The Kernel Self-Protection Project focuses on addressing gaps in Linux’s defensive technologies. With Linux reaching into every corner of modern life, and userspace frequently being very locked-down, the kernel has become an ever-increasing target for attackers and much more needs to be done to harden the kernel so it can protect itself. A quick overview will be shown of what we’re trying to protect Linux against, as well as the state of the art in available technologies. Also presented will be a summary of the last year’s participation by many people over a wide range of technologies, with a review of KSPP attempts, accomplishments, active efforts, and an examination of future projects and goals.
Kees Cook, Google
Kernel Recipes 2017 - Testing on device with LAVA - Olivier CrêteAnne Nicolas
Continous integration has gained a lot of popularity in the open source world in recent years, with the loud/web world at the forefront. The kernel world has however been somewhat slow to catch-up, especially in the embedded world, services like KernelCi and the 0-day are incredibly useful services once patches are flowing upstream but are limited in their scope.
In this talk we’ll go over how CI best practices can be used when doing kernel development, and how with a little bit of infrastructure and tooling one can setup a “mini-kernelci” to run tests relevant to the current development on actual embedded hardware.
Sjoerd SimonsOlivier Crête
Kernel Recipes 2017 - Linux Kernel Release Model - Greg KHAnne Nicolas
This talk describes how the Linux kernel development model works, what a long term supported kernel is, and why all Linux-based systems devices should be using all of the stable releases and not attempting to pick and choose random patches.
It also goes into how the kernel community approaches “security” patches, and the reasoning why they do it in the manner they do.
This is an expanded talk based on a lighting talk presented at Kernel Recipes 2015, and the speaker’s interactions with companies reaction to the supposedly confusing development model on which they rely on.
Greg KH, Linux Foundation
Embedded Recipes 2017 - Long-Term Maintenance, or How to (Mis-)Manage Embedde...Anne Nicolas
The technical side of how to build embedded Linux systems solved by now: Take the kernel, a build system, add some patches, integrate your application and you’re done!
In reality though, most of the embedded systems we build are connected to the Internet and run most of the same software as servers or desktops.
Unlike these however, our systems are not regularly maintained an administrator and don’t run a standard distribution.
In this presentation, Marc Kleine-Budde will explain why apparently reasonable approaches to long-term maintenance fail and how to establish a sustainable workflow instead.
By mainlining required features early, aligning to the upstream support cycles and having a predictable maintenance and testing schedule, it is easy to respond to the inevitable (security) problems quickly and with controlled risk.
Mark Kleine-Budde, Pengutronix
Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...Jérôme Petazzoni
Docker is two years old. While security has always been at the core of the questions revolving around Docker, the nature of those questions has changed. Last year, the main concern was "can I safely colocate containers on the same machine?" and it elicited various responses. Dan Walsh, SELinux expert, notoriously said: "containers do not contain!", and at last year's LinuxCon, Jérôme delivered a presentation detailing how to harden Docker and containers to isolate them better.
Today, people have new concerns. They include image transport, vulnerability mitigation, and more.
After a recap about the current state of container security, Jérôme will explain why those new questions showed up, and most importantly, how to address them and safely deploy containers in general, and Docker in particular.
Containers, docker, and security: state of the union (Bay Area Infracoders Me...Jérôme Petazzoni
Docker is two years old. While security has always been at the core of the questions revolving around Docker, the nature of those questions has changed. Last year, the main concern was "can I safely colocate containers on the same machine?" and it elicited various responses. Dan Walsh, SELinux expert, notoriously said: "containers do not contain!", and at last year's LinuxCon, Jérôme delivered a presentation detailing how to harden Docker and containers to isolate them better. Today, people have new concerns. They include image transport, vulnerability mitigation, and more.
After a recap about the current state of container security, Jérôme will explain why those new questions showed up, and most importantly, how to address them and safely deploy containers in general, and Docker in particular.
PaaSTA, Yelp's platform as a service (PaaS) built on top of open source tools, provides tooling for developers to quickly turn their microservice into a monitored, highly available application spanning multiple data centers and cloud regions. Nathan Handler outlines the technologies that power PaaSTA and discusses how Yelp uses PaaSTA to empower developers and solve key problems.
Video: https://youtu.be/vISUXKeoqXM
Deploy microservices in containers with Docker and friends - KCDC2015Jérôme Petazzoni
Docker lets us build, ship, and run any Linux application, on any platform. It found many early adopters in the CI/CD industry, long before it reached the symbolic 1.0 milestone and was considered "production-ready." Since then, its stability and features attracted enterprise users in many different fields, including very demanding ones like finance, banking, or intelligence agencies.
We will see how Docker is particularly suited to the deployment of distributed applications, and why it is an ideal platform for microservice architectures. In particular, we will look into three Docker related projects that have been announced at DockerCon Europe last December: Machine, Swarm, and Compose, and we will explain how they improve the way we build, deploy, and scale distributed applications.
Kernel Recipes 2017 - Testing on device with LAVA - Olivier CrêteAnne Nicolas
Continous integration has gained a lot of popularity in the open source world in recent years, with the loud/web world at the forefront. The kernel world has however been somewhat slow to catch-up, especially in the embedded world, services like KernelCi and the 0-day are incredibly useful services once patches are flowing upstream but are limited in their scope.
In this talk we’ll go over how CI best practices can be used when doing kernel development, and how with a little bit of infrastructure and tooling one can setup a “mini-kernelci” to run tests relevant to the current development on actual embedded hardware.
Sjoerd SimonsOlivier Crête
Kernel Recipes 2017 - Linux Kernel Release Model - Greg KHAnne Nicolas
This talk describes how the Linux kernel development model works, what a long term supported kernel is, and why all Linux-based systems devices should be using all of the stable releases and not attempting to pick and choose random patches.
It also goes into how the kernel community approaches “security” patches, and the reasoning why they do it in the manner they do.
This is an expanded talk based on a lighting talk presented at Kernel Recipes 2015, and the speaker’s interactions with companies reaction to the supposedly confusing development model on which they rely on.
Greg KH, Linux Foundation
Embedded Recipes 2017 - Long-Term Maintenance, or How to (Mis-)Manage Embedde...Anne Nicolas
The technical side of how to build embedded Linux systems solved by now: Take the kernel, a build system, add some patches, integrate your application and you’re done!
In reality though, most of the embedded systems we build are connected to the Internet and run most of the same software as servers or desktops.
Unlike these however, our systems are not regularly maintained an administrator and don’t run a standard distribution.
In this presentation, Marc Kleine-Budde will explain why apparently reasonable approaches to long-term maintenance fail and how to establish a sustainable workflow instead.
By mainlining required features early, aligning to the upstream support cycles and having a predictable maintenance and testing schedule, it is easy to respond to the inevitable (security) problems quickly and with controlled risk.
Mark Kleine-Budde, Pengutronix
Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...Jérôme Petazzoni
Docker is two years old. While security has always been at the core of the questions revolving around Docker, the nature of those questions has changed. Last year, the main concern was "can I safely colocate containers on the same machine?" and it elicited various responses. Dan Walsh, SELinux expert, notoriously said: "containers do not contain!", and at last year's LinuxCon, Jérôme delivered a presentation detailing how to harden Docker and containers to isolate them better.
Today, people have new concerns. They include image transport, vulnerability mitigation, and more.
After a recap about the current state of container security, Jérôme will explain why those new questions showed up, and most importantly, how to address them and safely deploy containers in general, and Docker in particular.
Containers, docker, and security: state of the union (Bay Area Infracoders Me...Jérôme Petazzoni
Docker is two years old. While security has always been at the core of the questions revolving around Docker, the nature of those questions has changed. Last year, the main concern was "can I safely colocate containers on the same machine?" and it elicited various responses. Dan Walsh, SELinux expert, notoriously said: "containers do not contain!", and at last year's LinuxCon, Jérôme delivered a presentation detailing how to harden Docker and containers to isolate them better. Today, people have new concerns. They include image transport, vulnerability mitigation, and more.
After a recap about the current state of container security, Jérôme will explain why those new questions showed up, and most importantly, how to address them and safely deploy containers in general, and Docker in particular.
PaaSTA, Yelp's platform as a service (PaaS) built on top of open source tools, provides tooling for developers to quickly turn their microservice into a monitored, highly available application spanning multiple data centers and cloud regions. Nathan Handler outlines the technologies that power PaaSTA and discusses how Yelp uses PaaSTA to empower developers and solve key problems.
Video: https://youtu.be/vISUXKeoqXM
Deploy microservices in containers with Docker and friends - KCDC2015Jérôme Petazzoni
Docker lets us build, ship, and run any Linux application, on any platform. It found many early adopters in the CI/CD industry, long before it reached the symbolic 1.0 milestone and was considered "production-ready." Since then, its stability and features attracted enterprise users in many different fields, including very demanding ones like finance, banking, or intelligence agencies.
We will see how Docker is particularly suited to the deployment of distributed applications, and why it is an ideal platform for microservice architectures. In particular, we will look into three Docker related projects that have been announced at DockerCon Europe last December: Machine, Swarm, and Compose, and we will explain how they improve the way we build, deploy, and scale distributed applications.
Docker, Linux Containers, and Security: Does It Add Up?Jérôme Petazzoni
Containers are becoming increasingly popular. They have many advantages over virtual machines: they boot faster, have less performance overhead, and use less resources. However, those advantages also stem from the fact that containers share the kernel of their host, instead of abstracting an new independent environment. This sharing has significant security implications, as kernel exploits can now lead to host-wide escalations.
In this presentation, we will:
- Review the actual security risks, in particular for multi-tenant environments running arbitrary applications and code
- Discuss how to mitigate those risks
- Focus on containers as implemented by Docker and the libcontainer project, but the discussion also stands for plain containers as implemented by LXC
Ryan Koop's Docker Chicago Meetup Demo March 12 2014Cohesive Networks
CohesiveFT's Director of Products & Marketing, Ryan Koop, presented on how CohesiveFT is incorporating Docker containers in our latest version of the virtual networking appliance, VNS3.
Docker Meetup #2 was held on March 12, 2014 at Mediafly
The Docker ecosystem and the future of application deploymentJérôme Petazzoni
Ten years ago, virtualization ignited a revolution which gave birth to the Cloud and the DevOps initiative. Today, with containers, we are at the dawn of a similar breakthrough.
How can we capture the value of containers? How can we use their features to implement microservices and immutable infrastructures, while retaining as much as possible of our existing practices? The answer is in the rich ecosystem that developed around Docker, an open-source platform to build, ship, and run applications in containers.
In this keynote we’ll explore what the applications of tomorrow will look like, how they’ll be deployed and distributed – and how to leverage those tools today.
OSCON: Better Collaboration through ToolingDocker, Inc.
Ying Li and David Lawrence investigate how to use free tools to ease collaboration and improve outcomes in open source Go projects. By providing a better way for your contributors to get up and running and giving them more visibility into their impact, positive or negative, you can increase their independence and the velocity of your project.
Ying and David discuss three key topics: Introduction to a project, Submitting a pull request, Distributing updates.
Dockerized containers are the current wave that promising to revolutionize IT. Everybody is talking about containers, but a lot of people remain confused on how they work and why they are different or better than virtual machines. In this session, Black Duck container and virtualization expert Tim Mackey will demystify containers, explain their core concepts, and compare and contrast them with the virtual machine architectures that have been the staple of IT for the last decade.
How to contribute to large open source projects like Docker (LinuxCon 2015)Jérôme Petazzoni
Contributing to a large open source project can seem daunting at first; but fear not! You too can join thousands of successful contributors. First, you don't have to be an expert in Golang, Python, or C, to contribute to Docker, OpenStack, or the Linux Kernel. Many projects also need help with documentation, translation, testing, triaging issues, and more. Very often, just going through bug reports to reproduce them and confirm "this also happens on my setup, with version XYZ" is extremely helpful.
If you decide to take the leap and propose a change (be it code or documentation), each open source project has different contribution guidelines and workflows.
In this talk, Arnaud and Jérôme will explain some of those workflows, how maintainers review your patches, and highlight the details that make your changes more likely to be merged into the project.
Embedded Recipes 2018 - swupdate: update your embedded device - Charles-Anto...Anne Nicolas
Nowadays a lot of embedded system are connected to Internet. And every years, more devices are available in the market but without maintenance. Due to this situation, a lot of security issues raised which could compromised the lifetime of the product and the privacy of their users. To fix these bugs, these security issues or to add new features, updating remotely these systems on regular basis is very important. We have to think about update process for each new product, to be easy, reliable, efficient and not too costly for the required bandwidth or hardware performances.
Several update designs are available to fit your requirements. Due to these constraints, you have to make choice and find the right balance.
Hopefully one free software allows us to perform this task in a easy and flexible way: swupdate. This solution is very well integrated with U-boot, buildroot and Yocto. You can describe exactly how the update should be done.
This talk is to explain the main designs to update an embedded system with pro and cons of all of them and then explain how to implement them with swupdate for your embedded system.
Securing the Software Supply Chain with TUF and Docker - Justin Cappos and Sa...Docker, Inc.
If you want to compromise millions of machines and users, software distribution and software updates are an excellent attack vector. Using public cryptography to sign your packages is a good starting point, but as we will see, it still leaves you open to a variety of attacks. This is why we designed TUF, a secure software update framework. TUF helps to handle key revocation securely, limits the impact a man-in-the-middle attacker may have, and reduces the impact of repository compromise. We will discuss TUF's protections and integration into Docker's Notary software, and demonstrate new techniques that could be added to verify other parts of the software supply chain, including the development, build, and quality assurance processes.
Everyone heard about Kubernetes. Everyone wants to use this tool. However, sometimes we forget about security, which is essential throughout the container lifecycle.
Therefore, our journey with Kubernetes security should begin in the build stage when writing the code becomes the container image.
Kubernetes provides innate security advantages, and together with solid container protection, it will be invincible.
During the sessions, we will review all those features and highlight which are mandatory to use. We will discuss the main vulnerabilities which may cause compromising your system.
Contacts:
LinkedIn - https://www.linkedin.com/in/vshynkar/
GitHub - https://github.com/sqerison
-------------------------------------------------------------------------------------
Materials from the video:
The policies and docker files examples:
https://gist.github.com/sqerison/43365e30ee62298d9757deeab7643a90
The repo with the helm chart used in a demo:
https://github.com/sqerison/argo-rollouts-demo
Tools that showed in the last section:
https://github.com/armosec/kubescape
https://github.com/aquasecurity/kube-bench
https://github.com/controlplaneio/kubectl-kubesec
https://github.com/Shopify/kubeaudit#installation
https://github.com/eldadru/ksniff
Further learning.
A book released by CISA (Cybersecurity and Infrastructure Security Agency):
https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF
O`REILLY Kubernetes Security:
https://kubernetes-security.info/
O`REILLY Container Security:
https://info.aquasec.com/container-security-book
Thanks for watching!
OSCON: Incremental Revolution - What Docker learned from the open-source fire...Docker, Inc.
Since Solomon Hykes unveiled Docker at the PyCon conference three years ago, containers have revolutionized how developers and ops teams build, ship, and run applications. Solomon explores the past, present, and future of our container ecosystem and shares lessons learned from managing successful open source projects across several dimensions: technology, people, products, and business.
Sign up for the Docker for Mac and Windows beta: beta.docker.com
Introduction to Docker and all things containers, Docker Meetup at RelateIQdotCloud
Docker is an open-source project to easily create lightweight, portable, self-sufficient containers from any application. The same container that a developer builds and tests on a laptop can run at scale, in production, on VMs, bare metal, OpenStack clusters, public clouds and more.
A guest lecture at National University of Defense Technology (NUDT) in 2016 to postgraduate students in China about emerging technologies in the Linux operating system.
Docker, Linux Containers, and Security: Does It Add Up?Jérôme Petazzoni
Containers are becoming increasingly popular. They have many advantages over virtual machines: they boot faster, have less performance overhead, and use less resources. However, those advantages also stem from the fact that containers share the kernel of their host, instead of abstracting an new independent environment. This sharing has significant security implications, as kernel exploits can now lead to host-wide escalations.
In this presentation, we will:
- Review the actual security risks, in particular for multi-tenant environments running arbitrary applications and code
- Discuss how to mitigate those risks
- Focus on containers as implemented by Docker and the libcontainer project, but the discussion also stands for plain containers as implemented by LXC
Ryan Koop's Docker Chicago Meetup Demo March 12 2014Cohesive Networks
CohesiveFT's Director of Products & Marketing, Ryan Koop, presented on how CohesiveFT is incorporating Docker containers in our latest version of the virtual networking appliance, VNS3.
Docker Meetup #2 was held on March 12, 2014 at Mediafly
The Docker ecosystem and the future of application deploymentJérôme Petazzoni
Ten years ago, virtualization ignited a revolution which gave birth to the Cloud and the DevOps initiative. Today, with containers, we are at the dawn of a similar breakthrough.
How can we capture the value of containers? How can we use their features to implement microservices and immutable infrastructures, while retaining as much as possible of our existing practices? The answer is in the rich ecosystem that developed around Docker, an open-source platform to build, ship, and run applications in containers.
In this keynote we’ll explore what the applications of tomorrow will look like, how they’ll be deployed and distributed – and how to leverage those tools today.
OSCON: Better Collaboration through ToolingDocker, Inc.
Ying Li and David Lawrence investigate how to use free tools to ease collaboration and improve outcomes in open source Go projects. By providing a better way for your contributors to get up and running and giving them more visibility into their impact, positive or negative, you can increase their independence and the velocity of your project.
Ying and David discuss three key topics: Introduction to a project, Submitting a pull request, Distributing updates.
Dockerized containers are the current wave that promising to revolutionize IT. Everybody is talking about containers, but a lot of people remain confused on how they work and why they are different or better than virtual machines. In this session, Black Duck container and virtualization expert Tim Mackey will demystify containers, explain their core concepts, and compare and contrast them with the virtual machine architectures that have been the staple of IT for the last decade.
How to contribute to large open source projects like Docker (LinuxCon 2015)Jérôme Petazzoni
Contributing to a large open source project can seem daunting at first; but fear not! You too can join thousands of successful contributors. First, you don't have to be an expert in Golang, Python, or C, to contribute to Docker, OpenStack, or the Linux Kernel. Many projects also need help with documentation, translation, testing, triaging issues, and more. Very often, just going through bug reports to reproduce them and confirm "this also happens on my setup, with version XYZ" is extremely helpful.
If you decide to take the leap and propose a change (be it code or documentation), each open source project has different contribution guidelines and workflows.
In this talk, Arnaud and Jérôme will explain some of those workflows, how maintainers review your patches, and highlight the details that make your changes more likely to be merged into the project.
Embedded Recipes 2018 - swupdate: update your embedded device - Charles-Anto...Anne Nicolas
Nowadays a lot of embedded system are connected to Internet. And every years, more devices are available in the market but without maintenance. Due to this situation, a lot of security issues raised which could compromised the lifetime of the product and the privacy of their users. To fix these bugs, these security issues or to add new features, updating remotely these systems on regular basis is very important. We have to think about update process for each new product, to be easy, reliable, efficient and not too costly for the required bandwidth or hardware performances.
Several update designs are available to fit your requirements. Due to these constraints, you have to make choice and find the right balance.
Hopefully one free software allows us to perform this task in a easy and flexible way: swupdate. This solution is very well integrated with U-boot, buildroot and Yocto. You can describe exactly how the update should be done.
This talk is to explain the main designs to update an embedded system with pro and cons of all of them and then explain how to implement them with swupdate for your embedded system.
Securing the Software Supply Chain with TUF and Docker - Justin Cappos and Sa...Docker, Inc.
If you want to compromise millions of machines and users, software distribution and software updates are an excellent attack vector. Using public cryptography to sign your packages is a good starting point, but as we will see, it still leaves you open to a variety of attacks. This is why we designed TUF, a secure software update framework. TUF helps to handle key revocation securely, limits the impact a man-in-the-middle attacker may have, and reduces the impact of repository compromise. We will discuss TUF's protections and integration into Docker's Notary software, and demonstrate new techniques that could be added to verify other parts of the software supply chain, including the development, build, and quality assurance processes.
Everyone heard about Kubernetes. Everyone wants to use this tool. However, sometimes we forget about security, which is essential throughout the container lifecycle.
Therefore, our journey with Kubernetes security should begin in the build stage when writing the code becomes the container image.
Kubernetes provides innate security advantages, and together with solid container protection, it will be invincible.
During the sessions, we will review all those features and highlight which are mandatory to use. We will discuss the main vulnerabilities which may cause compromising your system.
Contacts:
LinkedIn - https://www.linkedin.com/in/vshynkar/
GitHub - https://github.com/sqerison
-------------------------------------------------------------------------------------
Materials from the video:
The policies and docker files examples:
https://gist.github.com/sqerison/43365e30ee62298d9757deeab7643a90
The repo with the helm chart used in a demo:
https://github.com/sqerison/argo-rollouts-demo
Tools that showed in the last section:
https://github.com/armosec/kubescape
https://github.com/aquasecurity/kube-bench
https://github.com/controlplaneio/kubectl-kubesec
https://github.com/Shopify/kubeaudit#installation
https://github.com/eldadru/ksniff
Further learning.
A book released by CISA (Cybersecurity and Infrastructure Security Agency):
https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF
O`REILLY Kubernetes Security:
https://kubernetes-security.info/
O`REILLY Container Security:
https://info.aquasec.com/container-security-book
Thanks for watching!
OSCON: Incremental Revolution - What Docker learned from the open-source fire...Docker, Inc.
Since Solomon Hykes unveiled Docker at the PyCon conference three years ago, containers have revolutionized how developers and ops teams build, ship, and run applications. Solomon explores the past, present, and future of our container ecosystem and shares lessons learned from managing successful open source projects across several dimensions: technology, people, products, and business.
Sign up for the Docker for Mac and Windows beta: beta.docker.com
Introduction to Docker and all things containers, Docker Meetup at RelateIQdotCloud
Docker is an open-source project to easily create lightweight, portable, self-sufficient containers from any application. The same container that a developer builds and tests on a laptop can run at scale, in production, on VMs, bare metal, OpenStack clusters, public clouds and more.
A guest lecture at National University of Defense Technology (NUDT) in 2016 to postgraduate students in China about emerging technologies in the Linux operating system.
This talk explains what what Pod Security Policy is and it's importance in Kubernetes Security. The talk also takes a look at the current situation of docker hub's popular images and helm charts repository.
This talk stresses on the fact that having PSP enabled the right way is absolutely necessary for the real security of the cluster.
Link to the demos:
What is Pod Security Policy? https://www.youtube.com/watch?v=nrWRMP94vqc
Kubernetes Hostpath exploit thrawted with Pod Security Policy https://www.youtube.com/watch?v=APS0CfD6DsE
OSAC16: Unikernel-powered Transient Microservices: Changing the Face of Softw...Russell Pavlicek
In most current microservice-based architectures, the machine images powering the microservice are quite traditional: a full software stack from operating system to application, which takes significant resources to host and plenty of time to start and stop. As a result, most current microservice workloads are persistent, having to start before they are needed and sitting idle when there’s no work to do. This wastes precious resources and slows the application’s ability to scale out as workloads require.
The arrival of lightweight technologies like Docker and containers have opened the door to lighter workloads in the microservice arena, but the advent of unikernels might be a game changer. These ultralight, highly secure workloads combine the entire software stack—from operating system functions to application—into a single, tiny package that runs directly on a hypervisor. Start times for many unikernel-based VMs can be measured in milliseconds, raising the question: why waste time and resources with persistent microservices? Why not consider transient microservices, which appear when there is something to do and disappear immediately thereafter?
While the use of transient microservices could free up much computing power, it will also change the architecture and orchestration of software solutions. The concept of services that may have a lifetime measured in seconds—or less—does not currently exist in popular cloud-based systems.
This talk describes the current state of the Veil-Framework and the different tools included in it such as Veil-Evasion, Veil-Catapult, Veil-Powerview, Veil-Pillage, Veil-Ordnance
Open Source Investments in Mainframe Through the Next Generation - Showcasing...Open Mainframe Project
In it's 3rd year, the Open Mainframe Project continues to invest in the open source ecosystem on mainframe through it's summer internship program. This year's class focused on improving mainframe open source packaging and support of modern technologies such as Cloud Foundry and Kubernetes.
In this session, interns will present their work and experience in working in the internship program.
Webinar: OpenEBS - Still Free and now FASTEST Kubernetes storageMayaData Inc
Webinar Session - https://youtu.be/_5MfGMf8PG4
In this webinar, we share how the Container Attached Storage pattern makes performance tuning more tractable, by giving each workload its own storage system, thereby decreasing the variables needed to understand and tune performance.
We then introduce MayaStor, a breakthrough in the use of containers and Kubernetes as a data plane. MayaStor is the first containerized data engine available that delivers near the theoretical maximum performance of underlying systems. MayaStor performance scales with the underlying hardware and has been shown, for example, to deliver in excess of 10 million IOPS in a particular environment.
The Future of Security and Productivity in Our Newly Remote WorldDevOps.com
Andy has made mistakes. He's seen even more. And in this talk he details the best and the worst of the container and Kubernetes security problems he's experienced, exploited, and remediated.
This talk details low level exploitable issues with container and Kubernetes deployments. We focus on lessons learned, and show attendees how to ensure that they do not fall victim to avoidable attacks.
See how to bypass security controls and exploit insecure defaults in this technical appraisal of the container and cluster security landscape.
Linux Kernel Security Overview - KCA 2009James Morris
Overview of Linux Kernel Security presented at Kernel Conference Australia 2009, in Brisbane, QLD.
Provides historical context of Linux kernel security features and discusses their ongoing development in reference to the NSA's 1998 secure OS paper, "The Inevitability of Failure".
apidays LIVE New York - Navigating the Sea of Javascript Tools to Discover Sc...apidays
apidays LIVE New York - API for Legacy Industries: Banking, Insurance, Healthcare and Retail
Navigating the Sea of Javascript Tools to Discover Scalable Tools for Continuous Delivery
Menelaos Kotsollaris, Senior Software Engineer
Viki Green, Senior Software Developer at Trulioo
How to deliver High Performance OpenStack Cloud: Christoph Dwertmann, Vault S...OpenStack
Securing Openstack in Line with the Government ISM and PSPF controls and how to deliver High Performance OpenStack Cloud to address Government Legacy Systems
Audience: Intermediate/Advanced
Topic: Security, Infrastructure, Performance
Abstract: As the CTO of Vault Systems, Christoph will take us through the challenges of implementing ASD’s ISM controls within Vault’s OpenStack cloud to create a Protected Certified OpenStack Platform and give a technical account of some of the optimizations he has done around Ceph on NVMe Storage to deliver High Performance Storage.
Speaker Bio: Christoph Dwertmann, Vault Systems
Christoph is a full stack engineer with four years of experience in deploying and securing Openstack. Fully automated software deployment and self-healing microservice containers are amongst his current interests. As the CTO of Vault Systems he recently deployed the world’s first pure NVMe Ceph cluster into production. From his previous work in network research for the National Science Foundation (NSF) he gathered in-depth knowledge spanning software-defined networks across continents.
OpenStack Australia Day Government - Canberra 2016
https://events.aptira.com/openstack-australia-day-canberra-2016/
Talk from Embedded Linux Conference, http://elcabs2015.sched.org/event/551ba3cdefe2d37c478810ef47d4ca4c?iframe=no&w=i:0;&sidebar=yes&bg=no#.VRUCknSQQQs
Advanced cgroups and namespaces
This talk picks up where we left off in the previous cgroups and namespaces talk and dive in even deeper!
Agenda:
* cgroups v2 design (cgroup v2 was started to be merged in the current kernel, 4.4)
* cgroups v2 examples (migrating tasks, enabling and disabling controllers, and more).
* comparison between cgroup v2 unified hierarchy and cgroup v1 legacy hierarchy.
* PIDs namespaces (from kernel 4.3)
* cgroup namespaces (not merged yet)
Historically, sharing a Linux server entailed all kinds of untenable compromises. In addition to the security concerns, there was simply no good way to keep one application from hogging resources and messing with the others. The classic “noisy neighbor” problem made shared systems the bargain-basement slums of the Internet, suitable only for small or throwaway projects.
Serious use-cases traditionally demanded dedicated systems. Over the past decade virtualization (in conjunction with Moore’s law) has democratized the availability of what amount to dedicated systems, and the result is hundreds of thousands of websites and applications deployed into VPS or cloud instances. It’s a step in the right direction, but still has glaring flaws.
Most of these websites are just piles of code sitting on a server somewhere. How did that code got there? How can it can be scaled? Secured? Maintained? It’s anybody’s guess. There simply isn’t enough SysAdmin talent in the world to meet the demands of managing all these apps with anything close to best practices without a better model.
Containers are a whole new ballgame. Unlike VMs, you skip the overhead of running an entire OS for every application environment. There’s also no need to provision a whole new machine to have a place to deploy, meaning you can spin up or scale your application with orders of magnitude more speed and accuracy.
Similar to Kernel Recipes 2017 - The state of kernel self-protection - Kees Cook (20)
Kernel Recipes 2019 - Driving the industry toward upstream firstAnne Nicolas
Wanting to avoid the Android experience, Google developers always aimed to make their Chrome OS Linux kernels as close to mainline as possible. However, when Chromebooks were first created, Google was left with no choice, the mainline kernel, in some subsystems, still did not have all the functionalities needed by Chromebooks. Hence, similarly to Android, Chrome OS had to develop their own out-of-tree code for the kernel and maintain that for a few different kernel versions.
Luckily, over the last few years a strong and consistent effort has been happening to bring Chromebook devices closer to mainline. It has led to significant improvements that now make it possible to run mainline on Chrome OS devices. And not only Chromebooks, as these significant strides are also improving Arm-based SOCs and other key components of the rich Chromebook hardware ecosystem. In this talk, we will look at how and why upstream support for Chromebooks improved, the current status of various models, and what we expect in the future.
Enric Balletbò i Serra
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMIAnne Nicolas
As the name would suggest, a Non-Maskable Interrupt (NMI) is an interrupt-like feature that is unaffected by the disabling of classic interrupts. In Linux, NMIs are involved in some features such as performance event monitoring, hard-lockup detector, on demand state dumping, etc… Their potential to fire when least expected can fill the most seasoned kernel hackers with dread.
AArch64 (aka arm64 in the Linux tree) does not provide architected NMIs, a consequence being that features benefiting from NMIs see their use limited on AArch64. However, the Arm Generic Interrupt Controller (GIC) supports interrupt prioritization and masking, which, among other things, provides a way to control whether or not a set of interrupts can be signaled to a CPU.
This talk will cover how, using the GIC interrupt priorities, we provide a way to configure some interrupts to behave in an NMI-like manner on AArch64. We’ll discuss the implementation, some of the complications that ensued and also some of the benefits obtained from it.
Julien Thierry
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelAnne Nicolas
At a rate of almost 9 changes per hour (24/7), the Linux kernel is definitely a scary beast. Bugs are introduced on a daily basis and, through the use of multiple code analyzers, *some* of them are detected and fixed before they hit mainline. Over the course of the last few years, Gustavo has been fixing such bugs and many different issues in every corner of the Linux kernel. Recently, he was in charge of leading the efforts to globally enable -Wimplicit-fallthrough; which appears by default in Linux v5.3. This presentation is a report on all the stuff Gustavo has found and fixed in the kernel with the support of the Core Infrastructure Initiative.
Gustavo A.R. Silva
Kernel Recipes 2019 - Metrics are moneyAnne Nicolas
In I.T. we all use all kinds of metrics. Operations teams rely heavily on these, especially when things go south. These metrics are sometimes overrated. Let’s dive into a few real life stories together.
Aurélien Rougemont
Kernel Recipes 2019 - Kernel documentation: past, present, and futureAnne Nicolas
The Linux kernel project includes a huge amount of documentation, but that information has seen little in the way of care over the
years. The amount of care has increased significantly recently, though, and things are improving quickly. Listen as the kernel’s documentation maintainer discusses the current state of the kernel’s docs, how we got here, where we’re trying to go, and how you can help.
Jonathan Corbet
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...Anne Nicolas
Modern SoC designs incorporate technologies from numerous vendors, each with their own inconsistent, confusing, undocumented and even contradictory terminology. The result is a mess of acronyms and product names which have a surprising impact on the ability to develop reusable, modular code thanks to the nature of the underlying IP being obscured.
This presentation will dive into some of the misnomers plaguing the Arm ecosystem, with the aim of explaining why things are like they are, how they fit together under the architectural umbrella and how you, as a developer, can decipher the baffling ingredients list of your next SoC design!
Will Deacon
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary dataAnne Nicolas
GNU poke is a new interactive editor for binary data. Not limited to editing basic ntities such as bits and bytes, it provides a full-fledged procedural, interactive programming language designed to describe data structures and to operate on them. Once a user has defined a structure for binary data (usually matching some file format) she can search, inspect, create, shuffle and modify abstract entities such as ELF relocations, MP3 tags, DWARF expressions, partition table entries, and so on, with primitives resembling simple editing of bits and bytes. The program comes with a library of already written descriptions (or “pickles” in poke parlance) for many binary formats.
GNU poke is useful in many domains. It is very well suited to aid in the development of programs that operate on binary files, such as assemblers and linkers. This was in fact the primary inspiration that brought me to write it: easily injecting flaws into ELF files in order to reproduce toolchain bugs. Also, due to its flexibility, poke is also very useful for reverse engineering, where the real structure of the data being edited is discovered by experiment, interactively. It is also good for the fast development of prototypes for programs like linkers, compressors or filters, and it provides a convenient foundation to write other utilities such as diff and patch tools for binary files.
This talk (unlike Gaul) is divided into four parts. First I will introduce the program and show what it does: from simple bits/bytes editing to user-defined structures. Then I will show some of the internals, and how poke is implemented. The third block will cover the way of using Poke to describe user data, which is to say the art of writing “pickles”. The presentation ends with a status of the project, a call for hackers, and a hint at future works.
Jose E. Marchesi
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...Anne Nicolas
Operating system distributors often face challenges that are somewhat different from that of upstream kernel developers. For instance, some kernel updates often need to stay at least binary compatible with modules that might be “out of tree” for some time.
In that context, being able to automatically detect and analyze changes to the binary interface exposed by the kernel to its module does have some noticeable value.
The Libabigail framework is capable of analyzing ELF binaries along with their accompanying debug info in the DWARF format, detect and report changes in types, functions, variables and ELF symbols. It has historically supported that for user space shared libraries and application so we worked to make it understand the Linux kernel
binaries.
In this presentation, we are going to present the current support of ABI analysis for Linux Kernel binaries, the challenges we face, how we address them and the plans we have for the future.
Dodji Seketeli, Jessica Yu, Matthias Männich
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and BareboxAnne Nicolas
Different upgrade and update strategies exist when it comes to embedded Linux system. If at development time none of these strategies have been chosen, adding them afterwards can be tedious task.
Even harder it gets when the system is already deployed in the field and only accessible via a 3G connection.
This talk is a developer experience of putting in place exactly that. Giving a return of experience on one way of doing it on a system running Barebox and a Yocto-based distribution.
Patrick Boettcher
Embedded Recipes 2019 - Making embedded graphics less specialAnne Nicolas
Traditionally graphics drivers were one of the last hold-outs of proprietary software in an embedded Linux system. This situation is changing with open-source graphics drivers showing up for almost all of the graphics acceleration peripherals on the market right now. This talk will show how open-source graphics drivers are making embedded systems less special, as well as trying to provide an overview of the Linux graphics stack, de-mystifying what is often seen as black magic GPU stuff from outside observers.
Lucas Stach
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre SiliconAnne Nicolas
This talk will explore Open Source Hardware projects relevant to Linux, including boards like BeagleBone, Olimex OLinuXino, Giant board and more. Looking at the benefits and challenges of designing Open Source Hardware for a Linux system, along with BeagleBoard.org’s experience of working with community, manufacturers, and distributors to create an Open Source Hardware platform. In closing also looking at the future, Libre Silicon like RISC-V designs, and where this might take Linux.
Drew Fustini
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) pictureAnne Nicolas
The I2C subsystem is not the shiniest part of the Linux Kernel. For embedded devices, though, it is one of the many puzzle pieces which just have to work. Wolfram Sang has the experience of maintaining this subsystem for nearly 7 years now. This talk gives a short overview of how maintaining works in general and specifically in this subsystem. But mainly, it will highlight noteworthy points in the timeline and lessons learnt from that. It will present trends, not so much regarding I2C but more the Linux Kernel and the embedded ecosystem in general. And of course, there will be plenty of anecdotes and bits from behind the scenes for your entertainment.
Wolfram Sang
Embedded Recipes 2019 - Testing firmware the devops wayAnne Nicolas
ITRenew is selling recertified OCP servers under the Sesame brand, those servers come either with their original UEFI BIOS or with LinuxBoot. The LinuxBoot project is pushing the Linux kernel inside bios flash and using userland programs as bootloader.
To achieve quality on our software stack, as any project, we need to test it. Traditional BIOS are tested by hand, this is 2019 we need to do it automatically! We already presented the hardware setup behind the LinuxBoot CI, this talk will focus on the software.
We use u-root for our userland bootloader; this software is written in Go so we naturally choose to use Go for our testing too. We will present how we are using and extending the Go native test framework `go test` for testing embedded systems (serial console) and improving the report format for integration to a CI.
Julien Viard de Galbert
Embedded Recipes 2019 - Herd your socs become a matchmakerAnne Nicolas
About 60% of the Linux kernel source tree is devoted to drivers for a large variety of supported hardware components. Especially in the embedded world, the number of different SoC families, versions, and revisions, integrating a myriad of “IP cores”, keeps on growing.
In this presentation, Geert will explain how to match drivers against hardware, and how to support a wide variety of (dis)similar devices, without turning platform and driver code into an entangled bowl of spaghetti.tra
Starting with a brief history of driver matching in Linux, he will fast-forward to device-tree based matching. He will discuss ways to handle slight variations of the same hardware devices, and different SoC revisions, each with their own quirks and bugs. Finally, Geert will show best practices for evolving device drivers in a maintainable way, based on his experiences as an embedded Linux kernel developer and maintainer.
Geert Uytterhoeven
Embedded Recipes 2019 - LLVM / Clang integrationAnne Nicolas
Buildroot is a popular and easy to use embedded Linux build system. It generates, in few minutes, lightweight and customized Linux systems, including the cross-compilation toolchain, kernel and bootloader images, as well as a wide variety of userspace libraries and programs.
This talk is about the integration of LLVM/clang into Buildroot.
In 2018, Valentin Korenblit, supervised by Romain Naour, worked on this topic during his internship at Smile ECS. After a short introduction about llvm/clang and Buildroot, this talk will go through the numerous issues discovered while adding llvm/clang componants and how these issues were fixed. Romain will also detail the work in progress and the work to be done based on llvm/clang libraries (OpenCL, Compiler-rt, BCC. Chromium, ldd).
Romain Naour
Embedded Recipes 2019 - Introduction to JTAG debuggingAnne Nicolas
This talk introduces JTAG debugging capabilities, both for debugging hardware and software. Marek first explains what the JTAG stands for and explains the operation of the JTAG state machine. This is followed by an introduction to free software JTAG tools, OpenOCD and urJTAG. Marek shortly explains how to debug software using those tools and how that ties into the JTAG state machine. However, JTAG was designed for testing hardware. Marek explains what boundary scan testing (BST) is, what are BSDL files and their format, and practically demonstrates how to blink an LED using BST and only free software tools.
Marek Vasut
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimediaAnne Nicolas
PipeWire is an open source project that aims to greatly improve audio and video handling under Linux. Utilising a fresh design, it bridges use cases that have been previously addressed by different tools – or not addressed at all -, providing ground for building complex, yet secure and efficient, multimedia systems.
In this talk, Julien is going to present the PipeWire project and the concepts that make up its design. In addition, he is going to give an update of the current and future work going on around PipeWire, both upstream and in Automotive Grade Linux, an early adopter that Julien is actively working on.
Julian Bouzas
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all startedAnne Nicolas
Ftrace’s most powerful feature is the function tracer (and function graph tracer which is built from it). But to have this enabled on production systems, it had to have its overhead be negligible when disabled. As the function tracer uses gcc’s profiling mechanism, which adds a call to “mcount” (or more recently fentry, don’t worry if you don’t know what this is, it will all be explained) at the start of almost all functions, it had to do something about the overhead that causes. The solution was to turn those calls into “nops” (an instruction that the CPU simply ignores). But this was no easy feat. It took a lot to come up with a solution (and also turning a few network cards into bricks). This talk will explain the history of how ftrace came about implementing the function tracer, and brought with it the possibility of static branches and soon static calls!
Steven Rostedt
Kernel Recipes 2019 - Suricata and XDPAnne Nicolas
Suricata is a network threat detection engine using network packets capture to reconstruct the traffic till the application layer and find threats on the network using rules that define behavior to detect. This task is really CPU intensive and discarding non interesting traffic is a solution to enable a scaling of Suricata to 40gbps and other.
This talk will present the latest evolution of Suricata that knows uses eBPF and XDP to bypass traffic. Suricata 5.0 is supporting the hardware XDP to provide ypass with network card such as Netronome. It also takes advantage of pinned maps to get persistance of the bypassed flows. This talk will cover the different usage of XDP and eBPF in Suricata and shows how it impact performance and usability. If development time permit, the talk will also cover AF_XDP and the impact on this new capture method on Suricata.
Eric Leblond
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)Anne Nicolas
System memory configuration is a transparent operation nowadays, something that we all came to expect to just work out of the box. Still, it does happen behind the scenes every single time we boot our computers. This requires the cooperation of hardware components on the mainboard and on memory modules themselves, as well as firmware code to drive these. While it is possible to just let it happen, having a deeper understanding of how it works makes it possible to access valuable information from the operating system at run-time.
I will take you through the history of system memory configuration from the mid 70s to now. We will explore the different types of memory modules, how their configuration data is stored and how the firmware can access them. We will see which problems had to be solved along the way and how they were solved. Lastly we will see how Linux supports reading the memory configuration information and what you can do with that information.
Jean Delvare
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Kernel Recipes 2017 - The state of kernel self-protection - Kees Cook
1. Linux Kernel Self Protection Project
Kernel Recipes, Paris
September 28, 2017
Kees (“Case”) Cook
keescook@chromium.org
https://outflux.net/slides/2017/kr/kspp.pdf
2. Agenda
● Background
– “Security” in the context of this presentation
– Why we need to change what we’re doing
– Just fixing bugs isn’t sufficient
– Upstream development model
● Kernel Self Protection Project
– Who we are
– What we’re doing
– How you can help
● Challenges
3. Kernel Security
● More than access control (e.g. SELinux)
● More than attack surface reduction (e.g. seccomp)
● More than bug fixing (e.g. CVEs)
● More than protecting userspace
● More than kernel integrity
● This is about Kernel Self Protection
4. Devices using Linux
● Servers, laptops, cars, phones, …
● >2,000,000,000 active Android devices in 2017
● Vast majority are running v3.4 (with v3.10 slowly catching up)
● Bug lifetimes are even longer than upstream
● “Not our problem”? None of this matters: even if upstream fixes
every bug found, and the fixes are magically sent to devices,
bug lifetimes are still huge.
5. Upstream Bug Lifetime
● In 2010 Jon Corbet researched security flaws, and found that
the average time between introduction and fix was about 5
years.
● My analysis of Ubuntu CVE tracker for the kernel from 2011
through 2017:
– Critical: 3 @ 5.3 years
– High: 59 @ 6.4 years
– Medium: 534 @ 5.6 years
– Low: 273 @ 5.6 years
8. Upstream Bug Lifetime
● The risk is not theoretical. Attackers are watching commits, and
they are better at finding bugs than we are:
– http://seclists.org/fulldisclosure/2010/Sep/268
● Most attackers are not publicly boasting about when they found
their 0-day...
9. Fighting Bugs
● We’re finding them
– Static checkers: compilers, coccinelle, sparse, smatch, coverity
– Dynamic checkers: kernel, trinity, syzkaller, KASan-family
● We’re fixing them
– Ask Greg KH how many patches land in -stable
● They’ll always be around
– We keep writing them
– They exist whether we’re aware of them or not
– Whack-a-mole is not a solution
10. “If you are not using a stable /
longterm kernel, your machine is
insecure”
- Greg Kroah-Hartman
11. “If you are not using a stable /
longterm kernel, your machine is
insecure”
- Greg Kroah-Hartman
“Your machine is insecure”
- me
12. “If you are not using the latest
kernel, you don't have the most
recently added security defenses,
which, in the face of newly
exploited bugs, may render your
machine less secure than it could
have been”
- me
13. Analogy: 1960s Car Industry
● @mricon’s presentation at 2015 Linux Security Summit
– http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf
● Cars were designed to run, not to fail
● Linux now where the car industry was in 1960s
– https://www.youtube.com/watch?v=fPF4fBGNK0U
● We must handle failures (attacks) safely
– Userspace is becoming difficult to attack
– Containers paint a target on kernel
– Lives depend on Linux
14. Killing bugs is nice
● Some truth to security bugs being “just normal bugs”
● Your security bug may not be my security bug
● We have little idea which bugs attackers use
● Bug might be in out-of-tree code
– Un-upstreamed vendor drivers
– Not an excuse to claim “not our problem”
15. Killing bug classes is better
● If we can stop an entire kind of bug from happening, we
absolutely should do so!
● Those bugs never happen again
● Not even out-of-tree code can hit them
● But we’ll never kill all bug classes
16. Killing exploitation is best
● We will always have bugs
● We must stop their exploitation
● Eliminate exploitation targets and methods
● Eliminate information leaks
● Eliminate anything that assists attackers
● Even if it makes development more difficult
17. Typical Exploit Chains
● Modern attacks tend to use more than one flaw
● Need to know where targets are
● Need to inject (or build) malicious code
● Need to locate malicious code
● Need to redirect execution to malicious code
18. What can we do?
● Many exploit mitigation technologies already exist (e.g.
grsecurity/PaX) or have been researched (e.g. academic
whitepapers), but many haven't been in upstream Linux kernel
● There is demand for kernel self-protection, and there is demand
for it to exist in the upstream kernel
● http://www.washingtonpost.com/sf/business/2015/11/05/net-of-in
security-the-kernel-of-the-argument/
19. Out-of-tree defenses?
● Some downstream kernel forks:
– RedHat (ExecShield), Ubuntu (AppArmor), Android (Samsung KNOX), grsecurity (so many things)
● If you only use the kernel, and don't develop it, you're in a better position●
– But you're depending on a downstream fork
– Fewer eyeballs (and less automated testing
infrastructure) looking for vulnerabilities
– Developing the kernel means using engineering
resources for your fork
● e.g. Android deals with multiple vendor forks already
● Hard to integrate multiple forks
● Upstreaming means:
– No more forward-porting
– More review (never perfect, of course)
20. Digression 1: defending against email Spam
● Normal email server communication establishment:
Client Server
[connect]
[accept]220 smtp.some.domain ESMTP ok
EHLO my.domain
250 ohai
MAIL FROM:<me@my.domain>
250 OK
RCPT TO:<you@your.domain>
250 OK
DATA
21. Spam bot communication
● Success, and therefore timing, isn't important to Spam bots:
Client Server
[connect]
[accept]220 smtp.some.domain ESMTP ok
EHLO my.domain
MAIL FROM:<me@my.domain>
RCPT TO:<you@your.domain>
DATA
250 ohai
250 OK
250 OK
22. Trivially blocking Spam bots
● Insert a short starting delay
Client Server
[connect]
[accept]
EHLO my.domain
MAIL FROM:<me@my.domain>
RCPT TO:<you@your.domain>
DATA
554 smtp.some.domain ESMTP nope
23. Powerful because it's not the default
● If everyone did this (i.e. it was upstream), bots would adapt
● If a defense is unexamined and/or only run by a subset of Linux
users, it may be accidentally effective due to it being different,
but may fail under closer examination
●● Though, on the flip side,
heterogeneous environments
tend to be more resilient
24. Digression 2: Stack Clash research in 2017
● Underlying issues were identified in 2010
– Fundamentally, if an attacker can control the memory layout of a
setuid process, they may be able to manipulate it into colliding stack
with other things, and arranging related overflows to gain execution
control.
– Linux tried to fix it with a 4K gap
– grsecurity (from 2010 through at least their last public patch) took it
further with a configurable gap, defaulting to 64K
25. A gap was not enough
● In addition to raising the gap size, grsecurity sensibly capped
stack size of setuid processes, just in case:
do_execveat_common(...) {
...
/* limit suid stack to 8MB
* we saved the old limits above and will restore them if this exec fails */
if (((!uid_eq(bprm->cred->euid, current_euid())) ||
(!gid_eq(bprm->cred->egid, current_egid()))) &&
(old_rlim[RLIMIT_STACK].rlim_cur > (8 * 1024 * 1024)))
current->signal->rlim[RLIMIT_STACK].rlim_cur = 8 * 1024 * 1024;
...
26. Upstreaming the setuid stack size limit
● Landed in v4.14-rc1
● 15 patches
● Reviewed by at least 7 other people
● Made the kernel smaller
● Actually keeps the stack limited for setuid exec
16 files changed, 91 insertions(+), 159 deletions(-)
27. Important detail: threads
● Stack rlimit is a single value shared across entire thread-group
● Exec kills all other threads (part of the “point of no return”) as
late in exec as possible
● If you check or set rlimits before the point of no return, you're
racing other threads
Thread 1: while (1) setrlimit(...);
Thread 2: while (1) setrlimit(...);
Thread 3: exec(...);
signal
…
struct rlimit[RLIM_NLIMITS];
28. Un-upstreamed and unexamined for seven years
$ uname -r
4.9.24-grsec+
$ ulimit -s
unlimited
$ ls -la setuid-stack
-rwsrwxr-x 1 root root 9112 Aug 11 09:17 setuid-stack
$ ./setuid-stack
Stack limit: 8388608
$ ./raise-stack ./setuid-stack
Stack limit: 18446744073709551615
29. Out-of-tree defenses need to be upstreamed
● While the preceding example isn't universally true for all out-of-
tree defenses, it's a good example of why upstreaming is
important, and why sometimes what looks like a tiny change
turns into much more work.
● How do we get this done?
30. Kernel Self Protection Project
● http://www.openwall.com/lists/kernel-hardening/
– http://www.openwall.com/lists/kernel-hardening/2015/11/05/1
● http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
● People interested in coding, testing, documenting, and discussing
the upstreaming of kernel self protection technologies and related
topics.
31. Kernel Self Protection Project
● There are other people working on excellent technologies that
ultimately revolve around the kernel protecting userspace from
attack (e.g. brute force detection, SROP mitigations, etc)
● KSPP focuses on the kernel protecting the kernel from attack
● Currently ~12 organizations and ~10 individuals working on
about ~20 technologies
● Slow and steady
32. Developers under KSPP umbrella
● LF’s Core Infrastructure Initiative funded: Emese Revfy, with others pending
● Self-funded: Andy Lutomirski, Russell King, Valdis Kletnieks, Jason Cooper, Daniel Micay, David Windsor, Richard
Weinberger, Richard Fellner, Daniel Gruss, Jason A. Donenfeld, Sandy Harris, Alexander Popov
● ARM: Catalin Marinas, Mark Rutland
● Canonical: Juerg Haefliger
●
Cisco: Daniel Borkmann
●
Docker: Tycho Andersen
● Google: Kees Cook, Thomas Garnier, Daniel Cashman, Jeff Vander Stoep, Jann Horn, Eric Biggers
● Huawei: Li Kun
● IBM: Michael Ellerman, Heiko Carstens, Christian Borntraeger
● Imagination Technologies: Matt Redfearn
● Intel: Elena Reshetova, Hans Liljestrand, Casey Schaufler, Michael Leibowitz, Dave Hansen, Peter Zijlstra
● Linaro: Ard Biesheuvel, David Brown, Arnd Bergmann
●
Linux Foundation: Greg Kroah-Hartman
●
Oracle: James Morris, Quentin Casasnovas, Yinghai Lu
● RedHat: Laura Abbott, Rik van Riel, Jessica Yu, Baoquan He
33. Probabilistic protections
● Protections that derive their strength from some system state
being unknown to an attacker
● Weaker than “deterministic” protections since information
exposures can defeat them, though they still have real-world
value
● Familiar examples:
– stack protector (canary value can be exposed)
– Address Space Layout Randomization (offset can be exposed)
34. Deterministic protections
● Protections that derive their strength from organizational system
state that always blocks attackers
● Familiar examples:
– Read-only memory (writes will fail)
– Bounds-checking (large accesses fail)
36. Bug class: stack overflow and exhaustion
Exploit example:
– https://jon.oberheide.org/files/half-nelson.c
● Mitigations:
– stack canaries, e.g. gcc's -fstack-protector (v2.6.30) and -fstack-
protector-strong (v3.14)
– guard pages (e.g. GRKERNSEC_KSTACKOVERFLOW)
● vmap stack (v4.9 x86, v4.14 arm64), removal of thread_info from stack
(v4.9 x86, v4.10 arm64)
– alloca checking (e.g. PAX_MEMORY_STACKLEAK): Alexander Popov
– shadow stacks (e.g. Clang SafeStack)
37. Bug class: integer over/underflow
● Exploit examples:
– https://cyseclabs.com/page?n=02012016
– http://perception-point.io/2016/01/14/analysis-and-exploi
tation-of-a-linux-kernel-vulnerability-cve-2016-0728/
● Mitigations:
– check for atomic overflow (e.g. PAX_REFCOUNT)
● refcount_t: Elena Reshetova, David Windsor, Kees Cook, Ard Biesheuvel, Li
Kun
– compiler plugin to detect multiplication overflows at runtime (e.g.
PAX_SIZE_OVERFLOW)
38. Bug class: buffer overflows
● Exploit example:
– http://blog.includesecurity.com/2014/06/exploit-walkthrough-cve-2014-0196-pty-kernel-race-condition.html
● Mitigations:
– runtime validation of variable size vs copy_to_user / copy_from_user size (e.g. PAX_USERCOPY)
● CONFIG_HARDENED_USERCOPY (v4.8)
● Usercopy whitelisting: David Windsor, Kees Cook
● Usercopy slab segregation: David Windsor, Kees Cook
– metadata validation (e.g. glibc's heap protections)
● linked-list hardening (from grsecurity) CONFIG_DEBUG_LIST (v4.10)
● CONFIG_SLUB_HARDENED, heap freelist obfuscation (from grsecurity): Daniel Micay, Kees Cook
● Heap canaries: Daniel Micay
– FORTIFY_SOURCE (inspired by glibc), check buffer sizes of str*/mem* functions at compile- and run-time
● CONFIG_FORTIFY_SOURCE (v4.13)
● Intra-object checking: Daniel Micay
39. Bug class: format string injection
● Exploit example:
– http://www.openwall.com/lists/oss-security/2013/06/06/13
● Mitigations:
– Drop %n entirely (v3.13)
– detect non-const format strings at compile time (e.g. gcc's -Wformat-
security, or better plugin)
– detect non-const format strings at run time (e.g. memory location
checking done with glibc's -D_FORITY_SOURCE=2)
40. Bug class: kernel pointer leak
● Exploit examples:
– examples are legion: /proc (e.g. kallsyms, modules, slabinfo, iomem),
/sys, INET_DIAG (v4.1), etc
– http://vulnfactory.org/exploits/alpha-omega.c
● Mitigations:
– kptr_restrict sysctl (v2.6.38) too weak: requires dev opt-in
– remove visibility to kernel symbols (e.g. GRKERNSEC_HIDESYM)
– detect and block usage of %p or similar writes to seq_file or other
user buffers (e.g. GRKERNSEC_HIDESYM + PAX_USERCOPY)
41. Bug class: uninitialized variables
● This is not just an information leak!
● Exploit example:
– https://outflux.net/slides/2011/defcon/kernel-exploitation.pdf
● Mitigations:
– GCC plugin, stackleak: clear kernel stack between system calls (from
PAX_MEMORY_STACKLEAK): Alexander Popov
– GCC plugin, structleak: instrument compiler to fully initialize all
structures (from PAX_MEMORY_STRUCTLEAK): (__user v4.11,
by-reference v4.14)
42. Bug class: use-after-free
● Exploit example:
– http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-k
ernel-vulnerability-cve-2016-0728/
● Mitigations:
– clearing memory on free can stop attacks where there is no reallocation
control (e.g. PAX_MEMORY_SANITIZE)
● Zero poisoning (v4.6)
– segregating memory used by the kernel and by userspace can stop
attacks where this boundary is crossed (e.g. PAX_USERCOPY)
– randomizing heap allocations can frustrate the reallocation efforts the
attack needs to perform (e.g. OpenBSD malloc)
● Freelist randomization (SLAB: v4.7, SLUB: v4.8)
44. Exploitation: finding the kernel
● Exploit examples (see “Kernel pointer leaks” above too):
– https://github.com/jonoberheide/ksymhunter
● Mitigations:
– hide symbols and kernel pointers (see “Kernel pointer leaks”)
– kernel ASLR
●
text/modules base: x86 (v3.14), arm64 (v4.6), MIPS (v4.7), ARM: Ard Biesheuvel
●
memory: x86 (v4.8)
●
PIE: arm64 (v4.6), x86: Thomas Garnier
– runtime randomization of kernel functions
– executable-but-not-readable memory
●
x86 (v4.6), arm64 (v4.9)
– per-build structure layout randomization (e.g. GRKERNSEC_RANDSTRUCT)
●
manual (v4.13), automatic (v4.14)
45. Exploitation: direct kernel overwrite
● How is this still a problem in the 21st century?
● Exploit examples:
– Patch setuid to always succeed
– http://itszn.com/blog/?p=21 Overwrite vDSO
● Mitigations:
– Executable memory cannot be writable (CONFIG_STRICT_KERNEL_RWX)
● s390: forever ago
● x86: v3.18
● ARM: v3.19
● arm64: v4.0
46. Exploitation: function pointer overwrite
● Also includes things like vector tables, descriptor tables (which
can also be info leaks)
● Exploit examples:
– https://outflux.net/blog/archives/2010/10/19/cve-2010-2963-v4l-compat-e
xploit/
– https://blogs.oracle.com/ksplice/entry/anatomy_of_an_exploit_cve
● Mitigations:
– read-only function tables (e.g. PAX_CONSTIFY_PLUGIN)
– make sensitive targets that need one-time or occasional updates only
writable during updates (e.g. PAX_KERNEXEC):
● __ro_after_init (v4.6)
47. Exploitation: userspace execution
● Exploit example:
– See almost all previous examples
● Mitigations:
– hardware segmentation: SMEP (x86), PXN (ARM, arm64)
– emulated memory segmentation via page table swap, PCID, etc (e.g.
PAX_MEMORY_UDEREF):
● Domains (ARM: v4.3)
● TTBR0 (arm64: v4.10)
● PCID (x86): Andy Lutomirski
– compiler instrumentation to set high bit on function calls
53. Added in v4.12
● read-only and fixed-location GDT, x86
● usercopy consolidation
● read-only LSM structures
● KASLR enabled by default, x86
● stack canary expanded to bit-width of host
● stack/heap gap expanded
56. Challenge: Culture
● Conservatism
– 16 years to accept symlink restrictions upstream
● Responsibility
– Kernel developers must accept the need for these changes
● Sacrifice
– Kernel developers must accept the technical burden
● Patience
– Out-of-tree developers must understand how kernel is developed
57. Challenge: Technical
● Complexity
– Very few people are proficient at developing (much less debugging)
these features
● Innovation
– We must adapt the many existing solutions
– We must create new technologies
● Collaboration
– Explain rationale for new technologies
– Make code understandable/maintainable by other developers and
accessible across architectures