The report presents a technology for virtual security modules that relies on Linux containers. It should be of interest to those who are planning to use (or already use) cloud services to build their IT infrastructure.
Virtual-HSM: Virtualization of Hardware Security Modules in Linux Containers
1. Technology for virtualizing hardware security modules in Linux containers
Kirill Krinkin,
Dmitry Kartashov
Academic University of the Russian Academy of Sciences
Parallels Laboratory
Saint Petersburg
5. What is an HSM
Hardware Security Module: a physical device for managing digital keys and performing cryptographic functions.
Properties:
● physical (hardware) isolation;
● no interface that gives access to its memory;
● tamper protection.
6. PKCS#11 (Cryptoki)
PKCS = Public-Key Cryptography Standards
PKCS#11 is a platform-independent API for cryptographic tokens:
● HSMs
● smart cards
7. Containers in Linux
Containers are built from:
– namespaces (ipc, pid, network, user, ...)
– AppArmor and SELinux
– chroots
– cgroups
8. Project idea
● Hardware HSMs are proven protection devices, but they are expensive;
● Linux containers are reliable and hardened environments;
● implementing HSM functions inside a container is a compromise between security and functionality.
10. Software solutions and their problems
Existing software solutions:
● OpenDNSSEC SoftHSM
● Elliptic Ellipsys-VSM
● Trusted Virtual Security Module
● HighCloud Data Security Module
Their problems:
● no memory isolation;
● non-standard API;
● TCP/IP as the transport;
● use of full-weight virtual machines.
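Slides 6, 8 and 10 together describe what a software HSM has to preserve: a narrow, standard-looking API (the PKCS#11 model of opaque object handles and sign/verify mechanisms), key memory that no caller can read, and a transport that is not TCP/IP. The following added example (written for this page; it is not the Virtual-HSM project's code and does not implement PKCS#11) shows that shape in a stand-alone Python service: key bytes exist only in one process, clients hold opaque handles, the only operations are generate, sign and verify, and the service listens on a Unix-domain socket restricted to its own uid. HMAC-SHA256, the newline-delimited JSON messages and the operation names are assumptions made for the illustration.

```python
"""Minimal 'virtual HSM' service: keys stay inside one process; clients get opaque handles
and a sign/verify-only API over a Unix-domain socket.  Illustrative code, not the
Virtual-HSM project's; HMAC-SHA256 stands in for a real HSM mechanism."""
import hashlib
import hmac
import json
import os
import socket
import tempfile
import threading

class KeyStore:
    def __init__(self):
        self._keys, self._lock = {}, threading.Lock()  # raw key bytes never leave this object

    def generate(self):
        handle = os.urandom(8).hex()  # opaque, like a PKCS#11 object handle
        with self._lock:
            self._keys[handle] = os.urandom(32)
        return handle

    def sign(self, handle, data):
        with self._lock:
            key = self._keys[handle]  # KeyError for an unknown handle
        return hmac.new(key, data, hashlib.sha256).hexdigest()

    def verify(self, handle, data, mac):
        return hmac.compare_digest(self.sign(handle, data), mac)

def handle_request(store, req):
    """Dispatch one request; every failure becomes an error reply, not a crash."""
    try:
        op = req.get("op")
        if op == "generate":
            return {"ok": True, "handle": store.generate()}
        if op == "sign":
            return {"ok": True, "mac": store.sign(req["handle"], bytes.fromhex(req["data"]))}
        if op == "verify":
            return {"ok": True, "valid": store.verify(req["handle"], bytes.fromhex(req["data"]), req["mac"])}
        # "export" or anything else: the API has no path that reveals key bytes.
        return {"ok": False, "error": "unsupported operation: %r" % op}
    except (KeyError, ValueError, TypeError, AttributeError) as exc:
        return {"ok": False, "error": "bad request: %r" % exc}

def _send(conn, obj):
    conn.sendall(json.dumps(obj).encode() + b"\n")  # assumed wire format: one JSON object per line

def _recv(stream):
    line = stream.readline()
    return json.loads(line) if line else None

def serve(sock_path, store, ready):
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    os.chmod(sock_path, 0o600)  # local transport, reachable by this uid only; no TCP/IP
    srv.listen(4)
    ready.set()
    while True:
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as stream:
            req = _recv(stream)
            while req is not None:
                _send(conn, handle_request(store, req))
                req = _recv(stream)

def start_server(sock_path):
    ready = threading.Event()
    threading.Thread(target=serve, args=(sock_path, KeyStore(), ready), daemon=True).start()
    ready.wait(5)

def call(sock_path, **req):
    """Client side: one request per connection; an error reply raises."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        _send(s, req)
        resp = _recv(s.makefile("rb"))
    if not resp or not resp["ok"]:
        raise RuntimeError(resp["error"] if resp else "connection closed")
    return resp

def demo():
    """Start the service and report what a client can and cannot do."""
    sock_path = os.path.join(tempfile.mkdtemp(), "vhsm.sock")
    start_server(sock_path)
    handle = call(sock_path, op="generate")["handle"]
    msg = b"constructed sample message"  # constructed input
    mac = call(sock_path, op="sign", handle=handle, data=msg.hex())["mac"]
    def refused(**req):
        try:
            call(sock_path, **req)
            return False
        except RuntimeError:
            return True
    return {
        "valid": call(sock_path, op="verify", handle=handle, data=msg.hex(), mac=mac)["valid"],
        "tampered": call(sock_path, op="verify", handle=handle, data=(msg + b"!").hex(), mac=mac)["valid"],
        "mac_len": len(bytes.fromhex(mac)),  # a digest crosses the socket, never the key
        "export_refused": refused(op="export", handle=handle),
        "unknown_handle_refused": refused(op="sign", handle="0000", data="00"),
    }
```

demo() starts the service in a background thread and returns what a client observes: a valid MAC verifies, a tampered message does not, and an export request or an unknown handle is answered with an error reply rather than a crash or key material. What this process cannot give is the hardware isolation of slide 5: it shares a kernel with its neighbours, so the container boundary around it is exactly the compromise slide 8 describes.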