Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 20 Feb 2019 14:20:17 -0800
From: Kees Cook <>
To: "Reshetova, Elena" <>
Cc: "Perla, Enrico" <>, Andy Lutomirski <>, 
	Jann Horn <>, Andy Lutomirski <>, 
	Peter Zijlstra <>, 
	"" <>, 
	"" <>, "" <>, "" <>, 
	"" <>
Subject: Re: [RFC PATCH] x86/entry/64: randomize kernel stack offset upon
 system call

On Wed, Feb 13, 2019 at 11:52 PM Reshetova, Elena
<> wrote:
> Now back to our proposed countermeasures given that attacker has found a way to do
> a crafted overflow and overwrite:
>   1) pt_regs is not predictable, but can be discovered in ptrace-style scenario or cache-probing.
>      If discovered, then attack succeeds as of now.
>   2) relative stack offset is not predictable and randomized, cannot be probed very easily via
>       cache or ptrace. So, this is an additional hurdle on the attacker's way since stack is non-
>       deterministic now.
>   3) nothing changed for this type of attack, given that attacker's goal is not to overwrite CS
>       in adjusted pt_regs. If it is his goal, then it helps with that.
> Now summary:
> It would seem to me that:
> - regs->cs |= 3 on exit is a thing worth doing anyway, just because it is cheap, as Andy said, and it
> might make a positive difference in two out of three attack scenarios. Objections?

I would agree, let's just do this.

> - randomization of stack top is only worth doing in ptrace-blocked scenario.
> Do we have such scenarios left that people care about?
> Because if we do, then we know that there is a real attack vector that we close this way, otherwise not.
> This is actually interesting, because we need to remember to take ptrace into our overall
> kernel hardening threat model (smth that at least I haven't quite realized before) and evaluate every new
> feature (especially randomization ones) being robust against ptrace probing.
> - randomization after pt_regs only would make a difference in attack scenario "c", for which
>   we don't yet have a proof of concept exploit or technique that would work (does not guarantee that
> attackers don't have the exploits ready through :( ).
> So, if we implement this, the "justification part" for the feature would be smth like "to make it
> harder for future possible stack-based exploits that utilize overflows", if/when someone find a new
> 'ala VLA' way of doing the controlled overflow.
> How do people feel about it? Is it worth having? I can work on the POC for this in direction that Andy
> outlined and can provide performance impact/etc., but it is good that we understand that we cannot
> provide a better justification for this feature at the moment unless someone is ready to share some
> new exploit technique with us.

I think this make sense. I do think, however, the work should be done
at syscall entry, though. Thoughts?

Kees Cook

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.