DOCSLIB.ORG

Xen Enterprise

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Xen Enterprise Xen: the Past, Present and Exciting Future Ian Pratt Chairman of Xen.org, SVP and Founder of Bromium Sponsored by: & 1 Outline • Community Update • Xen 4 Review • Xen and the next wave of virtualization 2 COMMUNITY UPDATE 3 2011 Highlights • Inclusion of Xen into Linux 3 (and distros) • New Initiatives: – Project Kronos – Xen.org Governance – Renewed focus on Xen for ARM • Successful Community Initiatives – Documentation Day – Google Summer of Code – Hackathons: Cambridge (Citrix) and Munich (Fujitsu) • Lars Kurth: (not so) new Community Manager 4 Contribution Statistics By Change Sets Contributors to Xen.org 5000.0 200 4500.0 180 4000.0 160 3500.0 140 3000.0 120 XenARM** 2500.0 100 PVOPS Individuals 2000.0 XCP 80 Orgs 1500.0 Xen HV 60 1000.0 40 500.0 20 0.0 0 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011* *) End of Sept 2011 **) Activity on Development branch (not yet in xen-unstable) 5 2010 & 2011 Contributors (by KLOC) 2010** 2011** *** 1% 2% 3% 4% 5% 4% 6% 5% Citrix HV 28% Citrix XCP Citrix XCP 5% Citrix HV Oracle Samsung* 39% 11% Intel Novell 6% Novell Oracle Fujitsu AMD 7% AMD Individual Individual 13% Intel Misc 18% Misc 8% University 20% 15% *) Activity on Development branch (not yet in xen-unstable) **) Includes PVOPS ***) Until Sept 2011 6 Developer mailing list traffic Conversations, excluding patches excluding Conversations, 1000 1500 2000 2500 500 0 Oct-03 Dec-03 Feb-04 Apr-04 Jun-04 Aug-04 Oct-04 Dec-04 Feb-05 Apr-05 Jun-05 Aug-05 Oct-05 Dec-05 Feb-06 Apr-06 Jun-06 Aug-06 Oct-06 Dec-06 xen-devel Feb-07 Apr-07 Jun-07 Aug-07 xen-api Oct-07 Dec-07 Feb-08 Apr-08 Jun-08 Aug-08 Oct-08 Dec-08 Feb-09 Apr-09 Jun-09 Aug-09 Oct-09 Dec-09 Feb-10 Apr-10 Jun-10 Aug-10 Oct-10 Dec-10 Feb-11 Apr-11 Jun-11 7 Formalized Governance • How to contribute (had this for a long time, but was poorly documented) • Election of Maintainers, Committers & Project Leads – Committer Election in September – Jan Beulich (Novell) : Committer on Xen HV project • 2009 : 107 patches changing 11746 lines of code • 2010 : 147 patches changing 7613 lines of code • 2011 : 130 patches changing 27377 lines of code (as of Sept) • Project Lifecycle – Xen HV & XCP migrated to new lifecycle 8 Xen.org Web site Activity Website Traffic/Day: Linux 3 Notable traffic increase since September (almost double) Coincides with changes to content and new content! Linux 3 Blog Traffic/Month: Xen 4.1 Xen 4.0 100% average increase of traffic compared to one year ago Part of Sept Prediction at tip of arrow 9 Product and project news roundup • Xen support in Linux 3 – More in Linux 3.1 (and subsequent releases) • Xen support (DomU and Dom0) back in Linux distros – Debian – Ubuntu 11.10 – Fedora 16 • Recent product releases that distribute Xen – Oracle VM 3.0 – XenServer 6.0 – XenClient 2.0 – Beta’s of QubesOS and RC’s of openSuse 12.1 10 Where do we need to improve? Focus for 2012 • New website • Better media presence • More focus on users (individual & commercial) • More and better documentation • New benchmarks, feature comparisons, etc. • Formalize volunteer activities such as “documentation day” 11 2011 & 2012 Event Calendar • LinuxCon Brazil, Sao Paulo, Nov 17-18 • USENIX Lisa, Boston, Dec 4-9 • Planning to co-locate XenSummit NA with LinuxCon (LinuxCon NA, San Diego, Aug 27-28) – Not yet finalized, but should be soon • OSCON, Portland, July 16-20 12 Community Summary • The Xen Developer community is healthy for a 10 year old project • The inclusion of Xen support into Linux 3.x has made a big impact – Getting questions by many new users – Building new and productive relationships with many people in the Linux and BSD communities • Up to now Xen.org was almost exclusively looking after developers – Successful open source communities bring their users and developers together – Xen.org needs to focus on • Reconnecting to its users • On making it easy to get started with Xen and engage new users – Many opportunities in Cloud Projects • On better communicating the Xen advantages • Everybody can