System Integrity

   Sartakov A. Vasily
Summer Systems School’12
Software Hardening Methods
Compile-time:
    Canaries

Run time:
    Process Virtualization (Dalvik, Java VM)
    System Virtualization (KVM, Xen, L4)
    OS (Linux Kernel Ench.)
    HW support (MMU, Trust Zone)
1. Compiler time sw hardening
         1.1 Memory corruption mitigation methods

2. Linux operating system extension
         2.1 Container based os virtualization
         2.2 Linux security modules
         2.3 Gr security

3. Process virtualization and sandboxing
         3.1 Byte-code translation
         3.2 Sandboxing untrusted native code

4. System virtualization
         4.1 Hardware recruitment
         4.2 VM and VMMs
         4.3 Use cases
1. Compile-time Software Hardening



Memory Corruption Mitigation Methods:
       Code injection
       Arc injection
       Pointer Subterfuge
       Format String Attacks and Arithmetic Overflows
Code Injection
#include <stdlib.h>
#include <string.h>

/* Stack buffer */
void f1a(void *arg, size_t len) {
  char buff[100];
  memcpy(buff, arg, len); /* buffer overrun if len > 100 */
  /* ... */
  return;
}

/* Heap buffer */
void f1b(void *arg, size_t len) {
  char *ptr = malloc(100);
  if (ptr == NULL) return;
  memcpy(ptr, arg, len); /* buffer overrun if len > 100 */
  /* ... */
  free(ptr);
  return;
}
Stackguard   ProPolice
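
What StackGuard and ProPolice add to a function like f1a, modelled in portable C. This is an added example, not from the original slides: the struct frame layout, the guard value and the return codes are assumptions made for the demo, because a real canary is emitted by the compiler, not written by hand.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 100
/* Terminator-style guard value (NUL, LF, 0xff, CR); constructed for this demo. */
#define CANARY 0x000aff0dU

/* Hypothetical model of f1a's stack frame: buffer, guard word, control data. */
struct frame {
    char     buff[BUF_SIZE];
    uint32_t canary;     /* sits between the locals and ...             */
    uint32_t saved_ret;  /* ... the saved return address (stand-in)     */
};

enum { COPY_OK = 0, CANARY_CLOBBERED = -1, LENGTH_REJECTED = -2 };

/* f1a with a canary: the overrun still happens, but is detected on return. */
int f1a_canary(const void *arg, size_t len)
{
    struct frame fr;
    fr.canary = CANARY;              /* prologue: plant the guard word */
    fr.saved_ret = 0x11223344U;

    /* Clamp to the modelled frame so the demo itself stays well defined. */
    if (len > sizeof fr)
        len = sizeof fr;
    memcpy(&fr, arg, len);           /* not checked against BUF_SIZE, as in f1a */

    /* Epilogue: a real build aborts the process here instead of returning. */
    return fr.canary == CANARY ? COPY_OK : CANARY_CLOBBERED;
}

/* f1a with the bug itself fixed: the overrun never happens. */
int f1a_checked(const void *arg, size_t len)
{
    char buff[BUF_SIZE];
    if (len > sizeof buff)
        return LENGTH_REJECTED;
    memcpy(buff, arg, len);
    return COPY_OK;
}

int main(void)
{
    char input[sizeof(struct frame)];
    memset(input, 'A', sizeof input);    /* constructed sample input */

    printf("canary,  len=%d:  %d\n", BUF_SIZE, f1a_canary(input, BUF_SIZE));
    printf("canary,  len=%zu: %d\n", sizeof input, f1a_canary(input, sizeof input));
    printf("checked, len=%zu: %d\n", sizeof input, f1a_checked(input, sizeof input));
    return 0;
}
```

The canary turns silent corruption of the return address into a detected fault; only the length check removes the overrun.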
Pointer Subterfuge

EncodePointer / DecodePointer / EncodeSystemPointer / DecodeSystemPointer

#include <string.h>

void SomeFunc() {
    // do something
}

typedef void (*FUNC_PTR )(void);

int DangerousFunc(char *szString) {
    char buf[32];
    strcpy(buf,szString);   // unbounded copy into buf

    FUNC_PTR fp = (FUNC_PTR)(&SomeFunc);
    // Other code
    // Other code
    (*fp)();
    return 0;
}
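
The idea behind EncodePointer/DecodePointer and PointGuard, applied to the fp in DangerousFunc. This is an added example, not from the original slides: it uses a plain XOR with a per-process secret, and g_cookie, init_cookie, encode_ptr, decode_ptr and guarded_call are hypothetical names, not the Windows API.

```c
#include <stdint.h>
#include <stdio.h>

typedef void (*FUNC_PTR)(void);

static uintptr_t g_cookie;   /* per-process secret (hypothetical name) */
static int g_calls;          /* counts calls that reached SomeFunc */

void SomeFunc(void) { g_calls++; }

/* Draw the secret once at start-up; returns 0 on success. */
int init_cookie(void)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t n = fread(&g_cookie, sizeof g_cookie, 1, f);
    fclose(f);
    return (n == 1 && g_cookie != 0) ? 0 : -1;
}

/* The pointer is kept in memory only in encoded form ... */
uintptr_t encode_ptr(FUNC_PTR p)
{
    return (uintptr_t)p ^ g_cookie;
}

/* ... and decoded immediately before it is used. */
FUNC_PTR decode_ptr(uintptr_t stored)
{
    return (FUNC_PTR)(stored ^ g_cookie);
}

/*
 * Decode and call. A raw address written over the stored slot decodes to
 * (address ^ cookie), which is not the address that was written. The
 * comparison with SomeFunc is demo-only so the program can report the
 * mismatch; a real program would jump to the unpredictable value and fault.
 */
int guarded_call(uintptr_t stored)
{
    FUNC_PTR fp = decode_ptr(stored);
    if (fp != SomeFunc)
        return -1;
    fp();
    return 0;
}

int main(void)
{
    if (init_cookie() != 0) {
        fprintf(stderr, "no entropy source\n");
        return 1;
    }

    uintptr_t slot = encode_ptr(SomeFunc);      /* what lives next to buf */
    printf("intact slot:    %d\n", guarded_call(slot));

    slot = (uintptr_t)SomeFunc;                 /* slot overwritten with a raw address */
    printf("overwritten:    %d\n", guarded_call(slot));
    printf("calls reaching SomeFunc: %d\n", g_calls);
    return 0;
}
```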
Format String Attacks and Arithmetic Overflows


Crispin Cowan, Steve Beattie, John Johansen, and Perry Wagle.
PointGuard™: protecting pointers from buffer overflow
vulnerabilities. In Proceedings of the 12th conference on USENIX
Security Symposium - Volume 12, pages 7–7, Berkeley, CA,
USA, 2003. USENIX Association.

Jonathan Pincus and Brandon Baker. Beyond stack smashing:
Recent advances in exploiting buffer overruns. IEEE Security and
Privacy, 2:20–27, July 2004.

Shacham, Hovav; Buchanan, Erik; Roemer, Ryan; Savage, Stefan.
"Return-Oriented Programming: Exploits Without Code Injection".
Retrieved 2009-08-12.



http://gcc.gnu.org/bugzilla/show_bug.cgi?id=323c
2. Linux operating system extension
2.1 Container based os virtualisation
    Linux-VServer
    Virtuozzo and OpenVZ
    Linux containers
2.2 Linux security modules
    SELinux
    AppArmor
    Smack
    TOMOYO Linux
2.3 Grsecurity
    PaX
    Role based access control
2.1 Container based os virtualisation




Linux-Vserver
Virtuozzo
OpenVZ
LXC (Linux Container Tools)




The core concept of container-based operating system virtualization is to run
completely isolated virtual servers sharing the same kernel. Compared to
system virtualization, this reduces the required memory for additional
kernels on the one hand but at the same time it might increase the
vulnerability of the system. If an attacker gains full access to the kernel all
virtual servers are compromised. System Virtualization would offer an
additional level of isolation and therefore more security in this case.
Linux-VServer
 •   Security contexts
 •   Segmented routing
 •   Chroot
 •   Extended quotas
 •   Further standard tools


 • High-performance computing (HPC) clusters
 • The Grid
 • Distributed hosting organizations like PlanetLab and Amazon EC2

The Host kernel should be patched

Start/Stop/Resume

The system provides a Shared OS Image consisting of a root file system and a set of
system libraries and executables. This Shared OS Image together with a
privileged host VM builds the Hosting Platform.
Virtuozzo and OpenVZ

OpenVZ is operating system virtualization based on the
Linux kernel. It is very similar to Linux-VServer. Like Linux-
VServer it requires a patched Linux kernel. Here likewise
Debian ships prebuilt kernel images. Unfortunately, the
patches are not provided for each Linux kernel release.
OpenVZ is the basis for Parallels Virtuozzo Containers, which
is a commercial product by Parallels.
Usage scenarios and evaluation are basically the same as
for the Linux-VServer project.
Linux Containers (LXC)
• Namespace isolation
• Linux kernel control groups (cgroups)


•   PID namespace
•   Network namespace
•   UTS namespace (hostname)
•   Mount namespace
•   IPC namespace


•   Control (Restart, Freeze, etc.)
•   Resource limiting (Memory)
•   Prioritization (CPU, I/O)
•   Accounting

The best solution for lightweight isolation of Linux processes without much inter-process
communication.
Terminology 1. Access control models




  * Discretionary access control
  * Mandatory access control
  * Role-based access control




                                       Subject -- Object
2.2 Linux security modules

The Linux Security Modules (LSM) framework is part of the Linux Kernel. It provides
lightweight, general support for access control by allowing modules to define security hooks:

• Task Hooks
• Program Loading Hooks
• IPC Hooks
• Filesystem Hooks
• Network Hooks
• Module hooks (e.g. module initialization)
• System hooks (e.g. hostname setting)

Modules:
•   AppArmor
•   SELinux
•   Smack
•   TOMOYO Linux
Security-Enhanced Linux




      MAC
  Part of Linux
Smack

Smack is the abbreviation for Simplified Mandatory Access Control Kernel for Linux. It is
part of the MeeGo Security Architecture, but not exclusively dedicated to it.
As the name already suggests, Smack provides Mandatory Access Control in a simpler way
than e.g. SELinux. The author states that simplicity is the primary design goal of Smack.
Like AppArmor, Smack requires extended file attributes. There it stores labels for files
which must match labels associated with processes to grant access. Additionally, special
rules can be added for file labels and process labels that do not match.

TOMOYO Linux

TOMOYO Linux is another pathname-based access control system for Linux. It also
implements Mandatory Access Control, but additionally it is stated to be useful as a pure
system analysis tool. Like e.g. AppArmor, TOMOYO Linux also provides tools for
automatic policy generation and it is designed to be easy to use with a simple syntax for
policies.

AppArmor

AppArmor is an alternative to SELinux. It is a pathname-based access control system and
requires a file system with extended attributes support. The original goal was to provide a
SELinux-like Mandatory Access Control mechanism, which is simpler to manage for
the typical user. Therefore, AppArmor implements a learning mode to create profiles
of the typical program's behavior.
While AppArmor is a simple and powerful solution for end-users, it seems that SELinux is
more powerful to implement advanced security concepts on top of it.
2.3 Grsecurity
GrSecurity is a set of security related patches for
the Linux kernel. Some major security
enhancements are:
• Stack and Heap modification protection (PaX)
• Role-based Access Control (RBAC)
• Chroot restrictions
• Auditing
PaX

PaX is a major component of GrSecurity. Amongst other things, the patch adds three
memory protection mechanisms:
• Data memory is flagged as non-executable (NX bit)
• Program memory is flagged as non-writable
• Program memory is randomly arranged, known as address space layout randomization (ASLR)
Recent mainline kernel versions added some similar protection mechanisms for suitable
memory regions on x86 systems.

RBAC

While PaX implements the principle of least privilege for memory management, another
component of GrSecurity (RBAC) implements it for users and processes. This means
that users and processes get only the privileges which are required to work correctly.
It should be noted that, besides this implementation aspect, the RBAC concept can be
applied in very different fields of application.
3. Process virtualization and sandboxing

Skip
4. System Virtualization

4.1 Hardware recruitment
4.2 VM and VMMs
    Linux KVM Hypervisor
    Xen Hypervisor
    L4 Microkernel based
4.3 Use cases
4.1 Hardware recruitment



* HW support:
Johannes Winter. Trusted computing building blocks for embedded
linux-based arm trustzone platforms. In Proceedings of the 3rd ACM
workshop on Scalable trusted computing, STC’08, pages 21–30, New
York, NY, USA, 2008. ACM.

*   Intel VT-x
*   AMD-V
*   ARM TrustZone
*   ARM Cortex-A15 including full hardware virtualization
*   DMA and IOMMU
Terminology 2. Virtualization, Virtual machines




* System virtualization or hardware virtualization allows running multiple operating
systems on one physical machine.
* Guest and Host OS
* VMM / hypervisor
* Type 1 / Native – Bare Metal
* Type 2 / Hosted – on top of OS
* Paravirtualization – VMM doesn't provide an interface that is identical to real hardware
Linux KVM Hypervisor



    * Part of Linux kernel
    * QEMU
    * VT-x AMD-V extension
    * Big trusted computing base (TCB)
    * Low overhead
Xen hypervisor

     Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim
     Harris, Alex Ho, Rolf Neugebauer, Ian Pratt, and Andrew
     Warfield. Xen and the art of virtualization. In Proceedings of the
     nineteenth ACM symposium on Operating systems principles,
     SOSP ’03, pages 164–177, New York, NY, USA, 2003. ACM.

     Muli Ben-Yehuda, Jon Mason, Orran Krieger, Jimi Xenidis,
     Leendert Van Doorn, Asit Mallick, Jun Nakajima, and Elsie
     Wahlig. Utilizing iommus for virtualization in linux and xen. In
     Proceedings of the 2006 Ottawa Linux Symposium (OLS 2006),
     2006.

     Jonathan M. McCune, Trent Jaeger, Stefan Berger, Ramon
     Caceres, and Reiner Sailer. Shamon: A system for distributed
     mandatory access control. In Proceedings of the 22nd Annual
     Computer Security Applications Conference, pages 23–32,
     Washington, DC, USA, 2006. IEEE Computer Society.
L4 microkernel

* User-level components

* Address spaces (tasks)
* Threads
* Scheduling
* Inter-process communication


* Reusing
* TCB
[Diagram: L4Linux, app and L4Linux on top of Moe, Mag, Ned and IO, on top of Fiasco.OC]
4.3 Use Case




[Diagram: L4Linux (eth0), Crypto, app and L4Linux (eth1) on top of Moe, Mag, Ned and IO, on top of Fiasco.OC]

Сетевая подсистема в L4Re и GenodeVasily Sartakov
 
Защита памяти при помощи NX-bit в среде L4Re
Защита памяти при помощи NX-bit в среде L4ReЗащита памяти при помощи NX-bit в среде L4Re
Защита памяти при помощи NX-bit в среде L4ReVasily Sartakov
 
Hardware Errors and the OS
Hardware Errors and the OSHardware Errors and the OS
Hardware Errors and the OSVasily Sartakov
 
Operating Systems Meet Fault Tolerance
Operating Systems Meet Fault ToleranceOperating Systems Meet Fault Tolerance
Operating Systems Meet Fault ToleranceVasily Sartakov
 
Operating Systems Hardening
Operating Systems HardeningOperating Systems Hardening
Operating Systems HardeningVasily Sartakov
 
Особенности Национального RnD
Особенности Национального RnDОсобенности Национального RnD
Особенности Национального RnDVasily Sartakov
 
Introduction to Microkernels
Introduction to MicrokernelsIntroduction to Microkernels
Introduction to MicrokernelsVasily Sartakov
 
Advanced Components on Top of L4Re
Advanced Components on Top of L4ReAdvanced Components on Top of L4Re
Advanced Components on Top of L4ReVasily Sartakov
 
Применение Fiasco.OC
Применение Fiasco.OCПрименение Fiasco.OC
Применение Fiasco.OCVasily Sartakov
 

Mais de Vasily Sartakov (20)

Мейнстрим технологии шифрованной памяти
Мейнстрим технологии шифрованной памятиМейнстрим технологии шифрованной памяти
Мейнстрим технологии шифрованной памяти
 
RnD Collaborations in Asia-Pacific Region
RnD Collaborations in Asia-Pacific RegionRnD Collaborations in Asia-Pacific Region
RnD Collaborations in Asia-Pacific Region
 
Сетевая подсистема в L4Re и Genode
Сетевая подсистема в L4Re и GenodeСетевая подсистема в L4Re и Genode
Сетевая подсистема в L4Re и Genode
 
Защита памяти при помощи NX-bit в среде L4Re
Защита памяти при помощи NX-bit в среде L4ReЗащита памяти при помощи NX-bit в среде L4Re
Защита памяти при помощи NX-bit в среде L4Re
 
Hardware Errors and the OS
Hardware Errors and the OSHardware Errors and the OS
Hardware Errors and the OS
 
Operating Systems Meet Fault Tolerance
Operating Systems Meet Fault ToleranceOperating Systems Meet Fault Tolerance
Operating Systems Meet Fault Tolerance
 
Intro
IntroIntro
Intro
 
Genode OS Framework
Genode OS FrameworkGenode OS Framework
Genode OS Framework
 
Operating Systems Hardening
Operating Systems HardeningOperating Systems Hardening
Operating Systems Hardening
 
Особенности Национального RnD
Особенности Национального RnDОсобенности Национального RnD
Особенности Национального RnD
 
Genode Architecture
Genode ArchitectureGenode Architecture
Genode Architecture
 
Genode Components
Genode ComponentsGenode Components
Genode Components
 
Genode Programming
Genode ProgrammingGenode Programming
Genode Programming
 
Genode Compositions
Genode CompositionsGenode Compositions
Genode Compositions
 
Trusted Computing Base
Trusted Computing BaseTrusted Computing Base
Trusted Computing Base
 
Intro
IntroIntro
Intro
 
Memory, IPC and L4Re
Memory, IPC and L4ReMemory, IPC and L4Re
Memory, IPC and L4Re
 
Introduction to Microkernels
Introduction to MicrokernelsIntroduction to Microkernels
Introduction to Microkernels
 
Advanced Components on Top of L4Re
Advanced Components on Top of L4ReAdvanced Components on Top of L4Re
Advanced Components on Top of L4Re
 
Применение Fiasco.OC
Применение Fiasco.OCПрименение Fiasco.OC
Применение Fiasco.OC
 

Último

....................Muslim-Law notes.pdf
....................Muslim-Law notes.pdf....................Muslim-Law notes.pdf
....................Muslim-Law notes.pdfVikramadityaRaj
 
How to Manage Closest Location in Odoo 17 Inventory
How to Manage Closest Location in Odoo 17 InventoryHow to Manage Closest Location in Odoo 17 Inventory
How to Manage Closest Location in Odoo 17 InventoryCeline George
 
Exploring Gemini AI and Integration with MuleSoft | MuleSoft Mysore Meetup #45
Exploring Gemini AI and Integration with MuleSoft | MuleSoft Mysore Meetup #45Exploring Gemini AI and Integration with MuleSoft | MuleSoft Mysore Meetup #45
Exploring Gemini AI and Integration with MuleSoft | MuleSoft Mysore Meetup #45MysoreMuleSoftMeetup
 
factors influencing drug absorption-final-2.pptx
factors influencing drug absorption-final-2.pptxfactors influencing drug absorption-final-2.pptx
factors influencing drug absorption-final-2.pptxSanjay Shekar
 
BỘ LUYỆN NGHE TIẾNG ANH 8 GLOBAL SUCCESS CẢ NĂM (GỒM 12 UNITS, MỖI UNIT GỒM 3...
BỘ LUYỆN NGHE TIẾNG ANH 8 GLOBAL SUCCESS CẢ NĂM (GỒM 12 UNITS, MỖI UNIT GỒM 3...BỘ LUYỆN NGHE TIẾNG ANH 8 GLOBAL SUCCESS CẢ NĂM (GỒM 12 UNITS, MỖI UNIT GỒM 3...
BỘ LUYỆN NGHE TIẾNG ANH 8 GLOBAL SUCCESS CẢ NĂM (GỒM 12 UNITS, MỖI UNIT GỒM 3...Nguyen Thanh Tu Collection
 
Navigating the Misinformation Minefield: The Role of Higher Education in the ...
Navigating the Misinformation Minefield: The Role of Higher Education in the ...Navigating the Misinformation Minefield: The Role of Higher Education in the ...
Navigating the Misinformation Minefield: The Role of Higher Education in the ...Mark Carrigan
 
How to Analyse Profit of a Sales Order in Odoo 17
How to Analyse Profit of a Sales Order in Odoo 17How to Analyse Profit of a Sales Order in Odoo 17
How to Analyse Profit of a Sales Order in Odoo 17Celine George
 
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文中 央社
 
Dementia (Alzheimer & vasular dementia).
Dementia (Alzheimer & vasular dementia).Dementia (Alzheimer & vasular dementia).
Dementia (Alzheimer & vasular dementia).Mohamed Rizk Khodair
 
How to the fix Attribute Error in odoo 17
How to the fix Attribute Error in odoo 17How to the fix Attribute Error in odoo 17
How to the fix Attribute Error in odoo 17Celine George
 
Stl Algorithms in C++ jjjjjjjjjjjjjjjjjj
Stl Algorithms in C++ jjjjjjjjjjjjjjjjjjStl Algorithms in C++ jjjjjjjjjjjjjjjjjj
Stl Algorithms in C++ jjjjjjjjjjjjjjjjjjMohammed Sikander
 
Envelope of Discrepancy in Orthodontics: Enhancing Precision in Treatment
 Envelope of Discrepancy in Orthodontics: Enhancing Precision in Treatment Envelope of Discrepancy in Orthodontics: Enhancing Precision in Treatment
Envelope of Discrepancy in Orthodontics: Enhancing Precision in Treatmentsaipooja36
 
Features of Video Calls in the Discuss Module in Odoo 17
Features of Video Calls in the Discuss Module in Odoo 17Features of Video Calls in the Discuss Module in Odoo 17
Features of Video Calls in the Discuss Module in Odoo 17Celine George
 
ppt your views.ppt your views of your college in your eyes
ppt your views.ppt your views of your college in your eyesppt your views.ppt your views of your college in your eyes
ppt your views.ppt your views of your college in your eyesashishpaul799
 
Essential Safety precautions during monsoon season
Essential Safety precautions during monsoon seasonEssential Safety precautions during monsoon season
Essential Safety precautions during monsoon seasonMayur Khatri
 
ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH FORM 50 CÂU TRẮC NGHI...
ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH FORM 50 CÂU TRẮC NGHI...ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH FORM 50 CÂU TRẮC NGHI...
ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH FORM 50 CÂU TRẮC NGHI...Nguyen Thanh Tu Collection
 
TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT VẬT LÝ 2024 - TỪ CÁC TRƯỜNG, TRƯ...
TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT VẬT LÝ 2024 - TỪ CÁC TRƯỜNG, TRƯ...TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT VẬT LÝ 2024 - TỪ CÁC TRƯỜNG, TRƯ...
TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT VẬT LÝ 2024 - TỪ CÁC TRƯỜNG, TRƯ...Nguyen Thanh Tu Collection
 
Capitol Tech Univ Doctoral Presentation -May 2024
Capitol Tech Univ Doctoral Presentation -May 2024Capitol Tech Univ Doctoral Presentation -May 2024
Capitol Tech Univ Doctoral Presentation -May 2024CapitolTechU
 

Último (20)

....................Muslim-Law notes.pdf
....................Muslim-Law notes.pdf....................Muslim-Law notes.pdf
....................Muslim-Law notes.pdf
 
How to Manage Closest Location in Odoo 17 Inventory
How to Manage Closest Location in Odoo 17 InventoryHow to Manage Closest Location in Odoo 17 Inventory
How to Manage Closest Location in Odoo 17 Inventory
 
Exploring Gemini AI and Integration with MuleSoft | MuleSoft Mysore Meetup #45
Exploring Gemini AI and Integration with MuleSoft | MuleSoft Mysore Meetup #45Exploring Gemini AI and Integration with MuleSoft | MuleSoft Mysore Meetup #45
Exploring Gemini AI and Integration with MuleSoft | MuleSoft Mysore Meetup #45
 
factors influencing drug absorption-final-2.pptx
factors influencing drug absorption-final-2.pptxfactors influencing drug absorption-final-2.pptx
factors influencing drug absorption-final-2.pptx
 
BỘ LUYỆN NGHE TIẾNG ANH 8 GLOBAL SUCCESS CẢ NĂM (GỒM 12 UNITS, MỖI UNIT GỒM 3...
BỘ LUYỆN NGHE TIẾNG ANH 8 GLOBAL SUCCESS CẢ NĂM (GỒM 12 UNITS, MỖI UNIT GỒM 3...BỘ LUYỆN NGHE TIẾNG ANH 8 GLOBAL SUCCESS CẢ NĂM (GỒM 12 UNITS, MỖI UNIT GỒM 3...
BỘ LUYỆN NGHE TIẾNG ANH 8 GLOBAL SUCCESS CẢ NĂM (GỒM 12 UNITS, MỖI UNIT GỒM 3...
 
Navigating the Misinformation Minefield: The Role of Higher Education in the ...
Navigating the Misinformation Minefield: The Role of Higher Education in the ...Navigating the Misinformation Minefield: The Role of Higher Education in the ...
Navigating the Misinformation Minefield: The Role of Higher Education in the ...
 
How to Analyse Profit of a Sales Order in Odoo 17
How to Analyse Profit of a Sales Order in Odoo 17How to Analyse Profit of a Sales Order in Odoo 17
How to Analyse Profit of a Sales Order in Odoo 17
 
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文
 
Dementia (Alzheimer & vasular dementia).
Dementia (Alzheimer & vasular dementia).Dementia (Alzheimer & vasular dementia).
Dementia (Alzheimer & vasular dementia).
 
How to the fix Attribute Error in odoo 17
How to the fix Attribute Error in odoo 17How to the fix Attribute Error in odoo 17
How to the fix Attribute Error in odoo 17
 
Stl Algorithms in C++ jjjjjjjjjjjjjjjjjj
Stl Algorithms in C++ jjjjjjjjjjjjjjjjjjStl Algorithms in C++ jjjjjjjjjjjjjjjjjj
Stl Algorithms in C++ jjjjjjjjjjjjjjjjjj
 
“O BEIJO” EM ARTE .
“O BEIJO” EM ARTE                       .“O BEIJO” EM ARTE                       .
“O BEIJO” EM ARTE .
 
Envelope of Discrepancy in Orthodontics: Enhancing Precision in Treatment
 Envelope of Discrepancy in Orthodontics: Enhancing Precision in Treatment Envelope of Discrepancy in Orthodontics: Enhancing Precision in Treatment
Envelope of Discrepancy in Orthodontics: Enhancing Precision in Treatment
 
Features of Video Calls in the Discuss Module in Odoo 17
Features of Video Calls in the Discuss Module in Odoo 17Features of Video Calls in the Discuss Module in Odoo 17
Features of Video Calls in the Discuss Module in Odoo 17
 
ppt your views.ppt your views of your college in your eyes
ppt your views.ppt your views of your college in your eyesppt your views.ppt your views of your college in your eyes
ppt your views.ppt your views of your college in your eyes
 
Essential Safety precautions during monsoon season
Essential Safety precautions during monsoon seasonEssential Safety precautions during monsoon season
Essential Safety precautions during monsoon season
 
ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH FORM 50 CÂU TRẮC NGHI...
ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH FORM 50 CÂU TRẮC NGHI...ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH FORM 50 CÂU TRẮC NGHI...
ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH FORM 50 CÂU TRẮC NGHI...
 
TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT VẬT LÝ 2024 - TỪ CÁC TRƯỜNG, TRƯ...
TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT VẬT LÝ 2024 - TỪ CÁC TRƯỜNG, TRƯ...TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT VẬT LÝ 2024 - TỪ CÁC TRƯỜNG, TRƯ...
TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT VẬT LÝ 2024 - TỪ CÁC TRƯỜNG, TRƯ...
 
Capitol Tech Univ Doctoral Presentation -May 2024
Capitol Tech Univ Doctoral Presentation -May 2024Capitol Tech Univ Doctoral Presentation -May 2024
Capitol Tech Univ Doctoral Presentation -May 2024
 
Operations Management - Book1.p - Dr. Abdulfatah A. Salem
Operations Management - Book1.p  - Dr. Abdulfatah A. SalemOperations Management - Book1.p  - Dr. Abdulfatah A. Salem
Operations Management - Book1.p - Dr. Abdulfatah A. Salem
 

System Integrity

  • 1. System Integrity Sartakov A. Vasily Summer Systems School’12
  • 2. Software Hardening Methods
      Compile-time: Canaries
      Run time: Process Virtualization (Dalvik, Java VM); System Virtualization (KVM, Xen, L4); OS (Linux Kernel Ench.); HW support (MMU, Trust Zone)
  • 3. Outline
      1. Compiler time sw hardening
         1.1 Memory corruption mitigation methods
      2. Linux operating system extension
         2.1 Container based os virtualization
         2.2 Linux security modules
         2.3 Gr security
      3. Process virtualization and sandboxing
         3.1 Byte-code translation
         3.2 Sandboxing untrusted native code
      4. System virtualization
         4.1 Hardware recruitment
         4.2 VM and VMMs
         4.3 Use cases
  • 4. 1. Compile-time Software Hardening
      Memory Corruption Mitigation Methods: Code injection; Arc injection; Pointer Subterfuge; Format String Attacks and Arithmetic Overflows
  • 5. Code Injection

        #include <stdlib.h>
        #include <string.h>

        void f1a(void *arg, size_t len) {
          char buff[100];
          memcpy(buff, arg, len); /* buffer overrun if len > 100 */
          /* ... */
          return;
        }

        void f1b(void *arg, size_t len) {
          char *ptr = malloc(100);
          if (ptr == NULL) return;
          memcpy(ptr, arg, len); /* buffer overrun if len > 100 */
          /* ... */
          return;
        }
  • 6. Stackguard ProPolice
  • 7. Pointer Subterfuge
      Labels between the two code columns: EncodePointer, DecodePointer, EncodeSystemPointer, DecodeSystemPointer
      The slide shows the following code twice, side by side:

        #include <string.h>

        void SomeFunc() {
          // do something
        }

        typedef void (*FUNC_PTR )(void);

        int DangerousFunc(char *szString) {
          char buf[32];
          strcpy(buf,szString);  // no length check: a long szString overruns buf
          FUNC_PTR fp = (FUNC_PTR)(&SomeFunc);
          // Other code
          // Other code
          (*fp)();
          return 0;
        }
  • 8. Format String Attacks and Arithmetic Overflows
      References:
      - Crispin Cowan, Steve Beattie, John Johansen, and Perry Wagle. PointGuard™: protecting pointers from buffer overflow vulnerabilities. In Proceedings of the 12th conference on USENIX Security Symposium - Volume 12, pages 7–7, Berkeley, CA, USA, 2003. USENIX Association.
      - Jonathan Pincus and Brandon Baker. Beyond stack smashing: Recent advances in exploiting buffer overruns. IEEE Security and Privacy, 2:20–27, July 2004.
      - Shacham, Hovav; Buchanan, Erik; Roemer, Ryan; Savage, Stefan. "Return-Oriented Programming: Exploits Without Code Injection". Retrieved 2009-08-12.
      - http://gcc.gnu.org/bugzilla/show_bug.cgi?id=323c
  • 9. 2. Linux operating system extension
      2.1 Container based os virtualisation: Linux-vserver; Virtuozzo and openvz; Linux containers
      2.2 Linux security modules: SElinux; Apparmor; Smack; Tomoyo Linux
      2.3 Grsecurity: Pax; Role based access control
  • 10. 2.1 Container based os virtualisation
      Linux-Vserver; Virtuozzo; OpenVZ; LXC (Linux Container Tools)
      The core concept of container-based operating system virtualization is to run completely isolated virtual servers sharing the same kernel. Compared to system virtualization, this reduces the required memory for additional kernels on the one hand but at the same time it might increase the vulnerability of the system. If an attacker gains full access to the kernel all virtual servers are compromised. System Virtualization would offer an additional level of isolation and therefore more security in this case.
  • 11. Linux-VServer
      • Security contexts • Segmented routing • Chroot • Extended quotas • Further standard tools
      • High-performance computing (HPC) clusters • The Grid • Distributed hosting organizations like PlanetLab and Amazon EC2
      The Host kernel should be patched.
      The system provides a Shared OS Image consisting of a root file system and a set of system libraries and executables. This Shared OS Image together with a privileged host VM builds the Hosting Platform.
      Start/Stop/Resume
  • 12. Virtuozzo and OpenVZ OpenVZ is operating system virtualization based on the Linux kernel. It is very similar to Linux-VServer. Like Linux-VServer it requires a patched Linux kernel. Here likewise Debian ships prebuilt kernel images. Unfortunately, the patches are not provided for each Linux kernel release. OpenVZ is the basis for Parallels Virtuozzo Containers, which is a commercial product by Parallels. Usage scenarios and evaluation are basically the same as for the Linux-VServer project.
  • 13. Linux Containers (LXC) • Namespace isolation • Linux kernel control groups (cgroups) • PID namespace • Network namespace • UTS namespace (hostname) • Mount namespace • IPC namespace • Control (Restart, Freeze, etc.) • Resource limiting (Memory) • Prioritization (CPU, I/O) • Accounting The best solution for lightweight isolation of Linux processes without much inter-process communication.
  • 14. Terminology 1. Access control models * Discretionary access control * Mandatory access control * Role-based access control Subject -- Object
  • 15. 2.2 Linux security modules
      The Linux Security Modules (LSM) framework is part of the Linux Kernel. It provides lightweight, general support for access control by allowing modules to define security hooks:
      • Task Hooks • Program Loading Hooks • IPC Hooks • Filesystem Hooks • Network Hooks • Module hooks (e.g. module initialization) • System hooks (e.g. hostname setting)
      • AppArmor • SELinux • Smack • TOMOYO Linux
  • 16. Security-Enhanced Linux MAC Part of Linux
  • 17. Smack, TOMOYO Linux, AppArmor
      Smack: Smack is the abbreviation for Simplified Mandatory Access Control Kernel for Linux. It is part of the MeeGo Security Architecture, but not exclusively dedicated to it. As the name already suggests, Smack provides Mandatory Access Control in a simpler way than e.g. SELinux. The author states that simplicity is the primary design goal of Smack. Like AppArmor, Smack requires extended file attributes. There it stores labels for files which must match labels associated with processes to grant access. Additionally, special rules can be added for file labels and process labels that do not match.
      TOMOYO Linux: TOMOYO Linux is another pathname-based access control system for Linux. It also implements Mandatory Access Control, but additionally it is stated to be useful as a pure system analysis tool. Like e.g. AppArmor, TOMOYO Linux also provides tools for automatic policy generation and it is designed to be easy to use with a simple syntax for policies.
      AppArmor: AppArmor is an alternative to SELinux. It is a pathname-based access control system and it requires a file system with extended attributes support. The original goal was to provide a SELinux-like Mandatory Access Control mechanism, which is simpler to manage for the typical user. Therefore, AppArmor implements a learning mode to create profiles of the typical program's behavior. While AppArmor is a simple and powerful solution for end-users, it seems that SELinux is more powerful to implement advanced security concepts on top of it.
  • 18. 2.3 Grsecurity
      GrSecurity is a set of security related patches for the Linux kernel. Some major security enhancements are: • Stack and Heap modification protection (PaX) • Role-based Access Control (RBAC) • Chroot restrictions • Auditing
      PaX: PaX is a major component of GrSecurity. Amongst other things, the patch adds three memory protection mechanisms: • Data memory is flagged as non-executable (NX bit) • Program memory is flagged as non-writable • Program memory is randomly arranged, known as address space layout randomization (ASLR). Recent mainline kernel versions added some similar protection mechanisms for suitable memory regions on x86 systems.
      RBAC: While PaX implements the principle of least privileges for memory management, another component of GrSecurity (RBAC) implements it for users and processes. This means that users and processes get only the privileges which are required to work correctly. It should be noted that, besides this implementation aspect, the RBAC concept can be applied in very different fields of applications.
  • 19. 3. Process virtualization and sandboxing Skip
  • 20. 4. System Virtualization 4.1 Hardware recruitment 4.2 VM and VMMs Linux KVM Hypervisor Xen Hypervisor L4 Microkernel based 4.3 Use cases
  • 21. 4.1 Hardware recruitment * HW support: Johannes Winter. Trusted computing building blocks for embedded linux-based arm trustzone platforms. In Proceedings of the 3rd ACM workshop on Scalable trusted computing, STC’08, pages 21–30, New York, NY, USA, 2008. ACM. * Intel VT-x * AMD-V * ARM TrustZone * ARM Cortex-A15 including full hardware virtualization * DMA and IOMMU
  • 22. Terminology 2. Virtualization, Virtual machines * System virtualization or hardware virtualization allows running multiple operating systems on one physical machine. * Guest and Host OS * VMM / hypervisor * Type 1 / Native – Bare Metal * Type 2 / Hosted – on top of OS * Paravirtualization – VMM doesn't provide an interface that is identical to real hardware
  • 23. Linux KVM Hypervisor * Part of Linux kernel * QEMU * VT-x AMD-V extension * Big trusted computing base (TCB) * Low overhead
  • 24. Xen hypervisor Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim Harris, Alex Ho, Rolf Neugebauer, Ian Pratt, and Andrew Warfield. Xen and the art of virtualization. In Proceedings of the nineteenth ACM symposium on Operating systems principles, SOSP ’03, pages 164–177, New York, NY, USA, 2003. ACM. Muli Ben-Yehuda, Jon Mason, Orran Krieger, Jimi Xenidis, Leendert Van Doorn, Asit Mallick, Jun Nakajima, and Elsie Wahlig. Utilizing iommus for virtualization in linux and xen. In Proceedings of the 2006 Ottawa Linux Symposium (OLS 2006), 2006. Jonathan M. McCune, Trent Jaeger, Stefan Berger, Ramon Caceres, and Reiner Sailer. Shamon: A system for distributed mandatory access control. In Proceedings of the 22nd Annual Computer Security Applications Conference, pages 23–32, Washington, DC, USA, 2006. IEEE Computer Society.
  • 25. L4 microkernel * User-level components * Address spaces (tasks) * Threads * Scheduling * Inter-process communication * Reusing * TCB (diagram labels: L4Linux, L4Linux, app, Moe, Mag, Ned, IO, Fiasco.OC)
  • 26. 4.3 Use Case (diagram labels: Crypto, L4Linux (eth0), L4Linux (eth1), app, Moe, Mag, Ned, IO, Fiasco.OC)
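
Slides 5 and 6 pair the unchecked memcpy in f1a with the StackGuard/ProPolice canary. The C model below is an added example, not code from the slides: it places a guard word between the buffer and a stand-in return address, shows the epilogue check catching the overrun, and sets it beside the length check that prevents the overrun. struct frame, GUARD and the copy_* functions are hypothetical names, and the frame is a struct so the overrun stays inside one object.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 100

/* Model of the interesting part of f1a's stack frame: the buffer, a guard
 * word after it, then a stand-in for the saved return address. */
struct frame {
    char      buff[BUF_LEN];
    uintptr_t canary;
    uintptr_t saved_ret;
};

/* Constructed guard value for this example; a hardened build picks the
 * guard at program start rather than hard-coding it. */
#define GUARD ((uintptr_t)0x000aff0dU)

enum copy_result { COPY_OK, COPY_REJECTED, COPY_SMASHED };

/* "Prologue": clear the frame, plant the guard, record the return address. */
void frame_init(struct frame *f, uintptr_t ret) {
    memset(f, 0, sizeof *f);
    f->canary = GUARD;
    f->saved_ret = ret;
}

/* f1a as on the slide: len is trusted. The copy goes through the frame's
 * bytes, so anything past BUF_LEN runs into the guard and then saved_ret.
 * len is clamped to the frame so the model itself never leaves the object.
 * The return statement is the "epilogue": verify the guard before returning. */
enum copy_result copy_unchecked(struct frame *f, const void *arg, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy((unsigned char *)f, arg, len);
    return f->canary == GUARD ? COPY_OK : COPY_SMASHED;
}

/* Source-level fix: refuse lengths that do not fit the buffer at all. */
enum copy_result copy_checked(struct frame *f, const void *arg, size_t len) {
    if (len > sizeof f->buff) return COPY_REJECTED;
    memcpy(f->buff, arg, len);
    return f->canary == GUARD ? COPY_OK : COPY_SMASHED;
}

int main(void) {
    unsigned char input[sizeof(struct frame)];   /* constructed oversized input */
    struct frame f;
    memset(input, 'A', sizeof input);

    frame_init(&f, (uintptr_t)0x1000);
    printf("unchecked, len=%d  -> %d\n", BUF_LEN,
           (int)copy_unchecked(&f, input, BUF_LEN));
    printf("unchecked, len=%zu -> %d (saved_ret now %#lx)\n", sizeof f,
           (int)copy_unchecked(&f, input, sizeof f),
           (unsigned long)f.saved_ret);

    frame_init(&f, (uintptr_t)0x1000);
    printf("checked,   len=%zu -> %d (saved_ret still %#lx)\n", sizeof f,
           (int)copy_checked(&f, input, sizeof f),
           (unsigned long)f.saved_ret);
    return 0;
}
```

The canary detects the damage only after it has happened and only when the write passes through the guard word; the length check keeps the write from happening at all.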
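
Slide 7 names EncodePointer/DecodePointer as the answer to pointer subterfuge, and slide 8 cites PointGuard. The sketch below is an added example (not from the slides, and not the Windows API) of the XOR-with-a-per-process-secret idea PointGuard describes, using the slide's SomeFunc and FUNC_PTR. OtherFunc, struct locals, process_key and the outcome enum are hypothetical names, and the corruption is simulated by writing a constructed raw value into the slot.

```c
#include <stdint.h>
#include <stdio.h>

typedef void (*FUNC_PTR)(void);

int some_calls, other_calls;
void SomeFunc(void)  { some_calls++; }    /* intended target (name from the slide) */
void OtherFunc(void) { other_calls++; }   /* hypothetical unintended target */

uintptr_t process_key;                    /* per-process secret */

/* Load the key from the kernel CSPRNG; 0 on success, -1 on failure. */
int key_init_random(void) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(&process_key, sizeof process_key, 1, f);
    fclose(f);
    return (n == 1 && process_key != 0) ? 0 : -1;
}

/* Pointers are stored encoded and decoded only at the moment of use. */
uintptr_t encode_ptr(FUNC_PTR fp) { return (uintptr_t)fp ^ process_key; }
FUNC_PTR  decode_ptr(uintptr_t v) { return (FUNC_PTR)(v ^ process_key); }

/* Mirrors DangerousFunc's locals: a buffer followed by a function pointer. */
struct locals { char buf[32]; uintptr_t fp_slot; };

enum outcome { RAN_INTENDED, RAN_UNINTENDED, BAD_ADDRESS };

/* Demo harness: only jump to addresses that are functions of this program.
 * A real process would simply jump and fault on a meaningless address. */
enum outcome guarded_call(FUNC_PTR fp) {
    if (fp == SomeFunc)  { fp(); return RAN_INTENDED; }
    if (fp == OtherFunc) { fp(); return RAN_UNINTENDED; }
    return BAD_ADDRESS;
}

/* Slide's left column: the slot holds the raw pointer. */
enum outcome call_plain(const struct locals *l) {
    return guarded_call((FUNC_PTR)l->fp_slot);
}

/* Slide's right column: the slot holds the encoded pointer. */
enum outcome call_encoded(const struct locals *l) {
    return guarded_call(decode_ptr(l->fp_slot));
}

int main(void) {
    if (key_init_random() != 0) return 1;

    struct locals plain = { "", (uintptr_t)SomeFunc };
    struct locals enc   = { "", encode_ptr(SomeFunc) };
    printf("untouched: plain=%d encoded=%d\n",
           (int)call_plain(&plain), (int)call_encoded(&enc));

    /* Simulated corruption: the same raw value lands in both slots. */
    plain.fp_slot = (uintptr_t)OtherFunc;
    enc.fp_slot   = (uintptr_t)OtherFunc;
    printf("corrupted: plain=%d encoded=%d\n",
           (int)call_plain(&plain), (int)call_encoded(&enc));
    return 0;
}
```

With the raw slot the corrupted value is used as written; with the encoded slot the same value decodes to an address that is not a function at all. The protection holds only while process_key stays secret.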