  2. 7

    What I find fascinating about this is that the tendency has been for more and more things to move to pure software. But Linux containers are insecure so Intel is trying to use this as an opportunity to utilize their hardware more. Securing containers can be done in software, see FreeBSD Jails and Solaris Zones. I’m also skeptical that all the gore that exists in hardware virtualization is so much more secure than the software solutions. There is a lot of complexity there that I suspect just hasn’t been explored deeply by security experts rather than necessarily being outright more secure.

    1. 3

      We’ve reached complexity levels where the only way forward is fully formal, from beginning to end. Intel is not even remotely equipped for this; their idea of “formal methods” seems to be exhaustive or partial random testing of individual components. This obviously doesn’t scale or provide any real guarantees.

      It doesn’t even remotely work for security, because hackers are way smarter than this and are using actual formal methods to find exploits that an unaugmented human or random testing wouldn’t find in a million years. AFAIK, no one has done this yet on reverse engineered hardware because extracting a full netlist from a CPU is too hard, but if someone were to leak Intel’s hardware designs it would be quite feasible that a competent party would beat Intel at finding an exploit somewhere in the unmanageably complicated design.

      1. 2

        > AFAIK, no one has done this yet on reverse engineered hardware because extracting a full netlist from a CPU is too hard

        “Well, actually”, I saw an article about this recently. I’ll dig it up…

        http://blog.dragonsector.pl/2017/10/pwn2win-2017-shift-register.html

        That took some digging :)

      2. 3

        > Linux containers are insecure

        Well, theoretically, correctly configured Linux namespaces should provide the same isolation as FreeBSD jails. Someone at Google is trying to make a tool that configures them correctly. But Jails are way more time-tested still, and they offer less opportunity for mistakes by being more all-in-one than make-your-own.

        > I’m also skeptical that all the gore that exists in hardware virtualization is so much more secure than the software solutions

        The primary argument for HW virtualization seems to be that hypervisors have massively less code than Unix-like kernels. Fewer interfaces, simpler code, less attack surface.

        I’m sure something like NOVA is indeed more secure, but that’s not what anyone actually runs. In the last couple years, I’ve seen prgmr reboot my VPS’s host to patch Xen vulnerabilities several times, but I don’t remember any critical FreeBSD kernel security advisories :)

      3. 2

        This might be a stupid question but are the required Intel virtualization extensions supported on AMD ryzen CPUs?

        1. 4

          AMD has equivalents to the Intel virtualization extensions, but it’s a separate instruction set, so software needs to support it. As probably won’t surprise anyone, Intel® Clear Containers only support the Intel version.

        2. 1

          Sounds like a heavier-weight version of what high-security was doing in 2003-2005 with solutions such as Turaya and L4Linux:

          http://www.perseus-os.org/content/pages/Architecture.htm

          https://os.inf.tu-dresden.de/papers_ps/nizza.pdf

          The TUDOS demo that combined L4 with L4Linux, a user-mode version of Linux, let one load VMs instantly in one click. That kind of work got modified by Green Hills and Lynx for use with unmodified OSes such as Windows with Intel VT. The kernels and trusted software were kept deliberately small with some of them mathematically verified against security spec with covert channel suppression where possible. Most were proprietary, though, so I don’t know which used KVM, Qemu, etc. I think they made their own. NOVA did Seoul VMM. Genode is using VirtualBox in contained partitions so that’s too heavy but has user-mode Linux and native on microkernel if wanting light stuff.

          Anyway, they’ve taken quite a long time to get back to lightweight, secure containers on Intel architecture. Still looks weaker than what small teams and industry were doing over a decade ago. They can still learn. Sirrix at least is applying Turaya with secunet using Muen separation kernel to their work.