Linux Kernel Security Subsystem - User contributions [en]

Kernel Protections/refcount t

2017-02-06T14:54:25Z

DavidWindsor: Minor language change in Reference Counting API

= Summary =

HARDENED_ATOMIC is a kernel self-protection mechanism that greatly helps with the prevention of [[Bug Classes/Use after free|use-after-free]] bugs. It is based off of work done by the [https://pax.grsecurity.net PaX Team], originally called [https://forums.grsecurity.net/viewtopic.php?f=7&t=4173 PAX_REFCOUNT].

= Reference Counting API =

HARDENED_ATOMIC introduces a new data type: <code>refcount_t</code>. This type is to be used for all kernel reference counters.

The following is the kernel reference counting API.

;'''<code>REFCOUNT_INIT(unsigned int)</code>'''
: Initialize a <code>refcount_t</code> object.

;'''<code>void refcount_set(refcount_t *, unsigned int)</code>'''
: Set a <code>refcount_t</code> object's internal value.

;'''<code>unsigned int refcount_read(refcount_t *)</code>'''
: Returns the <code>refcount_t</code> object's internal value.

;'''<code>bool refcount_add_not_zero(unsigned int v, refcount_t *r)</code>'''
: Add <code>v</code> to <code>r</code>. If <code>r + v</code> causes an overflow, the result of the addition operation is not saved to <code>r</code>. Returns <code>true</code> if the resulting value of <code>r</code> is non-zero, <code>false</code> otherwise.

;'''<code>void refcount_add(unsigned int v, refcount_t *r)</code>'''
: Adds <code>v</code> to <code>r</code> and stores the value in <code>r</code>.

;'''<code>bool refcount_inc_not_zero(refcount_t *r)</code>'''
: Increments <code>r</code> and tests whether <code>r + 1</code> causes an overflow. If an overflow does occur, the result of the increment operation is not saved to <code>r</code>. Will saturate at <code>UINT_MAX</code> and <code>WARN</code>. Returns <code>true</code> if the resulting value of <code>r</code> is non-zero, <code>false</code> otherwise.

;'''<code>void refcount_inc(refcount_t *r)</code>'''
: Increment <code>r</code>. Will saturate at <code>UINT_MAX</code> and <code>WARN</code>.

;'''<code>bool refcount_sub_and_test(unsigned int v, refcount_t *r)</code>'''
: Subtract <code>v</code> from <code>r</code> and tests whether <code>r - v</code> causes an underflow. If an underflow does occur, the result of the decrement operation is not saved to <code>r</code>. Will fail to decrement when saturated at <code>UINT_MAX</code>. Returns <code>true</code> if the resulting value of <code>r</code> is non-zero, <code>false</code> otherwise.

;'''<code>void refcount_dec(refcount_t *r)</code>'''
: Decrement <code>r</code>. If <code>r - 1</code> causes an underflow, the result of the decrement operation is not saved to <code>r</code>. Will fail to decrement when saturated at <code>UINT_MAX</code>.

;'''<code>bool refcount_dec_if_one(refcount_t *r)</code>'''
: Attempts to transition <code>r</code> from 1 to 0. If <code>r</code> is 1, decrement it to 0. Returns <code>true</code> if <code>r</code> was decremented, <code>false</code> otherwise.

;'''<code>bool refcount_dec_not_one(refcount_t *r)</code>'''
: Decrement <code>r</code> unless the value of <code>r</code> is 1. Returns <code>true</code> if <code>r</code> was decremented, </code>false</code> otherwise.

;'''<code>bool refcount_dec_and_mutex_lock(refcount_t *r, struct mutex *lock)</code>'''
: Decrement <code>r</code> and lock mutex if <code>r</code> becomes 0. Will <code>WARN</code> on underflow and fail to decrement if <code>r</code> is saturated at <code>UINT_MAX</code>. Returns <code>true</code> if <code>r</code> is 0 and mutex is held, <code>false</code> otherwise.

;'''<code>bool refcount_dec_and_lock(refcount_t *r, spinlock_t *s)</code>'''
: Decrement <code>r</code> and lock spinlock if <code>r</code> becomes 0. Will <code>WARN</code> on underflow and fail to decrement if <code>r</code> is saturated at <code>UINT_MAX</code>. Returns <code>true</code> if <code>r</code> is 0 and spinlock is held, <code>false</code> otherwise.

= Examples =

The following use case is an instance of correct usage of the <code>refcount_t</code> API. The object being counted is <code>struct super_block</code>, which represents a virtual filesystem superblock, an object containing a particular filesystem's metadata such as block size, the root inode, etc.

==== Member Definition ====

This is the definition of the reference counter field in the <code>struct super_block</code> object. If the object being counted is a structure, the reference counter is typically defined as a field of the counted structure, as we see in <code>struct super_block</code> below.

From <code>[http://lxr.free-electrons.com/source/include/linux/fs.h include/linux/fs.h]</code>:

<code>
struct super_block {
...
refcount_t s_active;
...
};
</code>

==== Object Initialization ====

When a counted object is created, its reference counter must be initialized to something sane, typically 1 (since, by virtue of being called in an "allocation" method, a user of the object already exists).

From <code>[http://lxr.free-electrons.com/source/fs/super.c fs/super.c]</code>:

<code>
static struct super_block *alloc_super(struct file_system_type *type, int flags, struct user_namespace *user_ns)
{
struct super_block *s = kzalloc(sizeof(struct super_block), GFP_USER);
...
refcount_set(&s->s_active, 1);
...
}
</code>

==== Getting a New Reference ====
This code is executed when a user wishes to obtain a new reference to a <code>struct super_block</code> object. The following code corresponds to the traditional reference counting "get" method.

From <code>[http://lxr.free-electrons.com/source/fs/super.c fs/super.c]</code>:

<code>
static int grab_super(struct super_block *s) __releases(sb_lock)
{
s->s_count++;
spin_unlock(&sb_lock);
down_write(&s->s_umount);
if ((s->s_flags & MS_BORN) && refcount_inc_not_zero(&s->s_active)) {
put_super(s);
return 1;
}
up_write(&s->s_umount);
put_super(s);
return 0;
}
</code>

==== Releasing an Existing Reference ====
This code is executed when a user currently holding a reference to a <code>struct super_block</code> object no longer needs the object and wants to release it. The following code corresponds to the traditional reference counting "put" method.

From <code>[http://lxr.free-electrons.com/source/fs/super.c fs/super.c]</code>:

<code>
void deactivate_locked_super(struct super_block *s) {
...
if (refcount_dec_and_test(&s->s_active)) {
...
put_super(s);
}
}

void deactivate_super(struct super_block *s)
{
if (!refcount_dec_not_one(&s->s_active)) {
down_write(&s->s_umount);nnNnnn
deactivate_locked_super(s);
}
}
</code>

Kernel Protections/refcount t

2017-02-06T14:53:47Z

DavidWindsor: Minor language change in Summary

= Summary =

HARDENED_ATOMIC is a kernel self-protection mechanism that greatly helps with the prevention of [[Bug Classes/Use after free|use-after-free]] bugs. It is based off of work done by the [https://pax.grsecurity.net PaX Team], originally called [https://forums.grsecurity.net/viewtopic.php?f=7&t=4173 PAX_REFCOUNT].

= Reference Counting API =

HARDENED_ATOMIC introduces a new data type: <code>refcount_t</code>. This type is to be used for all kernel reference counters.

The following is the kernel reference counting API. Please note that all operations are atomic, unless otherwise specified.

;'''<code>REFCOUNT_INIT(unsigned int)</code>'''
: Initialize a <code>refcount_t</code> object.

;'''<code>void refcount_set(refcount_t *, unsigned int)</code>'''
: Set a <code>refcount_t</code> object's internal value.

;'''<code>unsigned int refcount_read(refcount_t *)</code>'''
: Returns the <code>refcount_t</code> object's internal value.

;'''<code>bool refcount_add_not_zero(unsigned int v, refcount_t *r)</code>'''
: Add <code>v</code> to <code>r</code>. If <code>r + v</code> causes an overflow, the result of the addition operation is not saved to <code>r</code>. Returns <code>true</code> if the resulting value of <code>r</code> is non-zero, <code>false</code> otherwise.

;'''<code>void refcount_add(unsigned int v, refcount_t *r)</code>'''
: Adds <code>v</code> to <code>r</code> and stores the value in <code>r</code>.

;'''<code>bool refcount_inc_not_zero(refcount_t *r)</code>'''
: Increments <code>r</code> and tests whether <code>r + 1</code> causes an overflow. If an overflow does occur, the result of the increment operation is not saved to <code>r</code>. Will saturate at <code>UINT_MAX</code> and <code>WARN</code>. Returns <code>true</code> if the resulting value of <code>r</code> is non-zero, <code>false</code> otherwise.

;'''<code>void refcount_inc(refcount_t *r)</code>'''
: Increment <code>r</code>. Will saturate at <code>UINT_MAX</code> and <code>WARN</code>.

;'''<code>bool refcount_sub_and_test(unsigned int v, refcount_t *r)</code>'''
: Subtract <code>v</code> from <code>r</code> and tests whether <code>r - v</code> causes an underflow. If an underflow does occur, the result of the decrement operation is not saved to <code>r</code>. Will fail to decrement when saturated at <code>UINT_MAX</code>. Returns <code>true</code> if the resulting value of <code>r</code> is non-zero, <code>false</code> otherwise.

;'''<code>void refcount_dec(refcount_t *r)</code>'''
: Decrement <code>r</code>. If <code>r - 1</code> causes an underflow, the result of the decrement operation is not saved to <code>r</code>. Will fail to decrement when saturated at <code>UINT_MAX</code>.

;'''<code>bool refcount_dec_if_one(refcount_t *r)</code>'''
: Attempts to transition <code>r</code> from 1 to 0. If <code>r</code> is 1, decrement it to 0. Returns <code>true</code> if <code>r</code> was decremented, <code>false</code> otherwise.

;'''<code>bool refcount_dec_not_one(refcount_t *r)</code>'''
: Decrement <code>r</code> unless the value of <code>r</code> is 1. Returns <code>true</code> if <code>r</code> was decremented, </code>false</code> otherwise.

;'''<code>bool refcount_dec_and_mutex_lock(refcount_t *r, struct mutex *lock)</code>'''
: Decrement <code>r</code> and lock mutex if <code>r</code> becomes 0. Will <code>WARN</code> on underflow and fail to decrement if <code>r</code> is saturated at <code>UINT_MAX</code>. Returns <code>true</code> if <code>r</code> is 0 and mutex is held, <code>false</code> otherwise.

;'''<code>bool refcount_dec_and_lock(refcount_t *r, spinlock_t *s)</code>'''
: Decrement <code>r</code> and lock spinlock if <code>r</code> becomes 0. Will <code>WARN</code> on underflow and fail to decrement if <code>r</code> is saturated at <code>UINT_MAX</code>. Returns <code>true</code> if <code>r</code> is 0 and spinlock is held, <code>false</code> otherwise.

= Examples =

The following use case is an instance of correct usage of the <code>refcount_t</code> API. The object being counted is <code>struct super_block</code>, which represents a virtual filesystem superblock, an object containing a particular filesystem's metadata such as block size, the root inode, etc.

==== Member Definition ====

This is the definition of the reference counter field in the <code>struct super_block</code> object. If the object being counted is a structure, the reference counter is typically defined as a field of the counted structure, as we see in <code>struct super_block</code> below.

From <code>[http://lxr.free-electrons.com/source/include/linux/fs.h include/linux/fs.h]</code>:

<code>
struct super_block {
...
refcount_t s_active;
...
};
</code>

==== Object Initialization ====

When a counted object is created, its reference counter must be initialized to something sane, typically 1 (since, by virtue of being called in an "allocation" method, a user of the object already exists).

From <code>[http://lxr.free-electrons.com/source/fs/super.c fs/super.c]</code>:

<code>
static struct super_block *alloc_super(struct file_system_type *type, int flags, struct user_namespace *user_ns)
{
struct super_block *s = kzalloc(sizeof(struct super_block), GFP_USER);
...
refcount_set(&s->s_active, 1);
...
}
</code>

==== Getting a New Reference ====
This code is executed when a user wishes to obtain a new reference to a <code>struct super_block</code> object. The following code corresponds to the traditional reference counting "get" method.

From <code>[http://lxr.free-electrons.com/source/fs/super.c fs/super.c]</code>:

<code>
static int grab_super(struct super_block *s) __releases(sb_lock)
{
s->s_count++;
spin_unlock(&sb_lock);
down_write(&s->s_umount);
if ((s->s_flags & MS_BORN) && refcount_inc_not_zero(&s->s_active)) {
put_super(s);
return 1;
}
up_write(&s->s_umount);
put_super(s);
return 0;
}
</code>

==== Releasing an Existing Reference ====
This code is executed when a user currently holding a reference to a <code>struct super_block</code> object no longer needs the object and wants to release it. The following code corresponds to the traditional reference counting "put" method.

From <code>[http://lxr.free-electrons.com/source/fs/super.c fs/super.c]</code>:

<code>
void deactivate_locked_super(struct super_block *s) {
...
if (refcount_dec_and_test(&s->s_active)) {
...
put_super(s);
}
}

void deactivate_super(struct super_block *s)
{
if (!refcount_dec_not_one(&s->s_active)) {
down_write(&s->s_umount);nnNnnn
deactivate_locked_super(s);
}
}
</code>

Kernel Protections/refcount t

2017-02-06T14:45:47Z

DavidWindsor: Add Examples section

= Summary =

HARDENED_ATOMIC is a kernel self-protection mechanism that greatly helps with the mitigation of [[Bug Classes/Use after free|use-after-free]] bugs. It is based off of work done by the [https://pax.grsecurity.net PaX Team], originally called [https://forums.grsecurity.net/viewtopic.php?f=7&t=4173 PAX_REFCOUNT].

= Reference Counting API =

HARDENED_ATOMIC introduces a new data type: <code>refcount_t</code>. This type is to be used for all kernel reference counters.

The following is the kernel reference counting API. Please note that all operations are atomic, unless otherwise specified.

;'''<code>REFCOUNT_INIT(unsigned int)</code>'''
: Initialize a <code>refcount_t</code> object.

;'''<code>void refcount_set(refcount_t *, unsigned int)</code>'''
: Set a <code>refcount_t</code> object's internal value.

;'''<code>unsigned int refcount_read(refcount_t *)</code>'''
: Returns the <code>refcount_t</code> object's internal value.

;'''<code>bool refcount_add_not_zero(unsigned int v, refcount_t *r)</code>'''
: Add <code>v</code> to <code>r</code>. If <code>r + v</code> causes an overflow, the result of the addition operation is not saved to <code>r</code>. Returns <code>true</code> if the resulting value of <code>r</code> is non-zero, <code>false</code> otherwise.

;'''<code>void refcount_add(unsigned int v, refcount_t *r)</code>'''
: Adds <code>v</code> to <code>r</code> and stores the value in <code>r</code>.

;'''<code>bool refcount_inc_not_zero(refcount_t *r)</code>'''
: Increments <code>r</code> and tests whether <code>r + 1</code> causes an overflow. If an overflow does occur, the result of the increment operation is not saved to <code>r</code>. Will saturate at <code>UINT_MAX</code> and <code>WARN</code>. Returns <code>true</code> if the resulting value of <code>r</code> is non-zero, <code>false</code> otherwise.

;'''<code>void refcount_inc(refcount_t *r)</code>'''
: Increment <code>r</code>. Will saturate at <code>UINT_MAX</code> and <code>WARN</code>.

;'''<code>bool refcount_sub_and_test(unsigned int v, refcount_t *r)</code>'''
: Subtract <code>v</code> from <code>r</code> and tests whether <code>r - v</code> causes an underflow. If an underflow does occur, the result of the decrement operation is not saved to <code>r</code>. Will fail to decrement when saturated at <code>UINT_MAX</code>. Returns <code>true</code> if the resulting value of <code>r</code> is non-zero, <code>false</code> otherwise.

;'''<code>void refcount_dec(refcount_t *r)</code>'''
: Decrement <code>r</code>. If <code>r - 1</code> causes an underflow, the result of the decrement operation is not saved to <code>r</code>. Will fail to decrement when saturated at <code>UINT_MAX</code>.

;'''<code>bool refcount_dec_if_one(refcount_t *r)</code>'''
: Attempts to transition <code>r</code> from 1 to 0. If <code>r</code> is 1, decrement it to 0. Returns <code>true</code> if <code>r</code> was decremented, <code>false</code> otherwise.

;'''<code>bool refcount_dec_not_one(refcount_t *r)</code>'''
: Decrement <code>r</code> unless the value of <code>r</code> is 1. Returns <code>true</code> if <code>r</code> was decremented, </code>false</code> otherwise.

;'''<code>bool refcount_dec_and_mutex_lock(refcount_t *r, struct mutex *lock)</code>'''
: Decrement <code>r</code> and lock mutex if <code>r</code> becomes 0. Will <code>WARN</code> on underflow and fail to decrement if <code>r</code> is saturated at <code>UINT_MAX</code>. Returns <code>true</code> if <code>r</code> is 0 and mutex is held, <code>false</code> otherwise.

;'''<code>bool refcount_dec_and_lock(refcount_t *r, spinlock_t *s)</code>'''
: Decrement <code>r</code> and lock spinlock if <code>r</code> becomes 0. Will <code>WARN</code> on underflow and fail to decrement if <code>r</code> is saturated at <code>UINT_MAX</code>. Returns <code>true</code> if <code>r</code> is 0 and spinlock is held, <code>false</code> otherwise.

= Examples =

The following use case is an instance of correct usage of the <code>refcount_t</code> API. The object being counted is <code>struct super_block</code>, which represents a virtual filesystem superblock, an object containing a particular filesystem's metadata such as block size, the root inode, etc.

==== Member Definition ====

This is the definition of the reference counter field in the <code>struct super_block</code> object. If the object being counted is a structure, the reference counter is typically defined as a field of the counted structure, as we see in <code>struct super_block</code> below.

From <code>[http://lxr.free-electrons.com/source/include/linux/fs.h include/linux/fs.h]</code>:

<code>
struct super_block {
...
refcount_t s_active;
...
};
</code>

==== Object Initialization ====

When a counted object is created, its reference counter must be initialized to something sane, typically 1 (since, by virtue of being called in an "allocation" method, a user of the object already exists).

From <code>[http://lxr.free-electrons.com/source/fs/super.c fs/super.c]</code>:

<code>
static struct super_block *alloc_super(struct file_system_type *type, int flags, struct user_namespace *user_ns)
{
struct super_block *s = kzalloc(sizeof(struct super_block), GFP_USER);
...
refcount_set(&s->s_active, 1);
...
}
</code>

==== Getting a New Reference ====
This code is executed when a user wishes to obtain a new reference to a <code>struct super_block</code> object. The following code corresponds to the traditional reference counting "get" method.

From <code>[http://lxr.free-electrons.com/source/fs/super.c fs/super.c]</code>:

<code>
static int grab_super(struct super_block *s) __releases(sb_lock)
{
s->s_count++;
spin_unlock(&sb_lock);
down_write(&s->s_umount);
if ((s->s_flags & MS_BORN) && refcount_inc_not_zero(&s->s_active)) {
put_super(s);
return 1;
}
up_write(&s->s_umount);
put_super(s);
return 0;
}
</code>

==== Releasing an Existing Reference ====
This code is executed when a user currently holding a reference to a <code>struct super_block</code> object no longer needs the object and wants to release it. The following code corresponds to the traditional reference counting "put" method.

From <code>[http://lxr.free-electrons.com/source/fs/super.c fs/super.c]</code>:

<code>
void deactivate_locked_super(struct super_block *s) {
...
if (refcount_dec_and_test(&s->s_active)) {
...
put_super(s);
}
}

void deactivate_super(struct super_block *s)
{
if (!refcount_dec_not_one(&s->s_active)) {
down_write(&s->s_umount);nnNnnn
deactivate_locked_super(s);
}
}
</code>

Kernel Protections/refcount t

2017-02-06T12:19:19Z

DavidWindsor: Change <tt> tags to <code>

Kernel Protections/refcount t

2017-02-04T11:20:47Z

DavidWindsor: Minor language change in Reference Counting API

Kernel Protections/refcount t

2017-02-04T11:19:13Z

DavidWindsor: Minor language change in Summary

Kernel Self Protection Project

2017-02-04T06:44:15Z

DavidWindsor: Fix link to HARDENED_ATOMIC

= Mission Statement =

This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =
A short list of things to keep in mind when designing self-protection features:

* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will be more than finding bugs. Should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =

Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, a documentation writers.

= Work Areas =

While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==

* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==

* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Completed Kernel Protections =

The following kernel protections have been already been accepted into the mainline Linux kernel, or are in some stage of development.

==== [[Kernel_Protections/HARDENED_ATOMIC|HARDENED_ATOMIC]] ====
: Kernel reference counter overflow protection

= Specific TODO Items =

Besides the general work outlined above, there are number of specific tasks that have either been asked about frequently or are otherwise in need some time and attention:

* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, arm64, s390. Needed on powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name (in progress)
* Make CONFIG_DEBUG_RODATA mandatory (done for arm64 and x86, other archs still need it)
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Identify and extend HARDENED_USERCOPY to other usercopy functions (e.g. maybe csum_partial_copy_from_user, csum_and_copy_from_user, csum_and_copy_to_user, csum_partial_copy_nocheck?)
* Extend HARDENED_USERCOPY to use slab whitelisting
* Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()svmalloc stack guard pages
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* harden and rename CONFIG_DEBUG_LIST better and default=y
* add zeroing of copy_from_user on failure test to test_usercopy.c
* consolidate all architecture's use of usercopy into asm-generic/uaccess.h
* add WARN path for page-spanning usercopy checks (instead of the separate CONFIG)
* create UNEXPECTED(), like BUG() but without the lock-busting, etc
* adjust usercopy CONFIG to be !DEVKMEM && STRICT_DEVMEM=y (PROC_KCORE is incompat with usercopy too)
* provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register()
* expand use of __ro_after_init, especially in arch/arm64
* Add stack-frame walking to usercopy implementations (Done: x86. In progress: arm64. Needed on arm, others?)

= Recommended settings =

People ask from time to time what a good security set of build CONFIGs and runtime sysctl are. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==

# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y

# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y
CONFIG_DEBUG_RODATA=y

# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
CONFIG_CC_STACKPROTECTOR=y
CONFIG_CC_STACKPROTECTOR_STRONG=y

# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y

# Provides some protections against SYN flooding.
CONFIG_SYN_COOKIES=y

# Perform additional validation of various commonly targetted structures.
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_BUG_ON_DATA_CORRUPTION=y

# Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y

# Provide userspace with ptrace ancestry protections.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y

# Perform usercopy bounds checking.
CONFIG_HARDENED_USERCOPY=y

# Randomize allocator freelists.
CONFIG_SLAB_FREELIST_RANDOM=y

# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y

# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y

# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set

# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set

# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set

# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set

# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set

# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_HIBERNATION is not set

# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
# CONFIG_INET_DIAG is not set

# Easily confused by misconfigured userspace, keep off.
# CONFIG_BINFMT_MISC is not set

# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set

# Reboot devices immediately if kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1

# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set

# But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key.
CONFIG_DEBUG_SET_MODULE_RONX=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

=== x86_32 ===

# On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y

# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536

# Randomize position of kernel.
CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===

# Full 64-bit means PAE and NX bit.
CONFIG_X86_64=y

# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536

# Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y

# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
CONFIG_LEGACY_VSYSCALL_NONE=y

# Remove additional attack surface, unless you really need them.
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set

=== arm ===

# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768

# For maximal userspace memory area (and maximum ASLR).
CONFIG_VMSPLIT_3G=y

# If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA.
CONFIG_STRICT_MEMORY_RWX=y

# Make sure PXN/PAN emulation is enabled.
CONFIG_CPU_SW_DOMAIN_PAN=y

# Dangerous; old interfaces and needless additional attack surface.
# CONFIG_OABI_COMPAT is unset

=== arm64 ===

# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768

# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
CONFIG_RANDOMIZE_BASE=y

== kernel command line options ==

# Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
slub_debug=P

# Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
page_poison=1

=== x86_64 ===

# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
vsyscall=none

== sysctls ==

# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
kernel.kptr_restrict = 1

# Avoid kernel memory address exposures via dmesg.
kernel.dmesg_restrict = 1

# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
kernel.perf_event_paranoid = 3

# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled = 1

# Avoid non-ancestor ptrace access to running processes and their credentials.
kernel.yama.ptrace_scope = 1

Kernel Protections/refcount t

2017-02-04T06:42:17Z

DavidWindsor: Add refcount_t API

= Summary =

HARDENED_ATOMIC is a kernel self-protection feature that greatly helps with the mitigation of [[Bug Classes/Use after free|use-after-free]] bugs. It is based off of work done by the [https://pax.grsecurity.net PaX Team], originally called [https://forums.grsecurity.net/viewtopic.php?f=7&t=4173 PAX_REFCOUNT].

= Reference Counting API =

HARDENED_ATOMIC introduces a new data type: <tt>refcount_t</tt>. This type is to be used for all kernel reference counters.

The following operations are the kernel reference counting API. Please note that all operations are atomic, unless otherwise specified.

;'''<tt>REFCOUNT_INIT(unsigned int)</tt>'''
: Initialize a <tt>refcount_t</tt> object.

;'''<tt>void refcount_set(refcount_t *, unsigned int)</tt>'''
: Set a <tt>refcount_t</tt> object's internal value.

;'''<tt>unsigned int refcount_read(refcount_t *)</tt>'''
: Returns the <tt>refcount_t</tt> object's internal value.

;'''<tt>bool refcount_add_not_zero(unsigned int v, refcount_t *r)</tt>'''
: Add <tt>v</tt> to <tt>r</tt>. If <tt>r + v</tt> causes an overflow, the result of the addition operation is not saved to <tt>r</tt>. Returns <tt>true</tt> if the resulting value of <tt>r</tt> is non-zero, <tt>false</tt> otherwise.

;'''<tt>void refcount_add(unsigned int v, refcount_t *r)</tt>'''
: Adds <tt>v</tt> to <tt>r</tt> and stores the value in <tt>r</tt>.

;'''<tt>bool refcount_inc_not_zero(refcount_t *r)</tt>'''
: Increments <tt>r</tt> and tests whether <tt>r + 1</tt> causes an overflow. If an overflow does occur, the result of the increment operation is not saved to <tt>r</tt>. Will saturate at <tt>UINT_MAX</tt> and <tt>WARN</tt>. Returns <tt>true</tt> if the resulting value of <tt>r</tt> is non-zero, <tt>false</tt> otherwise.

;'''<tt>void refcount_inc(refcount_t *r)</tt>'''
: Increment <tt>r</tt>. Will saturate at <tt>UINT_MAX</tt> and <tt>WARN</tt>.

;'''<tt>bool refcount_sub_and_test(unsigned int v, refcount_t *r)</tt>'''
: Subtract <tt>v</tt> from <tt>r</tt> and tests whether <tt>r - v</tt> causes an underflow. If an underflow does occur, the result of the decrement operation is not saved to <tt>r</tt>. Will fail to decrement when saturated at <tt>UINT_MAX</tt>. Returns <tt>true</tt> if the resulting value of <tt>r</tt> is non-zero, <tt>false</tt> otherwise.

;'''<tt>void refcount_dec(refcount_t *r)</tt>'''
: Decrement <tt>r</tt>. If <tt>r - 1</tt> causes an underflow, the result of the decrement operation is not saved to <tt>r</tt>. Will fail to decrement when saturated at <tt>UINT_MAX</tt>.

;'''<tt>bool refcount_dec_if_one(refcount_t *r)</tt>'''
: Attempts to transition <tt>r</tt> from 1 to 0. If <tt>r</tt> is 1, decrement it to 0. Returns <tt>true</tt> if <tt>r</tt> was decremented, <tt>false</tt> otherwise.

;'''<tt>bool refcount_dec_not_one(refcount_t *r)</tt>'''
: Decrement <tt>r</tt> unless the value of <tt>r</tt> is 1. Returns <tt>true</tt> if <tt>r</tt> was decremented, </tt>false</tt> otherwise.

;'''<tt>bool refcount_dec_and_mutex_lock(refcount_t *r, struct mutex *lock)</tt>'''
: Decrement <tt>r</tt> and lock mutex if <tt>r</tt> becomes 0. Will <tt>WARN</tt> on underflow and fail to decrement if <tt>r</tt> is saturated at <tt>UINT_MAX</tt>. Returns <tt>true</tt> if <tt>r</tt> is 0 and mutex is held, <tt>false</tt> otherwise.

;'''<tt>bool refcount_dec_and_lock(refcount_t *r, spinlock_t *s)</tt>'''
: Decrement <tt>r</tt> and lock spinlock if <tt>r</tt> becomes 0. Will <tt>WARN</tt> on underflow and fail to decrement if <tt>r</tt> is saturated at <tt>UINT_MAX</tt>. Returns <tt>true</tt> if <tt>r</tt> is 0 and spinlock is held, <tt>false</tt> otherwise.

Kernel Self Protection Project

2017-02-04T05:38:25Z

DavidWindsor: Adjust linked page name to be consistent with existing naming scheme

= Mission Statement =

This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =
A short list of things to keep in mind when designing self-protection features:

* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will be more than finding bugs. Should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =

Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, a documentation writers.

= Work Areas =

While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==

* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==

* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Completed Kernel Protections =

The following kernel protections have been already been accepted into the mainline Linux kernel, or are in some stage of development.

==== [[Kernel_Protections/HARDENED_ATOMC|HARDENED_ATOMIC]] ====
: Kernel reference counter overflow protection

= Specific TODO Items =

Besides the general work outlined above, there are number of specific tasks that have either been asked about frequently or are otherwise in need some time and attention:

* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, arm64, s390. Needed on powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name (in progress)
* Make CONFIG_DEBUG_RODATA mandatory (done for arm64 and x86, other archs still need it)
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Identify and extend HARDENED_USERCOPY to other usercopy functions (e.g. maybe csum_partial_copy_from_user, csum_and_copy_from_user, csum_and_copy_to_user, csum_partial_copy_nocheck?)
* Extend HARDENED_USERCOPY to use slab whitelisting
* Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()svmalloc stack guard pages
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* harden and rename CONFIG_DEBUG_LIST better and default=y
* add zeroing of copy_from_user on failure test to test_usercopy.c
* consolidate all architecture's use of usercopy into asm-generic/uaccess.h
* add WARN path for page-spanning usercopy checks (instead of the separate CONFIG)
* create UNEXPECTED(), like BUG() but without the lock-busting, etc
* adjust usercopy CONFIG to be !DEVKMEM && STRICT_DEVMEM=y (PROC_KCORE is incompat with usercopy too)
* provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register()
* expand use of __ro_after_init, especially in arch/arm64
* Add stack-frame walking to usercopy implementations (Done: x86. In progress: arm64. Needed on arm, others?)

= Recommended settings =

People ask from time to time what a good security set of build CONFIGs and runtime sysctl are. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==

# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y

# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y
CONFIG_DEBUG_RODATA=y

# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
CONFIG_CC_STACKPROTECTOR=y
CONFIG_CC_STACKPROTECTOR_STRONG=y

# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y

# Provides some protections against SYN flooding.
CONFIG_SYN_COOKIES=y

# Perform additional validation of various commonly targetted structures.
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_BUG_ON_DATA_CORRUPTION=y

# Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y

# Provide userspace with ptrace ancestry protections.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y

# Perform usercopy bounds checking.
CONFIG_HARDENED_USERCOPY=y

# Randomize allocator freelists.
CONFIG_SLAB_FREELIST_RANDOM=y

# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y

# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y

# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set

# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set

# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set

# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set

# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set

# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_HIBERNATION is not set

# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
# CONFIG_INET_DIAG is not set

# Easily confused by misconfigured userspace, keep off.
# CONFIG_BINFMT_MISC is not set

# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set

# Reboot devices immediately if kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1

# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set

# But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key.
CONFIG_DEBUG_SET_MODULE_RONX=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

=== x86_32 ===

# On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y

# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536

# Randomize position of kernel.
CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===

# Full 64-bit means PAE and NX bit.
CONFIG_X86_64=y

# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536

# Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y

# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
CONFIG_LEGACY_VSYSCALL_NONE=y

# Remove additional attack surface, unless you really need them.
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set

=== arm ===

# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768

# For maximal userspace memory area (and maximum ASLR).
CONFIG_VMSPLIT_3G=y

# If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA.
CONFIG_STRICT_MEMORY_RWX=y

# Make sure PXN/PAN emulation is enabled.
CONFIG_CPU_SW_DOMAIN_PAN=y

# Dangerous; old interfaces and needless additional attack surface.
# CONFIG_OABI_COMPAT is unset

=== arm64 ===

# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768

# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
CONFIG_RANDOMIZE_BASE=y

== kernel command line options ==

# Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
slub_debug=P

# Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
page_poison=1

=== x86_64 ===

# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
vsyscall=none

== sysctls ==

# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
kernel.kptr_restrict = 1

# Avoid kernel memory address exposures via dmesg.
kernel.dmesg_restrict = 1

# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
kernel.perf_event_paranoid = 3

# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled = 1

# Avoid non-ancestor ptrace access to running processes and their credentials.
kernel.yama.ptrace_scope = 1

Kernel Self Protection Project

2017-02-04T05:34:45Z

DavidWindsor: Create sections for Completed Kernel Protections and HARDENED_ATOMIC subsection

= Mission Statement =

This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].

These kinds of protections have existed for years in [https://pax.grsecurity.net/ PaX], [https://grsecurity.net/features.php grsecurity], and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.

= Principles =
A short list of things to keep in mind when designing self-protection features:

* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.
* Features will be more than finding bugs. Should be active at run-time to catch previously unknown flaws.
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).

= Get Involved =

Want to get involved? [http://www.openwall.com/lists/#subscribe Join] the [http://www.openwall.com/lists/kernel-hardening/ kernel hardening mailing list] and introduce yourself. Then pick an area of work from below (or add a new one), coordinate on the mailing list, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [http://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, a documentation writers.

= Work Areas =

While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. While the following is far from a comprehensive list, it's at least a starting point we can add to:

== [[Bug Classes]] ==

* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==

* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Completed Kernel Protections =

The following kernel protections have been already been accepted into the mainline Linux kernel, or are in some stage of development.

==== [[Protections/HARDENED_ATOMC|HARDENED_ATOMIC]] ====
: Kernel reference counter overflow protection

= Specific TODO Items =

Besides the general work outlined above, there are number of specific tasks that have either been asked about frequently or are otherwise in need some time and attention:

* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, arm64, s390. Needed on powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Write a plugin to clear struct padding
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Reorganize and rename CONFIG_DEBUG_RODATA (and related options) to something without "DEBUG" in the name (in progress)
* Make CONFIG_DEBUG_RODATA mandatory (done for arm64 and x86, other archs still need it)
* Convert remaining BPF JITs to eBPF JIT (with blinding)
* Write lib/test_bpf.c tests for eBPF constant blinding
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Identify and extend HARDENED_USERCOPY to other usercopy functions (e.g. maybe csum_partial_copy_from_user, csum_and_copy_from_user, csum_and_copy_to_user, csum_partial_copy_nocheck?)
* Extend HARDENED_USERCOPY to use slab whitelisting
* Extend HARDENED_USERCOPY to split user-facing malloc()s and in-kernel malloc()svmalloc stack guard pages
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* harden and rename CONFIG_DEBUG_LIST better and default=y
* add zeroing of copy_from_user on failure test to test_usercopy.c
* consolidate all architecture's use of usercopy into asm-generic/uaccess.h
* add WARN path for page-spanning usercopy checks (instead of the separate CONFIG)
* create UNEXPECTED(), like BUG() but without the lock-busting, etc
* adjust usercopy CONFIG to be !DEVKMEM && STRICT_DEVMEM=y (PROC_KCORE is incompat with usercopy too)
* provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register()
* expand use of __ro_after_init, especially in arch/arm64
* Add stack-frame walking to usercopy implementations (Done: x86. In progress: arm64. Needed on arm, others?)

= Recommended settings =

People ask from time to time what a good security set of build CONFIGs and runtime sysctl are. This is a brain-dump of the various options for a particularly paranoid system.

== CONFIGs ==

# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y

# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y
CONFIG_DEBUG_RODATA=y

# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
CONFIG_CC_STACKPROTECTOR=y
CONFIG_CC_STACKPROTECTOR_STRONG=y

# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y

# Provides some protections against SYN flooding.
CONFIG_SYN_COOKIES=y

# Perform additional validation of various commonly targetted structures.
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_BUG_ON_DATA_CORRUPTION=y

# Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y

# Provide userspace with ptrace ancestry protections.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y

# Perform usercopy bounds checking.
CONFIG_HARDENED_USERCOPY=y

# Randomize allocator freelists.
CONFIG_SLAB_FREELIST_RANDOM=y

# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y

# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y

# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set

# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set

# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set

# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set

# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set

# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_HIBERNATION is not set

# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
# CONFIG_INET_DIAG is not set

# Easily confused by misconfigured userspace, keep off.
# CONFIG_BINFMT_MISC is not set

# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set

# Reboot devices immediately if kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1

# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set

# But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key.
CONFIG_DEBUG_SET_MODULE_RONX=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

=== x86_32 ===

# On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y

# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536

# Randomize position of kernel.
CONFIG_RANDOMIZE_BASE=y

=== x86_64 ===

# Full 64-bit means PAE and NX bit.
CONFIG_X86_64=y

# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536

# Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y

# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
CONFIG_LEGACY_VSYSCALL_NONE=y

# Remove additional attack surface, unless you really need them.
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set

=== arm ===

# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768

# For maximal userspace memory area (and maximum ASLR).
CONFIG_VMSPLIT_3G=y

# If building an out-of-tree Qualcomm kernel, this is similar to CONFIG_DEBUG_RODATA.
CONFIG_STRICT_MEMORY_RWX=y

# Make sure PXN/PAN emulation is enabled.
CONFIG_CPU_SW_DOMAIN_PAN=y

# Dangerous; old interfaces and needless additional attack surface.
# CONFIG_OABI_COMPAT is unset

=== arm64 ===

# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768

# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
CONFIG_RANDOMIZE_BASE=y

== kernel command line options ==

# Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).
slub_debug=P

# Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).
page_poison=1

=== x86_64 ===

# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)
vsyscall=none

== sysctls ==

# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
kernel.kptr_restrict = 1

# Avoid kernel memory address exposures via dmesg.
kernel.dmesg_restrict = 1

# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")
kernel.perf_event_paranoid = 3

# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled = 1

# Avoid non-ancestor ptrace access to running processes and their credentials.
kernel.yama.ptrace_scope = 1

Bug Classes/Use after free

2017-02-04T05:14:40Z

DavidWindsor: Add reference counter overflow protection to Mitigations

= Details =
When a memory allocation gets freed but there are still accidentally users of that memory, it is possible that an attacker could control the new memory allocation that fills the freed area, and then manipulate the contents in a way that the system uses its stale pointer and expects a different structure than is currently present. If there are function pointers contained in the structure, this allows for trivial execution control.

= Examples =

* [http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/ keyring use-after-free]

= Mitigations =

* clearing memory on free can stop attacks where there is no reallocation control (e.g. PAX_MEMORY_SANITIZE)
* segregating memory used by the kernel and by userspace can stop attacks where this boundary is crossed (e.g. PAX_USERCOPY)
* randomizing heap allocations can frustrate the reallocation efforts the attack needs to perform (e.g. OpenBSD malloc)
* reference counter overflow protection (e.g. PAX_REFCOUNT, HARDENED_ATOMIC)

Bug Classes/Use after free

2017-02-04T05:13:56Z

DavidWindsor: Undo revision 3836 by DavidWindsor (talk)

Bug Classes/Use after free

2017-02-04T05:13:36Z

DavidWindsor: Undo revision 3837 by DavidWindsor (talk)

Bug Classes/Use after free

2017-02-04T05:12:59Z

DavidWindsor: /* Mitigations */

Bug Classes/Use after free

2017-02-04T05:12:39Z

DavidWindsor: /* Mitigations */