From: Daniel Micay <danielmicay@gmail.com>
To: kernel-hardening@lists.openwall.com,
Rasmus Villemoes <linux@rasmusvillemoes.dk>
Cc: abhiram@cs.utah.edu
Subject: Re: [kernel-hardening] Re: [RFC PATCH 1/2] SROP Mitigation: Architecture independent code for signal cookies
Date: Tue, 02 Feb 2016 04:15:59 -0500 [thread overview]
Message-ID: <1454404559.31183.10.camel@gmail.com> (raw)
In-Reply-To: <56AFE7EE.30100@eng.utah.edu>
[-- Attachment #1: Type: text/plain, Size: 1275 bytes --]
> Maybe secret is a bad term. It's supposed to be something userland
> can't guess
> without doing a bunch of tricks. It's essentially supposed to work
> like a stack
> canary to protect against stack based buffer overflows. If someone
> can leak the
> stack canary in a stack based overflow, then do the overflow they can
> overcome
> stack canaries as a mitigation. The same is true here. If someone can
> generate a
> signal, leak the signal cookie, then leak the address of the signal
> cookie, then
> undo the hash, then they can beat this mitigation. But we're arguing
> if someone
> can do everything we've said above they have already have nearly full
> control of
> a userland process and they won't really need SROP.
>
> Essentially the signal cookie is just a way for the kernel to know if
> the
> sigreturn it's handling is in response to a legitimate signal that
> the kernel
> previously delivered without having to save a ton of state in
> current, or
> elsewhere.
Stack canary checking has a tiny performance budget though. It would be
interesting to know how SipHash fared in a case like this. It could be
specialized for fixed-size keys and potentially used elsewhere. Seems
like it would be more than fast enough.
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
next prev parent reply other threads:[~2016-02-02 9:15 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1453622354-50686-1-git-send-email-sbauer@eng.utah.edu>
2016-01-24 7:59 ` [kernel-hardening] [RFC PATCH 1/2] SROP Mitigation: Architecture independent code for signal cookies Scott Bauer
2016-01-28 23:25 ` Kees Cook
2016-01-29 21:26 ` Scotty Bauer
2016-02-01 22:42 ` [kernel-hardening] " Rasmus Villemoes
2016-02-01 23:19 ` Scotty Bauer
2016-02-02 9:15 ` Daniel Micay [this message]
2016-01-24 7:59 ` [kernel-hardening] [RFC PATCH 2/2] x86: SROP mitigation: implement " Scott Bauer
2016-01-28 23:31 ` Kees Cook
2016-01-30 14:34 ` Jann Horn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1454404559.31183.10.camel@gmail.com \
--to=danielmicay@gmail.com \
--cc=abhiram@cs.utah.edu \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux@rasmusvillemoes.dk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.