KernelTLV meetup - Linux Kernel Security


18:45-19:10 - Mingle with bears and snacks
19:10-19:15 - Opening and welcome note
19:15-19:45 - “uLSM” - A user-space tool for testing Linux security faster (Avi Yeger - Team leader @ Argus cyber security)
19:45-20:15 - IPSEC datapath offload with Kernel control capabilities (Stefan Chulski - Staff Software Engineer @ Marvell)
20:15-21:45 - Analysis of a hacked Linux Server (Amir Rossert - Senior developer @ SafeBreach)


“uLSM” - A user-space tool for testing Linux security faster / Avi Yeger - Team leader @ Argus cyber security

In this presentation we provide a quick and useful tool for verifying and testing Linux security using LSM (Linux Security Module).
LSM is a de-facto standard mechanism for implementing MAC policies over user-space application (e.g SELinux).
As part of our work in Argus, we wished to provide researches with an easy tool for creating POCs to test security concepts faster. We present “ulsm” - a user-space development tool for LSM implementation.
In our lecture we will present the “ulsm” implementation, show some pros and cons of our tool and provide usage examples.
We are sure this tool will be of great benefit of the Linux security community and hope it will inspire other to develop similar security research utilities and build on top of “ulsm”.

IPSEC datapath offload with Kernel control capabilities / Stefan Chulski - Staff Software Engineer @ Marvell

  1. Will provide brief explanation about IPSEC security concepts(Route based vs Policy based) and IKE
  2. Overview of Kernel based IPSEC solution.
    2.a. IPsec packet walkthrough inside Kernel Network Stack
    2.b. XFRM netlink infrastructure inside Kernel
    2.c. Overview of security association set up by Kernel and Strongswan
    2.d. Advantages and disadvantages of Kernel based IPSEC solution
  3. Introduce IPSEC datapath offload solution with Kernel control capabilities

Analysis of a hacked Linux Server / Amir Rossert - Senior developer @ SafeBreach

I will show how to perform “Analysis of a hacked Linux Server” using a tool called Sysdig that collects system calls stream from the kernel.
The topics are:

  • Honeypots
  • Userspace vs Kernel space
  • System calls
  • Sysdig in high level
  • The experiment procedure - hopefully, to bring some real data from a real hacked server.

Argus offices (Short walk from HaShalom train station)
Alon Towers 1, 36th Floor, Yigal Alon 94 St, Tel Aviv-Yafo.

See you all there!