From: "Theodore Ts'o" <tytso@mit.edu>
To: David Laight <David.Laight@ACULAB.COM>
Cc: "'Reshetova, Elena'" <elena.reshetova@intel.com>,
"'Peter Zijlstra'" <peterz@infradead.org>,
Ingo Molnar <mingo@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
"luto@kernel.org" <luto@kernel.org>,
"luto@amacapital.net" <luto@amacapital.net>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"jpoimboe@redhat.com" <jpoimboe@redhat.com>,
"keescook@chromium.org" <keescook@chromium.org>,
"jannh@google.com" <jannh@google.com>,
"Perla, Enrico" <enrico.perla@intel.com>,
"mingo@redhat.com" <mingo@redhat.com>,
"bp@alien8.de" <bp@alien8.de>,
"tglx@linutronix.de" <tglx@linutronix.de>,
"gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>
Subject: Re: [PATCH] x86/entry/64: randomize kernel stack offset upon syscall
Date: Wed, 17 Apr 2019 11:15:55 -0400 [thread overview]
Message-ID: <20190417151555.GG4686@mit.edu> (raw)
In-Reply-To: <9cf586757eb44f2c8f167abf078da921@AcuMS.aculab.com>
On Wed, Apr 17, 2019 at 09:28:35AM +0000, David Laight wrote:
>
> If you can guarantee back to back requests on the PRNG then it is probably
> possible to recalculate its state from 'bits of state'/5 calls.
> Depend on the PRNG this might be computationally expensive.
> For some PRNG it will be absolutely trivial.
> ...
> Stirring in a little bit of entropy doesn't help much either.
> The entropy bits are effectively initial state bits.
> Add 4 in with each request and 128 outputs gives 640 linear
> equations in the (128 + 4 * 128) unknowns - still solvable.
This is basically a scenario where the attacker has already taken
control of Ring 3 execution and the question is how hard is it for
them to perform privilege escalation attack to ring 0, right? I'm
sure the security folks will think I'm defeatist, but my personal rule
of thumb is if the attacker has ring 3 control, you've already lost
--- I figure there are so many zero days that getting ring 0 control
is a foregone conclusion. :-(
So that basically means if we want to protect against this, we're
going to do something which involves Real Crypto (tm). Whether that's
RDRAND, or using Chacha20, etc., or something that has some attack
resistance, such as "half MD5", etc., but emminently crackable by
brute force, is essentially a overhead vs. security argument, and what
it is we are willing to pay.
- Ted
next prev parent reply other threads:[~2019-04-17 15:17 UTC|newest]
Thread overview: 81+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-15 6:09 [PATCH] x86/entry/64: randomize kernel stack offset upon syscall Elena Reshetova
2019-04-15 7:25 ` Ingo Molnar
2019-04-15 8:44 ` Reshetova, Elena
2019-04-16 7:34 ` Ingo Molnar
2019-04-16 11:10 ` Reshetova, Elena
2019-04-16 12:08 ` Peter Zijlstra
2019-04-16 12:45 ` David Laight
2019-04-16 15:43 ` Theodore Ts'o
2019-04-16 16:07 ` Peter Zijlstra
2019-04-16 16:47 ` Reshetova, Elena
2019-04-17 9:28 ` David Laight
2019-04-17 15:15 ` Theodore Ts'o [this message]
2019-04-17 15:40 ` Kees Cook
2019-04-17 15:53 ` David Laight
2019-04-24 11:42 ` Reshetova, Elena
2019-04-24 13:33 ` David Laight
2019-04-25 11:23 ` Reshetova, Elena
2019-04-26 11:33 ` Reshetova, Elena
2019-04-26 14:01 ` Theodore Ts'o
2019-04-26 17:44 ` Eric Biggers
2019-04-26 18:02 ` Theodore Ts'o
2019-04-27 13:59 ` Andy Lutomirski
2019-04-29 8:04 ` Reshetova, Elena
2019-04-26 18:34 ` Andy Lutomirski
2019-04-29 7:46 ` Reshetova, Elena
2019-04-29 16:08 ` Andy Lutomirski
2019-04-30 17:51 ` Reshetova, Elena
2019-04-30 18:01 ` Kees Cook
2019-05-01 8:23 ` David Laight
2019-05-02 8:07 ` Reshetova, Elena
2019-05-01 8:41 ` David Laight
2019-05-01 23:33 ` Andy Lutomirski
2019-05-02 8:15 ` Reshetova, Elena
2019-05-02 9:23 ` David Laight
2019-05-02 14:47 ` Andy Lutomirski
2019-05-02 15:08 ` Ingo Molnar
2019-05-02 16:32 ` Andy Lutomirski
2019-05-02 16:43 ` Ingo Molnar
2019-05-03 16:40 ` Andy Lutomirski
2019-05-02 16:34 ` David Laight
2019-05-02 16:45 ` Ingo Molnar
2019-05-03 16:17 ` Reshetova, Elena
2019-05-03 16:40 ` David Laight
2019-05-03 19:10 ` Linus Torvalds
2019-05-06 6:47 ` Reshetova, Elena
2019-05-06 7:01 ` Reshetova, Elena
2019-05-08 11:18 ` Reshetova, Elena
2019-05-08 11:32 ` Ingo Molnar
2019-05-08 13:22 ` Reshetova, Elena
2019-05-09 5:59 ` Ingo Molnar
2019-05-09 7:01 ` Reshetova, Elena
2019-05-09 8:43 ` Ingo Molnar
2019-05-11 22:45 ` Andy Lutomirski
2019-05-12 0:12 ` Kees Cook
2019-05-12 8:02 ` Ingo Molnar
2019-05-12 14:33 ` Kees Cook
2019-05-28 12:28 ` Reshetova, Elena
2019-05-28 13:33 ` Theodore Ts'o
2019-05-29 10:13 ` Reshetova, Elena
2019-05-29 10:51 ` David Laight
2019-05-29 18:35 ` Kees Cook
2019-05-29 18:37 ` Kees Cook
2019-07-29 11:41 ` Reshetova, Elena
2019-07-30 18:07 ` Kees Cook
2019-08-01 6:35 ` Reshetova, Elena
2019-05-09 7:03 ` Reshetova, Elena
2019-05-06 7:32 ` Reshetova, Elena
2019-04-29 7:49 ` Reshetova, Elena
2019-04-26 17:37 ` Edgecombe, Rick P
2019-04-17 6:24 ` Ingo Molnar
2019-04-16 18:19 ` Reshetova, Elena
[not found] <20190408061358.21288-1-elena.reshetova@intel.com>
2019-04-08 12:49 ` Josh Poimboeuf
2019-04-08 13:30 ` Reshetova, Elena
2019-04-08 16:21 ` Kees Cook
2019-04-10 8:26 ` Ingo Molnar
2019-04-10 9:00 ` Reshetova, Elena
2019-04-10 10:17 ` Ingo Molnar
2019-04-10 10:24 ` Reshetova, Elena
2019-04-10 14:52 ` Andy Lutomirski
2019-04-12 5:36 ` Reshetova, Elena
2019-04-12 21:16 ` Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190417151555.GG4686@mit.edu \
--to=tytso@mit.edu \
--cc=David.Laight@ACULAB.COM \
--cc=bp@alien8.de \
--cc=daniel@iogearbox.net \
--cc=elena.reshetova@intel.com \
--cc=enrico.perla@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=jannh@google.com \
--cc=jpoimboe@redhat.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=luto@kernel.org \
--cc=mingo@kernel.org \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).