| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 07 May 2015 20:48:14 +0200 From: Vlastimil Babka <vbabka@...e.cz> To: Dave Hansen <dave@...1.net>, Ingo Molnar <mingo@...nel.org> CC: linux-kernel@...r.kernel.org, x86@...nel.org Subject: Re: [PATCH 00/12] [RFC] x86: Memory Protection Keys On 05/07/2015 08:09 PM, Dave Hansen wrote: > On 05/07/2015 10:57 AM, Ingo Molnar wrote: >>>> There are two new instructions (RDPKRU/WRPKRU) for reading and >>>> writing to the new register. The feature is only available in >>>> 64-bit mode, even though there is theoretically space in the PAE >>>> PTEs. These permissions are enforced on data access only and have >>>> no effect on instruction fetches. >> So I'm wondering what the primary usecases are for this feature? >> Could you outline applications/workloads/libraries that would >> benefit from this? > > There are lots of things that folks would _like_ to mprotect(), but end > up not being feasible because of the overhead of going and mucking with > thousands of PTEs and shooting down remote TLBs every time you want to > change protections. > > Data structures like logs or journals that are only written to in very > limited code paths, but that you want to protect from "stray" writes. > > Maybe even a database where a query operation will never need to write > to memory, but an insert would. You could keep the data R/O during the > entire operation except when an insert is actually in progress. It > narrows the window where data might be corrupted. This becomes even > more valuable if a stray write to memory is guaranteed to hit storage... > like with persistent memory. > > Someone mentioned to me that valgrind does lots of mprotect()s and might > benefit from this. > > We could keep heap metadata as R/O and only make it R/W inside of > malloc() itself to catch corruption more quickly. But that metadata is typically within the same page as the data itself (for small objects at least), no? > More crazy ideas welcome. :) Since you asked :) I wonder if the usefulness could be extended by making it possible for a thread to revoke its access to WRPKRU (it's not privileged, right?). Then I could imagine some extra security for sandbox/bytecode/JIT code so it doesn't interfere with the runtime. But since it doesn't block instruction fetches, then maybe it wouldn't make much difference... > -- > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to majordomo@...r.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/ > -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists