Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20161007154008.GB15400@twin.jikos.cz>
Date: Fri, 7 Oct 2016 17:40:08 +0200
From: David Sterba <dave@...os.cz>
To: kernel-hardening@...ts.openwall.com
Cc: spender@...ecurity.net, keescook@...omium.org, re.emese@...il.com,
        pageexec@...email.hu, michael.leibowitz@...el.com
Subject: Re: [RFC 0/3] Add struct randomization plugin

Hi,

On Thu, May 05, 2016 at 10:21:06AM -0700, Michael Leibowitz wrote:
> This patch set ports over grsecurity's structure randomization
> feature.  The plugin is largely unchanged from grsecurity, with some
> porting to go over Emese Revfy's v7 patch set for gcc plugin
> infrastructure.  This is an RFC.
> 
> Although this set of changes does not directly make exploitation
> harder, when a number of structures are randomized, it will make it
> difficult to splat many relevant structures without knowing the exact
> build of the kernel the target is using.  While for one structure,
> there are limited number of guesses required, in aggregate, this can
> be a large obstacle for exploitation.
> 
> Patch 3 is a grab bag that probably needs to be broken up, although
> I'm not sure of the best way to do so.  Breaking by subsystem would
> seem to make an unwieldy patch set.
> 
> Known TODO that is not addressed as part of this patch set:
>   * tag security relevant structures for randomization
>   * add checkpatch checking for non-C99 initialization
>   * automated testing of randomization
>   * better description and examples of exploits effectively mitigated
>     by this feature
> 
> Tagging of structures to be randomized will come in subsequent series
> of patches.

may I ask what's the status of this patchset? As 4.8 now contains the
plugin infrastructure, which I really like to see happening, we could
add the remaining plugins. I'm specifically interested in the struct
layout randomization.

In your initial RFC, the patch 3/3 touches a lot of subsystems, which
means potentially dealing with many maintainers. As the patch is a
prerequsite for unmodified randstrcut plugin, I think this would stall
the inclusion for a long time.

The plugin detects "structs with function pointers only" and
automatically adds the randomization. I suggest to start without this
particular feature, and avoid dependency on patch 3/3.

Only the explicit randomize_layout attributes would actually do
something. That way the patches could be submitted separately, with it's
own reasoning. See the grsecruity patch for examples.

This is not perfect compared to the full featured plugin but I think the
proposed way is better than waiting until all issues from patch 3/3 are
fixed.

I'm willing to help and push things forward, but as you've submitted the
patches I'm asking first.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.