September 14-15, 2017 - Los Angeles, CA
Thursday, September 14 • 10:45am - 11:30am
Landlock LSM: Toward Unprivileged Sandboxing - Mickaël Salaün, Developer

Linux has multiple access-control systems that can help contain malicious processes. However, it may be difficult and inefficient, especially for unprivileged users, to create a sandboxed application because the current security mechanisms are administrator-oriented. Unlike XNU Sandbox (macOS, iOS), Capsicum (FreeBSD) or Pledge (OpenBSD), seccomp-bpf lacks the ability to create a full standalone sandbox (e.g. restrict access to a set of files).

In this talk, we present a new LSM called Landlock. Its final aim is to enable unprivileged users to isolate their processes following the principle of least privilege. To achieve this goal, Landlock leverages eBPF to create flexible access-control rules. Thanks to multiple reviews, Landlock is getting closer to upstream, while gaining interest from the hardening and the container communities.

Speakers
Mickaël Salaün

Security Engineer, ANSSI
Mickaël Salaün is a security researcher, software developer and open source enthusiast. He is mostly interested in Linux-based operating systems, especially from a security point of view. He works on system hardening and has built security sandboxes (e.g. StemJail) before hacking...


Thursday September 14, 2017 10:45am - 11:30am
Gold 4
