undefined | Better HN

0 pointssnvzz8mo ago0 comments

>You can get the exact same bug in a microkernel

Absolutely. And yet, it is that much easier to keep a tiny codebase bug-free.

And only that tiny codebase has to run with supervisor privileges.

0 comments

Of course a tiny microkernel code base won't have NFS bugs. It doesn't implement NFS. The bug will instead be in the NFS process/daemon/service/… which considering it's an fs service won't exactly be unprivileged either, even if only by returning maliciously corrupted contents. (e.g. a SUID root file that should not exist.)

And, sure, a microkernel could have better security properties. However, (1) this has no connection at all to this specific bug, and (2) the Linux kernel seems to be doing reasonably well on security properties; or rather the industry seems to have decided it's sufficiently secure, even if not perfect.

snvzzOP8mo ago

Not only is the damage contained, but it is also much easier to protect an isolated NFS server.

For instance, instead of being able to read/write/jump literally anywhere in memory, it would only have capabilities to the resources it needs.

And these capabilities would be enforced strictly, by the bug-free microkernel. The likes of seL4 even have formal proof of correctness.

eqvinox8mo ago

And you are still making these arguments on the discussion of a bug that they have absolutely no bearing on. If Linux were written with the same exact development history, but as a microkernel, the exact same bug could (and likely would) exist in the NFS client component. The impact is spurious unavailability of service, and would be the same on a microkernel; it is not exploitable for memory corruption. And any file system service, by its function, will be in a position of relative privilege, even if less so on a microkernel.

Your arguments are likely valid, with other bugs. Please take them there. Wedging this discussion in here just makes you look like a proselytizing zealot.

j / k navigate · click thread line to collapse

0 comments

eqvinox8mo ago

snvzzOP8mo ago

Not only is the damage contained, but it is also much easier to protect an isolated NFS server.

For instance, instead of being able to read/write/jump literally anywhere in memory, it would only have capabilities to the resources it needs.

And these capabilities would be enforced strictly, by the bug-free microkernel. The likes of seL4 even have formal proof of correctness.

eqvinox8mo ago

Your arguments are likely valid, with other bugs. Please take them there. Wedging this discussion in here just makes you look like a proselytizing zealot.

j / k navigate · click thread line to collapse