[kernel-hardening] Re: [PATCH v3 1/3] SROP Mitigation: Architecture independent code for signal cookies

public inbox for kernel-hardening@lists.openwall.com
 help / color / mirror / Atom feed

From: Scotty Bauer <sbauer@eng.utah.edu>
To: Andy Lutomirski <luto@amacapital.net>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"kernel-hardening@lists.openwall.com"
	<kernel-hardening@lists.openwall.com>, X86 ML <x86@kernel.org>,
	wmealing@redhat.com, Andi Kleen <ak@linux.intel.com>,
	Abhiram Balasubramanian <abhiram@cs.utah.edu>
Subject: [kernel-hardening] Re: [PATCH v3 1/3] SROP Mitigation: Architecture independent code for signal cookies
Date: Wed, 9 Mar 2016 15:02:04 -0700	[thread overview]
Message-ID: <56E09D5C.5090908@eng.utah.edu> (raw)
In-Reply-To: <CALCETrVf1uSKJh7zENOgHW6et0wed5goU6AfaTB5RSiBhbCfeA@mail.gmail.com>



On 03/08/2016 02:57 PM, Andy Lutomirski wrote:
> On Tue, Mar 8, 2016 at 1:49 PM, Scotty Bauer <sbauer@eng.utah.edu> wrote:
>>
>>
>> On 03/08/2016 01:58 PM, Andy Lutomirski wrote:
>>> On Tue, Mar 8, 2016 at 12:47 PM, Scott Bauer <sbauer@eng.utah.edu> wrote:
>>>> This patch adds a per-process secret to the task struct which
>>>> will be used during signal delivery and during a sigreturn.
>>>> Also, logic is added in signal.c to generate, place, extract,
>>>> clear and verify the signal cookie.
>>>>
>>>
>>> Potentially silly question: it's been a while since I read the SROP
>>> paper, but would the technique be effectively mitigated if sigreturn
>>> were to zero out the whole signal frame before returning to user mode?
>>>
>>
>> I don't know if I fully understand your question, but I'll respond anyway.
>>
>> SROP is possible because the kernel doesn't know whether or not the
>> incoming sigreturn syscall is in response from a legitimate signal that
>> the kernel had previously delivered and the program handled. So essentially
>> these patches are an attempt to give the kernel a way to verify whether or
>> not the the incoming sigreturn is a valid response or a exploit trying to
>> hijack control of the user program.
>>
> 
> I got that part, but I thought that the interesting SROP bit was using
> sigreturn to return back to a frame where you could just repeat the
> sigreturn a bunch of times to compute things and do other evil.  I'm
> wondering whether zeroing the whole frame would make SROP much less
> interesting to an attacker.
> 
> --Andy
> 

I've been thinking about this a little bit more. I don't think zeroing the frame
is a proper mitigation. If an attacker has the ability to write a lot of data to
the stack they could simply create a new fake signal frame above the current frame.
In this scenario the kernel would zero the current frame then return somewhere attacker
controlled, where the attackers payload would then use the next signal frame above
the zero'd frame.

So while this zeroing would solve a stricter case where an attacker has to keep reusing
the same frame over and over, perhaps to avoid overwriting a stack cookie, It doesn't solve
every case. 

Thanks for the good ideas.

next prev parent reply	other threads:[~2016-03-09 22:02 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-03-08 20:47 [kernel-hardening] [PATCH v3 1/3] SROP Mitigation: Architecture independent code for signal cookies Scott Bauer
2016-03-08 20:47 ` [kernel-hardening] [PATCH v3 2/3] x86: SROP mitigation: implement " Scott Bauer
2016-03-08 21:03   ` [kernel-hardening] " One Thousand Gnomes
2016-03-08 21:38     ` Scotty Bauer
2016-03-08 20:47 ` [kernel-hardening] [PATCH v3 3/3] SROP mitigation: Add sysctl to disable SROP protection Scott Bauer
2016-03-08 21:00   ` [kernel-hardening] " One Thousand Gnomes
2016-03-10  6:36     ` Kees Cook
2016-03-10  6:46       ` Andy Lutomirski
2016-03-08 20:58 ` [kernel-hardening] Re: [PATCH v3 1/3] SROP Mitigation: Architecture independent code for signal cookies Andy Lutomirski
2016-03-08 21:49   ` Scotty Bauer
2016-03-08 21:57     ` Andy Lutomirski
2016-03-08 22:06       ` Scotty Bauer
2016-03-09 22:02       ` Scotty Bauer [this message]
2016-03-08 21:04 ` kbuild test robot
2016-03-09  8:32 ` Ingo Molnar
2016-03-09 22:07   ` Scotty Bauer
2016-03-09 22:22     ` Jonathan Corbet
2016-03-10  9:43       ` Ingo Molnar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=56E09D5C.5090908@eng.utah.edu \
    --to=sbauer@eng.utah.edu \
    --cc=abhiram@cs.utah.edu \
    --cc=ak@linux.intel.com \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@amacapital.net \
    --cc=wmealing@redhat.com \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox