Fraser Tweedale

We conclude the Haskell devroom with words of thanks to our speakers and supporters, and a prize draw where we will give away some books to Haskell newcomers! (Kindly donated by Haskell Foundation)

A brief update about the state of the Haskell Security Advisory Database initiative, why it is important, and our next steps.

Introduction and welcome to the Haskell devroom.

The Kerberos PKINIT extension replaces password authentication with X.509 PKI. This bring some advantages but also new risks. This presentation explains and demonstrates how PKINIT works, and presents a novel attack against FreeIPA's PKINIT implementation.

Kerberos is an authentication and single sign-on protocol based on symmetric cryptography. To avoid the drawbacks and risks of passwords, the PKINIT protocol extension enables clients to authenticate using public key cryptography and X.509 certificates. To further improve security, private keys can reside and signing/decrytion operations can be performed on hardware cryptographic tokens (smart card, PIV, TPM, etc).

I will start the talk with a brief overview of the core Kerberos protocol. Next I will explain how the PKINIT extension works, and demonstrate how to set up and use PKINIT in a FreeIPA environment. (FreeIPA is a free software identity management system that includes MIT Kerberos and Dogtag PKI.)

Finally I will discuss some of the risks that arise when using PKINIT, and security considerations for implementers and deployers. I will present and demonstrate a recently discovered PKINIT security flaw in some older (but still supported) versions of FreeIPA.

Linux container escapes continue to affect Kubernetes and derived products. User namespaces are one technology that can mitigate the risk. In this presentation I will explain the past, present and future of user namespace support in Kubernetes, and discuss how to run systemd-based containers in user namespaces. And why you would even want to try. There will be demos! Attendees will learn about what containers are, the technologies that underpin Linux containers, and how Kubernetes actually runs containers.

"systemd in a container? What! Why!?" We had our Reasons, and I'll even explain them. But more interesting than the "why" is the "how", and that's what this talk is about. Come and learn about the upcoming and in-development Kernel and Kubernetes security features that will enable better container isolation and secure deployment of systemd-based workloads.

This is a talk about what happened when a handful of complete container newbies tried to port their massive, complex, legacy application to Kubernetes. As a monolithic container. Based on systemd.

The runtime shunned our container and refused to execute it. Cloud engineers recoiled in horror at our architecture. With astounding hubris we ignored their admonitions and doubled down. If the container runtime won't run our application, well, we'll just modify the container runtime!

And so we did. Our journey took us into the darkest corners of container runtimes, Kubernetes and systemd. And we have emerged to tell you the tale. There will be demos.

Attendees will learn about the security technologies that underpin Linux containers, including namespaces and cgroups, as well as the behaviour of systemd in containers. I will also discuss the recent and planned changes in Kubernetes to provide official support for running containers in user namespaces.