Securing Your Cloud with Xen Project s Advanced Security Features

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Securing Your Cloud with Xen Project s Advanced Security Features"

Transcription

1 Securing Your Cloud with Xen Project s Advanced Security Features Russell Pavlicek, Xen Project Evangelist CloudOpen North America 2013

2 Who is the Old, Fat Geek Up Front? Xen Project Evangelist Employed by Citrix, focused entirely on the Xen Project History with Open Source begins in 1997 Former columnist with Infoworld, Processor magazines Former panelist on The Linux Show webcast, repeat guest on The Linux Link Tech Show Over 150 pieces published, plus one book on Open Source development and several blogs CloudOpen North America 2013 Securing Your Cloud with Xen Project s Advanced Security Features 2 / 32

3 Introduction: Xen Project and Security Xen Project is an enterprise-grade Type I hypervisor Built for the Cloud before it was called the Cloud A number of advanced security features Driver Domains, Stub Domains, FLASK, and more Most of them are not (or cannot) be turned on by default Although they are simple to use, sometimes they can appear to be complicated CloudOpen North America 2013 Securing Your Cloud with Xen Project s Advanced Security Features 3 / 32

4 Presentation Goals Introduce you to key Xen Project Security Tools Discuss some key Xen security features Get you started in the right direction toward securing your Xen installation CloudOpen North America 2013 Securing Your Cloud with Xen Project s Advanced Security Features 4 / 32

5 Presentation Outline A few thoughts on the problem of securing the Cloud Overview of the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces and Xen features we can use to mitigate them: Driver Domains PVgrub Stub Domains Paravirtualization (PV) mode vs Hardware Virtualization (HVM) mode FLASK example policy CloudOpen North America 2013 Securing Your Cloud with Xen Project s Advanced Security Features 5 / 32

6 The Cloud Security Conundrum Security: The 800 pound gorilla of the Cloud world Nothing generates more fear in specific, and FUD in general Probably the single greatest barrier to Cloud adoption Immediately behind it is the inability to get out of a 20th century IT mindset (i.e., Change is Bad ) The good news: we don t need to fear it we just need to solve it CloudOpen North America 2013 Securing Your Cloud with Xen Project s Advanced Security Features 6 / 32

7 Cloud Security: New Visibility to Old Problem Security has always been an issue Putting a truly secure system in the open does not reduce its security, just increases the frequency of attack Unfortunately, system security behind the firewall has not always been comprehensive Having solutions in Clouds forces us to solve the security issues we should have already solved Security through obscurity is no longer sufficient CloudOpen North America 2013 Securing Your Cloud with Xen Project s Advanced Security Features 7 / 32

8 Security by Design, not by Wishful Thinking Security by Wishful Thinking is Officially Dead Merely hoping that your firewall holds off the marauding hordes is NOT good enough Addressing security in one area while ignoring others is NOT good enough Saying, We ve never had a problem before is NOT good enough Comprehensive security starts with design It needs to planned and carefully thought through It needs to be implemented at multiple levels It needs components which are themselves securable CloudOpen North America 2013 Securing Your Cloud with Xen Project s Advanced Security Features 8 / 32

9 Xen Project: Security by Design Xen Project was designed for Clouds before the term Cloud was coined in the industry Designers foresaw the day of an infrastructure for wide-area distributed computing which we now call the Cloud /srg/netos/xeno/publications.html Xen is designed to thwart attacks from many attack vectors, using different defensive techniques CloudOpen North America 2013 Securing Your Cloud with Xen Project s Advanced Security Features 9 / 32

10 Xen Architecture: A Basic Picture dom 0 device model (qemu) toolstack Hardware Drivers netback blkback Paravirtualized (PV) Domain netfront blkfront Fully Virtualized (HVM) Domain Xen Hypervisor I/O Devices CPU Memory Hardware CloudOpen North America 2013 Securing Your Cloud with Xen Project s Advanced Security Features 10 / 32

11 Security Overview Threat Models: Attacker can access network Attacker controls one Guest VM Security considerations to evaluate: How much code is accessible? What is the interface like? (e.g., pointers vs scalars) Defense-in-depth Then combine security tactics to secure the installation There is no single magic bullet Individual tactics reduce danger; combined tactics go even farther CloudOpen North America 2013 Securing Your Cloud with Xen Project s Advanced Security Features 11 / 32

12 Example System, for our Discussion Hardware setup Two networks: one Control network, one Guest network IOMMU with interrupt remapping (AMD or Intel VT-d v2) to allow for full Hardware Virtualization (HVM) Default configuration Network drivers in the Control Domain (aka Domain 0 or just Dom0 ) Paravirtualized (PV) guests using PyGrub (grub-like boot utility within context of Guest Domain) Hardware Virtualized (HVM) guests using Qemu (as the device model) running in the Control Domain CloudOpen North America 2013 Securing Your Cloud with Xen Project s Advanced Security Features 12 / 32

13 Attack surface: Network path dom 0 toolstack Domain iptables NIC Driver bridge netback netfront Rogue Domain netfront Xen Hypervisor Control NIC Guest NIC Hardware Where might an exploit focus? Bugs in hardware driver Bugs in bridging / filtering Bugs in netback (via the ring protocol) CloudOpen North America 2013 Securing Your Cloud with Xen Project s Advanced Security Features 13 / 32

14 Attack surface: Network path dom 0 toolstack Domain iptables NIC Driver bridge netback netfront Rogue Domain netfront Xen Hypervisor Control NIC Guest NIC Hardware What could a successful exploit yield? Control of Domain 0 kernel Pretty much control of the whole system CloudOpen North America 2013 Securing Your Cloud with Xen Project s Advanced Security Features 14 / 32

15 Security feature: Driver Domains dom 0 toolstack NIC Driver Driver Domain iptables NIC Driver bridge netback Domain netfront Rogue Domain netfront Xen Hypervisor Control NIC Guest NIC Hardware What is a Driver Domain? Unprivileged VM which drives hardware, provides access to guests CloudOpen North America 2013 Securing Your Cloud with Xen Project s Advanced Security Features 15 / 32

16 Security feature: Driver Domains dom 0 toolstack NIC Driver Driver Domain iptables NIC Driver bridge netback Domain netfront Rogue Domain netfront Xen Hypervisor Control NIC Guest NIC Hardware Now a successful exploit could yield: Control of the Driver Domain (PV hypercall interface) Control of that guest s network traffic Control of NIC An opportunity to attack netfront of other guests CloudOpen North America 2013 Securing Your Cloud with Xen Project s Advanced Security Features 16 / 32

17 HowTo: Driver Domains Create a VM with appropriate drivers Use any distribution suitable as a Control Domain Install the Xen-related hotplug scripts Just installing the Xen tools in the VM is usually good enough Give the VM access to the physical NIC with PCI pass-through Configure the network topology in the Driver domain Just like you would for the Control Domain Configure the guest Virtual Network Interface (vif) to use the new domain ID Add backend=domnet to vif declaration vif = [ type=pv, bridge=xenbr0, backend=domnet ] Domain CloudOpen North America 2013 Securing Your Cloud with Xen Project s Advanced Security Features 17 / 32

18 Attack surface: PyGrub dom 0 toolstack domain builder pygrub Paravirtualized (PV) Domain guest disk Xen Hypervisor What is PyGrub? grub implementation for PV guests Python program running in Control Domain Reads guest filesystem, parses grub.conf, shows menu Passes resulting kernel image to domain builder CloudOpen North America 2013 Securing Your Cloud with Xen Project s Advanced Security Features 18 / 32

19 Attack surface: PyGrub dom 0 toolstack domain builder pygrub Paravirtualized (PV) Domain guest disk Xen Hypervisor Where might an exploit focus? Bugs in file system parser Bugs in menu parser Bugs in domain builder CloudOpen North America 2013 Securing Your Cloud with Xen Project s Advanced Security Features 19 / 32

20 Attack surface: PyGrub dom 0 kernel toolstack domain builder pygrub Paravirtualized (PV) Domain guest disk Xen Hypervisor What could a successful exploit yield? Control of Domain 0 user space Pretty much control of the whole system CloudOpen North America 2013 Securing Your Cloud with Xen Project s Advanced Security Features 20 / 32

21 Security practice: Fixed kernels dom 0 kernel image toolstack domain builder Paravirtualized (PV) Domain guest disk Xen Hypervisor What is a fixed kernel? Passing a known-good kernel from Control Domain Removes attacker avenue to domain builder CloudOpen North America 2013 Securing Your Cloud with Xen Project s Advanced Security Features 21 / 32

22 Security practice: Fixed kernels dom 0 kernel image toolstack domain builder Paravirtualized (PV) Domain guest disk Xen Hypervisor Disadvantages Host admin must keep up with kernel updates Guest admin can t pass kernel parameters, custom kernels, CloudOpen North America 2013 Securing Your Cloud with Xen Project s Advanced Security Features 22 / 32

23 Security feature: PVgrub dom 0 toolstack domain builder pvgrub MiniOS guest disk Xen Hypervisor What is PVgrub? MiniOS + PV port of grub running in a guest context PV equivalent of HVM BIOS + grub Now a successful exploit could yield: Control of the attacked guest domain alone CloudOpen North America 2013 Securing Your Cloud with Xen Project s Advanced Security Features 23 / 32

24 HowTo: PVgrub Make sure that you have the PVgrub image pvgrub-$arch.gz Normally lives in /usr/lib/xen/boot Included in Fedora Xen packages Debian-based: need to build yourself Use appropriate PVgrub as bootloader in guest configuration kernel="/usr/lib/xen/boot/pvgrub-x86_32.gz" CloudOpen North America 2013 Securing Your Cloud with Xen Project s Advanced Security Features 24 / 32

25 Attack surface: Device model (Qemu) Where might an exploit focus? Bugs in NIC emulator parsing packets Bugs in emulation of virtual devices What could a successful exploit yield? Control Domain privileged userspace Pretty much control of the whole system CloudOpen North America 2013 Securing Your Cloud with Xen Project s Advanced Security Features 25 / 32

26 Security feature: Qemu stub domains What is a stub domain? Stub domain: a small service domain running just one application Qemu stub domain: run each Qemu in its own domain What could a successful exploit yield? Control only of the stub domain VM (which, if FLASK is employed, is a relatively small universe) You need to devise another attack entirely to do anything more significant CloudOpen North America 2013 Securing Your Cloud with Xen Project s Advanced Security Features 26 / 32

27 HowTo: Qemu stub domains Make sure that you have the PVgrub image: ioemu-$arch.gz Normally lives in /usr/lib/xen/boot Included in Fedora Xen packages On Debian (and offshoots), you will need to build it yourself Specify stub domains in your guest config device_model_stubdomain_override = 1 Model Stub Domains CloudOpen North America 2013 Securing Your Cloud with Xen Project s Advanced Security Features 27 / 32

28 Attack Surface: Xen Hypervisor itself Where might an exploit focus? On Paravirtualized (PV) Guests: PV Hypercalls On full Hardware Virtualized (HVM) Guests: HVM hypercalls (Subset of PV hypercalls) Instruction emulation (MMIO, shadow pagetables) Emulated platform devices: APIC, HPET, PIT Nested virtualization Security practice: Use PV VMs whenever possible CloudOpen North America 2013 Securing Your Cloud with Xen Project s Advanced Security Features 28 / 32

29 Security feature: FLASK example policy What is FLASK? Xen Security Module (XSM): Xen equivalent of LSM FLASK: Framework for XSM developed by NSA Xen equivalent of SELinux Uses same concepts and tools as SELinux Allows a policy to restrict hypercalls What can FLASK do? Basic: Restricts hypercalls to those needed by a particular guest Advanced: Allows more fine-grained granting of privileges FLASK example policy This contains example roles for the Control Domain (dom0), User/Guest Domain(domU), stub domains, driver domains, etc. CloudOpen North America 2013 Securing Your Cloud with Xen Project s Advanced Security Features 29 / 32

30 HowTo: Use the example FLASK policy Build Xen with XSM enabled Build the example policy Add the appropriate label to guest config files seclabel=[foo] stubdom label=[foo] Make sure you TEST the example policy in your environment BEFORE putting it into production! NOTE: As an example policy, it is not as rigorously tested as other parts of Xen during release, and it may not be suitable as-is if you are doing unusual things /Xen Security Modules : XSM-FLASK CloudOpen North America 2013 Securing Your Cloud with Xen Project s Advanced Security Features 30 / 32

31 ARM: Right solution for security Stays in ARM Hypervisor Mode The ARM architecture has separate Hypervisor and Kernel modes Because Xen s architecture maps so well to the ARM architecture, Xen never has to use Kernel mode Other hypervisors have to flip back and forth between modes If a hypervisor has to enter Kernel mode, it loses the security of running in a privileged mode, isolated from the rest of the system This is a non-issue with the Xen Hypervisor on ARM Does not need to use device emulation No emulation means a smaller attack surface for bad guys CloudOpen North America 2013 Securing Your Cloud with Xen Project s Advanced Security Features 31 / 32

32 For More Information... Details at Xen Thanks to George Dunlap for supplying much of the information presented here, and Stefano Stabellini for ARM information Check out our blog: Contact me at Thank You! CloudOpen North America 2013 Securing Your Cloud with Xen Project s Advanced Security Features 32 / 32

Performance tuning Xen

Performance tuning Xen Performance tuning Xen Roger Pau Monné roger.pau@citrix.com Madrid 8th of November, 2013 Xen Architecture Control Domain NetBSD or Linux device model (qemu) Hardware Drivers toolstack netback blkback Paravirtualized

More information

Xen Project 4.4: Features and Futures. Russell Pavlicek Xen Project Evangelist Citrix Systems

Xen Project 4.4: Features and Futures. Russell Pavlicek Xen Project Evangelist Citrix Systems Xen Project 4.4: Features and Futures Russell Pavlicek Xen Project Evangelist Citrix Systems About This Release Xen Project 4.4.0 was released on March 10, 2014. This release is the work of 8 months of

More information

Virtualization Technology. Zhiming Shen

Virtualization Technology. Zhiming Shen Virtualization Technology Zhiming Shen Virtualization: rejuvenation 1960 s: first track of virtualization Time and resource sharing on expensive mainframes IBM VM/370 Late 1970 s and early 1980 s: became

More information

KVM Security Comparison

KVM Security Comparison atsec information security corporation 9130 Jollyville Road, Suite 260 Austin, TX 78759 Tel: 512-349-7525 Fax: 512-349-7933 www.atsec.com KVM Security Comparison a t s e c i n f o r m a t i o n s e c u

More information

Virtual machines and operating systems

Virtual machines and operating systems V i r t u a l m a c h i n e s a n d o p e r a t i n g s y s t e m s Virtual machines and operating systems Krzysztof Lichota lichota@mimuw.edu.pl A g e n d a Virtual machines and operating systems interactions

More information

Full and Para Virtualization

Full and Para Virtualization Full and Para Virtualization Dr. Sanjay P. Ahuja, Ph.D. 2010-14 FIS Distinguished Professor of Computer Science School of Computing, UNF x86 Hardware Virtualization The x86 architecture offers four levels

More information

Date: December 2009 Version: 1.0. How Does Xen Work?

Date: December 2009 Version: 1.0. How Does Xen Work? Date: December 2009 Version: 1.0 How Does Xen Work? Table of Contents Executive Summary... 3 Xen Environment Components... 3 Xen Hypervisor... 3... 4 Domain U... 4 Domain Management and Control... 6 Xend...

More information

Attacking Hypervisors via Firmware and Hardware

Attacking Hypervisors via Firmware and Hardware Attacking Hypervisors via Firmware and Hardware Alex Matrosov (@matrosov), Mikhail Gorobets, Oleksandr Bazhaniuk (@ABazhaniuk), Andrew Furtak, Yuriy Bulygin (@c7zero) Advanced Threat Research Agenda Hypervisor

More information

Virtualization. Types of Interfaces

Virtualization. Types of Interfaces Virtualization Virtualization: extend or replace an existing interface to mimic the behavior of another system. Introduced in 1970s: run legacy software on newer mainframe hardware Handle platform diversity

More information

Knut Omang Ifi/Oracle 19 Oct, 2015

Knut Omang Ifi/Oracle 19 Oct, 2015 Software and hardware support for Network Virtualization Knut Omang Ifi/Oracle 19 Oct, 2015 Motivation Goal: Introduction to challenges in providing fast networking to virtual machines Prerequisites: What

More information

Cloud^H^H^H^H^H Virtualization Technology. Andrew Jones (drjones@redhat.com) May 2011

Cloud^H^H^H^H^H Virtualization Technology. Andrew Jones (drjones@redhat.com) May 2011 Cloud^H^H^H^H^H Virtualization Technology Andrew Jones (drjones@redhat.com) May 2011 Outline Promise to not use the word Cloud again...but still give a couple use cases for Virtualization Emulation it's

More information

10 Years of Xen and beyond

10 Years of Xen and beyond 10 Years of Xen and beyond Lars Kurth Xen Project Community Manager lars.kurth@xen.org @lars_kurth FREENODE: lars_kurth Xen.org becomes XenProject.org Teams aka sub-projects Hypervisor XAPI ARM Hypervisor

More information

Chapter 5 Cloud Resource Virtualization

Chapter 5 Cloud Resource Virtualization Chapter 5 Cloud Resource Virtualization Contents Virtualization. Layering and virtualization. Virtual machine monitor. Virtual machine. Performance and security isolation. Architectural support for virtualization.

More information

Xen: FOSS Hypervisor for the Cloud

Xen: FOSS Hypervisor for the Cloud Xen: FOSS Hypervisor for the Cloud Russell Pavlicek Xen Project Evangelist Russell.Pavlicek@XenProject.org @RCPavlicek So Who s the Fat Geek up Front? About the Speaker... Linux user since 1995; Linux

More information

Advanced Computer Networks. Network I/O Virtualization

Advanced Computer Networks. Network I/O Virtualization Advanced Computer Networks 263 3501 00 Network I/O Virtualization Patrick Stuedi Spring Semester 2014 Oriana Riva, Department of Computer Science ETH Zürich 1 Outline Last week: Today: Software Defined

More information

Virtual Machines. COMP 3361: Operating Systems I Winter 2015 http://www.cs.du.edu/3361

Virtual Machines. COMP 3361: Operating Systems I Winter 2015 http://www.cs.du.edu/3361 s COMP 3361: Operating Systems I Winter 2015 http://www.cs.du.edu/3361 1 Virtualization! Create illusion of multiple machines on the same physical hardware! Single computer hosts multiple virtual machines

More information

KVM: A Hypervisor for All Seasons. Avi Kivity avi@qumranet.com

KVM: A Hypervisor for All Seasons. Avi Kivity avi@qumranet.com KVM: A Hypervisor for All Seasons Avi Kivity avi@qumranet.com November 2007 Virtualization Simulation of computer system in software Components Processor: register state, instructions, exceptions Memory

More information

Nested Virtualization

Nested Virtualization Nested Virtualization Dongxiao Xu, Xiantao Zhang, Yang Zhang May 9, 2013 Agenda Nested Virtualization Overview Dive into Nested Virtualization Details Nested CPU Virtualization Nested MMU Virtualization

More information

Virtualization Technology

Virtualization Technology Virtualization Technology A Manifold Arms Race Michael H. Warfield Senior Researcher and Analyst mhw@linux.vnet.ibm.com 2008 IBM Corporation Food for Thought Is Virtual Reality an oxymoron or is it the

More information

Virtual Switching Without a Hypervisor for a More Secure Cloud

Virtual Switching Without a Hypervisor for a More Secure Cloud ing Without a for a More Secure Cloud Xin Jin Princeton University Joint work with Eric Keller(UPenn) and Jennifer Rexford(Princeton) 1 Public Cloud Infrastructure Cloud providers offer computing resources

More information

Virtualization. Pradipta De pradipta.de@sunykorea.ac.kr

Virtualization. Pradipta De pradipta.de@sunykorea.ac.kr Virtualization Pradipta De pradipta.de@sunykorea.ac.kr Today s Topic Virtualization Basics System Virtualization Techniques CSE506: Ext Filesystem 2 Virtualization? A virtual machine (VM) is an emulation

More information

Virtual Machine Security

Virtual Machine Security Virtual Machine Security CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/ 1 Operating System Quandary Q: What is the primary goal

More information

Virtualization in the Cloud: Featuring Xen and XCP

Virtualization in the Cloud: Featuring Xen and XCP Virtualization in the Cloud: Featuring Xen and XCP Lars Kurth Xen Community Manager lars.kurth@xen.org FREENODE: lars_kurth @lars_kurth A Brief History of Xen in the Cloud Late 90s XenoServer Project A

More information

Enterprise-Class Virtualization with Open Source Technologies

Enterprise-Class Virtualization with Open Source Technologies Enterprise-Class Virtualization with Open Source Technologies Alex Vasilevsky CTO & Founder Virtual Iron Software June 14, 2006 Virtualization Overview Traditional x86 Architecture Each server runs single

More information

Uses for Virtual Machines. Virtual Machines. There are several uses for virtual machines:

Uses for Virtual Machines. Virtual Machines. There are several uses for virtual machines: Virtual Machines Uses for Virtual Machines Virtual machine technology, often just called virtualization, makes one computer behave as several computers by sharing the resources of a single computer between

More information

The QEMU/KVM Hypervisor

The QEMU/KVM Hypervisor The /KVM Hypervisor Understanding what's powering your virtual machine Dr. David Alan Gilbert dgilbert@redhat.com 2015-10-14 Topics Hypervisors and where /KVM sits Components of a virtual machine KVM Devices:

More information

RPM Brotherhood: KVM VIRTUALIZATION TECHNOLOGY

RPM Brotherhood: KVM VIRTUALIZATION TECHNOLOGY RPM Brotherhood: KVM VIRTUALIZATION TECHNOLOGY Syamsul Anuar Abd Nasir Fedora Ambassador Malaysia 1 ABOUT ME Technical Consultant for Warix Technologies - www.warix.my Warix is a Red Hat partner Offers

More information

Operating System and Hypervisor Support for IOMMUs

Operating System and Hypervisor Support for IOMMUs Operating System and Hypervisor Support for IOMMUs Muli Ben-Yehuda IBM Haifa Research Lab muli@il.ibm.com p. 1/3 Table of Contents The what and why of IOMMUs. How much does it cost? What can we do about

More information

Compromise-as-a-Service

Compromise-as-a-Service ERNW GmbH Carl-Bosch-Str. 4 D-69115 Heidelberg 3/31/14 Compromise-as-a-Service Our PleAZURE Felix Wilhelm & Matthias Luft {fwilhelm, mluft}@ernw.de ERNW GmbH Carl-Bosch-Str. 4 D-69115 Heidelberg Agenda

More information

COS 318: Operating Systems. Virtual Machine Monitors

COS 318: Operating Systems. Virtual Machine Monitors COS 318: Operating Systems Virtual Machine Monitors Kai Li and Andy Bavier Computer Science Department Princeton University http://www.cs.princeton.edu/courses/archive/fall13/cos318/ Introduction u Have

More information

Intel s Virtualization Extensions (VT-x) So you want to build a hypervisor?

Intel s Virtualization Extensions (VT-x) So you want to build a hypervisor? Intel s Virtualization Extensions (VT-x) So you want to build a hypervisor? Mr. Jacob Torrey February 26, 2014 Dartmouth College 153 Brooks Road, Rome, NY 315.336.3306 http://ainfosec.com @JacobTorrey

More information

KVM on S390x. Revolutionizing the Mainframe

KVM on S390x. Revolutionizing the Mainframe KVM on S390x Revolutionizing the Mainframe Audience In depth technology High level overview Audience In depth technology High level overview Yes, you get both! S390x? Mainframe Highly available Highly

More information

Tom Eastep Linuxfest NW April 26-27, 2008 Bellingham, Washington

Tom Eastep Linuxfest NW April 26-27, 2008 Bellingham, Washington Tom Eastep Linuxfest NW April 26-27, 2008 Bellingham, Washington 1. Introduction to Virtualization Techniques 2. Pros and Cons 3. Where does KVM fit in 4. QEMU-kvm 5. Creating a virtual disk 6. Installing

More information

Cloud Computing CS 15-319

Cloud Computing CS 15-319 Cloud Computing CS 15-319 Virtualization Case Studies : Xen and VMware Lecture 20 Majd F. Sakr, Mohammad Hammoud and Suhail Rehman 1 Today Last session Resource Virtualization Today s session Virtualization

More information

Professional Xen Visualization

Professional Xen Visualization Professional Xen Visualization William von Hagen WILEY Wiley Publishing, Inc. Acknowledgments Introduction ix xix Chapter 1: Overview of Virtualization : 1 What Is Virtualization? 2 Application Virtualization

More information

Virtualization System Vulnerability Discovery Framework. Speaker: Qinghao Tang Title:360 Marvel Team Leader

Virtualization System Vulnerability Discovery Framework. Speaker: Qinghao Tang Title:360 Marvel Team Leader Virtualization System Vulnerability Discovery Framework Speaker: Qinghao Tang Title:360 Marvel Team Leader 1 360 Marvel Team Established in May 2015, the first professional could computing and virtualization

More information

Hardware Based Virtualization Technologies. Elsie Wahlig elsie.wahlig@amd.com Platform Software Architect

Hardware Based Virtualization Technologies. Elsie Wahlig elsie.wahlig@amd.com Platform Software Architect Hardware Based Virtualization Technologies Elsie Wahlig elsie.wahlig@amd.com Platform Software Architect Outline What is Virtualization? Evolution of Virtualization AMD Virtualization AMD s IO Virtualization

More information

Virtualization. Dr. Yingwu Zhu

Virtualization. Dr. Yingwu Zhu Virtualization Dr. Yingwu Zhu What is virtualization? Virtualization allows one computer to do the job of multiple computers. Virtual environments let one computer host multiple operating systems at the

More information

POACHER TURNED GATEKEEPER: LESSONS LEARNED FROM EIGHT YEARS OF BREAKING HYPERVISORS. Rafal Wojtczuk

POACHER TURNED GATEKEEPER: LESSONS LEARNED FROM EIGHT YEARS OF BREAKING HYPERVISORS. Rafal Wojtczuk <rafal@bromium.com> POACHER TURNED GATEKEEPER: LESSONS LEARNED FROM EIGHT YEARS OF BREAKING HYPERVISORS Rafal Wojtczuk Agenda About the speaker Types of hypervisors Attack surface Examples of past and

More information

Virtualization for Cloud Computing

Virtualization for Cloud Computing Virtualization for Cloud Computing Dr. Sanjay P. Ahuja, Ph.D. 2010-14 FIS Distinguished Professor of Computer Science School of Computing, UNF CLOUD COMPUTING On demand provision of computational resources

More information

How to Install Windows on Xen TM 3.0

How to Install Windows on Xen TM 3.0 How to Install Windows on Xen TM 3.0 A XenSource Technical Note for the Windows 2003 Server Introduction This note describes how to install Windows 2003 Server on Xen. It provides an overview of the Linux

More information

Virtualization Technologies

Virtualization Technologies 12 January 2010 Virtualization Technologies Alex Landau (lalex@il.ibm.com) IBM Haifa Research Lab What is virtualization? Virtualization is way to run multiple operating systems and user applications on

More information

Attacking Hypervisors via Firmware and Hardware

Attacking Hypervisors via Firmware and Hardware Attacking Hypervisors via Firmware and Hardware Mikhail Gorobets, Oleksandr Bazhaniuk, Alex Matrosov, Andrew Furtak, Yuriy Bulygin Advanced Threat Research Agenda Hypervisor based isolation Firmware rootkit

More information

Practical Applications of Virtualization. Mike Phillips IAP 2008 SIPB IAP Series http://stuff.mit.edu/iap/ http://stuff.mit.

Practical Applications of Virtualization. Mike Phillips <mpp@mit.edu> IAP 2008 SIPB IAP Series http://stuff.mit.edu/iap/ http://stuff.mit. Practical Applications of Virtualization Mike Phillips IAP 2008 SIPB IAP Series http://stuff.mit.edu/iap/ http://stuff.mit.edu/sipb/ Some Guy Rambling About Virtualization Stuff He's Read

More information

Nested Virtualization

Nested Virtualization Nested Virtualization State of the art and future directions Bandan Das Yang Z Zhang Jan Kiszka 2 Outline Introduction Changes and Missing Features for AMD Changes and Missing Features for Intel Working

More information

Basics of Virtualisation

Basics of Virtualisation Basics of Virtualisation Volker Büge Institut für Experimentelle Kernphysik Universität Karlsruhe Die Kooperation von The x86 Architecture Why do we need virtualisation? x86 based operating systems are

More information

BHyVe. BSD Hypervisor. Neel Natu Peter Grehan

BHyVe. BSD Hypervisor. Neel Natu Peter Grehan BHyVe BSD Hypervisor Neel Natu Peter Grehan 1 Introduction BHyVe stands for BSD Hypervisor Pronounced like beehive Type 2 Hypervisor (aka hosted hypervisor) FreeBSD is the Host OS Availability NetApp is

More information

kvm: Kernel-based Virtual Machine for Linux

kvm: Kernel-based Virtual Machine for Linux kvm: Kernel-based Virtual Machine for Linux 1 Company Overview Founded 2005 A Delaware corporation Locations US Office Santa Clara, CA R&D - Netanya/Poleg Funding Expertise in enterprise infrastructure

More information

Enabling Technologies for Distributed Computing

Enabling Technologies for Distributed Computing Enabling Technologies for Distributed Computing Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF Multi-core CPUs and Multithreading Technologies

More information

KVM: Kernel-based Virtualization Driver

KVM: Kernel-based Virtualization Driver KVM: Kernel-based Virtualization Driver White Paper Overview The current interest in virtualization has led to the creation of several different hypervisors. Most of these, however, predate hardware-assisted

More information

KVM KERNEL BASED VIRTUAL MACHINE

KVM KERNEL BASED VIRTUAL MACHINE KVM KERNEL BASED VIRTUAL MACHINE BACKGROUND Virtualization has begun to transform the way that enterprises are deploying and managing their infrastructure, providing the foundation for a truly agile enterprise,

More information

Module I-7410 Advanced Linux FS-11 Part1: Virtualization with KVM

Module I-7410 Advanced Linux FS-11 Part1: Virtualization with KVM Bern University of Applied Sciences Engineering and Information Technology Module I-7410 Advanced Linux FS-11 Part1: Virtualization with KVM By Franz Meyer Version 1.0 February 2011 Virtualization Architecture

More information

A quantitative comparison between xen and kvm

A quantitative comparison between xen and kvm Home Search Collections Journals About Contact us My IOPscience A quantitative comparison between xen and kvm This content has been downloaded from IOPscience. Please scroll down to see the full text.

More information

Security Challenges in Virtualized Environments

Security Challenges in Virtualized Environments Security Challenges in Virtualized Environments Joanna Rutkowska, Invisible Things Lab Confidence 2008, Krakow, Poland, May 15th, 2008 1 Virtualization-based MALWARE 2 Using Virtual Machines for ISOLATION

More information

Network Functions Virtualization on top of Xen

Network Functions Virtualization on top of Xen Network Functions Virtualization on top of Xen Joao Martins*, Mohamed Ahmed*, Felipe Huici*, Costin Raiciu, Vladimir Olteanu, Michio Honda*, Roberto Bifulco*, Simon Kuenzer* * NEC Europe Ltd., Heidelberg,

More information

Virtualization and Performance NSRC

Virtualization and Performance NSRC Virtualization and Performance NSRC Overhead of full emulation Software takes many steps to do what the hardware would do in one step So pure emulation (e.g. QEMU) is slow although much clever optimization

More information

LinuxCon/CloudOpen 2015

LinuxCon/CloudOpen 2015 LinuxCon/CloudOpen 2015 The Bare-Metal Hypervisor as a Platform for Innovation By Russell Pavlicek Xen Project Evangelist Russell.Pavlicek@XenProject.org @RCPavlicek About the Old, Fat Geek Up Front Linux

More information

The Microsoft Windows Hypervisor High Level Architecture

The Microsoft Windows Hypervisor High Level Architecture The Microsoft Windows Hypervisor High Level Architecture September 21, 2007 Abstract The Microsoft Windows hypervisor brings new virtualization capabilities to the Windows Server operating system. Its

More information

9/26/2011. What is Virtualization? What are the different types of virtualization.

9/26/2011. What is Virtualization? What are the different types of virtualization. CSE 501 Monday, September 26, 2011 Kevin Cleary kpcleary@buffalo.edu What is Virtualization? What are the different types of virtualization. Practical Uses Popular virtualization products Demo Question,

More information

VIRTUALIZATION 101. Brainstorm Conference 2013 PRESENTER INTRODUCTIONS

VIRTUALIZATION 101. Brainstorm Conference 2013 PRESENTER INTRODUCTIONS VIRTUALIZATION 101 Brainstorm Conference 2013 PRESENTER INTRODUCTIONS Timothy Leerhoff Senior Consultant TIES 21+ years experience IT consulting 12+ years consulting in Education experience 1 THE QUESTION

More information

Virtual Machine Monitors. Dr. Marc E. Fiuczynski Research Scholar Princeton University

Virtual Machine Monitors. Dr. Marc E. Fiuczynski Research Scholar Princeton University Virtual Machine Monitors Dr. Marc E. Fiuczynski Research Scholar Princeton University Introduction Have been around since 1960 s on mainframes used for multitasking Good example VM/370 Have resurfaced

More information

Hypervisors. Introduction. Introduction. Introduction. Introduction. Introduction. Credits:

Hypervisors. Introduction. Introduction. Introduction. Introduction. Introduction. Credits: Hypervisors Credits: P. Chaganti Xen Virtualization A practical handbook D. Chisnall The definitive guide to Xen Hypervisor G. Kesden Lect. 25 CS 15-440 G. Heiser UNSW/NICTA/OKL Virtualization is a technique

More information

Xen and the Art of Virtualization

Xen and the Art of Virtualization Xen and the Art of Virtualization Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim Harris, Alex Ho, Rolf Neugebauery, Ian Pratt, Andrew Warfield University of Cambridge Computer Laboratory, SOSP

More information

Xen Cloud Platform 0.1 User Security

Xen Cloud Platform 0.1 User Security 1 Xen Cloud Platform 0.1 User Security 0.1 Published October 2009 1.0 Edition Xen Cloud Platform 0.1 User Security Xen Cloud Platform 0.1 User Security Published October 2009 Copyright 2009 Xen, XenSource,

More information

SUSE Virtualization Technologies Roadmap

SUSE Virtualization Technologies Roadmap SUSE Virtualization Technologies Roadmap Michal Svec Senior Product Manager msvec@suse.com Jason Douglas Senior Engineering Manager jdouglas@suse.com Agenda Virtualization @SUSE Enhancements in XEN/KVM

More information

OS Virtualization Frank Hofmann

OS Virtualization Frank Hofmann OS Virtualization Frank Hofmann OP/N1 Released Products Engineering Sun Microsystems UK Overview Different approaches to virtualization > Compartmentalization > System Personalities > Virtual Machines

More information

Architecture of the Kernel-based Virtual Machine (KVM)

Architecture of the Kernel-based Virtual Machine (KVM) Corporate Technology Architecture of the Kernel-based Virtual Machine (KVM) Jan Kiszka, Siemens AG, CT T DE IT 1 Corporate Competence Center Embedded Linux jan.kiszka@siemens.com Copyright Siemens AG 2010.

More information

CPET 581 Cloud Computing: Technologies and Enterprise IT Strategies. Virtualization of Clusters and Data Centers

CPET 581 Cloud Computing: Technologies and Enterprise IT Strategies. Virtualization of Clusters and Data Centers CPET 581 Cloud Computing: Technologies and Enterprise IT Strategies Lecture 4 Virtualization of Clusters and Data Centers Text Book: Distributed and Cloud Computing, by K. Hwang, G C. Fox, and J.J. Dongarra,

More information

Increasing XenServer s VM density

Increasing XenServer s VM density Increasing XenServer s VM density Jonathan Davies, XenServer System Performance Lead XenServer Engineering, Citrix Cambridge, UK 24 Oct 2013 Jonathan Davies (Citrix) Increasing XenServer s VM density 24

More information

Beyond the Hypervisor

Beyond the Hypervisor Beyond the Hypervisor A Technical Roadmap for Open Virtualization, Linux, KVM Mike Day Distinguished Engineer, Chief Virtualization Architect, Open Systems Development Saturday, February 22, 2014 1 mdday@us.ibm.com

More information

A technical review on comparison of Xen and KVM hypervisors: An analysis of virtualization technologies

A technical review on comparison of Xen and KVM hypervisors: An analysis of virtualization technologies ISSN (Online) : 2278-1021 A technical review on comparison of Xen and KVM hypervisors: An analysis of technologies Ms Jayshri Damodar Pagare 1, Dr. Nitin A Koli 2 Research Scholar, Sant Gadge Baba Amravati

More information

Enabling Technologies for Distributed and Cloud Computing

Enabling Technologies for Distributed and Cloud Computing Enabling Technologies for Distributed and Cloud Computing Dr. Sanjay P. Ahuja, Ph.D. 2010-14 FIS Distinguished Professor of Computer Science School of Computing, UNF Multi-core CPUs and Multithreading

More information

Windows Server Virtualization & The Windows Hypervisor

Windows Server Virtualization & The Windows Hypervisor Windows Server Virtualization & The Windows Hypervisor Brandon Baker Lead Security Engineer Windows Kernel Team Microsoft Corporation Agenda - Windows Server Virtualization (WSV) Why a hypervisor? Quick

More information

Xen in Embedded Systems. Ray Kinsella Senior Software Engineer Embedded and Communications Group Intel Corporation

Xen in Embedded Systems. Ray Kinsella Senior Software Engineer Embedded and Communications Group Intel Corporation Xen in Embedded Systems Ray Kinsella Senior Software Engineer Embedded and Communications Group Intel Corporation Legal Notices INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS.

More information

Virtualization Management the ovirt way

Virtualization Management the ovirt way ovirt introduction FOSDEM 2013 Doron Fediuck Red Hat What is ovirt? Large scale, centralized management for server and desktop virtualization Based on leading performance, scalability and security infrastructure

More information

Virtualization. Explain how today s virtualization movement is actually a reinvention

Virtualization. Explain how today s virtualization movement is actually a reinvention Virtualization Learning Objectives Explain how today s virtualization movement is actually a reinvention of the past. Explain how virtualization works. Discuss the technical challenges to virtualization.

More information

www.see-grid-sci.eu Regional SEE-GRID-SCI Training for Site Administrators Institute of Physics Belgrade March 5-6, 2009

www.see-grid-sci.eu Regional SEE-GRID-SCI Training for Site Administrators Institute of Physics Belgrade March 5-6, 2009 SEE-GRID-SCI Virtualization and Grid Computing with XEN www.see-grid-sci.eu Regional SEE-GRID-SCI Training for Site Administrators Institute of Physics Belgrade March 5-6, 2009 Milan Potocnik University

More information

Hybrid Virtualization The Next Generation of XenLinux

Hybrid Virtualization The Next Generation of XenLinux Hybrid Virtualization The Next Generation of XenLinux Jun Nakajima Principal Engineer Intel Open Source Technology Center Legal Disclaimer INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL

More information

Securing your Virtual Datacenter. Part 1: Preventing, Mitigating Privilege Escalation

Securing your Virtual Datacenter. Part 1: Preventing, Mitigating Privilege Escalation Securing your Virtual Datacenter Part 1: Preventing, Mitigating Privilege Escalation Before We Start... Today's discussion is by no means an exhaustive discussion of the security implications of virtualization

More information

Masters Project Proposal

Masters Project Proposal Masters Project Proposal Virtual Machine Storage Performance Using SR-IOV by Michael J. Kopps Committee Members and Signatures Approved By Date Advisor: Dr. Jia Rao Committee Member: Dr. Xiabo Zhou Committee

More information

Using Linux as Hypervisor with KVM

Using Linux as Hypervisor with KVM Using Linux as Hypervisor with KVM Qumranet Inc. Andrea Arcangeli andrea@qumranet.com (some slides from Avi Kivity) CERN - Geneve 15 Sep 2008 Agenda Overview/feature list KVM design vs other virtualization

More information

Installing & Using KVM with Virtual Machine Manager COSC 495

Installing & Using KVM with Virtual Machine Manager COSC 495 Installing & Using KVM with Virtual Machine Manager COSC 495 1 Abstract:. There are many different hypervisors and virtualization software available for use. One commonly use hypervisor in the Linux system

More information

GUEST OPERATING SYSTEM BASED PERFORMANCE COMPARISON OF VMWARE AND XEN HYPERVISOR

GUEST OPERATING SYSTEM BASED PERFORMANCE COMPARISON OF VMWARE AND XEN HYPERVISOR GUEST OPERATING SYSTEM BASED PERFORMANCE COMPARISON OF VMWARE AND XEN HYPERVISOR ANKIT KUMAR, SAVITA SHIWANI 1 M. Tech Scholar, Software Engineering, Suresh Gyan Vihar University, Rajasthan, India, Email:

More information

VIRTUALIZATION INTROSPECTION SYSTEM ON KVM-BASED CLOUD COMPUTING PLATFORMS. 100356010@nccu.edu.tw Advisor: yuf@nccu.edu.tw Software Security Lab.

VIRTUALIZATION INTROSPECTION SYSTEM ON KVM-BASED CLOUD COMPUTING PLATFORMS. 100356010@nccu.edu.tw Advisor: yuf@nccu.edu.tw Software Security Lab. VIRTUALIZATION INTROSPECTION SYSTEM ON KVM-BASED CLOUD COMPUTING PLATFORMS 100356010@nccu.edu.tw Advisor: yuf@nccu.edu.tw Software Security Lab. Motivation The era of cloud computing Motivation In the

More information

Application Performance in the Cloud, and its Relationship to QoS

Application Performance in the Cloud, and its Relationship to QoS Application Performance in the Cloud, and its Relationship to QoS Fall 2010 First, Last Someone@my.csun.edu Student ID: xxxxxxxxx September 22, 2010 Committee Chair: Dr. Shan Barkataki Approved by: Committee

More information

Chapter 14 Virtual Machines

Chapter 14 Virtual Machines Operating Systems: Internals and Design Principles Chapter 14 Virtual Machines Eighth Edition By William Stallings Virtual Machines (VM) Virtualization technology enables a single PC or server to simultaneously

More information

2972 Linux Options and Best Practices for Scaleup Virtualization

2972 Linux Options and Best Practices for Scaleup Virtualization HP Technology Forum & Expo 2009 Produced in cooperation with: 2972 Linux Options and Best Practices for Scaleup Virtualization Thomas Sjolshagen Linux Product Planner June 17 th, 2009 2009 Hewlett-Packard

More information

Introduction to Virtualization & KVM

Introduction to Virtualization & KVM Introduction to Virtualization & KVM By Zahra Moezkarimi ICT Research Institute Software Platform Laboratory Outline Virtualization History Overview Advantages and Limitations Types of virtualization Virtualization

More information

On the Feasibility of Software Attacks on Commodity Virtual Machine Monitors via Direct Device Assignment

On the Feasibility of Software Attacks on Commodity Virtual Machine Monitors via Direct Device Assignment On the Feasibility of Software Attacks on Commodity Virtual Machine Monitors via Direct Device Assignment Gábor Pék CrySyS Lab, BME Budapest, Hungary pek@crysys.hu Davide Balzarotti Eurecom Sophia Anitpolis,

More information

Virtualization. P. A. Wilsey. The text highlighted in green in these slides contain external hyperlinks. 1 / 16

Virtualization. P. A. Wilsey. The text highlighted in green in these slides contain external hyperlinks. 1 / 16 Virtualization P. A. Wilsey The text highlighted in green in these slides contain external hyperlinks. 1 / 16 Conventional System Viewed as Layers This illustration is a common presentation of the application/operating

More information

Virtualization. ! Physical Hardware. ! Software. ! Isolation. ! Software Abstraction. ! Encapsulation. ! Virtualization Layer. !

Virtualization. ! Physical Hardware. ! Software. ! Isolation. ! Software Abstraction. ! Encapsulation. ! Virtualization Layer. ! Starting Point: A Physical Machine Virtualization Based on materials from: Introduction to Virtual Machines by Carl Waldspurger Understanding Intel Virtualization Technology (VT) by N. B. Sahgal and D.

More information

SUSE Linux Enterprise 10 SP2: Virtualization Technology Support

SUSE Linux Enterprise 10 SP2: Virtualization Technology Support Technical White Paper LINUX OPERATING SYSTEMS www.novell.com SUSE Linux Enterprise 10 SP2: Virtualization Technology Support Content and modifications. The contents of this document are not part of the

More information

Virtualization System Security

Virtualization System Security Virtualization System Security Bryan Williams, IBM X-Force Advanced Research Tom Cross, Manager, IBM X-Force Security Strategy 2009 IBM Corporation Overview Vulnerability disclosure analysis Vulnerability

More information

Performance Evaluation of Virtual Routers in Para-virtual Environment

Performance Evaluation of Virtual Routers in Para-virtual Environment Performance Evaluation of Virtual Routers in Para-virtual Environment 1. Abhishek Bajaj abhishek.bajaj@iiitb.net 2. Anargha Biswas anargha.biswas@iiitb.net 3. Ambarish Kumar ambarish.kumar@iiitb.net 4.

More information

Virtualization. Jukka K. Nurminen 23.9.2015

Virtualization. Jukka K. Nurminen 23.9.2015 Virtualization Jukka K. Nurminen 23.9.2015 Virtualization Virtualization refers to the act of creating a virtual (rather than actual) version of something, including virtual computer hardware platforms,

More information

Virtual Machines. Virtual Machine (VM) Examples of Virtual Systems. Types of Virtual Machine

Virtual Machines. Virtual Machine (VM) Examples of Virtual Systems. Types of Virtual Machine 1 Virtual Machines Virtual Machine (VM) Layered model of computation Software and hardware divided into logical layers Layer n Receives services from server layer n 1 Provides services to client layer

More information

Hypervisors and Virtual Machines

Hypervisors and Virtual Machines Hypervisors and Virtual Machines Implementation Insights on the x86 Architecture DON REVELLE Don is a performance engineer and Linux systems/kernel programmer, specializing in high-volume UNIX, Web, virtualization,

More information

Microkernels, virtualization, exokernels. Tutorial 1 CSC469

Microkernels, virtualization, exokernels. Tutorial 1 CSC469 Microkernels, virtualization, exokernels Tutorial 1 CSC469 Monolithic kernel vs Microkernel Monolithic OS kernel Application VFS System call User mode What was the main idea? What were the problems? IPC,

More information

Virtualization. Jia Rao Assistant Professor in CS http://cs.uccs.edu/~jrao/

Virtualization. Jia Rao Assistant Professor in CS http://cs.uccs.edu/~jrao/ Virtualization Jia Rao Assistant Professor in CS http://cs.uccs.edu/~jrao/ What is Virtualization? Virtualization is the simulation of the software and/ or hardware upon which other software runs. This

More information

Guardian: Hypervisor as Security Foothold for Personal Computers

Guardian: Hypervisor as Security Foothold for Personal Computers Guardian: Hypervisor as Security Foothold for Personal Computers Yueqiang Cheng, Xuhua Ding Singapore Management University (SMU) The International Conference on Trust & Trustworthy Computing (TRUST),

More information