Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 8 May 2017 15:23:59 +0200
From: Daniel Gruss <>
To: Thomas Garnier <>
CC: kernel list <>,
        Kernel Hardening
        Michael Schwarz
        Richard Fellner
        "Kirill A. Shutemov"
        Ingo Molnar <>,
        "" <>
Subject: Re: [RFC, PATCH] x86_64: KAISER - do not map
 kernel in user mode

On 05.05.2017 10:23, Daniel Gruss wrote:
>>  - How this approach prevent the hardware attacks you mentioned? You
>> still have to keep a part of _text in the pagetable and an attacker
>> could discover it no? (and deduce the kernel base address).
> These parts are moved to a different section (.user_mapped) which is at a possibly predictable location - the location
> of the randomized parts of the kernel is independent of the location of .user_mapped.
> The code/data footprint for .user_mapped is quite small, helping to reduce or eliminate the attack surface...

We just discussed that in our group again: although we experimented with this part, it's not yet included in the patch. 
The solution we sketched is, as I wrote, we map the required (per-thread) variables in the user CR3 to a fixed location 
in memory. During the context switch, only this fixed part remains mapped but not the randomized pages. This is not a 
lot of work, because it's just mapping a few more pages and fixing a 1 or 2 lines in the context switch.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.