[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1a7c9989-fb98-20f7-c0d9-2261aa50d967@linux.microsoft.com>
Date: Wed, 23 Sep 2020 18:53:21 -0500
From: "Madhavan T. Venkataraman" <madvenka@...ux.microsoft.com>
To: Florian Weimer <fweimer@...hat.com>,
Solar Designer <solar@...nwall.com>
Cc: Pavel Machek <pavel@....cz>, kernel-hardening@...ts.openwall.com,
linux-api@...r.kernel.org, linux-arm-kernel@...ts.infradead.org,
linux-fsdevel@...r.kernel.org, linux-integrity@...r.kernel.org,
linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org, oleg@...hat.com,
x86@...nel.org, luto@...nel.org, David.Laight@...LAB.COM,
mark.rutland@....com, mic@...ikod.net,
Rich Felker <dalias@...c.org>
Subject: Re: [PATCH v2 0/4] [RFC] Implement Trampoline File Descriptor
On 9/23/20 9:39 AM, Florian Weimer wrote:
> * Solar Designer:
>
>> While I share my opinion here, I don't mean that to block Madhavan's
>> work. I'd rather defer to people more knowledgeable in current userland
>> and ABI issues/limitations and plans on dealing with those, especially
>> to Florian Weimer. I haven't seen Florian say anything specific for or
>> against Madhavan's proposal, and I'd like to. (Have I missed that?)
>
> There was a previous discussion, where I provided feedback (not much
> different from the feedback here, given that the mechanism is mostly the
> same).
>
> I think it's unnecessary for the libffi use case. Precompiled code can
> be loaded from disk because the libffi trampolines are so regular. On
> most architectures, it's not even the code that's patched, but some of
> the data driving it, which happens to be located on the same page due to
> a libffi quirk.
>
> The libffi use case is a bit strange anyway: its trampolines are
> type-generic, and the per-call adjustment is data-driven. This means
> that once you have libffi in the process, you have a generic
> data-to-function-call mechanism available that can be abused (it's even
> fully CET compatible in recent versions). And then you need to look at
> the processes that use libffi. A lot of them contain bytecode
> interpreters, and those enable data-driven arbitrary code execution as
> well. I know that there are efforts under way to harden Python, but
> it's going to be tough to get to the point where things are still
> difficult for an attacker once they have the ability to make mprotect
> calls.
>
> It was pointed out to me that libffi is doing things wrong, and the
> trampolines should not be type-generic, but generated so that they match
> the function being called. That is, the marshal/unmarshal code would be
> open-coded in the trampoline, rather than using some generic mechanism
> plus run-time dispatch on data tables describing the function type.
> That is a very different design (and typically used by compilers (JIT or
> not JIT) to implement native calls). Mapping some code page with a
> repeating pattern would no longer work to defeat anti-JIT measures
> because it's closer to real JIT. I don't know if kernel support could
> make sense in this context, but it would be a completely different
> patch.
>
> Thanks,
> Florian
>
Hi Florian,
I am making myself familiar with anti-JIT measures before I can respond
to this comment. Bear with me. I will also respond to the above
libffi comment.
Madhavan
Powered by blists - more mailing lists