On 9/14/2020 11:31 AM, Andy Lutomirski wrote:
On Sep 14, 2020, at 7:50 AM, Dave Hansen <dave.hansen@xxxxxxxxx> wrote:
On 9/11/20 3:59 PM, Yu-cheng Yu wrote:
...
Here are the changes if we take the mprotect(PROT_SHSTK) approach.
Any comments/suggestions?
I still don't like it. :)
I'll also be much happier when there's a proper changelog to accompany
this which also spells out the alternatives any why they suck so much.
Let’s take a step back here. Ignoring the precise API, what exactly is
a shadow stack from the perspective of a Linux user program?
The simplest answer is that it’s just memory that happens to have
certain protections. This enables all kinds of shenanigans. A
program could map a memfd twice, once as shadow stack and once as
non-shadow-stack, and change its control flow. Similarly, a program
could mprotect its shadow stack, modify it, and mprotect it back. In
What if we do the following:
- If the mapping has VM_SHARED, it cannot be turned to shadow stack.
Shadow stack cannot be shared anyway.
- Only allow an anonymous mapping to be converted to shadow stack, but
not the other way.
some threat models, though could be seen as a WRSS bypass. (Although
if an attacker can coerce a process to call mprotect(), the game is
likely mostly over anyway.)
But we could be more restrictive, or perhaps we could allow user code
to opt into more restrictions. For example, we could have shadow
stacks be special memory that cannot be written from usermode by any
means other than ptrace() and friends, WRSS, and actual shadow stack
usage.
What is the goal?
There primary goal is to allocate/mmap a shadow stack from user space.
No matter what we do, the effects of calling vfork() are going to be a
bit odd with SHSTK enabled. I suppose we could disallow this, but
that seems likely to cause its own issues.
Do you mean vfork() has issues with call/return? That is taken care of
in GLIBC. Or do you mean it has issues with mprotect(PROT_SHSTK)?