NICOLÁS BAREIL()

Sandboxing based on SECCOMP for Linux kernel

We would like to introduce a new sandboxing method based on SECCOMP,
mechanism already available in Linux kernel. This project, called
seccomp-nurse, aims to provide a secure jail environment. It is
designed to run "cloud applications" with access control mechanisms.

It is a free software available at http://chdir.org/~nico/seccomp-nurse/

This talk will introduce the problematic of sandboxing, why it so hard
to get it right? What is the state of art? What is wrong with
available tools?

Based on these problematics, we will dive into Linux internals in
order to see how we could use some "barely known" features to create a
jail without requiring patches to softwares or to the host environment.

Finally, we will explain how hard it is to validate syscalls, from an
implementation point of view to the semantic level. We will introduce
our Python engine handling these security checks.

The goal of this talk is to give seccomp-nurse to the community: this
would the official take-off of the project. It is now usable and is
ready to receive feedback!

Sobre Nicolás Bareil

He is a french security researcher working at EADS Innovation Work, he is in charge of pentesting networks, application audits (blackbox/whitebox), training and research. His interests are OS hardening, network security, VoIP and sandboxing.

Also a free software developper, he authored a few security tools
(ilty, a phone interception system on Cisco VoIP; ipt_scrub, a Linux
implementation of OpenBSD\'s scrub) and he takes part in several
projects (scapy, Linux kernel, Debian packages).

« volver a Speakers

NOVEDADES


diseño: GrafikaWeb