* BPF ISA Security Considerations section
@ 2024-04-20 16:08 dthaler1968
2024-04-20 16:08 ` [Bpf] " dthaler1968=40googlemail.com
` (2 more replies)
0 siblings, 3 replies; 29+ messages in thread
From: dthaler1968 @ 2024-04-20 16:08 UTC (permalink / raw)
To: bpf, bpf
Per https://authors.ietf.org/en/required-content#security-considerations,
the BPF ISA draft is required to have a Security Considerations section
before
it can become an RFC.
Below is strawman text that tries to strike a balance between discussing
security issues and solutions vs keeping details out of scope that belong in
other
documents like the "verifier expectations and building blocks for allowing
safe
execution of untrusted BPF programs" document that is a separate item on the
IETF WG charter.
Proposed text:
> Security Considerations
>
> BPF programs could use BPF instructions to do malicious things with
memory,
> CPU, networking, or other system resources. This is not fundamentally
different
> from any other type of software that may run on a device. Execution
environments
> should be carefully designed to only run BPF programs that are trusted or
verified,
> and sandboxing and privilege level separation are key strategies for
limiting
> security and abuse impact. For example, BPF verifiers are well-known and
widely
> deployed and are responsible for ensuring that BPF programs will terminate
> within a reasonable time, only interact with memory in safe ways, and
adhere to
> platform-specified API contracts. The details are out of scope of this
document
> (but see [LINUX] and [PREVAIL]), but this level of verification can often
provide a
> stronger level of security assurance than for other software and operating
system
> code.
>
> Executing programs using the BPF instruction set also requires either an
interpreter
> or a JIT compiler to translate them to hardware processor native
instructions. In
> general, interpreters are considered a source of insecurity (e.g., gadgets
susceptible
> to side-channel attacks due to speculative execution) and are not
recommended.
>
> Informative References:
>
> [LINUX] "eBPF verifier",
https://www.kernel.org/doc/html/latest/bpf/verifier.html
>
> [PREVAIL] Elazar Gershuni, Nadav Amit, Arie Gurfinkel, Nina Narodytska,
Jorge
> A. Navas, Noam Rinetzky, Leonid Ryzhyk, and Mooly Sagiv. "Simple and
Precise
> Static Analysis of Untrusted Linux Kernel Extensions." In Proceedings
of the 40th
> ACM SIGPLAN Conference on Programming Language Design and
Implementation,
> pp. 1069-1084. 2019.
>
https://pldi19.sigplan.org/details/pldi-2019-papers/44/Simple-and-Precise-St
atic-Analysis-of-Untrusted-Linux-Kernel-Extensions
Dave
^ permalink raw reply [flat|nested] 29+ messages in thread* [Bpf] BPF ISA Security Considerations section 2024-04-20 16:08 BPF ISA Security Considerations section dthaler1968 @ 2024-04-20 16:08 ` dthaler1968=40googlemail.com 2024-04-21 16:51 ` David Vernet 2024-04-22 19:01 ` Watson Ladd 2 siblings, 0 replies; 29+ messages in thread From: dthaler1968=40googlemail.com @ 2024-04-20 16:08 UTC (permalink / raw) To: bpf, bpf Per https://authors.ietf.org/en/required-content#security-considerations, the BPF ISA draft is required to have a Security Considerations section before it can become an RFC. Below is strawman text that tries to strike a balance between discussing security issues and solutions vs keeping details out of scope that belong in other documents like the "verifier expectations and building blocks for allowing safe execution of untrusted BPF programs" document that is a separate item on the IETF WG charter. Proposed text: > Security Considerations > > BPF programs could use BPF instructions to do malicious things with memory, > CPU, networking, or other system resources. This is not fundamentally different > from any other type of software that may run on a device. Execution environments > should be carefully designed to only run BPF programs that are trusted or verified, > and sandboxing and privilege level separation are key strategies for limiting > security and abuse impact. For example, BPF verifiers are well-known and widely > deployed and are responsible for ensuring that BPF programs will terminate > within a reasonable time, only interact with memory in safe ways, and adhere to > platform-specified API contracts. The details are out of scope of this document > (but see [LINUX] and [PREVAIL]), but this level of verification can often provide a > stronger level of security assurance than for other software and operating system > code. > > Executing programs using the BPF instruction set also requires either an interpreter > or a JIT compiler to translate them to hardware processor native instructions. In > general, interpreters are considered a source of insecurity (e.g., gadgets susceptible > to side-channel attacks due to speculative execution) and are not recommended. > > Informative References: > > [LINUX] "eBPF verifier", https://www.kernel.org/doc/html/latest/bpf/verifier.html > > [PREVAIL] Elazar Gershuni, Nadav Amit, Arie Gurfinkel, Nina Narodytska, Jorge > A. Navas, Noam Rinetzky, Leonid Ryzhyk, and Mooly Sagiv. "Simple and Precise > Static Analysis of Untrusted Linux Kernel Extensions." In Proceedings of the 40th > ACM SIGPLAN Conference on Programming Language Design and Implementation, > pp. 1069-1084. 2019. > https://pldi19.sigplan.org/details/pldi-2019-papers/44/Simple-and-Precise-St atic-Analysis-of-Untrusted-Linux-Kernel-Extensions Dave -- Bpf mailing list Bpf@ietf.org https://www.ietf.org/mailman/listinfo/bpf ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: BPF ISA Security Considerations section 2024-04-20 16:08 BPF ISA Security Considerations section dthaler1968 2024-04-20 16:08 ` [Bpf] " dthaler1968=40googlemail.com @ 2024-04-21 16:51 ` David Vernet 2024-04-21 16:51 ` [Bpf] " David Vernet 2024-04-21 17:20 ` dthaler1968 2024-04-22 19:01 ` Watson Ladd 2 siblings, 2 replies; 29+ messages in thread From: David Vernet @ 2024-04-21 16:51 UTC (permalink / raw) To: dthaler1968; +Cc: bpf, bpf [-- Attachment #1: Type: text/plain, Size: 2356 bytes --] On Sat, Apr 20, 2024 at 09:08:56AM -0700, dthaler1968@googlemail.com wrote: > Per > https://authors.ietf.org/en/required-content#security-considerations, > the BPF ISA draft is required to have a Security Considerations > section before it can become an RFC. > > Below is strawman text that tries to strike a balance between > discussing security issues and solutions vs keeping details out of > scope that belong in other documents like the "verifier expectations > and building blocks for allowing safe execution of untrusted BPF > programs" document that is a separate item on the IETF WG charter. > > Proposed text: Hi Dave, Thanks for writing this up. Overall it looks great, just had one comment below. > > Security Considerations > > > > BPF programs could use BPF instructions to do malicious things with > > memory, CPU, networking, or other system resources. This is not > > fundamentally different from any other type of software that may run on a device. Execution > > environments should be carefully designed to only run BPF programs > > that are trusted or verified, and sandboxing and privilege level > > separation are key strategies for limiting security and abuse > > impact. For example, BPF verifiers are well-known and widely > > deployed and are responsible for ensuring that BPF programs will > > terminate within a reasonable time, only interact with memory in > > safe ways, and adhere to platform-specified API contracts. The > > details are out of scope of this document (but see [LINUX] and > > [PREVAIL]), but this level of verification can often provide a > > stronger level of security assurance than for other software and > > operating system code. > > > > Executing programs using the BPF instruction set also requires > > either an interpreter or a JIT compiler to translate them to > > hardware processor native instructions. In general, interpreters are > > considered a source of insecurity (e.g., gadgets susceptible to > > side-channel attacks due to speculative execution) and are not > > recommended. Do we need to say that it's not recommended to use JIT engines? Given that this is explaining how BPF programs are executed, to me it reads a bit as saying, "It's not recommended to use BPF." Is it not sufficient to just explain the risks? Thanks, David [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 228 bytes --] ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [Bpf] BPF ISA Security Considerations section 2024-04-21 16:51 ` David Vernet @ 2024-04-21 16:51 ` David Vernet 2024-04-21 17:20 ` dthaler1968 1 sibling, 0 replies; 29+ messages in thread From: David Vernet @ 2024-04-21 16:51 UTC (permalink / raw) To: dthaler1968; +Cc: bpf, bpf [-- Attachment #1.1: Type: text/plain, Size: 2356 bytes --] On Sat, Apr 20, 2024 at 09:08:56AM -0700, dthaler1968@googlemail.com wrote: > Per > https://authors.ietf.org/en/required-content#security-considerations, > the BPF ISA draft is required to have a Security Considerations > section before it can become an RFC. > > Below is strawman text that tries to strike a balance between > discussing security issues and solutions vs keeping details out of > scope that belong in other documents like the "verifier expectations > and building blocks for allowing safe execution of untrusted BPF > programs" document that is a separate item on the IETF WG charter. > > Proposed text: Hi Dave, Thanks for writing this up. Overall it looks great, just had one comment below. > > Security Considerations > > > > BPF programs could use BPF instructions to do malicious things with > > memory, CPU, networking, or other system resources. This is not > > fundamentally different from any other type of software that may run on a device. Execution > > environments should be carefully designed to only run BPF programs > > that are trusted or verified, and sandboxing and privilege level > > separation are key strategies for limiting security and abuse > > impact. For example, BPF verifiers are well-known and widely > > deployed and are responsible for ensuring that BPF programs will > > terminate within a reasonable time, only interact with memory in > > safe ways, and adhere to platform-specified API contracts. The > > details are out of scope of this document (but see [LINUX] and > > [PREVAIL]), but this level of verification can often provide a > > stronger level of security assurance than for other software and > > operating system code. > > > > Executing programs using the BPF instruction set also requires > > either an interpreter or a JIT compiler to translate them to > > hardware processor native instructions. In general, interpreters are > > considered a source of insecurity (e.g., gadgets susceptible to > > side-channel attacks due to speculative execution) and are not > > recommended. Do we need to say that it's not recommended to use JIT engines? Given that this is explaining how BPF programs are executed, to me it reads a bit as saying, "It's not recommended to use BPF." Is it not sufficient to just explain the risks? Thanks, David [-- Attachment #1.2: signature.asc --] [-- Type: application/pgp-signature, Size: 228 bytes --] [-- Attachment #2: Type: text/plain, Size: 76 bytes --] -- Bpf mailing list Bpf@ietf.org https://www.ietf.org/mailman/listinfo/bpf ^ permalink raw reply [flat|nested] 29+ messages in thread
* RE: BPF ISA Security Considerations section 2024-04-21 16:51 ` David Vernet 2024-04-21 16:51 ` [Bpf] " David Vernet @ 2024-04-21 17:20 ` dthaler1968 2024-04-21 17:20 ` [Bpf] " dthaler1968=40googlemail.com 2024-04-22 18:37 ` dthaler1968 1 sibling, 2 replies; 29+ messages in thread From: dthaler1968 @ 2024-04-21 17:20 UTC (permalink / raw) To: 'David Vernet'; +Cc: bpf, bpf > -----Original Message----- > From: David Vernet <void@manifault.com> > Sent: Sunday, April 21, 2024 9:52 AM > To: dthaler1968@googlemail.com > Cc: bpf@ietf.org; bpf@vger.kernel.org > Subject: Re: BPF ISA Security Considerations section > > On Sat, Apr 20, 2024 at 09:08:56AM -0700, dthaler1968@googlemail.com wrote: > > Per > > https://authors.ietf.org/en/required-content#security-considerations, > > the BPF ISA draft is required to have a Security Considerations > > section before it can become an RFC. > > > > Below is strawman text that tries to strike a balance between > > discussing security issues and solutions vs keeping details out of > > scope that belong in other documents like the "verifier expectations > > and building blocks for allowing safe execution of untrusted BPF > > programs" document that is a separate item on the IETF WG charter. > > > > Proposed text: > > Hi Dave, > > Thanks for writing this up. Overall it looks great, just had one comment below. > > > > Security Considerations > > > > > > BPF programs could use BPF instructions to do malicious things with > > > memory, CPU, networking, or other system resources. This is not > > > fundamentally different from any other type of software that may > > > run on a device. Execution environments should be carefully designed > > > to only run BPF programs that are trusted or verified, and > > > sandboxing and privilege level separation are key strategies for > > > limiting security and abuse impact. For example, BPF verifiers are > > > well-known and widely deployed and are responsible for ensuring that > > > BPF programs will terminate within a reasonable time, only interact > > > with memory in safe ways, and adhere to platform-specified API > > > contracts. The details are out of scope of this document (but see > > > [LINUX] and [PREVAIL]), but this level of verification can often > > > provide a stronger level of security assurance than for other > > > software and operating system code. > > > > > > Executing programs using the BPF instruction set also requires > > > either an interpreter or a JIT compiler to translate them to > > > hardware processor native instructions. In general, interpreters are > > > considered a source of insecurity (e.g., gadgets susceptible to > > > side-channel attacks due to speculative execution) and are not > > > recommended. > > Do we need to say that it's not recommended to use JIT engines? Given that this is > explaining how BPF programs are executed, to me it reads a bit as saying, "It's not > recommended to use BPF." Is it not sufficient to just explain the risks? It says it's not recommended to use interpreters. I couldn't tell if your comment was a typo, did you mean interpreters or JIT engines? It should read as saying it's recommended to use a JIT engine rather than an interpreter. Do you have a suggested alternate wording? Dave ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [Bpf] BPF ISA Security Considerations section 2024-04-21 17:20 ` dthaler1968 @ 2024-04-21 17:20 ` dthaler1968=40googlemail.com 2024-04-22 18:37 ` dthaler1968 1 sibling, 0 replies; 29+ messages in thread From: dthaler1968=40googlemail.com @ 2024-04-21 17:20 UTC (permalink / raw) To: 'David Vernet'; +Cc: bpf, bpf > -----Original Message----- > From: David Vernet <void@manifault.com> > Sent: Sunday, April 21, 2024 9:52 AM > To: dthaler1968@googlemail.com > Cc: bpf@ietf.org; bpf@vger.kernel.org > Subject: Re: BPF ISA Security Considerations section > > On Sat, Apr 20, 2024 at 09:08:56AM -0700, dthaler1968@googlemail.com wrote: > > Per > > https://authors.ietf.org/en/required-content#security-considerations, > > the BPF ISA draft is required to have a Security Considerations > > section before it can become an RFC. > > > > Below is strawman text that tries to strike a balance between > > discussing security issues and solutions vs keeping details out of > > scope that belong in other documents like the "verifier expectations > > and building blocks for allowing safe execution of untrusted BPF > > programs" document that is a separate item on the IETF WG charter. > > > > Proposed text: > > Hi Dave, > > Thanks for writing this up. Overall it looks great, just had one comment below. > > > > Security Considerations > > > > > > BPF programs could use BPF instructions to do malicious things with > > > memory, CPU, networking, or other system resources. This is not > > > fundamentally different from any other type of software that may > > > run on a device. Execution environments should be carefully designed > > > to only run BPF programs that are trusted or verified, and > > > sandboxing and privilege level separation are key strategies for > > > limiting security and abuse impact. For example, BPF verifiers are > > > well-known and widely deployed and are responsible for ensuring that > > > BPF programs will terminate within a reasonable time, only interact > > > with memory in safe ways, and adhere to platform-specified API > > > contracts. The details are out of scope of this document (but see > > > [LINUX] and [PREVAIL]), but this level of verification can often > > > provide a stronger level of security assurance than for other > > > software and operating system code. > > > > > > Executing programs using the BPF instruction set also requires > > > either an interpreter or a JIT compiler to translate them to > > > hardware processor native instructions. In general, interpreters are > > > considered a source of insecurity (e.g., gadgets susceptible to > > > side-channel attacks due to speculative execution) and are not > > > recommended. > > Do we need to say that it's not recommended to use JIT engines? Given that this is > explaining how BPF programs are executed, to me it reads a bit as saying, "It's not > recommended to use BPF." Is it not sufficient to just explain the risks? It says it's not recommended to use interpreters. I couldn't tell if your comment was a typo, did you mean interpreters or JIT engines? It should read as saying it's recommended to use a JIT engine rather than an interpreter. Do you have a suggested alternate wording? Dave -- Bpf mailing list Bpf@ietf.org https://www.ietf.org/mailman/listinfo/bpf ^ permalink raw reply [flat|nested] 29+ messages in thread
* RE: BPF ISA Security Considerations section 2024-04-21 17:20 ` dthaler1968 2024-04-21 17:20 ` [Bpf] " dthaler1968=40googlemail.com @ 2024-04-22 18:37 ` dthaler1968 2024-04-22 18:37 ` [Bpf] " dthaler1968=40googlemail.com ` (2 more replies) 1 sibling, 3 replies; 29+ messages in thread From: dthaler1968 @ 2024-04-22 18:37 UTC (permalink / raw) To: dthaler1968, 'David Vernet'; +Cc: bpf, bpf David Vernet <void@manifault.com> wrote: > > Thanks for writing this up. Overall it looks great, just had one > > comment > below. > > > > > > Security Considerations > > > > > > > > BPF programs could use BPF instructions to do malicious things > > > > with memory, CPU, networking, or other system resources. This is > > > > not fundamentally different from any other type of software that > > > > may run on a device. Execution environments should be carefully > > > > designed to only run BPF programs that are trusted or verified, > > > > and sandboxing and privilege level separation are key strategies > > > > for limiting security and abuse impact. For example, BPF verifiers > > > > are well-known and widely deployed and are responsible for > > > > ensuring that BPF programs will terminate within a reasonable > > > > time, only interact with memory in safe ways, and adhere to > > > > platform-specified API contracts. The details are out of scope of > > > > this document (but see [LINUX] and [PREVAIL]), but this level of > > > > verification can often provide a stronger level of security > > > > assurance than for other software and operating system code. > > > > > > > > Executing programs using the BPF instruction set also requires > > > > either an interpreter or a JIT compiler to translate them to > > > > hardware processor native instructions. In general, interpreters > > > > are considered a source of insecurity (e.g., gadgets susceptible > > > > to side-channel attacks due to speculative execution) and are not > > > > recommended. > > > > Do we need to say that it's not recommended to use JIT engines? Given > > that > this is > > explaining how BPF programs are executed, to me it reads a bit as > > saying, > "It's not > > recommended to use BPF." Is it not sufficient to just explain the risks? > > It says it's not recommended to use interpreters. > I couldn't tell if your comment was a typo, did you mean interpreters or JIT > engines? > It should read as saying it's recommended to use a JIT engine rather than an > interpreter. > > Do you have a suggested alternate wording? How about: OLD: In general, interpreters are considered a OLD: source of insecurity (e.g., gadgets susceptible to side-channel attacks due to speculative execution) OLD: and are not recommended. NEW: In general, interpreters are considered a NEW: source of insecurity (e.g., gadgets susceptible to side-channel attacks due to speculative execution) NEW: so use of a JIT compiler is recommended instead. Dave ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [Bpf] BPF ISA Security Considerations section 2024-04-22 18:37 ` dthaler1968 @ 2024-04-22 18:37 ` dthaler1968=40googlemail.com 2024-04-22 18:49 ` Watson Ladd 2024-04-22 19:34 ` David Vernet 2 siblings, 0 replies; 29+ messages in thread From: dthaler1968=40googlemail.com @ 2024-04-22 18:37 UTC (permalink / raw) To: dthaler1968, 'David Vernet'; +Cc: bpf, bpf David Vernet <void@manifault.com> wrote: > > Thanks for writing this up. Overall it looks great, just had one > > comment > below. > > > > > > Security Considerations > > > > > > > > BPF programs could use BPF instructions to do malicious things > > > > with memory, CPU, networking, or other system resources. This is > > > > not fundamentally different from any other type of software that > > > > may run on a device. Execution environments should be carefully > > > > designed to only run BPF programs that are trusted or verified, > > > > and sandboxing and privilege level separation are key strategies > > > > for limiting security and abuse impact. For example, BPF verifiers > > > > are well-known and widely deployed and are responsible for > > > > ensuring that BPF programs will terminate within a reasonable > > > > time, only interact with memory in safe ways, and adhere to > > > > platform-specified API contracts. The details are out of scope of > > > > this document (but see [LINUX] and [PREVAIL]), but this level of > > > > verification can often provide a stronger level of security > > > > assurance than for other software and operating system code. > > > > > > > > Executing programs using the BPF instruction set also requires > > > > either an interpreter or a JIT compiler to translate them to > > > > hardware processor native instructions. In general, interpreters > > > > are considered a source of insecurity (e.g., gadgets susceptible > > > > to side-channel attacks due to speculative execution) and are not > > > > recommended. > > > > Do we need to say that it's not recommended to use JIT engines? Given > > that > this is > > explaining how BPF programs are executed, to me it reads a bit as > > saying, > "It's not > > recommended to use BPF." Is it not sufficient to just explain the risks? > > It says it's not recommended to use interpreters. > I couldn't tell if your comment was a typo, did you mean interpreters or JIT > engines? > It should read as saying it's recommended to use a JIT engine rather than an > interpreter. > > Do you have a suggested alternate wording? How about: OLD: In general, interpreters are considered a OLD: source of insecurity (e.g., gadgets susceptible to side-channel attacks due to speculative execution) OLD: and are not recommended. NEW: In general, interpreters are considered a NEW: source of insecurity (e.g., gadgets susceptible to side-channel attacks due to speculative execution) NEW: so use of a JIT compiler is recommended instead. Dave -- Bpf mailing list Bpf@ietf.org https://www.ietf.org/mailman/listinfo/bpf ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [Bpf] BPF ISA Security Considerations section 2024-04-22 18:37 ` dthaler1968 2024-04-22 18:37 ` [Bpf] " dthaler1968=40googlemail.com @ 2024-04-22 18:49 ` Watson Ladd 2024-04-22 18:49 ` Watson Ladd 2024-04-22 19:34 ` David Vernet 2 siblings, 1 reply; 29+ messages in thread From: Watson Ladd @ 2024-04-22 18:49 UTC (permalink / raw) To: dthaler1968=40googlemail.com; +Cc: dthaler1968, David Vernet, bpf, bpf On Mon, Apr 22, 2024 at 11:38 AM <dthaler1968=40googlemail.com@dmarc.ietf.org> wrote: > > David Vernet <void@manifault.com> wrote: > > > Thanks for writing this up. Overall it looks great, just had one > > > comment > > below. > > > > > > > > Security Considerations > > > > > > > > > > BPF programs could use BPF instructions to do malicious things > > > > > with memory, CPU, networking, or other system resources. This is > > > > > not fundamentally different from any other type of software that > > > > > may run on a device. Execution environments should be carefully > > > > > designed to only run BPF programs that are trusted or verified, > > > > > and sandboxing and privilege level separation are key strategies > > > > > for limiting security and abuse impact. For example, BPF verifiers > > > > > are well-known and widely deployed and are responsible for > > > > > ensuring that BPF programs will terminate within a reasonable > > > > > time, only interact with memory in safe ways, and adhere to > > > > > platform-specified API contracts. The details are out of scope of > > > > > this document (but see [LINUX] and [PREVAIL]), but this level of > > > > > verification can often provide a stronger level of security > > > > > assurance than for other software and operating system code. > > > > > > > > > > Executing programs using the BPF instruction set also requires > > > > > either an interpreter or a JIT compiler to translate them to > > > > > hardware processor native instructions. In general, interpreters > > > > > are considered a source of insecurity (e.g., gadgets susceptible > > > > > to side-channel attacks due to speculative execution) and are not > > > > > recommended. > > > > > > Do we need to say that it's not recommended to use JIT engines? Given > > > that > > this is > > > explaining how BPF programs are executed, to me it reads a bit as > > > saying, > > "It's not > > > recommended to use BPF." Is it not sufficient to just explain the risks? > > > > It says it's not recommended to use interpreters. > > I couldn't tell if your comment was a typo, did you mean interpreters or > JIT > > engines? > > It should read as saying it's recommended to use a JIT engine rather than > an > > interpreter. > > > > Do you have a suggested alternate wording? > > How about: > > OLD: In general, interpreters are considered a > OLD: source of insecurity (e.g., gadgets susceptible to side-channel attacks > due to speculative execution) > OLD: and are not recommended. > > NEW: In general, interpreters are considered a > NEW: source of insecurity (e.g., gadgets susceptible to side-channel attacks > due to speculative execution) > NEW: so use of a JIT compiler is recommended instead. I am very confused about the substance of this recommendation. I've also got other comments, but will put those in separate reply. Simply put JITs aren't magic. Whether a bounds check is put in by a compiler or an interpreter executes it directly, it can still be speculatively bypassed. If anything JITs may simplify the matter compared to interpreters as the execution path maps more closely to the BPF executed, and the BPF will have tighter control of paths and layout if e.g. it is injecting branches to fool the CPU later. There's a wide range of execution technologies that go under the name JIT and interpreter, from threaded code to complete compilation to trace based compilation with bailouts to even more complex schemes. All of them have Specter issues. Sincerely, Watson Ladd > > Dave > > -- > Bpf mailing list > Bpf@ietf.org > https://www.ietf.org/mailman/listinfo/bpf -- Astra mortemque praestare gradatim ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [Bpf] BPF ISA Security Considerations section 2024-04-22 18:49 ` Watson Ladd @ 2024-04-22 18:49 ` Watson Ladd 0 siblings, 0 replies; 29+ messages in thread From: Watson Ladd @ 2024-04-22 18:49 UTC (permalink / raw) To: dthaler1968=40googlemail.com; +Cc: dthaler1968, David Vernet, bpf, bpf On Mon, Apr 22, 2024 at 11:38 AM <dthaler1968=40googlemail.com@dmarc.ietf.org> wrote: > > David Vernet <void@manifault.com> wrote: > > > Thanks for writing this up. Overall it looks great, just had one > > > comment > > below. > > > > > > > > Security Considerations > > > > > > > > > > BPF programs could use BPF instructions to do malicious things > > > > > with memory, CPU, networking, or other system resources. This is > > > > > not fundamentally different from any other type of software that > > > > > may run on a device. Execution environments should be carefully > > > > > designed to only run BPF programs that are trusted or verified, > > > > > and sandboxing and privilege level separation are key strategies > > > > > for limiting security and abuse impact. For example, BPF verifiers > > > > > are well-known and widely deployed and are responsible for > > > > > ensuring that BPF programs will terminate within a reasonable > > > > > time, only interact with memory in safe ways, and adhere to > > > > > platform-specified API contracts. The details are out of scope of > > > > > this document (but see [LINUX] and [PREVAIL]), but this level of > > > > > verification can often provide a stronger level of security > > > > > assurance than for other software and operating system code. > > > > > > > > > > Executing programs using the BPF instruction set also requires > > > > > either an interpreter or a JIT compiler to translate them to > > > > > hardware processor native instructions. In general, interpreters > > > > > are considered a source of insecurity (e.g., gadgets susceptible > > > > > to side-channel attacks due to speculative execution) and are not > > > > > recommended. > > > > > > Do we need to say that it's not recommended to use JIT engines? Given > > > that > > this is > > > explaining how BPF programs are executed, to me it reads a bit as > > > saying, > > "It's not > > > recommended to use BPF." Is it not sufficient to just explain the risks? > > > > It says it's not recommended to use interpreters. > > I couldn't tell if your comment was a typo, did you mean interpreters or > JIT > > engines? > > It should read as saying it's recommended to use a JIT engine rather than > an > > interpreter. > > > > Do you have a suggested alternate wording? > > How about: > > OLD: In general, interpreters are considered a > OLD: source of insecurity (e.g., gadgets susceptible to side-channel attacks > due to speculative execution) > OLD: and are not recommended. > > NEW: In general, interpreters are considered a > NEW: source of insecurity (e.g., gadgets susceptible to side-channel attacks > due to speculative execution) > NEW: so use of a JIT compiler is recommended instead. I am very confused about the substance of this recommendation. I've also got other comments, but will put those in separate reply. Simply put JITs aren't magic. Whether a bounds check is put in by a compiler or an interpreter executes it directly, it can still be speculatively bypassed. If anything JITs may simplify the matter compared to interpreters as the execution path maps more closely to the BPF executed, and the BPF will have tighter control of paths and layout if e.g. it is injecting branches to fool the CPU later. There's a wide range of execution technologies that go under the name JIT and interpreter, from threaded code to complete compilation to trace based compilation with bailouts to even more complex schemes. All of them have Specter issues. Sincerely, Watson Ladd > > Dave > > -- > Bpf mailing list > Bpf@ietf.org > https://www.ietf.org/mailman/listinfo/bpf -- Astra mortemque praestare gradatim -- Bpf mailing list Bpf@ietf.org https://www.ietf.org/mailman/listinfo/bpf ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: BPF ISA Security Considerations section 2024-04-22 18:37 ` dthaler1968 2024-04-22 18:37 ` [Bpf] " dthaler1968=40googlemail.com 2024-04-22 18:49 ` Watson Ladd @ 2024-04-22 19:34 ` David Vernet 2024-04-22 19:34 ` [Bpf] " David Vernet 2024-04-22 20:26 ` dthaler1968 2 siblings, 2 replies; 29+ messages in thread From: David Vernet @ 2024-04-22 19:34 UTC (permalink / raw) To: dthaler1968; +Cc: bpf, bpf [-- Attachment #1: Type: text/plain, Size: 3738 bytes --] On Mon, Apr 22, 2024 at 11:37:48AM -0700, dthaler1968@googlemail.com wrote: > David Vernet <void@manifault.com> wrote: > > > Thanks for writing this up. Overall it looks great, just had one > > > comment > > below. > > > > > > > > Security Considerations > > > > > > > > > > BPF programs could use BPF instructions to do malicious things > > > > > with memory, CPU, networking, or other system resources. This is > > > > > not fundamentally different from any other type of software that > > > > > may run on a device. Execution environments should be carefully > > > > > designed to only run BPF programs that are trusted or verified, > > > > > and sandboxing and privilege level separation are key strategies > > > > > for limiting security and abuse impact. For example, BPF verifiers > > > > > are well-known and widely deployed and are responsible for > > > > > ensuring that BPF programs will terminate within a reasonable > > > > > time, only interact with memory in safe ways, and adhere to > > > > > platform-specified API contracts. The details are out of scope of > > > > > this document (but see [LINUX] and [PREVAIL]), but this level of > > > > > verification can often provide a stronger level of security > > > > > assurance than for other software and operating system code. > > > > > > > > > > Executing programs using the BPF instruction set also requires > > > > > either an interpreter or a JIT compiler to translate them to > > > > > hardware processor native instructions. In general, interpreters > > > > > are considered a source of insecurity (e.g., gadgets susceptible > > > > > to side-channel attacks due to speculative execution) and are not > > > > > recommended. > > > > > > Do we need to say that it's not recommended to use JIT engines? > > > Given that this is explaining how BPF programs are executed, to me > > > it reads a bit as saying, "It's not recommended to use BPF." Is it > > > not sufficient to just explain the risks? > > > > It says it's not recommended to use interpreters. I couldn't tell > > if your comment was a typo, did you mean interpreters or JIT > > engines? It should read as saying it's recommended to use a JIT > > engine rather than an interpreter. Sorry, yes, I meant to say interpreters. What I really meant though is that discussing the safety of JIT engines vs. interpreters seems a bit out of scope for this Security Considerations section. It's not as though JIT is a foolproof method in and of itself. > > Do you have a suggested alternate wording? How about this: Executing programs using the BPF instruction set also requires either an interpreter or a JIT compiler to translate them to hardware processor native instructions. In general, interpreters and JIT engines can be a source of insecurity (e.g., gadgets susceptible to side-channel attacks due to speculative execution, or W^X mappings), and should be audited carefully for vulnerabilities. > How about: > > OLD: In general, interpreters are considered a > OLD: source of insecurity (e.g., gadgets susceptible to side-channel attacks > due to speculative execution) > OLD: and are not recommended. > > NEW: In general, interpreters are considered a > NEW: source of insecurity (e.g., gadgets susceptible to side-channel attacks > due to speculative execution) > NEW: so use of a JIT compiler is recommended instead. This is fine too. My only worry is that there have also been plenty of vulnerabilities exploited against JIT engines as well, so it might be more prudent to just warn the reader of the risks of interpreters/JITs in general as opposed to prescribing one over the other. What do you think? Thanks, David [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 228 bytes --] ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [Bpf] BPF ISA Security Considerations section 2024-04-22 19:34 ` David Vernet @ 2024-04-22 19:34 ` David Vernet 2024-04-22 20:26 ` dthaler1968 1 sibling, 0 replies; 29+ messages in thread From: David Vernet @ 2024-04-22 19:34 UTC (permalink / raw) To: dthaler1968; +Cc: bpf, bpf [-- Attachment #1.1: Type: text/plain, Size: 3738 bytes --] On Mon, Apr 22, 2024 at 11:37:48AM -0700, dthaler1968@googlemail.com wrote: > David Vernet <void@manifault.com> wrote: > > > Thanks for writing this up. Overall it looks great, just had one > > > comment > > below. > > > > > > > > Security Considerations > > > > > > > > > > BPF programs could use BPF instructions to do malicious things > > > > > with memory, CPU, networking, or other system resources. This is > > > > > not fundamentally different from any other type of software that > > > > > may run on a device. Execution environments should be carefully > > > > > designed to only run BPF programs that are trusted or verified, > > > > > and sandboxing and privilege level separation are key strategies > > > > > for limiting security and abuse impact. For example, BPF verifiers > > > > > are well-known and widely deployed and are responsible for > > > > > ensuring that BPF programs will terminate within a reasonable > > > > > time, only interact with memory in safe ways, and adhere to > > > > > platform-specified API contracts. The details are out of scope of > > > > > this document (but see [LINUX] and [PREVAIL]), but this level of > > > > > verification can often provide a stronger level of security > > > > > assurance than for other software and operating system code. > > > > > > > > > > Executing programs using the BPF instruction set also requires > > > > > either an interpreter or a JIT compiler to translate them to > > > > > hardware processor native instructions. In general, interpreters > > > > > are considered a source of insecurity (e.g., gadgets susceptible > > > > > to side-channel attacks due to speculative execution) and are not > > > > > recommended. > > > > > > Do we need to say that it's not recommended to use JIT engines? > > > Given that this is explaining how BPF programs are executed, to me > > > it reads a bit as saying, "It's not recommended to use BPF." Is it > > > not sufficient to just explain the risks? > > > > It says it's not recommended to use interpreters. I couldn't tell > > if your comment was a typo, did you mean interpreters or JIT > > engines? It should read as saying it's recommended to use a JIT > > engine rather than an interpreter. Sorry, yes, I meant to say interpreters. What I really meant though is that discussing the safety of JIT engines vs. interpreters seems a bit out of scope for this Security Considerations section. It's not as though JIT is a foolproof method in and of itself. > > Do you have a suggested alternate wording? How about this: Executing programs using the BPF instruction set also requires either an interpreter or a JIT compiler to translate them to hardware processor native instructions. In general, interpreters and JIT engines can be a source of insecurity (e.g., gadgets susceptible to side-channel attacks due to speculative execution, or W^X mappings), and should be audited carefully for vulnerabilities. > How about: > > OLD: In general, interpreters are considered a > OLD: source of insecurity (e.g., gadgets susceptible to side-channel attacks > due to speculative execution) > OLD: and are not recommended. > > NEW: In general, interpreters are considered a > NEW: source of insecurity (e.g., gadgets susceptible to side-channel attacks > due to speculative execution) > NEW: so use of a JIT compiler is recommended instead. This is fine too. My only worry is that there have also been plenty of vulnerabilities exploited against JIT engines as well, so it might be more prudent to just warn the reader of the risks of interpreters/JITs in general as opposed to prescribing one over the other. What do you think? Thanks, David [-- Attachment #1.2: signature.asc --] [-- Type: application/pgp-signature, Size: 228 bytes --] [-- Attachment #2: Type: text/plain, Size: 76 bytes --] -- Bpf mailing list Bpf@ietf.org https://www.ietf.org/mailman/listinfo/bpf ^ permalink raw reply [flat|nested] 29+ messages in thread
* RE: BPF ISA Security Considerations section 2024-04-22 19:34 ` David Vernet 2024-04-22 19:34 ` [Bpf] " David Vernet @ 2024-04-22 20:26 ` dthaler1968 2024-04-22 20:26 ` [Bpf] " dthaler1968=40googlemail.com 2024-04-22 20:32 ` dthaler1968 1 sibling, 2 replies; 29+ messages in thread From: dthaler1968 @ 2024-04-22 20:26 UTC (permalink / raw) To: 'David Vernet', dthaler1968; +Cc: bpf, bpf > -----Original Message----- > From: David Vernet <void@manifault.com> > Sent: Monday, April 22, 2024 12:35 PM > To: dthaler1968@googlemail.com > Cc: bpf@ietf.org; bpf@vger.kernel.org > Subject: Re: BPF ISA Security Considerations section > > On Mon, Apr 22, 2024 at 11:37:48AM -0700, dthaler1968@googlemail.com wrote: > > David Vernet <void@manifault.com> wrote: > > > > Thanks for writing this up. Overall it looks great, just had one > > > > comment > > > below. > > > > > > > > > > Security Considerations > > > > > > > > > > > > BPF programs could use BPF instructions to do malicious things > > > > > > with memory, CPU, networking, or other system resources. This > > > > > > is not fundamentally different from any other type of > > > > > > software that may run on a device. Execution environments > > > > > > should be carefully designed to only run BPF programs that are > > > > > > trusted or verified, and sandboxing and privilege level > > > > > > separation are key strategies for limiting security and abuse > > > > > > impact. For example, BPF verifiers are well-known and widely > > > > > > deployed and are responsible for ensuring that BPF programs > > > > > > will terminate within a reasonable time, only interact with > > > > > > memory in safe ways, and adhere to platform-specified API > > > > > > contracts. The details are out of scope of this document (but > > > > > > see [LINUX] and [PREVAIL]), but this level of verification can > > > > > > often provide a stronger level of security assurance than for other software > and operating system code. > > > > > > > > > > > > Executing programs using the BPF instruction set also requires > > > > > > either an interpreter or a JIT compiler to translate them to > > > > > > hardware processor native instructions. In general, > > > > > > interpreters are considered a source of insecurity (e.g., > > > > > > gadgets susceptible to side-channel attacks due to speculative > > > > > > execution) and are not recommended. > > > > > > > > Do we need to say that it's not recommended to use JIT engines? > > > > Given that this is explaining how BPF programs are executed, to me > > > > it reads a bit as saying, "It's not recommended to use BPF." Is it > > > > not sufficient to just explain the risks? > > > > > > It says it's not recommended to use interpreters. I couldn't tell > > > if your comment was a typo, did you mean interpreters or JIT > > > engines? It should read as saying it's recommended to use a JIT > > > engine rather than an interpreter. > > Sorry, yes, I meant to say interpreters. What I really meant though is that discussing > the safety of JIT engines vs. interpreters seems a bit out of scope for this Security > Considerations section. It's not as though JIT is a foolproof method in and of itself. > > > > Do you have a suggested alternate wording? > > How about this: > > Executing programs using the BPF instruction set also requires either an interpreter > or a JIT compiler to translate them to hardware processor native instructions. In > general, interpreters and JIT engines can be a source of insecurity (e.g., gadgets > susceptible to side-channel attacks due to speculative execution, or W^X mappings), > and should be audited carefully for vulnerabilities. I've had security researchers tell me that using an interpreter in the same address space as other confidential data is inherently a vulnerability, i.e., no one can prove that it's not a side channel attack waiting to happen and all evidence is that it cannot be protected. Only an interpreter in a separate address space from any secrets can be safe in that respect. So I believe just saying that interpreters "should be audited carefully for vulnerabilities" would not pass security muster by such folks. > > How about: > > > > OLD: In general, interpreters are considered a > > OLD: source of insecurity (e.g., gadgets susceptible to side-channel > > attacks due to speculative execution) > > OLD: and are not recommended. > > > > NEW: In general, interpreters are considered a > > NEW: source of insecurity (e.g., gadgets susceptible to side-channel > > attacks due to speculative execution) > > NEW: so use of a JIT compiler is recommended instead. > > This is fine too. My only worry is that there have also been plenty of vulnerabilities > exploited against JIT engines as well, so it might be more prudent to just warn the > reader of the risks of interpreters/JITs in general as opposed to prescribing one over > the other. > > What do you think? I think the "should be audited carefully for vulnerabilities" phrase would apply to JITs for sure. However it would also apply to any non-BPF code in a privileged context such as a kernel, so it would seem odd to call it out here and not in all other RFCs that would apply to kernel code (e.g., TCP/IP). But if others really want that, we could certainly say that. Dave ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [Bpf] BPF ISA Security Considerations section 2024-04-22 20:26 ` dthaler1968 @ 2024-04-22 20:26 ` dthaler1968=40googlemail.com 2024-04-22 20:32 ` dthaler1968 1 sibling, 0 replies; 29+ messages in thread From: dthaler1968=40googlemail.com @ 2024-04-22 20:26 UTC (permalink / raw) To: 'David Vernet', dthaler1968; +Cc: bpf, bpf > -----Original Message----- > From: David Vernet <void@manifault.com> > Sent: Monday, April 22, 2024 12:35 PM > To: dthaler1968@googlemail.com > Cc: bpf@ietf.org; bpf@vger.kernel.org > Subject: Re: BPF ISA Security Considerations section > > On Mon, Apr 22, 2024 at 11:37:48AM -0700, dthaler1968@googlemail.com wrote: > > David Vernet <void@manifault.com> wrote: > > > > Thanks for writing this up. Overall it looks great, just had one > > > > comment > > > below. > > > > > > > > > > Security Considerations > > > > > > > > > > > > BPF programs could use BPF instructions to do malicious things > > > > > > with memory, CPU, networking, or other system resources. This > > > > > > is not fundamentally different from any other type of > > > > > > software that may run on a device. Execution environments > > > > > > should be carefully designed to only run BPF programs that are > > > > > > trusted or verified, and sandboxing and privilege level > > > > > > separation are key strategies for limiting security and abuse > > > > > > impact. For example, BPF verifiers are well-known and widely > > > > > > deployed and are responsible for ensuring that BPF programs > > > > > > will terminate within a reasonable time, only interact with > > > > > > memory in safe ways, and adhere to platform-specified API > > > > > > contracts. The details are out of scope of this document (but > > > > > > see [LINUX] and [PREVAIL]), but this level of verification can > > > > > > often provide a stronger level of security assurance than for other software > and operating system code. > > > > > > > > > > > > Executing programs using the BPF instruction set also requires > > > > > > either an interpreter or a JIT compiler to translate them to > > > > > > hardware processor native instructions. In general, > > > > > > interpreters are considered a source of insecurity (e.g., > > > > > > gadgets susceptible to side-channel attacks due to speculative > > > > > > execution) and are not recommended. > > > > > > > > Do we need to say that it's not recommended to use JIT engines? > > > > Given that this is explaining how BPF programs are executed, to me > > > > it reads a bit as saying, "It's not recommended to use BPF." Is it > > > > not sufficient to just explain the risks? > > > > > > It says it's not recommended to use interpreters. I couldn't tell > > > if your comment was a typo, did you mean interpreters or JIT > > > engines? It should read as saying it's recommended to use a JIT > > > engine rather than an interpreter. > > Sorry, yes, I meant to say interpreters. What I really meant though is that discussing > the safety of JIT engines vs. interpreters seems a bit out of scope for this Security > Considerations section. It's not as though JIT is a foolproof method in and of itself. > > > > Do you have a suggested alternate wording? > > How about this: > > Executing programs using the BPF instruction set also requires either an interpreter > or a JIT compiler to translate them to hardware processor native instructions. In > general, interpreters and JIT engines can be a source of insecurity (e.g., gadgets > susceptible to side-channel attacks due to speculative execution, or W^X mappings), > and should be audited carefully for vulnerabilities. I've had security researchers tell me that using an interpreter in the same address space as other confidential data is inherently a vulnerability, i.e., no one can prove that it's not a side channel attack waiting to happen and all evidence is that it cannot be protected. Only an interpreter in a separate address space from any secrets can be safe in that respect. So I believe just saying that interpreters "should be audited carefully for vulnerabilities" would not pass security muster by such folks. > > How about: > > > > OLD: In general, interpreters are considered a > > OLD: source of insecurity (e.g., gadgets susceptible to side-channel > > attacks due to speculative execution) > > OLD: and are not recommended. > > > > NEW: In general, interpreters are considered a > > NEW: source of insecurity (e.g., gadgets susceptible to side-channel > > attacks due to speculative execution) > > NEW: so use of a JIT compiler is recommended instead. > > This is fine too. My only worry is that there have also been plenty of vulnerabilities > exploited against JIT engines as well, so it might be more prudent to just warn the > reader of the risks of interpreters/JITs in general as opposed to prescribing one over > the other. > > What do you think? I think the "should be audited carefully for vulnerabilities" phrase would apply to JITs for sure. However it would also apply to any non-BPF code in a privileged context such as a kernel, so it would seem odd to call it out here and not in all other RFCs that would apply to kernel code (e.g., TCP/IP). But if others really want that, we could certainly say that. Dave -- Bpf mailing list Bpf@ietf.org https://www.ietf.org/mailman/listinfo/bpf ^ permalink raw reply [flat|nested] 29+ messages in thread
* RE: BPF ISA Security Considerations section 2024-04-22 20:26 ` dthaler1968 2024-04-22 20:26 ` [Bpf] " dthaler1968=40googlemail.com @ 2024-04-22 20:32 ` dthaler1968 2024-04-22 20:32 ` [Bpf] " dthaler1968=40googlemail.com 2024-04-23 0:19 ` Watson Ladd 1 sibling, 2 replies; 29+ messages in thread From: dthaler1968 @ 2024-04-22 20:32 UTC (permalink / raw) To: dthaler1968, 'David Vernet'; +Cc: bpf, bpf > -----Original Message----- > From: dthaler1968@googlemail.com <dthaler1968@googlemail.com> > Sent: Monday, April 22, 2024 1:26 PM > To: 'David Vernet' <void@manifault.com>; dthaler1968@googlemail.com > Cc: bpf@ietf.org; bpf@vger.kernel.org > Subject: RE: BPF ISA Security Considerations section > > > -----Original Message----- > > From: David Vernet <void@manifault.com> > > Sent: Monday, April 22, 2024 12:35 PM > > To: dthaler1968@googlemail.com > > Cc: bpf@ietf.org; bpf@vger.kernel.org > > Subject: Re: BPF ISA Security Considerations section > > > > On Mon, Apr 22, 2024 at 11:37:48AM -0700, dthaler1968@googlemail.com > wrote: > > > David Vernet <void@manifault.com> wrote: > > > > > Thanks for writing this up. Overall it looks great, just had one > > > > > comment > > > > below. > > > > > > > > > > > > Security Considerations > > > > > > > > > > > > > > BPF programs could use BPF instructions to do malicious > > > > > > > things with memory, CPU, networking, or other system > > > > > > > resources. This is not fundamentally different from any > > > > > > > other type of software that may run on a device. Execution > > > > > > > environments should be carefully designed to only run BPF > > > > > > > programs that are trusted or verified, and sandboxing and > > > > > > > privilege level separation are key strategies for limiting > > > > > > > security and abuse impact. For example, BPF verifiers are > > > > > > > well-known and widely deployed and are responsible for > > > > > > > ensuring that BPF programs will terminate within a > > > > > > > reasonable time, only interact with memory in safe ways, and > > > > > > > adhere to platform-specified API contracts. The details are > > > > > > > out of scope of this document (but see [LINUX] and > > > > > > > [PREVAIL]), but this level of verification can often provide > > > > > > > a stronger level of security assurance than for > other software > > and operating system code. > > > > > > > > > > > > > > Executing programs using the BPF instruction set also > > > > > > > requires either an interpreter or a JIT compiler to > > > > > > > translate them to hardware processor native instructions. In > > > > > > > general, interpreters are considered a source of insecurity > > > > > > > (e.g., gadgets susceptible to side-channel attacks due to > > > > > > > speculative > > > > > > > execution) and are not recommended. > > > > > > > > > > Do we need to say that it's not recommended to use JIT engines? > > > > > Given that this is explaining how BPF programs are executed, to > > > > > me it reads a bit as saying, "It's not recommended to use BPF." > > > > > Is it not sufficient to just explain the risks? > > > > > > > > It says it's not recommended to use interpreters. I couldn't tell > > > > if your comment was a typo, did you mean interpreters or JIT > > > > engines? It should read as saying it's recommended to use a JIT > > > > engine rather than an interpreter. > > > > Sorry, yes, I meant to say interpreters. What I really meant though is > that discussing > > the safety of JIT engines vs. interpreters seems a bit out of scope > > for > this Security > > Considerations section. It's not as though JIT is a foolproof method > > in > and of itself. > > > > > > Do you have a suggested alternate wording? > > > > How about this: > > > > Executing programs using the BPF instruction set also requires either > > an > interpreter > > or a JIT compiler to translate them to hardware processor native > instructions. In > > general, interpreters and JIT engines can be a source of insecurity > > (e.g., > gadgets > > susceptible to side-channel attacks due to speculative execution, or > > W^X > mappings), > > and should be audited carefully for vulnerabilities. > > I've had security researchers tell me that using an interpreter in the same address > space as other confidential data is inherently a vulnerability, i.e., no one can prove > that it's not a side channel attack waiting to happen and all evidence is that it cannot > be protected. Only an interpreter in a separate address space from any secrets can > be safe in that respect. So I believe just saying that interpreters "should be audited > carefully for vulnerabilities" would not pass security muster by such folks. > > > > How about: > > > > > > OLD: In general, interpreters are considered a > > > OLD: source of insecurity (e.g., gadgets susceptible to side-channel > > > attacks due to speculative execution) > > > OLD: and are not recommended. > > > > > > NEW: In general, interpreters are considered a > > > NEW: source of insecurity (e.g., gadgets susceptible to side-channel > > > attacks due to speculative execution) > > > NEW: so use of a JIT compiler is recommended instead. > > > > This is fine too. My only worry is that there have also been plenty of > vulnerabilities > > exploited against JIT engines as well, so it might be more prudent to > > just > warn the > > reader of the risks of interpreters/JITs in general as opposed to > prescribing one over > > the other. > > > > What do you think? > > I think the "should be audited carefully for vulnerabilities" phrase would apply to JITs > for sure. However it would also apply to any non-BPF code in a privileged context > such as a kernel, so it would seem odd to call it out here and not in all other RFCs > that would apply to kernel code (e.g., TCP/IP). But if others really want that, we > could certainly say that. Updated proposed text, based on David's and Watson's feedback: Executing programs using the BPF instruction set also requires either an interpreter or a JIT compiler to translate them to hardware processor native instructions. In general, interpreters are considered a source of insecurity (e.g., gadgets susceptible to side-channel attacks due to speculative execution, or W^X mappings) whenever one is used in the same memory address space as data with confidentiality concerns. As such, use of a JIT compiler is recommended instead. JIT compilers should be audited carefully for vulnerabilities to ensure that JIT compilation of a trusted and verified BPF program does not introduce vulnerabilities. Dave ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [Bpf] BPF ISA Security Considerations section 2024-04-22 20:32 ` dthaler1968 @ 2024-04-22 20:32 ` dthaler1968=40googlemail.com 2024-04-23 0:19 ` Watson Ladd 1 sibling, 0 replies; 29+ messages in thread From: dthaler1968=40googlemail.com @ 2024-04-22 20:32 UTC (permalink / raw) To: dthaler1968, 'David Vernet'; +Cc: bpf, bpf > -----Original Message----- > From: dthaler1968@googlemail.com <dthaler1968@googlemail.com> > Sent: Monday, April 22, 2024 1:26 PM > To: 'David Vernet' <void@manifault.com>; dthaler1968@googlemail.com > Cc: bpf@ietf.org; bpf@vger.kernel.org > Subject: RE: BPF ISA Security Considerations section > > > -----Original Message----- > > From: David Vernet <void@manifault.com> > > Sent: Monday, April 22, 2024 12:35 PM > > To: dthaler1968@googlemail.com > > Cc: bpf@ietf.org; bpf@vger.kernel.org > > Subject: Re: BPF ISA Security Considerations section > > > > On Mon, Apr 22, 2024 at 11:37:48AM -0700, dthaler1968@googlemail.com > wrote: > > > David Vernet <void@manifault.com> wrote: > > > > > Thanks for writing this up. Overall it looks great, just had one > > > > > comment > > > > below. > > > > > > > > > > > > Security Considerations > > > > > > > > > > > > > > BPF programs could use BPF instructions to do malicious > > > > > > > things with memory, CPU, networking, or other system > > > > > > > resources. This is not fundamentally different from any > > > > > > > other type of software that may run on a device. Execution > > > > > > > environments should be carefully designed to only run BPF > > > > > > > programs that are trusted or verified, and sandboxing and > > > > > > > privilege level separation are key strategies for limiting > > > > > > > security and abuse impact. For example, BPF verifiers are > > > > > > > well-known and widely deployed and are responsible for > > > > > > > ensuring that BPF programs will terminate within a > > > > > > > reasonable time, only interact with memory in safe ways, and > > > > > > > adhere to platform-specified API contracts. The details are > > > > > > > out of scope of this document (but see [LINUX] and > > > > > > > [PREVAIL]), but this level of verification can often provide > > > > > > > a stronger level of security assurance than for > other software > > and operating system code. > > > > > > > > > > > > > > Executing programs using the BPF instruction set also > > > > > > > requires either an interpreter or a JIT compiler to > > > > > > > translate them to hardware processor native instructions. In > > > > > > > general, interpreters are considered a source of insecurity > > > > > > > (e.g., gadgets susceptible to side-channel attacks due to > > > > > > > speculative > > > > > > > execution) and are not recommended. > > > > > > > > > > Do we need to say that it's not recommended to use JIT engines? > > > > > Given that this is explaining how BPF programs are executed, to > > > > > me it reads a bit as saying, "It's not recommended to use BPF." > > > > > Is it not sufficient to just explain the risks? > > > > > > > > It says it's not recommended to use interpreters. I couldn't tell > > > > if your comment was a typo, did you mean interpreters or JIT > > > > engines? It should read as saying it's recommended to use a JIT > > > > engine rather than an interpreter. > > > > Sorry, yes, I meant to say interpreters. What I really meant though is > that discussing > > the safety of JIT engines vs. interpreters seems a bit out of scope > > for > this Security > > Considerations section. It's not as though JIT is a foolproof method > > in > and of itself. > > > > > > Do you have a suggested alternate wording? > > > > How about this: > > > > Executing programs using the BPF instruction set also requires either > > an > interpreter > > or a JIT compiler to translate them to hardware processor native > instructions. In > > general, interpreters and JIT engines can be a source of insecurity > > (e.g., > gadgets > > susceptible to side-channel attacks due to speculative execution, or > > W^X > mappings), > > and should be audited carefully for vulnerabilities. > > I've had security researchers tell me that using an interpreter in the same address > space as other confidential data is inherently a vulnerability, i.e., no one can prove > that it's not a side channel attack waiting to happen and all evidence is that it cannot > be protected. Only an interpreter in a separate address space from any secrets can > be safe in that respect. So I believe just saying that interpreters "should be audited > carefully for vulnerabilities" would not pass security muster by such folks. > > > > How about: > > > > > > OLD: In general, interpreters are considered a > > > OLD: source of insecurity (e.g., gadgets susceptible to side-channel > > > attacks due to speculative execution) > > > OLD: and are not recommended. > > > > > > NEW: In general, interpreters are considered a > > > NEW: source of insecurity (e.g., gadgets susceptible to side-channel > > > attacks due to speculative execution) > > > NEW: so use of a JIT compiler is recommended instead. > > > > This is fine too. My only worry is that there have also been plenty of > vulnerabilities > > exploited against JIT engines as well, so it might be more prudent to > > just > warn the > > reader of the risks of interpreters/JITs in general as opposed to > prescribing one over > > the other. > > > > What do you think? > > I think the "should be audited carefully for vulnerabilities" phrase would apply to JITs > for sure. However it would also apply to any non-BPF code in a privileged context > such as a kernel, so it would seem odd to call it out here and not in all other RFCs > that would apply to kernel code (e.g., TCP/IP). But if others really want that, we > could certainly say that. Updated proposed text, based on David's and Watson's feedback: Executing programs using the BPF instruction set also requires either an interpreter or a JIT compiler to translate them to hardware processor native instructions. In general, interpreters are considered a source of insecurity (e.g., gadgets susceptible to side-channel attacks due to speculative execution, or W^X mappings) whenever one is used in the same memory address space as data with confidentiality concerns. As such, use of a JIT compiler is recommended instead. JIT compilers should be audited carefully for vulnerabilities to ensure that JIT compilation of a trusted and verified BPF program does not introduce vulnerabilities. Dave -- Bpf mailing list Bpf@ietf.org https://www.ietf.org/mailman/listinfo/bpf ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [Bpf] BPF ISA Security Considerations section 2024-04-22 20:32 ` dthaler1968 2024-04-22 20:32 ` [Bpf] " dthaler1968=40googlemail.com @ 2024-04-23 0:19 ` Watson Ladd 2024-04-23 0:19 ` Watson Ladd ` (2 more replies) 1 sibling, 3 replies; 29+ messages in thread From: Watson Ladd @ 2024-04-23 0:19 UTC (permalink / raw) To: dthaler1968=40googlemail.com; +Cc: dthaler1968, David Vernet, bpf, bpf On Mon, Apr 22, 2024 at 1:32 PM <dthaler1968=40googlemail.com@dmarc.ietf.org> wrote: > > > -----Original Message----- > > From: dthaler1968@googlemail.com <dthaler1968@googlemail.com> > > Sent: Monday, April 22, 2024 1:26 PM > > To: 'David Vernet' <void@manifault.com>; dthaler1968@googlemail.com > > Cc: bpf@ietf.org; bpf@vger.kernel.org > > Subject: RE: BPF ISA Security Considerations section > > > > > -----Original Message----- > > > From: David Vernet <void@manifault.com> > > > Sent: Monday, April 22, 2024 12:35 PM > > > To: dthaler1968@googlemail.com > > > Cc: bpf@ietf.org; bpf@vger.kernel.org > > > Subject: Re: BPF ISA Security Considerations section > > > > > > On Mon, Apr 22, 2024 at 11:37:48AM -0700, dthaler1968@googlemail.com > > wrote: > > > > David Vernet <void@manifault.com> wrote: > > > > > > Thanks for writing this up. Overall it looks great, just had one > > > > > > comment > > > > > below. > > > > > > > > > > > > > > Security Considerations > > > > > > > > > > > > > > > > BPF programs could use BPF instructions to do malicious > > > > > > > > things with memory, CPU, networking, or other system > > > > > > > > resources. This is not fundamentally different from any > > > > > > > > other type of software that may run on a device. Execution > > > > > > > > environments should be carefully designed to only run BPF > > > > > > > > programs that are trusted or verified, and sandboxing and > > > > > > > > privilege level separation are key strategies for limiting > > > > > > > > security and abuse impact. For example, BPF verifiers are > > > > > > > > well-known and widely deployed and are responsible for > > > > > > > > ensuring that BPF programs will terminate within a > > > > > > > > reasonable time, only interact with memory in safe ways, and > > > > > > > > adhere to platform-specified API contracts. The details are > > > > > > > > out of scope of this document (but see [LINUX] and > > > > > > > > [PREVAIL]), but this level of verification can often provide > > > > > > > > a stronger level of security assurance than for > > other software > > > and operating system code. > > > > > > > > > > > > > > > > Executing programs using the BPF instruction set also > > > > > > > > requires either an interpreter or a JIT compiler to > > > > > > > > translate them to hardware processor native instructions. In > > > > > > > > general, interpreters are considered a source of insecurity > > > > > > > > (e.g., gadgets susceptible to side-channel attacks due to > > > > > > > > speculative > > > > > > > > execution) and are not recommended. > > > > > > > > > > > > Do we need to say that it's not recommended to use JIT engines? > > > > > > Given that this is explaining how BPF programs are executed, to > > > > > > me it reads a bit as saying, "It's not recommended to use BPF." > > > > > > Is it not sufficient to just explain the risks? > > > > > > > > > > It says it's not recommended to use interpreters. I couldn't tell > > > > > if your comment was a typo, did you mean interpreters or JIT > > > > > engines? It should read as saying it's recommended to use a JIT > > > > > engine rather than an interpreter. > > > > > > Sorry, yes, I meant to say interpreters. What I really meant though is > > that discussing > > > the safety of JIT engines vs. interpreters seems a bit out of scope > > > for > > this Security > > > Considerations section. It's not as though JIT is a foolproof method > > > in > > and of itself. > > > > > > > > Do you have a suggested alternate wording? > > > > > > How about this: > > > > > > Executing programs using the BPF instruction set also requires either > > > an > > interpreter > > > or a JIT compiler to translate them to hardware processor native > > instructions. In > > > general, interpreters and JIT engines can be a source of insecurity > > > (e.g., > > gadgets > > > susceptible to side-channel attacks due to speculative execution, or > > > W^X > > mappings), > > > and should be audited carefully for vulnerabilities. > > > > I've had security researchers tell me that using an interpreter in the > same address > > space as other confidential data is inherently a vulnerability, i.e., no > one can prove > > that it's not a side channel attack waiting to happen and all evidence is > that it cannot > > be protected. Only an interpreter in a separate address space from any > secrets can > > be safe in that respect. So I believe just saying that interpreters > "should be audited > > carefully for vulnerabilities" would not pass security muster by such > folks. > > > > > > How about: > > > > > > > > OLD: In general, interpreters are considered a > > > > OLD: source of insecurity (e.g., gadgets susceptible to side-channel > > > > attacks due to speculative execution) > > > > OLD: and are not recommended. > > > > > > > > NEW: In general, interpreters are considered a > > > > NEW: source of insecurity (e.g., gadgets susceptible to side-channel > > > > attacks due to speculative execution) > > > > NEW: so use of a JIT compiler is recommended instead. > > > > > > This is fine too. My only worry is that there have also been plenty of > > vulnerabilities > > > exploited against JIT engines as well, so it might be more prudent to > > > just > > warn the > > > reader of the risks of interpreters/JITs in general as opposed to > > prescribing one over > > > the other. > > > > > > What do you think? > > > > I think the "should be audited carefully for vulnerabilities" phrase would > apply to JITs > > for sure. However it would also apply to any non-BPF code in a privileged > context > > such as a kernel, so it would seem odd to call it out here and not in all > other RFCs > > that would apply to kernel code (e.g., TCP/IP). But if others really want > that, we > > could certainly say that. > > Updated proposed text, based on David's and Watson's feedback: > > Executing programs using the BPF instruction set also requires either an > interpreter or a JIT compiler > to translate them to hardware processor native instructions. In general, > interpreters are considered a > source of insecurity (e.g., gadgets susceptible to side-channel attacks due > to speculative execution, > or W^X mappings) whenever one is used in the same memory address space as > data with confidentiality > concerns. As such, use of a JIT compiler is recommended instead. JIT > compilers should be audited > carefully for vulnerabilities to ensure that JIT compilation of a trusted > and verified BPF program > does not introduce vulnerabilities. But W^X mappings are for JIT (and avoidable by writing, then remapping and executing), not interpreters. How about we just say "Executing the program requires an interpreter or JIT compiler in the same memory space as the system being probed or extended. This creates risks of transient execution attacks that can reveal data with confidentiality concerns. Methods for avoiding these attacks are under active research and frequently depend on microarchitectural details." Sincerely, Watson > > Dave > > -- > Bpf mailing list > Bpf@ietf.org > https://www.ietf.org/mailman/listinfo/bpf -- Astra mortemque praestare gradatim ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [Bpf] BPF ISA Security Considerations section 2024-04-23 0:19 ` Watson Ladd @ 2024-04-23 0:19 ` Watson Ladd 2024-04-23 16:00 ` [EXTERNAL] " Alan Jowett 2024-04-23 17:59 ` [Bpf] " dthaler1968 2 siblings, 0 replies; 29+ messages in thread From: Watson Ladd @ 2024-04-23 0:19 UTC (permalink / raw) To: dthaler1968=40googlemail.com; +Cc: dthaler1968, David Vernet, bpf, bpf On Mon, Apr 22, 2024 at 1:32 PM <dthaler1968=40googlemail.com@dmarc.ietf.org> wrote: > > > -----Original Message----- > > From: dthaler1968@googlemail.com <dthaler1968@googlemail.com> > > Sent: Monday, April 22, 2024 1:26 PM > > To: 'David Vernet' <void@manifault.com>; dthaler1968@googlemail.com > > Cc: bpf@ietf.org; bpf@vger.kernel.org > > Subject: RE: BPF ISA Security Considerations section > > > > > -----Original Message----- > > > From: David Vernet <void@manifault.com> > > > Sent: Monday, April 22, 2024 12:35 PM > > > To: dthaler1968@googlemail.com > > > Cc: bpf@ietf.org; bpf@vger.kernel.org > > > Subject: Re: BPF ISA Security Considerations section > > > > > > On Mon, Apr 22, 2024 at 11:37:48AM -0700, dthaler1968@googlemail.com > > wrote: > > > > David Vernet <void@manifault.com> wrote: > > > > > > Thanks for writing this up. Overall it looks great, just had one > > > > > > comment > > > > > below. > > > > > > > > > > > > > > Security Considerations > > > > > > > > > > > > > > > > BPF programs could use BPF instructions to do malicious > > > > > > > > things with memory, CPU, networking, or other system > > > > > > > > resources. This is not fundamentally different from any > > > > > > > > other type of software that may run on a device. Execution > > > > > > > > environments should be carefully designed to only run BPF > > > > > > > > programs that are trusted or verified, and sandboxing and > > > > > > > > privilege level separation are key strategies for limiting > > > > > > > > security and abuse impact. For example, BPF verifiers are > > > > > > > > well-known and widely deployed and are responsible for > > > > > > > > ensuring that BPF programs will terminate within a > > > > > > > > reasonable time, only interact with memory in safe ways, and > > > > > > > > adhere to platform-specified API contracts. The details are > > > > > > > > out of scope of this document (but see [LINUX] and > > > > > > > > [PREVAIL]), but this level of verification can often provide > > > > > > > > a stronger level of security assurance than for > > other software > > > and operating system code. > > > > > > > > > > > > > > > > Executing programs using the BPF instruction set also > > > > > > > > requires either an interpreter or a JIT compiler to > > > > > > > > translate them to hardware processor native instructions. In > > > > > > > > general, interpreters are considered a source of insecurity > > > > > > > > (e.g., gadgets susceptible to side-channel attacks due to > > > > > > > > speculative > > > > > > > > execution) and are not recommended. > > > > > > > > > > > > Do we need to say that it's not recommended to use JIT engines? > > > > > > Given that this is explaining how BPF programs are executed, to > > > > > > me it reads a bit as saying, "It's not recommended to use BPF." > > > > > > Is it not sufficient to just explain the risks? > > > > > > > > > > It says it's not recommended to use interpreters. I couldn't tell > > > > > if your comment was a typo, did you mean interpreters or JIT > > > > > engines? It should read as saying it's recommended to use a JIT > > > > > engine rather than an interpreter. > > > > > > Sorry, yes, I meant to say interpreters. What I really meant though is > > that discussing > > > the safety of JIT engines vs. interpreters seems a bit out of scope > > > for > > this Security > > > Considerations section. It's not as though JIT is a foolproof method > > > in > > and of itself. > > > > > > > > Do you have a suggested alternate wording? > > > > > > How about this: > > > > > > Executing programs using the BPF instruction set also requires either > > > an > > interpreter > > > or a JIT compiler to translate them to hardware processor native > > instructions. In > > > general, interpreters and JIT engines can be a source of insecurity > > > (e.g., > > gadgets > > > susceptible to side-channel attacks due to speculative execution, or > > > W^X > > mappings), > > > and should be audited carefully for vulnerabilities. > > > > I've had security researchers tell me that using an interpreter in the > same address > > space as other confidential data is inherently a vulnerability, i.e., no > one can prove > > that it's not a side channel attack waiting to happen and all evidence is > that it cannot > > be protected. Only an interpreter in a separate address space from any > secrets can > > be safe in that respect. So I believe just saying that interpreters > "should be audited > > carefully for vulnerabilities" would not pass security muster by such > folks. > > > > > > How about: > > > > > > > > OLD: In general, interpreters are considered a > > > > OLD: source of insecurity (e.g., gadgets susceptible to side-channel > > > > attacks due to speculative execution) > > > > OLD: and are not recommended. > > > > > > > > NEW: In general, interpreters are considered a > > > > NEW: source of insecurity (e.g., gadgets susceptible to side-channel > > > > attacks due to speculative execution) > > > > NEW: so use of a JIT compiler is recommended instead. > > > > > > This is fine too. My only worry is that there have also been plenty of > > vulnerabilities > > > exploited against JIT engines as well, so it might be more prudent to > > > just > > warn the > > > reader of the risks of interpreters/JITs in general as opposed to > > prescribing one over > > > the other. > > > > > > What do you think? > > > > I think the "should be audited carefully for vulnerabilities" phrase would > apply to JITs > > for sure. However it would also apply to any non-BPF code in a privileged > context > > such as a kernel, so it would seem odd to call it out here and not in all > other RFCs > > that would apply to kernel code (e.g., TCP/IP). But if others really want > that, we > > could certainly say that. > > Updated proposed text, based on David's and Watson's feedback: > > Executing programs using the BPF instruction set also requires either an > interpreter or a JIT compiler > to translate them to hardware processor native instructions. In general, > interpreters are considered a > source of insecurity (e.g., gadgets susceptible to side-channel attacks due > to speculative execution, > or W^X mappings) whenever one is used in the same memory address space as > data with confidentiality > concerns. As such, use of a JIT compiler is recommended instead. JIT > compilers should be audited > carefully for vulnerabilities to ensure that JIT compilation of a trusted > and verified BPF program > does not introduce vulnerabilities. But W^X mappings are for JIT (and avoidable by writing, then remapping and executing), not interpreters. How about we just say "Executing the program requires an interpreter or JIT compiler in the same memory space as the system being probed or extended. This creates risks of transient execution attacks that can reveal data with confidentiality concerns. Methods for avoiding these attacks are under active research and frequently depend on microarchitectural details." Sincerely, Watson > > Dave > > -- > Bpf mailing list > Bpf@ietf.org > https://www.ietf.org/mailman/listinfo/bpf -- Astra mortemque praestare gradatim -- Bpf mailing list Bpf@ietf.org https://www.ietf.org/mailman/listinfo/bpf ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [EXTERNAL] Re: [Bpf] BPF ISA Security Considerations section 2024-04-23 0:19 ` Watson Ladd 2024-04-23 0:19 ` Watson Ladd @ 2024-04-23 16:00 ` Alan Jowett 2024-04-23 16:00 ` [Bpf] [EXTERNAL] " Alan Jowett 2024-04-23 17:59 ` [Bpf] " dthaler1968 2 siblings, 1 reply; 29+ messages in thread From: Alan Jowett @ 2024-04-23 16:00 UTC (permalink / raw) To: Watson Ladd, dthaler1968=40googlemail.com@dmarc.ietf.org Cc: dthaler1968@googlemail.com, David Vernet, bpf@ietf.org, bpf@vger.kernel.org >From: Bpf <bpf-bounces@ietf.org> on behalf of Watson Ladd <watsonbladd@gmail.com> >Sent: Monday, April 22, 2024 5:19 PM >To: dthaler1968=40googlemail.com@dmarc.ietf.org <dthaler1968=40googlemail.com@dmarc.ietf.org> >Cc: dthaler1968@googlemail.com <dthaler1968@googlemail.com>; David Vernet <void@manifault.com>; bpf@ietf.org <bpf@ietf.org>; bpf@vger.kernel.org <bpf@vger.kernel.org> >Subject: [EXTERNAL] Re: [Bpf] BPF ISA Security Considerations section > >On Mon, Apr 22, 2024 at 1:32 PM ><dthaler1968=40googlemail.com@dmarc.ietf.org> wrote: >> >> > -----Original Message----- >> > From: dthaler1968@googlemail.com <dthaler1968@googlemail.com> >> > Sent: Monday, April 22, 2024 1:26 PM >> > To: 'David Vernet' <void@manifault.com>; dthaler1968@googlemail.com >> > Cc: bpf@ietf.org; bpf@vger.kernel.org >> > Subject: RE: BPF ISA Security Considerations section >> > >> > > -----Original Message----- >> > > From: David Vernet <void@manifault.com> >> > > Sent: Monday, April 22, 2024 12:35 PM >> > > To: dthaler1968@googlemail.com >> > > Cc: bpf@ietf.org; bpf@vger.kernel.org >> > > Subject: Re: BPF ISA Security Considerations section >> > > >> > > On Mon, Apr 22, 2024 at 11:37:48AM -0700, dthaler1968@googlemail.com >> > wrote: >> > > > David Vernet <void@manifault.com> wrote: >> > > > > > Thanks for writing this up. Overall it looks great, just had one >> > > > > > comment >> > > > > below. >> > > > > > >> > > > > > > > Security Considerations >> > > > > > > > >> > > > > > > > BPF programs could use BPF instructions to do malicious >> > > > > > > > things with memory, CPU, networking, or other system >> > > > > > > > resources. This is not fundamentally different from any >> > > > > > > > other type of software that may run on a device. Execution >> > > > > > > > environments should be carefully designed to only run BPF >> > > > > > > > programs that are trusted or verified, and sandboxing and >> > > > > > > > privilege level separation are key strategies for limiting >> > > > > > > > security and abuse impact. For example, BPF verifiers are >> > > > > > > > well-known and widely deployed and are responsible for >> > > > > > > > ensuring that BPF programs will terminate within a >> > > > > > > > reasonable time, only interact with memory in safe ways, and >> > > > > > > > adhere to platform-specified API contracts. The details are >> > > > > > > > out of scope of this document (but see [LINUX] and >> > > > > > > > [PREVAIL]), but this level of verification can often provide >> > > > > > > > a stronger level of security assurance than for >> > other software >> > > and operating system code. >> > > > > > > > >> > > > > > > > Executing programs using the BPF instruction set also >> > > > > > > > requires either an interpreter or a JIT compiler to >> > > > > > > > translate them to hardware processor native instructions. In >> > > > > > > > general, interpreters are considered a source of insecurity >> > > > > > > > (e.g., gadgets susceptible to side-channel attacks due to >> > > > > > > > speculative >> > > > > > > > execution) and are not recommended. >> > > > > > >> > > > > > Do we need to say that it's not recommended to use JIT engines? >> > > > > > Given that this is explaining how BPF programs are executed, to >> > > > > > me it reads a bit as saying, "It's not recommended to use BPF." >> > > > > > Is it not sufficient to just explain the risks? >> > > > > >> > > > > It says it's not recommended to use interpreters. I couldn't tell >> > > > > if your comment was a typo, did you mean interpreters or JIT >> > > > > engines? It should read as saying it's recommended to use a JIT >> > > > > engine rather than an interpreter. >> > > >> > > Sorry, yes, I meant to say interpreters. What I really meant though is >> > that discussing >> > > the safety of JIT engines vs. interpreters seems a bit out of scope >> > > for >> > this Security >> > > Considerations section. It's not as though JIT is a foolproof method >> > > in >> > and of itself. >> > > >> > > > > Do you have a suggested alternate wording? >> > > >> > > How about this: >> > > >> > > Executing programs using the BPF instruction set also requires either >> > > an >> > interpreter >> > > or a JIT compiler to translate them to hardware processor native >> > instructions. In >> > > general, interpreters and JIT engines can be a source of insecurity >> > > (e.g., >> > gadgets >> > > susceptible to side-channel attacks due to speculative execution, or >> > > W^X >> > mappings), >> > > and should be audited carefully for vulnerabilities. >> > >> > I've had security researchers tell me that using an interpreter in the >> same address >> > space as other confidential data is inherently a vulnerability, i.e., no >> one can prove >> > that it's not a side channel attack waiting to happen and all evidence is >> that it cannot >> > be protected. Only an interpreter in a separate address space from any >> secrets can >> > be safe in that respect. So I believe just saying that interpreters >> "should be audited >> > carefully for vulnerabilities" would not pass security muster by such >> folks. >> > >> > > > How about: >> > > > >> > > > OLD: In general, interpreters are considered a >> > > > OLD: source of insecurity (e.g., gadgets susceptible to side-channel >> > > > attacks due to speculative execution) >> > > > OLD: and are not recommended. >> > > > >> > > > NEW: In general, interpreters are considered a >> > > > NEW: source of insecurity (e.g., gadgets susceptible to side-channel >> > > > attacks due to speculative execution) >> > > > NEW: so use of a JIT compiler is recommended instead. >> > > >> > > This is fine too. My only worry is that there have also been plenty of >> > vulnerabilities >> > > exploited against JIT engines as well, so it might be more prudent to >> > > just >> > warn the >> > > reader of the risks of interpreters/JITs in general as opposed to >> > prescribing one over >> > > the other. >> > > >> > > What do you think? >> > >> > I think the "should be audited carefully for vulnerabilities" phrase would >> apply to JITs >> > for sure. However it would also apply to any non-BPF code in a privileged >> context >> > such as a kernel, so it would seem odd to call it out here and not in all >> other RFCs >> > that would apply to kernel code (e.g., TCP/IP). But if others really want >> that, we >> > could certainly say that. >> >> Updated proposed text, based on David's and Watson's feedback: >> >> Executing programs using the BPF instruction set also requires either an >> interpreter or a JIT compiler >> to translate them to hardware processor native instructions. In general, >> interpreters are considered a >> source of insecurity (e.g., gadgets susceptible to side-channel attacks due >> to speculative execution, >> or W^X mappings) whenever one is used in the same memory address space as >> data with confidentiality >> concerns. As such, use of a JIT compiler is recommended instead. JIT >> compilers should be audited >> carefully for vulnerabilities to ensure that JIT compilation of a trusted >> and verified BPF program >> does not introduce vulnerabilities. > >But W^X mappings are for JIT (and avoidable by writing, then remapping >and executing), not interpreters. How about we just say "Executing the >program requires an interpreter or JIT compiler in the same memory >space as the system being probed or extended. This creates risks of >transient execution attacks that can reveal data with confidentiality >concerns. Methods for avoiding these attacks are under active research >and frequently depend on microarchitectural details." Is it strictly true that BPF implies either JIT or interpreter? The eBPF for Windows project does ahead of time compilation (AOT), through a process of translating each BPF instruction into an equivalent C statement and then passing it through a C compiler to produce side-channel aware code (and also permit post verification optimization). I believe interpreter or JIT are implementation details and not intrinsic to the ISA. Regards, Alan Jowett > >Sincerely, >Watson >> >> Dave >> >> -- >> Bpf mailing list >> Bpf@ietf.org >> https://www.ietf.org/mailman/listinfo/bpf > > > >-- >Astra mortemque praestare gradatim > >-- >Bpf mailing list >Bpf@ietf.org >https://www.ietf.org/mailman/listinfo/bpf > ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [Bpf] [EXTERNAL] Re: BPF ISA Security Considerations section 2024-04-23 16:00 ` [EXTERNAL] " Alan Jowett @ 2024-04-23 16:00 ` Alan Jowett 0 siblings, 0 replies; 29+ messages in thread From: Alan Jowett @ 2024-04-23 16:00 UTC (permalink / raw) To: Watson Ladd, dthaler1968=40googlemail.com@dmarc.ietf.org Cc: dthaler1968@googlemail.com, David Vernet, bpf@ietf.org, bpf@vger.kernel.org >From: Bpf <bpf-bounces@ietf.org> on behalf of Watson Ladd <watsonbladd@gmail.com> >Sent: Monday, April 22, 2024 5:19 PM >To: dthaler1968=40googlemail.com@dmarc.ietf.org <dthaler1968=40googlemail.com@dmarc.ietf.org> >Cc: dthaler1968@googlemail.com <dthaler1968@googlemail.com>; David Vernet <void@manifault.com>; bpf@ietf.org <bpf@ietf.org>; bpf@vger.kernel.org <bpf@vger.kernel.org> >Subject: [EXTERNAL] Re: [Bpf] BPF ISA Security Considerations section > >On Mon, Apr 22, 2024 at 1:32 PM ><dthaler1968=40googlemail.com@dmarc.ietf.org> wrote: >> >> > -----Original Message----- >> > From: dthaler1968@googlemail.com <dthaler1968@googlemail.com> >> > Sent: Monday, April 22, 2024 1:26 PM >> > To: 'David Vernet' <void@manifault.com>; dthaler1968@googlemail.com >> > Cc: bpf@ietf.org; bpf@vger.kernel.org >> > Subject: RE: BPF ISA Security Considerations section >> > >> > > -----Original Message----- >> > > From: David Vernet <void@manifault.com> >> > > Sent: Monday, April 22, 2024 12:35 PM >> > > To: dthaler1968@googlemail.com >> > > Cc: bpf@ietf.org; bpf@vger.kernel.org >> > > Subject: Re: BPF ISA Security Considerations section >> > > >> > > On Mon, Apr 22, 2024 at 11:37:48AM -0700, dthaler1968@googlemail.com >> > wrote: >> > > > David Vernet <void@manifault.com> wrote: >> > > > > > Thanks for writing this up. Overall it looks great, just had one >> > > > > > comment >> > > > > below. >> > > > > > >> > > > > > > > Security Considerations >> > > > > > > > >> > > > > > > > BPF programs could use BPF instructions to do malicious >> > > > > > > > things with memory, CPU, networking, or other system >> > > > > > > > resources. This is not fundamentally different from any >> > > > > > > > other type of software that may run on a device. Execution >> > > > > > > > environments should be carefully designed to only run BPF >> > > > > > > > programs that are trusted or verified, and sandboxing and >> > > > > > > > privilege level separation are key strategies for limiting >> > > > > > > > security and abuse impact. For example, BPF verifiers are >> > > > > > > > well-known and widely deployed and are responsible for >> > > > > > > > ensuring that BPF programs will terminate within a >> > > > > > > > reasonable time, only interact with memory in safe ways, and >> > > > > > > > adhere to platform-specified API contracts. The details are >> > > > > > > > out of scope of this document (but see [LINUX] and >> > > > > > > > [PREVAIL]), but this level of verification can often provide >> > > > > > > > a stronger level of security assurance than for >> > other software >> > > and operating system code. >> > > > > > > > >> > > > > > > > Executing programs using the BPF instruction set also >> > > > > > > > requires either an interpreter or a JIT compiler to >> > > > > > > > translate them to hardware processor native instructions. In >> > > > > > > > general, interpreters are considered a source of insecurity >> > > > > > > > (e.g., gadgets susceptible to side-channel attacks due to >> > > > > > > > speculative >> > > > > > > > execution) and are not recommended. >> > > > > > >> > > > > > Do we need to say that it's not recommended to use JIT engines? >> > > > > > Given that this is explaining how BPF programs are executed, to >> > > > > > me it reads a bit as saying, "It's not recommended to use BPF." >> > > > > > Is it not sufficient to just explain the risks? >> > > > > >> > > > > It says it's not recommended to use interpreters. I couldn't tell >> > > > > if your comment was a typo, did you mean interpreters or JIT >> > > > > engines? It should read as saying it's recommended to use a JIT >> > > > > engine rather than an interpreter. >> > > >> > > Sorry, yes, I meant to say interpreters. What I really meant though is >> > that discussing >> > > the safety of JIT engines vs. interpreters seems a bit out of scope >> > > for >> > this Security >> > > Considerations section. It's not as though JIT is a foolproof method >> > > in >> > and of itself. >> > > >> > > > > Do you have a suggested alternate wording? >> > > >> > > How about this: >> > > >> > > Executing programs using the BPF instruction set also requires either >> > > an >> > interpreter >> > > or a JIT compiler to translate them to hardware processor native >> > instructions. In >> > > general, interpreters and JIT engines can be a source of insecurity >> > > (e.g., >> > gadgets >> > > susceptible to side-channel attacks due to speculative execution, or >> > > W^X >> > mappings), >> > > and should be audited carefully for vulnerabilities. >> > >> > I've had security researchers tell me that using an interpreter in the >> same address >> > space as other confidential data is inherently a vulnerability, i.e., no >> one can prove >> > that it's not a side channel attack waiting to happen and all evidence is >> that it cannot >> > be protected. Only an interpreter in a separate address space from any >> secrets can >> > be safe in that respect. So I believe just saying that interpreters >> "should be audited >> > carefully for vulnerabilities" would not pass security muster by such >> folks. >> > >> > > > How about: >> > > > >> > > > OLD: In general, interpreters are considered a >> > > > OLD: source of insecurity (e.g., gadgets susceptible to side-channel >> > > > attacks due to speculative execution) >> > > > OLD: and are not recommended. >> > > > >> > > > NEW: In general, interpreters are considered a >> > > > NEW: source of insecurity (e.g., gadgets susceptible to side-channel >> > > > attacks due to speculative execution) >> > > > NEW: so use of a JIT compiler is recommended instead. >> > > >> > > This is fine too. My only worry is that there have also been plenty of >> > vulnerabilities >> > > exploited against JIT engines as well, so it might be more prudent to >> > > just >> > warn the >> > > reader of the risks of interpreters/JITs in general as opposed to >> > prescribing one over >> > > the other. >> > > >> > > What do you think? >> > >> > I think the "should be audited carefully for vulnerabilities" phrase would >> apply to JITs >> > for sure. However it would also apply to any non-BPF code in a privileged >> context >> > such as a kernel, so it would seem odd to call it out here and not in all >> other RFCs >> > that would apply to kernel code (e.g., TCP/IP). But if others really want >> that, we >> > could certainly say that. >> >> Updated proposed text, based on David's and Watson's feedback: >> >> Executing programs using the BPF instruction set also requires either an >> interpreter or a JIT compiler >> to translate them to hardware processor native instructions. In general, >> interpreters are considered a >> source of insecurity (e.g., gadgets susceptible to side-channel attacks due >> to speculative execution, >> or W^X mappings) whenever one is used in the same memory address space as >> data with confidentiality >> concerns. As such, use of a JIT compiler is recommended instead. JIT >> compilers should be audited >> carefully for vulnerabilities to ensure that JIT compilation of a trusted >> and verified BPF program >> does not introduce vulnerabilities. > >But W^X mappings are for JIT (and avoidable by writing, then remapping >and executing), not interpreters. How about we just say "Executing the >program requires an interpreter or JIT compiler in the same memory >space as the system being probed or extended. This creates risks of >transient execution attacks that can reveal data with confidentiality >concerns. Methods for avoiding these attacks are under active research >and frequently depend on microarchitectural details." Is it strictly true that BPF implies either JIT or interpreter? The eBPF for Windows project does ahead of time compilation (AOT), through a process of translating each BPF instruction into an equivalent C statement and then passing it through a C compiler to produce side-channel aware code (and also permit post verification optimization). I believe interpreter or JIT are implementation details and not intrinsic to the ISA. Regards, Alan Jowett > >Sincerely, >Watson >> >> Dave >> >> -- >> Bpf mailing list >> Bpf@ietf.org >> https://www.ietf.org/mailman/listinfo/bpf > > > >-- >Astra mortemque praestare gradatim > >-- >Bpf mailing list >Bpf@ietf.org >https://www.ietf.org/mailman/listinfo/bpf > -- Bpf mailing list Bpf@ietf.org https://www.ietf.org/mailman/listinfo/bpf ^ permalink raw reply [flat|nested] 29+ messages in thread
* RE: [Bpf] BPF ISA Security Considerations section 2024-04-23 0:19 ` Watson Ladd 2024-04-23 0:19 ` Watson Ladd 2024-04-23 16:00 ` [EXTERNAL] " Alan Jowett @ 2024-04-23 17:59 ` dthaler1968 2024-04-23 17:59 ` dthaler1968=40googlemail.com 2024-04-23 19:59 ` David Vernet 2 siblings, 2 replies; 29+ messages in thread From: dthaler1968 @ 2024-04-23 17:59 UTC (permalink / raw) To: 'Watson Ladd', 'Alan Jowett' Cc: 'David Vernet', bpf, bpf Thanks Watson and Alan for continued feedback. Watson wrote: > But W^X mappings are for JIT (and avoidable by writing, then remapping and > executing), not interpreters. Removed W^X phrase. > How about we just say "Executing the program requires > an interpreter or JIT compiler in the same memory space as the system being > probed or extended. Execution does not require that the interpreter or JIT compiler is in the same memory space, even if that is the most common implementation. (And Alan's point also applies here that compilation might or might not be JIT per se.) Below is the latest strawman after taking the latest feedback into account... -Dave Security Considerations ======================= BPF programs could use BPF instructions to do malicious things with memory, CPU, networking, or other system resources. This is not fundamentally different from any other type of software that may run on a device. Execution environments should be carefully designed to only run BPF programs that are trusted and verified, and sandboxing and privilege level separation are key strategies for limiting security and abuse impact. For example, BPF verifiers are well-known and widely deployed and are responsible for ensuring that BPF programs will terminate within a reasonable time, only interact with memory in safe ways, and adhere to platform-specified API contracts. This level of verification can often provide a stronger level of security assurance than for other software and operating system code. While the details are out of scope of this document, `Linux <https://www.kernel.org/doc/html/latest/bpf/verifier.html>`_ and `PREVAIL <https://pldi19.sigplan.org/details/pldi-2019-papers/44/Simple-and-Precise-Static-Analysis-of-Untrusted-Linux-K Kernel-Extensions>`_ do provide many details. Future IETF work will document verifier expectations and building blocks for allowing safe execution of untrusted BPF programs. Executing programs using the BPF instruction set also requires either an interpreter or a compiler to translate them to hardware processor native instructions. In general, interpreters are considered a source of insecurity (e.g., gadgets susceptible to side-channel attacks due to speculative execution) whenever one is used in the same memory address space as data with confidentiality concerns. As such, use of a compiler is recommended instead. Compilers should be audited carefully for vulnerabilities to ensure that compilation of a trusted and verified BPF program to native processor instructions does not introduce vulnerabilities. Exposing functionality via BPF extends the interface between the component executing the BPF program and the component submitting it. Careful consideration of what functionality is exposed and how that impacts the security properties desired is required. ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [Bpf] BPF ISA Security Considerations section 2024-04-23 17:59 ` [Bpf] " dthaler1968 @ 2024-04-23 17:59 ` dthaler1968=40googlemail.com 2024-04-23 19:59 ` David Vernet 1 sibling, 0 replies; 29+ messages in thread From: dthaler1968=40googlemail.com @ 2024-04-23 17:59 UTC (permalink / raw) To: 'Watson Ladd', 'Alan Jowett' Cc: 'David Vernet', bpf, bpf Thanks Watson and Alan for continued feedback. Watson wrote: > But W^X mappings are for JIT (and avoidable by writing, then remapping and > executing), not interpreters. Removed W^X phrase. > How about we just say "Executing the program requires > an interpreter or JIT compiler in the same memory space as the system being > probed or extended. Execution does not require that the interpreter or JIT compiler is in the same memory space, even if that is the most common implementation. (And Alan's point also applies here that compilation might or might not be JIT per se.) Below is the latest strawman after taking the latest feedback into account... -Dave Security Considerations ======================= BPF programs could use BPF instructions to do malicious things with memory, CPU, networking, or other system resources. This is not fundamentally different from any other type of software that may run on a device. Execution environments should be carefully designed to only run BPF programs that are trusted and verified, and sandboxing and privilege level separation are key strategies for limiting security and abuse impact. For example, BPF verifiers are well-known and widely deployed and are responsible for ensuring that BPF programs will terminate within a reasonable time, only interact with memory in safe ways, and adhere to platform-specified API contracts. This level of verification can often provide a stronger level of security assurance than for other software and operating system code. While the details are out of scope of this document, `Linux <https://www.kernel.org/doc/html/latest/bpf/verifier.html>`_ and `PREVAIL <https://pldi19.sigplan.org/details/pldi-2019-papers/44/Simple-and-Precise-Static-Analysis-of-Untrusted-Linux-K Kernel-Extensions>`_ do provide many details. Future IETF work will document verifier expectations and building blocks for allowing safe execution of untrusted BPF programs. Executing programs using the BPF instruction set also requires either an interpreter or a compiler to translate them to hardware processor native instructions. In general, interpreters are considered a source of insecurity (e.g., gadgets susceptible to side-channel attacks due to speculative execution) whenever one is used in the same memory address space as data with confidentiality concerns. As such, use of a compiler is recommended instead. Compilers should be audited carefully for vulnerabilities to ensure that compilation of a trusted and verified BPF program to native processor instructions does not introduce vulnerabilities. Exposing functionality via BPF extends the interface between the component executing the BPF program and the component submitting it. Careful consideration of what functionality is exposed and how that impacts the security properties desired is required. -- Bpf mailing list Bpf@ietf.org https://www.ietf.org/mailman/listinfo/bpf ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [Bpf] BPF ISA Security Considerations section 2024-04-23 17:59 ` [Bpf] " dthaler1968 2024-04-23 17:59 ` dthaler1968=40googlemail.com @ 2024-04-23 19:59 ` David Vernet 2024-04-23 19:59 ` David Vernet 1 sibling, 1 reply; 29+ messages in thread From: David Vernet @ 2024-04-23 19:59 UTC (permalink / raw) To: dthaler1968; +Cc: 'Watson Ladd', 'Alan Jowett', bpf, bpf [-- Attachment #1: Type: text/plain, Size: 3186 bytes --] On Tue, Apr 23, 2024 at 10:59:09AM -0700, dthaler1968@googlemail.com wrote: > Thanks Watson and Alan for continued feedback. > > Watson wrote: > > But W^X mappings are for JIT (and avoidable by writing, then remapping and > > executing), not interpreters. > > Removed W^X phrase. > > > How about we just say "Executing the program requires > > an interpreter or JIT compiler in the same memory space as the system being > > probed or extended. > > Execution does not require that the interpreter or JIT compiler is in the same > memory space, even if that is the most common implementation. (And Alan's > point also applies here that compilation might or might not be JIT per se.) > > Below is the latest strawman after taking the latest feedback into account... > > -Dave > > > Security Considerations > ======================= > > BPF programs could use BPF instructions to do malicious things with memory, CPU, networking, > or other system resources. This is not fundamentally different from any other type of > software that may run on a device. Execution environments should be carefully designed > to only run BPF programs that are trusted and verified, and sandboxing and privilege level > separation are key strategies for limiting security and abuse impact. For example, BPF > verifiers are well-known and widely deployed and are responsible for ensuring that BPF programs > will terminate within a reasonable time, only interact with memory in safe ways, and adhere to > platform-specified API contracts. This level of verification can often provide a stronger level > of security assurance than for other software and operating system code. > While the details are out of scope of this document, > `Linux <https://www.kernel.org/doc/html/latest/bpf/verifier.html>`_ and > `PREVAIL <https://pldi19.sigplan.org/details/pldi-2019-papers/44/Simple-and-Precise-Static-Analysis-of-Untrusted-Linux-K Kernel-Extensions>`_ do provide many details. Future IETF work will document verifier expectations > and building blocks for allowing safe execution of untrusted BPF programs. > > Executing programs using the BPF instruction set also requires either an interpreter or a compiler > to translate them to hardware processor native instructions. In general, interpreters are considered a > source of insecurity (e.g., gadgets susceptible to side-channel attacks due to speculative execution) > whenever one is used in the same memory address space as data with confidentiality > concerns. As such, use of a compiler is recommended instead. Compilers should be audited > carefully for vulnerabilities to ensure that compilation of a trusted and verified BPF program > to native processor instructions does not introduce vulnerabilities. > > Exposing functionality via BPF extends the interface between the component executing the BPF program and the > component submitting it. Careful consideration of what functionality is exposed and how > that impacts the security properties desired is required. LGTM [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 228 bytes --] ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [Bpf] BPF ISA Security Considerations section 2024-04-23 19:59 ` David Vernet @ 2024-04-23 19:59 ` David Vernet 0 siblings, 0 replies; 29+ messages in thread From: David Vernet @ 2024-04-23 19:59 UTC (permalink / raw) To: dthaler1968; +Cc: 'Watson Ladd', 'Alan Jowett', bpf, bpf [-- Attachment #1.1: Type: text/plain, Size: 3186 bytes --] On Tue, Apr 23, 2024 at 10:59:09AM -0700, dthaler1968@googlemail.com wrote: > Thanks Watson and Alan for continued feedback. > > Watson wrote: > > But W^X mappings are for JIT (and avoidable by writing, then remapping and > > executing), not interpreters. > > Removed W^X phrase. > > > How about we just say "Executing the program requires > > an interpreter or JIT compiler in the same memory space as the system being > > probed or extended. > > Execution does not require that the interpreter or JIT compiler is in the same > memory space, even if that is the most common implementation. (And Alan's > point also applies here that compilation might or might not be JIT per se.) > > Below is the latest strawman after taking the latest feedback into account... > > -Dave > > > Security Considerations > ======================= > > BPF programs could use BPF instructions to do malicious things with memory, CPU, networking, > or other system resources. This is not fundamentally different from any other type of > software that may run on a device. Execution environments should be carefully designed > to only run BPF programs that are trusted and verified, and sandboxing and privilege level > separation are key strategies for limiting security and abuse impact. For example, BPF > verifiers are well-known and widely deployed and are responsible for ensuring that BPF programs > will terminate within a reasonable time, only interact with memory in safe ways, and adhere to > platform-specified API contracts. This level of verification can often provide a stronger level > of security assurance than for other software and operating system code. > While the details are out of scope of this document, > `Linux <https://www.kernel.org/doc/html/latest/bpf/verifier.html>`_ and > `PREVAIL <https://pldi19.sigplan.org/details/pldi-2019-papers/44/Simple-and-Precise-Static-Analysis-of-Untrusted-Linux-K Kernel-Extensions>`_ do provide many details. Future IETF work will document verifier expectations > and building blocks for allowing safe execution of untrusted BPF programs. > > Executing programs using the BPF instruction set also requires either an interpreter or a compiler > to translate them to hardware processor native instructions. In general, interpreters are considered a > source of insecurity (e.g., gadgets susceptible to side-channel attacks due to speculative execution) > whenever one is used in the same memory address space as data with confidentiality > concerns. As such, use of a compiler is recommended instead. Compilers should be audited > carefully for vulnerabilities to ensure that compilation of a trusted and verified BPF program > to native processor instructions does not introduce vulnerabilities. > > Exposing functionality via BPF extends the interface between the component executing the BPF program and the > component submitting it. Careful consideration of what functionality is exposed and how > that impacts the security properties desired is required. LGTM [-- Attachment #1.2: signature.asc --] [-- Type: application/pgp-signature, Size: 228 bytes --] [-- Attachment #2: Type: text/plain, Size: 76 bytes --] -- Bpf mailing list Bpf@ietf.org https://www.ietf.org/mailman/listinfo/bpf ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [Bpf] BPF ISA Security Considerations section 2024-04-20 16:08 BPF ISA Security Considerations section dthaler1968 2024-04-20 16:08 ` [Bpf] " dthaler1968=40googlemail.com 2024-04-21 16:51 ` David Vernet @ 2024-04-22 19:01 ` Watson Ladd 2024-04-22 19:01 ` Watson Ladd 2024-04-22 19:05 ` dthaler1968 2 siblings, 2 replies; 29+ messages in thread From: Watson Ladd @ 2024-04-22 19:01 UTC (permalink / raw) To: dthaler1968=40googlemail.com; +Cc: bpf, bpf On Sat, Apr 20, 2024 at 9:09 AM <dthaler1968=40googlemail.com@dmarc.ietf.org> wrote: > > Per https://authors.ietf.org/en/required-content#security-considerations, > the BPF ISA draft is required to have a Security Considerations section > before > it can become an RFC. > > Below is strawman text that tries to strike a balance between discussing > security issues and solutions vs keeping details out of scope that belong in > other > documents like the "verifier expectations and building blocks for allowing > safe > execution of untrusted BPF programs" document that is a separate item on the > IETF WG charter. > > Proposed text: > > > Security Considerations > > > > BPF programs could use BPF instructions to do malicious things