Core Policy Management Infrastructure for SELinux
1 Core Policy Management Infrastructure for SELinux
2005 SELinux Symposium
Karl MacMillan, Tresys Technology
2 Core Policy Management Infrastructure
- Production systems need policy management
  - addition and removal of application policy
  - updates to existing policy
  - user and role administration
- Required to fully leverage dynamic policy
  - core capability available
  - supporting infrastructure required
- Infrastructure needs to be secure and robust
  - ideally across multiple systems
3 Policy Management Robustness
- Current policy management is not robust
  - changes and updates use a compile process
  - errors are compile errors
  - requires a complete development environment
  - no strong dependency model
  - source policy is closely coupled
  - difficult to automate with tools
- Current weaknesses force compromises
  - Fedora / RHEL does not require source policy
  - prevents important local customizations
- Some workarounds available
  - transformation of binary policy on load
4 Policy Management Security
- Policy modifications are controlled, but only at a coarse granularity
  - a single permission for policy loading grants access to change any portion of the policy
  - no provision for least privilege (e.g., seuser is granted complete policy control)
- No secure delegation of policy administration
  - give the ability to change a portion of the policy
  - ensure that the overall policy intent is not changed
- No means to verify security goals on policy change (e.g., automated analysis)
- Policy managed on a single-system basis
5 User-space Object Managers
- User-space object managers enforce access control over internal resources using the SELinux access control model
  - DBus, passwd, and X are current examples
- Creates additional object classes
  - currently requires kernel modifications
  - no dynamic object class registration
- All policy loaded into the kernel, even policy only enforced in user space
  - wastes precious kernel resources
6 Policy Management Projects
- Tresys working on two projects
  - policy modules
  - policy server
- Both address robustness and security
- Policy modules
  - functionally complete
  - submission for upstream soon
- Policy server
  - in progress
  - continuation of module work
  - prototype available
- Projects available on Sourceforge
7 Policy Module Introduction
- Three main goals
  - create manageable binary policy modules
    - different from existing kernel binary format
    - including labeling information
  - support loosely coupled policies
    - strong dependency model
  - infrastructure to securely manage modules
    - manage and link modules on production systems
    - maintain consistent, coherent policy at all times
    - verify security goals on policy change
- Other design goals
  - migration path from existing infrastructure
  - preserve existing kernel binary format
8 Policy Module Architecture Introduction
- Two major components
  - development tools: checkmodule, sepackagemodule, ...
  - policy module store and tools: semodule
- Development tools allow policy developers to create policy modules
- Policy module store and tools manage policy modules on production systems
9 Policy Module Infrastructure
(diagram; only the flow is recoverable)
- Development side
  - application source + file contexts -> checkmodule -> policy module -> policy package
  - policy source + file contexts -> checkmodule -> base module -> base package
- Production side
  - Module Store (modules, base module, file contexts) -> semodule -> linker -> linked policy -> expander -> kernel binary -> kernel
10 Policy Module Challenges
- Linking modules requires
  - preserving and expanding attributes
  - expanding wildcards (* and ~) in both rules and declarations
  - addition and awareness of identifier scope
- Required widespread changes to libsepol
  - modified libsepol supports kernel binary format, base module format, and module format
  - security-server functionality only supports the kernel format
11 Policy Store and Tools
- Policy store
  - structured files and directories protected by the policy
  - contains modules and file contexts
- semodule manages the policy store
  - provides atomic transactions
    - multiple modules can be added or removed
    - failures result in abort of the entire transaction
  - enforces consistency and coherency
  - performs locking against multiple writers
  - executes policy verification applications
  - creates and loads the kernel binary
12 Checkmodule
- New policy compiler for modules
- Introduces new language features
  - language subset for modules: excludes object class declaration
  - labeling statements
  - dependency handling of policy identifiers
    - users, roles, types, attributes, object classes, and bools
    - both required and optional identifier sets
  - link-time conditional policy statements based on optional identifier sets
- Shares substantial code with checkpolicy
13 Module Language Example

    module test 1.0;

    require {
        class file { getattr setattr read write ioctl execute entrypoint lock };
        ...
        attribute domain, userdomain, file_type, exec_type;
        role sysadm_r, user_r, system_r;
        type sysadm_t, user_t;
    }

    optional gnome {
        type gnome_t, xserver_t;
    }

    type test_t, domain;
    type test_exec_t, file_type, exec_type;

    role sysadm_r types test_t;
    role user_r types test_t;

    domain_auto_trans(userdomain, test_exec_t, test_t)

    ifopt (gnome) {
        allow test_t gnome_t : file { getattr read };
        allow test_t xserver_t : file { read write ioctl getattr setattr };
    }
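The link step that slides 10 through 13 describe, as an added example in Python that is not the Tresys libsepol code: modules carry required and optional identifier sets, the linker collects every declaration first, drops optional blocks whose identifiers are absent, rejects missing required ones, and then expands attributes and the * and ~ wildcards into concrete rules. Roles, users and the domain_auto_trans macro are left out; the object-class table, the base module and the gnome module are constructed for the example.

```python
"""Toy linker for SELinux policy modules (added example, not libsepol):
resolve require/optional identifier sets at link time, then expand
attributes and the '*' / '~' permission wildcards into concrete rules."""
from dataclasses import dataclass, field

# Constructed object-class table: the 'file' class from the slide 13 example.
CLASSES = {
    "file": {"getattr", "setattr", "read", "write", "ioctl",
             "execute", "entrypoint", "lock"},
}


class LinkError(Exception):
    """Raised when a module cannot be linked (missing or duplicate identifiers)."""


@dataclass
class Module:
    name: str
    types: dict                                   # type -> set of attributes
    rules: list                                   # (src, tgt, class, perm_spec)
    required: set = field(default_factory=set)    # identifiers that must exist
    optional: dict = field(default_factory=dict)  # block -> identifiers it needs
    ifopt: dict = field(default_factory=dict)     # block -> rules used if satisfied


def expand_perms(cls, spec):
    """perm_spec is a set of permissions, '*' (all) or ('~', set) (all but)."""
    all_perms = CLASSES[cls]
    if spec == "*":
        return set(all_perms)
    if isinstance(spec, tuple) and spec[0] == "~":
        return all_perms - set(spec[1])
    unknown = set(spec) - all_perms
    if unknown:
        raise LinkError(f"class {cls} has no permission(s) {sorted(unknown)}")
    return set(spec)


def expand_ident(name, types, by_attr):
    """A rule's source/target is a type, an attribute, or '*' (every type)."""
    if name == "*":
        return set(types)
    if name in types:
        return {name}
    if name in by_attr:
        return set(by_attr[name])
    raise LinkError(f"undeclared identifier {name}")


def link(base, modules):
    """Link modules against a base; return sorted (src, tgt, class, perm) rules.
    Declarations are collected from every module before any rule is linked,
    so an optional block is satisfied regardless of module order."""
    types = {}
    for m in [base] + list(modules):
        for t, attrs in m.types.items():
            if t in types:
                raise LinkError(f"type {t} declared twice ({m.name})")
            types[t] = set(attrs)
    by_attr = {}
    for t, attrs in types.items():
        for a in attrs:
            by_attr.setdefault(a, set()).add(t)
    declared = set(types) | set(by_attr) | set(CLASSES)

    rules = []
    for m in [base] + list(modules):
        missing = m.required - declared
        if missing:
            raise LinkError(f"module {m.name} requires {sorted(missing)}")
        rules.extend(m.rules)
        for block, needs in m.optional.items():
            if needs <= declared:          # link-time conditional (slide 12)
                rules.extend(m.ifopt.get(block, []))

    expanded = set()
    for src, tgt, cls, spec in rules:
        for s in expand_ident(src, types, by_attr):
            for t in expand_ident(tgt, types, by_attr):
                for p in expand_perms(cls, spec):
                    expanded.add((s, t, cls, p))
    return sorted(expanded)


# Constructed sample mirroring slide 13: a base, the 'test' module, and a
# 'gnome' module that satisfies test's optional block.
BASE = Module("base", types={
    "sysadm_t": {"domain", "userdomain"},
    "user_t": {"domain", "userdomain"},
    "bin_t": {"file_type", "exec_type"},
}, rules=[("domain", "bin_t", "file", ("~", {"write", "setattr"}))])

TEST = Module(
    "test",
    types={"test_t": {"domain"}, "test_exec_t": {"file_type", "exec_type"}},
    rules=[("userdomain", "test_exec_t", "file", {"read", "execute"}),
           ("test_t", "test_exec_t", "file", {"entrypoint"})],
    required={"domain", "userdomain", "file_type", "exec_type", "file"},
    optional={"gnome": {"gnome_t", "xserver_t"}},
    ifopt={"gnome": [("test_t", "gnome_t", "file", {"getattr", "read"}),
                     ("test_t", "xserver_t", "file", "*")]},
)

GNOME = Module("gnome", types={"gnome_t": {"domain"}, "xserver_t": {"domain"}},
               rules=[])

if __name__ == "__main__":
    for rule in link(BASE, [TEST, GNOME]):
        print(*rule)
```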
14 Policy Server Introduction
- Three goals
  - fine-grained policy access control
    - least privilege on policy change
    - delegation of policy management
  - enhanced policy management (local and remote)
  - robust support for user-space object managers
- Architecture comprised of two components
  - policy management server
  - user-space security server
15 Architecture Overview
- Policy management server
  - contains the canonical policy
  - mediates all changes to policy, eventually including remote changes
  - enforces access control on policy
    - policy object model
    - hierarchical constraints
  - distributes policy to security servers (user and kernel)
    - kernel only receives kernel policy
- User-space security server
  - provides access control decisions to user space
  - dynamic object class management / registration
16 Language Extensions
- Policy object model
  - abstraction of policy into object classes (e.g., policy.user, policy.role, policy.type)
  - objects explicitly labeled (policycon)
  - policy rules control changes to policy (meta-policy)
- Hierarchical constraints
  - introduces hierarchy into policy identifier namespaces (e.g., apache, apache.cgi, apache.cgi.user)
  - children's access constrained to be a subset of the parent's
  - patches and separate verifier available
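A verifier for the hierarchical constraint on slide 16, as an added example that is not the policy server's own verifier: every dotted identifier must have a declared parent, and a child's (target, class, permission) triples must be a subset of its immediate parent's. It also checks a proposed change before it is committed, which is the verification step slide 11 and slide 15 describe; the apache types and rules are constructed for the example.

```python
"""Hierarchical-constraint verifier (added example). Rules are concrete
(src, tgt, class, perm) tuples, i.e. policy after attribute expansion."""


def parent_of(ident):
    """'apache.cgi.user' -> 'apache.cgi'; a top-level identifier has no parent."""
    return ident.rsplit(".", 1)[0] if "." in ident else None


def verify_hierarchy(types, rules):
    """Return sorted problems, each either
    ('missing-parent', child, parent, None) or
    ('exceeds-parent', child, parent, (tgt, class, perm))."""
    access = {t: set() for t in types}
    for src, tgt, cls, perm in rules:
        access.setdefault(src, set()).add((tgt, cls, perm))
    problems = []
    for child in sorted(access):
        parent = parent_of(child)
        if parent is None:
            continue
        if parent not in access:
            problems.append(("missing-parent", child, parent, None))
            continue
        # Only the immediate parent is compared; because every level is
        # checked, the subset property then holds up the whole tree.
        for extra in sorted(access[child] - access[parent]):
            problems.append(("exceeds-parent", child, parent, extra))
    return problems


def check_change(types, rules, new_rules):
    """Problems a proposed set of new rules would introduce; an empty list
    means the change keeps the hierarchy intact and may be committed."""
    before = set(verify_hierarchy(types, rules))
    after = verify_hierarchy(types, list(rules) + list(new_rules))
    return [p for p in after if p not in before]


# Constructed sample: a three-level apache hierarchy that satisfies the
# constraint as declared.
TYPES = {"apache", "apache.cgi", "apache.cgi.user",
         "httpd_config_t", "httpd_log_t", "user_home_t"}
RULES = [
    ("apache", "httpd_config_t", "file", "read"),
    ("apache", "httpd_log_t", "file", "read"),
    ("apache", "httpd_log_t", "file", "append"),
    ("apache", "user_home_t", "file", "read"),
    ("apache.cgi", "httpd_config_t", "file", "read"),
    ("apache.cgi", "httpd_log_t", "file", "append"),
    ("apache.cgi", "user_home_t", "file", "read"),
    ("apache.cgi.user", "user_home_t", "file", "read"),
]

if __name__ == "__main__":
    print(verify_hierarchy(TYPES, RULES))
    # A grandchild asking for more than its parent, and a child with no parent.
    print(check_change(TYPES, RULES, [
        ("apache.cgi.user", "user_home_t", "file", "write"),
        ("mail.local", "user_home_t", "file", "read"),
    ]))
```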
17 Policy Management Infrastructure QUESTIONS?