Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp4313368yba;
        Wed, 17 Apr 2019 08:56:59 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzhQeWS0aCAEevTlC2kebplTl0oarGukfIxPMTMCc97N/KLpapKymbqCYPjwaY6niosR0Gm
X-Received: by 2002:a63:df12:: with SMTP id u18mr84063822pgg.135.1555516619360;
        Wed, 17 Apr 2019 08:56:59 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1555516619; cv=none;
        d=google.com; s=arc-20160816;
        b=ncZbvl/6V9eCGozpPJ2CyjlsQDljznjXIIHkJjgohOqAXw+j4eyGGn9CFmv6iM5IPV
         V0mVckBnueeJtxooiBdF7jZqV81BL+YXW5/3Ig88mYMWfUsPHEAhL/eLHYPHpJkb6NIi
         COAxZD9d6o3y9jA7rccY26TDE0Gd0zNpL51H5q7PWXTQ4C/1bUHfEbZQYjMHPiZ1Jvhc
         /YVgXZ5l6zB5s9Yh61pNaKT0tI8hKc8ewIQXjSVhntDw60YuZOpZaF2RldVcZrb29el5
         hkWzw2/Ubc+Dy1Y4YZG4TVcYy9hWi9iOINzb2j5UvnpmppbBCcP8jCODzsYGk2EFHyx0
         jS4Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :content-language:accept-language:in-reply-to:references:message-id
         :date:thread-index:thread-topic:subject:cc:to:from;
        bh=oW1o/KMCEN8yUBI977/c7UNRAYxKN3PKrP5AiKIMS+Y=;
        b=qrMOcRmI8yJDuVd3BdSdbxUFvyt/ZV14DLvh8B07JsCnTmXKRTXPoY6ghUK202mPmZ
         /pRZgupU8djUFyyF7YC1EflPcnqTBThqWC2H58amPNdZvcE0JvgMMy8KYsHBQUgn1OiN
         kzpCf0OrbjvEmE/hL/qwIYhXXDIDDAoMwSi66dXf8KGb+78aJ/gptcaIxDCLhaTUD7Tl
         WWKq47fK0SQVtOuTw6lonV5/14h0IzrTM1cW3US+01HeOmhCB4cBNTm4acLEW2QFUWRh
         M+jeNPUlvqjNkkBPoqVPanRxb0AgX0Oc1w+mL9+KHxLtlj7pMxYjOb1eC4wQ7rb4zZEi
         7rQg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id g4si31769357plb.168.2019.04.17.08.56.43;
        Wed, 17 Apr 2019 08:56:59 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1732787AbfDQPzd convert rfc822-to-8bit (ORCPT
        <rfc822;linux.htchiang@gmail.com> + 99 others);
        Wed, 17 Apr 2019 11:55:33 -0400
Received: from eu-smtp-delivery-151.mimecast.com ([146.101.78.151]:40205 "EHLO
        eu-smtp-delivery-151.mimecast.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1731454AbfDQPzd (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 17 Apr 2019 11:55:33 -0400
Received: from AcuMS.aculab.com (156.67.243.126 [156.67.243.126]) (Using
 TLS) by relay.mimecast.com with ESMTP id
 uk-mta-43-4U1-6HfcPGaTLGSoAXGjSw-1; Wed, 17 Apr 2019 16:55:07 +0100
Received: from AcuMS.Aculab.com (fd9f:af1c:a25b::d117) by AcuMS.aculab.com
 (fd9f:af1c:a25b::d117) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Wed,
 17 Apr 2019 16:53:36 +0100
Received: from AcuMS.Aculab.com ([fe80::43c:695e:880f:8750]) by
 AcuMS.aculab.com ([fe80::43c:695e:880f:8750%12]) with mapi id 15.00.1347.000;
 Wed, 17 Apr 2019 16:53:36 +0100
From:   David Laight <David.Laight@ACULAB.COM>
To:     'Theodore Ts'o' <tytso@mit.edu>
CC:     "'Reshetova, Elena'" <elena.reshetova@intel.com>,
        'Peter Zijlstra' <peterz@infradead.org>,
        Ingo Molnar <mingo@kernel.org>,
        Daniel Borkmann <daniel@iogearbox.net>,
        "luto@kernel.org" <luto@kernel.org>,
        "luto@amacapital.net" <luto@amacapital.net>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "jpoimboe@redhat.com" <jpoimboe@redhat.com>,
        "keescook@chromium.org" <keescook@chromium.org>,
        "jannh@google.com" <jannh@google.com>,
        "Perla, Enrico" <enrico.perla@intel.com>,
        "mingo@redhat.com" <mingo@redhat.com>,
        "bp@alien8.de" <bp@alien8.de>,
        "tglx@linutronix.de" <tglx@linutronix.de>,
        "gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>
Subject: RE: [PATCH] x86/entry/64: randomize kernel stack offset upon syscall
Thread-Topic: [PATCH] x86/entry/64: randomize kernel stack offset upon syscall
Thread-Index: AQHU9E1UquBTkhVACE2y3BuRFoekIqY8wW2AgAAdM1CAAXexAIAANZ3ggAAW1gCAAApRgIAAMeKAgAAd+PCAARJkYIAAWDaAgAAZlPA=
Date:   Wed, 17 Apr 2019 15:53:36 +0000
Message-ID: <99e045427125403ba2b90c2707d74e02@AcuMS.aculab.com>
References: <20190415060918.3766-1-elena.reshetova@intel.com>
 <20190415072535.GA51449@gmail.com>
 <2236FBA76BA1254E88B949DDB74E612BA4C4F90F@IRSMSX102.ger.corp.intel.com>
 <20190416073444.GC127769@gmail.com>
 <2236FBA76BA1254E88B949DDB74E612BA4C51962@IRSMSX102.ger.corp.intel.com>
 <20190416120822.GV11158@hirez.programming.kicks-ass.net>
 <01914abbfc1a4053897d8d87a63e3411@AcuMS.aculab.com>
 <20190416154348.GB3004@mit.edu>
 <2236FBA76BA1254E88B949DDB74E612BA4C52338@IRSMSX102.ger.corp.intel.com>
 <9cf586757eb44f2c8f167abf078da921@AcuMS.aculab.com>
 <20190417151555.GG4686@mit.edu>
In-Reply-To: <20190417151555.GG4686@mit.edu>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.202.205.107]
MIME-Version: 1.0
X-MC-Unique: 4U1-6HfcPGaTLGSoAXGjSw-1
X-Mimecast-Spam-Score: 0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8BIT
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Theodore Ts'o
> Sent: 17 April 2019 16:16
> On Wed, Apr 17, 2019 at 09:28:35AM +0000, David Laight wrote:
> >
> > If you can guarantee back to back requests on the PRNG then it is probably
> > possible to recalculate its state from 'bits of state'/5 calls.
> > Depend on the PRNG this might be computationally expensive.
> > For some PRNG it will be absolutely trivial.
> > ...
> > Stirring in a little bit of entropy doesn't help much either.
> > The entropy bits are effectively initial state bits.
> > Add 4 in with each request and 128 outputs gives 640 linear
> > equations in the (128 + 4 * 128) unknowns - still solvable.
> 
> This is basically a scenario where the attacker has already taken
> control of Ring 3 execution and the question is how hard is it for
> them to perform privilege escalation attack to ring 0, right?

Or extract information that should only be known by ring 0.
I fairly sure many of the side-channel attacks not only require
ring 3 access, but also the ability to request ring 0 repeatedly
perform a specific action on an otherwise idle system.

> I'm sure the security folks will think I'm defeatist, but my personal rule
> of thumb is if the attacker has ring 3 control, you've already lost
> --- I figure there are so many zero days that getting ring 0 control
> is a foregone conclusion.  :-(
> 
> So that basically means if we want to protect against this, we're
> going to do something which involves Real Crypto (tm).  Whether that's
> RDRAND, or using Chacha20, etc., or something that has some attack
> resistance, such as "half MD5", etc., but emminently crackable by
> brute force, is essentially a overhead vs. security argument, and what
> it is we are willing to pay.

Some of these 'random' values have a short lifetime - and would need
to be cracked quickly to be of any use.

I suspect that combining the output three linear generators with
addition not xor would make it computationally much harder to
reverse.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)