[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20111116054427.GA14827@count0.beaverton.ibm.com>
Date: Tue, 15 Nov 2011 21:44:27 -0800
From: Matt Helsley <matthltc@...ibm.com>
To: Pavel Emelyanov <xemul@...allels.com>
Cc: Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Cyrill Gorcunov <gorcunov@...nvz.org>,
Glauber Costa <glommer@...allels.com>,
Andi Kleen <andi@...stfloor.org>, Tejun Heo <tj@...nel.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Matt Helsley <matthltc@...ibm.com>
Subject: Re: [PATCH 0/4] Checkpoint/Restore: Show in proc IDs of objects that
can be shared between tasks
On Tue, Nov 15, 2011 at 03:35:58PM +0400, Pavel Emelyanov wrote:
> While doing the checkpoint-restore in the userspace one need to determine
> whether various kernel objects (like mm_struct-s of file_struct-s) are shared
> between tasks and restore this state.
>
> The 2nd step can for now be solved by using respective CLONE_XXX flags and
> the unshare syscall, while there's currently no ways for solving the 1st one.
>
> One of the ways for checking whether two tasks share e.g. an mm_struct is to
> provide some mm_struct ID of a task to its proc file. The best from the
> performance point of view ID is the object address in the kernel, but showing
> them to the userspace is not good for performance reasons.
(I think you meant "not good for security reasons."...)
> The previous attempt to solve this was to generate an ID for slab/slub and then
> mix it up with the object index on the slab page. This attempt wasn't met
> warmly by slab maintainers, so here's the 2nd approach.
>
> The object address is XOR-ed with a "random" value of the same size and then
> shown in proc. Providing this poison is not leaked into the userspace then
> ID seem to be safe.
Really? There's no way to quickly derive the random number from known
allocation patterns and thereby break the obfuscation scheme?
To start we can note that the low N bits are directly exposed in the ID
of anything that requires 2^N-byte alignment.
I think it's really a question of whether the high order bits can be derived.
And of course the random number only needs to be derived once per boot
before it reveals the address of everything with an ID.
Some wild speculation:
I bet you could use some cpu affinity, mem policy, slab info, mmap
tricks, etc. to derive more low bits of the random number. You can probably
get even more when you consider objects that don't fit evenly in slabs.
Speaking of slabs, is there some way to use the fact that nearby slab objects
will share their high ID bits? If any of the ID-bearing objects allocated via
kmalloc then inducing memory pressure and/or watching for buddy allocator
merge/splits might reveal more low bits...
Cheers,
-Matt Helsley
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists