From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Balbir Singh <bsingharora@gmail.com>, Mike Rapoport <rppt@linux.ibm.com>
Cc: lsf-pc@lists.linux-foundation.org, linux-mm@kvack.org
Subject: Re: [LSF/MM TOPIC] Address space isolation inside the kernel
Date: Sat, 16 Feb 2019 08:30:16 -0800 [thread overview]
Message-ID: <1550334616.3131.10.camel@HansenPartnership.com> (raw)
In-Reply-To: <20190216121950.GB31125@350D>
On Sat, 2019-02-16 at 23:19 +1100, Balbir Singh wrote:
> On Thu, Feb 07, 2019 at 09:24:22AM +0200, Mike Rapoport wrote:
> > (Joint proposal with James Bottomley)
> >
> > Address space isolation has been used to protect the kernel from
> > the userspace and userspace programs from each other since the
> > invention of the virtual memory.
> >
> > Assuming that kernel bugs and therefore vulnerabilities are
> > inevitable it might be worth isolating parts of the kernel to
> > minimize damage that these vulnerabilities can cause.
> >
>
> Is Address Space limited to user space and kernel space, where does
> the hypervisor fit into the picture?
It doesn't really. The work is driven by the Nabla HAP measure
https://blog.hansenpartnership.com/measuring-the-horizontal-attack-profile-of-nabla-containers/
Although the results are spectacular (building a container that's
measurably more secure than a hypervisor based system), they come at
the price of emulating a lot of the kernel and thus damaging the
precise resource control advantage containers have. The idea then is
to render parts of the kernel syscall interface safe enough that they
have a security profile equivalent to the emulated one and can thus be
called directly instead of being emulated, hoping to restore most of
the container resource management properties.
In theory, I suppose it would buy you protection from things like the
kata containers host breach:
https://nabla-containers.github.io/2018/11/28/fs/
> > There is already ongoing work in a similar direction, like XPFO [1]
> > and temporary mappings proposed for the kernel text poking [2].
> >
> > We have several vague ideas how we can take this even further and
> > make different parts of kernel run in different address spaces:
> > * Remove most of the kernel mappings from the syscall entry and add
> > a
> > trampoline when the syscall processing needs to call the "core
> > kernel".
> > * Make the parts of the kernel that execute in a namespace use
> > their
> > own mappings for the namespace private data
>
> Is the key reason for removing mappings -- to remove the processor
> from speculating data/text from those mappings? SMAP/SMEP provides
> a level of isolation from access and execution
Not really, it's to reduce the exploitability of the code path and
limit the exposure of data which can be compromised when you're
exploited.
> For namespaces, does allocating the right memory protection key
> work? At some point we'll need to recycle the keys
I don't think anyone mentioned memory keys and namespaces ... I take it
you're thinking of SEV/MKTME? The idea being to shield one container's
execution from another using memory encryption? We've speculated it's
possible but the actual mechanism we were looking at is tagging pages
to namespaces (essentially using the mount namspace and tags on the
page cache) so the kernel would refuse to map a page into the wrong
namespace. This approach doesn't seem to be as promising as the
separated address space one because the security properties are harder
to measure.
James
> It'll be an interesting discussion and I'd love to attend if invited
>
> Balbir Singh.
>
next prev parent reply other threads:[~2019-02-16 16:30 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-07 7:24 [LSF/MM TOPIC] Address space isolation inside the kernel Mike Rapoport
2019-02-14 19:21 ` Kees Cook
[not found] ` <CA+VK+GOpjXQ2-CLZt6zrW6m-=WpWpvcrXGSJ-723tRDMeAeHmg@mail.gmail.com>
2019-02-16 11:13 ` Paul Turner
2019-04-25 20:47 ` Jonathan Adams
2019-04-25 21:56 ` James Bottomley
2019-04-25 22:25 ` Paul Turner
2019-04-25 22:31 ` [Lsf-pc] " Alexei Starovoitov
2019-04-25 22:40 ` Paul Turner
2019-02-16 12:19 ` Balbir Singh
2019-02-16 16:30 ` James Bottomley [this message]
2019-02-17 8:01 ` Balbir Singh
2019-02-17 16:43 ` James Bottomley
2019-02-17 19:34 ` Matthew Wilcox
2019-02-17 20:09 ` James Bottomley
2019-02-17 21:54 ` Balbir Singh
2019-02-17 22:01 ` Balbir Singh
2019-02-17 22:20 ` [Lsf-pc] " James Bottomley
2019-02-18 11:15 ` Balbir Singh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1550334616.3131.10.camel@HansenPartnership.com \
--to=james.bottomley@hansenpartnership.com \
--cc=bsingharora@gmail.com \
--cc=linux-mm@kvack.org \
--cc=lsf-pc@lists.linux-foundation.org \
--cc=rppt@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).