Re: CURRENT: bhyve and Kernel SamePage Mergin
Hey David, I'm responding inline. On Thu, Jun 09, 2016 at 09:18:40AM +0100, David Chisnall wrote: > If this paper is the one that I think it is, then I was one of the reviewers. > Their attack is neat, but it depends quite a lot on being able to > deterministically trigger deduplication. Their proof-of-concept exploit was > on Windows (and JavaScript attack was really fun) and I???m not convinced > that it would work reliably on Linux or VMWare ESX, which both defer > deduplication for as long as possible to avoid NUMA-related overheads. > > We don???t currently have a FreeBSD implementation, but if someone wanted to > provide one then a defence against this attack would be fairly simple: count > the number of CoW faults that a process is receiving and if it reaches a > certain threshold then remove all of its memory from the set of eligible > pages. The attack relies on being able to repeatedly trigger CoW faults and > time whether they occur, with the same set of pages. At least some existing > implementations will make this impossible as these pages will repeatedly be > deduplicated and then duplicated and this is already a pathological case that > most memory deduplication implementations need to handle (as well as being a > security hole, it???s also a big performance killer). Competely agreed. This is a "nothing to see here" situation. The paper simply doesn't apply to FreeBSD. > > Kib has been working on ASLR for FreeBSD (I think it???s in 11?), but at this > point it???s more of a checkbox item than a serious mitigation technique. It > adds a little bit of work for attackers, but there are so many attacks that > can bypass ASLR even with strong entropy that it just increases the work > factor slightly. If you???re running code written in C, then you???re better > off relying on Capscium compartmentalisation to limit what the attacker can > do once they???ve compromised it. Kib's ASR implementation hasn't made it to HEAD, yet. It differs from ASLR in pretty drastic ways. Using heap spraying attacks, an attacker will easily be able to disable the ASR implementation Kib has proposed. The same does not hold true for the proper ASLR implementation that has existed for a number of years--HardenedBSD's. Simply forcing address space fragmentation should not disable ASLR, which is the case for FreeBSD's ASR. Kib's implementation requires a lot of further work, especially in regards to stack and shared page randomization, which doesn't exist in his patch. He views stack and shared page randomization outside the scope of ASR and I have no clue why as no explanation has been given. While ASLR bypasses exist (ROP, SROP, JROP, etc.), they require a number of additional vulnerabilities to be able to effectively control [ER]IP. Just like any security technology, ASLR isn't meant to be the end-all-be-all of security, but just one more layer in a defense-in-depth strategy. The more layers an attacker has to punch through, the higher the burden. Capsicum would indeed be something to look into, but is heavy-handed and requires modification of source code. Capsicum cannot be applied to proprietary applications without coordination from the vendor, whereas ASLR can be. I like Capsicum, but integrating "ALL THE THINGS!" with it takes a lot of work. Thanks, -- Shawn Webb Cofounder and Security Engineer HardenedBSD GPG Key ID: 0x6A84658F52456EEE GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: CURRENT: bhyve and Kernel SamePage Mergin
If this paper is the one that I think it is, then I was one of the reviewers. Their attack is neat, but it depends quite a lot on being able to deterministically trigger deduplication. Their proof-of-concept exploit was on Windows (and JavaScript attack was really fun) and I’m not convinced that it would work reliably on Linux or VMWare ESX, which both defer deduplication for as long as possible to avoid NUMA-related overheads. We don’t currently have a FreeBSD implementation, but if someone wanted to provide one then a defence against this attack would be fairly simple: count the number of CoW faults that a process is receiving and if it reaches a certain threshold then remove all of its memory from the set of eligible pages. The attack relies on being able to repeatedly trigger CoW faults and time whether they occur, with the same set of pages. At least some existing implementations will make this impossible as these pages will repeatedly be deduplicated and then duplicated and this is already a pathological case that most memory deduplication implementations need to handle (as well as being a security hole, it’s also a big performance killer). Kib has been working on ASLR for FreeBSD (I think it’s in 11?), but at this point it’s more of a checkbox item than a serious mitigation technique. It adds a little bit of work for attackers, but there are so many attacks that can bypass ASLR even with strong entropy that it just increases the work factor slightly. If you’re running code written in C, then you’re better off relying on Capscium compartmentalisation to limit what the attacker can do once they’ve compromised it. David > On 8 Jun 2016, at 16:01, O. Hartmannwrote: > > A couple of days I got as a responsible personell for a couple of systems a > warning about > the vulnerabilities of the mechanism called "Kernel SamePage Mergin". On this > year's IEEE > symposion there has been submitted a paper by Bosman et al., 2016, describing > an attack > on KSM. This technique, also referred to as memory/page deduplication, seems > to be > vulnerable by design under certain circumstances. I guess the experts of the > readers here > do already know, but I consider myself a non-expert and therefore, I'd like > to ask about > the status of that kind of development in FreeBSD. I read about a project of > last year's > Google Summer of Code 2015 targetting KSM on FreeBSD. > > In Linux, this deduplication techniques is implemented since kernel 2.6.38 > and Windows > Kernel uses this techniques since Windows 8.1 and sibblings (also Windows > Server). We > were strongly advised to disable those "features" in Windows clients, servers > and Linux > servers, if used. > > Other papers describe successful attacks on memory contents and ASLR by > misusing KSM. On > Windows, mmap() entropy is 19bit, on Linux usually 28bit. And FreeBSD (if > planned/used/already implemented?)? > > If you are interested I could provide links or PDFs of the papers I already > gathered > about that subject (it is not much, simply google for "KSM FReeBSD" or KSM > deduplication > ASLR). > > Thanks in advance, > > oh smime.p7s Description: S/MIME cryptographic signature
Re: CURRENT: bhyve and Kernel SamePage Mergin
Hi oh; Nothing to worry: for good or bad, FreeBSD has no memory deduplication mechanism implemented. Pedro. ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
CURRENT: bhyve and Kernel SamePage Mergin
A couple of days I got as a responsible personell for a couple of systems a warning about the vulnerabilities of the mechanism called "Kernel SamePage Mergin". On this year's IEEE symposion there has been submitted a paper by Bosman et al., 2016, describing an attack on KSM. This technique, also referred to as memory/page deduplication, seems to be vulnerable by design under certain circumstances. I guess the experts of the readers here do already know, but I consider myself a non-expert and therefore, I'd like to ask about the status of that kind of development in FreeBSD. I read about a project of last year's Google Summer of Code 2015 targetting KSM on FreeBSD. In Linux, this deduplication techniques is implemented since kernel 2.6.38 and Windows Kernel uses this techniques since Windows 8.1 and sibblings (also Windows Server). We were strongly advised to disable those "features" in Windows clients, servers and Linux servers, if used. Other papers describe successful attacks on memory contents and ASLR by misusing KSM. On Windows, mmap() entropy is 19bit, on Linux usually 28bit. And FreeBSD (if planned/used/already implemented?)? If you are interested I could provide links or PDFs of the papers I already gathered about that subject (it is not much, simply google for "KSM FReeBSD" or KSM deduplication ASLR). Thanks in advance, oh pgpaCTmo1B49J.pgp Description: OpenPGP digital signature