Loading…
Timezone

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Intermediate [clear filter]
Monday, October 26
 

13:00 GMT

K8S on the Edge: An Arm-based Implementation of Image Recognition - Thorsten Kukuk & John von Voros, SUSE
This session will discuss the many benefits of deploying Edge workloads with Kubernetes and containers.   In addition, we’ll give a demo on how to install and perform image classification using a 4-node Raspberry Pi-based cluster.
Speakers
avatar for Thorsten Kukuk

Thorsten Kukuk

Distinguished Engineer, SUSE
Thorsten is working since over 20 years for SUSE, he is a Distinguished Engineer, Senior Architect for SLES and MicroOS and leading the Future Technology Team. He started his Open Source Career about 25 years ago.
avatar for John von Voros

John von Voros

Director – Cloud Solutions, SUSE
John is currently focused on building the ecosystem around Edge Computing using SUSE’s industry-leading enterprise Linux expertise combined with low-footprint Kubernetes container technology.  His goal is to remove complexity and cost while simplifying all aspects of deploying... Read More →

Kubernetes at the Edge pdf
Monday October 26, 2020 13:00 - 13:50 GMT
Cloud Theater
  Cloud + Cloud Native

13:00 GMT

Solving the Twelve Year Old ftrace Time Stamp Puzzle - Steven Rostedt, VMware
Since 2008, the ftrace ring buffer inside the Linux kernel has been used to debug numerous issues. With recording events within nanoseconds, it's streamlined processing that keeps overhead very low, hard to debug areas of Linux can easily be traced. It works in all sorts of context including non-maskable-interrupts (NMIs), that makes it an ideal debugging tool. With its incorporated timestamp counter, it can show how long functions last, or time the latency between events.

But this timestamp had a flaw for all these years; It would not give time deltas for events recorded in a context that interrupted the recording of another event on the buffer. This issue has now been solved.

This talk will go over why it was so difficult to solve the nested event timestamp issue, and then a step by step dive into its solution. If you like to geek-out over hard to solve problems, and then see how they are eventually solved, you will enjoy watching this talk.
Speakers
avatar for Steven Rostedt

Steven Rostedt

Open Source Engineer, VMWare, Inc.
Steven has been working on the Linux kernel since 1998 (started while working on his masters). He has been working on the Linux kernel professionally since 2001. Steven is one of the original developers of the PREEMPT_RT patch which turns Linux into a true real-time operating system... Read More →

oss eu 2020 ftrace ring buff nested timestamp pdf
Monday October 26, 2020 13:00 - 13:50 GMT
Linux Systems Theater
  Linux Systems
 
Wednesday, October 28
 

16:15 GMT

Software Quality and Testing – Recognize and Fix the Risks - Boris Cipot, Synopsys
Software development is continually changing and in doing so, it is becoming more complex. To keep up with this evolution the landscape of development, testing tools and security requirements have all progressed. Development teams are finding themselves under more pressure, to not only build quality software with tight time pressures, but ensuring it is compliant with both internal and external standards, for example GDPR. In this session, we will look at what these problems are and how you can combat them.

Key takeaways:
  • Understand what are the problems are in today’s software development and testing
  • Understand solutions for secure software development and testing
  • How to find vulnerabilities and other risks earlier in the software development lifecycle
  • How to reduce operational, security and license compliance risk

What will we talk about:
  • What are today's problems in Software testing?
  • Why is it so hard to keep the quality of the software high?
  • What to consider when using tools as a solution?
  • What is SCA and why it matters?
Speakers
avatar for Boris Cipot

Boris Cipot

Senior Security Engineer, Synopsys
Boris Cipot is a senior security engineer at Synopsys. He helps companies of all shapes and sizes to create secure software. Boris joined Synopsys when Black Duck Software was acquired in 2017.  He specializes in open source software security, robotics, and artificial intelligence... Read More →

Wednesday October 28, 2020 16:15 - 17:05 GMT
OS Dependability Theater
  OS Dependability
 
Thursday, October 29
 

13:05 GMT

Block Me if You Can: Subverting IMA - Tobias Mueller, University of Hamburg
This presentation investigates the resilience of IMA against malicious block devices. While it is not too surprising that all hope is lost if the hardware betrays you, we note that reprogramming hard-disk controllers is still relatively easy and the results may surprise some who sought to protect their machines with IMA. We find that users, in particular in the domain of critical infrastructure, may be susceptible in ways they have not considered. In this presentation, we demonstrate that the security guarantees of IMA can be undermined by way of a specially-crafted malicious block device, which delivers different data depending on whether the block has already been accessed. We extensively analyse the conditions which allow the attack to be launched and discuss how the attack affects certain use cases of IMA and discuss potential mitigations.
Speakers
TM

Tobias Mueller

Academic, University of Hamburg
Tobias is a German Free Software advocate, former member of the GNOME Foundation's Board of Directors, and Pythonista. He acquired a Masters degree in Security and Forensic computing from Dublin, is now working in the area of applied cryptography, and loves to build and break stuff... Read More →

2020 10 Linux Security Summit Subverting IMA pdf
Thursday October 29, 2020 13:05 - 13:50 GMT
LSS Theater
  Linux Security Summit (LSS)

14:00 GMT

Kernel Integrity Enforcement with HLAT In a Virtual Machine - Chao Gao, Intel Corporation
Some VMMs are using virtualization technology to enhance guest kernel security. Enforcing guest kernel integrity is a topic that has been explored many times. Read-only page where guest kernel locates can help to prevent tampering but cannot effectively prevent “remapping” attacks which edit guest page table to hijack control flow. Some solutions have to introduce complex mechanism (for example, track all guest page table changes somehow) to defend against “remapping” attack at the cost of performance. Hypervisor-manage linear address translation (HLAT), a new extension to Intel VT-x, provides an efficient solution to enforce guest kernel integrity. This presentation will analyze the challenges in kernel integrity enforcement, then describe how to enforce kernel integrity in a virtual machine with HLAT.
Speakers
CG

Chao Gao

Cloud Software Engineer, Intel
Chao has work for Intel for 4 years as a software engineer. He is responsible for enabling new Intel virtualization features in KVM/Xen and is familiar with interrupt virtualization, performance tuning and virtualization base security. Currently, Chao is working on using HLAT to enhance... Read More →

LSSEU20 kernel integrity enforcement with HLAT in a virtual machine v3 pdf
Thursday October 29, 2020 14:00 - 14:30 GMT
LSS Theater
  Linux Security Summit (LSS)

14:40 GMT

Introducing TPM NV Storage with E/A Policies and TSS-FAPI - Andreas Fuchs, Fraunhofer SIT
The TPM contains two major features; a certain amount of NV memory and the so-called Enhanced Authorization framework. The former can be configured as simple storage, but also as monotonic counter, or bitfield. The latter can be used to implement fine-grained access policies for access TPM objects, such as NV memory. This presentation will give an introduction into these concepts and demonstrates how the features of TPM NV and E/A policies can easily be used via the TPM Software Stacks's (TSS) Feature API (FAPI). This API includes a declarative language and processing engine for TPM E/A policies which for the first time make their use very easy. In order to illustrate their usefulness, a set of example use cases and configurations, such as WriteOnceReadMany (WORM) storage (for device serial numbers) or role-based access on a per-operation level for NV storage will be presented.
Speakers
AF

Andreas Fuchs

Head of Trustworthy Platform, Fraunhofer SIT
Andreas Fuchs is a TPM and OpenSource enthusiast involved with TCG. He is a maintainer of the OpenSource TPM Software Stack (TSS) 2.0, the tpm2tss OpenSSL engine and the tpm2-totp project. Andreas Fuchs studied computer science at the Technische Universität Darmstadt and the University... Read More →

Oct 29 Introducing TPM NV Storage with EA Policies and TSS FAPI Andreas Fuchs pdf
Thursday October 29, 2020 14:40 - 15:25 GMT
LSS Theater
  Linux Security Summit (LSS)

