From: Igor Stoppa <igor.stoppa@huawei.com>
To: Boris Lukashev <blukashev@sempervictus.com>
Cc: Christopher Lameter <cl@linux.com>,
Matthew Wilcox <willy@infradead.org>,
Jann Horn <jannh@google.com>, Jerome Glisse <jglisse@redhat.com>,
Kees Cook <keescook@chromium.org>,
Michal Hocko <mhocko@kernel.org>,
Laura Abbott <labbott@redhat.com>,
Christoph Hellwig <hch@infradead.org>,
linux-security-module <linux-security-module@vger.kernel.org>,
Linux-MM <linux-mm@kvack.org>,
kernel list <linux-kernel@vger.kernel.org>,
"Kernel Hardening" <kernel-hardening@lists.openwall.com>
Subject: Re: [kernel-hardening] [PATCH 4/6] Protectable Memory
Date: Sat, 3 Feb 2018 22:32:48 +0200 [thread overview]
Message-ID: <8818bfd4-dd9f-f279-0432-69b59531bd41@huawei.com> (raw)
In-Reply-To: <CAFUG7CfrCpcbwgf5ixMC5EZZgiVVVp1NXhDHK1UoJJcC08R2qQ@mail.gmail.com>
On 03/02/18 22:12, Boris Lukashev wrote:
> Regarding the notion of validated protected memory, is there a method
> by which the resulting checksum could be used in a lookup
> table/function to resolve the location of the protected data?
What I have in mind is a checksum at page/vmap_area level, so there
would be no 1:1 mapping between a specific allocation and the checksum.
An extreme case would be the one where an allocation crosses one or more
page boundaries, while the checksum refers to a (partially) overlapping
memory area.
Code accessing a pool could perform one (relatively expensive)
validation. But still something that would require a more sophisticated
attack, to subvert.
> Effectively a hash table of protected allocations, with a benefit of
> dedup since any data matching the same key would be the same data
> (multiple identical cred structs being pushed around). Should leave
> the resolver address/csum in recent memory to check against, right?
I see where you are trying to land, but I do not see how it would work
without a further intermediate step.
pmalloc dishes out virtual memory addresses, when called.
It doesn't know what the user of the allocation will put in it.
The user, otoh, has the direct address of the memory it got.
What you are suggesting, if I have understood it correctly, is that,
when the pool is protected, the addresses already given out, will become
traps that get resolved through a lookup table that is built based on
the content of each allocation.
That seems to generate a lot of overhead, not to mention the fact that
it might not play very well with the MMU.
If I misunderstood, then I'd need a step by step description of what
happens, because it's not clear to me how else the data would be
accessed if not through the address that was obtained when pmalloc was
invoked.
--
igor
WARNING: multiple messages have this Message-ID (diff)
From: igor.stoppa@huawei.com (Igor Stoppa)
To: linux-security-module@vger.kernel.org
Subject: [kernel-hardening] [PATCH 4/6] Protectable Memory
Date: Sat, 3 Feb 2018 22:32:48 +0200 [thread overview]
Message-ID: <8818bfd4-dd9f-f279-0432-69b59531bd41@huawei.com> (raw)
In-Reply-To: <CAFUG7CfrCpcbwgf5ixMC5EZZgiVVVp1NXhDHK1UoJJcC08R2qQ@mail.gmail.com>
On 03/02/18 22:12, Boris Lukashev wrote:
> Regarding the notion of validated protected memory, is there a method
> by which the resulting checksum could be used in a lookup
> table/function to resolve the location of the protected data?
What I have in mind is a checksum at page/vmap_area level, so there
would be no 1:1 mapping between a specific allocation and the checksum.
An extreme case would be the one where an allocation crosses one or more
page boundaries, while the checksum refers to a (partially) overlapping
memory area.
Code accessing a pool could perform one (relatively expensive)
validation. But still something that would require a more sophisticated
attack, to subvert.
> Effectively a hash table of protected allocations, with a benefit of
> dedup since any data matching the same key would be the same data
> (multiple identical cred structs being pushed around). Should leave
> the resolver address/csum in recent memory to check against, right?
I see where you are trying to land, but I do not see how it would work
without a further intermediate step.
pmalloc dishes out virtual memory addresses, when called.
It doesn't know what the user of the allocation will put in it.
The user, otoh, has the direct address of the memory it got.
What you are suggesting, if I have understood it correctly, is that,
when the pool is protected, the addresses already given out, will become
traps that get resolved through a lookup table that is built based on
the content of each allocation.
That seems to generate a lot of overhead, not to mention the fact that
it might not play very well with the MMU.
If I misunderstood, then I'd need a step by step description of what
happens, because it's not clear to me how else the data would be
accessed if not through the address that was obtained when pmalloc was
invoked.
--
igor
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Igor Stoppa <igor.stoppa@huawei.com>
To: Boris Lukashev <blukashev@sempervictus.com>
Cc: Christopher Lameter <cl@linux.com>,
Matthew Wilcox <willy@infradead.org>,
Jann Horn <jannh@google.com>, Jerome Glisse <jglisse@redhat.com>,
Kees Cook <keescook@chromium.org>,
Michal Hocko <mhocko@kernel.org>,
Laura Abbott <labbott@redhat.com>,
Christoph Hellwig <hch@infradead.org>,
linux-security-module <linux-security-module@vger.kernel.org>,
Linux-MM <linux-mm@kvack.org>,
kernel list <linux-kernel@vger.kernel.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>
Subject: Re: [kernel-hardening] [PATCH 4/6] Protectable Memory
Date: Sat, 3 Feb 2018 22:32:48 +0200 [thread overview]
Message-ID: <8818bfd4-dd9f-f279-0432-69b59531bd41@huawei.com> (raw)
In-Reply-To: <CAFUG7CfrCpcbwgf5ixMC5EZZgiVVVp1NXhDHK1UoJJcC08R2qQ@mail.gmail.com>
On 03/02/18 22:12, Boris Lukashev wrote:
> Regarding the notion of validated protected memory, is there a method
> by which the resulting checksum could be used in a lookup
> table/function to resolve the location of the protected data?
What I have in mind is a checksum at page/vmap_area level, so there
would be no 1:1 mapping between a specific allocation and the checksum.
An extreme case would be the one where an allocation crosses one or more
page boundaries, while the checksum refers to a (partially) overlapping
memory area.
Code accessing a pool could perform one (relatively expensive)
validation. But still something that would require a more sophisticated
attack, to subvert.
> Effectively a hash table of protected allocations, with a benefit of
> dedup since any data matching the same key would be the same data
> (multiple identical cred structs being pushed around). Should leave
> the resolver address/csum in recent memory to check against, right?
I see where you are trying to land, but I do not see how it would work
without a further intermediate step.
pmalloc dishes out virtual memory addresses, when called.
It doesn't know what the user of the allocation will put in it.
The user, otoh, has the direct address of the memory it got.
What you are suggesting, if I have understood it correctly, is that,
when the pool is protected, the addresses already given out, will become
traps that get resolved through a lookup table that is built based on
the content of each allocation.
That seems to generate a lot of overhead, not to mention the fact that
it might not play very well with the MMU.
If I misunderstood, then I'd need a step by step description of what
happens, because it's not clear to me how else the data would be
accessed if not through the address that was obtained when pmalloc was
invoked.
--
igor
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2018-02-03 20:32 UTC|newest]
Thread overview: 171+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-24 17:56 [kernel-hardening] [RFC PATCH v11 0/6] mm: security: ro protection for dynamic data Igor Stoppa
2018-01-24 17:56 ` Igor Stoppa
2018-01-24 17:56 ` Igor Stoppa
2018-01-24 17:56 ` Igor Stoppa
2018-01-24 17:56 ` [kernel-hardening] [PATCH 1/6] genalloc: track beginning of allocations Igor Stoppa
2018-01-24 17:56 ` Igor Stoppa
2018-01-24 17:56 ` Igor Stoppa
2018-01-24 17:56 ` Igor Stoppa
2018-01-24 17:56 ` [kernel-hardening] [PATCH 2/6] genalloc: selftest Igor Stoppa
2018-01-24 17:56 ` Igor Stoppa
2018-01-24 17:56 ` Igor Stoppa
2018-01-24 17:56 ` Igor Stoppa
2018-01-24 17:56 ` [kernel-hardening] [PATCH 3/6] struct page: add field for vm_struct Igor Stoppa
2018-01-24 17:56 ` Igor Stoppa
2018-01-24 17:56 ` Igor Stoppa
2018-01-24 17:56 ` Igor Stoppa
2018-01-24 17:56 ` [kernel-hardening] [PATCH 4/6] Protectable Memory Igor Stoppa
2018-01-24 17:56 ` Igor Stoppa
2018-01-24 17:56 ` Igor Stoppa
2018-01-24 17:56 ` Igor Stoppa
2018-01-24 19:10 ` [kernel-hardening] " Jann Horn
2018-01-24 19:10 ` Jann Horn
2018-01-24 19:10 ` Jann Horn
2018-01-25 11:59 ` Igor Stoppa
2018-01-25 11:59 ` Igor Stoppa
2018-01-25 11:59 ` Igor Stoppa
2018-01-25 11:59 ` Igor Stoppa
2018-01-25 15:14 ` Boris Lukashev
2018-01-25 15:14 ` Boris Lukashev
2018-01-25 15:14 ` Boris Lukashev
2018-01-25 15:38 ` Jerome Glisse
2018-01-25 15:38 ` Jerome Glisse
2018-01-25 15:38 ` Jerome Glisse
2018-01-26 12:28 ` Igor Stoppa
2018-01-26 12:28 ` Igor Stoppa
2018-01-26 12:28 ` Igor Stoppa
2018-01-26 16:36 ` Boris Lukashev
2018-01-26 16:36 ` Boris Lukashev
2018-01-26 16:36 ` Boris Lukashev
2018-01-30 13:46 ` Igor Stoppa
2018-01-30 13:46 ` Igor Stoppa
2018-01-30 13:46 ` Igor Stoppa
2018-01-26 5:35 ` Matthew Wilcox
2018-01-26 5:35 ` Matthew Wilcox
2018-01-26 5:35 ` Matthew Wilcox
2018-01-26 11:46 ` Igor Stoppa
2018-01-26 11:46 ` Igor Stoppa
2018-01-26 11:46 ` Igor Stoppa
2018-01-26 11:46 ` Igor Stoppa
2018-02-02 18:39 ` Christopher Lameter
2018-02-02 18:39 ` Christopher Lameter
2018-02-02 18:39 ` Christopher Lameter
2018-02-03 15:38 ` Igor Stoppa
2018-02-03 15:38 ` Igor Stoppa
2018-02-03 15:38 ` Igor Stoppa
2018-02-03 15:38 ` Igor Stoppa
2018-02-03 19:57 ` Igor Stoppa
2018-02-03 19:57 ` Igor Stoppa
2018-02-03 19:57 ` Igor Stoppa
2018-02-03 19:57 ` Igor Stoppa
2018-02-03 20:12 ` Boris Lukashev
2018-02-03 20:12 ` Boris Lukashev
2018-02-03 20:12 ` Boris Lukashev
2018-02-03 20:32 ` Igor Stoppa [this message]
2018-02-03 20:32 ` Igor Stoppa
2018-02-03 20:32 ` Igor Stoppa
2018-02-03 22:29 ` Boris Lukashev
2018-02-03 22:29 ` Boris Lukashev
2018-02-03 22:29 ` Boris Lukashev
2018-02-04 15:05 ` Igor Stoppa
2018-02-04 15:05 ` Igor Stoppa
2018-02-04 15:05 ` Igor Stoppa
2018-02-12 23:27 ` Kees Cook
2018-02-12 23:27 ` Kees Cook
2018-02-12 23:27 ` Kees Cook
2018-02-13 0:40 ` Laura Abbott
2018-02-13 0:40 ` Laura Abbott
2018-02-13 0:40 ` Laura Abbott
2018-02-13 1:25 ` Kees Cook
2018-02-13 1:25 ` Kees Cook
2018-02-13 1:25 ` Kees Cook
2018-02-13 3:39 ` Jann Horn
2018-02-13 3:39 ` Jann Horn
2018-02-13 3:39 ` Jann Horn
2018-02-13 16:09 ` Laura Abbott
2018-02-13 16:09 ` Laura Abbott
2018-02-13 16:09 ` Laura Abbott
2018-02-13 21:43 ` Kees Cook
2018-02-13 21:43 ` Kees Cook
2018-02-13 21:43 ` Kees Cook
2018-02-14 19:06 ` arm64 physmap (was Re: [kernel-hardening] [PATCH 4/6] Protectable Memory) Laura Abbott
