Hugo Lefeuvre

Software compartmentalization decomposes applications into lesser-privileged components that only have access to what they need to do their job. Properly applied, compartmentalization can limit the impact of many memory safety issues by containing corruption within the vulnerable component. Use-cases are plentiful: library sandboxing, protection of SSL keys, sandboxing of network-facing code, and more.

In the last decade we have seen the appearance of many new mechanisms that enable compartmentalization at a relatively low performance cost (Intel PKU, the upcoming Intel PKS, CHERI hardware capabilities, vmfunc). This generated a lot of research with a strong focus on compartmentalizing existing software, at a fine grain (isolating libraries or components), and as automatically as possible. The promises are great: the compartmentalization of legacy software, with a low engineering effort, and at a low performance cost.

Alas, in this process, the interfaces between compartments are often neglected: they are hard to reason about and difficult to secure automatically, and compartmentalizing at finer and finer-grain exacerbates the issue. This is a major problem, as weak interfaces enable for many attacks well-known in the confidential computing world.

In this talk I will present the result of a study on the impact of neglecting compartment interfaces. I will define and classify compartment interface vulnerabilities, and present a fuzzer specialized to catch them. Having applied it to 25 popular applications and 36 possible compartment APIs, revealing 629 interface vulnerabilities, I will present insights into what makes interfaces vulnerable, and how to make them more resilient when compartmentalizing.

Inaugural secure enclave platforms operate at the single user process level (e.g. SGX), meaning a single address space with potentially multiple threads, with a standard OS outside the enclave responsible for resource management and scheduling. More recent platforms (AMD SEV, Intel TDX, AWS Nitro Enclaves) operate at the VM level. This provides significant new capabilities for multi-process abstractions such as mmap and fork, which will be beneficial for enclavizing legacy software.

However, taking a VM image and running it in an enclave is not great from a TCB minimization standpoint. For platforms where there's currently no alternative (AMD, AWS), how can we build--with a minimal TCB--an abstraction that's similar to single-process enclaves? Of course you can “just run Linux” with a single process but this again is clearly suboptimal. We'll explore the solution space in this interactive session.

Other people: Marta Rybczynska Vasily A. Sartakov Mike Bursell Jo Van Bulck Jethro G. Beekman

Operating Systems (OSes) have historically been classified according to their isolation properties: monolithic OSes, microkernels, single-address-space OSes, or unikernels... Decades of experience in research and industry showed that there is no silver bullet and that different use-cases might demand different approaches to optimize safety and performance.

What if we tried to design an operating system able to be easily reconfigured into any of these points in the OS design space? What if the OS could be a microkernel, a unikernel, or a monolithic OS, at will, and using a wide range of hardware- and software-backed isolation mechanisms?

In this talk, we will present FlexOS, the result of our recent research work in trying to answer this question. FlexOS is an OS allowing users to easily specialize the safety and isolation strategy of an OS at compilation/deployment time, instead of design time. Depending on the configuration, the same FlexOS code can mimic a microkernel with multiple address-spaces, a single-address-space OS with Intel MPK compartments, or many other OS isolation approaches. We have implemented a prototype of FlexOS on top of Unikraft, a popular library OS framework.

Started in late 2014, [Debian LTS](https://wiki.debian.org/LTS/ "Debian LTS") exists and has provided additional security support for the Squeeze, Wheezy and Jessie releases. LTS support for Stretch is also planned. In this BoF we want to briefly explain how LTS is done, how you can support it, either finanically or by volunteer work and provide a venue for discussions how to improve it. The targetted audience for this talk is everyone, user, contributor, sysadmin, sponsor, you. Though of course due to the subjects being discussed this will be a quite technical discussion.

Other people: Chris Lamb Holger Levsen Markus Koschany

GNU Ring is a free software for universal communication which respects the freedoms and privacy of its users. The program allows users to communicate with each other without relying on a centralized server to relay messages. This presentation will give a short overview of the challenges faced by the Ring project, both technical and non-technical. Among others we will discuss the question of attracting external contributors in the special context of Ring, as well as the technical challenges arising from the development of offline messaging and name servers in a fully distributed network.