On 07/10/2015 07:34 PM, Jason Gunthorpe wrote:
> On Fri, Jul 10, 2015 at 06:27:59PM -0400, Doug Ledford wrote:
>
>> 1) An RDMA connection exists or can be created (TOE and iSCSI offload do
>> not do this, so something else would have to be listening and accepting
>> incoming RDMA connections)
>> 2) A global rkey exists (so it's not sufficient that any old RDMA app be
>> running, at least one app/ULP *must* create the global writable rkey)
>> 3) The QP of the RDMA connection belongs to the same PD as the global
>> rkey (so our attack surface is limited to the bad server app/ULP and the
>> existence of this does not put other apps/ULPs at risk)
>> 4) For maximum damage, the global rkey must also belong to an app/ULP
>> with elevated privilege or direct memory access (kernel ULPs are prime
>> targets, as a user app would have a mapped address space and the global
>> rkey in its domain would apply to it's process space, limiting the
>> damage that can be done).
>
> This list looks right to me.
Good, we're in agreement so far ;-)
>> Given all these requirements, I don't see this as a possibility. In
>
> Hmm. So, if I put an iWarp card in a machine, boot any distro, and add
> something to /etc/exports ..
>
> Does the NFS RDMA kernel module load and start a listening QP?
That depends on the OS.
> If not, that actually sounds like a bug. What if a distro fixes that?
Red Hat requires that you enable NFSoRDMA. But, your point is valid.
That goes back to my point about the update patch set being very verbose
about the dangers of this. The very obvious kernel message is helpful
in this case.
>>> The clearest scary path I see is a server listening on a QP and using
>>> IB_ACCESS_REMOTE_WRITE. That sure looks easy to exploit.
>>
>> This goes back to the trust domain. For a server, you simply can't
>> allow untrusted clients. Period.
>
> This feels like an antiquated security model. Most things these days
> are using in-band mutual auth and then switch to a trusted mode. Both
> NFS and iSCSI support that (kerberos,chap,etc), I assume that generic
> support extends to RDMA.
>
> If you use auth then trust as a security model, this rkey buisness is
> a problem, because you should not be vunerable to attack before
> authing.
Yes. This is an antiquated security model. There is a reason for that.
It is easier to go simple to begin with and then add the extra layers
needed to keep things safe once you have the basics right.
>> access controls and connection filtering. The app/ULP itself doesn't
>> even need to be filter aware as you can do the filtering in the TCP
>> stack on the primary listening socket using the netfilter tools.
>
> Does netfilter work for iWarp? I'm surprised to hear that.
iWARP requires a normal TCP socket to connect to, then the client must
initiate an RDMA transfer, then a new connection is opened for the RDMA
transfers. Blocking the parent dst:port/*:* will prevent these
connections. If you are referring to allowing an untrusted client in
TCP mode but blocking them in RDMA mode, that's more complex and
requires app/ULP support.
>> that goes back to the kernel warning I referred to in my previous email.
>> Let users know what module is making this risky decision and it becomes
>> easy to filter any ports that module's services are listening on.
>
> That's fine, as long as the user is opting it this situation. If I'm
> not using RDMA but have an iWarp card, I should never see the
> message, even if RDMA support is autoloaded by my distro...
See above, an unexpected vulnerability caused by this model should
result in a very obvious kernel message.
>>> A client doing this.. It is alot harder to exploit.. iSER is client
>>> only, so less worrying. Can anyone else think of a way to attack the
>>> client?
>>
>> TCP injection only is all I've got.
>
> Black hat server can also do it, and since it is possible before auth
> it is doable without the server auth credential.
Black hat server is beyond the scope of this discussion.
--
Doug Ledford <dledford@xxxxxxxxxx>
GPG KeyID: 0E572FDD
Attachment:
signature.asc
Description: OpenPGP digital signature
