Runtime Verification of Linux Kernel Security Module
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Astra Linux Special Edition
ОПЕРАЦИОННАЯ СИСТЕМА СПЕЦИАЛЬНОГО НАЗНАЧЕНИЯ ASTRA LINUX SPECIAL EDITION ОБЩИЕ СВЕДЕНИЯ ОБ ОПЕРАЦИОННОЙ СИСТЕМЕ ПОДДЕРЖИВАЕМЫЕ АППАРАТНЫЕ ПЛАТФОРМЫ Операционная система Операционная система общего назначения специального назначения Релиз «Орел» Релиз «Смоленск» Релиз «Новороссийск» Релиз «Мурманск» Релиз «Керчь» Релиз «Севастополь» Мэйнфреймы IBM ЭВМ с процессорами х86-64 ЭВМ с процессорами ARM PowerPC MIPS System Z УЧАСТНИКИ ПРОЕКТА ПАТЕНТ АО «НПО РусБИТех» ООО «РусБИТех-Астра» Академия ФСБ ИСП РАН России Включена в Единый реестр российских Включена Минкомсвязь России программ для электронных вычислительных в отраслевые стандарты машин и баз данных Минкомсвязи России госкорпораций в 2015 г. СЕРТИФИКАТЫ СООТВЕТСТВИЯ Принята на снабжение ФСБ ФСТЭК Минобороны ВС РФ России России России в 2013 г. Виды защищаемой информации Коммерческая тайна Персональные данные Государственная тайна СОСТАВ ОПЕРАЦИОННОЙ СИСТЕМЫ ПОЛЬЗОВАТЕЛЬСКИЕ ПРИЛОЖЕНИЯ СЕРВЕРНЫЕ ПРИЛОЖЕНИЯ СРЕДСТВА РАБОТЫ С ДОКУМЕНТАМИ СИСТЕМА УПРАВЛЕНИЯ КОМПЛЕКС ПРОГРАММ ПЕЧАТИ БАЗАМИ ДАННЫХ И МАРКИРОВКИ ДОКУМЕНТОВ Редактор Текстовый Редактор Редактор СЕРВЕР СУБД редактор электронных таблиц презентаций векторной графики Сервер печати СРЕДСТВА ЭЛЕКТРОННОЙ ПОЧТЫ КОМПЛЕКС ПРОГРАММ ЭЛЕКТРОННОЙ ПОЧТЫ THUNDERBIRD IMAP сервер EXIM4 – агент кроссплатформенная программа для работы доставки передачи почтовых с электронной почтой и группами новостей почтовых сообщений. сообщений SMTP сервер ВСТРОЕННЫЕ СРЕДСТВА ЗАЩИТЫ ИНФОРМАЦИИ WEB-БРАУЗЕР WEB-СЕРВЕР ОТ НЕСАНКЦИОНИРОВАННОГО FIREFOX надёжный и гибкий -
Have You Driven an Selinux Lately? an Update on the Security Enhanced Linux Project
Have You Driven an SELinux Lately? An Update on the Security Enhanced Linux Project James Morris Red Hat Asia Pacific Pte Ltd [email protected] Abstract All security-relevant accesses between subjects and ob- jects are controlled according to a dynamically loaded Security Enhanced Linux (SELinux) [18] has evolved mandatory security policy. Clean separation of mecha- rapidly over the last few years, with many enhancements nism and policy provides considerable flexibility in the made to both its core technology and higher-level tools. implementation of security goals for the system, while fine granularity of control ensures complete mediation. Following integration into several Linux distributions, SELinux has become the first widely used Mandatory An arbitrary number of different security models may be Access Control (MAC) scheme. It has helped Linux to composed (or “stacked”) by SELinux, with their com- receive the highest security certification likely possible bined effect being fully analyzable under a unified pol- for a mainstream off the shelf operating system. icy scheme. SELinux has also proven its worth for general purpose Currently, the default SELinux implementation com- use in mitigating several serious security flaws. poses the following security models: Type Enforcement (TE) [7], Role Based Access Control (RBAC) [12], While SELinux has a reputation for being difficult to Muilti-level Security (MLS) [29], and Identity Based use, recent developments have helped significantly in Access Control (IBAC). These complement the standard this area, and user adoption is advancing rapidly. Linux Discretionary Access Control (DAC) scheme. This paper provides an informal update on the project, With these models, SELinux provides comprehensive discussing key developments and challenges, with the mandatory enforcement of least privilege, confidential- aim of helping people to better understand current ity, and integrity. -
Addressing Challenges in Automotive Connectivity: Mobile Devices, Technologies, and the Connected Car
2015-01-0224 Published 04/14/2015 Copyright © 2015 SAE International doi:10.4271/2015-01-0224 saepcelec.saejournals.org Addressing Challenges in Automotive Connectivity: Mobile Devices, Technologies, and the Connected Car Patrick Shelly Mentor Graphics Corp. ABSTRACT With the dramatic mismatch between handheld consumer devices and automobiles, both in terms of product lifespan and the speed at which new features (or versions) are released, vehicle OEMs are faced with a perplexing dilemma. If the connected car is to succeed there has to be a secure and accessible method to update the software in a vehicle's infotainment system - as well as a real or perceived way to graft in new software content. The challenge has become even more evident as the industry transitions from simple analog audio systems which have traditionally served up broadcast content to a new world in which configurable and interactive Internet- based content rules the day. This paper explores the options available for updating and extending the software capability of a vehicle's infotainment system while addressing the lifecycle mismatch between automobiles and consumer mobile devices. Implications to the design and cost of factory installed equipment will be discussed, as will expectations around the appeal of these various strategies to specific target demographics. CITATION: Shelly, P., "Addressing Challenges in Automotive Connectivity: Mobile Devices, Technologies, and the Connected Car," SAE Int. J. Passeng. Cars – Electron. Electr. Syst. 8(1):2015, doi:10.4271/2015-01-0224. INTRODUCTION be carefully taken into account. The use of app stores is expected to grow significantly in the coming years as automotive OEMs begin to Contemporary vehicle infotainment systems face an interesting explore apps not only on IVI systems, but on other components of the challenge. -
L'evoluzione Di Linux Eserved@D = *@Let@Token Width=6.5Em]Figs
L’evoluzione di Linux Centro Ricerche Frascati 11 febbraio 2013 Marco Cesati Università di Roma Tor Vergata Marco Cesati (Università di Roma Tor Vergata) L’evoluzione di Linux 1 / 29 Marco Cesati (Università di Roma Tor Vergata) L’evoluzione di Linux 2 / 29 • Promuovere la scrittura e la diffusione del software libero • La seconda versione è del 1991, la terza versione è del 2007 • È la più diffusa licenza utilizzata per il software libero • Nel 1985 Stallman fonda la Free Software Foundation (FSF) • Nel 1989 Stallman scrive la prima versione della licenza GNU GPL (General Public License) Le motivazioni di Stallman e dei proponenti del software libero sono primariamente di ordine “etico” e a salvaguardia dei diritti degli utenti Il movimento del software libero • Nel 1983 Richard Stallman avvia il Progetto GNU (GNU’s Not Unix) • Scrivere un intero SO “libero” da diritti d’autore e licenze • Compatibile con il SO Unix • Quasi completato nei primi anni ’90: manca solo il nucleo del SO Marco Cesati (Università di Roma Tor Vergata) L’evoluzione di Linux 3 / 29 • La seconda versione è del 1991, la terza versione è del 2007 • È la più diffusa licenza utilizzata per il software libero • Nel 1989 Stallman scrive la prima versione della licenza GNU GPL (General Public License) Le motivazioni di Stallman e dei proponenti del software libero sono primariamente di ordine “etico” e a salvaguardia dei diritti degli utenti Il movimento del software libero • Nel 1983 Richard Stallman avvia il Progetto GNU (GNU’s Not Unix) • Scrivere un intero SO “libero” -
Proceedings of the Linux Symposium
Proceedings of the Linux Symposium Volume One June 27th–30th, 2007 Ottawa, Ontario Canada Contents The Price of Safety: Evaluating IOMMU Performance 9 Ben-Yehuda, Xenidis, Mostrows, Rister, Bruemmer, Van Doorn Linux on Cell Broadband Engine status update 21 Arnd Bergmann Linux Kernel Debugging on Google-sized clusters 29 M. Bligh, M. Desnoyers, & R. Schultz Ltrace Internals 41 Rodrigo Rubira Branco Evaluating effects of cache memory compression on embedded systems 53 Anderson Briglia, Allan Bezerra, Leonid Moiseichuk, & Nitin Gupta ACPI in Linux – Myths vs. Reality 65 Len Brown Cool Hand Linux – Handheld Thermal Extensions 75 Len Brown Asynchronous System Calls 81 Zach Brown Frysk 1, Kernel 0? 87 Andrew Cagney Keeping Kernel Performance from Regressions 93 T. Chen, L. Ananiev, and A. Tikhonov Breaking the Chains—Using LinuxBIOS to Liberate Embedded x86 Processors 103 J. Crouse, M. Jones, & R. Minnich GANESHA, a multi-usage with large cache NFSv4 server 113 P. Deniel, T. Leibovici, & J.-C. Lafoucrière Why Virtualization Fragmentation Sucks 125 Justin M. Forbes A New Network File System is Born: Comparison of SMB2, CIFS, and NFS 131 Steven French Supporting the Allocation of Large Contiguous Regions of Memory 141 Mel Gorman Kernel Scalability—Expanding the Horizon Beyond Fine Grain Locks 153 Corey Gough, Suresh Siddha, & Ken Chen Kdump: Smarter, Easier, Trustier 167 Vivek Goyal Using KVM to run Xen guests without Xen 179 R.A. Harper, A.N. Aliguori & M.D. Day Djprobe—Kernel probing with the smallest overhead 189 M. Hiramatsu and S. Oshima Desktop integration of Bluetooth 201 Marcel Holtmann How virtualization makes power management different 205 Yu Ke Ptrace, Utrace, Uprobes: Lightweight, Dynamic Tracing of User Apps 215 J. -
Demystifying Internet of Things Security Successful Iot Device/Edge and Platform Security Deployment — Sunil Cheruvu Anil Kumar Ned Smith David M
Demystifying Internet of Things Security Successful IoT Device/Edge and Platform Security Deployment — Sunil Cheruvu Anil Kumar Ned Smith David M. Wheeler Demystifying Internet of Things Security Successful IoT Device/Edge and Platform Security Deployment Sunil Cheruvu Anil Kumar Ned Smith David M. Wheeler Demystifying Internet of Things Security: Successful IoT Device/Edge and Platform Security Deployment Sunil Cheruvu Anil Kumar Chandler, AZ, USA Chandler, AZ, USA Ned Smith David M. Wheeler Beaverton, OR, USA Gilbert, AZ, USA ISBN-13 (pbk): 978-1-4842-2895-1 ISBN-13 (electronic): 978-1-4842-2896-8 https://doi.org/10.1007/978-1-4842-2896-8 Copyright © 2020 by The Editor(s) (if applicable) and The Author(s) This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Open Access This book is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made. The images or other third party material in this book are included in the book’s Creative Commons license, unless indicated otherwise in a credit line to the material. -
Teaching Operating Systems Concepts with Systemtap
Session 8B: Enhancing CS Instruction ITiCSE '17, July 3-5, 2017, Bologna, Italy Teaching Operating Systems Concepts with SystemTap Darragh O’Brien School of Computing Dublin City University Glasnevin Dublin 9, Ireland [email protected] ABSTRACT and their value is undoubted. However, there is room in introduc- e study of operating systems is a fundamental component of tory operating systems courses for supplementary approaches and all undergraduate computer science degree programmes. Making tools that support the demonstration of operating system concepts operating system concepts concrete typically entails large program- in the context of a live, real-world operating system. ming projects. Such projects traditionally involve enhancing an is paper describes how SystemTap [3, 4] can be applied to existing module in a real-world operating system or extending a both demonstrate and explore low-level behaviour across a range pedagogical operating system. e laer programming projects rep- of system modules in the context of a real-world operating sys- resent the gold standard in the teaching of operating systems and tem. SystemTap scripts allow the straightforward interception of their value is undoubted. However, there is room in introductory kernel-level events thereby providing instructor and students alike operating systems courses for supplementary approaches and tools with concrete examples of operating system concepts that might that support the demonstration of operating system concepts in the otherwise remain theoretical. e simplicity of such scripts makes context of a live, real-world operating system. is paper describes them suitable for inclusion in lectures and live demonstrations in an approach where the Linux monitoring tool SystemTap is used introductory operating systems courses. -
