Loading…
The Sched app allows you to build your schedule but is not a substitute for your event registration. In addition, you must be registered for Linux Security Summit to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

This schedule is automatically displayed in Pacific Daylight Time (PDT), UTC-7. Please select from the drop-down menu to the right to see the schedule in your preferred timezone above "Filter by Date."

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Wednesday, September 29
 

9:50am PDT

(VIRTUAL) Hardening the Linux Guest for the Confidential Cloud Computing - Elena Reshetova, Intel
Confidential Cloud Computing is a powerful security model where the cloud tenants are not required to trust the SW stack provided by Cloud Service Providers (CSPs). This includes the Virtual Machine Monitor (VMM) that has been an internal part of VM guest’s TCB for decades. In recent years CPU vendors are coming forward with the technologies that make possible to support this changed threat model (AMD SEV, Intel TDX, etc.), but a lot of work also needs to be done on the VM guest SW stack to truly make this setup secure. This talk would present our efforts and methodology for hardening the mainline Linux kernel that can be used as a secure VM guest kernel. We will talk about the challenges we have faced, successful and failed approaches, as well as share some initial results. We also hope to start a discussion with the Linux community on how we all can work together to develop and integrate these hardening measures into the general practices for all involved components of the Linux guest SW stack.

Speakers
avatar for Elena Reshetova

Elena Reshetova

Security architect, Intel
Elena Reshetova is a security architect and researcher at Intel working on various Linux security projects. Her current research interests evolve around Linux kernel hardening for the confidential cloud computing.



Wednesday September 29, 2021 9:50am - 10:35am PDT
Room 402 - Chiliwack
  Refereed Presentation
  • Talk Type Virtual
  • Presentation Slides Attached Yes

11:05am PDT

(VIRTUAL) Deep Dive into Landlock Internals - Mickaël Salaün, Microsoft
Landlock is the first Mandatory Access Control available to unprivileged processes on Linux. It is available since Linux 5.13, which enables all applications to sandbox themselves. Landlock development started 5 years ago, and multiple approaches were tried (e.g. extending seccomp, using eBPF) before picking the good one. This talk first explains the goal of Landlock and the related consequences. This will enable to explain the kernel implementation constraints, the choices that led to the current design, and the potential and limits of the current and future features. More information about Landlock can be found on the official website: https://landlock.io

Speakers
avatar for Mickaël Salaün

Mickaël Salaün

Senior Software Engineer, Microsoft
Mickaël Salaün is a security researcher, software developer and open source enthusiast. He is mostly interested in Linux-based operating systems, especially from a security point of view. He has built security sandboxes before hacking into the kernel on a new LSM called Landlock... Read More →



Wednesday September 29, 2021 11:05am - 11:50am PDT
Room 402 - Chiliwack
  Refereed Presentation
  • Talk Type Virtual
  • Presentation Slides Attached Yes

11:50am PDT

(VIRTUAL) Hardware-Assisted Fine-Grained Control-Flow Integrity: Adding Lasers to Intel's CET/IBT - Joao Moreira, Intel
This talk presents FineIBT, a compiler-based enhancement that enables fine-grained forward-edge Control-Flow Integrity (CFI) policies on top of Intel's Control-flow Enforcement Technology (CET). By combining the new hardware features with compiler instrumentation, FineIBT anchors indirect control transfers to sanity checks, enabling policies more restrictive than those supported solely by CET and increasing its effectiveness against control-flow hijacking attacks. An evaluation through custom benchmarks shown that FineIBT provides similar security guarantees with less performance costs when compared to Clang CFI, retaining its penalty between 1% and 7% while the latter added overheads between 5% and 53%. Beyond that, FineIBT also has other perks, such as benefiting from the CET's hardening against transient execution attacks and not depending on Link-Time Optimizations. This talk will explore the FineIBT implementation recently sent to the kernel-hardening mailing list, then discuss specific scenarios, such as how it could be used in the Linux kernel, possible improvements and expected challenges. Technical reference: https://www.openwall.com/lists/kernel-hardening/2021/02/11/1

Speakers
avatar for Joao Moreira

Joao Moreira

Offensive Security Researcher, Intel
Joao is an Offensive Security Researcher at Intel. His research interests are mostly focused in compiler-enabled features and analyses, but he will normally be down to chat about anything that involves binaries. Joao holds a PhD from the University of Campinas, where he worked on... Read More →



Wednesday September 29, 2021 11:50am - 12:35pm PDT
Room 402 - Chiliwack
  Refereed Presentation
  • Talk Type Virtual
  • Presentation Slides Attached Yes

2:00pm PDT

(IN PERSON) AMD SEV-SNP Development Update - David Kaplan, Advanced Micro Devices & Brijesh Singh, SMTS
In 2019, AMD introduced SEV-SNP (Secure Nested Paging), the latest generation of AMD VM isolation technology designed for confidential computing. Now that SEV-SNP hardware is commercially available, AMD is focusing on upstream enablement of the various new security capabilities provided by this technology, including memory integrity protection, new attestation models, interrupt security, and more. In this talk, we will provide a brief overview of these new capabilities and the status of upstream enablement work in the Linux kernel, QEMU, and related projects. We’ll also discuss planned future areas of development and how anyone interested can get involved.

Speakers
avatar for David Kaplan

David Kaplan

Security Architect, Advanced Micro Devices
David Kaplan is a Fellow at AMD who focuses on developing new security technologies across the AMD product line as part of the Product Security Organization. He is the lead architect for the AMD encrypted virtualization features and has worked on both CPU and SOC level security features... Read More →
BS

Brijesh Singh

SMTS, Advanced Micro Devices
Brijesh Singh is a member of the Linux OS group at Advanced Micro Devices. He is responsible for enabling and enhancing support for AMD processor features in the Linux kernel. He is currently working on extending the SEV support to enable SEV-SNP (Secure Nested Paging).



Wednesday September 29, 2021 2:00pm - 2:45pm PDT
Room 402 - Chiliwack
  Refereed Presentation
 
Thursday, September 30
 

9:35am PDT

(VIRTUAL) Patatt: End-to-end Patch Cryptographic Attestation for Patches - Konstantin Ryabitsev, The Linux Foundation
The kernel, along with several other important projects, continue to use fully decentralized means of collaboration that is based on sending patches and code reviews via email. Existing end-to-end email attestation mechanisms, such as PGP/MIME or S/MIME, have important drawbacks that limit their usefulness when it comes to attesting structured content like patches. Patatt is a small library that adopts the DKIM standard to introduce end-to-end cryptographic signing of patches. When incorporated into maintainer tools like b4, it allows for full end-to-end attestation of code, as well as public keyring management via the git repository itself.

Speakers
avatar for Konstantin Ryabitsev

Konstantin Ryabitsev

Director, IT Projects, The Linux Foundation
Konstantin has been part of the IT management team behind kernel.org for the past 10 years. Part of his duties has been to help improve maintainer tooling and the end-to-end security of the development workflow behind the Linux kernel.



Thursday September 30, 2021 9:35am - 10:05am PDT
Room 402 - Chiliwack
  Short Topic
  • Talk Type Virtual
  • Presentation Slides Attached Yes

11:05am PDT

(VIRTUAL) Where do Security and Safety Meet? - Elana Copperman, Mobileye/Intel
System security and safety have common goals, yet often follow divergent development paths. We are taking a look at the Linux kernel configuration features, many of which were originally designed for security, which can be used to enable safety critical applications. In this talk, we will give an overview of our recent work researching existing kernel features important to enable safety critical applications. The kernel configurations are mapped onto Common Weakness Enumerations, but more significantly we demonstrate how they are specifically relevant to support basic safety features such as kernel memory or avoiding race conditions. The work is in the context of ELISA (https://elisa.tech), striving to promote the acceptance of Linux in industries such as avionics, medical devices, and automotive, for which safety is an essential requirement. Our goal is to discuss our work with the Linux kernel developers engaged in the Linux Self-Protection Project and others interested in this area.

