From: Vegard Nossum <vegard.nossum@oracle.com>
To: Jann Horn <jannh@google.com>,
Kernel Hardening <kernel-hardening@lists.openwall.com>,
Kees Cook <keescook@chromium.org>,
Brad Spengler <spender@grsecurity.net>,
PaX Team <pageexec@freemail.hu>
Subject: Re: two potential randstruct improvements
Date: Mon, 29 Mar 2021 12:16:40 +0200 [thread overview]
Message-ID: <8d84f00e-9c99-c48b-8b7e-0b49d6b32390@oracle.com> (raw)
In-Reply-To: <CAG48ez1Mr1FNCDGFscVg0SpuuA_Z4tn=WJhEqJVWW1rOuRiG2w@mail.gmail.com>
On 2021-03-29 09:26, Jann Horn wrote:
> Hi!
>
> I'm currently in the middle of writing a blogpost on some Linux kernel
> stuff; while working on that I looked at the randstruct version in
> Linus' tree a bit and noticed two potential areas for improvement. I
> have no idea whether any of this (still) applies to the PaX/grsecurity
> version, but since the code originates from there, I figured I should
> also send this to the original authors.
>
>
[...]
> I don't know whether the amount of information leakage would be enough
> to actually determine the seed - and I'm not a cryptographer, I have
> no clue how much output from the RNG you'd actually need to recover
> the seed (and an attacker would not even be getting raw RNG output,
> but RNG output after additional modulo operations). But if the goal
> here is to ensure that an attacker without access to the binary kernel
> image can't determine struct layouts without a proper leak primitive,
> even if they know exactly from which sources and with what
> configuration the kernel was built, then I think this needs a
> cryptographically secure RNG.
Hi,
I just wanted to add something that stood out to me (assuming I'm
reading the code correctly):
It looks like the per-struct seed is constructed only based on a hash of
the struct name (using name_hash()), and anonymous structs use the name
"anonymous", which means that anonymous structs with the same number of
members will always be shuffled the same way (using full_shuffle() at
least). Which means that you can gain information about one struct and
potentially use it on another. It doesn't look like anonymous structs
being randomized is very common, a quick run against kernel/fork.c shows
there's only 3 cases and they all have different numbers of members (7,
59, and 182). In any case, to mitigate this, maybe include some details
of the struct (original member offsets/sizes/names) in the per-struct
seed derivation?
I definitely second the recommendation to use cryptographically secure
algorithms -- specifically, use a 256-bit HMAC that depends on the seed
instead of name_hash() and a cryptographically secure PRNG for ranval().
Vegard
next prev parent reply other threads:[~2021-03-29 11:25 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-29 7:26 two potential randstruct improvements Jann Horn
2021-03-29 10:16 ` Vegard Nossum [this message]
2021-03-30 21:18 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8d84f00e-9c99-c48b-8b7e-0b49d6b32390@oracle.com \
--to=vegard.nossum@oracle.com \
--cc=jannh@google.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=pageexec@freemail.hu \
--cc=spender@grsecurity.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).