Security
Bradley SPENGLER
Laurent OUDOT
Keywords
- Kernel security
- Firewalls
- Intrusion Detection Systems
- Honeypots
- Secure Programming
- PKI
Motivation
Security is a necessary component of any piece of software or hardware,
whether it operates at a high or low level, and whether it is used
commercially or personally.
Since there is no single solution to security problems, the
best procedure is to implement a variety of defenses. Our goal in this
topic is to present a variety of defenses to aid the audience in securing
their systems and networks.
Feel free to join our dedicated mailing list to ask your questions about this topic.
Subtopics
- System Security: this subtopic aims at analysing problems and solutions at the system layer, through the kernel at a very low level.
- Network Security: this subtopic deals with network security, going from problems like rerouting attacks or denial of service to solutions like firewalls and VPNs.
- Applications Security: this one will help in understanding the problems that exist at the software layer and how they can be avoided, both in general and through a specific example, privilege separation.
- Intrusion Detection and Honeypots: here you'll find discussions about host- and network-based intrusion detection and how it may be bypassed, and also about the still weird protections called honeypots.
- PKI: here you'll find discussions about Public Key Infrastructure and the way it helps secure exchanges between multiple people, processes, etc., with cool things like authentication, certificates...
- Opened Round Table about Security and Opensource: this will end the Security Topic of the LSM2002 with an open interactive discussion between the public and experts on current and future problems and solutions.
Content of the Security Topic
1. System Security
Bradley Spengler
spender@grsecurity.net
http://www.grsecurity.net/
Detection, Prevention, and Containment: A Study of grsecurity
An in-depth look into the motivations behind grsecurity.
Will cover a detailed examination of PaX: what it does, and how it does it.
Also covers a rationale on the implementations of important features of grsecurity, as
well as an overview of its ACL system.
Performance of the ACL system and PaX will be discussed in detail.

Tim Yardley
liquid@dqc.org
http://nmedia.net/~liquid/
"Trusted Operating Systems: The Wave Of The Future?"
This discussion will cover the current security problems and why a
standard system cannot solve those problems.
The basics behind trusted operating systems will be explained, including
overviews of the different underlying security models.
After the basics are explained, further detail will be drawn in the
form of benefits and drawbacks of each type of system. This will include
discussion about the difficulties in the use of universal mandatory access
control (MAC) vs non-universal MAC models.
Future evolution of these systems and their application will also be
discussed. Further attention will be paid to future threats and ways to
strengthen your systems against those threats now, if time allows.

Philippe Biondi
biondi@cartel-securite.fr
http://www.lids.org/
General presentation about Linux kernel security, focusing on LIDS
An overview of various security systems for Linux: Linux Security Modules
(LSM) for 2.5, LIDS, Medusa DS9, RSBAC, LOMAC, and SELinux.

Marius Aamodt Eriksen
marius@citi.umich.edu
http://www.citi.umich.edu/u/marius/
NFSv4 and Security (GSS/Kerberos...)

Niels Provos
provos@citi.umich.edu
http://www.citi.umich.edu/u/provos/systrace/
Systrace - Interactive Policy Generation for System Calls
Systrace enforces system call policies for applications by constraining the application's access to the system. The policy is generated interactively. Operations not covered by the policy raise an alarm and allow a user to refine the currently configured policy.
With systrace, untrusted binary applications can be sandboxed. Their access to the system can be restricted almost arbitrarily. Sandboxing applications available only as binaries is only sensible as it is not possible to directly analyze what they are designed to do.
2. Network Security
Harald Welte
laforge@gnumonks.org
http://www.gnumonks.org/users/laforge/
Current netfilter/iptables development and our plans for kernel
2.5.x (failover, pkt_tables, nfnetlink, ...)
Duration: 1 hour
Audience: Developers

Harald Welte
laforge@gnumonks.org
http://www.gnumonks.org/users/laforge/
An advanced netfilter/iptables presentation about the design and
implementation
Duration: 1.5-2 hours
Audience: Advanced Admins, Developers

Cedric Blancher
blancher@cartel-securite.fr
Switched network security : a fairy tale...
Most network engineers think their network is sniff-proof because
of their use of switches. The goal of this presentation is to demonstrate
why switched networks are insecure, and to show some consequences that can
be even worse than in non-switched environments.
- Introduction : Layer 2 protocols, IP and ARP ; ethernet
- Ethernet basics : technology, topology, segmentation
- Hubs : consequences
- Switches : goals, security issues, urban legends ;)
- ARP protocol attacks : traffic redirection HOWTO
- Consequences : sniffing, DoS, traffic capture, MITM...
- Some ways and tools to prevent and detect ARP attacks
- Other layer 2 protocols to focus on : HSRP, VRRP, CDP, VTP, DTP, etc...
A mini-demo of attacks presented below will be available during the
speech.

Victor Vuillard
victor.vuillard@utbm.fr
OpenBSD and some of its interests :
- Licences, goals and principles : differences between Linux and OpenBSD
- ipf and pf : OpenBSD firewalling.
- authpf : how to create a dynamic firewall? (for example to secure
a gateway that connects a wireless network to the rest of the non-radio
network)
- ipsec implementation and quick example (connecting a Linux-FreeS/WAN
and OpenBSD using isakmpd)

Sebastien Lacoste-Seris
kaneda@securite.org
Nicolas Fischbach
nico@securite.org
http://www.securite.org/
Security in large Service Provider networks
This talk will focus on the usage and integration of
free/opensource tools to increase the security of a large IP
network. They will describe some setups (for example : (D)DoS detection
based on Netflow data sent to a cflow gatherer, stored in RRDtool
files, analyzed with Flowscan and reported using Apache::Embperl).
They will also discuss the pros and cons of such tools (for example
IDSes in a dial-up/hosting environment).

Hervé Eychenne
herve.eychenne@kdx.fr
http://www.wallfire.org/
WallFire: a multi-platform firewall administration toolkit.
The goal of the WallFire project is to build a very general and
modular firewalling application based on Netfilter or any kind of
low-level framework.
It will make it possible to manage every aspect of firewall administration,
from configuration to monitoring, intrusion detection, etc...
3. Applications Security
Marius Aamodt Eriksen
marius@citi.umich.edu
http://www.citi.umich.edu/u/marius/
Proxide Project. Network and applications security for instant messages, etc. Proxide is a context sensitive generic network filter. It relies on plugins to perform the operations of putting internet protocols into a common context, as well as to provide the filters that operate upon common context. The protocol plugin is then responsible for reassembling the message and sending it to the intended recipient...

Denis Ducamp
Denis.Ducamp@hsc.fr
http://www.hsc.fr/
How to design secure applications based on privilege
separation
What are the basic security functionalities under Unix needed to build
privilege separation and how to use them to design more secure applications

Frederic Raynal
pappy@miscmag.com
http://minimum.inria.fr/~raynal/
(In)Secure Programming :
- escape shells
- memory management (stack, heap...) and function calls
- buffer overflows in the stack
- buffer overflows in the "low" sections (heap, bss, data)
- format bugs
[- malloc's tricks ?]
[- race conditions ?]
4. Intrusion detection and Honeypots
Niels Provos
provos@citi.umich.edu
http://www.citi.umich.edu/u/provos/honeyd/
Virtual honeypots with honeyd
Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their TCP personality can be adapted so that they appear to be running certain versions of operating systems. Honeyd enables a single host to claim multiple addresses - he has tested up to 65536 - on a LAN for network simulation.

Yoann Vandoorselaere
yoann@mandrakesoft.com
http://www.prelude-ids.org/
Krzysztof Zaraska
kzaraska@student.uci.agh.edu.pl
Sylvain Gil
tootella@tootella.org
Laurent Oudot
oudot.laurent@wanadoo.fr
Intrusion Detection through the Prelude-IDS project
- About Prelude-IDS
- History
- Distributed architecture
- How it works
- Evasion
- How to deploy it
- Managing IDS
- The future
5. Public Key Infrastructure (PKI)
Yannick Quenec'hdu quenechdu@cartel-securite.fr
Patrick Duplouy duplouy@cartel-securite.fr
http://pki.cartel-securite.fr/
MetaPKI a new design for PKI project
The goal of the MetaPKI is to build a flexible and very modular PKI
application.
The general idea is to supply a simple access solution that requires no
modification of the code to adapt the product to specific needs.
6. Opened Round Table about Security and Opensource
Renaud Deraison
deraison@nessus.org
http://www.nessus.org/
This will end the Security Topic of the LSM2002 with an open interactive
discussion between the public and experts on current and future problems
and solutions.
Links
http://www.grsecurity.net/
http://www.gnumonks.org/users/laforge/
http://www.citi.umich.edu/u/provos/
http://www.citi.umich.edu/u/marius/
http://www.lids.org/
http://www.prelude-ids.org/
http://www.nessus.org/
http://www.hsc.fr/
http://www.groar.org/
http://www.securite.org/
http://pki.cartel-securite.fr/
http://minimum.inria.fr/~raynal/
Schedule
Wednesday, July 10th
| 9:00 - 10:20 | An in-depth look at grsecurity, by Bradley SPENGLER | ENSEIRB Amphi B |
| 10:20 - 10:40 | Geeks' break | |
| 10:40 - 11:40 | Systrace - Interactive Policy Generation for System Calls, by Niels PROVOS | ENSEIRB Amphi B |
| 11:40 - 12:40 | General presentation about kernel security under Linux systems that will end on LIDS, by Philippe BIONDI | ENSEIRB Amphi B |
| 12:40 - 13:40 | Geeks' meal | |
| 14:00 - 15:00 | Current netfilter/iptables development and our plans for kernel 2.5.x, by Harald WELTE | ENSEIRB Amphi B |
| 15:00 - 16:00 | OpenBSD and some of its interests, by Victor VUILLARD | ENSEIRB Amphi B |
| 16:00 - 16:20 | Geeks' break | |
| 16:20 - 17:20 | Switched network security : a fairy tale..., by Cedric BLANCHER | ENSEIRB Amphi B |
| 17:20 - 18:20 | Proxide Project, by Marius Aamodt ERIKSEN | ENSEIRB Amphi B |
Thursday, July 11th
| 9:00 - 10:20 | How to design secure applications based on privilege separation, by Denis DUCAMP | ENSEIRB Amphi B |
| 10:20 - 10:40 | Nerds' break | |
| 10:40 - 12:40 | (In)Secure Programming, by Frederic RAYNAL | ENSEIRB Amphi B |
| 12:40 - 13:40 | Nerds' meal | |
| 14:00 - 16:00 | Prelude IDS, by Prelude Team | ENSEIRB Amphi B |
| 16:00 - 16:20 | Nerds' break | |
| 16:20 - 17:20 | Honeyd, by Niels PROVOS | ENSEIRB Amphi B |
| 17:20 - 18:20 | NFSv4 GSS/API, by Marius Aamodt ERIKSEN | ENSEIRB Amphi B |
Friday, July 12th
| 9:00 - 10:20 | Security in large Service Provider networks, by Sebastien LACOSTE-SERIS, Nicolas FISCHBACH | ENSEIRB Amphi B |
| 10:20 - 10:40 | Cool break | |
| 10:40 - 12:40 | An advanced netfilter/iptables presentation about the design and implementation, by Harald WELTE | ENSEIRB Amphi B |
| 12:40 - 13:40 | Cool meal | |
| 14:00 - 15:00 | WallFire: a multi-platform firewall administration toolkit, by Hervé Eychenne | ENSEIRB Amphi B |
| 15:00 - 16:00 | MetaPKI a new design for PKI project, by Yannick QUENEC'HDU, Patrick DUPLOUY | ENSEIRB Amphi B |
| 16:00 - 16:20 | Cool break | |
| 16:20 - 17:20 | Trusted Operating Systems: The Wave Of The Future?, by Tim YARDLEY | ENSEIRB Amphi B |
| 17:20 - 19:20 | Opened Security Round Table, by Renaud DERAISON | ENSEIRB Amphi B |
  
http://lsm2002.abul.org/program/topic02/topic02.php3
© ABUL, 2000
Page maintained by : Laurent OUDOT
Last modified : Sunday June 30 2002, 02:30:41