From: Kees Cook
Date: Fri, 21 Sep 2018 12:12:30 -0700
Subject: Re: [PATCH 0/3] mm: Randomize free memory
To: Andrew Morton
Cc: Dan Williams, Michal Hocko, Dave Hansen, Linux-MM, LKML
In-Reply-To: <20180917161245.c4bb8546d2c6069b0506c5dd@linux-foundation.org>
References: <153702858249.1603922.12913911825267831671.stgit@dwillia2-desk3.amr.corp.intel.com>
 <20180917161245.c4bb8546d2c6069b0506c5dd@linux-foundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Sep 17, 2018 at 4:12 PM, Andrew Morton wrote:
> On Sat, 15 Sep 2018 09:23:02 -0700 Dan Williams wrote:
>
>> Data exfiltration attacks via speculative execution and
>> return-oriented-programming attacks rely on the ability to infer the
>> location of sensitive data objects. The kernel page allocator has
>> predictable first-in-first-out behavior for physical pages. Pages are
>> freed in physical address order when first onlined. There are also
>> mechanisms like CMA that can free large contiguous areas at once,
>> increasing the predictability of allocations in physical memory.
>>
>> In addition to the security implications, this randomization also
>> stabilizes the average performance of direct-mapped memory-side caches.
>> This includes memory-side caches like the one on the Knights Landing
>> processor and those generally described by the ACPI HMAT (Heterogeneous
>> Memory Attributes Table [1]). Cache conflicts are spread over a random
>> distribution rather than localized.
>>
>> Given the performance sensitivity of the page allocator, this
>> randomization is only performed for MAX_ORDER (4MB by default) pages. A
>> kernel parameter, page_alloc.shuffle_page_order, is included to change
>> the page size where randomization occurs.
>>
>> [1]: See ACPI 6.2 Section 5.2.27.5 Memory Side Cache Information Structure
>
> I'm struggling to understand the justification of all of this. Are
> such attacks known to exist? Or reasonably expected to exist in the
> future? What is the likelihood and what is their cost? Or is this all
> academic and speculative and possibly pointless?

While we already have a base-address randomization
(CONFIG_RANDOMIZE_MEMORY), attacks against the same hardware and memory
layouts would certainly be using the predictability of allocation
ordering (i.e. for attacks where the base address isn't important: only
the relative positions between allocated memory). This is common in lots
of heap-style attacks. They try to gain control over ordering by spraying
allocations, etc.

I'd really like to see this because it gives us something similar to
CONFIG_SLAB_FREELIST_RANDOM but for the page allocator. (This may be
worth mentioning in the series, especially as a comparison to its
behavior and this.)

> ie, something must have motivated you to do this work rather than
> . Please spell out that motivation.

I'd be curious to hear more about the mentioned cache performance
improvements. I love it when a security feature actually _improves_
performance. :)

Thanks for working on this!

-Kees

-- 
Kees Cook
Pixel Security
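To make the cover letter's mechanism concrete (blocks freed in physical address order give FIFO, physically adjacent allocations, which is exactly the relative placement Kees says heap-style attacks rely on), here is an added C model that is not code from the patch series or the kernel: a constructed free list of 4MB MAX_ORDER blocks is drained once as onlined and once after a Fisher-Yates shuffle, counting how often an allocation lands directly after the previous one. The struct, NBLOCKS, demo_rnd and all function names are assumptions made for this illustration; the kernel's real free-list layout and randomness source are not reproduced.

```c
#include <stdint.h>
/* Constructed model of one buddy-allocator free list: NBLOCKS MAX_ORDER
 * blocks (4MB each by default, per the cover letter) pushed onto the list
 * in physical address order when memory is onlined. Not kernel code. */
#define NBLOCKS 256
#define BLOCK_BYTES (4u << 20)
struct freelist { uint64_t paddr[NBLOCKS]; int head; };

static void online_in_order(struct freelist *fl)
{
    for (int i = 0; i < NBLOCKS; i++)
        fl->paddr[i] = (uint64_t)i * BLOCK_BYTES;
    fl->head = 0;
}

/* Deterministic xorshift32 for the demonstration only; a real allocator
 * would draw from the kernel's entropy source. Returns [0, bound). */
static uint32_t demo_rnd(uint32_t bound)
{
    static uint32_t s = 0x9E3779B9u;
    s ^= s << 13; s ^= s >> 17; s ^= s << 5;
    return s % bound;
}

/* Fisher-Yates shuffle: every ordering of the free list equally likely. */
static void shuffle_freelist(struct freelist *fl)
{
    for (int i = NBLOCKS - 1; i > 0; i--) {
        int j = (int)demo_rnd((uint32_t)i + 1);
        uint64_t t = fl->paddr[i]; fl->paddr[i] = fl->paddr[j]; fl->paddr[j] = t;
    }
}

/* Drain the list and count allocations landing directly after the previous
 * one: the predictable relative placement heap-style attacks depend on. */
static int adjacent_allocations(struct freelist *fl)
{
    int adjacent = 0;
    uint64_t prev = fl->paddr[fl->head++];
    while (fl->head < NBLOCKS) {
        uint64_t cur = fl->paddr[fl->head++];
        if (cur == prev + BLOCK_BYTES) adjacent++;
        prev = cur;
    }
    return adjacent;
}

/* FIFO list: all 255 transitions adjacent. Shuffled: about one by chance. */
int ordered_adjacent(void) { struct freelist fl; online_in_order(&fl); return adjacent_allocations(&fl); }
int shuffled_adjacent(void) { struct freelist fl; online_in_order(&fl); shuffle_freelist(&fl); return adjacent_allocations(&fl); }
```

The shuffle only changes which block comes next, not how many blocks exist, so the cost is the one-time permutation at the chosen shuffle order rather than anything on the allocation fast path.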