#linux landlock
mentalisttraceur-software · 1 year ago
Just noticed the new "Landlock" feature in Linux.
I haven't looked deeply enough to opine on design specifics, but from a birds-eye view: finally!
If you think about software security much, you know how frustrating it is that unprivileged processes have so few options for reducing their privileges even further.
And of course, only from inside the program can you get the most precise idea of how much you can limit your capabilities - just how little your logic needs.
So I really love seeing yet another step to the beautiful future where we can write programs that lock themselves down as much as possible.
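The post above is about processes restricting themselves from the inside. Here is an added, self-contained example of exactly that, written for this page rather than taken from the post or from the Landlock project: a Python script that calls the three Landlock system calls directly through ctypes (the landlock.io project ships a C API; this version uses the raw syscall numbers 444–446 and the bit values from the kernel's uapi header linux/landlock.h, which are the same on every architecture). It forks a child, has the child lock itself down to read-only access under one scratch directory and write-only access under another, and then reports which operations the kernel still allowed. The scratch tree and its sample file are constructed by the script. A kernel without Landlock (or a container whose seccomp profile filters the syscalls) is reported as ABI 0 rather than treated as an error, because a sandbox the program cannot verify it applied is a caveat worth surfacing, not hiding.

```python
import ctypes
import errno
import json
import os
import tempfile

# Bit values from uapi linux/landlock.h; syscall numbers from the unified table
# (444..446 on every architecture). ACCESS_FS entries above MAKE_SYM need a newer ABI.
LANDLOCK_CREATE_RULESET_VERSION = 1 << 0
LANDLOCK_RULE_PATH_BENEATH = 1
ACCESS_FS = {
    "EXECUTE": 1 << 0, "WRITE_FILE": 1 << 1, "READ_FILE": 1 << 2, "READ_DIR": 1 << 3,
    "REMOVE_DIR": 1 << 4, "REMOVE_FILE": 1 << 5, "MAKE_CHAR": 1 << 6, "MAKE_DIR": 1 << 7,
    "MAKE_REG": 1 << 8, "MAKE_SOCK": 1 << 9, "MAKE_FIFO": 1 << 10, "MAKE_BLOCK": 1 << 11,
    "MAKE_SYM": 1 << 12,  # ABI 1 ends here
    "REFER": 1 << 13,     # ABI 2
    "TRUNCATE": 1 << 14,  # ABI 3
}
ABI_MIN = {"REFER": 2, "TRUNCATE": 3}
SYS_landlock_create_ruleset, SYS_landlock_add_rule, SYS_landlock_restrict_self = 444, 445, 446
PR_SET_NO_NEW_PRIVS = 38

libc = ctypes.CDLL(None, use_errno=True)
libc.syscall.restype = ctypes.c_long


class RulesetAttr(ctypes.Structure):
    _fields_ = [("handled_access_fs", ctypes.c_uint64)]


class PathBeneathAttr(ctypes.Structure):
    _pack_ = 1  # the kernel declares this struct __attribute__((packed))
    _fields_ = [("allowed_access", ctypes.c_uint64), ("parent_fd", ctypes.c_int32)]


def _check(ret, what):
    if ret < 0:
        err = ctypes.get_errno()
        raise OSError(err, f"{what}: {os.strerror(err)}")
    return ret


def landlock_abi_version():
    """Kernel's Landlock ABI version, or 0 if Landlock is absent, disabled or filtered."""
    ret = libc.syscall(SYS_landlock_create_ruleset, None, 0, LANDLOCK_CREATE_RULESET_VERSION)
    return ret if ret > 0 else 0


def handled_fs_rights(abi):
    """Every file-system right this kernel knows: handling all of them means deny-by-default."""
    return sum(bit for name, bit in ACCESS_FS.items() if abi >= ABI_MIN.get(name, 1))


def restrict_self(rules):
    """Irreversibly sandbox the calling thread (and whatever it forks/execs later).
    rules is [(directory, allowed_bits), ...]; FS access not granted beneath one of
    those directories is denied with EACCES."""
    abi = landlock_abi_version()
    if abi == 0:
        raise OSError(errno.ENOSYS, "Landlock is not available on this kernel")
    handled = handled_fs_rights(abi)
    attr = RulesetAttr(handled_access_fs=handled)
    ruleset_fd = _check(libc.syscall(SYS_landlock_create_ruleset, ctypes.byref(attr),
                                     ctypes.c_size_t(ctypes.sizeof(attr)), 0),
                        "landlock_create_ruleset")
    try:
        for path, allowed in rules:
            parent_fd = os.open(path, os.O_PATH | os.O_CLOEXEC)
            try:
                # Bits the ruleset does not handle would make add_rule fail with EINVAL.
                rule = PathBeneathAttr(allowed_access=allowed & handled, parent_fd=parent_fd)
                _check(libc.syscall(SYS_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
                                    ctypes.byref(rule), 0), "landlock_add_rule")
            finally:
                os.close(parent_fd)
        # Mandatory for unprivileged callers; also closes the setuid escape hatch.
        _check(libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0), "prctl(PR_SET_NO_NEW_PRIVS)")
        _check(libc.syscall(SYS_landlock_restrict_self, ruleset_fd, 0), "landlock_restrict_self")
    finally:
        os.close(ruleset_fd)


def _allowed(fn):
    try:
        fn()
        return True
    except PermissionError:  # EACCES: denied by Landlock
        return False


def probe_sandbox():
    """Fork a child that locks itself to read-only under ro/ and write-only under out/,
    then report what the kernel allowed. {'abi': 0} means the kernel has no Landlock."""
    abi = landlock_abi_version()
    if abi == 0:
        return {"abi": 0}
    root = tempfile.mkdtemp()  # constructed scratch tree
    ro, out = os.path.join(root, "ro"), os.path.join(root, "out")
    os.mkdir(ro)
    os.mkdir(out)
    with open(os.path.join(ro, "data.txt"), "w") as f:
        f.write("sample input\n")
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:
        os.close(rfd)
        try:
            restrict_self([
                (ro, ACCESS_FS["READ_FILE"] | ACCESS_FS["READ_DIR"]),
                (out, ACCESS_FS["WRITE_FILE"] | ACCESS_FS["MAKE_REG"] | ACCESS_FS["TRUNCATE"]),
            ])
            report = {
                "abi": abi,
                "read_ro": _allowed(lambda: open(os.path.join(ro, "data.txt")).close()),
                "write_ro": _allowed(lambda: open(os.path.join(ro, "new.txt"), "w").close()),
                "write_out": _allowed(lambda: open(os.path.join(out, "log.txt"), "w").close()),
                "list_root": _allowed(lambda: os.listdir(root)),
            }
        except OSError as e:
            report = {"abi": abi, "error": str(e)}
        os.write(wfd, json.dumps(report).encode())
        os._exit(0)
    os.close(wfd)
    chunks = []
    while chunk := os.read(rfd, 4096):
        chunks.append(chunk)
    os.close(rfd)
    os.waitpid(pid, 0)
    return json.loads(b"".join(chunks))


if __name__ == "__main__":
    print(probe_sandbox())
```

Run it as an ordinary user on a 5.13+ kernel and the report shows read_ro and write_out as true, write_ro and list_root as false: the child could still open what it was granted but could neither create a file in the read-only tree nor list the parent directory, and it had no way to undo that. Two details matter in practice: the ruleset handles every right the running kernel supports (so nothing is allowed by omission on a newer kernel), and the rule bits are masked to the handled set, because landlock_add_rule rejects bits the ruleset does not handle.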
ericvanderburg · 3 months ago
'Landrun': Lightweight Linux Sandboxing With Landlock, No Root Required
http://i.securitythinkingcap.com/TJzT6L
hackernewsrobot · 3 months ago
Landrun: Sandbox any Linux process using Landlock, no root or containers
https://github.com/Zouuup/landrun
illuminarch · 4 years ago
Linux kernel 5.13 released with support for M1 chips and more security
The Linux world had an exciting weekend with the arrival of the new Linux kernel 5.13, released with support for M1 chips and more security options for users. The official announcement, as always, came from lead developer Linus Torvalds. He announced the arrival of the new stable version of the Linux kernel, which promises the implementation of important features since the beginning of this 5.x series.
The new version is codenamed “Opossums on Parade” and reaches all users with a large number of changes and new features, ranging from support for Apple M1 chips to major security improvements in this operating system.
Although many of us expected a new Release Candidate (the eighth, specifically), Linus Torvalds decided it was not necessary to extend the development of this new version any longer, since RC7 is a version that received almost no changes. The new Linux kernel 5.13 is one of the largest releases seen in recent years, with a total of more than 16,000 code changes from the hands of more than 2,000 developers. It is not a version that revolutionizes the kernel, but it is very important for the future.
Linux kernel 5.13 released with support for M1 chips and more security. What else is new?
This new kernel version comes with a series of noteworthy internal changes. One of the most important and long-awaited is that it is finally compatible with the Apple M1 processors launched in 2020. In addition, the Intel driver was improved to reduce temperature, the AMD Energy driver was removed for lack of support, and more processor-related changes were implemented, such as:
Bug fixes for AMD Zen.
Perf support for Intel Alder Lake and AMD Zen 3.
RISC-V improvements.
Loongson 2K1000 support.
32-bit PowerPC now supports eBPF and KFENCE.
Hyper-V support on 64-bit ARM processors.
Support for the AMD Crypto coprocessor.
Intel bus lock detection support.
New KCPUID utility.
This new kernel also updated everything related to graphics drivers. For example, initial support for the Intel Alder Lake S iGPU was added, and support for Intel discrete graphics continued to grow. For AMD, FreeSync over HDMI support and initial support for AMD Aldebaran were finally added.
Other new features include:
The ability to use a Raspberry Pi Zero as a USB display adapter.
Telemetry support for Intel DG1 Platform Monitoring Technology.
The POWER9 NVLink 2.0 driver was removed.
Other improvements to the rendering drivers.
Regarding storage, there are also some changes. The most important are improvements in Btrfs support, io_uring performance improvements, new F2FS mount options, UBIFS compression with Zstd, and a big performance improvement in OrangeFS.
Networking also received a significant number of changes and fixes. For example, the WWAN subsystem was added, VLAN performance was improved, and support for the Realtek RTL8156 and RTL8153D chips was added.
Other hardware-related news includes:
Support for the Amazon Luna remote.
Support for new Realtek sound hardware.
JPEG encoder/decoder.
Support for the Apple Magic Mouse 2.
The keyboard and touchpad of the new Microsoft Surface now work.
USB and Thunderbolt updates.
Power improvements.
New WMI temperature controller for Gigabyte boards.
And finally, security also brings several new features. For example, the Landlock Linux module, which has been in development for years, is finally ready. We can also see that the Retpoline code has been simplified. Improvements to Clang CFI code integrity and to the coding of kernel system calls were also included.
How to download
If we have advanced knowledge and want to compile it ourselves, the new version can already be found and downloaded from the kernel website. However, most people usually wait for alternative ways to get this new release.
If we have a rolling release system, in the next few hours we will automatically receive the new version as just another update, one of the advantages of this type of system. Otherwise, we will have to wait for the next version of the distro we use (such as Ubuntu) to enjoy the new features of this kernel version.
Via Softzone
The post Linux kernel 5.13 released with support for M1 chips and more security appeared first on SempreUpdate.
source https://sempreupdate.com.br/kernel-linux-5-13-lancado-com-suporte-para-chips-m1-e-mais-seguranca/
thegloober · 7 years ago
​Linus Torvalds talks about coming back to work on Linux
Linus Torvalds quietly met with Linux’s top 40 or so developers at the Maintainers’ Summit, held in concert with Open Source Summit Europe in Scotland. Afterward, we spoke about his return to Linux, the adoption of the Linux Code of Conduct (CoC), and how Berkeley Packet Filter (BPF) is changing Linux.
What’s happening now?
First, Torvalds is back in the driver’s seat.
“I’m starting the usual merge window activity now,” said Torvalds. But it’s not going to be kernel development as usual. “We did talk about the fact that now Greg [Kroah-Hartman] has write rights to my kernel tree, and it will be easier to just share the load if we want to, and maybe we’ll add another maintainer after further discussion.”
So, Kroah-Hartman, who runs the stable kernel, will have a say on Linus’ cutting-edge kernel. Will someone else get write permission to Torvalds’ kernel code tree to help lighten the load?
Stay tuned.
Also: How GitHub became the nexus of software automation
Going forward, at least for now, “the merge window plan is to try to keep it all normal (well, with the exception that I’m on the road as the merge window opens, something that I normally try to avoid because the first few days of the merge window tend to be the busiest ones),” he said.
What did Torvalds do during his break?
Torvalds stepped away from managing the Linux kernel because he needed to, as he explained it, “change some of my behavior, which had hurt and possibly drove away some people from kernel development.” He wanted to “take time off and get some assistance on how to understand people’s emotions and respond appropriately.”
So, what has he done since then?
Torvalds said, “I expect it to be a continuing process, but for now I have an email filter in place (that might be expanded upon or modified as needed or as I come up with more esoteric swearing — the current filter is really pretty basic). And I have been talking weekly with a professional, although again right now my travel is messing with that schedule.”
Also: Linux Foundation: Microsoft’s GitHub buy is a win
Torvalds thinks “to some degree the most important part of that process was that I just asked the maintainers at the KS [Kernel Summit] today to just send me email if they feel I’ve been unnecessarily abrupt. Or, some other maintainer, for that matter.”
He said, “We don’t want the CoC [Code of Conduct] to define the tone of the discussion, I think we’re actually much better off if we can just try to see the CoC as a last resort that never even gets invoked, simply because we encourage people to try to head any issues off before they escalate.”
Torvalds said he didn’t directly set up the CoC: “I actually stepped away from the CoC discussions exactly because I did *not* want it to be seen as me personally being involved in the discussion. So I was off-line partly to just let that whole discussion happen without people feeling like I was influencing it.” But, he “did end up following email just to not be out of the loop.”
Leaving the CoC alone
Now that the CoC is literally part of the Linux code, Torvalds shared that he doesn’t mind the CoC itself. “It’s the ‘bike shedding’ around it and the discussions that I tend to really find not very productive,” he said. “Everybody has an opinion on it, and there is very little agreement or objective measures of what the right CoC is.”
Looking ahead, Torvalds said, “I want to leave it alone, and wait until we actually have any real issues. I’m hoping there won’t be any, but even if there are, I want the input to be colored more by real and *actual* concerns, rather than just people arguing about it.”
Also: Git: A cheat sheet TechRepublic
That’s also the take of the senior Linux developers. Kroah-Hartman wrote on the Linux Kernel Mailing List (LKML), “As we discussed today in the Maintainers summit, let’s leave the Code of Conduct text alone for now.”
Kroah-Hartman continued, “Let’s let things settle down and not worry about hypothetical situations that might possibly happen in some way or another as we can debate that type of thing endlessly (it’s a good skill we have which makes us great kernel developers, but it not always transferrable to other environments). If real issues do come up in the future, we will address them then, as we always have the option to change and revisit things as needed.”
What about the code?
But, enough of the personal and social issues of Linux, what about the code?
We spoke about the rise in use of the BPF in Linux. As Jon Corbet, kernel developer and editor of LWN, explained in a keynote at Open Source Europe, BPF is an in-kernel VM. It’s different from the others, because it allows user-space processes to load processes into kernel space.
Traditionally, Linux is made of the kernel and user space and never the twain shall meet — except by well-defined application programming interfaces (APIs).
Also: What happens if you try to take your code out of Linux?
BPF — which has been used both for network filtering, as its name suggests, and performance analysis — is now being used for security policy decisions, seccomp, and the forthcoming Landlock security module. By becoming an increasingly important part of Linux, it’s breaking down the wall between kernel and user.
Torvalds isn’t worried:
“BPF has actually been really useful, and the real power of it is how it allows people to do specialized code that isn’t enabled until asked for. Things like tracing and statistics (and obviously network filters) are prime examples of things where people want to do localized things for one particular machine (or one particular site) that aren’t of the “everybody wants the same thing” kind. And that’s where the whole dynamic ‘build a small program for it and attach it to xyz’ comes in really useful.”
That last part is the traditional Unix/Linux way of building software.
Getting back to normal coding issues
So, in the end, it sounds like things are getting back to normal in Linux development land. Instead of dealing with social issues, it’s back to coding issues.
That said, the Linux community did need a kinder, gentler Torvalds and a fairer, more balanced way of dealing with its contributors. We’ll see going forward how well it all works out.
Related stories:
Source: https://bloghyped.com/%e2%80%8blinus-torvalds-talks-about-coming-back-to-work-on-linux/
ph4z0n · 8 years ago
Slowly running the LKML gauntlet but hopefully will make it through and see mainline soonℱ (or even eventually).
Landlock is a stackable Linux Security Module (LSM) that makes it possible to create security sandboxes. This kind of sandbox is expected to help mitigate the security impact of bugs or unexpected/malicious behaviors in user-space applications. The current version allows only a process with the global CAP_SYS_ADMIN capability to create such sandboxes but the ultimate goal of Landlock is to empower any process, including unprivileged ones, to securely restrict themselves.
Interesting stuff when ready for prime time.
gilbertineonfr2 · 8 years ago
SSTIC 2017 Wrap-Up Day #1
I’m in Rennes, France to attend my very first edition of the SSTIC conference. SSTIC is an event organised in France, by and for French people. The acronym means “Symposium sur la sécurité des technologies de l’information et des communications“. The event has a good reputation for its content but is also known to have a very strong policy for selling tickets. Usually, all of them are sold in a few minutes, spread across 3 waves. I was lucky to get one this year. So, here is my wrap-up! This is already the fifteenth edition, with a new venue to host 600 security people. Live streaming is also available and a few hundred people are following the talks remotely.
The first presentation was performed by Octave Klaba, who is the CEO of the OVH operator. OVH is a key player on the Internet with many services. It is known via the BGP AS16276. Octave started with a complete overview of the backbone that he built from zero a few years ago. Today, it has a capacity of 11 Tbps and handles 2500 BGP sessions. It’s impressive how this CEO knows his “baby”. The next part of the talk was a deep description of their solution “VAC”, deployed to handle DDoS attacks. For information, OVH handles ~1200 attacks per day! They usually don’t communicate about them, except if some customers are affected (the case of Mirai was provided as an example by Octave). They chose the name “VAC” for “Vacuum Cleaner“. The goal is to clean the traffic as soon as possible before it enters the backbone. An interesting fact about anti-DDoS solutions: it is critical to detect them as soon as possible. Why? Let’s assume that your solution detects a DDoS within x seconds; attackers will launch attacks of less than x seconds. Evil! The “VAC” can be seen as a big proxy and is based on multiple components that can filter specific types of protocols/attacks. Interesting: to better handle some DDoS, the OVH teams reversed some gaming protocols to better understand how they work. Octave described in deep detail how the solution has been implemented and is used today for any customer! This is a free service! It was really crazy to get so many technical details from a CEO! Respect!
The second talk was “L’administration en silo” by Aurélien Bordes and focused on some best practices for Windows services administration. Aurélien started with a fact: when you ask a company how the infrastructure is organised, they usually speak about users, data, computers, partners, but they don’t mention administrative accounts. From where and how are all the resources managed? Basically, there are three categories of assets. They can be classified based on colours or tiers.
Red: resources for admins
Yellow: core business
Green: computers
The most difficult layer to protect is the yellow one. After some facts about the security of AD infrastructure, Aurélien explained how to improve the Kerberos protocol. The solution is based on FAST, a framework to improve the Kerberos protocol. Another interesting tool developed by Aurélien: the Terminal Server Security Auditor. Interesting presentation but my conclusion is that it increases the complexity of Kerberos, which is already not easy to master.
During the previous talk, Aurélien presented a slide with potential privilege escalation issues in an Active Directory environment. One of them was the WSUS server. It was the topic of the research presented by Romain Coltel and Yves Le Provost. During a pentest engagement, they compromised a network “A” but they also discovered a network “B” completely disconnected from “A”. Completely? Not really, there were WSUS servers communicating between them. After a quick recap of the WSUS server and its features, they explained how they compromised the second network “B” via the WSUS server. Such a server is based on three major components:
A Windows service to sync
A web service to talk to clients (configs & push packages)
A big database
This database is complex and contains all the data related to patches and systems. Attacking a WSUS server is not new. In 2015, there was a presentation at BlackHat which demonstrated how to perform a man-in-the-middle attack against a WSUS server. But today, Romain and Yves used another approach. They wrote a tool to directly inject fake updates into the database. The important step is to use the stored procedures so as not to break the database integrity. Note that the tool has a “social engineering” approach and fake info about the malicious patch can be injected too to entice the admin to allow the installation of the fake patch on the target system(s). To be deployed, the “patch” must be a binary signed by Microsoft. Good news, plenty of tools are signed and can be used to perform malicious tasks. They used the tool psexec for the demo:
psexec -> cmd.exe -> net user /add
The DB being synced between different WSUS servers, it was possible to compromise the network “B”. The tool they developed to inject data into the WSUS database is called WUSpendu. A good recommendation is to put WSUS servers in the “red” zone (see above) and to consider them as critical assets. Very interesting presentation!
After two presentations focusing on the Windows world, back to the UNIX world and more precisely Linux with the init system called systemd. Since it was implemented in major Linux distributions, systemd has been the centre of huge debates between the pro-initd and pro-systemd camps. Same for me, I found it not easy to use, it introduces complexity, etc. But the presentation gave nice tips that could be used to improve the security of daemons started via systemd. A first and basic tip is to not use the root account, but many new features are really interesting:
seccomp-bpf can be used to disable access to certain syscalls (like chroot() or obsolete syscalls)
capabilities can be disabled (ex: CAP_NET_BIND_SERVICE)
mount namespaces (ex: /etc/secrets is not visible to the service)
Nice quick tips that can be easily implemented!
The next talk was about Landlock by Mickaël Salaün. The idea is to build a sandbox with unprivileged access rights and to run your application in this restricted space. The perfect example that was used by Mickaël is a multimedia player. This kind of application includes many parsers and is, therefore, a good candidate for attacks or bugs. The recommended solution is, as always, to write good (read: safe) code and the sandbox must be seen as an extra security control. Mickaël explained how the sandbox is working and how to implement it. The example with the media player was to allow it to disable write access to the filesystem except if the file is a pipe.
After lunch, a set of talks was scheduled around the same topic: analysis of code. It started with “Static Analysis and Run-time Assertion checking” by Dillon Pariente and Julien Signoles. They presented Frama-C, a framework for C code analysis.
Then Philippe Biondi, RaphaĂ«l Rigo, Sarah Zennou, Xavier Mehrenberger presented BinCAT (“Binary Code Analysis Tool”). It can analyse binaries (x86 only) but will never execute code. Just by checking the memory, the register and much other stuff, it can deduce a program behaviour. BinCAT is integrated into IDA. They performed a nice demo of a keygen tool. BinCAT is available here and can also be executed in a Docker container. The last talk in this set was “DĂ©sobfuscation binaire: Reconstruction de fonctions virtualisĂ©es” by Jonathan Salwan, Marie-Laure Potet, SĂ©bastien Bardin. The principle of the binary protection is to make a binary more difficult to analyse/decode but without changing the original capabilities. This is not the same as a packer. Here there is some kind of virtualization that emulates proprietary bytecode. Those three presentations represented a huge amount of work but were too specific for me.
Then, Geoffroy Couprie and Pierre Chifflier presented “Writing parsers like it is 2017“. Writing parsers is hard. Just don’t try to write your own parser, you’ll probably fail. But parsers are available in many applications. They are hard to maintain (old code, handwritten, hard to test & refactor). Issues based on parsers can have huge security impacts, just remember the Cloudbleed bug! The proposed solution is to replace classic parsers with something stronger. The criteria are: must be memory safe, called by / can call C code and, if possible, no garbage collection process. Rust is a language made to develop parsers like nom. To test it, it has been used in projects like the VLC player and the Suricata IDS. Suricata was a good candidate with many challenges: safety, performance. The candidate protocol was TLS. About VLC and parsers, the recent vulnerability affecting the subtitles parser is a perfect example of why parsers are critical.
The last talk of the day was about caradoc. Developed by the ANSSI (French agency), it’s a toolbox able to decode PDF files. The goal is not to extract and analyse potentially malicious streams from PDF files. Like the previous talk, the main idea was to avoid parsing issues. After reviewing the basics of the PDF file format, Guillaume Endignoux and Olivier Levillain made two demos. The first one was to open the same PDF file within two readers (Acrobat and Foxit). The displayed content was not the same. This could be used in phishing campaigns or to defeat the analyst. The second demo was a malicious PDF file that crashed Foxit but not Adobe (DDoS). Nice tool.
The day ended with a “rump” session (also called lightning talks by other conferences). I’m really happy with the content of the first day. Stay tuned for more details tomorrow! If you want to follow live talks, the streaming is available here.
[The post SSTIC 2017 Wrap-Up Day #1 has been first published on /dev/random]
from Xavier
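The three systemd tips in the wrap-up above (seccomp-bpf syscall filtering, dropped capabilities, a mount namespace that hides a secrets directory) map onto unit-file directives. The unit below is an added example written for this page, not a file from the talk; the service name, binary path, account name and the /var/lib/mediad state directory are assumptions chosen for illustration, and /etc/secrets is the path the talk used. It pairs the talk's three controls with the "don't run as root" baseline and the read-only root that makes a sandbox meaningful.

```ini
# /etc/systemd/system/mediad.service  (added example; names and paths are assumptions)
[Unit]
Description=Hardened media daemon

[Service]
ExecStart=/usr/local/bin/mediad
# Baseline from the talk: never run as root, and never regain privileges via setuid.
User=mediad
Group=mediad
NoNewPrivileges=yes

# Tip 1: seccomp-bpf. Deny chroot() and the whole "obsolete" syscall group
# (plus mount/reboot, which a media daemon never needs). Denied calls get EPERM.
SystemCallFilter=~chroot @obsolete @mount @reboot
SystemCallErrorNumber=EPERM

# Tip 2: remove capabilities from the bounding set so even a file-capability
# binary executed by the service cannot acquire them.
CapabilityBoundingSet=~CAP_NET_BIND_SERVICE CAP_SYS_ADMIN CAP_SYS_PTRACE

# Tip 3: mount namespace. /etc/secrets does not exist from the service's view;
# the rest of the filesystem is read-only except one explicit state directory.
InaccessiblePaths=/etc/secrets
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ReadWritePaths=/var/lib/mediad

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload`, `systemd-analyze security mediad.service` scores the unit and lists which of these settings are missing or weak, which is the quick check to run before and after applying the drop-in; `systemd-run -p SystemCallFilter=~chroot -- /bin/sh -c 'chroot / true'` is a one-off way to confirm the filter really returns EPERM.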
hackernewsrobot · 1 year ago
Xz: Can you spot the single character that disabled Linux landlock?
https://git.tukaani.org/?p=xz.git;a=blobdiff;f=CMakeLists.txt;h=d2b1af7ab0ab759b6805ced3dff2555e2a4b3f8e;hp=76700591059711e3a4da5b45cf58474dac4e12a7;hb=328c52da8a2bbb81307644efdb58db2c422d9ba7;hpb=eb8ad59e9bab32a8d655796afd39597ea6dcc64d
cidadenoticias · 4 years ago
Linux 5.13 released with Apple M1 bringup, Landlock, FreeSync HDMI and much more https://ift.tt/3jEXujm
hackernewsrobot · 4 years ago
Landlock merged in mainline for Linux 5.13
https://landlock.io/