Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

OS Dependability [clear filter]
Tuesday, October 27

13:00 GMT

Getting to Know Spectre & Meltdown Checker - Agata Gruza, Intel & Stéphane Lesimple, OVHcloud
Spectre & Meltdown Checker is a widely used open source hardware vulnerability checker tool. This simple to use application evaluates your system’s exposure to speculative execution side channel issues and detects the presence of security mitigations on your system. It is compatible with BSD and all Linux* flavors and distributions, and can be used on-premises, in virtual environments, and in containers.

In this session we'll take a trip back to early 2018, when Spectre & Meltdown changed the landscape of the IT security for years to come, which made this Spectre & Meltdown Checker a necessity. You will learn the process of contributing to Spectre & Meltdown Checker (what needs to be done between discovering a CVE vulnerability and pushing a patch to address the CVE to the public main repo). We will go over CVE nomenclature for new CPU vulnerabilities, creating a list of unaffected processors, new hardware capabilities, and the patch itself. From there Agata will cover steps on how to install the checker script, and then how to review and read the output from the tool. She will wrap up with what to do if you discover a vulnerability in your system.

avatar for Agata Gruza

Agata Gruza

Lead Performance Engineer, Intel
Agata Gruza has been at Intel for over 5 years working on performance optimizations of Big Data frameworks like Cassandra, Spark, and Hadoop for Intel Architecture. Currently she is a Lead Performance Engineer and focuses on Linux kernel software mitigation. Agata is a Google (Android... Read More →

Tuesday October 27, 2020 13:00 - 13:50 GMT
OS Dependability Theater

16:15 GMT

Demystifying Open Source Crash Reporter: An In-depth Security Analysis - Seong-Joong Kim, National Security Research Institute
Software vendors provide crash reporter to automatically collect crash reports from users to facilitate efficient handling of crash of their products. The crash reporter should be secure and reliable due to the fact that it handles sensitive information, such as core dump that captures the CPU context and memory contents of the crashed program, and helps to address the issue of crashed program. Unfortunately, several security flaws have been reported to the various crashing reporter for Windows, Mac OS X, Linux, Mozilla, etc. In this talk, Seong-Joong Kim will address security problems that reside in popular open source project for crash reporter. After auditing the source code, he found several flaws in the project, caused by unrestricted file upload vulnerability. When it allows the upload of an arbitrary crash report and the attacker may overflow a buffer on heap-memory, unhandled exception or cause resource exhaustion, which may lead to dreadful consequences. He will demonstrate those attacks and share the steps for improving security of the crash reporter.

avatar for Seong-Joong Kim

Seong-Joong Kim

Security Researcher, National Security Research Institute
Seong-Joong Kim is a member of research staff at the National Security Research Institute. Prior to that, he was a researcher at TmaxSoft R&D Center for alternative service as mandatory military service duty. Also, he interned at Samsung Electronics in the capacity of a Software Engineer... Read More →

Tuesday October 27, 2020 16:15 - 17:05 GMT
OS Dependability Theater

Twitter Feed