2005 USENIX Annual Technical Conference


Monday, April 11, 2005
M1 Hands-On Linux Security Class: Learn How to Defend Linux/UNIX Systems by Learning to Think Like a Hacker (Day 2 of 2)
Rik Farrow, Security Consultant
9:00 a.m.–5:00 p.m.

See Part 1, S1, for the description of the first day of this tutorial.

Day two of this class focuses on practical forensics, that is, how to analyze a possibly hacked Linux or UNIX system from a system administrator's perspective. As a system administrator, you will not be acting as law enforcement, trying to find the perpetrator, but instead will be working as quickly as possible with the goal of uncovering what went wrong. Finding rootkits and backdoors on a sample hacked system gives you an idea of what you might find on other similar systems. You can also get clues about the nature of the attack by discovering the tools left behind on a system by an attacker.

The final portion of this class focuses on patching, with a discussion of cfengine. As this is the second day of a two-day, hands-on course, we will not repeat material covered on the first day, including getting the CD working with your laptop. If you plan on attending the course only the second day, you might want to contact the instructor before the class and get a test CD to ensure that your laptop will work in the classroom environment.

Exercises include:

  • Elevation of privilege and suid shells
  • Rootkits, and finding rootkits (chkrootkit)
  • Sleuth Kit (looking at intrusion timelines)
  • iptables and netfilter
  • Tracking down DoS floods
  • Cfengine configuration
  • Vulnerability scanning with nessus

Rik Farrow (S1, M1) provides UNIX and Internet security consulting and training. He has been working with UNIX system security since 1984 and with TCP/IP networks since 1988. He has taught at the IRS, Department of Justice, NSA, NASA, US West, Canadian RCMP, Swedish Navy, and for many US and European user groups. He is the author of UNIX System Security, published by Addison-Wesley in 1991, and System Administrator's Guide to System V (Prentice Hall, 1989). Farrow writes a column for ;login: and a network security column for Network magazine. Rik lives with his family in the high desert of northern Arizona and enjoys hiking and mountain biking when time permits.

M2 Network Security Protocols: Theory and Current Standards
Radia Perlman, Sun Microsystems, and Charlie Kaufman, Microsoft
9:00 a.m.–5:00 p.m.

Who should attend: Anyone who wants to understand the theory behind network security protocol design, with an overview of the alphabet soup of standards and cryptography. This tutorial is especially useful for anyone who needs to design or implement a network security solution, but it is also useful to anyone who needs to understand existing offerings in order to deploy and manage them. Although the tutorial is technically deep, no background other than intellectual curiosity and a good night's sleep in the recent past is required.

First, without worrying about the details of particular standards, we discuss the pieces out of which all these protocols are built.

We then cover subtle design issues, such as how secure email interacts with distribution lists, how designs maximize security in the face of export laws, and the kinds of mistakes people generally make when designing protocols.

Armed with this conceptual knowledge of the toolkit of tricks, we describe and critique current standards.

Topics include:

  • What problems are we trying to solve?
  • Cryptography
  • Key distribution
    • Trust hierarchies
    • Public key (PKI) vs. secret key solutions
  • Handshake issues
    • Diffie-Hellman
    • Man-in-the-middle defense
    • Perfect forward secrecy
    • Reflection attacks
  • PKI standards
    • X.509
    • PKIX
  • Real-time protocols
    • SSL/TLS
    • IPsec (including AH, ESP, and IKE)
  • Secure email
  • Web security
    • URLs
    • HTTP, HTTPS
    • Cookies

Radia Perlman (M2) is a Distinguished Engineer at Sun Microsystems. She is known for her contributions to bridging (spanning tree algorithm) and routing (link state routing), as well as security (sabotage-proof networks). She is the author of Interconnections: Bridges, Routers, Switches, and Internetworking Protocols and co-author of Network Security: Private Communication in a Public World, two of the top ten networking reference books, according to Network Magazine. She is one of the twenty-five people whose work has most influenced the networking industry, according to Data Communications Magazine. She has about fifty issued patents, an S.B. and S.M. in mathematics and a Ph.D. in computer science from MIT, and an honorary doctorate from KTH, the Royal Institute of Technology in Sweden.

Charlie Kaufman (M2) is Security Architect for the Common Language Runtime group at Microsoft. He is editor of the new Internet Key Exchange (IKEv2) protocol for the IPsec working group of IETF. He has contributed to a number of IETF standards efforts, including chairing the Web Transaction Security WG and serving as a member of the Internet Architecture Board (IAB). He served on the National Academy of Sciences expert panel that wrote the book Trust in Cyberspace. He was previously a Distinguished Engineer at IBM, where he was Chief Security Architect for Lotus Notes and Domino, and before that Network Security Architect for Digital. He holds over 25 patents in the fields of computer security and computer networking. He is coauthor of Network Security: Private Communication in a Public World (Prentice Hall, 2002).

M3 Advanced Solaris System Administration Topics UPDATED!
Peter Baer Galvin, Corporate Technologies, Inc.
9:00 a.m.–5:00 p.m.

Who should attend: UNIX administrators who need more knowledge of Solaris administration, especially the next-generation features of Solaris 10.

We will discuss the major new features of recent Solaris releases, including which to use (and how) and which to avoid. This in-depth course will provide the information you need to run a Solaris installation effectively. This tutorial has been updated to include Solaris 10 and several other new topics.

Topics include:

  • Installing and upgrading
    • Planning your installation, filesystem layout, post-installation steps
    • Installing (and removing) patches and packages
  • Advanced features of Solaris
    • Filesystems and their uses
    • The /proc filesystem and commands
    • ZFS
  • The Kernel
    • Kernel and performance tuning: new features, adding devices, tuning, debugging commands
    • DTrace
  • Enhancing Solaris
    • Virtual IP: configuration and uses
    • Performance: how to track down and resolve bottlenecks
    • Tools: useful free tools, tool use strategies
    • Security: locking down Solaris, system modifications, tools, zones, privileges
    • Resource management: fair share scheduler
    • Resources and references

Peter Baer Galvin (S8, M3, T3) is the Chief Technologist for Corporate Technologies, Inc., a systems integrator and VAR, and was the Systems Manager for Brown University's Computer Science Department. He has written articles for Byte and other magazines. He wrote the "Pete's Wicked World" and "Pete's Super Systems" columns at SunWorld. He is currently contributing editor for Sys Admin, where he manages the Solaris Corner. Peter is co-author of the Operating Systems Concepts and Applied Operating Systems Concepts textbooks. As a consultant and trainer, Peter has taught tutorials on security and system administration and has given talks at many conferences and institutions on such topics as Web services, performance tuning, and high availability.

M4 Perl for System Administration: The Power and the Praxis
David N. Blank-Edelman, Northeastern University
9:00 a.m.–5:00 p.m.

Who should attend: System and network administrators with at least advanced-beginner to intermediate Perl skills, who would like to make their jobs easier and less stressful in times of sysadmin crisis.

Perl was originally created to help with system administration, so it is a wonder there isn't more instructional material available to help people in our field use Perl to their advantage. This tutorial hopes to begin to remedy this situation by presenting six solid hours of instruction on using Perl for system administration.

The morning section, based on the instructor's O'Reilly book, will concentrate on the power of Perl for sysadmin tasks. This jam-packed survey will take a multi-platform look at using Perl in cutting-edge and old-standby system administration domains.

Topics include:

  • Secure Perl scripting
  • Dealing with files and filesystems
    • Source control
    • XML
    • Databases
    • Log files
  • Dealing with SQL databases via DBI and ODBC
  • Email as a sysadmin tool (including spam analysis)
  • Network directory services: NIS, DNS, LDAP, ADSI
  • Network management: SNMP and WBEM

In the afternoon, we'll look at ways to use short Perl programs to solve time-critical sysadmin problems. Focusing on a set of battle stories, we'll discuss various approaches to dealing with crises with the help of Perl.

You'll walk away from this class with Perl approaches and techniques that can help you solve your daily system administration problems. You'll have new ideas for writing small Perl programs to get you out of big sysadmin pinches. On top of all this, you are likely to have deepened your knowledge of Perl.

David N. Blank-Edelman (S11, M4) is the Director of Technology at the Northeastern University College of Computer and Information Science and the author of the O'Reilly book Perl for System Administration. He has spent the last 19 years as a system/network administrator in large multi-platform environments, including Brandeis University, Cambridge Technology Group, and the MIT Media Laboratory. He has given several successful invited talks off the beaten path at LISA and is the LISA '05 Program Chair.

M5 Inside the Linux Kernel (Updated for Version 2.6)
Theodore Ts'o, IBM
9:00 a.m.–5:00 p.m.

Who should attend: Application programmers and kernel developers. You should be reasonably familiar with C programming in the UNIX environment, but no prior experience with the UNIX or Linux kernel code is assumed.

This tutorial will give you an introduction to the structure of the Linux kernel, the basic features it provides, and the most important algorithms it employs.

The Linux kernel aims to achieve conformance with existing standards and compatibility with existing operating systems; however, it is not a reworking of existing UNIX kernel code. The Linux kernel was written from scratch to provide both standard and novel features, and it takes advantage of the best practice of existing UNIX kernel designs.

Although the material will focus on the latest release version of the Linux kernel (v. 2.6), it will also address aspects of the development kernel codebase (v. 2.7) where its substance differs from 2.6. It will not contain any detailed examination of the source code but will, rather, offer an overview and roadmap of the kernel's design and functionality.

Topics include:

  • How the kernel is organized (scheduler, virtual memory system, filesystem layers, device driver layers, networking stacks)
    • The interface between each module and the rest of the kernel
    • Kernel support functions and algorithms used by each module
    • How modules provide for multiple implementations of similar functionality
  • Ground rules of kernel programming (races, deadlock conditions)
  • Implementation and properties of the most important algorithms
    • Portability
    • Performance
    • Functionality
  • Comparison between Linux and UNIX kernels, with emphasis on differences in algorithms
  • Details of the Linux scheduler
    • Its VM system
    • The ext2fs filesystem
  • The requirements for portability between architectures

Theodore Ts'o (M5) has been a Linux kernel developer since almost the very beginnings of Linux: he implemented POSIX job control in the 0.10 Linux kernel. He is the maintainer and author of the Linux COM serial port driver and the Comtrol Rocketport driver, and he architected and implemented Linux's tty layer. Outside of the kernel, he is the maintainer of the e2fsck filesystem consistency checker. Ted is currently employed by IBM Linux Technology Center.

M6 VoIP Principles and Practice NEW!
Heison Chak, SOMA Networks
9:00 a.m.–5:00 p.m.

Who should attend: Managers and system administrators involved in the evaluation, design, implementation, and deployment of VoIP infrastructures. Participants do not need prior exposure to VoIP but should be familiar with network principles. Attendees will come away from this tutorial with a foundation in VoIP enabling strategic and cost-effective VoIP deployments in a variety of environments.

This tutorial will cover VoIP principles, and their interaction and interface with the PSTN and IP networks. While CODECs, protocols, quality, and some IETF standards are discussed, the tutorial is also filled with practical examples. Asterisk, which is open-source PBX software, will be used to demonstrate some of the unique features of VoIP.

Topics include:

  • Toll bypass
  • Interactive Voice Response System
  • Text-to-speech applications
  • Analog telephone adapter provisioning
  • Call detail recording and blacklisting
  • Echo training

Heison Chak (M6) is a system and network administrator who works for SOMA Networks, focusing on network management and performance analysis of data and voice networks. Heison has been an active member of the Asterisk community. He started delivering tutorials at USENIX conferences and contributing articles to ;login: in 2004.

M7 Seven Habits of the Highly Effective System Administrator NEW!
Mike Ciavarella, University of Melbourne, and Lee Damon, University of Washington
9:00 a.m.–5:00 p.m.

Who should attend: Junior system administrators with anywhere from little to 3+ years of experience in computer system administration. We will focus on enabling the junior system administrator to "do it right the first time." Some topics will use UNIX-specific tools as examples, but the class is applicable to any sysadmin and any OS. Most of the material covered is "the other 90%" of system administration—things every sysadmin needs to do and to know, but which aren't details of specific technical implementation.

We aim to accelerate the experience curve for junior system administrators by teaching them the time-honored tricks (and effective coping strategies) that experienced administrators take for granted and which are necessary for successful growth of both the administrator and the site.

The class covers many of the best practices that senior administrators have long incorporated into their work. We will touch on tools you should use, as well as tools you should try to avoid. We will touch on things that come up frequently, as well as those which happen only once or twice a year. We will look at a basic security approach.

Topics include:

Mike Ciavarella (S7, S12, M7) has been producing and editing technical documentation since he naively agreed to write application manuals for his first employer in the early 1980s. He has been a technical editor for MacMillan Press and has been teaching system administrators about documentation for the past eight years. Mike has an Honours Degree in Science from the University of Melbourne. After a number of years working as Senior Partner and head of the Security Practice for Cybersource Pty Ltd, Mike returned to his alma mater, the University of Melbourne. He now divides his time between teaching software engineering, providing expert testimony in computer security matters, and trying to complete a Doctorate. In his ever-diminishing spare time, Mike is a caffeine addict and photographer.

Lee Damon (M7, T8) has a B.S. in Speech Communication from Oregon State University. He has been a UNIX system administrator since 1985 and has been active in SAGE since its inception. He assisted in developing a mixed AIX/SunOS environment at IBM Watson Research and has developed mixed environments for Gulfstream Aerospace and QUALCOMM. He is currently leading the development effort for the Nikola project at the University of Washington Electrical Engineering Department. He is past chair of the SAGE Ethics and Policies Working Groups.

M8 System Log Aggregation, Statistics, and Analysis
Marcus Ranum, Tenable Security, Inc.
9:00 a.m.–5:00 p.m.

Who should attend: System and network administrators who are interested in learning what's going on in their firewalls, servers, network, and systems; anyone responsible for security and audit or forensic analysis.

This tutorial covers techniques and software tools for building your own log analysis system, from aggregating all your data in a single place, through normalizing it, searching, and summarizing, to generating statistics and alerts and warehousing it. We will focus primarily on open source tools for the UNIX environment, but will also describe tools for dealing with Windows systems and various devices such as routers and firewalls.

Topics include:

  • Estimating log quantities and log system requirements
  • Syslog: mediocre but pervasive logging protocol
  • Back-hauling your logs
  • Building a central loghost
  • Dealing with Windows logs
  • Logging on Windows loghosts
  • Parsing and normalizing
  • Finding needles in haystacks: searching logs
  • I'm dumb, but it works: artificial ignorance
  • Bayesian spam filters for logging
  • Storage and rotation
  • Databases and logs
  • Leveraging the human eyeball: graphing log data
  • Alerting
  • Legalities of logs as evidence

Marcus Ranum (M8) is Chief Security Officer at Tenable Security, Inc., and a world-renowned expert on security system design and implementation. He is recognized as the inventor of the proxy firewall and the implementer of the first commercial firewall product. Since the late 1980s, he has designed a number of groundbreaking security products, including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall, and NFR's Network Flight Recorder intrusion detection system. He has been involved in every level of operations of a security product business, from developer, to founder and CEO of NFR. Marcus has served as a consultant to many FORTUNE 500 firms and national governments, as well as serving as a guest lecturer and instructor at numerous high-tech conferences. In 2001, he was awarded the TISC Clue award for service to the security community, and he holds the ISSA lifetime achievement award.

Last changed: 31 March 2005 ch