Loading…
28 - 29 August | Amsterdam, Netherlands
View More Details & Registration
Note: The schedule is subject to change.

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for Linux Security Summit Europe 2025 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

This schedule is automatically displayed in Central European Summer Time (CEST | UTC+2). To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date."
Type: Refereed Presentations clear filter
Thursday, August 28
 

09:05 CEST

Linux and CHERI: Back to the Future - Carl Shaw, Codasip
Thursday August 28, 2025 09:05 - 09:50 CEST
Speakers
avatar for Carl Shaw

Carl Shaw

Safety and Security Manager, Codasip
Prior to joining Codasip, Carl has provided security engineering and architecture consultancy to leading global electronics and semiconductor companies for more than 15 years. With a Physics Ph.D., and a career mixing electronics design in government defense, and OS and firmware development... Read More →
Thursday August 28, 2025 09:05 - 09:50 CEST
G102-103

10:55 CEST

Supporting Kernel Memory Integrity Through LVBS - Thara Gopinath & Femi Adeyemi, Microsoft
Thursday August 28, 2025 10:55 - 11:40 CEST
Linux Virtualization based Security (LVBS) is a security feature that leverages hypervisors to a) harden the kernel and b) ensure that critical kernel resources remain untampered, even if the guest kernel gets compromised by creating an isolated environment that runs at a higher trust level than the normal operating environment. A key kernel integrity feature of LVBS is to ensure that kernel memory protections (read-only, W^X) are backed up by this trusted environment using Second Level Page Tables so that even if the guest kernel is compromised, the kernel memory cannot be tampered with.
One of the challenges in enabling hypervisor-enforced kernel memory protection is that the Linux kernel inherently supports features that either modify existing kernel code or inject code into the kernel memory space. In this talk, we aim to examine a comprehensive list of such kernel features (which are inherently easier exploit surfaces) and then discuss how these features can be hardened via LVBS to ensure that the integrity and authenticity of patched code, even if the kernel is compromised. Finally, we present the status of our work in implementing these hardenings.
Speakers
avatar for Thara Gopinath

Thara Gopinath

Principal Software Eng Lead, Microsoft
Thara Gopinath is a Principal Software Engineering Lead at Microsoft. She has been working on various Linux kernel subsystems since 2009 and currently leads the team implementing Linux Virtualization Based Security (LVBS) at Microsoft.
avatar for Femi Adeyemi

Femi Adeyemi

Senior Software Engineer @ Microsoft, working on Virtualization Based Security, Microsoft
Femi Adeyemi is a Senior Software Engineer at Microsoft, enhancing Linux kernel security using virtualization technologies
Thursday August 28, 2025 10:55 - 11:40 CEST
G102-103
 
Friday, August 29
 

09:05 CEST

FineIBT Enhanced: Hardening Linux’s Microarchitectural Security on X86 - Scott Constable, Intel Labs & Sebastian Österlund, Intel
Friday August 29, 2025 09:05 - 09:50 CEST
Microarchitectural attacks such as Branch History Injection (BHI) can expose kernel data when instructions at a mispredicted indirect call target are executed speculatively with malicious data crafted by the attacker.

FineIBT (Fine-grain Control-flow Enforcement with Indirect Branch Tracking) is a hardening technique adopted by the Linux kernel (first merged in 6.2) that performs a check at each indirect call target to ensure that the target’s type (e.g., void (*)(int)) matches the type of the function pointer that was used to make the call. Although FineIBT can provide substantial defense-in-depth against architectural attacks such as Call-Oriented Programming (COP), its current implementation does not address microarchitectural attacks.

This talk introduces a new enhancement to FineIBT that hardens the Linux kernel against a plethora of microarchitectural attacks—including BHI—by poisoning the contents of live registers whenever the FineIBT check fails, thus preventing an attacker from using those registers to pass malicious data to a mis-predicted call target. This enhancement has been merged into Linux 6.15.
Speakers
avatar for Scott Constable

Scott Constable

Defensive Security Researcher, Intel Labs
Scott Constable is a security researcher at Intel Labs. He received his PhD in computer science from Syracuse University in 2018. Scott has contributed: Load Value Injection mitigations to LLVM/clang (2021); malicious single-step mitigations to the Intel SGX SDK (2023); a transient... Read More →
avatar for Sebastian Österlund

Sebastian Österlund

Offensive Security Researcher, Intel
Sebastian is an Offensive Security Researcher at Intel IPAS STORM, working on Operating Systems security mitigations, microcode static analysis, confidential computing, fuzzing, and more. In the past Sebastian has worked extensively on speculative execution attacks, being one of the... Read More →
Friday August 29, 2025 09:05 - 09:50 CEST
G102-103

10:55 CEST

Landlock Config - Mickaël Salaün, Microsoft
Friday August 29, 2025 10:55 - 11:40 CEST
One of Landlock's main goals is to empower Linux users to sandbox their programs. We've focused on building the foundation of a new unprivileged access control system, including an interface for developers to sandbox programs. While sandboxing tools already leverage Landlock, a well-defined way to describe security policies is still needed.

To address this, we're designing a user-friendly configuration format, marking a significant step toward making Landlock more accessible. This format enables users to describe a set of restrictions enforced on their programs and helps democratize Linux sandboxing. The new configuration format and related library simplify sandbox creation by allowing users to compose modular security policies. Linux distributions can also provide predefined policies that users can customize, reducing the maintenance burden.

In this talk, we’ll explain the design of this new configuration format, available to end users via TOML and to developers via JSON. We'll also demonstrate a new tool that makes Landlock sandboxing straightforward and accessible.
Speakers
avatar for Mickaël Salaün

Mickaël Salaün

Senior Software Engineer, Microsoft
Mickaël Salaün is a kernel developer and open source enthusiast. He is mainly interested in Linux-based operating systems, especially from a security point of view. He has built security sandboxes before hacking into the kernel on a new LSM called Landlock, of which he is now the... Read More →
Friday August 29, 2025 10:55 - 11:40 CEST
G102-103

13:45 CEST

Recoverable, Tamper-resistant Full-disk Encryption at the Distributed Edge - Kobus van Schoor, DataProphet
Friday August 29, 2025 13:45 - 14:30 CEST
This talk presents a fully open-source framework to achieve secure full disk encryption (FDE) for TPM-equipped Edge devices (IoT), balancing strong security guarantees with practical maintainability at scale. We address key features including automated disk unlocking and recovery, monitoring and remote access. The talk will cover the following:

* A fully verified boot chain, from EFI firmware through the initramfs. We'll cover which system components to verify and common pitfalls to avoid when setting up a secure boot chain.
* A newly-developed, open-source TPM PCR prediction mechanism enabling seamless reboots after kernel or initramfs updates.
* Automated disk encryption key onboarding and recovery using Tang and Clevis.
* Secure remote access and fleet observability while disks remain locked - using WireGuard, SSH, and Prometheus.
* Guidance on how to extend the initramfs (dracut) with your own tooling.
* Discussion of shortfalls and potential security risks

Our aim with this talk is to help you make FDE convenient, recoverable and monitored to make large-scale rollouts possible.
Speakers
avatar for Kobus van Schoor

Kobus van Schoor

Tech Lead, DataProphet
I’m a senior software engineer in the Edge team at DataProphet, a South-African company building a real-time data collection and analytics platform for manufacturers. Edge devices are fully remotely managed Linux-based factory appliances that collect data from a variety of datasources.I’m... Read More →
Friday August 29, 2025 13:45 - 14:30 CEST
G102-103
 
  • Filter By Date
  • Filter By Venue
  • Filter By Type
  • Timezone

Share Modal

Share this link via

Or copy link

Filter sessions
Apply filters to sessions.