The document discusses various techniques for debugging Linux kernel modules and device drivers, including:
1) Using printk statements to output debugging messages from within the kernel.
2) Examining the interaction between kernel and userspace using strace to see system calls.
3) Adding entries to /proc filesystem for additional output.
4) Enabling kernel debugging with kgdb or hardware debuggers.
5) Common error types like kernel panics and oops messages that indicate issues.
The document summarizes the steps taken to analyze and exploit a DEFCON CTF binary file called "annyong". It describes using various Linux commands like file, strings, hexdump, readelf, and checksec to gather information about the binary. The analysis revealed the binary is position independent and has NX, PIE, and partial RELRO protections. The exploit uses return oriented programming (ROP) to execute a system call and spawn an interactive shell, bypassing protections by overwriting return addresses on the stack.
Lecture slides that I used in Advanced Information Security Summer School (AIS3, 2016 & 2018) in Taiwan. https://ais3.org/
台湾の高度セキュリティ人材育成プログラム(AIS3, 2016/2018)の講義で利用した講義資料です。
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...Asuka Nakajima
[Abstract]
When developing a 1-day exploit code, patch diffing (binary diffing) is one of the major techniques to identify the part that security fixes are applied. This technique is well-known since long ago among reverse engineers, and thus to support the diffing, various tools such as BinDiff, TurboDiff, and Diaphora have been developed. However, although those fantastic tools greatly support the analysis, patch diffing is still a difficult task because it requires deep knowledge and experience. In order to address this issue, we conducted a pilot study with the goal to achieve a semi-automated patch diffing by applying machine-learning techniques. Based on the hypothesis that “similar types of vulnerabilities will be fixed in a similar manner,” we have applied the unsupervised machine learning technique to extract those patterns and considered the way to achieve semi-automated patch diffing. In the talk, we will show the details of our pilot study and share the insights that we have gained it. We believe that our insights will help other researchers who will conduct similar research in the future.
Reverse engineering techniques are used to analyze malware and understand obfuscated code. The document discusses various anti-research techniques used by malware authors to obstruct reverse engineering, including indirect jumps, self-modifying code, encryption, anti-debugging methods, and anti-emulation tricks. It also presents the author's research on a binary emulation system called BE-PUM that uses symbolic execution and pushdown modeling to analyze obfuscated code and handle anti-research obstructions.
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
In a world of high volume malware and limited researchers, we need a dramatic improvement in our ability to process and analyze new and old malware at scale. Unfortunately, what is currently available to the community is incredibly cost prohibitive or does not rise to the challenge. As malware authors and distributors share code and prepackaged tool kits, the white hat community is dominated by solutions aimed at profit as opposed to augmenting capabilities available to the broader community. With that in mind, we are introducing our library for malware disassembly called Xori as an open source project. Xori is focused on helping reverse engineers analyze binaries, optimizing for time and effort spent per sample.
Xori is an automation-ready disassembly and static analysis library that consumes shellcode or PE binaries and provides triage analysis data. This Rust library emulates the stack, register states, and reference tables to identify suspicious functionality for manual analysis. Xori extracts structured data from binaries to use in machine learning and data science pipelines.
We will go over the pain-points of conventional open source disassemblers that Xori solves, examples of identifying suspicious functionality, and some of the interesting things we've done with the library. We invite everyone in the community to use it, help contribute and make it an increasingly valuable tool in this arms race.
OSMC 2015: Linux Performance Profiling and Monitoring by Werner FischerNETWAYS
Nowadays system administrators have great choices when it comes down to Linux performance profiling and monitoring. The challenge is to pick the appropriate tools and interpret their results correctly.
This talk is a chance to take a tour through various performance profiling and benchmarking tools, focusing on their benefit for every sysadmin.
More than 25 different tools are presented. Ranging from well known tools like strace, iostat, tcpdump or vmstat to new features like Linux tracepoints or perf_events. You will also learn which tools can be monitored by Icinga and which monitoring plugins are already available for that.
At the end the goal is to gather reference points to look at, whenever you are faced with performance problems.
Take the chance to close your knowledge gaps and learn how to get the most out of your system.
This document discusses Cisco IOS shellcoding and reverse engineering. It covers topics like Cisco IOS shellcodes that are image-independent by disassembling or interrupting hijacking. It also discusses Tcl shellcodes, Cisco IOS reverse engineering challenges including lack of modularity and APIs. The document details subsystems, registries, processes, command parser tree, debugging Cisco IOS, and magic numbers used in Cisco IOS.
This talk gives a short introduction into buffer overflows, how to exploit them and which counter measures are used in openSUSE Linux to make exploitation harder.
We'll cover stack canaries, fortify source, address space layout randomization and NX. We'll see how they work and how they can be circumvented in a live demo of a working exploit that manages to circumvent these security measures.
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이GangSeok Lee
2012 CodeEngn Conference 06
Secuinside는 코스콤에서 주최, 연합해킹그룹 HARU, 고려대 정보보호대학원에서 주관하는 국제 해킹대회 및 보안컨퍼런스로써 얼마전 개최된 해킹대회 예선전 문제들을 풀기위해 사용한 분석기술과 ASLR과 NX를 우회하는 새로운 익스플로잇 기술에 대해서 소개한다.
http://codeengn.com/conference/06
Valgrind is an open source tool for debugging and profiling Linux x86 programs. It uses dynamic binary instrumentation to detect memory errors like use of uninitialized values, memory leaks, and invalid reads/writes. It includes tools like Memcheck for memory errors, Massif for heap profiling, Helgrind for data race detection, and Callgrind for call graph and profiling information. The presentation discusses how Valgrind works, its various tools, and best practices for using it to improve code quality and find bugs.
Possibility of arbitrary code execution by Step-Oriented Programmingkozossakai
Step-Oriented Programming (SOP) allows executing arbitrary code on embedded systems by repeating step execution and changing the program counter value. A debugger communicates with a target system's stub using the Remote Serial Protocol to read/write memory and registers, enabling full control via simple commands if the connection is compromised. SOP constructs code by combining pieces of existing machine code and executes it without needing to directly inject new code. Therefore attacks are possible even if execution from data areas is prevented. The presentation will demonstrate this attack principle and results from actual experimentation.
Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...Marco Balduzzi
Protocol gateways are embedded devices used in industrial facilities to integrate legacy equipment such as serial PLCs with modern control networks. Given the importance that these devices play in the operation of manufacturing plants, we conducted a vendor agnostic analysis of the technology behind protocol translation, by identifying new unexplored weaknesses and vulnerabilities. We evaluated five popular gateway products and discovered translation problems that enable potential adversaries to conduct stealthy and difficult-to-detect attacks, for example to arbitrarily disable, or enable a targeted machinery by mean of innocent-looking packets that bypass common ICS firewalls. In this presentation, we share the results of our findings and discuss the impact to the problems that we identified and their potential countermeasures.
This document discusses using JavaScript for embedded programming on microcontrollers. It introduces Espruino, which allows programming microcontrollers using JavaScript. Espruino provides inexpensive hardware with peripherals and libraries, making it suitable for hobbyists and prototyping. In contrast to Arduino, Espruino includes a debugger. The document demonstrates examples of using Espruino to read temperature and humidity sensors and expose sensor data over Bluetooth Low Energy. It encourages exploring Espruino and related projects like Tessel and Neonious for embedded JavaScript development.
The document discusses different types of shellcodes and their uses. It provides examples of x86 and x86_64 shellcode code to execute a Linux system call. It also lists resources for further information on shellcode design and exploitation techniques.
This document discusses the crash reporting mechanism in Tizen. It describes the crash client, which handles crash signals and generates crash reports. It covers Samsung's crash-work-sdk and Intel's corewatcher crash clients. It also discusses the crash server that receives reports and the CrashDB web interface. Finally, it mentions crash reason location algorithms.
The document discusses crash-resistance in software and how it can be exploited. It explains how exceptions generated by crashes in callback functions in Windows are handled, allowing programs to continue running despite crashes. This crash-resistance property is demonstrated through a simple example program. The document then discusses how crash-resistant probing of memory can be used to bypass defenses like ASLR by scanning process memory from a web worker without crashing the browser. Techniques like heap spraying and type confusion are used to craft fake objects and scan memory in a crash-resistant manner to discover information like the TEB and DLL base addresses.
This document provides VHDL code for implementing various logic gates and basic digital circuits. It includes code for AND, OR, NOT, NAND, NOR, XOR and XNOR gates. It also provides code for half adder, full adder, multiplexer, demultiplexer, decoder, encoder, comparator, BCD to binary converter, JK flip-flop, and an n-bit counter. For each circuit, the VHDL code and a sample waveform output is given. The purpose is to design these basic digital components using VHDL and simulate their behavior.
This document discusses Linux monitoring tools. It defines monitoring as observing an application to understand what it is doing, debug issues, and enhance performance. Linux has many built-in monitoring tools ranging from basic GUI tools to powerful command line tools. Top tools discussed include GNOME System Monitor, KSysGuard, XFCE Task Manager, and the console-based tool top, which shows CPU usage. Top has many advanced options like killing processes, customizing fields, and viewing by threads. Scripting and automating tools is recommended for effective monitoring.
Linux and system performance analysis.
Talk given at Sysadmin #6 - Feb 2016
- Global knowledge of how Linux on x86 works
- Measurements and gathering metrics
- Hunting down trouble-makers
- Specific optimizations with hardware
Perfomance Tuning, Monitoring, Management: Getting the Most from SUSE Linux E...Novell
This session discusses and demonstrates the less-known tools and options in SUSE Linux Enterprise Server 11. These tools, while perhaps less obvious, can be very valuable to the experienced user or administrator.
This session will include an overview of:
1. Performance tuning
2. Kernel resource management
3. Built-in monitoring capabilities
This document discusses troubleshooting issues with network cards on a Linux Debian server. It describes a problem where the network card is not detected and errors out, and provides a solution of editing the udev rules file to correctly assign the network interface name based on the hardware address to resolve the issue.
Operating systems control our hardware and run our applications on them, how can we monitor linux operating system?
When we speak about monitoring it's the matter of all hardwares and users.
The slides below will describe the very common command line basic tools for monitoring.
This session will first discuss basic analysis of a Linux system with pre-installed tools. You will learn several commands to help you understand Linux issues better.
In the second step, you will learn how to fix a broken Linux system. The session will teach some major troubleshooting techniques and will be filled with lots of demos that will show you how to fix real problems on real broken systems.
The document provides an overview of kernel crash dump analysis including:
- The tools and data required such as the crash utility, kernel symbol files, vmcore files
- How to install and use these components
- Basic crash commands to analyze system, memory, storage, and network subsystems
- How to dynamically load crash extension modules to add custom commands
When your whole system is unresponsive, how to investigate on this failure ?
We'll see how to get a memory dump for offline analysis with kdump system.
Then how to analyze it with crash utility.
And finally, how to use crash on a running system to modify the kernel memory (at your own risks !)
Extreme Linux Performance Monitoring and TuningMilind Koyande
This document provides an introduction to monitoring Linux system performance. It discusses determining the type of application running and establishing a baseline of typical system usage. Key CPU concepts are then outlined such as hardware interrupts, soft interrupts, real-time threads and kernel/user threads. Context switches between threads and the thread scheduling queue are also introduced. The goal is to understand typical system behavior and identify any bottlenecks.
The document provides an overview and introduction to crash dump analysis on Nexenta systems. It discusses core dumps, crash dumps, the panic process, and basic crash dump analysis using mdb. Key topics include process and thread terminology, interrupts and traps, hangs vs crashes vs panics, forensic data sources like console logs and crash dumps, and C language basics relevant to crash analysis like data types and functions. Examples of panic strings, stack traces, and thread lists from crash dumps are also provided, as well as guidance on determining if an issue is hardware, firmware, or software-related.
Monitoring CPU Utilization on LINUX (Shell Script Project)Dmitry Ponomarenko
This document describes a shell script that monitors CPU utilization on a Linux server. The script checks CPU usage every 15 minutes using the 'top' utility. If usage exceeds 75% but is less than 85%, it sends a warning to the administrator and users of the top 10 processes. If usage goes above 85%, it kills the top process and notifies the user. The script runs in the background via cron, and technical details are provided on how it extracts CPU usage and process details.
This document discusses Linux kernel crash capture and analysis. It begins with an overview of what constitutes a kernel crash and reasons crashes may occur, both from hardware and software issues. It then covers using kdump to capture virtual memory cores (vmcores) when a crash happens, and configuring kdump for optimal core collection. Finally, it discusses analyzing vmcores after collection using the crash utility, including commands to inspect system information, backtraces, logs, and more.
This is a high level presentation I delivered at BIWA Summit. It's just some high level thoughts related to today's NoSQL and Hadoop SQL engines (not deeply technical).
kexec / kdump implementation in Linux Kernel and Xen hypervisorThe Linux Foundation
kexec and kdump allow restarting the Linux kernel without rebooting into the BIOS. kexec loads a new kernel into memory, while kdump facilitates debugging of crashed systems by loading a dump capture kernel. These features were introduced in Linux 2.6.13 and are currently supported on several platforms. Development is ongoing to support kexec/kdump for paravirtualized Xen guests. Future plans include enabling crash recovery across Xen and guest domains.
HKG18-TR14 - Postmortem Debugging with CoresightLinaro
Session ID: HKG18-TR14
Session Name: HKG18-TR14 - Postmortem Debugging with Coresight
Speaker: Leo Yan
Track: Training
★ Session Summary ★
For most cases we can easily debug with kernel's oops dumping info, but sometimes we need to know more information for program execution flow before the issue happens. So we can rely on two tracing methods to reproduce the program execution flow, one method is using software tracing which is kernel's pstore method; another method is to rely on Coresight hardware tracing, this method also can avoid extra workload introduced by tracing itself. Coresight has provided two mechanisms for Postmortem debugging, one method is Coresight CPU debug module so we can extract CPU program counter info, this is quite straightforward to debug CPU lockup issue; Another is Coresight panic kdump, we connect kernel kdump mechanism to extract Coresight tracing data so we can reproduce the last execution flow before panic (even hang issue with some tweaking in kernel). This session wants to go through these topics and demonstrate the debugging tools on 96boards Hikey in 25 minutes session.
---------------------------------------------------
★ Resources ★
Event Page: http://connect.linaro.org/resource/hkg18/hkg18-tr14/
Presentation: http://connect.linaro.org.s3.amazonaws.com/hkg18/presentations/hkg18-tr14.pdf
Video: http://connect.linaro.org.s3.amazonaws.com/hkg18/videos/hkg18-tr14.mp4
---------------------------------------------------
★ Event Details ★
Linaro Connect Hong Kong 2018 (HKG18)
19-23 March 2018
Regal Airport Hotel Hong Kong
---------------------------------------------------
Keyword: Training
'http://www.linaro.org'
'http://connect.linaro.org'
---------------------------------------------------
Follow us on Social Media
https://www.facebook.com/LinaroOrg
https://www.youtube.com/user/linaroorg?sub_confirmation=1
https://www.linkedin.com/company/1026961
The document discusses exploiting a buffer overflow vulnerability in Internet Explorer's VML implementation (MS06-055) to execute arbitrary code. It describes overwriting the structured exception handler to gain control of the instruction pointer, using heap spraying to load a buffer in memory, and having the instruction pointer jump to the buffer to execute shellcode and spawn a command shell. Metasploit is introduced as an open-source framework for developing exploits.
The document discusses the "Hello World" program in C and assembly languages. It provides the C code, compiles and runs it using GCC and LLVM, and examines the output assembly code, object file and executable using various Linux tools like objdump, readelf, nm, and strace. It explains concepts like sections, segments, symbol tables, relocation records, and the role of linker and loader.
These slides were presented during technical event at my organization. It focuses on overview to find a root cause of the unexpected system down events. It is mainly useful for Linux or Unix system administrators. Here, I tried to cover all aspects of the topic. It took me more than 2 hours to present these slides, but one can also cover these slides within short time-span. Gray background of slides is implemented to hide the company logo and to preserve the confidentially of private template. However, The Knowledge is not restricted :)
This document summarizes the Linux audit system and proposes improvements. It begins with an overview of auditd and how audit messages are generated and processed in the kernel. Issues with auditd's performance, output format, and filtering are discussed. An alternative approach is proposed that uses libmnl for netlink handling, groups related audit messages into JSON objects, applies Lua-based filtering, and supports multiple output types like ZeroMQ and syslog. Benchmark results show this rewrite reduces CPU usage compared to auditd. The document advocates for continued abstraction and integration of additional data sources while avoiding feature creep.
The document discusses transaction-based hardware-software co-verification using emulation. It describes how traditional cycle-based co-verification is slow due to communication overhead between the testbench and emulator. Transaction-based co-verification improves speed by only synchronizing when required and allowing parallel execution. Transactors are used to convert high-level commands from the testbench to a bit-level protocol for the emulator. This allows emulation speeds of tens of MHz, orders of magnitude faster than cycle-based. An example transactor for a virtual memory is presented.
Shellcode is machine code that executes a shell when run. This document discusses shellcode, including:
- Shellcode injects machine code into a vulnerable application to spawn a shell.
- Three examples of shellcode are provided: an exit system call, displaying a message, and spawning a shell.
- Registers, assembly instructions, and system calls used in Linux are explained for creating shellcode.
OSSNA 2017 Performance Analysis Superpowers with Linux BPFBrendan Gregg
Talk by Brendan Gregg for OSSNA 2017. "Advanced performance observability and debugging have arrived built into the Linux 4.x series, thanks to enhancements to Berkeley Packet Filter (BPF, or eBPF) and the repurposing of its sandboxed virtual machine to provide programmatic capabilities to system tracing. Netflix has been investigating its use for new observability tools, monitoring, security uses, and more. This talk will be a dive deep on these new tracing, observability, and debugging capabilities, which sooner or later will be available to everyone who uses Linux. Whether you’re doing analysis over an ssh session, or via a monitoring GUI, BPF can be used to provide an efficient, custom, and deep level of detail into system and application performance.
This talk will also demonstrate the new open source tools that have been developed, which make use of kernel- and user-level dynamic tracing (kprobes and uprobes), and kernel- and user-level static tracing (tracepoints). These tools provide new insights for file system and storage performance, CPU scheduler performance, TCP performance, and a whole lot more. This is a major turning point for Linux systems engineering, as custom advanced performance instrumentation can be used safely in production environments, powering a new generation of tools and visualizations."
This document discusses the evolution of systems performance analysis tools from closed source to open source environments.
In the early 2000s with Solaris 9, performance analysis was limited due to closed source tools that provided only high-level metrics. Opening the Solaris kernel code with OpenSolaris in 2005 allowed deeper insight through understanding undocumented metrics and dynamic tracing tools like DTrace. This filled observability gaps across the entire software stack.
Modern performance analysis leverages both traditional Unix tools and new dynamic tracing tools. With many high-resolution metrics available, the focus is on visualization and collecting metrics across cloud environments. Overall open source improved systems analysis by providing full source code access.
This document discusses building a virtual platform for the OpenRISC architecture using SystemC and transaction-level modeling. It covers setting up the toolchain, writing test programs, and simulating the platform using event-driven or cycle-accurate simulation with Icarus Verilog or the Vorpsoc simulator. The virtual platform allows fast development and debugging of OpenRISC code without requiring physical hardware.
The document discusses reverse engineering the firmware of Swisscom's Centro Grande modems. It identifies several vulnerabilities found, including a command overflow issue that allows complete control of the device by exceeding the input buffer, and multiple buffer overflow issues that can be exploited to execute code remotely by crafting specially formatted XML files. Details are provided on the exploitation techniques and timeline of coordination with Swisscom to address the vulnerabilities.
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON
The document discusses 5 ways to exploit JTAG (Joint Test Action Group) interfaces to gain unauthorized access or privileges on a system. The 5 techniques are: 1) Accessing non-volatile storage like flash memory via boundary scan, 2) Scraping memory for offline forensic analysis, 3) Patching boot arguments to change how the system boots, 4) Directly patching the kernel by modifying code or function pointers in memory, and 5) Patching a specific process by searching memory for its code and modifying it. While some techniques like memory scraping are slow, others like boot argument patching or kernel patching can be done quickly and provide privileged access. JTAG interfaces provide I/O, execution control, and memory access that enable
VMware’s Nathan Small who works as a Staff Engineer at Global Support Services has put together a great presentation about Advanced Root Cause Analysis. The presentation was designed to give you more insight into how a VMware Technical Support Engineer reviews logs, gathers data and performs in-depth analysis. Nathan is hoping to show you the skills they’re using every day to help determine the root cause for an issue in your environment. With this core knowledge, you will become more self-sufficient within your own environment and be able to diagnose an issue as it occurs rather than after the damage has been done.
This document provides information on advanced root cause analysis techniques for VMware ESX environments. It discusses log file locations and purposes, how to increase logging levels for specific drivers to provide more debug information, listing and setting loadable module parameters, setting up serial logging and remote syslog, and forcing crashes to collect memory dumps. The document aims to equip support engineers with tools and techniques for thorough troubleshooting when initial logs are insufficient.
Modern CPUs use various techniques to improve performance such as instruction pipelining, cache memory, superscalar execution, out-of-order execution, speculative execution, and branch prediction. However, these optimizations can introduce security vulnerabilities like Spectre and Meltdown attacks which exploit side effects of speculative execution in the CPU cache to leak secret data from memory. Speculative execution may process instructions early before branch resolution, potentially loading secret data into the cache where an attacker can detect it using precise timing measurements. While fixes have been developed, fully mitigating these issues remains an ongoing challenge for CPU architecture.
The document discusses exploiting a use-after-free vulnerability on Android devices to gain remote code execution. It explains how the vulnerability works, analyzing the crash to gain control of the R0 register and needing to control heap memory to redirect execution to shellcode. The goal is to populate the heap to control where shellcode is placed, hijack control flow to it by overwriting a pointer, and thereby execute arbitrary code on the device.
