University of Virginia
cs4414: Operating Systems
http://rust-class.org
What happened with Apple's SSL implementation
How to make sure this doesn't happen to you!
Sharing data
ARCs in Rust
Scheduling
For embedded notes, see:
University of Virginia
cs4414: Operating Systems
http://rust-class.org
Explicit vs. Automatic Memory Management
Garbage Collection, Reference Counting
Rust ownership types
For embedded notes, see: http://rust-class.org/class9-pointers-in-rust.html
Kernel-Level Programming: Entering Ring Naught - David Evans
University of Virginia
cs4414: Operating Systems
http://rust-class.org
Leslie Lamport wins the Turing Award!
Hardware-Based Memory Isolation
Software-Based Memory Isolation
Kernel-Level Programming
Which came first, programming languages or operating systems?
Programming without other programs
Kernel development
IronKernel
For embedded notes, see:
http://rust-class.org/class-14-entering-ring-naught.html
Cisco network equipment has always been an attractive attack target due to its prevalence and the key role that it plays in network structure and security.
This equipment is based on a wide variety of OS (firmware) architectures, types, and versions, so it is much harder to develop a universal shellcode. Publicly available Cisco IOS shellcodes are tailored to specific equipment, have narrow functionality, and are not exactly useful for penetration testing.
This talk presents research initiated by our research center to create a shellcode which is as easily portable between different IOS firmwares as possible and which provides a lot of pentesting features because it can dynamically change the shellcode destination at the stage of post-exploitation.
We will also consider the possibility of creating a worm which could spread across the infrastructure, from firewall to router, from router to switch, etc.
seccomp is a computer security facility in the Linux kernel; pledge is a similar security facility in the OpenBSD kernel. In this presentation Giovanni Bechis will review the development story and progress of both kernel interfaces and will analyze the main differences. There will be some examples of implementations of security patches made for some important open source projects.
various tricks for remote linux exploits by Seok-Ha Lee (wh1ant) - CODE BLUE
Modern operating systems include hardened security mechanisms to block exploit attempts. ASLR and NX (DEP) are two examples of the mechanisms that are widely implemented for the sake of security. However, there exist ways to bypass such protections by leveraging advanced exploitation techniques. It becomes harder to achieve code execution when the exploitation originates from a remote location, such as when the attack originates from a client, targeting server daemons. In such cases it is harder to find out the context information of target systems and, therefore, harder to achieve code execution. Knowledge of the memory layout of the targeted process is a crucial piece of the puzzle in developing an exploit, but it is harder to figure out when the exploit attempt is performed remotely. Recently, there have been techniques to leverage information disclosure (memory leak) vulnerabilities to figure out where specific library modules are loaded in the memory layout space, and such classes of vulnerabilities have been proven to be useful to bypass ASLR. However, there is also a different way of figuring out the memory layout of a process running in a remote environment. This method involves probing for valid addresses in the target remote process. In a Linux environment, forked child processes will inherit the already randomized memory layout from the parent process. Thus every client connection made to server daemons will share the same memory layout. The memory layout randomization is only done during the startup of the parent service process, and not randomized again when it is forking a child process to handle client connections. Due to the inheritance of child processes, it is possible to figure out a small piece of different information from every connection, and these pieces can be assembled later to get the idea of a big picture of the target process's remote memory layout.
By probing to see if a given address is a valid memory address in the context of the target remote process and assembling such information together, an attacker can figure out where the libc library is loaded in memory, thus allowing exploits to succeed further in code execution. One might call it brute force, but with a smart brute forcing strategy, the minimum number of required attempts is significantly reduced to fewer than 10 in usual cases. In this talk, we will be talking about how it is possible to probe for memory layout space utilizing a piece of code to put the target in a blocked state, and to achieve stable code execution in remote exploit attempt scenarios using such information, as well as other tricks that are often used in remote exploit development in the Linux environment.
http://codeblue.jp/en-speaker.html#SeokHaLee
SIMD machines — machines capable of evaluating the same instruction on several elements of data in parallel — are nowadays commonplace and diverse, be it in supercomputers, desktop computers or even mobile ones. Numerous tools and libraries can make use of that technology to speed up their computations, yet it could be argued that there is no library that provides a satisfying minimalistic, high-level and platform-agnostic interface for the C++ developer.
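[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF Qualifier Problem Solutions - GangSeok Lee
2012 CodeEngn Conference 06
Secuinside is an international hacking competition and security conference hosted by Koscom and organized by the joint hacking group HARU and the Korea University Graduate School of Information Security. This talk introduces the analysis techniques used to solve the problems from the recently held qualifying round, and a new exploit technique that bypasses ASLR and NX.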
http://codeengn.com/conference/06
Migrating KSM page causes the VM lock up as the KSM page merging list is too ... - Gavin Guo
Topic: Migrating KSM page causes the VM lock up as the KSM page merging list is too large - 2019 OSS China Shanghai
https://sched.co/NruN
- Description
A classic example of kdump related to KSM/khugepaged/NUMA balance/KVM in server/cloud environment.
- Youtube Chinese Presentation
https://youtu.be/oEtkEntScd0
- Speaker: Gavin Guo, Canonical
Technical Lead - Sustaining Engineering
Taipei, Taiwan
Gavin Guo is a Linux kernel developer in the Ubuntu community. He was the speaker for Spectre v2 Internal at 2018 China L3C and KASan debugging at the 2016 China Linux Kernel Conference. He is now working for Canonical in the Customer Success division. He is responsible for the kernel stability and performance tuning of the OpenStack platform, especially in the NUMA (Nonuniform Memory Access), Page Reclaim, and SLUB allocator. He is also the one who introduced KASAN into the team to investigate kernel issues on the OpenStack platform, and that ended a lot of nightmares.
Tokyo APAC Groundbreakers tour - The Complete Java Developer - Connor McDonald
A look at the techniques that middle tier developers can employ to get greater value out of their applications, simply by having an understanding of how the database works and how to make it sing.
Presenter: Nikolay Anisenya
The vast majority of users do not use randomly generated passwords but dictionary words modified according to certain rules. Collections of such rules can be found on the internet, but they are usually compiled and sorted semi-automatically or manually using leaked databases of password hashes, without taking certain particulars into account (for example, how users employ their personal data, such as name or year of birth, when creating a password). The presenter of the master class will describe a brute-force attack based on password transformation rules, propose a way to shorten the list of rules in order to optimize the attack, and compare his method with existing approaches.
Down to Stack Traces, up from Heap Dumps - Andrei Pangin
Deeper than stack traces, wider than heap dumps
Stack traces and heap dumps are not just debugging tools; they are secret doors into the very depths of the Java virtual machine. The talk is devoted to little-known JDK features that are connected in one way or another with heap walking and thread stacks.
We will cover:
- how to take dumps in production without side effects;
- how the jmap and jstack utilities work internally, and what the trick behind forced mode is;
- why all profilers lie, and how to deal with it;
- the new Stack-Walking API in Java 9;
- how to scan the heap using JVMTI;
- undocumented HotSpot functions and other interesting things.
Specializing the Data Path - Hooking into the Linux Network Stack - Kernel TLV
Ever needed to add your custom logic into the network stack?
Ever hacked the network stack but wasn't certain you're doing it right?
Shmulik Ladkani talks about various mechanisms for customizing packet processing logic to the network stack's data path.
He covers topics such as packet sockets, netfilter hooks, traffic control actions and eBPF. We will discuss their applicable use-cases, advantages and disadvantages.
Shmulik Ladkani is a Tech Lead at Ravello Systems.
Shmulik started his career at Jungo (acquired by NDS/Cisco) implementing residential gateway software, focusing on embedded Linux, Linux kernel, networking and hardware/software integration.
51966 coffees and billions of forwarded packets later, with millions of homes running his software, Shmulik left his position as Jungo’s lead architect and joined Ravello Systems (acquired by Oracle) as tech lead, developing a virtual data center as a cloud service. He's now focused around virtualization systems, network virtualization and SDN.
Evgeniy Muralev, Mark Vince, Working with the compiler, not against it - Sergey Platonov
The talk will look at limitations of compilers when creating fast code, how to make more effective use of the underlying micro-architecture of modern CPUs, and how algorithmic optimizations may have surprising effects on the generated code. We shall discuss several specific CPU architecture features and their pros and cons in relation to creating fast C++ code. We then expand with several algorithmic techniques, not usually well-documented, for making faster, compiler-friendly C++.
Note that we shall not discuss caching and related issues here as they are well documented elsewhere.
Packet Filter is OpenBSD's system for filtering TCP/IP traffic and doing Network Address Translation. PF is also capable of normalizing and conditioning TCP/IP traffic, as well as providing bandwidth control and packet prioritization.
Invent the Future (Operating Systems in 2029) - David Evans
University of Virginia
cs4414: Operating Systems
http://rust-class.org
For embedded notes, see:
http://rust-class.org/class-23-invent-the-future.html
"Even so, mankind will suffer badly from the disease of boredom, a disease spreading more widely each year and growing in intensity. This will have serious mental, emotional and sociological consequences, and I dare say that psychiatry will be far and away the most important medical specialty in 2014. The lucky few who can be involved in creative work of any sort will be the true elite of mankind, for they alone will do more than serve a machine.
Indeed, the most somber speculation I can make about A.D. 2014 is that in a society of enforced leisure, the most glorious single word in the vocabulary will have become work!"
Isaac Asimov, visit to the 2014 World's Fair, 1964
This presentation covers the understanding of system calls for various resource management and covers system calls for file management in detail. Understanding how to use system calls helps in getting started with device driver programming on Unix/Linux OS.
[See a more recent version of this talk here: http://www.slideshare.net/DavidEvansUVa/invent-the-future-operating-systems-in-2029]
http://rust-class.org
How to make Predictions
You Will (but the company that brought it to you wasn't AT&T)
Why is Human Progress Increasing Exponentially
Neil deGrasse Tyson and Science's Endless Golden Age
Malthus
Malthus' Fallacy
What the Future Holds
University of Virginia
cs4414: Operating Systems
http://rust-class.org
The Internet
Benchmarking: Customer vs. Developer
Cheating on Benchmarks
Networking
Latency and Bandwidth
Tracing Routes
Network Layers
For embedded notes and videos, see:
http://rust-class.org/class-13-the-internet.html
University of Virginia
cs4414: Operating Systems
http://rust-class.org
Scheduling in Linux, 2002-2014
Energy and Scheduling
OSX Mavericks Timer Coalescing
Scheduling Web Servers
Healthcare.gov
For embedded notes, see: http://rust-class.org/class-12-scheduling-in-linux-and-web-servers.html
University of Virginia
cs4414: Operating Systems
Rust Expressions and Higher-Order Procedures
How to Share a Processor
Non-Preemptive and Preemptive Multitasking
Kernel Timer Interrupt
cs4414: Operating Systems
http://rust-class.org/class-1-what-is-an-operating-system.html
Class 1: What is an Operating System?
Why so many programming languages?
Introducing Rust
University of Virginia
cs4414: Operating Systems
http://rust-class.org
What is special about the kernel
Privileged Instructions
How many processes should a browser have?
gash demo
University of Virginia
cs4414: Operating Systems
http://rust-class.org
Explicit Memory Management
4.3BSD
Morris Worm
fingerd code
NX bit
For embedded notes, see: http://rust-class.org/class-8-managing-memory.html
Smarter Scheduling (Priorities, Preemptive Priority Scheduling, Lottery and S... - David Evans
University of Virginia
cs4414: Operating Systems
http://rust-class.org
Scheduling Recap
Real-Time Scheduling
On-Demand vs. Planned Scheduling
First Come, First Served
Round-Robin
Priorities
Priority Preemptive
Priority Inversion
Lottery Scheduling
Stride Scheduling
For embedded notes, see: http://rust-class.org/class-11-smarter-scheduling.html
Sysdig is a new dynamic tracer for Linux, inspired by strace, dtrace, and tcpdump. Very useful as a super fast strace replacement and systemwide performance/security/etc. diagnostics.
From banking details to glimpses of passwords, there are lots of valuable data elements on your screen. Unfortunately, as far as Apple’s Mac is concerned this information is up for grabs to whoever gets there first. This is due to the lack of protections surrounding the pixel grabbing APIs of the operating system. With ease of access to computer vision libraries and services, attackers can track screens at scale to pick out only the useful information.
Apple ships a screen capture utility to make it easy for the user to take screenshots. In this presentation, we will lift the bonnet of this utility to learn about the APIs surrounding screen grabbing. Armed with the knowledge, we will explore discovered malware that takes screenshots. Then, we will build better, stealthier malware as an educational exercise. And finally, we will explore some options for improving security of the operating system so that the user can continue enjoying the convenience of taking screenshots but malware would have to work harder.
Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide... - Marco Balduzzi
Protocol gateways are embedded devices used in industrial facilities to integrate legacy equipment such as serial PLCs with modern control networks. Given the importance that these devices play in the operation of manufacturing plants, we conducted a vendor agnostic analysis of the technology behind protocol translation, by identifying new unexplored weaknesses and vulnerabilities. We evaluated five popular gateway products and discovered translation problems that enable potential adversaries to conduct stealthy and difficult-to-detect attacks, for example to arbitrarily disable or enable targeted machinery by means of innocent-looking packets that bypass common ICS firewalls. In this presentation, we share the results of our findings and discuss the impact of the problems that we identified and their potential countermeasures.
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak PROIDEA
Speaker: Andrzej Dyjak
Language: English
In recent years, the security industry has started to grow fond of Apple’s iOS and OS X platforms. This talk will cover one of XNU's flagship debugging utilities: DTrace, a dynamic tracing framework for troubleshooting kernel and application problems on production systems in real time. It will be shown how it can be used in order to ease various tasks within the realm of dynamic binary analysis and beyond.
CONFidence: http://confidence.org.pl/
A quick tutorial on what debuggers are and how to use them. We present a debugging example using GDB. At the end of this tutorial, you will be able to work your way through a crash and analyze the cause of the error responsible for the crash.
Capture the Flag (CTF) events are information security challenges. They are fun, but they also provide an opportunity to practise for real-world security challenges.
In this talk we present the concept of CTF. We focus on some tools used by our team, which can also be used to solve real-world problems.
Trick or Treat?: Bitcoin for Non-Believers, Cryptocurrencies for Cypherpunks - David Evans
David Evans
DC Area Crypto Day
Johns Hopkins University
30 October 2015
This (non-research) talk will start with a tutorial introduction to cryptocurrencies and how bitcoin works (and doesn’t work) today. We’ll touch on some of the legal, policy, and business aspects of bitcoin and discuss some potential research opportunities in cryptocurrencies.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti... - Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Key Trends Shaping the Future of Infrastructure.pdf - Cheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Transcript: Selling digital books in 2024: Insights from industry leaders - T... - BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview - Prayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
5. Course Goal Reminder: Minimizing Magic
[Figure from Class 1: the span between "It's all magic!" / Physics and "Cool Computing Stuff", labeled with the courses cs1110, cs2110, cs2150, cs2330, cs3330, cs3102, cs4414, cs4610 and electives]
If you have any gaps left (other than synchronization primitives), post them in comments or email me.
7. What’s wrong with Zhtta?
Note: because of the way pathnames are handled, I think it is probably actually secure (except for links in www/).
8. Why Might Letting Anyone Read Any File on your Machine Be a Bad Idea?
LMGTFY
9. This is serious: actually trying the passwords would be wrong and criminal.*
* Just because someone “broadcasts” their password or uses laughable security, doesn’t mean the FBI considers it “authorized” access. Whether it is you or Google that is breaking the law in this case is unclear.
11. Zhtta and Apache’s (Partial) Solution
in httpd.conf:
    DocumentRoot /home/evans/htdocs/
Apache will only serve files in DocumentRoot’s subtree.
12. Apache’s (Partial) Solution
in httpd.conf:
    DocumentRoot /home/evans/htdocs/
    <Directory />
        Options FollowSymLinks
    </Directory>
Oops! Now it will follow symlinks inside the DocumentRoot subtree to anywhere…
13. Apache’s (Further) Solution
in httpd.conf:
    User #-1
Apache starts running as root (uid = 0) to be able to listen on port 80, which is the default web port.
By default, it switches to run as uid = -1 (“nobody”) when processing requests.
14.
bash-3.2$ ps aux | grep httpd
dave 20926 0.0 0.0 2423356 208 p0 R+ 10:15PM 0:00.00 grep httpd
_www 20923 0.0 0.0 2437400 700 ?? S 10:15PM 0:00.00 httpd
root 20922 0.0 0.0 2437400 2376 ?? Ss 10:15PM 0:00.05 httpd
# after one request
bash-3.2$ ps aux | grep httpd
dave 20934 0.0 0.0 2432768 620 p0 S+ 10:16PM 0:00.00 grep httpd
_www 20932 0.0 0.0 2437400 700 ?? S 10:16PM 0:00.00 httpd
_www 20931 0.0 0.0 2437400 700 ?? S 10:16PM 0:00.00 httpd
_www 20930 0.0 0.0 2437400 896 ?? S 10:16PM 0:00.00 httpd
_www 20923 0.0 0.0 2437400 1800 ?? S 10:15PM 0:00.01 httpd
root 20922 0.0 0.0 2437400 2376 ?? Ss 10:15PM 0:00.05 httpd
24. Unix File Mode Permission Bits
owner: read, write, execute
group: read, write, execute
others: read, write, execute
+ 7 bits for other stuff: file/directory, symbolic link, etc.
Examples: 666, 644, 000, 755
25.
How does Apache create processes running as different users?
26. Changing Users
int setuid(uid_t uid);
real user id (ruid) = owner of the process
effective user id (euid) = ID used in access control decisions
saved user id (suid) = previous user ID that may be restored
27. Using setuid
httpd
euid: 0 (root)
HTTP GET ./../../../user/dave/secrets.txt
handler
    pid_t handler = fork();
    if (handler == 0) {
        setuid(-1);
        …
    }
    fopen(pathname, "r")
Error: secrets.txt not readable to user nobody
28. Using setuid
Principle of Least Privilege
Running code should have as little power as possible to get the job done.
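A handler that gives up root in the way the "Using setuid" slides sketch, but with every return value checked and the result verified. This is an added example, not code from the lecture or from Apache; the outcome codes, the function names and the uid/gid 65534 for "nobody" are assumptions of this example.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome codes are this example's own, not Apache's. */
enum { DROPPED = 0, NOT_ROOT = 1, DROP_FAILED = 2, STILL_ROOT = 3 };

/* Give up root for good. Supplementary groups and the gid go first, while
 * the process still has the privilege to change them. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return NOT_ROOT;            /* only root can switch users */
    if (setgroups(1, &gid) != 0)
        return DROP_FAILED;
    if (setgid(gid) != 0)
        return DROP_FAILED;
    if (setuid(uid) != 0)
        return DROP_FAILED;
    /* Called by root, setuid() replaces the real, effective and saved ids.
     * Verify instead of trusting: getting root back must now fail. */
    if (getuid() == 0 || geteuid() == 0 || setuid(0) == 0)
        return STILL_ROOT;
    return DROPPED;
}

/* Fork a handler as on the slides, drop privileges in it, and report the
 * outcome to the parent through the exit status. */
int drop_in_handler(uid_t uid, gid_t gid)
{
    int status;
    pid_t handler = fork();
    if (handler < 0)
        return -1;
    if (handler == 0) {
        int rc = drop_privileges(uid, gid);
        /* A real handler stops here unless rc == DROPPED; it must never
         * go on to open request paths while still privileged. */
        _exit(rc);
    }
    if (waitpid(handler, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* 65534 is "nobody" on many Linux systems (assumption). */
    printf("outcome: %d\n", drop_in_handler(65534, 65534));
    return 0;
}
```

Run unprivileged, the handler reports NOT_ROOT; asking it to "drop" to uid 0 is never reported as DROPPED.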
33.
gash> curl http://apache.mirrors.tds.net//httpd/httpd-2.4.9.tar.gz | tar xz
gash> cd httpd-2.4.9/
gash> find . -name "*.c" -print | xargs grep "setuid("
./modules/arch/unix/mod_privileges.c: if (cfg->uid && (setuid(ap_unixd_config.user_id) == -1)) {
./modules/arch/unix/mod_privileges.c: if (cfg->uid && (setuid(cfg->uid) == -1)) {
./modules/arch/unix/mod_unixd.c: setuid(ap_unixd_config.user_id) == -1)) {
./modules/arch/unix/mod_unixd.c: setuid(ap_unixd_config.user_id) == -1)) {
./os/bs2000/os.c:/* This routine complements the setuid() call: it causes the BS2000 job
./os/bs2000/os.c:/* BS2000 requires a "special" version of fork() before a setuid() call */
./os/unix/unixd.c:/* This routine complements the setuid() call: it causes the BS2000 job
./os/unix/unixd.c:/* BS2000 requires a "special" version of fork() before a setuid() call */
./server/mpm/prefork/prefork.c: /* BS2000 requires a "special" version of fork() before a setuid() call */
./support/suexec.c: * before we setuid().
./support/suexec.c: * setuid() to the target user. Error out on fail.
./support/suexec.c: if ((setuid(uid)) != 0) {
34.
in mod_privileges.c:
    /* if either user or group are not the default, restore them */
    if (cfg->uid || cfg->gid) {
        if (setppriv(PRIV_ON, PRIV_EFFECTIVE, priv_setid) == -1) {
            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02136)
                          "PRIV_ON failed restoring default user/group");
        }
        if (cfg->uid && (setuid(ap_unixd_config.user_id) == -1)) {
            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02137)
                          "Error restoring default userid");
        }
        if (cfg->gid && (setgid(ap_unixd_config.group_id) == -1)) {
            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02138)
                          "Error restoring default group");
        }
    }
35. Apache’s (Further) Solution
A few minutes ago…
in httpd.conf:
    User #-1
Apache starts running as root (uid = 0) to be able to listen on port 80, which is the default web port.
By default, it switches to run as uid = -1 (“nobody”) when processing requests.
36.
in mod_unixd.c:
    static int
    unixd_drop_privileges(apr_pool_t *pool, server_rec *s)
    {
        …
        /* Only try to switch if we're running as root */
        if (!geteuid() && (setuid(ap_unixd_config.user_id) == -1)) {
            rv = errno;
            ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL, APLOGNO(02162)
                         "setuid: unable to change to uid: %ld",
                         (long) ap_unixd_config.user_id);
            return rv;
        }
37.
in support/suexec.c:
    … copyright and license
    /*
     * suexec.c -- "Wrapper" support program for suEXEC behaviour for Apache
     *
     ***********************************************************************
     *
     * NOTE! : DO NOT edit this code!!! Unless you know what you are doing,
     *         editing this code might open up your system in unexpected
     *         ways to would-be crackers. Every precaution has been taken
     *         to make this code as safe as possible; alter it at your own
     *         risk.
     *
     ***********************************************************************
     *
     *
     */
38.
    /*
     * setuid() to the target user. Error out on fail.
     */
    if ((setuid(uid)) != 0) {
        log_err("failed to setuid (%lu: %s)\n", (unsigned long)uid, cmd);
        exit(110);
    }
39.
    …
    /*
     * Stat the cwd and verify it is a directory, or error out.
     */
    if (((lstat(cwd, &dir_info)) != 0) || !(S_ISDIR(dir_info.st_mode))) {
        log_err("cannot stat directory: (%s)\n", cwd);
        exit(115);
    }
    …
40.
    /*
     * Error out if cwd is writable by others.
     */
    if ((dir_info.st_mode & S_IWOTH) || …) {
        log_err("directory is writable by others: (%s)\n", cwd);
        exit(116);
    }
    /*
     * Error out if we cannot stat the program.
     */
    if (((lstat(cmd, &prg_info)) != 0) || …) {
        log_err("cannot stat program: (%s)\n", cmd);
        exit(117);
    }
    /*
     * Error out if the program is writable by others.
     */
    if ((prg_info.st_mode & S_IWOTH) || …) {
        log_err("file is writable by others: (%s/%s)\n", cwd, cmd);
        exit(118);
    }
    /*
     * Error out if the file is setuid or setgid.
     */
    if ((prg_info.st_mode & S_ISUID) || (prg_info.st_mode & S_ISGID)) {
        log_err("file is either setuid or setgid: (%s/%s)\n", cwd, cmd);
        exit(119);
    }
    /*
     * Error out if the target name/group is different from
     * the name/group of the cwd or the program.
     */
    if ((uid != dir_info.st_uid) || …) {
        …
        exit(120);
    }
    /*
     * Error out if the program is not executable for the user.
     * Otherwise, she won't find any error in the logs except for
     * "[error] Premature end of script headers: ..."
     */
    if (!(prg_info.st_mode & S_IXUSR)) {
        log_err("file has no execute permission: (%s/%s)\n", cwd, cmd);
        exit(121);
    }
41.
        /*
         * Execute the command, replacing our image with its own.
         */
        ...
        execv(cmd, &argv[3]);
        /*
         * (I can't help myself...sorry.)
         *
         * Uh oh. Still here. Where's the kaboom? There was supposed to be an
         * EARTH-shattering kaboom!
         *
         * Oh well, log the failure and error out.
         */
        log_err("(%d)%s: exec failed (%s)\n", errno, strerror(errno), cmd);
        exit(255);
    }
42.
    /*
     * suexec.c -- "Wrapper" support program for suEXEC behaviour for Apache
     ***********************************************************************
     *
     * NOTE! : DO NOT edit this code!!! Unless you know what you are doing,
     *         editing this code might open up your system in unexpected
     *         ways to would-be crackers. Every precaution has been taken
     *         to make this code as safe as possible; alter it at your own risk.
     */
        …
        if ((setuid(uid)) != 0) {
            log_err("failed to setuid (%lu: %s)\n", (unsigned long)uid, cmd);
            exit(110);
        }
        …
        /*
         * Error out if the program is writable by others.
         */
        if ((prg_info.st_mode & S_IWOTH) || …) {
            log_err("file is writable by others: (%s/%s)\n", cwd, cmd);
            exit(118);
        }
        …
        /*
         * Error out if the program is not executable for the user.
         * Otherwise, she won't find any error in the logs except for
         * "[error] Premature end of script headers: ..."
         */
        if (!(prg_info.st_mode & S_IXUSR)) {
            log_err("file has no execute permission: (%s/%s)\n", cwd, cmd);
            exit(121);
        }
        …
        execv(cmd, &argv[3]);
        log_err("(%d)%s: exec failed (%s)\n", errno, strerror(errno), cmd);
        exit(255);
    }
43.
Well done Apache!
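The mode-bit and ownership checks from the suexec.c excerpts, run against the example modes from the permission-bits slide. This is an added example, not Apache's code: the function names are hypothetical, the return values reuse the exit codes shown in the excerpts, the conditions the slides elide with "…" are left out, and refusing non-regular files is this example's own choice.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Result codes reuse the exit codes visible in the suexec.c excerpts. */
enum { VET_OK = 0, VET_NOSTAT = 117, VET_WRITABLE = 118,
       VET_SETID = 119, VET_OWNER = 120, VET_NOEXEC = 121 };

/* Mode-bit and owner checks, in the same order as the excerpts. */
int vet_mode(mode_t mode, uid_t owner, uid_t target)
{
    if (mode & S_IWOTH)             return VET_WRITABLE; /* others may write */
    if (mode & (S_ISUID | S_ISGID)) return VET_SETID;    /* setuid or setgid */
    if (owner != target)            return VET_OWNER;    /* not the target's */
    if (!(mode & S_IXUSR))          return VET_NOEXEC;   /* owner cannot run */
    return VET_OK;
}

/* lstat() does not follow a final symlink, so a link is judged as a link.
 * Refusing anything but a regular file is this example's own rule. */
int vet_program(const char *path, uid_t target)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return VET_NOSTAT;
    return vet_mode(st.st_mode, st.st_uid, target);
}

/* Constructed input: a temporary file set to the requested mode. */
int vet_temp_file(mode_t mode)
{
    char path[] = "/tmp/vet_demo_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    int rc = fchmod(fd, mode) == 0 ? vet_program(path, geteuid()) : -1;
    close(fd);
    unlink(path);
    return rc;
}

int main(void)
{
    /* The four modes from the permission-bits slide, plus a setuid one. */
    mode_t modes[] = { 0666, 0644, 0000, 0755, 04755 };
    for (size_t i = 0; i < sizeof modes / sizeof modes[0]; i++)
        printf("%04o -> %d\n", (unsigned)modes[i], vet_temp_file(modes[i]));
    return 0;
}
```

Of the slide's four modes only 755 passes: 666 is refused as writable by others, and 644 and 000 as not executable by the owner.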
44. How is setuid implemented?
    if ((setuid(uid)) != 0) {
        log_err("failed to setuid (%lu: %s)\n", …);
        exit(110);
    }
51.
Page 2213 of Intel x86 Manual:
http://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-manual-325462.pdf
Modern x86 Design: “APIC” = “Advanced PIC”
52.
Page 2213 of Intel x86 Manual:
http://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-manual-325462.pdf
What should generate an “External Interrupt”?
What should generate a “Local Interrupt”?
64.
    /**
     * commit_creds - Install new credentials upon the current task
     * @new: The credentials to be assigned
     *
     * Install a new set of credentials to the current task, using RCU to replace
     * the old set. Both the objective and the subjective credentials pointers are
     * updated. This function may not be called if the subjective credentials are
     * in an overridden state.
     *
     * This function eats the caller's reference to the new credentials.
     *
     * Always returns 0 thus allowing this function to be tail-called at the end
     * of, say, sys_setgid().
     */
    int commit_creds(struct cred *new)
    {
        …
65.
    int commit_creds(struct cred *new)
    {
        struct task_struct *task = current;
        /* do it
         * RLIMIT_NPROC limits on user->processes have already been checked
         * in set_user().
         */
        alter_cred_subscribers(new, 2);
        if (new->user != old->user)
            atomic_inc(&new->user->processes);
        rcu_assign_pointer(task->real_cred, new);
        rcu_assign_pointer(task->cred, new);
        if (new->user != old->user)
            atomic_dec(&old->user->processes);
        alter_cred_subscribers(old, -2);
        …
68. Charge
Sign up for PS4 demos today!
PS4 is due 11:59pm Sunday, 6 April
When writing security-sensitive code, emulate Apache’s suEXEC, not glibc or the Linux kernel.
(Note: any code that runs on the Internet is “security-sensitive”.)