| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 17 May 2011 14:17:45 +0200 From: Ingo Molnar <mingo@...e.hu> To: Andi Kleen <andi@...stfloor.org> Cc: Dave Jones <davej@...hat.com>, Stephane Eranian <eranian@...gle.com>, Linus Torvalds <torvalds@...ux-foundation.org>, Arnaldo Carvalho de Melo <acme@...hat.com>, LKML <linux-kernel@...r.kernel.org>, "H. Peter Anvin" <hpa@...or.com>, Thomas Gleixner <tglx@...utronix.de>, Arjan van de Ven <arjan@...radead.org> Subject: Re: [BUG] perf: bogus correlation of kernel symbols * Andi Kleen <andi@...stfloor.org> wrote: > > The x86 kernel is relocatable, so slightly randomizing the position of the > > kernel would be feasible with no overhead on the vast majority of exising > > distro installs, with just an updated kernel. > > Problem is that we don't have a source of secure randomness early on when the > relocation would need to happen. That's indeed a problem but not a fundamental one: we can read out the current time (RTC CMOS is always available on most systems), mix it with the current cycle counter value and PRNG mix it. It could only be recovered if the attacker is local to that box, guesses the precise cycle count on that specific hardware (and hardware has small thermal variations) and knows the precise boot time to the second as present in the RTC. Note that the amount of randomization would be small to begin with: if we have only 3 bits of randomization and can thus make ~90% of kernel exploit attempts crash statistically then we have most of the advantages already. [ For the really paranoid we could add a new flag to the boot protocol and embedd a random seed in the bzImage. This could be re-set upon installation of a new kernel package, so on the next reboot the system gains a unique seed. Or we could add a boot parameter to seed things and cut this particular boot parameter from all output like /proc/cmdline or the syslog command line parameters printout. /etc/grub.conf is already inaccessible to unprivileged userspace on most distros so the parameter is hidden. ] So it's a solvable problem. > You could either pass it as an option, but that option would be right now too > exposed, or just use kexec and boot twice. > > But all of this has drawbacks. > > > When exposing randomized RIPs to user-space we could recalculate all RIPs back > > to the 0xffffffff80000000 base, so oopses would have the usual non-randomized > > form: > > This would be very confusing because the register and stack contents > would have the non relocated addresses. Well, kernel crashes can expose security relevant details anyway so they better be hidden from unprivileged attackers anyway, the important thing is to properly decode the symbols. We can keep the rest of the oops in its raw form (and thus expose the seed to a privileged user - which we'd do anyway), being dependable is important for oopses. > I bet it would cause a lot of similar problems as the current %kP madness, > just more subtle ones. Well, did you expect me to react to your claim of 'subtle issues'? If yes (which i assume) then why didn't you outline what you meant with that in more detail, why are you forcing me to ask you what you mean precisely? Thanks, Ingo -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists