Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp927677yba; Fri, 26 Apr 2019 11:04:15 -0700 (PDT) X-Google-Smtp-Source: APXvYqwwG5CSpUOkQdMy9bpQVRL71slr2TFpBu2w6WPy8txwKceowoZrG9BZEj4wfCCiYBZLltuB X-Received: by 2002:a17:902:bc83:: with SMTP id bb3mr2449265plb.303.1556301855662; Fri, 26 Apr 2019 11:04:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1556301855; cv=none; d=google.com; s=arc-20160816; b=g1XWh2RneFfD6yBMABoKH7Wrj9AW65K1vJBR37bYCNjAoJCrqnhaN29LLvyNnGoRWa bT1eM6HbYLoeVCb0A1osKf3xRWgoaxlLCHV3WRFRTnaAQuUzHsL9YpYlOmm2VPAdL5K+ okleB3C9AqBAh6M7WyEesTocUucJg3lQeQd6eCt336Mrz2PdOTaxUm8JaITxyxVzW9CQ leU4sZ8Cq+rHXJ2jXBPL7FBAO4izt+nQ9taHBX822iNfrGbzaQbnH2c2b7fVj5ouq5Tg NyxjSGLIZD9tDR34nJ8/3Q5T5OwvENQ26HddWc2kwqwLKn8k5UDJPEO13XJ6ajGRlo1r GpZg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:in-reply-to:references:subject :message-id:date:mime-version:from:content-transfer-encoding :dkim-signature; bh=uf9+Gc4IGjm5bXfQmbt+aGr/dzzLVRS2xZVZ9HE9m58=; b=jo1yvOcfyMzDXd/Aow1DnwTM2Pf9kI/O9The58SJdmG+DXghXw5upNQcbpdMM4YEZv vhuUnNtjwInFvb+3SvNi/YfMBBaVqIaYYQ7DItFqH8yHI08DXeV1/dz0IoJWYSuNcZAw GxvbfMJR9YlHo5C9eh4rd2KLId9g092cERBE6ufXbsHznLYHVpMx7KXiJUynBu6mONYK p8ItyEFe7w9USpX+2tdN96wq47f4FebjqX9muhIWVIqOJZezv/BAvPPSX9UcipBpCs45 p/cTJxh+1aUUr0cbKCcPJk1MwKiLlfp9NpvBEtTsvGe74xEE9xB+IrHDiFm+YP/SAlk3 KCCQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b="LO2yBP/4"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b15si27294402pfb.231.2019.04.26.11.04.00; Fri, 26 Apr 2019 11:04:15 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b="LO2yBP/4"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726193AbfDZSCz (ORCPT + 99 others); Fri, 26 Apr 2019 14:02:55 -0400 Received: from mail-pf1-f194.google.com ([209.85.210.194]:39525 "EHLO mail-pf1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726049AbfDZSCz (ORCPT ); Fri, 26 Apr 2019 14:02:55 -0400 Received: by mail-pf1-f194.google.com with SMTP id i17so2091012pfo.6 for ; Fri, 26 Apr 2019 11:02:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amacapital-net.20150623.gappssmtp.com; s=20150623; h=content-transfer-encoding:from:mime-version:date:message-id:subject :references:in-reply-to:to:cc; bh=uf9+Gc4IGjm5bXfQmbt+aGr/dzzLVRS2xZVZ9HE9m58=; b=LO2yBP/43Gaxq2G427F4quiP0FFiCIk+EbiXVQe5DTb0hxctE2AttHWb6tWuexLs3L ZkgG1bwlvK7lyTAodQcHTtnOIHnbCFp9kz0q5A0+btCGRUTPSe0ZDv/yUcUGoaI4Rnlk POZD7BlXQwFPt1fFpDSqeXtHETEWLhggiXmUS7fRcPEHbEKMnALPeB2xOwiFoJBB6XqV doRFYnnnMI40ZmQb8mE1Lgw+qjcbkk2g59wZvyeOR7s+5xpjLqhxr0BhfZT+vtLzmeT2 pNJbsy6DDny9FxIJnnFyBwYu1AkprSd5oSgpU/8x9kx6LPOL9cmTqq+QBhTSJsDQVwa+ NiJQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version:date :message-id:subject:references:in-reply-to:to:cc; bh=uf9+Gc4IGjm5bXfQmbt+aGr/dzzLVRS2xZVZ9HE9m58=; b=CElRMXMZxYE0a9X6cK3f0i1iUAOcNoVH7phrrNZ1SUbkLiML6fmkfp8vJcbOfDp91O PWl8ypj1P6N+xcteOGIZDcS3VR2jEdfwmvk0iR8Ba3FnWzxH0/Ej5IO7DySfn1KJmMCl q4N0n4p+yCLLNTXJBQlVFJu8JwQWs+LQOykScxqNM9QezxOuACNTJo2qpzws4M3N2nAn PyNT0JtvhCFA7ePVLGuGGoewiuz+iV2xKqFIZotkRoS1I4BQ74w4PeYVKmD5kw/dx/bl mQPGJLfvNrMI8nhzSvBCiYWNjXb3sH5bdjVbZQwQ+TONITVZWG/pc3Nq5bmuhvm8kE5k njcQ== X-Gm-Message-State: APjAAAUTryxBY997erNbfL824+McOB+KSv6lMtiwBcrCwQe/901HQwYi mJW7ETeT6V4XIZUm9zdMdhKUVA== X-Received: by 2002:a62:e213:: with SMTP id a19mr46999249pfi.85.1556301774455; Fri, 26 Apr 2019 11:02:54 -0700 (PDT) Received: from ?IPv6:2601:647:5803:15b9:2926:d41b:33e7:d8df? ([2601:647:5803:15b9:2926:d41b:33e7:d8df]) by smtp.gmail.com with ESMTPSA id f8sm8533429pfk.88.2019.04.26.11.02.53 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 26 Apr 2019 11:02:53 -0700 (PDT) Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable From: Andy Lutomirski Mime-Version: 1.0 (1.0) Date: Fri, 26 Apr 2019 10:40:18 -0700 Message-Id: <8E695557-1CD2-431A-99CC-49A4E8247BAE@amacapital.net> Subject: Re: [RFC PATCH 2/7] x86/sci: add core implementation for system call isolation References: <1556228754-12996-1-git-send-email-rppt@linux.ibm.com> <1556228754-12996-3-git-send-email-rppt@linux.ibm.com> <627d9321-466f-c4ed-c658-6b8567648dc6@intel.com> <1556290658.2833.28.camel@HansenPartnership.com> <54090243-E4C7-4C66-8025-AFE0DF5DF337@amacapital.net> <1556291961.2833.42.camel@HansenPartnership.com> In-Reply-To: <1556291961.2833.42.camel@HansenPartnership.com> To: James Bottomley Cc: Dave Hansen , Mike Rapoport , linux-kernel@vger.kernel.org, Alexandre Chartre , Andy Lutomirski , Borislav Petkov , Dave Hansen , "H. Peter Anvin" , Ingo Molnar , Jonathan Adams , Kees Cook , Paul Turner , Peter Zijlstra , Thomas Gleixner , linux-mm@kvack.org, linux-security-module@vger.kernel.org, x86@kernel.org X-Mailer: iPhone Mail (16E227) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > On Apr 26, 2019, at 8:19 AM, James Bottomley wrote: >=20 > On Fri, 2019-04-26 at 08:07 -0700, Andy Lutomirski wrote: >>> On Apr 26, 2019, at 7:57 AM, James Bottomley >> npartnership.com> wrote: >>>=20 >>>>> On Fri, 2019-04-26 at 07:46 -0700, Dave Hansen wrote: >>>>> On 4/25/19 2:45 PM, Mike Rapoport wrote: >>>>> After the isolated system call finishes, the mappings created >>>>> during its execution are cleared. >>>>=20 >>>> Yikes. I guess that stops someone from calling write() a bunch >>>> of times on every filesystem using every block device driver and >>>> all the DM code to get a lot of code/data faulted in. But, it >>>> also means not even long-running processes will ever have a >>>> chance of behaving anything close to normally. >>>>=20 >>>> Is this something you think can be rectified or is there >>>> something fundamental that would keep SCI page tables from being >>>> cached across different invocations of the same syscall? >>>=20 >>> There is some work being done to look at pre-populating the >>> isolated address space with the expected execution footprint of the >>> system call, yes. It lessens the ROP gadget protection slightly >>> because you might find a gadget in the pre-populated code, but it >>> solves a lot of the overhead problem. >>=20 >> I=E2=80=99m not even remotely a ROP expert, but: what stops a ROP payload= >> from using all the =E2=80=9Cfault-in=E2=80=9D gadgets that exist =E2=80=94= any function that >> can return on an error without doing to much will fault in the whole >> page containing the function. >=20 > The address space pre-population is still per syscall, so you don't get > access to the code footprint of a different syscall. So the isolated > address space is created anew for every system call, it's just pre- > populated with that system call's expected footprint. That=E2=80=99s not what I mean. Suppose I want to use a ROP gadget in vmallo= c(), but vmalloc isn=E2=80=99t in the page tables. Then first push vmalloc i= tself into the stack. As long as RDI contains a sufficiently ridiculous valu= e, it should just return without doing anything. And it can return right bac= k into the ROP gadget, which is now available. >=20 >> To improve this, we would want some thing that would try to check >> whether the caller is actually supposed to call the callee, which is >> more or less the hard part of CFI. So can=E2=80=99t we just do CFI and c= all >> it a day? >=20 > By CFI you mean control flow integrity? In theory I believe so, yes, > but in practice doesn't it require a lot of semantic object information > which is easy to get from higher level languages like java but a bit > more difficult for plain C. Yes. As I understand it, grsecurity instruments gcc to create some kind of h= ash of all function signatures. Then any indirect call can effectively verif= y that it=E2=80=99s calling a function of the right type. And every return v= erified a cookie. On CET CPUs, RET gets checked directly, and I don=E2=80=99t see the benefit o= f SCI. >=20 >> On top of that, a robust, maintainable implementation of this thing >> seems very complicated =E2=80=94 for example, what happens if vfree() get= s >> called? >=20 > Address space Local vs global object tracking is another thing on our > list. What we'd probably do is verify the global object was allowed to > be freed and then hand it off safely to the main kernel address space. >=20 >=20 This seems exceedingly complicated.=