LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Andy Lutomirski <luto@amacapital.net>
To: Kees Cook <keescook@chromium.org>
Cc: Yu-cheng Yu <yu-cheng.yu@intel.com>,
	Andy Lutomirski <luto@kernel.org>,
	"H. J. Lu" <hjl.tools@gmail.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	LKML <linux-kernel@vger.kernel.org>,
	linux-doc@vger.kernel.org, Linux-MM <linux-mm@kvack.org>,
	linux-arch <linux-arch@vger.kernel.org>, X86 ML <x86@kernel.org>,
	"H. Peter Anvin" <hpa@zytor.com>, Ingo Molnar <mingo@redhat.com>,
	"Shanbhogue, Vedvyas" <vedvyas.shanbhogue@intel.com>,
	"Ravi V. Shankar" <ravi.v.shankar@intel.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Jonathan Corbet <corbet@lwn.net>, Oleg Nesterov <oleg@redhat.com>,
	Arnd Bergmann <arnd@arndb.de>,
	mike.kravetz@oracle.com, Florian Weimer <fweimer@redhat.com>
Subject: Re: [PATCH 06/10] x86/cet: Add arch_prctl functions for shadow stack
Date: Tue, 19 Jun 2018 10:20:03 -0700	[thread overview]
Message-ID: <0AF8B71E-B6CC-42DE-B95C-93896196C3D7@amacapital.net> (raw)
In-Reply-To: <CAGXu5jJ4ivrvi-kG0iY=4C0mQQXBDXwPdfY36Dk+JqOpX19n0w@mail.gmail.com>



> On Jun 19, 2018, at 10:07 AM, Kees Cook <keescook@chromium.org> wrote:
> 
>> On Tue, Jun 19, 2018 at 9:59 AM, Yu-cheng Yu <yu-cheng.yu@intel.com> wrote:
>>> On Tue, 2018-06-19 at 09:44 -0700, Kees Cook wrote:
>>> On Tue, Jun 19, 2018 at 7:50 AM, Andy Lutomirski <luto@amacapital.net
>>>> wrote:
>>>> 
>>>>> 
>>>>> On Jun 18, 2018, at 5:52 PM, Kees Cook <keescook@chromium.org>
>>>>> wrote:
>>>>> Following Linus's request for "slow introduction" of new security
>>>>> features, likely the best approach is to default to "relaxed"
>>>>> (with a
>>>>> warning about down-grades), and allow distros/end-users to pick
>>>>> "forced" if they know their libraries are all CET-enabled.
>>>> I still don’t get what “relaxed” is for.  I think the right design
>>>> is:
>>>> 
>>>> Processes start with CET on or off depending on the ELF note, but
>>>> they start with CET unlocked no matter what. They can freely switch
>>>> CET on and off (subject to being clever enough not to crash if they
>>>> turn it on and then return right off the end of the shadow stack)
>>>> until they call ARCH_CET_LOCK.
>>> I'm fine with this. I'd expect modern loaders to just turn on CET and
>>> ARCH_CET_LOCK immediately and be done with it. :P
>> 
>> This is the current implementation.  If the loader has CET in its ELF
>> header, it is executed with CET on.  The loader will turn off CET if
>> the application being loaded does not support it (in the ELF header).
>> The loader calls ARCH_CET_LOCK before passing to the application.  But
>> how do we handle dlopen?
> 
> I thought CET_LOCK would not get set in "relaxed" mode, due to dlopen
> usage, and that would be the WARN case. People without dlopen concerns
> can boot with "enforced" mode? If a system builder knows there are no
> legacy dlopens they build with enforced enabled, etc.

I think we’re getting ahead of ourselves. dlopen() of a non-CET-aware library in a CET process is distinctly non-trivial, especially in a multithreaded process. I think getting it right will require *userspace* support.  It certainly needs ld.so to issue to arch_prctl at a bare minimum. So I see no point to a kernel-supplied “relaxed” mode. I think there may be demand for a ld.so relaxed mode, but it will have nothing to do with boot options.

It’s potentially helpful to add an arch_prctl that turns CET off for all threads, but only if unlocked. It would obviously be one hell of a gadget.

> 
>>>> Ptrace gets new APIs to turn CET on and off and to lock and unlock
>>>> it.  If an attacker finds a “ptrace me and turn off CET” gadget,
>>>> then they might as well just do “ptrace me and write shell code”
>>>> instead. It’s basically the same gadget. Keep in mind that the
>>>> actual sequence of syscalls to do this is incredibly complicated.
>>> Right -- if an attacker can control ptrace of the target, we're way
>>> past CET. The only concern I have, though, is taking advantage of
>>> expected ptracing. For example: browsers tend to have crash handlers
>>> that launch a ptracer. If ptracing disabled CET for all threads, this
>>> won't by safe: an attacker just gains control in two threads, crashes
>>> one to get the ptracer to attach, which disables CET in the other
>>> thread and the attacker continues ROP as normal. As long as the
>>> ptrace
>>> disabling is thread-specific, I think this will be okay.
>> 
>> If ptrace can turn CET on/off and it is thread-specific, do we still
>> need ptrace lock/unlock?

Let me clarify. I don’t think ptrace() should have any automatic effect on CET. I think there should be an explicit way to ask ptrace to twiddle CET, and it should probably apply per thread.

> 
> Does it provide anything beyond what PR_DUMPABLE does?

What do you mean?


> 
> -Kees
> 
> -- 
> Kees Cook
> Pixel Security

  reply	other threads:[~2018-06-19 17:20 UTC|newest]

Thread overview: 98+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-06-07 14:37 [PATCH 00/10] Control Flow Enforcement - Part (3) Yu-cheng Yu
2018-06-07 14:37 ` [PATCH 01/10] x86/cet: User-mode shadow stack support Yu-cheng Yu
2018-06-07 16:37   ` Andy Lutomirski
2018-06-07 17:46     ` Yu-cheng Yu
2018-06-07 17:55       ` Dave Hansen
2018-06-07 18:23       ` Andy Lutomirski
2018-06-12 11:56   ` Balbir Singh
2018-06-12 15:03     ` Yu-cheng Yu
2018-06-07 14:37 ` [PATCH 02/10] x86/cet: Introduce WRUSS instruction Yu-cheng Yu
2018-06-07 16:40   ` Andy Lutomirski
2018-06-07 16:51     ` Yu-cheng Yu
2018-06-07 18:41     ` Peter Zijlstra
2018-06-07 20:31       ` Yu-cheng Yu
2018-06-11  8:17     ` Peter Zijlstra
2018-06-11 15:02       ` Yu-cheng Yu
2018-06-14  1:30   ` Balbir Singh
2018-06-14 14:43     ` Yu-cheng Yu
2018-06-07 14:38 ` [PATCH 03/10] x86/cet: Signal handling for shadow stack Yu-cheng Yu
2018-06-07 18:30   ` Andy Lutomirski
2018-06-07 18:58     ` Florian Weimer
2018-06-07 19:51       ` Yu-cheng Yu
2018-06-07 20:07     ` Cyrill Gorcunov
2018-06-07 20:57       ` Andy Lutomirski
2018-06-08 12:07         ` Cyrill Gorcunov
2018-06-07 20:12     ` Yu-cheng Yu
2018-06-07 20:17       ` Dave Hansen
2018-06-07 14:38 ` [PATCH 04/10] x86/cet: Handle thread " Yu-cheng Yu
2018-06-07 18:21   ` Andy Lutomirski
2018-06-07 19:47     ` Florian Weimer
2018-06-07 20:53       ` Andy Lutomirski
2018-06-08 14:53         ` Florian Weimer
2018-06-08 15:01           ` Andy Lutomirski
2018-06-08 15:50             ` Yu-cheng Yu
2018-06-07 14:38 ` [PATCH 05/10] x86/cet: ELF header parsing of Control Flow Enforcement Yu-cheng Yu
2018-06-07 18:38   ` Andy Lutomirski
2018-06-07 20:40     ` Yu-cheng Yu
2018-06-07 14:38 ` [PATCH 06/10] x86/cet: Add arch_prctl functions for shadow stack Yu-cheng Yu
2018-06-07 18:48   ` Andy Lutomirski
2018-06-07 20:30     ` Yu-cheng Yu
2018-06-07 21:01       ` Andy Lutomirski
2018-06-07 22:02         ` H.J. Lu
2018-06-07 23:01           ` Andy Lutomirski
2018-06-08  4:09             ` H.J. Lu
2018-06-08  4:38               ` Andy Lutomirski
2018-06-08 12:24                 ` H.J. Lu
2018-06-08 14:57                   ` Andy Lutomirski
2018-06-08 15:52                     ` Cyrill Gorcunov
2018-06-08  4:22           ` H.J. Lu
2018-06-08  4:35             ` Andy Lutomirski
2018-06-08 12:17               ` H.J. Lu
2018-06-12 10:03           ` Thomas Gleixner
2018-06-12 11:43             ` H.J. Lu
2018-06-12 16:01               ` Andy Lutomirski
2018-06-12 16:05                 ` H.J. Lu
2018-06-12 16:34                   ` Andy Lutomirski
2018-06-12 16:51                     ` H.J. Lu
2018-06-12 18:59                       ` Thomas Gleixner
2018-06-12 19:34                         ` H.J. Lu
2018-06-18 22:03                           ` Andy Lutomirski
2018-06-19  0:52                             ` Kees Cook
2018-06-19  6:40                               ` Florian Weimer
2018-06-19 14:50                               ` Andy Lutomirski
2018-06-19 16:44                                 ` Kees Cook
2018-06-19 16:59                                   ` Yu-cheng Yu
2018-06-19 17:07                                     ` Kees Cook
2018-06-19 17:20                                       ` Andy Lutomirski [this message]
2018-06-19 20:12                                         ` Kees Cook
2018-06-19 20:47                                           ` Andy Lutomirski
2018-06-19 22:38                                             ` Yu-cheng Yu
2018-06-20  0:50                                               ` Andy Lutomirski
2018-06-21 23:07                                                 ` Yu-cheng Yu
2018-06-07 14:38 ` [PATCH 07/10] mm: Prevent mprotect from changing " Yu-cheng Yu
2018-06-07 14:38 ` [PATCH 08/10] mm: Prevent mremap of " Yu-cheng Yu
2018-06-07 18:48   ` Andy Lutomirski
2018-06-07 20:18     ` Yu-cheng Yu
2018-06-07 14:38 ` [PATCH 09/10] mm: Prevent madvise from changing " Yu-cheng Yu
2018-06-07 20:54   ` Andy Lutomirski
2018-06-07 21:09   ` Nadav Amit
2018-06-07 21:18     ` Yu-cheng Yu
2018-06-07 14:38 ` [PATCH 10/10] mm: Prevent munmap and remap_file_pages of " Yu-cheng Yu
2018-06-07 18:50   ` Andy Lutomirski
2018-06-07 20:15     ` Yu-cheng Yu
2018-06-12 10:56 ` [PATCH 00/10] Control Flow Enforcement - Part (3) Balbir Singh
2018-06-12 15:03   ` Yu-cheng Yu
2018-06-12 16:00     ` Andy Lutomirski
2018-06-12 16:21       ` Yu-cheng Yu
2018-06-12 16:31         ` Andy Lutomirski
2018-06-12 17:24           ` Yu-cheng Yu
2018-06-12 20:15             ` Yu-cheng Yu
2018-06-14  1:07     ` Balbir Singh
2018-06-14 14:56       ` Yu-cheng Yu
2018-06-17  3:16         ` Balbir Singh
2018-06-18 21:44           ` Andy Lutomirski
2018-06-19  8:52             ` Balbir Singh
2018-06-26  2:46 ` Jann Horn
2018-06-26 14:56   ` Yu-cheng Yu
2018-06-26  5:26 ` Andy Lutomirski
2018-06-26 14:56   ` Yu-cheng Yu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=0AF8B71E-B6CC-42DE-B95C-93896196C3D7@amacapital.net \
    --to=luto@amacapital.net \
    --cc=arnd@arndb.de \
    --cc=corbet@lwn.net \
    --cc=dave.hansen@linux.intel.com \
    --cc=fweimer@redhat.com \
    --cc=hjl.tools@gmail.com \
    --cc=hpa@zytor.com \
    --cc=keescook@chromium.org \
    --cc=linux-arch@vger.kernel.org \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=luto@kernel.org \
    --cc=mike.kravetz@oracle.com \
    --cc=mingo@redhat.com \
    --cc=oleg@redhat.com \
    --cc=ravi.v.shankar@intel.com \
    --cc=tglx@linutronix.de \
    --cc=vedvyas.shanbhogue@intel.com \
    --cc=x86@kernel.org \
    --cc=yu-cheng.yu@intel.com \
    --subject='Re: [PATCH 06/10] x86/cet: Add arch_prctl functions for shadow stack' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).