Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CALCETrUxfPBawXNvKZgOnxhkaesw-b4PqCFUZbkRdaaqpjqnPQ@mail.gmail.com>
Date: Tue, 29 Mar 2016 14:29:00 -0700
From: Andy Lutomirski <luto@...capital.net>
To: Scott Bauer <sbauer@....utah.edu>
Cc: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, 
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, X86 ML <x86@...nel.org>, 
	Andi Kleen <ak@...ux.intel.com>, Ingo Molnar <mingo@...hat.com>, 
	Thomas Gleixner <tglx@...utronix.de>, wmealing@...hat.com, 
	Linus Torvalds <torvalds@...ux-foundation.org>
Subject: Re: [PATCH v4 0/4] SROP Mitigation: Sigreturn Cookies

On Tue, Mar 29, 2016 at 12:53 PM, Scott Bauer <sbauer@....utah.edu> wrote:
> Sigreturn-oriented programming is a new attack vector in userland
> where an attacker crafts a fake signal frame on the stack and calls
> sigreturn. The kernel will extract the fake signal frame, which
> contains attacker controlled "saved" registers. The kernel will then
> transfer control to the attacker controlled userland instruction pointer.
>
> To prevent SROP attacks the kernel needs to know or be able to dervive
> whether a sigreturn it is processing is in response to a legitimate
> signal the kernel previously delivered.
>
> Further information and test code can be found in Documentation/security
> and this excellent article:
> http://lwn.net/Articles/676803/
>
> These patches implement the necessary changes to generate a cookie
> which will be placed above signal frame upon signal delivery to userland.
> The cookie is generated using a per-process random value xor'd with
> the address where the cookie will be stored on the stack.
>
> Upon a sigreturn the kernel will extract the cookie from userland,
> recalculate what the original cookie should be and verify that the two
> do not differ. If the two differ the kernel will terminate the process
> with a SIGSEGV.
>
> This prevents SROP by adding a value that the attacker cannot guess,
> but the kernel can verify. Therefore an attacker cannot use sigreturn as
> a method to control the flow of a process.
>

Has anyone verified that this doesn't break CRIU cross-machine (or
cross-boot) migration and that this doesn't break dosemu?  You're
changing the ABI here.

--Andy

>
> Version changes:
>
> v3->v4
>         Removed ambiguous __user annotation, added Documentation
>         and test code.
>
> v2->v3
>         Changed cookie calculation from using restored regs->sp to
>         using frame pointer from before restoration.
>
> v1->v2
>         Miscellaneous nits and code cleanup.
>
> Scott Bauer (4):
>       SROP Mitigation: Architecture independent code for signal cookies
>       x86: SROP Mitigation: Implement Signal Cookies
>       Sysctl: SROP Mitigation: Add Sysctl argument to disable SROP.
>       Documentation: SROP Mitigation: Add documentation for SROP cookies
>
>
>  Documentation/security/srop-cookies.txt | 203 ++++++++++++++++++++++++++++++++
>  arch/x86/ia32/ia32_signal.c             |  65 +++++++++-
>  arch/x86/include/asm/fpu/signal.h       |   2 +
>  arch/x86/kernel/fpu/signal.c            |  10 ++
>  arch/x86/kernel/signal.c                |  83 +++++++++++--
>  fs/exec.c                               |   3 +
>  include/linux/sched.h                   |   7 ++
>  include/linux/signal.h                  |   3 +
>  kernel/signal.c                         |  49 ++++++++
>  kernel/sysctl.c                         |   8 ++
>  10 files changed, 418 insertions(+), 15 deletions(-)
>



-- 
Andy Lutomirski
AMA Capital Management, LLC

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.