September 2023

CNCF Report: The State of WebAssembly 2023

CNCF, webassembly / / September 25, 2023

WebAssembly (Wasm) is a technology that allows developers to write code in various languages and run it on any platform and environment. Wasm can offer benefits such as performance, security, portability, and interoperability. Some of the use cases of Wasm are:

  • Web development: Wasm can enhance web applications by enabling them to use native code for computationally intensive tasks, such as image processing, video editing, gaming, machine learning, and more. Wasm can also improve the compatibility and usability of web applications by allowing them to use existing libraries and frameworks written in languages other than JavaScript.
  • Edge computing: Wasm can enable edge computing by allowing developers to deploy lightweight and portable code to edge devices, such as IoT sensors, smart cameras, drones, and more. Wasm can also provide security and isolation for edge applications by running them in a sandboxed environment.
  • Serverless computing: Wasm can enable serverless computing by allowing developers to write and run functions in any language and on any cloud provider. Wasm can also reduce the cold start time and resource consumption of serverless functions by using a compact and efficient binary format.
  • Microservices: Wasm can enable microservices by allowing developers to write and run modular and independent services in any language and on any platform. Wasm can also facilitate the communication and integration of microservices by using a common interface and protocol.
  • Machine learning: Wasm can enable machine learning by allowing developers to write and run models in any language and on any device. Wasm can also optimize the performance and accuracy of machine learning models by using native code and hardware acceleration.

However, despite its potential, Wasm is still experiencing slow adoption in the industry. Some of the reasons for this are:

  • Lack of awareness: Many developers are not aware of the existence or benefits of Wasm, or how to use it in their projects. There is a need for more education and outreach to raise awareness and interest in Wasm among developers.
  • Lack of tooling: Many tools and frameworks that support Wasm are still immature or experimental, or lack features or documentation. There is a need for more development and improvement of the tooling ecosystem for Wasm, such as compilers, runtimes, libraries, SDKs, debuggers, and more.
  • Lack of standards: Many standards and specifications that define the features and functionality of Wasm are still under development or not widely adopted. There is a need for more collaboration and coordination among the stakeholders and communities involved in the standardization process for Wasm, such as the World Wide Web Consortium (W3C), the WebAssembly Community Group (WCG), the Bytecode Alliance, the Cloud Native Computing Foundation (CNCF), and more.
  • Lack of support: Many platforms and environments that could benefit from Wasm do not support it natively or fully. There is a need for more adoption and integration of Wasm by the platforms and environments that developers use, such as web browsers, cloud providers, edge devices, operating systems, and more.

Wasm is a promising technology that has the potential to revolutionize the development and deployment of applications across various domains and platforms. However, Wasm also faces some challenges and barriers that need to be addressed by the community and the industry.

CNCF has recently published a report titled “The State of WebAssembly in 2023”, which provides an overview of the current trends and challenges of Wasm in the cloud-native ecosystem. The report is based on a survey of over 500 developers, operators, and decision-makers from various industries and regions.

The report covers the following topics:

  • The benefits and use cases of Wasm: The report highlights the main benefits of Wasm, such as performance, security, portability, and interoperability. The report also showcases some of the use cases of Wasm in different domains, such as edge computing, serverless computing, microservices, machine learning, gaming, and more.
  • The challenges and barriers of Wasm adoption: The report identifies some of the challenges and barriers that hinder the adoption of Wasm in the cloud-native ecosystem, such as lack of awareness, tooling, documentation, standards, and support. The report also provides some recommendations and best practices to overcome these challenges and barriers.
  • The state of Wasm tools and frameworks: The report analyzes the current state of Wasm tools and frameworks, such as compilers, runtimes, libraries, SDKs, and more. The report also evaluates the maturity and popularity of these tools and frameworks based on various criteria, such as features, stability, performance, community, and more.
  • The future outlook and trends of Wasm: The report predicts the future outlook and trends of Wasm in the cloud-native ecosystem based on the survey results and expert opinions. The report also discusses some of the emerging topics and opportunities for Wasm development and innovation, such as WASI (WebAssembly System Interface), Wasmtime (a standalone Wasm runtime), eBPF (extended Berkeley Packet Filter), and more.

The report concludes that Wasm is a promising technology that has the potential to revolutionize the cloud-native ecosystem by enabling faster, safer, and more portable applications. However, Wasm also faces some challenges and barriers that need to be addressed by the community and the industry. The report suggests that CNCF can play a key role in facilitating the adoption and advancement of Wasm by providing guidance, support, resources, and collaboration opportunities for the Wasm community.

You can read the full report from its official website or download it as a PDF file.

CNCF Report: The State of WebAssembly 2023 Read More »

How to Protect Your Linux Systems from Malware with SELinux

linux, security / / September 17, 2023

Linux is widely regarded as a secure and stable operating system, but it is not immune to malware attacks. In recent years, there has been an increase in the number of malware campaigns targeting Linux systems, such as ransomware, cryptojacking, botnets, and backdoors. These malicious programs can compromise the security and performance of your Linux servers and devices, and expose your sensitive data and resources to hackers.

One of the ways to protect your Linux systems from malware is to use SELinux, a security-enhanced version of Linux that implements mandatory access control (MAC) policies. SELinux enforces strict rules on what processes and users can access what files, directories, ports, and devices on your system. SELinux can prevent unauthorized or malicious activities from affecting your system, such as modifying system files, executing commands, or accessing network resources.

However, SELinux can also be challenging to configure and use, especially for beginners. SELinux has a complex set of policies that define the permissions and roles for different types of objects and subjects on your system. If you do not understand how SELinux works, you may encounter errors or conflicts when running your applications or services. You may also be tempted to disable SELinux altogether, which would expose your system to potential threats.

In this blog post, we will show you how to write an SELinux policy that can help you secure your Linux system from malware. We will explain the basic concepts and components of SELinux policies, and provide a step-by-step guide on how to create and apply a custom policy for a specific scenario. We will also share some tips and best practices on how to troubleshoot and manage your SELinux policies.

What is an SELinux Policy?

An SELinux policy is a set of rules that define how SELinux controls the access of processes and users to resources on your system. An SELinux policy consists of three main components: types, rules, and modules.

  • Types: Types are labels that identify the security context of an object or a subject on your system. An object is anything that a process can access, such as a file, a directory, a port, or a device. A subject is anything that can initiate an action on an object, such as a process or a user. For example, a file may have the type httpd_sys_content_t, which means it is a web content file that can be accessed by the Apache web server. A process may have the type httpd_t, which means it is an Apache web server process that can access web content files.
  • Rules: Rules are statements that specify what actions are allowed or denied between types. Rules are based on the principle of least privilege, which means that only the minimum necessary permissions are granted to each type. For example, a rule may allow the type httpd_t to read the type httpd_sys_content_t, but deny it from writing or executing it. Rules can also specify other attributes or conditions for the access, such as the role, the user, the class, or the boolean.
  • Modules: Modules are collections of types and rules that define the security policy for a specific application or service. Modules are stored in binary files with the extension .pp, which can be loaded or unloaded by SELinux. For example, there may be a module for Apache web server that contains all the types and rules related to its operation.

How to Write an SELinux Policy?

