1. Memcached currently lacks security features such as access controls.
2. A centralized security server such as SELinux is preferable to having each application implement its own access controls.
3. A Memcached plugin called selinux_engine was created to apply SELinux mandatory access controls. It performs access checks through the libselinux API, which interfaces with SELinux and enforces the security policy. This provides centralized access control for Memcached in a way that is transparent to applications.
2. Self Introduction
▐ Name: KaiGai Kohei
▐ Company: NEC, OSS Promotion Center
▐ Works: 7 years of experience in OSS development
   » SELinux
   » PostgreSQL
   » Memcached
   » Apache (mod_selinux)
▐ Memcached - selinux engine
   A memcached plugin to apply mandatory access control according to the SELinux policy.
Page 2 LinuxCon Japan/Tokyo 2010 - Memcached getting secure
3. 1. Memcached and security
   » Background
   » Centralized security and SELinux
   2. Getting Memcached secure
   » Adjustment of security model
   » Engine framework performing with libselinux
   » The selinux_engine.so plugin
4. Recent web-system's architecture
[Diagram] End Users -> The Internet -> Web servers -> Web application, which is backed by two stores:
   » Key-Value store: fast, but poor functionality
   » RDBMS: slow, but rich functionality
5. What is Memcached
▐ Memcached
   » General-purpose, high-performance, distributed memory cache
   » Typically used as a back-end of high-traffic web systems
   » Much faster than an RDBMS, but with less functionality

                      PostgreSQL                         Memcached
   Client Interface   SQL                                memcached protocol
   Script support     OK                                 OK
   Schemed Data       good                               bad
   Data Integrity     good                               bad
   Performance        relatively worse                   good
   Scaling-out        not easy                           much easier
   Security           authentication & access controls   less features
6. Memcached from security perspective (1/2)
[Diagram] Web Server / Web Apps -> Memcached, with three safeguards: (1) Firewalling, always; (2) SASL auth, if needed; (3) Not run as root.
▐ We have few options to keep Memcached secure :-(
   » Should never allow connections from an external network
   » SASL authentication
   » Should never run as root
▐ Memcached Security; by Dustin Sallings
   http://dustin.github.com/2010/08/08/memcached-security.html
7. Memcached from security perspective (2/2)
[Diagram] Web Server / Web Apps ("Perhaps, vulnerable?") -> Memcached ("Any items accessible!")
▐ Our concern
   » No protection from internal threats
   » A buggy application turns an external threat into an internal threat.
   » It means all the applications must be FREE from BUGS and VULNERABILITIES!
8. Why server software applies access controls
▐ How reliable is the security feature?
   » Consistency and comprehensiveness
▐ Which is more preferable to apply access control?
   » If each application applies its own access control:
     some of them may not be right, some of them may check nothing...
   » Access control should be centralized.
[Diagram] Left: each of the Applications carries its own Access Control in front of its object. Right: a Server Application (Object Manager) performs Authentication and a single Access Control for every object.
9. More centralized access control (1/2)
[Diagram] Three object managers query one Security Server (SELinux with its Security Policy, in the Linux kernel):
   » PostgreSQL with SE-PgSQL: Schema and Table objects, accessed over SQL
   » Memcached with selinux_engine: Item objects, accessed over the memcached protocol
   » Filesystem: File objects, accessed via system call and checked through LSM
10. More centralized access control (2/2)
[Diagram: one SELinux security policy enforced by a centralized security server across the filesystem, networks, memcached and an RDBMS. The domain of classified processes and the domain of unclassified processes share inter-process communication channels, and the policy never allows a classified process to write an object that is readable by an unclassified process]
11. SELinux as a Security Server (1/3)
▐ Interactions with object managers
Kernel subsystems query SELinux via LSM.
Userspace applications query SELinux via libselinux.
Both enforce the user's request according to the returned decision.
▐ Security context as a common identifier
system_u:system_r:memcached_t:s0
system_u:object_r:var_log_t:s0
A short formatted string, independent of the object class.
▐ Security policy
A massive set of access control rules.
A rule describes the set of actions allowed on a pair of
the security context of the subject (the process performing the access) and
the security context of the object being accessed.
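The context format and rule shape described above, as an added example written for this page (not code from the slides or from libselinux): a parser that splits a security context into user, role, type and level, and a constructed type-enforcement table that answers which kv_item permissions a subject type holds on an object type. The rule table, the permission bits and the function names are assumptions; the real decision is computed by the kernel from the loaded policy.

```c
/* Added example (not from the slides or libselinux): split an SELinux
 * security context into its fields and look up allowed permissions in a
 * constructed type-enforcement table. The table, the kv_item permission
 * bits and all function names are assumptions made for this illustration;
 * the real decision comes from the kernel's loaded policy. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 64

/* Constructed permission bits of the hypothetical kv_item object class. */
#define KV_ITEM__READ   0x1u
#define KV_ITEM__WRITE  0x2u
#define KV_ITEM__CREATE 0x4u

struct secctx {
    char user[FIELD_MAX], role[FIELD_MAX], type[FIELD_MAX], level[FIELD_MAX];
};

/* Parse "user:role:type:level". The level may itself contain ':' (e.g. s0:c0.c3),
 * so only the first three separators are significant. Returns 0 or -1. */
int parse_context(const char *ctx, struct secctx *out)
{
    char *dst[3] = { out->user, out->role, out->type };

    for (int i = 0; i < 3; i++) {
        const char *sep = strchr(ctx, ':');
        size_t len;
        if (sep == NULL || sep == ctx)        /* missing or empty field */
            return -1;
        len = (size_t)(sep - ctx);
        if (len >= FIELD_MAX)
            return -1;
        memcpy(dst[i], ctx, len);
        dst[i][len] = '\0';
        ctx = sep + 1;
    }
    if (*ctx == '\0' || strlen(ctx) >= FIELD_MAX)   /* level must be present */
        return -1;
    strcpy(out->level, ctx);
    return 0;
}

/* Constructed rules in the shape "allow <stype> <ttype>:<class> { perms }". */
struct allow_rule { const char *stype, *ttype, *tclass; uint32_t perms; };

static const struct allow_rule rules[] = {
    { "user_t",  "user_item_t",      "kv_item", KV_ITEM__READ | KV_ITEM__WRITE | KV_ITEM__CREATE },
    { "user_t",  "system_ro_item_t", "kv_item", KV_ITEM__READ },
    { "staff_t", "user_item_t",      "kv_item", KV_ITEM__READ | KV_ITEM__WRITE | KV_ITEM__CREATE },
    { "staff_t", "system_ro_item_t", "kv_item", KV_ITEM__READ },
};

/* Union of the permissions granted by every matching rule; 0 (deny all) when
 * nothing matches or a context is malformed. Only the type field is consulted,
 * as in plain type enforcement; user, role and MLS constraints are ignored here. */
uint32_t compute_allowed(const char *scon, const char *tcon, const char *tclass)
{
    struct secctx s, t;
    uint32_t allowed = 0;

    if (parse_context(scon, &s) != 0 || parse_context(tcon, &t) != 0)
        return 0;
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (strcmp(rules[i].stype, s.type) == 0 &&
            strcmp(rules[i].ttype, t.type) == 0 &&
            strcmp(rules[i].tclass, tclass) == 0)
            allowed |= rules[i].perms;
    return allowed;
}

int main(void)
{
    const char *scon = "user_u:user_r:user_t:s0";
    const char *ro   = "system_u:object_r:system_ro_item_t:s0";
    uint32_t av = compute_allowed(scon, ro, "kv_item");
    printf("%s -> %s: read=%d write=%d create=%d\n", scon, ro,
           !!(av & KV_ITEM__READ), !!(av & KV_ITEM__WRITE), !!(av & KV_ITEM__CREATE));
    return 0;
}
```

A malformed context is treated as a denial rather than an error the caller might ignore; that is the safe default for an object manager, since an unparseable label means the request cannot be matched against any rule.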
12. SELinux as a Security Server (2/3)
▐ Case of Linux Kernel
[Diagram: user process A (staff_u:staff_r:staff_t:s0) and user process B (user_u:user_r:user_t:s0) issue read(2) and write(2) on file X (system_u:object_r:etc_t:s0) and file Y (user_u:object_r:user_home_t:s0). VFS queries SELinux through LSM with the subject context, the object context and target class file, and the security policy answers with the allowed vector file:{getattr read write ...}]
13. SELinux as a Security Server (3/3)
▐ Case of Memcached
[Diagram: user process A (staff_u:staff_r:staff_t:s0) and user process B (user_u:user_r:user_t:s0) issue SET and GET on item X (user_u:object_r:user_item_t:s0) and item Y (system_u:object_r:system_ro_item_t:s0). The protocol parser hands the request to selinux_engine.so, which queries SELinux through libselinux with the subject context, the object context and target class kv_item, and the security policy answers with the allowed vector kv_item:{read write ...}]
14. 1. Memcached and security
Background
Centralized security and SELinux
2. Getting Memcached secure
Adjustment of security model
Engine framework performing with libselinux
The selinux_engine.so plugin
15. Needed features to be enhanced
▐ Memcached needs to be enhanced with
1. A facility to retrieve the security context of the client process
2. A facility to assign a security context to each key/value item
3. A facility to ask SELinux for its access control decision
[Diagram: web applications running as system_u:system_r:user_webapp_t:s0 and system_u:system_r:guest_webapp_t:s0 reach items labeled system_u:object_r:memcached_item_t:s0 through the protocol parser and the engine module, which queries SELinux and its security policy for a decision]
16. Security context of the clients
▐ getpeercon(int sockfd, security_context_t *con)
Retrieves the security context of the client process
that connected to the server through sockfd.
For a UNIX domain socket, no configuration is necessary.
For a TCP/IP socket, labeled IPsec must also be set up.
▐ Labeled IPsec
Uses an enhanced version of the key-exchange daemon
that transfers the peer's security context during IKE exchanges.
getpeercon(3) retrieves the delivered context.
For more details:
Introduction to Labeled Networking on Linux (Paul Moore, HP)
http://www.linuxfoundation.jp/jp_uploads/seminar20080709/paul_moore-r1.pdf
17. Security context of key/value item
[Diagram: three layouts side by side]
hash_item (original): uint32_t nbytes; uint16_t nkey; uint16_t iflag; key of item; value of item
mchunk_t.item (revised): uint16_t flags; uint16_t keylen; uint32_t datalen; uint32_t secid; key of item; value of item
mchunk_t.label: uint32_t secid; uint32_t refcount; security context in text form
▐ SELinux needs each key-value item to be labeled
But the original hash_item is not designed to store a security context.
▐ Revised data format that lets an item point to a security context
A large number of objects tends to share a small number of security contexts
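The secid indirection described above, as an added example written for this page (not the selinux_engine.so source): a label table that interns security context strings so that each key/value item carries only a 32-bit secid, with a refcount per shared label as in the mchunk_t.label layout. The struct and function names are assumptions; the real engine keeps its labels in its own chunk format.

```c
/* Added example (not the selinux_engine.so source): a label table that interns
 * security context strings so that each key/value item carries only a 32-bit
 * secid, in the spirit of the revised mchunk_t layout on this slide. Struct and
 * function names are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_LABELS 64
#define CTX_MAX    128

/* One shared label, as in mchunk_t.label: the secid is its index in the table. */
struct label {
    uint32_t refcount;       /* how many items currently point at this label */
    char     ctx[CTX_MAX];   /* security context in text form */
};

struct label_table {
    struct label labels[MAX_LABELS];
    uint32_t     count;      /* slot 0 is reserved for "unlabeled" */
};

/* Item header in the spirit of mchunk_t.item: no context text, only a secid. */
struct kv_item {
    uint16_t    keylen;
    uint32_t    datalen;
    uint32_t    secid;
    const char *key;
    const char *data;
};

void label_table_init(struct label_table *t)
{
    memset(t, 0, sizeof *t);
    t->count = 1;            /* keep secid 0 free to mean "no label" */
}

/* Return the secid of ctx, adding a label when it is seen for the first time.
 * Returns 0 if the table is full or the context is too long. */
uint32_t label_intern(struct label_table *t, const char *ctx)
{
    for (uint32_t i = 1; i < t->count; i++)
        if (strcmp(t->labels[i].ctx, ctx) == 0) {
            t->labels[i].refcount++;
            return i;
        }
    if (t->count >= MAX_LABELS || strlen(ctx) >= CTX_MAX)
        return 0;
    strcpy(t->labels[t->count].ctx, ctx);
    t->labels[t->count].refcount = 1;
    return t->count++;
}

/* Context text behind a secid, or NULL for an unknown/unlabeled id. */
const char *label_context(const struct label_table *t, uint32_t secid)
{
    return (secid > 0 && secid < t->count) ? t->labels[secid].ctx : NULL;
}

uint32_t label_refcount(const struct label_table *t, uint32_t secid)
{
    return (secid > 0 && secid < t->count) ? t->labels[secid].refcount : 0;
}

uint32_t label_count(const struct label_table *t) { return t->count - 1; }

/* Store one item under ctx; returns its secid (0 means labeling failed). */
uint32_t item_store(struct label_table *t, struct kv_item *it,
                    const char *key, const char *data, const char *ctx)
{
    it->key = key;    it->keylen  = (uint16_t)strlen(key);
    it->data = data;  it->datalen = (uint32_t)strlen(data);
    it->secid = label_intern(t, ctx);
    return it->secid;
}

/* Label n items alternating between two constructed contexts and report how
 * many distinct labels the table ends up holding (2 for any n >= 2). */
uint32_t demo_shared_labels(uint32_t n)
{
    static const char *ctxs[2] = { "user_u:object_r:user_item_t:s0",
                                   "system_u:object_r:system_ro_item_t:s0" };
    struct label_table t;
    struct kv_item it;
    label_table_init(&t);
    for (uint32_t i = 0; i < n; i++)
        item_store(&t, &it, "key", "value", ctxs[i % 2]);
    return label_count(&t);
}

int main(void)
{
    printf("1000 items share %u labels\n", demo_shared_labels(1000));
    return 0;
}
```

Because the access decision depends only on the pair of contexts, an engine keyed on secids can also cache decisions per (client context, secid) pair instead of per item, which is what makes the later userspace AVC effective.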
18. memcached - storage engine interface (1/2)
▐ What is the storage engine interface?
An upcoming feature in memcached v1.6.x
It allows a plugin to provide its own mechanism for managing key/value pairs.
A well-designed protocol between the core and the engine plugin.
• Some plugins may provide persistent storage support.
• Some plugins may provide access control.
[Diagram: the memcached protocol parser talks to storage engine plugins (an xxx plugin, the selinux plugin, ...) through the storage engine interface; the selinux plugin additionally queries SELinux]
19. memcached - storage engine interface (2/2)
typedef struct engine_interface_v1 {
    /* ... */
    /**
     * Retrieve an item.
     *
     * @param handle the engine handle
     * @param cookie The cookie provided by the frontend
     * @param item output variable that will receive the located item
     * @param key the key to look up
     * @param nkey the length of the key
     * @param vbucket the virtual bucket id
     *
     * @return ENGINE_SUCCESS if all goes well
     */
    ENGINE_ERROR_CODE (*get)(ENGINE_HANDLE* handle,
                             const void* cookie,
                             item** item,
                             const void* key,
                             const int nkey,
                             uint16_t vbucket);
    /* ... */
}
20. Flow-chart in GET command
[Flow-chart of the GET command, from the client application through Memcached to the kernel:
1. The client application sends GET xxx; the protocol parser calls selinux_get() through the storage engine interface.
2. Item exists? If no, return ENGINE_KEY_ENOENT.
3. security_compute_av() asks SELinux (the security policy in the kernel) for a decision via /selinux/access.
4. Allowed? If no, return ENGINE_EACCESS.
5. Otherwise return the item with ENGINE_SUCCESS.]
21. selinuxfs and libselinux (1/2)
[kaigai@saba ~]$ ls /selinux
access context load reject_unknown
avc/ create member relabel
booleans/ deny_unknown mls status
checkreqprot disable null user
class/ enforce policy_capabilities/
commit_pending_bools initial_contexts/ policyvers
▐ selinuxfs
A pseudo filesystem that serves as the interface for applications
E.g., writing to and then reading from /selinux/access
asks SELinux for its access control decision
▐ libselinux
A set of wrapper functions for selinuxfs and the configuration files.
E.g., security_getenforce() reads /selinux/enforce
Userspace access vector cache
22. selinuxfs and libselinux (2/2)
extern int security_compute_av(const security_context_t scon,
                               const security_context_t tcon,
                               security_class_t tclass,
                               access_vector_t required,
                               struct av_decision *avd);
(avd contains the bitmask of allowed permissions.)
▐ security_compute_av
scon ... security context of the user process
tcon ... security context of the item to be referenced
tclass ... code of the object class
required ... an obsolete argument
avd ... the result is stored in this structure
It writes scon, tcon and tclass to /selinux/access,
then SELinux returns the actions allowed on that pair.
23. Flow-chart in ADD command
[Flow-chart of the ADD command, from the client application through Memcached to the kernel:
1. The client application sends ADD xxx; the protocol parser calls selinux_allocate() through the storage engine interface.
2. security_compute_create() obtains the default context for the new item via /selinux/create, and a new item is created with that security context.
3. selinux_store() with OPERATION_ADD calls security_compute_av(), which asks the security policy via /selinux/access.
4. Allowed? If no, return ENGINE_EACCESS.
5. Otherwise link the new item into the btree index and return ENGINE_SUCCESS.]
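The GET flow of slide 20 and the ADD flow above, as one added example written for this page (not the selinux_engine.so source), with get()/add()-style callbacks in the shape of the engine interface on slide 19. Every SELinux interaction is a constructed stand-in: stub_compute_av() plays security_compute_av() from slide 22, stub_compute_create() plays security_compute_create(), and the client context is passed in directly where the real engine would obtain it with getpeercon(3). The return codes, the policy table, the permission bits and the in-memory store are assumptions.

```c
/* Added example (not the selinux_engine.so source): the GET and ADD decision
 * flows with constructed stand-ins for every SELinux call. The return codes,
 * the policy table and the item store are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed return codes; the real engine interface defines its own numbering. */
enum engine_rc { ENGINE_SUCCESS, ENGINE_KEY_ENOENT, ENGINE_NOT_STORED,
                 ENGINE_EACCESS, ENGINE_ENOMEM, ENGINE_E2BIG };

/* Constructed permission bits of the kv_item class. */
#define KV_ITEM__READ   0x1u
#define KV_ITEM__WRITE  0x2u
#define KV_ITEM__CREATE 0x4u

#define MAX_ITEMS 16
struct kv_item { int used; char key[32]; char value[64]; char tcon[64]; };
static struct kv_item store[MAX_ITEMS];   /* stands in for the B+tree index */

/* Constructed policy: permissions of a subject context on an item label. */
struct rule { const char *scon, *tcon; uint32_t allowed; };
static const struct rule policy[] = {
    { "user_u:user_r:user_t:s0",          "user_u:object_r:user_item_t:s0",        KV_ITEM__READ | KV_ITEM__WRITE | KV_ITEM__CREATE },
    { "user_u:user_r:user_t:s0",          "system_u:object_r:system_ro_item_t:s0", KV_ITEM__READ },
    { "system_u:system_r:memcached_t:s0", "system_u:object_r:system_ro_item_t:s0", KV_ITEM__READ | KV_ITEM__WRITE | KV_ITEM__CREATE },
};

/* Stand-in for security_compute_av(): union of matching rules, 0 (deny all) if none. */
static uint32_t stub_compute_av(const char *scon, const char *tcon)
{
    uint32_t allowed = 0;
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (strcmp(policy[i].scon, scon) == 0 && strcmp(policy[i].tcon, tcon) == 0)
            allowed |= policy[i].allowed;
    return allowed;
}

/* Stand-in for security_compute_create(): default label of an item created by scon. */
static const char *stub_compute_create(const char *scon)
{
    return strncmp(scon, "system_u:", 9) == 0 ? "system_u:object_r:system_ro_item_t:s0"
                                              : "user_u:object_r:user_item_t:s0";
}

static struct kv_item *find_item(const char *key)
{
    for (int i = 0; i < MAX_ITEMS; i++)
        if (store[i].used && strcmp(store[i].key, key) == 0)
            return &store[i];
    return NULL;
}

/* GET flow: item exists? -> read allowed? -> return the item. */
int selinux_get(const char *scon, const char *key, const char **value_out)
{
    struct kv_item *it = find_item(key);
    if (it == NULL)
        return ENGINE_KEY_ENOENT;
    if (!(stub_compute_av(scon, it->tcon) & KV_ITEM__READ))
        return ENGINE_EACCESS;            /* denied: the value never leaves the engine */
    *value_out = it->value;
    return ENGINE_SUCCESS;
}

/* ADD flow: label the new item with its default context, check create, then link it. */
int selinux_add(const char *scon, const char *key, const char *value)
{
    const char *tcon = stub_compute_create(scon);
    struct kv_item *slot = NULL;

    if (strlen(key) >= sizeof store[0].key || strlen(value) >= sizeof store[0].value)
        return ENGINE_E2BIG;
    if (find_item(key) != NULL)
        return ENGINE_NOT_STORED;         /* ADD never replaces an existing key */
    if (!(stub_compute_av(scon, tcon) & KV_ITEM__CREATE))
        return ENGINE_EACCESS;            /* denied before anything is linked */
    for (int i = 0; i < MAX_ITEMS && slot == NULL; i++)
        if (!store[i].used)
            slot = &store[i];
    if (slot == NULL)
        return ENGINE_ENOMEM;
    strcpy(slot->key, key);
    strcpy(slot->value, value);
    strcpy(slot->tcon, tcon);             /* both constructed labels fit in 64 bytes */
    slot->used = 1;                       /* "link the new item to the index" */
    return ENGINE_SUCCESS;
}

/* Label currently attached to key, or NULL if absent. */
const char *item_context(const char *key)
{
    struct kv_item *it = find_item(key);
    return it ? it->tcon : NULL;
}

int main(void)
{
    const char *v = NULL;
    selinux_add("user_u:user_r:user_t:s0", "session:42", "alice");
    printf("guest GET -> rc %d\n",
           selinux_get("system_u:system_r:guest_webapp_t:s0", "session:42", &v));
    return 0;
}
```

The order of checks in selinux_add mirrors the flow-chart: the item is labeled before the create permission is evaluated, so the decision is made on the label the item will actually carry, and nothing is linked into the index until the policy has allowed it.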
24. Memcached - selinux engine
▐ To obtain the source code
git clone git://github.com/trondn/memcached.git -b engine
svn co http://sepgsql.googlecode.com/svn/trunk/memcached
▐ Features
Mandatory access control with SELinux policy
Using B+tree index
Persistent storage support
▐ Future works
Waiting for Memcached v1.6.x release :-)
Pushing the package to Fedora project
Scalability improvement
Comprehensive statistical information
Documentation
25. Userspace access vector cache (avc)
▐ security_compute_xxx() always invokes a system call
The AVC caches recently used access control decisions.
[Flow-chart of avc_has_perms():
1. A query arrives; validate the userspace cache against selinux_kernel_status, which is mmap(2)'d from /selinux/status. If it is invalid, reset the avc cache.
2. Look up an avc entry in the cache (a memory reference). If found, return the decision.
3. If not found, check access permissions with a system call (/selinux/access or /selinux/create) against the security policy in SELinux, make an avc entry, and return the decision.
Heuristically, the cache hit rate is over 99.9%.]
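The cache validation step described above, as an added example written for this page (not libselinux's AVC): a minimal userspace access vector cache whose entries are served from memory until the kernel's status sequence changes, at which point the whole cache is reset. The kernel side is a constructed stand-in: kernel_compute_av() plays the system-call path of security_compute_av() through /selinux/access, and kernel_status_seqno plays the sequence number that libselinux reads from the mmap(2)'d /selinux/status page. Names, the class code and the stub policy are assumptions.

```c
/* Added example (not libselinux's AVC): a minimal userspace access vector
 * cache with the validation step that keeps it coherent with the kernel.
 * The kernel side is a constructed stand-in. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AVC_SLOTS     64
#define CTX_MAX       64
#define KV_ITEM_CLASS 1u   /* constructed object class code */

struct avc_entry {
    int      valid;
    uint16_t tclass;
    uint32_t allowed;
    char     scon[CTX_MAX], tcon[CTX_MAX];
};

static struct avc_entry avc[AVC_SLOTS];
static unsigned long avc_seqno;            /* status sequence the cache was filled under */
static unsigned long kernel_status_seqno;  /* stand-in for /selinux/status */
static unsigned long kernel_calls;         /* how often the slow path ran */

/* Stand-in kernel decision: user_t may read and write user_item_t; all else denied. */
static uint32_t kernel_compute_av(const char *scon, const char *tcon, uint16_t tclass)
{
    kernel_calls++;
    if (tclass == KV_ITEM_CLASS && strstr(scon, ":user_t:") && strstr(tcon, ":user_item_t:"))
        return 0x3u;                       /* read | write */
    return 0;
}

/* A policy reload or boolean change advances the kernel status sequence. */
void kernel_policy_changed(void) { kernel_status_seqno++; }

/* FNV-1a over both contexts and the class picks the cache slot. */
static unsigned slot_of(const char *scon, const char *tcon, uint16_t tclass)
{
    uint32_t h = 2166136261u;
    for (const char *p = scon; *p; p++) h = (h ^ (uint8_t)*p) * 16777619u;
    for (const char *p = tcon; *p; p++) h = (h ^ (uint8_t)*p) * 16777619u;
    h = (h ^ tclass) * 16777619u;
    return h % AVC_SLOTS;
}

/* Allowed-permission bitmask for (scon, tcon, tclass), served from the cache
 * whenever the cached decision is still valid. */
uint32_t avc_allowed(const char *scon, const char *tcon, uint16_t tclass)
{
    struct avc_entry *e;

    if (avc_seqno != kernel_status_seqno) {        /* validation check of the userspace cache */
        memset(avc, 0, sizeof avc);                /* invalid: reset the avc cache */
        avc_seqno = kernel_status_seqno;
    }
    e = &avc[slot_of(scon, tcon, tclass)];
    if (e->valid && e->tclass == tclass &&
        strcmp(e->scon, scon) == 0 && strcmp(e->tcon, tcon) == 0)
        return e->allowed;                         /* found: a memory reference only */
    if (strlen(scon) >= CTX_MAX || strlen(tcon) >= CTX_MAX)
        return kernel_compute_av(scon, tcon, tclass);   /* too long to cache: always ask */
    e->allowed = kernel_compute_av(scon, tcon, tclass); /* not found: system call */
    strcpy(e->scon, scon);
    strcpy(e->tcon, tcon);
    e->tclass = tclass;
    e->valid = 1;
    return e->allowed;
}

unsigned long avc_kernel_calls(void) { return kernel_calls; }

/* Repeat one query n times and return how many of them reached the kernel. */
unsigned long avc_repeat(const char *scon, const char *tcon, uint16_t tclass, unsigned n)
{
    unsigned long before = kernel_calls;
    for (unsigned i = 0; i < n; i++)
        avc_allowed(scon, tcon, tclass);
    return kernel_calls - before;
}

int main(void)
{
    unsigned long slow = avc_repeat("user_u:user_r:user_t:s0",
                                    "user_u:object_r:user_item_t:s0", KV_ITEM_CLASS, 100000);
    printf("100000 queries, %lu kernel round trips\n", slow);
    return 0;
}
```

Resetting the entire cache on a sequence change is deliberately coarse: a policy reload or boolean change can flip any decision, so a stale entry must never be served, and a full reset costs only one extra slow path per distinct (scon, tcon, tclass) triple afterwards.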
26. Benchmark
[Bar chart: number of commands in 30 sec, default vs. selinux, under IPsec(ESP), IPsec(AH) and No IPsec; axis from 0 to 300000; labeled values 191,409 and 251,485]
▐ Iteration of a GET/SET mixture, 8-thread client, 4-core server x 2, Gb-ether
▐ Less significant differences within the same network environment
default = no access control, selinux = mandatory access control
▐ Penalties in IPsec(AH) communication (~20%?)
27. Summary
▐ Why object managers apply access controls
Access control should be centralized
• Consistency
• Coverage
A server is better than the applications; the kernel is better than the servers.
▐ SELinux as a Security Server
SELinux returns its access control decision,
then the object manager controls accesses according to that decision.
Both the user and the data object need to be identified by a security context.
▐ Using libselinux
libselinux encapsulates raw accesses to selinuxfs.
The userspace access vector cache reduces the number of kernel invocations.