From: Salvatore Mesoraca <s.mesoraca16@gmail.com>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
kernel-hardening@lists.openwall.com,
Brad Spengler <spender@grsecurity.net>,
PaX Team <pageexec@freemail.hu>,
Casey Schaufler <casey@schaufler-ca.com>,
Kees Cook <keescook@chromium.org>,
James Morris <james.l.morris@oracle.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
x86@kernel.org, Ingo Molnar <mingo@redhat.com>
Subject: Re: [PATCH 08/11] Creation of "pagefault_handler_x86" LSM hook
Date: Tue, 13 Jun 2017 09:41:29 +0200 [thread overview]
Message-ID: <CAJHCu1K00Xx=2ZqXjmRxp-8dze7HGtiN6cFvP4mTWapr3jSkRQ@mail.gmail.com> (raw)
In-Reply-To: <alpine.DEB.2.20.1706121929430.1911@nanos>
2017-06-12 19:32 GMT+02:00 Thomas Gleixner <tglx@linutronix.de>:
> That explains, what you could do with it, but it completely lacks any
> rationale WHY this is desired and good behaviour and how that is a security
> feature.
You are right, I could have been more descriptive.
This is not a security feature "per se", it's a way to soften some
unwanted side-effects of restrictive security features.
In particular I'm trying to introduce a feature that will prevent
the runtime creation of executable code in user-space programs:
it's something like the PaX's MPROTECT feature.
This hook is used to implement what PaX call "trampoline
emulation" that, in practice, allow for some specific code
sequences to be executed even if they are in non executable memory.
This may look like a bad thing at first, but you have to consider
that:
- This allows for "memory restriction" features to stay on even
when they should be turned off. And, even if this emulation
makes the feature less effective, it's still better than having
it turned off completely
- The only code sequences emulated are trampolines used to make
function calls. In many cases, when you have the chance to
make arbitrary memory writes, you can already manipulate the
control flow of the program by overwriting function pointers or
return values. So, in many cases, the "trampoline emulation"
doesn't introduce new exploit vectors.
- It's a feature that can be turned on only if needed, on a per
executable file basis.
Thank your for taking the time to review this.
WARNING: multiple messages have this Message-ID (diff)
From: s.mesoraca16@gmail.com (Salvatore Mesoraca)
To: linux-security-module@vger.kernel.org
Subject: [PATCH 08/11] Creation of "pagefault_handler_x86" LSM hook
Date: Tue, 13 Jun 2017 09:41:29 +0200 [thread overview]
Message-ID: <CAJHCu1K00Xx=2ZqXjmRxp-8dze7HGtiN6cFvP4mTWapr3jSkRQ@mail.gmail.com> (raw)
In-Reply-To: <alpine.DEB.2.20.1706121929430.1911@nanos>
2017-06-12 19:32 GMT+02:00 Thomas Gleixner <tglx@linutronix.de>:
> That explains, what you could do with it, but it completely lacks any
> rationale WHY this is desired and good behaviour and how that is a security
> feature.
You are right, I could have been more descriptive.
This is not a security feature "per se", it's a way to soften some
unwanted side-effects of restrictive security features.
In particular I'm trying to introduce a feature that will prevent
the runtime creation of executable code in user-space programs:
it's something like the PaX's MPROTECT feature.
This hook is used to implement what PaX call "trampoline
emulation" that, in practice, allow for some specific code
sequences to be executed even if they are in non executable memory.
This may look like a bad thing at first, but you have to consider
that:
- This allows for "memory restriction" features to stay on even
when they should be turned off. And, even if this emulation
makes the feature less effective, it's still better than having
it turned off completely
- The only code sequences emulated are trampolines used to make
function calls. In many cases, when you have the chance to
make arbitrary memory writes, you can already manipulate the
control flow of the program by overwriting function pointers or
return values. So, in many cases, the "trampoline emulation"
doesn't introduce new exploit vectors.
- It's a feature that can be turned on only if needed, on a per
executable file basis.
Thank your for taking the time to review this.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Salvatore Mesoraca <s.mesoraca16@gmail.com>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
kernel-hardening@lists.openwall.com,
Brad Spengler <spender@grsecurity.net>,
PaX Team <pageexec@freemail.hu>,
Casey Schaufler <casey@schaufler-ca.com>,
Kees Cook <keescook@chromium.org>,
James Morris <james.l.morris@oracle.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
x86@kernel.org, Ingo Molnar <mingo@redhat.com>
Subject: [kernel-hardening] Re: [PATCH 08/11] Creation of "pagefault_handler_x86" LSM hook
Date: Tue, 13 Jun 2017 09:41:29 +0200 [thread overview]
Message-ID: <CAJHCu1K00Xx=2ZqXjmRxp-8dze7HGtiN6cFvP4mTWapr3jSkRQ@mail.gmail.com> (raw)
In-Reply-To: <alpine.DEB.2.20.1706121929430.1911@nanos>
2017-06-12 19:32 GMT+02:00 Thomas Gleixner <tglx@linutronix.de>:
> That explains, what you could do with it, but it completely lacks any
> rationale WHY this is desired and good behaviour and how that is a security
> feature.
You are right, I could have been more descriptive.
This is not a security feature "per se", it's a way to soften some
unwanted side-effects of restrictive security features.
In particular I'm trying to introduce a feature that will prevent
the runtime creation of executable code in user-space programs:
it's something like the PaX's MPROTECT feature.
This hook is used to implement what PaX call "trampoline
emulation" that, in practice, allow for some specific code
sequences to be executed even if they are in non executable memory.
This may look like a bad thing at first, but you have to consider
that:
- This allows for "memory restriction" features to stay on even
when they should be turned off. And, even if this emulation
makes the feature less effective, it's still better than having
it turned off completely
- The only code sequences emulated are trampolines used to make
function calls. In many cases, when you have the chance to
make arbitrary memory writes, you can already manipulate the
control flow of the program by overwriting function pointers or
return values. So, in many cases, the "trampoline emulation"
doesn't introduce new exploit vectors.
- It's a feature that can be turned on only if needed, on a per
executable file basis.
Thank your for taking the time to review this.
next prev parent reply other threads:[~2017-06-13 7:41 UTC|newest]
Thread overview: 124+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-12 16:56 [PATCH 00/11] S.A.R.A. a new stacked LSM Salvatore Mesoraca
2017-06-12 16:56 ` [kernel-hardening] " Salvatore Mesoraca
2017-06-12 16:56 ` Salvatore Mesoraca
2017-06-12 16:56 ` [PATCH 01/11] S.A.R.A. Documentation Salvatore Mesoraca
2017-06-12 16:56 ` [kernel-hardening] " Salvatore Mesoraca
2017-06-12 16:56 ` Salvatore Mesoraca
2017-06-12 17:49 ` [kernel-hardening] " Jann Horn
2017-06-12 17:49 ` Jann Horn
2017-06-13 7:43 ` Salvatore Mesoraca
2017-06-13 7:43 ` Salvatore Mesoraca
2017-06-27 22:51 ` Kees Cook
2017-06-27 22:51 ` [kernel-hardening] " Kees Cook
2017-06-27 22:51 ` Kees Cook
2017-06-27 22:54 ` Kees Cook
2017-06-27 22:54 ` [kernel-hardening] " Kees Cook
2017-06-27 22:54 ` Kees Cook
2017-07-04 10:12 ` Salvatore Mesoraca
2017-07-04 10:12 ` [kernel-hardening] " Salvatore Mesoraca
2017-07-04 10:12 ` Salvatore Mesoraca
2017-06-12 16:56 ` [PATCH 02/11] S.A.R.A. framework creation Salvatore Mesoraca
2017-06-12 16:56 ` [kernel-hardening] " Salvatore Mesoraca
2017-06-12 16:56 ` Salvatore Mesoraca
2017-06-12 16:56 ` [PATCH 03/11] Creation of "usb_device_auth" LSM hook Salvatore Mesoraca
2017-06-12 16:56 ` [kernel-hardening] " Salvatore Mesoraca
2017-06-12 16:56 ` Salvatore Mesoraca
2017-06-12 17:35 ` Krzysztof Opasiak
2017-06-12 17:35 ` [kernel-hardening] " Krzysztof Opasiak
2017-06-12 17:35 ` Krzysztof Opasiak
2017-06-13 7:47 ` Salvatore Mesoraca
2017-06-13 7:47 ` [kernel-hardening] " Salvatore Mesoraca
2017-06-13 7:47 ` Salvatore Mesoraca
2017-06-12 19:38 ` Greg Kroah-Hartman
2017-06-12 19:38 ` [kernel-hardening] " Greg Kroah-Hartman
2017-06-12 19:38 ` Greg Kroah-Hartman
2017-06-13 7:50 ` Salvatore Mesoraca
2017-06-13 7:50 ` [kernel-hardening] " Salvatore Mesoraca
2017-06-13 7:50 ` Salvatore Mesoraca
2017-06-12 21:31 ` Casey Schaufler
2017-06-12 21:31 ` [kernel-hardening] " Casey Schaufler
2017-06-12 21:31 ` Casey Schaufler
2017-06-13 7:51 ` Salvatore Mesoraca
2017-06-13 7:51 ` [kernel-hardening] " Salvatore Mesoraca
2017-06-13 7:51 ` Salvatore Mesoraca
2017-06-13 1:15 ` kbuild test robot
2017-06-13 1:15 ` [kernel-hardening] " kbuild test robot
2017-06-13 1:15 ` kbuild test robot
2017-06-13 3:11 ` kbuild test robot
2017-06-13 3:11 ` [kernel-hardening] " kbuild test robot
2017-06-13 3:11 ` kbuild test robot
2017-06-12 16:56 ` [PATCH 04/11] S.A.R.A. USB Filtering Salvatore Mesoraca
2017-06-12 16:56 ` [kernel-hardening] " Salvatore Mesoraca
2017-06-12 16:56 ` Salvatore Mesoraca
2017-06-20 7:07 ` Pavel Machek
2017-06-20 7:07 ` [kernel-hardening] " Pavel Machek
2017-06-20 7:53 ` Salvatore Mesoraca
2017-06-20 7:53 ` [kernel-hardening] " Salvatore Mesoraca
2017-06-20 7:53 ` Salvatore Mesoraca
2017-06-12 16:56 ` [PATCH 05/11] Creation of "check_vmflags" LSM hook Salvatore Mesoraca
2017-06-12 16:56 ` [kernel-hardening] " Salvatore Mesoraca
2017-06-12 16:56 ` Salvatore Mesoraca
2017-06-12 16:56 ` Salvatore Mesoraca
2017-06-12 21:31 ` Casey Schaufler
2017-06-12 21:31 ` [kernel-hardening] " Casey Schaufler
2017-06-12 21:31 ` Casey Schaufler
2017-06-12 21:31 ` Casey Schaufler
2017-06-13 7:55 ` Salvatore Mesoraca
2017-06-13 7:55 ` [kernel-hardening] " Salvatore Mesoraca
2017-06-13 7:55 ` Salvatore Mesoraca
2017-06-13 7:55 ` Salvatore Mesoraca
2017-06-13 6:34 ` Christoph Hellwig
2017-06-13 6:34 ` [kernel-hardening] " Christoph Hellwig
2017-06-13 6:34 ` Christoph Hellwig
2017-06-13 6:34 ` Christoph Hellwig
2017-06-13 7:52 ` Salvatore Mesoraca
2017-06-13 7:52 ` [kernel-hardening] " Salvatore Mesoraca
2017-06-13 7:52 ` Salvatore Mesoraca
2017-06-13 7:52 ` Salvatore Mesoraca
2017-06-12 16:56 ` [PATCH 06/11] S.A.R.A. cred blob management Salvatore Mesoraca
2017-06-12 16:56 ` [kernel-hardening] " Salvatore Mesoraca
2017-06-12 16:56 ` Salvatore Mesoraca
2017-06-12 16:56 ` [PATCH 07/11] S.A.R.A. WX Protection Salvatore Mesoraca
2017-06-12 16:56 ` [kernel-hardening] " Salvatore Mesoraca
2017-06-12 16:56 ` Salvatore Mesoraca
2017-06-12 16:56 ` [PATCH 08/11] Creation of "pagefault_handler_x86" LSM hook Salvatore Mesoraca
2017-06-12 16:56 ` [kernel-hardening] " Salvatore Mesoraca
2017-06-12 16:56 ` Salvatore Mesoraca
2017-06-12 17:32 ` Thomas Gleixner
2017-06-12 17:32 ` [kernel-hardening] " Thomas Gleixner
2017-06-12 17:32 ` Thomas Gleixner
2017-06-13 7:41 ` Salvatore Mesoraca [this message]
2017-06-13 7:41 ` [kernel-hardening] " Salvatore Mesoraca
2017-06-13 7:41 ` Salvatore Mesoraca
2017-06-12 16:56 ` [PATCH 09/11] Trampoline emulation Salvatore Mesoraca
2017-06-12 16:56 ` [kernel-hardening] " Salvatore Mesoraca
2017-06-12 16:56 ` Salvatore Mesoraca
2017-06-13 0:02 ` kbuild test robot
2017-06-13 0:02 ` [kernel-hardening] " kbuild test robot
2017-06-13 0:02 ` kbuild test robot
2017-06-12 16:56 ` [PATCH 10/11] Allowing for stacking procattr support in S.A.R.A Salvatore Mesoraca
2017-06-12 16:56 ` [kernel-hardening] " Salvatore Mesoraca
2017-06-12 16:56 ` Salvatore Mesoraca
2017-06-12 16:57 ` [PATCH 11/11] S.A.R.A. WX Protection procattr interface Salvatore Mesoraca
2017-06-12 16:57 ` [kernel-hardening] " Salvatore Mesoraca
2017-06-12 16:57 ` Salvatore Mesoraca
2017-07-09 19:35 ` [kernel-hardening] [PATCH 00/11] S.A.R.A. a new stacked LSM Mickaël Salaün
2017-07-10 7:59 ` Salvatore Mesoraca
2017-07-10 7:59 ` Salvatore Mesoraca
2017-07-10 23:40 ` Mickaël Salaün
2017-07-11 16:58 ` Salvatore Mesoraca
2017-07-11 16:58 ` Salvatore Mesoraca
2017-07-11 17:49 ` Matt Brown
2017-07-11 17:49 ` Matt Brown
2017-07-11 19:31 ` Mimi Zohar
2017-07-11 19:31 ` Mimi Zohar
2017-07-13 12:39 ` Matt Brown
2017-07-13 12:39 ` Matt Brown
2017-07-13 15:19 ` Mimi Zohar
2017-07-13 15:19 ` Mimi Zohar
2017-07-13 19:51 ` Serge E. Hallyn
2017-07-13 19:51 ` Serge E. Hallyn
2017-07-13 22:33 ` Matt Brown
2017-07-13 22:33 ` Matt Brown
2017-07-24 0:58 ` Casey Schaufler
2017-07-24 0:58 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAJHCu1K00Xx=2ZqXjmRxp-8dze7HGtiN6cFvP4mTWapr3jSkRQ@mail.gmail.com' \
--to=s.mesoraca16@gmail.com \
--cc=casey@schaufler-ca.com \
--cc=james.l.morris@oracle.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=pageexec@freemail.hu \
--cc=serge@hallyn.com \
--cc=spender@grsecurity.net \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.