A Common Code Base and Toolkit for Deployment of Applications to Secure and Reliable Virtual Execution Environments

Risultati finali

Report on Communication and Dissemination Activities and Exploitation Plans - Initial

This report describes the 1st year results of all the activities for impact creation, including communication actions (also through project’s website), scientific publications, events participation as well as initial plans for the exploitation of the project outcomes.

Security, Safety and Validation Support Definition - Initial

This deliverable will describe the definition of the UNICORE security and safety primitives, which allow UNICORE applications to minimize the attack and failure surface in production. This is done both proactively (using software verification techniques) and reactively (using software hardening techniques). In addition, this deliverable will report on deterministic execution support for smart contracts.

Report on Communication and Dissemination Activities - Intermediate

This report describes the 2nd year results of all the activities form impact creation, including communication actions, scientific publications and events participation.

Platform Requirements - Final

This deliverable will describe the aggregated inputs and goals of the diverse partners will aligned into one consistent whole that will maximise the efficiency of the core implementation and developed toolsets for the selected and practical use-cases of Unikernels defined in WP5. This deliverable will contain: the initial description of the Scenarios, the initial description of business and trials requirements, the taxonomy of services where unikernels applies.

Security, Safety and Validation Support Definition - Final

This deliverable will describe the definition of the UNICORE security and safety primitives which allow UNICORE applications to minimize the attack and failure surface in production This is done both proactively using software verification techniques and reactively using software hardening techniques In addition this deliverable will report on deterministic execution support for smart contracts

Initial Deployment

This report will detail the results of the initial deployment of the core project tools/unikernels (i.e., the output of WP2, WP3 and WP4): what went well, what did not, what functionality is missing, etc. This input will be fed back to the core WPs in order to further refine the UNICORE tools to meet the demands of the project’s four use cases.

Final Report on Open Source Contributions, Exploitation Plans and Business Opportunities

This report will summarize the project contributions to standardization bodies and open source communities Moreover the report will describe the final exploitation plans analyzing the potential of the project outcomes to feed new market products and inspire future research activities

API Design - Final

This deliverable in close cooperation with WP3WP5 will provide the library categories API definitions and semantics annotations This will define the common interfaces prevailing throughout UNICORE to support decomposition and modularization of OS components and automated Unikernel construction

Platform Requirements - Initial

This deliverable will describe the conflicting inputs and goals of the diverse partners will aligned into one consistent whole that will maximise the efficiency of the core implementation and developed toolsets for the selected and practical use-cases of Unikernels defined in WP5. This deliverable will contain: the initial description of the Scenarios, the initial description of business and trials requirements, the taxonomy of services where unikernels applies.

Deployment Plan, Requirements and Business Cases

This report will provide a detailed deployment plan for the four different deployment targets in this WP. This will include infrastructure description, unikernel requirements for each particular use case and any orchestration/management integration requirements. Further, this report will provide an analysis and description of the business cases for each of the use cases, pointing out what the business models will be.

Data Management Plan

This deliverable provides the data management plan for open research data conforming to the guidelines of the H2020 framework programme.

Design & Implementation of Tools for Unikernel Deployment - Initial

A report on the development of the tools required during the unikernel life cycle. The report details the design of each tool used to build the unikernel, including a decomposition tool, dependency analysis tool, optimization tool and verification tool. Deployment tools are also described including any modifications or additions required to the orchestration tool. In addition, the design of the host environment is described and details how unikernels are supported for easy deployment, and reliable and secure execution without sacrificing performance. The report will be accompanied by an initial release of the open source tool set and host development and deployment environments.

Platform Integration

This deliverable will report on the results of the integration effort which will bring all of the UNICORE tools eg the build tool the verification one the performance optimization one etc under a common easytouse ecosystem It will further contain a section consisting of a user manual to explain how this ecosystem of tools should be used

Definition of APIs and Library Identification - Initial

This deliverable will describe the definition of the UNICORE APIs that allow libraries within a category (e.g., schedulers, memory allocators, etc.) to be able to easily swapped in and out (e.g., exchanging a co-operative scheduler with a pre-emptive one, or a slab allocator with a buddy one). In addition, this deliverable will identify the libraries that UNICORE will need to support the widest possible range of applications, along with a work plan as to how to quickly implement them (or port them).

Platform Evaluation

This deliverable will contain the results of the final implementation of the UNICORE use cases This final document will include an overall analysis of the performed evaluations and will provide a final assessment of the models underlying the tested control components This document will provide guidelines for future collaborative users of the system to maximize the tools usage

Design & Implementation of Tools for Unikernel Deployment - Intermediate

An updated report detailing the progress since the release of D4.1. The report includes the final design of all the tools and host environment which are now feature complete. An evaluation of the development and deployment environment is included, which is based on T2.4 Evaluation. A second release of the source code is also part of the deliverable, which has already been published as open source as part of D4.1.

API Design - Intermediate

This deliverable in close cooperation with WP3/WP5 will provide the library categories API definitions and semantics annotations. This will define the common interfaces prevailing throughout UNICORE to support decomposition and modularization of OS components, and automated Unikernel construction.

Innovation Strategy Report

This deliverable will provide a full report of the innovation activities of T13 including market analysis description of business opportunities and the development of business models for the deployments envisioned by project partners WP5 This document will further describe interactions with the advisory board regarding innovation opportunities as well as any developments coming from dissemination activities at industryled events

API Design - Initial

This deliverable in close cooperation with WP3/WP5 will provide the library categories API definitions and semantics annotations. This will define the common interfaces prevailing throughout UNICORE to support decomposition and modularization of OS components, and automated Unikernel construction.

Report on Communication and Dissemination Activities - Final

This report describes all the communication and dissemination results of the project including details of scientific publications organization of workshops advertising and communication materials participation in industrial events

Definition of APIs and Library Identification - Final

This deliverable will describe the definition of the UNICORE APIs that allow libraries within a category eg schedulers memory allocators etc to be able to easily swapped in and out eg exchanging a cooperative scheduler with a preemptive one or a slab allocator with a buddy one In addition this deliverable will identify the libraries that UNICORE will need to support the widest possible range of applications along with a work plan as to how to quickly implement them or port them

API, Library and Security Primitives Implementation - Initial

This deliverable will provide the initial implementation of the UNICORE APIs, along with an initial set of libraries. This initial set should be sufficient to at least support a few applications (e.g., a web server, or a Python unikernel) in order to start developing the project’s use cases. Further, this deliverable will describe an initial implementation of the security and safety primitives being developed in tasks T3.2 and T.3.3.

Design & Implementation of Tools for Unikernel Deployment - Final

The final report detailing the progress since the release of D42 Any modifications to the design that were implemented are included which may come about as a result of evaluation through the use cases

Final Deployment, Evaluation and Market Impact

This report will give a full description of the final deployment for all use cases including a performance evaluation and a final description of the business case and future plans that each deployment has in order to have market impact

API, Library and Security Primitives Implementation - Final

This deliverable will contain the description of the final implementation of the UNICORE APIs libraries and security and safety primitives At this stage this implementation will cover all of the functionality needed by the UNICORE use cases

Website, Social Accounts and Advertising Material

This report documents the web site and the social channels established, as well as the initial advertising material produced to widely disseminate the activities and the outcomes of the project.

Pubblicazioni

PIBE: Practical Kernel Control-flow Hardening with Profile-guided Indirect Branch Elimination.

Autori: Duta, V.; van der Kouwe, E.; Bos, H.; and Giuffrida, C
Pubblicato in: ASPLOS 2021: Proceedings of the 26th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, 2021
Editore: ACM

Unikraft: Fast, Specialized Unikernels the Easy Way

Autori: Felipe Huici
Pubblicato in: EuroSys '21: Proceedings of the Sixteenth European Conference on Computer Systems, 2021
Editore: ACM
DOI: 10.1145/3447786.3456248

TLB;DR: Enhancing TLB-based Attacks with TLB Desynchronized Reverse Engineering

Autori: Tatar, A.; Trujillo, D.; Giuffrida, C
Pubblicato in: USENIX Security, 2022
Editore: USENIX

FlexOS: towards flexible OS isolation

Autori: Lefeuvre, H.; Bădoiu, V-A.; Jung, A.; Teodorescu, S.L.; Rauch, S.; Huici, F.; Raiciu, C
Pubblicato in: In Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS 2022)., 2022
Editore: ACM
DOI: 10.1145/3503222.3507759

FlexOS: Making OS Isolation Flexible

Autori: Hugo Lefeuvre
Pubblicato in: HotOS '21: Proceedings of the Workshop on Hot Topics in Operating Systems, 2021
Editore: ACM
DOI: 10.1145/3458336.3465292

Branch History Injection: On the Effectiveness of Hardware Mitigations Against Cross-Privilege Spectre-v2 Attacks

Autori: Barberis, E.; Frigo, P.; Muench, M.; Bos, H.; and Giuffrida, C.
Pubblicato in: USENIX Security, 2022
Editore: USENIX

NetCAT: Practical Cache Attacks from the Network

Autori: Kurth, M.; Gras, B.; Andriesse, D.; Giuffrida, C.; Bos, H
Pubblicato in: 2020 IEEE Symposium on Security and Privacy (SP), 2020
Editore: IEEE
DOI: 10.1109/sp40000.2020.00082

DupeFS: Leaking Data Over the Network With Filesystem Deduplication Side Channels

Autori: Bacs, A.; Musaev, S.; Razavi, K.; Giuffrida, C.; and Bos, H
Pubblicato in: FAST 2022, 2022
Editore: USENIX

Practical Software Crash Recovery with Targeted Library-level Fault Injection

Autori: Bhat, K.; van der Kouwe, E.; Bos, H.; and Giuffrida, C.
Pubblicato in: 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 2021
Editore: IEEE

Speculative Probing: Hacking Blind in the Spectre Era

Autori: Enes Gkta, Kaveh Razavi, Georgios Portokalidis, Herbert Bos, and Cristiano Giuffrida
Pubblicato in: CCS '20: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, Numero November 2020, 2020
Editore: ACM
DOI: 10.1145/3372297.3417289

Rage Against the Machine Clear: A Systematic Analysis of Machine Clears and Their Implications for Transient Execution Attacks

Autori: Ragab, H.; Barberis, E.; Bos, H.; and Giuffrida, C
Pubblicato in: USENIX Security, 2021
Editore: USENIX

TRRespass: Exploiting the Many Sides of Target Row Refresh

Autori: Frigo, P.; Vannacci, E.; Hassan, H.; van der Veen, V.; Mutlu, O.; Giuffrida, C.; Bos, H.; and Razavi, K.
Pubblicato in: 2020 IEEE Symposium on Security and Privacy (SP), 2020
Editore: IEEE
DOI: 10.1109/sp40000.2020.00090

CrossTalk: Speculative Data Leaks Across Cores Are Real

Autori: Ragab, H.; Milburn, A.; Razavi, K.; Bos, H.; and Giuffrida, C
Pubblicato in: IEEE Symposium on Security and Privacy (SP), 2021
Editore: IEEE

kMVX - Detecting Kernel Information Leaks with Multi-variant Execution

Autori: Sebastian Österlund, Koen Koning, Pierre Olivier, Antonio Barbalace, Herbert Bos, Cristiano Giuffrida
Pubblicato in: Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS '19, 2019, Pagina/e 559-572, ISBN 9781-450362405
Editore: ACM Press
DOI: 10.1145/3297858.3304054

Unleashing the power of unikernels with unikraft

Autori: S. Kuenzer, S. Santhanam, Y. Volchkov, F. Schmidt, F. Huici, Joel Nider, Mike Rapoport, Costin Lupu
Pubblicato in: Proceedings of the 12th ACM International Conference on Systems and Storage - SYSTOR '19, 2019, Pagina/e 195-195, ISBN 9781-450367493
Editore: ACM Press
DOI: 10.1145/3319647.3325856

Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks

Autori: Lucian Cojocar, Kaveh Razavi, Cristiano Giuffrida, Herbert Bos
Pubblicato in: 2019 IEEE Symposium on Security and Privacy (SP), 2019, Pagina/e 55-71, ISBN 978-1-5386-6660-9
Editore: IEEE
DOI: 10.1109/sp.2019.00089

SoK: Benchmarking Flaws in Systems Security

Autori: Erik van der Kouwe, Gernot Heiser, Dennis Andriesse, Herbert Bos, Cristiano Giuffrida
Pubblicato in: 2019 IEEE European Symposium on Security and Privacy (EuroS&P), 2019, Pagina/e 310-325, ISBN 978-1-7281-1148-3
Editore: IEEE
DOI: 10.1109/eurosp.2019.00031

VPS: excavating high-level C++ constructs from low-level binaries to protect dynamic dispatching

Autori: Pawlowski, A., van der Veen, V., Andriesse, D., van der Kouwe, E., Holz, T., Giuffrida, C. and Bos, H.
Pubblicato in: 35th Annual Computer Security Applications Conference, ACSAC 2019, Dec 9-13 2019, 2019
Editore: ACSAC
DOI: 10.5281/zenodo.3523939

Address space isolation in the linux kernel

Autori: Joel Nider, Mike Rapoport, James Bottomley
Pubblicato in: Proceedings of the 12th ACM International Conference on Systems and Storage - SYSTOR '19, 2019, Pagina/e 194-194, ISBN 9781-450367493
Editore: ACM Press
DOI: 10.1145/3319647.3325855

RIDL: Rogue In-Flight Data Load

Autori: Stephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro Frigo, Giorgi Maisuradze, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida
Pubblicato in: 2019 IEEE Symposium on Security and Privacy (SP), 2019, Pagina/e 88-105, ISBN 978-1-5386-6660-9
Editore: IEEE
DOI: 10.1109/sp.2019.00087

UNICORE: A toolkit to automatically build unikernels

Autori: Gaulthier, G., Soldani, C. and Mathy, L.
Pubblicato in: Grascomp Doctoral Day, 22 November 2019, Namur, Belgium, 2019
Editore: n/a

Terminal Brain Damage: Exposing the Graceless Degradation in Deep Neural Networks Under Hardware Fault Attacks

Autori: Sanghyun Hong and Pietro Frigo and Yigitcan Kaya and Cristiano Giuffrida and Tudor Dumitras
Pubblicato in: 28th USENIX Security Symposium, Aug 14–16, 2019 SANTA CLARA, CA, USA, 2019, Pagina/e 497--514, ISBN 978-1-939133-06-9
Editore: USENIX Association

ZebRAM: Comprehensive and Compatible Software Protection Against Rowhammer Attacks

Autori: Radhesh Krishnan Konoth and Marco Oliverio and Andrei Tatar and Dennis Andriesse and Herbert Bos and Cristiano Giuffrida and Kaveh Razavi
Pubblicato in: 12th USENIX conference on Operating Systems Design and Implementation USENIX-ACM OSDI 2018, 2018, Pagina/e 697-710, ISBN 978-1-939133-08-3
Editore: USENIX Association

Unikernels Made Easy with Unikraft

Autori: S.Kuenzer
Pubblicato in: 14th Workshop on Virtualization in High-Performance Cloud Computing (VHPC'19), 2019
Editore: VHPC

Threat Classification in Current Communication Infrastructures

Autori: Ioan Constantin, Cristian Patachia, Carmen Patrascu, Andrei Avadanei, Lucian Nitescu
Pubblicato in: 11th edition of the Electronics, Computers and Artificial Intelligence - ECAI-2019, 2019
Editore: ECAI

TagBleed: Breaking KASLR on the Isolated Kernel Address Space Using Tagged TLBs

Autori: Koschel, J.; Giuffrida, C.; Bos, H.; and Razavi, K
Pubblicato in: 2020 IEEE European Symposium on Security and Privacy (EuroS&P), 2020
Editore: IEEE
DOI: 10.1109/eurosp48549.2020.00027

SMASH: Synchronized Many-sided Rowhammer Attacks From JavaScript

Autori: de Ridder, F.; Frigo, P.; Vannacci, E.; Bos, H.; Giuffrida, C.; and Razavi, K
Pubblicato in: USENIX Security, 2021
Editore: USENIX

owards Highly Specialized, POSIX -compliant Software Stacks with Unikraft: Work-in-Progress

Autori: S. Santhanam et al.
Pubblicato in: 2020 International Conference on Embedded Software (EMSOFT), 2020
Editore: IEEE
DOI: 10.1109/emsoft51651.2020.9244044

Automatic Side-Channel Resistance Using Efficient Control and Data Flow Linearization

Autori: Giuffrida, C.; Borrello, D.; Cono, D.; Querzoni, L
Pubblicato in: CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, 2021
Editore: ACM
DOI: 10.1145/3460120.3484583

Wayfinder: towards automatically deriving optimal OS configurations

Autori: Jung, A.; Lefeuvre, H.; Rotsos, D.; Olivier, p.; Oñoro-Rubio, D.; Huici, F.; Niepert, M.
Pubblicato in: In Proceedings of the 12th ACM SIGOPS Asia-Pacific Workshop on Systems, 2021
Editore: ACM

On the Effectiveness of Same-Domain Memory Deduplication

Autori: Costi, A.; Johannesmeyer, B.; Bosman, E.; Giuffrida, C.; and Bos, H
Pubblicato in: EuroSec '22: Proceedings of the 15th European Workshop on Systems Security, 2022
Editore: ACM

Scanning for Generalized Transient Execution Gadgets in the Linux Kernel

Autori: Johannesmeyer, B.; Koschel, J.; Razavi, K.; Bos, H.; and Giuffrida, C
Pubblicato in: 2022 NDSS Symposium, 2022
Editore: NDSS

