Loading…
May 10-12 | Vancouver, British Columbia + Virtual
View More Details & Registration

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for Linux Security Summit North America 2023 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is automatically displayed in Pacific Daylight Time (PDT), UTC-7. To see the schedule in your preferred timezone, select from the drop-down menu to the right, above "Filter by Date." 

The schedule is subject to change.

Simple
Expanded
Grid
By Venue
Wednesday, May 10
 

7:30am PDT

Continental Breakfast
Wednesday May 10, 2023 7:30am - 9:00am PDT
Room 212-214
  Breaks & Networking

7:30am PDT

Zen Zone
All attendees may feel free to use the Zen Zone as needed for sensory relaxation, meditation and worship. It is a physical space where conversation and interaction are not allowed, where attendees can go if for any reason they can’t interact with other attendees at that time.
Wednesday May 10, 2023 7:30am - 6:00pm PDT
  Breaks & Networking

7:30am PDT

Registration & Badge Pick-up
Wednesday May 10, 2023 7:30am - 6:00pm PDT
West Level 1 - City Foyer
  Registration & Badge Pick-up

7:30am PDT

Coat & Bag Check
Wednesday May 10, 2023 7:30am - 7:30pm PDT
West Level 1 - Across Room 108
  Registration & Badge Pick-up

9:00am PDT

Welcome & Opening Remarks - James Morris, Microsoft
Speakers
avatar for James Morris

James Morris

Linux Kernel & Security Manager, Microsoft
James is the maintainer of the Linux security subsystem, and engineering manager at Microsoft.

Wednesday May 10, 2023 9:00am - 9:05am PDT
Room 212-214
  Opening / Closing Remarks

9:05am PDT

Verifiable End To End Secure OCI Native Machines - Serge Hallyn & Joy Latten, Cisco
How do you know the workload you've started really is running what you intended? This talk will present "project machine" - an end to end secure toolchain utilizing secure build, storage, distribution, and execution of container images, machine images, and machines, all using signed OCI images. Combining existing tools like cosign, dmverity, stacker and zot with new tools and concepts, project machine provides the following guarantees about a running host. First: if anything in firmware, shim, kernel, or the host or container filesystems, or host configuration has been modified, boot will not proceed. Second: if the firmware or UKI (kernel and initrd) have been tampered with, the host's LUKS keys and provisioned private (SUDI) key cannot be leaked. And third, building upon the previous: when beginning to communicate with a host, you can verify that the software stack it booted was the one you signed. Most of the new (and existing) pieces of this have been in internal use for some time. However the complete open source implementation, to which existing users will eventually move, is still under development. Therefore feedback from the community will be tremendously helpful.
Speakers
avatar for Serge Hallyn

Serge Hallyn

Principal Engineer, Cisco
Serge Hallyn is a principal engineer at Cisco. He took part in the early Linux Security Modules (LSM) work when he was a graduate student. He implemented several now defunct security modules, including DTE and bsdjail; was the second person to attempt to upstream a stacker module... Read More →
avatar for Joy Latten

Joy Latten

Software Engineer, Cisco
Member of the puzzleOS team at Cisco. Currently working on various security tasks for puzzleOS. Have worked on security projects in opensource for 18+ years.

Verifiable end to end secure OCI native machines pdf
Wednesday May 10, 2023 9:05am - 9:50am PDT
Room 212-214
  Refereed Presentations, Advanced
  • Session Slides Attached Yes

9:55am PDT

systemd and TPM2 - Lennart Poettering, Microsoft
systemd is the system and service manager of most contemporary Linux distributions. Recently it gained support for various TPM2-related features. In this talk we'll cover the existing ones, and those which will come next. Specifically: * TPM2 based disk unlocking * PCR hash and signed PCR policies * System and service credentials that encrypted/authenticated to TPM2 keys * systemd TPM2 logic for Confidential Computing * Measurement of system + file system identity and volume encryption keys * Pre-boot TPM2 hook-up in systemd-stub UEFI stub * Automatic enrollment to encrypted volumes to TPM2 at boot * Boot phases and PCR measurements * Reproducible and deterministic PCR measurements
Speakers
LP

Lennart Poettering

Principal Engineer, Microsoft
Lennart hacks on systemd.

