From: Ilya Smith <blackzert@gmail.com>
To: Matthew Wilcox <willy@infradead.org>
Cc: Daniel Micay <danielmicay@gmail.com>,
Kees Cook <keescook@chromium.org>,
Andrew Morton <akpm@linux-foundation.org>,
Dan Williams <dan.j.williams@intel.com>,
Michal Hocko <mhocko@suse.com>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
Jan Kara <jack@suse.cz>, Jerome Glisse <jglisse@redhat.com>,
Hugh Dickins <hughd@google.com>, Helge Deller <deller@gmx.de>,
Andrea Arcangeli <aarcange@redhat.com>,
Oleg Nesterov <oleg@redhat.com>, Linux-MM <linux-mm@kvack.org>,
LKML <linux-kernel@vger.kernel.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>
Subject: Re: [RFC PATCH] Randomization of address chosen by mmap.
Date: Mon, 5 Mar 2018 23:20:31 +0300 [thread overview]
Message-ID: <4CB48994-60BF-4329-B6CE-0613EE1F7417@gmail.com> (raw)
In-Reply-To: <20180305194728.GB10418@bombadil.infradead.org>
> On 5 Mar 2018, at 22:47, Matthew Wilcox <willy@infradead.org> wrote:
>>>> - the entropy you provide is like 16 bit, that is really not so hard to brute
>>>
>>> It's 16 bits per mapping. I think that'll make enough attacks harder
>>> to be worthwhile.
>>
>> Well yes, its ok, sorry. I just would like to have 32 bit entropy maximum some day :)
>
> We could put 32 bits of padding into the prot argument on 64-bit systems
> (and obviously you need a 64-bit address space to use that many bits). The
> thing is that you can't then put anything else into those pages (without
> using MAP_FIXED).
>
This one sounds good to me. In my approach it is possible to map there, but ok.
>>>> - if you unmap/remap one page inside region, field vma_guard will show head
>>>> or tail pages for vma, not both; kernel don’t know how to handle it
>>>
>>> There are no head pages. The guard pages are only placed after the real end.
>>
>> Ok, we have MG where G = vm_guard, right? so when you do vm_split,
>> you may come to situation - m1g1m2G, how to handle it? I mean when M is
>> split with only one page inside this region. How to handle it?
>
> I thought I covered that in my earlier email. Using one letter per page,
> and a five-page mapping with two guard pages: MMMMMGG. Now unmap the
> fourth page, and the VMA gets split into two. You get: MMMGMGG.
>
I was just interesting, it’s not the issue to me. Now its clear, thanks.
>>> I can't agree with that. The user has plenty of opportunities to get
>>> randomness; from /dev/random is the easiest, but you could also do timing
>>> attacks on your own cachelines, for example.
>>
>> I think the usual case to use randomization for any mmap or not use it at all
>> for whole process. So here I think would be nice to have some variable
>> changeable with sysctl (root only) and ioctl (for greedy processes).
>
> I think this functionality can just as well live inside libc as in
> the kernel.
>
Good news for them :)
>> Well, let me summary:
>> My approach chose random gap inside gap range with following strings:
>>
>> + addr = get_random_long() % ((high - low) >> PAGE_SHIFT);
>> + addr = low + (addr << PAGE_SHIFT);
>>
>> Could be improved limiting maximum possible entropy in this shift.
>> To prevent situation when attacker may massage allocations and
>> predict chosen address, I randomly choose memory region. I’m still
>> like my idea, but not going to push it anymore, since you have yours now.
>>
>> Your idea just provide random non-mappable and non-accessable offset
>> from best-fit region. This consumes memory (1GB gap if random value
>> is 0xffff). But it works and should work faster and should resolve the issue.
>
> umm ... 64k * 4k is a 256MB gap, not 1GB. And it consumes address space,
> not memory.
>
hmm, yes… I found 8 bits somewhere.. 256MB should be enough for everyone.
>> My point was that current implementation need to be changed and you
>> have your own approach for that. :)
>> Lets keep mine in the mind till better times (or worse?) ;)
>> Will you finish your approach and upstream it?
>
> I'm just putting it out there for discussion. If people think this is
> the right approach, then I'm happy to finish it off. If the consensus
> is that we should randomly pick addresses instead, I'm happy if your
> approach gets merged.
So now, its time to call for people? Sorry, I’m new here.
Thanks,
Ilya
WARNING: multiple messages have this Message-ID (diff)
From: Ilya Smith <blackzert@gmail.com>
To: Matthew Wilcox <willy@infradead.org>
Cc: Daniel Micay <danielmicay@gmail.com>,
Kees Cook <keescook@chromium.org>,
Andrew Morton <akpm@linux-foundation.org>,
Dan Williams <dan.j.williams@intel.com>,
Michal Hocko <mhocko@suse.com>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
Jan Kara <jack@suse.cz>, Jerome Glisse <jglisse@redhat.com>,
Hugh Dickins <hughd@google.com>, Helge Deller <deller@gmx.de>,
Andrea Arcangeli <aarcange@redhat.com>,
Oleg Nesterov <oleg@redhat.com>, Linux-MM <linux-mm@kvack.org>,
LKML <linux-kernel@vger.kernel.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>
Subject: Re: [RFC PATCH] Randomization of address chosen by mmap.
Date: Mon, 5 Mar 2018 23:20:31 +0300 [thread overview]
Message-ID: <4CB48994-60BF-4329-B6CE-0613EE1F7417@gmail.com> (raw)
In-Reply-To: <20180305194728.GB10418@bombadil.infradead.org>
> On 5 Mar 2018, at 22:47, Matthew Wilcox <willy@infradead.org> wrote:
>>>> - the entropy you provide is like 16 bit, that is really not so hard to brute
>>>
>>> It's 16 bits per mapping. I think that'll make enough attacks harder
>>> to be worthwhile.
>>
>> Well yes, its ok, sorry. I just would like to have 32 bit entropy maximum some day :)
>
> We could put 32 bits of padding into the prot argument on 64-bit systems
> (and obviously you need a 64-bit address space to use that many bits). The
> thing is that you can't then put anything else into those pages (without
> using MAP_FIXED).
>
This one sounds good to me. In my approach it is possible to map there, but ok.
>>>> - if you unmap/remap one page inside region, field vma_guard will show head
>>>> or tail pages for vma, not both; kernel don’t know how to handle it
>>>
>>> There are no head pages. The guard pages are only placed after the real end.
>>
>> Ok, we have MG where G = vm_guard, right? so when you do vm_split,
>> you may come to situation - m1g1m2G, how to handle it? I mean when M is
>> split with only one page inside this region. How to handle it?
>
> I thought I covered that in my earlier email. Using one letter per page,
> and a five-page mapping with two guard pages: MMMMMGG. Now unmap the
> fourth page, and the VMA gets split into two. You get: MMMGMGG.
>
I was just interesting, it’s not the issue to me. Now its clear, thanks.
>>> I can't agree with that. The user has plenty of opportunities to get
>>> randomness; from /dev/random is the easiest, but you could also do timing
>>> attacks on your own cachelines, for example.
>>
>> I think the usual case to use randomization for any mmap or not use it at all
>> for whole process. So here I think would be nice to have some variable
>> changeable with sysctl (root only) and ioctl (for greedy processes).
>
> I think this functionality can just as well live inside libc as in
> the kernel.
>
Good news for them :)
>> Well, let me summary:
>> My approach chose random gap inside gap range with following strings:
>>
>> + addr = get_random_long() % ((high - low) >> PAGE_SHIFT);
>> + addr = low + (addr << PAGE_SHIFT);
>>
>> Could be improved limiting maximum possible entropy in this shift.
>> To prevent situation when attacker may massage allocations and
>> predict chosen address, I randomly choose memory region. I’m still
>> like my idea, but not going to push it anymore, since you have yours now.
>>
>> Your idea just provide random non-mappable and non-accessable offset
>> from best-fit region. This consumes memory (1GB gap if random value
>> is 0xffff). But it works and should work faster and should resolve the issue.
>
> umm ... 64k * 4k is a 256MB gap, not 1GB. And it consumes address space,
> not memory.
>
hmm, yes… I found 8 bits somewhere.. 256MB should be enough for everyone.
>> My point was that current implementation need to be changed and you
>> have your own approach for that. :)
>> Lets keep mine in the mind till better times (or worse?) ;)
>> Will you finish your approach and upstream it?
>
> I'm just putting it out there for discussion. If people think this is
> the right approach, then I'm happy to finish it off. If the consensus
> is that we should randomly pick addresses instead, I'm happy if your
> approach gets merged.
So now, its time to call for people? Sorry, I’m new here.
Thanks,
Ilya
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2018-03-05 20:20 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-27 13:13 [RFC PATCH] Randomization of address chosen by mmap Ilya Smith
2018-02-27 13:13 ` Ilya Smith
2018-02-27 20:52 ` Kees Cook
2018-02-27 20:52 ` Kees Cook
2018-02-27 21:31 ` lazytyped
2018-02-27 21:31 ` lazytyped
2018-02-28 17:13 ` Ilya Smith
2018-02-28 17:13 ` Ilya Smith
2018-02-28 18:33 ` Matthew Wilcox
2018-02-28 18:33 ` Matthew Wilcox
2018-02-28 21:02 ` Daniel Micay
2018-02-28 21:02 ` Daniel Micay
2018-03-03 13:58 ` Ilya Smith
2018-03-03 13:58 ` Ilya Smith
2018-03-03 21:00 ` Daniel Micay
2018-03-03 21:00 ` Daniel Micay
2018-03-04 3:47 ` Matthew Wilcox
2018-03-04 3:47 ` Matthew Wilcox
2018-03-04 20:56 ` Matthew Wilcox
2018-03-04 20:56 ` Matthew Wilcox
2018-03-05 13:09 ` Ilya Smith
2018-03-05 13:09 ` Ilya Smith
2018-03-05 14:23 ` Daniel Micay
2018-03-05 14:23 ` Daniel Micay
2018-03-05 16:05 ` Ilya Smith
2018-03-05 16:05 ` Ilya Smith
2018-03-05 16:23 ` Matthew Wilcox
2018-03-05 16:23 ` Matthew Wilcox
2018-03-05 19:27 ` Ilya Smith
2018-03-05 19:27 ` Ilya Smith
2018-03-05 19:47 ` Matthew Wilcox
2018-03-05 19:47 ` Matthew Wilcox
2018-03-05 20:20 ` Ilya Smith [this message]
2018-03-05 20:20 ` Ilya Smith
2018-03-02 20:30 ` Ilya Smith
2018-03-02 20:30 ` Ilya Smith
2018-03-02 20:48 ` Matthew Wilcox
2018-03-02 20:48 ` Matthew Wilcox
2018-03-03 15:13 ` Ilya Smith
2018-03-03 15:13 ` Ilya Smith
2018-02-28 19:54 ` Kees Cook
2018-02-28 19:54 ` Kees Cook
2018-03-01 13:52 ` Ilya Smith
2018-03-01 13:52 ` Ilya Smith
2018-03-02 7:17 ` 097eb0af45: kernel_BUG_at_mm/hugetlb.c kernel test robot
2018-03-02 7:17 ` kernel test robot
2018-03-02 7:17 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4CB48994-60BF-4329-B6CE-0613EE1F7417@gmail.com \
--to=blackzert@gmail.com \
--cc=aarcange@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=dan.j.williams@intel.com \
--cc=danielmicay@gmail.com \
--cc=deller@gmx.de \
--cc=hughd@google.com \
--cc=jack@suse.cz \
--cc=jglisse@redhat.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mhocko@suse.com \
--cc=oleg@redhat.com \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.