Threads for iggle

  1. 6

    I really wish systemd didn’t insist on being PID 1. Then it would be the perfect answer to “how do I run multiple processes in a single container?”

    1. 7

      Yes, you don’t know what you are missing until you’ve used an init system that supports arbitrary recursion, like the Genode init.

      1. 3

        If you’d like, could you say a little more about what value you’ve found in that sort of thing?

        1. 12

          In Genode the init component basically enforces security policies, so you can create a tree of subinits that are successively more locked down, and there isn’t any escape hatch to escalate privilege. File-system and networking is in userspace, so managed by init, and you can arbitrarily namespace networking and file-systems by isolating instances in different inits.

          1. 4

            This means the same process manager can be used on a per-project level. You could write your systemd units for development, which would be pretty close to those for the system.

        2. 3

          What semantics of systemd do you think are better suited inside containers than other (perhaps less opinionated) supervisor inits?

          1. 4

            Familiarity, and the ability to write daemons for both in-container and out-of-container use.

            1. 2

              And being able to use existing software which expects to be launched by systemd!

          2. 3

            It’s also worth noting that podman just has a ‘–systemd=true|false|always’ flag that allows this behaviour.

            1. 1

              From the RHEL containers manual (emphasis mine):

              The UBI init images, named ubi-init, contain the systemd initialization system, making them useful for building images in which you want to run systemd services, such as a web server or file server. […]

              Because the ubi8-init image builds on top of the ubi8 image, their contents are mostly the same. However, there are a few critical differences:

              ubi8-init:

              • CMD is set to /sbin/init to start the systemd Init service by default
              • includes ps and process related commands (procps-ng package)
              • sets SIGRTMIN+3 as the StopSignal, as systemd in ubi8-init ignores normal signals to exit (SIGTERM and SIGKILL), but will terminate if it receives SIGRTMIN+3

              ubi8/ubi-init in the Red Hat Container Catalog. Red Hat’s UBI images are free for everyone. I am not affiliated with Red Hat.

              1. 1

                …I am affiliated with Red Hat and didn’t know this.

                Whoops. Thank you!

            1. 2

              I have had multiple Ubikeys for a long time as I am a frequent international traveler, and am afraid of Google locking me out suddenly. Having a Ubikey gives me peace of mind, but it losing the key can be a headache, as I need to buy another costly key, log into every service that uses the key, remove it, and add a new key. With this project (I hope, I haven’t tested), I may be able to simply gpg encrypt my fidokey and keep it safe in my computer rather than having to worry about my ubikeys.

              1. 3

                It’s a really interesting tradeoff. Nominally the value prop of the Yubikey is that it’s a separate physical device so that you know that “even if someone were to steal my laptop and have unfettered access to my password manager, they still wouldn’t be able to access these services”

                But the flip side is definitely a concern too… if I lose my (physical) keychain, I won’t be able to access these services either.

                In my own experience, I have had a laptop stolen but haven’t ever had my keys stolen nor have I lost my keys for any length of time. My wife, though, has the opposite experience.

                1. 1

                  I mean no, that’s not a good reason to use a Yubikey at all. It’s about having a smartcard that performs cryptographic operations for you without exposing the keys. Of course using it as a second authentication factor is a specific use case of that, also providing multidevice access as a side-effect of being a separate device. More to the point, compromising a device cannot leak the keys for further attack vectors.

              1. 3

                I’ve recently wondered whether there is merit to the idea of taking the crypto acceleration instructions in most normal CPU’s and turning them into a dedicated co-processor, maybe also with some dedicated RAM. Not really for performance reasons, but rather for isolation; I’m imagining a single, in-order core with basically a single algorithm programmed into it and no bus, clock, or anything else shared with the main CPU. You can then prove that the co-processor always runs at a fixed rate for given input, know for a fact that nothing else is doing anything that can tamper with its performance (since it’s a single execution thread dedicated to a particular calculation, ideally one that is in-order), and it would (hopefully) be easier to control the side-channels one can observe from it. The main processor would not be able to ask the coprocessor about its clock rate, load/store latency, power usage, or anything else that could leak info about what it’s doing. Maybe you could even have multiple coprocessors to aid throughput, multiplexed by the OS; another process might be able to tell that you’re using a crypto coprocessor, but nothing else apart from “started using it” and “stopped using it”.

                Then the rest of our programs could go off and use whatever optimizations hardware wants to implement, while the time-sensitive parts get their own dedicated sandbox.

                1. 2

                  I think a “I’m doing crypto now” mode could be more useful (fixed clocks, fixed memory access times, fixed operation times). Might slow down some algorithms, but is guaranteed to not have any timing side-channels (and maybe no power side-channels?). Would be annoying to handle this in kernel though (what do you do if a process put a core into this mode and got preempted? Do you keep that mode on? Do you turn it off and turn it back on when putting the process back on? Do you only allow mode change in the kernel to be accessed by a syscall?)

                  1. 1

                    A lot of these assurances would be provided by executing your crypto with the help of a trusted execution environment or straight up a hardware security module.

                    1. 1

                      Tempting, but may be costly.

                      If you want something generic capable of implementing many primitives, you may require quite a bit of silicone even if the pathologically straight-line code we see in crypto does not benefit from out of order execution or even a cache hierarchy. You’ll still need sizeable ALUs, and efficient multiplication (an array of 64->128 multipliers would be awfully nice), and a form of SIMD to feed all those units.

                      If however you want something cheap yet fast, you’ll probably need to settle on some hardware friendly primitive like Keccak. Asymmetric crypto may still be a problem though, except perhaps if we use a binary field elliptic curve (about which I’ve heard security is not as settled as it is for prime field curves). The biggest problem is it’s quite inflexible.

                      Unless the world comes crashing down, I don’t see hardware vendors proposing either alternative. Except for some niches, but then we already have FPGA or even ASIC implementations in specific places.

                    1. 2

                      Did this get taken down for some reason? I had to hit the wayback machine to read it.

                      It mainly seems useful as background for understanding future attacks, as opposed to being of immediate pragmatic interest, but it was a very interesting read from that perspective.

                      1. 1

                        The paper is scheduled to appear in ISCA ’22, which is not until June. I’m guessing publishing the paper on their site might conflict with the submission guidelines of the conference.

                      1. 2

                        This is somewhat confusing authentication with device binding. It’s easier and more convenient to separate these into layers.

                        JWTs allow for authenticating requests and enriching them with information from IDPs such as scopes and roles without requiring coordination. If your concern is that device being compromised to the point of breaking the transport layer encryption, there are ways to bind that token to devices such as additionally signing the requests with e.g. a hardware token or certificates from a TEE.

                        1. 35

                          I guess I’ll be the one to say it… Learn a LISP. Doesn’t matter which one, though I would recommend Clojure.

                          If you want to get away from the C-style imperative programming, LISP is quite far away. But it contains many ideas that C-style languages have been trying to emulate for decades with mixed success. I think that this footnote in the Structure and Interpretation of Computer Programming (chapter 3 #27) explains what is meaningful about LISP and the LISP way of doing things more succinctly than any other explanation I have seen (funny that it’s just a footnote).

                          For Clojure itself there is a good number of resources, many of which listed here. The first on that list Clojure Distilled provides a great introduction to the language, and Clojure for the Brave and True provides a much fuller guide.

                          However I am cheating a little, since most LISPs including Clojure are dynamically typed, and I initially considered this a weak point of the language. However it is my opinion that they LISP syntax and methodology provide the best experience of dynamically typed programming there is, and Clojure provides many facilities such as pre/post conditions, spec, and TypedClojure.

                          1. 5

                            Lisp is a good suggestion, despite not fitting all the criteria. I personally would recommend going for either Common Lisp (SBCL) or Scheme (Racket) to start with though. Clojure for the Brave and True isn’t a bad book, but I think that A Gentle Introduction to Symbolic Computation or The Little Schemer followed by SICP provides a much nicer path for a beginner, and then if one feels that switching to Clojure would be advantageous they can do so after the fact.

                            Obviously this is just personal opinion, but that’s my experience (I don’t use Clojure much though, and started to learn it after experience with both Common Lisp and Scheme).

                            1. 3

                              This Introduction to Clojure was posted a year ago and was a really good (relatively) short-form induction for me.

                              1. 2

                                Any reason for recommending Clojure over more traditional suggestions CL or Scheme (including concrete implementations)?

                              1. 5

                                Thank you very much for the writeup, I might actually make the jump now, I was very hesitant to use all the docker all-in-one solutions.

                                Unlike SPF and DKIM, DMARC doesn’t really do anything

                                This is technically not true, as far as I know, as it changes the behaviour of DKIM and SPF if you have it enabled. For example, pure SPF will only check the sending envelope for a valid sender but ignore the <FROM:> header, which is actually what the user gets to see. With DMARC enabled, this behaviour is extended.

                                https://media.ccc.de/v/36c3-10730-email_authentication_for_penetration_testers

                                1. 2

                                  DMARC in fact does so much that mailing lists have to change their behavior.

                                  I still don’t fscking understand whether setting p=reject would be okay with (e.g. freebsd.org, freedesktop.org) mailing lists or whether that would send all mail forwarded from me by the mailing lists (in case of freebsd.org at least, with the list’s added “signature” and me in From) to trash/spam everywhere.

                                  1. 1

                                    Glad to hear that!

                                    And I’ll update the DMARC section, thanks.

                                  1. 2

                                    For example, we’ll generate a key pair where the public key starts with “iPho” to denote that it’s a key pair to be used on the iPhone client.

                                    I have no real understanding of ECC but it doesn’t really seem like a good idea to limit the keyspace for something that could be solved by commenting a configfile.

                                    1. 1

                                      It’s not limiting the keyspace since all the keys are randomly generated and the vanity address generator simply filters down the list to ones that match the vanity characters. The benefit is that the public key is self-documenting removing need for explicit commenting in the config file.

                                    1. 4

                                      But in a life surrounded by bells and flashing lights I can find the time to be present with those I care about.

                                      I like turning on greyscale in the accessibility options on my phone. Most bells and whistles are muted and I can concentrate on what I’m actually reading. It also greatly diminishes the time I spend on it.

                                      1. 2

                                        I have been building a lot of infrastructure on bare metal at work. After working out all kinds of trade offs for our requirements based mostly on documentation and skimming code, I am dying to do a deep dive on the internals.

                                        I am currently reading through the Kubernetes Developer Guide and I finally want to get involved on some Open Source work. I’m looking at RKE, Moby and maybe Heketi (I’d like to see a Snapshot Class for GlusterFS Storage at some point). “Building Microservices” from Sam Newman seems very interesting to me as well, as I’m very sceptical about performance costs of communication.

                                        On a more personal note, I’m finally getting back to dedicating a more regular schedule to improving my Karate.

                                        1. 8

                                          All events will be recorded and live streamed at https://media.ccc.de/

                                          1. 2

                                            To add to this, if you want to join or organize your own public viewing, check on the event wiki under Congress Everywhere