@joekir
Last active August 29, 2018 17:21
LSS2018

Day 1

Full Schedule

Fuchsia/Zephyr talk:

Making C Safer - KSPP - Kees Cook

Links: slides, document link, openwall reading, undefined behaviour

  • compiler flag -Wvla ?? to catch guard page overflow for variable length arrays
  • CWE-484: -Wimplicit-fallthrough; intended fall-through is annotated with a `/* fall through */` comment
  • CWE-200 and CWE-457: can use gcc -finit-local-vars (not upstream) or clang -fsanitize=init-local (not upstream)
  • -Wswitch-unreachable
  • gcc -fsanitize=signed-integer-overflow comes with UBSAN
  • clang -fsanitize=cfi for forward-edge control flow integrity checks
  • clang -fsanitize=safe-stack or -fsanitize=shadow-call-stack
  • Interesting hardware protection to allow writing of stacks only in call and ret instructions
  • ARMv8.3-A has pointer signing?
  • CFI works in Android now
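
Added example (mine, not from the talk or these notes) of the CWE-484 point above: an intended fall-through annotated with the `/* fall through */` comment that gcc -Wimplicit-fallthrough recognises, beside a forgotten break that the same flag reports and that silently grants access. The status/permission enums are made up for the illustration.

```c
/* Added example (not from the talk or these notes): CWE-484 in practice, and
 * how the fall-through comment from the KSPP talk lets gcc -Wimplicit-fallthrough
 * separate intended fall-through from a forgotten break.
 * Build: cc -Wall -Wimplicit-fallthrough fallthrough.c */
enum { STATUS_ACTIVE = 0, STATUS_BANNED = 1 };   /* constructed for the example */
enum { PERM_READ = 1, PERM_WRITE = 2, PERM_ADMIN = 4 };

/* Intended fall-through: level 3 accumulates the rights of levels 2 and 1.
 * The comment matches gcc's recognised patterns, so no warning is emitted. */
int perms_for_level(int level)
{
    int p = 0;
    switch (level) {
    case 3: p |= PERM_ADMIN;
        /* fall through */
    case 2: p |= PERM_WRITE;
        /* fall through */
    case 1: p |= PERM_READ;
        break;
    default: break;
    }
    return p;
}

/* The bug: a forgotten break lets STATUS_BANNED run on into STATUS_ACTIVE, so a
 * banned account is granted access. With no fall-through annotation present,
 * gcc -Wimplicit-fallthrough warns at "case STATUS_ACTIVE". */
int allowed_buggy(int status)
{
    int allowed = 0;
    switch (status) {
    case STATUS_BANNED:
        allowed = 0;            /* BUG: missing break (CWE-484) */
    case STATUS_ACTIVE:
        allowed = 1;
        break;
    }
    return allowed;
}

/* Fixed: every case ends in break or return, so the warning disappears. */
int allowed_fixed(int status)
{
    switch (status) {
    case STATUS_ACTIVE: return 1;
    case STATUS_BANNED: return 0;
    default:            return 0;
    }
}
```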

Azure Sphere OS

  • Specifically for IoT stuff
  • They created an LSM
  • OTA updates: they can update within 24 hours. How do they ensure this is successful? (Q&A)
  • Apps define their own policy..?!
    app_manifest.json
    bin
      |_ curl_ssl_test
    test_root_cert.pem
    
  • They then parse the manifest and map it to Linux security technologies (cgroups, namespaces)
  • Have they considered a dynamic DAC for that manifest?
  • Cannot select specific features in `sysfs`

fs-verity

Merkle-tree approach, similar to Android's dm-verity

Linux firmware panel

super boring

Android Kernel Bugs

  • CVE-2017-14140 (to review): blocked by the seccomp filter added in Android Oreo
  • CFI only protects forward-edges (indirect branches); LLVM's shadow call stack helps with back-edges

Auditd

  • Issues with knowing which container to log issues against: ContainerID vs a collection of NamespaceIDs

Syzkaller

  • List of bugs found
  • syzkaller and syzbot automate the fuzzing and filing of these bugs (Google continuous kernel fuzzer)
  • KTSAN, KBSAN, KMSAN tools
  • "Bug nest" <3 that term

STACKPROTECT

See the positive security blog, mostly about how messed up the Linux patch submission process is

Landlock LSM

  • LSM to protect "server" and "client"?
  • Restricts specific process based on some LSM policy??
  • Provides kernel hooks for various syscall APIs
  • eBPF inode map
  • Can add RO and RW paths at runtime to the landlock mapping

Q: ll-map?
Q: How does that fswalk handle deep paths?

SELinux catchup

  • New access for eBPF ??

Day 2

Full Schedule

OpenCIT stuff

  • really good slide deck and slick presentation
  • Need to read more about OpenCIT

Intel crypto stuff

  • Why ECB, CBC, CFB, CTR modes? Isn't that reckless?
  • NIST compliant core? PBKDF2?