Re: [RFC PATCH v3 1/2] Add support for eXclusive Page Frame Ownership (XPFO)
From: Juerg Haefliger
Date: Tue Nov 15 2016 - 06:18:28 EST
On 11/10/2016 08:24 PM, Kees Cook wrote:
> On Fri, Nov 4, 2016 at 7:45 AM, Juerg Haefliger <juerg.haefliger@xxxxxxx> wrote:
>> This patch adds support for XPFO which protects against 'ret2dir' kernel
>> attacks. The basic idea is to enforce exclusive ownership of page frames
>> by either the kernel or userspace, unless explicitly requested by the
>> kernel. Whenever a page destined for userspace is allocated, it is
>> unmapped from physmap (the kernel's page table). When such a page is
>> reclaimed from userspace, it is mapped back to physmap.
>>
>> Additional fields in the page_ext struct are used for XPFO housekeeping.
>> Specifically two flags to distinguish user vs. kernel pages and to tag
>> unmapped pages and a reference counter to balance kmap/kunmap operations
>> and a lock to serialize access to the XPFO fields.
>>
>> Known issues/limitations:
>> - Only supports x86-64 (for now)
>> - Only supports 4k pages (for now)
>> - There are most likely some legitimate uses cases where the kernel needs
>> to access userspace which need to be made XPFO-aware
>> - Performance penalty
>>
>> Reference paper by the original patch authors:
>> http://www.cs.columbia.edu/~vpk/papers/ret2dir.sec14.pdf
>
> Would it be possible to create an lkdtm test that can exercise this protection?
I'll look into it.
>> diff --git a/security/Kconfig b/security/Kconfig
>> index 118f4549404e..4502e15c8419 100644
>> --- a/security/Kconfig
>> +++ b/security/Kconfig
>> @@ -6,6 +6,25 @@ menu "Security options"
>>
>> source security/keys/Kconfig
>>
>> +config ARCH_SUPPORTS_XPFO
>> + bool
>
> Can you include a "help" section here to describe what requirements an
> architecture needs to support XPFO? See HAVE_ARCH_SECCOMP_FILTER and
> HAVE_ARCH_VMAP_STACK or some examples.
Will do.
>> +config XPFO
>> + bool "Enable eXclusive Page Frame Ownership (XPFO)"
>> + default n
>> + depends on ARCH_SUPPORTS_XPFO
>> + select PAGE_EXTENSION
>> + help
>> + This option offers protection against 'ret2dir' kernel attacks.
>> + When enabled, every time a page frame is allocated to user space, it
>> + is unmapped from the direct mapped RAM region in kernel space
>> + (physmap). Similarly, when a page frame is freed/reclaimed, it is
>> + mapped back to physmap.
>> +
>> + There is a slight performance impact when this option is enabled.
>> +
>> + If in doubt, say "N".
>> +
>> config SECURITY_DMESG_RESTRICT
>> bool "Restrict unprivileged access to the kernel syslog"
>> default n
>
> I've added these patches to my kspp tree on kernel.org, so it should
> get some 0-day testing now...
Very good. Thanks!
> Thanks!
Appreciate the feedback.
...Juerg
> -Kees
>
Attachment:
signature.asc
Description: OpenPGP digital signature