|
Date: Thu, 5 May 2016 10:21:06 -0700 From: Michael Leibowitz <michael.leibowitz@...el.com> To: spender@...ecurity.net, kernel-hardening@...ts.openwall.com, keescook@...omium.org, re.emese@...il.com, pageexec@...email.hu Cc: michael.leibowitz@...el.com Subject: [RFC 0/3] Add struct randomization plugin This patch set ports over grsecurity's structure randomization feature. The plugin is largely unchanged from grsecurity, with some porting to go over Emese Revfy's v7 patch set for gcc plugin infrastructure. This is an RFC. Although this set of changes does not directly make exploitation harder, when a number of structures are randomized, it will make it difficult to splat many relevant structures without knowing the exact build of the kernel the target is using. While for one structure, there are limited number of guesses required, in aggregate, this can be a large obstacle for exploitation. Patch 3 is a grab bag that probably needs to be broken up, although I'm not sure of the best way to do so. Breaking by subsystem would seem to make an unwieldy patch set. Known TODO that is not addressed as part of this patch set: * tag security relevant structures for randomization * add checkpatch checking for non-C99 initialization * automated testing of randomization * better description and examples of exploits effectively mitigated by this feature Tagging of structures to be randomized will come in subsequent series of patches. -- arch/Kconfig | 35 + arch/x86/include/asm/floppy.h | 20 +- arch/x86/include/asm/paravirt_types.h | 18 +- drivers/acpi/acpica/hwxfsleep.c | 11 +- drivers/block/cciss.h | 30 +- drivers/gpu/drm/nouveau/nouveau_ttm.c | 28 +- drivers/gpu/drm/ttm/ttm_bo_manager.c | 10 +- drivers/gpu/drm/virtio/virtgpu_ttm.c | 10 +- drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c | 10 +- drivers/infiniband/hw/nes/nes_cm.c | 22 +- drivers/isdn/gigaset/bas-gigaset.c | 32 +- drivers/isdn/gigaset/ser-gigaset.c | 32 +- drivers/isdn/gigaset/usb-gigaset.c | 32 +- drivers/isdn/i4l/isdn_concap.c | 6 +- drivers/isdn/i4l/isdn_x25iface.c | 16 +- drivers/media/pci/solo6x10/solo6x10-g723.c | 2 +- drivers/net/ethernet/brocade/bna/bna_enet.c | 8 +- drivers/net/wan/lmc/lmc_media.c | 97 +-- drivers/scsi/bfa/bfa_fcs.c | 19 +- drivers/scsi/bfa/bfa_fcs_lport.c | 29 +- drivers/scsi/bfa/bfa_modules.h | 12 +- drivers/scsi/hpsa.h | 40 +- drivers/staging/lustre/lustre/ldlm/ldlm_flock.c | 2 +- drivers/staging/lustre/lustre/libcfs/module.c | 10 +- drivers/video/fbdev/matrox/matroxfb_DAC1064.c | 10 +- drivers/video/fbdev/matrox/matroxfb_Ti3026.c | 5 +- fs/reiserfs/item_ops.c | 24 +- include/linux/compiler-gcc.h | 5 + include/linux/compiler.h | 9 + include/linux/rbtree_augmented.h | 4 +- include/linux/vermagic.h | 9 +- kernel/module.c | 27 + lib/rbtree.c | 4 +- mm/page_alloc.c | 2 +- net/atm/lec.c | 6 +- net/atm/mpoa_caches.c | 41 +- net/vmw_vsock/vmci_transport_notify.c | 30 +- net/vmw_vsock/vmci_transport_notify_qstate.c | 30 +- scripts/Makefile.gcc-plugins | 11 +- scripts/gcc-plugins/.gitignore | 1 + scripts/gcc-plugins/Makefile | 12 + scripts/gcc-plugins/gen-random-seed.sh | 8 + scripts/gcc-plugins/randomize_layout_plugin.c | 935 ++++++++++++++++++++++++ sound/synth/emux/emux_seq.c | 14 +- 44 files changed, 1402 insertions(+), 316 deletions(-)
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.