From: "Reshetova, Elena" <elena.reshetova@intel.com>
To: 'Kees Cook' <keescook@chromium.org>,
	Andy Lutomirski <luto@amacapital.net>
Cc: Andy Lutomirski <luto@kernel.org>,
	Josh Poimboeuf <jpoimboe@redhat.com>,
	Jann Horn <jannh@google.com>,
	"Perla, Enrico" <enrico.perla@intel.com>,
	Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
	"Thomas Gleixner" <tglx@linutronix.de>,
	LKML <linux-kernel@vger.kernel.org>,
	"Peter Zijlstra" <peterz@infradead.org>,
	Greg KH <gregkh@linuxfoundation.org>
Subject: RE: [RFC PATCH] x86/entry/64: randomize kernel stack offset upon syscall
Date: Fri, 29 Mar 2019 07:50:05 +0000	[thread overview]
Message-ID: <2236FBA76BA1254E88B949DDB74E612BA4C203E8@IRSMSX102.ger.corp.intel.com> (raw)
In-Reply-To: <CAGXu5jLBP-95aEF2refYimAJ=ea42C_3Ywb+1dZAaVR1rbmP9Q@mail.gmail.com>

> On Thu, Mar 28, 2019 at 9:29 AM Andy Lutomirski <luto@amacapital.net> wrote:
> > Doesn’t this just leak some of the canary to user code through side channels?
> 
> Erf, yes, good point. Let's just use prandom and be done with it.

And here I have some numbers on this. Actually prandom turned out to be pretty
fast, even when called every syscall. See the numbers below:

1) lmbench: ./lat_syscall -N 1000000 null
    base:                                              Simple syscall: 0.1774 microseconds
    random_offset (prandom_u32() every syscall):     Simple syscall: 0.1822 microseconds
    random_offset (prandom_u32() every 4th syscall): Simple syscall: 0.1844 microseconds

2)  Andy's tests, misc-tests: ./timing_test_64 10M sys_enosys
    base:                                              10000000 loops in 1.62224s = 162.22 nsec / loop
    random_offset (prandom_u32() every syscall):     10000000 loops in 1.64660s = 166.26 nsec / loop
    random_offset (prandom_u32() every 4th syscall): 10000000 loops in 3.51315s = 169.30 nsec / loop

The second case is when prandom is called only once in 4 syscalls and the unused random
bits are preserved in a per-cpu buffer. As you can see it is actually slower (modulo my maybe not
so optimized code in prandom, see below) vs. calling it every time, so I would vote for actually calling it every time, saving
on the hassle and also avoiding additional code in prandom.

And below is what I was calling instead of prandom_u32() to preserve random bits
(net_rand_state_buffer is a new per-cpu buffer I added to save random bits).
I didn't include the check for bytes >= sizeof(u32) since this was
just a PoC to test the base speed, but for the generic case it would be needed.

+void prandom_bytes_preserve(void *buf, size_t bytes)
+{
+    u32 *buffer = &get_cpu_var(net_rand_state_buffer);
+    u8 *ptr = buf;
+
+    if (!(*buffer)) {
+        struct rnd_state *state = &get_cpu_var(net_rand_state);
+        if (bytes > 0) {
+            *buffer = prandom_u32_state(state);
+            do {
+                *ptr++ = (u8) *buffer;
+                bytes--;
+                *buffer >>= BITS_PER_BYTE;
+            } while (bytes > 0);
+        }
+        put_cpu_var(net_rand_state);
+        put_cpu_var(net_rand_state_buffer);
+    } else {
+        if (bytes > 0) {
+            do {
+                *ptr++ = (u8) *buffer;
+                bytes--;
+                *buffer >>= BITS_PER_BYTE;
+            } while (bytes > 0);
+        }
+        put_cpu_var(net_rand_state_buffer);
+    }
+}
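Review bot: The `if (!(*buffer))` test treats "buffer value is zero" as "buffer is empty", so whenever the not-yet-consumed high bytes of the stored u32 happen to be all 0x00 they are thrown away and replaced by a fresh prandom_u32_state() draw; the handed-out byte stream therefore under-represents zero bytes, and it costs an extra draw each time. Keep the number of unused bytes in a separate per-cpu counter and refill only when that counter hits zero. With a counter, the two identical do/while drain loops can collapse into one loop that refills from inside it, which also covers the `bytes > sizeof(u32)` case the cover text says is missing: as written, once `*buffer >>= BITS_PER_BYTE` has shifted the word to zero, every remaining byte written to `ptr` is 0x00 rather than random.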

I will send the first version of the patch (calling prandom_u32() every time)
shortly if anyone wants to double check the performance implications.

Best Regards,
Elena.
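An added example, not code from this thread or from the kernel: a userspace C model of the per-cpu leftover-bits buffer discussed in the message above, written with an explicit count of unused bytes instead of a zero test on the buffer. It assumes a small xorshift generator standing in for prandom_u32_state() (the kernel's Tausworthe prandom, its per-cpu state and get_cpu_var()/put_cpu_var() are not modelled), and checks that the cached byte stream equals the generator's direct byte stream, zero bytes included, while counting how many u32 draws a run of one-byte requests costs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the kernel's per-cpu prandom state: a 32-bit xorshift
 * generator constructed for this example. It is NOT the kernel's prandom,
 * only a deterministic source of u32 words. */
struct rnd_state {
	uint32_t s;
};

static uint32_t prandom_u32_state(struct rnd_state *st)
{
	uint32_t x = st->s;

	x ^= x << 13;
	x ^= x >> 17;
	x ^= x << 5;
	st->s = x;
	return x;
}

/* Userspace model of one CPU's leftover buffer. In the kernel this would be
 * per-cpu data accessed under get_cpu_var()/put_cpu_var(); here it is a
 * plain struct so the logic can be exercised stand-alone. */
struct byte_cache {
	struct rnd_state state;
	uint32_t word;		/* random bits not yet handed out */
	unsigned int left;	/* number of unused bytes in 'word' */
	unsigned int draws;	/* prandom_u32_state() calls so far */
};

/* Hand out 'bytes' random bytes, draining leftovers from the previous u32
 * before drawing a new one. The explicit 'left' count replaces a zero test
 * on the buffer, so a leftover byte that is legitimately 0x00 is still
 * emitted, and requests larger than sizeof(u32) refill inside the loop. */
void prandom_bytes_preserve(struct byte_cache *c, void *buf, size_t bytes)
{
	uint8_t *p = buf;

	while (bytes > 0) {
		if (c->left == 0) {
			c->word = prandom_u32_state(&c->state);
			c->left = sizeof(uint32_t);
			c->draws++;
		}
		*p++ = (uint8_t)c->word;
		c->word >>= 8;
		c->left--;
		bytes--;
	}
}

/* Reference stream: the generator's words serialised LSB first, no caching. */
static void reference_bytes(struct rnd_state *st, uint8_t *out, size_t n)
{
	size_t i = 0;

	while (i < n) {
		uint32_t w = prandom_u32_state(st);

		for (int k = 0; k < 4 && i < n; k++, i++)
			out[i] = (uint8_t)(w >> (8 * k));
	}
}

/* Feed a mixed run of request sizes (syscall-style 1-byte requests plus a
 * few multi-word ones) through the cache and compare with the reference
 * stream. Returns 1 when every byte, zero bytes included, matches. */
int cache_matches_reference(uint32_t seed)
{
	struct byte_cache c = { .state = { seed }, .word = 0, .left = 0, .draws = 0 };
	struct rnd_state ref = { seed };
	static const size_t sizes[] = { 1, 1, 1, 1, 3, 7, 2, 9, 1, 5, 33 }; /* sums to 64 */
	uint8_t got[64], want[64];
	size_t off = 0;

	for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
		prandom_bytes_preserve(&c, got + off, sizes[i]);
		off += sizes[i];
	}
	reference_bytes(&ref, want, sizeof(want));
	return off == sizeof(got) && memcmp(got, want, sizeof(got)) == 0;
}

/* How many u32 draws do 'n' one-byte requests cost with the cache in place? */
unsigned int draws_for_one_byte_requests(uint32_t seed, size_t n)
{
	struct byte_cache c = { .state = { seed }, .word = 0, .left = 0, .draws = 0 };
	uint8_t b;

	for (size_t i = 0; i < n; i++)
		prandom_bytes_preserve(&c, &b, 1);
	return c.draws;
}

int main(void)
{
	printf("cache matches reference stream: %s\n",
	       cache_matches_reference(0x2545f491u) ? "yes" : "no");
	printf("u32 draws for 1000 one-byte requests: %u\n",
	       draws_for_one_byte_requests(0x2545f491u, 1000));
	return 0;
}
```

With a counter the cache hands out exactly the generator's byte stream and one u32 covers four one-byte requests, which is the saving the per-4-syscalls variant was after; whether that saving is worth the extra code is the performance question the message answers with its measurements, not something this model decides.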


Thread overview: 22+ messages
2019-03-18  9:41 [RFC PATCH] x86/entry/64: randomize kernel stack offset upon syscall Elena Reshetova
2019-03-18 20:15 ` Andy Lutomirski
2019-03-18 21:07   ` Kees Cook
2019-03-26 10:35     ` Reshetova, Elena
2019-03-27  4:31       ` Andy Lutomirski
2019-03-28 15:45         ` Kees Cook
2019-03-28 16:29           ` Andy Lutomirski
2019-03-28 16:47             ` Kees Cook
2019-03-29  7:50               ` Reshetova, Elena [this message]
2019-03-18 23:31   ` Josh Poimboeuf
2019-03-20 12:10     ` Reshetova, Elena
2019-03-20 11:12   ` David Laight
2019-03-20 14:51     ` Andy Lutomirski
2019-03-20 12:04   ` Reshetova, Elena
2019-03-20  7:27 Elena Reshetova
2019-03-20  7:29 ` Reshetova, Elena
2019-03-29  8:13 Elena Reshetova
2019-04-03 21:17 ` Kees Cook
2019-04-04 11:41   ` Reshetova, Elena
2019-04-04 17:03     ` Kees Cook
2019-04-05 10:14       ` Reshetova, Elena
2019-04-05 13:14         ` Andy Lutomirski
