Language Selection

English French German Italian Portuguese Spanish

Security Leftovers

Filed under
Security
  • Security updates for Tuesday

    Security updates have been issued by Fedora (kernel, kernel-headers, and kernel-tools), openSUSE (glibc and qemu), Red Hat (chromium-browser, container-tools:1.0, container-tools:rhel8, firefox, ipmitool, kernel, kernel-rt, krb5-appl, ksh, nodejs:10, nss-softokn, python, qemu-kvm, qemu-kvm-ma, telnet, and virt:rhel), Scientific Linux (ipmitool and telnet), SUSE (ceph and firefox), and Ubuntu (haproxy, linux, linux-aws, linux-gcp, linux-gcp-5.3, linux-hwe, linux-kvm, linux-oracle, linux-oracle-5.3, linux-raspi2, linux-raspi2-5.3, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, and linux, linux-hwe).

  • Josh Bressers: Who are the experts

    These are certainly strange times we are living in. None of us will ever forget what’s happening and we will all retell stories for the rest of our days. Many of us asked “tell me about the depression grandma”, similar questions will be asked of us someday.

    The whirlwind of confusion and chaos got me thinking about advice and who we listen to. Most of us know a staggering number of people who are apparently experts in immunology. I have no intention of talking about the politics of the current times, goodness knows nobody in their right mind should care what I think. What all this does have me pondering is what are experts and how can we decide who we should listen to?

    So I’ve been thinking a lot about “experts” lately. Especially in the context of security. There have been a ton of expert opinions on how to work from home, and how to avoid getting scammed, which video conferencing software is the best (or worst). There are experts everywhere, but which ones should we listen to? I’m not an expert in anything, but there are some topics I know enough about to question some of these “experts”.

  • seL4 Microkernel Optimized for Security Gets Support of Linux Foundation

    The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced it will host the seL4 Foundation, the nonprofit organization established by Data61, the digital specialist arm for Australia’s national science agency CSIRO. The seL4 microkernel is the world’s first operating system (OS) kernel that is proved secure; it is designed to ensure the security, safety and reliability of real-world critical computer systems.

    The new Foundation aims to accelerate the development of seL4 and related technologies, and under the Linux Foundation will provide a global, independent and neutral organization for funding and steering the future evolution of seL4. Founding members include Cog Systems, DornerWorks, Ghost Locomotion, HENSOLD Cyber and UNSW Sydney.

    The trustworthiness of embedded computing systems is vital to improving the security of critical systems around the world to safeguard them from cyber threats. This is particularly paramount in industries including avionics, autonomous vehicles, medical devices, critical infrastructure and defense. The seL4 microkernel is the world’s first operating system with a proof of implementation correctness and presents an unparalleled combination of assurance, generality and performance, making it an ideal base for building security- and safety-critical systems. The seL4 Foundation provides a forum for developers to collaborate on growing and integrating the seL4 ecosystem.

  • The Linux Foundation Throws Weight Behind Secure Microkernel

    Gernot Heiser, who will serve as chair of the new foundation, said the seL4 is unique in that it is mathematically proven to be secure, which provides a robust foundation on which a new generation of embedded systems can be built to drive, for example, internet of things (IoT) applications.

    Founding members of the seL4 Foundation include Data61, University of New South Wales in Sydney, HENSOLDT Cyber GmbH, Ghost Locomotion Inc., Cog Systems Inc. and DornerWorks Ltd.

    The hosting of the seL4 Foundation is sure to add more fuel to an increasingly fierce debate over the future of operating systems. Advocates of microkernels contend operating systems in terms of functions and size should be kept to an absolute minimum to both ensure security and maximize flexibility.

Linux Foundation backs security-oriented seL4

  • Linux Foundation backs security-oriented seL4 microkernel operating system

    However, SeL4 can be used, in theory, as a foundation for Linux and other Unix related operating systems. For example, it was briefly considered for use in Richard M. Stallman's still-born Gnu Hurd operating system. Now, with its latest edition and broader support, seL4 may be more broadly deployed.

    This kernel is a member of the L4 microkernel family. SeL4 is a mathematically proven correct, bug-free operating system kernel. It's designed to enforce strong security properties. Data61 claims it's the world's first operating system with such proof. It's also, they say, the only proven operating system featuring fine-grained, capability-based security and high performance. In the real world, it supports mixed criticality real-time systems.

Linux Foundation To Support seL4 Foundation

  • Linux Foundation To Support seL4 Foundation

    The Linux Foundation will be hosting seL4 Foundation, the nonprofit organization established by Data61 (the digital specialist arm for Australia’s national science agency CSIRO). The seL4 microkernel is designed to ensure the security, safety and reliability of real-world critical computer systems.

The seL4 microkernel: Optimized for security and endorsed...

  • The seL4 microkernel: Optimized for security and endorsed by the Linux foundation

    The Linux Foundation is a fundamental organization for the promotion of open source software and has officially endorsed the seL4 microkernel. To further boost seL4, the Linux Foundation will host seL4 Foundation, which is a non-profit organization, established by Data61.

    In order to understand seL4, we must first know what a microkernel is. A microkernel is the bare minimum of components needed to form an operating system. Usually, microkernels are comprised of...

From Data Center Knowledge

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

Kernel: Virtualisation, BPF, and Btrfs

  • QEMU 5.1 Bringing Many CPU Improvements From Loongson To RISC-V To s390

    QEMU 5.1-rc0 is available as the first step towards this next feature release of this important component to the Linux virtualization stack. The QEMU 5.1-rc0 release marks the hard feature freeze for this next release. Weekly release candidates will continue until QEMU 5.1 is ready to ship around the middle of August.

  • Sleepable BPF programs

    When support for classic BPF was added to the kernel many years ago, there was no question of whether BPF programs could block in their execution. Their functionality was limited to examining a packet's contents and deciding whether the packet should be forwarded or not; there was nothing such a program could do to block. Since then, BPF has changed a lot, but the assumption that BPF programs cannot sleep has been built deeply into the BPF machinery. More recently, classic BPF has been pushed aside by the extended BPF dialect; the wider applicability of extended BPF is now forcing a rethink of some basic assumptions. BPF programs can now do many things that were not possible for classic BPF programs, including calling helper functions in the kernel, accessing data structures ("maps") shared with the kernel or user space, and synchronizing with spinlocks. The core assumption that BPF programs are atomic has not changed, though. Once the kernel jumps into a BPF program, that program must complete without doing anything that might put the thread it is running in to sleep. BPF programs themselves have no way of invoking any sort of blocking action, and the helper functions exported to BPF programs by the kernel are required to be atomic. As BPF gains functionality and grows toward some sort of sentient singularity moment, though, the inability to block is increasingly getting in the way. There has, thus, been interest in making BPF programs sleepable for some time now, and that interest has recently expressed itself as code in the form of this patch set from Alexei Starovoitov. The patch adds a new flag, BPF_F_SLEEPABLE, that can be used when loading BPF programs into the kernel; it marks programs that may sleep during their execution. That, in turn, informs the BPF verifier about the nature of the program, and brings a number of new restrictions into effect. Most of these restrictions are the result of the simple fact that the BPF subsystem was never designed with sleepable programs in mind. Parts of that subsystem have been updated to handle sleeping programs correctly, but many other parts have not. That is likely to change over time but, until then, the functionality implemented by any part of the BPF subsystem that still expects atomicity is off-limits to sleepable programs. For example, of the many types of BPF programs supported by the kernel, only two are allowed to block: those run from the Linux security module subsystem and tracing programs (BPF_PROG_TYPE_LSM and BPF_PROG_TYPE_TRACING). Even then, tracing programs can only sleep if they are attached to security hooks or are attached to functions that have been set up for error injection. Other types of programs are likely to be added in the future, but the coverage will never be universal. Many types of BPF programs are invoked from within contexts that, themselves, do not allow sleeping — deep within the network packet-processing code or attached to atomic functions, for example — so making those programs sleepable is just not going to happen.

  • Btrfs at Facebook

    The Btrfs filesystem has had a long and sometimes turbulent history; LWN first wrote about it in 2007. It offers features not found in any other mainline Linux filesystem, but reliability and performance problems have prevented its widespread adoption. There is at least one company that is using Btrfs on a massive scale, though: Facebook. At the 2020 Open Source Summit North America virtual event, Btrfs developer Josef Bacik described why and how Facebook has invested deeply in Btrfs and where the remaining challenges are. Every Facebook service, Bacik began, runs within a container; among other things, that makes it easy to migrate services between machines (or even between data centers). Facebook has a huge number of machines, so it is impossible to manage them in any sort of unique way; the company wants all of these machines to be as consistent as possible. It should be possible to move any service to any machine at any time. The company will, on occasion, bring down entire data centers to test how well its disaster-recovery mechanisms work.

today's howtos

Home Assistant improves performance in 0.112 release

The Home Assistant project has released version 0.112 of the open-source home automation hub we have previously covered, which is the eighth release of the project this year. While previous releases have largely focused on new integrations and enhancements to the front-end interface, in this release the focus has shifted more toward improving the performance of the database. It is important to be aware that there are significant database changes and multiple potential backward compatibility breaks to understand before attempting an upgrade to take advantage of the improvements. According to the release notes written by contributor Franck Nijhof, better performance has been a major goal of this release with a focus on both the logbook and history components. This builds on the work of the previous release (v0.111) from a performance perspective, which focused on reducing the time it takes to initialize the hub at startup. Read more

Android Leftovers