logo
ArticlesConferencesPresentations
Dates
Author
Conferences
Tags

Sort by:  

State of Intel SGX in Linux

Conference:  Linux Security Summit Europe 2022
Authors: Roman Volosatovs, Jarkko Sakkinen
2022-09-16
We go through the current state of the Intel SGX support in the Linux kernel and userland. The topics covered include the kernel interface and its features, and available confidential computing run-times supporting SGX. Since getting into the mainline kernel late 2020, the SGX software ecosystem has started to get mature enough for production, and is the only cloud-scale confidential computing technology fully in the mainline kernel so far.
Tags:
Intel SGX
linux kernel
userland
Confidential computing
run-times

HotBPF - An On-demand and On-the-fly Memory Protection for the Linux Kernel

Conference:  Linux Security Summit Europe 2022
Authors: Yueqi Chen, Zhenpeng Li
2022-09-15

tldr - powered by Generative AI

The presentation discusses the use of hard BPF for dynamic memory separation to protect against memory corruption vulnerabilities.
  • Dynamic memory separation is necessary to protect against memory corruption vulnerabilities
  • Hard BPF is a tool that can be used for dynamic memory separation
  • The hard BPF design involves an agent in the user space and a BPF program in the kernel
  • The BPF program intercepts the allocation of vulnerable objects and diverts them to a v-metal region
  • One-time allocation is guaranteed to prevent use after free exploitation techniques
Tags:
Kernel vulnerabilities
memory exploitation
linux kernel
eBPF
virtual memory allocator

Flexible Array Transformations and Array-bounds Checking

Conference:  Linux Security Summit Europe 2022
Authors: Gustavo A. R. Silva
2022-09-15

tldr - powered by Generative AI

The presentation discusses the importance of removing ambiguity from the kernel and adopting the use of flexible array members to improve security. The speaker shares their experience with transforming one-element arrays to flexible array members and the challenges they faced.
  • Flexible array members should be used instead of one-element arrays to prevent vulnerabilities
  • Transforming one-element arrays to flexible array members is time-consuming and requires careful verification
  • Sanity checking can be added to all trailing arrays through the use of a fortified main copy
  • Monitoring code check-ins can help prevent the introduction of one-element arrays
Tags:
linux kernel
self-protection
memcpy
bounds-checking