Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp1116601yba; Fri, 26 Apr 2019 14:27:45 -0700 (PDT) X-Google-Smtp-Source: APXvYqwQkBxoVugL6aW/2Q+MnLeOf4hPLZP5EWFSFj7lErQfhyqjvHLZeYfGhuClz/ndj2BOFQjx X-Received: by 2002:a63:e304:: with SMTP id f4mr45770407pgh.374.1556314065802; Fri, 26 Apr 2019 14:27:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1556314065; cv=none; d=google.com; s=arc-20160816; b=Vvmh60oiq4/5/MYIx4Zv8S/qFXYwTdzEL+8pRxO7fHnTXf+XKlVEQZssUrOyVIPvOo GFZuXfjtqE3ovjz4cAfap2zOKzi/XqPqP8SLLRuef8jyNppKJ68+sGG8n4vg5Ij2Voe5 hKBZHDsmko3FoJArlEVx+SL2OTNKQ9x/z4/9vjIMY+h+YEMLeYAP/+x9tgKoamd93GNU lE38UCaDupUDvTZ1dQGDUuc/YgAHwTGI5D2azHrF6OwC6L5A10HJcaHlRo95lm0Zig1T TX+6txjc1nGVZc2Ofqxr2VuWB+6aNSxIzyYhWYbLzxgyZDBJ3CGdPNOJJKHd4UdlfIIF bT0Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=VEK4EQKY+lHbgrInTqADydnKPftbhoL1fL3jVGMPkWw=; b=JfWNz20ltaGqry8yOrzkK9nlCHKn8Duer705pvLbRjC80hXi7tC3AfqTnBk0cUtICw /4s0i4Cgdqad1VZaMxizFKkP3ANebJLTRYlG6e6NKiPfaSluZ+fgWy75vYiFImIZJH5R bznDcs2Y4wVsqDhdBCEhhWibtLRZy2i7c24KoQe8K8/IsbXNqxaYmIfYNimprF6JKCjG JdKlM82vnmeXLMDfLeiO8kcmStdifSLoMVoB2ikxPHiQY6LCYBzSph2WkThlvro5EZJ9 tXqX3S9lMTnYx/gUFwNv66EP8xKophaMp6aBmabTc9rmUINRzwejiQ046ctVHlvpFX6p 0l0A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=KFqBx7lJ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a4si12662269pgb.466.2019.04.26.14.27.30; Fri, 26 Apr 2019 14:27:45 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=KFqBx7lJ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726871AbfDZV0l (ORCPT + 99 others); Fri, 26 Apr 2019 17:26:41 -0400 Received: from mail.kernel.org ([198.145.29.99]:33412 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726691AbfDZV0l (ORCPT ); Fri, 26 Apr 2019 17:26:41 -0400 Received: from mail-wm1-f42.google.com (mail-wm1-f42.google.com [209.85.128.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 99BE0208CA for ; Fri, 26 Apr 2019 21:26:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1556313999; bh=D0t+02sSwcut5ajzNNivlJU0Ro11fXksLOee2pRrCfg=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=KFqBx7lJ2xW/ZYaXv2tmORF55+e/veZZXqQxhZIbRAnePpvb1GCT5XYj1AD/huJEH iI1AgObnyI+W19QqZRYgfw/E6RYOX1P5dY0hC8gkxHhdUxRWBGcXxbO5JlStPsGXIr OWZIvKE14i9KB8xnl8JGYbKLum/88xqqSVfwjhAE= Received: by mail-wm1-f42.google.com with SMTP id o25so5420527wmf.5 for ; Fri, 26 Apr 2019 14:26:39 -0700 (PDT) X-Gm-Message-State: APjAAAUbCYI6NXtEemxfo0XG4tYoe/n6EPoCERIwGeUEuyKixKJiCyKn ZBDwwglh2F8CKkfclYfI+x4FwHSLFRWyLth23j0epA== X-Received: by 2002:a05:600c:211a:: with SMTP id u26mr9839645wml.74.1556313998090; Fri, 26 Apr 2019 14:26:38 -0700 (PDT) MIME-Version: 1.0 References: <1556228754-12996-1-git-send-email-rppt@linux.ibm.com> <1556228754-12996-3-git-send-email-rppt@linux.ibm.com> <20190426083144.GA126896@gmail.com> <20190426095802.GA35515@gmail.com> In-Reply-To: <20190426095802.GA35515@gmail.com> From: Andy Lutomirski Date: Fri, 26 Apr 2019 14:26:26 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [RFC PATCH 2/7] x86/sci: add core implementation for system call isolation To: Ingo Molnar Cc: Mike Rapoport , LKML , Alexandre Chartre , Andy Lutomirski , Borislav Petkov , Dave Hansen , "H. Peter Anvin" , Ingo Molnar , James Bottomley , Jonathan Adams , Kees Cook , Paul Turner , Peter Zijlstra , Thomas Gleixner , Linux-MM , LSM List , X86 ML , Linus Torvalds , Peter Zijlstra , Andrew Morton Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > On Apr 26, 2019, at 2:58 AM, Ingo Molnar wrote: > > > * Ingo Molnar wrote: > >> I really don't like it where this is going. In a couple of years I >> really want to be able to think of PTI as a bad dream that is mostly >> over fortunately. >> >> I have the feeling that compiler level protection that avoids >> corrupting the stack in the first place is going to be lower overhead, >> and would work in a much broader range of environments. Do we have >> analysis of what the compiler would have to do to prevent most ROP >> attacks, and what the runtime cost of that is? >> >> I mean, C# and Java programs aren't able to corrupt the stack as long >> as the language runtime is corect. Has to be possible, right? > > So if such security feature is offered then I'm afraid distros would be > strongly inclined to enable it - saying 'yes' to a kernel feature that > can keep your product off CVE advisories is a strong force. > > To phrase the argument in a bit more controversial form: > > If the price of Linux using an insecure C runtime is to slow down > system calls with immense PTI-alike runtime costs, then wouldn't it be > the right technical decision to write the kernel in a language runtime > that doesn't allow stack overflows and such? > > I.e. if having Linux in C ends up being slower than having it in Java, > then what's the performance argument in favor of using C to begin with? > ;-) > > And no, I'm not arguing for Java or C#, but I am arguing for a saner > version of C. > > IMO three are three credible choices: 1. C with fairly strong CFI protection. Grsecurity has his (supposedly =E2=80=94 there=E2=80=99s a distinct lack of source code available), and cl= ang is gradually working on it. 2. A safe language for parts of the kernel, e.g. drivers and maybe eventually filesystems. Rust is probably the only credible candidate. Actually creating a decent Rust wrapper around the core kernel facilities would be quite a bit of work. Things like sysfs would be interesting in Rust, since AFAIK few or even no drivers actually get the locking fully correct. This means that naive users of the API cannot port directly to safe Rust, because all the races won't compile :) 3. A sandbox for parts of the kernel, e.g. drivers. The obvious candidates are eBPF and WASM. #2 will give very good performance. #3 gives potentially stronger protection against a sandboxed component corrupting the kernel overall, but it gives much weaker protection against a sandboxed component corrupting itself. In an ideal world, we could do #2 *and* #3. Drivers could, for example, be written in a language like Rust, compiled to WASM, and run in the kernel.