Trustworthy Whole-System Provenance for the Linux Kernel Adam Bates, Dave (Jing) Tian, and Kevin R.B
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Have You Driven an Selinux Lately? an Update on the Security Enhanced Linux Project
Have You Driven an SELinux Lately? An Update on the Security Enhanced Linux Project James Morris Red Hat Asia Pacific Pte Ltd [email protected] Abstract All security-relevant accesses between subjects and ob- jects are controlled according to a dynamically loaded Security Enhanced Linux (SELinux) [18] has evolved mandatory security policy. Clean separation of mecha- rapidly over the last few years, with many enhancements nism and policy provides considerable flexibility in the made to both its core technology and higher-level tools. implementation of security goals for the system, while fine granularity of control ensures complete mediation. Following integration into several Linux distributions, SELinux has become the first widely used Mandatory An arbitrary number of different security models may be Access Control (MAC) scheme. It has helped Linux to composed (or “stacked”) by SELinux, with their com- receive the highest security certification likely possible bined effect being fully analyzable under a unified pol- for a mainstream off the shelf operating system. icy scheme. SELinux has also proven its worth for general purpose Currently, the default SELinux implementation com- use in mitigating several serious security flaws. poses the following security models: Type Enforcement (TE) [7], Role Based Access Control (RBAC) [12], While SELinux has a reputation for being difficult to Muilti-level Security (MLS) [29], and Identity Based use, recent developments have helped significantly in Access Control (IBAC). These complement the standard this area, and user adoption is advancing rapidly. Linux Discretionary Access Control (DAC) scheme. This paper provides an informal update on the project, With these models, SELinux provides comprehensive discussing key developments and challenges, with the mandatory enforcement of least privilege, confidential- aim of helping people to better understand current ity, and integrity. -
Qualys Policy Compliance Getting Started Guide
Policy Compliance Getting Started Guide July 28, 2021 Verity Confidential Copyright 2011-2021 by Qualys, Inc. All Rights Reserved. Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks are the property of their respective owners. Qualys, Inc. 919 E Hillsdale Blvd Foster City, CA 94404 1 (650) 801 6100 Table of Contents Get Started ........................................................................................................ 5 Set Up Assets............................................................................................................................ 6 Start Collecting Compliance Data ............................................................... 8 Configure Authentication....................................................................................................... 8 Launch Compliance Scans ................................................................................................... 10 We recommend you schedule scans to run automatically .............................................. 12 How to configure scan settings............................................................................................ 12 Install Cloud Agents.............................................................................................................. 17 Evaluate Middleware Assets by Using Cloud Agent .......................................................... 17 Define Policies ................................................................................................. 21 -
Addressing Challenges in Automotive Connectivity: Mobile Devices, Technologies, and the Connected Car
2015-01-0224 Published 04/14/2015 Copyright © 2015 SAE International doi:10.4271/2015-01-0224 saepcelec.saejournals.org Addressing Challenges in Automotive Connectivity: Mobile Devices, Technologies, and the Connected Car Patrick Shelly Mentor Graphics Corp. ABSTRACT With the dramatic mismatch between handheld consumer devices and automobiles, both in terms of product lifespan and the speed at which new features (or versions) are released, vehicle OEMs are faced with a perplexing dilemma. If the connected car is to succeed there has to be a secure and accessible method to update the software in a vehicle's infotainment system - as well as a real or perceived way to graft in new software content. The challenge has become even more evident as the industry transitions from simple analog audio systems which have traditionally served up broadcast content to a new world in which configurable and interactive Internet- based content rules the day. This paper explores the options available for updating and extending the software capability of a vehicle's infotainment system while addressing the lifecycle mismatch between automobiles and consumer mobile devices. Implications to the design and cost of factory installed equipment will be discussed, as will expectations around the appeal of these various strategies to specific target demographics. CITATION: Shelly, P., "Addressing Challenges in Automotive Connectivity: Mobile Devices, Technologies, and the Connected Car," SAE Int. J. Passeng. Cars – Electron. Electr. Syst. 8(1):2015, doi:10.4271/2015-01-0224. INTRODUCTION be carefully taken into account. The use of app stores is expected to grow significantly in the coming years as automotive OEMs begin to Contemporary vehicle infotainment systems face an interesting explore apps not only on IVI systems, but on other components of the challenge. -
Command-Line Sound Editing Wednesday, December 7, 2016
21m.380 Music and Technology Recording Techniques & Audio Production Workshop: Command-line sound editing Wednesday, December 7, 2016 1 Student presentation (pa1) • 2 Subject evaluation 3 Group picture 4 Why edit sound on the command line? Figure 1. Graphical representation of sound • We are used to editing sound graphically. • But for many operations, we do not actually need to see the waveform! 4.1 Potential applications • • • • • • • • • • • • • • • • 1 of 11 21m.380 · Workshop: Command-line sound editing · Wed, 12/7/2016 4.2 Advantages • No visual belief system (what you hear is what you hear) • Faster (no need to load guis or waveforms) • Efficient batch-processing (applying editing sequence to multiple files) • Self-documenting (simply save an editing sequence to a script) • Imaginative (might give you different ideas of what’s possible) • Way cooler (let’s face it) © 4.3 Software packages On Debian-based gnu/Linux systems (e.g., Ubuntu), install any of the below packages via apt, e.g., sudo apt-get install mplayer. Program .deb package Function mplayer mplayer Play any media file Table 1. Command-line programs for sndfile-info sndfile-programs playing, converting, and editing me- Metadata retrieval dia files sndfile-convert sndfile-programs Bit depth conversion sndfile-resample samplerate-programs Resampling lame lame Mp3 encoder flac flac Flac encoder oggenc vorbis-tools Ogg Vorbis encoder ffmpeg ffmpeg Media conversion tool mencoder mencoder Media conversion tool sox sox Sound editor ecasound ecasound Sound editor 4.4 Real-world -
BSD UNIX Toolbox 1000+ Commands for Freebsd, Openbsd
76034ffirs.qxd:Toolbox 4/2/08 12:50 PM Page iii BSD UNIX® TOOLBOX 1000+ Commands for FreeBSD®, OpenBSD, and NetBSD®Power Users Christopher Negus François Caen 76034ffirs.qxd:Toolbox 4/2/08 12:50 PM Page ii 76034ffirs.qxd:Toolbox 4/2/08 12:50 PM Page i BSD UNIX® TOOLBOX 76034ffirs.qxd:Toolbox 4/2/08 12:50 PM Page ii 76034ffirs.qxd:Toolbox 4/2/08 12:50 PM Page iii BSD UNIX® TOOLBOX 1000+ Commands for FreeBSD®, OpenBSD, and NetBSD®Power Users Christopher Negus François Caen 76034ffirs.qxd:Toolbox 4/2/08 12:50 PM Page iv BSD UNIX® Toolbox: 1000+ Commands for FreeBSD®, OpenBSD, and NetBSD® Power Users Published by Wiley Publishing, Inc. 10475 Crosspoint Boulevard Indianapolis, IN 46256 www.wiley.com Copyright © 2008 by Wiley Publishing, Inc., Indianapolis, Indiana Published simultaneously in Canada ISBN: 978-0-470-37603-4 Manufactured in the United States of America 10 9 8 7 6 5 4 3 2 1 Library of Congress Cataloging-in-Publication Data is available from the publisher. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permis- sion should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions. -
Oracle Optimized Solution for Oracle E-Business Suite a High-Performance, Flexible Architecture on SPARC T5-2 Servers and Oracle Exadata
Oracle Optimized Solution for Oracle E-Business Suite A High-Performance, Flexible Architecture on SPARC T5-2 Servers and Oracle Exadata ORACLE WHITE P A P E R | OCTOBER 2015 Table of Contents Introduction 1 Solution Overview 2 Oracle Technologies—Everything Needed for Oracle E-Business Suite Deployment 2 Platform Infrastructure 3 Network Infrastructure and Remote Management 4 Built-in Virtualization for Simplified Oracle E-Business Suite Application Consolidation 4 High Availability Features to Keep Oracle E-Business Suite Running 6 Backup, Restore, and Disaster Recovery Solutions 6 Built-in Security Technology and Comprehensive Tools for Secure Deployment 7 Cryptographic Acceleration for Oracle E-Business Suite 7 Secure Isolation 9 Secure Access Control 9 Data Protection 9 Compliance 10 Security Best Practices for Oracle E-Business Suite Deployments 10 Security Technical Implementation Guides 11 My Oracle Support Documents 11 Component-Level Security Recommendations 12 Mapping an Oracle E-Business Suite Deployment to SPARC T5 Servers and Oracle Exadata 13 Consolidating to Oracle Systems 14 ORACLE OPTIMIZED SOLUTION FOR ORACLE E-BUSINESS SUITE A Basic Production System 15 Test Systems, Disaster Recovery Systems, and Other Systems 17 Solution Scalability 18 Consolidation of Quality Assurance, Disaster Recovery, and Other Systems 18 Consolidating onto a Single Oracle System 18 Cloud-Based Deployments 19 Additional Oracle Optimized Solutions for Oracle E-Business Suite Deployments 20 Oracle Optimized Solution for Secure Backup and Recovery -
