High level toolstacks for server and cloud virtualization are very mature with large communities using and supporting them. Client virtualization is a much more niche community with unique requirements when compared to those found in the server space. In this talk, we’ll introduce a client virtualization toolstack for Xen (redctl) that we are using in Redfield, a new open-source client virtualization distribution that builds upon the work done by the greater virtualization and Linux communities. We will present a case for maturing libxl’s Go bindings and discuss what advantages Go has to offer for high level toolstacks, including in the server space.
Platform Security Summit 18: Xen Security Weather Report 2018 | The Linux Foundation
The Xen Project is unique in its breadth of adoption and diverse contributions. Many vendors in the ecosystem are not directly competing, enabling collaboration which otherwise would not be possible. While hypervisors were once seen as purely cloud and server technologies, they are now used in many market segments to add compartmentalization and layers of security. This has led to renewed focus on older technologies, such as L4Re/seL4 and new technologies such as zircon, ACRN and others.
Meanwhile, the Xen Project has been trailblazing in adopting virtualization in new market segments and continues to innovate and set the direction for the industry. This has enabled downstream Xen developers to build viable businesses and products in areas such as security and embedded. This talk will cover Xen feature changes that are driven by security needs, and the challenges of safety certification within the context of open source projects and Xen Project in particular.
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu... | The Linux Foundation
Artem will briefly cover what has been done since the first talk on Xen in the automotive domain back in 2013, what is going on now and what is still missing for broad adoption of Xen in vehicles. The following topics will be covered:
Embedded/automotive features of Xen
Collaboration with AGL and GENIVI organizations for standardization
Efforts on Functional Safety compliance
Artem will also go over typical automotive use scenarios for Xen which may not be the same as generic computing use of hypervisor.
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making... | The Linux Foundation
Safety certification is one of the essential requirements for software to be used in highly regulated industries. The Xen Project, a secure and stable hypervisor that is used in many different markets, has been exploring the feasibility of building safety certified products on top of Xen for a year, looking at key aspects of its code base and development practices.
In this session, we will lay out the motivation and challenges of making safety certification achievable in open source and the Xen Project. We will outline the process the project has followed thus far and highlight lessons learned along the way. The talk will cover technical enablers, necessary process and tooling changes and community challenges, offering an in-depth review of how the Xen Project is approaching this exciting and challenging goal.
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op... | The Linux Foundation
In this keynote talk, we will give an overview of the state of the Xen Project, trends that impact the project, see whether challenges that surfaced last year have been addressed and how we did it, and highlight new challenges and solutions for the coming year.
XDF18: Heterogeneous Real-Time SoC Software Architecture - Stefano Stabellini... | The Linux Foundation
Hypervisors are key to enabling mixed-criticality systems: a critical workload, typically with real-time requirements, running alongside a larger operating system, such as Linux. The interrupt latency needs to be deterministic, and the boot time of the critical function only a fraction of a second. Hypervisors are also the enabling technology to securely deploy new customer apps at runtime, without affecting system safety.
This presentation will give an overview of hypervisor technologies for Xilinx platforms. It will introduce the most recent developments of the Xen hypervisor, including the "null" scheduler and dom0less, and it will explain how to make use of the new features to best configure Xen for embedded environments.
In recent years unikernels have shown immense performance potential (e.g., boot times of only a few ms, image sizes of only hundreds of KBs). The fundamental drawback of unikernels is that they require applications to be manually ported to the underlying minimalistic OS, needing both expert work and often a considerable amount of time.
The Unikraft project provides a unikernel code base and build system that significantly simplifies the building of unikernels. In addition to support for a number of CPU architectures, languages and frameworks, Unikraft provides debugging and tracing features that are generally sorely missing from unikernel projects. In this talk we will talk about these features, show a set of preliminary performance numbers, and provide a roadmap for the project's future.
Hypervisors were once seen as purely cloud and server technologies, but have slowly seeped into the embedded space providing extra layers of security. This discussion will showcase how companies from security vendors to automotive are using open source hypervisors (particularly Xen Project) to secure embedded systems, what challenges they face and how they have overcome it. We will also explore what this might mean to IoT at large and how to get started in securing your embedded system with a hypervisor-first approach.
The topic will cover content such as:
* Why virtualisation in embedded
* Hypervisor architectures on ARM and a quick roundup of examples
* Relevant security technologies
* Specific requirements for embedded systems
* Example usage of FOSS based hypervisors in embedded
* Challenges such as safety certification and how this may be approached
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ... | The Linux Foundation
TrenchBoot is a cross-community OSS integration project for hardware-rooted, late launch integrity of open and proprietary systems. It provides a general purpose, open-source DRTM kernel for measured system launch and attestation of device integrity to trust-centric access infrastructure. TrenchBoot closes the UEFI Measurement Gap and reduces the need to trust system firmware. This talk will introduce TrenchBoot architecture and a recent collaboration with Oracle to launch the Linux kernel directly with Intel TXT or AMD SVM Secure Launch. It will propose mechanisms for integrating the Xen hypervisor into a TrenchBoot system launch. DRTM-enabled capabilities for client, server and embedded platforms will be presented for consideration by the Xen community.
OSSA17 - Live patch, VMI, Security Mgmt (50 mins, no embedded demos) | The Linux Foundation
The talk covers several technologies and best practices for managing security vulnerabilities, which are told as interconnected stories.
We will cover how the largest clouds in production came together through the Xen Project to develop an industry leading open source security process to manage software vulnerabilities effectively, how those vendors collaborated to stop cloud reboots through Live Patching and how security and CPU vendors collaborated to protect against 0-day vulnerabilities and advanced persistent threats using hardware assisted virtual machine introspection. Finally, we will also provide information on how you can use tools such as CVE Details to assess how secure an open source technology is relative to another, so that you don't have to rely solely on security stories from the technology press.
The talk will cover how these technologies work, the limitations and challenges which still remain and how they are used in practice using examples of Xen Project based products and installations. We will also cover how these technologies impact software vulnerability management processes and system administrators.
Scale17x: Thinking outside of the conceived tech comfort zone | The Linux Foundation
The Xen Project is used by more than 10 million users, powers some of the largest clouds on the planet, and is starting to build momentum in embedded and safety-conscious market segments. It is also nearly 16 years old.
The Xen Project’s success and longevity can be attributed to its flexible architecture, but more importantly to enabling community members to contribute ideas and code, even if they are not core to the project's main use-case. This has brought Xen far beyond server virtualization.
Lars will share how the project has supported new technologies and ideas, which may include some really interesting things you might not know about Xen (especially around defense applications), and will derive best practices that may help other projects.
What do “Crazy in Love” by Beyonce and the “Xen Project” have in common? They are both 15-year-old hits. Flash forward to today. The Xen Project is used by more than 10 million users, powers some of the largest clouds on the planet, and is starting to build momentum in embedded and safety-conscious market segments. The Xen Project played a key role in developing technologies outside of the hypervisor, like hardware virtualization, and open source security disclosure standards that impact entire industries.
The Xen Project’s success and longevity can be attributed to its flexible architecture, but more importantly to enabling community members to contribute ideas and code, even if they are not core to the project's main use-case. We will share how the project has supported new technologies and ideas (sometimes in the form of failures and sometimes wins) and will derive best practices that may help other projects.
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ... | The Linux Foundation
This presentation covers a real-world case study of Bitdefender Hypervisor Introspection (HVI) that is based on Xen Project software. On April 14th, The Shadow Brokers released the EternalBlue exploit toolkit, which exploited an SMBv1 vulnerability across a wide range of Windows operating systems. The exploit was most famously used as a propagation mechanism for the WannaCry ransomware. HVI prevented exploitation attempts with no prior knowledge of the exploit or underlying vulnerability. This talk will cover the exploit mechanism, how HVI detects its actions, and illustrate some of the advantages of HVI built through open source collaboration. Audience members will take away a better understanding of this type of exploit and how something like hypervisor introspection and security through a hypervisor approach can help companies avoid these types of new exploits.
NVDIMM is a standard for allowing non-volatile memory to be exposed as normal RAM, which can be directly mapped to guests. This simple concept has the potential to dramatically change the way software is written, but also has a number of surprising problems to solve. Furthermore, this area is plagued with incomplete specifications and confusing terminology.
This talk will attempt to give an overview of NVDIMMs from an operating system perspective: What the terminology means, how they are discovered and partitioned, issues relating to filesystems, a brief description of the functionality available in Linux, and so on. It will then describe the various issues and design choices a Xen system has to make in order to allow Xen systems to use NVDIMMs effectively.
XPDDS19: Xen API Archaeology: Creating a Full-Featured VMI Debugger for the... | The Linux Foundation
Despite the popularity of the Xen hypervisor, there are very few tools capable of performing virtual machine introspection (VMI) on Xen guests — not even a full-featured debugger! This is in large part because Xen's VMI APIs are obscure and poorly documented; even among Xen developers, there are very few people who know how to use them. This has serious consequences for projects targeting Xen, as the lack of tooling makes it difficult to verify the correctness and security of software running on Xen. In this presentation, Spencer will introduce and explain Xen's VMI APIs in detail, with the goal of providing all the information necessary to construct fully-featured Xen VMI API clients and analysis tools. In doing so, he will share the hands-on experience he gained while developing his recently-released tool Xendbg, a feature-complete reference implementation of a modern Xen VMI debugger.
XPDDS17: Hypervisor-Based Security: Bringing Virtualized Exceptions Into the ... | The Linux Foundation
Thursday, July 13 • 11:55 - 12:25
Hypervisor-Based Security: Bringing Virtualized Exceptions Into the Game - Mihai Dontu, Bitdefender
http://sched.co/AjH7
With this presentation, Mihai Donțu will cover the current status of #VE support in Xen, how Bitdefender plans to use it to improve the performance of its Hypervisor Introspection (HVI) solution, and the changes Bitdefender is working on mainlining in the hope that they will find their way into all major Xen deployments. The aim is to make VMI an even more appealing security option for customers running workloads on supporting Intel hardware.
The presentation will cover Xen Automotive. We will elaborate technical solutions for the identified gaps:
1. ARM architecture - support HW virtualization extensions for embedded systems
2. Stability requirements
3. RT Scheduler
4. Rich virtualized peripheral support (WiFi, Gfx, MM, USB, etc.)
5. Performance benchmarking
6. Security
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ... | The Linux Foundation
Docker and other container runtimes are gathering momentum and becoming the new industry standard for server applications. Linux namespaces, commonly used to run Docker apps, come with a large attack surface which is difficult to reduce. Intel’s Clear Containers use KVM to run containers as VMs to provide additional isolation. It is possible to provide VM-like isolation for containers without sacrificing performance.
This talk focuses on the benefits of using Xen to provide an execution environment for Docker apps. The presentation starts by listing the requirements of this environment. It explains why monitoring container syscalls is important and what its security benefits are. The talk introduces a new paravirtualized protocol to virtualize IP sockets and provides the design and implementation details. The presentation clarifies the impact of the new protocol from a security perspective. The discussion concludes by comparing performance figures with the traditional PV network frontend and backend drivers in Linux, explaining the reasons for any performance gaps.
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix | The Linux Foundation
2018 saw fundamental shifts in security boundaries which were previously taken for granted. A lot of work has been done in the past 2 years, and largely in secret under embargo, but there is plenty more work to be done to strengthen the existing mitigations and to try to recover some performance without reopening security holes.
This talk will look at speculative execution sidechannels, the work which has already been done to mitigate the security holes, and future work which hopes to bring some improvements.
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng... | The Linux Foundation
Safety certification is one of the essential requirements for software to be used in highly regulated industries. Besides technical and compliance issues (such as ISO 26262 vs IEC 61508), transitioning an existing project to become more easily safety certifiable requires significant changes to development practices within an open source project.
In this session, we will lay out some challenges of making safety certification achievable in open source and the Xen Project. We will outline the process the Xen Project has followed thus far and highlight lessons learned along the way. The talk will primarily focus on necessary process and tooling changes and on community challenges that can prevent progress. We will offer an in-depth review of how the Xen Project is approaching this challenging goal and try to derive lessons for other projects and contributors.
XPDDS19: Using Xen to Enable an Open Source Safety Certifiable Automotive Gra... | The Linux Foundation
The members of the Automotive Grade Linux (AGL) project have been developing the Unified Code Base (UCB) distribution for automotive use since 2015. Initially the focus was on In-Vehicle Infotainment systems, but lately the project has turned towards instrument cluster, telematics, heads-up display, and other safety critical systems that require ISO 26262 ASIL-B certification. Car and truck manufacturers are looking for AGL to provide a solution that makes use of AGL in a way that meets the demands of ISO 26262 and is readily available to a broad community. Walt takes a look at what has been done on the AGL community to prepare for this and looks to how AGL can work with the Xen project to make this a reality.
Many projects start out with the intention of staying single license FOSS projects. As your project grows, reality hits: some components or files may need to use different licenses than originally anticipated. There are many reasons why this can happen: you may need to interface with projects of another license, you may want to import code from other projects or your developers may not understand the subtleties of the licenses in use. Besides the obvious challenges of managing mixed license FOSS projects, such as license compatibility and tracking what licenses you use, you are running the risk of exposing your project to unintended consequences.
This talk will explore unintended consequences, risks and best practices using some examples from the recent history of the Xen Project. In particular we will cover:
Refactoring can lead to licensing changes: best practices and unintended consequences when importing code from elsewhere.
Making code archeology easy from a licensing perspective and why it is important.
A worked example of a license change of a key component: process, pain points, their causes and how they could have been avoided
The perils of LGPL/GPL vX (or Later): the unintended consequences of not providing pre-defined copyright headers in your source base
We will conclude with a summary of lessons and best practices from both the Xen Project and a quick overview of how usage of SPDX and other tools may help you.
XPDDS18: Design Session - SGX deep dive and SGX Virtualization Discussion, Ka... | The Linux Foundation
Software Guard Extensions (SGX) is Intel's unique security feature, present in Intel's processors since the Skylake generation. In existing HW/SW solutions, the hypervisor does not protect tenants against the cloud provider and thus against the supplied operating system and hardware. Intel SGX solves this with enclaves: a protected portion of a userspace application whose code and data cannot be accessed directly from outside by any software, including privileged software such as the BIOS and the VMM. This discussion is intended as a deep dive introduction to SGX and a design discussion of adding SGX virtualization to Xen. We will start with the SGX deep dive, and then go into the SGX virtualization design, from high level design to details such as EPC management/virtualization, CPUID handling, interaction with VMX, live migration support, etc.
OSSEU18: From Handcraft to Unikraft: Simpler Unikernelization of Your Applica... | The Linux Foundation
Unikernels have produced impressive performance, including fast instantiation times, tiny memory footprints, and high consolidation, plus potentially a reduced attack surface and easier certification. Their main drawback is that they require applications to be manually ported to the underlying minimal OS; this means both expert work and a considerable amount of time.
In this talk we present Unikraft, an incubator project under the auspices of the Xen Project and the Linux Foundation aimed at automating the process of building customized images tailored to specific applications and thus significantly reducing development time. Unikraft decomposes the OS into elementary pieces (e.g., schedulers, memory allocators, drivers, etc.) that users can pick and choose from. It then builds images tailored to the needs of specific applications as well as the target platform (e.g., KVM, Xen) and architecture (e.g., ARM or x86).
XPDDS18: Unikraft: An easy way of crafting Unikernels on Arm - Kaly Xin, ARM | The Linux Foundation
Unikernels have good performance and a very tiny footprint. But the process of converting an application to a Unikernel requires expert porting work and a considerable amount of time.
Wei will introduce a new Unikernel development model – Unikraft. Unikraft aims to free Unikernels from the fundamental drawback of manual porting costs. Since Unikraft was announced, Wei has been actively working with the community to get involved in this project. In this presentation Wei intends to share some knowledge of Unikraft, including:
1) The concept and architecture of Unikraft,
2) The tool stack and config menu,
3) Features available on Arm,
4) Upcoming features on Arm.
Wei also will run a demo on an Arm server showing:
1) Conversion of an application to Unikernel,
2) Configuration of this Unikernel through a menu system,
3) The converted Unikernel running!
Hypervisors were once seen as purely cloud and server technologies, but have slowly seeped into the embedded space providing extra layers of security. This discussion will showcase how companies from security vendors to automotive are using open source hypervisors (particularly Xen Project) to secure embedded systems, what challenges they face and how they have overcome it. We will also explore what this might mean to IoT at large and how to get started in securing your embedded system with a hypervisor-first approach.
Hypervisors were once seen as purely cloud and server technologies, but have slowly seeped into the embedded space providing extra layers of security. This discussion will showcase how companies from security vendors to automotive are using open source hypervisors (particularly Xen Project) to secure embedded systems, what challenges they face and how they have overcome it. We will also explore what this might mean to IoT at large and how to get started in securing your embedded system with a hypervisor-first approach.
The topic will cover content such as: * Why virtualisation in embedded * Hypervisor architectures on ARM and a quick roundup of examples * Relevant security technologies * Specific requirements for embedded systems * Example usage of FOSS based hypervisors in embedded * Challenges such as safety certification and how this may be approached
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...The Linux Foundation
TrenchBoot is a cross-community OSS integration project for hardware-rooted, late launch integrity of open and proprietary systems. It provides a general purpose, open-source DRTM kernel for measured system launch and attestation of device integrity to trust-centric access infrastructure. TrenchBoot closes the UEFI Measurement Gap and reduces the need to trust system firmware. This talk will introduce TrenchBoot architecture and a recent collaboration with Oracle to launch the Linux kernel directly with Intel TXT or AMD SVM Secure Launch. It will propose mechanisms for integrating the Xen hypervisor into a TrenchBoot system launch. DRTM-enabled capabilities for client, server and embedded platforms will be presented for consideration by the Xen community.
OSSA17 - Live patch, VMI, Security Mgmt (50 mins, no embedded demos)The Linux Foundation
The talk covers several technologies and best practices to managing Security Vulnerabilities, which are told as interconnected stories.
We will cover how the largest clouds in production came together through the Xen Project to develop an industry leading open source security process to manage software vulnerabilities effectively, how those vendors collaborated to stop cloud reboots through Live Patching and how security and CPU vendors collaborated to protect against 0-day vulnerabilities and advanced persistent threats using hardware assisted virtual machine introspection. Finally, we will also provide information how you can use tools such as CVE Details to assess how secure an open source technology is relative to another, such that you don't have to rely solely on security stories from the technology press.
The talk will cover how these technologies work, the limitations and challenges which still remain and how they are used in practice using examples of Xen Project based products and installations. We will also cover how these technologies impact software vulnerability management processes and system administrators.
Scale17x: Thinking outside of the conceived tech comfort zoneThe Linux Foundation
The Xen Project is used by more than 10 million users, powers some of the largest clouds on the planet, and is starting to build momentum in embedded and safety-conscious market segments. It is also nearly 16 years old.
The Xen Project’s success and longevity can be attributed to its flexible architecture, but more importantly to enabling community members to contribute ideas and code, even if they are not core to the project's main use-case. This has brought Xen far beyond server virtualization.
Lars will share how the project has supported new technologies and ideas, which may include some really interesting things you might not know about Xen (especially around defense applications), and will derive best practices that may help other projects.
What do “Crazy in Love” by Beyonce and the “Xen Project” have in common? They are both 15-year-old hits. Flash forward to today. The Xen Project is used by more than 10 million users, powers some of the largest clouds on the planet, and is starting to build momentum in embedded and safety-conscious market segments. The Xen Project played a key role in developing technologies outside of the hypervisor, like hardware virtualization, and open source security disclosure standards that impact entire industries.
The Xen Project’s success and longevity can be attributed to its flexible architecture, but more importantly to enabling community members to contribute ideas and code, even if they are not core to the project's main use-case. We will share how the project has supported new technologies and ideas (sometimes in the form of failures and sometimes wins) and will derive best practices that may help other projects.
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ... (The Linux Foundation)
This presentation covers a real-world case study of Bitdefender Hypervisor Introspection (HVI) that is based on Xen Project software. On April 14th, The Shadow Brokers released the Eternalblue exploit toolkit, which exploited an SMBv1 vulnerability across a wide range of Windows operating systems. The exploit was most famously used as a propagation mechanism for the WannaCry ransomware. HVI prevented exploitation attempts with no prior knowledge of the exploit or underlying vulnerability. This talk will cover the exploit mechanism, how HVI detects its actions, and illustrate some of the advantages of HVI built through open source collaboration. Audience members will take away a better understanding of this type of exploit and how something like hypervisor introspection and a security-through-a-hypervisor approach can help companies avoid these types of new exploits.
NVDIMM is a standard for allowing non-volatile memory to be exposed as normal RAM, which can be directly mapped to guests. This simple concept has the potential to dramatically change the way software is written, but it also has a number of surprising problems to solve. Furthermore, this area is plagued with incomplete specifications and confusing terminology.
This talk will attempt to give an overview of NVDIMMs from an operating system perspective: What the terminology means, how they are discovered and partitioned, issues relating to filesystems, a brief description of the functionality available in Linux, and so on. It will then describe the various issues and design choices a Xen system has to make in order to allow Xen systems to use NVDIMMs effectively.
XPDDS19: Xen API Archaeology: Creating a Full-Featured VMI Debugger for the... (The Linux Foundation)
Despite the popularity of the Xen hypervisor, there are very few tools capable of performing virtual machine introspection (VMI) on Xen guests — not even a full-featured debugger! This is in large part because Xen's VMI APIs are obscure and poorly documented; even among Xen developers, there are very few people who know how to use them. This has serious consequences for projects targeting Xen, as the lack of tooling makes it difficult to verify the correctness and security of software running on Xen. In this presentation, Spencer will introduce and explain Xen's VMI APIs in detail, with the goal of providing all the information necessary to construct fully-featured Xen VMI API clients and analysis tools. In doing so, he will share the hands-on experience he gained while developing his recently-released tool Xendbg, a feature-complete reference implementation of a modern Xen VMI debugger.
XPDDS17: Hypervisor-Based Security: Bringing Virtualized Exceptions Into the ... (The Linux Foundation)
Thursday, July 13 • 11:55 - 12:25
Hypervisor-Based Security: Bringing Virtualized Exceptions Into the Game - Mihai Dontu, Bitdefender
http://sched.co/AjH7
With this presentation, Mihai Donțu will cover the current status of #VE support in Xen, how Bitdefender plans to use it to improve the performance of its Hypervisor Introspection (HVI) solution, and the changes Bitdefender is working on mainlining in the hope that they will find their way into all major Xen deployments. The aim is to make VMI an even more appealing security option for customers running workloads on supporting Intel hardware.
The presentation will cover Xen Automotive. We will elaborate technical solutions for the identified gaps:
1. ARM architecture - support HW virtualization extensions for embedded systems
2. Stability requirements
3. RT Scheduler
4. Rich virtualized peripheral support (WiFi, Gfx, MM, USB, etc.)
5. Performance benchmarking
6. Security
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ... (The Linux Foundation)
Docker and other container runtimes are gathering momentum and becoming the new industry standard for server applications. Linux namespaces, commonly used to run Docker apps, come with a large attack surface which is difficult to reduce. Intel’s Clear Containers use KVM to run containers as VMs to provide additional isolation. It is possible to provide VM-like isolation for containers without sacrificing performance.
This talk focuses on the benefits of using Xen to provide an execution environment for Docker apps. The presentation starts by listing the requirements of this environment. It explains why monitoring container syscalls is important and what its security benefits are. The talk introduces a new paravirtualized protocol to virtualize IP sockets and provides the design and implementation details. The presentation clarifies the impact of the new protocol from a security perspective. The discussion concludes by comparing performance figures with the traditional PV network frontend and backend drivers in Linux, explaining the reasons for any performance gaps.
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix (The Linux Foundation)
2018 saw fundamental shifts in security boundaries which were previously taken for granted. A lot of work has been done in the past 2 years, and largely in secret under embargo, but there is plenty more work to be done to strengthen the existing mitigations and to try to recover some performance without reopening security holes.
This talk will look at speculative execution sidechannels, the work which has already been done to mitigate the security holes, and future work which hopes to bring some improvements.
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng... (The Linux Foundation)
Safety certification is one of the essential requirements for software to be used in highly regulated industries. Besides technical and compliance issues (such as ISO 26262 vs IEC 611508), transitioning an existing project to become more easily safety certifiable requires significant changes to development practices within an open source project.
In this session, we will lay out some challenges of making safety certification achievable in open source and the Xen Project. We will outline the process the Xen Project has followed thus far and highlight lessons learned along the way. The talk will primarily focus on necessary process, tooling changes and community challenges that can prevent progress. We will be offering an in-depth review of how Xen Project is approaching this challenging goal and try to derive lessons for other projects and contributors.
XPDDS19: Using Xen to Enable an Open Source Safety Certifiable Automotive Gra... (The Linux Foundation)
The members of the Automotive Grade Linux (AGL) project have been developing the Unified Code Base (UCB) distribution for automotive use since 2015. Initially the focus was on In-Vehicle Infotainment systems, but lately the project has turned towards instrument cluster, telematics, heads-up display, and other safety critical systems that require ISO 26262 ASIL-B certification. Car and truck manufacturers are looking for AGL to provide a solution that makes use of AGL in a way that meets the demands of ISO 26262 and is readily available to a broad community. Walt takes a look at what has been done on the AGL community to prepare for this and looks to how AGL can work with the Xen project to make this a reality.
Many projects start out with the intention of staying single license FOSS projects. As your project grows, reality hits: some components or files may need to use different licenses than originally anticipated. There are many reasons why this can happen: you may need to interface with projects of another license, you may want to import code from other projects or your developers may not understand the subtleties of the licenses in use. Besides the obvious challenges of managing mixed license FOSS projects, such as license compatibility and tracking what licenses you use, you are running the risk of exposing your project to unintended consequences.
This talk will explore unintended consequences, risks and best practices using some examples from the recent history of the Xen Project. In particular we will cover:
Refactoring can lead to licensing changes: best practices and unintended consequences when importing code from elsewhere.
Making code archeology easy from a licensing perspective and why it is important.
A worked example of a license change of a key component: process, pain points, their causes and how they could have been avoided
The perils of LGPL/GPL vX (or Later): the unintended consequences of not providing pre-defined copyright headers in your source base
We will conclude with a summary of lessons and best practices from both the Xen Project and a quick overview of how usage of SPDX and other tools may help you.
XPDDS18: Design Session - SGX deep dive and SGX Virtualization Discussion, Ka... (The Linux Foundation)
Software Guard Extensions (SGX) is Intel's unique security feature, which has been present in Intel's processors since the Skylake generation. In existing HW/SW solutions the hypervisor does not protect tenants against the cloud provider, and thus against the supplied operating system and hardware. Intel SGX solves this by using enclaves: a protected portion of a userspace application where the code/data cannot be accessed directly from outside by any software, including privileged software such as the BIOS and VMM. This discussion is intended as a deep-dive introduction to SGX and a design discussion of adding SGX virtualization to Xen. We will start with the SGX deep dive, and then go into the SGX virtualization design, from high-level design to details such as EPC management/virtualization, CPUID handling, interaction with VMX, live migration support, etc.
OSSEU18: From Handcraft to Unikraft: Simpler Unikernelization of Your Applica... (The Linux Foundation)
Unikernels have produced impressive performance, including fast instantiation times, tiny memory footprints, and high consolidation, plus potentially a reduced attack surface and easier certification. Their main drawback is that they require applications to be manually ported to the underlying minimal OS; this means both expert work and a considerable amount of time.
In this talk we present Unikraft, an incubator project under the auspices of the Xen Project and the Linux Foundation aimed at automating the process of building customized images tailored to specific applications and thus significantly reducing development time. Unikraft decomposes the OS into elementary pieces (e.g., schedulers, memory allocators, drivers, etc.) that users can pick and choose from. It then builds images tailored to the needs of specific applications as well as the target platform (e.g., KVM, Xen) and architecture (e.g., ARM or x86).
XPDDS18: Unikraft: An easy way of crafting Unikernels on Arm - Kaly Xin, ARM (The Linux Foundation)
Unikernels have good performance and a very tiny footprint. But the process of converting an application to a Unikernel requires expert porting work and a considerable amount of time.
Wei will introduce a new Unikernel development model – Unikraft. Unikraft aims to free Unikernels from the fundamental drawback of manual porting costs. Since Unikraft was announced, Wei has been actively working with the community to get involved in this project. In this presentation Wei intends to share some knowledge of Unikraft, including:
1) The concept and architecture of Unikraft,
2) The tool stack and config menu,
3) Features available on Arm,
4) Upcoming features on Arm.
Wei also will run a demo on an Arm server showing:
1) Conversion of an application to Unikernel,
2) Configuration of this Unikernel through a menu system,
3) The converted Unikernel running!
Security research over Windows #defcon china (Peter Hlavaty)
Over the past several years Microsoft Windows has undergone a lot of fundamental security changes. While one can argue it is still imperfect and bound to tons of legacy issues, those changes have made important shifts in the attacker's perspective: from tightened sandboxing, restricting attack surface and introducing mitigations, to applying virtualization and a stronger focus even on win32k. In our talk we will go through those changes, how they affect us and how we tackle them, from choosing targets and finding bugs up to the exploitation primitives we are using. We will also emphasize that Windows research is not only about the sandbox, and that there are many more interesting targets to look for.
Forge - DevCon 2016: Implementing Rich Applications in the Browser (Autodesk)
Sebastian Dunkel, Autodesk
Cloud based web applications running in the browser have fundamental advantages over their desktop based siblings: They run on any device and are not tied to a certain operating system. The transition to web applications can solve many of the deployment problems and facilitates effortless real-time collaboration in a connected world.
However, implementing rich browser applications is challenging. Besides general technical limitations, leveraging existing technology is far from trivial. In this presentation we will discuss these and other challenges based on selected browser-based applications developed at Autodesk. Moreover, we will show how Forge technology can help to accelerate application development and improve the development experience.
13 practical tips for writing secure golang applications (Karthik Gaekwad)
Writing secure applications in a new language is challenging. Here are some tips to help get you started for writing secure code in golang. Presented at Lascon 2015
Developing a mobile cross-platform library (Kostis Dadamis)
Here, I am including the experience I had while exploring solutions for developing a mobile cross-platform library, i.e. a single codebase that could be part of mobile apps running under different platforms. It covers my journey from mobile cross-platform developments tools (PhoneGap, Titanium, and the likes), code porting tools, and WebViews that weren't up to the task, to C++ and JavaScript engines that did work. There aren't many resources out there explaining how to approach this problem, so we thought it could be helpful if we shared this experience.
A Tail of Two Containers: How docker made ci great again (Kyle Rames)
Codeship has been powered by containers from the very beginning. In this talk we will discuss our initial implementation using LXC, how we use it and the limitations that we have encountered. Using the lessons we learned from our first gen implementation, we’ll look at the evolution of our next generation Docker service. We’ll dive into how this implementation works and discover some of the benefits and challenges of using Docker for CI.
Microservices in action at the Dutch National Police - Bert Jan Schrijver - C... (Codemotion)
At the Cloud, Big Data and Internet division of the Dutch National Police, 4 DevOps teams use the latest open source technology to build high tech, cloud native web applications using Spring Boot, Angular 5, Spark, Kafka and Jenkins 2. I'll share our experiences and real-world use cases for microservices. I’ll show how 4 teams work together on one product and I’ll talk about how we apply the principles of DevOps and Continuous Delivery. I’ll show how we handle security, build pipelines, test automation, performance tests, service discovery, automated deployments, monitoring and more!
Everything-as-code - A polyglot adventure (QAware GmbH)
Devoxx 2017, Poland: Talk by Mario-Leander Reimer (@LeanderReimer, Principal Software Architect at QAware).
Abstract: As modern, agile architects and developers we need to master several different languages and technologies all at once to build state-of-the-art solutions and yet be 100% productive. We define our development environments using Gradle. We implement our software in Java, Kotlin or another JVM based language. We use Groovy or Scala to test our code at different layers. We construct the build pipelines for our software using a Groovy DSL or JSON. We use YAML and Python to describe the infrastructure and the deployment for our applications. We document our architectures using AsciiDoc and JRuby. Welcome to Babel!
Making the right choices in the multitude of available languages and technologies is not easy. Randomly combining every hip technology out there will surely lead into chaos. What we need is a customized, streamlined tool chain and technology stack that fits the project, your team and the customer’s ecosystem all at once. This code intense, polyglot session is an opinionated journey into the modern era of software industrialization.
ApacheCon Core: Service Discovery in OSGi: Beyond the JVM using Docker and Co... (Frank Lyaruu)
OSGi offers an excellent service discovery mechanism, but it is limited to services inside the JVM. With Docker nowadays it is trivially easy to deploy all kinds of (micro) services, using pretty much any technology stack, so we’d like to discover those as easily as the ones inside the JVM. We will have a look at how we can use the Docker API to discover services in other containers, and how we can use Consul to expand service discovery to other hosts.
Static partitioning is used to split an embedded system into multiple domains, each of them having access only to a portion of the hardware on the SoC. It is key to enable mixed-criticality scenarios, where a critical application, often based on a small RTOS, runs alongside a larger non-critical app, typically based on Linux. The two domains cannot interfere with each other.
This talk will explain how to use Xen for static partitioning. It will introduce dom0-less, a new Xen feature written for the purpose. Dom0-less allows multiple VMs to start at boot time directly from the Xen hypervisor, decreasing boot times drastically. It makes it very easy to partition the system without virtualization overhead. Dom0 becomes unnecessary.
This presentation will go into details on how to set up a Xen dom0-less system. It will show configuration examples and explain device assignment. The talk will discuss its implications for latency-sensitive and safety-critical environments.
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E... (The Linux Foundation)
The idea of making Xen secret-free has been floating since Spectre and Meltdown came into light. In this talk we will discuss what is being done and what needs to be done next.
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx (The Linux Foundation)
This talk will introduce Dom0-less: a new way of using Xen to build mixed-criticality solutions. Dom0-less is a Xen feature that adds a novel approach to static partitioning based on virtualization. It allows multiple domains to start at boot time directly from the Xen hypervisor, decreasing boot times dramatically. Xen userspace tools, such as xl and libvirt, become optional.
Dom0-less extends the existing device tree based Xen boot protocol to cover information required by additional domains. Binaries, such as kernels and ramdisks, are loaded by the bootloader (U-Boot) and advertised to Xen via new device tree bindings.
The audience will learn how to use Dom0-less to partition the system. U-Boot and device tree configuration details will be explained to enable the audience to get the most out of this feature. The talk will include a status update and details on future plans.
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys... (The Linux Foundation)
As the number of contributions grows, reviewer bandwidth becomes a bottleneck, and maintainers are always asking for more help. However, ultimately maintainers must at least Ack every patch that goes in; so if you're not a maintainer, how can you contribute? Why should anyone care about your opinion?
This talk will try to lay out some advice and guidelines for non-maintainers, for how they can do code review in a way which will effectively reduce the load on maintainers when they do come to review a patch.
This talk is a follow-up to our Summit 2017 presentation in which we covered our plans for Intel VMFUNC and #VE, as well as related use-cases. This year, we will provide a report on what we have accomplished in Xen 4.12, and what remains to be addressed. We will also give a brief status update of VMI on AMD hardware. The session will end with some real-world numbers of the Hypervisor Introspection solution running on Citrix Hypervisor 8.0 with #VE enabled.
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd (The Linux Foundation)
The Arm architecture provides a set of guidelines that any software should abide by when accessing memory with the MMU off and when updating page-tables. Failing to do so may result in TLB conflicts or broken coherency.
In a previous talk ("Keeping coherency on Arm"), we focused on safely updating the stage-2 (aka P2M) page-tables. This talk will focus on the boot code and Xen memory management.
During this session, we will introduce some of the guidelines and when they should be used. We will also discuss how the Xen boot sequence needs to be reworked to avoid breaking the guidelines.
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant... (The Linux Foundation)
For many years the QEMU codebase has contained PV backends for Xen guests, giving them paravirtual access to storage, network, keyboard, mouse, etc. However, these backends have not been configurable as QEMU devices, as their implementation did not fully adhere to the QEMU Object Model (QOM).
In particular, the PV storage backend not using proper QOM devices, or qdevs, meant that the QEMU block layer needed to maintain legacy code that was cluttering up the source. This was causing push-back from the maintainers, who did not want to accept any patches relating to that Xen backend until it was 'qdevified'.
In this talk, I'll explain the modifications I made to QEMU to achieve 'qdevification' of the PV storage backend, how compatibility with the libxl toolstack was maintained, and what the next steps in both QEMU and libxl development should be.
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D (The Linux Foundation)
PCI is a local computer bus for attaching hardware devices in a computer, and is the main peripheral bus on modern x86 systems. As such, having a proper way to emulate it is crucial for Xen to be able to expose both fully emulated devices or passthrough devices to guests.
This talk will focus on the current status of PCI emulation in Xen: how and where it is used, what its main limitations are, and future plans to improve it in order to make it more robust and modular.
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems (The Linux Foundation)
Volodymyr will speak about TEE mediators. This is a new feature in Xen which allows multiple virtual machines to interact with the Trusted Execution Environment available on the platform. He developed a mediator for one of the TEEs, namely OP-TEE.
He will give background information on why TEE is needed at all and share some implementation details.
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven... (The Linux Foundation)
Xen is a very powerful hypervisor with a talented and diverse developer community. Despite the fact that it's almost everywhere (from the Cloud to the embedded world), it can be difficult to set up and manage as a system administrator. General purpose distros have Xen packages, but that's just a start in your Xen journey: you need some tooling and knowledge to have a working and scalable platform.
XCP-ng was built to overcome those issues: by bringing Xen to the masses with a fully turnkey distro with Xen as its core. It's the logical sequel to the XCP project, with a community focus from the start. We'll see how it happened, what we did, and what's next. Finally, we'll see the impact of XCP-ng on the Xen Project.
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib... (The Linux Foundation)
Doug has long advocated for more CI/CD (Continuous Integration / Continuous Delivery) processes to be adopted by the Xen Project from the use of Travis CI and now GitLab CI. This talk aims to propose ideas for building upon the existing process and transforming the development process to provide users a higher quality with each release by the Xen Project.
Today Xen schedules guest virtual cpus on all available physical cpus independently from each other. Recent security issues on modern processors (e.g. L1TF) require turning off hyperthreading for best security, in order to avoid leaking information from one hyperthread to the other. One way to avoid having to turn off hyperthreading is to only ever schedule virtual cpus of the same guest on one physical core at the same time. This is called core scheduling.
This presentation shows results from the effort to implement core scheduling in the Xen hypervisor. The basic modifications in Xen are presented and performance numbers with core scheduling active are shown.
XPDDS19: Implementing AMD MxGPU - Jonathan Farrell, Assured Information Security (The Linux Foundation)
The use of Virtual GPUs (vGPUs) has widely grown in server farms to give Virtual Machines (VMs) dedicated graphics. Software rendering with virtual CPUs can only take us so far and even with Intel-GVT, which uses integrated graphics, there isn't enough power to do the fun stuff. In this presentation, Jon Farrell will be talking about the process of implementing AMD MxGPU on Xen, challenges that he encountered while doing it, and discussing performance metrics of bare metal and vGPU VM on popular benchmarks like 3D Mark* and The Witcher 3. To wrap up his presentation, Jon will share his thoughts about future research and where this technology can take us.
XPDDS19: Support of PV Devices in Nested Xen - Jürgen Groß, SUSE (The Linux Foundation)
Current support of nested virtualization with Xen is limited to fully emulated devices for the L1 hypervisor (the L0 hypervisor being the one running on the physical machine). To be able to let L2 dom0 make use of L1 PV devices, several new interfaces are needed.
In this design session I'll present my ideas on how to add support of PV devices for L2 dom0. There are several possibilities for how to do the work, which I'd like to discuss.
XPDDS19: Application Agnostic High Availability Solution On Hypervisor Level ... (The Linux Foundation)
In today's public and private cloud markets, availability is a very important metric for all cloud service providers. COLO is an ideal application-agnostic solution for non-stop service in the cloud. Our solution can protect user service even from physical network or power interruption, and the switching process is difficult for users to perceive (TCP connections will not be terminated). Under COLO mode, both the primary VM (PVM) and the secondary VM (SVM) run in parallel. COLO has a more than ten times performance increase compared with previous solutions (like Remus). The current COLO code has been merged in the QEMU community, so we can use COLO upstream without any additional patches. In this talk, we will talk about the COLO implementation in QEMU and Xen and the newly designed COLO-Proxy, discuss problems we've met while developing COLO, and report the latest progress from Intel.
XPDSS19: Live-Updating Xen - Amit Shah & David Woodhouse, Amazon (The Linux Foundation)
Xen currently has two major mechanisms to maintain security while hosting untrusted VMs without causing disruption to those guests: live patching, and live migration. We introduce a third method: live updating Xen. A live-update operation involves loading of the newly-staged hypervisor into RAM, the currently-running Xen serializing its state, and then transferring control to the newly-staged Xen, all without disrupting running instances, beyond a little downtime when neither hypervisor is running guest vCPUs.
We present a proposal on the design of such a feature, and invite comments and feedback.
XPDDS19: Secure Unikraft Applications with Solo5 - Haibo Xu, ARM (The Linux Foundation)
XPDDS19: The Xen-Blanket for 2019 - Christopher Clark and Kelli Little, Star ... (The Linux Foundation)
The Open Source Xen-Blanket software was developed by researchers at IBM and Cornell University, as extensions to the Xen hypervisor and its PV drivers, to enable seamless use of Xen PV drivers in guest VMs of nested Xen deployments. It was presented at the EuroSys 2012 conference, with a paper that has been widely cited since, and deployed in Cornell's SuperCloud.
Xen-Blanket has never been presented to the Xen Community, and the software was left unmaintained. However, recent work by Star Lab has modernized its implementation, aiming to encourage its adoption and incorporation into the Xen Project software.
