Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 27 Feb 2019 11:03:42 +0000
From: "Reshetova, Elena" <elena.reshetova@...el.com>
To: Kees Cook <keescook@...omium.org>, "Perla, Enrico"
	<enrico.perla@...el.com>
CC: Andy Lutomirski <luto@...capital.net>, Andy Lutomirski <luto@...nel.org>,
	Jann Horn <jannh@...gle.com>, Peter Zijlstra <peterz@...radead.org>,
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>,
	"tglx@...utronix.de" <tglx@...utronix.de>, "mingo@...hat.com"
	<mingo@...hat.com>, "bp@...en8.de" <bp@...en8.de>, "tytso@....edu"
	<tytso@....edu>
Subject: RE: [RFC PATCH] x86/entry/64: randomize kernel stack offset upon
 system call


> On Wed, Feb 20, 2019 at 2:53 PM Kees Cook <keescook@...omium.org> wrote:
> > BTW, the attack that inspired grsecurity's RANDKSTACK is described in
> > these slides (lots of steps, see slide 79):
> > https://www.slideshare.net/scovetta/stackjacking
> 
> Sorry, as PaX Team reminded me, I misremembered this. RANDKSTACK
> already existed. It was STACKLEAK that was created in response to this
> particular attack. I still think this attack is worth understanding to
> see what hoops must be jumped through when dealing with stack
> randomization (and other defenses).

Yes, I actually went through a number of stack-based attacks, including above,
in order to understand what we are trying to protect against. 
If you are interested, I wrote some notes here mainly for organizing my own 
thoughts and understanding:

https://docs.google.com/document/d/1h1gRuZpOjVxaaDag-MxOrASka0OEBeApQOl8OK2GIVY/edit?usp=sharing

It also has references to slidedecks of relevant attacks. 
I am going to update them now based on our good discussion here.

Anyhow, I am glad that we arrived to conclusion here and I know how to proceed. 
So, I will start working on randomizing after pt_regs in direction that Andy outlined.

With regards to disabling iopl(), this is pretty separate thing. If anyone wants to run
with this and submit a patch, please go ahead, I can also do it a bit later (after a study of it 
since I never used it before) if noone finds bandwidth in the meantime.  

Best Regards,
Elena.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.