From: Samir Bellabes <sam@synack.fr>
To: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
Cc: Thomas Gleixner <tglx@linutronix.de>,
Jon Masters <jcm@redhat.com>, "Woodhouse\,
David" <dwmw@amazon.co.uk>, Paolo Bonzini <pbonzini@redhat.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Andi Kleen <andi@firstfloor.org>,
Greg Kroah-Hartman <gregkh@linux-foundation.org>,
Tim Chen <tim.c.chen@linux.intel.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Dave Hansen <dave.hansen@intel.com>, Jeff Law <law@redhat.com>,
Nick Clifton <nickc@redhat.com>, Willy Tarreau <w@1wt.eu>
Subject: Re: Avoid speculative indirect calls in kernel
Date: Tue, 09 Jan 2018 02:44:13 +0100 [thread overview]
Message-ID: <87d12jkdqq.fsf@synack.fr> (raw)
In-Reply-To: <20180105121241.497742f7@alans-desktop> (Alan Cox's message of "Fri, 5 Jan 2018 12:12:41 +0000")
Alan Cox <gnomes@lxorguk.ukuu.org.uk> writes:
> On Fri, 5 Jan 2018 01:54:13 +0100 (CET)
> Thomas Gleixner <tglx@linutronix.de> wrote:
>
>> On Thu, 4 Jan 2018, Jon Masters wrote:
>> > P.S. I've an internal document where I've been tracking "nice to haves"
>> > for later, and one of them is whether it makes sense to tag binaries as
>> > "trusted" (e.g. extended attribute, label, whatever). It was something I
>> > wanted to bring up at some point as potentially worth considering.
>>
>> Scratch that. There is no such thing as a trusted binary.
>
> There is if you are using signing and the like. I'm sure SELiux and
> friends will grow the ability to set per process policy but that's
> certainly not a priority.
There was a proposed security module providing such a per-process
policy.
When a process want to execute a specific networking syscall regarding
specific "transport protocol", the security module catches the syscall
at the LSM hook, and ask user about the "verdict" (authorized or not ?)
Verdicts are put inside "tickets" (it's a struct of information
regarding the autorization). Verdicts can have timeout or live
forever. They are managed by a hashtable.
The policy can be define by attaching tickets to process with a
userspace tool. Interface between userspace command tool and kernel is
using netlink protocol.
I managed to do the same on process and memory. memory access requires
process to delivery a available ticket. Sharing memory is like "process
A has a ticket required to access memory of process B"
Of course, direct assignation, throught asm code or operation like :
buffer[x] = y;
are impossible to catch at this level. It requires hooks at the asm
level.
As I understand, Willy needs to built such a took to classify "trusted"
binaries from others.
This is just the top of the iceberg, because, after starting to mark
process as "trusted" or not, there is a need of an architecture to track
such operations, evaluate incoherences, evaluate the convergence of such
classification, regarding thousands of binaries, in a lot of
contexts. This was the big part of the job.
last series I propose was years ago under the name :
[RFC,v3,00/10] snet: Security for NETwork syscalls
and particulary :
[RFC,v3,08/10] snet: introduce snet_ticket
http://patchwork.ozlabs.org/patch/93808/
thanks;
sam
next prev parent reply other threads:[~2018-01-09 1:49 UTC|newest]
Thread overview: 107+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-03 23:09 Avoid speculative indirect calls in kernel Andi Kleen
2018-01-03 23:09 ` [PATCH 01/11] x86/retpoline: Define retpoline indirect thunk and macros Andi Kleen
2018-01-03 23:09 ` [PATCH 02/11] x86/retpoline/crypto: Convert crypto assembler indirect jumps Andi Kleen
2018-01-03 23:09 ` [PATCH 03/11] x86/retpoline/entry: Convert entry " Andi Kleen
2018-01-03 23:09 ` [PATCH 04/11] x86/retpoline/ftrace: Convert ftrace " Andi Kleen
2018-01-03 23:09 ` [PATCH 05/11] x86/retpoline/hyperv: Convert " Andi Kleen
2018-01-03 23:09 ` [PATCH 06/11] x86/retpoline/crypto: Convert xen " Andi Kleen
2018-01-03 23:09 ` [PATCH 07/11] x86/retpoline/checksum32: Convert " Andi Kleen
2018-01-03 23:09 ` [PATCH 08/11] x86/retpoline/irq32: " Andi Kleen
2018-01-03 23:09 ` [PATCH 09/11] x86/retpoline: Finally enable retpoline for C code Andi Kleen
2018-01-04 8:28 ` Greg KH
2018-01-04 8:30 ` Dave Hansen
2018-01-03 23:09 ` [PATCH 10/11] retpoline/taint: Taint kernel for missing retpoline in compiler Andi Kleen
2018-01-04 0:29 ` Thomas Gleixner
2018-01-04 0:35 ` Randy Dunlap
2018-01-03 23:09 ` [PATCH 11/11] retpoline/objtool: Disable some objtool warnings Andi Kleen
2018-01-03 23:51 ` Avoid speculative indirect calls in kernel Linus Torvalds
2018-01-04 0:00 ` Alan Cox
2018-01-04 0:09 ` Andi Kleen
2018-01-04 0:12 ` Thomas Gleixner
2018-01-04 0:15 ` Andi Kleen
2018-01-04 0:19 ` Jiri Kosina
2018-01-05 2:01 ` james harvey
2018-01-05 10:40 ` Woodhouse, David
2018-01-05 12:29 ` james harvey
2018-01-05 12:06 ` Alan Cox
2018-01-04 0:29 ` Alan Cox
2018-01-04 0:31 ` Thomas Gleixner
2018-01-04 0:38 ` Alan Cox
2018-01-04 0:40 ` Andi Kleen
2018-01-04 8:15 ` Woodhouse, David
2018-01-04 15:53 ` Andi Kleen
2018-01-04 15:55 ` Woodhouse, David
2018-01-04 0:20 ` Linus Torvalds
2018-01-04 0:26 ` Thomas Gleixner
2018-01-04 0:18 ` David Lang
2018-01-04 1:00 ` Paul Turner
2018-01-04 1:41 ` Paolo Bonzini
2018-01-04 1:59 ` Alan Cox
2018-01-04 2:11 ` Paolo Bonzini
2018-01-04 8:20 ` Woodhouse, David
2018-01-04 11:42 ` Pavel Machek
2018-01-04 11:47 ` Woodhouse, David
2018-01-04 14:20 ` Paolo Bonzini
2018-01-04 14:51 ` Andrew Cooper
2018-01-04 15:29 ` Woodhouse, David
2018-01-04 15:32 ` Paolo Bonzini
2018-01-04 15:37 ` Andrew Cooper
2018-01-04 16:15 ` David Woodhouse
2018-01-04 20:00 ` Tom Lendacky
2018-01-04 20:05 ` David Woodhouse
2018-01-04 23:47 ` Tom Lendacky
2018-01-05 0:06 ` Andrew Cooper
2018-01-05 0:26 ` Tom Lendacky
2018-01-04 16:52 ` Andrea Arcangeli
2018-01-04 15:32 ` Paolo Bonzini
2018-01-04 16:25 ` Andrea Arcangeli
2018-01-04 17:04 ` Alan Cox
2018-01-04 17:40 ` Andrea Arcangeli
2018-01-04 17:13 ` Dave Hansen
2018-01-04 17:15 ` Paolo Bonzini
2018-01-04 18:05 ` Andrea Arcangeli
2018-01-04 14:55 ` Woodhouse, David
2018-01-04 18:24 ` Pavel Machek
2018-01-04 19:57 ` Jon Masters
2018-01-05 0:41 ` Jon Masters
2018-01-05 0:54 ` Thomas Gleixner
2018-01-05 4:11 ` Jon Masters
2018-01-05 9:59 ` Thomas Gleixner
2018-01-08 10:28 ` Andrea Arcangeli
2018-01-08 20:42 ` [tip:x86/pti] x86/tboot: Unbreak tboot with PTI enabled tip-bot for Dave Hansen
2018-01-08 20:53 ` Avoid speculative indirect calls in kernel Thomas Gleixner
2018-01-08 21:32 ` Andrea Arcangeli
2018-01-10 0:45 ` Thomas Gleixner
2018-01-10 1:11 ` Dave Hansen
2018-01-10 16:02 ` Thomas Gleixner
2018-01-05 6:49 ` Willy Tarreau
2018-01-05 6:57 ` Dave Hansen
2018-01-05 7:13 ` Willy Tarreau
2018-01-07 14:14 ` Borislav Petkov
2018-01-07 17:21 ` David Lang
2018-01-07 18:49 ` Borislav Petkov
2018-01-07 17:44 ` Willy Tarreau
2018-01-07 18:55 ` Borislav Petkov
2018-01-07 22:10 ` Willy Tarreau
2018-01-08 9:18 ` Thomas Gleixner
2018-01-08 9:29 ` Willy Tarreau
2018-01-08 16:22 ` Borislav Petkov
2018-01-08 16:53 ` Willy Tarreau
2018-01-05 12:12 ` Alan Cox
2018-01-09 1:44 ` Samir Bellabes [this message]
[not found] ` <CAL9bgJ8XNJgCtxR6+M+Vm9eDBVZ4Dyi_-Lt-Q1ei9N=TE2c6cg@mail.gmail.com>
2018-01-07 5:04 ` Fwd: " Kiernan Hager
2018-01-07 6:39 ` Willy Tarreau
2018-01-07 14:01 ` Alan Cox
2018-01-07 17:47 ` Willy Tarreau
2018-01-07 18:01 ` Ivan Ivanov
2018-01-07 18:16 ` Woodhouse, David
2018-01-04 11:26 ` Pavel Machek
2018-01-04 11:54 ` Alan Cox
2018-01-04 18:33 ` Linus Torvalds
2018-01-04 20:08 ` Jon Masters
-- strict thread matches above, loose matches on Subject: below --
2018-01-04 2:00 Andi Kleen
2018-01-04 11:49 ` Pavel Machek
2018-01-04 12:09 ` Alan Cox
2018-01-04 13:32 ` Pavel Machek
2018-01-12 8:20 Dr. Greg Wettstein
2018-02-23 21:10 Ywe Cærlyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87d12jkdqq.fsf@synack.fr \
--to=sam@synack.fr \
--cc=andi@firstfloor.org \
--cc=dave.hansen@intel.com \
--cc=dwmw@amazon.co.uk \
--cc=gnomes@lxorguk.ukuu.org.uk \
--cc=gregkh@linux-foundation.org \
--cc=jcm@redhat.com \
--cc=law@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=nickc@redhat.com \
--cc=pbonzini@redhat.com \
--cc=tglx@linutronix.de \
--cc=tim.c.chen@linux.intel.com \
--cc=torvalds@linux-foundation.org \
--cc=w@1wt.eu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).