lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1243539361.6645.80.camel@laptop>
Date:	Thu, 28 May 2009 21:36:01 +0200
From:	Peter Zijlstra <peterz@...radead.org>
To:	Arjan van de Ven <arjan@...radead.org>
Cc:	Alan Cox <alan@...rguk.ukuu.org.uk>,
	"Larry H." <research@...reption.com>, Ingo Molnar <mingo@...e.hu>,
	Rik van Riel <riel@...hat.com>, linux-kernel@...r.kernel.org,
	Linus Torvalds <torvalds@...l.org>, linux-mm@...ck.org,
	Ingo Molnar <mingo@...hat.com>, pageexec@...email.hu
Subject: Re: [patch 0/5] Support for sanitization flag in low-level page
 allocator

On Sat, 2009-05-23 at 08:56 -0700, Arjan van de Ven wrote:
> On Sat, 23 May 2009 09:09:10 +0100
> Alan Cox <alan@...rguk.ukuu.org.uk> wrote:
> 
> > > Enabling SLAB poisoning by default will be a bad idea
> > 
> > Why ?
> > 
> > > I looked for unused/re-usable flags too, but found none. It's
> > > interesting to see SLUB and SLOB have their own page flags. Did
> > > anybody oppose those when they were proposed? 
> > 
> > Certainly they were looked at - but the memory allocator is right at
> > the core of the system rather than an add on.
> > 
> > > > Ditto - which is why I'm coming from the position of an "if we
> > > > free it clear it" option. If you need that kind of security the
> > > > cost should be more than acceptable - especially with modern
> > > > processors that can do cache bypass on the clears.
> > > 
> > > Are you proposing that we should simply remove the confidential
> > > flags and just stick to the unconditional sanitization when the
> > > boot option is enabled? If positive, it will make things more
> > > simple and definitely is better than nothing. I would have (still)
> > > preferred the other old approach to be merged, but whatever works
> > > at this point.
> > 
> > I am because
> > - its easy to merge
> > - its non controversial
> > - it meets the security good practice and means we don't miss any
> >   alloc/free cases
> > - it avoid providing flags to help a trojan identify "interesting"
> > data to acquire
> > - modern cpu memory clearing can be very cheap
> 
> ... and if we zero on free, we don't need to zero on allocate.
> While this is a little controversial, it does mean that at least part of
> the cost is just time-shifted, which means it'll not be TOO bad
> hopefully...

zero on allocate has the advantage of cache hotness, we're going to use
the memory, why else allocate it.

zero on free only causes extra cache evictions for no gain.


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