Received: by 2002:a05:6a10:17d3:0:0:0:0 with SMTP id hz19csp2622665pxb; Mon, 19 Apr 2021 09:47:47 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyCU9o2GHRmByi9kPl/KYRyKQQv0J86ep4j8bDJSqs4FpqlxZlT5jS/6s/y6O9MgxL09XRM X-Received: by 2002:a17:906:5052:: with SMTP id e18mr22858069ejk.112.1618850866883; Mon, 19 Apr 2021 09:47:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1618850866; cv=none; d=google.com; s=arc-20160816; b=ED+zBnZNELqgI9czVbYL5R5HCjkJXT5Iez1ioUAqxX4GR6Nh31xnWB6u/UdpNUcWSl PxZlo20t358vT5hU4hJ3fhRFWwuXv3C9Tg6+oDdAIpo5fj3rWf18UhAQMgV+gPce76MD oV68gvNNh70L4A1Mx7IQtZAKNEFZW0jBVCy0mL8wJe7+UyxyoajRN7gHegJLs2alk3KK 312HT3wl3cAwHcQc/UFJfFxOQxsesD495q1FBExfU50lG/HELU7VuT8tSySSBzWNBNB8 5Tkfqzq9iE6c4qd2TtO29Z6xqlnqXncCSMNU13iN5wE9X9ITOSN6fcDB3kICVjZc1yhf +HsA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-language:content-transfer-encoding :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=0kc/By8dYZorGbyayG8g3cDXIgd8qQAI/6RS9+GKtPs=; b=R3WfKU7RFJgWqTzKI3b+Dhlv8RFVeLFZokWU7XVjBskvfr5xahT6iX2cheh2N6hCbj zwXpT/IgX/wnzgwdOnVi8ih2QFSYvT4iJPb+qdwlEjKPmxOc531QXKkcPCZFhXm2UMLA yJwaeN89sRpYqctHRdjAymNZQqK6ZVn3GfIWvznMygZCf9/F2a1Ka8W8wkvGh7kGiaYX MCdJwC8JhWlGSwE1gcOVSp3jMu4lTt/q0PLhCbXK14I3HfnDDCc/AtRLYnAYNLCAOny1 0hX7ES96F2x8LHF0IdSO/CvBQtEnJyG+ctSyxzkODUaWrgvOlOlp/E4KGdReiCwHoFkA yYfw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id a1si9224036edr.67.2021.04.19.09.47.22; Mon, 19 Apr 2021 09:47:46 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232897AbhDSQpR (ORCPT + 99 others); Mon, 19 Apr 2021 12:45:17 -0400 Received: from relay4-d.mail.gandi.net ([217.70.183.196]:42083 "EHLO relay4-d.mail.gandi.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231888AbhDSQpQ (ORCPT ); Mon, 19 Apr 2021 12:45:16 -0400 X-Originating-IP: 73.37.121.169 Received: from Joaos-MacBook-Pro.local (c-73-37-121-169.hsd1.or.comcast.net [73.37.121.169]) (Authenticated sender: joao@overdrivepizza.com) by relay4-d.mail.gandi.net (Postfix) with ESMTPSA id D6517E000A; Mon, 19 Apr 2021 16:44:39 +0000 (UTC) Subject: Re: [PATCH 05/15] x86: Implement function_nocfi To: Rasmus Villemoes , Kees Cook , Andy Lutomirski Cc: Borislav Petkov , Sami Tolvanen , X86 ML , Josh Poimboeuf , Peter Zijlstra , Nathan Chancellor , Nick Desaulniers , Sedat Dilek , linux-hardening@vger.kernel.org, LKML , clang-built-linux References: <20210416203844.3803177-1-samitolvanen@google.com> <20210416203844.3803177-6-samitolvanen@google.com> <20210416211855.GD22348@zn.tnic> <20210416220251.GE22348@zn.tnic> <202104161519.1D37B6D26@keescook> <2812c98b-3b5a-7be5-9fd9-2a6260406a45@rasmusvillemoes.dk> From: Joao Moreira Message-ID: Date: Mon, 19 Apr 2021 09:45:48 -0700 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:78.0) Gecko/20100101 Thunderbird/78.8.0 MIME-Version: 1.0 In-Reply-To: <2812c98b-3b5a-7be5-9fd9-2a6260406a45@rasmusvillemoes.dk> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit Content-Language: en-US Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > Why not? In particular, I'd really like somebody to answer the question > "why not just store a cookie before each address-taken or > external-linkage function?". > FWIIW, this was done before (at least twice): First with grsecurity/PaX RAP (https://grsecurity.net/rap_faq) then with kCFI (https://www.blackhat.com/docs/asia-17/materials/asia-17-Moreira-Drop-The-Rop-Fine-Grained-Control-Flow-Integrity-For-The-Linux-Kernel-wp.pdf, https://github.com/kcfi/kcfi - which is no longer maintained). At the time I worked on kCFI someone raised a concern regarding this cookie-based design being mutually exclusive to execute-only memories (XOM), what, if XOM is really relevant to someone, should be a valid concern. Since design is being questioned, an x86/CET-specific third design for CFI was recently discussed here: https://www.openwall.com/lists/kernel-hardening/2021/02/11/1 -- I assume that, arch-dependency considered, this should be easier to integrate when compared to clang-cfi. Also, given that it is based on CET, this also has the benefit of constraining mispeculations (which is a nice side-effect). Tks, Joao