From: Kees Cook <keescook@chromium.org>
To: Wenhui Zhang <wenhui@gwmail.gwu.edu>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
Paul Moore <paul@paul-moore.com>,
SELinux <selinux@vger.kernel.org>,
Ondrej Mosnacek <omosnace@redhat.com>,
Jeffrey Vander Stoep <jeffv@google.com>
Subject: Re: [RFC PATCH] selinux: randomize layout of key structures
Date: Thu, 19 Dec 2019 10:29:20 -0800 [thread overview]
Message-ID: <201912191028.549604D@keescook> (raw)
In-Reply-To: <CAOSEQ1quzmnB4700JdOob=DNgbF5ma2rt7O-ayZwWeWBjymcjw@mail.gmail.com>
On Tue, Dec 17, 2019 at 08:02:58PM -0500, Wenhui Zhang wrote:
> EVM protects while security attributes data in memory and disk.
> structrand protects security attributes data in memory.
>
> It seem like EVM introduces higher overhead than trampoline based
> structrand in general.
>
> So, if we know our disks are reliable, does it make sense if we add some
> ifdef options for disabling EVM please?
>
> However this really depends on which one is faster, the trampoline
> function or the encryption hash function.
There is no trampoline. It's just a per-compile re-ordering of the
structures. It makes attack that depend on knowing structure layouts
less reliable. EVM does not check these at memory access times, so they
are complimentary.
-Kees
>
>
> On Tue, Dec 17, 2019 at 7:47 PM Kees Cook <keescook@chromium.org> wrote:
>
> > On Tue, Dec 17, 2019 at 07:21:49PM -0500, Wenhui Zhang wrote:
> > > In my understanding, evm is called whenever a security related attribute
> > is
> > > committed to VFS.
> > > It is set as enabled by default.
> > > (ref.
> > >
> > https://github.com/torvalds/linux/blob/8b68150883ca466a23e90902dd4113b22e692f04/security/integrity/evm/evm_main.c
> > > )
> >
> > Okay, so yes, complimentary. randstruct means attackers need use bugs to
> > expose enough memory from the kernel to determine the order of structure
> > members before they can manipulate them with a kernel bug.
> >
> > -Kees
> >
> > >
> > > On Tue, Dec 17, 2019 at 7:16 PM Kees Cook <keescook@chromium.org> wrote:
> > >
> > > > On Tue, Dec 17, 2019 at 07:12:28PM -0500, Wenhui Zhang wrote:
> > > > > Hi, Sorry for bothering you again.
> > > > >
> > > > > However I came into some *evm code* in LSM, which calculates HMAC for
> > > > data
> > > > > structures.
> > > > > It looks like HMAC could protect integrity of LSM data structures.
> > > > >
> > > > > IMHO, __randomize_layout and evm might duplicate the work, any
> > > > instructions
> > > > > on this please?
> > > >
> > > > When does the EVM code perform the checking? I would assume these are
> > > > complimentary features rather than duplicate.
> > > >
> > > > -Kees
> > > >
> > > > >
> > > > >
> > > > > On Tue, Dec 17, 2019 at 6:50 PM Kees Cook <keescook@chromium.org>
> > wrote:
> > > > >
> > > > > > On Fri, Dec 13, 2019 at 03:28:38PM -0500, Stephen Smalley wrote:
> > > > > > > Randomize the layout of key selinux data structures.
> > > > > > > Initially this is applied to the selinux_state, selinux_ss,
> > > > > > > policydb, and task_security_struct data structures.
> > > > > > >
> > > > > > > NB To test/use this mechanism, one must install the
> > > > > > > necessary build-time dependencies, e.g. gcc-plugin-devel on
> > Fedora,
> > > > > > > and enable CONFIG_GCC_PLUGIN_RANDSTRUCT in the kernel
> > configuration.
> > > > > > >
> > > > > > > Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> > > > > >
> > > > > > Reviewed-by: Kees Cook <keescook@chromium.org>
> > > > > >
> > > > > > -Kees
> > > > > >
> > > > > > > ---
> > > > > > > I would have expected that two kernels built with the same config
> > > > > > > with this enabled would have yielded different struct layouts in
> > > > > > > pahole vmlinux output, but that doesn't appear to be the case.
> > They
> > > > > > > do have different seeds. Am I doing something wrong?
> > > > > > > Also, does DEBUG_INFO_BTF effectively undermine/negate the
> > benefits
> > > > of
> > > > > > this
> > > > > > > change if enabled?
> > > > > > >
> > > > > > > security/selinux/include/objsec.h | 2 +-
> > > > > > > security/selinux/include/security.h | 2 +-
> > > > > > > security/selinux/ss/policydb.h | 2 +-
> > > > > > > security/selinux/ss/services.h | 2 +-
> > > > > > > 4 files changed, 4 insertions(+), 4 deletions(-)
> > > > > > >
> > > > > > > diff --git a/security/selinux/include/objsec.h
> > > > > > b/security/selinux/include/objsec.h
> > > > > > > index a4a86cbcfb0a..330b7b6d44e0 100644
> > > > > > > --- a/security/selinux/include/objsec.h
> > > > > > > +++ b/security/selinux/include/objsec.h
> > > > > > > @@ -35,7 +35,7 @@ struct task_security_struct {
> > > > > > > u32 create_sid; /* fscreate SID */
> > > > > > > u32 keycreate_sid; /* keycreate SID */
> > > > > > > u32 sockcreate_sid; /* fscreate SID */
> > > > > > > -};
> > > > > > > +} __randomize_layout;
> > > > > > >
> > > > > > > enum label_initialized {
> > > > > > > LABEL_INVALID, /* invalid or not initialized */
> > > > > > > diff --git a/security/selinux/include/security.h
> > > > > > b/security/selinux/include/security.h
> > > > > > > index 49737087ad33..3ea406ad91b6 100644
> > > > > > > --- a/security/selinux/include/security.h
> > > > > > > +++ b/security/selinux/include/security.h
> > > > > > > @@ -110,7 +110,7 @@ struct selinux_state {
> > > > > > > bool policycap[__POLICYDB_CAPABILITY_MAX];
> > > > > > > struct selinux_avc *avc;
> > > > > > > struct selinux_ss *ss;
> > > > > > > -};
> > > > > > > +} __randomize_layout;
> > > > > > >
> > > > > > > void selinux_ss_init(struct selinux_ss **ss);
> > > > > > > void selinux_avc_init(struct selinux_avc **avc);
> > > > > > > diff --git a/security/selinux/ss/policydb.h
> > > > > > b/security/selinux/ss/policydb.h
> > > > > > > index bc56b14e2216..98afe52a3d19 100644
> > > > > > > --- a/security/selinux/ss/policydb.h
> > > > > > > +++ b/security/selinux/ss/policydb.h
> > > > > > > @@ -307,7 +307,7 @@ struct policydb {
> > > > > > >
> > > > > > > u16 process_class;
> > > > > > > u32 process_trans_perms;
> > > > > > > -};
> > > > > > > +} __randomize_layout;;
> > > > > > >
> > > > > > > extern void policydb_destroy(struct policydb *p);
> > > > > > > extern int policydb_load_isids(struct policydb *p, struct sidtab
> > > > *s);
> > > > > > > diff --git a/security/selinux/ss/services.h
> > > > > > b/security/selinux/ss/services.h
> > > > > > > index fc40640a9725..c5896f39e8f6 100644
> > > > > > > --- a/security/selinux/ss/services.h
> > > > > > > +++ b/security/selinux/ss/services.h
> > > > > > > @@ -31,7 +31,7 @@ struct selinux_ss {
> > > > > > > struct selinux_map map;
> > > > > > > struct page *status_page;
> > > > > > > struct mutex status_lock;
> > > > > > > -};
> > > > > > > +} __randomize_layout;
> > > > > > >
> > > > > > > void services_compute_xperms_drivers(struct extended_perms
> > *xperms,
> > > > > > > struct avtab_node *node);
> > > > > > > --
> > > > > > > 2.23.0
> > > > > > >
> > > > > >
> > > > > > --
> > > > > > Kees Cook
> > > > > >
> > > > >
> > > > >
> > > > > --
> > > > > V/R,
> > > > >
> > > > > Wenhui Zhang
> > > > >
> > > > > Email: wenhui@gwmail.gwu.edu
> > > > > Telephone: 1-(703) 424 3193
> > > >
> > > > --
> > > > Kees Cook
> > > >
> > >
> > >
> > > --
> > > V/R,
> > >
> > > Wenhui Zhang
> > >
> > > Email: wenhui@gwmail.gwu.edu
> > > Telephone: 1-(703) 424 3193
> >
> > --
> > Kees Cook
> >
>
>
> --
> V/R,
>
> Wenhui Zhang
>
> Email: wenhui@gwmail.gwu.edu
> Telephone: 1-(703) 424 3193
--
Kees Cook
prev parent reply other threads:[~2019-12-19 18:29 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-13 20:28 [RFC PATCH] selinux: randomize layout of key structures Stephen Smalley
2019-12-14 18:50 ` Dan Aloni
2019-12-16 14:22 ` Stephen Smalley
2019-12-16 23:46 ` Paul Moore
2019-12-17 13:44 ` Stephen Smalley
2019-12-19 2:35 ` Paul Moore
2019-12-17 23:50 ` Kees Cook
[not found] ` <CAOSEQ1qFpLX5hTyNZ+QZuhunH3gr+KAB5PDgcoFjUcyNojEVMQ@mail.gmail.com>
2019-12-18 0:16 ` Kees Cook
[not found] ` <CAOSEQ1ow2XGQ4faoFekK9s3HfmfcvnVKZgGC6tPm0ChJ0F+-vw@mail.gmail.com>
2019-12-18 0:47 ` Kees Cook
[not found] ` <CAOSEQ1quzmnB4700JdOob=DNgbF5ma2rt7O-ayZwWeWBjymcjw@mail.gmail.com>
2019-12-19 18:29 ` Kees Cook [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201912191028.549604D@keescook \
--to=keescook@chromium.org \
--cc=jeffv@google.com \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@vger.kernel.org \
--cc=wenhui@gwmail.gwu.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.