Red Hat Enterprise Linux 7 Systemtap Beginners Guide
Red Hat Enterprise Linux 7 SystemTap Beginners Guide Introduction to SystemTap William Cohen Don Domingo Jacquelynn East Red Hat Enterprise Linux 7 SystemTap Beginners Guide Introduction to SystemTap William Cohen Red Hat Performance Tools [email protected] Don Domingo Red Hat Engineering Content Services [email protected] Jacquelynn East Red Hat Engineering Content Services [email protected] Legal Notice Copyright © 2014 Red Hat, Inc. and others. This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed. Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law. Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries. Linux ® is the registered trademark of Linus Torvalds in the United States and other countries. Java ® is a registered trademark of Oracle and/or its affiliates. XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries. MySQL ® is a registered trademark of MySQL AB in the United States, the European Union and other countries. Node.js ® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project. -
A Framework for Prototyping and Testing Data-Only Rootkit Attacks
1 A Framework for Prototyping and Testing Data-Only Rootkit Attacks Ryan Riley [email protected] Qatar University Doha, Qatar Version 1.0 This is a preprint of the paper accepted in Elsevier Computers & Security Abstract—Kernel rootkits—attacks which modify a running of 25 rootkit attacks to test with, but end up stating, “Of operating system kernel in order to hide an attacker’s presence— the 25 that we acquired, we were able to install 18 in our are significant threats. Recent advances in rootkit defense tech- virtual test infrastructure. The remainder either did not support nology will force rootkit threats to rely on only modifying kernel data structures without injecting and executing any new our test kernel version or would not install in a virtualized code; however these data-only kernel rootkit attacks are still environment.” In [2], the authors test with 16 Linux rootkits, both realistic and powerful. In this work we present DORF, a but only 12 of them overlap with [1]. In [3], the authors give framework for prototyping and testing data-only rootkit attacks. no results that involved testing with rootkit attacks. DORF is an object-oriented framework that allows researchers to As another example, in our own work involving kernel construct attacks that can be easily ported between various Linux distributions and versions. The current implementation of DORF rootkit defense [2], [4], [5], [6] we found ourselves locked in contains a group of existing and new data-only attacks, and the to an older version of Linux due to the rootkits we planned to portability of DORF is demonstrated by porting it to 6 different test with. -
Linux Kernel Debugging and Security (Lfd440)
Contact Us [email protected] HOME > COURSE CATALOG > LINUX FOUNDATION > SECURITY > LINUX KERNEL DEBUGGING AND SECURITY (LFD440) Linux Kernel Debugging and Security (LFD440) DURATION 4 Days COURSE LNX-LFD440 AVAILABLE FORMATS Classroom Training, Online Training Course Description Overview Learn the methods and internal infrastructure of the Linux kernel. This course focuses on the important tools used for debugging and monitoring the kernel, and how security features are implemented and controlled. Objectives This four day course includes extensive hands-on exercises and demonstrations designed to give you the necessary tools to develop and debug Linux kernel code. Students will walk away from this course with a solid understanding of Linux kernel. debugging techniques and tools. Audience 9/27/2021 1 of 11 1:47:42 PM This course is for experienced developers who need to understand the methods and internal infrastructure of the Linux kernel. Prerequisites To make the most of this course, you should: Be proficient in the C programming language; Be familiar with basic Linux (UNIX) utilities such as ls, grep and tar; Be comfortable using any of the available text editors (e.g. emacs, vi, etc.); Experience with any major Linux distribution is helpful but not strictly required; Have experience equivalent to having taken : Linux Kernel Internals and Development. Topics Introduction Objectives Who You Are The Linux Foundation Linux Foundation Training Certification Programs and Digital Badging Linux Distributions Platforms Preparing Your System -
SUSE Linux Enterprise Server 12 SP4 System Analysis and Tuning Guide System Analysis and Tuning Guide SUSE Linux Enterprise Server 12 SP4
SUSE Linux Enterprise Server 12 SP4 System Analysis and Tuning Guide System Analysis and Tuning Guide SUSE Linux Enterprise Server 12 SP4 An administrator's guide for problem detection, resolution and optimization. Find how to inspect and optimize your system by means of monitoring tools and how to eciently manage resources. Also contains an overview of common problems and solutions and of additional help and documentation resources. Publication Date: September 24, 2021 SUSE LLC 1800 South Novell Place Provo, UT 84606 USA https://documentation.suse.com Copyright © 2006– 2021 SUSE LLC and contributors. All rights reserved. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”. For SUSE trademarks, see https://www.suse.com/company/legal/ . All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its aliates. Asterisks (*) denote third-party trademarks. All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its aliates, the authors nor the translators shall be held liable for possible errors or the consequences thereof. Contents About This Guide xii 1 Available Documentation xiii -
Verification of Operating Systems
SYRCoSE-2016 Krasnovidovo, Moscow Region 30 May 2016 Verification of Operating Systems Alexey Khoroshilov [email protected] Institute for System Programming of the Russian Academy of Sciences Operating Systems User-space Applications System System Operating Utilities Libraries Services System Signals, Special System Memory updates, File Systems Calls Scheduling, ... Kernel Kernel-space Kernel Modules Kernel Threads Device Drivers Kernel Core (mmu, scheduler, IPC) Interrupts, DMA IO Memory/IO Ports Hardware Embedded Operating Systems Operating System Drivers APEX POSIX System App App Services libARINC libPOSIX libSYSTEM User-Space Kernel-Space System Calls System Calls Kernel (mmu,scheduler,ipc) System Services ArchLib BSP Drivers Interrupts, DMA IO Memory / IO Ports Target System Hardware Host System Build System Configuration Static Verification Runtime Verification Static Verification Runtime Verification + All paths at once – One path only Static Verification Runtime Verification + All paths at once – One path only + Hardware, test data and – Hardware, test data and test environment is not test environment is required required Static Verification Runtime Verification + All paths at once – One path only + Hardware, test data and – Hardware, test data and test environment is not test environment is required required – There are false positives + Almost no false positives Static Verification Runtime Verification + All paths at once – One path only + Hardware, test data and – Hardware, test data and test environment is not test environment is required required – There are false positives + Almost no false positives – Checks for predefined + The only way to show set of bugs only the code actually works Verification Approaches all kinds of bugs One 1 kind test bugs in 1 execution in all executions Operating Systems User-space Applications System System Operating Utilities Libraries Services System Signals, Special System Memory updates, File Systems Calls Scheduling, ..