All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Theodore Y. Ts'o" <tytso@mit.edu>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
	Andi Kleen <ak@linux.intel.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Alexander Viro <viro@zeniv.linux.org.uk>,
	Petr Mladek <pmladek@suse.com>,
	Sergey Senozhatsky <sergey.senozhatsky@gmail.com>,
	Arnd Bergmann <arnd@arndb.de>, Jiri Slaby <jslaby@suse.com>,
	Steven Rostedt <rostedt@goodmis.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] kconfig: Add kernel config option for fuzz testing.
Date: Tue, 17 Dec 2019 10:52:06 -0500	[thread overview]
Message-ID: <20191217155206.GA824812@mit.edu> (raw)
In-Reply-To: <CACT4Y+ZLaR=GR2nssb_buGC0ULNpQW6jvX0p8NAE-vReDY5fPA@mail.gmail.com>

On Tue, Dec 17, 2019 at 09:36:43AM +0100, Dmitry Vyukov wrote:
> Yes, what Tetsuo says. Only syscall numbers and top-level arguments to
> syscalls are easy to filter out. When indirect memory is passed to
> kernel or (fd,ioctl) pairs are involved it boils down to solving the
> halting problem.

I disagree that it's equivalent to solving the halting problem.
Otherwise, we couldn't filter in the kernel.  Let's think about ways
we can solve this.  One is to simply do what valgrind does; this
handles even self-modifying code, since you're essentially running an
x86-to-x86 emulator, and then you find an attempted trap to the
kernel, you can transfer control to a program which vets the arguments
to the system call.

Another approach might be to do this filtering in an BPF hook
installed at syscall entry.  Technically this is being done in the
kernel, but the advantage of this approach is that the BPF program can
be distributed alongside Syzkaller, and it can be Syzkaller-specific.
That way when we need to add a new blacklist entry, it can be done
without needing to wait for a kernel patch.

And note that there may *always* be some ioctls which we will need to
suppress.  For example, an attempt to send a SANITIZE ERASE to a
storage device; or an attempt to freeze the root file system, etc.
And I'm not sure all of these are ones that we can prevent by using
the lockdown setting.  There may very well be some commands that a
legitamate system administrator might want to execute that will, when
executed in the wrong circumstances causes the system to crash.  But
so long as it doesn't violate the trusted boot semantics which are the
whole point of lockdown, we would need to allow them.

So I suspect that some kind of filtering which is Syzkaller specific
is going to be inevitably needed, if you want to throw random binary
code and see what causes problem, and you insist on allowing these
random binary bits to be run as root.  Trying to prevent root from
being able to kill or self-DOS a machine goes way beyond any of our
current security mechanisms, and is something which is only really
needed by Fuzzers.  Personally, I suspect some kind of BPF filtering
is probably your best bet, since it will a bit more architecturally
portable than using some kind of Valgrind-like approach.  (Although
Valgrind *does* most of the architectures that I suspect we're going
to care about.)

						- Ted

  parent reply	other threads:[~2019-12-17 15:54 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-12-16  9:59 [PATCH] kconfig: Add kernel config option for fuzz testing Tetsuo Handa
2019-12-16 11:46 ` Greg Kroah-Hartman
2019-12-16 15:35   ` Tetsuo Handa
2019-12-16 16:31     ` Greg Kroah-Hartman
2019-12-16 20:18     ` Theodore Y. Ts'o
2019-12-16 21:06       ` Tetsuo Handa
2019-12-17  8:36         ` Dmitry Vyukov
2019-12-17  8:53           ` Dmitry Vyukov
2020-01-02 19:57             ` Matthew Garrett
2020-02-18 10:54               ` Tetsuo Handa
2020-02-27 22:10                 ` Tetsuo Handa
2020-02-27 22:15                   ` Matthew Garrett
2019-12-17 15:52           ` Theodore Y. Ts'o [this message]
2019-12-19 17:43             ` Dmitry Vyukov
2019-12-19 21:18               ` Theodore Y. Ts'o
2019-12-18 10:29           ` Tetsuo Handa
2019-12-19 17:21             ` Dmitry Vyukov
2019-12-16 18:34 ` Andi Kleen
2019-12-16 18:47   ` Greg Kroah-Hartman
2019-12-17  5:12 ` Sergey Senozhatsky
2019-12-17  7:54   ` Dmitry Vyukov
2019-12-17  8:24     ` Sergey Senozhatsky
2019-12-17  8:38       ` Dmitry Vyukov
2019-12-17  5:42 ` Masahiro Yamada
2019-12-17  8:41 ` Dmitry Vyukov
2019-12-17 12:54   ` Tetsuo Handa

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20191217155206.GA824812@mit.edu \
    --to=tytso@mit.edu \
    --cc=ak@linux.intel.com \
    --cc=arnd@arndb.de \
    --cc=dvyukov@google.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=jslaby@suse.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=penguin-kernel@i-love.sakura.ne.jp \
    --cc=pmladek@suse.com \
    --cc=rostedt@goodmis.org \
    --cc=sergey.senozhatsky@gmail.com \
    --cc=torvalds@linux-foundation.org \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.