SlideShare a Scribd company logo

LinuxCon Japan 2010 suzaki

Kuniyasu Suzaki
Kuniyasu Suzaki

Titie: Rethink Package Components on De-Duplication: From Logical Sharing to Physical Sharing URL: http://events.linuxfoundation.org/2010/linuxcon-japan/suzaki Abstract: inux distributions include many logical sharing techniques (shared library, symbolic link, etc) on memory and storage. Unfortunately they cause security and management problems, such as GOT (Global Offset Table) overwrite attack, TOCTTOU (Time Of Check To Time Of Use) attack, Dependency hell, etc. In order to mitigate the problems, we propose the replacement of logical sharing by physical sharing (memory and disk deduplication; e.g., KSM: Kernel Samepage Merging, Content Addressable Storage, etc). Original ELF binaries are transformed as self-contained binaries which include dynamic linked shared libraries as “pseudo-static”. The binaries become fat but physical resource usage is mitigated by deduplication. We have investigated the effect on Debian and Ubuntu and confirmed that the physical impact is low. Data centers of Cloud Computing utilize the deduplication techniques. Users and administrators should consider Linux images in terms of security and maintenance, and the usage of deduplicated fat binaries.

Technology
1 of 24
Download to read offline
Rethink Package Components on De-Duplication: From Logical Sharing to Physical Sharing Leaflet is wrong Kuniyashu Kuniyasu Suzaki, T hiki Y i K K i h K i S ki Toshiki Yagi, Kengo Iiji Iijima, N Nguyen Anh Quynh, C ill A h A hQ h Cyrille Artho Research Center of Information Security National Institute of Advanced Industrial Science and Technology & Yoshihito Watanebe Alpha Systems Inc.
Contents • Rethink Package Components • Vulnerability of logical sharing (Dynamic-Link Shared Library and Symbolic Link) • Propose replacement of logical sharing by physical sharing – Physical sharing • Deduplication on Memory and Storage – Self-contained binary • It is NOT static-Link binary. • Experimental results • Conclusions with discussing topics
Rethink Package Components • Current Packages depend on Logical Sharing • Logical sharing is OS technique to reduce consumption of memory and storage. – “Dynamic-Link Shared Library” for memory and storage – “Symbolic Link” for storage Symbolic Link • Unfortunately, they include vulnerability caused by dynamic management. – Search Path Replacement Attack – GOT (Global Offset Table) overwrite attack – Dependency Hell – Etc.
Search Path Replacement Attack • Dynamic-link searches a shared library at run time using a search path. – Search path is defined by environment variables. • Example: “LD_LIBRARY_PATH” – It allows us to change shared libraries for each process. • Unfortunately, the search path is easily replaced by an attacker and leads to malicious shared libraries. – Caller program has no methods to certify libraries. • Static-link solves this problem but it wastes memory and storage.
GOT Overwrite Attack • ELF format has GOT (Global Offset Table) to locate position-independent function address of shared library. The value of GOT is assigned at run time. – GOT is created on Data Segment and vulnerable for overwrite attack. • Static link solves this problem but it wastes memory and storage. Program Library Call Routine Code Code Segment Segment PLT PLT Data Data GOT GOT Segment Segment Attack
Dependency Hell (DLL Hell in Windows) • Dependency Hell is a management problem of shared libraries. – Package manager maintains versions of libraries. However, the version mismatch may occur, when a user updates a library without package manager. • D Dependency H ll i escalated b symbolic-link, b d Hell is l t d by b li li k because most shared libraries use symbolic-link to manage minor updates. – /lib/libc.so.6 -> libc-2.10.1.so – # ln –s libc-2.11.1.so libc.so.6 • Static link solves this problem but it wastes memory and storage.
Solution, and further problems • The problems are solved by static-link, but it increases consumption of memory and storage. – Fortunately, the increased consumption is mitigated by new technique, deduplication. – SLINY[USENIX’05] developed deduplication in Linux kernel. – It looks the problems are solved … • Two trends – Current applications assume dynamic-link and are not re-compiled as static-link easily . – Current virtualization offers us deduplication. • SLINKY uses special Linux kernel. It is not applied on any Linux. • Using virtualization, guest OS only has to solve the security problems without regard to physical consumption.
Static-Link is not easy [BIG Problem] • Current applications depend on dynamic-link shared libraries for flexibility and avoiding license contamination. – Some Licenses conflict and the code can not be mixed. – Static link is not created with compile option, because dlopen() which calls shared library explicitly is used in main source codes. • glibc, l b l b libX11, openssl, gcc, glib, pam… Difficult to remove! l lb iffi l ! • We tried to re-compile /bin, /sbin, /usr/bin, and /usr/sbin dynamic-linked binaries (1,162) with static-link on Gentoo. – 185 (15.9%) binaries are re-compiled with static-link. • Binary packages make it difficult to re-compile, because they are not easy to get all source code. – Commercial applications make problem more difficult.
Self-Contained Binaries • Self-contained binary translator • It is developed to bring a binary to another machine. • It integrates shared libraries into an ELF binary file. – Tools • Statifier, Autopacage, Ermine for Linux – Advantage • Prevent Search Path Replacement Attack and Dependency Hell, because it integrates all libraries. • Mitigate GOT Overwrite Attack, because the addresses are prefixed for each execution. – Disadvantage • Consume more memory and storage than static-link
Min: /usr/bin/qmake Max: /usr/bin/gnome-open (3,426,340 -> 6,094,848 (x1.78) ) (5,400 -> 8,732,672 (x1617.16)) 6 shared libraries 22shared libraries # ldd /usr/bin/qmake # ldd /usr/bin/gnome-open linux-gate.so.1 => (0xb78d5000) l inux-gate.so.1 => (0xb772d000) libstdc++.so.6 => /usr/lib/gcc/i686-pc-linux-gnu/ libgnome-2.so.0 => /usr/lib/libgnome-2.so.0 (0xb7709000) 4.3.4/libstdc++.so.6 (0xb77da000) libgnomevfs-2.so.0 => /usr/lib/libgnomevfs-2.so.0 (0xb76ae000) libm.so.6 => /lib/libm.so.6 (0xb77b4000) libxml2.so.2 => /usr/lib/libxml2.so.2 (0xb7578000) libgcc_s.so.1 => /usr/lib/gcc/i686-pc-linux-gnu/ libm.so.6 => /lib/libm.so.6 (0xb7552000) 4.3.4/libgcc_s.so.1 (0xb77a6000) libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0xb7509000) libc.so.6 => /lib/libc.so.6 (0xb765e000) libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0xb73bc000) /lib/ld-linux.so.2 (0xb78d6000) libz.so.1 => /lib/libz.so.1 (0xb73a8000) libutil.so.1 => /lib/libutil.so.1 (0xb73a4000) libbonobo-2.so.0 => /usr/lib/libbonobo-2.so.0 (0xb7348000) libbonobo-activation.so.4 => /usr/lib/libbonobo-activation.so.4 (0xb7332000) libORBitCosNaming 2.so.0 /usr/lib/libORBitCosNaming 2.so.0 libORBitCosNaming-2 so 0 => /usr/lib/libORBitCosNaming-2 so 0 (0xb732c000) libgconf-2.so.4 => /usr/lib/libgconf-2.so.4 (0xb72f7000) libORBit-2.so.0 => /usr/lib/libORBit-2.so.0 (0xb72a2000) libgthread-2.0.so.0 => /usr/lib/libgthread-2.0.so.0 (0xb729c000) libpthread.so.0 => /lib/libpthread.so.0 (0xb7283000) librt.so.1 => /lib/librt.so.1 (0xb727a000) libdbus-glib-1.so.2 => /usr/lib/libdbus-glib-1.so.2 (0xb725c000) libnsl.so.1 => /lib/libnsl.so.1 (0xb7244000) libdbus-1.so.3 => /usr/lib/libdbus-1.so.3 (0xb720b000) libgio-2.0.so.0 => /usr/lib/libgio-2.0.so.0 (0xb7178000) libresolv.so.2 => /lib/libresolv.so.2 (0xb7163000) libgobject-2.0.so.0 => /usr/lib/libgobject-2.0.so.0 (0xb7126000) libgmodule-2.0.so.0 => /usr/lib/libgmodule-2.0.so.0 (0xb7120000) libdl.so.2 => /lib/libdl.so.2 (0xb711c000) libglib-2.0.so.0 => /usr/lib/libglib-2.0.so.0 (0xb7044000) libpopt.so.0 => /usr/lib/libpopt.so.0 (0xb7039000) libc.so.6 => /lib/libc.so.6 (0xb6ef1000) /lib/ld-linux.so.2 (0xb772e000)
Statifier (1/2) • Creation of self-contained binary by Statifier • Statifier emulates normal loader and gets allocation information – Take snapshot before _dl_start_user() and analyze allocation information of functions of libraries from /proc/PID/maps. – The libraries and allocation information are embedded into the binary.
Statifier (2/2) • Self-Contained Binary – Allocation information and shared libraries are loaded by the starter which is embedded ELF binary by statifier. • Includes special libraries: linux-gate.so, ld-linux.so – The ELF binary has no INTERP segment to call ld-linux.so – ldd command shows no dynamic-link shared libraries • Statifier makes a larger binary than static link. • Increased memory and storage are mitigated by deduplication.
Deduplication • Technique to share same-content chunks at block level (memory and storage). • Same-content chunks are shared by indirect link. – It is easy to implement when a virtual layer exists to access a block device device. – Some virtualizations include deduplication mechanism.
Storage Deduplication • Used by CAS (Content addressable Storage) – data is not addressed by its physical location. Data is addressed by a unique name derived from the content (a secure hash is used as a unique name usually) – Same contents are expressed by one original content (same hash) and addressed by indirected link. • Plan9 has Venti [USENIX FAST02] • Data Domain (EMC) Deduplication [USENIX FAST08] • LBCAS (Loopback Content Addressable Storage) [LinuxSymp09] Virtual Disk CAS Storage Archive Indexing Address SHA-1 0000000-0003FFF 4ad36ffe8… New block is 0004000-0007FFF 974daf34a… created with 0008000-000BFFF 2d34ff3e1… new SHA-1 000C000-000FFFF 974daf34a… … … sharing Deduplication
Memory Deduplication • Memory deduplication is mainly used for virtual machines. • Very effective when same guest OS runs on several virtual machines. • On Virtual Machine Monitor – Disco[OSDI97] has Transparent Page Sharing – VMWare ESX has Content-Based Page Sharing [SOSP02] – Xen has Satori[USENIX09] and Differential Engine[OSDI08] • On Kernel – Linux has KSM (Kernel Samepage Merging) from 2.6.32 [LinuxSymp09] Guest Physical Memory VM1 VM2 VM(n) • Memory of Process(es) are deduplicated • KVM uses this mechanism • These targets are virtual machines, but our proposal uses memory deduplication on single OS image, which increase same pages with copy of libraries (self-contained binary). Real Physical Memory
Evaluation • Evaluate the effect of moving form logical sharing to physical sharing. – Effect of dynamic link shared library (logical sharing) • Gentoo installed on 32GB virtual disk for KVM virtual machine – Effect of Statifier (remove logical sharing and increase consumption on memory and storage) • Applied on binaries under /bin,/sbin,/usr/bin,/usr/sbin – Memory Deduplication • KSM (Kernel Samepage merging) of Linux with KVM virtual machine (758MB). – Storage Deduplication • LBCAS (Loopback Content Addressable Storage)
Effect of Dynamic Link Shared Library • 42 normal processes were running at the end of login. • Shared libraries overlapped on physical memory – (total Virtual memory used by library) / (Physical memory Used by library) = ((B) - (C) )/ ((A) - (C)) = 86,184KB / 13,016KB = 6.62 • (A) Consumed physical memory 54,760 KB • (B) Summation of consumed memory by each process (Size on /proc/[pid]/smaps) 127,928 KB • (C) Summation of process own memory 41,744KB • The overlap was 6.62 times. Information obtained by /proc/[pid]smaps Number of libraries used by 42 processes PID RSS SHARED Usued Name 1 672 536 (79%) 42 linux-gate.so.1 Included by 792 1676 448 (26%) 42 /lib/ld-linux.so.2 all processes 1401 508 400 (78%) 42 libc.so.6 1412 712 580 (81%) 32 libdl.so.2 1709 544 392 (72%) 29 libpthread.so.0 1718 408 332 (81%) 27 libpcre.so.3 1728 628 524 (83%) 27 libnsl.so.1 1737 764 360 (47%) 26 libglib-2.0.so.0 1749 1428 1040 (72%) 25 libgobject-2.0.so.0 1750 468 372 (79%) 24 libm.so.6
Static Analysis of Statifier • Gentoo was customized by statifier. – The ELF (1,162) binaries under /bin (82 files), /sbin (74), /usr/bin (912), /usr/sbin (94) were customized by statifier. Original Statifier Increase (Dynamic-link) Total 87,865,480 3,572,936,704 40.66 Average 75,615 3,074,816 40.66 Max (gnome-open) 5,400 8,732,672 1617.16 Min (qmake) 3,426,340 6,094,848 1.78 • The disk image (includes non-statifiered files) was expnaded from 3.75GB to 7.08GB (1.88 times).
Effect of Memory Deduplication • Memory usage at the end of login • Statifier expanded memory consumption from the view of GuestOS, • but Deduplication reduced physical memory consumption. 80000 34.4% 4KB GuestOS View page 70000 60000 50000 GuestOS 93.0% 45 332 View Duplicated 40000 86056 8.9% Deduplicate 22 96 17.3% 30000 48 1 44 41 29732 Unique physical 20000 32706 30410 memory 2 9929 physical 25 291 10000 memory 0 Normal Gentoo Statifier Gentoo
Trace of memory consumption Normal Gentoo Statifer Gentoo Loopback GuestOS View Physical Physical Mem View Mem View GuestOS View Auto Auto login login LBCAS (256KB) GuestOS View Physical GuestOS View Mem View Physical Mem View Auto Auto login login
Effect of Storage Deduplication • Storage usage (static) and total read data at boot (dynamic) . • Statifier expanded storage consumption from the view of GuestOS on both cases, but Deduplication reduced physical storage consumption in static and dynamic. • Smaller chunk is easy to be deduplicated but time overhead is large. Static Dynamic ( (boot) ) normal statifier normal statifier On Loopback 3,754MB 7,075MB 151.7MB 341.0MB (Guest OS View) (1.88) (2.25) 4352MB 268,454 LBCAS 16KB [278,499] --- ---- [4195MB] (1.04) 83,863 304MB 74,679 218MB LBCAS 64KB [5241MB] [4,866] [4667MB] [3,481] (1.12) (1.40) 6723MB 505MB 22,806 390MB LBCAS 256KB [26,892] [2,019] [5701MB] [1,560 ] (1.18) (1.29)
Time overhead at boot • Statifier reduced the boot time, because it eliminated dynamic reallocation overhead. • Deduplication increased the boot time. The overhead of KSM and LBCAS was less than 37%. – The overhead is a penalty to remove the vulnerabilities of logical sharing. Without KSM With KSM Normal Statifier Normal Statifier Loopback 95s 84s 95s 105s Reduced LBCAS 107s 108s 115s 130s (256KB)
Conclusion & Discussion • Self-Contained binaries strengthen OS security. – Prevent Search Path Replacement Attack, GOT (Global Offset Table) overwrite attack, Dependency Hell – Easy to apply on normal OS. It does not require source code and re-compile. – Increase consumption of memory and storage. • Deduplication mitigates the consumption of memory and storage caused by self-contained binary. – Encourage moving from Logical sharing to Physical Sharing • Deduplication is utilized to increase security on single OS. *Technical detail is written in USENIX HotSec2010 Paper, “Moving from Logical Sharing of Guest OS to Physical Sharing of Deduplication on Virtual Machine”
Conclusion & Discussion • Re-think the packages of Linux distributions • Self-Contained binaries is temporary solution. We should re- think to remove logical sharing which cause security problems, because same contents are shared on memory and storage p dedeuplcation. • Deduplication will be mainly used on IaaS type (multi-tenants) Cloud Computing. *Technical detail is written in USENIX HotSec2010 Paper, “Moving from Logical Sharing of Guest OS to Physical Sharing of Deduplication on Virtual Machine”

