From: Ingo Molnar <mingo@elte.hu>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Dan Rosenberg <drosenberg@vsecurity.com>,
"Rafael J. Wysocki" <rjw@sisk.pl>,
Tony Luck <tony.luck@gmail.com>,
linux-kernel@vger.kernel.org, davej@redhat.com,
kees.cook@canonical.com, davem@davemloft.net, eranian@google.com,
adobriyan@gmail.com, penberg@kernel.org, hpa@zytor.com,
Arjan van de Ven <arjan@infradead.org>,
Andrew Morton <akpm@linux-foundation.org>,
Valdis.Kletnieks@vt.edu, pageexec@freemail.hu
Subject: Re: [RFC][PATCH] Randomize kernel base address on boot
Date: Fri, 27 May 2011 20:17:24 +0200 [thread overview]
Message-ID: <20110527181724.GA6485@elte.hu> (raw)
In-Reply-To: <BANLkTimGQh7P9O+BEd85Wm5iqzWg5DuYYg@mail.gmail.com>
* Linus Torvalds <torvalds@linux-foundation.org> wrote:
> On Fri, May 27, 2011 at 10:46 AM, Ingo Molnar <mingo@elte.hu> wrote:
> >
> > If i understood you correctly you suggest randomizing the image
> > by shifting the symbols in it around. The boot loader would still
> > load an 'image' where it always loads it - just that image itself
> > is randomized internally somewhat, right?
>
> You snipped the other part of my email you responded to:
>
> For chrissake - you're doing the same thing. The only question is
> "when" (and the fact that if you do it at install-time, you can do a
> fancier job of it)
>
> ie the fact that if you do it at install-time, you have the option of
> being much more fancy about it.
>
> So sure, the install time option *can* do more. It doesn't *have*
> to do more.
>
> But being able to do a better job of randomization is *better*. Ok?
> It doesn't mean you have to, but you have more options to do things
> if you want to.
>
> IOW, there is absolutely zero difference between doing it at
> install-time or run-time, but the install-time one is (a) likely
> easier and (b) certainly more flexible. But both of them do the
> exact same thing, and require the exact same support in things like
> /proc/kallsyms.
>
> Of course, if we end up doing something really fancy (which the
> install-time option allows), that obviously does mean that the
> remapping by %pK thing for kallsyms needs to be much smarter too.
>
> But at %pK time, you can *afford* to do that kind of things. At
> boot-time, before you're even loaded and have a hard time even
> parsing the e820 maps? Yeah, you're not going to do anything smart
> there, I can tell you.
Ok, you are right, we could patch in all the things into the image at
install time to be able to 'derandomize' symbols and still be able to
provide them.
[ One worry i have is that distro logic is to go for the simplest
route: which is to randomize the symbols by padding the beginning
or the end of the kernel image a bit, but don't bother making %pK
smart or fancy. This means that /proc/kallsyms will be restricted
(maybe even turned off completely, because it's now broken) and a
'real' System.map put, only readable to root. This still 'allows'
tooling, in a full SystemTap and Oprofile usability fashion. ]
Anyway, this strikes off the second item from my list. Meanwhile i
also found two other usecases which i added to the head of the list:
- Boot time dynamic randomization allows randomization of 'mass
install' systems, where the same image is used, to still be
randomized: for example a million phones all with the same Flash
ROM image and no 'install' performed at all on them.
With static randomization these systems will all have the same
kernel addresses.
- Boot time dynamic randomization allows read-only systems to still
be randomized: for example internet cafes that use some popular
pre-packaged kiosk-mode live-DVD. They probably wont bother
randomizing and relinking the ISOs per machine and burning per
machine DVDs ...
- A root exploit will still not give away the location of the
kernel (assuming module loading has been disabled after bootup),
so a rootkit cannot be installed 'silently' on the system, into
RAM only, evading most offline-storage-checking tools.
With static linking this is not possible: reading the kernel image
as root trivially exposes the kernel's location.
- Crash & reboot & retry brute force exploits get harder: if one
attempt at an exploit causes a crash and a reboot, the kernel
addresses are different after the reboot so the attempt has to be
retried without the advantage of any prior history.
With static linking this kind of exploit is somewhat easier: every
crash gives a permanent proof that the guessed RIP offet was
wrong, so history can be used on subsequent retries.
- It gives a way to go one step further in secure server lockdown:
where even root with full access to all storage has no way to
break into the kernel. Reboots, module loading and kexec can be
controlled, ioperm() and iopl() can be restricted. If those are
taken away then even if a root exploit allows the attacker to
overwrite the kernel image, a reboot has to be waited for and if
reboots do sanity checks [based on immutable storage] of the
system then the exploit can be found.
With static linking this is not possible: reading the kernel image
as root trivially exposes the kernel's location.
Thanks,
Ingo
next prev parent reply other threads:[~2011-05-27 18:17 UTC|newest]
Thread overview: 95+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-05-24 20:31 [RFC][PATCH] Randomize kernel base address on boot Dan Rosenberg
2011-05-24 21:02 ` Ingo Molnar
2011-05-24 22:55 ` Dan Rosenberg
2011-05-24 21:16 ` Ingo Molnar
2011-05-24 23:00 ` Dan Rosenberg
2011-05-25 11:23 ` Ingo Molnar
2011-05-25 14:20 ` Dan Rosenberg
2011-05-25 14:29 ` Ingo Molnar
2011-05-24 23:06 ` H. Peter Anvin
2011-05-25 14:03 ` Dan Rosenberg
2011-05-25 14:14 ` Ingo Molnar
2011-05-25 15:48 ` H. Peter Anvin
2011-05-25 16:15 ` Dan Rosenberg
2011-05-25 16:24 ` H. Peter Anvin
2011-05-24 21:46 ` Brian Gerst
2011-05-24 23:01 ` Dan Rosenberg
2011-05-24 22:31 ` H. Peter Anvin
2011-05-24 23:04 ` Dan Rosenberg
2011-05-24 23:07 ` H. Peter Anvin
2011-05-24 23:34 ` Dan Rosenberg
2011-05-24 23:36 ` H. Peter Anvin
2011-05-24 23:14 ` H. Peter Anvin
2011-05-24 23:08 ` Dan Rosenberg
2011-05-25 2:05 ` Dan Rosenberg
2011-05-26 20:01 ` Vivek Goyal
2011-05-26 20:06 ` Dan Rosenberg
2011-05-26 20:16 ` Valdis.Kletnieks
2011-05-26 20:31 ` Vivek Goyal
2011-05-27 9:36 ` Ingo Molnar
2011-05-26 20:35 ` Vivek Goyal
2011-05-26 20:40 ` Vivek Goyal
2011-05-26 20:44 ` Dan Rosenberg
2011-05-26 20:55 ` Vivek Goyal
2011-05-27 9:38 ` Ingo Molnar
2011-05-27 13:07 ` Vivek Goyal
2011-05-27 13:38 ` Ingo Molnar
2011-05-27 13:13 ` Vivek Goyal
2011-05-27 13:21 ` Dan Rosenberg
2011-05-27 13:46 ` Ingo Molnar
2011-05-27 13:50 ` Vivek Goyal
2011-05-26 20:39 ` Dan Rosenberg
2011-05-27 7:15 ` Ingo Molnar
2011-05-31 16:52 ` Matthew Garrett
2011-05-31 18:40 ` H. Peter Anvin
2011-05-31 18:51 ` Matthew Garrett
2011-05-31 19:03 ` Dan Rosenberg
2011-05-31 19:07 ` H. Peter Anvin
2011-05-31 19:50 ` Ingo Molnar
2011-05-31 19:55 ` Ingo Molnar
2011-05-31 20:15 ` H. Peter Anvin
2011-05-31 20:27 ` Ingo Molnar
2011-05-31 20:30 ` H. Peter Anvin
2011-06-01 6:18 ` Ingo Molnar
2011-06-01 15:44 ` H. Peter Anvin
2011-05-31 20:17 ` Dan Rosenberg
2011-05-26 22:18 ` Rafael J. Wysocki
2011-05-26 22:32 ` H. Peter Anvin
2011-05-27 0:26 ` Dan Rosenberg
2011-05-27 16:21 ` Rafael J. Wysocki
2011-05-27 2:45 ` Dave Jones
2011-05-27 9:40 ` Ingo Molnar
2011-05-27 16:11 ` Rafael J. Wysocki
2011-05-27 16:07 ` Rafael J. Wysocki
2011-05-27 15:42 ` Linus Torvalds
2011-05-27 16:11 ` Dan Rosenberg
2011-05-27 17:00 ` Ingo Molnar
2011-05-27 17:06 ` H. Peter Anvin
2011-05-27 17:10 ` Dan Rosenberg
2011-05-27 17:13 ` H. Peter Anvin
2011-05-27 17:16 ` Linus Torvalds
2011-05-27 17:38 ` Ingo Molnar
2011-05-27 17:20 ` Kees Cook
2011-05-27 17:16 ` Ingo Molnar
2011-05-27 17:21 ` Linus Torvalds
2011-05-27 17:46 ` Ingo Molnar
2011-05-27 17:53 ` H. Peter Anvin
2011-05-27 18:05 ` Linus Torvalds
2011-05-27 19:15 ` Vivek Goyal
2011-05-27 21:37 ` H. Peter Anvin
2011-05-27 23:51 ` H. Peter Anvin
2011-05-28 12:18 ` Ingo Molnar
2011-05-29 1:13 ` H. Peter Anvin
2011-05-29 12:47 ` Ingo Molnar
2011-05-29 18:19 ` H. Peter Anvin
2011-05-29 18:44 ` Ingo Molnar
2011-05-29 18:52 ` H. Peter Anvin
2011-05-29 19:56 ` Ingo Molnar
2011-05-27 17:57 ` Linus Torvalds
2011-05-27 18:17 ` Ingo Molnar [this message]
2011-05-27 18:43 ` Kees Cook
2011-05-27 18:48 ` david
2011-05-27 21:51 ` Olivier Galibert
2011-05-27 22:11 ` Valdis.Kletnieks
2011-05-28 0:50 ` H. Peter Anvin
2011-05-28 6:32 ` Ingo Molnar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110527181724.GA6485@elte.hu \
--to=mingo@elte.hu \
--cc=Valdis.Kletnieks@vt.edu \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=arjan@infradead.org \
--cc=davej@redhat.com \
--cc=davem@davemloft.net \
--cc=drosenberg@vsecurity.com \
--cc=eranian@google.com \
--cc=hpa@zytor.com \
--cc=kees.cook@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=pageexec@freemail.hu \
--cc=penberg@kernel.org \
--cc=rjw@sisk.pl \
--cc=tony.luck@gmail.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox