From: Solar Designer <solar@openwall.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Djalal Harouni <tixxdz@opendz.org>,
linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com,
Andrew Morton <akpm@linux-foundation.org>,
Al Viro <viro@zeniv.linux.org.uk>,
Alexey Dobriyan <adobriyan@gmail.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Vasiliy Kulikov <segoon@openwall.com>,
Kees Cook <keescook@chromium.org>,
WANG Cong <xiyou.wangcong@gmail.com>,
James Morris <james.l.morris@oracle.com>,
Oleg Nesterov <oleg@redhat.com>,
linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org,
Alan Cox <alan@lxorguk.ukuu.org.uk>,
Greg KH <gregkh@linuxfoundation.org>, Ingo Molnar <mingo@elte.hu>,
Stephen Wilson <wilsons@start.ca>,
"Jason A. Donenfeld" <Jason@zx2c4.com>
Subject: Re: [PATCH 1/9] exec: add a global execve counter
Date: Sun, 11 Mar 2012 12:24:31 +0400 [thread overview]
Message-ID: <20120311082431.GA26640@openwall.com> (raw)
In-Reply-To: <CA+55aFz6Ben=b_jKXTneUm7-ULP_Z8J5uua+=CA+kXjVpSSVjg@mail.gmail.com>
On Sat, Mar 10, 2012 at 04:58:01PM -0800, Linus Torvalds wrote:
> On Sat, Mar 10, 2012 at 4:36 PM, Linus Torvalds
> <torvalds@linux-foundation.org> wrote:
> >
> > I wonder if the number part of exec_id would even have to be 64-bit. I
> > think I can do about 10000 execves per second if I make the program a
> > small static one - and that's on a fast CPU. And it's a per-thread
> > counter, so you can't scale it with lots of CPU's. So it would take
> > something like four days to wrap. Hmm..
>
> Actually, using a pure counter is horrible, because even if it takes
> four days to wrap, it *will* wrap, and the attacker can just count his
> own execve's.
Four days (for a 32-bit counter) is just not enough, so the counter
needs to be e.g. 64-bit as proposed. A 64-bit counter won't wrap during
lifetime of a system.
> If, instead, you were to use a counter that counts *independently* of
> execve's, you're much better off.
>
> And if you use one that is free - because the CPU implements it
> natively - you're even better off.
>
> IOW, why is the exec-id just the time stamp counter
The CPUs' timestamp counters were not designed for security. I would
not be too surprised if some implementation of a CPU architecture (maybe
emulated, maybe under a hypervisor) has such timestamp counter
granularity that we may see the same value across a second execve().
Also, we'd need extra code for archs/CPUs that lack timestamp counters.
> (on any random cpu - we really don't care)?
I'd rather not rely on the timestamp counters across CPUs being in sync,
and if they are not in sync then we may see the same value again (on one
CPU vs. another). So at least we'd need to record the CPU number as well.
> That should be safe even in just 32 bits
> exactly because it's not under the control of the user.
32 bits is just not enough even if not under control of an attacker.
If there's some low chance of hitting the same counter value on execve()
vs. procfs file access and there's no lockout on multiple counter
mismatches, an attacker may simply try that in a loop, and with 32-bit
values might have a good chance of succeeding in a reasonable amount of
time (such as a few days).
Alexander
next prev parent reply other threads:[~2012-03-11 8:24 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-03-10 23:25 [PATCH 0/9] proc: protect /proc/<pid>/* files across execve Djalal Harouni
2012-03-10 23:25 ` [PATCH 1/9] exec: add a global execve counter Djalal Harouni
2012-03-11 0:12 ` Linus Torvalds
2012-03-11 0:36 ` Linus Torvalds
2012-03-11 0:58 ` Linus Torvalds
2012-03-11 8:24 ` Solar Designer [this message]
2012-03-11 9:56 ` Ingo Molnar
2012-03-11 14:03 ` Alan Cox
2012-03-11 17:15 ` Djalal Harouni
2012-03-11 8:39 ` Djalal Harouni
2012-03-11 9:40 ` Solar Designer
2012-03-11 17:25 ` Oleg Nesterov
2012-03-11 17:49 ` self_exec_id/parent_exec_id && CLONE_PARENT Oleg Nesterov
2012-03-11 18:02 ` Linus Torvalds
2012-03-11 18:37 ` richard -rw- weinberger
2012-03-11 18:39 ` Oleg Nesterov
2012-03-14 18:55 ` [PATCH 0/1] (Was: self_exec_id/parent_exec_id && CLONE_PARENT) Oleg Nesterov
2012-03-14 18:55 ` [PATCH 1/1] CLONE_PARENT shouldn't allow to set ->exit_signal Oleg Nesterov
2012-03-18 18:25 ` Linus Torvalds
2012-03-18 20:53 ` Oleg Nesterov
2012-03-11 22:48 ` [PATCH 1/9] exec: add a global execve counter Linus Torvalds
2012-03-11 23:32 ` Djalal Harouni
2012-03-11 23:42 ` Linus Torvalds
2012-03-12 0:25 ` Djalal Harouni
2012-03-12 10:11 ` Linus Torvalds
2012-03-12 14:01 ` Djalal Harouni
2012-03-11 23:36 ` Djalal Harouni
2012-03-12 14:34 ` Oleg Nesterov
2012-03-10 23:25 ` [PATCH 2/9] proc: add proc_file_private struct to store private information Djalal Harouni
2012-03-10 23:25 ` [PATCH 3/9] proc: new proc_exec_id_ok() helper function Djalal Harouni
2012-03-10 23:25 ` [PATCH 4/9] proc: protect /proc/<pid>/* INF files from reader across execve Djalal Harouni
2012-03-10 23:25 ` [PATCH 5/9] proc: add protection support for /proc/<pid>/* ONE files Djalal Harouni
2012-03-10 23:25 ` [PATCH 6/9] proc: protect /proc/<pid>/* ONE files from reader across execve Djalal Harouni
2012-03-10 23:25 ` [PATCH 7/9] proc: protect /proc/<pid>/{maps,smaps,numa_maps} Djalal Harouni
2012-03-10 23:25 ` [PATCH 8/9] proc: protect /proc/<pid>/{environ,pagemap} across execve Djalal Harouni
2012-03-11 8:05 ` Alexey Dobriyan
2012-03-11 17:01 ` Djalal Harouni
2012-03-10 23:25 ` [PATCH 9/9] proc: improve and clean up /proc/<pid>/mem protection Djalal Harouni
2012-03-11 0:01 ` [PATCH 0/9] proc: protect /proc/<pid>/* files across execve Linus Torvalds
2012-03-11 0:27 ` Djalal Harouni
2012-03-11 8:46 ` Djalal Harouni
2012-03-11 10:35 ` exec_id protection from bad child exit signals (was: Re: [PATCH 0/9] proc: protect /proc/<pid>/* files across execve) Solar Designer
2012-03-11 18:20 ` Oleg Nesterov
2012-03-12 19:13 ` [PATCH 0/9] proc: protect /proc/<pid>/* files across execve Eric W. Biederman
2012-03-12 20:44 ` Djalal Harouni
2012-03-12 21:47 ` Eric W. Biederman
2012-03-12 22:41 ` Djalal Harouni
2012-03-12 23:10 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120311082431.GA26640@openwall.com \
--to=solar@openwall.com \
--cc=Jason@zx2c4.com \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=ebiederm@xmission.com \
--cc=gregkh@linuxfoundation.org \
--cc=james.l.morris@oracle.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=oleg@redhat.com \
--cc=segoon@openwall.com \
--cc=tixxdz@opendz.org \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=wilsons@start.ca \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).