Trusted Virtual Datacenter and Trusted Computing
Slide 1: Trusted Virtual Datacenter and Trusted Computing: What about Cryptography?
Reiner Sailer, IBM Thomas J. Watson Research Center, Hawthorne, NY
Joint work with: Stefan Berger, Ramón Cáceres, Kenneth Goldman, Dimitrios Pendarakis, Ronald Perez, Josyula R. Rao, Wayne Schildhauer, Eran Rom, Deepa Srinivasan, Sivan Tal, Ray Valdez
2008 IBM Corporation

Slide 2: High Utilization Benefits Power Consumption
- Relative power consumption (RPC) is lowest at high server utilization; virtualization raises utilization (chart: RPC against utilization from 0% to 100%)
Slide 3: Collocating Customers Raises Isolation Concerns
- Complication: moving different customers onto the same platform raises concerns related to their isolation ("Just pretend I'm not here")
- Customer feedback suggests that insufficient isolation can be a disruptive force hindering virtualization

Slide 4: We Must Strengthen Isolation Three-fold!
- Trusted Virtual Datacenter = adding controls on data sharing between VMs to improve isolation
- + continuously monitoring isolation mechanisms and configurations
- + automating security management to account for the increasing dynamics of Cloud Computing
Slide 5: Virtualization-based Security Management
- Virtual resources (Blue workload: IHS, DB2; Green workload: IHS, DB2) are mapped onto shared physical resources (figure)

Slide 6: Isolation Mechanisms: Holistic Workload Protection (Virtual Domain view)
- Run-time isolation: isolate VMs of different colors
- Network isolation: isolate traffic of different colors
- Storage isolation: isolate storage of different colors
- Management isolation: separate tenant administrators responsible for different colors
Slide 7: Cryptography Offers Decisive Advantages for Isolation
- Cryptography can translate a communications / storage security problem into a key management problem
- Three major challenges for cryptography in virtualized environments:
  - Side channels can leak keys from Secure VMs
  - Credentials must be virtualized and automatically managed
  - Integrity of key-keeping VMs must be managed effectively

Slide 8: TVDc: Orchestrating Server, Network & Storage Isolation
- (Figure) System/service management solutions, driven by the data center administrator, configure a Blue Trusted Virtual Domain (IHS, DB2) across a System x host (Xen/sHype: Dom0, Dom Us, XenAPI, Blue and Green bridges) and a System P host (PHYP/sHype: LPARs, Virtual IO Server, Mgmt), with Blue and Green VLANs and SVC storage
Slide 9: Cryptography Usage: where cryptography is used in the data center (list is not exhaustive)
- Run-time: crypto service VMs (credential management, virtual crypto hardware)
- Networking:
  - Layer 2: additional protection beyond logical virtual LANs
  - Layer 3: bridging public networks between data-center locations (IPSEC)
  - Higher layers: protecting access to DC services from external clients (SSL)
- Storage:
  - Block-level encryption to protect from theft of storage devices
  - File-system-level encryption as close to the consumer processes as possible
  - Credentials required for VMs accessing storage devices
- Virtualization platform management: authentication, key management

Slide 10: Crypto Requirement: Side Channel Resistance
- Security services and related keys move from guests into a specialized Security VM
- Complication: keys can still leak through side channels
  - Perfect confinement of VMs is problematic, e.g., I/D cache on Intel/AMD, hypervisor storage and timing channels
- Crypto opportunity: the Secure VM can help protect keys by decoupling resource usage from the key
  - Frequent re-keying
  - Crypto hardware can protect keys even if the trusted VM becomes corrupt
Slide 11: TVDc Centralized Policy-Driven Storage Isolation
- Purely physical access attributes
- Logical credentials bound to physical attributes
- Purely logical credentials: + can migrate, - abusable if leaked
- (Figure: SAN storage system)

Slide 12: Capability-based Secure Access Control to Networked Storage Devices
- (Figure) Steps shown: (1) CreateVolume(secretKey) on the storage system (SVC LUN); (2) CreateVM(label, privKey); (3) MapVolume(uuid, vol_id) through the Integrated Manager's policy; StartVM(uuid); the management VM (Dom0, with ACM) authenticates and requests the credential, which is returned; (7) guest VM I/O requests pass through the VBD, SCSI driver and HBA to the SVC LUN
Slide 13: Crypto Requirement: Automatic Credential Management
- Virtualizing physical attributes that are used for security is complicated:
  - physical attributes are shared by multiple guests
  - keys / credentials become invalid after VM migration
- Example case: channel-bound storage access credentials
  - Virtualization management migrates VMs to optimize availability, utilization, ...
  - Updating physical attributes (e.g., port zoning, LUN masking) is complicated
  - Purely logical credentials introduce the risk of abuse of leaked credentials
- Risk mitigation:
  - Re-issue credentials associated with physical attributes after migration
  - Introduce a validation period for credentials

Slide 14: (Figure: a Secure VM moving between hypervisors)
Slide 15: Trusted Computing: Integrity Measurement Architecture
- Attesting system: the boot process (TCG Grub, kernel), kernel modules, programs, libraries, configurations and structured data of the real system are measured; the IMA kernel module records SHA1(Boot Process), SHA1(Kernel), SHA1(Kernel Modules), SHA1(Program), SHA1(Libraries), SHA1(Configurations), SHA1(Structured data), protected by a TPM-signed PCR integrity value
- Verifying system: analysis against known fingerprints deduces system properties (the inferred system)
- (1) Measurement, (2) Attestation, (3) Verification

Slide 16: VMM Integrity Verification Example (Xen)
- VMM measurement list, checked against the fingerprint DB:
  #000: BC55F0AFE013C3402F00E0AA11EE6CFAA2B4D2AB aggregate (bios + grub stages)
  #001: A8A865C7203F2565DDEB511480B0A2289F7D035B grub.conf (boot configuration)
  #002: 1238AD50C652C88D139EA2E9987D06A99A2A22D1 xen.gz
  #003: 84ABD CA4A448E0D2C9364B4E1725BDA4F isolation_policy.bin
  #004: 9ECF02F90A2EE2080D DE47968C8A1BE3D linux xen
  #317: BC55F0AFE013C3402F00E0AA11EE6CFAA2B4D2AB /bin/login
  #318: A8A865C7203F2565DDEB511480B0A2289F7D035B /usr/bin/httpd
  #319: 1238AD50C652C88D139EA2E9987D06A99A2A22D1 /usr/bin/java
  #320: 84ABD CA4A448E0D2C9364B4E1725BDA4F /usr/bin/sshd
  #321: 9ECF02F90A2EE2080D DE47968C8A1BE3D /usr/bin/python
- (Figure: hypervisor with a Secure VM)
- Known fingerprints = Acceptable + Malicious + Out of Policy
Slide 17: Crypto Requirement: Commutative Fingerprint Aggregation
- The TPM protects the measurement list against insertion, deletion and re-ordering: PCR_new := SHA1(PCR_old, M) where M = Hash(Program)
- If the system yielded the same PCR value for the same set of fingerprints regardless of order (figure: A C D B versus C A B D):
  - property verification and comparison would be greatly simplified
  - anomalies would be easier to identify

Slide 18: Summary
- Virtualization is driven by its energy saving potential
- TVDc / Trusted Computing can mitigate the risk of collocating customers:
  - improving on isolation between workloads
  - continuous integrity monitoring and anomaly detection
  - simplified and policy-driven data center security configuration
- Cryptography is essential but also faces challenges (opportunities):
  - side-channel resistant cryptographic implementations
  - scalable and autonomic key / credential management supporting VM migration
  - effective integrity management for the VMM and Secure VMs
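The verification path of slides 15 to 17, as an added example that is not code from the slides or from IMA: the verifier replays a measurement list through the extend rule PCR_new := SHA1(PCR_old || M), compares the result with the TPM-attested PCR, classifies each entry against a known-fingerprint database, and shows that the same set of fingerprints in another order gives a different PCR. The fingerprint database, file names and measurement list are constructed for the example.

```python
"""Added example: replay an IMA-style measurement list through the TPM extend rule
and classify its entries. Not the slides' or IMA's code; all data is constructed."""
import hashlib


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# Constructed fingerprint database (slide 16: Acceptable + Malicious + Out of Policy).
# Real entries would be SHA1 digests of shipped binaries; these hash made-up strings.
KNOWN_FINGERPRINTS = {
    sha1_hex(b"demo bios+grub aggregate"): ("acceptable", "boot_aggregate"),
    sha1_hex(b"demo xen.gz current"): ("acceptable", "xen.gz"),
    sha1_hex(b"demo sshd current"): ("acceptable", "/usr/bin/sshd"),
    sha1_hex(b"demo sshd old"): ("out_of_policy", "/usr/bin/sshd (old patch level)"),
    sha1_hex(b"demo rootkit module"): ("malicious", "Linux Root Kit"),
}

PCR_RESET = "00" * 20  # PCR contents after platform reset (TPM 1.2, 20-byte SHA-1 size)


def pcr_extend(pcr_old_hex: str, m_hex: str) -> str:
    """PCR_new := SHA1(PCR_old || M), the extend rule of slide 17."""
    return sha1_hex(bytes.fromhex(pcr_old_hex) + bytes.fromhex(m_hex))


def replay_pcr(measurement_list) -> str:
    """Recompute the PCR from the list in the order the TPM extended it."""
    pcr = PCR_RESET
    for _, m_hex, _ in measurement_list:
        pcr = pcr_extend(pcr, m_hex)
    return pcr


def verify(measurement_list, attested_pcr_hex: str):
    """Verifier side (slide 15, step 3). Returns (list_is_authentic, verdicts).

    list_is_authentic is False if any entry was inserted, deleted or re-ordered,
    because the extend chain depends on order. verdicts classifies each entry;
    'unknown' means the fingerprint database has no record of it."""
    authentic = replay_pcr(measurement_list) == attested_pcr_hex
    verdicts = []
    for idx, m_hex, name in measurement_list:
        verdict, _ = KNOWN_FINGERPRINTS.get(m_hex, ("unknown", None))
        verdicts.append((idx, name, verdict))
    return authentic, verdicts


def worst_verdict(verdicts) -> str:
    """Overall system property: the worst classification in the list wins."""
    order = ["acceptable", "unknown", "out_of_policy", "malicious"]
    return max((v for _, _, v in verdicts), key=order.index)


# Constructed measurement list: (index, SHA1 of the measured object, recorded name).
# Entry 2 is a kernel module whose fingerprint the database lists as a rootkit.
SAMPLE_LIST = [
    (0, sha1_hex(b"demo bios+grub aggregate"), "boot_aggregate"),
    (1, sha1_hex(b"demo xen.gz current"), "xen.gz"),
    (2, sha1_hex(b"demo rootkit module"), "/lib/modules/demo.ko"),
    (3, sha1_hex(b"demo sshd current"), "/usr/bin/sshd"),
]


def demo():
    # The attesting system returns this PCR signed by the TPM (slide 15).
    attested = replay_pcr(SAMPLE_LIST)
    ok, verdicts = verify(SAMPLE_LIST, attested)
    # A list with the rootkit entry deleted: the signed PCR still covers it,
    # so the replay no longer matches and the deletion is detected.
    ok_tampered, _ = verify([e for e in SAMPLE_LIST if e[0] != 2], attested)
    # Slide 17: the same set of fingerprints in a different order yields a
    # different PCR; this is the non-commutativity the slide wants to remove.
    reordered = [SAMPLE_LIST[1], SAMPLE_LIST[0]] + SAMPLE_LIST[2:]
    return ok, worst_verdict(verdicts), ok_tampered, replay_pcr(reordered) != attested


if __name__ == "__main__":
    print(demo())  # (True, 'malicious', False, True)
```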
Slide 19: References and Related Work
- TVDc: Managing Security in the Trusted Virtual Datacenter. Stefan Berger, Ramón Cáceres, Dimitrios Pendarakis, Ronald Perez, Reiner Sailer, Wayne Schildhauer, Deepa Srinivasan, Enriquillo Valdez. ACM SIGOPS Operating Systems Review, Vol. 42, Issue 1, January.
- Retrofitting the IBM POWER Hypervisor to Support Mandatory Access Control. Enriquillo Valdez, Reiner Sailer, Ronald Perez. 23rd Annual Computer Security Applications Conference (ACSAC), Florida, December.
- Capability based Secure Access Control to Networked Storage Devices. Michael Factor, Dalit Naor, Eran Rom, Julian Satran, Sivan Tal. IEEE Conference on Mass Storage Systems and Technologies (MSST), September.
- Shamon: A System for Distributed Mandatory Access Control. Jonathan M. McCune, Stefan Berger, Ramón Cáceres, Trent Jaeger, Reiner Sailer. 22nd Annual Computer Security Applications Conference (ACSAC), Miami Beach, Florida, December 2006.
- vTPM: Virtualizing the Trusted Platform Module. Stefan Berger, Ramón Cáceres, Kenneth Goldman, Ronald Perez, Reiner Sailer, Leendert van Doorn. 15th USENIX Security Symposium, Vancouver, Canada, July.
- Building a MAC-based Security Architecture for the Xen Opensource Hypervisor. Reiner Sailer, Trent Jaeger, Enriquillo Valdez, Ramón Cáceres, Ronald Perez, Stefan Berger, John Griffin, Leendert van Doorn. 21st Annual Computer Security Applications Conference (ACSAC), Tucson, Arizona, December.
- Design and Implementation of a TCG-based Integrity Measurement Architecture. Reiner Sailer, Xiaolan Zhang, Trent Jaeger, Leendert van Doorn. 13th USENIX Security Symposium, San Diego, California, August.
In the interest of space, please refer to the references of the cited papers for further related work.

Slide 20: BACKUP
Slide 21: Trusted Computing and Virtualization Timeline
- (Figure) IBM IMA for Linux; MS NGSCB 1..; IBM sHype; IBM vTPM; NAC; MS Vista BitLocker; TCG TPM 1.1 (SRTM); TCG TPM 1.2 (DRTM); AMD SVM SKINIT; Intel LT SENTER
Slide 22: sHype: Enabling Trusted Virtual Datacenters
- TVDc (manages): workload isolation + integrity; integrated isolation management across networking/storage resources; radically simplified workload management (workloads: managed services, human resources, coalition, payroll)
- sHype (controls sharing)
- Xen VMM (virtualizes + isolates) VMs
- Core root of trust: TPM + HSM

Slide 23: Trusted Virtual Data Center Value Proposition
- Radically simplifies security management; reduces the risk of security exposures through consistent, policy-driven enforcement
- Isolation management enforces restrictions on administration and data sharing:
  - who can manage what
  - which customers can run together
  - how virtual machines can share data
- Integrity management maintains a software inventory and acts as an early warning system for anomalies:
  - what is running in each VM
  - whether VMs/systems are correctly configured
  - whether VMs are up to date with patches
Slide 25: Secure Hypervisor Architecture (sHype)
- VMs (Linux, MS Windows) run beside Secure Services: auditing, monitoring, metering, ...; secure (isolated) services, e.g. policy management
- Xen / sHype: resource control and metering; access control between partitions
- Hardware: isolation between partitions; attested boot and run-time (TCG/TPM, IMA)
- Sailer, Jaeger, Valdez, Cáceres, Perez, Berger, Griffin, van Doorn: Building a MAC-based Security Architecture for the Xen Opensource Hypervisor. 21st ACSAC.

Slide 26: sHype Access Control Architecture (Example: Xen)
- Hypervisor security hooks mediate inter-VM communication and resource access and interact with the ACM for the access decision
- The Access Control Module (ACM) implements the policy model; callbacks reach the Dom0 secure (management) services
- Flexible framework: supports multiple policies
- Implemented for Xen, PHYP and rHype in various stages
Slide 27: 2. Distributed Isolation Enforcement at Run-time (secure hypervisor extensions sHype/ACM)
1. Control sharing
2. Control what a system can run
3. Enforce rules for anti-collocation (Anti-Collocation: { , })
- Xen: integrated into the open-source distribution
- PHYP Access Control Module (research prototype)

Slide 28: Virtual TPMs Enable VM Integrity Attestation
- Berger, Cáceres, Goldman, Perez, Sailer, van Doorn: vTPM: Virtualizing the Trusted Platform Module. 15th USENIX Security Symposium, July.
- IMA-enabled guest kernels/OSes attest through virtual TPMs
- Virtual TPMs support the current IMA via vTPMs (flexible, scalable)
- Policy manager: measure hardware, hypervisor and critical services
- Secure hypervisor with ACM; hardware core root of trust
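The three run-time decisions of slide 27 (control sharing, control what a system can run, enforce anti-collocation) plus the management isolation of slide 23, as an added example: a toy policy with TVD colors and a conflict set, evaluated at the points where the slides place the hypervisor hooks. This is not the sHype ACM code or its policy format; the labels, resources, conflict set and admin roles are constructed.

```python
"""Added example: color-based sharing control and anti-collocation decisions in
the style of the sHype/ACM hooks. Constructed policy; not the real ACM format."""

# Constructed policy. Each VM label carries the set of colors it may touch;
# each resource (vLAN, virtual block device) carries exactly one color.
POLICY = {
    "vm_labels": {
        "payroll-db": {"blue"},
        "payroll-web": {"blue"},
        "coalition-fw": {"green", "red"},  # a gateway VM bridging two domains
        "hr-app": {"red"},
    },
    "resources": {
        "vlan-blue": "blue",
        "vbd-payroll": "blue",
        "vlan-green": "green",
        "vlan-red": "red",
    },
    # Chinese-wall style: VMs of different colors from one set may not run on
    # the same host at the same time (the "Anti-Collocation: { , }" of slide 27).
    "anti_collocation": [{"blue", "red"}],
    # Management isolation (slide 23, "who can manage what").
    "admins": {"blue-admin": {"blue"}, "green-admin": {"green"}},
}


def may_share(vm: str, resource: str, policy=POLICY) -> bool:
    """Resource-access hook: a VM may use a resource only if it holds its color."""
    return policy["resources"][resource] in policy["vm_labels"][vm]


def may_communicate(vm_a: str, vm_b: str, policy=POLICY) -> bool:
    """Inter-VM communication hook: allowed only through a common color."""
    return bool(policy["vm_labels"][vm_a] & policy["vm_labels"][vm_b])


def may_start(vm: str, running_on_host, policy=POLICY):
    """VM-start hook: refuse if the new VM and a running VM together bring more
    than one color of any conflict set to the host. Returns (allowed, conflict)."""
    mine = policy["vm_labels"][vm]
    for other in running_on_host:
        both = mine | policy["vm_labels"][other]
        for conflict_set in policy["anti_collocation"]:
            if len(both & conflict_set) > 1:
                return False, other
    return True, None


def may_manage(admin: str, vm: str, policy=POLICY) -> bool:
    """Management hook: an admin controls only VMs whose colors are all theirs."""
    return policy["vm_labels"][vm] <= policy["admins"].get(admin, set())


def demo():
    return (
        may_share("payroll-db", "vbd-payroll"),       # True: same color
        may_share("hr-app", "vlan-blue"),             # False: red VM, blue network
        may_communicate("coalition-fw", "hr-app"),    # True: share red
        may_start("payroll-web", ["payroll-db"]),     # (True, None): both blue
        may_start("hr-app", ["payroll-db"]),          # (False, 'payroll-db')
        may_manage("green-admin", "coalition-fw"),    # False: VM also carries red
    )


if __name__ == "__main__":
    print(demo())
```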
Slide 29: vTPM+IMA: Focus on Solving Real Problems
- Configuration management: configure server classes; verify configuration against the software stack
- Problem management: automatically detect and isolate real problems; direct intelligence towards those real problems; fix problems efficiently; verify that problems no longer exist
- (Figure) Two measurement lists, System A and System B. One system calls "HELP!":
  #000: BC55F0AFE013C...E6CFAA2B4D2AB boot_aggregate (bios + grub stages)
  #001: A8A865C7203F2...0A2289F7D035B grub.conf (boot configuration)
  #002: 1238AD50C652C...87D06A99A22D1 vmlinuz bk2-lsmtcg
  #003: 84ABD C B4E5BDA4F init (first process)
  #004: 9ECF02F90A2EE...5DE4798A1BE3D ld so (dynamic linker)
  #005: 1238AD50C652C...87D06A99A22D1 Linux Root Kit
  #006: 84ABD C B4E5BDA4F Unknown Program
  The other runs an old patch level:
  #000: BC55F0AFE013C...E6CFAA2B4D2AB boot_aggregate (bios + grub stages)
  #001: A8A865C7203F2...0A2289F7D035B grub.conf (boot configuration)
  #002: 1238AD50C652C...87D06A99A22D1 vmlinuz bk2-lsmtcg
  #003: 84ABD C B4E5BDA4F init (first process)
  #004: 9ECF02F90A2EE...5DE4798A1BE3D ld so (dynamic linker)
  #005: 1238AD50C652C...87D06A99A22D1 Illegal Config /etc/http.conf
  #006: 84ABD C B4E5BDA4F Old HTTP Server 1.1

Slide 30: Weinberg's Second Law of Programming
"If builders built buildings the way programmers write programs, the first woodpecker to come along would destroy civilization."
Slide 31: TVDc Centralized Policy-Driven Storage Isolation
- Purely physical access attributes: the SAN admin configures the storage system manually
- Logical credentials bound to physical attributes
- Purely logical credentials: + can migrate, - abusable if leaked; a security manager creates the credentials and sets them on the storage system

Slide 32: Crypto Requirement: Automatic Credential Management
- Virtualizing physical attributes that are used for security can be complicated:
  - it removes the uniqueness, since the attribute is reused by guests
  - it complicates key and credential management across migration, since keys / credentials can become invalid after migration due to changing physical attributes
- Example case: channel-bound storage access credentials (networked storage access)
  - Virtualization management migrates VMs to optimize availability, utilization, etc.
  - Storage access control relying on physical attributes (e.g., port zoning, LUN masking) is complicated, since those change with migration and are shared between virtual machines
  - Storage access control based purely on logical credentials introduces the risk of unauthorized access through abuse of leaked credentials
- Risk mitigation:
  - Credentials associated with physical attributes can be re-issued after migration
  - Credentials with a short validity period become invalid after expiration even if leaked
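The two mitigations of slides 13 and 32, as an added example that is not TVDc's implementation: a storage access credential signed by the security manager, bound to the physical channel the VM's I/O arrives on, and limited to a short validity period. After migration the old credential fails the channel check and is re-issued; a leaked copy stops working when its period ends. The shared secret, WWPN-style port names, VM and volume identifiers and timestamps are constructed.

```python
"""Added example: channel-bound, time-limited storage access credentials.
Not TVDc's code; the secret, identifiers and timestamps are constructed."""
import hashlib
import hmac
import json

# Constructed secret shared between the security manager and the storage system
# (the role CreateVolume(secretKey) plays on slide 12).
SHARED_SECRET = b"constructed-demo-secret"


def _sign(body: dict) -> str:
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SHARED_SECRET, payload, hashlib.sha256).hexdigest()


def issue_credential(vm_uuid, volume_id, port_wwpn, now, validity_s=300):
    """Security manager: bind (VM, volume) to the channel the VM currently uses
    and to a short validity window [nbf, exp)."""
    body = {"vm": vm_uuid, "vol": volume_id, "port": port_wwpn,
            "nbf": now, "exp": now + validity_s}
    return {"body": body, "tag": _sign(body)}


def check_io(cred, vm_uuid, volume_id, arriving_port, now):
    """Storage system: decide one I/O request. Returns (allowed, reason).
    The channel check only helps if the fabric lets the storage system trust
    the port an I/O arrives on (port zoning, as the slides assume)."""
    if not hmac.compare_digest(_sign(cred["body"]), cred["tag"]):
        return False, "forged or modified credential"
    b = cred["body"]
    if not b["nbf"] <= now < b["exp"]:
        return False, "expired"  # a leaked credential dies with its period
    if (b["vm"], b["vol"]) != (vm_uuid, volume_id):
        return False, "credential is for a different VM or volume"
    if b["port"] != arriving_port:
        return False, "channel mismatch"  # replayed elsewhere, or VM migrated
    return True, "ok"


def reissue_after_migration(cred, new_port, now):
    """Virtualization management reports the new host; the security manager
    re-issues the credential for the new physical attribute (slide 32)."""
    b = cred["body"]
    return issue_credential(b["vm"], b["vol"], new_port, now, b["exp"] - b["nbf"])


def demo():
    t0 = 1_000  # constructed clock, seconds
    cred = issue_credential("vm-blue-1", "vol-17", "wwpn-host-a", t0)
    before = check_io(cred, "vm-blue-1", "vol-17", "wwpn-host-a", t0 + 10)[0]
    # The VM migrates to host B: same credential, different channel, rejected.
    after_move = check_io(cred, "vm-blue-1", "vol-17", "wwpn-host-b", t0 + 20)[1]
    fresh = reissue_after_migration(cred, "wwpn-host-b", t0 + 20)
    after_reissue = check_io(fresh, "vm-blue-1", "vol-17", "wwpn-host-b", t0 + 30)[0]
    # The old credential leaks; once its period has passed it is useless anywhere.
    leaked_later = check_io(cred, "vm-blue-1", "vol-17", "wwpn-host-a", t0 + 400)[1]
    # Editing the body to point at another volume invalidates the tag.
    forged = {"body": dict(cred["body"], vol="vol-99"), "tag": cred["tag"]}
    forged_res = check_io(forged, "vm-blue-1", "vol-99", "wwpn-host-a", t0 + 10)[1]
    return before, after_move, after_reissue, leaked_later, forged_res


if __name__ == "__main__":
    print(demo())
```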
More informationProfessional Xen Visualization
Professional Xen Visualization William von Hagen WILEY Wiley Publishing, Inc. Acknowledgments Introduction ix xix Chapter 1: Overview of Virtualization : 1 What Is Virtualization? 2 Application Virtualization
More informationProtecting the Cloud from Inside
Protecting the Cloud from Inside Intra-cloud security intelligence Protection of Linux containers Mitigation of NoSQL injections Alexandra Shulman-Peleg, PhD Cloud Security Researcher, IBM Cyber Security
More informationLecture Embedded System Security Dynamic Root of Trust and Trusted Execution
1 Lecture Embedded System Security Dynamic Root of Trust and Execution Prof. Dr.-Ing. Ahmad-Reza Sadeghi System Security Lab Technische Universität Darmstadt (CASED) Germany Summer Term 2014 Dynamic Root
More informationLecture 02b Cloud Computing II
Mobile Cloud Computing Lecture 02b Cloud Computing II 吳 秀 陽 Shiow-yang Wu T. Sridhar. Cloud Computing A Primer, Part 2: Infrastructure and Implementation Topics. The Internet Protocol Journal, Volume 12,
More informationEstablishing and Sustaining System Integrity via Root of Trust Installation
Establishing and Sustaining System Integrity via Root of Trust Installation Luke St.Clair, Joshua Schiffman, Trent Jaeger, Patrick McDaniel Systems and Internet Infrastructure Security Laboratory The Pennsylvania
More informationCPET 581 Cloud Computing: Technologies and Enterprise IT Strategies. Virtualization of Clusters and Data Centers
CPET 581 Cloud Computing: Technologies and Enterprise IT Strategies Lecture 4 Virtualization of Clusters and Data Centers Text Book: Distributed and Cloud Computing, by K. Hwang, G C. Fox, and J.J. Dongarra,
More informationHow to Secure Infrastructure Clouds with Trusted Computing Technologies
How to Secure Infrastructure Clouds with Trusted Computing Technologies Nicolae Paladi Swedish Institute of Computer Science 2 Contents 1. Infrastructure-as-a-Service 2. Security challenges of IaaS 3.
More informationControl your corner of the cloud.
Chapter 1 of 5 Control your corner of the cloud. From the halls of government to the high-rise towers of the corporate world, forward-looking organizations are recognizing the potential of cloud computing
More informationUSING VIRTUALIZATION TECHNIQUE TO INCREASE SECURITY AND REDUCE ENERGY CONSUMPTION IN CLOUD COMPUTING
International Journal of Research in Computer Science eissn 2249-8265 Volume 4 Issue 2 (2014) pp. 25-30, A Unit of White Globe Publications doi: 10.7815/ijorcs.42.2014.082 USING VIRTUALIZATION TECHNIQUE
More informationSecuring sensitive data at Rest ProtectFile, ProtectDb and ProtectV. Nadav Elkabets Presale Consultant
Securing sensitive data at Rest ProtectFile, ProtectDb and ProtectV Nadav Elkabets Presale Consultant Protecting Your Data Encrypt Your Data 1 ProtectFile StorageSecure ProtectDB ProtectV Databases File
More informationVirtualization. Jukka K. Nurminen 23.9.2015
Virtualization Jukka K. Nurminen 23.9.2015 Virtualization Virtualization refers to the act of creating a virtual (rather than actual) version of something, including virtual computer hardware platforms,
More informationChapter 14 Virtual Machines
Operating Systems: Internals and Design Principles Chapter 14 Virtual Machines Eighth Edition By William Stallings Virtual Machines (VM) Virtualization technology enables a single PC or server to simultaneously
More information16 April 2015. Cloud Security. Dr. Andreas Wespi. 2015 IBM Corporation
16 April 2015 Cloud Security Dr. Andreas Wespi The Roots of Cloud Computing Malcolm McLean, one of the founders of Cloud Computing, back in 1956 Born on Nov. 14, 1913, in Maxton, North Carolina Malcolm
More informationDynamic Load Balancing of Virtual Machines using QEMU-KVM
Dynamic Load Balancing of Virtual Machines using QEMU-KVM Akshay Chandak Krishnakant Jaju Technology, College of Engineering, Pune. Maharashtra, India. Akshay Kanfade Pushkar Lohiya Technology, College
More informationPosition Paper: Can the Web Really Use Secure Hardware?
Position Paper: Can the Web Really Use Secure Hardware? Justin King-Lacroix 1 Department of Computer Science, University of Oxford justin.king-lacroix@cs.ox.ac.uk Abstract. The Web has become the platform
More information9/26/2011. What is Virtualization? What are the different types of virtualization.
CSE 501 Monday, September 26, 2011 Kevin Cleary kpcleary@buffalo.edu What is Virtualization? What are the different types of virtualization. Practical Uses Popular virtualization products Demo Question,
More informationNetwork Virtualization
Network Virtualization What is Network Virtualization? Abstraction of the physical network Support for multiple logical networks running on a common shared physical substrate A container of network services
More informationCitrix XenServer 7 Feature Matrix
Citrix XenServer 7 Matrix Citrix XenServer 7 Matrix A list of Citrix XenServer 7 features by product edition, including entitlements XenApp and XenDesktop license holders. The most comprehensive application
More informationVirtualization Technology
Virtualization Technology A Manifold Arms Race Michael H. Warfield Senior Researcher and Analyst mhw@linux.vnet.ibm.com 2008 IBM Corporation Food for Thought Is Virtual Reality an oxymoron or is it the
More informationServervirualisierung mit Citrix XenServer
Servervirualisierung mit Citrix XenServer Paul Murray, Senior Systems Engineer, MSG EMEA Citrix Systems International GmbH paul.murray@eu.citrix.com Virtualization Wave is Just Beginning Only 6% of x86
More informationInfrastructure as a Service (IaaS)
Infrastructure as a Service (IaaS) (ENCS 691K Chapter 4) Roch Glitho, PhD Associate Professor and Canada Research Chair My URL - http://users.encs.concordia.ca/~glitho/ References 1. R. Moreno et al.,
More informationBest Practices on monitoring Solaris Global/Local Zones using IBM Tivoli Monitoring
Best Practices on monitoring Solaris Global/Local Zones using IBM Tivoli Monitoring Document version 1.0 Gianluca Della Corte, IBM Tivoli Monitoring software engineer Antonio Sgro, IBM Tivoli Monitoring
More informationmanaging the risks of virtualization
managing the risks of virtualization Chris Wraight CA Technologies 28 February 2011 Session Number 8951 abstract Virtualization opens the door to a world of opportunities and well managed virtualization
More informationRED HAT ENTERPRISE VIRTUALIZATION FOR SERVERS: COMPETITIVE FEATURES
RED HAT ENTERPRISE VIRTUALIZATION FOR SERVERS: COMPETITIVE FEATURES RED HAT ENTERPRISE VIRTUALIZATION FOR SERVERS Server virtualization offers tremendous benefits for enterprise IT organizations server
More informationDIABLO TECHNOLOGIES MEMORY CHANNEL STORAGE AND VMWARE VIRTUAL SAN : VDI ACCELERATION
DIABLO TECHNOLOGIES MEMORY CHANNEL STORAGE AND VMWARE VIRTUAL SAN : VDI ACCELERATION A DIABLO WHITE PAPER AUGUST 2014 Ricky Trigalo Director of Business Development Virtualization, Diablo Technologies
More informationOn the security of Virtual Machine migration and related topics
Master thesis On the security of Virtual Machine migration and related topics Ramya Jayaram Masti Submitted in fulfillment of the requirements of Master of Science in Computer Science Department of Computer
More informationTrustworthy Computing
Stefan Thom Senior Software Development Engineer and Security Architect for IEB, Microsoft Rob Spiger, Senior Security Strategist Trustworthy Computing Agenda Windows 8 TPM Scenarios Hardware Choices with
More informationHBA Virtualization Technologies for Windows OS Environments
HBA Virtualization Technologies for Windows OS Environments FC HBA Virtualization Keeping Pace with Virtualized Data Centers Executive Summary Today, Microsoft offers Virtual Server 2005 R2, a software
More informationWindows Server 2008 R2 Hyper V. Public FAQ
Windows Server 2008 R2 Hyper V Public FAQ Contents New Functionality in Windows Server 2008 R2 Hyper V...3 Windows Server 2008 R2 Hyper V Questions...4 Clustering and Live Migration...5 Supported Guests...6
More informationCFCC: Covert Flows Confinement For VM Coalitions Ge Cheng, Hai Jin, Deqing Zou, Lei Shi, and Alex K. Ohoussou
CFCC: Covert Flows Confinement For VM Coalitions Ge Cheng, Hai Jin, Deqing Zou, Lei Shi, and Alex K. Ohoussou 服 务 计 算 技 术 与 系 统 教 育 部 重 点 实 验 室 (SCTS) 集 群 与 网 格 计 算 湖 北 省 重 点 实 验 室 (CGCL) Outline Background
More informationData Firewall: A TPM-based Security Framework for Protecting Data in Thick Client Mobile Environment
Regular Paper Journal of Computing Science and Engineering, Vol. 5, No. 4, December 2011, pp. 331-337 Data Firewall: A TPM-based Security Framework for Protecting Data in Thick Client Mobile Environment
More informationNetwork Access Control in Virtual Environments. Technical Note
Contents Security Considerations in.... 3 Addressing Virtualization Security Challenges using NAC and Endpoint Compliance... 3 Visibility and Profiling of VMs.... 4 Identification of Rogue or Unapproved
More informationIBM Cloud Security Draft for Discussion September 12, 2011. 2011 IBM Corporation
IBM Cloud Security Draft for Discussion September 12, 2011 IBM Point of View: Cloud can be made secure for business As with most new technology paradigms, security concerns surrounding cloud computing
More informationTowards Trustworthy Clouds
IBM Research Zurich Christian Cachin 12 September 2013 Towards Trustworthy Clouds 2009 IBM Corporation Cloud computing? 2 Cloud services are convenient No investment cost Pay only for consumption Scalable
More informationTowards Trusted Environment in Cloud Monitoring
Towards Trusted Environment in Cloud Monitoring Tuomas Kekkonen, Teemu Kanstrén VTT Technical Research Centre of Finland Oulu, Finland firstname.lastname@vtt.fi Kimmo Hätönen Nokia Solutions and Networks
More informationIntel Cloud Builders Guide: Cloud Design and Deployment on Intel Platforms
Intel Cloud Builders Guide Intel Xeon Processor-based Servers Enhancing Cloud Platform Security with Enomaly ECP* HAE and Dell PowerEdge* Servers Intel Cloud Builders Guide: Cloud Design and Deployment
More information