15:40 GMT

Architectural Extensions for Hardware Virtual Machine Isolation to Advance Confidential Computing in Public Clouds - Ravi Sahita & Jun Nakajima, Intel Corporation
Confidential computing focuses on data-in-use protection - a large volume of sensitive data-in-use is processed in public clouds, where the trusted computing base (TCB) is large including hypervisors, host operating system, operators, orchestration software, devices (with firmware), and BIOS. This talk describes the architectural extensions (CPU and platform) to enable hardware-isolated virtual machines for confidential computing in an untrustworthy public cloud environment. The proposed architecture enables the TCB of the cloud environment to be reduced substantially while providing the ability to shift existing applications without recompilation. The talk will describe the platform capabilities to address the threats and security objectives, starting with a threat model and will discuss future requirements for an increasingly heterogeneous computing environment with diverse workloads.
Speakers
avatar for Jun Nakajima

Jun Nakajima

Sr. Principal Engineer, Intel Corp.
Jun Nakajima is a Senior Principal Engineer at the Intel Open Source Technology Center, leading open source virtualization, such as KVM and Xen. Jun presented a number of times at technical conferences, including KVM Forum, Xen Summit, LinuxCon, OpenStack Summit, and USENIX. He has... Read More →
avatar for Ravi Sahita

Ravi Sahita

Sr. Principal Engineer and Security Architect, Intel Corp.
Ravi Sahita is a Senior Principal Engineer at Intel in the Data Platforms Group. He has 20 years of experience in computer security, hardware virtualization, systems and platform software, CPU ISA and applying machine learning for security. His current focus is on architecture development... Read More →

Thursday October 29, 2020 15:40 - 16:25 GMT
LSS Theater
  Linux Security Summit (LSS)

16:40 GMT

Network File System Security Overview: Securing SMB3 - Steven French, Microsoft
Network file systems on Linux present challenging security problems, especially as data moves to the cloud and clustered storage. This presentation will provide an overview of security considerations, focusing on the most popular file system protocol (SMB3), its security features, and areas its integration with Linux security components. Access to storage over these protocols is often encrypted, and relies on other security protocols for authentication, verifying claims and id mapping. Integration with future security protocols will be needed, and also finding better interfaces to map a user's identity among the 4 ways it is represented in Linux (username, POSIX UID, SID, OID). As more data moves to remote storage, the importance of network file system security becomes more critical. This presentation will discuss where we are and areas where additional improvements are needed.
Speakers
SF

Steven French

Principal Software Engineer - Azure Storage, Microsoft
Steve French is a member of the Samba team, and Principal Software Engineer at Microsoft (Azure Storage), and long time maintainer (as well as original author) of one of the more active Linux file systems (cifs.ko), and a frequent presenter at SMB and storage conferences (including... Read More →

LSS Europe SMB3 Security smf slides pdf
Thursday October 29, 2020 16:40 - 17:25 GMT
LSS Theater
  Linux Security Summit (LSS)
 
Friday, October 30
 

13:00 GMT

State of the User Namespace - Stephane Graber & Christian Brauner, Canonical
The user namespace first started off as a way to run safer containers, preventing trivial container escapes and privilege escalations. It has since evolved into a versatile tool used by container managers as well as a growing number of other software, ranging from network services to web browsers. In this talk we'll go over the main characteristics of the user namespace, its current uses, recent improvements and new features as well as going over some of the upcoming work on it.
Speakers
avatar for Stéphane Graber

Stéphane Graber

Project leader for LXD, LXC and LXCFS, Canonical Ltd.
Stéphane Graber is the engineering manager for the LXD team at Canonical Ltd. He is the upstream project leader for LXC and LXD and a frequent speaker and track leader at events related to containers and Linux. Stéphane is also a longtime contributor to the Ubuntu Linux distribution... Read More →
avatar for Christian Brauner

Christian Brauner

Senior Software Engineer, Canonical
Christian Brauner is a kernel developer and maintainer of the LXD and LXC projects currently working at Canonical. He works mostly upstream on the Linux Kernel maintaining various bits and pieces. He is strongly committed to working in the open, and an avid proponent of Free Software... Read More →

2020 LSS EU State of the User Namespace pdf
Friday October 30, 2020 13:00 - 13:45 GMT
LSS Theater
  Linux Security Summit (LSS)

14:00 GMT

TBOOT and Secure Boot Coexistence to Launch OS Even More Securely - Łukasz Hawryłko, Intel Corporation
Intel TXT is a D-RTM technology that allows to set-up trusted environment by measuring boot process components. Measurements, stored in TPM, can be verified by local or remote attestation to detect any inconsistency in the boot process. UEFI Secure Boot has a similar goal, however, it is achieved in different ways. In opposite to Intel TXT, Secure Boot is an S-RTM technology that requires to maintain trusted chain from the beginning of system power up. TBOOT is an implementation of MLE in Intel TXT dedicated for Linux kernel based OS and Xen VMM. The current version does not support Secure Boot, so there is no possibility to enable Intel TXT and Secure Boot simultaneously when using TBOOT. This presentation discusses the possibilities of enabling Secure Boot in TBOOT and what benefits come from that.
Speakers
LH

Łukasz Hawryłko

Security Engineer, Intel
I am working at Intel in BIOS Security team, where I am an architect and leading developer of TBOOT project. In my job, I am also working with Open Source community to help in enabling Intel TXT on Linux based systems.

TBOOT and SecureBoot pdf
Friday October 30, 2020 14:00 - 14:45 GMT
LSS Theater
  Linux Security Summit (LSS)

15:00 GMT

Bypassing Many Kernel Protections Using Elastic Objects - Yueqi Chen & Zhepeng Lin, Ph.D. Students
We will analyze an anecdotal exploit that demonstrates the capability of bypassing KASLR, using an elastic object in the Linux kernel implementation. We justify this exploit could be abstracted and extended as a general exploitation practice. First, the Linux kernel contains a large number of such elastic objects, by using which, nearly any kernel vulnerabilities (with an overwriting capability) could enable the adversary to easily bypass heap cookie protector, KASLR, stack canary, and even realize an arbitrary read attack. Second, we show that Linux is not the only kernel using these objects for implementation. Other OS kernels, e.g., XNU, also adopt the same practice. Third, we conclude that elastic kernel objects are perilous as they provide a new, general approach to breaking existing protection mechanisms, and thus new defense should be designed as a part of kernel hardening.
Speakers
avatar for Yueqi Chen

Yueqi Chen

Ph.D. Student, Pennsylvania State University
Yueqi (Lewis) Chen received his B.Sc degree from Nanjing University in 2017 and is currently a Ph.D. student with Dr. Xinyu Xing at Pennsylvania State University. He was awarded the IBM Ph.D. Fellowship 2020. His research focuses on OS security and vulnerability analysis. He is particularly... Read More →
ZL

Zhenpeng Lin

Ph.D. Student, Pennsylvania State University
Zhenpeng Lin is a first-year Ph.D. student advised by Dr. Xinyu Xing at Pennsylvania State University. His research focuses on vulnerability discovery and exploitation. He plays CTF a lot. As a core member of Nu1L, he won 1st place in BCTF 2017, BCTF 2018, Baidu AI CTF, WCTF Junior... Read More →

Friday October 30, 2020 15:00 - 15:45 GMT
LSS Theater
  Linux Security Summit (LSS)

16:00 GMT

Container Runtime Support for SGX and TEE Environment - Isaku Yamahata, Intel Corporation
Recently Trusted Execution Environment(TEE) is getting momentum as Linux Foundation founded Confidential Computing Consortium(CCC) and cloud service providers have already provided such environments. Container runtime support is key feature so that TEE can be easily managed in cloud environment like kubernetes. We discuss taxonomy of container support of TEE first and then how it will be implemented concretely. For example, Function-As-A-Service requir es different characteristic from normal container support, so does its design for container runtime. Lastly Graphene-LibOS Shielded Container(GSC) is introduced as concrete Example.
Speakers
avatar for Isaku Yamahata

Isaku Yamahata

Software engineer, Intel
Isaku Yamahata is a Software architect in the Open Source Technology Center, Intel. His main focus is virtualization technology, network virtualization as Software Defined Networking for multiple years. Isaku is an active on Graphene LibOS and OpenStack Neutron (networking) and has... Read More →

container runtime support uploaded pdf
Friday October 30, 2020 16:00 - 16:45 GMT
LSS Theater
  Linux Security Summit (LSS)
 

Twitter Feed