ABSynthe: Automatic Blackbox Sidechannel Synthesis on Commodity Microarchitectures

Autori: Gras, B.; Giuffrida, C.; Kurth, M.; Bos, H.; and Razavi, K
Pubblicato in: 2020 NDSS Symposium, 2020
Editore: NDSS

Defeating Software Mitigations Against Rowhammer: A Surgical Precision Hammer

Autori: Andrei Tatar, Cristiano Giuffrida, Herbert Bos, Kaveh Razavi
Pubblicato in: Research in Attacks, Intrusions, and Defenses - 21st International Symposium, RAID 2018, Heraklion, Crete, Greece, September 10-12, 2018, Proceedings, Numero 11050, 2018, Pagina/e 47-66, ISBN 978-3-030-00469-9
Editore: Springer International Publishing
DOI: 10.1007/978-3-030-00470-5_3

Unikraft: Unikernels Made Easy

Autori: Simon Kuenzer
Pubblicato in: FOSDEM 2019, 2019
Editore: n/a

Kernel Address Space Isolation

Autori: Alexandre Chartre, Mike Rapoport, James Bottomley, Joel Nider
Pubblicato in: Linux Plumbers, 9-11 September 2019,, 2019
Editore: n/a

Building DPDK Unikernel with Unikraft

Autori: S. Santhanam, S.Kuenzer, F. Huici
Pubblicato in: DPDK Summit 2019,, 2019
Editore: n/a

Is the Hypervisor the New Kernel?

Autori: C. Lupu
Pubblicato in: EuroSys, Doctoral Workshop, 25-28 March 2019, 2019
Editore: EuroSys

UNICORE Project: Unikernel Power

Autori: J. Guijarro
Pubblicato in: OpenNebula Techday, 8 May 2019, Barcelona, Spain, 2019
Editore: OpenNebula

Unikraft: Unikernels for NFV

Autori: L. Mathy (speaker), F. Huici
Pubblicato in: The 3rd Future Network Development Conference, 2019
Editore: N/A

Another Step Beyond Containers

Autori: X. Peralta
Pubblicato in: Jornadas Técnicas RedIRIS, 28/30 May 2019, 2019
Editore: n/a

UNICORE Presentation by Orange

Autori: Cristian Patachia & Orange CEO
Pubblicato in: Digital Assembly, 13-14 June 2019,, 2019
Editore: n/a

Address Space Isolation for Container Security

Autori: Mike Rapoport, James Bottomley
Pubblicato in: Linux Plumbers, 9-11 September 2019, 2019
Editore: n/a

Address Space Isolation inside Linux Kernel

Autori: Mike Rapoport, James Bottomley
Pubblicato in: Open Source Summit Europe, 28-30 October 2019, 2019
Editore: n/a

Memory management bits in arch/*

Autori: Mike Rapoport
Pubblicato in: Kernel Summit, 9-11 September 2019, 2019
Editore: n/a

Boot Time Memory Management

Autori: Mike Rapoport
Pubblicato in: Embedded Linux Conference Europe, 28-30 October 2019, 2019
Editore: n/a

Address Spaces for Namespaces

Autori: Mike Rapoport, James Bottomley
Pubblicato in: Linux Security Summit Europe, 31 October - 1 November 2019, 2019
Editore: n/a

UNICORE video

Autori: UNICORE Consortium
Pubblicato in: UNICORE Project Video, 2019
Editore: UNICORE Consortium

Digital Forensics

Autori: Ioan Constantin
Pubblicato in: Orange Education Program Spring School, 8-10 March 2019, Bucharest, Romania, 2019
Editore: “Alexandru Ioan Cuza” University of Iași, Romania

Cybersecurity in Mobile Networks

Autori: Ioan Constantin
Pubblicato in: Cybersecurity Romania, 4 June 2019, Bucharest, Romania, 2019
Editore: N/A

Lightweight virtualization with Unikraft

Autori: Costin Raiciu
Pubblicato in: Microsoft Research Seminar, 5 September 2019, 2019
Editore: Microsoft

Simjacker – billion dollar mobile security vs. one tiny piece of plastic

Autori: Ioan Constantin
Pubblicato in: Def Camp 2019 - International Hacking & Information Security Conference, 7-8 November 2019, Bucharest, Romania, 2019
Editore: Def Camp

Cristian Patachia, Ioan Constantin

Autori: Orange Business Internet Security Report Ed. II
Pubblicato in: Online resource, 2019
Editore: Orange Romania

Risultati finali

Pubblicazioni

Condividi questa pagina

Scarica