From: Ingo Molnar <mingo@kernel.org>
To: Andy Lutomirski <luto@kernel.org>
Cc: Mike Rapoport <rppt@linux.ibm.com>,
LKML <linux-kernel@vger.kernel.org>,
Alexandre Chartre <alexandre.chartre@oracle.com>,
Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
"H. Peter Anvin" <hpa@zytor.com>, Ingo Molnar <mingo@redhat.com>,
James Bottomley <James.Bottomley@hansenpartnership.com>,
Jonathan Adams <jwadams@google.com>,
Kees Cook <keescook@chromium.org>, Paul Turner <pjt@google.com>,
Peter Zijlstra <peterz@infradead.org>,
Thomas Gleixner <tglx@linutronix.de>,
Linux-MM <linux-mm@kvack.org>,
LSM List <linux-security-module@vger.kernel.org>,
X86 ML <x86@kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [RFC PATCH 2/7] x86/sci: add core implementation for system call isolation
Date: Sat, 27 Apr 2019 10:47:52 +0200 [thread overview]
Message-ID: <20190427084752.GA99668@gmail.com> (raw)
In-Reply-To: <CALCETrV3xZdaMn_MQ5V5nORJbcAeMmpc=gq1=M9cmC_=tKVL3A@mail.gmail.com>
* Andy Lutomirski <luto@kernel.org> wrote:
> > On Apr 26, 2019, at 2:58 AM, Ingo Molnar <mingo@kernel.org> wrote:
> >
> >
> > * Ingo Molnar <mingo@kernel.org> wrote:
> >
> >> I really don't like it where this is going. In a couple of years I
> >> really want to be able to think of PTI as a bad dream that is mostly
> >> over fortunately.
> >>
> >> I have the feeling that compiler level protection that avoids
> >> corrupting the stack in the first place is going to be lower overhead,
> >> and would work in a much broader range of environments. Do we have
> >> analysis of what the compiler would have to do to prevent most ROP
> >> attacks, and what the runtime cost of that is?
> >>
> >> I mean, C# and Java programs aren't able to corrupt the stack as long
> >> as the language runtime is corect. Has to be possible, right?
> >
> > So if such security feature is offered then I'm afraid distros would be
> > strongly inclined to enable it - saying 'yes' to a kernel feature that
> > can keep your product off CVE advisories is a strong force.
> >
> > To phrase the argument in a bit more controversial form:
> >
> > If the price of Linux using an insecure C runtime is to slow down
> > system calls with immense PTI-alike runtime costs, then wouldn't it be
> > the right technical decision to write the kernel in a language runtime
> > that doesn't allow stack overflows and such?
> >
> > I.e. if having Linux in C ends up being slower than having it in Java,
> > then what's the performance argument in favor of using C to begin with?
> > ;-)
> >
> > And no, I'm not arguing for Java or C#, but I am arguing for a saner
> > version of C.
> >
> >
>
> IMO three are three credible choices:
>
> 1. C with fairly strong CFI protection. Grsecurity has this (supposedly
> — there’s a distinct lack of source code available), and clang is
> gradually working on it.
>
> 2. A safe language for parts of the kernel, e.g. drivers and maybe
> eventually filesystems. Rust is probably the only credible candidate.
> Actually creating a decent Rust wrapper around the core kernel
> facilities would be quite a bit of work. Things like sysfs would be
> interesting in Rust, since AFAIK few or even no drivers actually get
> the locking fully correct. This means that naive users of the API
> cannot port directly to safe Rust, because all the races won't compile
> :)
>
> 3. A sandbox for parts of the kernel, e.g. drivers. The obvious
> candidates are eBPF and WASM.
>
> #2 will give very good performance. #3 gives potentially stronger
> protection against a sandboxed component corrupting the kernel overall,
> but it gives much weaker protection against a sandboxed component
> corrupting itself.
>
> In an ideal world, we could do #2 *and* #3. Drivers could, for
> example, be written in a language like Rust, compiled to WASM, and run
> in the kernel.
So why not go for #1, which would still outperform #2/#3, right? Do we
know what it would take, roughly, and how the runtime overhead looks
like?
Thanks,
Ingo
next prev parent reply other threads:[~2019-04-27 8:48 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-25 21:45 [RFC PATCH 0/7] x86: introduce system calls addess space isolation Mike Rapoport
2019-04-25 21:45 ` [RFC PATCH 1/7] x86/cpufeatures: add X86_FEATURE_SCI Mike Rapoport
2019-04-25 21:45 ` [RFC PATCH 2/7] x86/sci: add core implementation for system call isolation Mike Rapoport
2019-04-26 7:49 ` Peter Zijlstra
2019-04-28 5:45 ` Mike Rapoport
2019-04-26 8:31 ` Ingo Molnar
2019-04-26 9:58 ` Ingo Molnar
2019-04-26 21:26 ` Andy Lutomirski
2019-04-26 21:26 ` Andy Lutomirski
2019-04-27 8:47 ` Ingo Molnar [this message]
2019-04-27 10:46 ` Ingo Molnar
2019-04-29 18:26 ` James Morris
2019-04-29 18:43 ` Andy Lutomirski
2019-04-29 18:43 ` Andy Lutomirski
2019-04-29 18:46 ` Andy Lutomirski
2019-04-29 18:46 ` Andy Lutomirski
2019-04-30 5:03 ` Ingo Molnar
2019-04-30 9:38 ` Peter Zijlstra
2019-04-30 11:05 ` Ingo Molnar
2019-05-02 11:35 ` Robert O'Callahan
2019-05-02 11:35 ` Robert O'Callahan
2019-05-02 15:20 ` Ingo Molnar
2019-05-02 21:07 ` Robert O'Callahan
2019-05-02 21:07 ` Robert O'Callahan
2019-04-26 14:44 ` James Bottomley
2019-04-26 14:44 ` James Bottomley
2019-04-26 14:46 ` Dave Hansen
2019-04-26 14:57 ` James Bottomley
2019-04-26 14:57 ` James Bottomley
2019-04-26 15:07 ` Andy Lutomirski
2019-04-26 15:19 ` James Bottomley
2019-04-26 15:19 ` James Bottomley
2019-04-26 17:40 ` Andy Lutomirski
2019-04-26 18:49 ` James Bottomley
2019-04-26 18:49 ` James Bottomley
2019-04-26 19:22 ` Andy Lutomirski
2019-04-25 21:45 ` [RFC PATCH 3/7] x86/entry/64: add infrastructure for switching to isolated syscall context Mike Rapoport
2019-04-25 21:45 ` [RFC PATCH 4/7] x86/sci: hook up isolated system call entry and exit Mike Rapoport
2019-04-25 21:45 ` [RFC PATCH 5/7] x86/mm/fault: hook up SCI verification Mike Rapoport
2019-04-26 7:42 ` Peter Zijlstra
2019-04-28 5:47 ` Mike Rapoport
2019-04-30 16:44 ` Andy Lutomirski
2019-04-30 16:44 ` Andy Lutomirski
2019-05-01 5:39 ` Mike Rapoport
2019-04-25 21:45 ` [RFC PATCH 6/7] security: enable system call isolation in kernel config Mike Rapoport
2019-04-25 21:45 ` [RFC PATCH 7/7] sci: add example system calls to exercse SCI Mike Rapoport
2019-04-26 0:30 ` [RFC PATCH 0/7] x86: introduce system calls addess space isolation Andy Lutomirski
2019-04-26 0:30 ` Andy Lutomirski
2019-04-26 8:07 ` Jiri Kosina
2019-04-28 6:01 ` Mike Rapoport
2019-04-26 14:41 ` Dave Hansen
2019-04-28 6:08 ` Mike Rapoport
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190427084752.GA99668@gmail.com \
--to=mingo@kernel.org \
--cc=James.Bottomley@hansenpartnership.com \
--cc=a.p.zijlstra@chello.nl \
--cc=akpm@linux-foundation.org \
--cc=alexandre.chartre@oracle.com \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=jwadams@google.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=pjt@google.com \
--cc=rppt@linux.ibm.com \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.