|
Message-ID: <2236FBA76BA1254E88B949DDB74E612B41B2AF5E@IRSMSX102.ger.corp.intel.com>
Date: Tue, 24 May 2016 07:21:56 +0000
From: "Reshetova, Elena" <elena.reshetova@...el.com>
To: "kernel-hardening@...ts.openwall.com"
<kernel-hardening@...ts.openwall.com>
CC: Daniel Borkmann <daniel@...earbox.net>, Kees Cook <keescook@...omium.org>
Subject: RE: Re: BPF JIT spray attack - proof of concept
code for modern kernel
>> I have tried the poc on virtual machine with Ubuntu with 4.4 upstream
>> kernel and it works quite well. It can still in some cases completely
>> stall the machine that reboot is required, but it does reach its root
>> goal in most of the cases.
>>
>> Also, please note that similarly as 2012 poc code, this is not a real
>> exploit because it requires an “insecure ko” kernel module to
>> actually make a jump, but it illustrates the need for further JIT
>> hardening that Daniel is currently working now on.
>
> This is great! Thanks for updating this research. It strongly helps
> illustrate why instruction blinding is an important defense. I'm
> looking forward to Daniel's work landing.
>Just to follow up on this: the eBPF JIT blinding code has landed in Linus's tree (which should ultimately appear in v4.7)!
>See the commits in and around:
>http://git.kernel.org/linus/4f3446bb809f20ad56cadf712e6006815ae7a8f9
>If a system already sets the bpf_jit_enable sysctl to 1 (0 is the kernel default), the new bpf_jit_harden sysctl can be 0 (off, the current kernel default, which will hopefully change in the future), 1 (unprivileged users get JIT blinding), or 2 (all users get JIT blinding).
>As always, there's a few more things to do AIUI, if anyone has time and interest:
>- we need a blinding test added (either to lib/test_bpf.c or elsewhere)
>- remaining archs (ARM, MIPS, PowerPC, Sparc) cBPF JIT needs to either be converted to eBPF or have blinding added directly (the latter is easier, the former is better all around). i.e. if an arch defines bpf_jit_enable, but doesn't call bpf_int_jit_compile(), it needs the eBPF JIT. If it does, but doesn't call >bpf_jit_blind_constants(), it's not blinding eBPF.
>Thanks for all the attention on this!
And I would like to emphasis the fact that Daniel did a great job in such a short time. This case really shows to us how great things can go, if instead of being sceptical and build barriers, maintainers come to help and just make it happen!
Best Regards,
Elena.
Download attachment "smime.p7s" of type "application/pkcs7-signature" (7586 bytes)
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.