lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <DB7PR02MB39792DF9294085D0BE1676E6BB5A0@DB7PR02MB3979.eurprd02.prod.outlook.com>
Date:   Wed, 11 Dec 2019 17:04:55 +0000
From:   Mircea CIRJALIU - MELIU <mcirjaliu@...defender.com>
To:     "Kirill A. Shutemov" <kirill@...temov.name>
CC:     "linux-mm@...ck.org" <linux-mm@...ck.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        Jerome Glisse <jglisse@...hat.com>,
        Paolo Bonzini <pbonzini@...hat.com>,
        "aarcange@...hat.com" <aarcange@...hat.com>
Subject: RE: [RFC PATCH v1 1/4] mm/remote_mapping: mirror a process address
 space

> On Wed, Dec 11, 2019 at 09:29:17AM +0000, Mircea CIRJALIU - MELIU wrote:
> > Use a device to inspect another process address space via page table
> mirroring.
> > Give this device a source process PID via an ioctl(), then use mmap()
> > to analyze the source process address space like an ordinary file.
> > Process address space mirroring is limited to anon VMAs.
> > The device mirrors page tables on demand (faults) and invalidates them
> > by listening to MMU notifier events.
> 
> It's way to brief to justify the new interface. Use cases? Why current
> intefaces are not enough?

Its main purpose is virtual machine instrospection.
Could also be used for security software, debuggers, etc.

It gains direct access to another process address space by mirroring its page
tables to the local process address space.
The main difference from ptrace is zero-copy read/write.

The use case looks like this:
	fd = open("/dev/mirror-proc", O_RDWR);

	/* hook on process 1234 */
	ioctl(fd, REMOTE_PROC_MAP, 1234);

	addr = mmap(NULL, length, PROT_READ | PROT_WRITE, MAP_SHARED, fd, offset);
	/* operate on memory of process 1234 */
	munmap(addr, length);

The address space mirroring is done in a VMA with VM_PFNMAP attributes.
The PFNs are installed in the fault handlers and invalidated via MMU notifier.
So no page management structures are involved.

Observe that the introspector process can mmap() very large regions from 
the source process address space, sometimes involving holes. If no page is
found at a given address, the introspector gets a SIGBUS.

> 
> There's nothing in the description that would convince me to look at the
> code.
> 
> --
>  Kirill A. Shutemov

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