Authors: Roman Volosatovs, Jarkko Sakkinen
2022-09-16

We go through the current state of Intel SGX support in the Linux kernel and userland. The topics covered include the kernel interface and its features, and the available confidential computing run-times supporting SGX. Since getting into the mainline kernel in late 2020, the SGX software ecosystem has started to mature enough for production, and it is so far the only cloud-scale confidential computing technology fully in the mainline kernel.
Authors: Yueqi Chen, Zhenpeng Li
2022-09-15

tldr - powered by Generative AI

The presentation discusses the use of hard BPF for dynamic memory separation to protect against memory corruption vulnerabilities.
  • Dynamic memory separation is necessary to protect against memory corruption vulnerabilities
  • Hard BPF is a tool that can be used for dynamic memory separation
  • The hard BPF design involves an agent in the user space and a BPF program in the kernel
  • The BPF program intercepts the allocation of vulnerable objects and diverts them to a v-metal region
  • One-time allocation is guaranteed to prevent use-after-free exploitation techniques
Authors: Gustavo A. R. Silva
2022-09-15

tldr - powered by Generative AI

The presentation discusses the importance of removing ambiguity from the kernel and adopting the use of flexible array members to improve security. The speaker shares their experience with transforming one-element arrays to flexible array members and the challenges they faced.
  • Flexible array members should be used instead of one-element arrays to prevent vulnerabilities
  • Transforming one-element arrays to flexible array members is time-consuming and requires careful verification
  • Sanity checking can be added to all trailing arrays through the use of a fortified memcpy
  • Monitoring code check-ins can help prevent the introduction of one-element arrays
Conference:  CloudOpen 2022
Authors: Adam Sayah
2022-06-23

tldr - powered by Generative AI

The presentation discusses the use of eBPF programs in cybersecurity and DevOps, specifically in collecting and analyzing metrics for monitoring purposes.
  • eBPF programs can be used to collect valuable data from traffic operating on a system
  • Bumblebee is an example of a service that provides metrics directly on the server once run
  • Prometheus can be used to collect and analyze metrics from various sources, including eBPF programs
  • eBPF programs can be reused and deployed on multiple clusters to collect data from traffic going from one service to another
  • The Book Info demo application is used as an example to demonstrate the deployment of Prometheus to collect metrics
Conference:  ContainerCon 2022
Authors: Lin Sun
2022-06-22

tldr - powered by Generative AI

The presentation discusses the use of the open source bumblebee project to enable easy creation, running, and sharing of eBPF programs without writing any user-space code. Bumblebee harnesses Linux Kernel's observability data and allows users to focus on writing eBPF code while taking care of the user space component for them.
  • Bumblebee is an open source project that simplifies the creation, running, and sharing of eBPF programs without requiring user-space code
  • Bumblebee harnesses Linux Kernel's observability data and allows users to focus on writing eBPF code while taking care of the user space component for them
  • Bumblebee supports vbpf compatible bpf code and provides a containerized building environment
  • Bumblebee packages the eBPF program into the bumblebee oci image and creates the map for the program to interact with
  • Bumblebee allows users to run local, remote, or third-party images as long as they trust them
Conference:  ContainerCon 2022
Authors: Aviv Sasson
2022-06-22

Containers are glorified by the fact that no one can escape them, and frankly - escaping containers is a tricky and complex task that is impossible in most scenarios. Many security layers restrict the container in order to prevent an escape. But what are those layers? How do they work? What are their defaults? Can we modify them? Should we? This session will present the Linux kernel features and mechanisms that make up those layers, including Capabilities, Seccomp, SELinux, and AppArmor. It will discuss how container runtimes implement them to create a security stack that keeps the container tamed, and whether it is possible to modify them for specific use cases, while explaining the security risks of such actions.