SlideShare a Scribd company logo
1 of 49
Lars Kurth
Community Manger, Xen Project
Chairman, Xen Project Advisory Board
Director, Open Source/Xen Project, Citrix
lars_kurth
Was a contributor to various projects
Worked in parallel computing, tools,
mobile and now virtualization
Community guy for the Xen Project
Working for Citrix
Member of the group that develops XenServer
Chairman of Xen Project Advisory Board
I
I: Vulnerability Introduced
D: Vulnerability Discovered
D
Discoverer exploits
issue for his own
purpose
I
I: Vulnerability Introduced
D: Vulnerability Discovered
Discoverer reports security issues to
security@yourproject
D
A team-effort to ensure that …
• All (known) doors are closed
• All (known) doors are locked
• All (known) windows are
boarded up
• Fences have no (known)
weaknesses
• …
XF
R: Vulnerability Reported
T: Triage
A: Vulnerability Announced
F: Fix Available
X: Fix Deployed
Vulnerability is known by the reporter and the security team
Note: It may also be known and used by black hats
Vulnerability is known publicly with no fix available
Vulnerability is known publicly with fix available
Basic
Description
R T A
Patch/fix creation
and validation
X
R: Vulnerability Reported
T: Triage
P: Vulnerability Pre-disclosed
A: Vulnerability Announced
F: Fix Available
X: Fix Deployed
Vulnerability is known by the reporter and the security team
Note: It may also be known and used by black hats
Vulnerability is known about by a privileged and small group of users
Vulnerability is known publicly
A
Pre-disclosure period
R P
Patch/fix creation
and validation
FT
Users Safe
Encourage discoverers to report security issues
to security@yourproject
Discoverers are in control
You can’t stop them from releasing/using information
A robust vulnerability process encourages discoverers to work with you
Ensure that your project fixes security issues
as quickly as possible
You don’t want unaddressed vulnerabilities
Exposure time to security issues is minimized
A maximum of users* apply patches quickly
Minimize risk
Linux Kernel/LXC/KVM if reported via OSS Security
Linux Kernel/LXC/KVM if reported via security@kernel.org
OpenStack, QEMU, … for low impact issues
Full
Linux Kernel/LXC/KVM if reported via OSS Security Distros
Linux Distributions (both open source and commercial)
QEMU, Libvirt, oVirt, ...
OpenStack for intermediate to high impact issues
OPNFV, OpenDayLight : process modeled on OpenStack
Xen Project for all issues (also handles 3rd party issues, e.g. QEMU)
Docker : states responsible disclosure; but policy docs empty / some CVEs
Responsible
Cloud Foundry : no clearly stated process; no published CVE’s
CoreOS: just a mail to report issues
Kubernetes: : just a mail to report issues (when I wrote this talk in Aug, no info)
Not clearly
stated
Approach Used by Projects
Open-source software projects are often well
intended, but security can take a back seat to
making the code work. OpenDaylight, the
multivendor software-defined networking
(SDN) project, learned that the hard way last
August after a critical vulnerability was found
in its platform. It took until December for the
flaw, called Netdump, to get patched …
PC World, March 2015
Using the pre-dominant model as baseline
Applies to Linux Distros, OSS Sec Distros, QEMU, …
Mike Licht @ Flickr
A X
Typically fixed time during which the security issue is handled secretly
Depends on discoverer’s wishes
R: Vulnerability Reported
T: Triage
P: Vulnerability Pre-disclosed
A: Vulnerability Announced
F: Fix Available
X: Fix Deployed
Vulnerability is known by the reporter and the security team
Note: It may also be known and used by black hats
Vulnerability is known about by a privileged and small group of users
Vulnerability is known publicly
Description, CVE
allocation, …
Pre-disclosure period
R
Patch/fix creation
and validation
FT P
What can and can’t be done with
privileged information can differ
significantly between projects
mindfulness @ Flickr
F A XR
Disclosure Time
Long disclosure times discredit responsible disclosure
From a few days to many months
Long disclosure times create a disincentive for reporters to work with you
Increases the risk of 0 day exploits
Pre-defined disclosure times help manage vendors
Example later
Most successful projects have a 2-3 weeks disclosure period
Assigning CVE numbers is best practice in by
established projects and vendors in the
Linux/Cloud ecosystem
CVE databases (such as www.cvedetails.com) can be used
to evaluate your project
This shows Xen Project CVE stats
Before 2012, we didn’t have fewer vulnerabilities than after
We just didn’t have a process requiring creation of CVEs
A fair comparison between projects/technologies using CVE
data is not easily possible
Not all projects/products create CVEs for all their issues
Example: Linux/QEMU only do so for severe ones
Policies are not always published
Some projects don’t assign CVEs at all
Some technologies/products cannot be easily identified in databases
Example: KVM, LXC
Sometimes CVEs can affect several products
But are counted only against one
Open source product definitions on cvedetails are often sloppy
Mike Licht @ Flickr
Description, CVE
allocation, …
A D
Pre-disclosure period
R
Patch/fix creation
and validation
FT P
What happens here depends
on your process goals
Make sure that a fix is available before disclosure
Make sure that downstream projects and products (e.g. distros) can
package and test the fix in their environment
Allow service providers that use your Software to start planning an
upgrade (at scale this can take a week)
Allow service providers that use your Software to deploy an upgrade
before the embargo completes
What is allowed during pre-disclosure
Who is privileged and trusted to be on the pre-disclosure
mailing list
Disclosure Time
Make sure that a fix is available before disclosure
Make sure that downstream projects and products (e.g. distros) can
package and test the fix in their environment
Allow service providers that use your Software to start planning an
upgrade (at scale this can take a week)
Allow service providers that use your Software to deploy an upgrade
before the embargo completesCloud Model
Distro Model
Emerged recently!
Recognizes the needs of service providers
Pre-Cloud Computing!
Services and their users are vulnerable
immediately after disclosure
Approach Used by Projects
Linux Kernel/LXC/KVM if reported via OSS Security Distros
Linux Distributions (both open source and commercial)
QEMU, Libvirt, oVirt, ...
OpenStack for intermediate to high impact issues
OPNFV, OpenDayLight : process modeled on OpenStack
Xen Project for all issues (also handles 3rd party issues, e.g. QEMU)
Docker: depends on severity, details only available on request
More Cloud/Service users than direct users of your software
Example:
AWS stated in 2014 that they have > 1M users (and a lot more instances)
AliCloud claims that they have > 1M users
…
Just imagine what the reputation damage would have been, if Xen had put AWS,
Rackspace, SoftLayer, … users at real risk of a vulnerability.
There were 100’s of
stories at the time,
despite the fact that
users were never put
at risk, but merely
inconvenienced !
Pre-disclosure list membership:
more members, more risk of leakage
In the Distro Model, the number of privileged users is typically <10
In the Cloud Model, the number could be an order of magnitude higher (50-100)
This increases risk of information being accidentally released
Restricting pre-disclosure list membership
Restricting membership to large service providers to minimize risk
That creates issues of “fairness”
Which may be incompatible with your communities' values
How the Xen Project got to its
Vulnerability Process
xenproject.org/security-policy.html
Moyan Brenn @ Flickr
2011 2012 2013 2014 2015 2016
Goals:
Allow fixing, packaging and testing;
Allow service providers to prepare (but not deploy) during embargo
Pre-disclosure:
Membership biased towards distros & large service providers
No predefined disclosure time
1.0
2011 2012 2013 2014 2015 2016
July 2012: CVE-2012-0217, Intel SYSRET
Affected FreeBSD, NetBSD, Solaris, Xen and Microsoft Windows
A large pre-disclosure list member put pressure on
key members of the Xen Project Community to get an embargo
extension
They eventually convinced the discoverer to request an extension
1.0
2011 2012 2013 2014 2015 2016
Centered on:
Predetermined disclosure schedule: 1 week to fix, 2 weeks embargo
Who should be allowed on the pre-disclosure list
Fairness issues between small and large service providers
Direct vs. indirect Xen consumers
The risk of larger pre-disclosure list membership
1.0
2011 2012 2013 2014 2015 2016
Strongly recommended disclosure schedule
Inclusive pre-disclosure list membership
Changes to application procedure (based on checkable criteria)
1.0 2.0
2011 2012 2013 2014 2015 2016
Sept 2014: CVE-2014-7118
Leading to the first Cloud Reboot
AWS pre-announced cloud reboot to their customers
Other vendors didn’t.
Policy was interpreted differently by vendors.
This highlighted ambiguities in the project’s security policy
(what can/can’t be said/done during an embargo)
1.0 2.0
2011 2012 2013 2014 2015 2016
Goals:
Allow fixing, packaging and testing
Allow service providers to prepare (and normally to deploy) during embargo
Pre-disclosure:
Clearer application criteria
Public application process (transparency)
Clear information on what is/is not allowed during an embargo (per XSA)
Means for pre-disclosure list members to collaborate
1.0 2.0 3.0
2011 2012 2013 2014 2015 2016
Conducted XSA-133 Retrospective upon request
Process change: Earlier embargoed pre-disclosure without patches
May 2015: CVE-2015-3456
First time we were affected by a branded bug
QEMU bug, which was handled by several security teams: QEMU,
OSS Distro Security, Oracle Security & Xen Project
From a process perspective: were not able to provide a
fix 2 weeks before the embargo date ended
1.0 2.0 3.0
Larger pre-disclosure list has not caused a single issues in two years of
operating an inclusive approach
We have not had a single 0-day vulnerability
A well run vulnerability process builds trust
Willingness to adapt to your stake-holders needs builds more trust
It creates collaboration and understanding of stake-holders
Fairness is a difficult issue
There will always be practical issues, e.g. “interpretations of policy”, etc.
The Xen Project’s process is the only example case, where this issue
has been tackled through a community consultation.
To Contrast:
OpenStack does not publish who is on their pre-disclosure list
OpenStack does not have a formal application process
Avoids dealing with the “fairness” issue head-on
Security stories are “hot”
Xen is widely used, thus security stories “sell”
It’s too easy for reporters to write a story
Reporters just have to check our page,
and know when the next story comes
Source: yanilavigne.net via
domics.me
Very wide range of approaches vs.
The reality that SW stacks contain many layers
Consider the weakest link in your SW stack
Best Practice appears to be emerging
Older projects seem slow to change
New projects, don’t build security management into their culture from the
beginning
New Post-Snowden era pressures
How to effectively deal with media Hype?

