Ignat Korchagin
Cloudflare, Linux Guru
London, United Kingdom
Ignat is a systems engineer at Cloudflare working mostly on Linux, platforms and hardware security. Ignat’s interests are cryptography, hacking, and low-level programming. Before Cloudflare, Ignat worked as a senior security engineer for Samsung Electronics’ Mobile Communications Division; his solutions may be found in many older Samsung smartphones and tablets. Ignat started his career as a security researcher in the Ukrainian government’s communications services.
“Helpful” eBPF: how BPF helpers help create security vulnerabilities
The Linux kernel extended Berkeley Packet Filter subsystem (eBPF) is the hot new go-to solution for many operational and security applications. It allows inserting small custom programs directly into the running kernel, which can provide insight into kernel internals. There are many commercial and open source solutions these days utilizing eBPF for observability, security monitoring and enforcement, and kernel hacking.
The biggest advantage of eBPF is safety: even though eBPF programs execute directly in the kernel context, a bad program can never crash the kernel or do any other harm (unlike kernel modules, for example). This is enforced by the in-kernel eBPF virtual machine, which checks all programs for bad behavior before executing them.
However, over time, to make eBPF more useful and feature-rich, BPF helpers were introduced. BPF helpers are “canned” kernel functions which can be called from eBPF programs. They may provide some small piece of functionality, like getting a value from a kernel data structure or helping track kernel data across different programs.
BPF helpers are real in-kernel functions, so they are not subject to eBPF virtual machine checks. Even though the code of BPF helpers is fixed, a carefully crafted eBPF program may utilize them to introduce new, unexpected in-kernel code execution paths, which may lead to security vulnerabilities. And since such code execution paths are created at runtime by eBPF users, they cannot easily be discovered by static or dynamic analysis.
This presentation provides one such example, where a BPF helper could be used to create a security vulnerability in otherwise properly written kernel code. We also explore some kernel security knobs which could make eBPF usage safer.
TPMs and the Linux Kernel: unlocking a better path to hardware security
TPMs have been present in modern laptops and servers for some time now, but their adoption is quite low. While operating systems do provide some security features based on TPMs (think of BitLocker on Windows or dm-verity on Linux), third-party applications or libraries usually do not have TPM integrations.
One of the main reasons for low TPM adoption is that interfacing with TPMs is quite hard: there are competing TPM software stacks, a lack of key format standardization, and many operating systems are not set up from the start to make the TPM easily available (the TPM device file is owned by root or requires a privileged group for access). Even with a proper software stack, the application may have to deal with low-level TPM communication protocols, which are hard to get right.
In this presentation we will explore a better integration of TPMs with some Linux kernel subsystems, in particular the kernel keystore and the cryptographic API. We will see how this allows the Linux kernel to expose hardware-based security to third-party applications in an easy-to-use manner, by encapsulating the TPM communication complexities as well as providing higher-level, use-case-based security primitives.
Go as a scripting language in Linux
Why use Go as a scripting language? Short answer: why not? Go is relatively easy to learn, not too verbose, and there is a huge ecosystem of libraries which can be reused to avoid writing all the code from scratch. Some other potential advantages it might bring:
* build your complex Go project with a Go-based build system: no Makefiles, bash or Python, all pure Go!
* easy non-privileged package management out of the box: if you want to use a third-party library in your script, you can simply `go get` it into your `GOPATH`
* quick code prototyping in early project stages: short-circuit the *"edit->compile->check"* cycle and instead immediately execute your source file
* fail early with a strongly-typed scripting language: if you have a typo in your 2k-line script, it will fail to start instead of executing the first 1800 lines and leaving your system in an inconsistent state
There were previous attempts to make Go scriptable using a shebang line; however (mostly because lines starting with `#` are not valid in Go) the solution is not perfect: you end up with `.go` files that can be used either as scripts only or as real compilable Go programs, but not both. This talk describes how one can use some advanced features of binary execution on Linux to overcome these problems and make Go a truly native scripting language.
Linux user namespaces: a blessing and a curse
Unprivileged Linux user namespaces are a rather controversial topic in the security community, the Linux kernel community and in software engineering in general. On one hand, they allow building unprivileged and sandboxed services and applications which would otherwise require elevated privileges to run successfully and provide features to their users. Not granting privileges to such applications follows the least privilege principle and makes our systems more secure.
On the other hand, this mechanism has been repeatedly used in various vulnerabilities and exploits as a starting attack vector, multiplying the damage and impact of these exploits. And since it became so popular within the offensive industry, many Linux distributions and security guidance documents started recommending disabling this feature altogether.
There is an ongoing debate whether unprivileged user namespaces provide more security or make the system more vulnerable. In this presentation we will review how user namespaces might help build sandboxed, secure applications. But we will also show how a recently discovered Linux kernel bug turned into a security vulnerability just because user namespaces were available on the system. Finally, we will give recommendations on how to get the best of both worlds: allow well-behaved applications to utilize user namespaces for better security, while blocking the feature for potentially malicious users/code.
How to protect yourself from the biggest Internet threats
Nowadays, there are many attack vectors an adversary can employ to either break into a system or impact its operations. Oftentimes a successful attack is a clever combination of smaller vectors, which on their own do not seem very important or dangerous. That’s why, to efficiently mitigate modern Internet threats, the system should be built with “defense in depth” in mind.