Speakers
avatar for Elana Copperman

Elana Copperman

System Architect, Mobileye
Elana Copperman, PhD is a System Software Architect at Mobileye (until recently, part of Intel). She provides support for designing safety features in Mobileye products, including system boot, drivers, and Linux infrastructure. Before working at Mobileye, she worked as a Security... Read More →



Thursday September 30, 2021 11:05am - 11:50am PDT
Room 402 - Chiliwack
  Refereed Presentation
  • Talk Type Virtual
  • Presentation Slides Attached Yes

2:00pm PDT

(VIRTUAL) /dev/random - A New Approach - Stephan Mueller, atsec information security GmbH
A new approach for providing a /dev/random implementation is publicly available with the LRNG implementation and sent to the Linux kernel community for review. This new implementation provides the following benefits: * Sole use of contemporary cryptographic algorithms for data processing * Significant performance gains in performance critical interrupt handler * Availability of test interfaces allowing all execution steps to be validated including extracting of raw noise for entropy assessments * Flexible configuration including runtime-replacement of cryptographic components for crypto-agility * Clean design of combining multiple entropy sources With its API and ABI compliant interfaces to the existing /dev/random implementation the LRNG can be used as a drop-in replacement. The presentation is intended to introduce the different aspects of the LRNG and explain how the LRNG integrates with the Linux kernel. The goal is to allow peer kernel developers to understand the LRNG. The presentation also provides suggestions on how the LRNG may be integrated into the mainline kernel.

Speakers
SM

Stephan Mueller

Consultant, atsec information security GmbH
Stephan Mueller works in the field of IT security for more than 20 years with atsec. The tasks mainly revolve around supporting vendors and developers to successfully perform various types of validations including FIPS 140-2. In addition, assessments of cryptographic implementations... Read More →



Thursday September 30, 2021 2:00pm - 2:45pm PDT
Room 402 - Chiliwack
  Refereed Presentation
  • Talk Type Virtual
  • Presentation Slides Attached Yes
 
Friday, October 1
 

9:05am PDT

(VIRTUAL) Mitigating Linux Kernel Memory Corruptions with ARM Memory Tagging - Andrey Konovalov, xairy.io
Memory Tagging Extension (MTE) is an ARM v8.5 feature that enables hardware-assisted validation of the correctness of memory accesses. In a nutshell, MTE allows assigning tags to memory allocations, as well as to pointers that refer to those allocations. When a pointer is accessed, the CPU performs a validity check that ensures that the memory tag matches the pointer tag. As of now, MTE is integrated into the Linux kernel. It is available in both mainline and the Android common kernels. This talk focuses on the way MTE is used to assert the validity of kernel memory accesses. The talk describes the current state of the newly added Hardware Tag-Based KASAN mode and its planned improvements.

Speakers
AK

Andrey Konovalov

Security Engineer, xairy.io
Andrey Konovalov is a security engineer focusing on the Linux kernel. Andrey is a contributor to several security-related Linux kernel subsystems and tools: KASAN — a bug detector and a security mitigation, KCOV — a coverage collection subsystem, and syzkaller — a production-grade... Read More →



Friday October 1, 2021 9:05am - 9:50am PDT
Room 402 - Chiliwack
  Refereed Presentation
  • Talk Type Virtual
  • Presentation Slides Attached Yes
 
  • Timezone
  • Filter By Date Linux Security Summit 2021 Sep 29 -Oct 1, 2021
  • Filter By Venue Seattle, WA, USA
  • Filter By Type
  • Breaks & Networking
  • General Sessions
  • Refereed Presentation
  • Short Topic
  • Talk Type
  • Presentation Slides Attached

Filter sessions
Apply filters to sessions.