Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp124117yba;
        Thu, 25 Apr 2019 19:28:51 -0700 (PDT)
X-Google-Smtp-Source: APXvYqwbiuTBD6RlyoPL7Jr2S9EIhf4qRKzNiuk2c7b9Ii7J8jT5FAsQe+zJaTFubmWtWJ/bW1zB
X-Received: by 2002:a17:902:8545:: with SMTP id d5mr7957559plo.198.1556245731456;
        Thu, 25 Apr 2019 19:28:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1556245731; cv=none;
        d=google.com; s=arc-20160816;
        b=e6ZJoSZmuVX1ZMifBhTd+trF9cBuG2gbsdvJzVcaJ3CYE5Qw4DA6/GhSXffh39p9j9
         OtDNYozcIkwuzYzfxKAXJTaaeqFjW8Azng8N+UckNfkTKxzoHVsw1ou3ZCgegJDusSLB
         6C8htyRTBX/fwZl+AC/6x4a3rTmvbALU0XZqOq3fsVGaHFBVBJPoMit1q1qFBfEoWK9a
         Walt/3uxRdcgVwLZlq/hKwX/oxilHihKAqfZafhvB1Lc2zGkgnIIn63UXyhoJNjis2Ct
         L9dOj3Km0f9Yq/R95Mzq7QRpXbsln9qRZku5hlXud0jaXzd4CVVl4aZG8M+WCyTKnJt7
         L/Cw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=112d0Xs8rSgYB+ol4sBKoXelDAYKs2aw8MYQMbZsz4M=;
        b=oJZqoR5DDucQhCE6mijqlsm82zKwRwtO4chDBqS7vtXB+9FEU/ElXFL3dfVc+ZJIjA
         +yZGkqCO5bsH5Sw0nVsDgLo09StRJSLul2ubYnCjz+PpIjAPTDAtrY6mh8nLdrQgnPwN
         oDo+y+qCHmjBb/0Fk4bvY75ZwM4Cum6oqBrwNjoqdWRAndIE8vQaeHmcGnTyYO/kcOP8
         itM7eM2ebf8LDI/TklyKMLwI1KSrachSIWKM57YWo6Q1jNUU5EcGEwe3mckj581E4GCN
         m2TDgtkoGBK0qIH4gcDqwAJ993Kv2bqd/r/7ONOsHkab/Vbbr2rWmNL4ORF7yNWD1Kzj
         9j5Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=XPVgj3+q;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id b1si22896718pgd.110.2019.04.25.19.28.32;
        Thu, 25 Apr 2019 19:28:51 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=XPVgj3+q;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728815AbfDZAa2 (ORCPT <rfc822;jaysonjohndmello@gmail.com>
        + 99 others); Thu, 25 Apr 2019 20:30:28 -0400
Received: from mail.kernel.org ([198.145.29.99]:39080 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1727509AbfDZAa2 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 25 Apr 2019 20:30:28 -0400
Received: from mail-wr1-f48.google.com (mail-wr1-f48.google.com [209.85.221.48])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id BCF9B21537
        for <linux-kernel@vger.kernel.org>; Fri, 26 Apr 2019 00:30:26 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1556238627;
        bh=ZsIbUeLOxUI7bxZ1I5VzBXBiV9Win2BFl2iIJvXToNg=;
        h=References:In-Reply-To:From:Date:Subject:To:Cc:From;
        b=XPVgj3+qb+Ykb0MjNHKhNcV3Yo9b7Oh8+K4gAy33Im/oRgNOCSVgtwla7/2VYGvA7
         7XZU2rkWj1/g4+Ifz2JGp6nZfJbSva/pRSNhUX4xbErQ3YzyJ3apIdcwE6dO7TFu04
         GHSqHZvCo/ZbCqBSb7qZRx7OySOrA0h4CSc5WPc0=
Received: by mail-wr1-f48.google.com with SMTP id s18so1930148wrp.0
        for <linux-kernel@vger.kernel.org>; Thu, 25 Apr 2019 17:30:26 -0700 (PDT)
X-Gm-Message-State: APjAAAXtlgN1pQ1XVAJ71VKHrcOFBYu0FwqVrXbHSc/3Ui+hAERJzupi
        BlMzjkHbiCPq+QzadXOx+lovmMM+R9eiHiUeBoGwKg==
X-Received: by 2002:a5d:63c7:: with SMTP id c7mr12902589wrw.199.1556238625152;
 Thu, 25 Apr 2019 17:30:25 -0700 (PDT)
MIME-Version: 1.0
References: <1556228754-12996-1-git-send-email-rppt@linux.ibm.com>
In-Reply-To: <1556228754-12996-1-git-send-email-rppt@linux.ibm.com>
