6.2.3 HTTP Authentication and Authorization for MirageOS Unikernels
6.2.4 Application Firewalling for Mirage OS Unikernels
3.3 Performance with a pool of protected unikernels
7.1.3 Generating Protected Unikernel Resources on The Fly
7.3.1 Exploiting Infrastructure-As-Code for Security Programmability
, PhD Symposium, pp.464-467, 2016.
Towards a Software-Defined Security Framework for Supporting Distributed Cloud, Proceedings of the 11th IFIP International Conference on Autonomous Infrastructure, Management and Security, pp.47-61, 2017. ,
Unikernel-based Approach for Software-Defined Security in Cloud Infrastructures, Proceeding of the IEEE/IFIP Network Operations and Management Symposium, pp.1-7, 2018. ,
Demo: On-The-Fly Generation of Unikernels for Software-Defined Security in Cloud Infrastructures, Proceeding of the 2018 IEEE/IFIP Network Operations and Management Symposium (NOMS), pp.1-2, 2018. ,
Industrial Patents
Procédé et Système pour Créer une Image d'une Application, Orange Patent filed with the INPI, 2018. ,
Submission Work to International Peer-Reviewed Journals
Security Issues in System Virtualization And Solutions: A Survey ,
A TOSCA-Oriented Software-Defined Security Approach for Unikernel-Based Protected Clouds ,
, HTTP Server Benchmarking Tool -Apache HTTP Server Version, vol.2, 2018.
A Modular Package Manager Architecture, Information and Software Technology, vol.55, pp.459-474, 2013. ,
Top Threats to Cloud Computing v1, White Paper, 2010. ,
An XACML-based Privacy-centered Access Control System, Proceedings of the First ACM Workshop on Information Security Governance. WISG '09, pp.49-58, 2009. ,
SCONE: Secure Linux Containers with Intel SGX, In: OSDI, vol.16, pp.689-703, 2016. ,
DevOps: Introducing Infrastructure-as-Code, 2017 IEEE/ACM 39th International Conference on Software Engineering Companion (ICSE-C), pp.497-498, 2017. ,
Achieving dynamicity in security policies enforcement using aspects, International Journal of Information Security, vol.17, pp.1615-5270, 2018. ,
Slick: An Intrusion Detection System for Virtualized Storage Devices, Proceedings of the 31st Annual ACM Symposium on Applied Computing. SAC '16, pp.2033-2040, 2016. ,
VeriCon: Towards Verifying Controller Programs in Software-defined Networks, Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation. PLDI '14, pp.282-293, 2014. ,
Xen and the Art of Virtualization, SIGOPS Oper. Syst. Rev, vol.37, pp.164-177, 2003. ,
A SAT-based Autonomous Strategy for Security Vulnerability Management, 2014 IEEE Network Operations and Management Symposium (NOMS), pp.1-9, 2014. ,
CAIN: Silently Breaking ASLR in the Cloud, In: WOOT, 2015. ,
Shielding Applications from an Untrusted Cloud with Haven, ACM Trans. Comput. Syst, vol.33, issue.3, 2015. ,
Side-channels Beyond the Cloud Edge: New Isolation Threats and Solutions, 2017 1st Cyber Security in Networking Conference (CSNet), pp.1-8, 2017. ,
URL : https://hal.archives-ouvertes.fr/hal-01593144
QEMU, A Fast and Portable Dynamic Translator, USENIX Annual Technical Conference, FREENIX Track, pp.41-46, 2005. ,
The TClouds Platform: Concept, Architecture and Instantiations, Proceedings of the 2Nd International Workshop on Dependability Issues in Cloud Computing. DISCCO '13, vol.1, 2013. ,
eXtensible Access Control Markup Language (XACML) Version 3, 2013. ,
TOSCA: Portable Automated Deployment and Management of Cloud Applications, Advanced Web Services. Ed. by Athman Bouguettaya, Quan Z. Sheng, and Florian Daniel, pp.527-549, 2014. ,
Understanding the Linux Kernel: from I/O ports to Process Management, vol.929, 2005. ,
IncludeOS: A Minimal, Resource Efficient Unikernel for Cloud Services, 2015 IEEE 7th International Conference on Cloud Computing Technology and Science (CloudCom), pp.250-257, 2015. ,
Enhancing Cloud Security and Privacy: The Unikernel Solution, Eighth International Conference on Cloud Computing, GRIDs, and Virtualization, 2017. ,
A Look in the Mirror: Attacks on Package Managers, Proceedings of the 15th ACM Conference on Computer and Communications Security. CCS '08, pp.565-574, 2008. ,
Taming Virtualization, IEEE Security Privacy, vol.6, issue.1, pp.1540-7993, 2008. ,
Hiding Virtualization from Attackers and Malware, IEEE Security Privacy, vol.5, pp.1540-7993, 2007. ,
Iago Attacks: Why the System Call API is a Bad Untrusted RPC Interface, Proceedings of the Eighteenth International Conference on Architectural Support for Programming Languages and Operating Systems. ASPLOS '13, pp.253-264, 2013. ,
A Caching Model of Operating System Kernel Functionality, Proceedings of the 1st USENIX Conference on Operating Systems Design and Implementation. OSDI '94, 1994. ,
Cloud Security Is Not (Just) Virtualization Security: a Short Paper, Proceedings of the 2009 ACM workshop on Cloud computing security -CCSW '09. the 2009 ACM workshop, p.97, 2009. ,
, Linux man page, 2018.
NICE: Network Intrusion Detection and Countermeasure Selection in Virtual Network Systems, IEEE Transactions on Dependable and Secure Computing, vol.10, pp.1545-5971, 2013. ,
, Cohttp: Very lightweight HTTP Server using Lwt or Async. MirageOS, 2017.
Breaking Up is Hard to Do: Security and Functionality in a Commodity Hypervisor, Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles. SOSP '11, pp.189-202, 2011. ,
Virtual Ghost: Protecting Applications from Hostile Operating Systems, Proceedings of the 19th International Conference on Architectural Support for Programming Languages and Operating Systems. ASPLOS '14, pp.81-96, 2014. ,
Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege Separation, SIGARCH Comput. Archit. News, vol.43, pp.163-5964, 2015. ,
Package Upgrades in FOSS Distributions: Details and Challenges, Proceedings of the 1st International Workshop on Hot Topics in Software Upgrades. HotSWUp '08, vol.7, pp.1-7, 2008. ,
URL : https://hal.archives-ouvertes.fr/hal-00359847
, Ship, and Run Any App, Anywhere, 2018.
ICEMAN: An architecture for secure federated inter-cloud identity management, 2013 IFIP/IEEE International Symposium on Integrated Network Management (IM 2013), pp.1207-1210, 2013. ,
Virtualization vs Containerization to Support PaaS, 2014 IEEE International Conference on Cloud Engineering, pp.610-614, 2014. ,
Exokernel: An Operating System Architecture for Application-level Resource Management, SIGOPS Oper. Syst. Rev, vol.29, pp.251-266, 1995. ,
FlowTags: Enforcing Network-wide Policies in the Presence of Dynamic Middlebox Actions, Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking -HotSDN '13. the second ACM SIGCOMM workshop. Hong Kong, p.19, 2013. ,
An Updated Performance Comparison of Virtual Machines and Linux Containers, 2015 IEEE International Symposium on Performance Analysis of Systems and Software (ISPASS), pp.171-172, 2015. ,
, The Linux Foundation. Bridge. url
A Virtual Machine Introspection Based Architecture for Intrusion Detection, In: Ndss, vol.3, pp.191-206, 2003. ,
, wrk: Modern HTTP Benchmarking Tool. Sept. 5, 2017.
The Taser Intrusion Recovery System, SIGOPS Oper. Syst. Rev, vol.39, pp.163-5980, 2005. ,
Survey of Virtual Machine Research, Computer 7, pp.34-45, 1974. ,
Building a Security OS With Software Defined Infrastructure, Proceedings of the 8th Asia-Pacific Workshop on Systems. APSys '17, vol.4, 2017. ,
Characterization of Linux Kernel Behavior under Errors, International Conference on Dependable Systems and Networks, 2003. Proceedings.(DSN). 2003 International Conference on Dependable Systems and Networks, vol.00, p.459, 2003. ,
, Container Runtime Sandbox, 2018.
Mining a high level access control policy in a network with multiple firewalls, Journal of Information Security and Applications. Security, Privacy and Trust in Future Networks and Mobile Computing, vol.20, pp.2214-2126, 2015. ,
URL : https://hal.archives-ouvertes.fr/hal-01207768
Software-Defined Networking: Challenges and research opportunities for Future Internet, Computer Networks, vol.75, pp.1389-1286, 2014. ,
Purify: Fast Detection of Memory Leaks and Access Errors, Proceedings of the Winter 1992 USENIX Conference, pp.125-138, 1991. ,
SDAC: A New Software-Defined Access Control Paradigm for Cloud-Based Systems, Information and Communications Security, pp.570-581, 2018. ,
Control Group v2, 2015. ,
MongoDB Databases at Risk, Center for IT-Security, Privacy, and Accountability, 2015. ,
Towards Cloud-based Compositions of Security Functions for Mobile Devices, IFIP/IEEE International Symposium on Integrated Network Management (IM). 2015 IFIP/IEEE International Symposium on Integrated Network Management (IM), pp.578-584, 2015. ,
URL : https://hal.archives-ouvertes.fr/hal-01093041
Software-Defined Networking Based Security Services using Interface to Network Security Functions, 2015. ,
Analyzing Integrity Protection in the SELinux Example Policy, Proceedings of the 12th Conference on USENIX Security Symposium, vol.12, pp.5-5, 2003. ,
Stealthy Malware Detection Through Vmm-based "Out-of-the-box, Proceedings of the 14th ACM Conference on Computer and Communications Security. CCS '07, pp.128-138, 2007. ,
Code-injection Vulnerabilities in Web Applications -Exemplified at Cross-site Scripting, it -Information Technology Methoden und innovative Anwendungen der Informatik und Informationstechnik, vol.53, pp.256-160, 2011. ,
Container and Microservice Driven Design for Cloud Infrastructure DevOps, 2016 IEEE International Conference on Cloud Engineering (IC2E), pp.202-211, 2016. ,
, Kata Containers -The Speed of Containers, the Security of VMs, 2018.
The Vision of Autonomic Computing, Computer, vol.36, issue.1, 2003. ,
SubVirt: implementing malware with virtual machines, 2006 IEEE Symposium on Security and Privacy (S P'06), vol.14, p.327, 2006. ,
KVM: the Linux Virtual Machine Monitor, Proceedings of the Linux symposium. Linux Symposium, vol.1, pp.225-230, 2007. ,
seL4: Formal Verification of an OS Kernel, Proceedings of the ACM SIGOPS 22Nd Symposium on Operating Systems Principles. SOSP '09, pp.207-220, 2009. ,
Differential Power Analysis, Advances in Cryptology -CRYPTO' 99: 19th Annual International Cryptology Conference, pp.388-397, 1999. ,
Virtualization in Linux, White paper, vol.3, p.39, 2006. ,
Optimization of out of Memory Killer for Embedded Linux Environments, Proceedings of the 2011 ACM Symposium on Applied Computing. SAC '11, pp.633-634, 2011. ,
Dynamic Enforcement of Security Policies in Multi-Tenant Cloud Networks, 2012. ,
Cloudburst, Black Hat, 2009. ,
Xomb: an Exokernel for Modern 64-bit, Multicore Hardware, WSO-VII Workshop de Sistemas Operacionais, pp.1991-1998, 2010. ,
Software Component Models, IEEE Transactions on Software Engineering, vol.33, pp.98-5589, 2007. ,
Secure Virtual Machine Execution under an Untrusted Management OS, 2010 IEEE 3rd International Conference on Cloud Computing, pp.172-179, 2010. ,
Implementing an Untrusted Operating System on Trusted Hardware, Proceedings of the Nineteenth ACM Symposium on Operating Systems Principles. SOSP '03, pp.178-192, 2003. ,
On Micro-kernel Construction, Proceedings of the Fifteenth ACM Symposium on Operating Systems Principles. SOSP '95, pp.237-250, 1995. ,
A Study and Implementation of Vulnerability Assessment and Misconfiguration Detection, IEEE Asia-Pacific Services Computing Conference, pp.1252-1257, 2008. ,
, Linux Containers -LXC -Introduction, 2018.
Leveraging Software-defined Networking for Security Policy Enforcement, Information Sciences 327.Supplement C, pp.288-299, 2016. ,
SecureUML: A UML-Based Modeling Language for Model-Driven Security, UML 2002 -The Unified Modeling Language, pp.426-441, 2002. ,
First Experiences Using XACML for Access Control in Distributed Systems, Proceedings of the 2003 ACM Workshop on XML Security. XMLSEC '03, pp.25-37, 2003. ,
Man-in-the-middle attacks on auto-updating software, Bell Labs Technical Journal, vol.12, pp.1538-7305, 2007. ,
Orchestration of software-defined security services, 2016 IEEE International Conference on Communications Workshops (ICC), pp.436-441, 2016. ,
Jitsu: Just-In-Time Summoning of Unikernels, Proceedings of the 12th USENIX Symposium on Networked Systems Design and Implementation (NSDI '15), pp.559-573, 2015. ,
Unikernels: Rise of the Virtual Library Operating System, Queue 11.11 (Dec. 2013), vol.30 ,
Unikernels: Library Operating Systems for the Cloud, SIGPLAN Not, vol.48, pp.461-472, 2013. ,
Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML), 2003. ,
Managing the Complexity of Large Free and Open Source Package-Based Software Distributions, 21st IEEE/ACM International Conference on Automated Software Engineering (ASE'06), pp.199-208, 2006. ,
URL : https://hal.archives-ouvertes.fr/hal-00149566
, VENOM, Don't Get Bitten, 2015.
The NIST Definition of Cloud Computing, 2011. ,
, Mirage Skeleton: Examples of simple MirageOS Applications -Static website TLS. MirageOS, 2017.
SEVered: Subverting AMD's Virtual Machine Encryption, Proceedings of the 11th European Workshop on Systems Security. EuroSec'18, vol.1, pp.1-1, 2018. ,
Using Docker: Developing and Deploying Software with Containers, 2015. ,
Virtual Machine Introspection: Observation or Interference?, In: IEEE Security Privacy, vol.6, pp.1540-7993, 2008. ,
Resonance: Dynamic Access Control for Enterprise Networks, Proceedings of the 1st ACM Workshop on Research on Enterprise Networking. WREN '09, pp.11-18, 2009. ,
Hyperkernel: Push-Button Verification of an OS Kernel, Proceedings of the 26th Symposium on Operating Systems Principles. SOSP '17, pp.252-269, 2017. ,
What Are Race Conditions?: Some Issues and Formalizations, ACM Lett. Program. Lang. Syst, vol.1, issue.1, pp.1057-4514, 1992. ,
The FU Rootkit, 2008. ,
An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments, vol.10, 2007. ,
Topology and Orchestration Specification for Cloud Applications (TOSCA), Organization for the Advancement of Structured Information Standards (OASIS), 2013. ,
SecMANO: Towards Network Functions Virtualization (NFV) Based Security MANagement and Orchestration, IEEE Trustcom, pp.598-605, 2016. ,
A First Step Towards Security Extension for NFV Orchestrator, Proceedings of the ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization. SDN-NFVSec '17, 2017. ,
NFV Security Survey: From Use Case Driven Threat Analysis to State-of-the-Art Countermeasures, IEEE Communications Surveys & Tutorials, pp.1553-877, 2018. ,
Lares: An Architecture for Secure Active Monitoring Using Virtualization, 2008 IEEE Symposium on Security and Privacy, pp.233-247, 2008. ,
Virtualization: Issues, Security Threats, and Solutions, In: ACM Comput. Surv, vol.45, issue.2, 2013. ,
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns, IEEE Security Privacy, vol.2, issue.4, pp.1540-7993, 2004. ,
Formal Requirements for Virtualizable Third Generation Architectures, Commun. ACM, vol.17, issue.7, pp.412-421, 1974. ,
Rethinking the Library OS from the Top Down, SIGARCH Comput. Archit. News, vol.39, pp.163-5964, 2011. ,
SafeMem: Exploiting ECC-memory for Detecting Memory Leaks and Memory Corruption During Production Runs, 11th International Symposium on High-Performance Computer Architecture, pp.291-302, 2005. ,
Detecting the Presence of Virtual Machines Using the Local Data Table, Offensive Computing, 2006. ,
, RabbitMQ -Messaging that just works, 2018.
Guest-Transparent Prevention of Kernel Rootkits with VMM-Based Memory Shadowing, Recent Advances in Intrusion Detection: 11th International Symposium, pp.1-20, 2008. ,
Hey, You, Get off of My Cloud: Exploring Information Leakage in Third-party Compute Clouds, Proceedings of the 16th ACM Conference on Computer and Communications Security. CCS '09, pp.199-212, 2009. ,
Analysis of the Intel Pentium's Ability to Support a Secure Virtual Machine Monitor, Proceedings of the 9th USENIX Security Symposium. 9th USENIX Security, pp.129-144, 2000. ,
MiniOS: An Instructional Platform for Teaching Operating Systems Projects, Proceedings of the 46th ACM Technical Symposium on Computer Science Education. SIGCSE '15, pp.430-435, 2015. ,
A Policy-Based Management Framework for Cloud Computing Security, 2014. ,
TOSCA Simple Profile in YAML Version 1.1, OASIS Committee Specification Draft, 2016. ,
Virtualization: A Survey on Concepts, Taxonomy and Associated Security Issues, 2010 Second International Conference on Computer and Network Technology, pp.222-226, 2010. ,
Building a MAC-based security architecture for the Xen open-source hypervisor, 21st Annual Computer Security Applications Conference (ACSAC'05), vol.10, p.285, 2005. ,
Exploiting Format String Vulnerabilities, 2001. ,
On the Effectiveness of Address-space Randomization, Proceedings of the 11th ACM Conference on Computer and Communications Security. CCS '04, pp.298-307, 2004. ,
FlowChecker: Configuration Analysis and Verification of Federated Openflow Infrastructures, Proceedings of the 3rd ACM Workshop on Assurable and Usable Security Configuration. SafeConfig '10, pp.37-44, 2010. ,
FRESCO: Modular Composable Security Services for Software-Defined Networks, NDSS. 2013 ,
User Data Persistence in Physical Memory, Digital Investigation, vol.4, pp.1742-2876, 2007. ,
Container-based Operating System Virtualization: A Scalable, High-performance Alternative to Hypervisors, SIGOPS Oper. Syst. Rev, vol.41, issue.3, pp.275-287, 2007. ,
NOVA: A Microhypervisor-based Secure Virtualization Architecture, Proceedings of the 5th European Conference on Computer Systems. EuroSys '10, pp.209-222, 2010. ,
A Case for Hardware Protection of Guest VMs from Compromised Hypervisors in Cloud Computing, 2011 31st International Conference on Distributed Computing Systems Workshops, pp.248-252, 2011. ,
, The Solo5 Unikernel Project. Solo5, 2017.
, The Xen Project, the Powerful Open Source Industry Standard for Virtualization
Demystifying the Threat Modeling Process, IEEE Security Privacy, vol.3, issue.5, pp.1540-7993, 2005. ,
TVDSEC: Trusted Virtual Domain Security, 2011 Fourth IEEE International Conference on Utility and Cloud Computing, pp.57-64, 2011. ,
Escaping a chroot jail/1, 2013. ,
PaaSword: A Holistic Data Privacy and Security by Design Framework for Cloud Services, Journal of Grid Computing, vol.15, pp.219-234, 2017. ,
The TClouds architecture: Open and resilient cloud-of-clouds computing, IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN 2012), pp.1-6, 2012. ,
, VMware Virtualization for Desktop & Server, Application, Public & Hybrid Clouds, 2018.
Memory Resource Management in VMware ESX Server, SIGOPS Oper. Syst. Rev, vol.36, pp.163-5980, 2002. ,
Live Updating in Unikernels, vol.118, 2017. ,
Policy Based Management for Security in Cloud Computing, Secure and Trust Computing, Data Management, and Applications, pp.130-137, 2011. ,
The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP version 1.2, NIST Special Publication, vol.800, p.126, 2011. ,
Run Mirage Unikernels on KVM/QEMU with Solo5, 2016. ,
Unikernel Monitors: Extending Minimalism Outside of the Box, 8th USENIX Workshop on Hot Topics in Cloud Computing (HotCloud 16). USENIX Association, 2016. ,
Subverting the Xen hypervisor, Black Hat USA, 2008. ,
Attacking Intel Trusted Execution Technology, Black Hat DC 2009, 2009. ,
Following the White Rabbit: Software attacks against Intel VT-d technology, 2011. ,
One Cloud Flops: Cross-vm Row Hammer Attacks and Privilege Escalation, Proceedings of the 25th USENIX Security Symposium, p.18, 2016. ,
, Overview of the Internet of Things, 2018.
Cross-VM Side Channels and Their Use to Extract Private Keys, Proceedings of the 2012 ACM Conference on Computer and Communications Security. CCS '12, pp.305-316, 2012. ,
Scheduler Vulnerabilities and Coordinated Attacks in Cloud Computing, Journal of Computer Security, vol.21, pp.533-559, 2013. ,