In this presentation we will discuss the various approaches and technical solutions Cloudflare implemented to protect its infrastructure and services from the biggest Internet threats. We will review a layered approach to security starting from the Internet itself, then data centre networking, the server and operating system layers, and the application and service layers. We will see how the Internet today has become the global “security perimeter” and how to protect modern cloud workloads and corporate services.
Sandboxing in Linux with zero lines of code
Linux seccomp is a simple, yet powerful tool to sandbox running processes and significantly decrease the potential damage in case the application code gets exploited. It provides fine-grained controls for a process to declare in advance what it can and can’t do, and in most cases has zero performance overhead.
The only disadvantage: to utilise this framework, application developers have to explicitly add sandboxing code to their projects, and developers usually either delay this or omit it completely, as their main focus is mostly on the functionality of the code rather than security. Moreover, the seccomp security model is based around system calls, but many developers, writing their code in high-level programming languages and frameworks, either have little to no experience with syscalls or just don’t have easy-to-use seccomp abstractions or libraries for their frameworks.
All this means seccomp is not widely adopted. But what if there was a way to easily sandbox any application in any programming language without writing a single line of code? This presentation discusses potential approaches with their pros and cons.
What is the Linux kernel keystore and why you should use it in your next application
Did you know that Linux has a full-featured keystore ready to be used by any application or service it runs? Applications can securely store and share credentials, secrets and cryptographic keys, sign and encrypt data, and negotiate a common encryption key, all without ever touching a single byte of the underlying cryptographic material.
This is especially useful in post-Heartbleed and cloud-native environments, where services authenticate and securely talk to each other using some kind of credentials. But if a network-facing service also has a secret in its process address space, it sets itself up for a security failure, as any potential out-of-bounds memory access vulnerability may allow the secret to be leaked. Imagine a world where you don’t have to run an SSH agent just to protect your SSH keys.
On top of keeping your secrets secret, the Linux keystore integrates nicely with specialized security hardware, like TPMs and HSMs, and may provide a single entry point on the system for applications to obtain their secrets. Thus the Linux keystore is a very useful building block for a corporate key management system.
An engineer's guide to Linux Kernel upgrades
Because kernel code executes at the highest privilege level and a kernel bug usually crashes the whole system, many SREs, production engineers and system administrators try to avoid upgrading the kernel too often for the sake of stability. There is a tendency to create more obstacles to Linux kernel releases (requiring more approvals etc.). But introducing all these obstacles and not treating kernel updates like any other software usually significantly increases the risk of the company and its service being exploited.
One of the reasons SREs and engineers are so afraid of ANY kernel upgrade is that they don’t actually know the details of the Linux kernel release process and policy. This talk tries to demystify Linux kernel releases and provides a guide on how to distinguish a kernel bugfix release from a feature release. We also describe how kernel releases are handled in our company and propose possible approaches to deploy kernel upgrades regularly with minimal risk.
Reconciling performance and security in high load environments
Most perceive security fixes and improvements as a necessary evil, because security is much “less tangible” than primary product functionality in terms of potential revenue. On top of not bringing any “meaningful” value to the overall system, security comes at the cost of potential performance degradation, as it steals precious CPU cycles and memory from the overall resource pool.
Because of the above, in a performance-driven environment product and infrastructure security are either heavily avoided altogether or forcibly imposed by security teams, who excuse themselves with numerous legal and compliance requirements. The fear of a potential performance penalty and the need to balance performance against security often leads to insecure architectures and designs, or to unnecessary complexity.
All this usually makes the rest of the organisation dislike and distrust security in the long term. But what if we can show that security actually improves performance? This presentation explores how to drive security in a high-performance environment and make it a welcome and natural part of the product lifecycle.
Incontro DevOps Italia (IDI) 2025 (upcoming)
NDC Security 2025 (upcoming)
DefCamp 2024
NDC Porto 2024
NDC TechTown 2024
Render Atlanta 2024
Norfolk Developers Conference 2024
State of Open Con 24
NDC Security 2024
DevOps Vision 2023
POC2023
POC was established in 2006 and is organized by Korean security experts. POC is an international security and hacking conference based in South Korea which focuses on highly technical research and on sharing creative discussions on the latest hacking and security measures. The talks at POC cover a variety of topics, from vulnerability discovery and advanced exploitation of numerous software to an outpouring of remarkable new ideas.
POC unlocks your intense appetite for sharing your desires and passion for hacking, and believes that the Power of Community will definitely contribute to making the world a better place.
NDC TechTown 2023
SREcon23 Asia/Pacific
SREcon23 Asia/Pacific is a gathering of engineers who care deeply about site reliability, systems engineering, and working with complex distributed systems at scale. SREcon strives to challenge both those new to the profession as well as those who have been involved in it for decades. The conference has a culture of critical thought, deep technical insights, continuous improvement, and innovation.
WTF is SRE? A Conference by SREs for SREs 2023
NDC Security 2023
Black Hat
Founded in 1997, Black Hat is an internationally recognized cybersecurity event series providing the most technical and relevant information security research. Grown from a single annual conference to the most respected information security event series internationally, these multi-day events provide the security community with the latest cutting-edge research, developments, and trends.
Black Hat Briefings and Trainings are driven by the needs of the global security community, striving to bring together the best minds in the industry. Black Hat inspires professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers and leaders in the public and private sectors. Today, Black Hat Briefings and Trainings are held annually in the United States, Europe, and Asia, providing premier venues for elite security researchers and trainers to find their audience.
Velocity Conference
Resilience. Performance. Security.
Explore cloud native infrastructure, DevOps, serverless, Kubernetes, security, and more.