kernel-hardening.lists.openwall.com archive mirror
 help / color / mirror / Atom feed
From: Kees Cook <keescook@chromium.org>
To: Igor Stoppa <igor.stoppa@gmail.com>
Cc: Igor Stoppa <igor.stoppa@huawei.com>,
	Ahmed Soliman <ahmedsoliman@mena.vt.edu>,
	linux-integrity <linux-integrity@vger.kernel.org>,
	Kernel Hardening <kernel-hardening@lists.openwall.com>,
	Linux-MM <linux-mm@kvack.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [RFC PATCH v4 00/12] hardening: statically allocated protected memory
Date: Mon, 11 Feb 2019 16:09:10 -0800	[thread overview]
Message-ID: <CAGXu5j+n3ky2dOe4F+VyneQsM4VJbGPUw+DO55NkxxPhKzKHag@mail.gmail.com> (raw)
In-Reply-To: <cover.1549927666.git.igor.stoppa@huawei.com>

On Mon, Feb 11, 2019 at 3:28 PM Igor Stoppa <igor.stoppa@gmail.com> wrote:
> at last I'm able to resume work on the memory protection patchset I've
> proposed some time ago. This version should address comments received so
> far and introduce support for arm64. Details below.

Cool!

> Patch-set implementing write-rare memory protection for statically
> allocated data.

It seems like this could be expanded in the future to cover dynamic
memory too (i.e. just a separate base range in the mm).

> Its purpose is to keep write protected the kernel data which is seldom
> modified, especially if altering it can be exploited during an attack.
>
> There is no read overhead, however writing requires special operations that
> are probably unsuitable for often-changing data.
> The use is opt-in, by applying the modifier __wr_after_init to a variable
> declaration.
>
> As the name implies, the write protection kicks in only after init() is
> completed; before that moment, the data is modifiable in the usual way.
>
> Current Limitations:
> * supports only data which is allocated statically, at build time.
> * supports only x86_64 and arm64;other architectures need to provide own
>   backend

It looked like only the memset() needed architecture support. Is there
a reason for not being able to implement memset() in terms of an
inefficient put_user() loop instead? That would eliminate the need for
per-arch support, yes?

> - I've added a simple example: the protection of ima_policy_flags

You'd also looked at SELinux too, yes? What other things could be
targeted for protection? (It seems we can't yet protect page tables
themselves with this...)

> - the x86_64 user space address range is double the size of the kernel
>   address space, so it's possible to randomize the beginning of the
>   mapping of the kernel address space, but on arm64 they have the same
>   size, so it's not possible to do the same

Only the wr_rare section needs mapping, though, yes?

> - I'm not sure if it's correct, since it doesn't seem to be that common in
>   kernel sources, but instead of using #defines for overriding default
>   function calls, I'm using "weak" for the default functions.

The tradition is to use #defines for easier readability, but "weak"
continues to be a thing. *shrug*

This will be a nice addition to protect more of the kernel's static
data from write-what-where attacks. :)

-- 
Kees Cook

  parent reply	other threads:[~2019-02-12  0:09 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-02-11 23:27 [RFC PATCH v4 00/12] hardening: statically allocated protected memory Igor Stoppa
2019-02-11 23:27 ` [RFC PATCH v4 01/12] __wr_after_init: Core and default arch Igor Stoppa
2019-02-12  2:39   ` Matthew Wilcox
2019-02-12  7:20     ` Igor Stoppa
2019-02-11 23:27 ` [RFC PATCH v4 02/12] __wr_after_init: x86_64: memset_user() Igor Stoppa
2019-02-11 23:27 ` [RFC PATCH v4 03/12] __wr_after_init: x86_64: randomize mapping offset Igor Stoppa
2019-02-11 23:27 ` [RFC PATCH v4 04/12] __wr_after_init: x86_64: enable Igor Stoppa
2019-02-11 23:27 ` [RFC PATCH v4 05/12] __wr_after_init: arm64: memset_user() Igor Stoppa
2019-02-11 23:27 ` [RFC PATCH v4 06/12] __wr_after_init: arm64: enable Igor Stoppa
2019-02-11 23:27 ` [RFC PATCH v4 07/12] __wr_after_init: Documentation: self-protection Igor Stoppa
2019-02-11 23:27 ` [RFC PATCH v4 08/12] __wr_after_init: lkdtm test Igor Stoppa
2019-02-11 23:27 ` [RFC PATCH v4 09/12] __wr_after_init: rodata_test: refactor tests Igor Stoppa
2019-02-11 23:27 ` [RFC PATCH v4 10/12] __wr_after_init: rodata_test: test __wr_after_init Igor Stoppa
2019-02-11 23:27 ` [RFC PATCH v4 11/12] __wr_after_init: test write rare functionality Igor Stoppa
2019-02-11 23:27 ` [RFC PATCH v4 12/12] IMA: turn ima_policy_flags into __wr_after_init Igor Stoppa
2019-02-12  0:09 ` Kees Cook [this message]
2019-02-12  0:37   ` [RFC PATCH v4 00/12] hardening: statically allocated protected memory Igor Stoppa
2019-02-12  0:46     ` Kees Cook
2019-02-12  1:08       ` igor.stoppa
2019-02-12  1:26         ` Kees Cook
2019-02-12  7:09           ` Igor Stoppa
2019-02-12 22:39             ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAGXu5j+n3ky2dOe4F+VyneQsM4VJbGPUw+DO55NkxxPhKzKHag@mail.gmail.com \
    --to=keescook@chromium.org \
    --cc=ahmedsoliman@mena.vt.edu \
    --cc=igor.stoppa@gmail.com \
    --cc=igor.stoppa@huawei.com \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).