Linux Security Summit North America 2025

Linux Security Summit North America 2025

June 26 - 27 | Denver, Colorado
View More Details & Registration
Note: The schedule is subject to change.

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for Linux Security Summit North America 2025 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

This schedule is automatically displayed in Mountain Daylight Time (MDT | UTC-6). To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date."

8:00am MDT

Registration + Badge Pick-up

Thursday June 26, 2025 8:00am - 5:30pm MDT

Bluebird Ballroom Foyer

Thursday June 26, 2025 8:00am - 5:30pm MDT
Bluebird Ballroom Foyer

Registration / Breaks

9:00am MDT

Welcome + Opening Remarks - James Morris, Microsoft

Thursday June 26, 2025 9:00am - 9:05am MDT

Speakers

James Morris

Linux Kernel & Security Manager, Microsoft

James is the maintainer of the Linux security subsystem, and engineering manager at Microsoft.

Thursday June 26, 2025 9:00am - 9:05am MDT
Room BBB 3G+3H

Opening / Closing Remarks

9:05am MDT

Kernel Hardening: Ten Years Deep - Kees Cook, Google

Thursday June 26, 2025 9:05am - 9:50am MDT

The Linux Kernel Self-Protection Project was announced in 2015 as a way to gather folks doing security hardening work under a single umbrella and gain upstream traction for killing bug classes and eliminating exploitation methods. Linux security has made significant advances over the last decade as a result of the project's contributors.

We'll review the bug classes that have been completely eliminated (e.g. VLAs, setfs(), switch fall-through, stack variable zeroing), as well as bug classes that have gained wide mitigation coverage (e.g. refcount overflow, FORTIFY_SOURCE, allocation overflow, array overflow). We'll take a look at exploit blocking methods now in place (e.g. vmap stack, W^X, KASLR, slab hardening, %p hashing, IBT/BTI, SCS, KCFI), and newly available attack surface reduction (e.g. seccomp, __ro_after_init, lockdown).

What has the impact been after all this work? We'll review bug class frequency and severity to examine the trends. With so much of the low hanging fruit getting handled, we're now faced with trickier problems such as Use After Free flaws. We'll take a look at what's on the horizon to solve this and other kernel self-protection concerns.

Speakers

Kees Cook

Kernel Security Engineer, Google

Kees Cook has been working with Free Software since 1994, has been a Debian Developer since 2007, and has been a member of the Linux Kernel Technical Advisory Board since 2019. He is currently employed as a Linux kernel security engineer by Google, focusing on upstream kernel security... Read More →

Thursday June 26, 2025 9:05am - 9:50am MDT
Room BBB 3G+3H

Refereed Presentation

9:55am MDT

Lessons Learned While Making an AppArmor Play Machine - Alexandre Pujol, Linagora

Thursday June 26, 2025 9:55am - 10:40am MDT

A Play Machine is what is called a system with root as the guest account with only Apparmor to restrict access. It aims to demonstrate that necessary security can be provided by Apparmor without any Unix permissions and thus that root is not everything in modern security.

This play machine uses the apparmor.d project with the Full System Policies (FSP) mode enabled and enforced.
FSP is a special mode of apparmor.d that aims to provide profiles and user roles for every process and users and that ensure no unconfined process can run on the system.

In this talk, we will review the main challenges we encountered — including the security architecture of the profiles, testing, and profile integration. We will also discuss the complications involved in providing open root access on a VM to everyone.

The profiles, tooling, and documentation for the project have been published at https://github.com/roddhjav/apparmor.d. The play machine itself is available at https://play.pujol.io/

Speakers

Alexandre Pujol

System Engineer, Linagora

Alexandre Pujol is a French system engineer at Linagora. He is is graduated from a PhD Student in computer security & privacy in University College Dublin, Ireland. His area of work includes user privacy, secret management, and system security. He is the author of multiple password-store... Read More →

Thursday June 26, 2025 9:55am - 10:40am MDT
Room BBB 3G+3H

Refereed Presentation

10:40am MDT

Break + Networking

Thursday June 26, 2025 10:40am - 11:05am MDT

BBB 3G+3H Foyer

Thursday June 26, 2025 10:40am - 11:05am MDT
BBB 3G+3H Foyer

Registration / Breaks

11:05am MDT

SeaBee: Defense for the Defense - Alan Wandke & Jacob Satterfield, National Security Agency

