August 27 - 28 - Vancouver, BC, Canada
Click for Information & Registration
Discussion Topics [clear filter]
Monday, August 27

4:20pm PDT

How to Safely Restrict Access to Files in a Programmatic Way with Landlock? - Mickaël Salaün, ANSSI
Mandatory Access Control is implemented in four major LSMs. They either identify a file with its inode attribute (SELinux and Smack) or with its path (AppArmor and Tomoyo). This techniques share a common drawback: they cannot safely be used from an unprivileged context. One of Landlock's goal is to tackle this problem with a new hybrid way to identify a file from a user-defined security policy.

After a brief recap of the main mechanisms used by Landlock (covered in LSS 2017), this talk highlight the constraints of applying an unprivileged access-control on files, what was the previous Landlock attempts, and how works the new way to programmatically describe a file access (cf. the eighth patch series of Landlock). We illustrate this with a demo of a dynamic access-control for end user. Finally, we discuss some drawbacks and how much it depends on the internal kernel implementation.

avatar for Mickaël Salaün

Mickaël Salaün

Senior Software Engineer, Microsoft
Mickaël Salaün is a security researcher and open source enthusiast. He is mostly interested in Linux-based operating systems, especially from a security point of view. He has built security sandboxes before hacking into the kernel on a new LSM called Landlock, of which he is now... Read More →

Monday August 27, 2018 4:20pm - 4:50pm PDT
Room 301
Tuesday, August 28

8:30am PDT

Life Behind the Tinfoil: A Look at Qubes and Copperhead - Konstantin Ryabitsev, The Linux Foundation
Konstantin Ryabitsev shares his day-to-day experience using QubesOS on his primary workstation and CopperheadOS on his smartphone. What are the impacts of using products promising higher security and higher privacy? How well do Qubes and Copperhead measure up to those promises? What kind of trade-offs are expected from someone coming from run-of-the-mill Linux and Android platforms? Are these trade-offs worth it?

avatar for Konstantin Ryabitsev

Konstantin Ryabitsev

Director, IT, The Linux Foundation
Konstantin has worked at the Linux Foundation over the past decade, providing both IT and security support to kernel.org and many other software projects. He lives in Montreal, Canada, with his wife, two children and several cats.

Tuesday August 28, 2018 8:30am - 9:10am PDT
Room 301
  Discussion Topics
  • Experience Level Any

12:00pm PDT

Proactive Software Defense against Side Channel Attacks - Kristen Accardi, Intel
Side channel attacks are here to stay. What can we do inside the operating system to proactively defend against them? This talk will walk through a few of the ideas that Intel’s Open Source Technology Center are developing to improve our resistance to side channel attacks as part of our new side channel defense project. We would also like to gather ideas from the rest of the community on what our top priorities for side channel defense for the Linux kernel should be.


Kristen Accardi

Security Architect, Intel
Kristen is a Security Architect for Intel’s Open Source Technology Center (OTC), focusing on the Linux kernel. Kristen has contributed to the Linux kernel for over 15 years in various different subsystems including PCI, SATA, ACPI, and Power Management. Kristen is currently leading... Read More →

Tuesday August 28, 2018 12:00pm - 12:30pm PDT
Room 301
  Discussion Topics
  • Experience Level Any

4:40pm PDT

Extending OpenPOWER Boot Security to Guests - George Wilson, IBM
The KVM and PowerVM guest environments are significantly different from the OpenPOWER host environment: the boot sequence is shorter, the firmware components are simpler, and the bootloader is entirely replaced. A secure boot design must accommodate the dissimilarities and, consequently, the solution for the OpenPOWER host is not directly applicable to guests. Yet, much as for the host case, existing open source elements can help solve the problem of booting guest OSs securely. This talk follows last year's OpenPOWER host secure boot talk and discusses possible design alternatives that reuse open source code to bring OS boot security improvements to KVM on OpenPOWER and PowerVM guests.

avatar for George Wilson

George Wilson

Security Architect and Development Team Lead, IBM's Linux Technology Center
George Wilson is a security architect and development team lead in IBM's Linux Technology Center. Since joining the LTC in 2004, he has led IBM's Linux security certification activities and development of open source security technology including key management, Trusted Computing... Read More →

Tuesday August 28, 2018 4:40pm - 5:10pm PDT
Room 301
Filter sessions
Apply filters to sessions.