From: pageexec@freemail.hu
To: Peter Zijlstra <peterz@infradead.org>
Cc: "Larry H." <research@subreption.com>,
Arjan van de Ven <arjan@infradead.org>,
Alan Cox <alan@lxorguk.ukuu.org.uk>, Ingo Molnar <mingo@elte.hu>,
Rik van Riel <riel@redhat.com>,
linux-kernel@vger.kernel.org, Linus Torvalds <torvalds@osdl.org>,
linux-mm@kvack.org, Ingo Molnar <mingo@redhat.com>
Subject: Re: [patch 0/5] Support for sanitization flag in low-level page allocator
Date: Sat, 30 May 2009 15:54:48 +0200 [thread overview]
Message-ID: <4A213AA8.18076.182E39C1@pageexec.freemail.hu> (raw)
In-Reply-To: <1243689707.6645.134.camel@laptop>
On 30 May 2009 at 15:21, Peter Zijlstra wrote:
> On Sat, 2009-05-30 at 13:42 +0200, pageexec@freemail.hu wrote:
> > > Why waste time on this?
> >
> > e.g., when userland executes a syscall, it 'can run kernel code'. if that kernel
> > code (note: already exists, isn't provided by the attacker) gives unintended
> > kernel memory back to userland, there is a problem. that problem is addressed
> > in part by early sanitizing of freed data.
>
> Right, so the whole point is to minimize the impact of actual bugs,
> right?
correct. this approach is the manifestation of a particular philosophy
in computer security where instead of finding all bugs, we minimize or,
at times, eliminate their bad sideeffects. non-executable pages, ASLR,
etc are all about this. see below why.
> So why not focus on fixing those actual bugs? Can we create tools
> to help us find such bugs faster? We use sparse for a lot of static
> checking, we create things like lockdep and kmemcheck to dynamically
> find trouble.
>
> Can we instead of working around a problem, fix the actual problem?
finding all use-after-free bugs is not possible, as far as i know. the
fundamental problem is that you'd have to find bugs with arbitrary read
sideeffects (which is just as hard a problem as finding bugs with arbitrary
write sideeffects which you'd also have to solve). if you solve these
problems, you'll have solved the most important bug class in computer
security that many decades of academic/industrial/etc research failed at.
since there's no (practical and theoretical) solution in sight for finding
and eliminating such memory handling bugs, we're left with tackling a less
ambitious goal of at least reducing their sideeffects to acceptable levels.
of course there'll be always instances and subclasses of bugs that we can
find by manual or automated inspection, but that only shows that the rest
can only by handled by 'working around the problem'.
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2009-05-30 13:54 UTC|newest]
Thread overview: 115+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-05-20 18:30 Larry H.
2009-05-20 20:42 ` Peter Zijlstra
2009-05-20 21:24 ` Larry H.
2009-05-21 15:21 ` Robin Holt
2009-05-21 18:43 ` Larry H.
2009-05-29 22:58 ` Andrew Morton
2009-05-30 7:00 ` Larry H.
2009-05-30 7:12 ` Pekka Enberg
2009-05-30 7:35 ` Larry H.
2009-05-30 7:39 ` Pekka Enberg
2009-05-21 19:08 ` Rik van Riel
2009-05-21 19:26 ` Alan Cox
2009-05-21 19:56 ` Larry H.
2009-05-21 20:47 ` Alan Cox
2009-05-21 21:46 ` Larry H.
2009-05-21 22:47 ` Alan Cox
2009-05-22 11:22 ` Larry H.
2009-05-22 13:37 ` Alan Cox
2009-05-26 19:02 ` Pavel Machek
2009-05-21 19:17 ` Rik van Riel
2009-05-21 19:30 ` Larry H.
2009-05-22 7:34 ` Ingo Molnar
2009-05-22 11:38 ` Larry H.
2009-05-22 13:39 ` Alan Cox
2009-05-22 18:03 ` Larry H.
2009-05-22 18:21 ` Alan Cox
2009-05-22 23:25 ` [PATCH] Support for kernel memory sanitization Larry H.
2009-05-22 23:52 ` Randy Dunlap
2009-05-22 23:40 ` [patch 0/5] Support for sanitization flag in low-level page allocator Larry H.
2009-05-23 8:09 ` Alan Cox
2009-05-23 15:56 ` Arjan van de Ven
2009-05-23 18:21 ` [PATCH] Support for unconditional page sanitization Larry H.
2009-05-23 21:05 ` Arjan van de Ven
2009-05-24 10:19 ` pageexec
2009-05-24 16:38 ` Arjan van de Ven
2009-05-28 19:36 ` [patch 0/5] Support for sanitization flag in low-level page allocator Peter Zijlstra
2009-05-29 14:32 ` Arjan van de Ven
2009-05-30 5:48 ` Larry H.
2009-05-30 10:39 ` Peter Zijlstra
2009-05-30 10:43 ` Larry H.
2009-05-30 11:42 ` pageexec
2009-05-30 13:21 ` Peter Zijlstra
2009-05-30 13:24 ` Peter Zijlstra
2009-05-30 13:54 ` pageexec [this message]
2009-05-30 14:04 ` Larry H.
2009-05-30 14:13 ` Rik van Riel
2009-05-30 14:08 ` Rik van Riel
2009-05-30 14:30 ` Alan Cox
2009-05-30 14:45 ` Peter Zijlstra
2009-05-30 14:48 ` Rik van Riel
2009-05-30 17:00 ` Larry H.
2009-05-30 17:25 ` Larry H.
2009-05-30 18:32 ` Ingo Molnar
2009-06-05 13:15 ` Pavel Machek
2009-05-31 14:38 ` Arjan van de Ven
2009-05-31 15:03 ` Arjan van de Ven
2009-05-22 18:37 ` Nai Xia
2009-05-22 19:18 ` Nai Xia
2009-05-23 12:49 ` Ingo Molnar
2009-05-23 22:28 ` Larry H.
2009-05-23 22:42 ` Rik van Riel
2009-05-25 1:17 ` [PATCH] Sanitize memory on kfree() and kmem_cache_free() Larry H.
2009-05-27 22:34 ` [patch 0/5] Support for sanitization flag in low-level page allocator Ingo Molnar
2009-05-28 6:27 ` Alan Cox
2009-05-28 7:00 ` Larry H.
2009-05-28 9:08 ` Ingo Molnar
2009-05-28 11:50 ` Alan Cox
2009-05-28 19:44 ` Peter Zijlstra
2009-05-30 7:35 ` Pekka Enberg
2009-05-30 7:50 ` Larry H.
2009-05-30 7:53 ` Pekka Enberg
2009-05-30 8:20 ` Larry H.
2009-05-30 8:33 ` Pekka Enberg
2009-05-30 15:05 ` Ray Lee
2009-05-30 17:34 ` Ingo Molnar
2009-05-30 18:03 ` Larry H.
2009-05-30 18:21 ` Ingo Molnar
2009-05-30 18:45 ` Larry H.
2009-05-30 19:08 ` Ingo Molnar
2009-05-30 20:39 ` Rik van Riel
2009-05-30 20:53 ` Pekka Enberg
2009-05-30 21:33 ` Larry H.
2009-05-30 23:13 ` Alan Cox
2009-05-30 23:18 ` Larry H.
2009-05-31 6:30 ` Pekka Enberg
2009-05-31 11:49 ` Larry H.
2009-05-31 7:17 ` Pekka Enberg
2009-05-31 11:58 ` Larry H.
2009-05-31 12:16 ` Pekka Enberg
2009-05-31 12:30 ` Larry H.
2009-05-31 12:35 ` Pekka Enberg
2009-05-30 23:10 ` Alan Cox
2009-05-31 6:14 ` Pekka Enberg
2009-05-31 10:24 ` Alan Cox
2009-05-31 10:24 ` Pekka Enberg
2009-05-31 12:16 ` Larry H.
2009-05-31 12:19 ` Pekka Enberg
2009-05-31 16:25 ` Alan Cox
2009-05-30 22:10 ` Ingo Molnar
2009-05-30 23:15 ` Alan Cox
2009-05-30 20:22 ` Pekka Enberg
2009-05-30 22:14 ` Ingo Molnar
2009-05-30 17:39 ` Ingo Molnar
2009-05-30 7:57 ` Pekka Enberg
2009-05-30 9:05 ` Larry H.
2009-05-30 17:46 ` Ingo Molnar
2009-05-30 18:09 ` Larry H.
2009-05-30 8:31 ` Alan Cox
2009-05-30 8:35 ` Pekka Enberg
2009-05-30 9:27 ` Larry H.
2009-05-28 18:48 ` pageexec
2009-05-30 17:50 ` Ingo Molnar
2009-05-28 12:48 ` Pavel Machek
2009-05-28 12:55 ` Larry H.
2009-05-28 18:56 pageexec
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A213AA8.18076.182E39C1@pageexec.freemail.hu \
--to=pageexec@freemail.hu \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=arjan@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mingo@elte.hu \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=research@subreption.com \
--cc=riel@redhat.com \
--cc=torvalds@osdl.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox