Entries in 'security'


A Scalable Approach To Deploying And Managing Appliances

Our paper about virtual appliance configuration and management was accepted to the TeraGrid 2007 conference and is now online: A Scalable Approach To Deploying And Managing Appliances.

This paper examines configuration and security issues that large and heterogeneous deployments of virtual appliances/workspaces will face.

From the introduction:

The goal of this paper is to develop a holistic approach that would provide scalable and sustainable ways of managing and deploying virtual workspaces implemented as VM images. We will discuss ways of leveraging existing configuration management tools, exemplified by the Bcfg2 system, for VM image lifecycle management that will allow systems staff to deploy robust virtualized resources for their users. We will also describe the process of contextualization — integration of an appliance in its deployment context — and discuss its reference implementation using Bcfg2 and the Workspace Service.

GridShib for GT v0.5.1

The GridShib Project is pleased to announce GridShib for GT v0.5.1, which is now available on the GridShib Downloads page:

http://gridshib.globus.org/download.html#gridshib-gt

For a detailed changelog of what is new in this release, see:

http://gridshib.globus.org/docs/gridshib-gt-0.5.1/admin-index.html#gridshib-gt-changelog

The major change in this release is support for using VOMS-based authorization in conjunction with SAML-attribute-based authorization (authorization will be based on one or the other). If you are not interested in using VOMS, GridShib for GT will compile and run without the VOMS authorization library installed.

VOMS authorization library 0.2 for GT

We are pleased to announce that an update of the VOMS authorization package is now available.

This library is for the GT4 Java core authorization framework. It allows VOMS certificates to be inspected and authorization decisions to be made based on the attributes.

The notable changes are:
- support for user account mappings from VOMS attributes
- compatibility with both GT4.0.x and GT4.1.0.

For information on downloads, installation, and configuration, see the VOMS page:

http://dev.globus.org/wiki/VOMS

GridShib SAML Tools v0.1.3

Tom Scavo writes:

The GridShib Team is pleased to announce the availability of the GridShib SAML Tools v0.1.3.

http://gridshib.globus.org/docs/gridshib-saml-tools-0.1.3/readme.html

Changes in this release include:

- added support for --ssoResponse command-line option
- fixed logging bug http://bugzilla.globus.org/globus/show_bug.cgi?id=4982
- fixed (UNIX) file permissions on scripts in bin/
- fixed CRLF on scripts and editable text files
- implemented web-based demo script https://computer.ncsa.uiuc.edu/gst-demo/

To see the GridShib SAML Tools in action, please try out our new demo app:

https://computer.ncsa.uiuc.edu/gst-demo/

The source code used to implement this demo is bundled with the SAML Tools. As always, you can download the SAML Tools and other software components from the GridShib Downloads page:

http://gridshib.globus.org/download.html

GridShib SAML Tools v0.1.2

On Friday, Tom Scavo wrote:

The GridShib Team is pleased to announce GridShib SAML Tools v0.1.2.

http://gridshib.globus.org/docs/gridshib-saml-tools-0.1.2/readme.html

Changes in this release include:

- fixed incompatibility bugs with JDK 1.4
- fixed incompatibility bugs with OpenSAML 1.1
- enabled logging
- enabled debug option
- updated JGlobus CoG library
- added subjectIP address to command-line interface

Many thanks to Wonjun Lee for his extremely helpful feedback and assistance.

To try out the GridShib SAML Tools, please visit the GridShib Downloads page:

http://gridshib.globus.org/download.html#saml-tools

Attacks on Virtual Machine Emulators

I ran across an interesting overview paper, Attacks on Virtual Machine Emulators by Peter Ferrie, Senior Principal Researcher, Symantec Advanced Threat Research.

Abstract - As virtual machine emulators have become commonplace in the analysis of malicious code, malicious code has started to fight back. This paper will explain known attacks against the most widely used virtual machine emulators (VMware and VirtualPC). It will also demonstrate newly discovered attacks on other virtual machine emulators (Bochs, Hydra, QEMU, and Xen), and describe how to defend against them.

A lot of the paper covers detection, which I would say is different from an attack.

One interesting technique discussed is using the CPUID instruction in combination with examining pages in the TLB to detect the presence of a VMM (cf. this previous entry here).

There is also a description of an authentication method that Parallels employs: a session key that the guest places into the general-purpose registers (the paper also discusses a way of crashing Parallels on demand).

Slides and the paper can be downloaded from the author’s homepage.

GridShib SAML Tools v0.1.1

Tom Scavo writes on gridshib-announce:

The GridShib Team is pleased to announce GridShib SAML Tools v0.1.1.

http://gridshib.globus.org/docs/gridshib-saml-tools-0.1.1/readme.html

The most visible feature of this minor point release of the GridShib SAML Tools is its ability to use a Java KeyStore as the issuing credential. The install script now creates such a KeyStore, which reduces the startup requirements to Java and Ant, nothing more.

To try out the GridShib SAML Tools, please visit the GridShib Downloads page:

http://gridshib.globus.org/download.html#saml-tools

The GridShib SAML Tools issue or request SAML assertions and optionally bind these assertions to X.509 proxy certificates for use on the grid (or in other scenarios).

The toolbox consists of the following components:

  1. SAML Assertion Issuer Tool
  2. SAML Attribute Query Client
  3. SAML X.509 Binding Tool
  4. Globus SAML Library

For more information, read the GridShib SAML Tools 0.1.1 documentation.

Blue Pill counter argument

This is old news, but I wanted to remind you that there is a counter argument to the blue pill “100% undetectable malware” prototype that generated a lot of press this year:

http://www.virtualization.info/2006/08/debunking-blue-pill-myth.html

http://x86vmm.blogspot.com/2006/08/blue-pill-is-quasi-illiterate.html

Also, since malware requires an attack vector in the first place: if you don’t have extreme performance requirements, consider putting all network-facing services in VMs (my websites are, save one SSH port on a dedicated IP). This should eliminate the ability of a blue pill/SubVirt-style attack to take hold in the first place, unless there’s an egregious networking-stack issue in the VMM (if the VMM is even involved in networking, which is not always the case).

I hope that network-facing VMs for the desktop become commonplace, which I guess will happen en masse when Microsoft likes the idea (and makes it transparent to the user). Boot from a saved, clean slate every session, perhaps with versioned, non-executable storage shared between host and guest VM for user data updates.

Here is a ready-to-go web-browsing virtual appliance from VMware and another one from rPath.
