From owner-freebsd-hackers@FreeBSD.ORG Thu Mar 20 10:16:35 2014
From: Oliver Pinter
To: freebsd-hackers@freebsd.org
Cc: gavin@freebsd.org
Date: Thu, 20 Mar 2014 11:16:33 +0100
Subject: GSoC proposal: Implement Intel SMAP and kernel patching framework
List-Id: Technical Discussions relating to FreeBSD

Hi All!

Below is my proposal:

Organization: FreeBSD

Short description: In the first phase, I want to implement the Intel SMAP (Supervisor Mode Access Prevention) technology for the x86-64 architecture. In the second phase, I plan to implement a boot/load time kernel and kernel module patching (instruction patching) framework.

* General Information:
** e-mail: oliver.pntr AT gmail.com
** phone: XX
** IRC: _op_@OFTC
** IRC: _op_@EFNet
** IRC: _op_@irc.atw.hu
** linkedin: http://hu.linkedin.com/in/oliverpinter/
** availability: ~30 hrs/week

* Biography:
I am Oliver Pinter, an MSc student at Budapest University of Technology and Economics (BUTE). My specialization is Security of Telecommunication Systems at the CrySyS Laboratory. In 2008 I maintained a stable Linux kernel tree: http://repo.or.cz/w/linux-2.6.22.y-op.git . In my BSc thesis I investigated some aspects of Intel SMAP in contact with Intel (see linkedin or google://freebsd+intel+smap). Currently I am part of BUTE's CrySyS Laboratory (www.crysys.hu).

* Short Description:
** In the first phase, I want to implement the Intel SMAP (Supervisor Mode Access Prevention) technology for the x86-64 architecture. In the second phase, I plan to implement a boot/load time kernel and kernel module patching framework.

* Project Title:
** Implement Intel SMAP and kernel patching framework

* Project Description:
** Intel SMAP is a hardware extension to support advanced kernel self-protection. The SMAP technology will prevent unintended data access from the kernel to userland memory. The technology will appear in the Intel Broadwell architecture in 2014Q2/Q3. Currently there is an emulator - namely Qemu with TCG - which supports this technology.
** Runtime kernel/kernel module patching is required, otherwise the processor will fail when processing an unknown instruction. Newer processors introduce newer instructions which didn't exist on older ones. To solve this situation, this framework makes the kernel and kernel modules self-modifiable in a common way.
** http://software.intel.com/sites/default/files/319433-014.pdf
** http://forums.grsecurity.net/viewtopic.php?f=7&t=3046
** https://lwn.net/Articles/517475/

* Deliverables:
** phase #1:
- Improved security of the FreeBSD kernel on future x86-64 processors
** phase #2:
- generic framework for boot-time/runtime kernel image and kernel module patching
- eliminate hackish "manual" instruction patching: http://svnweb.freebsd.org/base/head/sys/amd64/amd64/cpu_switch.S?r1=238450&r2=238449&pathrev=238450

* Test Plan:
** phase #1 - SMAP:
- create a VM image
- write a vulnerable kernel module and PoC, and test
- test in qemu with SMAP emulation
** phase #2 - kernel patching:
- create a VM image
- boot test in qemu
- kernel module test in qemu
- test in qemu with enabled SMAP
- test on real hardware with XSAVE/XSAVEOPT
- stress test

* Schedule:
** phase #1:
May 19 - May 25: update Intel SMAP knowledge
May 26 - June 8: update relevant FreeBSD kernel knowledge
June 9 - June 15: implement/refine trap handler and add/refine required code in relevant parts of the kernel
June 16 - June 22: test and fix
** phase #2:
June 13 - June 29: identify the required places to modify in the booting process and kernel module loading process
June 30 - July 6: design the kernel patching framework
July 7 - July 20: implement the kernel patching framework
July 21 - July 27: adapt XSAVE and SMAP instructions to the new framework
July 28 - EoC: test, test, fix, test
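As an added illustration of the phase #2 idea from the proposal above (example code written for this page; it is neither part of the proposal nor FreeBSD's implementation), the following user-space model shows what a feature-driven patch table looks like: every site in the kernel text starts out as a sequence that decodes on every x86-64 CPU (NOP padding, or plain XSAVE) and is rewritten once, at boot, to the newer instruction when the CPU reports it. The feature-mask bits (FEAT_SMAP, FEAT_XSAVEOPT), the site table and the ten bytes of "kernel text" are constructed for the example; the instruction encodings (stac = 0F 01 CB, clac = 0F 01 CA, xsave (%rdi) = 0F AE 27, xsaveopt (%rdi) = 0F AE 37) are the real ones, and a real kernel would fill the feature mask from CPUID (CPUID.(7,0):EBX bit 20 for SMAP, CPUID.(0xD,1):EAX bit 0 for XSAVEOPT).

```c
/* Added example: boot-time instruction patching driven by CPU feature bits.
 * Not FreeBSD code; feature bits, site table and "kernel text" are made up. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FEAT_SMAP     (1u << 0)   /* hypothetical feature-mask bits */
#define FEAT_XSAVEOPT (1u << 1)
#define NOP           0x90

/* One patch site: `len` bytes at `offset` in the image, rewritten with
 * `repl` (NOP-padded) when every bit in `feature` is present. */
struct patch_site {
    size_t   offset;
    uint8_t  len;
    uint32_t feature;
    uint8_t  repl[8];
    uint8_t  repl_len;
};

/* Returns the number of sites patched, or -1 with the image untouched if any
 * entry would overrun its slot or the image.  Validate the whole table first:
 * a half-patched kernel is worse than an unpatched one. */
int apply_patches(uint8_t *image, size_t image_len, uint32_t features,
                  const struct patch_site *sites, size_t nsites)
{
    size_t i;
    int applied = 0;

    for (i = 0; i < nsites; i++)
        if (sites[i].repl_len > sites[i].len ||
            sites[i].offset + sites[i].len > image_len)
            return -1;

    for (i = 0; i < nsites; i++) {
        const struct patch_site *s = &sites[i];
        if ((features & s->feature) != s->feature)
            continue;
        memcpy(image + s->offset, s->repl, s->repl_len);
        /* keep the slot decodable if the replacement is shorter */
        memset(image + s->offset + s->repl_len, NOP, s->len - s->repl_len);
        applied++;
    }
    return applied;
}

/* Constructed "kernel text": two 3-byte NOP slots around the user-memory
 * access of a copyin()-like routine, an xsave (%rdi) in the FPU save path,
 * then ret. */
#define KTEXT_LEN  10
#define SITE_STAC  0
#define SITE_CLAC  3
#define SITE_XSAVE 6

static const uint8_t ktext_template[KTEXT_LEN] = {
    NOP, NOP, NOP,        /* slot: stac before touching user memory */
    NOP, NOP, NOP,        /* slot: clac after the access */
    0x0f, 0xae, 0x27,     /* xsave (%rdi): valid on any XSAVE-capable CPU */
    0xc3,                 /* ret */
};

static const struct patch_site site_table[] = {
    { SITE_STAC,  3, FEAT_SMAP,     { 0x0f, 0x01, 0xcb }, 3 }, /* stac */
    { SITE_CLAC,  3, FEAT_SMAP,     { 0x0f, 0x01, 0xca }, 3 }, /* clac */
    { SITE_XSAVE, 3, FEAT_XSAVEOPT, { 0x0f, 0xae, 0x37 }, 3 }, /* xsaveopt */
};

static uint8_t ktext[KTEXT_LEN];   /* the "live" kernel text being patched */

/* Reset the text to the template and patch it for `features`. */
int boot_patch(uint32_t features)
{
    memcpy(ktext, ktext_template, KTEXT_LEN);
    return apply_patches(ktext, KTEXT_LEN, features, site_table,
                         sizeof site_table / sizeof site_table[0]);
}

/* True if the live text holds the 3-byte sequence a b c at `off`. */
int ktext_has(size_t off, uint8_t a, uint8_t b, uint8_t c)
{
    return off + 3 <= KTEXT_LEN &&
           ktext[off] == a && ktext[off + 1] == b && ktext[off + 2] == c;
}

/* A table whose replacement is longer than its slot must be rejected and
 * must leave the image exactly as it was. */
int bad_table_rejected(void)
{
    const struct patch_site bad = { SITE_STAC, 3, FEAT_SMAP,
                                    { 0x0f, 0x01, 0xcb, NOP }, 4 };
    uint8_t copy[KTEXT_LEN];
    memcpy(copy, ktext_template, KTEXT_LEN);
    return apply_patches(copy, KTEXT_LEN, FEAT_SMAP, &bad, 1) == -1 &&
           memcmp(copy, ktext_template, KTEXT_LEN) == 0;
}

int main(void)
{
    size_t i;
    int n = boot_patch(FEAT_SMAP | FEAT_XSAVEOPT);
    printf("patched %d sites:", n);
    for (i = 0; i < KTEXT_LEN; i++)
        printf(" %02x", ktext[i]);
    printf("\n");
    return 0;
}
```

Two things the model leaves out that a kernel version has to handle: kernel modules loaded after boot need the same pass applied at link/load time against their own site tables (which is why the proposal speaks of boot/load time patching), and the kernel text is normally mapped read-only, so the rewrite has to happen before write protection is enabled or under a temporary unprotect, with the patched bytes visible to all CPUs before they execute that code.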