The fuzzy tale of an x/crypto vulnerability Michael McLoughlin Gophercon 2019 Lightning Talks Uber Advanced Technologies Group 8,140 lines of amd64 assembly in crypto 10,474 lines of amd64 assembly

signing and validation − Identity integration and role-based access control − Security and vulnerability analysis − Image replication between instances − Internationalization (currently English and Architecture 13 13 API Routing Core Service (API/Auth/GUI) Image Registry Trusted Content Vulnerability Scanning Job Service Admin Service Harbor components 3rd party components SQL Database Key/Value Image is pulled using digest • Perform vulnerability scanning – Prevent images with vulnerabilities from being pulled – Regular scanning based on updated vulnerability database 23 Content trust for image

RBAC: admin, developer, guest – AD/LDAP integration • Policy based image replication • Vulnerability Scanning • Notary • Web UI • Audit and logs • Restful API for integration • Lightweight and easy Replication Job Services Notary client Remote Harbor Instance Notary Registry V2 Vulnerability Scanning Admin Service Harbor users and partners (selected) 12 Image replication (synchronization) Image is pulled using digest • Perform vulnerability scanning – Prevent images with vulnerabilities from being pulled – Regular scanning based on updated vulnerability database 21 Content trust for image

Harbor���� 6 x x Agenda 7 Confidential � ©2018 VMware, Inc. • Isolation • Access Control • Vulnerability • Content Trust • Replication • Control Policy SECURITY DISTRIBUTION RELIABILITY DEPLOYMENT Harbor�� API Routing Core Service (API/Auth/GUI) Image Registry Trusted Content Vulnerability Scanning Job Service Admin Service Harbor components 3rd party components SQL Database Key/Value Confidential � ©2018 VMware, Inc. SECURITY Isolation Access control Content Trust Vulnerability Scanning ���� NS �� ���� �� • ���������NS • ��������� • ������� • �������� ���� ���� ����

Harbor���� 6 x x Agenda 7 Confidential � ©2018 VMware, Inc. • Isolation • Access Control • Vulnerability • Content Trust • Replication • Control Policy SECURITY DISTRIBUTION RELIABILITY DEPLOYMENT Harbor�� API Routing Core Service (API/Auth/GUI) Image Registry Trusted Content Vulnerability Scanning Job Service Admin Service Harbor components 3rd party components SQL Database Key/Value Confidential � ©2018 VMware, Inc. SECURITY Isolation Access control Content Trust Vulnerability Scanning ���� NS �� ���� �� • ���������NS • ��������� • ������� • �������� ���� ���� ����

Based on content trust • Based on vulnerability • Based on RBAC Main Features （ Cont. ） 7 Vulnerability Scanning • Kinds of scanning policies • Elaborate scanning report Content Trust • Digital signature API Routing API Routing Core Service (API/Auth/GUI) Image Registry Trusted Content Vulnerability Scanning Job Service Admin Service Harbor components 3rd party components SQL Database Key/Value

capabilities to compress, migrate, or swap out those pages. User-Mode Module • Memory scanning triggers memory page scanning and collects results. • Hot and cold tiering classifies memory access results into Technical White Paper Innovation Projects CVE Manager Infrastructure SIG | Security Committee Vulnerability management integrates processes, tools, and mechanisms of the openEuler community to detect, collect The vulnerability response process is available across the openEuler LTS and its branch versions. See the following flowchart. Vulnerability Handling Process Disclosure scope SC Vulnerability status

:3000 info: (yuidoc): Starting YUIDoc@0.3.45 using YUI@3.9.1 with NodeJS@0.10.15 info: (yuidoc): Scanning for yuidoc.json file. info: (yuidoc): Starting YUIDoc with the following options: info: (yuidoc): (yuidoc): { port: 3000, nocode: false, paths: [ '.' ], server: true, outdir: './out' } info: (yuidoc): Scanning for yuidoc.json file. info: (server): Starting server: http://127.0.0.1:3000 and browse http://127 Documentation, Release 6.5.1 5.22 6.1.5 6.1.5 is a security release, fixing one vulnerability: • Fix open redirect vulnerability GHSA-c7vm-f5p4-8fqh (CVE to be assigned) 5.23 6.1.4 • Fix broken links to

:3000 info: (yuidoc): Starting YUIDoc@0.3.45 using YUI@3.9.1 with NodeJS@0.10.15 info: (yuidoc): Scanning for yuidoc.json file. info: (yuidoc): Starting YUIDoc with the following options: info: (yuidoc): (yuidoc): { port: 3000, nocode: false, paths: [ '.' ], server: true, outdir: './out' } info: (yuidoc): Scanning for yuidoc.json file. info: (server): Starting server: http://127.0.0.1:3000 and browse http://127 @kevin-bates • @virejdasani 5.21 6.1.5 6.1.5 is a security release, fixing one vulnerability: • Fix open redirect vulnerability GHSA-c7vm-f5p4-8fqh (CVE to be assigned) 5.22 6.1.4 • Fix broken links to

:3000 info: (yuidoc): Starting YUIDoc@0.3.45 using YUI@3.9.1 with NodeJS@0.10.15 info: (yuidoc): Scanning for yuidoc.json file. info: (yuidoc): Starting YUIDoc with the following options: info: (yuidoc): (yuidoc): { port: 3000, nocode: false, paths: [ '.' ], server: true, outdir: './out' } info: (yuidoc): Scanning for yuidoc.json file. info: (server): Starting server: http://127.0.0.1:3000 and browse http://127 @kevin-bates • @virejdasani 5.15 6.1.5 6.1.5 is a security release, fixing one vulnerability: • Fix open redirect vulnerability GHSA-c7vm-f5p4-8fqh (CVE to be assigned) 5.16 6.1.4 • Fix broken links to