Re: [RFC] Circumventing FineIBT Via Entrypoints

[Kees Cook <kees@kernel.org>]

On Thu, Feb 13, 2025 at 09:57:37PM +0100, Jann Horn wrote:
> On Thu, Feb 13, 2025 at 9:53 PM Kees Cook <kees@kernel.org> wrote:
> > On Thu, Feb 13, 2025 at 08:41:16PM +0000, Andrew Cooper wrote:
> > > On 13/02/2025 8:28 pm, Kees Cook wrote:
> > > > On Thu, Feb 13, 2025 at 01:31:30AM +0000, Andrew Cooper wrote:
> > > >>>> Assuming this is an issue you all feel is worth addressing, I will
> > > >>>> continue working on providing a patch. I'm concerned though that the
> > > >>>> overhead from adding a wrmsr on both syscall entry and exit to
> > > >>>> overwrite and restore the KERNEL_GS_BASE MSR may be quite high, so
> > > >>>> any feedback in regards to the approach or suggestions of alternate
> > > >>>> approaches to patching are welcome :)
> > > >>> Since the kernel, as far as I understand, uses FineIBT without
> > > >>> backwards control flow protection (in other words, I think we assume
> > > >>> that the kernel stack is trusted?),
> > > >> This is fun indeed.  Linux cannot use supervisor shadow stacks because
> > > >> the mess around NMI re-entrancy (and IST more generally) requires ROP
> > > >> gadgets in order to function safely.  Implementing this with shadow
> > > >> stacks active, while not impossible, is deemed to be prohibitively
> > > >> complicated.
> > > > And just validate my understanding here, this attack is fundamentally
> > > > about FineIBT, not regular CFI (IBT or not), as the validation of target
> > > > addresses is done at indirect call time, yes?
> > >
> > > I'm not sure I'd classify it like that.  As a pivot primitive, it works
> > > very widely.
> > >
> > > FineIBT (more specifically any hybrid CFI scheme which includes CET-IBT)
> > > relies on hardware to do the course grain violation detection, and some
> > > software hash for fine grain violation detection.
> > >
> > > In this case, the requirement for the SYSCALL entrypoint to have an
> > > ENDBR64 instruction means it passes the CET-IBT check (does not yield
> > > #CP), and then lacks the software hash check as well.
> > >
> > > i.e. this renders FineIBT (and other hybrid CFI schemes) rather moot,
> > > because one hole is all the attacker needs to win, if they can control a
> > > function pointer / return address.  At which point it's a large overhead
> > > for no security benefit over simple CET-IBT.
> >
> > Right, the "if they can control a function pointer" is the part I'm
> > focusing on. This attack depends on making an indirect call with a
> > controlled pointer. Non-FineIBT CFI will protect against that step,
> > so I think this is only an issue for IBT-only and FineIBT, but not CFI
> > nor CFI+IBT.
> 
> To me, "CFI" is really just a fairly abstract concept; are you talking
> specifically about the Clang scheme from
> <https://clang.llvm.org/docs/ControlFlowIntegrityDesign.html>, or
> something else?

Ah, sorry, I mean KCFI (and note that FineIBT is a run-time alternatives
pass that transforms the "stock" KCFI):

https://clang.llvm.org/docs/ControlFlowIntegrity.html#fsanitize-kcfi
https://lpc.events/event/16/contributions/1315/
https://www.youtube.com/watch?v=bmv6blX_F_g

-Kees

-- 
Kees Cook