From: Scotty Bauer <sbauer@eng.utah.edu>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
the arch/x86 maintainers <x86@kernel.org>,
Andi Kleen <ak@linux.intel.com>,
Andy Lutomirski <luto@amacapital.net>,
Ingo Molnar <mingo@redhat.com>,
Thomas Gleixner <tglx@linutronix.de>,
wmealing@redhat.com
Subject: [kernel-hardening] Re: [PATCH v4 0/4] SROP Mitigation: Sigreturn Cookies
Date: Tue, 29 Mar 2016 17:11:04 -0600 [thread overview]
Message-ID: <56FB0B88.2020306@eng.utah.edu> (raw)
In-Reply-To: <CA+55aFy2bac+-j6wWZ4D2UeA=h6rrdFL+B2Kns+ws6wGkVJzmg@mail.gmail.com>
On 03/29/2016 04:54 PM, Linus Torvalds wrote:
> On Tue, Mar 29, 2016 at 2:53 PM, Scott Bauer <sbauer@eng.utah.edu> wrote:
>>
>> These patches implement the necessary changes to generate a cookie
>> which will be placed above signal frame upon signal delivery to userland.
>> The cookie is generated using a per-process random value xor'd with
>> the address where the cookie will be stored on the stack.
>
> Side note: wouldn't it be better to make the cookie something that
> doesn't make it trivial to figure out the random value in case you
> already have access to a signal stack?
>
> Maybe there could be a stronger variation of this that makes the
> cookie be something like a single md5 round (not a full md5).
> Something fast, and not necessarily secure, but something that needs
> more than one single CPU instruction to figure out.
>
> So you could do 4 32
>
> - the random value
> - the low 32 bits of the address of the cookie
> - the low 32 bits of the return point stack and instruction pointer
>
> Yes, yes, md5 is not cryptographically secure, and making it a single
> iteration rather than the full four makes it even less so, but if the
> attacker can generate long arbitrary code, then the whole SROP is
> pointless to begin with, no?
>
Yeah I had toyed with using hashes, I used hash_64 not md5 which is like 14
extra instructions or something. Anyway Daniel Micay pointed out we could use SipHash
https://131002.net/siphash/, but there's no siphash for me to use in the kernel
and I'm the *last* person on earth to start porting/implementing 'crypto' algos.
Anyway, we all sort of agreed that if you have enough arbitrary execution already
to cause a signal, leak the cookie, do some xor magic to get the per-process
secret then you probably don't really need to SROP in your exploit. Although
you did mention an interesting attack which is force a signal then muck with
an existing legitimate frame, which I would like to protect against now.
> In contrast, with the plain xor, the SROP would be a trivial operation
> if you can just force it to happen within the context of a signal, so
> that you can just re-use the signal return stack as-is. But mixing in
> the returning IP and SP would make it *much* harder to use the
> sigreturn as an attack vector.
>
> I realize that this would likely need to be a separate and non-default
> extra hardening mode, because there are *definitely* applications that
> take signals and then update the return address (maybe single-stepping
> over instructions etc). But for a *lot* of applications, signal return
> implies changing no signal state at all, and mixing in the returning
> IP and SP would seem to be a fundamentally stronger cookie.
>
> No?
It's not hard to implement So I can try it. When you say an extra hardening
mode do you mean hide it behind a sysctl or some sort of compile time CONFIG?
WARNING: multiple messages have this Message-ID (diff)
From: Scotty Bauer <sbauer@eng.utah.edu>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
the arch/x86 maintainers <x86@kernel.org>,
Andi Kleen <ak@linux.intel.com>,
Andy Lutomirski <luto@amacapital.net>,
Ingo Molnar <mingo@redhat.com>,
Thomas Gleixner <tglx@linutronix.de>,
wmealing@redhat.com
Subject: Re: [PATCH v4 0/4] SROP Mitigation: Sigreturn Cookies
Date: Tue, 29 Mar 2016 17:11:04 -0600 [thread overview]
Message-ID: <56FB0B88.2020306@eng.utah.edu> (raw)
In-Reply-To: <CA+55aFy2bac+-j6wWZ4D2UeA=h6rrdFL+B2Kns+ws6wGkVJzmg@mail.gmail.com>
On 03/29/2016 04:54 PM, Linus Torvalds wrote:
> On Tue, Mar 29, 2016 at 2:53 PM, Scott Bauer <sbauer@eng.utah.edu> wrote:
>>
>> These patches implement the necessary changes to generate a cookie
>> which will be placed above signal frame upon signal delivery to userland.
>> The cookie is generated using a per-process random value xor'd with
>> the address where the cookie will be stored on the stack.
>
> Side note: wouldn't it be better to make the cookie something that
> doesn't make it trivial to figure out the random value in case you
> already have access to a signal stack?
>
> Maybe there could be a stronger variation of this that makes the
> cookie be something like a single md5 round (not a full md5).
> Something fast, and not necessarily secure, but something that needs
> more than one single CPU instruction to figure out.
>
> So you could do 4 32
>
> - the random value
> - the low 32 bits of the address of the cookie
> - the low 32 bits of the return point stack and instruction pointer
>
> Yes, yes, md5 is not cryptographically secure, and making it a single
> iteration rather than the full four makes it even less so, but if the
> attacker can generate long arbitrary code, then the whole SROP is
> pointless to begin with, no?
>
Yeah I had toyed with using hashes, I used hash_64 not md5 which is like 14
extra instructions or something. Anyway Daniel Micay pointed out we could use SipHash
https://131002.net/siphash/, but there's no siphash for me to use in the kernel
and I'm the *last* person on earth to start porting/implementing 'crypto' algos.
Anyway, we all sort of agreed that if you have enough arbitrary execution already
to cause a signal, leak the cookie, do some xor magic to get the per-process
secret then you probably don't really need to SROP in your exploit. Although
you did mention an interesting attack which is force a signal then muck with
an existing legitimate frame, which I would like to protect against now.
> In contrast, with the plain xor, the SROP would be a trivial operation
> if you can just force it to happen within the context of a signal, so
> that you can just re-use the signal return stack as-is. But mixing in
> the returning IP and SP would make it *much* harder to use the
> sigreturn as an attack vector.
>
> I realize that this would likely need to be a separate and non-default
> extra hardening mode, because there are *definitely* applications that
> take signals and then update the return address (maybe single-stepping
> over instructions etc). But for a *lot* of applications, signal return
> implies changing no signal state at all, and mixing in the returning
> IP and SP would seem to be a fundamentally stronger cookie.
>
> No?
It's not hard to implement So I can try it. When you say an extra hardening
mode do you mean hide it behind a sysctl or some sort of compile time CONFIG?
next prev parent reply other threads:[~2016-03-29 23:11 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-29 19:53 [kernel-hardening] [PATCH v4 0/4] SROP Mitigation: Sigreturn Cookies Scott Bauer
2016-03-29 19:53 ` Scott Bauer
2016-03-29 19:53 ` [kernel-hardening] [PATCH v4 1/4] SROP Mitigation: Architecture independent code for signal cookies Scott Bauer
2016-03-29 19:53 ` Scott Bauer
2016-03-29 23:04 ` [kernel-hardening] " Linus Torvalds
2016-03-29 23:04 ` Linus Torvalds
2016-03-31 20:25 ` [kernel-hardening] " Eric W. Biederman
2016-03-31 20:25 ` Eric W. Biederman
2016-03-31 22:00 ` [kernel-hardening] " Linus Torvalds
2016-03-31 22:00 ` Linus Torvalds
2016-03-31 22:17 ` [kernel-hardening] " Eric W. Biederman
2016-03-31 22:17 ` Eric W. Biederman
2016-03-29 19:53 ` [kernel-hardening] [PATCH v4 2/4] x86: SROP Mitigation: Implement Signal Cookies Scott Bauer
2016-03-29 19:53 ` Scott Bauer
2016-03-29 19:53 ` [kernel-hardening] [PATCH v4 3/4] Sysctl: SROP Mitigation: Add Sysctl argument to disable SROP Scott Bauer
2016-03-29 19:53 ` Scott Bauer
2016-03-29 19:59 ` [kernel-hardening] " Andi Kleen
2016-03-29 19:59 ` Andi Kleen
2016-03-29 20:46 ` [kernel-hardening] " Scotty Bauer
2016-03-29 20:46 ` Scotty Bauer
2016-03-29 20:53 ` [kernel-hardening] " Andi Kleen
2016-03-29 20:53 ` Andi Kleen
2016-03-29 19:53 ` [kernel-hardening] [PATCH v4 4/4] Documentation: SROP Mitigation: Add documentation for SROP cookies Scott Bauer
2016-03-29 19:53 ` Scott Bauer
2016-03-29 20:12 ` [kernel-hardening] " Brian Gerst
2016-03-29 20:12 ` Brian Gerst
2016-04-24 16:27 ` [kernel-hardening] " Pavel Machek
2016-04-24 16:27 ` Pavel Machek
2016-03-29 21:29 ` [kernel-hardening] Re: [PATCH v4 0/4] SROP Mitigation: Sigreturn Cookies Andy Lutomirski
2016-03-29 21:29 ` Andy Lutomirski
2016-03-29 21:36 ` [kernel-hardening] " Scotty Bauer
2016-03-29 21:36 ` Scotty Bauer
2016-03-29 21:38 ` [kernel-hardening] " Andy Lutomirski
2016-03-29 21:38 ` Andy Lutomirski
2016-03-29 22:34 ` [kernel-hardening] " Linus Torvalds
2016-03-29 22:34 ` Linus Torvalds
2016-03-29 23:14 ` [kernel-hardening] " Scotty Bauer
2016-03-29 23:14 ` Scotty Bauer
2016-03-31 20:22 ` [kernel-hardening] " Eric W. Biederman
2016-03-31 20:22 ` Eric W. Biederman
2016-04-01 12:57 ` [kernel-hardening] " Cyrill Gorcunov
2016-04-01 12:57 ` Cyrill Gorcunov
2016-03-29 22:55 ` [kernel-hardening] " Daniel Micay
2016-04-24 16:14 ` Pavel Machek
2016-04-24 16:14 ` Pavel Machek
2016-03-29 22:54 ` [kernel-hardening] " Linus Torvalds
2016-03-29 22:54 ` Linus Torvalds
2016-03-29 22:55 ` [kernel-hardening] " Linus Torvalds
2016-03-29 22:55 ` Linus Torvalds
2016-03-29 23:05 ` [kernel-hardening] " Andy Lutomirski
2016-03-29 23:05 ` Andy Lutomirski
2016-03-29 23:11 ` Scotty Bauer [this message]
2016-03-29 23:11 ` Scotty Bauer
2016-03-29 23:25 ` [kernel-hardening] " Linus Torvalds
2016-03-29 23:25 ` Linus Torvalds
2016-03-29 23:34 ` [kernel-hardening] " Scotty Bauer
2016-03-29 23:34 ` Scotty Bauer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56FB0B88.2020306@eng.utah.edu \
--to=sbauer@eng.utah.edu \
--cc=ak@linux.intel.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mingo@redhat.com \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=wmealing@redhat.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.