From: Dave Hansen <dave.hansen@intel.com>
To: Laura Abbott <laura@labbott.name>, Christoph Lameter <cl@linux.com>
Cc: kernel-hardening@lists.openwall.com,
Pekka Enberg <penberg@kernel.org>,
David Rientjes <rientjes@google.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
Andrew Morton <akpm@linux-foundation.org>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
Kees Cook <keescook@chromium.org>
Subject: Re: [kernel-hardening] [RFC][PATCH 6/7] mm: Add Kconfig option for slab sanitization
Date: Tue, 22 Dec 2015 11:32:56 -0800 [thread overview]
Message-ID: <5679A568.9000604@intel.com> (raw)
In-Reply-To: <5679A0CB.3060707@labbott.name>
On 12/22/2015 11:13 AM, Laura Abbott wrote:
>> 3. Zero at free, *don't* Zero at alloc (when __GFP_ZERO)
>> (what I'm suggesting, possibly less perf impact vs. #2)
>
> poisoning with non-zero memory makes it easier to determine that the error
> came from accessing the sanitized memory vs. some other case. I don't think
> the feature would be as strong if the memory was only zeroed vs. some other
> data value.
How does that scenario work? Your patch description says:
> + Use-after-free bugs for structures containing
> + pointers can also be detected as dereferencing the sanitized pointer
> + will generate an access violation.
In the case that we wrote all zeros, we'd be accessing userspace at a
known place that we don't generally allow memory to be mapped anyway.
Could you elaborate on a scenario where zeros are weaker than a random
poison value?
In any case (if a poison value is superior to 0's), it's a balance
between performance vs. the likelihood of the poisoned value being
tripped over.
I think the performance impact of this feature is going to be *the*
major thing that keeps folks from using it in practice. I'm trying to
suggest a way that you _might_ preserve some performance, and get more
folks to use it.
1. Keep information from leaking (doesn't matter which value we write)
2. Detect use-after-free bugs (0's are less likely to be detected???)
3. Preserve performance (0's are likely to preserve more performance)
WARNING: multiple messages have this Message-ID (diff)
From: Dave Hansen <dave.hansen@intel.com>
To: Laura Abbott <laura@labbott.name>, Christoph Lameter <cl@linux.com>
Cc: kernel-hardening@lists.openwall.com,
Pekka Enberg <penberg@kernel.org>,
David Rientjes <rientjes@google.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
Andrew Morton <akpm@linux-foundation.org>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
Kees Cook <keescook@chromium.org>
Subject: Re: [kernel-hardening] [RFC][PATCH 6/7] mm: Add Kconfig option for slab sanitization
Date: Tue, 22 Dec 2015 11:32:56 -0800 [thread overview]
Message-ID: <5679A568.9000604@intel.com> (raw)
In-Reply-To: <5679A0CB.3060707@labbott.name>
On 12/22/2015 11:13 AM, Laura Abbott wrote:
>> 3. Zero at free, *don't* Zero at alloc (when __GFP_ZERO)
>> (what I'm suggesting, possibly less perf impact vs. #2)
>
> poisoning with non-zero memory makes it easier to determine that the error
> came from accessing the sanitized memory vs. some other case. I don't think
> the feature would be as strong if the memory was only zeroed vs. some other
> data value.
How does that scenario work? Your patch description says:
> + Use-after-free bugs for structures containing
> + pointers can also be detected as dereferencing the sanitized pointer
> + will generate an access violation.
In the case that we wrote all zeros, we'd be accessing userspace at a
known place that we don't generally allow memory to be mapped anyway.
Could you elaborate on a scenario where zeros are weaker than a random
poison value?
In any case (if a poison value is superior to 0's), it's a balance
between performance vs. the likelihood of the poisoned value being
tripped over.
I think the performance impact of this feature is going to be *the*
major thing that keeps folks from using it in practice. I'm trying to
suggest a way that you _might_ preserve some performance, and get more
folks to use it.
