From: Kees Cook <keescook@chromium.org> To: Ingo Molnar <mingo@kernel.org> Cc: Kees Cook <keescook@chromium.org>, Thomas Garnier <thgarnie@google.com>, Andy Lutomirski <luto@kernel.org>, x86@kernel.org, Borislav Petkov <bp@suse.de>, Baoquan He <bhe@redhat.com>, Yinghai Lu <yinghai@kernel.org>, Juergen Gross <jgross@suse.com>, Matt Fleming <matt@codeblueprint.co.uk>, Toshi Kani <toshi.kani@hpe.com>, Andrew Morton <akpm@linux-foundation.org>, Dan Williams <dan.j.williams@intel.com>, "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>, Dave Hansen <dave.hansen@linux.intel.com>, Xiao Guangrong <guangrong.xiao@linux.intel.com>, Martin Schwidefsky <schwidefsky@de.ibm.com>, "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>, Alexander Kuleshov <kuleshovmail@gmail.com>, Alexander Popov <alpopov@ptsecurity.com>, Dave Young <dyoung@redhat.com>, Joerg Roedel <jroedel@suse.de>, Lv Zheng <lv.zheng@intel.com>, Mark Salter <msalter@redhat.com>, Dmitry Vyukov <dvyukov@google.com>, Stephen Smalley <sds@tycho.nsa.gov>, Boris Ostrovsky <boris.ostrovsky@oracle.com>, Christian Borntraeger <borntraeger@de.ibm.com>, Jan Beulich <JBeulich@suse.com>, linux-kernel@vger.kernel.org, Jonathan Corbet <corbet@lwn.net>, linux-doc@vger.kernel.org, kernel-hardening@lists.openwall.com Subject: [PATCH v7 0/9] x86/mm: memory area address KASLR Date: Tue, 21 Jun 2016 17:46:57 -0700 [thread overview] Message-ID: <1466556426-32664-1-git-send-email-keescook@chromium.org> (raw) This is v7 of Thomas Garnier's KASLR for memory areas (physical memory mapping, vmalloc, vmemmap). It expects to be applied on top of the x86/boot tip. The current implementation of KASLR randomizes only the base address of the kernel and its modules. Research was published showing that static memory addresses can be found and used in exploits, effectively ignoring base address KASLR: The physical memory mapping holds most allocations from boot and heap allocators. Knowning the base address and physical memory size, an attacker can deduce the PDE virtual address for the vDSO memory page. This attack was demonstrated at CanSecWest 2016, in the "Getting Physical: Extreme Abuse of Intel Based Paged Systems" https://goo.gl/ANpWdV (see second part of the presentation). The exploits used against Linux worked successfuly against 4.6+ but fail with KASLR memory enabled (https://goo.gl/iTtXMJ). Similar research was done at Google leading to this patch proposal. Variants exists to overwrite /proc or /sys objects ACLs leading to elevation of privileges. These variants were tested against 4.6+. This set of patches randomizes the base address and padding of three major memory sections (physical memory mapping, vmalloc, and vmemmap). It mitigates exploits relying on predictable kernel addresses in these areas. This feature can be enabled with the CONFIG_RANDOMIZE_MEMORY option. (This CONFIG, along with CONFIG_RANDOMIZE may be renamed in the future, but stands for now as other architectures continue to implement KASLR.) Padding for the memory hotplug support is managed by CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING. The default value is 10 terabytes. The patches were tested on qemu & physical machines. Xen compatibility was also verified. Multiple reboots were used to verify entropy for each memory section. Notable problems that needed solving: - The three target memory sections need to not be at the same place across reboots. - The physical memory mapping can use a virtual address not aligned on the PGD page table. - Reasonable entropy is needed early at boot before get_random_bytes() is available. - Memory hotplug needs KASLR padding. Patches: - 1: refactor KASLR functions (moves them from boot/compressed/ into lib/) - 2: clarifies the variables used for physical mapping. - 3: PUD virtual address support for physical mapping. - 4: split out the trampoline PGD - 5: KASLR memory infrastructure code - 6: randomize base of physical mapping region - 7: randomize base of vmalloc region - 8: randomize base of vmemmap region - 9: provide memory hotplug padding support There is no measurable performance impact: - Kernbench shows almost no difference (-+ less than 1%). - Hackbench shows 0% difference on average (hackbench 90 repeated 10 times).
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org> To: Ingo Molnar <mingo@kernel.org> Cc: Kees Cook <keescook@chromium.org>, Thomas Garnier <thgarnie@google.com>, Andy Lutomirski <luto@kernel.org>, x86@kernel.org, Borislav Petkov <bp@suse.de>, Baoquan He <bhe@redhat.com>, Yinghai Lu <yinghai@kernel.org>, Juergen Gross <jgross@suse.com>, Matt Fleming <matt@codeblueprint.co.uk>, Toshi Kani <toshi.kani@hpe.com>, Andrew Morton <akpm@linux-foundation.org>, Dan Williams <dan.j.williams@intel.com>, "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>, Dave Hansen <dave.hansen@linux.intel.com>, Xiao Guangrong <guangrong.xiao@linux.intel.com>, Martin Schwidefsky <schwidefsky@de.ibm.com>, "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>, Alexander Kuleshov <kuleshovmail@gmail.com>, Alexander Popov <alpopov@ptsecurity.com>, Dave Young <dyoung@redhat.com>, Joerg Roedel <jroedel@suse.de>, Lv Zheng <lv.zheng@intel.com>, Mark Salter <msalter@redhat.com>, Dmitry Vyukov <dvyukov@google.com>, Stephen Smalley <sds@tycho.nsa.gov>, Boris Ostrovsky <boris.ostrovsky@oracle.com>, Christian Borntraeger <borntraeger@de.ibm.com>, Jan Beulich <JBeulich@suse.com>, linux-kernel@vger.kernel.org, Jonathan Corbet <corbet@lwn.net>, linux-doc@vger.kernel.org, kernel-hardening@lists.openwall.com Subject: [kernel-hardening] [PATCH v7 0/9] x86/mm: memory area address KASLR Date: Tue, 21 Jun 2016 17:46:57 -0700 [thread overview] Message-ID: <1466556426-32664-1-git-send-email-keescook@chromium.org> (raw) This is v7 of Thomas Garnier's KASLR for memory areas (physical memory mapping, vmalloc, vmemmap). It expects to be applied on top of the x86/boot tip. The current implementation of KASLR randomizes only the base address of the kernel and its modules. Research was published showing that static memory addresses can be found and used in exploits, effectively ignoring base address KASLR: The physical memory mapping holds most allocations from boot and heap allocators. Knowning the base address and physical memory size, an attacker can deduce the PDE virtual address for the vDSO memory page. This attack was demonstrated at CanSecWest 2016, in the "Getting Physical: Extreme Abuse of Intel Based Paged Systems" https://goo.gl/ANpWdV (see second part of the presentation). The exploits used against Linux worked successfuly against 4.6+ but fail with KASLR memory enabled (https://goo.gl/iTtXMJ). Similar research was done at Google leading to this patch proposal. Variants exists to overwrite /proc or /sys objects ACLs leading to elevation of privileges. These variants were tested against 4.6+. This set of patches randomizes the base address and padding of three major memory sections (physical memory mapping, vmalloc, and vmemmap). It mitigates exploits relying on predictable kernel addresses in these areas. This feature can be enabled with the CONFIG_RANDOMIZE_MEMORY option. (This CONFIG, along with CONFIG_RANDOMIZE may be renamed in the future, but stands for now as other architectures continue to implement KASLR.) Padding for the memory hotplug support is managed by CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING. The default value is 10 terabytes. The patches were tested on qemu & physical machines. Xen compatibility was also verified. Multiple reboots were used to verify entropy for each memory section. Notable problems that needed solving: - The three target memory sections need to not be at the same place across reboots. - The physical memory mapping can use a virtual address not aligned on the PGD page table. - Reasonable entropy is needed early at boot before get_random_bytes() is available. - Memory hotplug needs KASLR padding. Patches: - 1: refactor KASLR functions (moves them from boot/compressed/ into lib/) - 2: clarifies the variables used for physical mapping. - 3: PUD virtual address support for physical mapping. - 4: split out the trampoline PGD - 5: KASLR memory infrastructure code - 6: randomize base of physical mapping region - 7: randomize base of vmalloc region - 8: randomize base of vmemmap region - 9: provide memory hotplug padding support There is no measurable performance impact: - Kernbench shows almost no difference (-+ less than 1%). - Hackbench shows 0% difference on average (hackbench 90 repeated 10 times).
next reply other threads:[~2016-06-22 0:49 UTC|newest] Thread overview: 74+ messages / expand[flat|nested] mbox.gz Atom feed top 2016-06-22 0:46 Kees Cook [this message] 2016-06-22 0:46 ` [kernel-hardening] [PATCH v7 0/9] x86/mm: memory area address KASLR Kees Cook 2016-06-22 0:46 ` [PATCH v7 1/9] x86/mm: Refactor KASLR entropy functions Kees Cook 2016-06-22 0:46 ` [kernel-hardening] " Kees Cook 2016-07-08 20:33 ` [tip:x86/boot] " tip-bot for Thomas Garnier 2016-06-22 0:46 ` [PATCH v7 2/9] x86/mm: Update physical mapping variable names (x86_64) Kees Cook 2016-06-22 0:46 ` [kernel-hardening] " Kees Cook 2016-07-08 20:34 ` [tip:x86/boot] x86/mm: Update physical mapping variable names tip-bot for Thomas Garnier 2016-06-22 0:47 ` [PATCH v7 3/9] x86/mm: PUD VA support for physical mapping (x86_64) Kees Cook 2016-06-22 0:47 ` [kernel-hardening] " Kees Cook 2016-07-08 20:34 ` [tip:x86/boot] x86/mm: Add PUD VA support for physical mapping tip-bot for Thomas Garnier 2016-06-22 0:47 ` [PATCH v7 4/9] x86/mm: Separate variable for trampoline PGD (x86_64) Kees Cook 2016-06-22 0:47 ` [kernel-hardening] " Kees Cook 2016-07-08 20:35 ` [tip:x86/boot] x86/mm: Separate variable for trampoline PGD tip-bot for Thomas Garnier 2016-06-22 0:47 ` [PATCH v7 5/9] x86/mm: Implement ASLR for kernel memory regions (x86_64) Kees Cook 2016-06-22 0:47 ` [kernel-hardening] " Kees Cook 2016-07-08 20:35 ` [tip:x86/boot] x86/mm: Implement ASLR for kernel memory regions tip-bot for Thomas Garnier 2016-06-22 0:47 ` [PATCH v7 6/9] x86/mm: Enable KASLR for physical mapping memory region (x86_64) Kees Cook 2016-06-22 0:47 ` [kernel-hardening] " Kees Cook 2016-07-08 20:35 ` [tip:x86/boot] x86/mm: Enable KASLR for physical mapping memory regions tip-bot for Thomas Garnier 2016-08-14 4:25 ` Brian Gerst 2016-08-14 23:26 ` Baoquan He 2016-08-16 11:31 ` Brian Gerst 2016-08-16 13:42 ` Borislav Petkov 2016-08-16 13:49 ` Borislav Petkov 2016-08-16 15:54 ` Borislav Petkov 2016-08-16 17:50 ` Borislav Petkov 2016-08-16 19:49 ` Kees Cook 2016-08-16 21:01 ` Borislav Petkov 2016-08-17 0:31 ` Brian Gerst 2016-08-17 9:11 ` Borislav Petkov 2016-08-17 10:19 ` Ingo Molnar 2016-08-17 11:33 ` Borislav Petkov 2016-08-18 10:49 ` [tip:x86/urgent] x86/microcode/AMD: Fix initrd loading with CONFIG_RANDOMIZE_MEMORY=y tip-bot for Borislav Petkov 2016-06-22 0:47 ` [PATCH v7 7/9] x86/mm: Enable KASLR for vmalloc memory region (x86_64) Kees Cook 2016-06-22 0:47 ` [kernel-hardening] " Kees Cook 2016-07-08 20:36 ` [tip:x86/boot] x86/mm: Enable KASLR for vmalloc memory regions tip-bot for Thomas Garnier 2016-06-22 0:47 ` [PATCH v7 8/9] x86/mm: Enable KASLR for vmemmap memory region (x86_64) Kees Cook 2016-06-22 0:47 ` [kernel-hardening] " Kees Cook 2016-06-22 0:47 ` [PATCH v7 9/9] x86/mm: Memory hotplug support for KASLR memory randomization (x86_64) Kees Cook 2016-06-22 0:47 ` [kernel-hardening] " Kees Cook 2016-07-08 20:36 ` [tip:x86/boot] x86/mm: Add memory hotplug support for KASLR memory randomization tip-bot for Thomas Garnier 2016-06-22 12:47 ` [kernel-hardening] [PATCH v7 0/9] x86/mm: memory area address KASLR Jason Cooper 2016-06-22 15:59 ` Thomas Garnier 2016-06-22 17:05 ` Kees Cook 2016-06-22 17:05 ` Kees Cook 2016-06-23 19:33 ` Jason Cooper 2016-06-23 19:33 ` Jason Cooper 2016-06-23 19:45 ` Sandy Harris 2016-06-23 19:59 ` Kees Cook 2016-06-23 19:59 ` Kees Cook 2016-06-23 20:19 ` Jason Cooper 2016-06-23 20:16 ` Jason Cooper 2016-06-23 19:58 ` Kees Cook 2016-06-23 19:58 ` Kees Cook 2016-06-23 20:05 ` Ard Biesheuvel 2016-06-23 20:05 ` Ard Biesheuvel 2016-06-24 1:11 ` Jason Cooper 2016-06-24 1:11 ` Jason Cooper 2016-06-24 10:54 ` Ard Biesheuvel 2016-06-24 10:54 ` Ard Biesheuvel 2016-06-24 16:02 ` devicetree random-seed properties, was: "Re: [PATCH v7 0/9] x86/mm: memory area address KASLR" Jason Cooper 2016-06-24 16:02 ` [kernel-hardening] " Jason Cooper 2016-06-24 19:04 ` Kees Cook 2016-06-24 19:04 ` [kernel-hardening] " Kees Cook 2016-06-24 20:40 ` Andy Lutomirski 2016-06-24 20:40 ` [kernel-hardening] " Andy Lutomirski 2016-06-30 21:48 ` Jason Cooper 2016-06-30 21:48 ` [kernel-hardening] " Jason Cooper 2016-06-30 21:56 ` Thomas Garnier 2016-06-30 21:48 ` Jason Cooper 2016-06-30 21:48 ` [kernel-hardening] " Jason Cooper 2016-07-07 22:24 ` [PATCH v7 0/9] x86/mm: memory area address KASLR Kees Cook 2016-07-07 22:24 ` [kernel-hardening] " Kees Cook
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=1466556426-32664-1-git-send-email-keescook@chromium.org \ --to=keescook@chromium.org \ --cc=JBeulich@suse.com \ --cc=akpm@linux-foundation.org \ --cc=alpopov@ptsecurity.com \ --cc=aneesh.kumar@linux.vnet.ibm.com \ --cc=bhe@redhat.com \ --cc=boris.ostrovsky@oracle.com \ --cc=borntraeger@de.ibm.com \ --cc=bp@suse.de \ --cc=corbet@lwn.net \ --cc=dan.j.williams@intel.com \ --cc=dave.hansen@linux.intel.com \ --cc=dvyukov@google.com \ --cc=dyoung@redhat.com \ --cc=guangrong.xiao@linux.intel.com \ --cc=jgross@suse.com \ --cc=jroedel@suse.de \ --cc=kernel-hardening@lists.openwall.com \ --cc=kirill.shutemov@linux.intel.com \ --cc=kuleshovmail@gmail.com \ --cc=linux-doc@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=luto@kernel.org \ --cc=lv.zheng@intel.com \ --cc=matt@codeblueprint.co.uk \ --cc=mingo@kernel.org \ --cc=msalter@redhat.com \ --cc=schwidefsky@de.ibm.com \ --cc=sds@tycho.nsa.gov \ --cc=thgarnie@google.com \ --cc=toshi.kani@hpe.com \ --cc=x86@kernel.org \ --cc=yinghai@kernel.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.