This session will introduce the Xen-Blanket, describing its motivation and features; present the structure of the implementation in the hypervisor and device drivers; outline an example architecture for its deployment; and summarize its current state and plans within the Xen Project.
XPDSS19: Improve the Reliability and Efficiency of Late Microcode Update - Ch... (The Linux Foundation)
Microcode update is used to correct errata by loading an Intel-supplied data block (so-called microcode) into the processor. In particular, late microcode update (i.e., loading microcode into processors at run-time) avoids the system reboot which is necessary for early microcode update, and so greatly reduces system downtime. But current late microcode update on Xen may fail in some cases, as microcode becomes more complex in order to fix some sophisticated security issues. Chao will introduce his work to improve the reliability and efficiency of microcode update.
Unikraft allows developers to easily build unikernels targeted at specific applications.
Since Unikraft was announced, Arm has been actively involved in enabling it on the arm64 KVM platform.
In this presentation I intend to share:
1) Feature status on the arm64 KVM platform (merged and under review)
2) Scalability: multi-thread, SMP support
3) To-do list
I will also show some demos on Arm64, among them:
1) two veth NICs doing tx/rx over the virtio-mmio bus
2) a lightweight web server
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar
The European Union Agency for Law Enforcement Cooperation (Europol) has suffered an alleged data breach after a notorious threat actor claimed to have exfiltrated data from its systems. Infamous data leaker IntelBroker posted on the even more infamous BreachForums hacking forum, saying that Europol suffered a data breach this month.
The alleged breach affected Europol agencies CCSE, EC3, Europol Platform for Experts, Law Enforcement Forum, and SIRIUS. Infiltration of these entities can disrupt ongoing investigations and compromise sensitive intelligence shared among international law enforcement agencies.
However, this is neither the first nor the last activity of IntelBroker. We have compiled for you what happened in the last few days. To track such hacker activities on dark web sources like hacker forums, private Telegram channels, and other hidden platforms where cyber threats often originate, you can check SOCRadar’s Dark Web News.
Stay Informed on Threat Actors’ Activity on the Dark Web with SOCRadar!
Globus Compute with IRI Workflows - GlobusWorld 2024Globus
As part of the DOE Integrated Research Infrastructure (IRI) program, NERSC at Lawrence Berkeley National Lab and ALCF at Argonne National Lab are working closely with General Atomics on accelerating the computing requirements of the DIII-D experiment. As part of this work the team is investigating ways to speed up the time to solution for many different parts of the DIII-D workflow, including how they run jobs on HPC systems. One of these routes is looking at Globus Compute as a way to replace the current method for managing tasks, and we describe a brief proof of concept showing how Globus Compute could help to schedule jobs and be a tool to connect compute at different facilities.
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...Juraj Vysvader
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc., and I didn't get rich from it, but it did have 63K downloads (powering possibly tens of thousands of websites).
Advanced Flow Concepts Every Developer Should KnowPeter Caitens
Tim Combridge from Sensible Giraffe and Salesforce Ben presents some important tips that all developers should know when dealing with Flows in Salesforce.
Software Engineering, Software Consulting, Tech Lead. Spring Boot, Spring Cloud, Spring Core, Spring JDBC, Spring Security, Spring Transaction, Spring MVC, Log4j, REST/SOAP web services.
Globus Connect Server Deep Dive - GlobusWorld 2024Globus
We explore the Globus Connect Server (GCS) architecture and experiment with advanced configuration options and use cases. This content is targeted at system administrators who are familiar with GCS and currently operate—or are planning to operate—broader deployments at their institution.
Your Digital Assistant.
Making a complex approach simple. A straightforward process saves time. No more waiting to connect with the people who matter to you. Safety first is not a cliché - securely protect information in cloud storage to prevent any third party from accessing data.
Would you rather make your visitors feel burdened by making them wait? Or choose VizMan for a stress-free experience? VizMan is an automated visitor management system that works for any industry, including but not limited to factories, societies, government institutes, and warehouses. It is a new-age contactless way of logging information about visitors, employees, packages, and vehicles. VizMan is a digital logbook, so it removes unnecessary use of paper and space: there is no need for bundles of registers left to collect dust in a corner of a room. It records visitors’ essential details, helps in scheduling meetings for visitors and employees, and assists in supervising the attendance of employees. With VizMan, visitors don’t need to wait for hours in long queues. VizMan handles visitors with the value they deserve because we know time is important to you.
Feasible Features
One Subscription, Four Modules – Admin, Employee, Receptionist, and Gatekeeper ensures confidentiality and prevents data from being manipulated
User Friendly – can be easily used on Android, iOS, and Web Interface
Multiple Accessibility – Log in through any device from any place at any time
One app for all industries – a Visitor Management System that works for any organisation.
Stress-free Sign-up
Visitor is registered and checked-in by the Receptionist
Host gets a notification, where they opt to Approve the meeting
Host notifies the Receptionist of the end of the meeting
Visitor is checked-out by the Receptionist
Host enters notes and remarks of the meeting
Customizable Components
Scheduling Meetings – Host can invite visitors for meetings and also approve, reject and reschedule meetings
Single/Bulk invites – Invitations can be sent individually to a visitor or collectively to many visitors
VIP Visitors – Additional security of data for VIP visitors to avoid misuse of information
Courier Management – Keeps a check on deliveries like commodities being delivered in and out of establishments
Alerts & Notifications – Get notified on SMS, email, and application
Parking Management – Manage availability of parking space
Individual log-in – Every user has their own log-in id
Visitor/Meeting Analytics – Evaluate notes and remarks of the meeting stored in the system
Visitor Management System is a secure and user-friendly database manager that records, filters, and tracks the visitors to your organization.
"Secure Your Premises with VizMan (VMS) – Get It Now"
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...informapgpstrackings
Keep tabs on your field staff effortlessly with Informap Technology Centre LLC. Real-time tracking, task assignment, and smart features for efficient management. Request a live demo today!
For more details, visit us : https://informapuae.com/field-staff-tracking/
First Steps with Globus Compute Multi-User EndpointsGlobus
In this presentation we will share our experiences around getting started with the Globus Compute multi-user endpoint. Working with the Pharmacology group at the University of Auckland, we have previously written an application using Globus Compute that can offload computationally expensive steps in the researchers' workflows, which they wish to manage from their familiar Windows environments, onto the NeSI (New Zealand eScience Infrastructure) cluster. Some of the challenges we have encountered were that each researcher had to set up and manage their own single-user Globus Compute endpoint, and that the workloads had varying resource requirements (CPUs, memory and wall time) between different runs. We hope that the multi-user endpoint will help to address these challenges, and we share an update on our progress here.
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?XfilesPro
Worried about document security while sharing them in Salesforce? Fret no more! Here are the top-notch security standards XfilesPro upholds to ensure strong security for your Salesforce documents while sharing with internal or external people.
To learn more, read the blog: https://www.xfilespro.com/how-does-xfilespro-make-document-sharing-secure-and-seamless-in-salesforce/
Top Nidhi Software Solution Free Downloadvrstrong314
This presentation emphasizes the importance of data security and legal compliance for Nidhi companies in India. It highlights how online Nidhi software solutions, like Vector Nidhi Software, offer advanced features tailored to these needs. Key aspects include encryption, access controls, and audit trails to ensure data security. The software complies with regulatory guidelines from the MCA and RBI and adheres to Nidhi Rules, 2014. With customizable, user-friendly interfaces and real-time features, these Nidhi software solutions enhance efficiency, support growth, and provide exceptional member services. The presentation concludes with contact information for further inquiries.
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns
Unlocking Business Potential: Tailored Technology Solutions by Prosigns
Discover how Prosigns, a leading technology solutions provider, partners with businesses to drive innovation and success. Our presentation showcases our comprehensive range of services, including custom software development, web and mobile app development, AI & ML solutions, blockchain integration, DevOps services, and Microsoft Dynamics 365 support.
Custom Software Development: Prosigns specializes in creating bespoke software solutions that cater to your unique business needs. Our team of experts works closely with you to understand your requirements and deliver tailor-made software that enhances efficiency and drives growth.
Web and Mobile App Development: From responsive websites to intuitive mobile applications, Prosigns develops cutting-edge solutions that engage users and deliver seamless experiences across devices.
AI & ML Solutions: Harnessing the power of Artificial Intelligence and Machine Learning, Prosigns provides smart solutions that automate processes, provide valuable insights, and drive informed decision-making.
Blockchain Integration: Prosigns offers comprehensive blockchain solutions, including development, integration, and consulting services, enabling businesses to leverage blockchain technology for enhanced security, transparency, and efficiency.
DevOps Services: Prosigns' DevOps services streamline development and operations processes, ensuring faster and more reliable software delivery through automation and continuous integration.
Microsoft Dynamics 365 Support: Prosigns provides comprehensive support and maintenance services for Microsoft Dynamics 365, ensuring your system is always up-to-date, secure, and running smoothly.
Learn how our collaborative approach and dedication to excellence help businesses achieve their goals and stay ahead in today's digital landscape. From concept to deployment, Prosigns is your trusted partner for transforming ideas into reality and unlocking the full potential of your business.
Join us on a journey of innovation and growth. Let's partner for success with Prosigns.
Unleash Unlimited Potential with One-Time Purchase
BoxLang is more than just a language; it's a community. By choosing a Visionary License, you're not just investing in your success, you're actively contributing to the ongoing development and support of BoxLang.
Into the Box Keynote Day 2: Unveiling amazing updates and announcements for modern CFML developers! Get ready for exciting releases and updates on Ortus tools and products. Stay tuned for cutting-edge innovations designed to boost your productivity.
Experience our free, in-depth three-part Tendenci Platform Corporate Membership Management workshop series! In Session 1 on May 14th, 2024, we began with an Introduction and Setup, mastering the configuration of your Corporate Membership Module settings to establish membership types, applications, and more. Then, on May 16th, 2024, in Session 2, we focused on binding individual members to a Corporate Membership and Corporate Reps, teaching you how to add individual members and assign Corporate Representatives to manage dues, renewals, and associated members. Finally, on May 28th, 2024, in Session 3, we covered questions and concerns, addressing any queries or issues you may have.
For more Tendenci AMS events, check out www.tendenci.com/events
Accelerate Enterprise Software Engineering with PlatformlessWSO2
Key takeaways:
Challenges of building platforms and the benefits of platformless.
Key principles of platformless, including API-first, cloud-native middleware, platform engineering, and developer experience.
How Choreo enables the platformless experience.
How key concepts like application architecture, domain-driven design, zero trust, and cell-based architecture are inherently a part of Choreo.
Demo of an end-to-end app built and deployed on Choreo.
Developing Distributed High-performance Computing Capabilities of an Open Sci...Globus
COVID-19 had an unprecedented impact on scientific collaboration. The pandemic and its broad response from the scientific community has forged new relationships among public health practitioners, mathematical modelers, and scientific computing specialists, while revealing critical gaps in exploiting advanced computing systems to support urgent decision making. Informed by our team’s work in applying high-performance computing in support of public health decision makers during the COVID-19 pandemic, we present how Globus technologies are enabling the development of an open science platform for robust epidemic analysis, with the goal of collaborative, secure, distributed, on-demand, and fast time-to-solution analyses to support public health.
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerrigan, Assured Information Security, Inc.
1. Client Virtualization Toolstack in Go
Nicholas Rosbrook, Software Engineer, Assured Information Security
Brendan Kerrigan, Principal Software Engineer, Assured Information Security
3. Introduction
• Brendan Kerrigan – Principal Engineer at Assured Information Security, Inc.
• Hypervisors
• Graphics virtualization
• Embedded
• Nicholas Rosbrook – Software Engineer at Assured Information Security, Inc.
• Cryptography
• VPNs and Networking
• Go expert
4. Motivation
• We do a lot of client virtualization work
• Utilizing hypervisors to do endpoint security
• Mostly OpenXT based products now
• OpenXT isn’t the easiest project to work on (10 years of development means there are lots of components)
• Sometimes key high-security features can be a hindrance to some use cases
• Client virtualization is quite different from server virtualization
• Especially when it comes to toolstacks
5. Evaluation
• What’s out there we can leverage?
• XenMgr
• Libvirt (+ qubectl)
• What if we had a clean slate?
6. XenMgr
• XenMgr is high friction
• Haskell
• Esoteric
• Tough to find developers
• Lots of legacy interfaces that are unexercised and unaudited (audit in progress)
• A lot of cryptic code that essentially reads a database and writes an xl config and calls exec/fork
• Local and remote APIs are different
• The command line tool is great
7. Libvirt
• One layer of abstraction too many
• XML domain configurations are too complex
• Designed to work with several virtualization technologies – KVM, Xen, LXC, etc.
• We want to work with Xen and do it well
• Does a lot more than we need it to
• There is an existing Go package (developed by DigitalOcean)
8. redctl
• Introducing redctl, the client toolstack to our Xen distribution, Redfield
• The good:
• A client toolstack where remote and local management APIs are unified
• Utilize gRPC
• Don’t dictate transport (IPv4, IPv6, PV channels, Argo, vsock)
• Easy to understand and test language (Go)
• Make the command line tool awesome (like XenMgr’s)
• The bad:
• Still doing exec/fork a lot when dealing with libxl…
9. What is cgo?
• Cgo enables Go programs to call C code through a pseudo-package, “C”
• Allows access of C types, variables, and functions
• E.g. C.size_t, C.stdout, C.printf
• The “preamble”
• A block comment used to include headers, set CFLAGS, LDFLAGS, etc.
• Immediately precedes the import “C” statement
11. What is cgo?
• C fields that cannot be expressed in Go are omitted
• The C type void* is represented by Go’s unsafe.Pointer
• Cannot call C function pointers from Go
• There are some restrictions on passing pointers between C and Go
12. Writing a Go Package for libxl
• Writing the cgo code by hand is tedious
• Cgo is simple enough to make code generation easy
• We use c-for-go: https://github.com/xlab/c-for-go
• Define translation and generation rules with a YAML configuration file
• Accept or ignore symbols, rename variables, apply rules to a given scope, and more
17. Future Work
• Continue writing wrappers
• Trim the size of the package
• Integrate into redctl
• Upstream
• Current fork: https://github.com/enr0n/xen/tree/libxl-go