Re: CURRENT: bhyve and Kernel SamePage Mergin

2016-06-09 Thread Shawn Webb 
Hey David,

I'm responding inline.

On Thu, Jun 09, 2016 at 09:18:40AM +0100, David Chisnall wrote:
> If this paper is the one that I think it is, then I was one of the reviewers. 
>  Their attack is neat, but it depends quite a lot on being able to 
> deterministically trigger deduplication.  Their proof-of-concept exploit was 
> on Windows (and JavaScript attack was really fun) and I???m not convinced 
> that it would work reliably on Linux or VMWare ESX, which both defer 
> deduplication for as long as possible to avoid NUMA-related overheads.
> 
> We don???t currently have a FreeBSD implementation, but if someone wanted to 
> provide one then a defence against this attack would be fairly simple: count 
> the number of CoW faults that a process is receiving and if it reaches a 
> certain threshold then remove all of its memory from the set of eligible 
> pages.  The attack relies on being able to repeatedly trigger CoW faults and 
> time whether they occur, with the same set of pages.  At least some existing 
> implementations will make this impossible as these pages will repeatedly be 
> deduplicated and then duplicated and this is already a pathological case that 
> most memory deduplication implementations need to handle (as well as being a 
> security hole, it???s also a big performance killer).

Competely agreed. This is a "nothing to see here" situation. The paper
simply doesn't apply to FreeBSD.

> 
> Kib has been working on ASLR for FreeBSD (I think it???s in 11?), but at this 
> point it???s more of a checkbox item than a serious mitigation technique.  It 
> adds a little bit of work for attackers, but there are so many attacks that 
> can bypass ASLR even with strong entropy that it just increases the work 
> factor slightly.  If you???re running code written in C, then you???re better 
> off relying on Capscium compartmentalisation to limit what the attacker can 
> do once they???ve compromised it.

Kib's ASR implementation hasn't made it to HEAD, yet. It differs from
ASLR in pretty drastic ways. Using heap spraying attacks, an attacker
will easily be able to disable the ASR implementation Kib has proposed.
The same does not hold true for the proper ASLR implementation that has
existed for a number of years--HardenedBSD's. Simply forcing address
space fragmentation should not disable ASLR, which is the case for
FreeBSD's ASR. Kib's implementation requires a lot of further work,
especially in regards to stack and shared page randomization, which
doesn't exist in his patch. He views stack and shared page randomization
outside the scope of ASR and I have no clue why as no explanation has
been given.

While ASLR bypasses exist (ROP, SROP, JROP, etc.), they require a number
of additional vulnerabilities to be able to effectively control [ER]IP.
Just like any security technology, ASLR isn't meant to be the
end-all-be-all of security, but just one more layer in a
defense-in-depth strategy. The more layers an attacker has to punch
through, the higher the burden.

Capsicum would indeed be something to look into, but is heavy-handed and
requires modification of source code. Capsicum cannot be applied to
proprietary applications without coordination from the vendor, whereas
ASLR can be. I like Capsicum, but integrating "ALL THE THINGS!" with it
takes a lot of work.

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

GPG Key ID:  0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: CURRENT: bhyve and Kernel SamePage Mergin

2016-06-09 Thread David Chisnall 
If this paper is the one that I think it is, then I was one of the reviewers.  
Their attack is neat, but it depends quite a lot on being able to 
deterministically trigger deduplication.  Their proof-of-concept exploit was on 
Windows (and JavaScript attack was really fun) and I’m not convinced that it 
would work reliably on Linux or VMWare ESX, which both defer deduplication for 
as long as possible to avoid NUMA-related overheads.

We don’t currently have a FreeBSD implementation, but if someone wanted to 
provide one then a defence against this attack would be fairly simple: count 
the number of CoW faults that a process is receiving and if it reaches a 
certain threshold then remove all of its memory from the set of eligible pages. 
 The attack relies on being able to repeatedly trigger CoW faults and time 
whether they occur, with the same set of pages.  At least some existing 
implementations will make this impossible as these pages will repeatedly be 
deduplicated and then duplicated and this is already a pathological case that 
most memory deduplication implementations need to handle (as well as being a 
security hole, it’s also a big performance killer).

Kib has been working on ASLR for FreeBSD (I think it’s in 11?), but at this 
point it’s more of a checkbox item than a serious mitigation technique.  It 
adds a little bit of work for attackers, but there are so many attacks that can 
bypass ASLR even with strong entropy that it just increases the work factor 
slightly.  If you’re running code written in C, then you’re better off relying 
on Capscium compartmentalisation to limit what the attacker can do once they’ve 
compromised it.

David

> On 8 Jun 2016, at 16:01, O. Hartmann  wrote:
> 
> A couple of days I got as a responsible personell for a couple of systems a 
> warning about
> the vulnerabilities of the mechanism called "Kernel SamePage Mergin". On this 
> year's IEEE
> symposion there has been submitted a paper by Bosman et al., 2016, describing 
> an attack
> on KSM. This technique, also referred to as memory/page deduplication, seems 
> to be
> vulnerable by design under certain circumstances. I guess the experts of the 
> readers here
> do already know, but I consider myself a non-expert and therefore, I'd like 
> to ask about
> the status of that kind of development in FreeBSD. I read about a project of 
> last year's
> Google Summer of Code 2015 targetting KSM on FreeBSD.
> 
> In Linux, this deduplication techniques is implemented since kernel 2.6.38 
> and Windows
> Kernel uses this techniques since Windows 8.1 and sibblings (also Windows 
> Server). We
> were strongly advised to disable those "features" in Windows clients, servers 
> and Linux
> servers, if used.
> 
> Other papers describe successful attacks on memory contents and ASLR by 
> misusing KSM. On
> Windows, mmap() entropy is 19bit, on Linux usually 28bit. And FreeBSD (if
> planned/used/already implemented?)? 
> 
> If you are interested I could provide links or PDFs of the papers I already 
> gathered
> about that subject (it is not much, simply google for "KSM FReeBSD" or KSM 
> deduplication
> ASLR).
> 
> Thanks in advance,
> 
> oh



smime.p7s
Description: S/MIME cryptographic signature

Re: CURRENT: bhyve and Kernel SamePage Mergin

2016-06-08 Thread Pedro Giffuni 

Hi oh;

Nothing to worry: for good or bad, FreeBSD has no memory deduplication 
mechanism implemented.


Pedro.

___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

CURRENT: bhyve and Kernel SamePage Mergin

2016-06-08 Thread O. Hartmann 
A couple of days I got as a responsible personell for a couple of systems a 
warning about
the vulnerabilities of the mechanism called "Kernel SamePage Mergin". On this 
year's IEEE
symposion there has been submitted a paper by Bosman et al., 2016, describing 
an attack
on KSM. This technique, also referred to as memory/page deduplication, seems to 
be
vulnerable by design under certain circumstances. I guess the experts of the 
readers here
do already know, but I consider myself a non-expert and therefore, I'd like to 
ask about
the status of that kind of development in FreeBSD. I read about a project of 
last year's
Google Summer of Code 2015 targetting KSM on FreeBSD.

In Linux, this deduplication techniques is implemented since kernel 2.6.38 and 
Windows
Kernel uses this techniques since Windows 8.1 and sibblings (also Windows 
Server). We
were strongly advised to disable those "features" in Windows clients, servers 
and Linux
servers, if used.

Other papers describe successful attacks on memory contents and ASLR by 
misusing KSM. On
Windows, mmap() entropy is 19bit, on Linux usually 28bit. And FreeBSD (if
planned/used/already implemented?)? 

If you are interested I could provide links or PDFs of the papers I already 
gathered
about that subject (it is not much, simply google for "KSM FReeBSD" or KSM 
deduplication
ASLR).

Thanks in advance,

oh


pgpaCTmo1B49J.pgp
Description: OpenPGP digital signature