SlideShare a Scribd company logo

Kernel Recipes 2017 - The state of kernel self-protection - Kees Cook

Anne Nicolas
Anne Nicolas

The Kernel Self-Protection Project focuses on addressing gaps in Linux’s defensive technologies. With Linux reaching into every corner of modern life, and userspace frequently being very locked-down, the kernel has become an ever-increasing target for attackers and much more needs to be done to harden the kernel so it can protect itself. A quick overview will be shown of what we’re trying to protect Linux against, as well as the state of the art in available technologies. Also presented will be a summary of the last year’s participation by many people over a wide range of technologies, with a review of KSPP attempts, accomplishments, active efforts, and an examination of future projects and goals. Kees Cook, Google

1 of 59
Download to read offline
Linux Kernel Self Protection Project Kernel Recipes, Paris September 28, 2017 Kees (“Case”) Cook keescook@chromium.org https://outflux.net/slides/2017/kr/kspp.pdf
Agenda ● Background – “Security” in the context of this presentation – Why we need to change what we’re doing – Just fixing bugs isn’t sufficient – Upstream development model ● Kernel Self Protection Project – Who we are – What we’re doing – How you can help ● Challenges
Kernel Security ● More than access control (e.g. SELinux) ● More than attack surface reduction (e.g. seccomp) ● More than bug fixing (e.g. CVEs) ● More than protecting userspace ● More than kernel integrity ● This is about Kernel Self Protection
Devices using Linux ● Servers, laptops, cars, phones, … ● >2,000,000,000 active Android devices in 2017 ● Vast majority are running v3.4 (with v3.10 slowly catching up) ● Bug lifetimes are even longer than upstream ● “Not our problem”? None of this matters: even if upstream fixes every bug found, and the fixes are magically sent to devices, bug lifetimes are still huge.
Upstream Bug Lifetime ● In 2010 Jon Corbet researched security flaws, and found that the average time between introduction and fix was about 5 years. ● My analysis of Ubuntu CVE tracker for the kernel from 2011 through 2017: – Critical: 3 @ 5.3 years – High: 59 @ 6.4 years – Medium: 534 @ 5.6 years – Low: 273 @ 5.6 years
CVE lifetimes
critical & high CVE lifetimes
Upstream Bug Lifetime ● The risk is not theoretical. Attackers are watching commits, and they are better at finding bugs than we are: – http://seclists.org/fulldisclosure/2010/Sep/268 ● Most attackers are not publicly boasting about when they found their 0-day...
Fighting Bugs ● We’re finding them – Static checkers: compilers, coccinelle, sparse, smatch, coverity – Dynamic checkers: kernel, trinity, syzkaller, KASan-family ● We’re fixing them – Ask Greg KH how many patches land in -stable ● They’ll always be around – We keep writing them – They exist whether we’re aware of them or not – Whack-a-mole is not a solution
“If you are not using a stable / longterm kernel, your machine is insecure” - Greg Kroah-Hartman
“If you are not using a stable / longterm kernel, your machine is insecure” - Greg Kroah-Hartman “Your machine is insecure” - me
“If you are not using the latest kernel, you don't have the most recently added security defenses, which, in the face of newly exploited bugs, may render your machine less secure than it could have been” - me
Analogy: 1960s Car Industry ● @mricon’s presentation at 2015 Linux Security Summit – http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf ● Cars were designed to run, not to fail ● Linux now where the car industry was in 1960s – https://www.youtube.com/watch?v=fPF4fBGNK0U ● We must handle failures (attacks) safely – Userspace is becoming difficult to attack – Containers paint a target on kernel – Lives depend on Linux
Killing bugs is nice ● Some truth to security bugs being “just normal bugs” ● Your security bug may not be my security bug ● We have little idea which bugs attackers use ● Bug might be in out-of-tree code – Un-upstreamed vendor drivers – Not an excuse to claim “not our problem”
Killing bug classes is better ● If we can stop an entire kind of bug from happening, we absolutely should do so! ● Those bugs never happen again ● Not even out-of-tree code can hit them ● But we’ll never kill all bug classes
Killing exploitation is best ● We will always have bugs ● We must stop their exploitation ● Eliminate exploitation targets and methods ● Eliminate information leaks ● Eliminate anything that assists attackers ● Even if it makes development more difficult
Typical Exploit Chains ● Modern attacks tend to use more than one flaw ● Need to know where targets are ● Need to inject (or build) malicious code ● Need to locate malicious code ● Need to redirect execution to malicious code
What can we do? ● Many exploit mitigation technologies already exist (e.g. grsecurity/PaX) or have been researched (e.g. academic whitepapers), but many haven't been in upstream Linux kernel ● There is demand for kernel self-protection, and there is demand for it to exist in the upstream kernel ● http://www.washingtonpost.com/sf/business/2015/11/05/net-of-in security-the-kernel-of-the-argument/
Out-of-tree defenses? ● Some downstream kernel forks: – RedHat (ExecShield), Ubuntu (AppArmor), Android (Samsung KNOX), grsecurity (so many things) ● If you only use the kernel, and don't develop it, you're in a better position● – But you're depending on a downstream fork – Fewer eyeballs (and less automated testing infrastructure) looking for vulnerabilities – Developing the kernel means using engineering resources for your fork ● e.g. Android deals with multiple vendor forks already ● Hard to integrate multiple forks ● Upstreaming means: – No more forward-porting – More review (never perfect, of course)
Digression 1: defending against email Spam ● Normal email server communication establishment: Client Server [connect] [accept]220 smtp.some.domain ESMTP ok EHLO my.domain 250 ohai MAIL FROM:<me@my.domain> 250 OK RCPT TO:<you@your.domain> 250 OK DATA
Spam bot communication ● Success, and therefore timing, isn't important to Spam bots: Client Server [connect] [accept]220 smtp.some.domain ESMTP ok EHLO my.domain MAIL FROM:<me@my.domain> RCPT TO:<you@your.domain> DATA 250 ohai 250 OK 250 OK
Trivially blocking Spam bots ● Insert a short starting delay Client Server [connect] [accept] EHLO my.domain MAIL FROM:<me@my.domain> RCPT TO:<you@your.domain> DATA 554 smtp.some.domain ESMTP nope
Powerful because it's not the default ● If everyone did this (i.e. it was upstream), bots would adapt ● If a defense is unexamined and/or only run by a subset of Linux users, it may be accidentally effective due to it being different, but may fail under closer examination ●● Though, on the flip side, heterogeneous environments tend to be more resilient
Digression 2: Stack Clash research in 2017 ● Underlying issues were identified in 2010 – Fundamentally, if an attacker can control the memory layout of a setuid process, they may be able to manipulate it into colliding stack with other things, and arranging related overflows to gain execution control. – Linux tried to fix it with a 4K gap – grsecurity (from 2010 through at least their last public patch) took it further with a configurable gap, defaulting to 64K
A gap was not enough ● In addition to raising the gap size, grsecurity sensibly capped stack size of setuid processes, just in case: do_execveat_common(...) { ... /* limit suid stack to 8MB * we saved the old limits above and will restore them if this exec fails */ if (((!uid_eq(bprm->cred->euid, current_euid())) || (!gid_eq(bprm->cred->egid, current_egid()))) && (old_rlim[RLIMIT_STACK].rlim_cur > (8 * 1024 * 1024))) current->signal->rlim[RLIMIT_STACK].rlim_cur = 8 * 1024 * 1024; ...
Upstreaming the setuid stack size limit ● Landed in v4.14-rc1 ● 15 patches ● Reviewed by at least 7 other people ● Made the kernel smaller ● Actually keeps the stack limited for setuid exec 16 files changed, 91 insertions(+), 159 deletions(-)
Important detail: threads ● Stack rlimit is a single value shared across entire thread-group ● Exec kills all other threads (part of the “point of no return”) as late in exec as possible ● If you check or set rlimits before the point of no return, you're racing other threads Thread 1: while (1) setrlimit(...); Thread 2: while (1) setrlimit(...); Thread 3: exec(...); signal … struct rlimit[RLIM_NLIMITS];
Un-upstreamed and unexamined for seven years $ uname -r 4.9.24-grsec+ $ ulimit -s unlimited $ ls -la setuid-stack -rwsrwxr-x 1 root root 9112 Aug 11 09:17 setuid-stack $ ./setuid-stack Stack limit: 8388608 $ ./raise-stack ./setuid-stack Stack limit: 18446744073709551615
Out-of-tree defenses need to be upstreamed ● While the preceding example isn't universally true for all out-of- tree defenses, it's a good example of why upstreaming is important, and why sometimes what looks like a tiny change turns into much more work. ● How do we get this done?
Kernel Self Protection Project ● http://www.openwall.com/lists/kernel-hardening/ – http://www.openwall.com/lists/kernel-hardening/2015/11/05/1 ● http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project ● People interested in coding, testing, documenting, and discussing the upstreaming of kernel self protection technologies and related topics.
Kernel Self Protection Project ● There are other people working on excellent technologies that ultimately revolve around the kernel protecting userspace from attack (e.g. brute force detection, SROP mitigations, etc) ● KSPP focuses on the kernel protecting the kernel from attack ● Currently ~12 organizations and ~10 individuals working on about ~20 technologies ● Slow and steady
