Most active commenters
  • transpute(3)

Linux Kernel Defence Map – Security Hardening Concepts

(github.com)
158 points transpute | 21 comments | 05 Apr 25 22:16 UTC | HN request time: 1.566s | source | bottom
1. nine_k ◴[09 Apr 25 03:26 UTC] No.43628626[source]
The number of defenses is pretty impressive. The number of out-of-tree and commercial defenses is also impressive. The amount dedicated to specifics of C (UB, bounds checks, use-after-free) is relatively small.

It would be interesting to compare to, say, OpenBSD, with its apparently numerous security and defense-in-depth features.

replies(1): >>43632766 #
2. acje ◴[09 Apr 25 05:43 UTC] No.43629223[source]
I find it inspiring that we are getting to where we are dealing with models that classify vulnerabilities at a systems level. However I also think we are kind of barking up the wrong three. There is IMHO something wrong with the current strategy of scaling up the von Neumann architecture. It leads to fragile software partitioning, noisy neighbors and both slow and sometimes unintended communication through shared memory. I’ve tried to lay this out in detail here https://lnkd.in/dRNSYPWC
replies(2): >>43629492 #>>43629804 #
3. simonask ◴[09 Apr 25 06:45 UTC] No.43629492[source]
I think your take is interesting, but your article does not go into details with ideas about how to address these problems at the architectural level. Would you like to elaborate?
replies(1): >>43629793 #
4. acje ◴[09 Apr 25 07:44 UTC] No.43629793{3}[source]
There is some elaboration in part four of the series. A fifth part on actor model, gaps and surfaces is in the works. Part four https://lnkd.in/dEVabpkN
5. transpute ◴[09 Apr 25 07:47 UTC] No.43629804[source]
Have you looked at Barrelfish (2011) from Microsoft Research and ETH Zurich?

https://www.microsoft.com/en-us/research/blog/barrelfish-exp...

> “In the next five to 10 years,” Barham predicts, “there are going to be many varieties of multicore machines. There are going to be a small number of each type of machine, and you won’t be able to afford to spend two years rewriting an operating system to work on each new machine that comes out. Trying to write the OS so it can be installed on a completely new computer it’s never seen before, measure things, and think about the best way to optimize itself on this computer—that’s quite a different approach to making an operating system for a single, specific multiprocessor.” The problem, the researchers say, stems from the use of a shared-memory kernel with data structures protected by locks. The Barrelfish project opts instead for a distributed system in which each unit communicates explicitly.

Public development stopped in March 2020, https://github.com/BarrelfishOS/barrelfish & https://barrelfish.org

replies(3): >>43631351 #>>43633064 #>>43640163 #
6. chenhoey1211 ◴[09 Apr 25 08:07 UTC] No.43629915[source]
Really solid conceptual map — not just for kernel devs, but also useful if you're working in Rust, Zig, or any low-level system code.

Has anyone come across a similar visual breakdown for Wasm runtimes, especially around sandboxing and isolation models?

7. nand_gate ◴[09 Apr 25 12:34 UTC] No.43631351{3}[source]
Vapourware, what they post (microkernels) is nothing new.

As far as a barrel CPUs to replace SMT... crickets

replies(2): >>43641418 #>>43641454 #
8. anthonyryan1 ◴[09 Apr 25 13:04 UTC] No.43631590[source]
This is by the author of the very helpful kernel-hardening-checker: https://github.com/a13xp0p0v/kernel-hardening-checker

An interesting tool for analyzing your personal kernel config file and pointing out areas for security improvement. It's more comprehensive than KSPP (https://kspp.github.io/) but sometimes goes a little too far, suggesting disabling kernel features you may actively use.

Definitely worth trying!

replies(1): >>43640134 #
9. Sponge5 ◴[09 Apr 25 14:09 UTC] No.43632342[source]
> This map describes kernel security hardening. It doesn't cover cutting attack surface.

For those wondering why SECCOMP is ommited.

10. zie ◴[09 Apr 25 14:48 UTC] No.43632766[source]
> It would be interesting to compare to, say, OpenBSD, with its apparently numerous security and defense-in-depth features.

I'm not sure that would be a very fair comparison. A lot of OpenBSD security comes from just skipping giant swaths of stuff. Advanced filesystems are non-existent, Bluetooth is non-existent, etc.

I haven't done a count lately, but I would guess the Linux Kernel alone is larger than the OpenBSD base system. It's simplicity is a huge security feature. Provided you don't need some of those features.

I'm not saying this as an OpenBSD hater or anything, I run OpenBSD on at least one machine.

11. _huayra_ ◴[09 Apr 25 15:13 UTC] No.43633064{3}[source]
Mothy Roscoe, the Barrelfish PI, gave a really great talk at ATC 2021 [0]. A lot of OS research is basically "here's a clever way we bypassed Linux to touch hardware directly", but his argument is that the "VAX model" of hardware that Linux still uses has ossified, and CPU manufacturers have to build complexity to support that.

Concretely, there are a lot of things that are getting more "NOC-y" (network-on-chip). I'm not an OS expert, but deal with a lot of forthcoming features from hardware vendors at my current role. Most are abstracted as some sorta PCI device that does a little "mailbox protocol" to get some values (perhaps directly, perhaps read out of memory upon success). Examples are HSMP from AMD and OOBMSM from Intel. In both, the OS doesn't directly configure a setting, but asks some other chunk of code (provided by the CPU vendor) to configure the setting. Mothy's argument is that that is an architectural failure, and we should create OSes that can deal with this NOC-y heterogeneous architecture.

Even if one disagrees with Mothy's premise, this is a banger of a talk, well worth watching and easy to understand.

[0] https://www.usenix.org/conference/atc21/presentation/fri-key...

replies(1): >>43646692 #
12. hart_russell ◴[09 Apr 25 17:50 UTC] No.43635072[source]
Do these settings persist if I update the kernel on my ubuntu server?
13. egberts1 ◴[10 Apr 25 02:42 UTC] No.43640134[source]
This is the way.

Close all avenues, then only open what you exactly need.

replies(1): >>43646607 #
14. egberts1 ◴[10 Apr 25 02:47 UTC] No.43640163{3}[source]
Reminds me of Minix OS by Andrew Tannenbaum.

Anyone remember the debate between microkernel vs monolithic kernel?

https://en.m.wikipedia.org/wiki/Tanenbaum%E2%80%93Torvalds_d...

replies(1): >>43646729 #
15. pjmlp ◴[10 Apr 25 07:03 UTC] No.43641418{4}[source]
It is on most mainstream computers, even though it is the way in most high integrity computing deployments.
16. transpute ◴[10 Apr 25 07:08 UTC] No.43641454{4}[source]
10 years of shipped code for multiple platforms (x86, ARMv7, ARMv8) is not varporware. Based on software experience with existing platforms, they have created an open hardware RISC-V core which requires custom software to achieve energy effiency with improved performance, https://spectrum.ieee.org/snitch-riscv-processor-6x-faster

> Snitch proved to be 3.5 times more energy efficient and up to six times faster than the others.. "While we could already demonstrate a very energy-efficient and versatile 8-core Snitch cluster configuration in silicon, there are exciting opportunities ahead in building computing platforms scalable to thousands of Snitch cores, even spreading over multiple chiplets," says Zaruba, noting that his team is currently working towards this goal.

https://github.com/pulp-platform/snitch

replies(1): >>43676906 #
17. anon6362 ◴[10 Apr 25 18:12 UTC] No.43646607{3}[source]
By default, Linux has way, way too much functionality, insufficient testing and proof of security correctness, and not enough security controls.
18. vacuity ◴[10 Apr 25 18:20 UTC] No.43646692{4}[source]
He is right. The point of the operating system is to, well, operate the system. Hardware, firmware, software engineers should work together to make good systems. Political and social barriers are not an excuse for poor products delivered to end users.
19. vacuity ◴[10 Apr 25 18:24 UTC] No.43646729{4}[source]
In fact, Barrelfish is based on running a microkernel per core, and makes good use of this design to better adapt to hardware diversity.

I understand why Linux develops everything in one place. This makes it far easier to manage. However, it is far more difficult to configure and specialize kernels. (Saw a paper where core operations of default Linux had gotten slower over the years, requiring reconfiguration.) Or to badly paraphrase Ingo Molnar: aim for one of two ideals in operating system design: the one that's easiest for developers to change/maintain and the one that maximizes performance.

20. nand_gate ◴[14 Apr 25 00:18 UTC] No.43676906{5}[source]
Interesting, thanks!