Date: Mon, 26 Sep 2016 10:55:16 -0700
From: "LeMay, Michael" <michael.lemay@...el.com>
To: musl@...ts.openwall.com, LeMay@...t70.net
Subject: Re: [RFC] Support for segmentation-hardened SafeStack
On 9/23/2016 03:22, Szabolcs Nagy wrote:
> * LeMay, Michael <michael.lemay@...el.com> [2016-09-22 23:00:45 +0000]:
>> I submitted several patches to LLVM and Clang to harden SafeStack using segmentation on x86-32 [1].  See [2] for general background on SafeStack.
> ...
>> [1] http://lists.llvm.org/pipermail/llvm-dev/2016-May/100346.html
>> [2] http://clang.llvm.org/docs/SafeStack.html
> is all runtime support in the libc with your patches?
> (i.e. no static linked interposition code from compiler-rt)

For programs linked against my patched version of musl with 
segmentation-hardened SafeStack enabled, the SafeStack library in 
compiler-rt is not needed.

>
> can you call into non-instrumented code?
> (as Rich noted this looks like a new abi on i386)
> i assume the segmented variant breaks abi while the
> non-segmented one does not.

Restricting segment limits does introduce additional considerations that 
are not applicable to the original version of SafeStack, as I described 
in the reply to Rich that I just sent.

>
> what is the unsafe stack size of the main thread?
> how much is the resource usage overhead?

I arbitrarily chose to allocate a main-thread unsafe stack that is twice 
as large as the main-thread safe stack.  The unsafe stack sizes for new 
threads are computed similarly to the safe stack sizes.  I'll post the 
current revision of my patches soon for the sake of discussion.

>
> what happens if unsafe stack allocation fails?

A limitation of my current patches is that there is no support for 
dynamically expanding the size of the unsafe stack.  By the way, I think 
that this is also a limitation of the current compiler-rt support for 
the original version of SafeStack.

> how does the stack get deallocated at thread exit?
> i assume they are consistent with normal stack
> handling if this is done in musl.. except for the
> main thread.

Yes, the unsafe stack gets deallocated when non-main threads exit.

>
> can signal handlers work with sigaltstack?

That's an interesting question.  One thing to consider is that the 
kernel will only switch the safe stack when sigaltstack is used, not the 
unsafe stack.  Furthermore, for the segmentation-based hardening to 
apply to the stack passed to sigaltstack, that stack would need to be 
allocated above the restricted limits of DS and ES.

Thanks,
Michael
