Hacker News new | ask | show | jobs
by snvzz 1135 days ago
There's easily thousands of such bugs hidden in the kernel.

Reminder the kernel has over ten million LoCs, or megabytes of object code.

Perhaps we should start thinking about whether it is a good idea to run something this large in supervisor mode, with full privileges.

I wouldn't say it is sensible in a world where seL4 exists.
7 comments
akvadrako 1135 days ago
It won't make that big of a difference. If you exploit the networking layer you could intercept any local traffic, which will mostly be unencrypted, and communicate with outside attackers. You are probably owned by that point unless you treated localhost as untrusted.

It's like why it doesn't matter if you are running as root or not. The user account has access to whats important, like a database or keychain.

link
0cf8612b2e1e 1135 days ago
Microkernel does seem the only sensible path forward. Even if the kernel is slowly rustified, going to be playing security whack-a-mole for a long time.
link
anonymousiam 1135 days ago
Back in the day when the micro-kernel/monolith flamewars were raging, the arguments for monolith were about improved performance and lower memory usage. I haven't seen much discussion on this topic for years, but at least those two arguments have not aged well.
link
pjmlp 1135 days ago
Mostly because the cloud is based on microkernel like approach regardless of the kernel.

Hypervisors, userspace drivers, containers, language runtime sandboxes, bytecode deployments, driver and kernel sandboxes (safe kernel / driver guard),container only distributions,...

link
aflag 1135 days ago
Why not? It isn't clear to me why monolithic kernel wouldn't still have better performance.
link
pjmlp 1135 days ago
It doesn't matter with layers hypervisors, virtualization, containers and sandboxes running on top.

All mitigations to achieve microkernel like capabilities.

link
aflag 1135 days ago
Hm, if you're making the underlying hardware slower, don't you want the kernel to be even faster though?

VMs are much more than micro kernels. It's about allowing the user to install whatever they want in their machine. Containers are just a userland abstraction. Not sure where the link to microkernels is there.

link
pjmlp 1135 days ago
Not when using hypervisor type 1.
link
mananaysiempre 1135 days ago
Spectre and friends seem to have killed Liedtke’s fast synchronous IPC, unfortunately. Of course, there’s still asynchronous IPC, exokernels (perhaps the closest thing to today’s containers), and so on.
link
CorbetL 1135 days ago
Linux may eventually become a microkernel with most IPC done via io_uring, but it may take 20 years to reach this state.
link
touisteur 1135 days ago
Right now it seems microvms are the way. Build an extremely minimal tailored kernel+userland for network-facing components. If you don't have nf_tables built-in (and it's not loadable because not present) this vulnerability isn't a problem. I mean, right now to use it one would have to chain it with a RCE on your userland app (or on the kernel but just skip the nf_tables step then...). Then one would have to escape the VM, then if you're using firecracker or crosvm, you'll have to break seccomp. Still imaginable, but by then I guess the next kernel (or userland app) fix release is already available :-) and you're already rebooting your microvm.

If you can CI/CD in minutes a reduced kernel+app and reboot in 100ms your network-facing thing (be it nginx or haproxy) you might just take latest vanilla anyway...

link
ttarr 1135 days ago
Care to elaborate plz?

How would we go about GPUs, NCs, and many kinds of drivers?

link
galangalalgol 1135 days ago
For rack servers you could probably get away with a number of microkernel os today. Desktop has clear options in that regard, but you are giving up op n source.
link
userbinator 1135 days ago
Alternatively, perhaps we should start thinking about whether it is a good idea to have multiple users of different privilege sharing the same hardware.
link
gizmo686 1135 days ago
"User" in a modern Linux system is just a weird name for "security domain". Many programs run as their own user to limit their ability to attack the rest of the system if they get compromised; and limit the ability of a different compromised component from attacking them.

My desktop, on which I am the only person with an account, has 49 "users", of which 11 are actively running a process.

At work, every daemon we run has a dedicated user.

On android, every app runs as its own user.

link
thfuran 1135 days ago
What's the alternative, just running all code at ring 0?
link
Aerbil313 1135 days ago
https://www.theseus-os.com/
link
userbinator 1135 days ago
IMHO rings 0 + 3 with protections against bugs, and not deliberate malice, is probably the sweet spot.
link
travis729 1135 days ago
I’ve been thinking this recently as well.
link
saagarjha 1135 days ago
Who's going to make seL4 perform comparably to Linux?
link
snvzz 1135 days ago
Why would we need to slow seL4 down?
link
saagarjha 1135 days ago
I'm not really in the mood for trolling.
link
snvzz 1135 days ago
The name-calling is uncalled for.

To elaborate, seL4 claims to be the fastest kernel around[0], a claim that remains unchallenged.

To put it into context, the difference in IPC speed is such that you'd need an order of magnitude more IPC for a multiserver system based on seL4 to actually be slower than Linux.

A multiserver design would imply increased IPC use, but not an order of magnitude.

0. https://trustworthy.systems/projects/seL4/

link
camgunz 1135 days ago
Sorry I'm pretty naive to this space. I didn't immediately see any performance info on that page save for this paper [0] which shows seL4 competitive with NetBSD, but far from Linux. Is there something else I should look at?

[0]: https://trustworthy.systems/publications/full_text/Elphinsto...

link
b112 1135 days ago
The name-calling is uncalled for.

From an observer on the sidelines: there was no namecalling.

He said you trolled, not that you ate a troll. The distinction is important.

Even the best of us troll, sometimes. (Not claiming you did btw, just that there was no name calling.)

link
saagarjha 1135 days ago
No, it doesn’t. Here’s the full quote from their website:

> seL4 is the world’s fastest operating system kernel designed for security and safety

Linux is arguably not designed for security and safety but it blows seL4 out of the water when it comes to performance. There’s a reason it only gets used in contexts where security is critical; I would have expected that you would be aware of this considering you were the one who is promoting it.

link
snvzz 1134 days ago
>but it blows seL4 out of the water when it comes to performance.

Citation needed.

And by that I mean actual benchmarks of Linux doing the few tasks seL4 does, such as IPC or context switching, faster than seL4.

link
arp242 1135 days ago
> To elaborate, seL4 claims to be the fastest kernel around[0], a claim that remains unchallenged.

Can I run Firefox or PostgreSQL on seL4? Or another real-world program of comparable complexity? And how does the performance of that compare to Linux or BSD?

That's really the only benchmark that matters; it's not hard to be fast if your kernel is simple, but simple is often also less useful. Terry Davis claimed TempleOS was faster than Linux, and in some ways he was right too. But TempleOS is also much more limited than Linux and, in the end, not all that useful – even Terry ran it inside a VM.

I've heard these sort of claims about seL4 before, and I've tried to look up some more detailed information about seL4 before, and I've never really found anything convincing on the topic beyond "TempleOS can do loads more context switches than Linux!" type stuff.

link
phendrenad2 1135 days ago
Actually over 30 million LOC
link
unixhero 1135 days ago
Well it is the kernel.
link
Gigachad 1135 days ago
We really need to be moving faster on migrating Linux to a safer language which prevents these kinds of issues.
link