
#40953 / #1

WS 2019/20 - WiSe 2022/23

English

System Virtualization and Secure Code Isolation

6

Nordholz, Jan Christoph

graded

Portfolio examination

Affiliation


Fakultät IV

Institut für Softwaretechnik und Theoretische Informatik

34352600 FG Sichere und vertrauenswürdige netzangebundene Systemarchitekturen

No information

Contact


TEL 16

Nordholz, Jan Christoph

j.nordholz@tu-berlin.de

Learning Outcomes

Students who complete this module know the specialized feature set of modern general-purpose CPUs for building highly privileged software components like hypervisors and secure monitors. They understand that the design space permits different solutions (such as x86 vs. ARM vs. MIPS) and know the use cases and tradeoff decisions that motivated them. Students have also learnt different models for peripheral device passthrough as well as purely virtual device drivers, and they are able to apply this knowledge to create their own virtualization solution and driver architecture for a given use case. This module also demonstrates ways to hide execution from highly privileged software, and alerts students to the dangers of often overlooked and/or underrated areas of the attack surface of virtualized/isolated systems. The two module parts complement one another: students are expected to take the IV part first to gain the necessary theoretical knowledge and to see (and probably try out) code examples. In the following seminar they can then apply their new capabilities by analyzing recent academic publications in this area.

Content

We will cover the following topics:

(A) Virtualization
- Virtualization Basics (from Popek & Goldberg onward)
- Register Virtualization (contrast x86 to ARM and MIPS)
- Memory Virtualization (shadow paging, nested paging, paravirtualized paging)
- Interrupt Virtualization (APIC-V, AVIC, ARM GIC(v2/v3/v4), MIPS IRQ Controller Integration)
- Handling Peripheral Devices in virtualized environments (paravirtualization, faithful virtualization, emulation)
- Handling DMA in virtualized environments (IOMMU, SYSMMU, software workarounds)
- Purely Virtual Devices (timers, virtual network links, virtual UARTs, virtual disks)

(B) Isolation
- Encrypted Virtualization (AMD SME/SEV, Intel TME/MKTME)
- Isolated Execution Environments: ARM TrustZone, Intel SGX

(C) Breaking Out or In
- Side and Covert Channels
- Guest-to-Host Privilege Escalation

Module Components

Mandatory group:

All Courses are mandatory.

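| Course Name | Type | Number | Cycle | Language | SWS | VZ |
|---|---|---|---|---|---|---|
| System Virtualization and Secure Code Isolation | IV | 3435 L 10149 | WiSe | English | 2 | |
| Recent Advances in System Security | SEM | 3435 L 10213 | not specified | English | 2 | |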

Workload and Credit Points

System Virtualization and Secure Code Isolation (IV):

| Workload description | Multiplier | Hours | Total |
|---|---|---|---|
| Attendance | 15.0 | 2.0h | 30.0h |
| Pre/post processing | 15.0 | 4.0h | 60.0h |
| | | | 90.0h (~3 LP) |

Recent Advances in System Security (SEM):

| Workload description | Multiplier | Hours | Total |
|---|---|---|---|
| Preparation of a Presentation | 1.0 | 30.0h | 30.0h |
| Attendance (Presentation Peer Review) | 1.0 | 8.0h | 8.0h |
| Seminar Paper | 1.0 | 52.0h | 52.0h |
| | | | 90.0h (~3 LP) |

The workload of the module sums up to 180.0 hours. Therefore the module contains 6 credits.

Description of Teaching and Learning Methods

IV: Gradually transitioning from a classical lecture to a group discussion / collaborative exploration of the problem space of each week's topic. SEM: Classical seminar (presentations with group discussion, seminar paper), organized either as a single block event or as a weekly format, depending mainly on the number of interested students.

Requirements for participation and examination

Desirable prerequisites for participation in the courses:

This course assumes that students have internalized the basic protection and separation concepts provided by a CPU's so-called "privileged mode", such as segmentation, paging (and page faults), interrupt delivery, and system calls. Students looking for a refresher are encouraged to browse the teaching material of the Bachelor course "Systemprogrammierung" - the syllabus is only available in German, but the literature references are English (Stallings, Silberschatz, and Tanenbaum).

Mandatory requirements for the module test application:

This module has no requirements.

Module completion

Grading

graded

Type of exam

Portfolio examination

Type of portfolio examination

100 points in total

Language

German/English

Test elements

| Name | Points | Category | Duration/Extent |
|---|---|---|---|
| (Examination) Oral Exam (about the IV course) | 40 | oral | 20 min |
| (Deliverable Assessment) Seminar Presentation | 20 | oral | 30 min |
| (Deliverable Assessment) Seminar Paper | 40 | written | 10 pages |

Grading scale

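Grading scale »Notenschlüssel 1: Fak IV (1)«

| Total points | 1.0 | 1.3 | 1.7 | 2.0 | 2.3 | 2.7 | 3.0 | 3.3 | 3.7 | 4.0 |
|---|---|---|---|---|---|---|---|---|---|---|
| 100.0pt | 86.0pt | 82.0pt | 78.0pt | 74.0pt | 70.0pt | 66.0pt | 62.0pt | 58.0pt | 54.0pt | 50.0pt |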

Test description (Module completion)

The standard rules for portfolio modules apply.

Duration of the Module

The following number of semesters is estimated for taking and completing the module:
2 semesters.

This module may be commenced in the following semesters:
Winter semester.

Maximum Number of Participants

This module is not limited to a number of students.

Registration Procedures

The registration rules for portfolio modules apply. Please check QISPOS for the exact registration deadline, but note that it is usually 6 weeks after lectures have started. Students who cannot use QISPOS should contact the lecturer via email.

Recommended reading, Lecture notes

Lecture notes

Availability: unavailable

Electronic lecture notes

Availability: unavailable

Literature

Recommended literature
No recommended literature given

Assigned Degree Programs


This module is used in the following Degree Programs (new System):

| Degree program / StuPO | StuPOs | Uses | First use | Last use |
|---|---|---|---|---|
This module is not used in any degree program.

Students of other degrees can participate in this module without capacity testing.

Miscellaneous

No information