* Ingo Molnar <mi...@kernel.org> wrote:
> > It's quite likely that you will find that compilers put read-only constants
> > in
> > the text section, knowing that executable means readable.
>
> At least with pkeys enabling true --x mappings, that compiler practice
> becomes a
> (mild) security problem: it provides a readable and executable return target
> for
> stack/buffer overflow attacks - FWIIW. (It's a limited concern because the
> true
> code areas are executable already.)
Btw., it's not just security, there will also a robustness advantage to
creating
true PROT_EXEC mappings: right now if buggy user-space code accidentally
references into an executable section: say uses a negative index in a table put
into .rodata, the code will not crash, it will happily read from the .text area.
But if we mapped .text with true PROT_EXEC (and the CPU enforced that) then
we'd
get a nice segfault.
This has additional security benefits as well, beyond not providing readable
ROP
sites - which in fact look more significant than the ROP readability angle I
mentioned initially.
So to sum it up, if we use true --x (non-readable PROT_EXEC) mappings using
pkeys,
we get the following benefits:
- Overflows and other out of bounds accesses from .rodata (and other data
sections near .text) will be caught by the CPU instead of silent data flow
corruption. This has robustness (and thus security) advantages.
- True --x code is not readable, thus not 'soft-discoverable' via information
leaks for ROP purposes.
- The version fingerprinting of unknown remote target binaries via information
leaks becomes harder as well.
- The local (and remote) guessing of ASLR offsets via information leaks gets
harder as well.
- We get to test pkeys much more seriously than the opt-in special uses! :-)
Intel sent me pkeys test hardware, so I can give it a go in practice as well
and
see how well it works.
Thanks,
Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
