lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <52A28945.1080904@hitachi.com>
Date:	Sat, 07 Dec 2013 11:34:45 +0900
From:	Masami Hiramatsu <masami.hiramatsu.pt@...achi.com>
To:	"Frank Ch. Eigler" <fche@...hat.com>
Cc:	Ingo Molnar <mingo@...nel.org>,
	Ananth N Mavinakayanahalli <ananth@...ibm.com>,
	Sandeepa Prabhu <sandeepa.prabhu@...aro.org>, x86@...nel.org,
	lkml <linux-kernel@...r.kernel.org>,
	"Steven Rostedt (Red Hat)" <rostedt@...dmis.org>,
	systemtap@...rceware.org, "David S. Miller" <davem@...emloft.net>
Subject: Re: [PATCH -tip v4 0/6] kprobes: introduce NOKPROBE_SYMBOL() and
 fixes crash bugs

(2013/12/07 10:32), Frank Ch. Eigler wrote:
> Hi -
> 
> On Sat, Dec 07, 2013 at 08:19:13AM +0900, Masami Hiramatsu wrote:
> 
>> [...]
>>> Would you plan to limit kprobes (or just the perf-probe frontend) to
>>> only function-entries also?
> 
>> Exactly, yes :). Currently I have a patch for kprobe-tracer
>> implementation (not only for perf-probe, but doesn't limit kprobes
>> itself).
> 
> Interesting option.  It sounds like a restrictive expedient that could
> result in kprobes never being made sufficiently robust.

the raw-kprobes users like systemtap can also implement its own
whitelist. :) ftrace-based whitelist is only useful for ftrace/perf.
Anyway, the list is open via debugfs as available_filter_functions.

>>> If not, and if intra-function statement-granularity kprobes remain
>>> allowed within a function-granularity whitelist, then you might
>>> still have those "quantitative" problems.
> 
>> Yes, but as far as I've tested, the performance overhead is not
>> high, especially as far as putting kprobes at the entry of those
>> functions because of ftrace-based optimization.
> 
> (Would that also make CONFIG_KPROBE_EVENT require KPROBES_ON_FTRACE?)

Ah, no but a good point. at least the whitelist requires
CONFIG_FUNCTION_TRACER.

>>> Even worse, kprobes robustness problems can bite even with a small
>>> whitelist, unless you can test the countless subset selections
>>> cartesian-product the aggrevating factors (like other tracing
>>> facilities being in use at the same time, limited memory, high irq
>>> rates, debugging sessions, architectures, whatever).
>>
>> And also, what script will run on each probe, right? :)
> 
> In the perf-probe world, the closest analogue could be varying the
> contextual data that's being extracted (stack traces, parameters, ...).

Yes, it should be verified before accessing it (and already done).

>>>> [...]  For the long term solution, I think we can introduce some
>>>> kind of performance gatekeeper as systemtap does. Counting the
>>>> miss-hit rate per second and if it go over a threshold, disable next
>>>> miss-hit (or most miss-hit) probe (as OOM killer does).
>>>
>>> That would make sense, but again it would not help deal with kprobes
>>> robustness (in the kernel-crashing rather than kernel-slowdown sense).
>>
>> Why would you think so? Is there any hidden path for calling kprobes
>> mechanism?? The kernel crash problem just comes from bugs, not the
>> quantitative issue.
> 
> I don't think we're disagreeing.  A performance-gatekeeper in
> perf-probe or nearby would be useful (and manage the kprobe-quantity
> problem).  It would not be sufficient to prevent the kernel-crashing
> bugs.

Right. Ah, I just meant that we'd better add those features, not
replacing the blacklist. And the blacklist should be maintained
anyway. :)

Thank you,

-- 
Masami HIRAMATSU
IT Management Research Dept. Linux Technology Center
Hitachi, Ltd., Yokohama Research Laboratory
E-mail: masami.hiramatsu.pt@...achi.com


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