From: Ingo Molnar <mingo@elte.hu>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Dan Rosenberg <drosenberg@vsecurity.com>,
linux-kernel@vger.kernel.org, davej@redhat.com,
kees.cook@canonical.com, davem@davemloft.net, eranian@google.com,
adobriyan@gmail.com, penberg@kernel.org
Subject: Re: [BUG] perf: bogus correlation of kernel symbols
Date: Fri, 20 May 2011 20:28:38 +0200 [thread overview]
Message-ID: <20110520182838.GA12765@elte.hu> (raw)
In-Reply-To: <BANLkTinCnqrzMyoSzS04fCAqks1bd9Y8=g@mail.gmail.com>
* Linus Torvalds <torvalds@linux-foundation.org> wrote:
> There's a *big* detail that makes it hard: there's only a few bits of
> randomness we can add to the address. The kernel base address ends up having
> various fundamental limitations (cacheline alignment for the code, and we
> have several segments that require page alignment), so you really can't
> realistically do more than something like 8-12 bits of address randomization.
Yeah, i tried to address this issue in my first mail: basically just a few bits
would already make a big difference in practice: even a *single* bit of
randomness makes an exploit crash 50% of the time - at which point the attack
stops being stealth.
8 bits would be a lot.
So i think this is really realistic, even if a brute force, networked attack
can successfully attack 1 out of 256, 512 or 1024 boxes. Even for the worm cas
the networked attack would not scale very well.
> Regardless, the virtual mapping trick (independently of whether it's
> read-only or not) can be used to avoid exposing the *actual* address of the
> IDT of the kernel, and would hide the kernel load address details. However,
> it does make traps slightly slower, if they cannot use the 1:1 mapping with
> large pages for the IDT access and thus cause more TLB pressure. Of course,
> in many situations we probably end up not having large pages for the kernel
> anyway, so..
We could put per CPU IDTs into the percpu area if that improves performance.
This might help on NUMA: on NUMA only one node has the IDT local, the others
will take a remote DRAM access every time they miss the IDT - and the IDT could
easily be missed if there are no IRQs or traps for a long time (say CPU-bound
user-space processing).
There may also be cases where an implicit locked access is generated to the
IDT?
Thanks,
Ingo
next prev parent reply other threads:[~2011-05-20 18:28 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1305292059.1949.0.camel@dan>
2011-05-13 13:29 ` [BUG] perf: bogus correlation of kernel symbols Dan Rosenberg
2011-05-16 15:35 ` Ingo Molnar
2011-05-16 16:14 ` Dan Rosenberg
2011-05-20 0:56 ` Dan Rosenberg
2011-05-20 12:07 ` Ingo Molnar
2011-05-20 12:54 ` Dan Rosenberg
2011-05-20 13:11 ` Ingo Molnar
2011-05-20 17:41 ` Dan Rosenberg
2011-05-20 18:14 ` Linus Torvalds
2011-05-20 18:27 ` Kees Cook
2011-05-20 18:34 ` Dan Rosenberg
2011-05-20 18:42 ` Ingo Molnar
2011-05-20 18:28 ` Ingo Molnar [this message]
2011-05-22 6:11 ` david
2011-05-20 18:35 ` Ingo Molnar
2011-05-22 18:45 ` Dan Rosenberg
[not found] ` <BANLkTik1SK_kWVvGsKk0SqdByQ5-0b5nFg@mail.gmail.com>
2011-05-23 0:25 ` Dan Rosenberg
2011-05-23 0:37 ` H. Peter Anvin
2011-05-23 10:49 ` Ingo Molnar
2011-05-23 19:02 ` Ray Lee
2011-05-23 19:35 ` Ingo Molnar
2011-05-24 1:59 ` Valdis.Kletnieks
2011-05-24 4:06 ` Ingo Molnar
2011-05-12 14:48 Stephane Eranian
2011-05-12 18:06 ` David Miller
2011-05-12 18:37 ` Dave Jones
2011-05-12 19:01 ` David Miller
2011-05-12 19:58 ` Pekka Enberg
2011-05-13 6:12 ` Kees Cook
2011-05-13 6:24 ` Pekka Enberg
2011-05-12 20:24 ` Alexey Dobriyan
2011-05-12 21:06 ` Ingo Molnar
2011-05-12 20:31 ` Linus Torvalds
2011-05-12 20:43 ` David Miller
2011-05-12 21:07 ` Stephane Eranian
2011-05-12 21:30 ` Stephane Eranian
2011-05-12 21:35 ` Ingo Molnar
2011-05-12 21:38 ` Stephane Eranian
2011-05-12 21:50 ` Ingo Molnar
2011-05-12 21:56 ` Stephane Eranian
2011-05-12 22:00 ` Ingo Molnar
2011-05-12 22:07 ` Dave Jones
2011-05-12 22:15 ` Stephane Eranian
2011-05-13 9:01 ` Ingo Molnar
2011-05-13 8:57 ` Ingo Molnar
2011-05-13 16:23 ` Andi Kleen
2011-05-17 12:17 ` Ingo Molnar
2011-05-12 21:36 ` Ingo Molnar
2011-05-12 21:41 ` Stephane Eranian
2011-05-12 21:54 ` Ingo Molnar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110520182838.GA12765@elte.hu \
--to=mingo@elte.hu \
--cc=adobriyan@gmail.com \
--cc=davej@redhat.com \
--cc=davem@davemloft.net \
--cc=drosenberg@vsecurity.com \
--cc=eranian@google.com \
--cc=kees.cook@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=penberg@kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.