OIDC Loginproxy by toe

Description

Reverse proxies can be a useful option to separate authentication logic from application logic. SUSE and openSUSE use "loginproxies" as an authentication layer in front of several services.

Currently, loginproxies exist which support LDAP authentication or SAML authentication.

Goals

The goal of this Hack Week project is, to create another loginproxy which supports OpenID Connect authentication which can then act as a drop-in replacement for the existing LDAP or SAML loginproxies.

Testing is intended to focus on the integration with OIDC IDPs from Okta, KanIDM and Authentik.

Resources

• #122254: Migrate away from login proxies to SSO

---

VulnHeap by r1chard-lyu

Description

The VulnHeap project is dedicated to the in-depth analysis and exploitation of vulnerabilities within heap memory management. It focuses on understanding the intricate workflow of heap allocation, chunk structures, and bin management, which are essential to identifying and mitigating security risks.

Goals

• Familiarize with heap
  • Heap workflow
  • Chunk and bin structure
  • Vulnerabilities
• Vulnerability
  • Use after free (UAF)
  • Heap overflow
  • Double free
• Use Docker to create a vulnerable environment and apply techniques to exploit it

Resources

• https://heap-exploitation.dhavalkapil.com/divingintoglibc_heap
• https://raw.githubusercontent.com/cloudburst/libheap/master/heap.png
• https://github.com/shellphish/how2heap?tab=readme-ov-file

---

Migrate from Docker to Podman by tjyrinki_suse

Description

I'd like to continue my former work on containerization of several domains on a single server by changing from Docker containers to Podman containers. That will need an OS upgrade as well as Podman is not available in that old server version.

Goals

• Update OS.
• Migrate from Docker to Podman.
• Keep everything functional, including the existing "meanwhile done" additional Docker container that is actually being used already.
• Keep everything at least as secure as currently. One of the reasons of having the containers is to isolate risks related to services open to public Internet.
• Try to enable the Podman use in production.
• At minimum, learn about all of these topics.
• Optionally, improve Ansible side of things as well...

Resources

A search engine is one's friend. Migrating from Docker to Podman, and from docker-compose to podman-compose.

---

Model checking the BPF verifier by shunghsiyu

Project Description

BPF verifier plays a crucial role in securing the system (though less so now that unprivileged BPF is disabled by default in both upstream and SLES), and bugs in the verifier has lead to privilege escalation vulnerabilities in the past (e.g. CVE-2021-3490).

One way to check whether the verifer has bugs to use model checking (a formal verification technique), in other words, build a abstract model of how the verifier operates, and then see if certain condition can occur (e.g. incorrect calculation during value tracking of registers) by giving both the model and condition to a solver.

For the solver I will be using the Z3 SMT solver to do the checking since it provide a Python binding that's relatively easy to use.

Goal for this Hackweek

Learn how to use the Z3 Python binding (i.e. Z3Py) to build a model of (part of) the BPF verifier, probably the part that's related to value tracking using tristate numbers (aka tnum), and then check that the algorithm work as intended.

Resources

• Formal Methods for the Informal Engineer: Tutorial #1 - The Z3 Theorem Prover and its accompanying notebook is a great introduction into Z3
  • Has a section specifically on model checking
• Software Verification and Analysis Using Z3 a great example of using Z3 for model checking
• Sound, Precise, and Fast Abstract Interpretation with Tristate Numbers - existing work that use formal verification to prove that the multiplication helper used for value tracking work as intended
• [PATCH v5 net-next 00/12] bpf: rewrite value tracking in verifier - initial patch set that adds tristate number to the verifier

---

CVE portal for SUSE Rancher products by gmacedo

Description

Currently it's a bit difficult for users to quickly see the list of CVEs affecting images in Rancher, RKE2, Harvester and Longhorn releases. Users need to individually look for each CVE in the SUSE CVE database page - https://www.suse.com/security/cve/ . This is not optimal, because those CVE pages are a bit hard to read and contain data for all SLE and BCI products too, making it difficult to easily see only the CVEs affecting the latest release of Rancher, for example. We understand that certain costumers are only looking for CVE data for Rancher and not SLE or BCI.

Goals

The objective is to create a simple to read and navigate page that contains only CVE data related to Rancher, RKE2, Harvester and Longhorn, where it's easy to search by a CVE ID, an image name or a release version. The page should also provide the raw data as an exportable CSV file.

It must be an MVP with the minimal amount of effort/time invested, but still providing great value to our users and saving the wasted time that the Rancher Security team needs to spend by manually sharing such data. It might not be long lived, as it can be replaced in 2-3 years with a better SUSE wide solution.

Resources

• The page must be simple and easy to read.
• The UI/UX must be as straightforward as possible with minimal visual noise.
• The content must be created automatically from the raw data that we already have internally.
• It must be updated automatically on a daily basis and on ad-hoc runs (when needed).
• The CVE status must be aligned with VEX.
• The raw data must be exportable as CSV file.
• Ideally it will be written in Go or pure Shell script with basic HTML and no external dependencies in CSS or JS.

---

Contributing to Linux Kernel security by pperego

Description

A couple of weeks ago, I found this blog post by Gustavo Silva, a Linux Kernel contributor.

I always strived to start again into hacking the Linux Kernel, so I asked Coverity scan dashboard access and I want to contribute to Linux Kernel by fixing some minor issues.

I want also to create a Linux Kernel fuzzing lab using qemu and syzkaller

Goals

1. Fix at least 2 security bugs
2. Create the fuzzing lab and having it running

Resources

The dashboard

The serie of blog posts by Gustavo Silva inspiring this project.

An email with some quick "where to start" instructions The patchset philosophy

---

Fix RSpec tests in order to replace the ruby-ldap rubygem in OBS by enavarro_suse

Description

"LDAP mode is not official supported by OBS!". See: config/options.yml.example#L100-L102

However, there is an RSpec file which tests LDAP mode in OBS. These tests use the ruby-ldap rubygem, mocking the results returned by a LDAP server.

The ruby-ldap rubygem seems no longer maintaned, and also prevents from updating to a more recent Ruby version. A good alternative is to replace it with the net-ldap rubygem.

Before replacing the ruby-ldap rubygem, we should modify the tests so the don't mock the responses of a LDAP server. Instead, we should modify the tests and run them against a real LDAP server.

Goals

Goals of this project:

• Modify the RSpec tests and run them against a real LDAP server
• Replace the net-ldap rubygem with the ruby-ldap rubygem

Achieving the above mentioned goals will:

• Permit upgrading OBS from Ruby 3.1 to Ruby 3.2
• Make a step towards officially supporting LDAP in OBS.

Resources

• Replace ruby-ldap rubygem with net-ldap

---

OIDC Loginproxy by toe

Description

Reverse proxies can be a useful option to separate authentication logic from application logic. SUSE and openSUSE use "loginproxies" as an authentication layer in front of several services.

Currently, loginproxies exist which support LDAP authentication or SAML authentication.

Goals

The goal of this Hack Week project is, to create another loginproxy which supports OpenID Connect authentication which can then act as a drop-in replacement for the existing LDAP or SAML loginproxies.

Testing is intended to focus on the integration with OIDC IDPs from Okta, KanIDM and Authentik.

Resources

• #122254: Migrate away from login proxies to SSO

---

Setup Kanidm as OIDC provider on Kubernetes by jkuzilek

Description

I am planning to upgrade my homelab Kubernetes cluster to the next level and need an OIDC provider for my services, including K8s itself.

Goals

• Successfully configure and deploy Kanidm on homelab cluster
• Integrate with K8s auth
• Integrate with other services (Envoy Gateway, Container Registry, future deployment of Forgejo?)

Resources

• https://kanidm.github.io/kanidm/stable/

---

Hack on isotest-ng - a rust port of isotovideo (os-autoinst aka testrunner of openQA) by szarate

Description

Some time ago, I managed to convince ByteOtter to hack something that resembles isotovideo but in Rust, not because I believe that Perl is dead, but more because there are certain limitations in the perl code (how it was written), and its always hard to add new functionalities when they are about implementing a new backend, or fixing bugs (Along with people complaining that Perl is dead, and that they don't like it)

In reality, I wanted to see if this could be done, and ByteOtter proved that it could be, while doing an amazing job at hacking a vnc console, and helping me understand better what RuPerl needs to work.

I plan to keep working on this for the next few years, and while I don't aim for feature completion or replacing isotovideo tih isotest-ng (name in progress), I do plan to be able to use it on a daily basis, using specialized tooling with interfaces, instead of reimplementing everything in the backend

Todo

• Add make targets for testability, e.g "spawn qemu and type"
• Add image search matching algorithm
• Add a Null test distribution provider
• Add a Perl Test Distribution Provider
• Fix unittests https://github.com/os-autoinst/isotest-ng/issues/5
• Research OpenTofu how to add new hypervisors/baremetal to OpenTofu
• Add an interface to openQA cli

Goals

• Implement at least one of the above, prepare proposals for GSoC
• Boot a system via it's BMC

Resources

See https://github.com/os-autoinst/isotest-ng

---

Hacking on sched_ext by flonnegren

Description

Sched_ext upstream has some interesting issues open for grabs:

• core event counters
• topology: Use cpumasks

Goals

Send patches to sched_ext upstream

Also set up perfetto to trace some of the example schedulers.

Resources

https://github.com/sched-ext/scx

---

Implement a CLI tool for Trento - trentoctl by nkopliku

Description

Implement a trentoctl CLI for interacting with a trento installation

Goals

• learn rust
• implement an initial trentoctl tool to enhance trento automation
• have fun

Resources

trento rust. TUIs listed on this other hackweek project Hack on rich terminal user interfaces

---

SMB3 Server written entirely in Rust by dmulder

Description

Given the number of bugs frequently discovered in the Samba code caused by memory issues, it makes sense to re-write the smbd service purely in Rust code. Meanwhile, it would be wise to abandon backwards compatibility here with insecure protocol versions, and simply implement the SMB3 spec.

Goals

Get a simple server up and running and get it merged into upstream Samba (which now has Rust build support).

Resources

---

Better diff'ing experience by MSirringhaus

Description

For diff-ing directories, I usually like to use meld, but it struggles a lot with large trees. Experiment with writing a TUI meld-clone for diffing directories and files

Goals

Get first prototype going of a TUI that can show

• diffs of text-files
• diffs of directories.

Stretch goals

• Themes
• Filters (no whitespace, etc.)
• Live config changes (Show/hide line numbers, etc.)

---