Date: Wed, 27 Feb 2019 11:03:42 +0000 From: "Reshetova, Elena" <elena.reshetova@...el.com> To: Kees Cook <keescook@...omium.org>, "Perla, Enrico" <enrico.perla@...el.com> CC: Andy Lutomirski <luto@...capital.net>, Andy Lutomirski <luto@...nel.org>, Jann Horn <jannh@...gle.com>, Peter Zijlstra <peterz@...radead.org>, "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, "tglx@...utronix.de" <tglx@...utronix.de>, "mingo@...hat.com" <mingo@...hat.com>, "bp@...en8.de" <bp@...en8.de>, "tytso@....edu" <tytso@....edu> Subject: RE: [RFC PATCH] x86/entry/64: randomize kernel stack offset upon system call > On Wed, Feb 20, 2019 at 2:53 PM Kees Cook <keescook@...omium.org> wrote: > > BTW, the attack that inspired grsecurity's RANDKSTACK is described in > > these slides (lots of steps, see slide 79): > > https://www.slideshare.net/scovetta/stackjacking > > Sorry, as PaX Team reminded me, I misremembered this. RANDKSTACK > already existed. It was STACKLEAK that was created in response to this > particular attack. I still think this attack is worth understanding to > see what hoops must be jumped through when dealing with stack > randomization (and other defenses). Yes, I actually went through a number of stack-based attacks, including above, in order to understand what we are trying to protect against. If you are interested, I wrote some notes here mainly for organizing my own thoughts and understanding: https://docs.google.com/document/d/1h1gRuZpOjVxaaDag-MxOrASka0OEBeApQOl8OK2GIVY/edit?usp=sharing It also has references to slidedecks of relevant attacks. I am going to update them now based on our good discussion here. Anyhow, I am glad that we arrived to conclusion here and I know how to proceed. So, I will start working on randomizing after pt_regs in direction that Andy outlined. With regards to disabling iopl(), this is pretty separate thing. If anyone wants to run with this and submit a patch, please go ahead, I can also do it a bit later (after a study of it since I never used it before) if noone finds bandwidth in the meantime. Best Regards, Elena.
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.