Re: [RFC v1] mm: SLAB freelist randomization

2016-04-07 Thread Kees Cook
On Thu, Apr 7, 2016 at 2:14 PM, Jesper Dangaard Brouer wrote: > > On Wed, 6 Apr 2016 14:45:30 -0700 Kees Cook wrote: > >> On Wed, Apr 6, 2016 at 12:35 PM, Thomas Garnier wrote: > [...] >> > re-used on slab creation for performance. >> >> I'd like to see some benchmark results for this so the

Re: [RFC v1] mm: SLAB freelist randomization

2016-04-07 Thread Jesper Dangaard Brouer
On Wed, 6 Apr 2016 14:45:30 -0700 Kees Cook wrote: > On Wed, Apr 6, 2016 at 12:35 PM, Thomas Garnier wrote: [...] > > re-used on slab creation for performance. > > I'd like to see some benchmark results for this so the Kconfig can > include the performance characteristics. I recommend using

Re: [kernel-hardening] Re: [RFC v1] mm: SLAB freelist randomization

2016-04-07 Thread Thomas Garnier
That's a use after free. The randomization of the freelist should not have much effect on that. I was going to quote this exploit that is applicable to SLAB as well: https://jon.oberheide.org/blog/2010/09/10/linux-kernel-can-slub-overflow Regards. Thomas On Thu, Apr 7, 2016 at 9:17 AM,

Re: [kernel-hardening] Re: [RFC v1] mm: SLAB freelist randomization

2016-04-07 Thread Yves-Alexis Perez
On mer., 2016-04-06 at 14:45 -0700, Kees Cook wrote: > > This security feature reduces the predictability of > > the kernel slab allocator against heap overflows. > > I would add "... rendering attacks much less stable." And if you can > find a specific example exploit that is foiled by this, I

Re: [RFC v1] mm: SLAB freelist randomization

2016-04-07 Thread Thomas Garnier
Thanks for the feedback Kees. I am preparing another RFC version. For the config, I plan on creating an equivalent option for SLUB. Both can benefit from randomizing their freelist order. Thomas On Wed, Apr 6, 2016 at 2:45 PM Kees Cook wrote: > > On Wed, Apr 6, 2016 at 12:35 PM, Thomas Garnier

Re: [RFC v1] mm: SLAB freelist randomization

2016-04-06 Thread Kees Cook
On Wed, Apr 6, 2016 at 12:35 PM, Thomas Garnier wrote: > Provide an optional config (CONFIG_FREELIST_RANDOM) to randomize the > SLAB freelist. It may be useful to describe _how_ it randomizes it (i.e. a high-level description of what needed changing). > This security feature reduces the

Re: [kernel-hardening] [RFC v1] mm: SLAB freelist randomization

2016-04-06 Thread Thomas Garnier
Yes, sorry about that. It will be in the next RFC or PATCH. On Wed, Apr 6, 2016 at 1:54 PM, Greg KH wrote: > On Wed, Apr 06, 2016 at 12:35:48PM -0700, Thomas Garnier wrote: >> Provide an optional config (CONFIG_FREELIST_RANDOM) to randomize the >> SLAB freelist. This security feature reduces the

Re: [kernel-hardening] [RFC v1] mm: SLAB freelist randomization

2016-04-06 Thread Greg KH
On Wed, Apr 06, 2016 at 12:35:48PM -0700, Thomas Garnier wrote: > Provide an optional config (CONFIG_FREELIST_RANDOM) to randomize the > SLAB freelist. This security feature reduces the predictability of > the kernel slab allocator against heap overflows. > > Randomized lists are pre-computed

[RFC v1] mm: SLAB freelist randomization

2016-04-06 Thread Thomas Garnier
Provide an optional config (CONFIG_FREELIST_RANDOM) to randomize the SLAB freelist. This security feature reduces the predictability of the kernel slab allocator against heap overflows. Randomized lists are pre-computed using a Fisher-Yates shuffle and re-used on slab creation for performance.
