Software LOPA
Approach to Performing a Layers of Protection Analysis for Complex Software
OpenTech
Andreas Platschek<[email protected]>
May 23, 2017
© Andreas Platschek (OpenTech) May 23, 2017 1 / 31
"Yet further concerns relate to whether a consequence can be so severe that the frequency of the hazardous situation should not be taken into account, thus negating the concept of 'risk' in selecting the appropriate set of implementation techniques. In order to address this concern IEC 61511 formalised the concept of 'layers of protection' requiring diversity between the different layers."
Audrey Canning, in: Functional Safety: Where have we come from? Where are we going?
LOPA Principle

[Diagram: an Identified Hazard reached by the Initiating Events IE1 to IE5]

IE1-IE5 . . . Initiating Events; IPL1-IPL4 . . . Independent Layers of Protection
LOPA Principle

[Diagram: the Independent Layers of Protection IPL1 to IPL4 placed between the Initiating Events IE1 to IE5 and the Identified Hazard]

IE1-IE5 . . . Initiating Events; IPL1-IPL4 . . . Independent Layers of Protection
LOPA Basics: Properties
Independence
Effectiveness
Auditability
Auditability
Open-Source Rules!
If a Software LOPA is doable at all, then open-source software is definitely the prime suspect.
Effectiveness
Do the IPLs actually mitigate against the hazard?
Independence
Multiple layers only make sense if they fail independently!
BUT "Independence is an important concept, although absolute independence is generally not achievable. ... However, IPLs should be sufficiently independent such that the degree of interdependence is not statistically significant." [1, Section 3.2]
Prospective SW IPLs (SIL2LinuxMP Context)
seccomp
cgroups
CPU-shielding
Namespaces
PALLOC
. . .
Code Review (assure restricted use of syscalls)
Static Code Analysis (coccinelle)
Error Handling to detect faults
Hardened NooM Container

[Diagram: SIL2LinuxMP base system on CPU 0 to CPU 3, each CPU with its own RAM banks (0..n, n+1..m, m+1..i, i+1..j); a SIL 0 Debian container (glibc, busybox, Monitoring) and two SIL 2 safety applications (32bit FP on glibc 32bit, 64bit INT on glibc 64bit), each confined by seccomp]

At present this is the strongest multi-layer approach we are looking at.
Independence of Layers
How to perform LOPA and show INDEPENDENCE of those different protection layers?
Static code analysis
Development data
Static Code Analysis
Analyze functions called by subsystems (callgraphs)
Find and analyze overlaps in callgraphs
Intersection of Configurations
Baseconfig (BASE)
Baseconfig+Seccomp (SEC)
Intersection outside of Baseconfig
Baseconfig (BASE)
Baseconfig+Seccomp (SEC)
Baseconfig+CGROUPS (CGR)
(SEC ∩ CGR) \ BASE = ∅
Intersection in Baseconfig
Baseconfig
Analysis of Subsystems

[Diagram: funcs_base_both broken down into RCU, atomic, f3 and new_funcs_base_both]
Preliminary Results
| Set | Nr. Functions |
|---|---|
| baseconfig | 20829 |
| baseconfig+seccomp | 21401 |
| seccomp | 572 |
| baseconfig+cgroups | 21120 |
| cgroups | 679 |
| both not in baseconfig | 0 |
| funcs base | 13792 |
| funcs base seccomp | 7131 |
| funcs base cgroups | 7391 |
| funcs base both | 6665 |
| rcu funcs | 6511 |
| atomic funcs | 294 |
| new funcs base both | 185 |
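Added example (not from the slides): the configuration-intersection analysis of the preceding slides carried out over a constructed toy call graph, producing the same set names as the results table. The function names, the entry points and the RCU/atomic infrastructure sets are assumptions, and the page does not define how "new funcs base both" is derived, so that derivation is an assumption too.

```python
from typing import Dict, Iterable, Set

# Constructed toy call graph (function -> direct callees); not the kernel's real graph.
CALLGRAPH: Dict[str, Set[str]] = {
    # base configuration
    "do_syscall": {"sys_read", "sys_write", "sys_open"},
    "sys_read": {"vfs_read", "rcu_read_lock", "fdget"},
    "sys_write": {"vfs_write", "rcu_read_lock", "fdget"},
    "sys_open": {"do_filp_open", "fdget", "audit_log"},
    "vfs_read": {"rw_verify_area"}, "vfs_write": {"rw_verify_area"},
    "fdget": {"atomic_inc"},
    # seccomp layer (only reachable with seccomp enabled)
    "secure_computing": {"seccomp_run_filters", "seccomp_send_sigsys"},
    "seccomp_run_filters": {"rcu_read_lock", "atomic_inc", "bpf_prog_run"},
    "seccomp_send_sigsys": {"send_sig_info", "audit_log"},
    # cgroup device controller (only reachable with cgroups enabled)
    "devcgroup_check_permission": {"rcu_read_lock", "match_exception", "audit_log"},
    "match_exception": {"atomic_inc"},
}   # leaf functions (no callees) are simply absent as keys
BASE_ROOTS, SECCOMP_ROOTS = {"do_syscall"}, {"secure_computing"}
CGROUP_ROOTS = {"devcgroup_check_permission"}
INFRA = {"rcu funcs": {"rcu_read_lock"}, "atomic funcs": {"atomic_inc"}}


def reachable(graph: Dict[str, Set[str]], roots: Iterable[str]) -> Set[str]:
    """Transitive closure of the call graph from the given entry points."""
    seen: Set[str] = set()
    stack = list(roots)
    while stack:
        fn = stack.pop()
        if fn not in seen:
            seen.add(fn)
            stack.extend(graph.get(fn, ()))
    return seen


def config_sets(graph: Dict[str, Set[str]] = CALLGRAPH) -> Dict[str, Set[str]]:
    """The sets of the slides: BASE, SEC = base+seccomp, CGR = base+cgroups."""
    base = reachable(graph, BASE_ROOTS)
    sec = reachable(graph, BASE_ROOTS | SECCOMP_ROOTS)
    cgr = reachable(graph, BASE_ROOTS | CGROUP_ROOTS)
    seccomp_only, cgroups_only = sec - base, cgr - base
    # base functions each layer depends on: reachable from the layer's own code
    fb_sec = reachable(graph, seccomp_only) & base
    fb_cgr = reachable(graph, cgroups_only) & base
    fb_both = fb_sec & fb_cgr
    return {
        "baseconfig": base, "baseconfig+seccomp": sec, "seccomp": seccomp_only,
        "baseconfig+cgroups": cgr, "cgroups": cgroups_only,
        "both not in baseconfig": (sec & cgr) - base,   # (SEC ∩ CGR) \ BASE
        "funcs base seccomp": fb_sec, "funcs base cgroups": fb_cgr,
        "funcs base both": fb_both,
        "rcu funcs": fb_both & INFRA["rcu funcs"],
        "atomic funcs": fb_both & INFRA["atomic funcs"],
        # assumption: the shared base code once RCU/atomic infrastructure is removed
        "new funcs base both": fb_both - INFRA["rcu funcs"] - INFRA["atomic funcs"],
    }


def independent_outside_base(sets: Dict[str, Set[str]]) -> bool:
    """Criterion of the intersection slide: no shared code outside baseconfig."""
    return not sets["both not in baseconfig"]


if __name__ == "__main__":
    for name, fns in config_sets().items():
        print(f"{name:<24}{len(fns):>6}")
```

The remaining "new funcs base both" set is the list of shared base functions a reviewer has to examine for common-cause failure between the two layers.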
Developers Overlap
| Author | seccomp cur | seccomp hist | cgroups cur | cgroups hist |
|---|---|---|---|---|
| Kees Cook | 2740 | 26 | 4 | 2 |
| Arnaldo Carvalho de Melo | 50 | 2 | 18 | 6 |
| Linus Torvalds | 44 | 15 | 1 | 139 |
| Daniel Borkmann | 61 | 5 | 201 | 6 |
| Paul Mundt | 10 | 1 | 1 | 1 |
| Al Viro | X | 1 | X | 10 |
| Andrew Morton | X | 1 | X | 2 |
| Fabian Frederick | X | 1 | X | 2 |
| James Morris | X | 2 | X | 6 |
| Stephen Rothwell | X | 2 | X | 2 |
| David Howells | X | 3 | X | 5 |

cur . . . Number of lines in v4.9.18. hist . . . Number of commits in all versions.
Analysis of Effectiveness
Similar to traditional LOPA . . .
Identify all IEs (Hazard Analysis)
Identify suitable IPLs for each identified IE
Choose IPLs that are used
Example
Scenario: An application uses 2 devices, one is only written to, the second one is only read from.
IE: Writing to the read-only device leads to a hazardous situation.
Error handling.
Source-code review/audit.
cgroups device controller rules prevent wrong access to devices.
seccomp rules check whether system calls that amount to wrong usage are performed.
Evidence
Let’s check it out!
Literature
[0] IEC 61511: Functional safety – Safety instrumented systems for the process industry sector
[1] Guidelines for Initiating Events and Independent Protection Layers in Layer of Protection Analysis, Center for Chemical Process Safety
[2] Safety Integrity Level Selection – Systematic Methods Including Layer of Protection Analysis, Ed Marszal and Eric Scharpf
[3] Lines of Defence/Layers of Protection Analysis in the COMAH Context, Prepared by Amey VECTRA Limited for the Health and Safety Executive, http://www.hse.gov.uk/research/misc/vectra300-2017-r02.pdf
[4] Functional Safety: Where have we come from? Where are we going? Audrey Canning
Questions?
Ask now, or e-mail me later!
Andreas Platschek<[email protected]>
Seccomp Developers: Lines in current version

```console
# one "%an" line per non-merge commit touching a seccomp source file;
# uniq -c therefore counts commits per author (pattern quoted so the shell does not expand it)
linux-stable$ find . -name '*seccomp*.[ch]' | \
    xargs git log --no-merges --format="%an" | sort | \
    uniq -c | sort -nr
     27 Kees Cook
      7 Will Drewry
      7 Andy Lutomirski
      7 Alexei Starovoitov
      5 Daniel Borkmann
      4 Mickael Salaun
      4 Matt Redfearn
      3 Ralf Baechle
      3 David Howells
      3 Andrea Arcangeli
```
cgroup developers: Lines in current version

```console
# same pipeline over the cgroup sources: commits per author, non-merge commits only
linux-stable$ find . -name '*cgroup*.[ch]' | \
    xargs git log --no-merges --format="%an" | sort | \
    uniq -c | sort -nr
    641 Tejun Heo
    137 Li Zefan
     42 Paul Menage
     29 Vivek Goyal
     22 Al Viro
     18 Aristeu Rozanski
     15 Ben Blum
     13 Lai Jiangshan
     12 Daniel Wagner
     11 Johannes Weiner
```
seccomp developers: commits over all versions

```console
# git blame --line-porcelain emits one "author" line per source line, so
# uniq -c counts the lines each author is responsible for in the checked-out tree
linux-stable$ for FILE in $(find . -name '*seccomp*.[ch]'); do \
    git blame --line-porcelain "$FILE" | egrep "^author "; done | \
    cut -d " " -f 2- | sort | uniq -c | sort -nr
   2740 Kees Cook
    241 Will Drewry
    100 Andy Lutomirski
     89 Tycho Andersen
     69 Matt Redfearn
     61 Daniel Borkmann
     55 AKASHI Takahiro
     50 Arnaldo Carvalho de Melo
     48 David Howells
     44 Linus Torvalds
```
cgroups developers: commits over all versions

```console
# same blame pipeline over the cgroup sources: lines per author in the checked-out tree
linux-stable$ for FILE in $(find . -name '*cgroup*.[ch]'); do \
    git blame --line-porcelain "$FILE" | egrep "^author "; done | \
    cut -d " " -f 2- | sort | uniq -c | sort -nr
   8772 Tejun Heo
    907 Paul Menage
    492 Aristeu Rozanski
    407 Aneesh Kumar K.V
    366 Aleksa Sarai
    318 Serge E. Hallyn
    288 Li Zefan
    211 Sargun Dhillon
    204 Daniel Borkmann
    192 Aditya Kali
```
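Added example (not from the slides): how the Developers Overlap table is assembled from the kind of output the four commands above produce, i.e. `git blame --line-porcelain` for lines in the current tree and `git log --format=%an` for commits over all versions. The blame and log text below is constructed sample data, not real kernel history.

```python
from collections import Counter
from typing import Dict, Tuple


def porcelain(*authors: str) -> str:
    """Constructed `git blame --line-porcelain` text: a header line, an
    'author' line and one tab-prefixed source line per blamed line."""
    return "".join(f"deadbeef {i} {i} 1\nauthor {a}\n\tline {i}\n"
                   for i, a in enumerate(authors, 1))


# Constructed samples standing in for the four command outputs; not real data.
SECCOMP_BLAME = porcelain("Kees Cook", "Kees Cook", "Will Drewry", "Daniel Borkmann")
SECCOMP_LOG = "Kees Cook\nWill Drewry\nAl Viro\nKees Cook\nDaniel Borkmann\n"
CGROUP_BLAME = porcelain("Tejun Heo", "Daniel Borkmann", "Tejun Heo", "Daniel Borkmann")
CGROUP_LOG = "Tejun Heo\nAl Viro\nTejun Heo\nDaniel Borkmann\n"

Row = Tuple[int, int, int, int]  # seccomp cur, seccomp hist, cgroups cur, cgroups hist


def lines_per_author(blame: str) -> Counter:
    """Lines per author in the checked-out tree (the egrep/cut/uniq -c pipeline)."""
    return Counter(l[len("author "):] for l in blame.splitlines()
                   if l.startswith("author "))


def commits_per_author(log: str) -> Counter:
    """Non-merge commits per author from `git log --format=%an`."""
    return Counter(l for l in log.splitlines() if l)


def developer_overlap(sec_blame: str, sec_log: str,
                      cgr_blame: str, cgr_log: str) -> Dict[str, Row]:
    """Authors who touched both subsystems, now or in the past: the people
    through whom a common-cause fault could reach both protection layers."""
    sec_cur, sec_hist = lines_per_author(sec_blame), commits_per_author(sec_log)
    cgr_cur, cgr_hist = lines_per_author(cgr_blame), commits_per_author(cgr_log)
    shared = (set(sec_cur) | set(sec_hist)) & (set(cgr_cur) | set(cgr_hist))
    return {a: (sec_cur[a], sec_hist[a], cgr_cur[a], cgr_hist[a]) for a in sorted(shared)}


def format_table(rows: Dict[str, Row]) -> str:
    """Render like the overlap slide; X marks no lines in the current version."""
    def cell(n: int) -> str:
        return "X" if n == 0 else str(n)
    out = [f"{'Author':<26}{'sec cur':>8}{'sec hist':>9}{'cgr cur':>8}{'cgr hist':>9}"]
    for author, counts in rows.items():
        out.append(f"{author:<26}" + "".join(f"{cell(n):>{w}}" for n, w in zip(counts, (8, 9, 8, 9))))
    return "\n".join(out)


if __name__ == "__main__":
    print(format_table(developer_overlap(SECCOMP_BLAME, SECCOMP_LOG, CGROUP_BLAME, CGROUP_LOG)))
```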
seccomp
Default behavior – deny all system calls:

```c
/* libseccomp: every system call not matched by a later rule is killed */
scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL);
```

Add used, safe system calls explicitly:

```c
/* allow read(2) only on the one descriptor fd the application may read from;
   seccomp_load(ctx) then installs the filter into the kernel */
seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW,
                       SCMP_SYS(read), 1, SCMP_A0(SCMP_CMP_EQ, fd));
```
cgroups
Add a new cgroup (device controller):

```console
# cd /sys/fs/cgroup/devices/
# mkdir newgroup
# cd newgroup
```

Access permissions per cgroup (read/write/mknod) are defined per device:

```console
# echo a > devices.deny
# echo 'c 1:3 w' > devices.allow
```

Add application to cgroup:

```console
# echo $$ > tasks
```

EPERM is returned by system calls that violate cgroups device controller rules:

```console
open("/dev/urandom", O_RDWR) = -1 EPERM (Operation not permitted)
```