forked from opntr/pax-docs-mirror
-
Notifications
You must be signed in to change notification settings - Fork 1
/
randkstack.txt
73 lines (63 loc) · 4.41 KB
/
randkstack.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
1. Design
The goal of RANDKSTACK is to introduce randomness into the kernel stack
addresses of a task.
Linux assigns two pages of kernel stack to every task. This stack is used
whenever the task enters the kernel (system call, device interrupt, CPU
exception, etc). Note that once the task is executing in kernel land,
further kernel (re)entry events (device interrupts or CPU exceptions can
occur at almost any time) will not cause a stack switch.
By the time the task returns to userland, the kernel land stack pointer
will be at the point of the initial entry to the kernel (this also means
that signals are not delivered to the task until it is ready to return to
userland, that is signals are asynchronous notifications from the userland
point of view, not from the kernel's).
This behaviour means that a userland originating attack against a kernel
bug would find itself always at the same place on the task's kernel stack
therefore we will introduce randomization into the initial value of the
task's kernel stack pointer. There is another interesting consequence in
that we can not only introduce but also change the randomization at each
userland/kernel transition (compare this to RANDUSTACK where the userland
stack pointer is randomized only once at the very beginning of the task's
life therefore it is vulnerable to information leaking attacks). In the
current implementation we opted for changing the randomization at every
system call since that is the most likely method of kernel entry during
an attack. Note that while per system call randomization prevents making
use of leaked information about the randomization in a given task, it does
not help with attacks where more than one task is involved (where one task
may be able to learn the randomization of another and then communicate it
to the other without having to enter the kernel).
2. Implementation
RANDKSTACK randomizes every task's kernel stack pointer before returning
from a system call to userland. The i386 specific system call entry point
is in arch/i386/kernel/entry.S and this is where PaX adds a call to the
kernel stack pointer randomization function pax_randomize_kstack() found
in arch/i386/kernel/process.c. The code in entry.S needs to duplicate some
code found at the ret_from_sys_call label because this code can be reached
from different paths (e.g., exception handlers) where we do not want to
apply randomization. Note also that if the task is being debugged (via
the ptrace() interface) then new randomization is not applied.
pax_randomize_kstack() gathers entropy from the rdtsc instruction (read
time stamp counter) and applies it to bits 2-6 of the kernel stack pointer.
This means that 5 bits are randomized providing a maximum shift of 128
bytes - this was deemed safe enough to not cause kernel stack overflows
yet give enough randomness to deter guessing/brute forcing attempts.
The use of rdtsc is justified by the facts that we need a quick entropy
source and that by the time a remote attacker would get to execute his
code to exploit a kernel bug, enough system calls would have been issued
by the attacked process to accumulate more than 5 bits of 'real' entropy
in the randomized bits (this is why xor is used to apply the rdtsc output).
Note that most likely due to its microarchitecture, the Intel P4 CPU seems
to always return the same value in the least significant bit of the time
stamp counter therefore we ignore it in kernels compiled for the P4.
The kernel stack pointer has to be modified at two places: tss->esp0 which
is the ring-0 stack pointer in the Task State Segment of the current CPU
(and is used to load esp on a ring transition, such as a system call), and
second, current->thread.esp0 which is used to reload tss->esp0 on a context
switch. There is one last subtlety: since the randomization is applied via
xor and the initial kernel stack pointer of a new task points just above
its assigned stack (and hence is a page aligned address), we would produce
esp values pointing above the assigned stack, therefore in copy_thread() we
initialize thread.esp0 to 4 bytes less than usual so that the randomization
will shift it within the assigned stack and not above. Since this solution
'wastes' a mere 4 bytes on the kernel stack, we saw no need to apply it
selectively to specific tasks only.