xen hypervisor security in vm isolation
play

Xen Hypervisor security in VM isolation Yanick de Jong 4 February - PowerPoint PPT Presentation

Mar 06, 2024 •307 likes •457 views

Xen Hypervisor security in VM isolation Yanick de Jong 4 February 2009 Research Question? What are the risks involved with merging Xen servers in different segments of the network and put all virtual machines together on one machine?

  1. Xen Hypervisor security in VM isolation Yanick de Jong 4 February 2009

  2. Research Question? What are the risks involved with merging Xen servers in different segments of the network and put all virtual machines together on one machine?

  3. Network Overview Internet Server LAN DMZ User LAN

  4. Network Overview Internet Server LAN & DMZ User LAN

  5. Subjects  Network  System  Disk allocation  Memory  Bridging  DMA  Conclusion

  6. Network  Defense in Depth  Least Privilege

  7. System (xen host)  Single point of Failure  Increase complexity

  8. Virtual Machine  Less risks  Easy to restore

  9. Disk Allocation  Writing outside allocated virtual machine diskspace

  10. Memory  Writing into memory  Reading memory  Reading memory from checkpointfile

  11. Bridging  All VM's on the same bridge  VM's connected to physical networkcards  VM's connected with vlan

  12. DMA  Example – Reading memory (RAM) through the firewire port

  13. Conclusion  Network  Defense in Depth  Least Privilege  Single point of failure  Xen host

  14. Questions ?

Recommend

Enhance protection from security bugs in the Xen hypervisor Anthony PERARD Xen architecture

Enhance protection from security bugs in the Xen hypervisor Anthony PERARD Xen architecture

Enhance protection from security bugs in the Xen hypervisor Anthony PERARD Xen architecture Dom0 VMs QEMU Xen Scheduler MMU vPIC Memory CPUs I/O HW Emulation in hypervisor For performance Examples: Interrupt controller

859 views • 20 slides
Hyper-Cube High-Dimensional Hypervisor Fuzzing Sergej Schumilo, Cornelius Aschermann, Ali Abbasi,

Hyper-Cube High-Dimensional Hypervisor Fuzzing Sergej Schumilo, Cornelius Aschermann, Ali Abbasi,

Hyper-Cube High-Dimensional Hypervisor Fuzzing Sergej Schumilo, Cornelius Aschermann, Ali Abbasi, Simon Wrner and Thorsten Holz Chair for Systems Security Ruhr-Universitt Bochum Motivation Hypervisor Motivation Hypervisor VM 1 VM 2

688 views • 53 slides
Outline OS security: protection and isolation CSci 5271 OS security: authentication

Outline OS security: protection and isolation CSci 5271 OS security: authentication

Outline OS security: protection and isolation CSci 5271 OS security: authentication Introduction to Computer Security Announcements intermission Day 9: OS security basics Stephen McCamant Basics of access control University of Minnesota,

269 views • 8 slides
Breaking Up is Hard to Do: Security and Functionality in a Commodity Hypervisor Authors

Breaking Up is Hard to Do: Security and Functionality in a Commodity Hypervisor Authors

Breaking Up is Hard to Do: Security and Functionality in a Commodity Hypervisor Authors Department of Computer Computer Science, University of British Columbia Patrick Colp Mihi Nanavati William Aiello Andrew Warfield

478 views • 45 slides
VirtualBoxes A close look at a desktop hypervisor Niklas Baumstark WHOIS Security researcher

VirtualBoxes A close look at a desktop hypervisor Niklas Baumstark WHOIS Security researcher

Unboxing your VirtualBoxes A close look at a desktop hypervisor Niklas Baumstark WHOIS Security researcher and student Pwn2Own 17 & 18 (VirtualBox in 18) CTF player & orga with KITCTF and Eat Sleep Pwn Repeat

824 views • 45 slides
Institute for Cyber Security A Formal Model for Isolation Management in Cloud

Institute for Cyber Security A Formal Model for Isolation Management in Cloud

Institute for Cyber Security A Formal Model for Isolation Management in Cloud Infrastructure-as-a-Service Khalid Zaman Bijon, Ram Krishnan and Ravi Sandhu Institute for Cyber Security University of Texas at San Antonio October 15-17, 2014 NSS

146 views • 13 slides
Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable

Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable

Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable Isolation Dan Ports Kevin Grittner MIT Wisconsin Court System Saturday, May 21, 2011 1 Overview Serializable isolation makes it easier to reason

922 views • 60 slides
Outline OS protection and isolation (contd) CSci 5271 OS security: authentication

Outline OS protection and isolation (contd) CSci 5271 OS security: authentication

Outline OS protection and isolation (contd) CSci 5271 OS security: authentication Introduction to Computer Security Basics of access control OS authentication and access control (combined lecture) Announcements, Ex. 1 debrief Stephen

440 views • 11 slides
Using the Xen Hypervisor to Turbocharge OS Deployment Mike D. Day Ryan Harper Anthony Liguori

Using the Xen Hypervisor to Turbocharge OS Deployment Mike D. Day Ryan Harper Anthony Liguori

Using the Xen Hypervisor to Turbocharge OS Deployment Mike D. Day Ryan Harper Anthony Liguori Andrew Theurer Michael Hohnbaum Real-world Hypervisor Applications Make more efficient use of expensive hardware Server Consolidation

633 views • 24 slides
Sun TM xVM Hypervisor Gary Pennington Solaris Kernel Engineer April 24, 2008 USE IMPROVE

Sun TM xVM Hypervisor Gary Pennington Solaris Kernel Engineer April 24, 2008 USE IMPROVE

USE IMPROVE EVANGELIZE Sun TM xVM Hypervisor Gary Pennington Solaris Kernel Engineer April 24, 2008 USE IMPROVE EVANGELIZE Agenda Hypervisors 101 Introduction to Sun TM xVM Hypervisor Use Cases Using the hypervisor

731 views • 36 slides
CopyCat: Controlled Instruction-Level Attacks on Enclaves Daniel Moghimi Jo Van Bulck

CopyCat: Controlled Instruction-Level Attacks on Enclaves Daniel Moghimi Jo Van Bulck

CopyCat: Controlled Instruction-Level Attacks on Enclaves Daniel Moghimi Jo Van Bulck Nadia Heninger Frank Piessens Berk Sunar Intel Labs Sept. 10 2020 OS/Hypervisor Security Model App App App OS Trusted Hypervisor

1.13k views • 67 slides
ADAPTED SPAULDING PYRAMID Making Isolation: How does it work? Patient Isolation- Creating

ADAPTED SPAULDING PYRAMID Making Isolation: How does it work? Patient Isolation- Creating

ADAPTED SPAULDING PYRAMID Making Isolation: How does it work? Patient Isolation- Creating auxiliary isolation rooms (CDC) SCRUBBERS - 1 ea to serve patient room, and 1 for Airlock Typically deployed on supplied wheel platform

144 views • 3 slides
Virtual Machine Introspection Isolation Interpretation Interposition Isolation

Virtual Machine Introspection Isolation Interpretation Interposition Isolation

Virtual Machine Introspection Isolation Interpretation Interposition Isolation From in-guest kernel/userspace Provided by Xen Buggy emulation blurres the line From trusted computing base (TCB) Possible via Xen

286 views • 26 slides
Virtualization. A dream within a dream Type 1 Virtualization Hypervisor run on bare

Virtualization. A dream within a dream Type 1 Virtualization Hypervisor run on bare

Virtualization. A dream within a dream Type 1 Virtualization Hypervisor run on bare metal. Dedicated virtualization machine. Higher performance. Typical for servers. Type 2 Virtualization Hypervisor sits on

571 views • 17 slides
CSCI-UA.9480 Introduction to Computer Security Session 3.3 Systems Security and Isolation Prof.

CSCI-UA.9480 Introduction to Computer Security Session 3.3 Systems Security and Isolation Prof.

CSCI-UA.9480 Introduction to Computer Security Session 3.3 Systems Security and Isolation Prof. Nadim Kobeissi Operating 3.3a System Security Basics 2 CSCI-UA.9480: Introduction to Computer Security Nadim Kobeissi Operating systems:

417 views • 24 slides
2 Fault Isolation & Restoration Manual Fault Isolation & Restoration The

2 Fault Isolation & Restoration Manual Fault Isolation & Restoration The

1 Self Healing Network (Centralized Restoration Gateway) IEEE PES 2015 General Meeting 2 Fault Isolation & Restoration Manual Fault Isolation & Restoration The operator makes switching decisions Automatic Fault Location

724 views • 22 slides
Adaptive Isolation for Security Patrick Schaumont Virginia Tech Dagstuhl Seminar 16441 1

Adaptive Isolation for Security Patrick Schaumont Virginia Tech Dagstuhl Seminar 16441 1

Adaptive Isolation for Security Patrick Schaumont Virginia Tech Dagstuhl Seminar 16441 1 November 2016 1 Objective 1. Contemporary Secure Computing An Example: Trusted Medical Applications 2. Building Blocks of Secure Computing - Attacker

482 views • 30 slides
Hypervisor-based Analysis of macOS Malware Felix Seele June 2 nd 2019 whoami Technical Lead

Hypervisor-based Analysis of macOS Malware Felix Seele June 2 nd 2019 whoami Technical Lead

Hypervisor-based Analysis of macOS Malware Felix Seele June 2 nd 2019 whoami Technical Lead @ VMRay M. Sc. IT-Security Released first preview version of macOS sandbox in March @c1truz_ 2 Structure of this Talk => => Why?

706 views • 36 slides
CMPSC 497: Software Fault Isolation Trent Jaeger Systems and Internet Infrastructure

CMPSC 497: Software Fault Isolation Trent Jaeger Systems and Internet Infrastructure

CMPSC 497: Software Fault Isolation Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security Laboratory

705 views • 34 slides
CSE484/CSE584 BASIC WEB SECURITY MODEL Dr. Benjamin Livshits Is Isolation Frame and IFRAME

CSE484/CSE584 BASIC WEB SECURITY MODEL Dr. Benjamin Livshits Is Isolation Frame and IFRAME

CSE484/CSE584 BASIC WEB SECURITY MODEL Dr. Benjamin Livshits Is Isolation Frame and IFRAME Window may contain frames from different sources Frame: rigid division as part of frameset iFrame: flo floati ting inline frame iFrame

787 views • 60 slides
GCC Highlighted Products GSure Gel Extraction kit GSure Soil DNA Isolation kit GSure Sputum DNA

GCC Highlighted Products GSure Gel Extraction kit GSure Soil DNA Isolation kit GSure Sputum DNA

GSure Bacterial genomic DNA isolation kit GCC Highlighted Products GSure Gel Extraction kit GSure Soil DNA Isolation kit GSure Sputum DNA Isolation Kit GSure Stool DNA Isolation Kit GSure Urine DNA Isolation Kit GSure Yeast RNA

455 views • 23 slides
Rethinking Kernel Isolation Vasileios P. Kemerlis Network Security Lab Department of Computer

Rethinking Kernel Isolation Vasileios P. Kemerlis Network Security Lab Department of Computer

Rethinking Kernel Isolation Vasileios P. Kemerlis Network Security Lab Department of Computer Science Columbia University New York, NY, USA Georgia Institute of Technology, 09/12/2014 vpk@cs.columbia.edu (Columbia University) ret2dir GT

1.09k views • 69 slides
Privilege separation and isolation Deian Stefan Slides adopted from John Mitchell, Dan Boneh, and

Privilege separation and isolation Deian Stefan Slides adopted from John Mitchell, Dan Boneh, and

CSE 127: Computer Security Privilege separation and isolation Deian Stefan Slides adopted from John Mitchell, Dan Boneh, and Stefan Savage Chromium security architecture Browser ("kernel") Full privileges (file system,

603 views • 29 slides
Introduction to pixel track isolation The purpose of track isolation algorithm is an additional

Introduction to pixel track isolation The purpose of track isolation algorithm is an additional

Introduction to pixel track isolation The purpose of track isolation algorithm is an additional improvement of level-1 pixel trigger performance. Procedure of pixel track isolation Reconstructed pixel tracks using kinematic parameters

669 views • 27 slides

More recommend