From: Scotty Bauer <sbauer@eng.utah.edu>
To: Andy Lutomirski <luto@amacapital.net>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>, X86 ML <x86@kernel.org>,
wmealing@redhat.com, Andi Kleen <ak@linux.intel.com>,
Abhiram Balasubramanian <abhiram@cs.utah.edu>
Subject: [kernel-hardening] Re: [PATCH v3 1/3] SROP Mitigation: Architecture independent code for signal cookies
Date: Tue, 8 Mar 2016 14:49:35 -0700 [thread overview]
Message-ID: <56DF48EF.2080305@eng.utah.edu> (raw)
In-Reply-To: <CALCETrVLyg3CJHoFORnmJ+_0WirKck=unBQ8Zu2JUd+WhF6C5g@mail.gmail.com>
On 03/08/2016 01:58 PM, Andy Lutomirski wrote:
> On Tue, Mar 8, 2016 at 12:47 PM, Scott Bauer <sbauer@eng.utah.edu> wrote:
>> This patch adds a per-process secret to the task struct which
>> will be used during signal delivery and during a sigreturn.
>> Also, logic is added in signal.c to generate, place, extract,
>> clear and verify the signal cookie.
>>
>
> Potentially silly question: it's been a while since I read the SROP
> paper, but would the technique be effectively mitigated if sigreturn
> were to zero out the whole signal frame before returning to user mode?
>
I don't know if I fully understand your question, but I'll respond anyway.
SROP is possible because the kernel doesn't know whether or not the
incoming sigreturn syscall is in response from a legitimate signal that
the kernel had previously delivered and the program handled. So essentially
these patches are an attempt to give the kernel a way to verify whether or
not the the incoming sigreturn is a valid response or a exploit trying to
hijack control of the user program.
So no, zeroing out the frame wouldn't do much because if I understand your
question correctly once we call sigreturn the kernel is going to hand off
control to wherever the sigframe tells it to so I don't think zeroing would
do much.
The reason why I zero out the cookie is so if there is a stack leak bug or
something along those lines an attacker couldnt leak the cookie and try and
derive what the per-process kernel secret is.
Hope that clarifies!
WARNING: multiple messages have this Message-ID (diff)
From: Scotty Bauer <sbauer@eng.utah.edu>
To: Andy Lutomirski <luto@amacapital.net>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>, X86 ML <x86@kernel.org>,
wmealing@redhat.com, Andi Kleen <ak@linux.intel.com>,
Abhiram Balasubramanian <abhiram@cs.utah.edu>
Subject: Re: [PATCH v3 1/3] SROP Mitigation: Architecture independent code for signal cookies
Date: Tue, 8 Mar 2016 14:49:35 -0700 [thread overview]
Message-ID: <56DF48EF.2080305@eng.utah.edu> (raw)
In-Reply-To: <CALCETrVLyg3CJHoFORnmJ+_0WirKck=unBQ8Zu2JUd+WhF6C5g@mail.gmail.com>
On 03/08/2016 01:58 PM, Andy Lutomirski wrote:
> On Tue, Mar 8, 2016 at 12:47 PM, Scott Bauer <sbauer@eng.utah.edu> wrote:
>> This patch adds a per-process secret to the task struct which
>> will be used during signal delivery and during a sigreturn.
>> Also, logic is added in signal.c to generate, place, extract,
>> clear and verify the signal cookie.
>>
>
> Potentially silly question: it's been a while since I read the SROP
> paper, but would the technique be effectively mitigated if sigreturn
> were to zero out the whole signal frame before returning to user mode?
>
I don't know if I fully understand your question, but I'll respond anyway.
SROP is possible because the kernel doesn't know whether or not the
incoming sigreturn syscall is in response from a legitimate signal that
the kernel had previously delivered and the program handled. So essentially
these patches are an attempt to give the kernel a way to verify whether or
not the the incoming sigreturn is a valid response or a exploit trying to
hijack control of the user program.
So no, zeroing out the frame wouldn't do much because if I understand your
question correctly once we call sigreturn the kernel is going to hand off
control to wherever the sigframe tells it to so I don't think zeroing would
do much.
The reason why I zero out the cookie is so if there is a stack leak bug or
something along those lines an attacker couldnt leak the cookie and try and
derive what the per-process kernel secret is.
Hope that clarifies!
next prev parent reply other threads:[~2016-03-08 21:49 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-08 20:47 [kernel-hardening] [PATCH v3 1/3] SROP Mitigation: Architecture independent code for signal cookies Scott Bauer
2016-03-08 20:47 ` Scott Bauer
2016-03-08 20:47 ` [kernel-hardening] [PATCH v3 2/3] x86: SROP mitigation: implement " Scott Bauer
2016-03-08 20:47 ` Scott Bauer
2016-03-08 21:03 ` [kernel-hardening] " One Thousand Gnomes
2016-03-08 21:03 ` One Thousand Gnomes
2016-03-08 21:38 ` [kernel-hardening] " Scotty Bauer
2016-03-08 21:38 ` Scotty Bauer
2016-03-08 20:47 ` [kernel-hardening] [PATCH v3 3/3] SROP mitigation: Add sysctl to disable SROP protection Scott Bauer
2016-03-08 20:47 ` Scott Bauer
2016-03-08 21:00 ` [kernel-hardening] " One Thousand Gnomes
2016-03-08 21:00 ` One Thousand Gnomes
2016-03-10 6:36 ` [kernel-hardening] " Kees Cook
2016-03-10 6:46 ` Andy Lutomirski
2016-03-08 20:58 ` [kernel-hardening] Re: [PATCH v3 1/3] SROP Mitigation: Architecture independent code for signal cookies Andy Lutomirski
2016-03-08 20:58 ` Andy Lutomirski
2016-03-08 21:49 ` Scotty Bauer [this message]
2016-03-08 21:49 ` Scotty Bauer
2016-03-08 21:57 ` [kernel-hardening] " Andy Lutomirski
2016-03-08 21:57 ` Andy Lutomirski
2016-03-08 22:06 ` [kernel-hardening] " Scotty Bauer
2016-03-08 22:06 ` Scotty Bauer
2016-03-09 22:02 ` [kernel-hardening] " Scotty Bauer
2016-03-09 22:02 ` Scotty Bauer
2016-03-08 21:04 ` [kernel-hardening] " kbuild test robot
2016-03-08 21:04 ` kbuild test robot
2016-03-09 8:32 ` [kernel-hardening] " Ingo Molnar
2016-03-09 8:32 ` Ingo Molnar
2016-03-09 22:07 ` [kernel-hardening] " Scotty Bauer
2016-03-09 22:07 ` Scotty Bauer
2016-03-09 22:22 ` [kernel-hardening] " Jonathan Corbet
2016-03-09 22:22 ` Jonathan Corbet
2016-03-10 9:43 ` [kernel-hardening] " Ingo Molnar
2016-03-10 9:43 ` Ingo Molnar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56DF48EF.2080305@eng.utah.edu \
--to=sbauer@eng.utah.edu \
--cc=abhiram@cs.utah.edu \
--cc=ak@linux.intel.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=wmealing@redhat.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.