Recommended

Tips of Malloc & Free
Tips of Malloc & FreeTips of Malloc & Free
Tips of Malloc & FreeTetsuyuki Kobayashi
 
Londiste Replication system for PostgreSQL
Londiste Replication system for PostgreSQLLondiste Replication system for PostgreSQL
Londiste Replication system for PostgreSQLelliando dias
 
Bglrsession4
Bglrsession4Bglrsession4
Bglrsession4Nagasuri Bala Venkateswarlu
 
Lecture2 process structure and programming
Lecture2 process structure and programmingLecture2 process structure and programming
Lecture2 process structure and programmingMohammed Farrag
 
101 2.3 manage shared libraries
101 2.3 manage shared libraries101 2.3 manage shared libraries
101 2.3 manage shared librariesAcácio Oliveira
 
Making Big Data Analytics Interactive and Real-­Time
Making Big Data Analytics Interactive and Real-­Time Making Big Data Analytics Interactive and Real-­Time
Making Big Data Analytics Interactive and Real-­TimeSeven Nguyen
 
2.3 manage shared libraries
2.3 manage shared libraries2.3 manage shared libraries
2.3 manage shared librariesAcácio Oliveira
 
Basic Multithreading using Posix Threads
Basic Multithreading using Posix ThreadsBasic Multithreading using Posix Threads
Basic Multithreading using Posix ThreadsTushar B Kute
 

Recommended

Tips of Malloc & Free
Tips of Malloc & FreeTips of Malloc & Free
Tips of Malloc & FreeTetsuyuki Kobayashi
 
Londiste Replication system for PostgreSQL
Londiste Replication system for PostgreSQLLondiste Replication system for PostgreSQL
Londiste Replication system for PostgreSQLelliando dias
 
Bglrsession4
Bglrsession4Bglrsession4
Bglrsession4Nagasuri Bala Venkateswarlu
 
Lecture2 process structure and programming
Lecture2 process structure and programmingLecture2 process structure and programming
Lecture2 process structure and programmingMohammed Farrag
 
101 2.3 manage shared libraries
101 2.3 manage shared libraries101 2.3 manage shared libraries
101 2.3 manage shared librariesAcácio Oliveira
 
Making Big Data Analytics Interactive and Real-­Time
Making Big Data Analytics Interactive and Real-­Time Making Big Data Analytics Interactive and Real-­Time
Making Big Data Analytics Interactive and Real-­TimeSeven Nguyen
 
2.3 manage shared libraries
2.3 manage shared libraries2.3 manage shared libraries
2.3 manage shared librariesAcácio Oliveira
 
Basic Multithreading using Posix Threads
Basic Multithreading using Posix ThreadsBasic Multithreading using Posix Threads
Basic Multithreading using Posix ThreadsTushar B Kute
 
ACM SOSP11 & SOCC11 & PLOS11 Report
ACM SOSP11 & SOCC11 & PLOS11 ReportACM SOSP11 & SOCC11 & PLOS11 Report
ACM SOSP11 & SOCC11 & PLOS11 ReportKuniyasu Suzaki
 
Technology Used in Virtual Machine (Jan 2008)
Technology Used in Virtual Machine (Jan 2008)Technology Used in Virtual Machine (Jan 2008)
Technology Used in Virtual Machine (Jan 2008)Kuniyasu Suzaki
 
Bitvisorをベースとした既存Windowsのドライバメモリ保護
Bitvisorをベースとした既存Windowsのドライバメモリ保護Bitvisorをベースとした既存Windowsのドライバメモリ保護
Bitvisorをベースとした既存Windowsのドライバメモリ保護Kuniyasu Suzaki
 
EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...
EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...
EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...Kuniyasu Suzaki
 
Hot sec10 slide-suzaki
Hot sec10 slide-suzakiHot sec10 slide-suzaki
Hot sec10 slide-suzakiKuniyasu Suzaki
 
Cloud ComputingにおけるVMのセキュリティ(14/Jan/2010)
Cloud ComputingにおけるVMのセキュリティ(14/Jan/2010)Cloud ComputingにおけるVMのセキュリティ(14/Jan/2010)
Cloud ComputingにおけるVMのセキュリティ(14/Jan/2010)Kuniyasu Suzaki
 
EPT と TLB でしくじった話
EPT と TLB でしくじった話EPT と TLB でしくじった話
EPT と TLB でしくじった話Takaaki Fukai
 
Linker Wisdom
Linker WisdomLinker Wisdom
Linker Wisdomdmichelsen
 
Beginner's guide to linkers
Beginner's guide to linkersBeginner's guide to linkers
Beginner's guide to linkersPinkus Chang
 
Shared Object images in Docker: What you need is what you want.
Shared Object images in Docker: What you need is what you want.Shared Object images in Docker: What you need is what you want.
Shared Object images in Docker: What you need is what you want.Workhorse Computing
 
The Future of library dependency management of Ruby
The Future of library dependency management of Ruby The Future of library dependency management of Ruby
The Future of library dependency management of RubyHiroshi SHIBATA
 
101 2.3 manage shared libraries
101 2.3 manage shared libraries101 2.3 manage shared libraries
101 2.3 manage shared librariesAcácio Oliveira
 
嵌入式Linux課程-GNU Toolchain
嵌入式Linux課程-GNU Toolchain嵌入式Linux課程-GNU Toolchain
嵌入式Linux課程-GNU Toolchain艾鍗科技
 
One RubyStack to Rule them All
One RubyStack to Rule them AllOne RubyStack to Rule them All
One RubyStack to Rule them Allelliando dias
 
Automated Detection of Software Bugs and Vulnerabilities in Linux
Automated Detection of Software Bugs and Vulnerabilities in LinuxAutomated Detection of Software Bugs and Vulnerabilities in Linux
Automated Detection of Software Bugs and Vulnerabilities in LinuxSilvio Cesare
 
sbt 1
sbt 1sbt 1
sbt 1Eugene Yokota
 
Getting Git Right
Getting Git RightGetting Git Right
Getting Git RightSven Peters
 
Package Management via Spack on SJTU π Supercomputer
Package Management via Spack on SJTU π SupercomputerPackage Management via Spack on SJTU π Supercomputer
Package Management via Spack on SJTU π SupercomputerJianwen Wei
 
olibc: Another C Library optimized for Embedded Linux
olibc: Another C Library optimized for Embedded Linuxolibc: Another C Library optimized for Embedded Linux
olibc: Another C Library optimized for Embedded LinuxNational Cheng Kung University
 
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityOMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityAndrew Case
 
Android Variants, Hacks, Tricks and Resources
Android Variants, Hacks, Tricks and ResourcesAndroid Variants, Hacks, Tricks and Resources
Android Variants, Hacks, Tricks and ResourcesOpersys inc.
 
LXC Containers and AUFs
LXC Containers and AUFsLXC Containers and AUFs
LXC Containers and AUFsDocker, Inc.
 

More Related Content

Viewers also liked

ACM SOSP11 & SOCC11 & PLOS11 Report
ACM SOSP11 & SOCC11 & PLOS11 ReportACM SOSP11 & SOCC11 & PLOS11 Report
ACM SOSP11 & SOCC11 & PLOS11 ReportKuniyasu Suzaki
 
Technology Used in Virtual Machine (Jan 2008)
Technology Used in Virtual Machine (Jan 2008)Technology Used in Virtual Machine (Jan 2008)
Technology Used in Virtual Machine (Jan 2008)Kuniyasu Suzaki
 
Bitvisorをベースとした既存Windowsのドライバメモリ保護
Bitvisorをベースとした既存Windowsのドライバメモリ保護Bitvisorをベースとした既存Windowsのドライバメモリ保護
Bitvisorをベースとした既存Windowsのドライバメモリ保護Kuniyasu Suzaki
 
EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...
EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...
EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...Kuniyasu Suzaki
 
Cloud ComputingにおけるVMのセキュリティ(14/Jan/2010)
Cloud ComputingにおけるVMのセキュリティ(14/Jan/2010)Cloud ComputingにおけるVMのセキュリティ(14/Jan/2010)
Cloud ComputingにおけるVMのセキュリティ(14/Jan/2010)Kuniyasu Suzaki
 
EPT と TLB でしくじった話
EPT と TLB でしくじった話EPT と TLB でしくじった話
EPT と TLB でしくじった話Takaaki Fukai
 

Viewers also liked (7)

ACM SOSP11 & SOCC11 & PLOS11 Report
ACM SOSP11 & SOCC11 & PLOS11 ReportACM SOSP11 & SOCC11 & PLOS11 Report
ACM SOSP11 & SOCC11 & PLOS11 Report
 
Technology Used in Virtual Machine (Jan 2008)
Technology Used in Virtual Machine (Jan 2008)Technology Used in Virtual Machine (Jan 2008)
Technology Used in Virtual Machine (Jan 2008)
 
Bitvisorをベースとした既存Windowsのドライバメモリ保護
Bitvisorをベースとした既存Windowsのドライバメモリ保護Bitvisorをベースとした既存Windowsのドライバメモリ保護
Bitvisorをベースとした既存Windowsのドライバメモリ保護
 
EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...
EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...
EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...
 
Hot sec10 slide-suzaki
Hot sec10 slide-suzakiHot sec10 slide-suzaki
Hot sec10 slide-suzaki
 
Cloud ComputingにおけるVMのセキュリティ(14/Jan/2010)
Cloud ComputingにおけるVMのセキュリティ(14/Jan/2010)Cloud ComputingにおけるVMのセキュリティ(14/Jan/2010)
Cloud ComputingにおけるVMのセキュリティ(14/Jan/2010)
 
EPT と TLB でしくじった話
EPT と TLB でしくじった話EPT と TLB でしくじった話
EPT と TLB でしくじった話
 

Similar to LinuxCon Japan 2010 suzaki

Beginner's guide to linkers
Beginner's guide to linkersBeginner's guide to linkers
Beginner's guide to linkersPinkus Chang
 
Shared Object images in Docker: What you need is what you want.
Shared Object images in Docker: What you need is what you want.Shared Object images in Docker: What you need is what you want.
Shared Object images in Docker: What you need is what you want.Workhorse Computing
 
The Future of library dependency management of Ruby
The Future of library dependency management of Ruby The Future of library dependency management of Ruby
The Future of library dependency management of RubyHiroshi SHIBATA
 
101 2.3 manage shared libraries
101 2.3 manage shared libraries101 2.3 manage shared libraries
101 2.3 manage shared librariesAcácio Oliveira
 
嵌入式Linux課程-GNU Toolchain
嵌入式Linux課程-GNU Toolchain嵌入式Linux課程-GNU Toolchain
嵌入式Linux課程-GNU Toolchain艾鍗科技
 
One RubyStack to Rule them All
One RubyStack to Rule them AllOne RubyStack to Rule them All
One RubyStack to Rule them Allelliando dias
 
Automated Detection of Software Bugs and Vulnerabilities in Linux
Automated Detection of Software Bugs and Vulnerabilities in LinuxAutomated Detection of Software Bugs and Vulnerabilities in Linux
Automated Detection of Software Bugs and Vulnerabilities in LinuxSilvio Cesare
 
Getting Git Right
Getting Git RightGetting Git Right
Getting Git RightSven Peters
 
Package Management via Spack on SJTU π Supercomputer
Package Management via Spack on SJTU π SupercomputerPackage Management via Spack on SJTU π Supercomputer
Package Management via Spack on SJTU π SupercomputerJianwen Wei
 
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityOMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityAndrew Case
 
Android Variants, Hacks, Tricks and Resources
Android Variants, Hacks, Tricks and ResourcesAndroid Variants, Hacks, Tricks and Resources
Android Variants, Hacks, Tricks and ResourcesOpersys inc.
 
LXC Containers and AUFs
LXC Containers and AUFsLXC Containers and AUFs
LXC Containers and AUFsDocker, Inc.
 
Scale11x lxc talk
Scale11x lxc talkScale11x lxc talk
Scale11x lxc talkdotCloud
 
Package management and creation in Gentoo Linux
Package management and creation in Gentoo LinuxPackage management and creation in Gentoo Linux
Package management and creation in Gentoo LinuxDonnie Berkholz
 
Linux io introduction-fudcon-2015-with-demo-slides
Linux io introduction-fudcon-2015-with-demo-slidesLinux io introduction-fudcon-2015-with-demo-slides
Linux io introduction-fudcon-2015-with-demo-slidesKASHISH BHATIA
 
Os Grossupdated
Os GrossupdatedOs Grossupdated
Os Grossupdatedoscon2007
 

Similar to LinuxCon Japan 2010 suzaki (20)

Linker Wisdom
Linker WisdomLinker Wisdom
Linker Wisdom
 
Beginner's guide to linkers
Beginner's guide to linkersBeginner's guide to linkers
Beginner's guide to linkers
 
Shared Object images in Docker: What you need is what you want.
Shared Object images in Docker: What you need is what you want.Shared Object images in Docker: What you need is what you want.
Shared Object images in Docker: What you need is what you want.
 
The Future of library dependency management of Ruby
The Future of library dependency management of Ruby The Future of library dependency management of Ruby
The Future of library dependency management of Ruby
 
101 2.3 manage shared libraries
101 2.3 manage shared libraries101 2.3 manage shared libraries
101 2.3 manage shared libraries
 
嵌入式Linux課程-GNU Toolchain
嵌入式Linux課程-GNU Toolchain嵌入式Linux課程-GNU Toolchain
嵌入式Linux課程-GNU Toolchain
 
One RubyStack to Rule them All
One RubyStack to Rule them AllOne RubyStack to Rule them All
One RubyStack to Rule them All
 
Automated Detection of Software Bugs and Vulnerabilities in Linux
Automated Detection of Software Bugs and Vulnerabilities in LinuxAutomated Detection of Software Bugs and Vulnerabilities in Linux
Automated Detection of Software Bugs and Vulnerabilities in Linux
 
sbt 1
sbt 1sbt 1
sbt 1
 
Getting Git Right
Getting Git RightGetting Git Right
Getting Git Right
 
Package Management via Spack on SJTU π Supercomputer
Package Management via Spack on SJTU π SupercomputerPackage Management via Spack on SJTU π Supercomputer
Package Management via Spack on SJTU π Supercomputer
 
olibc: Another C Library optimized for Embedded Linux
olibc: Another C Library optimized for Embedded Linuxolibc: Another C Library optimized for Embedded Linux
olibc: Another C Library optimized for Embedded Linux
 
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityOMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
 
Android Variants, Hacks, Tricks and Resources
Android Variants, Hacks, Tricks and ResourcesAndroid Variants, Hacks, Tricks and Resources
Android Variants, Hacks, Tricks and Resources
 
LXC Containers and AUFs
LXC Containers and AUFsLXC Containers and AUFs
LXC Containers and AUFs
 
Scale11x lxc talk
Scale11x lxc talkScale11x lxc talk
Scale11x lxc talk
 
Package management and creation in Gentoo Linux
Package management and creation in Gentoo LinuxPackage management and creation in Gentoo Linux
Package management and creation in Gentoo Linux
 
Stack Frame Protection
Stack Frame ProtectionStack Frame Protection
Stack Frame Protection
 
Linux io introduction-fudcon-2015-with-demo-slides
Linux io introduction-fudcon-2015-with-demo-slidesLinux io introduction-fudcon-2015-with-demo-slides
Linux io introduction-fudcon-2015-with-demo-slides
 
Os Grossupdated
Os GrossupdatedOs Grossupdated
Os Grossupdated
 

More from Kuniyasu Suzaki

RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)
RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)
RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)Kuniyasu Suzaki
 
遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)
遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)
遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)Kuniyasu Suzaki
 
IETF111 RATS: Remote Attestation ProcedureS 報告
IETF111 RATS: Remote Attestation ProcedureS 報告IETF111 RATS: Remote Attestation ProcedureS 報告
IETF111 RATS: Remote Attestation ProcedureS 報告Kuniyasu Suzaki
 
Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)
Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)
Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)Kuniyasu Suzaki
 
ACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki
ACSAC2020 "Return-Oriented IoT" by Kuniyasu SuzakiACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki
ACSAC2020 "Return-Oriented IoT" by Kuniyasu SuzakiKuniyasu Suzaki
 
TEE (Trusted Execution Environment)は第二の仮想化技術になるか?
TEE (Trusted Execution Environment)は第二の仮想化技術になるか?TEE (Trusted Execution Environment)は第二の仮想化技術になるか?
TEE (Trusted Execution Environment)は第二の仮想化技術になるか?Kuniyasu Suzaki
 
3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)
3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)
3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)Kuniyasu Suzaki
 
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...Kuniyasu Suzaki
 
RISC-V-Day-Tokyo2018-suzaki
RISC-V-Day-Tokyo2018-suzakiRISC-V-Day-Tokyo2018-suzaki
RISC-V-Day-Tokyo2018-suzakiKuniyasu Suzaki
 
BMC: Bare Metal Container @Open Source Summit Japan 2017
BMC: Bare Metal Container @Open Source Summit Japan 2017BMC: Bare Metal Container @Open Source Summit Japan 2017
BMC: Bare Metal Container @Open Source Summit Japan 2017Kuniyasu Suzaki
 
USENIX NSDI17 Memory Disaggregation
USENIX NSDI17 Memory DisaggregationUSENIX NSDI17 Memory Disaggregation
USENIX NSDI17 Memory DisaggregationKuniyasu Suzaki
 
Io t security-suzki-20170224
Io t security-suzki-20170224Io t security-suzki-20170224
Io t security-suzki-20170224Kuniyasu Suzaki
 
”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016Kuniyasu Suzaki
 
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kuniyasu Suzaki
 
Report for S4x14 (SCADA Security Scientific Symposium 2014)
Report for S4x14 (SCADA Security Scientific Symposium 2014)Report for S4x14 (SCADA Security Scientific Symposium 2014)
Report for S4x14 (SCADA Security Scientific Symposium 2014)Kuniyasu Suzaki
 
Slide used at ACM-SAC 2014 by Suzaki
Slide used at ACM-SAC 2014 by SuzakiSlide used at ACM-SAC 2014 by Suzaki
Slide used at ACM-SAC 2014 by SuzakiKuniyasu Suzaki
 
OSセキュリティチュートリアル
OSセキュリティチュートリアルOSセキュリティチュートリアル
OSセキュリティチュートリアルKuniyasu Suzaki
 
Nested Virtual Machines and Proxies
Nested Virtual Machines and Proxies Nested Virtual Machines and Proxies
Nested Virtual Machines and Proxies Kuniyasu Suzaki
 
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)Kuniyasu Suzaki
 
仮想化技術によるマルウェア対策とその問題点
仮想化技術によるマルウェア対策とその問題点仮想化技術によるマルウェア対策とその問題点
仮想化技術によるマルウェア対策とその問題点Kuniyasu Suzaki
 

More from Kuniyasu Suzaki (20)

RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)
RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)
RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)
 
遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)
遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)
遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)
 
IETF111 RATS: Remote Attestation ProcedureS 報告
IETF111 RATS: Remote Attestation ProcedureS 報告IETF111 RATS: Remote Attestation ProcedureS 報告
IETF111 RATS: Remote Attestation ProcedureS 報告
 
Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)
Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)
Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)
 
ACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki
ACSAC2020 "Return-Oriented IoT" by Kuniyasu SuzakiACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki
ACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki
 
TEE (Trusted Execution Environment)は第二の仮想化技術になるか?
TEE (Trusted Execution Environment)は第二の仮想化技術になるか?TEE (Trusted Execution Environment)は第二の仮想化技術になるか?
TEE (Trusted Execution Environment)は第二の仮想化技術になるか?
 
3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)
3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)
3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)
 
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
 
RISC-V-Day-Tokyo2018-suzaki
RISC-V-Day-Tokyo2018-suzakiRISC-V-Day-Tokyo2018-suzaki
RISC-V-Day-Tokyo2018-suzaki
 
BMC: Bare Metal Container @Open Source Summit Japan 2017
BMC: Bare Metal Container @Open Source Summit Japan 2017BMC: Bare Metal Container @Open Source Summit Japan 2017
BMC: Bare Metal Container @Open Source Summit Japan 2017
 
USENIX NSDI17 Memory Disaggregation
USENIX NSDI17 Memory DisaggregationUSENIX NSDI17 Memory Disaggregation
USENIX NSDI17 Memory Disaggregation
 
Io t security-suzki-20170224
Io t security-suzki-20170224Io t security-suzki-20170224
Io t security-suzki-20170224
 
”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016
 
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
 
Report for S4x14 (SCADA Security Scientific Symposium 2014)
Report for S4x14 (SCADA Security Scientific Symposium 2014)Report for S4x14 (SCADA Security Scientific Symposium 2014)
Report for S4x14 (SCADA Security Scientific Symposium 2014)
 
Slide used at ACM-SAC 2014 by Suzaki
Slide used at ACM-SAC 2014 by SuzakiSlide used at ACM-SAC 2014 by Suzaki
Slide used at ACM-SAC 2014 by Suzaki
 
OSセキュリティチュートリアル
OSセキュリティチュートリアルOSセキュリティチュートリアル
OSセキュリティチュートリアル
 
Nested Virtual Machines and Proxies
Nested Virtual Machines and Proxies Nested Virtual Machines and Proxies
Nested Virtual Machines and Proxies
 
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
 
仮想化技術によるマルウェア対策とその問題点
仮想化技術によるマルウェア対策とその問題点仮想化技術によるマルウェア対策とその問題点
仮想化技術によるマルウェア対策とその問題点
 