Thursday June 26, 2025 11:05am - 11:50am MDT

In recent years, security researchers and companies have looked to eBPF to build innovative security mechanisms with kernel independent bytecode and a soft guarantee of runtime safety. eBPF and the eBPF LSM in particular are especially useful in environments with bespoke security requirements where other LSMs cannot be or are not used, or kernel rebooting/recompilation is undesirable.
However, eBPF programs, but their nature, present a unique security challenge: any privileged process can fully manipulate the inner workings of all eBPF objects. While SELinux provides a level of coarse-grained access control over eBPF, it is difficult for eBPF developers to tailor SELinux policy to protect their individual tools.
This talk attempts to fill the gap by presenting an eBPF-based mandatory access control framework for protecting eBPF-based tools. The framework uses a configurable policy and no code change required for other tools to opt-in. We will present the design, implementation, and a policy example. We will also highlight areas for future work in the eBPF and LSM subsystems to provide more granular access controls.

Speakers

Alan Wandke

Computer Systems Researcher, National Security Agency

Alan Wandke is a computer systems researcher within the Laboratory for Advanced Cybersecurity Research at the National Security Agency. His technical expertise includes computer science and cybersecurity with a focus on operating systems and cloud security. Recently his research focus... Read More →

Jacob Satterfield

Computer Systems Researcher, National Security Agency

Jacob Satterfield is a senior computer systems researcher within the Laboratory for Advanced Cybersecurity Research (LACR) organization of the National Security Agency, where he performs R&D on novel Linux security mechanisms and trusted computing technologies. His technical experience... Read More →

Thursday June 26, 2025 11:05am - 11:50am MDT
Room BBB 3G+3H

Refereed Presentation

11:55am MDT

Ubuntu Permission Prompting - John Johansen, Canonical

Thursday June 26, 2025 11:55am - 12:25pm MDT

Ubuntu 24.10 introduced permissions prompting as a an experimental feature to improve security and confidentiality for the Linux desktop. Traditionally Linux desktop applications have not been designed to be sandboxed and separated like android or iOS applications, making them difficult to isolate within the desktop environment. While applications written to support portals can be sandboxed within the modern desktop there are many applications that have not been updated to support them. This presentation will discuss and dive into what Ubuntu is doing to bring confinement and data confidentiality to traditional and legacy applications.

Speakers

John Johansen

Security Engineer, Canonical

John Johansen began working with open source software in the late 80s and began playing with Linux in 93. He completed a masters in mathematics at the University of Waterloo and the began working for Immunix doing compiler hardening, and then AppArmor. After Immunix was acquired by... Read More →

Thursday June 26, 2025 11:55am - 12:25pm MDT
Room BBB 3G+3H

Short Topic

12:25pm MDT

Lunch Break

Thursday June 26, 2025 12:25pm - 1:40pm MDT

BBB 3G+3H Foyer

Thursday June 26, 2025 12:25pm - 1:40pm MDT
BBB 3G+3H Foyer

Registration / Breaks

1:40pm MDT

Bypass Kernel Barriers: Fuzzing Linux Kernel in Userspace With LKL - Xuan Xing & Eugene Rodionov, Google

Thursday June 26, 2025 1:40pm - 2:25pm MDT

Kernel fuzzing has been traditionally done either via on-device fuzzing or using VMs and primarily targeting the attack surface exposed to user-space programs.
In this talk the authors introduce a novel approach towards fuzzing Linux kernel interfaces completely in user space without relying on hardware or virtualization solutions by leveraging an open-source project LKL (Linux kernel library). Using LKL it is possible to build Linux kernel as a user-space library and hook it with a coverage-guided engine such as libFuzzer to fuzz kernel interfaces. This approach enables us to create lightweight coverage-guided modular fuzzers targeting specific kernel interfaces. This approach provides such advantages as high fuzzing performance, scalability and ease of debugging crashes. One of the major highlights of this approach is the ability to target device-to-kernel interfaces exposed to the malicious peripheral devices which are difficult to cover using traditional fuzzing approaches. We will provide deep dive into LKL fuzzing details, like enabling ASAN for LKL, adding code coverage, and showcase examples of fuzzing USB HID and Android binder driver.

