[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CALCETrUxfPBawXNvKZgOnxhkaesw-b4PqCFUZbkRdaaqpjqnPQ@mail.gmail.com>
Date: Tue, 29 Mar 2016 14:29:00 -0700
From: Andy Lutomirski <luto@...capital.net>
To: Scott Bauer <sbauer@....utah.edu>
Cc: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"kernel-hardening@...ts.openwall.com"
<kernel-hardening@...ts.openwall.com>, X86 ML <x86@...nel.org>,
Andi Kleen <ak@...ux.intel.com>,
Ingo Molnar <mingo@...hat.com>,
Thomas Gleixner <tglx@...utronix.de>, wmealing@...hat.com,
Linus Torvalds <torvalds@...ux-foundation.org>
Subject: Re: [PATCH v4 0/4] SROP Mitigation: Sigreturn Cookies
On Tue, Mar 29, 2016 at 12:53 PM, Scott Bauer <sbauer@....utah.edu> wrote:
> Sigreturn-oriented programming is a new attack vector in userland
> where an attacker crafts a fake signal frame on the stack and calls
> sigreturn. The kernel will extract the fake signal frame, which
> contains attacker controlled "saved" registers. The kernel will then
> transfer control to the attacker controlled userland instruction pointer.
>
> To prevent SROP attacks the kernel needs to know or be able to dervive
> whether a sigreturn it is processing is in response to a legitimate
> signal the kernel previously delivered.
>
> Further information and test code can be found in Documentation/security
> and this excellent article:
> http://lwn.net/Articles/676803/
>
> These patches implement the necessary changes to generate a cookie
> which will be placed above signal frame upon signal delivery to userland.
> The cookie is generated using a per-process random value xor'd with
> the address where the cookie will be stored on the stack.
>
> Upon a sigreturn the kernel will extract the cookie from userland,
> recalculate what the original cookie should be and verify that the two
> do not differ. If the two differ the kernel will terminate the process
> with a SIGSEGV.
>
> This prevents SROP by adding a value that the attacker cannot guess,
> but the kernel can verify. Therefore an attacker cannot use sigreturn as
> a method to control the flow of a process.
>
Has anyone verified that this doesn't break CRIU cross-machine (or
cross-boot) migration and that this doesn't break dosemu? You're
changing the ABI here.
--Andy
>
> Version changes:
>
> v3->v4
> Removed ambiguous __user annotation, added Documentation
> and test code.
>
> v2->v3
> Changed cookie calculation from using restored regs->sp to
> using frame pointer from before restoration.
>
> v1->v2
> Miscellaneous nits and code cleanup.
>
> Scott Bauer (4):
> SROP Mitigation: Architecture independent code for signal cookies
> x86: SROP Mitigation: Implement Signal Cookies
> Sysctl: SROP Mitigation: Add Sysctl argument to disable SROP.
> Documentation: SROP Mitigation: Add documentation for SROP cookies
>
>
> Documentation/security/srop-cookies.txt | 203 ++++++++++++++++++++++++++++++++
> arch/x86/ia32/ia32_signal.c | 65 +++++++++-
> arch/x86/include/asm/fpu/signal.h | 2 +
> arch/x86/kernel/fpu/signal.c | 10 ++
> arch/x86/kernel/signal.c | 83 +++++++++++--
> fs/exec.c | 3 +
> include/linux/sched.h | 7 ++
> include/linux/signal.h | 3 +
> kernel/signal.c | 49 ++++++++
> kernel/sysctl.c | 8 ++
> 10 files changed, 418 insertions(+), 15 deletions(-)
>
--
Andy Lutomirski
AMA Capital Management, LLC
Powered by blists - more mailing lists