Re: [patch] Add basic sanity checks to the syscall execution patch

From: Andi Kleen
Date: Fri Sep 05 2008 - 07:58:23 EST


First as a minor pedantic correction (sorry!): the ro syscall table is not
fully free. It means you cannot use 2MB pages anymore to map it, which costs
you in TLB misses.

> [ It would be nice to have a 'randomize instruction scheduling' option
> for gcc, to make automated attacks that recognize specific instruction
> patterns less reliable. ]

One way to do that today is to feed gcc random data for profile feedback.
But your performance will probably suffer.

> experienced kernel developer could reliably tell it via a kgdb session
> and full access to memory and system symbols that such a silent alarm is
> running on a box. If he cannot do it reliably then there's probably no
> good way for an attacker either.

Game copy protections have been playing similar games for decades. While
I'm sure it was endless fun for both sides afaik the crackers tended to
ultimatively win. And all of these things also make the kernel more
fragile which is not good. Likely a case of "the only way to win is not to play"

I liked Alan's proposal of using hypervisor support for truly ro pages,
although even that is not fully hole proof because of indirect pointers.
But at least it would make it generally harder to inject code.

-Andi

--
ak@xxxxxxxxxxxxxxx
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/