DOCSLIB.ORG

Overview and Recent Developments: Seccomp and Small Lsms

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Overview and Recent Developments: Seccomp and Small Lsms Overview and Recent Developments: seccomp and small LSMs Linux Security Summit EU October 26, 2018 Edinburgh, Scotland Kees (“Case”) Cook [email protected] @kees_cook https://outflux.net/slides/2018/lss-eu/seccomp.pdf Agenda ● Background – what’s a “small” LSM? ● LoadPin – purpose, recent development, and demo ● Yama – purpose, recent development, and demo ● seccomp – why is seccomp not an LSM? – purpose, matching, filters – recent development – demo Background ● Regular LSMs (SELinux, AppArmor, Smack, TOMOYO) have a comprehensive policy language covering a full Mandatory Access Control system ● “small” LSMs have a very narrow (or fixed) policy LoadPin: Overview NOT ACTUAL LOGO ● Built with CONFIG_SECURITY_LOADPIN=y ● If you think CONFIG_MODULE_SIG_FORCE=y is redundant in your environment, LoadPin is for you! – Chrome OS uses dm-verity to provide a cryptographically verified read-only root filesystem – There is no need to sign modules – they just have to come only from the root filesystem ● Also protects other files the kernel reads: – kexec images, firmware, security policy, certs, etc LoadPin: Recent developments ● Thankfully pretty stable (maybe only Chrome OS uses it?) ● v4.20 – human readable device name in initialization output – boot param name changing from “enabled” to “enforce” LoadPin: Demo # df -h /tm" /tr#$ted File$ystem Size Used Avail U$e% Mounted )* !dev!root 24G 17G /0,G .2% ! !dev!%))p0 ,22M 94/5 ,4+M 1% /tr#$ted # insmod /trusted/test_module06) 7008 LoadPi*9 lo)"1 :.91;9 writ'=%e 7008 LoadPi*9 enfor>ement >'n be di$'=led0 7008 LoadPi*9 kernel-module pinned )=?="/tr#$ted/test_module06)" pid=3+12 cmdline="insmod /tr#$ted/test_module06)@ 7008 test_module: He%%), world # rmmod test_module 7008 test_module: G)odbye # insmod /tmp/test_module06) insm)d: ERROR: c)#%d not i*$ert module /tmp/test_module.6): Oper'tion not permitted 7008 LoadPi*9 kernel-module denied )=?="/tm"!test_module.6)@ pid=A+15 cmdline="i*$mod /tmp/test_module06)@ # um)#nt /trusted 7008 LoadPi*9 um)#*t pinned fs: refusing further %oad$ Yama: Overview ● Built with CONFIG_SECURITY_YAMA=y NOT ACTUAL LOGO ● The first “stacked” LSM (sorry not sorry) ● Narrows scope of ptracing from “same uid” to “ancestor and explicit whitelist” ● Basic goal is to expand the time window needed to steal a user’s credentials after successfully breaking into a machine Yama: Recent developments ● Also pretty stable (and many distros use it!) – (I just had to write this in a slide, didn’t I? syzkaller just sent me an RCU bug it found in Yama’s task walking...) ● I may have future work cut out for me – Jann Horn has started looking at bypasses … Yama: Demo $y$temdC-Cr))t Before Yama: E-d'em)*C++-,C)t er#$er "evil-attacker" wants to read memory E-='$ C+++AC6ee$ of "daemon", but gets blocked by E F-$e>retC++A1 DAC (kees != otheruser): ptrace(PTRACE_ATTACH, 2214) E F-Dd=C++A4 → EPERM E F-"r)Dr'mC++A/ F-='$ CA-1-C6ee$ But it can read “secret” (same uid, but E->r'$ i*D-"r)Dr'mCA-,4 started in the past): ptrace(PTRACE_ATTACH, 2230) E F-evi%-'tt'>6erCA+24 → ok F->r'$ - '*d%erCA+2/ Yama: Demo $y$temdC-Cr))t With Yama: E-d'em)*C++-,C)t er#$er E-='$ C+++AC6ee$ "evil-attacker" wants to read memory of "secret", but gets E E-$e>retC++A1 blocked (not in ancestry tree): E F-Dd=C++A4 E F-"r)Dr'mC++A/ ptrace(PTRACE_ATTACH, 2230) F-='$ CA-1-C6ee$ → EPERM E->r'$ i*D-"r)Dr'mCA-,4 E F-evi%-'tt'>6erCA+24 F->r'$ - '*d%erCA+2/ Yama: Demo $y$temdC-Cr))t With Yama: E-d'em)*C++-,C)t er#$er E-='$ C+++AC6ee$ "gdb" wants to read memory of "program" and is fine (gdb is in E E-$e>retC++A1 ancestory tree): E F-Dd=C++A4 E F-"r)Dr'mC++A/ ptrace(PTRACE_ATTACH, 2236) F-='$ CA-1-C6ee$ → ok E->r'$ i*D-"r)Dr'mCA-,4 E F-evi%-'tt'>6erCA+24 F->r'$ - '*d%erCA+2/ Yama: Demo $y$temdC-Cr))t But ancestory tree checking can break crash handlers: E-d'em)*C++-,C)t er#$er E-='$ C+++AC6ee$ "crash-handler" wants to read E F-$e>retC++A1 "crashing-program", but gets E F-Dd=C++A4 blocked: E F-"r)Dr'mC++A/ ptrace(PTRACE_ATTACH, 3145) F-='$ CA-1-C6ee$ → EPERM E->r'$ i*D-"r)Dr'mCA-,4 E F-evi%-'tt'>6erCA+24 F->r'$ - '*d%erCA+2/ Yama: Demo $y$temdC-Cr))t so "crashing-program" declares "crash-handler" can read its E-d'em)*C++-,C)t er#$er memory: E-='$ C+++AC6ee$ prctl(PR_SET_PTRACER, 3286) E F-$e>retC++A1 E F-Dd=C++A4 now "crash-handler" can read E F-"r)Dr'mC++A/ memory of "crashing-program": F-='$ CA-1-C6ee$ ptrace(PTRACE_ATTACH, 3145) E->r'$ i*D-"r)Dr'mCA-,4 → ok E F-evi%-'tt'>6erCA+24 F->r'$ - '*d%erCA+2/ seccomp: Overview ● Not an LSM. More low-level: it filters system calls NOT ACTUAL LOGO ● *o_new_priv$ saves the day against setuid issues ● As seen in Chrome, Chrome OS, Android, Docker, systemd and Firefox, QEMU, OpenSSH, vsftpd, LXD, Tor, the list goes on… ● Easy to add seccomp to your code! – To quickly wrap a program, use minijail -S ")licy.txt – To use normal filtering, you want %ibsec>)mp – To do really special things, you’ll need to learn BPF ● actually a subset of classic BPF (not eBPF) seccomp: Filter matching ● filter can match anything in the seccomp BPF “packet data”: $tr#>t $ec>)mp_d't' { i*t nrI /J System >'%l *#m=er J! __#A+ ar> I /J AUDIT_ARCB_* K%i*#G!'udit0 L J! __#/, in$tr#>ti)*_p)i*terI /J CPU i*$tr#cti)* ")i*ter J! __#/, arD$7/8I /J Up t) 6 $ystem >'%% 'rg$ J! MI ● Can not read process memory (e.g. filename arg contents) – would be racey seccomp: Filter results ● SECCOMP_RET_ALLOW: continue with syscall ● SECCOMP_RET_LOG: emit audit record and continue ● SECCOMP_RET_TRACE: generate PTRACE_EOENT_SECCOMP ● SECCOMP_RET_ERRNO: skip syscall, return specified errno ● SECCOMP_RET_TRAP: deliver SIGSYS signal ● SECCOMP_RET_KILL_THREAD: kill the thread ● SECCOMP_RET_KILL_PROCESS: kill the process (thread group) seccomp: Recent developments ● Tycho Andersen suffering endless discussion on how to add SECCOMP_RET_USER_NOTIF – Basically SECCOMP_RET_TRACE using a file descriptor instead of ptrace ● We know what it won’t be, at least: – Not NLA structs – Not eBPF (“eBPF will never block userspace”) seccomp: Demo P 0!mi*i?'i%1 -S >'t0")%i>y !=i*!>'t >'t0")%i>y P e> ) PQ -A, :SIGARRT; P t'i% -*+ !v'r!%)D!$y$%)D 000 >'t9 %i=mi*i?'i%7,+4A+89 "r>t%:$e>>)m"_fi%ter; f'i%ed9 Permi$$i)* de*ied 000 mi*i?'i%19 %i=mi*i?'i%7,+4A-89 > i%d "r)>e$$ ,+4A+ re>eived $iD*'% / P err*) --$e'r> de*ied EACCES -A Permi$$i)* de*ied P m'* $e>>)m" 000 EACCES T e >'%%er did *)t 've t e CAP_SYS_ADMIN >'"'=i%ity i* it$ #$er *'me$"'>eC )r 'd *)t $et *)_*e<_"riv$ =ef)re #$i*D SECS COMP_SET_MODE_FILTER0 000 P 0!mi*i?'i%1 - E Dre" "riv$ -*9 Set *)_*e<_"riv$0 seccomp: Demo P 0!mi*i?'i%1 -*S >'t0")%i>y !=i*!>'t >'t0")%i>y )"e*'t9 - f$t't9 - mm'"9 - f'dvi$e/,9 - re'd9 - <rite9 - m#*m'"9 - >%)$e9 - eGit_Dr)#"9 - P e'd -*- >'t-ei*v'%0")%i>y )"e*'t9 ret#r* EINOAL P 0!mi*i?'i%1 -*S >'t-ei*v'%0")%i>y !=i*!>'t >'t0")%i>y !=i*!>'t9 >'t0")%i>y9 I*v'%id 'rD#me*t seccomp: Demo P 0!mi*i?'i%1 -*S >'t0")%i>y !=i*!%$ >'t0")%i>y P e> ) PQ +4A P t'i% -*- !v'r!%)D!$y$%)D 000 mi*i?'i%19 %i=mi*i?'i%7,A24A89 > i%d "r)>e$$ ,A24, re>eived $iD*'% A- P 6i%% -% A- SYS P >" >'t0")%i>y %$0")%i>y P $tr'>e -f 0!mi*i?'i%1 -*S %$0")%i>y !=i*!%$ %$0")%i>y 000 T 7"id ,-1+/8 i)>t%:-C TCGETS K#*fi*i$ ed 000L; = Q A PE L E TI 7"id ,-1+/8 TTT 6i%%ed =y SIGSYS :>)re d#m"ed; TTT R N Y U P 000 P HA P e> ) Ui)>t%9 'rD1 == -V LL %$0")%i>y Thoughts? Kees (“Case”) Cook [email protected] [email protected] [email protected] @kees_cook https://outflux.net/slides/2018/lss-eu/seccomp.pdf .
Load more

Recommended publications
  • The Kernel Report
    The kernel report (ELC 2012 edition) Jonathan Corbet LWN.net [email protected] The Plan Look at a year's worth of kernel work ...with an eye toward the future Starting off 2011 2.6.37 released - January 4, 2011 11,446 changes, 1,276 developers VFS scalability work (inode_lock removal) Block I/O bandwidth controller PPTP support Basic pNFS support Wakeup sources What have we done since then? Since 2.6.37: Five kernel releases have been made 59,000 changes have been merged 3069 developers have contributed to the kernel 416 companies have supported kernel development February As you can see in these posts, Ralink is sending patches for the upstream rt2x00 driver for their new chipsets, and not just dumping a huge, stand-alone tarball driver on the community, as they have done in the past. This shows a huge willingness to learn how to deal with the kernel community, and they should be strongly encouraged and praised for this major change in attitude. – Greg Kroah-Hartman, February 9 Employer contributions 2.6.38-3.2 Volunteers 13.9% Wolfson Micro 1.7% Red Hat 10.9% Samsung 1.6% Intel 7.3% Google 1.6% unknown 6.9% Oracle 1.5% Novell 4.0% Microsoft 1.4% IBM 3.6% AMD 1.3% TI 3.4% Freescale 1.3% Broadcom 3.1% Fujitsu 1.1% consultants 2.2% Atheros 1.1% Nokia 1.8% Wind River 1.0% Also in February Red Hat stops releasing individual kernel patches March 2.6.38 released – March 14, 2011 (9,577 changes from 1198 developers) Per-session group scheduling dcache scalability patch set Transmit packet steering Transparent huge pages Hierarchical block I/O bandwidth controller Somebody needs to get a grip in the ARM community.
    [Show full text]
  • Tizen IVI “From Scratch” Customizing, Building and Testing
    Tizen IVI “from scratch” Customizing, building and testing Stéphane Desneux Senior Software Engineer Eurogiciel <[email protected]> Eurogiciel ● Open source development and integration: ● Maintainers in multiple domains on tizen.org ● Embedded systems for real-time multimedia: ▪ Widi/Miracast stack ▪ Wayland/Weston ▪ Webkit2 browser with HW acceleration ● Applications: HTML5/CSS3, jquery, jqmobi, Cordova ● Location : Vannes (Brittany), France 14 2 FOSDEM' Automotive devroom – Tizen “from scratch” : customize, build, test ! Agenda ● Tizen & Tizen:IVI : short introduction ● From source code to target devices ● Customize ● Build ● Flash, Run, Test ! 14 3 FOSDEM' Automotive devroom – Tizen “from scratch” : customize, build, test ! Tizen: a short introduction Definition ● Open source project ● Hosted at the Linux Foundation ● Innovative Web-based platform for multiple devices ● Sponsored by worldwide companies ● Samsung & Intel are two big contributors ● Built on industry standards: ● GNU/Linux kernel, GNU libc ● POSIX ● W3C ● Many upstream Open Source projects 14 5 FOSDEM' Automotive devroom – Tizen “from scratch” : customize, build, test ! Tizen Profiles ● Multiple vertical profiles (derived from Tizen:Generic) ● IVI ● Mobile ● Future: other devices (TV, ...) ● Each profile adds its own enhancements ● Tizen packaging format: RPM 14 6 FOSDEM' Automotive devroom – Tizen “from scratch” : customize, build, test ! From source code … … to target devices 1: Source code GIT Repositories Remote Local Clone source repo Developers
    [Show full text]
  • Rootless Containers with Podman and Fuse-Overlayfs
    CernVM Workshop 2019 (4th June 2019) Rootless containers with Podman and fuse-overlayfs Giuseppe Scrivano @gscrivano Introduction 2 Rootless Containers • “Rootless containers refers to the ability for an unprivileged user (i.e. non-root user) to create, run and otherwise manage containers.” (https://rootlesscontaine.rs/ ) • Not just about running the container payload as an unprivileged user • Container runtime runs also as an unprivileged user 3 Don’t confuse with... • sudo podman run --user foo – Executes the process in the container as non-root – Podman and the OCI runtime still running as root • USER instruction in Dockerfile – same as above – Notably you can’t RUN dnf install ... 4 Don’t confuse with... • podman run --uidmap – Execute containers as a non-root user, using user namespaces – Most similar to rootless containers, but still requires podman and runc to run as root 5 Motivation of Rootless Containers • To mitigate potential vulnerability of container runtimes • To allow users of shared machines (e.g. HPC) to run containers without the risk of breaking other users environments • To isolate nested containers 6 Caveat: Not a panacea • Although rootless containers could mitigate these vulnerabilities, it is not a panacea , especially it is powerless against kernel (and hardware) vulnerabilities – CVE 2013-1858, CVE-2015-1328, CVE-2018-18955 • Castle approach : it should be used in conjunction with other security layers such as seccomp and SELinux 7 Podman 8 Rootless Podman Podman is a daemon-less alternative to Docker • $ alias
    [Show full text]
  • Flexible Lustre Management
    Flexible Lustre management Making less work for Admins ORNL is managed by UT-Battelle for the US Department of Energy How do we know Lustre condition today • Polling proc / sysfs files – The knocking on the door model – Parse stats, rpc info, etc for performance deviations. • Constant collection of debug logs – Heavy parsing for common problems. • The death of a node – Have to examine kdumps and /or lustre dump Origins of a new approach • Requirements for Linux kernel integration. – No more proc usage – Migration to sysfs and debugfs – Used to configure your file system. – Started in lustre 2.9 and still on going. • Two ways to configure your file system. – On MGS server run lctl conf_param … • Directly accessed proc seq_files. – On MSG server run lctl set_param –P • Originally used an upcall to lctl for configuration • Introduced in Lustre 2.4 but was broken until lustre 2.12 (LU-7004) – Configuring file system works transparently before and after sysfs migration. Changes introduced with sysfs / debugfs migration • sysfs has a one item per file rule. • Complex proc files moved to debugfs • Moving to debugfs introduced permission problems – Only debugging files should be their. – Both debugfs and procfs have scaling issues. • Moving to sysfs introduced the ability to send uevents – Item of most interest from LUG 2018 Linux Lustre client talk. – Both lctl conf_param and lctl set_param –P use this approach • lctl conf_param can set sysfs attributes without uevents. See class_modify_config() – We get life cycle events for free – udev is now involved. What do we get by using udev ? • Under the hood – uevents are collect by systemd and then processed by udev rules – /etc/udev/rules.d/99-lustre.rules – SUBSYSTEM=="lustre", ACTION=="change", ENV{PARAM}=="?*", RUN+="/usr/sbin/lctl set_param '$env{PARAM}=$env{SETTING}’” • You can create your own udev rule – http://reactivated.net/writing_udev_rules.html – /lib/udev/rules.d/* for examples – Add udev_log="debug” to /etc/udev.conf if you have problems • Using systemd for long task.
    [Show full text]
  • Version 7.8-Systemd
    Linux From Scratch Version 7.8-systemd Created by Gerard Beekmans Edited by Douglas R. Reno Linux From Scratch: Version 7.8-systemd by Created by Gerard Beekmans and Edited by Douglas R. Reno Copyright © 1999-2015 Gerard Beekmans Copyright © 1999-2015, Gerard Beekmans All rights reserved. This book is licensed under a Creative Commons License. Computer instructions may be extracted from the book under the MIT License. Linux® is a registered trademark of Linus Torvalds. Linux From Scratch - Version 7.8-systemd Table of Contents Preface .......................................................................................................................................................................... vii i. Foreword ............................................................................................................................................................. vii ii. Audience ............................................................................................................................................................ vii iii. LFS Target Architectures ................................................................................................................................ viii iv. LFS and Standards ............................................................................................................................................ ix v. Rationale for Packages in the Book .................................................................................................................... x vi. Prerequisites
    [Show full text]
  • Scalability of VM Provisioning Systems
    Scalability of VM Provisioning Systems Mike Jones, Bill Arcand, Bill Bergeron, David Bestor, Chansup Byun, Lauren Milechin, Vijay Gadepally, Matt Hubbell, Jeremy Kepner, Pete Michaleas, Julie Mullen, Andy Prout, Tony Rosa, Siddharth Samsi, Charles Yee, Albert Reuther Lincoln Laboratory Supercomputing Center MIT Lincoln Laboratory Lexington, MA, USA Abstract—Virtual machines and virtualized hardware have developed a technique based on binary code substitution been around for over half a century. The commoditization of the (binary translation) that enabled the execution of privileged x86 platform and its rapidly growing hardware capabilities have (OS) instructions from virtual machines on x86 systems [16]. led to recent exponential growth in the use of virtualization both Another notable effort was the Xen project, which in 2003 used in the enterprise and high performance computing (HPC). The a jump table for choosing bare metal execution or virtual startup time of a virtualized environment is a key performance machine execution of privileged (OS) instructions [17]. Such metric for high performance computing in which the runtime of projects prompted Intel and AMD to add the VT-x [19] and any individual task is typically much shorter than the lifetime of AMD-V [18] virtualization extensions to the x86 and x86-64 a virtualized service in an enterprise context. In this paper, a instruction sets in 2006, further pushing the performance and methodology for accurately measuring the startup performance adoption of virtual machines. on an HPC system is described. The startup performance overhead of three of the most mature, widely deployed cloud Virtual machines have seen use in a variety of applications, management frameworks (OpenStack, OpenNebula, and but with the move to highly capable multicore CPUs, gigabit Eucalyptus) is measured to determine their suitability for Ethernet network cards, and VM-aware x86/x86-64 operating workloads typically seen in an HPC environment.
