BEGIN:VCALENDAR
VERSION:2.0
X-WR-CALNAME:lssna2026
X-WR-CALDESC:Event Calendar
METHOD:PUBLISH
CALSCALE:GREGORIAN
PRODID:-//Sched.com Linux Security Summit North America 2026//EN
X-WR-TIMEZONE:UTC
BEGIN:VEVENT
DTSTAMP:20260529T010218Z
DTSTART:20260521T123000Z
DTEND:20260521T220000Z
SUMMARY:Registration & Badge Pick-up
DESCRIPTION:\n
CATEGORIES:REGISTRATION
LOCATION:Ballroom Lobby - Level 1\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:ba940d801dcea4686476421fdcce87ef
URL:http://lssna2026.sched.com/event/ba940d801dcea4686476421fdcce87ef
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260529T010218Z
DTSTART:20260521T140000Z
DTEND:20260521T140500Z
SUMMARY:Welcome & Opening Remarks - James Morris\, Microsoft
DESCRIPTION:\n
CATEGORIES:OPENING REMARKS
LOCATION:101A+B\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:cf36644fe9b159c26c3850d3cee5a4d6
URL:http://lssna2026.sched.com/event/cf36644fe9b159c26c3850d3cee5a4d6
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260529T010218Z
DTSTART:20260521T140500Z
DTEND:20260521T143500Z
SUMMARY:Secure Hibernation in a Locked Down World - Matthew Garrett\, NVIDIA
DESCRIPTION:The Lockdown LSM is intended to ensure the integrity of all code in kernel space. Hibernation is a technology that allows the entire contents of RAM to be stored to disk and then later restored. What stops an attacker modifying the contents of the hibernation image\, or providing their own hibernation image that contains malicious code\, violating the design goals of Lockdown? The answer at the moment is "Lockdown disables hibernation"\, and everyone agrees that this is a bad answer. Let's fix that. \n \n This presentation will describe the design and implementation of a patchset that allows hibernation images to be secured using hardware-backed keys\, tied to system state in a way that prevents them being extracted and used to sign a malicious image. It will cover some of the corner cases and describe future work that would enable additional behavioural guarantees that are not part of the initial implementation. We will then discuss whether this is the right way of solving the problem\, what alternatives there might be\, and whether any of this is worth it at all.
CATEGORIES:SHORT TOPIC: 30 MINUTES IN TOTAL
LOCATION:101A+B\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:9a425f2ebd4c98b95049218423050740
URL:http://lssna2026.sched.com/event/9a425f2ebd4c98b95049218423050740
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260529T010218Z
DTSTART:20260521T144000Z
DTEND:20260521T151000Z
SUMMARY:Container Escape Paths Nobody Monitors: Abusing Linux Debug Interfaces - Nikunj Doshi\, PDT Corp.
DESCRIPTION:Linux containers rely on namespaces\, capabilities\, and seccomp profiles to enforce isolation. However\, several powerful debugging and observability interfaces remain accessible in many deployments and are rarely audited from a security perspective.\n \nThis talk explores how Linux debugging mechanisms such as ptrace\, perf\, and tracing interfaces interact with container isolation boundaries. While these tools are designed for diagnostics and performance analysis\, misconfigured access to them can expose unexpected attack surfaces that enable information leakage\, privilege escalation\, or container escape.\n\n Through practical demonstrations\, we examine how these interfaces can be abused in real environments and why many monitoring tools unintentionally weaken isolation guarantees. The session also presents practical hardening strategies\, including capability minimization\, runtime policy enforcement\, and safer observability deployments for production systems.
CATEGORIES:SHORT TOPIC: 30 MINUTES IN TOTAL
LOCATION:101A+B\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:c504063d9e04961bc793ddc42e0287f5
URL:http://lssna2026.sched.com/event/c504063d9e04961bc793ddc42e0287f5
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260529T010218Z
DTSTART:20260521T151000Z
DTEND:20260521T154000Z
SUMMARY:Break
DESCRIPTION:\n
CATEGORIES:BREAKS & NETWORKING
LOCATION:101A+B\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:b5f583c540ce24e4da1116e85594c1ce
URL:http://lssna2026.sched.com/event/b5f583c540ce24e4da1116e85594c1ce
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260529T010218Z
DTSTART:20260521T154000Z
DTEND:20260522T042500Z
SUMMARY:Defending the Branch: PAC\, BTI & GCS on Linux - Bill Roberts\, ARM Ltd
DESCRIPTION:As computing systems evolve\, memory-safety exploits such as return-oriented programming (ROP) and jump-oriented programming (JOP) remain a serious threat. These attacks manipulate control flow within valid address space\, reusing existing code “gadgets” to achieve the attacker's desired results. Arm AArch64 provides architectural defenses against these attacks through Pointer Authentication Codes (PAC)\, Guarded Control Stack (GCS)\, and Branch Target Identification (BTI). \n \n This talk explains how these technologies work and\, more importantly\, what Linux developers\, distributions\, packagers\, and toolchains must do to deploy them correctly. We cover the AArch64 Linux ABI implications\, including requirements for hand-written assembly\, use of BTI and PAC instructions\, and PAC key management. We dive into real-world toolchain and language impacts\, including changes to C code generation\, C++ exception unwinding\, DWARF metadata updates\, and use of Arm's hint space instructions. Attendees will also learn common pitfalls\, debugging challenges\, and deployment trade-offs observed in practice. \n \n By the end of this session\, participants will understand how to deploy PAC\, GCS\, and BTI across Linux.
CATEGORIES:REFEREED PRESENTATION: 45 MINUTES IN LENGTH
LOCATION:101A+B\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:1e79a86a4dd0b44c6a6c78f8e5e548dd
URL:http://lssna2026.sched.com/event/1e79a86a4dd0b44c6a6c78f8e5e548dd
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260529T010218Z
DTSTART:20260521T163000Z
DTEND:20260521T170000Z
SUMMARY:A Technical Deep Dive Into Intel CET Implementation in Linux - Jay Tharwani\, NetApp Inc.
DESCRIPTION:Intel Control-Flow Enforcement Technology (CET) represents a milestone in hardware-assisted exploit mitigation\, providing silicon-level defenses against Return-Oriented Programming (ROP) and Jump-Oriented Programming (JOP). This session provides a deep-dive analysis of the two pillars of CET—Indirect Branch Tracking (IBT) and Shadow Stacks (SHSTK)—and their integration into the Linux kernel. \n \n We trace the implementation journey from the initial merge of IBT in Linux 5.18 to the arrival of userspace Shadow Stacks in Linux 6.6. The session explores the microarchitectural mechanics of the #CP (Control Protection) fault and how the kernel manages shadow stack allocations\, signal frame tokens\, and context switching. \n \n Key topics include: \n \n Forward-Edge Integrity: How IBT uses the ENDBR opcode to restrict indirect branch targets. \n \n Backward-Edge Defense: A deep look at hardware-enforced Shadow Stacks and the management of the Shadow Stack Pointer (SSP). \n \n The Kernel Interface: Leveraging arch_prctl(2) for application opt-in and the role of GLIBC_TUNABLES in production environments. \n \n Edge Cases: Handling complex control flows like setjmp/longjmp\, JIT engines\, and signal restorers.
CATEGORIES:SHORT TOPIC: 30 MINUTES IN TOTAL
LOCATION:101A+B\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:72b34838dc1accd2cffdc38279b2a365
URL:http://lssna2026.sched.com/event/72b34838dc1accd2cffdc38279b2a365
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260529T010218Z
DTSTART:20260521T170000Z
DTEND:20260521T181500Z
SUMMARY:Lunch
DESCRIPTION:\n
CATEGORIES:BREAKS & NETWORKING
LOCATION:101A+B\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:abc41e6dfd3a9e7ee496e2879145cbd7
URL:http://lssna2026.sched.com/event/abc41e6dfd3a9e7ee496e2879145cbd7
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260529T010218Z
DTSTART:20260521T181500Z
DTEND:20260521T184500Z
SUMMARY:StageX: Rebuilding Trust Through Multi-Signed\, Full-Source Bootstrapped\, and Reproducible Builds - Danny Grove\, Manifest Cyber & Lance Vick\, Distrust
DESCRIPTION:Most Linux distributions trust individual maintainers with complete package control\, creating critical supply chain vulnerabilities. StageX rebuilds this trust model from scratch with a radically different approach: no single person or computer can compromise the system. \n StageX requires fully bit-for-bit reproducible builds verified and signed by multiple independent parties before release. Built from 181 bytes of machine code\, StageX bootstraps modern toolchains that can be used in container-native and static contexts. \n This talk demonstrates StageX's approach to full-source bootstrapping\, bit-for-bit reproducibility and multi-party verification\; contrasts it with other reproducible build efforts like NixOS/Guix\, and shows how its container-native design provides practical security guarantees. You'll learn how to implement these approaches in your own infrastructure to build software from toolchain to deployment.
CATEGORIES:SHORT TOPIC: 30 MINUTES IN TOTAL
LOCATION:101A+B\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:c62811178b57f105860bda6a4aa99581
URL:http://lssna2026.sched.com/event/c62811178b57f105860bda6a4aa99581
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260529T010218Z
DTSTART:20260521T185000Z
DTEND:20260521T193500Z
SUMMARY:Modernizing Kernel Cryptography: From Complex APIs To Streamlined Libraries - Eric Biggers\, Google
DESCRIPTION:The Linux kernel's cryptography framework has long been a source of frustration for developers. Its complex and abstract API is often a poor fit for modern algorithms and hardware. Using it correctly is quite difficult\, and its performance is suboptimal due to the required dynamic memory allocations\, indirect calls\, and other API overhead. \n \n This talk presents recent progress in supporting more algorithms via straightforward library APIs\, including hash functions\, MACs\, and CRCs. We will explore how various kernel subsystems have been refactored to use these libraries\, simplifying their code and improving performance. \n \n Finally\, I will also cover best practices for adding new kernel features that use cryptography\, the adoption of modern practices in the crypto library such as KUnit testing\, and new features in the crypto library such as support for the SHAKE extendable-output functions and ML-DSA post-quantum signatures.
CATEGORIES:REFEREED PRESENTATION: 45 MINUTES IN LENGTH
LOCATION:101A+B\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:ec6f3d4dacb2ee48c962252b4f2a2cb5
URL:http://lssna2026.sched.com/event/ec6f3d4dacb2ee48c962252b4f2a2cb5
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260529T010218Z
DTSTART:20260521T193500Z
DTEND:20260521T200000Z
SUMMARY:Break
DESCRIPTION:\n
CATEGORIES:BREAKS & NETWORKING
LOCATION:101A+B\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:e514b1c08ebacdded7ec57458b33e996
URL:http://lssna2026.sched.com/event/e514b1c08ebacdded7ec57458b33e996
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260529T010218Z
DTSTART:20260521T200000Z
DTEND:20260521T210000Z
SUMMARY:BoF Session - Topic To Be Announced Onsite
DESCRIPTION:\n
CATEGORIES:BOF SESSIONS
LOCATION:101A+B\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:10ab54c550d0f358fc861c3b39680a5b
URL:http://lssna2026.sched.com/event/10ab54c550d0f358fc861c3b39680a5b
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260529T010218Z
DTSTART:20260522T130000Z
DTEND:20260522T213000Z
SUMMARY:Registration & Badge Pick-up
DESCRIPTION:\n
CATEGORIES:REGISTRATION
LOCATION:Ballroom Lobby - Level 1\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:5757a0649a05f827ff51590550343636
URL:http://lssna2026.sched.com/event/5757a0649a05f827ff51590550343636
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260529T010218Z
DTSTART:20260522T140000Z
DTEND:20260522T140500Z
SUMMARY:Welcome Back & Remarks - James Morris\, Microsoft
DESCRIPTION:\n
CATEGORIES:OPENING REMARKS
LOCATION:101A+B\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:f4a173d863d6c314d7570c434e0bc9c2
URL:http://lssna2026.sched.com/event/f4a173d863d6c314d7570c434e0bc9c2
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260529T010218Z
DTSTART:20260522T140500Z
DTEND:20260522T145000Z
SUMMARY:Hornet LSM - Blaise Boscaccy\, Microsoft
DESCRIPTION:Hornet LSM addresses a longstanding trust gap in the eBPF ecosystem by enabling strong integrity guarantees for eBPF programs and maps in locked-down production environments. While eBPF has become a powerful foundation for observability\, networking\, and security\, safely deploying it in hardened systems remains a challenge. In this talk\, we present the architecture\, implementation\, and practical usage of Hornet LSM\, an in-kernel\, composable Linux Security Module designed to complement existing upstream mechanisms. We will explore how Hornet enables verification and auditing of eBPF programs and maps\, allowing operators to confidently leverage eBPF while maintaining a strong security posture. The session will also examine the current upstream eBPF security model\, discuss its strengths and limitations\, and show how Hornet builds upon and extends these foundations without imposing policy. Attendees will leave with a clear understanding of how Hornet LSM can be integrated into hardened production systems to safely unlock the full potential of eBPF.
CATEGORIES:REFEREED PRESENTATION: 45 MINUTES IN LENGTH
LOCATION:101A+B\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:bd516f4d5a8438f4a0953cc366a9bdaf
URL:http://lssna2026.sched.com/event/bd516f4d5a8438f4a0953cc366a9bdaf
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260529T010218Z
DTSTART:20260522T145500Z
DTEND:20260522T154000Z
SUMMARY:Bringing Object Delegation To AppArmor - John Johansen\, Canonical
DESCRIPTION:AppArmor has traditionally used a more static type enforcement style policy\, where all object accesses must be explicitly allowed within the subject's profile. However\, this can result in policy that has overly broad access rights to cover all the potential accesses the application may do. Object capabilities allow passing objects to a subject such that the object carries the opening task's access rights. This allows extending a subject's access permissions dynamically\, allowing for smaller\, more dynamic policy\, while losing some of the advantages of the more static type enforcement policy. This presentation will discuss how AppArmor is bringing bounded object delegation to its policy\, and the effects this has on how policy is authored.
CATEGORIES:REFEREED PRESENTATION: 45 MINUTES IN LENGTH
LOCATION:101A+B\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:7de6df53c7c5036cc946994ec513c3ca
URL:http://lssna2026.sched.com/event/7de6df53c7c5036cc946994ec513c3ca
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260529T010218Z
DTSTART:20260522T154000Z
DTEND:20260522T160500Z
SUMMARY:Break
DESCRIPTION:\n
CATEGORIES:BREAKS & NETWORKING
LOCATION:101A+B\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:a8c804c182923b83ee983bf639489135
URL:http://lssna2026.sched.com/event/a8c804c182923b83ee983bf639489135
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260529T010218Z
DTSTART:20260522T160500Z
DTEND:20260522T173500Z
SUMMARY:Hackathon
DESCRIPTION:\n
CATEGORIES:HACKATHONS
LOCATION:101A+B\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:8b5f64dc070c5b0494f61bfa0294f955
URL:http://lssna2026.sched.com/event/8b5f64dc070c5b0494f61bfa0294f955
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260529T010218Z
DTSTART:20260522T173500Z
DTEND:20260522T185000Z
SUMMARY:Lunch
DESCRIPTION:\n
CATEGORIES:BREAKS & NETWORKING
LOCATION:101A+B\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:d1fea13b15740496d879c881f8a3f229
URL:http://lssna2026.sched.com/event/d1fea13b15740496d879c881f8a3f229
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260529T010218Z
DTSTART:20260522T185000Z
DTEND:20260522T192000Z
SUMMARY:CrackAppArmor Retrospective - John Johansen\, Canonical
DESCRIPTION:This presentation will look at the recent CrackArmor vulnerability and provide a retrospective\, and lessons learned.
CATEGORIES:SHORT TOPIC: 30 MINUTES IN TOTAL
LOCATION:101A+B\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:2a538d54052c98af7cb0d75982b49f4d
URL:http://lssna2026.sched.com/event/2a538d54052c98af7cb0d75982b49f4d
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260529T010218Z
DTSTART:20260522T192500Z
DTEND:20260522T195500Z
SUMMARY:Bridging BPF LSM and the Linux Audit Subsystem - Frederick Lawler\, Cloudflare
DESCRIPTION:BPF LSM has become a cornerstone for fine-grained security enforcement\, yet it often operates in isolation from the kernel's primary reporting mechanism: the Linux Audit Subsystem. This disconnection creates a visibility gap where programmable security policies cannot easily communicate events through standard\, compliance-ready audit channels. \n \n This session explores the value of exposing the Linux Audit Subsystem to BPF LSM programs via kfuncs. By allowing BPF-based security modules to emit formal audit records\, we can bridge the gap between flexible\, high-performance enforcement and the standardized logging required for incident response and regulatory compliance. We will discuss the operational implications of this integration\, highlighting how it enables BPF to function as a first-class citizen within the existing enterprise security stack\, providing both the power of programmable enforcement and the transparency of traditional auditing.
CATEGORIES:SHORT TOPIC: 30 MINUTES IN TOTAL
LOCATION:101A+B\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:2dcda4870b6719dde47f92cc6463c9ea
URL:http://lssna2026.sched.com/event/2dcda4870b6719dde47f92cc6463c9ea
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260529T010218Z
DTSTART:20260522T195500Z
DTEND:20260522T202000Z
SUMMARY:Break
DESCRIPTION:\n
CATEGORIES:BREAKS & NETWORKING
LOCATION:101A+B\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:10776ff19ded084e17efb9a567244b3a
URL:http://lssna2026.sched.com/event/10776ff19ded084e17efb9a567244b3a
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260529T010218Z
DTSTART:20260522T202000Z
DTEND:20260522T205000Z
SUMMARY:eBPF in 2026: How Attackers Abuse It and How Defenders Can Secure Linux and Kubernetes - Advait Patel\, Broadcom
DESCRIPTION:eBPF has become one of the most powerful security building blocks in Linux\, yet that same power makes it a high-value target. This session is a technical deep dive into emerging eBPF threat patterns we’re seeing across modern fleets: privilege escalation paths that hinge on BPF/JIT behavior\, abuse of tracing hooks for stealthy data access\, and ways attackers hide activity by tampering with observability pipelines. Then we flip to defense: concrete kernel and distro hardening moves that actually change the risk profile (unprivileged BPF controls\, JIT hardening settings\, capability boundaries\, LSM integration\, and runtime guardrails). I’ll include short\, readable kernel-level snippets and user-space examples using standard BPF tooling so you can reproduce the behaviors in a lab and validate mitigations. The goal is practical: leave with a checklist you can apply to production Linux systems and a mental model for what "safe eBPF" looks like going forward.
CATEGORIES:SHORT TOPIC: 30 MINUTES IN TOTAL
LOCATION:101A+B\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:894a83e1c52a5103c7df97d934033ba6
URL:http://lssna2026.sched.com/event/894a83e1c52a5103c7df97d934033ba6
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260529T010218Z
DTSTART:20260522T205000Z
DTEND:20260522T212000Z
SUMMARY:Exploring Function-Level Code Metrics and Developer Attributes for Linux Kernel Vulnerabilities - Yan Sun\, University of Minnesota
DESCRIPTION:In recent years\, the number of documented Linux kernel CVEs has increased substantially\, following the kernel’s designation as an official CVE Numbering Authority in 2024. This transition improves access to ground-truth kernel CVEs and their corresponding patches\, creating new opportunities for empirical studies of kernel vulnerabilities at scale. \n \n To better understand the characteristics of kernel vulnerabilities\, we collect vulnerability-fixing commits (VFCs) and vulnerability-inducing commits (VICs) associated with kernel CVEs over the past 10 years. We then perform a metrics-based analysis that examines function-level code metrics and developer attributes between VFCs and VICs. \n \n This session presents features associated with VICs. In particular\, we find that authors of VICs are generally less active and have lower code familiarity at the file\, subdirectory\, and kernel levels. In addition\, we observe a higher representation of maintainers among VICs. The session also discusses vulnerability distributions across our CVE dataset. Finally\, we outline how our research can inform bug discovery practices and support the development of vulnerability detection tools in the kernel.
CATEGORIES:SHORT TOPIC: 30 MINUTES IN TOTAL
LOCATION:101A+B\, Minneapolis\, MN\, USA
SEQUENCE:0
UID:3f31381c32803da01127cd79981594de
URL:http://lssna2026.sched.com/event/3f31381c32803da01127cd79981594de
END:VEVENT
END:VCALENDAR
