Conversation

This Tweet was deleted by the Tweet author. Learn more

Replying to

No, that's not what he means. He's saying that an external file system should have a sandboxed filesystem driver, so that exploiting a bug inside it doesn't immediately grant complete control over the entire system and at least requires privesc to escape (likely via the kernel).

Replying to

Try reading the overview in events.linuxfoundation.org/wp-content/upl. Finding a Linux kernel vulnerability is not hard. Literally hundreds of bugs are found by syszkiller every month and many are not fixed. Most are memory corruption. There are simply too many to even fix all discovered bugs.

Replying to

yes, we don't need to debate the question "can people write memory safe code in C" the answer is overwhelmingly obvious to almost all of us

This Tweet was deleted by the Tweet author. Learn more

Replying to

Victor what is your interpretation of the results presented in the syzkaller slide deck?

This Tweet was deleted by the Tweet author. Learn more

Replying to

ok! so then would it be fair to say that you don't believe these bugs reflect any sort of shortcoming in the C language, but rather they all stem from ineptitude or a refusal to follow best practices?

This Tweet was deleted by the Tweet author. Learn more

Replying to

Separately from using a memory safe language for most of the code, device drivers usually do not need to run in a privileged context. They can be run in an isolated process with the IOMMU containing the hardware. Exploiting a network driver shouldn't compromise a whole system.

7:41 PM · Apr 17, 2019Twitter Web Client

Replying to

A kernel designed with security and robustness in mind isn't going to make the same architecture and tooling decisions as the Linux kernel. It's the equivalent to putting the entirety of userspace into a single process with no security boundaries, and no memory safe languages.

This Tweet was deleted by the Tweet author. Learn more

Replying to

Even before IOMMU existed, the programming model of letting drivers setup DMA themselves rather than going through a safe public interface that could have imposed IOMMU on them with no source-level changes was bad design.