Re: [Security] proactive defense: using read-only memory, RO/NX modules

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Ingo Molnar <mingo@elte.hu>
To: Kees Cook <kees.cook@canonical.com>,
	matthieu castet <castet.matthieu@free.fr>
Cc: Siarhei Liakh <sliakh.lkml@gmail.com>,
	Rusty Russell <rusty@rustcorp.com.au>,
	linux-kernel@vger.kernel.org,
	Linus Torvalds <torvalds@linux-foundation.org>,
	"H. Peter Anvin" <hpa@zytor.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Arjan van de Ven <arjan@infradead.org>,
	Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [Security] proactive defense: using read-only memory, RO/NX modules
Date: Wed, 10 Nov 2010 10:04:15 +0100	[thread overview]
Message-ID: <20101110090415.GC8370@elte.hu> (raw)
In-Reply-To: <20101108214228.GQ5876@outflux.net>


* Kees Cook <kees.cook@canonical.com> wrote:

> Hi,
> 
> On Mon, Nov 08, 2010 at 07:13:24AM +0100, Ingo Molnar wrote:
> > * Kees Cook <kees.cook@canonical.com> wrote:
> > > While Dan Rosenberg is working to make things harder to locate potential targets 
> > > in the kernel through fixing kernel address leaks[1], I'd like to approach a 
> > > related proactive security measure: enforcing read-only memory for things that 
> > > would make good targets.
> > 
> > Nice! IMHO we need more of that. (If the readonly section gets big enough in 
> > practice we could perhaps even mark it large-page in the future. It could serve as 
> > an allocator to module code as well - that would probably be a speedup even for 
> > modules.)
> 
> Well, I can try to extract and send what PaX does, but it seems relatively
> incompatible with the existing system that uses set_kernel_text_rw() and
> friends.
> 
> > > - Modules need to be correctly marked RO/NX. This patch exists[3], but is
> > >   not in mainline. It needs to be in mainline.
> > [...]
> > >
> > > [3] http://git.kernel.org/?p=linux/kernel/git/x86/linux-2.6-tip.git;a=commitdiff;h=65187d24fa3ef60f691f847c792e8eaca7e19251
> > 
> > The reason the RO/NX patch from Siarhei Liakh is not upstream yet is rather mundane: 
> > it introduced regressions - it caused boot crashes on one of my testboxes.
> > 
> > But there is no fundamental reason why it shouldnt be upstream. We can push it 
> > upstream if the crashes are resolved and if it gets an Ack from Rusty or Linus 
> > for the module bits.
> 
> Oh, well, yes, that's a good reason. :) Where was this covered? I'd like to help 
> get it reproduced and ironed out.

Matthieu Castet seems to have dusted off those patches and submitted two of them in 
this mail:

  Subject: [RFC] reworked NX protection for kernel data

Matthieu, are you still interested in this topic?

The original, broken patches were these -tip commits:

 1e858c081af5: x86, mm: RO/NX protection for loadable kernel modules
 18c60ddc9eff: x86, mm: NX protection for kernel data
 c226a2feba21: x86, mm: Set first MB as RW+NX
 b29d530510d4: x86, mm: Correcting improper large page preservation

I reported one of the crashes in:

  Subject: Re: [tip:x86/mm] x86, mm: Set first MB as RW+NX

on lkml.

Thanks,

	Ingo

next prev parent reply	other threads:[~2010-11-10  9:04 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-11-07 19:35 [Security] proactive defense: using read-only memory Kees Cook
2010-11-08  6:13 ` [Security] proactive defense: using read-only memory, RO/NX modules Ingo Molnar
2010-11-08 10:03   ` Alan Cox
2010-11-08 21:42   ` Kees Cook
2010-11-10  9:04     ` Ingo Molnar [this message]
2010-11-11  6:56       ` Kees Cook
2010-11-11  9:07         ` Ingo Molnar
2010-11-13 19:59       ` matthieu castet
2010-11-14  9:56         ` Ingo Molnar
2010-11-17 10:00 ` [Security] proactive defense: using read-only memory Pavel Machek
2010-11-17 22:14   ` Kees Cook
2011-01-02  9:09     ` Pavel Machek
2010-11-18  0:12   ` Valdis.Kletnieks

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20101110090415.GC8370@elte.hu \
    --to=mingo@elte.hu \
    --cc=akpm@linux-foundation.org \
    --cc=arjan@infradead.org \
    --cc=castet.matthieu@free.fr \
    --cc=hpa@zytor.com \
    --cc=kees.cook@canonical.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=rusty@rustcorp.com.au \
    --cc=sliakh.lkml@gmail.com \
    --cc=tglx@linutronix.de \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.