From: Cyrill Gorcunov <gorcunov@gmail.com>
To: Vasiliy Kulikov <segoon@openwall.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Pavel Emelyanov <xemul@parallels.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Glauber Costa <glommer@parallels.com>,
Andi Kleen <andi@firstfloor.org>, Tejun Heo <tj@kernel.org>,
Matt Helsley <matthltc@us.ibm.com>,
Pekka Enberg <penberg@kernel.org>,
Eric Dumazet <eric.dumazet@gmail.com>,
kernel-hardening@lists.openwall.com
Subject: [kernel-hardening] Re: [PATCH v2 0/4] Checkpoint/Restore: Show in proc IDs of objects that can be shared between tasks
Date: Sat, 19 Nov 2011 19:34:10 +0400 [thread overview]
Message-ID: <20111119153410.GB1722@moon> (raw)
In-Reply-To: <20111119081012.GC2675@albatros>
On Sat, Nov 19, 2011 at 12:10:12PM +0400, Vasiliy Kulikov wrote:
> On Sat, Nov 19, 2011 at 11:57 +0400, Vasiliy Kulikov wrote:
> > Doing something like hash(cookie1 ++ obj ++ cookie) would leak only the
> > equation of two objects, but it can be still dangerous - learn hashes of
> > (a) objects created at boot time (their addresses are known) and (b)
> > some objects, which allocation scheme is known (i.e. we know
> > kmem_cache_alloc() gives us specific addresses with high probability),
> > and then compare the hashes against other objects after (a) and (b)
> > objects are kfree'd.
> >
First of all, thanks a *huge* for comments Vasiliy! Yes, agreed that plain
single xor is not sufficient here.
> >
> > What is the highest timeframe which must maintain the property of unique
> > ids? Is it the whole system lifetime or probably [dump start; dump
> > end] and we can change the cookie many times? Can we probably shorten
Yes, dump-start/dump-end is a mininum timeframe.
> > the time even? Can we ensure that during this timeframe no new kernel
> > objects will be created (unrealistic, but would be great)?
> >
We might use PT_SEIZED as such flag and don't allow to allocate new kernel
objects but it will bring too much complexity into kernel code I think,
which is not what we want eventually ;)
> > Also, I didn't understand from the quoted text who will use it - only
> > the dumper or this interface is exposed to all userspace processes and
> > anybody may learn hash(&kern_obj) for any kern_obj he may reference?
>
It's limited to /proc/$pid/
> Also, if one should have an ability to learn IDs of specific object
> types and the set of types is very limited, it's much safer to have one
> increasing u64 counter for each created object of one of these types.
> The exposed to userspace data will be:
>
> ID = hash(counter ^ cookie)
>
> cookie is generated at boot time, once. counter is a single
> variable, one for all exposed kernel object types.
>
> ID will be unpredictable if hash() is cryptographically secure, and
> counter is not duplicated. So, for each newly created object the ID is
> the new random value, which is unique and says nothing to userspace about
> either kernel object addresses or the counter itself.
>
> The cost:
>
> 1) counter storing for each kernel object exposed through this interface.
>
Yes, this is main concern.
> 2) object creation will be slowed down by hash().
>
This is not that important I think, since it's not a time-critical operation.
> Also, one thought - is it safe to say two kernel objects are the same to
> userspace? :) I don't see anything obviously dangerous, though.
>
Cyrill
WARNING: multiple messages have this Message-ID (diff)
From: Cyrill Gorcunov <gorcunov@gmail.com>
To: Vasiliy Kulikov <segoon@openwall.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Pavel Emelyanov <xemul@parallels.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Glauber Costa <glommer@parallels.com>,
Andi Kleen <andi@firstfloor.org>, Tejun Heo <tj@kernel.org>,
Matt Helsley <matthltc@us.ibm.com>,
Pekka Enberg <penberg@kernel.org>,
Eric Dumazet <eric.dumazet@gmail.com>,
kernel-hardening@lists.openwall.com
Subject: Re: [PATCH v2 0/4] Checkpoint/Restore: Show in proc IDs of objects that can be shared between tasks
Date: Sat, 19 Nov 2011 19:34:10 +0400 [thread overview]
Message-ID: <20111119153410.GB1722@moon> (raw)
In-Reply-To: <20111119081012.GC2675@albatros>
On Sat, Nov 19, 2011 at 12:10:12PM +0400, Vasiliy Kulikov wrote:
> On Sat, Nov 19, 2011 at 11:57 +0400, Vasiliy Kulikov wrote:
> > Doing something like hash(cookie1 ++ obj ++ cookie) would leak only the
> > equation of two objects, but it can be still dangerous - learn hashes of
> > (a) objects created at boot time (their addresses are known) and (b)
> > some objects, which allocation scheme is known (i.e. we know
> > kmem_cache_alloc() gives us specific addresses with high probability),
> > and then compare the hashes against other objects after (a) and (b)
> > objects are kfree'd.
> >
First of all, thanks a *huge* for comments Vasiliy! Yes, agreed that plain
single xor is not sufficient here.
> >
> > What is the highest timeframe which must maintain the property of unique
> > ids? Is it the whole system lifetime or probably [dump start; dump
> > end] and we can change the cookie many times? Can we probably shorten
Yes, dump-start/dump-end is a mininum timeframe.
> > the time even? Can we ensure that during this timeframe no new kernel
> > objects will be created (unrealistic, but would be great)?
> >
We might use PT_SEIZED as such flag and don't allow to allocate new kernel
objects but it will bring too much complexity into kernel code I think,
which is not what we want eventually ;)
> > Also, I didn't understand from the quoted text who will use it - only
> > the dumper or this interface is exposed to all userspace processes and
> > anybody may learn hash(&kern_obj) for any kern_obj he may reference?
>
It's limited to /proc/$pid/
> Also, if one should have an ability to learn IDs of specific object
> types and the set of types is very limited, it's much safer to have one
> increasing u64 counter for each created object of one of these types.
> The exposed to userspace data will be:
>
> ID = hash(counter ^ cookie)
>
> cookie is generated at boot time, once. counter is a single
> variable, one for all exposed kernel object types.
>
> ID will be unpredictable if hash() is cryptographically secure, and
> counter is not duplicated. So, for each newly created object the ID is
> the new random value, which is unique and says nothing to userspace about
> either kernel object addresses or the counter itself.
>
> The cost:
>
> 1) counter storing for each kernel object exposed through this interface.
>
Yes, this is main concern.
> 2) object creation will be slowed down by hash().
>
This is not that important I think, since it's not a time-critical operation.
> Also, one thought - is it safe to say two kernel objects are the same to
> userspace? :) I don't see anything obviously dangerous, though.
>
Cyrill
next prev parent reply other threads:[~2011-11-19 15:34 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-11-17 9:55 [PATCH v2 0/4] Checkpoint/Restore: Show in proc IDs of objects that can be shared between tasks Pavel Emelyanov
2011-11-17 9:56 ` [PATCH 1/4] Routine for generating a safe ID for kernel pointer Pavel Emelyanov
2011-11-17 9:56 ` [PATCH 2/4] proc: Show namespaces IDs in /proc/pid/ns/* files Pavel Emelyanov
2011-11-17 9:56 ` [PATCH 3/4] proc: Show open file ID in /proc/pid/fdinfo/* Pavel Emelyanov
2011-11-17 20:48 ` [PATCH v2 0/4] Checkpoint/Restore: Show in proc IDs of objects that can be shared between tasks Andrew Morton
2011-11-18 9:24 ` Pavel Emelyanov
2011-11-18 19:07 ` Andrew Morton
2011-11-18 20:03 ` Cyrill Gorcunov
2011-11-18 20:37 ` Andrew Morton
2011-11-18 21:03 ` Cyrill Gorcunov
2011-11-18 21:09 ` Pekka Enberg
2011-11-18 22:10 ` Kyle Moffett
2011-11-18 23:46 ` Tejun Heo
2011-11-19 1:09 ` Kyle Moffett
2011-11-19 5:30 ` Cyrill Gorcunov
2011-11-18 23:38 ` Matt Helsley
2011-11-19 5:35 ` Cyrill Gorcunov
2011-11-19 7:57 ` [kernel-hardening] " Vasiliy Kulikov
2011-11-19 7:57 ` Vasiliy Kulikov
2011-11-19 8:10 ` [kernel-hardening] " Vasiliy Kulikov
2011-11-19 8:10 ` Vasiliy Kulikov
2011-11-19 8:18 ` [kernel-hardening] " Vasiliy Kulikov
2011-11-19 8:18 ` Vasiliy Kulikov
2011-11-19 15:34 ` Cyrill Gorcunov [this message]
2011-11-19 15:34 ` Cyrill Gorcunov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20111119153410.GB1722@moon \
--to=gorcunov@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=andi@firstfloor.org \
--cc=eric.dumazet@gmail.com \
--cc=glommer@parallels.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=matthltc@us.ibm.com \
--cc=penberg@kernel.org \
--cc=segoon@openwall.com \
--cc=tj@kernel.org \
--cc=xemul@parallels.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.