linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Thomas Garnier <thgarnie@google.com>
To: "H . Peter Anvin" <hpa@zytor.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@suse.de>,
	Andy Lutomirski <luto@kernel.org>,
	Thomas Garnier <thgarnie@google.com>,
	Dmitry Vyukov <dvyukov@google.com>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Dan Williams <dan.j.williams@intel.com>,
	Kees Cook <keescook@chromium.org>,
	Stephen Smalley <sds@tycho.nsa.gov>,
	Kefeng Wang <wangkefeng.wang@huawei.com>,
	Jonathan Corbet <corbet@lwn.net>,
	Matt Fleming <matt@codeblueprint.co.uk>,
	Toshi Kani <toshi.kani@hpe.com>,
	Alexander Kuleshov <kuleshovmail@gmail.com>,
	Alexander Popov <alpopov@ptsecurity.com>,
	Joerg Roedel <jroedel@suse.de>, Dave Young <dyoung@redhat.com>,
	Baoquan He <bhe@redhat.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Mark Salter <msalter@redhat.com>,
	Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: x86@kernel.org, LKML <linux-kernel@vger.kernel.org>,
	linux-doc@vger.kernel.org, Greg Thelen <gthelen@google.com>,
	kernel-hardening@lists.openwall.com
Subject: Re: [PATCH v5 0/4] x86, boot: KASLR memory randomization
Date: Mon, 16 May 2016 11:25:12 -0700	[thread overview]
Message-ID: <CAJcbSZGFweiOPu8UxU0Fyx5X1d26OTO9kQ1JVxG5WZT8XbTCAQ@mail.gmail.com> (raw)
In-Reply-To: <1463081300-11127-1-git-send-email-thgarnie@google.com>

Any feedback on the patch? Ingo? Kees?

Kees mentioned he will take care of the build warning on the KASLR
refactor (the function is not used right now).

Thanks,
Thomas

On Thu, May 12, 2016 at 12:28 PM, Thomas Garnier <thgarnie@google.com> wrote:
> This is PATCH v5 for KASLR memory implementation for x86_64.
>
> Recent changes:
>     Add performance information on commit.
>     Add details on PUD alignment.
>     Add information on testing against the KASLR bypass exploit.
>     Rebase on next-20160511 and merge recent KASLR changes.
>     Integrate feedback from Kees.
>
> ***Background:
> The current implementation of KASLR randomizes only the base address of
> the kernel and its modules. Research was published showing that static
> memory can be overwitten to elevate privileges bypassing KASLR.
>
> In more details:
>
>    The physical memory mapping holds most allocations from boot and heap
>    allocators. Knowning the base address and physical memory size, an
>    attacker can deduce the PDE virtual address for the vDSO memory page.
>    This attack was demonstrated at CanSecWest 2016, in the "Getting
>    Physical Extreme Abuse of Intel Based Paged Systems"
>    https://goo.gl/ANpWdV (see second part of the presentation). The
>    exploits used against Linux worked successfuly against 4.6+ but fail
>    with KASLR memory enabled (https://goo.gl/iTtXMJ). Similar research
>    was done at Google leading to this patch proposal. Variants exists to
>    overwrite /proc or /sys objects ACLs leading to elevation of privileges.
>    These variants were tested against 4.6+.
>
> This set of patches randomizes base address and padding of three
> major memory sections (physical memory mapping, vmalloc & vmemmap).
> It mitigates exploits relying on predictable kernel addresses. This
> feature can be enabled with the CONFIG_RANDOMIZE_MEMORY option.
>
> Padding for the memory hotplug support is managed by
> CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING. The default value is 10
> terabytes.
>
> The patches were tested on qemu & physical machines. Xen compatibility was
> also verified. Multiple reboots were used to verify entropy for each
> memory section.
>
> ***Problems that needed solving:
>  - The three target memory sections are never at the same place between
>    boots.
>  - The physical memory mapping can use a virtual address not aligned on
>    the PGD page table.
>  - Have good entropy early at boot before get_random_bytes is available.
>  - Add optional padding for memory hotplug compatibility.
>
> ***Parts:
>  - The first part prepares for the KASLR memory randomization by
>    refactoring entropy functions used by the current implementation and
>    support PUD level virtual addresses for physical mapping.
>    (Patches 01-02)
>  - The second part implements the KASLR memory randomization for all
>    sections mentioned.
>    (Patch 03)
>  - The third part adds support for memory hotplug by adding an option to
>    define the padding used between the physical memory mapping section
>    and the others.
>    (Patch 04)
>
> Performance data:
>
> Kernbench shows almost no difference (-+ less than 1%):
>
> Before:
>
> Average Optimal load -j 12 Run (std deviation):
> Elapsed Time 102.63 (1.2695)
> User Time 1034.89 (1.18115)
> System Time 87.056 (0.456416)
> Percent CPU 1092.9 (13.892)
> Context Switches 199805 (3455.33)
> Sleeps 97907.8 (900.636)
>
> After:
>
> Average Optimal load -j 12 Run (std deviation):
> Elapsed Time 102.489 (1.10636)
> User Time 1034.86 (1.36053)
> System Time 87.764 (0.49345)
> Percent CPU 1095 (12.7715)
> Context Switches 199036 (4298.1)
> Sleeps 97681.6 (1031.11)
>
> Hackbench shows 0% difference on average (hackbench 90
> repeated 10 times):
>
> attemp,before,after
> 1,0.076,0.069
> 2,0.072,0.069
> 3,0.066,0.066
> 4,0.066,0.068
> 5,0.066,0.067
> 6,0.066,0.069
> 7,0.067,0.066
> 8,0.063,0.067
> 9,0.067,0.065
> 10,0.068,0.071
> average,0.0677,0.0677
>
> Thanks!
>

  parent reply	other threads:[~2016-05-16 18:25 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-05-12 19:28 [PATCH v5 0/4] x86, boot: KASLR memory randomization Thomas Garnier
2016-05-12 19:28 ` [PATCH v5 1/4] x86, boot: Refactor KASLR entropy functions Thomas Garnier
2016-05-12 20:18   ` kbuild test robot
2016-05-12 19:28 ` [PATCH v5 2/4] x86, boot: PUD VA support for physical mapping (x86_64) Thomas Garnier
2016-05-12 19:28 ` [PATCH v5 3/4] x86, boot: Implement ASLR for kernel memory sections (x86_64) Thomas Garnier
2016-05-12 19:28 ` [PATCH v5 4/4] x86, boot: Memory hotplug support for KASLR memory randomization Thomas Garnier
2016-05-16 18:25 ` Thomas Garnier [this message]
2016-05-17  8:15   ` [PATCH v5 0/4] x86, boot: " Kees Cook
2016-05-17 19:32     ` Kees Cook
2016-05-17 19:33 ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAJcbSZGFweiOPu8UxU0Fyx5X1d26OTO9kQ1JVxG5WZT8XbTCAQ@mail.gmail.com \
    --to=thgarnie@google.com \
    --cc=alpopov@ptsecurity.com \
    --cc=bhe@redhat.com \
    --cc=boris.ostrovsky@oracle.com \
    --cc=bp@suse.de \
    --cc=corbet@lwn.net \
    --cc=dan.j.williams@intel.com \
    --cc=dave.hansen@linux.intel.com \
    --cc=dvyukov@google.com \
    --cc=dyoung@redhat.com \
    --cc=gthelen@google.com \
    --cc=hpa@zytor.com \
    --cc=jroedel@suse.de \
    --cc=keescook@chromium.org \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=kuleshovmail@gmail.com \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@kernel.org \
    --cc=matt@codeblueprint.co.uk \
    --cc=mingo@redhat.com \
    --cc=msalter@redhat.com \
    --cc=pbonzini@redhat.com \
    --cc=sds@tycho.nsa.gov \
    --cc=tglx@linutronix.de \
    --cc=toshi.kani@hpe.com \
    --cc=wangkefeng.wang@huawei.com \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).