From: "Madhavan T. Venkataraman" <madvenka@linux.microsoft.com>
To: "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>,
"peterz@infradead.org" <peterz@infradead.org>
Cc: "ssicleru@bitdefender.com" <ssicleru@bitdefender.com>,
"tglx@linutronix.de" <tglx@linutronix.de>,
"mic@digikod.net" <mic@digikod.net>,
"marian.c.rotariu@gmail.com" <marian.c.rotariu@gmail.com>,
"kvm@vger.kernel.org" <kvm@vger.kernel.org>,
"wei.liu@kernel.org" <wei.liu@kernel.org>,
"virtualization@lists.linux-foundation.org"
<virtualization@lists.linux-foundation.org>,
"pbonzini@redhat.com" <pbonzini@redhat.com>,
"tgopinath@microsoft.com" <tgopinath@microsoft.com>,
"chao.p.peng@linux.intel.com" <chao.p.peng@linux.intel.com>,
"qemu-devel@nongnu.org" <qemu-devel@nongnu.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"jgowans@amazon.com" <jgowans@amazon.com>,
"ztarkhani@microsoft.com" <ztarkhani@microsoft.com>,
"mdontu@bitdefender.com" <mdontu@bitdefender.com>,
"x86@kernel.org" <x86@kernel.org>, "bp@alien8.de" <bp@alien8.de>,
"xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>,
"jamorris@linux.microsoft.com" <jamorris@linux.microsoft.com>,
"seanjc@google.com" <seanjc@google.com>,
"vkuznets@redhat.com" <vkuznets@redhat.com>,
"Andersen, John S" <john.s.andersen@intel.com>,
"yu.c.zhang@linux.intel.com" <yu.c.zhang@linux.intel.com>,
"nicu.citu@icloud.com" <nicu.citu@icloud.com>,
"keescook@chromium.org" <keescook@chromium.org>,
"Graf, Alexander" <graf@amazon.com>,
"wanpengli@tencent.com" <wanpengli@tencent.com>,
"dev@lists.cloudhypervisor.org" <dev@lists.cloudhypervisor.org>,
"will@kernel.org" <will@kernel.org>,
"mingo@redhat.com" <mingo@redhat.com>,
"hpa@zytor.com" <hpa@zytor.com>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"yuanyu@google.com" <yuanyu@google.com>,
"linux-hyperv@vger.kernel.org" <linux-hyperv@vger.kernel.org>,
"linux-hardening@vger.kernel.org"
<linux-hardening@vger.kernel.org>,
"quic_tsoni@quicinc.com" <quic_tsoni@quicinc.com>,
"dave.hansen@linux.intel.com" <dave.hansen@linux.intel.com>
Subject: Re: [RFC PATCH v2 17/19] heki: x86: Update permissions counters during text patching
Date: Wed, 6 Dec 2023 10:41:14 -0600 [thread overview]
Message-ID: <db9c5049-70b5-4261-b7e8-cd371c50aaea@linux.microsoft.com> (raw)
In-Reply-To: <4103d68b07bb382e434cdaf19ab1986f9079b0bb.camel@intel.com>
On 11/30/23 18:45, Edgecombe, Rick P wrote:
> On Wed, 2023-11-29 at 15:07 -0600, Madhavan T. Venkataraman wrote:
>> Threat Model
>> ------------
>>
>> In the threat model in Heki, the attacker is a user space attacker
>> who exploits
>> a kernel vulnerability to gain more privileges or bypass the kernel's
>> access
>> control and self-protection mechanisms.
>>
>> In the context of the guest page table, one of the things that the
>> threat model translates
>> to is a hacker gaining access to a guest page with RWX permissions.
>> E.g., by adding execute
>> permissions to a writable page or by adding write permissions to an
>> executable page.
>>
>> Today, the permissions for a guest page in the extended page table
>> are RWX by
>> default. So, if a hacker manages to establish RWX for a page in the
>> guest page
>> table, then that is all he needs to do some damage.
>
> I had a few random comments from watching the plumbers talk online:
>
> Is there really a big difference between a page that is RWX, and a RW
> page that is about to become RX? I realize that there is an addition of
> timing, but when executable code is getting loaded it can be written to
> then and later executed. I think that gap could be addressed in two
> different ways, both pretty difficult:
> 1. Verifying the loaded code before it gets marked
> executable. This is difficult because the kernel does lots of
> tweaks on the code it is loading (alternatives, etc). It can't
> just check a signature.
> 2. Loading the code in a protected environment. In this model the
> (for example) module signature would be checked, then the code
> would be loaded in some sort of protected environment. This way
> integrity of the loaded code would be enforced. But extracting
> module loading into a separate domain would be difficult.
> Various scattered features all have their hands in the loading.
>
> Secondly, I wonder if another way to look at the memory parts of HEKI
> could be that this is a way to protect certain page table bits from
> stay writes. The RWX bits in the EPT are not directly writable, so more
> steps are needed to change things than just a stray write (instead the
> helpers involved in the operations need to be called). If that is a
> fair way of looking at it, then I wonder how HEKI compares to a
> solution like this security-wise:
> https://lore.kernel.org/lkml/20210830235927.6443-1-rick.p.edgecombe@intel.com/
>
> Functional-wise it had the benefit of working on bare metal and
> supporting the normal kernel features.
Thanks for the comments. I will think about what you have said and will respond
soon.
Madhavan
next prev parent reply other threads:[~2023-12-06 16:41 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-13 2:23 [RFC PATCH v2 00/19] Hypervisor-Enforced Kernel Integrity Mickaël Salaün
2023-11-13 2:23 ` [RFC PATCH v2 01/19] virt: Introduce Hypervisor Enforced Kernel Integrity (Heki) Mickaël Salaün
2023-11-13 2:23 ` [RFC PATCH v2 02/19] KVM: x86: Add new hypercall to lock control registers Mickaël Salaün
2023-11-13 2:23 ` [RFC PATCH v2 03/19] KVM: x86: Add notifications for Heki policy configuration and violation Mickaël Salaün
2023-11-13 2:23 ` [RFC PATCH v2 04/19] heki: Lock guest control registers at the end of guest kernel init Mickaël Salaün
2023-11-13 2:23 ` [RFC PATCH v2 05/19] KVM: VMX: Add MBEC support Mickaël Salaün
2023-11-13 2:23 ` [RFC PATCH v2 06/19] KVM: x86: Add kvm_x86_ops.fault_gva() Mickaël Salaün
2023-11-13 2:23 ` [RFC PATCH v2 07/19] KVM: x86: Make memory attribute helpers more generic Mickaël Salaün
2023-11-13 2:23 ` [RFC PATCH v2 08/19] KVM: x86: Extend kvm_vm_set_mem_attributes() with a mask Mickaël Salaün
2023-11-13 2:23 ` [RFC PATCH v2 09/19] KVM: x86: Extend kvm_range_has_memory_attributes() with match_all Mickaël Salaün
2023-11-13 2:23 ` [RFC PATCH v2 10/19] KVM: x86: Implement per-guest-page permissions Mickaël Salaün
2023-11-13 2:23 ` [RFC PATCH v2 11/19] KVM: x86: Add new hypercall to set EPT permissions Mickaël Salaün
2023-11-13 2:23 ` [RFC PATCH v2 12/19] x86: Implement the Memory Table feature to store arbitrary per-page data Mickaël Salaün
2023-11-13 2:23 ` [RFC PATCH v2 13/19] heki: Implement a kernel page table walker Mickaël Salaün
2023-11-13 2:23 ` [RFC PATCH v2 14/19] heki: x86: Initialize permissions counters for pages mapped into KVA Mickaël Salaün
2023-11-13 2:23 ` [RFC PATCH v2 15/19] heki: x86: Initialize permissions counters for pages in vmap()/vunmap() Mickaël Salaün
2023-11-13 2:23 ` [RFC PATCH v2 16/19] heki: x86: Update permissions counters when guest page permissions change Mickaël Salaün
2023-11-13 2:23 ` [RFC PATCH v2 17/19] heki: x86: Update permissions counters during text patching Mickaël Salaün
2023-11-13 8:19 ` Peter Zijlstra
2023-11-27 16:48 ` Madhavan T. Venkataraman
2023-11-27 20:08 ` Peter Zijlstra
2023-11-29 21:07 ` Madhavan T. Venkataraman
2023-11-30 11:33 ` Peter Zijlstra
2023-12-06 16:37 ` Madhavan T. Venkataraman
2023-12-06 18:51 ` Peter Zijlstra
2023-12-08 18:41 ` Madhavan T. Venkataraman
2023-12-01 0:45 ` Edgecombe, Rick P
2023-12-06 16:41 ` Madhavan T. Venkataraman [this message]
2023-11-13 2:23 ` [RFC PATCH v2 18/19] heki: x86: Protect guest kernel memory using the KVM hypervisor Mickaël Salaün
2023-11-13 8:54 ` Peter Zijlstra
2023-11-27 17:05 ` Madhavan T. Venkataraman
2023-11-27 20:03 ` Peter Zijlstra
2023-11-29 19:47 ` Madhavan T. Venkataraman
2023-11-13 2:23 ` [RFC PATCH v2 19/19] virt: Add Heki KUnit tests Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=db9c5049-70b5-4261-b7e8-cd371c50aaea@linux.microsoft.com \
--to=madvenka@linux.microsoft.com \
--cc=bp@alien8.de \
--cc=chao.p.peng@linux.intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=dev@lists.cloudhypervisor.org \
--cc=graf@amazon.com \
--cc=hpa@zytor.com \
--cc=jamorris@linux.microsoft.com \
--cc=jgowans@amazon.com \
--cc=john.s.andersen@intel.com \
--cc=keescook@chromium.org \
--cc=kvm@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-hyperv@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=marian.c.rotariu@gmail.com \
--cc=mdontu@bitdefender.com \
--cc=mic@digikod.net \
--cc=mingo@redhat.com \
--cc=nicu.citu@icloud.com \
--cc=pbonzini@redhat.com \
--cc=peterz@infradead.org \
--cc=qemu-devel@nongnu.org \
--cc=quic_tsoni@quicinc.com \
--cc=rick.p.edgecombe@intel.com \
--cc=seanjc@google.com \
--cc=ssicleru@bitdefender.com \
--cc=tglx@linutronix.de \
--cc=tgopinath@microsoft.com \
--cc=virtualization@lists.linux-foundation.org \
--cc=vkuznets@redhat.com \
--cc=wanpengli@tencent.com \
--cc=wei.liu@kernel.org \
--cc=will@kernel.org \
--cc=x86@kernel.org \
--cc=xen-devel@lists.xenproject.org \
--cc=yu.c.zhang@linux.intel.com \
--cc=yuanyu@google.com \
--cc=ztarkhani@microsoft.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).