
WebAssembly Security, Now and in the Future

By Marco Fioretti

Introduction

WebAssembly is, as we explained recently, a binary format for software written in any language, designed to eventually run on any platform without changes. The first application of WebAssembly is inside web browsers, to make websites faster and more interactive. Plans to push WebAssembly beyond the Web, from servers of all sorts to the Internet of Things (IoT), create as many opportunities as security issues. This post is an introductory overview of those issues and of the WebAssembly security model.

WebAssembly is like JavaScript

Inside web browsers, WebAssembly modules are managed by the same Virtual Machine (VM) that executes JavaScript code. Therefore, WebAssembly may be used to do much of the same harm that is doable with JavaScript, just more efficiently and less visibly. Since JavaScript is plain text that the browser compiles on the fly, while WebAssembly is a ready-to-run binary format, the latter runs faster and is also harder to scan (even for antivirus software) for malicious instructions.

This “code obfuscation” effect of WebAssembly has already been used, among other things, to pop up unwanted advertising or to open fake “tech support” windows that ask for sensitive data. Another trick is to automatically redirect browsers to “landing” pages that host the really dangerous malware.

Finally, WebAssembly may be used, just like JavaScript, to “steal” processing power instead of data. In 2019, an analysis of 150 different Wasm modules found that about 32% of them were used for cryptocurrency mining.

WebAssembly sandbox, and interfaces

WebAssembly code runs inside a sandbox managed by the VM, not by the operating system. This gives it no visibility into the host computer and no way to interact with it directly. Access to system resources, be they files, hardware or internet connections, can only happen through the WebAssembly System Interface (WASI) provided by that VM.

WASI is different from most other application programming interfaces, with unique security characteristics that are truly driving the adoption of WASM in server and edge computing scenarios; it will be the topic of the next post. Here, it is enough to say that its security implications vary greatly when moving from the web to other environments. Modern web browsers are terribly complex pieces of software, but they rest on decades of experience and on daily testing by billions of people. Compared to browsers, servers and IoT devices are almost uncharted land. The VMs for those platforms will require extensions of WASI and thus, in turn, will surely introduce new security challenges.

Memory and code management in WebAssembly

Compared to normal compiled programs, WebAssembly applications have very restricted access to memory, and to their own code as well. WebAssembly code cannot directly access functions or variables that have not been called, jump to arbitrary addresses, or execute data in memory as bytecode instructions.

Inside browsers, a Wasm module gets just one global array of contiguous bytes (its “linear memory”) to work with. WebAssembly can directly read and write any location in that area, or request an increase in its size, but that is all. This linear memory is also separated from the areas that contain the module's actual code, its execution stack, and of course the virtual machine that runs WebAssembly. In browsers, all these data structures are ordinary JavaScript objects, isolated from one another by the engine's standard mechanisms.

The result: good, but not perfect

All these restrictions make it quite hard for a WebAssembly module to misbehave, but not impossible.

The sandboxed memory that makes it almost impossible for WebAssembly to touch what is outside also makes it harder for the operating system to prevent bad things from happening inside. Traditional memory monitoring mechanisms like “stack canaries”, which notice when some code tries to tamper with objects it should not touch, cannot work there.

The fact that WebAssembly can only access its own linear memory, but can do so directly, may also make attackers' work easier. With those constraints, and access to the source code of a module, it is much easier to guess which memory locations could be overwritten to do the most damage. It also seems possible to corrupt local variables, because they live in an unsupervised stack inside the linear memory.

A 2020 paper on the binary security of WebAssembly noted that WebAssembly code can still overwrite string literals in supposedly constant memory. The same paper describes other ways in which WebAssembly may be less secure than the same code compiled to a native binary, on three different platforms (browsers, server-side applications on Node.js, and applications for stand-alone WebAssembly VMs), and is recommended further reading on this topic.

In general, the idea that WebAssembly can only damage what is inside its own sandbox can be misleading. WebAssembly modules do the heavy work for the JavaScript code that calls them, exchanging variables every time. If they write into any of those variables values that cause crashes or data leaks in the unsafe JavaScript that called WebAssembly, those things will happen.
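To make the linear-memory points above concrete, here is an added example (not code from the original post or from the paper it cites): a hand-assembled Wasm module, run from Node.js, whose `poke` and `peek` exports write and read single bytes of its one-page linear memory. It shows that a data-segment string literal can be overwritten in place, that an access past the allocated page traps instead of reaching host memory, and that growing the memory detaches any JavaScript view the host took earlier. The module bytes, the export names and the `hello` literal are all constructed for this example.

```javascript
// Constructed for this example: a minimal Wasm module with one page of
// linear memory, an active data segment placing "hello" at offset 8, and
// two exports: poke(addr, byte) = i32.store8, peek(addr) = i32.load8_u.
const WASM_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,              // magic, version 1
  0x01, 0x0b, 0x02, 0x60, 0x02, 0x7f, 0x7f, 0x00,              // types: (i32,i32)->()
  0x60, 0x01, 0x7f, 0x01, 0x7f,                                //        (i32)->i32
  0x03, 0x03, 0x02, 0x00, 0x01,                                // funcs: type 0, type 1
  0x05, 0x03, 0x01, 0x00, 0x01,                                // memory: min 1 page
  0x07, 0x18, 0x03,                                            // exports:
  0x06, 0x6d, 0x65, 0x6d, 0x6f, 0x72, 0x79, 0x02, 0x00,        //   "memory"
  0x04, 0x70, 0x6f, 0x6b, 0x65, 0x00, 0x00,                    //   "poke" -> func 0
  0x04, 0x70, 0x65, 0x65, 0x6b, 0x00, 0x01,                    //   "peek" -> func 1
  0x0a, 0x13, 0x02,                                            // code:
  0x09, 0x00, 0x20, 0x00, 0x20, 0x01, 0x3a, 0x00, 0x00, 0x0b,  //   local0 local1 i32.store8
  0x07, 0x00, 0x20, 0x00, 0x2d, 0x00, 0x00, 0x0b,              //   local0 i32.load8_u
  0x0b, 0x0b, 0x01, 0x00, 0x41, 0x08, 0x0b,                    // data: at i32.const 8
  0x05, 0x68, 0x65, 0x6c, 0x6c, 0x6f,                          //   "hello"
]);
const PAGE = 65536;        // one Wasm page, the whole initial linear memory
const LITERAL_ADDR = 8;    // where the data segment put "hello"

function instantiate() {
  return new WebAssembly.Instance(new WebAssembly.Module(WASM_BYTES), {}).exports;
}

function readLiteral(exports) {
  return String.fromCharCode(...new Uint8Array(exports.memory.buffer, LITERAL_ADDR, 5));
}

// No part of linear memory is read-only: one store turns the "constant"
// literal "hello" into "jello".
function overwriteLiteral() {
  const exports = instantiate();
  const before = readLiteral(exports);
  exports.poke(LITERAL_ADDR, 0x6a); // 'j'
  return [before, readLiteral(exports)];
}

// The sandbox boundary does hold: a load one byte past the page traps.
function outOfBoundsAccess() {
  const exports = instantiate();
  try {
    exports.peek(PAGE);
    return "no trap";
  } catch (e) {
    return e instanceof WebAssembly.RuntimeError ? "trap" : "other error";
  }
}

// Host-side caveat: memory.grow() detaches the previous ArrayBuffer, so a
// view the JavaScript caller kept from before the grow silently becomes empty.
function growDetachesOldView() {
  const exports = instantiate();
  const staleView = new Uint8Array(exports.memory.buffer);
  exports.memory.grow(1);          // now 2 pages; old buffer is detached
  exports.poke(PAGE, 0x41);        // the address that trapped above is valid now
  return { staleLength: staleView.length, afterGrow: exports.peek(PAGE) };
}
```

The detached-view case is the one most often missed on the JavaScript side: a host that caches a `Uint8Array` over `memory.buffer` and keeps using it after the module grows its memory reads nothing at all, not stale data.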

The road ahead

Two emerging features of WebAssembly that will surely impact its security (how, and how much, is too early to tell) are concurrency and internal garbage collection.

Concurrency is what allows several WebAssembly modules to run in the same VM simultaneously. Today this is possible only through JavaScript web workers, but better mechanisms are under development. Security-wise, they may bring in “a lot of code… that did not previously need to be”, that is, more ways for things to go wrong.

A native garbage collector is needed to increase performance and security, but above all to use WebAssembly outside the well-tested JavaScript VMs of browsers, which collect all the garbage themselves anyway. Even this new code, of course, may become another entry point for bugs and attacks.

On the positive side, general strategies to make WebAssembly even safer than it is today also exist. Quoting again from the same source, they include compiler improvements, separate linear memories for stack, heap and constant data, and avoiding compiling code written in “unsafe languages, such as C” into WebAssembly modules.

The post WebAssembly Security, Now and in the Future appeared first on Linux Foundation – Training.

7 signs you survived the best era of IT

Keep score to see how many of these technologies you remember and discover whether you’re old, er – experienced.
Read More at Enable Sysadmin

The Linux Foundation and the TODO Group Announce Call for Proposals for OSPOCon and the OSPO Landscape

OSPOCon is an event dedicated to creating better, more efficient open source ecosystems.

SAN FRANCISCO, March 23, 2020 – The Linux Foundation, the nonprofit organization enabling mass innovation through open source, along with co-host the TODO Group, an open group of organizations that collaborate on practices, tools and other ways to run successful and effective open source programs and projects, has opened its Call for Proposals for OSPOCon. The event will take place September 29 – October 1 in Dublin, Ireland, alongside Open Source Summit + Embedded Linux Conference 2021. The TODO Group has also launched an OSPO Landscape as a resource for the community to learn more about OSPOs. The community is encouraged to contribute to the landscape.

OSPOCon is a new event, dedicated to those working to create a center of competency for open source in their organizations in order to join together to overcome challenges through sharing experiences, best practices, and tooling. Open Source Program Offices (OSPOs) face many obstacles, such as ensuring high-quality and frequent releases, engaging with developer communities, and contributing back to other projects effectively. Collaborating together with others working on the same concerns helps the entire ecosystem improve.

“I am thrilled to be a part of the inaugural OSPOCon and see it brought to life to support the many hardworking and dedicated people involved in creating and sustaining OSPOs,” said Chris Aniszczyk, co-founder of the TODO Group and CTO at The Linux Foundation. “The impact OSPOs are having grows every day as they become a strategic function for organizations, from companies to governments to research institutions. Their contributions are tremendously valued and we look forward to furthering their abilities to collaborate, grow, and learn from each other.”

Proposals to speak at OSPOCon are being accepted now through June 13 at 11:59pm PDT.

Submission types requested include:

  • Session Presentation (~40-50 minutes in length)
  • Panel Discussion (~40-50 minutes in length)
  • Birds of a Feather Session (BoFs are typically held in the evenings; ~45 minutes – 1 hour in length)
  • Tutorial (~1.5 hours in length)
  • Lightning Talk (~5-10 minutes in length)

Suggested Topics include:

Open Source Program Management

  • Creation and Best Practices of Open Source Program Offices (OSPOs)
  • Consuming and Contributing to Open Source
  • Managing Competing Corporate Interests while Driving Coherent Communities
  • How to Vet the Viability of OS Projects
  • Internal vs External Developer Adoption
  • Handling License Obligations in Organizations
  • Open Source Corporate Sustainability

All interested parties are welcome to submit proposals. Those submitting will be notified of a decision by Thursday, July 22. To learn more and/or submit, please click here.

OSPOCon will be presented as a hybrid event – attendees can join and participate in person or virtually. Registration will open in late Spring 2021. To receive an email alert when registration opens, please click here. The Linux Foundation provides diversity and need-based registration scholarships for this event to anyone that needs it; for information on eligibility please click here. Visit our website and follow us on Twitter, Facebook, and LinkedIn for all the latest event updates and announcements.

Sponsor:
OSPOCon offers two sponsorship levels for your consideration, Co-host and Supporter. To see all sponsorship benefits, please click here or email us here.

Members of the press who would like to request a media pass should contact Kristin O’Connell.

About The Linux Foundation
The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and industry adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.

The Linux Foundation Events are where the world’s leading technologists meet, collaborate, learn and network in order to advance innovations that support the world’s largest shared technologies.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage.

Linux is a registered trademark of Linus Torvalds.


Media Contact:
Kristin O’Connell
The Linux Foundation
koconnell@linuxfoundation.org

The post The Linux Foundation and the TODO Group Announce Call for Proposals for OSPOCon and the OSPO Landscape appeared first on Linux Foundation.

6 OpenSSL command options that every sysadmin should know


Look beyond generating certificate signing requests and see how OpenSSL commands can display practical information about certificates.
Anthony Critelli
Mon, 3/22/2021 at 10:22pm

Image by Uwe Baumann from Pixabay

Transport layer security (TLS) is an important part of any security strategy, and applications beyond web servers increasingly take advantage of the protections offered by public-key cryptography. The OpenSSL toolkit is the fundamental utility that any systems administrator must know if they are responsible for maintaining TLS-protected applications. In this article, I demonstrate some of the most common commands that I use daily.

Topics:  
Linux  
Linux Administration  
Security  
Command line utilities  
Read More at Enable Sysadmin

Presto At Uber

In this special series on PrestoCon Day 2021 coverage, Swapnil Bhartiya at TFIR sat down with Girish Baliga, Engineering Manager of Data Infrastructure at Uber. Girish manages Pinot, Flink, and Presto teams at Uber. He is helping the team build a comprehensive self-service real-time analytics platform to power business-critical external-facing dashboards and metrics. Girish is also the Chairman of the Presto Linux Foundation Governing Board.

OpenPOWER Foundation Provides Microwatt for Fabrication on Skywater Open PDK Shuttle

The OpenPOWER-based Microwatt CPU core has been selected to be included in the Efabless Open MPW Shuttle Program. Microwatt’s inclusion in the program represents a lower barrier to entry for chip manufacturing. It also demonstrates the ability to create fully designed, fabricated chips relying on a complete, end-to-end open source environment – including open governance, specifications, tooling, IP, hardware, software, and manufacturing.

Read more at OpenPOWER Foundation

Liquid Prep intelligent watering solution now hosted by the Linux Foundation as a Call for Code project

Over the past several decades farmers have been depending increasingly on groundwater to irrigate their crops due to climate change and reduced rainfall. Farmers, even in drought-prone areas, continue to need to grow water-intensive crops because these crops have a steady demand.

In 2019, as part of Call for Code, a team of IBMers came together and brainstormed on ideas they were passionate about – problems faced by farmers in developing countries due to more frequent drought conditions. The team designed an end-to-end solution that focuses on helping farmers gain insight into when to water their crops and help them optimize their water usage to grow healthy crops. This team, Liquid Prep, went on to win the IBM employee Call for Code Global Challenge.

Liquid Prep provides a mobile application that can obtain soil moisture data from a portable soil moisture sensor, fetch weather information from The Weather Company, and access crop data through a service deployed on the IBM Cloud. Their solution brings all this data together, analyzes it, and computes watering guidance to help the farmer decide whether to water their crops right now or conserve it for a better time.

To validate the Liquid Prep prototype, in December 2019, one of the team members traveled to India and interviewed several farmers in the village Nuggehalli, which is near the town Hirisave in the Hassan district of Karnataka, India. The interviews taught the team that the farmers did not have detailed information on when they should water their specific crops and by how much, as they didn’t know the specific needs on a plant-by-plant basis. They also just let the water run freely if the water was available from a nearby source, like a river or stream, and some were entirely dependent on rainfall. The farmers expressed a great interest in the described Liquid Prep solution as it could empower them to make more informed decisions that could improve yields.

A prototype is born

After winning the challenge the Liquid Prep team took on the opportunity to convert the concept to a more complete prototype through an IBM Service Corps engagement. The team was expanded with dedicated IBM volunteers from across the company and they were assigned to optimize Liquid Prep from August through October 2020. During this time the team developed the Minimum Viable Product (MVP) for the mobile solution.

The prototype consists of three primary components:

  • A hardware sensor to measure soil moisture
  • A highly visual and easy-to-use mobile web application, and
  • A back-end data service to power the app.

It works like this: the mobile web application gets soil moisture data from the soil moisture sensor. The app requests environmental conditions from The Weather Company and crop data from the plant database via the backend service deployed on the IBM Cloud. The app analyzes and computes a watering schedule to help the farmer decide if they should water their crops now or at a later time.

Partners

Liquid Prep has developed a great working relationship with partners SmartCone Technologies, Inc., and Central New Mexico Community College. Students in the Deep Dive Coding Internet of Things (IoT) Bootcamp at CNM are designing, developing, and producing a robust IoT sensor and housing it in the shape of a stick that can be inserted into the soil and transfer the soil moisture data to the Liquid Prep mobile app via Bluetooth. The collaboration gives students important real-world experience before they enter the workforce.

“SmartCone is honored to be part of this project. This is a perfect example of technology teams working together to help make the world a better place,” said Jason Lee, Founder & CEO, SmartCone Technologies Inc.

Additionally, Liquid Prep will work together with J&H Nixon Farms, who largely grow soybeans and corn crops on about 2800 acres of agricultural land in Ottawa, Canada. They have offered Liquid Prep the opportunity to pilot test the prototype on several plots of land that have different soil conditions, which in turn can expand the breadth of recommendation options to a larger number of potential users.

Now available as open source

Liquid Prep is now available as an open source project hosted by the Linux Foundation. The goal of the project is to help farmers globally farm their crops with the least amount of water by taking advantage of real-time information that can help improve sustainability and build resiliency to climate change.

Participation is welcomed from software developers, designers, testers, agronomists/agri experts/soil experts, IoT engineers, researchers, students, farmers, and others who can help improve the quality and value of the solution for small farmers around the world. Key areas the team is interested in developing include localizing the mobile app, considering soil properties for the improvement of the watering advice, updating project documentation, software and hardware testing, more in-depth research, and adding more crop data to the database.

Get involved in Liquid Prep now at Call For Code

The post Liquid Prep intelligent watering solution now hosted by the Linux Foundation as a Call for Code project appeared first on Linux Foundation.

Creating a backup of data stored in a Linux virtual machine


Learn how one sysadmin backs up data from one virtual machine to another in a different geographic zone.
Saksham Lamba
Sun, 3/21/2021 at 2:46pm

Image by Miguel Á. Padriñán from Pixabay

In this article, I cover what I’ve learned about backing up data stored in a Red Hat Enterprise Linux (RHEL) virtual machine (VM). During my first year of working with Linux, I had the idea of backing up data on a Linux VM deployed in the cloud.

Topics:  
Linux  
Linux Administration  
Backups  
Read More at Enable Sysadmin

A sysadmin’s favorite Linux history command line hack

When typing is necessary, it’s better to do it efficiently.
Read More at Enable Sysadmin

8 steps to developing an Ansible role in Linux

In this article, an existing Ansible playbook is used to deploy Vim and convert it to a role adding flexibility and reusability.
Read More at Enable Sysadmin