Re: [patch 1/1] net: convert %p usage to %pK

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Ingo Molnar <mingo@elte.hu>
To: Eric Dumazet <eric.dumazet@gmail.com>,
	Dan Rosenberg <drosenberg@vsecurity.com>
Cc: David Miller <davem@davemloft.net>,
	kees.cook@canonical.com, joe@perches.com,
	akpm@linux-foundation.org, netdev@vger.kernel.org,
	drosenberg@vsecurity.com, a.p.zijlstra@chello.nl,
	eparis@parisplace.org, eugeneteo@kernel.org, jmorris@namei.org,
	tgraf@infradead.org
Subject: Re: [patch 1/1] net: convert %p usage to %pK
Date: Fri, 27 May 2011 08:37:06 +0200	[thread overview]
Message-ID: <20110527063706.GC9260@elte.hu> (raw)
In-Reply-To: <1306465841.2543.52.camel@edumazet-laptop>

* Eric Dumazet <eric.dumazet@gmail.com> wrote:

> Le jeudi 26 mai 2011 à 22:44 -0400, David Miller a écrit :
> > From: Kees Cook <kees.cook@canonical.com>
> > Date: Thu, 26 May 2011 17:14:49 -0700
> > > 
> > > We got this dropped from the /proc view; why can't we do the same for
> > > this netlink interface?
> > 
> > Because it's not only an opaque "output" blob, it's also an input key
> > for lookups which the user can trigger.
> 
> Yes, we wan add a layer to obfuscate the real pointers. We dont 
> trust values given by user, only match them.
> 
> Either we use a XOR with a boot time random value (but let the NULL 
> cookie being the NULL one), or we generate an unique 64bit socket 
> id for the cookie (and keep a 64bit cookie in all sockets, 
> increasing ram usage)

FYI, Dan Rosenberg is currently working on a kernel image 
randomization feature, see this lkml thread:

   [RFC][PATCH] Randomize kernel base address on boot

That will come with an easy vsprintf method to 'unrandomize' IPs. 

( this will be used to display a real-looking /proc/kallsyms and all 
  IPs that the kernel passes to user-space (via perf, etc.) will be 
  unrandomized as well, protecting the randomization seed. )

Once that code goes upstream the networking code could rather simply 
use it to 'randomize' these real data pointers as well. (Assuming you 
never ever pass in zero, that would expose the secret seed.)

The only worry would be statistical analysis performed by local 
attackers: by creating and closing enough sockets on a busy system 
you can over time cover almost all ranges of RAM, so if you can 
observe a pattern of 'over the address space limit' addresses at the 
top or the bottom of the address space you can estimate the random 
seed to within 4-5 bits realistically, maybe even more.

The upper and lower limit of the address space (big holes are useful 
too) can be calculated rather precisely based on RAM size, the 
identity of the system and the kernel version.

So maybe networking real-pointer randomization should be separate 
from kernel IP randomization after all.

Thanks,

	Ingo

     prev parent reply	other threads:[~2011-05-27  6:37 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-05-23 22:17 [patch 1/1] net: convert %p usage to %pK akpm
2011-05-24  5:13 ` David Miller
2011-05-24  6:17   ` Eric Dumazet
2011-05-24  6:33     ` Joe Perches
2011-05-24  6:57       ` Ingo Molnar
2011-05-24  7:04         ` Eric Dumazet
2011-05-24  7:35           ` Joe Perches
2011-05-24  7:45             ` Eric Dumazet
2011-05-24  7:58               ` David Miller
2011-05-24 14:43                 ` Stephen Hemminger
2011-05-24 17:18                   ` David Miller
2011-05-25 23:29                 ` Kees Cook
2011-05-26  1:50                   ` David Miller
2011-05-27  0:14                     ` Kees Cook
2011-05-27  2:44                       ` David Miller
2011-05-27  3:10                         ` Eric Dumazet
2011-05-27  6:37                           ` Ingo Molnar [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20110527063706.GC9260@elte.hu \
    --to=mingo@elte.hu \
    --cc=a.p.zijlstra@chello.nl \
    --cc=akpm@linux-foundation.org \
    --cc=davem@davemloft.net \
    --cc=drosenberg@vsecurity.com \
    --cc=eparis@parisplace.org \
    --cc=eric.dumazet@gmail.com \
    --cc=eugeneteo@kernel.org \
    --cc=jmorris@namei.org \
    --cc=joe@perches.com \
    --cc=kees.cook@canonical.com \
    --cc=netdev@vger.kernel.org \
    --cc=tgraf@infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).