From: Daniel Micay <danielmicay@gmail.com>
To: kernel-hardening@lists.openwall.com, PaX Team <pageexec@freemail.hu>
Cc: "AKASHI, Takahiro" <takahiro.akashi@linaro.org>,
Mark Rutland <mark.rutland@arm.com>,
park jinbum <jinb.park7@gmail.com>
Subject: Re: [kernel-hardening] Introduction
Date: Fri, 13 Jan 2017 16:57:01 -0500 [thread overview]
Message-ID: <1484344621.3381.2.camel@gmail.com> (raw)
In-Reply-To: <CAGXu5jJt7Kc9eH+=a11=ewem1E0GDo4+tu48OWGQ67Tu7fJfLA@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 3011 bytes --]
On Fri, 2017-01-13 at 11:06 -0800, Kees Cook wrote:
> On Fri, Jan 13, 2017 at 10:51 AM, PaX Team <pageexec@freemail.hu>
> wrote:
> > On 13 Jan 2017 at 9:54, Kees Cook wrote:
> >
> > > PaX Team, the heuristic for STRUCTLEAK appears to be "does the
> > > struct
> > > contain anything marked __user". Is this actually a meaningful
> > > information exposure case? It seems like there are a lot more
> > > cases
> > > for exposures where there is nothing marked __user. Is that the
> > > meaning of "much smaller coverage" compared to STACKLEAK in the
> > > Kconfig?
> >
> > STRUCTLEAK was written in response to a particular bug a few years
> > ago
> > where we didn't want to give the bug away but still wanted to fix it
> > during the embargo. the struct in question could be matched by this
> > heuristics, matching everything else (however little of it) is
> > really
> > just a free side effect. could coverage be improved? of course but
> > that
> > would take a whole lot more work (manual markups and/or data flow
> > analysis
> > in LTO mode).
>
> Out of curiosity, do you remember which bug? I'd be curious to compare
> it against others. It seems like adding structleak to upstream still
> has value, even if the coverage isn't as complete as stackleak.
There's the performance-oblivious approach of zeroing all locals early
in the compiler pipeline and relying on compiler optimizations to remove
it when it's not required. They're already pretty good at doing it.
There can be a scale of aggressiveness for a feature like this, with
very conservative heuristics on one end (like analysis to propagate from
copy_to_user) and no heuristics at all for the other. It would be
interesting to measure that to figure out the worst case performance
scenario, particularly if it's possible to narrow down areas where it
hurts and then work out some simple heuristics to reduce the cost. Maybe
most of the cost can be alleviated by not doing arrays or by having a
size limit, etc. Maybe there are only a few areas where it really hurts
and they could be marked. Need to test before conclusions about
heuristics can be drawn.
I'm doing it for Android's userspace via Clang. It's usually very cheap
and actually costs less than SSP for most code. The top of the stack is
inherently hot data and since it's not adding branches, the main cost is
probably code size. There are some cases where it can really hurt due to
arrays on the stack, but the kernel doesn't have as many of those
particularly with large arrays. I haven't implemented it for GCC so I
haven't had a chance to try it with the kernel yet. I expect it to be
more than cheap enough for my needs though.
If nothing else, it could be a useful way to uncover bugs via the option
of a non-zero byte value for debug builds rather than the production
oriented zeroing. AFAIK, the kernel doesn't have anything to do that on
the stack, and I haven't had much luck with MSan in userspace anyway.
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 866 bytes --]
next prev parent reply other threads:[~2017-01-13 21:57 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-12 15:06 [kernel-hardening] Introduction park jinbum
2017-01-12 16:06 ` Mark Rutland
2017-01-13 8:23 ` AKASHI, Takahiro
2017-01-13 17:54 ` Kees Cook
2017-01-13 18:51 ` PaX Team
2017-01-13 19:06 ` Kees Cook
2017-01-13 19:26 ` Kees Cook
2017-01-13 20:38 ` Kees Cook
2017-01-13 23:09 ` PaX Team
2017-01-13 23:15 ` Kees Cook
2017-01-14 10:10 ` PaX Team
2017-01-17 17:32 ` Kees Cook
2017-01-17 18:43 ` PaX Team
2017-01-13 20:35 ` PaX Team
2017-01-13 21:57 ` Daniel Micay [this message]
2017-01-13 22:04 ` Kees Cook
-- strict thread matches above, loose matches on Subject: below --
2017-01-24 0:06 Jessica Frazelle
2017-01-25 19:37 ` Kees Cook
2017-01-26 4:12 ` Jessica Frazelle
2017-01-26 21:42 ` Kees Cook
2017-01-27 19:14 ` Jessica Frazelle
2017-01-30 20:02 ` Kees Cook
2015-12-17 23:34 Leibowitz, Michael
2015-12-18 0:36 ` Kees Cook
2015-12-18 0:48 ` Daniel Micay
2015-12-18 16:54 ` Schaufler, Casey
2015-12-18 21:11 ` Kees Cook
2015-12-18 1:00 ` Solar Designer
2015-12-18 2:42 ` David Windsor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1484344621.3381.2.camel@gmail.com \
--to=danielmicay@gmail.com \
--cc=jinb.park7@gmail.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=mark.rutland@arm.com \
--cc=pageexec@freemail.hu \
--cc=takahiro.akashi@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.