Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 21 Feb 2019 07:49:23 -0800
From: Andy Lutomirski <luto@...capital.net>
To: Jann Horn <jannh@...gle.com>
Cc: Andy Lutomirski <luto@...nel.org>, Kees Cook <keescook@...omium.org>,
 "Reshetova, Elena" <elena.reshetova@...el.com>,
 "Perla, Enrico" <enrico.perla@...el.com>,
 Peter Zijlstra <peterz@...radead.org>,
 "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>,
 "tglx@...utronix.de" <tglx@...utronix.de>,
 "mingo@...hat.com" <mingo@...hat.com>, "bp@...en8.de" <bp@...en8.de>,
 "tytso@....edu" <tytso@....edu>
Subject: Re: [RFC PATCH] x86/entry/64: randomize kernel stack offset upon system call



> On Feb 21, 2019, at 5:20 AM, Jann Horn <jannh@...gle.com> wrote:
> 
> On Thu, Feb 21, 2019 at 7:38 AM Andy Lutomirski <luto@...nel.org> wrote:
>>> On Feb 20, 2019, at 2:20 PM, Kees Cook <keescook@...omium.org> wrote:
>>> 
>>> On Wed, Feb 13, 2019 at 11:52 PM Reshetova, Elena
>>> <elena.reshetova@...el.com> wrote:
>>>> Now back to our proposed countermeasures given that attacker has found a way to do
>>>> a crafted overflow and overwrite:
>>>> 
>>>> 1) pt_regs is not predictable, but can be discovered in ptrace-style scenario or cache-probing.
>>>>    If discovered, then attack succeeds as of now.
>>>> 2) relative stack offset is not predictable and randomized, cannot be probed very easily via
>>>>     cache or ptrace. So, this is an additional hurdle on the attacker's way since stack is non-
>>>>     deterministic now.
>>>> 3) nothing changed for this type of attack, given that attacker's goal is not to overwrite CS
>>>>     in adjusted pt_regs. If it is his goal, then it helps with that.
>>>> 
>>>> 
>>>> Now summary:
>>>> 
>>>> It would seem to me that:
>>>> 
>>>> - regs->cs |= 3 on exit is a thing worth doing anyway, just because it is cheap, as Andy said, and it
>>>> might make a positive difference in two out of three attack scenarios. Objections?
>>> 
>>> I would agree, let's just do this.
>> 
>> Thinking slightly more about this, it’s an incomplete protection.  It
>> keeps an attacker from returning to kernel mode, but it does not
>> protect the privileged flag bits.  I think that IOPL is the only thing
>> we really care about, and doing anything useful about IOPL would be
>> rather more complex, unfortunately.  I suppose we could just zero it
>> and guard that with a static branch that is switched off the first
>> time anyone uses iopl(3).
>> 
>> I suppose we could also add a config option to straight-up disable
>> IOPL.  I sincerely hope that no one uses it any more. Even the small
>> number of semi-legit users really ought to be using ioperm() instead.
> 
> /me raises hand. iopl(3) is useful for making CLI and STI work from
> userspace, I've used it for that (for testing stuff, not for anything
> that has been shipped to people). Of course, that's probably a reason
> to get rid of it, not to keep it. ^^

I was thinking that I don’t even try to make this use case work correctly ;)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.