On Fri, Mar 2, 2018 at 6:42 AM, Heiko Baums <li...@baums-on-web.de> wrote:
> Am Thu, 1 Mar 2018 21:45:46 -0500
> schrieb Rich Freeman <ri...@gentoo.org>:
>> If they did move netfilter to userspace, then it would
> most likely be more insecure because a userspace process can be easier
> bypassed, killed, hacked or whatever. That's a lot harder with the
> kernel if not impossible.

It is actually the opposite.  The whole appeal of microkernels is that
they can potentially be a lot more robust.

Consider something like netfilter.  The code in netfilter is exposed
to unfiltered network traffic.  If it contains a bug then a remote
attacker might be able to run arbitrary code in kernel space, where
there is no separation of privs.  That code can access everything on
the machine.

On the other hand, if netfilter were implemented in userspace such as
via a microkernel, then if it contained a bug the remote attacker
would be able to MITM all network traffic on the machine, but that
would be the extent of the access they have.  Granted, it still
wouldn't be ideal because it probably would include local traffic that
might not be encrypted (think localhost traffic and socket
connections/etc).  Then again, depending on the implementation
different interfaces or connections might run in separate processes in
which case a remote attacker might only be able to MITM his own
connection.  The process running the netfilter code doesn't need
anything other than a pipe back to the kernel to receive packets and
send packets back, so it can run with minimal privs otherwise.

The fact that there are convenient command-line utilities to kill a
process does not mean that they are less secure/robust than kernel
modules.  Generally you have to be running as root to kill a process
with a different UID, and bugs that allow this to be exploited are
treated as severe by the kernel team (and in a microkernel they would
be very severe since it is one of the few things the kernel actually
does, and since the kernel doesn't do much the things it does do get
more attention).  If you are root, then you can also mess with the
kernel if you want to.  You might not know how to do it, but messing
with kernel processes certainly isn't impossible, as is crashing your

This is why the Linux maintainers actually prefer to move stuff to
userspace when it makes sense.  They're not looking to transition to a
microkernel, but a lot of the boot-time mounting logic and devfs/etc
logic has gone away in favor of initramfs and udev.  This allows for
alternate implementations, and it helps cut down on the complexity of
kernel code.

And of course if this is done it is done correctly, and not as some
kind of userspace hack on top of an OS to add features that it lacks.


Reply via email to