According to him, the quantitative analysi

Rakhiraqsdiwseo
Posts: 643
Joined: Sun Jan 19, 2025 7:57 am


Post by Rakhiraqsdiwseo »

Bottomley calls HAP vulnerabilities “potentially business-breaking.” So how do you measure the security of a system against HAP? Bottomley explains: “We do this by taking the Linux kernel’s error density and multiplying it by the number of unique lines of code the system has been running since it reached a steady state (i.e., when it stopped interacting with the kernel). The quantitative approach assumes that the error density is uniform, and therefore the HAP is approximated by the amount of code the system has been running in steady state. To approximate the number of lines of code that have been run on a running system, the kernel has a mechanism called ftrace, which can be used to track all processes that are running in user space.”

lines of code provides a rough estimate of the security level of HAP, because the total number of lines is measured, while the internal code flow is not taken into account due to the lack of detail in ftrace. In addition, this methodology is most suitable for containers, which are managed by a group of processes using system calls, and less so for hypervisors, since in this case, in order to track code, it is necessary to connect a direct hypercall API and track the number of calls to backends (for example, requests to the Linux kernel subsystem vhost for KVM and dom0 for Xen). In other words, you need to calculate the number of lines of code required to run a particular application in a VM, container, or bare metal: the more code it consumes, the more likely it is to have security vulnerabilities at the HAP level.

In addition to the code count, the expert ran several tests: redis-bench-set, redis-bench-get, python-tornado and node-express, the last two of which were also run on web servers using regular external thin clients. The test subjects were Docker, Google's gVisor container sandbox, the KVM gVisor-kvm container sandbox, an embedded VM hypervisor in Linux, the open-source lightweight VM Kata Containers, and IBM's recently introduced Nabla container system, which aims to minimize system calls made in the main kernel. Bottomley found that at the HAP level, the Nabla runtime is better protected than the hypervisor based on Kata technology. "This means that we have developed a container system with better HAP (i.e., more secure) than hypervisors," he said. He also added that Docker has also learned to suppress unexpected system calls at the VM level.
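To make the quantitative idea in the post concrete (error density multiplied by the unique kernel code a workload exercises, recovered from an ftrace function trace), here is an added worked example. It is not code from the forum post or from Bottomley's work. The error density, the function-to-line-count table and the two trace excerpts are all constructed for illustration; only the trace line layout follows the format of the ftrace `function` tracer.

```python
"""Toy Horizontal Attack Profile (HAP) estimate from an ftrace function trace.

Added example, not the forum post's or Bottomley's code. The error density,
the symbol -> line-count table and both traces are constructed assumptions;
the line layout mimics what /sys/kernel/tracing/trace_pipe prints with the
'function' tracer enabled.
"""
import re

# Hypothetical kernel error density, bugs per line of kernel code (assumption).
ERROR_DENSITY = 1.0e-4

# Constructed table: kernel function -> lines of code it spans (assumption).
FUNC_LINES = {
    "__x64_sys_read": 12, "ksys_read": 25, "vfs_read": 40,
    "__x64_sys_write": 12, "ksys_write": 25, "vfs_write": 45,
    "__x64_sys_openat": 10, "do_sys_openat2": 60, "path_openat": 900,
    "__x64_sys_socket": 8, "__sys_socket": 50, "sock_create": 80, "inet_create": 120,
}

# ftrace 'function' tracer line: "<task>-<pid> [<cpu>] <flags> <timestamp>: <func> <-<caller>"
TRACE_LINE = re.compile(r"^\s*\S+-\d+\s+\[\d+\]\s+\S+\s+[\d.]+:\s+(\S+)\s+<-(\S+)")

# Constructed trace A: a workload that only reads and writes an open descriptor.
TRACE_A = """\
   redis-1234  [000] ....  1000.000001: __x64_sys_read <-do_syscall_64
   redis-1234  [000] ....  1000.000002: ksys_read <-__x64_sys_read
   redis-1234  [000] ....  1000.000003: vfs_read <-ksys_read
   redis-1234  [000] ....  1000.000010: __x64_sys_write <-do_syscall_64
   redis-1234  [000] ....  1000.000011: ksys_write <-__x64_sys_write
   redis-1234  [000] ....  1000.000012: vfs_write <-ksys_write
   redis-1234  [000] ....  1000.000020: __x64_sys_read <-do_syscall_64
   redis-1234  [000] ....  1000.000021: ksys_read <-__x64_sys_read
   redis-1234  [000] ....  1000.000022: vfs_read <-ksys_read
"""

# Constructed trace B: the same workload, plus file opens and socket creation,
# and one function deliberately missing from FUNC_LINES to show the gap report.
TRACE_B = TRACE_A + """\
   redis-1234  [001] ....  1000.000030: __x64_sys_openat <-do_syscall_64
   redis-1234  [001] ....  1000.000031: do_sys_openat2 <-__x64_sys_openat
   redis-1234  [001] ....  1000.000032: path_openat <-do_sys_openat2
   redis-1234  [001] ....  1000.000040: __x64_sys_socket <-do_syscall_64
   redis-1234  [001] ....  1000.000041: __sys_socket <-__x64_sys_socket
   redis-1234  [001] ....  1000.000042: sock_create <-__sys_socket
   redis-1234  [001] ....  1000.000043: inet_create <-sock_create
   redis-1234  [001] ....  1000.000044: some_unlisted_fn <-inet_create
"""


def unique_functions(trace_text):
    """Kernel functions executed at least once; repeats collapse, callers are not counted."""
    seen = set()
    for line in trace_text.splitlines():
        m = TRACE_LINE.match(line)
        if m:
            seen.add(m.group(1))
    return seen


def hap_estimate(trace_text, func_lines=FUNC_LINES, density=ERROR_DENSITY):
    """HAP ~ density * unique lines of kernel code the trace touched.

    Functions with no size entry are reported under 'unmapped' rather than
    silently dropped, so a low score cannot come from a gap in the table.
    """
    funcs = unique_functions(trace_text)
    lines = sum(func_lines[f] for f in funcs if f in func_lines)
    return {
        "functions": len(funcs),
        "lines": lines,
        "hap": density * lines,
        "unmapped": sorted(funcs - func_lines.keys()),
    }


def lower_hap(name_a, trace_a, name_b, trace_b):
    """Name of the runtime whose trace exercises fewer kernel lines (the safer one under HAP)."""
    return name_a if hap_estimate(trace_a)["lines"] <= hap_estimate(trace_b)["lines"] else name_b


if __name__ == "__main__":
    for name, trace in (("A", TRACE_A), ("B", TRACE_B)):
        print(name, hap_estimate(trace))
    print("lower HAP:", lower_hap("A", TRACE_A, "B", TRACE_B))
```

On a real system the same parser would be fed by enabling the tracer (`echo function > /sys/kernel/tracing/current_tracer`) and reading `trace_pipe` once the workload has reached steady state; the function-to-line mapping would then come from the kernel's own symbol sizes rather than a hand-written table. The `unmapped` field is the check a practitioner wants: as the post notes, the method only counts lines, so any function the size table cannot resolve silently lowers the score unless it is surfaced.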