Recently uploaded

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 

Recently uploaded (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 

LinuxCon Japan 2010 suzaki

  • 1. Rethink Package Components on De-Duplication: From Logical Sharing to Physical Sharing Leaflet is wrong Kuniyashu Kuniyasu Suzaki, T hiki Y i K K i h K i S ki Toshiki Yagi, Kengo Iiji Iijima, N Nguyen Anh Quynh, C ill A h A hQ h Cyrille Artho Research Center of Information Security National Institute of Advanced Industrial Science and Technology & Yoshihito Watanebe Alpha Systems Inc.
  • 2. Contents • Rethink Package Components • Vulnerability of logical sharing (Dynamic-Link Shared Library and Symbolic Link) • Propose replacement of logical sharing by physical sharing – Physical sharing • Deduplication on Memory and Storage – Self-contained binary • It is NOT static-Link binary. • Experimental results • Conclusions with discussing topics
  • 3. Rethink Package Components • Current Packages depend on Logical Sharing • Logical sharing is OS technique to reduce consumption of memory and storage. – “Dynamic-Link Shared Library” for memory and storage – “Symbolic Link” for storage Symbolic Link • Unfortunately, they include vulnerability caused by dynamic management. – Search Path Replacement Attack – GOT (Global Offset Table) overwrite attack – Dependency Hell – Etc.
  • 4. Search Path Replacement Attack • Dynamic-link searches a shared library at run time using a search path. – Search path is defined by environment variables. • Example: “LD_LIBRARY_PATH” – It allows us to change shared libraries for each process. • Unfortunately, the search path is easily replaced by an attacker and leads to malicious shared libraries. – Caller program has no methods to certify libraries. • Static-link solves this problem but it wastes memory and storage.
  • 5. GOT Overwrite Attack • ELF format has GOT (Global Offset Table) to locate position-independent function address of shared library. The value of GOT is assigned at run time. – GOT is created on Data Segment and vulnerable for overwrite attack. • Static link solves this problem but it wastes memory and storage. Program Library Call Routine Code Code Segment Segment PLT PLT Data Data GOT GOT Segment Segment Attack
  • 6. Dependency Hell (DLL Hell in Windows) • Dependency Hell is a management problem of shared libraries. – Package manager maintains versions of libraries. However, the version mismatch may occur, when a user updates a library without package manager. • D Dependency H ll i escalated b symbolic-link, b d Hell is l t d by b li li k because most shared libraries use symbolic-link to manage minor updates. – /lib/libc.so.6 -> libc-2.10.1.so – # ln –s libc-2.11.1.so libc.so.6 • Static link solves this problem but it wastes memory and storage.
  • 7. Solution, and further problems • The problems are solved by static-link, but it increases consumption of memory and storage. – Fortunately, the increased consumption is mitigated by new technique, deduplication. – SLINY[USENIX’05] developed deduplication in Linux kernel. – It looks the problems are solved … • Two trends – Current applications assume dynamic-link and are not re-compiled as static-link easily . – Current virtualization offers us deduplication. • SLINKY uses special Linux kernel. It is not applied on any Linux. • Using virtualization, guest OS only has to solve the security problems without regard to physical consumption.
  • 8. Static-Link is not easy [BIG Problem] • Current applications depend on dynamic-link shared libraries for flexibility and avoiding license contamination. – Some Licenses conflict and the code can not be mixed. – Static link is not created with compile option, because dlopen() which calls shared library explicitly is used in main source codes. • glibc, l b l b libX11, openssl, gcc, glib, pam… Difficult to remove! l lb iffi l ! • We tried to re-compile /bin, /sbin, /usr/bin, and /usr/sbin dynamic-linked binaries (1,162) with static-link on Gentoo. – 185 (15.9%) binaries are re-compiled with static-link. • Binary packages make it difficult to re-compile, because they are not easy to get all source code. – Commercial applications make problem more difficult.
  • 9. Self-Contained Binaries • Self-contained binary translator • It is developed to bring a binary to another machine. • It integrates shared libraries into an ELF binary file. – Tools • Statifier, Autopacage, Ermine for Linux – Advantage • Prevent Search Path Replacement Attack and Dependency Hell, because it integrates all libraries. • Mitigate GOT Overwrite Attack, because the addresses are prefixed for each execution. – Disadvantage • Consume more memory and storage than static-link
  • 10. Min: /usr/bin/qmake Max: /usr/bin/gnome-open (3,426,340 -> 6,094,848 (x1.78) ) (5,400 -> 8,732,672 (x1617.16)) 6 shared libraries 22shared libraries # ldd /usr/bin/qmake # ldd /usr/bin/gnome-open linux-gate.so.1 => (0xb78d5000) l inux-gate.so.1 => (0xb772d000) libstdc++.so.6 => /usr/lib/gcc/i686-pc-linux-gnu/ libgnome-2.so.0 => /usr/lib/libgnome-2.so.0 (0xb7709000) 4.3.4/libstdc++.so.6 (0xb77da000) libgnomevfs-2.so.0 => /usr/lib/libgnomevfs-2.so.0 (0xb76ae000) libm.so.6 => /lib/libm.so.6 (0xb77b4000) libxml2.so.2 => /usr/lib/libxml2.so.2 (0xb7578000) libgcc_s.so.1 => /usr/lib/gcc/i686-pc-linux-gnu/ libm.so.6 => /lib/libm.so.6 (0xb7552000) 4.3.4/libgcc_s.so.1 (0xb77a6000) libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0xb7509000) libc.so.6 => /lib/libc.so.6 (0xb765e000) libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0xb73bc000) /lib/ld-linux.so.2 (0xb78d6000) libz.so.1 => /lib/libz.so.1 (0xb73a8000) libutil.so.1 => /lib/libutil.so.1 (0xb73a4000) libbonobo-2.so.0 => /usr/lib/libbonobo-2.so.0 (0xb7348000) libbonobo-activation.so.4 => /usr/lib/libbonobo-activation.so.4 (0xb7332000) libORBitCosNaming 2.so.0 /usr/lib/libORBitCosNaming 2.so.0 libORBitCosNaming-2 so 0 => /usr/lib/libORBitCosNaming-2 so 0 (0xb732c000) libgconf-2.so.4 => /usr/lib/libgconf-2.so.4 (0xb72f7000) libORBit-2.so.0 => /usr/lib/libORBit-2.so.0 (0xb72a2000) libgthread-2.0.so.0 => /usr/lib/libgthread-2.0.so.0 (0xb729c000) libpthread.so.0 => /lib/libpthread.so.0 (0xb7283000) librt.so.1 => /lib/librt.so.1 (0xb727a000) libdbus-glib-1.so.2 => /usr/lib/libdbus-glib-1.so.2 (0xb725c000) libnsl.so.1 => /lib/libnsl.so.1 (0xb7244000) libdbus-1.so.3 => /usr/lib/libdbus-1.so.3 (0xb720b000) libgio-2.0.so.0 => /usr/lib/libgio-2.0.so.0 (0xb7178000) libresolv.so.2 => /lib/libresolv.so.2 (0xb7163000) libgobject-2.0.so.0 => /usr/lib/libgobject-2.0.so.0 (0xb7126000) libgmodule-2.0.so.0 => /usr/lib/libgmodule-2.0.so.0 (0xb7120000) libdl.so.2 => /lib/libdl.so.2 (0xb711c000) libglib-2.0.so.0 => /usr/lib/libglib-2.0.so.0 (0xb7044000) libpopt.so.0 => /usr/lib/libpopt.so.0 (0xb7039000) libc.so.6 => /lib/libc.so.6 (0xb6ef1000) /lib/ld-linux.so.2 (0xb772e000)
  • 11. Statifier (1/2) • Creation of self-contained binary by Statifier • Statifier emulates normal loader and gets allocation information – Take snapshot before _dl_start_user() and analyze allocation information of functions of libraries from /proc/PID/maps. – The libraries and allocation information are embedded into the binary.
  • 12. Statifier (2/2) • Self-Contained Binary – Allocation information and shared libraries are loaded by the starter which is embedded ELF binary by statifier. • Includes special libraries: linux-gate.so, ld-linux.so – The ELF binary has no INTERP segment to call ld-linux.so – ldd command shows no dynamic-link shared libraries • Statifier makes a larger binary than static link. • Increased memory and storage are mitigated by deduplication.
  • 13. Deduplication • Technique to share same-content chunks at block level (memory and storage). • Same-content chunks are shared by indirect link. – It is easy to implement when a virtual layer exists to access a block device device. – Some virtualizations include deduplication mechanism.
  • 14. Storage Deduplication • Used by CAS (Content addressable Storage) – data is not addressed by its physical location. Data is addressed by a unique name derived from the content (a secure hash is used as a unique name usually) – Same contents are expressed by one original content (same hash) and addressed by indirected link. • Plan9 has Venti [USENIX FAST02] • Data Domain (EMC) Deduplication [USENIX FAST08] • LBCAS (Loopback Content Addressable Storage) [LinuxSymp09] Virtual Disk CAS Storage Archive Indexing Address SHA-1 0000000-0003FFF 4ad36ffe8… New block is 0004000-0007FFF 974daf34a… created with 0008000-000BFFF 2d34ff3e1… new SHA-1 000C000-000FFFF 974daf34a… … … sharing Deduplication
  • 15. Memory Deduplication • Memory deduplication is mainly used for virtual machines. • Very effective when same guest OS runs on several virtual machines. • On Virtual Machine Monitor – Disco[OSDI97] has Transparent Page Sharing – VMWare ESX has Content-Based Page Sharing [SOSP02] – Xen has Satori[USENIX09] and Differential Engine[OSDI08] • On Kernel – Linux has KSM (Kernel Samepage Merging) from 2.6.32 [LinuxSymp09] Guest Physical Memory VM1 VM2 VM(n) • Memory of Process(es) are deduplicated • KVM uses this mechanism • These targets are virtual machines, but our proposal uses memory deduplication on single OS image, which increase same pages with copy of libraries (self-contained binary). Real Physical Memory
  • 16. Evaluation • Evaluate the effect of moving form logical sharing to physical sharing. – Effect of dynamic link shared library (logical sharing) • Gentoo installed on 32GB virtual disk for KVM virtual machine – Effect of Statifier (remove logical sharing and increase consumption on memory and storage) • Applied on binaries under /bin,/sbin,/usr/bin,/usr/sbin – Memory Deduplication • KSM (Kernel Samepage merging) of Linux with KVM virtual machine (758MB). – Storage Deduplication • LBCAS (Loopback Content Addressable Storage)
  • 17. Effect of Dynamic Link Shared Library • 42 normal processes were running at the end of login. • Shared libraries overlapped on physical memory – (total Virtual memory used by library) / (Physical memory Used by library) = ((B) - (C) )/ ((A) - (C)) = 86,184KB / 13,016KB = 6.62 • (A) Consumed physical memory 54,760 KB • (B) Summation of consumed memory by each process (Size on /proc/[pid]/smaps) 127,928 KB • (C) Summation of process own memory 41,744KB • The overlap was 6.62 times. Information obtained by /proc/[pid]smaps Number of libraries used by 42 processes PID RSS SHARED Usued Name 1 672 536 (79%) 42 linux-gate.so.1 Included by 792 1676 448 (26%) 42 /lib/ld-linux.so.2 all processes 1401 508 400 (78%) 42 libc.so.6 1412 712 580 (81%) 32 libdl.so.2 1709 544 392 (72%) 29 libpthread.so.0 1718 408 332 (81%) 27 libpcre.so.3 1728 628 524 (83%) 27 libnsl.so.1 1737 764 360 (47%) 26 libglib-2.0.so.0 1749 1428 1040 (72%) 25 libgobject-2.0.so.0 1750 468 372 (79%) 24 libm.so.6
  • 18. Static Analysis of Statifier • Gentoo was customized by statifier. – The ELF (1,162) binaries under /bin (82 files), /sbin (74), /usr/bin (912), /usr/sbin (94) were customized by statifier. Original Statifier Increase (Dynamic-link) Total 87,865,480 3,572,936,704 40.66 Average 75,615 3,074,816 40.66 Max (gnome-open) 5,400 8,732,672 1617.16 Min (qmake) 3,426,340 6,094,848 1.78 • The disk image (includes non-statifiered files) was expnaded from 3.75GB to 7.08GB (1.88 times).
  • 19. Effect of Memory Deduplication • Memory usage at the end of login • Statifier expanded memory consumption from the view of GuestOS, • but Deduplication reduced physical memory consumption. 80000 34.4% 4KB GuestOS View page 70000 60000 50000 GuestOS 93.0% 45 332 View Duplicated 40000 86056 8.9% Deduplicate 22 96 17.3% 30000 48 1 44 41 29732 Unique physical 20000 32706 30410 memory 2 9929 physical 25 291 10000 memory 0 Normal Gentoo Statifier Gentoo
  • 20. Trace of memory consumption Normal Gentoo Statifer Gentoo Loopback GuestOS View Physical Physical Mem View Mem View GuestOS View Auto Auto login login LBCAS (256KB) GuestOS View Physical GuestOS View Mem View Physical Mem View Auto Auto login login
  • 21. Effect of Storage Deduplication • Storage usage (static) and total read data at boot (dynamic) . • Statifier expanded storage consumption from the view of GuestOS on both cases, but Deduplication reduced physical storage consumption in static and dynamic. • Smaller chunk is easy to be deduplicated but time overhead is large. Static Dynamic ( (boot) ) normal statifier normal statifier On Loopback 3,754MB 7,075MB 151.7MB 341.0MB (Guest OS View) (1.88) (2.25) 4352MB 268,454 LBCAS 16KB [278,499] --- ---- [4195MB] (1.04) 83,863 304MB 74,679 218MB LBCAS 64KB [5241MB] [4,866] [4667MB] [3,481] (1.12) (1.40) 6723MB 505MB 22,806 390MB LBCAS 256KB [26,892] [2,019] [5701MB] [1,560 ] (1.18) (1.29)
  • 22. Time overhead at boot • Statifier reduced the boot time, because it eliminated dynamic reallocation overhead. • Deduplication increased the boot time. The overhead of KSM and LBCAS was less than 37%. – The overhead is a penalty to remove the vulnerabilities of logical sharing. Without KSM With KSM Normal Statifier Normal Statifier Loopback 95s 84s 95s 105s Reduced LBCAS 107s 108s 115s 130s (256KB)
  • 23. Conclusion & Discussion • Self-Contained binaries strengthen OS security. – Prevent Search Path Replacement Attack, GOT (Global Offset Table) overwrite attack, Dependency Hell – Easy to apply on normal OS. It does not require source code and re-compile. – Increase consumption of memory and storage. • Deduplication mitigates the consumption of memory and storage caused by self-contained binary. – Encourage moving from Logical sharing to Physical Sharing • Deduplication is utilized to increase security on single OS. *Technical detail is written in USENIX HotSec2010 Paper, “Moving from Logical Sharing of Guest OS to Physical Sharing of Deduplication on Virtual Machine”
  • 24. Conclusion & Discussion • Re-think the packages of Linux distributions • Self-Contained binaries is temporary solution. We should re- think to remove logical sharing which cause security problems, because same contents are shared on memory and storage p dedeuplcation. • Deduplication will be mainly used on IaaS type (multi-tenants) Cloud Computing. *Technical detail is written in USENIX HotSec2010 Paper, “Moving from Logical Sharing of Guest OS to Physical Sharing of Deduplication on Virtual Machine”