From: Kees Cook <keescook@chromium.org>
To: Colin Vidal <colin@cvidal.org>, Andy Lutomirski <luto@kernel.org>
Cc: "kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>
Subject: Re: [kernel-hardening] self introduction
Date: Mon, 10 Oct 2016 13:57:29 -0700 [thread overview]
Message-ID: <CAGXu5jK9ZNr+AbVxfAns7PGEiw9NQ5zOp_EG_9dG7i+oeYwyCg@mail.gmail.com> (raw)
In-Reply-To: <1476016472.2329.38.camel@cvidal.org>
On Sun, Oct 9, 2016 at 5:34 AM, Colin Vidal <colin@cvidal.org> wrote:
> My name is Colin Vidal. I am currently a PhD student in computer
> science. My researches consist on building a dedicated specific
> language on top of JavaScript in order to handle asynchronous events in
> a synchronous style. Hence, with a direct relation between the control
> flow and the instruction flow.
>
> Beside my researches, I am taking up the Eudyptula Challenge (task 15
> submitted). It helps me to have a global view of the kernel
> (organization, tree, some features), but it is not enough to get
> involved in serious development. Therefore, I am looking for task I can
> accomplish to be involved into real kernel development!
Hi! Welcome to the fun! :)
I see there's already a thread getting into the HARDENED_ATOMIC
effort, though I thought I might bring up some other areas too, in
case they entice you as well. You've got some background in control
flow -- have you spent much time in compiler internals? The recent
addition of the gcc plugin infrastructure means there's a much wider
ability for the kernel to do compiler tricks now. Two things that come
to mind for CFI when looking at the existing PaX/Grsecurity gcc
plugins are the kernexec plugin (which, AIUI, is mainly a weak form of
SMEP emulation on x86, using simple CFI to keep the high bit set on
all kernel function calls) which I think would be easy to extract as a
stand-alone plugin:
https://github.com/linux-scraping/linux-grsecurity/blob/grsec-test/scripts/gcc-plugins/kernexec_plugin.c
And at the other end of the spectrum is the RAP plugin (which does a
portion of PaX's full RAP, though there appear to be some non-trivial
kernel changes need to support it, e.g. per-cpu PGD):
https://pax.grsecurity.net/docs/PaXTeam-H2HC15-RAP-RIP-ROP.pdf
> I still don't have yet a narrow idea about where I can begin. I like
> though the idea of kernel self protection. For instance, I find the VM-
> mapped stack to be really interesting, but I think it is an overkill as
> a beginning, and a lot of work have already been done on it. On the
> architecture point-of-view, I have a preference of x86 since I only
> have this hardware for now, but I can work on ARM and others with QEMU
> too.
A piece missing from vmap-stack (I think) is having guard pages at
_both_ ends of the kernel stack. Andy Lutomirski surely knows better
than I do, but I'm hoping he's working on looking at PCID-based SMAP
emulation. (Hi Andy!) :)
-Kees
--
Kees Cook
Nexus Security
next prev parent reply other threads:[~2016-10-10 20:57 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-10-09 12:34 [kernel-hardening] self introduction Colin Vidal
2016-10-09 14:04 ` David Windsor
2016-10-09 19:09 ` Colin Vidal
2016-10-09 19:37 ` Jann Horn
2016-10-10 6:02 ` Reshetova, Elena
2016-10-10 16:01 ` Colin Vidal
2016-10-10 17:01 ` Reshetova, Elena
2016-10-10 21:05 ` Kees Cook
2016-10-12 3:19 ` Gengjia Chen
2016-10-12 22:31 ` Kees Cook
2016-10-13 11:14 ` Gengjia Chen
2016-10-13 18:50 ` Kees Cook
2016-10-17 11:57 ` Gengjia Chen
2016-10-17 20:15 ` Kees Cook
2016-10-18 11:52 ` Gengjia Chen
2016-10-18 21:21 ` Kees Cook
2016-10-12 8:25 ` Colin Vidal
2016-10-12 22:35 ` Kees Cook
2016-10-13 13:54 ` Reshetova, Elena
2016-10-13 18:53 ` Kees Cook
2016-10-13 19:26 ` Hans Liljestrand
2016-10-10 20:57 ` Kees Cook [this message]
2016-10-12 8:27 ` Colin Vidal
2016-10-12 22:40 ` Kees Cook
2016-10-14 18:32 ` Andy Lutomirski
-- strict thread matches above, loose matches on Subject: below --
2015-12-09 17:21 [kernel-hardening] Self Introduction David Brown
2015-12-09 22:19 ` Kees Cook
2015-12-10 0:00 ` David Brown
2015-12-10 0:14 ` Kees Cook
2015-12-10 0:26 ` David Brown
2015-12-10 0:41 ` Kees Cook
2015-12-10 17:14 ` Stephen Smalley
2015-12-10 17:49 ` Kees Cook
2015-12-10 17:55 ` Daniel Micay
2015-12-10 18:42 ` Kees Cook
2015-12-10 19:07 ` Daniel Micay
2015-12-10 19:23 ` Kees Cook
2015-12-10 19:38 ` Schaufler, Casey
2015-12-10 19:45 ` Kees Cook
2015-12-11 17:54 ` Valdis.Kletnieks
2015-12-11 18:44 ` Kees Cook
2015-12-12 11:40 ` Heiko Carstens
2015-12-10 22:38 ` PaX Team
2015-12-10 23:04 ` Daniel Micay
2015-12-10 18:42 ` Catalin Marinas
2015-12-10 18:47 ` Kees Cook
2015-12-10 23:52 ` Kees Cook
2015-12-11 1:04 ` David Brown
2016-01-11 18:33 ` David Brown
2016-01-12 19:31 ` Kees Cook
2016-01-13 11:29 ` Catalin Marinas
2016-01-13 11:31 ` Catalin Marinas
2016-01-14 1:04 ` Ben Hutchings
2016-01-14 11:11 ` Catalin Marinas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAGXu5jK9ZNr+AbVxfAns7PGEiw9NQ5zOp_EG_9dG7i+oeYwyCg@mail.gmail.com \
--to=keescook@chromium.org \
--cc=colin@cvidal.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=luto@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.