Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <573B399F.40602@infradead.org>
Date: Tue, 17 May 2016 08:32:47 -0700
From: Randy Dunlap <rdunlap@...radead.org>
To: Kees Cook <keescook@...omium.org>, Jonathan Corbet <corbet@....net>
Cc: linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org,
 kernel-hardening@...ts.openwall.com
Subject: Re: [PATCH] doc: self-protection: provide initial details

On 05/16/16 19:27, Kees Cook wrote:
> This document attempts to codify the intent around kernel self-protection
> along with discussion of both existing and desired technologies, with
> attention given to the rationale behind them, and the expectations of
> their usage.
> 
> Signed-off-by: Kees Cook <keescook@...omium.org>
> ---
>  Documentation/security/self-protection.txt | 261 +++++++++++++++++++++++++++++
>  1 file changed, 261 insertions(+)
>  create mode 100644 Documentation/security/self-protection.txt
> 
> diff --git a/Documentation/security/self-protection.txt b/Documentation/security/self-protection.txt
> new file mode 100644
> index 000000000000..33ad7183a074
> --- /dev/null
> +++ b/Documentation/security/self-protection.txt
> @@ -0,0 +1,261 @@

[snip]

> +
> +The goals for successful self-protection systems would be to that they

                                                    would be that they

> +are effective, on by default, require no opt-in by developers, have no
> +performance impact, do not impede kernel debugging, and have tests. It
> +is uncommon that all these goals can be met, but it is worth explicitly
> +mentioning them, since these aspects need to be explored, dealt with,
> +and/or accepted.
> +
> +
> +
> +What remains are variables that are updated rarely (e.g. GDT). These
> +will need another infrastructure (similar to the temporary exceptions
> +made to kernel code mentioned above) that allow them to spend the rest
> +of their lifetime read-only. (For example, when being updated, only the
> +CPU thread performing the update would be given uninterruptable write

                                                   uninterruptible

> +access to the memory.)

(add to spelling.txt ?)

> +
> +

> +
> +
> +To protect against even privileged users, systems may need to either
> +disable module loading entirely (e.g. monolithic kernel builds or
> +modules_disabled sysctl), or provide signed modules (e.g.
> +CONFIG_MODULE_SIG_FORCE, or dm-crypt with LoadPin), to keep from having
> +oot load arbitrary kernel code via the module loader interface.

spell out 'oot'

> +
> +
> +## Preventing Leaks
> +
> +Since the location of sensitive structures are the primary target for

                                              is
or
              locations                       are

> +attacks, it is important to defend against leaks of both kernel memory
> +addresses and kernel memory contents (since they may contain kernel
> +addresses or other sensitive things like canary values).
> +


Nice job.
Reviewed-by: Randy Dunlap <rdunlap@...radead.org>

Thanks.

-- 
~Randy

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.