Garrett: Linux Container Security
Posted Oct 24, 2014 15:29 UTC (Fri) by PaXTeam (guest, #24616)
In reply to: Garrett: Linux Container Security by luto
Parent article: Garrett: Linux Container Security
define extremely ;). a recent real life use case (smtp+clamav at 100Mbps) saw an impact of <16% on opteron but their kernel also included two other performance killer features, SANITIZE and STACKLEAK.
> On Broadwell, though, kernel.org kernels do more or less the same thing at little cost.
SMAP is strictly less than UDEREF but it can be massaged into something more useful with some extra work.
> I expect that this will make exploits harder to write, but not impossible, and we'll see a variety of new techniques to exploit kernel bugs.
this has been the case for a decade now on PaX and the only ways to exploit such kernel bugs are ret2libc (which is dead too already) and data-only attacks (which is a tough problem to solve for the kernel).
> At least NULL pointer dereferences will finally stop being exploitable.
UDEREF is about much more than just mere NULL derefs (even vanilla closed that route down for non-privileged processes a few years ago).
> Hmm. Has anyone ever tried using PCID to do something like UDEREF at lower cost?
how about PaX/UDEREF? for over a year now ;).