systemd and TPM2 pdf
Wednesday May 10, 2023 9:55am - 10:40am PDT
Room 212-214
  Refereed Presentations, Advanced

10:40am PDT

Break & Networking
Wednesday May 10, 2023 10:40am - 11:10am PDT
Room 212-214
  Breaks & Networking

11:10am PDT

System Calls for the Linux Security Module Infrastructure - Casey Schaufler, The Smack Project
Linux security modules have traditionally provided special purpose filesystem interfaces for administration and process attribute manipulation. Applications may encounter problems when different security modules use different interfaces for what is essentially equivalent information. Worse yet, they have problems when the same interface is used for significantly different information. Efforts to address these issues while continuing to use filesystem interfaces instead highlighted these shortcomings. Rather than continue to fight with filesystem interfaces a new set of system calls are being introduced. This talk will describe the problems with the filesystem interfaces, the advantages of system calls, and the initial set of system calls being introduced. Some of the challenges encountered will be discussed. Implications for applications and future LSM directions will also be presented.
Speakers
avatar for Casey Schaufler

Casey Schaufler

Founder, The Smack Project
Casey Schaufler founded the Smack project in 2006 after an especially heated debate with the SELinux developers on a topic now long forgotten. He has been developing secure operating systems since the late 1980's, starting the system that became Trusted Solaris and architecting Trusted... Read More →

2023 05 LSSNA LSM syscalls pdf
Wednesday May 10, 2023 11:10am - 11:55am PDT
Room 212-214
  Refereed Presentations, Intermediate
  • Session Slides Attached Yes

12:00pm PDT

How to Backdoor the Linux Kernel (and fail?) - Konstantin Ryabitsev, The Linux Foundation
In this presentation, the author investigates possible venues for sneaking in a backdoor into a Linux kernel release. Should it be done during patch submission stage? Or is it easier to trick Linus into applying a bogus git pull request? Maybe replace a tarball on kernel.org? Or to wait until someone from the targeted company tries to download it? The author describes the steps that are already in place to ensure that these attacks are ineffective, and investigates the remaining weak links in the trust chain.
Speakers
avatar for Konstantin Ryabitsev

Konstantin Ryabitsev

Director, IT, The Linux Foundation
Konstantin has worked at the Linux Foundation over the past decade, providing both IT and security support to kernel.org and many other software projects. He lives in Montreal, Canada, with his wife, two children and several cats.

backdoor and fail pdf
Wednesday May 10, 2023 12:00pm - 12:30pm PDT
Room 212-214
  Short Topics, Intermediate

12:30pm PDT

Lunch (Attendees on Own)
Wednesday May 10, 2023 12:30pm - 2:00pm PDT
  Breaks & Networking

2:00pm PDT

HotBPF++: A More Powerful Memory Protection for the Linux Kernel - Zicheng Wang & Yueqi Chen, University of Colorado Boulder
The large time window between the disclosure and patching of kernel vulnerabilities leaves the system open for exploitation. In the LSS Europe 2022, we presented HotBPF designed against heap exploitation during this time window. While HotBPF received wide interest from industry leaders including Huawei and Meta, its capability is restricted to heap corruption without considering other error types. As such, we designed a more powerful protection - HotBPF++. It inherits all advantages that HotBPF has: automatic deployment, on-the-fly enabling, hardware-independence, and lightweight design. However, HotBPF++ goes beyond HotBPF by not only preventing corruptions in memory regions other than heap but also detecting the root cause of corruptions. In this talk, we will describe the core idea of HotBPF++. After this, we will delve into more details of protection policies already integrated into HotBPF++, which cover five most common errors that can be reported by state-of-the-art sanitizers. Finally, we will evaluate the performance/memory overhead and scalability of HotBPF++ using various benchmarks and demonstrate its security improvement using real-world vulnerabilities.
Speakers
ZW

Zicheng Wang

Professional Research Assistant, University of Colorado Boulder
Wang Zicheng is currently serving as a Research Assistant at the University of Colorado Boulder, he is also pursuing a Ph.D. in Computer Science at Nanjing University in China. With a deep interest in operating system security, Wang's ongoing research focuses on leveraging the power... Read More →
avatar for Yueqi Chen

Yueqi Chen

Assistant Professor, University of Colorado Boulder
Yueqi Chen is an Assistant Professor in the Department of Computer Science at CU Boulder. His research focuses on system security and software security. He is particularly interested in revolutionizing exploitation techniques, formalizing weird machine, and using outcomes of these... Read More →

HotBFP^LM^LM05010 pdf
Wednesday May 10, 2023 2:00pm - 2:45pm PDT
Room 212-214
  Refereed Presentations, Intermediate
  • Session Slides Attached Yes

2:50pm PDT

Controlling Script Execution - Mickaël Salaün, Microsoft
Linux can rely on several mechanisms to control executable code. However, scripts have always been a grey area because they are not directly executed by the kernel but by a user space interpreter. We propose a new way to control script execution, relying on the kernel to manage a global consistent execution policy. While it may be seen as a simple problem at first, we'll see the different use cases and challenges that led to the current implementation, going through the previous O_MAYEXEC open flag and the dedicated trusted_for syscall approaches.
Speakers
avatar for Mickaël Salaün

Mickaël Salaün

Senior Software Engineer, Microsoft
Mickaël Salaün is a security researcher and open source enthusiast. He is mostly interested in Linux-based operating systems, especially from a security point of view. He has built security sandboxes before hacking into the kernel on a new LSM called Landlock, of which he is now... Read More →

2023 05 10 LSS Script execution control pdf
Wednesday May 10, 2023 2:50pm - 3:35pm PDT
Room 212-214
  Refereed Presentations, Intermediate
  • Session Slides Attached Yes

3:35pm PDT

Break & Networking
Wednesday May 10, 2023 3:35pm - 4:05pm PDT
Room 212-214
  Breaks & Networking

4:05pm PDT

BoF Session: To Be Announced - In Person Attendees Welcome to Attend
Wednesday May 10, 2023 4:05pm - 5:05pm PDT
Room 212-214
  BoF Sessions
 
Thursday, May 11
 

8:00am PDT

Continental Breakfast
Thursday May 11, 2023 8:00am - 9:00am PDT
Room 212-214
  Breaks & Networking

8:00am PDT

Zen Zone
All attendees may feel free to use the Zen Zone as needed for sensory relaxation, meditation and worship. It is a physical space where conversation and interaction are not allowed, where attendees can go if for any reason they can’t interact with other attendees at that time.
Thursday May 11, 2023 8:00am - 6:00pm PDT
  Breaks & Networking

8:00am PDT

Registration & Badge Pick-up
Thursday May 11, 2023 8:00am - 6:00pm PDT
West Level 1 - City Foyer
  Registration & Badge Pick-up

8:00am PDT

Coat & Bag Check
Thursday May 11, 2023 8:00am - 7:00pm PDT
West Level 1 - Across Room 108
  Registration & Badge Pick-up

9:00am PDT

Welcome Back & Daily Announcements - James Morris, Microsoft
Speakers
avatar for James Morris

James Morris

Linux Kernel & Security Manager, Microsoft
James is the maintainer of the Linux security subsystem, and engineering manager at Microsoft.

Thursday May 11, 2023 9:00am - 9:05am PDT
Room 212-214
  Opening / Closing Remarks

9:05am PDT

MPK/PKS Linux Kernel Compartmentalization - Sebastian Österlund, Intel
Kernel exploitation through memory errors -- as well as transient execution attacks -- often rely on privileged gadgets in the kernel, which by design has access to all memory and devices on the machine. In this presentation, the design and implementation of a new kernel hardening strategy will be discussed which compartmentalizes the kernel by leveraging Intel Protection Keys for Supervisor (PKS). The goal of this security feature is to hinder possible gadgets in locations such as eBPF and third-party kernel modules from accessing arbitrary (and by extension sensitive) kernel data. By limiting memory accesses in these critical regions using PKS, we are able to significantly reduce the attack surface and provide a robust -- yet compatible and lightweight -- mitigation against a large class of vulnerabilities. Furthermore, the presentation will discuss how this design fits into the ongoing efforts of implementing Address-space Isolation (ASI).
Speakers
avatar for Sebastian Österlund

