Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 28 Jan 2016 15:10:36 -0800
From: Kees Cook <keescook@...omium.org>
To: "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>
Cc: Andy Lutomirski <luto@...capital.net>, Andi Kleen <ak@...ux.intel.com>
Subject: Re: [RFC PATCH 0/2] SROP Mitigation

On Sun, Jan 24, 2016 at 12:12 AM, Scotty Bauer <sbauer@....utah.edu> wrote:
> Erik Bosman previously attempted to upstream some patches which mitigate SROP
> exploits in userland. Unfortunately he never pursued it further and they never
> got upstreamed.
>
> The previous patches can be seen here:
> https://lkml.org/lkml/2014/5/15/660
> https://lkml.org/lkml/2014/5/15/661
> https://lkml.org/lkml/2014/5/15/657
> https://lkml.org/lkml/2014/5/15/858
>
> In the discussion for those patches Andy Lutomirski and Andi Kleen had a few
> suggestions which are implemented in my patch series.
>
> Andy Lutomirski suggested that the per-process secret be xord and with the location
> on the stack where the cookie will reside, then hashed. I've taken this approach but
> have concerns about the safety and collision properties of the hash function I've used.
>
> Second, Andi Kleen was concerned that the previous patches broke the ABI. He suggested
> placing the cookie above the FP state. The code I'm submitting does that by placing the
> cookie in the padding above the FP state, or if no FP state is available above the
> padding for the sigframe.
>
>
> Below is an explanation of SROP stolen and slightly modified by me from Erik's patches.
>
> These patches are meant to make Sigreturn Oriented Programming (SROP) a much
> less attractive exploitation path.  In Sigreturn Oriented Programming, an
> attacker causes a user-space program to call the sigreturn system call in order
> to get complete control control over the entire userspace context in one go.
>
> Previously attackers would have to search for ROP gadgets to get values into registers
> then call mprotect or mmap. If the ROP gadgets didnt exist well then they'd be in trouble.
> With SROP however one wouldn't have to search for ROP gadgets to get values into regs.
> The attacker would simply lay out the ucontext on the stack as they choose then
> SROP into the mprotect or mmap call.
>
> ( see: http://www.cs.vu.nl/~herbertb/papers/srop_sp14.pdf )
>
> While mitigating SROP will probably not stop determined attackers from
> exploiting a program, as there's always the much more well-known Return
> Oriented Programming, we still think SROP's relative ease warrants mitigation,
> especially since the mitigation is so cheap.

Cool! Thanks for bringing this series back! I quickly skimmed the
paper, so I apologize if I missed it, but have there been any public
exploits that used SROP, or is it considered to be "just" an
identified weakness in need of fixing?

It seems performance overhead would be lost in the noise of catching
and processing signals, but have you done any benchmarks?

-Kees

-- 
Kees Cook
Chrome OS & Brillo Security

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.