From: Dan Rosenberg <drosenberg@vsecurity.com>
To: Ingo Molnar <mingo@elte.hu>
Cc: linux-kernel@vger.kernel.org, davej@redhat.com,
kees.cook@canonical.com, davem@davemloft.net, eranian@google.com,
torvalds@linux-foundation.org, adobriyan@gmail.com,
penberg@kernel.org
Subject: Re: [BUG] perf: bogus correlation of kernel symbols
Date: Mon, 16 May 2011 12:14:12 -0400 [thread overview]
Message-ID: <1305562452.1818.10.camel@dan> (raw)
In-Reply-To: <20110516153527.GC21107@elte.hu>
On Mon, 2011-05-16 at 17:35 +0200, Ingo Molnar wrote:
> Agreed, it would be a very useful feature.
>
> I'd suggest to implement it along the lines of:
>
> - First check whether grsecurity or PAX has this implemented already via the
> relocation facility - they are pretty good at being paranoid so i'd be
> surprised if they didnt think of this already! :-)
>
> - If not then have a look at CONFIG_RELOCATABLE and to relocate the kernel
> binary intentionally via a hardcoded parameter. Just see whether you can do
> it and whether it works as you expect it. Check /proc/kallsyms changing
> after your patch. Enjoy the kernel still working ;-)
>
> - Then promote it to a boot parameter - this way you'll be able to tell
> whether there's any hidden build-time assumptions about relocation position.
> (there really shouldnt be any given that kexec works just fine - but i'd
> suggest this step just in case.)
>
> - Then promote that hack to be a randomized parameter. Marvel at a different,
> randomized /proc/kallsyms output at every bootup and enjoy the still working
> kernel!
>
> - Then look at all RIP outputs (thanks to your prior efforts they are now
> mostly concentrated in the vprints code!) and reverse apply the random
> offset before it's exported into user-space. wchan, etc. Marvel at the
> constant /proc/kallsyms output, fully knowing that the *real* addresses
> are randomized.
>
> - Please do not forget to transfer perf RIPs and callchains and marvel at the
> well working 'perf top' output.
>
> At that point the feature will be highly useful already IMO. Remaining work
> will be to think through and close down all remaining avenues of RIP leakage.
>
> At this point kptr_restrict will be a lot less relevant - the symbols will
> expose offsets (so it's not totally unhelpful to attackers) but not the real
> absolute addresses.
>
> Unless i'm missing some particularly difficult roadblock, which is possible.
>
> If you try this then please keep us posted at every step above, even if your
> patches are not fully working and useful yet. Maybe some other
> details/ideas/suggestions will arise at that point.
>
Thanks for the detailed response. I will attempt to go down this road,
and will keep people posted with my progress.
-Dan
> Thanks,
>
> Ingo
next prev parent reply other threads:[~2011-05-16 16:14 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1305292059.1949.0.camel@dan>
2011-05-13 13:29 ` [BUG] perf: bogus correlation of kernel symbols Dan Rosenberg
2011-05-16 15:35 ` Ingo Molnar
2011-05-16 16:14 ` Dan Rosenberg [this message]
2011-05-20 0:56 ` Dan Rosenberg
2011-05-20 12:07 ` Ingo Molnar
2011-05-20 12:54 ` Dan Rosenberg
2011-05-20 13:11 ` Ingo Molnar
2011-05-20 17:41 ` Dan Rosenberg
2011-05-20 18:14 ` Linus Torvalds
2011-05-20 18:27 ` Kees Cook
2011-05-20 18:34 ` Dan Rosenberg
2011-05-20 18:42 ` Ingo Molnar
2011-05-20 18:28 ` Ingo Molnar
2011-05-22 6:11 ` david
2011-05-20 18:35 ` Ingo Molnar
2011-05-22 18:45 ` Dan Rosenberg
[not found] ` <BANLkTik1SK_kWVvGsKk0SqdByQ5-0b5nFg@mail.gmail.com>
2011-05-23 0:25 ` Dan Rosenberg
2011-05-23 0:37 ` H. Peter Anvin
2011-05-23 10:49 ` Ingo Molnar
2011-05-23 19:02 ` Ray Lee
2011-05-23 19:35 ` Ingo Molnar
2011-05-24 1:59 ` Valdis.Kletnieks
2011-05-24 4:06 ` Ingo Molnar
2011-05-12 14:48 Stephane Eranian
2011-05-12 18:06 ` David Miller
2011-05-12 18:37 ` Dave Jones
2011-05-12 19:01 ` David Miller
2011-05-12 19:58 ` Pekka Enberg
2011-05-13 6:12 ` Kees Cook
2011-05-13 6:24 ` Pekka Enberg
2011-05-12 20:24 ` Alexey Dobriyan
2011-05-12 21:06 ` Ingo Molnar
2011-05-12 20:31 ` Linus Torvalds
2011-05-12 20:43 ` David Miller
2011-05-12 21:07 ` Stephane Eranian
2011-05-12 21:30 ` Stephane Eranian
2011-05-12 21:35 ` Ingo Molnar
2011-05-12 21:38 ` Stephane Eranian
2011-05-12 21:50 ` Ingo Molnar
2011-05-12 21:56 ` Stephane Eranian
2011-05-12 22:00 ` Ingo Molnar
2011-05-12 22:07 ` Dave Jones
2011-05-12 22:15 ` Stephane Eranian
2011-05-13 9:01 ` Ingo Molnar
2011-05-13 8:57 ` Ingo Molnar
2011-05-13 16:23 ` Andi Kleen
2011-05-17 12:17 ` Ingo Molnar
2011-05-12 21:36 ` Ingo Molnar
2011-05-12 21:41 ` Stephane Eranian
2011-05-12 21:54 ` Ingo Molnar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1305562452.1818.10.camel@dan \
--to=drosenberg@vsecurity.com \
--cc=adobriyan@gmail.com \
--cc=davej@redhat.com \
--cc=davem@davemloft.net \
--cc=eranian@google.com \
--cc=kees.cook@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=penberg@kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.