lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <69cfbf60-2583-1bdc-3313-3b1ab72968e0@intel.com>
Date:   Wed, 24 Aug 2022 09:28:17 -0700
From:   Dave Hansen <dave.hansen@...el.com>
To:     Stephen Röttger <sroettger@...gle.com>,
        Andy Lutomirski <luto@...nel.org>
Cc:     Kees Cook <keescook@...omium.org>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        the arch/x86 maintainers <x86@...nel.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Jann Horn <jannh@...gle.com>
Subject: Re: PKU usage improvements for threads

On 8/24/22 01:51, Stephen Röttger wrote:
>>> Yeah, that's something for which our defenses are quite weak.  But, it
>>> also calls for a very generic mm/ solution and not something specific at
>>> all to pkeys.
> We were also thinking about if this should be a more generic feature instead of
> being tied to pkeys. I.e. the doc above has an alternative proposal to introduce
> something like a memory seal/unseal syscall.
> I was personally leaning towards using pkeys for this for a few reasons:
> * intuitively it would make sense to me to extend PKEY_DISABLE_ACCESS
>   to also mean disable all changes to the memory, not just the data.

It would make some sense, but we can't do it with the existing
PKEY_DISABLE_ACCESS ABI.  It would surely break existing users if they
couldn't munmap() memory that was PKEY_DISABLE_ACCESS.

But, making it part of the mprotect() ABI wouldn't be the worst thing in
the world.  Since we have a pkey_mprotect(), any mprotect()-based
mechanism could even reuse the existing pkey syscalls.

I do agree with Andy, though, that I'm not quite sure what the attack
model is here.  If an attacker can make arbitrary system calls, surely
protecting one little altstack VMA isn't doing to help much.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