| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 09 Mar 2015 23:49:39 -0500 From: ebiederm@...ssion.com (Eric W. Biederman) To: Dave Hansen <dave.hansen@...el.com> Cc: Kees Cook <keescook@...omium.org>, Andrew Morton <akpm@...ux-foundation.org>, Theodore Ts'o <tytso@....edu>, Oleg Nesterov <oleg@...hat.com>, LKML <linux-kernel@...r.kernel.org>, Dave Hansen <dave.hansen@...ux.intel.com> Subject: Re: [RFC][PATCH 1/2] fs proc: make pagemap a privileged interface Dave Hansen <dave.hansen@...el.com> writes: > On 03/09/2015 05:03 PM, Kees Cook wrote: >> On Mon, Mar 9, 2015 at 4:43 PM, Eric W. Biederman <ebiederm@...ssion.com> wrote: >>> A 1 to 1 blinding function like integer multiplication mudulo 2^32 by an >>> appropriate random number ought to keep from revealing page numbers or >>> page ajacencies while not requiring any changes in userspace. >>> >>> That way the revealed pfn and the physcial pfn would be different but >>> you could still use pagemap for it's intended purpose. >> >> If this could be done in a way where it was sufficiently hard to >> expose the random number, we should absolutely do this. > > We would need something which is both reversible (so that the given > offsets can still be used in /proc/kpagemap) and also hard to do a > known-plaintext-type attack on it. > > Transparent huge pages are a place where userspace knows the > relationship between 512 adjacent physical addresses. That represents a > good chunk of known data. Surely there are more of these kinds of things. > > Right now, for instance, the ways in which a series of sequential > allocations come out of the page allocator are fairly deterministic. We > would also need to do some kind of allocator randomization to ensure > that userspace couldn't make good guesses about the physical addresses > of things coming out of the allocator. > > Or, we just be sure and turn the darn thing off. :) Yes. If we are worried about something a big off switch is fine. As for a one-to-one transform that is resitant to plain text attacks I think that is the definition of a cypher. That is we should just use AES or something well know to encrypt the pafe frame numbers if we want to hide them. I don't know if the block mode of AES would be a problem or not. Eric -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists