lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <5c222541-4add-2ca6-90a1-faf11e0b5319@huaweicloud.com>
Date:   Sun, 25 Jun 2023 20:01:07 +0800
From:   "GONG, Ruiqi" <gongruiqi@...weicloud.com>
To:     Kees Cook <keescook@...omium.org>, Vlastimil Babka <vbabka@...e.cz>
Cc:     Andrew Morton <akpm@...ux-foundation.org>,
        Joonsoo Kim <iamjoonsoo.kim@....com>,
        David Rientjes <rientjes@...gle.com>,
        Pekka Enberg <penberg@...nel.org>,
        Christoph Lameter <cl@...ux.com>, Tejun Heo <tj@...nel.org>,
        Dennis Zhou <dennis@...nel.org>,
        Alexander Potapenko <glider@...gle.com>,
        Marco Elver <elver@...gle.com>, Jann Horn <jannh@...gle.com>,
        Roman Gushchin <roman.gushchin@...ux.dev>,
        Hyeonggon Yoo <42.hyeyoo@...il.com>,
        Dmitry Vyukov <dvyukov@...gle.com>,
        Alexander Lobakin <aleksander.lobakin@...el.com>,
        Pedro Falcato <pedro.falcato@...il.com>,
        Paul Moore <paul@...l-moore.com>,
        James Morris <jmorris@...ei.org>,
        "Serge E . Hallyn" <serge@...lyn.com>,
        Wang Weiyang <wangweiyang2@...wei.com>,
        Xiu Jianfeng <xiujianfeng@...wei.com>, linux-mm@...ck.org,
        linux-hardening@...r.kernel.org, linux-kernel@...r.kernel.org,
        gongruiqi1@...wei.com
Subject: Re: [PATCH v3 1/1] Randomized slab caches for kmalloc()



On 2023/06/23 4:10, Kees Cook wrote:
> On Thu, Jun 22, 2023 at 03:56:04PM +0200, Vlastimil Babka wrote:
>> On 6/16/23 13:18, GONG, Ruiqi wrote:
>>> index a3c95338cd3a..6150e9a946a7 100644
>>> --- a/mm/Kconfig
>>> +++ b/mm/Kconfig
>>> @@ -337,6 +337,55 @@ config SLUB_CPU_PARTIAL
>>>  	  which requires the taking of locks that may cause latency spikes.
>>>  	  Typically one would choose no for a realtime system.
>>>  
>>> +config RANDOM_KMALLOC_CACHES
>>> +	default n
>>> +	depends on SLUB
>>> +	bool "Random slab caches for normal kmalloc"
>>> +	help
>>> +	  A hardening feature that creates multiple copies of slab caches for
>>> +	  normal kmalloc allocation and makes kmalloc randomly pick one based
>>> +	  on code address, which makes the attackers unable to spray vulnerable
>>> +	  memory objects on the heap for exploiting memory vulnerabilities.
>>> +
>>> +choice
>>> +	prompt "Number of random slab caches copies"
>>> +	depends on RANDOM_KMALLOC_CACHES
>>> +	default RANDOM_KMALLOC_CACHES_16
>>> +	help
>>> +	  The number of copies of random slab caches. Bigger value makes the
>>> +	  potentially vulnerable memory object less likely to collide with
>>> +	  objects allocated from other subsystems or modules.
>>
>> When I read this, without further knowledge, why would I select anything
>> else than the largest value? It should mention memory overhead maybe?
> 
> Yeah, good idea.
> 

No problem. Will add some text about memory overhead into the help
paragraph of RANDOM_KMALLOC_CACHES.

>> Also would anyone really select only "2" and thus limit the collision
>> probability to 50% and not less? "4" also seems quite low for the given
>> purpose? Could we just pick and hardcode 8 or 16 and avoid the selection, at
>> least until there's some more experience with the whole approach?
> 
> I assume it was for doing performance (speed or space) analysis for
> people interested in tuning it. The default is 16, which is what most
> folks will end up with. i.e. I'm not sure I see a benefit to dropping 2
> and 4, since I imagine people will either want the highest value (16),
> or the ability to do a full comparison of each setting.
> 
> Regardless, I would be fine if we dropped 2 and 4, since I am focused on
> the maximum number (16) of hash buckets. :)
> 

It's true that 2 and 4 don't make much sense from the hardening
perspective, and I added them only to cover all possible choices. And
since the overhead difference between 8 and 16 is small, I will hardcode
16 and drop all other options in the next version.

> -Kees
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