| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4DDE2F73.2020006@redhat.com> Date: Thu, 26 May 2011 13:46:11 +0300 From: Avi Kivity <avi@...hat.com> To: Ingo Molnar <mingo@...e.hu> CC: Gleb Natapov <gleb@...hat.com>, Pekka Enberg <penberg@...nel.org>, James Morris <jmorris@...ei.org>, Linus Torvalds <torvalds@...ux-foundation.org>, Kees Cook <kees.cook@...onical.com>, Thomas Gleixner <tglx@...utronix.de>, Peter Zijlstra <peterz@...radead.org>, Will Drewry <wad@...omium.org>, Steven Rostedt <rostedt@...dmis.org>, linux-kernel@...r.kernel.org, Chris Wright <chrisw@...s-sol.org>, Pekka Enberg <penberg@...helsinki.fi> Subject: Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering On 05/26/2011 01:38 PM, Ingo Molnar wrote: > * Gleb Natapov<gleb@...hat.com> wrote: > > > On Thu, May 26, 2011 at 11:57:51AM +0300, Pekka Enberg wrote: > > > Hi Avi, > > > > > > On Thu, May 26, 2011 at 11:49 AM, Avi Kivity<avi@...hat.com> wrote: > > > > > > > You mean each thread will have a different security context? I > > > > don't see the point. All threads share all of memory so it > > > > would be trivial for one thread to exploit another and gain all > > > > of its privileges. > > > > > > So how would that happen? I'm assuming that once the security > > > context has been set up for a thread, you're not able to change > > > it after that. You'd be able to exploit other threads through > > > shared memory but how would you gain privileges? > > > > By tricking other threads to execute code for you. Just replace > > return address on the other's thread stack. > > That kind of exploit is not possible if the worker pool consists of > processes - which would be rather easy to achieve with tools/kvm/. > > In that model each process has its own stack, not accessible to other > worker processes. They'd only share the guest RAM image and some > (minimal) global state. > > This way the individual devices are (optionally) isolated from each > other. In a way this is a microkernel done right ;-) It's really hard to achieve, since devices have global interactions. For example a PCI device can change the memory layout when a BAR is programmed. So you would have a lot of message passing going on (not at runtime, so no huge impact on performance). The programming model is very different. Note that message passing is in fact quite a good way to model hardware, since what different devices actually do is pass messages to each other. I expect if done this way, the device model would be better than what we have today. But it's not an easy step away from threads. -- I have a truly marvellous patch that fixes the bug which this signature is too narrow to contain. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists