Address Space Separation Inside the Linux Kernel
Address space isolation has been used to protect the kernel and userspace programs from each other since the invention of the virtual memory. Assuming that kernel bugs and therefore exploits are inevi …
| Talk Title | Address Space Separation Inside the Linux Kernel |
| Speakers | Mike Rapoport (Researcher, IBM) |
| Conference | Open Source Summit + ELC Europe |
| Conf Tag | |
| Location | Lyon, France |
| Date | Oct 27-Nov 1, 2019 |
| URL | Talk Page |
| Slides | Talk Slides |
| Video | |
Address space isolation has been used to protect the kernel and userspace programs from each other since the invention of the virtual memory. Assuming that kernel bugs and therefore exploits are inevitableit might be worth isolating parts of the kernel to minimize the damage that these exploits can cause.Mike is going to present a mechanism for “system call isolation” that allows running a system call with largely reduced page tables and provides the kernel with the ability to inspect the memory accesses and verify their safety based on a pre-defined policy.Another topic is assigning an address spaces to the Linux namespaces. For instance, by keeping all the objects in a network namespace private, we can achieve levels of isolation equivalent to running a separated network stack.This idea has already been posted to the linux kernel email list as aset of RFC patches so we’ll discuss both the current state of the patchset as well as potential future enhancements.