2018-02-14 19:06 ` Laura Abbott
2018-02-14 19:06 ` Laura Abbott
2018-02-14 19:06 ` Laura Abbott
2018-02-14 19:28 ` Ard Biesheuvel
2018-02-14 19:28 ` Ard Biesheuvel
2018-02-14 19:28 ` Ard Biesheuvel
2018-02-14 19:28 ` Ard Biesheuvel
2018-02-14 20:13 ` Laura Abbott
2018-02-14 20:13 ` Laura Abbott
2018-02-14 20:13 ` Laura Abbott
2018-02-14 20:13 ` Laura Abbott
2018-02-14 19:29 ` Kees Cook
2018-02-14 19:29 ` Kees Cook
2018-02-14 19:29 ` Kees Cook
2018-02-14 19:29 ` Kees Cook
2018-02-14 19:35 ` Kees Cook
2018-02-14 19:35 ` Kees Cook
2018-02-14 19:35 ` Kees Cook
2018-02-14 19:35 ` Kees Cook
2018-02-20 16:28 ` Igor Stoppa
2018-02-20 16:28 ` Igor Stoppa
2018-02-20 16:28 ` Igor Stoppa
2018-02-20 16:28 ` Igor Stoppa
2018-02-21 22:22 ` Kees Cook
2018-02-21 22:22 ` Kees Cook
2018-02-21 22:22 ` Kees Cook
2018-02-21 22:22 ` Kees Cook
2018-02-14 19:48 ` Kees Cook
2018-02-14 19:48 ` Kees Cook
2018-02-14 19:48 ` Kees Cook
2018-02-14 19:48 ` Kees Cook
2018-02-14 22:13 ` Tycho Andersen
2018-02-14 22:13 ` Tycho Andersen
2018-02-14 22:13 ` Tycho Andersen
2018-02-14 22:13 ` Tycho Andersen
2018-02-14 22:27 ` Kees Cook
2018-02-14 22:27 ` Kees Cook
2018-02-14 22:27 ` Kees Cook
2018-02-14 22:27 ` Kees Cook
2018-02-13 15:20 ` [kernel-hardening] [PATCH 4/6] Protectable Memory Igor Stoppa
2018-02-13 15:20 ` Igor Stoppa
2018-02-13 15:20 ` Igor Stoppa
2018-02-13 15:20 ` Igor Stoppa
2018-02-13 15:20 ` [kernel-hardening] " Igor Stoppa
[not found] ` <5a83024c.64369d0a.a1e94.cdd6SMTPIN_ADDED_BROKEN@mx.google.com>
2018-02-13 18:10 ` Laura Abbott
2018-02-13 18:10 ` Laura Abbott
2018-02-13 18:10 ` Laura Abbott
2018-02-20 17:16 ` Igor Stoppa
2018-02-20 17:16 ` Igor Stoppa
2018-02-20 17:16 ` Igor Stoppa
2018-02-21 22:37 ` Kees Cook
2018-02-21 22:37 ` Kees Cook
2018-02-21 22:37 ` Kees Cook
2018-02-05 15:40 ` Christopher Lameter
2018-02-05 15:40 ` Christopher Lameter
2018-02-05 15:40 ` Christopher Lameter
2018-02-09 11:17 ` Igor Stoppa
2018-02-09 11:17 ` Igor Stoppa
2018-02-09 11:17 ` Igor Stoppa
2018-02-09 11:17 ` Igor Stoppa
2018-01-26 19:41 ` [kernel-hardening] " Igor Stoppa
2018-01-26 19:41 ` Igor Stoppa
2018-01-26 19:41 ` Igor Stoppa
2018-01-26 19:41 ` Igor Stoppa
2018-01-24 17:56 ` [kernel-hardening] [PATCH 5/6] Documentation for Pmalloc Igor Stoppa
2018-01-24 17:56 ` Igor Stoppa
2018-01-24 17:56 ` Igor Stoppa
2018-01-24 17:56 ` Igor Stoppa
2018-01-24 19:14 ` [kernel-hardening] " Ralph Campbell
2018-01-24 19:14 ` Ralph Campbell
2018-01-24 19:14 ` Ralph Campbell
2018-01-24 19:14 ` Ralph Campbell
2018-01-25 7:53 ` [kernel-hardening] " Igor Stoppa
2018-01-25 7:53 ` Igor Stoppa
2018-01-25 7:53 ` Igor Stoppa
2018-01-25 7:53 ` Igor Stoppa
2018-01-24 17:56 ` [kernel-hardening] [PATCH 6/6] Pmalloc: self-test Igor Stoppa
2018-01-24 17:56 ` Igor Stoppa
2018-01-24 17:56 ` Igor Stoppa
2018-01-24 17:56 ` Igor Stoppa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8818bfd4-dd9f-f279-0432-69b59531bd41@huawei.com \
--to=igor.stoppa@huawei.com \
--cc=blukashev@sempervictus.com \
--cc=cl@linux.com \
--cc=hch@infradead.org \
--cc=jannh@google.com \
--cc=jglisse@redhat.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=labbott@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mhocko@kernel.org \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.