From: Ingo Molnar <mingo@elte.hu>
To: Kees Cook <kees.cook@canonical.com>,
Siarhei Liakh <sliakh.lkml@gmail.com>,
Rusty Russell <rusty@rustcorp.com.au>
Cc: linux-kernel@vger.kernel.org,
Linus Torvalds <torvalds@linux-foundation.org>,
"H. Peter Anvin" <hpa@zytor.com>,
Thomas Gleixner <tglx@linutronix.de>,
Arjan van de Ven <arjan@infradead.org>,
Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [Security] proactive defense: using read-only memory, RO/NX modules
Date: Mon, 8 Nov 2010 07:13:24 +0100 [thread overview]
Message-ID: <20101108061324.GA30540@elte.hu> (raw)
In-Reply-To: <20101107193520.GO5327@outflux.net>
* Kees Cook <kees.cook@canonical.com> wrote:
> Hi,
>
> While Dan Rosenberg is working to make things harder to locate potential targets
> in the kernel through fixing kernel address leaks[1], I'd like to approach a
> related proactive security measure: enforcing read-only memory for things that
> would make good targets.
Nice! IMHO we need more of that. (If the readonly section gets big enough in
practice we could perhaps even mark it large-page in the future. It could serve as
an allocator to module code as well - that would probably be a speedup even for
modules.)
> [...]
>
> The proposal is simple: as much of the kernel should be read-only as possible,
> most especially function pointers and other execution control points, which are
> the easiest target to exploit when an arbitrary kernel memory write becomes
> available[2] to an attacker. There has been past work to "const"ify function
> pointer tables, and this should continue. However, there are a few things that
> need further attention:
>
> - Modules need to be correctly marked RO/NX. This patch exists[3], but is
> not in mainline. It needs to be in mainline.
[...]
>
> [3] http://git.kernel.org/?p=linux/kernel/git/x86/linux-2.6-tip.git;a=commitdiff;h=65187d24fa3ef60f691f847c792e8eaca7e19251
The reason the RO/NX patch from Siarhei Liakh is not upstream yet is rather mundane:
it introduced regressions - it caused boot crashes on one of my testboxes.
But there is no fundamental reason why it shouldnt be upstream. We can push it
upstream if the crashes are resolved and if it gets an Ack from Rusty or Linus for
the module bits.
Siarhei, what's the status of your RO/NX changes?
Thanks,
Ingo
next prev parent reply other threads:[~2010-11-08 6:13 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-11-07 19:35 [Security] proactive defense: using read-only memory Kees Cook
2010-11-08 6:13 ` Ingo Molnar [this message]
2010-11-08 10:03 ` [Security] proactive defense: using read-only memory, RO/NX modules Alan Cox
2010-11-08 21:42 ` Kees Cook
2010-11-10 9:04 ` Ingo Molnar
2010-11-11 6:56 ` Kees Cook
2010-11-11 9:07 ` Ingo Molnar
2010-11-13 19:59 ` matthieu castet
2010-11-14 9:56 ` Ingo Molnar
2010-11-17 10:00 ` [Security] proactive defense: using read-only memory Pavel Machek
2010-11-17 22:14 ` Kees Cook
2011-01-02 9:09 ` Pavel Machek
2010-11-18 0:12 ` Valdis.Kletnieks
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20101108061324.GA30540@elte.hu \
--to=mingo@elte.hu \
--cc=akpm@linux-foundation.org \
--cc=arjan@infradead.org \
--cc=hpa@zytor.com \
--cc=kees.cook@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=rusty@rustcorp.com.au \
--cc=sliakh.lkml@gmail.com \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).