Star Lab has long believed that Secure by Design is the best strategy for approaching security problems. To understand why this principle guides our work, you first need to understand the difficult class of problems we hope to address.
Read MoreOne question we frequently get is “Why would I use something like Titanium Security Suite, instead of other Linux Security Modules (LSMs) like SELinux or AppArmor?”. In short, there’s no reason you can’t use both. SELinux and Titanium primarily differ in their threat model, concept of operations (CONOPS), and flexibility.
Read MoreYou are a security conscious systems-engineer using a Linux-based operating system for your project. You’ve already taken a tour of Linux Security Modules (LSMs) and know how you might use them to increase the security of your system.
However, you may have also heard about Linux’s Secure Computing (seccomp) facilities. You may wonder how LSMs and seccomp compare to one another, why you cannot implement the features of seccomp as an LSM, and when you should use each. This post aims to provide some answers.
Seccomp and LSMs both result in the kernel constraining how a process interacts with the system, but with important differences. Namely, Secure Computing Mode, or seccomp, is about limiting the system calls a process can make. LSMs, in contrast, are about controlling access to objects in the kernel.
Read MoreEarly computer architectures, like the first Acorn RISC Machine pictured in Figure 0, had no support for CPU virtualization. In the 30 years since, processor designers have added new hardware components to fully enable virtualization.
This article explores how the Xen hypervisor supports CPU virtualization on modern ARM processors. We will start with a short background on virtualization and Xen, followed by a discussion of how ARM supports CPU virtualization with the virtualization extensions and finishing with a discussion of how Xen utilizes these features.
We are focused specifically on the ARMv8 architecture, commonly referred to as AArch64, and systems that support the ARM virtualization extensions. We will be assuming that a device tree is used for hardware discovery as is the case for nearly all embedded ARM devices.
Read MoreThis article will explore how the Xen hypervisor uses the Memory Management Unit (MMU) on ARM architecture to support virtualization. We’ll take a brief look at the history and purpose of the MMU then dive into Xen specifics, focusing on the ARMv8 implementation.
Read MoreAt Star Lab, we’ve seen a recent increase in the number of defense industry research projects calling for the use of Machine Learning (ML) in innovative and unique ways. As we continue to work on these projects, we have noticed the need for better collaboration between software developers and data scientists. Better communication and a comprehensive understanding of what the other field needs and why it is needed has proven necessary for efficient and effective incorporation of ML elements into traditional defense industry projects.
Read MoreAt Star Lab, we’ve seen a recent increase in the number of defense industry research projects calling for the use of Machine Learning (ML) in innovative and unique ways. As we continue to work on these projects, we have noticed the need for better collaboration between software developers and data scientists. Better communication and a comprehensive understanding of what the other field needs and why it is needed has proven necessary for efficient and effective incorporation of ML elements into traditional defense industry projects.
Read MoreAchieving memory safety is hard. Code is written by humans, and humans are bound to make mistakes. Tack on pointer arithmetic and strict aliasing and the situation only becomes more complex. ZDNet recently posted an article stating that 70 percent of all (Microsoft) security bugs are memory safety issues, and I would guess that this statistic is not specific to Microsoft. In LLVM 3.1 and in GCC 4.8, the compilers introduced the -fsanitize=address
option and the asan
libraries for user-space applications to be built with the Address Sanitizer.
I’m guessing, if you’re reading this post, you already have some familiarity with Linux Security Modules (LSMs). If you’ve used SELinux or AppArmor then you’ve used an LSM. If you’ve used any modern Linux distribution or Android-based device, you’ve (probably) used an LSM.
Read MoreThere are many great tools that are useful for debugging the Linux kernel, including good old-fashioned printk
, ftrace, and kgdb
. In this post we’ll be exploring how to use the kernel debugger (kgdb
) to debug a QEMU VM, although some of the techniques below may be applied to debugging via hardware interfaces like JTAG. Using gdb
as a front-end for the kernel debugger allows us to debug the kernel in the familiar and powerful debugging interface of gdb
.