Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 11 Nov 2016 10:04:42 -0800
From: Kees Cook <keescook@...omium.org>
To: Peter Zijlstra <peterz@...radead.org>
Cc: Will Deacon <will.deacon@....com>, Greg KH <gregkh@...uxfoundation.org>, 
	David Windsor <dave@...gbits.org>, 
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, 
	Elena Reshetova <elena.reshetova@...el.com>, Arnd Bergmann <arnd@...db.de>, 
	Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, 
	"H. Peter Anvin" <h.peter.anvin@...el.com>
Subject: Re: Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

On Fri, Nov 11, 2016 at 9:46 AM, Peter Zijlstra <peterz@...radead.org> wrote:
> On Fri, Nov 11, 2016 at 09:43:00AM -0800, Kees Cook wrote:
>> > 1) kref: Used for honest-to-goodness reference counters that want
>> > overflow protection.  Uses a new type: atomic_nowrap_t that has
>> > HARDENED_ATOMIC protection.
>>
>> Based on other feedback, it sounds like we're better off with
>> refcount_t (which kref could be implemented on top of). And refcount_t
>> would have a limited API: inc, dec_and_test (or whatever is determined
>> as sanely minimal).
>>
>> > 2) statistical counters: Atomic in all cases, but wraps.
>>
>> Yup. sequence_t seems to make the most sense on naming, I think. If we
>> want to get crazy, the type could be sequence_wrap_t.
>
> Why? atomic_t is still perfectly fine here, right?
>
>> > 3) atomic_t: All other users of atomics (locks, etc.).  Wrapping
>> > behavior depends on a CONFIG setting.
>>
>> Correct: if CONFIG_PARANOID_ATOMIC (or something) is set, atomic_t is
>> implemented as refcount_t, otherwise as sequence_t.
>
> Can't happen. There is far more atomic_t usage than reference and/or
> statistics counters.

The opt-out direction we need to take means that we can't leave
atomic_t as a possible refcount implementation. As such, we need to
convert everything to be either wrapping or non-wrapping, and define
atomic_t as one or the other via CONFIG (to allow the user to choose
their risk level).

Just replacing known-atomic_t refcounters with refcount_t is opt-in,
and won't cover new drivers that get missed by maintainers. We need a
hardened infrastructure, not just "stuff people can maybe remember to
use".

I'm totally open about how to get there, but things can't just be opt-in.

-Kees

-- 
Kees Cook
Nexus Security

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.