SlideShare ist ein Scribd-Unternehmen logo

Platform Security Presentation

Tyson Key
Tyson Key
Technologie
1 von 3
Downloaden Sie, um offline zu lesen
i9 Platform Security Microkernel-based design, with strictly enforced Messagebus and server architecture ensures that the core of the system is stable, and will not fall over if a component (e.g. a driver or a component of the network stack) fails for some reason The entire system as provided by the i9 Project is provided as Open Source (naturally, this doesn't always extend to things that the user installs), and does not contain any binary-only components quot;out of the boxquot; Deep instrumentation and visibility throughout the system, with full access for users and developers, and no hidden ways of preventing a process from being instrumented (as happened with Apple's DTrace port and QuickTime/iTunes, to the disgust of many) Only One Way to do IPC throughout the system - through the system Messagebus and a transparent API/ABI quot;Trapquot; specific to each IPC type (e.g. D-BUS and System V IPC) All drivers, and components non-critical to the functionality of the kernel are implemented as Servers in userland (e.g FSServer, and NetServer), with connectivity via the Messagebus to the kernel Although it is possible to view the raw contents of RAM (via /dev/mem), it is not possible for any process other than the Microkernel (including those owned by 'root') to write directly to it Additionally, it is not possible to patch raw areas of RAM from within the userland (so folks looking to hook in to implement DRM, or some form of malware should go elsewhere, although they wouldn't have much success) Most importantly, these measures are not intended to be obnoxious or annoying to developers and end users, a security panacea/be-all-end-all (although that applies equally to every system), or there to enable the implementation of DRM systems or other restrictive technologies, or even to prevent some form of malicious software to be written and executed (and yes, we realize that there are probably ways to circumvent this stuff) 5th May 2008 http://i9.house404.co.uk
Granular Process Control Granular Process Control is a system for restricting the usage of processes and System Servers from boot time, either across the whole system, or only for specific user accounts They can be used in conjunction with POSIX Personality permissions/ACLs, and the security features of other Personalities, or on their own, depending on the desired effect, and remain in effect, even if a user elevates to an account with higher privileges (e.g. by using su or sudo) or switches the active shell Personality They can also used to reinforce the settings in /etc/personalities It can be configured by modifying the commented configuration files in /etc/boot/processcontrol, or potentially by using an LDAP or NIS server record (you could create a fancy CLI or GUI tool for this, and upload it to i9Forge ;) ) There are a number of use cases for this (including, but not limited to these): Restricting or disabling use of external storage devices on corporate systems, to decrease the chances of users leaking confidential information Disabling non-essential system components, to reduce the potential attack surface, or to decrease the system resource footprint Providing remote-access systems with restricted network functionality (e.g. a system for compiling source code uploaded with FTP and providing the user with access to the resulting product, without allowing the system to be used for access to other systems external to it) Use in conjunction with a firewall (e.g. iptables) to prevent users from opening certain inbound or outbound IP ports, or launching executables that listen on them (e.g. SMTP daemons) to prevent a system being used as a spam relay 5th May 2008 http://i9.house404.co.uk
The Big Picture See below for a rough diagram of how this stuff fits into the system: (Disclaimer: This does not show every possible component, or how every single component integrates into the system) Support for the somewhat controversial Trusted Platform Module (TPM) cryptoprocessor and certificate storage module is not currently planned, and the position it would have within the i9 Platform Security Framework is unknown. EnforceGPC SecurityFramework Microkernel Messagebus PersonalityServer FSServer Personalities User Processes NetServer Other Servers 5th May 2008 http://i9.house404.co.uk

Empfohlen

Security features of fedora
Security features of fedoraSecurity features of fedora
Security features of fedoraBadrul Alam
 
Operating system vulnerability and control
Operating system vulnerability and control Operating system vulnerability and control
Operating system vulnerability and control أحلام انصارى
 
Windows server2008
Windows server2008Windows server2008
Windows server2008jaimeccanto
 
Pentesting with linux
Pentesting with linuxPentesting with linux
Pentesting with linuxHammad Ahmed Khawaja
 
Linux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesLinux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesInformation Technology
 
FOSDEM'08: TOMOYO Linux for Secure Embedded
FOSDEM'08: TOMOYO Linux for Secure EmbeddedFOSDEM'08: TOMOYO Linux for Secure Embedded
FOSDEM'08: TOMOYO Linux for Secure EmbeddedToshiharu Harada, Ph.D
 
Windows Defense101
Windows Defense101Windows Defense101
Windows Defense101NickAlholinna
 
Directions in SELinux Networking
Directions in SELinux NetworkingDirections in SELinux Networking
Directions in SELinux NetworkingJames Morris
 

Empfohlen

Security features of fedora
Security features of fedoraSecurity features of fedora
Security features of fedoraBadrul Alam
 
Operating system vulnerability and control
Operating system vulnerability and control Operating system vulnerability and control
Operating system vulnerability and control أحلام انصارى
 
Windows server2008
Windows server2008Windows server2008
Windows server2008jaimeccanto
 
Pentesting with linux
Pentesting with linuxPentesting with linux
Pentesting with linuxHammad Ahmed Khawaja
 
Linux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesLinux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesInformation Technology
 
FOSDEM'08: TOMOYO Linux for Secure Embedded
FOSDEM'08: TOMOYO Linux for Secure EmbeddedFOSDEM'08: TOMOYO Linux for Secure Embedded
FOSDEM'08: TOMOYO Linux for Secure EmbeddedToshiharu Harada, Ph.D
 
Windows Defense101
Windows Defense101Windows Defense101
Windows Defense101NickAlholinna
 
Directions in SELinux Networking
Directions in SELinux NetworkingDirections in SELinux Networking
Directions in SELinux NetworkingJames Morris
 
Selinux
SelinuxSelinux
SelinuxAnkit Raj
 
Linux security firewall and SELinux
Linux security firewall and SELinuxLinux security firewall and SELinux
Linux security firewall and SELinuxSreenatha Reddy K R
 
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...James Morris
 
Basic Linux Security
Basic Linux SecurityBasic Linux Security
Basic Linux Securitypankaj009
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009James Morris
 
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsLinux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsJames Morris
 
Operating system security (a brief)
Operating system security (a brief)Operating system security (a brief)
Operating system security (a brief)cnokia
 
Unified threat management software 21 july 17
Unified threat management software 21 july 17Unified threat management software 21 july 17
Unified threat management software 21 july 17Yabibo
 
Unified threat management software 15 july 17
Unified threat management software 15 july 17Unified threat management software 15 july 17
Unified threat management software 15 july 17Yabibo
 
Institutional IT Security
Institutional IT SecurityInstitutional IT Security
Institutional IT SecurityCRISIL Limited
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxAmitesh Bharti
 
Session 11 Tp 11
Session 11 Tp 11Session 11 Tp 11
Session 11 Tp 11githe26200
 
Os security issues
Os security issuesOs security issues
Os security issuesJOLLUSUDARSHANREDDY
 
Ece seminar 20070927
Ece seminar 20070927Ece seminar 20070927
Ece seminar 20070927Todd Deshane
 
Security Enhanced Linux Overview
Security Enhanced Linux OverviewSecurity Enhanced Linux Overview
Security Enhanced Linux OverviewEmre Can Kucukoglu
 
Hardening Database Server
Hardening Database ServerHardening Database Server
Hardening Database ServerFahri Firdausillah
 
English Week14
English Week14English Week14
English Week14s1160202
 
Cs seminar 20070426
Cs seminar 20070426Cs seminar 20070426
Cs seminar 20070426Todd Deshane
 
Unix Security
Unix SecurityUnix Security
Unix Securityreplay21
 
Louis armstrong
Louis armstrongLouis armstrong
Louis armstrongfilipj2000
 
Statie meteo in alpi
Statie meteo in alpiStatie meteo in alpi
Statie meteo in alpifilipj2000
 
Andalusia
AndalusiaAndalusia
Andalusiafilipj2000
 

Weitere ähnliche Inhalte

Was ist angesagt?

Linux security firewall and SELinux
Linux security firewall and SELinuxLinux security firewall and SELinux
Linux security firewall and SELinuxSreenatha Reddy K R
 
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...James Morris
 
Basic Linux Security
Basic Linux SecurityBasic Linux Security
Basic Linux Securitypankaj009
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009James Morris
 
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsLinux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsJames Morris
 
Operating system security (a brief)
Operating system security (a brief)Operating system security (a brief)
Operating system security (a brief)cnokia
 
Unified threat management software 21 july 17
Unified threat management software 21 july 17Unified threat management software 21 july 17
Unified threat management software 21 july 17Yabibo
 
Unified threat management software 15 july 17
Unified threat management software 15 july 17Unified threat management software 15 july 17
Unified threat management software 15 july 17Yabibo
 
Institutional IT Security
Institutional IT SecurityInstitutional IT Security
Institutional IT SecurityCRISIL Limited
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxAmitesh Bharti
 
Session 11 Tp 11
Session 11 Tp 11Session 11 Tp 11
Session 11 Tp 11githe26200
 
Ece seminar 20070927
Ece seminar 20070927Ece seminar 20070927
Ece seminar 20070927Todd Deshane
 
Security Enhanced Linux Overview
Security Enhanced Linux OverviewSecurity Enhanced Linux Overview
Security Enhanced Linux OverviewEmre Can Kucukoglu
 
English Week14
English Week14English Week14
English Week14s1160202
 
Cs seminar 20070426
Cs seminar 20070426Cs seminar 20070426
Cs seminar 20070426Todd Deshane
 
Unix Security
Unix SecurityUnix Security
Unix Securityreplay21
 

Was ist angesagt? (19)

Selinux
SelinuxSelinux
Selinux
 
Linux security firewall and SELinux
Linux security firewall and SELinuxLinux security firewall and SELinux
Linux security firewall and SELinux
 
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
 
Basic Linux Security
Basic Linux SecurityBasic Linux Security
Basic Linux Security
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009
 
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsLinux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
 
Operating system security (a brief)
Operating system security (a brief)Operating system security (a brief)
Operating system security (a brief)
 
Unified threat management software 21 july 17
Unified threat management software 21 july 17Unified threat management software 21 july 17
Unified threat management software 21 july 17
 
Unified threat management software 15 july 17
Unified threat management software 15 july 17Unified threat management software 15 july 17
Unified threat management software 15 july 17
 
Institutional IT Security
Institutional IT SecurityInstitutional IT Security
Institutional IT Security
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in Linux
 
Session 11 Tp 11
Session 11 Tp 11Session 11 Tp 11
Session 11 Tp 11
 
Os security issues
Os security issuesOs security issues
Os security issues
 
Ece seminar 20070927
Ece seminar 20070927Ece seminar 20070927
Ece seminar 20070927
 
Security Enhanced Linux Overview
Security Enhanced Linux OverviewSecurity Enhanced Linux Overview
Security Enhanced Linux Overview
 
Hardening Database Server
Hardening Database ServerHardening Database Server
Hardening Database Server
 
English Week14
English Week14English Week14
English Week14
 
Cs seminar 20070426
Cs seminar 20070426Cs seminar 20070426
Cs seminar 20070426
 
Unix Security
Unix SecurityUnix Security
Unix Security
 

Andere mochten auch

Louis armstrong
Louis armstrongLouis armstrong
Louis armstrongfilipj2000
 
Statie meteo in alpi
Statie meteo in alpiStatie meteo in alpi
Statie meteo in alpifilipj2000
 
English Value Prop Tx Spain Z02
English Value Prop Tx Spain Z02English Value Prop Tx Spain Z02
English Value Prop Tx Spain Z02Carlos Etxeberria
 
Best pictures-of-the-year-1196405949343956-3
Best pictures-of-the-year-1196405949343956-3Best pictures-of-the-year-1196405949343956-3
Best pictures-of-the-year-1196405949343956-3filipj2000
 
Ki cuba-2007 dg
Ki cuba-2007 dgKi cuba-2007 dg
Ki cuba-2007 dgfilipj2000
 
αεροδρομια
αεροδρομιααεροδρομια
αεροδρομιαfilipj2000
 
Noches griegas
Noches griegasNoches griegas
Noches griegasfilipj2000
 
The beautyofnight
The beautyofnightThe beautyofnight
The beautyofnightfilipj2000
 
G.v.blue train s.africa
G.v.blue train s.africaG.v.blue train s.africa
G.v.blue train s.africafilipj2000
 
alpy panorama
alpy panorama alpy panorama
alpy panoramafilipj2000
 

Andere mochten auch (20)

Louis armstrong
Louis armstrongLouis armstrong
Louis armstrong
 
Statie meteo in alpi
Statie meteo in alpiStatie meteo in alpi
Statie meteo in alpi
 
Andalusia
AndalusiaAndalusia
Andalusia
 
Antarctic
AntarcticAntarctic
Antarctic
 
Machu picchu
Machu picchuMachu picchu
Machu picchu
 
China 60
China 60China 60
China 60
 
Alsacefrance
AlsacefranceAlsacefrance
Alsacefrance
 
English Value Prop Tx Spain Z02
English Value Prop Tx Spain Z02English Value Prop Tx Spain Z02
English Value Prop Tx Spain Z02
 
Best pictures-of-the-year-1196405949343956-3
Best pictures-of-the-year-1196405949343956-3Best pictures-of-the-year-1196405949343956-3
Best pictures-of-the-year-1196405949343956-3
 
People scenes
People scenesPeople scenes
People scenes
 
navidad
navidadnavidad
navidad
 
Ki cuba-2007 dg
Ki cuba-2007 dgKi cuba-2007 dg
Ki cuba-2007 dg
 
αεροδρομια
αεροδρομιααεροδρομια
αεροδρομια
 
Loboda
LobodaLoboda
Loboda
 
Noches griegas
Noches griegasNoches griegas
Noches griegas
 
The beautyofnight
The beautyofnightThe beautyofnight
The beautyofnight
 
G.v.blue train s.africa
G.v.blue train s.africaG.v.blue train s.africa
G.v.blue train s.africa
 
alpy panorama
alpy panorama alpy panorama
alpy panorama
 
Norveg fiords
Norveg fiordsNorveg fiords
Norveg fiords
 
Landmarks
LandmarksLandmarks
Landmarks
 

Ähnlich wie Platform Security Presentation

James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara Portfolio 2014 - InfoSec White Paper- Part 5James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara Portfolio 2014 - InfoSec White Paper- Part 5James Jara
 
2600 v03 n02 (february 1986)
2600 v03 n02 (february 1986)2600 v03 n02 (february 1986)
2600 v03 n02 (february 1986)Felipe Prado
 
Remote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxRemote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxGiuseppe Paterno'
 
Breaking hardware enforced security with hypervisors
Breaking hardware enforced security with hypervisorsBreaking hardware enforced security with hypervisors
Breaking hardware enforced security with hypervisorsPriyanka Aash
 
Study notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security PractitionerStudy notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security PractitionerDavid Sweigert
 
Chapter 09
Chapter 09Chapter 09
Chapter 09cclay3
 
Building Toward an Open and Extensible Autonomous Computing Platform Utilizi...
Building Toward an Open and Extensible Autonomous Computing Platform Utilizi...Building Toward an Open and Extensible Autonomous Computing Platform Utilizi...
Building Toward an Open and Extensible Autonomous Computing Platform Utilizi...Phil Cryer
 
IBM Spectrum Scale Secure- Secure Data in Motion and Rest
IBM Spectrum Scale Secure- Secure Data in Motion and RestIBM Spectrum Scale Secure- Secure Data in Motion and Rest
IBM Spectrum Scale Secure- Secure Data in Motion and RestSandeep Patil
 
110006_perils_of_aging_emul_wp
110006_perils_of_aging_emul_wp110006_perils_of_aging_emul_wp
110006_perils_of_aging_emul_wpJessica Hirst
 
Unix Web servers and FireWall
Unix Web servers and FireWallUnix Web servers and FireWall
Unix Web servers and FireWallwebhostingguy
 
Unix Web servers and FireWall
Unix Web servers and FireWallUnix Web servers and FireWall
Unix Web servers and FireWallwebhostingguy
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security OverviewShawn Wells
 
Kernel security of Systems
Kernel security of SystemsKernel security of Systems
Kernel security of SystemsJamal Jamali
 
IRJET- Public Key Infrastructure (PKI) Understanding for Vxworks RTOS using A...
IRJET- Public Key Infrastructure (PKI) Understanding for Vxworks RTOS using A...IRJET- Public Key Infrastructure (PKI) Understanding for Vxworks RTOS using A...
IRJET- Public Key Infrastructure (PKI) Understanding for Vxworks RTOS using A...IRJET Journal
 
AIXpert - AIX Security expert
AIXpert - AIX Security expertAIXpert - AIX Security expert
AIXpert - AIX Security expertdlfrench
 
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)David Sweigert
 

Ähnlich wie Platform Security Presentation (20)

James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara Portfolio 2014 - InfoSec White Paper- Part 5James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara Portfolio 2014 - InfoSec White Paper- Part 5
 
2600 v03 n02 (february 1986)
2600 v03 n02 (february 1986)2600 v03 n02 (february 1986)
2600 v03 n02 (february 1986)
 
How We Protected Our Router
How We Protected Our RouterHow We Protected Our Router
How We Protected Our Router
 
Remote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxRemote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise Linux
 
Breaking hardware enforced security with hypervisors
Breaking hardware enforced security with hypervisorsBreaking hardware enforced security with hypervisors
Breaking hardware enforced security with hypervisors
 
Study notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security PractitionerStudy notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security Practitioner
 
Chapter 09
Chapter 09Chapter 09
Chapter 09
 
Building Toward an Open and Extensible Autonomous Computing Platform Utilizi...
Building Toward an Open and Extensible Autonomous Computing Platform Utilizi...Building Toward an Open and Extensible Autonomous Computing Platform Utilizi...
Building Toward an Open and Extensible Autonomous Computing Platform Utilizi...
 
Ch11
Ch11Ch11
Ch11
 
Ch11 system administration
Ch11 system administration Ch11 system administration
Ch11 system administration
 
IBM Spectrum Scale Secure- Secure Data in Motion and Rest
IBM Spectrum Scale Secure- Secure Data in Motion and RestIBM Spectrum Scale Secure- Secure Data in Motion and Rest
IBM Spectrum Scale Secure- Secure Data in Motion and Rest
 
110006_perils_of_aging_emul_wp
110006_perils_of_aging_emul_wp110006_perils_of_aging_emul_wp
110006_perils_of_aging_emul_wp
 
Unix Web servers and FireWall
Unix Web servers and FireWallUnix Web servers and FireWall
Unix Web servers and FireWall
 
Unix Web servers and FireWall
Unix Web servers and FireWallUnix Web servers and FireWall
Unix Web servers and FireWall
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
 
Kernel security of Systems
Kernel security of SystemsKernel security of Systems
Kernel security of Systems
 
IRJET- Public Key Infrastructure (PKI) Understanding for Vxworks RTOS using A...
IRJET- Public Key Infrastructure (PKI) Understanding for Vxworks RTOS using A...IRJET- Public Key Infrastructure (PKI) Understanding for Vxworks RTOS using A...
IRJET- Public Key Infrastructure (PKI) Understanding for Vxworks RTOS using A...
 
