Re: CURRENT: bhyve and Kernel SamePage Mergin

From: David Chisnall <theraven_at_FreeBSD.org>
Date: Thu, 9 Jun 2016 09:18:40 +0100
If this paper is the one that I think it is, then I was one of the reviewers.  Their attack is neat, but it depends quite a lot on being able to deterministically trigger deduplication.  Their proof-of-concept exploit was on Windows (and JavaScript attack was really fun) and I’m not convinced that it would work reliably on Linux or VMWare ESX, which both defer deduplication for as long as possible to avoid NUMA-related overheads.

We don’t currently have a FreeBSD implementation, but if someone wanted to provide one then a defence against this attack would be fairly simple: count the number of CoW faults that a process is receiving and if it reaches a certain threshold then remove all of its memory from the set of eligible pages.  The attack relies on being able to repeatedly trigger CoW faults and time whether they occur, with the same set of pages.  At least some existing implementations will make this impossible as these pages will repeatedly be deduplicated and then duplicated and this is already a pathological case that most memory deduplication implementations need to handle (as well as being a security hole, it’s also a big performance killer).

Kib has been working on ASLR for FreeBSD (I think it’s in 11?), but at this point it’s more of a checkbox item than a serious mitigation technique.  It adds a little bit of work for attackers, but there are so many attacks that can bypass ASLR even with strong entropy that it just increases the work factor slightly.  If you’re running code written in C, then you’re better off relying on Capscium compartmentalisation to limit what the attacker can do once they’ve compromised it.

David

> On 8 Jun 2016, at 16:01, O. Hartmann <ohartman_at_zedat.fu-berlin.de> wrote:
> 
> A couple of days I got as a responsible personell for a couple of systems a warning about
> the vulnerabilities of the mechanism called "Kernel SamePage Mergin". On this year's IEEE
> symposion there has been submitted a paper by Bosman et al., 2016, describing an attack
> on KSM. This technique, also referred to as memory/page deduplication, seems to be
> vulnerable by design under certain circumstances. I guess the experts of the readers here
> do already know, but I consider myself a non-expert and therefore, I'd like to ask about
> the status of that kind of development in FreeBSD. I read about a project of last year's
> Google Summer of Code 2015 targetting KSM on FreeBSD.
> 
> In Linux, this deduplication techniques is implemented since kernel 2.6.38 and Windows
> Kernel uses this techniques since Windows 8.1 and sibblings (also Windows Server). We
> were strongly advised to disable those "features" in Windows clients, servers and Linux
> servers, if used.
> 
> Other papers describe successful attacks on memory contents and ASLR by misusing KSM. On
> Windows, mmap() entropy is 19bit, on Linux usually 28bit. And FreeBSD (if
> planned/used/already implemented?)? 
> 
> If you are interested I could provide links or PDFs of the papers I already gathered
> about that subject (it is not much, simply google for "KSM FReeBSD" or KSM deduplication
> ASLR).
> 
> Thanks in advance,
> 
> oh


Received on Thu Jun 09 2016 - 06:28:11 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:05 UTC