On Sat, 11 May 2024 15:09:48 -0600
Jiri Olsa [off-list ref] wrote:

On Thu, May 09, 2024 at 04:24:37PM +0000, Edgecombe, Rick P wrote:

quoted

On Thu, 2024-05-09 at 10:30 +0200, Jiri Olsa wrote:

quoted

quoted

Per the earlier discussion, this cannot be reached unless uretprobes are in
use,
which cannot happen without something with privileges taking an action. But
are
uretprobes ever used for monitoring applications where security is
important? Or
is it strictly a debug-time thing?

sorry, I don't have that level of detail, but we do have customers
that use uprobes in general or want to use it and complain about
the speed

there are several tools in bcc [1] that use uretprobes in scripts,
like:
  memleak, sslsniff, trace, bashreadline, gethostlatency, argdist,
  funclatency

Is it possible to have shadow stack only use the non-syscall solution? It seems
it exposes a more limited compatibility in that it only allows writing the
specific trampoline address. (IIRC) Then shadow stack users could still use
uretprobes, but just not the new optimized solution. There are already
operations that are slower with shadow stack, like longjmp(), so this could be
ok maybe.

I guess it's doable, we'd need to keep both trampolines around, because
shadow stack is enabled by app dynamically and use one based on the
state of shadow stack when uretprobe is installed

so you're worried the optimized syscall path could be somehow exploited
to add data on shadow stack?

Good point. For the security concerning (e.g. leaking sensitive information
from secure process which uses shadow stack), we need another limitation
which prohibits probing such process even for debugging. But I think that
needs another series of patches. We also need to discuss when it should be
prohibited and how (e.g. audit interface? SELinux?).
But I think this series is just optimizing currently available uprobes with
a new syscall. I don't think it changes such security concerning.

Thank you,

jirka

-- 
Masami Hiramatsu (Google) [off-list ref]