lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20110527181724.GA6485@elte.hu>
Date:	Fri, 27 May 2011 20:17:24 +0200
From:	Ingo Molnar <mingo@...e.hu>
To:	Linus Torvalds <torvalds@...ux-foundation.org>
Cc:	Dan Rosenberg <drosenberg@...curity.com>,
	"Rafael J. Wysocki" <rjw@...k.pl>, Tony Luck <tony.luck@...il.com>,
	linux-kernel@...r.kernel.org, davej@...hat.com,
	kees.cook@...onical.com, davem@...emloft.net, eranian@...gle.com,
	adobriyan@...il.com, penberg@...nel.org, hpa@...or.com,
	Arjan van de Ven <arjan@...radead.org>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Valdis.Kletnieks@...edu, pageexec@...email.hu
Subject: Re: [RFC][PATCH] Randomize kernel base address on boot


* Linus Torvalds <torvalds@...ux-foundation.org> wrote:

> On Fri, May 27, 2011 at 10:46 AM, Ingo Molnar <mingo@...e.hu> wrote:
> >
> > If i understood you correctly you suggest randomizing the image 
> > by shifting the symbols in it around. The boot loader would still 
> > load an 'image' where it always loads it - just that image itself 
> > is randomized internally somewhat, right?
> 
> You snipped the other part of my email you responded to:
> 
>   For chrissake - you're doing the same thing. The only question is
>   "when" (and the fact that if you do it at install-time, you can do a
>   fancier job of it)
> 
> ie the fact that if you do it at install-time, you have the option of
> being much more fancy about it.
> 
> So sure, the install time option *can* do more. It doesn't *have* 
> to do more.
> 
> But being able to do a better job of randomization is *better*. Ok? 
> It doesn't mean you have to, but you have more options to do things 
> if you want to.
> 
> IOW, there is absolutely zero difference between doing it at 
> install-time or run-time, but the install-time one is (a) likely 
> easier and (b) certainly more flexible. But both of them do the 
> exact same thing, and require the exact same support in things like 
> /proc/kallsyms.
> 
> Of course, if we end up doing something really fancy (which the 
> install-time option allows), that obviously does mean that the 
> remapping by %pK thing for kallsyms needs to be much smarter too.
> 
> But at %pK time, you can *afford* to do that kind of things. At 
> boot-time, before you're even loaded and have a hard time even 
> parsing the e820 maps? Yeah, you're not going to do anything smart 
> there, I can tell you.

Ok, you are right, we could patch in all the things into the image at 
install time to be able to 'derandomize' symbols and still be able to 
provide them.

[ One worry i have is that distro logic is to go for the simplest 
  route: which is to randomize the symbols by padding the beginning 
  or the end of the kernel image a bit, but don't bother making %pK 
  smart or fancy. This means that /proc/kallsyms will be restricted 
  (maybe even turned off completely, because it's now broken) and a 
  'real' System.map put, only readable to root. This still 'allows'
  tooling, in a full SystemTap and Oprofile usability fashion. ]

Anyway, this strikes off the second item from my list. Meanwhile i 
also found two other usecases which i added to the head of the list:

 - Boot time dynamic randomization allows randomization of 'mass 
   install' systems, where the same image is used, to still be 
   randomized: for example a million phones all with the same Flash 
   ROM image and no 'install' performed at all on them.

   With static randomization these systems will all have the same
   kernel addresses.

 - Boot time dynamic randomization allows read-only systems to still 
   be randomized: for example internet cafes that use some popular 
   pre-packaged kiosk-mode live-DVD. They probably wont bother 
   randomizing and relinking the ISOs per machine and burning per 
   machine DVDs ...

 - A root exploit will still not give away the location of the
   kernel (assuming module loading has been disabled after bootup),
   so a rootkit cannot be installed 'silently' on the system, into
   RAM only, evading most offline-storage-checking tools.

   With static linking this is not possible: reading the kernel image
   as root trivially exposes the kernel's location.

 - Crash & reboot & retry brute force exploits get harder: if one
   attempt at an exploit causes a crash and a reboot, the kernel
   addresses are different after the reboot so the attempt has to be
   retried without the advantage of any prior history.

   With static linking this kind of exploit is somewhat easier: every
   crash gives a permanent proof that the guessed RIP offet was
   wrong, so history can be used on subsequent retries.

 - It gives a way to go one step further in secure server lockdown:
   where even root with full access to all storage has no way to
   break into the kernel. Reboots, module loading and kexec can be
   controlled, ioperm() and iopl() can be restricted. If those are
   taken away then even if a root exploit allows the attacker to
   overwrite the kernel image, a reboot has to be waited for and if
   reboots do sanity checks [based on immutable storage] of the
   system then the exploit can be found.

   With static linking this is not possible: reading the kernel image
   as root trivially exposes the kernel's location.

Thanks,

	Ingo

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