[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Solo5 security features

To: Thomas Gazagnaire <thomas@xxxxxxxxxxxxxx>, mirageos-devel <mirageos-devel@xxxxxxxxxxxxxxxxxxxx>, solo5@xxxxxxxxxxxxx
From: Takayuki Imada <takayuki.imada@xxxxxxxxx>
Date: Fri, 5 Jan 2024 22:11:44 +0900
Delivery-date: Fri, 05 Jan 2024 13:12:05 +0000
List-id: Developer list for MirageOS <mirageos-devel.lists.xenproject.org>

Hi Thomas,

Is this worth mentioning?
  - System call filtering (by seccomp): 
https://github.com/Solo5/solo5/blob/master/tenders/spt/spt_core.c#L318 -> only 
spt

Kind regards,

--
Takayuki Imada


On 2024/01/03 5:29, Thomas Gazagnaire wrote:

Hey there,

Do we have an up-to-date table of the defense-in-depth security features 
enforced by solo5 on the different targets?

So far I found:
- W^X: https://github.com/Solo5/solo5/issues/303 -> not sure exactly where this 
is enforced nowadays. The tests in https://github.com/Solo5/solo5/pull/363/files 
seems to say that this only works on spt?
- heap canaries: https://github.com/mirage/ocaml-solo5/issues/48 -> all targets?
- Unmap zero page: https://github.com/Solo5/solo5/issues/296 -> seems to be 
enforced on all targets?
- Stack protector: https://github.com/Solo5/solo5/issues/293 and 
https://github.com/Solo5/solo5/pull/294 -> seems to be enforced for all targets?
- ASLR: https://github.com/Solo5/solo5/pull/310 -> only spt ? As we have 
https://github.com/Solo5/solo5/issues/304 for the  hvt TODO's

Anything else worth mentioning?

Best,
Thomas

References:
- Solo5 security features
  - From: Thomas Gazagnaire

Prev by Date: Solo5 security features
Next by Date: Re: Solo5 security features
Previous by thread: Solo5 security features
Next by thread: Re: Solo5 security features
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.