More Related Content

What's hot

XPDDS19: The Xen-Blanket for 2019 - Christopher Clark and Kelli Little, Star ...
XPDDS19: The Xen-Blanket for 2019 - Christopher Clark and Kelli Little, Star ...XPDDS19: The Xen-Blanket for 2019 - Christopher Clark and Kelli Little, Star ...
XPDDS19: The Xen-Blanket for 2019 - Christopher Clark and Kelli Little, Star ...The Linux Foundation
 
Xen Project 15 Years down the Line
Xen Project 15 Years down the LineXen Project 15 Years down the Line
Xen Project 15 Years down the LineThe Linux Foundation
 
Unikraft Landing Page Master Slides
Unikraft Landing Page Master SlidesUnikraft Landing Page Master Slides
Unikraft Landing Page Master SlidesThe Linux Foundation
 
XDF18: Heterogeneous Real-Time SoC Software Architecture - Stefano Stabellini...
XDF18: Heterogeneous Real-Time SoC Software Architecture - Stefano Stabellini...XDF18: Heterogeneous Real-Time SoC Software Architecture - Stefano Stabellini...
XDF18: Heterogeneous Real-Time SoC Software Architecture - Stefano Stabellini...The Linux Foundation
 
XPDS14: Xen and the Art of Certification - Nathan Studer & Robert VonVossen, ...
XPDS14: Xen and the Art of Certification - Nathan Studer & Robert VonVossen, ...XPDS14: Xen and the Art of Certification - Nathan Studer & Robert VonVossen, ...
XPDS14: Xen and the Art of Certification - Nathan Studer & Robert VonVossen, ...The Linux Foundation
 
XPDDS18: LCC18: Xen Project: After 15 years, What's Next? - George Dunlap, C...
XPDDS18: LCC18:  Xen Project: After 15 years, What's Next? - George Dunlap, C...XPDDS18: LCC18:  Xen Project: After 15 years, What's Next? - George Dunlap, C...
XPDDS18: LCC18: Xen Project: After 15 years, What's Next? - George Dunlap, C...The Linux Foundation
 
XPDDS18: Windows PV Drivers Project: Status and Updates - Paul Durrant, Citri...
XPDDS18: Windows PV Drivers Project: Status and Updates - Paul Durrant, Citri...XPDDS18: Windows PV Drivers Project: Status and Updates - Paul Durrant, Citri...
XPDDS18: Windows PV Drivers Project: Status and Updates - Paul Durrant, Citri...The Linux Foundation
 
XPDDS19: Argo and Hypervisor-Mediated Data eXchange (HMX) - Christopher Clark...
XPDDS19: Argo and Hypervisor-Mediated Data eXchange (HMX) - Christopher Clark...XPDDS19: Argo and Hypervisor-Mediated Data eXchange (HMX) - Christopher Clark...
XPDDS19: Argo and Hypervisor-Mediated Data eXchange (HMX) - Christopher Clark...The Linux Foundation
 
LCEU13: Securing your cloud with Xen's advanced security features - George Du...
LCEU13: Securing your cloud with Xen's advanced security features - George Du...LCEU13: Securing your cloud with Xen's advanced security features - George Du...
LCEU13: Securing your cloud with Xen's advanced security features - George Du...The Linux Foundation
 
Securing Your Cloud With the Xen Hypervisor by Russell Pavlicek
Securing Your Cloud With the Xen Hypervisor by Russell PavlicekSecuring Your Cloud With the Xen Hypervisor by Russell Pavlicek
Securing Your Cloud With the Xen Hypervisor by Russell Pavlicekbuildacloud
 
Securing your cloud with Xen's advanced security features
Securing your cloud with Xen's advanced security featuresSecuring your cloud with Xen's advanced security features
Securing your cloud with Xen's advanced security featuresThe Linux Foundation
 
OSSNA18: Xen Beginners Training (exercise script)
OSSNA18: Xen Beginners Training (exercise script)OSSNA18: Xen Beginners Training (exercise script)
OSSNA18: Xen Beginners Training (exercise script)The Linux Foundation
 
