[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAGXu5jLLFg78iG2LBwwNQesi4Tir-4wBXLHg=HOAPa-+Lr7GXQ@mail.gmail.com>
Date: Tue, 11 Apr 2017 09:30:58 -0700
From: Kees Cook <keescook@...omium.org>
To: Christoph Lameter <cl@...ux.com>
Cc: Michal Hocko <mhocko@...nel.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Pekka Enberg <penberg@...nel.org>,
David Rientjes <rientjes@...gle.com>,
Joonsoo Kim <iamjoonsoo.kim@....com>,
Linux-MM <linux-mm@...ck.org>,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] mm: Add additional consistency check
On Tue, Apr 11, 2017 at 9:23 AM, Christoph Lameter <cl@...ux.com> wrote:
> On Tue, 11 Apr 2017, Kees Cook wrote:
>
>> It seems that enabling the debug checks comes with a non-trivial
>> performance impact. I'd like to see consistency checks by default so
>> we can handle intentional heap corruption attacks better. This check
>> isn't expensive...
>
> Its in a very hot code and frequently used code path.
Yeah, absolutely. All the more reason to make sure the kernel can't be
attacked through it. :) As with the automotive industry analogy[1]
from Konstantin, we need to make sure Linux not only run fast and
efficiently, but also fails gracefully by default.
> Note also that these checks can be enabled and disabled at runtime for
> each slab cache.
Correct, but my understanding is that enabling them through the debug
system ends up being much more expensive than this smaller check. The
debug code is fairly comprehensive, but it's not been designed for
efficient attack detection, etc.
-Kees
[1] http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf
--
Kees Cook
Pixel Security
Powered by blists - more mailing lists