From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E53F2C282DC for ; Wed, 17 Apr 2019 20:14:01 +0000 (UTC) Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id B106A217D7 for ; Wed, 17 Apr 2019 20:14:01 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="rItIqVcN"; dkim=fail reason="signature verification failed" (2048-bit key) header.d=oracle.com header.i=@oracle.com header.b="Df6X8xST" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org B106A217D7 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=oracle.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+infradead-linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:Cc:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:Date: Message-ID:From:References:To:Subject:Reply-To:Content-ID:Content-Description :Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=k4UjUaY9XXMptSr/sWDAd10G6deNx2j14iNAonhdW8U=; b=rItIqVcNppUBgO GrrcdFjN+PFMNTDSRfRAjX/JMq9bukSA8ZBP0tKdep+Tj83tUs3jiF7esR6j69zVgb41J294zMqAQ wFBUSQBkk++GtL6zdOMZdEn+Ie4TeGmZuSWn01KQLZr7+gsxCv9uj+3UjgCwdRmnj+uTBl6C0ecCg 6I4Q21yre8UBJF8bj20UzC7cqFjNPU7faif6Xe91XS6Me+gpJLOme2ge7XXVeowC2QTzOmzB++H5K hNLnmhXUFD4X24TevIgsPpixOh7mHwI8NvF9pdNdFjTHfY4qORFrJLDzc5Q6gIhshNshh+Q3XNhOg vqN9QiXASfyczgHIrb+w==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.90_1 #2 (Red Hat Linux)) id 1hGqwQ-0001o7-9S; Wed, 17 Apr 2019 20:13:58 +0000 Received: from userp2130.oracle.com ([156.151.31.86]) by bombadil.infradead.org with esmtps (Exim 4.90_1 #2 (Red Hat Linux)) id 1hGqwN-0001nn-31 for linux-arm-kernel@lists.infradead.org; Wed, 17 Apr 2019 20:13:56 +0000 Received: from pps.filterd (userp2130.oracle.com [127.0.0.1]) by userp2130.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x3HK43l6027377; Wed, 17 Apr 2019 20:13:05 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=subject : to : cc : references : from : message-id : date : mime-version : in-reply-to : content-type : content-transfer-encoding; s=corp-2018-07-02; bh=I6O8XHipCkxtNyBt5qT+WpjDhWybwFMx3dhCuUMlgX4=; b=Df6X8xSTnNbjlECiEEs0dM9pTTEuLaAWILYb+3FVHnTbzbRso80tWiMiCCKew3u1ut8b TLcWUbhG84sQH6SBFXaKI0Klt2uj/wv2CDPlzS3kqc877AX2RJpKLwBkvITz4J0dX+yy nY6rZ4iQzgA18SgoM2aT776fbQxl8SfVpBLf8ds9rKnTkPfGv841EMFoH7SxWqH6nvV0 mwMRs7X+y11GdS97TrUt9gGKo8kqHakyrK+CUQVNsG9TAPxQsD89RZjRY8GJnbu5OyCq Vq/stihExhIzf4UfNBgjSHL9K+YL+YtmzhEltW0PrZ2Kquq0Bruw1aaQqw+gs9dr/CwR cQ== Received: from aserp3030.oracle.com (aserp3030.oracle.com [141.146.126.71]) by userp2130.oracle.com with ESMTP id 2rvwk3wa96-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 17 Apr 2019 20:13:05 +0000 Received: from pps.filterd (aserp3030.oracle.com [127.0.0.1]) by aserp3030.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x3HKC8qv117201; Wed, 17 Apr 2019 20:13:04 GMT Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by aserp3030.oracle.com with ESMTP id 2rwe7aky1v-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 17 Apr 2019 20:13:04 +0000 Received: from abhmp0009.oracle.com (abhmp0009.oracle.com [141.146.116.15]) by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id x3HKD2Bt022023; Wed, 17 Apr 2019 20:13:03 GMT Received: from [192.168.1.16] (/24.9.64.241) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 17 Apr 2019 13:13:02 -0700 Subject: Re: [RFC PATCH v9 03/13] mm: Add support for eXclusive Page Frame Ownership (XPFO) To: Andy Lutomirski References: <20190417161042.GA43453@gmail.com> <20190417170918.GA68678@gmail.com> <8d314750-251c-7e6a-7002-5df2462ada6b@oracle.com> From: Khalid Aziz Organization: Oracle Corp Message-ID: <96ea344b-c86b-f64d-a944-871196941a38@oracle.com> Date: Wed, 17 Apr 2019 14:12:56 -0600 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1 MIME-Version: 1.0 In-Reply-To: Content-Language: en-US X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9230 signatures=668685 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1904170129 X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9230 signatures=668685 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1904170129 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20190417_131355_220021_090AEF4C X-CRM114-Status: GOOD ( 27.93 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Dave Hansen , Thomas Gleixner , "open list:DOCUMENTATION" , Linux-MM , deepa.srinivasan@oracle.com, "H. Peter Anvin" , Ingo Molnar , Tycho Andersen , X86 ML , iommu@lists.linux-foundation.org, jsteckli@amazon.de, Arjan van de Ven , Peter Zijlstra , Konrad Rzeszutek Wilk , Jon Masters , Greg Kroah-Hartman , Borislav Petkov , Boris Ostrovsky , chris hyser , linux-arm-kernel , Khalid Aziz , Juerg Haefliger , Andrew Cooper , LKML , Tyler Hicks , LSM List , Juerg Haefliger , Kees Cook , Andrew Morton , Linus Torvalds , "Woodhouse, David" Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+infradead-linux-arm-kernel=archiver.kernel.org@lists.infradead.org On 4/17/19 1:49 PM, Andy Lutomirski wrote: > On Wed, Apr 17, 2019 at 10:33 AM Khalid Aziz wrote: >> >> On 4/17/19 11:09 AM, Ingo Molnar wrote: >>> >>> * Khalid Aziz wrote: >>> >>>>> I.e. the original motivation of the XPFO patches was to prevent execution >>>>> of direct kernel mappings. Is this motivation still present if those >>>>> mappings are non-executable? >>>>> >>>>> (Sorry if this has been asked and answered in previous discussions.) >>>> >>>> Hi Ingo, >>>> >>>> That is a good question. Because of the cost of XPFO, we have to be very >>>> sure we need this protection. The paper from Vasileios, Michalis and >>>> Angelos - , >>>> does go into how ret2dir attacks can bypass SMAP/SMEP in sections 6.1 >>>> and 6.2. >>> >>> So it would be nice if you could generally summarize external arguments >>> when defending a patchset, instead of me having to dig through a PDF >>> which not only causes me to spend time that you probably already spent >>> reading that PDF, but I might also interpret it incorrectly. ;-) >> >> Sorry, you are right. Even though that paper explains it well, a summary >> is always useful. >> >>> >>> The PDF you cited says this: >>> >>> "Unfortunately, as shown in Table 1, the W^X prop-erty is not enforced >>> in many platforms, including x86-64. In our example, the content of >>> user address 0xBEEF000 is also accessible through kernel address >>> 0xFFFF87FF9F080000 as plain, executable code." >>> >>> Is this actually true of modern x86-64 kernels? We've locked down W^X >>> protections in general. >>> >>> I.e. this conclusion: >>> >>> "Therefore, by simply overwriting kfptr with 0xFFFF87FF9F080000 and >>> triggering the kernel to dereference it, an attacker can directly >>> execute shell code with kernel privileges." >>> >>> ... appears to be predicated on imperfect W^X protections on the x86-64 >>> kernel. >>> >>> Do such holes exist on the latest x86-64 kernel? If yes, is there a >>> reason to believe that these W^X holes cannot be fixed, or that any fix >>> would be more expensive than XPFO? >> >> Even if physmap is not executable, return-oriented programming (ROP) can >> still be used to launch an attack. Instead of placing executable code at >> user address 0xBEEF000, attacker can place an ROP payload there. kfptr >> is then overwritten to point to a stack-pivoting gadget. Using the >> physmap address aliasing, the ROP payload becomes kernel-mode stack. The >> execution can then be hijacked upon execution of ret instruction. This >> is a gist of the subsection titled "Non-executable physmap" under >> section 6.2 and it looked convincing enough to me. If you have a >> different take on this, I am very interested in your point of view. > > My issue with all this is that XPFO is really very expensive. I think > that, if we're going to seriously consider upstreaming expensive > exploit mitigations like this, we should consider others first, in > particular CFI techniques. grsecurity's RAP would be a great start. > I also proposed using a gcc plugin (or upstream gcc feature) to add > some instrumentation to any code that pops RSP to verify that the > resulting (unsigned) change in RSP is between 0 and THREAD_SIZE bytes. > This will make ROP quite a bit harder. > Yes, XPFO is expensive. I have been able to reduce the overhead of XPFO from 2537% to 28% (on large servers) but 28% is still quite significant. Alternative mitigation techniques with lower impact would easily be more acceptable as long as they provide same level of protection. If we have to go with XPFO, we will continue to look for more performance improvement to bring that number down further from 28%. Hopefully what Tycho is working on will yield better results. I am continuing to look for improvements to XPFO in parallel. Thanks, Khalid _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel