[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <56c2e0f0-361c-91f1-611f-37c6ea4c823f@iaik.tugraz.at>
Date: Mon, 8 May 2017 15:23:59 +0200
From: Daniel Gruss <daniel.gruss@...k.tugraz.at>
To: Thomas Garnier <thgarnie@...gle.com>
CC: kernel list <linux-kernel@...r.kernel.org>,
Kernel Hardening <kernel-hardening@...ts.openwall.com>,
"clementine.maurice@...k.tugraz.at"
<clementine.maurice@...k.tugraz.at>,
"moritz.lipp@...k.tugraz.at" <moritz.lipp@...k.tugraz.at>,
Michael Schwarz <michael.schwarz@...k.tugraz.at>,
Richard Fellner <richard.fellner@...dent.tugraz.at>,
"Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
Ingo Molnar <mingo@...nel.org>,
"anders.fogh@...ta-adan.de" <anders.fogh@...ta-adan.de>
Subject: Re: [kernel-hardening] [RFC, PATCH] x86_64: KAISER - do not map
kernel in user mode
On 05.05.2017 10:23, Daniel Gruss wrote:
>> - How this approach prevent the hardware attacks you mentioned? You
>> still have to keep a part of _text in the pagetable and an attacker
>> could discover it no? (and deduce the kernel base address).
>
> These parts are moved to a different section (.user_mapped) which is at a possibly predictable location - the location
> of the randomized parts of the kernel is independent of the location of .user_mapped.
> The code/data footprint for .user_mapped is quite small, helping to reduce or eliminate the attack surface...
We just discussed that in our group again: although we experimented with this part, it's not yet included in the patch.
The solution we sketched is, as I wrote, we map the required (per-thread) variables in the user CR3 to a fixed location
in memory. During the context switch, only this fixed part remains mapped but not the randomized pages. This is not a
lot of work, because it's just mapping a few more pages and fixing a 1 or 2 lines in the context switch.
Powered by blists - more mailing lists