YoVDO

NFS Support for Linux Integrity Measurement Architecture

Offered By: Linux Foundation via YouTube

Tags

Distributed Systems Courses, Data Integrity Courses, Access Control Lists Courses, Kerberos Courses

Course Description

Overview

Explore a conference talk detailing the proposed extension of the NFS protocol to support the Linux Integrity Measurement Architecture (IMA). Delve into the design's strengths, limitations, and remaining challenges in implementing integrity measurement support for NFS. Learn about the complexities of extending protection from NFS servers to end users on NFS clients, enabling IMA-protected executable installation, and allowing different appraisal policies across NFS clients. Examine the technical considerations, including corruption detection methods, protocol support issues, and performance implications. Gain insights into the decision-making process for determining the effectiveness and completeness of the specified extension, as well as potential future developments such as IMA offload.

Syllabus

NFS Support for the Linux Integrity Measurement Architecture
Chuck Lever, Oracle Corporation
NFS with Integrity Measurement
• Some storage servers do not have a user execution environment (e.g., filers)
• Storage servers and clients may run different operating systems with different semantics
• Filesystems on storage server may not support Linux-style extended attributes
• Extend envelope of protection from NFS server to end users on NFS clients
• Enable installation of IMA-protected executables from NFS clients
• Enable appraisal policy on an NFS client to be different than its peers or the policy on the NFS server
transport via NFS
- Corruption of IMA metadata is detected when signature is verified
- Corruption of file content is detected when it is appraised
supported by NFS protocol
- NFSv4 ACLs are not the same as POSIX ACLs
- NFS protocol would need to expose the list of protected attributes and FS UUID
• How do we decide if the specified extension is effective and complete?
- When will prototype implementation be ready to merge upstream?
• Is performance a consideration?
• Is IMA offload an interesting use case?
Whine about legacy technologies!
- Kerberized NFS, NFSv4 ID mapping and ACLs
Throw tomatoes at new topics!
- NFS support for capabilities and other LSM
LINUX SECURITY SUMMIT


Taught by

Linux Foundation
