Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 12 Oct 2016 13:19:42 -0700
From: Kees Cook <keescook@...omium.org>
To: "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>
Cc: Mark Rutland <mark.rutland@....com>, Nick Kralevich <nnk@...gle.com>, 
	Laura Abbott <labbott@...oraproject.org>, Thomas Garnier <thgarnie@...gle.com>
Subject: Re: initcall randomization

On Wed, Oct 12, 2016 at 1:55 AM, Ard Biesheuvel
<ard.biesheuvel@...aro.org> wrote:
> (+ Nick)
>
> On 12 October 2016 at 00:40, Mark Rutland <mark.rutland@....com> wrote:
>> On Tue, Oct 11, 2016 at 07:28:46PM +0100, Ard Biesheuvel wrote:
>>> vmalloc and ioremap calls will simply be served bottom up, which is
>>> why the beginning of the vmalloc area mostly looks the same between
>>> boots, i.e., all non-kaslr boots look identical, and all kaslr boots
>>> look identical with little variation.
>>>
>>> I am aware that random vmalloc is a bad idea,
>>
>> I must confess ignorance here; what problems does random vmalloc pose in
>> particular?
>>
>
> It has been attempted in Android, and resulted in vmalloc failures due
> to fragmentation. I realize this may not apply to 64-bit ARM, though
> (and I assume the Android example concerned 32-bit ARM)
>
>>> hence my suggestion to perhaps randomize during the __init phase. I
>>> must admit that this is simply me holding the randomization hammer and
>>> looking for things that vaguely resemble nails, hence my request for
>>> discussion rather than proposing patches.
>>
>> Do we have a particular threat model this helps with?
>>
>> Is it similar to that for SLUB freelist randomization?
>>
>> Do we have vmalloc area sepcific information leaks?
>>
>
> Well, that was my question as well. Given that it seemed like a good
> idea for the Android guys at the time, I would assume yes
>
> Nick?

The specific issue is to randomize any targets living in vmalloc areas
that are allocated at boot time, which results in effectively static
locations for a given software/hardware combination. Thomas
(explicitly CCed now) saw a bunch of these when he was looking for
possible targets, which motivated his RANDOMIZE_MEMORY config for x86.
He also randomized the base offset for page tables, which are another
very common target, though it sounds to me like those would already be
randomized with the kernel position?

-Kees

-- 
Kees Cook
Nexus Security

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.