[kernel-hardening] Getting started

[kernel-hardening] Getting started

[Eddie Kovsky]

Hi

I'm interested in helping out with this project.

I have a few small patches in the kernel. I just finished the Eudyptula
Challenge and I'm looking for places where I can continue to contribute.

I've been reading the list for several months now. I think I have a general
understanding of the development process. Is there a specific TODO item I
could start off with?

Eddie

Re: [kernel-hardening] Getting started

[Vaishali Thakkar]

On Monday 30 January 2017 12:13 AM, Eddie Kovsky wrote:
> Hi

Hi,

> I'm interested in helping out with this project.
>
> I have a few small patches in the kernel. I just finished the Eudyptula
> Challenge and I'm looking for places where I can continue to contribute.
>
> I've been reading the list for several months now. I think I have a general
> understanding of the development process. Is there a specific TODO item I
> could start off with?

Here, is one TODO list:

https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project

Although I think few people are already working on some of these things.
May be you can also check the archives of a mailing list.

> Eddie
>

Re: [kernel-hardening] Getting started

[Kees Cook]

On Mon, Jan 30, 2017 at 5:41 AM, Vaishali Thakkar
<vaishali.thakkar@oracle.com> wrote:
> On Monday 30 January 2017 12:13 AM, Eddie Kovsky wrote:
>>
>> Hi
>
>
> Hi,
>
>> I'm interested in helping out with this project.
>>
>> I have a few small patches in the kernel. I just finished the Eudyptula
>> Challenge and I'm looking for places where I can continue to contribute.

Hi! Welcome to the list. :)

>> I've been reading the list for several months now. I think I have a
>> general
>> understanding of the development process. Is there a specific TODO item I
>> could start off with?

What areas of the kernel are you the most familiar with, and/or what
things are you interested in working on? That could help me tailor
some suggestions.

> Here, is one TODO list:
>
> https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
>
> Although I think few people are already working on some of these things.
> May be you can also check the archives of a mailing list.

The list is a bit terse (it's mostly been a brain dump as things come
up), but yeah, if you see something there and want to know more, just
ask. I'm happy to expand on any of them.

Thanks!

-Kees

-- 
Kees Cook
Pixel Security

Re: [kernel-hardening] Getting started

[Eddie Kovsky]

On 01/30/17, Kees Cook wrote:
> On Mon, Jan 30, 2017 at 5:41 AM, Vaishali Thakkar
> <vaishali.thakkar@oracle.com> wrote:
> > On Monday 30 January 2017 12:13 AM, Eddie Kovsky wrote:
> >
> >> I'm interested in helping out with this project.
> >>
> >> I have a few small patches in the kernel. I just finished the Eudyptula
> >> Challenge and I'm looking for places where I can continue to contribute.
> 
> Hi! Welcome to the list. :)
> 
> >> I've been reading the list for several months now. I think I have a
> >> general
> >> understanding of the development process. Is there a specific TODO item I
> >> could start off with?
> 
> What areas of the kernel are you the most familiar with, and/or what
> things are you interested in working on? That could help me tailor
> some suggestions.
> 
> > Here, is one TODO list:
> >
> > https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
> >
> > Although I think few people are already working on some of these things.
> > May be you can also check the archives of a mailing list.
> 
> The list is a bit terse (it's mostly been a brain dump as things come
> up), but yeah, if you see something there and want to know more, just
> ask. I'm happy to expand on any of them.
> 

I noticed there's been some activity recently with HARDENED_USERCOPY.
And I looked over how mm/usercopy.c was merged in from the grsecurity
patch. I'm curious about this TODO item:

     Identify and extend HARDENED_USERCOPY to other usercopy functions
     (e.g. maybe csum_partial_copy_from_user, csum_and_copy_from_user,
     csum_and_copy_to_user, csum_partial_copy_nocheck?)

It doesn't look like anyone is working on this task right now. But it's not
obvious (to me) what needs to happen to make progress with this. Would this
be a good task to start off with?

Thanks

Eddie

> Thanks!
> 
> -Kees
> 
> -- 
> Kees Cook
> Pixel Security

Re: [kernel-hardening] Getting started

[Vaishali Thakkar]

On Friday 03 February 2017 08:41 AM, Eddie Kovsky wrote:
> On 01/30/17, Kees Cook wrote:
>> On Mon, Jan 30, 2017 at 5:41 AM, Vaishali Thakkar
>> <vaishali.thakkar@oracle.com> wrote:
>>> On Monday 30 January 2017 12:13 AM, Eddie Kovsky wrote:
>>>
>>>> I'm interested in helping out with this project.
>>>>
>>>> I have a few small patches in the kernel. I just finished the Eudyptula
>>>> Challenge and I'm looking for places where I can continue to contribute.
>>
>> Hi! Welcome to the list. :)
>>
>>>> I've been reading the list for several months now. I think I have a
>>>> general
>>>> understanding of the development process. Is there a specific TODO item I
>>>> could start off with?
>>
>> What areas of the kernel are you the most familiar with, and/or what
>> things are you interested in working on? That could help me tailor
>> some suggestions.
>>
>>> Here, is one TODO list:
>>>
>>> https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
>>>
>>> Although I think few people are already working on some of these things.
>>> May be you can also check the archives of a mailing list.
>>
>> The list is a bit terse (it's mostly been a brain dump as things come
>> up), but yeah, if you see something there and want to know more, just
>> ask. I'm happy to expand on any of them.
>>
>
> I noticed there's been some activity recently with HARDENED_USERCOPY.
> And I looked over how mm/usercopy.c was merged in from the grsecurity
> patch. I'm curious about this TODO item:
>
>      Identify and extend HARDENED_USERCOPY to other usercopy functions
>      (e.g. maybe csum_partial_copy_from_user, csum_and_copy_from_user,
>      csum_and_copy_to_user, csum_partial_copy_nocheck?)
>
> It doesn't look like anyone is working on this task right now. But it's not
> obvious (to me) what needs to happen to make progress with this. Would this
> be a good task to start off with?

Hi,

You may want to read this thread:
https://patchwork.kernel.org/patch/9409557/

Kees, may be we should remove this item from the TODO list?

> Thanks
>
> Eddie
>
>> Thanks!
>>
>> -Kees
>>
>> --
>> Kees Cook
>> Pixel Security

Re: [kernel-hardening] Getting started

[Kees Cook]

On Thu, Feb 2, 2017 at 8:28 PM, Vaishali Thakkar
<vaishali.thakkar@oracle.com> wrote:
> On Friday 03 February 2017 08:41 AM, Eddie Kovsky wrote:
>>
>> On 01/30/17, Kees Cook wrote:
>>>
>>> On Mon, Jan 30, 2017 at 5:41 AM, Vaishali Thakkar
>>> <vaishali.thakkar@oracle.com> wrote:
>>>>
>>>> On Monday 30 January 2017 12:13 AM, Eddie Kovsky wrote:
>>>>
>>>>> I'm interested in helping out with this project.
>>>>>
>>>>> I have a few small patches in the kernel. I just finished the Eudyptula
>>>>> Challenge and I'm looking for places where I can continue to
>>>>> contribute.
>>>
>>>
>>> Hi! Welcome to the list. :)
>>>
>>>>> I've been reading the list for several months now. I think I have a
>>>>> general
>>>>> understanding of the development process. Is there a specific TODO item
>>>>> I
>>>>> could start off with?
>>>
>>>
>>> What areas of the kernel are you the most familiar with, and/or what
>>> things are you interested in working on? That could help me tailor
>>> some suggestions.
>>>
>>>> Here, is one TODO list:
>>>>
>>>> https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
>>>>
>>>> Although I think few people are already working on some of these things.
>>>> May be you can also check the archives of a mailing list.
>>>
>>>
>>> The list is a bit terse (it's mostly been a brain dump as things come
>>> up), but yeah, if you see something there and want to know more, just
>>> ask. I'm happy to expand on any of them.
>>>
>>
>> I noticed there's been some activity recently with HARDENED_USERCOPY.
>> And I looked over how mm/usercopy.c was merged in from the grsecurity
>> patch. I'm curious about this TODO item:
>>
>>      Identify and extend HARDENED_USERCOPY to other usercopy functions
>>      (e.g. maybe csum_partial_copy_from_user, csum_and_copy_from_user,
>>      csum_and_copy_to_user, csum_partial_copy_nocheck?)
>>
>> It doesn't look like anyone is working on this task right now. But it's
>> not
>> obvious (to me) what needs to happen to make progress with this. Would
>> this
>> be a good task to start off with?
>
>
> Hi,
>
> You may want to read this thread:
> https://patchwork.kernel.org/patch/9409557/
>
> Kees, may be we should remove this item from the TODO list?

Hm, yeah, or rename it to "find any other APIs that look like
copy_to/from_user()". I think Mark already looked through these. Were
there any remaining?

As for a thing to work about how about this:
- provide mechanism to check for ro_after_init memory areas, and
reject structures not marked ro_after_init in vmbus_register()

The idea here would be to provide a mechanism functions can call to
verify that their arguments are const or ro_after_init. I think it'd
look a lot like the stuff in kernel/extable.c like
kernel_text_address(), but it'd need to ask "is this variable in the
rodata section? (Which is complicated by dealing with module rodata
sections.)

Then vmbus_register() could be modified to require that its arguments
are const or ro_after_init.

-Kees

-- 
Kees Cook
Pixel Security

Re: [kernel-hardening] Getting started

[Vaishali Thakkar]

On Saturday 04 February 2017 05:43 AM, Kees Cook wrote:
> On Thu, Feb 2, 2017 at 8:28 PM, Vaishali Thakkar
> <vaishali.thakkar@oracle.com> wrote:
>> On Friday 03 February 2017 08:41 AM, Eddie Kovsky wrote:
>>>
>>> On 01/30/17, Kees Cook wrote:
>>>>
>>>> On Mon, Jan 30, 2017 at 5:41 AM, Vaishali Thakkar
>>>> <vaishali.thakkar@oracle.com> wrote:
>>>>>
>>>>> On Monday 30 January 2017 12:13 AM, Eddie Kovsky wrote:
>>>>>
>>>>>> I'm interested in helping out with this project.
>>>>>>
>>>>>> I have a few small patches in the kernel. I just finished the Eudyptula
>>>>>> Challenge and I'm looking for places where I can continue to
>>>>>> contribute.
>>>>
>>>>
>>>> Hi! Welcome to the list. :)
>>>>
>>>>>> I've been reading the list for several months now. I think I have a
>>>>>> general
>>>>>> understanding of the development process. Is there a specific TODO item
>>>>>> I
>>>>>> could start off with?
>>>>
>>>>
>>>> What areas of the kernel are you the most familiar with, and/or what
>>>> things are you interested in working on? That could help me tailor
>>>> some suggestions.
>>>>
>>>>> Here, is one TODO list:
>>>>>
>>>>> https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
>>>>>
>>>>> Although I think few people are already working on some of these things.
>>>>> May be you can also check the archives of a mailing list.
>>>>
>>>>
>>>> The list is a bit terse (it's mostly been a brain dump as things come
>>>> up), but yeah, if you see something there and want to know more, just
>>>> ask. I'm happy to expand on any of them.
>>>>
>>>
>>> I noticed there's been some activity recently with HARDENED_USERCOPY.
>>> And I looked over how mm/usercopy.c was merged in from the grsecurity
>>> patch. I'm curious about this TODO item:
>>>
>>>      Identify and extend HARDENED_USERCOPY to other usercopy functions
>>>      (e.g. maybe csum_partial_copy_from_user, csum_and_copy_from_user,
>>>      csum_and_copy_to_user, csum_partial_copy_nocheck?)
>>>
>>> It doesn't look like anyone is working on this task right now. But it's
>>> not
>>> obvious (to me) what needs to happen to make progress with this. Would
>>> this
>>> be a good task to start off with?
>>
>>
>> Hi,
>>
>> You may want to read this thread:
>> https://patchwork.kernel.org/patch/9409557/
>>
>> Kees, may be we should remove this item from the TODO list?
>
> Hm, yeah, or rename it to "find any other APIs that look like
> copy_to/from_user()". I think Mark already looked through these. Were
> there any remaining?

AFAIK, no. May be get_user, put_user. But I guess it makes sense to
change them after uaccess unification work.

Previously I found few API functions but they were eventually calling
copy_from_user.

> As for a thing to work about how about this:
> - provide mechanism to check for ro_after_init memory areas, and
> reject structures not marked ro_after_init in vmbus_register()
>
> The idea here would be to provide a mechanism functions can call to
> verify that their arguments are const or ro_after_init. I think it'd
> look a lot like the stuff in kernel/extable.c like
> kernel_text_address(), but it'd need to ask "is this variable in the
> rodata section? (Which is complicated by dealing with module rodata
> sections.)
>
> Then vmbus_register() could be modified to require that its arguments
> are const or ro_after_init.
>
> -Kees
>

Re: [kernel-hardening] Getting started

[Djalal Harouni]

On Mon, Jan 30, 2017 at 10:44 PM, Kees Cook <keescook@chromium.org> wrote:
> On Mon, Jan 30, 2017 at 5:41 AM, Vaishali Thakkar
> <vaishali.thakkar@oracle.com> wrote:
>> On Monday 30 January 2017 12:13 AM, Eddie Kovsky wrote:
>>>
>>> Hi
>>
>>
>> Hi,
>>
>>> I'm interested in helping out with this project.
>>>
>>> I have a few small patches in the kernel. I just finished the Eudyptula
>>> Challenge and I'm looking for places where I can continue to contribute.
>
> Hi! Welcome to the list. :)
>
>>> I've been reading the list for several months now. I think I have a
>>> general
>>> understanding of the development process. Is there a specific TODO item I
>>> could start off with?
>
> What areas of the kernel are you the most familiar with, and/or what
> things are you interested in working on? That could help me tailor
> some suggestions.
>
>> Here, is one TODO list:
>>
>> https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
>>
>> Although I think few people are already working on some of these things.
>> May be you can also check the archives of a mailing list.
>
> The list is a bit terse (it's mostly been a brain dump as things come
> up), but yeah, if you see something there and want to know more, just
> ask. I'm happy to expand on any of them.

In that context, could you please Kees update the kernsec.org wiki
about GRKERNSEC_MODHARDEN and Timgad module [1] (name may change...),
the proposed solution supports both a global sysctl and a per
processes/container settings.

Thank you!

[1] http://www.openwall.com/lists/kernel-hardening/2017/02/02/21

-- 
tixxdz

Re: [kernel-hardening] Getting started

[Kees Cook]

On Wed, Feb 8, 2017 at 11:06 PM, Djalal Harouni <tixxdz@gmail.com> wrote:
> On Mon, Jan 30, 2017 at 10:44 PM, Kees Cook <keescook@chromium.org> wrote:
>> On Mon, Jan 30, 2017 at 5:41 AM, Vaishali Thakkar
>> <vaishali.thakkar@oracle.com> wrote:
>>> On Monday 30 January 2017 12:13 AM, Eddie Kovsky wrote:
>>>>
>>>> Hi
>>>
>>>
>>> Hi,
>>>
>>>> I'm interested in helping out with this project.
>>>>
>>>> I have a few small patches in the kernel. I just finished the Eudyptula
>>>> Challenge and I'm looking for places where I can continue to contribute.
>>
>> Hi! Welcome to the list. :)
>>
>>>> I've been reading the list for several months now. I think I have a
>>>> general
>>>> understanding of the development process. Is there a specific TODO item I
>>>> could start off with?
>>
>> What areas of the kernel are you the most familiar with, and/or what
>> things are you interested in working on? That could help me tailor
>> some suggestions.
>>
>>> Here, is one TODO list:
>>>
>>> https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
>>>
>>> Although I think few people are already working on some of these things.
>>> May be you can also check the archives of a mailing list.
>>
>> The list is a bit terse (it's mostly been a brain dump as things come
>> up), but yeah, if you see something there and want to know more, just
>> ask. I'm happy to expand on any of them.
>
> In that context, could you please Kees update the kernsec.org wiki
> about GRKERNSEC_MODHARDEN and Timgad module [1] (name may change...),
> the proposed solution supports both a global sysctl and a per
> processes/container settings.
>
> Thank you!
>
> [1] http://www.openwall.com/lists/kernel-hardening/2017/02/02/21

Sure! I added it to the TODO items list, since it doesn't overlap well
with the existing Bug/Exploit categories.

Thanks!

-Kees

-- 
Kees Cook
Pixel Security