@pati_gallardo
Linux Security
and How Web Browser Sandboxes Really Work
Patricia Aas
Security Researchers Meetup 2017
Patricia Aas
Programmer - mainly in C++ and Java
Currently : Vivaldi Technologies
Previously : Cisco Systems, Knowit, Opera Software
Master in Computer Science
Twitter : @pati_gallardo
Will put up link to slides on Twitter/LinkedIn
One Binary
[Diagram: the process tree of the single binary: BROWSER, GPU, ZYGOTE, GPU BROKER and RENDERER processes, connected by edges labelled FORK, CLONE and EXEC]
The Initial Sandbox
Windows of Opportunity
[Diagram: the same process tree (BROWSER, GPU, ZYGOTE, GPU BROKER, RENDERER; FORK, CLONE and EXEC edges), annotated with the initial sandbox settings: NO_NEW_PRIVS and the USER/PID/NET namespaces]
Namespaces in use
CLONE_NEWUSER
No privilege is needed to create a User NS, and inside one we can create a PID NS without global privilege.
CLONE_NEWPID
The same PID number can represent different processes in different PID namespaces. There is one init (PID 1) process per PID NS.
CLONE_NEWNET
Isolates a process from the network.
Zygote + Renderer
At Clone: Create Namespaces
Clone flags define the process* that is created and will create namespaces (NS) for it:
1. Test which NS are available
2. Fail if not sufficient
3. Construct the biggest supported and applicable set
Emulates fork with longjmp
* Also used to create threads
Zygote + Renderer
int flags = CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET;
jmp_buf env;
if (setjmp(env) == 0) {
  // First time through: the parent gets the child's pid back from clone().
  // The child longjmps to this setjmp(), which then returns 1, so the child
  // falls out of the if as if fork() had returned 0.
  return CloneAndLongjmpInChild(flags, ptid, ctid, &env);
}
chromium/base/process/launch_posix.cc
Code Simplified To Illustrate
pid_t CloneAndLongjmpInChild(unsigned long flags,
                             pid_t* ptid,
                             pid_t* ctid,
                             jmp_buf* env) {
  // clone() needs a stack for the child to start CloneHelper on; the child
  // leaves it again immediately by longjmp-ing back to the caller's frame.
  char stack_buf[PTHREAD_STACK_MIN];
  void* stack = stack_buf + sizeof(stack_buf);  // stacks grow downwards
  return clone(&CloneHelper,
               stack, flags, env, ptid, nullptr, ctid);
}
chromium/base/process/launch_posix.cc
Code Simplified To Illustrate
int CloneHelper(void* arg) {
  // Runs in the child on the temporary stack: jump back to the setjmp()
  // in the caller, which then returns 1 there.
  jmp_buf* env_ptr = reinterpret_cast<jmp_buf*>(arg);
  longjmp(*env_ptr, 1);
  // Should not be reached
  assert(false);
  return 1;
}
chromium/base/process/launch_posix.cc
Code Simplified To Illustrate
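The three steps on the "At Clone" slide (probe which namespaces work, fail if the minimum is not met, otherwise build the biggest applicable set), as an added example in C that is not Chromium's code. The function names probe_unshare, select_clone_flags, flags_sufficient and detect_clone_flags are my own; the probe uses unshare(2) in a throwaway child instead of the clone-and-longjmp trick above, and PID/NET are probed from inside a fresh user namespace because that is the only way an unprivileged process can create them.

```c
#define _GNU_SOURCE
#include <linux/sched.h>   /* CLONE_NEWUSER, CLONE_NEWPID, CLONE_NEWNET */
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run unshare(flags) in a throwaway child so that a successful probe never
 * changes the namespaces of the caller. Returns 1 if the kernel accepted the
 * flags, 0 otherwise (EPERM without privilege, EINVAL when the kernel was
 * built without that namespace type, ...). */
static int probe_unshare(int flags) {
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) _exit(syscall(SYS_unshare, flags) == 0 ? 0 : 1);
    int status = 0;
    if (waitpid(pid, &status, 0) != pid) return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Step 3 as a pure function: from the probe results, build the biggest set
 * that makes sense. PID and NET are only requested together with USER, since
 * without a user namespace an unprivileged process cannot create them. */
int select_clone_flags(int have_user, int have_pid, int have_net) {
    int flags = 0;
    if (have_user) {
        flags |= CLONE_NEWUSER;
        if (have_pid) flags |= CLONE_NEWPID;
        if (have_net) flags |= CLONE_NEWNET;
    }
    return flags;
}

/* Step 2: refuse to run with less isolation than the caller requires. */
int flags_sufficient(int selected, int required) {
    return (selected & required) == required;
}

/* Step 1: probe. The PID and NET probes are done from inside a new user
 * namespace, which is how a sandboxed zygote would actually create them. */
int detect_clone_flags(void) {
    int user = probe_unshare(CLONE_NEWUSER);
    int pid  = user && probe_unshare(CLONE_NEWUSER | CLONE_NEWPID);
    int net  = user && probe_unshare(CLONE_NEWUSER | CLONE_NEWNET);
    return select_clone_flags(user, pid, net);
}

int main(void) {
    int flags = detect_clone_flags();
    printf("user=%d pid=%d net=%d\n", !!(flags & CLONE_NEWUSER),
           !!(flags & CLONE_NEWPID), !!(flags & CLONE_NEWNET));
    /* Example policy: a renderer must at least get USER and PID namespaces. */
    if (!flags_sufficient(flags, CLONE_NEWUSER | CLONE_NEWPID))
        fprintf(stderr, "namespace support insufficient, refusing to sandbox\n");
    return 0;
}
```

On a stock desktop kernel with unprivileged user namespaces enabled all three probes succeed; inside a container whose seccomp profile blocks unshare(2) the first probe fails and detect_clone_flags() returns 0, which is exactly the "fail if not sufficient" case the slide describes.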
Shrinking the Initial Sandbox
Shrinking the Sandbox
[Diagram: the process tree (BROWSER, GPU, ZYGOTE, GPU BROKER, RENDERER; FORK, CLONE and EXEC edges), now annotated with the sandbox layers added post-fork: seccomp, USER namespace, capset, chroot, SYS_ADMIN, rlimit, PID namespace, NO_NEW_PRIVS and the USER/PID/NET namespaces; "Done post-fork"]
Seccomp BPF Program
A program written in an assembly-like language to filter system calls. It runs in a simple VM in kernel space, and all syscalls will be filtered by this program.
TSYNC: once a seccomp program is installed with this flag, it applies to all threads in the process.
Renderer + Gpu + Broker
Seccomp : BPF Policies
The BPF program is defined in a Policy. It is fundamentally a whitelist: it allows a set of syscalls and has custom handling of the others. An extended Policy is then generally more permissive.
1. BaselinePolicy
1.1 GpuProcessPolicy
1.1.1 GpuBrokerProcessPolicy
1.2 RendererProcessPolicy
Renderer + Gpu + Broker
void StartSandboxWithPolicy(sandbox::bpf_dsl::Policy* policy)
{
  // The Policy object is what gets compiled into the BPF program.
  SandboxBPF sandbox(policy);
  assert(sandbox.StartSandbox());
}
bool SandboxBPF::StartSandbox() {
  InstallFilter();
  return true;
}
chromium/content/common/sandbox_linux/sandbox_seccomp_bpf_linux.cc
chromium/sandbox/linux/seccomp-bpf/sandbox_bpf.cc
Code Simplified To Illustrate
void SandboxBPF::InstallFilter() {
  // Compile the policy into BPF instructions and wrap them in the
  // sock_fprog the kernel expects.
  CodeGen::Program program = AssembleFilter();
  struct sock_filter bpf[program.size()];
  const struct sock_fprog prog =
      { static_cast<unsigned short>(program.size()), bpf };
  memcpy(bpf, &program[0], sizeof(bpf));
  // Required for an unprivileged process to install a filter; it also
  // stops exec() from ever granting new privileges (setuid, file caps).
  assert(prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0);
  // seccomp() stands in for Chromium's raw-syscall wrapper (glibc has no
  // seccomp() function). TSYNC applies the filter to every thread.
  assert(seccomp(SECCOMP_SET_MODE_FILTER,
                 SECCOMP_FILTER_FLAG_TSYNC, &prog) == 0);
}
chromium/sandbox/linux/seccomp-bpf/sandbox_bpf.cc
Code Simplified To Illustrate
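The whole seccomp path on these slides (a whitelist policy compiled to BPF, installed behind NO_NEW_PRIVS with the TSYNC flag) as an added example in C that is not Chromium's code. build_whitelist, install_whitelist and demo_whitelist_blocks_getpid are my own names; the filter is hand-written BPF rather than Chromium's bpf_dsl, the default action is SECCOMP_RET_ERRNO so the denial can be observed from user space, and the demo runs in a forked child so the caller keeps an unfiltered process.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* seccomp_data.arch must match the ABI we compiled for; otherwise a process
 * could reach different syscall numbers through another ABI. */
#if defined(__x86_64__)
#  define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define ARCH_NR AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#  define ARCH_NR AUDIT_ARCH_I386
#elif defined(__arm__)
#  define ARCH_NR AUDIT_ARCH_ARM
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#  define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL   /* pre-4.14 headers */
#endif
#ifndef SECCOMP_FILTER_FLAG_TSYNC
#  define SECCOMP_FILTER_FLAG_TSYNC 0                 /* pre-3.17 headers */
#endif

/* Emit a whitelist: kill on a foreign ABI, allow each listed syscall number,
 * fail everything else with EPERM. A production policy would usually kill or
 * trap on the default; ERRNO keeps the process alive so we can observe it.
 * Returns the instruction count, or 0 if `cap` < 4 + 2*n + 1. */
size_t build_whitelist(const int *allowed, size_t n,
                       struct sock_filter *out, size_t cap) {
    size_t i = 0;
    if (cap < 4 + 2 * n + 1) return 0;
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, arch));
    out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++) {
        /* jt=0 falls into the ALLOW below; jf=1 skips it to the next test. */
        out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                (unsigned)allowed[k], 0, 1);
        out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                            SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    return i;
}

/* NO_NEW_PRIVS first (the kernel refuses the filter otherwise for unprivileged
 * callers), then seccomp(2) with TSYNC; glibc has no seccomp() wrapper, so go
 * through syscall(2), falling back to the older prctl path. 0 on success. */
int install_whitelist(const struct sock_filter *insns, size_t count) {
    struct sock_fprog prog = { .len = (unsigned short)count,
                               .filter = (struct sock_filter *)insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
#if defined(SYS_seccomp) && defined(SECCOMP_SET_MODE_FILTER)
    if (syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER,
                SECCOMP_FILTER_FLAG_TSYNC, &prog) == 0) return 0;
#endif
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* In a child: getpid is not on the list and must fail with EPERM, exit_group
 * is on it so _exit() still works. Returns 1 if the filter behaved as
 * expected, 0 if filtering is unavailable here, -1 on any other outcome. */
int demo_whitelist_blocks_getpid(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        const int allowed[] = { SYS_exit_group, SYS_exit, SYS_write, SYS_rt_sigreturn };
        struct sock_filter insns[16];
        size_t n = build_whitelist(allowed, 4, insns, 16);
        if (n == 0 || install_whitelist(insns, n) != 0) _exit(3);
        long r = syscall(SYS_getpid);
        _exit(r == -1 && errno == EPERM ? 0 : 2);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    if (WEXITSTATUS(status) == 0) return 1;
    if (WEXITSTATUS(status) == 3) return 0;
    return -1;
}

int main(void) {
    int r = demo_whitelist_blocks_getpid();
    puts(r == 1 ? "getpid denied with EPERM, exit_group allowed: filter works"
       : r == 0 ? "seccomp filtering not available here"
                : "unexpected behaviour");
    return 0;
}
```

The order matters: a filter that is already installed cannot be removed, and a later, more permissive filter does not loosen an earlier one; the kernel evaluates every installed filter and applies the most restrictive result. That is why the slides describe an extended Policy as "generally more permissive" only relative to its base, not relative to what a process has already installed.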
Chroot : Drop Access to FS
A chroot is done in a clone(CLONE_FS) child that does chroot("/proc/self/fdinfo/") and immediately does a chdir("/") and _exit(0).
You can see this by looking at
ls -l /proc/<pid>/root
of the Zygote or any ancestor.
Credentials::DropFileSystemAccess
Zygotes + Renderer
bool ChrootToSafeEmptyDir() {
  pid_t pid = -1;
  char stack_buf[PTHREAD_STACK_MIN];
  void* stack = stack_buf + sizeof(stack_buf);
  // CLONE_FS: the helper shares root and cwd with us, so its chroot()
  // changes our root as well. LINUX_SIGCHLD lets waitpid() collect it.
  int clone_flags = CLONE_FS | LINUX_SIGCHLD;
  pid = clone(ChrootToSelfFdinfo, stack, clone_flags, nullptr);
  int status = -1;
  assert(HANDLE_EINTR(waitpid(pid, &status, 0)) == pid);
  return WIFEXITED(status) && WEXITSTATUS(status) == kExitSuccess;
}
chromium/sandbox/linux/services/credentials.cc
Code Simplified To Illustrate
int ChrootToSelfFdinfo(void*) {
  // Runs in the helper: its own /proc/self/fdinfo/ is a per-process
  // directory that ceases to exist when the helper exits, leaving the
  // shared root pointing at nothing.
  assert(chroot("/proc/self/fdinfo/") == 0);
  assert(chdir("/") == 0);
  _exit(kExitSuccess);
}
chromium/sandbox/linux/services/credentials.cc
Code Simplified To Illustrate
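The CLONE_FS chroot trick from the two slides above, as an added example in C that is not Chromium's code. drop_filesystem_access, filesystem_is_inaccessible and demo_drop_filesystem_access are my own names. It uses the raw clone syscall with a NULL stack (which behaves like fork() but honours CLONE_FS) instead of the clone() wrapper with an explicit stack, moves into a new user namespace first to get CAP_SYS_CHROOT (the zygote has already done this by the time it chroots), and then verifies from inside that nothing on the filesystem resolves any more.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/sched.h>   /* CLONE_FS, CLONE_NEWUSER */
#include <signal.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Body of the short-lived helper; it must exit rather than return. Its own
 * /proc/self/fdinfo/ is gone once it exits, so the root it hands us through
 * the shared fs_struct can never be repopulated. */
static void chroot_to_self_fdinfo(void) {
    if (chroot("/proc/self/fdinfo/") != 0) _exit(1);
    if (chdir("/") != 0) _exit(1);
    _exit(0);
}

/* Raw clone with a NULL stack acts like fork() but honours CLONE_FS, so the
 * child shares root and cwd with us. Returns 1 on success, 0 on failure. */
int drop_filesystem_access(void) {
    long pid = syscall(SYS_clone, CLONE_FS | SIGCHLD, 0L, 0L, 0L, 0L);
    if (pid < 0) return 0;
    if (pid == 0) chroot_to_self_fdinfo();
    int status = -1;
    while (waitpid((pid_t)pid, &status, 0) == -1 && errno == EINTR) {}
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* From inside: neither an ordinary path nor /proc may resolve any more.
 * Returns 1 if the filesystem is sealed off, 0 if anything still opens. */
int filesystem_is_inaccessible(void) {
    int a = open("/etc", O_RDONLY | O_DIRECTORY);
    int b = open("/proc/self", O_RDONLY | O_DIRECTORY);
    if (a >= 0) close(a);
    if (b >= 0) close(b);
    return a < 0 && b < 0;
}

/* Whole sequence in a forked child so the caller keeps its filesystem.
 * Returns 1 if access was dropped and verified, 0 if it could not be
 * demonstrated here (user namespaces or chroot refused, e.g. in a
 * restricted container), -1 if the chroot "succeeded" but paths still
 * resolve, which would mean the technique did not work. */
int demo_drop_filesystem_access(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (syscall(SYS_unshare, CLONE_NEWUSER) != 0) _exit(3);
        if (!drop_filesystem_access()) _exit(4);
        _exit(filesystem_is_inaccessible() ? 0 : 2);
    }
    int status = -1;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    switch (WEXITSTATUS(status)) {
    case 0: return 1;
    case 3: case 4: return 0;
    default: return -1;
    }
}

int main(void) {
    int r = demo_drop_filesystem_access();
    puts(r == 1 ? "filesystem access dropped and verified from inside"
       : r == 0 ? "user namespaces or chroot unavailable here, nothing to show"
                : "unexpected: chroot done but paths still resolve");
    return 0;
}
```

While the demo child is alive you can run the slide's ls -l /proc/<pid>/root against it from another shell: the link points at the helper's /proc/<helper-pid>/fdinfo, a directory that no longer exists.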
Trust is Relative
[Diagram: the process tree (BROWSER, GPU, ZYGOTE, GPU BROKER, RENDERER; FORK, CLONE and EXEC edges) with all sandbox layers annotated: NO_NEW_PRIVS, USER/PID/NET namespaces, seccomp, USER, capset, chroot, SYS_ADMIN, rlimit, PID; "No access to filesystem", "Done post-fork"]
vivaldi://sandbox
Sources
Michael Kerrisk
Book: The Linux Programming Interface
Course: Linux Security and Isolation APIs
Chromium/Kernel source + Linux Man Pages + lwn.net
All Errors Are My Own
Linux Security
and How Web Browser Sandboxes Really Work
Patricia Aas, Vivaldi Technologies
@pati_gallardo
Photos from pixabay.com

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 

Linux Security and How Web Browser Sandboxes Really Work (Security Researchers Meetup 0x05 2017)

  • 2. Linux Security and How Web Browser Sandboxes Really Work
    Patricia Aas
    Security Researchers Meetup 2017
    @pati_gallardo
  • 3. Patricia Aas
    Programmer - mainly in C++ and Java
    Currently : Vivaldi Technologies
    Previously : Cisco Systems, Knowit, Opera Software
    Master in Computer Science
    Twitter : @pati_gallardo
    Will put up link to slides on Twitter/LinkedIn
  • 7. Namespaces in use (Zygote + Renderer)
    CLONE_NEWUSER
    No privilege is needed to create a User NS, and in one we can create a PID NS without global privilege.
    CLONE_NEWPID
    Same PID number can represent different processes in different PID namespaces. One init (PID 1) process per PID NS.
    CLONE_NEWNET
    Isolate a process from the network.
  • 8. At Clone : Create Namespaces (Zygote + Renderer)
    Clone flags define the process* created and will create namespaces (NS) for it
    1. Test which NS are available
    2. Fail if not sufficient
    3. Construct the biggest supported and applicable set
    Emulates fork with longjmp
    * Also used to create threads
  • 9. chromium/base/process/launch_posix.cc (Code Simplified To Illustrate)
    int flags = CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET;
    jmp_buf env;
    // Parent: setjmp() returns 0 and clone()s the child. The child longjmp()s
    // back here with 1, skips the if, and carries on as a fork() child would.
    if (setjmp(env) == 0) {
      return CloneAndLongjmpInChild(flags, ptid, ctid, &env);
    }
  • 10. chromium/base/process/launch_posix.cc (Code Simplified To Illustrate)
    pid_t CloneAndLongjmpInChild(unsigned long flags,
                                 pid_t* ptid,
                                 pid_t* ctid,
                                 jmp_buf* env) {
      char stack_buf[PTHREAD_STACK_MIN];
      void* stack = stack_buf + sizeof(stack_buf);  // stack grows down: pass the top
      return clone(&CloneHelper,
                   stack, flags, env, ptid, nullptr, ctid);
    }
  • 11. chromium/base/process/launch_posix.cc (Code Simplified To Illustrate)
    int CloneHelper(void* arg) {
      jmp_buf* env_ptr = reinterpret_cast<jmp_buf*>(arg);
      longjmp(*env_ptr, 1);
      // Should not be reached
      assert(false);
      return 1;
    }
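Added example (my own code, not Chromium's or the slides'): the three steps from slide 8 done by hand, probing which namespaces an unprivileged process may create, failing if the user NS is missing, building the largest usable flag set, and then cloning a child to show it sees PID 1 inside its new PID namespace. It uses the raw clone(2)/unshare(2) syscalls via syscall(); all function names are my own.

```c
#include <linux/sched.h>      /* CLONE_NEW* flag values (kernel ABI constants) */
#include <signal.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example (not Chromium's code): the slide's three steps with raw
 * clone(2)/unshare(2), so the child is a fork-style copy of the parent. */

/* Step 1: can this kernel/config give us the namespaces in `flags`? Probe in a
 * throwaway child so the caller's own namespaces are left untouched. */
static int can_unshare(int flags) {
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) _exit(syscall(SYS_unshare, flags) == 0 ? 0 : 1);
    int status = 0;
    if (waitpid(pid, &status, 0) != pid) return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Steps 2 and 3, kept pure so they can be tested: the user NS is the minimum
 * (without one nothing else can be created unprivileged); PID and net NS are
 * added whenever the probe said they work. */
int select_namespace_flags(int user_ok, int pid_ok, int net_ok) {
    if (!user_ok) return 0;                  /* "fail if not sufficient" */
    int flags = CLONE_NEWUSER;
    if (pid_ok) flags |= CLONE_NEWPID;
    if (net_ok) flags |= CLONE_NEWNET;
    return flags;
}

int probe_and_select(void) {
    int user_ok = can_unshare(CLONE_NEWUSER);
    int pid_ok = user_ok && can_unshare(CLONE_NEWUSER | CLONE_NEWPID);
    int net_ok = user_ok && can_unshare(CLONE_NEWUSER | CLONE_NEWNET);
    return select_namespace_flags(user_ok, pid_ok, net_ok);
}

/* Create a child with the chosen flags (plus SIGCHLD so waitpid() works) and
 * return the PID it sees from inside, read straight from the kernel: in a fresh
 * PID namespace that is 1, the init of that NS. Returns -1 if clone() was refused.
 * A NULL stack makes raw clone behave like fork(); the 8-bit exit status only fits small PIDs. */
int child_pid_as_seen_in_ns(int flags) {
    pid_t pid = (pid_t)syscall(SYS_clone, (long)(flags | SIGCHLD), 0L, 0L, 0L, 0L);
    if (pid < 0) return -1;
    if (pid == 0) _exit((int)syscall(SYS_getpid) & 0xff);
    int status = 0;
    if (waitpid(pid, &status, 0) != pid) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```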
  • 13. Shrinking the Sandbox (process diagram; labels as extracted): BROWSER, GPU seccomp, ZYGOTE USER capset chroot, GPUBROKER seccomp, ZYGOTE SYS_ADMIN seccomp, RENDERER capset rlimit PID, NO_NEW_PRIVS, USER/PID/NET, NO_NEW_PRIVS; edges FORK, CLONE, EXEC. Done post-fork.
  • 14. Seccomp BPF Program (Renderer + Gpu + Broker)
    Program written in an assembly-like language to filter system calls.
    Runs in a simple VM in kernel space.
    All syscalls will be filtered by this program.
    TSYNC : Once a Seccomp Program is installed it applies to all threads in a process
  • 15. Seccomp : BPF Policies (Renderer + Gpu + Broker)
    BPF Program defined in a Policy
    Fundamentally a whitelist, allows a set of syscalls and has custom handling of others
    An extended Policy is then generally more permissive
    1. BaselinePolicy
    1.1 GpuProcessPolicy
    1.1.1 GpuBrokerProcessPolicy
    1.2 RendererProcessPolicy
  • 16. chromium/content/common/sandbox_linux/sandbox_seccomp_bpf_linux.cc, chromium/sandbox/linux/seccomp-bpf/sandbox_bpf.cc (Code Simplified To Illustrate)
    void StartSandboxWithPolicy(sandbox::bpf_dsl::Policy* policy) {
      SandboxBPF sandbox(policy);
      // The call stays outside assert() so it is not compiled away under NDEBUG
      bool started = sandbox.StartSandbox();
      assert(started);
    }

    bool SandboxBPF::StartSandbox() {
      InstallFilter();
      return true;
    }
  • 17. chromium/sandbox/linux/seccomp-bpf/sandbox_bpf.cc (Code Simplified To Illustrate)
    void SandboxBPF::InstallFilter() {
      CodeGen::Program program = AssembleFilter();
      struct sock_filter bpf[program.size()];
      const struct sock_fprog prog = {
          static_cast<unsigned short>(program.size()), bpf };
      memcpy(bpf, &program[0], sizeof(bpf));
      // Side effects stay outside assert() so they survive NDEBUG builds
      int rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);  // no execve may regain privilege
      assert(rc == 0);
      rc = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, &prog);  // all threads
      assert(rc == 0);
    }
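Added example (my own code, not Chromium's): a minimal whitelist seccomp-BPF program assembled by hand in the shape slide 15 describes (arch check, allowed syscalls, custom handling of the rest), plus a small userland evaluator for the instruction subset it uses, standing in for the kernel's BPF VM so the allow/EPERM/kill outcomes can be checked without installing the filter. The three-syscall allowlist and the macro names are constructed for illustration.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
/* Added example (not Chromium's code): a whitelist filter assembled by hand and
 * run through a tiny userland evaluator standing in for the kernel's BPF VM. */
#define STMT(code, k)         (struct sock_filter)BPF_STMT(code, k)
#define JUMP(code, k, jt, jf) (struct sock_filter)BPF_JUMP(code, k, jt, jf)
#define LOAD(field) STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, field))
#define MAX_INSNS 32
struct filter_prog { struct sock_filter insns[MAX_INSNS]; unsigned len; };
static void emit(struct filter_prog *p, struct sock_filter f) { if (p->len < MAX_INSNS) p->insns[p->len++] = f; }

/* Layout: arch check, load nr, one JEQ per allowed syscall that jumps to the
 * final ALLOW; anything else falls through to the EPERM return ("custom handling"). */
void build_allowlist(struct filter_prog *p, const int *allowed, unsigned n) {
    p->len = 0;
    emit(p, LOAD(arch));                                 /* wrong arch: kill outright */
    emit(p, JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0));
    emit(p, STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL));
    emit(p, LOAD(nr));
    for (unsigned i = 0; i < n; i++)   /* jt = n - i skips the remaining JEQs and the EPERM */
        emit(p, JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)allowed[i], (uint8_t)(n - i), 0));
    emit(p, STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM));
    emit(p, STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW));
}
/* Evaluator for the subset used above: LD|ABS word loads, JEQ, RET. */
uint32_t run_filter(const struct filter_prog *p, const struct seccomp_data *d) {
    uint32_t acc = 0;
    for (unsigned pc = 0; pc < p->len; pc++) {
        const struct sock_filter *f = &p->insns[pc];
        switch (BPF_CLASS(f->code)) {
        case BPF_LD:  memcpy(&acc, (const char *)d + f->k, sizeof acc); break;
        case BPF_JMP: pc += (acc == f->k) ? f->jt : f->jf; break;   /* target = pc + 1 + off */
        case BPF_RET: return f->k;
        }
    }
    return SECCOMP_RET_KILL;   /* ran off the end; the kernel refuses to load such a program */
}
/* Constructed policy for the test: only read, write and exit_group are allowed. */
uint32_t classify(uint32_t arch, int nr) {
    const int allowed[] = { SYS_read, SYS_write, SYS_exit_group };
    struct filter_prog p;
    build_allowlist(&p, allowed, 3);
    struct seccomp_data d = { .nr = nr, .arch = arch };
    return run_filter(&p, &d);
}
```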
  • 18. Chroot : Drop Access to FS (Zygotes + Renderer)
    A chroot is done in a clone(CLONE_FS) child that does chroot("/proc/self/fdinfo/") and immediately does a chdir("/") and _exit(0). Because CLONE_FS makes the child share its root and working directory with the parent, the chroot takes effect in the parent as well, and the directory it points at disappears once the child has exited.
    You can see this by looking at ls -l /proc/<pid>/root of the Zygote or any ancestor
    Credentials::DropFileSystemAccess
  • 19. chromium/sandbox/linux/services/credentials.cc (Code Simplified To Illustrate)
    bool ChrootToSafeEmptyDir() {
      pid_t pid = -1;
      char stack_buf[PTHREAD_STACK_MIN];
      void* stack = stack_buf + sizeof(stack_buf);
      int clone_flags = CLONE_FS | LINUX_SIGCHLD;
      pid = clone(ChrootToSelfFdinfo, stack, clone_flags, nullptr);
      int status = -1;
      pid_t waited = HANDLE_EINTR(waitpid(pid, &status, 0));  // kept outside assert()
      assert(waited == pid);
      return WIFEXITED(status) && WEXITSTATUS(status) == kExitSuccess;
    }
  • 20. chromium/sandbox/linux/services/credentials.cc (Code Simplified To Illustrate)
    int ChrootToSelfFdinfo(void*) {
      // Side effects stay outside assert() so they survive NDEBUG builds
      int rc = chroot("/proc/self/fdinfo/");
      assert(rc == 0);
      rc = chdir("/");
      assert(rc == 0);
      _exit(kExitSuccess);
    }
  • 21. Trust is Relative (process diagram; labels as extracted): BROWSER, GPU seccomp, ZYGOTE USER capset chroot, GPUBROKER seccomp, ZYGOTE SYS_ADMIN seccomp, RENDERER capset rlimit PID, NO_NEW_PRIVS, USER/PID/NET, NO_NEW_PRIVS; edges FORK, CLONE, EXEC. No access to filesystem. Done post-fork.
  • 23. Sources
    Michael Kerrisk
      Book: The Linux Programming Interface
      Course: Linux Security and Isolation APIs
    Chromium/Kernel source + Linux Man Pages + lwn.net
    All Errors Are My Own
  • 24. Linux Security and How Web Browser Sandboxes Really Work
    Patricia Aas, Vivaldi Technologies
    @pati_gallardo
    Photos from pixabay.com