LVBS and Advanced Kernel Integrity - Thara Gopinath, Microsoft // TRAIN BRAIN

LVBS and Advanced Kernel Integrity - Thara Gopinath, Microsoft

LVBS and Advanced Kernel Integrity - Thara Gopinath, Microsoft
Linux Virtualization based Security (LVBS) is a security feature that can a) harden the kernel and b) ensure that critical kernel resources remain untampered, even if the kernel gets compromised. VBS uses hardware virtualization and the hypervisor (Hyper-V) to create an isolated virtual environment that runs as a higher trust level, called Virtual Trust Level 1 (VTL1). In earlier talks on LVBS we explored the fundamentals of having a secure kernel running in VTL1 and how we support basic kernel integrity through LVBS. In this talk we explore how LVBS can be extended to offer advanced kernel integrity features. We examine the status quo in Linux kernel today and the various kernel features that manipulate page tables to inject/modify kernel code. We then discuss how these features can be hardened via LVBS to ensure that authenticity and integrity of the modified/loaded code can be ensured, even if the kernel is compromised. We will also present the status of our work in hardening some of these features. Finally, as future work we also explore hardening of key kernel data structures that are target to attack and present our goals in guarding them against unauthorized modification.

The Linux Foundation

The Linux Foundation is a nonprofit consortium dedicated to fostering the growth of Linux and collaborative software development. Founded in 2000, the organization sponsors the work of Linux creator Linus Torvalds and promotes, protects and advances the L...

Linux Foundation Member Summit 2024 - Keynote Sessions

Keynote: Closing Remarks - Bailey Hayes, CTO, Cosmonic

Keynote: Welcome Back Remarks - Bailey Hayes, CTO, Cosmonic

Behind the Scenes: Debugging Kotlin/Wasm - Artem Kobzar, JetBrains

Keynote: Safety-Critical Meets Web-Native: Wasm Revolutionizes Embedded Systems - Panel Discussion

Keynote: FaaS Platform Engineering with Wasm- Vamsi Sangavarapu, VP of Engineering, American Express

Wasm Ecosystem Q&A - Alex Crichton, Fermyon

Workshop: Choose Your Own Adventure: Wasm Edition - Bailey Hayes & Taylor Thomas, Cosmonic

Keynote: WebAssembly & the Future of NGINX - Oscar Spencer, Principal Engineer, F5 NGINX

wRPC: Distributed Components, No Assembly Required - Roman Volosatovs & Taylor Thomas, Cosmonic

Panel Discussion: Playing Safely in the... Ram Iyengar, Ralph Squillace, Luke Wagner & Bailey Hayes

Sponsored Keynote: WordPress Meets WASM: Full Power of the CMS In Any... Jason Bahl, Code Wrangler

Keynote: FaaS Platform Engineering with Wasm - Vamsi Sangavarapu, VP of Engineering

Whamm! A WebAssembly Bytecode Instrumentation DSL - Elizabeth Gilbert

Keynote: Welcome & Opening Remarks - Nigel Poulton, Author and Video Trainer

Distributing and Running Containers for Wasm-Enabled Environments - Kohei Tokunaga, NTT

Unleash the Power of Open Source WASM on a Hyper-Distributed Clo... Colin Murphy & Douglas Rodrigues

The Future of Green Cloud: Serverless WebAssembly on Arm64 Archi... Kate Goldenring & Aaron Williams

WebAssembly at Google - Thomas Nattestad & Thomas Steiner, Google

Wasi-Webgpu: Build Beautiful Graphics and Safely Run AI with Any GPU - Sean Isom & Mendy Berger

Lightning Talk: From Server to Client: Ruby on Rails on WebAssembly - Vladimir Dementyev

Composable Concurrency for WebAssembly Components - Joel Dice, Fermyon Technologies

Keynote - Larry Carvalho, Chris Woods, Dan Mihai Dumitriu, Stephen Berard, Moderated by Divya Mohan

Mentorship Session: Using Clang and LLVM to Build the Linux Kernel

LF Networking’s Thoth enables telcos to leverage domain-specific AI

Countdown to #KubeCon + #CloudNativeCon NA in Salt Lake City!

Why healthcare trails in open source adoption | Linux Foundation Research

LFX Mentorship Showcase - Moderated by Shuah Khan, The Linux Foundation

KubeCon + CloudNativeCon Experience

LF Live Webinar: GenAI & Coding: Prompts for Maximum Workflow

Open Source Summit Europe 2024 Vienna Highlights

Secure and Encrypted Boot in Zephyr RTOS - Parthiban N, Linumiz

The Power of Global Community Support at #KubeCon + #CloudNativeCon

Empowering Diversity and Collaboration at #Kubecon + #cloudnativecon

Rethinking Kubernetes Management #kubernetes #cloudnative

Improving Bpftrace Reliability - Daniel Xu, Meta

How Can Your OSPO Maximize Open Source Business Value for the Organization? - Masae Shida, Broadcom

Contributing to KernelCI for Better Testing and Collaboration - Arisu Tachibana, Cybertrust Japan Co

Step by Step, What Should We Do for the Kernel Ecosystem? - Hirotaka Motai, Cybertrust Japan

Democratizing Diffusion Models with Diffusers - Sayak Paul, Hugging Face

Exploring CXL Memory: Configuration and Emulation - Yasunori Goto, Fsas Technologies Inc.

A Next-generation IoT Platform for Edge AI Apps Leveraging Se...- Munehiro Shimomura & Kenji Shimizu

Unlocking Local LLMs with Quantization - Marc Sun, Hugging Face

Optimize Your AI Cloud Infrastructure: A Hardware Perspective - Liang Yan, CoreWeave

eBPF BoF - Shung-Hsi Yu, SUSE & Yutaro Hayakawa, Isovalent

Discover Valkey: The Path to Now - Hayato Tustsumi, AWS

Data Prep Kit: A Comprehensive Cloud-Native Toolkit for Scalable Da... - Daiki Tsuzuku & Takuya Goto

Recent TPM Security Enhancements to the Linux Kernel - James Bottomley, Microsoft

Middle-Platform Empowerment: Growing and Sustaining Open Source Projects...- Xiaoya Xia & Peggy Dong

Exploring Distributed Caching for Faster GPU Training with NVMe, GDS, and RDMA - Hope Wang & Bin Fan

Why #Kubecon + #cloudnativecon is amazing?

KubeCon Scholarship Journey #kubecon #cloudnativecon

Action Deduplication: Faster and Cheaper Remote Builds Without Lifting a Finger - Christian Scott

Building 1300 Container Images in 4 Minutes - Sushain Cherivirala, Stripe

Pigweed and Bazel for Embedded Development - Ted Pudlik, Google, LLC

Spotify's Journey to Releasing One of the World's Largest Apps wit... Luka Cindro & Gabriel Borglund

Aspect Build - Alex Eagle, Aspect Build Systems

BazelCon Keynote - Mícheál Ó Foghlú & Tobias Werth, Alex Eagle, Helen Altshuler, Chuck Grindel

State of the Union - Tobias Werth & John Field, Google

Post Mortems for 4 Years of Remote Execution - Ulf Adams, EngFlow Inc.

Performant Bazel Builds for Web Monorepos at Scale - Sharmila Jesupaul, Airbnb

Introducing Remote Bazel - Maggie Lou, BuildBuddy

Running a Start-up on Bazel - Prasanna Swaminathan, Ergatta

Perfect Sandboxing in Bazel - Rahul Butani, Intel

Bazel’s Take on (Cc) Shared Libraries - Claudio Bley, Modus Create

The Classics Never Go Out of Style: An Empirical Study of Downgrades from Bazel - Shane McIntosh

Lessons from a Large JVM Monorepo - Janusz Kudelka, Airbnb

A celebration of community! #KubeCon #CloudNativeCon

LF Live Webinar: Simplify Your Kubernetes Connectivity with NGINX Gateway Fabric

GPU allocation Insights from NVIDIA

Boost Your Networking and Balance

In-Person Learning at #Kubecon #cloudnativecon

Connect, Learn & Thrive Strategically #kubecon #cloudnativecon

Value of Community at #KubeCon

Mentorship Session: The Maple Tree: Structure and Algorithms

Fast & Efficient Access to External Infrastructure

DevSecOps Transformation at Speed and Scale Using Tekton - Caroline Cameron & Tony Higham, IBM

Sponsored Session: Solving for the Cloud Native Security Paradox - Robert Sirchia, SUSE

Compartmentalizing Vulnerable Kernel Components Without Stopping the Machine - Qinrun Dai

Systemd & TPMs - Lennart Poettering, Microsoft