Date: Tue, 19 Feb 2019 15:47:41 +0100 From: Jann Horn <jannh@...gle.com> To: "Reshetova, Elena" <elena.reshetova@...el.com> Cc: "Perla, Enrico" <enrico.perla@...el.com>, Andy Lutomirski <luto@...capital.net>, "keescook@...omium.org" <keescook@...omium.org>, Andy Lutomirski <luto@...nel.org>, Peter Zijlstra <peterz@...radead.org>, "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, "tglx@...utronix.de" <tglx@...utronix.de>, "mingo@...hat.com" <mingo@...hat.com>, "bp@...en8.de" <bp@...en8.de>, "tytso@....edu" <tytso@....edu> Subject: Re: [RFC PATCH] x86/entry/64: randomize kernel stack offset upon system call On Thu, Feb 14, 2019 at 8:52 AM Reshetova, Elena <elena.reshetova@...el.com> wrote: > After some thinking and discussions, let me try to summarize the options and the > security benefits of each approach based on everyone else feedback before > going any further with work. We all want only useful things in kernel, so merging > smth that provides a subtle/almost non-existing benefit is clearly not a priority. > > So, first about the protection methods. We can do randomization in two ways: > > 1. stack top itself (and location of pt_regs) > 2. relative stack positioning (offset from pt_regs). > > In addition to randomization we can do some fixup on exit, like Andy proposed: > > 3. Make sure CS always points to user on exit (for example by regs->cs |= 3), > potentially smth else can be fixed up similarly, if needed > > Here are *known* (at least to me, please shout if you know more!) possible > attacks vectors and implications on them by doing 1), 2) or 3) > > a) attacker's goal is to store some user-controlled data in pt_regs to reference it later > 1) pt_regs is not predictable, but can be discovered in ptrace-style scenario or cache-probing. > If discovered, then attack succeeds as of now. > 2) nothing changed for this type of attack, attack succeeds as of now > 3) nothing changed for this type of attack, attack succeeds as of now > > b) attacker's goal is to return to userland from a syscall with CS pointing to kernel > 1) pt_regs is not predictable, but can be discovered in ptrace-style scenario or cache-probing. > If discovered, then attack succeeds as of now. > 2) nothing changed for this type of attack, attack succeeds as of now > 3) CS changed explicitly on exit, so impossible to have this attack, *given* that the > change is done late enough and no races, sleeps, etc. are possible > > c) attacker's goal is to perform some kind of stack overflow into parts of adjusted stack > memory via some method. Here the main unknown is the "method". > This vector of attack is the challenge for the current exploit writers: I guess if you can do > it now with all the current protections for stack enabled, you get a nice defcon talk at least :) > VLA used to be an easy way of doing it, hopefully they are gone from the main source now > (out of tree drivers is a different story). > Uninitialized locals might be other way, but there is work ongoing to close this (see Kees's > patches on stackinit). > Smth else we don’t yet know? > Now back to our proposed countermeasures given that attacker has found a way to do > a crafted overflow and overwrite: > > 1) pt_regs is not predictable, but can be discovered in ptrace-style scenario or cache-probing. > If discovered, then attack succeeds as of now. > 2) relative stack offset is not predictable and randomized, cannot be probed very easily via > cache or ptrace. So, this is an additional hurdle on the attacker's way since stack is non- > deterministic now. > 3) nothing changed for this type of attack, given that attacker's goal is not to overwrite CS > in adjusted pt_regs. If it is his goal, then it helps with that. > > > Now summary: > > It would seem to me that: > > - regs->cs |= 3 on exit is a thing worth doing anyway, just because it is cheap, as Andy said, and it > might make a positive difference in two out of three attack scenarios. Objections? > > - randomization of stack top is only worth doing in ptrace-blocked scenario. > Do we have such scenarios left that people care about? There are some, I think; for example, Chrome renderers on desktop Linux can't use ptrace.
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.