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
"In a world of high volume malware and limited researchers we need a dramatic improvement in our ability to process and analyze new and old malware at scale. Unfortunately what is currently available to the community is incredibly cost prohibitive or does not rise to the challenge. As malware authors and distributors share code and prepackaged tool kits, the corporate sponsored research community is dominated by solutions aimed at profit as opposed to augmenting capabilities available to the broader community. With that in mind, we are introducing our library for malware disassembly called Xori as an open source project. Xori is focused on helping reverse engineers analyze binaries, optimizing for time and effort spent per sample.
Xori is an automation-ready disassembly and static analysis library that consumes shellcode or PE binaries and provides triage analysis data. This Rust library emulates the stack, register states, and reference tables to identify suspicious functionality for manual analysis. Xori extracts structured data from binaries to use in machine learning and data science pipelines.
We will go over the pain-points of conventional open source disassemblers that Xori solves, examples of identifying suspicious functionality, and some of the interesting things we've done with the library. We invite everyone in the community to use it, help contribute and make it an increasingly valuable tool for researchers alike."
An Embedded Error Recovery and Debugging Mechanism for Scripting Language Ext...David Beazley (Dabeaz LLC)
The document describes an embedded error recovery and debugging mechanism for scripting language extensions. It discusses how errors can occur both in script code and extension code built as shared libraries. Debugging errors in extension code is challenging as typical debuggers and tracebacks do not work. The document then presents the Wrapped Application Debugger (WAD) which allows debugging of extension code as if it were part of the script by capturing signals and integrating with the GNU Debugger (GDB).
Similar to Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1 (20)
The Challenge of Interpretability in Generative AI Models.pdfSara Kroft
Navigating the intricacies of generative AI models reveals a pressing challenge: interpretability. Our blog delves into the complexities of understanding how these advanced models make decisions, shedding light on the mechanisms behind their outputs. Explore the latest research, practical implications, and ethical considerations, as we unravel the opaque processes that drive generative AI. Join us in this insightful journey to demystify the black box of artificial intelligence.
Dive into the complexities of generative AI with our blog on interpretability. Find out why making AI models understandable is key to trust and ethical use and discover current efforts to tackle this big challenge.
Discover practical tips and tricks for streamlining your Marketo programs from end to end. Whether you're new to Marketo or looking to enhance your existing processes, our expert speakers will provide insights and strategies you can implement right away.
IT market in Israel, economic background, forecasts of 160 categories and the infrastructure and software products in those categories, professional services also. 710 vendors are ranked in 160 categories.
Securiport Gambia is a civil aviation and intelligent immigration solutions provider founded in 2001. The company was created to address security needs unique to today’s age of advanced technology and security threats. Securiport Gambia partners with governments, coming alongside their border security to create and implement the right solutions.
Ensuring Secure and Permission-Aware RAG DeploymentsZilliz
In this talk, we will explore the critical aspects of securing Retrieval-Augmented Generation (RAG) deployments. The focus will be on implementing robust secured data retrieval mechanisms and establishing permission-aware RAG frameworks. Attendees will learn how to ensure that access control is rigorously maintained within the model when ingesting documents, ensuring that only authorized personnel can retrieve data. We will also discuss strategies to mitigate risks of data leakage, unauthorized access, and insider threats in RAG deployments. By the end of this session, participants will have a clearer understanding of the best practices and tools necessary to secure their RAG deployments effectively.
How CXAI Toolkit uses RAG for Intelligent Q&AZilliz
Manasi will be talking about RAG and how CXAI Toolkit uses RAG for Intelligent Q&A. She will go over what sets CXAI Toolkit's Intelligent Q&A apart from other Q&A systems, and how our trusted AI layer keeps customer data safe. She will also share some current challenges being faced by the team.
Selling software today doesn’t look anything like it did a few years ago. Especially software that runs inside a customer environment. Dreamfactory has used Anchore and Ask Sage to achieve compliance in a record time. Reducing attack surface to keep vulnerability counts low, and configuring automation to meet those compliance requirements. After achieving compliance, they are keeping up to date with Anchore Enterprise in their CI/CD pipelines.
The CEO of Ask Sage, Nic Chaillan, the CEO of Dreamfactory Terence Bennet, and Anchore’s VP of Security Josh Bressers are going to discuss these hard problems.
In this webinar we will cover:
- The standards Dreamfactory decided to use for their compliance efforts
- How Dreamfactory used Ask Sage to collect and write up their evidence
- How Dreamfactory used Anchore Enterprise to help achieve their compliance needs
- How Dreamfactory is using automation to stay in compliance continuously
- How reducing attack surface can lower vulnerability findings
- How you can apply these principles in your own environment
When you do security right, they won’t know you’ve done anything at all!
1. Troubleshooting Linux Kernel Modules and Device Drivers Mike Anderson Chief Scientist The PTR Group, Inc. [email_address] Source: www.crobike.de
2. What We’ll Talk About How do errors show up in the kernel? Watching kernel/user-space interaction via strace Debugging with printk Using the /proc file system Using the kgdb debugger Debugging with hardware ala LEDs or a JTAG unit
3. Challenges of Kernel Debugging There are many features that can make kernel debugging especially difficult Optimizing compilers can rearrange code Instruction pointer seems to jump around The use of the MMU can obfuscate addresses Physical vs. virtual addresses Startup code is particularly difficult to debug because of its closeness to the “metal” No equivalent for the user-space gdbserver for drivers Early kernel debugging may require hardware assistance
4. Device Drivers/Kernel Modules Assuming that your kernel is otherwise working, most of the problems that you’ll encounter are related to device drivers Drivers can either be statically linked or dynamically loaded to the kernel A dynamically loaded driver takes the form of a kernel module Can be dynamically loaded and unloaded at kernel run time Frequently handled by daemons such as udev
6. When Things go Wrong… Problems in device drivers typically manifest themselves in one of three ways Kernel panic Fatal to the system Kernel oops Near fatal to the system Hardware just doesn’t work correctly Could be fatal to you! Source: picasaweb.google.com
7. Kernel Panic When the Linux kernel determines that a fatal error has occurred, and no recovery is possible, it “panics” Frequently, an exception in an interrupt context Panic outputs a message to the console The output will help you find the source of the bug Typically results in a system reboot on an embedded Linux target Or, blinking keyboard LEDs on some desktop versions of Linux Source: regmedia.co.uk
9. Kernel oops An oops message is displayed when a recoverable error has occurred in kernel space: Access to bad address, e.g., through a NULL pointer Illegal or invalid instruction Etc… The calling user process is killed The system should be considered unstable at this point The oops message displays: The state of the processor at the time of the fault, including registers and address of faulting instruction function call stack traceback The addresses are replaced with symbols if the kallsyms kernel configuration option is selected at kernel compile time
13. Module Debugging Techniques Examine the interaction with the kernel via strace The next line of defense is printk There may be additional output you’re not seeing Next, we can try adding /proc file system entries Instrument the driver for debugging Enable source debugging via kgdb Using hardware debuggers and “blinky lights”
14. Using strace to Watch System Calls When debugging what appears to be a kernel-space error, it can be helpful to watch the system calls that are made from user-space See what events lead to the error strace displays all system calls made by a program Can display timestamp information per system call as well
15. Using strace to Watch System Calls #2 strace displays each system call’s arguments and return values string arguments are printed – very helpful! errno values displayed symbolically The program being traced runs normally Not under control of a debugger No need to specially compile the user application You can attach to a running program And trace forked applications as well…
17. Debugging with printk printk debugging is the debug method preferred by Linus At least, according to his email traffic… Insert messages to be displayed at points of interest in kernel-space code E.g., printk(KERN_INFO “my_x= %d”, my_x); Printk works like printf does in user-space except that printk can only print integers, strings & addresses printk can also be called from within ISRs Messages can have “importance” settings that allow filtering Importance is set by prepending a 3-character string to the output message: “< n >”
18. Debugging with printk #2 The messages are placed in a circular buffer that can be retrieved post mortem if needed The “importance” string that is prepended to the printk message can be found in include/linux/kernel.h : #define KERN_EMERG "<0>" /* system is unusable */ #define KERN_ALERT "<1>" /* action to be taken immediately */ #define KERN_CRIT "<2>" /* critical conditions */ #define KERN_ERR "<3>" /* error conditions */ #define KERN_WARNING "<4>" /* warning conditions */ #define KERN_NOTICE "<5>" /* normal but significant condition */ #define KERN_INFO "<6>" /* informational */ #define KERN_DEBUG "<7>" /* debug-level messages */
19. Debugging with printk #3 Some level of control for printk output can be found in /proc/sys/kernel/printk Let’s look at the following output: # cat /proc/sys/kernel/printk 7 4 1 7 This indicates: The console_loglevel is 7, so messages with importance of 0..6 will currently go to the console The default message log level is 4, so messages that do not specify an importance are treated as level 4 The minimum console log level is 1, so console_loglevel cannot be set to any value less than 1 The default console log level is 7, so console_loglevel starts out set to 7
20. Debugging with printk #4 You may control the console_loglevel by writing to /proc/sys/kernel/printk To enable all printk messages with importance levels 0..7: # echo 8 > /proc/sys/kernel/printk If the kernel command line contains the word “debug”, the console_loglevel starts with a value of 10
21. Using the /proc File System Use /proc entries for driver instrumentation It is possible to register “write” functions that allow us to dynamically modify values in the kernel (or drivers, or modules) Write values to the /proc file system entry Read /proc entries allow us to retrieve information from a running kernel entity Information is provided “live” Look at the driver source, there may already be /proc entries that can help you
22. Techniques for Source Debugging The two primary ways to provide source debugging in the Linux kernel are based on either kgdb or on the use of a hardware JTAG probe Unfortunately, kgdb is not a standard feature of the kernel a/o 2.6.25.8 You’ll have to patch your kernel to enable it Either technique will require the use of a kernel image that is compiled with debugging symbols Unless you like debugging in assembly language
23. Compiling the Kernel with Debug Info This will increase the size of the debug kernel image by about 30% However, you don’t need to load the debug version of the kernel Load the non-debug version to the target, but use the debug version for the debugger/JTAG probe Save off the vmlinux and System.map file because these are used by the debugger or by you to find key addresses The (b)zImage can be loaded on the target as normal
25. Kernel gdb (kgdb) If you are using a stock kernel, kgdb is not included Linus doesn’t believe in a source debugger in the kernel Many commercial Linux vendors do include it in their distributions though kgdb can be downloaded from: http://kgdb.linsyssoft.com/downloads.htm or http://sourceforge.net and look for kgdb You’ll need to patch the kernel A new kgdb light is in the works for 2.6.26 Kgdb over the system console
27. Kgdb Light in 2.6.26-rc8 Uses system console for I/O
28. kgdb Lash up kgdb supports debugging via the serial port The gdb debugger is running on a second machine using the vmlinux you compiled with debugging symbols You attach to the system being debugged using gdb’s “target remote” command Host Target Network Ethernet RS-232
29. Hardware-assisted Debugging There are a number of devices that can help with debugging LEDs, JTAGs, logic analyzers, oscilloscopes, bus analyzers and more These can range from a few cents to implement to several 10s of thousands of dollars You typically get what you pay for
30. Debugging with LEDs Very simple: Blink on/off in various code sections under debug Blink in sequences Can display multiple-bit codes if multiple LEDs are available Very fast, little impact on run-time performance Adding LED debug code will likely not “make the problem go away” These may be the only option for debugging early x86 code
31. Debugging with LEDs, Caveats The LED(s) must be free for use Not tied in hardware to a network PHY or to displaying power status, for example LED are not very verbose You must decipher what the blinking means Can be difficult to determine where you are in the code You can also attach an oscilloscope to the GPIO pins found on many processors for more information
32. Hardware Debuggers In the past, in-circuit emulators (ICE) where the debugger of choice You pulled the CPU, plugged the ICE in and plugged the CPU into the ICE But, these where $80K+ each Logic analyzers are also good to have But, they are $35K+ for an empty mainframe PC-based versions can be had for < $1K IEEE 1149.1 (JTAG) has become the debugger da jour JTAG uses a boundary-scan protocol These range from $70 to $20K depending on model and features At a minimum, a JTAG is really a “must-have” for firmware and board bring up
33. Debugging with a JTAG Probe Debugging with a JTAG unit is much less involved than using kgdb Compile the kernel with debugging enabled No need to patch the kernel for kgdb Assumes your platform supports a JTAG interface You connect to the JTAG unit using whatever technique your JTAG probe requires Your JTAG GUI is dependent on the vendor For those JTAG units that are gdb-aware, use the appropriate target remote commands
34. Example JTAG Usage Connect the JTAG to the target and the host Start the host application to control the JTAG Reset the target and load the register configuration settings to the JTAG unit Load code and enjoy! Useful for debugging drivers as well as bringing up new firmware and BSPs
35. Summary “ Real developers” use printk – or at least Linus does Tools like strace allow you see the flow of execution The /proc filesystem gives you a window into the kernel/drivers Kgdb uses familiar gdb technology but at the kernel level LEDs are a fast and easy way to get info out of the machine as well Hardware JTAG debug tools may be available These can be invaluable if you can get one