From: David Vernet <void@manifault.com>
To: dthaler1968@googlemail.com
Cc: 'Watson Ladd' <watsonbladd@gmail.com>,
'Alan Jowett' <Alan.Jowett@microsoft.com>,
bpf@ietf.org, bpf@vger.kernel.org
Subject: Re: [Bpf] BPF ISA Security Considerations section
Date: Tue, 23 Apr 2024 14:59:09 -0500 [thread overview]
Message-ID: <20240423195909.GA89547@maniforge> (raw)
In-Reply-To: <1b5f01da95a7$f1a684b0$d4f38e10$@gmail.com>
[-- Attachment #1: Type: text/plain, Size: 3186 bytes --]
On Tue, Apr 23, 2024 at 10:59:09AM -0700, dthaler1968@googlemail.com wrote:
> Thanks Watson and Alan for continued feedback.
>
> Watson wrote:
> > But W^X mappings are for JIT (and avoidable by writing, then remapping and
> > executing), not interpreters.
>
> Removed W^X phrase.
>
> > How about we just say "Executing the program requires
> > an interpreter or JIT compiler in the same memory space as the system being
> > probed or extended.
>
> Execution does not require that the interpreter or JIT compiler is in the same
> memory space, even if that is the most common implementation. (And Alan's
> point also applies here that compilation might or might not be JIT per se.)
>
> Below is the latest strawman after taking the latest feedback into account...
>
> -Dave
>
>
> Security Considerations
> =======================
>
> BPF programs could use BPF instructions to do malicious things with memory, CPU, networking,
> or other system resources. This is not fundamentally different from any other type of
> software that may run on a device. Execution environments should be carefully designed
> to only run BPF programs that are trusted and verified, and sandboxing and privilege level
> separation are key strategies for limiting security and abuse impact. For example, BPF
> verifiers are well-known and widely deployed and are responsible for ensuring that BPF programs
> will terminate within a reasonable time, only interact with memory in safe ways, and adhere to
> platform-specified API contracts. This level of verification can often provide a stronger level
> of security assurance than for other software and operating system code.
> While the details are out of scope of this document,
> `Linux <https://www.kernel.org/doc/html/latest/bpf/verifier.html>`_ and
> `PREVAIL <https://pldi19.sigplan.org/details/pldi-2019-papers/44/Simple-and-Precise-Static-Analysis-of-Untrusted-Linux-K Kernel-Extensions>`_ do provide many details. Future IETF work will document verifier expectations
> and building blocks for allowing safe execution of untrusted BPF programs.
>
> Executing programs using the BPF instruction set also requires either an interpreter or a compiler
> to translate them to hardware processor native instructions. In general, interpreters are considered a
> source of insecurity (e.g., gadgets susceptible to side-channel attacks due to speculative execution)
> whenever one is used in the same memory address space as data with confidentiality
> concerns. As such, use of a compiler is recommended instead. Compilers should be audited
> carefully for vulnerabilities to ensure that compilation of a trusted and verified BPF program
> to native processor instructions does not introduce vulnerabilities.
>
> Exposing functionality via BPF extends the interface between the component executing the BPF program and the
> component submitting it. Careful consideration of what functionality is exposed and how
> that impacts the security properties desired is required.
LGTM
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
WARNING: multiple messages have this Message-ID (diff)
From: David Vernet <void@manifault.com>
To: dthaler1968@googlemail.com
Cc: 'Watson Ladd' <watsonbladd@gmail.com>,
'Alan Jowett' <Alan.Jowett@microsoft.com>,
bpf@ietf.org, bpf@vger.kernel.org
Subject: Re: [Bpf] BPF ISA Security Considerations section
Date: Tue, 23 Apr 2024 14:59:09 -0500 [thread overview]
Message-ID: <20240423195909.GA89547@maniforge> (raw)
Message-ID: <20240423195909.CR4JgdTu3VmEO30DKlkzPWCmIQESzjC3YVVBXWs9onc@z> (raw)
In-Reply-To: <1b5f01da95a7$f1a684b0$d4f38e10$@gmail.com>
[-- Attachment #1.1: Type: text/plain, Size: 3186 bytes --]
On Tue, Apr 23, 2024 at 10:59:09AM -0700, dthaler1968@googlemail.com wrote:
> Thanks Watson and Alan for continued feedback.
>
> Watson wrote:
> > But W^X mappings are for JIT (and avoidable by writing, then remapping and
> > executing), not interpreters.
>
> Removed W^X phrase.
>
> > How about we just say "Executing the program requires
> > an interpreter or JIT compiler in the same memory space as the system being
> > probed or extended.
>
> Execution does not require that the interpreter or JIT compiler is in the same
> memory space, even if that is the most common implementation. (And Alan's
> point also applies here that compilation might or might not be JIT per se.)
>
> Below is the latest strawman after taking the latest feedback into account...
>
> -Dave
>
>
> Security Considerations
> =======================
>
> BPF programs could use BPF instructions to do malicious things with memory, CPU, networking,
> or other system resources. This is not fundamentally different from any other type of
> software that may run on a device. Execution environments should be carefully designed
> to only run BPF programs that are trusted and verified, and sandboxing and privilege level
> separation are key strategies for limiting security and abuse impact. For example, BPF
> verifiers are well-known and widely deployed and are responsible for ensuring that BPF programs
> will terminate within a reasonable time, only interact with memory in safe ways, and adhere to
> platform-specified API contracts. This level of verification can often provide a stronger level
> of security assurance than for other software and operating system code.
> While the details are out of scope of this document,
> `Linux <https://www.kernel.org/doc/html/latest/bpf/verifier.html>`_ and
> `PREVAIL <https://pldi19.sigplan.org/details/pldi-2019-papers/44/Simple-and-Precise-Static-Analysis-of-Untrusted-Linux-K Kernel-Extensions>`_ do provide many details. Future IETF work will document verifier expectations
> and building blocks for allowing safe execution of untrusted BPF programs.
>
> Executing programs using the BPF instruction set also requires either an interpreter or a compiler
> to translate them to hardware processor native instructions. In general, interpreters are considered a
> source of insecurity (e.g., gadgets susceptible to side-channel attacks due to speculative execution)
> whenever one is used in the same memory address space as data with confidentiality
> concerns. As such, use of a compiler is recommended instead. Compilers should be audited
> carefully for vulnerabilities to ensure that compilation of a trusted and verified BPF program
> to native processor instructions does not introduce vulnerabilities.
>
> Exposing functionality via BPF extends the interface between the component executing the BPF program and the
> component submitting it. Careful consideration of what functionality is exposed and how
> that impacts the security properties desired is required.
LGTM
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
[-- Attachment #2: Type: text/plain, Size: 76 bytes --]
--
Bpf mailing list
Bpf@ietf.org
https://www.ietf.org/mailman/listinfo/bpf
next prev parent reply other threads:[~2024-04-23 19:59 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-20 16:08 BPF ISA Security Considerations section dthaler1968
2024-04-20 16:08 ` [Bpf] " dthaler1968=40googlemail.com
2024-04-21 16:51 ` David Vernet
2024-04-21 16:51 ` [Bpf] " David Vernet
2024-04-21 17:20 ` dthaler1968
2024-04-21 17:20 ` [Bpf] " dthaler1968=40googlemail.com
2024-04-22 18:37 ` dthaler1968
2024-04-22 18:37 ` [Bpf] " dthaler1968=40googlemail.com
2024-04-22 18:49 ` Watson Ladd
2024-04-22 18:49 ` Watson Ladd
2024-04-22 19:34 ` David Vernet
2024-04-22 19:34 ` [Bpf] " David Vernet
2024-04-22 20:26 ` dthaler1968
2024-04-22 20:26 ` [Bpf] " dthaler1968=40googlemail.com
2024-04-22 20:32 ` dthaler1968
2024-04-22 20:32 ` [Bpf] " dthaler1968=40googlemail.com
2024-04-23 0:19 ` Watson Ladd
2024-04-23 0:19 ` Watson Ladd
2024-04-23 16:00 ` [EXTERNAL] " Alan Jowett
2024-04-23 16:00 ` [Bpf] [EXTERNAL] " Alan Jowett
2024-04-23 17:59 ` [Bpf] " dthaler1968
2024-04-23 17:59 ` dthaler1968=40googlemail.com
2024-04-23 19:59 ` David Vernet [this message]
2024-04-23 19:59 ` David Vernet
2024-04-22 19:01 ` Watson Ladd
2024-04-22 19:01 ` Watson Ladd
2024-04-22 19:05 ` dthaler1968
2024-04-22 19:05 ` dthaler1968=40googlemail.com
2024-04-23 1:01 ` Watson Ladd
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240423195909.GA89547@maniforge \
--to=void@manifault.com \
--cc=Alan.Jowett@microsoft.com \
--cc=bpf@ietf.org \
--cc=bpf@vger.kernel.org \
--cc=dthaler1968@googlemail.com \
--cc=watsonbladd@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox