Bio

Mickaël Salaün [mi.ka.ɛl sa.lɛ̃] is a security researcher, software developer and open source enthusiast. He is mostly interested in Linux-based operating systems, especially from a security point of view. He has built security sandboxes (e.g. StemJail) before hacking into the kernel on a new LSM called Landlock.

Projects

Landlock

Unprivileged access control

The goal of Landlock is to make it possible to restrict the ambient rights (e.g. global filesystem access) of a set of processes. Because Landlock is a stackable LSM, it allows safe security sandboxes to be created as new security layers on top of the existing system-wide access controls. This kind of sandbox is expected to help mitigate the security impact of bugs or unexpected/malicious behaviors in user space applications. Landlock empowers any process, including unprivileged ones, to securely restrict itself.
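As an added illustration of that last point (example code written for this page, not code from the page itself or from the Landlock project), the C program below has an unprivileged process build a ruleset that denies every filesystem right except reading beneath one directory, then applies it to itself. The syscall numbers and flag values are copied from the Linux UAPI for Landlock ABI version 1 so the program builds without the header; `/usr` is simply the assumed directory to expose.

```c
// Added example (not from this page or the Landlock project): an unprivileged process
// restricts itself to read-only access beneath one directory. Numbers mirror the Linux UAPI.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <sys/prctl.h>
#include <unistd.h>
#define NR_LANDLOCK_CREATE_RULESET 444 /* syscall numbers are the same on every architecture */
#define NR_LANDLOCK_ADD_RULE 445
#define NR_LANDLOCK_RESTRICT_SELF 446
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#define LANDLOCK_RULE_PATH_BENEATH 1
#define LANDLOCK_ACCESS_FS_READ_FILE (1ULL << 2)
#define LANDLOCK_ACCESS_FS_READ_DIR (1ULL << 3)
#define LANDLOCK_ABI1_ALL_FS ((1ULL << 13) - 1) /* all 13 filesystem rights of ABI version 1 */
struct landlock_ruleset_attr { uint64_t handled_access_fs; };
struct landlock_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));
/* Landlock ABI version supported by the running kernel, or -errno if it is unavailable. */
int landlock_abi_version(void) {
    long v = syscall(NR_LANDLOCK_CREATE_RULESET, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
    return v < 0 ? -errno : (int)v;
}
/* Ruleset handling every ABI v1 filesystem right (each denied by default) that allows only
 * reading files and listing directories beneath `dir`. Not enforced yet; returns fd or -errno. */
int build_read_only_ruleset(const char *dir) {
    int abi = landlock_abi_version();
    if (abi < 1) return abi < 0 ? abi : -EOPNOTSUPP;
    struct landlock_ruleset_attr rs = { .handled_access_fs = LANDLOCK_ABI1_ALL_FS };
    int ruleset_fd = syscall(NR_LANDLOCK_CREATE_RULESET, &rs, sizeof(rs), 0);
    if (ruleset_fd < 0) return -errno;
    struct landlock_path_beneath_attr pb = { LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR,
                                             open(dir, O_PATH | O_CLOEXEC) };
    int err = (pb.parent_fd < 0 || syscall(NR_LANDLOCK_ADD_RULE, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &pb, 0)) ? errno : 0;
    if (pb.parent_fd >= 0) close(pb.parent_fd);
    if (err) { close(ruleset_fd); return -err; }
    return ruleset_fd;
}
/* Enforce the ruleset on the calling thread. Setting no_new_privs first is mandatory, so the
 * restriction cannot be dropped by executing a setuid binary. Returns 0 or -errno. */
int landlock_enforce(int ruleset_fd) {
    return (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || syscall(NR_LANDLOCK_RESTRICT_SELF, ruleset_fd, 0)) ? -errno : 0;
}
int main(void) {
    int fd = build_read_only_ruleset("/usr"); /* assumed directory to expose read-only */
    if (fd < 0 || landlock_enforce(fd) < 0) return 1;
    close(fd); /* the ruleset fd is not needed once enforced */
    return open("/tmp/landlock-test", O_WRONLY | O_CREAT, 0600) < 0 ? 0 : 1; /* must fail with EACCES */
}
```

Once enforced, the restriction is inherited by every child process and cannot be lifted, which is what makes it usable by ordinary unprivileged programs.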

StemJail

Dynamic sandboxer (only) using Linux user namespaces

StemJail is a proof of concept that isolates groups of processes belonging to the same activity into an environment exposing only the relevant subset of user data. Dynamic activity discovery allows seamless integration into the user's workflow. Moreover, StemJail is designed to run without intrusive changes to the system and to be configured and used by any unprivileged user, thanks to Linux user namespaces. Last but not least, StemJail is developed in Rust to help prevent a wide range of recurring security vulnerabilities, without compromising performance.

Linux kernel contributions

Miscellaneous features and fixes

Touching subsystems like seccomp, User-mode Linux, BPF, LSM and grsecurity. Some patches may be in flight.

Linux security patches archives

grsecurity's Git repository (reconstruction)

grsecurity is the most advanced Linux kernel hardening patchset. This repository, not affiliated with the upstream project, aggregates most public grsecurity patches applied to consistent Linux source trees. The raw grsecurity patches, PaX patches and combined VServer + grsecurity patches are also available with their associated changelogs.

Linux-VServer's Git repository (reconstruction)

Linux-VServer provides virtualization (nowadays called containerization) for GNU/Linux systems. This repository, not affiliated with the upstream project, aggregates most public Linux-VServer patches applied to consistent Linux source trees (cf. vserver-* branches). The raw Linux-VServer patches are also available.

XenCC

Proof of concept of a Xen covert channel

This covert channel exploits the mechanism used by the Xen hypervisor to share the host's memory with virtual machines. The proof of concept is a Linux driver that creates a device, /dev/xencc, enabling user space in one guest to communicate with another guest.

PhD

Involving the end user in access control: from confined processes to trusted human-computer interface

This thesis aims to provide end users with tools that enhance the security of the system they use. First, user activities of different sensitivities need to be confined in dedicated domains by an access control fitting the user's needs. Next, in order to maintain this confinement, users must be able to reliably identify, from their machine's interface, the domains they interact with.

In the first part, we present a new confinement mechanism that seamlessly adapts to changes in user activity, without altering the behavior of existing access controls or degrading the security of the system. We also describe a first implementation, named StemJail, based on Linux namespaces. We improve this confinement tool by creating a new Linux security module, named Landlock, which can be used without requiring privileges. In a second step, we identify and model the security properties a human-computer interface (HCI) requires for the user to reliably and securely understand the system. Precisely, the goal is to establish a link between the entities with which users think they communicate and those with which they actually communicate. This model makes it possible to evaluate the impact of compromised HCI components and helps assess a given architecture.