* [cip-dev] Security from kernel's point of view
@ 2021-02-21 8:40 Pavel Machek
0 siblings, 0 replies; only message in thread
From: Pavel Machek @ 2021-02-21 8:40 UTC (permalink / raw)
[-- Attachment #1.1: Type: text/plain, Size: 2438 bytes --]
I put this together... it may be useful for someone to understand what
the issues are. I guess I'd like to know from security team if they
find it useful, and from kernel people if I'm missing something or if
there are errors...
Good and bad ideas w.r.t. kernel and security
Kernel tries to provid many security guarantees at different
levels. Still, some things are easier to guarantee than others, and
some security barriers are really important, while others... not so
Kernel should be secure against remote attackers.
And it reasonably is, when not, we get it fixed with high priority.
Kernel should protect itself and other users against local, non-priviledged users.
Tries, but attack surface is big.
People don't care about DoS attacks much.
=> Running untrusted code is a bad idea. Forkbomb is few characters in sh.
Fast, out-of-order CPUs leak user data via timing side-channels. Those
CPUs should not process sensitive data. JITs can be used to extract the data.
We can try to work around the problems and apply vendor-provided
workarounds, but there are likely more problems in future. Similar
bugs are hidden in CPU microarchitectures, and in particular
Spectre workarounds are whack-a-mole and thus incomplete.
Hyperthreading makes those attacks easier.
=> Use suitable CPUs to process sensitive data.
Filesystems are complex, robustness against malformed filesystems is hard.
Some filesystems try to be robust against filesystems corruption,
and some don't even do that. Some perform checks during mount, but
that means that malicious device can work around them.
=> Don't mount untrusted filesystems. If you have to, use simple and
common filesystem. VFAT might be good choice.
Kernel should protect itself against local users with CAP_XX.
Yes, there's capability system, and in theory capabilities should be separated.
=> Don't rely on that. Noone else does.
Some systems try to protect themselves against people with physical access.
Laws of physics says it is impossible, but people can still try to
make it more costly for the "attacker".
=> Please don't rely on that.
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
[-- Attachment #1.2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]
[-- Attachment #2: Type: text/plain, Size: 420 bytes --]
Links: You receive all messages sent to this group.
View/Reply Online (#6187): https://lists.cip-project.org/g/cip-dev/message/6187
Mute This Topic: https://lists.cip-project.org/mt/80797148/4520388
Group Owner: email@example.com
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy [firstname.lastname@example.org]
^ permalink raw reply [flat|nested] only message in thread
only message in thread, back to index
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-02-21 8:40 [cip-dev] Security from kernel's point of view Pavel Machek
CIP-dev Archive on lore.kernel.org
Archives are clonable:
git clone --mirror https://lore.kernel.org/cip-dev/0 cip-dev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 cip-dev cip-dev/ https://lore.kernel.org/cip-dev \
Example config snippet for mirrors
Newsgroup available over NNTP:
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git