Re: [LSF/MM TOPIC] Address space isolation inside the kernel

linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed

From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Balbir Singh <bsingharora@gmail.com>
Cc: Mike Rapoport <rppt@linux.ibm.com>,
	lsf-pc@lists.linux-foundation.org,  linux-mm@kvack.org
Subject: Re: [LSF/MM TOPIC] Address space isolation inside the kernel
Date: Sun, 17 Feb 2019 08:43:01 -0800	[thread overview]
Message-ID: <1550421781.2809.2.camel@HansenPartnership.com> (raw)
In-Reply-To: <20190217080146.GF31125@350D>

On Sun, 2019-02-17 at 19:01 +1100, Balbir Singh wrote:
> On Sat, Feb 16, 2019 at 08:30:16AM -0800, James Bottomley wrote:
> > On Sat, 2019-02-16 at 23:19 +1100, Balbir Singh wrote:
> > > On Thu, Feb 07, 2019 at 09:24:22AM +0200, Mike Rapoport wrote:
> > > > (Joint proposal with James Bottomley)
> > > > 
> > > > Address space isolation has been used to protect the kernel
> > > > from the userspace and userspace programs from each other since
> > > > the invention of the virtual memory.
> > > > 
> > > > Assuming that kernel bugs and therefore vulnerabilities are
> > > > inevitable it might be worth isolating parts of the kernel to
> > > > minimize damage that these vulnerabilities can cause.
> > > > 
> > > 
> > > Is Address Space limited to user space and kernel space, where
> > > does the hypervisor fit into the picture?
> > 
> > It doesn't really.  The work is driven by the Nabla HAP measure
> > 
> > https://blog.hansenpartnership.com/measuring-the-horizontal-attack-
> > profile-of-nabla-containers/
> > 
> > Although the results are spectacular (building a container that's
> > measurably more secure than a hypervisor based system), they come
> > at the price of emulating a lot of the kernel and thus damaging the
> > precise resource control advantage containers have.  The idea then
> > is to render parts of the kernel syscall interface safe enough that
> > they have a security profile equivalent to the emulated one and can
> > thus be called directly instead of being emulated, hoping to
> > restore most of the container resource management properties.
> > 
> > In theory, I suppose it would buy you protection from things like
> > the kata containers host breach:
> > 
> > https://nabla-containers.github.io/2018/11/28/fs/
> > 
> 
> Thanks, so it's largely to prevent escaping the container namespace.
> Since the topic thread was generic, I thought I'd ask

Actually, that's not quite it either.  The motivation is certainly
container security but the current thrust of the work is generic kernel
security ... the rising tide principle.

James

next prev parent reply	other threads:[~2019-02-17 16:43 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-02-07  7:24 Mike Rapoport
2019-02-14 19:21 ` Kees Cook
     [not found] ` <CA+VK+GOpjXQ2-CLZt6zrW6m-=WpWpvcrXGSJ-723tRDMeAeHmg@mail.gmail.com>
2019-02-16 11:13   ` Paul Turner
2019-04-25 20:47     ` Jonathan Adams
2019-04-25 21:56       ` James Bottomley
2019-04-25 22:25         ` Paul Turner
2019-04-25 22:31           ` [Lsf-pc] " Alexei Starovoitov
2019-04-25 22:40             ` Paul Turner
2019-02-16 12:19 ` Balbir Singh
2019-02-16 16:30   ` James Bottomley
2019-02-17  8:01     ` Balbir Singh
2019-02-17 16:43       ` James Bottomley [this message]
2019-02-17 19:34     ` Matthew Wilcox
2019-02-17 20:09       ` James Bottomley
2019-02-17 21:54         ` Balbir Singh
2019-02-17 22:01         ` Balbir Singh
2019-02-17 22:20           ` [Lsf-pc] " James Bottomley
2019-02-18 11:15             ` Balbir Singh

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1550421781.2809.2.camel@HansenPartnership.com \
    --to=james.bottomley@hansenpartnership.com \
    --cc=bsingharora@gmail.com \
    --cc=linux-mm@kvack.org \
    --cc=lsf-pc@lists.linux-foundation.org \
    --cc=rppt@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox