From: Mike Rapoport <rppt@linux.ibm.com>
To: lsf-pc@lists.linux-foundation.org
Cc: linux-mm@kvack.org,
James Bottomley <James.Bottomley@HansenPartnership.com>
Subject: [LSF/MM TOPIC] Address space isolation inside the kernel
Date: Thu, 7 Feb 2019 09:24:22 +0200 [thread overview]
Message-ID: <20190207072421.GA9120@rapoport-lnx> (raw)
(Joint proposal with James Bottomley)
Address space isolation has been used to protect the kernel from the
userspace and userspace programs from each other since the invention of
the virtual memory.
Assuming that kernel bugs and therefore vulnerabilities are inevitable
it might be worth isolating parts of the kernel to minimize damage
that these vulnerabilities can cause.
There is already ongoing work in a similar direction, like XPFO [1] and
temporary mappings proposed for the kernel text poking [2].
We have several vague ideas how we can take this even further and make
different parts of kernel run in different address spaces:
* Remove most of the kernel mappings from the syscall entry and add a
trampoline when the syscall processing needs to call the "core
kernel".
* Make the parts of the kernel that execute in a namespace use their
own mappings for the namespace private data
* Extend EXPORT_SYMBOL to include a trampoline so that the code
running in modules won't map the entire kernel
* Execute BFP programs in a dedicated address space
These are very general possible directions. We are exploring some of
them now to understand if the security value is worth the complexity
and the performance impact.
We believe it would be helpful to discuss the general idea of address
space isolation inside the kernel, both from the technical aspect of
how it can be achieved simply and efficiently and from the isolation
aspect of what actual security guarantees it usefully provides.
[1] https://lore.kernel.org/lkml/cover.1547153058.git.khalid.aziz@oracle.com/
[2] https://lore.kernel.org/lkml/20190129003422.9328-4-rick.p.edgecombe@intel.com/
--
Sincerely yours,
Mike.
next reply other threads:[~2019-02-07 7:24 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-07 7:24 Mike Rapoport [this message]
2019-02-14 19:21 ` [LSF/MM TOPIC] Address space isolation inside the kernel Kees Cook
[not found] ` <CA+VK+GOpjXQ2-CLZt6zrW6m-=WpWpvcrXGSJ-723tRDMeAeHmg@mail.gmail.com>
2019-02-16 11:13 ` Paul Turner
2019-04-25 20:47 ` Jonathan Adams
2019-04-25 21:56 ` James Bottomley
2019-04-25 22:25 ` Paul Turner
2019-04-25 22:31 ` [Lsf-pc] " Alexei Starovoitov
2019-04-25 22:40 ` Paul Turner
2019-02-16 12:19 ` Balbir Singh
2019-02-16 16:30 ` James Bottomley
2019-02-17 8:01 ` Balbir Singh
2019-02-17 16:43 ` James Bottomley
2019-02-17 19:34 ` Matthew Wilcox
2019-02-17 20:09 ` James Bottomley
2019-02-17 21:54 ` Balbir Singh
2019-02-17 22:01 ` Balbir Singh
2019-02-17 22:20 ` [Lsf-pc] " James Bottomley
2019-02-18 11:15 ` Balbir Singh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190207072421.GA9120@rapoport-lnx \
--to=rppt@linux.ibm.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=linux-mm@kvack.org \
--cc=lsf-pc@lists.linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).