Difference between revisions of "Kernel Self Protection Project/Work"

From Linux Kernel Security Subsystem
Changes made by the revision of 22:25, 31 October 2018 relative to the previous revision (- marks a removed line, + an added line; unmarked lines are unchanged context):

Line 32: Line 32:
  * Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
  * Make CONFIG_STRICT_KERNEL_RWX and CONFIG_STRICT_MODULE_RWX mandatory (done for arm64 and x86, other archs still need it)
- * Convert remaining BPF JITs to eBPF JIT (with blinding) (In progress: arm)
  * Write lib/test_bpf.c tests for eBPF constant blinding
  * Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
- * Extend HARDENED_USERCOPY to use slab whitelisting (in progress)
  * Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()svmalloc stack guard pages (in progress)
+ * split short-lived kmalloc()s from long-lived kmalloc()s
+ * split user-size-controlled kmalloc()s from regular kmalloc()s
  * protect ARM vector table as fixed-location kernel target
  * disable kuser helpers on arm

Line 42: Line 42:
  * add WARN path for page-spanning usercopy checks (instead of the separate CONFIG)
  * create UNEXPECTED(), like BUG() but without the lock-busting, etc
- * create defconfig "make" target for by-default hardened Kconfigs (using guidelines below)
+ * create defconfig "make" target for by-default hardened Kconfigs
  * provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register()
  * expand use of __ro_after_init, especially in arch/arm64
- * Add stack-frame walking to usercopy implementations (Done: x86. In progress: arm64. Needed on arm, others?)
  * restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) (In progress: [http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Timgad LSM])
+ * wire up LKDTM tests to kselftest
+ * set_memory_*() needs __must_check and/or atomicity
+ * refactor tasklets to avoid unsigned long argument
+ * have kfree() (and related) set the pointer to NULL too
+ * create per-task stack canary on arm and arm64

Revision as of 22:25, 31 October 2018

Work Areas

The Kernel Self Protection Project has a lot of work to do! While there are already a number of upstream kernel security features, we are still missing many. The following is far from a comprehensive list, but it's at least a starting point we can add to:

Bug Classes

Exploitation Methods

Specific TODO Items

Besides the general work outlined above, there are a number of specific tasks that have either been asked about frequently or are otherwise in need of some time and attention:

  • Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
  • Move kernel stack to vmap area (Done: x86, s390. Needed on arm, arm64, powerpc and others?)
  • Implement kernel relocation and KASLR for ARM
  • Write a plugin to clear struct padding
  • Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
  • Make CONFIG_STRICT_KERNEL_RWX and CONFIG_STRICT_MODULE_RWX mandatory (done for arm64 and x86, other archs still need it)
  • Write lib/test_bpf.c tests for eBPF constant blinding
  • Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
  • Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()svmalloc stack guard pages (in progress)
  • split short-lived kmalloc()s from long-lived kmalloc()s
  • split user-size-controlled kmalloc()s from regular kmalloc()s
  • protect ARM vector table as fixed-location kernel target
  • disable kuser helpers on arm
  • rename CONFIG_DEBUG_LIST better and default=y
  • add WARN path for page-spanning usercopy checks (instead of the separate CONFIG)
  • create UNEXPECTED(), like BUG() but without the lock-busting, etc
  • create defconfig "make" target for by-default hardened Kconfigs
  • provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register()
  • expand use of __ro_after_init, especially in arch/arm64
  • restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) (In progress: Timgad LSM, http://www.openwall.com/lists/kernel-hardening/2017/02/02/21)
  • wire up LKDTM tests to kselftest
  • set_memory_*() needs __must_check and/or atomicity
  • refactor tasklets to avoid unsigned long argument
  • have kfree() (and related) set the pointer to NULL too
  • create per-task stack canary on arm and arm64