From: Ingo Molnar <mingo@elte.hu>
To: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: Tony Luck <tony.luck@gmail.com>,
linux-kernel@vger.kernel.org, davej@redhat.com,
kees.cook@canonical.com, davem@davemloft.net, eranian@google.com,
torvalds@linux-foundation.org, adobriyan@gmail.com,
penberg@kernel.org, hpa@zytor.com,
Arjan van de Ven <arjan@infradead.org>,
Andrew Morton <akpm@linux-foundation.org>,
Valdis.Kletnieks@vt.edu, pageexec@freemail.hu
Subject: Re: [RFC][PATCH] Randomize kernel base address on boot
Date: Wed, 25 May 2011 13:23:39 +0200 [thread overview]
Message-ID: <20110525112339.GC30983@elte.hu> (raw)
In-Reply-To: <1306278038.1921.5.camel@dan>
* Dan Rosenberg <drosenberg@vsecurity.com> wrote:
> > No, the right solution is what i suggested a few mails ago:
> > /proc/kallsyms (and other RIP printing places) should report the
> > non-randomized RIP.
> >
> > That way we do not have to change the kptr_restrict default and
> > tools will continue to work ...
>
> Ok, I'll do it this way, and leave the kptr_restrict default to 0.
> But I still think having the dmesg_restrict default depend on
> randomization makes sense, since kernel .text is explicitly
> revealed in the syslog.
Hm, where is it revealed beyond intcall addresses, which ought to be
handled if they are printed via %pK?
All such information leaks need to be fixed. (This will be the
slowest part of the process i suspect - there's many channels.)
in the syslog we obviously want any RIPs converted to the canonical
'unrandomized' address, so that it can be matched against
/proc/kallsyms, etc. Their randomized value isnt very useful. That
will also protect the randomization secret as a side effect.
The only thorny issue AFAICS are oopses. There's real value in having
'raw' data from a crash (interpreting crashes is hard enough even
without randomization!), OTOH we could keep most of the value of them
by converting them back to canonical addresses.
This would be more or less easy to do for the RIP and the registers,
but less obvious for the stack: a kernel pointer can lie on the stack
at arbitrary alignment. On 64-bit we could probably detect them
rather reliably based on the randomized prefix of kernel addresses:
[ 32.946003] Stack:
[ 32.946003] 0000000000000202 0000000000000002 0000000000000001 0000000000000000
[ 32.946003] 0000000000000198 0000000000000002 0000000000000000 00000000002ca5b0
[ 32.946003] 0000000000000000 ffff88003e5533e0 ffff88003f977c00 ffffffff802225e3
the ffffffff8 prefix (assuming we end up randomizing the address
within the 2GB window available to a RIP-relative addressed kernel)
would be easy to detect even if it's not word aligned. There *would*
be false positives (a 32-bit value of -7 is common), but as long as
we marked any unrandomization clearly with an asterix:
[ 32.946003] Stack:
[ 32.946003] 0000000000000202 0000000000000002 0000000000000001 0000000000000000
[ 32.946003] 0000000000000198 0000000000000002 0000000000000000 00000000002ca5b0
[ 32.946003] 0000000000000000*ffff88003e5533e0*ffff88003f977c00*ffffffff802225e3
we'd be informed that the stack content was slighly different. If we
fixed up register values, say the raw value is:
[ 32.946003] RDX: 0000000000000000 RSI: ffffffff80ce0100 RDI: 0000000000000000
and randomization is -0x100000 then we'd print the normalized value
for 'RSI':
[ 32.946003] RDX: 0000000000000000 RSI:*ffffffff80de0100 RDI: 0000000000000000
And the '*' tells us that this value got normalized.
On 32-bit systems the rate of false positive is probably higher, he
'0xc0' byte pattern is pretty common.
Now, theoretically there's still a tiny information hole here: if an
attacker can crash a kernel in a non-fatal way that puts some known
data on the kernel stack, then the unrandomization will reveal the
secret ...
I guess we'll have to live with that: really paranoid places will
disable dmesg access to unprivileged users.
[ They might also want to have a knob to not log kernel crashes at
all - best protection is if *no one* (not even root) has a way to
figure out the secret. That needs to go hand in hand with forced
use of signed modules, sanitized /dev/mem, no root-controllable DMA
access to any device, no ioperm() and iopl(), etc. - so a very
locked down kernel that protects even root from being able to
execute kernel code. Such systems are still useful btw even if root
otherwise has access to all disks and has access to the kernel
image and can install its own image: a reboot will generally set
off an alarm. ]
> Thanks very much for the feedback.
Hey, thanks for taking up on implementing this rather non-trivial
security feature!
Thanks,
Ingo
next prev parent reply other threads:[~2011-05-25 11:23 UTC|newest]
Thread overview: 95+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-05-24 20:31 [RFC][PATCH] Randomize kernel base address on boot Dan Rosenberg
2011-05-24 21:02 ` Ingo Molnar
2011-05-24 22:55 ` Dan Rosenberg
2011-05-24 21:16 ` Ingo Molnar
2011-05-24 23:00 ` Dan Rosenberg
2011-05-25 11:23 ` Ingo Molnar [this message]
2011-05-25 14:20 ` Dan Rosenberg
2011-05-25 14:29 ` Ingo Molnar
2011-05-24 23:06 ` H. Peter Anvin
2011-05-25 14:03 ` Dan Rosenberg
2011-05-25 14:14 ` Ingo Molnar
2011-05-25 15:48 ` H. Peter Anvin
2011-05-25 16:15 ` Dan Rosenberg
2011-05-25 16:24 ` H. Peter Anvin
2011-05-24 21:46 ` Brian Gerst
2011-05-24 23:01 ` Dan Rosenberg
2011-05-24 22:31 ` H. Peter Anvin
2011-05-24 23:04 ` Dan Rosenberg
2011-05-24 23:07 ` H. Peter Anvin
2011-05-24 23:34 ` Dan Rosenberg
2011-05-24 23:36 ` H. Peter Anvin
2011-05-24 23:14 ` H. Peter Anvin
2011-05-24 23:08 ` Dan Rosenberg
2011-05-25 2:05 ` Dan Rosenberg
2011-05-26 20:01 ` Vivek Goyal
2011-05-26 20:06 ` Dan Rosenberg
2011-05-26 20:16 ` Valdis.Kletnieks
2011-05-26 20:31 ` Vivek Goyal
2011-05-27 9:36 ` Ingo Molnar
2011-05-26 20:35 ` Vivek Goyal
2011-05-26 20:40 ` Vivek Goyal
2011-05-26 20:44 ` Dan Rosenberg
2011-05-26 20:55 ` Vivek Goyal
2011-05-27 9:38 ` Ingo Molnar
2011-05-27 13:07 ` Vivek Goyal
2011-05-27 13:38 ` Ingo Molnar
2011-05-27 13:13 ` Vivek Goyal
2011-05-27 13:21 ` Dan Rosenberg
2011-05-27 13:46 ` Ingo Molnar
2011-05-27 13:50 ` Vivek Goyal
2011-05-26 20:39 ` Dan Rosenberg
2011-05-27 7:15 ` Ingo Molnar
2011-05-31 16:52 ` Matthew Garrett
2011-05-31 18:40 ` H. Peter Anvin
2011-05-31 18:51 ` Matthew Garrett
2011-05-31 19:03 ` Dan Rosenberg
2011-05-31 19:07 ` H. Peter Anvin
2011-05-31 19:50 ` Ingo Molnar
2011-05-31 19:55 ` Ingo Molnar
2011-05-31 20:15 ` H. Peter Anvin
2011-05-31 20:27 ` Ingo Molnar
2011-05-31 20:30 ` H. Peter Anvin
2011-06-01 6:18 ` Ingo Molnar
2011-06-01 15:44 ` H. Peter Anvin
2011-05-31 20:17 ` Dan Rosenberg
2011-05-26 22:18 ` Rafael J. Wysocki
2011-05-26 22:32 ` H. Peter Anvin
2011-05-27 0:26 ` Dan Rosenberg
2011-05-27 16:21 ` Rafael J. Wysocki
2011-05-27 2:45 ` Dave Jones
2011-05-27 9:40 ` Ingo Molnar
2011-05-27 16:11 ` Rafael J. Wysocki
2011-05-27 16:07 ` Rafael J. Wysocki
2011-05-27 15:42 ` Linus Torvalds
2011-05-27 16:11 ` Dan Rosenberg
2011-05-27 17:00 ` Ingo Molnar
2011-05-27 17:06 ` H. Peter Anvin
2011-05-27 17:10 ` Dan Rosenberg
2011-05-27 17:13 ` H. Peter Anvin
2011-05-27 17:16 ` Linus Torvalds
2011-05-27 17:38 ` Ingo Molnar
2011-05-27 17:20 ` Kees Cook
2011-05-27 17:16 ` Ingo Molnar
2011-05-27 17:21 ` Linus Torvalds
2011-05-27 17:46 ` Ingo Molnar
2011-05-27 17:53 ` H. Peter Anvin
2011-05-27 18:05 ` Linus Torvalds
2011-05-27 19:15 ` Vivek Goyal
2011-05-27 21:37 ` H. Peter Anvin
2011-05-27 23:51 ` H. Peter Anvin
2011-05-28 12:18 ` Ingo Molnar
2011-05-29 1:13 ` H. Peter Anvin
2011-05-29 12:47 ` Ingo Molnar
2011-05-29 18:19 ` H. Peter Anvin
2011-05-29 18:44 ` Ingo Molnar
2011-05-29 18:52 ` H. Peter Anvin
2011-05-29 19:56 ` Ingo Molnar
2011-05-27 17:57 ` Linus Torvalds
2011-05-27 18:17 ` Ingo Molnar
2011-05-27 18:43 ` Kees Cook
2011-05-27 18:48 ` david
2011-05-27 21:51 ` Olivier Galibert
2011-05-27 22:11 ` Valdis.Kletnieks
2011-05-28 0:50 ` H. Peter Anvin
2011-05-28 6:32 ` Ingo Molnar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110525112339.GC30983@elte.hu \
--to=mingo@elte.hu \
--cc=Valdis.Kletnieks@vt.edu \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=arjan@infradead.org \
--cc=davej@redhat.com \
--cc=davem@davemloft.net \
--cc=drosenberg@vsecurity.com \
--cc=eranian@google.com \
--cc=hpa@zytor.com \
--cc=kees.cook@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=pageexec@freemail.hu \
--cc=penberg@kernel.org \
--cc=tony.luck@gmail.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox