Re: [PATCH] Make /proc/slabinfo 0400

[Dan Rosenberg]

On Sun, 2011-03-06 at 01:42 +0100, Jesper Juhl wrote:
> On Fri, 4 Mar 2011, Dan Rosenberg wrote:
> 
> > On Fri, 2011-03-04 at 22:58 +0200, Pekka Enberg wrote:
> > > On Fri, Mar 4, 2011 at 10:37 PM, Dan Rosenberg <drosenberg@xxxxxxxxxxxxx> wrote:
> > > > This patch makes these techniques more difficult by making it hard to
> > > > know whether the last attacker-allocated object resides before a free or
> > > > allocated object.  Especially with vulnerabilities that only allow one
> > > > attempt at exploitation before recovery is needed to avoid trashing too
> > > > much heap state and causing a crash, this could go a long way.  I'd
> > > > still argue in favor of removing the ability to know how many objects
> > > > are used in a given slab, since randomizing objects doesn't help if you
> > > > know every object is allocated.
> > > 
> > > So if the attacker knows every object is allocated, how does that help
> > > if we're randomizing the initial freelist?
> > 
> > If you know you've got a slab completely full of your objects, then it
> > doesn't matter that they happened to be allocated in a random fashion -
> > they're still all allocated, and by freeing one of them and
> > reallocating, you'll still be next to your target.
> > 
> 
> But still, if randomizing allocations makes life just a little harder for 
> attackers in some scenarios, why not just do it?
> Same with making /proc/slabinfo 0400, if it just makes things a little 
> harder in a few cases, why not do it? It's not like a admin who needs 
> /proc/slabinfo to have other permissions can't arrange for that.
> 
> Having been employed as a systems administrator for many years and having 
> seen many a box cracked, my oppinion is that every little bit helps. The 
> kernel is currently not a hard target and everything we can do to harden 
> it is a good thing (within reason of course).
> 
> Why not just do both randomization and 0400 as a start? We can always 
> harden further later.

I agree that there's no harm in these patches, and they might make it
(only) slightly harder in some cases, so yes, we might as well.  I just
don't want to trick anyone into a false sense of security by thinking
that these measures by themselves are doing anything especially
substantial to prevent heap exploits.  But as you say, it's a start.

Another hardening measure that's been mentioned before is validating the
address of each to-be-returned pointer during allocation, to avoid
attacks that rely on corrupting free list pointers (i.e. compare against
TASK_SIZE).  But then we're talking about introducing additional
overhead into every single kmalloc() call.

-Dan

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/