SlideShare a Scribd company logo

Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017)

The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers. However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context. This presentation goes more in depth on some key points from the NDC (2017) presentation.

1 of 26
Download to read offline
@pati_gallardo
Linux Security
and How Web Browser Sandboxes Really Work
Patricia Aas
SweedenCpp Meetup C++ Stockholm 0x08 2017
@pati_gallardo
Patricia Aas
Programmer - mainly in C++ and Java
Currently : Vivaldi Technologies
Previously : Cisco Systems, Knowit, Opera Software
Master in Computer Science
Twitter : @pati_gallardo
One Binary
Browser
Gpu BrokerZygote
Renderer
GpuZygote Init
Clone/Exec *
User/Pid/Net
Fork/Exec *
* NO_NEW_PRIVS
ForkFork
Clone
The
Initial Sandbox
@pati_gallardo
Windows of Opportunity
Browser
Gpu BrokerZygote
Renderer
GpuZygote Init
Clone/Exec *
User/Pid/Net
Fork/Exec *
* NO_NEW_PRIVS
ForkFork
Clone

Recommended

Linux Security and How Web Browser Sandboxes Really Work (Security Researcher...
Linux Security and How Web Browser Sandboxes Really Work (Security Researcher...Linux Security and How Web Browser Sandboxes Really Work (Security Researcher...
Linux Security and How Web Browser Sandboxes Really Work (Security Researcher...Patricia Aas
 
Linux Security and How Web Browser Sandboxes Really Work (NDC Oslo 2017)
Linux Security  and How Web Browser Sandboxes Really Work (NDC Oslo 2017)Linux Security  and How Web Browser Sandboxes Really Work (NDC Oslo 2017)
Linux Security and How Web Browser Sandboxes Really Work (NDC Oslo 2017)Patricia Aas
 
Install Nagios Core On CentOS 7
Install Nagios Core On CentOS 7Install Nagios Core On CentOS 7
Install Nagios Core On CentOS 7sharad chhetri
 
STM32 개발 환경 셋팅
STM32 개발 환경 셋팅STM32 개발 환경 셋팅
STM32 개발 환경 셋팅인호 최
 
Docker 1.10 1.11
Docker 1.10 1.11Docker 1.10 1.11
Docker 1.10 1.11dchaffiol
 
Building a scalable learning platform - Erik Veld - Codemotion Amsterdam 2018
Building a scalable learning platform - Erik Veld - Codemotion Amsterdam 2018Building a scalable learning platform - Erik Veld - Codemotion Amsterdam 2018
Building a scalable learning platform - Erik Veld - Codemotion Amsterdam 2018Codemotion
 

More Related Content

What's hot

nginx.conf - globo.com's live video platform for fifa world cup 14
nginx.conf  - globo.com's live video platform for fifa world cup 14nginx.conf  - globo.com's live video platform for fifa world cup 14
nginx.conf - globo.com's live video platform for fifa world cup 14Leandro Moreira
 
Qt native built for raspberry zero
Qt native built for  raspberry zeroQt native built for  raspberry zero
Qt native built for raspberry zeroSoheilSabzevari2
 
Summit 16: ARM Mini-Summit - OpenFastPath is Open and Fast - Nokia
Summit 16: ARM Mini-Summit - OpenFastPath is Open and Fast - NokiaSummit 16: ARM Mini-Summit - OpenFastPath is Open and Fast - Nokia
Summit 16: ARM Mini-Summit - OpenFastPath is Open and Fast - NokiaOPNFV
 
WebRTC と Native とそれから、それから。
WebRTC と Native とそれから、それから。 WebRTC と Native とそれから、それから。
WebRTC と Native とそれから、それから。 tnoho
 
Istio - The life of a packet
Istio - The life of a packetIstio - The life of a packet
Istio - The life of a packetMatt Turner
 
Docker at Digital Ocean
Docker at Digital OceanDocker at Digital Ocean
Docker at Digital OceanCloud 66
 
GNOME on Android Dongle
GNOME on Android DongleGNOME on Android Dongle
GNOME on Android Dongleprinceofgiri
 
OpenChain AutomotiveWG(OSS license tools()
OpenChain AutomotiveWG(OSS license tools()OpenChain AutomotiveWG(OSS license tools()
OpenChain AutomotiveWG(OSS license tools()Yuichi Kusakabe
 
Networks, Linux, Containers, Pods
Networks, Linux, Containers, PodsNetworks, Linux, Containers, Pods
Networks, Linux, Containers, PodsMatt Turner
 
Node Web Development 2nd Edition: Chapter2 Setup Node and NPM
Node Web Development 2nd Edition: Chapter2 Setup Node and NPMNode Web Development 2nd Edition: Chapter2 Setup Node and NPM
Node Web Development 2nd Edition: Chapter2 Setup Node and NPMRick Chang
 
Porting Tizen to open source hardware devices for beginners
Porting Tizen to open source hardware devices for beginnersPorting Tizen to open source hardware devices for beginners
Porting Tizen to open source hardware devices for beginnersLeon Anavi
 
Mastering in troubleshooting nfv
Mastering in troubleshooting nfvMastering in troubleshooting nfv
Mastering in troubleshooting nfvSadique Puthen
 
Understanding kube proxy in ipvs mode
Understanding kube proxy in ipvs modeUnderstanding kube proxy in ipvs mode
Understanding kube proxy in ipvs modeVictor Morales
 

What's hot (20)

nginx.conf - globo.com's live video platform for fifa world cup 14
nginx.conf  - globo.com's live video platform for fifa world cup 14nginx.conf  - globo.com's live video platform for fifa world cup 14
nginx.conf - globo.com's live video platform for fifa world cup 14
 
Qt native built for raspberry zero
Qt native built for  raspberry zeroQt native built for  raspberry zero
Qt native built for raspberry zero
 
Git & G
Git & GGit & G
Git & G
 
Git & GitHub
Git & GitHubGit & GitHub
Git & GitHub
 
Zedroid - Android (5.0 and later) on Zedboard
Zedroid - Android (5.0 and later) on ZedboardZedroid - Android (5.0 and later) on Zedboard
Zedroid - Android (5.0 and later) on Zedboard
 
Summit 16: ARM Mini-Summit - OpenFastPath is Open and Fast - Nokia
Summit 16: ARM Mini-Summit - OpenFastPath is Open and Fast - NokiaSummit 16: ARM Mini-Summit - OpenFastPath is Open and Fast - Nokia
Summit 16: ARM Mini-Summit - OpenFastPath is Open and Fast - Nokia
 
WebRTC と Native とそれから、それから。
WebRTC と Native とそれから、それから。 WebRTC と Native とそれから、それから。
WebRTC と Native とそれから、それから。
 
Istio - The life of a packet
Istio - The life of a packetIstio - The life of a packet
Istio - The life of a packet
 
Docker at Digital Ocean
Docker at Digital OceanDocker at Digital Ocean
Docker at Digital Ocean
 
GNOME on Android Dongle
GNOME on Android DongleGNOME on Android Dongle
GNOME on Android Dongle
 
2
22
2
 
OpenChain AutomotiveWG(OSS license tools()
OpenChain AutomotiveWG(OSS license tools()OpenChain AutomotiveWG(OSS license tools()
OpenChain AutomotiveWG(OSS license tools()
 
Networks, Linux, Containers, Pods
Networks, Linux, Containers, PodsNetworks, Linux, Containers, Pods
Networks, Linux, Containers, Pods
 
Node Web Development 2nd Edition: Chapter2 Setup Node and NPM
Node Web Development 2nd Edition: Chapter2 Setup Node and NPMNode Web Development 2nd Edition: Chapter2 Setup Node and NPM
Node Web Development 2nd Edition: Chapter2 Setup Node and NPM
 
Porting Tizen to open source hardware devices for beginners
Porting Tizen to open source hardware devices for beginnersPorting Tizen to open source hardware devices for beginners
Porting Tizen to open source hardware devices for beginners
 
Mastering in troubleshooting nfv
Mastering in troubleshooting nfvMastering in troubleshooting nfv
Mastering in troubleshooting nfv
 
Understanding kube proxy in ipvs mode
Understanding kube proxy in ipvs modeUnderstanding kube proxy in ipvs mode
Understanding kube proxy in ipvs mode
 
Skyfall b sides-c00-l-ed5-sp-2013
Skyfall b sides-c00-l-ed5-sp-2013Skyfall b sides-c00-l-ed5-sp-2013
Skyfall b sides-c00-l-ed5-sp-2013
 
A Close Look at ARM Code Size
A Close Look at ARM Code SizeA Close Look at ARM Code Size
A Close Look at ARM Code Size
 
Hardgroup - Raspberry PI #1
Hardgroup - Raspberry PI #1Hardgroup - Raspberry PI #1
Hardgroup - Raspberry PI #1
 

Viewers also liked

Advanced memory allocation
Advanced memory allocationAdvanced memory allocation
Advanced memory allocationJoris Bonnefoy
 
OCCIware, an extensible, standard-based XaaS consumer platform to manage ever...
OCCIware, an extensible, standard-based XaaS consumer platform to manage ever...OCCIware, an extensible, standard-based XaaS consumer platform to manage ever...
OCCIware, an extensible, standard-based XaaS consumer platform to manage ever...OCCIware
 
What in the World is Going on at The Linux Foundation?
What in the World is Going on at The Linux Foundation?What in the World is Going on at The Linux Foundation?
What in the World is Going on at The Linux Foundation?Black Duck by Synopsys
 
Communication hardware
Communication hardwareCommunication hardware
Communication hardwareHans Mallen
 
DevRomagna / Golang Intro
DevRomagna / Golang IntroDevRomagna / Golang Intro
DevRomagna / Golang IntroSimone Gentili
 
In-Memory Computing Essentials for Architects and Engineers
In-Memory Computing Essentials for Architects and EngineersIn-Memory Computing Essentials for Architects and Engineers
In-Memory Computing Essentials for Architects and EngineersDenis Magda
 
Walk through an enterprise Linux migration
Walk through an enterprise Linux migrationWalk through an enterprise Linux migration
Walk through an enterprise Linux migrationRogue Wave Software
 
Scale Up with Lock-Free Algorithms @ JavaOne
Scale Up with Lock-Free Algorithms @ JavaOneScale Up with Lock-Free Algorithms @ JavaOne
Scale Up with Lock-Free Algorithms @ JavaOneRoman Elizarov
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
 
Graduating To Go - A Jumpstart into the Go Programming Language
Graduating To Go - A Jumpstart into the Go Programming LanguageGraduating To Go - A Jumpstart into the Go Programming Language
Graduating To Go - A Jumpstart into the Go Programming LanguageKaylyn Gibilterra
 
In-depth forensic analysis of Windows registry files
In-depth forensic analysis of Windows registry filesIn-depth forensic analysis of Windows registry files
In-depth forensic analysis of Windows registry filesMaxim Suhanov
 
SDN Architecture & Ecosystem
SDN Architecture & EcosystemSDN Architecture & Ecosystem
SDN Architecture & EcosystemKingston Smiler
 
Deep dive into Coroutines on JVM @ KotlinConf 2017
Deep dive into Coroutines on JVM @ KotlinConf 2017Deep dive into Coroutines on JVM @ KotlinConf 2017
Deep dive into Coroutines on JVM @ KotlinConf 2017Roman Elizarov
 

Viewers also liked (20)

Advanced memory allocation
Advanced memory allocationAdvanced memory allocation
Advanced memory allocation
 
numPYNQ @ NGCLE@e-Novia 15.11.2017
numPYNQ @ NGCLE@e-Novia 15.11.2017numPYNQ @ NGCLE@e-Novia 15.11.2017
numPYNQ @ NGCLE@e-Novia 15.11.2017
 
OCCIware, an extensible, standard-based XaaS consumer platform to manage ever...
OCCIware, an extensible, standard-based XaaS consumer platform to manage ever...OCCIware, an extensible, standard-based XaaS consumer platform to manage ever...
OCCIware, an extensible, standard-based XaaS consumer platform to manage ever...
 
What in the World is Going on at The Linux Foundation?
What in the World is Going on at The Linux Foundation?What in the World is Going on at The Linux Foundation?
What in the World is Going on at The Linux Foundation?
 
Communication hardware
Communication hardwareCommunication hardware
Communication hardware
 
DevRomagna / Golang Intro
DevRomagna / Golang IntroDevRomagna / Golang Intro
DevRomagna / Golang Intro
 
In-Memory Computing Essentials for Architects and Engineers
In-Memory Computing Essentials for Architects and EngineersIn-Memory Computing Essentials for Architects and Engineers
In-Memory Computing Essentials for Architects and Engineers
 
Walk through an enterprise Linux migration
Walk through an enterprise Linux migrationWalk through an enterprise Linux migration
Walk through an enterprise Linux migration
 
Scale Up with Lock-Free Algorithms @ JavaOne
Scale Up with Lock-Free Algorithms @ JavaOneScale Up with Lock-Free Algorithms @ JavaOne
Scale Up with Lock-Free Algorithms @ JavaOne
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
 
Graduating To Go - A Jumpstart into the Go Programming Language
Graduating To Go - A Jumpstart into the Go Programming LanguageGraduating To Go - A Jumpstart into the Go Programming Language
Graduating To Go - A Jumpstart into the Go Programming Language
 
Docker Networking
Docker NetworkingDocker Networking
Docker Networking
 
Server virtualization
Server virtualizationServer virtualization
Server virtualization
 
Virtualization
VirtualizationVirtualization
Virtualization
 
Go Execution Tracer
Go Execution TracerGo Execution Tracer
Go Execution Tracer
 
In-depth forensic analysis of Windows registry files
In-depth forensic analysis of Windows registry filesIn-depth forensic analysis of Windows registry files
In-depth forensic analysis of Windows registry files
 
OpenFlow
OpenFlowOpenFlow
OpenFlow
 
SDN Architecture & Ecosystem
SDN Architecture & EcosystemSDN Architecture & Ecosystem
SDN Architecture & Ecosystem
 
Deep dive into Coroutines on JVM @ KotlinConf 2017
Deep dive into Coroutines on JVM @ KotlinConf 2017Deep dive into Coroutines on JVM @ KotlinConf 2017
Deep dive into Coroutines on JVM @ KotlinConf 2017
 
Network Virtualization
Network VirtualizationNetwork Virtualization
Network Virtualization
 

Similar to Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017)

Linux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxLinux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxPatricia Aas
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Patricia Aas
 
Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)Patricia Aas
 
Android 5.0 Lollipop platform change investigation report
Android 5.0 Lollipop platform change investigation reportAndroid 5.0 Lollipop platform change investigation report
Android 5.0 Lollipop platform change investigation reporthidenorly
 
Princeton Wintersession: Software Quality Assurance Tooling
Princeton Wintersession: Software Quality Assurance ToolingPrinceton Wintersession: Software Quality Assurance Tooling
Princeton Wintersession: Software Quality Assurance ToolingHenry Schreiner
 
Mod06 new development tools
Mod06 new development toolsMod06 new development tools
Mod06 new development toolsPeter Haase
 
Gorush: A push notification server written in Go
Gorush: A push notification server written in GoGorush: A push notification server written in Go
Gorush: A push notification server written in GoBo-Yi Wu
 
Beyond printk: Efficient Zynq UltraScale+ MPSoC Linux Debugging and Development
Beyond printk: Efficient Zynq UltraScale+ MPSoC Linux Debugging and DevelopmentBeyond printk: Efficient Zynq UltraScale+ MPSoC Linux Debugging and Development
Beyond printk: Efficient Zynq UltraScale+ MPSoC Linux Debugging and DevelopmentZach Pfeffer
 
Finding target for hacking on internet is now easier
Finding target for hacking on internet is now easierFinding target for hacking on internet is now easier
Finding target for hacking on internet is now easierDavid Thomas
 
Installing nagios core_from_source
Installing nagios core_from_sourceInstalling nagios core_from_source
Installing nagios core_from_sourcelaonap166
 
InterPlanetary File System (IPFS)
InterPlanetary File System (IPFS)InterPlanetary File System (IPFS)
InterPlanetary File System (IPFS)Gene Leybzon
 
Open-source Android 10 on Orange Pi: myth or reality?
Open-source Android 10 on Orange Pi: myth or reality?Open-source Android 10 on Orange Pi: myth or reality?
Open-source Android 10 on Orange Pi: myth or reality?GlobalLogic Ukraine
 
Hands-on Labs: Raspberry Pi 2 + Windows 10 IoT Core
Hands-on Labs: Raspberry Pi 2 + Windows 10 IoT CoreHands-on Labs: Raspberry Pi 2 + Windows 10 IoT Core
Hands-on Labs: Raspberry Pi 2 + Windows 10 IoT CoreAndri Yadi
 
Perl on embedded Linux with Buildroot‎
Perl on embedded Linux with Buildroot‎Perl on embedded Linux with Buildroot‎
Perl on embedded Linux with Buildroot‎François Perrad
 
26.1.7 lab snort and firewall rules
26.1.7 lab   snort and firewall rules26.1.7 lab   snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 

Similar to Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017) (20)

Linux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxLinux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium Sandbox
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)
 
Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)
 
Android 5.0 Lollipop platform change investigation report
Android 5.0 Lollipop platform change investigation reportAndroid 5.0 Lollipop platform change investigation report
Android 5.0 Lollipop platform change investigation report
 
Princeton Wintersession: Software Quality Assurance Tooling
Princeton Wintersession: Software Quality Assurance ToolingPrinceton Wintersession: Software Quality Assurance Tooling
Princeton Wintersession: Software Quality Assurance Tooling
 
Mod06 new development tools
Mod06 new development toolsMod06 new development tools
Mod06 new development tools
 
Gorush: A push notification server written in Go
Gorush: A push notification server written in GoGorush: A push notification server written in Go
Gorush: A push notification server written in Go
 
Beyond printk: Efficient Zynq UltraScale+ MPSoC Linux Debugging and Development
Beyond printk: Efficient Zynq UltraScale+ MPSoC Linux Debugging and DevelopmentBeyond printk: Efficient Zynq UltraScale+ MPSoC Linux Debugging and Development
Beyond printk: Efficient Zynq UltraScale+ MPSoC Linux Debugging and Development
 
Finding target for hacking on internet is now easier
Finding target for hacking on internet is now easierFinding target for hacking on internet is now easier
Finding target for hacking on internet is now easier
 
Installing nagios core_from_source
Installing nagios core_from_sourceInstalling nagios core_from_source
Installing nagios core_from_source
 
InterPlanetary File System (IPFS)
InterPlanetary File System (IPFS)InterPlanetary File System (IPFS)
InterPlanetary File System (IPFS)
 
Open-source Android 10 on Orange Pi: myth or reality?
Open-source Android 10 on Orange Pi: myth or reality?Open-source Android 10 on Orange Pi: myth or reality?
Open-source Android 10 on Orange Pi: myth or reality?
 
Meng
MengMeng
Meng
 
Meng
MengMeng
Meng
 
Hands-on Labs: Raspberry Pi 2 + Windows 10 IoT Core
Hands-on Labs: Raspberry Pi 2 + Windows 10 IoT CoreHands-on Labs: Raspberry Pi 2 + Windows 10 IoT Core
Hands-on Labs: Raspberry Pi 2 + Windows 10 IoT Core
 
Perl on embedded Linux with Buildroot‎
Perl on embedded Linux with Buildroot‎Perl on embedded Linux with Buildroot‎
Perl on embedded Linux with Buildroot‎
 
26.1.7 lab snort and firewall rules
26.1.7 lab   snort and firewall rules26.1.7 lab   snort and firewall rules
26.1.7 lab snort and firewall rules
 
Readme
ReadmeReadme
Readme
 
Gitops Hands On
Gitops Hands OnGitops Hands On
Gitops Hands On
 
Yobi d2 naver(create)
Yobi d2 naver(create)Yobi d2 naver(create)
Yobi d2 naver(create)
 

More from Patricia Aas

NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdfNDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdfPatricia Aas
 
Return Oriented Programming, an introduction
Return Oriented Programming, an introductionReturn Oriented Programming, an introduction
Return Oriented Programming, an introductionPatricia Aas
 
I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)Patricia Aas
 
Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)Patricia Aas
 
Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)Patricia Aas
 
Classic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdfClassic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdfPatricia Aas
 
Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)Patricia Aas
 
Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)Patricia Aas
 
Thoughts On Learning A New Programming Language
Thoughts On Learning A New Programming LanguageThoughts On Learning A New Programming Language
Thoughts On Learning A New Programming LanguagePatricia Aas
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Patricia Aas
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Patricia Aas
 
DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)Patricia Aas
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)Patricia Aas
 
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)Patricia Aas
 
The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))Patricia Aas
 
Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)Patricia Aas
 
Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019) Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019) Patricia Aas
 
Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)Patricia Aas
 
Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)Patricia Aas
 

More from Patricia Aas (20)

NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdfNDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
 
Telling a story
Telling a storyTelling a story
Telling a story
 
Return Oriented Programming, an introduction
Return Oriented Programming, an introductionReturn Oriented Programming, an introduction
Return Oriented Programming, an introduction
 
I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)
 
Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)
 
Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)
 
Classic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdfClassic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdf
 
Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)
 
Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)
 
Thoughts On Learning A New Programming Language
Thoughts On Learning A New Programming LanguageThoughts On Learning A New Programming Language
Thoughts On Learning A New Programming Language
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020
 
DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)
 
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
 
The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))
 
Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)
 
Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019) Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019)
 
Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)
 
Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)
 

Recently uploaded

Enterprise Architecture As Strategy - Book Review
Enterprise Architecture As Strategy - Book ReviewEnterprise Architecture As Strategy - Book Review
Enterprise Architecture As Strategy - Book ReviewAshraf Fouad
 
iOncologi_Pitch Deck_2024 slide show for hostinger
iOncologi_Pitch Deck_2024 slide show for hostingeriOncologi_Pitch Deck_2024 slide show for hostinger
iOncologi_Pitch Deck_2024 slide show for hostingerssuser9354ce
 
New ThousandEyes Product Features and Release Highlights: February 2024
New ThousandEyes Product Features and Release Highlights: February 2024New ThousandEyes Product Features and Release Highlights: February 2024
New ThousandEyes Product Features and Release Highlights: February 2024ThousandEyes
 
CloudStack Authentication Methods – Harikrishna Patnala, ShapeBlue
CloudStack Authentication Methods – Harikrishna Patnala, ShapeBlueCloudStack Authentication Methods – Harikrishna Patnala, ShapeBlue
CloudStack Authentication Methods – Harikrishna Patnala, ShapeBlueShapeBlue
 
Boosting Developer Effectiveness with a Java platform team 1.4 - ArnhemJUG
Boosting Developer Effectiveness with a Java platform team 1.4 - ArnhemJUGBoosting Developer Effectiveness with a Java platform team 1.4 - ArnhemJUG
Boosting Developer Effectiveness with a Java platform team 1.4 - ArnhemJUGRick Ossendrijver
 
Leonis Insights: The State of AI (7 trends for 2023 and 7 predictions for 2024)
Leonis Insights: The State of AI (7 trends for 2023 and 7 predictions for 2024)Leonis Insights: The State of AI (7 trends for 2023 and 7 predictions for 2024)
Leonis Insights: The State of AI (7 trends for 2023 and 7 predictions for 2024)Jay Zhao
 
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...ShapeBlue
 
My Journey towards Artificial Intelligence
My Journey towards Artificial IntelligenceMy Journey towards Artificial Intelligence
My Journey towards Artificial IntelligenceVijayananda Mohire
 
TrustArc Webinar - TrustArc's Latest AI Innovations
TrustArc Webinar - TrustArc's Latest AI InnovationsTrustArc Webinar - TrustArc's Latest AI Innovations
TrustArc Webinar - TrustArc's Latest AI InnovationsTrustArc
 
GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...
GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...
GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...James Anderson
 
PrismCRM-RealEstate-SalesCRM_byCode5Company
PrismCRM-RealEstate-SalesCRM_byCode5CompanyPrismCRM-RealEstate-SalesCRM_byCode5Company
PrismCRM-RealEstate-SalesCRM_byCode5CompanyMustafa Kuğu
 
Microsoft x 2toLead Webinar Session 1 - How Employee Communication and Connec...
Microsoft x 2toLead Webinar Session 1 - How Employee Communication and Connec...Microsoft x 2toLead Webinar Session 1 - How Employee Communication and Connec...
Microsoft x 2toLead Webinar Session 1 - How Employee Communication and Connec...2toLead Limited
 
Geospatial Synergy: Amplifying Efficiency with FME & Esri
Geospatial Synergy: Amplifying Efficiency with FME & EsriGeospatial Synergy: Amplifying Efficiency with FME & Esri
Geospatial Synergy: Amplifying Efficiency with FME & EsriSafe Software
 
AGFM - Toyota Coaster 1HZ Install Guide.pdf
AGFM - Toyota Coaster 1HZ Install Guide.pdfAGFM - Toyota Coaster 1HZ Install Guide.pdf
AGFM - Toyota Coaster 1HZ Install Guide.pdfRodneyThomas28
 
Trending now: Book subjects on the move in the Canadian market - Tech Forum 2024
Trending now: Book subjects on the move in the Canadian market - Tech Forum 2024Trending now: Book subjects on the move in the Canadian market - Tech Forum 2024
Trending now: Book subjects on the move in the Canadian market - Tech Forum 2024BookNet Canada
 
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...Chris Bingham
 
AI improves software testing to be more fault tolerant, focused and efficient
AI improves software testing to be more fault tolerant, focused and efficientAI improves software testing to be more fault tolerant, focused and efficient
AI improves software testing to be more fault tolerant, focused and efficientKari Kakkonen
 
VM Migration from VMware to CloudStack and KVM – Suresh Anaparti, ShapeBlue
VM Migration from VMware to CloudStack and KVM – Suresh Anaparti, ShapeBlueVM Migration from VMware to CloudStack and KVM – Suresh Anaparti, ShapeBlue
VM Migration from VMware to CloudStack and KVM – Suresh Anaparti, ShapeBlueShapeBlue
 
Centralized TLS Certificates Management Using Vault PKI + Cert-Manager
Centralized TLS Certificates Management Using Vault PKI + Cert-ManagerCentralized TLS Certificates Management Using Vault PKI + Cert-Manager
Centralized TLS Certificates Management Using Vault PKI + Cert-ManagerSaiLinnThu2
 
Mind your App Footprint 🐾⚡️🌱 (@FlutterHeroes 2024)
Mind your App Footprint 🐾⚡️🌱 (@FlutterHeroes 2024)Mind your App Footprint 🐾⚡️🌱 (@FlutterHeroes 2024)
Mind your App Footprint 🐾⚡️🌱 (@FlutterHeroes 2024)François
 

Recently uploaded (20)

Enterprise Architecture As Strategy - Book Review
Enterprise Architecture As Strategy - Book ReviewEnterprise Architecture As Strategy - Book Review
Enterprise Architecture As Strategy - Book Review
 
iOncologi_Pitch Deck_2024 slide show for hostinger
iOncologi_Pitch Deck_2024 slide show for hostingeriOncologi_Pitch Deck_2024 slide show for hostinger
iOncologi_Pitch Deck_2024 slide show for hostinger
 
New ThousandEyes Product Features and Release Highlights: February 2024
New ThousandEyes Product Features and Release Highlights: February 2024New ThousandEyes Product Features and Release Highlights: February 2024
New ThousandEyes Product Features and Release Highlights: February 2024
 
CloudStack Authentication Methods – Harikrishna Patnala, ShapeBlue
CloudStack Authentication Methods – Harikrishna Patnala, ShapeBlueCloudStack Authentication Methods – Harikrishna Patnala, ShapeBlue
CloudStack Authentication Methods – Harikrishna Patnala, ShapeBlue
 
Boosting Developer Effectiveness with a Java platform team 1.4 - ArnhemJUG
Boosting Developer Effectiveness with a Java platform team 1.4 - ArnhemJUGBoosting Developer Effectiveness with a Java platform team 1.4 - ArnhemJUG
Boosting Developer Effectiveness with a Java platform team 1.4 - ArnhemJUG
 
Leonis Insights: The State of AI (7 trends for 2023 and 7 predictions for 2024)
Leonis Insights: The State of AI (7 trends for 2023 and 7 predictions for 2024)Leonis Insights: The State of AI (7 trends for 2023 and 7 predictions for 2024)
Leonis Insights: The State of AI (7 trends for 2023 and 7 predictions for 2024)
 
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...
 
My Journey towards Artificial Intelligence
My Journey towards Artificial IntelligenceMy Journey towards Artificial Intelligence
My Journey towards Artificial Intelligence
 
TrustArc Webinar - TrustArc's Latest AI Innovations
TrustArc Webinar - TrustArc's Latest AI InnovationsTrustArc Webinar - TrustArc's Latest AI Innovations
TrustArc Webinar - TrustArc's Latest AI Innovations
 
GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...
GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...
GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...
 
PrismCRM-RealEstate-SalesCRM_byCode5Company
PrismCRM-RealEstate-SalesCRM_byCode5CompanyPrismCRM-RealEstate-SalesCRM_byCode5Company
PrismCRM-RealEstate-SalesCRM_byCode5Company
 
Microsoft x 2toLead Webinar Session 1 - How Employee Communication and Connec...
Microsoft x 2toLead Webinar Session 1 - How Employee Communication and Connec...Microsoft x 2toLead Webinar Session 1 - How Employee Communication and Connec...
Microsoft x 2toLead Webinar Session 1 - How Employee Communication and Connec...
 
Geospatial Synergy: Amplifying Efficiency with FME & Esri
Geospatial Synergy: Amplifying Efficiency with FME & EsriGeospatial Synergy: Amplifying Efficiency with FME & Esri
Geospatial Synergy: Amplifying Efficiency with FME & Esri
 
AGFM - Toyota Coaster 1HZ Install Guide.pdf
AGFM - Toyota Coaster 1HZ Install Guide.pdfAGFM - Toyota Coaster 1HZ Install Guide.pdf
AGFM - Toyota Coaster 1HZ Install Guide.pdf
 
Trending now: Book subjects on the move in the Canadian market - Tech Forum 2024
Trending now: Book subjects on the move in the Canadian market - Tech Forum 2024Trending now: Book subjects on the move in the Canadian market - Tech Forum 2024
Trending now: Book subjects on the move in the Canadian market - Tech Forum 2024
 
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...
 
AI improves software testing to be more fault tolerant, focused and efficient
AI improves software testing to be more fault tolerant, focused and efficientAI improves software testing to be more fault tolerant, focused and efficient
AI improves software testing to be more fault tolerant, focused and efficient
 
VM Migration from VMware to CloudStack and KVM – Suresh Anaparti, ShapeBlue
VM Migration from VMware to CloudStack and KVM – Suresh Anaparti, ShapeBlueVM Migration from VMware to CloudStack and KVM – Suresh Anaparti, ShapeBlue
VM Migration from VMware to CloudStack and KVM – Suresh Anaparti, ShapeBlue
 
Centralized TLS Certificates Management Using Vault PKI + Cert-Manager
Centralized TLS Certificates Management Using Vault PKI + Cert-ManagerCentralized TLS Certificates Management Using Vault PKI + Cert-Manager
Centralized TLS Certificates Management Using Vault PKI + Cert-Manager
 
Mind your App Footprint 🐾⚡️🌱 (@FlutterHeroes 2024)
Mind your App Footprint 🐾⚡️🌱 (@FlutterHeroes 2024)Mind your App Footprint 🐾⚡️🌱 (@FlutterHeroes 2024)
Mind your App Footprint 🐾⚡️🌱 (@FlutterHeroes 2024)
 

Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017)

  • 2. Linux Security and How Web Browser Sandboxes Really Work Patricia Aas SweedenCpp Meetup C++ Stockholm 0x08 2017 @pati_gallardo
  • 3. Patricia Aas Programmer - mainly in C++ and Java Currently : Vivaldi Technologies Previously : Cisco Systems, Knowit, Opera Software Master in Computer Science Twitter : @pati_gallardo
  • 4. One Binary Browser Gpu BrokerZygote Renderer GpuZygote Init Clone/Exec * User/Pid/Net Fork/Exec * * NO_NEW_PRIVS ForkFork Clone
  • 6. Windows of Opportunity Browser Gpu BrokerZygote Renderer GpuZygote Init Clone/Exec * User/Pid/Net Fork/Exec * * NO_NEW_PRIVS ForkFork Clone
  • 7. Namespaces in use CLONE_NEWUSER No privilege is needed to create a USER NS, and in one we can create a PID NS without global privilege. CLONE_NEWPID Same PID number can represent different processes in different PID namespaces. One init (PID 1) process per PID NS CLONE_NEWNET Isolate a process from network @pati_gallardo Zygote + Renderer
  • 8. At Clone : Create NAmespaces Clone flags define the process* created and will create namespaces (NS) for it 1. Test which NS are available 2. Fail if not sufficient 3. Construct the biggest supported and applicable set Emulates fork with longjmp * Also used to create threads @pati_gallardo Zygote + Renderer
  • 9. int flags = CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET; jmp_buf env; if (setjmp(env) == 0) { return CloneAndLongjmpInChild(flags, ptid, ctid, &env); } @pati_gallardo chromium/base/process/launch_posix.cc Code Simplified To Illustrate
  • 10. pid_t CloneAndLongjmpInChild(unsigned long flags, pid_t* ptid, pid_t* ctid, jmp_buf* env) { char stack_buf[PTHREAD_STACK_MIN]; void* stack = stack_buf + sizeof(stack_buf); return clone(&CloneHelper, stack, flags, env, ptid, nullptr, ctid); } @pati_gallardo chromium/base/process/launch_posix.cc Code Simplified To Illustrate
  • 11. int CloneHelper(void* arg) { jmp_buf* env_ptr = reinterpret_cast<jmp_buf*>(arg); longjmp(*env_ptr, 1); // Should not be reached assert(false); return 1; } @pati_gallardo chromium/base/process/launch_posix.cc Code Simplified To Illustrate
  • 13. Shrinking the Sandbox Browser Gpu Broker Seccomp Zygote SYS_ADMIN Renderer Pid capset rlimit Gpu Seccomp Zygote Init User capset chroot Clone/Exec * User/Pid/Net Fork/Exec * * NO_NEW_PRIVS Done post fork ForkFork Clone
  • 14. Seccomp BPF Program Program written in an assembly-like language to filter system-calls. Runs in a simple VM in kernel space. All syscalls will be filtered by this program TSYNC : Once a Seccomp Program is installed it applies to all threads in a process@pati_gallardo Renderer + Gpu + Broker
  • 15. Seccomp : BPF Policies BPF Program defined in a Policy Fundamentally a whitelist, allows a set of syscalls and has custom handling of others. An extended Policy is generally more permissive 1. BaselinePolicy 1.1 GpuProcessPolicy 1.1.1 GpuBrokerProcessPolicy 1.2 RendererProcessPolicy @pati_gallardo Renderer + Gpu + Broker
  • 16. void StartSandboxWithPolicy(sandbox::bpf_dsl::Policy* policy) { SandboxBPF sandbox(policy); assert(sandbox.StartSandbox()); } bool SandboxBPF::StartSandbox() { InstallFilter(); return true; } @pati_gallardo chromium/content/common/sandbox_linux/sandbox_seccomp_bpf_linux.cc chromium/sandbox/linux/seccomp-bpf/sandbox_bpf.cc Code Simplified To Illustrate
  • 17. void SandboxBPF::InstallFilter() { CodeGen::Program program = AssembleFilter(); struct sock_filter bpf[program.size()]; const struct sock_fprog prog = { static_cast<unsigned short>(program.size()), bpf }; memcpy(bpf, &program[0], sizeof(bpf)); assert(prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0); assert(seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, &prog) == 0); } @pati_gallardo chromium/sandbox/linux/seccomp-bpf/sandbox_bpf.cc Code Simplified To Illustrate
  • 18. Chroot : Drop Access to FS - clone(CLONE_FS) a child process - Child chroot(”/proc/self/fdinfo/”) - Child immediately does a chdir(“/”) - Child does _exit(kExitSuccess) You can see this by looking at ls -l /proc/<pid>/root Of the Zygote or any ancestor Credentials::DropFileSystemAccess@pati_gallardo Zygotes + Renderer
  • 19. bool ChrootToSafeEmptyDir() { pid_t pid = -1; char stack_buf[PTHREAD_STACK_MIN]; void* stack = stack_buf + sizeof(stack_buf); int clone_flags = CLONE_FS | LINUX_SIGCHLD; pid = clone(ChrootToSelfFdinfo, stack, clone_flags, nullptr); int status = -1; assert(HANDLE_EINTR(waitpid(pid, &status, 0)) == pid); return WIFEXITED(status) && WEXITSTATUS(status) == kExitSuccess; } @pati_gallardo chromium/sandbox/linux/services/credentials.cc Code Simplified To Illustrate
  • 20. int ChrootToSelfFdinfo(void*) { assert(chroot("/proc/self/fdinfo/") == 0); assert(chdir("/") == 0); _exit(kExitSuccess); } @pati_gallardo chromium/sandbox/linux/services/credentials.cc Code Simplified To Illustrate
  • 21. Trust is Relative Browser Gpu Broker Seccomp Zygote SYS_ADMIN Renderer Pid capset rlimit Gpu Seccomp Zygote Init User capset chroot Clone/Exec * User/Pid/Net Fork/Exec * * NO_NEW_PRIVS Done post fork ForkFork Clone No access to filesystem
  • 23. Sources Michael Kerrisk Book: The Linux Programming Interface Course: Linux Security and Isolation APIs Chromium/Kernel source + Linux Man Pages + lwn.net All Errors Are My Own
  • 24. Linux Security and How Web Browser Sandboxes Really Work Patricia Aas, Vivaldi Technologies @pati_gallardo Photos from pixabay.com
  • 25. Make Everyone Feel Safe To Be Themselves @pati_gallardo
  • 26. Vivaldi Swag Patricia Aas, Vivaldi Technologies @pati_gallardo Photos from pixabay.com