Speakers

Xuan Xing

Manager of Google Android Red Team, Google

Xuan Xing is manager of Android RedTeam at Google. For the past several years, Xuan focused on finding security vulnerabilities in various low level components of Android/Pixel devices. He is passionate about software fuzzing for security research. Xuan has been a speaker at multiple... Read More →

Eugene Rodionov

Security Engineer, Google

Eugene Rodionov is a Security Engineer at Google on the Android Red Team. In his current position, Eugene focuses on finding and exploiting vulnerabilities in the low-level components of Android platform. His fields of interest include reverse engineering, vulnerability analysis... Read More →

Thursday June 26, 2025 1:40pm - 2:25pm MDT
Room BBB 3G+3H

Refereed Presentation

2:30pm MDT

Putting Together a Secure Virtualization and Containerization Platform - Stéphane Graber, Zabbly

Thursday June 26, 2025 2:30pm - 3:15pm MDT

Incus is a project providing a private cloud platform that can be used by anyone from running on a simple laptop, Raspberry Pi to being run on thousands of servers in the datacenter.

The project began like most, making source code releases which found their way packaged in distros.

Over time, we developed tooling to automate deployment of those packages, allowing for more consistent deployments.
Unfortunately, this tooling still assumed quite a bit of familiarity with Linux distributions and configuration.

What we really wanted was a way to get reliable, identical deployments that could be used both by very large scale users running thousands of servers as well as by regular users at home who just want a working reliable virtualization platform.

This led to the development of Incus OS. A Debian based OS image made using systemd's mkosi, using a Secure Boot signed bootloader and Unified Kernel Image, TPM measurements throughout the boot process, an immutable OS image (using dm-verity) and full disk encryption for the data at rest based on TPM register state.

In this talk, we'll be diving into the design decisions behind Incus OS and look at its implementation.

Speakers

Stéphane Graber

Incus maintainer, Zabbly

Stéphane is the project leader of the Linux Containers project, a long term open source contributor and conference organizer.He's the owner of Zabbly who provides support and development services on top of Incus.He's also co-founder and CTO of FuturFusion, another Incus related business... Read More →

Thursday June 26, 2025 2:30pm - 3:15pm MDT
Room BBB 3G+3H

Refereed Presentation

3:15pm MDT

Break + Networking

Thursday June 26, 2025 3:15pm - 3:45pm MDT

BBB 3G+3H Foyer

Thursday June 26, 2025 3:15pm - 3:45pm MDT
BBB 3G+3H Foyer

Registration / Breaks

3:40pm MDT

Getting on the Same (Virtual Memory) Page: A Roundtable on Data-only Attack Mitigations - Maxwell Bland, Motorola (Lenovo)

Thursday June 26, 2025 3:40pm - 4:10pm MDT

This session is a short, open discussion on strategies and mechanisms for mitigating malicious modifications to structures in the data and bss segments as well as the heap of the kernel. We will overview case studies for how these attacks work across various types of CVEs, as well as existing protections, from those requiring new hardware (ARM MTE, TMDFI), to those working with existing hardware (ARM POE + kpkeys, HVCI/Heki-style enforcement systems), to software approaches (compiler-enforced data-flow, allocator restrictions, data layout randomization). We will then turn to an open discussion session of the benefits and drawbacks of offered protections, to (1) identify just how difficult we can make it for attackers using current mechanisms, (2) pinpoint precise gaps to focus in on for future work, and (3) come up with solutions to the harder problems involved, such as determining what is a "valid" write.

Refs.
https://lore.kernel.org/all/uqgb234tm4svoz2yvbamzal2srxnjnwrj2coiimvuz5bzblbia@pfabobbxo2jf/
https://lore.kernel.org/all/a32cjyekuecoowzbitc2xykilvpu6l3jjtityp7x5hw7xbiysp@5l2lptwmqiug/
https://www.usenix.org/system/files/usenixsecurity24-johannesmeyer.pdf

Speakers

Maxwell Bland

Security Researcher, Motorola (Lenovo)

Maxwell is a security researcher at Motorola working on hypervisor-enforced kernel protection systems for Android phones, motivated by his empirical study of mobile device malware and OS exploit PoC's. Prior to joining Motorola, Maxwell received his doctorate from UIUC, where he worked... Read More →

Thursday June 26, 2025 3:40pm - 4:10pm MDT
Room BBB 3G+3H

Short Topic

4:15pm MDT

Integrating Confidential Computing Into Cloud Infrastructure: Challenges and Opportunities - Carlos Bilbao, DigitalOcean

Thursday June 26, 2025 4:15pm - 4:45pm MDT

As confidential computing (CoCo) tech matures, integrating it into the cloud presents both technical challenges and opportunities. Specifically, the deployment of CoCo in a multi-tenant cloud infrastructure involves technical hurdles, such as remote boot and attestation, the impact on product aspects like provisioning time and live migration, tool compatibility, and constraints in fleet observability and debugging -- such as root cause analysis of guest kernel crashes (with customer permission).

In our previous presentation at LSS, we discussed the disconnect between CoCo efforts and the broader Linux kernel community. Since then, the desire to harden guest VMs against confidentiality threats has grown stronger, and a key question now is how to integrate CoCo into the cloud. Drawing from my professional experience, I’d like to spark and guide a discussion on the practical steps required to achieve this.

Speakers

Carlos Bilbao

Sr. Systems Engineer, DigitalOcean

Carlos Bilbao, PhD., is a Linux kernel engineer interested in confidential computing, virtualization, and resource management research. He contributed to the development of the first threat model for confidential computing in virtual environments, which was accepted into the kernel... Read More →

Thursday June 26, 2025 4:15pm - 4:45pm MDT
Room BBB 3G+3H

Short Topic

4:50pm MDT

BoF Session

Thursday June 26, 2025 4:50pm - 5:50pm MDT

Thursday June 26, 2025 4:50pm - 5:50pm MDT
Room BBB 3G+3H

BoF Sessions

8:00am MDT

Registration + Badge Pick-up

Friday June 27, 2025 8:00am - 4:45pm MDT

BBB 3G+3H Foyer

Friday June 27, 2025 8:00am - 4:45pm MDT
BBB 3G+3H Foyer

Registration / Breaks

9:00am MDT

Welcome Back + Remarks - James Morris

Friday June 27, 2025 9:00am - 9:05am MDT

Friday June 27, 2025 9:00am - 9:05am MDT
Room BBB 3G+3H

Opening / Closing Remarks

9:05am MDT

The State and Direction of LSM Stacking - Casey Schaufler, The Smack Project

Friday June 27, 2025 9:05am - 9:50am MDT

The Linux Security Module (LSM) infrastructure has a limited ability to support multiple concurrent security policies. Expanding this capability to eventually encompass supporting arbitrary combination of modules is an ongoing activity. This talk will cover the current state of LSM stacking and the pending proposed changes. It will include a discussion of the limitations imposed when multiple modules have expectation on networking resources, how audit filtering is impacted and the implications for integrity. Opportunities for development of supporting features in parallel with the infrastructure changes will be presented.

Speakers

Casey Schaufler

Founder, The Smack Project

Casey Schaufler founded the Smack project in 2006 after an especially heated debate with the SELinux developers on a topic now long forgotten. He has been developing secure operating systems since the late 1980's, starting the system that became Trusted Solaris and architecting Trusted... Read More →

Friday June 27, 2025 9:05am - 9:50am MDT
Room BBB 3G+3H

Refereed Presentation

9:55am MDT

Binding TDISP & Platform Attestation Reports for Confidential VMs - Anna Trikalinou, Microsoft Corporation

Friday June 27, 2025 9:55am - 10:40am MDT

TEE Device Interface Security Protocol (TDISP) is an industry standard that defines how to:
a) Establish trust between a Confidential VM (CVM) and a device, through attestation,
b) Secure the interconnect between the host and the device, and
c) Securely attach/detach a device interface to/from a CVM.

The main benefit of a CVM using a TDISP device vs a non-TDISP device is that the former is more performant, while still maintaining the confidentiality and integrity guarantees that Confidential Computing provides. Hence, TDISP plays a crucial part in making CVMs more performant, less expensive and, thus, easier to adopt.

An issue that currently exists with TDISP is that there is no standard way to prove that a TDISP attestation report and a platform attestation report originated from the same CVM. As a result, an attacker could replay an old TDISP attestation report with a CVM that doesn't have that TDISP device and cause a relying party to disclose secrets that wouldn't otherwise.

In this talk we would like to holistically explore this issue, the intended use cases and, finally, discuss a proposed solution using TPM NVIndex.

Speakers

Anna Trikalinou

Sr Security Engineer, Microsoft Corporation

Anna is a Sr Security Engineer in Microsoft working on Emerging Technologies for Azure. Her interests include Confidential Computing, Secure I/O and Virtualization. She obtained her PhD in Computer Science from Wright State University.

Friday June 27, 2025 9:55am - 10:40am MDT
Room BBB 3G+3H

Refereed Presentation

10:40am MDT

Break + Networking

Friday June 27, 2025 10:40am - 11:05am MDT

BBB 3G+3H Foyer

Friday June 27, 2025 10:40am - 11:05am MDT
BBB 3G+3H Foyer

Registration / Breaks

11:05am MDT

SELinux All the Way Down: Namespaces for SELinux - Stephen Smalley, National Security Agency

Friday June 27, 2025 11:05am - 11:50am MDT

At present, SELinux only supports defining and enforcing a single system-wide security policy. As a result, for Linux containers, SELinux is generally only used to provide coarse-grained sandboxing and isolation of entire containers, and Linux distributions cannot effectively leverage SELinux from within a container. With the increasing trend toward containerized applications and cloud-native container workloads, there is a growing need for SELinux to better support containers. SELinux namespaces are a proposed feature enhancement that are intended to enable per-container security policies, i.e. each SELinux namespace can load its own policy, while remaining confined by its parent (and other ancestor) policies. SELinux namespaces bring benefits for Linux developers and users by enabling full use of SELinux within containers, whether or not the host OS uses SELinux itself. In this talk we present the background, design, implementation, performance, and residual challenges associated with the work to bring SELinux namespaces to the mainline Linux kernel.

Speakers

Stephen Smalley

Subject Matter Expert, Cybersecurity Trust Mechanisms, National Security Agency

Stephen Smalley is a senior researcher in the Laboratory for Advanced Cybersecurity Research at the National Security Agency, where he provides subject matter expertise and technical leadership of research in platform trust architectures and mechanisms. Previously he led the development... Read More →

Friday June 27, 2025 11:05am - 11:50am MDT
Room BBB 3G+3H

Refereed Presentation

11:55am MDT

Handling New Syscalls in Seccomp Filters - Tom Hromatka, Oracle Corporate & Paul Moore, Microsoft

Friday June 27, 2025 11:55am - 12:25pm MDT

Currently libseccomp can be used to build two categories of filters - an "allow" list and a "deny" list.

- In an allow list, the user specifies the syscalls to be allowed (read, write, etc.), and all other syscalls are denied by default
- In a deny list, the user specifies the syscalls that are deemed too powerful or dangerous and explicitly blocks them. All other syscalls are allowed by default

Both of these filters have a significant shortcoming when the system is updated to a newer kernel with new syscalls. Allow lists will block new syscalls, and this could lead to containers failing to run. Deny lists will allow new syscalls (even if they're dangerous) which could provide an attack vector for malicious applications.

We, the libseccomp developers, have proposed a solution for the above problem.
https://github.com/seccomp/libseccomp/pull/457

Our goal for this talk is a discussion between the libseccomp developers and the LSS audience. How are attendees solving this problem today? Does the proposed functionality and API meet their needs and offer a better solution? What other suggestions might the attendees have regarding kernel version based syscall filtering?

Speakers

Tom Hromatka

Software Engineer, Oracle Corporation

Tom Hromatka has worked in a wide variety of software engineering fields since 2002 and is currently focusing on resource management at Oracle. He is a Linux kernel contributor and maintains the libseccomp, libcgroup, and adaptived userspace libraries.

Paul Moore

Principal Software Engineer, Microsoft

Paul Moore has been involved in various Linux platform security efforts since 2004 at Hewlett-Packard, Red Hat, Cisco, and Microsoft. He currently maintains the Linux Security Module (LSM) layer as well as the SELinux, audit, and labeled networking subsystems in the Linux Kernel... Read More →

Friday June 27, 2025 11:55am - 12:25pm MDT
Room BBB 3G+3H

Short Topic

12:25pm MDT

Lunch Break

Friday June 27, 2025 12:25pm - 1:40pm MDT

BBB 3G+3H Foyer

Friday June 27, 2025 12:25pm - 1:40pm MDT
BBB 3G+3H Foyer

Registration / Breaks

1:40pm MDT

SymBisect: Accurate Bisection for Fuzzer-Exposed Linux Vulnerabilities - Zheng Zhang, Meta

Friday June 27, 2025 1:40pm - 2:25pm MDT

The popularity of fuzzing has led to its tight integration
into the software development process as a routine part
of the build and test, i.e., continuous fuzzing. This has
resulted in a substantial increase in the reporting of bugs
in open-source software, including the Linux kernel. To
keep up with the volume of bugs, it is crucial to automatically analyze the bugs to assist developers and maintain-
ers. Bug bisection, i.e., locating the commit that introduced a vulnerability, is one such analysis that can reveal
the range of affected software versions and help bug prioritization and patching. However, existing automated
solutions fall short in a number of ways: most of them either (1) directly run the same PoC on older software ver-
sions without adapting to changes in bug-triggering conditions and are prone to broken dynamic environments
or (2) require patches that may not be available when
the bug is discovered. In this work, we take a different approach to looking for evidence of fuzzer-exposed
vulnerabilities by looking for the underlying bug logic.
In this way, we can perform bug bisection much more
precisely and accurately.

Speakers

zheng zhang

Research Scientist, Meta

Zheng Zhang is a research scientist at Meta. He earned a Ph.D. in Computer Science from UCR. His research interests focus on vulnerability detection, with a particular emphasis on vulnerabilities in popular open-source systems like Linux, including zero-day vulnerabilities and N-day... Read More →

Friday June 27, 2025 1:40pm - 2:25pm MDT
Room BBB 3G+3H

Refereed Presentation

2:30pm MDT

Layered Attestation of a Cross-Domain System - Perry Alexander, University of Kansas

Friday June 27, 2025 2:30pm - 3:15pm MDT

This talk will present an empirical study of layered attestation for a cross-domain system. The presentation will overview how we boot the system into a trusted state and extend trust to a runtime.

Using IMA and TPM 2.0 we boot a verified attestation manager into a measured state where it may access its signing key. We prove the key can be used only if the right attestation system makes a request in a good state. Thus, a signature's presence on evidence strongly binds that evidence to the attestation manger.

Once booted, the attestation manger measures and appraises the cross-domain system according to a Copland attestation protocol. It calls LKIM and checks SELinux policy to ensure the underlying Linux system is in a good state. Then it measures CDS components and configurations for runtime appraisal.

We then discuss formal verification and empirical study of the attestation system. Specifically, why should trust the link from boot to runtime and the signing key's signature. We then discuss empirical studies that simulate various attacks illustrating design choices, assumptions and limitations.

Note: Co-authors are - Will Thomas, Logan Schmalz, Adam Petz and Sarah Scott

Speakers

Perry Alexander

Dr. Perry Alexander, University of Kansas

Dr. Perry Alexander is The AT&T Foundation Distinguished Professor of Electrical Engineering and Computer Science and Director of the Institute for Information Sciences at The University of Kansas. His research interests include system-level modeling, formal verification, language... Read More →

Friday June 27, 2025 2:30pm - 3:15pm MDT
Room BBB 3G+3H

Refereed Presentation

3:15pm MDT

Break + Networking

Friday June 27, 2025 3:15pm - 3:40pm MDT

BBB 3G+3H Foyer

Friday June 27, 2025 3:15pm - 3:40pm MDT
BBB 3G+3H Foyer

Registration / Breaks

3:40pm MDT

eBPF as an Active Security Enforcement Layer Stop DNS Data Breaches : Beyond Passive Observability - Vedang Parasnis, University of Washington

Friday June 27, 2025 3:40pm - 4:25pm MDT

DNS remains a primary attack vector for data exfiltration and Command-and-Control (C2) operations, exploiting its inherent security flaws to bypass traditional defenses. This session presents a real-time, kernel-integrated security framework that actively prevents DNS-based data exfiltration using eBPF over Traffic Control (TC) scalable for large-scale distributed environments. Unlike passive detection approaches relying on anomalies, this solution dynamically intercepts DNS traffic at the kernel level, leveraging Deep Packet Inspection (DPI) and real-time lexical analysis to identify and block malicious requests before they leave the endpoint.

The framework also terminates C2 channels instantaneously, prevents DNS exfiltration over arbitrary transport ports, and dynamically blacklists domains across enterprise resolvers. With deep Linux kernel integration, it ensures minimal data loss, enhanced observability, and resilience against evolving threats. This session will explore the technical architecture, performance benchmarks, and deployment strategies to secure enterprise networks against modern DNS-based attacks.

Speakers

vedang parasnis

Graduate Research Student, University of Washington

I am an independent research student at the University of Washington, a Cloud Platform intern at Intel, and upcoming cloud engineer for intel My research primarily focuses on leveraging the Linux kernel network stack, deep learning, and distributed systems to design endpoint security... Read More →

Friday June 27, 2025 3:40pm - 4:25pm MDT
Room BBB 3G+3H

Refereed Presentation

4:25pm MDT

Closing Remarks

Friday June 27, 2025 4:25pm - 4:30pm MDT

Friday June 27, 2025 4:25pm - 4:30pm MDT
Room BBB 3G+3H

Opening / Closing Remarks