From: Josh Triplett <josh@joshtriplett.org>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Josh Armour <jarmour@google.com>,
Greg KH <gregkh@linuxfoundation.org>,
"ksummit-discuss@lists.linuxfoundation.org"
<ksummit-discuss@lists.linuxfoundation.org>
Subject: Re: [Ksummit-discuss] security-related TODO items?
Date: Fri, 20 Jan 2017 17:47:02 -0800 [thread overview]
Message-ID: <20170121014702.nqpbthe63emb7jxv@jtriplet-mobl2.jf.intel.com> (raw)
In-Reply-To: <CALCETrVKDAzcS62wTjDOGuRUNec_a-=8iEa7QQ62V83Ce2nk=A@mail.gmail.com>
On Fri, Jan 20, 2017 at 04:14:25PM -0800, Andy Lutomirski wrote:
> This is not easy at all, but: how about rewriting execve() so that the
> actual binary format parsers run in user mode?
I really like that idea. And not just the binary format parsers;
everything except the "do what would happen on exec" transition within
the kernel (the bits documented in execve(2) as changing/resetting on
execve, other than those bits trivially doable in userspace).
(One potential challenge: this still has to handle setuid binaries
safely.)
I can think of other syscalls where a userspace implementation would
make sense, as well, if it can run with reasonable performance. For
instance, imagine moving compatibility syscalls, x32 syscalls, or
deprecated syscalls into userspace, such that if a process found a way
to compromise that layer, it couldn't compromise any other process.
- Josh Triplett
next prev parent reply other threads:[~2017-01-21 2:10 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-20 22:38 Kees Cook
2017-01-21 0:14 ` Andy Lutomirski
2017-01-21 0:26 ` Kees Cook
2017-01-21 1:10 ` Matthew Wilcox
2017-01-21 1:47 ` Josh Triplett [this message]
2017-01-23 10:02 ` Alexey Dobriyan
2017-01-23 10:48 ` David Howells
2017-01-23 20:10 ` Andy Lutomirski
[not found] ` <c1822e5b-9352-c1ab-ee98-e492ef6e156a@I-love.SAKURA.ne.jp>
2017-01-24 20:58 ` Andy Lutomirski
2017-01-23 20:36 ` David Howells
2017-01-23 20:59 ` Matthew Wilcox
2017-01-23 21:53 ` Andy Lutomirski
2017-01-23 23:26 ` Greg Ungerer
2017-01-23 20:15 ` Christoph Hellwig
2017-01-24 2:38 ` Andy Lutomirski
2017-01-24 10:03 ` Eric W. Biederman
2017-01-24 21:00 ` Andy Lutomirski
2017-01-24 21:55 ` Eric W. Biederman
2017-01-24 10:38 ` Alexey Dobriyan
[not found] ` <CAEiveUcTQK84qFNpYoET-cpSXJe0KYtnYQtp0uTPz=z0tc3W9A@mail.gmail.com>
2017-03-07 16:25 ` Andy Lutomirski
2017-02-02 21:12 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170121014702.nqpbthe63emb7jxv@jtriplet-mobl2.jf.intel.com \
--to=josh@joshtriplett.org \
--cc=gregkh@linuxfoundation.org \
--cc=jarmour@google.com \
--cc=ksummit-discuss@lists.linuxfoundation.org \
--cc=luto@amacapital.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox