lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Tue, 22 Jan 2019 16:34:18 +0200
From:   Julian Stecklina <jsteckli@...zon.de>
To:     Kees Cook <keescook@...omium.org>
Cc:     Greg KH <gregkh@...uxfoundation.org>,
        Andi Kleen <ak@...ux.intel.com>,
        LKML <linux-kernel@...r.kernel.org>,
        David Woodhouse <dwmw2@...radead.org>,
        Liran Alon <liran.alon@...cle.com>,
        Paolo Bonzini <pbonzini@...hat.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        X86 ML <x86@...nel.org>,
        Kernel Hardening <kernel-hardening@...ts.openwall.com>
Subject: Re: [RFC] x86/speculation: add L1 Terminal Fault / Foreshadow demo

Kees Cook <keescook@...omium.org> writes:

> On Tue, Jan 22, 2019 at 8:15 AM Greg KH <gregkh@...uxfoundation.org> wrote:
>>
>> On Mon, Jan 21, 2019 at 10:36:18AM -0800, Andi Kleen wrote:
>> > > +   /* Check the start address: needs to be page-aligned.. */
>> > > +-  if (start & ~PAGE_MASK)
>> > > ++  if (start & ~PAGE_MASK) {
>> > > ++
>> > > ++          /*
>> > > ++           * XXX Hack
>> > > ++           *
>> > > ++           * We re-use this error case to show case a cache load gadget:
>> > > ++           * There is a mispredicted branch, which leads to prefetching
>> > > ++           * the cache with attacker controlled data.
>> > > ++           */
>> > > ++          asm volatile (
>> >
>> > Obviously that can never be added to a standard kernel.
>>
>> No, that's why it is a patch, right?

Yes, this is obviously only for experimenting.

>> People want to test things, it's nice to have a way to easily do
>> this.
>
> What about adding something like it to drivers/misc/lkdtm/ instead?
>
> It's not a "production" module, but it regularly get built for selftest builds.

For people who want to test L1TF hardening patches in the kernel (e.g.
XPFO) it's certainly nice to not have to manually patch the kernel to add
an easy to reach cache load gadget. It's also nice if you quickly want
to test whether a random Intel CPU has this vulnerability.

The cache load gadget as it is right now is mostly to show a reasonably
realistic scenario of speculatively executed code fetching memory into
the L1 cache. I didn't want to make this a completely crafted example
where I just literally execute a prefetch instruction.

But what I could do is add a bit of code in lkdtm that exposes a debugfs
file with this functionality.

Thoughts?

Julian

Powered by blists - more mailing lists