Sebastian Österlund

Offensive Security Researcher, Intel
Sebastian is an Offensive Security Researcher at Intel STORM/ SPEAR working on fuzzing, analysis of microcode, and enablement of new hardware security features. Before joining Intel, he was a PhD student in the Systems and Network Security Group (VUSec) at Vrije Universiteit Amsterdam... Read More →

Sebastian Osterlund LSS MPK PKS compartment pdf
Thursday May 11, 2023 9:05am - 9:50am PDT
Room 212-214
  Refereed Presentations, Intermediate
  • Session Slides Attached Yes

9:55am PDT

Enforcing Runtime Integrity with Maat - Jonathan Myers & Andrew Guinn, Johns Hopkins University Applied Physics Laboratory
This talk presents Maat, a tool for runtime integrity measurement and appraisal. While existing tools provide integrity measurement to account for kernel boot and kernel module loading, they do not detect or protect against unauthorized modifications or malware infections after system startup. Runtime integrity measurement and appraisal allows integrity check throughout the lifecycle of system execution. Maat is an open-source framework and tool that enables and provides runtime integrity measurement suitable for critical Linux systems, as well as general-purpose use on desktop or server Linux machines. This talk will cover the goals and challenges of runtime integrity measurement, including multi-layered measurement and appraisal of a running system including hypervisor, OS and userspace; the challenges of performing trustworthy measurement on a potentially compromised system; the design of Maat; and other practical use cases enabled by Maat.
Speakers
JM

Jonathan Myers

Computer Scientist, Johns Hopkins University Applied Physics Laboratory
Jonathan Myers has worked and published on challenging computer security problems as well as computationally challenging problems arising in the natural sciences. Currently at the Johns Hopkins University Applied Physics Laboratory (JHU/APL), he is a project manager and senior computer... Read More →
AG

Andrew Guinn

Computer Scientist, Johns Hopkins University Applied Physics Laboratory
Andrew Guinn is a computer scientist at Johns Hopkins University Applied Physics Laboratory (JHU/APL), working in a group specializing in a range of defensive security topics, including platform security and integrity, formal methods and verification of software, and static analysis... Read More →

LSS maat final pdf
Thursday May 11, 2023 9:55am - 10:40am PDT
Room 212-214
  Refereed Presentations, Intermediate

10:40am PDT

Break & Networking
Thursday May 11, 2023 10:40am - 11:10am PDT
Room 212-214
  Breaks & Networking

11:10am PDT

Heki: Hypervisor-Enforced Kernel Integrity for Linux with KVM - Mickaël Salaün, Microsoft
On common operating systems, one powerful way to bypass security policies is to exploit the kernel. Linux kernel vulnerabilities are common and exploited. Among other things, kernel self-protection mechanisms include control-register pinning and memory page protection restrictions that help harden systems. Unfortunately, none is bullet proof because they are implemented at the same level as the vulnerabilities they try to protect against. To get a more effective defense, we propose to move (or copy) some of these protection mechanisms out of the kernel thanks to virtualization. Our implementation is based on the Kernel-based Virtual Machine (KVM) hypervisor and designed to be merged with the mainline project. It is inspired from other private implementations currently in use (e.g. Windows's Virtual Secure Mode), but our approach is tailored to Linux specificities.
Speakers
avatar for Mickaël Salaün

Mickaël Salaün

Senior Software Engineer, Microsoft
Mickaël Salaün is a security researcher and open source enthusiast. He is mostly interested in Linux-based operating systems, especially from a security point of view. He has built security sandboxes before hacking into the kernel on a new LSM called Landlock, of which he is now... Read More →

2023 05 11 LSS Heki pdf
Thursday May 11, 2023 11:10am - 11:55am PDT
Room 212-214
  Refereed Presentations, Intermediate
  • Session Slides Attached Yes

12:00pm PDT

When Confidential Containers Meet Arm CCA - Jia He, Arm China
The goal of the CoCo short for Confidential Containers project is to standardize confidential computing at the container level that is Paas and simplify its consumption in Kubernetes. It leveraged TEE to protect container and data, with contributors from Arm, Alibaba, AMD, IBM, Intel, Redhat, Microsoft and others. Justin He will summarize what they have contributed for CoCo project, such as bringing up CoCo in the Arm FVP and attestation integration. 
Speakers
avatar for Jia He

Jia He

Principle Software Engineer, Arm China
Justin He is a Principal Software Engineer at Arm in the Opensource Software Ecosystem. He focuses on virtualization/container areas. He and his team will focus on the CoCo projects (short for Confidential Containers). CoCo is a CNCF sandbox open source project to enable cloud native... Read More →

LSS2023 Justin He when confidential containers meet arm cca pdf
Thursday May 11, 2023 12:00pm - 12:30pm PDT
Room 212-214
  Short Topics, Beginner
  • Session Slides Attached Yes

12:30pm PDT

Lunch (Attendees on Own)
Thursday May 11, 2023 12:30pm - 2:00pm PDT
  Breaks & Networking

2:00pm PDT

Building the Largest Working Set of Apparmor Profiles - Alexandre Pujol, The Collaboratory @TUDublin
This talk tells the story of how we build the largest working set of apparmor profiles. The default set of apparmor profiles in Linux is small. It makes Apparmor less useful to prevent thread. apparmor.d is a work in progress project that aims to provide a full set of profiles tailored for all major Linux distributions: Debian, Ubuntu, OpenSUSE, Archlinux and Ubuntu Core. It includes over 1400 profiles; together, they ensure that most Linux processes remain confined. In this talk, we will be going over the main challenges we faced while working on these profiles. The security architecture of the profiles. How did we select the program to confine and why? As there are over 50000 Linux packages, we need to carefully select the profiles to write. How we use integration testing that uses Go, some VM and hundreds of both manually created and automatically generated tests to ensure the profiles do not break your setup. The profiles, tooling and documentation for the project has been published at https://github.com/roddhjav/apparmor.d
Speakers
avatar for Alexandre Pujol

Alexandre Pujol

Security Researcher, The Collaboratory @TUDublin
Alexandre Pujol is a French security researcher at The Collaboratory @TUDublin. He is is graduated from a PhD Student in computer security & privacy in University College Dublin, Ireland. His area of work includes user privacy, secret management, and system security. He is the author... Read More →

apparmor.d LSS NA 2023 pdf
Thursday May 11, 2023 2:00pm - 2:45pm PDT
Room 212-214
  Refereed Presentations, Intermediate
  • Session Slides Attached Yes

2:50pm PDT

SyzDescribe: Principled, Automated, Static Generation of Syscall Descriptions for Kernel Drivers - Yu Hao, University of California, Riverside
Syzkaller has managed to find thousands of bugs in the Linux kernel. One necessary component of Syzkaller is a collection of syscall descriptions often provided by human experts. However, current syscall descriptions are largely written manually, which is both time-consuming and error-prone. It is especially challenging considering that there are many kernel drivers (for new hardware devices and beyond) that are continuously being developed and evolving over time. This talk presents a principled solution for generating syscall descriptions for Linux kernel drivers and the tool called SyzDescribe that has been tested for over hundreds of kernel drivers. The syscall descriptions produced by SyzDescribe are competitive to Syzkaller syscall descriptions, and much better than prior work (i.e., DIFUZE and KSG) in accuracy, fuzzing coverage and the number of crashes. SysDescribe finds 78 “bugs” in Syzkaller syscall descriptions. All the “bugs” have been reported to Syzkaller and all of them have been merged into Syzkaller‘s code. Besides, SyzDescribe recovers 154 syscall handlers for Pixel 6 kernel drivers and finds 18 crashes.
Speakers
avatar for Yu Hao

Yu Hao

Graduate Student Researcher, University of California, Riverside
Yu Hao is a Ph.D. candidate in computer science at UC Riverside, where he is conducting research under the supervision of Professor Zhiyun Qian. His research focuses on system security, particularly Linux kernel security. He is working on improving kernel fuzzing and analyzing the... Read More →

LSS NA 23 SyzDescribe pdf
Thursday May 11, 2023 2:50pm - 3:35pm PDT
Room 212-214
  Refereed Presentations, Beginner
  • Session Slides Attached Yes

3:35pm PDT

Break & Networking
Thursday May 11, 2023 3:35pm - 4:05pm PDT
Room 212-214
  Breaks & Networking

4:05pm PDT

BoF Session: To Be Announced - In Person Attendees Welcome to Attend
Thursday May 11, 2023 4:05pm - 5:05pm PDT
Room 212-214
  BoF Sessions
 
Friday, May 12
 

8:00am PDT

Continental Breakfast
Friday May 12, 2023 8:00am - 9:00am PDT
Room 212-214
  Breaks & Networking

8:00am PDT

Zen Zone
All attendees may feel free to use the Zen Zone as needed for sensory relaxation, meditation and worship. It is a physical space where conversation and interaction are not allowed, where attendees can go if for any reason they can’t interact with other attendees at that time.
Friday May 12, 2023 8:00am - 1:00pm PDT
  Breaks & Networking

8:00am PDT

Registration & Badge Pick-up
Friday May 12, 2023 8:00am - 1:00pm PDT
West Level 1 - City Foyer
  Registration & Badge Pick-up

8:00am PDT

Coat & Bag Check
Friday May 12, 2023 8:00am - 5:00pm PDT
West Level 1 - Across Room 108
  Registration & Badge Pick-up

9:00am PDT

Welcome Back & Daily Announcements - James Morris, Microsoft
Speakers
avatar for James Morris

James Morris

Linux Kernel & Security Manager, Microsoft
James is the maintainer of the Linux security subsystem, and engineering manager at Microsoft.

Friday May 12, 2023 9:00am - 9:05am PDT
Room 212-214
  Opening / Closing Remarks

9:05am PDT

Dynamic Key Managed PowerPC Guest Secure Boot - Sudhakar Kuppusamy & George Wilson, IBM's Linux Technology Center
Boot-level attacks can be silent and persistent. Malicious Grand Unified Bootloader (GRUB), GRUB modules, kernel, or kernel modules can subvert the entire OS every time it starts. Until recently, we have very few mechanisms to verify boot components for Power Logical Partitions (LPARs), one of that is static key solution. While a static key secure boot has been available in distros for over a year, it has proven to have a number of shortcomings. A new dynamic key secure boot has been proposed to improve Power secure boot, which includes using a new hypervisor Platform KeyStore to effect authenticated variables that are used to verify appended signatures on Power GRUB and kernels. This talk discusses the shortcomings of static key secure boot in Power LPARs, new mechanisms for dynamic key management, and proposes extending the GRUB Secure Boot Advanced Targeting (SBAT) concept into the kernel.
Speakers
avatar for Sudhakar Kuppusamy

Sudhakar Kuppusamy

Linux Security Engineer, IBM's Linux Technology Center
Sudhakar Kuppusamy is a Linux Security Engineer in IBM's Linux Technology Center, INDIA. Since joining the LTC in 2022, he has contributing on PowerPC Guest Secure Boot. Prior to the IBM LTC, He worked for 12+ years as software developer on various security products and IT industry... Read More →
avatar for George Wilson

George Wilson

Security Architect and Development Team Lead, IBM's Linux Technology Center
George Wilson is a security architect and development team lead in IBM's Linux Technology Center. Since joining the LTC in 2004, he has led IBM's Linux security certification activities and development of open source security technology including key management, Trusted Computing... Read More →

LSS 2023 Dynamic Key Guest Secure Boot v17 pdf
Friday May 12, 2023 9:05am - 9:50am PDT
Room 212-214
  Refereed Presentations, Any

9:55am PDT

Progress On Bounds Checking in C and the Linux Kernel - Kees Cook, Google & Gustavo A.R. Silva, The Linux Foundation
Linux, like all C code, regularly suffers from heap buffer overflow flaws. Especially frustrating is that the compiler usually has enough context to have been able to stop the overflow but has been hampered by needing to support legacy coding styles, ambiguous language definitions, and fragile APIs. This has forced the compiler to frequently ignore the intent of programmers in an effort to support sloppy code patterns that may not exist in a project at all.

The history of the C language specification's "flex array member" (FAM) is long and twisty, and technical debt exists due to ambiguous implementations. With the introduction of -fstrict-flex-arrays, C can now unambiguously declare array sizes. In the kernel we can build on this, by transforming trailing zero-length and one-element arrays into modern C99 FAMs, adding the use of __builtin_dynamic_object_size(), applying it to defenses like FORTIFY_SOURCE, and expanding where the compiler can use this knowledge internally for improving existing sanitizers. Finally, adding a new struct member attribute, we can expand object size tracking to cover all array types, freeing Linux from this persistent class of buffer overflows flaws.
Speakers
avatar for Kees Cook

Kees Cook

Kernel Security Software Engineer, Google
Kees Cook has been working with Free Software since 1994, has been a Debian Developer since 2007, and has been a member of the Linux Kernel Technical Advisory Board since 2019. He is currently employed as a Linux kernel security engineer by Google, focusing on upstream kernel security... Read More →
avatar for Gustavo A. R. Silva

Gustavo A. R. Silva

Upstream Linux Kernel Engineer, The Linux Foundation
Gustavo works full-time as an upstream Linux kernel Engineer, focused on security. Over the last years, he’s been hunting and fixing all sorts of bugs and issues all over the kernel tree. He is an active contributor to the Kernel Self-Protection Project and his work is supported... Read More →

Progress on Bounds Checking pdf
Friday May 12, 2023 9:55am - 10:40am PDT
Room 212-214
  Refereed Presentations

10:40am PDT

Break & Networking
Friday May 12, 2023 10:40am - 11:10am PDT
Room 212-214
  Breaks & Networking

11:10am PDT

SecurityPerf: A New Open-Source Framework for Benchmarking the Performance Impact of Linux Security Solutions - Austin James Gadient, Vali Cyber
In this session, Austin presents SecurityPerf. SecurityPerf is an open-source benchmarking framework for Linux security solutions. The session begins with a general overview of different benchmarking strategies, then shows how SecurityPerf provides insights into the performance impact of security solutions on real-world workloads. SecurityPerf’s benchmarks are all containerized, enabling them to run on any Linux infrastructure supporting containerization. By default, SecurityPerf provides benchmarks for loads run against Apache, MySQL, WordPress, MongoDB, and RabbitMQ services. SecurityPerf captures metrics including mean performance and standard deviation. After presenting SecurityPerf, Austin discusses results generated for three Linux security tools, the Linux Security Module Apparmor, the eBPF runtime security agent Falco, and the file scanner ClamAV. Austin uses the results to demonstrate where each solution exhibits performance overhead. Austin then discusses how these results can be leveraged to identify bottlenecks in security solutions and improve their performance. Austin concludes the presentation by explaining how community members can contribute to SecurityPerf.
Speakers
avatar for Austin James Gadient

Austin James Gadient

Chief Technology Officer, Vali Cyber
Austin Gadient is a co-founder of Vali Cyber where he serves as Vali’s Chief Technology Officer. Austin is the primary developer of Vali’s product, ZeroLock, a security solution for Linux systems. Austin is also the lead developer for SecurityPerf, an open-source benchmarking... Read More →

LSS Slides Final pdf
Friday May 12, 2023 11:10am - 11:55am PDT
Room 212-214
  Refereed Presentations, Intermediate
  • Session Slides Attached Yes

12:00pm PDT

Coupling Key-Ring and Linux Crypto-API Framework(LCF) via Crypto-Transformation(tfm) - Pankaj Gupta & Varun Sethi, NXP Semiconductor
Apart from the traditional cryptographic key attributes i.e. key length & key buffer, there are additional key attributes that can be provided by the user, for dictating the proper usage of the keys. The cryptographic keys must not be used if the associated conditions are not met. In the case of Linux, the “keyctl” command provides an interface to supply these attributes. . Since currently there is no connection between Kernel’s Crypto-API and keyring, the information regarding the proper key usage is unavailable to the crypto API. As a result, the proper usage of the key can't be enforced, thus potentially compromising the system state. After coupling the Crypto-API with keyring, the driver will get the additional key attributes, which can be validated by the Crypto-API driver. Once validated, only the permitted crypto operation will be performed. In this presentation we present a mechanism for linking crypto api with the keyring, such that the additional key attributes can be made available to the api. We will be covering this method in great detail during the presentation.
Speakers
avatar for Pankaj Gupta

Pankaj Gupta

Software architect, NXP Semiconductor
Pankaj Gupta is a software security architect in the NXP security technology center (STEC), part of the Secure Connected Edge(SCE) business group. He has over 19 years of experience in the IT industry He is actively contributing to the Linux kernel crypto subsystem. He is also the... Read More →
avatar for Varun Sethi

Varun Sethi

Senior engineering manager for the MPU Linux infrastructure security team, NXP Semiconductor
Varun Sethi is a senior engineering manager, leading the MPU Linux security infrastructure team in the security technology center at NXP's secure connected edge business group. He has more than 21 years of experience in the IT industry. Currently, he's focusing on security enablement... Read More →

LF PPT on coupling KRing and LCF pdf
Friday May 12, 2023 12:00pm - 12:45pm PDT
Room 212-214
  Refereed Presentations, Intermediate

12:45pm PDT

Lunch (Attendees on Own)
Friday May 12, 2023 12:45pm - 2:15pm PDT
  Breaks & Networking

2:15pm PDT

LSM Maintainers Panel - John Johansen, Canonical; Mickaël Salaün, Microsoft; Casey Schaufler, The Smack Project; Mimi Zohar, IBM and Moderated by Paul Moore, Microsoft Corporation
This panel will bring several LSM maintainers together on stage to discuss significant security developments in both the LSMs and the Linux Kernel from the past year, as well as work that is currently in development. Questions will be sourced from social media prior to the event and those in attendance will have an opportunity to ask questions live.
Speakers
avatar for John Johansen

John Johansen

Software Engineer, Canonical
John Johansen began working with open source software in the late 80s and began playing with Linux in 93. He completed a masters in mathematics at the University of Waterloo and the began working for Immunix doing compiler hardening, and then AppArmor. After Immunix was acquired by... Read More →
avatar for Mickaël Salaün

Mickaël Salaün

Senior Software Engineer, Microsoft
Mickaël Salaün is a security researcher and open source enthusiast. He is mostly interested in Linux-based operating systems, especially from a security point of view. He has built security sandboxes before hacking into the kernel on a new LSM called Landlock, of which he is now... Read More →
avatar for Casey Schaufler

Casey Schaufler

Founder, The Smack Project
Casey Schaufler founded the Smack project in 2006 after an especially heated debate with the SELinux developers on a topic now long forgotten. He has been developing secure operating systems since the late 1980's, starting the system that became Trusted Solaris and architecting Trusted... Read More →
avatar for Paul Moore

Paul Moore

Principal Software Engineer, Microsoft Corporation
Paul Moore has been involved in various Linux platform security efforts since 2004 at Hewlett-Packard, Red Hat, Cisco, and Microsoft. He currently maintains the Linux Security Module (LSM) layer as well as the SELinux, audit, and labeled networking subsystems in the Linux Kernel... Read More →
MZ

Mimi Zohar

Software Engineer, IBM
Mimi Zohar is a member of the Cloud and Systems Security Research group at the IBM T.J. Watson Research Center. Her current interests are in the areas of system security and integrity, a natural progression from prior work in firewall design for perimeter security. She is the linux-integrity... Read More →

Friday May 12, 2023 2:15pm - 3:00pm PDT
Room 212-214
  Refereed Presentations, Intermediate

3:00pm PDT

Closing Remarks - James Morris, Microsoft
Speakers
avatar for James Morris

James Morris

Linux Kernel & Security Manager, Microsoft
James is the maintainer of the Linux security subsystem, and engineering manager at Microsoft.

Friday May 12, 2023 3:00pm - 3:05pm PDT
Room 212-214
  Opening / Closing Remarks
 
  • Timezone
  • Filter By Date Linux Security Summit North America 2023 May 10 -12, 2023
  • Filter By Venue Vancouver Convention Centre West Building, Canada Place, Vancouver, BC, Canada
  • Filter By Type
  • BoF Sessions
  • Breaks & Networking
  • Opening / Closing Remarks
  • Refereed Presentations
  • Registration & Badge Pick-up
  • Short Topics
  • Session Slides Attached
Filter sessions
Apply filters to sessions.
Wednesday, May 10
Thursday, May 11
Friday, May 12
Room 212-214
West Level 1 - Across Room 108
West Level 1 - City Foyer
  • BoF Sessions
  • Breaks & Networking
  • Opening / Closing Remarks
  • Refereed Presentations
  • Registration & Badge Pick-up
  • Short Topics
  • Session Slides Attached
  • Yes