Date: Wed, 20 Feb 2019 14:20:17 -0800 From: Kees Cook <keescook@...omium.org> To: "Reshetova, Elena" <elena.reshetova@...el.com> Cc: "Perla, Enrico" <enrico.perla@...el.com>, Andy Lutomirski <luto@...capital.net>, Jann Horn <jannh@...gle.com>, Andy Lutomirski <luto@...nel.org>, Peter Zijlstra <peterz@...radead.org>, "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, "tglx@...utronix.de" <tglx@...utronix.de>, "mingo@...hat.com" <mingo@...hat.com>, "bp@...en8.de" <bp@...en8.de>, "tytso@....edu" <tytso@....edu> Subject: Re: [RFC PATCH] x86/entry/64: randomize kernel stack offset upon system call On Wed, Feb 13, 2019 at 11:52 PM Reshetova, Elena <elena.reshetova@...el.com> wrote: > Now back to our proposed countermeasures given that attacker has found a way to do > a crafted overflow and overwrite: > > 1) pt_regs is not predictable, but can be discovered in ptrace-style scenario or cache-probing. > If discovered, then attack succeeds as of now. > 2) relative stack offset is not predictable and randomized, cannot be probed very easily via > cache or ptrace. So, this is an additional hurdle on the attacker's way since stack is non- > deterministic now. > 3) nothing changed for this type of attack, given that attacker's goal is not to overwrite CS > in adjusted pt_regs. If it is his goal, then it helps with that. > > > Now summary: > > It would seem to me that: > > - regs->cs |= 3 on exit is a thing worth doing anyway, just because it is cheap, as Andy said, and it > might make a positive difference in two out of three attack scenarios. Objections? I would agree, let's just do this. > - randomization of stack top is only worth doing in ptrace-blocked scenario. > Do we have such scenarios left that people care about? > Because if we do, then we know that there is a real attack vector that we close this way, otherwise not. > This is actually interesting, because we need to remember to take ptrace into our overall > kernel hardening threat model (smth that at least I haven't quite realized before) and evaluate every new > feature (especially randomization ones) being robust against ptrace probing. > > - randomization after pt_regs only would make a difference in attack scenario "c", for which > we don't yet have a proof of concept exploit or technique that would work (does not guarantee that > attackers don't have the exploits ready through :( ). > So, if we implement this, the "justification part" for the feature would be smth like "to make it > harder for future possible stack-based exploits that utilize overflows", if/when someone find a new > 'ala VLA' way of doing the controlled overflow. > How do people feel about it? Is it worth having? I can work on the POC for this in direction that Andy > outlined and can provide performance impact/etc., but it is good that we understand that we cannot > provide a better justification for this feature at the moment unless someone is ready to share some > new exploit technique with us. I think this make sense. I do think, however, the work should be done at syscall entry, though. Thoughts? -- Kees Cook
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.