widely used but out of tree
play

Widely Used But Out-Of-Tree Kees Cook (that's pronounced Case) - PowerPoint PPT Presentation

Mar 02, 2024 •782 likes •919 views

Widely Used But Out-Of-Tree Kees Cook (that's pronounced Case) kees.cook@canonical.com Linux Security Summit Boston, Aug 2010 http://people.canonical.com/~kees/slides/out-of-tree.pdf Internal use only 1 Agenda Past

  1. Widely Used But Out-Of-Tree Kees Cook (that's pronounced “Case”) kees.cook@canonical.com Linux Security Summit Boston, Aug 2010 http://people.canonical.com/~kees/slides/out-of-tree.pdf Internal use only 1

  2. Agenda • Past successes/compromises • Current successes • Living outside of mainline • Why isn't it upstream? • Cultural shift for the Linux kernel community Internal use only 2

  3. Past successes/compromises (userspace) • SELinux • ASLR of stack, mmap, exec, brk (x86 mostly) • SECCOMP (x86 mostly) • TOMOYO • SMACK • AT_RANDOM Internal use only 3

  4. Past successes/compromises (kernel) • mmap_min_addr • /dev/mem restrictions (x86 mostly) • CC_STACKPROTECTOR (x86 mostly) Internal use only 4

  5. Current successes • AppArmor – In for 5 years on SUSE, 4 on Ubuntu • Yama Internal use only 5

  6. Living outside of mainline (part 1) symlink/hardlink restrictions, 15 years old • – OpenWall, grsecurity, Ubuntu partial NX emulation, 10 years old • – grsecurity, RedHat/Fedora, SUSE, Ubuntu ASCII-armored addresses, 6 years old • – RedHat/Fedora, SUSE, Ubuntu (partially) PTRACE restrictions, 4 years old? • – grsecurity, Ubuntu Internal use only 6

  7. Living outside of mainline (part 2) fifo, /proc, NPROC, SHM restrictions, 8 years old? • – OpenWall, grsecurity RSBAC, 5 years old? • – Mandriva • mprotect, and a giant list of other things, many via PaX – grsecurity Internal use only 7

  8. Why isn't it upstream? • No one has tried • (Unreasonable) objections Internal use only 8

  9. Objections (part 1) • “this is a hack” – yet majority/many/some distros use it? • “... but at the cost of speed” – why can't this be a choice? Internal use only 9

  10. Objections (part 2) “the perfect is the enemy of the good” • – defense against attack is, like biological systems, a matter of probability – better to have an imperfect heuristic than a missing perfect system – work around changes in userspace semantics (we are, after all, a Free Software community, right?) – “perfect” is absolutely impossible (kernel vulnerabilities frequently undermine all other defense systems) Internal use only 10

  11. Cultural shift for the Linux kernel community • Acknowledge that vulnerabilities are a way of life • Lose the prejudice against optional defense mechanisms • Take responsibility to create a pro-actively secure system Internal use only 11

  12. Thank you for your time kees.cook@canonical.com Internal use only 12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

B+ tree a dynamic structure that adjusts to changes in the file gracefully. It is the the

B+ tree a dynamic structure that adjusts to changes in the file gracefully. It is the the

B+ tree a dynamic structure that adjusts to changes in the file gracefully. It is the the most widely used structure because it adjusts well to changes and supports both equality and range queries. It is a balanced tree in which the internal

280 views • 12 slides
Tree-sitter @maxbrunsfeld What is Tree-sitter? Why I wrote Tree-sitter What were

Tree-sitter @maxbrunsfeld What is Tree-sitter? Why I wrote Tree-sitter What were

Tree-sitter @maxbrunsfeld What is Tree-sitter? Why I wrote Tree-sitter What were building with Tree-sitter at GitHub Algorithms behind Tree-sitter What is Tree-si tu er? Uniform parsing of di ff erent languages if (a) c();

772 views • 75 slides
Another tree example Phylogenetic tree Patient 1 Plan Clone Phylogeny B C RFTA16 Om1

Another tree example Phylogenetic tree Patient 1 Plan Clone Phylogeny B C RFTA16 Om1

Another tree example Phylogenetic tree Patient 1 Plan Clone Phylogeny B C RFTA16 Om1 Tree ADT A E ROv1 SBwl D G Tree recursion F H I Tree traversal ROv2 SBwlE4 Search and score n Search runtime O(2 ) Pass message

311 views • 9 slides
PLTree A tree programming language Overview Philosophy: Everything is a tree All data structures

PLTree A tree programming language Overview Philosophy: Everything is a tree All data structures

PLTree A tree programming language Overview Philosophy: Everything is a tree All data structures are built on the tree A primitive type is a tree with a single node at the root and no leaves A string is a tree of characters A function is a

370 views • 13 slides
Education Endowment (TREE) Fund TREE Fund is a 501(c)3 nonprofit organization that supports

Education Endowment (TREE) Fund TREE Fund is a 501(c)3 nonprofit organization that supports

Tree Research and Education Endowment (TREE) Fund TREE Fund is a 501(c)3 nonprofit organization that supports scientific discovery and dissemination of new knowledge in arboriculture and urban forestry. TREE Fund Grant Awards TREE Fund has

441 views • 10 slides
Decision Tree Decision Trees A decision tree is a decision support tool that uses a tree-like

Decision Tree Decision Trees A decision tree is a decision support tool that uses a tree-like

Decision Tree Decision Trees A decision tree is a decision support tool that uses a tree-like graph or model of decisions and their possible MSE 2400 EaLiCaRA consequences, including chance event Dr. Tom Way outcomes, resource costs, and

568 views • 8 slides
The R-Tree Yufei Tao ITEE University of Queensland INFS4205/7205, Uni of Queensland The R-Tree

The R-Tree Yufei Tao ITEE University of Queensland INFS4205/7205, Uni of Queensland The R-Tree

The R-Tree Yufei Tao ITEE University of Queensland INFS4205/7205, Uni of Queensland The R-Tree We will study a new structure called the R-tree, which can be thought of as a multi-dimensional extension of the B-tree. The R-tree supports e ffi

1.11k views • 85 slides
Session 12 Tree-based models: tree and rpart Two libraries The tree library is like the

Session 12 Tree-based models: tree and rpart Two libraries The tree library is like the

Session 12 Tree-based models: tree and rpart Two libraries The tree library is like the S-PLUS native library and implements the traditional S-PLUS tree technology The rpart library is due to Beth Atkinson and Terry Therneau of the Mayo

501 views • 28 slides
Are Hybrid Physical Designs Important? 1 B+ tree 2 C O L B+ tree 3 ? C O L C O L B+ tree

Are Hybrid Physical Designs Important? 1 B+ tree 2 C O L B+ tree 3 ? C O L C O L B+ tree

Columnstore and B+ tree Are Hybrid Physical Designs Important? 1 B+ tree 2 C O L B+ tree 3 ? C O L C O L B+ tree B+ tree B+ tree & Columnstore on same table = Hybrid design 4 ? C O L C O L B+ tree B+ tree Are Hybrid

1.09k views • 79 slides
Definitions Binary Search Tree: n Tree: hierarchical structure made of nodes with father-son

Definitions Binary Search Tree: n Tree: hierarchical structure made of nodes with father-son

Advanced Programming Binary Search Tree Binary Search Tree Introduction Binary Search Tree, o BST implement dictionaries or ordered queues elements stored are ordered according to a key Efficient (log n) operations S EARCH , M INIMUM , M

362 views • 32 slides
In prokaryotic cells (which are widely used as host cells in bio- engineering), enzymes are

In prokaryotic cells (which are widely used as host cells in bio- engineering), enzymes are

In prokaryotic cells (which are widely used as host cells in bio- engineering), enzymes are often widely separated among the cytoplasm. Traditional ways to elevate the concentration of substrates and enzymes in the specific area of the

601 views • 49 slides
Learning to Branch Balcan, Dick, Sandholm, Vitercik Introduction Parameter tuning tedious and

Learning to Branch Balcan, Dick, Sandholm, Vitercik Introduction Parameter tuning tedious and

Learning to Branch Balcan, Dick, Sandholm, Vitercik Introduction Parameter tuning tedious and time-consuming Algorithm configuration using Machine Learning Focus on tree search algorithms Branch-and-Bound Tree Search Widely

396 views • 17 slides
Solving Device Tree Issues Use of device tree is mandatory for all new ARM systems. But the

Solving Device Tree Issues Use of device tree is mandatory for all new ARM systems. But the

Solving Device Tree Issues Use of device tree is mandatory for all new ARM systems. But the implementation of device tree has lagged behind the mandate. The first priority has been correct function. Lower priorities include device tree

2.4k views • 183 slides
Eastern Shores (GHOTES) DNA A Family Tree DNA Project Family Tree DNA Family Tree DNA or

Eastern Shores (GHOTES) DNA A Family Tree DNA Project Family Tree DNA Family Tree DNA or

Eastern Shores (GHOTES) DNA A Family Tree DNA Project Family Tree DNA Family Tree DNA or FTDNA is one of the larger DNA testing companies. An alternative to Ancestry.com or AncestryDNA. Your (autosomal) test from another

284 views • 6 slides
CS 764: Topics in Database Management Systems Lecture 9: B-tree Locking Xiangyao Yu 10/5/2020 1

CS 764: Topics in Database Management Systems Lecture 9: B-tree Locking Xiangyao Yu 10/5/2020 1

CS 764: Topics in Database Management Systems Lecture 9: B-tree Locking Xiangyao Yu 10/5/2020 1 Todays Paper: B-tree Locking ACM Trans. Database Syst. 1981 2 Agenda Index in OLTP database B tree, B+ tree, and B* tree B link -tree 3

528 views • 34 slides
1 Widely distributed in the environment plants, soil, animal, water, dirt, dust may be

1 Widely distributed in the environment plants, soil, animal, water, dirt, dust may be

This presentation is the property of Regulatory Essentials Specialists, Inc and can not be used without expressed written permission from RES, Inc Opening remarks Highlight what we will cover and how it will be covered 1 Widely distributed

685 views • 21 slides
Goals for Today Learning Objective: Discuss the ins and outs of MP4

Goals for Today Learning Objective: Discuss the ins and outs of MP4

Goals for Today Learning Objective: Discuss the ins and outs of MP4 Announcements, etc: MP4 is out! Due May 6th (UTC-11) Final Exam MAY 9TH @ 7PM, SIEBEL 1404 Its fine to use electronics today CS 423: Operating

922 views • 34 slides
Security Subsystem Report: Yama Linux Security Summit 2012 Kees Cook (pronounced

Security Subsystem Report: Yama Linux Security Summit 2012 Kees Cook (pronounced

Security Subsystem Report: Yama Linux Security Summit 2012 Kees Cook (pronounced "Case") keescook@chromium.org http://outflux.net/slides/2012/lss/lsm/ Overview Past Present Future Past ("ruler of the

194 views • 6 slides
Convex Optimization 8. Geometric Problems Prof. Ying Cui Department of Electrical Engineering

Convex Optimization 8. Geometric Problems Prof. Ying Cui Department of Electrical Engineering

Convex Optimization 8. Geometric Problems Prof. Ying Cui Department of Electrical Engineering Shanghai Jiao Tong University 2018 SJTU Ying Cui 1 / 26 Outline Extremal volume ellipsoids Centering Classification Placement and facility

622 views • 26 slides
Statics 7-1 Systems of Forces Statics problems involve a system of balanced forces.

Statics 7-1 Systems of Forces Statics problems involve a system of balanced forces.

Statics 7-1 Systems of Forces Statics problems involve a system of balanced forces. Professional Publications, Inc. FERC Statics 7-2 NCEES Handbook Sample from the NCEES Handbook: www.ncees.org Professional Publications, Inc. FERC

676 views • 35 slides
Indirect WIMP detection with neutrinos in Hyper-K Yusuke Koshio for Hyper-K astrophysics working

Indirect WIMP detection with neutrinos in Hyper-K Yusuke Koshio for Hyper-K astrophysics working

Indirect WIMP detection with neutrinos in Hyper-K Yusuke Koshio for Hyper-K astrophysics working group Kamioka observatory, ICRR, Univ. of Tokyo Cosmic Frontier Workshop SLAC - March 7, 2013 Neutrinos generated by WIMP annihilation Trap

542 views • 20 slides
HK Cavern Construction Masato Shiozawa (UTokyo) T2HKK Workshop November 21, 2016 1

HK Cavern Construction Masato Shiozawa (UTokyo) T2HKK Workshop November 21, 2016 1

HK Cavern Construction Masato Shiozawa (UTokyo) T2HKK Workshop November 21, 2016 1 Overview of Hyper-K cavern design and excavation is given in my talk Thanks to J.Yamatomi, S. Nakayama, and Hide Tanaka for many slides More

398 views • 19 slides
Neutrino-Oxygen Neutral-Current Elastic Interaction as a Background in Supernova Relic Neutrino

Neutrino-Oxygen Neutral-Current Elastic Interaction as a Background in Supernova Relic Neutrino

16th International Conference on Topics in Astroparticle and Underground Physics September 913, 2019 / Toyama, Japan Neutrino-Oxygen Neutral-Current Elastic Interaction as a Background in Supernova Relic Neutrino Search Yosuke ASHIDA (Kyoto

441 views • 42 slides
Containers with difgerent Security Modules FOSDEM19 Presentation by John Johansen

Containers with difgerent Security Modules FOSDEM19 Presentation by John Johansen

Containers with difgerent Security Modules FOSDEM19 Presentation by John Johansen john.johansen@canonical.com www.canonical.com February 2019 1 LSM Infrastructure Responsibilities LSM Provides Infrastructure Which LSMs are enabled

609 views • 21 slides

More recommend