Tag Archives: kernel

Linux Security Summit 2011 – Schedule Published

For those that didn’t catch the email announcement, the schedule for the 2011 Linux Security Summit is now published.

The format of the conference is refereed talk sessions, followed by in-depth roundtable discussions.

Here’s a summary of the programme:

Refereed talks:

  • “Smack is Alive and Well”
    Casey Schaufler
  • “MeeGo Security Update”
    Ryan Ware, Intel
  • “An Overview of the Linux Integrity Subsystem: Use Cases and Demonstration”
    David Safford and Mimi Zohar, IBM
  • “Digital Signature support for IMA/EVM”
    Dmitry Kasatkin and Ryan Ware, Intel
  • “Protecting the Filesystem Integrity of a Fedora 15 Virtual Machine from Offline Attacks using IMA/EVM”
    Peter Kruus, The Johns Hopkins University Applied Physics Laboratory
  • “Efficient, TPM-free system integrity checking with device mapper: dm-verity”
    Will Drewry and Mandeep Baines, Google

Roundtable discussions:

  • Kernel Hardening
    Led by Kees Cook, Canonical and Will Drewry, Google
  • LSM Architecture
    Led by Kees Cook, Canonical and Casey Schaufler

See the full schedule for more detail.

Attendance is open to all registered attendees of the Linux Plumbers Conference.  Early-bird registration is available for LPC until the end of today (US time).

Linux Security Summit 2010 (Boston) – Schedule Published

For those who missed the mailing list announcements and tweets, the schedule for the upcoming Linux Security Summit has now been published: click here for the timetable and links to talk abstracts.

The summit is to be held on Monday, 9th of August in conjunction with LinuxCon.   Remember that you need to be registered for LinuxCon to attend the Security Summit (see my last post for details on a registration discount code).  You do not need to pay anything further for the Security Summit.

We had a very strong field of proposals for the summit, and the voting process was reasonably tough.  Proposals required a minimum average score of 4/5 from the program committee to be accepted as a main talk.  We had to reject several good proposals which did not make this grade, and they now have priority as lightning talks.  (Lightning talks will otherwise be allocated on a first-come first-served basis on the day).

Here’s a summary of the accepted main talks:

  • Recent Advances in the SELinux Sandbox – Dan Walsh, Red Hat
  • in ur webserver, writin ur logs – Joshua Brindle, Tresys
  • Integrating Security into Vyatta – Stephen Hemminger, Vyatta
  • MSF Security Framework Overview – Elena Reshetova, Nokia
  • Access Control in the MSF Security Framework – Janne Karhunen, Nokia
  • Linux Security in 10 Years – Brad Spengler, grsecurity
  • Using EVM to protect security extended attributes – Mimi Zohar, IBM
  • Secstate: Integrating SCAP and Puppet for System Lockdown – Karl MacMillan, Tresys
  • Widely Used But Out-Of-Tree – Kees Cook, Canonical
  • Linux Security Usability – Z. Cliffe Schreuders, Murdoch University
  • System Security Services Daemon (SSSD) – Stephen Gallagher, Red Hat

These talk sessions are intended to be as collaborative and interactive as possible.  They’re thirty minutes each, with at least ten minutes of discussion included. The pace will be fairly brisk, and hopefully leave people wanting more and generating subsequent discussions.  Many people will be there for the week, and it’s been my experience over the years that much of the best discussion ends up happening after the talks in the various hallway and dinner tracks.

We’ll also have a panel session and, as mentioned, lightning talks.  See the schedule page for more details, and for any updates.

I hoped we’d see more proposals from folk on the operational side of things — we probably need to reach out in that direction better next time.  A significant aim of the summit is to foster collaboration between the development community and those running real systems, so if you’re in the latter group, definitely consider attending.  This will be a great opportunity to catch up on current developments in Linux security, and to provide your input and feedback.

Also, please join the event mailing list if you’re planning on attending in any capacity, so we can get any updates out to you, as well as better estimate attendance.  There’s also a Facebook page (which I don’t seem to be able to make public, ironically).

See you there!

Linux Security Summit 2010 – CFP closing this week

Just a reminder that the CFP for the Linux Security Summit ends this Friday, 4th of June.

If you have something interesting to discuss, send your proposal to the program committee via plain text email per the CFP announcement.

We have some very interesting proposals so far — if you have any interest in Linux security, you should probably try and be there.

Note that you need to be registered for LinuxCon to attend. As a speaker at the main conference, I’ve been given a discount code to hand out to people “in my network”. If you’re reading this, you’re in :-) Using the code, you can save 20%, which is currently $80 USD.

That’s enough to buy a Red Sox ticket and a hot dog.

Boston vs. NY, 1912 World Series (LOC).

Email me directly for the code at jmorris@namei.org.

KCA slides, photos and videos

I was in Brisbane last week to talk about Linux Kernel Security at Kernel Conference Australia (KCA).

The aims of the talk were to provide a general overview of security features in the Linux kernel, and to examine historical context around Unix security and how Linux is evolving to address modern security requirements.

People may be interested in my slides. They’re available as a PDF download and via Slideshare. Note that full speaker notes are included in the slides, in the second half of the deck.

The conference was streamed live online, and the video from my talk may be viewed here. I’m watching to see how the talk, and my speaking in general, might be improved. As painful as this may be, it seems very effective in understanding what worked and what didn’t. I think I can tighten this talk up for possible future use, and focus more on how our development process—not merely the technology—helps address evolving security requirements.

I later participated in an OS security panel with Cristina Cifuentes and Fernando Gont, the video of which is also online.

I’ve also uploaded a flickr photo set. Brisbane is a great location for a conference, especially in the southern hemisphere winter.

It was unusual being the only Linux speaker at a conference. I hope the talk was useful, if at least to encourage more thinking about security in operating systems.

The primary organizer of KCA, James MacPherson, has posted an initial wrap-up of the conference. If the conference continues—I hope it does; it has a lot of potential for the Australian kernel R&D community—I think it would be highly advantageous to more actively seek speakers (and even organizers), from the broader community. One major local Linux kernel developer had a Linux kernel video talk rejected, which seemed odd given that similar talks were accepted (e.g. the new OpenSolaris sound system), and that an additional OpenSolaris talk was added to the program after the CfP closed.

I understand that organizing conferences is difficult, so I hope this is taken as constructive feedback. I’d certainly be interested in helping review papers or otherwise help out in the future if the conference is held again, and if it is aimed at the broader community.

A brief note on the 2.6.30 kernel null pointer vulnerability

This is just to note that the Red Hat Security Response team have issued a preliminary comment on the 2.6.30 kernel null pointer vulnerability, as a comment in the associated bugzilla entry:

From Eugene Teo (Security Response Team)  2009-07-17 07:23:57 EDT

The Red Hat Security Response Team is aware of the Linux kernel local privilege
escalation exploit that is published in a number of security mailing lists and
websites. The flaw identified by CVE-2009-1897 is a null pointer dereference
vulnerability in the tun_chr_poll() function of the Linux kernel, introduced
via the upstream git commit 33dccbb0. This flaw affects kernel versions between
2.6.30-rc1 and 2.6.30-rc3 2.6.31-rc3 , and was addressed via the upstream
git commit 3c8a9c63.

The flaw affects only the Red Hat Enterprise Linux 5.4 beta kernel as the
upstream git commit 33dccbb0 was backported to the kernel as a normal bug fix.
We will be addressing this flaw in a future update to the beta kernel. It is
also possible to mitigate this flaw by ensuring that the permissions for
/dev/net/tun is restricted to root only.

The default SELinux policy, in Red Hat Enterprise Linux 5, allows processes in
the unconfined domains to map low memory in the kernel. The exploit did not
bypass the null pointer dereference protection in the Linux kernel. However, we
are updating the selinux-policy package to change this default configuration,
so that it prevents the unconfined processes from being able to map the low
memory. See bug 511143 for more information.

This issue does not affect any other released kernel in any Red Hat product.

In addition, future updates to Red Hat Enterprise Linux kernels may include the
'-fno-delete-null-pointer-checks' gcc CFLAGS. See:
http://git.kernel.org/linus/a3ca86aea507904148870946d599e07a340b39bf

We would like to thank Brad Spengler for bringing these issues to our
attention.

Note that I’m not a member of the security response team: I’m cc’d on the bug and noticed the statement when it was posted.

It is also worth highlighting that you should ensure that the permissions on /dev/net/tun are correct.  It should look like this:

# ls -l /dev/net/tun
crw------- 1 root root 10, 200 2009-07-07 09:52 /dev/net/tun

It’s possible that some VPN package may change the permissions on this.
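The permission check above can be scripted together with a check of the low-memory mapping protection that the Red Hat statement refers to (the vm.mmap_min_addr sysctl). This is an added example, not part of the original post; the function names and the --audit switch are hypothetical, and it assumes GNU coreutils stat.

```shell
#!/bin/sh
# Added example, not from the original post: audit the two local mitigations
# discussed here. Paths are parameters so the checks can run on test files.
# Assumes GNU coreutils stat(1) for the -c format option.

# mode_is_root_only MODE: true if the octal mode grants nothing to group/other.
mode_is_root_only() {
    [ $(( 0$1 & 077 )) -eq 0 ]
}

# audit_tun [PATH] [EXPECTED_UID]: returns 0 only for an owner-only node.
audit_tun() {
    dev=${1:-/dev/net/tun}
    want_uid=${2:-0}
    [ -e "$dev" ] || { echo "SKIP: $dev does not exist"; return 0; }
    perms=$(stat -c '%a %u' "$dev") || return 2
    dev_mode=${perms% *}
    dev_uid=${perms#* }
    tun_rc=0
    if [ "$dev_uid" != "$want_uid" ]; then
        echo "FAIL: $dev is owned by uid $dev_uid, expected $want_uid"; tun_rc=1
    fi
    if ! mode_is_root_only "$dev_mode"; then
        echo "FAIL: $dev mode $dev_mode grants access to group or other"; tun_rc=1
    fi
    [ "$tun_rc" -ne 0 ] || echo "OK: $dev mode $dev_mode, uid $dev_uid"
    return "$tun_rc"
}

# audit_mmap_min_addr [FILE]: 0 means the low-memory mapping check is disabled.
# A non-zero value is necessary but not sufficient: as the post explains, the
# SELinux policy let unconfined processes bypass the check.
audit_mmap_min_addr() {
    src=${1:-/proc/sys/vm/mmap_min_addr}
    [ -r "$src" ] || { echo "SKIP: cannot read $src"; return 0; }
    min_addr=$(cat "$src")
    case $min_addr in
        ''|*[!0-9]*) echo "FAIL: unexpected value '$min_addr' in $src"; return 2 ;;
    esac
    if [ "$min_addr" -eq 0 ]; then
        echo "FAIL: mmap_min_addr is 0, so page zero can be mapped"; return 1
    fi
    echo "OK: mmap_min_addr=$min_addr"
}

if [ "${1:-}" = "--audit" ]; then
    status=0
    audit_tun || status=1
    audit_mmap_min_addr || status=1
    exit "$status"
fi
```

Run with --audit, the script exits non-zero if either check fails, which makes it usable from a configuration-management or monitoring job after VPN packages are installed or updated.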

In terms of the SELinux aspect of the exploit, I’ve posted a brief comment in the LWN thread here.

Yes, there was a mistake in the SELinux policy, which allowed the unconfined user to bypass the mmap_min_addr check, which otherwise would have been enforced if the check was enabled (many disable it to get wine etc. working, btw, google disable mmap_min_addr).

This is being fixed in the policy.

The lesson learned here is that more careful review of policy changes needs to happen, and to ask the question as to whether the policy is capable of weakening default security.

The LSM interface is theoretically designed to only allow further restriction of access, but this is a special case, where we are applying policy to a kernel compilation option which can also have its value set via a sysctl. It’s not a typical “access this resource or not?” decision.

The policy bug is now fixed in the selinux-policy-2.4.6-252.el5 package.

The challenge now is to try and ensure that we don’t see this class of problem crop up again, for unusual cases such as this where the normally “restrictive” mode of LSM (i.e. where permissions can only be further restricted) does not apply.  We may need to rethink how this is managed in the kernel to reduce the possibility of such issues in LSM module policy, as the LSM API here appears to be violating the Hard to Misuse design principle.