SlideShare a Scribd company logo
1 of 66
Download to read offline
Advanced Security Features of
the Xen Project Hypervisor
Russell Pavlicek
Xen Project Evangelist
Citrix Systems
Who is the Old, Fat Geek Up Front?
● Xen Project Evangelist (I have a big mouth...)
● Employed by Citrix, focused entirely on Xen project
● History with open source begins in 1995
● Former columnist for Infoworld, Processor
magazines
● Former panelist on The Linux Show, speaker at over
50 Open Source conferences
● Over 150 pieces published, one book on
open source, plus blogs
Presentation Goals
● Introduce the subject of security in the Cloud
● Introduce you to the Xen Project Security Tools
● Discuss some key Xen Project security features
● Get you started in the right direction toward securing
your Xen Project Hypervisor installation
Presentation Outline
● A few thoughts on the problem of securing the Cloud
● Overview of the Xen Project architecture
● Brief introduction to the principles of security analysis
● Examine some of the attack surfaces and the Xen
Project features we can use to mitigate them:
– Driver Domains
– PVgrub
– Stub Domains
– Paravirtualization (PV) versus
Hardware Virtualization (HVM)
– FLASK example policy
Introduction: Xen Project, The Cloud,
and Security
Introduction: Xen Project and Security
● Xen Project produces an enterprise-grade Type 1
hypervisor
● Built for the cloud before it was called cloud
● A number of advanced security features
– Driver domains, stub domains, FLASK, and more
– Most of them are not (or cannot) be turned on by
default
– Although they can be simple to use, sometimes
they appear complicated
The Cloud Security Conundrum
● Cloud Security: The 800lb Gorilla in the room
– Nothing generates more fear in specific, and FUD in
general
– Probably the single greatest barrier to Cloud adoption
● Immediately behind it is the inability to get out of the
20th century IT mindset
– Must get past the “Change is Bad” concept of 1980
– Cloud is about embracing change at a rapid pace
– The good news: the “Gorilla” is actually a “Red Herring”
● We don't need to fear it – we just need to solve it
Cloud Security: New Visibility to an Old Problem
● Security has always been an IT issue
● Putting a truly secure system in the open does not
reduce its security, it just increases the frequency of
attack
● Unfortunately, system security behind the firewall has
not always been comprehensive
● Having solutions in an external cloud forces us to
solve the security issues we should have already
solved
News Flash: Security Through Obscurity is Dead
Use Security by Design, Not by Wishful Thinking
● Security by wishful thinking no longer works
– Merely hoping that your firewall holds off the marauding hordes
is NOT good enough
– Addressing security in one area while ignoring others is NOT
good enough
– Saying, “We never had a problem before” is NOT good enough
● Comprehensive security starts with design
– It needs to be planned carefully and thought through
– It needs to be implemented at multiple levels
– It needs components which are themselves securable
Xen Project: Security by Design
● Xen Project software was designed for clouds before the
term “cloud” was ever coined in the industry
– Designers foresaw the day of “infrastructure for wide-
area distributed computing” which we now call “the
cloud”
– http://www.cl.cam.ac.uk/research//srg/netos/xeno/publ
ications.html
● The hypervisor is designed to thwart attacks from many
attack vectors, using different defensive techniques
Basic Architecture of the Xen Project
Hypervisor
Hypervisor Architectures
Type 1: Bare metal Hypervisor
A pure Hypervisor that runs directly on the
hardware and hosts Guest OS’s.
Provides partition isolation +
reliability, higher security
Provides partition isolation +
reliability, higher security
Host HWHost HW
Memory CPUsI/O
HypervisorHypervisor SchedulerScheduler
MMUMMU
Device Drivers/
Models
Device Drivers/
Models
VMn
VMn
VM1
VM1
VM0
VM0
Guest OS
and Apps
Guest OS
and Apps
Hypervisor Architectures
Type 1: Bare metal Hypervisor
A pure Hypervisor that runs directly on the
hardware and hosts Guest OS’s.
Type 2: OS ‘Hosted’
A Hypervisor that runs within a Host OS and
hosts Guest OS’s inside of it, using the host OS
services to provide the virtual environment.
Provides partition isolation +
reliability, higher security
Provides partition isolation +
reliability, higher security
Low cost, no additional drivers
Ease of use and installation
Low cost, no additional drivers
Ease of use and installation
Host HWHost HW
Memory CPUsI/O
Host HWHost HW
Memory CPUsI/O
HypervisorHypervisor SchedulerScheduler
MMUMMU
Device Drivers/
Models
Device Drivers/
Models
VMn
VMn
VM1
VM1
VM0
VM0
Guest OS
and Apps
Guest OS
and Apps
Host OSHost OS
Device DriversDevice Drivers
Ring-0 VM Monitor
“Kernel “
Ring-0 VM Monitor
“Kernel “
VMn
VMn
VM1
VM1
VM0
VM0
Guest OS
and Apps
Guest OS
and Apps
User
Apps
User
Apps
User-level VMMUser-level VMM
Device ModelsDevice Models
Xen Project: Type 1 with a Twist
Type 1: Bare metal Hypervisor
VMn
VMn
VM1
VM1
VM0
VM0
Guest OS
and Apps
Guest OS
and Apps
Host HWHost HW
Memory CPUsI/O
HypervisorHypervisor SchedulerScheduler
MMUMMU
Device Drivers/
Models
Device Drivers/
Models
Xen Project: Type 1 with a Twist
VMn
VMn
VM1
VM1
VM0
VM0
Guest OS
and Apps
Guest OS
and Apps
Host HWHost HW
Memory CPUsI/O
HypervisorHypervisor SchedulerScheduler
MMUMMU
Device Drivers/
Models
Device Drivers/
Models
Type 1: Bare metal Hypervisor
VMn
VMn
VM1
VM1
VM0
VM0
Guest OS
and Apps
Guest OS
and Apps
Host HWHost HW
Memory CPUsI/O
SchedulerScheduler MMUMMU
XEN Architecture
Xen Project: Type 1 with a Twist
VMn
VMn
VM1
VM1
VM0
VM0
Guest OS
and Apps
Guest OS
and Apps
Host HWHost HW
Memory CPUsI/O
HypervisorHypervisor SchedulerScheduler
MMUMMU
Device Drivers/
Models
Device Drivers/
Models
Type 1: Bare metal Hypervisor
VMn
VMn
VM1
VM1
VM0
VM0
Guest OS
and Apps
Guest OS
and Apps
Host HWHost HW
Memory CPUsI/O
SchedulerScheduler MMUMMU
XEN Architecture
Control domain
(dom0)
Control domain
(dom0)
DriversDrivers
Device ModelsDevice Models
Linux & BSDLinux & BSD
Xen Project Architecture: Basic Parts
Security Thinking: An Approach
An Approach to Security Thinking
● Threat models:
– Attacker can access network
– Attacker controls one Guest VM
● Security considerations to evaluate:
– How much code is accessible?
– What is the interface like? (e.g., pointers vs scalars)
– Defense-in-depth: how many rings of defense surround you?
● Then combine security tactics to secure the installation
– There is no single "magic bullet"
– Individual tactics reduce danger; combined tactics go farther
Example System For This Discussion
● Hardware setup
– Two networks: one Control network, one Guest network
– IOMMU with interrupt remapping (AMD or Intel VT-d v2) to allow
for full hardware virtualization (HVM)
● Default configuration
– Network drivers in the Control Domain (aka "Domain 0" or just
"Dom0")
– Paravirtualized (PV) guests using PyGrub (grub-like boot utility
within context of Guest Domain)
– Hardware Virtualized (HVM) guests using Qemu (as the device
model) running in the Control Domain
Attacking the Network Interface
Attack Surface: Network Path
Attack Surface: Network Path
● Where might an exploit focus?
– Bugs in hardware driver
– Bugs in bridging / filtering
– Bugs in netback (via the ring protocol)
● Netback and Netfront are part of the Paravirtualization mode
● Note the exploits
– The main exploits exist already, even in hardware
– The netback surface is very small, but needs to be acknowledged
– When these are attacked in hardware, you have deep trouble
– You actually have better defense in the VM than in hardware
Result: Network Path Compromised
Result: Network Path Compromised
This could lead to the control of the whole system
Vulnerability Analysis:
What could a successful exploit yield?
Control of Domain 0 kernel
Security Feature: Driver Domains
Security Feature: Driver Domains
● What is a Driver Domain?
– Unprivileged VM which drives hardware
– It provides driver access to guest VMs
– Very limited scope; not a full operating system
– Does not have the access or capability of a full VM
Result: Driver Domain Compromised
Result: Driver Domain Compromised
● Now a successful exploit could yield:
– Control of the Driver Domain
(Paravirtualization hypercall interface)
● But the Driver Domain is limited: no shell, no utilities
– Control of that guest's network traffic
● But in the cloud, most orchestrators detect network traffic failure
● The problem is not allowed to stand very long
– Control of the network interface card (NIC)
– An opportunity to attack the netfront of other guest VMs
● But to take advantage of this platform, you need to launch another attack
● Compound attacks are complex, and they take time which you may not have
Basic How To: Driver Domains
● Create a VM with appropriate drivers
– Use any distribution suitable as a Control Domain
● Install the Xen Project hotplug scripts
– Just installing the Xen Project tools in the VM is usually
good enough
● Give the VM access to the physical NIC with PCI passthrough
● Configure the network topology in the Driver Domain
– Just like you would for the Control Domain
Basic How To: Driver Domains
● Configure the guest Virtual Network Interface (vif) to
use the new domain ID
– Add “backend=domnet” to vif declaration
vif = [ 'type=pv, bridge=xenbr0, backend=domnet' ]
Detailed Info
http://wiki.xenproject.org/wiki/Driver_Domain
Attacking the PyGrub Boot Loader
Attack Surface: PyGrub
Attack Surface: PyGrub
● What is PyGrub?
– “grub” implementation for Paravirtualized guests
– A Python program running in Control Domain
● What does it do?
– It reads the guest VM's filesystem
– It parses grub.conf
– It displays a boot menu to the user
– It passes the selected kernel image to domain builder
Attack Surface: PyGrub
Attack Surface: PyGrub
● Where might an exploit focus?
– Bugs in file system parser
– Bugs in menu parser
– Bugs in domain builder
● Again, note the exploits
– Forms of these exist in hardware as well
– But hardware doesn't have as many options to combat
the situation
Result: PyGrub Compromised
Result: PyGrub Compromised
This could lead to the control of the whole system
Vulnerability Analysis:
What could a successful exploit yield?
Control of Domain 0 user space
Security Feature: Fixed Kernels
Security Feature: Fixed Kernels
● What is a fixed kernel?
– Passing a known-good kernel from Control Domain
● No longer allows a user to choose the kernel
● Best practice for anything in production
– Removes attacker avenue to domain builder
● Disadvantages
– Host administrator must keep up with kernel updates
– Guest admin can't pass kernel parameters or custom kernels
Security Feature: PVgrub
Security Feature: PVgrub
● What is PVgrub?
– MiniOS plus the Paravirtualized port of “grub” running
in a guest context
– Paravirtualized equivalent of Hardware Virtualized
combination of BIOS plus grub
Result: PVgrub Compromised
Control Domain is no longer at risk
Vulnerability Analysis:
Now a successful exploit could yield:
Control of the attacked Guest Domain alone
Basic HowTo: PVgrub
● Make sure that you have the PVgrub image
– “pvgrub-$ARCH.gz”
– Normally lives in “/usr/lib/xen/boot”
– Debian, SLES: Currently need to build for yourself
– Included in Fedora Xen Project packages
● Use appropriate PVgrub as bootloader in guest
configuration:
– kernel="/usr/lib/xen/boot/pvgrub-x86_32.gz"
See http://wiki.xenproject.org/wiki/Pvgrub
Attacking the Qemu Device Model
Attack Surface: Device Model (Qemu)
Attack Surface: Device Model (Qemu)
● What is Qemu?
– In other contexts, a virtualization provider
– In the Xen Project context, a provider of needed
device models
● Where might an exploit focus?
– Bugs in NIC emulator parsing packets
– Bugs in emulation of virtual devices
Result: Device Model Compromised
This could lead to the control of the whole system
Vulnerability Analysis:
What could a successful exploit yield?
Control Domain privileged user space
Security Feature: Qemu Stub Domains
● What is a stub domain?
– Stub domain: a small “service'' domain running just
one application
– Qemu stub domain: run each Qemu in its own
domain
Result: Stub Domain Compromised
You need to devise another attack entirely to do
anything more significant
Vulnerability Analysis:
Now a successful exploit could yield:
Control only of the stub domain VM
(which, if FLASK is employed, is a relatively small universe)
Basic HowTo: Qemu Stub Domains
● Make sure that you have the ioemu image:
– “ioemu-$ARCH.gz”
– Normally lives in “/usr/lib/xen/boot”
– SUSE SLES, currently need to build it yourself (SLES 12?)
– Included in Fedora Xen Project packages
– On Debian (and offshoots), you will need to build it yourself
● Specify stub domains in your guest configuration:
device_model_stubdomain_override = 1
http://wiki.xenproject.org/wiki/Device_Model_Stub_Domains
Detailed Info
Attacking the Hypervisor Itself
Attack Surface: The Hypervisor Itself
● Where might an exploit focus?
– On Paravirtualized (PV) Guests:
● PV Hypercalls
– On full Hardware Virtualized (HVM) Guests:
● HVM hypercalls (Subset of PV hypercalls)
● Instruction emulation (MMIO, shadow pagetables)
● Emulated platform devices: APIC, HPET, PIT
● Nested virtualization
● Security practice: Use PV VMs whenever possible
Using the Xen Project Security Module
Security Feature: FLASK Policy
● What is FLASK?
– Xen Project Security Module (XSM): Xen Project
equivalent of LSM
– FLASK: FLux Advanced Security Kernel
– Framework for XSM developed by NSA
– Xen Project equivalent of SELinux
– Uses same concepts and tools as SELinux
– Allows a policy to restrict hypercalls
Security Feature: FLASK Policy
● What can FLASK do?
– Basic: Restricts hypercalls to those needed by a particular
guest
– Advanced: Allows more fine-grained granting of privileges
● FLASK example policy
– This contains example roles for the Control Domain
(dom0), User/Guest Domain(domU), stub domains, driver
domains, etc.
– Make sure you TEST the example policy in your
environment BEFORE putting it into production!
NOTE: As an example policy, it is not as rigorously tested as
other parts of Xen during release; make sure it is suitable for you
Basic HowTo: FLASK Example Policy
● Build Xen Project software with XSM enabled
● Build the example policy
● Add the appropriate label to guest config files:
– “seclabel=[foo]”
– “stubdom_label=[foo]”
http://wiki.xenproject.org/wiki/Xen_Security_Modules_:_XSM-FLASK
Detailed Info
ARM-Specific Security Features
ARM SOCARM SOC
Xen Project + ARM = A Perfect Match
ARM Architecture Features for VirtualizationARM Architecture Features for Virtualization
Hypervisor mode : EL2
Kernel mode : EL1
User mode : EL0
GIC
v2
GIC
v2GTGT
2
stage
MMU
2
stage
MMU
I/O
Device Tree describes …
Hypercall Interface HVCHypercall Interface HVC
ARM SOCARM SOC ARM Architecture Features for VirtualizationARM Architecture Features for Virtualization
EL2
EL1
EL0
GIC
v2
GIC
v2GTGT
2
stage
MMU
2
stage
MMU
I/O
Device Tree describes …
HVCHVC
Xen Project + ARM = A Perfect Match
Xen Project HypervisorXen Project Hypervisor
ARM SOCARM SOC ARM Architecture Features for VirtualizationARM Architecture Features for Virtualization
EL2
EL1
EL0
GIC
v2
GIC
v2GTGT
2
stage
MMU
2
stage
MMU
I/O
Device Tree describes …
HVCHVC
Xen Project + ARM = A Perfect Match
Xen Project HypervisorXen Project Hypervisor
Any Xen Project Guest VM (including Dom0)Any Xen Project Guest VM (including Dom0)
KernelKernel
User SpaceUser Space
HVCHVC
ARM SOCARM SOC ARM Architecture Features for VirtualizationARM Architecture Features for Virtualization
EL2
EL1
EL0
GIC
v2
GIC
v2GTGT
2
stage
MMU
2
stage
MMU
I/O
Device Tree describes …
HVCHVC
Xen Project + ARM = A Perfect Match
Xen Project HypervisorXen Project Hypervisor
Dom0
only
Dom0
only
Any Xen Project Guest VM (including Dom0)Any Xen Project Guest VM (including Dom0)
KernelKernel
User SpaceUser Space
I/O
PV
back
PV
frontI/O
HVCHVC
ARM: Right Solution for Security
● Stays in ARM Hypervisor Mode
– The ARM architecture has separate Hypervisor and Kernel modes
– Because Xen Project's architecture maps so well to the ARM architecture, the
hypervisor never has to use Kernel mode
– Other hypervisors have to flip back and forth between modes
– If a hypervisor has to enter Kernel mode, it loses the security of running in a
privileged mode, isolated from the rest of the system
– This is a non-issue with the Xen Project Hypervisor on ARM
● Does not need to use device emulation
– No emulation means a smaller attack surface for bad guys
Xen Project Events Coming Up
● Xen Project User Summit
– September 15, 2014 in New York City
– Call For Participation closes May 31
http://events.linuxfoundation.org/events/xen-project-user-summit/program/cfp
● Xen Project Developer Summit
– August 18-19, 2014 in Chicago at LinuxCon NA
– Call For Participation closes May 2
http://events.linuxfoundation.org/events/xen-project-developer-summit
For More Information...
Thanks to George Dunlap for supplying much of the information
presented here, and Stefano Stabellini for ARM information
Center of the Xen Project universe:
http://www.XenProject.org/
Contact me at russell.pavlicek@xenproject.org
Detailed Info
http://wiki.xenproject.org/wiki/Securing_Xen
Thank You!
LFNW2014 Advanced Security Features of Xen Project Hypervisor

More Related Content

What's hot

XPDS16: Xenbedded: Xen-based client virtualization for phones and tablets - ...
XPDS16:  Xenbedded: Xen-based client virtualization for phones and tablets - ...XPDS16:  Xenbedded: Xen-based client virtualization for phones and tablets - ...
XPDS16: Xenbedded: Xen-based client virtualization for phones and tablets - ...The Linux Foundation
 
Bare-Metal Hypervisor as a Platform for Innovation
Bare-Metal Hypervisor as a Platform for InnovationBare-Metal Hypervisor as a Platform for Innovation
Bare-Metal Hypervisor as a Platform for InnovationThe Linux Foundation
 
ELC21: VM-to-VM Communication Mechanisms for Embedded
ELC21: VM-to-VM Communication Mechanisms for EmbeddedELC21: VM-to-VM Communication Mechanisms for Embedded
ELC21: VM-to-VM Communication Mechanisms for EmbeddedStefano Stabellini
 
XPDS16: CPUID handling for guests - Andrew Cooper, Citrix
XPDS16:  CPUID handling for guests - Andrew Cooper, CitrixXPDS16:  CPUID handling for guests - Andrew Cooper, Citrix
XPDS16: CPUID handling for guests - Andrew Cooper, CitrixThe Linux Foundation
 
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...The Linux Foundation
 
ARM Architecture-based System Virtualization: Xen ARM open source software pr...
ARM Architecture-based System Virtualization: Xen ARM open source software pr...ARM Architecture-based System Virtualization: Xen ARM open source software pr...
ARM Architecture-based System Virtualization: Xen ARM open source software pr...The Linux Foundation
 
Xen Project 15 Years down the Line
Xen Project 15 Years down the LineXen Project 15 Years down the Line
Xen Project 15 Years down the LineThe Linux Foundation
 
XPDS16: Hypervisor-based Security: Vicarious Learning via Introspektioneerin...
XPDS16:  Hypervisor-based Security: Vicarious Learning via Introspektioneerin...XPDS16:  Hypervisor-based Security: Vicarious Learning via Introspektioneerin...
XPDS16: Hypervisor-based Security: Vicarious Learning via Introspektioneerin...The Linux Foundation
 
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...The Linux Foundation
 
Multiple Device Emulators for HVM Guests, Paul Durrant, Citrix
Multiple Device Emulators for HVM Guests, Paul Durrant, CitrixMultiple Device Emulators for HVM Guests, Paul Durrant, Citrix
Multiple Device Emulators for HVM Guests, Paul Durrant, CitrixThe Linux Foundation
 
Xen, XenServer, and XAPI: What’s the Difference?-XPUS13 Bulpin,Pavlicek
Xen, XenServer, and XAPI: What’s the Difference?-XPUS13 Bulpin,PavlicekXen, XenServer, and XAPI: What’s the Difference?-XPUS13 Bulpin,Pavlicek
Xen, XenServer, and XAPI: What’s the Difference?-XPUS13 Bulpin,PavlicekThe Linux Foundation
 
XPDS16: libvirt and Tools: What's New and What's Next - James Fehlig, SUSE
XPDS16: libvirt and Tools: What's New and What's Next - James Fehlig, SUSEXPDS16: libvirt and Tools: What's New and What's Next - James Fehlig, SUSE
XPDS16: libvirt and Tools: What's New and What's Next - James Fehlig, SUSEThe Linux Foundation
 
XPDS16: AMD's virtualization memory encryption technology - Brijesh Singh, A...
XPDS16:  AMD's virtualization memory encryption technology - Brijesh Singh, A...XPDS16:  AMD's virtualization memory encryption technology - Brijesh Singh, A...
XPDS16: AMD's virtualization memory encryption technology - Brijesh Singh, A...The Linux Foundation
 

What's hot (20)

Xen RAS Status and Progress
Xen RAS Status and ProgressXen RAS Status and Progress
Xen RAS Status and Progress
 
XPDS16: Xenbedded: Xen-based client virtualization for phones and tablets - ...
XPDS16:  Xenbedded: Xen-based client virtualization for phones and tablets - ...XPDS16:  Xenbedded: Xen-based client virtualization for phones and tablets - ...
XPDS16: Xenbedded: Xen-based client virtualization for phones and tablets - ...
 
PVH : PV Guest in HVM container
PVH : PV Guest in HVM containerPVH : PV Guest in HVM container
PVH : PV Guest in HVM container
 
Xen io
Xen ioXen io
Xen io
 
XPDS16: Xen Development Update
XPDS16: Xen Development UpdateXPDS16: Xen Development Update
XPDS16: Xen Development Update
 
Bare-Metal Hypervisor as a Platform for Innovation
Bare-Metal Hypervisor as a Platform for InnovationBare-Metal Hypervisor as a Platform for Innovation
Bare-Metal Hypervisor as a Platform for Innovation
 
ELC21: VM-to-VM Communication Mechanisms for Embedded
ELC21: VM-to-VM Communication Mechanisms for EmbeddedELC21: VM-to-VM Communication Mechanisms for Embedded
ELC21: VM-to-VM Communication Mechanisms for Embedded
 
XPDS16: CPUID handling for guests - Andrew Cooper, Citrix
XPDS16:  CPUID handling for guests - Andrew Cooper, CitrixXPDS16:  CPUID handling for guests - Andrew Cooper, Citrix
XPDS16: CPUID handling for guests - Andrew Cooper, Citrix
 
Why xen slides
Why xen slidesWhy xen slides
Why xen slides
 
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
 
ARM Architecture-based System Virtualization: Xen ARM open source software pr...
ARM Architecture-based System Virtualization: Xen ARM open source software pr...ARM Architecture-based System Virtualization: Xen ARM open source software pr...
ARM Architecture-based System Virtualization: Xen ARM open source software pr...
 
µ-Xen
µ-Xenµ-Xen
µ-Xen
 
Xen Project 15 Years down the Line
Xen Project 15 Years down the LineXen Project 15 Years down the Line
Xen Project 15 Years down the Line
 
Ian Pratt Nsdi Keynote Apr2008
Ian Pratt Nsdi Keynote Apr2008Ian Pratt Nsdi Keynote Apr2008
Ian Pratt Nsdi Keynote Apr2008
 
XPDS16: Hypervisor-based Security: Vicarious Learning via Introspektioneerin...
XPDS16:  Hypervisor-based Security: Vicarious Learning via Introspektioneerin...XPDS16:  Hypervisor-based Security: Vicarious Learning via Introspektioneerin...
XPDS16: Hypervisor-based Security: Vicarious Learning via Introspektioneerin...
 
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
 
Multiple Device Emulators for HVM Guests, Paul Durrant, Citrix
Multiple Device Emulators for HVM Guests, Paul Durrant, CitrixMultiple Device Emulators for HVM Guests, Paul Durrant, Citrix
Multiple Device Emulators for HVM Guests, Paul Durrant, Citrix
 
Xen, XenServer, and XAPI: What’s the Difference?-XPUS13 Bulpin,Pavlicek
Xen, XenServer, and XAPI: What’s the Difference?-XPUS13 Bulpin,PavlicekXen, XenServer, and XAPI: What’s the Difference?-XPUS13 Bulpin,Pavlicek
Xen, XenServer, and XAPI: What’s the Difference?-XPUS13 Bulpin,Pavlicek
 
XPDS16: libvirt and Tools: What's New and What's Next - James Fehlig, SUSE
XPDS16: libvirt and Tools: What's New and What's Next - James Fehlig, SUSEXPDS16: libvirt and Tools: What's New and What's Next - James Fehlig, SUSE
XPDS16: libvirt and Tools: What's New and What's Next - James Fehlig, SUSE
 
XPDS16: AMD's virtualization memory encryption technology - Brijesh Singh, A...
XPDS16:  AMD's virtualization memory encryption technology - Brijesh Singh, A...XPDS16:  AMD's virtualization memory encryption technology - Brijesh Singh, A...
XPDS16: AMD's virtualization memory encryption technology - Brijesh Singh, A...
 

Similar to LFNW2014 Advanced Security Features of Xen Project Hypervisor

Scale 12x Securing Your Cloud with The Xen Hypervisor
Scale 12x Securing Your Cloud with The Xen HypervisorScale 12x Securing Your Cloud with The Xen Hypervisor
Scale 12x Securing Your Cloud with The Xen HypervisorThe Linux Foundation
 
Build-a-Cloud Day - Securing Your Cloud with Xen
Build-a-Cloud Day - Securing Your Cloud with XenBuild-a-Cloud Day - Securing Your Cloud with Xen
Build-a-Cloud Day - Securing Your Cloud with XenThe Linux Foundation
 
Securing Your Cloud With the Xen Hypervisor by Russell Pavlicek
Securing Your Cloud With the Xen Hypervisor by Russell PavlicekSecuring Your Cloud With the Xen Hypervisor by Russell Pavlicek
Securing Your Cloud With the Xen Hypervisor by Russell Pavlicekbuildacloud
 
Securing your Cloud with Xen - SUSECon 2013
Securing your Cloud with Xen - SUSECon 2013Securing your Cloud with Xen - SUSECon 2013
Securing your Cloud with Xen - SUSECon 2013The Linux Foundation
 
Securing Your Cloud with Xen (CloudOpen NA 2013)
Securing Your Cloud with Xen (CloudOpen NA 2013)Securing Your Cloud with Xen (CloudOpen NA 2013)
Securing Your Cloud with Xen (CloudOpen NA 2013)Russell Pavlicek
 
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...The Linux Foundation
 
IITCC15: The Bare-Metal Hypervisor as a Platform for Innovation
IITCC15: The Bare-Metal Hypervisor as a Platform for InnovationIITCC15: The Bare-Metal Hypervisor as a Platform for Innovation
IITCC15: The Bare-Metal Hypervisor as a Platform for InnovationThe Linux Foundation
 
Xen and Client Virtualization: the case of XenClient XT
Xen and Client Virtualization: the case of XenClient XTXen and Client Virtualization: the case of XenClient XT
Xen and Client Virtualization: the case of XenClient XTThe Linux Foundation
 
Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018The Linux Foundation
 
Q Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - ConjurQ Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - Conjurconjur_inc
 
VMworld 2014: ESXi Hypervisor Security
VMworld 2014: ESXi Hypervisor SecurityVMworld 2014: ESXi Hypervisor Security
VMworld 2014: ESXi Hypervisor SecurityVMworld
 
LF Collaboration Summit: Xen Project 4 4 Features and Futures
LF Collaboration Summit: Xen Project 4 4 Features and FuturesLF Collaboration Summit: Xen Project 4 4 Features and Futures
LF Collaboration Summit: Xen Project 4 4 Features and FuturesThe Linux Foundation
 
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld
 
Xen 10th anniversary Status Report (at SELF 2013)
Xen 10th anniversary Status Report (at SELF 2013)Xen 10th anniversary Status Report (at SELF 2013)
Xen 10th anniversary Status Report (at SELF 2013)Russell Pavlicek
 
V mwarev sphere5.1notes-v2
V mwarev sphere5.1notes-v2V mwarev sphere5.1notes-v2
V mwarev sphere5.1notes-v2karanamsaibabu
 

Similar to LFNW2014 Advanced Security Features of Xen Project Hypervisor (20)

Scale 12x Securing Your Cloud with The Xen Hypervisor
Scale 12x Securing Your Cloud with The Xen HypervisorScale 12x Securing Your Cloud with The Xen Hypervisor
Scale 12x Securing Your Cloud with The Xen Hypervisor
 
Build-a-Cloud Day - Securing Your Cloud with Xen
Build-a-Cloud Day - Securing Your Cloud with XenBuild-a-Cloud Day - Securing Your Cloud with Xen
Build-a-Cloud Day - Securing Your Cloud with Xen
 
Securing Your Cloud With the Xen Hypervisor by Russell Pavlicek
Securing Your Cloud With the Xen Hypervisor by Russell PavlicekSecuring Your Cloud With the Xen Hypervisor by Russell Pavlicek
Securing Your Cloud With the Xen Hypervisor by Russell Pavlicek
 
Securing your Cloud with Xen - SUSECon 2013
Securing your Cloud with Xen - SUSECon 2013Securing your Cloud with Xen - SUSECon 2013
Securing your Cloud with Xen - SUSECon 2013
 
Securing Your Cloud with Xen (CloudOpen NA 2013)
Securing Your Cloud with Xen (CloudOpen NA 2013)Securing Your Cloud with Xen (CloudOpen NA 2013)
Securing Your Cloud with Xen (CloudOpen NA 2013)
 
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...
 
LFCOLLAB15: Xen 4.5 and Beyond
LFCOLLAB15: Xen 4.5 and BeyondLFCOLLAB15: Xen 4.5 and Beyond
LFCOLLAB15: Xen 4.5 and Beyond
 
A Xen Case Study
A Xen Case StudyA Xen Case Study
A Xen Case Study
 
IITCC15: The Bare-Metal Hypervisor as a Platform for Innovation
IITCC15: The Bare-Metal Hypervisor as a Platform for InnovationIITCC15: The Bare-Metal Hypervisor as a Platform for Innovation
IITCC15: The Bare-Metal Hypervisor as a Platform for Innovation
 
Xen revisited
Xen revisitedXen revisited
Xen revisited
 
Xen and Client Virtualization: the case of XenClient XT
Xen and Client Virtualization: the case of XenClient XTXen and Client Virtualization: the case of XenClient XT
Xen and Client Virtualization: the case of XenClient XT
 
Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018
 
Usenix Invited Talk
Usenix Invited TalkUsenix Invited Talk
Usenix Invited Talk
 
Q Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - ConjurQ Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - Conjur
 
VMworld 2014: ESXi Hypervisor Security
VMworld 2014: ESXi Hypervisor SecurityVMworld 2014: ESXi Hypervisor Security
VMworld 2014: ESXi Hypervisor Security
 
µ-Xen
µ-Xenµ-Xen
µ-Xen
 
LF Collaboration Summit: Xen Project 4 4 Features and Futures
LF Collaboration Summit: Xen Project 4 4 Features and FuturesLF Collaboration Summit: Xen Project 4 4 Features and Futures
LF Collaboration Summit: Xen Project 4 4 Features and Futures
 
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
 
Xen 10th anniversary Status Report (at SELF 2013)
Xen 10th anniversary Status Report (at SELF 2013)Xen 10th anniversary Status Report (at SELF 2013)
Xen 10th anniversary Status Report (at SELF 2013)
 
V mwarev sphere5.1notes-v2
V mwarev sphere5.1notes-v2V mwarev sphere5.1notes-v2
V mwarev sphere5.1notes-v2
 

More from The Linux Foundation

ELC2019: Static Partitioning Made Simple
ELC2019: Static Partitioning Made SimpleELC2019: Static Partitioning Made Simple
ELC2019: Static Partitioning Made SimpleThe Linux Foundation
 
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...The Linux Foundation
 
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...The Linux Foundation
 
XPDDS19 Keynote: Unikraft Weather Report
XPDDS19 Keynote:  Unikraft Weather ReportXPDDS19 Keynote:  Unikraft Weather Report
XPDDS19 Keynote: Unikraft Weather ReportThe Linux Foundation
 
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...The Linux Foundation
 
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxXPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxThe Linux Foundation
 
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...The Linux Foundation
 
XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
XPDDS19: Memories of a VM Funk - Mihai Donțu, BitdefenderXPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
XPDDS19: Memories of a VM Funk - Mihai Donțu, BitdefenderThe Linux Foundation
 
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19:  The Road to Safety Certification: Overcoming Community Challeng...OSSJP/ALS19:  The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...The Linux Foundation
 
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
 OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making... OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...The Linux Foundation
 
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, CitrixXPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, CitrixThe Linux Foundation
 
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltdXPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltdThe Linux Foundation
 
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...The Linux Foundation
 
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&DXPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&DThe Linux Foundation
 
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsXPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsThe Linux Foundation
 
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...The Linux Foundation
 
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...The Linux Foundation
 
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...The Linux Foundation
 
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSEXPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSEThe Linux Foundation
 
XPDDS19: Implementing AMD MxGPU - Jonathan Farrell, Assured Information Security
XPDDS19: Implementing AMD MxGPU - Jonathan Farrell, Assured Information SecurityXPDDS19: Implementing AMD MxGPU - Jonathan Farrell, Assured Information Security
XPDDS19: Implementing AMD MxGPU - Jonathan Farrell, Assured Information SecurityThe Linux Foundation
 

More from The Linux Foundation (20)

ELC2019: Static Partitioning Made Simple
ELC2019: Static Partitioning Made SimpleELC2019: Static Partitioning Made Simple
ELC2019: Static Partitioning Made Simple
 
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
 
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
 
XPDDS19 Keynote: Unikraft Weather Report
XPDDS19 Keynote:  Unikraft Weather ReportXPDDS19 Keynote:  Unikraft Weather Report
XPDDS19 Keynote: Unikraft Weather Report
 
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
 
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxXPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
 
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
 
XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
XPDDS19: Memories of a VM Funk - Mihai Donțu, BitdefenderXPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
 
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19:  The Road to Safety Certification: Overcoming Community Challeng...OSSJP/ALS19:  The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
 
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
 OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making... OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
 
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, CitrixXPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
 
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltdXPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
 
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
 
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&DXPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
 
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsXPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
 
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
 
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
 
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
 
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSEXPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
 
XPDDS19: Implementing AMD MxGPU - Jonathan Farrell, Assured Information Security
XPDDS19: Implementing AMD MxGPU - Jonathan Farrell, Assured Information SecurityXPDDS19: Implementing AMD MxGPU - Jonathan Farrell, Assured Information Security
XPDDS19: Implementing AMD MxGPU - Jonathan Farrell, Assured Information Security
 

Recently uploaded

Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimizationarrow10202532yuvraj
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?Juan Carlos Gonzalez
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 

Recently uploaded (20)

201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 

LFNW2014 Advanced Security Features of Xen Project Hypervisor

  • 1. Advanced Security Features of the Xen Project Hypervisor Russell Pavlicek Xen Project Evangelist Citrix Systems
  • 2. Who is the Old, Fat Geek Up Front? ● Xen Project Evangelist (I have a big mouth...) ● Employed by Citrix, focused entirely on Xen project ● History with open source begins in 1995 ● Former columnist for Infoworld, Processor magazines ● Former panelist on The Linux Show, speaker at over 50 Open Source conferences ● Over 150 pieces published, one book on open source, plus blogs
  • 3. Presentation Goals ● Introduce the subject of security in the Cloud ● Introduce you to the Xen Project Security Tools ● Discuss some key Xen Project security features ● Get you started in the right direction toward securing your Xen Project Hypervisor installation
  • 4. Presentation Outline ● A few thoughts on the problem of securing the Cloud ● Overview of the Xen Project architecture ● Brief introduction to the principles of security analysis ● Examine some of the attack surfaces and the Xen Project features we can use to mitigate them: – Driver Domains – PVgrub – Stub Domains – Paravirtualization (PV) versus Hardware Virtualization (HVM) – FLASK example policy
  • 5. Introduction: Xen Project, The Cloud, and Security
  • 6. Introduction: Xen Project and Security ● Xen Project produces an enterprise-grade Type 1 hypervisor ● Built for the cloud before it was called cloud ● A number of advanced security features – Driver domains, stub domains, FLASK, and more – Most of them are not (or cannot) be turned on by default – Although they can be simple to use, sometimes they appear complicated
  • 7. The Cloud Security Conundrum ● Cloud Security: The 800lb Gorilla in the room – Nothing generates more fear in specific, and FUD in general – Probably the single greatest barrier to Cloud adoption ● Immediately behind it is the inability to get out of the 20th century IT mindset – Must get past the “Change is Bad” concept of 1980 – Cloud is about embracing change at a rapid pace – The good news: the “Gorilla” is actually a “Red Herring” ● We don't need to fear it – we just need to solve it
  • 8. Cloud Security: New Visibility to an Old Problem ● Security has always been an IT issue ● Putting a truly secure system in the open does not reduce its security, it just increases the frequency of attack ● Unfortunately, system security behind the firewall has not always been comprehensive ● Having solutions in an external cloud forces us to solve the security issues we should have already solved News Flash: Security Through Obscurity is Dead
  • 9. Use Security by Design, Not by Wishful Thinking ● Security by wishful thinking no longer works – Merely hoping that your firewall holds off the marauding hordes is NOT good enough – Addressing security in one area while ignoring others is NOT good enough – Saying, “We never had a problem before” is NOT good enough ● Comprehensive security starts with design – It needs to be planned carefully and thought through – It needs to be implemented at multiple levels – It needs components which are themselves securable
  • 10. Xen Project: Security by Design ● Xen Project software was designed for clouds before the term “cloud” was ever coined in the industry – Designers foresaw the day of “infrastructure for wide- area distributed computing” which we now call “the cloud” – http://www.cl.cam.ac.uk/research//srg/netos/xeno/publ ications.html ● The hypervisor is designed to thwart attacks from many attack vectors, using different defensive techniques
  • 11. Basic Architecture of the Xen Project Hypervisor
  • 12. Hypervisor Architectures Type 1: Bare metal Hypervisor A pure Hypervisor that runs directly on the hardware and hosts Guest OS’s. Provides partition isolation + reliability, higher security Provides partition isolation + reliability, higher security Host HWHost HW Memory CPUsI/O HypervisorHypervisor SchedulerScheduler MMUMMU Device Drivers/ Models Device Drivers/ Models VMn VMn VM1 VM1 VM0 VM0 Guest OS and Apps Guest OS and Apps
  • 13. Hypervisor Architectures Type 1: Bare metal Hypervisor A pure Hypervisor that runs directly on the hardware and hosts Guest OS’s. Type 2: OS ‘Hosted’ A Hypervisor that runs within a Host OS and hosts Guest OS’s inside of it, using the host OS services to provide the virtual environment. Provides partition isolation + reliability, higher security Provides partition isolation + reliability, higher security Low cost, no additional drivers Ease of use and installation Low cost, no additional drivers Ease of use and installation Host HWHost HW Memory CPUsI/O Host HWHost HW Memory CPUsI/O HypervisorHypervisor SchedulerScheduler MMUMMU Device Drivers/ Models Device Drivers/ Models VMn VMn VM1 VM1 VM0 VM0 Guest OS and Apps Guest OS and Apps Host OSHost OS Device DriversDevice Drivers Ring-0 VM Monitor “Kernel “ Ring-0 VM Monitor “Kernel “ VMn VMn VM1 VM1 VM0 VM0 Guest OS and Apps Guest OS and Apps User Apps User Apps User-level VMMUser-level VMM Device ModelsDevice Models
  • 14. Xen Project: Type 1 with a Twist Type 1: Bare metal Hypervisor VMn VMn VM1 VM1 VM0 VM0 Guest OS and Apps Guest OS and Apps Host HWHost HW Memory CPUsI/O HypervisorHypervisor SchedulerScheduler MMUMMU Device Drivers/ Models Device Drivers/ Models
  • 15. Xen Project: Type 1 with a Twist VMn VMn VM1 VM1 VM0 VM0 Guest OS and Apps Guest OS and Apps Host HWHost HW Memory CPUsI/O HypervisorHypervisor SchedulerScheduler MMUMMU Device Drivers/ Models Device Drivers/ Models Type 1: Bare metal Hypervisor VMn VMn VM1 VM1 VM0 VM0 Guest OS and Apps Guest OS and Apps Host HWHost HW Memory CPUsI/O SchedulerScheduler MMUMMU XEN Architecture
  • 16. Xen Project: Type 1 with a Twist VMn VMn VM1 VM1 VM0 VM0 Guest OS and Apps Guest OS and Apps Host HWHost HW Memory CPUsI/O HypervisorHypervisor SchedulerScheduler MMUMMU Device Drivers/ Models Device Drivers/ Models Type 1: Bare metal Hypervisor VMn VMn VM1 VM1 VM0 VM0 Guest OS and Apps Guest OS and Apps Host HWHost HW Memory CPUsI/O SchedulerScheduler MMUMMU XEN Architecture Control domain (dom0) Control domain (dom0) DriversDrivers Device ModelsDevice Models Linux & BSDLinux & BSD
  • 19. An Approach to Security Thinking ● Threat models: – Attacker can access network – Attacker controls one Guest VM ● Security considerations to evaluate: – How much code is accessible? – What is the interface like? (e.g., pointers vs scalars) – Defense-in-depth: how many rings of defense surround you? ● Then combine security tactics to secure the installation – There is no single "magic bullet" – Individual tactics reduce danger; combined tactics go farther
  • 20. Example System For This Discussion ● Hardware setup – Two networks: one Control network, one Guest network – IOMMU with interrupt remapping (AMD or Intel VT-d v2) to allow for full hardware virtualization (HVM) ● Default configuration – Network drivers in the Control Domain (aka "Domain 0" or just "Dom0") – Paravirtualized (PV) guests using PyGrub (grub-like boot utility within context of Guest Domain) – Hardware Virtualized (HVM) guests using Qemu (as the device model) running in the Control Domain
  • 23. Attack Surface: Network Path ● Where might an exploit focus? – Bugs in hardware driver – Bugs in bridging / filtering – Bugs in netback (via the ring protocol) ● Netback and Netfront are part of the Paravirtualization mode ● Note the exploits – The main exploits exist already, even in hardware – The netback surface is very small, but needs to be acknowledged – When these are attacked in hardware, you have deep trouble – You actually have better defense in the VM than in hardware
  • 24. Result: Network Path Compromised
  • 25. Result: Network Path Compromised This could lead to the control of the whole system Vulnerability Analysis: What could a successful exploit yield? Control of Domain 0 kernel
  • 27. Security Feature: Driver Domains ● What is a Driver Domain? – Unprivileged VM which drives hardware – It provides driver access to guest VMs – Very limited scope; not a full operating system – Does not have the access or capability of a full VM
  • 28. Result: Driver Domain Compromised
  • 29. Result: Driver Domain Compromised ● Now a successful exploit could yield: – Control of the Driver Domain (Paravirtualization hypercall interface) ● But the Driver Domain is limited: no shell, no utilities – Control of that guest's network traffic ● But in the cloud, most orchestrators detect network traffic failure ● The problem is not allowed to stand very long – Control of the network interface card (NIC) – An opportunity to attack the netfront of other guest VMs ● But to take advantage of this platform, you need to launch another attack ● Compound attacks are complex, and they take time which you may not have
  • 30. Basic How To: Driver Domains ● Create a VM with appropriate drivers – Use any distribution suitable as a Control Domain ● Install the Xen Project hotplug scripts – Just installing the Xen Project tools in the VM is usually good enough ● Give the VM access to the physical NIC with PCI passthrough ● Configure the network topology in the Driver Domain – Just like you would for the Control Domain
  • 31. Basic How To: Driver Domains ● Configure the guest Virtual Network Interface (vif) to use the new domain ID – Add “backend=domnet” to vif declaration vif = [ 'type=pv, bridge=xenbr0, backend=domnet' ] Detailed Info http://wiki.xenproject.org/wiki/Driver_Domain
  • 32. Attacking the PyGrub Boot Loader
  • 34. Attack Surface: PyGrub ● What is PyGrub? – “grub” implementation for Paravirtualized guests – A Python program running in Control Domain ● What does it do? – It reads the guest VM's filesystem – It parses grub.conf – It displays a boot menu to the user – It passes the selected kernel image to domain builder
  • 36. Attack Surface: PyGrub ● Where might an exploit focus? – Bugs in file system parser – Bugs in menu parser – Bugs in domain builder ● Again, note the exploits – Forms of these exist in hardware as well – But hardware doesn't have as many options to combat the situation
  • 38. Result: PyGrub Compromised This could lead to the control of the whole system Vulnerability Analysis: What could a successful exploit yield? Control of Domain 0 user space
  • 40. Security Feature: Fixed Kernels ● What is a fixed kernel? – Passing a known-good kernel from Control Domain ● No longer allows a user to choose the kernel ● Best practice for anything in production – Removes attacker avenue to domain builder ● Disadvantages – Host administrator must keep up with kernel updates – Guest admin can't pass kernel parameters or custom kernels
  • 42. Security Feature: PVgrub ● What is PVgrub? – MiniOS plus the Paravirtualized port of “grub” running in a guest context – Paravirtualized equivalent of Hardware Virtualized combination of BIOS plus grub
  • 43. Result: PVgrub Compromised Control Domain is no longer at risk Vulnerability Analysis: Now a successful exploit could yield: Control of the attacked Guest Domain alone
  • 44. Basic HowTo: PVgrub ● Make sure that you have the PVgrub image – “pvgrub-$ARCH.gz” – Normally lives in “/usr/lib/xen/boot” – Debian, SLES: Currently need to build for yourself – Included in Fedora Xen Project packages ● Use appropriate PVgrub as bootloader in guest configuration: – kernel="/usr/lib/xen/boot/pvgrub-x86_32.gz" See http://wiki.xenproject.org/wiki/Pvgrub
  • 45. Attacking the Qemu Device Model
  • 46. Attack Surface: Device Model (Qemu)
  • 47. Attack Surface: Device Model (Qemu) ● What is Qemu? – In other contexts, a virtualization provider – In the Xen Project context, a provider of needed device models ● Where might an exploit focus? – Bugs in NIC emulator parsing packets – Bugs in emulation of virtual devices
  • 48. Result: Device Model Compromised This could lead to the control of the whole system Vulnerability Analysis: What could a successful exploit yield? Control Domain privileged user space
  • 49. Security Feature: Qemu Stub Domains ● What is a stub domain? – Stub domain: a small “service'' domain running just one application – Qemu stub domain: run each Qemu in its own domain
  • 50. Result: Stub Domain Compromised You need to devise another attack entirely to do anything more significant Vulnerability Analysis: Now a successful exploit could yield: Control only of the stub domain VM (which, if FLASK is employed, is a relatively small universe)
  • 51. Basic HowTo: Qemu Stub Domains ● Make sure that you have the ioemu image: – “ioemu-$ARCH.gz” – Normally lives in “/usr/lib/xen/boot” – SUSE SLES, currently need to build it yourself (SLES 12?) – Included in Fedora Xen Project packages – On Debian (and offshoots), you will need to build it yourself ● Specify stub domains in your guest configuration: device_model_stubdomain_override = 1 http://wiki.xenproject.org/wiki/Device_Model_Stub_Domains Detailed Info
  • 53. Attack Surface: The Hypervisor Itself ● Where might an exploit focus? – On Paravirtualized (PV) Guests: ● PV Hypercalls – On full Hardware Virtualized (HVM) Guests: ● HVM hypercalls (Subset of PV hypercalls) ● Instruction emulation (MMIO, shadow pagetables) ● Emulated platform devices: APIC, HPET, PIT ● Nested virtualization ● Security practice: Use PV VMs whenever possible
  • 54. Using the Xen Project Security Module
  • 55. Security Feature: FLASK Policy ● What is FLASK? – Xen Project Security Module (XSM): Xen Project equivalent of LSM – FLASK: FLux Advanced Security Kernel – Framework for XSM developed by NSA – Xen Project equivalent of SELinux – Uses same concepts and tools as SELinux – Allows a policy to restrict hypercalls
  • 56. Security Feature: FLASK Policy ● What can FLASK do? – Basic: Restricts hypercalls to those needed by a particular guest – Advanced: Allows more fine-grained granting of privileges ● FLASK example policy – This contains example roles for the Control Domain (dom0), User/Guest Domain(domU), stub domains, driver domains, etc. – Make sure you TEST the example policy in your environment BEFORE putting it into production! NOTE: As an example policy, it is not as rigorously tested as other parts of Xen during release; make sure it is suitable for you
  • 57. Basic HowTo: FLASK Example Policy ● Build Xen Project software with XSM enabled ● Build the example policy ● Add the appropriate label to guest config files: – “seclabel=[foo]” – “stubdom_label=[foo]” http://wiki.xenproject.org/wiki/Xen_Security_Modules_:_XSM-FLASK Detailed Info
  • 59. ARM SOCARM SOC Xen Project + ARM = A Perfect Match ARM Architecture Features for VirtualizationARM Architecture Features for Virtualization Hypervisor mode : EL2 Kernel mode : EL1 User mode : EL0 GIC v2 GIC v2GTGT 2 stage MMU 2 stage MMU I/O Device Tree describes … Hypercall Interface HVCHypercall Interface HVC
  • 60. ARM SOCARM SOC ARM Architecture Features for VirtualizationARM Architecture Features for Virtualization EL2 EL1 EL0 GIC v2 GIC v2GTGT 2 stage MMU 2 stage MMU I/O Device Tree describes … HVCHVC Xen Project + ARM = A Perfect Match Xen Project HypervisorXen Project Hypervisor
  • 61. ARM SOCARM SOC ARM Architecture Features for VirtualizationARM Architecture Features for Virtualization EL2 EL1 EL0 GIC v2 GIC v2GTGT 2 stage MMU 2 stage MMU I/O Device Tree describes … HVCHVC Xen Project + ARM = A Perfect Match Xen Project HypervisorXen Project Hypervisor Any Xen Project Guest VM (including Dom0)Any Xen Project Guest VM (including Dom0) KernelKernel User SpaceUser Space HVCHVC
  • 62. ARM SOCARM SOC ARM Architecture Features for VirtualizationARM Architecture Features for Virtualization EL2 EL1 EL0 GIC v2 GIC v2GTGT 2 stage MMU 2 stage MMU I/O Device Tree describes … HVCHVC Xen Project + ARM = A Perfect Match Xen Project HypervisorXen Project Hypervisor Dom0 only Dom0 only Any Xen Project Guest VM (including Dom0)Any Xen Project Guest VM (including Dom0) KernelKernel User SpaceUser Space I/O PV back PV frontI/O HVCHVC
  • 63. ARM: Right Solution for Security ● Stays in ARM Hypervisor Mode – The ARM architecture has separate Hypervisor and Kernel modes – Because Xen Project's architecture maps so well to the ARM architecture, the hypervisor never has to use Kernel mode – Other hypervisors have to flip back and forth between modes – If a hypervisor has to enter Kernel mode, it loses the security of running in a privileged mode, isolated from the rest of the system – This is a non-issue with the Xen Project Hypervisor on ARM ● Does not need to use device emulation – No emulation means a smaller attack surface for bad guys
  • 64. Xen Project Events Coming Up ● Xen Project User Summit – September 15, 2014 in New York City – Call For Participation closes May 31 http://events.linuxfoundation.org/events/xen-project-user-summit/program/cfp ● Xen Project Developer Summit – August 18-19, 2014 in Chicago at LinuxCon NA – Call For Participation closes May 2 http://events.linuxfoundation.org/events/xen-project-developer-summit
  • 65. For More Information... Thanks to George Dunlap for supplying much of the information presented here, and Stefano Stabellini for ARM information Center of the Xen Project universe: http://www.XenProject.org/ Contact me at russell.pavlicek@xenproject.org Detailed Info http://wiki.xenproject.org/wiki/Securing_Xen Thank You!