KVM Forum 2021 has ended
Virtual Event | September 15-16, 2021


This schedule is displayed in Coordinated Universal Time (UTC).
KVM Track 1
Wednesday, September 15
 

05:00 UTC

Sharing IOMMU PageTables with TDP in KVM - Lu Baolu & Zhao Yan, Intel Corporation
With assigned devices, IOMMU page tables actually hold the same mappings as the TDP in KVM if a shadowed IOMMU page table is not required. Sharing IOMMU page tables with TDP has the advantages of a reduced memory footprint, a unified page table for dirty page tracking during migration and page fault handling, and probably higher performance by reducing unnecessary EPT/NPT zapping, EPT/NPT pre-population, etc. This talk examines the challenges in both the KVM and IOMMU subsystems and proposes an architecture to achieve this.

Speakers

Lu Baolu

Senior Software Engineer, Intel Corporation
Baolu, employed by Intel, is the Linux kernel maintainer for the Intel VT-d implementation. In recent years, he has focused on technologies such as Thunderbolt vulnerabilities, scalable I/O virtualization and shared virtual addressing.

Yan Zhao

Senior Software Engineer, Intel Corporation
Yan, employed by Intel, has more than 10 years of experience in virtualization software development. In recent years, she has focused on KVM and Linux kernel support for device direct assignment.



Wednesday September 15, 2021 05:00 - 05:25 UTC
  KVM Track 1
  • Presentation Slides Attached Yes

05:30 UTC

Support SDEI Virtualization and Asynchronous Page Fault for arm64 - Gavin Shan, Redhat
Asynchronous page fault has been supported on x86 for a long time. It improves the parallelism and performance of the guest by picking another process to execute when the requested page is not immediately ready in the stage-2 page fault handler. In this way, the vCPU on which the page is requested does not have to be suspended until the requested page becomes ready. Asynchronous page fault is not supported on arm64 yet; it relies on two signals or notifications delivered from host to guest: page-not-present and page-ready. The page-not-present notification must be delivered synchronously. As arm64 has no native NMI, SDEI (Software Delegated Exception Interface) is leveraged to deliver the page-not-present notification synchronously. On the other hand, page-ready is delivered from host to guest using a PPI (Private Peripheral Interrupt). The presentation will explain the design and implementation of SDEI virtualization and asynchronous page fault. Benchmarks will also be presented to show how much the guest can benefit from these features.

Speakers

Gavin Shan

Senior Software Engineer, Redhat
Gavin is currently employed by Redhat to work on KVM support for arm64. His main areas of interest span from memory management to live migration and QEMU. Prior to that, Gavin worked on the Linux kernel and drivers for over 10 years, and used to be employed by IBM to maintain...



Wednesday September 15, 2021 05:30 - 05:55 UTC
  KVM Track 1
  • Presentation Slides Attached Yes

06:00 UTC

Analysis of AMD HW-assisted vIOMMU Implementation and Performance - Suravee Suthikulpanit & Wei Huang, AMD
This talk will cover the software implementation details of AMD hardware-assisted vIOMMU (HW-vIOMMU), which includes the QEMU HW-vIOMMU device model, the extension to the AMD IOMMU driver to support the new HW-vIOMMU capability in the hypervisor, and the guest I/O page table support for the DMA API in the guest kernel. The talk will also demonstrate pass-through of a PCI device, which will be managed by the HW-vIOMMU inside the VM, analyze performance data of the HW-vIOMMU in various aspects, and discuss future improvements.

Speakers

Suravee Suthikulpanit

Open-Source Contributor, AMD
Suravee Suthikulpanit works for the AMD Server Software Group. His work mainly focuses on the Linux kernel and open-source virtualization software. Within AMD, Suravee works with the hardware design and performance teams on future feature definitions. Suravee has been a regular contributor...

Wei Huang

Open-Source Contributor, AMD
Wei Huang is a member of the AMD Server Software Group, with a current focus on server OS and x86 virtualization. Wei has contributed to the Linux kernel and various open source virtualization projects (Xen, KVM/QEMU, etc.), and has presented a number of times at various technical conferences...



Wednesday September 15, 2021 06:00 - 06:25 UTC
  KVM Track 1
  • Presentation Slides Attached Yes

06:30 UTC

KVM Memory Cost Optimization in Alibaba Cloud - Huaitong Han, Alibaba Cloud
In the current VM life cycle, in addition to the memory used by the guest OS, QEMU/KVM also uses a lot of memory. The KVM module in particular takes up memory in proportion to the VM memory specification, so for lightweight VMs such as Kata, KVM occupies too many memory resources, which is difficult to accept. In this talk, Huaitong will introduce the current KVM module memory usage and Alibaba Cloud's KVM module memory optimization practices.

Speakers

Huaitong Han

virtualization developer, Alibaba Cloud
Huaitong has 7 years of experience in system virtualization. He is working for Alibaba Cloud now, focusing on virtualization performance optimization and ECS feature development.



Wednesday September 15, 2021 06:30 - 06:55 UTC
  KVM Track 1
  • Presentation Slides Attached Yes

11:00 UTC

Mitigating Excessive Pause-Loop-Exiting in VM-Agnostic KVM - Kenta Ishiguro, Keio University
In virtualized environments, oversubscribing virtual CPUs (vCPUs) on physical CPUs (pCPUs) is common to utilize CPU resources efficiently. Unfortunately, excessive vCPU spinning, which occurs when a vCPU is waiting in a spin loop for an event from a descheduled vCPU, causes serious performance degradation. VM-agnostic KVM tries to prevent excessive vCPU spinning by rescheduling vCPUs when an excessive spin is detected by pause-loop exiting. This talk explains how the KVM vCPU scheduler fails to avoid excessive vCPU spinning in many cases. Three problems have been identified: 1) scheduler mismatch, 2) lost opportunity, and 3) overboost. The first problem comes from the mismatch between the KVM vCPU scheduler and the Linux scheduler. The second and third problems come from an inefficient algorithm for choosing the next candidate vCPU to be scheduled. Simple modifications gracefully resolve the problems and performance improves by up to 80%. The results imply that a VM-agnostic hypervisor can resolve excessive vCPU spinning more gracefully than previously believed.

Speakers

Kenta Ishiguro

Ph.D student, Keio University
Kenta Ishiguro is a Ph.D. student in the Department of Information and Computer Science at Keio University, advised by Kenji Kono. He is working on KVM performance analysis related to pause-loop exiting. He has made two academic contributions to KVM: "Mitigating Excessive vCPU Spinning...



Wednesday September 15, 2021 11:00 - 11:25 UTC
  KVM Track 1
  • Presentation Slides Attached Yes

11:30 UTC

Towards a More Efficient Synchronization in KVM - Wanpeng Li, Tencent Cloud
The KVM hypervisor is at the core of cloud computing. Virtual-machine-based approaches to workload consolidation, as seen in IaaS clouds as well as datacenter platforms, have long had to contend with performance degradation caused by synchronization primitives inside the guest environments. These primitives can be affected by virtual CPU preemptions by the host scheduler, which can introduce delays that are orders of magnitude longer than those primitives were designed for. In this presentation, Wanpeng Li will discuss lost opportunities in vCPU boost, vCPU stacking, the RCU-reader preemption problem in VMs, etc., and their mitigations.

Speakers

Wanpeng Li

Linux Kernel Contributor, Tencent Cloud
Wanpeng Li is a Linux kernel/virtualization developer with 9 years of experience who currently works at Tencent Cloud. He mainly focuses on KVM, the scheduler and memory management. In KVM, he has contributed many features to improve performance and stability. He has worked in the IBM LTC kernel...



Wednesday September 15, 2021 11:30 - 11:55 UTC
  KVM Track 1
  • Presentation Slides Attached Yes

13:35 UTC

Dirty Quota-Based VM Live Migration Auto-Converge - Manish Mishra & Shivam Kumar, Nutanix India
The current QEMU auto-converge implementation works by throttling all the vCPUs based on the dirty rate and network throughput observed over an iteration. This leads to all the vCPUs getting equally penalized, multiple iterations to get to the optimal throttle value, and convergence failure when >99% throttle is required. This talk proposes a new algorithm based on an individual vCPU "dirty quota" that dynamically throttles individual vCPUs based on their contribution to overall memory dirtying. It does so by enforcing an upper limit (dirty quota) on the number of pages a vCPU is allowed to dirty within a small interval of time, to limit the total pages dirtied over an iteration. The advantage of this approach is that it penalizes only the write-intensive vCPUs, dynamically adapts in case of varying network and dirty rate, and improves convergence by allowing more granular control over dirty rates.
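The mechanism the abstract describes (a per-vCPU page budget per interval, with only the vCPUs that exhaust their budget being parked) can be shown with a small constructed simulation. This is an added example, not the Nutanix patch set and not QEMU or KVM code; the interval budget (`link_pages`), its even split across vCPUs, the tick-based workload and all numbers are assumptions chosen for illustration. In a real implementation the accounting would happen in KVM when a page is marked dirty, and a vCPU that is over quota would exit to userspace and be held there until the next interval.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed simulation of per-vCPU dirty-quota throttling (illustrative,
 * not QEMU/KVM code). A vCPU may dirty at most `quota` pages per interval;
 * once it exceeds that it is parked until the next interval begins.
 */

#define MAX_VCPUS 16

struct vcpu_dirty {
    uint64_t quota;      /* pages this vCPU may dirty in the current interval */
    uint64_t dirtied;    /* pages it has dirtied so far in this interval */
    uint64_t throttles;  /* number of intervals in which it was parked */
};

struct dirty_quota {
    int nr_vcpus;
    struct vcpu_dirty vcpu[MAX_VCPUS];
};

/*
 * Start a new interval. link_pages is the number of pages the migration
 * stream can carry during one interval (assumption: the caller derives it
 * from measured network throughput, which is how the quota adapts to a
 * changing link). The budget is split evenly; a vCPU that does not write
 * simply never uses its share, so idle vCPUs are never penalized.
 */
void dirty_quota_new_interval(struct dirty_quota *dq, uint64_t link_pages)
{
    uint64_t per_vcpu = link_pages / (uint64_t)dq->nr_vcpus;
    if (per_vcpu == 0)
        per_vcpu = 1;            /* never block a vCPU forever */
    for (int i = 0; i < dq->nr_vcpus; i++) {
        dq->vcpu[i].quota = per_vcpu;
        dq->vcpu[i].dirtied = 0;
    }
}

void dirty_quota_init(struct dirty_quota *dq, int nr_vcpus, uint64_t link_pages)
{
    memset(dq, 0, sizeof *dq);
    dq->nr_vcpus = nr_vcpus > MAX_VCPUS ? MAX_VCPUS : nr_vcpus;
    dirty_quota_new_interval(dq, link_pages);
}

/*
 * Account `pages` newly dirtied pages to vCPU `id`. Returns true when the
 * vCPU has exceeded its quota and must be parked until the next interval.
 */
bool dirty_quota_account(struct dirty_quota *dq, int id, uint64_t pages)
{
    struct vcpu_dirty *v = &dq->vcpu[id];
    v->dirtied += pages;
    if (v->dirtied > v->quota) {
        v->throttles++;
        return true;
    }
    return false;
}

/* Total pages dirtied by all vCPUs in the current interval. */
uint64_t dirty_quota_total(const struct dirty_quota *dq)
{
    uint64_t total = 0;
    for (int i = 0; i < dq->nr_vcpus; i++)
        total += dq->vcpu[i].dirtied;
    return total;
}

/*
 * Run one interval with a constructed workload: vCPU 0 dirties `heavy`
 * pages per tick, every other vCPU dirties `light`. Returns how many vCPUs
 * ended up parked; a parked vCPU dirties nothing for the rest of the interval.
 */
int simulate_interval(struct dirty_quota *dq, uint64_t heavy, uint64_t light, int ticks)
{
    bool parked[MAX_VCPUS] = { false };
    int nr_parked = 0;

    for (int t = 0; t < ticks; t++) {
        for (int i = 0; i < dq->nr_vcpus; i++) {
            if (parked[i])
                continue;
            if (dirty_quota_account(dq, i, i == 0 ? heavy : light)) {
                parked[i] = true;
                nr_parked++;
            }
        }
    }
    return nr_parked;
}

int main(void)
{
    struct dirty_quota dq;
    /* assumption: the link carries 400 pages per interval, 4 vCPUs, 10 ticks */
    dirty_quota_init(&dq, 4, 400);
    int parked = simulate_interval(&dq, 50, 2, 10);
    printf("parked vCPUs: %d, dirtied this interval: %llu\n", parked,
           (unsigned long long)dirty_quota_total(&dq));
    for (int i = 0; i < dq.nr_vcpus; i++)
        printf("vcpu%d: quota=%llu dirtied=%llu throttled=%llu\n", i,
               (unsigned long long)dq.vcpu[i].quota,
               (unsigned long long)dq.vcpu[i].dirtied,
               (unsigned long long)dq.vcpu[i].throttles);
    return 0;
}
```

With these numbers only the write-heavy vCPU 0 is parked (after its third tick, having dirtied 150 pages against a quota of 100), while the three light vCPUs run for the whole interval untouched, which is the "penalize only the write-intensive vCPUs" property the abstract claims over uniform throttling. Shrinking `link_pages` shrinks every quota in the next interval, so a slow link converges by parking writers sooner rather than by searching for a global throttle percentage.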

Speakers

Shivam Kumar

Member of Technical Staff, Nutanix
I work for the AHV team at Nutanix where most of my work to date is around improving live migration algorithms. Other than live migration, my interests lie in systems and virtualization in general.

Manish Mishra

Member of Technical Staff, Nutanix India
Experience of working on the ESX kernel. Currently working with the VMware VMkernel team contributing to the vmkcore part. Knowledge of memory management, Intel x86 architecture, process management, OS booting, basic filesystems, kernel debugging. Continuously learning and passionate about virtualisation...



Wednesday September 15, 2021 13:35 - 14:00 UTC
  KVM Track 1
  • Presentation Slides Attached Yes

14:05 UTC

KVM Dirty Page Tracking - Peter Xu, Red Hat
In this talk, Peter Xu will discuss the existing solutions used in KVM for guest dirty page tracking, their challenges, and wild imaginations of the future. As a start, there will be a background introduction on what KVM dirty page tracking is, why we need it, and how it works. It will cover the state-of-the-art techniques we already use with either dirty logging or dirty rings, and discuss the pros and cons of the different solutions. The challenges we face on huge VM migrations will be discussed and explained too. It turns out that maybe having a better interface is not the only thing we need to do; we also need to think about how to use it right.

Speakers

Peter Xu

Software Engineer, Red Hat
Peter Xu is a software engineer working for Red Hat Virtualization team. He's recently working on VM live migrations and some memory management problems of VMs or hosts.



Wednesday September 15, 2021 14:05 - 14:30 UTC
  KVM Track 1
  • Presentation Slides Attached Yes

14:35 UTC

Know your QEMU and KVM Test Frameworks - Thomas Huth, Red Hat
QEMU and KVM are huge projects - and so there are of course also multiple test frameworks for the various parts of the project: KVM selftests, kvm-unit-tests, qemu qtests, iotests, avocado etc. For newcomers, but also for frequent contributors to the projects, it can be quite challenging to understand and pick the right framework for the topics they are working on. This talk will give a survey over the available testing frameworks, to help with the decision of which one should be chosen for which task, along with some simple examples for adding new tests.

Speakers

Thomas Huth

Principal Software Engineer, Red Hat
Thomas Huth is working for Red Hat in the virtualization team, taking care of keeping the virtualization stack on the IBM Z (s390x) platform in a good shape. Additionally he's also involved in the upstream QEMU project when time permits.



Wednesday September 15, 2021 14:35 - 15:00 UTC
  KVM Track 1
  • Presentation Slides Attached Yes

15:05 UTC

Qemu Performance Regression CI - Lukáš Doktor, Red Hat Czech, s. r. o.
Motto: "An improvement is BAD in the same way a regression is." This talk builds on the "Proposal for a regular upstream performance testing" email thread on qemu-devel and describes what is being done, why it’s important and suggests a BoF session to discuss use cases and make any necessary adjustments. After a brief introduction of our upstream performance regression CI the talk is going to move towards the practical aspects useful for (mainly) qemu developers, explaining the public reports, the collected metrics, how to make sense of the issues and how to reproduce the runs.

Speakers

Lukáš Doktor

Senior Software Engineer, Red Hat
Python enthusiast, especially for its ease of debugging and the ability to interactively inquire into it when something doesn't work as expected. At Red Hat he is in the virtualization team, currently working on upstream/downstream performance CI; previously did the same for functional CI on...



Wednesday September 15, 2021 15:05 - 15:30 UTC
  KVM Track 1
  • Presentation Slides Attached Yes

15:35 UTC

HCK-CI: Enabling CI for Windows Guest Paravirtualized Drivers - Kostiantyn Kostiuk, Daynix Computing LTD
In order to be able to accept contributions from different developers to the virtio-win (http://github.com/virtio-win/kvm-guest-drivers-windows/) project, there is a need to ensure that those contributions do not break the ability of different members of the ecosystem to certify the virtio-win drivers. As a result, the HCK-CI test framework was created in order to enable CI for all types of virtio-win drivers on a wide range of Windows OS versions. The framework automates setup creation (VM and network orchestration), uses the HLK/HCK toolkit APIs to run Microsoft WHQL certification tests, and publishes the results in human-readable form. During the presentation, Kostiantyn will review the history of the project, explain the architecture of HCK-CI, demonstrate how you can deploy it in your development setup, and talk about the future of the project.

Speakers

Kostiantyn Kostiuk

Software engineer, Daynix Computing LTD
Kostiantyn is a SW engineer at Daynix. For the last several years he has been working on security-based virtualization, focusing on QEMU/KVM related projects. Kostiantyn is lately involved in introducing CI capabilities for paravirtualized drivers based on the HCK-CI project: https://github.com/hck-ci...



Wednesday September 15, 2021 15:35 - 16:00 UTC
  KVM Track 1
  • Presentation Slides Attached Yes
 
Thursday, September 16
 

05:00 UTC

Protecting from Malicious Hypervisor Using AMD SEV-SNP - Brijesh Singh, AMD
This talk will discuss AMD SEV-SNP (Secure Nested Paging), the next generation of AMD’s x86 virtualization isolation technology. Building upon the existing AMD SEV and AMD SEV-ES features released in 2017, SEV-SNP provides additional hardware security that is designed to protect VMs from malicious hypervisors. SEV-SNP adds new memory integrity protection, new use models, and more flexibility in attestation and VM management when working with protected VMs in hostile environments. This talk will delve into the specific changes required in the KVM to support the SEV-SNP feature.

Speakers

Brijesh Singh

SMTS, Advanced Micro Devices
Brijesh Singh is a member of the Linux OS group at Advanced Micro Devices. He is responsible for enabling and enhancing support for AMD processor features in the Linux kernel. He is currently working on extending the SEV support to enable SEV-SNP (Secure Nested Paging).



Thursday September 16, 2021 05:00 - 05:25 UTC
  KVM Track 1
  • Presentation Slides Attached Yes

05:30 UTC

Status Update on TDX Support - Isaku Yamahata, Intel
Intel Trust Domain Extensions (TDX) isolate VMs from the VMM and other software, to protect VMs from a broad range of software. KVM must be enabled to support it. This talk will update the status of KVM TDX enablement activities since last year. After an overview of the technology as introduction, the overall progress will be presented and then the details: newly supported features, enhancements to KVM, and then the QEMU changes. Changes to the guest Linux kernel will also be discussed. Finally the future plan will be shown as conclusion.

Speakers

Isaku Yamahata

Software Engineer, Intel
Isaku Yamahata is a Software Architect in the Open Source Technology Center, Intel. His main focus has been virtualization technology and network virtualization as Software Defined Networking for multiple years. Isaku is active on Graphene LibOS and OpenStack Neutron (networking) and has...



Thursday September 16, 2021 05:30 - 05:55 UTC
  KVM Track 1
  • Presentation Slides Attached Yes

06:00 UTC

TDX Live Migration - Wei Wang, Intel Corp.
The Intel Trust Domain Extensions (TDX) technology extends VMX and MKTME to enhance guest data security by isolating guests from host software, including the VMM/hypervisor. Live migration support for such isolated guests (i.e. TDs) facilitates the deployment of TD guests in the cloud. This talk presents the QEMU/KVM design of TDX live migration and initial PoC results for the migration performance evaluation. A common framework is added to the QEMU migration to support TD guests and other similar technologies (e.g. SEV guests). For TDX live migration, the guest shared memory pages are migrated in plaintext. The guest private memory pages, vCPU states and TD-scope states are encrypted via a migration key when they are exported by KVM from the TDX module. A migration stream in the workflow has a KVM device created, and the device creates shared memory between KVM and the QEMU migration thread to transport the encrypted guest states.

Speakers

Wei Wang

Senior Software Engineer, Intel Corp.
Wei is currently a software developer at Intel. He earned a Master's degree from the University of Ottawa, Canada. Wei has rich experience in the virtualization field and has worked on many projects such as network virtualization, VM live migration, memory ballooning, PMU virtualization...



Thursday September 16, 2021 06:00 - 06:25 UTC
  KVM Track 1
  • Presentation Slides Attached Yes

06:30 UTC

Unmapped Guest Memory - Yu Zhang, Intel
Historically, guest memory has been visible to the userspace part of the VMM, such as QEMU, in the KVM architecture. This is convenient for userspace to handle services on behalf of the guest. However, this ability is also seen as increasing the guest attack surface, and with stricter hardware memory protection features like Intel TDX, such access can cause real system issues like a system crash. In this talk we will present our way to address this problem, which is being discussed in the community.

Speakers

Yu Zhang

Virtualization Developer, Intel
Yu is a virtualization developer from Intel's virtualization team. He has 10+ years of experience in virtualization areas, from I/O to CPU/memory virtualization, and from performance tuning to security enhancements. Yu's public presentation experience includes Xen Summit, the LC3 conference, Intel...



Thursday September 16, 2021 06:30 - 06:55 UTC
  KVM Track 1
  • Presentation Slides Attached Yes

11:00 UTC

libkrun: More than a VMM, in Dynamic Library Form - Sergio Lopez Pascual, Red Hat
libkrun is a dynamic library that enables programs to easily acquire virtualization-based process isolation capabilities. Combined with an OCI runtime like crun, it can seamlessly run a container inside a Virtual Machine. Combined with a small frontend such as krunvm, it makes it possible to run lightweight Virtual Machines based on OCI images. And that's just the start of it, as new use cases for libkrun continuously emerge, such as its use as a lightweight runtime for Confidential Computing workloads. In this session, Sergio Lopez will present libkrun's main components, design choices and future developments, along with a demonstration of its current capabilities and integrations in other projects.

Speakers

Sergio Lopez Pascual

Principal Software Engineer, Red Hat
Sergio Lopez is a Principal Software Engineer working in the Virtualization team at Red Hat. He's the maintainer of the "microvm" machine type in QEMU, libkrun, krunvm, virtiofsd-rs, and co-maintainer of various rust-vmm crates. He presented previously at various iterations of DevConf.cz...



Thursday September 16, 2021 11:00 - 11:20 UTC
  KVM Track 1
  • Presentation Slides Attached Yes

11:20 UTC

Don't Peek Into my Container! - Alice Frosi, Christophe de Dinechin & Sergio Lopez Pascual, Red Hat
"Confidential containers" is the application of confidential computing technologies such as AMD SEV or Intel TDX to protect the data in containers. This matters for use cases where the "tenant" running the workloads has legal or business reasons to want the data being processed to be hidden from the infrastructure it is running on.

We will focus on the interaction between container runtimes and KVM, using Kata Containers and libkrun as two example implementations. This will expose both technical and market challenges of enabling technologies such as AMD SEV or Intel TDX, which differ in their availability and capabilities but also in the way they perform attestation.

In this talk, we are going to explore how you can convert your containerized application into an encrypted workload using libkrun, KVM, and Kubernetes. You will learn the architecture designed for k8s, and the challenges we face in deploying an attested and confidential workload while keeping the user experience as agile as usual container deployments.

We will also quickly show how Kata Containers recently added platform-level support, and how we plan to more significantly overhaul its architecture in order to deliver a solid value proposition in terms of security.


Speakers

Christophe de Dinechin

Senior Principal Software Engineer, Red Hat
Working on Kata Containers and OpenShift sandboxed containers. Areas of interest: programming languages (XL), interactive 3D graphics and stereoscopy (Tao3D), physics research (theory of incomplete measurements). More info on http://c3d.github.io

Alice Frosi

Principal Engineer, Red Hat
Alice is a Principal Software Engineer working on KubeVirt, virtualization, and containers. She focuses mostly on storage topics but she has fun exploring all possible combinations of containers and VMs.

Sergio Lopez Pascual

Principal Software Engineer, Red Hat
Sergio Lopez is a Principal Software Engineer working in the Virtualization team at Red Hat. He's the maintainer of the "microvm" machine type in QEMU, libkrun, krunvm, virtiofsd-rs, and co-maintainer of various rust-vmm crates. He presented previously at various iterations of DevConf.cz...



Thursday September 16, 2021 11:20 - 12:00 UTC
  KVM Track 1
  • Presentation Slides Attached Yes

13:35 UTC

Securing Linux VM boot with AMD SEV measurement - Dov Murik & Hubertus Franke, IBM Research
Booting Linux guests with AMD SEV using a kernel and initrd supplied by the VMM currently breaks the Confidential Computing promise: the binaries are supplied by the VMM, which is outside the trusted domain. However, this mode of guest booting is convenient for both the platform provider and the guest owner, as usually the kernel and initrd binaries are not confidential. We introduce a way to harness SEV memory measurement and secret injection at startup to verify that the kernel and initrd supplied by the VMM are indeed approved by the guest owner, thus making this way of booting SEV guests secure for Confidential Computing workloads. The presentation will explain the boot process in the VMM and guest, the integrity checks added in OVMF, and the layouts of the secret injection memory areas. We will present the current upstream status of the OVMF and QEMU patches, as well as cover possible attack scenarios and mitigations.

Speakers

Dov Murik

Research Staff Member, IBM
Dov Murik is a Research Staff Member in IBM Research, working on various aspects of information and system security, and recently focusing on confidential computing. Previously he worked on malware detection, phishing prevention, and AI security. Before that he was part of IBM Trusteer...

Hubertus Franke

Distinguished Research Staff Member, IBM Research
Dr. Hubertus Franke has been a Distinguished Research Staff Member at the IBM T.J. Watson Research Center since 1993. His current work and interests are in operating systems, virtualization, processor architectures, cloud runtimes and security. Some time back he also...



Thursday September 16, 2021 13:35 - 14:00 UTC
  KVM Track 1
  • Presentation Slides Attached Yes

14:05 UTC

Encrypted Virtual Machine Images for Confidential Computing - James Bottomley, IBM & Brijesh Singh, AMD
KVM/QEMU has had the concept of encrypted qcow2 images for a while. Unfortunately the decryption is done inside the VMM which, in the current SEV and TDX paradigms, is outside of the trust zone and thus inappropriate for Confidential Computing, because the machine owner must be privy to the image encryption key. We introduce a new encrypted image format, which is very similar to the current encrypted image format except that decryption is done inside the guest instead of in the VMM, thus making it suitable for Confidential Computing. This presentation will explain the image format, how it works both inside and outside of Confidential Computing hardware, and, for AMD SEV hardware, how attestation, trust and secret key release work, including a demo of the feature. Getting all this to work requires patches to tianocore/OVMF, QEMU and grub, which we will describe and explain (and give the current upstream status).

Speakers

James Bottomley

DE, IBM
James Bottomley is a Distinguished Engineer at IBM Research where he works on Cloud and Container technology. He is also Linux Kernel maintainer of the SCSI subsystem. He has been a Director on the Board...

Brijesh Singh

SMTS, Advanced Micro Devices
Brijesh Singh is a member of the Linux OS group at Advanced Micro Devices. He is responsible for enabling and enhancing support for AMD processor features in the Linux kernel. He is currently working on extending the SEV support to enable SEV-SNP (Secure Nested Paging).


Thursday September 16, 2021 14:05 - 14:30 UTC

14:35 UTC

Secure Live Migration of Encrypted VMs - Tobin Feldman-Fitzthum & Dov Murik, IBM
Most Confidential Computing platforms, such as AMD SEV, encrypt guest memory and CPU state, not allowing the hypervisor to access either. This complicates live VM migration. In a non-secure setting, the hypervisor copies memory from the source node to the destination node and coordinates the CPU state of the source VM and destination VM. In a secure setting, without access to guest memory or CPU state, the hypervisor needs help from a trusted agent inside the guest to facilitate live migration. We are implementing live migration support in firmware. In this session, we will describe in detail the current and future challenges for migrating encrypted VMs. We will walk through our modified firmware and demonstrate how it can be used with QEMU and SEV VMs.

Speakers

Tobin Feldman-Fitzthum

Software Engineer, T.J. Watson IBM Research Center
Tobin Feldman-Fitzthum is a Software Engineer at the T.J. Watson IBM Research Center. He works on secure virtualization and confidential computing. Tobin was a founding maintainer of the Confidential Containers CNCF Sandbox Project. He has also worked on encrypted disks and fast live...

Dov Murik

Research Staff Member, IBM
Dov Murik is a Research Staff Member in IBM Research, working on various aspects of information and system security, and recently focusing on confidential computing. Previously he worked on malware detection, phishing prevention, and AI security. Before that he was part of IBM Trusteer...



Thursday September 16, 2021 14:35 - 15:00 UTC
  KVM Track 1
  • Presentation Slides Attached Yes

15:05 UTC

Securing the Hypervisor with Control-Flow Integrity - Daniele Buono, IBM
In the cloud, the Hypervisor is usually the first line of defense against attacks from malicious users. But what if the Hypervisor itself is vulnerable to attacks? What can we do to protect the host, and other VMs, against Hypervisor attacks, specifically zero-day exploits, where only generic security countermeasures can be taken? In this seminar, we present our work with the QEMU community to upstream a new security mechanism by leveraging Clang's software implementation of both backward and forward Control-Flow Integrity (CFI) for x86 systems. We show how, and why, this technique can provide an effective protection against zero-day remote execution exploits based on buffer overflows and ROP attacks, sooner and more extensively than current countermeasures such as SELinux, AppArmor, or Seccomp. We will also explain why compiler-driven CFI offers better protection than hardware-based techniques such as Intel's CET. Finally, we will discuss the few incompatibilities we encountered in QEMU's codebase, and the possibility of enabling CFI with QEMU's plugins and modules, which are currently unsupported.
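The forward-edge half of what the abstract describes (every indirect call is checked against the set of functions whose type matches the call site, so a corrupted function pointer in a device model cannot be steered to an arbitrary address) can be spelled out by hand. The following is an added, constructed illustration; it is neither Clang's CFI implementation nor QEMU code. Clang computes the valid-target sets per function type at link time (which is why `-fsanitize=cfi` requires `-flto`) and traps on a violation; here the set is a hand-written table and the violation is reported as a return code so the program can show both outcomes. The handler type, the function names and the "corrupted pointer" scenario are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed illustration of a forward-edge CFI check, shaped like the test
 * that Clang's -fsanitize=cfi-icall inserts before an indirect call:
 * "is the target one of the functions whose type matches this call?".
 * Not Clang's implementation and not QEMU code.
 */

typedef int (*event_handler)(int);

static int handle_double(int x) { return 2 * x; }
static int handle_negate(int x) { return -x; }

/*
 * Same address space, different type: the kind of target a corrupted
 * function pointer could be redirected to. It is never a legal event_handler.
 */
static int spawn_shell(const char *cmd) { (void)cmd; return 0xbad; }

/*
 * Valid targets for the event_handler type. Clang derives this set per
 * function type at link time (hence the LTO requirement); here it is
 * written out by hand for the example.
 */
static const event_handler valid_handlers[] = { handle_double, handle_negate };

static int cfi_is_valid_handler(event_handler fn)
{
    for (size_t i = 0; i < sizeof valid_handlers / sizeof valid_handlers[0]; i++)
        if (valid_handlers[i] == fn)
            return 1;
    return 0;
}

/*
 * Checked indirect call: returns 0 and stores the handler's result, or -1
 * when the pointer is not a legitimate target. Clang traps at this point,
 * so an overwritten pointer becomes a crash instead of code execution.
 */
int dispatch_checked(event_handler fn, int arg, int *out)
{
    if (!cfi_is_valid_handler(fn))
        return -1;
    *out = fn(arg);
    return 0;
}

/* The unchecked form: with a corrupted `fn` this is the attacker's pivot. */
int dispatch_unchecked(event_handler fn, int arg)
{
    return fn(arg);
}

int main(void)
{
    int out = 0;

    /* normal path: a legitimate handler is called */
    dispatch_checked(handle_double, 21, &out);
    printf("handle_double(21) = %d\n", out);

    /* constructed corruption: the pointer now holds a wrong-typed function */
    event_handler corrupted = (event_handler)spawn_shell;
    if (dispatch_checked(corrupted, 0, &out) < 0)
        printf("CFI violation: indirect call refused\n");
    return 0;
}
```

This checks only the forward edge (calls through function pointers); the backward edge that ROP abuses (return addresses) is a separate mechanism, which the talk covers under backward CFI. To get the real thing in QEMU, configure with `--enable-cfi` (which requires LTO), or for a plain Clang build use `clang -flto -fvisibility=hidden -fsanitize=cfi`; the unchecked `dispatch_unchecked` above is what such a build would reject at the indirect call when `fn` no longer points at an `event_handler`.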

Speakers

Daniele Buono

RSM, IBM
Daniele Buono is a Research Staff Member and Manager at the IBM T.J. Watson Research Center, where he is currently leading the Security and Attestation for Hybrid Cloud group. He joined the Data-Centric Systems group at IBM Research in 2014, where he focused on High-Performance Computing...



Thursday September 16, 2021 15:05 - 15:30 UTC
  KVM Track 1
  • Presentation Slides Attached Yes

15:35 UTC

Host & Guest Tracing in Virtualization: "To sync, or not to sync?" - Stefano De Venuto, SUSE & Tzvetomir Stoyanov, VMware
Tracing is instrumental for understanding how a complex system works or for investigating issues. In virtualized environments, however, we have the complete picture only if we trace both the host and the guests (and then combine all the traces!). This talk shows how tools like trace-cmd and KernelShark can already be used for this purpose, including having the timestamps of events in host and guest traces synchronized. However, let's assume we have a combined trace and the tracing tools are telling us that all is synced. Is that really the case? And how can we be sure? This talk discusses a possible "event-driven" approach to check and evaluate how accurate the synchronization turned out to be, and introduces a tool, implemented on top of libkshark, that can help do this kind of analysis automatically.

Speakers

Tzvetomir Stoyanov

Open Source Engineer, VMware
Tzvetomir Stoyanov is an Open Source Engineer at VMware, contributing to a variety of open source projects, including Linux kernel and user space tracing, Edge and IoT, and Machine Learning. Before joining VMware, he worked with Linux and various Unix-like operating systems for twenty...

Stefano De Venuto

Intern, SUSE
Stefano De Venuto is a CS student at the University of Turin, and he is currently doing an internship at SUSE focusing on combined host and guest tracing in virtualized systems. He is also really interested in the cybersecurity field, specifically in low level stuff, and loves sk...



Thursday September 16, 2021 15:35 - 16:00 UTC
  KVM Track 1
  • Presentation Slides Attached Yes
 