Developers under KSPP umbrella ● LF’s Core Infrastructure Initiative funded: Emese Revfy, with others pending ● Self-funded: Andy Lutomirski, Russell King, Valdis Kletnieks, Jason Cooper, Daniel Micay, David Windsor, Richard Weinberger, Richard Fellner, Daniel Gruss, Jason A. Donenfeld, Sandy Harris, Alexander Popov ● ARM: Catalin Marinas, Mark Rutland ● Canonical: Juerg Haefliger ● Cisco: Daniel Borkmann ● Docker: Tycho Andersen ● Google: Kees Cook, Thomas Garnier, Daniel Cashman, Jeff Vander Stoep, Jann Horn, Eric Biggers ● Huawei: Li Kun ● IBM: Michael Ellerman, Heiko Carstens, Christian Borntraeger ● Imagination Technologies: Matt Redfearn ● Intel: Elena Reshetova, Hans Liljestrand, Casey Schaufler, Michael Leibowitz, Dave Hansen, Peter Zijlstra ● Linaro: Ard Biesheuvel, David Brown, Arnd Bergmann ● Linux Foundation: Greg Kroah-Hartman ● Oracle: James Morris, Quentin Casasnovas, Yinghai Lu ● RedHat: Laura Abbott, Rik van Riel, Jessica Yu, Baoquan He
Probabilistic protections ● Protections that derive their strength from some system state being unknown to an attacker ● Weaker than “deterministic” protections since information exposures can defeat them, though they still have real-world value ● Familiar examples: – stack protector (canary value can be exposed) – Address Space Layout Randomization (offset can be exposed)
Deterministic protections ● Protections that derive their strength from organizational system state that always blocks attackers ● Familiar examples: – Read-only memory (writes will fail) – Bounds-checking (large accesses fail)
Bug classes ...
Bug class: stack overflow and exhaustion Exploit example: – https://jon.oberheide.org/files/half-nelson.c ● Mitigations: – stack canaries, e.g. gcc's -fstack-protector (v2.6.30) and -fstack- protector-strong (v3.14) – guard pages (e.g. GRKERNSEC_KSTACKOVERFLOW) ● vmap stack (v4.9 x86, v4.14 arm64), removal of thread_info from stack (v4.9 x86, v4.10 arm64) – alloca checking (e.g. PAX_MEMORY_STACKLEAK): Alexander Popov – shadow stacks (e.g. Clang SafeStack)
Bug class: integer over/underflow ● Exploit examples: – https://cyseclabs.com/page?n=02012016 – http://perception-point.io/2016/01/14/analysis-and-exploi tation-of-a-linux-kernel-vulnerability-cve-2016-0728/ ● Mitigations: – check for atomic overflow (e.g. PAX_REFCOUNT) ● refcount_t: Elena Reshetova, David Windsor, Kees Cook, Ard Biesheuvel, Li Kun – compiler plugin to detect multiplication overflows at runtime (e.g. PAX_SIZE_OVERFLOW)
Bug class: buffer overflows ● Exploit example: – http://blog.includesecurity.com/2014/06/exploit-walkthrough-cve-2014-0196-pty-kernel-race-condition.html ● Mitigations: – runtime validation of variable size vs copy_to_user / copy_from_user size (e.g. PAX_USERCOPY) ● CONFIG_HARDENED_USERCOPY (v4.8) ● Usercopy whitelisting: David Windsor, Kees Cook ● Usercopy slab segregation: David Windsor, Kees Cook – metadata validation (e.g. glibc's heap protections) ● linked-list hardening (from grsecurity) CONFIG_DEBUG_LIST (v4.10) ● CONFIG_SLUB_HARDENED, heap freelist obfuscation (from grsecurity): Daniel Micay, Kees Cook ● Heap canaries: Daniel Micay – FORTIFY_SOURCE (inspired by glibc), check buffer sizes of str*/mem* functions at compile- and run-time ● CONFIG_FORTIFY_SOURCE (v4.13) ● Intra-object checking: Daniel Micay
Bug class: format string injection ● Exploit example: – http://www.openwall.com/lists/oss-security/2013/06/06/13 ● Mitigations: – Drop %n entirely (v3.13) – detect non-const format strings at compile time (e.g. gcc's -Wformat- security, or better plugin) – detect non-const format strings at run time (e.g. memory location checking done with glibc's -D_FORITY_SOURCE=2)
Bug class: kernel pointer leak ● Exploit examples: – examples are legion: /proc (e.g. kallsyms, modules, slabinfo, iomem), /sys, INET_DIAG (v4.1), etc – http://vulnfactory.org/exploits/alpha-omega.c ● Mitigations: – kptr_restrict sysctl (v2.6.38) too weak: requires dev opt-in – remove visibility to kernel symbols (e.g. GRKERNSEC_HIDESYM) – detect and block usage of %p or similar writes to seq_file or other user buffers (e.g. GRKERNSEC_HIDESYM + PAX_USERCOPY)
Bug class: uninitialized variables ● This is not just an information leak! ● Exploit example: – https://outflux.net/slides/2011/defcon/kernel-exploitation.pdf ● Mitigations: – GCC plugin, stackleak: clear kernel stack between system calls (from PAX_MEMORY_STACKLEAK): Alexander Popov – GCC plugin, structleak: instrument compiler to fully initialize all structures (from PAX_MEMORY_STRUCTLEAK): (__user v4.11, by-reference v4.14)
Bug class: use-after-free ● Exploit example: – http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-k ernel-vulnerability-cve-2016-0728/ ● Mitigations: – clearing memory on free can stop attacks where there is no reallocation control (e.g. PAX_MEMORY_SANITIZE) ● Zero poisoning (v4.6) – segregating memory used by the kernel and by userspace can stop attacks where this boundary is crossed (e.g. PAX_USERCOPY) – randomizing heap allocations can frustrate the reallocation efforts the attack needs to perform (e.g. OpenBSD malloc) ● Freelist randomization (SLAB: v4.7, SLUB: v4.8)
Exploit methods ...
Exploitation: finding the kernel ● Exploit examples (see “Kernel pointer leaks” above too): – https://github.com/jonoberheide/ksymhunter ● Mitigations: – hide symbols and kernel pointers (see “Kernel pointer leaks”) – kernel ASLR ● text/modules base: x86 (v3.14), arm64 (v4.6), MIPS (v4.7), ARM: Ard Biesheuvel ● memory: x86 (v4.8) ● PIE: arm64 (v4.6), x86: Thomas Garnier – runtime randomization of kernel functions – executable-but-not-readable memory ● x86 (v4.6), arm64 (v4.9) – per-build structure layout randomization (e.g. GRKERNSEC_RANDSTRUCT) ● manual (v4.13), automatic (v4.14)
Exploitation: direct kernel overwrite ● How is this still a problem in the 21st century? ● Exploit examples: – Patch setuid to always succeed – http://itszn.com/blog/?p=21 Overwrite vDSO ● Mitigations: – Executable memory cannot be writable (CONFIG_STRICT_KERNEL_RWX) ● s390: forever ago ● x86: v3.18 ● ARM: v3.19 ● arm64: v4.0
Exploitation: function pointer overwrite ● Also includes things like vector tables, descriptor tables (which can also be info leaks) ● Exploit examples: – https://outflux.net/blog/archives/2010/10/19/cve-2010-2963-v4l-compat-e xploit/ – https://blogs.oracle.com/ksplice/entry/anatomy_of_an_exploit_cve ● Mitigations: – read-only function tables (e.g. PAX_CONSTIFY_PLUGIN) – make sensitive targets that need one-time or occasional updates only writable during updates (e.g. PAX_KERNEXEC): ● __ro_after_init (v4.6)
Exploitation: userspace execution ● Exploit example: – See almost all previous examples ● Mitigations: – hardware segmentation: SMEP (x86), PXN (ARM, arm64) – emulated memory segmentation via page table swap, PCID, etc (e.g. PAX_MEMORY_UDEREF): ● Domains (ARM: v4.3) ● TTBR0 (arm64: v4.10) ● PCID (x86): Andy Lutomirski – compiler instrumentation to set high bit on function calls
Exploitation: userspace data ● Exploit examples: – https://github.com/geekben/towelroot/blob/master/towelroot.c – http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9 322-linux-kernel-privilege-escalation/ ● Mitigations: – hardware segmentation: SMAP (x86), PAN (ARM, arm64) – emulated memory segmentation via page table swap, PCID, etc (e.g. PAX_MEMORY_UDEREF): ● Domains (ARM: v4.3) ● TTBR0 (arm64: v4.10) ● PCID (x86): Andy Lutomirski – eXclusive Page Frame Ownership: Tycho Andersen, Juerg Haefliger
Exploitation: reused code chunks ● Also known as Return Oriented Programming (ROP), Jump Oriented Programming (JOP), etc ● Exploit example: – http://vulnfactory.org/research/h2hc-remote.pdf ● Mitigations: – JIT obfuscation (e.g. BPF_HARDEN): ● eBPF JIT hardening (v4.7) – compiler instrumentation for Control Flow Integrity (CFI): ● Clang CFI https://clang.llvm.org/docs/ControlFlowIntegrity.html ● kCFI https://github.com/kcfi/docs ● GCC plugin: Return Address Protection, Indirect Control Transfer Protection (e.g. RAP) https://pax.grsecurity.net/docs/PaXTeam-H2HC15-RAP-RIP-ROP.pdf
A year's worth of kernel releases ...
Added in v4.10 ● PAN emulation, arm64 ● thread_info relocated off stack, arm64 ● Linked list hardening ● RNG seeding from UEFI, arm64 ● W^X detection, arm64
Added in v4.11 ● refcount_t infrastructure ● read-only usermodehelper ● structleak plugin
Added in v4.12 ● read-only and fixed-location GDT, x86 ● usercopy consolidation ● read-only LSM structures ● KASLR enabled by default, x86 ● stack canary expanded to bit-width of host ● stack/heap gap expanded
Added in v4.13 ● CONFIG_REFCOUNT_FULL ● CONFIG_FORTIFY_SOURCE ● randstruct (manual mode) ● ELF_ET_DYN_BASE lowered
Challenges ...
Challenge: Culture ● Conservatism – 16 years to accept symlink restrictions upstream ● Responsibility – Kernel developers must accept the need for these changes ● Sacrifice – Kernel developers must accept the technical burden ● Patience – Out-of-tree developers must understand how kernel is developed
Challenge: Technical ● Complexity – Very few people are proficient at developing (much less debugging) these features ● Innovation – We must adapt the many existing solutions – We must create new technologies ● Collaboration – Explain rationale for new technologies – Make code understandable/maintainable by other developers and accessible across architectures
Challenge: Resources ● People – Dedicated developers ● People – Dedicated testers ● People – Dedicated backporters
Thoughts? Kees (“Case”) Cook keescook@chromium.org keescook@google.com kees@outflux.net https://outflux.net/slides/2017/kr/kspp.pdf http://www.openwall.com/lists/kernel-hardening/ http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project

Recommended

Kernel Recipes 2017 - Testing on device with LAVA - Olivier Crête
Kernel Recipes 2017 - Testing on device with LAVA - Olivier CrêteKernel Recipes 2017 - Testing on device with LAVA - Olivier Crête
Kernel Recipes 2017 - Testing on device with LAVA - Olivier Crête
Anne Nicolas
 
Kernel Recipes 2017 - Linux Kernel Release Model - Greg KH
Kernel Recipes 2017 - Linux Kernel Release Model - Greg KHKernel Recipes 2017 - Linux Kernel Release Model - Greg KH
Kernel Recipes 2017 - Linux Kernel Release Model - Greg KH
Anne Nicolas
 
Embedded Recipes 2017 - Long-Term Maintenance, or How to (Mis-)Manage Embedde...
Embedded Recipes 2017 - Long-Term Maintenance, or How to (Mis-)Manage Embedde...Embedded Recipes 2017 - Long-Term Maintenance, or How to (Mis-)Manage Embedde...
Embedded Recipes 2017 - Long-Term Maintenance, or How to (Mis-)Manage Embedde...
Anne Nicolas
 
Performance Profiling Tools and Tricks
Performance Profiling Tools and TricksPerformance Profiling Tools and Tricks
Performance Profiling Tools and Tricks
Phase2
 
Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...
Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...
Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...
Jérôme Petazzoni
 
Containers, docker, and security: state of the union (Bay Area Infracoders Me...
Containers, docker, and security: state of the union (Bay Area Infracoders Me...Containers, docker, and security: state of the union (Bay Area Infracoders Me...
Containers, docker, and security: state of the union (Bay Area Infracoders Me...
Jérôme Petazzoni
 
PaaSTA: Running applications at Yelp
PaaSTA: Running applications at YelpPaaSTA: Running applications at Yelp
PaaSTA: Running applications at Yelp
Nathan Handler
 
Deploy microservices in containers with Docker and friends - KCDC2015
Deploy microservices in containers with Docker and friends - KCDC2015Deploy microservices in containers with Docker and friends - KCDC2015
Deploy microservices in containers with Docker and friends - KCDC2015
Jérôme Petazzoni
 

Recommended

Kernel Recipes 2017 - Testing on device with LAVA - Olivier Crête
Kernel Recipes 2017 - Testing on device with LAVA - Olivier CrêteKernel Recipes 2017 - Testing on device with LAVA - Olivier Crête
Kernel Recipes 2017 - Testing on device with LAVA - Olivier Crête
Anne Nicolas
 
Kernel Recipes 2017 - Linux Kernel Release Model - Greg KH
Kernel Recipes 2017 - Linux Kernel Release Model - Greg KHKernel Recipes 2017 - Linux Kernel Release Model - Greg KH
Kernel Recipes 2017 - Linux Kernel Release Model - Greg KH
Anne Nicolas
 
Embedded Recipes 2017 - Long-Term Maintenance, or How to (Mis-)Manage Embedde...
Embedded Recipes 2017 - Long-Term Maintenance, or How to (Mis-)Manage Embedde...Embedded Recipes 2017 - Long-Term Maintenance, or How to (Mis-)Manage Embedde...
Embedded Recipes 2017 - Long-Term Maintenance, or How to (Mis-)Manage Embedde...
Anne Nicolas
 
Performance Profiling Tools and Tricks
Performance Profiling Tools and TricksPerformance Profiling Tools and Tricks
Performance Profiling Tools and Tricks
Phase2
 
Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...
Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...
Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...
Jérôme Petazzoni
 
Containers, docker, and security: state of the union (Bay Area Infracoders Me...
Containers, docker, and security: state of the union (Bay Area Infracoders Me...Containers, docker, and security: state of the union (Bay Area Infracoders Me...
Containers, docker, and security: state of the union (Bay Area Infracoders Me...
Jérôme Petazzoni
 
PaaSTA: Running applications at Yelp
PaaSTA: Running applications at YelpPaaSTA: Running applications at Yelp
PaaSTA: Running applications at Yelp
Nathan Handler
 
Deploy microservices in containers with Docker and friends - KCDC2015
Deploy microservices in containers with Docker and friends - KCDC2015Deploy microservices in containers with Docker and friends - KCDC2015
Deploy microservices in containers with Docker and friends - KCDC2015
Jérôme Petazzoni
 
Continuous Security in DevOps
Continuous Security in DevOpsContinuous Security in DevOps
Continuous Security in DevOps
Maciej Lasyk
 
PIC your malware
PIC your malwarePIC your malware
PIC your malware
CODE WHITE GmbH
 
What is the merge window?
What is the merge window?What is the merge window?
What is the merge window?
Macpaul Lin
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?
Jérôme Petazzoni
 
Ryan Koop's Docker Chicago Meetup Demo March 12 2014
Ryan Koop's Docker Chicago Meetup Demo March 12 2014Ryan Koop's Docker Chicago Meetup Demo March 12 2014
Ryan Koop's Docker Chicago Meetup Demo March 12 2014
Cohesive Networks
 
Real-Time Communication Testing Evolution with WebRTC
Real-Time Communication Testing Evolution with WebRTCReal-Time Communication Testing Evolution with WebRTC
Real-Time Communication Testing Evolution with WebRTC
Alexandre Gouaillard
 
The Docker ecosystem and the future of application deployment
The Docker ecosystem and the future of application deploymentThe Docker ecosystem and the future of application deployment
The Docker ecosystem and the future of application deployment
Jérôme Petazzoni
 
Improving Engineering Processes using Hudson - Spark IT 2010
Improving Engineering Processes using Hudson - Spark IT 2010Improving Engineering Processes using Hudson - Spark IT 2010
Improving Engineering Processes using Hudson - Spark IT 2010
Arun Gupta
 
Janus conf'19: janus client side
Janus conf'19: janus client sideJanus conf'19: janus client side
Janus conf'19: janus client side
Alexandre Gouaillard
 
Virtunoid: Breaking out of KVM
Virtunoid: Breaking out of KVMVirtunoid: Breaking out of KVM
Virtunoid: Breaking out of KVM
Nelson Elhage
 
OSCON: Better Collaboration through Tooling
OSCON: Better Collaboration through ToolingOSCON: Better Collaboration through Tooling
OSCON: Better Collaboration through Tooling
Docker, Inc.
 
Containers 101
Containers 101Containers 101
Containers 101
Black Duck by Synopsys
 
How to contribute to large open source projects like Docker (LinuxCon 2015)
How to contribute to large open source projects like Docker (LinuxCon 2015)How to contribute to large open source projects like Docker (LinuxCon 2015)
How to contribute to large open source projects like Docker (LinuxCon 2015)
Jérôme Petazzoni
 
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
dotCloud
 
LXC, Docker, and the future of software delivery | LinuxCon 2013
LXC, Docker, and the future of software delivery | LinuxCon 2013LXC, Docker, and the future of software delivery | LinuxCon 2013
LXC, Docker, and the future of software delivery | LinuxCon 2013
dotCloud
 
Embedded Recipes 2018 - swupdate: update your embedded device - Charles-Anto...
Embedded Recipes 2018 - swupdate: update your embedded device - Charles-Anto...Embedded Recipes 2018 - swupdate: update your embedded device - Charles-Anto...
Embedded Recipes 2018 - swupdate: update your embedded device - Charles-Anto...
Anne Nicolas
 
Securing the Software Supply Chain with TUF and Docker - Justin Cappos and Sa...
Securing the Software Supply Chain with TUF and Docker - Justin Cappos and Sa...Securing the Software Supply Chain with TUF and Docker - Justin Cappos and Sa...
Securing the Software Supply Chain with TUF and Docker - Justin Cappos and Sa...
Docker, Inc.
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
Volodymyr Shynkar
 
OSCON: Incremental Revolution - What Docker learned from the open-source fire...
OSCON: Incremental Revolution - What Docker learned from the open-source fire...OSCON: Incremental Revolution - What Docker learned from the open-source fire...
OSCON: Incremental Revolution - What Docker learned from the open-source fire...
Docker, Inc.
 
Introduction to Docker and all things containers, Docker Meetup at RelateIQ
Introduction to Docker and all things containers, Docker Meetup at RelateIQIntroduction to Docker and all things containers, Docker Meetup at RelateIQ
Introduction to Docker and all things containers, Docker Meetup at RelateIQ
dotCloud
 
Linux 开源操作系统发展新趋势
Linux 开源操作系统发展新趋势Linux 开源操作系统发展新趋势
Linux 开源操作系统发展新趋势
Anthony Wong
 
At the Crossroads of HPC and Cloud Computing with Openstack
At the Crossroads of HPC and Cloud Computing with OpenstackAt the Crossroads of HPC and Cloud Computing with Openstack
At the Crossroads of HPC and Cloud Computing with Openstack
Ryan Aydelott
 

More Related Content

What's hot

Continuous Security in DevOps
Continuous Security in DevOpsContinuous Security in DevOps
Continuous Security in DevOps
Maciej Lasyk
 
PIC your malware
PIC your malwarePIC your malware
PIC your malware
CODE WHITE GmbH
 
What is the merge window?
What is the merge window?What is the merge window?
What is the merge window?
Macpaul Lin
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?
Jérôme Petazzoni
 
Ryan Koop's Docker Chicago Meetup Demo March 12 2014
Ryan Koop's Docker Chicago Meetup Demo March 12 2014Ryan Koop's Docker Chicago Meetup Demo March 12 2014
Ryan Koop's Docker Chicago Meetup Demo March 12 2014
Cohesive Networks
 
Real-Time Communication Testing Evolution with WebRTC
Real-Time Communication Testing Evolution with WebRTCReal-Time Communication Testing Evolution with WebRTC
Real-Time Communication Testing Evolution with WebRTC
Alexandre Gouaillard
 
The Docker ecosystem and the future of application deployment
The Docker ecosystem and the future of application deploymentThe Docker ecosystem and the future of application deployment
The Docker ecosystem and the future of application deployment
Jérôme Petazzoni
 
Improving Engineering Processes using Hudson - Spark IT 2010
Improving Engineering Processes using Hudson - Spark IT 2010Improving Engineering Processes using Hudson - Spark IT 2010
Improving Engineering Processes using Hudson - Spark IT 2010
Arun Gupta
 
Janus conf'19: janus client side
Janus conf'19: janus client sideJanus conf'19: janus client side
Janus conf'19: janus client side
Alexandre Gouaillard
 
Virtunoid: Breaking out of KVM
Virtunoid: Breaking out of KVMVirtunoid: Breaking out of KVM
Virtunoid: Breaking out of KVM
Nelson Elhage
 
OSCON: Better Collaboration through Tooling
OSCON: Better Collaboration through ToolingOSCON: Better Collaboration through Tooling
OSCON: Better Collaboration through Tooling
Docker, Inc.
 
Containers 101
Containers 101Containers 101
Containers 101
Black Duck by Synopsys
 
How to contribute to large open source projects like Docker (LinuxCon 2015)
How to contribute to large open source projects like Docker (LinuxCon 2015)How to contribute to large open source projects like Docker (LinuxCon 2015)
How to contribute to large open source projects like Docker (LinuxCon 2015)
Jérôme Petazzoni
 
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
dotCloud
 
LXC, Docker, and the future of software delivery | LinuxCon 2013
LXC, Docker, and the future of software delivery | LinuxCon 2013LXC, Docker, and the future of software delivery | LinuxCon 2013
LXC, Docker, and the future of software delivery | LinuxCon 2013
dotCloud
 
Embedded Recipes 2018 - swupdate: update your embedded device - Charles-Anto...
Embedded Recipes 2018 - swupdate: update your embedded device - Charles-Anto...Embedded Recipes 2018 - swupdate: update your embedded device - Charles-Anto...
Embedded Recipes 2018 - swupdate: update your embedded device - Charles-Anto...
Anne Nicolas
 
Securing the Software Supply Chain with TUF and Docker - Justin Cappos and Sa...
Securing the Software Supply Chain with TUF and Docker - Justin Cappos and Sa...Securing the Software Supply Chain with TUF and Docker - Justin Cappos and Sa...
Securing the Software Supply Chain with TUF and Docker - Justin Cappos and Sa...
Docker, Inc.
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
Volodymyr Shynkar
 
OSCON: Incremental Revolution - What Docker learned from the open-source fire...
OSCON: Incremental Revolution - What Docker learned from the open-source fire...OSCON: Incremental Revolution - What Docker learned from the open-source fire...
OSCON: Incremental Revolution - What Docker learned from the open-source fire...
Docker, Inc.
 
Introduction to Docker and all things containers, Docker Meetup at RelateIQ
Introduction to Docker and all things containers, Docker Meetup at RelateIQIntroduction to Docker and all things containers, Docker Meetup at RelateIQ
Introduction to Docker and all things containers, Docker Meetup at RelateIQ
dotCloud
 

What's hot (20)

Continuous Security in DevOps
Continuous Security in DevOpsContinuous Security in DevOps
Continuous Security in DevOps
 
PIC your malware
PIC your malwarePIC your malware
PIC your malware
 
What is the merge window?
What is the merge window?What is the merge window?
What is the merge window?
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?
 
Ryan Koop's Docker Chicago Meetup Demo March 12 2014
Ryan Koop's Docker Chicago Meetup Demo March 12 2014Ryan Koop's Docker Chicago Meetup Demo March 12 2014
Ryan Koop's Docker Chicago Meetup Demo March 12 2014
 
Real-Time Communication Testing Evolution with WebRTC
Real-Time Communication Testing Evolution with WebRTCReal-Time Communication Testing Evolution with WebRTC
Real-Time Communication Testing Evolution with WebRTC
 
The Docker ecosystem and the future of application deployment
The Docker ecosystem and the future of application deploymentThe Docker ecosystem and the future of application deployment
The Docker ecosystem and the future of application deployment
 
Improving Engineering Processes using Hudson - Spark IT 2010
Improving Engineering Processes using Hudson - Spark IT 2010Improving Engineering Processes using Hudson - Spark IT 2010
Improving Engineering Processes using Hudson - Spark IT 2010
 
Janus conf'19: janus client side
Janus conf'19: janus client sideJanus conf'19: janus client side
Janus conf'19: janus client side
 
Virtunoid: Breaking out of KVM
Virtunoid: Breaking out of KVMVirtunoid: Breaking out of KVM
Virtunoid: Breaking out of KVM
 
OSCON: Better Collaboration through Tooling
OSCON: Better Collaboration through ToolingOSCON: Better Collaboration through Tooling
OSCON: Better Collaboration through Tooling
 
Containers 101
Containers 101Containers 101
Containers 101
 
How to contribute to large open source projects like Docker (LinuxCon 2015)
How to contribute to large open source projects like Docker (LinuxCon 2015)How to contribute to large open source projects like Docker (LinuxCon 2015)
How to contribute to large open source projects like Docker (LinuxCon 2015)
 
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
 
LXC, Docker, and the future of software delivery | LinuxCon 2013
LXC, Docker, and the future of software delivery | LinuxCon 2013LXC, Docker, and the future of software delivery | LinuxCon 2013
LXC, Docker, and the future of software delivery | LinuxCon 2013
 
Embedded Recipes 2018 - swupdate: update your embedded device - Charles-Anto...
Embedded Recipes 2018 - swupdate: update your embedded device - Charles-Anto...Embedded Recipes 2018 - swupdate: update your embedded device - Charles-Anto...
Embedded Recipes 2018 - swupdate: update your embedded device - Charles-Anto...
 
Securing the Software Supply Chain with TUF and Docker - Justin Cappos and Sa...
Securing the Software Supply Chain with TUF and Docker - Justin Cappos and Sa...Securing the Software Supply Chain with TUF and Docker - Justin Cappos and Sa...
Securing the Software Supply Chain with TUF and Docker - Justin Cappos and Sa...
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
 
OSCON: Incremental Revolution - What Docker learned from the open-source fire...
OSCON: Incremental Revolution - What Docker learned from the open-source fire...OSCON: Incremental Revolution - What Docker learned from the open-source fire...
OSCON: Incremental Revolution - What Docker learned from the open-source fire...
 
Introduction to Docker and all things containers, Docker Meetup at RelateIQ
Introduction to Docker and all things containers, Docker Meetup at RelateIQIntroduction to Docker and all things containers, Docker Meetup at RelateIQ
Introduction to Docker and all things containers, Docker Meetup at RelateIQ
 

Similar to Kernel Recipes 2017 - The state of kernel self-protection - Kees Cook

Linux 开源操作系统发展新趋势
Linux 开源操作系统发展新趋势Linux 开源操作系统发展新趋势
Linux 开源操作系统发展新趋势
Anthony Wong
 
At the Crossroads of HPC and Cloud Computing with Openstack
At the Crossroads of HPC and Cloud Computing with OpenstackAt the Crossroads of HPC and Cloud Computing with Openstack
At the Crossroads of HPC and Cloud Computing with Openstack
Ryan Aydelott
 
Hardening Kubernetes by Securing Pods
Hardening Kubernetes by Securing PodsHardening Kubernetes by Securing Pods
Hardening Kubernetes by Securing Pods
Suraj Deshmukh
 
OSAC16: Unikernel-powered Transient Microservices: Changing the Face of Softw...
OSAC16: Unikernel-powered Transient Microservices: Changing the Face of Softw...OSAC16: Unikernel-powered Transient Microservices: Changing the Face of Softw...
OSAC16: Unikernel-powered Transient Microservices: Changing the Face of Softw...
Russell Pavlicek
 
44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security
44CON
 
44CON & Ruxcon: SDN security
44CON & Ruxcon: SDN security44CON & Ruxcon: SDN security
44CON & Ruxcon: SDN security
David Jorm
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil Framework
VeilFramework
 
Open Source Investments in Mainframe Through the Next Generation - Showcasing...
Open Source Investments in Mainframe Through the Next Generation - Showcasing...Open Source Investments in Mainframe Through the Next Generation - Showcasing...
Open Source Investments in Mainframe Through the Next Generation - Showcasing...
Open Mainframe Project
 
Secure container: Kata container and gVisor
Secure container: Kata container and gVisorSecure container: Kata container and gVisor
Secure container: Kata container and gVisor
Ching-Hsuan Yen
 
Webinar: OpenEBS - Still Free and now FASTEST Kubernetes storage
Webinar: OpenEBS - Still Free and now FASTEST Kubernetes storageWebinar: OpenEBS - Still Free and now FASTEST Kubernetes storage
Webinar: OpenEBS - Still Free and now FASTEST Kubernetes storage
MayaData Inc
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
DevOps.com
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009
James Morris
 
Node js meetup
Node js meetupNode js meetup
Node js meetup
Ansuman Roy
 
apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...
apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...
apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...
apidays
 
How to deliver High Performance OpenStack Cloud: Christoph Dwertmann, Vault S...
How to deliver High Performance OpenStack Cloud: Christoph Dwertmann, Vault S...How to deliver High Performance OpenStack Cloud: Christoph Dwertmann, Vault S...
How to deliver High Performance OpenStack Cloud: Christoph Dwertmann, Vault S...
OpenStack
 
Tuning systemd for embedded
Tuning systemd for embeddedTuning systemd for embedded
Tuning systemd for embedded
Alison Chaiken
 
Hacktivity2014: Virtual Machine Introspection to Detect and Protect
Hacktivity2014: Virtual Machine Introspection to Detect and ProtectHacktivity2014: Virtual Machine Introspection to Detect and Protect
Hacktivity2014: Virtual Machine Introspection to Detect and Protect
Tamas K Lengyel
 
Machine learning in cybersecutiry
Machine learning in cybersecutiryMachine learning in cybersecutiry
Machine learning in cybersecutiry
Vishwas N
 
Advanced Namespaces and cgroups
Advanced Namespaces and cgroupsAdvanced Namespaces and cgroups
Advanced Namespaces and cgroups
Kernel TLV
 
Containers > VMs
Containers > VMsContainers > VMs
Containers > VMs
David Timothy Strauss
 

Similar to Kernel Recipes 2017 - The state of kernel self-protection - Kees Cook (20)

Linux 开源操作系统发展新趋势
Linux 开源操作系统发展新趋势Linux 开源操作系统发展新趋势
Linux 开源操作系统发展新趋势
 
At the Crossroads of HPC and Cloud Computing with Openstack
At the Crossroads of HPC and Cloud Computing with OpenstackAt the Crossroads of HPC and Cloud Computing with Openstack
At the Crossroads of HPC and Cloud Computing with Openstack
 
Hardening Kubernetes by Securing Pods
Hardening Kubernetes by Securing PodsHardening Kubernetes by Securing Pods
Hardening Kubernetes by Securing Pods
 
OSAC16: Unikernel-powered Transient Microservices: Changing the Face of Softw...
OSAC16: Unikernel-powered Transient Microservices: Changing the Face of Softw...OSAC16: Unikernel-powered Transient Microservices: Changing the Face of Softw...
OSAC16: Unikernel-powered Transient Microservices: Changing the Face of Softw...
 
44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security
 
44CON & Ruxcon: SDN security
44CON & Ruxcon: SDN security44CON & Ruxcon: SDN security
44CON & Ruxcon: SDN security
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil Framework
 
Open Source Investments in Mainframe Through the Next Generation - Showcasing...
Open Source Investments in Mainframe Through the Next Generation - Showcasing...Open Source Investments in Mainframe Through the Next Generation - Showcasing...
Open Source Investments in Mainframe Through the Next Generation - Showcasing...
 
Secure container: Kata container and gVisor
Secure container: Kata container and gVisorSecure container: Kata container and gVisor
Secure container: Kata container and gVisor
 
Webinar: OpenEBS - Still Free and now FASTEST Kubernetes storage
Webinar: OpenEBS - Still Free and now FASTEST Kubernetes storageWebinar: OpenEBS - Still Free and now FASTEST Kubernetes storage
Webinar: OpenEBS - Still Free and now FASTEST Kubernetes storage
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009
 
Node js meetup
Node js meetupNode js meetup
Node js meetup
 
apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...
apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...
apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...
 
How to deliver High Performance OpenStack Cloud: Christoph Dwertmann, Vault S...
How to deliver High Performance OpenStack Cloud: Christoph Dwertmann, Vault S...How to deliver High Performance OpenStack Cloud: Christoph Dwertmann, Vault S...
How to deliver High Performance OpenStack Cloud: Christoph Dwertmann, Vault S...
 
Tuning systemd for embedded
Tuning systemd for embeddedTuning systemd for embedded
Tuning systemd for embedded
 
Hacktivity2014: Virtual Machine Introspection to Detect and Protect
Hacktivity2014: Virtual Machine Introspection to Detect and ProtectHacktivity2014: Virtual Machine Introspection to Detect and Protect
Hacktivity2014: Virtual Machine Introspection to Detect and Protect
 
Machine learning in cybersecutiry
Machine learning in cybersecutiryMachine learning in cybersecutiry
Machine learning in cybersecutiry
 
Advanced Namespaces and cgroups
Advanced Namespaces and cgroupsAdvanced Namespaces and cgroups
Advanced Namespaces and cgroups
 
Containers > VMs
Containers > VMsContainers > VMs
Containers > VMs
 

More from Anne Nicolas

Kernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream firstKernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream first
Anne Nicolas
 
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMIKernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Anne Nicolas
 
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelKernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Anne Nicolas
 
Kernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are moneyKernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are money
Anne Nicolas
 
Kernel Recipes 2019 - Kernel documentation: past, present, and future
Kernel Recipes 2019 - Kernel documentation: past, present, and futureKernel Recipes 2019 - Kernel documentation: past, present, and future
Kernel Recipes 2019 - Kernel documentation: past, present, and future
Anne Nicolas
 
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Anne Nicolas
 
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary dataKernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Anne Nicolas
 
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Anne Nicolas
 
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and BareboxEmbedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Anne Nicolas
 
Embedded Recipes 2019 - Making embedded graphics less special
Embedded Recipes 2019 - Making embedded graphics less specialEmbedded Recipes 2019 - Making embedded graphics less special
Embedded Recipes 2019 - Making embedded graphics less special
Anne Nicolas
 
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre SiliconEmbedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Anne Nicolas
 
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) pictureEmbedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Anne Nicolas
 
Embedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops wayEmbedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops way
Anne Nicolas
 
Embedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmakerEmbedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmaker
Anne Nicolas
 
Embedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integrationEmbedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integration
Anne Nicolas
 
Embedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debuggingEmbedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debugging
Anne Nicolas
 
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimediaEmbedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Anne Nicolas
 
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all startedKernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Anne Nicolas
 
Kernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDPKernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDP
Anne Nicolas
 
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Anne Nicolas
 

More from Anne Nicolas (20)

Kernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream firstKernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream first
 
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMIKernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
 
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelKernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
 
Kernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are moneyKernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are money
 
Kernel Recipes 2019 - Kernel documentation: past, present, and future
Kernel Recipes 2019 - Kernel documentation: past, present, and futureKernel Recipes 2019 - Kernel documentation: past, present, and future
Kernel Recipes 2019 - Kernel documentation: past, present, and future
 
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
 
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary dataKernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
 
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
 
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and BareboxEmbedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
 
Embedded Recipes 2019 - Making embedded graphics less special
Embedded Recipes 2019 - Making embedded graphics less specialEmbedded Recipes 2019 - Making embedded graphics less special
Embedded Recipes 2019 - Making embedded graphics less special
 
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre SiliconEmbedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
 
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) pictureEmbedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
 
Embedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops wayEmbedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops way
 
Embedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmakerEmbedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmaker
 
Embedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integrationEmbedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integration
 
Embedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debuggingEmbedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debugging
 
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimediaEmbedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
 
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all startedKernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
 
Kernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDPKernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDP
 
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
 

Recently uploaded

UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 

Recently uploaded (20)

UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 

Kernel Recipes 2017 - The state of kernel self-protection - Kees Cook

  • 1. Linux Kernel Self Protection Project Kernel Recipes, Paris September 28, 2017 Kees (“Case”) Cook keescook@chromium.org https://outflux.net/slides/2017/kr/kspp.pdf
  • 2. Agenda ● Background – “Security” in the context of this presentation – Why we need to change what we’re doing – Just fixing bugs isn’t sufficient – Upstream development model ● Kernel Self Protection Project – Who we are – What we’re doing – How you can help ● Challenges
  • 3. Kernel Security ● More than access control (e.g. SELinux) ● More than attack surface reduction (e.g. seccomp) ● More than bug fixing (e.g. CVEs) ● More than protecting userspace ● More than kernel integrity ● This is about Kernel Self Protection
  • 4. Devices using Linux ● Servers, laptops, cars, phones, … ● >2,000,000,000 active Android devices in 2017 ● Vast majority are running v3.4 (with v3.10 slowly catching up) ● Bug lifetimes are even longer than upstream ● “Not our problem”? None of this matters: even if upstream fixes every bug found, and the fixes are magically sent to devices, bug lifetimes are still huge.
  • 5. Upstream Bug Lifetime ● In 2010 Jon Corbet researched security flaws, and found that the average time between introduction and fix was about 5 years. ● My analysis of Ubuntu CVE tracker for the kernel from 2011 through 2017: – Critical: 3 @ 5.3 years – High: 59 @ 6.4 years – Medium: 534 @ 5.6 years – Low: 273 @ 5.6 years
  • 7. critical & high CVE lifetimes
  • 8. Upstream Bug Lifetime ● The risk is not theoretical. Attackers are watching commits, and they are better at finding bugs than we are: – http://seclists.org/fulldisclosure/2010/Sep/268 ● Most attackers are not publicly boasting about when they found their 0-day...
  • 9. Fighting Bugs ● We’re finding them – Static checkers: compilers, coccinelle, sparse, smatch, coverity – Dynamic checkers: kernel, trinity, syzkaller, KASan-family ● We’re fixing them – Ask Greg KH how many patches land in -stable ● They’ll always be around – We keep writing them – They exist whether we’re aware of them or not – Whack-a-mole is not a solution
  • 10. “If you are not using a stable / longterm kernel, your machine is insecure” - Greg Kroah-Hartman
  • 11. “If you are not using a stable / longterm kernel, your machine is insecure” - Greg Kroah-Hartman “Your machine is insecure” - me
  • 12. “If you are not using the latest kernel, you don't have the most recently added security defenses, which, in the face of newly exploited bugs, may render your machine less secure than it could have been” - me
  • 13. Analogy: 1960s Car Industry ● @mricon’s presentation at 2015 Linux Security Summit – http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf ● Cars were designed to run, not to fail ● Linux now where the car industry was in 1960s – https://www.youtube.com/watch?v=fPF4fBGNK0U ● We must handle failures (attacks) safely – Userspace is becoming difficult to attack – Containers paint a target on kernel – Lives depend on Linux
  • 14. Killing bugs is nice ● Some truth to security bugs being “just normal bugs” ● Your security bug may not be my security bug ● We have little idea which bugs attackers use ● Bug might be in out-of-tree code – Un-upstreamed vendor drivers – Not an excuse to claim “not our problem”
  • 15. Killing bug classes is better ● If we can stop an entire kind of bug from happening, we absolutely should do so! ● Those bugs never happen again ● Not even out-of-tree code can hit them ● But we’ll never kill all bug classes
  • 16. Killing exploitation is best ● We will always have bugs ● We must stop their exploitation ● Eliminate exploitation targets and methods ● Eliminate information leaks ● Eliminate anything that assists attackers ● Even if it makes development more difficult
  • 17. Typical Exploit Chains ● Modern attacks tend to use more than one flaw ● Need to know where targets are ● Need to inject (or build) malicious code ● Need to locate malicious code ● Need to redirect execution to malicious code
  • 18. What can we do? ● Many exploit mitigation technologies already exist (e.g. grsecurity/PaX) or have been researched (e.g. academic whitepapers), but many haven't been in upstream Linux kernel ● There is demand for kernel self-protection, and there is demand for it to exist in the upstream kernel ● http://www.washingtonpost.com/sf/business/2015/11/05/net-of-in security-the-kernel-of-the-argument/
  • 19. Out-of-tree defenses? ● Some downstream kernel forks: – RedHat (ExecShield), Ubuntu (AppArmor), Android (Samsung KNOX), grsecurity (so many things) ● If you only use the kernel, and don't develop it, you're in a better position● – But you're depending on a downstream fork – Fewer eyeballs (and less automated testing infrastructure) looking for vulnerabilities – Developing the kernel means using engineering resources for your fork ● e.g. Android deals with multiple vendor forks already ● Hard to integrate multiple forks ● Upstreaming means: – No more forward-porting – More review (never perfect, of course)
  • 20. Digression 1: defending against email Spam ● Normal email server communication establishment: Client Server [connect] [accept]220 smtp.some.domain ESMTP ok EHLO my.domain 250 ohai MAIL FROM:<me@my.domain> 250 OK RCPT TO:<you@your.domain> 250 OK DATA
  • 21. Spam bot communication ● Success, and therefore timing, isn't important to Spam bots: Client Server [connect] [accept]220 smtp.some.domain ESMTP ok EHLO my.domain MAIL FROM:<me@my.domain> RCPT TO:<you@your.domain> DATA 250 ohai 250 OK 250 OK
  • 22. Trivially blocking Spam bots ● Insert a short starting delay Client Server [connect] [accept] EHLO my.domain MAIL FROM:<me@my.domain> RCPT TO:<you@your.domain> DATA 554 smtp.some.domain ESMTP nope
  • 23. Powerful because it's not the default ● If everyone did this (i.e. it was upstream), bots would adapt ● If a defense is unexamined and/or only run by a subset of Linux users, it may be accidentally effective due to it being different, but may fail under closer examination ●● Though, on the flip side, heterogeneous environments tend to be more resilient
  • 24. Digression 2: Stack Clash research in 2017 ● Underlying issues were identified in 2010 – Fundamentally, if an attacker can control the memory layout of a setuid process, they may be able to manipulate it into colliding stack with other things, and arranging related overflows to gain execution control. – Linux tried to fix it with a 4K gap – grsecurity (from 2010 through at least their last public patch) took it further with a configurable gap, defaulting to 64K
  • 25. A gap was not enough ● In addition to raising the gap size, grsecurity sensibly capped stack size of setuid processes, just in case: do_execveat_common(...) { ... /* limit suid stack to 8MB * we saved the old limits above and will restore them if this exec fails */ if (((!uid_eq(bprm->cred->euid, current_euid())) || (!gid_eq(bprm->cred->egid, current_egid()))) && (old_rlim[RLIMIT_STACK].rlim_cur > (8 * 1024 * 1024))) current->signal->rlim[RLIMIT_STACK].rlim_cur = 8 * 1024 * 1024; ...
  • 26. Upstreaming the setuid stack size limit ● Landed in v4.14-rc1 ● 15 patches ● Reviewed by at least 7 other people ● Made the kernel smaller ● Actually keeps the stack limited for setuid exec 16 files changed, 91 insertions(+), 159 deletions(-)
  • 27. Important detail: threads ● Stack rlimit is a single value shared across entire thread-group ● Exec kills all other threads (part of the “point of no return”) as late in exec as possible ● If you check or set rlimits before the point of no return, you're racing other threads Thread 1: while (1) setrlimit(...); Thread 2: while (1) setrlimit(...); Thread 3: exec(...); signal … struct rlimit[RLIM_NLIMITS];
  • 28. Un-upstreamed and unexamined for seven years $ uname -r 4.9.24-grsec+ $ ulimit -s unlimited $ ls -la setuid-stack -rwsrwxr-x 1 root root 9112 Aug 11 09:17 setuid-stack $ ./setuid-stack Stack limit: 8388608 $ ./raise-stack ./setuid-stack Stack limit: 18446744073709551615
  • 29. Out-of-tree defenses need to be upstreamed ● While the preceding example isn't universally true for all out-of- tree defenses, it's a good example of why upstreaming is important, and why sometimes what looks like a tiny change turns into much more work. ● How do we get this done?
  • 30. Kernel Self Protection Project ● http://www.openwall.com/lists/kernel-hardening/ – http://www.openwall.com/lists/kernel-hardening/2015/11/05/1 ● http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project ● People interested in coding, testing, documenting, and discussing the upstreaming of kernel self protection technologies and related topics.
  • 31. Kernel Self Protection Project ● There are other people working on excellent technologies that ultimately revolve around the kernel protecting userspace from attack (e.g. brute force detection, SROP mitigations, etc) ● KSPP focuses on the kernel protecting the kernel from attack ● Currently ~12 organizations and ~10 individuals working on about ~20 technologies ● Slow and steady
  • 32. Developers under KSPP umbrella ● LF’s Core Infrastructure Initiative funded: Emese Revfy, with others pending ● Self-funded: Andy Lutomirski, Russell King, Valdis Kletnieks, Jason Cooper, Daniel Micay, David Windsor, Richard Weinberger, Richard Fellner, Daniel Gruss, Jason A. Donenfeld, Sandy Harris, Alexander Popov ● ARM: Catalin Marinas, Mark Rutland ● Canonical: Juerg Haefliger ● Cisco: Daniel Borkmann ● Docker: Tycho Andersen ● Google: Kees Cook, Thomas Garnier, Daniel Cashman, Jeff Vander Stoep, Jann Horn, Eric Biggers ● Huawei: Li Kun ● IBM: Michael Ellerman, Heiko Carstens, Christian Borntraeger ● Imagination Technologies: Matt Redfearn ● Intel: Elena Reshetova, Hans Liljestrand, Casey Schaufler, Michael Leibowitz, Dave Hansen, Peter Zijlstra ● Linaro: Ard Biesheuvel, David Brown, Arnd Bergmann ● Linux Foundation: Greg Kroah-Hartman ● Oracle: James Morris, Quentin Casasnovas, Yinghai Lu ● RedHat: Laura Abbott, Rik van Riel, Jessica Yu, Baoquan He
  • 33. Probabilistic protections ● Protections that derive their strength from some system state being unknown to an attacker ● Weaker than “deterministic” protections since information exposures can defeat them, though they still have real-world value ● Familiar examples: – stack protector (canary value can be exposed) – Address Space Layout Randomization (offset can be exposed)
  • 34. Deterministic protections ● Protections that derive their strength from organizational system state that always blocks attackers ● Familiar examples: – Read-only memory (writes will fail) – Bounds-checking (large accesses fail)
  • 36. Bug class: stack overflow and exhaustion Exploit example: – https://jon.oberheide.org/files/half-nelson.c ● Mitigations: – stack canaries, e.g. gcc's -fstack-protector (v2.6.30) and -fstack- protector-strong (v3.14) – guard pages (e.g. GRKERNSEC_KSTACKOVERFLOW) ● vmap stack (v4.9 x86, v4.14 arm64), removal of thread_info from stack (v4.9 x86, v4.10 arm64) – alloca checking (e.g. PAX_MEMORY_STACKLEAK): Alexander Popov – shadow stacks (e.g. Clang SafeStack)
  • 37. Bug class: integer over/underflow ● Exploit examples: – https://cyseclabs.com/page?n=02012016 – http://perception-point.io/2016/01/14/analysis-and-exploi tation-of-a-linux-kernel-vulnerability-cve-2016-0728/ ● Mitigations: – check for atomic overflow (e.g. PAX_REFCOUNT) ● refcount_t: Elena Reshetova, David Windsor, Kees Cook, Ard Biesheuvel, Li Kun – compiler plugin to detect multiplication overflows at runtime (e.g. PAX_SIZE_OVERFLOW)
  • 38. Bug class: buffer overflows ● Exploit example: – http://blog.includesecurity.com/2014/06/exploit-walkthrough-cve-2014-0196-pty-kernel-race-condition.html ● Mitigations: – runtime validation of variable size vs copy_to_user / copy_from_user size (e.g. PAX_USERCOPY) ● CONFIG_HARDENED_USERCOPY (v4.8) ● Usercopy whitelisting: David Windsor, Kees Cook ● Usercopy slab segregation: David Windsor, Kees Cook – metadata validation (e.g. glibc's heap protections) ● linked-list hardening (from grsecurity) CONFIG_DEBUG_LIST (v4.10) ● CONFIG_SLUB_HARDENED, heap freelist obfuscation (from grsecurity): Daniel Micay, Kees Cook ● Heap canaries: Daniel Micay – FORTIFY_SOURCE (inspired by glibc), check buffer sizes of str*/mem* functions at compile- and run-time ● CONFIG_FORTIFY_SOURCE (v4.13) ● Intra-object checking: Daniel Micay
  • 39. Bug class: format string injection ● Exploit example: – http://www.openwall.com/lists/oss-security/2013/06/06/13 ● Mitigations: – Drop %n entirely (v3.13) – detect non-const format strings at compile time (e.g. gcc's -Wformat- security, or better plugin) – detect non-const format strings at run time (e.g. memory location checking done with glibc's -D_FORITY_SOURCE=2)
  • 40. Bug class: kernel pointer leak ● Exploit examples: – examples are legion: /proc (e.g. kallsyms, modules, slabinfo, iomem), /sys, INET_DIAG (v4.1), etc – http://vulnfactory.org/exploits/alpha-omega.c ● Mitigations: – kptr_restrict sysctl (v2.6.38) too weak: requires dev opt-in – remove visibility to kernel symbols (e.g. GRKERNSEC_HIDESYM) – detect and block usage of %p or similar writes to seq_file or other user buffers (e.g. GRKERNSEC_HIDESYM + PAX_USERCOPY)
  • 41. Bug class: uninitialized variables ● This is not just an information leak! ● Exploit example: – https://outflux.net/slides/2011/defcon/kernel-exploitation.pdf ● Mitigations: – GCC plugin, stackleak: clear kernel stack between system calls (from PAX_MEMORY_STACKLEAK): Alexander Popov – GCC plugin, structleak: instrument compiler to fully initialize all structures (from PAX_MEMORY_STRUCTLEAK): (__user v4.11, by-reference v4.14)
  • 42. Bug class: use-after-free ● Exploit example: – http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-k ernel-vulnerability-cve-2016-0728/ ● Mitigations: – clearing memory on free can stop attacks where there is no reallocation control (e.g. PAX_MEMORY_SANITIZE) ● Zero poisoning (v4.6) – segregating memory used by the kernel and by userspace can stop attacks where this boundary is crossed (e.g. PAX_USERCOPY) – randomizing heap allocations can frustrate the reallocation efforts the attack needs to perform (e.g. OpenBSD malloc) ● Freelist randomization (SLAB: v4.7, SLUB: v4.8)
  • 44. Exploitation: finding the kernel ● Exploit examples (see “Kernel pointer leaks” above too): – https://github.com/jonoberheide/ksymhunter ● Mitigations: – hide symbols and kernel pointers (see “Kernel pointer leaks”) – kernel ASLR ● text/modules base: x86 (v3.14), arm64 (v4.6), MIPS (v4.7), ARM: Ard Biesheuvel ● memory: x86 (v4.8) ● PIE: arm64 (v4.6), x86: Thomas Garnier – runtime randomization of kernel functions – executable-but-not-readable memory ● x86 (v4.6), arm64 (v4.9) – per-build structure layout randomization (e.g. GRKERNSEC_RANDSTRUCT) ● manual (v4.13), automatic (v4.14)
  • 45. Exploitation: direct kernel overwrite ● How is this still a problem in the 21st century? ● Exploit examples: – Patch setuid to always succeed – http://itszn.com/blog/?p=21 Overwrite vDSO ● Mitigations: – Executable memory cannot be writable (CONFIG_STRICT_KERNEL_RWX) ● s390: forever ago ● x86: v3.18 ● ARM: v3.19 ● arm64: v4.0
  • 46. Exploitation: function pointer overwrite ● Also includes things like vector tables, descriptor tables (which can also be info leaks) ● Exploit examples: – https://outflux.net/blog/archives/2010/10/19/cve-2010-2963-v4l-compat-e xploit/ – https://blogs.oracle.com/ksplice/entry/anatomy_of_an_exploit_cve ● Mitigations: – read-only function tables (e.g. PAX_CONSTIFY_PLUGIN) – make sensitive targets that need one-time or occasional updates only writable during updates (e.g. PAX_KERNEXEC): ● __ro_after_init (v4.6)
  • 47. Exploitation: userspace execution ● Exploit example: – See almost all previous examples ● Mitigations: – hardware segmentation: SMEP (x86), PXN (ARM, arm64) – emulated memory segmentation via page table swap, PCID, etc (e.g. PAX_MEMORY_UDEREF): ● Domains (ARM: v4.3) ● TTBR0 (arm64: v4.10) ● PCID (x86): Andy Lutomirski – compiler instrumentation to set high bit on function calls
  • 48. Exploitation: userspace data ● Exploit examples: – https://github.com/geekben/towelroot/blob/master/towelroot.c – http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9 322-linux-kernel-privilege-escalation/ ● Mitigations: – hardware segmentation: SMAP (x86), PAN (ARM, arm64) – emulated memory segmentation via page table swap, PCID, etc (e.g. PAX_MEMORY_UDEREF): ● Domains (ARM: v4.3) ● TTBR0 (arm64: v4.10) ● PCID (x86): Andy Lutomirski – eXclusive Page Frame Ownership: Tycho Andersen, Juerg Haefliger
  • 49. Exploitation: reused code chunks ● Also known as Return Oriented Programming (ROP), Jump Oriented Programming (JOP), etc ● Exploit example: – http://vulnfactory.org/research/h2hc-remote.pdf ● Mitigations: – JIT obfuscation (e.g. BPF_HARDEN): ● eBPF JIT hardening (v4.7) – compiler instrumentation for Control Flow Integrity (CFI): ● Clang CFI https://clang.llvm.org/docs/ControlFlowIntegrity.html ● kCFI https://github.com/kcfi/docs ● GCC plugin: Return Address Protection, Indirect Control Transfer Protection (e.g. RAP) https://pax.grsecurity.net/docs/PaXTeam-H2HC15-RAP-RIP-ROP.pdf
  • 50. A year's worth of kernel releases ...
  • 51. Added in v4.10 ● PAN emulation, arm64 ● thread_info relocated off stack, arm64 ● Linked list hardening ● RNG seeding from UEFI, arm64 ● W^X detection, arm64
  • 52. Added in v4.11 ● refcount_t infrastructure ● read-only usermodehelper ● structleak plugin
  • 53. Added in v4.12 ● read-only and fixed-location GDT, x86 ● usercopy consolidation ● read-only LSM structures ● KASLR enabled by default, x86 ● stack canary expanded to bit-width of host ● stack/heap gap expanded
  • 54. Added in v4.13 ● CONFIG_REFCOUNT_FULL ● CONFIG_FORTIFY_SOURCE ● randstruct (manual mode) ● ELF_ET_DYN_BASE lowered
  • 56. Challenge: Culture ● Conservatism – 16 years to accept symlink restrictions upstream ● Responsibility – Kernel developers must accept the need for these changes ● Sacrifice – Kernel developers must accept the technical burden ● Patience – Out-of-tree developers must understand how kernel is developed
  • 57. Challenge: Technical ● Complexity – Very few people are proficient at developing (much less debugging) these features ● Innovation – We must adapt the many existing solutions – We must create new technologies ● Collaboration – Explain rationale for new technologies – Make code understandable/maintainable by other developers and accessible across architectures
  • 58. Challenge: Resources ● People – Dedicated developers ● People – Dedicated testers ● People – Dedicated backporters