From: Kees Cook <keescook@chromium.org>
To: Christoph Lameter <cl@linux.com>
Cc: Rik van Riel <riel@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>,
Pekka Enberg <penberg@kernel.org>,
David Rientjes <rientjes@google.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
"Paul E. McKenney" <paulmck@linux.vnet.ibm.com>,
Ingo Molnar <mingo@kernel.org>,
Josh Triplett <josh@joshtriplett.org>,
Andy Lutomirski <luto@kernel.org>,
Nicolas Pitre <nicolas.pitre@linaro.org>,
Tejun Heo <tj@kernel.org>, Daniel Mack <daniel@zonque.org>,
Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
Sergey Senozhatsky <sergey.senozhatsky@gmail.com>,
Helge Deller <deller@gmx.de>, Linux-MM <linux-mm@kvack.org>,
Tycho Andersen <tycho@docker.com>,
LKML <linux-kernel@vger.kernel.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>
Subject: Re: [PATCH v3] mm: Add SLUB free list pointer obfuscation
Date: Fri, 7 Jul 2017 09:51:07 -0700 [thread overview]
Message-ID: <CAGXu5jLmU2vrP2ftQd=EvC7-OEzV+Nm7zYEf=6C0kZuoUEBXvA@mail.gmail.com> (raw)
In-Reply-To: <alpine.DEB.2.20.1707070844100.11769@east.gentwo.org>
On Fri, Jul 7, 2017 at 6:50 AM, Christoph Lameter <cl@linux.com> wrote:
> On Thu, 6 Jul 2017, Kees Cook wrote:
>
>> Right. This is about blocking the escalation of attack capability. For
>> slab object overflow flaws, there are mainly two exploitation methods:
>> adjacent allocated object overwrite and adjacent freed object
>> overwrite (i.e. a freelist pointer overwrite). The first attack
>> depends heavily on which slab cache (and therefore which structures)
>> has been exposed by the bug. It's a very narrow and specific attack
>> method. The freelist attack is entirely general purpose since it
>> provides a reliable way to gain arbitrary write capabilities.
>> Protecting against that attack greatly narrows the options for an
>> attacker which makes attacks more expensive to create and possibly
>> less reliable (and reliability is crucial to successful attacks).
>
>
> The simplest thing here is to vary the location of the freelist pointer.
> That way you cannot hit the freepointer in a deterministic way
>
> The freepointer is put at offset 0 right now. But you could put it
> anywhere in the object.
>
> Index: linux/mm/slub.c
> ===================================================================
> --- linux.orig/mm/slub.c
> +++ linux/mm/slub.c
> @@ -3467,7 +3467,8 @@ static int calculate_sizes(struct kmem_c
> */
> s->offset = size;
> size += sizeof(void *);
> - }
> + } else
> + s->offset = s->size / sizeof(void *) * <insert random chance logic here>
>
> #ifdef CONFIG_SLUB_DEBUG
> if (flags & SLAB_STORE_USER)
I wouldn't mind having both mitigations, but this alone is still open
to spraying attacks. As long as an attacker's overflow can span an
entire object, they can still hit the freelist pointer (which is
especially true with small objects). With the XOR obfuscation they
have to know where the pointer is stored (usually not available since
they have only been able to arrange "next object is unallocated"
without knowing _where_ it is allocated) and the random number (stored
separately in the cache).
If we also added a >0 offset, that would make things even less
deterministic. Though I wonder if it would make the performance impact
higher. The XOR patch right now is very light.
Yet another option would be to moving the freelist pointer over by
sizeof(void *) and adding a canary to be checked at offset 0, but that
involves additional memory fetches and doesn't protect against a bad
array index attack (rather than a linear overflow). So, I still think
the XOR patch is the right first step. Would could further harden it,
but I think it's the place to start.
-Kees
--
Kees Cook
Pixel Security
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org>
To: Christoph Lameter <cl@linux.com>
Cc: Rik van Riel <riel@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>,
Pekka Enberg <penberg@kernel.org>,
David Rientjes <rientjes@google.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
"Paul E. McKenney" <paulmck@linux.vnet.ibm.com>,
Ingo Molnar <mingo@kernel.org>,
Josh Triplett <josh@joshtriplett.org>,
Andy Lutomirski <luto@kernel.org>,
Nicolas Pitre <nicolas.pitre@linaro.org>,
Tejun Heo <tj@kernel.org>, Daniel Mack <daniel@zonque.org>,
Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
Sergey Senozhatsky <sergey.senozhatsky@gmail.com>,
Helge Deller <deller@gmx.de>, Linux-MM <linux-mm@kvack.org>,
Tycho Andersen <tycho@docker.com>,
LKML <linux-kernel@vger.kernel.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>
Subject: Re: [PATCH v3] mm: Add SLUB free list pointer obfuscation
Date: Fri, 7 Jul 2017 09:51:07 -0700 [thread overview]
Message-ID: <CAGXu5jLmU2vrP2ftQd=EvC7-OEzV+Nm7zYEf=6C0kZuoUEBXvA@mail.gmail.com> (raw)
In-Reply-To: <alpine.DEB.2.20.1707070844100.11769@east.gentwo.org>
On Fri, Jul 7, 2017 at 6:50 AM, Christoph Lameter <cl@linux.com> wrote:
> On Thu, 6 Jul 2017, Kees Cook wrote:
>
>> Right. This is about blocking the escalation of attack capability. For
>> slab object overflow flaws, there are mainly two exploitation methods:
>> adjacent allocated object overwrite and adjacent freed object
>> overwrite (i.e. a freelist pointer overwrite). The first attack
>> depends heavily on which slab cache (and therefore which structures)
>> has been exposed by the bug. It's a very narrow and specific attack
>> method. The freelist attack is entirely general purpose since it
>> provides a reliable way to gain arbitrary write capabilities.
>> Protecting against that attack greatly narrows the options for an
>> attacker which makes attacks more expensive to create and possibly
>> less reliable (and reliability is crucial to successful attacks).
>
>
> The simplest thing here is to vary the location of the freelist pointer.
> That way you cannot hit the freepointer in a deterministic way
>
> The freepointer is put at offset 0 right now. But you could put it
> anywhere in the object.
>
> Index: linux/mm/slub.c
> ===================================================================
> --- linux.orig/mm/slub.c
> +++ linux/mm/slub.c
> @@ -3467,7 +3467,8 @@ static int calculate_sizes(struct kmem_c
> */
> s->offset = size;
> size += sizeof(void *);
> - }
> + } else
> + s->offset = s->size / sizeof(void *) * <insert random chance logic here>
>
> #ifdef CONFIG_SLUB_DEBUG
> if (flags & SLAB_STORE_USER)
I wouldn't mind having both mitigations, but this alone is still open
to spraying attacks. As long as an attacker's overflow can span an
entire object, they can still hit the freelist pointer (which is
especially true with small objects). With the XOR obfuscation they
have to know where the pointer is stored (usually not available since
they have only been able to arrange "next object is unallocated"
without knowing _where_ it is allocated) and the random number (stored
separately in the cache).
If we also added a >0 offset, that would make things even less
deterministic. Though I wonder if it would make the performance impact
higher. The XOR patch right now is very light.
Yet another option would be to moving the freelist pointer over by
sizeof(void *) and adding a canary to be checked at offset 0, but that
involves additional memory fetches and doesn't protect against a bad
array index attack (rather than a linear overflow). So, I still think
the XOR patch is the right first step. Would could further harden it,
but I think it's the place to start.
-Kees
--
Kees Cook
Pixel Security
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org>
To: Christoph Lameter <cl@linux.com>
Cc: Rik van Riel <riel@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>,
Pekka Enberg <penberg@kernel.org>,
David Rientjes <rientjes@google.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
"Paul E. McKenney" <paulmck@linux.vnet.ibm.com>,
Ingo Molnar <mingo@kernel.org>,
Josh Triplett <josh@joshtriplett.org>,
Andy Lutomirski <luto@kernel.org>,
Nicolas Pitre <nicolas.pitre@linaro.org>,
Tejun Heo <tj@kernel.org>, Daniel Mack <daniel@zonque.org>,
Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
Sergey Senozhatsky <sergey.senozhatsky@gmail.com>,
Helge Deller <deller@gmx.de>, Linux-MM <linux-mm@kvack.org>,
Tycho Andersen <tycho@docker.com>,
LKML <linux-kernel@vger.kernel.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>
Subject: [kernel-hardening] Re: [PATCH v3] mm: Add SLUB free list pointer obfuscation
Date: Fri, 7 Jul 2017 09:51:07 -0700 [thread overview]
Message-ID: <CAGXu5jLmU2vrP2ftQd=EvC7-OEzV+Nm7zYEf=6C0kZuoUEBXvA@mail.gmail.com> (raw)
In-Reply-To: <alpine.DEB.2.20.1707070844100.11769@east.gentwo.org>
On Fri, Jul 7, 2017 at 6:50 AM, Christoph Lameter <cl@linux.com> wrote:
> On Thu, 6 Jul 2017, Kees Cook wrote:
>
>> Right. This is about blocking the escalation of attack capability. For
>> slab object overflow flaws, there are mainly two exploitation methods:
>> adjacent allocated object overwrite and adjacent freed object
>> overwrite (i.e. a freelist pointer overwrite). The first attack
>> depends heavily on which slab cache (and therefore which structures)
>> has been exposed by the bug. It's a very narrow and specific attack
>> method. The freelist attack is entirely general purpose since it
>> provides a reliable way to gain arbitrary write capabilities.
>> Protecting against that attack greatly narrows the options for an
>> attacker which makes attacks more expensive to create and possibly
>> less reliable (and reliability is crucial to successful attacks).
>
>
> The simplest thing here is to vary the location of the freelist pointer.
> That way you cannot hit the freepointer in a deterministic way
>
> The freepointer is put at offset 0 right now. But you could put it
> anywhere in the object.
>
> Index: linux/mm/slub.c
> ===================================================================
> --- linux.orig/mm/slub.c
> +++ linux/mm/slub.c
> @@ -3467,7 +3467,8 @@ static int calculate_sizes(struct kmem_c
> */
> s->offset = size;
> size += sizeof(void *);
> - }
> + } else
> + s->offset = s->size / sizeof(void *) * <insert random chance logic here>
>
> #ifdef CONFIG_SLUB_DEBUG
> if (flags & SLAB_STORE_USER)
I wouldn't mind having both mitigations, but this alone is still open
to spraying attacks. As long as an attacker's overflow can span an
entire object, they can still hit the freelist pointer (which is
especially true with small objects). With the XOR obfuscation they
have to know where the pointer is stored (usually not available since
they have only been able to arrange "next object is unallocated"
without knowing _where_ it is allocated) and the random number (stored
separately in the cache).
If we also added a >0 offset, that would make things even less
deterministic. Though I wonder if it would make the performance impact
higher. The XOR patch right now is very light.
Yet another option would be to moving the freelist pointer over by
sizeof(void *) and adding a canary to be checked at offset 0, but that
involves additional memory fetches and doesn't protect against a bad
array index attack (rather than a linear overflow). So, I still think
the XOR patch is the right first step. Would could further harden it,
but I think it's the place to start.
-Kees
--
Kees Cook
Pixel Security
next prev parent reply other threads:[~2017-07-07 16:51 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-06 0:27 [PATCH v3] mm: Add SLUB free list pointer obfuscation Kees Cook
2017-07-06 0:27 ` [kernel-hardening] " Kees Cook
2017-07-06 0:27 ` Kees Cook
2017-07-06 13:43 ` Christoph Lameter
2017-07-06 13:43 ` [kernel-hardening] " Christoph Lameter
2017-07-06 13:43 ` Christoph Lameter
2017-07-06 15:48 ` Kees Cook
2017-07-06 15:48 ` [kernel-hardening] " Kees Cook
2017-07-06 15:48 ` Kees Cook
2017-07-06 15:55 ` Christoph Lameter
2017-07-06 15:55 ` [kernel-hardening] " Christoph Lameter
2017-07-06 15:55 ` Christoph Lameter
2017-07-06 16:16 ` [kernel-hardening] " Daniel Micay
2017-07-06 16:16 ` Daniel Micay
2017-07-06 16:16 ` Daniel Micay
2017-07-06 17:53 ` Rik van Riel
2017-07-06 17:53 ` [kernel-hardening] " Rik van Riel
2017-07-06 17:53 ` Rik van Riel
2017-07-06 18:50 ` Kees Cook
2017-07-06 18:50 ` [kernel-hardening] " Kees Cook
2017-07-06 18:50 ` Kees Cook
2017-07-07 13:50 ` Christoph Lameter
2017-07-07 13:50 ` [kernel-hardening] " Christoph Lameter
2017-07-07 13:50 ` Christoph Lameter
2017-07-07 16:51 ` Kees Cook [this message]
2017-07-07 16:51 ` [kernel-hardening] " Kees Cook
2017-07-07 16:51 ` Kees Cook
2017-07-07 17:06 ` Christoph Lameter
2017-07-07 17:06 ` [kernel-hardening] " Christoph Lameter
2017-07-07 17:06 ` Christoph Lameter
2017-07-07 18:43 ` Kees Cook
2017-07-07 18:43 ` [kernel-hardening] " Kees Cook
2017-07-07 18:43 ` Kees Cook
2017-07-24 21:17 ` [v3] " Alexander Popov
2017-07-24 21:17 ` [kernel-hardening] " Alexander Popov
2017-07-24 21:17 ` Alexander Popov
2017-07-25 9:42 ` Alexander Popov
2017-07-25 9:42 ` [kernel-hardening] " Alexander Popov
2017-07-25 9:42 ` Alexander Popov
2017-07-26 0:21 ` Kees Cook
2017-07-26 0:21 ` [kernel-hardening] " Kees Cook
2017-07-26 0:21 ` Kees Cook
2017-07-26 14:08 ` Christopher Lameter
2017-07-26 14:08 ` [kernel-hardening] " Christopher Lameter
2017-07-26 14:08 ` Christopher Lameter
2017-07-26 16:20 ` Kees Cook
2017-07-26 16:20 ` [kernel-hardening] " Kees Cook
2017-07-26 16:20 ` Kees Cook
2017-07-26 16:55 ` Christopher Lameter
2017-07-26 16:55 ` [kernel-hardening] " Christopher Lameter
2017-07-26 16:55 ` Christopher Lameter
2017-07-26 17:13 ` Kees Cook
2017-07-26 17:13 ` [kernel-hardening] " Kees Cook
2017-07-26 17:13 ` Kees Cook
2017-07-27 15:15 ` Christopher Lameter
2017-07-27 15:15 ` [kernel-hardening] " Christopher Lameter
2017-07-27 15:15 ` Christopher Lameter
2017-07-27 22:48 ` Alexander Popov
2017-07-27 22:48 ` [kernel-hardening] " Alexander Popov
2017-07-27 22:48 ` Alexander Popov
2017-07-27 23:53 ` Christopher Lameter
2017-07-27 23:53 ` [kernel-hardening] " Christopher Lameter
2017-07-27 23:53 ` Christopher Lameter
2017-07-31 20:17 ` Alexander Popov
2017-07-31 20:17 ` [kernel-hardening] " Alexander Popov
2017-07-31 20:17 ` Alexander Popov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAGXu5jLmU2vrP2ftQd=EvC7-OEzV+Nm7zYEf=6C0kZuoUEBXvA@mail.gmail.com' \
--to=keescook@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=bigeasy@linutronix.de \
--cc=cl@linux.com \
--cc=daniel@zonque.org \
--cc=deller@gmx.de \
--cc=iamjoonsoo.kim@lge.com \
--cc=josh@joshtriplett.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=mingo@kernel.org \
--cc=nicolas.pitre@linaro.org \
--cc=paulmck@linux.vnet.ibm.com \
--cc=penberg@kernel.org \
--cc=riel@redhat.com \
--cc=rientjes@google.com \
--cc=sergey.senozhatsky@gmail.com \
--cc=tj@kernel.org \
--cc=tycho@docker.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.