| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <6cc985bb-6aed-4fb7-0ef2-43aad2717095@oracle.com>
Date: Wed, 24 Oct 2018 16:30:42 +0530
From: Khalid Aziz <khalid.aziz@...cle.com>
To: "Stecklina, Julian" <jsteckli@...zon.de>
Cc: "juerg.haefliger@....com" <juerg.haefliger@....com>,
"deepa.srinivasan@...cle.com" <deepa.srinivasan@...cle.com>,
"jmattson@...gle.com" <jmattson@...gle.com>,
"andrew.cooper3@...rix.com" <andrew.cooper3@...rix.com>,
"Woodhouse, David" <dwmw@...zon.co.uk>,
"torvalds@...ux-foundation.org" <torvalds@...ux-foundation.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"linux-mm@...ck.org" <linux-mm@...ck.org>,
"boris.ostrovsky@...cle.com" <boris.ostrovsky@...cle.com>,
"pradeep.vincent@...cle.com" <pradeep.vincent@...cle.com>,
"konrad.wilk@...cle.com" <konrad.wilk@...cle.com>,
"tglx@...utronix.de" <tglx@...utronix.de>,
"kanth.ghatraju@...cle.com" <kanth.ghatraju@...cle.com>,
"joao.m.martins@...cle.com" <joao.m.martins@...cle.com>,
"liran.alon@...cle.com" <liran.alon@...cle.com>,
"ak@...ux.intel.com" <ak@...ux.intel.com>,
"keescook@...gle.com" <keescook@...gle.com>,
"kernel-hardening@...ts.openwall.com"
<kernel-hardening@...ts.openwall.com>,
"chris.hyser@...cle.com" <chris.hyser@...cle.com>,
"tyhicks@...onical.com" <tyhicks@...onical.com>,
"john.haxby@...cle.com" <john.haxby@...cle.com>,
"jcm@...hat.com" <jcm@...hat.com>
Subject: Re: Redoing eXclusive Page Frame Ownership (XPFO) with isolated CPUs
in mind (for KVM to isolate its guests per CPU)
On 10/15/2018 01:37 PM, Khalid Aziz wrote:
> On 09/24/2018 08:45 AM, Stecklina, Julian wrote:
>> I didn't test the version with TLB flushes, because it's clear that the
>> overhead is so bad that no one wants to use this.
>
> I don't think we can ignore the vulnerability caused by not flushing
> stale TLB entries. On a mostly idle system, TLB entries hang around long
> enough to make it fairly easy to exploit this. I was able to use the
> additional test in lkdtm module added by this patch series to
> successfully read pages unmapped from physmap by just waiting for system
> to become idle. A rogue program can simply monitor system load and mount
> its attack using ret2dir exploit when system is mostly idle. This brings
> us back to the prohibitive cost of TLB flushes. If we are unmapping a
> page from physmap every time the page is allocated to userspace, we are
> forced to incur the cost of TLB flushes in some way. Work Tycho was
> doing to implement Dave's suggestion can help here. Once Tycho has
> something working, I can measure overhead on my test machine. Tycho, I
> can help with your implementation if you need.
I looked at Tycho's last patch with batch update from
<https://lkml.org/lkml/2017/11/9/951>. I ported it on top of Julian's
patches and got it working well enough to gather performance numbers.
Here is what I see for system times on a machine with dual Xeon E5-2630
and 256GB of memory when running "make -j30 all" on 4.18.6 kernel
(percentages are relative to base 4.19-rc8 kernel without xpfo):
Base 4.19-rc8 913.84s
4.19-rc8 + xpfo, no TLB flush 1027.985s (+12.5%)
4.19-rc8 + batch update, no TLB flush 970.39s (+6.2%)
4.19-rc8 + xpfo, TLB flush 8458.449s (+825.6%)
4.19-rc8 + batch update, TLB flush 4665.659s (+410.6%)
Batch update is significant improvement but we are starting so far
behind baseline, it is still a huge slow down.
--
Khalid
Powered by blists - more mailing lists