Blog
Random insights of our daily work
Investigating Paranormal Shell Activities
Recently, while attending a conference, I observed an unusual occurrence in my terminal emulator: terminal tab windows were getting highlighted without any apparent notification within the shell session. Time to unpack our trusty debugging tools to uncover the mystery of these activities.
Analyzing Packet Drops Without Tooling: Or ftrace the Pure Way
Linux offers a lot of tools to understand internals, today we'll analyze the network stack with zero tools installed.
No Love for Negative Permissions
Negative permissions have always been bad practice, with the help of container tooling they can be bypassed too.
CVE-2023-31147: Insufficient randomness for DNS query identifiers in c-ares
We've been part of a team that audited c-ares. This is a writeup of how we discovered that DNS query identifiers generated by c-ares are not always properly random which lead to CVE-2023-31147.
Let's Embed a Go Program into the Linux Kernel
Today, we would like to present a lesser-known feature of the Linux kernel. Instead of launching a program from a file system, regardless of whether it's virtual or not, it is also possible to embed a user-space program directly into the kernel image itself and start it from there.
Embedded Open Source Summit 2023 in Prague
The Embedded Open Source Summit in Prague offered valuable insights and connections for our company, focusing on Linux and security, as our first major conference since the pandemic.
Who's your canary?
Stack canaries are a common security feature to mitigate buffer-overflows. However, it's value is generated differently in every libc-implementation, which has security implications.
Restricting network access using Linux Network Namespaces
Our last blog post on Linux mount namespaces explored ways to restrict access to the file system. In this post we'll show how to restrict access to the network.
Too many CPUs to build
Lately we've been facing strange build errors on one of our build servers. The root cause was quite surprising.
Restricting file system access using Linux Mount Namespaces
Linux offers a variety of mechanisms to confine a process, one of them are namespaces. Today they are mostly used as foundation for Linux containers. In this blog post we'll demonstrate how namespaces can be used to restrict access to the file system for a given process and all its children.
Training: Kernel Internals for Linux Admins
Understanding certain kernel internals is not only useful for persons that intend developing kernel related software.
Securely booting x86 using Heads
An overview about x86 firmware security and Heads, a project aiming to gain more trust in the boot process.
Alpine Linux Persistence and Storage Summit 2022
ALPSS 2022 took place again and here's what happened
EROFS vs. SquashFS: A Gentle Benchmark
This blog post gives an overview of EROFS vs. SquashFS and tries to compare them with a simple benchmark.
Our ProtonMail Adventure - A Five Act Drama
In 2021 we switched to ProtonMail and figured the hard way that it is not the right thing for us.
Get in touch
+43 5 9980 400 00
sigma star gmbh
Eduard-Bodem-Gasse 6, 1st floor
6020 Innsbruck | Austria
