From: Andy Lutomirski <luto@amacapital.net>
To: James Bottomley <James.Bottomley@hansenpartnership.com>
Cc: Dave Hansen <dave.hansen@intel.com>,
Mike Rapoport <rppt@linux.ibm.com>,
linux-kernel@vger.kernel.org,
Alexandre Chartre <alexandre.chartre@oracle.com>,
Andy Lutomirski <luto@kernel.org>, Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
"H. Peter Anvin" <hpa@zytor.com>, Ingo Molnar <mingo@redhat.com>,
Jonathan Adams <jwadams@google.com>,
Kees Cook <keescook@chromium.org>, Paul Turner <pjt@google.com>,
Peter Zijlstra <peterz@infradead.org>,
Thomas Gleixner <tglx@linutronix.de>,
linux-mm@kvack.org, linux-security-module@vger.kernel.org,
x86@kernel.org
Subject: Re: [RFC PATCH 2/7] x86/sci: add core implementation for system call isolation
Date: Fri, 26 Apr 2019 10:40:18 -0700 [thread overview]
Message-ID: <8E695557-1CD2-431A-99CC-49A4E8247BAE@amacapital.net> (raw)
In-Reply-To: <1556291961.2833.42.camel@HansenPartnership.com>
> On Apr 26, 2019, at 8:19 AM, James Bottomley <James.Bottomley@hansenpartnership.com> wrote:
>
> On Fri, 2019-04-26 at 08:07 -0700, Andy Lutomirski wrote:
>>> On Apr 26, 2019, at 7:57 AM, James Bottomley <James.Bottomley@hanse
>>> npartnership.com> wrote:
>>>
>>>>> On Fri, 2019-04-26 at 07:46 -0700, Dave Hansen wrote:
>>>>> On 4/25/19 2:45 PM, Mike Rapoport wrote:
>>>>> After the isolated system call finishes, the mappings created
>>>>> during its execution are cleared.
>>>>
>>>> Yikes. I guess that stops someone from calling write() a bunch
>>>> of times on every filesystem using every block device driver and
>>>> all the DM code to get a lot of code/data faulted in. But, it
>>>> also means not even long-running processes will ever have a
>>>> chance of behaving anything close to normally.
>>>>
>>>> Is this something you think can be rectified or is there
>>>> something fundamental that would keep SCI page tables from being
>>>> cached across different invocations of the same syscall?
>>>
>>> There is some work being done to look at pre-populating the
>>> isolated address space with the expected execution footprint of the
>>> system call, yes. It lessens the ROP gadget protection slightly
>>> because you might find a gadget in the pre-populated code, but it
>>> solves a lot of the overhead problem.
>>
>> I’m not even remotely a ROP expert, but: what stops a ROP payload
>> from using all the “fault-in” gadgets that exist — any function that
>> can return on an error without doing to much will fault in the whole
>> page containing the function.
>
> The address space pre-population is still per syscall, so you don't get
> access to the code footprint of a different syscall. So the isolated
> address space is created anew for every system call, it's just pre-
> populated with that system call's expected footprint.
That’s not what I mean. Suppose I want to use a ROP gadget in vmalloc(), but vmalloc isn’t in the page tables. Then first push vmalloc itself into the stack. As long as RDI contains a sufficiently ridiculous value, it should just return without doing anything. And it can return right back into the ROP gadget, which is now available.
>
>> To improve this, we would want some thing that would try to check
>> whether the caller is actually supposed to call the callee, which is
>> more or less the hard part of CFI. So can’t we just do CFI and call
>> it a day?
>
> By CFI you mean control flow integrity? In theory I believe so, yes,
> but in practice doesn't it require a lot of semantic object information
> which is easy to get from higher level languages like java but a bit
> more difficult for plain C.
Yes. As I understand it, grsecurity instruments gcc to create some kind of hash of all function signatures. Then any indirect call can effectively verify that it’s calling a function of the right type. And every return verified a cookie.
On CET CPUs, RET gets checked directly, and I don’t see the benefit of SCI.
>
>> On top of that, a robust, maintainable implementation of this thing
>> seems very complicated — for example, what happens if vfree() gets
>> called?
>
> Address space Local vs global object tracking is another thing on our
> list. What we'd probably do is verify the global object was allowed to
> be freed and then hand it off safely to the main kernel address space.
>
>
This seems exceedingly complicated.
next prev parent reply other threads:[~2019-04-26 18:02 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-25 21:45 [RFC PATCH 0/7] x86: introduce system calls addess space isolation Mike Rapoport
2019-04-25 21:45 ` [RFC PATCH 1/7] x86/cpufeatures: add X86_FEATURE_SCI Mike Rapoport
2019-04-25 21:45 ` [RFC PATCH 2/7] x86/sci: add core implementation for system call isolation Mike Rapoport
2019-04-26 7:49 ` Peter Zijlstra
2019-04-28 5:45 ` Mike Rapoport
2019-04-26 8:31 ` Ingo Molnar
2019-04-26 9:58 ` Ingo Molnar
2019-04-26 21:26 ` Andy Lutomirski
2019-04-27 8:47 ` Ingo Molnar
2019-04-27 10:46 ` Ingo Molnar
2019-04-29 18:26 ` James Morris
2019-04-29 18:43 ` Andy Lutomirski
2019-04-29 18:46 ` Andy Lutomirski
2019-04-30 5:03 ` Ingo Molnar
2019-04-30 9:38 ` Peter Zijlstra
2019-04-30 11:05 ` Ingo Molnar
2019-05-02 11:35 ` Robert O'Callahan
2019-05-02 15:20 ` Ingo Molnar
2019-05-02 21:07 ` Robert O'Callahan
2019-04-26 14:44 ` James Bottomley
2019-04-26 14:46 ` Dave Hansen
2019-04-26 14:57 ` James Bottomley
2019-04-26 15:07 ` Andy Lutomirski
2019-04-26 15:19 ` James Bottomley
2019-04-26 17:40 ` Andy Lutomirski [this message]
2019-04-26 18:49 ` James Bottomley
2019-04-26 19:22 ` Andy Lutomirski
2019-04-25 21:45 ` [RFC PATCH 3/7] x86/entry/64: add infrastructure for switching to isolated syscall context Mike Rapoport
2019-04-25 21:45 ` [RFC PATCH 4/7] x86/sci: hook up isolated system call entry and exit Mike Rapoport
2019-04-25 21:45 ` [RFC PATCH 5/7] x86/mm/fault: hook up SCI verification Mike Rapoport
2019-04-26 7:42 ` Peter Zijlstra
2019-04-28 5:47 ` Mike Rapoport
2019-04-30 16:44 ` Andy Lutomirski
2019-05-01 5:39 ` Mike Rapoport
2019-04-25 21:45 ` [RFC PATCH 6/7] security: enable system call isolation in kernel config Mike Rapoport
2019-04-25 21:45 ` [RFC PATCH 7/7] sci: add example system calls to exercse SCI Mike Rapoport
2019-04-26 0:30 ` [RFC PATCH 0/7] x86: introduce system calls addess space isolation Andy Lutomirski
2019-04-26 8:07 ` Jiri Kosina
2019-04-28 6:01 ` Mike Rapoport
2019-04-26 14:41 ` Dave Hansen
2019-04-28 6:08 ` Mike Rapoport
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8E695557-1CD2-431A-99CC-49A4E8247BAE@amacapital.net \
--to=luto@amacapital.net \
--cc=James.Bottomley@hansenpartnership.com \
--cc=alexandre.chartre@oracle.com \
--cc=bp@alien8.de \
--cc=dave.hansen@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=jwadams@google.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=pjt@google.com \
--cc=rppt@linux.ibm.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox