Building Efficient Integrity Measurement and Attestation for Mobile Phone Platforms
|
|
- Darlene Blankenship
- 8 years ago
- Views:
Transcription
1 Building Efficient Integrity Measurement and Attestation for Mobile Phone Platforms (with Onur Aciicmez and Xinwen Zhang) Jean-Pierre Seifert TU Berlin & Deutsche Telekom Laboratories, Berlin, Germany
2 Agenda 1. Background of this work 1. Final paper in a series of papers about a real commercial Trusted Mobile Phone development (not my first one, but my last one!) 2. TCG MPWG 2. Some problems of Trusted Computing in Practice 1. No hw TPM/MTM on phones although not really required, but would be quite sexy 2. Phones = limited processing power, boot time, power consumption 3. Virtualization on cellphones 4. IMA and PRIMA from IBM the quasi standard 3. Our original Prototype and its transfer problemsto Samsung s cellphone BU 4. Intrinsic and unique features of real cellphones to make it happen 5. Some architectural highlights 6. Conclusion
3 Paper Series (for this specific platform) Extending SELinux Policy Model and Enforcement towards Trusted Computing Paradigms Usage control platformization via trustworthy SELinux A trusted mobile phone reference architecture via secure kernel, ACM STC 2007 A Trusted mobile phone prototype Integrity Protection for Open Mobile Platforms Building Efficient Integrity Measurement and Attestation for Mobile Phone Platforms T. Jaeger et alii, Measuring integrity on mobile phone systems, SACMAT 2008
4 rusted Computing platforms today? Some TC activities: TCG Specifications of TPM (Trusted Platform Module) and many other things TPM is hardware root of trust Needs to be ubiquitous cheap, cheap, cheap therefore a performance bottleneck Additional Hardware already existing Intel s LaGrande Technology (LT, VT, iamt, TXT) AMD s Pacifica ARM s TrustZone OS/Software Microsoft Palladium NGSCB Longhorn Vista ->??? Linux, Xen, SE Linux, Trusted BSD, sel4, etc. Mostly NSA funded Supporting PKI needed
5 Architecture proposal from TCG TCG Mobile Trusted Module Specification (aka MTM) Spec v 1.0 released in June 2007 Some significant differences from TPM: Some simplified commands and some extra commands Local and remote platform owners To satisfy the business model of mobile phone Multiple MTM instances on a single devices Four different types of stakeholders Device manufacturer Network service provider General service provider End-user (customer)
6 Architecture proposal from TCG
7 Some problems of Trusted Computing in Practice No hw TPM/MTM on phones although not really required, but would be quite sexy No real estate on PCB board for extra chip No $ for extra chip from manufacturers No $ generating killer apps which cannot be realized otherwise in a good is good enough fashion Existing silicon embedded TPM s of Intel s Xscale series Bulverde, Monahan, etc. which are sold from Marvell as PXA 300, 310, 320 are not enabled in phones
8 Some problems of Trusted Computing in Practice Real world cell-phones: 200 Mhz Mb RAM Power consumption has #1 priority No extra instructions (LT, VT, Pacifica) as provided by x86 ARM TrustZone is not really available and not good enough Never change the internals of the OS: Symbian, Windows CE,
9 Trusted/Secure Boot Transitive Trust in the Boot process Enables extension of the trust boundary from layer to layer Each layer is responsible for determining the trustworthiness of the following layer
10 Secure Boot (via 96 MHz you are running into some problems if you have no hw acceleration and just measure the Linux kernel: usec Secure Boot pre OS start SHA1 Calculation Get_RSA_PubKey RSA_Verify Others 0 OpenSSL SHA1 throughput is 196 Mhz
11 irtualization on phones? VM Ware is for x86 Not happening very soon on ARM XEN comes from the server world Sure, was ported to ARM, but overhead??? so far not real-time capable as needed for phones! additionally to real-time we need to integrate security! as it is now, not productizable! VirtualLogix is real-time, but more or less just context-switching and no inherent security or isolation L4 microkernel Severe real-time issues, overhead??? Trango real-time, overhead??
12 Integrity Measurement Imagine a real world cell-phone 200 Mhz with a damnslowflash filesystem And implementing IBM Integrity Measurement Architecture (IMA) IMA extends GRUB to measure the kernel, ramdisk images, and grub.conf Also, a kernel module is implemented to measure OS components after the kernel is loaded (post-boot), including libraries, usual command and tool binaries, configuration files, and application modules. IMA has measurements and is even on desktops impractical!!! PRIMA extends IMA for mobile phone devices and simplifies the integrity measurements. However it still has more than 200 measurements for the OpenMoko Freerunner
13 So we built our own real prototype with a real TPM! Deutsche Telekom Laboratories 5. Juni
14 How to solve Virtualizaion, i.e., Domain Isolation Four different types of stakeholders Device manufacturer Network service provider General service provider End-user (customer) Generalizes the concept of a platform to a set of conventional TCG-enabled platforms called trusted engines. Each belongs to a stakeholder
15 TCG Mobile Ref Architecture Main security requirements: Isolation of resources from different stakeholders Controlled resource sharing information flow between stakeholders Flexible and configurable policy management No specific solution is defined.
16 Our Solution Policy Model Mandatory access control (MAC) based security model in OS kernel Strong isolation Secure resource sharing and communication between engines Via strong information flow control Loadable policy modules for different stakeholders Over-the-air policy management and update Architecture Kernel-level reference monitor Integrate integrity measurement with reference monitor Prototype Secure boot on OMAP 5912 (ARM-based) reference board with hwtpm Ported SELinuxon board with NSA Sample Policy and a simplified policy with few domains Integrity measurement and verification
17 SELinux Policy Model Extension Current SELinux policy model: Security context: user:role:type Security mechanism in SELinux is Type Enforcement Simple role-based access control We extend the security context of objects (including subjects): user:role:type:profile:system Each object can be categorized as a set of general and customizable attributes defined by profile. Time Location Other context-aware attributes Trusted computing information will be provided by system: Integrity values, PCR s Platform boot and runtime states Configurations Extensible model When new functions become available on a platform Especially on user-space services on mobile platforms More generalized and flexible constraints: Attributes are then checked against specified values in the constrain expression E.g., Constrained role inheritance with time or location information
18 Policy Specifications High-level policy specifications for trusted mobile platform Cross-domain security framework
19 Platform Architecture of Prototype Data Data Data Services Services Services Services User Applications Device Manufacture Service Provider User System Calls/APIs Hooks SELinux Module MAC Policies Kernel CRTM MTM Device Device Conditional SELinux policy: Hardware
20 Performance study of SE Linux overhead on OMAP 5912
21 BU feedback after seeing our machine at CES 2008 Yes, we like your trusted platform and would like to integrate you security functionality to our next product, but Max 1% performance overhead 2. It must be hardware independent 3. No extra security hardware 4. 6 months development time 5. You must make it a standard
22 Integrity Models Integrity protections on traditional systems: Biba Clark-Wilson CW-lite UMIP SELinux/AppArmor/LIDS Andorid/Symbian/Qt/J2ME Problems: Not efficient on mobile platforms Needs to switch integrity level during runtime Hard to identify filter Complex policy specification No high level security goals (e.g., integrity model) Android/Symbian/Qtopia/J2ME SELinux-like solution has not integrity model
23 Mobile Integrity Model Biba-like isolation between trusted and untrusted processes Communication controlled via trusted subjects (daemons) Architecture for LiMo-like platform But for Symbian and Android also. Trusted (a) Unrusted Trusted Trusted Unrusted Trusted Untrusted (b)
24 Implementation Filesystem and memory space Clearly defined trusted/untrusted boundary Security-enhanced application installation and launch Controlled communication via trusted daemons between trusted and untrusted domains
25 Policy design Rule1 about store: All trusted program and resources stored in trusted file systems All untrusted program and resources stored in untrusted file systems Rule2 about new process launch: Process launched from trusted fs is regarded as trusted process Trusted program only can be launched by kernel or trusted process Process launched from untrusted fs is regarded as untrusted process Trusted Domains jvm_t, sysxo_t, gconfd_t,... controlled communication Untrusted Domains read read-write read-write read-only filesystems (e.g, cramfs) read-write filesystems (e.g, ext3)
26 Implementation Secure inter-process communication Most Linux mobile platforms use D-Bus LiMo, OpenMoko, GPE, Maemo, Qtopia, Andorid Security context transferred via D-Bus messages Local enforcement in individual daemons Gconfd (for configuration storage) Telephony server (voice, messages, SIM, etc)
27 Secure Dbus Dameon Architecture Sender process Libnoti, libdbus, libgconf dbus message dispatch dbus-daemon Pid=get_sender_pid(connection) Set_sender_pid(message, pid) noti-service gconfd libgconf Pid=get_sender_pid(message) getpidcon(pid) getkeycon( key) check_avc( pcon, kcon, perm) ; Subscription / Publication module Filter module Adapter Container module adapter1 adapter2 If target app is not running, it can be auto-activated by dbusdaemon. process dbusd gconfd SElinuxKernel Gconf_key_co ntexts SELinux policy Dbusmsg (write, key, value) Assign Pid to msg send msg (write, key, value, pid) libselinux: ggetpidcon(pid) Getkeycon(key) Query policy with (Pidcon, keycon, gconf_gconf SET_VALUE) and make decision Write the key the value Or deny silently
28 Visualization-based Policy Analysis Policy View
29 Performance
30 Simplified new architecture for Trusted Platform
31 Real LiMo security architecture
32 Questions??? Global Mobile Linux Initiative
Building Efficient Integrity Measurement and Attestation for Mobile Phone Platforms
Building Efficient Integrity Measurement and Attestation for Mobile Phone Platforms Xinwen Zhang 1, Onur Acıiçmez 1, and Jean-Pierre Seifert 2 1 Samsung Information Systems America, San Jose, CA, USA {xinwen.z,o.aciicmez}@samsung.com
More informationBuilding Blocks Towards a Trustworthy NFV Infrastructure
Building Blocks Towards a Trustworthy NFV Infrastructure IRTF NFVRG Adrian L. Shaw Hewlett-Packard Laboratories / July 22 nd, 2015 1 Why security and trust? Big requirement for critical
More informationMeasuring Integrity on Mobile Phone Systems
Measuring Integrity on Mobile Phone Systems Divya Muthukumaran Systems and Internet Infrastructure Security Laboratory Pennsylvania State University University Park, PA 16802 dzm133@psu.edu Anuj Sawani
More informationTrusted Virtual Datacenter Radically simplified security management
IBM T. J. Watson Research Center Trusted Virtual Datacenter Radically simplified security management Stefan Berger, Ramón Cáceres, Dimitrios Pendarakis, Reiner Sailer, Ray Valdez Secure Systems Department,
More informationExample of Standard API
16 Example of Standard API System Call Implementation Typically, a number associated with each system call System call interface maintains a table indexed according to these numbers The system call interface
More informationEmbedded Trusted Computing on ARM-based systems
1 / 26 Embedded Trusted Computing on ARM-based systems Martin Schramm, M.Eng. 10.04.2014 Agenda 2 of 26 martin.schramm@th-deg.de Embedded computing platforms have become omnipresent intend to alleviate
More informationLecture 17: Mobile Computing Platforms: Android. Mythili Vutukuru CS 653 Spring 2014 March 24, Monday
Lecture 17: Mobile Computing Platforms: Android Mythili Vutukuru CS 653 Spring 2014 March 24, Monday Mobile applications vs. traditional applications Traditional model of computing: an OS (Linux / Windows),
More informationSECURITY IN OPEN SOURCE VIRTUALIZATION
SECURITY IN OPEN SOURCE VIRTUALIZATION S.SELVAKUMAR B.Tech., IFET College of Engineering, - selvakkumarit@gmail.com ABSTRACT: As virtual machines become increasingly commonplace as a method of separating
More informationOVAL+TPM. A Case Study in Enterprise Trusted Computing. Ariel Segall. June 21, 2011
OVAL+TPM A Case Study in Enterprise Trusted Computing Ariel Segall June 21, 2011 Approved for Public Release: 11-0144. Distribution Unlimited. c 2011. All Rights Reserved. (1/15) Motivation Goal: Demonstrate
More informationThe Art of Virtualization with Free Software
Master on Free Software 2009/2010 {mvidal,jfcastro}@libresoft.es GSyC/Libresoft URJC April 24th, 2010 (cc) 2010. Some rights reserved. This work is licensed under a Creative Commons Attribution-Share Alike
More informationEstablishing and Sustaining System Integrity via Root of Trust Installation
Establishing and Sustaining System Integrity via Root of Trust Installation Luke St.Clair, Joshua Schiffman, Trent Jaeger, Patrick McDaniel Systems and Internet Infrastructure Security Laboratory The Pennsylvania
More informationHW (Fat001) TPM. Figure 1. Computing Node
1. Overview Two major components exist in our current prototype systems: the management node, including the Cloud Controller, Cluster Controller, Walrus and EBS, and the computing node, i.e. the Node Controller
More informationSecure Data Management in Trusted Computing
1 Secure Data Management in Trusted Computing Ulrich Kühn Deutsche Telekom Laboratories, TU Berlin Klaus Kursawe (KU Leuven) Stefan Lucks (U Mannheim) Ahmad-Reza Sadeghi (RU Bochum) Christian Stüble (RU
More informationVirtual Hosting & Virtual Machines
& Virtual Machines Coleman Kane Coleman.Kane@ge.com September 2, 2014 Cyber Defense Overview / Machines 1 / 17 Similar to the network partitioning schemes described previously, there exist a menu of options
More informationChapter 2 System Structures
Chapter 2 System Structures Operating-System Structures Goals: Provide a way to understand an operating systems Services Interface System Components The type of system desired is the basis for choices
More informationHypervisors. Introduction. Introduction. Introduction. Introduction. Introduction. Credits:
Hypervisors Credits: P. Chaganti Xen Virtualization A practical handbook D. Chisnall The definitive guide to Xen Hypervisor G. Kesden Lect. 25 CS 15-440 G. Heiser UNSW/NICTA/OKL Virtualization is a technique
More informationTrusted Virtual Machine Management for Virtualization in Critical Environments
Trusted Virtual Machine Management for Virtualization in Critical Environments Khan Ferdous Wahid Fraunhofer SIT Rheinstraße 75 64295 Darmstadt Germany www.sit.fraunhofer.de khan.wahid@sit.fraunhofer.de
More informationThe Case for SE Android. Stephen Smalley sds@tycho.nsa.gov Trust Mechanisms (R2X) National Security Agency
The Case for SE Android Stephen Smalley sds@tycho.nsa.gov Trust Mechanisms (R2X) National Security Agency 1 Android: What is it? Linux-based software stack for mobile devices. Very divergent from typical
More informationUses for Virtual Machines. Virtual Machines. There are several uses for virtual machines:
Virtual Machines Uses for Virtual Machines Virtual machine technology, often just called virtualization, makes one computer behave as several computers by sharing the resources of a single computer between
More informationA Virtualized Linux Integrity Subsystem for Trusted Cloud Computing
A Virtualized Linux Integrity Subsystem for Trusted Cloud Computing Stefan Berger Joint work with: Kenneth Goldman, Dimitrios Pendarakis, David Safford, Mimi Zohar IBM T.J. Watson Research Center 09/21/2011
More informationCSE597a - Cell Phone OS Security. Cellphone Hardware. William Enck Prof. Patrick McDaniel
CSE597a - Cell Phone OS Security Cellphone Hardware William Enck Prof. Patrick McDaniel CSE597a - Cellular Phone Operating Systems Security - Spring 2009 - Instructors McDaniel and Enck 1 2 Embedded Systems
More informationRemote 2014 Monitoring & Control. Securing Mobile Devices November 7 th 2014
Remote 2014 Monitoring & Control Securing Mobile Devices November 7 th 2014 Purpose / Agenda Ken Lewis, CISSP Director of Cross Domain Security Solutions for Tresys Technology Systems Security Engineer
More informationReview from last time. CS 537 Lecture 3 OS Structure. OS structure. What you should learn from this lecture
Review from last time CS 537 Lecture 3 OS Structure What HW structures are used by the OS? What is a system call? Michael Swift Remzi Arpaci-Dussea, Michael Swift 1 Remzi Arpaci-Dussea, Michael Swift 2
More informationStart building a trusted environment now... (before it s too late) IT Decision Makers
YOU CAN T got HAP Start building a trusted environment now... IT Decision Makers (before it s too late) HAP reference implementations and commercial solutions are available now in the HAP Developer Kit.
More informationA M D DA S 1. 0 For the Manageability, Virtualization and Security of Embedded Solutions
A M D DA S 1. 0 For the Manageability, Virtualization and Security of Embedded Solutions AMD DAS (DASH, AMD Virtualization (AMD-V ) Technology, and Security) 1.0 is a term used to describe the various
More informationLeveraging Thin Hypervisors for Security on Embedded Systems
Leveraging Thin Hypervisors for Security on Embedded Systems Christian Gehrmann A part of Swedish ICT What is virtualization? Separation of a resource or request for a service from the underlying physical
More informationLinux Distributed Security Module 1
Linux Distributed Security Module 1 By Miroslaw Zakrzewski and Ibrahim Haddad This article describes the implementation of Mandatory Access Control through a Linux kernel module that is targeted for Linux
More informationHow to Secure Infrastructure Clouds with Trusted Computing Technologies
How to Secure Infrastructure Clouds with Trusted Computing Technologies Nicolae Paladi Swedish Institute of Computer Science 2 Contents 1. Infrastructure-as-a-Service 2. Security challenges of IaaS 3.
More informationFull and Para Virtualization
Full and Para Virtualization Dr. Sanjay P. Ahuja, Ph.D. 2010-14 FIS Distinguished Professor of Computer Science School of Computing, UNF x86 Hardware Virtualization The x86 architecture offers four levels
More informationVirtual Machine Security
Virtual Machine Security CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/ 1 Operating System Quandary Q: What is the primary goal
More informationBuilding the Internet of Things Jim Green - CTO, Data & Analytics Business Group, Cisco Systems
Building the Internet of Things Jim Green - CTO, Data & Analytics Business Group, Cisco Systems Brian McCarson Sr. Principal Engineer & Sr. System Architect, Internet of Things Group, Intel Corp Mac Devine
More informationAttestation-based Policy Enforcement for Remote Access
Attestation-based Policy Enforcement for Remote Access Reiner Sailer, Trent Jaeger, Leendert van Doorn, Xiaolan Zhang IBM Thomas J. Watson Research Center Hawthorne, NY (ACM Conference on Computer and
More informationImplementing Hardware Roots of Trust: The Trusted Platform Module Comes of Age Sponsored by the Trusted Computing Group (TCG)
Implementing Hardware Roots of Trust: The Trusted Platform Module Comes of Age Sponsored by the Trusted Computing Group (TCG) Speakers: Gal Shpantzer, John Pescatore (SANS Institute) Chris Hallum (Microsoft)
More informationVMware Server 2.0 Essentials. Virtualization Deployment and Management
VMware Server 2.0 Essentials Virtualization Deployment and Management . This PDF is provided for personal use only. Unauthorized use, reproduction and/or distribution strictly prohibited. All rights reserved.
More informationCSE 120 Principles of Operating Systems. Modules, Interfaces, Structure
CSE 120 Principles of Operating Systems Fall 2000 Lecture 3: Operating System Modules, Interfaces, and Structure Geoffrey M. Voelker Modules, Interfaces, Structure We roughly defined an OS as the layer
More informationIOS110. Virtualization 5/27/2014 1
IOS110 Virtualization 5/27/2014 1 Agenda What is Virtualization? Types of Virtualization. Advantages and Disadvantages. Virtualization software Hyper V What is Virtualization? Virtualization Refers to
More informationLecture Embedded System Security Dynamic Root of Trust and Trusted Execution
1 Lecture Embedded System Security Dynamic Root of Trust and Execution Prof. Dr.-Ing. Ahmad-Reza Sadeghi System Security Lab Technische Universität Darmstadt (CASED) Germany Summer Term 2014 Dynamic Root
More informationwww.see-grid-sci.eu Regional SEE-GRID-SCI Training for Site Administrators Institute of Physics Belgrade March 5-6, 2009
SEE-GRID-SCI Virtualization and Grid Computing with XEN www.see-grid-sci.eu Regional SEE-GRID-SCI Training for Site Administrators Institute of Physics Belgrade March 5-6, 2009 Milan Potocnik University
More informationModels For Modeling and Measuring the Performance of a Xen Virtual Server
Measuring and Modeling the Performance of the Xen VMM Jie Lu, Lev Makhlis, Jianjiun Chen BMC Software Inc. Waltham, MA 2451 Server virtualization technology provides an alternative for server consolidation
More informationvtpm: Virtualizing the Trusted Platform Module
vtpm: Virtualizing the Trusted Platform Module Stefan Berger Ramón Cáceres Kenneth A. Goldman Ronald Perez Reiner Sailer Leendert van Doorn {stefanb, caceres, kgoldman, ronpz, sailer, leendert}@us.ibm.com
More informationA Perspective on the Evolution of Mobile Platform Security Architectures
A Perspective on the Evolution of Mobile Platform Security Architectures N. Asokan Nokia Research Center Joint work with Kari Kostiainen, Jan-Erik Ekberg, Elena Reshetova (Intel) Padova, July 2012 1 Introduction
More informationnanohub.org An Overview of Virtualization Techniques
An Overview of Virtualization Techniques Renato Figueiredo Advanced Computing and Information Systems (ACIS) Electrical and Computer Engineering University of Florida NCN/NMI Team 2/3/2006 1 Outline Resource
More informationTrustworthy Computing
Stefan Thom Senior Software Development Engineer and Security Architect for IEB, Microsoft Rob Spiger, Senior Security Strategist Trustworthy Computing Agenda Windows 8 TPM Scenarios Hardware Choices with
More informationKernel Types System Calls. Operating Systems. Autumn 2013 CS4023
Operating Systems Autumn 2013 Outline 1 2 Types of 2.4, SGG The OS Kernel The kernel is the central component of an OS It has complete control over everything that occurs in the system Kernel overview
More informationA Perspective on the Evolution of Mobile Platform Security Architectures
A Perspective on the Evolution of Mobile Platform Security Architectures Kari Kostiainen Nokia Research Center, Helsinki TIW, June 2011 Joint work with N. Asokan, Jan-Erik Ekberg and Elena Reshetova 1
More informationSurvey of Filesystems for Embedded Linux. Presented by Gene Sally CELF
Survey of Filesystems for Embedded Linux Presented by Gene Sally CELF Presentation Filesystems In Summary What is a filesystem Kernel and User space filesystems Picking a root filesystem Filesystem Round-up
More informationSierraVMI Sizing Guide
SierraVMI Sizing Guide July 2015 SierraVMI Sizing Guide This document provides guidelines for choosing the optimal server hardware to host the SierraVMI gateway and the Android application server. The
More informationVirtualization and Performance NSRC
Virtualization and Performance NSRC Overhead of full emulation Software takes many steps to do what the hardware would do in one step So pure emulation (e.g. QEMU) is slow although much clever optimization
More informationArchitecture (SOSP 2011) 11/11/2011 Minsung Jang
Cells: A Virtual Mobile Smartphone Architecture (SOSP 2011) Lunch TimeReading Group 11/11/2011 Minsung Jang Summary Novel Architecture for a Virtual Phone How to do away with overhead New way to virtualize
More informationPatterns for Secure Boot and Secure Storage in Computer Systems
Patterns for Secure Boot and Secure Storage in Computer Systems Hans Löhr, Ahmad-Reza Sadeghi, Marcel Winandy Horst Görtz Institute for IT Security, Ruhr-University Bochum, Germany {hans.loehr,ahmad.sadeghi,marcel.winandy}@trust.rub.de
More informationHow To Write Security Enhanced Linux On Embedded Systems (Es) On A Microsoft Linux 2.2.2 (Amd64) (Amd32) (A Microsoft Microsoft 2.3.2) (For Microsoft) (Or
Security Enhanced Linux on Embedded Systems: a Hardware-accelerated Implementation Leandro Fiorin, Alberto Ferrante Konstantinos Padarnitsas, Francesco Regazzoni University of Lugano Lugano, Switzerland
More informationDo Containers fully 'contain' security issues? A closer look at Docker and Warden. By Farshad Abasi, 2015-09-16
Do Containers fully 'contain' security issues? A closer look at Docker and Warden. By Farshad Abasi, 2015-09-16 Overview What are Containers? Containers and The Cloud Containerization vs. H/W Virtualization
More informationHow To Write A Windows Operating System (Windows) (For Linux) (Windows 2) (Programming) (Operating System) (Permanent) (Powerbook) (Unix) (Amd64) (Win2) (X
(Advanced Topics in) Operating Systems Winter Term 2009 / 2010 Jun.-Prof. Dr.-Ing. André Brinkmann brinkman@upb.de Universität Paderborn PC 1 Overview Overview of chapter 3: Case Studies 3.1 Windows Architecture.....3
More informationEmbedded Linux development training 4 days session
Embedded Linux development training 4 days session Title Overview Duration Trainer Language Audience Prerequisites Embedded Linux development training Understanding the Linux kernel Building the Linux
More informationVirtualization for Cloud Computing
Virtualization for Cloud Computing Dr. Sanjay P. Ahuja, Ph.D. 2010-14 FIS Distinguished Professor of Computer Science School of Computing, UNF CLOUD COMPUTING On demand provision of computational resources
More informationSELinux. Security Enhanced Linux
SELinux Security Enhanced Linux Introduction and brief overview. Copyright 2005 by Paweł J. Sawicki http://www.pawel-sawicki.com/ Agenda DAC Discretionary Access Control ACL Access Control Lists MAC Mandatory
More informationUsing the TPM to Solve Today s Most Urgent Cybersecurity Problems
Using the to Solve Today s Most Urgent Cybersecurity Problems May 20, 2014 10:00AM PDT 2 Stacy Cannady, Technical Marketing Trustworthy Computing, Cisco Stacy Cannady, CISSP, is technical marketing - Trustworthy
More informationSecurity Overview of the Integrity Virtual Machines Architecture
Security Overview of the Integrity Virtual Machines Architecture Introduction... 2 Integrity Virtual Machines Architecture... 2 Virtual Machine Host System... 2 Virtual Machine Control... 2 Scheduling
More informationARM TrustZone and KVM Coexistence with RTOS For Automotive
ARM TrustZone and KVM Coexistence with RTOS For Automotive Michele Paolino m.paolino@virtualopensystems.com Automotive-grade Linux Summit, 2015-06-01, Tokyo, Japan Authorship and sponsorship Michele Paolino,
More informationCPS221 Lecture: Operating System Structure; Virtual Machines
Objectives CPS221 Lecture: Operating System Structure; Virtual Machines 1. To discuss various ways of structuring the operating system proper 2. To discuss virtual machines Materials: 1. Projectable of
More informationPARALLELS SERVER BARE METAL 5.0 README
PARALLELS SERVER BARE METAL 5.0 README 1999-2011 Parallels Holdings, Ltd. and its affiliates. All rights reserved. This document provides the first-priority information on the Parallels Server Bare Metal
More informationOperating System Organization. Purpose of an OS
Slide 3-1 Operating System Organization Purpose of an OS Slide 3-2 es Coordinate Use of the Abstractions he Abstractions Create the Abstractions 1 OS Requirements Slide 3-3 Provide resource abstractions
More informationSeeding Clouds with Trust Anchors
Seeding Clouds with Trust Anchors Joshua Schiffman, Thomas Moyer, Hayawardh Vijayakumar Trent Jaeger and Patrick McDaniel Systems and Internet Infrastructure Security Laboratory The Pennsylvania State
More informationRED HAT ENTERPRISE VIRTUALIZATION
Giuseppe Paterno' Solution Architect Jan 2010 Red Hat Milestones October 1994 Red Hat Linux June 2004 Red Hat Global File System August 2005 Red Hat Certificate System & Dir. Server April 2006 JBoss April
More informationSecurity and Integrity of a Distributed File Storage in a Virtual Environment
Security and Integrity of a Distributed File Storage in a Virtual Environment Gaspare Sala 1 Daniele Sgandurra 1 Fabrizio Baiardi 2 1 Department of Computer Science, University of Pisa, Italy 2 Polo G.
More informationBest Practices on monitoring Solaris Global/Local Zones using IBM Tivoli Monitoring
Best Practices on monitoring Solaris Global/Local Zones using IBM Tivoli Monitoring Document version 1.0 Gianluca Della Corte, IBM Tivoli Monitoring software engineer Antonio Sgro, IBM Tivoli Monitoring
More informationRPM Brotherhood: KVM VIRTUALIZATION TECHNOLOGY
RPM Brotherhood: KVM VIRTUALIZATION TECHNOLOGY Syamsul Anuar Abd Nasir Fedora Ambassador Malaysia 1 ABOUT ME Technical Consultant for Warix Technologies - www.warix.my Warix is a Red Hat partner Offers
More informationOperating System Structures
COP 4610: Introduction to Operating Systems (Spring 2015) Operating System Structures Zhi Wang Florida State University Content Operating system services User interface System calls System programs Operating
More informationWhite Paper. Fabasoft on Linux SELinux Support. Fabasoft Folio 2015 Update Rollup 2
White Paper Fabasoft Folio 2015 Update Rollup 2 Copyright Fabasoft R&D GmbH, Linz, Austria, 2015. All rights reserved. All hardware and software names used are registered trade names and/or registered
More informationHow do Users and Processes interact with the Operating System? Services for Processes. OS Structure with Services. Services for the OS Itself
How do Users and Processes interact with the Operating System? Users interact indirectly through a collection of system programs that make up the operating system interface. The interface could be: A GUI,
More informationMobile Platform Security Architectures A perspective on their evolution
Mobile Platform Security Architectures A perspective on their evolution N. Asokan Kari Kostiainen 1 NA, KKo, JEE, Nokia Resarch Center 2011-2012 Introduction Recent interest in smartphone security 2 NA,
More informationDevelopment of complex KNX Devices
WEINZIERL ENGINEERING GmbH WEINZIERL ENGINEERING GMBH Jason Richards 84558 Tyrlaching GERMANY Phone +49 (0) 8623 / 987 98-03 Web: www.weinzierl.de Development of complex KNX Devices Abstract The KNX World
More informationLast Class: OS and Computer Architecture. Last Class: OS and Computer Architecture
Last Class: OS and Computer Architecture System bus Network card CPU, memory, I/O devices, network card, system bus Lecture 3, page 1 Last Class: OS and Computer Architecture OS Service Protection Interrupts
More informationEXPLORING LINUX KERNEL: THE EASY WAY!
EXPLORING LINUX KERNEL: THE EASY WAY! By: Ahmed Bilal Numan 1 PROBLEM Explore linux kernel TCP/IP stack Solution Try to understand relative kernel code Available text Run kernel in virtualized environment
More informationDigital Rights Management Demonstrator
Digital Rights Management Demonstrator Requirements, Analysis, and Design Authors: Andre Osterhues, Marko Wolf Institute: Ruhr-University Bochum Date: March 2, 2007 Abstract: This document describes a
More informationDistributed systems Techs 4. Virtualization. October 26, 2009
Distributed systems Techs 4. Virtualization October 26, 2009 Current interest in virtualization is one of the hottest topics in information technology today. Possible due to the increasing speed and capabilities
More informationVirtualization. Michael Tsai 2015/06/08
Virtualization Michael Tsai 2015/06/08 What is virtualization? Let s first look at a video from VMware http://bcove.me/x9zhalcl Problems? Low utilization Different needs DNS DHCP Web mail 5% 5% 15% 8%
More informationTrusted Virtual Datacenter and Trusted Computing
IBM T J Watson Research Center Trusted Virtual Datacenter and Trusted Computing What about Cryptography? Reiner Sailer IBM Thomas J Watson Research Center, Hawthorne, NY Joint work with: Stefan Berger,
More informationTrus%ng your Cloud Provider s System
Trus%ng your Cloud Provider s System Retaining Control over Private Virtual Machines Hosted by a Cloud Provider Using Mandatory Access Control, Trusted Boot and A>esta?on Vorarlberg University of Applied
More informationELEC 377. Operating Systems. Week 1 Class 3
Operating Systems Week 1 Class 3 Last Class! Computer System Structure, Controllers! Interrupts & Traps! I/O structure and device queues.! Storage Structure & Caching! Hardware Protection! Dual Mode Operation
More informationDesktop Virtualization. The back-end
Desktop Virtualization The back-end Will desktop virtualization really fit every user? Cost? Scalability? User Experience? Beyond VDI with FlexCast Mobile users Guest workers Office workers Remote workers
More informationVerfahren zur Absicherung von Apps. Dr. Ullrich Martini IHK, 4-12-2014
Verfahren zur Absicherung von Apps Dr. Ullrich Martini IHK, 4-12-2014 Agenda Introducing G&D Problem Statement Available Security Technologies Smartcard Embedded Secure Element Virtualization Trusted Execution
More informationJustifying Integrity Using a Virtual Machine Verifier
Justifying Integrity Using a Virtual Machine Verifier Joshua Schiffman, Thomas Moyer, Christopher Shal, Trent Jaeger, and Patrick McDaniel Systems and Internet Infrastructure Security Laboratory Computer
More informationTVDc: Managing Security in the Trusted Virtual Datacenter
TVDc: Managing Security in the Trusted Virtual Datacenter Stefan Berger, Ramón Cáceres, Dimitrios Pendarakis, Reiner Sailer, Enriquillo Valdez IBM T. J. Watson Research Center, 19 Skyline Drive, Hawthorne,
More informationNSA Security-Enhanced Linux (SELinux)
NSA Security-Enhanced Linux (SELinux) http://www.nsa.gov/selinux Stephen Smalley sds@epoch.ncsc.mil Information Assurance Research Group National Security Agency Information Assurance Research Group 1
More informationVirtualization. Jukka K. Nurminen 23.9.2015
Virtualization Jukka K. Nurminen 23.9.2015 Virtualization Virtualization refers to the act of creating a virtual (rather than actual) version of something, including virtual computer hardware platforms,
More informationWindows Server Virtualization & The Windows Hypervisor
Windows Server Virtualization & The Windows Hypervisor Brandon Baker Lead Security Engineer Windows Kernel Team Microsoft Corporation Agenda - Windows Server Virtualization (WSV) Why a hypervisor? Quick
More informationVirtualization. Types of Interfaces
Virtualization Virtualization: extend or replace an existing interface to mimic the behavior of another system. Introduced in 1970s: run legacy software on newer mainframe hardware Handle platform diversity
More informationBerlin Institute of Technology FG Security in Telecommunications
Berlin Institute of Technology FG Security in Telecommunications Weiss L4Android: A Generic Operating System Framework for Secure Smartphones Workshop on Security and Privacy in Smartphones and Mobile
More informationCS 377: Operating Systems. Outline. A review of what you ve learned, and how it applies to a real operating system. Lecture 25 - Linux Case Study
CS 377: Operating Systems Lecture 25 - Linux Case Study Guest Lecturer: Tim Wood Outline Linux History Design Principles System Overview Process Scheduling Memory Management File Systems A review of what
More informationVirtualization is set to become a key requirement
Xen, the virtual machine monitor The art of virtualization Moshe Bar Virtualization is set to become a key requirement for every server in the data center. This trend is a direct consequence of an industrywide
More informationWindows Server 2012 Hyper-V Virtual Switch Extension Software UNIVERGE PF1000 Overview. IT Network Global Solutions Division UNIVERGE Support Center
Windows Server 2012 Hyper-V Virtual Switch Extension Software UNIVERGE Overview IT Network Global Solutions Division UNIVERGE Support Center ProgrammableFlow API architecture Microsoft VSEM Provider Third
More informationTechnical Brief Distributed Trusted Computing
Technical Brief Distributed Trusted Computing Josh Wood Look inside to learn about Distributed Trusted Computing in Tectonic Enterprise, an industry-first set of technologies that cryptographically verify,
More information2 Purpose. 3 Hardware enablement 4 System tools 5 General features. www.redhat.com
A Technical Introduction to Red Hat Enterprise Linux 5.4 The Enterprise LINUX Team 2 Purpose 3 Systems Enablement 3 Hardware enablement 4 System tools 5 General features 6 Virtualization 7 Conclusion www.redhat.com
More informationUsing the Flask Security Architecture to Facilitate Risk Adaptable Access Controls
Using the Flask Security Architecture to Facilitate Risk Adaptable Access Controls Machon Gregory Peter Loscocco mbgrego@tycho.nsa.gov loscocco@tycho.nsa.gov National Security Agency Abstract Risk Adaptable
More informationNext Generation Now: Red Hat Enterprise Linux 6 Virtualization A Unique Cloud Approach. Jeff Ruby Channel Manager jruby@redhat.com
Next Generation Now: Virtualization A Unique Cloud Approach Jeff Ruby Channel Manager jruby@redhat.com Introducing Extensive improvements in every dimension Efficiency, scalability and reliability Unprecedented
More informationAdobe Flash Player and Adobe AIR security
Adobe Flash Player and Adobe AIR security Both Adobe Flash Platform runtimes Flash Player and AIR include built-in security and privacy features to provide strong protection for your data and privacy,
More informationProfessional Xen Visualization
Professional Xen Visualization William von Hagen WILEY Wiley Publishing, Inc. Acknowledgments Introduction ix xix Chapter 1: Overview of Virtualization : 1 What Is Virtualization? 2 Application Virtualization
More informationModule I-7410 Advanced Linux FS-11 Part1: Virtualization with KVM
Bern University of Applied Sciences Engineering and Information Technology Module I-7410 Advanced Linux FS-11 Part1: Virtualization with KVM By Franz Meyer Version 1.0 February 2011 Virtualization Architecture
More informationMobile Operating Systems. Week I
Mobile Operating Systems Week I Overview Introduction Mobile Operating System Structure Mobile Operating System Platforms Java ME Platform Palm OS Symbian OS Linux OS Windows Mobile OS BlackBerry OS iphone
More information