Merge pull request #87 from gkwhite/master
Add BSDCan 2020 videos by Stone, Beh, Long and Shirk #79.
Showing 4 changed files with 44 additions and 0 deletions.
11 changes: 11 additions & 0 deletions
content/2020/BSDcan/beh-iocage_FreeBSD_Jail_Management_Tool.md
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
--- | ||
layout: video | ||
title: "The iocage FreeBSD Jail management tool, an overview, its Plugins, and Plugin development" | ||
date: 2020-06-05 | ||
author: Conor Beh | ||
email: [email protected] | ||
youtube: HaYArIBQNao | ||
--- | ||
The FreeBSD Jail isolation mechanism celebrates its 20th anniversary in 2020 and has provided administrators a convenient, lightweight virtualization solution for virtual hosting, package building, and countless administrative support tasks. Of the many Jail management tools available, iocage provides not only management features but also includes a sophisticated|comprehensive Plugins system that provides collections of prepackaged software for a number of roles ranging from personal cloud services, to source control systems, to media servers. | ||
|
||
This talk will provide an overview of the iocage Jail management system, a survey of its plugins, and a demonstration of how to create a new iocage plugin. |
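
Review bot: the first body paragraph still carries an unresolved draft alternative, "a sophisticated|comprehensive Plugins system"; pick one adjective and drop the pipe, otherwise it appears verbatim in the published abstract. "Plugins" is also capitalised mid-sentence there and in the title but written "plugins" and "plugin" in the closing paragraph, so settle on one form.
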
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
--- | ||
layout: video | ||
title: "Thunderbolt on FreeBSD" | ||
date: 2020-06-05 | ||
author: Scott Long | ||
youtube: VbAJf2PBE-M | ||
--- | ||
Thunderbolt3 combines external USB3, PCIe, and DisplayPort peripherals into a converged interface. While the original intent was that OS-specific drivers would not be needed for peripherals to function, the reality is that a driver is needed to interact with the security features of the subsystem, flash firmware, and manage bandwidth and error handling. Additionally, the OS must provide robust PCI hotplug support in order to handle device arrival and departure. | ||
|
||
This talk will present the architecture of the FreeBSD thunderbolt driver, the challenges faced with hot-plug, and the roadmap for future support, including USB4. |
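
Review bot: the body names the technology inconsistently: the opening paragraph writes "Thunderbolt3" as one word and the closing paragraph writes "the FreeBSD thunderbolt driver" in lower case, while the title uses "Thunderbolt". Suggest "Thunderbolt 3" and a capitalised "Thunderbolt driver" throughout. The front matter also has no `email:` key, which the Beh and Stone files in this same commit set; confirm the omission is intended.
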
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
--- | ||
layout: video | ||
title: "BSD Honeypots - Of course it runs on BSD" | ||
date: 2020-06-06 | ||
author: Michael Shirk | ||
youtube: qmq1GTJuxOw | ||
--- | ||
In the past, there was some interest in the setting up of honeypots on BSD operating systems with tools like honeyd. Honeypots attempt to capture malicious code, network worms and attackers by emulating vulnerable services using a variety of methods. An opportunity came up for me to try to capture some malicious code using a simple setup with FreeBSD and jails. The setup was simple and easy to replicate as a way to perform security research on current attacks across the Internet and correlate with other threat sources for analysis. | ||
|
||
The goal for this talk will be to walk through a brief introduction of honeypots, followed by a background of honeypots on the BSD operating systems such as honeyd. I will walk through the simple steps I used to setup the necessary services and network configs with a FreeBSD jail and the additional jails I utilized for monitoring the honeypot with a Network Security tool such as Zeek, Suricata or Snort. I will also cover some other ways to setup honeypots on all of the BSD operating systems. |
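
Review bot: in the closing paragraph "setup" is used as a verb twice ("the simple steps I used to setup", "other ways to setup honeypots"); the verb is "set up", with "setup" kept for the noun as in "a simple setup" in the first paragraph. In the same paragraph "a Network Security tool" is capitalised mid-sentence and would read better as "a network security tool".
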
13 changes: 13 additions & 0 deletions
content/2020/BSDcan/stone-Oblivious_Sandboxing_Capsicum_eBPF.md
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
--- | ||
layout: video | ||
title: "Oblivious Sandboxing with Capsicum and EBPF" | ||
date: 2020-06-05 | ||
author: Ryan Stone | ||
email: [email protected] | ||
youtube: TGA4wbjbqXc | ||
--- | ||
The Capsicum sandboxing framework currently has the limitation that programs must have their source modified to make them amenable to sandboxing. A long-term goal of the project is oblivious sandboxing: running programs with no knowledge of Capsicum inside of a sandbox with the full protections offered by Capsicum. This would allow the sandboxing of third-party applications that are unlikely to accept large patches for Capsicum support. | ||
|
||
In this talk, we build upon previous work in this area to demonstrate how eBPF bytecode programs can be used to realize the promise of oblivious Capsicum sandboxing. By adding an eBPF entry point in the syscall path, it is possible to write eBPF programs that dynamically transform disallowed operations performed by the sandboxed application into operations allowed by Capsicum. | ||
|
||
We will begin with an overview of eBPF and its programming environment. We will then show how an eBPF program can intercept a syscall at runtime and change its behaviour. Using this ability, we will demonstrate eBPF programs that force existing applications to conform to the restrictions placed by Capsicum while maintaining their behaviour. Using real-world programs like clang and tar as examples, we will show the eBPF programs and the extensions to the eBPF runtime required to safely sandbox these programs without requiring source modifications. |
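
Review bot: the `title:` line spells the technology "EBPF", while every mention in the body and the file name stone-Oblivious_Sandboxing_Capsicum_eBPF.md use "eBPF"; change the title to "Oblivious Sandboxing with Capsicum and eBPF" so the listing matches the abstract.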