linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed
From: Kees Cook <keescook@google.com>
To: Boris Lukashev <blukashev@sempervictus.com>
Cc: Igor Stoppa <igor.stoppa@huawei.com>,
	Casey Schaufler <casey@schaufler-ca.com>,
	Michal Hocko <mhocko@kernel.org>,
	Dave Hansen <dave.hansen@intel.com>,
	Laura Abbott <labbott@redhat.com>, Linux-MM <linux-mm@kvack.org>,
	"kernel-hardening@lists.openwall.com"
	<kernel-hardening@lists.openwall.com>,
	LKML <linux-kernel@vger.kernel.org>,
	Daniel Micay <danielmicay@gmail.com>,
	Greg KH <gregkh@linuxfoundation.org>,
	James Morris <james.l.morris@oracle.com>,
	Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: [kernel-hardening] Re: [PATCH 1/1] Sealable memory support
Date: Sun, 28 May 2017 14:32:24 -0700	[thread overview]
Message-ID: <CAGXu5j++h=a57hNAR-23NMcjXeysqbtHmc1P=K94-D4VNgVSYg@mail.gmail.com> (raw)
In-Reply-To: <CAFUG7Cen=g4PbDHmkNOqDdTOWWDEx_UTS2gk75_ub=63DQqpJA@mail.gmail.com>

On Sun, May 28, 2017 at 11:56 AM, Boris Lukashev
<blukashev@sempervictus.com> wrote:
> So what about a middle ground where CoW semantics are used to enforce
> the state of these allocations as RO, but provide a strictly
> controlled pathway to read the RO data, copy and modify it, then write
> and seal into a new allocation. Successful return from this process
> should permit the page table to change the pointer to where the object
> now resides, and initiate freeing of the original memory so long as a
> refcount is kept for accesses. That way, sealable memory is sealed,
> and any consumers reading it will be using the original ptr to the
> original smalloc region. Attackers who do manage to change the

This could be another way to do it, yeah, and it helps that smalloc()
is built on vmalloc(). It'd require some careful design, but it could
be a way forward after this initial sealed-after-init version goes in.

> Lastly, my meager understanding is that PAX set the entire kernel as
> RO, and implemented writeable access via pax_open/close. How were they
> fighting against race conditions, and what is the benefit of specific
> regions being allocated this way as opposed to the RO-all-the-things
> approach which makes writes a specialized set of operations?

My understanding is that PaX's KERNEXEC with the constification plugin
moves a substantial portion of the kernel's .data section
(effectively) into the .rodata section. It's not the "entire" kernel.
(Well, depending on how you count. The .text section is already
read-only upstream.) PaX, as far as I know, provided no dynamic memory
allocation protections, like smalloc() would provide.

-Kees

-- 
Kees Cook
Pixel Security

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

  reply	other threads:[~2017-05-28 21:32 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-05-19 10:38 [RFC v3]mm: ro protection for data allocated dynamically Igor Stoppa
2017-05-19 10:38 ` [PATCH 1/1] Sealable memory support Igor Stoppa
2017-05-20  8:51   ` [kernel-hardening] " Greg KH
2017-05-21 11:14     ` [PATCH] LSM: Make security_hook_heads a local variable Tetsuo Handa
2017-05-22 14:03       ` Christoph Hellwig
2017-05-22 15:09         ` Casey Schaufler
2017-05-22 19:50           ` Igor Stoppa
2017-05-22 20:32             ` Casey Schaufler
2017-05-22 20:43               ` Tetsuo Handa
2017-05-22 19:45     ` [kernel-hardening] [PATCH 1/1] Sealable memory support Igor Stoppa
2017-05-22 21:38   ` Kees Cook
2017-05-23  9:43     ` Igor Stoppa
2017-05-23 20:11       ` Kees Cook
2017-05-24 17:45         ` Igor Stoppa
2017-05-28 18:23           ` Kees Cook
2017-05-28 18:56             ` [kernel-hardening] " Boris Lukashev
2017-05-28 21:32               ` Kees Cook [this message]
2017-05-29  6:04                 ` Boris Lukashev
2017-05-31 21:22             ` Igor Stoppa
2017-05-31 13:55   ` kbuild test robot
2017-06-04  2:18   ` kbuild test robot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAGXu5j++h=a57hNAR-23NMcjXeysqbtHmc1P=K94-D4VNgVSYg@mail.gmail.com' \
    --to=keescook@google.com \
    --cc=blukashev@sempervictus.com \
    --cc=casey@schaufler-ca.com \
    --cc=danielmicay@gmail.com \
    --cc=dave.hansen@intel.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=igor.stoppa@huawei.com \
    --cc=james.l.morris@oracle.com \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=labbott@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=mhocko@kernel.org \
    --cc=sds@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).