lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20110527063706.GC9260@elte.hu>
Date:	Fri, 27 May 2011 08:37:06 +0200
From:	Ingo Molnar <mingo@...e.hu>
To:	Eric Dumazet <eric.dumazet@...il.com>,
	Dan Rosenberg <drosenberg@...curity.com>
Cc:	David Miller <davem@...emloft.net>, kees.cook@...onical.com,
	joe@...ches.com, akpm@...ux-foundation.org, netdev@...r.kernel.org,
	drosenberg@...curity.com, a.p.zijlstra@...llo.nl,
	eparis@...isplace.org, eugeneteo@...nel.org, jmorris@...ei.org,
	tgraf@...radead.org
Subject: Re: [patch 1/1] net: convert %p usage to %pK


* Eric Dumazet <eric.dumazet@...il.com> wrote:

> Le jeudi 26 mai 2011 à 22:44 -0400, David Miller a écrit :
> > From: Kees Cook <kees.cook@...onical.com>
> > Date: Thu, 26 May 2011 17:14:49 -0700
> > > 
> > > We got this dropped from the /proc view; why can't we do the same for
> > > this netlink interface?
> > 
> > Because it's not only an opaque "output" blob, it's also an input key
> > for lookups which the user can trigger.
> 
> Yes, we wan add a layer to obfuscate the real pointers. We dont 
> trust values given by user, only match them.
> 
> Either we use a XOR with a boot time random value (but let the NULL 
> cookie being the NULL one), or we generate an unique 64bit socket 
> id for the cookie (and keep a 64bit cookie in all sockets, 
> increasing ram usage)

FYI, Dan Rosenberg is currently working on a kernel image 
randomization feature, see this lkml thread:

   [RFC][PATCH] Randomize kernel base address on boot

That will come with an easy vsprintf method to 'unrandomize' IPs. 

( this will be used to display a real-looking /proc/kallsyms and all 
  IPs that the kernel passes to user-space (via perf, etc.) will be 
  unrandomized as well, protecting the randomization seed. )

Once that code goes upstream the networking code could rather simply 
use it to 'randomize' these real data pointers as well. (Assuming you 
never ever pass in zero, that would expose the secret seed.)

The only worry would be statistical analysis performed by local 
attackers: by creating and closing enough sockets on a busy system 
you can over time cover almost all ranges of RAM, so if you can 
observe a pattern of 'over the address space limit' addresses at the 
top or the bottom of the address space you can estimate the random 
seed to within 4-5 bits realistically, maybe even more.

The upper and lower limit of the address space (big holes are useful 
too) can be calculated rather precisely based on RAM size, the 
identity of the system and the kernel version.

So maybe networking real-pointer randomization should be separate 
from kernel IP randomization after all.

Thanks,

	Ingo
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