SlideShare a Scribd company logo

Rootlinux17: An introduction to Xen Project Virtualisation

The Linux Foundation
The Linux Foundation

This talk provides an overview of the Xen Project eco-system and its main use-cases in a number of important market segments: it covers server virtualization, cloud computing and embedded, automotive and related. Lars Kurth highlights why the Xen Project is relevant in these market segments: he provides an overview of the Xen Project's architecture, relevant existing functionality and ongoing and planned developments. To complement the picture, he covers open-source projects that are related to Xen and are of interest for these use-cases. Excellent Software security is key to all of these use-cases. Thus, Lars specifically covers the Xen Project's security features, track record and touches on the project's security practices. He concludes with a few resources that help you get started with the Xen Project and highlight Internship Programs which the project supports. The talk was delivered at Root Linux Conference 2017. Learn more: http://linux.globallogic.com/materials. The video is available at https://www.youtube.com/watch?v=sjQnAIJji4k

Technology
1 of 66
Download to read offline
Lars Kurth Community Manager, Xen Project Chairman, Xen Project Advisory Board Director, Open Source, Citrix lars_kurth www.slideshare.net/xen_com_mgr/presentations
Was a contributor to various projects Worked in parallel computing, tools, mobile and now virtualization Community guy for the Xen Project Working for Citrix Accountable to the Xen Project Community Chairman of Xen Project Advisory Board
Consolidation Servers/Equipment, Cooling, Floor space Faster provisioning Flexibility Less dependency on specific Hardware Co-existing OS environments Increased uptime Live migration, storage migration, fault tolerance, HA Enhanced security
Strong Isolation Architecture provides strong isolation between VMs Grant tables System Partitioning Disaggregation: sandboxing parts of the system Fine-grain control of VM capabilities Enables multi-layered security approach Secure I/O Sandboxing disk, memory, etc. drivers New classes of threat detection Virtual Machine Introspection, alt2pm
Consolidation Single SoC Maintainability, BoM Flexibility Less dependency on specific Hardware Co-existing OS environments Additional Requirements Security requirements (same as on previous slide) Minimal IRQ latency Safety Certification Low or 0 scheduling overhead Drivers for special I/O devices
Benefits to the entire Community
Benefits to the entire Community
Introduction of key concepts
HWCPUsMemoryI/O VM1 (DomU1) Guest OS Applications VM0 (or Dom0) Dom0 Kernel Native Driver VM2 VMn Applications Guest OS Applications Guest OS Toolstack Scheduler MMU Timers InterruptsConfig *Back Driver *Front Driver
Marketing Term Mode With HVM / Fully Virtualized HVM HVM + PV drivers 1 HVM PV Drivers PVH PV pvh=1 PV PV Qemu Qemu HW PV Qemu HW HWPV PV PV PV PV WindowsLinux,BSDs,… ARM N/A PV PV HW 1) When running a Linux/BSD guest on HVM with PV drivers, we also use the term PVHVM User perspective (config file)
HW P HW PVH PV PV PV PV PV PV PV ARM N/A PV PV Simplicity: Less code & fewer Interfaces in Linux/FreeBSD Security : smaller TCB and attack surface, fewer possible exploits Clean-up : simplify Xen-Linux kernel, Xen-Any-OS interface Better Performance & Lower Latency for some workloads Dom0 must be a PV guest: run Dom0 using hardware extensions 32 bit: PV guest kernels were run in ring 1, userspace in ring 3 (HW isolation) 64 bit: no ring 1 & 2  kernel & user space must share ring 3 (TLB flushes) This is the most complex part of Xen today!
Recent developments
A tale of improved collaboration within the Xen Project Community
2015 2016 2017 4.84.7 P Why did we develop Live Patching? Affected AWS, Rackspace, IBM SoftLayer and many others Deploying security patches may require reboots; Inconveniences users How did we fix this? 2015: Design with input from AWS, Alibaba, Citrix, Oracle and SUSE Replace functions while running (old with new) in a payload Stackable payloads can be applied and removed 2016: Xen 4.7 came with Live Patching for x86 2016: Xen 4.8 added extra x86 use-cases and ARM support 2017: XenServer 7.1 releases Live Patching in first commercial product … D
Pratap Sankar @ Flickr Specification & Status xenbits.xen.org/docs/unstable/misc/livepatch.html wiki.xenproject.org/wiki/LivePatch Presentations, Videos, Demos bit.do/live-patch-detailed-ppt bit.do/live-patch-detailed-video bit.do/live-patch-short-ppt bit.do/live-patch-short-video
A new way to protect against malware
2007 2009 2011 2013 2015 2017 Enablers: from xenaccess/xenprobes to LibVMI Interesting research topic Originally used for forensics (too intrusive for server virt) AA A Xenaccess/Xenprobes LibVMI A Products AIS Introvirt, BitDefender Hypervisor Introspection, Zentific Zazen VMI: enabling commercial applications Hardware assisted VMI solves the intrusion problem Collaboration between: Zentific, Citrix, BitDefender, Intel and others VMI: HW Support (EPT, …) ARM, alt2pm, .. C CC
VM3 Guest OS App VMn Guest OS App VM2 Guest OS App Dom0 Dom0 Kernel Drivers Agent(s) Agent(s) Agent(s) Installed in-guest agents, e.g. anti-virus software, VM disk & memory scanner, network monitor, etc. Can be disabled by rootkits and advanced persistent threats (APT)
Several VM3 VMnVM2Dom0 Dom0 Kernel Drivers VM3 Guest OS App VMn Guest OS App VM2 Guest OS App Security Appliance VM1 Introspection Engine Protected area XSM/Flask or another mechanism to protect the IF Uses HW extensions to monitor memory (e.g. Intel EPT)  Low Intrusion Register rules with Xen to trap on and inspect suspicious activities (e.g. execution of memory on the dynamic heap)
All malware need an attack technique to gain a foothold Attack techniques exploit specific software bugs/vulnerability The number of available attack techniques is small Buffer Overflows, Heap Sprays, Code Injection, API Hooking, … Because VMI protects against attack techniques It can protect against entirely new malware Verified to block these advanced attacks in real-time APT28, Energetic Bear, DarkHotel, Epic Turla, Regin, ZeuS, Dyreza, … solely by relying on VMI
Rootkits & APTs Exploit 0-days in Operating Systems/System Software Can disable agent based security solutions (mask their own existence) VMI solutions operate from outside the VM Thus, it cannot be disabled using traditional attack vectors BUT: VMI is not a replacement, for traditional security solutions It is an extra tool that can be used to increase protection
Pratap Sankar @ Flickr Documentation wiki.xenproject.org/wiki/Virtual_Machine_Introspection Products AIS Introvirt XenServer www.ainfosec.com Zentific Zazen (Apr 17) Xen & XenServer & … www.zentific.com Protection & Remedial Monitoring & Admin Forensics & Data gathering Malware analysis BitDefender HVI XenServer www.bitdefender.com Protection & Remedial Monitoring & Admin
Pratap Sankar @ Flickr How secure is the Xen Project Hypervisor really?
Vulnerability data from cvdetails.com 0 50 100 150 200 250 2016 2015 2014 2013 2012 All CVE’s 2015+ Active initiatives to find bugs XTF to help find bugs Fuzzing of some components Very few ARM issues 2016: 2/33 2015: 6/47 Does not use QEMU  Xen  Linux Kernel  QEMU
0 200 400 600 800 1000 0 97 4 CVE’s by CVSS Severity Average CSSV Scores Xen: 4.7 Linux Kernel: 5.9 QEMU: 4.3 Known 0-Day Exploits Xen: 0 Linux Kernel: 18 QEMU: 0 Low = 0.1-3.9; Medium = 4.0-6.9; High = 7.0-8.9; Critical = 9.0-10.0  Xen  Linux Kernel  QEMU
Team Process Severity 1 Type CVEs Days 2 Who? 3 Xen Hypervisor Includes Linux & QEMU vulnerabilities in supported Xen configurations Yes Yes All Responsible Yes 14 D, S, P OpenStack OSSA OpenStack OSSN Yes Yes Yes Yes > Low <= Low Responsible Full, post-fix Yes 3-5 D, S, P Linux Kernel via OSS security distros OSS security Yes Yes Partly 4 Yes No > Low <= Low Responsible Full, immediate Yes 14-19 D 4 QEMU via OSS security distros OSS security Yes Partly 4 > Low <= Low Responsible 5 Full, immediate Yes 14-19 D 4 Jailhouse No No 3) D = Distros/Products, S = Public Service, P = Private Downstream 4) No own pre-disclosure list 5) Only handles x86 KVM bugs 1) Is the CVE severity used as cut-off for the process? 2) Days embargoed Responsible only
HWCPUsMemoryI/O Dom0 Dom0 Kernel VM1 uKernel xtf.git arch xtf.git common Each test is a file in xtf.git tests test_main() In essence a unikernel per test, with fewer safeguards in place to allow for easy testing of corner cases Also used for Vulnerability Investigation and Testing Qemu Xenstore *Back Drivers hypercalls evtchn gnttab x86 emulator
Picture by Lars Kurth
Track Record 81% of Vulnerabilities Low and Medium Average severity of vulnerabilities getting lower Hardening Activities Security Audits by Cloud and Product Vendors Testing (fuzzing, XTF, code inspection, …) Industry Leading Vulnerability Process Includes QEMU and Kernel XSAs Designed with input from Cloud Providers Isolation Limits impact of exploits Picture by Lars Kurth
2007 2009 2011 2013 2015 2017 A A A Q Q C C C CC Technology enablers: XSM, vTPM & TXT (TEE), Disaggregation & Driver Domains Qubes OS Architecture, Qubes OS 1.0, … 2009: Project Independence (Intel / Citrix) 2010: XenClient 1.0 2013: XenClient XT 2014: Became OpenXT (BAE Systems, Assured Information Security) 2015: Support for Cell Phones, Tablets and Embedded Devices Crucible:Defense uXen (Bromium) – Windows only, thus never made it upstream Du
Dom0 Toolstack HWI/O DomU Guest OS Applications Dom0 Kernel Native Driver *Back Driver *Front Driver Config
DomU Guest OS Applications Dom0 Dom0 Kernel NetFront Driver BlockFront Driver Toolstack Config Driver Domain Guest OS*: Linux, BSD, MiniOS, unikernel, … Disk Controller Storage Domain Guest OS* Disk Driver BlockBack Driver Network Domain Guest OS* Network Driver NetBack Driver Netw Controller Qemu Xenstore
Attack Surface Reduction Similar to Linux Security Modules/SELinux Same policy syntax as SELinux Different types, roles, users and attributes Same tools for policy compilation / verification (checkpolicy) VM hypervisor domain(self) domain(other) memory (grant, mmu, shadow) inter-VM communicationpassthroughsecurity config Fine-grained policy, controlling which hypervisor functionality is accessible to this (class of) VM Effect: limit what an exploit in this VM could do
User defined App VMs for individual apps or groups of apps USB Service Domain Banking Domain Personal Domain Firewall VM enforces network policies Network Domain Dom0 Secure UI and sysadmin domain
User defined App VMs for individual apps or groups of apps USB Service Domain Banking Domain Personal Domain Firewall VM enforces network policies Network Domain Dom0 Secure UI and sysadmin domain Tor VM pre-configured from whonix.org
Pratap Sankar @ Flickr Crucible:Defense starlab.io Xen Project based virtualization platform for technology protection, cyber-hardening, and system integrity for aerospace & defense systems Documentation wiki.xenproject.org/wiki/Dom0_Disaggregation wiki.xenproject.org/wiki/Xen_Security_Modules_:_XSM-FLASK Products & Projects Qubes OS www.qubes-os.org Secure OS OpenXT www.openxt.org FOSS Platform for security research, security application and embedded appliance integration building on Xen & OpenEmbedded
Pratap Sankar @ Flickr AIS ainfosec.com BAE Systems baesystems.com Galois galois.com Maintain FreeRTOS Xen Port Developed and maintain HalVM Dornerworks dornerworks.com/xen Consulting Xen Embedded Distros Xen for Xilinx Zynq Xen for NXP i.MX 8 ARLX Hypervisor DO-178 (EAL6+), IEC 62304, ISO 26262 MILS EAL FACE, VICTORY, ARINC 653 Starlab starlab.io Crucible and Crucible:Defense Xen embedded hypervisor In progress: DO-178, MILS EAL Uses a minimal Dom0 using MiniOS, disaggregation and XSM/FLASK Precedents of military grade certification for Xen based systems www.slideshare.net/xen_com_mgr/art-certification & www.youtube.com/watch?v=UyW5ul_1ct0 www.linux.com/news/xen-project/2017/2/how-shrink-attack-surfaces-hypervisor
Additional Requirements Security requirements Safety certification Low or 0 scheduling overhead Minimal IRQ latency Drivers for special I/O devices
Xen supports several different schedulers with different properties.
Xen supports several different schedulers with different properties. Regular VM scheduler (Credit) Hard real-time (ARINC653) Dedicated to 1 VCPU (pinning)  no scheduler overheads Soft real-time (RTDS)
Scheduler Use-cases Xen 4.8 Future plans Credit General Purpose Supported Default Supported Optional Credit 2 General Purpose Optimized for lower latency, higher VM density Supported Default RTDS Soft & Firm Real-time Multicore Embedded, Automotive, Graphics & Gaming in the Cloud, Low Latency Workloads Experimental Better XL support <1μs granularity Supported Hardening Optimization ARINC 653 Hard Real-time Single core Avionics, Drones, Medical Supported Compile time Legend: Likely in 4.9 or 4.10 Possible in 4.10
A53 Programmable Logic (FPGA) R5R5A53 A53 A53 Dom0 Dom0 Kernel Toolstack Bare Metal1 Bare Metal ELF payload FPGA Library VM1 - VMn DomU Kernel Application FPGA Driver Dedicated Bare Metal2 Bare Metal ELF payload Dedicated dornerworks.com/wp-content/uploads/2017/01/Xen-Zynq-Distribution-XZD-Users-Manual.pdf
vCPU 0 pCPU 0 vCPU 1 pCPU 1 irq 109 virq 109 IRQ injection Always on the CPU running the vCPU
vCPU 0 pCPU 0 irq 109 virq 109 vCPU 1 pCPU 1 IF vIRQ target changes or vCPU is moved THEN vIRQ is moved immediately virq 109
vCPU 0 pCPU 0 vCPU 1 pCPU 1 irq 109 virq 109 IRQs always shadow the vIRQ  minimizes latency Xilinx ZynqMP board (four Cortex A53 cores, GICv2) WARM_MAX (excluding the first 3 interrupts): <2000ns marc.info/?l=xen-devel&m=148778423725945 marc.info/?l=xen-devel&m=148839743820338
DomU Xen DomU Xen irq 109 virq 109 GIGC_LH Write EOI DomU Xen Maintenance interrupt GIGC_LH Clear IRQ received by DomU DomU performs EOI The guest kernel issues an "EOI” at the end of the interrupt service routine, to notify the HW that the IRQ handling is finished. No maintenance IRQ Additional context switch to handle EOI. Use EOI support in HW to directly EOI the physical IRQ
Existing net, block, console keyboard, mouse, USB framebuffer, GPU sharing* New 9pfs PVcalls multitouch, sound, display, DRM Developing New Ones Easy to write (GPL and BSD samples) Kernel and User Space *) A number of different approaches by different vendors in different market segments are being deployed, which are PV-like, but not strictly a PV protocol
Vehicles are becoming the ultimate mobile device
Pratap Sankar @ Flickr LG Electronics Demo bit.do/lg-xen-demo-2016 Bosch Car GmbH Contributions 10 smaller features in 2016 Perseus Founded by Xen maintainer bit.do/perseus-2017 GlobalLogic Product: Nautilus bit.do/gl-nautilus First product in production expected in Q1 2018 Supports: HW: Renesas R-Car Gen2 & Gen3, TI Jacinto6, Intel Apollo Lake, Qualcomm 410C, Sinlinx A33 Guests: Linux up to 4.9  Android M, N, N-Car  QNX, ThreadX, FreeRTOS PV Drivers for: GPU, Audio, HW accelerated Video codecs, DRM, … Contributions: 27 smaller features from 2013 to 2016 EPAM Demo youtube.com/watch?v=jMmz1odBZb8 Interesting Features: Container based telematics applications running in a Xen VM that can be downloaded from a cloud service Ongoing Contributions: ABIs for PV Sound, PV Display & PV DRM Leading development of co-processor sharing framework
Dom0 System Control DomU Cluster Domain Automotive Grade Linux or QNX DomU HMI Domain HMI Realtime OS CAN Processing HW Drivers Hypervisor Application Core Realtime Core Watchdog PV back* Drivers HW Drivers Linux Kernel HW DriversPV front* Drivers MW Frameworks RVC, SVS Instrument Cluster Automotive Grade Android HW DriversPV front* Drivers Connectivity Media AUTOSAR / RTOS Tell Tales RVC = Rear View Camera SVS = Service Vehicle Soon HMI = Human Machine Interface Tell Tales = various status indicators
AWS Dom0 - Control DomD – HW Drivers & Cluster Wayland/Weston OpenGL ES Linux Kernel with GPU and other HW Drivers ALSA w PV_ALSAS_BE DomU Fusion Container mgmt tool Linux Kernel w/o HW Drivers Minimal rootfs with systems library Telematics simulation Agent (Acceleration, Braking, Corning, GPS) DomU – Linux IVI MW Frameworks PV DISPLAY Linux Kernel with GPU and w/o other HW Drivers PV EVENTS PV SOUND IVI Simulation App Trusted Apps TrustZone Hypervisor R-Car H3 Platform OP-TEE OS TZ monitor Driver Behavior Based Insurance Backend Telematics Simulation Agent ver 2.0 Telematics Simulation Agent ver 1.0 Monitoring Dashboard Wayland BE (Events/Display) Cluster Simulation AppDom0 Services Minimal rootfs Linux Kernel w/o HW Drivers Containers
0 500 1000 1500 2000 2500 3000 3500 2011 2012 2013 2014 2015 2016 Stats are impacted by release model (code freezes) and our transition to 2 releases per year 4.7 4.84.1 4.2 4.3 4.4 4.5 4.6
Top: Citrix 48% Suse 17% Oracle 6% Intel 6% Red Hat 4% Linaro 3% FreeBSD 2% Star Lab 1% Other 13% Others: Fujitsu Invisible Things Lab BitDefender Huawei Zentific Verizon Cavium GlobalLogic NSA …
Top: Citrix 39% Suse 22% Oracle 7% ARM 5% Red Hat 4% Linaro 3% Intel 3% Star Lab 2% BSD 2% Fujitsu 2% Bitdefender 2% Zentific 1% NSA 1% Zentific 1% Qualcomm 1% Huawei 1% Other 6% First-time contributors in 2016: ARM Aporeto Bosch Car Multimedia Gmbh Netflix Qualcomm Xilinx
Picture by Lars Kurth
Extremely Flexible and Versatile Proven in different markets Easy to port to new environments Easy to develop new PV drivers Highly customizable Security and Resilience Isolation, Partitioning, Security Features Track record in handling security issues Safety Examples of Military Grade Certification Vibrant and Diverse Community Covering Server, Cloud, Security, Embedded, Automotive Picture by Lars Kurth
Developer Portal: bit.do/xen-devs Xen on ARM whitepaper: bit.do/xenarm-white Xen on ARM wiki: bit.do/xenarm-wiki Port Xen to a new SOC: bit.do/xenarm-porting Add Xen support Xen to your OS: bit.do/xenarm-os Device Passthrough presentation: bit.do/xenarm-pt OE meta-virtualization Xen recipe: bit.do/xenmeta OpenXT (Xen + OpenEmbedded): openxt.org Xenbedded presentation: bit.do/xenbedded Monthly ARM Community Call: bit.do/xenarm-call
Lists and IRC on freenode: xen-devel@lists.xenproject.org xen-users@lists.xenproject.org #xenarm or #xen-devel Internships in 2017: Google Summer of Code (Students) Outreachy (Women and other groups) bit.do/xen-internships Xen Project Developer and Design Summit: July 11-13, Budapest, Hungary CfP: open until April 14 bit.do/xensummit17
Picture by Lars Kurth

Recommended

Backroll: Production Grade KVM Backup Solution Integrated in CloudStack
Backroll: Production Grade KVM Backup Solution Integrated in CloudStackBackroll: Production Grade KVM Backup Solution Integrated in CloudStack
Backroll: Production Grade KVM Backup Solution Integrated in CloudStackShapeBlue
 
Scaling WebRTC applications with Janus
Scaling WebRTC applications with JanusScaling WebRTC applications with Janus
Scaling WebRTC applications with JanusLorenzo Miniero
 
Static Partitioning with Xen, LinuxRT, and Zephyr: A Concrete End-to-end Exam...
Static Partitioning with Xen, LinuxRT, and Zephyr: A Concrete End-to-end Exam...Static Partitioning with Xen, LinuxRT, and Zephyr: A Concrete End-to-end Exam...
Static Partitioning with Xen, LinuxRT, and Zephyr: A Concrete End-to-end Exam...Stefano Stabellini
 
ALSS14: Xen Project Automotive Hypervisor (Demo)
ALSS14: Xen Project Automotive Hypervisor (Demo)ALSS14: Xen Project Automotive Hypervisor (Demo)
ALSS14: Xen Project Automotive Hypervisor (Demo)The Linux Foundation
 
What's Coming In CloudStack 4.18
What's Coming In CloudStack 4.18What's Coming In CloudStack 4.18
What's Coming In CloudStack 4.18ShapeBlue
 
2018 Genivi Xen Overview Nov Update
2018 Genivi Xen Overview Nov Update2018 Genivi Xen Overview Nov Update
2018 Genivi Xen Overview Nov UpdateThe Linux Foundation
 
Xen on ARM for embedded and IoT: from secure containers to dom0less systems
Xen on ARM for embedded and IoT: from secure containers to dom0less systemsXen on ARM for embedded and IoT: from secure containers to dom0less systems
Xen on ARM for embedded and IoT: from secure containers to dom0less systemsStefano Stabellini
 
VM Console Enhancements
VM Console EnhancementsVM Console Enhancements
VM Console EnhancementsShapeBlue
 

Recommended

Backroll: Production Grade KVM Backup Solution Integrated in CloudStack
Backroll: Production Grade KVM Backup Solution Integrated in CloudStackBackroll: Production Grade KVM Backup Solution Integrated in CloudStack
Backroll: Production Grade KVM Backup Solution Integrated in CloudStackShapeBlue
 
Scaling WebRTC applications with Janus
Scaling WebRTC applications with JanusScaling WebRTC applications with Janus
Scaling WebRTC applications with JanusLorenzo Miniero
 
Static Partitioning with Xen, LinuxRT, and Zephyr: A Concrete End-to-end Exam...
Static Partitioning with Xen, LinuxRT, and Zephyr: A Concrete End-to-end Exam...Static Partitioning with Xen, LinuxRT, and Zephyr: A Concrete End-to-end Exam...
Static Partitioning with Xen, LinuxRT, and Zephyr: A Concrete End-to-end Exam...Stefano Stabellini
 
ALSS14: Xen Project Automotive Hypervisor (Demo)
ALSS14: Xen Project Automotive Hypervisor (Demo)ALSS14: Xen Project Automotive Hypervisor (Demo)
ALSS14: Xen Project Automotive Hypervisor (Demo)The Linux Foundation
 
What's Coming In CloudStack 4.18
What's Coming In CloudStack 4.18What's Coming In CloudStack 4.18
What's Coming In CloudStack 4.18ShapeBlue
 
2018 Genivi Xen Overview Nov Update
2018 Genivi Xen Overview Nov Update2018 Genivi Xen Overview Nov Update
2018 Genivi Xen Overview Nov UpdateThe Linux Foundation
 
Xen on ARM for embedded and IoT: from secure containers to dom0less systems
Xen on ARM for embedded and IoT: from secure containers to dom0less systemsXen on ARM for embedded and IoT: from secure containers to dom0less systems
Xen on ARM for embedded and IoT: from secure containers to dom0less systemsStefano Stabellini
 
VM Console Enhancements
VM Console EnhancementsVM Console Enhancements
VM Console EnhancementsShapeBlue
 
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...The Linux Foundation
 
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...The Linux Foundation
 
The Best Storage Solution For CloudStack: LINSTOR
The Best Storage Solution For CloudStack: LINSTORThe Best Storage Solution For CloudStack: LINSTOR
The Best Storage Solution For CloudStack: LINSTORShapeBlue
 
Point of View -Converged Infrastructure
Point of View -Converged InfrastructurePoint of View -Converged Infrastructure
Point of View -Converged InfrastructureChaitanya Gaajula
 
Arm device tree and linux device drivers
Arm device tree and linux device driversArm device tree and linux device drivers
Arm device tree and linux device driversHoucheng Lin
 
Ceph on arm64 upload
Ceph on arm64 uploadCeph on arm64 upload
Ceph on arm64 uploadCeph Community
 
Boosting I/O Performance with KVM io_uring
Boosting I/O Performance with KVM io_uringBoosting I/O Performance with KVM io_uring
Boosting I/O Performance with KVM io_uringShapeBlue
 
Kvm performance optimization for ubuntu
Kvm performance optimization for ubuntuKvm performance optimization for ubuntu
Kvm performance optimization for ubuntuSim Janghoon
 
VXLAN Integration with CloudStack Advanced Zone
VXLAN Integration with CloudStack Advanced ZoneVXLAN Integration with CloudStack Advanced Zone
VXLAN Integration with CloudStack Advanced ZoneYoshikazu Nojima
 
Xen Debugging
Xen DebuggingXen Debugging
Xen DebuggingThe Linux Foundation
 
Brkarc 3454 - in-depth and personal with the cisco nexus 2000 fabric extender...
Brkarc 3454 - in-depth and personal with the cisco nexus 2000 fabric extender...Brkarc 3454 - in-depth and personal with the cisco nexus 2000 fabric extender...
Brkarc 3454 - in-depth and personal with the cisco nexus 2000 fabric extender...kds850
 
Introduction To Linux Kernel Modules
Introduction To Linux Kernel ModulesIntroduction To Linux Kernel Modules
Introduction To Linux Kernel Modulesdibyajyotig
 
Xen and Apache cloudstack
Xen and Apache cloudstack Xen and Apache cloudstack
Xen and Apache cloudstack The Linux Foundation
 
XPDS16: Porting Xen on ARM to a new SOC - Julien Grall, ARM
XPDS16: Porting Xen on ARM to a new SOC - Julien Grall, ARMXPDS16: Porting Xen on ARM to a new SOC - Julien Grall, ARM
XPDS16: Porting Xen on ARM to a new SOC - Julien Grall, ARMThe Linux Foundation
 
Volume Encryption In CloudStack
Volume Encryption In CloudStackVolume Encryption In CloudStack
Volume Encryption In CloudStackShapeBlue
 
ELC21: VM-to-VM Communication Mechanisms for Embedded
ELC21: VM-to-VM Communication Mechanisms for EmbeddedELC21: VM-to-VM Communication Mechanisms for Embedded
ELC21: VM-to-VM Communication Mechanisms for EmbeddedStefano Stabellini
 
EBPF and Linux Networking
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux NetworkingPLUMgrid
 
Nick Fisk - low latency Ceph
Nick Fisk - low latency CephNick Fisk - low latency Ceph
Nick Fisk - low latency CephShapeBlue
 
Cilium - BPF & XDP for containers
Cilium - BPF & XDP for containers Cilium - BPF & XDP for containers
Cilium - BPF & XDP for containersDocker, Inc.
 
VMware vSphere
VMware vSphereVMware vSphere
VMware vSphere零壹科技股份有限公司
 
LFCOLLAB15: Xen 4.5 and Beyond
LFCOLLAB15: Xen 4.5 and BeyondLFCOLLAB15: Xen 4.5 and Beyond
LFCOLLAB15: Xen 4.5 and BeyondThe Linux Foundation
 
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...The Linux Foundation
 

More Related Content

What's hot

Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...The Linux Foundation
 
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...The Linux Foundation
 
The Best Storage Solution For CloudStack: LINSTOR
The Best Storage Solution For CloudStack: LINSTORThe Best Storage Solution For CloudStack: LINSTOR
The Best Storage Solution For CloudStack: LINSTORShapeBlue
 
Point of View -Converged Infrastructure
Point of View -Converged InfrastructurePoint of View -Converged Infrastructure
Point of View -Converged InfrastructureChaitanya Gaajula
 
Arm device tree and linux device drivers
Arm device tree and linux device driversArm device tree and linux device drivers
Arm device tree and linux device driversHoucheng Lin
 
Boosting I/O Performance with KVM io_uring
Boosting I/O Performance with KVM io_uringBoosting I/O Performance with KVM io_uring
Boosting I/O Performance with KVM io_uringShapeBlue
 
Kvm performance optimization for ubuntu
Kvm performance optimization for ubuntuKvm performance optimization for ubuntu
Kvm performance optimization for ubuntuSim Janghoon
 
VXLAN Integration with CloudStack Advanced Zone
VXLAN Integration with CloudStack Advanced ZoneVXLAN Integration with CloudStack Advanced Zone
VXLAN Integration with CloudStack Advanced ZoneYoshikazu Nojima
 
Brkarc 3454 - in-depth and personal with the cisco nexus 2000 fabric extender...
Brkarc 3454 - in-depth and personal with the cisco nexus 2000 fabric extender...Brkarc 3454 - in-depth and personal with the cisco nexus 2000 fabric extender...
Brkarc 3454 - in-depth and personal with the cisco nexus 2000 fabric extender...kds850
 
Introduction To Linux Kernel Modules
Introduction To Linux Kernel ModulesIntroduction To Linux Kernel Modules
Introduction To Linux Kernel Modulesdibyajyotig
 
XPDS16: Porting Xen on ARM to a new SOC - Julien Grall, ARM
XPDS16: Porting Xen on ARM to a new SOC - Julien Grall, ARMXPDS16: Porting Xen on ARM to a new SOC - Julien Grall, ARM
XPDS16: Porting Xen on ARM to a new SOC - Julien Grall, ARMThe Linux Foundation
 
Volume Encryption In CloudStack
Volume Encryption In CloudStackVolume Encryption In CloudStack
Volume Encryption In CloudStackShapeBlue
 
ELC21: VM-to-VM Communication Mechanisms for Embedded
ELC21: VM-to-VM Communication Mechanisms for EmbeddedELC21: VM-to-VM Communication Mechanisms for Embedded
ELC21: VM-to-VM Communication Mechanisms for EmbeddedStefano Stabellini
 
EBPF and Linux Networking
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux NetworkingPLUMgrid
 
Nick Fisk - low latency Ceph
Nick Fisk - low latency CephNick Fisk - low latency Ceph
Nick Fisk - low latency CephShapeBlue
 
Cilium - BPF & XDP for containers
Cilium - BPF & XDP for containers Cilium - BPF & XDP for containers
Cilium - BPF & XDP for containersDocker, Inc.
 

What's hot (20)

Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
 
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...
 
The Best Storage Solution For CloudStack: LINSTOR
The Best Storage Solution For CloudStack: LINSTORThe Best Storage Solution For CloudStack: LINSTOR
The Best Storage Solution For CloudStack: LINSTOR
 
Point of View -Converged Infrastructure
Point of View -Converged InfrastructurePoint of View -Converged Infrastructure
Point of View -Converged Infrastructure
 
Arm device tree and linux device drivers
Arm device tree and linux device driversArm device tree and linux device drivers
Arm device tree and linux device drivers
 
Ceph on arm64 upload
Ceph on arm64 uploadCeph on arm64 upload
Ceph on arm64 upload
 
Boosting I/O Performance with KVM io_uring
Boosting I/O Performance with KVM io_uringBoosting I/O Performance with KVM io_uring
Boosting I/O Performance with KVM io_uring
 
Kvm performance optimization for ubuntu
Kvm performance optimization for ubuntuKvm performance optimization for ubuntu
Kvm performance optimization for ubuntu
 
VXLAN Integration with CloudStack Advanced Zone
VXLAN Integration with CloudStack Advanced ZoneVXLAN Integration with CloudStack Advanced Zone
VXLAN Integration with CloudStack Advanced Zone
 
Xen Debugging
Xen DebuggingXen Debugging
Xen Debugging
 
Brkarc 3454 - in-depth and personal with the cisco nexus 2000 fabric extender...
Brkarc 3454 - in-depth and personal with the cisco nexus 2000 fabric extender...Brkarc 3454 - in-depth and personal with the cisco nexus 2000 fabric extender...
Brkarc 3454 - in-depth and personal with the cisco nexus 2000 fabric extender...
 
Introduction To Linux Kernel Modules
Introduction To Linux Kernel ModulesIntroduction To Linux Kernel Modules
Introduction To Linux Kernel Modules
 
Xen and Apache cloudstack
Xen and Apache cloudstack Xen and Apache cloudstack
Xen and Apache cloudstack
 
XPDS16: Porting Xen on ARM to a new SOC - Julien Grall, ARM
XPDS16: Porting Xen on ARM to a new SOC - Julien Grall, ARMXPDS16: Porting Xen on ARM to a new SOC - Julien Grall, ARM
XPDS16: Porting Xen on ARM to a new SOC - Julien Grall, ARM
 
Volume Encryption In CloudStack
Volume Encryption In CloudStackVolume Encryption In CloudStack
Volume Encryption In CloudStack
 
ELC21: VM-to-VM Communication Mechanisms for Embedded
ELC21: VM-to-VM Communication Mechanisms for EmbeddedELC21: VM-to-VM Communication Mechanisms for Embedded
ELC21: VM-to-VM Communication Mechanisms for Embedded
 
EBPF and Linux Networking
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux Networking
 
Nick Fisk - low latency Ceph
Nick Fisk - low latency CephNick Fisk - low latency Ceph
Nick Fisk - low latency Ceph
 
Cilium - BPF & XDP for containers
Cilium - BPF & XDP for containers Cilium - BPF & XDP for containers
Cilium - BPF & XDP for containers
 
VMware vSphere
VMware vSphereVMware vSphere
VMware vSphere
 

Similar to Rootlinux17: An introduction to Xen Project Virtualisation

CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...The Linux Foundation
 
Fosdem 18: Securing embedded Systems using Virtualization
Fosdem 18: Securing embedded Systems using VirtualizationFosdem 18: Securing embedded Systems using Virtualization
Fosdem 18: Securing embedded Systems using VirtualizationThe Linux Foundation
 
Xen Project 15 Years down the Line
Xen Project 15 Years down the LineXen Project 15 Years down the Line
Xen Project 15 Years down the LineThe Linux Foundation
 
Scale17x: Thinking outside of the conceived tech comfort zone
Scale17x: Thinking outside of the conceived tech comfort zoneScale17x: Thinking outside of the conceived tech comfort zone
Scale17x: Thinking outside of the conceived tech comfort zoneThe Linux Foundation
 
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, Citrix
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, CitrixLCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, Citrix
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, CitrixThe Linux Foundation
 
OSSA17 - Live patch, VMI, Security Mgmt (50 mins, no embedded demos)
OSSA17 - Live patch, VMI, Security Mgmt (50 mins, no embedded demos)OSSA17 - Live patch, VMI, Security Mgmt (50 mins, no embedded demos)
OSSA17 - Live patch, VMI, Security Mgmt (50 mins, no embedded demos)The Linux Foundation
 
LCC17 - Live Patching, Virtual Machine Introspection and Vulnerability Manag...
LCC17 - Live Patching, Virtual Machine Introspection and Vulnerability Manag...LCC17 - Live Patching, Virtual Machine Introspection and Vulnerability Manag...
LCC17 - Live Patching, Virtual Machine Introspection and Vulnerability Manag...The Linux Foundation
 
Xen Euro Par07
Xen Euro Par07Xen Euro Par07
Xen Euro Par07congvc
 
LOAD BALANCING OF APPLICATIONS USING XEN HYPERVISOR
LOAD BALANCING OF APPLICATIONS USING XEN HYPERVISORLOAD BALANCING OF APPLICATIONS USING XEN HYPERVISOR
LOAD BALANCING OF APPLICATIONS USING XEN HYPERVISORVanika Kapoor
 
Securing your Cloud with Xen - SUSECon 2013
Securing your Cloud with Xen - SUSECon 2013Securing your Cloud with Xen - SUSECon 2013
Securing your Cloud with Xen - SUSECon 2013The Linux Foundation
 
Linux container & docker
Linux container & dockerLinux container & docker
Linux container & dockerejlp12
 
CEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptxCEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptxYasserOuda2
 
4 implementation
4 implementation4 implementation
4 implementationhanmya
 

Similar to Rootlinux17: An introduction to Xen Project Virtualisation (20)

LFCOLLAB15: Xen 4.5 and Beyond
LFCOLLAB15: Xen 4.5 and BeyondLFCOLLAB15: Xen 4.5 and Beyond
LFCOLLAB15: Xen 4.5 and Beyond
 
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...
 
Fosdem 18: Securing embedded Systems using Virtualization
Fosdem 18: Securing embedded Systems using VirtualizationFosdem 18: Securing embedded Systems using Virtualization
Fosdem 18: Securing embedded Systems using Virtualization
 
A Xen Case Study
A Xen Case StudyA Xen Case Study
A Xen Case Study
 
Xen Project 15 Years down the Line
Xen Project 15 Years down the LineXen Project 15 Years down the Line
Xen Project 15 Years down the Line
 
Scale17x: Thinking outside of the conceived tech comfort zone
Scale17x: Thinking outside of the conceived tech comfort zoneScale17x: Thinking outside of the conceived tech comfort zone
Scale17x: Thinking outside of the conceived tech comfort zone
 
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, Citrix
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, CitrixLCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, Citrix
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, Citrix
 
Xen Community Update 2011
Xen Community Update 2011Xen Community Update 2011
Xen Community Update 2011
 
OSSA17 - Live patch, VMI, Security Mgmt (50 mins, no embedded demos)
OSSA17 - Live patch, VMI, Security Mgmt (50 mins, no embedded demos)OSSA17 - Live patch, VMI, Security Mgmt (50 mins, no embedded demos)
OSSA17 - Live patch, VMI, Security Mgmt (50 mins, no embedded demos)
 
Cl306
Cl306Cl306
Cl306
 
LCC17 - Live Patching, Virtual Machine Introspection and Vulnerability Manag...
LCC17 - Live Patching, Virtual Machine Introspection and Vulnerability Manag...LCC17 - Live Patching, Virtual Machine Introspection and Vulnerability Manag...
LCC17 - Live Patching, Virtual Machine Introspection and Vulnerability Manag...
 
Xen Euro Par07
Xen Euro Par07Xen Euro Par07
Xen Euro Par07
 
OSSNA18: Xen Beginners Training
OSSNA18: Xen Beginners Training OSSNA18: Xen Beginners Training
OSSNA18: Xen Beginners Training
 
.ppt
.ppt.ppt
.ppt
 
LOAD BALANCING OF APPLICATIONS USING XEN HYPERVISOR
LOAD BALANCING OF APPLICATIONS USING XEN HYPERVISORLOAD BALANCING OF APPLICATIONS USING XEN HYPERVISOR
LOAD BALANCING OF APPLICATIONS USING XEN HYPERVISOR
 
Securing your Cloud with Xen - SUSECon 2013
Securing your Cloud with Xen - SUSECon 2013Securing your Cloud with Xen - SUSECon 2013
Securing your Cloud with Xen - SUSECon 2013
 
Aplura virtualization slides
Aplura virtualization slidesAplura virtualization slides
Aplura virtualization slides
 
Linux container & docker
Linux container & dockerLinux container & docker
Linux container & docker
 
CEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptxCEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptx
 
4 implementation
4 implementation4 implementation
4 implementation
 

More from The Linux Foundation

ELC2019: Static Partitioning Made Simple
ELC2019: Static Partitioning Made SimpleELC2019: Static Partitioning Made Simple
ELC2019: Static Partitioning Made SimpleThe Linux Foundation
 
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...The Linux Foundation
 
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...The Linux Foundation
 
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...The Linux Foundation
 
XPDDS19 Keynote: Unikraft Weather Report
XPDDS19 Keynote: Unikraft Weather ReportXPDDS19 Keynote: Unikraft Weather Report
XPDDS19 Keynote: Unikraft Weather ReportThe Linux Foundation
 
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...The Linux Foundation
 
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxXPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxThe Linux Foundation
 
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...The Linux Foundation
 
XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
XPDDS19: Memories of a VM Funk - Mihai Donțu, BitdefenderXPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
XPDDS19: Memories of a VM Funk - Mihai Donțu, BitdefenderThe Linux Foundation
 
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...The Linux Foundation
 
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making... OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...The Linux Foundation
 
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, CitrixXPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, CitrixThe Linux Foundation
 
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltdXPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltdThe Linux Foundation
 
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...The Linux Foundation
 
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&DXPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&DThe Linux Foundation
 
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsXPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsThe Linux Foundation
 
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...The Linux Foundation
 
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...The Linux Foundation
 
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...The Linux Foundation
 
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSEXPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSEThe Linux Foundation
 

More from The Linux Foundation (20)

ELC2019: Static Partitioning Made Simple
ELC2019: Static Partitioning Made SimpleELC2019: Static Partitioning Made Simple
ELC2019: Static Partitioning Made Simple
 
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
 
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
 
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
 
XPDDS19 Keynote: Unikraft Weather Report
XPDDS19 Keynote: Unikraft Weather ReportXPDDS19 Keynote: Unikraft Weather Report
XPDDS19 Keynote: Unikraft Weather Report
 
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
 
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxXPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
 
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
 
XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
XPDDS19: Memories of a VM Funk - Mihai Donțu, BitdefenderXPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
 
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
 
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making... OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
 
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, CitrixXPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
 
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltdXPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
 
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
 
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&DXPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
 
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsXPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
 
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
 
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
 
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
 
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSEXPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
 

Recently uploaded

Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 

Recently uploaded (20)

Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 

Rootlinux17: An introduction to Xen Project Virtualisation

  • 1. Lars Kurth Community Manager, Xen Project Chairman, Xen Project Advisory Board Director, Open Source, Citrix lars_kurth www.slideshare.net/xen_com_mgr/presentations
  • 2. Was a contributor to various projects Worked in parallel computing, tools, mobile and now virtualization Community guy for the Xen Project Working for Citrix Accountable to the Xen Project Community Chairman of Xen Project Advisory Board
  • 3.
  • 4. Consolidation Servers/Equipment, Cooling, Floor space Faster provisioning Flexibility Less dependency on specific Hardware Co-existing OS environments Increased uptime Live migration, storage migration, fault tolerance, HA Enhanced security
  • 5. Strong Isolation Architecture provides strong isolation between VMs Grant tables System Partitioning Disaggregation: sandboxing parts of the system Fine-grain control of VM capabilities Enables multi-layered security approach Secure I/O Sandboxing disk, memory, etc. drivers New classes of threat detection Virtual Machine Introspection, alt2pm
  • 6. Consolidation Single SoC Maintainability, BoM Flexibility Less dependency on specific Hardware Co-existing OS environments Additional Requirements Security requirements (same as on previous slide) Minimal IRQ latency Safety Certification Low or 0 scheduling overhead Drivers for special I/O devices
  • 10. HWCPUsMemoryI/O VM1 (DomU1) Guest OS Applications VM0 (or Dom0) Dom0 Kernel Native Driver VM2 VMn Applications Guest OS Applications Guest OS Toolstack Scheduler MMU Timers InterruptsConfig *Back Driver *Front Driver
  • 11. Marketing Term Mode With HVM / Fully Virtualized HVM HVM + PV drivers 1 HVM PV Drivers PVH PV pvh=1 PV PV Qemu Qemu HW PV Qemu HW HWPV PV PV PV PV WindowsLinux,BSDs,… ARM N/A PV PV HW 1) When running a Linux/BSD guest on HVM with PV drivers, we also use the term PVHVM User perspective (config file)
  • 12. HW P HW PVH PV PV PV PV PV PV PV ARM N/A PV PV Simplicity: Less code & fewer Interfaces in Linux/FreeBSD Security : smaller TCB and attack surface, fewer possible exploits Clean-up : simplify Xen-Linux kernel, Xen-Any-OS interface Better Performance & Lower Latency for some workloads Dom0 must be a PV guest: run Dom0 using hardware extensions 32 bit: PV guest kernels were run in ring 1, userspace in ring 3 (HW isolation) 64 bit: no ring 1 & 2  kernel & user space must share ring 3 (TLB flushes) This is the most complex part of Xen today!
  • 14. A tale of improved collaboration within the Xen Project Community
  • 15. 2015 2016 2017 4.84.7 P Why did we develop Live Patching? Affected AWS, Rackspace, IBM SoftLayer and many others Deploying security patches may require reboots; Inconveniences users How did we fix this? 2015: Design with input from AWS, Alibaba, Citrix, Oracle and SUSE Replace functions while running (old with new) in a payload Stackable payloads can be applied and removed 2016: Xen 4.7 came with Live Patching for x86 2016: Xen 4.8 added extra x86 use-cases and ARM support 2017: XenServer 7.1 releases Live Patching in first commercial product … D
  • 16. Pratap Sankar @ Flickr Specification & Status xenbits.xen.org/docs/unstable/misc/livepatch.html wiki.xenproject.org/wiki/LivePatch Presentations, Videos, Demos bit.do/live-patch-detailed-ppt bit.do/live-patch-detailed-video bit.do/live-patch-short-ppt bit.do/live-patch-short-video
  • 17. A new way to protect against malware
  • 18. 2007 2009 2011 2013 2015 2017 Enablers: from xenaccess/xenprobes to LibVMI Interesting research topic Originally used for forensics (too intrusive for server virt) AA A Xenaccess/Xenprobes LibVMI A Products AIS Introvirt, BitDefender Hypervisor Introspection, Zentific Zazen VMI: enabling commercial applications Hardware assisted VMI solves the intrusion problem Collaboration between: Zentific, Citrix, BitDefender, Intel and others VMI: HW Support (EPT, …) ARM, alt2pm, .. C CC
  • 19. VM3 Guest OS App VMn Guest OS App VM2 Guest OS App Dom0 Dom0 Kernel Drivers Agent(s) Agent(s) Agent(s) Installed in-guest agents, e.g. anti-virus software, VM disk & memory scanner, network monitor, etc. Can be disabled by rootkits and advanced persistent threats (APT)
  • 20. Several VM3 VMnVM2Dom0 Dom0 Kernel Drivers VM3 Guest OS App VMn Guest OS App VM2 Guest OS App Security Appliance VM1 Introspection Engine Protected area XSM/Flask or another mechanism to protect the IF Uses HW extensions to monitor memory (e.g. Intel EPT)  Low Intrusion Register rules with Xen to trap on and inspect suspicious activities (e.g. execution of memory on the dynamic heap)
  • 21. All malware need an attack technique to gain a foothold Attack techniques exploit specific software bugs/vulnerability The number of available attack techniques is small Buffer Overflows, Heap Sprays, Code Injection, API Hooking, … Because VMI protects against attack techniques It can protect against entirely new malware Verified to block these advanced attacks in real-time APT28, Energetic Bear, DarkHotel, Epic Turla, Regin, ZeuS, Dyreza, … solely by relying on VMI
  • 22. Rootkits & APTs Exploit 0-days in Operating Systems/System Software Can disable agent based security solutions (mask their own existence) VMI solutions operate from outside the VM Thus, it cannot be disabled using traditional attack vectors BUT: VMI is not a replacement, for traditional security solutions It is an extra tool that can be used to increase protection
  • 23. Pratap Sankar @ Flickr Documentation wiki.xenproject.org/wiki/Virtual_Machine_Introspection Products AIS Introvirt XenServer www.ainfosec.com Zentific Zazen (Apr 17) Xen & XenServer & … www.zentific.com Protection & Remedial Monitoring & Admin Forensics & Data gathering Malware analysis BitDefender HVI XenServer www.bitdefender.com Protection & Remedial Monitoring & Admin
  • 24. Pratap Sankar @ Flickr How secure is the Xen Project Hypervisor really?
  • 25. Vulnerability data from cvdetails.com 0 50 100 150 200 250 2016 2015 2014 2013 2012 All CVE’s 2015+ Active initiatives to find bugs XTF to help find bugs Fuzzing of some components Very few ARM issues 2016: 2/33 2015: 6/47 Does not use QEMU  Xen  Linux Kernel  QEMU
  • 26. 0 200 400 600 800 1000 0 97 4 CVE’s by CVSS Severity Average CSSV Scores Xen: 4.7 Linux Kernel: 5.9 QEMU: 4.3 Known 0-Day Exploits Xen: 0 Linux Kernel: 18 QEMU: 0 Low = 0.1-3.9; Medium = 4.0-6.9; High = 7.0-8.9; Critical = 9.0-10.0  Xen  Linux Kernel  QEMU
  • 27. Team Process Severity 1 Type CVEs Days 2 Who? 3 Xen Hypervisor Includes Linux & QEMU vulnerabilities in supported Xen configurations Yes Yes All Responsible Yes 14 D, S, P OpenStack OSSA OpenStack OSSN Yes Yes Yes Yes > Low <= Low Responsible Full, post-fix Yes 3-5 D, S, P Linux Kernel via OSS security distros OSS security Yes Yes Partly 4 Yes No > Low <= Low Responsible Full, immediate Yes 14-19 D 4 QEMU via OSS security distros OSS security Yes Partly 4 > Low <= Low Responsible 5 Full, immediate Yes 14-19 D 4 Jailhouse No No 3) D = Distros/Products, S = Public Service, P = Private Downstream 4) No own pre-disclosure list 5) Only handles x86 KVM bugs 1) Is the CVE severity used as cut-off for the process? 2) Days embargoed Responsible only
  • 28. HWCPUsMemoryI/O Dom0 Dom0 Kernel VM1 uKernel xtf.git arch xtf.git common Each test is a file in xtf.git tests test_main() In essence a unikernel per test, with fewer safeguards in place to allow for easy testing of corner cases Also used for Vulnerability Investigation and Testing Qemu Xenstore *Back Drivers hypercalls evtchn gnttab x86 emulator
  • 30. Track Record 81% of Vulnerabilities Low and Medium Average severity of vulnerabilities getting lower Hardening Activities Security Audits by Cloud and Product Vendors Testing (fuzzing, XTF, code inspection, …) Industry Leading Vulnerability Process Includes QEMU and Kernel XSAs Designed with input from Cloud Providers Isolation Limits impact of exploits Picture by Lars Kurth
  • 31.
  • 32. 2007 2009 2011 2013 2015 2017 A A A Q Q C C C CC Technology enablers: XSM, vTPM & TXT (TEE), Disaggregation & Driver Domains Qubes OS Architecture, Qubes OS 1.0, … 2009: Project Independence (Intel / Citrix) 2010: XenClient 1.0 2013: XenClient XT 2014: Became OpenXT (BAE Systems, Assured Information Security) 2015: Support for Cell Phones, Tablets and Embedded Devices Crucible:Defense uXen (Bromium) – Windows only, thus never made it upstream Du
  • 33. Dom0 Toolstack HWI/O DomU Guest OS Applications Dom0 Kernel Native Driver *Back Driver *Front Driver Config
  • 34. DomU Guest OS Applications Dom0 Dom0 Kernel NetFront Driver BlockFront Driver Toolstack Config Driver Domain Guest OS*: Linux, BSD, MiniOS, unikernel, … Disk Controller Storage Domain Guest OS* Disk Driver BlockBack Driver Network Domain Guest OS* Network Driver NetBack Driver Netw Controller Qemu Xenstore
  • 35. Attack Surface Reduction Similar to Linux Security Modules/SELinux Same policy syntax as SELinux Different types, roles, users and attributes Same tools for policy compilation / verification (checkpolicy) VM hypervisor domain(self) domain(other) memory (grant, mmu, shadow) inter-VM communicationpassthroughsecurity config Fine-grained policy, controlling which hypervisor functionality is accessible to this (class of) VM Effect: limit what an exploit in this VM could do
  • 36.
  • 37. User defined App VMs for individual apps or groups of apps USB Service Domain Banking Domain Personal Domain Firewall VM enforces network policies Network Domain Dom0 Secure UI and sysadmin domain
  • 38. User defined App VMs for individual apps or groups of apps USB Service Domain Banking Domain Personal Domain Firewall VM enforces network policies Network Domain Dom0 Secure UI and sysadmin domain Tor VM pre-configured from whonix.org
  • 39. Pratap Sankar @ Flickr Crucible:Defense starlab.io Xen Project based virtualization platform for technology protection, cyber-hardening, and system integrity for aerospace & defense systems Documentation wiki.xenproject.org/wiki/Dom0_Disaggregation wiki.xenproject.org/wiki/Xen_Security_Modules_:_XSM-FLASK Products & Projects Qubes OS www.qubes-os.org Secure OS OpenXT www.openxt.org FOSS Platform for security research, security application and embedded appliance integration building on Xen & OpenEmbedded
  • 40.
  • 41. Pratap Sankar @ Flickr AIS ainfosec.com BAE Systems baesystems.com Galois galois.com Maintain FreeRTOS Xen Port Developed and maintain HalVM Dornerworks dornerworks.com/xen Consulting Xen Embedded Distros Xen for Xilinx Zynq Xen for NXP i.MX 8 ARLX Hypervisor DO-178 (EAL6+), IEC 62304, ISO 26262 MILS EAL FACE, VICTORY, ARINC 653 Starlab starlab.io Crucible and Crucible:Defense Xen embedded hypervisor In progress: DO-178, MILS EAL Uses a minimal Dom0 using MiniOS, disaggregation and XSM/FLASK Precedents of military grade certification for Xen based systems www.slideshare.net/xen_com_mgr/art-certification & www.youtube.com/watch?v=UyW5ul_1ct0 www.linux.com/news/xen-project/2017/2/how-shrink-attack-surfaces-hypervisor
  • 42. Additional Requirements Security requirements Safety certification Low or 0 scheduling overhead Minimal IRQ latency Drivers for special I/O devices
  • 43.
  • 44. Xen supports several different schedulers with different properties.
  • 45. Xen supports several different schedulers with different properties. Regular VM scheduler (Credit) Hard real-time (ARINC653) Dedicated to 1 VCPU (pinning)  no scheduler overheads Soft real-time (RTDS)
  • 46. Scheduler Use-cases Xen 4.8 Future plans Credit General Purpose Supported Default Supported Optional Credit 2 General Purpose Optimized for lower latency, higher VM density Supported Default RTDS Soft & Firm Real-time Multicore Embedded, Automotive, Graphics & Gaming in the Cloud, Low Latency Workloads Experimental Better XL support <1μs granularity Supported Hardening Optimization ARINC 653 Hard Real-time Single core Avionics, Drones, Medical Supported Compile time Legend: Likely in 4.9 or 4.10 Possible in 4.10
  • 47. A53 Programmable Logic (FPGA) R5R5A53 A53 A53 Dom0 Dom0 Kernel Toolstack Bare Metal1 Bare Metal ELF payload FPGA Library VM1 - VMn DomU Kernel Application FPGA Driver Dedicated Bare Metal2 Bare Metal ELF payload Dedicated dornerworks.com/wp-content/uploads/2017/01/Xen-Zynq-Distribution-XZD-Users-Manual.pdf
  • 48. vCPU 0 pCPU 0 vCPU 1 pCPU 1 irq 109 virq 109 IRQ injection Always on the CPU running the vCPU
  • 49. vCPU 0 pCPU 0 irq 109 virq 109 vCPU 1 pCPU 1 IF vIRQ target changes or vCPU is moved THEN vIRQ is moved immediately virq 109
  • 50. vCPU 0 pCPU 0 vCPU 1 pCPU 1 irq 109 virq 109 IRQs always shadow the vIRQ  minimizes latency Xilinx ZynqMP board (four Cortex A53 cores, GICv2) WARM_MAX (excluding the first 3 interrupts): <2000ns marc.info/?l=xen-devel&m=148778423725945 marc.info/?l=xen-devel&m=148839743820338
  • 51. DomU Xen DomU Xen irq 109 virq 109 GIGC_LH Write EOI DomU Xen Maintenance interrupt GIGC_LH Clear IRQ received by DomU DomU performs EOI The guest kernel issues an "EOI” at the end of the interrupt service routine, to notify the HW that the IRQ handling is finished. No maintenance IRQ Additional context switch to handle EOI. Use EOI support in HW to directly EOI the physical IRQ
  • 52.
  • 53. Existing net, block, console keyboard, mouse, USB framebuffer, GPU sharing* New 9pfs PVcalls multitouch, sound, display, DRM Developing New Ones Easy to write (GPL and BSD samples) Kernel and User Space *) A number of different approaches by different vendors in different market segments are being deployed, which are PV-like, but not strictly a PV protocol
  • 54. Vehicles are becoming the ultimate mobile device
  • 55. Pratap Sankar @ Flickr LG Electronics Demo bit.do/lg-xen-demo-2016 Bosch Car GmbH Contributions 10 smaller features in 2016 Perseus Founded by Xen maintainer bit.do/perseus-2017 GlobalLogic Product: Nautilus bit.do/gl-nautilus First product in production expected in Q1 2018 Supports: HW: Renesas R-Car Gen2 & Gen3, TI Jacinto6, Intel Apollo Lake, Qualcomm 410C, Sinlinx A33 Guests: Linux up to 4.9  Android M, N, N-Car  QNX, ThreadX, FreeRTOS PV Drivers for: GPU, Audio, HW accelerated Video codecs, DRM, … Contributions: 27 smaller features from 2013 to 2016 EPAM Demo youtube.com/watch?v=jMmz1odBZb8 Interesting Features: Container based telematics applications running in a Xen VM that can be downloaded from a cloud service Ongoing Contributions: ABIs for PV Sound, PV Display & PV DRM Leading development of co-processor sharing framework
  • 56. Dom0 System Control DomU Cluster Domain Automotive Grade Linux or QNX DomU HMI Domain HMI Realtime OS CAN Processing HW Drivers Hypervisor Application Core Realtime Core Watchdog PV back* Drivers HW Drivers Linux Kernel HW DriversPV front* Drivers MW Frameworks RVC, SVS Instrument Cluster Automotive Grade Android HW DriversPV front* Drivers Connectivity Media AUTOSAR / RTOS Tell Tales RVC = Rear View Camera SVS = Service Vehicle Soon HMI = Human Machine Interface Tell Tales = various status indicators
  • 57. AWS Dom0 - Control DomD – HW Drivers & Cluster Wayland/Weston OpenGL ES Linux Kernel with GPU and other HW Drivers ALSA w PV_ALSAS_BE DomU Fusion Container mgmt tool Linux Kernel w/o HW Drivers Minimal rootfs with systems library Telematics simulation Agent (Acceleration, Braking, Corning, GPS) DomU – Linux IVI MW Frameworks PV DISPLAY Linux Kernel with GPU and w/o other HW Drivers PV EVENTS PV SOUND IVI Simulation App Trusted Apps TrustZone Hypervisor R-Car H3 Platform OP-TEE OS TZ monitor Driver Behavior Based Insurance Backend Telematics Simulation Agent ver 2.0 Telematics Simulation Agent ver 1.0 Monitoring Dashboard Wayland BE (Events/Display) Cluster Simulation AppDom0 Services Minimal rootfs Linux Kernel w/o HW Drivers Containers
  • 58.
  • 59. 0 500 1000 1500 2000 2500 3000 3500 2011 2012 2013 2014 2015 2016 Stats are impacted by release model (code freezes) and our transition to 2 releases per year 4.7 4.84.1 4.2 4.3 4.4 4.5 4.6
  • 60. Top: Citrix 48% Suse 17% Oracle 6% Intel 6% Red Hat 4% Linaro 3% FreeBSD 2% Star Lab 1% Other 13% Others: Fujitsu Invisible Things Lab BitDefender Huawei Zentific Verizon Cavium GlobalLogic NSA …
  • 61. Top: Citrix 39% Suse 22% Oracle 7% ARM 5% Red Hat 4% Linaro 3% Intel 3% Star Lab 2% BSD 2% Fujitsu 2% Bitdefender 2% Zentific 1% NSA 1% Zentific 1% Qualcomm 1% Huawei 1% Other 6% First-time contributors in 2016: ARM Aporeto Bosch Car Multimedia Gmbh Netflix Qualcomm Xilinx
  • 63. Extremely Flexible and Versatile Proven in different markets Easy to port to new environments Easy to develop new PV drivers Highly customizable Security and Resilience Isolation, Partitioning, Security Features Track record in handling security issues Safety Examples of Military Grade Certification Vibrant and Diverse Community Covering Server, Cloud, Security, Embedded, Automotive Picture by Lars Kurth
  • 64. Developer Portal: bit.do/xen-devs Xen on ARM whitepaper: bit.do/xenarm-white Xen on ARM wiki: bit.do/xenarm-wiki Port Xen to a new SOC: bit.do/xenarm-porting Add Xen support Xen to your OS: bit.do/xenarm-os Device Passthrough presentation: bit.do/xenarm-pt OE meta-virtualization Xen recipe: bit.do/xenmeta OpenXT (Xen + OpenEmbedded): openxt.org Xenbedded presentation: bit.do/xenbedded Monthly ARM Community Call: bit.do/xenarm-call
  • 65. Lists and IRC on freenode: xen-devel@lists.xenproject.org xen-users@lists.xenproject.org #xenarm or #xen-devel Internships in 2017: Google Summer of Code (Students) Outreachy (Women and other groups) bit.do/xen-internships Xen Project Developer and Design Summit: July 11-13, Budapest, Hungary CfP: open until April 14 bit.do/xensummit17