The program committee is looking for submissions from developers, researchers, and implementors.
If you’ve done anything interesting in Linux security over the last year, it’s time to get a proposal ready and send it in!
The program committee is looking for submissions from developers, researchers, and implementors.
If you’ve done anything interesting in Linux security over the last year, it’s time to get a proposal ready and send it in!
This event has its roots in the Linux security development community which emerged in the early 2000s, following the development of LSM and with the incorporation of a wide range of new security features into Linux. We’d previously met, as a community, in OLS BoF sessions, various conference hallway tracks, and at project-specific events such as the SELinux Symposium. There have also been very successful security mini-summits at LCA in 2008 and 2009, and a double security track at the 2009 Plumbers Conference.
This year, we tried to broaden the scope of the event as far as possible — to situate it with a more general Linux conference (than Plumbers, for example), and bring in not only developers, but the wider end-user community as well. We had great attendance from the security developer community, with pretty much all major areas of development represented, although not as many end-users as we’d hoped for. We were, however, easily able to fill up a days worth of bleeding edge technical discussions, with around 70 developers in attendance throughout.
Presentations were limited to thirty minutes, including discussion, to help ensure an interesting and stimulating event, aimed at fostering ongoing discussion and engagement. In this sense, it seems we were generally successful, with several strong discussions arising during presentations. There were many follow-up meetings between developers, end users and vendors during the remainder of LinuxCon, which was very gratifying to see.
Mobile security was one of the core issues discussed at LSS (and during the rest of the week), with the year of the Linux desktop now apparently permanently canceled due to smartphones and similar devices. There are certainly many very difficult and exciting challenges to be met in this area over the coming years, and it was great to be able to have the MeeGo security folk present on their work.
Another important area (as always), is security usability, with new high-level policy language work presented by Josh Brindle (lolpolicy). Z. Cliffe Schreuders presented the results of a comparative usability vs. efficacy study from his FBAC-LSM project, sparking some very robust and productive discussion. (Certainly from an SELinux point of view, we are trying to learn as much as possible from this kind of research, which is otherwise very thin on the ground).
Stephen Hemminger presented on the topic of integrating security into a router (Vyatta). This kind of presentation is really very useful to have when there are so many security developers present — it helps us better understand the nature & scope of security requirements for a wider range of real-world users.
Brad Spengler’s presentation addressed the difficult area of protecting the kernel itself, arising from his experiences developing grsecurity. As most of our protection mechanisms operate within the kernel, attacks on the kernel can render these mechanisms useless, so it is important to try and harden the kernel as much as possible. Brad outlined some areas which we still need to address upstream (or in distros, at least), a topic which was further developed by Kees Cook in his talk on Out of Tree security features.
IMHO, we face a number of challenges in this area: 1) core kernel developers are not always receptive to enhanced security, 2) the solutions proposed often are technically not acceptable to upstream (and require a lot of persistent reworking) and 3) we don’t have a huge pool of available expertise upstream in these areas. Kees has taken on some of the challenges here, and any additional contributors here would certainly be welcome, although I would not anticipate any smooth sailing.
The panel discussion kicked off with a session on the viability of a standard Linux security API. It was good to get a discussion going here, with well-considered input from key developers. It seems the consensus is that our various security models are too fundamentally different to develop the kinds of APIs you might see in proprietary OSes, although the issues are certainly recognized (e.g. hindered ISV and end user adoption of security) and people are thinking about solutions. There are many difficult, open issues in this area, although we really don’t have the option of not solving them — as a society we’re ever increasingly reliant on computing, and thus also on its security.
There’s already been quite a lot of feedback from attendees on the format and co-location of future events. There was some talk of aiming at a more purely technical conference (e.g. Plumbers), although it seems to me that there was a great benefit in being able to assemble a critical mass of security developers alongside the other LinuxCon developer mini-summits, as well as general end users, vendors etc. A couple of people also mentioned the Collab summit, although I wonder if being invite-only may limit the overall scope of participation. We may also look at a two-day event next year, to allow for keynotes, a few selected longer talks for major new projects, and break-out sessions.
If anyone has feedback or ideas, please join the LSS mailing list and post your thoughts.
Slides from the presentation are now linked from the schedule (where available), and I’ve posted a brief photo set on flickr. If you post any photos or blogs from the event, please tag them with #lss2010, and drop me an email, so I can link to them from the web site.
Overall, it seems that we had a very productive and collaborative event, bringing together key people to discuss ongoing and emerging challenges in Linux security. Indications thus far are that we should expect to see useful developments arise out of discussions begun at this summit, in some of the areas mentioned above.
The Linux Foundation organizers seamlessly provided us with everything we could need in terms of a venue and support — allowing us to concentrate on the program itself. Many folk worked behind the scenes, but I’d like to especially thank Angela Brown, C. Craig Ross and Amanda McPherson.
Also thanks to everyone who presented and attended, and to the program committee, who worked quickly to review and evaluate all the proposals.
Just a reminder that the CFP for the Linux Security Summit ends this Friday, 4th of June.
If you have something interesting to discuss, send your proposal to the program committee via plain text email per the CFP announcement.
We have some very interesting proposals so far — if you have any interest in Linux security, you should probably try and be there.
Note that you need to be registered for LinuxCon to attend. As a speaker at the main conference, I’ve been given a discount code to hand out to people “in my network”. If you’re reading this, you’re in :-) Using the code, you can save 20%, which is currently $80 USD.
That’s enough to buy a Red Sox ticket and a hot dog.
Email me directly for the code at email@example.com.
The aim of the Linux Security Summit is to bring developers, researchers and end users together to analyze and solve Linux security challenges.
This is not just for “security people” — it’s intended to be a forum for collaboration between the wider community (sysadmins, operations, architects, developers etc.) and Linux security developers.
The format of the event is expected to be a mix of brief technical talks, panel discussions, and lightning talks. It will be held on Monday 9th August, 2010 in Boston, co-located with LinuxCon.
The program committee is currently seeking proposals for talks and panel discussion topics: see the CFP for details.
In particular, we’d like to encourage folks with significant real-world deployments to attend and discuss what they’re doing and what they need in terms of security from the OS.
From a security developer point of view, much effort over the last decade has gone into adding security features to Linux and integrating them into distributions. End users have now been through a few product release cycles with these features, so it seems like a good opportunity now to get together and discuss what’s working, what’s not, and how we can work together to continue improving Linux security.
Attendance is open to all registered LinuxCon delegates.
Last week, I attended FOSS.IN, which had its origins as a community event ten years ago, and has evolved to become one of the world’s leading Free and Open Source developer gatherings. Even in the years I’ve attended since 2005, it’s been remarkable to see the progress of the event, from a somewhat traditional presentation-based conference with most attendees being end users, to a developer-oriented week where the main track talks are secondary, and where a lot of real work is done.
This year, the program included Project of the Day sessions, where major FOSS projects held a mini-conferences. I attended some of the Fedora PoTD sessions, including Joerg Simon’s talk on creating a Fedora Security Spin. An expo area was also assigned for major projects throughout the conference, where you’d often find Fedora, KDE etc. folk hanging out — hacking, chatting, and helping people who passed by (including myself, when my Macbook decided to have EFI issues with F12).
Fedora table at the FOSS expo area.
There were also workshops (tutorials), and workout sessions, where groups of people would gather and work on a project for a period of hours or days (up to the full length of the conference). Notable here were Harald Welte’s GSM workout, and a well-attended hardware hacking workout, run by Milosch and Brita Meriac of CCC and Blinkenlights fame. I think these ran all week. There were also workouts for GNOME performance, the SAHANA disaster management system, KStars, and web identity, to name a few that I can recall off-hand. There really was an incredible amount of stuff going on.
I participated in the Linux Kernel workout, which filled the final afternoon of the conference, as well as all the remaining room in the workout area.
Linux Kernel Workout Session
The kernel workout, which was organized by Kamalesh Babulal, included work on specific development tasks, and mentoring of new kernel developers. It was a little chaotic at first, but ended up being a very productive session, and seemed to be over too soon. I’d suggest holding this over perhaps 2-3 entire days next year.
I also gave a talk on SELinux Sandboxing internals, to demonstrate how to utilize various Linux OS features such as namespaces and Mandatory Accees Control (MAC) security, and also how useable and effective security can be implemented via high-level abstractions and encapsulation. This was similar to the talk I gave at FOSS.MY (and will also give at LCA), the slides of which may be found here. I think it’s very important for people to understand that there are no silver bullets for security, especially as we’re working with an OS which was not designed with security primarily in mind. At the lowest levels, security on a general purpose OS is inherently complicated, and like most other problems in computing, we solve this with layers of abstraction. You don’t need to understand the inner working of your CPU to play Scrabulous, for example. I think we’re gradually getting the message across, and I really hope to see more people engaged in helping to solve the always increasingly difficult problems in computer security. We’ve made a lot of progress overall, but still have a long way to go.
Preparing for the closing session.
I’d like to give a special thanks to the FOSS.IN team, who are all volunteers, and who manage each year to organize a very complex event and provide truly great hospitality. I missed the closing talk (and rock concert) to make a flight, although read that Atul Chitnis will be stepping back as leader of the event next year. The conference as it is today reflects his personal vision for fostering core FOSS development activity in India, and it has been inspirational to witness the progress of this. It will be interesting to see who steps up to lead the conference next, and where they will take it.
The presentation was an overview of sandboxing as a concept; how we can enhance it with MAC security; and how it’s being implemented in Fedora 12 with SELinux. I also discussed the need for a standard security API for Linux, so that developers will be more inclined to incorporate enhanced security support in their software, and to generally increase security adoption via standardization. We’ve seen this work well thus far with sVirt, so it should be feasible
The SELinux Sandbox stuff will be familiar if you’ve seen Dan Walsh’s recent talks on the topic, although in this case, I included his cell phone number in the presentation if people have detailed questions, seeing as he’s not here in person.
It’s been yet another busy conference trip, with KS and JLS last week — I attended some of the JLS security talks and a Japanese Secure OS user group dinner. It was a very interesting and productive time.
I dented this a few days ago, but got no answer (and also dragged DaveM to see it & he couldn’t figure it out, either): does anyone know what this mystery object is?
Many thanks to the folk at LF and the LPC organizers, especially Niv (also for the HTML listing above).
If you attended LPC, or make use of the videos or slide, please drop by this thread at LWN to say thanks. If you have any suggestions for improvements, feel very free to volunteer your time at the next event.
The SELinux event went very smoothly, with around twenty-five attendees from the core SELinux developer community. Given tight travel budgets all-round, this level of attendance was very good to see. I’d like to thank Angela Brown, Craig Ross and the rest of the Linux Foundation team for making everything work perfectly for us (this was a co-located event ahead of LinuxCon).
The day was divided into two sessions: standard presentations in the morning, followed by a more open general session in the afternoon. It was good to catch up on the latest development work and directions in the project, and also to bring the otherwise globally distributed team together in the same place.
The inaugural LinuxCon then ran for three days, with an expansive programme. I gave a talk on adding extended attribute support to Linux NFSv3 — the slides for which may be downloaded as PDF or viewed on slideshare. I completed the initial code on the flight to the US and posted it from the hotel. Feedback so far has been positive, although I haven’t heard from the NFS maintainers yet (who are likely busy with the merge window). The rationale and technical approach is similar the NFSv3 ACL support which was merged some time ago; and the implementation is based on a fielded IRIX version (released under the GPL) — both factors which I hope will help with upstream acceptance.
Also at LinuxCon: Dan Walsh gave a talk on sVirt, which I introduced earlier this year at LCA (and previewed of during a lightning talk last year at FOSS.MY). It seems to have been well-received (see LWN coverage), and it’s a good example of the high-level security abstractions which we can build once we have the underlying mechanisms in place. In the case of sVirt, where we apply strong mandatory isolation to process-based virtualization (e.g. SELinux+KVM), there is zero configuration — it configures itself automatically depending on which security model you have enabled. It should work with any label security scheme, such as Smack, and I’ve also heard that the AppArmor folk have it working (even though sVirt was not explicitly designed for pathname security).
Dan gave a LinuxCon lightning talk at Linux on yet another high-level security feature: Sandbox X, which extends the SELinux sandbox mechanism to the desktop by running applications in isolated X servers via Xephyr. He gave a full talk on this the Linux Plumbers Conference, slides of which may be found here.
I don’t have the time to cover everything at LinuxCon — check the web site for videos and slides. Also see my flickr photo set. It was a very impressive first conference, with LCA-quality social events and catering (Angela Brown has been quietly studying LCA, in fact) and certainly sets a new standard for such events in North America. LinuxCon will be held in Boston next year — I wonder what they’ll come up with to beat bacon-maple donuts for breakfast.
Following LinuxCon, the second Linux Plumbers Conference was held, and we were fortunate to get a double session for the security microconf (a special thanks to Nivedita Singhvi and team for making this possible). We had talks on several Linux security projects, including Herbert Xu with an update on the kernel crypto API, Caleb Case on SELinux in Ubuntu, David Safford on IMA, and Casey Schaufler on the Smack application ecosystem (some high-end televisions will soon be shipping with Smack, to isolate the applications of competing content providers).
The XACE talk was very interesting, as we’re getting close to having workable support for MAC security inside X, which will allow the desktop to be locked down with fine-grained and comprehensive controls. While typically envisaged for MLS use (e.g. having “secret” and “unclassified” desktop applications running on the same system), there are also many general purpose scenarios, such as separating your online banking session from your IRC chats. It will be interesting to see what’s possible when combining XACE window labeling with Sandbox X — stay tuned.
Slides from the LPC microconf will be at the event web site soon, and I’ve also made all them available for download here.
It was a fairly intense week — three conferences plus the travel to and from Sydney, as well as the merge window opening a few days before. I’ve got a few weeks to recover and then it’s Japan for the Kernel Summit and Japan Linux Symposium, stopping in Kuala Lumpur on the way back for FOSS.MY (where I’ll be covering the latest in SELinux Sandboxing).
From the announcement:
This year's event will be divided into two main sessions. The first will be for traditional conference presentations which were accepted via the CfP: * Labeled NFS Community Involvement - Dave Quigley (NSA) * Update on Flask/TE Support for X - Eamon Walsh (NSA) * Work on a Higher-Level Policy Language - James Carter (NSA) * Video Streaming in Policy Confined Environments - Philip Tricca (USAF) * A New Policy Infrastructure for SELinux Joshua Brindle (Tresys) * Policy Distribution Joshua Brindle (Tresys) * Refpolicy and Userspace Joshua Brindle (Tresys) * Analysis of Flask Policies in VM Systems Trent Jaeger (PSU) Aside from Josh's talks (which are combined into one 60-minute slot), these are 30-minute slots. For speakers, the recommended format is 20-minutes of presenting and 10-minutes of Q&A. The second main session, after lunch, is intended to be fully collaborative in that everyone in attendance may (and should) participate. This is divided into three sections: * Lightning talks, 5 minutes each. Any attendee may propose a lightning talk via the wiki or on the day. * Development sessions. This is a flexible format where developers can work in small self-organized groups on specific tasks, taking advantage of the fact that we're all in the same place for the day. We'll discuss this further on the event mailing list -- it's important to identify tasks, teams and goals beforehand, and also to make sure everyone is set up to get straight to work on the day. * General project discussion. We'll spend about an hour discussing project and development issues. Candidate agenda items should first be posted to the event mailing list, and the agenda will be finalized immediately prior to the event. For attendees who are yet to do so, ensure you are registered for LinuxCon, which is co-hosting the event for us: http://events.linuxfoundation.org/events/linuxcon LinuxCon registration is a requirement for attending the SELinux Developer Summit. The current discounted registration rate ends on August 15th.
If you’re still considering whether to attend the SELinux Developer Summit, keep in mind that in addition to being part of LinuxCon, there’s also Linux Plumbers directly following that at the same venue, which includes a general Linux security microconf. Travel budgets are tight for everyone this year, so hopefully the co-location of these events will help make a business case for people who are still working on travel approval.
For those who can’t make it, we’ll try and ensure that all available materials and minutes from the event are published in a timely manner. I’d encourage those who are able to attend to blog/dent/tweet anything related to the event that they feel might be useful to others.
I was in Brisbane last week to talk about Linux Kernel Security at Kernel Conference Australia (KCA).
The aims of the talk were to provide a general overview of security features in the Linux kernel, and to examine historical context around Unix security and how Linux is evolving to address modern security requirements.
The conference was streamed live online, and the video from my talk may be viewed here. I’m watching to see how the talk, and my speaking in general, might be improved. As painful as this may be, it seems very effective in understanding what worked and what didn’t. I think I can tighten this talk up for possible future use, and focus more on how our development process—not merely the technology—helps address evolving security requirements.
I later participated in an OS security panel with Cristina Cifuentes and Fernando Gont, the video of which is also online.
I’ve also uploaded a flickr photo set. Brisbane is a great location for a conference, especially in the southern hemisphere winter.
It was unusual being the only Linux speaker at a conference. I hope the talk was useful, if at least to encourage more thinking about security in operating systems.
The primary organizer of KCA, James MacPherson, has posted an initial wrap-up of the conference. If the conference continues—I hope it does; it has a lot of potential for the Australian kernel R&D community—I think it would be highly advantageous to more actively seek speakers (and even organizers), from the broader community. One major local Linux kernel developer had a Linux kernel video talk rejected, which seemed odd given that similar talks were accepted (e.g. the new OpenSolaris sound system), and that an additional OpenSolaris talk was added to the program after the CfP closed.
I understand that organizing conferences is difficult, so I hope this is taken as constructive feedback. I’d certainly be interested in helping review papers or otherwise help out in the future if the conference is held again, and if it is aimed at the broader community.