Using Capslock analysis to develop seccomp filters for Rust (and other) services
UB5.132 | Day 1 | 16:00 - 16:25 | Speakers: Adam Harvey
Abstract
The Capslock project was started within Google to provide a capability analysis toolkit for Go packages, and has since been open sourced and is being extended to support other languages.
In this talk, we'll walk through using the experimental cargo-capslock tool developed through a grant from Alpha-Omega to analyse the capabilities of Rust services. We'll then use the result of that analysis to create seccomp profiles that can be applied using container orchestration systems (such as Kubernetes) to restrict services and ensure that updates are unable to silently open new attack vectors, and discuss how this technique can be applied to services written in other languages as well.
Speakers
Adam works as a security-focused software developer at the Rust Foundation working on ecosystem security, especially around improving supply chain security for crates.io and Rust releases.
Professionally, his history includes stints as a developer at New Relic, deviantART, and Sourcegraph, while his open source work includes being a project member of Rust and PHP.
In his spare time, he plays cricket, kayaks, speaks Spanish extremely badly, throws tennis balls for his golden retriever, and tries to convince people that his Australian accent is actually flawless Canadian.
Links
External Links
Notice: The placeholder video image is licensed under CC BY-SA 4.0. The original image can be found hereChanges made to the image are: Cropped the image to a new ratio, part of the image was cut off.