Received: by 10.223.176.5 with SMTP id f5csp1006439wra;
        Sat, 3 Feb 2018 15:48:40 -0800 (PST)
X-Google-Smtp-Source: AH8x224pyhZpS0GYTap5CI6gGYIgnbDRYizqiJE0lh1os6VpdWsOgbT1IudBVlx1dGrAxHn5VoYF
X-Received: by 10.101.80.193 with SMTP id s1mr35621652pgp.417.1517701720440;
        Sat, 03 Feb 2018 15:48:40 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1517701720; cv=none;
        d=google.com; s=arc-20160816;
        b=pOUwyL4XRaLUvEWvmaSbVTuhpjuDkN0LSxtd6IU8JACURuhkzdOkbhrmwH+Js/kOPD
         hY4YJa6UbcHeEa+Z7RI6KMKD3Cm7vP93XA1005n76UbcuBphLM2kj1uqXJObBmy7dASo
         xD1K3PuZJb0ZZVToLvyDGheUutu+bV5OXB+iATMAbXchzYnjPmrVRIloGsyBuQnflWEc
         xD21HcYl6u74QOIwt+MFk+8j1r1DwJDRtoedwA1sh4SH7SRS3/7mrcRpFU179no1a2so
         fClNR4FR9tc4FjUubIh4YXq2IMnIzAAyv4CnrMBCxwHItc708x7HXz9s769M70JAklXY
         j5cA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=6J8v415C7nTPDnExxrfpjJ8XR+eMQTEeMTtBlS/b44I=;
        b=veF72U1sfhPSeC1gYGtG5h9KNJu155AJOuDg6aZf1Dsf+hu4eoGNOq2VPCZ/p9Fc1k
         Zuh8ekCf2421OCr/iqR+kmgtxC3ZqMhGsfdC4BA1awxgNJWuMcb4ZDyyHXoXL9uHtnBf
         EDNpt+5t1pSAtNGxzODqWswDFknEo8SpFHvvmLRu1c19BfJbcAe+Ng4ctjKo8gEGpBhq
         04rwx15wf62Lh28M0C3NTOQXZU+K4ZSgXA++WTilqhHw1RnuIj9gkcUYhWmqflRfy0B3
         Y4bJg336gokH9ta46JyaSShDSYVol5DtXl2cZ32Wra9uSV37vGUccku/skgrT5LhcW2d
         zDGA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@sempervictus-com.20150623.gappssmtp.com header.s=20150623 header.b=REwY8Rf3;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id c1-v6si4445372pld.427.2018.02.03.15.48.26;
        Sat, 03 Feb 2018 15:48:40 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@sempervictus-com.20150623.gappssmtp.com header.s=20150623 header.b=REwY8Rf3;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1754561AbeBCW3b (ORCPT <rfc822;epopevad@gmail.com> + 99 others);
        Sat, 3 Feb 2018 17:29:31 -0500
Received: from mail-pl0-f47.google.com ([209.85.160.47]:35427 "EHLO
        mail-pl0-f47.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752465AbeBCW3X (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 3 Feb 2018 17:29:23 -0500
Received: by mail-pl0-f47.google.com with SMTP id j19so9050492pll.2
        for <linux-kernel@vger.kernel.org>; Sat, 03 Feb 2018 14:29:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sempervictus-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=6J8v415C7nTPDnExxrfpjJ8XR+eMQTEeMTtBlS/b44I=;
        b=REwY8Rf3eq1FCxd1SidzUkFrv+TM2O0MgMI7Ock1l9buLpDq11FupYIiCxmO6ClnHo
         vydqi9PRZBQDISKlabTNsrJqmTuZ29ehr61rzd0pzVpuIiPa0zUpSv60I+p25FM8lLw3
         nFJvzb9N32CiF5Mk6u0s88l9tBfUx1Up8bjmLJc7w+nypGqC3xnw5emYYOTvhn8r1aPx
         ySqfteopr+3kXIEYkVMjZyz5Wx/2cJ4zNOEhl/4svfXTD60H7wWtDj4bGJaSg5tfDPE1
         MqseEe83gQyfsghgoW4CtMBH40K6D/tHWxiMvGqb6dX+FBDcsmdA5gSizmI1aydA+YV5
         M6AA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=6J8v415C7nTPDnExxrfpjJ8XR+eMQTEeMTtBlS/b44I=;
        b=nQ6VZybpRYYl6M6oMd5uuviN+HUMaJq7kp0lC9YZYHTVgENhNavETxz2eiNfgqb0sN
         lU0xvArb/c576gQo4/GTicHHRDBZiAOJzUa1kdb8lI6JcsZQke7ys0n2Ic4AeVx0o9oq
         xRs+TeMG8bd99aE1c3u7gIGjBpyrV2gA6ifANkbXyVJZ2tTL0XAdesqSwUWXB2/NQodW
         inKfB6xNu6ubeM0njixcaZx4q7b2hKAbg2E7Ld4lWQzBpSnfGWacd9Gqh4p8ITCXYN0I
         NpNwHtYJ09a0DUe0Xdo9wOvU34w7dmkR1r/7YqXrzb/wK/HNIfddJllIpGCyZbDMWdp3
         tiNw==
X-Gm-Message-State: AKwxytfM55+bFdSfhFPzfSX5LmLei1qqM2Rc1Dk+HgwFNvSLAWP/nGZ0
        yp3k2e1hwNG+rmSZlFC3zM5mGZOvSSES7ETaxHhY6A==
X-Received: by 2002:a17:902:6945:: with SMTP id k5-v6mr29951879plt.389.1517696963078;
 Sat, 03 Feb 2018 14:29:23 -0800 (PST)
MIME-Version: 1.0
Received: by 10.236.140.141 with HTTP; Sat, 3 Feb 2018 14:29:22 -0800 (PST)
X-Originating-IP: [72.70.61.204]
In-Reply-To: <8818bfd4-dd9f-f279-0432-69b59531bd41@huawei.com>
References: <20180124175631.22925-1-igor.stoppa@huawei.com>
 <20180124175631.22925-5-igor.stoppa@huawei.com> <CAG48ez0JRU8Nmn7jLBVoy6SMMrcj46R0_R30Lcyouc4R9igi-g@mail.gmail.com>
 <20180126053542.GA30189@bombadil.infradead.org> <alpine.DEB.2.20.1802021236510.31548@nuc-kabylake>
 <f2ddaed0-313e-8664-8a26-9d10b66ed0c5@huawei.com> <b75b5903-0177-8ad9-5c2b-fc63438fb5f2@huawei.com>
 <CAFUG7CfrCpcbwgf5ixMC5EZZgiVVVp1NXhDHK1UoJJcC08R2qQ@mail.gmail.com> <8818bfd4-dd9f-f279-0432-69b59531bd41@huawei.com>
From:   Boris Lukashev <blukashev@sempervictus.com>
Date:   Sat, 3 Feb 2018 17:29:22 -0500
Message-ID: <CAFUG7CeUhFcvA82uZ2ZH1j_6PM=aBo4XmYDN85pf8G0gPU44dg@mail.gmail.com>
Subject: Re: [kernel-hardening] [PATCH 4/6] Protectable Memory
To:     Igor Stoppa <igor.stoppa@huawei.com>
Cc:     Christopher Lameter <cl@linux.com>,
        Matthew Wilcox <willy@infradead.org>,
        Jann Horn <jannh@google.com>,
        Jerome Glisse <jglisse@redhat.com>,
        Kees Cook <keescook@chromium.org>,
        Michal Hocko <mhocko@kernel.org>,
        Laura Abbott <labbott@redhat.com>,
        Christoph Hellwig <hch@infradead.org>,
        linux-security-module <linux-security-module@vger.kernel.org>,
        Linux-MM <linux-mm@kvack.org>,
        kernel list <linux-kernel@vger.kernel.org>,
        Kernel Hardening <kernel-hardening@lists.openwall.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Feb 3, 2018 at 3:32 PM, Igor Stoppa <igor.stoppa@huawei.com> wrote:
>
>
> On 03/02/18 22:12, Boris Lukashev wrote:
>
>> Regarding the notion of validated protected memory, is there a method
>> by which the resulting checksum could be used in a lookup
>> table/function to resolve the location of the protected data?
>
> What I have in mind is a checksum at page/vmap_area level, so there
> would be no 1:1 mapping between a specific allocation and the checksum.
>
> An extreme case would be the one where an allocation crosses one or more
> page boundaries, while the checksum refers to a (partially) overlapping
> memory area.
>
> Code accessing a pool could perform one (relatively expensive)
> validation. But still something that would require a more sophisticated
> attack, to subvert.
>
>> Effectively a hash table of protected allocations, with a benefit of
>> dedup since any data matching the same key would be the same data
>> (multiple identical cred structs being pushed around). Should leave
>> the resolver address/csum in recent memory to check against, right?
>
> I see where you are trying to land, but I do not see how it would work
> without a further intermediate step.
>
> pmalloc dishes out virtual memory addresses, when called.
>
> It doesn't know what the user of the allocation will put in it.
> The user, otoh, has the direct address of the memory it got.
>
> What you are suggesting, if I have understood it correctly, is that,
> when the pool is protected, the addresses already given out, will become
> traps that get resolved through a lookup table that is built based on
> the content of each allocation.
>
> That seems to generate a lot of overhead, not to mention the fact that
> it might not play very well with the MMU.

That is effectively what i'm suggesting - as a form of protection for
consumers against direct reads of data which may have been corrupted
by some irrelevant means. In the context of pmalloc, it would probably
be a separate type of ro+verified pool which consumers would
explicitly opt into. Say there's a maintenance cycle on a <name some
scary thing controlled by Linux> and it wants to make sure that the
instructions it read in are what they should have been before running
them, those consumers might well take the penalty if it keeps <said
scary big thing> from doing <the thing we're scared of it doing>.
If such a resolver could be implemented in a manner which doesnt break
all the things (including acceptable performance for at least a
significant number of workloads), it might be useful as a general tool
for handing out memory to userspace, even in rw, as it provides
execution context in which other requirements can be forcibly
resolved, preventing unauthorized access to pages the consumer
shouldn't get in a very generic way. Spectre comes to mind as a
potential class of issues to be addressed this way, since speculative
load could be prevented if the resolution were to fail.

>
> If I misunderstood, then I'd need a step by step description of what
> happens, because it's not clear to me how else the data would be
> accessed if not through the address that was obtained when pmalloc was
> invoked.
>
> --
> igor



-- 
Boris Lukashev
Systems Architect
Semper Victus