From: Dan Rosenberg <drosenberg@vsecurity.com>
To: Vivek Goyal <vgoyal@redhat.com>
Cc: Tony Luck <tony.luck@gmail.com>,
linux-kernel@vger.kernel.org, davej@redhat.com,
kees.cook@canonical.com, davem@davemloft.net, eranian@google.com,
torvalds@linux-foundation.org, adobriyan@gmail.com,
penberg@kernel.org, hpa@zytor.com,
Arjan van de Ven <arjan@infradead.org>,
Andrew Morton <akpm@linux-foundation.org>,
Valdis.Kletnieks@vt.edu, Ingo Molnar <mingo@elte.hu>,
pageexec@freemail.hu
Subject: Re: [RFC][PATCH] Randomize kernel base address on boot
Date: Fri, 27 May 2011 09:21:32 -0400 [thread overview]
Message-ID: <1306502492.3339.2.camel@dan> (raw)
In-Reply-To: <20110527131313.GB8053@redhat.com>
On Fri, 2011-05-27 at 09:13 -0400, Vivek Goyal wrote:
> On Thu, May 26, 2011 at 04:44:34PM -0400, Dan Rosenberg wrote:
> > On Thu, 2011-05-26 at 16:40 -0400, Vivek Goyal wrote:
> > > On Thu, May 26, 2011 at 04:35:02PM -0400, Vivek Goyal wrote:
> > > > On Tue, May 24, 2011 at 04:31:45PM -0400, Dan Rosenberg wrote:
> > > > > This introduces CONFIG_RANDOMIZE_BASE, which randomizes the address at
> > > > > which the kernel is decompressed at boot as a security feature that
> > > > > deters exploit attempts relying on knowledge of the location of kernel
> > > > > internals. The default values of the kptr_restrict and dmesg_restrict
> > > > > sysctls are set to (1) when this is enabled, since hiding kernel
> > > > > pointers is necessary to preserve the secrecy of the randomized base
> > > > > address.
> > > >
> > > > What happens to /proc/iomem interface which gives us the physical memory
> > > > location where kernel is loaded. kexec-tools relies on that interface
> > > > heavily so we can not take it away. And if we can not take it away then
> > > > I think somebody should be easibly be able to calculate this randomized
> > > > base address.
> >
> > Is it common to run kexec-tools as non-root? It may be necessary to
> > restrict this interface to root when randomization is used (keep in mind
> > nobody's going to force you to turn this on by default, at least for the
> > foreseeable future).
>
> Dan,
>
> I had a stupid question. /proc/kallsyms is also readable by root only. So
> if we are doing this so that non-root user can not know kernel virtual and
> physical address that should be already covered as non-root users can't
> read /proc/kallsysm or /boot/System.map.
>
Not sure what system you're running, but /proc/kallsyms is 0444 on my
machine (and in mainline, afaik). Likewise for /proc/iomem.
The problem is mainly with distribution kernels - it's trivial to just
grab an identical vmlinux to a target machine and then you instantly
know exactly where everything is.
> And if this randomization is also to protect information from root user
> then /proc/iomem exporting the physical address of kernel is still a
> valid question in that context.
>
I think we can deal with unprivileged users first, and if we want to
truly prevent root from finding this out, we can introduce a separate
toggle that locks things down further.
-Dan
> Thanks
> Vivek
next prev parent reply other threads:[~2011-05-27 13:21 UTC|newest]
Thread overview: 95+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-05-24 20:31 [RFC][PATCH] Randomize kernel base address on boot Dan Rosenberg
2011-05-24 21:02 ` Ingo Molnar
2011-05-24 22:55 ` Dan Rosenberg
2011-05-24 21:16 ` Ingo Molnar
2011-05-24 23:00 ` Dan Rosenberg
2011-05-25 11:23 ` Ingo Molnar
2011-05-25 14:20 ` Dan Rosenberg
2011-05-25 14:29 ` Ingo Molnar
2011-05-24 23:06 ` H. Peter Anvin
2011-05-25 14:03 ` Dan Rosenberg
2011-05-25 14:14 ` Ingo Molnar
2011-05-25 15:48 ` H. Peter Anvin
2011-05-25 16:15 ` Dan Rosenberg
2011-05-25 16:24 ` H. Peter Anvin
2011-05-24 21:46 ` Brian Gerst
2011-05-24 23:01 ` Dan Rosenberg
2011-05-24 22:31 ` H. Peter Anvin
2011-05-24 23:04 ` Dan Rosenberg
2011-05-24 23:07 ` H. Peter Anvin
2011-05-24 23:34 ` Dan Rosenberg
2011-05-24 23:36 ` H. Peter Anvin
2011-05-24 23:14 ` H. Peter Anvin
2011-05-24 23:08 ` Dan Rosenberg
2011-05-25 2:05 ` Dan Rosenberg
2011-05-26 20:01 ` Vivek Goyal
2011-05-26 20:06 ` Dan Rosenberg
2011-05-26 20:16 ` Valdis.Kletnieks
2011-05-26 20:31 ` Vivek Goyal
2011-05-27 9:36 ` Ingo Molnar
2011-05-26 20:35 ` Vivek Goyal
2011-05-26 20:40 ` Vivek Goyal
2011-05-26 20:44 ` Dan Rosenberg
2011-05-26 20:55 ` Vivek Goyal
2011-05-27 9:38 ` Ingo Molnar
2011-05-27 13:07 ` Vivek Goyal
2011-05-27 13:38 ` Ingo Molnar
2011-05-27 13:13 ` Vivek Goyal
2011-05-27 13:21 ` Dan Rosenberg [this message]
2011-05-27 13:46 ` Ingo Molnar
2011-05-27 13:50 ` Vivek Goyal
2011-05-26 20:39 ` Dan Rosenberg
2011-05-27 7:15 ` Ingo Molnar
2011-05-31 16:52 ` Matthew Garrett
2011-05-31 18:40 ` H. Peter Anvin
2011-05-31 18:51 ` Matthew Garrett
2011-05-31 19:03 ` Dan Rosenberg
2011-05-31 19:07 ` H. Peter Anvin
2011-05-31 19:50 ` Ingo Molnar
2011-05-31 19:55 ` Ingo Molnar
2011-05-31 20:15 ` H. Peter Anvin
2011-05-31 20:27 ` Ingo Molnar
2011-05-31 20:30 ` H. Peter Anvin
2011-06-01 6:18 ` Ingo Molnar
2011-06-01 15:44 ` H. Peter Anvin
2011-05-31 20:17 ` Dan Rosenberg
2011-05-26 22:18 ` Rafael J. Wysocki
2011-05-26 22:32 ` H. Peter Anvin
2011-05-27 0:26 ` Dan Rosenberg
2011-05-27 16:21 ` Rafael J. Wysocki
2011-05-27 2:45 ` Dave Jones
2011-05-27 9:40 ` Ingo Molnar
2011-05-27 16:11 ` Rafael J. Wysocki
2011-05-27 16:07 ` Rafael J. Wysocki
2011-05-27 15:42 ` Linus Torvalds
2011-05-27 16:11 ` Dan Rosenberg
2011-05-27 17:00 ` Ingo Molnar
2011-05-27 17:06 ` H. Peter Anvin
2011-05-27 17:10 ` Dan Rosenberg
2011-05-27 17:13 ` H. Peter Anvin
2011-05-27 17:16 ` Linus Torvalds
2011-05-27 17:38 ` Ingo Molnar
2011-05-27 17:20 ` Kees Cook
2011-05-27 17:16 ` Ingo Molnar
2011-05-27 17:21 ` Linus Torvalds
2011-05-27 17:46 ` Ingo Molnar
2011-05-27 17:53 ` H. Peter Anvin
2011-05-27 18:05 ` Linus Torvalds
2011-05-27 19:15 ` Vivek Goyal
2011-05-27 21:37 ` H. Peter Anvin
2011-05-27 23:51 ` H. Peter Anvin
2011-05-28 12:18 ` Ingo Molnar
2011-05-29 1:13 ` H. Peter Anvin
2011-05-29 12:47 ` Ingo Molnar
2011-05-29 18:19 ` H. Peter Anvin
2011-05-29 18:44 ` Ingo Molnar
2011-05-29 18:52 ` H. Peter Anvin
2011-05-29 19:56 ` Ingo Molnar
2011-05-27 17:57 ` Linus Torvalds
2011-05-27 18:17 ` Ingo Molnar
2011-05-27 18:43 ` Kees Cook
2011-05-27 18:48 ` david
2011-05-27 21:51 ` Olivier Galibert
2011-05-27 22:11 ` Valdis.Kletnieks
2011-05-28 0:50 ` H. Peter Anvin
2011-05-28 6:32 ` Ingo Molnar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1306502492.3339.2.camel@dan \
--to=drosenberg@vsecurity.com \
--cc=Valdis.Kletnieks@vt.edu \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=arjan@infradead.org \
--cc=davej@redhat.com \
--cc=davem@davemloft.net \
--cc=eranian@google.com \
--cc=hpa@zytor.com \
--cc=kees.cook@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=pageexec@freemail.hu \
--cc=penberg@kernel.org \
--cc=tony.luck@gmail.com \
--cc=torvalds@linux-foundation.org \
--cc=vgoyal@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox