From: Andy Lutomirski <luto@kernel.org>
To: Florian Weimer <fweimer@redhat.com>
Cc: "Solar Designer" <solar@openwall.com>,
"Pavel Machek" <pavel@ucw.cz>,
"Madhavan T. Venkataraman" <madvenka@linux.microsoft.com>,
"Kernel Hardening" <kernel-hardening@lists.openwall.com>,
"Linux API" <linux-api@vger.kernel.org>,
linux-arm-kernel <linux-arm-kernel@lists.infradead.org>,
"Linux FS Devel" <linux-fsdevel@vger.kernel.org>,
linux-integrity <linux-integrity@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
"LSM List" <linux-security-module@vger.kernel.org>,
"Oleg Nesterov" <oleg@redhat.com>, "X86 ML" <x86@kernel.org>,
"Andrew Lutomirski" <luto@kernel.org>,
"David Laight" <David.Laight@aculab.com>,
"Mark Rutland" <mark.rutland@arm.com>,
"Mickaël Salaün" <mic@digikod.net>,
"Rich Felker" <dalias@libc.org>
Subject: Re: [PATCH v2 0/4] [RFC] Implement Trampoline File Descriptor
Date: Wed, 23 Sep 2020 11:09:29 -0700 [thread overview]
Message-ID: <CALCETrUqct4tDrjTSzJG4+=+cEaaDbZ+Mx=LAUdQjVV=CruUcw@mail.gmail.com> (raw)
In-Reply-To: <87wo0ko8v0.fsf@oldenburg2.str.redhat.com>
On Wed, Sep 23, 2020 at 7:39 AM Florian Weimer <fweimer@redhat.com> wrote:
>
> * Solar Designer:
>
> > While I share my opinion here, I don't mean that to block Madhavan's
> > work. I'd rather defer to people more knowledgeable in current userland
> > and ABI issues/limitations and plans on dealing with those, especially
> > to Florian Weimer. I haven't seen Florian say anything specific for or
> > against Madhavan's proposal, and I'd like to. (Have I missed that?)
>
> There was a previous discussion, where I provided feedback (not much
> different from the feedback here, given that the mechanism is mostly the
> same).
>
> I think it's unnecessary for the libffi use case. Precompiled code can
> be loaded from disk because the libffi trampolines are so regular. On
> most architectures, it's not even the code that's patched, but some of
> the data driving it, which happens to be located on the same page due to
> a libffi quirk.
>
> The libffi use case is a bit strange anyway: its trampolines are
> type-generic, and the per-call adjustment is data-driven. This means
> that once you have libffi in the process, you have a generic
> data-to-function-call mechanism available that can be abused (it's even
> fully CET compatible in recent versions). And then you need to look at
> the processes that use libffi. A lot of them contain bytecode
> interpreters, and those enable data-driven arbitrary code execution as
> well. I know that there are efforts under way to harden Python, but
> it's going to be tough to get to the point where things are still
> difficult for an attacker once they have the ability to make mprotect
> calls.
>
> It was pointed out to me that libffi is doing things wrong, and the
> trampolines should not be type-generic, but generated so that they match
> the function being called. That is, the marshal/unmarshal code would be
> open-coded in the trampoline, rather than using some generic mechanism
> plus run-time dispatch on data tables describing the function type.
> That is a very different design (and typically used by compilers (JIT or
> not JIT) to implement native calls). Mapping some code page with a
> repeating pattern would no longer work to defeat anti-JIT measures
> because it's closer to real JIT. I don't know if kernel support could
> make sense in this context, but it would be a completely different
> patch.
I would very much like to see a well-designed kernel facility for
helping userspace do JIT in a safer manner, but designing such a thing
is likely to be distinctly nontrivial. To throw a half-backed idea
out there, suppose a program could pre-declare a list of JIT
verifiers:
static bool ffi_trampoline_verifier(void *target_address, size_t
target_size, void *source_data, void *context);
struct jit_verifier {
.magic = 0xMAGIC_HERE,
.verifier = ffi_trampoline_verifier,
} my_verifier __attribute((section("something special here?)));
and then a system call something like:
instantiate_jit_code(target, source, size, &my_verifier, context);
The idea being that even an attacker that can force a call to
instantiate_jit_code() can only create code that passes verification
by one of the pre-declared verifiers in the process.
next prev parent reply other threads:[~2020-09-23 18:09 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <210d7cd762d5307c2aa1676705b392bd445f1baa>
2020-09-16 15:08 ` [PATCH v2 0/4] [RFC] Implement Trampoline File Descriptor madvenka
2020-09-16 15:08 ` [PATCH v2 1/4] [RFC] fs/trampfd: Implement the trampoline file descriptor API madvenka
2020-09-16 15:08 ` [PATCH v2 2/4] [RFC] x86/trampfd: Provide support for the trampoline file descriptor madvenka
2020-09-16 15:08 ` [PATCH v2 3/4] [RFC] arm64/trampfd: " madvenka
2020-09-16 15:08 ` [PATCH v2 4/4] [RFC] arm/trampfd: " madvenka
2020-09-17 1:04 ` [PATCH v2 0/4] [RFC] Implement Trampoline File Descriptor Florian Weimer
2020-09-17 15:36 ` Madhavan T. Venkataraman
2020-09-17 15:57 ` Madhavan T. Venkataraman
2020-09-17 16:01 ` Florian Weimer
2020-09-23 1:46 ` Arvind Sankar
2020-09-23 9:11 ` Arvind Sankar
2020-09-23 19:17 ` Madhavan T. Venkataraman
2020-09-23 19:51 ` Arvind Sankar
2020-09-23 23:51 ` Madhavan T. Venkataraman
2020-09-24 20:23 ` Madhavan T. Venkataraman
2020-09-24 20:52 ` Florian Weimer
2020-09-25 22:22 ` Madhavan T. Venkataraman
2020-09-27 18:25 ` Madhavan T. Venkataraman
2020-09-24 22:13 ` Pavel Machek
2020-09-24 23:43 ` Arvind Sankar
2020-09-25 22:44 ` Madhavan T. Venkataraman
2020-09-26 15:55 ` Arvind Sankar
2020-09-27 17:59 ` Madhavan T. Venkataraman
2020-09-22 21:53 ` madvenka
2020-09-22 21:53 ` [PATCH v2 1/4] [RFC] fs/trampfd: Implement the trampoline file descriptor API madvenka
2020-09-22 21:53 ` [PATCH v2 2/4] [RFC] x86/trampfd: Provide support for the trampoline file descriptor madvenka
2020-09-22 21:53 ` [PATCH v2 3/4] [RFC] arm64/trampfd: " madvenka
2020-09-22 21:53 ` [PATCH v2 4/4] [RFC] arm/trampfd: " madvenka
2020-09-22 21:54 ` [PATCH v2 0/4] [RFC] Implement Trampoline File Descriptor Madhavan T. Venkataraman
2020-09-23 8:14 ` Pavel Machek
2020-09-23 9:14 ` Solar Designer
2020-09-23 14:11 ` Solar Designer
2020-09-23 15:18 ` Pavel Machek
2020-09-23 18:00 ` Solar Designer
2020-09-23 18:21 ` Solar Designer
2020-09-23 14:39 ` Florian Weimer
2020-09-23 18:09 ` Andy Lutomirski [this message]
2020-09-23 18:11 ` Solar Designer
2020-09-23 18:49 ` Arvind Sankar
2020-09-23 23:53 ` Madhavan T. Venkataraman
2020-09-23 19:41 ` Madhavan T. Venkataraman
2020-09-23 18:10 ` James Morris
2020-09-23 18:32 ` Madhavan T. Venkataraman
2020-09-23 8:42 ` Pavel Machek
2020-09-23 18:56 ` Madhavan T. Venkataraman
2020-09-23 20:51 ` Pavel Machek
2020-09-23 23:04 ` Madhavan T. Venkataraman
2020-09-24 16:44 ` Mickaël Salaün
2020-09-24 22:05 ` Pavel Machek
2020-09-25 10:12 ` Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CALCETrUqct4tDrjTSzJG4+=+cEaaDbZ+Mx=LAUdQjVV=CruUcw@mail.gmail.com' \
--to=luto@kernel.org \
--cc=David.Laight@aculab.com \
--cc=dalias@libc.org \
--cc=fweimer@redhat.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=madvenka@linux.microsoft.com \
--cc=mark.rutland@arm.com \
--cc=mic@digikod.net \
--cc=oleg@redhat.com \
--cc=pavel@ucw.cz \
--cc=solar@openwall.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).