Announcement

Collapse
No announcement yet.

GNU Binutils Begins Landing eBPF Support

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • oiaohm
    replied
    Originally posted by jpg44 View Post
    eBPF should be in my opinion Turing Complete
    eBPF is not Turing complete because something Turing complete can in fact run for ever with no way of working out when it will stop. 90%+ of a kernel made for real-time is required not to be Turing Complete.

    Linux kernel is coming a full blown real-time kernel.

    So the reality is most of the Linux kernel needs to be Turing incomplete what really does make Rust, C++ and C wrong languages to write most of the kernel in.

    Leave a comment:


  • jpg44
    replied
    Originally posted by HadrienG View Post
    I'm feeling a bit uneasy about the concept of injecting arbitrary code in the kernel like this.

    I know that the eBPF VM is supposed to only allow safe code paths to execute. But VM-based security has been attempted before, and JS / JVM / CLR implementations are still major CVE magnets to this day. Give the security community a compiler with special permissions, and suddenly compiler bugs become interesting ^^'

    Then again, as long as injecting BPF is subjected to similar user permissions as loading kernel modules, I suppose it does not fundamentally change the threat model.
    As you said, a root user can already load arbitrary code into the kernel with a kernel module. eBPF introduces no further vulnerability in this regard. Obviously you would only want eBPF code loaded by root not by other users. With that restriction, it does not add increased danger. That being said eBNF could be made to be safer than a kernel module by, a subsystem that uses it I would hope could

    eBPF should be in my opinion Turing Complete and the purpose of this is to facilitate being able to implement highly customizable filter mechanisms that can be loaded into the kernel. This can replace existing VMs in the kernel and allow the same VM to be re-used by different subsystems, avoiding duplication, for instance, for use with implementing system call filters, sandboxing, packet filters, and a new backend for iptables and nftables. nftables was going to have its own VM but it does not really make sense for every kernel subsystem that wants to have loadable bytecode to have its own VM when different subsystems can use the same VM infrastructure. The subsystems can configure the VM to their needs, including restricting it to a subset.

    Leave a comment:


  • RahulSundaram
    replied
    Originally posted by Konstantin A. View Post
    From https://en.wikipedia.org/wiki/Berkeley_Packet_Filter :

    "Spectre attack may leverage Linux kernel eBPF JIT compiler to extract data from other kernel processes and allow user-space to read it."

    Source: https://googleprojectzero.blogspot.c...with-side.html
    It is not ebpf or nothing. It is ebpf or kernel modules which can do anything it wants to. Sandboxing or filtering mechanisms are never going to be fully secure but hardening it ahead of time or even fixing any issues known is far more easier than allowing full arbitrary code to run on the kernel.

    Leave a comment:


  • oiaohm
    replied
    Originally posted by Konstantin A. View Post
    From https://en.wikipedia.org/wiki/Berkeley_Packet_Filter :

    "Spectre attack may leverage Linux kernel eBPF JIT compiler to extract data from other kernel processes and allow user-space to read it."

    Source: https://googleprojectzero.blogspot.c...with-side.html
    https://lwn.net/Articles/743265/
    Do note that is being addressed kernel side. Did not require changing the bytecode send to kernel. Yes 2 days after work on fixing that appeared.

    Of course eBPF is not perfect. Yes this is one of the rare CVEs that happened. CPU hardware bug makes loading kernel modules trouble as well.

    Nothing is a 100 percent secure. eBPF is not the worst option.

    Leave a comment:


  • q2dg
    replied
    I don't like GAS. Do you know if NASM will follow this path? I've haven't heard anything about this. Thanks

    Leave a comment:


  • Konstantin A.
    replied
    From https://en.wikipedia.org/wiki/Berkeley_Packet_Filter :

    "Spectre attack may leverage Linux kernel eBPF JIT compiler to extract data from other kernel processes and allow user-space to read it."

    Source: https://googleprojectzero.blogspot.c...with-side.html

    Leave a comment:


  • HadrienG
    replied
    Thanks for these clarifications ! I agree that this all puts some extra weight behind the "BPF is secure" assertion.

    Leave a comment:


  • oiaohm
    replied
    Originally posted by HadrienG View Post
    I know that the eBPF VM is supposed to only allow safe code paths to execute. But VM-based security has been attempted before, and JS / JVM / CLR implementations are still major CVE magnets to this day. Give the security community a compiler with special permissions, and suddenly compiler bugs become interesting ^^'
    This is something you miss. BPF stands for https://en.wikipedia.org/wiki/Berkeley_Packet_Filter yes it first is designed 1992. Almost as old as Linux. Its one of oldest bytecode languages with just in time. With over 2 decades of JIT the CVE count is insanely low for eBPF/BPF.

    As pininety said eBPF and is parent BPF are intentionally not turing complete. JS, JVM, CLR.... are turing complete.

    Originally posted by HadrienG View Post
    Then again, as long as injecting BPF is subjected to similar user permissions as loading kernel modules, I suppose it does not fundamentally change the threat model.
    Really there is lower security thread from loading eBPF into kernel vs loading a kernel module. Remember kernel module can do what ever. Where eBPF has to be approved by the in kernel compiler and it has rules that forbid full turing completeness.

    eBPF has been used for IR remotes and other things in the Linux kernel for a while. Result has been a massive reduction in security faults due to IR device drivers. The stricter language of eBPF compare to C in fact can reduce security faults.

    Leave a comment:


  • pininety
    replied
    Originally posted by HadrienG View Post
    I'm feeling a bit uneasy about the concept of injecting arbitrary code in the kernel like this.

    I know that the eBPF VM is supposed to only allow safe code paths to execute. But VM-based security has been attempted before, and JS / JVM / CLR implementations are still major CVE magnets to this day. Give the security community a compiler with special permissions, and suddenly compiler bugs become interesting ^^'

    Then again, as long as injecting BPF is subjected to similar user permissions as loading kernel modules, I suppose it does not fundamentally change the threat model.
    Is it really arbitrary thought? AFAIK it is not turing complete, only allows jumps forward, not backwards and so on. Also these checks are on the kernel side after compiling afaik. What I could see is CPU bugs showing up but compiler bugs? Not so much.

    Leave a comment:


  • HadrienG
    replied
    I'm feeling a bit uneasy about the concept of injecting arbitrary code in the kernel like this.

    I know that the eBPF VM is supposed to only allow safe code paths to execute. But VM-based security has been attempted before, and JS / JVM / CLR implementations are still major CVE magnets to this day. Give the security community a compiler with special permissions, and suddenly compiler bugs become interesting ^^'

    Then again, as long as injecting BPF is subjected to similar user permissions as loading kernel modules, I suppose it does not fundamentally change the threat model.

    Leave a comment:

Working...
X