Re: [PATCH v2 0/4] [RFC] Implement Trampoline File Descriptor

From: Pavel Machek <hidden>
Date: 2020-09-23 08:14:34
Also in: linux-arm-kernel, linux-fsdevel, linux-integrity, linux-security-module, lkml

Possibly related (same subject, not in this thread)

2020-09-27 · Re: [PATCH v2 0/4] [RFC] Implement Trampoline File Descriptor · Madhavan T. Venkataraman <hidden>
2020-09-27 · Re: [PATCH v2 0/4] [RFC] Implement Trampoline File Descriptor · Madhavan T. Venkataraman <hidden>
2020-09-26 · Re: [PATCH v2 0/4] [RFC] Implement Trampoline File Descriptor · Arvind Sankar <hidden>
2020-09-25 · Re: [PATCH v2 0/4] [RFC] Implement Trampoline File Descriptor · Madhavan T. Venkataraman <hidden>
2020-09-25 · Re: [PATCH v2 0/4] [RFC] Implement Trampoline File Descriptor · Madhavan T. Venkataraman <hidden>

Hi!

Introduction
============

Dynamic code is used in many different user applications. Dynamic code is
often generated at runtime. Dynamic code can also just be a pre-defined
sequence of machine instructions in a data buffer. Examples of dynamic
code are trampolines, JIT code, DBT code, etc.

Dynamic code is placed either in a data page or in a stack page. In order
to execute dynamic code, the page it resides in needs to be mapped with
execute permissions. Writable pages with execute permissions provide an
attack surface for hackers. Attackers can use this to inject malicious
code, modify existing code or do other harm.

To mitigate this, LSMs such as SELinux implement W^X. That is, they may not
allow pages to have both write and execute permissions. This prevents
dynamic code from executing and blocks applications that use it. To allow
genuine applications to run, exceptions have to be made for them (by setting
execmem, etc) which opens the door to security issues.

The W^X implementation today is not complete. There exist many user level
tricks that can be used to load and execute dynamic code. E.g.,

- Load the code into a file and map the file with R-X.

- Load the code in an RW- page. Change the permissions to R--. Then,
  change the permissions to R-X.

- Load the code in an RW- page. Remap the page with R-X to get a separate
  mapping to the same underlying physical page.

IMO, these are all security holes as an attacker can exploit them to inject
his own code.

IMO, you are smoking crack^H^H very seriously misunderstanding what
W^X is supposed to protect from.

W^X is not supposed to protect you from attackers that can already do
system calls. So loading code into a file then mapping the file as R-X
is in no way security hole in W^X.

If you want to provide protection from attackers that _can_ do system
calls, fine, but please don't talk about W^X and please specify what
types of attacks you want to prevent and why that's good thing.

Hint: attacker that can "Load the code into a file and map the file
with R-X." can probably also load the code into /foo and
os.system("/usr/bin/python /foo").

This is not first crazy patch from your company. Perhaps you should
have a person with strong Unix/Linux experience performing "straight
face test" on outgoing patches?

Best regards,
									Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

Attachments

signature.asc [application/pgp-signature] 181 bytes

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help