Re: [PATCH v4 0/4] SROP Mitigation: Sigreturn Cookies

From: Andy Lutomirski
Date: Tue Mar 29 2016 - 17:29:26 EST

Next message: Jarkko Sakkinen: "[PATCH] tpm: move tpm_pcr_read_dev() to tpm1-cmd.c"
Previous message: Andrew Morton: "Re: [PATCH] mm: Refactor find_get_pages() & friends"
In reply to: Andi Kleen: "Re: [PATCH v4 3/4] Sysctl: SROP Mitigation: Add Sysctl argument to disable SROP."
Next in thread: Scotty Bauer: "Re: [PATCH v4 0/4] SROP Mitigation: Sigreturn Cookies"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Mar 29, 2016 at 12:53 PM, Scott Bauer <sbauer@xxxxxxxxxxxx> wrote:
> Sigreturn-oriented programming is a new attack vector in userland
> where an attacker crafts a fake signal frame on the stack and calls
> sigreturn. The kernel will extract the fake signal frame, which
> contains attacker controlled "saved" registers. The kernel will then
> transfer control to the attacker controlled userland instruction pointer.
>
> To prevent SROP attacks the kernel needs to know or be able to dervive
> whether a sigreturn it is processing is in response to a legitimate
> signal the kernel previously delivered.
>
> Further information and test code can be found in Documentation/security
> and this excellent article:
> http://lwn.net/Articles/676803/
>
> These patches implement the necessary changes to generate a cookie
> which will be placed above signal frame upon signal delivery to userland.
> The cookie is generated using a per-process random value xor'd with
> the address where the cookie will be stored on the stack.
>
> Upon a sigreturn the kernel will extract the cookie from userland,
> recalculate what the original cookie should be and verify that the two
> do not differ. If the two differ the kernel will terminate the process
> with a SIGSEGV.
>
> This prevents SROP by adding a value that the attacker cannot guess,
> but the kernel can verify. Therefore an attacker cannot use sigreturn as
> a method to control the flow of a process.
>

Has anyone verified that this doesn't break CRIU cross-machine (or
cross-boot) migration and that this doesn't break dosemu? You're
changing the ABI here.

--Andy

>
> Version changes:
>
> v3->v4
> Removed ambiguous __user annotation, added Documentation
> and test code.
>
> v2->v3
> Changed cookie calculation from using restored regs->sp to
> using frame pointer from before restoration.
>
> v1->v2
> Miscellaneous nits and code cleanup.
>
> Scott Bauer (4):
> SROP Mitigation: Architecture independent code for signal cookies
> x86: SROP Mitigation: Implement Signal Cookies
> Sysctl: SROP Mitigation: Add Sysctl argument to disable SROP.
> Documentation: SROP Mitigation: Add documentation for SROP cookies
>
>
> Documentation/security/srop-cookies.txt | 203 ++++++++++++++++++++++++++++++++
> arch/x86/ia32/ia32_signal.c | 65 +++++++++-
> arch/x86/include/asm/fpu/signal.h | 2 +
> arch/x86/kernel/fpu/signal.c | 10 ++
> arch/x86/kernel/signal.c | 83 +++++++++++--
> fs/exec.c | 3 +
> include/linux/sched.h | 7 ++
> include/linux/signal.h | 3 +
> kernel/signal.c | 49 ++++++++
> kernel/sysctl.c | 8 ++
> 10 files changed, 418 insertions(+), 15 deletions(-)
>

--
Andy Lutomirski
AMA Capital Management, LLC

Next message: Jarkko Sakkinen: "[PATCH] tpm: move tpm_pcr_read_dev() to tpm1-cmd.c"
Previous message: Andrew Morton: "Re: [PATCH] mm: Refactor find_get_pages() & friends"
In reply to: Andi Kleen: "Re: [PATCH v4 3/4] Sysctl: SROP Mitigation: Add Sysctl argument to disable SROP."
Next in thread: Scotty Bauer: "Re: [PATCH v4 0/4] SROP Mitigation: Sigreturn Cookies"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]