On 1/27/23 6:25 AM, Reshetova, Elena wrote: > >> On Fri, Jan 27, 2023 at 08:52:22AM +0000, Reshetova, Elena wrote: >>>> On Wed, Jan 25, 2023 at 03:29:07PM +0000, Reshetova, Elena wrote: >>>>> And this is a very special aspect of 'hardening' since it is about hardening a >>>> kernel >>>>> under different threat model/assumptions. >>>> >>>> I am not sure it's that special in that hardening IMHO is not a specific >>>> threat model or a set of assumptions. IIUC it's just something that >>>> helps reduce severity of vulnerabilities. Similarly, one can use the CC >>>> hardware in a variety of ways I guess. And one way is just that - >>>> hardening linux such that ability to corrupt guest memory does not >>>> automatically escalate into guest code execution. >>> >>> I am not sure if I fully follow you on this. I do agree that it is in principle >>> the same 'hardening' that we have been doing in Linux for decades just >>> applied to a new attack surface, host <-> guest, vs userspace <->kernel. >> >> Sorry about being unclear this is not the type of hardening I meant >> really. The "hardening" you meant is preventing kernel vulnerabilities, >> right? This is what we've been doing for decades. >> But I meant slightly newer things like e.g. KASLR or indeed ASLR generally - >> we are trying to reduce a chance a vulnerability causes random >> code execution as opposed to a DOS. To think in these terms you do not >> need to think about attack surfaces - in the system including >> a hypervisor, guest supervisor and guest userspace hiding >> one component from others is helpful even if they share >> a privelege level. > > Do you mean that the fact that CoCo guest has memory encrypted > can help even in non-CoCo scenarios? I am sorry, I still seem not to be able > to grasp your idea fully. When the privilege level is shared, there is no > incentive to perform privilege escalation attacks across components, > so why hide them from each other? Data protection? But I don’t think you > are talking about this? I do agree that KASLR is stronger when you remove > the possibility to read the memory (make sure kernel code is execute only) > you are trying to attack, but again not sure if you mean this. > >> >> >> >>> Interfaces have changed, but the types of vulnerabilities, etc are the same. >>> The attacker model is somewhat different because we have >>> different expectations on what host/hypervisor should be able to do >>> to the guest (following business reasons and use-cases), versus what we >>> expect normal userspace being able to "do" towards kernel. The host and >>> hypervisor still has a lot of control over the guest (ability to start/stop it, >>> manage its resources, etc). But the reasons behind this doesn’t come >>> from the fact that security CoCo HW not being able to support this stricter >>> security model (it cannot now indeed, but this is a design decision), but >>> from the fact that it is important for Cloud service providers to retain that >>> level of control over their infrastructure. >> >> Surely they need ability to control resource usage, not ability to execute DOS >> attacks. Current hardware just does not have ability to allow the former >> without the later. > > I don’t see why it cannot be added to HW if requirement comes. However, I think > in cloud provider world being able to control resources equals to being able > to deny these resources when required, so being able to denial of service its clients > is kind of build-in expectation that everyone just agrees on. > Just a thought, but I wouldn't discard availability guarantees like that at some point. As a client I would certainly like it, and if it's good for business... >> >>>> >>>> If you put it this way, you get to participate in a well understood >>>> problem space instead of constantly saying "yes but CC is special". And >>>> further, you will now talk about features as opposed to fixing bugs. >>>> Which will stop annoying people who currently seem annoyed by the >>>> implication that their code is buggy simply because it does not cache in >>>> memory all data read from hardware. Finally, you then don't really need >>>> to explain why e.g. DoS is not a problem but info leak is a problem - when >>>> for many users it's actually the reverse - the reason is not that it's >>>> not part of a threat model - which then makes you work hard to define >>>> the threat model - but simply that CC hardware does not support this >>>> kind of hardening. >>> >>> But this won't be correct statement, because it is not limitation of HW, but the >>> threat and business model that Confidential Computing exists in. I am not >>> aware of a single cloud provider who would be willing to use the HW that >>> takes the full control of their infrastructure and running confidential guests, >>> leaving them with no mechanisms to control the load balancing, enforce >>> resource usage, etc. So, given that nobody needs/willing to use such HW, >>> such HW simply doesn’t exist. >>> >>> So, I would still say that the model we operate in CoCo usecases is somewhat >>> special, but I do agree that given that we list a couple of these special >> assumptions >>> (over which ones we have no control or ability to influence, none of us are >> business >>> people), then the rest becomes just careful enumeration of attack surface >> interfaces >>> and break up of potential mitigations. >>> >>> Best Regards, >>> Elena. >>> >> >> I'd say each business has a slightly different business model, no? >> Finding common ground is what helps us share code ... > > Fully agree, and a good discussion with everyone willing to listen and cooperate > can go a long way into defining the best implementation. > > Best Regards, > Elena. Thanks for sharing the threat model with the list! Carlos