To write an SELinux policy, you need to follow these steps:

  1. Identify the scenario: You need to determine what application or service you want to secure with SELinux, and what resources it needs to access on your system. You also need to identify what threats or risks you want to prevent with SELinux.
  2. Create the types: You need to create new types for the objects and subjects involved in your scenario, or use existing types if they are suitable. You need to assign meaningful names to your types, and follow the naming conventions of SELinux.
  3. Create the rules: You need to create rules that allow or deny the access between your types. You need to use the appropriate syntax and keywords for writing rules, and follow the logic and structure of SELinux.
  4. Create the module: You need to create a module that contains your types and rules, and give it a name and a version number. You need to use the appropriate tools and commands for creating modules, such as checkmodule and semodule_package.
  5. Compile and load the module: You need to compile your module into a binary file with the extension .pp, and load it into SELinux with the command semodule -i. You need to verify that your module is loaded correctly with the command semodule -l.
  6. Test and debug the module: You need to test your module by running your application or service and checking if it works as expected. You also need to debug your module by checking the SELinux logs and messages, and using tools such as audit2allow and sealert to analyze and resolve any errors or conflicts.

Example of Writing an SELinux Policy

To illustrate how to write an SELinux policy, we will use a simple example scenario. Suppose you have a Linux system that runs a custom web application that uses a Python script to generate dynamic content. The Python script is located in the directory /var/www/cgi-bin, and it needs to access a configuration file in the directory /etc/webapp. The configuration file contains sensitive information, such as database credentials and API keys. You want to use SELinux to protect your web application from malware that may try to access or modify the configuration file, or execute malicious commands on your system.

To write an SELinux policy for this scenario, you can follow these steps:

  1. Identify the scenario: The application you want to secure is the custom web application that uses the Python script. The resources it needs to access are the Python script and the configuration file. The threats you want to prevent are malware that may access or modify the configuration file, or execute malicious commands on your system.
  2. Create the types: You need to create new types for the Python script and the configuration file, or use existing types if they are suitable. For example, you can create a new type called webapp_script_t for the Python script, and use the existing type etc_t for the configuration file. You also need to use the existing type httpd_t for the Apache web server process that runs the Python script. You can assign the types to the files with the command chcon -t, or use a file context specification file to make them persistent across reboots.
  3. Create the rules: You need to create rules that allow or deny the access between your types. For example, you can create a rule that allows the type httpd_t to execute the type webapp_script_t, but denies it from writing or executing the type etc_t. You can also create a rule that allows the type webapp_script_t to read the type etc_t, but denies it from writing or executing it. You can use the syntax and keywords of SELinux for writing rules, such as allow, deny, type_transition, type_change, etc.
  4. Create the module: You need to create a module that contains your types and rules, and give it a name and a version number. For example, you can create a module called webapp with the version number 1.0. You can use a text editor to write your module in a file with the extension .te, which stands for type enforcement. The content of your module may look something like this:
policy_module(webapp, 1.0)
type webapp_script_t;
type etc_t;
allow httpd_t webapp_script_t:file { read execute };
allow httpd_t etc_t:file read;
deny httpd_t etc_t:file { write execute };
allow webapp_script_t etc_t:file read;
deny webapp_script_t etc_t:file { write execute };

5. Compile and load the module: You need to compile your module into a binary file with the extension .pp, and load it into SELinux with the command semodule -i. You can use tools such as checkmodule and semodule_package for compiling modules, or use a Makefile to automate the process. For example, you can use these commands to compile and load your module:

checkmodule -M -m -o webapp.mod webapp.te
semodule_package -o webapp.pp -m webapp.mod
semodule -i webapp.pp

You can verify that your module is loaded correctly with the command semodule -l | grep webapp.

6. Test and debug the module: You need to test your module by running your web application and checking if it works as expected. You also need to debug your module by checking the SELinux logs and messages, and using tools such as audit2allow and sealert to analyze and resolve any errors or conflicts. For example, you can use these commands to check and troubleshoot your module:

    tail -f /var/log/audit/audit.log | grep webapp
    audit2allow -a
    sealert -a /var/log/audit/audit.log

    Tips and Best Practices for Writing SELinux Policies

    Writing SELinux policies can be a complex and tedious task, but it can also be rewarding and beneficial for securing your Linux systems from malware. Here are some tips and best practices that can help you write better SELinux policies:

    How to Protect Your Linux Systems from Malware with SELinux Read More »