Linux Kernel Security Subsystem - User contributions [en]

Kernel Self Protection Project/Work

2019-07-03T18:13:05Z

RomainPerier: /* Kernel items */

= Work Areas =

The [[Kernel Self Protection Project]] has a lot of work to do! While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. The following is far from a comprehensive list, but it's at least a starting point we can add to:

== [[Bug Classes]] ==

* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==

* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =

Besides the general work outlined above, there are number of specific tasks that have either been asked about frequently or are otherwise in need some time and attention:

== Kernel items ==
* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, s390. Needed on arm, arm64, powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Make CONFIG_STRICT_KERNEL_RWX and CONFIG_STRICT_MODULE_RWX mandatory (done for arm64 and x86, other archs still need it)
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Extend HARDENED_USERCOPY to split user-facing kmalloc()s and in-kernel kmalloc()
* split short-lived kmalloc()s from long-lived kmalloc()s
* split user-size-controlled kmalloc()s from regular kmalloc()s
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* add constant-blinding tests to lib/test_bpf.c
* rename CONFIG_DEBUG_LIST better and default=y
* create defconfig "make" target for by-default hardened Kconfigs
* expand use of __ro_after_init, especially in arch/arm64
* restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) ([http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Timgad LSM])
* set_memory_*() needs __must_check and/or atomicity
* refactor tasklets to avoid unsigned long argument (WIP: Romain Perier <romain.perier@gmail.com>, "rperier" on FreeNode)
* have kfree() (and related) set the pointer to NULL too
* create per-task stack canary (Done: x86, arm, arm64, powerpc. Needed on s390 and others?)
* deprecate strcpy() in favor of strscpy()
* deprecate strlcpy() in favor of strscpy()
* deprecate strncpy() in favor of strscpy(), strscpy_pad(), or str2mem_pad()
* fix sizeof_field() vs SIZEOF_FIELD() vs FIELD_SIZEOF() (WIP: Shyam Saini <mayhs11saini@gmail.com>)
* expand use of opt-in mult/div/add/sub overflow wrappers
* WARN on kfree() of ERR_PTR range (WIP: Shyam Saini <mayhs11saini@gmail.com>)
* add detection for double-reads
* add FORTIFY_SOURCE checks to strscpy*()
* add static_branch for iopl removal (and zeroing?)
* enhance objtool to search for ROP gadgets
* signed integer overflow detection
* unsigned integer overflow detection
* exec brute force detection

== Compiler items ==
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Finish Clang implementation of __randomize_layout
* Implement clearing of caller-saved regs (https://github.com/clearlinux-pkgs/gcc/blob/master/zero-regs-gcc8.patch)

Kernel Self Protection Project/Work

2019-07-01T09:52:58Z

RomainPerier: /* Kernel items */

= Work Areas =

The [[Kernel Self Protection Project]] has a lot of work to do! While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. The following is far from a comprehensive list, but it's at least a starting point we can add to:

== [[Bug Classes]] ==

* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==

* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =

Besides the general work outlined above, there are number of specific tasks that have either been asked about frequently or are otherwise in need some time and attention:

== Kernel items ==
* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, s390. Needed on arm, arm64, powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Make CONFIG_STRICT_KERNEL_RWX and CONFIG_STRICT_MODULE_RWX mandatory (done for arm64 and x86, other archs still need it)
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Extend HARDENED_USERCOPY to split user-facing kmalloc()s and in-kernel kmalloc()
* split short-lived kmalloc()s from long-lived kmalloc()s
* split user-size-controlled kmalloc()s from regular kmalloc()s
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* add constant-blinding tests to lib/test_bpf.c
* rename CONFIG_DEBUG_LIST better and default=y
* create defconfig "make" target for by-default hardened Kconfigs
* expand use of __ro_after_init, especially in arch/arm64
* restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) ([http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Timgad LSM])
* set_memory_*() needs __must_check and/or atomicity
* refactor tasklets to avoid unsigned long argument
* have kfree() (and related) set the pointer to NULL too
* create per-task stack canary (Done: x86, arm, arm64, powerpc. Needed on s390 and others?)
* deprecate strcpy() in favor of strscpy()
* deprecate strlcpy() in favor of strscpy()
* deprecate strncpy() in favor of strscpy(), strscpy_pad(), or str2mem_pad()
* fix sizeof_field() vs SIZEOF_FIELD() vs FIELD_SIZEOF() (WIP: Shyam Saini <mayhs11saini@gmail.com>)
* expand use of opt-in mult/div/add/sub overflow wrappers
* WARN on kfree() of ERR_PTR range (WIP: Shyam Saini <mayhs11saini@gmail.com>)
* add detection for double-reads
* add FORTIFY_SOURCE checks to strscpy*()
* add static_branch for iopl removal (and zeroing?)
* enhance objtool to search for ROP gadgets
* signed integer overflow detection
* unsigned integer overflow detection
* exec brute force detection

== Compiler items ==
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Finish Clang implementation of __randomize_layout
* Implement clearing of caller-saved regs (https://github.com/clearlinux-pkgs/gcc/blob/master/zero-regs-gcc8.patch)

Kernel Self Protection Project/Work

2019-06-27T14:28:53Z

RomainPerier: /* Kernel items */

= Work Areas =

The [[Kernel Self Protection Project]] has a lot of work to do! While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. The following is far from a comprehensive list, but it's at least a starting point we can add to:

== [[Bug Classes]] ==

* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==

* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =

Besides the general work outlined above, there are number of specific tasks that have either been asked about frequently or are otherwise in need some time and attention:

== Kernel items ==
* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, s390. Needed on arm, arm64, powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Make CONFIG_STRICT_KERNEL_RWX and CONFIG_STRICT_MODULE_RWX mandatory (done for arm64 and x86, other archs still need it)
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Extend HARDENED_USERCOPY to split user-facing kmalloc()s and in-kernel kmalloc()
* split short-lived kmalloc()s from long-lived kmalloc()s
* split user-size-controlled kmalloc()s from regular kmalloc()s
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* add constant-blinding tests to lib/test_bpf.c
* rename CONFIG_DEBUG_LIST better and default=y
* create defconfig "make" target for by-default hardened Kconfigs
* expand use of __ro_after_init, especially in arch/arm64
* restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) ([http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Timgad LSM])
* set_memory_*() needs __must_check and/or atomicity
* refactor tasklets to avoid unsigned long argument
* have kfree() (and related) set the pointer to NULL too
* create per-task stack canary (Done: x86, arm, arm64, powerpc. Needed on s390 and others?)
* deprecate strcpy() in favor of strscpy()
* deprecate strlcpy() in favor of strscpy()
* deprecate strncpy() in favor of strscpy(), strscpy_pad(), or str2mem_pad()
* fix sizeof_field() vs SIZEOF_FIELD() vs FIELD_SIZEOF()
* expand use of opt-in mult/div/add/sub overflow wrappers
* WARN on kfree() of ERR_PTR range (WIP: Shyam Saini <mayhs11saini@gmail.com>)
* add detection for double-reads
* add FORTIFY_SOURCE checks to strscpy*()
* add static_branch for iopl removal (and zeroing?)
* enhance objtool to search for ROP gadgets
* signed integer overflow detection
* unsigned integer overflow detection
* exec brute force detection

== Compiler items ==
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Finish Clang implementation of __randomize_layout
* Implement clearing of caller-saved regs (https://github.com/clearlinux-pkgs/gcc/blob/master/zero-regs-gcc8.patch)

Kernel Self Protection Project/Work

2019-06-27T14:28:17Z

RomainPerier: /* Kernel items */

= Work Areas =

The [[Kernel Self Protection Project]] has a lot of work to do! While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. The following is far from a comprehensive list, but it's at least a starting point we can add to:

== [[Bug Classes]] ==

* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==

* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =

Besides the general work outlined above, there are number of specific tasks that have either been asked about frequently or are otherwise in need some time and attention:

== Kernel items ==
* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, s390. Needed on arm, arm64, powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Make CONFIG_STRICT_KERNEL_RWX and CONFIG_STRICT_MODULE_RWX mandatory (done for arm64 and x86, other archs still need it)
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Extend HARDENED_USERCOPY to split user-facing kmalloc()s and in-kernel kmalloc()
* split short-lived kmalloc()s from long-lived kmalloc()s
* split user-size-controlled kmalloc()s from regular kmalloc()s
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* add constant-blinding tests to lib/test_bpf.c
* rename CONFIG_DEBUG_LIST better and default=y
* create defconfig "make" target for by-default hardened Kconfigs
* expand use of __ro_after_init, especially in arch/arm64
* restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) ([http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Timgad LSM])
* set_memory_*() needs __must_check and/or atomicity
* refactor tasklets to avoid unsigned long argument
* have kfree() (and related) set the pointer to NULL too
* create per-task stack canary (Done: x86, arm, arm64, powerpc. Needed on s390 and others?)
* deprecate strcpy() in favor of strscpy()
* deprecate strlcpy() in favor of strscpy()
* deprecate strncpy() in favor of strscpy(), strscpy_pad(), or str2mem_pad()
* fix sizeof_field() vs SIZEOF_FIELD() vs FIELD_SIZEOF()
* expand use of opt-in mult/div/add/sub overflow wrappers
* WARN on kfree() of ERR_PTR range (WIP: Shyam Saini <mayhs11saini@gmail.com>)
* audit and fix all misuse of NLA_STRING (DONE)
* add detection for double-reads
* add FORTIFY_SOURCE checks to strscpy*()
* add static_branch for iopl removal (and zeroing?)
* enhance objtool to search for ROP gadgets
* signed integer overflow detection
* unsigned integer overflow detection
* exec brute force detection

== Compiler items ==
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Finish Clang implementation of __randomize_layout
* Implement clearing of caller-saved regs (https://github.com/clearlinux-pkgs/gcc/blob/master/zero-regs-gcc8.patch)

Kernel Self Protection Project/Work

2019-06-10T16:08:59Z

RomainPerier: /* Kernel items */

= Work Areas =

The [[Kernel Self Protection Project]] has a lot of work to do! While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. The following is far from a comprehensive list, but it's at least a starting point we can add to:

== [[Bug Classes]] ==

* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==

* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =

Besides the general work outlined above, there are number of specific tasks that have either been asked about frequently or are otherwise in need some time and attention:

== Kernel items ==
* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, s390. Needed on arm, arm64, powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Make CONFIG_STRICT_KERNEL_RWX and CONFIG_STRICT_MODULE_RWX mandatory (done for arm64 and x86, other archs still need it)
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Extend HARDENED_USERCOPY to split user-facing kmalloc()s and in-kernel kmalloc()
* split short-lived kmalloc()s from long-lived kmalloc()s
* split user-size-controlled kmalloc()s from regular kmalloc()s
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* add constant-blinding tests to lib/test_bpf.c
* rename CONFIG_DEBUG_LIST better and default=y
* create defconfig "make" target for by-default hardened Kconfigs
* expand use of __ro_after_init, especially in arch/arm64
* restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) ([http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Timgad LSM])
* set_memory_*() needs __must_check and/or atomicity
* refactor tasklets to avoid unsigned long argument
* have kfree() (and related) set the pointer to NULL too
* create per-task stack canary (Done: x86, arm, arm64, powerpc. Needed on s390 and others?)
* deprecate strcpy() in favor of strscpy()
* deprecate strlcpy() in favor of strscpy()
* deprecate strncpy() in favor of strscpy(), strscpy_pad(), or str2mem_pad()
* fix sizeof_field() vs SIZEOF_FIELD() vs FIELD_SIZEOF()
* expand use of opt-in mult/div/add/sub overflow wrappers
* WARN on kfree() of ERR_PTR range (WIP: Shyam Saini <mayhs11saini@gmail.com>)
* audit and fix all misuse of NLA_STRING (WIP: Romain Perier <romain.perier@gmail.com> (aka "rperier", on IRC))
* add detection for double-reads
* add FORTIFY_SOURCE checks to strscpy*()
* add static_branch for iopl removal (and zeroing?)
* enhance objtool to search for ROP gadgets
* signed integer overflow detection
* unsigned integer overflow detection
* exec brute force detection

== Compiler items ==
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Finish Clang implementation of __randomize_layout
* Implement clearing of caller-saved regs (https://github.com/clearlinux-pkgs/gcc/blob/master/zero-regs-gcc8.patch)

Kernel Self Protection Project/Work

2019-06-10T16:07:38Z

RomainPerier: /* Kernel items */

= Work Areas =

The [[Kernel Self Protection Project]] has a lot of work to do! While there are already a number of upstream [[Feature List|kernel security features]], we are still missing many. The following is far from a comprehensive list, but it's at least a starting point we can add to:

== [[Bug Classes]] ==

* [[Bug Classes/Stack overflow|Stack overflow]]
* [[Bug Classes/Integer overflow|Integer overflow]]
* [[Bug Classes/Heap overflow|Heap overflow]]
* [[Bug Classes/Format string injection|Format string injection]]
* [[Bug Classes/Kernel pointer leak|Kernel pointer leak]]
* [[Bug Classes/Uninitialized variables|Uninitialized variables]]
* [[Bug Classes/Use after free|Use-after-free]]

== [[Exploit Methods|Exploitation Methods]] ==

* [[Exploit Methods/Kernel location|Kernel location]]
* [[Exploit Methods/Text overwrite|Text overwrite]]
* [[Exploit Methods/Function pointer overwrite|Function pointer overwrite]]
* [[Exploit Methods/Userspace execution|Userspace execution]]
* [[Exploit Methods/Userspace data usage|Userspace data usage]]
* [[Exploit Methods/Reused code chunks|Reused code chunks]]

= Specific TODO Items =

Besides the general work outlined above, there are number of specific tasks that have either been asked about frequently or are otherwise in need some time and attention:

== Kernel items ==
* Split thread_info off of kernel stack (Done: x86, arm64, s390. Needed on arm, powerpc and others?)
* Move kernel stack to vmap area (Done: x86, s390. Needed on arm, arm64, powerpc and others?)
* Implement kernel relocation and KASLR for ARM
* Make CONFIG_STRICT_KERNEL_RWX and CONFIG_STRICT_MODULE_RWX mandatory (done for arm64 and x86, other archs still need it)
* Further restriction of perf_event_open (e.g. perf_event_paranoid=3)
* Extend HARDENED_USERCOPY to split user-facing kmalloc()s and in-kernel kmalloc()
* split short-lived kmalloc()s from long-lived kmalloc()s
* split user-size-controlled kmalloc()s from regular kmalloc()s
* protect ARM vector table as fixed-location kernel target
* disable kuser helpers on arm
* add constant-blinding tests to lib/test_bpf.c
* rename CONFIG_DEBUG_LIST better and default=y
* create defconfig "make" target for by-default hardened Kconfigs
* expand use of __ro_after_init, especially in arch/arm64
* restrict autoloading of kernel modules (like GRKERNSEC_MODHARDEN) ([http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Timgad LSM])
* set_memory_*() needs __must_check and/or atomicity
* refactor tasklets to avoid unsigned long argument
* have kfree() (and related) set the pointer to NULL too
* create per-task stack canary (Done: x86, arm, arm64, powerpc. Needed on s390 and others?)
* deprecate strcpy() in favor of strscpy()
* deprecate strlcpy() in favor of strscpy()
* deprecate strncpy() in favor of strscpy(), strscpy_pad(), or str2mem_pad()
* fix sizeof_field() vs SIZEOF_FIELD() vs FIELD_SIZEOF()
* expand use of opt-in mult/div/add/sub overflow wrappers
* WARN on kfree() of ERR_PTR range
* audit and fix all misuse of NLA_STRING (WIP: rperier)
* add detection for double-reads
* add FORTIFY_SOURCE checks to strscpy*()
* add static_branch for iopl removal (and zeroing?)
* enhance objtool to search for ROP gadgets
* signed integer overflow detection
* unsigned integer overflow detection
* exec brute force detection

== Compiler items ==
* Write a plugin to do format string warnings correctly (gcc's -Wformat-security is bad about const strings)
* Finish Clang implementation of __randomize_layout
* Implement clearing of caller-saved regs (https://github.com/clearlinux-pkgs/gcc/blob/master/zero-regs-gcc8.patch)