From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.5 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9B6F1C433E0 for ; Tue, 11 Aug 2020 13:08:42 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 831672076C for ; Tue, 11 Aug 2020 13:08:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728701AbgHKNIl (ORCPT ); Tue, 11 Aug 2020 09:08:41 -0400 Received: from jabberwock.ucw.cz ([46.255.230.98]:41556 "EHLO jabberwock.ucw.cz" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728557AbgHKNIk (ORCPT ); Tue, 11 Aug 2020 09:08:40 -0400 Received: by jabberwock.ucw.cz (Postfix, from userid 1017) id C95DF1C0BD8; Tue, 11 Aug 2020 15:08:37 +0200 (CEST) Date: Tue, 11 Aug 2020 15:08:37 +0200 From: Pavel Machek To: "Madhavan T. Venkataraman" Cc: Mark Rutland , kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-fsdevel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, oleg@redhat.com, x86@kernel.org Subject: Re: [PATCH v1 0/4] [RFC] Implement Trampoline File Descriptor Message-ID: <20200811130837.hi6wllv6g67j5wds@duo.ucw.cz> References: <20200728131050.24443-1-madvenka@linux.microsoft.com> <20200731180955.GC67415@C02TD0UTHF1T.local> <6236adf7-4bed-534e-0956-fddab4fd96b6@linux.microsoft.com> <20200804143018.GB7440@C02TD0UTHF1T.local> <20200808221748.GA1020@bug> <6cca8eac-f767-b891-dc92-eaa7504a0e8b@linux.microsoft.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="yvr4rtdsyfwruwtq" Content-Disposition: inline In-Reply-To: <6cca8eac-f767-b891-dc92-eaa7504a0e8b@linux.microsoft.com> User-Agent: NeoMutt/20180716 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --yvr4rtdsyfwruwtq Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi! > >> Thanks for the lively discussion. I have tried to answer some of the > >> comments below. > >=20 > >>> There are options today, e.g. > >>> > >>> a) If the restriction is only per-alias, you can have distinct aliases > >>> where one is writable and another is executable, and you can make = it > >>> hard to find the relationship between the two. > >>> > >>> b) If the restriction is only temporal, you can write instructions in= to > >>> an RW- buffer, transition the buffer to R--, verify the buffer > >>> contents, then transition it to --X. > >>> > >>> c) You can have two processes A and B where A generates instrucitons = into > >>> a buffer that (only) B can execute (where B may be restricted from > >>> making syscalls like write, mprotect, etc). > >> > >> The general principle of the mitigation is W^X. I would argue that > >> the above options are violations of the W^X principle. If they are > >> allowed today, they must be fixed. And they will be. So, we cannot > >> rely on them. > >=20 > > Would you mind describing your threat model? > >=20 > > Because I believe you are using model different from everyone else. > >=20 > > In particular, I don't believe b) is a problem or should be fixed. >=20 > It is a problem because a kernel that implements W^X properly > will not allow it. It has no idea what has been done in userland. > It has no idea that the user has checked and verified the buffer > contents after transitioning the page to R--. No, it is not a problem. W^X is designed to protect from attackers doing buffer overflows, not attackers doing arbitrary syscalls. Best regards, Pavel --=20 (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blo= g.html --yvr4rtdsyfwruwtq Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iF0EARECAB0WIQRPfPO7r0eAhk010v0w5/Bqldv68gUCXzKYVQAKCRAw5/Bqldv6 8ukgAJ9NvrVhKohEnNz0+UYVlo/02QCYaACgiTn7V4hdsKUqG2xCfqc/g1HOnV4= =VFJ2 -----END PGP SIGNATURE----- --yvr4rtdsyfwruwtq-- From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.5 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id B19B8C433E1 for ; Tue, 11 Aug 2020 13:10:37 +0000 (UTC) Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 7C760206DC for ; Tue, 11 Aug 2020 13:10:37 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="VWKW3JkP" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 7C760206DC Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=ucw.cz Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Type:Cc: List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id: In-Reply-To:MIME-Version:References:Message-ID:Subject:To:From:Date:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=loxAYVtblgV1J4SA7DJs4igkEZelT/q7hadCR2guW5o=; b=VWKW3JkP7HNzy9cQLSzqni0XM BjlgQ3PPuDkSNgHwic8ZmXRtufEZeuhC3WcYrn9VqQyywZ2038SJraLAU+x1a/SdADfJZGhtJWzky O4Oq8WGuBpch0whRO9NPa5a2aHXK0ZmmzYWYvWn++aovptdpw3QuOneDmqDvSQTiHwR6NClwPinVn h0R6fupF+1exhk/1MQkuwLJdwp1KreQE81M1amkl3HU46Rv8C9mZ5V2dUX5SzsN16NUNRN3h13h5i nO3F8SYma/FXjglddh9Gjvy8Wr5MiHuwcXTzZLPIaJbF8IvB3fWXTFIm3lJJAcpt/soO7ezVZlVPj zCuEMqNuQ==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1k5U1F-00077c-AS; Tue, 11 Aug 2020 13:08:45 +0000 Received: from jabberwock.ucw.cz ([46.255.230.98]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1k5U1B-00076Q-FE for linux-arm-kernel@lists.infradead.org; Tue, 11 Aug 2020 13:08:42 +0000 Received: by jabberwock.ucw.cz (Postfix, from userid 1017) id C95DF1C0BD8; Tue, 11 Aug 2020 15:08:37 +0200 (CEST) Date: Tue, 11 Aug 2020 15:08:37 +0200 From: Pavel Machek To: "Madhavan T. Venkataraman" Subject: Re: [PATCH v1 0/4] [RFC] Implement Trampoline File Descriptor Message-ID: <20200811130837.hi6wllv6g67j5wds@duo.ucw.cz> References: <20200728131050.24443-1-madvenka@linux.microsoft.com> <20200731180955.GC67415@C02TD0UTHF1T.local> <6236adf7-4bed-534e-0956-fddab4fd96b6@linux.microsoft.com> <20200804143018.GB7440@C02TD0UTHF1T.local> <20200808221748.GA1020@bug> <6cca8eac-f767-b891-dc92-eaa7504a0e8b@linux.microsoft.com> MIME-Version: 1.0 In-Reply-To: <6cca8eac-f767-b891-dc92-eaa7504a0e8b@linux.microsoft.com> User-Agent: NeoMutt/20180716 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20200811_090841_651844_F6FD8021 X-CRM114-Status: GOOD ( 20.78 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Mark Rutland , kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, x86@kernel.org, linux-kernel@vger.kernel.org, oleg@redhat.com, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-arm-kernel@lists.infradead.org Content-Type: multipart/mixed; boundary="===============4673859845530004306==" Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org --===============4673859845530004306== Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="yvr4rtdsyfwruwtq" Content-Disposition: inline --yvr4rtdsyfwruwtq Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi! > >> Thanks for the lively discussion. I have tried to answer some of the > >> comments below. > >=20 > >>> There are options today, e.g. > >>> > >>> a) If the restriction is only per-alias, you can have distinct aliases > >>> where one is writable and another is executable, and you can make = it > >>> hard to find the relationship between the two. > >>> > >>> b) If the restriction is only temporal, you can write instructions in= to > >>> an RW- buffer, transition the buffer to R--, verify the buffer > >>> contents, then transition it to --X. > >>> > >>> c) You can have two processes A and B where A generates instrucitons = into > >>> a buffer that (only) B can execute (where B may be restricted from > >>> making syscalls like write, mprotect, etc). > >> > >> The general principle of the mitigation is W^X. I would argue that > >> the above options are violations of the W^X principle. If they are > >> allowed today, they must be fixed. And they will be. So, we cannot > >> rely on them. > >=20 > > Would you mind describing your threat model? > >=20 > > Because I believe you are using model different from everyone else. > >=20 > > In particular, I don't believe b) is a problem or should be fixed. >=20 > It is a problem because a kernel that implements W^X properly > will not allow it. It has no idea what has been done in userland. > It has no idea that the user has checked and verified the buffer > contents after transitioning the page to R--. No, it is not a problem. W^X is designed to protect from attackers doing buffer overflows, not attackers doing arbitrary syscalls. Best regards, Pavel --=20 (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blo= g.html --yvr4rtdsyfwruwtq Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iF0EARECAB0WIQRPfPO7r0eAhk010v0w5/Bqldv68gUCXzKYVQAKCRAw5/Bqldv6 8ukgAJ9NvrVhKohEnNz0+UYVlo/02QCYaACgiTn7V4hdsKUqG2xCfqc/g1HOnV4= =VFJ2 -----END PGP SIGNATURE----- --yvr4rtdsyfwruwtq-- --===============4673859845530004306== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel --===============4673859845530004306==--