From 13393400041f589d1862b8a0eb3e95796cb1927e Mon Sep 17 00:00:00 2001 From: Riyaz Faizullabhoy Date: Wed, 7 Jun 2017 10:43:36 -0700 Subject: [PATCH] sig: notes for 2017-06-07 Signed-off-by: Riyaz Faizullabhoy --- reports/sig-security/2017-06-07.md | 54 ++++++++++++++++++++++++++++-- 1 file changed, 52 insertions(+), 2 deletions(-) diff --git a/reports/sig-security/2017-06-07.md b/reports/sig-security/2017-06-07.md index 56ec9f019..e4a677ce3 100644 --- a/reports/sig-security/2017-06-07.md +++ b/reports/sig-security/2017-06-07.md @@ -3,7 +3,9 @@ Time: **9am PDT** (12pm EDT, 5pm BST) [see the time in your timezone](https://ww Meeting location: https://docker.zoom.us/j/779801882 -Announcement: Moby project forum post coming soon! +Announcement: [Moby project forum post](https://forums.mobyproject.org/t/2017-06-07-linuxkit-security-sig-meeting/58) + +Video recording: Processing, coming soon! Previous meeting notes: [2017-05-24](2017-05-24.md) @@ -13,7 +15,7 @@ Previous meeting notes: [2017-05-24](2017-05-24.md) - proof-of-concept in LinuxKit repo - proposed process for promotion to channel, out of channel - buildchain security: PIE/ASLR for packages @fntlnz (10 min) -- `miragesdk` deep dive - @avsm @samoht (20 min) +- `miragesdk` deep dive - @avsm @samoht @yomimono @talex5 (20 min) - What is it? Why do we care? - RFC: which system daemons should we implement? - architecture deep dive 
@@ -24,3 +26,51 @@ Previous meeting notes: [2017-05-24](2017-05-24.md) - we can propose additional deep dives and discussion topics! ## Meeting Notes +Scribe: @mgoelzer + +- Introductions for new attendees - welcome! + +- probational channel: + - calling it “Probational Channel” (vs “hardened” to avoid implying that LinuxKit itself is soft) + - goal is to have a curated channel of what’s in `/projects` + - also goal: reduce bit rot + - RFC here: https://docs.google.com/document/d/1V3R_eF-_JTEcWmw_pKERuRAWMDxZ3iCy_6piLPhtZSA/edit#heading=h.99zlrcqz1kzx + - goal of RFC is build your project based on a delta against base LinuxKit (e.g., add Wireguard, add Landlock) + - @cschaufler: let’s have at least one that is all the projects, and then others for explicitly requested combos of projects + - @justincormack: probation/promotion is orthogonal to the tooling problem. + - against any tooling in the project, tooling should be upstream. + - @avsm: just have a Makefile snippet you can include, will help with the bit rot problem + +- buildchain security: + - discussion lead: @fntlnz + - issues are PIEs, ASLR, signing. Binaries today are not using linker best practices. 
+ - two concerns: + - we should be using PIE, ASLR - current state discussed on [issue](https://github.com/linuxkit/linuxkit/issues/1902) + - golang compiling produces [static PIE executables](https://github.com/linuxkit/linuxkit/blob/master/tools/go-compile/compile.sh#L100) + - c compiling benefits from Alpine Linux default flags + - we have to check that future binaries in LinuxKit builds should be compiled with the appropriate flags + - including stuff written in other languages like Rust + - we would benefit from tools to start binary in isolation, look at its runtime environment - works with anything (libc, muscl, etc) + - @cschaufler: take a look at Yocto’s buildchain checks + - @avsm: need to modify some language configs as well (for OCaml binaries) + - @justincormack: runc is not linked correctly + - @riyazdf: next meeting let’s also discuss how we can go beyond signing, better checks + +- mirageSDK + - discussion lead: @avsm + - slides: https://speakerdeck.com/avsm/a-modern-services-sdk-for-linuxkit + - goal is to rebuild the services on top of LinuxKit with advanced security features: + - type safety + - container-native daemons + - daemons: [dhcpd in repo today](https://github.com/linuxkit/linuxkit/tree/master/projects/miragesdk), working on others. Open to feedback for prioritizing future type-safe daemons (ntp, dns, https, etc) + - containerized, but still written in C and require high system privilege + - want to make these components less monolithic, more container native. + - dhcpd: + - in a cloud environment, you really only need it once. You’re more likely to kill machine than want to change its IP after boot. 
+ - requires very low level access - eg IP route tables + - described 3-part priv separated architecture + - Capnp - RPC system for how these 3 processes communicate + - @yomimono: demo fuzz testing with American Fuzzy Lop (afl) + - asciinema of demo: https://asciinema.org/a/3ljccmn19m25uj02kve678xp6 + - afl: http://lcamtuf.coredump.cx/afl/ + - Also focusing on other services: DNS, HTTPS
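Review bot: In the first hunk (`@@ -3,7 +3,9 @@`), the new line `+Video recording: Processing, coming soon!` is a placeholder that will silently go stale; the announcement line on the previous row was already turned from "coming soon" into a real link in this same patch, so either drop the recording line until the link exists or add an owner so it is clear who replaces it (the scribe is named further down as @mgoelzer).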
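Review bot: In the `@@ -24,3 +26,51 @@` hunk, `+ - we would benefit from tools to start binary in isolation, look at its runtime environment - works with anything (libc, muscl, etc)` misspells the C library: it should read `musl`. Two smaller consistency points in the same hunk: the sub-heading `+- mirageSDK` does not match the agenda item spelled `` `miragesdk` `` above it, and `+ - Capnp - RPC system for how these 3 processes communicate` would be clearer as `Cap'n Proto (capnp)`. Finally, the buildchain section records findings ("Binaries today are not using linker best practices", "@justincormack: runc is not linked correctly") with no owner or follow-up beyond the linked issue; since these notes are the record of the meeting, consider listing the action items (who checks the runc link flags, who adds the flag checks for non-Go binaries such as Rust and OCaml) next to the issue link so the next meeting can track them.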