Subject: Re: [PATCH 10/17] prmem: documentation
To: Kees Cook, Peter Zijlstra
Cc: Mimi Zohar, Matthew Wilcox, Dave Chinner, James Morris, Michal Hocko, Kernel Hardening, linux-integrity, linux-security-module, Igor Stoppa, Dave Hansen, Jonathan Corbet, Laura Abbott, Randy Dunlap, Mike Rapoport, "open list:DOCUMENTATION", LKML, Andy Lutomirski, Thomas Gleixner
References: <20181023213504.28905-1-igor.stoppa@huawei.com>
 <20181023213504.28905-11-igor.stoppa@huawei.com>
 <20181026092609.GB3159@worktop.c.hoisthospitality.com>
 <20181028183126.GB744@hirez.programming.kicks-ass.net>
 <40cd77ce-f234-3213-f3cb-0c3137c5e201@gmail.com>
 <20181030152641.GE8177@hirez.programming.kicks-ass.net>
From: Igor Stoppa
Message-ID: <58295796-9bb5-080a-4c4d-47761d0876a9@gmail.com>
Date: Wed, 31 Oct 2018 11:27:00 +0200
X-Mailing-List: linux-kernel@vger.kernel.org

On 30/10/2018 18:37, Kees Cook wrote:
> On Tue, Oct 30, 2018 at 8:26 AM, Peter Zijlstra wrote:
>> I suppose the 'normal' attack goes like:
>>
>> 1) find buffer-overrun / bound check failure
>> 2) use that to write to 'interesting' location
>> 3) that write results in arbitrary code execution
>> 4) win
>>
>> Of course, if the store of 2 is to the current cred structure, and
>> simply sets the effective uid to 0, we can skip 3.
>
> In most cases, yes, gaining root is game over. However, I don't want
> to discount other threat models: some systems have been designed not
> to trust root, so a cred attack doesn't always get an attacker full
> control (e.g. lockdown series, signed modules, encrypted VMs, etc).

Reading these points I see where I was not clear. Maybe I can fix that.

SELinux is a good example of a safeguard against a takeover of root, so
it is a primary target. Unfortunately it contains some state variables
that can be used to disable it.

Another attack that comes to my mind, for executing code within the
kernel without sweating too much with ROP, is the following:

1) find the rabbit hole to write kernel data, whatever it might be
2) spray the keyring with own key
3) use the module loading infrastructure to load own module, signed with
   the key at point 2)

Just to say that direct arbitrary code execution is becoming harder to
perform, but there are ways around it which rely more on overwriting
unprotected data. They are lower-hanging fruit for an attacker.

--
igor