[kwlug-disc] System security

Chris Frey cdfrey at foursquare.net
Wed Sep 14 00:14:39 EDT 2022


On Tue, Sep 13, 2022 at 09:57:19AM -0400, Mikalai Birukou via kwlug-disc wrote:
> Virtualization as a security measure is mostly placing memory barriers.
> DefCon loves talks about escape from a VM's memory. All those row hammer,
> meltdown and spectre type bugs are about looking at and messing with others'
> memory.
> 
> Is this a correct overall view?

I'm going to have to catch up on the discussion I missed, but I would say
yes.


> If so, can we say that it is a paramount feature of a system to ensure memory
> boundaries between processes?

Yes, these days.  Sadly sabotaged by hardware issues.  There were some
fairly useful systems in the past that didn't have memory protection,
like DOS, but those days are past.


> The second aspect is what capabilities/permissions are given to processes,
> and whether the user can control them. A flashlight program shouldn't get to
> read my tax returns. Memory enforcement keeps snakes separated.
> Capabilities/permissions let the user adjust each snake's compartment. But
> without memory enforcement, capabilities/permissions can sooner or later be
> overcome.
> 
> Is this second statement correct?

Yep.  Doesn't matter if the filesystem stops reading your private ssh key
if it can be read straight out of RAM.

- Chris
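
The thread names meltdown and spectre as hardware issues that undermine memory boundaries. The following is an added example, not part of the original messages: it reads the Linux kernel's own per-flaw status files under `/sys/devices/system/cpu/vulnerabilities` and groups them by verdict. The `SAMPLE` values are constructed and are used only when that directory is absent; the function names and the `partial` verdict are choices made for this example.

```python
"""Added example: report the kernel's view of CPU memory-isolation flaws."""
from pathlib import Path

# Linux sysfs directory with one file per known CPU flaw (meltdown, spectre_v2, ...).
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample contents, used when sysfs is absent (non-Linux, old kernel).
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Vulnerable",
    "l1tf": "Not affected",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
}


def classify(status: str) -> str:
    """Map one status line to not_affected / mitigated / partial / vulnerable / unknown."""
    s = status.strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    if s.startswith("Mitigation"):
        # Some lines carry a caveat such as "SMT vulnerable" after the mitigation name.
        return "partial" if "vulnerable" in s.lower() else "mitigated"
    return "unknown"


def read_status(directory: Path = SYSFS_DIR) -> dict:
    """Return {flaw_name: status_line}; fall back to SAMPLE if sysfs is unavailable."""
    if not directory.is_dir():
        return dict(SAMPLE)
    return {p.name: p.read_text().strip()
            for p in sorted(directory.iterdir()) if p.is_file()}


def audit(entries: dict) -> dict:
    """Group flaw names by verdict so unmitigated ones stand out."""
    report = {}
    for name, status in sorted(entries.items()):
        report.setdefault(classify(status), []).append(name)
    return report


if __name__ == "__main__":
    for verdict, names in audit(read_status()).items():
        print(f"{verdict:13} {', '.join(names)}")
```

Anything listed under `vulnerable` or `partial` is a case where process or VM memory boundaries depend on a mitigation that is missing or incomplete on that machine.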




