Date: Tue, 18 Oct 2016 14:36:55 -0700
From: Kees Cook <keescook@...omium.org>
To: "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>
Cc: Julia Lawall <julia.lawall@...6.fr>
Subject: Re: Use-after-free and management of reference counts

On Tue, Oct 18, 2016 at 5:22 AM, Vaishali Thakkar
<vaishali.thakkar@...cle.com> wrote:
> Hi,
>
> Recently I studied the reported CVEs of last 2 years and there were
> a fair number of use-after-free bugs. Usually we also see many reports
> of use-after-free bugs in the LKML [reported by one or other tools].
>
> Also, at Kernel recipes Jonathan Corbet mentioned reference counts as
> a security issue. I believe if we have more kernel hardening patches
> then we can avoid such bugs. I was wondering if there is some ongoing
> work in both [use-after-free and management of reference counts]
> of these areas?
>
> If not, then I would like to work on the same. Any pointers on this
> would be appreciated.

Others have already mentioned the HARDENED_ATOMIC work that is
underway, but one place I'd really like to take a little bit more time
to examine is how to improve the zero-poisoning work that Laura Abbott
did recently. Having this feature reduces the availability of a subset
of kernel memory exposures and can frustrate a subset of
use-after-free exploits. It's been in the kernel since v4.6, but it
needs some performance tuning and likely some other adjustments. I
talk about it a bit here:

https://outflux.net/blog/archives/2016/09/30/security-things-in-linux-v4-6/

I think to really dial in this protection so it is more like
PAX_MEMORY_SANITIZE, we'd need to do the following:

- adjust the slab poisoning to do zeroing (upstream's slab poisoning
uses a different value)
- consolidate the CONFIG and run-time cmdlines to give us a single "do
the right thing" CONFIG
- identify frequently-freed slabs that are less security-sensitive and
whitelist them from the poisoning (as done by PAX_MEMORY_SANITIZE)
- add kernel command-line argument to control poisoning (as done by
PAX_MEMORY_SANITIZE)

-Kees

-- 
Kees Cook
Nexus Security
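As an added illustration of the zero-poisoning policy Kees describes (not code from the message or from the kernel), the following constructed user-space model of a slab cache sanitizes objects on free unless the cache is whitelisted, and lets the policy be switched between no poisoning, upstream's poison byte, and zeroing; `struct cache`, `g_mode` and `stale_byte_after_free` are hypothetical names, and the "secret-token" contents are constructed.

```c
#include <stdbool.h>
#include <string.h>
/* Constructed user-space model of slab free-poisoning, added as an example;
 * not kernel code, and the names (struct cache, g_mode) are hypothetical. */
#define OBJ_SIZE    32
#define NR_OBJS     4
#define POISON_FREE 0x6b  /* upstream's slab poison byte (include/linux/poison.h) */

enum poison_mode { POISON_NONE, POISON_PATTERN, POISON_ZERO };
/* One knob standing in for the consolidated CONFIG/cmdline setting. */
static enum poison_mode g_mode = POISON_ZERO;

struct cache {
    bool whitelisted;                       /* frequently freed, not sensitive */
    unsigned char slab[NR_OBJS][OBJ_SIZE];  /* backing memory stays mapped */
    unsigned char *freelist[NR_OBJS];
    int nfree;
};

static void cache_init(struct cache *c, bool whitelisted)
{
    memset(c, 0, sizeof(*c));
    c->whitelisted = whitelisted;
    for (int i = 0; i < NR_OBJS; i++)
        c->freelist[c->nfree++] = c->slab[i];
}

static unsigned char *cache_alloc(struct cache *c) { return c->nfree ? c->freelist[--c->nfree] : NULL; }

/* Sanitize on free unless the cache is whitelisted, then push to the freelist. */
static void cache_free(struct cache *c, unsigned char *obj)
{
    if (!c->whitelisted && g_mode == POISON_ZERO)
        memset(obj, 0, OBJ_SIZE);
    else if (!c->whitelisted && g_mode == POISON_PATTERN)
        memset(obj, POISON_FREE, OBJ_SIZE);
    c->freelist[c->nfree++] = obj;
}

/* What a dangling pointer reads back after free under a given policy. */
static int stale_byte_after_free(enum poison_mode mode, bool whitelisted)
{
    struct cache c;
    g_mode = mode;
    cache_init(&c, whitelisted);
    unsigned char *obj = cache_alloc(&c);
    memcpy(obj, "secret-token", 13);  /* constructed sensitive contents */
    cache_free(&c, obj);
    return obj[0];  /* 0 zeroed, 0x6b patterned, 's' when unsanitized */
}
```

The whitelisted case shows the trade-off in the third bullet: a whitelisted cache skips sanitization entirely, so stale contents remain readable through a dangling pointer.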
