Solve the paradox: Less Downtime – More Security. LinuxCon Berlin, Germany, October 4, 12:10 – 13:00


Hannes Kühnemund, SUSE Product Management

Slide deck, transcribed from the PDF. Several slides are animated builds (the same slide repeated with one more row each time); only the first and the final state of each build are kept here.

Downtime considerations for your digital architecture

Take a holistic approach ...
- End-users (the business) are interested in service availability
- Application, OS, cluster, VM, server, network, storage, people, processes ...
... because we understand that components will fail, ...
- Failure-tolerant architecture; identify the weak links
... acceptance of any downtime is decreasing and it is critical to ...
- Seek to reduce both planned and unplanned service downtime
... strike a balance.
- Cost of IT continuity vs. business impact

Downtime quiz: planned vs. unplanned

Planned downtime
- Regular cadence: monthly, quarterly, yearly
- On the weekend
- In alignment with all stakeholders
- A combination of tasks: software updates / configuration, hardware exchange of defective parts, datacenter maintenance / AC
- Optimizable with SUSE Manager

Unplanned downtime
- No cadence
- Usually on Christmas Day
- No alignment with stakeholders
- Only one particular problem fixed
- Optimizable with various technologies available

Minimize unplanned downtime
- RAS system, UPS, rollback, High Availability and GEO, virtualization, RAID, load balancer, live patching

Strike the balance? No downtime vs. security: the two sides of the paradox in the title.

Since 2005, more than 75 data breaches in which 1,000,000 or more records were compromised have been publicly disclosed. But what about the non-disclosed ones?

Vulnerabilities

Published vulnerabilities per year (bar chart, redrawn as a table):

  Year   # vulnerabilities
  2010   4258
  2011   3532
  2012   4347
  2013   4794
  2014   7038
  2015   8822

Vulnerability type, 2015 (pie chart): Operating System, Browsers, Mobile Devices, Applications. The shares shown are 38%, 28%, 18% and 16%; the extraction does not preserve which share belongs to which slice.

Operating systems by number of vulnerabilities, 2015:

  Rank  Operating system                 # vulnerabilities
  1     Apple OS X                       384
  2     Microsoft Windows Server 2012    155
  3     Canonical Ubuntu Linux           152
  4     Microsoft Windows 8.1            151
  ...
  11    The Linux Kernel                 77

Source: http://www.cvedetails.com, https://nvd.nist.gov/ and http://www.gfi.com/blog/2015s-mvps-the-most-vulnerable-players/

In a data center, not so long ago ...

CVE: Common Vulnerabilities and Exposures, the standard naming scheme used by the NVD. NVD: National Vulnerability Database (https://nvd.nist.gov/).

Slides 15 to 27 build up a timeline from December 2015 to September 2016, one kernel update at a time. Each newly listed CVE appears under every kernel version installed on the box so far, not only the newest one, and every kernel update ends in a reboot:

  Nov-11, 2015  Linux kernel installed
                CVE-2015-6937, CVE-2015-7872, CVE-2015-7990 listed against it           -> reboot
  Dec-11, 2015  Linux kernel installed
                CVE-2016-0728 listed against it and the Nov-11 kernel                   -> reboot
  Jan-15, 2016  Linux kernel installed
                CVE-2013-7446, CVE-2015-8019, CVE-2015-8539, CVE-2015-8660 listed
                against all three kernels                                              -> reboot
  Feb-10, 2016  Linux kernel installed
                CVE-2015-8709, CVE-2015-8812, CVE-2015-8816, CVE-2016-0774,
                CVE-2016-2384 listed against all four kernels                          -> reboot
  Mar-22, 2016  Linux kernel installed
                CVE-2016-1583, CVE-2016-3134 listed against all five kernels

That is four reboots in four months, fifteen kernel CVEs, and each reboot closes only the CVEs known at that moment: the next one arrives against the freshly booted kernel as well. The transcribed text stops at slide 27, on the next build of this timeline.
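The timeline above is the case for live patching; the check a practitioner wants afterwards is whether a given host is still exposed to a listed CVE or not. The following Python script is an added example written for this page, not part of the deck and not a SUSE tool: it compares the booted kernel with the installed kernel packages, reads live-patch state from the upstream livepatch sysfs files (/sys/kernel/livepatch/<patch>/enabled and .../transition), and classifies each CVE as fixed, livepatched, exposed or unknown. The kernel version format ("4.4.21-69-default", with the release number after the dash being what a security update bumps), the patch name, the sysfs snapshot and the CVE-to-fixed-in table are all constructed for the example; on a real system the fixed-in releases come from the vendor advisory and the set of CVEs a live patch covers from the patch package's changelog.

```python
"""Is this host still exposed to a kernel CVE, or has a live patch closed it?

Added example for the slide deck above; not part of the deck or of any SUSE
tool.  Assumptions: kernel versions in the SLES form "4.4.21-69-default" and
the upstream livepatch sysfs layout /sys/kernel/livepatch/<patch>/{enabled,
transition}.  Versions, patch name, sysfs snapshot and CVE table are
constructed for the example."""
import re
from typing import Dict, Iterable, Mapping, Tuple

_KVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?")


def parse_kver(kver: str) -> Tuple[int, ...]:
    """'4.4.21-69-default' -> (4, 4, 21, 69); a missing release counts as 0."""
    m = _KVER.match(kver)
    if not m:
        raise ValueError(f"unrecognised kernel version: {kver!r}")
    return tuple(int(g) for g in m.groups(default="0"))


def newest(installed: Iterable[str]) -> str:
    """Highest kernel package present (what `rpm -q kernel-default` lists)."""
    return max(installed, key=parse_kver)


def reboot_pending(running: str, installed: Iterable[str]) -> bool:
    """True when a newer kernel is installed than the one uname -r reports."""
    return parse_kver(newest(installed)) > parse_kver(running)


def active_livepatches(sysfs: Mapping[str, str]) -> Dict[str, bool]:
    """Map each patch under /sys/kernel/livepatch to True only when it is
    enabled AND not in transition: while a transition is still running, tasks
    that have not crossed the patching barrier keep executing the old code."""
    prefix = "/sys/kernel/livepatch/"
    names = {p[len(prefix):].split("/")[0] for p in sysfs if p.startswith(prefix)}
    state = {}
    for name in names:
        enabled = sysfs.get(f"{prefix}{name}/enabled", "0").strip() == "1"
        transition = sysfs.get(f"{prefix}{name}/transition", "0").strip() == "1"
        state[name] = enabled and not transition
    return state


def cve_status(cve: str, running: str, fixed_in: Mapping[str, str],
               patch_cves: Mapping[str, Iterable[str]],
               sysfs: Mapping[str, str]) -> str:
    """'fixed'       booted kernel is at or above the fixed-in release
       'livepatched' an active live patch covers the CVE; no reboot needed
       'exposed'     neither: vulnerable until a patch is loaded or a reboot
       'unknown'     no fixed-in release recorded for this CVE"""
    fix = fixed_in.get(cve)
    if fix is None:
        return "unknown"
    if parse_kver(running) >= parse_kver(fix):
        return "fixed"
    for patch, active in active_livepatches(sysfs).items():
        if active and cve in patch_cves.get(patch, ()):
            return "livepatched"
    return "exposed"


# --- constructed sample host -------------------------------------------------
RUNNING = "4.4.21-69-default"                           # what uname -r prints
INSTALLED = ["4.4.21-69-default", "4.4.21-81-default"]  # -81 installed, not booted
FIXED_IN = {    # constructed; real values come from the vendor advisory
    "CVE-2016-0728": "4.4.21-69",
    "CVE-2016-2384": "4.4.21-81",
    "CVE-2016-3134": "4.4.21-81",
}
PATCH_CVES = {  # constructed; in practice taken from the patch package changelog
    "livepatch_4_4_21_69": {"CVE-2016-2384"},
}
SYSFS = {       # constructed snapshot of the livepatch sysfs files
    "/sys/kernel/livepatch/livepatch_4_4_21_69/enabled": "1\n",
    "/sys/kernel/livepatch/livepatch_4_4_21_69/transition": "0\n",
}


def report(running: str = RUNNING, installed: Iterable[str] = INSTALLED,
           sysfs: Mapping[str, str] = SYSFS) -> dict:
    """Per-CVE verdict plus whether a newer kernel is installed but not booted."""
    verdicts = {cve: cve_status(cve, running, FIXED_IN, PATCH_CVES, sysfs)
                for cve in FIXED_IN}
    return {"reboot_pending": reboot_pending(running, installed), "cves": verdicts}


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The version comparison is deliberately only one input. A live-patched kernel still reports the old version in uname -r, so a reboot-pending check based on package versions alone would call CVE-2016-2384 exposed on the sample host although the loaded patch already closes it; conversely a patch whose transition has not completed is not counted as protection, and CVE-2016-3134 stays exposed until either a live patch covering it is loaded or the host is rebooted into the -81 kernel.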