Subject: Re: [PATCH v2 0/4] [RFC] Implement Trampoline File Descriptor
From: "Madhavan T. Venkataraman"
To: Pavel Machek
Cc: kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-fsdevel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, oleg@redhat.com, x86@kernel.org, luto@kernel.org, David.Laight@ACULAB.COM, fweimer@redhat.com, mark.rutland@arm.com, mic@digikod.net
Date: Wed, 23 Sep 2020 13:32:38 -0500
Message-ID: <8daf09c0-1651-143b-c57c-433c850605c3@linux.microsoft.com>
In-Reply-To: <20200923081426.GA30279@amd>
References: <210d7cd762d5307c2aa1676705b392bd445f1baa> <20200922215326.4603-1-madvenka@linux.microsoft.com> <20200923081426.GA30279@amd>

...

>> The W^X implementation today is not complete. There exist many user level
>> tricks that can be used to load and execute dynamic code. E.g.,
>>
>> - Load the code into a file and map the file with R-X.
>>
>> - Load the code in an RW- page. Change the permissions to R--. Then,
>> change the permissions to R-X.
>>
>> - Load the code in an RW- page. Remap the page with R-X to get a separate
>> mapping to the same underlying physical page.
>>
>> IMO, these are all security holes as an attacker can exploit them to inject
>> his own code.
>
> IMO, you are smoking crack^H^H very seriously misunderstanding what
> W^X is supposed to protect from.
>
> W^X is not supposed to protect you from attackers that can already do
> system calls. So loading code into a file then mapping the file as R-X
> is in no way a security hole in W^X.
>
> If you want to provide protection from attackers that _can_ do system
> calls, fine, but please don't talk about W^X and please specify what
> types of attacks you want to prevent and why that's a good thing.
>

There are two things here - the idea behind W^X and the current realization
of that idea in actual implementation.

The idea behind W^X, as I understand, is to prevent a user from loading
arbitrary code into a page and getting it to execute. If the user code
contains a vulnerability, an attacker can exploit it to potentially inject
his own code and get it to execute. This cannot be denied.

From that perspective, all of the above tricks I have mentioned are tricks
that user code can use to load arbitrary code into a page and get it to
execute.

Now, I don't want the discussion to be stuck in a mere name. If what I am
suggesting needs a name other than "W^X" in the opinion of the reviewers,
that is fine with me. But I don't believe there is any disagreement that the
above user tricks are security holes.

Madhavan
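An added example, not code from the thread or from the patch series: a point-in-time W^X audit over constructed /proc/<pid>/maps-style lines. It shows that the "RW-, then R--, then R-X" sequence quoted above never presents a W+X mapping to such a check, which is why inspecting current permissions alone does not close the hole the thread is about.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the thread: a point-in-time W^X audit over
 * /proc/<pid>/maps-style lines. All sample lines below are constructed. */

/* The permission field of a maps line looks like "rwxp". Return 1 if the
 * mapping is writable and executable at the same time. */
int is_wx(const char *perms)
{
    return strchr(perms, 'w') != NULL && strchr(perms, 'x') != NULL;
}

/* Count W+X mappings in a maps dump (one "lo-hi perms ..." line each). */
int count_wx(const char *maps)
{
    int n = 0;
    const char *p = maps;

    while (*p) {
        unsigned long lo, hi;
        char perms[8] = { 0 };

        if (sscanf(p, "%lx-%lx %7s", &lo, &hi, perms) == 3 && is_wx(perms))
            n++;
        p = strchr(p, '\n');
        if (!p)
            break;
        p++;
    }
    return n;
}

/* Snapshots of one page across the "RW-, then R--, then R-X" sequence from
 * the thread. No snapshot ever shows a W+X mapping, so a check that only
 * inspects current permissions passes at every step even though bytes
 * written by the process end up executable. */
const char *const STEP_RW = "7f0000000000-7f0000001000 rw-p 00000000 00:00 0\n";
const char *const STEP_RO = "7f0000000000-7f0000001000 r--p 00000000 00:00 0\n";
const char *const STEP_RX = "7f0000000000-7f0000001000 r-xp 00000000 00:00 0\n";
/* A plain W+X mapping, which the same check does flag. */
const char *const NAIVE_WX = "7f0000002000-7f0000003000 rwxp 00000000 00:00 0\n";

int main(void)
{
    printf("rw-/r--/r-x snapshots flagged: %d %d %d\n",
           count_wx(STEP_RW), count_wx(STEP_RO), count_wx(STEP_RX));
    printf("rwx mapping flagged: %d\n", count_wx(NAIVE_WX));
    return 0;
}
```

Catching the sequence rather than the snapshot needs state across mprotect/mmap calls (the kind of tracking the thread argues for), not a richer permission parser.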