From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751883AbdDHHde (ORCPT ); Sat, 8 Apr 2017 03:33:34 -0400 Received: from mail-yw0-f193.google.com ([209.85.161.193]:33869 "EHLO mail-yw0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751154AbdDHHd3 (ORCPT ); Sat, 8 Apr 2017 03:33:29 -0400 MIME-Version: 1.0 In-Reply-To: References: <1490811363-93944-1-git-send-email-keescook@chromium.org> <1490811363-93944-5-git-send-email-keescook@chromium.org> From: Daniel Micay Date: Sat, 8 Apr 2017 03:33:27 -0400 Message-ID: Subject: Re: [kernel-hardening] Re: [RFC v2][PATCH 04/11] x86: Implement __arch_rare_write_begin/unmap() To: Andy Lutomirski Cc: Mathias Krause , Thomas Gleixner , Kees Cook , "kernel-hardening@lists.openwall.com" , Mark Rutland , Hoeun Ryu , PaX Team , Emese Revfy , Russell King , X86 ML , "linux-kernel@vger.kernel.org" , "linux-arm-kernel@lists.infradead.org" , Peter Zijlstra Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > grsecurity and PaX are great projects. They have a lot of good ideas, > and they're put together quite nicely. The upstream kernel should > *not* do things differently from they way they are in grsecurity/PaX > just because it wants to be different. Conversely, the upstream > kernel should not do things the same way as PaX just to be more like > PaX. > > Keep in mind that the upstream kernel and grsecurity/PaX operate under > different constraints. The upstream kernel tries to keep itself clean > and to make tree-wide updates rather that keeping compatibility stuff > around. PaX and grsecurity presumably want to retain some degree of > simplicity when porting to newer upstream versions. > > In the context of virtually mapped stacks / KSTACKOVERFLOW, this > naturally leads to different solutions. The upstream kernel had a > bunch of buggy drivers that played badly with virtually mapped stacks. > grsecurity sensibly went for the approach where the buggy drivers kept > working. The upstream kernel went for the approach of fixing the > drivers rather than keeping a compatibility workaround. Different > constraints, different solutions. Sure, but nothing is currently landed right now and the PaX implementation is a known quantity with a lot of testing. The submitted code is aimed at rare writes to globals, but this feature is more than that and design decisions shouldn't be based on just the short term. Kees is sensibly landing features by submitting them a little bit at a time, but a negative side effect of that is too much focus on just the initial proposed usage. As a downstream that's going to be making heavy use of mainline security features as a base due to PaX and grsecurity becoming commercial only private patches (*because* of upstream and the companies involved), I hope things go in the right direction i.e. not weaker/slower implementations than PaX. For example, while USERCOPY isn't entirely landed upstream (missing slab whitelisting and user offset/size), it's the base for the full feature and is going to get more testing. On the other hand, refcount_t and the slab/page sanitization work is 100% useless if you're willing to incorporate the changes to do it without needless performance loss and complexity. PAN emulation on 64-bit ARM was fresh ground while on ARMv7 a weaker implementation was used for no better reason than clashing egos. The upstream virtual mapped stacks will probably be perfectly good, but I just find it to be such a waste of time and effort to reinvent it and retread the same ground in terms of finding the bugs. I actually care a lot more about 64-bit ARM support than I do x86, but using a portable API for pax_open_kernel (for the simple uses at least) is separate from choosing the underlying implementation. There might not be a great way to do it on the architectures I care about but that doesn't need to hinder x86. It's really not that much code... A weaker/slower implementation for x86 also encourages the same elsewhere. > In the case of rare writes or pax_open_kernel [1] or whatever we want > to call it, CR3 would work without arch-specific code, and CR0 would > not. That's an argument for CR3 that would need to be countered by > something. (Sure, avoiding leaks either way might need arch changes. > OTOH, a *randomized* CR3-based approach might not have as much of a > leak issue to begin with.) By randomized do you mean just ASLR? Even if the window of opportunity to exploit it is small, it's really not the same and this has a lot more use than just rare writes to small global variables. I wouldn't consider stack ASLR to be a replacement for making them readable/writable only by the current thread either (required for race-free return CFI on x86, at least without not using actual returns). > [1] Contrary to popular belief, I don't sit around reading grsecurity > code or config options, so I really don't know what this thing is > called. Lots of the features aren't actually named. Maybe this could be considered part of KERNEXEC but I don't think it is. From mboxrd@z Thu Jan 1 00:00:00 1970 From: danielmicay@gmail.com (Daniel Micay) Date: Sat, 8 Apr 2017 03:33:27 -0400 Subject: [kernel-hardening] Re: [RFC v2][PATCH 04/11] x86: Implement __arch_rare_write_begin/unmap() In-Reply-To: References: <1490811363-93944-1-git-send-email-keescook@chromium.org> <1490811363-93944-5-git-send-email-keescook@chromium.org> Message-ID: To: linux-arm-kernel@lists.infradead.org List-Id: linux-arm-kernel.lists.infradead.org > grsecurity and PaX are great projects. They have a lot of good ideas, > and they're put together quite nicely. The upstream kernel should > *not* do things differently from they way they are in grsecurity/PaX > just because it wants to be different. Conversely, the upstream > kernel should not do things the same way as PaX just to be more like > PaX. > > Keep in mind that the upstream kernel and grsecurity/PaX operate under > different constraints. The upstream kernel tries to keep itself clean > and to make tree-wide updates rather that keeping compatibility stuff > around. PaX and grsecurity presumably want to retain some degree of > simplicity when porting to newer upstream versions. > > In the context of virtually mapped stacks / KSTACKOVERFLOW, this > naturally leads to different solutions. The upstream kernel had a > bunch of buggy drivers that played badly with virtually mapped stacks. > grsecurity sensibly went for the approach where the buggy drivers kept > working. The upstream kernel went for the approach of fixing the > drivers rather than keeping a compatibility workaround. Different > constraints, different solutions. Sure, but nothing is currently landed right now and the PaX implementation is a known quantity with a lot of testing. The submitted code is aimed at rare writes to globals, but this feature is more than that and design decisions shouldn't be based on just the short term. Kees is sensibly landing features by submitting them a little bit at a time, but a negative side effect of that is too much focus on just the initial proposed usage. As a downstream that's going to be making heavy use of mainline security features as a base due to PaX and grsecurity becoming commercial only private patches (*because* of upstream and the companies involved), I hope things go in the right direction i.e. not weaker/slower implementations than PaX. For example, while USERCOPY isn't entirely landed upstream (missing slab whitelisting and user offset/size), it's the base for the full feature and is going to get more testing. On the other hand, refcount_t and the slab/page sanitization work is 100% useless if you're willing to incorporate the changes to do it without needless performance loss and complexity. PAN emulation on 64-bit ARM was fresh ground while on ARMv7 a weaker implementation was used for no better reason than clashing egos. The upstream virtual mapped stacks will probably be perfectly good, but I just find it to be such a waste of time and effort to reinvent it and retread the same ground in terms of finding the bugs. I actually care a lot more about 64-bit ARM support than I do x86, but using a portable API for pax_open_kernel (for the simple uses at least) is separate from choosing the underlying implementation. There might not be a great way to do it on the architectures I care about but that doesn't need to hinder x86. It's really not that much code... A weaker/slower implementation for x86 also encourages the same elsewhere. > In the case of rare writes or pax_open_kernel [1] or whatever we want > to call it, CR3 would work without arch-specific code, and CR0 would > not. That's an argument for CR3 that would need to be countered by > something. (Sure, avoiding leaks either way might need arch changes. > OTOH, a *randomized* CR3-based approach might not have as much of a > leak issue to begin with.) By randomized do you mean just ASLR? Even if the window of opportunity to exploit it is small, it's really not the same and this has a lot more use than just rare writes to small global variables. I wouldn't consider stack ASLR to be a replacement for making them readable/writable only by the current thread either (required for race-free return CFI on x86, at least without not using actual returns). > [1] Contrary to popular belief, I don't sit around reading grsecurity > code or config options, so I really don't know what this thing is > called. Lots of the features aren't actually named. Maybe this could be considered part of KERNEXEC but I don't think it is. From mboxrd@z Thu Jan 1 00:00:00 1970 MIME-Version: 1.0 In-Reply-To: References: <1490811363-93944-1-git-send-email-keescook@chromium.org> <1490811363-93944-5-git-send-email-keescook@chromium.org> From: Daniel Micay Date: Sat, 8 Apr 2017 03:33:27 -0400 Message-ID: Content-Type: text/plain; charset=UTF-8 Subject: Re: [kernel-hardening] Re: [RFC v2][PATCH 04/11] x86: Implement __arch_rare_write_begin/unmap() To: Andy Lutomirski Cc: Mathias Krause , Thomas Gleixner , Kees Cook , "kernel-hardening@lists.openwall.com" , Mark Rutland , Hoeun Ryu , PaX Team , Emese Revfy , Russell King , X86 ML , "linux-kernel@vger.kernel.org" , "linux-arm-kernel@lists.infradead.org" , Peter Zijlstra List-ID: > grsecurity and PaX are great projects. They have a lot of good ideas, > and they're put together quite nicely. The upstream kernel should > *not* do things differently from they way they are in grsecurity/PaX > just because it wants to be different. Conversely, the upstream > kernel should not do things the same way as PaX just to be more like > PaX. > > Keep in mind that the upstream kernel and grsecurity/PaX operate under > different constraints. The upstream kernel tries to keep itself clean > and to make tree-wide updates rather that keeping compatibility stuff > around. PaX and grsecurity presumably want to retain some degree of > simplicity when porting to newer upstream versions. > > In the context of virtually mapped stacks / KSTACKOVERFLOW, this > naturally leads to different solutions. The upstream kernel had a > bunch of buggy drivers that played badly with virtually mapped stacks. > grsecurity sensibly went for the approach where the buggy drivers kept > working. The upstream kernel went for the approach of fixing the > drivers rather than keeping a compatibility workaround. Different > constraints, different solutions. Sure, but nothing is currently landed right now and the PaX implementation is a known quantity with a lot of testing. The submitted code is aimed at rare writes to globals, but this feature is more than that and design decisions shouldn't be based on just the short term. Kees is sensibly landing features by submitting them a little bit at a time, but a negative side effect of that is too much focus on just the initial proposed usage. As a downstream that's going to be making heavy use of mainline security features as a base due to PaX and grsecurity becoming commercial only private patches (*because* of upstream and the companies involved), I hope things go in the right direction i.e. not weaker/slower implementations than PaX. For example, while USERCOPY isn't entirely landed upstream (missing slab whitelisting and user offset/size), it's the base for the full feature and is going to get more testing. On the other hand, refcount_t and the slab/page sanitization work is 100% useless if you're willing to incorporate the changes to do it without needless performance loss and complexity. PAN emulation on 64-bit ARM was fresh ground while on ARMv7 a weaker implementation was used for no better reason than clashing egos. The upstream virtual mapped stacks will probably be perfectly good, but I just find it to be such a waste of time and effort to reinvent it and retread the same ground in terms of finding the bugs. I actually care a lot more about 64-bit ARM support than I do x86, but using a portable API for pax_open_kernel (for the simple uses at least) is separate from choosing the underlying implementation. There might not be a great way to do it on the architectures I care about but that doesn't need to hinder x86. It's really not that much code... A weaker/slower implementation for x86 also encourages the same elsewhere. > In the case of rare writes or pax_open_kernel [1] or whatever we want > to call it, CR3 would work without arch-specific code, and CR0 would > not. That's an argument for CR3 that would need to be countered by > something. (Sure, avoiding leaks either way might need arch changes. > OTOH, a *randomized* CR3-based approach might not have as much of a > leak issue to begin with.) By randomized do you mean just ASLR? Even if the window of opportunity to exploit it is small, it's really not the same and this has a lot more use than just rare writes to small global variables. I wouldn't consider stack ASLR to be a replacement for making them readable/writable only by the current thread either (required for race-free return CFI on x86, at least without not using actual returns). > [1] Contrary to popular belief, I don't sit around reading grsecurity > code or config options, so I really don't know what this thing is > called. Lots of the features aren't actually named. Maybe this could be considered part of KERNEXEC but I don't think it is.