Christine Lemmer-Webber1d ago

Significant raise of reports (on the Linux Kernel Mailing List) https://lwn.net/Articles/1065620/

Here's something I think we all will have to contend with, whether you're an AIgen enthusiast or not: attacking is easier than defending, and these things don't get tired and they *are* very good at finding exploits. None of us will be able to ignore that, and we will probably have to listen to real genuine reports from them, even if we reject AIgen input.

However, I don't think that's actually the right solution, and I don't think it's sustainable. 🧵

Significant raise of reports [LWN.net]

Show threadChristine Lemmer-Webber1d ago

The fact of the matter is, most vulnerabilities fall under extremely common patterns, with known solutions:

- Confused deputies: capability security can fix/contain this in many cases, more on that later
- Injection attacks: primarily caused by string templating, using structured templating also fixes this (quasiquote, functional combinators, etc)
- Memory vulnerabilities: solved by memory-safe languages, and yes that includes Rust, but it also includes Python, Scheme/Lisp, etc etc etc

There are other serious vulnerabilities, such as incorrectly written or used cryptography, and others from there, but my primary point is: most damage can be either avoided in the first place or contained (especially in terms of capability security for containment)

And... patching AIgen patches is going to get tough and tiring... (cotd...)

Show threadChristine Lemmer-Webber1d ago

I don't think human reviewers are going to be able to keep up with the number of vulnerabilities we're seeing appear. I really don't. Humans won't be able to review at scale, and I also think that there's serious risks for blindly accepting AIgen patches, which for critical infrastructure could also be a path to *inserting new* vulnerabilities.

We need to attack this systemically.

I have more to say. More later. But that's the gist for now.

Show threadlinear cannon1d ago
@cwebber we need microkernel based operating systems with capability-based security enforcement, isolation of components from each other as a baseline assumption, and formal verification of the whole thing at both the code and spec level, and we need all of this quite urgently
Show threadティージェーグレェ22h ago
(se)L4 I think fits such criteria? It is already widely deployed (e.g. Apple's Secure Enclave).

Problematically? I don't think any of the L4 kernels were "self hosting" last I checked? Maybe that has changed.

BS such as that, would have received failing grades in the 1980s.

Alas, we live in a different era now, where cross compiling is de rigueur even if it is awful in practice.

If I had a wish granting fairy or whatever? I would totally task someone(s) to make the L4 microkernel family self-hosting, so it doesn't need a Linux to boot strap.

CC: @[email protected]
Show threadlinear cannon22h ago
@[email protected] @cwebber yes, see further downthread
Show threadlinear cannon
@[email protected] @cwebber and go learn about Genode / SculptOS
Apr 2 at 9:55pmWeb