Tag Archives: kernel

Linux Security Summit 2012 – Schedule Published

The schedule for LSS 2012 is now published. See also the email announcement.

As previously mentioned, LSS this year will be a two-day event, co-located with LinuxCon.

On Day 1, we’re privileged to have a keynote by Matthew Garrett. He’s one of the best speakers in the community, and I believe he’ll be discussing secure boot.

Following the keynote, we have eight refereed presentations on new and interesting Linux security development topics.

On Day 2, we’ll have kernel security subsystem updates from maintainers, followed by an afternoon of breakout sessions. The breakout sessions are for deeper dives into specific areas, and may include development discussions and hack sessions. An BoF is planned to discuss an LF Security Workgroup, and attendees may propose more sessions in the leadup to the conference by emailing the program committee.

Thanks to all of the committee members for reviewing the proposals and helping to organize the summit — it’s shaping up as an interesting and productive event!

Congratulations to Chris Mason

As many of you will know, I started a new role at Oracle earlier in the year, going to work on Chris Mason’s team. He announced this week that he’s moving onto a new position at Fusion-io. His leadership at Oracle will be missed, and I would like to congratulate him on his new role.

Also, just to head off the inevitable internet rumours, I thought I’d post here that I will be taking on many of Chris’s previous responsibilities at Oracle, including leading the mainline kernel development team. We’re actively hiring, by the way, so if you want to hack on the Linux kernel for a great company—remotely, from almost anywhere on the planet—email me :-)

Kernel Security Talk at LinuxCon Japan

Just to let folk know — I’ll be giving a talk on the state of Linux kernel security development at LinuxCon Japan in Yokohama on June 8th. From the abstract:

In this talk, we’ll examine the current state of the Linux kernel security subsystem. Starting with a brief overview of existing features, we’ll discuss recent developments, current efforts and future directions. We’ll also discuss the evolving threat landscape, and the increasing need for mobile and cloud security. This will be a high-level technical discussion aimed at IT professionals. A good general knowledge of operating system and computer security concepts will be advantageous.

I’ll also likely be in Tokyo briefly — if any kernel security development folk there want to meet up, let me know.

Save the date: 2012 Linux Security Summit, 30-31 August, San Diego

This is a pre-announcement so people can start planning travel for the year.

The Linux Security Summit for 2012 will be held on the 30th and 31st of August in San Diego, CA, USA.  It will be co-located with LinuxCon North America, plumbers and the kernel summit.

More details to follow.

New git repository for the Linux kernel security subsystem

I’ve set up a new git repository for the Linux kernel security subsystem on the new kernel.org server.

The URLs are:

git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git
http://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git
https://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git

Developers should work against the “next” branch.

A web-browsable interface via gitweb may be found at:

http://git.kernel.org/?p=linux/kernel/git/jmorris/linux-security.git;a=summary

The temporary repo on selinuxproject.org will go away soon, so please update your repositories.

New GPG Key

In support of the new kernel.org security scheme, I’ve created a new 4096 bit RSA key:

pub   4096R/FA118320 2011-10-23
      Key fingerprint = 4ED7 50E6 F7F9 ACED 29DD  B750 EB75 1458 FA11 8320
uid   James Morris <jmorris@namei.org>

I’ve published the key via the MIT key server.

I’ll continue to host the security subsystem tree on selinuxproject.org until things are fully set up on kernel.org.

Linux Security Summit 2011 – Presentation Slides

Just over a week ago, the 2011 Linux Security Summit was held in Santa Rosa CA, co-located with Linux Plumbers. It ran for a day, starting with refereed presentations, and then round-table discussions.

The home page for the summit is on the kernel.org wiki, and is currently unavailable, so I’m posting links to the slides here:

* Smack is Alive and Well
Casey Schaufler, Intel

* An Overview of the Linux Integrity Subsystem: Use Cases and Demonstration
David Safford and Mimi Zohar, IBM

* Digital Signature support for IMA/EVM
Dmitry Kasatkin and Ryan Ware, Intel  (presented by Casey)

* Protecting the Filesystem Integrity of a Fedora 15 Virtual Machine from Offline Attacks using IMA/EVM
Peter Kruus, The Johns Hopkins University Applied Physics Laboratory

* Efficient, TPM-free system integrity checking with device mapper: dm-verity
Will Drewry and Mandeep Baines, Google

* The Case for SE Android
Stephen Smalley, NSA

Roundtable discussions:

* Kernel Hardening [no slides]
Lead by Kees Cook, Canonical and Will Drewry, Google

* LSM Architecture
Lead by Kees Cook, Canonical and Casey Schaufler

The SE Android talk was a last minute replacement for Ryan Ware’s talk on MeeGo (Ryan was unfortunately not able to make it).

See the write-ups by by Paul Moore and LWN.

Feedback so far has been positive.  I think it’s valuable for the security developers to get together like this, after spending the rest of the year working remotely with each other.  Next year, we’ll likely be looking at co-locating with LPC/KS/LinuxCon in San Diego.  It may be worth thinking about expanding to a two-day event, with the first day following the same format, but then splitting into project groups on day two for BoFs/hack sessions.

Contact the program committee if you have any suggestions.

I’d like to thank the LPC folk, and especially Jesse Barnes, for allowing us to co-locate and taking care of all of the logistics — all we had to do was organize the talks and turn up.  Also thanks to the speakers, discussion leaders and attendees.  See you next year!

Linux Security Summit 2011 – Schedule Published

For those that didn’t catch the email announcement, the schedule for the 2011 Linux Security Summit is now published.

The format of the conference is refereed talk sessions, followed by in-depth roundtable discussions.

Here’s a summary of the programme:

Refereed talks:

  • “Smack is Alive and Well”
    Casey Schaufler
  • “MeeGo Security Update”
    Ryan Ware, Intel
  • “An Overview of the Linux Integrity Subsystem: Use Cases and Demonstration”
    David Safford and Mimi Zohar, IBM
  • “Digital Signature support for IMA/EVM”
    Dmitry Kasatkin and Ryan Ware, Intel
  • “Protecting the Filesystem Integrity of a Fedora 15 Virtual Machine from Offline Attacks using IMA/EVM”
    Peter Kruus, The Johns Hopkins University Applied Physics Laboratory
  • “Efficient, TPM-free system integrity checking with device mapper: dm-verity”
    Will Drewry and Mandeep Baines, Google

Roundtable discussions:

  • Kernel Hardening
    Lead by Kees Cook, Canonical and Will Drewry, Google
  • LSM Architecture
    Lead by Kees Cook, Canonical and Casey Schaufler

See the full schedule for more detail.

Attendance is open to all registered attendees of the Linux Plumbers Conference.  Early-bird registration is available for LPC until the end of today (US time).

Linux Security Summit 2010 (Boston) – Schedule Published

For those who missed the mailing list announcements and tweets, the schedule for the upcoming Linux Security Summit has now been published: click here for the timetable and links to talk abstracts.

The summit is to be held on Monday, 9th of August in conjunction with LinuxCon.   Remember that you need to be registered for LinuxCon to attend the Security Summit (see my last post for details on a registration discount code).  You do not need to pay anything further for the Security Summit.

We had a very strong field of proposals for the summit, and the voting process was reasonably tough.  Proposals required a minimum average score of 4/5 from the program committee to be accepted as a main talk.  We had to reject several good proposals which did not make this grade, and they now have priority as lighting talks.  (Lightning talks will otherwise to be allocated on a first-come first-served basis on the day).

Here’s a summary of the accepted main talks:

  • Recent Advances in the SELinux Sandbox – Dan Walsh, Red Hat
  • in ur webserver, writin ur logs – Joshua Brindle, Tresys
  • Integrating Security into Vyatta – Stephen Hemminger, Vyatta
  • MSF Security Framework Overview – Elena Reshetova, Nokia
  • Access Control in the MSF Security Framework – Janne Karhunen, Nokia
  • Linux Security in 10 Years – Brad Spengler, grsecurity
  • Using EVM to protect security extended attributes – Mimi Zohar, IBM
  • Secstate: Integrating SCAP and Puppet for System Lockdown – Karl MacMillan, Tresys
  • Widely Used But Out-Of-Tree, Kees Cook – Canonical
  • Linux Security Usability, Z. Cliffe Schreuders – Murdoch University
  • System Security Services Daemon (SSSD) – Stephen Gallagher, Red Hat

These talk sessions are intended to be as collaborative and interactive as possible.  They’re thirty minutes each, with at least ten minutes of discussion included. The pace will be fairly brisk, and hopefully leave people wanting more and generating subsequent discussions.  Many people will be there for the week, and it’s been my experience over the years that much of the best discussion ends up happening after the talks in the various hallway and dinner tracks.

We’ll also have a panel session and, as mentioned, lightning talks.  See the schedule page for more details, and for any updates.

I hoped we’d see more proposals from folk on the operational side of things — we probably need to reach out in that direction better next time.  A significant aim of the summit is to foster collaboration between the development community and those running real systems, so if you’re in the latter group, definitely consider attending.  This will be a great opportunity to catch up on current developments in Linux security, and to provide your input and feedback.

Also, please join the event mailing list if you’re planning on attending in any capacity, so we can get any updates out to you, as well as better estimate attendance.  There’s also a Facebook page (which I don’t seem to be able to make public, ironically).

See you there!