Random insights of our daily work
Our last blog post on Linux mount namespaces explored ways to restrict access to the file system. In this post we'll show how to restrict access to the network.
Lately we've been facing strange build errors on one of our build servers. The root cause was quite surprising.
Linux offers a variety of mechanisms to confine a process; one of them is namespaces. Today they are mostly used as the foundation for Linux containers. In this blog post we'll demonstrate how namespaces can be used to restrict access to the file system for a given process and all its children.
Understanding certain kernel internals is not only useful for people who intend to develop kernel-related software.
An overview of x86 firmware security and Heads, a project aiming to gain more trust in the boot process.
ALPSS 2022 took place again and here's what happened.
This blog post gives an overview of EROFS vs. SquashFS and tries to compare them with a simple benchmark.
In 2021 we switched to ProtonMail and found out the hard way that it is not the right thing for us.
After a two-year break, the Summit on a Summit was back in early June this year.
Simple questions often have not so simple answers. One example is the question: what priority does this process have?
Squashfs-tools recently fixed a security issue. In this blog post we show how to re-exploit it and how it got mitigated.
ALPSS was back in 2021 and here's what happened :-)
If startups invest in security right from the start, the costs will be much lower in the end. Why? Read this article!
The upcoming Yocto 3.4 release will contain a small contribution by us. Over the last two years we learned to love EROFS, so we decided to add support for it to Yocto.
Imagine you find yourself in a restricted environment and you need a Linux rootfs that runs on the embedded system you just managed to get access to. Of course, the CPU architecture of the embedded system is not the same as that of your workstation. The circumstances are further complicated by the fact that the userspace should offer enough tooling to build a C/C++ application. In such a situation docker can help, but in an unexpected way.
In this blog post we will take a closer look at a symlink race vulnerability from 2018 in docker. We think the vulnerability is quite interesting since it is easy to exploit but not so obvious to find while reviewing. Attentive readers may ask themselves whether they'd have noticed the issue while developing or reviewing the affected lines of code.
+43 5 9980 400 00 (email preferred)
sigma star gmbh
Eduard-Bodem-Gasse 6, 1st floor
6020 Innsbruck | Austria