Linux Security Summit 2021: Full Schedule

The Sched app allows you to build your schedule but is not a substitute for your event registration. In addition, you must be registered for Linux Security Summit to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

This schedule is automatically displayed in Pacific Daylight Time (PDT), UTC-7. Please select from the drop-down menu to the right to see the schedule in your preferred timezone above "Filter by Date."

8:00am PDT

Registration & Badge Pick-up

Wednesday September 29, 2021 8:00am - 5:45pm PDT
3rd Floor Foyer

Breaks & Networking

9:00am PDT

(IN PERSON) Welcome & Opening Remarks - James Morris

Speakers

James Morris

Linux Kernel & Security Manager, Microsoft

James is the maintainer of the Linux security subsystem, and engineering manager at Microsoft.

Wednesday September 29, 2021 9:00am - 9:05am PDT
Room 402 - Chiliwack

General Sessions

Talk Type In Person

9:05am PDT

(IN PERSON) SyzScope: Revealing High-Risk Security Impacts of Fuzzer-Exposed Bugs - Xiaochen Zou, University of California, Riverside

It is well-known that the lack of understanding of security impact can lead to delayed bug fixes as well as patch propagation. Even worse, for the syzbot platform that continuously fuzzes Linux kernels, all bug reports and their reproducers are made public on a dashboard as soon as they are generated. This can become a goldmine for adversaries if they can infer the bugs' security impacts before defenders do. Therefore, we propose the following questions: 1.Are those seemingly low-risk bugs actually low-risk? 2.Do bug reports reveal the real impact of bugs? 3.Can we convert a seemingly low-risk bug to a high-risk bug automatically? We develop SyzScope, a system that can automatically uncover new "high-risk" impacts given a bug with only "low-risk" impacts. From analyzing over a thousand low-risk bugs on syzbot, SyzScope successfully determined that 133 low-risk bugs in fact contain high-risk impacts, e.g., control flow hijack and arbitrary memory write, many of which still do not have patches available yet.

Speakers

Xiaochen Zou

Research Assistant, University of California, Riverside

I'm a PhD student at UC Riverside. I currently work on kernel fuzzing and exploitation. I just finished a project called SyzScope that helps developers and maintainers evaluate the severity of fuzzing-exposed bugs. SyzScope utilize fuzzing, static analysis, and symbolic execution... Read More →

SyzScope in Linux Security Summit pdf

Wednesday September 29, 2021 9:05am - 9:50am PDT
Room 402 - Chiliwack

Refereed Presentation

Talk Type In Person

9:50am PDT

(VIRTUAL) Hardening the Linux Guest for the Confidential Cloud Computing - Elena Reshetova, Intel

Confidential Cloud Computing is a powerful security model where the cloud tenants are not required to trust the SW stack provided by Cloud Service Providers (CSPs). This includes the Virtual Machine Monitor (VMM) that has been an internal part of VM guest’s TCB for decades. In recent years CPU vendors are coming forward with the technologies that make possible to support this changed threat model (AMD SEV, Intel TDX, etc.), but a lot of work also needs to be done on the VM guest SW stack to truly make this setup secure. This talk would present our efforts and methodology for hardening the mainline Linux kernel that can be used as a secure VM guest kernel. We will talk about the challenges we have faced, successful and failed approaches, as well as share some initial results. We also hope to start a discussion with the Linux community on how we all can work together to develop and integrate these hardening measures into the general practices for all involved components of the Linux guest SW stack.

Speakers

Elena Reshetova

Security architect, Intel

Elena Reshetova is a security architect and researcher at Intel working on various Linux security projects. Her current research interests evolve around Linux kernel hardening for the confidential cloud computing.

LSS HardeningLinuxGuestForCCC pdf

Wednesday September 29, 2021 9:50am - 10:35am PDT
Room 402 - Chiliwack

Refereed Presentation

Talk Type Virtual
Presentation Slides Attached Yes

10:35am PDT

Morning Break

Wednesday September 29, 2021 10:35am - 11:05am PDT
Room 403 - Cispus

Breaks & Networking

11:05am PDT

(VIRTUAL) Deep Dive into Landlock Internals - Mickaël Salaün, Microsoft

Landlock is the first Mandatory Access Control available to unprivileged processes on Linux. It is available since Linux 5.13, which enables all applications to sandbox themselves. Landlock development started 5 years ago, and multiple approaches were tried (e.g. extending seccomp, using eBPF) before picking the good one. This talk first explains the goal of Landlock and the related consequences. This will enable to explain the kernel implementation constraints, the choices that led to the current design, and the potential and limits of the current and future features. More information about Landlock can be found on the official website: https://landlock.io

Speakers

Mickaël Salaün

Senior Software Engineer, Microsoft

Mickaël Salaün is a security researcher, software developer and open source enthusiast. He is mostly interested in Linux-based operating systems, especially from a security point of view. He has built security sandboxes before hacking into the kernel on a new LSM called Landlock... Read More →

2021 09 29 LSS Deep Dive into Landlock Internals pdf

Wednesday September 29, 2021 11:05am - 11:50am PDT
Room 402 - Chiliwack

Refereed Presentation

Talk Type Virtual
Presentation Slides Attached Yes

11:50am PDT

(VIRTUAL) Hardware-Assisted Fine-Grained Control-Flow Integrity: Adding Lasers to Intel's CET/IBT - Joao Moreira, Intel

This talk presents FineIBT, a compiler-based enhancement that enables fine-grained forward-edge Control-Flow Integrity (CFI) policies on top of Intel's Control-flow Enforcement Technology (CET). By combining the new hardware features with compiler instrumentation, FineIBT anchors indirect control transfers to sanity checks, enabling policies more restrictive than those supported solely by CET and increasing its effectiveness against control-flow hijacking attacks. An evaluation through custom benchmarks shown that FineIBT provides similar security guarantees with less performance costs when compared to Clang CFI, retaining its penalty between 1% and 7% while the latter added overheads between 5% and 53%. Beyond that, FineIBT also has other perks, such as benefiting from the CET's hardening against transient execution attacks and not depending on Link-Time Optimizations. This talk will explore the FineIBT implementation recently sent to the kernel-hardening mailing list, then discuss specific scenarios, such as how it could be used in the Linux kernel, possible improvements and expected challenges. Technical reference: https://www.openwall.com/lists/kernel-hardening/2021/02/11/1

Speakers

Joao Moreira

Offensive Security Researcher, Intel

Joao is an Offensive Security Researcher at Intel. His research interests are mostly focused in compiler-enabled features and analyses, but he will normally be down to chat about anything that involves binaries. Joao holds a PhD from the University of Campinas, where he worked on... Read More →

LSS FINEIBT JOAOMOREIRA pdf

Wednesday September 29, 2021 11:50am - 12:35pm PDT
Room 402 - Chiliwack

Refereed Presentation

Talk Type Virtual
Presentation Slides Attached Yes

12:35pm PDT

Lunch

Wednesday September 29, 2021 12:35pm - 2:00pm PDT

Breaks & Networking

2:00pm PDT

(IN PERSON) AMD SEV-SNP Development Update - David Kaplan, Advanced Micro Devices & Brijesh Singh, SMTS

In 2019, AMD introduced SEV-SNP (Secure Nested Paging), the latest generation of AMD VM isolation technology designed for confidential computing. Now that SEV-SNP hardware is commercially available, AMD is focusing on upstream enablement of the various new security capabilities provided by this technology, including memory integrity protection, new attestation models, interrupt security, and more. In this talk, we will provide a brief overview of these new capabilities and the status of upstream enablement work in the Linux kernel, QEMU, and related projects. We’ll also discuss planned future areas of development and how anyone interested can get involved.

Speakers

David Kaplan

Security Architect, Advanced Micro Devices

David Kaplan is a Fellow at AMD who focuses on developing new security technologies across the AMD product line as part of the Product Security Organization. He is the lead architect for the AMD encrypted virtualization features and has worked on both CPU and SOC level security features... Read More →

Brijesh Singh

SMTS, Advanced Micro Devices

Brijesh Singh is a member of the Linux OS group at Advanced Micro Devices. He is responsible for enabling and enhancing support for AMD processor features in the Linux kernel. He is currently working on extending the SEV support to enable SEV-SNP (Secure Nested Paging).

AMD SEV SNP Development Update Final pdf

Wednesday September 29, 2021 2:00pm - 2:45pm PDT
Room 402 - Chiliwack

Refereed Presentation

Talk Type In Person
Presentation Slides Attached Yes

2:45pm PDT

(VIRTUAL) Device Mapper Target Measurements for Remote Attestation using IMA - Tushar Sugandhi, Microsoft Corp & Alasdair G Kergon, Red Hat

For a given system, various external services/infrastructure tools interact with it (during setup and system run-time.) They share sensitive data/execute critical workload on that system. The external services may want to verify the current run-time state of the kernel subsystems before fully trusting the system with business-critical data/workload. Device mapper is one such subsystem that plays a critical role on a given system by providing various important functionalities to the block devices e.g. crypt, verity, integrity etc. The attributes chosen to configure these target types can significantly impact the security profile of the block device, and of the system itself. So, verifying the current state of various block devices and their target attributes is crucial for external services before fully trusting the system with business-critical data/workload. IMA provides the necessary functionality for device mapper to measure the state and configuration of various block devices. Our work includes using the IMA functionality to measure the device state and configuration changes and store those in IMA logs, so that it can be used by external services for managing the system.

Speakers

Tushar Sugandhi

Senior Software Developer, Microsoft Corp

Tushar Sugandhi works as a Senior Software Development Engineer for Microsoft, and is located in Redmond WA. He has worked in areas Container Security, Hardware Based Isolation, System Integrity, Remote Attestation etc. Currently he is working in Linux Kernel Device Mapper space to... Read More →

Alasdair G Kergon

Member of the Kernel Storage Group at Red Hat., RedHat

Alasdair Kergon is a member of the kernel storage group at Red Hat. He is a maintainer of Device-Mapper framework provided by the Linux kernel for mapping physical block devices onto higher-level virtual block devices.

Wednesday September 29, 2021 2:45pm - 3:30pm PDT
Room 402 - Chiliwack

Refereed Presentation

Talk Type Virtual

3:30pm PDT

Afternoon Break

Wednesday September 29, 2021 3:30pm - 4:00pm PDT
Room 403 - Cispus

Breaks & Networking

4:00pm PDT

(VIRTUAL) Kernel Self-Protection Project - Kees Cook, Google

This presentation will cover the last two years of the Kernel Self-Protection Project. The project continues to eliminate classes of bugs and block exploitation techniques in the kernel. First we'll review of all the security defenses that landed in kernels 5.3 through 5.13. Some highlights are improved heap sanity checking, better entropy, generic refcount_t, sane API size argument limits, array bounds checking, shadow call stack, control flow integrity, stack variable zeroing, and set_fs() removal. Then we'll take a quick look at the evolution of kernel CVE lifetimes, counts, and bug classes with a focus on buffer overflows over the last few years. Additionally, we'll have a summary of kernel testing as seen through the lens of kernelci.org. Finally, there will be an overview of what defenses are still under development, and a review of some areas where help is especially needed.

Speakers

Kees Cook

Kernel Security Engineer, Google

Kees Cook has been working with Free Software since 1994, has been a Debian Developer since 2007, and has been a member of the Linux Kernel Technical Advisory Board since 2019. He is currently employed as a Linux kernel security engineer by Google, focusing on upstream kernel security... Read More →

Wednesday September 29, 2021 4:00pm - 4:45pm PDT
Room 402 - Chiliwack

Refereed Presentation

Talk Type Virtual

4:45pm PDT

(VIRTUAL) Securing TPM Secrets in the Datacenter - Paul Moore, Microsoft & Joy Latten, Cisco

This talk will focus on how existing technologies such as UEFI Secure Boot, the UEFI shim bootloader, and TPM2 can be combined to provide a secure secret storage such that only authorized OSes are able to access the secrets. Further, the approach described in this presentation has been designed to function across lights-out firmware, bootloader, and system updates, making this solution appealing for datacenter systems with limited physical access. Additional discussion points will include considerations for unrestricted developer systems and reprovisioning the TPM2 in deployed systems. The first half of this presentation will discuss the ideas behind the design of our solution, including why a different approach was necessary. The second half of this presentation will describe our experience implementing this design and the lessons we learned along the way.

Speakers

Paul Moore

Principal Software Engineer, Microsoft

Paul Moore has been involved in various Linux platform security efforts since 2004 at Hewlett-Packard, Red Hat, Cisco, and Microsoft. He currently maintains the SELinux, audit, and labeled networking subsystems in the Linux Kernel as well as the libseccomp userspace library.

Joy Latten

Software Engineer, Cisco

Member of the puzzleOS team at Cisco. Currently working on various security tasks for puzzleOS. Have worked on security projects in opensource for 18+ years.

Wednesday September 29, 2021 4:45pm - 5:30pm PDT
AccelEvents

Refereed Presentation

Talk Type Virtual

8:00am PDT

Registration & Badge Pick-up

Thursday September 30, 2021 8:00am - 5:30pm PDT
3rd Floor Foyer

Breaks & Networking

9:00am PDT

(IN PERSON) Welcome Back and Remarks - James Morris

Speakers

James Morris

Linux Kernel & Security Manager, Microsoft

James is the maintainer of the Linux security subsystem, and engineering manager at Microsoft.

Thursday September 30, 2021 9:00am - 9:05am PDT
Room 402 - Chiliwack

General Sessions

Talk Type In Person

9:05am PDT

(VIRTUAL) Subsystem Update: Linux Integrity Status Update - Mimi Zohar, IBM

The Integrity subsystem status update will provide an overview of the new features and other changes upstreamed the past two years, as well as discuss current and future development.

Speakers

Mimi Zohar

Software Engineer, IBM

Mimi Zohar is a member of the Secure Systems Group at the IBM T.J. Watson Research Center. Her current interests are in the areas of system security and integrity, a natural progression from prior work in firewall design for perimeter security. She is the linux-integrity subsystem... Read More →

Thursday September 30, 2021 9:05am - 9:35am PDT
Room 402 - Chiliwack

Short Topic

Talk Type Virtual

9:35am PDT

(VIRTUAL) Patatt: End-to-end Patch Cryptographic Attestation for Patches - Konstantin Ryabitsev, The Linux Foundation

The kernel, along with several other important projects, continue to use fully decentralized means of collaboration that is based on sending patches and code reviews via email. Existing end-to-end email attestation mechanisms, such as PGP/MIME or S/MIME, have important drawbacks that limit their usefulness when it comes to attesting structured content like patches. Patatt is a small library that adopts the DKIM standard to introduce end-to-end cryptographic signing of patches. When incorporated into maintainer tools like b4, it allows for full end-to-end attestation of code, as well as public keyring management via the git repository itself.

Speakers

Konstantin Ryabitsev

Director, IT Projects, The Linux Foundation

Konstantin has been part of the IT management team behind kernel.org for the past 10 years. Part of his duties has been to help improve maintainer tooling and the end-to-end security of the development workflow behind the Linux kernel.

Patatt for LSS pdf

Thursday September 30, 2021 9:35am - 10:05am PDT
Room 402 - Chiliwack

Short Topic

Talk Type Virtual
Presentation Slides Attached Yes

10:05am PDT

(IN PERSON) The Future of Code Integrity Enforcement: Extending IMA - Fan Wu, Microsoft

Last year an LSM called IPE was proposed. It has a similar purpose to IMA appraisal – to provide system-wide Code Integrity policy enforcement on executables. Fan is attempting to extend IMA to cover the IPE use cases to bridge the two systems. In this talk, Fan will present the current progress of the extension of IMA, along with some difficulties due to its original architecture limitation that was discovered during the implementation process, then offer some potential solutions.

Speakers

Fan Wu

Software Engineer, Microsoft

Fan Wu is a software engineer at Microsoft, his current focus is operating system security.

Thursday September 30, 2021 10:05am - 10:35am PDT
Room 402 - Chiliwack

Short Topic

Talk Type In Person

10:35am PDT

Morning Break

Thursday September 30, 2021 10:35am - 11:05am PDT
Room 403 - Cispus

Breaks & Networking

11:05am PDT

(VIRTUAL) Where do Security and Safety Meet? - Elana Copperman, Mobileye/Intel

System security and safety have common goals, yet often follow divergent development paths. We are taking a look at the Linux kernel configuration features, many of which were originally designed for security, which can be used to enable safety critical applications. In this talk, we will give an overview of our recent work researching existing kernel features important to enable safety critical applications. The kernel configurations are mapped onto Common Weakness Enumerations, but more significantly we demonstrate how they are specifically relevant to support basic safety features such as kernel memory or avoiding race conditions. The work is in the context of ELISA (https://elisa.tech), striving to promote the acceptance of Linux in industries such as avionics, medical devices, and automotive, for which safety is an essential requirement. Our goal is to discuss our work with the Linux kernel developers engaged in the Linux Self-Protection Project and others interested in this area.

Speakers

Elana Copperman

System Architect, Mobileye

Elana Copperman, PhD is a System Software Architect at Mobileye (until recently, part of Intel). She provides support for designing safety features in Mobileye products, including system boot, drivers, and Linux infrastructure. Before working at Mobileye, she worked as a Security... Read More →

Security Meets Safety LSS2021 Final pdf

Thursday September 30, 2021 11:05am - 11:50am PDT
Room 402 - Chiliwack

Refereed Presentation

Talk Type Virtual
Presentation Slides Attached Yes

11:50am PDT

(IN PERSON) Triaging Kernel Out-Of-Bounds Write Vulnerabilities - Weiteng Chen, University of California, Riverside

The monolithic nature of modern OS kernels leads to a constant stream of bugs being discovered. It is often unclear which of these bugs are worth fixing, as only a subset of them may be serious enough to lead to security takeovers (i.e., privilege escalations). Therefore, researchers have recently started to develop automated exploit generation techniques (for UAF bugs) to assist the bug triage process. In this paper, we investigate another top memory vulnerability in Linux kernel—out-of-bounds (OOB) memory write from heap. We design KOOBE to assist the analysis of such vulnerabilities based on two observations: (1) Surprisingly often, different OOB vulnerability instances exhibit a wide range of capabilities. (2) Kernel exploits are multi-interaction in nature which allows the exploit crafting process to be modular. Specifically, we focus on the extraction of capabilities of an OOB vulnerability and the subsequent exploitability evaluation process. In our evaluation, we analyze 17 most recent Linux kernel OOB vulnerabilities, for which KOOBE successfully generated candidate exploit strategies for 11 of them. Further, we are able to construct fully working exploits for all of them.

Speakers

Weiteng Chen

University of California, Riverside

Weiteng Chen is a 5th-year PhD student in the computer science department at University of California, Riverside, where he is working with professor Zhiyun Qian. His research focuses on OS security and vulnerability analysis. He is particularly interested in exploitability assessment... Read More →

koobe LSS pdf

Thursday September 30, 2021 11:50am - 12:35pm PDT
Room 402 - Chiliwack

Refereed Presentation

Talk Type In Person

12:35pm PDT

Lunch

Thursday September 30, 2021 12:35pm - 2:00pm PDT

Breaks & Networking

2:00pm PDT

(VIRTUAL) /dev/random - A New Approach - Stephan Mueller, atsec information security GmbH

A new approach for providing a /dev/random implementation is publicly available with the LRNG implementation and sent to the Linux kernel community for review. This new implementation provides the following benefits: * Sole use of contemporary cryptographic algorithms for data processing * Significant performance gains in performance critical interrupt handler * Availability of test interfaces allowing all execution steps to be validated including extracting of raw noise for entropy assessments * Flexible configuration including runtime-replacement of cryptographic components for crypto-agility * Clean design of combining multiple entropy sources With its API and ABI compliant interfaces to the existing /dev/random implementation the LRNG can be used as a drop-in replacement. The presentation is intended to introduce the different aspects of the LRNG and explain how the LRNG integrates with the Linux kernel. The goal is to allow peer kernel developers to understand the LRNG. The presentation also provides suggestions on how the LRNG may be integrated into the mainline kernel.

Speakers

Stephan Mueller

Consultant, atsec information security GmbH

Stephan Mueller works in the field of IT security for more than 20 years with atsec. The tasks mainly revolve around supporting vendors and developers to successfully perform various types of validations including FIPS 140-2. In addition, assessments of cryptographic implementations... Read More →

lrng presentation LSS 2021 V2 pdf

Thursday September 30, 2021 2:00pm - 2:45pm PDT
Room 402 - Chiliwack

Refereed Presentation

Talk Type Virtual
Presentation Slides Attached Yes

2:45pm PDT

(VIRTUAL) Fuzzing Linux with Xen - Tamas K Lengyel, Intel

Last year we've successfully upstreamed a new feature to Xen that allows high-speed fuzzing of virtual machines (VMs) using VM-forking. Recently through collaboration with the Xen community external monitoring of VMs via Intel Processor Trace has also been upstreamed. Combined with the native Virtual Machine Introspection (VMI) capability Xen now provides a unique platform for fuzzing and binary analysis. To illustrate the power of the platform we'll present the details of a real-world fuzzing operation that targeted Linux kernel-modules from an attack-vector that has previously been hard to reach: memory exposed to devices via Direct Memory Access (DMA) for fast I/O. If the input the kernel reads from DMA-exposed memory is malformed or malicious - what could happen? So far we discovered: 9 NULL-pointer dereferences; 3 array index out-of-bound accesses; 2 infinite-loops in IRQ context and 2 instances of tricking the kernel into accessing user-memory but thinking it is kernel memory. The bugs have been in Linux for many years and were found in kernel modules used by millions of devices. All bugs are now fixed upstream. In this talk we'll show how we found these bugs.

Speakers

Tamas K Lengyel

Senior Security Researcher, Intel

Tamas works as Senior Security Researcher at Intel. He received his PhD in Computer Science from the University of Connecticut where he built hypervisor-based malware-analysis and collection tools. In his free time he is maintainer of the Xen Project Hypervisor's VMI subsystem, LibVMI... Read More →

Thursday September 30, 2021 2:45pm - 3:30pm PDT
Room 402 - Chiliwack

Refereed Presentation

Talk Type Virtual

3:30pm PDT

Afternoon Break

Thursday September 30, 2021 3:30pm - 4:00pm PDT
Room 403 - Cispus

Breaks & Networking

4:00pm PDT

(VIRTUAL) Abstracting TEE Silicon Implementations with Shims - Nathaniel McCallum & Harald Hoyer, Profian

Enarx provides a WebAssembly runtime across multiple TEE implementations, currently targeting Intel SGX and AMD SEV, with plans for others in the future (including from Arm and IBM). The various architectures presented by the silicon vendors are very diverse, and creating a design that allows implementations on the various platforms has presented a variety of challenges. In this talk, Nathaniel & Harald will concentrate on the shim layers below the WebAssembly runtime, and the approaches the project has taken to support Intel SGX and AMD SEV in particular. They will discuss design trade-offs and choice of language for implementation. They will also talk about pitfalls which presented themselves and what implementations on future silicon is likely to require, based on information already available in the public domain.

Speakers

Nathaniel McCallum

CTO, Profian

Nathaniel is CTO at Profian, a start-up in the Trusted Execution Space, based around Enarx (https://enarx.dev/), an open source project which is part of the Confidential Computing Consortium, a Linux Foundation project. By day, he tackles tough security problems. By night, he tackles... Read More →

Harald Hoyer

Distinguished Software Engineer, Profian

- Creator of dracut (initramfs generator and runtime)- Contributor to udev and systemd in the early days- Merger of / and /usr- Fedora/Red Hat contributor for over 20 years

Thursday September 30, 2021 4:00pm - 4:45pm PDT
Room 402 - Chiliwack

Refereed Presentation

Talk Type Virtual

4:45pm PDT

(IN PERSON) IPE Namespaces: Targeted Enforcement of CI - Deven Bowers, Microsoft

Code integrity is widely recognized as one of the most effective security mitigations for modern threats, especially those targeting high-value systems. However, code integrity policies typically apply to an entire system, which may not be possible depending on the system's workload. This presentation will cover the newest update to Integrity Policy Enforcement (IPE), namespaces, which allows system builders to apply a code integrity namespace to a specific process and all of its descendants, allowing more targeted policy enforcement for systems such as docker hosts. There will be a live, proof-of-concept example, demonstrating its functionality. The presentation will work through an example where a system's workload is not acceptable for full-integrity verification, and how that issue is solved through namespaces, and some of the more interesting design decisions around the namespace implementation within IPE.

Speakers

Deven Bowers

Software Engineer, Microsoft

I graduated college in 2017 from UNC-Chapel Hill. I joined Microsoft shortly after, where I worked on code integrity (CI) systems in NTOS until late 2019, at which I transitioned to working on CI in Linux as my primary responsibility at Microsoft. I presented at LSS 2020 on my Integrity... Read More →

LSS 2021 Namespaces pdf

Thursday September 30, 2021 4:45pm - 5:30pm PDT
Room 402 - Chiliwack

Refereed Presentation

Talk Type In Person

8:00am PDT

Registration & Badge Pick-up

Friday October 1, 2021 8:00am - 1:00pm PDT
3rd Floor Foyer

Breaks & Networking

9:00am PDT

(IN PERSON) Welcome Back and Remarks - James Morris

Speakers

James Morris

Linux Kernel & Security Manager, Microsoft

James is the maintainer of the Linux security subsystem, and engineering manager at Microsoft.

Friday October 1, 2021 9:00am - 9:05am PDT
Room 402 - Chiliwack

General Sessions

Talk Type In Person

9:05am PDT

(VIRTUAL) Mitigating Linux Kernel Memory Corruptions with ARM Memory Tagging - Andrey Konovalov, xairy.io

Memory Tagging Extension (MTE) is an ARM v8.5 feature that enables hardware-assisted validation of the correctness of memory accesses. In a nutshell, MTE allows assigning tags to memory allocations, as well as to pointers that refer to those allocations. When a pointer is accessed, the CPU performs a validity check that ensures that the memory tag matches the pointer tag. As of now, MTE is integrated into the Linux kernel. It is available in both mainline and the Android common kernels. This talk focuses on the way MTE is used to assert the validity of kernel memory accesses. The talk describes the current state of the newly added Hardware Tag-Based KASAN mode and its planned improvements.

Speakers

Andrey Konovalov

Security Engineer, xairy.io

Andrey Konovalov is a security engineer focusing on the Linux kernel. Andrey is a contributor to several security-related Linux kernel subsystems and tools: KASAN — a bug detector and a security mitigation, KCOV — a coverage collection subsystem, and syzkaller — a production-grade... Read More →

[submit] Mitigating Linux kernel memory corruptions with ARM Memory Tagging [slides] pdf

Friday October 1, 2021 9:05am - 9:50am PDT
Room 402 - Chiliwack

Refereed Presentation

Talk Type Virtual
Presentation Slides Attached Yes

9:50am PDT

(VIRTUAL) All the Things You Can Do with ARMv8 Virtualization - Janne Karhunen & Jani Hyvönen, Digital 14

ARMv8 is heavily under-utilized architecture when it comes to Linux. In this talk we will be showing how to tweak it to do AMD SEV/INTEL TDX like secure virtualization with the KVM and the plain MMU, how to protect the host and the guest Linux kernels via the hypervisor mode and how you can model your secure virtual hardware to run Linux or even Android. The talk covers the quirks of the real life ARMv8 implementations people carry in their pockets.

Speakers

Janne Karhunen

Senior Principal Engineer, Digital 14

Janne Karhunen is a longtime Linux kernel and security engineer with background with various kernel subsystems, primarily focusing on the Linux security subsystem applications for the mobile use cases. Ever since the mobile ARMv8 chipsets properly started to support virtualization... Read More →

Jani Hyvönen

Principal Engineer, Digital 14

Jani is a longtime mobile chipset wizard, lately primarily focusing on the Qualcomm chipsets and their features, as well as development/debugging environments.

lss2021 pdf

Friday October 1, 2021 9:50am - 10:35am PDT
Room 402 - Chiliwack

Refereed Presentation

Talk Type Virtual

10:35am PDT

Morning Break

Friday October 1, 2021 10:35am - 11:05am PDT
Room 403 - Cispus

Breaks & Networking

11:05am PDT

(IN PERSON) Finding Multiple Bug Effects for More Precise Exploitability Estimation - Zhenpeng Lin & Yueqi Chen, Penn State University

Syzkaller, the state-of-the-art kernel fuzzing tool, has significantly expedited the bug finding in the Linux kernel, which generates 1000+ kernel bug reports over the past two years. In the Linux kernel, a possible trend in the future would be the number of bugs found grows faster than the number of bugs fixed. Limited human resources and efforts should be put into fixing bugs that have more potential to be exploited. The exploitability of bugs can be approximated by looking at the memory corruption ability shown in the bug reports. However, a bug could have many bug effects[ by triggering the root cause differently. A bug report that shows a General Protection Fault error could have the same root cause as the one showing a Use After Free error. Knowing all the bug effects gives precise exploitability estimation. In this talk, we will introduce a new approach to find all the potential bug effects given a kernel bug report. We will show our evaluation results to demonstrate the effectiveness and efficiency of our tool.

Speakers

Yueqi Chen

PhD student, Penn State University

Yueqi Chen received his B.Sc degree from Nanjing University in 2017 and is currently a PhD Student with Dr. Xinyu Xing at Pennsylvania State University. He was awarded the IBM PhD Fellowship 2020. His research focuses on OS security and vulnerability analysis. He is particularly interested... Read More →

Zhenpeng Lin

PhD student, Penn State University

Zhenpeng Lin is a PhD student advised by Dr. Xinyu Xing at Pennsylvania State University. His research focuses on vulnerability discovery and exploitation. His work was published at CCS 2020. In addition, he plays CTF a lot. As a core member of Nu1L, he won 1st place in BCTF 2017... Read More →

LSS 2021 Multiple Error Behavior pdf

Friday October 1, 2021 11:05am - 11:50am PDT
Room 402 - Chiliwack

Refereed Presentation

Talk Type In Person

11:50am PDT

(VIRTUAL) Live Migration Architecture for Intel TDX-based Confidential VMs - Ravi Sahita & Jun Nakajima, Intel

Confidential computing establishes a new security model for data-in-use protection - a large volume of sensitive data is processed in public clouds, where the trusted computing base (TCB) is large including hypervisors, host operating system, operators, orchestration software, devices (with firmware), and BIOS/SMM. Intel TDX (Trust Domain Extensions) provides capabilities to limit the TCB for VM workloads, with the goal to removing the host software from the TCB (by running the VM as a TD VM). At the same time, cloud and enterprise operators require capabilities such as live migration of VM workloads to support reliability and availability of the infrastructure. This talk describes the Intel TDX architecture to enable live migration of TD VMs running confidential workloads. The proposed architecture provides live-migration while maintaining the baseline functionality and security requirements of Intel TDX. The talk will describe the expanded threat model, and the platform capabilities to address these potential new threats, followed by a summary of the modifications to KVM/QEMU and implications to the TD VM owners when opting-in to live migration of TD VMs.

Speakers

Ravi Sahita

Security Architect (Sr. PE), Intel

Ravi Sahita is a Senior Principal Engineer at Intel in the Data Platforms Group. He has 20 years of experience in computer security, hardware virtualization, systems and platform software, CPU ISA and applying machine learning for security. His current focus is on architecture development... Read More →

Jun Nakajima

Sr. Principal Engineer, Intel Corporation

Jun Nakajima is a Senior Principal Engineer at the Intel Open Source Technology Center, leading virtualization and security for open source projects. Jun presented a number of times at technical conferences, including LSS, KVM Forum, Xen Summit, LinuxCon, OpenStack Summit, and USENIX... Read More →

Friday October 1, 2021 11:50am - 12:35pm PDT
Room 402 - Chiliwack

Refereed Presentation

Talk Type Virtual

12:35pm PDT

Lunch

Friday October 1, 2021 12:35pm - 2:00pm PDT

Breaks & Networking

2:00pm PDT

(VIRTUAL) CVEHound: Audit Kernel Sources for Missing CVE Fixes - Denis Efremov, Oracle

CVEHound is a tool for checking Linux kernel sources for missing CVE fixes. Usual ways to track CVE fixes are vendor security announcements and a git history of a particular kernel tree. However, many vendors provide sources as tarballs without development history and don't publish enough information about security fixes. Hence, it's not possible to check these releases automatically without manually inspecting sources. CVEHound takes into account only C source code during work. Internally, the tool uses semantic patches (coccinelle patterns) to find missing backports of CVE fixes. This allows the tool to be agnostic from the kernel version and detect a missing fix in a half-open interval starting from the first commit where a bug was introduced and ending with the fix/backport patch. Since the tool uses a source-based approach this allows also to detect partial/broken/missing backports of security fixes. The talk is a tool presentation with a corresponding approach that can be interesting to kernel developers for maintaining kernel trees, certification labs for compliance checking, system administrators, and penetration testers for security audits.

Speakers

Denis Efremov

Developer, Oracle

Worked for 10 years at ISP RAS (Institute for System Programming Russian Academy of Science) as researcher/formal verification engineer. Recently joined Ksplice team at Oracle as a kernel developer.

Friday October 1, 2021 2:00pm - 2:30pm PDT
Room 402 - Chiliwack

Short Topic

Talk Type Virtual

2:30pm PDT

(IN PERSON) Analysing and Improving the Security Properties of Secret Memory - James Bottomley & Mike Rappoport, IBM

Various patches are advancing through the kernel to designate regions of memory as hidden or secret. The current implementation mechanism for almost all of them is to remove them from the direct map of the kernel, meaning that it becomes impossible to refer to the memory from within the kernel without finding a way to map it and if an address in secret memory is ever accessed by the kernel or from another user space process, a page fault will result. The enhanced security for secret memory comes from the fact that most of the attempts to exfiltrate secrets mostly rely either on rop gadgets or privilege escalation. Since root cannot gain access to the secret from userspace because of the lack of direct map entry, the only viable exfiltration mechanism is via rop. Since there are no easy gadgets available to map a kernel address, it involves constructing a complex rop chain, making the exfiltration significantly harder (although not impossible). What we'd like to discuss in this session is how we could improve the security posture of secret memory and what its use cases might be (we've already put together a preloader that allocates openssl private keys in secret memory).

We'll be using the Plumbers BBB infrastructure. You can try it out here
bbb5.lpc.events.

We've disabled the authentication, so just type your name to join
We'll be using the plumbers protocols, so unmute video to interact
It will all be streamed over the AccelEvents platform, so if you only want to ask questions over chat, you don't need to use BBB

Speakers

James Bottomley

DE, IBM

James Bottomley is a Distinguished Engineer at IBM Research where he works on Cloud and Container technology. He is also Linux Kernel maintainer of the SCSI subsystem. He has been a Director on the BoardJames Bottomley is a Distinguished Engineer at IBM Research where he works on... Read More →

Mike Rapoport

Developer, IBM

Mike has lots of programming experience in different areas ranging from medical equipment to visual simulation, but most of all he likes hacking on Linux kernel and low level stuff. Throughout his career Mike promoted use of free and open source software and made quite a few contributions... Read More →

Friday October 1, 2021 2:30pm - 3:00pm PDT
Room 402 - Chiliwack

Short Topic