SlideShare a Scribd company logo

Zerovm backgroud

Download as PPT, PDF
UT, San Antonio
UT, San Antonio

ZeroVM backgroud: Introduction to some of the concept behind zerovm. Little discussion of google native client project, Software based fault isolation is also provided.

Technology
1 of 27
11World-Leading Research with Real-World Impact! ZeroVM Backgroud Prosunjit Biswas Institute for Cyber Security University of Texas at San Antonio April 23, 2014 Institute of Cyber Security, ICS @ UTSA Institute for Cyber Security
22World-Leading Research with Real-World Impact! Motivation Behind ZeroVM Institute for Cyber Security 1. In Amazon map/reduces a considerable amount of overhead was due to fetching the data from s3 to EC2 Instances and put it back to s3. 2. The overhead was hurting when the customers need to remake to cluster and do the map/reduce again. 3. A significant amount of customer’s money was spent due to moving the data back and forth.
33World-Leading Research with Real-World Impact! Motivation Behind ZeroVM(continued) Institute for Cyber Security 1. can we bring to Application to the data(very limited I/O overhead)? 2. How can we ensure no harm even if the application is malicious? Challenge with High I/O Challenge with Application Isolation
44World-Leading Research with Real-World Impact! What is ZeroVM Institute for Cyber Security ZeroVM is an open–source lightweight virtualization platform based on the Chromium Native Client project.
55World-Leading Research with Real-World Impact! ZeroVM Properties Institute for Cyber Security 1. ZeroVM virtualizes Application not Operating System. 2. Single threaded (thus deterministic) execution 3. Constraint Resource  Channel based I/O  Predefine socket port / network  Restricted Memory Access  Limited Read/ Write (in bytes)  Limited life time / Predefined timeout
66World-Leading Research with Real-World Impact! ZeroVM Properties Institute for Cyber Security 1. ZeroVM virtualizes Application not Operating System. 2. Single threaded (thus deterministic) execution 3. Constraint Resource  Channel based I/O  Predefine socket port / network  Restricted Memory Access  Limited Read/ Write (in bytes)  Limited life time / Predefined timeout
77World-Leading Research with Real-World Impact! Popular Virtualizations Institute for Cyber Security 1. ZeroVM virtualizes Application not Operating System. 2. Does zeroVM uses process level virtualization ? OS Level Virtualization Process Level Virtualization No
88World-Leading Research with Real-World Impact! Popular Virtualizations Institute for Cyber Security OS Level Virtualization Process Level Virtualization Pros: 1.Complete Isolation  Dedicated V. Memory  Dedicated V. Storage  Dedicated V. CPU 2. Flexible Architecture Almost all OS is supported 3. Fault Tolerance Cons: 1.High Resource Overhead 2.High Maintenance Cost. Pros: 1.Easy to maintain 2. Comparative low overhead. Cons: 1.Single Large Fault domain a. One malicious app may crush the whole system. 2.No Complete isolation.
99World-Leading Research with Real-World Impact! ZeroVM Virtualization Institute for Cyber Security Process Level Virtualization Pros: 1.Nearly Complete Isolation - Uses Google Native Client (NaCl) Project 2.Low Resource overhead. 3. Fault Tolerant Cons: 1.Run Only special executables/ binary. 2.Very limited support for existing Application
1010World-Leading Research with Real-World Impact! ZeroVM Properties Institute for Cyber Security 1. ZeroVM virtualizes Application not Operating System. 2. Single threaded (thus deterministic) execution 3. Constraint Resource  Channel based I/O  Predefine socket port / network  Restricted Memory Access  Limited Read/ Write (in bytes)  Limited life time / Predefined timeout
1111World-Leading Research with Real-World Impact! ZeroVM Properties Institute for Cyber Security 1. ZeroVM virtualizes Application not Operating System. 2. Single threaded (thus deterministic) execution 3. Constraint Resource  Channel based I/O  Predefine socket port / network  Restricted Memory Access  Limited Read/ Write (in bytes)  Limited life time / Predefined timeout Single Threaded Execution: 1.No Fork 2.No Context Switch 3.No Fault due to concurrency
1212World-Leading Research with Real-World Impact! ZeroVM Properties Institute for Cyber Security 1. ZeroVM virtualizes Application not Operating System. 2. Single threaded (thus deterministic) execution 3. Constraint Resource  Channel based I/O  Predefine socket port / network  Restricted Memory Access  Limited Read/ Write (in bytes)  Limited life time / Predefined timeout
1313World-Leading Research with Real-World Impact! Channel Based Input / Output Institute for Cyber Security 1. ZeroVM virtualizes Application not Operating System. 2. Single threaded (thus deterministic) execution 3. Constraint Resource  Channel based I/O  Predefine socket port / network  Restricted Memory Access  Limited Read/ Write (in bytes)  Limited life time / Predefined timeout Before execution ZeroVM is given a manifest/ configuration file which specify predefined Resources through Channel. Input file, Output file / File System Network (socket, DNS) Memory Channel = /tmp/input.txt, /dev/stdin, 0, 1, 0x1000, 0x1000, 0, 0 Which means : Zerovm input (/dev/stdin) comes from : /tmp/input.txt of local filesystem. 0: Only sequential Read / Write is allowed 0x1000: only 1000 bytes is allowed to be read from input file. 0: 0 bytes can be written to /tmp/input.txt
1414World-Leading Research with Real-World Impact! An example Manifest file Institute for Cyber Security 1. ZeroVM virtualizes Application not Operating System. 2. Single threaded (thus deterministic) execution 3. Constraint Resource  Channel based I/O  Predefine socket port / network  Restricted Memory Access  Limited Read/ Write (in bytes)  Limited life time / Predefined timeout Channel = /dev/null, /dev/stdin, 0, 1, 999999, 999999, 0, 0 Channel = /dev/stdout, /dev/stdout, 0, 1, 0, 0, 999999, 999999 Channel = /dev/stderr, /dev/stderr, 0, 1, 0, 0, 999999, 999999 Version = 20130611 Program = hello.nexe Memory = 33554432, 1 Timeout = 1
1515World-Leading Research with Real-World Impact! Binary Support for ZeroVM Institute for Cyber Security ZeroVM executables have to be precompiled in .nexe format. Currently only C (C99) and python executables are supported. Existing C executables and python interpreter need recompilation to modify / eliminate sensitive system calls.
1616World-Leading Research with Real-World Impact! ZeroVM from a theoretical standpoint Institute for Cyber Security ZeroVM Google Native Client Software Fault Isolation Functional Dependency and Security Feature
1717World-Leading Research with Real-World Impact! ZeroVM from a theoretical standpoint Institute for Cyber Security ZeroVM Google Native Client Software Fault Isolation Functional Dependency and Security Feature
1818World-Leading Research with Real-World Impact! Software Fault Isolation Institute for Cyber Security Trusted Code ( Ex: Distributed by Google ) Untrusted Code ( Ex: Third party extensions) Ex: Google Chrome Browser Malicious access Fault Isolation Techniques: 1.Address Space Abstraction by OS Cons: 1. Communication between address space is very costly. Valid access Ref: Efficient Software-based Fault Isolation
1919World-Leading Research with Real-World Impact! Software Fault Isolation Institute for Cyber Security Fault Domain: -- Contiguous region of memory. -- have different code and data segment -- Code from different trust level have own fault domain. Cross Domain Communication: -- No direct memory access -- All call are implemented by RPC Single Domain Restricted Access: -- the module cannot change Code segment. (dangerous, self modifying code) -- Every jump instruction must not pass single domain. -- Most Jumps are statically verified otherwise -- verified at run time with help of checking code. Fault domain1 Distributed code / extensions must be recompiled/rewritten. Code Segme nt, RO Data , RW Code Segme nt, RO Data, RW Code,RO Data, RW Fault Domain2 Fault Domain3
2020World-Leading Research with Real-World Impact! Google Native Client (NaCl) Institute for Cyber Security Adopted from : https://developers.google.com/native-client/dev/overview
2121World-Leading Research with Real-World Impact! Application Development for Native Client Institute for Cyber Security Adopted from : https://developers.google.com/native-client/dev/overview
2222World-Leading Research with Real-World Impact! Google Native Client (NaCl) Institute for Cyber Security NaCl consists of Two parts: 1.Inner Sandbox: Constraint execution environment for native code to prevent unintended side effects. 2.Outer Sandbox: A Runtime for hosting these native code extensions through which allowable side effects may occur safely. Reference: Native Client: A Sandbox for Portable, Untrusted x86 Native Code
2323World-Leading Research with Real-World Impact! Protection Rule for Inner Sandbox Institute for Cyber Security Reference: Native Client: A Sandbox for Portable, Untrusted x86 Native Code
2424World-Leading Research with Real-World Impact! Sucurity Application for ZeroVM Institute for Cyber Security S Data Swift Object Request Object S Swift Request Reult App Data zerovm
2525World-Leading Research with Real-World Impact! Sucurity Application for ZeroVM Institute for Cyber Security Application Perspective 1. User Application 2. 3rd party Application 3. Provider Application . Data Perspective: 1. User Data 2. Public Data 3. Protected data (Data + Access Control) .
2626World-Leading Research with Real-World Impact! Security Application for ZeroVM Institute for Cyber Security Provider Application: Authaas - Authorization as a service for object storage ( for JSON Data) Data owner does not create a new application to restrictively publish his data. Instead just specify a AC policy and enforcement is done through Authass . Usecase: Texas State Library has decided to move their digital contents (book, article and so on) to the object store. Their digital content is structured in JSON format. The library has readers of various types (Public, Silver, golden, platinum etc.) and digital contents are also classified into various types (public, paid , protected , secret etc.). .
Thank You  World-Leading Research with Real-World Impact!

Recommended

Docker security - OWASP Seasides
Docker security - OWASP SeasidesDocker security - OWASP Seasides
Docker security - OWASP SeasidesOWASPSeasides
 
IPv6 Security Potpourri
IPv6 Security PotpourriIPv6 Security Potpourri
IPv6 Security Potpourri_xhr_
 
Malware collection and analysis
Malware collection and analysisMalware collection and analysis
Malware collection and analysisChong-Kuan Chen
 
OSSA17 - Mixed License FOSS Projects
OSSA17 - Mixed License FOSS ProjectsOSSA17 - Mixed License FOSS Projects
OSSA17 - Mixed License FOSS ProjectsThe Linux Foundation
 
Scada strange love uwn-stuxnet
Scada strange love uwn-stuxnetScada strange love uwn-stuxnet
Scada strange love uwn-stuxnetPositive Hack Days
 
US-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-Slides
US-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-SlidesUS-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-Slides
US-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-SlidesAbhishek Singh
 
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat Security Conference
 
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat Security Conference
 

Recommended

Docker security - OWASP Seasides
Docker security - OWASP SeasidesDocker security - OWASP Seasides
Docker security - OWASP SeasidesOWASPSeasides
 
IPv6 Security Potpourri
IPv6 Security PotpourriIPv6 Security Potpourri
IPv6 Security Potpourri_xhr_
 
Malware collection and analysis
Malware collection and analysisMalware collection and analysis
Malware collection and analysisChong-Kuan Chen
 
OSSA17 - Mixed License FOSS Projects
OSSA17 - Mixed License FOSS ProjectsOSSA17 - Mixed License FOSS Projects
OSSA17 - Mixed License FOSS ProjectsThe Linux Foundation
 
Scada strange love uwn-stuxnet
Scada strange love uwn-stuxnetScada strange love uwn-stuxnet
Scada strange love uwn-stuxnetPositive Hack Days
 
US-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-Slides
US-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-SlidesUS-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-Slides
US-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-SlidesAbhishek Singh
 
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat Security Conference
 
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat Security Conference
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat Security Conference
 
Android Application Security
Android Application SecurityAndroid Application Security
Android Application SecurityChong-Kuan Chen
 
DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying AgentsDFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying AgentsChristopher Gerritz
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysqqlan
 
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat Security Conference
 
Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...
Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...
Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...iotcloudserve_tein
 
Avc prot 2012b_en
Avc prot 2012b_enAvc prot 2012b_en
Avc prot 2012b_enAnatoliy Tkachev
 
Bh us 12_miller_exploit_mitigation_slides
Bh us 12_miller_exploit_mitigation_slidesBh us 12_miller_exploit_mitigation_slides
Bh us 12_miller_exploit_mitigation_slidesArtem I. Baranov
 
Stagefright (1)
Stagefright (1)Stagefright (1)
Stagefright (1)Mamoon Ismail Khalid
 
2012 S&P Paper Reading Session1
2012 S&P Paper Reading Session12012 S&P Paper Reading Session1
2012 S&P Paper Reading Session1Chong-Kuan Chen
 
Threat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my HoneypotsThreat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my HoneypotsAPNIC
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat Security Conference
 
Antivirus test-wholedynamic2010
Antivirus test-wholedynamic2010Antivirus test-wholedynamic2010
Antivirus test-wholedynamic2010nuttakorn nakkerd
 
Software security
Software securitySoftware security
Software securityRoman Oliynykov
 
Android Security Development - Part 2: Malicious Android App Dynamic Analyzi...
Android Security Development - Part 2: Malicious Android App Dynamic Analyzi...Android Security Development - Part 2: Malicious Android App Dynamic Analyzi...
Android Security Development - Part 2: Malicious Android App Dynamic Analyzi...Cheng-Yi Yu
 
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...BlueHat Security Conference
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCanSecWest
 
CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...CanSecWest
 
Finding Diversity In Remote Code Injection Exploits
Finding Diversity In Remote Code Injection ExploitsFinding Diversity In Remote Code Injection Exploits
Finding Diversity In Remote Code Injection Exploitsamiable_indian
 
Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Michael Man
 
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...AI Frontiers
 
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022Brian Vermeer
 

More Related Content

What's hot

BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat Security Conference
 
Android Application Security
Android Application SecurityAndroid Application Security
Android Application SecurityChong-Kuan Chen
 
DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying AgentsDFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying AgentsChristopher Gerritz
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysqqlan
 
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat Security Conference
 
Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...
Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...
Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...iotcloudserve_tein
 
Bh us 12_miller_exploit_mitigation_slides
Bh us 12_miller_exploit_mitigation_slidesBh us 12_miller_exploit_mitigation_slides
Bh us 12_miller_exploit_mitigation_slidesArtem I. Baranov
 
2012 S&P Paper Reading Session1
2012 S&P Paper Reading Session12012 S&P Paper Reading Session1
2012 S&P Paper Reading Session1Chong-Kuan Chen
 
Threat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my HoneypotsThreat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my HoneypotsAPNIC
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat Security Conference
 
Antivirus test-wholedynamic2010
Antivirus test-wholedynamic2010Antivirus test-wholedynamic2010
Antivirus test-wholedynamic2010nuttakorn nakkerd
 
Android Security Development - Part 2: Malicious Android App Dynamic Analyzi...
Android Security Development - Part 2: Malicious Android App Dynamic Analyzi...Android Security Development - Part 2: Malicious Android App Dynamic Analyzi...
Android Security Development - Part 2: Malicious Android App Dynamic Analyzi...Cheng-Yi Yu
 
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...BlueHat Security Conference
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCanSecWest
 
CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...CanSecWest
 
Finding Diversity In Remote Code Injection Exploits
Finding Diversity In Remote Code Injection ExploitsFinding Diversity In Remote Code Injection Exploits
Finding Diversity In Remote Code Injection Exploitsamiable_indian
 
Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Michael Man
 

What's hot (20)

BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
 
Android Application Security
Android Application SecurityAndroid Application Security
Android Application Security
 
DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying AgentsDFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-rays
 
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
 
Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...
Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...
Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...
 
Avc prot 2012b_en
Avc prot 2012b_enAvc prot 2012b_en
Avc prot 2012b_en
 
Bh us 12_miller_exploit_mitigation_slides
Bh us 12_miller_exploit_mitigation_slidesBh us 12_miller_exploit_mitigation_slides
Bh us 12_miller_exploit_mitigation_slides
 
Stagefright (1)
Stagefright (1)Stagefright (1)
Stagefright (1)
 
2012 S&P Paper Reading Session1
2012 S&P Paper Reading Session12012 S&P Paper Reading Session1
2012 S&P Paper Reading Session1
 
Threat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my HoneypotsThreat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my Honeypots
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
 
Antivirus test-wholedynamic2010
Antivirus test-wholedynamic2010Antivirus test-wholedynamic2010
Antivirus test-wholedynamic2010
 
Software security
Software securitySoftware security
Software security
 
Android Security Development - Part 2: Malicious Android App Dynamic Analyzi...
Android Security Development - Part 2: Malicious Android App Dynamic Analyzi...Android Security Development - Part 2: Malicious Android App Dynamic Analyzi...
Android Security Development - Part 2: Malicious Android App Dynamic Analyzi...
 
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application security
 
CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...
 
Finding Diversity In Remote Code Injection Exploits
Finding Diversity In Remote Code Injection ExploitsFinding Diversity In Remote Code Injection Exploits
Finding Diversity In Remote Code Injection Exploits
 
Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!
 

Similar to Zerovm backgroud

Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...AI Frontiers
 
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022Brian Vermeer
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksAsep Sopyan
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryBlack Duck by Synopsys
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryTim Mackey
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021lior mazor
 
Trend Micro VForum Agentless Scanning Presentation
Trend Micro VForum Agentless Scanning PresentationTrend Micro VForum Agentless Scanning Presentation
Trend Micro VForum Agentless Scanning PresentationGraeme Wood
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left SecurityBATbern
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Maksim Shudrak
 
Software update for embedded systems
Software update for embedded systemsSoftware update for embedded systems
Software update for embedded systemsSZ Lin
 
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceJason Choi
 
Project Penetration Testing Report(20 Points)Scenario.docx
Project Penetration Testing Report(20 Points)Scenario.docxProject Penetration Testing Report(20 Points)Scenario.docx
Project Penetration Testing Report(20 Points)Scenario.docxsimonlbentley59018
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CDamiable_indian
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008ClubHack
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008ClubHack
 
Advanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to androidAdvanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to androidCysinfo Cyber Security Community
 
Dependable Cloud Comuting
Dependable Cloud ComutingDependable Cloud Comuting
Dependable Cloud ComutingKazuhiko Kato
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network SecurityHarish Chaudhary
 

Similar to Zerovm backgroud (20)

Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
 
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networks
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021
 
Trend Micro VForum Agentless Scanning Presentation
Trend Micro VForum Agentless Scanning PresentationTrend Micro VForum Agentless Scanning Presentation
Trend Micro VForum Agentless Scanning Presentation
 
Android system security
Android system securityAndroid system security
Android system security
 
Rik Ferguson
Rik FergusonRik Ferguson
Rik Ferguson
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Security
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
 
Software update for embedded systems
Software update for embedded systemsSoftware update for embedded systems
Software update for embedded systems
 
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security Intelligence
 
Project Penetration Testing Report(20 Points)Scenario.docx
Project Penetration Testing Report(20 Points)Scenario.docxProject Penetration Testing Report(20 Points)Scenario.docx
Project Penetration Testing Report(20 Points)Scenario.docx
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008
 
Advanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to androidAdvanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to android
 
Dependable Cloud Comuting
Dependable Cloud ComutingDependable Cloud Comuting
Dependable Cloud Comuting
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security
 

More from UT, San Antonio

digital certificate - types and formats
digital certificate - types and formatsdigital certificate - types and formats
digital certificate - types and formatsUT, San Antonio
 
Static Analysis with Sonarlint
Static Analysis with SonarlintStatic Analysis with Sonarlint
Static Analysis with SonarlintUT, San Antonio
 
Shellshock- from bug towards vulnerability
Shellshock- from bug towards vulnerabilityShellshock- from bug towards vulnerability
Shellshock- from bug towards vulnerabilityUT, San Antonio
 
Big Data Processing: Performance Gain Through In-Memory Computation
Big Data Processing: Performance Gain Through In-Memory ComputationBig Data Processing: Performance Gain Through In-Memory Computation
Big Data Processing: Performance Gain Through In-Memory ComputationUT, San Antonio
 
Enumerated authorization policy ABAC (EP-ABAC) model
Enumerated authorization policy ABAC (EP-ABAC) modelEnumerated authorization policy ABAC (EP-ABAC) model
Enumerated authorization policy ABAC (EP-ABAC) modelUT, San Antonio
 
Where is my Privacy presentation slideshow (one page only)
Where is my Privacy presentation slideshow (one page only)Where is my Privacy presentation slideshow (one page only)
Where is my Privacy presentation slideshow (one page only)UT, San Antonio
 
Security_of_openstack_keystone
Security_of_openstack_keystoneSecurity_of_openstack_keystone
Security_of_openstack_keystoneUT, San Antonio
 
Research seminar group_1_prosunjit
Research seminar group_1_prosunjitResearch seminar group_1_prosunjit
Research seminar group_1_prosunjitUT, San Antonio
 
Attribute Based Encryption
Attribute Based EncryptionAttribute Based Encryption
Attribute Based EncryptionUT, San Antonio
 
Final Project Transciption Factor DNA binding Prediction
Final Project Transciption Factor DNA binding Prediction Final Project Transciption Factor DNA binding Prediction
Final Project Transciption Factor DNA binding Prediction UT, San Antonio
 
Transcription Factor DNA Binding Prediction
Transcription Factor DNA Binding PredictionTranscription Factor DNA Binding Prediction
Transcription Factor DNA Binding PredictionUT, San Antonio
 

More from UT, San Antonio (20)

digital certificate - types and formats
digital certificate - types and formatsdigital certificate - types and formats
digital certificate - types and formats
 
Saml metadata
Saml metadataSaml metadata
Saml metadata
 
Static Analysis with Sonarlint
Static Analysis with SonarlintStatic Analysis with Sonarlint
Static Analysis with Sonarlint
 
Shellshock- from bug towards vulnerability
Shellshock- from bug towards vulnerabilityShellshock- from bug towards vulnerability
Shellshock- from bug towards vulnerability
 
Abac17 prosun-slides
Abac17 prosun-slidesAbac17 prosun-slides
Abac17 prosun-slides
 
Abac17 prosun-slides
Abac17 prosun-slidesAbac17 prosun-slides
Abac17 prosun-slides
 
Recitation
RecitationRecitation
Recitation
 
Recitation
RecitationRecitation
Recitation
 
Big Data Processing: Performance Gain Through In-Memory Computation
Big Data Processing: Performance Gain Through In-Memory ComputationBig Data Processing: Performance Gain Through In-Memory Computation
Big Data Processing: Performance Gain Through In-Memory Computation
 
Enumerated authorization policy ABAC (EP-ABAC) model
Enumerated authorization policy ABAC (EP-ABAC) modelEnumerated authorization policy ABAC (EP-ABAC) model
Enumerated authorization policy ABAC (EP-ABAC) model
 
Where is my Privacy presentation slideshow (one page only)
Where is my Privacy presentation slideshow (one page only)Where is my Privacy presentation slideshow (one page only)
Where is my Privacy presentation slideshow (one page only)
 
Three month course
Three month courseThree month course
Three month course
 
One month-syllabus
One month-syllabusOne month-syllabus
One month-syllabus
 
Security_of_openstack_keystone
Security_of_openstack_keystoneSecurity_of_openstack_keystone
Security_of_openstack_keystone
 
Research seminar group_1_prosunjit
Research seminar group_1_prosunjitResearch seminar group_1_prosunjit
Research seminar group_1_prosunjit
 
Ksi
KsiKsi
Ksi
 
Attribute Based Encryption
Attribute Based EncryptionAttribute Based Encryption
Attribute Based Encryption
 
Final Project Transciption Factor DNA binding Prediction
Final Project Transciption Factor DNA binding Prediction Final Project Transciption Factor DNA binding Prediction
Final Project Transciption Factor DNA binding Prediction
 
Cyber Security Exam 2
Cyber Security Exam 2Cyber Security Exam 2
Cyber Security Exam 2
 
Transcription Factor DNA Binding Prediction
Transcription Factor DNA Binding PredictionTranscription Factor DNA Binding Prediction
Transcription Factor DNA Binding Prediction
 

Recently uploaded

Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 

Recently uploaded (20)

Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 

Zerovm backgroud

  • 1. 11World-Leading Research with Real-World Impact! ZeroVM Backgroud Prosunjit Biswas Institute for Cyber Security University of Texas at San Antonio April 23, 2014 Institute of Cyber Security, ICS @ UTSA Institute for Cyber Security
  • 2. 22World-Leading Research with Real-World Impact! Motivation Behind ZeroVM Institute for Cyber Security 1. In Amazon map/reduces a considerable amount of overhead was due to fetching the data from s3 to EC2 Instances and put it back to s3. 2. The overhead was hurting when the customers need to remake to cluster and do the map/reduce again. 3. A significant amount of customer’s money was spent due to moving the data back and forth.
  • 3. 33World-Leading Research with Real-World Impact! Motivation Behind ZeroVM(continued) Institute for Cyber Security 1. can we bring to Application to the data(very limited I/O overhead)? 2. How can we ensure no harm even if the application is malicious? Challenge with High I/O Challenge with Application Isolation
  • 4. 44World-Leading Research with Real-World Impact! What is ZeroVM Institute for Cyber Security ZeroVM is an open–source lightweight virtualization platform based on the Chromium Native Client project.
  • 5. 55World-Leading Research with Real-World Impact! ZeroVM Properties Institute for Cyber Security 1. ZeroVM virtualizes Application not Operating System. 2. Single threaded (thus deterministic) execution 3. Constraint Resource  Channel based I/O  Predefine socket port / network  Restricted Memory Access  Limited Read/ Write (in bytes)  Limited life time / Predefined timeout
  • 6. 66World-Leading Research with Real-World Impact! ZeroVM Properties Institute for Cyber Security 1. ZeroVM virtualizes Application not Operating System. 2. Single threaded (thus deterministic) execution 3. Constraint Resource  Channel based I/O  Predefine socket port / network  Restricted Memory Access  Limited Read/ Write (in bytes)  Limited life time / Predefined timeout
  • 7. 77World-Leading Research with Real-World Impact! Popular Virtualizations Institute for Cyber Security 1. ZeroVM virtualizes Application not Operating System. 2. Does zeroVM uses process level virtualization ? OS Level Virtualization Process Level Virtualization No
  • 8. 88World-Leading Research with Real-World Impact! Popular Virtualizations Institute for Cyber Security OS Level Virtualization Process Level Virtualization Pros: 1.Complete Isolation  Dedicated V. Memory  Dedicated V. Storage  Dedicated V. CPU 2. Flexible Architecture Almost all OS is supported 3. Fault Tolerance Cons: 1.High Resource Overhead 2.High Maintenance Cost. Pros: 1.Easy to maintain 2. Comparative low overhead. Cons: 1.Single Large Fault domain a. One malicious app may crush the whole system. 2.No Complete isolation.
  • 9. 99World-Leading Research with Real-World Impact! ZeroVM Virtualization Institute for Cyber Security Process Level Virtualization Pros: 1.Nearly Complete Isolation - Uses Google Native Client (NaCl) Project 2.Low Resource overhead. 3. Fault Tolerant Cons: 1.Run Only special executables/ binary. 2.Very limited support for existing Application
  • 10. 1010World-Leading Research with Real-World Impact! ZeroVM Properties Institute for Cyber Security 1. ZeroVM virtualizes Application not Operating System. 2. Single threaded (thus deterministic) execution 3. Constraint Resource  Channel based I/O  Predefine socket port / network  Restricted Memory Access  Limited Read/ Write (in bytes)  Limited life time / Predefined timeout
  • 11. 1111World-Leading Research with Real-World Impact! ZeroVM Properties Institute for Cyber Security 1. ZeroVM virtualizes Application not Operating System. 2. Single threaded (thus deterministic) execution 3. Constraint Resource  Channel based I/O  Predefine socket port / network  Restricted Memory Access  Limited Read/ Write (in bytes)  Limited life time / Predefined timeout Single Threaded Execution: 1.No Fork 2.No Context Switch 3.No Fault due to concurrency
  • 12. 1212World-Leading Research with Real-World Impact! ZeroVM Properties Institute for Cyber Security 1. ZeroVM virtualizes Application not Operating System. 2. Single threaded (thus deterministic) execution 3. Constraint Resource  Channel based I/O  Predefine socket port / network  Restricted Memory Access  Limited Read/ Write (in bytes)  Limited life time / Predefined timeout
  • 13. 1313World-Leading Research with Real-World Impact! Channel Based Input / Output Institute for Cyber Security 1. ZeroVM virtualizes Application not Operating System. 2. Single threaded (thus deterministic) execution 3. Constraint Resource  Channel based I/O  Predefine socket port / network  Restricted Memory Access  Limited Read/ Write (in bytes)  Limited life time / Predefined timeout Before execution ZeroVM is given a manifest/ configuration file which specify predefined Resources through Channel. Input file, Output file / File System Network (socket, DNS) Memory Channel = /tmp/input.txt, /dev/stdin, 0, 1, 0x1000, 0x1000, 0, 0 Which means : Zerovm input (/dev/stdin) comes from : /tmp/input.txt of local filesystem. 0: Only sequential Read / Write is allowed 0x1000: only 1000 bytes is allowed to be read from input file. 0: 0 bytes can be written to /tmp/input.txt
  • 14. 1414World-Leading Research with Real-World Impact! An example Manifest file Institute for Cyber Security 1. ZeroVM virtualizes Application not Operating System. 2. Single threaded (thus deterministic) execution 3. Constraint Resource  Channel based I/O  Predefine socket port / network  Restricted Memory Access  Limited Read/ Write (in bytes)  Limited life time / Predefined timeout Channel = /dev/null, /dev/stdin, 0, 1, 999999, 999999, 0, 0 Channel = /dev/stdout, /dev/stdout, 0, 1, 0, 0, 999999, 999999 Channel = /dev/stderr, /dev/stderr, 0, 1, 0, 0, 999999, 999999 Version = 20130611 Program = hello.nexe Memory = 33554432, 1 Timeout = 1
  • 15. 1515World-Leading Research with Real-World Impact! Binary Support for ZeroVM Institute for Cyber Security ZeroVM executables have to be precompiled in .nexe format. Currently only C (C99) and python executables are supported. Existing C executables and python interpreter need recompilation to modify / eliminate sensitive system calls.
  • 16. 1616World-Leading Research with Real-World Impact! ZeroVM from a theoretical standpoint Institute for Cyber Security ZeroVM Google Native Client Software Fault Isolation Functional Dependency and Security Feature
  • 17. 1717World-Leading Research with Real-World Impact! ZeroVM from a theoretical standpoint Institute for Cyber Security ZeroVM Google Native Client Software Fault Isolation Functional Dependency and Security Feature
  • 18. 1818World-Leading Research with Real-World Impact! Software Fault Isolation Institute for Cyber Security Trusted Code ( Ex: Distributed by Google ) Untrusted Code ( Ex: Third party extensions) Ex: Google Chrome Browser Malicious access Fault Isolation Techniques: 1.Address Space Abstraction by OS Cons: 1. Communication between address space is very costly. Valid access Ref: Efficient Software-based Fault Isolation
  • 19. 1919World-Leading Research with Real-World Impact! Software Fault Isolation Institute for Cyber Security Fault Domain: -- Contiguous region of memory. -- have different code and data segment -- Code from different trust level have own fault domain. Cross Domain Communication: -- No direct memory access -- All call are implemented by RPC Single Domain Restricted Access: -- the module cannot change Code segment. (dangerous, self modifying code) -- Every jump instruction must not pass single domain. -- Most Jumps are statically verified otherwise -- verified at run time with help of checking code. Fault domain1 Distributed code / extensions must be recompiled/rewritten. Code Segme nt, RO Data , RW Code Segme nt, RO Data, RW Code,RO Data, RW Fault Domain2 Fault Domain3
  • 20. 2020World-Leading Research with Real-World Impact! Google Native Client (NaCl) Institute for Cyber Security Adopted from : https://developers.google.com/native-client/dev/overview
  • 21. 2121World-Leading Research with Real-World Impact! Application Development for Native Client Institute for Cyber Security Adopted from : https://developers.google.com/native-client/dev/overview
  • 22. 2222World-Leading Research with Real-World Impact! Google Native Client (NaCl) Institute for Cyber Security NaCl consists of Two parts: 1.Inner Sandbox: Constraint execution environment for native code to prevent unintended side effects. 2.Outer Sandbox: A Runtime for hosting these native code extensions through which allowable side effects may occur safely. Reference: Native Client: A Sandbox for Portable, Untrusted x86 Native Code
  • 23. 2323World-Leading Research with Real-World Impact! Protection Rule for Inner Sandbox Institute for Cyber Security Reference: Native Client: A Sandbox for Portable, Untrusted x86 Native Code
  • 24. 2424World-Leading Research with Real-World Impact! Sucurity Application for ZeroVM Institute for Cyber Security S Data Swift Object Request Object S Swift Request Reult App Data zerovm
  • 25. 2525World-Leading Research with Real-World Impact! Sucurity Application for ZeroVM Institute for Cyber Security Application Perspective 1. User Application 2. 3rd party Application 3. Provider Application . Data Perspective: 1. User Data 2. Public Data 3. Protected data (Data + Access Control) .
  • 26. 2626World-Leading Research with Real-World Impact! Security Application for ZeroVM Institute for Cyber Security Provider Application: Authaas - Authorization as a service for object storage ( for JSON Data) Data owner does not create a new application to restrictively publish his data. Instead just specify a AC policy and enforcement is done through Authass . Usecase: Texas State Library has decided to move their digital contents (book, article and so on) to the object store. Their digital content is structured in JSON format. The library has readers of various types (Public, Silver, golden, platinum etc.) and digital contents are also classified into various types (public, paid , protected , secret etc.). .
  • 27. Thank You  World-Leading Research with Real-World Impact!