sig-security: add meeting notes from 2017-07-05

Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2025-07-19 17:26:28 +00:00 · 2017-07-05 11:44:22 -07:00 · 2017-07-05 11:44:22 -07:00 · aaa39763b4
commit aaa39763b4
parent bfb82fb8aa
1 changed files with 42 additions and 0 deletions
--- a/reports/sig-security/2017-07-05.md
+++ b/reports/sig-security/2017-07-05.md
@ -20,3 +20,45 @@ Previous meeting notes: [2017-06-21](2017-06-21.md)
 - Next meeting: 2017-07-19
  - deep dive TBD
  - we can propose additional deep dives and discussion topics!
+
+## Meeting Notes
+Scribe: @mgoelzer
+
+- Next meeting: July 19th
+
+- Automatic Privilege Separation
+    - OPS = opportunistic privilege separation (meta project)
+    - Our infra operates on a large, untrusted code base.  Easily exploitable.  “Titanic”
+        - Lots of layers of vulnerable code.
+        - Lots of code.  E.g., Every version of Linux kernel is >1000 developers contributing
+        - Monolithic
+
+    - Strategies to address these problems:
+	    - Replace (microkernel), or
+	    - Harden + Separate
+	        - Harden = making external shell more resistant to attack
+	        - Separate = each internal component having minimal privileges so even a compromised component can do only limited damage (eg SELinux, Landlock)
+
+    - What about flipping the script? - by default everything is protected and then whitelist
+        - In contrast to current model where by default you have access to everything and then you bolt on protections after the fact
+
+    - Limitations of existing approaches
+	    - No ephemeral state
+	    - manual policy
+	    - don’t address kernel principles
+	    - lack of visibility into app
+	    - (others mentioned)
+
+
+    - Tools / Projects:
+        - OPS (Opportunistic Priv. Sep.):  end to end approach for fine grained security policy retrofitting
+	        - Core hypoth:  we can automatically derive policies from system behavior.  Use ML to set up initial separation policy.
+	        - Similar to an optimizing compiler.
+        - LINX:  linux nested kernel
+        - kr^x:  kernel randomization
+        - Memorizer:  dynamic tracer
+	        - Creates “maps” (like CAPs)
+	        - CAPMAPs
+	        - Takes kernel source -> pass it through instrumentation  (piggybacking on kernel address sanitizer to hook all allocations with KASAN) -> now all allocs are hooked
+		    - Stack is hooked through KASAN
+        - SLICE