Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <a44361cf-869d-fc0b-bf34-384a01785c87@linux.intel.com>
Date: Mon, 11 Feb 2019 16:43:54 +0300
From: Alexey Budankov <alexey.budankov@...ux.intel.com>
To: Jonatan Corbet <corbet@....net>, Kees Cook <keescook@...omium.org>,
 Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...nel.org>,
 Peter Zijlstra <peterz@...radead.org>
Cc: Jann Horn <jannh@...gle.com>, Arnaldo Carvalho de Melo <acme@...nel.org>,
 Jiri Olsa <jolsa@...hat.com>, Namhyung Kim <namhyung@...nel.org>,
 Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
 Andi Kleen <ak@...ux.intel.com>, Mark Rutland <mark.rutland@....com>,
 Tvrtko Ursulin <tvrtko.ursulin@...ux.intel.com>,
 "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>,
 "linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>,
 linux-kernel <linux-kernel@...r.kernel.org>
Subject: [PATCH v3 2/4] perf-security: document collected perf_events/Perf
 data categories


Document and categorize system and performance data into groups that
can be captured by perf_events/Perf and explicitly indicate the group
that can contain process sensitive data.

Signed-off-by: Alexey Budankov <alexey.budankov@...ux.intel.com>
---
 Documentation/admin-guide/perf-security.rst | 32 +++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)

diff --git a/Documentation/admin-guide/perf-security.rst b/Documentation/admin-guide/perf-security.rst
index bac599e3c55f..8772d44a5912 100644
--- a/Documentation/admin-guide/perf-security.rst
+++ b/Documentation/admin-guide/perf-security.rst
@@ -11,8 +11,34 @@ impose a considerable risk of leaking sensitive data accessed by monitored
 processes. The data leakage is possible both in scenarios of direct usage of
 perf_events system call API [2]_ and over data files generated by Perf tool user
 mode utility (Perf) [3]_ , [4]_ . The risk depends on the nature of data that
-perf_events performance monitoring units (PMU) [2]_ collect and expose for
-performance analysis. Having that said perf_events/Perf performance monitoring
+perf_events performance monitoring units (PMU) [2]_ and Perf collect and expose
+for performance analysis. Collected system and performance data may be split into
+several categories:
+
+1. System hardware and software configuration data, for example: a CPU model and
+   its cache configuration, an amount of available memory and its topology, used
+   kernel and Perf versions, performance monitoring setup including experiment
+   time, events configuration, Perf command line parameters, etc.
+
+2. User and kernel module paths and their load addresses with sizes, process and
+   thread names with their PIDs and TIDs, timestamps for captured hardware and
+   software events.
+
+3. Content of kernel software counters (e.g., for context switches, page faults,
+   CPU migrations), architectural hardware performance counters (PMC) [8]_ and
+   machine specific registers (MSR) [9]_ that provide execution metrics for
+   various monitored parts of the system (e.g., memory controller (IMC), interconnect
+   (QPI/UPI) or peripheral (PCIe) uncore counters) without direct attribution to any
+   execution context state.
+
+4. Content of architectural execution context registers (e.g., RIP, RSP, RBP on
+   x86_64), process user and kernel space memory addresses and data, content of
+   various architectural MSRs that capture data from this category.
+
+Data that belong to the fourth category can potentially contain sensitive process
+data. If PMUs in some monitoring modes capture values of execution context registers
+or data from process memory then access to such monitoring capabilities requires
+to be ordered and secured properly. So, perf_events/Perf performance monitoring
 is the subject for security access control management [5]_ .
 
 perf_events/Perf access control
@@ -134,6 +160,8 @@ Bibliography
 .. [5] `<https://www.kernel.org/doc/html/latest/security/credentials.html>`_
 .. [6] `<http://man7.org/linux/man-pages/man7/capabilities.7.html>`_
 .. [7] `<http://man7.org/linux/man-pages/man2/ptrace.2.html>`_
+.. [8] `<https://en.wikipedia.org/wiki/Hardware_performance_counter>`_
+.. [9] `<https://en.wikipedia.org/wiki/Model-specific_register>`_
 .. [11] `<http://man7.org/linux/man-pages/man2/getrlimit.2.html>`_
 .. [12] `<http://man7.org/linux/man-pages/man5/limits.conf.5.html>`_

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.