Date: Thu, 9 Jun 2016 19:00:09 +0200 From: "O. Hartmann" <ohartman@zedat.fu-berlin.de> To: David Chisnall <theraven@FreeBSD.org> Cc: FreeBSD CURRENT <freebsd-current@freebsd.org>, Shawn Webb <shawn.webb@hardenedbsd.org> Subject: Re: CURRENT: bhyve and Kernel SamePage Mergin Message-ID: <20160609190009.071fbde6.ohartman@zedat.fu-berlin.de> In-Reply-To: <2DE58803-9030-44D3-9AD3-BD189CBA002E@FreeBSD.org> References: <20160608170102.6a0ee504.ohartman@zedat.fu-berlin.de> <2DE58803-9030-44D3-9AD3-BD189CBA002E@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--Sig_/bzAVfP5w/QidhSo/WkVjMPQ Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Am Thu, 9 Jun 2016 09:18:40 +0100 David Chisnall <theraven@FreeBSD.org> schrieb: > If this paper is the one that I think it is, then I was one of the review= ers. Their > attack is neat, but it depends quite a lot on being able to deterministic= ally trigger > deduplication. Their proof-of-concept exploit was on Windows (and JavaSc= ript attack > was really fun) and I=E2=80=99m not convinced that it would work reliably= on Linux or VMWare > ESX, which both defer deduplication for as long as possible to avoid NUMA= -related > overheads. >=20 > We don=E2=80=99t currently have a FreeBSD implementation, but if someone = wanted to provide one > then a defence against this attack would be fairly simple: count the numb= er of CoW > faults that a process is receiving and if it reaches a certain threshold = then remove > all of its memory from the set of eligible pages. The attack relies on b= eing able to > repeatedly trigger CoW faults and time whether they occur, with the same = set of pages. > At least some existing implementations will make this impossible as these= pages will > repeatedly be deduplicated and then duplicated and this is already a path= ological case > that most memory deduplication implementations need to handle (as well as= being a > security hole, it=E2=80=99s also a big performance killer). >=20 > Kib has been working on ASLR for FreeBSD (I think it=E2=80=99s in 11?), b= ut at this point it=E2=80=99s > more of a checkbox item than a serious mitigation technique. It adds a l= ittle bit of > work for attackers, but there are so many attacks that can bypass ASLR ev= en with strong > entropy that it just increases the work factor slightly. If you=E2=80=99= re running code > written in C, then you=E2=80=99re better off relying on Capscium compartm= entalisation to limit > what the attacker can do once they=E2=80=99ve compromised it. >=20 > David >=20 > > On 8 Jun 2016, at 16:01, O. Hartmann <ohartman@zedat.fu-berlin.de> wrot= e: > >=20 > > A couple of days I got as a responsible personell for a couple of syste= ms a warning > > about the vulnerabilities of the mechanism called "Kernel SamePage Merg= in". On this > > year's IEEE symposion there has been submitted a paper by Bosman et al.= , 2016, > > describing an attack on KSM. This technique, also referred to as memory= /page > > deduplication, seems to be vulnerable by design under certain circumsta= nces. I guess > > the experts of the readers here do already know, but I consider myself = a non-expert > > and therefore, I'd like to ask about the status of that kind of develop= ment in > > FreeBSD. I read about a project of last year's Google Summer of Code 20= 15 targetting > > KSM on FreeBSD. > >=20 > > In Linux, this deduplication techniques is implemented since kernel 2.6= .38 and Windows > > Kernel uses this techniques since Windows 8.1 and sibblings (also Windo= ws Server). We > > were strongly advised to disable those "features" in Windows clients, s= ervers and > > Linux servers, if used. > >=20 > > Other papers describe successful attacks on memory contents and ASLR by= misusing KSM. > > On Windows, mmap() entropy is 19bit, on Linux usually 28bit. And FreeBS= D (if > > planned/used/already implemented?)?=20 > >=20 > > If you are interested I could provide links or PDFs of the papers I alr= eady gathered > > about that subject (it is not much, simply google for "KSM FReeBSD" or = KSM > > deduplication ASLR). > >=20 > > Thanks in advance, > >=20 > > oh =20 >=20 Hello David, sorry for the lack of references.=20 Bosman et al., 2016: doi: 10.1109/SP.2016.63 (http://www.ieee-security.org/TC/SP2016/papers/0824a987.pdf), this paper ha= s been subject of a warning given to institutions. An older one, but also interesting, is Xiao et al., 2013: doi: 10.1109/DSN.2013.6575349 (http://www.cs.wm.edu/~hnw/paper/memdedup.pdf)=20 and this one=20 Barresi et al., 2015 (https://www.usenix.org/node/191961). The first paper is of (my) concern, since it triggered some interests and c= ouriosities of mine. Regards, Oliver Hartmann --Sig_/bzAVfP5w/QidhSo/WkVjMPQ Content-Type: application/pgp-signature Content-Description: OpenPGP digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJXWaCZAAoJEOgBcD7A/5N8DTQH/j+FFgPrSNxLnuIVAoVeTiF0 +1wwZqWjdtvQWSSLgzlMATUQ3U3wQFcYj5rAqXB0Mt7YpRVC0UOd3OsBre0y3F4O +mw/I8gYHnGJCDweLSDa7HhhhW8HhLr8xHigVxFXrVU4FFcVOGyRWEQg64OsyJ8L PCvNekcCwwVZYR3KC0cG2UwQpZHvWebYLnbI7sfjb1DaIImc9GRPep7msDNSPbG3 r8e0LJDhGCjKTXtl7eXCWofERL8R8KoWKos/9d8TZlmh9N86F3K3ksDX3w8Ds6Li 10GjNo0ppa7W5F165QuAkVeBAkh8Auy2a4GbRJfNTP407Z2Hn+OuIPMLw0XzgFg= =Dxth -----END PGP SIGNATURE----- --Sig_/bzAVfP5w/QidhSo/WkVjMPQ--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20160609190009.071fbde6.ohartman>