As a followup to the "[PATCH] Make /proc/slabinfo 0400" thread, this
is a patch series to randomize the order of object allocations within
a page. It can be extended to SLAB and SLOB if desired. Mostly it's
for benchmarking and discussion.
It Boots For Me(tm).
Patches 1-4 and 8 touch drivers/char/random.c, to add support for
efficiently generating a series of uniform random integers in small
ranges. Is this okay with Herbert & Matt?
I did a bit of code cleanup while I was at it, but kept it to separate
patches. Patches 4 and 7 are the heart of the new code, but I'd
particularly like comments on patch 8, as I don't understand the kconfig
stuff very well. Is the feature description good and are the control
knobs adequate?
Checkpatch complains about a too-short CONFIG option description on
8/8; I think it's spurious.
On Sun, 2011-03-13 at 20:20 -0400, George Spelvin wrote:
> As a followup to the "[PATCH] Make /proc/slabinfo 0400" thread, this
> is a patch series to randomize the order of object allocations within
> a page. It can be extended to SLAB and SLOB if desired. Mostly it's
> for benchmarking and discussion.
I've spent a while thinking about this over the past few weeks, and I
really don't think it's productive to try to randomize the allocators.
It provides negligible defense and just makes life harder for kernel
hackers.
(And you definitely can't randomize SLOB like this.)
> Patches 1-4 and 8 touch drivers/char/random.c, to add support for
> efficiently generating a series of uniform random integers in small
> ranges. Is this okay with Herbert & Matt?
But I will look at these.
--
Mathematics is the supreme nostalgia of our time.
Hi Matt,
On Sun, 2011-03-13 at 20:20 -0400, George Spelvin wrote:
>> As a followup to the "[PATCH] Make /proc/slabinfo 0400" thread, this
>> is a patch series to randomize the order of object allocations within
>> a page. ?It can be extended to SLAB and SLOB if desired. ?Mostly it's
>> for benchmarking and discussion.
On Wed, Mar 16, 2011 at 4:57 AM, Matt Mackall <[email protected]> wrote:
> I've spent a while thinking about this over the past few weeks, and I
> really don't think it's productive to try to randomize the allocators.
> It provides negligible defense and just makes life harder for kernel
> hackers.
If it's an optional feature and the impact on the code is low (as it
seems to be), what's the downside? Combined with disabling SLUB's slab
merging, randomization should definitely make it more difficult to
have full control over a full slab. I don't know how much defense it
will provide but I think randomization is definitely an option worth
exploring.
> (And you definitely can't randomize SLOB like this.)
No, you can't but heap exploits like the one we discuss are slightly
harder with SLOB anyway, no?
Pekka
On Wed, 2011-03-16 at 08:23 +0200, Pekka Enberg wrote:
> Hi Matt,
>
> On Sun, 2011-03-13 at 20:20 -0400, George Spelvin wrote:
> >> As a followup to the "[PATCH] Make /proc/slabinfo 0400" thread, this
> >> is a patch series to randomize the order of object allocations within
> >> a page. It can be extended to SLAB and SLOB if desired. Mostly it's
> >> for benchmarking and discussion.
>
> On Wed, Mar 16, 2011 at 4:57 AM, Matt Mackall <[email protected]> wrote:
> > I've spent a while thinking about this over the past few weeks, and I
> > really don't think it's productive to try to randomize the allocators.
> > It provides negligible defense and just makes life harder for kernel
> > hackers.
>
> If it's an optional feature and the impact on the code is low (as it
> seems to be), what's the downside?
We still haven't established an upside, so from where I'm sitting it's
all downside.
> Combined with disabling SLUB's slab
> merging, randomization should definitely make it more difficult to
> have full control over a full slab.
Turning off slab merging will help for object types that use their own
slabs, kmalloced objects will still be vulnerable, independently of
randomization. Randomization won't prevent anything but the most naive
attack.
Again, we've already spent more time talking about this than it will
take for the exploit community to work around it.
> No, you can't but heap exploits like the one we discuss are slightly
> harder with SLOB anyway, no?
Only slightly, if at all.
--
Mathematics is the supreme nostalgia of our time.