Message-ID: <47B4AAB8.106.FEA5232@pageexec.freemail.hu>
Date: Thu, 14 Feb 2008 20:55:20 +0200
From: pageexec@...email.hu
To: Ingo Molnar <mingo@...e.hu>
CC: Sam Ravnborg <sam@...nborg.org>,
Arjan van de Ven <arjan@...radead.org>,
linux-kernel@...r.kernel.org, torvalds@...ux-foundation.org,
Thomas Gleixner <tglx@...utronix.de>,
"H. Peter Anvin" <hpa@...or.com>
Subject: Re: [x86.git#mm] stack protector fixes, vmsplice exploit
On 14 Feb 2008 at 20:00, Ingo Molnar wrote:
> > the best practical defense against leaking the canary is to change its
> > value on every syscall but it has some performance impact in
> > microbenchmarks.
>
> yeah, that's not really practical (especially as it would deplete our
> entropy pool pretty fast, which could in some circumstances introduce a
> higher risk to the system than the risk of a canary leaking).
you don't necessarily have to use the heavy-handed ip id code as it
is used now, random32 is plenty good here.
> I think we can avoid the leakage across tasks by being careful during
> context-switch time: never calling with the old canary still in the PDA.
> I think this should be fairly easy as we'd just have to load the new
> pdaptr in the switch_to() assembly code.
i don't think you have to worry about cross-task leaking at all, a
hypothetical exploit is happy to learn its own canary and that's
actually easier than learning some other task's canary by virtue
of bugs that leak uninitialized struct padding and stuff...
really, the best defense is to reduce the useful lifetime of any
leaked canary, and you can't get better than syscall granularity
without disproportional effort and impact elsewhere (and i'm sure
some would find even this disproportional ;).
> TODO: perhaps all vsyscall functions need to move into separate .o
> files. (probably academic as the functions affected by that tend to be
> very simple and do not deal with anything overflowable.)
yeah, i wasn't suggesting it for its security value, more like for
'full coverage'. if such a separation isn't useful otherwise (no idea
if not having the .vsyscall* code along with related kernel code would be
confusing for the reader for example), i'd say this isn't important.
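The argument above is about the lifetime of a leaked canary rather than about who leaks it. The following model, added here as an illustration and not code from the kernel or from either poster, makes that concrete: a hypothetical per-task data area (standing in for the x86 PDA) holds the canary, the compiler's prologue/epilogue are modelled as two small functions, and "syscall entry" optionally loads a fresh value from a cheap PRNG (xorshift64*, used here in place of random32(), since the point is that the refresh needs no draw from the entropy pool). `syscalls_until_stale()` counts for how many syscalls a canary value observed at one point still equals the live one: without refresh it never goes stale, with per-syscall refresh it is dead after the very next entry. All names are assumptions.

```c
/*
 * Added illustration (not kernel code): a model of per-syscall canary
 * refresh and how it limits the useful lifetime of a leaked canary.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the per-task data area that holds the
 * stack-protector canary (the "PDA" in the thread). */
struct task_pda {
    uint64_t stack_canary;
};

/* Cheap deterministic PRNG (xorshift64*), used here in place of
 * random32(); constructed seed, no entropy-pool draw involved. */
static uint64_t prng_state = 0x9E3779B97F4A7C15ULL;

static uint64_t prng_next(void)
{
    uint64_t x = prng_state;
    x ^= x >> 12;
    x ^= x << 25;
    x ^= x >> 27;
    prng_state = x;
    return x * 0x2545F4914F6CDD1DULL;
}

/* Model of syscall entry: optionally load a fresh canary into the PDA. */
static void syscall_entry(struct task_pda *pda, bool refresh_canary)
{
    if (refresh_canary)
        pda->stack_canary = prng_next();
}

/* What the compiler emits: the prologue copies the canary into the frame,
 * the epilogue compares the copy against the PDA before returning. */
struct frame {
    char buf[32];
    uint64_t canary_slot;
};

static void prologue(struct frame *f, const struct task_pda *pda)
{
    f->canary_slot = pda->stack_canary;
}

static bool epilogue_check_ok(const struct frame *f, const struct task_pda *pda)
{
    return f->canary_slot == pda->stack_canary;
}

/*
 * Count how many syscalls a canary value observed at one point remains
 * equal to the live one. Without refresh it stays valid for the task's
 * whole lifetime (-1); with refresh it is stale after the next entry (1).
 */
int syscalls_until_stale(bool refresh_per_syscall, int max_syscalls)
{
    struct task_pda pda = { .stack_canary = prng_next() };
    uint64_t observed = pda.stack_canary;   /* value as it might have leaked */
    int n;

    for (n = 0; n < max_syscalls; n++) {
        syscall_entry(&pda, refresh_per_syscall);
        if (pda.stack_canary != observed)
            return n + 1;   /* first entry after which the old value is useless */
    }
    return -1;              /* still valid after max_syscalls entries */
}

/* Sanity check: an intact frame built after a refresh still passes the
 * epilogue check, i.e. the refresh does not break legitimate returns. */
bool intact_frame_passes(void)
{
    struct task_pda pda = { .stack_canary = prng_next() };
    struct frame f;

    syscall_entry(&pda, true);
    prologue(&f, &pda);
    return epilogue_check_ok(&f, &pda);
}

int main(void)
{
    printf("no refresh: stale after %d syscalls (-1 = never)\n",
           syscalls_until_stale(false, 1000));
    printf("refresh:    stale after %d syscalls\n",
           syscalls_until_stale(true, 1000));
    printf("intact frame passes: %d\n", intact_frame_passes());
    return 0;
}
```

The model deliberately says nothing about how a canary might leak; it only shows the defender's side of the trade-off discussed above: a per-entry refresh from a cheap generator costs one PRNG step and one store per syscall, and in exchange any copy of the canary that exists outside the PDA is worthless by the time the next system call is entered.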