Kees Cook Yakaunza Matches Matsva Ekuvandudza Linux Kernel Stack Security

Linux
Kees Cook, aimbova mukuru sysadmin pa kernel.org uye mutungamiri weboka rekuchengetedza reUbuntu, izvozvi ari kushanda kuGoogle kuchengetedza Android neChannelOS, yakaburitsa seti yezvigamba zvinoshandura iyo kernel stack offsets paunenge uchibata system yekufona. Patches inovandudza kernel chengetedzo nekuchinja iyo stack nzvimbo, lkana izvo zvinoita kuti kurwisa kwemastock kuome zvakanyanya uye kusabudirira

Pfungwa yepakutanga yechigamba ndeyePaX RANDKSTACK chirongwa. Muna 2019, Elena Reshetova, injinjini kuIntel, akaedza kugadzira kuita kweiri zano, rakakodzera kuiswa mukuumbwa kukuru kweLinux kernel.


Shure kwaizvozvo, danho iri rakatorwa naKees Cook uyo akaunza yakakodzera kuitisa yeiyo huru vhezheni yekernel uye ane zvigamba zvakarongerwa vhezheni 5.13 yeLinux.

Iyo modhi icharemara nekukanganisa uye kuitisa iyo, iyo kernel yekuraira mutsara paramende inopihwa "Randomize_kstack_offset = kuvhura / kudzima»Uye marongero CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT, Uye zvakare, iwo pamusoro wekugonesa iyo modhi inofungidzirwa kungangoita 1% kurasikirwa kwekuita.

Musimboti wedziviriro yakatarwa kusarudza yakasarudzika stack offset pane yega system kufona, izvo zvinonetsa kuisirwa kwesitaki dhizaini mundangariro kunyangwe kana kero yeruzivo ikagamuchirwa, nekuti kero yepasi petaki ichachinja pane inotevera kufona.

Kusiyana nekuitwa kwe PaX RANDK STACK, muzvimedu zvakatemerwa kuiswa mumutsara, kusarongeka hakuitwe padanho rekutanga, asi mushure mekumisikidza iyo pt_regs chimiro, izvo zvinoita kuti zvisakwanisika kushandisa ptrace-based nzira kuona yakasarudzika offset panguva refu-inomhanya system kufona.

Sezvo Linux kernel stack dziviriro yagara ichivandudzika (vmap-based stack mapping nemapeji ekudzivirira, thread_info kubviswa, STACKLEAK), varwisi vaifanirwa kutsvaga nzira nyowani dzekushandisa kwavo kuti vashande.

Ivo, uye vanoramba vachivimba nekernel stack determinism, mumamiriro ezvinhu uko VMAP_STACK uye THREAD_INFO_IN_TASK_STRUCT ivo vaive vasina basa. Semuenzaniso, kurwisa kunotevera kuchangobva kuitika kungadai kwakatadziswa dai stack offset yakanga isiri yekufungidzira pakati pesisitimu yekufona

Chinangwa cheiyo randomize_kstack_offset basa kuwedzera kusarongeka mushure me pt_regs yakadzvanywa padura uye isati yasara tambo yekushandisa ichishandiswa panguva yekugadzirisa kufona, uye ichinje nguva yega yega maitiro painoburitsa system yekufona. Kwayakaitika yekusarongeka parizvino inotsanangurwa neyakavakirwa (asi x86 inoshandisa yakaderera byte ye rdtsc ()).

Zvinowedzera zvemberi zvinokwanisika kune akasiyana masosi e entropy, asi kunze kwechikamu chechigamba ichi. Zvakare, kuwedzera kusafungidzira, matsva matsva anosarudzwa pakupera kwesystem mafoni (iyo nguva inofanira kunge iri nyore kuyera kubva kumushandisi nzvimbo pane panguva yekupinda kweiyo system yekufona) uye Iwo anochengetwa mushanduko imwe chete CPU, kuitira kuti iyo hupenyu hwese kukosha isarambe yakajeka yakasungirirwa kune rimwe basa.

Iko hakuna shanduko dzinooneka dzeichi pa x86 nekuti saver yekudyara yatove isina mvumo yakaomeswa yeyunifomu yuniti, asi shanduko inodikanwa muarm64. Nehurombo, hapana hunhu hunogona kushandiswa kudzima stack saver kune mamwe mabasa. Kufananidza nePaX RANDKSTACK basa: RANDKSTACK basa rinoshandura nzvimbo yekutangira kweiyo stack (cpu_current_top_of_stack), ndiko kuti, inosanganisira nzvimbo yeiyo pt_regs chimiro pane stack.

Pakutanga, chigamba ichi chakatevera nzira imwecheteyo, asi panguva yenhaurwa dzichangoburwa zvakavezwa kuti hazvina kukosha senge ptrace mashandiro aripo kune anorwisa, unogona kushandisa PTRACE_PEEKUSR kuverenga / kunyora zvisaririra zvakasiyana kune iyo pt_regs chimiro, chengetedza yekuwanza cache maitiro pt_regs uye uwane izvo zvisina kujairika. stack kukanganisa.

Pakupedzisira zvinonzi kutanga kuitisa kunotsigira ARM64 uye x86 / x86_64 processor.


Izvo zviri muchinyorwa zvinoomerera pamisimboti yedu ye tsika dzekunyora. Kuti utaure chikanganiso tinya pano.

Iva wekutanga kutaura

Siya yako yekutaura

Your kero e havazobvumirwi ichibudiswa.

*

*

  1. Inotarisira data: AB Internet Networks 2008 SL
  2. Chinangwa cheiyo data: Kudzora SPAM, manejimendi manejimendi.
  3. Legitimation: Kubvuma kwako
  4. Kutaurirana kwedata
  5. Dhata yekuchengetedza: Dhatabhesi inobatwa neOccentus Networks (EU)
  6. Kodzero: Panguva ipi neipi iwe unogona kudzora, kupora uye kudzima ruzivo rwako

bool (chokwadi)