<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif">Talking cross purposes here ; I am merely pointing out WHY it's a problem in the routing world.<br><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">I also have coloured books from my past, they mostly involve bad 80's Children's TV series tie ins and 'between the lines' style instructions.<br><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">-Joel<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 5 January 2018 at 11:09, <a href="mailto:dpreed@deepplum.com">dpreed@deepplum.com</a> <span dir="ltr"><<a href="mailto:dpreed@deepplum.com" target="_blank">dpreed@deepplum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><font face="arial" size="2"><p style="margin:0;padding:0;font-family:arial;font-size:10pt">I don't disagree that anyone who can run code in the hypervisor itself can attack the guest instances.</p>
<p style="margin:0;padding:0;font-family:arial;font-size:10pt"> </p>
<p style="margin:0;padding:0;font-family:arial;font-size:10pt">But that has nothing to do with KALSR or Meltdown or Sceptre. That's just bad security design - the rule is "the principle of least privilege", which comes from the 1970's work on secure operating systems.</p>
<p style="margin:0;padding:0;font-family:arial;font-size:10pt"> </p>
<p style="margin:0;padding:0;font-family:arial;font-size:10pt">I should point out here that I was one of the researchers that helped develop the original multi-level security systems then. Those "colored books" come from us.</p>
<p style="margin:0;padding:0;font-family:arial;font-size:10pt"> </p>
<p style="margin:0;padding:0;font-family:arial;font-size:10pt"><span class="">-----Original Message-----<br>From: "Joel Wirāmu Pauling" <<a href="mailto:joel@aenertia.net" target="_blank">joel@aenertia.net</a>><br></span></p><div><div class="h5">Sent: Thursday, January 4, 2018 5:00pm<br>To: "<a href="mailto:dpreed@deepplum.com" target="_blank">dpreed@deepplum.com</a>" <<a href="mailto:dpreed@deepplum.com" target="_blank">dpreed@deepplum.com</a>><br>Cc: "Jonathan Morton" <<a href="mailto:chromatix99@gmail.com" target="_blank">chromatix99@gmail.com</a>>, <a href="mailto:cerowrt-devel@lists.bufferbloat.net" target="_blank">cerowrt-devel@lists.<wbr>bufferbloat.net</a><br>Subject: Re: [Cerowrt-devel] KASLR: Do we have to worry about other arches than x86?<br><br></div></div><p></p><div><div class="h5">
<div id="m_7256725204751639043SafeStyles1515103516">
<div dir="ltr">
<div class="gmail_default" style="font-family:verdana,sans-serif">SRIOV ports and Vendor NIC optimizations wrt Latencies.<br><br></div>
<div class="gmail_default" style="font-family:verdana,sans-serif">Whilst these heavy hitting NVF appliances tend to be large and span multiple compute hosts (and therefore are the only tenannts on those computes) - this isn't always the case. <br><br></div>
<div class="gmail_default" style="font-family:verdana,sans-serif">It's a problem in that if you can get onto the hypervisor even as an unprivileged user you can read out guest stores. .... Big Problem. </div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 5 January 2018 at 10:57, <a href="mailto:dpreed@deepplum.com" target="_blank">dpreed@deepplum.com</a> <span dir="ltr"><<a href="mailto:dpreed@deepplum.com" target="_blank">dpreed@deepplum.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<p style="margin:0;padding:0;margin:0;padding:0;font-family:arial;font-size:10pt">Hmm... protection datacentres tend to require lower latencies than can be achieved running on hypervisors.</p>
<p style="margin:0;padding:0;margin:0;padding:0;font-family:arial;font-size:10pt"> </p>
<p style="margin:0;padding:0;margin:0;padding:0;font-family:arial;font-size:10pt">Which doesn't mean that some datacenters don't do that.</p>
<p style="margin:0;padding:0;margin:0;padding:0;font-family:arial;font-size:10pt"> </p>
<p style="margin:0;padding:0;margin:0;padding:0;font-family:arial;font-size:10pt">As far as NFV is concerned, Meltdown only breaks security if a userspace application is running on a machine where another user has data running through kernel address space. NFV environments don't tend to run NFV in userspace under an OS that has kernel data in the page tables that are reachable from CR3.</p>
<p style="margin:0;padding:0;margin:0;padding:0;font-family:arial;font-size:10pt"> </p>
<p style="margin:0;padding:0;margin:0;padding:0;font-family:arial;font-size:10pt">The key issue in Meltdown is that CR3 is not changed between userspace and kernelspace. Which means that the memory access pipeline in userspace can use a kernelspace address (what Intel calls a "linear" address) without a check that the pagetables enable userspace access. The check happens after the speculative execution of the memory access.</p>
<p style="margin:0;padding:0;margin:0;padding:0;font-family:arial;font-size:10pt"> </p>
<p style="margin:0;padding:0;margin:0;padding:0;font-family:arial;font-size:10pt">I repeat this, because many pseudo-experts who love to be quoted in the press as saying "be afraid, be very afraid" are saying a lot of nonsense about Meltdown and Sceptre. It seems to be an echo chamber effect - the papers were released yesterday afternoon, but in a rush to get "quoted", all the wannabe-quoted people are saying things that are just plain NOT TRUE.</p>
<p style="margin:0;padding:0;margin:0;padding:0;font-family:arial;font-size:10pt"> </p>
<p style="margin:0;padding:0;margin:0;padding:0;font-family:arial;font-size:10pt"> </p>
<p style="margin:0;padding:0;margin:0;padding:0;font-family:arial;font-size:10pt">-----Original Message-----<br>From: "Joel Wirāmu Pauling" <<a href="mailto:joel@aenertia.net" target="_blank">joel@aenertia.net</a>><br>Sent: Thursday, January 4, 2018 4:44pm<br>To: "Jonathan Morton" <<a href="mailto:chromatix99@gmail.com" target="_blank">chromatix99@gmail.com</a>><br>Cc: <a href="mailto:cerowrt-devel@lists.bufferbloat.net" target="_blank">cerowrt-devel@lists.<wbr>bufferbloat.net</a><br>Subject: Re: [Cerowrt-devel] KASLR: Do we have to worry about other arches than x86?<br><br></p>
<div>
<div class="m_7256725204751639043h5">
<div id="m_7256725204751639043m_7253036564387560496SafeStyles1515102439">
<div dir="ltr">
<div class="gmail_extra"><br>
<div class="gmail_quote">On 5 January 2018 at 01:09, Jonathan Morton <span dir="ltr"><<a href="mailto:chromatix99@gmail.com" target="_blank">chromatix99@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br><br> I don't think we need to worry about it too much in a router context. Virtual server folks, OTOH...<br>
<div class="m_7256725204751639043m_7253036564387560496HOEnZb">
<div class="m_7256725204751639043m_7253036564387560496h5"><br> - Jonathan Morton<br><br></div>
</div>
</blockquote>
<div>
<div class="gmail_default" style="font-family:verdana,sans-serif;display:inline">Disagree - The Router is pretty much synonymous with NFV</div>
<div class="gmail_default" style="font-family:verdana,sans-serif;display:inline">; I run my lede instances at home on hypervisors - and this is definitely the norm in Datacentres now. We need to work through this quite carefully. </div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div></div></div></font></blockquote></div><br></div>