From: Cyrill Gorcunov <gorcunov@gmail.com>
To: Kyle Moffett <kyle@moffetthome.net>
Cc: Tejun Heo <tj@kernel.org>, Pekka Enberg <penberg@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Pavel Emelyanov <xemul@parallels.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Glauber Costa <glommer@parallels.com>,
Andi Kleen <andi@firstfloor.org>,
Matt Helsley <matthltc@us.ibm.com>,
Eric Dumazet <eric.dumazet@gmail.com>,
Vasiliy Kulikov <segoon@openwall.com>
Subject: Re: [PATCH v2 0/4] Checkpoint/Restore: Show in proc IDs of objects that can be shared between tasks
Date: Sat, 19 Nov 2011 09:30:07 +0400 [thread overview]
Message-ID: <20111119053007.GE21041@moon> (raw)
In-Reply-To: <CAGZ=bqJSDjfkx3E_WDh77j7cmNS0AcFoKe6oBHLbiEQC+qGn-w@mail.gmail.com>
On Fri, Nov 18, 2011 at 08:09:12PM -0500, Kyle Moffett wrote:
...
> >
> > The new version is using different poison for different types of
> > objects.
>
> Even still, if you use a one-time pad (IE: XOR with a random data
> value) to obscure more than exactly 1 object total, ever, all of its
> security properties are null and void.
>
True. It's not one-time pads there.
>
> >> If you actually want to be able to compare uniqueness without exposing
> >> anything vulnerable to various kinds of guessing, you should generate
> >> a random 64-bit value for each class of object and then use a proper
> >> cryptographic hash function on it:
> >> crypto_hash(concat(object_ptr, random_value))
> >>
> >> Even given the best possible practical attacks against SHA1 or MD5
> >> today both still provides more than enough security to prevent someone
> >> from guessing "object_ptr" in less than an absurd amount of time.
> >
> > So, per-type poison + crypto hash, it is then.
>
> Yes. I haven't thought through whether or not you would ever care
> about a system giving out the same number for two different kinds of
> object. The only possible vulnerability I can think of would be if
> the kernel had a use-after-free bug... You could allocate and free a
> bunch of the vulnerable objects and use this data-structure-ID system
> to find an allocated data-structure of a different type which matches
> up with one of the used-after-freed ones. Then in theory you could
> compromise something, I suppose.
>
> Sort of an off-the-wall scenario, I will admit.
>
> The per-type random value is certainly a safe bet and should have zero
> actual impact on performance. Good luck!
>
Thanks for all comments Kyle! Of course address allocation specifics with
simple xor wont give us enough obscurity here. If we stick with root-only
approach then we don't need this scheme at all but could expose plain
addresses. I'm waiting for Pavel's comment on such approach.
Cyrill
next prev parent reply other threads:[~2011-11-19 5:30 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-11-17 9:55 [PATCH v2 0/4] Checkpoint/Restore: Show in proc IDs of objects that can be shared between tasks Pavel Emelyanov
2011-11-17 9:56 ` [PATCH 1/4] Routine for generating a safe ID for kernel pointer Pavel Emelyanov
2011-11-17 9:56 ` [PATCH 2/4] proc: Show namespaces IDs in /proc/pid/ns/* files Pavel Emelyanov
2011-11-17 9:56 ` [PATCH 3/4] proc: Show open file ID in /proc/pid/fdinfo/* Pavel Emelyanov
2011-11-17 20:48 ` [PATCH v2 0/4] Checkpoint/Restore: Show in proc IDs of objects that can be shared between tasks Andrew Morton
2011-11-18 9:24 ` Pavel Emelyanov
2011-11-18 19:07 ` Andrew Morton
2011-11-18 20:03 ` Cyrill Gorcunov
2011-11-18 20:37 ` Andrew Morton
2011-11-18 21:03 ` Cyrill Gorcunov
2011-11-18 21:09 ` Pekka Enberg
2011-11-18 22:10 ` Kyle Moffett
2011-11-18 23:46 ` Tejun Heo
2011-11-19 1:09 ` Kyle Moffett
2011-11-19 5:30 ` Cyrill Gorcunov [this message]
2011-11-18 23:38 ` Matt Helsley
2011-11-19 5:35 ` Cyrill Gorcunov
2011-11-19 7:57 ` [kernel-hardening] " Vasiliy Kulikov
2011-11-19 7:57 ` Vasiliy Kulikov
2011-11-19 8:10 ` [kernel-hardening] " Vasiliy Kulikov
2011-11-19 8:10 ` Vasiliy Kulikov
2011-11-19 8:18 ` [kernel-hardening] " Vasiliy Kulikov
2011-11-19 8:18 ` Vasiliy Kulikov
2011-11-19 15:34 ` [kernel-hardening] " Cyrill Gorcunov
2011-11-19 15:34 ` Cyrill Gorcunov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20111119053007.GE21041@moon \
--to=gorcunov@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=andi@firstfloor.org \
--cc=eric.dumazet@gmail.com \
--cc=glommer@parallels.com \
--cc=kyle@moffetthome.net \
--cc=linux-kernel@vger.kernel.org \
--cc=matthltc@us.ibm.com \
--cc=penberg@kernel.org \
--cc=segoon@openwall.com \
--cc=tj@kernel.org \
--cc=xemul@parallels.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.