help with this! 13 XEN 4.1 REVIEW 14 Xen 4.1 Release – 21 March 2011 • Very large system support – 4 TB; >255 CPUs – Reliability, Availability, Scalability enhancements • CPU Pools for system partitioning • Page sharing enhancements • Hypervisor emergency paging / compression • New “xl” lightweight control stack • Memory Introspection API • Enhanced SR-IOV support • Software-implemented Hardware Fault Tolerance 15 Hardware Fault Tolerance Restart-HA monitors hosts and VMs to keep apps running Hardware Fault Tolerance with deterministic replay or checkpointing Xen’s Software-Implemented Hardware Fault Tolerance enables true High Availability for unmodified applications and operating systems Hardware Fault Tolerance • University of British Columbia’s “Remus” project is now in Xen 4 • Smart checkpointing approach yields excellent performance – VM executes in parallel with checkpoint transmission, with all externally visible state changes suppressed until checkpoint receipt acknowledged – Checkpoints delta compressed • Checkpointing possible across wide-area, even for multi-vCPU guests 17 Enhanced SR-IOV • SR-IOV: Single Root IO Virtualization – Virtualization friendly IO devices • High performance, high efficiency, low latency • Enables even the most demanding applications to now be virtualized • Compatible with live relocation via hotplug of acceleration driver “plugin” module – Retain primary benefit of physical hardware abstraction 18 SR-IOV NIC Dell 10G Switch Dell R710 Server Dell R710 Server XenServer and Intel 10G SR-IOV NIC XenServer and Intel 10G SR-IOV NIC NFS Common Storage w/OpenFiler Dell R710 Server XenServer and Intel 10G SR-IOV NIC • 80 Gb/s bi-directional aggregate throughput between 4 VM pairs • Low latency, High CPU efficiency • Live relocation between hosts - Even hosts with different NICs Network Performance 35 30 usercopy 25 kern 20 201% Type-0 xen1 15 CPU (%) 123% 103% grantcopy 10 100% kern0 5 xen0 0 s/w only basic smart SR-IOV native NIC NIC • New Smart NICs reduce CPU overhead substantially • Care must be taken with SR-IOV NICs to ensure benefits of VM portability and live relocation are not lost • Need for an industry standard for “driver plugins” THE NEXT VIRTUALIZATION WAVE 21 Security will drive the Next Wave of Virtualization • Security is key requirement for Cloud • Security is the primary goal of virtualization on the Client – Desktop, Laptops, Smart Phones, etc • Maintaining isolation between VMs is critical – Spatial and Temporal isolation – Run multiple VMs with policy controlled information flow • E.g. Personal VM; Corporate VM; VM for web browsing; VM for banking • Enables “out-of-band” management and policy enforcement – Malware detection, remote access, image update, backup, VPN, etc. 22 Xen Introspection API • Allows a suitably privileged VM to monitor and control the execution of another VM – Interpose on disk and network IO path – Mark VM memory as immutable, no-execute etc – Inspect/modify CPU and memory state • Enables robust anti-malware, anti-root kit – Cannot be disabled/bypassed by guest VM Virtualized can be more secure than physical! 24 Secure Isolation • Use good software engineering practice – Thin hypervisor: minimize code running with privilege – Disaggregate and de-privilege functionality into dedicated Service VMs – Narrow interfaces between components – Hypervisors are simpler than OSes, simpler than OS kernels – Use modern high-level languages where possible • New hardware technologies help – VT-x, VT-d, EPT: reduce software complexity, enhanced protection – TPM/TXT: Enable Dynamic Root of Trust 25 XenClient XT / Qubes OS • First products configured to take advantage of the security benefits of Xen’s architecture • Isolated Driver Domains • Virtual hardware Emulation Domains • Service VMs (global and per-guest) • Xen Security Modules / SElinux • Measured Launch (TXT) 26 Typical Xen Configuration VM0 VM1 VM2 VM3 Device Manager & Applications Applications Applications Control s/w GuestOS GuestOS GuestOS GuestOS Back-End Native Device Front-End Front-End Driver Device Drivers Device Drivers Device Emulation Control IF Safe HW IF Event Channel Virtual CPU Virtual MMU Xen Virtual Machine Monitor Hardware (SMP, MMU, physical memory, Ethernet, SCSI/IDE) Xen Driver Domains VM0 VM1 VM2 VM3 Device Manager & Applications Applications Control s/w GuestOS GuestOS GuestOS GuestOS Back-End Back-End Native Native Device Device Front-End Driver Driver Device Drivers Device Emulation VM3a Control IF IOMMU Event Channel Virtual CPU Virtual MMU Xen Virtual Machine Monitor Hardware (SMP, MMU, physical memory, Ethernet, SCSI/IDE) Advanced XenClient Architecture Per host/device Per guest Service VMs Service VMs User VM User VM Device Device Device Emulate Control Control Domain Domain Network Network Isolation Emulation VPN Isolation Management Management VPN Isolation Policy Granularity Policy Granularity Xen Xen Security Modules VT-d TXT Intel vPro Hardware VT-x AES-NI 29 Disaggregation • Unique benefit of the Xen architecture: • Security – Minimum privilege; Narrow interfaces • Performance – Lightweight e.g. minios directly on hypervisor – Exploit locality – service VMs see a subset of the machine, run close to resources with which they interact • Reliability – Able to be safely restarted 30 Isolated Driver VMs for High Availability • Detect failure e.g. 350 – Illegal access 300 – Timeout 250 • Kill domain, restart 200 150 – E.g. Just 275ms outage from 100 failed Ethernet driver 50 • New work uses restarts to 0 0 5 10 15 20 25 30 35 40 enhance security time (s) Proposal • We should strive to get all Xen products and deployments to take full advantage of the Xen architecture • We need to make this much easier! • Proposal: define and maintain a reference architecture and implementation that embodies best practice recommendations 32 Reference Architecture • Define using new technologies – Latest stable Xen – Linux 3.x pvops • Optimization effort required – Libxl control stack • For easy consumption by other vendor tool stacks 33 Target Features • Network restart-able driver domains – Integrated OpenFlow vswitch • Storage restart-able driver domains – Also allows easier deployment of new storage options e.g.
Load more

Recommended publications
  • Bromium Advanced Endpoint Security Protect | Detect | Respond
    Data Sheet Bromium Advanced Endpoint Security Protect | Detect | Respond At a Glance Today’s enterprises are fighting a losing battle against advanced, Bromium Advanced Endpoint Security targeted and often undetectable cyber attacks. In spite of the uses micro-virtualization and contextual, increased spend on more and more layered security solutions, real-time detection to protect across all major threat vectors and attack types. organizations are not making headway against attackers. Enterprises Enterprises can finally defeat cyber attacks and eliminate endpoint breaches. are getting breached, users’ productivity is hampered by side effects of security solutions, and IT is stuck on a treadmill of never-ending Key Business Benefits patching and remediation. PROTECT AGAINST ZERO-DAY ATTACKS Revolutionary micro-virtualization technology prevents known and Bromium® Advanced Endpoint Security next-generation endpoint protection unknown cyber attacks from offers a better way to defeat cyber that integrates endpoint threat isolation, compromising endpoints and your attacks that target the endpoint, where threat analytics and continuous host corporate network more than 70% of breaches originate. monitoring to enable organizations TRUE PREVENTION WITHOUT The first to deliver an endpoint security to protect, detect and respond to USER DISRUPTION Users can safely click on anything from solution based on virtualization, targeted attacks, zero-day threats and home, branch offices, airports and cafes— Bromium offers comprehensive attempted breaches in real time. without the need for restrictive policies DETECT ATTEMPTED BREACHES Behavioral detection techniques alert and monitor suspicious activity on the host system ELIMINATE REMEDIATION AND EMERGENCY PATCHING COSTS Bromium-protected endpoints are self-remediating because any possibility of malware persistence is eliminated.
    [Show full text]
  • Improving Desktop System Security Using Compartmentalization
    Improving Desktop System Security Using Compartmentalization by Mohsen Zohrevandi A Dissertation Presented in Partial Fulfillment of the Requirements for the Degree Doctor of Philosophy Approved April 2018 by the Graduate Supervisory Committee: Rida Bazzi, Chair Gail-Joon Ahn Adam Doupé Ming Zhao ARIZONA STATE UNIVERSITY August 2018 ABSTRACT Compartmentalizing access to content, be it websites accessed in a browser or docu- ments and applications accessed outside the browser, is an established method for protect- ing information integrity [12, 19, 21, 60]. Compartmentalization solutions change the user experience, introduce performance overhead and provide varying degrees of security. Strik- ing a balance between usability and security is not an easy task. If the usability aspects are neglected or sacrificed in favor of more security, the resulting solution would have a hard time being adopted by end-users. The usability is affected by factors including (1) the gen- erality of the solution in supporting various applications, (2) the type of changes required, (3) the performance overhead introduced by the solution, and (4) how much the user expe- rience is preserved. The security is affected by factors including (1) the attack surface of the compartmentalization mechanism, and (2) the security decisions offloaded to the user. This dissertation evaluates existing solutions based on the above factors and presents two novel compartmentalization solutions that are arguably more practical than their existing counterparts. The first solution, called FlexICon, is an attractive alternative in the design space of compartmentalization solutions on the desktop. FlexICon allows for the creation of a large number of containers with small memory footprint and low disk overhead.
    [Show full text]
  • Securing the Path to Windows 10 How to Achieve the Benefits of Virtualization-Based Security Without a Hardware Refresh White Paper
    White Paper Securing the Path to Windows 10 How to Achieve the Benefits of Virtualization-based Security Without a Hardware Refresh White Paper Introduction “Bromium, a Microsoft partner, For enterprises the #1 reason to upgrade to Windows 10 is delivers hardware-enforced improved security, but the critical enhancements that rely on security to today’s deployed Windows endpoints. More hardware protection will be difficult to adopt until you buy importantly, Bromium enables new PCs. Bromium, a Microsoft partner, delivers hardware- IT organizations to easily upgrade existing PCs to Windows 10 with enforced security to today’s deployed Windows endpoints. More hardware-enforced security importantly, Bromium enables IT organizations to easily upgrade that extends the in-box security existing PCs to Windows 10 with hardware-enforced security that of Windows 10, without a hardware refresh, accelerating extends the in-box security of Windows 10, without a hardware Windows 10 rollouts.” refresh, accelerating Windows 10 rollouts. Windows 10 Security Windows 10 Enterprise promises many security enhancements over Windows 7 and 8, and introduces a family of hardware-assisted security technologies in Device Guard (DG). DG helps to ensure a secure boot, whitelists kernel code and offers credential protection and biometric authentication. The most important Figure 1: Windows 10 Device Guard SECURING THE PATH TO WINDOWS 10 2 White Paper “VBS uses endpoint CPU feature is virtualization-based security (VBS) which uses Hyper-V, enhanced with virtualization to isolate and elements of micro-virtualization, to help protect the operating system using protect two critical Windows hardware virtualization. The Bromium / Microsoft partnership aims to accelerate services: Windows Code Integrity service which protects the kernel the roadmap for VBS.
    [Show full text]
  • Citrix Hypervisor 8.2
    Citrix Hypervisor 8.2 Citrix Product Documentation | docs.citrix.com August 16, 2021 Citrix Hypervisor 8.2 Contents Citrix Hypervisor 8.2 3 新增功能 4 自 XenServer 7.1 以来的新增功能 8 已修复的问题 19 已知问题 21 弃用 25 系统要求 32 配置限制 35 来宾操作系统支持 39 快速入⻔ 42 技术概述 61 技术常⻅问题解答 68 许可 82 安装 89 安装和部署方案 96 从现有版本升级 101 更新您的主机 109 对安装问题进行故障排除 119 从 SAN 环境引导 120 网络引导安装 124 主机分区布局 133 在小型设备上安装 134 XenCenter 当前版本 135 © 1999‒2021 Citrix Systems, Inc. All rights reserved. 2 Citrix Hypervisor 8.2 主机和资源池 135 群集池 150 管理用户 154 基于⻆色的访问控制 161 RBAC ⻆色和权限 161 将 RBAC 与 CLI 结合使用 171 网络连接 176 管理网络连接 189 网络连接故障排除 208 存储 212 存储库格式 216 精简预配的共享 GFS2 块存储 233 管理存储库 240 存储多路径 251 和 IntelliCache 253 存储读缓存 256 PVS 加速器 259 图形概述 266 准备主机以处理图形 270 创建启用了 vGPU 的 VM 279 内存使用率 285 监视和管理您的部署 287 管理虚拟机 307 Windows VM 310 © 1999‒2021 Citrix Systems, Inc. All rights reserved. 3 Citrix Hypervisor 8.2 Linux VM 327 VM 内存 334 迁移 VM 340 导入和导出 VM 343 删除 VM 355 Bromium 安全平台 357 vApp 359 演示版 Linux 虚拟设备 361 虚拟机高级注释 363 为 Linux VM 启用 VNC 372 VM 问题故障排除 384 高可用性 390 灾难恢复和备份 397 启用灾难恢复 399 vApp 402 备份和还原主机和 VM 403 VM 快照 407 处理计算机故障 414 故障排除 417 标准引导补充包 420 Workload Balancing 423 Workload Balancing 入⻔ 425 管理 Workload Balancing 虚拟设备 435 用于 Workload Balancing 的证书 491 © 1999‒2021 Citrix Systems, Inc. All rights reserved. 4 Citrix Hypervisor 8.2 转换 VMware 工作负载 498 命令行接口 511 第三方声明 625 Citrix Hypervisor 开源许可和属性 625 SDK 和 API 630 数据治理 631 © 1999‒2021 Citrix Systems, Inc.
    [Show full text]
  • Weekly Internet / Digital Media / Saas Sector Summary
    Weekly Internet / Digital Media / SaaS Sector Summary Week of October 28th, 2013 Industry Stock Market Valuation Internet / Digital Media / SaaS Last 12 Months Last 3 Months 170 130 58% 55% 160 53% 125 46% 22% 150 43% 21% 120 43% 13% 43% 140 11% 40% 115 9% 32% 130 8% 8% 110 7% 120 7% 105 110 100 100 95 90 80 90 10/25/12 01/24/13 04/25/13 07/25/13 10/25/13 07/25/13 08/16/13 09/09/13 10/02/13 10/25/13 (1) (2) (3) (4) NASDAQ Search / Online Advertising Internet Commerce Internet Content Publishers (5) (6) (7) (8) Diversified Marketing Media Conglomerates Gaming SaaS Notes: 1) Search/Online Advertising Composite includes: BCOR, BLNX-GB, GOOG, FUEL, MCHX, MM, MRIN, MSFT, QNST, RLOC, TRMR, VCLK, VELT, YHOO, YNDX, YUME. 2) Internet Commerce Composite includes: AMZN, AWAY, CPRT, DRIV, EBAY, EXPE, FLWS, LINTA, NFLX, NILE, OPEN, OSTK, PCLN, PRSS, SSTK, STMP, TZOO, VPRT. 3) Internet Content Composite includes: AOL, DHX, DMD, EHTH, IACI, MOVE, MWW, RATE, RENN, RNWK, SCOR, SFLY, TRLA, TST, TTGT, UNTD, WBMD, WWWW, XOXO, Z. 4) Publishers Composite includes: GCI, MMB-FR, NWSA, NYT, PSON-GB, SSP, TRI, UBM-GB, WPO. 5) Diversified Marketing Composite includes: ACXM, EFX, EXPN-GB, HAV-FR, HHS, IPG, MDCA, NLSN, VCI, WPP-GB. 6) Media Conglomerates Composite includes: CBS, CMCSA, DIS, DISCA, LGF, SNE, TWX, VIA.B. 1 7) Gaming Composite includes: 035420-KR, 036570-KR, 2432-JP, 3632-JP, 3765-JP, 700-HK, ATVI, CYOU, EA, GA, GAME, GLUU, NTES, PWRD, UBI-FR, ZNGA.
    [Show full text]
  • It's That Time
    December 2014 / January 2015 | Vol. 8 No. 1 VirtualizationReview.com 2015 READERS CHOICE AWARDS WINNER IT’S THAT TIME OFYEAR! Eggnog, presents and the products you like best. PLUS > VIRTUAL PREDICTIONS > DELL’S VDI STRATEGY > UNTANGLING VMWARE DRS VISIT VIRTUALIZATIONREVIEW.COM contents The objective is helping organizations accomplish their 6 goals; not to push any specifi c type of technology. By Dan Kusnetzky 2015Readers Choice Awards “Chromebook desktop ÌÌÌÌ Winner ÌÌÌÌ access looks especially promising, especially in the education market.” Garret Grajek, dinCloud 18 6 December 2014 / January 2015 | VIRTUALIZATION REVIEW | VOL. 7, NO. 2 FEATURES 11 Best Cloud Storage Product 15 Best Network 4 The 2015 Reader’s Choice 12 Best Cloud Security Product Virtualization Product Awards and Buyer’s Guide 12 Best Cloud Software Product 16 Best Virtualization Security Product You, the readers, have spoken. 13 Best Business Continuity Product Here are the virtualization and Best Converged 14 Best Virtualization 17 cloud computing products that Automation Product Infrastructure Product rock your world. Best Virtualization Training 15 Best Storage 17 6 Best Application Virtualization Product Virtualization Product 6 Best Server Virtualization Product Best Desktop Virtualization/ 7 18 2015 Virtualization Predictions COLUMNS Virtual Desktop Infrastructure Product What can you expect to happen 2 Editor’s Note: KEITH WARD in the virtualization and cloud 3 Expectations for 2015 8 Best Mobile Virtualization/ BYOD Product industries in the coming year?
    [Show full text]
  • Hardware-Assisted Security for High-Value Information
    SOLUTION BRIEF Application Code Security Intel® Software Guard Extensions Hardware-Assisted Security for High-Value Information Numecent, Bromium, and wolfSSL employ Intel® Software Guard Extensions (Intel® SGX) to create more secure, next-generation solutions Developers have long been constrained by the security capabilities that major platform providers have exposed for application development. These same capabilities are also well known to hackers, who have exploited weaknesses to steal sensitive data and credentials, or hijack code for attacks. Until now, developers have been forced to rely on the provider’s security architecture, with no way to apply a security model designed to fit their own requirements after a platform release has shipped. Recognizing the need for a new model that protects selected code and data from disclosure or modification, Intel designed Intel® Software Guard Extensions (Intel® SGX), a hardware-assisted trusted execution environment with the smallest possible attack surface. With Intel SGX, developers can partition their application into CPU-hardened “enclaves,” or protected areas of execution, that increase security even on compromised platforms. Using this new application-layer trusted execution environment allows developers to enable identity and records privacy, secure browsing, DRM, harden end point protection, or any high assurance security use case that needs to safely store secrets or protect data. Intel SGX is an Intel® technology for application developers who are seeking to protect select code and data from disclosure or modification. Intel SGX makes such protections possible through the use of enclaves. Application code can be put into an enclave by special instructions and software made available to developers via the Intel SGX SDK.
