lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20150507211118.5f765fc6@lxorguk.ukuu.org.uk>
Date:	Thu, 7 May 2015 21:11:18 +0100
From:	One Thousand Gnomes <gnomes@...rguk.ukuu.org.uk>
To:	Ingo Molnar <mingo@...nel.org>
Cc:	Dave Hansen <dave@...1.net>, linux-kernel@...r.kernel.org,
	x86@...nel.org
Subject: Re: [PATCH 00/12] [RFC] x86: Memory Protection Keys

On Thu, 7 May 2015 21:26:20 +0200
Ingo Molnar <mingo@...nel.org> wrote:

> 
> * One Thousand Gnomes <gnomes@...rguk.ukuu.org.uk> wrote:
> 
> > > We could keep heap metadata as R/O and only make it R/W inside of 
> > > malloc() itself to catch corruption more quickly.
> > 
> > If you implement multiple malloc pools you can chop up lots of 
> > stuff.
> 
> I'd say that a 64-bit address space is large enough to hide buffers in 
> from accidental corruption, without any runtime page protection 
> flipping overhead?

I'd say no. And from actual real world demand for PK the answer is also
no. It's already a problem with very large data sets. Worse still in many
cases its a problem that nobody is actually measuring or doing much about
(because mprotect on many gigabytes of data is expensive).

> > In library land it isn't just stuff like malloc, you can use it as a 
> > debug weapon to protect library private data from naughty 
> > application code.
> > 
> > There are some other debug uses when catching faults - fast ways to 
> > do range access breakpoints for example.
> 
> I think libraries are happy enough to work without bugs - apps digging 
> around in library data are in a "you keep all the broken pieces" 
> situation, why would a library want to slow down every good citizen 
> down with extra protection flipping/unflipping accesses?

For debugging, when the library maintained data is sensitive or
something you don't want corupted, or because the user puts security
first. Protection keys are an awful lot faster than mprotect. You've got
no synchronization and shootdowns to do just a CPU register to load to
indicate which mask of keys you are happy with. That really changes what
it is useful for, because it's cheap. It means you can happily do stuff
like

	while(data_blocks) {
		allow_key_and_source_access();
		do_crypto_func();
		revoke_key_and_source_access();
		do_network_io();  /* Can't accidentally leak keys or
					input */
	}


> Also, will apps/libraries bother if it's not a standard API and if it 
> only runs on very fresh CPUs?

In time I think yes.

Alan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