Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAGXu5jKM_gThfVoTxPE8vX-9GhBMd+ZYbwky5jUKJNevYxd50Q@mail.gmail.com>
Date: Thu, 20 Jul 2017 15:53:25 -0700
From: Kees Cook <keescook@...omium.org>
To: Ingo Molnar <mingo@...nel.org>
Cc: Peter Zijlstra <peterz@...radead.org>, Josh Poimboeuf <jpoimboe@...hat.com>, 
	Christoph Hellwig <hch@...radead.org>, "Eric W. Biederman" <ebiederm@...ssion.com>, 
	Andrew Morton <akpm@...ux-foundation.org>, Jann Horn <jannh@...gle.com>, 
	Eric Biggers <ebiggers3@...il.com>, Elena Reshetova <elena.reshetova@...el.com>, 
	Hans Liljestrand <ishkamiel@...il.com>, Greg KH <gregkh@...uxfoundation.org>, 
	Alexey Dobriyan <adobriyan@...il.com>, "Serge E. Hallyn" <serge@...lyn.com>, arozansk@...hat.com, 
	Davidlohr Bueso <dave@...olabs.net>, Manfred Spraul <manfred@...orfullife.com>, 
	"axboe@...nel.dk" <axboe@...nel.dk>, James Bottomley <James.Bottomley@...senpartnership.com>, 
	"x86@...nel.org" <x86@...nel.org>, Arnd Bergmann <arnd@...db.de>, "David S. Miller" <davem@...emloft.net>, 
	Rik van Riel <riel@...hat.com>, LKML <linux-kernel@...r.kernel.org>, 
	linux-arch <linux-arch@...r.kernel.org>, 
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>
Subject: Re: [PATCH v6 0/2] x86: Implement fast refcount overflow protection

On Thu, Jul 20, 2017 at 10:15 AM, Kees Cook <keescook@...omium.org> wrote:
> On Thu, Jul 20, 2017 at 2:11 AM, Ingo Molnar <mingo@...nel.org> wrote:
>> Could you please also create a tabulated quick-comparison of the three variants,
>> of all key properties, about behavior, feature and tradeoff differences?
>>
>> Something like:
>>
>>                                 !ARCH_HAS_REFCOUNT      ARCH_HAS_REFCOUNT=y     REFCOUNT_FULL=y
>>
>> avg fast path instructions:     5                       3                       10
>> behavior on overflow:           unsafe, silent          safe,   verbose         safe,   verbose
>> behavior on underflow:          unsafe, silent          unsafe, verbose         unsafe, verbose
>> ...
>>
>> etc. - note that this table is just a quick mockup with wild guesses. (Please add
>> more comparisons of other aspects as well.)
>>
>> Such a comparison would make it easier for arch, subsystem and distribution
>> maintainers to decide on which variant to use/enable.
>
> Sure, I can write this up. I'm not sure "safe"/"unsafe" is quite that
> clean. The differences between -full and -fast are pretty subtle, but
> I think I can describe it using the updated LKDTM tests I've written
> to compare the two. There are conditions that -fast doesn't catch, but
> those cases aren't actually useful for the overflow defense.
>
> As for "avg fast path instructions", do you mean the resulting
> assembly for each refcount API function? I think it's going to look
> something like "1   2   45", but I'll write it up.

So, doing a worst-case timing of a loop of inc() to INT_MAX and then
dec_and_test() back to zero, I see this out of perf:

atomic
25255.114805      task-clock (msec)
 82249267387      cycles
 11208720041      instructions

refcount-fast
25259.577583      task-clock (msec)
 82211446892      cycles
 15486246572      instructions

refcount-full
44625.923432      task-clock (msec)
144814735193      cycles
105937495952      instructions

I'll still summarize all this in the v7 series, but I think that
really clarifies the differences: 1.5x more instructions in -fast, but
nearly identical cycles and clock. Using -full sees a large change (as
expected).

-Kees

-- 
Kees Cook
Pixel Security

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.