May 21 - 22 | Minneapolis, Minnesota
Note: The schedule is subject to change.

The Sched app lets you build your schedule, but it is not a substitute for event registration. You must be registered for Linux Security Summit North America 2026 to participate in the sessions. If you have not registered but would like to join us, please visit the event registration page to purchase a ticket.


Venue: 101A+B
Thursday, May 21
 

9:00am CDT

Welcome & Opening Remarks - James Morris, Microsoft
Thursday May 21, 2026 9:00am - 9:05am CDT

Speakers

James Morris

Linux Kernel & Security Manager, Microsoft

101A+B

9:05am CDT

Secure Hibernation in a Locked Down World - Matthew Garrett, NVIDIA
Thursday May 21, 2026 9:05am - 9:35am CDT
The Lockdown LSM is intended to ensure the integrity of all code in kernel space. Hibernation is a technology that allows the entire contents of RAM to be stored to disk and then later restored. What stops an attacker modifying the contents of the hibernation image, or providing their own hibernation image that contains malicious code, violating the design goals of Lockdown? The answer at the moment is "Lockdown disables hibernation", and everyone agrees that this is a bad answer. Let's fix that.

This presentation will describe the design and implementation of a patchset that allows hibernation images to be secured using hardware-backed keys, tied to system state in a way that prevents them being extracted and used to sign a malicious image. It will cover some of the corner cases and describe future work that would enable additional behavioural guarantees that are not part of the initial implementation. We will then discuss whether this is the right way of solving the problem, what alternatives there might be, and whether any of this is worth it at all.
Speakers

Matthew Garrett

Principal Security Developer, NVIDIA
Matthew is an abyss domain expert, and has a long list of recommendations of which portions of the abyss are best to gaze into. He has worked on security throughout most of the stack, from hardware to firmware to kernels to desktop applications and pretty much everything else.
101A+B

9:40am CDT

Container Escape Paths Nobody Monitors: Abusing Linux Debug Interfaces - Nikunj Doshi, PDT Corp.
Thursday May 21, 2026 9:40am - 10:10am CDT
Linux containers rely on namespaces, capabilities, and seccomp profiles to enforce isolation. However, several powerful debugging and observability interfaces remain accessible in many deployments and are rarely audited from a security perspective.

This talk explores how Linux debugging mechanisms such as ptrace, perf, and tracing interfaces interact with container isolation boundaries. While these tools are designed for diagnostics and performance analysis, misconfigured access to them can expose unexpected attack surfaces that enable information leakage, privilege escalation, or container escape.

Through practical demonstrations, we examine how these interfaces can be abused in real environments and why many monitoring tools unintentionally weaken isolation guarantees. The session also presents practical hardening strategies, including capability minimization, runtime policy enforcement, and safer observability deployments for production systems.
Speakers

Nikunj Doshi

Lead DevOps Engineer, PDT Corp
Making Solution simpler and accessible. Nikunj Doshi is an accomplished IT Architect with over 10+ years of professional experience and more than a decade of deep specialization in Open Source technologies, Cloud Architecture, Artificial Intelligence, and Cybersecurity. His career...
101A+B

10:10am CDT

Break
Thursday May 21, 2026 10:10am - 10:40am CDT

101A+B

10:40am CDT

Defending the Branch: PAC, BTI & GCS on Linux - Bill Roberts, ARM Ltd
Thursday May 21, 2026 10:40am - 11:25am CDT
As computing systems evolve, memory-safety exploits such as return-oriented programming (ROP) and jump-oriented programming (JOP) remain a serious threat. These attacks manipulate control flow within valid address space, reusing existing code “gadgets” to achieve the attacker's desired results. Arm AArch64 provides architectural defenses against these attacks through Pointer Authentication Codes (PAC), Guarded Control Stack (GCS), and Branch Target Identification (BTI).

This talk explains how these technologies work and, more importantly, what Linux developers, distributions, packagers, and toolchains must do to deploy them correctly. We cover the AArch64 Linux ABI implications, including requirements for hand-written assembly, use of BTI and PAC instructions, and PAC key management. We dive into real-world toolchain and language impacts, including changes to C code generation, C++ exception unwinding, DWARF metadata updates, and use of Arm's hint space instructions. Attendees will also learn common pitfalls, debugging challenges, and deployment trade-offs observed in practice.

By the end of this session, participants will understand how to deploy PAC, GCS, and BTI across Linux.
Speakers

Bill Roberts

Principal Software Engineer, ARM Ltd
Bill is a software engineer with an eclectic background in various mobile development platforms, operating systems and security technologies. He is the author of "Exploring SE for Android" and is a maintainer of the tpm2-software stack. Bill is currently working on Fedora Linux.
101A+B

11:30am CDT

A Technical Deep Dive Into Intel CET Implementation in Linux - Jay Tharwani, NetApp Inc.
Thursday May 21, 2026 11:30am - 12:00pm CDT
Intel Control-Flow Enforcement Technology (CET) represents a milestone in hardware-assisted exploit mitigation, providing silicon-level defenses against Return-Oriented Programming (ROP) and Jump-Oriented Programming (JOP). This session provides a deep-dive analysis of the two pillars of CET—Indirect Branch Tracking (IBT) and Shadow Stacks (SHSTK)—and their integration into the Linux kernel.

We trace the implementation journey from the initial merge of IBT in Linux 5.18 to the arrival of userspace Shadow Stacks in Linux 6.6. The session explores the microarchitectural mechanics of the #CP (Control Protection) fault and how the kernel manages shadow stack allocations, signal frame tokens, and context switching.

Key topics include:

Forward-Edge Integrity: How IBT uses the ENDBR opcode to restrict indirect branch targets.

Backward-Edge Defense: A deep look at hardware-enforced Shadow Stacks and the management of the Shadow Stack Pointer (SSP).

The Kernel Interface: Leveraging arch_prctl(2) for application opt-in and the role of GLIBC_TUNABLES in production environments.

Edge Cases: Handling complex control flows like setjmp/longjmp, JIT engines, and signal restorers.
Speakers

Jay Tharwani

System Software Engineer at NetApp, NetApp Inc.
I am a systems software engineer working at the intersection of operating systems, virtualization, and CPU architecture. I have nearly a decade of experience building low-level system software and cloud infrastructure at Intel and Oracle, and I am currently a Member of Technical Staff...
101A+B

12:00pm CDT

Lunch
Thursday May 21, 2026 12:00pm - 1:15pm CDT

101A+B

1:15pm CDT

StageX: Rebuilding Trust Through Multi-Signed, Full-Source Bootstrapped, and Reproducible Builds - Danny Grove, Manifest Cyber & Lance Vick, Distrust
Thursday May 21, 2026 1:15pm - 1:45pm CDT
Most Linux distributions trust individual maintainers with complete package control, creating critical supply chain vulnerabilities. StageX rebuilds this trust model from scratch with a radically different approach: no single person or computer can compromise the system.
StageX requires fully bit-for-bit reproducible builds verified and signed by multiple independent parties before release. Built from 181 bytes of machine code, StageX bootstraps modern toolchains that can be used in container-native and static contexts.
This talk demonstrates StageX's approach to full-source bootstrapping, bit-for-bit reproducibility and multi-party verification; contrasts it with other reproducible build efforts like NixOS/Guix, and shows how its container-native design provides practical security guarantees. You'll learn how to implement these approaches in your own infrastructure to build software from toolchain to deployment.
Speakers

Lance Vick

Security Engineer, Distrust


Danny Grove

Lead Infrastructure Engineer, Manifest Cyber
Software and Infrastructure Engineer with 16 years of experience across the web stack. Co-Founder of Hashbang, a decentralized hackerspace. Owner at DR Grove Software LLC and Lead Infrastructure Engineer at Manifest Cyber. Cyborg. Specializes in containerization, building other peoples...
101A+B

1:50pm CDT

Modernizing Kernel Cryptography: From Complex APIs To Streamlined Libraries - Eric Biggers, Google
Thursday May 21, 2026 1:50pm - 2:35pm CDT
The Linux kernel's cryptography framework has long been a source of frustration for developers. Its complex and abstract API is often a poor fit for modern algorithms and hardware. Using it correctly is quite difficult, and its performance is suboptimal due to the required dynamic memory allocations, indirect calls, and other API overhead.

This talk presents recent progress in supporting more algorithms via straightforward library APIs, including hash functions, MACs, and CRCs. We will explore how various kernel subsystems have been refactored to use these libraries, simplifying their code and improving performance.

Finally, I will also cover best practices for adding new kernel features that use cryptography, the adoption of modern practices in the crypto library such as KUnit testing, and new features in the crypto library such as support for the SHAKE extendable-output functions and ML-DSA post-quantum signatures.
Speakers

Eric Biggers

Software Engineer, Google
Eric has been contributing to the Linux kernel since 2014 and is a maintainer of the cryptography library, CRC library, fscrypt, and fsverity in the upstream Linux kernel. He also contributes to other cryptography-focused kernel features such as dm-verity and blk-crypto (inline storage...
101A+B

2:35pm CDT

Break
Thursday May 21, 2026 2:35pm - 3:00pm CDT

101A+B

3:00pm CDT

BoF Session - Topic To Be Announced Onsite
Thursday May 21, 2026 3:00pm - 4:00pm CDT

101A+B
 
Friday, May 22
 

9:00am CDT

Welcome Back & Remarks - James Morris, Microsoft
Friday May 22, 2026 9:00am - 9:05am CDT

Speakers

James Morris

Linux Kernel & Security Manager, Microsoft

101A+B

9:05am CDT

Hornet LSM - Blaise Boscaccy, Microsoft
Friday May 22, 2026 9:05am - 9:50am CDT
Hornet LSM addresses a longstanding trust gap in the eBPF ecosystem by enabling strong integrity guarantees for eBPF programs and maps in locked-down production environments. While eBPF has become a powerful foundation for observability, networking, and security, safely deploying it in hardened systems remains a challenge.
In this talk, we present the architecture, implementation, and practical usage of Hornet LSM, an in-kernel, composable Linux Security Module designed to complement existing upstream mechanisms. We will explore how Hornet enables verification and auditing of eBPF programs and maps, allowing operators to confidently leverage eBPF while maintaining a strong security posture.
The session will also examine the current upstream eBPF security model, discuss its strengths and limitations, and show how Hornet builds upon and extends these foundations without imposing policy. Attendees will leave with a clear understanding of how Hornet LSM can be integrated into hardened production systems to safely unlock the full potential of eBPF.
Speakers

Blaise Boscaccy

Senior Software Engineer, Microsoft
Blaise Boscaccy is a Technical Lead at Microsoft, where he focuses on Linux kernel security, reliability and system integrity for Azure. Prior to Microsoft, he worked at a defense contractor contributing to a range of security-focused initiatives and was a member of the Ksplice team...
101A+B

9:55am CDT

Bringing Object Delegation To AppArmor - John Johansen, Canonical
Friday May 22, 2026 9:55am - 10:40am CDT
AppArmor has traditionally used a more static, type-enforcement-style policy, where all object accesses must be explicitly allowed within a subject's profile. However, this can result in policy that grants overly broad access rights in order to cover all the potential accesses the application may make.

Object capabilities allow passing objects to a subject such that the object carries the opening task's access rights. This extends a subject's access permissions dynamically, allowing for smaller, more dynamic policy, while losing some of the advantages of the more static type-enforcement policy.

This presentation will discuss how AppArmor is bringing bounded object delegation to its policy, and the effect this has on how policy is authored.
Speakers

John Johansen

Security Engineer, Canonical
John Johansen began working with open source software in the late 80s and began playing with Linux in 93. He completed a masters in mathematics at the University of Waterloo and then began working for Immunix doing compiler hardening, and then AppArmor. After Immunix was acquired by...
101A+B

10:40am CDT

Break
Friday May 22, 2026 10:40am - 11:05am CDT

101A+B

11:05am CDT

Hackathon
Friday May 22, 2026 11:05am - 12:35pm CDT

101A+B

12:35pm CDT

Lunch
Friday May 22, 2026 12:35pm - 1:50pm CDT

101A+B

1:50pm CDT

CrackAppArmor Retrospective - John Johansen, Canonical
Friday May 22, 2026 1:50pm - 2:20pm CDT
This presentation will look at the recent CrackArmor vulnerability and provide a retrospective, and lessons learned.
Speakers

John Johansen

Security Engineer, Canonical
John Johansen began working with open source software in the late 80s and began playing with Linux in 93. He completed a masters in mathematics at the University of Waterloo and then began working for Immunix doing compiler hardening, and then AppArmor. After Immunix was acquired by...
101A+B

2:25pm CDT

Bridging BPF LSM and the Linux Audit Subsystem - Frederick Lawler, Cloudflare
Friday May 22, 2026 2:25pm - 2:55pm CDT
BPF LSM has become a cornerstone for fine-grained security enforcement, yet it often operates in isolation from the kernel's primary reporting mechanism: the Linux Audit Subsystem. This disconnection creates a visibility gap where programmable security policies cannot easily communicate events through standard, compliance-ready audit channels.

This session explores the value of exposing the Linux Audit Subsystem to BPF LSM programs via kfuncs. By allowing BPF-based security modules to emit formal audit records, we can bridge the gap between flexible, high-performance enforcement and the standardized logging required for incident response and regulatory compliance. We will discuss the operational implications of this integration, highlighting how it enables BPF to function as a first-class citizen within the existing enterprise security stack, providing both the power of programmable enforcement and the transparency of traditional auditing.
Speakers

Frederick Lawler

Systems Engineer, Cloudflare
Fred is a backend web developer turned kernel developer. He previously focused on the PCIe subsystem since 2018 as a hobbyist. Now he works for Cloudflare on the Linux team with a focus on securing systems and production reliability.
101A+B

2:55pm CDT

Break
Friday May 22, 2026 2:55pm - 3:20pm CDT

101A+B

3:20pm CDT

eBPF in 2026: How Attackers Abuse It and How Defenders Can Secure Linux and Kubernetes - Advait Patel, Broadcom
Friday May 22, 2026 3:20pm - 3:50pm CDT
eBPF has become one of the most powerful security building blocks in Linux, yet that same power makes it a high-value target. This session is a technical deep dive into emerging eBPF threat patterns we’re seeing across modern fleets: privilege escalation paths that hinge on BPF/JIT behavior, abuse of tracing hooks for stealthy data access, and ways attackers hide activity by tampering with observability pipelines. Then we flip to defense: concrete kernel and distro hardening moves that actually change the risk profile (unprivileged BPF controls, JIT hardening settings, capability boundaries, LSM integration, and runtime guardrails). I’ll include short, readable kernel-level snippets and user-space examples using standard BPF tooling so you can reproduce the behaviors in a lab and validate mitigations. The goal is practical: leave with a checklist you can apply to production Linux systems and a mental model for what "safe eBPF" looks like going forward.
Speakers

Advait Patel

Senior Site Reliability Engineer, Broadcom
Advait Patel is a Senior Site Reliability Engineer at Broadcom and the creator of DockSec, an open-source, AI-powered Docker security analyzer. With over 8+ years of experience in cloud-native security, DevSecOps, and secure software supply chains, he is passionate about building...
101A+B

3:50pm CDT

Exploring Function-Level Code Metrics and Developer Attributes for Linux Kernel Vulnerabilities - Yan Sun, University of Minnesota
Friday May 22, 2026 3:50pm - 4:20pm CDT
In recent years, the number of documented Linux kernel CVEs has increased substantially, following the kernel’s designation as an official CVE Numbering Authority in 2024. This transition improves access to ground-truth kernel CVEs and their corresponding patches, creating new opportunities for empirical studies of kernel vulnerabilities at scale.

To better understand the characteristics of kernel vulnerabilities, we collect vulnerability-fixing commits (VFCs) and vulnerability-inducing commits (VICs) associated with kernel CVEs over the past 10 years. We then perform a metrics-based analysis that examines function-level code metrics and developer attributes between VFCs and VICs.

This session presents features associated with VICs. In particular, we find that authors of VICs are generally less active and have lower code familiarity at the file, subdirectory, and kernel levels. In addition, we observe a higher representation of maintainers among VICs. The session also discusses vulnerability distributions across our CVE dataset. Finally, we outline how our research can inform bug discovery practices and support the development of vulnerability detection tools in the kernel.
Speakers

Yan Sun

Graduate Student, University of Minnesota
Yan is a master’s student in Computer Science at the University of Minnesota. She is interested in open-source development and improving security for open-source systems. Her current research focuses on characterizing vulnerability-inducing patterns in the Linux kernel, with the...
101A+B