Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp124117yba; Thu, 25 Apr 2019 19:28:51 -0700 (PDT) X-Google-Smtp-Source: APXvYqwbiuTBD6RlyoPL7Jr2S9EIhf4qRKzNiuk2c7b9Ii7J8jT5FAsQe+zJaTFubmWtWJ/bW1zB X-Received: by 2002:a17:902:8545:: with SMTP id d5mr7957559plo.198.1556245731456; Thu, 25 Apr 2019 19:28:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1556245731; cv=none; d=google.com; s=arc-20160816; b=e6ZJoSZmuVX1ZMifBhTd+trF9cBuG2gbsdvJzVcaJ3CYE5Qw4DA6/GhSXffh39p9j9 OtDNYozcIkwuzYzfxKAXJTaaeqFjW8Azng8N+UckNfkTKxzoHVsw1ou3ZCgegJDusSLB 6C8htyRTBX/fwZl+AC/6x4a3rTmvbALU0XZqOq3fsVGaHFBVBJPoMit1q1qFBfEoWK9a Walt/3uxRdcgVwLZlq/hKwX/oxilHihKAqfZafhvB1Lc2zGkgnIIn63UXyhoJNjis2Ct L9dOj3Km0f9Yq/R95Mzq7QRpXbsln9qRZku5hlXud0jaXzd4CVVl4aZG8M+WCyTKnJt7 L/Cw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=112d0Xs8rSgYB+ol4sBKoXelDAYKs2aw8MYQMbZsz4M=; b=oJZqoR5DDucQhCE6mijqlsm82zKwRwtO4chDBqS7vtXB+9FEU/ElXFL3dfVc+ZJIjA +yZGkqCO5bsH5Sw0nVsDgLo09StRJSLul2ubYnCjz+PpIjAPTDAtrY6mh8nLdrQgnPwN oDo+y+qCHmjBb/0Fk4bvY75ZwM4Cum6oqBrwNjoqdWRAndIE8vQaeHmcGnTyYO/kcOP8 itM7eM2ebf8LDI/TklyKMLwI1KSrachSIWKM57YWo6Q1jNUU5EcGEwe3mckj581E4GCN m2TDgtkoGBK0qIH4gcDqwAJ993Kv2bqd/r/7ONOsHkab/Vbbr2rWmNL4ORF7yNWD1Kzj 9j5Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=XPVgj3+q; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b1si22896718pgd.110.2019.04.25.19.28.32; Thu, 25 Apr 2019 19:28:51 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=XPVgj3+q; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728815AbfDZAa2 (ORCPT + 99 others); Thu, 25 Apr 2019 20:30:28 -0400 Received: from mail.kernel.org ([198.145.29.99]:39080 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727509AbfDZAa2 (ORCPT ); Thu, 25 Apr 2019 20:30:28 -0400 Received: from mail-wr1-f48.google.com (mail-wr1-f48.google.com [209.85.221.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id BCF9B21537 for ; Fri, 26 Apr 2019 00:30:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1556238627; bh=ZsIbUeLOxUI7bxZ1I5VzBXBiV9Win2BFl2iIJvXToNg=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=XPVgj3+qb+Ykb0MjNHKhNcV3Yo9b7Oh8+K4gAy33Im/oRgNOCSVgtwla7/2VYGvA7 7XZU2rkWj1/g4+Ifz2JGp6nZfJbSva/pRSNhUX4xbErQ3YzyJ3apIdcwE6dO7TFu04 GHSqHZvCo/ZbCqBSb7qZRx7OySOrA0h4CSc5WPc0= Received: by mail-wr1-f48.google.com with SMTP id s18so1930148wrp.0 for ; Thu, 25 Apr 2019 17:30:26 -0700 (PDT) X-Gm-Message-State: APjAAAXtlgN1pQ1XVAJ71VKHrcOFBYu0FwqVrXbHSc/3Ui+hAERJzupi BlMzjkHbiCPq+QzadXOx+lovmMM+R9eiHiUeBoGwKg== X-Received: by 2002:a5d:63c7:: with SMTP id c7mr12902589wrw.199.1556238625152; Thu, 25 Apr 2019 17:30:25 -0700 (PDT) MIME-Version: 1.0 References: <1556228754-12996-1-git-send-email-rppt@linux.ibm.com> In-Reply-To: <1556228754-12996-1-git-send-email-rppt@linux.ibm.com> From: Andy Lutomirski Date: Thu, 25 Apr 2019 17:30:13 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [RFC PATCH 0/7] x86: introduce system calls addess space isolation To: Mike Rapoport Cc: LKML , Alexandre Chartre , Andy Lutomirski , Borislav Petkov , Dave Hansen , "H. Peter Anvin" , Ingo Molnar , James Bottomley , Jonathan Adams , Kees Cook , Paul Turner , Peter Zijlstra , Thomas Gleixner , Linux-MM , LSM List , X86 ML Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Apr 25, 2019 at 2:46 PM Mike Rapoport wrote: > > Hi, > > Address space isolation has been used to protect the kernel from the > userspace and userspace programs from each other since the invention of the > virtual memory. > > Assuming that kernel bugs and therefore vulnerabilities are inevitable it > might be worth isolating parts of the kernel to minimize damage that these > vulnerabilities can cause. > > The idea here is to allow an untrusted user access to a potentially > vulnerable kernel in such a way that any kernel vulnerability they find to > exploit is either prevented or the consequences confined to their isolated > address space such that the compromise attempt has minimal impact on other > tenants or the protected structures of the monolithic kernel. Although we > hope to prevent many classes of attack, the first target we're looking at > is ROP gadget protection. > > These patches implement a "system call isolation (SCI)" mechanism that > allows running system calls in an isolated address space with reduced page > tables to prevent ROP attacks. > > ROP attacks involve corrupting the stack return address to repoint it to a > segment of code you know exists in the kernel that can be used to perform > the action you need to exploit the system. > > The idea behind the prevention is that if we fault in pages in the > execution path, we can compare target address against the kernel symbol > table. So if we're in a function, we allow local jumps (and simply falling > of the end of a page) but if we're jumping to a new function it must be to > an external label in the symbol table. That's quite an assumption. The entry code at least uses .L labels. Do you get that right? As far as I can see, most of what's going on here has very little to do with jumps and calls. The benefit seems to come from making sure that the RET instruction actually goes somewhere that's already been faulted in. Am I understanding right? --Andy