1. Keep information from leaking (doesn't matter which value we write)
2. Detect use-after-free bugs (0's are less likely to be detected???)
3. Preserve performance (0's are likely to preserve more performance)
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2015-12-22 19:32 UTC|newest]
Thread overview: 113+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-22 3:40 [kernel-hardening] [RFC][PATCH 0/7] Sanitization of slabs based on grsecurity/PaX Laura Abbott
2015-12-22 3:40 ` Laura Abbott
2015-12-22 3:40 ` Laura Abbott
2015-12-22 3:40 ` [kernel-hardening] [RFC][PATCH 1/7] mm/slab_common.c: Add common support for slab saniziation Laura Abbott
2015-12-22 3:40 ` Laura Abbott
2015-12-22 3:40 ` Laura Abbott
2015-12-22 20:48 ` [kernel-hardening] " Vlastimil Babka
2015-12-22 20:48 ` Vlastimil Babka
2015-12-22 20:48 ` Vlastimil Babka
2016-01-06 0:17 ` [kernel-hardening] " Kees Cook
2016-01-06 0:17 ` Kees Cook
2016-01-06 0:17 ` Kees Cook
2016-01-06 2:06 ` [kernel-hardening] " Laura Abbott
2016-01-06 2:06 ` Laura Abbott
2016-01-06 2:06 ` Laura Abbott
2016-01-06 0:19 ` [kernel-hardening] " Kees Cook
2016-01-06 0:19 ` Kees Cook
2016-01-06 0:19 ` Kees Cook
2015-12-22 3:40 ` [kernel-hardening] [RFC][PATCH 2/7] slub: Add support for sanitization Laura Abbott
2015-12-22 3:40 ` Laura Abbott
2015-12-22 3:40 ` Laura Abbott
2015-12-22 3:40 ` [kernel-hardening] [RFC][PATCH 3/7] slab: " Laura Abbott
2015-12-22 3:40 ` Laura Abbott
2015-12-22 3:40 ` Laura Abbott
2015-12-22 3:40 ` [kernel-hardening] [RFC][PATCH 4/7] slob: " Laura Abbott
2015-12-22 3:40 ` Laura Abbott
2015-12-22 3:40 ` Laura Abbott
2015-12-22 3:40 ` [kernel-hardening] [RFC][PATCH 5/7] mm: Mark several cases as SLAB_NO_SANITIZE Laura Abbott
2015-12-22 3:40 ` Laura Abbott
2015-12-22 3:40 ` Laura Abbott
2016-01-06 0:21 ` [kernel-hardening] " Kees Cook
2016-01-06 0:21 ` Kees Cook
2016-01-06 0:21 ` Kees Cook
2016-01-06 2:11 ` [kernel-hardening] " Laura Abbott
2016-01-06 2:11 ` Laura Abbott
2016-01-06 2:11 ` Laura Abbott
2015-12-22 3:40 ` [kernel-hardening] [RFC][PATCH 6/7] mm: Add Kconfig option for slab sanitization Laura Abbott
2015-12-22 3:40 ` Laura Abbott
2015-12-22 3:40 ` Laura Abbott
2015-12-22 9:33 ` [kernel-hardening] " Mathias Krause
2015-12-22 9:33 ` Mathias Krause
2015-12-22 17:51 ` Laura Abbott
2015-12-22 17:51 ` Laura Abbott
2015-12-22 18:37 ` Mathias Krause
2015-12-22 18:37 ` Mathias Krause
2015-12-22 19:18 ` Laura Abbott
2015-12-22 19:18 ` Laura Abbott
2015-12-22 20:01 ` Christoph Lameter
2015-12-22 20:01 ` Christoph Lameter
2015-12-22 20:06 ` Mathias Krause
2015-12-22 20:06 ` Mathias Krause
2015-12-22 14:57 ` Dave Hansen
2015-12-22 14:57 ` Dave Hansen
2015-12-22 16:25 ` Christoph Lameter
