Explore the design and implementation of a new kernel hardening strategy that compartmentalizes the Linux kernel using Intel Protection Keys for Supervisor (PKS) in this 50-minute conference talk. Delve into the importance of kernel compartmentalization in mitigating memory errors and transient execution attacks. Learn how PKS can limit memory access in critical regions, reducing the attack surface and providing robust protection against vulnerabilities. Examine the challenges of implementation, focusing on PKS eBPF isolation and its mitigations. Gain insights into how this approach aligns with ongoing efforts in Address-space Isolation (ASI). Understand the potential impact of this security feature on hindering exploits from eBPF and third-party kernel modules, while maintaining compatibility and lightweight implementation.
Overview
Syllabus
Intro
Why compartmentalize?
Transient execution attacks Spectre & friends
Memory Protection Keys: PKU/PKS
PKS in-depth
Challenges
PKS eBPF isolation
eBPF mitigations
ASI: Address Space Isolation
Conclusion
Taught by
Linux Foundation
