Presentation for openSUSE Asia Summit 2015.
Here I explained what kind of security risks Docker has, and how we can reduce those risks by using AppArmor.
DEF CON 23: Stick That In Your (root)Pipe & Smoke It (Synack)
You may ask: "why would Apple add an XPC service that can create setuid files anywhere on the system, and then blindly allow any local user to leverage this service?" Honestly, I have no idea!
The undocumented 'writeconfig' XPC service was recently uncovered by Emil Kvarnhammar, who determined that its lax controls could be abused to escalate one's privileges to root. Dubbed 'rootpipe', this bug was patched in OS X 10.10.3. End of story, right? Nope, instead things got quite interesting. First, Apple decided to leave older versions of OS X unpatched. Then, an astute researcher discovered that the OSX/XSLCmd malware, which pre-dated the disclosure, had exploited this same vulnerability as a 0day! Finally, yours truly found a simple way to side-step Apple's patch and re-exploit the core vulnerability on a fully patched system. So come attend (but maybe leave your MacBooks at home) as we dive into the technical details of XPC and the rootpipe vulnerability, explore how malware exploited this flaw, and then fully detail the process of completely bypassing Apple's patch. The talk will conclude by examining Apple's response, a second patch, that appears to squash 'rootpipe'... for now.
Richard Wartell: Malware is Hard. Let's Go Shopping!! (Shakacon)
Writing a successful, protected, targeted, malicious binary is a software development task that requires great skill. A well-written piece of targeted malware should evade anti-virus solutions, hide its network communications, protect itself against reverse engineering, and clean up any forensic evidence of its existence on the system. However, writing a mediocre piece of targeted malware that works most of the time is easy. There are many publicly available backdoors, downloaders, and keyloggers that require little to no expertise to use, and poorly trained malware authors try to roll their own all the time.
Working in malware detection and reverse engineering, I see some of the intelligent choices malware authors make, but more often I see the hilariously poor code they write. During this talk I will demonstrate how to reverse engineer real world malware. I will focus on samples with interesting and comical mistakes, as well as samples that are impressive and well written.
Timings of Init: Android Ramdisks for the Practical Hacker (Stacy Devino)
Android Ramdisks basics presented at the Big Android BBQ 2014.
Covers some of SELinux for Android, kernels, startup sequences, services, classes, and properties,
plus some practical examples of how they can be used in your Android embedded or debugging work.
Black Hat '15: Writing Bad @$$ Malware for OS X (Synack)
In comparison to Windows malware, known OS X threats are really quite lame. As an Apple user who has drunk the 'Apple Juice', I didn't think that was fair!
From novel persistence techniques to native OS X components that can be abused to thwart analysis, this talk will detail exactly how to create elegant, bad@ss OS X malware. And since detection is often a death knell for malware, the talk will also show how OS X's native malware mitigations and 3rd-party security tools were bypassed. For example, I'll detail how Gatekeeper was remotely bypassed to allow unsigned downloaded code to be executed, how Apple's 'rootpipe' patch was side-stepped to gain root on a fully patched system, and how all popular 3rd-party AV and personal firewall products were generically bypassed by my simple proof-of-concept malware.
However, don't throw out your Macs just yet! The talk will conclude by presenting several free security tools that can generically detect or even prevent advanced OS X threats. Armed with such tools, we'll ensure that our computers are better protected against both current and future OS X malware.
So unless you work for Apple, come learn how to take your OS X malware skills to the next level and better secure your Mac at the same time!
DEF CON 23: Internet of Things: Hacking 14 Devices (Synack)
It is easy to find poorly designed devices with poor security, but how do the market-leading devices stack up? Are they more secure than a Linux-powered rifle? This presentation documents our effort to assess the state of security of top-selling Internet of Things devices.
We procured 14 of the leading “connected home” IoT devices and tore them down, all the way from software to hardware and compared their relative security. This talk will demonstrate techniques useful for assessing any IoT device, while showing how they were applied across a wide range of devices.
Attend for stories of device rooting, SSL interception, firmware unpacking, mobile app vulnerabilities and more. Stay to find out why your favorite new gadget might just be a backdoor into your home. If you own (or are considering buying) one of the following devices, come and find out how secure it actually is!
Devices:
D-Link DCS-2132L
Dropcam Pro
Foscam FI9826W
Simplicam
Withings Baby Monitor
Ecobee
Hive
Honeywell Lyric
Nest Thermostat
Nest Protect
Control4 HC-250
Lowe's Iris
Revolv
SmartThings
Samsung Smart Refrigerator (model RF28HMELBSR)
Samsung LED Smart TV (model UN32J5205AFXZA)
REASON:
The best thing about this talk is that it covers a large number of devices, all of which are among the industry leaders for their category.
While we have published the high level findings from assessing these devices, this talk will include full technical details on how to attack each of these devices, and full tech details on any of the vulns which we found. Those details have not yet been released, and will be of interest to anyone who owns or wants to hack any of these devices.
This presentation from ShmooCon 2016 elaborates on a trivial bypass of Apple’s Gatekeeper, a core OS X security mechanism, which still remains flawed following Apple’s patch efforts to the vulnerabilities previously reported and presented by Patrick Wardle at Virus Bulletin 2015.
This presentation from Virus Bulletin 2015 provides a solid technical overview of Gatekeeper's design and implementation, and discusses both patched and currently unpatched vulnerabilities or weaknesses in this core OS X security mechanism.
Serverless Security: Defence Against the Dark Arts (Yan Cui)
Recording: https://www.youtube.com/watch?v=bnXp29kQIwU
Real-world serverless podcast: https://realworldserverless.com
Learn Lambda best practices: https://lambdabestpractice.com
Blog: https://theburningmonk.com
Consulting services: https://theburningmonk.com/hire-me
Production-Ready Serverless workshop: https://productionreadyserverless.com
AWS has taken over the responsibilities of patching the OS and securing the underlying physical infrastructure that runs your serverless application, so what’s left for you to secure? Quite a bit it turns out.
The OWASP Top 10 is as relevant to you as ever; DoS attacks are still a threat, even if you can probably brute-force your way through them because AWS auto-scales Lambda functions automatically; and did you know attackers can easily steal your AWS credentials via your application dependencies?
In addition to the traditional threats, serverless applications have more granular deployment units and therefore there are more things to configure and secure, and the tools and practices are still catching up with this fast-changing world.
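One concrete instance of "more things to configure and secure" is the IAM execution role that every Lambda function gets. If a dependency does leak the function's credentials, the damage is bounded by that role, so wildcard grants are worth catching before deployment. The following linter is an added example for this page, not Yan Cui's code; the abstract does not name IAM, and both policy documents below are constructed (123456789012 is the usual placeholder account ID). RESOURCE_STAR_OK is an assumed short list of actions that take no resource ARN; extend it from the IAM service authorization reference.

```python
"""Lint a Lambda execution-role policy for the wildcard grants that turn a
stolen function credential into something far more damaging than necessary.
Added example, not the speaker's code; policies below are constructed."""
import json
from typing import Any, Dict, List

# Assumed allow-list: actions that genuinely accept only Resource "*".
RESOURCE_STAR_OK = {"sts:GetCallerIdentity", "ec2:DescribeInstances"}


def _as_list(value: Any) -> List[Any]:
    """IAM allows a bare string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy: Dict[str, Any]) -> List[str]:
    """Return one human-readable finding per over-broad grant in Allow statements."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid") or f"Statement[{i}]"
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append(f"{sid}: NotAction allows every action except those listed")
        if "NotResource" in stmt:
            findings.append(f"{sid}: NotResource allows every resource except those listed")
        for action in actions:
            if action == "*":
                findings.append(f"{sid}: Action '*' is full administrative access")
            elif action.endswith(":*"):
                findings.append(f"{sid}: service-wide wildcard action '{action}'")
        star_resource = "*" in resources
        if star_resource and not all(a in RESOURCE_STAR_OK for a in actions):
            findings.append(f"{sid}: Resource '*' on actions that accept resource ARNs")
        if star_resource and any(a.lower() == "iam:passrole" for a in actions):
            findings.append(f"{sid}: iam:PassRole on Resource '*' lets the function hand any role to another service")
    return findings


def lint_policy_json(document: str) -> List[str]:
    """Convenience wrapper for a policy document read from a file or template."""
    return lint_policy(json.loads(document))


# Constructed: the kind of role a framework generates when nobody looks.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Logs", "Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "*"},
        {"Sid": "Data", "Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
        {"Sid": "Pass", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

# Constructed: the same function's needs, scoped to its own log group and table.
TIGHT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Logs", "Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:eu-west-1:123456789012:log-group:/aws/lambda/orders:*"},
        {"Sid": "Data", "Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
         "Resource": "arn:aws:dynamodb:eu-west-1:123456789012:table/orders"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("tight", TIGHT_POLICY)):
        print(name, "->", lint_policy(policy) or ["no findings"])
```

Run it against the role JSON your deployment tool emits (`lint_policy_json(open(path).read())`) as a CI gate; a non-empty result should fail the build rather than just log.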
IoT exploitation: from memory corruption to code execution by Marco Romano (Codemotion)
#Codemotion Rome 2018 - Through an "IoT pentester's diary", we walk through the key steps of a penetration test against an IP webcam, from mapping the attack surface to finding a real vulnerability. An introduction to exploitation, taking us from a buffer overflow to remote code execution.
[Confidence0902] The Glass Cage - Virtualization Security (Claudio Criscione)
The Glass Cage, the presentation I gave at Confidence 2009-02 about virtualization security, detailing various attack patterns against virtualization infrastructures.
Kernel Recipes 2013 - Linux Security Modules: different formal concepts (Anne Nicolas)
This talk surveys the differences between the security models implemented by the various Linux Security Modules in the Linux kernel.
An introduction to the implementation will be presented, to show how to develop a security module.
Containerd: Building a Container Supervisor by Michael Crosby (Docker, Inc.)
Containerd is a container supervisor that allows users to manage the lifecycle of a container as well as interact with the container while it is executing. Containerd was built to fulfil many of the requirements we expect from a modern supervisor, all while staying small and fast. In this talk, we will discuss some of the design decisions that shaped containerd's architecture, which allow it to reattach to running containers if it was killed, and how it is designed to start hundreds of containers in seconds.
Thinking Inside the Container: A Continuous Delivery Story by Maxfield Stewart (Docker, Inc.)
Riot builds a lot of software. At the start of 2015 we were looking at 3000 build jobs over a hundred different applications and dozens of teams. We were handling nearly 750 jobs per hour and our build infrastructure needed to grow rapidly to meet demand. We needed to give teams total control of the "stack" used to build their applications, and we needed a solution that enabled agile delivery to our players. On top of that, we needed a scalable system that would allow a team of four engineers to support over 250.
After a few explorations, we built an integrated Docker solution using Jenkins that accepts Docker images submitted as build environments by engineers around the company. Our "containerized" farm now creates over 10,000 containers a week and handles nearly 1000 jobs at a rate of about 100 jobs an hour.
In this occasionally technical talk, we'll explore the decisions that led Riot to consider Docker, the evolutionary stages of our build infrastructure, and how we combined open-source and in-house software to achieve our goals at scale. You'll come away with some best practices, plenty of lessons learned, and insight into some of the more unique aspects of our system (like automated testing of submitted build environments, or testing node.js apps in containers with Chromium and xvfb).
The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori (Docker, Inc.)
True microservices are more than simply bolting a REST interface onto your legacy application, packing it in a Docker container and hoping for the best. Security is a key component when designing and building out any new architecture, and it must be considered from top to bottom. Oompa Loompas might not be considered "real" microservices, but Willy Wonka still has them locked down tight!
In this talk, Aaron will briefly touch on the idea and security benefits of microservices before diving into practical, real-world examples of creating a secure microservices architecture. We'll start with designing and building high-security Docker containers, using and examining the latest security features in Docker (such as user namespaces and seccomp-bpf), as well as some typically forgotten security principles. Aaron will end by exploring related challenges and solutions in the areas of network security, secrets management and application hardening. Finally, while this talk is geared towards microservices, it should prove informative for all Docker users, whether building a PaaS or otherwise.
Docker, Linux Containers, and Security: Does It Add Up? (Jérôme Petazzoni)
Containers are becoming increasingly popular. They have many advantages over virtual machines: they boot faster, have less performance overhead, and use fewer resources. However, those advantages also stem from the fact that containers share the kernel of their host, instead of abstracting a new independent environment. This sharing has significant security implications, as kernel exploits can now lead to host-wide escalations.
In this presentation, we will:
- Review the actual security risks, in particular for multi-tenant environments running arbitrary applications and code
- Discuss how to mitigate those risks
- Focus on containers as implemented by Docker and the libcontainer project, but the discussion also stands for plain containers as implemented by LXC
Virtual machines are generally considered secure. At least, secure enough to power highly multi-tenant, large-scale public clouds, where a single physical machine can host a large number of virtual instances belonging to different customers. Containers have many advantages over virtual machines: they boot faster, have less performance overhead, and use fewer resources. However, those advantages also stem from the fact that containers share the kernel of their host, instead of abstracting a new independent environment. This sharing has significant security implications, as kernel exploits can now lead to host-wide escalations.
We will show techniques to harden Linux Containers; including kernel capabilities, mandatory access control, hardened kernels, user namespaces, and more, and discuss the remaining attack surface.
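The hardening layers named above (capabilities, seccomp, user namespaces) and the user-namespace and seccomp-bpf features mentioned in the Golden Ticket abstract are all visible from inside the container through /proc, which makes them easy to verify rather than assume. The script below is an added example, not the speakers' code: it decodes the CapEff mask and the Seccomp/NoNewPrivs fields of /proc/<pid>/status and the uid_map of the process, and reports which layers are missing. The /proc excerpts are constructed; the capability bit numbering is from <linux/capability.h>, and DANGEROUS is my own shortlist.

```python
"""Report which hardening layers actually apply to a containerised process,
read from the same /proc files the kernel exposes: the capability masks,
Seccomp and NoNewPrivs fields of /proc/<pid>/status and the user-namespace
mapping in /proc/<pid>/uid_map.  Added example, not the speakers' code;
the /proc excerpts below are constructed, not captured from a real host."""
from typing import Dict, List

# Capability names indexed by bit number, from <linux/capability.h>.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]
# Assumed shortlist: capabilities that make host tampering or escape easy.
DANGEROUS = {"sys_admin", "sys_ptrace", "sys_module", "sys_rawio", "net_admin",
             "dac_read_search", "sys_boot", "sys_time", "mac_admin",
             "mac_override", "bpf"}


def decode_caps(hex_mask: str) -> List[str]:
    """Expand a CapEff/CapPrm/CapBnd hex mask into capability names, in bit order."""
    mask = int(hex_mask, 16)
    names = []
    for bit in range(mask.bit_length()):
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
    return names


def parse_status(text: str) -> Dict[str, str]:
    """Turn the 'Key: value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def userns_remapped(uid_map: str) -> bool:
    """uid_map lines read '<inside> <outside> <count>'.  The initial namespace
    shows '0 0 4294967295'; a remapped container maps inside uid 0 to a
    non-zero host uid, so root in the container is unprivileged on the host."""
    for line in uid_map.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "0":
            return parts[1] != "0"
    return False


def audit(status_text: str, uid_map: str) -> Dict[str, object]:
    """Return the effective capability names plus one finding per missing layer."""
    st = parse_status(status_text)
    caps = decode_caps(st.get("CapEff", "0"))
    findings = []
    risky = sorted(set(caps) & DANGEROUS)
    if risky:
        findings.append("dangerous effective capabilities: " + ", ".join(risky))
    if st.get("Seccomp", "0") == "0":
        findings.append("no seccomp filter (Seccomp: 0); every syscall is reachable")
    if st.get("NoNewPrivs", "0") != "1":
        findings.append("no_new_privs unset; setuid or file-capability binaries can regain privileges")
    if not userns_remapped(uid_map):
        findings.append("uid 0 inside the container is uid 0 on the host (no user namespace remap)")
    return {"capabilities": caps, "findings": findings}


# Constructed status of a default Docker container: a80425fb is Docker's
# 14-capability default set, a seccomp filter is loaded (mode 2), NoNewPrivs off.
DEFAULT_STATUS = (
    "Name:\tnginx\nUid:\t0\t0\t0\t0\n"
    "CapInh:\t00000000a80425fb\nCapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"
    "NoNewPrivs:\t0\nSeccomp:\t2\n"
)
# Constructed --privileged equivalent: all 41 capabilities, no seccomp filter.
PRIVILEGED_STATUS = (DEFAULT_STATUS.replace("00000000a80425fb", "000001ffffffffff")
                     .replace("Seccomp:\t2", "Seccomp:\t0"))
INITIAL_UID_MAP = "         0          0 4294967295\n"   # no user namespace
REMAPPED_UID_MAP = "         0     100000      65536\n"  # e.g. dockerd --userns-remap

if __name__ == "__main__":
    for label, status, uid_map in (("default", DEFAULT_STATUS, INITIAL_UID_MAP),
                                   ("privileged", PRIVILEGED_STATUS, INITIAL_UID_MAP),
                                   ("remapped", DEFAULT_STATUS, REMAPPED_UID_MAP)):
        report = audit(status, uid_map)
        print(f"{label}: {len(report['capabilities'])} caps; " + "; ".join(report["findings"]))
```

On a live system, feed it `open("/proc/self/status").read()` and `open("/proc/self/uid_map").read()` from inside the container; a clean report still says nothing about the kernel's own attack surface, which is the part the talk says remains.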
Docker … Podman are two closely related but different tools. What are their differences, and what do they have in common? In this presentation we present the two tools in order to highlight their differences in design, their specificities and their similarities.
The objective is to let you get to know these tools, from their common roots (cgroups, namespaces, ...) to where they diverge (the daemon socket). From ease of use (socket) to the hassles (proxy), we will address the strengths and weaknesses of each through our own uses of them (build, test, ...). We will of course mention our friends the CVEs to feed your thoughts on their security.
LXC, Docker, security: is it safe to run applications in Linux Containers? (Jérôme Petazzoni)
Linux Containers (or LXC) is now a popular choice for development and testing environments. As more and more people use them in production deployments, they face a common question: are Linux Containers secure enough? It is often claimed that containers have weaker isolation than virtual machines. We will explore whether this is true, if it matters, and what can be done about it.
How Secure Is Your Container? ContainerCon Berlin 2016 (Phil Estes)
A conference talk at ContainerCon Europe in Berlin, Germany, given on October 5th, 2016. This is a slightly modified version of my talk first used at Docker London in July 2016.
This workshop will shed light on a modern solution to application portability, build, delivery, packaging and system-dependency problems. Containers, and Docker in particular, have seen accelerated adoption on the web, in the cloud and recently in the enterprise. HPC environments are seeing something similar with the introduction of the HPC containers Singularity and Shifter. They provide a good use case for solving software portability, and they also ensure repeatability of results; their ecosystem in turn enables better development, delivery and testing workflows that were alien to most HPC environments. This workshop will cover the theory and hands-on use of containers and their ecosystem, introducing Docker and Singularity containers: Docker as a general-purpose container for almost any app, Singularity as the container technology specific to HPC. The workshop will go over the foundations of the container platform, including an overview of its system components: images, containers, repositories, clustering and orchestration. The strategy is to demonstrate through live demos and hands-on exercises, including the reuse case of containers for building a portable distributed application cluster running a variety of workloads, HPC workloads included.
From desktop applications to the web and multi-tier architectures. From component-based development to service-oriented architectures... Will microservices be the winning solution?
A talk given at Docker London on Wednesday, July 20th, 2016. This talk is a fast-paced overview of the potential threats faced when containerizing applications, married to a quick run-through of the "security toolbox" available in the Docker engine via Linux kernel capabilities and features enabled by OCI's libcontainer/runc and Docker.
A video recording of this talk is available here: https://skillsmatter.com/skillscasts/8551-container-security
When you are designing a production environment, security is essential. The whole Docker ecosystem, and Docker Swarm in particular, lets us ship our containers off our laptops; how can we make this process safe? During my talk I will share tips around production environments, immutability, and how to troubleshoot common attacks such as code injection with Docker, as well as static analysis of our images and content trust with Notary to make our journey secure.
How can we set up a cluster on the main cloud providers, with a VPN and node labelling, to expose only a portion of our cluster? I will also show what Docker provides (Content Trust, static analysis) as well as open-source alternatives such as Notary, coreos/clair and Cilium.
By the end of this talk, we will have a better idea of how to manage Docker in production.
Presentation material for EDB Summit 2016, describing how the IT environment will evolve from 2016 onward, and how to protect databases in the cloud.
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart... (Globus)
The Earth System Grid Federation (ESGF) is a global network of data servers that archives and distributes the planet's largest collection of Earth system model output for thousands of climate and environmental scientists worldwide. Many of these petabyte-scale data archives are located in proximity to large high-performance computing (HPC) or cloud computing resources, but the primary workflow for data users consists of transferring data and applying computations on a different system. As a part of the ESGF 2.0 US project (funded by the United States Department of Energy Office of Science), we developed pre-defined data workflows, which can be run on demand and are capable of applying many data reduction and analysis operations to the large ESGF data archives, transferring only the resulting analysis (e.g. visualizations, smaller data files). In this talk, we will showcase a few of these workflows, highlighting how Globus Flows can be used for petabyte-scale climate analysis.
Code reviews are vital for ensuring good code quality. They serve as one of our last lines of defense against bugs and subpar code reaching production.
Yet, they often turn into annoying tasks riddled with frustration, hostility, unclear feedback and lack of standards. How can we improve this crucial process?
In this session we will cover:
- The Art of Effective Code Reviews
- Streamlining the Review Process
- Elevating Reviews with Automated Tools
By the end of this presentation, you'll have the knowledge on how to organize and improve your code review process.
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus... (Globus)
Large Language Models (LLMs) are currently the center of attention in the tech world, particularly for their potential to advance research. In this presentation, we'll explore a straightforward and effective method for quickly initiating inference runs on supercomputers using the vLLM tool with Globus Compute, specifically on the Polaris system at ALCF. We'll begin by briefly discussing the popularity and applications of LLMs in various fields. Following this, we will introduce the vLLM tool, and explain how it integrates with Globus Compute to efficiently manage LLM operations on Polaris. Attendees will learn the practical aspects of setting up and remotely triggering LLMs from local machines, focusing on ease of use and efficiency. This talk is ideal for researchers and practitioners looking to leverage the power of LLMs in their work, offering a clear guide to harnessing supercomputing resources for quick and effective LLM inference.
Need for Speed: Removing speed bumps from your Symfony projects ⚡️ (Łukasz Chruściel)
No one wants their application to drag like a car stuck in the slow lane! Yet it’s all too common to encounter bumpy, pothole-filled solutions that slow the speed of any application. Symfony apps are not an exception.
In this talk, I will take you for a spin around the performance racetrack. We’ll explore common pitfalls - those hidden potholes on your application that can cause unexpected slowdowns. Learn how to spot these performance bumps early, and more importantly, how to navigate around them to keep your application running at top speed.
We will focus in particular on tuning your engine at the application level, making the right adjustments to ensure that your system responds like a well-oiled, high-performance race car.
Check out the webinar slides to learn more about how XfilesPro transforms Salesforce document management by leveraging its world-class applications. For more details, please connect with sales@xfilespro.com
If you want to watch the on-demand webinar, please click here: https://www.xfilespro.com/webinars/salesforce-document-management-2-0-smarter-faster-better/
May Marketo Masterclass, London MUG May 22 2024.pdf (Adele Miller)
Can't make Adobe Summit in Vegas? No sweat because the EMEA Marketo Engage Champions are coming to London to share their Summit sessions, insights and more!
This is a MUG with a twist you don't want to miss.
Enhancing Research Orchestration Capabilities at ORNL.pdf (Globus)
Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ... (Juraj Vysvader)
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I didn't get rich from it but it did have 63K downloads (powered possible tens of thousands of websites).
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient... (Mind IT Systems)
Healthcare providers often struggle with the complexities of chronic conditions and remote patient monitoring, as each patient requires personalized care and ongoing monitoring. Off-the-shelf solutions may not meet these diverse needs, leading to inefficiencies and gaps in care. It’s here, custom healthcare software offers a tailored solution, ensuring improved care and effectiveness.
Enterprise Resource Planning System includes various modules that reduce any business's workload. Additionally, it organizes the workflows, which drives towards enhancing productivity. Here are a detailed explanation of the ERP modules. Going through the points will help you understand how the software is changing the work dynamics.
To know more details here: https://blogs.nyggs.com/nyggs/enterprise-resource-planning-erp-system-modules/
Understanding Nidhi Software Pricing: A Quick Guide 🌟
Choosing the right software is vital for Nidhi companies to streamline operations. Our latest presentation covers Nidhi software pricing, key factors, costs, and negotiation tips.
📊 What You’ll Learn:
Key factors influencing Nidhi software price
Understanding the true cost beyond the initial price
Tips for negotiating the best deal
Affordable and customizable pricing options with Vector Nidhi Software
🔗 Learn more at: www.vectornidhisoftware.com/software-for-nidhi-company/
#NidhiSoftwarePrice #NidhiSoftware #VectorNidhi
Graspan: A Big Data System for Big Code AnalysisAftab Hussain
We built a disk-based parallel graph system, Graspan, that uses a novel edge-pair centric computation model to compute dynamic transitive closures on very large program graphs.
We implement context-sensitive pointer/alias and dataflow analyses on Graspan. An evaluation of these analyses on large codebases such as Linux shows that their Graspan implementations scale to millions of lines of code and are much simpler than their original implementations.
These analyses were used to augment the existing checkers; these augmented checkers found 132 new NULL pointer bugs and 1308 unnecessary NULL tests in Linux 4.4.0-rc5, PostgreSQL 8.3.9, and Apache httpd 2.2.18.
- Accepted in ASPLOS ‘17, Xi’an, China.
- Featured in the tutorial, Systemized Program Analyses: A Big Data Perspective on Static Analysis Scalability, ASPLOS ‘17.
- Invited for presentation at SoCal PLS ‘16.
- Invited for poster presentation at PLDI SRC ‘16.
GraphSummit Paris - The art of the possible with Graph TechnologyNeo4j
Sudhir Hasbe, Chief Product Officer, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
AI Genie Review: World’s First Open AI WordPress Website CreatorGoogle
AI Genie Review: World’s First Open AI WordPress Website Creator
👉👉 Click Here To Get More Info 👇👇
https://sumonreview.com/ai-genie-review
AI Genie Review: Key Features
✅Creates Limitless Real-Time Unique Content, auto-publishing Posts, Pages & Images directly from Chat GPT & Open AI on WordPress in any Niche
✅First & Only Google Bard Approved Software That Publishes 100% Original, SEO Friendly Content using Open AI
✅Publish Automated Posts and Pages using AI Genie directly on Your website
✅50 DFY Websites Included Without Adding Any Images, Content Or Doing Anything Yourself
✅Integrated Chat GPT Bot gives Instant Answers on Your Website to Visitors
✅Just Enter the title, and your Content for Pages and Posts will be ready on your website
✅Automatically insert visually appealing images into posts based on keywords and titles.
✅Choose the temperature of the content and control its randomness.
✅Control the length of the content to be generated.
✅Never Worry About Paying Huge Money Monthly To Top Content Creation Platforms
✅100% Easy-to-Use, Newbie-Friendly Technology
✅30-Days Money-Back Guarantee
See My Other Reviews Article:
(1) TubeTrivia AI Review: https://sumonreview.com/tubetrivia-ai-review
(2) SocioWave Review: https://sumonreview.com/sociowave-review
(3) AI Partner & Profit Review: https://sumonreview.com/ai-partner-profit-review
(4) AI Ebook Suite Review: https://sumonreview.com/ai-ebook-suite-review
#AIGenieApp #AIGenieBonus #AIGenieBonuses #AIGenieDemo #AIGenieDownload #AIGenieLegit #AIGenieLiveDemo #AIGenieOTO #AIGeniePreview #AIGenieReview #AIGenieReviewandBonus #AIGenieScamorLegit #AIGenieSoftware #AIGenieUpgrades #AIGenieUpsells #HowDoesAlGenie #HowtoBuyAIGenie #HowtoMakeMoneywithAIGenie #MakeMoneyOnline #MakeMoneywithAIGenie
Unleash Unlimited Potential with One-Time Purchase
BoxLang is more than just a language; it's a community. By choosing a Visionary License, you're not just investing in your success, you're actively contributing to the ongoing development and support of BoxLang.
AppArmor UseCases with Docker system
Kazuki Omo (面 和毅): ka-omo@sios.com
SIOS Technology, Inc.

Hello everyone. Thanks for attending this session. In this session I'll discuss Docker's security issues, and how we can control those issues with AppArmor.
Slide 2: Who am I?
- Security Researcher/Engineer (15 years)
- SELinux/MAC Evangelist (10 years)
- SIEM Engineer (3 years)
- Linux Engineer (15 years)

Here is my background in the security and OSS area. I have spent almost 15 years in security research and business. I also have experience implementing these kinds of security products for customers, from big customers to small ones. And I worked as a SELinux (you know) evangelist for 4 years.
Security Risks of Docker Applications

First, I wish to discuss Docker's security risks.
Slide 4: What is Docker? (you know...)
Docker is
- for separating each app's userspace (container).
- cgroups/namespaces for containers.
- for app/userspace portability.
→ Not for creating a secure environment!!

So, I guess almost everyone here has experience using Docker with Linux and their applications. Docker's concept is making containers with cgroups/namespaces/capabilities on the current Linux system. Sometimes we imagine the concept is similar to chroot, but Docker is a more flexible system, so today's IT engineers, admins, devs and vendors are interested in using Docker with their systems. But we should keep in mind that Docker's concept is "making containers for running several apps on the same OS/system"; the concept does not come from "how to create a secure container."
Slide 5: Security Risks of Docker Applications
- Which UID is running your docker container?
- root can bypass access control (Discretionary Access Control)
- What will happen if the app has a vulnerability?
- What will happen if the OS/kernel has a vulnerability?
- Can you trust a Docker Hub image?
Not only desk theory...

So, these are the famous questions when we discuss Docker's security scheme. Docker's problems are:
1. Docker does not use its own UID; the docker processes run as "root". So if docker has any critical issue, a cracker might be able to get root privileges through it.
2. And root can do anything, so the cracker can then do anything on your OS.
So now we have to think about "how can we protect the docker process from a cracker".
Slide 6: Security Risks of Docker Applications
- Do you really think a "Container" is a safe sandbox?
  e.g. VENOM (VM) + local root exploit
  CVE-2014-6408, CVE-2014-6409
We have to protect the Docker process!!
Slide 8: What is AppArmor
Do you know AppArmor?
- Provides "Mandatory Access Control" (MAC)
- Restricts root (UID=0) permissions.
- A process under AppArmor is in a separate domain.
- Similar to SELinux, but not so complicated. :-p
[Diagram: an AppArmor domain; a child process inherits the domain.]

So, how many people here know about AppArmor? Do you have experience using AppArmor on your system? Thanks. Here I describe what AppArmor is. AppArmor provides Mandatory Access Control for your Linux. Usually root can escape the OS access control, DAC. But under MAC, even root cannot escape access control, and is controlled by the MAC ACL. This MAC can reduce the risk posed by the root/privileged ID of the process. The most famous MAC system is SELinux, but it's a little bit messy to use in an actual system. AppArmor is easier to understand, and
Slide 9: What is AppArmor
When you use AppArmor,
- it is easy to control permissions even if "UID=0".
[Diagram: httpd confined by the docker_httpd profile; /var/www/html is reachable, /etc/shadow is not.]

So here is a graphical example of how AppArmor works. Each process under AppArmor control has a domain, called a profile. In this example, the gray one, "docker_httpd", is the profile. In each profile we have to describe which files/dirs/objects the process can open/write/read, etc. And the default permission is "deny". So if the httpd process in docker is linked with the "docker_httpd" profile and the profile says it can open/read "/var/www/html", it can only open/read "/var/www/html" and can't do anything to other unlisted files, such as /etc/shadow. Then we can use this AppArmor MAC for
Slide 10: What is AppArmor
When you use AppArmor,
- it is easy to control permissions even if "UID=0".
[Diagram: as on slide 9, with a "Tiny shell" shown under the docker_httpd profile next to httpd.]
Slide 12: Docker Security Option
Option: --security-opt
- Since Docker 1.3
- Attaches to the container:
  - a SELinux label
  - an AppArmor domain
We can use AppArmor access control!!

Since Docker 1.3, the docker program has a security option, "--security-opt". With this option we can use a SELinux label or an AppArmor profile with a container provided by Docker. Then we can use AppArmor access control.
Slide 13: Docker with AppArmor
Sample :)
docker --security-opt=apparmor:docker_httpd_web1 XXXX

/etc/apparmor.d/local/docker_httpd_web1:
#include <tunables/global>
profile docker_httpd_web1 flags=(attach_disconnected,mediate_deleted,complain) {
  #include <abstractions/base>
  deny @{PROC}/sys/fs/** wklx,
}

Here is just a sample. The container is created for providing an httpd web server. When we wish to run docker+Apache, we run "docker run XXX --security-opt=apparmor:[Profile Name]"; then httpd and the other processes under docker will run with the [Profile Name] profile.
Slide 14: Docker with AppArmor
Output of ps axZ:
docker_httpd_web1 (enforce) 5352 root /usr/bin/python /usr/bin/supervisord
docker_httpd_web1 (enforce) 5396 root /usr/sbin/httpd-prefork -D FOREGROUND
docker_httpd_web1 (enforce) 5397 wwwrun /usr/sbin/httpd-prefork -D FOREGROUND
docker_httpd_web1 (enforce) 5398 wwwrun /usr/sbin/httpd-prefork -D FOREGROUND
docker_httpd_web2 (enforce) 5389 root /usr/bin/python /usr/bin/supervisord
docker_httpd_web2 (enforce) 5402 root /usr/sbin/httpd-prefork -D FOREGROUND
docker_httpd_web2 (enforce) 5403 wwwrun /usr/sbin/httpd-prefork -D FOREGROUND
docker_httpd_web2 (enforce) 5404 wwwrun /usr/sbin/httpd-prefork -D FOREGROUND

So, this is the process list. You can see the processes related to the web1 container, such as supervisord and httpd, are running with docker_httpd_web1. Also the processes related to the web2 container, such as supervisord and httpd, are running with docker_httpd_web2. In this case, what will happen? See the next slide.
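The listing above is the check a practitioner wants to automate: every process of a container should show the intended profile and "(enforce)", not "(complain)" (which only logs, and is what the flags of the slide-13 sample profile would give) and not "unconfined". The script below is an added example, not code from the slides or from SIOS. It embeds a constructed listing in the slide's column order (label, mode, PID, user, command) with two deliberately bad lines, and the function names profile_of and check_profile are my own.

```shell
#!/bin/sh
# Added example (not from the original slides): verify from a process
# listing that container processes really are confined by the expected
# AppArmor profile in enforce mode. SAMPLE_PS is constructed to mirror the
# slide-14 listing; the last two lines are added on purpose (one in complain
# mode, one unconfined) so the checker has something to flag.

SAMPLE_PS='docker_httpd_web1 (enforce) 5352 root /usr/bin/python /usr/bin/supervisord
docker_httpd_web1 (enforce) 5396 root /usr/sbin/httpd-prefork -D FOREGROUND
docker_httpd_web1 (enforce) 5397 wwwrun /usr/sbin/httpd-prefork -D FOREGROUND
docker_httpd_web2 (enforce) 5389 root /usr/bin/python /usr/bin/supervisord
docker_httpd_web2 (complain) 5402 root /usr/sbin/httpd-prefork -D FOREGROUND
unconfined 5410 wwwrun /usr/sbin/httpd-prefork -D FOREGROUND'

# profile_of PID < listing : print the AppArmor label of one process
# ("unconfined" when it has none). An unconfined line has no "(mode)"
# field, so its PID sits one column earlier than on a confined line.
profile_of() {
    awk -v pid="$1" '
        $1 == "unconfined" && $2 == pid { print $1; exit }
        $1 != "unconfined" && $3 == pid { print $1; exit }
    '
}

# check_profile PROFILE_REGEX COMMAND_PATTERN < listing : exit 0 only if
# every process whose command line matches COMMAND_PATTERN carries a label
# matching PROFILE_REGEX and is in enforce mode; otherwise print each
# offender and exit 1. Complain mode logs but does not block, so for this
# check it counts as unprotected.
check_profile() {
    awk -v want="$1" -v pat="$2" '
        $0 !~ pat          { next }
        $1 == "unconfined" { bad++; print "UNCONFINED:     " $0; next }
        $1 !~ want         { bad++; print "WRONG PROFILE:  " $0; next }
        $2 != "(enforce)"  { bad++; print "NOT ENFORCING:  " $0; next }
        END { exit (bad > 0) }
    '
}

# Live use: pipe a real listing in and require every httpd worker on the
# host to sit in one of the per-container web profiles.
#   ps axZ | sh check_confinement.sh live
if [ "${1:-}" = "live" ]; then
    check_profile '^docker_httpd_web[0-9]+$' 'httpd-prefork'
fi
```

Real ps axZ output also puts the label first and the PID right after it, so the same field logic carries over to a live listing. The same check_profile call covers the domain-transition listing on slide 19: pass the parent profile name with the supervisord pattern and the child profile name with the httpd pattern.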
Slide 15: Docker with AppArmor
- Each container (web1/web2) is separated by its own AppArmor domain.
- If web2 is cracked with a zero-day, web1 and the others are safe. :-)
[Diagram: web1's httpd under docker_httpd_web1 and web2's (possibly compromised) httpd under docker_httpd_web2; each reaches only its own /var/www/html, and /etc/shadow is out of reach for both.]

So, web1's httpd runs under docker_httpd_web1, and web2's httpd runs under docker_httpd_web2. If httpd has a zero-day issue and a malicious user or cracker attacks web2's Apache and gets root access, the malicious user or cracker only gets the "docker_httpd_web2" profile. Then the cracker can do anything with their /var/www/html, but can't do anything to another profile's container, such as docker_httpd_web1, or to unlisted files such as /etc/shadow. Then we can localize the damage to only the web2 container.
Slide 16: Docker with AppArmor UseCase
Many single-app containers on 1 host.
Each container has its own AppArmor domain.
[Diagram: single-app containers Web, Python, DB, Web1, Web2, Web3 and DB on one host, each with its own domain (Web Domain, Python Domain, DB Domain, Web1 Domain, Web2 Domain, Web3 Domain, DB Domain).]

In this scenario, we can run several web servers on 1 host. Each container has its own AppArmor profile, so the damage will be localized even if we have a zero-day attack.
Slide 17: Docker with AppArmor UseCase
Multi-app containers on 1 host.
Inside a container, all processes share the same AppArmor domain.
→ Not a good idea from a security point of view.
[Diagram: Container_1 Domain and Container_2 Domain, each holding Web, Python and DB in the one domain.]

But now, let's consider a multi-app container. For example, the container is running MySQL, httpd and Python. Every process in the container has the same AppArmor profile. In this case we can localize the risk to each container, but if httpd has a problem, MySQL in the same container will have the security risk too. From a security point of view, this is not a good idea.
Slide 18: AppArmor Domain Transition
A domain can transition to another domain through a rule in the profile.

#include <tunables/global>
profile docker_test_parent flags=(…..) {
  #include <abstractions/base>
  /usr/sbin/httpd-prefork px -> docker_httpd_web1,
  deny @{PROC}/mem rwklx,
}
[Diagram: the Docker parent process runs under docker_test_parent_web1; its child httpd transitions to docker_httpd_web1.]

For resolving this issue, we can use profile transition. It is an AppArmor feature, and it is much like the process/child-process concept. The parent process uses a profile, and "the" profile contains a description of how the profile will transition to another one; the child process then gets the new profile. In this example the parent process, docker/supervisord, has the docker_test_parent_web1 profile, and httpd, which is a child of supervisord, has a different profile, "docker_httpd_web1". If we use this profile transition, we can separate each process's profile inside the same container.
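Putting the slide-13 sample and the transition rule above together, here is an added example (mine, not code from the slides or from SIOS) that generates the parent profile and the httpd child profile for one container, loads them with apparmor_parser and starts the container under the parent profile. Everything beyond what the slides show is an assumption for illustration: the openSUSE paths (/usr/sbin/httpd-prefork, /etc/apache2, /var/log/apache2, /run/httpd.pid), supervisord as the container's init process, the allow rules in the httpd profile, the BIN=PROFILE transition list, and the function names. Unlike the slide-13 sample, the generated profiles leave out the complain flag so that they actually enforce.

```shell
#!/bin/sh
# Added example (not from the original slides): generate, load and use a
# parent/child AppArmor profile pair for one Docker container. The container
# is started under docker_test_parent_<NAME>; supervisord stays there, and a
# px rule moves httpd into docker_httpd_<NAME> when supervisord execs it.
# Paths, rules and function names are assumptions for illustration.

# gen_httpd_profile NAME: the child profile for the web server. AppArmor
# denies everything not listed, so only the content tree, config and logs
# are reachable, even though httpd starts as UID 0 inside the container.
gen_httpd_profile() {
    name="$1"
    cat <<EOF
#include <tunables/global>

profile docker_httpd_${name} flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setuid,
  capability setgid,
  network inet stream,

  /usr/sbin/httpd-prefork mr,
  /etc/apache2/** r,
  /var/www/html/** r,
  /var/log/apache2/** w,
  /run/httpd.pid rw,

  # Explicit deny rules for what a cracked httpd must never reach
  # (explicit denies are also not logged, unlike implicit ones).
  deny /etc/shadow rwklx,
  deny @{PROC}/sys/fs/** wklx,
}
EOF
}

# gen_parent_profile NAME "BIN=PROFILE ...": the profile the container is
# started with. supervisord stays here; each listed binary is moved by a
# px rule into its own profile when supervisord execs it.
gen_parent_profile() {
    name="$1"; transitions="$2"
    cat <<EOF
#include <tunables/global>

profile docker_test_parent_${name} flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  #include <abstractions/python>

  /usr/bin/python* ix,
  /usr/bin/supervisord r,
  /etc/supervisord.conf r,
  /var/log/supervisor/** rw,

  deny @{PROC}/mem rwklx,
EOF
    for t in $transitions; do
        bin="${t%%=*}"; target="${t#*=}"
        printf '  # Domain transition: %s leaves this profile for %s.\n' "$bin" "$target"
        printf '  %s px -> %s,\n' "$bin" "$target"
    done
    printf '}\n'
}

# apply_profiles NAME IMAGE: write both profiles under the directory shown
# on slide 13 (override with APPARMOR_DIR), load them into the kernel, and
# start the container confined by the parent profile. Needs root and a host
# with AppArmor enabled; only runs when invoked as "apply".
apply_profiles() {
    name="$1"; image="$2"
    dir="${APPARMOR_DIR:-/etc/apparmor.d/local}"
    gen_httpd_profile "$name" > "$dir/docker_httpd_${name}"
    gen_parent_profile "$name" "/usr/sbin/httpd-prefork=docker_httpd_${name}" \
        > "$dir/docker_test_parent_${name}"
    # Load the child first so the px target exists by the time the parent
    # profile's exec rule is used.
    apparmor_parser -r "$dir/docker_httpd_${name}"
    apparmor_parser -r "$dir/docker_test_parent_${name}"
    docker run -d --name "$name" \
        --security-opt "apparmor:docker_test_parent_${name}" "$image"
}

# Usage: sh docker_apparmor.sh apply web1 IMAGE
if [ "${1:-}" = "apply" ]; then
    apply_profiles "$2" "$3"
fi
```

Newer Docker releases spell the option --security-opt apparmor=PROFILE rather than the apparmor:PROFILE form on the slides. Another app in the same container (mysqld, python) gets the same treatment: write its own child profile and add a further BIN=PROFILE pair to the transition list, which is what the slide-19 notes describe.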
Slide 19: AppArmor Domain Transition
Output of ps axZ:
docker_test_parent_web1 (enforce) root 2545 /usr/bin/python /usr/bin/supervisord
docker_httpd_web1 (enforce) root 2566 /usr/sbin/httpd-prefork -D FOREGROUND
docker_httpd_web1 (enforce) wwwrun 2583 /usr/sbin/httpd-prefork -D FOREGROUND
docker_httpd_web1 (enforce) wwwrun 2584 /usr/sbin/httpd-prefork -D FOREGROUND
---------------------------------------------------------------------------------------------------------------
docker_test_parent_web2 (enforce) root 2581 /usr/bin/python /usr/bin/supervisord
docker_httpd_web2 (enforce) root 2593 /usr/sbin/httpd-prefork -D FOREGROUND
docker_httpd_web2 (enforce) wwwrun 2594 /usr/sbin/httpd-prefork -D FOREGROUND
docker_httpd_web2 (enforce) wwwrun 2595 /usr/sbin/httpd-prefork -D FOREGROUND

So, in this process list we can see supervisord for web1 is running with the "docker_test_parent_web1" profile, and httpd for web1 is running with docker_httpd_web1. Here there are only supervisord and httpd, but we will be able to create other profiles for each app in the container if we have them, such as mysqld, python, and so on.
Slide 20: Docker with AppArmor UseCase (with domain transition)
Multi-app containers on 1 host.
[Diagram: Container 1 Domain holding Web_Con1, Py_Con1 and DB_Con1, and Container 2 Domain holding Web_Con2, Py_Con2 and DB_Con2. More safe :)]

So, if we use Docker + AppArmor with profile transition, we can localize the risk to
1. each container
2. each app in the container.
This will be a safer system, so I wish to recommend this.
Slide 22: Conclusion
- Docker will be more secure by using "--security-opt".
- A multi-app container in Docker will be secured by using AppArmor. :-)

So, now we know Docker's security risks, but we can control the risk by using AppArmor. For using AppArmor with Docker, we can use the "--security-opt" option. And by using AppArmor with profile transition, we can create a more secure system with Docker + multi-app containers.