Address Space Isolation For The Linux Kernel Is Still A Big Challenge In 2020

Written by Michael Larabel in Linux Security on 10 February 2020 at 07:29 AM EST.
While there are many new features in the forthcoming Linux 5.6 kernel, the ongoing Address Space Isolation support is not one of them.

The Kernel Address Space Isolation (KASI) work has been going on for a while now to improve kernel security and prevent data leaks in scenarios such as attacks that exploit Hyper Threading. As the name implies, Kernel Address Space Isolation is about isolating the address spaces used by different areas of the kernel, and it has grown in importance since L1TF / Foreshadow came to light. KASI can also help isolate KVM for better protection in the cloud, helping to fend off guest-to-host attacks and some guest-to-guest attack vectors.

We've seen several rounds of Kernel Address Space Isolation revisions over the months, from different parties involved. In 2020 this work is still ongoing and doesn't appear to be ready for mainlining in the near term.

IBM's Mike Rapoport and longtime kernel developer James Bottomley talked about Address Space Isolation for Linux earlier this month at FOSDEM. While this work can help reduce the attack surface of the system, its complexity still needs to be weighed against its security benefits, on top of the major challenges involved in this low-level rework of the kernel's address space code.

Those wanting to learn more can see the PDF slide deck and WebM video recording of the FOSDEM 2020 talk.

We'll see where this work leads in 2020 and what new prominent security vulnerabilities may come in the meantime.