Issuing advisories has a cost: It costs the security team significant amounts of time to craft and send the advisories; it costs many of our downstreams time to apply, build, and test patches; and it costs many of our users time to decide whether to do an update, and if so, to test and deploy it.
Given this, the Xen Project Security Team wants to clarify when it should issue an advisory and when it should not: the Xen Security Response Process only mentions “vulnerabilities”, without specifying what constitutes a vulnerability.
A challenge for any cloud installation is the constant tradeoff of availability versus security. In general, the more fluid your cloud system (i.e., making virtualized resources available on demand more quickly and easily), the more your system becomes open to certain cyberattacks. This tradeoff is perhaps most acute during active virtual machine (VM) migration, when a VM is moved from one physical host to another transparently, without disruption of the VM’s operations. Live virtual machine migration is a crucial operation in the day-to-day management of modern cloud environments.
The modern trend towards cloud-native apps seems to be set to kill hypervisors with a long slow death. Paradoxically, it is the massive success of hypervisors and infrastructure-as-a-service during the last 15 years that enabled this trend.
Stefano Stabellini provides an overview of the rise of containers and how hypervisors are co-existing and thriving in the era of containers.
Embedded systems become virtualized, IoT security concerns continue and the container community diversifies… What else will happen to the hypervisor and beyond in 2017? Two members of the Xen Project, Stefano Stabellini and James Bulpin, provide insight on where the hypervisor is going in 2017 and other virtualization and infrastructure trends to watch out for in this VMblog post.
I’m pleased to announce the release of the Xen Project Hypervisor 4.8. As always, we focused on improving code quality, security hardening as well as enabling new features. One area of interest and particular focus is new feature support for ARM servers. Over the last few months, we’ve seen a surge of patches from various ARM vendors that have collaborated on a wide range of updates from new drivers to architecture to security.
Today the Xen Project announced eight security advisories: XSA-191 to XSA-198. The bulk of these security advisories were discovered and fixed during the hardening phase of the Xen Project Hypervisor 4.8 release (expected to come out in early December). The Xen Project has implemented a security-first approach when publishing new releases.
I am pleased to announce the release of Xen 4.6.4 and 4.7.1. Xen Project Maintenance releases are released in line with our Maintenance Release Policy. We recommend that all users of the 4.6 and 4.7 stable series update to the latest point release.
On Monday, we created Xen 4.8 RC1 and will release a new release candidate every week, until we declare a release candidate as the final candidate and cut the Xen 4.8 release. We will also hold a Test Day every Friday for the release candidate that was released the week prior to the Test Day. Note that RCs are announced on the following mailing lists: xen-announce, xen-devel and xen-users.
The Xen Project descended on Toronto, Canada in late August for its annual Xen Project Developer Summit. The Summit is an opportunity for developers and software engineers to collaborate and discuss the latest advancements of the Xen Project software. It also gives developers a chance to better understand new trends and deployments in the community and from power enterprise users.
I am pleased to announce the release of Xen 4.5.5. Xen Project Maintenance releases are released in line with our Maintenance Release Policy. We recommend that all users of the 4.5 stable series update to this point release.
Xen 4.5.5 is available immediately from its git repository:
Let’s take a step back and look at the current state of virtualization in the software industry. X86 hypervisors were built to run a few different operating systems on the same machine. Nowadays they are mostly used to execute several instances of the same OS (Linux), each running a single server application in isolation. Containers are a better fit for this use case, but they expose a very large attack surface. It is possible to reduce the attack surface; however, it is a very difficult task, one that requires minute knowledge of the app running inside.
I’m pleased to announce the release of Xen Project Hypervisor 4.7 and Xen Project Hypervisor 4.6.3.
Xen Project Hypervisor 4.7
This new release focuses on improving code quality, security hardening, security features, live migration support, usability improvements and support for new hardware features — this is also the first release of our fixed term June – December release cycle.
The Xen Project’s code contributions have grown more than 10% each year. Although growth is extremely healthy to the project as a whole, it has its growing pains. For the Xen Project, it led to issues with its code review process: maintainers believed that their review workload increased and a number of vendors claimed that it took significantly longer for contributions to be upstreamed, compared to the past.
This is a guest blog post by Rich Persaud, former member of the Citrix XenServer and XenClient engineering and business teams. He is currently a consultant to BAE Systems, working on the OpenXT project, which stands on the shoulders of the Xen Project, OpenEmbedded Linux and XenClient XT.
Yesterday we created Xen 4.7 RC2 and will release a new release candidate every Wednesday, until we declare a release candidate as the final candidate and cut the Xen 4.7 release. We will also hold a Test Day every Friday for the release candidate that was released the Wednesday prior to the Test Day. This means we will have Test Days on May 13th, 20th, 27th and June 3rd.
We just wrapped another successful Xen Project Hackathon, which is an annual event, hosted by Xen Project member companies, typically at their corporate offices. This year’s event was hosted by ARM at their Cambridge HQ. 42 delegates descended on Cambridge from Aporeto, ARM, Assured Information Security, Automotive Electrical Systems, BAE Systems, Bromium, Citrix, GlobalLogic, OnApp, Onets, Oracle, StarLab, SUSE and Vates to attend. A big thank you (!) to ARM and in particular to Thomas Molgaard for organising the event and the social activities afterwards.
One of the core features that differentiates Xen from other open-source hypervisors is its native support for stealthy and secure monitoring of guest internals (aka virtual machine introspection). In Xen 4.6, which was released last autumn, several new features have been introduced that make this subsystem better; a cleaned-up, optimized API and ARM support are just some of the biggest items on this list. As part of this release of Xen, a new and unique feature was also successfully added by a team from Intel that makes stealthy monitoring even better on Xen: altp2m.
I am pleased to announce the release of Xen 4.5.3. Xen Project Maintenance releases are released in line with our Maintenance Release Policy. We recommend that all users of the 4.5 stable series update to this point release.
Xen 4.5.3 is available immediately from its git repository:
I am pleased to announce the release of Xen 4.6.1. Xen Project Maintenance releases are released in line with our Maintenance Release Policy: this means we make one new point release per stable series every 4 months, which include back-ports of bug-fixes and security issues.
I am pleased to announce the release of Xen 4.6.1. This is available immediately from its git repository
Lars Kurth had his first contact with the open source community in 1997 when he worked on various parts of the ARM toolchain. He has since become an open source enthusiast, worked in several open source communities, and is the chairperson of the Xen Project Advisory Board. He is also the Director of the Xen Project at Citrix.
He recently sat down to discuss why Xen Project software makes sense for the cloud and where the community and technology are heading this year in this short video.
I am pleased to announce the release of Xen 4.4.4. Xen Project Maintenance releases are released in line with our Maintenance Release Policy. We recommend that all users of the 4.4 stable series update to this point release.
Xen 4.4.4 is available immediately from its git repository:
I am pleased to announce the next Xen Project Hackathon. The Hackathon will be hosted by ARM in their Cambridge Headquarters on April 18 and 19. I wanted to thank Philippe Robin and Thomas Molgaard from ARM for hosting the Hackathon.
We were lucky to have the opportunity to meet up with GlobalLogic at CES and talk to them about their Nautilus platform for automotive virtualization. A few years ago, no one understood why the company was demoing hypervisor technology as a part of Nautilus, a set of solution accelerators that includes architectural concepts, a modified Android OS distribution, and advanced UI concepts. Today, however, no one is questioning why they are using virtualization.
January Features Major Xen Project Activities at Two of the Biggest FOSS Conferences of the Year!
The Xen Project is starting 2016 on a high note by sponsoring major events at both the largest community-run FOSS conference in North America (SCALE) and the world (FOSDEM). In addition to a flurry of technical talks in the main program of each conference, Xen Project is organizing additional co-located events.
In this video, George Dunlap, Senior Engineer at Citrix, explains how and why Citrix works with the Xen Project, why companies use Xen Project Hypervisor, and new opportunities for the future of this technology.
Two weeks ago, I embarked on a road trip to China with the aim to meet Xen Project users as well as contributors. I visited a number of vendors in Hangzhou and Beijing on this trip. Part of the objective was to give training to new contributors and developers, and to strengthen existing relationships.
With Xen 4.6 released in October, we are already one month into the new cycle, which means it is time to start planning for the next release. You may remember that one of the goals of the 4.6 release planning was to create a smoother developer experience and to release Xen 4.6 on time. Both goals were achieved, so it was time to think about where to go from here.
I am pleased to announce the release of Xen 4.5.2. Xen Project Maintenance releases are released roughly every 4 months, in line with our Maintenance Release Policy. We recommend that all users of the 4.5 stable series update to this point release.
Xen 4.5.2 is available immediately from its git repository:
We’ve just released a rather interesting batch of Xen security advisories. This has given rise in some quarters to grumbling around Xen not taking security seriously.
I have a longstanding interest in computer security. Nowadays I am a member of the Xen Project Security Team (the team behind security@xenproject, which drafts the advisories and coordinates the response). But I’m going to put forward my personal opinions.
I’m pleased to announce the release of Xen Project Hypervisor 4.6. This release focused on improving code quality, security hardening, enablement of security appliances, and release cycle predictability — this is the most punctual release we have ever had.
A little more than a week ago at Linaro Connect SFO15 in Burlingame, Jim Perrin of the CentOS project publicly announced the availability of the Xen hypervisor in CentOS 7 for ARM64 (also known as aarch64). Jim and I have been working closely with George Dunlap, maintainer of Xen in CentOS for the x86 architecture, to produce high quality Xen binaries for 64-bit ARM servers. As a result you can set up an ARM64 virtualization host with just a couple of yum commands.
This is a quick reminder that the Xen Project is again participating in Outreachy (Round 11). Please check the round 11 page for more information about the December 2015 to March 2015 round of internships.
This year’s Xen Project Developer Summit is over! We had two days packed with highly technical sessions that were attended by 120 delegates. Our sessions have – as always – been very interactive with lots of discussions during and after the talks. Of course we did also have lots of time for in-corridor conversations during breaks, which most of us look forward to every year.
Docker is certainly the most influential open source project of the moment. Why is Docker so successful? Is it going to replace Virtual Machines? Will there be a big switch? If so, when?
Let’s look at the past to understand the present and predict the future. Before virtual machines, system administrators used to provision physical boxes to their users. The process was cumbersome, not completely automated, and it took hours if not days. When something went wrong, they had to run to the server room to replace the physical box.
The Rumprun unikernel, based on the driver components offered by rump kernels, provides a means to run existing POSIX applications as unikernels on Xen. This post explains how we got here (it matters!), what sort of things can be solved today, and also a bit of what is in store for the future.
The security threats we’re facing today are becoming increasingly sophisticated. Rootkits and malware taking advantage of kernel and 0-day vulnerabilities pose especially serious challenges for classic anti-malware solutions, due to the latter’s lack of isolation: they’re typically executing in the same context as the malware they’re trying to prevent.