| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 1 Apr 2016 11:21:11 +1100 From: Balbir Singh <bsingharora@...il.com> To: Juerg Haefliger <juerg.haefliger@....com> Cc: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, linux-mm <linux-mm@...ck.org>, vpk@...brown.edu Subject: Re: [RFC PATCH] Add support for eXclusive Page Frame Ownership (XPFO) On Mon, Mar 21, 2016 at 7:44 PM, Juerg Haefliger <juerg.haefliger@....com> wrote: > Hi Balbir, > > Apologies for the slow reply. > No problem, I lost this in my inbox as well due to the reply latency. > > On 03/01/2016 03:10 AM, Balbir Singh wrote: >> >> >> On 27/02/16 01:21, Juerg Haefliger wrote: >>> This patch adds support for XPFO which protects against 'ret2dir' kernel >>> attacks. The basic idea is to enforce exclusive ownership of page frames >>> by either the kernel or userland, unless explicitly requested by the >>> kernel. Whenever a page destined for userland is allocated, it is >>> unmapped from physmap. When such a page is reclaimed from userland, it is >>> mapped back to physmap. >> physmap == xen physmap? Please clarify > > No, it's not XEN related. I might have the terminology wrong. Physmap is what > the original authors used for describing <quote> a large, contiguous virtual > memory region inside kernel address space that contains a direct mapping of part > or all (depending on the architecture) physical memory. </quote> > Thanks for clarifying > >>> Mapping/unmapping from physmap is accomplished by modifying the PTE >>> permission bits to allow/disallow access to the page. >>> >>> Additional fields are added to the page struct for XPFO housekeeping. >>> Specifically a flags field to distinguish user vs. kernel pages, a >>> reference counter to track physmap map/unmap operations and a lock to >>> protect the XPFO fields. >>> >>> Known issues/limitations: >>> - Only supported on x86-64. >> Is it due to lack of porting or a design limitation? > > Lack of porting. Support for other architectures will come later. > OK > >>> - Only supports 4k pages. >>> - Adds additional data to the page struct. >>> - There are most likely some additional and legitimate uses cases where >>> the kernel needs to access userspace. Those need to be identified and >>> made XPFO-aware. >> Why not build an audit mode for it? > > Can you elaborate what you mean by this? > What I meant is when the kernel needs to access userspace and XPFO is not aware of it and is going to block it, write to a log/trace buffer so that it can be audited for correctness > >>> - There's a performance impact if XPFO is turned on. Per the paper >>> referenced below it's in the 1-3% ballpark. More performance testing >>> wouldn't hurt. What tests to run though? >>> >>> Reference paper by the original patch authors: >>> http://www.cs.columbia.edu/~vpk/papers/ret2dir.sec14.pdf >>> >>> Suggested-by: Vasileios P. Kemerlis <vpk@...brown.edu> >>> Signed-off-by: Juerg Haefliger <juerg.haefliger@....com> >> This patch needs to be broken down into smaller patches - a series > > Agreed. > I think it will be good to describe what is XPFO aware 1. How are device mmap'd shared between kernel/user covered? 2. How is copy_from/to_user covered? 3. How is vdso covered? 4. More... Balbir Singh.
Powered by blists - more mailing lists