Bridging the Semantic Gap in Virtualized Environment (Andy Lee)
The document describes a project to bridge the semantic gap in virtualized environments. It aims to generate a complete view of a guest VM by connecting the Volatility memory forensics framework to QEMU, so that Volatility plugins can be used to monitor the guest OS live without modifying the guest. It implements a QEMU monitor command that dumps VM memory and runs Volatility commands against it. Performance evaluation and malware analysis demonstrations are provided. The open problem of interpreting low-level VM state (raw memory and registers) as high-level guest OS semantic information (processes, modules, sockets) is discussed.
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats (James Morris)
Unix was not designed with security primarily in mind. It was initially developed in the late 1960s -- before the Internet was invented. While relatively simple, the Unix security model is inadequate for protecting against common security threats. Its designers identified fundamental design flaws over thirty years ago. As Linux is modeled on Unix, it inherits this traditional Unix security model. Meeting modern security requirements has required significant enhancements to Linux, which are ongoing, but well-advanced. While many new security ideas have emerged, Linux developers have necessarily been constrained by decades of operating system standards and conventions. Aimed at admins, developers and technical managers, the talk will cover:
* The historical context of Linux security
* Modern security OS requirements
* How these requirements are being addressed (or not) by various enhancements made to Linux security
* Areas of ongoing and future work. We'll also consider how FOSS culture contributes to security.
XPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGIC (The Linux Foundation)
Data breaches are all over the news these days, and no organization is safe. Nobody, from the largest governments to the biggest banks to the most advanced security companies, is able to adequately protect themselves. The difficulty is that there is an effectively unlimited number of ways to exfiltrate data from an organization, ranging from stolen or lost hardware to steganography to malicious insiders to 0day exploits installing malware to side channels. The industry is trying to solve this problem using detection, heuristics, pattern matching and behavioral analysis. A new approach is clearly needed to fight the data breach problem and keep data inside an organization.
Come find out how to use hypervisors to repurpose hardware to protect sensitive data under the assumption of compromised networks, devices and users (malicious insiders). In addition, find out how to do so without using any type of detection, heuristics, pattern matching or behavioral analysis, but rather a strictly algorithmic approach rooted in hardware. Finally, learn how this technology can be used in a generic manner to protect the data of databases, server software, unmodified legacy applications, and unmodified consumer applications such as word processing and spreadsheet software.
Linux Kernel Security Overview - KCA 2009 (James Morris)
Overview of Linux Kernel Security presented at Kernel Conference Australia 2009, in Brisbane, QLD.
Provides historical context of Linux kernel security features and discusses their ongoing development in reference to the NSA's 1998 secure OS paper, "The Inevitability of Failure".
XPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE Systems (The Linux Foundation)
The OpenXT Project is an Open Source community producing a Xen-based platform for client devices with a focus on providing strong security properties. The different primary use cases of this project versus server-based Xen systems have motivated notable technical differences and consequently OpenXT should be of interest to anyone seeking to understand the full set of capabilities on offer within the Xen ecosystem.
In this presentation, Christopher Clark will describe the technical architecture of OpenXT, its current status and development activity within the project and its engagement with the upstream OpenEmbedded and Xen projects. This will include an overview of OpenXT's differentiating features such as Measured Launch, Virtual TPMs, Linux-based stubdoms, a specialized input layer and a distinct PV USB stack for Windows and Linux.
XPDS16: Hypervisor-based Security: Vicarious Learning via Introspektioneerin... (The Linux Foundation)
This presentation is based on the technical hurdles we overcame when building a commercial product on the introspection capabilities of the Xen hypervisor. Mihai Dontu will relate the importance of the x86 instruction emulator, the need for a more focused effort on its completeness and correctness, the problems encountered, and the solutions adopted. He will also approach the subject of performance: hypervisor features that were never meant to be in the hot path had to be reworked at specific points to meet a key requirement for turning a theoretical product into a commercial one.
Introduction to Linux Kernel by Quontra Solutions (QUONTRASOLUTIONS)
Course Duration: 30-35 hours Training + Assignments + Actual Project Based Case Studies
Training Materials: All attendees will receive
* Assignment after each module
* Video recording of every session
* Notes and study material for examples covered
* Access to the Training Blog & Repository of Materials
Pre-requisites:
Basic Computer Skills and knowledge of IT.
Training Highlights
* Focus on Hands on training.
* 30 hours of Assignments, Live Case Studies.
* Video Recordings of sessions provided.
* One Problem Statement discussed across the whole training program.
* Resume prep, Interview Questions provided.
WEBSITE: www.QuontraSolutions.com
Contact Info: Phone +1 404-900-9988 or Email info@quontrasolutions.com
Virtual Machine Introspection in a Hybrid Honeypot Architecture (Tamas K Lengyel)
This document discusses a hybrid honeypot architecture that combines low and high interaction honeypots using virtual machine introspection. It aims to provide the benefits of both types of honeypots while avoiding their limitations. The proposed system, called VMI-Honeymon, uses virtualization and memory scanning techniques to monitor high interaction honeypots running inside virtual machines without in-guest agents. This allows it to detect malware attempts to alter its behavior and subvert monitoring. An evaluation found it captured malware binaries from high interaction honeypots with fewer sessions than a low interaction honeypot alone. Future work plans to support concurrent high interaction honeypots across different Windows versions and automate analyses of malware footprints.
XPDS16: libvirt and Tools: What's New and What's Next - James Fehlig, SUSE (The Linux Foundation)
A year has passed since the last Xen Developer Summit and it is time to announce the quiet progress made on the libvirt libxl driver and related tooling. New features include memory, cpu, block device, and network interface statistics reporting, support for pvUSB, support for migration stream V2, peer-to-peer migration, UEFI for HVM guests via OVMF, and domain capabilities reporting to name a few. There are also many noteworthy improvements such as better conversion of xl.cfg to/from libvirt domXML, allowing users to easily switch between the xl+libxl and libvirt+libxl toolstacks.
The summit also provides an opportunity to discuss new proposals such as better control of domain placement on NUMA systems, exposing Xen's cpu pool feature in libvirt, supporting non-volatile memory for UEFI variables, and improved capabilities reporting.
Much of libvirt's value for Xen is in the tools built upon it: virt-manager, virt-viewer, virt-install, virt-builder, kimchi, OpenStack nova, etc. These tools also deserve a quick status update as they relate to Xen.
The audience is encouraged to participate, e.g. by requesting a sorely missing feature, warning of an upcoming Xen change that may affect libvirt, or simply suggesting a change that makes virtualization management life a bit easier.
PVH is a Xen guest mode that lets a paravirtualized Linux guest run in ring 0 by relying on hardware-assisted virtualization for isolation. It combines aspects of para-virtualization (PV) and hardware virtualization (HVM): the guest boots through a PV entry point, which is faster, while the guest kernel runs in ring 0 under hardware protection instead of being deprivileged as a classic PV kernel is. Performance benchmarks show that PVH provides significant improvements over traditional PV guests, bringing performance closer to HVM while keeping the PV security model. However, some optimizations remain to be done before it matches pure PV or HVM guests across the board.
Adding Extended Attribute Support to NFS (James Morris)
This document discusses adding extended attribute support to NFS. It provides background on extended attributes, describes different implementations among operating systems, and outlines a proposal to implement name/value extended attribute support in Linux NFSv3 through a side protocol. Prototype code has been developed and is undergoing review. The work could serve as a model for adding extended attribute support to NFSv4 to enable proper support on Linux and BSD systems.
Migration of virtual machines without guest downtime is a key feature for hypervisors. Sadly, not all hardware is the same, and keeping guests running in a heterogeneous environment takes a lot of care. Normally, features are advertised via the CPUID instruction, but life is never as simple as we would like. Andrew will discuss what information needs to be controlled, what information can and can't be controlled, and how it applies to Xen guests.
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi... (The Linux Foundation)
This presentation will detail a practical approach to memory introspection of virtual machines running on the Xen hypervisor with no in-guest footprint. The functionality makes use of the mem-event API with a number of improvements which enable proper tracking of guest OS activity. The technology created on top of this Xen API opens the door to several immediate applications, including rootkit detection and prevention, detection of and response to several categories of malware, and a source of real event data for low-level post-event forensics and correlation.
This document provides an introduction to the Linux kernel, including its main features and architecture. It discusses the kernel's portable, open source, multi-user nature and hierarchical file system. The document outlines the Linux versioning scheme and describes the kernel's main subsystems, including process management, memory management, the virtual file system, network stack, and system call interface. It explains how the kernel uses virtual memory to separate user space and privileged kernel space.
The talk is a status report for the latest release and development projects. It will cover the new features and important bug fixes (if any) in 4.7. It will also provide insight into what is in the queue for the next major release. A retrospective on the release process will also be part of the talk.
This document introduces how to write a basic "Hello, world" kernel module in Linux. It discusses making a module with a single source file, and also with multiple source files. Example code is provided for a simple module that prints a message when loaded and removed from the kernel. The document also covers makefiles used to build kernel modules.
High Performance Storage Devices in the Linux Kernel (Kernel TLV)
Agenda:
In this talk we will present the Linux kernel storage layers and dive into blk-mq, a scalable, parallel block layer for high performance block devices, and how it is used to unleash the performance of NVMe, flash and beyond.
Speaker:
Evgeny Budilovsky, Kernel Developer at E8 Storage
https://www.linkedin.com/company/e8-storage
The document discusses the Linux kernel and its structure. The Linux kernel acts as the interface between hardware and software, contains device drivers for peripherals, handles resource allocation and tracks application access to files. It is also responsible for security and access controls for users. It describes the old versioning convention in which an even second number (for example 2.4 or 2.6) marked a stable series and an odd one a development series; note that this odd/even scheme was abandoned after 2.6, so it does not apply to 3.x and later kernels.
Part 01 Linux Kernel Compilation (Ubuntu) (Tushar B Kute)
Presentation on "Linux Kernel Compilation" (Ubuntu based).
Presented at Army Institute of Technology, Pune for the FDP on "Basics of Linux Kernel Programming", by Tushar B Kute (http://tusharkute.com).
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct... (The Linux Foundation)
This document summarizes the Xen Security Modules framework (XSM), which enables fine-grained control over interactions between domains, the hypervisor, and resources. Its Flask module uses mandatory access control based on security labels rather than discretionary access control. Permissions for subjects (processes or VMs) to interact with objects (files, ports, devices, etc.) are defined in a security policy. The architecture includes the security policy, a policy controlling entity, a security server, an access vector cache (AVC), and a policy database. The decision-making process consists of checking the access vector cache, consulting the security server and policy database on a miss, and returning the access decision. Challenges include making policy changes atomic and keeping the loaded security policy consistent with the runtime policy database.
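The decision path described above, written out as a small standalone model. This is an added example for this page, not code from the talk or from Xen's xsm/flask implementation: the SID and permission names, the rule table, the direct-mapped cache and the sequence-number trick for invalidating the cache on policy reload are all assumptions made for the illustration. It shows the three pieces the abstract names (policy database, security server, AVC) and why a stale AVC entry must not survive a policy reload.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Security identifiers (SIDs) for labelled subjects and objects. Hypothetical labels. */
enum { SID_DOM0 = 1, SID_DOMU = 2, SID_EVTCHN = 3 };

/* Object classes and their permission bits; an access vector is a bitmask of these. */
enum { CLASS_DOMAIN = 1, CLASS_EVENT = 2 };
enum { PERM_CREATE = 1u << 0, PERM_DESTROY = 1u << 1, PERM_GETINFO = 1u << 2, PERM_SEND = 1u << 3 };

/* Policy database: one entry per "allow source target:class { perms }" rule. */
struct rule { uint32_t ssid, tsid, tclass, allowed; };
struct policydb { const struct rule *rules; size_t n; uint32_t seqno; };

/* Security server: compute the full access vector for (ssid, tsid, tclass) by
 * OR-ing every matching allow rule. Nothing matching means deny by default. */
static uint32_t security_compute_av(const struct policydb *db, uint32_t ssid,
                                    uint32_t tsid, uint32_t tclass)
{
    uint32_t av = 0;
    for (size_t i = 0; i < db->n; i++)
        if (db->rules[i].ssid == ssid && db->rules[i].tsid == tsid &&
            db->rules[i].tclass == tclass)
            av |= db->rules[i].allowed;
    return av;
}

/* Access vector cache (AVC): direct-mapped. Each entry carries the policy
 * sequence number it was computed under, so a policy reload makes every old
 * entry miss instead of serving a decision from a policy that no longer exists. */
#define AVC_SLOTS 64
struct avc_entry { uint32_t ssid, tsid, tclass, allowed, seqno; bool valid; };
struct avc { struct avc_entry slots[AVC_SLOTS]; unsigned hits, misses; };

static unsigned avc_hash(uint32_t ssid, uint32_t tsid, uint32_t tclass)
{
    return (ssid * 31u + tsid * 17u + tclass) % AVC_SLOTS;
}

/* The decision path from the abstract: consult the AVC; on a miss or a stale
 * entry ask the security server and refill; then check requested against allowed. */
static bool avc_has_perm(struct avc *c, const struct policydb *db, uint32_t ssid,
                         uint32_t tsid, uint32_t tclass, uint32_t requested)
{
    struct avc_entry *e = &c->slots[avc_hash(ssid, tsid, tclass)];
    bool fresh = e->valid && e->seqno == db->seqno && e->ssid == ssid &&
                 e->tsid == tsid && e->tclass == tclass;
    if (fresh) {
        c->hits++;
    } else {
        c->misses++;
        *e = (struct avc_entry){ ssid, tsid, tclass,
                                 security_compute_av(db, ssid, tsid, tclass),
                                 db->seqno, true };
    }
    uint32_t denied = requested & ~e->allowed;
    if (denied)
        printf("avc: denied { 0x%x } ssid=%u tsid=%u tclass=%u\n",
               (unsigned)denied, (unsigned)ssid, (unsigned)tsid, (unsigned)tclass);
    return denied == 0;
}

/* Policy reload: publish the new rule table and bump seqno in one step, so no
 * decision is made against a mix of old and new rules. */
static void policy_load(struct policydb *db, const struct rule *rules, size_t n)
{
    db->rules = rules;
    db->n = n;
    db->seqno++;
}

/* Constructed policies for the demonstration. v1: dom0 may create, destroy and
 * inspect domUs; a domU may inspect itself and signal an event channel.
 * v2 tightens v1 by removing dom0's destroy permission. */
static const struct rule policy_v1[] = {
    { SID_DOM0, SID_DOMU, CLASS_DOMAIN, PERM_CREATE | PERM_DESTROY | PERM_GETINFO },
    { SID_DOMU, SID_DOMU, CLASS_DOMAIN, PERM_GETINFO },
    { SID_DOMU, SID_EVTCHN, CLASS_EVENT, PERM_SEND },
};
static const struct rule policy_v2[] = {
    { SID_DOM0, SID_DOMU, CLASS_DOMAIN, PERM_CREATE | PERM_GETINFO },
    { SID_DOMU, SID_DOMU, CLASS_DOMAIN, PERM_GETINFO },
};

/* Five decisions across a policy reload; returns how many were allowed. */
static int demo(struct avc *c)
{
    struct policydb db = { 0 };
    int allowed = 0;
    policy_load(&db, policy_v1, sizeof policy_v1 / sizeof policy_v1[0]);
    allowed += avc_has_perm(c, &db, SID_DOM0, SID_DOMU, CLASS_DOMAIN, PERM_DESTROY); /* miss, allowed */
    allowed += avc_has_perm(c, &db, SID_DOM0, SID_DOMU, CLASS_DOMAIN, PERM_DESTROY); /* hit, allowed */
    allowed += avc_has_perm(c, &db, SID_DOMU, SID_DOMU, CLASS_DOMAIN, PERM_DESTROY); /* miss, denied */
    policy_load(&db, policy_v2, sizeof policy_v2 / sizeof policy_v2[0]);
    allowed += avc_has_perm(c, &db, SID_DOM0, SID_DOMU, CLASS_DOMAIN, PERM_DESTROY); /* stale entry recomputed, denied */
    allowed += avc_has_perm(c, &db, SID_DOM0, SID_DOMU, CLASS_DOMAIN, PERM_GETINFO); /* hit, allowed */
    return allowed;
}

int main(void)
{
    struct avc c = { 0 };
    int allowed = demo(&c);
    printf("allowed=%d avc_hits=%u avc_misses=%u\n", allowed, c.hits, c.misses);
    return 0;
}
```

The fourth decision is the one that matters for the consistency problem the abstract raises: without the sequence number check, the AVC would still hold the v1 vector and grant dom0 a destroy permission the loaded policy no longer contains.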
XPDS16: Xen Orchestra: building a Cloud on top of Xen - Olivier Lambert & Jul... (The Linux Foundation)
Since its inception, the Xen Orchestra project, licensed under the AGPLv3, has always had a philosophy of listening to and engaging the community. User feedback shaped our initial concept, which first targeted system administrators. Eventually, our users drove us to support cloud-scale deployments of up to 2000 VMs. Retaining simplicity in usage and installation while evolving Xen Orchestra to cloud scale posed many challenges. Building features such as ACLs, self-service, live charts and config drive management forced us to constantly evolve our architecture. First we will show how user needs changed our architecture, and how we solved challenging problems such as user permissions, ACLs, containers in a virtualized infrastructure and self-service. We will conclude with a short demo, what is next, and lessons learned.
Linux Kernel and Driver Development Training (Stephan Cadene)
This document provides information about a Linux Kernel and Driver Development training from Free Electrons. It begins with an overview of the course and hardware that will be used. It then discusses Free Electrons as a company and their online resources. The document also provides generic course information and guidelines for participation and the practical labs.
The document discusses directions for improving SELinux networking capabilities. It outlines ideas such as using Netfilter/iptables for IP packet controls instead of the current implementation, leveraging IPsec to label security associations rather than individual packets, extending SELinux policy to the distributed environment, and developing mechanisms for distributing and synchronizing policy across security realms. Long term trends toward high assurance distributed computing are also noted.
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ... (James Morris)
"Have You Driven an SELinux Lately? - An Update on the SELinux Project"
This was given at OLS (Ottawa Linux Symposium) in 2008.
The paper from the talk may be found at
http://namei.org/ols-2008-selinux-paper.pdf.
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques (Scott K. Larson)
The document discusses advanced persistent threats and techniques used by attackers both historically and currently. It covers topics like out-of-band analysis techniques to gain "perfect knowledge" of attackers through reverse engineering, using telemetry and signatures to detect malware, and challenges with scanning techniques due to polymorphism and evasion methods used by attackers.
Part 02 Linux Kernel Module Programming (Tushar B Kute)
Presentation on "Linux Kernel Module Programming".
Presented at Army Institute of Technology, Pune for the FDP on "Basics of Linux Kernel Programming", by Tushar B Kute (http://tusharkute.com).
OffensiveCon2022: Case Studies of Fuzzing with Xen (Tamas K Lengyel)
KF/x is an open-source fuzzing framework that leverages virtual machine introspection to fuzz code running inside virtual machines. It was used to discover vulnerabilities in the Virtio driver in Linux and a heap overflow in the 7z parser of Symantec Endpoint Protection. KF/x allows taking full memory snapshots of a VM, forking it to generate new test cases, and monitoring for crashes or desired program states. This approach found issues that may have otherwise remained undetected due to the lack of proper fuzzing tools for systems running complex, isolated software like antivirus programs.
Static partitioning is becoming increasingly common in embedded systems. A static hypervisor, such as Xen dom0less, is employed to split the hardware resources into multiple domains and run a different OS in each domain, for instance Linux and Zephyr. Only the simplest static partitioning configurations involve no data exchange between the domains. Often, communication and data exchange between two or more environments are required to complete the data processing pipeline that implements the target application. However, the VM-to-VM communication mechanisms available in static partitioning configurations are typically more limited than those of general-purpose hypervisors. For example, PV drivers are not available to Xen dom0less domains. This presentation will discuss the need for communication in static partitioning setups and present the technical challenges involved in getting traditional communication methods to work, including Xen PV drivers and VirtIO. The talk will also present simpler alternatives based on shared memory and interrupt notifications for setting up domain-to-domain data streams: techniques that are easy to use both from Linux and from tiny bare-metal applications.
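A shared-memory-plus-notification data stream of the kind the abstract describes, as an added example for this page rather than code from the talk or from Xen. The ring layout, the single-producer/single-consumer discipline, the "consumer announces it is waiting" convention and the notify callback standing in for the inter-domain interrupt are all assumptions. The part a practitioner should not skip is that the peer domain writes into the same page: its producer index is untrusted input and is range-checked before it drives any copy.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RING_SIZE 4096u   /* payload bytes; a power of two so indices wrap by masking */
#define RING_MASK (RING_SIZE - 1u)

/* The shared page as both domains see it. Only the producer writes 'prod',
 * only the consumer writes 'cons' and 'cons_waiting'; both indices are
 * monotonic byte counters, not offsets, so "used" is simply prod - cons. */
struct shm_ring {
    _Atomic uint32_t prod;
    _Atomic uint32_t cons;
    _Atomic uint32_t cons_waiting;   /* consumer sets 1 just before it sleeps */
    uint8_t data[RING_SIZE];
};

/* Stand-in for raising the inter-domain interrupt (event channel, SGI, ...). */
typedef void (*notify_fn)(void *ctx);

/* Producer: copy a record in, publish the new index with release semantics,
 * and raise the notification only when the consumer said it is waiting, so a
 * busy consumer is not interrupted once per record. */
static bool ring_write(struct shm_ring *r, const void *buf, uint32_t len,
                       notify_fn notify, void *ctx)
{
    uint32_t prod = atomic_load_explicit(&r->prod, memory_order_relaxed);
    uint32_t cons = atomic_load_explicit(&r->cons, memory_order_acquire);
    uint32_t used = prod - cons;             /* unsigned wrap keeps this right */
    if (used > RING_SIZE || len > RING_SIZE - used)
        return false;                        /* peer index corrupted, or no room */
    uint32_t off = prod & RING_MASK;
    uint32_t first = len < RING_SIZE - off ? len : RING_SIZE - off;
    memcpy(&r->data[off], buf, first);
    memcpy(&r->data[0], (const uint8_t *)buf + first, len - first);
    atomic_store_explicit(&r->prod, prod + len, memory_order_release);
    if (atomic_load_explicit(&r->cons_waiting, memory_order_seq_cst) && notify)
        notify(ctx);
    return true;
}

/* Consumer: 'prod' lives in memory the peer controls, so clamp the amount we
 * believe is available before it is used as a copy length. */
static uint32_t ring_read(struct shm_ring *r, void *buf, uint32_t max)
{
    atomic_store_explicit(&r->cons_waiting, 0, memory_order_seq_cst); /* we are awake */
    uint32_t cons = atomic_load_explicit(&r->cons, memory_order_relaxed);
    uint32_t prod = atomic_load_explicit(&r->prod, memory_order_acquire);
    uint32_t avail = prod - cons;
    if (avail > RING_SIZE)                   /* peer lied about what it produced */
        avail = 0;                           /* treat as empty; never read past the page */
    uint32_t n = avail < max ? avail : max;
    uint32_t off = cons & RING_MASK;
    uint32_t first = n < RING_SIZE - off ? n : RING_SIZE - off;
    memcpy(buf, &r->data[off], first);
    memcpy((uint8_t *)buf + first, &r->data[0], n - first);
    atomic_store_explicit(&r->cons, cons + n, memory_order_release);
    return n;
}

/* Consumer's sleep protocol: announce the wait, then re-check the ring, so a
 * record published between the check and the sleep cannot be missed.
 * Returns true if data is already there and the wait was cancelled. */
static bool ring_consumer_prepare_wait(struct shm_ring *r)
{
    atomic_store_explicit(&r->cons_waiting, 1, memory_order_seq_cst);
    uint32_t prod = atomic_load_explicit(&r->prod, memory_order_acquire);
    uint32_t cons = atomic_load_explicit(&r->cons, memory_order_relaxed);
    if (prod != cons) {
        atomic_store_explicit(&r->cons_waiting, 0, memory_order_seq_cst);
        return true;
    }
    return false;
}

static void count_notify(void *ctx) { (*(int *)ctx)++; }

/* Constructed scenario: one record sent to a busy consumer (no interrupt),
 * one sent to a sleeping consumer (one interrupt). Returns the interrupt count. */
static int demo(char *out, size_t outlen)
{
    static struct shm_ring ring;             /* stands in for the mapped shared page */
    atomic_store(&ring.prod, 0);
    atomic_store(&ring.cons, 0);
    atomic_store(&ring.cons_waiting, 0);
    int notifications = 0;
    ring_write(&ring, "zephyr->linux", 13, count_notify, &notifications);
    ring_consumer_prepare_wait(&ring);       /* data already there: wait cancelled */
    uint32_t n = ring_read(&ring, out, (uint32_t)outlen);
    out[n] = '\0';
    ring_consumer_prepare_wait(&ring);       /* ring empty: consumer goes to sleep */
    ring_write(&ring, "tick", 4, count_notify, &notifications);
    return notifications;
}

int main(void)
{
    char out[64];
    int irqs = demo(out, sizeof out - 1);
    printf("first record: %s, notifications raised: %d\n", out, irqs);
    return 0;
}
```

On real hardware the notify callback becomes the event channel or inter-processor interrupt the platform offers, and the acquire/release pairs on the indices are what make the payload visible to the other core before the index that publishes it; the range checks are what stop a compromised or buggy peer from turning a shared page into an out-of-bounds read in the consumer.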
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -... (Chris Thompson)
The document discusses tactics, techniques and procedures (TTPs) used by red teams to penetrate networks defended by Microsoft's Windows Defender Advanced Threat Protection (ATP). It analyzes ATP's detection capabilities and provides examples of techniques it does and does not detect. It recommends ways for red and blue teams to improve their strategies based on ATP's strengths and limitations.
Saruhan Karademir, Microsoft
David Weston, Microsoft
Windows Defender Application Guard (WDAG) brings the next generation isolation into the browser space. It merges the best of Hyper-V virtualization and Microsoft Edge sandboxing technologies to bring hardware-enforced isolation of untrusted websites from the user’s data and operating system. In this talk, we will walk through the WDAG security promise and architecture. We will explain how it was built from the ground up with security as the number one priority showcasing the architectural decisions that added layers of defense. Finally, we explore how Microsoft’s internal security teams engaged from the very beginning of this feature’s development, helping shape WDAG’s design, finding and fixing critical vulnerabilities, and building additional defense-in-depth layers before the product reached a single customer.
XPDS16: libvirt and Tools: What's New and What's Next - James Fehlig, SUSEThe Linux Foundation
A year has passed since the last Xen Developer Summit and it is time to announce the quiet progress made on the libvirt libxl driver and related tooling. New features include memory, cpu, block device, and network interface statistics reporting, support for pvUSB, support for migration stream V2, peer-to-peer migration, UEFI for HVM guests via OVMF, and domain capabilities reporting to name a few. There are also many noteworthy improvements such as better conversion of xl.cfg to/from libvirt domXML, allowing users to easily switch between the xl+libxl and libvirt+libxl toolstacks.
The summit also provides an opportunity to discuss new proposals such as better control of domain placement on NUMA systems, exposing Xen's cpu pool feature in libvirt, supporting non-volatile memory for UEFI variables, and improved capabilities reporting.
Much of libvirt's value for Xen is in the tools built upon it: virt-manager, virt-viewer, virt-install, virt-builder, kimchi, OpenStack nova, etc. These tools also deserve a quick status update as they relate to Xen.
The audience is encouraged to participate, e.g. by requesting a sorely missing feature, warning of an upcoming Xen change that may affect libvirt, or simply suggesting a change that makes virtualization management life a bit easier.
PVH allows a paravirtualized Linux guest to run in ring 0 by using a hardware-assisted virtualization technique called PVH. PVH combines aspects of para-virtualization (PV) and hardware virtualization (HVM) by using a PV entry point to boot the guest faster while still allowing the guest kernel to run in ring 0. Performance benchmarks show that PVH provides significant performance improvements over traditional PV guests, bringing performance closer to HVM while still maintaining the security model of PV. However, some optimizations remain to be done to match the performance of pure PV or HVM guests.
Adding Extended Attribute Support to NFSJames Morris
This document discusses adding extended attribute support to NFS. It provides background on extended attributes, describes different implementations among operating systems, and outlines a proposal to implement name/value extended attribute support in Linux NFSv3 through a side protocol. Prototype code has been developed and is undergoing review. The work could serve as a model for adding extended attribute support to NFSv4 to enable proper support on Linux and BSD systems.
Migration of virtual machines without guest downtime is a key feature for hypervisors. Sadly, not all hardware is the same, and keeping guests running in a heterogeneous environment takes a lot of care. Normally, features are advertised via the CPUID instruction, but life is never as simple as we would like. Andrew will discuss what information needs to be controlled, what information can and can't be controlled, and how it applies to Xen guests.
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...The Linux Foundation
This presentation will detail a practical approach to memory introspection of virtual machines running on the Xen hypervisor with no in-guest footprint. The functionality makes use of the mem-event API with a number of improvements which enable the proper tracking of guest OS activity. The technology created on top of this Xen API opens the door for several immediate applications, including: rootkit detection and prevention, detection and action on several categories of malware, and event source information for low-level post-event forensics and correlation based on real event data during events.
This document provides an introduction to the Linux kernel, including its main features and architecture. It discusses the kernel's portable, open source, multi-user nature and hierarchical file system. The document outlines the Linux versioning scheme and describes the kernel's main subsystems, including process management, memory management, the virtual file system, network stack, and system call interface. It explains how the kernel uses virtual memory to separate user space and privileged kernel space.
The talk is a status report for the latest release and development projects. It will cover the new features and important bug fixes (if any) in 4.7. It will also provide insight on what’s in the queue for the next major release. Retrospective on the release process will also be part of talk.
This document introduces how to write a basic "Hello, world" kernel module in Linux. It discusses making a module with a single source file, and also with multiple source files. Example code is provided for a simple module that prints a message when loaded and removed from the kernel. The document also covers makefiles used to build kernel modules.
High Performance Storage Devices in the Linux KernelKernel TLV
Agenda:
In this talk we will present the Linux kernel storage layers and dive into blk-mq, a scalable, parallel block layer for high performance block devices, and how it is used to unleash the performance of NVMe, flash and beyond.
Speaker:
Evgeny Budilovsky, Kernel Developer at E8 Storage
https://www.linkedin.com/company/e8-storage
The document discusses the Linux kernel and its structure. The Linux kernel acts as the interface between hardware and software, contains device drivers for peripherals, handles resource allocation and tracking application access to files. It is also responsible for security and access controls for users. The kernel version numbers use even numbers to indicate stable releases.
Part 01 Linux Kernel Compilation (Ubuntu)Tushar B Kute
Presentation on "Linux Kernel Compilation" (Ubuntu based).
Presented at Army Institute of Technology, Pune for FDP on "Basics of Linux Kernel Programming". by Tushar B Kute (http://tusharkute.com).
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...The Linux Foundation
This document summarizes Xen security framework (XSM) which enables fine-grained control over interactions between domains, hypervisor, and resources. XSM uses mandatory access control based on security labels rather than discretionary access control. Permissions for subjects (processes or VMs) to interact with objects (files, ports, devices, etc.) are defined in security policies. The architecture includes security policies, a policy controlling entity, security server, access vector cache, and policy database. The decision making process involves checking the access vector cache, consulting the security server and policy database if needed, and returning the access decision. Challenges include ensuring atomic policy changes and consistency between security policy and runtime policy database.
XPDS16: Xen Orchestra: building a Cloud on top of Xen - Olivier Lambert & Jul...The Linux Foundation
Since its inception, the Xen Orchestra project, which uses the AGPLv3, has always had a philosophy of listening to and engaging the community. User feedback shaped our initial concept, which first targeted system administrators. Eventually, our users drove us to support cloud-scale deployments of up to 2000 VMs. Retaining simplicity in usage and installation while evolving Xen Orchestra to cloud scale posed many challenges. This led us to build many new features such as ACLs, self-service, live charts, config drive management, and more, and forced us to constantly evolve our architecture. First we will show how user needs changed our architecture, and how we solved challenging problems such as user permissions, ACLs, containers in a virtualized infrastructure, and self-service. We will conclude with a short demo, what is next, and lessons learned.
Linux Kernel and Driver Development TrainingStephan Cadene
This document provides information about a Linux Kernel and Driver Development training from Free Electrons. It begins with an overview of the course and hardware that will be used. It then discusses Free Electrons as a company and their online resources. The document also provides generic course information and guidelines for participation and the practical labs.
The document discusses directions for improving SELinux networking capabilities. It outlines ideas such as using Netfilter/iptables for IP packet controls instead of the current implementation, leveraging IPsec to label security associations rather than individual packets, extending SELinux policy to the distributed environment, and developing mechanisms for distributing and synchronizing policy across security realms. Long term trends toward high assurance distributed computing are also noted.
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...James Morris
"Have You Driven an SELinux Lately? - An Update on the SELinux Project"
This was given at OLS (Ottawa Linux Symposium) in 2008.
The paper from the talk may be found at
http://namei.org/ols-2008-selinux-paper.pdf.
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesScott K. Larson
The document discusses advanced persistent threats and techniques used by attackers both historically and currently. It covers topics like out-of-band analysis techniques to gain "perfect knowledge" of attackers through reverse engineering, using telemetry and signatures to detect malware, and challenges with scanning techniques due to polymorphism and evasion methods used by attackers.
Part 02 Linux Kernel Module ProgrammingTushar B Kute
Presentation on "Linux Kernel Module Programming".
Presented at Army Institute of Technology, Pune for FDP on "Basics of Linux Kernel Programming". by Tushar B Kute (http://tusharkute.com).
OffensiveCon2022: Case Studies of Fuzzing with XenTamas K Lengyel
KF/x is an open-source fuzzing framework that leverages virtual machine introspection to fuzz code running inside virtual machines. It was used to discover vulnerabilities in the Virtio driver in Linux and a heap overflow in the 7z parser of Symantec Endpoint Protection. KF/x allows taking full memory snapshots of a VM, forking it to generate new test cases, and monitoring for crashes or desired program states. This approach found issues that may have otherwise remained undetected due to the lack of proper fuzzing tools for systems running complex, isolated software like antivirus programs.
Static partitioning is becoming increasingly common in embedded systems. A static hypervisor, such as Xen dom0less, is employed to split the hardware resources into multiple domains and run a different OS in each domain, for instance Linux and Zephyr. Only the simplest static partitioning configurations involve no data exchange between the domains. Often, communication and data exchange between two or more environments are required to complete the data processing pipeline that implements the target application. However, the VM-to-VM communication mechanisms available in static partitioning configurations are typically more limited than those of general-purpose hypervisors. For example, PV drivers are not available to Xen dom0less domains. This presentation will discuss the need for communication in static partitioning setups and present the technical challenges involved in getting traditional communication methods to work, including Xen PV drivers and VirtIO. The talk will also provide simpler alternatives based on shared memory and interrupt notifications to set up domain-to-domain data streams: simpler techniques that are easily usable both by Linux and by tiny bare-metal applications.
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...Chris Thompson
The document discusses tactics, techniques and procedures (TTPs) used by red teams to penetrate networks defended by Microsoft's Windows Defender Advanced Threat Protection (ATP). It analyzes ATP's detection capabilities and provides examples of techniques it does and does not detect. It recommends ways for red and blue teams to improve their strategies based on ATP's strengths and limitations.
Saruhan Karademir, Microsoft
David Weston, Microsoft
Windows Defender Application Guard (WDAG) brings next-generation isolation into the browser space. It merges the best of Hyper-V virtualization and Microsoft Edge sandboxing technologies to bring hardware-enforced isolation of untrusted websites from the user’s data and operating system. In this talk, we will walk through the WDAG security promise and architecture. We will explain how it was built from the ground up with security as the number one priority, showcasing the architectural decisions that added layers of defense. Finally, we explore how Microsoft’s internal security teams engaged from the very beginning of this feature’s development, helping shape WDAG’s design, finding and fixing critical vulnerabilities, and building additional defense-in-depth layers before the product reached a single customer.
PC = Personal Cloud (or how to use your development machine with Vagrant and ...Codemotion
by Andrey Adamovich - Have you ever wished to run a production clone on your laptop to find that annoying bug? With decreasing hardware costs and growing hardware performance it becomes possible. Virtualization tools like VirtualBox come in very handy for simulating a real OS with a real setup. Tools like Vagrant (a VirtualBox wrapper) make it even easier. This presentation gives several hands-on demonstrations of Vagrant's capabilities and of how simply it integrates into your normal development cycle.
AWS re:Invent 2016: Securing Container-Based Applications (CON402)Amazon Web Services
Containers have had an incredibly large adoption rate since Docker was launched, especially from the developer community, as it provides an easy way to package, ship, and run applications. Securing your container-based application is now becoming a critical issue as applications move from development into production. In this session, you learn ways to implement storing secrets, distributing AWS privileges using IAM roles, protecting your container-based applications with vulnerability scans of container images, and incorporating automated checks into your continuous delivery workflow.
AWS re:Invent 2016: Securing Container-Based Applications (CON402)Amazon Web Services
This document discusses securing container-based applications. It covers container and OS security best practices like using Linux namespaces and cgroups for isolation, reducing the container attack surface, and hardening container images. It also discusses securing the container lifecycle through vulnerability scanning, configuration governance with Amazon ECS, and using secrets management. Finally, it shows how to automate security deployments through the CI/CD pipeline and tools like CloudFormation and CodeDeploy.
As the Xen hypervisor evolves so do the chances for a potentially exploitable bug to be introduced. This is the case for XSA-105/106, where a number of oversights in the x86 instruction emulator created the opportunity for a number of exploits.
The document discusses Windows memory and cache manager internals. It covers several topics:
- The virtual memory manager (VMM) abstracts physical memory to make it feel infinite to applications. It protects OS memory and enables memory sharing between applications.
- Paging is used to divide physical memory into equal size pages. Address translation uses page directories (PDEs) and page tables (PTEs) along with a translation lookaside buffer (TLB) for faster lookups.
- The cache manager improves performance by caching frequently used disk blocks in physical memory. It facilitates read-ahead and write-back caching to reduce disk access.
- Whalebone provides DNS resolution services for millions protecting against malware and anomalies
- They have experienced random subdomain attacks that try to take down domains by overloading resolvers with queries for nonexistent subdomains
- DNSSEC aggressive caching helps mitigate these attacks by reducing load on authoritative nameservers for nonexistent records
- However, some devices like F5 BIG-IP load balancers have had faulty implementations of DNSSEC that can cause validation failures and resolution issues
Back to Basics Webinar 6: Production DeploymentMongoDB
This is the final webinar of a Back to Basics series that will introduce you to the MongoDB database. This webinar will guide you through production deployment.
Whats new in Microsoft Windows Server 2016 Clustering and StorageJohn Moran
In this webinar we will learn what the High Availability & Storage team in Microsoft has cooked up for us in Windows Server 2016, which is being launched at Microsoft Ignite at the end of September.
There’s lots of new stuff in this release, including better high availability for Hyper-V, greater control over resource utilization, improved fault tolerance of transient events, newer design options for stretch or multi-site clusters, a whole new way of doing software defined storage with SATA and NVMe drives, built-in block-level storage replication, and hyper-convergence without having to break the bank.
Security Challenges of Antivirus Engines, Products and SystemsAntiy Labs
This document discusses security challenges faced by antivirus engines, products, and systems. It notes that antivirus systems are vulnerable to malware just like other software. The document outlines threats including rootkits that can hijack antivirus software processes, format vulnerabilities that can crash engines, and privilege escalation issues. It discusses improving input validation, privilege control, testing, and secure code development to address these challenges. The goal is for antivirus software to remain vigilant against emerging threats through continued research and responsiveness.
Metasploit & Windows Kernel ExploitationzeroSteiner
The document discusses kernel exploitation on Windows systems. It provides an overview of common vulnerability classes like write-what-where and use-after-free. It also covers techniques for executing code, mitigation technologies, writing exploits for Metasploit, and sources of instability. The speaker's background and agenda are introduced at the start.
This document provides guidance on considerations for deploying MongoDB in production environments. It covers sizing hardware requirements for memory, CPU and I/O; installing and configuring MongoDB; using MongoDB on Amazon EC2; implementing security, backups, and durability; upgrading MongoDB versions; scaling deployments by sharding; and monitoring MongoDB performance.
This document discusses I/O virtualization and GPU virtualization. It covers:
- Two approaches to I/O virtualization: hosted and device driver approaches. Hosted has lower engineering cost but lower performance.
- Methods to optimize para-virtualized I/O including split-driver models, reducing data copy costs, and hardware supports like IOMMU and SR-IOV.
- Challenges of GPU virtualization including whether to take a low-level virtualization or high-level API remoting approach. API remoting is preferred due to closed and evolving GPU hardware.
- Hardware pass-through of GPUs for high performance but low scalability. Industry solutions for remote desktop
The document discusses application sandboxes from a penetration tester's perspective. It describes two main types of sandboxes - Type A which uses OS enhancements to isolate untrusted code, and Type B which uses a master/slave model with a lower privileged slave process. Both types are fundamentally vulnerable to kernel and some user mode vulnerabilities on the OS that can allow bypassing of the sandbox isolation. Type A sandboxes are easier to escape than Type B. The document demonstrates exploits against both sandbox types using vulnerabilities such as in CSRSS and the Windows kernel. It concludes that application sandboxes are not sufficient for malware analysis due to their vulnerability to OS exploits.
The document provides guidance on deploying MongoDB in production environments. It discusses sizing hardware requirements for memory, CPU, and disk I/O. It also covers installing and upgrading MongoDB, considerations for cloud platforms like EC2, security, backups, durability, scaling out, and monitoring. The focus is on performance optimization and ensuring data integrity and high availability.
Review of Hardware based solutions for trusted cloud computing.pptxssusere142fe
This document discusses and compares four hardware-based security solutions for cloud computing environments: Intel TXT, ARM TrustZone, AMD SEV, and Intel SGX. It first provides an overview of each solution, describing their basic components and architectures. It then evaluates them according to three criteria categories: security, functionality, and deployability. According to the comparison, while Intel SGX is presented as generally better than the others, it still requires code modification of legacy applications and puts responsibility on developers to prevent side channel attacks. Overall, the document analyzes and contrasts these four industrial-scale trusted execution environment approaches.
The lies we tell our code, LinuxCon/CloudOpen 2015-08-18Casey Bisson
As presented at LinuxCon/CloudOpen 2015: http://sched.co/3Y3v
We tell our code lies from development to deploy. The most common of these lies start with the simple act of launching a virtual machine. These lies are critical to our applications. Some of them protect applications from themselves and each other, some even improve performance. Some, however, decrease performance, and others create barriers to simply getting things done.
We lie about the systems, networks, storage, RAM, CPU and other resources our applications use, but how we tell those lies is critical to how the applications that depend on them perform. Joyent's Casey Bisson will explore the lies we tell our code and demonstrate examples of how they sometimes help and hurt us.
Owning computers without shell access 2Royce Davis
These are the slides from my talk at BSides Puerto Rico 2013. I will post a link to the slides later.
Abstract:
For many years Penetration Testers have relied on gaining shell access to remote systems in order to take ownership of network resources and enterprise owned assets. AntiVirus (AV) companies are becoming increasingly more aware of shell signatures and are therefore making it more and more difficult to compromise remote hosts. The current industry mentality seems to believe the answer is stealthier payloads and super complex obfuscation techniques. I believe a more effective answer might lie in alternative attack methodologies involving authenticated execution of native Windows commands to accomplish the majority of shell reliant tasks common to most network level penetration tests. The techniques I will be discussing were developed precisely with this style of attack in mind. Using these new tools, I will demonstrate how to accomplish the same degree of network level compromise that has been enjoyed in the past with shell-based attack vectors, while avoiding detection from AV solut
Similar to WannaCry - An OS course perspective (20)
Dr. Peter Tröger discusses cloud standards and virtualization. He outlines three basic cloud service models and describes challenges with cloud dependability from the customer and provider perspectives. The document also reviews several standards organizations and specifications relevant to cloud computing, including OVF, OCCI, CDMI, and the Cloud Security Alliance. It emphasizes that while infrastructure standards are maturing, more work remains regarding platforms, software, data models, and billing standards.
Distributed Resource Management Application API (DRMAA) Version 2Peter Tröger
The document describes the Distributed Resource Management Application API (DRMAA) version 2. It provides an overview of DRMAA and its goals of providing a standardized API for distributed resource management systems. It discusses the key components involved in DRMAA including distributed resource management systems, DRMAA implementations/libraries, submission hosts, and execution hosts. It also summarizes the success of DRMAA version 1 and outlines the status and design approach of the new DRMAA version 2 specification.
Design of Software for Embedded SystemsPeter Tröger
This document provides an overview of the Design of Software for Embedded Systems (SWES) course. It discusses the course organization, project requirements, and introduces some basic concepts and terminology related to embedded systems and real-time software. Specifically, it describes the challenges in embedded system design, different types of hardware platforms, characteristics of embedded software, issues related to timeliness and real-time scheduling, and how real-time operating systems address these issues. The document aims to equip students with foundational knowledge on embedded systems and real-time systems engineering.
Human users should not be forced to edit XML documents. Sometimes, they may want to read them.
The presentation persists some arguments I stated about this topic again and again in the past. Discussions and opinions are more than welcome.
What activates a bug? A refinement of the Laprie terminology model.Peter Tröger
The document proposes refinements to the Laprie terminology model for describing software bugs. It introduces concepts of a fault model describing faulty code, a fault condition model describing enabling system states, and an error model describing states where faults are activated and may lead to failures. A failure automaton is presented with states for disabled, dormant, and active faults, as well as detected errors and outages. Events are defined for when fault conditions are fulfilled or no longer fulfilled, faulty code is executed, and failures occur. The refinement aims to separately consider investigated software layers and their environment in order to better describe what activates bugs.
This document provides an overview of dependability and dependable systems. It defines dependability as an umbrella term that includes reliability, availability, maintainability, and other attributes that allow systems to be trusted. Dependability addresses how systems can continue operating correctly even when faults occur. Key topics covered include fault tolerance techniques, error processing, failure modes, and modeling approaches for analyzing dependability. The goal of the course is to understand how to design systems that can be relied upon to deliver their services as specified, even in the presence of faults or unexpected events.
Dependable Systems - Hardware Dependability with Redundancy (14/16)Peter Tröger
1) The document discusses hardware dependability through the use of redundancy. It provides examples of static redundancy like voting and N-modular redundancy as well as dynamic redundancy using techniques like back-up sparing and duplex systems.
2) IBM's zSeries mainframe computers are highlighted as an example of a highly redundant system, using techniques like machine check handling, error correction codes, unit deletion for degradation, and fully redundant I/O subsystems.
3) Redundancy comes at a cost but can effectively improve reliability through techniques that either mask faults or allow systems to reconfigure around faults. The level of redundancy must be weighed against associated costs and design complexity.
Dependable Systems -Fault Tolerance Patterns (4/16)Peter Tröger
The document discusses various patterns for achieving fault tolerance in dependable systems. It covers architectural patterns like units of mitigation and error containment barriers. It also discusses detection patterns such as fault correlation, system monitoring, acknowledgments, voting, and audits. Finally, it discusses error recovery patterns like quarantine, concentrated recovery, and checkpointing to avoid data loss during recovery. The patterns provide reusable solutions for commonly occurring problems in building fault tolerant systems.
Dependable Systems -Dependability Means (3/16)Peter Tröger
This document provides an overview of dependability and dependable systems. It defines dependability as the trustworthiness of a system such that reliance can be placed on the service it delivers. The key aspects of dependability discussed include fault prevention, fault tolerance, fault removal, and fault forecasting. Fault tolerance techniques aim to provide service even in the presence of faults through methods like redundancy, error detection, error processing through recovery, and fault treatment. Dependable system design involves assessing risks, adding redundancy, and designing error detection and recovery capabilities.
This document provides a summary of the history of operating systems from the earliest mechanical computers in the 1800s to modern desktop and server operating systems. It discusses the first programmable computers like the Analytical Engine and Z3 and the development of stored program architectures. It then covers the evolution of batch processing systems and time-sharing to allow for interactive use. Key developments discussed include the IBM 1401, CTSS, Multics, Unix, and early versions of Windows. The document also provides an overview of basic hardware concepts like SMP, multi-core processors, and parallelism that operating systems must account for.
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfFlorence Consulting
Fourteenth Milan Meetup, held in Milan on 23 May 2024 from 17:00 to 18:30, in person and remotely.
We talked about how Axpo Italia S.p.A. reduced its technical debt by migrating its APIs from Mule 3.9 to Mule 4.4, also moving from on-premises to CloudHub 1.0.
Gen Z and the marketplaces - let's translate their needsLaura Szabó
The product workshop focused on exploring the requirements of Generation Z in relation to marketplace dynamics. We delved into their specific needs, examined the specifics in their shopping preferences, and analyzed their preferred methods for accessing information and making purchases within a marketplace. Through the study of real-life cases , we tried to gain valuable insights into enhancing the marketplace experience for Generation Z.
The workshop was held on the DMA Conference in Vienna June 2024.
Discover the benefits of outsourcing SEO to Indiadavidjhones387
Discover the benefits of outsourcing SEO to India! From cost-effective services and expert professionals to round-the-clock work advantages, learn how your business can achieve digital success with Indian SEO solutions.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Ready to Unlock the Power of Blockchain!Toptal Tech
Imagine a world where data flows freely, yet remains secure. A world where trust is built into the fabric of every transaction. This is the promise of blockchain, a revolutionary technology poised to reshape our digital landscape.
Toptal Tech is at the forefront of this innovation, connecting you with the brightest minds in blockchain development. Together, we can unlock the potential of this transformative technology, building a future of transparency, security, and endless possibilities.
6. Pool corruption
• Pools are memory regions for kernel mode code
• Used by drivers and kernel software
• Standard heap management
• Minimal protection, performance optimization
• Pool corruption: writing over the end of your allocated region
8. Attacking the pool (I)
• Windows file sharing listens on port 445 for incoming SMB connections
• Network stack is kernel mode code (srvnet.sys)
• Incoming network data is stored in a kernel mode buffer from the non-paged pool
• Problem: heap allocation 'fills the holes'
9. Attacking the pool (II)
• Approach: allocate large chunks in the pool
• Leads to 'de-randomization'
• Large chunks become aligned one after the other
• Exploit triggers this by opening multiple SMB connections and sending large packets (grooming)
10. Overflow
• Send large initial SMB1 packet
• Kernel needs to store received data
• srvnet.sys allocates space in the non-paged pool
• Grooming
• First connection is closed, leaving an adjacent hole
• Sending of overflow data, hole is used
11. Overflow
• Overflow overwrites SMB data structure stored in subsequent memory
• struct SRVNET_POOLHDR
• Contains a pointer that is called when finalizing an SMB request
• If the accidental overwriting is done right, then the callback target is the data we sent before
• Close connection, kernel stack calls our function
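The pool-corruption mechanism the slides describe, reduced to a toy user-space model as an added example (not from the slides, WannaCry, or any Windows kernel code): a fixed arena holds a request-data chunk immediately followed by an adjacent header that carries a finalize callback, the unchecked receive path copies whatever length the sender supplied and clobbers that header, the bounds-checked path rejects the message, and a pointer-integrity check tells the two states apart. All names, sizes and the message bytes are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy "pool": a flat byte arena in which a data chunk of
   DATA_CHUNK bytes is immediately followed by the next allocation's
   header, mirroring the adjacent layout the slides describe. */
#define POOL_BYTES  128
#define DATA_CHUNK  64
#define HDR_OFFSET  DATA_CHUNK   /* adjacent header starts right after the data chunk */

typedef void (*finalize_fn)(void);

/* The legitimate callback the header is supposed to point at. */
static void legit_finalize(void) {}

/* Hypothetical header of the adjacent allocation (not the real
   SRVNET_POOLHDR layout): a tag plus the finalize callback. */
struct toy_hdr {
    uint32_t    tag;
    finalize_fn on_finalize;
};

struct toy_pool {
    unsigned char bytes[POOL_BYTES];
};

/* Zero the arena and install a valid header after the data chunk. */
static void pool_init(struct toy_pool *p) {
    struct toy_hdr h = { 0x50444852u, legit_finalize };
    memset(p->bytes, 0, sizeof p->bytes);
    memcpy(p->bytes + HDR_OFFSET, &h, sizeof h);
}

/* Read back the callback pointer currently stored in the adjacent header. */
static finalize_fn pool_callback(const struct toy_pool *p) {
    struct toy_hdr h;
    memcpy(&h, p->bytes + HDR_OFFSET, sizeof h);
    return h.on_finalize;
}

/* Vulnerable receive path: the only check is against the whole arena,
   so a message longer than DATA_CHUNK spills into the adjacent header. */
static int receive_unchecked(struct toy_pool *p, const unsigned char *body, size_t len) {
    if (len > POOL_BYTES) return -1;
    memcpy(p->bytes, body, len);
    return 0;
}

/* Hardened receive path: anything that does not fit the data chunk is rejected. */
static int receive_checked(struct toy_pool *p, const unsigned char *body, size_t len) {
    if (len > DATA_CHUNK) return -1;
    memcpy(p->bytes, body, len);
    return 0;
}

/* Integrity check a defender can run before ever invoking the callback. */
static int header_intact(const struct toy_pool *p) {
    return pool_callback(p) == legit_finalize;
}

/* Feeds a constructed oversized message (80 bytes of 'A') through the
   unchecked path; returns 1 when the adjacent header was clobbered. */
int unchecked_path_corrupts_header(void) {
    struct toy_pool p;
    unsigned char big[DATA_CHUNK + 16];
    memset(big, 'A', sizeof big);
    pool_init(&p);
    if (receive_unchecked(&p, big, sizeof big) != 0) return 0;
    return !header_intact(&p);
}

/* Same message through the checked path; returns 1 when it is rejected
   and the header is still pointing at the legitimate callback. */
int checked_path_keeps_header(void) {
    struct toy_pool p;
    unsigned char big[DATA_CHUNK + 16];
    int rc;
    memset(big, 'A', sizeof big);
    pool_init(&p);
    rc = receive_checked(&p, big, sizeof big);
    return rc == -1 && header_intact(&p);
}

int main(void) {
    printf("unchecked path corrupts adjacent header: %d\n", unchecked_path_corrupts_header());
    printf("checked path keeps header intact:        %d\n", checked_path_keeps_header());
    return 0;
}
```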