From: dthaler1968@googlemail.com
To: "'David Vernet'" <void@manifault.com>
Cc: <bpf@ietf.org>, <bpf@vger.kernel.org>
Subject: RE: BPF ISA Security Considerations section
Date: Sun, 21 Apr 2024 10:20:24 -0700 [thread overview]
Message-ID: <109c01da9410$331ae880$9950b980$@gmail.com> (raw)
In-Reply-To: <20240421165134.GA9215@maniforge>
> -----Original Message-----
> From: David Vernet <void@manifault.com>
> Sent: Sunday, April 21, 2024 9:52 AM
> To: dthaler1968@googlemail.com
> Cc: bpf@ietf.org; bpf@vger.kernel.org
> Subject: Re: BPF ISA Security Considerations section
>
> On Sat, Apr 20, 2024 at 09:08:56AM -0700, dthaler1968@googlemail.com
wrote:
> > Per
> > https://authors.ietf.org/en/required-content#security-considerations,
> > the BPF ISA draft is required to have a Security Considerations
> > section before it can become an RFC.
> >
> > Below is strawman text that tries to strike a balance between
> > discussing security issues and solutions vs keeping details out of
> > scope that belong in other documents like the "verifier expectations
> > and building blocks for allowing safe execution of untrusted BPF
> > programs" document that is a separate item on the IETF WG charter.
> >
> > Proposed text:
>
> Hi Dave,
>
> Thanks for writing this up. Overall it looks great, just had one comment
below.
>
> > > Security Considerations
> > >
> > > BPF programs could use BPF instructions to do malicious things with
> > > memory, CPU, networking, or other system resources. This is not
> > > fundamentally different from any other type of software that may
> > > run on a device. Execution environments should be carefully designed
> > > to only run BPF programs that are trusted or verified, and
> > > sandboxing and privilege level separation are key strategies for
> > > limiting security and abuse impact. For example, BPF verifiers are
> > > well-known and widely deployed and are responsible for ensuring that
> > > BPF programs will terminate within a reasonable time, only interact
> > > with memory in safe ways, and adhere to platform-specified API
> > > contracts. The details are out of scope of this document (but see
> > > [LINUX] and [PREVAIL]), but this level of verification can often
> > > provide a stronger level of security assurance than for other
> > > software and operating system code.
> > >
> > > Executing programs using the BPF instruction set also requires
> > > either an interpreter or a JIT compiler to translate them to
> > > hardware processor native instructions. In general, interpreters are
> > > considered a source of insecurity (e.g., gadgets susceptible to
> > > side-channel attacks due to speculative execution) and are not
> > > recommended.
>
> Do we need to say that it's not recommended to use JIT engines? Given that
this is
> explaining how BPF programs are executed, to me it reads a bit as saying,
"It's not
> recommended to use BPF." Is it not sufficient to just explain the risks?
It says it's not recommended to use interpreters.
I couldn't tell if your comment was a typo, did you mean interpreters or JIT
engines?
It should read as saying it's recommended to use a JIT engine rather than an
interpreter.
Do you have a suggested alternate wording?
Dave
WARNING: multiple messages have this Message-ID (diff)
From: dthaler1968=40googlemail.com@dmarc.ietf.org
To: "'David Vernet'" <void@manifault.com>
Cc: <bpf@ietf.org>, <bpf@vger.kernel.org>
Subject: Re: [Bpf] BPF ISA Security Considerations section
Date: Sun, 21 Apr 2024 10:20:24 -0700 [thread overview]
Message-ID: <109c01da9410$331ae880$9950b980$@gmail.com> (raw)
Message-ID: <20240421172024._7iHoiB6qjRGTg2OdE51qdT_TN15HJs7-ix67zHa9X8@z> (raw)
In-Reply-To: <20240421165134.GA9215@maniforge>
> -----Original Message-----
> From: David Vernet <void@manifault.com>
> Sent: Sunday, April 21, 2024 9:52 AM
> To: dthaler1968@googlemail.com
> Cc: bpf@ietf.org; bpf@vger.kernel.org
> Subject: Re: BPF ISA Security Considerations section
>
> On Sat, Apr 20, 2024 at 09:08:56AM -0700, dthaler1968@googlemail.com
wrote:
> > Per
> > https://authors.ietf.org/en/required-content#security-considerations,
> > the BPF ISA draft is required to have a Security Considerations
> > section before it can become an RFC.
> >
> > Below is strawman text that tries to strike a balance between
> > discussing security issues and solutions vs keeping details out of
> > scope that belong in other documents like the "verifier expectations
> > and building blocks for allowing safe execution of untrusted BPF
> > programs" document that is a separate item on the IETF WG charter.
> >
> > Proposed text:
>
> Hi Dave,
>
> Thanks for writing this up. Overall it looks great, just had one comment
below.
>
> > > Security Considerations
> > >
> > > BPF programs could use BPF instructions to do malicious things with
> > > memory, CPU, networking, or other system resources. This is not
> > > fundamentally different from any other type of software that may
> > > run on a device. Execution environments should be carefully designed
> > > to only run BPF programs that are trusted or verified, and
> > > sandboxing and privilege level separation are key strategies for
> > > limiting security and abuse impact. For example, BPF verifiers are
> > > well-known and widely deployed and are responsible for ensuring that
> > > BPF programs will terminate within a reasonable time, only interact
> > > with memory in safe ways, and adhere to platform-specified API
> > > contracts. The details are out of scope of this document (but see
> > > [LINUX] and [PREVAIL]), but this level of verification can often
> > > provide a stronger level of security assurance than for other
> > > software and operating system code.
> > >
> > > Executing programs using the BPF instruction set also requires
> > > either an interpreter or a JIT compiler to translate them to
> > > hardware processor native instructions. In general, interpreters are
> > > considered a source of insecurity (e.g., gadgets susceptible to
> > > side-channel attacks due to speculative execution) and are not
> > > recommended.
>
> Do we need to say that it's not recommended to use JIT engines? Given that
this is
> explaining how BPF programs are executed, to me it reads a bit as saying,
"It's not
> recommended to use BPF." Is it not sufficient to just explain the risks?
It says it's not recommended to use interpreters.
I couldn't tell if your comment was a typo, did you mean interpreters or JIT
engines?
It should read as saying it's recommended to use a JIT engine rather than an
interpreter.
Do you have a suggested alternate wording?
Dave
--
Bpf mailing list
Bpf@ietf.org
https://www.ietf.org/mailman/listinfo/bpf
next prev parent reply other threads:[~2024-04-21 17:20 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-20 16:08 BPF ISA Security Considerations section dthaler1968
2024-04-20 16:08 ` [Bpf] " dthaler1968=40googlemail.com
2024-04-21 16:51 ` David Vernet
2024-04-21 16:51 ` [Bpf] " David Vernet
2024-04-21 17:20 ` dthaler1968 [this message]
2024-04-21 17:20 ` dthaler1968=40googlemail.com
2024-04-22 18:37 ` dthaler1968
2024-04-22 18:37 ` [Bpf] " dthaler1968=40googlemail.com
2024-04-22 18:49 ` Watson Ladd
2024-04-22 18:49 ` Watson Ladd
2024-04-22 19:34 ` David Vernet
2024-04-22 19:34 ` [Bpf] " David Vernet
2024-04-22 20:26 ` dthaler1968
2024-04-22 20:26 ` [Bpf] " dthaler1968=40googlemail.com
2024-04-22 20:32 ` dthaler1968
2024-04-22 20:32 ` [Bpf] " dthaler1968=40googlemail.com
2024-04-23 0:19 ` Watson Ladd
2024-04-23 0:19 ` Watson Ladd
2024-04-23 16:00 ` [EXTERNAL] " Alan Jowett
2024-04-23 16:00 ` [Bpf] [EXTERNAL] " Alan Jowett
2024-04-23 17:59 ` [Bpf] " dthaler1968
2024-04-23 17:59 ` dthaler1968=40googlemail.com
2024-04-23 19:59 ` David Vernet
2024-04-23 19:59 ` David Vernet
2024-04-22 19:01 ` Watson Ladd
2024-04-22 19:01 ` Watson Ladd
2024-04-22 19:05 ` dthaler1968
2024-04-22 19:05 ` dthaler1968=40googlemail.com
2024-04-23 1:01 ` Watson Ladd
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='109c01da9410$331ae880$9950b980$@gmail.com' \
--to=dthaler1968@googlemail.com \
--cc=bpf@ietf.org \
--cc=bpf@vger.kernel.org \
--cc=void@manifault.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox