The Kernel Lockdown feature that was merged in Linux 5.4 is designed to prevent both direct and indirect access to a running kernel image, attempting to protect against unauthorized modification of the kernel image and to prevent access to security and cryptographic data located in kernel memory, whilst still …
Due to the security features that Linux offers, like booting directly into a read-only filesystem and making filesystems read-only at runtime for apps and containers, some attacks have been using what is known as "fileless binary execution" to avoid such protections and gain the ability to execute binaries …
At the eBPF Summit 2021, I gave a talk about how to take advantage of eBPF to try to bridge some cloud and IoT security features. My talk can be found here: BPF to bridge Cloud and IoT Linux Security on YouTube. All eBPF Summit 2021 talks are here: eBPF Summit 2021 YouTube channel
Some friends pinged me about a GitHub post that lists open source projects used in space, more precisely within the Mars Ingenuity mission. The GitHub post is here: Open source goes to Mars
All Systems Go! Conference - Modern Deployment for Embedded Linux and IoT Talk
The userspace Linux conference All Systems Go! 2017 videos and talks are now available online. My talk "Modern Deployment for Embedded Linux and IoT" is available here: Video - Slides. All video talks are here
TL;DR: The Linux kernel procfs suffers from a historical design that prevents having multiple separate procfs instances inside the same PID namespace. All the mounts are a mirror of the internal one. This blocks development of Linux containers, sandboxes, and other security-related features. Patch solution: PATCH RFC …
TL;DR: Currently, an explicit call to load or unload kernel modules requires the CAP_SYS_MODULE capability. However, unprivileged users have always been able to load some modules using the implicit auto-load operation. Automatic module loading happens when programs request a kernel feature from a module that is not …
TL;DR: In the Linux kernel, as part of the Kernel Self Protection Project, we are pushing for new lightweight security mechanisms. On top of that, in systemd we are implementing new lightweight container mechanisms that target Embedded Linux and IoT. Our goal is to make it easy to deploy secure Embedded Linux and IoT …
Sandboxing IoT apps using lightweight containers is an important step for Linux-based IoT devices: it reduces the exposure from misconfiguration, bugs, or vulnerability exploitation. As a simple example, the BrickerBot and similar worms did not use complex 0-day exploits. They used simple attack vectors like …
Just to share that Linux /proc/pid/environ suffers from bugs, referenced and fixed here: proc: /proc//environ offset fixes, that can be considered vulnerabilities. The fixes are in mainline now. The PoC to dump the exec area can be found here: http://lkml.org/lkml/2012/7/22/163 Linux procfs suffers from other …