DOCSLIB.ORG

End-To-End Verification of Memory Isolation

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Secure System Virtualization: End-to-End Verification of Memory Isolation HAMED NEMATI Doctoral Thesis Stockholm, Sweden 2017 TRITA-CSC-A-2017:18 KTH Royal Institute of Technology ISSN 1653-5723 School of Computer Science and Communication ISRN-KTH/CSC/A--17/18-SE SE-100 44 Stockholm ISBN 978-91-7729-478-8 SWEDEN Akademisk avhandling som med tillstånd av Kungl Tekniska högskolan framlägges till offentlig granskning för avläggande av teknologie doktorsexamen i datalogi fre- dagen den 20 oktober 2017 klockan 14.00 i Kollegiesalen, Kungl Tekniska högskolan, Brinellvägen 8, Stockholm. © Hamed Nemati, October 2017 Tryck: Universitetsservice US AB iii Abstract Over the last years, security kernels have played a promising role in re- shaping the landscape of platform security on today’s ubiquitous embedded devices. Security kernels, such as separation kernels, enable constructing high-assurance mixed-criticality execution platforms. They reduce the soft- ware portion of the system’s trusted computing base to a thin layer, which enforces isolation between low- and high-criticality components. The reduced trusted computing base minimizes the system attack surface and facilitates the use of formal methods to ensure functional correctness and security of the kernel. In this thesis, we explore various aspects of building a provably secure separation kernel using virtualization technology. In particular, we examine techniques related to the appropriate management of the memory subsystem. Once these techniques were implemented and functionally verified, they pro- vide reliable a foundation for application scenarios that require strong guar- antees of isolation and facilitate formal reasoning about the system’s overall security. We show how the memory management subsystem can be virtualized to enforce isolation of system components. Virtualization is done by using direct paging that enables a guest software under some circumstances to manage its own memory configuration. We demonstrate the soundness of our approach by verifying that the high-level model of the system fulfills the desired security properties. Through refinement, we then propagate these properties (semi-) automatically to the machine-code of the virtualization mechanism. An application of isolating platforms is to provide external protection to an untrusted guest operating system to restrict its attack surface. We show how a runtime monitor can be securely deployed alongside a Linux guest on a hypervisor to prevent code injection attacks targeting Linux. The monitor takes advantage of the provided separation to protect itself and to retain a complete view of the guest software. Separating components using a low-level software, while important, is not by itself enough to guarantee security. Indeed, current processors ar- chitecture involves features, such as caches, that can be utilized to violate the isolation of components. In this thesis, we present a new low noise at- tack vector constructed by measuring cache effects. The vector is capable of breaching isolation between components of different criticality levels, and it invalidates the verification of software that has been verified on a mem- ory coherent (cacheless) model. To restore isolation, we provide a number of countermeasures. Further, we propose a new methodology to repair the verification of the software by including data-caches in the statement of the top-level security properties of the system. Sammanfattning Inbyggda system finns överallt idag. Under senare år har utvecklingen av platformssäkerhet för inbyggda system spelat en allt större roll. Säker- hetskärnor, likt isoleringskärnor, möjliggör konstruktion av tillförlitliga exe- kveringsplatformar ämnade för både kritiska och icke-kritiska tillämpningar. Säkerhetskärnor reducerar systemets kritiska kodmängd i ett litet tunt mjuk- varulager. Detta mjukvarulager upprättar en tillförlitlig isolering mellan olika mjukvarukomponenter, där vissa mjukvarukomponenter har kritiska roller och andra inte. Det tunna mjukvarulagret minimerar systemets attackyta och un- derlättar användningen av formella metoder för att försäkra mjukvarulagrets funktionella korrekthet och säkerhet. I denna uppsats utforskas olika aspekter för att bygga en isoleringskärna med virtualiseringsteknik sådant att det går att bevisa att isoleringskärnan är säker. I huvudsak undersöks tekniker för säker hantering av minnessystemet. Implementering och funktionell verifiering av dessa minneshanteringstekniker ger en tillförlitlig grund för användningsområden med höga krav på isolering och underlättar formell argumentation om att systemet är säkert. Det visas hur minneshanteringssystemet kan virtualiseras i syfte om att isolera systemkomponenter. Virtualiseringstekniken bakom minnessystemet är direkt paging och möjliggör gästmjukvara, under vissa begränsningar, att konfigurera sitt eget minne. Denna metods sundhet demonstreras genom veri- fiering av att högnivåmodellen av systemet satisfierar de önskade säkerhetse- genskaperna. Genom förfining överförs dessa egenskaper (semi-) automatiskt till maskinkoden som utgör virtualiseringsmekanismen. En isolerad gästapplikation ger externt skydd för ett potentiellt angri- pet gästoperativsystem för att begränsa den senares attackyta. Det visas hur en körningstidsövervakare kan köras säkert i systemet ovanpå en hypervi- sor bredvid en Linuxgäst för att förhindra kodinjektionsattacker mot Linux. Övervakaren utnyttjar systemets isoleringsegenskaper för att skydda sig själv och för att ha en korrekt uppfattning av gästmjukvarans status. Isolering av mjukvarukomponenter genom lågnivåmjukvara är inte i sig tillräckligt för att garantera säkerhet. Dagens processorarkitekturer har funk- tioner, som exempelvis cacheminnen, som kan utnyttjas för att kringgå iso- leringen mellan mjukvarukomponenter. I denna uppsats presenteras en ny attack som inte är störningskänslig och som utförs genom att analysera cache- operationer. Denna attack kan kringgå isoleringen mellan olika mjukvarukom- ponenter, där vissa komponenter har kritiska roller och andra inte. Attacken ogiltigförklarar också verifiering av mjukvara om verifieringen antagit en min- neskoherent (cachefri) modell. För att motverka denna attack presenteras ett antal motmedel. Utöver detta föreslås också en ny metodik för att återvalidera mjukvaruverifieringen genom att inkludera data-cacheminnen i formuleringen av systemets säkerhetsegenskaper. v Acknowledgements I would like to express my sincere gratitude and appreciation to my main super- visor, Prof. Mads Dam for his encouragement and support, which brought to the completion of this thesis. Mads’ high standards have significantly enriched my research. I am deeply grateful to my colleagues Roberto Guanciale, Oliver Schwarz (you are one of “the best” ;)), Christoph Baumann, Narges Khakpour, Arash Vahidi, and Viktor Do for their supports, valuable comments, and advices during the entire progress of this thesis. I would also like to thank all people I met at TCS, especially Adam Schill Collberg, Andreas Lindner, Benjamin Greschbach, Cenny Wenner, Cyrille Artho (thanks for reading the thesis draft and providing good suggestions), Daniel Bosk (trevligt att träffas Daniel), Emma Enström, Hojat Khosrowjerdi, Ilario Bonacina, Jan Elffers, Jesús Giráldez Crú, Jonas Haglund (thanks for helping with the ab- stract), Joseph Swernofsky, Linda Kann, Marc Vinyals, Mateus de Oliveira Oliveira, Mika Cohen, Mladen Mikša, Muddassar Azam Sindhu, Musard Balliu, Pedro de Carvalho Gomes, Roelof Pieters (I like you too :)), Sangxia Huang, Susanna Figueiredo de Rezende, Thatchaphol Saranurak, Thomas Tuerk, and Xin Zhao for lunch company and making TCS a great place. I am truly thankful to my dear friends Vahid Mosavat, Mohsen Khosravi, Guillermo Rodríguez Cano, and Ali Jafari, who made my stay in Sweden more pleasant. Last but not the least, huge thanks to my parents, my sister and Razieh for their endless love, moral support and encouragement, without which I would have never been able to complete this important step of my life. Contents Contents vi I Introduction and Summary 1 Abbreviations 3 1 Introduction 5 1.1 Overview . 5 1.2 Thesis Statement . 7 1.3 Thesis Outline . 9 2 Background 11 2.1 Platform Security . 12 2.2 Formal Verification . 24 2.3 Summary . 36 3 Related Work 37 3.1 Verification of Security-Kernels . 37 3.2 Trustworthy Runtime Monitoring . 40 3.3 Attack On Isolation . 41 3.4 Summary . 41 4 Contributions 43 4.1 Summary of Included Papers . 43 4.2 Further Publications . 48 5 Conclusions 49 5.1 Contribution . 49 5.2 Concluding Remarks and Future Work . 50 vi CONTENTS vii II Included Papers 53 A Provably secure memory isolation for Linux on ARM 55 A.1 Introduction . 55 A.2 Related Work . 58 A.3 Verification Approach . 60 A.4 The ARMv7 CPU . 66 A.5 The Memory Virtualization API . 70 A.6 Formalizing the Proof Goals . 77 A.7 TLS Consistency . 83 A.8 Refinement . 87 A.9 Binary Verification . 88 A.10 Implementation . 98 A.11 Evaluation . 102 A.12 Applications . 103 A.13 Concluding Remarks . 107 B Trustworthy Prevention of Code Injection in Linux on Embed- ded Devices 109 B.1 Introduction . 109 B.2 Background . 111 B.3 Design . 116 B.4 Formal Model of MProsper . 118 B.5 Verification Strategy . 121 B.6 Evaluation . 124 B.7 Related Work . 125 B.8 Concluding Remarks . 126 C Cache Storage Channels: Alias-Driven Attacks and Verified Coun- termeasures 129 C.1 Introduction . 129 C.2 Background . 131 C.3 The New Attack Vectors: Cache Storage Channels . 133 C.4 Case Studies . 139 C.5 Countermeasures . 146 C.6
Recommended publications
  • Upgrading Cfengine Nova a Cfengine Special Topics Handbook

    Upgrading Cfengine Nova a Cfengine Special Topics Handbook

    Upgrading CFEngine Nova A CFEngine Special Topics Handbook CFEngine AS This document describes how software updates work in CFEngine Nova. ¨ © Copyright c 2010- CFEngine AS 1 v i Table of Contents What does upgrading mean? ::::::::::::::::::::::::::::::::::::::::: 3 Why do I need to upgrade?::::::::::::::::::::::::::::::::::::::::::: 3 How does upgrading work? ::::::::::::::::::::::::::::::::::::::::::: 3 How can I do phased deployment? :::::::::::::::::::::::::::::::::::: 4 What if I have multiple operating system platforms? ::::::::::::::::::: 4 How do Nova policies update if I already have my own policy? ::::::::: 4 Appendix A Manual package upgrade commands ::::::: 5 3 What does upgrading mean? A software upgrade involves obtaining a new version of the CFEngine software from soft- ware.CFEngine.com and installing it in place of the old. When software is updated, the previous version of the software is retained. From version 1.1 of CFEngine Nova, CFEngine is fully capable of managing its own updates ¨ and service restarts with a minimum of manual work on the policy server. Existing users of version 1.0 will need to upgrade the software manually on the affected sys- tems, or use the existing CFEngine to assist in the manual process. Please contact CFEngine Professional Services for for assistance (see Appendix). © Why do I need to upgrade? Bug fixes and new features are included in new software releases. To gain access to these fixes, you need to upgrade the software. Changes to the standard Community Open Promise Body Library might make use of new features, so upgrading brings you access to these new methods. How does upgrading work? CFEngine packages its software in operating sytsem compatible package formats (RPM, PKG, MSI, etc).
  • Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software

    Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software

    Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software Chongkyung Kil,∗ Jinsuk Jun,∗ Christopher Bookholt,∗ Jun Xu,† Peng Ning∗ Department of Computer Science∗ Google, Inc.† North Carolina State University {ckil, jjun2, cgbookho, pning}@ncsu.edu [email protected] Abstract a memory corruption attack), an attacker attempts to alter program memory with the goal of causing that program to Address space randomization is an emerging and behave in a malicious way. The result of a successful at- promising method for stopping a broad range of memory tack ranges from system instability to execution of arbitrary corruption attacks. By randomly shifting critical memory code. A quick survey of US-CERT Cyber Security Alerts regions at process initialization time, address space ran- between mid-2005 and 2004 shows that at least 56% of the domization converts an otherwise successful malicious at- attacks have a memory corruption component [24]. tack into a benign process crash. However, existing ap- Memory corruption vulnerabilities are typically caused proaches either introduce insufficient randomness, or re- by the lack of input validation in the C programming lan- quire source code modification. While insufficient random- guage, with which the programmers are offered the free- ness allows successful brute-force attacks, as shown in re- dom to decide when and how to handle inputs. This flex- cent studies, the required source code modification prevents ibility often results in improved application performance. this effective method from being used for commodity soft- However, the number of vulnerabilities caused by failures ware, which is the major source of exploited vulnerabilities of input validation indicates that programming errors of this on the Internet.
  • Security Enhancements in Red Hat Enterprise Linux (Beside Selinux)

    Security Enhancements in Red Hat Enterprise Linux (Beside Selinux)

    Security Enhancements in Red Hat Enterprise Linux (beside SELinux) Ulrich Drepper Red Hat, Inc. [email protected] December 9, 2005 Abstract Bugs in programs are unavoidable. Programs developed using C and C++ are especially in danger. If bugs cannot be avoided the next best thing is to limit the damage. This article will show improvements in Red Hat Enterprise Linux which achieve just that. 1 Introduction These problems are harder to protect against since nor- mally2 all of the OS’s functionality is available and the Security problems are one of the biggest concerns in the attacker might even be able to use self-compiled code. industry today. Providing services on networked comput- ers which are accessible through the intranet and/or Inter- Remotely exploitable problems are more serious since net potentially to untrusted individuals puts the installa- the attacker can be anywhere if the machine is available tion at risk. A number of changes have been made to the through the Internet. On the plus side, only applications Linux OS1 which help a lot to mitigate the risks. Up- accessible through the network services provided by the coming Red Hat Enterprise Linux versions will feature machine can be exploited, which limits the range of ex- the SELinux extensions, originally developed by the Na- ploits. Further limitations are the attack vectors. Usually tional Security Agency (NSA), with whom Red Hat now remote attackers can influence applications only by pro- collaborates to productize the developed code. SELinux viding specially designed input. This often means cre- means a major change in Linux and is a completely sep- ating buffer overflows, i.e., situations where the data is arate topic by itself.
  • Intel X86 Considered Harmful

    Intel X86 Considered Harmful

    Intel x86 considered harmful Joanna Rutkowska October 2015 Intel x86 considered harmful Version: 1.0 1 Contents 1 Introduction5 Trusted, Trustworthy, Secure?......................6 2 The BIOS and boot security8 BIOS as the root of trust. For everything................8 Bad SMM vs. Tails...........................9 How can the BIOS become malicious?.................9 Write-Protecting the flash chip..................... 10 Measuring the firmware: TPM and Static Root of Trust........ 11 A forgotten element: an immutable CRTM............... 12 Intel Boot Guard............................. 13 Problems maintaining long chains of trust............... 14 UEFI Secure Boot?........................... 15 Intel TXT to the rescue!......................... 15 The broken promise of Intel TXT.................... 16 Rescuing TXT: SMM sandboxing with STM.............. 18 The broken promise of an STM?.................... 19 Intel SGX: a next generation TXT?................... 20 Summary of x86 boot (in)security.................... 21 2 Intel x86 considered harmful Contents 3 The peripherals 23 Networking devices & subsystem as attack vectors........... 23 Networking devices as leaking apparatus................ 24 Sandboxing the networking devices................... 24 Keeping networking devices outside of the TCB............ 25 Preventing networking from leaking out data.............. 25 The USB as an attack vector...................... 26 The graphics subsystem......................... 29 The disk controller and storage subsystem............... 30 The audio
  • Qualys Policy Compliance Getting Started Guide

    Qualys Policy Compliance Getting Started Guide

    Policy Compliance Getting Started Guide July 28, 2021 Verity Confidential Copyright 2011-2021 by Qualys, Inc. All Rights Reserved. Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks are the property of their respective owners. Qualys, Inc. 919 E Hillsdale Blvd Foster City, CA 94404 1 (650) 801 6100 Table of Contents Get Started ........................................................................................................ 5 Set Up Assets............................................................................................................................ 6 Start Collecting Compliance Data ............................................................... 8 Configure Authentication....................................................................................................... 8 Launch Compliance Scans ................................................................................................... 10 We recommend you schedule scans to run automatically .............................................. 12 How to configure scan settings............................................................................................ 12 Install Cloud Agents.............................................................................................................. 17 Evaluate Middleware Assets by Using Cloud Agent .......................................................... 17 Define Policies ................................................................................................. 21
  • Formal Modelling of Separation Kernels

    Formal Modelling of Separation Kernels

    The University of York Department of Computer Science Submitted in part fulfilment for the degree of MSc in Software Engineering. Formal Modelling of Separation Kernels Andrius Velykis 18th September 20091 Supervised by Dr Leo Freitas Number of words = 45327, as counted by detex <report.tex> j wc -w. This report consists of 98 pages in total. This includes the body of the report (without blank pages) and Appendix A, but not Appendices B, C, D, E and F. 1Updated transactional operation proofs, 21st September 2009. Abstract A separation kernel is an architecture for secure applications, which benefits from inherent security of distributed systems. Due to its small size and usage in high-integrity environments, it makes a good target for formal modelling and verification. This project presents results from mechanisation and modelling of separation kernel components: a process table, a process queue and a scheduler. The results have been developed as a part of the pilot project within the international Grand Challenge in Verified Software. This thesis covers full development life-cycle from project initiation through design and evaluation to successful completion. Important findings about kernel properties, formal modelling and design decisions are discussed. The developed formal specification is fully verified and contributes to the pilot project aim of creating a formal kernel model and refining it down to implementation code. Other reusable artefacts, such as general lemmas and a new technique of ensuring transactional properties of operations are defined. The results will be curated within the Verified Software Repository. i Robertai. Aˇci¯u. Acknowledgements I would like to thank Dr Leo Freitas for his supervision, encouragement and getting me hooked on formal methods.
  • Command-Line Sound Editing Wednesday, December 7, 2016

    Command-Line Sound Editing Wednesday, December 7, 2016

    21m.380 Music and Technology Recording Techniques & Audio Production Workshop: Command-line sound editing Wednesday, December 7, 2016 1 Student presentation (pa1) • 2 Subject evaluation 3 Group picture 4 Why edit sound on the command line? Figure 1. Graphical representation of sound • We are used to editing sound graphically. • But for many operations, we do not actually need to see the waveform! 4.1 Potential applications • • • • • • • • • • • • • • • • 1 of 11 21m.380 · Workshop: Command-line sound editing · Wed, 12/7/2016 4.2 Advantages • No visual belief system (what you hear is what you hear) • Faster (no need to load guis or waveforms) • Efficient batch-processing (applying editing sequence to multiple files) • Self-documenting (simply save an editing sequence to a script) • Imaginative (might give you different ideas of what’s possible) • Way cooler (let’s face it) © 4.3 Software packages On Debian-based gnu/Linux systems (e.g., Ubuntu), install any of the below packages via apt, e.g., sudo apt-get install mplayer. Program .deb package Function mplayer mplayer Play any media file Table 1. Command-line programs for sndfile-info sndfile-programs playing, converting, and editing me- Metadata retrieval dia files sndfile-convert sndfile-programs Bit depth conversion sndfile-resample samplerate-programs Resampling lame lame Mp3 encoder flac flac Flac encoder oggenc vorbis-tools Ogg Vorbis encoder ffmpeg ffmpeg Media conversion tool mencoder mencoder Media conversion tool sox sox Sound editor ecasound ecasound Sound editor 4.4 Real-world
  • BSD UNIX Toolbox 1000+ Commands for Freebsd, Openbsd

    BSD UNIX Toolbox 1000+ Commands for Freebsd, Openbsd

    76034ffirs.qxd:Toolbox 4/2/08 12:50 PM Page iii BSD UNIX® TOOLBOX 1000+ Commands for FreeBSD®, OpenBSD, and NetBSD®Power Users Christopher Negus François Caen 76034ffirs.qxd:Toolbox 4/2/08 12:50 PM Page ii 76034ffirs.qxd:Toolbox 4/2/08 12:50 PM Page i BSD UNIX® TOOLBOX 76034ffirs.qxd:Toolbox 4/2/08 12:50 PM Page ii 76034ffirs.qxd:Toolbox 4/2/08 12:50 PM Page iii BSD UNIX® TOOLBOX 1000+ Commands for FreeBSD®, OpenBSD, and NetBSD®Power Users Christopher Negus François Caen 76034ffirs.qxd:Toolbox 4/2/08 12:50 PM Page iv BSD UNIX® Toolbox: 1000+ Commands for FreeBSD®, OpenBSD, and NetBSD® Power Users Published by Wiley Publishing, Inc. 10475 Crosspoint Boulevard Indianapolis, IN 46256 www.wiley.com Copyright © 2008 by Wiley Publishing, Inc., Indianapolis, Indiana Published simultaneously in Canada ISBN: 978-0-470-37603-4 Manufactured in the United States of America 10 9 8 7 6 5 4 3 2 1 Library of Congress Cataloging-in-Publication Data is available from the publisher. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permis- sion should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions.
  • Ein Wilder Ritt Distributionen

    Ein Wilder Ritt Distributionen

    09/2016 Besichtigungstour zu den skurrilsten Linux-Distributionen Titelthema Ein wilder Ritt Distributionen 28 Seit den frühen 90ern schießen die Linux-Distributionen wie Pilze aus dem Boden. Das Linux-Magazin blickt zurück auf ein paar besonders erstaunliche oder schräge Exemplare. Kristian Kißling www.linux-magazin.de © Antonio Oquias, 123RF Oquias, © Antonio Auch wenn die Syntax anderes vermu- samer Linux-Distributionen aufzustellen, Basis für Evil Entity denkt (Grün!), liegt ten lässt, steht der Name des klassischen denn in den zweieinhalb Jahrzehnten falsch. Tatsächlich basierte Evil Entity auf Linux-Tools »awk« nicht für Awkward kreuzte eine Menge von ihnen unseren Slackware und setzte auf einen eher düs- (zu Deutsch etwa „tolpatschig“), sondern Weg. Während einige davon noch putz- ter anmutenden Enlightenment-Desktop für die Namen seiner Autoren, nämlich munter in die Zukunft blicken, ist bei an- (Abbildung 3). Alfred Aho, Peter Weinberger und Brian deren nicht recht klar, welche Zielgruppe Als näher am Leben erwies sich der Fo- Kernighan. Kryptische Namen zu geben sie anpeilen oder ob sie überhaupt noch kus der Distribution, der auf dem Ab- sei eine lange etablierte Unix-Tradition, am Leben sind. spielen von Multimedia-Dateien lag – sie heißt es auf einer Seite des Debian-Wiki wollten doch nur Filme schauen. [1], die sich mit den Namen traditioneller Linux für Zombies Linux-Tools beschäftigt. Je kaputter, desto besser Denn, steht dort weiter, häufig halten Apropos untot: Die passende Linux- Entwickler die Namen ihrer Tools für Distribution für Zombies ließ sich recht Auch Void Linux [4], der Name steht selbsterklärend oder sie glauben, dass einfach ermitteln. Sie heißt Undead Linux je nach Übersetzung für „gleichgültig“ sie die User ohnehin nicht interessieren.
  • NOVA: a Log-Structured File System for Hybrid Volatile/Non

    NOVA: a Log-Structured File System for Hybrid Volatile/Non

    NOVA: A Log-structured File System for Hybrid Volatile/Non-volatile Main Memories Jian Xu and Steven Swanson, University of California, San Diego https://www.usenix.org/conference/fast16/technical-sessions/presentation/xu This paper is included in the Proceedings of the 14th USENIX Conference on File and Storage Technologies (FAST ’16). February 22–25, 2016 • Santa Clara, CA, USA ISBN 978-1-931971-28-7 Open access to the Proceedings of the 14th USENIX Conference on File and Storage Technologies is sponsored by USENIX NOVA: A Log-structured File System for Hybrid Volatile/Non-volatile Main Memories Jian Xu Steven Swanson University of California, San Diego Abstract Hybrid DRAM/NVMM storage systems present a host of opportunities and challenges for system designers. These sys- Fast non-volatile memories (NVMs) will soon appear on tems need to minimize software overhead if they are to fully the processor memory bus alongside DRAM. The result- exploit NVMM’s high performance and efficiently support ing hybrid memory systems will provide software with sub- more flexible access patterns, and at the same time they must microsecond, high-bandwidth access to persistent data, but provide the strong consistency guarantees that applications managing, accessing, and maintaining consistency for data require and respect the limitations of emerging memories stored in NVM raises a host of challenges. Existing file sys- (e.g., limited program cycles). tems built for spinning or solid-state disks introduce software Conventional file systems are not suitable for hybrid mem- overheads that would obscure the performance that NVMs ory systems because they are built for the performance char- should provide, but proposed file systems for NVMs either in- acteristics of disks (spinning or solid state) and rely on disks’ cur similar overheads or fail to provide the strong consistency consistency guarantees (e.g., that sector updates are atomic) guarantees that applications require.
  • Red Hat Enterprise Linux Openstack Platform on Inktank Ceph Enterprise

    Red Hat Enterprise Linux Openstack Platform on Inktank Ceph Enterprise

    Red Hat Enterprise Linux OpenStack Platform on Inktank Ceph Enterprise Cinder Volume Performance Performance Engineering Version 1.0 December 2014 100 East Davie Street Raleigh NC 27601 USA Phone: +1 919 754 4950 Fax: +1 919 800 3804 Linux is a registered trademark of Linus Torvalds. Red Hat, Red Hat Enterprise Linux and the Red Hat "Shadowman" logo are registered trademarks of Red Hat, Inc. in the United States and other countries. Dell, the Dell logo and PowerEdge are trademarks of Dell, Inc. Intel, the Intel logo and Xeon are registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. All other trademarks referenced herein are the property of their respective owners. © 2014 by Red Hat, Inc. This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, V1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/). The information contained herein is subject to change without notice. Red Hat, Inc. shall not be liable for technical or editorial errors or omissions contained herein. Distribution of modified versions of this document is prohibited without the explicit permission of Red Hat Inc. Distribution of this work or derivative of this work in any standard (paper) book form for commercial purposes is prohibited unless prior permission is obtained from Red Hat Inc. The GPG fingerprint of the [email protected] key is: CA 20 86 86 2B D6 9D FC 65 F6 EC C4 21 91 80 CD DB 42 A6 0E www.redhat.com 2 Performance Engineering Table of Contents 1 Executive Summary ........................................................................................
  • Telecom Sud Paris

    Telecom Sud Paris

    Sécurité des OS et des systèmes Telecom Sud Paris Aurélien Wailly, Emmanuel Gras Amazon Dublin ANSSI Paris 2 Juin 2017 Présentation des intervenants Emmanuel Gras I Agence nationale de la sécurité des systèmes d’information depuis trop longtemps I Bureau inspections en SSI I http://pro.emmanuelgras.com I [email protected] Aurélien Wailly I Amazon depuis 2 ans I Thèse : End-to-end Security Architecture and Self-Protection Mechanisms for Cloud Computing Environments I Sécurité OS, reverse-engineering, réponse à incidents I http://aurelien.wail.ly I [email protected] A. Wailly, E. Gras (Amazon / ANSSI) Sécurité des OS et des systèmes 2 Juin 2017 2 / 259 Sécurité des sysèmes et des OS Objectifs I Fonctionnement des OS modernes, notamment du point de vue de la sécurité I Failles, exploitation, compromission I Dans le domaine de la sécurité, il est indispensable de comprendre comment marche un système pour l’exploiter Cibles I Linux, les principes restent valables pour les UNIX I Windows A. Wailly, E. Gras (Amazon / ANSSI) Sécurité des OS et des systèmes 2 Juin 2017 3 / 259 Plan 1 Introduction 2 OS, CPU et sécurité 3 Mémoire, segmentation et pagination (et sécurité !) 4 Sécurité des utilisateurs - UNIX 5 Sécurité des utilisateurs - Windows 6 Analyse de binaires - Concepts et outils 7 Failles applicatives 8 Protection des OS A. Wailly, E. Gras (Amazon / ANSSI) Sécurité des OS et des systèmes 2 Juin 2017 4 / 259 Votre OS ? www.dilbert.com/ A. Wailly, E. Gras (Amazon / ANSSI) Sécurité des OS et des systèmes 2 Juin 2017 5 / 259 Ce qui ne sera pas abordé La sécurité est un sujet vaste ! Réseau Virus et malwares Techniques logicielles avancées I Shellcoding poussé I Protection logicielle Exploitation Web I Cross Site Scripting I Injections SQL A.