FS drivers do not belong in privileged contexts. The FS driver for an untrusted FS should be executing in a context where it can do nothing worse than store or retrieve wrong data.
Conversation
This Tweet was deleted by the Tweet author. Learn more
No, that's not what he means. He's saying that an external file system should have a sandboxed filesystem driver, so that exploiting a bug inside it doesn't immediately grant complete control over the entire system and at least requires privesc to escape (likely via the kernel).
1
4
Try reading the overview in events.linuxfoundation.org/wp-content/upl. Finding a Linux kernel vulnerability is not hard. Literally hundreds of bugs are found by syszkiller every month and many are not fixed. Most are memory corruption. There are simply too many to even fix all discovered bugs.
2
5
yes, we don't need to debate the question "can people write memory safe code in C" the answer is overwhelmingly obvious to almost all of us
3
1
18
It would be hard enough to make a microkernel secure if it was 50k lines of Rust with only 4k lines of unsafe code with potential memory corruption, let alone millions of lines of trusted C full of memory corruption from all kinds of trivial mistakes / oversights. It's a joke.
1
4
17
Just want to point out that seL4 is about 10K lines of C and is formally verified to use no UB, no OOB array access, no crashes, etc... Not trying to defend C but there are ways to make anything safe if you care enough. The problem is people don’t care.
3
1
8
Sure, but at that point it's not C. It's a subset of C that was verified via proofs. Those proofs are an extension to the language. Similarly, you can define a general purpose subset of C with annotations for ownership, lifetimes, etc. letting you write memory safe code.
2
1
Sure it's C. You can do a lot of idiotic things with C. You can do a lot of idiotic things with most languages. You shouldn't do them.
1
There are ways to write C that are both completely idiomatic and amenable to static analysis, correctness proofs, etc. Doing so does not make it a weird and esoteric language that no longer resembles C. It makes it a much more readable and friendly language.
2
1
It does require having a whole bunch of annotations and it is hardly compatible with existing C code. It substantially restricts how you are able to write the code and the code needs to be specifically written for it. Otherwise, you still have memory corruption bugs.
Memory corruption bugs are almost entirely either simple overflows or a result of complex protocols for object lifetime and ownership. If you completely refrain from the latter, the problem of avoiding them is very tractable.