Re: [Security] proactive defense: using read-only memory, RO/NXmodules

From: Ingo Molnar
Date: Wed Nov 10 2010 - 04:04:43 EST

Next message: Ingo Molnar: "Re: [PATCH 2/2] perf bench: add x86-64 specific benchmarks to perfbench mem memcpy"
Previous message: Marek Belisko: "[PATCH] staging: ft100: Create common return point."
In reply to: Kees Cook: "Re: [Security] proactive defense: using read-only memory, RO/NXmodules"
Next in thread: Kees Cook: "Re: [Security] proactive defense: using read-only memory, RO/NXmodules"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Kees Cook <kees.cook@xxxxxxxxxxxxx> wrote:

> Hi,
>
> On Mon, Nov 08, 2010 at 07:13:24AM +0100, Ingo Molnar wrote:
> > * Kees Cook <kees.cook@xxxxxxxxxxxxx> wrote:
> > > While Dan Rosenberg is working to make things harder to locate potential targets
> > > in the kernel through fixing kernel address leaks[1], I'd like to approach a
> > > related proactive security measure: enforcing read-only memory for things that
> > > would make good targets.
> >
> > Nice! IMHO we need more of that. (If the readonly section gets big enough in
> > practice we could perhaps even mark it large-page in the future. It could serve as
> > an allocator to module code as well - that would probably be a speedup even for
> > modules.)
>
> Well, I can try to extract and send what PaX does, but it seems relatively
> incompatible with the existing system that uses set_kernel_text_rw() and
> friends.
>
> > > - Modules need to be correctly marked RO/NX. This patch exists[3], but is
> > > not in mainline. It needs to be in mainline.
> > [...]
> > >
> > > [3] http://git.kernel.org/?p=linux/kernel/git/x86/linux-2.6-tip.git;a=commitdiff;h=65187d24fa3ef60f691f847c792e8eaca7e19251
> >
> > The reason the RO/NX patch from Siarhei Liakh is not upstream yet is rather mundane:
> > it introduced regressions - it caused boot crashes on one of my testboxes.
> >
> > But there is no fundamental reason why it shouldnt be upstream. We can push it
> > upstream if the crashes are resolved and if it gets an Ack from Rusty or Linus
> > for the module bits.
>
> Oh, well, yes, that's a good reason. :) Where was this covered? I'd like to help
> get it reproduced and ironed out.

Matthieu Castet seems to have dusted off those patches and submitted two of them in
this mail:

Subject: [RFC] reworked NX protection for kernel data

Matthieu, are you still interested in this topic?

The original, broken patches were these -tip commits:

1e858c081af5: x86, mm: RO/NX protection for loadable kernel modules
18c60ddc9eff: x86, mm: NX protection for kernel data
c226a2feba21: x86, mm: Set first MB as RW+NX
b29d530510d4: x86, mm: Correcting improper large page preservation

I reported one of the crashes in:

Subject: Re: [tip:x86/mm] x86, mm: Set first MB as RW+NX

on lkml.

Thanks,

Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Ingo Molnar: "Re: [PATCH 2/2] perf bench: add x86-64 specific benchmarks to perfbench mem memcpy"
Previous message: Marek Belisko: "[PATCH] staging: ft100: Create common return point."
In reply to: Kees Cook: "Re: [Security] proactive defense: using read-only memory, RO/NXmodules"
Next in thread: Kees Cook: "Re: [Security] proactive defense: using read-only memory, RO/NXmodules"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]