SlideShare a Scribd company logo

OSSA17 - Live patch, VMI, Security Mgmt (50 mins, no embedded demos)

The talk covers several technologies and best practices to managing Security Vulnerabilities, which are told as interconnected stories. We will cover how the largest clouds in production came together through the Xen Project to develop an industry leading open source security process to manage software vulnerabilities effectively, how those vendors collaborated to stop cloud reboots through Live Patching and how security and CPU vendors collaborated to protect against 0-day vulnerabilities and advanced persistent threats using hardware assisted virtual machine introspection. Finally, we will also provide information how you can use tools such as CVE Details to assess how secure an open source technology is relative to another, such that you don't have to rely solely on security stories from the technology press. The talk will cover how these technologies work, the limitations and challenges which still remain and how they are used in practice using examples of Xen Project based products and installations. We will also cover how these technologies impact software vulnerability management processes and system administrators.

1 of 43
Presentations on www.slideshare.net/xen_com_mgr/presentations
Lars Kurth
Community Manager, Xen Project
Chairman, Xen Project Advisory Board
Director, Open Source, Citrix lars_kurth
OSSA17 - Live patch, VMI, Security Mgmt (50 mins, no embedded demos)
OSSA17 - Live patch, VMI, Security Mgmt (50 mins, no embedded demos)
OSSA17 - Live patch, VMI, Security Mgmt (50 mins, no embedded demos)
www.xenproject.org
www.xenserver.org
Vulnerability
A weakness in the computational logic of software that, when exploited, results in a negative
impact to confidentiality, integrity, OR availability of that software.
Patch / Live Patch
A fix for a security vulnerability.
A live patch can be applied to a running system
Known vulnerabilities
with patches
Ad

Recommended

Alphorm.com Formation Blockchain : Découvrir les fondamentaux
Alphorm.com Formation Blockchain : Découvrir les fondamentauxAlphorm.com Formation Blockchain : Découvrir les fondamentaux
Alphorm.com Formation Blockchain : Découvrir les fondamentauxAlphorm
 
Maîtrise du temps unitaire bâtiment télécharger : http://goo.gl/wfk89F
Maîtrise du temps unitaire bâtiment télécharger : http://goo.gl/wfk89FMaîtrise du temps unitaire bâtiment télécharger : http://goo.gl/wfk89F
Maîtrise du temps unitaire bâtiment télécharger : http://goo.gl/wfk89FHani sami joga
 
Ogc6 préparation et aménagement des chantiers 1
Ogc6 préparation et aménagement des chantiers 1Ogc6 préparation et aménagement des chantiers 1
Ogc6 préparation et aménagement des chantiers 1IRBarry
 
La technologie xDSL
La technologie xDSLLa technologie xDSL
La technologie xDSLAymen Bouzid
 
Chap 1: Algèbre de bool
Chap 1:  Algèbre de boolChap 1:  Algèbre de bool
Chap 1: Algèbre de boolEPST_INFO
 

More Related Content

What's hot

Signature electronique CertSign
Signature electronique CertSignSignature electronique CertSign
Signature electronique CertSigncerteurope
 
Chapitre 3 la recherche tabou
Chapitre 3 la recherche tabouChapitre 3 la recherche tabou
Chapitre 3 la recherche tabouAchraf Manaa
 
Video surveillance fr_web
Video surveillance fr_webVideo surveillance fr_web
Video surveillance fr_webghkamel
 
IDEA StatiCa Assemblages Acier
IDEA StatiCa Assemblages AcierIDEA StatiCa Assemblages Acier
IDEA StatiCa Assemblages AcierJo Gijbels
 
Développement Noyau Et Driver Sous Gnu Linux
Développement Noyau Et Driver Sous Gnu LinuxDéveloppement Noyau Et Driver Sous Gnu Linux
Développement Noyau Et Driver Sous Gnu LinuxThierry Gayet
 
Modélisation par Objets - Introduction - De Merise à UML
Modélisation par Objets - Introduction - De Merise à UMLModélisation par Objets - Introduction - De Merise à UML
Modélisation par Objets - Introduction - De Merise à UMLMireille Blay-Fornarino
 
BigData_TP1: Initiation à Hadoop et Map-Reduce
BigData_TP1: Initiation à Hadoop et Map-ReduceBigData_TP1: Initiation à Hadoop et Map-Reduce
BigData_TP1: Initiation à Hadoop et Map-ReduceLilia Sfaxi
 
Infrastructure - Monitoring - Cacti
Infrastructure - Monitoring - CactiInfrastructure - Monitoring - Cacti
Infrastructure - Monitoring - CactiFrédéric FAURE
 
Chapitre ii architecture interne des processeurs
Chapitre ii architecture interne des processeursChapitre ii architecture interne des processeurs
Chapitre ii architecture interne des processeursSana Aroussi
 
Systeme embarque td1
Systeme embarque td1Systeme embarque td1
Systeme embarque td1SinGuy
 
QCM basique sur les réseaux informatiques
QCM basique sur les réseaux informatiquesQCM basique sur les réseaux informatiques
QCM basique sur les réseaux informatiquesFrust Rados
 
la logique floue et sa contribution dans un probleme de decision.pptx
la logique floue et sa contribution dans un probleme de decision.pptxla logique floue et sa contribution dans un probleme de decision.pptx
la logique floue et sa contribution dans un probleme de decision.pptxBenkanounYazid
 
Ch1 systemenumeration
Ch1 systemenumerationCh1 systemenumeration
Ch1 systemenumerationmickel iron
 
Cours de programmation en c
Cours de programmation en cCours de programmation en c
Cours de programmation en cbenouini rachid
 

What's hot (20)

Signature electronique CertSign
Signature electronique CertSignSignature electronique CertSign
Signature electronique CertSign
 
Microcontroleurs
MicrocontroleursMicrocontroleurs
Microcontroleurs
 
Chapitre 3 la recherche tabou
Chapitre 3 la recherche tabouChapitre 3 la recherche tabou
Chapitre 3 la recherche tabou
 
Video surveillance fr_web
Video surveillance fr_webVideo surveillance fr_web
Video surveillance fr_web
 
Ch2 la carte mère
Ch2 la carte mèreCh2 la carte mère
Ch2 la carte mère
 
Ingenierie des reseaux radiomobiles 3
Ingenierie des reseaux radiomobiles 3Ingenierie des reseaux radiomobiles 3
Ingenierie des reseaux radiomobiles 3
 
IDEA StatiCa Assemblages Acier
IDEA StatiCa Assemblages AcierIDEA StatiCa Assemblages Acier
IDEA StatiCa Assemblages Acier
 
Les trames reseaux
Les trames reseauxLes trames reseaux
Les trames reseaux
 
Développement Noyau Et Driver Sous Gnu Linux
Développement Noyau Et Driver Sous Gnu LinuxDéveloppement Noyau Et Driver Sous Gnu Linux
Développement Noyau Et Driver Sous Gnu Linux
 
Modélisation par Objets - Introduction - De Merise à UML
Modélisation par Objets - Introduction - De Merise à UMLModélisation par Objets - Introduction - De Merise à UML
Modélisation par Objets - Introduction - De Merise à UML
 
BigData_TP1: Initiation à Hadoop et Map-Reduce
BigData_TP1: Initiation à Hadoop et Map-ReduceBigData_TP1: Initiation à Hadoop et Map-Reduce
BigData_TP1: Initiation à Hadoop et Map-Reduce
 
Infrastructure - Monitoring - Cacti
Infrastructure - Monitoring - CactiInfrastructure - Monitoring - Cacti
Infrastructure - Monitoring - Cacti
 
Chapitre ii architecture interne des processeurs
Chapitre ii architecture interne des processeursChapitre ii architecture interne des processeurs
Chapitre ii architecture interne des processeurs
 
Systeme embarque td1
Systeme embarque td1Systeme embarque td1
Systeme embarque td1
 
Programmation en C
Programmation en CProgrammation en C
Programmation en C
 
QCM basique sur les réseaux informatiques
QCM basique sur les réseaux informatiquesQCM basique sur les réseaux informatiques
QCM basique sur les réseaux informatiques
 
Windev
WindevWindev
Windev
 
la logique floue et sa contribution dans un probleme de decision.pptx
la logique floue et sa contribution dans un probleme de decision.pptxla logique floue et sa contribution dans un probleme de decision.pptx
la logique floue et sa contribution dans un probleme de decision.pptx
 
Ch1 systemenumeration
Ch1 systemenumerationCh1 systemenumeration
Ch1 systemenumeration
 
Cours de programmation en c
Cours de programmation en cCours de programmation en c
Cours de programmation en c
 

Similar to OSSA17 - Live patch, VMI, Security Mgmt (50 mins, no embedded demos)

LCC17 - Live Patching, Virtual Machine Introspection and Vulnerability Manag...
LCC17 -  Live Patching, Virtual Machine Introspection and Vulnerability Manag...LCC17 -  Live Patching, Virtual Machine Introspection and Vulnerability Manag...
LCC17 - Live Patching, Virtual Machine Introspection and Vulnerability Manag...The Linux Foundation
 
Reducing attack surface on ICS with Windows native solutions
Reducing attack surface on ICS with Windows native solutionsReducing attack surface on ICS with Windows native solutions
Reducing attack surface on ICS with Windows native solutionsJan Seidl
 
Rootlinux17: An introduction to Xen Project Virtualisation
Rootlinux17:  An introduction to Xen Project VirtualisationRootlinux17:  An introduction to Xen Project Virtualisation
Rootlinux17: An introduction to Xen Project VirtualisationThe Linux Foundation
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for EveryoneNikhil Mittal
 
Prueba de Presentacion
Prueba de PresentacionPrueba de Presentacion
Prueba de Presentacionrubychavez
 
Advanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to androidAdvanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to androidCysinfo Cyber Security Community
 
Todd Deshane's PhD Proposal
Todd Deshane's PhD ProposalTodd Deshane's PhD Proposal
Todd Deshane's PhD ProposalTodd Deshane
 
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISOR
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISORINLINE_PATCH_PROXY_FOR_XEN_HYPERVISOR
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISORNeha Rana
 
Redefining Endpoint Security
Redefining Endpoint SecurityRedefining Endpoint Security
Redefining Endpoint SecurityBurak DAYIOGLU
 
Advanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to AndroidAdvanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to Androidsecurityxploded
 
Presentatie McAfee: Optimale Endpoint Protection 26062015
Presentatie McAfee: Optimale Endpoint Protection 26062015Presentatie McAfee: Optimale Endpoint Protection 26062015
Presentatie McAfee: Optimale Endpoint Protection 26062015SLBdiensten
 
Exploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesAmit Kumbhar
 
Breaking Antivirus Software - Joxean Koret (SYSCAN 2014)
Breaking Antivirus Software - Joxean Koret (SYSCAN 2014)Breaking Antivirus Software - Joxean Koret (SYSCAN 2014)
Breaking Antivirus Software - Joxean Koret (SYSCAN 2014)Akmal Hisyam
 
Breaking av software
Breaking av softwareBreaking av software
Breaking av softwareJoxean Koret
 
Breaking av software
Breaking av softwareBreaking av software
Breaking av softwareThomas Pollet
 
Breaking Antivirus Software
Breaking Antivirus SoftwareBreaking Antivirus Software
Breaking Antivirus Softwarerahmanprojectd
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shellNikhil Mittal
 

Similar to OSSA17 - Live patch, VMI, Security Mgmt (50 mins, no embedded demos) (20)

LCC17 - Live Patching, Virtual Machine Introspection and Vulnerability Manag...
LCC17 -  Live Patching, Virtual Machine Introspection and Vulnerability Manag...LCC17 -  Live Patching, Virtual Machine Introspection and Vulnerability Manag...
LCC17 - Live Patching, Virtual Machine Introspection and Vulnerability Manag...
 
A Xen Case Study
A Xen Case StudyA Xen Case Study
A Xen Case Study
 
Reducing attack surface on ICS with Windows native solutions
Reducing attack surface on ICS with Windows native solutionsReducing attack surface on ICS with Windows native solutions
Reducing attack surface on ICS with Windows native solutions
 
Rootlinux17: An introduction to Xen Project Virtualisation
Rootlinux17:  An introduction to Xen Project VirtualisationRootlinux17:  An introduction to Xen Project Virtualisation
Rootlinux17: An introduction to Xen Project Virtualisation
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for Everyone
 
Prueba de Presentacion
Prueba de PresentacionPrueba de Presentacion
Prueba de Presentacion
 
Advanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to androidAdvanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to android
 
Best free tools for win database admin
Best free tools for win database adminBest free tools for win database admin
Best free tools for win database admin
 
Best free tools for w d a
Best free tools for w d aBest free tools for w d a
Best free tools for w d a
 
Todd Deshane's PhD Proposal
Todd Deshane's PhD ProposalTodd Deshane's PhD Proposal
Todd Deshane's PhD Proposal
 
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISOR
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISORINLINE_PATCH_PROXY_FOR_XEN_HYPERVISOR
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISOR
 
Redefining Endpoint Security
Redefining Endpoint SecurityRedefining Endpoint Security
Redefining Endpoint Security
 
Advanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to AndroidAdvanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to Android
 
Presentatie McAfee: Optimale Endpoint Protection 26062015
Presentatie McAfee: Optimale Endpoint Protection 26062015Presentatie McAfee: Optimale Endpoint Protection 26062015
Presentatie McAfee: Optimale Endpoint Protection 26062015
 
Exploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows Vulnerabilities
 
Breaking Antivirus Software - Joxean Koret (SYSCAN 2014)
Breaking Antivirus Software - Joxean Koret (SYSCAN 2014)Breaking Antivirus Software - Joxean Koret (SYSCAN 2014)
Breaking Antivirus Software - Joxean Koret (SYSCAN 2014)
 
Breaking av software
Breaking av softwareBreaking av software
Breaking av software
 
Breaking av software
Breaking av softwareBreaking av software
Breaking av software
 
Breaking Antivirus Software
Breaking Antivirus SoftwareBreaking Antivirus Software
Breaking Antivirus Software
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shell
 

More from The Linux Foundation

ELC2019: Static Partitioning Made Simple
ELC2019: Static Partitioning Made SimpleELC2019: Static Partitioning Made Simple
ELC2019: Static Partitioning Made SimpleThe Linux Foundation
 
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...The Linux Foundation
 
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...The Linux Foundation
 
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...The Linux Foundation
 
XPDDS19 Keynote: Unikraft Weather Report
XPDDS19 Keynote:  Unikraft Weather ReportXPDDS19 Keynote:  Unikraft Weather Report
XPDDS19 Keynote: Unikraft Weather ReportThe Linux Foundation
 
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...The Linux Foundation
 
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxXPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxThe Linux Foundation
 
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...The Linux Foundation
 
XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
XPDDS19: Memories of a VM Funk - Mihai Donțu, BitdefenderXPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
XPDDS19: Memories of a VM Funk - Mihai Donțu, BitdefenderThe Linux Foundation
 
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19:  The Road to Safety Certification: Overcoming Community Challeng...OSSJP/ALS19:  The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...The Linux Foundation
 
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
 OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making... OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...The Linux Foundation
 
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, CitrixXPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, CitrixThe Linux Foundation
 
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltdXPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltdThe Linux Foundation
 
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...The Linux Foundation
 
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&DXPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&DThe Linux Foundation
 
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsXPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsThe Linux Foundation
 
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...The Linux Foundation
 
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...The Linux Foundation
 
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...The Linux Foundation
 
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSEXPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSEThe Linux Foundation
 

More from The Linux Foundation (20)

ELC2019: Static Partitioning Made Simple
ELC2019: Static Partitioning Made SimpleELC2019: Static Partitioning Made Simple
ELC2019: Static Partitioning Made Simple
 
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
 
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
 
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
 
XPDDS19 Keynote: Unikraft Weather Report
XPDDS19 Keynote:  Unikraft Weather ReportXPDDS19 Keynote:  Unikraft Weather Report
XPDDS19 Keynote: Unikraft Weather Report
 
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
 
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxXPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
 
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
 
XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
XPDDS19: Memories of a VM Funk - Mihai Donțu, BitdefenderXPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
 
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19:  The Road to Safety Certification: Overcoming Community Challeng...OSSJP/ALS19:  The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
 
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
 OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making... OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
 
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, CitrixXPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
 
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltdXPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
 
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
 
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&DXPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
 
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsXPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
 
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
 
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
 
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
 
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSEXPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
 

Recently uploaded

LLMs, LMMs, their Improvement Suggestions and the Path towards AGI.pdf
LLMs, LMMs, their Improvement Suggestions and the Path towards AGI.pdfLLMs, LMMs, their Improvement Suggestions and the Path towards AGI.pdf
LLMs, LMMs, their Improvement Suggestions and the Path towards AGI.pdfThomas Poetter
 
Q1 Memory Fabric Forum: Building Fast and Secure Chips with CXL IP
Q1 Memory Fabric Forum: Building Fast and Secure Chips with CXL IPQ1 Memory Fabric Forum: Building Fast and Secure Chips with CXL IP
Q1 Memory Fabric Forum: Building Fast and Secure Chips with CXL IPMemory Fabric Forum
 
H3 Platform CXL Solution_Memory Fabric Forum.pptx
H3 Platform CXL Solution_Memory Fabric Forum.pptxH3 Platform CXL Solution_Memory Fabric Forum.pptx
H3 Platform CXL Solution_Memory Fabric Forum.pptxMemory Fabric Forum
 
"Running Open-Source LLM models on Kubernetes", Volodymyr Tsap
"Running Open-Source LLM models on Kubernetes",  Volodymyr Tsap"Running Open-Source LLM models on Kubernetes",  Volodymyr Tsap
"Running Open-Source LLM models on Kubernetes", Volodymyr TsapFwdays
 
My self introduction to know others abut me
My self  introduction to know others abut meMy self  introduction to know others abut me
My self introduction to know others abut meManoj Prabakar B
 
The Future of Product, by Founder & CEO, Product School
The Future of Product, by Founder & CEO, Product SchoolThe Future of Product, by Founder & CEO, Product School
The Future of Product, by Founder & CEO, Product SchoolProduct School
 
Introduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVAIntroduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVARobert McDermott
 
Dynamical systems simulation in Python for science and engineering
Dynamical systems simulation in Python for science and engineeringDynamical systems simulation in Python for science and engineering
Dynamical systems simulation in Python for science and engineeringMassimo Talia
 
5 Things You Shouldn’t Do at Salesforce World Tour Sydney 2024!
5 Things You Shouldn’t Do at Salesforce World Tour Sydney 2024!5 Things You Shouldn’t Do at Salesforce World Tour Sydney 2024!
5 Things You Shouldn’t Do at Salesforce World Tour Sydney 2024!XfilesPro
 
LF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIELF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIEDanBrown980551
 
My sample product research idea for you!
My sample product research idea for you!My sample product research idea for you!
My sample product research idea for you!KivenRaySarsaba
 
"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys Vasyliev"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys VasylievFwdays
 
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docxLeveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docxVotarikari Shravan
 
"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google
"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google
"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, GoogleISPMAIndia
 
Bringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptxBringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptxMaarten Balliauw
 
2024 February Patch Tuesday
2024 February Patch Tuesday2024 February Patch Tuesday
2024 February Patch TuesdayIvanti
 
Bit N Build Poland
Bit N Build PolandBit N Build Poland
Bit N Build PolandGDSC PJATK
 
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre..."Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...shaiyuvasv
 
Artificial-Intelligence-in-Marketing-Data.pdf
Artificial-Intelligence-in-Marketing-Data.pdfArtificial-Intelligence-in-Marketing-Data.pdf
Artificial-Intelligence-in-Marketing-Data.pdfIsidro Navarro
 

Recently uploaded (20)

5 Tech Trend to Notice in ESG Landscape- 47Billion
5 Tech Trend to Notice in ESG Landscape- 47Billion5 Tech Trend to Notice in ESG Landscape- 47Billion
5 Tech Trend to Notice in ESG Landscape- 47Billion
 
LLMs, LMMs, their Improvement Suggestions and the Path towards AGI.pdf
LLMs, LMMs, their Improvement Suggestions and the Path towards AGI.pdfLLMs, LMMs, their Improvement Suggestions and the Path towards AGI.pdf
LLMs, LMMs, their Improvement Suggestions and the Path towards AGI.pdf
 
Q1 Memory Fabric Forum: Building Fast and Secure Chips with CXL IP
Q1 Memory Fabric Forum: Building Fast and Secure Chips with CXL IPQ1 Memory Fabric Forum: Building Fast and Secure Chips with CXL IP
Q1 Memory Fabric Forum: Building Fast and Secure Chips with CXL IP
 
H3 Platform CXL Solution_Memory Fabric Forum.pptx
H3 Platform CXL Solution_Memory Fabric Forum.pptxH3 Platform CXL Solution_Memory Fabric Forum.pptx
H3 Platform CXL Solution_Memory Fabric Forum.pptx
 
"Running Open-Source LLM models on Kubernetes", Volodymyr Tsap
"Running Open-Source LLM models on Kubernetes",  Volodymyr Tsap"Running Open-Source LLM models on Kubernetes",  Volodymyr Tsap
"Running Open-Source LLM models on Kubernetes", Volodymyr Tsap
 
My self introduction to know others abut me
My self  introduction to know others abut meMy self  introduction to know others abut me
My self introduction to know others abut me
 
The Future of Product, by Founder & CEO, Product School
The Future of Product, by Founder & CEO, Product SchoolThe Future of Product, by Founder & CEO, Product School
The Future of Product, by Founder & CEO, Product School
 
Introduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVAIntroduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVA
 
Dynamical systems simulation in Python for science and engineering
Dynamical systems simulation in Python for science and engineeringDynamical systems simulation in Python for science and engineering
Dynamical systems simulation in Python for science and engineering
 
5 Things You Shouldn’t Do at Salesforce World Tour Sydney 2024!
5 Things You Shouldn’t Do at Salesforce World Tour Sydney 2024!5 Things You Shouldn’t Do at Salesforce World Tour Sydney 2024!
5 Things You Shouldn’t Do at Salesforce World Tour Sydney 2024!
 
LF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIELF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIE
 
My sample product research idea for you!
My sample product research idea for you!My sample product research idea for you!
My sample product research idea for you!
 
"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys Vasyliev"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys Vasyliev
 
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docxLeveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
 
"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google
"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google
"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google
 
Bringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptxBringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptx
 
2024 February Patch Tuesday
2024 February Patch Tuesday2024 February Patch Tuesday
2024 February Patch Tuesday
 
Bit N Build Poland
Bit N Build PolandBit N Build Poland
Bit N Build Poland
 
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre..."Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...
 
Artificial-Intelligence-in-Marketing-Data.pdf
Artificial-Intelligence-in-Marketing-Data.pdfArtificial-Intelligence-in-Marketing-Data.pdf
Artificial-Intelligence-in-Marketing-Data.pdf
 

OSSA17 - Live patch, VMI, Security Mgmt (50 mins, no embedded demos)

  • 1. Presentations on www.slideshare.net/xen_com_mgr/presentations Lars Kurth Community Manager, Xen Project Chairman, Xen Project Advisory Board Director, Open Source, Citrix lars_kurth
  • 6. Vulnerability A weakness in the computational logic of software that, when exploited, results in a negative impact to confidentiality, integrity, OR availability of that software. Patch / Live Patch A fix for a security vulnerability. A live patch can be applied to a running system Known vulnerabilities with patches
  • 7. Malware Software designed to disrupt, damage, or gain authorized access to a computer system. Exploit Malware designed to take advantage of a vulnerability This includes file-less/memory based attack techniques (around 14% at end of 2016) 0-Day Exploit An exploit of an undisclosed/previously unknown vulnerability that is/has been exploited Some malware relies on social engineering: e.g. phishing, trojans, adware, …
  • 8. Exploit Framework (e.g. Metasploit, …) A tool for developing and executing exploit code against a remote target machine Rootkit Software tools that enable unauthorized users to gain control of a computer system without being detected, some for for a long period of time
  • 9. A new way to protect against malware Developed by Zentific, Citrix, Bitdefender, Intel and others
  • 10. VM3 Guest OS App VMn Guest OS App VM2 Guest OS App Dom0 Dom0 Kernel Drivers Agent(s) Agent(s) Agent(s) Installed in-guest agents, e.g. anti-virus software, VM disk & memory scanner, network monitor, etc. Can be disabled by rootkits
  • 11. Several VM3 VMnVM2Dom0 Dom0 Kernel Drivers VM3 Guest OS App VMn Guest OS App VM2 Guest OS App Security Appliance VM1 Introspection Engine Protected area authentication mechanism to protect the IF Uses HW extensions to monitor memory (e.g. Intel EPT)  Low Intrusion Register rules with Xen to trap on and inspect suspicious activities (e.g. execution of memory on the dynamic heap)
  • 12. All malware need an attack technique to gain a foothold Attack techniques exploit specific software bugs/vulnerability Most exploits use one of a small set of attack techniques Buffer Overflows, Heap Sprays, Code Injection, API Hooking, … Because VMI protects against attack techniques It can protect against entirely new malware Verified to block these advanced attacks in real-time APT28, Energetic Bear, DarkHotel, Epic Turla, Regin, ZeuS, Dyreza, EternalBlue … solely by relying on VMI WannaCry/EternalBlue blocked in real installations1 1 businessinsights.bitdefender.com/hypervisor-introspection-defeated-enternalblue-a-priori
  • 13. Rootkits Exploit 0-days in Operating Systems/System Software Can disable agent based security solutions (mask their own existence) VMI solutions operate from outside the VM Thus, it cannot be disabled using traditional attack vectors BUT: VMI is not a replacement, for traditional security solutions It is an extra tool that can be used to increase protection
  • 14. Pratap Sankar @ Flickr Documentation wiki.xenproject.org/wiki/Virtual_Machine_Introspection Products Bitdefender HVI XenServer www.bitdefender.com Protection & Remedial Monitoring & Admin Citrix Ready Zentific Zazen Xen & XenServer & … www.zentific.com Protection & Remedial Monitoring & Admin Forensics & Data gathering Malware analysis AIS Introvirt XenServer www.ainfosec.com
  • 15. Pratap Sankar @ Flickr https://www.youtube.com/watch?v=qpQPBvOniUU
  • 16. Result of several community consultations
  • 18. R: Vulnerability reported to security@xenproject.org P: Vulnerability pre-disclosed on xen-security-issues@lists.xenproject.org R P Fixing Security Bugs: Dedicated security team = security experts from within the Xen Project Community Security Team: Triage Creation of fix/patches Validation of fix/patches Assignment of CVE Issue description and risk analysis
  • 19. AR P Fix their systems/software: Eligible Xen Project Users are informed under embargo of the vulnerability Eligible Users = Pre-disclosure list members: Product Companies, Open Source & Commercial Distros (e.g. Huawei, Debian) Service/Cloud Providers (e.g. Alibaba) Large Private Downstream (e.g. Google) Allowed to share information via xen-security-issues- discuss@lists.xenproject.org R: Vulnerability reported to security@xenproject.org P: Vulnerability pre-disclosed on xen-security-issues@lists.xenproject.org A: Vulnerability announced on xen-announce@lists.xenproject.org & xenbits.xen.org/xsa
  • 20. A XR P General Publication: Information about vulnerability is made public Everyone else: Patches their systems either through security updates from distros/products or builds them from source. Users of service/cloud providers will not be impacted R: Vulnerability reported to security@xenproject.org P: Vulnerability pre-disclosed on xen-security-issues@lists.xenproject.org A: Vulnerability announced on xen-announce@lists.xenproject.org & xenbits.xen.org/xsa
  • 21. A XR P R: Vulnerability reported to security@xenproject.org P: Vulnerability pre-disclosed on xen-security-issues@lists.xenproject.org A: Vulnerability announced on xen-announce@lists.xenproject.org & xenbits.xen.org/xsa Product Vendors: Create and test live patches Product customers: Apply live patches here Service Providers: Create, test and deploy live patches Users of service/cloud providers will not be impacted Security Team: Can a Livepatch can be created? No? If possible, re-write fix/patches
  • 22. A tale of close collaboration within the Xen Project Community
  • 23. 2015 2016 2017 4.84.7 P Why did we develop Live Patching? Cloud reboot affected AWS, Rackspace, IBM SoftLayer and others Deploying security patches may require reboots; Inconveniences users How did we fix this? 2015: Design with input from AWS, Alibaba, Citrix, Oracle and SUSE 2016: Xen 4.7 came with Live Patching for x86 2016: Xen 4.8 added extra x86 use-cases and ARM support 2017: XenServer 7.1 releases Live Patching in first commercial product D 10% 1%
  • 24. const char *xen_extra_version(void) { return XEN_EXTRAVERSION; } push %rbp mov %rsp,%rbp lea 0x16698b(%rip),%rax leaveq retq const char *xen_extra_version(void) { return “Hello World”; } push %rbp mov %rsp,%rbp lea 0x29333b(%rip),%rax leaveq Retq Replacing compiled functions with new code, encoded in an ELF file called payload, while the hypervisor is running without impacting running guests. Design: xenbits.xenproject.org/docs/unstable/misc/livepatch.html
  • 25. The exact source tree used to build the running Xen instance. The .config from the original build of Xen. A build-id onto which the livepatch will be applied. A source patch. livepatch- build- tools The exact same compilation toolchain used to build the running Xen. Livepatch payload
  • 26. Supports stacking of different payloads; payloads depend on build-id Functionality: list: lists loaded and applied live patches upload: load & verify a live patch unload: unload a live patch apply: apply a live patch revert: un-apply a live patch Xen 4.8.1 XSA 213 XSA 214 XSA 215 Depends on build-id of 4.8.1 Depends on build-id of XSA 213 Depends on build-id of XSA 214
  • 27. Target Dom0 & Guest Linux Kernel Hypervisor Technology Kernel Live Patching kPatch (RedHat) Xen LivePatch kSplice (Oracle) kGraft (SUSE) Function + Data ✔ ✔ ✔ Xen 4.7 ✔ ✔ Inline f() patching ✗ ✗ ✗ Future ✔ ✗ Data Structures ✗ ✔ via hooks ✔ ✔ ✗ Xen 4.8 via hooks XenServer LivePatch Integrates different solutions into a single user experience For Dom0 (CentOS) For Xen
  • 28. Source patches + other build artifacts Hot Fixes contain Per valid patch level: a Xen or Dom0 Live Patch Matching RPMs for most recent patch level In case of a reboot or for Xen/Dom0 not capable of Live Patching Extensive Verification and Validation: The process of patching a live hypervisor or kernel is not an easy task. What happens is a little bit like open heart surgery. The patient is the hypervisor and/or Dom0 itself, and precision and care are needed to get things right. One wrong move and it is game over. Live Patch Live Patch Live Patch build for each patch level package Hot Fix LPsRPMs RPMRPMRPM build for most recent patch level Hot Fix LPsRPMs Publication SigningValidation Verification Q&A (livepatch-build or kpatch-build) (iso)
  • 29. XAPI Toolstack Hot Fix LPsRPM downloadHot Fix LPsRPM Dom0 Dom0 Kernel (CentOS) Hypervisor XenCenter or xe Initiates host update SysAdmin Running System instance that supports live patching Disk updates (such that after reboot the patches are applied) works out correct LP & updates (using native live patching tools or APIs)
  • 30. Pratap Sankar @ Flickr xenbits.xenproject.org/people/larsk/LCC17 - Build LivePatch.mp4 xenbits.xenproject.org/people/larsk/LCC17 - Apply LivePatch.mov
  • 32. Pratap Sankar @ Flickr Xen Project LivePatch Specification & Status xenbits.xenproject.org/docs/unstable/misc/livepatch.html wiki.xenproject.org/wiki/LivePatch Xen Project LivePatch Presentations & Videos xenbits.xenproject.org/people/larsk/FOSDEM17-LivePatch.pdf (Short) people/larsk/XPDS16-LivePatch.pdf (Long) Xen Project LivePatch Videos fosdem.org/2017/schedule/event/iaas_livepatxen/ XenServer xenserver.org
  • 33. Security Process Number of Vulnerabilities Media Coverage Other Considerations
  • 34. A XR P Responsible Disclosure: fix critical systems/software before publication R: Vulnerability reported to security@... P: Vulnerability pre-disclosed to eligible users A: Vulnerability announced publicly F: Fix available Full Disclosure, immediate (no-fix): public disclosure without a fix A XR F A XR Full Disclosure, post-fix: public disclosure with a fix F F
  • 35. 4) New members: http://seclists.org/oss-sec/2017/q2/638 5) http://www.openwall.com/lists/oss-security or devel list 6) https://wiki.qemu.org/index.php/SecurityProcess Only handles x86 KVM bugs (no ARM or other bugs) 1) Is the CVE severity used to handle vulnerabilities differently? 2) Days embargoed (information is classified) 3) D = Distros/Products, S = Public Service, P = Private Downstream 4) http://oss-security.openwall.org/wiki/mailing-lists/distros Responsible only Days 2 Who? 3FOSS Project Bug Severity 1 Process Type 14-19 D 4 Linux Kernel via OSS-security distros 4 ≥ Medium – Critical Responsible Disclosure 14-19 D 4 QEMU (KVM) via QEMU Security Process 6 ≥ Medium – Critical ≤ Low Responsible Disclosure Full Disclosure, no-fix 3-5 D, S, POpenStack OSSA OpenStack OSSN ≥ Medium – Critical ≤ Low Responsible Disclosure Full Disclosure, post-fix Xen Hypervisor Includes Linux & QEMU vulnerabilities in supported Xen configurations Low – Critical Responsible Disclosure 14 D, S, P 14-19 Linux Kernel via OSS-security distros 4 OSS-security 5 ≥ Medium – Critical ≤ Low Responsible Disclosure Full Disclosure, no-fix
  • 36. Impacts how long a user (aka you) is at risk Is my distro/vendor on a pre-disclosure list? A surprisingly large number of distros are not: including a few on Linux.com’s Best Linux Distros of 2016 list Impacts cloud / service providers As a user, are security issues fixed before public disclosure? Low Severity vulnerabilities can still be High Risk Temporal and Environmental CVSS scores are not covered by CVE databases (neither cvedetails.com or nvd.nist.gov) Vulnerabilities can be chained together, making the combo High Severity (e.g. Hot Potato used 3 old unpatched vulnerabilities to gain root access)
  • 37. cvedetails.com (bit.do/guide-cvedetails) Easy to use interface for vulnerability data Data from several sources Browsable by vendor, product, version, type, date… Vulnerability statistics, trends, reports BUT: rigid ➜ getting data outside pre-defined vendor/product categories is near-impossible vulners.com (good guides on slideshare.net – search for vulners) In many ways more accurate and flexible than cvedetails type:cve AND (description:kvm OR description:qemu) AND published: [2012 TO *] ➜307 type:cve AND (description:xen) AND published: [2012 TO *] ➜ 245 … Works best when used through its API (in particular if you want to visualize the data)
  • 38. Vulnerability data from vulners.com 0 50 100 150 200 250 300 350 2012 2013 2014 2015 2016 2017  Linux Kernel  KVM w. QEMU  Xen Project *) Data up to Sept 4th, 2017 169 517 222 197 129 120 51 7 63 143 34 5 Legend: CVSS Score Distribution Low Medium High Critical *
  • 39. Data covering September 2016 – September 2017: from vulners.com, mention.com and theregister.com Clips covering vulnerabilities (US only) % of Vulnerability Stories on The Register155 370 314 7283 0 1000 2000 3000 4000 5000 6000 7000 8000 Xen KVM QEMU Linux 0 50 100 150 200 250 300 350 400 450 Xen KVM QEMU Linux Number of Vulnerabilities 0% 5% 10% 15% 20% 25% 30% 35% 40% Xen KVM QEMU Linux 33% of Xen stories cover Vulnerabilities 2.5% 16% 6.5%
  • 40. Does the Project Look for Vulnerabilities? Approach to Quality and Testing: e.g. Fuzzing, Audits of components Does the project award Bug Bounties (e.g. NetBSD)? Do vendors supporting the project offer Bug Bounties? Infrastructure related to Vulnerabilities Transparency: How well are processes documented Vulnerability Testing: XTF (in Xen) Vulnerability Tooling: XSATool, XSAMatch (in Xen)
  • 42. Xen Project: Only Hypervisor with VMI Protection from new classes of malware Several security companies working with XenServer Live Patching Disruption free application of vulnerabilities Used by several cloud providers Used best in commercial products, e.g. XenServer Industry Leading Vulnerability Process Includes QEMU and Kernel XSAs General: Tools do assess project’s track records Not an easy task Harder for proprietary products due to lack of information Picture by Lars Kurth