Usenix security10-poster-suzaki

•

0 recomendaciones•276 vistas

Kuniyasu Suzaki

USENIX Security 2010 Poster. TItle is "Moving from Logical Sharing of Guest OS to Physical Sharing of Deduplication on Virtual Machine".

Moving from Logical Sharing of Guest OS
to Physical Sharing of Deduplication on Virtual Machine*
Kuniyasu Suzaki† Toshiki Yagi† Kengo Iijima† Nguyen Anh Quynh† Cyrille Artho† Yoshihito Watanebe‡
† National Institute of Advanced Industrial Science and Technology ‡ Alpha Systems Inc.
Main Problem: Logical Sharing (dynamic-link shared (Sub Problems)
library, symbolic link, etc) has security and management • search path replacement attack
problems which come from the dynamic management. • GOT overwrite attack
• Dependency Hell

Idea : Static-link shared library and substantial copy can solve the problem, but they
require more memory and storage (problem1).

(solution1) Current virtual machines have
(problem2) Unfortunately, current applications
deduplication, which is a technique to share
are not easy to re-compile with static-link.
same-content chunks of virtual device
(memory and storage), reducing the total real
usage.
Memory Deduplication: VMware’s Content-Based Page (solution2) “pseudo-static” converter integrates
Sharing [SOSP’02], Xen’s Differential Engine [OSDI’08] and
Satori [USENIX’09], KVM’s KSM (Kernel Samepage
dynamic-link shared libraries into an ELF binary
Management) [LinuxSymp’09]. file. However, it requires more memory and
Storage Deduplication: Venti [FAST’02], HydraStar storage than static-link, because each ELF file
[FAST’09], LBCAS [LinuxSymp’09]
has same copy of libraries.
Pseudo-static converter: statifier, ermine, and autopackage on
Linux

(Goal) Deduplication (Physical Sharing) mitigates the redundancy caused by
“pseudo-static” converter. The combination increases security of an OS on a VM.
(Implementation and evaluation) Gentoo
Linux is customized by statifier on KVM
virtual machine with deduplication.
The storage image was increased 1.88 times
(7,075MB/3,754MB). It was mitigated by LBCAS
(16KB block storage deduplication) into 1.16 times
(4,352MB).
The memory usage at boot time was increased 2.64 times
(344.2MB/130.8MB) and it was mitigated by KSM
(4KB bock memory dedulicatoin) into 0.91times
(101.2MB).
Statifier prevents search path replacement attack and
Dependency Hell, because shared libraries are included. Effect of Memory Deduplication
GOT overwrite attack is mitigated because the table is * Details are presented at HotSec 2010.
prefixed and verified.

Más contenido relacionado

La actualidad más candente

Docker

Ramchandra Koty

The Xen Project uses a bespoke Continuous Integration system, osstest. This system has a number of unique architectural features that make it flexible and powerful. In this talk, I'll take you through some of these, such as: the distributed job scheduler; the standalone vs. infrastructure abstraction; and some of the more advanced command-line interfaces useful in infrastructure installations. Transcript: See https://schd.ws/hosted_files/xendeveloperanddesignsummit2017/2a/talk.txt

XPDDS17: Xen Test Lab: The Installation and Our Plans - Ian Jackson, Citrix

XPDDS17: Xen Test Lab: The Installation and Our Plans - Ian Jackson, Citrix

XPDDS17: Xen Test Lab: The Installation and Our Plans - Ian Jackson, Citrix

The Linux Foundation

Mastering KVM virtualization is a complete guide to understand KVM virtualization. Mastering KVM Virtualization is a culmination of all the knowledge we gained by troubleshooting, configuring and fixing bug on KVM virtualization. We authored this book for system administrators, DevOps practitioners and developers who have a good hands-on knowledge of Linux and would like to sharpen their skills of open source virtualization. The chapters in this book are written with a focus on practical examples that should help you deploy a robust virtualization environment, suiting your organization's needs. Our expectation is that, once you have finished the book, you should have a good understanding of KVM virtualization, its tools to build and manage diverse virtualization environments.

Mastering kvm virtualization- A complete guide of KVM virtualization

Mastering kvm virtualization- A complete guide of KVM virtualization

Mastering kvm virtualization- A complete guide of KVM virtualization

Humble Chirammal

2010 xen-lisa

The kvm virtualization way

The kvm virtualization way

The kvm virtualization way

Francisco Gonçalves

Openstorage with OpenStack, by Bradley

Openstorage with OpenStack, by Bradley

Openstorage with OpenStack, by Bradley

Unikernels and Cloud Computing

Unikernels and Cloud Computing

Unikernels and Cloud Computing

Virt-VSC

Kaushik Chakraborty

After a short introduction to the goals and approach of the Superfluidity EU research project, we discuss the Unikernels and their orchestration aspects. Unikernel technology allows to build tiny VMs with memory footprint in the order of hundreds of KBs and boot time in the order of milliseconds. We focus on ClickOS Unikernels. We have adapted 3 VIMs (OpenStack, Nomad, OpenVIM) to support ClickOS Unikernels and report a performance evaluation of the VM instantiation time. We have implemented a scenario that can combines Unikernels and regular VMs in the same Network Service or VNF extending OpenVIM.We describe how we have extended the ETSI NFV models and OpenVIM. In particular, we provide the details of the OpenVIM descriptor extensions to support Unikernels.

Extending ETSI VNF descriptors and OpenVIM to support Unikernels

Extending ETSI VNF descriptors and OpenVIM to support Unikernels

Extending ETSI VNF descriptors and OpenVIM to support Unikernels

Stefano Salsano

ISC Cloud 2013 - Cloud Architectures for HPC – Industry Case Studies

ISC Cloud 2013 - Cloud Architectures for HPC – Industry Case Studies

ISC Cloud 2013 - Cloud Architectures for HPC – Industry Case Studies

OpenNebula Project

Unikernel technology allows to build tiny VMs with memory footprint in the order of hundreds of KBs and boot time in the order of milliseconds. We consider the usage of Unikernels as Virtual Network Functions for NFV, in particular assuming discuss highly dynamic and distributed scenarios in which Unikernels need to be instantiated in few tens of milliseconds in a highly distributed infrastructures. We have patched existing VIMs (Virtual Infrastructure Managers) like OpenStack, OpenVIM and a lightweight orchestrator like Nomad in order to orchestrate ClickOs Unikernels and we measured the achieved performances. Finally we present a complete testbed for the orchestration of ClickOS Unikernels, based on the enhancement of OpenVIM and of XEN. The proposed enhancements are Open Source.

Deploying of Unikernels in the NFV Infrastructure

Deploying of Unikernels in the NFV Infrastructure

Deploying of Unikernels in the NFV Infrastructure

Stefano Salsano

Docker: under the hood

Docker: under the hood

Docker: under the hood

Understanding LXC & Docker

Understanding LXC & Docker

Understanding LXC & Docker

Comprinno Technologies

Cloud expo 2015

Cloud expo 2015

Cloud expo 2015

Aaron Brongersma

The OpenEBS project has taken a different approach to storage when it comes to containers. Instead of using existing storage systems and making them work with containers; what if you were to redesign something from scratch using the same paradigms used in the container world? This resulted in the effort of containerizing the storage controller. Also, as applications that consume storage are changing over, do we need a scale-out distributed storage systems?

Container Attached Storage (CAS) with OpenEBS - Berlin Kubernetes Meetup - Ma...

Container Attached Storage (CAS) with OpenEBS - Berlin Kubernetes Meetup - Ma...

Container Attached Storage (CAS) with OpenEBS - Berlin Kubernetes Meetup - Ma...

Getting started with containerized delivery on the Microsoft stack

Getting started with containerized delivery on the Microsoft stack

Getting started with containerized delivery on the Microsoft stack

Cloud computing

Cloud computing

Cloud computing

Prily Rizky Arisandi

Released as Open Source Software (OSS) in June 2014, OpenXT is a collection of hardened Linux VMs configured to provide a user facing Xen platform for client devices. This default configuration was mostly static, applying some disaggregation techniques to segregate system components based on a general threat analysis. The goals embodied in this code base up to its release produced a one-size-fits-most configuration with extensibility in specific areas to encapsulate 3rd party value-add. With a community now forming around OpenXT we must come to terms with the limitations of the this approach. In this talk Philip will define what OpenXT is and in this definition, show that OpenXT can meet the varied needs of the security and virtualization community through the construction of a toolkit for the configurable disaggregation of a Xen platform.

XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform...

XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform...

XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform...

The Linux Foundation

Openstack vm live migration

Openstack vm live migration

Openstack vm live migration

La actualidad más candente (19)

Docker

XPDDS17: Xen Test Lab: The Installation and Our Plans - Ian Jackson, Citrix

XPDDS17: Xen Test Lab: The Installation and Our Plans - Ian Jackson, Citrix

XPDDS17: Xen Test Lab: The Installation and Our Plans - Ian Jackson, Citrix

Mastering kvm virtualization- A complete guide of KVM virtualization

Mastering kvm virtualization- A complete guide of KVM virtualization

Mastering kvm virtualization- A complete guide of KVM virtualization

2010 xen-lisa

The kvm virtualization way

The kvm virtualization way

The kvm virtualization way

Openstorage with OpenStack, by Bradley

Openstorage with OpenStack, by Bradley

Openstorage with OpenStack, by Bradley

Unikernels and Cloud Computing

Unikernels and Cloud Computing

Unikernels and Cloud Computing

Virt-VSC

Extending ETSI VNF descriptors and OpenVIM to support Unikernels

Extending ETSI VNF descriptors and OpenVIM to support Unikernels

Extending ETSI VNF descriptors and OpenVIM to support Unikernels

ISC Cloud 2013 - Cloud Architectures for HPC – Industry Case Studies

ISC Cloud 2013 - Cloud Architectures for HPC – Industry Case Studies

ISC Cloud 2013 - Cloud Architectures for HPC – Industry Case Studies

Deploying of Unikernels in the NFV Infrastructure

Deploying of Unikernels in the NFV Infrastructure

Deploying of Unikernels in the NFV Infrastructure

Docker: under the hood

Docker: under the hood

Docker: under the hood

Understanding LXC & Docker

Understanding LXC & Docker

Understanding LXC & Docker

Cloud expo 2015

Cloud expo 2015

Cloud expo 2015

Container Attached Storage (CAS) with OpenEBS - Berlin Kubernetes Meetup - Ma...

Container Attached Storage (CAS) with OpenEBS - Berlin Kubernetes Meetup - Ma...

Container Attached Storage (CAS) with OpenEBS - Berlin Kubernetes Meetup - Ma...

Getting started with containerized delivery on the Microsoft stack

Getting started with containerized delivery on the Microsoft stack

Getting started with containerized delivery on the Microsoft stack

Cloud computing

Cloud computing

Cloud computing

XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform...

XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform...

XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform...

Openstack vm live migration

Openstack vm live migration

Openstack vm live migration

Similar a Usenix security10-poster-suzaki

Hot sec10 slide-suzaki

Hot sec10 slide-suzaki

Hot sec10 slide-suzaki

Kuniyasu Suzaki

Hyper v r2 deep dive

Hyper v r2 deep dive

Hyper v r2 deep dive

Concentrated Technology

Design and implementation of a reliable and cost-effective cloud computing in...

Design and implementation of a reliable and cost-effective cloud computing in...

Design and implementation of a reliable and cost-effective cloud computing in...

Francesco Taurino

This slides were presented at the 24th International Symposium on High-Performance Parallel and Distributed Computing (HPDC '15) Performance isolation is emerging as a requirement for High Performance Computing (HPC) applications, particularly as HPC architectures turn to in situ data processing and application composition techniques to increase system throughput. These approaches require the co-location of disparate workloads on the same compute node, each with different resource and runtime requirements. In this paper we claim that these workloads cannot be effectively managed by a single Operating System/Runtime (OS/R). Therefore, we present Pisces, a system software architecture that enables the co-existence of multiple independent and fully isolated OS/Rs, or enclaves, that can be customized to address the disparate requirements of next generation HPC workloads. Each enclave consists of a specialized lightweight OS co-kernel and runtime, which is capable of independently managing partitions of dynamically assigned hardware resources. Contrary to other co-kernel approaches, in this work we consider performance isolation to be a primary requirement and present a novel co-kernel architecture to achieve this goal. We further present a set of design requirements necessary to ensure performance isolation, including: (1) elimination of cross OS dependencies, (2) internalized management of I/O, (3) limiting cross enclave communication to explicit shared memory channels, and (4) using virtualization techniques to provide missing OS features. The implementation of the Pisces co-kernel architecture is based on the Kitten Lightweight Kernel and Palacios Virtual Machine Monitor, two system software architectures designed specifically for HPC systems. Finally we will show that lightweight isolated co-kernels can provide better performance for HPC applications, and that isolated virtual machines are even capable of outperforming native environments in the presence of competing workloads.

Achieving Performance Isolation with Lightweight Co-Kernels

Achieving Performance Isolation with Lightweight Co-Kernels

Achieving Performance Isolation with Lightweight Co-Kernels

Jiannan Ouyang, PhD

Linux Kernel Library - Reusing Monolithic Kernel

Linux Kernel Library - Reusing Monolithic Kernel

Linux Kernel Library - Reusing Monolithic Kernel

Updates

Isa Ansharullah

Updates

Isa Ansharullah

Vmreport

Virtualization And Disk Performance

Virtualization And Disk Performance

Virtualization And Disk Performance

Registry

How many total bits are required for a direct-mapped cache with 2048 entries each holding an 8 word (of 32 bits or 4 bytes) block, assuming a 32-bit address? Discuss with the help of a diagram the logic to check a hit or miss (that is, presence or absence) of a required memory block in the cache described in 1(a), and access a specific word of the block in case of a hit. Label all the fields in a cache word. What is virtual memory? What is the fundamental difference between the memory hierarehy of Q.1 (a) and this one? Explain how briefly how it helps multiple users share the limited memory, and still get the illusion of using a dedicated resource? Solution 2. (a) Virtual Memory: In computing,virtual memoryis a memory management technique that is implemented using both hardware and software. It mapsmemory addresses used by a program, calledvirtual addresses, intophysical addressesin computer memory. Main storage as seen by a process or task appears as a contiguous address space or collection of contiguous segments. The operating system manages virtual address spaces and the assignment of real memory to virtual memory. Address translation hardware in the CPU, often referred to as a memory management unit orMMU, automatically translates virtual addresses to physical addresses. Software within the operating system may extend these capabilities to provide a virtual address space that can exceed the capacity of real memory and thus reference more memory than is physically present in the computer.The primary benefits of virtual memory include freeing applications from having to manage a shared memory space, increased security due to memory isolation, and being able to conceptually use more memory than might be physically available, using the technique of paging. Virtual memory makes application programming easier by hiding fragmentation of physical memory; by delegating to the kernel the burden of managing the memory hierarchy(eliminating the need for the program to handle overlays explicitly); and, when each process is run in its own dedicated address space, by obviating the need to relocate program code or to access memory with relative addressing. Memory virtualization can be considered a generalization of the concept of virtual memory. Virtual memory is an integral part of a modern computer architecture; implementations require hardware support, typically in the form of a memory management unit built into theCPU. While not necessary, emulators and virtual machines can employ hardware support to increase performance of their virtual memory implementations. Consequently, older operating systems, such as those for the mainframes of the 1960s, and those for personal computers of the early to mid-1980s (e.g. DOS), generally have no virtual memory functionality, though notable exceptions for mainframes of the 1960s include: and the operating system for the Apple Lisa is an example of a personal computer operating system of the 1980s that features vir.

How many total bits are required for a direct-mapped cache with 2048 .pdf

How many total bits are required for a direct-mapped cache with 2048 .pdf

How many total bits are required for a direct-mapped cache with 2048 .pdf

Eye2eyeopticians10

The building blocks of docker.

The building blocks of docker.

The building blocks of docker.

Chafik Belhaoues

How swift is your Swift - SD.pptx

How swift is your Swift - SD.pptx

How swift is your Swift - SD.pptx

OpenStack Foundation

Disco: Running Commodity Operating Systems on Scalable Multiprocessors Disco

Disco: Running Commodity Operating Systems on Scalable Multiprocessors Disco

Disco: Running Commodity Operating Systems on Scalable Multiprocessors Disco

Have you heard that all in-memory databases are equally fast but unreliable, inconsistent and expensive? This session highlights in-memory technology that busts all those myths. Redis, the fastest database on the planet, is not a simply in-memory key-value data-store; but rather a rich in-memory data-structure engine that serves the world’s most popular apps. Redis Labs’ unique clustering technology enables Redis to be highly reliable, keeping every data byte intact despite hundreds of cloud instance failures and dozens of complete data-center outages. It delivers full CP system characteristics at high performance. And with the latest Redis on Flash technology, Redis Labs achieves close to in-memory performance at 70% lower operational costs. Learn about the best uses of in-memory computing to accelerate everyday applications such as high volume transactions, real time analytics, IoT data ingestion and more.

IMCSummit 2015 - Day 2 IT Business Track - 4 Myths about In-Memory Databases ...

IMCSummit 2015 - Day 2 IT Business Track - 4 Myths about In-Memory Databases ...

IMCSummit 2015 - Day 2 IT Business Track - 4 Myths about In-Memory Databases ...

In-Memory Computing Summit

Virtualization Changes Storage

Virtualization Changes Storage

Virtualization Changes Storage

Stephen Foskett

EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...

EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...

EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...

Kuniyasu Suzaki

Making clouds: turning opennebula into a product

Making clouds: turning opennebula into a product

Making clouds: turning opennebula into a product

What does it takes to bring innovations like private clouds to small and medium enterprises? In the course of this talk we will present our experience in creating a self-service toolkit for creating a complete virtualization and cloud platform based on OpenNebula, as well as our experience gathered in tens of installations of all sizes. From scalable storage (with benchmarks!) to autonomic optimization, we will present what in our view is needed to bring private clouds to everyone, what components and additions we created to better solve our customers’ problems (from replacing industrial control systems to medium scale virtual desktop infrastructures), and why OpenNebula has been chosen over other competing cloud toolkits.

Making Clouds: Turning OpenNebula into a Product

Making Clouds: Turning OpenNebula into a Product

Making Clouds: Turning OpenNebula into a Product

What does it takes to bring innovations like private clouds to small and medium enterprises? In the course of this talk we will present our experience in creating a self-service toolkit for creating a complete virtualization and cloud platform based on OpenNebula, as well as our experience gathered in tens of installations of all sizes. From scalable storage (with benchmarks!) to autonomic optimization, we will present what in our view is needed to bring private clouds to everyone, what components and additions we created to better solve our customers’ problems (from replacing industrial control systems to medium scale virtual desktop infrastructures), and why OpenNebula has been chosen over other competing cloud toolkits. Bio: Carlo Daffara the Technical director of Cloudweavers, and formerly head of research and development at Conecta, a consulting firm specializing in open source systems and distributed computing; Italian member of the European Working Group on Libre Software and co-coordinator of the working group on SMEs of the EU ICT task force on competitiveness. Since 1999, works as evaluator for IST programme submissions in the field of component-based software engineering, GRIDs and international cooperation. Coordinator of the open source platforms technical area of the IEEE technical committee on scalable computing, co-chair of the SIENA EU cloud initiative roadmap editorial board and part of the editorial review board of the International Journal of Open Source Software & Processes (IJOSSP).

OpenNebulaConf 2013 - Making Clouds: Turning OpenNebula into a Product by Car...

OpenNebulaConf 2013 - Making Clouds: Turning OpenNebula into a Product by Car...

OpenNebulaConf 2013 - Making Clouds: Turning OpenNebula into a Product by Car...

OpenNebula Project

Similar a Usenix security10-poster-suzaki (20)

Hot sec10 slide-suzaki

Hot sec10 slide-suzaki

Hot sec10 slide-suzaki

Hyper v r2 deep dive

Hyper v r2 deep dive

Hyper v r2 deep dive

Design and implementation of a reliable and cost-effective cloud computing in...

Design and implementation of a reliable and cost-effective cloud computing in...

Design and implementation of a reliable and cost-effective cloud computing in...

Achieving Performance Isolation with Lightweight Co-Kernels

Achieving Performance Isolation with Lightweight Co-Kernels

Achieving Performance Isolation with Lightweight Co-Kernels

Linux Kernel Library - Reusing Monolithic Kernel

Linux Kernel Library - Reusing Monolithic Kernel

Linux Kernel Library - Reusing Monolithic Kernel

Updates

Updates

Vmreport

Virtualization And Disk Performance

Virtualization And Disk Performance

Virtualization And Disk Performance

Registry

How many total bits are required for a direct-mapped cache with 2048 .pdf

How many total bits are required for a direct-mapped cache with 2048 .pdf

How many total bits are required for a direct-mapped cache with 2048 .pdf

The building blocks of docker.

The building blocks of docker.

The building blocks of docker.

How swift is your Swift - SD.pptx

How swift is your Swift - SD.pptx

How swift is your Swift - SD.pptx

Disco: Running Commodity Operating Systems on Scalable Multiprocessors Disco

Disco: Running Commodity Operating Systems on Scalable Multiprocessors Disco

Disco: Running Commodity Operating Systems on Scalable Multiprocessors Disco

IMCSummit 2015 - Day 2 IT Business Track - 4 Myths about In-Memory Databases ...

IMCSummit 2015 - Day 2 IT Business Track - 4 Myths about In-Memory Databases ...

IMCSummit 2015 - Day 2 IT Business Track - 4 Myths about In-Memory Databases ...

Virtualization Changes Storage

Virtualization Changes Storage

Virtualization Changes Storage

EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...

EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...

EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...

Making clouds: turning opennebula into a product

Making clouds: turning opennebula into a product

Making clouds: turning opennebula into a product

Making Clouds: Turning OpenNebula into a Product

Making Clouds: Turning OpenNebula into a Product

Making Clouds: Turning OpenNebula into a Product

OpenNebulaConf 2013 - Making Clouds: Turning OpenNebula into a Product by Car...

OpenNebulaConf 2013 - Making Clouds: Turning OpenNebula into a Product by Car...

OpenNebulaConf 2013 - Making Clouds: Turning OpenNebula into a Product by Car...

Más de Kuniyasu Suzaki

RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)

RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)

RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)

Kuniyasu Suzaki

遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS）

遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS）

遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS）

Kuniyasu Suzaki

IETF111 RATS: Remote Attestation ProcedureS 報告

IETF111 RATS: Remote Attestation ProcedureS 報告

IETF111 RATS: Remote Attestation ProcedureS 報告

Kuniyasu Suzaki

第20回情報科学技術フォーラム（FIT2021）のトップカンファレンスセッション、ソフトウェアシステム(8/26（木）9:30-12:00)に発表した「Reboot-Oriented IoT: 廃棄可能なIoTデバイスにするためのTEE内ライフサイクル管理」のスライドです。元ネタはACSAC2021のReboot-Oriented IoT: Life Cycle Management in Trusted Execution Environment for Disposable IoT devices です。採択過程でRejectの歴史やConditional Accpetの対処を話しました。

Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)

Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)

Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)

Kuniyasu Suzaki

ACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki

ACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki

ACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki

Kuniyasu Suzaki

第32回コンピュータシステム・シンポジウム（ComSys2020）招待講演で使ったスライドです。TEE(Trusted Execution Environment)のハードウェア実装(Arm TrustZone, Intel SGX, RISC-V Keystone)の解説から、それぞれのTEE上のソフトウェア実装が多く異なる話、仮想化(Arm v8.4AでのTEE内仮想化、Intel TDX: Trusted Domain Extensions、AMD SEV: Secure Encrypted Virtualization)が導入されてくる話をしました。また、TEEに対するアンチテーゼの研究や関連規格などを紹介しました。

TEE (Trusted Execution Environment)は第二の仮想化技術になるか？

TEE (Trusted Execution Environment)は第二の仮想化技術になるか？

TEE (Trusted Execution Environment)は第二の仮想化技術になるか？

Kuniyasu Suzaki

3種類のTEE比較（Intel SGX, ARM TrustZone, RISC-V Keystone）

3種類のTEE比較（Intel SGX, ARM TrustZone, RISC-V Keystone）

3種類のTEE比較（Intel SGX, ARM TrustZone, RISC-V Keystone）

Kuniyasu Suzaki

Hardware-assisted Isolated Execution Environment to run trusted OS and applic...

Hardware-assisted Isolated Execution Environment to run trusted OS and applic...

Hardware-assisted Isolated Execution Environment to run trusted OS and applic...

Kuniyasu Suzaki

RISC-V-Day-Tokyo2018-suzaki

RISC-V-Day-Tokyo2018-suzaki

RISC-V-Day-Tokyo2018-suzaki

Kuniyasu Suzaki

BMC: Bare Metal Container ＠Open Source Summit Japan 2017

BMC: Bare Metal Container ＠Open Source Summit Japan 2017

BMC: Bare Metal Container ＠Open Source Summit Japan 2017

Kuniyasu Suzaki

USENIX NSDI17 Memory Disaggregation

USENIX NSDI17 Memory Disaggregation

USENIX NSDI17 Memory Disaggregation

Kuniyasu Suzaki

Io t security-suzki-20170224

Io t security-suzki-20170224

Io t security-suzki-20170224

Kuniyasu Suzaki

”Bare-Metal Container" presented at HPCC2016

”Bare-Metal Container" presented at HPCC2016

”Bare-Metal Container" presented at HPCC2016

Kuniyasu Suzaki

Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...

Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...

Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...

Kuniyasu Suzaki

Report for S4x14 (SCADA Security Scientific Symposium 2014)

Report for S4x14 (SCADA Security Scientific Symposium 2014)

Report for S4x14 (SCADA Security Scientific Symposium 2014)

Kuniyasu Suzaki

Slide used at ACM-SAC 2014 by Suzaki

Slide used at ACM-SAC 2014 by Suzaki

Slide used at ACM-SAC 2014 by Suzaki

Kuniyasu Suzaki

OSセキュリティチュートリアル

OSセキュリティチュートリアル

OSセキュリティチュートリアル

Kuniyasu Suzaki

Nested Virtual Machines and　Proxies

Nested Virtual Machines and　Proxies

Nested Virtual Machines and　Proxies

Kuniyasu Suzaki

Bitvisorをベースとした既存Windowsのドライバメモリ保護

Bitvisorをベースとした既存Windowsのドライバメモリ保護

Bitvisorをベースとした既存Windowsのドライバメモリ保護

Kuniyasu Suzaki

Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)

Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)

Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)

Kuniyasu Suzaki

Más de Kuniyasu Suzaki (20)

RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)

RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)

RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)

遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS）

遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS）

遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS）

IETF111 RATS: Remote Attestation ProcedureS 報告

IETF111 RATS: Remote Attestation ProcedureS 報告

IETF111 RATS: Remote Attestation ProcedureS 報告

Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)

Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)

Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)

ACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki

ACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki

ACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki

TEE (Trusted Execution Environment)は第二の仮想化技術になるか？

TEE (Trusted Execution Environment)は第二の仮想化技術になるか？

TEE (Trusted Execution Environment)は第二の仮想化技術になるか？

3種類のTEE比較（Intel SGX, ARM TrustZone, RISC-V Keystone）

3種類のTEE比較（Intel SGX, ARM TrustZone, RISC-V Keystone）

3種類のTEE比較（Intel SGX, ARM TrustZone, RISC-V Keystone）

Hardware-assisted Isolated Execution Environment to run trusted OS and applic...

Hardware-assisted Isolated Execution Environment to run trusted OS and applic...

Hardware-assisted Isolated Execution Environment to run trusted OS and applic...

RISC-V-Day-Tokyo2018-suzaki

RISC-V-Day-Tokyo2018-suzaki

RISC-V-Day-Tokyo2018-suzaki

BMC: Bare Metal Container ＠Open Source Summit Japan 2017

BMC: Bare Metal Container ＠Open Source Summit Japan 2017

BMC: Bare Metal Container ＠Open Source Summit Japan 2017

USENIX NSDI17 Memory Disaggregation

USENIX NSDI17 Memory Disaggregation

USENIX NSDI17 Memory Disaggregation

Io t security-suzki-20170224

Io t security-suzki-20170224

Io t security-suzki-20170224

”Bare-Metal Container" presented at HPCC2016

”Bare-Metal Container" presented at HPCC2016

”Bare-Metal Container" presented at HPCC2016

Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...

Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...

Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...

Report for S4x14 (SCADA Security Scientific Symposium 2014)

Report for S4x14 (SCADA Security Scientific Symposium 2014)

Report for S4x14 (SCADA Security Scientific Symposium 2014)

Slide used at ACM-SAC 2014 by Suzaki

Slide used at ACM-SAC 2014 by Suzaki

Slide used at ACM-SAC 2014 by Suzaki

OSセキュリティチュートリアル

OSセキュリティチュートリアル

OSセキュリティチュートリアル

Nested Virtual Machines and　Proxies

Nested Virtual Machines and　Proxies

Nested Virtual Machines and　Proxies

Bitvisorをベースとした既存Windowsのドライバメモリ保護

Bitvisorをベースとした既存Windowsのドライバメモリ保護

Bitvisorをベースとした既存Windowsのドライバメモリ保護

Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)

Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)

Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)

Último

[BuildWithAI] Introduction to Gemini.pdf

[BuildWithAI] Introduction to Gemini.pdf

[BuildWithAI] Introduction to Gemini.pdf

In the thrilling conclusion to 2023, ransomware groups had a banner year, really outdoing themselves in the "make everyone's life miserable" department. LockBit 3.0 took gold in the hacking olympics, followed by the plucky upstarts Clop and ALPHV/BlackCat. Apparently, 48% of organizations were feeling left out and decided to get in on the cyber attack action. Business services won the "most likely to get digitally mugged" award, with education and retail nipping at their heels. Hackers expanded their repertoire beyond boring old encryption to the much more exciting world of extortion. The US, UK and Canada took top honors in the "countries most likely to pay up" category. Bitcoins were the currency of choice for discerning hackers, because who doesn't love untraceable money?

Ransomware_Q4_2023. The report. [EN].pdf

Ransomware_Q4_2023. The report. [EN].pdf

Ransomware_Q4_2023. The report. [EN].pdf

Overkill Security

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

Exploring the Future Potential of AI-Enabled Smartphone Processors

Exploring the Future Potential of AI-Enabled Smartphone Processors

Keynote 2: APIs in 2030: The Risk of Technological Sleepwalk Paolo Malinverno, Growth Advisor - The Business of Technology Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

Dubai, known for its towering skyscrapers, luxurious lifestyle, and relentless pursuit of innovation, often finds itself in the global spotlight. However, amidst the glitz and glamour, the emirate faces its own set of challenges, including the occasional threat of flooding. In recent years, Dubai has experienced sporadic but significant floods, disrupting normalcy and posing unique challenges to its infrastructure. Among the critical nodes in this bustling metropolis is the Dubai International Airport, a vital hub connecting the world. This article delves into the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

DBX First Quarter 2024 Investor Presentation

DBX First Quarter 2024 Investor Presentation

DBX First Quarter 2024 Investor Presentation

💥 You’re lucky! We’ve found two different (lead) developers that are willing to share their valuable lessons learned about using UiPath Document Understanding! Based on recent implementations in appealing use cases at Partou and SPIE. Don’t expect fancy videos or slide decks, but real and practical experiences that will help you with your own implementations. 📕 Topics that will be addressed: • Training the ML-model by humans: do or don't? • Rule-based versus AI extractors • Tips for finding use cases • How to start 👨‍🏫👨‍💻 Speakers: o Dion Morskieft, RPA Product Owner @Partou o Jack Klein-Schiphorst, Automation Developer @Tacstone Technology

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

UiPathCommunity

Boost Fertility New Invention Ups Success Rates.pdf

Boost Fertility New Invention Ups Success Rates.pdf

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

Passkeys: Developing APIs to enable passwordless authentication Cody Salas, Sr Developer Advocate | Solutions Architect - Yubico Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

The action of the next cyber saga takes place in the mystical lands of the Asia-Pacific region, where the main characters began their digital activities in the middle of 2021 and qualitatively strengthened it in 2022. Corporate espionage, document theft, audio recordings, and data leaks from messaging platforms were all a matter of one day for Dark Pink. Their geographical focus may have started in the Asia-Pacific region, but their ambitions knew no bounds, targeting a European government ministry in a bold move to expand their portfolio. Their victim profile was as diverse as a UN meeting, targeting military organizations, government agencies, and even a religious organization. Because discrimination is not a fashionable agenda. In the world of cybercrime, they serve as a reminder that sometimes the most serious threats come in the most unassuming packages with a pink bow.

Cyberprint. Dark Pink Apt Group [EN].pdf

Cyberprint. Dark Pink Apt Group [EN].pdf

Cyberprint. Dark Pink Apt Group [EN].pdf

Overkill Security

When you’re building (micro)services, you have lots of framework options. Spring Boot is no doubt a popular choice. But there’s more! Take Quarkus, a framework that’s considered the rising star for Kubernetes-native Java. It always depends on what's best for your situation, but how to choose the best solution if you're comparing 2 frameworks? Both Spring Boot and Quarkus have their positives and negatives. Let us compare the two by live coding a couple of common use cases in Spring Boot and Quarkus. After this talk, you’ll be ready to get started with Quarkus yourself, and know when to select Quarkus or Spring Boot.

Spring Boot vs Quarkus the ultimate battle - DevoxxUK

Spring Boot vs Quarkus the ultimate battle - DevoxxUK

Spring Boot vs Quarkus the ultimate battle - DevoxxUK

Following the popularity of “Cloud Revolution: Exploring the New Wave of Serverless Spatial Data,” we’re thrilled to announce this much-anticipated encore webinar. In this sequel, we’ll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you’re building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Manulife - Insurer Transformation Award 2024

Manulife - Insurer Transformation Award 2024

Manulife - Insurer Transformation Award 2024

The Digital Insurer

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Accelerating FinTech Innovation: Unleashing API Economy and GenAI Vasa Krishnan, Chief Technology Officer - FinResults Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

Angeliki Cooney has spent over twenty years at the forefront of the life sciences industry, working out of Wynantskill, NY. She is highly regarded for her dedication to advancing the development and accessibility of innovative treatments for chronic diseases, rare disorders, and cancer. Her professional journey has centered on strategic consulting for biopharmaceutical companies, facilitating digital transformation, enhancing omnichannel engagement, and refining strategic commercial practices. Angeliki's innovative contributions include pioneering several software-as-a-service (SaaS) products for the life sciences sector, earning her three patents. As the Senior Vice President of Life Sciences at Avenga, Angeliki orchestrated the firm's strategic entry into the U.S. market. Avenga, a renowned digital engineering and consulting firm, partners with significant entities in the pharmaceutical and biotechnology fields. Her leadership was instrumental in expanding Avenga's client base and establishing its presence in the competitive U.S. market.

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

Angeliki Cooney

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

How to Troubleshoot Apps for the Modern Connected Worker

How to Troubleshoot Apps for the Modern Connected Worker

How to Troubleshoot Apps for the Modern Connected Worker

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Último (20)

[BuildWithAI] Introduction to Gemini.pdf

[BuildWithAI] Introduction to Gemini.pdf

[BuildWithAI] Introduction to Gemini.pdf

Ransomware_Q4_2023. The report. [EN].pdf

Ransomware_Q4_2023. The report. [EN].pdf

Ransomware_Q4_2023. The report. [EN].pdf

Exploring the Future Potential of AI-Enabled Smartphone Processors

Exploring the Future Potential of AI-Enabled Smartphone Processors

Exploring the Future Potential of AI-Enabled Smartphone Processors

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

DBX First Quarter 2024 Investor Presentation

DBX First Quarter 2024 Investor Presentation

DBX First Quarter 2024 Investor Presentation

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

Boost Fertility New Invention Ups Success Rates.pdf

Boost Fertility New Invention Ups Success Rates.pdf

Boost Fertility New Invention Ups Success Rates.pdf

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

Cyberprint. Dark Pink Apt Group [EN].pdf

Cyberprint. Dark Pink Apt Group [EN].pdf

Cyberprint. Dark Pink Apt Group [EN].pdf

Spring Boot vs Quarkus the ultimate battle - DevoxxUK

Spring Boot vs Quarkus the ultimate battle - DevoxxUK

Spring Boot vs Quarkus the ultimate battle - DevoxxUK

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Manulife - Insurer Transformation Award 2024

Manulife - Insurer Transformation Award 2024

Manulife - Insurer Transformation Award 2024

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

How to Troubleshoot Apps for the Modern Connected Worker

How to Troubleshoot Apps for the Modern Connected Worker

How to Troubleshoot Apps for the Modern Connected Worker

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Usenix security10-poster-suzaki

1. Moving from Logical Sharing of Guest OS to Physical Sharing of Deduplication on Virtual Machine* Kuniyasu Suzaki† Toshiki Yagi† Kengo Iijima† Nguyen Anh Quynh† Cyrille Artho† Yoshihito Watanebe‡ † National Institute of Advanced Industrial Science and Technology ‡ Alpha Systems Inc. Main Problem: Logical Sharing (dynamic-link shared (Sub Problems) library, symbolic link, etc) has security and management • search path replacement attack problems which come from the dynamic management. • GOT overwrite attack • Dependency Hell Idea : Static-link shared library and substantial copy can solve the problem, but they require more memory and storage (problem1). (solution1) Current virtual machines have (problem2) Unfortunately, current applications deduplication, which is a technique to share are not easy to re-compile with static-link. same-content chunks of virtual device (memory and storage), reducing the total real usage. Memory Deduplication: VMware’s Content-Based Page (solution2) “pseudo-static” converter integrates Sharing [SOSP’02], Xen’s Differential Engine [OSDI’08] and Satori [USENIX’09], KVM’s KSM (Kernel Samepage dynamic-link shared libraries into an ELF binary Management) [LinuxSymp’09]. file. However, it requires more memory and Storage Deduplication: Venti [FAST’02], HydraStar storage than static-link, because each ELF file [FAST’09], LBCAS [LinuxSymp’09] has same copy of libraries. Pseudo-static converter: statifier, ermine, and autopackage on Linux (Goal) Deduplication (Physical Sharing) mitigates the redundancy caused by “pseudo-static” converter. The combination increases security of an OS on a VM. (Implementation and evaluation) Gentoo Linux is customized by statifier on KVM virtual machine with deduplication. The storage image was increased 1.88 times (7,075MB/3,754MB). It was mitigated by LBCAS (16KB block storage deduplication) into 1.16 times (4,352MB). The memory usage at boot time was increased 2.64 times (344.2MB/130.8MB) and it was mitigated by KSM (4KB bock memory dedulicatoin) into 0.91times (101.2MB). Statifier prevents search path replacement attack and Dependency Hell, because shared libraries are included. Effect of Memory Deduplication GOT overwrite attack is mitigated because the table is * Details are presented at HotSec 2010. prefixed and verified.