Google Limiting IO_uring Use Due To Security Vulnerabilities


  • Google Limiting IO_uring Use Due To Security Vulnerabilities

    Phoronix: Google Limiting IO_uring Use Due To Security Vulnerabilities

    While IO_uring has been one of the greatest Linux kernel innovations in recent years for helping to deliver more performant and efficient I/O, it's also been home to various security vulnerabilities. Due to ongoing security issues, this interface for asynchronous I/O is being restricted or outright disabled across Google products...


  • #2
    This YouTuber mentioned a couple of times the sheer number of vulnerabilities in their OpenSource podcasts: https://www.youtube.com/watch?v=o9kLjDUtduI



    • #3
      IO_uring is not safe?



      • #4
        Probably not inherently unsafe, just newer and less hardened.



        • #5
          One of the biggest problems of io_uring that is only touched on in the article is that it's impossible to apply fine-grained seccomp filters to it. It's basically all or nothing, because the actual functionality is opaque to BPF.



          • #6
            io_uring is both a large new attack surface, and hooking into other parts of the kernel in pretty novel ways. It's not inherently less secure but it's replacing a lot of code that has had a lot of years to have the bugs shaken out.

            Also as someone mentioned it doesn't have support for BPF sandboxing but there's no fundamental reason that can't be added. It will just take some careful work to get the API right.

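What posts #5 and #6 describe, as an added example that is not code from the thread or from any project mentioned: a seccomp filter sees only the syscall number and register arguments, while io_uring operation opcodes travel in the shared submission ring, so the one available control is to refuse the three io_uring syscalls wholesale. The names `deny_io_uring`, `io_uring_setup_errno`, `NATIVE_ARCH` and `DENY` are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "set NATIVE_ARCH to the AUDIT_ARCH_* value for this platform"
#endif
/* Two instructions: if the loaded syscall nr matches, fail with EPERM. */
#define DENY(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
                 BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM)

/* Installs the filter on the calling thread; 0 on success, -1 on error. */
int deny_io_uring(void) {
    struct sock_filter prog[] = {
        /* Foreign ABI: kill, its syscall numbers mean something else. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* x32 numbers (bit 30 set) share the x86-64 arch value; refuse them. */
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000000, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ENOSYS),
        /* The SQE opcode sits in ring memory, not seccomp_data: all or nothing. */
        DENY(__NR_io_uring_setup),
        DENY(__NR_io_uring_enter),
        DENY(__NR_io_uring_register),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return (int)syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, 0, &fprog);
}
/* Probe: errno from io_uring_setup(2) called with a NULL params pointer. */
int io_uring_setup_errno(void) {
    return syscall(__NR_io_uring_setup, 1, NULL) == -1 ? errno : 0;
}
int main(void) {
    if (deny_io_uring() != 0) { perror("seccomp"); return 1; }
    return printf("io_uring_setup errno=%d (EPERM=%d)\n", io_uring_setup_errno(), EPERM) < 0;
}
```

An installed filter cannot be removed and is inherited by child processes, so it belongs early in the sandboxed program's startup.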


            • #7
              Google has paid out around 1 million USD worth of IO_uring vulnerabilities from its rewards program.
              can someone remind me how much google makes a year?

              perhaps the real issue is they haven't paid enough for the return they get



              • #8
                You know OpenBSD gets made fun of a lot whenever Michael benchmarks it for coming in dead last for not having features like IO_uring BUT because they are less aggressive in performance optimizations they are more secure. I've found OpenBSD to be plenty fast enough for web browsing, coding, and other tasks on an 8 core ZEN 2 processor. It feels about the same speed as Windows 10 did on it if not faster. I haven't tried Linux on this particular machine. Only pinch point is I can't figure out how to get the audio to work!



                • #9
                  Originally posted by kylew77
                  You know OpenBSD gets made fun of a lot whenever Michael benchmarks it for coming in dead last for not having features like IO_uring BUT because they are less aggressive in performance optimizations they are more secure. I've found OpenBSD to be plenty fast enough for web browsing, coding, and other tasks on an 8 core ZEN 2 processor. It feels about the same speed as Windows 10 did on it if not faster. I haven't tried Linux on this particular machine. Only pinch point is I can't figure out how to get the audio to work!
                  It's not more secure, it's just no one gives a damn about it. No one uses it in the wild so no hackers are interested in hacking it.



                  • #10
                    Originally posted by peppercats
                    can someone remind me how much google makes a year?

                    perhaps the real issue is they haven't paid enough for the return they get

                    In 2022, Google generated over $282 billion in revenue. This was an increase of 9.78% from 2021.
