undefined | Better HN

0 pointsdelusional10mo ago0 comments

> it's just sort of understood that a kernel LPE is going to break containers.

I think it's generally understood that any sort of kernel LPE can potentially (and therefore is generally considered to) lead to breaking all security boundaries on the local machine, since the kernel contains no internal security boundaries. That includes both containers, but also everything else such a user separation, hardware virtualization controlled by the local kernel, and kernel private secrets.

0 comments

zrm10mo ago

A large proportion of LPE vulnerabilities are in the nature of "perform a syscall to pass specially crafted data to the kernel and trigger a kernel bug". For containers, the kernel is the host kernel and now the host is compromised. For VMs, the kernel is the guest kernel and now the guest is compromised, but not the host. That's a much narrower compromise and in security models where root on the guest is already expected to be attacker-controlled, isn't even a vulnerability.

Veserv10mo ago

VM sandbox escape is just "perform a hypercall/trap to pass specially crafted data to the hypervisor and trigger a hypervisor bug". For virtual machines, the hypervisor is the privileged host and now the host is compromised.

There is no inherent advantage to virtualization, the only thing that matters is the security and robustness of the privileged host.

The only reason there is any advantage in common use is that the Linux Kernel is a security abomination designed for default-shared/allow services that people are now trying to kludge into providing multiplexed services. But even that advantage is minor in comparison to modern, commonplace threat actors who can spend millions to tens of millions of dollars finding security vulnerabilities in core functions and services.

You need privileged manager code that a highly skilled team of 10 with 3 years to pound on it can not find any vulnerabilities in to reach the minimum bar to be secure against prevailing threat actors, let alone near-future threat actors.

zrm9mo ago

The syscall interface has a lot more attack surface than the hypercall interface. If you want to run existing applications, you have to implement the existing syscall interface.

The advantage to virtualization is that the syscall interface is being implemented by the guest kernel at a lower privilege level instead of the host kernel at a higher privilege level.

tptacek9mo ago

If this were true, it would be easy to support the claim with evidence. What were the last three Linux LPEs that could be used in a realistic scenario (an attacker with shell, root, full control of guest kernel) to compromise a KVM host? There are dozens of published LPEs every year, so this should be easy for you.

1 more reply

tptacek10mo ago

Yes, what they just said here. ^^ ^^

transpute10mo ago

> hardware virtualization controlled by the local kernel

In some architectures, kernel LPE does not break platform (L0/EL2) virtualization, https://news.ycombinator.com/item?id=44141164

  L0/EL2  L1/EL1                   

  pKVM    KVM                  
  AX      Hyper-V / Xen / ESX

tptacek10mo ago

Most Linux kernel LPEs --- in fact, the overwhelming majority of them --- don't threaten KVM hosts when exploited in KVM guests.

billywhizz9mo ago

is there anything good written up on this?

1 more reply

j / k navigate · click thread line to collapse

0 comments

zrm10mo ago

Veserv10mo ago

There is no inherent advantage to virtualization, the only thing that matters is the security and robustness of the privileged host.

zrm9mo ago

The syscall interface has a lot more attack surface than the hypercall interface. If you want to run existing applications, you have to implement the existing syscall interface.

The advantage to virtualization is that the syscall interface is being implemented by the guest kernel at a lower privilege level instead of the host kernel at a higher privilege level.

tptacek9mo ago

1 more reply

tptacek10mo ago

Yes, what they just said here. ^^ ^^

transpute10mo ago

> hardware virtualization controlled by the local kernel

In some architectures, kernel LPE does not break platform (L0/EL2) virtualization, https://news.ycombinator.com/item?id=44141164

  L0/EL2  L1/EL1                   

  pKVM    KVM                  
  AX      Hyper-V / Xen / ESX

tptacek10mo ago

Most Linux kernel LPEs --- in fact, the overwhelming majority of them --- don't threaten KVM hosts when exploited in KVM guests.

billywhizz9mo ago

is there anything good written up on this?

1 more reply

j / k navigate · click thread line to collapse