AIXpert - AIX Security expert
AIXpert - AIX Security expertAIXpert - AIX Security expert
AIXpert - AIX Security expert
 
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
 
Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger
Andrey Bogdanov, Dmitry Khovratovich, and Christian RechbergerAndrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger
Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger
 

Kürzlich hochgeladen

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 

Kürzlich hochgeladen (20)

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 

Platform Security Presentation

  • 1. i9 Platform Security Microkernel-based design, with strictly enforced Messagebus and server architecture ensures that the core of the system is stable, and will not fall over if a component (e.g. a driver or a component of the network stack) fails for some reason The entire system as provided by the i9 Project is provided as Open Source (naturally, this doesn't always extend to things that the user installs), and does not contain any binary-only components quot;out of the boxquot; Deep instrumentation and visibility throughout the system, with full access for users and developers, and no hidden ways of preventing a process from being instrumented (as happened with Apple's DTrace port and QuickTime/iTunes, to the disgust of many) Only One Way to do IPC throughout the system - through the system Messagebus and a transparent API/ABI quot;Trapquot; specific to each IPC type (e.g. D-BUS and System V IPC) All drivers, and components non-critical to the functionality of the kernel are implemented as Servers in userland (e.g FSServer, and NetServer), with connectivity via the Messagebus to the kernel Although it is possible to view the raw contents of RAM (via /dev/mem), it is not possible for any process other than the Microkernel (including those owned by 'root') to write directly to it Additionally, it is not possible to patch raw areas of RAM from within the userland (so folks looking to hook in to implement DRM, or some form of malware should go elsewhere, although they wouldn't have much success) Most importantly, these measures are not intended to be obnoxious or annoying to developers and end users, a security panacea/be-all-end-all (although that applies equally to every system), or there to enable the implementation of DRM systems or other restrictive technologies, or even to prevent some form of malicious software to be written and executed (and yes, we realize that there are probably ways to circumvent this stuff) 5th May 2008 http://i9.house404.co.uk
  • 2. Granular Process Control Granular Process Control is a system for restricting the usage of processes and System Servers from boot time, either across the whole system, or only for specific user accounts They can be used in conjunction with POSIX Personality permissions/ACLs, and the security features of other Personalities, or on their own, depending on the desired effect, and remain in effect, even if a user elevates to an account with higher privileges (e.g. by using su or sudo) or switches the active shell Personality They can also used to reinforce the settings in /etc/personalities It can be configured by modifying the commented configuration files in /etc/boot/processcontrol, or potentially by using an LDAP or NIS server record (you could create a fancy CLI or GUI tool for this, and upload it to i9Forge ;) ) There are a number of use cases for this (including, but not limited to these): Restricting or disabling use of external storage devices on corporate systems, to decrease the chances of users leaking confidential information Disabling non-essential system components, to reduce the potential attack surface, or to decrease the system resource footprint Providing remote-access systems with restricted network functionality (e.g. a system for compiling source code uploaded with FTP and providing the user with access to the resulting product, without allowing the system to be used for access to other systems external to it) Use in conjunction with a firewall (e.g. iptables) to prevent users from opening certain inbound or outbound IP ports, or launching executables that listen on them (e.g. SMTP daemons) to prevent a system being used as a spam relay 5th May 2008 http://i9.house404.co.uk
  • 3. The Big Picture See below for a rough diagram of how this stuff fits into the system: (Disclaimer: This does not show every possible component, or how every single component integrates into the system) Support for the somewhat controversial Trusted Platform Module (TPM) cryptoprocessor and certificate storage module is not currently planned, and the position it would have within the i9 Platform Security Framework is unknown. EnforceGPC SecurityFramework Microkernel Messagebus PersonalityServer FSServer Personalities User Processes NetServer Other Servers 5th May 2008 http://i9.house404.co.uk