Message-ID: <1291283693.2871.48.camel@edumazet-laptop>
Date:	Thu, 02 Dec 2010 10:54:53 +0100
From:	Eric Dumazet <eric.dumazet@...il.com>
To:	Changli Gao <xiaosuo@...il.com>
Cc:	David Miller <davem@...emloft.net>, hagen@...u.net,
	wirelesser@...il.com, netdev@...r.kernel.org,
	Dan Rosenberg <drosenberg@...curity.com>
Subject: Re: [PATCH net-next-2.6] filter: add a security check at install time

On Thursday, 02 December 2010 at 17:10 +0800, Changli Gao wrote:
> On Thu, Dec 2, 2010 at 5:00 PM, Eric Dumazet <eric.dumazet@...il.com> wrote:
> > On Thursday, 02 December 2010 at 09:53 +0100, Eric Dumazet wrote:
> >> On Thursday, 02 December 2010 at 16:11 +0800, Changli Gao wrote:
> >>
> >> > It seems correct to me now.
> >> >
> >> > Acked-by: Changli Gao <xiaosuo@...il.com>
> >> >
> >>
> >> Thanks for reviewing Changli.
> >>
> >> Now I am thinking about not denying the filter installation, but changing
> >> the problematic LOAD M(1) and LOADX M(1) to LOADI #0 (BPF_S_LD_IMM
> >> K=0) and LOADIX #0 (BPF_S_LDX_IMM K=0)
> 
> Oops. We were wrong. The RAM of BPF machine is initialized to 0. So
> loading from a cell, in which no value is stored before, is valid. So
> we can't prevent the following instructions.
> 

It was not 'initialized to 0', that's the point of previous patches.

> jeq jt jf
> jt:
> store m[0]
> jf:
> load m[0]
> 
> After applying your patch, the third instruction will be replaced with
> load 0. It is wrong for the jt branch. So NACK.
> 
> 

But this is _exactly_ the case we want to deny (or protect)

We want to:

- Accept valid programs generated by libpcap current and future
optimizers. Show me a real sample.

A valid program doesn't mix stores/loads like you tried.

Memories are used because of limited instruction and register (A, X)
set.

- Make sure a malicious or stupid or buggy program doesn't read garbage
from stack.

After optimizer, your program should read (no memory load/stores)

RET #0


To let your 'program' run, we could add temporary state saying :

Memory K has a known value m(k), or an unknown one.
Register A has a known value a, or an unknown one.
Register X has a known value x, or an unknown one.

And be able to "optimize" stupid "jeq jt jf" tests if value of A is
known, since we know the result of test (only one branch will be taken)

I am not sure it's worth it, really, since all instruction set should be
taken into account to maintain this state. (implement kind of an
optimizer in kernel)

It's probably better to spend time in userland optimizer, and a JIT
compiler...

(By the way, I believe FreeBSD has the security problem Dan reported to
us)
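As an added worked example, not code from the patch under discussion or from the kernel: the Python below models the install-time scratch-memory check in the forward-only way this thread argues for. It tracks, for every instruction, which M[k] cells are guaranteed to have been written on every path reaching it; a jump carries its state to its targets and a join point keeps only the intersection. The opcode names, the `Insn` class and the sample programs are my own simplified encoding (assumptions, not the kernel's BPF_S_* codes); jump offsets are relative to pc+1 as in classic BPF. On Changli's "jeq jt jf / jt: store m[0] / jf: load m[0]" program the check refuses the filter, because the load is reachable through jf with m[0] never written, while a store that dominates the load, or stores on both arms of the branch, are accepted.

```python
"""Install-time check for classic BPF scratch memory (added illustration).

Assumption: a simplified instruction model with named opcodes instead of the
kernel's BPF_S_* codes. Classic BPF jumps only go forward, so a single pass in
program order sees every predecessor of an instruction before the instruction
itself, which is what makes this one-pass data-flow check sufficient.
"""
from dataclasses import dataclass
from typing import List

BPF_MEMWORDS = 16  # classic BPF has 16 scratch memory cells, M[0..15]


@dataclass(frozen=True)
class Insn:
    op: str      # "st"/"stx" (store A/X into M[k]), "ld_mem"/"ldx_mem" (load M[k]),
                 # "ja" (jump always), "jeq" (conditional jump), "ret", "other"
    k: int = 0   # memory cell index, jump offset (ja) or immediate
    jt: int = 0  # offset of the true branch (conditional jumps)
    jf: int = 0  # offset of the false branch (conditional jumps)


def check_load_and_stores(prog: List[Insn]) -> bool:
    """Return True iff every load of M[k] is preceded by a store to M[k] on
    every path that reaches it; False means the filter must be refused."""
    n = len(prog)
    all_cells = (1 << BPF_MEMWORDS) - 1
    # masks[pc]: intersection, over all jumps landing at pc, of the cells
    # known to be written at the moment that jump is taken.
    masks = [all_cells] * n
    memvalid = 0  # at program entry no cell has been written

    for pc, insn in enumerate(prog):
        # Merge the fall-through state with the state carried in by jumps.
        memvalid &= masks[pc]

        if insn.op in ("st", "stx"):
            if not 0 <= insn.k < BPF_MEMWORDS:
                return False
            memvalid |= 1 << insn.k
        elif insn.op in ("ld_mem", "ldx_mem"):
            if not 0 <= insn.k < BPF_MEMWORDS:
                return False
            if not memvalid & (1 << insn.k):
                return False  # reads a cell never written on some path
        elif insn.op in ("ja", "jeq"):
            offsets = (insn.k,) if insn.op == "ja" else (insn.jt, insn.jf)
            for off in offsets:
                target = pc + 1 + off
                if off < 0 or target >= n:
                    return False  # backward or out-of-range jump
                masks[target] &= memvalid
            # A jump never falls through: the next instruction is reached only
            # via some jump, so start it from "all written" and let the
            # accumulated masks narrow that down.
            memvalid = all_cells
        elif insn.op == "ret":
            memvalid = all_cells  # same reasoning: nothing falls through a ret
        # "other" (ALU, packet loads, ...) does not touch scratch memory
    return True


# Constructed encoding of the program quoted in the thread: the store sits on
# the jt arm only, and the load is the join point both arms reach.
THREAD_EXAMPLE = [
    Insn("jeq", k=1, jt=0, jf=1),  # jeq #1 jt jf  (jt -> pc 1, jf -> pc 2)
    Insn("st", k=0),               # jt: store m[0]
    Insn("ld_mem", k=0),           # jf: load m[0], also reached after the store
    Insn("ret", k=0),
]

# Constructed: the store dominates the branch, so every path to the loads is covered.
STORE_BEFORE_BRANCH = [
    Insn("st", k=0),
    Insn("jeq", k=1, jt=0, jf=1),
    Insn("ld_mem", k=0),           # jt
    Insn("ldx_mem", k=0),          # jf
    Insn("ret", k=0),
]

# Constructed: a store on each arm, then a load at the join; the intersection
# of the two incoming states still contains M[0].
STORE_ON_BOTH_BRANCHES = [
    Insn("jeq", k=1, jt=0, jf=2),  # jt -> pc 1, jf -> pc 3
    Insn("st", k=0),               # jt arm
    Insn("ja", k=1),               # skip the jf arm, land on pc 4
    Insn("stx", k=0),              # jf arm
    Insn("ld_mem", k=0),           # join point
    Insn("ret", k=0),
]

if __name__ == "__main__":
    for name, prog in (("thread example", THREAD_EXAMPLE),
                       ("store before branch", STORE_BEFORE_BRANCH),
                       ("store on both branches", STORE_ON_BOTH_BRANCHES)):
        verdict = "accepted" if check_load_and_stores(prog) else "refused"
        print(f"{name}: {verdict}")
```

The check only answers "written or not written" per cell, which is the minimum needed to keep a filter from reading stale stack contents; the richer known-value tracking for M(k), A and X sketched above would be a strict superset of this state and is not attempted here.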
