Re: [PATCH 06/10] x86/cet: Add arch_prctl functions for shadow stack

[Kees Cook]

On Tue, Jun 19, 2018 at 7:50 AM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
>> On Jun 18, 2018, at 5:52 PM, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>> Following Linus's request for "slow introduction" of new security
>> features, likely the best approach is to default to "relaxed" (with a
>> warning about down-grades), and allow distros/end-users to pick
>> "forced" if they know their libraries are all CET-enabled.
>
> I still donât get what ârelaxedâ is for.  I think the right design is:
>
> Processes start with CET on or off depending on the ELF note, but they start with CET unlocked no matter what. They can freely switch CET on and off (subject to being clever enough not to crash if they turn it on and then return right off the end of the shadow stack) until they call ARCH_CET_LOCK.

I'm fine with this. I'd expect modern loaders to just turn on CET and
ARCH_CET_LOCK immediately and be done with it. :P

> Ptrace gets new APIs to turn CET on and off and to lock and unlock it.  If an attacker finds a âptrace me and turn off CETâ gadget, then they might as well just do âptrace me and write shell codeâ instead. Itâs basically the same gadget. Keep in mind that the actual sequence of syscalls to do this is incredibly complicated.

Right -- if an attacker can control ptrace of the target, we're way
past CET. The only concern I have, though, is taking advantage of
expected ptracing. For example: browsers tend to have crash handlers
that launch a ptracer. If ptracing disabled CET for all threads, this
won't by safe: an attacker just gains control in two threads, crashes
one to get the ptracer to attach, which disables CET in the other
thread and the attacker continues ROP as normal. As long as the ptrace
disabling is thread-specific, I think this will be okay.

-Kees

-- 
Kees Cook
Pixel Security