From: Dave Taht
Date: Thu, 4 Jan 2018 14:15:21 -0800
To: "dpreed@deepplum.com"
Cc: Joel Wirāmu Pauling, Jonathan Morton, cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] KASLR: Do we have to worry about other arches than x86?
In-Reply-To: <1515103759.340132151@apps.rackspace.com>
References: <1515103048.715224709@apps.rackspace.com> <1515103759.340132151@apps.rackspace.com>
List-Id: Development issues regarding the cerowrt test router project

On Thu, Jan 4, 2018 at 2:09 PM, dpreed@deepplum.com wrote:
> I don't disagree that anyone who can run code in the hypervisor itself can
> attack the guest instances.
>
> But that has nothing to do with KASLR or Meltdown or Spectre. That's just
> bad security design - the rule is "the principle of least privilege", which
> comes from the 1970's work on secure operating systems.
>
> I should point out here that I was one of the researchers that helped
> develop the original multi-level security systems then. Those "colored
> books" come from us.

You are one of the few remaining that have written those. Back when I
read those (in 1990 or so, SCO was trying for at least a c1 rating), I
felt they were impossible to implement without hardware support, which
led to my early interest in capabilities based architectures. Sadly
the need for speed trumped all security concerns in the decades since.

There are undoubtedly sordid tales we both could tell here.
https://en.wikipedia.org/wiki/Trusted_Computer_System_Evaluation_Criteria

> -----Original Message-----
> From: "Joel Wirāmu Pauling"
> Sent: Thursday, January 4, 2018 5:00pm
> To: "dpreed@deepplum.com"
> Cc: "Jonathan Morton", cerowrt-devel@lists.bufferbloat.net
> Subject: Re: [Cerowrt-devel] KASLR: Do we have to worry about other arches than x86?
>
> SRIOV ports and Vendor NIC optimizations wrt Latencies.
>
> Whilst these heavy hitting NFV appliances tend to be large and span multiple
> compute hosts (and therefore are the only tenants on those computes) - this
> isn't always the case.
>
> It's a problem in that if you can get onto the hypervisor even as an
> unprivileged user you can read out guest stores. .... Big Problem.
>
> On 5 January 2018 at 10:57, dpreed@deepplum.com wrote:
>>
>> Hmm... protection datacentres tend to require lower latencies than can be
>> achieved running on hypervisors.
>>
>> Which doesn't mean that some datacenters don't do that.
>>
>> As far as NFV is concerned, Meltdown only breaks security if a userspace
>> application is running on a machine where another user has data running
>> through kernel address space. NFV environments don't tend to run NFV in
>> userspace under an OS that has kernel data in the page tables that are
>> reachable from CR3.
>>
>> The key issue in Meltdown is that CR3 is not changed between userspace and
>> kernelspace. Which means that the memory access pipeline in userspace can
>> use a kernelspace address (what Intel calls a "linear" address) without a
>> check that the pagetables enable userspace access. The check happens after
>> the speculative execution of the memory access.
>>
>> I repeat this, because many pseudo-experts who love to be quoted in the
>> press as saying "be afraid, be very afraid" are saying a lot of nonsense
>> about Meltdown and Spectre.
>> It seems to be an echo chamber effect - the
>> papers were released yesterday afternoon, but in a rush to get "quoted", all
>> the wannabe-quoted people are saying things that are just plain NOT TRUE.
>>
>> -----Original Message-----
>> From: "Joel Wirāmu Pauling"
>> Sent: Thursday, January 4, 2018 4:44pm
>> To: "Jonathan Morton"
>> Cc: cerowrt-devel@lists.bufferbloat.net
>> Subject: Re: [Cerowrt-devel] KASLR: Do we have to worry about other arches than x86?
>>
>> On 5 January 2018 at 01:09, Jonathan Morton wrote:
>>>
>>> I don't think we need to worry about it too much in a router context.
>>> Virtual server folks, OTOH...
>>>
>>> - Jonathan Morton
>>>
>> Disagree - The Router is pretty much synonymous with NFV; I run my lede
>> instances at home on hypervisors - and this is definitely the norm in
>> Datacentres now. We need to work through this quite carefully.
>
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel

-- 
Dave Täht
CEO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-669-226-2619
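
Added example, not part of the original thread: on the question in the subject line, kernels that carry the fixes report per-CPU status under /sys/devices/system/cpu/vulnerabilities (Linux 4.15 and later, plus stable kernels with the backport), on any architecture. This script classifies those reports; the function names are illustrative and the values written by make_sample are constructed, not captured from a real machine.

```sh
#!/bin/sh
# Added example: classify the kernel's own report for each CPU vulnerability.
# The directory is absent on older kernels, which are common on routers.
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status STRING -> not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_dir DIR -> one line per entry: "<name> <class> <raw text>"
# Returns 1 if any entry is vulnerable or unknown, 2 if DIR is missing.
report_dir() {
    dir=${1:-$VULN_DIR}
    [ -d "$dir" ] || { echo "no $dir: kernel does not report status" >&2; return 2; }
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        raw=$(cat "$f" 2>/dev/null)
        class=$(classify_status "$raw")
        echo "$(basename "$f") $class $raw"
        case "$class" in vulnerable|unknown) rc=1 ;; esac
    done
    return $rc
}

# make_sample DIR: constructed sample data for trying the script offline
make_sample() {
    mkdir -p "$1"
    echo "Mitigation: PTI" > "$1/meltdown"
    echo "Not affected"    > "$1/spectre_v1"
    echo "Vulnerable"      > "$1/spectre_v2"
}

# Report for the machine this runs on (x86, ARM, MIPS, ...).
echo "arch: $(uname -m)"
report_dir "$VULN_DIR" || true
```

A missing directory (return code 2) means the kernel predates the reporting interface, not that the CPU is unaffected.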