides encapsulation of all network traffic via a VPN, interposing in-between a guest Windows VM and the NDVM assigned to the physical NIC.
This isolates VPN credentials from both the guest Windows software and the network device driver.
The unencrypted traffic data is never accessible by the NIC hardware or the network device driver.
Demonstrates Xen’s strength, the advantage provided by a type-1 hypervisor.
19. Measured Launch
Core concept:
A sequence of software measurements is taken during system boot, with each component measured prior to launching it, and the measurements securely stored in the hardware Trusted Platform Module.
Measurements are then used to unlock encryption keys that grant access to system configuration and user data, providing confidentiality and constraining access to only when the trusted system software is running.
20. Measured Launch
● Implementation built upon hardware platform primitives: Intel TXT and a TPM device.
● Measurements include: Xen binary, Dom0 kernel, kernel command lines, Dom0 initrd, Dom0 rootfs, tboot, microcode, Intel ACMs, and XSM policy.
● Uses grub version 2, with a fixed, measured grub command line. Interactive grub prompt is disabled.
The measurements of all components must be correct to acquire the decryption key to unlock access to the host platform configuration data stored on disk and the keys to the disk images of guest VMs.
Notable components:
● Tboot is the Xen launch verifier for TXT.
● TrouSerS, TCG Software Stack. User space software that drives the TPM via a Dom0 kernel device.
● Disk encryption is performed with LUKS. AES-NI accelerates encryption and decryption data paths.
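The sealing step described on this slide and the previous one, as an added example written for this page (not OpenXT, tboot or TrouSerS code): a TPM 1.2-style PCR is extended with the SHA-1 digest of each boot component in launch order, a key is sealed to the resulting PCR value, and after a reboot the key is released only if the re-measured chain reproduces that value. The component contents, the PCR index and the key bytes are constructed stand-ins; a real OpenXT launch measures the longer list above.

```python
"""Model of a TPM 1.2-style measured launch and a sealed disk key.

Added illustration, not OpenXT, tboot or TrouSerS code. Each boot component
is hashed before launch, the digest is folded into a PCR with the TPM extend
operation (SHA-1, as in TPM 1.2), and a key sealed to the PCR is released
only when the PCR holds exactly the value it was sealed against.
Component contents, the PCR index and the key bytes are constructed.
"""
import hashlib

PCR_INIT = b"\x00" * 20   # a TPM 1.2 PCR resets to twenty zero bytes
PCR_LAUNCH = 17           # constructed choice; TXT reserves PCRs 17-22 for the launch


def measure(component: bytes) -> bytes:
    """A component's measurement is its SHA-1 digest (TPM 1.2 hash bank)."""
    return hashlib.sha1(component).digest()


class SimTpm:
    """Enough of a TPM to show extend-then-unseal. Sealed secrets leave the
    object only through unseal(), as they leave a real TPM only on a PCR match."""

    def __init__(self):
        self.reset()
        self._sealed = {}

    def reset(self):
        """Power-on state: every PCR back to its initial value."""
        self.pcrs = {i: PCR_INIT for i in range(24)}

    def extend(self, index: int, measurement: bytes) -> bytes:
        # TPM_Extend: PCR_new = SHA-1(PCR_old || measurement). Order-sensitive.
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + measurement).digest()
        return self.pcrs[index]

    def seal(self, index: int, secret: bytes) -> int:
        """Bind `secret` to the current value of PCR `index`; return a handle."""
        handle = len(self._sealed)
        self._sealed[handle] = (index, self.pcrs[index], secret)
        return handle

    def unseal(self, handle: int) -> bytes:
        index, expected, secret = self._sealed[handle]
        if self.pcrs[index] != expected:
            raise PermissionError("PCR %d does not match the sealed value" % index)
        return secret


def boot(tpm: SimTpm, chain) -> bytes:
    """Measure each (name, bytes) of `chain` into PCR_LAUNCH in launch order."""
    for _, blob in chain:
        tpm.extend(PCR_LAUNCH, measure(blob))
    return tpm.pcrs[PCR_LAUNCH]


# Constructed stand-ins for the components the slide lists as measured.
GOOD_CHAIN = [
    ("xen", b"xen-4.6.1 binary"),
    ("xen-cmdline", b"console=vga dom0_mem=1G flask=enforcing"),
    ("dom0-kernel", b"vmlinuz-4.4.16"),
    ("dom0-initrd", b"initrd.img"),
    ("xsm-policy", b"xenpolicy-4.6"),
]


def provision(chain, disk_key: bytes):
    """First boot: run the chain once and seal the disk key to the resulting PCR."""
    tpm = SimTpm()
    boot(tpm, chain)
    return tpm, tpm.seal(PCR_LAUNCH, disk_key)


def reboot_and_unseal(tpm: SimTpm, handle: int, chain):
    """Power-cycle (PCRs reset), re-measure `chain`, then try to unseal.
    Returns the key, or None when the measurements differ from provisioning."""
    tpm.reset()
    boot(tpm, chain)
    try:
        return tpm.unseal(handle)
    except PermissionError:
        return None


def tamper(chain, name: str, new_blob: bytes):
    """Copy of `chain` with the component called `name` replaced."""
    return [(n, new_blob if n == name else b) for n, b in chain]


if __name__ == "__main__":
    tpm, h = provision(GOOD_CHAIN, b"luks-key-material")
    print("unmodified boot :", reboot_and_unseal(tpm, h, GOOD_CHAIN))
    evil = tamper(GOOD_CHAIN, "dom0-kernel", b"vmlinuz-4.4.16 plus a rootkit")
    print("tampered kernel :", reboot_and_unseal(tpm, h, evil))
    # Same digests in a different order give a different PCR value.
    swapped = GOOD_CHAIN[:2][::-1] + GOOD_CHAIN[2:]
    print("reordered chain :", reboot_and_unseal(tpm, h, swapped))
```

The reordering case is the point of extend rather than a plain hash of all components: the PCR value commits to the launch sequence, not just to the set of binaries, so a component that is loaded but not executed in the expected order still fails to unlock the key.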
21. Measured Launch
Recent changes to OpenXT’s Measured Launch:
● LUKS configuration changes to replace an RSA-key-wrapped password with an admin-supplied password
● Removal of some platform reboots during install for secret sealing
● Preparatory work towards future support for remote attestation
22. Linux-based Stub-domains
● Motivation: Hardening. Move the large qemu attack surface outside dom0.
○ Has successfully mitigated a number of Xen Security Advisory defects.
○ Acknowledgement: support for disaggregation adds complexity to the hypervisor and tools.
● Limited, read-only root filesystem
● Stateless across domain restarts
● Reduced Linux kernel configuration
23. Access Control
● Xen Security Modules : Enabled and Enforcing
○ Mandatory Access Control within the hypervisor, with the Flask architecture
○ Access control points throughout the hypervisor
○ Governed by a policy loaded at boot
● SELinux : Enabled and Enforcing in Dom0 and NDVM
○ Using a tailored policy for confinement
24. OpenXT PV-USB
● Originally from Virtual Computer’s NXtop, Citrix’s XenClient Enterprise product
○ A production-quality Windows front-end and Linux back-end. Open Source.
○ USB 2.0.
● Linux front-end developed in OpenXT
○ by AIS’s Open Source team. Validated and used in production.
● Orchestrated by a USB control daemon in dom0, also developed in OpenXT
○ Standalone software, primarily interfaces to udev and, to a lesser extent, libUSB.
○ Handles udev events for new devices according to device or device-class policy.
○ Writes XenStore entries to establish connections between the PV-USB front and backends.
25. OpenXT PV-USB
● Uses a novel two-layer “indirect grant refs” ring structure for efficiency
○ Enables bulk transfer of many grant-refs per ring transaction.
● Upstream-suitable : interest or assistance is very welcome
○ OpenXT is adopting other upstream Xen PV drivers and porting PV-USB to upstream xenbus
26. OpenXT PV-USB software references
Windows front-end driver code:
https://github.com/OpenXT/xc-vusb
https://github.com/OpenXT/xc-windows
Linux front-end driver code:
https://github.com/OpenXT/pv-linux-drivers/tree/master/xc-vusb
Linux back-end driver code:
Takes control of the assigned USB device’s configurations and interfaces.
https://github.com/OpenXT/xenclient-oe/blob/master/recipes-kernel/linux/4.4/patches/usbback-base.patch
USB policy control daemon, runs in the privileged USB control domain, ie. dom0:
Controls USB policy, assignment and management. Monitors udev events, applies policy to the types of devices it sees and assigns devices to VMs by writing XenStore nodes to trigger the front-back driver pair to initiate the standard xenbus handshake.
https://openxt.atlassian.net/wiki/display/OD/vUSB+Daemon
https://github.com/OpenXT/vusb-daemon
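The control flow of the daemon described on slides 24 and 26, as an added example written for this page (not the vusb-daemon's code): a udev "add" event for a USB device is matched against an ordered device-identity and device-class policy, and an "assign" decision is turned into the XenStore nodes that let a back end and a front end find each other for the xenbus handshake. The event fields, every policy line, the vendor and product IDs and the XenStore path layout are constructed for the example and are not the daemon's real layout.

```python
"""Model of a udev-driven USB assignment policy, the role of OpenXT's vusb-daemon.

Added illustration, not the vusb-daemon's code. A udev 'add' event arrives in
the control domain, a device-identity or device-class policy decides which VM
(if any) gets the device, and an assignment becomes XenStore writes that pair
the back end with the front end. Event fields, policy lines, vendor/product
IDs and the XenStore path layout are all constructed for this example.
"""

# USB interface base class codes (USB-IF defined values).
CLASS_HID, CLASS_MASS_STORAGE, CLASS_HUB, CLASS_SMARTCARD = 0x03, 0x08, 0x09, 0x0B
XENBUS_STATE_INITIALISING = "1"


class Rule:
    """One policy line; the first matching rule decides. None fields are
    wildcards and `classes` lists interface classes the device must all expose."""

    def __init__(self, action, target=None, vendor=None, product=None, classes=()):
        self.action, self.target = action, target
        self.vendor, self.product, self.classes = vendor, product, set(classes)

    def matches(self, ev) -> bool:
        return ((self.vendor is None or ev["vendor"] == self.vendor)
                and (self.product is None or ev["product"] == self.product)
                and self.classes <= set(ev["interface_classes"]))


# Constructed policy. Order matters: the composite-device refusal comes first
# so a keyboard that also exposes storage is never claimed as a plain keyboard.
POLICY = [
    Rule("deny", classes=[CLASS_HID, CLASS_MASS_STORAGE]),
    Rule("dom0", classes=[CLASS_HID]),                        # input server in dom0 keeps HID
    Rule("ignore", classes=[CLASS_HUB]),                      # hubs are never passed through
    Rule("assign", target=2, vendor=0x1234, product=0x0001),  # this reader always goes to VM 2
    Rule("assign", target="focused", classes=[CLASS_MASS_STORAGE]),
    Rule("deny"),                                             # default: unknown devices stay unassigned
]


def decide(policy, ev, focused_domid: int):
    """Return (action, target domid or None) for a udev event."""
    if ev["action"] != "add":
        return "ignore", None
    for rule in policy:
        if rule.matches(ev):
            if rule.action != "assign":
                return rule.action, None
            return "assign", focused_domid if rule.target == "focused" else rule.target
    return "deny", None


def xenstore_writes(ev, frontend_domid: int, backend_domid: int = 0) -> dict:
    """XenStore nodes pairing a back end in `backend_domid` with a front end in
    `frontend_domid`. Path layout is constructed, not the daemon's real layout."""
    devid = ev["devid"]
    be = f"/local/domain/{backend_domid}/backend/vusb/{frontend_domid}/{devid}"
    fe = f"/local/domain/{frontend_domid}/device/vusb/{devid}"
    return {
        f"{be}/frontend": fe,
        f"{be}/frontend-id": str(frontend_domid),
        f"{be}/state": XENBUS_STATE_INITIALISING,
        f"{fe}/backend": be,
        f"{fe}/backend-id": str(backend_domid),
        f"{fe}/state": XENBUS_STATE_INITIALISING,
    }


def handle(policy, ev, focused_domid: int):
    """Policy decision plus the writes the daemon would issue for it."""
    action, target = decide(policy, ev, focused_domid)
    writes = xenstore_writes(ev, target) if action == "assign" else {}
    return action, target, writes


# Constructed udev-style events (real udev exposes these as ID_* properties).
EVENTS = [
    {"action": "add", "devid": 1, "vendor": 0x1111, "product": 0x0001, "interface_classes": [CLASS_HID]},
    {"action": "add", "devid": 2, "vendor": 0x2222, "product": 0x0002, "interface_classes": [CLASS_MASS_STORAGE]},
    {"action": "add", "devid": 3, "vendor": 0x1234, "product": 0x0001, "interface_classes": [CLASS_SMARTCARD]},
    {"action": "add", "devid": 4, "vendor": 0x3333, "product": 0x0003, "interface_classes": [CLASS_HUB]},
    {"action": "add", "devid": 5, "vendor": 0x4444, "product": 0x0004,
     "interface_classes": [CLASS_HID, CLASS_MASS_STORAGE]},
]

if __name__ == "__main__":
    for ev in EVENTS:
        action, target, writes = handle(POLICY, ev, focused_domid=3)
        print(ev["devid"], action, target, sorted(writes) if writes else "")
```

The composite-device rule is the check worth carrying into a real policy: class-based assignment is only as safe as its handling of devices that expose several interfaces, so a device that reports both HID and storage should be judged as a whole rather than by whichever interface a rule happens to match first.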
27. Secure Keyboard and Mouse Input
An essential component for client virtualization. The input server runs in Dom0.
● Monitors udev for new input devices
○ Claims HID devices: keyboard, mouse, touchpad, touchscreen
● Demultiplexes input events
● Directs input events to the intended recipient VM
○ Including the UIVM, showing the local console UI
○ Prevents input snooping by other VMs
○ Enforces platform screen lock
○ Performs secure password capture for Dom0 : UIVM cannot snoop.
● Scales mouse movement for guest VMs running at different resolutions
28. v4v : an interdomain communication transport
● An OpenXT technology, originally developed for XenClient.
● Hypervisor-mediated data copies via private ring buffers with notifications.
● Used by OpenXT and in production in its derivative products, plus a variant in use at Bromium.
● Has benefitted from previous reviews by the Xen Community.
29. v4v : an interdomain communication transport
Motivations for v4v versus any other interdomain communication mechanism:
● Strong isolation between communicating domains
○ No memory is shared between VMs
● Strong enforcement of policy controls on VM communication
○ A firewall within the hypervisor enforces rules that are set externally
● High performance suitable for sustained throughput
● A clean mapping to Linux and Windows native I/O primitives
● Clear separation from guest Operating System networking stacks
● A foundation for the future work that we intend to do
30. v4v : an interdomain communication transport
Known limitations:
● Current implementation has exposure to resource exhaustion
○ To be remedied with consumption constraints
○ DoS and scalability support were lesser concerns for the original client use cases.
● v4vtables firewall is a basic implementation
○ A new firewall is proposed to replace or extend v4vtables with XSM/Flask and support for in-guest SELinux
● Linux driver software requires improvement
● libvchan bindings have been requested
● Documentation is required
○ v4v comparison with other interdomain communication technologies
○ Hypervisor hypercall interface, Linux and Windows v4v driver interface and user-space library interface
○ Mechanisms to constrain v4v: XSM and the v4vtables-successor
31. v4v : an interdomain communication transport
Strong isolation avoids these concerns that affect inter-VM shared-memory technologies:
Impact on protocol integrity
● Peer domains can directly tamper with control structures in the shared memory region.
Impact on peer authentication
● Cannot directly know which principal wrote the protocol payload into memory to authenticate sender.
Impact on confidentiality
● Data may intentionally or accidentally leak through parts of shared memory not in use by the protocol.
● Page ownership may be intentionally or accidentally shared with additional domains, allowing observation of data intended for one receiver.
Cost of extra assurance dependencies
● Protocol connection via XenStore forces XenStore into the TCB for communicating components.
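The transport properties claimed on slides 29 to 31, as an added example written for this page (not the OpenXT or Xen v4v implementation): the sender hands the hypervisor a buffer, the hypervisor consults an ordered rule table set from outside the guests and, if the connection is accepted, copies the bytes into a ring that only the receiver owns, so the peers share no memory and the sender cannot reach the receiver's control structures. It also reproduces the resource-exhaustion limitation of slide 30 and a per-sender quota as one form of the consumption constraint mentioned there. The rule syntax, the default-drop action and the quota are constructed for the example and are not the real v4vtables semantics.

```python
"""Model of a v4v-style hypervisor-mediated transport with a rule firewall.

Added illustration, not the OpenXT or Xen v4v code. The hypervisor checks a
rule table and, if the send is accepted, copies the payload into a ring that
only the receiver owns. Rule syntax, the default action and the per-sender
quota are constructed here, not the real v4vtables semantics.
"""
from collections import deque


class Ring:
    """Receive ring owned by one domain. Only the hypervisor writes into it."""

    def __init__(self, size_bytes: int):
        self.size = size_bytes
        self.used = 0
        self.queue = deque()        # entries: (src_domid, payload bytes)

    def queued_from(self, src: int) -> int:
        return sum(len(p) for s, p in self.queue if s == src)


class Rule:
    """Firewall line on (src domid, dst domid, dst port); None is a wildcard."""

    def __init__(self, src, dst, port, action: str):
        self.src, self.dst, self.port, self.action = src, dst, port, action

    def matches(self, src: int, dst: int, port: int) -> bool:
        return all(want is None or want == got for want, got in
                   ((self.src, src), (self.dst, dst), (self.port, port)))


class Hypervisor:
    def __init__(self, rules, default: str = "drop", sender_quota=None):
        self.rules = list(rules)            # first matching rule wins
        self.default = default              # constructed: deny what no rule accepts
        self.sender_quota = sender_quota    # max bytes one sender may hold in a ring
        self.rings = {}                     # (domid, port) -> Ring

    def bind(self, domid: int, port: int, size_bytes: int):
        self.rings[(domid, port)] = Ring(size_bytes)

    def policy(self, src: int, dst: int, port: int) -> str:
        for rule in self.rules:
            if rule.matches(src, dst, port):
                return rule.action
        return self.default

    def send(self, src: int, dst: int, port: int, payload) -> str:
        """The sender's hypercall. Returns the outcome the sender observes."""
        if self.policy(src, dst, port) != "accept":
            return "denied"
        ring = self.rings.get((dst, port))
        if ring is None:
            return "no-ring"
        if ring.used + len(payload) > ring.size:
            return "full"
        if (self.sender_quota is not None
                and ring.queued_from(src) + len(payload) > self.sender_quota):
            return "quota"
        ring.queue.append((src, bytes(payload)))   # a copy: sender holds nothing in the ring
        ring.used += len(payload)
        return "delivered"

    def recv(self, domid: int, port: int):
        ring = self.rings[(domid, port)]
        if not ring.queue:
            return None
        src, payload = ring.queue.popleft()
        ring.used -= len(payload)
        return src, payload


def demo_policy():
    """Rule order and default action: dom 4 is blocked before the broad accept."""
    hv = Hypervisor([Rule(4, 1, None, "drop"), Rule(None, 1, None, "accept")])
    hv.bind(1, 5555, 4096)
    return (hv.send(3, 1, 5555, b"ok"),       # accepted, ring exists
            hv.send(4, 1, 5555, b"blocked"),  # first rule drops dom 4
            hv.send(3, 1, 6000, b"nobody"))   # accepted, but no ring bound


def demo_isolation():
    """Copy semantics: editing the sender's buffer after send() changes nothing."""
    hv = Hypervisor([Rule(3, 1, 5555, "accept")])
    hv.bind(1, 5555, 4096)
    buf = bytearray(b"hello uivm")
    hv.send(3, 1, 5555, buf)
    buf[:5] = b"HELLO"
    return hv.recv(1, 5555)


def demo_exhaustion(with_quota: bool):
    """Slide 30's exhaustion limitation and the consumption-constraint remedy:
    dom 4 floods dom 1's ring, then dom 3 tries to deliver a legitimate message."""
    hv = Hypervisor([Rule(None, 1, 5555, "accept")],
                    sender_quota=512 if with_quota else None)
    hv.bind(1, 5555, 1024)
    flood = [hv.send(4, 1, 5555, b"x" * 256) for _ in range(4)]
    return flood, hv.send(3, 1, 5555, b"legit")
```

Without the quota, an accepted but misbehaving sender fills the shared ring and a second, legitimate sender gets "full"; with the quota the flooder is cut off at its share and the legitimate message is delivered. The firewall alone does not prevent this, since the flooder is a permitted peer, which is why the slide lists consumption constraints separately from the policy work.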
32. v4v : an interdomain communication transport
Upcoming work:
● New firewall using XSM/Flask architecture
○ Work towards a unified access control architecture in OpenXT with clear policy representation, better tooling, fewer opportunities for gaps or error
○ XSM/Flask to enforce Mandatory Access Control over v4v connections between domains
○ v4vtables may be extended to enable guests to express self-protection rules
○ SELinux to control v4v bind, send operations by individual processes
○ Add support for obtaining Flask peer labels for v4v, as per event channels
○ Convey SELinux security context across domain boundaries for access checks at recipient
● Address the known limitations described in the earlier slide.
We continue to be interested in engaging upstream Xen with v4v.
33. Recent Developments
● OpenXT Summit : June 2016, Washington, D.C.
○ 48 attendees from 24 organizations
○ Two days of presentations and moderated discussions on ecosystem topics
● Version 6.0 of OpenXT software release
○ Update the core distribution to OpenEmbedded Jethro release
○ Skylake hardware platform support
○ Xen hypervisor upgrade to 4.3.4 - Xen 4.6.1 is now in our master branch; work on 4.7 is next
○ Linux kernel upgrade to 4.4.16 - OpenXT 6.0.x point releases will track 4.4.x kernel updates
○ Qemu build configuration security hardened
○ Codebase security review. Package updates and selective patch inclusion for security fixes
○ Containerized build system, improved ease of use
● Project Governance
○ Project charter documents and codifying project processes
34. Work in Progress
Major focus is on accelerated tracking and engagement with upstream projects.
● Restructuring OpenXT into distinct OpenEmbedded Layers
○ Simplifies work for derivative projects to choose just the components they need
○ Optionality addresses the tension between feature addition vs. increase in attack surface
● Reducing specialized components of the OpenXT software
○ Adopting versions present in upstream OpenEmbedded layers
○ Working with upstream layers to add capabilities we need, assist with maintenance
○ Shrinking OpenXT Project codebase to just that which is unique to OpenXT requirements
● Xen hypervisor upgrade
○ 4.6.1 has just been successfully tested and merged into master development branch
○ 4.7.x will be immediate next target
35. Work in Progress
● Toolstack refactoring
○ Port to introduce libxl into the OpenXT Haskell toolstack running outside dom0
● v4v improvement
○ Please come and talk to community members about this
● Measured Launch enhancements
○ Towards forward-sealing across software upgrades
● Adopting upstream Windows PV-drivers
○ For network and block devices, to use in addition to our PV drivers for other devices
● Alternative graphics display architecture
○ Developed on an OpenXT-derivative platform
○ Please see the AIS presentation at this Xen Developer Summit
36. Roadmap items
● Community members have plans to integrate Xen’s vTPM and vTPM manager into OpenXT in the near future.
● OpenXT community intends to adopt and maintain blktap3, working with the XenServer team to assist support of their existing customer requirements.
● Make tboot into a UEFI module.
37. Where we work on OpenXT
● Public mailing list : openxt@googlegroups.com
● IRC #OpenXT on freenode
● Monthly community telephone call, open to all
● Confluence public wiki
● JIRA issue tracker on Atlassian cloud
● Presence in upstream projects: OpenEmbedded, Xen, Linux TPM tools, ...
You are welcome to join us!
openxt.org
38. EOF
Thank-you for your attention.
Thanks to the members of the OpenXT community for the work described here
and material supporting this presentation.
-xtopher
Copyright (c) 2016 BAE Systems, Inc.
Created by Christopher Clark.
This work is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/.
openxt.org