Re: [PATCH] doc: self-protection: provide initial details

From: Randy Dunlap
Date: Tue May 17 2016 - 11:32:54 EST

Next message: Michal Hocko: "Re: [PATCH v2 1/1] userfaultfd: don't pin the user memory in userfaultfd_file_create()"
Previous message: jeffrey.lin: "[PATCH] dt-bindings: input: add Raydium I2C touch bindings"
In reply to: Greg KH: "Re: [kernel-hardening] [PATCH] doc: self-protection: provide initial details"
Next in thread: Jonathan Corbet: "Re: [PATCH] doc: self-protection: provide initial details"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 05/16/16 19:27, Kees Cook wrote:
> This document attempts to codify the intent around kernel self-protection
> along with discussion of both existing and desired technologies, with
> attention given to the rationale behind them, and the expectations of
> their usage.
>
> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
> ---
> Documentation/security/self-protection.txt | 261 +++++++++++++++++++++++++++++
> 1 file changed, 261 insertions(+)
> create mode 100644 Documentation/security/self-protection.txt
>
> diff --git a/Documentation/security/self-protection.txt b/Documentation/security/self-protection.txt
> new file mode 100644
> index 000000000000..33ad7183a074
> --- /dev/null
> +++ b/Documentation/security/self-protection.txt
> @@ -0,0 +1,261 @@

[snip]

> +
> +The goals for successful self-protection systems would be to that they

would be that they

> +are effective, on by default, require no opt-in by developers, have no
> +performance impact, do not impede kernel debugging, and have tests. It
> +is uncommon that all these goals can be met, but it is worth explicitly
> +mentioning them, since these aspects need to be explored, dealt with,
> +and/or accepted.
> +
> +
> +
> +What remains are variables that are updated rarely (e.g. GDT). These
> +will need another infrastructure (similar to the temporary exceptions
> +made to kernel code mentioned above) that allow them to spend the rest
> +of their lifetime read-only. (For example, when being updated, only the
> +CPU thread performing the update would be given uninterruptable write

uninterruptible

> +access to the memory.)

(add to spelling.txt ?)

> +
> +

> +
> +
> +To protect against even privileged users, systems may need to either
> +disable module loading entirely (e.g. monolithic kernel builds or
> +modules_disabled sysctl), or provide signed modules (e.g.
> +CONFIG_MODULE_SIG_FORCE, or dm-crypt with LoadPin), to keep from having
> +oot load arbitrary kernel code via the module loader interface.

spell out 'oot'

> +
> +
> +## Preventing Leaks
> +
> +Since the location of sensitive structures are the primary target for

is
or
locations are

> +attacks, it is important to defend against leaks of both kernel memory
> +addresses and kernel memory contents (since they may contain kernel
> +addresses or other sensitive things like canary values).
> +

Nice job.
Reviewed-by: Randy Dunlap <rdunlap@xxxxxxxxxxxxx>

Thanks.

--
~Randy

Next message: Michal Hocko: "Re: [PATCH v2 1/1] userfaultfd: don't pin the user memory in userfaultfd_file_create()"
Previous message: jeffrey.lin: "[PATCH] dt-bindings: input: add Raydium I2C touch bindings"
In reply to: Greg KH: "Re: [kernel-hardening] [PATCH] doc: self-protection: provide initial details"
Next in thread: Jonathan Corbet: "Re: [PATCH] doc: self-protection: provide initial details"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]