Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAGXu5j+9yKyUG-4YqK5Vo4kvV7P3vNAr_B4XkXuoishGEyY_Ag@mail.gmail.com>
Date: Wed, 21 Feb 2018 14:37:11 -0800
From: Kees Cook <keescook@...omium.org>
To: Igor Stoppa <igor.stoppa@...wei.com>
Cc: Laura Abbott <labbott@...hat.com>, Boris Lukashev <blukashev@...pervictus.com>, 
	Christopher Lameter <cl@...ux.com>, Matthew Wilcox <willy@...radead.org>, Jann Horn <jannh@...gle.com>, 
	Jerome Glisse <jglisse@...hat.com>, Michal Hocko <mhocko@...nel.org>, 
	Christoph Hellwig <hch@...radead.org>, 
	linux-security-module <linux-security-module@...r.kernel.org>, Linux-MM <linux-mm@...ck.org>, 
	kernel list <linux-kernel@...r.kernel.org>, 
	Kernel Hardening <kernel-hardening@...ts.openwall.com>
Subject: Re: [PATCH 4/6] Protectable Memory

On Tue, Feb 20, 2018 at 9:16 AM, Igor Stoppa <igor.stoppa@...wei.com> wrote:
>
>
> On 13/02/18 20:10, Laura Abbott wrote:
>> On 02/13/2018 07:20 AM, Igor Stoppa wrote:
>>> Why alterations of page properties are not considered a risk and the physmap is?
>>> And how would it be easier (i suppose) to attack the latter?
>>
>> Alterations are certainly a risk but with the physmap the
>> mapping is already there. Find the address and you have
>> access vs. needing to actually modify the properties
>> then do the access. I could also be complete off base
>> on my threat model here so please correct me if I'm
>> wrong.
>
> It's difficult for me to comment on this without knowing *how* the
> attack would be performed, in your model.
>
> Ex: my expectation is that the attacked has R/W access to kernel data
> and has knowledge of the location of static variables.
>
> This is not just a guess, but a real-life scenario, found in attacks
> that, among other things, are capable of disabling SELinux, to proceed
> toward gaining full root capability.
>
> At that point, I think that variables which are allocated dynamically,
> in vmalloc address space, are harder to locate, because of the virtual
> mapping and the randomness of the address chosen (this I have not
> confirmed yet, but I suppose there is some randomness in picking the
> address to assign to a certain allocation request to vmalloc, otherwise,
> it could be added).

Machine-to-machine runtime variation certainly affects the mapping
location, but for early boot allocations, these become surprisingly
deterministic, especially across similar hardware/memory layouts (both
the virtmap and physmap locations). However, using
CONFIG_RANDOMIZE_MEMORY makes it MUCH more difficult. (Note that
RANDOMIZE_BASE on arm64 effectively includes RANDOMIZE_MEMORY, as it
uses the entropy for multiple base offsets, including the physmap,
IIRC.)

>> I think your other summaries are good points though
>> and should go in the cover letter.
>
> Ok, I'm just afraid it risks becoming a lengthy dissertation :-)

It's rare to have anyone say "your commit log is too long". :)

-Kees

-- 
Kees Cook
Pixel Security

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.