Re: [BUG] perf: bogus correlation of kernel symbols

From: Dan Rosenberg
Date: Mon May 16 2011 - 12:14:26 EST

Next message: Andres Salomon: "Re: [PATCH 07/11] x86, olpc-xo1-sci: Add GPE handler and ebookswitch functionality"
Previous message: Steven Whitehouse: "Re: [PATCH v5 13/21] evm: add evm_inode_post_init call in gfs2"
In reply to: Ingo Molnar: "Re: [BUG] perf: bogus correlation of kernel symbols"
Next in thread: Dan Rosenberg: "Re: [BUG] perf: bogus correlation of kernel symbols"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 2011-05-16 at 17:35 +0200, Ingo Molnar wrote:

> Agreed, it would be a very useful feature.
>
> I'd suggest to implement it along the lines of:
>
> - First check whether grsecurity or PAX has this implemented already via the
> relocation facility - they are pretty good at being paranoid so i'd be
> surprised if they didnt think of this already! :-)
>
> - If not then have a look at CONFIG_RELOCATABLE and to relocate the kernel
> binary intentionally via a hardcoded parameter. Just see whether you can do
> it and whether it works as you expect it. Check /proc/kallsyms changing
> after your patch. Enjoy the kernel still working ;-)
>
> - Then promote it to a boot parameter - this way you'll be able to tell
> whether there's any hidden build-time assumptions about relocation position.
> (there really shouldnt be any given that kexec works just fine - but i'd
> suggest this step just in case.)
>
> - Then promote that hack to be a randomized parameter. Marvel at a different,
> randomized /proc/kallsyms output at every bootup and enjoy the still working
> kernel!
>
> - Then look at all RIP outputs (thanks to your prior efforts they are now
> mostly concentrated in the vprints code!) and reverse apply the random
> offset before it's exported into user-space. wchan, etc. Marvel at the
> constant /proc/kallsyms output, fully knowing that the *real* addresses
> are randomized.
>
> - Please do not forget to transfer perf RIPs and callchains and marvel at the
> well working 'perf top' output.
>
> At that point the feature will be highly useful already IMO. Remaining work
> will be to think through and close down all remaining avenues of RIP leakage.
>
> At this point kptr_restrict will be a lot less relevant - the symbols will
> expose offsets (so it's not totally unhelpful to attackers) but not the real
> absolute addresses.
>
> Unless i'm missing some particularly difficult roadblock, which is possible.
>
> If you try this then please keep us posted at every step above, even if your
> patches are not fully working and useful yet. Maybe some other
> details/ideas/suggestions will arise at that point.
>

Thanks for the detailed response. I will attempt to go down this road,
and will keep people posted with my progress.

-Dan

> Thanks,
>
> Ingo

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andres Salomon: "Re: [PATCH 07/11] x86, olpc-xo1-sci: Add GPE handler and ebookswitch functionality"
Previous message: Steven Whitehouse: "Re: [PATCH v5 13/21] evm: add evm_inode_post_init call in gfs2"
In reply to: Ingo Molnar: "Re: [BUG] perf: bogus correlation of kernel symbols"
Next in thread: Dan Rosenberg: "Re: [BUG] perf: bogus correlation of kernel symbols"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]