From: Kees Cook <keescook@chromium.org>
To: Ingo Molnar <mingo@kernel.org>
Cc: Thomas Garnier <thgarnie@google.com>,
Andy Lutomirski <luto@kernel.org>,
"x86@kernel.org" <x86@kernel.org>, Borislav Petkov <bp@suse.de>,
Baoquan He <bhe@redhat.com>, Yinghai Lu <yinghai@kernel.org>,
Juergen Gross <jgross@suse.com>,
Matt Fleming <matt@codeblueprint.co.uk>,
Toshi Kani <toshi.kani@hpe.com>,
Andrew Morton <akpm@linux-foundation.org>,
Dan Williams <dan.j.williams@intel.com>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Xiao Guangrong <guangrong.xiao@linux.intel.com>,
Martin Schwidefsky <schwidefsky@de.ibm.com>,
"Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>,
Alexander Kuleshov <kuleshovmail@gmail.com>,
Alexander Popov <alpopov@ptsecurity.com>,
Dave Young <dyoung@redhat.com>, Joerg Roedel <jroedel@suse.de>,
Lv Zheng <lv.zheng@intel.com>, Mark Salter <msalter@redhat.com>,
Dmitry Vyukov <dvyukov@google.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
Boris Ostrovsky <boris.ostrovsky@oracle.com>,
Christian Borntraeger <borntraeger@de.ibm.com>,
Jan Beulich <JBeulich@suse.com>,
LKML <linux-kernel@vger.kernel.org>,
Jonathan Corbet <corbet@lwn.net>,
"linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>
Subject: [kernel-hardening] Re: [PATCH v7 0/9] x86/mm: memory area address KASLR
Date: Thu, 7 Jul 2016 18:24:36 -0400 [thread overview]
Message-ID: <CAGXu5jLkq-mRMZ_NtXf6M_4YPrMWVEV3U-iF1qt49LRXPTrxEA@mail.gmail.com> (raw)
In-Reply-To: <1466556426-32664-1-git-send-email-keescook@chromium.org>
On Tue, Jun 21, 2016 at 8:46 PM, Kees Cook <keescook@chromium.org> wrote:
> This is v7 of Thomas Garnier's KASLR for memory areas (physical memory
> mapping, vmalloc, vmemmap). It expects to be applied on top of the
> x86/boot tip.
>
> The current implementation of KASLR randomizes only the base address of
> the kernel and its modules. Research was published showing that static
> memory addresses can be found and used in exploits, effectively ignoring
> base address KASLR:
>
> The physical memory mapping holds most allocations from boot and
> heap allocators. Knowning the base address and physical memory
> size, an attacker can deduce the PDE virtual address for the vDSO
> memory page. This attack was demonstrated at CanSecWest 2016, in
> the "Getting Physical: Extreme Abuse of Intel Based Paged Systems"
> https://goo.gl/ANpWdV (see second part of the presentation). The
> exploits used against Linux worked successfuly against 4.6+ but fail
> with KASLR memory enabled (https://goo.gl/iTtXMJ). Similar research
> was done at Google leading to this patch proposal. Variants exists
> to overwrite /proc or /sys objects ACLs leading to elevation of
> privileges. These variants were tested against 4.6+.
>
> This set of patches randomizes the base address and padding of three
> major memory sections (physical memory mapping, vmalloc, and vmemmap).
> It mitigates exploits relying on predictable kernel addresses in these
> areas. This feature can be enabled with the CONFIG_RANDOMIZE_MEMORY
> option. (This CONFIG, along with CONFIG_RANDOMIZE may be renamed in
> the future, but stands for now as other architectures continue to
> implement KASLR.)
>
> Padding for the memory hotplug support is managed by
> CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING. The default value is 10
> terabytes.
>
> The patches were tested on qemu & physical machines. Xen compatibility was
> also verified. Multiple reboots were used to verify entropy for each
> memory section.
>
> Notable problems that needed solving:
> - The three target memory sections need to not be at the same place
> across reboots.
> - The physical memory mapping can use a virtual address not aligned on
> the PGD page table.
> - Reasonable entropy is needed early at boot before get_random_bytes()
> is available.
> - Memory hotplug needs KASLR padding.
>
> Patches:
> - 1: refactor KASLR functions (moves them from boot/compressed/ into lib/)
> - 2: clarifies the variables used for physical mapping.
> - 3: PUD virtual address support for physical mapping.
> - 4: split out the trampoline PGD
> - 5: KASLR memory infrastructure code
> - 6: randomize base of physical mapping region
> - 7: randomize base of vmalloc region
> - 8: randomize base of vmemmap region
> - 9: provide memory hotplug padding support
>
> There is no measurable performance impact:
>
> - Kernbench shows almost no difference (-+ less than 1%).
> - Hackbench shows 0% difference on average (hackbench 90 repeated 10 times).
Hi again,
Just a friendly ping -- I'd love to get this into -tip for wider testing.
Thanks!
-Kees
--
Kees Cook
Chrome OS & Brillo Security
prev parent reply other threads:[~2016-07-07 22:24 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-22 0:46 [kernel-hardening] [PATCH v7 0/9] x86/mm: memory area address KASLR Kees Cook
2016-06-22 0:46 ` [kernel-hardening] [PATCH v7 1/9] x86/mm: Refactor KASLR entropy functions Kees Cook
2016-06-22 0:46 ` [kernel-hardening] [PATCH v7 2/9] x86/mm: Update physical mapping variable names (x86_64) Kees Cook
2016-06-22 0:47 ` [kernel-hardening] [PATCH v7 3/9] x86/mm: PUD VA support for physical mapping (x86_64) Kees Cook
2016-06-22 0:47 ` [kernel-hardening] [PATCH v7 4/9] x86/mm: Separate variable for trampoline PGD (x86_64) Kees Cook
2016-06-22 0:47 ` [kernel-hardening] [PATCH v7 5/9] x86/mm: Implement ASLR for kernel memory regions (x86_64) Kees Cook
2016-06-22 0:47 ` [kernel-hardening] [PATCH v7 6/9] x86/mm: Enable KASLR for physical mapping memory region (x86_64) Kees Cook
2016-06-22 0:47 ` [kernel-hardening] [PATCH v7 7/9] x86/mm: Enable KASLR for vmalloc " Kees Cook
2016-06-22 0:47 ` [kernel-hardening] [PATCH v7 8/9] x86/mm: Enable KASLR for vmemmap " Kees Cook
2016-06-22 0:47 ` [kernel-hardening] [PATCH v7 9/9] x86/mm: Memory hotplug support for KASLR memory randomization (x86_64) Kees Cook
2016-06-22 12:47 ` [kernel-hardening] [PATCH v7 0/9] x86/mm: memory area address KASLR Jason Cooper
2016-06-22 15:59 ` Thomas Garnier
2016-06-22 17:05 ` Kees Cook
2016-06-23 19:33 ` Jason Cooper
2016-06-23 19:45 ` Sandy Harris
2016-06-23 19:59 ` Kees Cook
2016-06-23 20:19 ` Jason Cooper
2016-06-23 20:16 ` Jason Cooper
2016-06-23 19:58 ` Kees Cook
2016-06-23 20:05 ` Ard Biesheuvel
2016-06-24 1:11 ` Jason Cooper
2016-06-24 10:54 ` Ard Biesheuvel
2016-06-24 16:02 ` [kernel-hardening] devicetree random-seed properties, was: "Re: [PATCH v7 0/9] x86/mm: memory area address KASLR" Jason Cooper
2016-06-24 19:04 ` [kernel-hardening] " Kees Cook
2016-06-24 20:40 ` Andy Lutomirski
2016-06-30 21:48 ` Jason Cooper
2016-06-30 21:56 ` Thomas Garnier
2016-06-30 21:48 ` Jason Cooper
2016-07-07 22:24 ` Kees Cook [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAGXu5jLkq-mRMZ_NtXf6M_4YPrMWVEV3U-iF1qt49LRXPTrxEA@mail.gmail.com \
--to=keescook@chromium.org \
--cc=JBeulich@suse.com \
--cc=akpm@linux-foundation.org \
--cc=alpopov@ptsecurity.com \
--cc=aneesh.kumar@linux.vnet.ibm.com \
--cc=bhe@redhat.com \
--cc=boris.ostrovsky@oracle.com \
--cc=borntraeger@de.ibm.com \
--cc=bp@suse.de \
--cc=corbet@lwn.net \
--cc=dan.j.williams@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=dvyukov@google.com \
--cc=dyoung@redhat.com \
--cc=guangrong.xiao@linux.intel.com \
--cc=jgross@suse.com \
--cc=jroedel@suse.de \
--cc=kernel-hardening@lists.openwall.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=kuleshovmail@gmail.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=lv.zheng@intel.com \
--cc=matt@codeblueprint.co.uk \
--cc=mingo@kernel.org \
--cc=msalter@redhat.com \
--cc=schwidefsky@de.ibm.com \
--cc=sds@tycho.nsa.gov \
--cc=thgarnie@google.com \
--cc=toshi.kani@hpe.com \
--cc=x86@kernel.org \
--cc=yinghai@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).