| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 28 May 2009 21:36:01 +0200 From: Peter Zijlstra <peterz@...radead.org> To: Arjan van de Ven <arjan@...radead.org> Cc: Alan Cox <alan@...rguk.ukuu.org.uk>, "Larry H." <research@...reption.com>, Ingo Molnar <mingo@...e.hu>, Rik van Riel <riel@...hat.com>, linux-kernel@...r.kernel.org, Linus Torvalds <torvalds@...l.org>, linux-mm@...ck.org, Ingo Molnar <mingo@...hat.com>, pageexec@...email.hu Subject: Re: [patch 0/5] Support for sanitization flag in low-level page allocator On Sat, 2009-05-23 at 08:56 -0700, Arjan van de Ven wrote: > On Sat, 23 May 2009 09:09:10 +0100 > Alan Cox <alan@...rguk.ukuu.org.uk> wrote: > > > > Enabling SLAB poisoning by default will be a bad idea > > > > Why ? > > > > > I looked for unused/re-usable flags too, but found none. It's > > > interesting to see SLUB and SLOB have their own page flags. Did > > > anybody oppose those when they were proposed? > > > > Certainly they were looked at - but the memory allocator is right at > > the core of the system rather than an add on. > > > > > > Ditto - which is why I'm coming from the position of an "if we > > > > free it clear it" option. If you need that kind of security the > > > > cost should be more than acceptable - especially with modern > > > > processors that can do cache bypass on the clears. > > > > > > Are you proposing that we should simply remove the confidential > > > flags and just stick to the unconditional sanitization when the > > > boot option is enabled? If positive, it will make things more > > > simple and definitely is better than nothing. I would have (still) > > > preferred the other old approach to be merged, but whatever works > > > at this point. > > > > I am because > > - its easy to merge > > - its non controversial > > - it meets the security good practice and means we don't miss any > > alloc/free cases > > - it avoid providing flags to help a trojan identify "interesting" > > data to acquire > > - modern cpu memory clearing can be very cheap > > ... and if we zero on free, we don't need to zero on allocate. > While this is a little controversial, it does mean that at least part of > the cost is just time-shifted, which means it'll not be TOO bad > hopefully... zero on allocate has the advantage of cache hotness, we're going to use the memory, why else allocate it. zero on free only causes extra cache evictions for no gain. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists