From: Michael Leibowitz <michael.leibowitz@intel.com>
To: spender@grsecurity.net, kernel-hardening@lists.openwall.com,
keescook@chromium.org, re.emese@gmail.com, pageexec@freemail.hu
Cc: michael.leibowitz@intel.com
Subject: [kernel-hardening] [RFC 2/3] Enable the RANDSTRUCT plugin
Date: Thu, 5 May 2016 10:21:08 -0700
Message-ID: <1462468869-6210-3-git-send-email-michael.leibowitz@intel.com>
In-Reply-To: <1462468869-6210-1-git-send-email-michael.leibowitz@intel.com>
These are config changes necessary to configure/enable the
structure layout randomizing gcc plugin.
This feature is ported over from grsecurity. This is largely
unchanged from the original code written by the PaX Team and Spender.
Signed-off-by: Michael Leibowitz <michael.leibowitz@intel.com>
---
arch/Kconfig | 43 +++++++++++++++++++++++++++++++++++++++++++
include/linux/compiler-gcc.h | 5 +++++
include/linux/compiler.h | 9 +++++++++
include/linux/vermagic.h | 9 ++++++++-
kernel/module.c | 27 +++++++++++++++++++++++++++
5 files changed, 92 insertions(+), 1 deletion(-)
diff --git a/arch/Kconfig b/arch/Kconfig
index 8af17ae..c3955a2 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -389,6 +389,49 @@ config GCC_PLUGIN_SANCOV
gcc-4.5 on). It is based on the commit "Add fuzzing coverage support"
by Dmitry Vyukov <dvyukov@google.com>.
+config GCC_PLUGIN_RANDSTRUCT
+ bool "Randomize layout of sensitive kernel structures"
+ default n
+ depends on GCC_PLUGINS
+ select MODVERSIONS if MODULES
+ help
+
+ If you say Y here, the layouts of a number of sensitive kernel
+ structures and all structures composed entirely of function pointers
+ (aka "ops" structs) will be randomized at compile-time. This can make
+ exploitation that targets these structures more difficult by either
+ requiring an additional information leak vulnerability, or knowing the
+ pricise build that the target is running.
+
+ Enabling this feature will have a performance impact, slightly
+ increase memory usage, and prevent the use of forensic tools like
+ Volatility against the system (unless the kernel source tree isn't
+ cleaned after kernel installation).
+
+ Additionally, enabling this feature causes modules compiled with one
+ random seed to have gibberish names when loaded by a kernel with a
+ different random seed.
+
+ The seed used for compilation is located at
+ scripts/gcc-plugins/randomize_layout_seed.h. It remains after a make
+ clean to allow for external modules to be compiled with the existing
+ seed and will be removed by a make mrproper or make distclean.
+
+ Note that the implementation requires gcc 4.6.4. or newer. You may need
+ to install the supporting headers explicitly in addition to the normal
+ gcc package.
+
+config GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
+ bool "Use cacheline-aware structure randomization"
+ default n
+ depends on GCC_PLUGIN_RANDSTRUCT
+ help
+ If you say Y here, the RANDSTRUCT randomization will make a best effort
+ at restricting randomization to cacheline-sized groups of elements. It
+ will further not randomize bitfields in structures. This reduces the
+ performance hit of RANDSTRUCT at the cost of weakened randomization.
+
+
config HAVE_CC_STACKPROTECTOR
bool
help
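Review bot: the GCC_PLUGIN_RANDSTRUCT help text has a typo, "pricise" should be "precise", and "gcc 4.6.4." carries a stray trailing period; there is also an empty line directly after "help" and a double blank line before "config HAVE_CC_STACKPROTECTOR" where Kconfig style uses a single one. The text points the reader at scripts/gcc-plugins/randomize_layout_seed.h for the seed, but the vermagic.h change in this same patch includes <generated/randomize_layout_hash.h> and appends a hashed seed to the module vermagic string; it would help to say here that a seed mismatch also changes vermagic, so the "gibberish names" paragraph is read as the symptom rather than the only consequence.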
diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
index 22ab246..7bfa763 100644
--- a/include/linux/compiler-gcc.h
+++ b/include/linux/compiler-gcc.h
@@ -201,6 +201,11 @@
/* Mark a function definition as prohibited from being cloned. */
#define __noclone __attribute__((__noclone__))
+#ifdef RANDSTRUCT_PLUGIN
+#define __randomize_layout __attribute__((randomize_layout))
+#define __no_randomize_layout __attribute__((no_randomize_layout))
+#endif
+
#endif /* GCC_VERSION >= 40500 */
#if GCC_VERSION >= 40600
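Review bot: the guard here is RANDSTRUCT_PLUGIN while the Kconfig symbol is CONFIG_GCC_PLUGIN_RANDSTRUCT, which kernel/module.c in this same patch uses; nothing in this patch defines RANDSTRUCT_PLUGIN, so a one-line comment saying where it comes from (presumably the plugin cflags added in 1/3) would save the next reader a grep. If the intent is that the attribute is emitted only in compilation units where the plugin is actually loaded, rather than whenever the CONFIG symbol is set, please state that in the comment, since that is the reason a reader would expect the CONFIG symbol here.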
diff --git a/include/linux/compiler.h b/include/linux/compiler.h
index 48f5aab..8d0776e 100644
--- a/include/linux/compiler.h
+++ b/include/linux/compiler.h
@@ -416,6 +416,15 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
# define __attribute_const__ /* unimplemented */
#endif
+#ifndef __randomize_layout
+# define __randomize_layout
+#endif
+
+#ifndef __no_randomize_layout
+# define __no_randomize_layout
+#endif
+
+
/*
* Tell gcc if a function is cold. The compiler will assume any path
* directly leading to the call is unlikely.
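Review bot: style nit, there are two consecutive blank lines after the __no_randomize_layout fallback. The surrounding fallbacks in compiler.h each carry a short comment; one above this block saying that the annotations expand to nothing when the plugin is not active, so annotated structs keep their natural layout, would match that convention.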
diff --git a/include/linux/vermagic.h b/include/linux/vermagic.h
index 6f8fbcf..af6c03f 100644
--- a/include/linux/vermagic.h
+++ b/include/linux/vermagic.h
@@ -24,10 +24,17 @@
#ifndef MODULE_ARCH_VERMAGIC
#define MODULE_ARCH_VERMAGIC ""
#endif
+#ifdef RANDSTRUCT_PLUGIN
+#include <generated/randomize_layout_hash.h>
+#define MODULE_RANDSTRUCT_PLUGIN "RANDSTRUCT_PLUGIN_" RANDSTRUCT_HASHED_SEED
+#else
+#define MODULE_RANDSTRUCT_PLUGIN
+#endif
#define VERMAGIC_STRING \
UTS_RELEASE " " \
MODULE_VERMAGIC_SMP MODULE_VERMAGIC_PREEMPT \
MODULE_VERMAGIC_MODULE_UNLOAD MODULE_VERMAGIC_MODVERSIONS \
- MODULE_ARCH_VERMAGIC
+ MODULE_ARCH_VERMAGIC \
+ MODULE_RANDSTRUCT_PLUGIN
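Review bot: MODULE_RANDSTRUCT_PLUGIN is appended without a separator of its own, so the string is only well-formed if the preceding token, MODULE_ARCH_VERMAGIC (or MODULE_VERMAGIC_MODVERSIONS on arches where the arch string is ""), ends with a trailing space; please confirm that holds for every arch, otherwise the hash is fused onto the previous token. The macro also assumes RANDSTRUCT_HASHED_SEED is a string literal; a comment in the generated header or next to the #define would make that explicit. Finally, vermagic.h now pulls in a generated header whenever RANDSTRUCT_PLUGIN is defined, so the build has to produce generated/randomize_layout_hash.h before anything that includes vermagic.h is compiled; worth a sentence in the changelog.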
diff --git a/kernel/module.c b/kernel/module.c
index 794ebe8..74cf098 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -1296,12 +1296,31 @@ static int check_version(Elf_Shdr *sechdrs,
goto bad_version;
}
+#ifdef CONFIG_GCC_PLUGIN_RANDSTRUCT
+ /*
+ * avoid potentially printing jibberish on attempted load
+ * of a module randomized with a different seed
+ */
+ pr_warn("no symbol version for %s\n", symname);
+#else
+ pr_warn("%s: no symbol version for %s\n", mod->name, symname);
+#endif
+
pr_warn("%s: no symbol version for %s\n", mod->name, symname);
return 0;
bad_version:
+#ifdef CONFIG_GCC_PLUGIN_RANDSTRUCT
+ /*
+ * avoid potentially printing jibberish on attempted load
+ * of a module randomized with a different seed
+ */
+ pr_warn("attempted module disagrees about version of symbol %s\n",
+ symname);
+#else
pr_warn("%s: disagrees about version of symbol %s\n",
mod->name, symname);
+#endif
return 0;
}
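Review bot: logic problem in the first block: the context line `pr_warn("%s: no symbol version for %s\n", mod->name, symname);` after the new #endif is left in place, so with CONFIG_GCC_PLUGIN_RANDSTRUCT the anonymous warning is printed and then mod->name is printed anyway, defeating the purpose, and without it the same warning is printed twice. That line should become a `-` line, since both #ifdef branches already emit it. Also "jibberish" should be "gibberish" in both comments, and the two branches of the bad_version block differ in wording ("attempted module disagrees" versus "disagrees"), which looks unintentional; keep them identical apart from the name prefix.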
@@ -2835,7 +2854,15 @@ static struct module *setup_load_info(struct load_info *info, int flags)
mod = (void *)info->sechdrs[info->index.mod].sh_addr;
if (info->index.sym == 0) {
+#ifdef CONFIG_GCC_PLUGIN_RANDSTRUCT
+ /*
+ * avoid potentially printing jibberish on attempted load
+ * of a module randomized with a different seed
+ */
+ pr_warn("module has no symbols (stripped?)\n");
+#else
pr_warn("%s: module has no symbols (stripped?)\n", mod->name);
+#endif
return ERR_PTR(-ENOEXEC);
}
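Review bot: the #ifdef/#else pattern is now repeated three times in this file only to drop mod->name; a small helper, for example a macro that expands to a fixed placeholder under CONFIG_GCC_PLUGIN_RANDSTRUCT and to mod->name otherwise, would keep each call site a single pr_warn and is easier to extend to the other mod->name diagnostics in the load path. Same "jibberish" typo in this comment. It would also help to say in the changelog why the name is suspect: a module built with a different seed presumably has a different struct module layout, so reading mod->name from the wrong offset yields garbage rather than merely a wrong name.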
--
1.9.1