Demystifying Internet of Things Security Successful Iot Device/Edge and Platform Security Deployment — Sunil Cheruvu Anil Kumar Ned Smith David M
Demystifying Internet of Things Security Successful IoT Device/Edge and Platform Security Deployment — Sunil Cheruvu Anil Kumar Ned Smith David M. Wheeler Demystifying Internet of Things Security Successful IoT Device/Edge and Platform Security Deployment Sunil Cheruvu Anil Kumar Ned Smith David M. Wheeler Demystifying Internet of Things Security: Successful IoT Device/Edge and Platform Security Deployment Sunil Cheruvu Anil Kumar Chandler, AZ, USA Chandler, AZ, USA Ned Smith David M. Wheeler Beaverton, OR, USA Gilbert, AZ, USA ISBN-13 (pbk): 978-1-4842-2895-1 ISBN-13 (electronic): 978-1-4842-2896-8 https://doi.org/10.1007/978-1-4842-2896-8 Copyright © 2020 by The Editor(s) (if applicable) and The Author(s) This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Open Access This book is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made. The images or other third party material in this book are included in the book’s Creative Commons license, unless indicated otherwise in a credit line to the material. -
Trustworthy Whole-System Provenance for the Linux Kernel
Trustworthy Whole-System Provenance for the Linux Kernel Adam Bates, Dave (Jing) Tian, Thomas Moyer Kevin R.B. Butler University of Florida MIT Lincoln Laboratory {adammbates,daveti,butler}@ufl.edu [email protected] Abstract is presently of enormous interest in a variety of dis- In a provenance-aware system, mechanisms gather parate communities including scientific data processing, and report metadata that describes the history of each ob- databases, software development, and storage [43, 53]. ject being processed on the system, allowing users to un- Provenance has also been demonstrated to be of great derstand how data objects came to exist in their present value to security by identifying malicious activity in data state. However, while past work has demonstrated the centers [5, 27, 56, 65, 66], improving Mandatory Access usefulness of provenance, less attention has been given Control (MAC) labels [45, 46, 47], and assuring regula- to securing provenance-aware systems. Provenance it- tory compliance [3]. self is a ripe attack vector, and its authenticity and in- Unfortunately, most provenance collection mecha- tegrity must be guaranteed before it can be put to use. nisms in the literature exist as fully-trusted user space We present Linux Provenance Modules (LPM), applications [28, 27, 41, 56]. Even kernel-based prove- the first general framework for the development of nance mechanisms [43, 48] and sketches for trusted provenance-aware systems. We demonstrate that LPM provenance architectures [40, 42] fall short of providing creates a trusted provenance-aware execution environ- a provenance-aware system for malicious environments. ment, collecting complete whole-system provenance The problem of whether or not to trust provenance is fur- while imposing as little as 2.7% performance overhead ther exacerbated in distributed environments, or in lay- on normal system operation. -
A Framework for Prototyping and Testing Data-Only Rootkit Attacks
1 A Framework for Prototyping and Testing Data-Only Rootkit Attacks Ryan Riley [email protected] Qatar University Doha, Qatar Version 1.0 This is a preprint of the paper accepted in Elsevier Computers & Security Abstract—Kernel rootkits—attacks which modify a running of 25 rootkit attacks to test with, but end up stating, “Of operating system kernel in order to hide an attacker’s presence— the 25 that we acquired, we were able to install 18 in our are significant threats. Recent advances in rootkit defense tech- virtual test infrastructure. The remainder either did not support nology will force rootkit threats to rely on only modifying kernel data structures without injecting and executing any new our test kernel version or would not install in a virtualized code; however these data-only kernel rootkit attacks are still environment.” In [2], the authors test with 16 Linux rootkits, both realistic and powerful. In this work we present DORF, a but only 12 of them overlap with [1]. In [3], the authors give framework for prototyping and testing data-only rootkit attacks. no results that involved testing with rootkit attacks. DORF is an object-oriented framework that allows researchers to As another example, in our own work involving kernel construct attacks that can be easily ported between various Linux distributions and versions. The current implementation of DORF rootkit defense [2], [4], [5], [6] we found ourselves locked in contains a group of existing and new data-only attacks, and the to an older version of Linux due to the rootkits we planned to portability of DORF is demonstrated by porting it to 6 different test with. -
Linux Kernel Debugging and Security (Lfd440)
Contact Us [email protected] HOME > COURSE CATALOG > LINUX FOUNDATION > SECURITY > LINUX KERNEL DEBUGGING AND SECURITY (LFD440) Linux Kernel Debugging and Security (LFD440) DURATION 4 Days COURSE LNX-LFD440 AVAILABLE FORMATS Classroom Training, Online Training Course Description Overview Learn the methods and internal infrastructure of the Linux kernel. This course focuses on the important tools used for debugging and monitoring the kernel, and how security features are implemented and controlled. Objectives This four day course includes extensive hands-on exercises and demonstrations designed to give you the necessary tools to develop and debug Linux kernel code. Students will walk away from this course with a solid understanding of Linux kernel. debugging techniques and tools. Audience 9/27/2021 1 of 11 1:47:42 PM This course is for experienced developers who need to understand the methods and internal infrastructure of the Linux kernel. Prerequisites To make the most of this course, you should: Be proficient in the C programming language; Be familiar with basic Linux (UNIX) utilities such as ls, grep and tar; Be comfortable using any of the available text editors (e.g. emacs, vi, etc.); Experience with any major Linux distribution is helpful but not strictly required; Have experience equivalent to having taken : Linux Kernel Internals and Development. Topics Introduction Objectives Who You Are The Linux Foundation Linux Foundation Training Certification Programs and Digital Badging Linux Distributions Platforms Preparing Your System -
April 2006 Volume 31 Number 2
APRIL 2006 VOLUME 31 NUMBER 2 THE USENIX MAGAZINE OPINION Musings RIK FARROW OpenSolaris:The Model TOM HAYNES PROGRAMMING Code Testing and Its Role in Teaching BRIAN KERNIGHAN Modular System Programming in MINIX 3 JORRIT N. HERDER, HERBERT BOS, BEN GRAS, PHILIP HOMBURG, AND ANDREW S. TANENBAUM Some Types of Memory Are More Equal Than Others DIOMEDIS SPINELLIS Simple Software Flow Analysis Using GNU Cflow CHAOS GOLUBITSKY Why You Should Use Ruby LU KE KANIES SYSADMIN Unwanted HTTP:Who Has the Time? DAVI D MALONE Auditing Superuser Usage RANDOLPH LANGLEY C OLUMNS Practical Perl Tools:Programming, Ho Hum DAVID BLANK-EDELMAN VoIP Watch HEISON CHAK /dev/random ROBERT G. FERRELL STANDARDS USENIX Standards Activities NICHOLAS M. STOUGHTON B O OK REVIEWS Book Reviews ELIZABETH ZWICKY, WITH SAM STOVER AND RI K FARROW USENIX NOTES Letter to the Editor TED DOLOTTA Fund to Establish the John Lions Chair C ONFERENCES LISA ’05:The 19th Large Installation System Administration Conference WORLDS ’05: Second Workshop on Real, Large Distributed Systems FAST ’05: 4th USENIX Conference on File and Storage Technologies The Advanced Computing Systems Association Upcoming Events 3RD SYMPOSIUM ON NETWORKED SYSTEMS 2ND STEPS TO REDUCING UNWANTED TRAFFIC ON DESIGN AND IMPLEMENTATION (NSDI ’06) THE INTERNET WORKSHOP (SRUTI ’06) Sponsored by USENIX, in cooperation with ACM SIGCOMM JULY 6–7, 2006, SAN JOSE, CA, USA and ACM SIGOPS http://www.usenix.org/sruti06 MAY 8–10, 2006, SAN JOSE, CA, USA Paper submissions due: April 20, 2006 http://www.usenix.org/nsdi06 2006 -
Linux-Database-Bible.Pdf
Table of Contents Linux Database Bible..........................................................................................................................................1 Preface..................................................................................................................................................................4 The Importance of This Book.................................................................................................................4 Getting Started........................................................................................................................................4 Icons in This Book..................................................................................................................................5 How This Book Is Organized.................................................................................................................5 Part ILinux and Databases................................................................................................................5 Part IIInstallation and Configuration................................................................................................5 Part IIIInteraction and Usage...........................................................................................................5 Part IVProgramming Applications...................................................................................................6 Part VAdministrivia.........................................................................................................................6