DOCSLIB.ORG

(12) United States Patent (10) Patent No.: US 8,124,082 B2 Fong Et Al

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
(12) United States Patent (10) Patent No.: US 8,124,082 B2 Fong Et Al USOO8124082B2 (12) United States Patent (10) Patent No.: US 8,124,082 B2 Fong et al. (45) Date of Patent: Feb. 28, 2012 (54) HUMANIZED ANTI-BETA7 ANTAGONISTS 3.68 A 13 3. SEetC ren al. et al.1 AND USES THEREFOR 5,624,821 A 4/1997 Winter et al. 5,648,260 A 7, 1997 Winter et al. (75) Inventors: Sherman Fong, Alameda, CA (US); 5,658,727 A 8, 1997 Barbas et al. Mark S. Dennis, San Carlos, CA (US) 5,693,762 A 12/1997 Queen et al. 5,712.374. A 1/1998 Kuntsmann et al. 5,714,586 A 2, 1998 Kunstmann et al. (73) Assignee: Genentech, Inc., South San Francisco, 5,731, 168 A 3, 1998 Carter et al. CA (US) 5,733,743 A 3/1998 Johnson et al. 5,739,116 A 4, 1998 Hamann et al. (*) Notice: Subject to any disclaimer, the term of this 5,750,373 A 5/1998 Garrard et al. patent is extended or adjusted under 35 5,767.285 A 6/1998 Hamann et al. U.S.C. 154(b) by 119 days 5,770,701 A 6/1998 McGahren et al. M YW- y yS. 5,770,710 A 6/1998 McGahren et al. 5,773,001 A 6/1998 Hamann et al. (21) Appl. No.: 12/390,730 5,837.242 A 1 1/1998 Holliger et al. 5,877,296 A 3, 1999 Hamann et al. (22) Filed: Feb. 23, 2009 5,969,108 A 10/1999 McCafferty et al. 9 6,172,197 B1 1/2001 McCafferty et al. O O 6,300,080 B1 10/2001 Brenner et al. (65) Prior Publication Data 6,551,593 B1 4/2003 Ringler et al. 7,528,236 B2 5/2009 Fong et al. US 2009/0226437 A1 Sep. 10, 2009 7,687,605 B2 3/2010 Fong et al. 2001, 0046496 A1 11/2001 Brettman et al. Related U.S. Application Data 2005/OO95238 A1 5/2005 Brettman et al. (62) Division of application No. 1 1/219,121, filed on Sep. FOREIGN PATENT DOCUMENTS 2. 2005, now Pat. No. 7,528,236. EP O425235 B1 9, 1996 (60) Provisional application No. 60/607,377, filed on Sep. E. 338 3, 2004. WO WO93,06213 4f1993 WO WO93,21232 10, 1993 (51) Int. Cl. WO WO94/11026 5, 1994 A 6LX39/395 (2006.01) WO WO94,29351 12/1994 WO WO96,24673 8, 1996 (52) U.S. Cl. ............... 424/133.1; 424/141.1; 424/143.1; WO WO 98.06248 2, 1998 424/152.1; 424/156.1; 424/174.1 WO WO99,51642 10, 1999 (58) Field of Classification Search ........................ None WO WOOO.30681 6, 2000 See application file for complete search history. WO OOf 40604 T 2000 WO WOO 1/78779 10, 2001 (56) References Cited WO 2005/080432 A2 9, 2005 OTHER PUBLICATIONS U.S. PATENT DOCUMENTS Chen, et al., Journal of Molecular Biology—293:865-881 (1999). 4,137,230 A 1/1979 Hashimoto et al. Clark (Protein Engineering of Antibody Molecules for Prophylactic 4,151,042 A 4/1979 Higashide et al. and Therapeutic Applications in an, 1993, pp. 4-5). 4,248,870 A 2/1981 Miyashita et al. Holm, et al., Molecular Immunology 44:1075-1084 (2007). 4,256,746 A 3/1981 Miyashita et al. Malmborg, et al., Journal of Immunological Methods—183:7-13 4,260,608 A 4, 1981 Miyashita et al. (1995). 4,265,814 A 5, 1981 Hashimoto et al. Pascalis, et al., Journal of Immunology—169:3076-3084 (2002). 4,307,0164.294,757. A 12/198110/1981 Asai et al. Wu,u, et al., Journal of Molecular biologyBiology—294:151-162 294, (1999) 4,308,268 A 12/1981 Miyashita et al. Vajdos, et al., Journal of Molecular Biology 320:415-428 (2002). 4,308,269 A 12/1981 Miyashita et al. Andrew, D.P. et al., Distinct but overlapping epitopes are involved in 4,309.428 A 1/1982 Miyashita et al. O?37-mediated adhesion to vascular cell adhesion molecule-1, 4,313,946 A 2f1982 Powell et al. mucosal addressin-1, fibronectin, and lymphocyte aggregation' J. 4,315,929 A 2, 1982 Freedman et al. Immunol. 153:3847-3861 (1994). 4,317,821 A 3/1982 Miyashita et al. Baldwin et al., “Monoclonal Antibodies In Cancer Treatment' Lan 4.322,348 A 3, 1982 Asai et al. cet, The pp. 603-605 (Mar. 15, 1986). 4.331,598 A 5/1982 Hasegawa et al. Barbadillo, C. et al., “Anti-integrin immunotherapy in rheumatoid 3. E. A 3. 3. R et al arthritis: protective effect of anti-C4 antibody in adjuvant arthritis' 4,364,866 A 12, 1982 is a Springer Semin. Immunopathol. 16:427-436 (1995). 4,371.533. A 2, 1983 Akimoto et al. (Continued) 4.424,219 A 1, 1984 Hashimoto et al. E. A E. E. et Set 1 Primary Examiner — Karen Canella 486,567 A 3, 1989 E. (74) Attorney, Agent, or Firm — Jennifer L. Davis 4,970,198 A 11, 1990 Lee et al. (57) ABSTRACT 4,975,278 A 12/1990 Senter et al. 5,053,394 A 10, 1991 Ellestad et al. The invention provides therapeutic anti-beta7 antibodies, 5,079,233 A 1/1992 Lee et al. compositions comprising, and methods of using these anti 5,208,020 A 5, 1993 Chari et al. bodies. 5,416,064 A 5, 1995 Chari et al. 5,580,717 A 12/1996 Dower et al. 14 Claims, 22 Drawing Sheets US 8,124,082 B2 Page 2 OTHER PUBLICATIONS Jaffers et al., “Monoclonal Antibody Therapy, Anti-Idiotypic and Barbas III et al., “In Vitro Evolution of a Neutralizing Human Anti Non-Anti-Idiotypic Antibodies to OKT3 Arising Despite Intense body to Human Immunodeficiency Virus Type 1 to Enhance Affinity Immunosuppression' Transplantation 41(5):572-578 (May 1986). and Broaden Strain Cross-Reactivity” Proc. Natl. Acad. Sci. USA Jones et al., “Replacing the Complementarity-Determining Regions 91(9):3809-3813 (Apr. 1994). in a Human Antibody with Those From a Mouse” Nature 321:522 Carlsson, J. et al., “Protein Thiolation and Reversible Protein-Protein 525 (May 29, 1986). Conjugation” Biochemical Journal 173:723-737 (1978). Junghans et al., “Anti-Tac-H, a Humanized Antibody to the Carter et al., “Humanization of an Anti-p185' Antibody for Interleukin 2 Receptor with New Features for Immunotherapy in Human Cancer Therapy” Proc. Natl. Acad. Sci. USA 89(10):4285 Malignant and Immune Disorders' Cancer Research 50(5):1495 4289 (May 1992). Cepek, K.L. et al., “Integran O'B, mediates adhesion of T lympho 1502 (Mar. 1, 1990). cytes to epithelial cells”.J. Immunol. 150:3459-3470 (1993). Kanwar, J. et al., “f7 integrins contribute to demyelinating disease of Chari et al., “Immunoconjugates Containing Novel Maytansinoids: the central nervous system” J. Neuroimmunology 103: 146-152 Promising Anticancer Drugs' Cancer Research 52: 127-131 (Jan. (2000). 1992). Khazaeli et al., “Phase I trial of multiple large doses of murine Chothia, et al., “Canonical Structures for the Hypervariable Regions monoclonal antibody C017-1A. II. Pharmacokinetics and immune of Immunoglobulins' J. Mol. Biol. 196:901-917 (1987). response” J. Natl Cancer Inst.80(12):937-942 (Aug. 17, 1988). Cunningham and Wells, “High-Resolution Epitope Mapping of Kilger and Holzmann, “Molecular analysis of the physiological and hGH-Receptor Interactions by Alanine-Scanning Mutagenesis' Sci pathophysiological role of O-integrins' Journal of Molecular Medi ence 244: 1081-1085 (Jun. 2, 1989). cine 73(7):347-354 (Jul 1995). Doronina et al., “Development of potent monoclonal antibody Kilshaw and Murant, “Expression and regulation of f(p) integrins auristatin conjugates for cancer therapy' Nature Biotechnology on mouse lymphocytes: relevance to the mucosal immune system' 21:778-784 (2003). European Journal of Immunology 21 (10):2591-2597 (Oct. 1991). Duncan and Winter, “The binding site or Cld on IgG” Nature Kroneld, U. et al., “Expression of the mucosal lymphocyte integrin 322:738-740 1988. 3SupE37 and its Ligand E-cadherin in Salivary glands of patietns with Ebert, M. et al., “CD8+CD103+ T cells analogous to intestinal Sjogren's syndrome' Scand.J Rheumatol 27:215-218 (1998). intraepithelial lymphocytes infiltrate the pancreas in chronic Kunkeletal., “Rapid and EfficientSite-specific Mutagenesis Without pancreatitis' Am. J. Gastroenterol. 93:2141-2147 (1998). Phenotypic Selection” Methods in Enzymology 154:367-382 (1987). Erle et al., “Complete amino acid sequence of an integrin f3 Subunit Laberge, S. et al., “Role of VLA-4 and LFA-1 in Allergen-Induced (B) identified in leukocytes' Journal of Biological Chemistry Airway Hyperrespnosiveness and Lung Inflammation in the Rat' 266(17): 11009-11016 (Jun. 15, 1991). Fraker and Speck Jr., “Protein and cell membrane iodinations with a Am. J. Respir: Crit. Care Med. 151:822-829 (1995). sparingly soluble chloroamide, 1,3,4,6-tetrachloro-3a,6a Leckie et al., “Sputum T lymphocytes in asthma, COPD and healthy diphenylglycoluril' Biochemical & Biophysical Research Commu subjects have the phenotype of activated intraepithelial T cells nications 80(4):849-857 (1978). (CD69+ CD103+)” Thorax 58:23-20 (2003). Francisco et al., “cAC10-vcMMAE, an anti-CD30 monomethyl Lee et al., “High-affinity human antibodies from phage-displayed auristatin E conjugate with potent and selective antitumor activity synthetic Fab libraries with a single framework scaffold'J Mol Biol. Blood 102: 1458-1465 (2003). 340(5):1073-1093 (Jul 23, 2004). Gallop et al., “Applications of Combinatorial Technologies to Drug Liu et al., “Eradication of Large Colon Tumor Xenografts by Tar Discovery Background and peptide combinatorial libraries' Journal geted Delivery of Maytansinolds.” Proc.
Load more

Recommended publications
  • Fast and Scalable VMM Live Upgrade in Large Cloud Infrastructure
    Fast and Scalable VMM Live Upgrade in Large Cloud Infrastructure Xiantao Zhang Xiao Zheng Zhi Wang Alibaba Group Alibaba Group Florida State University [email protected] [email protected] [email protected] Qi Li Junkang Fu Yang Zhang Tsinghua University Alibaba Group Alibaba Group [email protected] [email protected] [email protected] Yibin Shen Alibaba Group [email protected] Abstract hand over passthrough devices to the new KVM instance High availability is the most important and challenging prob- without losing any ongoing (DMA) operations. Our evalua- lem for cloud providers. However, virtual machine mon- tion shows that Orthus can reduce the total migration time itor (VMM), a crucial component of the cloud infrastruc- and downtime by more than 99% and 90%, respectively. We ture, has to be frequently updated and restarted to add secu- have deployed Orthus in one of the largest cloud infrastruc- rity patches and new features, undermining high availabil- tures for a long time. It has become the most effective and ity. There are two existing live update methods to improve indispensable tool in our daily maintenance of hundreds of the cloud availability: kernel live patching and Virtual Ma- thousands of servers and millions of VMs. chine (VM) live migration. However, they both have serious CCS Concepts • Security and privacy → Virtualization drawbacks that impair their usefulness in the large cloud and security; • Computer systems organization → Avail- infrastructure: kernel live patching cannot handle complex ability. changes (e.g., changes to persistent data structures); and VM live migration may incur unacceptably long delays when Keywords virtualization; live upgrade; cloud infrastructure migrating millions of VMs in the whole cloud, for example, ACM Reference Format: to deploy urgent security patches.
    [Show full text]
  • Live Kernel Patching Using Kgraft
    SUSE Linux Enterprise Server 12 SP4 Live Kernel Patching Using kGraft SUSE Linux Enterprise Server 12 SP4 This document describes the basic principles of the kGraft live patching technology and provides usage guidelines for the SLE Live Patching service. kGraft is a live patching technology for runtime patching of the Linux kernel, without stopping the kernel. This maximizes system uptime, and thus system availability, which is important for mission-critical systems. By allowing dynamic patching of the kernel, the technology also encourages users to install critical security updates without deferring them to a scheduled downtime. A kGraft patch is a kernel module, intended for replacing whole functions in the kernel. kGraft primarily oers in-kernel infrastructure for integration of the patched code with base kernel code at runtime. SLE Live Patching is a service provided on top of regular SUSE Linux Enterprise Server maintenance. kGraft patches distributed through SLE Live Patching supplement regular SLES maintenance updates. Common update stack and procedures can be used for SLE Live Patching deployment. Publication Date: 09/24/2021 Contents 1 Advantages of kGraft 3 2 Low-level Function of kGraft 3 1 Live Kernel Patching Using kGraft 3 Installing kGraft Patches 4 4 Patch Lifecycle 6 5 Removing a kGraft Patch 6 6 Stuck Kernel Execution Threads 6 7 The kgr Tool 7 8 Scope of kGraft Technology 7 9 Scope of SLE Live Patching 8 10 Interaction with the Support Processes 8 11 GNU Free Documentation License 8 2 Live Kernel Patching Using kGraft 1 Advantages of kGraft Live kernel patching using kGraft is especially useful for quick response in emergencies (when serious vulnerabilities are known and should be xed when possible or there are serious system stability issues with a known x).
    [Show full text]
  • Think ALL Distros Offer the Best Linux Devsecops Environment?
    Marc Staimer, Dragon Slayor Consulting WHITE PAPER Think All Distros Offer the Best Linux DevSecOps What You’re Not Being Told About Environment? Database as a Service (DBaaS) Think Again! WHITE PAPER • Think Again! Think All Distros Provide the Best Linux DevSecOps Environment? Think Again! Introduction DevOps is changing. Developing code with after the fact bolt-on security is dangerously flawed. When that bolt-on fails to correct exploitable code vulnerabilities, it puts the entire organization at risk. Security has been generally an afterthought for many doing DevOps. It was often assumed the IT organization’s systemic multiple layers of security measures and appliances would protect any new code from malware or breaches. And besides, developing code with security built in, adds tasks and steps to development and testing time. More tasks and steps delay time-to-market. Multi-tenant clouds have radically changed the market. Any vulnerability in a world with increasing cyber-attacks, can put millions of user’s data at risk. Those legacy DevOps attitudes are unsound. They are potentially quite costly in the current environment. Consider that nearly every developed and most developing countries have enacted laws and regulation protecting personally identifiable information or PII1. PII is incredibly valuable to cybercriminals. Stealing PII enables them to commit many cybercrimes including the cybertheft of identities, finances, intellectual property, admin privileges, and much more. PII can also be sold on the web. Those PII laws and regulations are meant to force IT organizations to protect PII. Non-compliance of these laws and regulations often carry punitive financial penalties.
    [Show full text]
  • Fast and Live Hypervisor Replacement
    Fast and Live Hypervisor Replacement Spoorti Doddamani Piush Sinha Hui Lu Binghamton University Binghamton University Binghamton University New York, USA New York, USA New York, USA [email protected] [email protected] [email protected] Tsu-Hsiang K. Cheng Hardik H. Bagdi Kartik Gopalan Binghamton University Binghamton University Binghamton University New York, USA New York, USA New York, USA [email protected] [email protected] [email protected] Abstract International Conference on Virtual Execution Environments (VEE Hypervisors are increasingly complex and must be often ’19), April 14, 2019, Providence, RI, USA. ACM, New York, NY, USA, updated for applying security patches, bug fixes, and feature 14 pages. https://doi.org/10.1145/3313808.3313821 upgrades. However, in a virtualized cloud infrastructure, up- 1 Introduction dates to an operational hypervisor can be highly disruptive. Before being updated, virtual machines (VMs) running on Virtualization-based server consolidation is a common prac- a hypervisor must be either migrated away or shut down, tice in today’s cloud data centers [2, 24, 43]. Hypervisors host resulting in downtime, performance loss, and network over- multiple virtual machines (VMs), or guests, on a single phys- head. We present a new technique, called HyperFresh, to ical host to improve resource utilization and achieve agility transparently replace a hypervisor with a new updated in- in resource provisioning for cloud applications [3, 5–7, 50]. stance without disrupting any running VMs. A thin shim Hypervisors must be often updated or replaced for various layer, called the hyperplexor, performs live hypervisor re- purposes, such as for applying security/bug fixes [23, 41] placement by remapping guest memory to a new updated adding new features [15, 25], or simply for software reju- hypervisor on the same machine.
    [Show full text]
  • Instant OS Updates Via Userspace Checkpoint-And
    Instant OS Updates via Userspace Checkpoint-and-Restart Sanidhya Kashyap, Changwoo Min, Byoungyoung Lee, and Taesoo Kim, Georgia Institute of Technology; Pavel Emelyanov, CRIU and Odin, Inc. https://www.usenix.org/conference/atc16/technical-sessions/presentation/kashyap This paper is included in the Proceedings of the 2016 USENIX Annual Technical Conference (USENIX ATC ’16). June 22–24, 2016 • Denver, CO, USA 978-1-931971-30-0 Open access to the Proceedings of the 2016 USENIX Annual Technical Conference (USENIX ATC ’16) is sponsored by USENIX. Instant OS Updates via Userspace Checkpoint-and-Restart Sanidhya Kashyap Changwoo Min Byoungyoung Lee Taesoo Kim Pavel Emelyanov† Georgia Institute of Technology †CRIU & Odin, Inc. # errors # lines Abstract 50 1000K 40 100K In recent years, operating systems have become increas- 10K 30 1K 20 ingly complex and thus more prone to security and per- 100 formance issues. Accordingly, system updates to address 10 10 these issues have become more frequently available and 0 1 increasingly important. To complete such updates, users 3.13.0-x 3.16.0-x 3.19.0-x May 2014 must reboot their systems, resulting in unavoidable down- build/diff errors #layout errors Jun 2015 time and further loss of the states of running applications. #static local errors #num lines++ We present KUP, a practical OS update mechanism that Figure 1: Limitation of dynamic kernel hot-patching using employs a userspace checkpoint-and-restart mechanism, kpatch. Only two successful updates (3.13.0.32 34 and → which uses an optimized data structure for checkpoint- 3.19.0.20 21) out of 23 Ubuntu kernel package releases.
