KAISER Getting Ready To Better Protect The Linux Kernel

  • KAISER Getting Ready To Better Protect The Linux Kernel

    Phoronix: KAISER Getting Ready To Better Protect The Linux Kernel

    Recently a number of patches have been floating around the kernel mailing list for prepping "KAISER" in what will likely be merged come Linux 4.16. KAISER is a new security feature for the Linux kernel...

    http://www.phoronix.com/scan.php?pag...x-Preparations

  • #2
    How exactly does beer protect the Linux kernel? Does it make the developers more productive?



    • #3
      Read the article for an answer?



      • #4
        Why is the Linux ecosystem so focused only on protection of the kernel and system (libraries, executables, ...)? The most precious thing for a user is the user's data, which is located under the user's home, and it is freely accessible to any application executed by that user.

        Damage can be caused by a single mistake of a user, when the user runs a malicious application. We all run 3rd party applications, i.e. Steam, games, mining tools, and any other tools. We can't really see everything a 3rd party app does, and it could be (contain) malware without our knowledge.

        All private data could be exploited/lost in a second. It's nice that the system is safe, but that doesn't make my data safe.



        • #5
          Originally posted by kravemir
          Why is the Linux ecosystem so focused only on protection of the kernel and system (libraries, executables, ...)? The most precious thing for a user is the user's data, which is located under the user's home, and it is freely accessible to any application executed by that user.

          Damage can be caused by a single mistake of a user, when the user runs a malicious application. We all run 3rd party applications, i.e. Steam, games, mining tools, and any other tools. We can't really see everything a 3rd party app does, and it could be (contain) malware without our knowledge.

          All private data could be exploited/lost in a second. It's nice that the system is safe, but that doesn't make my data safe.
          There is a focus on that too. That's why there is AppArmor, SELinux, containers, virtualization, Flatpak, namespaces, Docker, etc.



          • #6
            eydee - the white paper on their GitHub site is informative. "KAISER uses a shadow address space paging structure to separate kernel space and user space. The lower half of the shadow address space is synchronized between both paging structures. Thus, multiple threads work in parallel on the two address spaces if they are in user space or kernel space respectively. KAISER eliminates the usage of global bits in order to avoid explicit TLB flushes upon context switches. Furthermore, it exploits optimizations in current hardware that allow switching address spaces without performing a full TLB flush. Hence, the performance impact of KAISER is only 0.28%. KAISER reduces the number of overlapping pages between user and kernel address space to the absolute minimum required to run on modern x86 systems. We evaluate all microarchitectural side-channel attacks on kernel address information that are applicable to recent Intel architectures. We show that KAISER successfully eliminates the leakage in all cases."

            But that performance impact is based on only 3 benchmarks. And this won't protect against BTB (Branch Target Buffer) attacks either. If you read section 5 'future work' in the white paper, you can see that they also require modern processors. How modern? I didn't read the patches to find out what ops they are using, but I have a feeling this won't be enabled in most kernels for quite some time, even if their proof of concept is mainlined.

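The two-table layout described in the white paper excerpt quoted in post #6, as an added example that is not part of the original thread and is not kernel or KAISER project code. It is a simplified model of one top-level page table pair; the names `addr_space`, `set_pgd`, `user_mode_lookup` and the slot numbers and entry values are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define PGD_ENTRIES 512               /* top-level entries, x86-64 4-level paging */
#define USER_HALF   (PGD_ENTRIES / 2) /* slots 0..255 form the lower (user) half */

typedef struct {
    uint64_t kernel_pgd[PGD_ENTRIES]; /* active while the CPU runs kernel code */
    uint64_t shadow_pgd[PGD_ENTRIES]; /* active while the CPU runs user code */
} addr_space;

/* Lower-half entries are synchronized into the shadow table; upper-half
 * entries reach it only when needed to switch between user and kernel mode. */
static void set_pgd(addr_space *as, unsigned idx, uint64_t entry, int entry_exit)
{
    as->kernel_pgd[idx] = entry;
    if (idx < USER_HALF || entry_exit)
        as->shadow_pgd[idx] = entry;
}
/* What user mode can resolve for a slot: 0 means "not mapped". */
static uint64_t user_mode_lookup(const addr_space *as, unsigned idx)
{
    return as->shadow_pgd[idx];
}
/* Number of kernel-half slots still present in the user-mode view. */
static unsigned kernel_slots_visible_to_user(const addr_space *as)
{
    unsigned n = 0;
    for (unsigned i = USER_HALF; i < PGD_ENTRIES; i++)
        n += (as->shadow_pgd[i] != 0);
    return n;
}
/* Constructed sample layout; slot numbers and entry values are made up. */
static addr_space demo_space(void)
{
    addr_space as = {{0}, {0}};
    set_pgd(&as, 0,   0x1001, 0); /* user text */
    set_pgd(&as, 273, 0x3001, 0); /* kernel data */
    set_pgd(&as, 511, 0x4001, 0); /* kernel text */
    set_pgd(&as, 510, 0x5001, 1); /* entry/exit code */
    return as;
}

int main(void)
{
    addr_space as = demo_space();
    printf("kernel slots visible to user mode: %u\n", kernel_slots_visible_to_user(&as));
    return 0;
}
```

In this model a user-mode lookup of a kernel slot returns 0 unless the slot was flagged as needed for entry and exit, which is the "absolute minimum" overlap the excerpt refers to.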


            • #7
              Originally posted by eydee
              How exactly does beer protect the Linux kernel? Does it make the developers more productive?
              yeah, given that Kaiser is one of the worst beers in Austria



              • #8
                Originally posted by eydee
                How exactly does beer protect the Linux kernel? Does it make the developers more productive?
                Ever heard of the Ballmer Peak?



                • #9
                  Originally posted by uid313

                  There is a focus on that too. That's why there is AppArmor, SELinux, containers, virtualization, Flatpak, namespaces, Docker, etc.
                  Good that there's focus on that too.

                  So, consider the following scenario. I'm self-employed and produce custom metal parts, and I've got a few cheap machines which support only specific custom file formats, and customers deliver their designs in various custom formats. For most of these formats there's no "really trustworthy" application. And I've got to try many of them, to check whether they are doing what I need. But one of them installed some exploit, and my data was encrypted/destroyed/stolen after some time...

                  How would any of these tools have protected me against such malware?

                  Take into consideration that I'm a lame user in that scenario, and I can't manage virtual machines, complex configurations, and so on... I'm only capable of deciding whether I want to give a certain application permission to do something. But I have to be asked for it. Or, at least, I can be asked to write a list of paths which this application can access.

                  Also, I can't afford an expensive IT technician to maintain my software and do consultations about every application I want to try/test.

                  A similar scenario would apply to other small industries.
                  Last edited by kravemir; 11-27-2017, 09:44 AM.



                  • #10
                    And who will protect KAISER from Gavrilo? Austrians again want war!
