I get that there are some use cases where performance really matters to the point where kernel network stack and drivers make a difference (high-throughput and/or low-latency services running on servers, high-performance routers...), but that should not be the default for everyone.
For over a decade our computers have gotten faster marginally, but our software has gotten slower at a greater rate.
You can barely navigate the web now with a new low end computer (that isn't a Chromebook). Most on this site won't care though because our machines cost $2,000+ and the web is Fine(tm); many folk aren't buying anything over $300 though.
2) These are memory bugs, so the introduction of Rust into the kernel could help us here potentially, no need for an architectural revolution.
We're talking about network stacks and network drivers, not web browsers. Migrating the network stack from the kernel to a user-land process is not going to measurably slow down web browsers, especially on modern systems with gigabytes of RAM, multiple cores, IOMMUs and whatnots.
> These are memory bugs, so the introduction of Rust into the kernel could help us here potentially, no need for an architectural revolution.
That would require rewriting the network stack and network drivers in Rust (driver code is much more likely to have bugs than the rest of the kernel) for this to be effective, otherwise you'll still have a lot of C code in the network path. I'd argue that this would be a bigger architectural revolution than porting the existing code and running it in user-land. MINIX3 went through such a change when drivers were removed from the kernel (can't find the publication about it right now) and they only required reasonably small changes when porting these to user-land, there were not rewritten from scratch.
But this is not just about memory safety, Rust code can still be vulnerable in many other ways (memory leaks, unsafe blocks, wrong assumptions, incorrect algorithm implementation, buggy/compromised toolchains...). Code running inside the trusted computing base of a system is a liability, enforcing privilege separation and principle of least authority reduces it.
The operators of websites that derive most of their revenue from advertising are going to run their sites at whatever level users will tolerate. Where network drivers are faster they'll either cram in more ad tracking, or won't bother optimizing their existing trackers. If users stop accessing sites because they're too slow to load, operators will either cut down on ad tracking, or more likely, put some effort into optimizing the performance of their ad trackers.
Rust is itself something of an architectural revolution. I believe network drivers in userspace is already a thing, and eBPF may also have a role here. All of this is worth exploring. This is what progress in Linux looks like.
You can barely navigate the web now with almost any computer. I have a high-end laptop and opening a few tabs from various sites on the Internet will cause the CPU usage and fan speed to spike. Just for a few tabs! Obviously not all sites do this, but the web has become a framework of advertising monstrosity and I can barely navigate and consume much of today's web content without enabling Reader Mode.
The short-term effect may be a slight improvement, but it's a treadmill and the next wave of web crapware will more than nullify it.
If a microkernel architecture with worse performance got established on all mainstream devices, the experience would be worse in the short term but in the medium term, the crapware would have to adapt so that it again becomes just barely usable as it is today.
The problem is that the short-term gains create an incentive for users to buy/use the marginally faster hardware or kernel, which then forces everyone else to follow suit.
Ok, we could make it optional, i.e. additional security for those who wish it (on top of other things we could do, like the things you mentioned but which aren't a panacea too).
See eg https://talawah.io/blog/linux-kernel-vs-dpdk-http-performanc...
No. I want the kernel to have as much functionality as possible. I have some zero dependency freestanding software that I boot Linux directly into. I really don't want to have to maintain additional user space in the form of C libraries. If I need to manage wifi connections, I should be able to make some system calls and be done with it without having to link to anything else.
Anything related to hardware belongs in the kernel so that all software can access it via Linux's amazing language agnostic system interface. If there are security problems, then that process should be improved without screwing up the interface by replacing it with user space C libraries. We have enough of that in the graphics stack.
And even worse, because kernel still have to distribute data to other userland program, you actually need another round trip so the impact need to multiply by two.
Do you have benchmarks that show the impact of switching to userspace on a typical, loaded desktop system with all kinds of workloads? Or are you just guessing?
This publication (http://www.minix3.org/docs/jorrit-herder/asci06.pdf) claims that MINIX3 could saturate a 1 Gb/s Ethernet link with an user-space network stack, with separate processes for the stack and the driver, on a rusty 32-bit micro-kernel that can't do SMP. In 2006.
Oh hell no! User-land driver can barely handle WiFi 4 speeds (72Mbps), with terrible CPU performance (1000's of context switches and interrupts per second).
For WiFi 5 (ac), WiFi 6 (ac), you need heavy WiFi firmware involvement, multiple DMA queues and kernel driver, and even with all that it requires special care to reach target performance. There is no chance in hell to reach that kind of performance in user-land.
1. Date of year has nothing to do with doing things correctly, ever.
2. Ironically, pulling it out of the kernel and running it in user-land will probably bring about more bugs and issues. I would much rather we just fix the problem where it is, and leave it at that, instead of potentially introducing new problems, like backdoors and exploits in the software provided. Not saying it WOULD happen, but the potential for it alone is just not worth the risk in my honest opinion. Let's just fix the right way, and be done with it.
I’m on board so long as there is a choice. Routers with crappy hardware need as much help as possible. Also tangentially this is why the current darling of VPN tech, WireGuard, is implemented in kernel not userspace.
"WEINBERG'S SECOND LAW: If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization."
So someone else should have done it for you by now?
Be the change you want to see in the world.
I'm sure you have an excuse for not doing it personally. Just as I'm sure the person who you've mentally assigned responsibility has at least as good of an excuse too.
I have made dozens of commits to MINIX3, including a brand-new ISO 9660 file system implementation (https://github.com/Stichting-MINIX-Research-Foundation/minix...).
I have made more than a hundred commits to SerenityOS (https://github.com/SerenityOS/serenity/commits?author=boricj).
Just because I deplore the general state of security in mainstream operating systems doesn't mean that I demand that someone else does something about it for free.
I'm not paid to fix security bugs in the Linux kernel, do you expect me to fix these myself for free just because you want to? No one is entitled to my own free time spent hacking on random stuff.
[1] https://blog.cloudflare.com/how-to-achieve-low-latency/ - 30-45 microseconds on plain 10G ethernet - faster ethernet probably wouldn't improve much on this
[2] https://eli.thegreenplace.net/2018/measuring-context-switchi...
The problem is that drivers are exploitable in the first place, so the solution is that we should make them not exploitable (using Rust, or a better language than Rust that fixes some of its problems) and try to preserve our performance that is rapidly being stolen away by bloated userspace software, rather than just shrug our shoulders and say "oh well, I guess that drivers are just intrinsically insecure".
As I understood the issues, this will probably lot's of "fun". You can broadcast the pcap files with any monitor mode capable wifi router. Luckily it's 5.1+ so most devices run very old vendor patched kernels and are probably not affected but at least for causing havoc this is really bad. As one issue is using beacon frames just a scan for networks should be enough for a crash. So you can at least crash and maybe exploit any device running recent Linux that scans for wifi networks.
I'm not sure how it's possible to do over the air remote code execution but I guess people are working on this.
DoSing is now "easy" as you say, just send those frames and a Linux computer that is currently listening to the network (e.g. scanning for networks) and thus processes the Beacon frames will at least crash. It might be the case that some wifi chips will filter those invalid frames or crash themselves, that depends on the actual hardware / firmware.
The victim must not be connected to a malicious AP or similar, so there is no requirement for tricking a user into something.
RCE is not trivial at all, but due to the nature of the different faults, might be possible. Therefore, see e.g. Mathy Vanhoef who discovered several impressive Wifi vulnerabilities in the past:
Beware that your WiFi password will be forgotten every VM reboot (but there is a workaround on the forums).
But it sure looks like it was a wise idea to spend the resources on isolating network hardware!
Seems like a pretty major vulnerability that affects tons of devices.
And some are obviously correct... But others would require a lot more understanding of the code to be sure they're correct.
Someone should go through this with a keen eye to check the fixes are actually correct, and aren't just making the fuzzer stop alerting while leaving a more subtle vulnerability open.
Edit: Looks like GCC removed the warning because it was unreliable. Clang and MSVC seem to be in better shape. https://gcc.gnu.org/legacy-ml/gcc-help/2011-05/msg00360.html
That is an odd position when -Wstringop-overflow also highly depends on the optimizer (and will frequently generate false positives!) but not only remains in GCC but is enabled by default (even without any -Wall/-Wextra).
Things like this are why its pays to compile your project with as many compilers as possible (as well as static analysis tools).
ArchLinux seems to also have it patched in 6.0.1-arch2-1 though[0].
Updating my own comment (too late to edit), that release is now out with the fixes. The full set of stable releases with these fixes is: 6.0.2, 5.19.16, 5.15.74, 5.10.148, and 5.4.218 (source: https://lwn.net/Articles/911272/).
So is this for public/open Wifi networks only? Or is it for any wireless network where you do not control the gateway?
https://lwn.net/Articles/911071/
>> anybody who uses WiFi on untrusted networks
> It's actually worse than that - you just have to be scanning (though one of the issues requires P2P functionality to be enabled).
> So basically it's just
>> anybody who uses WiFi
> unfortunately.
And:
> Sorry, it took me longer than expected but I just posted PoCs + logs here: https://www.openwall.com/lists/oss-security/2022/10/13/5
> Most of the vulnerabilities were introduced in 5.1/5.2.
It's worse than that - android kernels process beacon frames even if wifi is disabled.
So you should be worried about this if you have an android 11/12 phone, even if you don't use wifi.
Linux desktop/laptop users should be worried if they have wifi enabled, even if not connected to a network.
Though that may not be a generally used name as yet.
Keep using unsafe langs.
What will be there in next week? CVE in Chromium?
At this point betting sites should add category for that kind of games.
I do wonder what people of future will think about this:
"So they had research indicating that a lot of issues were related to memory, had technology which significantly reduces this issue, but they still kept doin mess for years?"
https://msrc-blog.microsoft.com/2019/07/22/why-rust-for-safe...
https://microsoftedge.github.io/edgevr/posts/Super-Duper-Sec...
https://www.chromium.org/Home/chromium-security/memory-safet...
Memory issues and JIT (browsers) are two things that are responsible for disgusting amount of security issues
You cannot rewrite the entirety of the Linux kernel in another language overnight. You'd have years at least until it becomes production-ready. Not to mention the performance and memory use will be worse.
Certainly the situation can and should be better, but adopting this "it's so easy, how does nobody see it?" attitude helps no one.
The linux kernel in particular is perhaps the single most important piece of software on the planet. And we vulns like this all the time. Hundreds per year. And there's billions more lines of C and C++ out there handling all sorts of untrusted input.
The path off C and C++ is complicated as shit. Interop with Rust is messy and there aren't effective tools for automatic translation. Carbon is barely a language at this point (they don't even have a compiler) and doesn't yet provide safety. The story for the other alternative languages isn't any better. But I really wish the industry was throwing billions at this across dozens of major companies and open source organizations.
How much?
(If you don't have a subscription, the article will become freely available to everyone on Oct 27th.)
tl;dr, it doesn't do anything interesting yet, but the infrastructure is getting there, and starting the process of evolving the kernel to using a safe language.