    [Show full text]
  • Update Your Kernel with No Service Interruption: SUSE Linux Enterprise
    Data sheet Update your kernel with no service interruption SUSE Linux Enterprise Live Patching on HPE infrastructure Eliminate the need for planned downtime Keep your kernel up-to-date Downtime is expensive, even when it Take a proactive and dynamic approach to kernel patching is planned. SUSE Linux Enterprise Live Patching virtually eliminates the need SUSE® Linux® Enterprise Live Patching running on HPE infrastructure is an open source for downtime—and allows for easier solution that delivers live kernel patching without the need to reboot the system. With this planning of scheduled downtime—by subscription offering based on the open source kGraft project, you can perform patching applying critical Linux kernel fixes without interrupting your mission-critical workloads and in-memory databases—saving outside of maintenance windows. the cost of downtime and increasing service availability. Because the solution builds on the SUSE Linux Enterprise Live Patching offers a proactive and dynamic approach existing SUSE Linux Enterprise kernel infrastructure and uses familiar deployment methods, to kernel maintenance that saves your SUSE Linux Enterprise Live Patching on HPE infrastructure is an easy way to make operating company valuable time and money by system maintenance more efficient and secure. never needing to stop the kernel. SUSE Linux Enterprise Live Patching on HPE infrastructure puts you in charge of kernel updates and service availability. Even when urgent kernel updates are needed, SUSE Linux Customer profile Enterprise Server can run continuously—with zero execution interruptions—while you apply • SAP HANA®: Live Patching targets critical kernel patches in the background. users of SAP® applications, specifically the HANA in-memory databases.
    [Show full text]
  • SUSE Linux Enterprise Live Patching
    Data Sheet SUSE Linux Enterprise Live Patching SUSE® Linux Enterprise Live Patching Downtime is expensive, even when it is planned. Live Patching virtually eliminates the need for downtime—and allows for easier planning of scheduled downtime—by applying critical Linux kernel fixes outside of maintenance windows. Live Patching offers a proactive and dynamic approach to kernel maintenance that saves your company valuable time and money by never needing to stop the kernel. System Requirements Product Overview interruptions, not even a millisecond—while SUSE® Linux Enterprise Live Patching is a you apply critical kernel patches in the • Minimum Requirements: + A system that runs SUSE Linux simple open source solution that deliv- background. Enterprise Server 12 or 15 ers live kernel patching without the need + Zypper must be installed and configured to receive updates to reboot. With this subscription offering Key Benefits based on the kGraft project, you can per- SUSE Linux Enterprise Live Patching keeps • Supported Processor form patching without interrupting your your systems running smoothly and securely Platforms: mission-critical workloads and in-memory on the front end while critical updates are + x86-64 databases, saving the cost of downtime applied on the back end. + ppc64le (IBM Power Systems) + IBM Z and LinuxONE and increasing service availability. Because it builds on to the existing SUSE Linux • Reduce downtime—You can reduce For detailed product specifica- tions and system requirements, Enterprise kernel infrastructure and uses downtimes whether planned or un- visit: https://www.suse.com/ familiar deployment methods, Live Patching planned. In the case of unplanned down- products/live-patching/ is an easy way to make operating system times, you can potentially eliminate maintenance more efficient and secure.
    [Show full text]
  • Think All Distors Offer the Best Linux Devsecops Environment?
    Marc Staimer, Dragon Slayer ARTIGO Acha que todas as distribuições oferecem o melhor O que não lhe falaram sobre banco de ambiente de DevSecOps no Linux? dados como serviço (DBaaS) Pense melhor! ARTIGO • Pense melhor! Acha que todas as distribuições fornecem o melhor ambiente de DevSecOps no Linux? Pense melhor! Introdução O DevOps está mudando. O desenvolvimento de código com segurança adicional posterior é uma estratégia perigosamente falha. Quando essa segurança adicional não consegue corrigir vulnerabilidades de código exploráveis, ela coloca toda a organização em risco. Para muitos que trabalham com DevOps, a segurança geralmente era apenas algo com o que eles se preocupavam depois. Era comum supor que as múltiplas camadas sistêmicas de medidas e dispositivos de segurança da organização de TI protegeriam qualquer novo código contra malware ou violações. Além disso, o desenvolvimento de código com segurança integrada adiciona tarefas e etapas ao tempo de desenvolvimento e teste. Mais tarefas e etapas atrasam o prazo de lançamento no mercado. As nuvens multilocatário mudaram radicalmente o mercado. Em um mundo com um número cada vez maior de ataques cibernéticos, qualquer vulnerabilidade pode colocar em risco os dados de milhões de usuários. Essas atitudes herdadas do DevOps são inseguras. Elas são potencialmente muito caras no ambiente atual. Lembre-se de que quase todos os países desenvolvidos e a maioria dos países em desenvolvimento promulgaram leis e regulamentos para proteger informações de identificação pessoal, ou PII1. As PII são incrivelmente valiosas para os cibercriminosos. O roubo de PII permite que eles cometam muitos crimes cibernéticos, incluindo o roubo cibernético de identidades, finanças, propriedade intelectual, privilégios de administrador e muito mais.
    [Show full text]
  • Mitigating Vulnerability Windows with Hypervisor Transplant Dinh Ngoc Tu, Boris Teabe Djomgwe, Alain Tchana, Gilles Muller, Daniel Hagimont
    Mitigating vulnerability windows with hypervisor transplant Dinh Ngoc Tu, Boris Teabe Djomgwe, Alain Tchana, Gilles Muller, Daniel Hagimont To cite this version: Dinh Ngoc Tu, Boris Teabe Djomgwe, Alain Tchana, Gilles Muller, Daniel Hagimont. Mitigating vulnerability windows with hypervisor transplant. EuroSys 2021 - European Conference on Computer Systems, Apr 2021, Edinburgh / Virtual, United Kingdom. pp.1-14, 10.1145/3447786.3456235. hal- 03183856 HAL Id: hal-03183856 https://hal.archives-ouvertes.fr/hal-03183856 Submitted on 30 Mar 2021 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Mitigating vulnerability windows with hypervisor transplant Tu Dinh Ngoc Boris Teabe Alain Tchana University of Toulouse, France University of Toulouse, France ENS Lyon, France Inria, France Gilles Muller Daniel Hagimont Inria, France University of Toulouse, France ABSTRACT such as Spectre and Meltdown [25, 32]1. The time to apply the The vulnerability window of a hypervisor regarding a given secu- patch mainly depends on the datacenter operators’ patching policy. rity flaw is the time between the identification of the flawandthe Together, this timeframe leaves plenty of time to launch an attack integration of a correction/patch in the running hypervisor.
