lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAF=yD-KciJUH6Mi_oE2rqfOPWTLvEAdinos64fL=0+dEA=_gFQ@mail.gmail.com>
Date:   Mon, 20 Aug 2018 10:13:42 -0400
From:   Willem de Bruijn <willemdebruijn.kernel@...il.com>
To:     liu.song.a23@...il.com
Cc:     Petar Penkov <ppenkov@...gle.com>,
        Petar Penkov <peterpenkov96@...il.com>,
        Network Development <netdev@...r.kernel.org>,
        David Miller <davem@...emloft.net>,
        Alexei Starovoitov <ast@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>,
        simon.horman@...ronome.com, Willem de Bruijn <willemb@...gle.com>
Subject: Re: [bpf-next RFC 1/3] flow_dissector: implements flow dissector BPF hook

On Mon, Aug 20, 2018 at 1:47 AM Song Liu <liu.song.a23@...il.com> wrote:
>
> On Thu, Aug 16, 2018 at 4:14 PM, Petar Penkov <ppenkov@...gle.com> wrote:
> > On Thu, Aug 16, 2018 at 3:40 PM, Song Liu <liu.song.a23@...il.com> wrote:
> >>
> >> On Thu, Aug 16, 2018 at 9:44 AM, Petar Penkov <peterpenkov96@...il.com> wrote:
> >> > From: Petar Penkov <ppenkov@...gle.com>
> >> >
> >> > Adds a hook for programs of type BPF_PROG_TYPE_FLOW_DISSECTOR and
> >> > attach type BPF_FLOW_DISSECTOR that is executed in the flow dissector
> >> > path. The BPF program is kept as a global variable so it is
> >> > accessible to all flow dissectors.
> >> >
> >> > Signed-off-by: Petar Penkov <ppenkov@...gle.com>
> >> > Signed-off-by: Willem de Bruijn <willemb@...gle.com>

> >> > @@ -658,6 +698,42 @@ bool __skb_flow_dissect(const struct sk_buff *skb,
> >> >                                               FLOW_DISSECTOR_KEY_BASIC,
> >> >                                               target_container);
> >> >
> >> > +       rcu_read_lock();
> >> > +       attached = rcu_dereference(flow_dissector_prog);
> >> > +       if (attached) {
> >> > +               /* Note that even though the const qualifier is discarded
> >> > +                * throughout the execution of the BPF program, all changes(the
> >> > +                * control block) are reverted after the BPF program returns.
> >> > +                * Therefore, __skb_flow_dissect does not alter the skb.
> >> > +                */
> >> > +               struct bpf_flow_dissect_cb *cb;
> >> > +               u8 cb_saved[BPF_SKB_CB_LEN];
> >> > +               u32 result;
> >> > +
> >> > +               cb = (struct bpf_flow_dissect_cb *)(bpf_skb_cb((struct sk_buff *)skb));
> >> > +
> >> > +               /* Save Control Block */
> >> > +               memcpy(cb_saved, cb, sizeof(cb_saved));
> >> > +               memset(cb, 0, sizeof(cb_saved));
> >> > +
> >> > +               /* Pass parameters to the BPF program */
> >> > +               cb->nhoff = nhoff;
> >> > +               cb->target_container = target_container;
> >> > +               cb->flow_dissector = flow_dissector;
> >> > +
> >> > +               bpf_compute_data_pointers((struct sk_buff *)skb);
> >> > +               result = BPF_PROG_RUN(attached, skb);
> >> > +
> >> > +               /* Restore state */
> >> > +               memcpy(cb, cb_saved, sizeof(cb_saved));
> >> > +
> >> > +               key_control->thoff = min_t(u16, key_control->thoff,
> >> > +                                          skb ? skb->len : hlen);
> >> > +               rcu_read_unlock();
> >> > +               return result == BPF_OK;
> >> > +       }
> >>
> >> If the BPF program cannot handle certain protocol, shall we fall back
> >> to the built-in logic? Otherwise, all BPF programs need to have some
> >> code for all protocols.
> >>
> >> Song
> >
> > I believe that if we fall back to the built-in logic we lose all security
> > guarantees from BPF and this is why the code does not support
> > fall back.
> >
> > Petar
>
> I am not really sure we are on the same page. I am proposing 3
> different return values from BPF_PROG_RUN(), and they should be
> handled as
>
> 1. result == BPF_OK                      => return true;
> 2. result == BPF_DROP                 => return false;
> 3. result == something else            => fall back.
>
> Does this proposal make any sense?
>
> Thanks,
> Song

It certainly makes sense. We debated it initially, as well.

In the short term, it allows for simpler BPF programs, as they can
off-load some protocols to the C implementation.

But the RFC patchset already implements most protocols in BPF.
I had not expected that when we started out.

Eventually, I think it is preferable to just deprecate the C
implementation. Which is not possible if we make this opt-out
a part of the BPF flow dissector interface.

There is also the lesser issue that a buggy BPF program might
accidentally pass the third value and unknowing open itself up
to the large attack surface. Without this option, the security
audit is much simpler.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