    [Show full text]
  • Long Comment Regarding a Proposed Exemption Under 17 U.S.C. 1201 for Software Freedom Conservancy Proposed Class: 20 – Smart T
    Long Comment Regarding a Proposed Exemption Under 17 U.S.C. 1201 For Software Freedom Conservancy Proposed Class: 20 – Smart TVs No multimedia evidence is being provided in connection with this comment Item 1. Commenter Information The Petition submitter is Software Freedom Conservancy (“Conservancy”), a 501(c)(3) not-for-profit organization that helps promote, improve, develop, and defend Free, Libre, and Open Source Software (“FLOSS”)—software developed by volunteer communities and licensed for the benefit of everyone. Conservancy is the nonprofit home for dozens of FLOSS projects representing well over a thousand volunteer contributors. Conservancy's communities maintain some of the most fundamental utilities in computing today, and introduce innovations that will shape how software will be created in the future. Among the projects for which Conservancy provides logistical, administrative, and legal support are BusyBox and Samba, both of which are commonly installed on “smart” or computer- embedded consumer electronics devices. BusyBox provides a number of key system utilities that enable such devices to run applications, interact with files, access network services, and more.1 It is also used by community projects focused on unlocking and improving Samsung-2 and LG- manufactured Smart TVs.3 Samba permits devices to interact with files stored on other networked devices.4 Conservancy also represents the interests of several contributors to the Linux kernel, the core component of the operating system of most Smart TVs. Conservancy may be contacted through its authorized representatives and pro bono counsel at Tor Ekeland, P.C., 195 Plymouth Street, Brooklyn, New York 11201: Aaron Williamson Frederic Jennings (718) 285-9349 (718) 514-2075 [email protected] [email protected] Item 2.
    [Show full text]
  • Practical and Effective Sandboxing for Non-Root Users
    Practical and effective sandboxing for non-root users Taesoo Kim and Nickolai Zeldovich MIT CSAIL Abstract special tools. More importantly, all use cases neither re- quire root privilege nor require modification to the OS MBOX is a lightweight sandboxing mechanism for non- kernel and applications. root users in commodity OSes. MBOX’s sandbox usage model executes a program in the sandbox and prevents Overview MBOX aims to make running a program in a the program from modifying the host filesystem by layer- sandbox as easy as running the program itself. For exam- ing the sandbox filesystem on top of the host filesystem. ple, one can sandbox a program (say wget) by running as At the end of program execution, the user can examine below: changes in the sandbox filesystem and selectively com- mit them back to the host filesystem. MBOX implements $ mbox -- wget google.com ... this by interposing on system calls and provides a variety Network Summary: of useful applications: installing system packages as a > [11279] -> 173.194.43.51:80 > [11279] Create socket(PF_INET,...) non-root user, running unknown binaries safely without > [11279] -> a00::2607:f8b0:4006:803:0 network accesses, checkpointing the host filesystem in- ... Sandbox Root: stantly, and setting up a virtual development environment > /tmp/sandbox-11275 without special tools. Our performance evaluation shows > N:/tmp/index.html [c]ommit, [i]gnore, [d]iff, [l]ist, [s]hell, [q]uit ?> that MBOX imposes CPU overheads of 0.1–45.2% for var- ious workloads. In this paper, we present MBOX’s design, wget is a utility to download files from the web.
    [Show full text]
  • Demystifying Internet of Things Security Successful Iot Device/Edge and Platform Security Deployment — Sunil Cheruvu Anil Kumar Ned Smith David M
    Demystifying Internet of Things Security Successful IoT Device/Edge and Platform Security Deployment — Sunil Cheruvu Anil Kumar Ned Smith David M. Wheeler Demystifying Internet of Things Security Successful IoT Device/Edge and Platform Security Deployment Sunil Cheruvu Anil Kumar Ned Smith David M. Wheeler Demystifying Internet of Things Security: Successful IoT Device/Edge and Platform Security Deployment Sunil Cheruvu Anil Kumar Chandler, AZ, USA Chandler, AZ, USA Ned Smith David M. Wheeler Beaverton, OR, USA Gilbert, AZ, USA ISBN-13 (pbk): 978-1-4842-2895-1 ISBN-13 (electronic): 978-1-4842-2896-8 https://doi.org/10.1007/978-1-4842-2896-8 Copyright © 2020 by The Editor(s) (if applicable) and The Author(s) This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Open Access This book is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made. The images or other third party material in this book are included in the book’s Creative Commons license, unless indicated otherwise in a credit line to the material.
    [Show full text]
  • Hardening Kubernetes Containers Security with Seccomp an Often Overlooked Way to Harden Kubernetes Containers’ Security Is by Applying Seccomp Profiles
    eBook: Hardening Kubernetes Containers Security with Seccomp An often overlooked way to harden Kubernetes containers’ security is by applying seccomp profiles. A relatively ancient security mechanism in the Linux kernel, seccomp (short for secure computing mode) tells the Linux kernel which system calls a process can make. Restricting a process from accessing the kernel via system calls restricts the attack surface, and can prevent privilege escalation. The original seccomp was very restrictive and unwieldy to use. The first version of seccomp was merged in 2005 into Linux 2.6.12. It was enabled by writing a "1" to /proc/PID/seccomp. Then, the process could only make 4 syscalls: read(), write(), exit(), and sigreturn()"). Today, the seccomp-bpf extension, which uses the Berkeley Packet Filter rules, is more commonly used as it allows filtering system calls using a configurable policy. 1 Given the number of system calls invoked to execute a Customizing seccomp profiles, in effect, provides a container, each of which is a potential entry vector for deeply embedded line of defense that adds a layer of attackers, appropriately applying seccomp profiles goes a protection to your application in case of breach. As the long way to securing a container. probability of any application being breached is constantly rising, limiting the possible extent of a successful breach should be applied at as many levels as possible. Ever-increasing interconnections between applications, and increased reliance on external service providers as well as open-source images makes restricting seccomp profiles crucial to improving cloud-native security. Filtering system calls is not the same as sandboxing.
    [Show full text]
  • Tizen Based Remote Controller CAR Using Raspberry Pi2
    #ELC2016 Tizen based remote controller CAR using raspberry pi2 Pintu Kumar ([email protected], [email protected]) Samsung Research India – Bangalore : Tizen Kernel/BSP Team Embedded Linux Conference – 06th April/2016 1 CONTENT #ELC2016 • INTRODUCTION • RASPBERRY PI2 OVERVIEW • TIZEN OVERVIEW • HARDWARE & SOFTWARE REQUIREMENTS • SOFTWARE CUSTOMIZATION • SOFTWARE SETUP & INTERFACING • HARDWARE INTERFACING & CONNECTIONS • ROBOT CONTROL MECHANISM • SOME RESULTS • CONCLUSION • REFERENCES Embedded Linux Conference – 06th April/2016 2 INTRODUCTION #ELC2016 • This talk is about designing a remote controller robot (toy car) using the raspberry pi2 hardware, pi2 Linux Kernel and Tizen OS as platform. • In this presentation, first we will see how to replace and boot Tizen OS on Raspberry Pi using the pre-built Tizen images. Then we will see how to setup Bluetooth, Wi-Fi on Tizen and finally see how to control a robot remotely using Tizen smart phone application. Embedded Linux Conference – 06th April/2016 3 RASPBERRY PI2 - OVERVIEW #ELC2016 1 GB RAM Embedded Linux Conference – 06th April/2016 4 Raspberry PI2 Features #ELC2016 • Broadcom BCM2836 900MHz Quad Core ARM Cortex-A7 CPU • 1GB RAM • 4 USB ports • 40 GPIO pins • Full HDMI port • Ethernet port • Combined 3.5mm audio jack and composite video • Camera interface (CSI) • Display interface (DSI) • Micro SD card slot • Video Core IV 3D graphics core Embedded Linux Conference – 06th April/2016 5 PI2 GPIO Pins #ELC2016 Embedded Linux Conference – 06th April/2016 6 TIZEN OVERVIEW #ELC2016 Embedded Linux Conference – 06th April/2016 7 TIZEN Profiles #ELC2016 Mobile Wearable IVI TV TIZEN Camera PC/Tablet Printer Common Next?? • TIZEN is the OS of everything.
    [Show full text]
  • Container and Kernel-Based Virtual Machine (KVM) Virtualization for Network Function Virtualization (NFV)
    Container and Kernel-Based Virtual Machine (KVM) Virtualization for Network Function Virtualization (NFV) White Paper August 2015 Order Number: 332860-001US YouLegal Lines andmay Disclaimers not use or facilitate the use of this document in connection with any infringement or other legal analysis concerning Intel products described herein. You agree to grant Intel a non-exclusive, royalty-free license to any patent claim thereafter drafted which includes subject matter disclosed herein. No license (express or implied, by estoppel or otherwise) to any intellectual property rights is granted by this document. All information provided here is subject to change without notice. Contact your Intel representative to obtain the latest Intel product specifications and roadmaps. The products described may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. Copies of documents which have an order number and are referenced in this document may be obtained by calling 1-800-548-4725 or by visiting: http://www.intel.com/ design/literature.htm. Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Learn more at http:// www.intel.com/ or from the OEM or retailer. Results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance. For more complete information about performance and benchmark results, visit www.intel.com/benchmarks. Tests document performance of components on a particular test, in specific systems.
    [Show full text]