    [Show full text]
  • Protecting Commodity Operating Systems Through Strong Kernel Isolation
    Protecting Commodity Operating Systems through Strong Kernel Isolation Vasileios P. Kemerlis Submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy in the Graduate School of Arts and Sciences COLUMBIA UNIVERSITY 2015 c 2015 Vasileios P. Kemerlis All Rights Reserved ABSTRACT Protecting Commodity Operating Systems through Strong Kernel Isolation Vasileios P. Kemerlis Today’s operating systems are large, complex, and plagued with vulnerabilities that allow perpetrators to exploit them for profit. The constant rise in the number of software weak- nesses, coupled with the sophistication of modern adversaries, make the need for effective and adaptive defenses more critical than ever. In this dissertation, we develop a set of novel protection mechanisms, and introduce new concepts and techniques to secure commodity operating systems against attacks that exploit vulnerabilities in kernel code. Modern OSes opt for a shared process/kernel model to minimize the overhead of opera- tions that cross protection domains. However, this design choice provides a unique vantage point to local attackers, as it allows them to control—both in terms of permissions and contents—part of the memory that is accessible by the kernel, easily circumventing protec- tions like kernel-space ASLR and WˆX. Attacks that leverage the weak separation between user and kernel space, characterized as return-to-user (ret2usr) attacks, have been the de facto kernel exploitation technique in virtually every major OS, while they are not limited to the x86 platform, but have also targeted ARM and others. Given the multi-OS and cross-architecture nature of ret2usr threats, we propose kGuard: a kernel protection mechanism, realized as a cross-platform compiler extension, which can safeguard any 32- or 64-bit OS kernel from ret2usr attacks.
    [Show full text]
  • High Velocity Kernel File Systems with Bento
    High Velocity Kernel File Systems with Bento Samantha Miller Kaiyuan Zhang Mengqi Chen Ryan Jennings Ang Chen‡ Danyang Zhuo† Thomas Anderson University of Washington †Duke University ‡Rice University Abstract kernel-level debuggers and kernel testing frameworks makes this worse. The restricted and different kernel programming High development velocity is critical for modern systems. environment also limits the number of trained developers. This is especially true for Linux file systems which are seeing Finally, upgrading a kernel module requires either rebooting increased pressure from new storage devices and new demands the machine or restarting the relevant module, either way on storage systems. However, high velocity Linux kernel rendering the machine unavailable during the upgrade. In the development is challenging due to the ease of introducing cloud setting, this forces kernel upgrades to be batched to meet bugs, the difficulty of testing and debugging, and the lack of cloud-level availability goals. support for redeployment without service disruption. Existing Slow development cycles are a particular problem for file approaches to high-velocity development of file systems for systems. Recent changes in storage hardware (e.g., low latency Linux have major downsides, such as the high performance SSDs and NVM, but also density-optimized QLC SSD and penalty for FUSE file systems, slowing the deployment cycle shingle disks) have made it increasingly important to have an for new file system functionality. agile storage stack. Likewise, application workload diversity We propose Bento, a framework for high velocity devel- and system management requirements (e.g., the need for opment of Linux kernel file systems. It enables file systems container-level SLAs, or provenance tracking for security written in safe Rust to be installed in the Linux kernel, with forensics) make feature velocity essential.
    [Show full text]
  • Practical Linux Topics
    Binnie BOOKS FOR PROFESSIONALS BY PROFESSIONALS® THE EXPERT’S VOICE® IN LINUX Practical Linux Topics Practical Practical Linux Topics This book teaches you how to improve your hands-on knowledge of Linux using challenging, real-world scenarios. Each chapter explores a topic that has been chosen specifically to demonstrate how to enhance your base Linux system, and resolve important issues. This book enables sysadmins, DevOps engineers, developers, and other technical professionals to make full use of Linux’s rocksteady foundation. Practical Linux Explore specific topics in networking, e-mail, filesystems, encryption, system monitoring, security, servers, and more—including systemd and GPG. Understand salient security concerns and how to mitigate them. Applicable to almost all Linux flavors—Debian, Red Hat, Ubuntu, Linux Mint, CentOS—Power Linux Topics can be used to reference other Unix-type systems Topics with little modification. Improve your practical know-how and background knowledge on servers and workstations alike, increase your ability to troubleshoot and ultimately solve the daily challenges encountered — by all professional Linux users. Empower your Linux skills by adding Power Linux Topics to your library today. Chris Binnie US . ISBN 978-1-4842-1771-9 Shelve in: 54999 Linux/General User level: Intermediate–Advanced 9781484 217719 SOURCE CODE ONLINE www.apress.com Practical Linux Topics Chris Binnie Practical Linux Topics Copyright © 2016 by Chris Binnie This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.
    [Show full text]