Diffstat (limited to 'security/advanced')
| -rw-r--r-- | security/advanced/Makefile | 6 | ||||
| -rw-r--r-- | security/advanced/frm_capabilities.tex | 269 | ||||
| -rw-r--r-- | security/advanced/frm_exploit_mitigation.tex | 228 | ||||
| -rw-r--r-- | security/advanced/frm_mac.tex | 206 | ||||
| -rw-r--r-- | security/advanced/frm_multiuser_dac.tex | 363 | ||||
| -rw-r--r-- | security/advanced/frm_namespace_container.tex | 132 | ||||
| -rw-r--r-- | security/advanced/frm_process_thread.tex | 113 | ||||
| -rw-r--r-- | security/advanced/pres_advanced_sec.tex | 3 | ||||
| -rw-r--r-- | security/advanced/pres_capability.tex | 20 | ||||
| -rw-r--r-- | security/advanced/pres_exploit.tex | 20 | ||||
| -rw-r--r-- | security/advanced/pres_mac.tex | 20 | ||||
| -rw-r--r-- | security/advanced/pres_multiuser_dac.tex | 20 | ||||
| -rw-r--r-- | security/advanced/pres_namespace_container.tex | 20 | ||||
| -rw-r--r-- | security/advanced/pres_process_thread.tex | 20 |
14 files changed, 1440 insertions, 0 deletions
diff --git a/security/advanced/Makefile b/security/advanced/Makefile
index f6ab95b..2643c9e 100644
--- a/security/advanced/Makefile
+++ b/security/advanced/Makefile
@@ -1 +1,7 @@
 obj-$(CONFIG_SECURITY_ADV) += pres_advanced_sec.pdf
+obj-$(CONFIG_SECURITY_ADV) += pres_capability.pdf
+obj-$(CONFIG_SECURITY_ADV) += pres_exploit.pdf
+obj-$(CONFIG_SECURITY_ADV) += pres_process_thread.pdf
+obj-$(CONFIG_SECURITY_ADV) += pres_multiuser_dac.pdf
+obj-$(CONFIG_SECURITY_ADV) += pres_namespace_container.pdf
+obj-$(CONFIG_SECURITY_ADV) += pres_mac.pdf
diff --git a/security/advanced/frm_capabilities.tex b/security/advanced/frm_capabilities.tex
new file mode 100644
index 0000000..7e514df
--- /dev/null
+++ b/security/advanced/frm_capabilities.tex
@@ -0,0 +1,269 @@
+% ----------------------------
+\subsubsection{Basics}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{What is a Linux Capability?}
+\begin{itemize}
+\item Syscalls
+ \begin{itemize}
+ \item Application Programming Interface (API) to the Kernel
+ \item some Syscalls need special privileges (EPERM)
+ \end{itemize}
+\item User Privileges
+ \begin{itemize}
+ \item root (UID == 0): all privileges
+ \item users (UID > 0): no privileges
+ \end{itemize}
+\item Capability
+ \begin{itemize}
+ \item single privilege
+ \item can be raised or dropped
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{How it works}
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Control Flow}
+ \begin{figure}[h]
+ \centering
+ \includegraphics[width=8cm]{images/syscall_flow.png}
+ \end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Type of Syscalls}
+\begin{itemize}
+\item unprivileged Syscalls:
+ \begin{itemize}
+ \item sys\_gethostname()
+ \item sys\_read() / sys\_write()
+ \item sys\_getuid() / sys\_getgid()
+ \item \dots
+ \end{itemize}
+\item privileged Syscalls:
+ \begin{itemize}
+ \item sys\_sethostname()
+ \item sys\_open()
+ \item sys\_setuid() / sys\_setgid()
+ \item \dots
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Capabilities}
+\begin{columns}[onlytextwidth]
+ \begin{column}{0.5\textwidth}
+ \begin{itemize}
+ \item CAP\_MKNOD
+ \item CAP\_KILL
+ \item CAP\_SETGID
+ \item CAP\_SETUID
+ \item CAP\_SETPCAP
+ \item CAP\_SYS\_BOOT
+ \item CAP\_SYS\_NICE
+ \item CAP\_SYS\_TIME
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.5\textwidth}
+ \begin{itemize}
+ \item CAP\_SYS\_MODULE
+ \item CAP\_SYS\_RAWIO
+ \item CAP\_SYS\_PTRACE
+ \item CAP\_NET\_BIND\_SERVICE
+ \item CAP\_NET\_BROADCAST
+ \item CAP\_NET\_RAW
+ \item CAP\_SYS\_ADMIN
+ \item CAP\_NET\_ADMIN
+ \end{itemize}
+ \end{column}
+\end{columns}
+Full list: \\
+Kernel Source: include/uapi/capability.h \\
+Distribution: /usr/include/linux/capability.h
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Process and File}
+\begin{itemize}
+\item Process/Task
+ \begin{itemize}
+ \item Capability bitfields in task context:
+ \begin{itemize}
+ \item Permitted
+ \item Effective
+ \item Inheritable
+ \end{itemize}
+ \end{itemize}
+\item File
+ \begin{itemize}
+ \item Bitfields in file-attributes (xattr)
+ \begin{itemize}
+ \item Permitted
+ \item Inheritable
+ \item Auto-load Effective (single bit)
+ \end{itemize}
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Capability Bitfields}
+\begin{figure}[h]
+\centering
+\includegraphics[width=7cm]{images/cap_bitfields.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Capability transition during execve()}
+\begin{figure}[h]
+\centering
+\includegraphics[width=8cm]{images/cap_trans_execve.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Capabilities in Applications}
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Capability Handling in Applications (libcap)}
+\begin{columns}[onlytextwidth]
+ \begin{column}{0.45\textwidth}
+ \begin{beamerboxesrounded}[shadow=true]{Capability Set Handling}
+ \begin{tiny}
+ \begin{verbatim}
+#include <sys/capability.h>
+
+int list_n = 1;
+cap_t caps;
+cap_value_t list[list_n];
+
+caps = cap_get_proc();
+
+/* Capability Bitfield Modifications */
+
+cap_set_proc(caps);
+
+/* Continue with modified privileges */
+
+cap_free(caps);
+ \end{verbatim}
+ \end{tiny}
+ \end{beamerboxesrounded}
+ \end{column}
+ \begin{column}{0.45\textwidth}
+Capability Bitfield Modifications
+ \begin{beamerboxesrounded}[shadow=true]{gain (temp):}
+ \begin{tiny}
+ \begin{verbatim}
+list[0] = CAP_NET_BIND_SERVICE;
+cap_set_flag(caps, CAP_EFFECTIVE,
+ list_n, list, CAP_SET);
+cap_set_proc(caps);
+ \end{verbatim}
+ \end{tiny}
+ \end{beamerboxesrounded}
+ \begin{beamerboxesrounded}[shadow=true]{drop (temp):}
+ \begin{tiny}
+ \begin{verbatim}
+list[0] = CAP_NET_BIND_SERVICE;
+cap_set_flag(caps,CAP_EFFECTIVE,
+ list_n, list,CAP_CLEAR);
+cap_set_proc(caps);
+ \end{verbatim}
+ \end{tiny}
+ \end{beamerboxesrounded}
+ \begin{beamerboxesrounded}[shadow=true]{drop (finally):}
+ \begin{tiny}
+ \begin{verbatim}
+list[0] = CAP_NET_BIND_SERVICE;
+cap_set_flag(caps,CAP_PERMITTED,
+ list_n, list,CAP_CLEAR);
+cap_set_proc(caps);
+ \end{verbatim}
+ \end{tiny}
+ \end{beamerboxesrounded}
+ \end{column}
+\end{columns}
+\end{frame}
+
+% % ----------------------------
+\begin{frame}[fragile]
+\frametitle{Capability scenario}
+Scenario for dropping capabilities in suid-root processes
+\begin{enumerate}
+\item Run process with effective UID == 0
+\item use libcap to drop not required capabilities
+ \begin{itemize}
+ \item effective: drop all
+ \item permitted: keep only required
+ \end{itemize}
+\item set SEC\_KEEP\_CAPS (prctl(PR\_SET\_KEEPCAPS))
+\item set all UIDs to non-zero
+\item raise capability in effecive set before calling a privileged syscall
+\item drop capability from effective set after syscall
+\end{enumerate}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Tooling \& Documentation}
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Tooling for Capabilities}
+\begin{itemize}
+\item capsh\\
+Modify security properties of a task (including capabilities)
+\item getcap/setcap\\
+Modify file capability settings
+\item libpam-cap\\
+Preset users inheritable capabilities during login
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Further Information about Capabilities}
+\begin{itemize}
+\item cat /proc/<pid>/status
+\item Man-Pages (man 7 capabilities, ff.)
+\item The Linux Programming Interface (Michael Kerisk),\\
+ ISBN 978-1-59327-220-3
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Summary}
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Summary}
+\begin{itemize}
+\item A Capability allows to use a privileged syscall
+\item Task-Capabilities:
+ \begin{itemize}
+ \item 3 bitfields
+ \item permitted, effective, inheritable
+ \end{itemize}
+\item File Capabilities:
+ \begin{itemize}
+ \item File extended attributes
+ \item 2 bitfields, 1 flag
+ \item permmitted, inheritable, effecitve (flag)
+ \end{itemize}
+\item Capability transition for fork() and execve()
+\item Conclusion\\
+ \begin{itemize}
+ \item root/non-root: all or nothing\\
+ \item Capabilities: fine grain privileges
+ \end{itemize}
+\end{itemize}
+\end{frame}
diff --git a/security/advanced/frm_exploit_mitigation.tex b/security/advanced/frm_exploit_mitigation.tex
new file mode 100644
index 0000000..559b60e
--- /dev/null
+++ b/security/advanced/frm_exploit_mitigation.tex
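Review bot: The three libcap snippets on the "Capability Handling in Applications" frame and the "Capability scenario" enumeration never check the return value of cap_set_proc() (or of the later set-UID step), so a failed drop silently leaves the process with its full permitted/effective sets; a privilege-dropping sequence should test the result and abort, e.g. `if (cap_set_proc(caps) == -1) { perror("cap_set_proc"); exit(1); }`, and the step "set all UIDs to non-zero" should name setresuid() and a getresuid() check. The "Type of Syscalls" frame lists sys\_open() as a privileged syscall, which is misleading since open() on ordinary files is governed by DAC; `\item sys\_reboot()` would be an unambiguous example. The kernel path on the "Capabilities" frame should read `include/uapi/linux/capability.h`, matching the distribution path on the line below it. Spelling on the scenario and summary frames: "effective", "permitted", and the author name is "Kerrisk".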
@@ -0,0 +1,228 @@
+% ----------------------------
+\subsubsection{Exploits}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Exploit Types}
+\begin{itemize}
+\item Application Level Exploits
+ \begin{itemize}
+ \item SQL Injection
+ \item Cross-side scripting
+ \item Backdoors
+ \item Protocol Implementation
+ \item \dots
+ \end{itemize}
+\item Low-Level Exploits
+ \begin{itemize}
+ \item Stack
+ \item Heap
+ \item Syscall
+ \item Race conditions
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Stack: Code Example I}
+\begin{beamerboxesrounded}[shadow=true]{Bad copy to stack local buffer}
+\begin{tiny}
+\begin{verbatim}
+#include <string.h>
+
+void foo (char *p) {
+ char buf[16];
+ strcpy(buf, p);
+}
+
+int main (int argc, char **argv) {
+ foo(argv[1]);
+}
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Stack: Code Example II}
+\begin{beamerboxesrounded}[shadow=true]{Manipulation of return address}
+\begin{tiny}
+\begin{verbatim}
+#include <stdio.h>
+#include <string.h>
+
+void function(int a, int b, int c)
+{
+ char buffer1[8];
+ char buffer2[16];
+ char *ret;
+
+ ret = (char *)(buffer1 + 0x18);
+ (*ret) += 0x7;
+}
+
+void main(void)
+{
+ int x;
+
+ x = 0;
+ function(1,2,3);
+ x = 1;
+ printf("%d\n",x);
+}
+
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Stack: Layout I}
+\begin{figure}[h]
+\centering
+\includegraphics[width=8cm]{images/em_stack_layout1.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Stack}
+\begin{itemize}
+\item Overwrite return address
+\item change stack-local variables
+\item inject malicious code
+ \begin{itemize}
+ \item shell code
+ \item backdoors
+ \item thread hijacking
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Mitigation}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Address Space Layout}
+\begin{itemize}
+\item Fixed layout of segment start addresses
+\item Easy to exploit
+\item Address Space Layout Randomization
+ \begin{itemize}
+ \item basic implementation (Linux v2.6.12)
+ \item full implementation (Linux v3.19)
+ \end{itemize}
+\item Configuration: /proc/sys/kernel/randomize\_va\_space
+ \begin{itemize}
+ \item 0: Disabled
+ \item 1: randomize stack, data, dynamic libraries
+ \item 2: randomize stack, data, dynamic libraries, heap
+ \end{itemize}
+\item Process maps: /proc/<pid>/maps
+\end{itemize}
+\end{frame}
+
+\begin{frame}[fragile]
+\frametitle{Process Memory Map}
+\begin{beamerboxesrounded}[shadow=true]{/proc/<pid>/maps}
+\begin{tiny}
+\begin{verbatim}
+$ cat /proc/self/maps
+00400000-0040c000 r-xp 00000000 fe:00 23360017 /bin/cat
+0060b000-0060c000 r--p 0000b000 fe:00 23360017 /bin/cat
+0060c000-0060d000 rw-p 0000c000 fe:00 23360017 /bin/cat
+0060d000-0062e000 rw-p 00000000 00:00 0 [heap]
+7ffff7a31000-7ffff7bd3000 r-xp 00000000 fe:00 2359536 /lib/x86_64-linux-gnu/libc-2.19.so
+7ffff7bd3000-7ffff7dd2000 ---p 001a2000 fe:00 2359536 /lib/x86_64-linux-gnu/libc-2.19.so
+7ffff7dd2000-7ffff7dd6000 r--p 001a1000 fe:00 2359536 /lib/x86_64-linux-gnu/libc-2.19.so
+7ffff7dd6000-7ffff7dd8000 rw-p 001a5000 fe:00 2359536 /lib/x86_64-linux-gnu/libc-2.19.so
+7ffff7dd8000-7ffff7ddc000 rw-p 00000000 00:00 0
+7ffff7ddc000-7ffff7dfc000 r-xp 00000000 fe:00 2359533 /lib/x86_64-linux-gnu/ld-2.19.so
+7ffff7e09000-7ffff7fce000 r--p 00000000 fe:00 3932237 /usr/lib/locale/locale-archive
+7ffff7fce000-7ffff7fd1000 rw-p 00000000 00:00 0
+7ffff7fd4000-7ffff7ff8000 rw-p 00000000 00:00 0
+7ffff7ff8000-7ffff7ffa000 r-xp 00000000 00:00 0 [vdso]
+7ffff7ffa000-7ffff7ffc000 r--p 00000000 00:00 0 [vvar]
+7ffff7ffc000-7ffff7ffd000 r--p 00020000 fe:00 2359533 /lib/x86_64-linux-gnu/ld-2.19.so
+7ffff7ffd000-7ffff7ffe000 rw-p 00021000 fe:00 2359533 /lib/x86_64-linux-gnu/ld-2.19.so
+7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0
+7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
+ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Stack Protect}
+\begin{itemize}
+\item Canaries
+ \begin{itemize}
+ \item Compiler Support (gcc)
+ \begin{itemize}
+ \item -fno-stack-protector
+ \item -fstack-protector
+ \item -fstack-protector-all
+ \item -fstack-protector-strong (since gcc v4.9)
+ \end{itemize}
+ \end{itemize}
+ \begin{itemize}
+ \item Kernel Configuration
+ \begin{itemize}
+ \item CONFIG\_CC\_STACKPROTECTOR\_NONE
+ \item CONFIG\_CC\_STACKPROTECTOR\_REGULAR \\
+ (coverage: 2.81 \%, code size: +0.33 \% )
+ \item CONFIG\_CC\_STACKPROTECTOR\_STRONG \\
+ (coverage: 20.5 \%, code size: +2.4 \% )
+ \end{itemize}
+ \end{itemize}
+\item Stack order randomization
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Stack Canaries: Stack layout}
+\begin{figure}[h]
+\centering
+\includegraphics[width=6cm]{images/em_stack_layout2.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Hardware-based}
+\begin{itemize}
+\item NX (no execute flag for pages)
+ \begin{itemize}
+ \item No Execute Flag for pages (PTE)
+ \item Architectures: x86, PPC, S390, ARM (some)
+ \end{itemize}
+\item MPX (Boundary Protection)
+ \begin{itemize}
+ \item Architecture: x86
+ \item high performance impact
+ \item test only
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% % ----------------------------
+\begin{frame}[fragile]
+\frametitle{grsecurity}
+\begin{itemize}
+\item Security enhancement
+\item Kernel patches (PAX)
+\item Role-based access control
+\item Thread isolation
+\item Container isolation
+\item BPF JIT enhancements
+\item Return Address Protection (GCC)
+\end{itemize}
+
+\end{frame}
diff --git a/security/advanced/frm_mac.tex b/security/advanced/frm_mac.tex
new file mode 100644
index 0000000..31a3915
--- /dev/null
+++ b/security/advanced/frm_mac.tex
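Review bot: The "Mitigation" subsection never mentions the toolchain hardening that the "Address Space Layout" frame silently depends on: randomize\_va\_space only moves the main executable when it is built as PIE, and the "Process Memory Map" example itself shows a non-PIE /bin/cat mapped at the fixed address 00400000, so an item or frame listing `-fPIE -pie`, `-Wl,-z,relro,-z,now` and `-D_FORTIFY_SOURCE=2` (and, for the NX item, that the stack must also be linked non-executable, i.e. without `-z execstack`) would close the gap between the ASLR and Stack Protect frames. On the "Hardware-based" frame, MPX has since been removed from both GCC and the Linux kernel, so the "test only" bullet should present it as deprecated/removed rather than as a current option. "Stack: Code Example II" only behaves as described for a particular compiler, frame layout and optimization level, and the frame should say so, since the 0x18 offset and the +0x7 adjustment will not reproduce on most modern toolchains. Typo on "Exploit Types": `\item Cross-site scripting`.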
@@ -0,0 +1,206 @@
+% ----------------------------
+\subsubsection{Linux Security Modules}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Linux Security Modules}
+\begin{itemize}
+\item Problem: Malware, Exploits
+\item Solution: Mandatory Access Control
+ \begin{itemize}
+ \item Categories: Subjects and Objects
+ \item systemwide, static rule set
+ \item Context sensitive Resource Access
+ \end{itemize}
+\item Implementation
+ \begin{itemize}
+ \item SE-Linux
+ \item AppArmor
+ \item SMACK
+ \item Tomoyo
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Terms}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Domain}
+\begin{figure}[h]
+\centering
+\includegraphics[width=8cm]{images/mac_terms.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Domain}
+\begin{itemize}
+\item Domain transition for each starting Process
+\item Default: Inherit previous Domain
+\item Note: Domains are unique
+\end{itemize}
+\begin{beamerboxesrounded}[shadow=true]{Example:}
+\begin{small}
+\begin{verbatim}
+<kernel> /sbin/init /etc/rc.d/rcS /usr/local/bin/myappl
+<kernel> /sbin/init /etc/rc.d/rcS /usr/bin/opensshd \
+ /bin/bin/bash /usr/local/bin/myappl
+\end{verbatim}
+\end{small}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Domain Transition Management}
+\begin{itemize}
+\item Control Domain Transition Behavior
+\item Syntax: \\
+\begin{verbatim}
+<directive> <domain> from <domain>
+\end{verbatim}
+\item Directives:
+\begin{itemize}
+\item initialize\_domain / no\_initialize\_domain
+\item keep\_domain / no\_keep\_domain
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Profile}
+\begin{itemize}
+\item Profiles define Domain restriction behavior
+\item Profile Relation to Domain: n..m
+\item Up to 255 Profiles
+\item Profile Modes:
+ \begin{itemize}
+ \item disabled
+ \item learning
+ \item permissive
+ \item enforcing
+ \end{itemize}
+\item Logging
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Policy}
+\begin{itemize}
+\item Policies describe Domain restrictions
+\item Policy for each Domain
+\item Directives:
+\begin{itemize}
+\item file (read, write, execute, append, chown, chgrp, create, mkfifo, \dots)
+\item misc env
+\item network inet (stream, dgram, raw)
+\item network unix (stream, dgram, seqpacket)
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Examples}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Example I}
+\begin{beamerboxesrounded}[shadow=true]{profile.conf:}
+\begin{tiny}
+\begin{verbatim}
+PROFILE_VERSION=20110903
+0-COMMENT=-----Disabled Mode-----
+0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
+0-CONFIG={ mode=disabled grant_log=no reject_log=yes }
+1-COMMENT=-----Learning Mode-----
+1-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
+1-CONFIG={ mode=learning grant_log=no reject_log=yes }
+2-COMMENT=-----Permissive Mode-----
+2-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
+2-CONFIG={ mode=permissive grant_log=no reject_log=yes }
+3-COMMENT=-----Enforcing Mode-----
+3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
+3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }
+4-COMMENT=-----Permissive Mode File-only -----
+4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
+4-CONFIG::file={ mode=permissive grant_log=no reject_log=yes }
+4-CONFIG::file::execute={ mode=disabled grant_log=no reject_log=no }
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Example II}
+\begin{beamerboxesrounded}[shadow=true]{exception\_policy.conf:}
+\begin{tiny}
+\begin{verbatim}
+initialize_domain /sbin/ldconfig from any
+keep_domain any from /sbin/ldconfig
+
+path_group ANY_PATHNAME /
+path_group ANY_PATHNAME /\*
+path_group ANY_PATHNAME /\{\*\}/
+path_group ANY_PATHNAME /\{\*\}/\*
+path_group ANY_PATHNAME \*:/
+path_group ANY_PATHNAME \*:/\*
+path_group ANY_PATHNAME \*:/\{\*\}/
+path_group ANY_PATHNAME \*:/\{\*\}/\*
+path_group ANY_PATHNAME \*:[\$]
+path_group ANY_PATHNAME socket:[family=\$:type=\$:protocol=\$]
+path_group ANY_DIRECTORY /
+path_group ANY_DIRECTORY /\{\*\}/
+path_group ANY_DIRECTORY \*:/
+path_group ANY_DIRECTORY \*:/\{\*\}/
+
+acl_group 1 file read/getattr @ANY_DIRECTORY
+acl_group 1 file read/getattr @ANY_PATHNAME
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Example III}
+\begin{beamerboxesrounded}[shadow=true]{profile.conf:}
+\begin{tiny}
+\begin{verbatim}
+<kernel>
+use_profile 4
+use_group 1
+
+<kernel> /sbin/ldconfig
+use_profile 4
+use_group 1
+file create /etc/ld.so.cache~ 0600
+file write /etc/ld.so.cache~
+file chmod /etc/ld.so.cache~ 0644
+file rename /etc/ld.so.cache~ /etc/ld.so.cache
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Tools}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Tools}
+\begin{itemize}
+\item tomoyo-editpolicy
+\item tomoyo-selectpolicy
+\item tomoyo-patternize
+\item tomoyo-diffpolicy
+\item tomoyo-sortpolicy
+\item tomoyo-loadpolicy
+\end{itemize}
+\end{frame}
+
diff --git a/security/advanced/frm_multiuser_dac.tex b/security/advanced/frm_multiuser_dac.tex
new file mode 100644
index 0000000..8085466
--- /dev/null
+++ b/security/advanced/frm_multiuser_dac.tex
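Review bot: The "Terms", "Examples" and "Tools" subsections describe TOMOYO specifically (domain strings, profile.conf, exception\_policy.conf, the tomoyo-* tools), while the heading and the opening frame present Linux Security Modules in general and list SE-Linux, AppArmor and SMACK as peers; a one-line lead-in such as "Terminology and examples below are TOMOYO's" on the first "Domain" frame would stop readers from carrying "domain" and "profile" over to SELinux or AppArmor, where they mean different things. The box title of "Example III" repeats `profile.conf:` although its content (domain entries with use\_profile/use\_group and file rules) is domain policy, so it should presumably read `domain\_policy.conf:`. The second domain string in the "Domain" example contains `/bin/bin/bash`, which looks like a typo for `/bin/bash`. On the "Profile" frame it would help to say that only the enforcing mode denies access and that learning and permissive exist to build the policy, since the Example I profile file mixes all four modes without explanation.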
@@ -0,0 +1,363 @@
+% ----------------------------
+\subsubsection{Users and Groups}
+
+\begin{frame}[fragile]
+\frametitle{Users}
+\begin{itemize}
+\item Multiple Users per System
+\item Login spawn shell with user privileges
+\item Process(es) inherit user privileges
+\end{itemize}
+\begin{beamerboxesrounded}[shadow=true]{Tools:}
+\begin{tiny}
+\begin{verbatim}
+# Add new user (interactive)
+adduser <new_user>
+# Remove existing user
+deluser <user_name>
+
+# Change password
+passwd [<user_name>]
+
+# Switch user ID
+su <user_name>
+# Run command as superuser (root)
+sudo <command>
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Groups}
+\begin{itemize}
+\item Group contain 0..n users (static)
+\item Default group for each user
+\item 0..n supplementary groups for each user
+\item User can change group dynamically (password required)
+\end{itemize}
+\begin{beamerboxesrounded}[shadow=true]{Tools:}
+\begin{tiny}
+\begin{verbatim}
+# Add new group
+addgroup <new_group>
+# Remove existing group
+delgroup <group_name>
+
+# Add user to group
+usermod <user_name> [-g <primary_gid>] [-G <list_of_supp_group_ids>]
+
+# Show current user and group ID
+id
+# Switch group ID
+newgrp <group_name>
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Local Authentication Databases}
+\begin{itemize}
+\item User Database: /etc/passwd
+\item Group Database: /etc/group
+\item Password Database: /etc/shadow
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Pluggable Authentication Modules (PAM)}
+\begin{frame}[fragile]
+\frametitle{Pluggable Authentication Modules (PAM)}
+\begin{itemize}
+\item Pluggable shared libraries
+\item System-wide Authentication
+\item Plugins available for:
+\begin{itemize}
+\item UserID and Password (local)
+\item LDAP
+\item Kerberos (e.g. NIS, Windows Domain Controller)
+\item Hardware-based Authentication (e.g. SmartCard)
+\end{itemize}
+\item Extendable with own PAM modules
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{File Access Control}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{File Access Control}
+\begin{figure}[h]
+\centering
+\includegraphics[width=8cm]{images/file_access_control.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Basic File Permissions}
+\begin{itemize}
+\item for each File or Directory
+\item checked by Virtual Filesystem Layer
+\item Access Mode: \\
+ read, write, execute (entry)
+\item Access Role: \\
+ user, group, other
+\item Special: \\
+ set UID, set GID, sticky
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Basic File Permissions: Example}
+\begin{beamerboxesrounded}[shadow=true]{Example}
+\begin{tiny}
+\begin{verbatim}
+$ ls -l /dev/ttyS?
+crw-rw---- 1 root dialout 4, 64 Nov 5 08:14 /dev/ttyS0
+crw-rw---- 1 root dialout 4, 65 Nov 5 08:14 /dev/ttyS1
+crw-rw---- 1 root dialout 4, 66 Nov 5 08:14 /dev/ttyS2
+crw-rw---- 1 root dialout 4, 67 Nov 5 08:14 /dev/ttyS3
+
+# Change ownership
+chown service /dev/ttyS1
+chgrp test /dev/ttyS1
+
+# Change permissions
+chmod u=rw g=r o= /dev/ttyS1
+
+$ ls -l /dev/ttyS?
+crw-rw---- 1 root dialout 4, 64 Nov 5 08:14 /dev/ttyS0
+crw-r----- 1 service test 4, 65 Nov 5 08:14 /dev/ttyS1
+crw-rw---- 1 root dialout 4, 66 Nov 5 08:14 /dev/ttyS2
+crw-rw---- 1 root dialout 4, 67 Nov 5 08:14 /dev/ttyS3
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Access Control Lists}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Access Control List (ACL)}
+\begin{itemize}
+\item More Users and Groups
+\item Round up Groups
+\item Tools: \\
+ setfacl, getfacl
+\item Requires: \\
+ mount \dots -o acl
+\item Pitfalls: \\
+ Not all tools like tar support ACLs
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{ACL: Example}
+\begin{itemize}
+\item Sue, Bob and Henry working together on ProjectX. Sue and Henry are
+members of group \emph{dept\_a}, and Bob is member of group \emph{dept\_b}.
+\item Q: Do we really need another group \emph{project\_x} with members Sue, Bob
+and Henry?
+\item A: Not mandatory.
+\end{itemize}
+\begin{beamerboxesrounded}[shadow=true]{Alternative Solution:}
+\begin{tiny}
+\begin{verbatim}
+mkdir /data/shared/project_x
+chown pm_admin:pm_admin /data/shared/project_x
+setfacl -m user:sue:rwx /data/shared/project_x
+setfacl -m user:bob:rwx /data/shared/project_x
+setfacl -m user:henry:rwx /data/shared/project_x
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{ACL: Example (2)}
+\begin{beamerboxesrounded}[shadow=true]{Result:}
+\begin{tiny}
+\begin{verbatim}
+getfacl /data/shared/project_x
+# file: data/shared/project_x/
+# owner: pm_admin
+# group: pm_admin
+user::rwx
+user:sue:rwx
+user:bob:rwx
+user:henry:rwx
+group::r-x
+mask::rwx
+other::r-x
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Extended File Attributes}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Extended File Attributes}
+\begin{itemize}
+\item More File Attributes
+ \begin{itemize}
+ \item a - append only
+ \item i - immutable
+ \item s - Override with zeros on delete
+ \end{itemize}
+\item Tools: \\
+ lsattr, chattr
+\item Requires: \\
+ root or mount \dots -o user\_xattr
+\item Pitfalls: \\
+ Not all tools like tar support xattr
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{xattr: Example}
+\begin{itemize}
+\item Q: You want to check what user Franz is typing on commandline?
+\item A: Look at /home/franz/.bash\_history
+\item But Franz is clever and deletes /home/franz/.bash\_history
+\item Q: How can you prevent that?
+\end{itemize}
+\begin{beamerboxesrounded}[shadow=true]{Solution:}
+\begin{tiny}
+\begin{verbatim}
+sudo chattr +a /home/franz/.bash_history
+lsattr /home/franz/.bash_history
+-----a-------e-- /home/franz/.bash_history
+rm /home/franz/.bash_history
+rm: cannot remove `/home/franz/.bash_history': Operation not permitted
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Multi-user Programming}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{UserIDs and GroupIDs of a Process}
+\begin{itemize}
+\item Real
+ \begin{itemize}
+ \item privileged: \\
+ set to any value
+ \item unprivileged: \\
+ set to real or effective
+ \end{itemize}
+\item Effective
+ \begin{itemize}
+ \item privileged: \\
+ set to any value
+ \item unprivileged: \\
+ set to real, effective, saved
+ \end{itemize}
+\item Saved
+ \begin{itemize}
+ \item normal: \\
+ set to real UID/GID
+ \item s-Bit: \\
+ set to file UID/GID
+ \item privileged: \\
+ set to any value
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{UID/GID: change}
+\begin{figure}[h]
+\centering
+\includegraphics[width=8cm]{images/proc_uidgid.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{UID/GID: Programming I}
+\begin{beamerboxesrounded}[shadow=true]{temporary change of Effective:}
+\begin{tiny}
+\begin{verbatim}
+printf("\nChange effective UID/GID back...\n");
+if(setegid(real_gid))
+ /* error handling */;
+if(seteuid(real_uid))
+ /* error handling */;
+print_resugid();
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\begin{beamerboxesrounded}[shadow=true]{and back again:}
+\begin{tiny}
+\begin{verbatim}
+printf("...and forth\n");
+if(seteuid(saved_uid))
+ /* error handling */;
+if(setegid(saved_gid))
+ /* error handling */;
+print_resugid();
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\begin{beamerboxesrounded}[shadow=true]{Drop finally:}
+\begin{tiny}
+\begin{verbatim}
+printf("\nChange finally to stored UID/GID“);
+printf(" (there is no way back)\n");
+if(setregid(saved_gid, saved_gid))
+ /* error handling */;
+if(setreuid(saved_uid, saved_uid))
+ /* error handling */;
+print_resugid();
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{UID/GID: Programming II}
+\begin{beamerboxesrounded}[shadow=true]{Result:}
+\begin{tiny}
+\begin{verbatim}
+$ ls -l
+-rwsr-sr-x 1 dengler dengler 8480 Aug 19 17:22 ugid_to_stored
+
+$ ./ugid_to_stored
+Backup all UID/GID
+UIDs/GIDs after start
+eUID 1000 (rUID 1002, sUID 1000)
+eGID 1000 (rGID 1002, sGID 1000)
+
+Change effective UID/GID back...
+eUID 1002 (rUID 1002, sUID 1000)
+eGID 1002 (rGID 1002, sGID 1000)
+...and forth
+eUID 1000 (rUID 1002, sUID 1000)
+eGID 1000 (rGID 1002, sGID 1000)
+
+Change finally to stored UID/GID (there is no way back)
+eUID 1000 (rUID 1000, sUID 1000)
+eGID 1000 (rGID 1000, sGID 1000)
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
diff --git a/security/advanced/frm_namespace_container.tex b/security/advanced/frm_namespace_container.tex
new file mode 100644
index 0000000..4e53733
--- /dev/null
+++ b/security/advanced/frm_namespace_container.tex
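Review bot: The "Extended File Attributes" frame conflates two mechanisms: the a/i/s flags set with chattr/lsattr are inode attribute flags of ext2/3/4 (changing them needs CAP\_LINUX\_IMMUTABLE, not `-o user\_xattr`), whereas extended attributes proper are name/value pairs handled by setfattr/getfattr and are what the ACL and capability frames build on; the frame and the "xattr: Example" title should be reworded to "File attribute flags", keeping the chattr example, with the tar pitfall moved to a genuine xattr item. In the "Drop finally" box on "UID/GID: Programming I", `printf("\nChange finally to stored UID/GID“);` ends the string with a typographic quote instead of `"`, so the snippet will not compile as printed. The same box drops privileges with setregid/setreuid; a remark that setresgid()/setresuid() set all three IDs explicitly (group before user, as the box already does) and that the result should be confirmed with getresuid()/getresgid() before continuing would make the example safer to copy, since a failed drop is otherwise visible only in the demo output. On the PAM frame, NIS is not a Kerberos deployment: `\item Kerberos (e.g. Windows Domain Controller)` with NIS as its own item would be accurate.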
@@ -0,0 +1,132 @@
+% ----------------------------
+\subsubsection{Namespaces}
+
+\begin{frame}[fragile]
+\frametitle{Namespaces}
+\begin{itemize}
+\item Mount: \\
+ Provide different filesystem
+\item IPC: \\
+ Provide isolated inter process communication entities
+\item Network: \\
+ Provide isolated networking environment
+\item User: \\
+ Provide different User/UID mapping
+\item UTS: \\
+ Provide different hostname
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Container}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Containers}
+\begin{itemize}
+\item Application Isolation
+\item Lightweight Virtualisation
+\item Based on cgroups and namespaces
+\item Easy namespace configuration and management
+\item Projects:
+ \begin{itemize}
+ \item Docker
+ \item Linux-VServer
+ \item OpenVZ
+ \item Linux Container (LXC)
+ \item \dots
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{LXC Handling}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Linux Containers (LXC)}
+\begin{beamerboxesrounded}[shadow=true]{Start/Stop container:}
+\begin{tiny}
+\begin{verbatim}
+# Start: Better for single commands
+lxc-execute -n cont_name [-f config] /bin/bash
+# Start: Better for container systems
+lxc-start -n cont_name [-f config]
+
+# Stop container
+lxc-stop -n foo
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+
+\begin{beamerboxesrounded}[shadow=true]{Control container:}
+\begin{tiny}
+\begin{verbatim}
+# Pause/resume container (controlling group of processes)
+lxc-freeze -n cont_name
+lxc-unfreeze -n cont_name
+
+# Monitor container states
+lxc-monitor -n cont_name
+
+# Attach to container console
+lxc-console -n cont_name
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Linux Container (LXC): Configuration I}
+\begin{beamerboxesrounded}[shadow=true]{Networking 
example:}
+\begin{tiny}
+\begin{verbatim}
+lxc.utsname = myhostname
+lxc.network.type = veth
+lxc.network.flags = up
+lxc.network.link = br0
+lxc.network.name = eth0
+lxc.network.hwaddr = 4a:49:43:49:79:bf
+lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Linux Container (LXC): Configuration II}
+\begin{beamerboxesrounded}[shadow=true]{Controlgroup example:}
+\begin{tiny}
+\begin{verbatim}
+lxc.cgroup.cpuset.cpus = 0,1
+lxc.cgroup.devices.deny = a
+lxc.cgroup.devices.allow = c 1:3 rw
+lxc.cgroup.devices.allow = b 8:0 rw
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Summary}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Container: Summary}
+\begin{itemize}
+\item lightweight virtualization
+\item isolation of applications
+\item hide system resources/configuration
+\item Problems:
+ \begin{itemize}
+ \item shared kernel
+ \item robustness against attacks
+ \end{itemize}
+\item Solution:
+ \begin{itemize}
+ \item combination of namespaces with Mandatory Access Control (MAC)
+ \end{itemize}
+\end{itemize}
+\end{frame}
diff --git a/security/advanced/frm_process_thread.tex b/security/advanced/frm_process_thread.tex
new file mode 100644
index 0000000..b58a452
--- /dev/null
+++ b/security/advanced/frm_process_thread.tex
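Review bot: The Controlgroup example on the Configuration II slide whitelists `lxc.cgroup.devices.allow = b 8:0 rw`, which hands the container read/write access to the whole first SCSI/SATA disk (block major 8, minor 0 is /dev/sda) and undoes the isolation that the preceding `lxc.cgroup.devices.deny = a` line establishes; either drop that line or add a verbatim comment such as `# 8:0 = /dev/sda: raw host disk -- illustration only, never grant in a real config`. The Namespaces slide omits the PID namespace, which is the one that hides host processes from the container and belongs in the list next to Mount/IPC/Network/User/UTS. The Start/Stop box uses `-n cont_name` for every command except `lxc-stop -n foo`; using `cont_name` throughout keeps the example consistent for students.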
@@ -0,0 +1,113 @@
+% ----------------------------
+\subsubsection{Process Isolation}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Why isolating tasks?}
+\begin{figure}[h]
+\centering
+\includegraphics[width=5cm]{images/multithread_norm.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Multithreaded Application under attack}
+\begin{figure}[h]
+\centering
+\includegraphics[width=5cm]{images/multithread_attack.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Multi-process vs. Multi-thread}
+\begin{figure}[h]
+\centering
+\includegraphics[width=8cm]{images/multiproc_norm.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Multi-process under attack}
+\begin{figure}[h]
+\centering
+\includegraphics[width=8cm]{images/multiproc_attack.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Memory Management}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Memory Manangement}
+\begin{itemize}
+\item create process context
+\item overload VMA
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[width=8cm]{images/proc_isol.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Multiprocess Programming}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Multiprocess Programming}
+\begin{columns}[onlytextwidth]
+ \begin{column}{0.45\textwidth}
+ \begin{beamerboxesrounded}[shadow=true]{Program:}
+ \begin{tiny}
+ \begin{verbatim}
+[...]
+pid = fork();
+switch (pid) {
+case -1:
+ /* error handling */
+case 0:
+ /* child processing */
+ execve(argv[0], &argv[0], envp);
+ break;
+default:
+ /* parent processing */
+ [...]
+ pid = wait(&status);
+}
+[...]
+ \end{verbatim}
+ \end{tiny}
+ \end{beamerboxesrounded}
+ \end{column}
+ \begin{column}{0.45\textwidth}
+ \begin{beamerboxesrounded}[shadow=true]{Arguments:}
+ \begin{tiny}
+ \begin{verbatim}
+char *argv[] = {
+ "/bin/myappl",
+ "--config",
+ "/etc/myconfig",
+ NULL,
+};
+ \end{verbatim}
+ \end{tiny}
+ \end{beamerboxesrounded}
+ \begin{beamerboxesrounded}[shadow=true]{Environment:}
+ \begin{tiny}
+ \begin{verbatim}
+char *envp[] = {
+ "HOME=/myhome",
+ "PATH=/bin:/usr/bin",
+ "TZ=UTC0",
+ NULL,
+};
+ \end{verbatim}
+ \end{tiny}
+ \end{beamerboxesrounded}
+ \end{column}
+\end{columns}
+\end{frame}
diff --git a/security/advanced/pres_advanced_sec.tex b/security/advanced/pres_advanced_sec.tex
index 1a8c0b6..ccbf05e 100644
--- a/security/advanced/pres_advanced_sec.tex
+++ b/security/advanced/pres_advanced_sec.tex
@@ -247,6 +247,9 @@ rm: cannot remove `/home/franz/.bash_history': Operation not permitted \end{frame} % ---------------------------- +\input{security/advanced/frm_capabilities.tex} + +% ---------------------------- \subsubsection{Process} \begin{frame}[fragile]
diff --git a/security/advanced/pres_capability.tex b/security/advanced/pres_capability.tex
new file mode 100644
index 0000000..cb4cf0e
--- /dev/null
+++ b/security/advanced/pres_capability.tex
@@ -0,0 +1,20 @@
+\input{configpres}
+
+% ----------------------------
+\subsection{Linux Capabilities}
+
+\title{Linux Capabilities}
+\maketitle
+
+% ----------------------------
+\begin{frame}
+\frametitle{Overview}
+\tableofcontents
+\end{frame}
+
+% ----------------------------
+\input{security/advanced/frm_capabilities.tex}
+
+% ----------------------------
+\subsection*{}
+\input{tailpres}
diff --git a/security/advanced/pres_exploit.tex b/security/advanced/pres_exploit.tex
new file mode 100644
index 0000000..5597c21
--- /dev/null
+++ b/security/advanced/pres_exploit.tex
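Review bot: In the Program box of the Multiprocess Programming slide, `case -1:` has no `break` or exit after `/* error handling */`, so a failed fork() falls through into `case 0` and the parent itself calls execve(); add `exit(EXIT_FAILURE);` after the error-handling comment. The child's `break;` after `execve(argv[0], &argv[0], envp);` is reached only when execve fails, and the child then leaves the switch and continues running the parent's code at `[...]`; the child should terminate with `_exit(127);` instead of `break;`. The frametitle `Memory Manangement` earlier in this file is a typo for `Memory Management`.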
@@ -0,0 +1,20 @@
+\input{configpres}
+
+% ----------------------------
+\subsection{Exploits and Mitigation}
+
+\title{Exploits and Mitigation}
+\maketitle
+
+% ----------------------------
+\begin{frame}
+\frametitle{Overview}
+\tableofcontents
+\end{frame}
+
+% ----------------------------
+\input{security/advanced/frm_exploit_mitigation.tex}
+
+% ----------------------------
+\subsection*{}
+\input{tailpres}
diff --git a/security/advanced/pres_mac.tex b/security/advanced/pres_mac.tex
new file mode 100644
index 0000000..e50ec66
--- /dev/null
+++ b/security/advanced/pres_mac.tex
@@ -0,0 +1,20 @@
+\input{configpres}
+
+% ----------------------------
+\subsection{Linux Mandatory Access Control}
+
+\title{Linux Mandatory Access Control}
+\maketitle
+
+% ----------------------------
+\begin{frame}
+\frametitle{Overview}
+\tableofcontents
+\end{frame}
+
+% ----------------------------
+\input{security/advanced/frm_mac.tex}
+
+% ----------------------------
+\subsection*{}
+\input{tailpres}
diff --git a/security/advanced/pres_multiuser_dac.tex b/security/advanced/pres_multiuser_dac.tex
new file mode 100644
index 0000000..c45b009
--- /dev/null
+++ b/security/advanced/pres_multiuser_dac.tex
@@ -0,0 +1,20 @@
+\input{configpres}
+
+% ----------------------------
+\subsection{Linux Multi User}
+
+\title{Linux Multi User}
+\maketitle
+
+% ----------------------------
+\begin{frame}
+\frametitle{Overview}
+\tableofcontents
+\end{frame}
+
+% ----------------------------
+\input{security/advanced/frm_multiuser_dac.tex}
+
+% ----------------------------
+\subsection*{}
+\input{tailpres}
diff --git a/security/advanced/pres_namespace_container.tex b/security/advanced/pres_namespace_container.tex
new file mode 100644
index 0000000..7572b0c
--- /dev/null
+++ b/security/advanced/pres_namespace_container.tex
@@ -0,0 +1,20 @@
+\input{configpres}
+
+% ----------------------------
+\subsection{Linux Namespaces}
+
+\title{Linux Namespaces}
+\maketitle
+
+% ----------------------------
+\begin{frame}
+\frametitle{Overview}
+\tableofcontents
+\end{frame}
+
+% ----------------------------
+\input{security/advanced/frm_namespace_container.tex}
+
+% ----------------------------
+\subsection*{}
+\input{tailpres}
diff --git a/security/advanced/pres_process_thread.tex b/security/advanced/pres_process_thread.tex
new file mode 100644
index 0000000..a58f449
--- /dev/null
+++ b/security/advanced/pres_process_thread.tex
@@ -0,0 +1,20 @@
+\input{configpres}
+
+% ----------------------------
+\subsection{Linux Process Isolation}
+
+\title{Linux Process Isolation}
+\maketitle
+
+% ----------------------------
+\begin{frame}
+\frametitle{Overview}
+\tableofcontents
+\end{frame}
+
+% ----------------------------
+\input{security/advanced/frm_process_thread.tex}
+
+% ----------------------------
+\subsection*{}
+\input{tailpres}
|
