From: Mark Rutland <mark.rutland@arm.com>
To: kernel-hardening@lists.openwall.com
Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org,
linux-x86_64@vger.kernel.org, juerg.haefliger@hpe.com,
vpk@cs.columbia.edu
Subject: Re: [kernel-hardening] [RFC PATCH v2 0/3] Add support for eXclusive Page Frame Ownership (XPFO)
Date: Wed, 14 Sep 2016 10:36:34 +0100 [thread overview]
Message-ID: <20160914093634.GB13121@leverpostej> (raw)
In-Reply-To: <20160914071901.8127-1-juerg.haefliger@hpe.com>
Hi,
On Wed, Sep 14, 2016 at 09:18:58AM +0200, Juerg Haefliger wrote:
> This patch series adds support for XPFO which protects against 'ret2dir'
> kernel attacks. The basic idea is to enforce exclusive ownership of page
> frames by either the kernel or userspace, unless explicitly requested by
> the kernel. Whenever a page destined for userspace is allocated, it is
> unmapped from physmap (the kernel's page table). When such a page is
> reclaimed from userspace, it is mapped back to physmap.
> Known issues/limitations:
> - Only supports x86-64 (for now)
> - Only supports 4k pages (for now)
> - There are most likely some legitimate uses cases where the kernel needs
> to access userspace which need to be made XPFO-aware
> - Performance penalty
>
> Reference paper by the original patch authors:
> http://www.cs.columbia.edu/~vpk/papers/ret2dir.sec14.pdf
Just to check, doesn't DEBUG_RODATA ensure that the linear mapping is
non-executable on x86_64 (as it does for arm64)?
For both arm64 and x86_64, DEBUG_RODATA is mandatory (or soon to be so).
Assuming that implies a lack of execute permission for x86_64, that
should provide a similar level of protection against erroneously
branching to addresses in the linear map, without the complexity and
overhead of mapping/unmapping pages.
So to me it looks like this approach may only be useful for
architectures without page-granular execute permission controls.
Is this also intended to protect against erroneous *data* accesses to
the linear map?
Am I missing something?
Thanks,
Mark.
WARNING: multiple messages have this Message-ID (diff)
From: Mark Rutland <mark.rutland@arm.com>
To: kernel-hardening@lists.openwall.com
Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org,
linux-x86_64@vger.kernel.org, juerg.haefliger@hpe.com,
vpk@cs.columbia.edu
Subject: Re: [kernel-hardening] [RFC PATCH v2 0/3] Add support for eXclusive Page Frame Ownership (XPFO)
Date: Wed, 14 Sep 2016 10:36:34 +0100 [thread overview]
Message-ID: <20160914093634.GB13121@leverpostej> (raw)
In-Reply-To: <20160914071901.8127-1-juerg.haefliger@hpe.com>
Hi,
On Wed, Sep 14, 2016 at 09:18:58AM +0200, Juerg Haefliger wrote:
> This patch series adds support for XPFO which protects against 'ret2dir'
> kernel attacks. The basic idea is to enforce exclusive ownership of page
> frames by either the kernel or userspace, unless explicitly requested by
> the kernel. Whenever a page destined for userspace is allocated, it is
> unmapped from physmap (the kernel's page table). When such a page is
> reclaimed from userspace, it is mapped back to physmap.
> Known issues/limitations:
> - Only supports x86-64 (for now)
> - Only supports 4k pages (for now)
> - There are most likely some legitimate uses cases where the kernel needs
> to access userspace which need to be made XPFO-aware
> - Performance penalty
>
> Reference paper by the original patch authors:
> http://www.cs.columbia.edu/~vpk/papers/ret2dir.sec14.pdf
Just to check, doesn't DEBUG_RODATA ensure that the linear mapping is
non-executable on x86_64 (as it does for arm64)?
For both arm64 and x86_64, DEBUG_RODATA is mandatory (or soon to be so).
Assuming that implies a lack of execute permission for x86_64, that
should provide a similar level of protection against erroneously
branching to addresses in the linear map, without the complexity and
overhead of mapping/unmapping pages.
So to me it looks like this approach may only be useful for
architectures without page-granular execute permission controls.
Is this also intended to protect against erroneous *data* accesses to
the linear map?
Am I missing something?
Thanks,
Mark.
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2016-09-14 9:36 UTC|newest]
Thread overview: 93+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-26 14:21 [RFC PATCH] Add support for eXclusive Page Frame Ownership (XPFO) Juerg Haefliger
2016-02-26 14:21 ` Juerg Haefliger
2016-03-01 1:31 ` Laura Abbott
2016-03-01 1:31 ` Laura Abbott
2016-03-21 8:37 ` Juerg Haefliger
2016-03-21 8:37 ` Juerg Haefliger
2016-03-28 19:29 ` Laura Abbott
2016-03-28 19:29 ` Laura Abbott
2016-03-01 2:10 ` Balbir Singh
2016-03-01 2:10 ` Balbir Singh
2016-03-21 8:44 ` Juerg Haefliger
2016-03-21 8:44 ` Juerg Haefliger
2016-04-01 0:21 ` Balbir Singh
2016-04-01 0:21 ` Balbir Singh
2016-09-02 11:39 ` [RFC PATCH v2 0/3] " Juerg Haefliger
2016-09-02 11:39 ` [kernel-hardening] " Juerg Haefliger
2016-09-02 11:39 ` Juerg Haefliger
2016-09-02 11:39 ` [RFC PATCH v2 1/3] " Juerg Haefliger
2016-09-02 11:39 ` [kernel-hardening] " Juerg Haefliger
2016-09-02 11:39 ` Juerg Haefliger
2016-09-02 11:39 ` [RFC PATCH v2 2/3] xpfo: Only put previous userspace pages into the hot cache Juerg Haefliger
2016-09-02 11:39 ` [kernel-hardening] " Juerg Haefliger
2016-09-02 11:39 ` Juerg Haefliger
2016-09-02 20:39 ` Dave Hansen
2016-09-02 20:39 ` [kernel-hardening] " Dave Hansen
2016-09-02 20:39 ` Dave Hansen
2016-09-05 11:54 ` Juerg Haefliger
2016-09-05 11:54 ` [kernel-hardening] " Juerg Haefliger
2016-09-02 11:39 ` [RFC PATCH v2 3/3] block: Always use a bounce buffer when XPFO is enabled Juerg Haefliger
2016-09-02 11:39 ` [kernel-hardening] " Juerg Haefliger
2016-09-02 11:39 ` Juerg Haefliger
2016-09-14 7:18 ` [RFC PATCH v2 0/3] Add support for eXclusive Page Frame Ownership (XPFO) Juerg Haefliger
2016-09-14 7:18 ` [kernel-hardening] " Juerg Haefliger
2016-09-14 7:18 ` Juerg Haefliger
2016-09-14 7:18 ` [RFC PATCH v2 1/3] " Juerg Haefliger
2016-09-14 7:18 ` [kernel-hardening] " Juerg Haefliger
2016-09-14 7:18 ` Juerg Haefliger
2016-09-14 7:19 ` [RFC PATCH v2 2/3] xpfo: Only put previous userspace pages into the hot cache Juerg Haefliger
2016-09-14 7:19 ` [kernel-hardening] " Juerg Haefliger
2016-09-14 7:19 ` Juerg Haefliger
2016-09-14 14:33 ` [kernel-hardening] " Dave Hansen
2016-09-14 14:33 ` Dave Hansen
2016-09-14 14:40 ` Juerg Haefliger
2016-09-14 14:48 ` Dave Hansen
2016-09-14 14:48 ` Dave Hansen
2016-09-21 5:32 ` Juerg Haefliger
2016-09-14 7:19 ` [RFC PATCH v2 3/3] block: Always use a bounce buffer when XPFO is enabled Juerg Haefliger
2016-09-14 7:19 ` [kernel-hardening] " Juerg Haefliger
2016-09-14 7:19 ` Juerg Haefliger
2016-09-14 7:33 ` Christoph Hellwig
2016-09-14 7:33 ` [kernel-hardening] " Christoph Hellwig
2016-09-14 7:33 ` Christoph Hellwig
2016-09-14 7:23 ` [RFC PATCH v2 0/3] Add support for eXclusive Page Frame Ownership (XPFO) Juerg Haefliger
2016-09-14 7:23 ` [kernel-hardening] " Juerg Haefliger
2016-09-14 9:36 ` Mark Rutland [this message]
2016-09-14 9:36 ` [kernel-hardening] " Mark Rutland
2016-09-14 9:49 ` Mark Rutland
2016-09-14 9:49 ` Mark Rutland
2016-11-04 14:45 ` [RFC PATCH v3 0/2] " Juerg Haefliger
2016-11-04 14:45 ` [kernel-hardening] " Juerg Haefliger
2016-11-04 14:45 ` Juerg Haefliger
2016-11-04 14:45 ` [RFC PATCH v3 1/2] " Juerg Haefliger
2016-11-04 14:45 ` [kernel-hardening] " Juerg Haefliger
2016-11-04 14:45 ` Juerg Haefliger
2016-11-04 14:50 ` Christoph Hellwig
2016-11-04 14:50 ` [kernel-hardening] " Christoph Hellwig
2016-11-04 14:50 ` Christoph Hellwig
2016-11-10 5:53 ` [kernel-hardening] " ZhaoJunmin Zhao(Junmin)
2016-11-10 5:53 ` ZhaoJunmin Zhao(Junmin)
2016-11-10 5:53 ` ZhaoJunmin Zhao(Junmin)
2016-11-10 19:11 ` Kees Cook
2016-11-10 19:11 ` [kernel-hardening] " Kees Cook
2016-11-10 19:11 ` Kees Cook
2016-11-15 11:15 ` Juerg Haefliger
2016-11-15 11:15 ` [kernel-hardening] " Juerg Haefliger
2016-11-15 11:15 ` Juerg Haefliger
2016-11-10 19:24 ` Kees Cook
2016-11-10 19:24 ` [kernel-hardening] " Kees Cook
2016-11-10 19:24 ` Kees Cook
2016-11-15 11:18 ` Juerg Haefliger
2016-11-15 11:18 ` [kernel-hardening] " Juerg Haefliger
2016-11-15 11:18 ` Juerg Haefliger
2016-11-24 10:56 ` AKASHI Takahiro
2016-11-24 10:56 ` [kernel-hardening] " AKASHI Takahiro
2016-11-24 10:56 ` AKASHI Takahiro
2016-11-28 11:15 ` Juerg Haefliger
2016-11-28 11:15 ` [kernel-hardening] " Juerg Haefliger
2016-12-09 9:02 ` AKASHI Takahiro
2016-12-09 9:02 ` [kernel-hardening] " AKASHI Takahiro
2016-12-09 9:02 ` AKASHI Takahiro
2016-11-04 14:45 ` [RFC PATCH v3 2/2] xpfo: Only put previous userspace pages into the hot cache Juerg Haefliger
2016-11-04 14:45 ` [kernel-hardening] " Juerg Haefliger
2016-11-04 14:45 ` Juerg Haefliger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160914093634.GB13121@leverpostej \
--to=mark.rutland@arm.com \
--cc=juerg.haefliger@hpe.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-x86_64@vger.kernel.org \
--cc=vpk@cs.columbia.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.