Erlang on Xen: Redefining the cloud software stack
Erlang on Xen:  Redefining the cloud software stackErlang on Xen:  Redefining the cloud software stack
Erlang on Xen: Redefining the cloud software stackViktor Sovietov
 
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...The Linux Foundation
 
CIF16: Unikernels: The Past, the Present, the Future ( Russell Pavlicek, Xen ...
CIF16: Unikernels: The Past, the Present, the Future ( Russell Pavlicek, Xen ...CIF16: Unikernels: The Past, the Present, the Future ( Russell Pavlicek, Xen ...
CIF16: Unikernels: The Past, the Present, the Future ( Russell Pavlicek, Xen ...The Linux Foundation
 
Cloud Computing Hypervisors and Comparison Xen KVM
Cloud Computing Hypervisors and Comparison Xen KVM Cloud Computing Hypervisors and Comparison Xen KVM
Cloud Computing Hypervisors and Comparison Xen KVM cloudresearcher
 
XPDS16: Xen Project Weather Report 2016
XPDS16: Xen Project Weather Report 2016XPDS16: Xen Project Weather Report 2016
XPDS16: Xen Project Weather Report 2016The Linux Foundation
 
Linuxcon EU : Virtualization in the Cloud featuring Xen and XCP
Linuxcon EU : Virtualization in the Cloud featuring Xen and XCPLinuxcon EU : Virtualization in the Cloud featuring Xen and XCP
Linuxcon EU : Virtualization in the Cloud featuring Xen and XCPThe Linux Foundation
 

What's hot (20)

XPDDS19: The Xen-Blanket for 2019 - Christopher Clark and Kelli Little, Star ...
XPDDS19: The Xen-Blanket for 2019 - Christopher Clark and Kelli Little, Star ...XPDDS19: The Xen-Blanket for 2019 - Christopher Clark and Kelli Little, Star ...
XPDDS19: The Xen-Blanket for 2019 - Christopher Clark and Kelli Little, Star ...
 
Xen Project 15 Years down the Line
Xen Project 15 Years down the LineXen Project 15 Years down the Line
Xen Project 15 Years down the Line
 
Unikraft Landing Page Master Slides
Unikraft Landing Page Master SlidesUnikraft Landing Page Master Slides
Unikraft Landing Page Master Slides
 
XDF18: Heterogeneous Real-Time SoC Software Architecture - Stefano Stabellini...
XDF18: Heterogeneous Real-Time SoC Software Architecture - Stefano Stabellini...XDF18: Heterogeneous Real-Time SoC Software Architecture - Stefano Stabellini...
XDF18: Heterogeneous Real-Time SoC Software Architecture - Stefano Stabellini...
 
XPDS14: Xen and the Art of Certification - Nathan Studer & Robert VonVossen, ...
XPDS14: Xen and the Art of Certification - Nathan Studer & Robert VonVossen, ...XPDS14: Xen and the Art of Certification - Nathan Studer & Robert VonVossen, ...
XPDS14: Xen and the Art of Certification - Nathan Studer & Robert VonVossen, ...
 
XPDDS18: LCC18: Xen Project: After 15 years, What's Next? - George Dunlap, C...
XPDDS18: LCC18:  Xen Project: After 15 years, What's Next? - George Dunlap, C...XPDDS18: LCC18:  Xen Project: After 15 years, What's Next? - George Dunlap, C...
XPDDS18: LCC18: Xen Project: After 15 years, What's Next? - George Dunlap, C...
 
XPDDS18: Windows PV Drivers Project: Status and Updates - Paul Durrant, Citri...
XPDDS18: Windows PV Drivers Project: Status and Updates - Paul Durrant, Citri...XPDDS18: Windows PV Drivers Project: Status and Updates - Paul Durrant, Citri...
XPDDS18: Windows PV Drivers Project: Status and Updates - Paul Durrant, Citri...
 
XPDDS19: Argo and Hypervisor-Mediated Data eXchange (HMX) - Christopher Clark...
XPDDS19: Argo and Hypervisor-Mediated Data eXchange (HMX) - Christopher Clark...XPDDS19: Argo and Hypervisor-Mediated Data eXchange (HMX) - Christopher Clark...
XPDDS19: Argo and Hypervisor-Mediated Data eXchange (HMX) - Christopher Clark...
 
LCEU13: Securing your cloud with Xen's advanced security features - George Du...
LCEU13: Securing your cloud with Xen's advanced security features - George Du...LCEU13: Securing your cloud with Xen's advanced security features - George Du...
LCEU13: Securing your cloud with Xen's advanced security features - George Du...
 
Securing Your Cloud With the Xen Hypervisor by Russell Pavlicek
Securing Your Cloud With the Xen Hypervisor by Russell PavlicekSecuring Your Cloud With the Xen Hypervisor by Russell Pavlicek
Securing Your Cloud With the Xen Hypervisor by Russell Pavlicek
 
Xen @ Google, 2011
Xen @ Google, 2011Xen @ Google, 2011
Xen @ Google, 2011
 
Securing your cloud with Xen's advanced security features
Securing your cloud with Xen's advanced security featuresSecuring your cloud with Xen's advanced security features
Securing your cloud with Xen's advanced security features
 
OSSNA18: Xen Beginners Training (exercise script)
OSSNA18: Xen Beginners Training (exercise script)OSSNA18: Xen Beginners Training (exercise script)
OSSNA18: Xen Beginners Training (exercise script)
 
Erlang on Xen: Redefining the cloud software stack
Erlang on Xen:  Redefining the cloud software stackErlang on Xen:  Redefining the cloud software stack
Erlang on Xen: Redefining the cloud software stack
 
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
 
CIF16: Unikernels: The Past, the Present, the Future ( Russell Pavlicek, Xen ...
CIF16: Unikernels: The Past, the Present, the Future ( Russell Pavlicek, Xen ...CIF16: Unikernels: The Past, the Present, the Future ( Russell Pavlicek, Xen ...
CIF16: Unikernels: The Past, the Present, the Future ( Russell Pavlicek, Xen ...
 
BSDcon Asia 2015: Xen on FreeBSD
BSDcon Asia 2015: Xen on FreeBSDBSDcon Asia 2015: Xen on FreeBSD
BSDcon Asia 2015: Xen on FreeBSD
 
Cloud Computing Hypervisors and Comparison Xen KVM
Cloud Computing Hypervisors and Comparison Xen KVM Cloud Computing Hypervisors and Comparison Xen KVM
Cloud Computing Hypervisors and Comparison Xen KVM
 
XPDS16: Xen Project Weather Report 2016
XPDS16: Xen Project Weather Report 2016XPDS16: Xen Project Weather Report 2016
XPDS16: Xen Project Weather Report 2016
 
Linuxcon EU : Virtualization in the Cloud featuring Xen and XCP
Linuxcon EU : Virtualization in the Cloud featuring Xen and XCPLinuxcon EU : Virtualization in the Cloud featuring Xen and XCP
Linuxcon EU : Virtualization in the Cloud featuring Xen and XCP
 

Viewers also liked

XPDS16: Display Handler, a Client Display Framework for Xen - Brendan Kerrig...
XPDS16:  Display Handler, a Client Display Framework for Xen - Brendan Kerrig...XPDS16:  Display Handler, a Client Display Framework for Xen - Brendan Kerrig...
XPDS16: Display Handler, a Client Display Framework for Xen - Brendan Kerrig...The Linux Foundation
 
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
XPDS16:  XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...XPDS16:  XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...The Linux Foundation
 
XPDS16: Xenbedded: Xen-based client virtualization for phones and tablets - ...
XPDS16:  Xenbedded: Xen-based client virtualization for phones and tablets - ...XPDS16:  Xenbedded: Xen-based client virtualization for phones and tablets - ...
XPDS16: Xenbedded: Xen-based client virtualization for phones and tablets - ...The Linux Foundation
 
XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, Citrix
XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, CitrixXPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, Citrix
XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, CitrixThe Linux Foundation
 
XPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGIC
XPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGICXPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGIC
XPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGICThe Linux Foundation
 
CIF16: Unikernels, Meet Docker! Containing Unikernels (Richard Mortier, Anil ...
CIF16: Unikernels, Meet Docker! Containing Unikernels (Richard Mortier, Anil ...CIF16: Unikernels, Meet Docker! Containing Unikernels (Richard Mortier, Anil ...
CIF16: Unikernels, Meet Docker! Containing Unikernels (Richard Mortier, Anil ...The Linux Foundation
 
CIF16: Unikernel.org (Amir Chaudhry, Docker Inc)
CIF16: Unikernel.org (Amir Chaudhry, Docker Inc)CIF16: Unikernel.org (Amir Chaudhry, Docker Inc)
CIF16: Unikernel.org (Amir Chaudhry, Docker Inc)The Linux Foundation
 
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...The Linux Foundation
 
Linaro connect : Introduction to Xen on ARM
Linaro connect : Introduction to Xen on ARMLinaro connect : Introduction to Xen on ARM
Linaro connect : Introduction to Xen on ARMThe Linux Foundation
 
XPDS16: Live scalability for vGPU using gScale - Xiao Zheng, Intel
XPDS16: Live scalability for vGPU using gScale - Xiao Zheng, IntelXPDS16: Live scalability for vGPU using gScale - Xiao Zheng, Intel
XPDS16: Live scalability for vGPU using gScale - Xiao Zheng, IntelThe Linux Foundation
 
XPDS16: Xen Orchestra: building a Cloud on top of Xen - Olivier Lambert & Jul...
XPDS16: Xen Orchestra: building a Cloud on top of Xen - Olivier Lambert & Jul...XPDS16: Xen Orchestra: building a Cloud on top of Xen - Olivier Lambert & Jul...
XPDS16: Xen Orchestra: building a Cloud on top of Xen - Olivier Lambert & Jul...The Linux Foundation
 
XPDS16: Live Migration of vGPU - Xiao Zheng, Intel Asia-Pacific Research & De...
XPDS16: Live Migration of vGPU - Xiao Zheng, Intel Asia-Pacific Research & De...XPDS16: Live Migration of vGPU - Xiao Zheng, Intel Asia-Pacific Research & De...
XPDS16: Live Migration of vGPU - Xiao Zheng, Intel Asia-Pacific Research & De...The Linux Foundation
 
XPDS16: Making Migration More Secure - John Shackleton, Adventium Labs
XPDS16: Making Migration More Secure - John Shackleton, Adventium LabsXPDS16: Making Migration More Secure - John Shackleton, Adventium Labs
XPDS16: Making Migration More Secure - John Shackleton, Adventium LabsThe Linux Foundation
 
XPDS16: Consideration of Real Time GPU Scheduling of XenGT in Automotive Embe...
XPDS16: Consideration of Real Time GPU Scheduling of XenGT in Automotive Embe...XPDS16: Consideration of Real Time GPU Scheduling of XenGT in Automotive Embe...
XPDS16: Consideration of Real Time GPU Scheduling of XenGT in Automotive Embe...The Linux Foundation
 
XPDS16: libvirt and Tools: What's New and What's Next - James Fehlig, SUSE
XPDS16: libvirt and Tools: What's New and What's Next - James Fehlig, SUSEXPDS16: libvirt and Tools: What's New and What's Next - James Fehlig, SUSE
XPDS16: libvirt and Tools: What's New and What's Next - James Fehlig, SUSEThe Linux Foundation
 
The ARM Architecture: ARM : ARM Architecture
The ARM Architecture: ARM : ARM ArchitectureThe ARM Architecture: ARM : ARM Architecture
The ARM Architecture: ARM : ARM Architecturesreea4
 
Fosdem17 - Mixed License FOSS Projects
Fosdem17 - Mixed License FOSS ProjectsFosdem17 - Mixed License FOSS Projects
Fosdem17 - Mixed License FOSS ProjectsThe Linux Foundation
 

Viewers also liked (20)

XPDS16: Display Handler, a Client Display Framework for Xen - Brendan Kerrig...
XPDS16:  Display Handler, a Client Display Framework for Xen - Brendan Kerrig...XPDS16:  Display Handler, a Client Display Framework for Xen - Brendan Kerrig...
XPDS16: Display Handler, a Client Display Framework for Xen - Brendan Kerrig...
 
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
XPDS16:  XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...XPDS16:  XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
 
XPDS16: Xenbedded: Xen-based client virtualization for phones and tablets - ...
XPDS16:  Xenbedded: Xen-based client virtualization for phones and tablets - ...XPDS16:  Xenbedded: Xen-based client virtualization for phones and tablets - ...
XPDS16: Xenbedded: Xen-based client virtualization for phones and tablets - ...
 
XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, Citrix
XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, CitrixXPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, Citrix
XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, Citrix
 
XPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGIC
XPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGICXPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGIC
XPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGIC
 
1 Day Arm 2007
1 Day Arm 20071 Day Arm 2007
1 Day Arm 2007
 
CIF16: Unikernels, Meet Docker! Containing Unikernels (Richard Mortier, Anil ...
CIF16: Unikernels, Meet Docker! Containing Unikernels (Richard Mortier, Anil ...CIF16: Unikernels, Meet Docker! Containing Unikernels (Richard Mortier, Anil ...
CIF16: Unikernels, Meet Docker! Containing Unikernels (Richard Mortier, Anil ...
 
CIF16: Unikernel.org (Amir Chaudhry, Docker Inc)
CIF16: Unikernel.org (Amir Chaudhry, Docker Inc)CIF16: Unikernel.org (Amir Chaudhry, Docker Inc)
CIF16: Unikernel.org (Amir Chaudhry, Docker Inc)
 
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
 
Linaro connect : Introduction to Xen on ARM
Linaro connect : Introduction to Xen on ARMLinaro connect : Introduction to Xen on ARM
Linaro connect : Introduction to Xen on ARM
 
ARM Fundamentals
ARM FundamentalsARM Fundamentals
ARM Fundamentals
 
XPDS16: Live scalability for vGPU using gScale - Xiao Zheng, Intel
XPDS16: Live scalability for vGPU using gScale - Xiao Zheng, IntelXPDS16: Live scalability for vGPU using gScale - Xiao Zheng, Intel
XPDS16: Live scalability for vGPU using gScale - Xiao Zheng, Intel
 
XPDS16: Xen Orchestra: building a Cloud on top of Xen - Olivier Lambert & Jul...
XPDS16: Xen Orchestra: building a Cloud on top of Xen - Olivier Lambert & Jul...XPDS16: Xen Orchestra: building a Cloud on top of Xen - Olivier Lambert & Jul...
XPDS16: Xen Orchestra: building a Cloud on top of Xen - Olivier Lambert & Jul...
 
XPDS16: Live Migration of vGPU - Xiao Zheng, Intel Asia-Pacific Research & De...
XPDS16: Live Migration of vGPU - Xiao Zheng, Intel Asia-Pacific Research & De...XPDS16: Live Migration of vGPU - Xiao Zheng, Intel Asia-Pacific Research & De...
XPDS16: Live Migration of vGPU - Xiao Zheng, Intel Asia-Pacific Research & De...
 
XPDS16: Making Migration More Secure - John Shackleton, Adventium Labs
XPDS16: Making Migration More Secure - John Shackleton, Adventium LabsXPDS16: Making Migration More Secure - John Shackleton, Adventium Labs
XPDS16: Making Migration More Secure - John Shackleton, Adventium Labs
 
XPDS16: Xen Development Update
XPDS16: Xen Development UpdateXPDS16: Xen Development Update
XPDS16: Xen Development Update
 
XPDS16: Consideration of Real Time GPU Scheduling of XenGT in Automotive Embe...
XPDS16: Consideration of Real Time GPU Scheduling of XenGT in Automotive Embe...XPDS16: Consideration of Real Time GPU Scheduling of XenGT in Automotive Embe...
XPDS16: Consideration of Real Time GPU Scheduling of XenGT in Automotive Embe...
 
XPDS16: libvirt and Tools: What's New and What's Next - James Fehlig, SUSE
XPDS16: libvirt and Tools: What's New and What's Next - James Fehlig, SUSEXPDS16: libvirt and Tools: What's New and What's Next - James Fehlig, SUSE
XPDS16: libvirt and Tools: What's New and What's Next - James Fehlig, SUSE
 
The ARM Architecture: ARM : ARM Architecture
The ARM Architecture: ARM : ARM ArchitectureThe ARM Architecture: ARM : ARM Architecture
The ARM Architecture: ARM : ARM Architecture
 
Fosdem17 - Mixed License FOSS Projects
Fosdem17 - Mixed License FOSS ProjectsFosdem17 - Mixed License FOSS Projects
Fosdem17 - Mixed License FOSS Projects
 

Similar to Scale14x: Are today's foss security practices robust enough in the cloud era final

LinuxCon NA 2015:Are today's FOSS Security Practices Robust Enough in the Clo...
LinuxCon NA 2015:Are today's FOSS Security Practices Robust Enough in the Clo...LinuxCon NA 2015:Are today's FOSS Security Practices Robust Enough in the Clo...
LinuxCon NA 2015:Are today's FOSS Security Practices Robust Enough in the Clo...The Linux Foundation
 
OpenNebulaConf2015 1.14 Are Today’s FOSS Security Practices Robust Enough in ...
OpenNebulaConf2015 1.14 Are Today’s FOSS Security Practices Robust Enough in ...OpenNebulaConf2015 1.14 Are Today’s FOSS Security Practices Robust Enough in ...
OpenNebulaConf2015 1.14 Are Today’s FOSS Security Practices Robust Enough in ...OpenNebula Project
 
Open Source and Security: Engineering Security by Design - Prague, December 2011
Open Source and Security: Engineering Security by Design - Prague, December 2011Open Source and Security: Engineering Security by Design - Prague, December 2011
Open Source and Security: Engineering Security by Design - Prague, December 2011Jeremy Brown
 
Rootlinux17: An introduction to Xen Project Virtualisation
Rootlinux17:  An introduction to Xen Project VirtualisationRootlinux17:  An introduction to Xen Project Virtualisation
Rootlinux17: An introduction to Xen Project VirtualisationThe Linux Foundation
 
Deployit overview for JUG-Italy meeting
Deployit overview for JUG-Italy meetingDeployit overview for JUG-Italy meeting
Deployit overview for JUG-Italy meetingXebiaLabs
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security OverviewShawn Wells
 
Here Be Dragons: Security Maps of the Container New World
Here Be Dragons: Security Maps of the Container New WorldHere Be Dragons: Security Maps of the Container New World
Here Be Dragons: Security Maps of the Container New WorldC4Media
 
Vulnerability Exploitation in Docker Container Environments
Vulnerability Exploitation in Docker Container EnvironmentsVulnerability Exploitation in Docker Container Environments
Vulnerability Exploitation in Docker Container EnvironmentsFlawCheck
 
Demystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data ScientistsDemystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data ScientistsDr Ganesh Iyer
 
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisApplied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisOW2
 
Project Penetration Testing Report(20 Points)Scenario.docx
Project Penetration Testing Report(20 Points)Scenario.docxProject Penetration Testing Report(20 Points)Scenario.docx
Project Penetration Testing Report(20 Points)Scenario.docxsimonlbentley59018
 
Cloud security deep dive infoworld jan 2011
Cloud security deep dive infoworld jan 2011Cloud security deep dive infoworld jan 2011
Cloud security deep dive infoworld jan 2011Kim Jensen
 
What_is_DevOps_how_it's_very_useful_in_daily_Life.
What_is_DevOps_how_it's_very_useful_in_daily_Life.What_is_DevOps_how_it's_very_useful_in_daily_Life.
What_is_DevOps_how_it's_very_useful_in_daily_Life.anilpmuvvala
 
What is DevOps And How It Is Useful In Real life.
What is DevOps And How It Is Useful In Real life.What is DevOps And How It Is Useful In Real life.
What is DevOps And How It Is Useful In Real life.anilpmuvvala
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
XPDDS18: LCC18: Disclosure policies in the world of cloud - a look behind the...
XPDDS18: LCC18: Disclosure policies in the world of cloud - a look behind the...XPDDS18: LCC18: Disclosure policies in the world of cloud - a look behind the...
XPDDS18: LCC18: Disclosure policies in the world of cloud - a look behind the...The Linux Foundation
 
DevOps for Defenders in the Enterprise
DevOps for Defenders in the EnterpriseDevOps for Defenders in the Enterprise
DevOps for Defenders in the EnterpriseJames Wickett
 

Similar to Scale14x: Are today's foss security practices robust enough in the cloud era final (20)

LinuxCon NA 2015:Are today's FOSS Security Practices Robust Enough in the Clo...
LinuxCon NA 2015:Are today's FOSS Security Practices Robust Enough in the Clo...LinuxCon NA 2015:Are today's FOSS Security Practices Robust Enough in the Clo...
LinuxCon NA 2015:Are today's FOSS Security Practices Robust Enough in the Clo...
 
OpenNebulaConf2015 1.14 Are Today’s FOSS Security Practices Robust Enough in ...
OpenNebulaConf2015 1.14 Are Today’s FOSS Security Practices Robust Enough in ...OpenNebulaConf2015 1.14 Are Today’s FOSS Security Practices Robust Enough in ...
OpenNebulaConf2015 1.14 Are Today’s FOSS Security Practices Robust Enough in ...
 
Open Source and Security: Engineering Security by Design - Prague, December 2011
Open Source and Security: Engineering Security by Design - Prague, December 2011Open Source and Security: Engineering Security by Design - Prague, December 2011
Open Source and Security: Engineering Security by Design - Prague, December 2011
 
Rootlinux17: An introduction to Xen Project Virtualisation
Rootlinux17:  An introduction to Xen Project VirtualisationRootlinux17:  An introduction to Xen Project Virtualisation
Rootlinux17: An introduction to Xen Project Virtualisation
 
Deployit overview for JUG-Italy meeting
Deployit overview for JUG-Italy meetingDeployit overview for JUG-Italy meeting
Deployit overview for JUG-Italy meeting
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
 
Here Be Dragons: Security Maps of the Container New World
Here Be Dragons: Security Maps of the Container New WorldHere Be Dragons: Security Maps of the Container New World
Here Be Dragons: Security Maps of the Container New World
 
Vulnerability Exploitation in Docker Container Environments
Vulnerability Exploitation in Docker Container EnvironmentsVulnerability Exploitation in Docker Container Environments
Vulnerability Exploitation in Docker Container Environments
 
Demystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data ScientistsDemystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data Scientists
 
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisApplied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
 
Project Penetration Testing Report(20 Points)Scenario.docx
Project Penetration Testing Report(20 Points)Scenario.docxProject Penetration Testing Report(20 Points)Scenario.docx
Project Penetration Testing Report(20 Points)Scenario.docx
 
Cloud security deep dive infoworld jan 2011
Cloud security deep dive infoworld jan 2011Cloud security deep dive infoworld jan 2011
Cloud security deep dive infoworld jan 2011
 
What_is_DevOps_how_it's_very_useful_in_daily_Life.
What_is_DevOps_how_it's_very_useful_in_daily_Life.What_is_DevOps_how_it's_very_useful_in_daily_Life.
What_is_DevOps_how_it's_very_useful_in_daily_Life.
 
What is DevOps And How It Is Useful In Real life.
What is DevOps And How It Is Useful In Real life.What is DevOps And How It Is Useful In Real life.
What is DevOps And How It Is Useful In Real life.
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
XPDDS18: LCC18: Disclosure policies in the world of cloud - a look behind the...
XPDDS18: LCC18: Disclosure policies in the world of cloud - a look behind the...XPDDS18: LCC18: Disclosure policies in the world of cloud - a look behind the...
XPDDS18: LCC18: Disclosure policies in the world of cloud - a look behind the...
 
What_is_DevOps.pptx
What_is_DevOps.pptxWhat_is_DevOps.pptx
What_is_DevOps.pptx
 
Beyond static configuration
Beyond static configurationBeyond static configuration
Beyond static configuration
 
DevOps for Defenders in the Enterprise
DevOps for Defenders in the EnterpriseDevOps for Defenders in the Enterprise
DevOps for Defenders in the Enterprise
 
Webinar Docker Tri Series
Webinar Docker Tri SeriesWebinar Docker Tri Series
Webinar Docker Tri Series
 

More from The Linux Foundation

ELC2019: Static Partitioning Made Simple
ELC2019: Static Partitioning Made SimpleELC2019: Static Partitioning Made Simple
ELC2019: Static Partitioning Made SimpleThe Linux Foundation
 
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...The Linux Foundation
 
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...The Linux Foundation
 
XPDDS19 Keynote: Unikraft Weather Report
XPDDS19 Keynote:  Unikraft Weather ReportXPDDS19 Keynote:  Unikraft Weather Report
XPDDS19 Keynote: Unikraft Weather ReportThe Linux Foundation
 
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...The Linux Foundation
 
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxXPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxThe Linux Foundation
 
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...The Linux Foundation
 
XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
XPDDS19: Memories of a VM Funk - Mihai Donțu, BitdefenderXPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
XPDDS19: Memories of a VM Funk - Mihai Donțu, BitdefenderThe Linux Foundation
 
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19:  The Road to Safety Certification: Overcoming Community Challeng...OSSJP/ALS19:  The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...The Linux Foundation
 
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
 OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making... OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...The Linux Foundation
 
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, CitrixXPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, CitrixThe Linux Foundation
 
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltdXPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltdThe Linux Foundation
 
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...The Linux Foundation
 
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&DXPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&DThe Linux Foundation
 
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsXPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsThe Linux Foundation
 
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...The Linux Foundation
 
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...The Linux Foundation
 
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...The Linux Foundation
 
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSEXPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSEThe Linux Foundation
 
XPDDS19: Implementing AMD MxGPU - Jonathan Farrell, Assured Information Security
XPDDS19: Implementing AMD MxGPU - Jonathan Farrell, Assured Information SecurityXPDDS19: Implementing AMD MxGPU - Jonathan Farrell, Assured Information Security
XPDDS19: Implementing AMD MxGPU - Jonathan Farrell, Assured Information SecurityThe Linux Foundation
 

More from The Linux Foundation (20)

ELC2019: Static Partitioning Made Simple
ELC2019: Static Partitioning Made SimpleELC2019: Static Partitioning Made Simple
ELC2019: Static Partitioning Made Simple
 
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
 
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
 
XPDDS19 Keynote: Unikraft Weather Report
XPDDS19 Keynote:  Unikraft Weather ReportXPDDS19 Keynote:  Unikraft Weather Report
XPDDS19 Keynote: Unikraft Weather Report
 
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
 
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxXPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
 
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
 
XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
XPDDS19: Memories of a VM Funk - Mihai Donțu, BitdefenderXPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
 
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19:  The Road to Safety Certification: Overcoming Community Challeng...OSSJP/ALS19:  The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
 
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
 OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making... OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
 
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, CitrixXPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
 
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltdXPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
 
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
 
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&DXPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
 
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsXPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
 
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
 
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
 
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
 
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSEXPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
 
XPDDS19: Implementing AMD MxGPU - Jonathan Farrell, Assured Information Security
XPDDS19: Implementing AMD MxGPU - Jonathan Farrell, Assured Information SecurityXPDDS19: Implementing AMD MxGPU - Jonathan Farrell, Assured Information Security
XPDDS19: Implementing AMD MxGPU - Jonathan Farrell, Assured Information Security
 

Recently uploaded

Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your QueriesExploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your QueriesSanjay Willie
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 

Recently uploaded (20)

Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your QueriesExploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 

Scale14x: Are today's foss security practices robust enough in the cloud era final

  • 1. Lars Kurth Community Manger, Xen Project Chairman, Xen Project Advisory Board Director, Open Source/Xen Project, Citrix lars_kurth
  • 2. Was a contributor to various projects Worked in parallel computing, tools, mobile and now virtualization Community guy for the Xen Project Working for Citrix Member of the group that develops XenServer Chairman of Xen Project Advisory Board
  • 3.
  • 4. I I: Vulnerability Introduced D: Vulnerability Discovered D Discoverer exploits issue for his own purpose
  • 5. I I: Vulnerability Introduced D: Vulnerability Discovered Discoverer reports security issues to security@yourproject D
  • 6. A team-effort to ensure that … • All (known) doors are closed • All (known) doors are locked • All (known) windows are boarded up • Fences have no (known) weaknesses • …
  • 7. XF R: Vulnerability Reported T: Triage A: Vulnerability Announced F: Fix Available X: Fix Deployed Vulnerability is known by the reporter and the security team Note: It may also be known and used by black hats Vulnerability is known publicly with no fix available Vulnerability is known publicly with fix available Basic Description R T A Patch/fix creation and validation
  • 8. X R: Vulnerability Reported T: Triage P: Vulnerability Pre-disclosed A: Vulnerability Announced F: Fix Available X: Fix Deployed Vulnerability is known by the reporter and the security team Note: It may also be known and used by black hats Vulnerability is known about by a privileged and small group of users Vulnerability is known publicly A Pre-disclosure period R P Patch/fix creation and validation FT
  • 10. Encourage discoverers to report security issues to security@yourproject Discoverers are in control You can’t stop them from releasing/using information A robust vulnerability process encourages discoverers to work with you
  • 11. Ensure that your project fixes security issues as quickly as possible You don’t want unaddressed vulnerabilities
  • 12. Exposure time to security issues is minimized A maximum of users* apply patches quickly Minimize risk
  • 13. Linux Kernel/LXC/KVM if reported via OSS Security Linux Kernel/LXC/KVM if reported via security@kernel.org OpenStack, QEMU, … for low impact issues Full Linux Kernel/LXC/KVM if reported via OSS Security Distros Linux Distributions (both open source and commercial) QEMU, Libvirt, oVirt, ... OpenStack for intermediate to high impact issues OPNFV, OpenDayLight : process modeled on OpenStack Xen Project for all issues (also handles 3rd party issues, e.g. QEMU) Docker : states responsible disclosure; but policy docs empty / some CVEs Responsible Cloud Foundry : no clearly stated process; no published CVE’s CoreOS: just a mail to report issues Kubernetes: : just a mail to report issues (when I wrote this talk in Aug, no info) Not clearly stated Approach Used by Projects
  • 14. Open-source software projects are often well intended, but security can take a back seat to making the code work. OpenDaylight, the multivendor software-defined networking (SDN) project, learned that the hard way last August after a critical vulnerability was found in its platform. It took until December for the flaw, called Netdump, to get patched … PC World, March 2015
  • 15. Using the pre-dominant model as baseline Applies to Linux Distros, OSS Sec Distros, QEMU, … Mike Licht @ Flickr
  • 16. A X Typically fixed time during which the security issue is handled secretly Depends on discoverer’s wishes R: Vulnerability Reported T: Triage P: Vulnerability Pre-disclosed A: Vulnerability Announced F: Fix Available X: Fix Deployed Vulnerability is known by the reporter and the security team Note: It may also be known and used by black hats Vulnerability is known about by a privileged and small group of users Vulnerability is known publicly Description, CVE allocation, … Pre-disclosure period R Patch/fix creation and validation FT P What can and can’t be done with privileged information can differ significantly between projects
  • 19. Long disclosure times discredit responsible disclosure From a few days to many months Long disclosure times create a disincentive for reporters to work with you Increases the risk of 0 day exploits Pre-defined disclosure times help manage vendors Example later Most successful projects have a 2-3 weeks disclosure period
  • 20. Assigning CVE numbers is best practice in by established projects and vendors in the Linux/Cloud ecosystem
  • 21. CVE databases (such as www.cvedetails.com) can be used to evaluate your project This shows Xen Project CVE stats Before 2012, we didn’t have fewer vulnerabilities than after We just didn’t have a process requiring creation of CVEs
  • 22. A fair comparison between projects/technologies using CVE data is not easily possible Not all projects/products create CVEs for all their issues Example: Linux/QEMU only do so for severe ones Policies are not always published Some projects don’t assign CVEs at all Some technologies/products cannot be easily identified in databases Example: KVM, LXC Sometimes CVEs can affect several products But are counted only against one Open source product definitions on cvedetails are often sloppy
  • 23. Mike Licht @ Flickr
  • 24. Description, CVE allocation, … A D Pre-disclosure period R Patch/fix creation and validation FT P What happens here depends on your process goals
  • 25. Make sure that a fix is available before disclosure Make sure that downstream projects and products (e.g. distros) can package and test the fix in their environment Allow service providers that use your Software to start planning an upgrade (at scale this can take a week) Allow service providers that use your Software to deploy an upgrade before the embargo completes
  • 26. What is allowed during pre-disclosure Who is privileged and trusted to be on the pre-disclosure mailing list Disclosure Time
  • 27. Make sure that a fix is available before disclosure Make sure that downstream projects and products (e.g. distros) can package and test the fix in their environment Allow service providers that use your Software to start planning an upgrade (at scale this can take a week) Allow service providers that use your Software to deploy an upgrade before the embargo completesCloud Model Distro Model
  • 28. Emerged recently! Recognizes the needs of service providers Pre-Cloud Computing! Services and their users are vulnerable immediately after disclosure
  • 29. Approach Used by Projects Linux Kernel/LXC/KVM if reported via OSS Security Distros Linux Distributions (both open source and commercial) QEMU, Libvirt, oVirt, ... OpenStack for intermediate to high impact issues OPNFV, OpenDayLight : process modeled on OpenStack Xen Project for all issues (also handles 3rd party issues, e.g. QEMU) Docker: depends on severity, details only available on request
  • 30.
  • 31. More Cloud/Service users than direct users of your software Example: AWS stated in 2014 that they have > 1M users (and a lot more instances) AliCloud claims that they have > 1M users …
  • 32. Just imagine what the reputation damage would have been, if Xen had put AWS, Rackspace, SoftLayer, … users at real risk of a vulnerability. There were 100’s of stories at the time, despite the fact that users were never put at risk, but merely inconvenienced !
  • 33. Pre-disclosure list membership: more members, more risk of leakage In the Distro Model, the number of privileged users is typically <10 In the Cloud Model, the number could be an order of magnitude higher (50-100) This increases risk of information being accidentally released
  • 34. Restricting pre-disclosure list membership Restricting membership to large service providers to minimize risk That creates issues of “fairness” Which may be incompatible with your communities' values
  • 35. How the Xen Project got to its Vulnerability Process xenproject.org/security-policy.html Moyan Brenn @ Flickr
  • 36. 2011 2012 2013 2014 2015 2016 Goals: Allow fixing, packaging and testing; Allow service providers to prepare (but not deploy) during embargo Pre-disclosure: Membership biased towards distros & large service providers No predefined disclosure time 1.0
  • 37. 2011 2012 2013 2014 2015 2016 July 2012: CVE-2012-0217, Intel SYSRET Affected FreeBSD, NetBSD, Solaris, Xen and Microsoft Windows A large pre-disclosure list member put pressure on key members of the Xen Project Community to get an embargo extension They eventually convinced the discoverer to request an extension 1.0
  • 38. 2011 2012 2013 2014 2015 2016 Centered on: Predetermined disclosure schedule: 1 week to fix, 2 weeks embargo Who should be allowed on the pre-disclosure list Fairness issues between small and large service providers Direct vs. indirect Xen consumers The risk of larger pre-disclosure list membership 1.0
  • 39. 2011 2012 2013 2014 2015 2016 Strongly recommended disclosure schedule Inclusive pre-disclosure list membership Changes to application procedure (based on checkable criteria) 1.0 2.0
  • 40. 2011 2012 2013 2014 2015 2016 Sept 2014: CVE-2014-7118 Leading to the first Cloud Reboot AWS pre-announced cloud reboot to their customers Other vendors didn’t. Policy was interpreted differently by vendors. This highlighted ambiguities in the project’s security policy (what can/can’t be said/done during an embargo) 1.0 2.0
  • 41. 2011 2012 2013 2014 2015 2016 Goals: Allow fixing, packaging and testing Allow service providers to prepare (and normally to deploy) during embargo Pre-disclosure: Clearer application criteria Public application process (transparency) Clear information on what is/is not allowed during an embargo (per XSA) Means for pre-disclosure list members to collaborate 1.0 2.0 3.0
  • 42. 2011 2012 2013 2014 2015 2016 Conducted XSA-133 Retrospective upon request Process change: Earlier embargoed pre-disclosure without patches May 2015: CVE-2015-3456 First time we were affected by a branded bug QEMU bug, which was handled by several security teams: QEMU, OSS Distro Security, Oracle Security & Xen Project From a process perspective: were not able to provide a fix 2 weeks before the embargo date ended 1.0 2.0 3.0
  • 43. Larger pre-disclosure list has not caused a single issues in two years of operating an inclusive approach We have not had a single 0-day vulnerability A well run vulnerability process builds trust Willingness to adapt to your stake-holders needs builds more trust It creates collaboration and understanding of stake-holders Fairness is a difficult issue There will always be practical issues, e.g. “interpretations of policy”, etc.
  • 44. The Xen Project’s process is the only example case, where this issue has been tackled through a community consultation. To Contrast: OpenStack does not publish who is on their pre-disclosure list OpenStack does not have a formal application process Avoids dealing with the “fairness” issue head-on
  • 45.
  • 46.
  • 47. Security stories are “hot” Xen is widely used, thus security stories “sell” It’s too easy for reporters to write a story Reporters just have to check our page, and know when the next story comes
  • 49. Very wide range of approaches vs. The reality that SW stacks contain many layers Consider the weakest link in your SW stack Best Practice appears to be emerging Older projects seem slow to change New projects, don’t build security management into their culture from the beginning New Post-Snowden era pressures How to effectively deal with media Hype?

