| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <A6EF11A5-9048-41ED-B4B9-71C1F50578F1@vu.nl>
Date: Mon, 26 Sep 2022 17:11:29 +0000
From: "Koschel, J. (Jakob)" <j.koschel@...nl>
To: Kees Cook <keescook@...omium.org>
CC: David Malcolm <dmalcolm@...hat.com>,
"linux-hardening@...r.kernel.org" <linux-hardening@...r.kernel.org>
Subject: Re: -fanalyzer thoughts
Hi,
> On 14. Sep 2022, at 14:43, Kees Cook <keescook@...omium.org> wrote:
>
> Hi!
>
> [...]
>
>
> The question I had was if you had seen this LPC presentation:
> https://lpc.events/event/16/contributions/1211/
> "How I started chasing speculative type confusion bugs in the kernel and
> ended up with 'real' ones"
>
> The authors used Clang's "Data Flow Sanitizer" and built a working
> taint/sink system that seems like it could be used for MUCH more analysis
> than just what they were looking it (as they hint at too).
> https://clang.llvm.org/docs/DataFlowSanitizer.html
> https://github.com/vusec/kdfsan-linux/commit/45614ee1a3a0d7b98c5cecb1b747184279bc615c
>
> I wonder if DFSan could be ported to GCC? It seems to overlap logically
> with some of the -fanalyzer work, but I don't know the internals for
> either, so I likely have no idea what I'm talking about. ;)
I'm not sure how much dynamic and static taint analysis would actually
share but I bet there are a few things that they would still have in common.
David, your talk on static taint analysis with GCC in the kernel was
really great!
I think the attributes you were talking about to mark
e.g. user controlled input (syscall inputs & user copies) is something
any taint analysis would benefit from! We added custom markers for this
in our linux repo fork but if they would be upstreamed any type of
taint analysis tool could benefit from them (GCC & CLANG: static &
dynamic analysis, or something completely else).
DFSan has max 256 taint labels if I remember correctly.
I believe this was also mentioned by someone in the audience:
Different taint labels, for example, for MSR reads, syscall arguments
& network input would definitely be useful instead of a generic __tainted
argument.
>
>
> Related, I wonder if LTO builds would help with -fanalyzer's control
> flow analysis? (DFSan requires LTO.) Getting the kernel built with LTO
> under GCC seems to be an on-going project, but no pull requests have
> been sent lately:
> https://git.kernel.org/pub/scm/linux/kernel/git/jirislaby/linux.git/log/?h=lto
> Maybe poking them from your side might help that get landed? I think
> people are interested in having LTO for the kernel for the performance
> gains it can provide.
I *think* DFSan (like Asan) does not depend on LTO, it can also run at
compile time. In our project LTO was helpful because it was simply
easier to run LLVM passes at that stage and we didn't have to
recompile when adjusting our passes (only relink).
Regardless seeing LTO also with GCC would be really great :)
>
> The second-to-last slide in my presentation (in the "bonus slides"
> section) has slightly more context about LTO and the kernel:
> https://lpc.events/event/16/contributions/1173/
> https://outflux.net/slides/2022/lpc/features.pdf
>
> Thanks!
>
> -Kees
>
> --
> Kees Cook
Btw this is the paper [1] I was mentioning that looked at an attack vector
on the hardware - OS boundary. It might have some interesting pointers
on what could be tainted except for system call arguments.
- Jakob
[1] https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_04A-1_Song_paper.pdf
Powered by blists - more mailing lists