with > memory, > > CPU, networking, or other system resources. This is not fundamentally > different > > from any other type of software that may run on a device. Execution > environments > > should be carefully designed to only run BPF programs that are trusted or > verified, > > and sandboxing and privilege level separation are key strategies for > limiting > > security and abuse impact. For example, BPF verifiers are well-known and > widely > > deployed and are responsible for ensuring that BPF programs will terminate > > within a reasonable time, only interact with memory in safe ways, and > adhere to > > platform-specified API contracts. The details are out of scope of this > document > > (but see [LINUX] and [PREVAIL]), but this level of verification can often > provide a > > stronger level of security assurance than for other software and operating > system > > code. I would put a reference to the other deliverable to say more. If we think that's suboptimal for publication strategy, maybe we can be more generic about it. Often BPF programs are executed on the other side of a reliability boundary, e.g. if you execute a BPF filter saying drop all on your network card, have fun. This isn't different from firewalls and the like, but it's a new risk that people aren't expecting. I think we might also need to call out that BPF security assurance requires careful design and thought about what is exposed via BPF. Sincerely, Watson > Bpf@ietf.org > https://www.ietf.org/mailman/listinfo/bpf -- Astra mortemque praestare gradatim ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [Bpf] BPF ISA Security Considerations section 2024-04-22 19:01 ` Watson Ladd @ 2024-04-22 19:01 ` Watson Ladd 2024-04-22 19:05 ` dthaler1968 1 sibling, 0 replies; 29+ messages in thread From: Watson Ladd @ 2024-04-22 19:01 UTC (permalink / raw) To: dthaler1968=40googlemail.com; +Cc: bpf, bpf On Sat, Apr 20, 2024 at 9:09 AM <dthaler1968=40googlemail.com@dmarc.ietf.org> wrote: > > Per https://authors.ietf.org/en/required-content#security-considerations, > the BPF ISA draft is required to have a Security Considerations section > before > it can become an RFC. > > Below is strawman text that tries to strike a balance between discussing > security issues and solutions vs keeping details out of scope that belong in > other > documents like the "verifier expectations and building blocks for allowing > safe > execution of untrusted BPF programs" document that is a separate item on the > IETF WG charter. > > Proposed text: > > > Security Considerations > > > > BPF programs could use BPF instructions to do malicious things with > memory, > > CPU, networking, or other system resources. This is not fundamentally > different > > from any other type of software that may run on a device. Execution > environments > > should be carefully designed to only run BPF programs that are trusted or > verified, > > and sandboxing and privilege level separation are key strategies for > limiting > > security and abuse impact. For example, BPF verifiers are well-known and > widely > > deployed and are responsible for ensuring that BPF programs will terminate > > within a reasonable time, only interact with memory in safe ways, and > adhere to > > platform-specified API contracts. The details are out of scope of this > document > > (but see [LINUX] and [PREVAIL]), but this level of verification can often > provide a > > stronger level of security assurance than for other software and operating > system > > code. I would put a reference to the other deliverable to say more. If we think that's suboptimal for publication strategy, maybe we can be more generic about it. Often BPF programs are executed on the other side of a reliability boundary, e.g. if you execute a BPF filter saying drop all on your network card, have fun. This isn't different from firewalls and the like, but it's a new risk that people aren't expecting. I think we might also need to call out that BPF security assurance requires careful design and thought about what is exposed via BPF. Sincerely, Watson > Bpf@ietf.org > https://www.ietf.org/mailman/listinfo/bpf -- Astra mortemque praestare gradatim -- Bpf mailing list Bpf@ietf.org https://www.ietf.org/mailman/listinfo/bpf ^ permalink raw reply [flat|nested] 29+ messages in thread
* RE: [Bpf] BPF ISA Security Considerations section 2024-04-22 19:01 ` Watson Ladd 2024-04-22 19:01 ` Watson Ladd @ 2024-04-22 19:05 ` dthaler1968 2024-04-22 19:05 ` dthaler1968=40googlemail.com 2024-04-23 1:01 ` Watson Ladd 1 sibling, 2 replies; 29+ messages in thread From: dthaler1968 @ 2024-04-22 19:05 UTC (permalink / raw) To: 'Watson Ladd'; +Cc: bpf, bpf > -----Original Message----- > From: Watson Ladd <watsonbladd@gmail.com> > Sent: Monday, April 22, 2024 12:02 PM > To: dthaler1968=40googlemail.com@dmarc.ietf.org > Cc: bpf@ietf.org; bpf@vger.kernel.org > Subject: Re: [Bpf] BPF ISA Security Considerations section > > On Sat, Apr 20, 2024 at 9:09 AM > <dthaler1968=40googlemail.com@dmarc.ietf.org> wrote: > > > > Per > > https://authors.ietf.org/en/required-content#security-considerations, > > the BPF ISA draft is required to have a Security Considerations > > section before it can become an RFC. > > > > Below is strawman text that tries to strike a balance between > > discussing security issues and solutions vs keeping details out of > > scope that belong in other documents like the "verifier expectations > > and building blocks for allowing safe execution of untrusted BPF > > programs" document that is a separate item on the IETF WG charter. > > > > Proposed text: > > > > > Security Considerations > > > > > > BPF programs could use BPF instructions to do malicious things with > > memory, > > > CPU, networking, or other system resources. This is not > > > fundamentally > > different > > > from any other type of software that may run on a device. Execution > > environments > > > should be carefully designed to only run BPF programs that are > > > trusted or > > verified, > > > and sandboxing and privilege level separation are key strategies for > > limiting > > > security and abuse impact. For example, BPF verifiers are well-known > > > and > > widely > > > deployed and are responsible for ensuring that BPF programs will > > > terminate within a reasonable time, only interact with memory in > > > safe ways, and > > adhere to > > > platform-specified API contracts. The details are out of scope of > > > this > > document > > > (but see [LINUX] and [PREVAIL]), but this level of verification can > > > often > > provide a > > > stronger level of security assurance than for other software and > > > operating > > system > > > code. > > I would put a reference to the other deliverable to say more. If we think that's > suboptimal for publication strategy, maybe we can be more generic about it. There's nothing that can be referenced yet. One can only say it's left for future work, would you prefer that? > Often BPF programs are executed on the other side of a reliability boundary, e.g. if > you execute a BPF filter saying drop all on your network card, have fun. This isn't > different from firewalls and the like, but it's a new risk that people aren't expecting. I > think we might also need to call out that BPF security assurance requires careful > design and thought about what is exposed via BPF. > > Sincerely, > Watson Do you have proposed text? Dave ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [Bpf] BPF ISA Security Considerations section 2024-04-22 19:05 ` dthaler1968 @ 2024-04-22 19:05 ` dthaler1968=40googlemail.com 2024-04-23 1:01 ` Watson Ladd 1 sibling, 0 replies; 29+ messages in thread From: dthaler1968=40googlemail.com @ 2024-04-22 19:05 UTC (permalink / raw) To: 'Watson Ladd'; +Cc: bpf, bpf > -----Original Message----- > From: Watson Ladd <watsonbladd@gmail.com> > Sent: Monday, April 22, 2024 12:02 PM > To: dthaler1968=40googlemail.com@dmarc.ietf.org > Cc: bpf@ietf.org; bpf@vger.kernel.org > Subject: Re: [Bpf] BPF ISA Security Considerations section > > On Sat, Apr 20, 2024 at 9:09 AM > <dthaler1968=40googlemail.com@dmarc.ietf.org> wrote: > > > > Per > > https://authors.ietf.org/en/required-content#security-considerations, > > the BPF ISA draft is required to have a Security Considerations > > section before it can become an RFC. > > > > Below is strawman text that tries to strike a balance between > > discussing security issues and solutions vs keeping details out of > > scope that belong in other documents like the "verifier expectations > > and building blocks for allowing safe execution of untrusted BPF > > programs" document that is a separate item on the IETF WG charter. > > > > Proposed text: > > > > > Security Considerations > > > > > > BPF programs could use BPF instructions to do malicious things with > > memory, > > > CPU, networking, or other system resources. This is not > > > fundamentally > > different > > > from any other type of software that may run on a device. Execution > > environments > > > should be carefully designed to only run BPF programs that are > > > trusted or > > verified, > > > and sandboxing and privilege level separation are key strategies for > > limiting > > > security and abuse impact. For example, BPF verifiers are well-known > > > and > > widely > > > deployed and are responsible for ensuring that BPF programs will > > > terminate within a reasonable time, only interact with memory in > > > safe ways, and > > adhere to > > > platform-specified API contracts. The details are out of scope of > > > this > > document > > > (but see [LINUX] and [PREVAIL]), but this level of verification can > > > often > > provide a > > > stronger level of security assurance than for other software and > > > operating > > system > > > code. > > I would put a reference to the other deliverable to say more. If we think that's > suboptimal for publication strategy, maybe we can be more generic about it. There's nothing that can be referenced yet. One can only say it's left for future work, would you prefer that? > Often BPF programs are executed on the other side of a reliability boundary, e.g. if > you execute a BPF filter saying drop all on your network card, have fun. This isn't > different from firewalls and the like, but it's a new risk that people aren't expecting. I > think we might also need to call out that BPF security assurance requires careful > design and thought about what is exposed via BPF. > > Sincerely, > Watson Do you have proposed text? Dave -- Bpf mailing list Bpf@ietf.org https://www.ietf.org/mailman/listinfo/bpf ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [Bpf] BPF ISA Security Considerations section 2024-04-22 19:05 ` dthaler1968 2024-04-22 19:05 ` dthaler1968=40googlemail.com @ 2024-04-23 1:01 ` Watson Ladd 1 sibling, 0 replies; 29+ messages in thread From: Watson Ladd @ 2024-04-23 1:01 UTC (permalink / raw) To: Dave Thaler; +Cc: bpf, bpf [-- Attachment #1.1: Type: text/plain, Size: 3602 bytes --] On Mon, Apr 22, 2024 at 12:06 PM <dthaler1968@googlemail.com> wrote: > > > -----Original Message----- > > From: Watson Ladd <watsonbladd@gmail.com> > > Sent: Monday, April 22, 2024 12:02 PM > > To: dthaler1968=40googlemail.com@dmarc.ietf.org > > Cc: bpf@ietf.org; bpf@vger.kernel.org > > Subject: Re: [Bpf] BPF ISA Security Considerations section > > > > On Sat, Apr 20, 2024 at 9:09 AM > > <dthaler1968=40googlemail.com@dmarc.ietf.org> wrote: > > > > > > Per > > > https://authors.ietf.org/en/required-content#security-considerations, > > > the BPF ISA draft is required to have a Security Considerations > > > section before it can become an RFC. > > > > > > Below is strawman text that tries to strike a balance between > > > discussing security issues and solutions vs keeping details out of > > > scope that belong in other documents like the "verifier expectations > > > and building blocks for allowing safe execution of untrusted BPF > > > programs" document that is a separate item on the IETF WG charter. > > > > > > Proposed text: > > > > > > > Security Considerations > > > > > > > > BPF programs could use BPF instructions to do malicious things with > > > memory, > > > > CPU, networking, or other system resources. This is not > > > > fundamentally > > > different > > > > from any other type of software that may run on a device. Execution > > > environments > > > > should be carefully designed to only run BPF programs that are > > > > trusted or > > > verified, > > > > and sandboxing and privilege level separation are key strategies for > > > limiting > > > > security and abuse impact. For example, BPF verifiers are well-known > > > > and > > > widely > > > > deployed and are responsible for ensuring that BPF programs will > > > > terminate within a reasonable time, only interact with memory in > > > > safe ways, and > > > adhere to > > > > platform-specified API contracts. The details are out of scope of > > > > this > > > document > > > > (but see [LINUX] and [PREVAIL]), but this level of verification can > > > > often > > > provide a > > > > stronger level of security assurance than for other software and > > > > operating > > > system > > > > code. > > > > I would put a reference to the other deliverable to say more. If we think that's > > suboptimal for publication strategy, maybe we can be more generic about it. > > There's nothing that can be referenced yet. One can only say it's left for future work, > would you prefer that? I think keeping the existing references while saying "Future work will address this consideration" is best. Let's give the reader something they can use. > > > Often BPF programs are executed on the other side of a reliability boundary, e.g. if > > you execute a BPF filter saying drop all on your network card, have fun. This isn't > > different from firewalls and the like, but it's a new risk that people aren't expecting. I > > think we might also need to call out that BPF security assurance requires careful > > design and thought about what is exposed via BPF. > > > > Sincerely, > > Watson > > Do you have proposed text? "Exposing functionality via BPF extends the interface between the component executing the BPF and the component submitting it. Careful consideration of what functionality is supposed to be exposed and how that impacts the security properties desired is required." Does this work? Not sure if we have a good example of this causing problems. > > Dave > -- Astra mortemque praestare gradatim [-- Attachment #1.2: Type: text/html, Size: 5300 bytes --] [-- Attachment #2: Type: text/plain, Size: 76 bytes --] -- Bpf mailing list Bpf@ietf.org https://www.ietf.org/mailman/listinfo/bpf ^ permalink raw reply [flat|nested] 29+ messages in thread
end of thread, other threads:[~2024-04-23 19:59 UTC | newest] Thread overview: 29+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2024-04-20 16:08 BPF ISA Security Considerations section dthaler1968 2024-04-20 16:08 ` [Bpf] " dthaler1968=40googlemail.com 2024-04-21 16:51 ` David Vernet 2024-04-21 16:51 ` [Bpf] " David Vernet 2024-04-21 17:20 ` dthaler1968 2024-04-21 17:20 ` [Bpf] " dthaler1968=40googlemail.com 2024-04-22 18:37 ` dthaler1968 2024-04-22 18:37 ` [Bpf] " dthaler1968=40googlemail.com 2024-04-22 18:49 ` Watson Ladd 2024-04-22 18:49 ` Watson Ladd 2024-04-22 19:34 ` David Vernet 2024-04-22 19:34 ` [Bpf] " David Vernet 2024-04-22 20:26 ` dthaler1968 2024-04-22 20:26 ` [Bpf] " dthaler1968=40googlemail.com 2024-04-22 20:32 ` dthaler1968 2024-04-22 20:32 ` [Bpf] " dthaler1968=40googlemail.com 2024-04-23 0:19 ` Watson Ladd 2024-04-23 0:19 ` Watson Ladd 2024-04-23 16:00 ` [EXTERNAL] " Alan Jowett 2024-04-23 16:00 ` [Bpf] [EXTERNAL] " Alan Jowett 2024-04-23 17:59 ` [Bpf] " dthaler1968 2024-04-23 17:59 ` dthaler1968=40googlemail.com 2024-04-23 19:59 ` David Vernet 2024-04-23 19:59 ` David Vernet 2024-04-22 19:01 ` Watson Ladd 2024-04-22 19:01 ` Watson Ladd 2024-04-22 19:05 ` dthaler1968 2024-04-22 19:05 ` dthaler1968=40googlemail.com 2024-04-23 1:01 ` Watson Ladd
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox