From: Kees Cook <keescook@chromium.org> To: kernel-hardening@lists.openwall.com Cc: Kees Cook <keescook@chromium.org>, Laura Abbott <labbott@redhat.com>, x86@kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v2 00/20] Introduce struct layout randomization plugin Date: Fri, 26 May 2017 13:17:04 -0700 [thread overview] Message-ID: <1495829844-69341-1-git-send-email-keescook@chromium.org> (raw) This series brings grsecurity's structure layout randomization plugin to upstream. The plugin randomizes the layout of selected structures at compile time, as a probabilistic defense against attacks that need to know the layout of structures within the kernel. This is most useful for "in-house" kernel builds where the neither the randomization seed nor other build artifacts are made available to an attacker. While less useful for distribution kernels (where the randomization seed must be exposed for third party kernel module builds), it still has some value there since now all kernel builds would need to be tracked by an attacker. One requirement of the plugin is that randomized structures must use designated initializers. Many of these have been landing already as I've been sending them over the past couple months, but there are still some stragglers, which are included here. Another area to address are places where randomized structures are cast to other structures, since there may be implicit positional details that need to be addressed. Luckily, there are only a few of these false positives, and they have been worked around either by adjusting the source (e.g. correctly using ERR_CAST() or container_of()) or whitelisting them in the plugin. Some of these fixes have landed already, again with stragglers included here. The plugin selects structures in two ways: manually marked with the new __randomize_layout annotation, or automatically when a structure is found to consist entirely of function pointers (which can be opted out of with the new __no_randomize_layout annotation). A structure that is especially sensitive and regularly abused in exploits is task_struct, but randomizing it requires some special handling due to some fields needing to be at the start and end. To deal with this, an internal anonymous struct is used to mark the portion that will be randomized. I'd love feedback on whether I should bite the bullet and perform indenting or violate indenting rules to avoid a massive white-space change. Also is the problem that older GCC seems to balk at its use, which I have not figured out yet. As already mentioned, the bulk of this feature and annotations are ported over from grsecurity. The implementation is almost entirely identical to the original code written by the PaX Team and Brad Spengler. The changes are an addition of improved designated initializer markings, a whitelisting mechanism, many false positive fixes, and a different approach to handling the task_struct randomization. I've been doing boot tests with instrumentation showing successfully changing offsets within the task_struct, which ran overnight without problems. So far, the 0day builder hasn't alerted on anything either. This series is based on next-20170525. I intend to push patches 1 through 18 into linux-next if there are no objections. The task_struct change needs some more attention, and I continue to wait on ACPICA to take the changes in the final patch. Patches are: [PATCH 01/20] NFS: Avoid cross-structure casting Fix to use ERR_CAST() [PATCH 02/20] gcc-plugins: Detail c-common.h location for GCC 4.6 Update documentation about GCC 4.6 version file locations. [PATCH 03/20] compiler: Add __designated_init annotation Introduce annotation for designated initializers. [PATCH 04/20] gcc-plugins: Add the randstruct plugin The plugin itself, with struct auto-detection disabled. [PATCH 05/20] randstruct: Whitelist struct security_hook_heads cast [PATCH 06/20] randstruct: Whitelist UNIXCB cast [PATCH 07/20] randstruct: Whitelist big_key path struct overloading [PATCH 08/20] randstruct: Whitelist NIU struct page overloading Whitelist a number of false positives that do not have trivial source corrections to be made. [PATCH 09/20] randstruct: Mark various structs for randomization Adds the manual annotation for structures to randomize. [PATCH 10/20] randstruct: opt-out externally exposed function pointer Opt out of some externally-exposed structs that would be otherwise automatically randomized. [PATCH 11/20] randstruct: Disable randomization of ACPICA structs Opt out of ACPICA randomization. [PATCH 12/20] sgi-xp: Use designated initializers [PATCH 13/20] drm/amdgpu: Use designated initializers [PATCH 14/20] drm/amd/powerplay: Use designated initializers [PATCH 15/20] mtk-vcodec: Use designated initializers The remaining designated initializer fixes for automatic struct randomization. [PATCH 16/20] ntfs: Use ERR_CAST() to avoid cross-structure cast [PATCH 17/20] ocfs2: Use ERR_CAST() to avoid cross-structure cast The remaining cast fixes for automatic struct randomization. [PATCH 18/20] randstruct: Enable function pointer struct detection Enables automatic struct randomization. [PATCH 19/20] [RFC] task_struct: Allow randomized layout Tricky anonymous struct within task_struct... [PATCH 20/20] ACPICA: Use designated initializers Proposed upstream ACPICA solution for designated initializers... Testing/feedback appreciated! -Kees
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org> To: kernel-hardening@lists.openwall.com Cc: Kees Cook <keescook@chromium.org>, Laura Abbott <labbott@redhat.com>, x86@kernel.org, linux-kernel@vger.kernel.org Subject: [kernel-hardening] [PATCH v2 00/20] Introduce struct layout randomization plugin Date: Fri, 26 May 2017 13:17:04 -0700 [thread overview] Message-ID: <1495829844-69341-1-git-send-email-keescook@chromium.org> (raw) This series brings grsecurity's structure layout randomization plugin to upstream. The plugin randomizes the layout of selected structures at compile time, as a probabilistic defense against attacks that need to know the layout of structures within the kernel. This is most useful for "in-house" kernel builds where the neither the randomization seed nor other build artifacts are made available to an attacker. While less useful for distribution kernels (where the randomization seed must be exposed for third party kernel module builds), it still has some value there since now all kernel builds would need to be tracked by an attacker. One requirement of the plugin is that randomized structures must use designated initializers. Many of these have been landing already as I've been sending them over the past couple months, but there are still some stragglers, which are included here. Another area to address are places where randomized structures are cast to other structures, since there may be implicit positional details that need to be addressed. Luckily, there are only a few of these false positives, and they have been worked around either by adjusting the source (e.g. correctly using ERR_CAST() or container_of()) or whitelisting them in the plugin. Some of these fixes have landed already, again with stragglers included here. The plugin selects structures in two ways: manually marked with the new __randomize_layout annotation, or automatically when a structure is found to consist entirely of function pointers (which can be opted out of with the new __no_randomize_layout annotation). A structure that is especially sensitive and regularly abused in exploits is task_struct, but randomizing it requires some special handling due to some fields needing to be at the start and end. To deal with this, an internal anonymous struct is used to mark the portion that will be randomized. I'd love feedback on whether I should bite the bullet and perform indenting or violate indenting rules to avoid a massive white-space change. Also is the problem that older GCC seems to balk at its use, which I have not figured out yet. As already mentioned, the bulk of this feature and annotations are ported over from grsecurity. The implementation is almost entirely identical to the original code written by the PaX Team and Brad Spengler. The changes are an addition of improved designated initializer markings, a whitelisting mechanism, many false positive fixes, and a different approach to handling the task_struct randomization. I've been doing boot tests with instrumentation showing successfully changing offsets within the task_struct, which ran overnight without problems. So far, the 0day builder hasn't alerted on anything either. This series is based on next-20170525. I intend to push patches 1 through 18 into linux-next if there are no objections. The task_struct change needs some more attention, and I continue to wait on ACPICA to take the changes in the final patch. Patches are: [PATCH 01/20] NFS: Avoid cross-structure casting Fix to use ERR_CAST() [PATCH 02/20] gcc-plugins: Detail c-common.h location for GCC 4.6 Update documentation about GCC 4.6 version file locations. [PATCH 03/20] compiler: Add __designated_init annotation Introduce annotation for designated initializers. [PATCH 04/20] gcc-plugins: Add the randstruct plugin The plugin itself, with struct auto-detection disabled. [PATCH 05/20] randstruct: Whitelist struct security_hook_heads cast [PATCH 06/20] randstruct: Whitelist UNIXCB cast [PATCH 07/20] randstruct: Whitelist big_key path struct overloading [PATCH 08/20] randstruct: Whitelist NIU struct page overloading Whitelist a number of false positives that do not have trivial source corrections to be made. [PATCH 09/20] randstruct: Mark various structs for randomization Adds the manual annotation for structures to randomize. [PATCH 10/20] randstruct: opt-out externally exposed function pointer Opt out of some externally-exposed structs that would be otherwise automatically randomized. [PATCH 11/20] randstruct: Disable randomization of ACPICA structs Opt out of ACPICA randomization. [PATCH 12/20] sgi-xp: Use designated initializers [PATCH 13/20] drm/amdgpu: Use designated initializers [PATCH 14/20] drm/amd/powerplay: Use designated initializers [PATCH 15/20] mtk-vcodec: Use designated initializers The remaining designated initializer fixes for automatic struct randomization. [PATCH 16/20] ntfs: Use ERR_CAST() to avoid cross-structure cast [PATCH 17/20] ocfs2: Use ERR_CAST() to avoid cross-structure cast The remaining cast fixes for automatic struct randomization. [PATCH 18/20] randstruct: Enable function pointer struct detection Enables automatic struct randomization. [PATCH 19/20] [RFC] task_struct: Allow randomized layout Tricky anonymous struct within task_struct... [PATCH 20/20] ACPICA: Use designated initializers Proposed upstream ACPICA solution for designated initializers... Testing/feedback appreciated! -Kees
next reply other threads:[~2017-05-27 1:10 UTC|newest] Thread overview: 116+ messages / expand[flat|nested] mbox.gz Atom feed top 2017-05-26 20:17 Kees Cook [this message] 2017-05-26 20:17 ` [kernel-hardening] [PATCH v2 00/20] Introduce struct layout randomization plugin Kees Cook 2017-05-26 20:17 ` [PATCH v2 01/20] NFS: Avoid cross-structure casting Kees Cook 2017-05-26 20:17 ` [kernel-hardening] " Kees Cook 2017-05-28 7:53 ` Christoph Hellwig 2017-05-28 7:53 ` [kernel-hardening] " Christoph Hellwig 2017-05-28 16:55 ` Kees Cook 2017-05-28 16:55 ` [kernel-hardening] " Kees Cook 2017-05-26 20:17 ` [PATCH v2 02/20] gcc-plugins: Detail c-common.h location for GCC 4.6 Kees Cook 2017-05-26 20:17 ` [kernel-hardening] " Kees Cook 2017-05-26 20:17 ` [PATCH v2 03/20] compiler: Add __designated_init annotation Kees Cook 2017-05-26 20:17 ` [kernel-hardening] " Kees Cook 2017-05-26 20:17 ` [PATCH v2 04/20] gcc-plugins: Add the randstruct plugin Kees Cook 2017-05-26 20:17 ` [kernel-hardening] " Kees Cook 2017-06-29 22:08 ` Arnd Bergmann 2017-06-29 22:08 ` [kernel-hardening] " Arnd Bergmann 2017-06-29 22:53 ` Kees Cook 2017-06-29 22:53 ` [kernel-hardening] " Kees Cook 2017-06-30 0:04 ` Kees Cook 2017-06-30 0:04 ` [kernel-hardening] " Kees Cook 2017-06-30 7:35 ` Arnd Bergmann 2017-06-30 7:35 ` [kernel-hardening] " Arnd Bergmann 2017-06-30 7:55 ` Ard Biesheuvel 2017-06-30 7:55 ` [kernel-hardening] " Ard Biesheuvel 2017-06-30 8:27 ` Arnd Bergmann 2017-06-30 8:27 ` [kernel-hardening] " Arnd Bergmann 2017-06-30 14:41 ` Kees Cook 2017-06-30 14:41 ` [kernel-hardening] " Kees Cook 2017-06-30 15:22 ` Arnd Bergmann 2017-06-30 15:22 ` [kernel-hardening] " Arnd Bergmann 2017-05-26 20:17 ` [PATCH v2 05/20] randstruct: Whitelist struct security_hook_heads cast Kees Cook 2017-05-26 20:17 ` [kernel-hardening] " Kees Cook 2017-05-27 8:41 ` Christoph Hellwig 2017-05-27 8:41 ` [kernel-hardening] " Christoph Hellwig 2017-05-27 20:09 ` Kees Cook 2017-05-27 20:09 ` [kernel-hardening] " Kees Cook 2017-05-27 20:09 ` Kees Cook 2017-05-27 22:04 ` Tetsuo Handa 2017-05-27 22:04 ` [kernel-hardening] " Tetsuo Handa 2017-05-27 22:04 ` Tetsuo Handa 2017-05-28 0:43 ` [kernel-hardening] " Kees Cook 2017-05-28 0:43 ` Kees Cook 2017-05-28 0:43 ` Kees Cook 2017-05-30 10:34 ` James Morris 2017-05-30 10:34 ` [kernel-hardening] " James Morris 2017-05-30 10:34 ` James Morris 2017-05-26 20:17 ` [PATCH v2 06/20] randstruct: Whitelist UNIXCB cast Kees Cook 2017-05-26 20:17 ` [kernel-hardening] " Kees Cook 2017-05-26 20:20 ` Kees Cook 2017-05-26 20:20 ` [kernel-hardening] " Kees Cook 2017-05-28 7:56 ` Christoph Hellwig 2017-05-28 7:56 ` [kernel-hardening] " Christoph Hellwig 2017-05-26 20:17 ` [PATCH v2 07/20] randstruct: Whitelist big_key path struct overloading Kees Cook 2017-05-26 20:17 ` [kernel-hardening] " Kees Cook 2017-05-28 8:12 ` Christoph Hellwig 2017-05-28 8:12 ` [kernel-hardening] " Christoph Hellwig 2017-05-28 16:59 ` Kees Cook 2017-05-28 16:59 ` [kernel-hardening] " Kees Cook 2017-06-19 19:24 ` Kees Cook 2017-06-19 19:24 ` [kernel-hardening] " Kees Cook 2017-09-07 7:20 ` Christoph Hellwig 2017-09-07 7:20 ` [kernel-hardening] " Christoph Hellwig 2017-09-07 22:55 ` Kees Cook 2017-09-07 22:55 ` [kernel-hardening] " Kees Cook 2017-05-26 20:17 ` [PATCH v2 08/20] randstruct: Whitelist NIU struct page overloading Kees Cook 2017-05-26 20:17 ` [kernel-hardening] " Kees Cook 2017-05-28 8:15 ` Christoph Hellwig 2017-05-28 8:15 ` [kernel-hardening] " Christoph Hellwig 2017-05-28 17:35 ` Kees Cook 2017-05-28 17:35 ` [kernel-hardening] " Kees Cook 2017-05-28 17:35 ` Kees Cook 2017-05-28 17:37 ` Kees Cook 2017-05-28 17:37 ` [kernel-hardening] " Kees Cook 2017-05-28 17:37 ` Kees Cook 2017-05-26 20:17 ` [PATCH v2 09/20] randstruct: Mark various structs for randomization Kees Cook 2017-05-26 20:17 ` [kernel-hardening] " Kees Cook 2017-05-26 20:17 ` [PATCH v2 10/20] randstruct: opt-out externally exposed function pointer structs Kees Cook 2017-05-26 20:17 ` [kernel-hardening] " Kees Cook 2017-05-26 20:17 ` [PATCH v2 11/20] randstruct: Disable randomization of ACPICA structs Kees Cook 2017-05-26 20:17 ` [kernel-hardening] " Kees Cook 2017-05-27 8:42 ` Christoph Hellwig 2017-05-27 8:42 ` [kernel-hardening] " Christoph Hellwig 2017-05-27 20:03 ` Kees Cook 2017-05-27 20:03 ` [kernel-hardening] " Kees Cook 2017-05-28 4:55 ` Christoph Hellwig 2017-05-28 4:55 ` [kernel-hardening] " Christoph Hellwig 2017-05-26 20:17 ` [PATCH v2 12/20] sgi-xp: Use designated initializers Kees Cook 2017-05-26 20:17 ` [kernel-hardening] " Kees Cook 2017-05-27 8:44 ` Christoph Hellwig 2017-05-27 8:44 ` [kernel-hardening] " Christoph Hellwig 2017-05-26 20:17 ` [PATCH v2 13/20] drm/amdgpu: " Kees Cook 2017-05-26 20:17 ` [kernel-hardening] " Kees Cook 2017-05-26 20:17 ` [PATCH v2 14/20] drm/amd/powerplay: " Kees Cook 2017-05-26 20:17 ` [kernel-hardening] " Kees Cook 2017-05-27 8:47 ` Christoph Hellwig 2017-05-27 8:47 ` [kernel-hardening] " Christoph Hellwig 2017-05-27 20:10 ` Kees Cook 2017-05-27 20:10 ` [kernel-hardening] " Kees Cook 2017-05-26 20:17 ` [PATCH v2 15/20] mtk-vcodec: " Kees Cook 2017-05-26 20:17 ` [kernel-hardening] " Kees Cook 2017-05-26 20:17 ` [PATCH v2 16/20] ntfs: Use ERR_CAST() to avoid cross-structure cast Kees Cook 2017-05-26 20:17 ` [kernel-hardening] " Kees Cook 2017-05-26 20:17 ` [PATCH v2 17/20] ocfs2: " Kees Cook 2017-05-26 20:17 ` [kernel-hardening] " Kees Cook 2017-05-26 20:17 ` [PATCH v2 18/20] randstruct: Enable function pointer struct detection Kees Cook 2017-05-26 20:17 ` [kernel-hardening] " Kees Cook 2017-05-26 20:17 ` [PATCH v2 19/20] [RFC] task_struct: Allow randomized layout Kees Cook 2017-05-26 20:17 ` [kernel-hardening] " Kees Cook 2017-05-26 20:23 ` Linus Torvalds 2017-05-26 20:23 ` [kernel-hardening] " Linus Torvalds 2017-05-26 20:32 ` Kees Cook 2017-05-26 20:32 ` [kernel-hardening] " Kees Cook 2017-05-26 20:17 ` [PATCH v2 20/20] ACPICA: Use designated initializers Kees Cook 2017-05-26 20:17 ` [kernel-hardening] " Kees Cook 2017-05-28 7:45 ` Christoph Hellwig 2017-05-28 7:45 ` [kernel-hardening] " Christoph Hellwig
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=1495829844-69341-1-git-send-email-keescook@chromium.org \ --to=keescook@chromium.org \ --cc=kernel-hardening@lists.openwall.com \ --cc=labbott@redhat.com \ --cc=linux-kernel@vger.kernel.org \ --cc=x86@kernel.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.