From: Andi Kleen <andi@firstfloor.org>
To: Ingo Molnar <mingo@elte.hu>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>,
pageexec@freemail.hu, Andi Kleen <andi@firstfloor.org>,
Arjan van de Ven <arjan@infradead.org>,
linux-kernel@vger.kernel.org, tglx@tglx.de, hpa@zytor.com
Subject: Re: [patch] Add basic sanity checks to the syscall execution patch
Date: Fri, 5 Sep 2008 14:01:27 +0200 [thread overview]
Message-ID: <20080905120127.GT18288@one.firstfloor.org> (raw)
In-Reply-To: <20080905114233.GA27878@elte.hu>
First as a minor pedantic correction (sorry!): the ro syscall table is not
fully free. It means you cannot use 2MB pages anymore to map it, which costs
you in TLB misses.
> [ It would be nice to have a 'randomize instruction scheduling' option
> for gcc, to make automated attacks that recognize specific instruction
> patterns less reliable. ]
One way to do that today is to feed gcc random data for profile feedback.
But your performance will probably suffer.
> experienced kernel developer could reliably tell it via a kgdb session
> and full access to memory and system symbols that such a silent alarm is
> running on a box. If he cannot do it reliably then there's probably no
> good way for an attacker either.
Game copy protections have been playing similar games for decades. While
I'm sure it was endless fun for both sides afaik the crackers tended to
ultimatively win. And all of these things also make the kernel more
fragile which is not good. Likely a case of "the only way to win is not to play"
I liked Alan's proposal of using hypervisor support for truly ro pages,
although even that is not fully hole proof because of indirect pointers.
But at least it would make it generally harder to inject code.
-Andi
--
ak@linux.intel.com
next prev parent reply other threads:[~2008-09-05 11:58 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-09-04 2:51 [patch] Add basic sanity checks to the syscall execution patch Arjan van de Ven
2008-09-04 12:01 ` Andi Kleen
2008-09-04 12:34 ` Alan Cox
2008-09-04 13:06 ` Andi Kleen
2008-09-04 12:44 ` Arjan van de Ven
2008-09-05 9:43 ` pageexec
2008-09-05 10:14 ` Benjamin Herrenschmidt
2008-09-05 10:49 ` pageexec
2008-09-05 10:57 ` Benjamin Herrenschmidt
2008-09-05 11:42 ` Ingo Molnar
2008-09-05 12:00 ` pageexec
2008-09-05 15:42 ` Ingo Molnar
2008-09-05 16:23 ` pageexec
2008-09-05 16:52 ` Ingo Molnar
2008-09-05 17:26 ` Andi Kleen
2008-09-05 19:42 ` pageexec
2008-09-05 20:48 ` Andi Kleen
2008-09-05 19:37 ` pageexec
2008-09-06 15:42 ` Ingo Molnar
2008-09-07 0:17 ` pageexec
2008-09-05 12:01 ` Andi Kleen [this message]
2008-09-05 20:41 ` Willy Tarreau
2008-09-06 15:45 ` Ingo Molnar
2008-09-06 16:34 ` Jeroen van Rijn
2008-09-07 12:53 ` Pavel Machek
2008-09-05 16:05 ` Arjan van de Ven
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080905120127.GT18288@one.firstfloor.org \
--to=andi@firstfloor.org \
--cc=arjan@infradead.org \
--cc=benh@kernel.crashing.org \
--cc=hpa@zytor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=pageexec@freemail.hu \
--cc=tglx@tglx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox