Kernel Address Space Isolation Is Still Being Explored For Better Security
1 - 2 min read
Nov 04, 2019
IBM developers and others continue exploring the potential for address space isolation in the Linux kernel to reduce the risk of leaking sensitive data in attacks like L1 Terminal Fault (L1TF), MDS, and other vulnerabilities. Though this does increase the complexity of the kernel code and the performance hit is still to be evaluated. Learn more in an interesting Phoronix article:
Mike Rapoport and James Bottomley presented at this week's Open-Source Summit Europe in France on Address Space Isolation within the kernel compared to the current structure of the kernel using a single address space. The still in-progress A.S.I. patches could allow for certain kernel contexts like the Kernel-based Virtual Machine (KVM) to have a separate address space to reduce the exposure of sensitive data.
Kernel Address Space Isolation was proposed earlier this year but its impact is still to be fully evaluated in terms of the impact on code complexity and overall security benefits as well as performance. As such, this functionality isn't coming to a near-term kernel release but those wanting to find out more can do so via this PDF slide deck from the presentation.
The link for this article located at Phoronix is no longer available.
Related Articles
1 - 0 min read
RunC Container Escape Flaws Grant Attackers Host Access
1 - 0 min read
Critical Glibc Flaws Put Major Linux Distros at Risk
1 - 0 min read
Hackers' Backdoor: Warning of New Linux Kernel Vulnerability
