From: Jonathan Adams <jwadams@google.com>
To: Paul Turner <pjt@google.com>
Cc: lsf-pc@lists.linux-foundation.org, linux-mm@kvack.org,
James Bottomley <James.Bottomley@hansenpartnership.com>,
Mike Rapoport <rppt@linux.ibm.com>
Subject: Re: [LSF/MM TOPIC] Address space isolation inside the kernel
Date: Thu, 25 Apr 2019 13:47:46 -0700 [thread overview]
Message-ID: <CA+VK+GOOv4Vpfv+yMwHGwyf_a5tvcY9_0naGR=LgzxTFbDkBnQ@mail.gmail.com> (raw)
In-Reply-To: <CAPM31RKpR0EZoeXZMXciTxvjBEeu3Jf3ks4Dn9gERxXghoB67w@mail.gmail.com>
It looks like the MM track isn't full, and I think this topic is an
important thing to discuss.
Cheers,
- Jonathan
On Sat, Feb 16, 2019 at 3:14 AM Paul Turner <pjt@google.com> wrote:
>
> I wanted to second the proposal for address space isolation.
>
> We have some new techniques to introduce her also, built around some new ideas using page-faults that we believe are interesting.
>
> To wit, page faults uniquely allow us to fork speculative and non-speculative execution as we can control the retired path within the fault itself (which as it turns out, will obviously never be executed speculatively).
>
> This lets us provide isolation against variant1 gadgets, as well as guarantee what data may or may not be cache present for the purposes of L1TF and Meltdown mitigation.
>
> I'm not sure whether or not I'll be able to attend (I have a newborn and there's a lot of other scheduling I'm trying to work out). But Jonathan Adams (cc'd) has been working on this and can speak to it. We also have some write-ups to publish independently of this.
>
> Thanks,
>
> - Paul
>
>> (Joint proposal with James Bottomley)
>>
>> Address space isolation has been used to protect the kernel from the
>> userspace and userspace programs from each other since the invention of
>> the virtual memory.
>>
>> Assuming that kernel bugs and therefore vulnerabilities are inevitable
>> it might be worth isolating parts of the kernel to minimize damage
>> that these vulnerabilities can cause.
>>
>> There is already ongoing work in a similar direction, like XPFO [1] and
>> temporary mappings proposed for the kernel text poking [2].
>>
>> We have several vague ideas how we can take this even further and make
>> different parts of kernel run in different address spaces:
>> * Remove most of the kernel mappings from the syscall entry and add a
>> trampoline when the syscall processing needs to call the "core
>> kernel".
>> * Make the parts of the kernel that execute in a namespace use their
>> own mappings for the namespace private data
>> * Extend EXPORT_SYMBOL to include a trampoline so that the code
>> running in modules won't map the entire kernel
>> * Execute BFP programs in a dedicated address space
>>
>> These are very general possible directions. We are exploring some of
>> them now to understand if the security value is worth the complexity
>> and the performance impact.
>>
>> We believe it would be helpful to discuss the general idea of address
>> space isolation inside the kernel, both from the technical aspect of
>> how it can be achieved simply and efficiently and from the isolation
>> aspect of what actual security guarantees it usefully provides.
>>
>> [1] https://lore.kernel.org/lkml/cover.1547153058.git.khalid.aziz@oracle.com/
>> [2] https://lore.kernel.org/lkml/20190129003422.9328-4-rick.p.edgecombe@intel.com/
>>
>> --
>> Sincerely yours,
>> Mike.
next prev parent reply other threads:[~2019-04-25 20:48 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-07 7:24 Mike Rapoport
2019-02-14 19:21 ` Kees Cook
[not found] ` <CA+VK+GOpjXQ2-CLZt6zrW6m-=WpWpvcrXGSJ-723tRDMeAeHmg@mail.gmail.com>
2019-02-16 11:13 ` Paul Turner
2019-04-25 20:47 ` Jonathan Adams [this message]
2019-04-25 21:56 ` James Bottomley
2019-04-25 22:25 ` Paul Turner
2019-04-25 22:31 ` [Lsf-pc] " Alexei Starovoitov
2019-04-25 22:40 ` Paul Turner
2019-02-16 12:19 ` Balbir Singh
2019-02-16 16:30 ` James Bottomley
2019-02-17 8:01 ` Balbir Singh
2019-02-17 16:43 ` James Bottomley
2019-02-17 19:34 ` Matthew Wilcox
2019-02-17 20:09 ` James Bottomley
2019-02-17 21:54 ` Balbir Singh
2019-02-17 22:01 ` Balbir Singh
2019-02-17 22:20 ` [Lsf-pc] " James Bottomley
2019-02-18 11:15 ` Balbir Singh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CA+VK+GOOv4Vpfv+yMwHGwyf_a5tvcY9_0naGR=LgzxTFbDkBnQ@mail.gmail.com' \
--to=jwadams@google.com \
--cc=James.Bottomley@hansenpartnership.com \
--cc=linux-mm@kvack.org \
--cc=lsf-pc@lists.linux-foundation.org \
--cc=pjt@google.com \
--cc=rppt@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox