Difference between revisions of "Kernel Self Protection Project"

From Linux Kernel Security Subsystem
Jump to navigation Jump to search
(Replaced content with "This wiki has moved to the [https://kspp.github.io/ KSPP project page]")
Tag: Replaced
 
(67 intermediate revisions by 3 users not shown)
Line 1: Line 1:
= Mission Statement =
This wiki has moved to the [https://kspp.github.io/ KSPP project page]
 
This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].
 
These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.
 
= Principles =
A short list of things to keep in mind when designing self-protection features:
 
* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will be more than finding bugs. Should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).
 
= Get Involved =
 
Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, a documentation writers.
 
= Work Areas =
 
While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:
 
== [[Bug Classes]] ==
 
* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]
 
== [[Exploit Methods|Exploitation Methods]] ==
 
* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]
 
= Specific TODO Items =
 
Besides the general work outlined above, there are number of specific tasks that have either been asked about frequently or are otherwise in need some time and attention:
 
* Implement kernel relocation and KASLR for ARM
* Implement PAN emulation on arm64 for ARMv8.0 hardware (pre-8.0 emulates using Domains, 8.1 and later use hardware PAN)
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name
* Make CONFIG_DEBUG_RODATA mandatory on arm64
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write drivers/misc/lkdtm.c tests for PAX_USERCOPY
* Write lib/test_bpf.c tests for eBPF constant blinding

Latest revision as of 20:08, 4 July 2024

This wiki has moved to the KSPP project page