| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 14 Feb 2008 20:55:20 +0200 From: pageexec@...email.hu To: Ingo Molnar <mingo@...e.hu> CC: Sam Ravnborg <sam@...nborg.org>, Arjan van de Ven <arjan@...radead.org>, linux-kernel@...r.kernel.org, torvalds@...ux-foundation.org, Thomas Gleixner <tglx@...utronix.de>, "H. Peter Anvin" <hpa@...or.com> Subject: Re: [x86.git#mm] stack protector fixes, vmsplice exploit On 14 Feb 2008 at 20:00, Ingo Molnar wrote: > > the best practical defense against leaking the canary is to change its > > value on every syscall but it has some performance impact in > > microbenchmarks. > > yeah, that's not really practical (especially as it would deplete our > entropy pool pretty fast would could in some circumstances introduce a > higher risk to the system than the risk of a canary leaking). you don't necessarily have to use the heavy-handed ip id code as it is used now, random32 is plenty good here. > I think we can avoid the leakage across tasks by being careful during > context-switch time: never calling with the old canary still in the PDA. > I think this should be fairly easy as we'd just have to load the new > pdaptr in the switch_to() assembly code. i don't think you have to worry about cross-task leaking at all, a hypothetical exploit is happy to learn its own canary and that's actually easier than learning some other task's canary by virtue of bugs that leak uninitialized struct padding and stuff... really, the best defense is to reduce the useful lifetime of any leaked canary, and you can't get better than syscall granularity without disproportional effort and impact elsewhere (and i'm sure some would find even this disproportional ;). > TODO: perhaps all vsyscall functions need to move into separate .o > files. (probably academic as the functions affected by that tend to be > very simple and do not deal with anything overflowable.) yeah, i wasn't suggesting it for its security value, more like for 'full coverage'. if such a separation isn't useful otherwise (no idea if not having the .vsyscall* code along with related kernel code would be confusing for the reader for example), i'd say this isn't important. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists