Skip to content
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
66 lines (52 sloc) 2.8 KB


Time: 9am PDT (12pm EDT, 5pm BST) see the time in your timezone

Meeting location:

Announcement: Moby project forum post

Video recording:

Previous meeting notes: 2017-06-21


  • Introductions & Administrivia (5 min)
  • Automatic privilege separation and Memorizer deep dive - @ndauten (30 min)
    • What is automatic privilege separation?
    • Introduction to Memorizer
    • Discussion about tracking namespaces, other feedback
    • demo
  • Project updates (10 min)
  • Next meeting: 2017-07-19
    • deep dive TBD
    • we can propose additional deep dives and discussion topics!

Meeting Notes

Scribe: @mgoelzer

  • Next meeting: July 19th

  • Automatic Privilege Separation

    • Presentation slides here

    • OPS = opportunistic privilege separation (meta project)

    • Our infra operates on a large, untrusted code base. Easily exploitable. “Titanic”

      • Lots of layers of vulnerable code.
      • Lots of code. E.g., Every version of Linux kernel is >1000 developers contributing
      • Monolithic
    • Strategies to address these problems:

      • Replace (microkernel), or
      • Harden + Separate
        • Harden = making external shell more resistant to attack
        • Separate = each internal component having minimal privileges so even a compromised component can do only limited damage (eg SELinux, Landlock)
    • What about flipping the script? - by default everything is protected and then whitelist

      • In contrast to current model where by default you have access to everything and then you bolt on protections after the fact
    • Limitations of existing approaches

      • No ephemeral state
      • manual policy
      • don’t address kernel principles
      • lack of visibility into app
      • (others mentioned)
    • Tools / Projects:

      • OPS (Opportunistic Priv. Sep.): end to end approach for fine grained security policy retrofitting
        • Core hypoth: we can automatically derive policies from system behavior. Use ML to set up initial separation policy.
        • Similar to an optimizing compiler.
      • LINX: linux nested kernel
      • kr^x: kernel randomization
      • Memorizer: dynamic tracer
        • Creates “maps” (like CAPs)
        • CAPMAPs
        • Takes kernel source -> pass it through instrumentation (piggybacking on kernel address sanitizer to hook all allocations with KASAN) -> now all allocs are hooked
        • Stack is hooked through KASAN
      • SLICE
You can’t perform that action at this time.