    [Show full text]
  • Piper Jaffray Cybersecurity Earnings Update
    Piper Jaffray Cybersecurity Earnings Update Third Quarter 2017 Marc Steifman Greg Klancher Co-Head of Technology Principal Investment Banking Piper Jaffray & Co. Piper Jaffray & Co. MINNEAPOLIS | BOSTON | CHICAGO | HOUSTON | LONDON | LOS ANGELES | NEW YORK | SAN FRANCISCO | ZÜRICH Piper Jaffray Companies (NYSE: PJC) is an investment bank and asset management firm headquartered in Minneapolis with offices across the U.S. and in London, Zurich and Hong Kong. Securities brokerage and investment banking services are offered in the United States through Piper Jaffray & Co., member NYSE and SIPC, in Europe through Piper Jaffray Ltd., authorized and regulated by the Financial Conduct Authority, and in Hong Kong through Piper Jaffray Hong Kong, authorized and regulated by the Securities and Futures Commission. Asset management products and services are offered through three separate investment advisory affiliates registered with the U.S. Securities and Exchange Commission: Advisory Research Inc., Piper Jaffray Investment Management LLC and PJC Capital Partners LLC. Piper Jaffray & Co., Member SIPC and FINRA 11/17 Piper Jaffray Case Study: Vista Equity Partners acquires majority stake in Jamf Vista Equity Partners: Undisclosed . Vista Equity Partners is a U.S.-based investment firm with more than $30 billion in cumulative capital commitments, currently invests in software, data and technology-enabled organizations. The firm invests in middle market management and leveraged buyouts, growth and acquisition Has purchased a majority financing, recapitalizations, private transactions, spin-outs and corporate divestitures. stake in . The firm was founded in 2000 and is headquartered in Austin, Texas. Jamf: . Jamf focuses on helping businesses, education and government organizations succeed with November 2017 Apple through its Jamf Pro and Jamf Now solutions.
    [Show full text]
  • Micro-Virtualization Memory Tracing to Detect and Prevent Spraying Attacks
    Micro-Virtualization Memory Tracing to Detect and Prevent Spraying Attacks Stefano Cristalli and Mattia Pagnozzi, University of Milan; Mariano Graziano, Cisco Systems Inc.; Andrea Lanzi, University of Milan; Davide Balzarotti, Eurecom https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/stefano This paper is included in the Proceedings of the 25th USENIX Security Symposium August 10–12, 2016 • Austin, TX ISBN 978-1-931971-32-4 Open access to the Proceedings of the 25th USENIX Security Symposium is sponsored by USENIX Micro-Virtualization Memory Tracing to Detect and Prevent Spraying Attacks Stefano Cristalli Mattia Pagnozzi Mariano Graziano Universita` degli Studi di Milano Universita` degli studi di Milano Cisco Systems Inc. Andrea Lanzi Davide Balzarotti Universita’ degli Studi di Milano Eurecom Abstract ception Handling Overwrite Protection (SEHOP) [29], Spraying is a common payload delivery techniue and Control Flow Integrity [3]—just to name some of used by attackers to execute arbitrary code in presence the most popular solutions. Even though the combina- of Address Space Layout Randomisation (ASLR). In tion of all these techniues have certainly increased the this paper we present Graffiti, an efficient hypervisor- security of modern operating systems, no matter how based memory analysis framework for the detection and high the bar was set, attackers have always found a way prevention of spraying attacks. Compared with previ- to overcome it to take control of a vulnerable system. ous solutions, our system is the first to offer an effi- ASLR is certainly one of the most common and suc- cient, complete, extensible, and OS independent protec- cessful techniues adopted by modern operating sys- tion against all spraying techniues known to date.
    [Show full text]
  • Master Arbeit
    Hochschule Wismar Fakultät für Ingenieurwissenschaften WINGS Studiengang IT Sicherheit und Forensik Master-Thesis Capabilities of Live/Memory-Forensics on Compartmentalized Systems Using Bromium, Qubes and Proxmox as Examples Eingereicht am: 31. August 2019 von: Ute Schüller Matrikelnummer: XXXXXX Erstgutachter: Prof. Dr.-Ing. A. Raab-Düsterhöft Zweitgutachter: Prof. Dr.-Ing. A. Ahrens Scope of Work Scope of Work With the constantly increasing digitalization of daily life, there is also a rising number of attacks, against private as well as company computers. One of the options to reduce those risks, is the usage of operating systems or software, that provide compartments (aka. sandboxes or containers), when working on a network-connected computer. Despite the reduced risks, sometimes the need for live/memory-forensics arises on those systems, as well. How to perform such an analysis, is well-documented for e.g. VMware; nevertheless, for Bromium, Qubes and Proxmox, there is not much literature available. Consequently, the aim of this master thesis is to investigate the available options for those 3 operating systems. On one Hand, this includes examining the systems for already present IT-forensic capabilities, and, on the other hand, investigating additional possibilities to collect live/memory forensic data, that can be gathered, using freely available software like Rekall or Proxmox. Additionally, commercial software (Axiom, EnCase, X-Ways and Nuix) should be looked at, to find out, which possibilities are available, within those programs. Finally, if possible, a half-automated data collection on Qubes should be implemented, for later IT-forensic investigation. In GERMAN: Titel: Möglichkeiten der Live/Memory-Forensik auf kompartimentierten Systeme am Beispiel von Bromium, Qubes und Proxmox Aufgabenstellung Mit der stetig wachsenden Digitalisierung des täglichen Lebens, wächst auch die Anzahl der Angriffe auf private, wie auch auf Firmen-Computer.
    [Show full text]
  • Xenserver 7.3 Release Notes December 2017
    XenServer 7.3 Release Notes December 2017 XenServer 7.3 Release Notes Welcome to XenServer 7.3. This document provides important information about the XenServer 7.3 release. XenServer 7.3 is a Current Release (CR). The Current Release model allows customers to consume new features at the earliest possible juncture. This contrasts with the Long Term Service Release (XenServer 7.1 LTSR), which guarantees stability in terms of the feature set within XenServer. XenServer 7.3 is available in two commercial editions: • Standard Edition • Enterprise Edition Note: If you use XenServer in an unlicensed1 state, there are new restrictions on the set of features that are available to you. Before moving to XenServer 7.3, ensure that you review the information in the Licensing section to see which features now require a license. XenServer 7.3 is available to download from the XenServer Product Download page. New Features and Improvements in XenServer 7.3 XenServer 7.3 introduces enhanced features and functionality for application, desktop, and server virtualization use cases. All XenServer 7.3 features are available to all licensed XenApp/XenDesktop customers. Citrix Director Integration You can now use Citrix Director version 7.16 and later to access consoles of Server and Desktop OS machines hosted on XenServer. This way, XenApp and XenDesktop users don’t require XenCenter to troubleshoot issues on XenServer-hosted VDAs. For more information, see the Director documentation: • https://docs.citrix.com/en-us/xenapp-and-xendesktop/current- release/director/troubleshoot-machines.html#machine_console Bromium Enhanced Security Enterprise Edition You can now use Bromium Secure Platform on Windows VMs running on XenServer.
    [Show full text]
  • Disaggregated System Services Through Lightweight Capability Domains
    Disaggregated System Services Through Lightweight Capability Domains John Regehr, Associate Professor School of Computing, University of Utah 50 S. Central Campus Dr., Room 3190 Salt Lake City, UT 84112 [email protected] +1 801 581 4280 Contacts: Ben Laurie, Mark Miller Abstract For several decades the operating system community has accepted that the only way of minimizing the trusted com- puting base, and constructing more secure, least authority systems, is to reimplement monolithic kernel functionality as a set of isolated microkernel servers. Our work aims to explore a less invasive means of constructing fine-grained, least authority environments. Instead of splitting the core functionality of a traditional operating system into multiple servers, we will develop a mechanism that can securely isolate individual kernel components right inside the address space of the monolithic operating system kernel. The traditional OS boots normally, supporting discovery, configura- tion, and initialization. However, after the system is initialized, the kernel will transfer execution of some subsystems into isolated protection domains. To implement protection domains, we propose to extend a hypervisor with support for lightweight protection domains and a capability access control model. Although these protection domains will run inside the guest OS’s kernel address space, they will be fully protected by the hypervisor, which also provides a mediated capability interface. Effectively, we will execute a traditional operating system on a capability machine, which we implement in the hypervisor rather than on specialized hardware. In contrast to the traditional microkenelization, our isolated service implementations will not require major modifications to their code. Our goal is to develop a small set of interfaces, communication, and synchronization mechanisms that can run the common kernel subsystems in both monolithic and disaggregated configurations.
    [Show full text]