Editor's Notes

  1. Recent vulnerabilities like Heartbleed and Shellshock have brought the security practices and track record of open-source projects into the spotlight. A project’s response to security issues has a major impact on how much risk end users are exposed to and how the project is perceived in the technology industry. We will compare the security practices of key projects such as Linux, Docker, Xen Project, OpenStack and others. We will explore the trade-offs of different security practices, such as community trust, competing stakeholder interests, fairness and media coverage of vulnerabilities. Finally, we will explore the evolution of the Xen Project’s security process over the past 3 years as a case study. We will illustrate the trade-offs, pain points and unexpected issues we have experienced, to help other projects understand the pit-falls in designing robust security processes.
  2. Love to travel to weird places and grow weird plants
  3. 2M Anyone disagrees? Zombie Analogy to illustrate the one or other thing Vulnerabilities as an opening (an unlocked door, broken window, gap in your fence, …) for s zombie to get into your base. Base = Medevial town, moats, walls, gates, doors, … - compartmentalized SW architecture
  4. Unless you get them to report it: it is game over for that particular bug
  5. Unless you get them to report it: it is game over for that particular bug
  6. So, let’s go explore that Walking Dead analogy, … Band of survivors Lived on the road escaping zombies, moving from one place to the next Their ranks swell, but not excessively so – they always loose people to zombies Eventually they find a prison, Kill the remaining zombies and secure it. Prison = lots of ” security features, which kind of makes this an interesting analogy. Over time our survivors becomes quite good at securing their prison, getting out into the world and getting supplies, … => TEAM EFFORT Eventually it all goes haywire, because they then end up at war with another group of survivors.
  7. 3 MINS
  8. P : instead of an announcement, you pre-disclose to a “special group of users” Bubble: hold that in your mind
  9. What I wanted to do in this talk, is to look at Vulnerability Management. NOT at SW architecture, NOT at other techniques to minimize introduction of bugs, … Purpose of … = keep your users safe. Or at least that’s what it should be there for. I chose the picture above, because it’s from the Walking Dead comic/TV series – which I will continue to use as an analogy that little boy to be your user, who has to fend off security issues all by himself
  10. I wanted to come back to the point about how to keep your users safe and what that means. MOST security flaws not be discovered by your DEVS, But Outsiders => One of the reasons v proc is to encourage reporters to work with you I think that side of things is well understood
  11. Now you know of an issue And you need to get your developers to fix issues as fast as possible In the Xen Project, we have managed to do this typically in a week (in a few cases it took 2)
  12. So now we have a fix and we can get this out to end users. And that’s where it get’s messy and where Different types of users: products built from your sw Services End-user Typically, unless you are and end-user project with auto-upgrade capability, you don’t have control of that part of the process.
  13. So what do various projects actually do? Sample …. Linux: depends on how it is reported Predominant model for established projects Responsible disclosure (and in practice that applies to the kernel also) Distro/Cloud … explain that later Newer projects: not clear
  14. NOTES: Wake-up call for ODL via Netdump First release OpenDayLight was not in production yet The issue spurred the project into creating a vulnerability process and security team *before* it does go into production
  15. 15M ----
  16. Resp : predominant model => detail Point out ORANGE What & Who?
  17. Going to look at a couple of examples
  18. 17M
  19. Apple: 6 months (cross app resource vulnerability to allows access to keychain data, BIOS) Trade-off: disclosure time
  20. Another trade-off
  21. Refer to Intel talk at OSCON: makes the case that open source projects are more secure, because the proportion of high to severe issues is lower than in commercial products
  22. 23M
  23. Also depends on your user: this talk is about cloud security
  24. Who should be on your predisclosure list
  25. #1: High Value target #2: At scale, deploying fixes may take a week or two
  26. So what do various projects actually do? Sample …. Linux: depends on how it is reported Predominant model for established projects Responsible disclosure (and in practice that applies to the kernel also) Distro/Cloud … explain that later Newer projects: not clear
  27. This has not been an issue for the Xen Project, which has been operating an inclusive list for 2+ years Also: only issues for which fixes exist could normally be leaked
  28. One thing you could do is to focus on a subset of service providers, e.g. large ones, or paying members, …
  29. 30M
  30. What was interesting, was a large vendor – call it V CEOs of members of the security team, maintainers and committers to get a 6 week extension Handed of handling off this CVE off to Mitre
  31. Was: distros + VERY LARGE users Small service providers felt they could go out of business because of a sec issue, while large vendors reputation merely would be damaged What about service providers who are customers of a commercial distro? They shouldn’t be disadvantaged
  32. An example of transparency
  33. OpenStack process is similar to the Xen Project process If you don’t publish the list, fewer users want to join
  34. 40M
  35. After the cloud reboot, we were suddenly a high profile target for the tech press Every time we made a point release (which contained some XSA’s) the story was a security atory Every XSA is now a security story (regardless of whether it is Xen or QEMU)
  36. TIMING: 16 MINUTES
  37. TIMING: 16 MINUTES