Date: Thu, 9 Jun 2016 19:00:09 +0200 From: "O. Hartmann" <ohartman@zedat.fu-berlin.de> To: David Chisnall <theraven@FreeBSD.org> Cc: FreeBSD CURRENT <freebsd-current@freebsd.org>, Shawn Webb <shawn.webb@hardenedbsd.org> Subject: Re: CURRENT: bhyve and Kernel SamePage Mergin Message-ID: <20160609190009.071fbde6.ohartman@zedat.fu-berlin.de> In-Reply-To: <2DE58803-9030-44D3-9AD3-BD189CBA002E@FreeBSD.org> References: <20160608170102.6a0ee504.ohartman@zedat.fu-berlin.de> <2DE58803-9030-44D3-9AD3-BD189CBA002E@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] Am Thu, 9 Jun 2016 09:18:40 +0100 David Chisnall <theraven@FreeBSD.org> schrieb: > If this paper is the one that I think it is, then I was one of the reviewers. Their > attack is neat, but it depends quite a lot on being able to deterministically trigger > deduplication. Their proof-of-concept exploit was on Windows (and JavaScript attack > was really fun) and I’m not convinced that it would work reliably on Linux or VMWare > ESX, which both defer deduplication for as long as possible to avoid NUMA-related > overheads. > > We don’t currently have a FreeBSD implementation, but if someone wanted to provide one > then a defence against this attack would be fairly simple: count the number of CoW > faults that a process is receiving and if it reaches a certain threshold then remove > all of its memory from the set of eligible pages. The attack relies on being able to > repeatedly trigger CoW faults and time whether they occur, with the same set of pages. > At least some existing implementations will make this impossible as these pages will > repeatedly be deduplicated and then duplicated and this is already a pathological case > that most memory deduplication implementations need to handle (as well as being a > security hole, it’s also a big performance killer). > > Kib has been working on ASLR for FreeBSD (I think it’s in 11?), but at this point it’s > more of a checkbox item than a serious mitigation technique. It adds a little bit of > work for attackers, but there are so many attacks that can bypass ASLR even with strong > entropy that it just increases the work factor slightly. If you’re running code > written in C, then you’re better off relying on Capscium compartmentalisation to limit > what the attacker can do once they’ve compromised it. > > David > > > On 8 Jun 2016, at 16:01, O. Hartmann <ohartman@zedat.fu-berlin.de> wrote: > > > > A couple of days I got as a responsible personell for a couple of systems a warning > > about the vulnerabilities of the mechanism called "Kernel SamePage Mergin". On this > > year's IEEE symposion there has been submitted a paper by Bosman et al., 2016, > > describing an attack on KSM. This technique, also referred to as memory/page > > deduplication, seems to be vulnerable by design under certain circumstances. I guess > > the experts of the readers here do already know, but I consider myself a non-expert > > and therefore, I'd like to ask about the status of that kind of development in > > FreeBSD. I read about a project of last year's Google Summer of Code 2015 targetting > > KSM on FreeBSD. > > > > In Linux, this deduplication techniques is implemented since kernel 2.6.38 and Windows > > Kernel uses this techniques since Windows 8.1 and sibblings (also Windows Server). We > > were strongly advised to disable those "features" in Windows clients, servers and > > Linux servers, if used. > > > > Other papers describe successful attacks on memory contents and ASLR by misusing KSM. > > On Windows, mmap() entropy is 19bit, on Linux usually 28bit. And FreeBSD (if > > planned/used/already implemented?)? > > > > If you are interested I could provide links or PDFs of the papers I already gathered > > about that subject (it is not much, simply google for "KSM FReeBSD" or KSM > > deduplication ASLR). > > > > Thanks in advance, > > > > oh > Hello David, sorry for the lack of references. Bosman et al., 2016: doi: 10.1109/SP.2016.63 (http://www.ieee-security.org/TC/SP2016/papers/0824a987.pdf), this paper has been subject of a warning given to institutions. An older one, but also interesting, is Xiao et al., 2013: doi: 10.1109/DSN.2013.6575349 (http://www.cs.wm.edu/~hnw/paper/memdedup.pdf) and this one Barresi et al., 2015 (https://www.usenix.org/node/191961). The first paper is of (my) concern, since it triggered some interests and couriosities of mine. Regards, Oliver Hartmann [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJXWaCZAAoJEOgBcD7A/5N8DTQH/j+FFgPrSNxLnuIVAoVeTiF0 +1wwZqWjdtvQWSSLgzlMATUQ3U3wQFcYj5rAqXB0Mt7YpRVC0UOd3OsBre0y3F4O +mw/I8gYHnGJCDweLSDa7HhhhW8HhLr8xHigVxFXrVU4FFcVOGyRWEQg64OsyJ8L PCvNekcCwwVZYR3KC0cG2UwQpZHvWebYLnbI7sfjb1DaIImc9GRPep7msDNSPbG3 r8e0LJDhGCjKTXtl7eXCWofERL8R8KoWKos/9d8TZlmh9N86F3K3ksDX3w8Ds6Li 10GjNo0ppa7W5F165QuAkVeBAkh8Auy2a4GbRJfNTP407Z2Hn+OuIPMLw0XzgFg= =Dxth -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20160609190009.071fbde6.ohartman>