From: Ken Goldman <kgoldman@us.ibm.com>
To: linux-kernel@vger.kernel.org
Cc: tpmdd-devel@lists.sourceforge.net, linux-security-module@vger.kernel.org
Cc: tpmdd-devel@lists.sourceforge.net, linux-kernel@vger.kernel.org
Subject: Re: [RFC] tpm2-space: add handling for global session exhaustion
Date: Sun, 29 Jan 2017 19:52:20 -0500 [thread overview]
Message-ID: <o6m2nv$g6n$1@blaine.gmane.org> (raw)
In-Reply-To: <1485554699.3229.20.camel@HansenPartnership.com>
On 1/27/2017 5:04 PM, James Bottomley wrote:
>> Beware the nasty corner case:
>>
>> - Application asks for a session and gets 02000000
>>
>> - Time elapses and 02000000 gets forcibly flushed
>>
>> - Later, app comes back, asks for a second session and again gets
>> 02000000.
>>
>> - App gets very confused.
>>
>> May it be better to close the connection completely, which the
>> application can detect, than flush a session and give this corner
>> case?
>
> if I look at the code I've written, I don't know what the session
> number is, I just save sessionHandle in a variable for later use (lets
> say to v1). If I got the same session number returned at a later time
> and placed it in v2, all I'd notice is that an authorization using v1
> would fail. I'm not averse to killing the entire connection but,
> assuming you have fallback, it might be kinder simply to ensure that
> the operations with the reclaimed session fail (which is what the code
> currently does).
My worry is that this session failure cannot be detected by the
application. An HMAC failure could cause the app to tell a user that
they entered the wrong password. Misleading. On the TPM, it could
trigger the dictionary attack lockout. For a PIN index, it could
consume a failure count. Killing a policy session that has e.g., a
policy signed term could cause the application to go back to some
external entity for another authorization signature.
Let's go up to the stack. What's the attack?
If we're worried about many simultaneous applications (wouldn't that be
wonderful), why not just let startauthsession fail? The application can
just retry periodically. Just allocate them in triples so there's no
deadlock.
If we're worried about a DoS attack, killing a session just helps the
attacker. The attacker can create a few connections and spin on
startauthsession, locking everyone out anyway.
~~
Also, let's remember that this is a rare application. Sessions are only
needed for remote access (requiring encryption, HMAC or salt), or policy
sessions.
~~
Should the code also reserve a session for the kernel? Mark it not
kill'able?
next prev parent reply other threads:[~2017-01-30 1:05 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-18 20:48 [RFC] tpm2-space: add handling for global session exhaustion James Bottomley
2017-01-19 12:25 ` [tpmdd-devel] " Jarkko Sakkinen
2017-01-19 12:41 ` Jarkko Sakkinen
[not found] ` <o6gdhu$li$1@blaine.gmane.org>
2017-01-27 21:59 ` James Bottomley
2017-01-19 12:59 ` James Bottomley
2017-01-20 13:40 ` Jarkko Sakkinen
[not found] ` <o6gese$pev$1@blaine.gmane.org>
2017-01-27 22:04 ` James Bottomley
2017-01-27 23:35 ` Jason Gunthorpe
2017-01-27 23:48 ` James Bottomley
2017-01-30 0:52 ` Ken Goldman [this message]
2017-01-30 16:04 ` James Bottomley
2017-01-30 21:58 ` Jarkko Sakkinen
2017-01-30 22:13 ` James Bottomley
2017-01-31 13:31 ` Jarkko Sakkinen
[not found] ` <o6qog0$30l$1@blaine.gmane.org>
2017-01-31 19:55 ` James Bottomley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='o6m2nv$g6n$1@blaine.gmane.org' \
--to=kgoldman@us.ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=tpmdd-devel@lists.sourceforge.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox