From: David Vernet <void@manifault.com>
To: dthaler1968@googlemail.com
Cc: 'Watson Ladd' <watsonbladd@gmail.com>,
'Alan Jowett' <Alan.Jowett@microsoft.com>,
bpf@ietf.org, bpf@vger.kernel.org
Subject: Re: [Bpf] BPF ISA Security Considerations section
Date: Tue, 23 Apr 2024 14:59:09 -0500 [thread overview]
Message-ID: <20240423195909.GA89547@maniforge> (raw)
In-Reply-To: <1b5f01da95a7$f1a684b0$d4f38e10$@gmail.com>
[-- Attachment #1: Type: text/plain, Size: 3186 bytes --]
On Tue, Apr 23, 2024 at 10:59:09AM -0700, dthaler1968@googlemail.com wrote:
> Thanks Watson and Alan for continued feedback.
>
> Watson wrote:
> > But W^X mappings are for JIT (and avoidable by writing, then remapping and
> > executing), not interpreters.
>
> Removed W^X phrase.
>
> > How about we just say "Executing the program requires
> > an interpreter or JIT compiler in the same memory space as the system being
> > probed or extended.
>
> Execution does not require that the interpreter or JIT compiler is in the same
> memory space, even if that is the most common implementation. (And Alan's
> point also applies here that compilation might or might not be JIT per se.)
>
> Below is the latest strawman after taking the latest feedback into account...
>
> -Dave
>
>
> Security Considerations
> =======================
>
> BPF programs could use BPF instructions to do malicious things with memory, CPU, networking,
> or other system resources. This is not fundamentally different from any other type of
> software that may run on a device. Execution environments should be carefully designed
> to only run BPF programs that are trusted and verified, and sandboxing and privilege level
> separation are key strategies for limiting security and abuse impact. For example, BPF
> verifiers are well-known and widely deployed and are responsible for ensuring that BPF programs
> will terminate within a reasonable time, only interact with memory in safe ways, and adhere to
> platform-specified API contracts. This level of verification can often provide a stronger level
> of security assurance than for other software and operating system code.
> While the details are out of scope of this document,
> `Linux <https://www.kernel.org/doc/html/latest/bpf/verifier.html>`_ and
> `PREVAIL <https://pldi19.sigplan.org/details/pldi-2019-papers/44/Simple-and-Precise-Static-Analysis-of-Untrusted-Linux-K Kernel-Extensions>`_ do provide many details. Future IETF work will document verifier expectations
> and building blocks for allowing safe execution of untrusted BPF programs.
>
> Executing programs using the BPF instruction set also requires either an interpreter or a compiler
> to translate them to hardware processor native instructions. In general, interpreters are considered a
> source of insecurity (e.g., gadgets susceptible to side-channel attacks due to speculative execution)
> whenever one is used in the same memory address space as data with confidentiality
> concerns. As such, use of a compiler is recommended instead. Compilers should be audited
> carefully for vulnerabilities to ensure that compilation of a trusted and verified BPF program
> to native processor instructions does not introduce vulnerabilities.
>
> Exposing functionality via BPF extends the interface between the component executing the BPF program and the
> component submitting it. Careful consideration of what functionality is exposed and how
> that impacts the security properties desired is required.
LGTM
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
WARNING: multiple messages have this Message-ID (diff)
From: David Vernet <void@manifault.com>
To: dthaler1968@googlemail.com
Cc: 'Watson Ladd' <watsonbladd@gmail.com>,
'Alan Jowett' <Alan.Jowett@microsoft.com>,
bpf@ietf.org, bpf@vger.kernel.org
Subject: Re: [Bpf] BPF ISA Security Considerations section
Date: Tue, 23 Apr 2024 14:59:09 -0500 [thread overview]
Message-ID: <20240423195909.GA89547@maniforge> (raw)
Message-ID: <20240423195909.CR4JgdTu3VmEO30DKlkzPWCmIQESzjC3YVVBXWs9onc@z> (raw)
In-Reply-To: <1b5f01da95a7$f1a684b0$d4f38e10$@gmail.com>
[-- Attachment #1.1: Type: text/plain, Size: 3186 bytes --]
On Tue, Apr 23, 2024 at 10:59:09AM -0700, dthaler1968@googlemail.com wrote:
> Thanks Watson and Alan for continued feedback.
>
> Watson wrote:
> > But W^X mappings are for JIT (and avoidable by writing, then remapping and
> > executing), not interpreters.
>
> Removed W^X phrase.
>
> > How about we just say "Executing the program requires
> > an interpreter or JIT compiler in the same memory space as the system being
> > probed or extended.
>
> Execution does not require that the interpreter or JIT compiler is in the same
> memory space, even if that is the most common implementation. (And Alan's
> point also applies here that compilation might or might not be JIT per se.)
>
> Below is the latest strawman after taking the latest feedback into account...
>
> -Dave
>
>
> Security Considerations
> =======================
>
> BPF programs could use BPF instructions to do malicious things with memory, CPU, networking,
> or other system resources. This is not fundamentally different from any other type of
> software that may run on a device. Execution environments should be carefully designed
> to only run BPF programs that are trusted and verified, and sandboxing and privilege level
> separation are key strategies for limiting security and abuse impact. For example, BPF
> verifiers are well-known and widely deployed and are responsible for ensuring that BPF programs
> will terminate within a reasonable time, only interact with memory in safe ways, and adhere to
> platform-specified API contracts. This level of verification can often provide a stronger level
> of security assurance than for other software and operating system code.
> While the details are out of scope of this document,
> `Linux <https://www.kernel.org/doc/html/latest/bpf/verifier.html>`_ and
> `PREVAIL <https://pldi19.sigplan.org/details/pldi-2019-papers/44/Simple-and-Precise-Static-Analysis-of-Untrusted-Linux-K Kernel-Extensions>`_ do provide many details. Future IETF work will document verifier expectations
> and building blocks for allowing safe execution of untrusted BPF programs.
>
> Executing programs using the BPF instruction set also requires either an interpreter or a compiler
> to translate them to hardware processor native instructions. In general, interpreters are considered a
> source of insecurity (e.g., gadgets susceptible to side-channel attacks due to speculative execution)
> whenever one is used in the same memory address space as data with confidentiality
> concerns. As such, use of a compiler is recommended instead. Compilers should be audited
> carefully for vulnerabilities to ensure that compilation of a trusted and verified BPF program
> to native processor instructions does not introduce vulnerabilities.
>
> Exposing functionality via BPF extends the interface between the component executing the BPF program and the
> component submitting it. Careful consideration of what functionality is exposed and how
> that impacts the security properties desired is required.
LGTM
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
[-- Attachment #2: Type: text/plain, Size: 76 bytes --]
--
Bpf mailing list
Bpf@ietf.org
https://www.ietf.org/mailman/listinfo/bpf
next prev parent reply other threads:[~2024-04-23 19:59 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-20 16:08 BPF ISA Security Considerations section dthaler1968
2024-04-20 16:08 ` [Bpf] " dthaler1968=40googlemail.com
2024-04-21 16:51 ` David Vernet
2024-04-21 16:51 ` [Bpf] " David Vernet
2024-04-21 17:20 ` dthaler1968
2024-04-21 17:20 ` [Bpf] " dthaler1968=40googlemail.com
2024-04-22 18:37 ` dthaler1968
2024-04-22 18:37 ` [Bpf] " dthaler1968=40googlemail.com
2024-04-22 18:49 ` Watson Ladd
2024-04-22 18:49 ` Watson Ladd
2024-04-22 19:34 ` David Vernet
2024-04-22 19:34 ` [Bpf] " David Vernet
2024-04-22 20:26 ` dthaler1968
2024-04-22 20:26 ` [Bpf] " dthaler1968=40googlemail.com
2024-04-22 20:32 ` dthaler1968
2024-04-22 20:32 ` [Bpf] " dthaler1968=40googlemail.com
2024-04-23 0:19 ` Watson Ladd
2024-04-23 0:19 ` Watson Ladd
2024-04-23 16:00 ` [EXTERNAL] " Alan Jowett
2024-04-23 16:00 ` [Bpf] [EXTERNAL] " Alan Jowett
2024-04-23 17:59 ` [Bpf] " dthaler1968
2024-04-23 17:59 ` dthaler1968=40googlemail.com
2024-04-23 19:59 ` David Vernet [this message]
2024-04-23 19:59 ` David Vernet
2024-04-22 19:01 ` Watson Ladd
2024-04-22 19:01 ` Watson Ladd
2024-04-22 19:05 ` dthaler1968
2024-04-22 19:05 ` dthaler1968=40googlemail.com
2024-04-23 1:01 ` Watson Ladd
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240423195909.GA89547@maniforge \
--to=void@manifault.com \
--cc=Alan.Jowett@microsoft.com \
--cc=bpf@ietf.org \
--cc=bpf@vger.kernel.org \
--cc=dthaler1968@googlemail.com \
--cc=watsonbladd@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.