2015-12-22 16:25 ` Christoph Lameter
2015-12-22 17:22 ` Dave Hansen
2015-12-22 17:24 ` Christoph Lameter
2015-12-22 17:28 ` Dave Hansen
2015-12-22 17:28 ` Dave Hansen
2015-12-22 18:08 ` Christoph Lameter
2015-12-22 18:08 ` Christoph Lameter
2015-12-22 18:19 ` Dave Hansen
2015-12-22 18:19 ` Dave Hansen
2015-12-22 19:13 ` Laura Abbott
2015-12-22 19:13 ` Laura Abbott
2015-12-22 19:32 ` Dave Hansen [this message]
2015-12-22 19:32 ` Dave Hansen
2016-01-06 0:29 ` Kees Cook
2016-01-06 0:29 ` Kees Cook
2016-01-06 2:46 ` Laura Abbott
2016-01-06 2:46 ` Laura Abbott
2015-12-22 3:40 ` [kernel-hardening] [RFC][PATCH 7/7] lkdtm: Add READ_AFTER_FREE test Laura Abbott
2015-12-22 3:40 ` Laura Abbott
2015-12-22 3:40 ` Laura Abbott
2016-01-06 0:15 ` [kernel-hardening] " Kees Cook
2016-01-06 0:15 ` Kees Cook
2016-01-06 0:15 ` Kees Cook
2016-01-06 2:49 ` [kernel-hardening] " Laura Abbott
2016-01-06 2:49 ` Laura Abbott
2016-01-06 2:49 ` Laura Abbott
2015-12-22 16:08 ` [kernel-hardening] Re: [RFC][PATCH 0/7] Sanitization of slabs based on grsecurity/PaX Christoph Lameter
2015-12-22 16:08 ` Christoph Lameter
2015-12-22 16:08 ` Christoph Lameter
2015-12-22 16:15 ` [kernel-hardening] " Dave Hansen
2015-12-22 16:15 ` Dave Hansen
2015-12-22 16:38 ` Daniel Micay
2015-12-22 20:04 ` Laura Abbott
2015-12-22 20:04 ` Laura Abbott
2015-12-22 20:04 ` Laura Abbott
2016-01-06 0:09 ` [kernel-hardening] " Kees Cook
2016-01-06 0:09 ` Kees Cook
2016-01-06 0:09 ` Kees Cook
2016-01-06 3:17 ` [kernel-hardening] " Laura Abbott
2016-01-06 3:17 ` Laura Abbott
2016-01-06 3:17 ` Laura Abbott
2016-01-07 16:26 ` [kernel-hardening] " Christoph Lameter
2016-01-07 16:26 ` Christoph Lameter
2016-01-07 16:26 ` Christoph Lameter
2016-01-08 1:23 ` [kernel-hardening] " Laura Abbott
2016-01-08 1:23 ` Laura Abbott
2016-01-08 1:23 ` Laura Abbott
2016-01-08 14:07 ` [kernel-hardening] " Christoph Lameter
2016-01-08 14:07 ` Christoph Lameter
2016-01-08 14:07 ` Christoph Lameter
2016-01-14 3:49 ` [kernel-hardening] " Laura Abbott
2016-01-14 3:49 ` Laura Abbott
2016-01-14 3:49 ` Laura Abbott
2016-01-21 3:35 ` [kernel-hardening] " Laura Abbott
2016-01-21 3:35 ` Laura Abbott
2016-01-21 3:35 ` Laura Abbott
2016-01-21 15:39 ` [kernel-hardening] " Christoph Lameter
2016-01-21 15:39 ` Christoph Lameter
2016-01-21 15:39 ` Christoph Lameter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5679A568.9000604@intel.com \
--to=dave.hansen@intel.com \
--cc=akpm@linux-foundation.org \
--cc=cl@linux.com \
--cc=iamjoonsoo.kim@lge.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=laura@labbott.name \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=penberg@kernel.org \
--cc=rientjes@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.