By: Michael S (already5chosen.delete@this.yahoo.com), March 18, 2021 3:47 am
Room: Moderated Discussions
Brendan (btrotter.delete@this.gmail.com) on March 17, 2021 10:56 pm wrote:
> Linus Torvalds (torvalds.delete@this.linux-foundation.org) on March 17, 2021 10:30 am wrote:
> > Doug S (foo.delete@this.bar.bar) on March 17, 2021 9:30 am wrote:
> > >
> > > While everyone agrees that the performance hit of microkernels is real, for applications where
> > > security is paramount it is totally worth it.
> >
> > Bah, you're just parroting the usual party line that had absolutely no basis
> > in reality and when you look into the details, doesn't actually hold up.
> >
> > It's all theory and handwaving and just repeating the same old FUD that was never actually really relevant.
> >
> > If you actually want security - and this isn't some theory, this is how people actually do it
> > - you implement physically separate systems, and you make the secure side much simpler, and
> > you do code review like there is no tomorrow. Ie automotive, automation, things like that.
> >
> > Yes, the secure side might have a very small kernel, because it might be some special
> > automotive grade electronics that might not even have a real MMU on it. But that's not
> > what people mean when they talk about microkernels in the sense of "compared to monolithic".
> > That kernel is simply not even comparable from a capability standpoint.
> >
> > So if there is some correlation between extremely secure systems and microkernels, it's
> > exactly that: a correlation, not causation. You minimize the loads, you minimize the
> > hardware, and you might end up with a microkernel as a result. But it's not more secure
> > because of the microkernel, it's more secure because you did that minimalism.
> >
> > So even the security argument is actually mostly just complete garbage. Even if you
> > were to use a microkernel (I'm sure it happens - but often mainly because of hardware
> > limitations), it's just not a real and comparable general purpose system.
> >
> > The real security comes from limiting the load, not the use of microkernels, in other words. Often together
> > with simplifying the hardware too, because complex hardware is fundamentally more fragile (you mention
> > spectre etc, which is kind of relevant to the whole bedtime story about how secure microkernels are,
> > but it's bigger than that - in extreme cases it's about rad-hardening etc too).
> >
> > In extreme cases you don't just separate the loads, you actually replicate the secure side and
> > do multiple independent implementations and things like that. It's very very rare because it's
> > so expensive and complex to do, but security and reliability go hand in hand in many ways.
> >
> > And yes, simplifying the load very much also works with
> > monolithic kernels. It's not even unusual. Sometimes
> > you really want the advantage of a more unified system, so you partition the hardware (depending on how
> > sensitive you are to security concerns, either physically separate or just by cores or possibly even by
> > just virtualization) and you just make the secure side run much more limited and controlled loads.
> For "performance is the only thing that matters", the communication between user-space
> and kernel is too expensive and it's much better to (e.g.) build a messed up SASOS by
> dynamically linking everything (web browser, database, cron, ...) into kernel space (and
> forget about things like spectre patches and file system permissions and...).
> For "security is the only thing that matters", yes, you want to air-gap separate systems.
> In this case you can still use the same "dynamically link everything into kernel space" because
> the security doesn't depend on the separation between kernel and user-space anymore.
> Almost everything is a compromise between these extremes. For a hypothetical (likely non-linear) scale;
> maybe we can say that monolithic kernels are centered around the "66% performance 33% security" part
> of the scale and micro-kernels are around the "33% performance 66% security" part of the scale.

I would think that in a world where variations of the timing side-channel became the hottest (at least from a PR perspective, probably less so in the real world) security issue, uKernel-based designs should be considered more vulnerable rather than less vulnerable.
Under a uKernel, the attacker's requests are more likely to be serviced by the same CPU core as the victim of the attack, to use the same memory areas, etc...

Or consider something like Meltdown. Under a monolithic kernel it was patched with relative ease and with moderate performance impact. Under a uKernel, I'd imagine that it would be far more painful because the performance of the protection domain switch is much more critical.

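An added example, not code from any participant in the thread: a small Linux microbenchmark in C that puts numbers on what the post above calls the cost of a protection domain switch. It times a near-empty system call (one user/kernel transition pair, which on affected x86 parts includes the page-table switch KPTI added for Meltdown) and a one-byte ping-pong between two processes over pipes (the closest thing on a monolithic kernel to a synchronous IPC to a server in its own address space), and reports the kernel's own Meltdown verdict from sysfs so the two figures can be compared with the mitigation on and off. The iteration counts and the sysfs path /sys/devices/system/cpu/vulnerabilities/meltdown are assumptions (the path is present on kernels that carry the cpu vulnerabilities directory, 4.15 and later).

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Added example for the thread, not code from any participant.
 * Measures the two costs a uKernel pays far more often than a monolithic
 * kernel: a user/kernel transition and a cross-address-space round trip. */

static uint64_t now_ns(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}

/* Average cost of one near-empty system call (getpid via syscall(2) so
 * glibc cannot short-circuit it). With KPTI enabled this includes the
 * CR3 switch that the Meltdown mitigation added on affected x86 parts. */
double syscall_roundtrip_ns(unsigned iters)
{
    uint64_t t0 = now_ns();
    for (unsigned i = 0; i < iters; i++)
        (void)syscall(SYS_getpid);
    return (double)(now_ns() - t0) / iters;
}

/* Average cost of a one-byte ping-pong between two processes over pipes:
 * per round trip at least two syscalls on each side, two context switches
 * and two address-space switches. This is the monolithic-kernel stand-in
 * for a synchronous IPC to a server living in its own protection domain.
 * Returns a negative value if the pipes or the child could not be set up. */
double pipe_pingpong_ns(unsigned iters)
{
    int to_child[2], to_parent[2];
    if (pipe(to_child) != 0 || pipe(to_parent) != 0)
        return -1.0;
    pid_t pid = fork();
    if (pid < 0)
        return -1.0;
    if (pid == 0) {                       /* child: echo every byte back */
        char b;
        close(to_child[1]);
        close(to_parent[0]);
        while (read(to_child[0], &b, 1) == 1)
            if (write(to_parent[1], &b, 1) != 1)
                break;
        _exit(0);
    }
    close(to_child[0]);
    close(to_parent[1]);
    char b = 'x';
    double per = -1.0;
    unsigned i;
    uint64_t t0 = now_ns();
    for (i = 0; i < iters; i++)
        if (write(to_child[1], &b, 1) != 1 || read(to_parent[0], &b, 1) != 1)
            break;
    if (i == iters)
        per = (double)(now_ns() - t0) / iters;
    close(to_child[1]);                   /* EOF makes the child exit */
    close(to_parent[0]);
    waitpid(pid, NULL, 0);
    return per;
}

/* The kernel's own verdict on Meltdown, e.g. "Mitigation: PTI" or
 * "Not affected". Assumed sysfs path; "unknown" if it is not readable. */
const char *meltdown_status(char *buf, size_t len)
{
    FILE *f = fopen("/sys/devices/system/cpu/vulnerabilities/meltdown", "r");
    if (!f || !fgets(buf, (int)len, f)) {
        if (f)
            fclose(f);
        snprintf(buf, len, "unknown");
        return buf;
    }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return buf;
}

int main(void)
{
    char st[128];
    printf("meltdown           : %s\n", meltdown_status(st, sizeof st));
    printf("syscall round trip : %8.1f ns\n", syscall_roundtrip_ns(200000));
    printf("pipe ping-pong     : %8.1f ns\n", pipe_pingpong_ns(20000));
    return 0;
}
```

Build with `cc -O2 -o domswitch domswitch.c` and run it twice on the same machine, once as booted and once after rebooting a throwaway VM with `mitigations=off` on the kernel command line; the syscall figure is the one KPTI moves, and the pipe figure shows how many of those transitions a single cross-domain request drags along. The absolute numbers are per machine and not comparable across hardware, and a real uKernel's IPC fast path is far cheaper than a pipe round trip, so read the pipe result as an upper bound on what a monolithic kernel charges for the same separation, not as a measurement of any particular uKernel.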