From:   Andy Lutomirski <luto@kernel.org>
Date:   Thu, 25 Apr 2019 17:30:13 -0700
X-Gmail-Original-Message-ID: <CALCETrWkYYh=L1nSO7GYt0FvMhjCcEaQiM2JEi3FfkJbYJFh2g@mail.gmail.com>
Message-ID: <CALCETrWkYYh=L1nSO7GYt0FvMhjCcEaQiM2JEi3FfkJbYJFh2g@mail.gmail.com>
Subject: Re: [RFC PATCH 0/7] x86: introduce system calls addess space isolation
To:     Mike Rapoport <rppt@linux.ibm.com>
Cc:     LKML <linux-kernel@vger.kernel.org>,
        Alexandre Chartre <alexandre.chartre@oracle.com>,
        Andy Lutomirski <luto@kernel.org>,
        Borislav Petkov <bp@alien8.de>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        "H. Peter Anvin" <hpa@zytor.com>, Ingo Molnar <mingo@redhat.com>,
        James Bottomley <James.Bottomley@hansenpartnership.com>,
        Jonathan Adams <jwadams@google.com>,
        Kees Cook <keescook@chromium.org>,
        Paul Turner <pjt@google.com>,
        Peter Zijlstra <peterz@infradead.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Linux-MM <linux-mm@kvack.org>,
        LSM List <linux-security-module@vger.kernel.org>,
        X86 ML <x86@kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Apr 25, 2019 at 2:46 PM Mike Rapoport <rppt@linux.ibm.com> wrote:
>
> Hi,
>
> Address space isolation has been used to protect the kernel from the
> userspace and userspace programs from each other since the invention of the
> virtual memory.
>
> Assuming that kernel bugs and therefore vulnerabilities are inevitable it
> might be worth isolating parts of the kernel to minimize damage that these
> vulnerabilities can cause.
>
> The idea here is to allow an untrusted user access to a potentially
> vulnerable kernel in such a way that any kernel vulnerability they find to
> exploit is either prevented or the consequences confined to their isolated
> address space such that the compromise attempt has minimal impact on other
> tenants or the protected structures of the monolithic kernel.  Although we
> hope to prevent many classes of attack, the first target we're looking at
> is ROP gadget protection.
>
> These patches implement a "system call isolation (SCI)" mechanism that
> allows running system calls in an isolated address space with reduced page
> tables to prevent ROP attacks.
>
> ROP attacks involve corrupting the stack return address to repoint it to a
> segment of code you know exists in the kernel that can be used to perform
> the action you need to exploit the system.
>
> The idea behind the prevention is that if we fault in pages in the
> execution path, we can compare target address against the kernel symbol
> table.  So if we're in a function, we allow local jumps (and simply falling
> of the end of a page) but if we're jumping to a new function it must be to
> an external label in the symbol table.

That's quite an assumption.  The entry code at least uses .L labels.
Do you get that right?

As far as I can see, most of what's going on here has very little to
do with jumps and calls.  The benefit seems to come from making sure
that the RET instruction actually goes somewhere that's already been
faulted in.  Am I understanding right?

--Andy