CVS commit: src

To: source-changes%NetBSD.org@localhost
Subject: CVS commit: src
From: "Maxime Villard" <maxv%netbsd.org@localhost>
Date: Sun, 2 Dec 2018 21:00:14 +0000

Module Name:    src
Committed By:   maxv
Date:           Sun Dec  2 21:00:13 UTC 2018

Modified Files:
        src/share/mk: bsd.sys.mk
        src/sys/arch/amd64/conf: GENERIC
        src/sys/arch/amd64/include: param.h
        src/sys/conf: files ssp.mk
        src/sys/kern: files.kern subr_pool.c sys_syscall.c
        src/sys/sys: systm.h
        src/sys/uvm: uvm_km.c
Added Files:
        src/sys/arch/amd64/include: kleak.h
        src/sys/kern: subr_kleak.c
        src/usr.sbin/kleak: Makefile kleak.c

Log Message:
Introduce KLEAK, a new feature that can detect kernel information leaks.

It works by tainting memory sources with marker values, letting the data
travel through the kernel, and scanning the kernel<->user frontier for
these marker values. Combined with compiler instrumentation and rotation
of the markers, it is able to yield relevant results with little effort.

We taint the pools and the stack, and scan copyout/copyoutstr. KLEAK is
supported on amd64 only for now, but it is not complicated to add more
architectures (just a matter of having the address of .text, and a stack
unwinder).

A userland tool is provided, that allows to execute a command in rounds
and monitor the leaks generated all the while.

KLEAK already detected directly 12 kernel info leaks, and prompted changes
that in total fixed 25+ leaks.

Based on an idea developed jointly with Thomas Barabosch (of Fraunhofer
FKIE).


To generate a diff of this commit:
cvs rdiff -u -r1.286 -r1.287 src/share/mk/bsd.sys.mk
cvs rdiff -u -r1.508 -r1.509 src/sys/arch/amd64/conf/GENERIC
cvs rdiff -u -r0 -r1.1 src/sys/arch/amd64/include/kleak.h
cvs rdiff -u -r1.26 -r1.27 src/sys/arch/amd64/include/param.h
cvs rdiff -u -r1.1216 -r1.1217 src/sys/conf/files
cvs rdiff -u -r1.2 -r1.3 src/sys/conf/ssp.mk
cvs rdiff -u -r1.25 -r1.26 src/sys/kern/files.kern
cvs rdiff -u -r0 -r1.1 src/sys/kern/subr_kleak.c
cvs rdiff -u -r1.227 -r1.228 src/sys/kern/subr_pool.c
cvs rdiff -u -r1.11 -r1.12 src/sys/kern/sys_syscall.c
cvs rdiff -u -r1.279 -r1.280 src/sys/sys/systm.h
cvs rdiff -u -r1.145 -r1.146 src/sys/uvm/uvm_km.c
cvs rdiff -u -r0 -r1.1 src/usr.sbin/kleak/Makefile src/usr.sbin/kleak/kleak.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Prev by Date: CVS commit: src/sys/arch/aarch64/include
Next by Date: CVS commit: src/sys/kern
Previous by Thread: CVS commit: src/sys/arch/aarch64/include
Next by Thread: CVS commit: src/sys/kern
Indexes:

Home | Main Index | Thread Index | Old Index