RE: [PATCH v5 02/12] array_idx: sanitize speculative array de-references
From: Van De Ven, Arjan
Date: Tue Jan 30 2018 - 15:28:00 EST
> > Anyway, I do think the patches I've seen so far are ok, and the real
> > reason I'm writing this email is actually more about future patches:
> > do we have a good handle on where these array index sanitations will
> > be needed?
the obvious cases are currently obviously being discussed.
but to be realistic, the places people will find will go on for the next two+ years, and the distros will also
end up needing to backport those for the next two years.
(v1 is like "buffer overflow", it's a class of issues. buffer overflows were not fixed in one patch or overnight)
> > Also, while array limit checking was obviously the official
> > "spectre-v1" issue, I do wonder if there are possible other issues
> > where mispredicted conditional branches can end up leaking
> > information?
there's obviously many things one can do to leak things, for example the v1 paper talks about using the cache
as a mechanism to leak, but you can trivially construct something that uses the TLBs as the channel to leak
(thankfully KPTI cuts that side off) but other variations are possible. I suspect many maser thesis projects
got redirected in the last few months ;-)
> > IOW, is there some work on tooling/analysis/similar? Not asking for
> > near-term, but more of a "big picture" question..
short term there was some extremely rudimentary static analysis done.
clearly that has extreme limitations both in insane rate of false positives, and missing cases.
the real case is to get things like compiler plugins and the like to identify suspect cases.
but we also need to consider changing the kernel a bit. Part of what makes fixing
V1 hard is that security checks on user data are spread in many places across drivers and subsystems.
If we do the security checks more concentrated we cut off many attacks.
For example, we are considering doing a
copy_from_user_struct(*dst, *src, type, validation_function)
where the validation function gets auto-generated from the uapi headers (with some form of annotation)
and if anything fails or the copy faults partway through, the dst is zeroed.
such a beast can do the basic security checks on the user data inside that function(wrapper), and that greatly
limits the number of places we need to take care of.
bonus is that this also will improve the situation of drivers being sloppy with input validation and where
the current rootholes are happening