Russell Pavlicek presented on securing clouds with Xen Project's advanced security features. He introduced key security tools in Xen Project like driver domains and PVGrub. Driver domains move device drivers out of the privileged control domain into an unprivileged virtual machine, reducing the attack surface. PVGrub is the Python program that reads guest filesystems and boots virtual machines, so securing it is important to prevent control of the control domain. The presentation aimed to help users understand and start implementing Xen Project's security features on their clouds.
XPDDS18: LCC18: Xen Project: After 15 years, What's Next? - George Dunlap, C... (The Linux Foundation)
The Xen Hypervisor is 15 years old, but like Linux, it is still undergoing significant upgrades and improvements. This talk will cover recent and upcoming developments in Xen on the x86 architecture, including the newly-released 'PVH' guest virtualization mode, the future of PV mode, qemu deprivileging, and more. We will cover why these new features are important for a wide range of environments, from cloud to embedded.
Xen, XenServer, and XAPI: What’s the Difference? - XPUS13 Bulpin, Pavlicek (The Linux Foundation)
Many people have difficulty understanding the difference between the Xen Hypervisor, XenServer, and XAPI. In this session, James Bulpin, Director of Technology for XenServer, and Russell Pavlicek, Evangelist for the Xen Project, will attempt to clarify what each project is, what it does, and how it compares with the others. We will cover some of the basic features and functions, the tasks for which each is suitable, and where the projects overlap. Attendees will come away with a better sense of where these three projects fit in the world of Xen virtualization.
Securing Your Cloud With the Xen Hypervisor by Russell Pavlicek (buildacloud)
The Xen Project produces a mature, enterprise-grade virtualization technology designed for the Cloud featuring many advanced and unique security features. For this reason, it's a hypervisor of choice for government agencies like the NSA and the DoD, as well as for new security-minded projects like the QubesOS Secure Desktop. However, while much of the security of Xen is inherent in its design, many of the advanced security features, such as stub domains, driver domains, and Xen Security Modules (XSM), are not enabled by default. This session will describe many of the advanced security features of Xen, as well as explaining why Xen is an excellent choice for secure Clouds.
XPDS14: Xen and the Art of Certification - Nathan Studer & Robert VonVossen, ... (The Linux Foundation)
With the rapid growth in computing power of embedded platforms, system designers are turning to hypervisors to consolidate functionality in order to reduce the Size, Weight, Power, and Cost of embedded systems. With the recent addition of ARM support to the Xen hypervisor, Xen provides an attractive Open Source option for such systems. However, some of the industries most interested in this technology, such as automotive, medical, and avionics, have strict safety certification requirements. Nathan Studer will give a brief overview of DornerWorks' efforts certifying Xen, describe the hurdles and advantages that Xen and its development model lend to the certification effort, and lay out a proposed path for certifying Xen.
LCEU13: Securing your cloud with Xen's advanced security features - George Du... (The Linux Foundation)
Xen is a mature enterprise-grade virtual machine with many advanced security features which are unique to Xen. For this reason it's the hypervisor of choice for the NSA, the DoD, and the new QubesOS Secure Desktop project. While much of the security of Xen is inherent in its design, many of the advanced security features, such as stub domains, driver domains, XSM, and so on are not enabled by default. This session will describe all of the advanced security features of Xen, and the best way to configure them for the Cloud environment. When the audience leaves, they should have a general framework to evaluate the security of their system, know the key security features of Xen, and have a basic framework of knowledge to help them make sense of the documentation. This talk will *not* go into mind-numbing detail about specific commands to type or configuration options.
Linuxcon EU: Virtualization in the Cloud featuring Xen and XCP (The Linux Foundation)
The Xen Hypervisor was built for the Cloud from the outset: when Xen was designed, we anticipated a world, which today is known as cloud computing. Today, Xen powers the largest clouds in production. This talk explores success criteria, architecture, trade-offs and challenges for cloudy hypervisors.
It is intended for users and developers and starts with a brief introduction to Xen and XCP and their architecture, then shines some light on common challenges for KVM and Xen, such as the NUMA performance tax and securing the cloud. It will introduce the concept of domain disaggregation as an approach to increase security, robustness and scalability: all important factors for building clouds at scale. The talk will conclude with an update on Xen support in Linux, Xen for ARM servers and other exciting developments in the Xen community and their implications for building open source clouds.
Linaro Connect Asia 13: Citrix - Xen on ARM plenary session (The Linux Foundation)
The Xen on ARM effort has had a short, but impressive, history. In late 2011, Citrix seeded a Xen.org community project to port Xen to ARMv7 with virtualization extensions targeting the Cortex A15 as the reference platform. In 2012, the project scope was expanded to include the ARMv8 architecture. Linux 3.7 was the first kernel release to run on Xen on ARM as Dom0 and DomU. Very soon now (Q2 2013), Xen 4.3 will fully support several different ARM platforms, including Samsung Chromebooks, Versatile Express Cortex A15 and Arndale development boards.
In this talk, we will outline how virtualization enabled server consolidation and cloud computing, as well as innovative and secure solutions for both desktops and mobile devices. We will explain why Citrix saw the need for the project, and why it is highly relevant in today’s cloud-centric virtualization landscape. We will discuss the opportunities this has brought to the Xen ecosystem, and then peek into the future possibilities which Xen on ARM will enable. While Xen is best known as the technology powering some of the biggest clouds in the industry, it could also be powering virtual machines on devices that fit in your pocket.
The talk will also include a brief overview of the Xen on ARM architecture, including the key design principles employed. The techniques pioneered during the ARM port will allow the Xen community to remove many legacy components from the Xen code base, streamlining both the ARM and x86 implementations. We will share some data on the challenges in porting Xen to new ARM boards. Due to full reliance on Device Tree and to the minimal hardware requirements of the hypervisor, ports to new boards require surprisingly little effort.
Finally, the talk will conclude by outlining the immediate roadmap for Xen on ARM.
The 4.5 release is not a minor "point" update: it is one of the most feature-rich releases in the project's history. It contains several important additions. Most notably, the new Xen PVH virtualization mode now supports running as dom0, enhanced support for Remus, significant ARM architecture updates, security improvements, real-time scheduling, support for Intel Cache Monitoring Technology (CMT), as well as improvements for automotive and embedded use-cases. Other enhancements include additional support for FreeBSD, systemd support, additional libvirt support, the release of Mirage OS 2.0, and more.
Besides giving an overview of Xen 4.5, we will explain the project's roadmap process and share what's ahead for 2015: such as improved OpenStack integration and hotpatching (applying security fixes without the need to reboot).
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi... (The Linux Foundation)
This presentation will detail a practical approach to memory introspection of virtual machines running on the Xen hypervisor with no in-guest footprint. The functionality makes use of the mem-event API with a number of improvements which enable the proper tracking of guest OS activity. The technology created on top of this Xen API opens the door for several immediate applications, including: rootkit detection and prevention, detection and action on several categories of malware, and event source information for low-level post-event forensics and correlation based on real event data during events.
LF Collaboration Summit: Xen Project 4.4 Features and Futures (The Linux Foundation)
Xen Project 4.4 Release Information.
Delivered by Russell Pavlicek at Linux Foundation Collaborative Summit on March 27, 2014.
Updated for LinuxCon/CloudOpen North America in August 2014.
LCEU14: Integrating Linux and the Real-Time ERIKA OS Through the Xen Hypervis... (The Linux Foundation)
Modern cars, as well as aircrafts, are equipped not only with more and more complex control systems, but also with increasingly advanced user interfaces and infotainment systems. The growing computational demand of these applications can now be met only with multi-core systems, which are actually supplanting single-core ones. Also, safety-critical and non-safety-critical components must be isolated from each other. In this presentation we show a double-OS system, running on a dual-core ARM platform and using the Xen hypervisor to run, in two isolated domains, (1) the automotive-grade ERIKA Enterprise OS, a small-footprint real-time OS suitable for safety-critical control tasks, and (2) a full-featured Linux OS, which is then able to support any complex user interface or multimedia service. The system also provides a basic, safe communication mechanism between the two operating systems.
This talk provides an overview of the Xen Project eco-system and its main use-cases in a number of important market segments: it covers server virtualization, cloud computing and embedded, automotive and related. Lars Kurth highlights why the Xen Project is relevant in these market segments: he provides an overview of the Xen Project's architecture, relevant existing functionality and ongoing and planned developments. To complement the picture, he covers open-source projects that are related to Xen and are of interest for these use-cases. Excellent software security is key to all of these use-cases. Thus, Lars specifically covers the Xen Project's security features and track record, and touches on the project's security practices. He concludes with a few resources that help you get started with the Xen Project and highlights Internship Programs which the project supports.
The talk was delivered at Root Linux Conference 2017. Learn more: http://linux.globallogic.com/materials. The video is available at https://www.youtube.com/watch?v=sjQnAIJji4k
XPDS13: HVM Dom0 - Any unmodified OS as Dom0 - Will Auld, Intel (The Linux Foundation)
It would be great if we could use an unmodified guest for dom0 or the driver domain. We found a way to achieve that. Since Xen's inception, the first guest on Xen has always been a para-virtualized domain, which can be modified Linux, NetBSD, Solaris, etc. In this way, dom0 can achieve near-native performance, so it is commonly used in the server market. However, modifications to guest kernels also imply limitations. For example, it can't support a Windows OS as the dom0 or the driver domain. With the rapid evolution of hardware-assisted virtualization (e.g. VMX, VT-d technologies), HVM domains can also achieve performance comparable with para-virtualization. So it's high time for Xen to run such an unmodified guest as the dom0. In the presentation, we discuss its architectural changes and its benefits compared with the traditional PV or HVM dom0, and we also introduce what we have done.
It is no accident that Xen software powers some of the largest Clouds in existence. From its outset, the Xen Project was intended to enable what we now call Cloud Computing. This session will explore how the Xen Architecture addresses the needs of the Cloud in ways which facilitate security, throughput, and agility. It will also cover some of the hot new developments of the Xen Project.
XPDDS19: The Xen-Blanket for 2019 - Christopher Clark and Kelli Little, Star ... (The Linux Foundation)
The Open Source Xen-Blanket software was developed by researchers at IBM and Cornell University, as extensions to the Xen hypervisor and its PV drivers, to enable seamless use of Xen PV drivers in guest VMs of nested Xen deployments. It was presented at the EuroSys 2012 conference, with a paper that has been widely cited since, and deployed in Cornell's SuperCloud.
Xen-Blanket has never been presented to the Xen Community and the software left unmaintained. However, recent work by Star Lab has modernized its implementation, aiming to encourage its adoption and incorporation into the Xen Project software.
This session will introduce the Xen-Blanket, describing its motivation and features; present the structure of the implementation in the hypervisor and device drivers; outline an example architecture for its deployment; and summarize its current state and plans within the Xen Project.
XPDDS18: Windows PV Drivers Project: Status and Updates - Paul Durrant, Citri... (The Linux Foundation)
This talk will give a brief background on the Xen Project Windows PV driver architecture for those who are not already familiar with it. It will then go on to update the community on recent changes to the drivers, and planned future changes. It will also cover the new HID and console drivers that have been introduced to the supported set, including demonstrations of those drivers.
Delivered by Russell Pavlicek at CentOS Dojo, Denver, CO, April 10. 2014.
A basic introduction to Xen4CentOS: What it provides, how to install it, and where it is going.
Russell Pavlicek explores the security features of Xen within the cloud. Delivered at Build-A-Cloud Day at USENIX LISA 2013 and at Virtual Build-A-Cloud Day in December 2013.
LFNW2014 Advanced Security Features of Xen Project Hypervisor (The Linux Foundation)
As delivered by Russell Pavlicek at Linuxfest Northwest 2014. Some of the key security features which can be enabled when using the Xen Project Hypervisor.
Scale17x: Thinking outside of the conceived tech comfort zone (The Linux Foundation)
The Xen Project is used by more than 10 million users, powers some of the largest clouds on the planet, and is starting to build momentum in embedded and safety-conscious market segments. It is also nearly 16 years old.
The Xen Project’s success and longevity can be attributed to its flexible architecture, but more importantly to enabling community members to contribute ideas and code, even if they are not core to the project's main use-case. This has brought Xen far beyond server virtualization.
Lars will share how the project has supported new technologies and ideas, which may include some really interesting things you might not know about Xen (especially around defense applications), and will derive best practices that may help other projects.
What do “Crazy in Love” by Beyonce and the “Xen Project” have in common? They are both 15-year-old hits. Flash forward to today. The Xen Project is used by more than 10 million users, powers some of the largest clouds on the planet, and is starting to build momentum in embedded and safety-conscious market segments. The Xen Project played a key role in developing technologies outside of the hypervisor, like hardware virtualization, and open source security disclosure standards that impact entire industries.
The Xen Project’s success and longevity can be attributed to its flexible architecture, but more importantly to enabling community members to contribute ideas and code, even if they are not core to the project's main use-case. We will share how the project has supported new technologies and ideas (sometimes in the form of failures and sometimes wins) and will derive best practices that may help other projects.
Xen is a mature enterprise-grade virtual machine with many advanced security features which are unique to Xen. For this reason it's the hypervisor of choice for the NSA, the DoD, and the new QubesOS Secure Desktop project. However, while much of the security of Xen is inherent in its design, many of the advanced security features, such as stub domains, driver domains, XSM, and so on are not enabled by default. This session will describe all of the advanced security features of Xen, and the best way to configure them for the Cloud environment.
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng... (The Linux Foundation)
Safety certification is one of the essential requirements for software to be used in highly regulated industries. Besides technical and compliance issues (such as ISO 26262 vs IEC 611508) transitioning an existing project to become more easily safety certifiable requires significant changes to development practices within an open source project.
In this session, we will lay out some challenges of making safety certification achievable in open source and the Xen Project. We will outline the process the Xen Project has followed thus far and highlight lessons learned along the way. The talk will primarily focus on necessary process, tooling changes and community challenges that can prevent progress. We will be offering an in-depth review of how Xen Project is approaching this challenging goal and try to derive lessons for other projects and contributors.
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ... (The Linux Foundation)
An important facilitator of Unikernel development, Xen Project continues to develop new and interesting technologies to support the needs of the next generation datacenter. Potentially game-changing technologies like Unikernels will never reach their full potential unless the hypervisor they rely on can handle a large number of potentially tiny VMs effectively and efficiently.
In this talk, Xen Project Advisory Board Chairman Lars Kurth will discuss some of the major advances in the hypervisor produced in last year's releases (4.5 and 4.6). He will also discuss some of the work in development which could appear in upcoming releases.
Note: also see https://www.slideshare.net/xen_com_mgr/ossna18-xen-beginners-training-exercise-script
The Xen Project supports some of the biggest clouds in production today and is moving into new industries, like security and automotive. Usually, you will use Xen indirectly as part of a commercial product, a distro, a hosting or cloud service and only indirectly use Xen. By following this session you will learn how Xen and virtualization work under the hood exploring high-level topics like architecture concepts related to virtualization to more technical attributes of the hypervisor like memory management (ballooning), virtual CPUs, scheduling, pinning, saving/restoring and migrating VMs.
Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013Puppet
"Building a Hyper-Secure VPC on AWS with Puppet" by Tim Nolet, Technical Architect, Xebia.
Presentation Overview: This session will describe the techniques and patterns used in a real life project where the goal was to: build a VPC on AWS, make it extremely secure on all accounts, do it automated.
I will describe how you can take Puppet and AWS and introduce all kinds of real life security measures, all managed by Puppet. These security measures include: Log collection and analysis (in combination with Graylog2), Transparent Proxy Hosts for DMZ separation, Host Based Firewalls to augment the non-logging AWS firewalls/security groups, CIS (Center for Internet Security) Benchmark enforcement on standard AWS Linux AMIs, change tracking with SVN.
Speaker Bio: Tim Nolet is an infrastructure architect and continuous delivery consultant working for Xebia (www.xebia.com). Brought up on a steady diet of Java enterprise applications, he has helped his customers design, build and manage internet infrastructures in diverse areas of travel, retail, banking, energy and public services. Currently, he is on a mission to reap all the benefits of automated deployment and cloud engineering to deliver fast, safe and stable applications. Together with Amazon Web Services, Puppet plays a major role in this mission. Tim also smiles when you let him dive deep into performance, security and stability issues, or let him play guitar for a day.
Session at ContainerDay Security 2023 on the 8th of March in Hamburg.
Confidential computing is a relatively new technology that allows one to keep workloads encrypted and isolated in memory during processing. If used correctly, confidential computing can shield workloads from the underlying cloud. It's the first technology that effectively prevents data access from the cloud provider and its employees, co-tenants, and hackers coming through the infrastructure.
Constellation (https://github.com/edgelesssys/constellation) is an open-source K8s distro/engine that applies the confidential-computing concept to entire K8s clusters. Constellation ensures that all data in the cluster is always encrypted - at rest, in transit, and at runtime. Constellation also provides hardware-rooted "whole cluster" attestation with which the integrity of a cluster can be verified remotely. (This process partly relies on the amazing Sigstore project.)
Operations-wise, Constellation is very much vanilla K8s and should work with existing tooling. It's easy to set up and the security features are largely transparent to the DevOps engineer. To run, Constellation requires the availability of "Confidential VMs", which are available in Azure, GCP and elsewhere.
In this talk, I'll give an introduction to confidential computing, discuss the motivation behind Constellation, discuss the exciting use cases, give an overview over its architecture, and show a demo.
Session at ContainerDay Security 2023 on the 8th of March in Hamburg.
Confidential computing is a relatively new technology that allows one to keep workloads encrypted and isolated in memory during processing. If used correctly, confidential computing can shield workloads from the underlying cloud. It's the first technology that effectively prevents data access from the cloud provider and its employees, co-tenants, and hackers coming through the infrastructure.
Constellation (https://github.com/edgelesssys/constellation) is an open-source K8s distro/engine that applies the confidential-computing concept to entire K8s clusters. Constellation ensures that all data in the cluster is always encrypted - at rest, in transit, and at runtime. Constellation also provides hardware-rooted "whole cluster" attestation with which the integrity of a cluster can be verified remotely. (This process partly relies on the amazing Sigstore project.)
Operations-wise, Constellation is very much vanilla K8s and should work with existing tooling. It's easy to set up and the security features are largely transparent to the DevOps engineer. To run, Constellation requires the availability of "Confidential VMs", which are available in Azure, GCP and elsewhere.
In this talk, I'll give an introduction to confidential computing, discuss the motivation behind Constellation, discuss the exciting use cases, give an overview over its architecture, and show a demo.
Similar to Securing Your Cloud with Xen (CloudOpen NA 2013) (20)
OSAC16: Unikernel-powered Transient Microservices: Changing the Face of Softw...Russell Pavlicek
In most current microservice-based architectures, the machine images powering the microservice are quite traditional: a full software stack from operating system to application, which takes significant resources to host and plenty of time to start and stop. As a result, most current microservice workloads are persistent, having to start before they are needed and sitting idle when there’s no work to do. This wastes precious resources and slows the application’s ability to scale out as workloads require.
The arrival of lightweight technologies like Docker and containers have opened the door to lighter workloads in the microservice arena, but the advent of unikernels might be a game changer. These ultralight, highly secure workloads combine the entire software stack—from operating system functions to application—into a single, tiny package that runs directly on a hypervisor. Start times for many unikernel-based VMs can be measured in milliseconds, raising the question: why waste time and resources with persistent microservices? Why not consider transient microservices, which appear when there is something to do and disappear immediately thereafter?
While the use of transient microservices could free up much computing power, it will also change the architecture and orchestration of software solutions. The concept of services that may have a lifetime measured in seconds—or less—does not currently exist in popular cloud-based systems.
Geek Empowerment - The Real Heart of Open SourceRussell Pavlicek
As delivered at Linuxfest Northwest 2014. Open Source has succeeded in so many ways. But is it in danger of losing its greatest single value: empowering geeks to be more than just obedient coders?
openSUSE Summit-15 Years of Open Source: It's About the PeopleRussell Pavlicek
Open Source has flourished in the past decade and a half, but we need to make sure we don't lose our soul in the process. We must tend to the roots of the plant and not allow the corporate influence to compromise the liberation which Open Source provided to geeks.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
GridMate - End to end testing is a critical piece to ensure quality and avoid...ThomasParaiso2
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
1. Securing Your Cloud with Xen Project’s Advanced Security Features
Russell Pavlicek, Xen Project Evangelist
CloudOpen North America 2013
Sections: Introduction, Network path, Bootloader, Device model, Xen, Conclusion
2. Who is the Old, Fat Geek Up Front?
Xen Project Evangelist
Employed by Citrix, focused entirely on the Xen Project
History with Open Source begins in 1997
Former columnist with Infoworld, Processor magazines
Former panelist on The Linux Show webcast, repeat guest on The Linux Link Tech Show
Over 150 pieces published, plus one book on Open Source development and several blogs
CloudOpen North America 2013 Securing Your Cloud with Xen Project’s Advanced Security Features 2 / 32
3. Introduction: Xen Project and Security
Xen Project is an enterprise-grade Type I hypervisor
Built for the Cloud before it was called the Cloud
A number of advanced security features: Driver Domains, Stub Domains, FLASK, and more
Most of them are not (or cannot be) turned on by default
Although they are simple to use, sometimes they can appear to be complicated
4. Presentation Goals
Introduce you to key Xen Project Security Tools
Discuss some key Xen security features
Get you started in the right direction toward securing your Xen installation
5. Presentation Outline
A few thoughts on the problem of securing the Cloud
Overview of the Xen architecture
Brief introduction to principles of security analysis
Consider some attack surfaces and Xen features we can use to mitigate them:
Driver Domains
PVgrub
Stub Domains
Paravirtualization (PV) mode vs Hardware Virtualization (HVM) mode
FLASK example policy
6. The Cloud Security Conundrum
Security: The 800 pound gorilla of the Cloud world
Nothing generates more fear in specific, and FUD in general
Probably the single greatest barrier to Cloud adoption
Immediately behind it is the inability to get out of a 20th century IT mindset (i.e., "Change is Bad")
The good news: we don’t need to fear it – we just need to solve it
7. Cloud Security: New Visibility to Old Problem
Security has always been an issue
Putting a truly secure system in the open does not reduce its security, just increases the frequency of attack
Unfortunately, system security behind the firewall has not always been comprehensive
Having solutions in Clouds forces us to solve the security issues we should have already solved
Security through obscurity is no longer sufficient
8. Security by Design, not by Wishful Thinking
Security by Wishful Thinking is Officially Dead
Merely hoping that your firewall holds off the marauding hordes is NOT good enough
Addressing security in one area while ignoring others is NOT good enough
Saying, "We’ve never had a problem before" is NOT good enough
Comprehensive security starts with design
It needs to be planned and carefully thought through
It needs to be implemented at multiple levels
It needs components which are themselves securable
9. Xen Project: Security by Design
Xen Project was designed for Clouds before the term "Cloud" was coined in the industry
Designers foresaw the day of an "infrastructure for wide-area distributed computing" which we now call "the Cloud"
http://www.cl.cam.ac.uk/research/srg/netos/xeno/publications.html
Xen is designed to thwart attacks from many attack vectors, using different defensive techniques
10. Xen Architecture: A Basic Picture
[Diagram: the Xen Hypervisor sits on the Hardware (I/O devices, CPU, memory). dom0 contains the toolstack, the device model (qemu) and the hardware drivers, and exports netback/blkback. A Paravirtualized (PV) Domain reaches them through netfront/blkfront; a Fully Virtualized (HVM) Domain sits beside it.]
11. Security Overview
Threat Models:
Attacker can access network
Attacker controls one Guest VM
Security considerations to evaluate:
How much code is accessible?
What is the interface like? (e.g., pointers vs scalars)
Defense-in-depth
Then combine security tactics to secure the installation
There is no single "magic bullet"
Individual tactics reduce danger; combined tactics go even farther
12. Example System, for our Discussion
Hardware setup
Two networks: one Control network, one Guest network
IOMMU with interrupt remapping (AMD or Intel VT-d v2) to allow for full Hardware Virtualization (HVM)
Default configuration
Network drivers in the Control Domain (aka "Domain 0" or just "Dom0")
Paravirtualized (PV) guests using PyGrub (grub-like boot utility within context of Guest Domain)
Hardware Virtualized (HVM) guests using Qemu (as the device model) running in the Control Domain
13. Attack surface: Network path
[Diagram: Xen Hypervisor on Hardware. dom0 holds the toolstack, the NIC driver for both the Control NIC and the Guest NIC, bridge/iptables and netback; a Rogue Domain and a second Domain each reach netback through netfront.]
Where might an exploit focus?
Bugs in hardware driver
Bugs in bridging / filtering
Bugs in netback (via the ring protocol)
14. Attack surface: Network path
[Diagram: same as slide 13: dom0 with NIC driver, bridge/iptables and netback; Rogue Domain and another Domain with netfront.]
What could a successful exploit yield?
Control of Domain 0 kernel
Pretty much control of the whole system
15. Security feature: Driver Domains
[Diagram: as on slide 13, but the Guest NIC driver, bridge/iptables and netback now live in a separate Driver Domain; dom0 keeps the toolstack and the Control NIC driver. The Rogue Domain and the other Domain still connect through netfront.]
What is a Driver Domain?
Unprivileged VM which drives hardware, provides access to guests
16. Security feature: Driver Domains
[Diagram: same as slide 15, with the Guest NIC driver and netback in the Driver Domain.]
Now a successful exploit could yield:
Control of the Driver Domain (PV hypercall interface)
Control of that guest’s network traffic
Control of NIC
An opportunity to attack netfront of other guests
17. HowTo: Driver Domains
Create a VM with appropriate drivers
Use any distribution suitable as a Control Domain
Install the Xen-related hotplug scripts
Just installing the Xen tools in the VM is usually good enough
Give the VM access to the physical NIC with PCI pass-through
Configure the network topology in the Driver domain
Just like you would for the Control Domain
Configure the guest Virtual Network Interface (vif) to use the new domain ID
Add backend=domnet to vif declaration
vif = [ 'type=pv, bridge=xenbr0, backend=domnet' ]
http://wiki.xenproject.org/wiki/Driver_Domain
18. Attack surface: PyGrub
[Diagram: Xen Hypervisor; dom0 holds the toolstack, the domain builder and pygrub, which reads the guest disk; the resulting Paravirtualized (PV) Domain.]
What is PyGrub?
grub implementation for PV guests
Python program running in Control Domain
Reads guest filesystem, parses grub.conf, shows menu
Passes resulting kernel image to domain builder
19. Attack surface: PyGrub
[Diagram: same as slide 18: dom0 with toolstack, domain builder and pygrub reading the guest disk.]
Where might an exploit focus?
Bugs in file system parser
Bugs in menu parser
Bugs in domain builder
20. Attack surface: PyGrub
[Diagram: as on slide 18; the kernel that pygrub extracts from the guest disk is handed to the domain builder.]
What could a successful exploit yield?
Control of Domain 0 user space
Pretty much control of the whole system
21. Security practice: Fixed kernels
[Diagram: Xen Hypervisor; dom0 holds the toolstack and the domain builder, which receives a kernel image kept in dom0 instead of one read from the guest disk; Paravirtualized (PV) Domain.]
What is a fixed kernel?
Passing a known-good kernel from Control Domain
Removes attacker avenue to domain builder
22. Security practice: Fixed kernels
[Diagram: same as slide 21: the kernel image is supplied from dom0 to the domain builder.]
Disadvantages
Host admin must keep up with kernel updates
Guest admin can’t pass kernel parameters, custom kernels,
23. Security feature: PVgrub
[Diagram: Xen Hypervisor; dom0 holds the toolstack and the domain builder; MiniOS + pvgrub runs in the guest’s own context and reads the guest disk.]
What is PVgrub?
MiniOS + PV port of grub running in a guest context
PV equivalent of HVM "BIOS + grub"
Now a successful exploit could yield:
Control of the attacked guest domain alone
24. HowTo: PVgrub
Make sure that you have the PVgrub image: pvgrub-$ARCH.gz
Normally lives in /usr/lib/xen/boot
Included in Fedora Xen packages
Debian-based: need to build yourself
Use appropriate PVgrub as bootloader in guest configuration
kernel="/usr/lib/xen/boot/pvgrub-x86_32.gz"
http://wiki.xenproject.org/wiki/Pvgrub
25. Attack surface: Device model (Qemu)
Where might an exploit focus?
Bugs in NIC emulator parsing packets
Bugs in emulation of virtual devices
What could a successful exploit yield?
Control Domain privileged userspace
Pretty much control of the whole system
26. Security feature: Qemu stub domains
What is a stub domain?
Stub domain: a small "service" domain running just one application
Qemu stub domain: run each Qemu in its own domain
What could a successful exploit yield?
Control only of the stub domain VM (which, if FLASK is employed, is a relatively small universe)
You need to devise another attack entirely to do anything more significant
27. HowTo: Qemu stub domains
Make sure that you have the Qemu stub domain image: ioemu-$ARCH.gz
Normally lives in /usr/lib/xen/boot
Included in Fedora Xen packages
On Debian (and offshoots), you will need to build it yourself
Specify stub domains in your guest config
device_model_stubdomain_override = 1
http://wiki.xenproject.org/wiki/Device_Model_Stub_Domains
28. Introduction Network path Bootloader Device model Xen Conclusion
Attack Surface: Xen Hypervisor itself
Where might an exploit focus?
On Paravirtualized (PV) Guests:
PV Hypercalls
On full Hardware Virtualized (HVM) Guests:
HVM hypercalls (Subset of PV hypercalls)
Instruction emulation (MMIO, shadow pagetables)
Emulated platform devices: APIC, HPET, PIT
Nested virtualization
Security practice: Use PV VMs whenever possible
29. Security feature: FLASK example policy
What is FLASK?
Xen Security Module (XSM): Xen equivalent of LSM
FLASK: Framework for XSM developed by NSA
Xen equivalent of SELinux
Uses same concepts and tools as SELinux
Allows a policy to restrict hypercalls
What can FLASK do?
Basic: Restricts hypercalls to those needed by a particular guest
Advanced: Allows more fine-grained granting of privileges
FLASK example policy
This contains example roles for the Control Domain (dom0), User/Guest Domain (domU), stub domains, driver domains, etc.
30. HowTo: Use the example FLASK policy
Build Xen with XSM enabled
Build the example policy
Add the appropriate label to guest config files
seclabel=[foo]
stubdom label=[foo]
Make sure you TEST the example policy in your environment BEFORE putting it into production!
NOTE: As an example policy, it is not as rigorously tested as other parts of Xen during release, and it may not be suitable as-is if you are doing unusual things
http://wiki.xenproject.org/wiki/Xen_Security_Modules_:_XSM-FLASK
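As an added check covering the three HowTo slides above (PVgrub bootloader, Qemu stub domains, FLASK labels), the following Python audit, which is not part of the deck or of Xen's own tooling, parses an xl guest config and reports which of the three settings it applies. The sample configs are constructed, and the domU_t label is assumed; take the real label from the example policy you built.

```python
import re

# Constructed sample xl guest configs (not from the deck): one with none of
# the hardening settings, one with all three.
WEAK_CFG = '''
name = "guest1"
memory = 1024
builder = "hvm"
disk = [ "phy:/dev/vg/guest1,xvda,w" ]
'''

HARDENED_CFG = '''
name = "guest1"
memory = 1024
kernel = "/usr/lib/xen/boot/pvgrub-x86_32.gz"
device_model_stubdomain_override = 1
# assumed label; take the real one from the example policy you built
seclabel = "system_u:system_r:domU_t"
'''

def parse_xl_config(text):
    """Parse the key = value lines of an xl config into a dict.
    Quoted strings lose their quotes, integers become int, anything
    else (lists, etc.) is kept as the raw text."""
    cfg = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()   # drop comments
        m = re.match(r'^(\w+)\s*=\s*(.+)$', line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if re.fullmatch(r'''(['"]).*\1''', val):
            val = val[1:-1]
        elif re.fullmatch(r'\d+', val):
            val = int(val)
        cfg[key] = val
    return cfg

def audit_xl_config(text):
    """Report which of the deck's three hardening settings the config applies."""
    cfg = parse_xl_config(text)
    kernel = str(cfg.get('kernel', ''))
    return {
        'pvgrub_bootloader': kernel.startswith('/usr/lib/xen/boot/pvgrub-'),
        'qemu_stub_domain': cfg.get('device_model_stubdomain_override') == 1,
        'flask_label': bool(cfg.get('seclabel')),
    }

if __name__ == '__main__':
    for name, cfg in (('weak', WEAK_CFG), ('hardened', HARDENED_CFG)):
        print(name, audit_xl_config(cfg))
```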
31. ARM: Right solution for security
Stays in ARM Hypervisor Mode
The ARM architecture has separate Hypervisor and Kernel modes
Because Xen’s architecture maps so well to the ARM architecture, Xen never has to use Kernel mode
Other hypervisors have to flip back and forth between modes
If a hypervisor has to enter Kernel mode, it loses the security of running in a privileged mode, isolated from the rest of the system
This is a non-issue with the Xen Hypervisor on ARM
Does not need to use device emulation
No emulation means a smaller attack surface for bad guys
32. For More Information...
Details at http://wiki.xenproject.org/wiki/Securing_Xen
Thanks to George Dunlap for supplying much of the information presented here, and Stefano Stabellini for ARM information
Check out our blog: http://blog.xenproject.org/
Contact me at russell.pavlicek@xenproject.org
——————————–
Thank You!