RE: [PATCH net-next] x86: bpf_jit_comp: secure bpf jit against spraying attacks

From: David Laight
Date: Mon May 20 2013 - 10:37:32 EST

Next message: Liu, Joseph: "RE: Subject : [ PATCH ]pci-reset-error_state-to-pci_channel_io_normal-at-report_slot_reset"
Previous message: Paul E. McKenney: "[PATCH tip/core/rcu 4/6] rcu: Drive quiescent-state-forcing delay from HZ"
In reply to: Eric Dumazet: "Re: [PATCH net-next] x86: bpf_jit_comp: secure bpf jit againstspraying attacks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> > What about emitting additional instructions at random locations in the
> > generated code itself?
> >
> > Eg., after every instruction, have random chance to insert
> > 'xor $0xcc,%al; xor $0xcc,%al', etc?
>
> This will be the latest thing I'll do.
>
> Frankly, whole point of BPF JIT is speed.
>
> If we have slow code, just use the interpretor instead.

Adding one of the standard nop opcodes wouldn't be too bad.
IIRC 0x90 is skipped very early on by modern cpu.
Adding one after every nth (or n-mth) instruction would
probably break the alternate instruction stream.

However the attacker could (probably) keep installing
code patterns until the guess pattern matched.

Also the code size changes might make the JIT compile fail
- maybe because of branch offsets, or just size.

David

èº{.nÇ+‰·Ÿ®‰†+%ŠËlzwm…ébëæìr¸›zX§»®w¥Š{ayºÊÚë,j¢f£¢·hš‹àz¹®w¥¢¸¢·¦j:+v‰¨ŠwèjØm¶Ÿÿ¾«‘êçzZ+ƒùšŽŠÝj"ú!¶iO•æ¬z·švØ^¶m§ÿðÃnÆàþY&—

Next message: Liu, Joseph: "RE: Subject : [ PATCH ]pci-reset-error_state-to-pci_channel_io_normal-at-report_slot_reset"
Previous message: Paul E. McKenney: "[PATCH tip/core/rcu 4/6] rcu: Drive quiescent-state-forcing delay from HZ"
In reply to: Eric Dumazet: "Re: [PATCH net-next] x86: bpf_jit_comp: secure bpf jit againstspraying attacks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]