On 13.06.2013 11:22, Andreas Färber wrote:
> Hi,
>
> On 13.06.2013 08:09, Peter Lieven wrote:
>> I was thinking if it would be a good idea to zeroize all memory
>> resources on system reset and madvise dontneed them afterwards.
>
> The current way of not zeroing memory has led to discovery of some
> firmware bugs that we wouldn't have found if QEMU defaulted to zeroing.

The memory is zero at the start due to the use of mmap. Maybe
we need to add an option to add an initialization value anyway
because I am unsure if PERTURB works with mmap?!

>> This would avoid system reset attacks in case the attacker
>> has only access to the console of a vServer but not on the physical host
>> and it would shrink RSS size of the vServer significantly.
>
> Apart from the guest issue Stefan brought up (so far by definition we do
> a hard reset, so guests cannot assume soft reset semantics, but we
> should keep our options open), would not zeroing while marking pages as
> unused be an option? E.g., -reset-memory=DEADBEEF or some other
> command-line-specifiable pattern, absence would mean current behavior.

This would overwrite all contents with 0xdeadbeaf avoiding information
leak, but it would unnecessarily keep the memory allocated. So what
about an option -mem-sanitize with an optional parameter to write
an initialization value.

option missing -> no change
-mem-sanitize -> zeroize and madv_dontneed
-mem-sanitize=deadbeaf -> fill memory with 0xdeadbeaf

Where is the right position to add this hook? qemu_system_reset()?

Peter

> Regards,
> Andreas
--
Kind regards
Peter Lieven
...........................................................
KAMP Netzwerkdienste GmbH
Vestische Str. 89-91 | 46117 Oberhausen
Tel: +49 (0) 208.89 402-50 | Fax: +49 (0) 208.89 402-40
p...@kamp.de | http://www.kamp.de
Managing directors: Heiner Lante | Michael Lante
Duisburg District Court | HRB No. 12154
VAT ID No.: DE 120607556
...........................................................