From: Igor Stoppa <igor.stoppa@huawei.com>
To: Kees Cook <keescook@google.com>
Cc: Casey Schaufler <casey@schaufler-ca.com>,
Michal Hocko <mhocko@kernel.org>,
Dave Hansen <dave.hansen@intel.com>,
Laura Abbott <labbott@redhat.com>, Linux-MM <linux-mm@kvack.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
LKML <linux-kernel@vger.kernel.org>,
Daniel Micay <danielmicay@gmail.com>,
Greg KH <gregkh@linuxfoundation.org>,
James Morris <james.l.morris@oracle.com>,
Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: [PATCH 1/1] Sealable memory support
Date: Thu, 1 Jun 2017 00:22:20 +0300 [thread overview]
Message-ID: <ea8ecd33-8126-6c75-a0b3-675a8c76fac6@huawei.com> (raw)
In-Reply-To: <CAGXu5jKEmEzAFssmBu2=kJvXikTZ12CF4f8gQy+7UBh8F24PAw@mail.gmail.com>
On 28/05/17 21:23, Kees Cook wrote:
> On Wed, May 24, 2017 at 10:45 AM, Igor Stoppa <igor.stoppa@huawei.com> wrote:
[...]
>> If the CPU1 were to forcibly halt anything that can race with it, then
>> it would be sure that there was no interference.
>
> Correct. This is actually what ARM does for doing kernel memory
> writing when poking stuff for kprobes, etc. It's rather dramatic,
> though. :)
ok
>> A reactive approach could be, instead, to re-validate the content after
>> the sealing, assuming that it is possible.
>
> I would prefer to avoid this, as that allows an attacker to still have
> made the changes (which could even result in them then disabling the
> re-validation during the attack).
ok
[...]
>> If you are talking about an attacker, rather than protection against
>> accidental overwrites, how hashing can be enough?
>> Couldn't the attacker compromise that too?
>
> In theory, yes, though the goal was to dedicate a register to the
> hash, which would make it hard/impossible for an attacker to reach.
> (The BPF JIT situation is just an example of this kind of race,
> though. I'm still in favor of reducing the write window to init-time
> from full run-time.)
It looks like some compromise is needed between reliability and
performance ...
[...]
> I would expect other people would NAK using "stop all other CPUs"
> approach. Better to have the CPU-local writes.
ok, that could be a feature for the follow-up?
[...]
> Yeah, I don't have any better idea for names. :)
still clinging to smalloc for now, how about pmalloc,
as "protected malloc"?
> We might be talking past each-other. Right now, the LSM is marked with
> __ro_after_init, which will make all the list structures, entries, etc
> read-only already. There is one case where this is not true, and
> that's for CONFIG_SECURITY_WRITABLE_HOOKS for
> CONFIG_SECURITY_SELINUX_DISABLE, which wants to do run-time removal of
> SELinux.
On this I'll just shut up and provide the patch. It seems easier :-)
> Are you talking about the SELinux policy installed during
> early boot? Which things did you want to use smalloc() on?
The policy DB.
And of course the policy cache has to go, as in: it must be possible to
disable it completely, in favor of re-evaluating the policies, when needed.
I'm pretty sure that it is absolutely needed in certain cases, but in
others I think the re-evaluation is negligible in comparison to the
overall duration of the use cases affected.
So it should be ok to let the system integrator gauge speed (if any) vs
resilience, by enablying/disabling the SE Linux policy cache.
>>> It seems like smalloc pools could also be refcounted?
>
> I meant things that point into an smalloc() pool could keep a refcount
> and when nothing was pointing into it, it could be destroyed. (i.e.
> using refcount garbage collection instead of explicit destruction.)
ok, but it depends on the level of paranoia that we are talking about.
Counting smalloc vs sfree is easy.
Verifying that the free invocations are actually aligned with previous
allocations is a bit more onerous.
Validating that the free is done from the same entity that invoked the
smalloc might be hard.
>> And what for?
>
> It might be easier to reason about later if allocations get complex.
> It's certainly not required for the first version of this.
good :-)
more clarifications are needed
[...]
> I don't really have an opinion on this. It might be more readable with
> a named structure?
Eventually I got rid of the macro.
The structure is intentionally unnamed to stress the grouping, without
adding a layer of indirection. But maybe it could be removed. I need to
test it.
>> One more thing: how should I tie this allocator to the rest?
>> I have verified that is seems to work with both SLUB and SLAB.
>> Can I make it depend on either of them being enabled?
>
> It seems totally unrelated. The only relationship I see would be
> interaction with hardened usercopy. In a perfect world, none of the
> smalloc pools would be allowed to be copied to/from userspace, which
> would make integration really easy: if smalloc_pool(ptr) return NOPE;
> :P
I went down the harder path and implemented the check.
>> Should it be optionally enabled?
>> What to default to, if it's not enabled? vmalloc?
>
> I don't see any reason to make it optional.
great \o/
So now I'm back to the LSM use case.
It shouldn't take too long.
--
thanks, igor
WARNING: multiple messages have this Message-ID (diff)
From: Igor Stoppa <igor.stoppa@huawei.com>
To: Kees Cook <keescook@google.com>
Cc: Casey Schaufler <casey@schaufler-ca.com>,
Michal Hocko <mhocko@kernel.org>,
Dave Hansen <dave.hansen@intel.com>,
Laura Abbott <labbott@redhat.com>, Linux-MM <linux-mm@kvack.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
LKML <linux-kernel@vger.kernel.org>,
Daniel Micay <danielmicay@gmail.com>,
Greg KH <gregkh@linuxfoundation.org>,
James Morris <james.l.morris@oracle.com>,
Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: [PATCH 1/1] Sealable memory support
Date: Thu, 1 Jun 2017 00:22:20 +0300 [thread overview]
Message-ID: <ea8ecd33-8126-6c75-a0b3-675a8c76fac6@huawei.com> (raw)
In-Reply-To: <CAGXu5jKEmEzAFssmBu2=kJvXikTZ12CF4f8gQy+7UBh8F24PAw@mail.gmail.com>
On 28/05/17 21:23, Kees Cook wrote:
> On Wed, May 24, 2017 at 10:45 AM, Igor Stoppa <igor.stoppa@huawei.com> wrote:
[...]
>> If the CPU1 were to forcibly halt anything that can race with it, then
>> it would be sure that there was no interference.
>
> Correct. This is actually what ARM does for doing kernel memory
> writing when poking stuff for kprobes, etc. It's rather dramatic,
> though. :)
ok
>> A reactive approach could be, instead, to re-validate the content after
>> the sealing, assuming that it is possible.
>
> I would prefer to avoid this, as that allows an attacker to still have
> made the changes (which could even result in them then disabling the
> re-validation during the attack).
ok
[...]
>> If you are talking about an attacker, rather than protection against
>> accidental overwrites, how hashing can be enough?
>> Couldn't the attacker compromise that too?
>
> In theory, yes, though the goal was to dedicate a register to the
> hash, which would make it hard/impossible for an attacker to reach.
> (The BPF JIT situation is just an example of this kind of race,
> though. I'm still in favor of reducing the write window to init-time
> from full run-time.)
It looks like some compromise is needed between reliability and
performance ...
[...]
> I would expect other people would NAK using "stop all other CPUs"
> approach. Better to have the CPU-local writes.
ok, that could be a feature for the follow-up?
[...]
> Yeah, I don't have any better idea for names. :)
still clinging to smalloc for now, how about pmalloc,
as "protected malloc"?
> We might be talking past each-other. Right now, the LSM is marked with
> __ro_after_init, which will make all the list structures, entries, etc
> read-only already. There is one case where this is not true, and
> that's for CONFIG_SECURITY_WRITABLE_HOOKS for
> CONFIG_SECURITY_SELINUX_DISABLE, which wants to do run-time removal of
> SELinux.
On this I'll just shut up and provide the patch. It seems easier :-)
> Are you talking about the SELinux policy installed during
> early boot? Which things did you want to use smalloc() on?
The policy DB.
And of course the policy cache has to go, as in: it must be possible to
disable it completely, in favor of re-evaluating the policies, when needed.
I'm pretty sure that it is absolutely needed in certain cases, but in
others I think the re-evaluation is negligible in comparison to the
overall duration of the use cases affected.
So it should be ok to let the system integrator gauge speed (if any) vs
resilience, by enablying/disabling the SE Linux policy cache.
>>> It seems like smalloc pools could also be refcounted?
>
> I meant things that point into an smalloc() pool could keep a refcount
> and when nothing was pointing into it, it could be destroyed. (i.e.
> using refcount garbage collection instead of explicit destruction.)
ok, but it depends on the level of paranoia that we are talking about.
Counting smalloc vs sfree is easy.
Verifying that the free invocations are actually aligned with previous
allocations is a bit more onerous.
Validating that the free is done from the same entity that invoked the
smalloc might be hard.
>> And what for?
>
> It might be easier to reason about later if allocations get complex.
> It's certainly not required for the first version of this.
good :-)
more clarifications are needed
[...]
> I don't really have an opinion on this. It might be more readable with
> a named structure?
Eventually I got rid of the macro.
The structure is intentionally unnamed to stress the grouping, without
adding a layer of indirection. But maybe it could be removed. I need to
test it.
>> One more thing: how should I tie this allocator to the rest?
>> I have verified that is seems to work with both SLUB and SLAB.
>> Can I make it depend on either of them being enabled?
>
> It seems totally unrelated. The only relationship I see would be
> interaction with hardened usercopy. In a perfect world, none of the
> smalloc pools would be allowed to be copied to/from userspace, which
> would make integration really easy: if smalloc_pool(ptr) return NOPE;
> :P
I went down the harder path and implemented the check.
>> Should it be optionally enabled?
>> What to default to, if it's not enabled? vmalloc?
>
> I don't see any reason to make it optional.
great \o/
So now I'm back to the LSM use case.
It shouldn't take too long.
--
thanks, igor
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
WARNING: multiple messages have this Message-ID (diff)
From: Igor Stoppa <igor.stoppa@huawei.com>
To: Kees Cook <keescook@google.com>
Cc: Casey Schaufler <casey@schaufler-ca.com>,
Michal Hocko <mhocko@kernel.org>,
Dave Hansen <dave.hansen@intel.com>,
Laura Abbott <labbott@redhat.com>, Linux-MM <linux-mm@kvack.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
LKML <linux-kernel@vger.kernel.org>,
Daniel Micay <danielmicay@gmail.com>,
Greg KH <gregkh@linuxfoundation.org>,
James Morris <james.l.morris@oracle.com>,
Stephen Smalley <sds@tycho.nsa.gov>
Subject: [kernel-hardening] Re: [PATCH 1/1] Sealable memory support
Date: Thu, 1 Jun 2017 00:22:20 +0300 [thread overview]
Message-ID: <ea8ecd33-8126-6c75-a0b3-675a8c76fac6@huawei.com> (raw)
In-Reply-To: <CAGXu5jKEmEzAFssmBu2=kJvXikTZ12CF4f8gQy+7UBh8F24PAw@mail.gmail.com>
On 28/05/17 21:23, Kees Cook wrote:
> On Wed, May 24, 2017 at 10:45 AM, Igor Stoppa <igor.stoppa@huawei.com> wrote:
[...]
>> If the CPU1 were to forcibly halt anything that can race with it, then
>> it would be sure that there was no interference.
>
> Correct. This is actually what ARM does for doing kernel memory
> writing when poking stuff for kprobes, etc. It's rather dramatic,
> though. :)
ok
>> A reactive approach could be, instead, to re-validate the content after
>> the sealing, assuming that it is possible.
>
> I would prefer to avoid this, as that allows an attacker to still have
> made the changes (which could even result in them then disabling the
> re-validation during the attack).
ok
[...]
>> If you are talking about an attacker, rather than protection against
>> accidental overwrites, how hashing can be enough?
>> Couldn't the attacker compromise that too?
>
> In theory, yes, though the goal was to dedicate a register to the
> hash, which would make it hard/impossible for an attacker to reach.
> (The BPF JIT situation is just an example of this kind of race,
> though. I'm still in favor of reducing the write window to init-time
> from full run-time.)
It looks like some compromise is needed between reliability and
performance ...
[...]
> I would expect other people would NAK using "stop all other CPUs"
> approach. Better to have the CPU-local writes.
ok, that could be a feature for the follow-up?
[...]
> Yeah, I don't have any better idea for names. :)
still clinging to smalloc for now, how about pmalloc,
as "protected malloc"?
> We might be talking past each-other. Right now, the LSM is marked with
> __ro_after_init, which will make all the list structures, entries, etc
> read-only already. There is one case where this is not true, and
> that's for CONFIG_SECURITY_WRITABLE_HOOKS for
> CONFIG_SECURITY_SELINUX_DISABLE, which wants to do run-time removal of
> SELinux.
On this I'll just shut up and provide the patch. It seems easier :-)
> Are you talking about the SELinux policy installed during
> early boot? Which things did you want to use smalloc() on?
The policy DB.
And of course the policy cache has to go, as in: it must be possible to
disable it completely, in favor of re-evaluating the policies, when needed.
I'm pretty sure that it is absolutely needed in certain cases, but in
others I think the re-evaluation is negligible in comparison to the
overall duration of the use cases affected.
So it should be ok to let the system integrator gauge speed (if any) vs
resilience, by enablying/disabling the SE Linux policy cache.
>>> It seems like smalloc pools could also be refcounted?
>
> I meant things that point into an smalloc() pool could keep a refcount
> and when nothing was pointing into it, it could be destroyed. (i.e.
> using refcount garbage collection instead of explicit destruction.)
ok, but it depends on the level of paranoia that we are talking about.
Counting smalloc vs sfree is easy.
Verifying that the free invocations are actually aligned with previous
allocations is a bit more onerous.
Validating that the free is done from the same entity that invoked the
smalloc might be hard.
>> And what for?
>
> It might be easier to reason about later if allocations get complex.
> It's certainly not required for the first version of this.
good :-)
more clarifications are needed
[...]
> I don't really have an opinion on this. It might be more readable with
> a named structure?
Eventually I got rid of the macro.
The structure is intentionally unnamed to stress the grouping, without
adding a layer of indirection. But maybe it could be removed. I need to
test it.
>> One more thing: how should I tie this allocator to the rest?
>> I have verified that is seems to work with both SLUB and SLAB.
>> Can I make it depend on either of them being enabled?
>
> It seems totally unrelated. The only relationship I see would be
> interaction with hardened usercopy. In a perfect world, none of the
> smalloc pools would be allowed to be copied to/from userspace, which
> would make integration really easy: if smalloc_pool(ptr) return NOPE;
> :P
I went down the harder path and implemented the check.
>> Should it be optionally enabled?
>> What to default to, if it's not enabled? vmalloc?
>
> I don't see any reason to make it optional.
great \o/
So now I'm back to the LSM use case.
It shouldn't take too long.
--
thanks, igor
next prev parent reply other threads:[~2017-05-31 21:24 UTC|newest]
Thread overview: 68+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-19 10:38 [RFC v3]mm: ro protection for data allocated dynamically Igor Stoppa
2017-05-19 10:38 ` [kernel-hardening] " Igor Stoppa
2017-05-19 10:38 ` Igor Stoppa
2017-05-19 10:38 ` [PATCH 1/1] Sealable memory support Igor Stoppa
2017-05-19 10:38 ` [kernel-hardening] " Igor Stoppa
2017-05-19 10:38 ` Igor Stoppa
2017-05-20 8:51 ` [kernel-hardening] " Greg KH
2017-05-20 8:51 ` Greg KH
2017-05-21 11:14 ` [PATCH] LSM: Make security_hook_heads a local variable Tetsuo Handa
2017-05-21 11:14 ` [kernel-hardening] " Tetsuo Handa
2017-05-21 11:14 ` Tetsuo Handa
2017-05-21 11:14 ` Tetsuo Handa
2017-05-22 14:03 ` Christoph Hellwig
2017-05-22 14:03 ` [kernel-hardening] " Christoph Hellwig
2017-05-22 14:03 ` Christoph Hellwig
2017-05-22 14:03 ` Christoph Hellwig
2017-05-22 15:09 ` Casey Schaufler
2017-05-22 15:09 ` [kernel-hardening] " Casey Schaufler
2017-05-22 15:09 ` Casey Schaufler
2017-05-22 15:09 ` Casey Schaufler
2017-05-22 19:50 ` Igor Stoppa
2017-05-22 19:50 ` [kernel-hardening] " Igor Stoppa
2017-05-22 19:50 ` Igor Stoppa
2017-05-22 19:50 ` Igor Stoppa
2017-05-22 20:32 ` Casey Schaufler
2017-05-22 20:32 ` [kernel-hardening] " Casey Schaufler
2017-05-22 20:32 ` Casey Schaufler
2017-05-22 20:32 ` Casey Schaufler
2017-05-22 20:43 ` Tetsuo Handa
2017-05-22 20:43 ` [kernel-hardening] " Tetsuo Handa
2017-05-22 20:43 ` Tetsuo Handa
2017-05-22 20:43 ` Tetsuo Handa
2017-05-22 19:45 ` [kernel-hardening] [PATCH 1/1] Sealable memory support Igor Stoppa
2017-05-22 19:45 ` Igor Stoppa
2017-05-22 19:45 ` Igor Stoppa
2017-05-22 21:38 ` Kees Cook
2017-05-22 21:38 ` [kernel-hardening] " Kees Cook
2017-05-22 21:38 ` Kees Cook
2017-05-23 9:43 ` Igor Stoppa
2017-05-23 9:43 ` [kernel-hardening] " Igor Stoppa
2017-05-23 9:43 ` Igor Stoppa
2017-05-23 20:11 ` Kees Cook
2017-05-23 20:11 ` [kernel-hardening] " Kees Cook
2017-05-23 20:11 ` Kees Cook
2017-05-24 17:45 ` Igor Stoppa
2017-05-24 17:45 ` [kernel-hardening] " Igor Stoppa
2017-05-24 17:45 ` Igor Stoppa
2017-05-28 18:23 ` Kees Cook
2017-05-28 18:23 ` [kernel-hardening] " Kees Cook
2017-05-28 18:23 ` Kees Cook
2017-05-28 18:56 ` [kernel-hardening] " Boris Lukashev
2017-05-28 18:56 ` Boris Lukashev
2017-05-28 18:56 ` Boris Lukashev
2017-05-28 21:32 ` Kees Cook
2017-05-28 21:32 ` Kees Cook
2017-05-28 21:32 ` Kees Cook
2017-05-29 6:04 ` Boris Lukashev
2017-05-29 6:04 ` Boris Lukashev
2017-05-29 6:04 ` Boris Lukashev
2017-05-31 21:22 ` Igor Stoppa [this message]
2017-05-31 21:22 ` Igor Stoppa
2017-05-31 21:22 ` Igor Stoppa
2017-05-31 13:55 ` kbuild test robot
2017-05-31 13:55 ` [kernel-hardening] " kbuild test robot
2017-05-31 13:55 ` kbuild test robot
2017-06-04 2:18 ` kbuild test robot
2017-06-04 2:18 ` [kernel-hardening] " kbuild test robot
2017-06-04 2:18 ` kbuild test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ea8ecd33-8126-6c75-a0b3-675a8c76fac6@huawei.com \
--to=igor.stoppa@huawei.com \
--cc=casey@schaufler-ca.com \
--cc=danielmicay@gmail.com \
--cc=dave.hansen@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=james.l.morris@oracle.com \
--cc=keescook@google.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=labbott@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mhocko@kernel.org \
--cc=sds@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.