| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <8fc285a3-92af-47e1-a405-0adf573c57aa@arm.com> Date: Mon, 9 Dec 2024 13:57:09 +0100 From: Kevin Brodsky <kevin.brodsky@....com> To: Jann Horn <jannh@...gle.com> Cc: linux-hardening@...r.kernel.org, linux-kernel@...r.kernel.org, aruna.ramakrishna@...cle.com, broonie@...nel.org, catalin.marinas@....com, dave.hansen@...ux.intel.com, jeffxu@...omium.org, joey.gouly@....com, kees@...nel.org, maz@...nel.org, pierre.langlois@....com, qperret@...gle.com, ryan.roberts@....com, will@...nel.org, linux-arm-kernel@...ts.infradead.org, x86@...nel.org Subject: Re: [RFC PATCH 00/16] pkeys-based page table hardening On 06/12/2024 20:14, Jann Horn wrote: > On Fri, Dec 6, 2024 at 11:13 AM Kevin Brodsky <kevin.brodsky@....com> wrote: >> [...] >> >> Page tables were chosen as they are a popular (and critical) target for >> attacks, but there are of course many others - this is only a starting >> point (see section "Further use-cases"). It has become more and more >> common for accesses to such target data to be mediated by a hypervisor >> in vendor kernels; the hope is that kpkeys can provide much of that >> protection in a simpler manner. No benchmarking has been performed at >> this stage, but the runtime overhead should also be lower (though likely >> not negligible). > Yeah, it isn't great that vendor kernels contain such invasive changes... > > I guess one difference between this approach and a hypervisor-based > approach is that a hypervisor that uses a second layer of page tables > can also prevent access through aliasing mappings, while pkeys only > prevent access through a specific mapping? (Like if an attacker > managed to add a page that is mapped into userspace to a page > allocator freelist, allocate this page as a page table, and use the > userspace mapping to write into this page table. But I guess whether > that is an issue depends on the threat model.) Yes, that's correct. If an attacker is able to modify page tables then kpkeys are easily defeated. (kpkeys_hardened_pgtables does mitigate precisely that, though.) On the topic of aliases, it's worth noting that this isn't an issue with page table pages (only the linear mapping is used), but if we wanted to assigning a pkey to vmalloc areas we'd also have to amend the linear mapping. >> [...] >> >> # Threat model >> >> The proposed scheme aims at mitigating data-only attacks (e.g. >> use-after-free/cross-cache attacks). In other words, it is assumed that >> control flow is not corrupted, and that the attacker does not achieve >> arbitrary code execution. Nothing prevents the pkey register from being >> set to its most permissive state - the assumption is that the register >> is only modified on legitimate code paths. > Is the threat model that the attacker has already achieved full > read/write access to unprotected kernel data and should be stopped > from gaining write access to protected data? Or is the threat model > that the attacker has achieved some limited corruption, and this > series is intended to make it harder to either gain write access to > protected data or achieve full read/write access to unprotected data? The assumption is that the attacker has acquired a write primitive that could potentially allow corrupting any kernel data. The objective is to make it harder to exploit that primitive by making critical data immune to it. Nothing stops the attacker to turn to another (unprotected) target, but this is no different from hypervisor-based protection - the hope is that removing the low-hanging fruits makes it too difficult to build a complete exploit chain. - Kevin
Powered by blists - more mailing lists