i9 Platform Security
- Microkernel-based design, with a strictly enforced Messagebus and server architecture, ensures that the core of the system is stable and will not fall over if a component (e.g. a driver or a component of the network stack) fails for some reason

- The entire system as provided by the i9 Project is provided as Open Source (naturally, this doesn't always extend to things that the user installs), and does not contain any binary-only components "out of the box"

- Deep instrumentation and visibility throughout the system, with full access for users and developers, and no hidden ways of preventing a process from being instrumented (as happened with Apple's DTrace port and QuickTime/iTunes, to the disgust of many)

- Only One Way to do IPC throughout the system: through the system Messagebus and a transparent API/ABI "Trap" specific to each IPC type (e.g. D-BUS and System V IPC)

- All drivers, and components non-critical to the functionality of the kernel, are implemented as Servers in userland (e.g. FSServer and NetServer), with connectivity via the Messagebus to the kernel

- Although it is possible to view the raw contents of RAM (via /dev/mem), it is not possible for any process other than the Microkernel (including those owned by 'root') to write directly to it

- Additionally, it is not possible to patch raw areas of RAM from within the userland (so folks looking to hook in to implement DRM, or some form of malware, should go elsewhere, although they wouldn't have much success)

- Most importantly, these measures are not intended to be obnoxious or annoying to developers and end users, a security panacea/be-all-end-all (although that applies equally to every system), or there to enable the implementation of DRM systems or other restrictive technologies, or even to prevent some form of malicious software from being written and executed

(and yes, we realize that there are probably ways to circumvent this stuff)




5th May 2008                                            http://i9.house404.co.uk
Granular Process Control
- Granular Process Control is a system for restricting the usage of processes and System Servers from boot time, either across the whole system, or only for specific user accounts

- They can be used in conjunction with POSIX Personality permissions/ACLs, and the security features of other Personalities, or on their own, depending on the desired effect, and remain in effect even if a user elevates to an account with higher privileges (e.g. by using su or sudo) or switches the active shell Personality

- They can also be used to reinforce the settings in /etc/personalities

- It can be configured by modifying the commented configuration files in /etc/boot/processcontrol, or potentially by using an LDAP or NIS server record (you could create a fancy CLI or GUI tool for this, and upload it to i9Forge ;) )

- There are a number of use cases for this (including, but not limited to these):
  - Restricting or disabling use of external storage devices on corporate systems, to decrease the chances of users leaking confidential information
  - Disabling non-essential system components, to reduce the potential attack surface, or to decrease the system resource footprint
  - Providing remote-access systems with restricted network functionality (e.g. a system for compiling source code uploaded with FTP and providing the user with access to the resulting product, without allowing the system to be used for access to other systems external to it)
  - Use in conjunction with a firewall (e.g. iptables) to prevent users from opening certain inbound or outbound IP ports, or launching executables that listen on them (e.g. SMTP daemons), to prevent a system being used as a spam relay
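
The property that restrictions "remain in effect, even if a user elevates" can be modelled as a policy keyed on the account that logged in rather than the current effective account. The following is an added example, not code or a file format from the i9 Project; the names Restriction, Session, allowed_naive, allowed_login_bound, "builder" and "smtpd" are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Restriction:
    """One deny entry. The field layout is an assumption, not i9's file format."""
    target: str                 # process or System Server name
    user: Optional[str] = None  # None = whole system, else one login account


@dataclass(frozen=True)
class Session:
    login_user: str      # account that logged in; fixed for the session
    effective_user: str  # current account; changes on su/sudo

    def elevate(self, to_user: str) -> "Session":
        """Model su/sudo: only the effective account changes."""
        return Session(self.login_user, to_user)


def _blocked(rules: Iterable[Restriction], account: str, target: str) -> bool:
    # A rule applies when the target matches and it is system-wide or names the account.
    return any(r.target == target and r.user in (None, account) for r in rules)


def allowed_naive(rules, session: Session, target: str) -> bool:
    """Weak variant: keyed on the effective account, so su/sudo escapes it."""
    return not _blocked(rules, session.effective_user, target)


def allowed_login_bound(rules, session: Session, target: str) -> bool:
    """Variant matching the slide: keyed on the account that logged in."""
    return not _blocked(rules, session.login_user, target)


# Constructed sample policy ("builder" and "smtpd" are made-up names).
POLICY = [
    Restriction("smtpd"),                      # system-wide: no SMTP daemon
    Restriction("NetServer", user="builder"),  # build account gets no network
]


def compare(session: Session, target: str) -> tuple:
    """Return (naive verdict, login-bound verdict) for one launch request."""
    return (allowed_naive(POLICY, session, target),
            allowed_login_bound(POLICY, session, target))


if __name__ == "__main__":
    builder = Session("builder", "builder")
    cases = (("builder", builder), ("builder via su root", builder.elevate("root")))
    for label, s in cases:
        for target in ("NetServer", "smtpd", "FSServer"):
            print(f"{label:22} {target:10} naive/login-bound = {compare(s, target)}")
```

The two verdicts differ only for the per-account rule after elevation, which is the case the slide calls out.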




The Big Picture
See below for a rough diagram of how this stuff fits into the system:
(Disclaimer: This does not show every possible component, or how every single component integrates into the system)

Support for the somewhat controversial Trusted Platform Module (TPM) cryptoprocessor and certificate storage module is not currently planned, and the position it would have within the i9 Platform Security Framework is unknown.

[Diagram; components shown: EnforceGPC, SecurityFramework, Microkernel, Messagebus, PersonalityServer, FSServer, NetServer, Other Servers, Personalities, User Processes]



