February 4, 2020

229 words 2 mins read

Address Space Separation Inside the Linux Kernel

Address Space Separation Inside the Linux Kernel

Address space isolation has been used to protect the kernel and userspace programs from each other since the invention of the virtual memory. Assuming that kernel bugs and therefore exploits are inevi …

Talk Title Address Space Separation Inside the Linux Kernel
Speakers Mike Rapoport (Researcher, IBM)
Conference Open Source Summit + ELC Europe
Conf Tag
Location Lyon, France
Date Oct 27-Nov 1, 2019
URL Talk Page
Slides Talk Slides
Video

Address space isolation has been used to protect the kernel and userspace programs from each other since the invention of the virtual memory. Assuming that kernel bugs and therefore exploits are inevitableit might be worth isolating parts of the kernel to minimize the damage that these exploits can cause.Mike is going to present a mechanism for “system call isolation” that allows running a system call with largely reduced page tables and provides the kernel with the ability to inspect the memory accesses and verify their safety based on a pre-defined policy.Another topic is assigning an address spaces to the Linux namespaces. For instance, by keeping all the objects in a network namespace private, we can achieve levels of isolation equivalent to running a separated network stack.This idea has already been posted to the linux kernel email list as aset of RFC patches so we’ll discuss both the current state of the patchset as well as potential future enhancements.

comments powered by Disqus