Re: [kernel-hardening] [RFC PATCH v2 0/3] Add support for eXclusive Page Frame Ownership (XPFO)

2016-09-14 Thread Mark Rutland
On Wed, Sep 14, 2016 at 10:36:34AM +0100, Mark Rutland wrote:
> On Wed, Sep 14, 2016 at 09:18:58AM +0200, Juerg Haefliger wrote:
> > This patch series adds support for XPFO which protects against 'ret2dir'
> > kernel attacks. The basic idea is to enforce exclusive ownership of page
> > frames by either the kernel or userspace, unless explicitly requested by
> > the kernel. Whenever a page destined for userspace is allocated, it is
> > unmapped from physmap (the kernel's page table). When such a page is
> > reclaimed from userspace, it is mapped back to physmap.

> > Reference paper by the original patch authors:
> >   http://www.cs.columbia.edu/~vpk/papers/ret2dir.sec14.pdf

> For both arm64 and x86_64, DEBUG_RODATA is mandatory (or soon to be so).
> Assuming that implies a lack of execute permission for x86_64, that
> should provide a similar level of protection against erroneously
> branching to addresses in the linear map, without the complexity and
> overhead of mapping/unmapping pages.
> 
> So to me it looks like this approach may only be useful for
> architectures without page-granular execute permission controls.
> 
> Is this also intended to protect against erroneous *data* accesses to
> the linear map?

Now that I read the paper more carefully, I can see that this is the
case, and this does catch issues which DEBUG_RODATA cannot.

Apologies for the noise.

Thanks,
Mark.


Re: [kernel-hardening] [RFC PATCH v2 0/3] Add support for eXclusive Page Frame Ownership (XPFO)

2016-09-14 Thread Mark Rutland
Hi,

On Wed, Sep 14, 2016 at 09:18:58AM +0200, Juerg Haefliger wrote:

> This patch series adds support for XPFO which protects against 'ret2dir'
> kernel attacks. The basic idea is to enforce exclusive ownership of page
> frames by either the kernel or userspace, unless explicitly requested by
> the kernel. Whenever a page destined for userspace is allocated, it is
> unmapped from physmap (the kernel's page table). When such a page is
> reclaimed from userspace, it is mapped back to physmap.

> Known issues/limitations:
>   - Only supports x86-64 (for now)
>   - Only supports 4k pages (for now)
> >   - There are most likely some legitimate use cases where the kernel needs
> >     to access userspace which need to be made XPFO-aware
>   - Performance penalty
> 
> Reference paper by the original patch authors:
>   http://www.cs.columbia.edu/~vpk/papers/ret2dir.sec14.pdf

Just to check, doesn't DEBUG_RODATA ensure that the linear mapping is
non-executable on x86_64 (as it does for arm64)?

For both arm64 and x86_64, DEBUG_RODATA is mandatory (or soon to be so).
Assuming that implies a lack of execute permission for x86_64, that
should provide a similar level of protection against erroneously
branching to addresses in the linear map, without the complexity and
overhead of mapping/unmapping pages.

So to me it looks like this approach may only be useful for
architectures without page-granular execute permission controls.

Is this also intended to protect against erroneous *data* accesses to
the linear map?

Am I missing something?

Thanks,
Mark.


Re: [RFC PATCH v2 0/3] Add support for eXclusive Page Frame Ownership (XPFO)

2016-09-14 Thread Juerg Haefliger
Resending to include the kernel-hardening list. Sorry, I wasn't subscribed with
the correct email address when I sent this the first time.

...Juerg

On 09/14/2016 09:18 AM, Juerg Haefliger wrote:
> Changes from:
>   v1 -> v2:
> - Moved the code from arch/x86/mm/ to mm/ since it's (mostly)
>   arch-agnostic.
> - Moved the config to the generic layer and added ARCH_SUPPORTS_XPFO
>   for x86.
> - Use page_ext for the additional per-page data.
> - Removed the clearing of pages. This can be accomplished by using
>   PAGE_POISONING.
> - Split up the patch into multiple patches.
> - Fixed additional issues identified by reviewers.
> 
> This patch series adds support for XPFO which protects against 'ret2dir'
> kernel attacks. The basic idea is to enforce exclusive ownership of page
> frames by either the kernel or userspace, unless explicitly requested by
> the kernel. Whenever a page destined for userspace is allocated, it is
> unmapped from physmap (the kernel's page table). When such a page is
> reclaimed from userspace, it is mapped back to physmap.
> 
> Additional fields in the page_ext struct are used for XPFO housekeeping.
> Specifically: two flags, to distinguish user vs. kernel pages and to tag
> unmapped pages; a reference counter to balance kmap/kunmap operations;
> and a lock to serialize access to the XPFO fields.
> 
> Known issues/limitations:
>   - Only supports x86-64 (for now)
>   - Only supports 4k pages (for now)
>   - There are most likely some legitimate use cases where the kernel needs
>     to access userspace which need to be made XPFO-aware
>   - Performance penalty
> 
> Reference paper by the original patch authors:
>   http://www.cs.columbia.edu/~vpk/papers/ret2dir.sec14.pdf
> 
> Juerg Haefliger (3):
>   Add support for eXclusive Page Frame Ownership (XPFO)
>   xpfo: Only put previous userspace pages into the hot cache
>   block: Always use a bounce buffer when XPFO is enabled
> 
>  arch/x86/Kconfig |   3 +-
>  arch/x86/mm/init.c   |   2 +-
>  block/blk-map.c  |   2 +-
>  include/linux/highmem.h  |  15 +++-
>  include/linux/page_ext.h |   7 ++
>  include/linux/xpfo.h |  41 +
>  lib/swiotlb.c|   3 +-
>  mm/Makefile  |   1 +
>  mm/page_alloc.c  |  10 ++-
>  mm/page_ext.c|   4 +
>  mm/xpfo.c| 213 +++
>  security/Kconfig |  20 +
>  12 files changed, 314 insertions(+), 7 deletions(-)
>  create mode 100644 include/linux/xpfo.h
>  create mode 100644 mm/xpfo.c
> 


-- 
Juerg Haefliger
Hewlett Packard Enterprise





[RFC PATCH v2 0/3] Add support for eXclusive Page Frame Ownership (XPFO)

2016-09-14 Thread Juerg Haefliger
Changes from:
  v1 -> v2:
- Moved the code from arch/x86/mm/ to mm/ since it's (mostly)
  arch-agnostic.
- Moved the config to the generic layer and added ARCH_SUPPORTS_XPFO
  for x86.
- Use page_ext for the additional per-page data.
- Removed the clearing of pages. This can be accomplished by using
  PAGE_POISONING.
- Split up the patch into multiple patches.
- Fixed additional issues identified by reviewers.

This patch series adds support for XPFO which protects against 'ret2dir'
kernel attacks. The basic idea is to enforce exclusive ownership of page
frames by either the kernel or userspace, unless explicitly requested by
the kernel. Whenever a page destined for userspace is allocated, it is
unmapped from physmap (the kernel's page table). When such a page is
reclaimed from userspace, it is mapped back to physmap.

Additional fields in the page_ext struct are used for XPFO housekeeping.
Specifically: two flags, to distinguish user vs. kernel pages and to tag
unmapped pages; a reference counter to balance kmap/kunmap operations;
and a lock to serialize access to the XPFO fields.

Known issues/limitations:
  - Only supports x86-64 (for now)
  - Only supports 4k pages (for now)
  - There are most likely some legitimate use cases where the kernel needs
    to access userspace which need to be made XPFO-aware
  - Performance penalty

Reference paper by the original patch authors:
  http://www.cs.columbia.edu/~vpk/papers/ret2dir.sec14.pdf

Juerg Haefliger (3):
  Add support for eXclusive Page Frame Ownership (XPFO)
  xpfo: Only put previous userspace pages into the hot cache
  block: Always use a bounce buffer when XPFO is enabled

 arch/x86/Kconfig |   3 +-
 arch/x86/mm/init.c   |   2 +-
 block/blk-map.c  |   2 +-
 include/linux/highmem.h  |  15 +++-
 include/linux/page_ext.h |   7 ++
 include/linux/xpfo.h |  41 +
 lib/swiotlb.c|   3 +-
 mm/Makefile  |   1 +
 mm/page_alloc.c  |  10 ++-
 mm/page_ext.c|   4 +
 mm/xpfo.c| 213 +++
 security/Kconfig |  20 +
 12 files changed, 314 insertions(+), 7 deletions(-)
 create mode 100644 include/linux/xpfo.h
 create mode 100644 mm/xpfo.c

-- 
2.9.3
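Mark's question about an NX linear map versus stray *data* accesses, and the cover letter's page_ext flags, kmap/kunmap reference count and map/unmap transitions, as one added C model. This is illustrative code written for this page, not the series' code; every name in it (frame, page_ext_model, physmap_access_ok, user_frame_walk) is invented, and the per-page lock is left out.

```c
/* Added illustration, not kernel code: a user-space model of the XPFO page
 * states from the cover letter beside an NX-only linear map. All names here
 * are invented; the lock that serialises the real XPFO fields is omitted. */
#include <stdbool.h>

enum { XPFO_USER = 1u << 0, XPFO_UNMAPPED = 1u << 1 }; /* the two page_ext flags */
enum access { ACC_READ, ACC_EXEC };

struct page_ext_model {
    unsigned flags;  /* XPFO_USER | XPFO_UNMAPPED */
    int kmap_count;  /* balances kmap/kunmap: first map re-maps, last unmap removes */
};

struct frame {
    struct page_ext_model ext;
    bool xpfo;       /* XPFO enabled: user pages are unmapped from physmap */
    bool physmap_nx; /* DEBUG_RODATA-style non-executable linear map */
};

/* Allocation for userspace: mark user-owned; with XPFO, drop the physmap mapping. */
static void alloc_for_user(struct frame *f)
{
    f->ext.flags = XPFO_USER | (f->xpfo ? XPFO_UNMAPPED : 0);
    f->ext.kmap_count = 0;
}

/* kmap: the kernel explicitly asks for access; the first mapper restores the mapping. */
static void xpfo_kmap(struct frame *f)
{
    if ((f->ext.flags & XPFO_USER) && f->ext.kmap_count++ == 0)
        f->ext.flags &= ~XPFO_UNMAPPED;
}

/* kunmap: the last unmapper takes the mapping away again. */
static void xpfo_kunmap(struct frame *f)
{
    if ((f->ext.flags & XPFO_USER) && --f->ext.kmap_count == 0 && f->xpfo)
        f->ext.flags |= XPFO_UNMAPPED;
}

/* Free: the frame is reclaimed by the kernel and mapped back into physmap. */
static void free_frame(struct frame *f) { f->ext.flags = 0; f->ext.kmap_count = 0; }

/* Would a stray kernel access through the linear map reach this frame? */
static bool physmap_access_ok(const struct frame *f, enum access a)
{
    if (f->ext.flags & XPFO_UNMAPPED)
        return false;                             /* no mapping at all: data or code */
    return !(a == ACC_EXEC && f->physmap_nx);     /* NX refuses execution only */
}

/* Walk one frame through alloc -> kmap x2 -> kunmap x2 -> free; bit i of the
 * result is set when the access was permitted at step i. */
static unsigned user_frame_walk(bool xpfo, enum access a)
{
    struct frame f = { {0, 0}, xpfo, true };
    unsigned ok = 0;
    alloc_for_user(&f); ok |= physmap_access_ok(&f, a) << 0;
    xpfo_kmap(&f);      ok |= physmap_access_ok(&f, a) << 1;
    xpfo_kmap(&f);
    xpfo_kunmap(&f);    ok |= physmap_access_ok(&f, a) << 2; /* one mapper left */
    xpfo_kunmap(&f);    ok |= physmap_access_ok(&f, a) << 3;
    free_frame(&f);     ok |= physmap_access_ok(&f, a) << 4;
    return ok;
}
```

With XPFO, user_frame_walk(true, ACC_READ) yields 0x16: a stray data read through physmap is refused while the page belongs to userspace and is only permitted between kmap and the balancing kunmap, whereas with NX alone the same read is permitted at every step (0x1f) and only execution is refused.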



[RFC PATCH v2 0/3] Add support for eXclusive Page Frame Ownership (XPFO)

2016-09-02 Thread Juerg Haefliger
Changes from:
  v1 -> v2:
- Moved the code from arch/x86/mm/ to mm/ since it's (mostly)
  arch-agnostic.
- Moved the config to the generic layer and added ARCH_SUPPORTS_XPFO
  for x86.
- Use page_ext for the additional per-page data.
- Removed the clearing of pages. This can be accomplished by using
  PAGE_POISONING.
- Split up the patch into multiple patches.
- Fixed additional issues identified by reviewers.

This patch series adds support for XPFO which protects against 'ret2dir'
kernel attacks. The basic idea is to enforce exclusive ownership of page
frames by either the kernel or userspace, unless explicitly requested by
the kernel. Whenever a page destined for userspace is allocated, it is
unmapped from physmap (the kernel's page table). When such a page is
reclaimed from userspace, it is mapped back to physmap.

Additional fields in the page_ext struct are used for XPFO housekeeping.
Specifically: two flags, to distinguish user vs. kernel pages and to tag
unmapped pages; a reference counter to balance kmap/kunmap operations;
and a lock to serialize access to the XPFO fields.

Known issues/limitations:
  - Only supports x86-64 (for now)
  - Only supports 4k pages (for now)
  - There are most likely some legitimate use cases where the kernel needs
    to access userspace which need to be made XPFO-aware
  - Performance penalty

Reference paper by the original patch authors:
  http://www.cs.columbia.edu/~vpk/papers/ret2dir.sec14.pdf

Juerg Haefliger (3):
  Add support for eXclusive Page Frame Ownership (XPFO)
  xpfo: Only put previous userspace pages into the hot cache
  block: Always use a bounce buffer when XPFO is enabled

 arch/x86/Kconfig |   3 +-
 arch/x86/mm/init.c   |   2 +-
 block/blk-map.c  |   2 +-
 include/linux/highmem.h  |  15 +++-
 include/linux/page_ext.h |   7 ++
 include/linux/xpfo.h |  41 +
 lib/swiotlb.c|   3 +-
 mm/Makefile  |   1 +
 mm/page_alloc.c  |  10 ++-
 mm/page_ext.c|   4 +
 mm/xpfo.c| 213 +++
 security/Kconfig |  20 +
 12 files changed, 314 insertions(+), 7 deletions(-)
 create mode 100644 include/linux/xpfo.h
 create mode 100644 mm/xpfo.c

-- 
2.9.3


