Hi Dave,
Since we're using the feature for control-flow integrity, we assume the control-flow is still intact at this point. I.e. the attacker thread can't run arbitrary instructions.
* For JIT code, we're going to scan it for wrpkru instructions before writing it to executable memory
* For regular code, we only use wrpkru around short critical sections to temporarily enable write access
Sigreturn is a separate problem that we hope to solve by adding pkey support to sigaltstack
On Mon, May 15, 2023, 16:28 Dave Hansen <dave.hansen@xxxxxxxxx> wrote:
On 5/15/23 06:05, jeffxu@xxxxxxxxxxxx wrote:
> We're using PKU for in-process isolation to enforce control-flow integrity
> for a JIT compiler. In our threat model, an attacker exploits a
> vulnerability and has arbitrary read/write access to the whole process
> space concurrently to other threads being executed. This attacker can
> manipulate some arguments to syscalls from some threads.
This all sounds like it hinges on the contents of PKRU in the attacker
thread.
Could you talk a bit about how the attacker is prevented from running
WRPKRU, XRSTOR or compelling the kernel to write to PKRU like at sigreturn?
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
