kernelmemorysanitizer kmsan signed off by alexander
play

KernelMemorySanitizer (KMSAN) ----------------------------- - PowerPoint PPT Presentation

Nov 02, 2023 •154 likes •554 views

KernelMemorySanitizer (KMSAN) ----------------------------- Signed-off-by: Alexander Potapenko <glider@google.com> Dynamic Tools Team @ Google --------------------------- Userspace tools: * ASan, LSan, MSan, TSan, UBSan * libFuzzer

  1. KernelMemorySanitizer (KMSAN) ----------------------------- Signed-off-by: Alexander Potapenko <glider@google.com>

  2. Dynamic Tools Team @ Google --------------------------- Userspace tools: * ASan, LSan, MSan, TSan, UBSan * libFuzzer (coverage-based userspace fuzzer) * control flow integrity in LLVM * tens of thousands bugs in Google and opensource code Kernel tools: * KASAN, KMSAN, KTSAN (prototype) * syzkaller (coverage-based kernel fuzzer) * hundreds of bugs in the kernel(s)

  3. MemorySanitizer (MSan) ---------------------- * around since 2012 * detects uses of uninitialized values in the userspace * found 2000+ bugs * works on big programs (think Chrome or server-side apps) See also: "MemorySanitizer: fast detector of uninitialized memory use in C++" by E. Stepanov and K. Serebryany, CGO 2015

  4. KernelMemorySanitizer (KMSAN) ----------------------------- * detects uses of uninitialized values in the kernel

  5. What one might think KMSAN does ------------------------------- int a; int b = c + a; // report reading of uninit a or: int p = a; copy_to_user(u, &p, 4); // don't report since p is inited This is useless: both false positives and false negatives!

  6. What KMSAN actually does ------------------------ int a; if (flag) a = 1; // initialized b = c + a; // not a "use" if (flag) copy_to_user(p, &b, 4); // use: don't report

  7. What KMSAN actually does (contd.) --------------------------------- int x; // uninitialized int a = x; // still uninitialized copy_to_user(p, &a, 4); // use: report an error

  8. KernelMemorySanitizer (KMSAN) ----------------------------- * detects uses of uninitialized values in the kernel: - conditions - pointer dereferencing and indexing - values copied to the userspace, hardware etc.

  9. Example 1 --------- struct config *update_config(struct config *conf) { if (!conf) conf = kmalloc(CONFIG_SIZE, GFP_KERNEL) do_update(conf); return conf; } void do_update(struct config *conf) { if (conf->is_root) allow_everything(conf); }

  10. Example 2 --------- int socket_bind(int sockfd, __user struct sockaddr *uaddr, int ulen) { struct sockaddr kaddr; if (ulen > sizeof(struct sockaddr) || ulen < 0) return -EINVAL; copy_from_user(&kaddr, uaddr, ulen); return do_bind(sockfd, &kaddr); }

  11. Example 3 --------- void put_dev_name_32(struct device *dev, __user char *buf) { char name[32]; strncpy(name, dev->name, 32); if (buf) copy_to_user(buf, name, 32); }

  12. KernelMemorySanitizer (KMSAN) ----------------------------- * detects uses of uninitialized values in the kernel: - conditions - pointer dereferencing and indexing - values copied to the userspace, hardware etc. * almost working since April 2017 * found/fixed 13 bugs (and counting) * based on MSan * therefore requires Clang

  13. KernelMemorySanitizer (KMSAN) ----------------------------- * detects uses of uninitialized values in the kernel - conditions - pointer dereferencing and indexing - values copied to the userspace, hardware etc. * almost working since April 2017 * found/fixed 13 bugs (and counting) * based on MSan * therefore requires Clang * life is too short to hack GCC `\_("/)_/`

  14. Sample report (redacted) ------------------------ BUG: KMSAN: use of unitialized memory in strlen __msan_warning32 mm/kmsan/kmsan_instr.c:424 strlen lib/string.c:484 strlcpy lib/string.c:144 packet_bind_spkt net/packet/af_packet.c:3132 SYSC_bind net/socket.c:1370 origin: __msan_set_alloca_origin4 mm/kmsan/kmsan_instr.c:380 SYSC_bind net/socket.c:1356 SyS_bind net/socket.c:1356 origin description: ----address@SYSC_bind

  15. Shadow memory ------------- Bit to bit shadow mapping * struct page { ... struct page *shadow; ... }; * "1" means "poisoned" (uninitialized) Uninitialized memory: * kmalloc() * local stack objects Writing a constant to memory unpoisons it Shadow is propagated through arithmetics and memory accesses

  16. Compiler instrumentation ------------------------ $ clang -fsanitize=kernel-memory adding code that: * poisons local variables * handles loads and stores * propagates shadow through arithmetic operations * passes shadow to/from function calls * performs shadow checks

  17. Poisoning locals ---------------- void foo() { int a = 1; char b[8]; }

  18. Poisoning locals ---------------- void foo() { int a = 1; __msan_unpoison(&a, 4); char b[8]; __msan_poison_alloca(b, 8, "b"); }

  19. Instrumenting loads and stores ------------------------------ void copy(char *from, char *to) { if (!from) *to = -1; } else { *to = *from; } }

  20. Instrumenting loads and stores ------------------------------ void copy(char *from, char *to) { if (!from) *to = -1; __msan_store_shadow_1(to, 0); } else { u64 shadow = __msan_load_shadow_1(from); *to = *from; __msan_store_shadow_1(to, shadow); } }

  21. Shadow propagation ------------------ 0b00??1101 & 0b000011?1 is always initialized A = B + C ==> A' = B' | C' A = B << C ==> A' = B' << C A = B & C ==> A' = (B' & C') | (B' & ~C) | (~B & C') * helps to minimize the number of false positives * somewhat similar to Valgrind, but working with SSA registers at compile time - we can leverage compiler optimizations * operations are sometimes approximated for efficiency

  22. Instrumenting function calls ---------------------------- int sum_n(int n) { if (n == 0) { return 0; } int sum_rec = sum_n(n - 1); return n + sum_rec; }

  23. Instrumenting function calls ---------------------------- int sum_n(int n) { kmsan_context_state *s = __msan_get_context_state(); int shadow_n = s->args[0]; if (n == 0) { s->ret = 0; return 0; } int sum_rec = sum_n(n - 1); s->ret = shadow_n | s->ret; return n + sum_rec; }

  24. Adding shadow checks -------------------- if (i >= 0) { res = a[i]; }

  25. Adding shadow checks -------------------- if (__msan_load_shadow_4(&i) & INT_MIN) __msan_warning(); if (i >= 0) { if (__msan_load_shadow_4(a) || __msan_load_shadow_4(&i)) __msan_warning(); u64 shadow = __msan_load_shadow_4(&a[i]); res = a[i]; __msan_store_shadow(&res, shadow); }

  26. Tracking origins ---------------- a = kmalloc(...); ... b = kmalloc(...); ... memcpy(c, b, sizeof(*b)); ... d = *a + *c; ... if (d) ... // Which argument is guilty in the case of UMR?

  27. Tracking origins (contd.) ------------------------- * when an uninit value is allocated: - put the stack into the stack depot (lib/stackdepot.c) - for each 4 bytes of allocated memory, store the 4-byte stack ID into the secondary shadow * when the memory is copied: - create a new origin from the current stack and the previous origin * when two values are used in an expression: - take the origin of the first uninitialized operand

  28. Handling non-instrumented code ------------------------------ * asm() in *.c: - check that inputs are initialized - outputs are unpoisoned * can't instrument around 40 files: - arch/x86/... - mm/... - *.S * KMSAN_SANITIZE_filename.o := n - no instrumentation - locals, function args, return values may be dirty

  29. Closing the gap --------------- * __attribute__((no_sanitize("kernel-memory"))) - no shadow propagation, unpoison locals and stores * kmsan_poison_memory() - kmalloc() * kmsan_unpoison_memory() - copy_from_user() - struct pt_regs in interrupts - RNGs * kmsan_check_memory() - copy_to_user() - hardware (send to network, write to disk)

  30. What about kmemcheck? --------------------- * When did you last run kmemcheck? - 1 commit fixing a bug from kmemcheck in 2017, 4 in 2014 - 1 false positive in 2016, 1 in 2014 * Throughput in `netperf -l 30` - nodebug: 39056.37 - kasan: 5217.185 - kmsan: 478.96 (there's still room for improvement) - kmemcheck: was 2000 times slower than nodebug in 2015

  31. Long shot: taint analysis ------------------------- * use shadow to indicate that a value came from an untrusted source * use origin to mark the place where this value was obtained * call kmsan_check_memory() at places where we expect only trusted data # There's also another Clang tool, DFSan, which can help.

  32. Long shot: fuzzing assistance ----------------------------- We already have instrumentation of comparison instructions and switch statements in LLVM: * for each comparison, insert instrument_cmp(arg1, arg2) * if either arg1 or arg2 can be found in the input [1], try to mutate that input But the value's presence in the input doesn't guarantee the input actually affects this value! [1] - or some f(argi) can be found in the input

  33. Long shot: fuzzing assistance (contd.) -------------------------------------- * poison each argument of each syscall and assign a unique origin to it * for each comparison: if (shadow1 | shadow2) instrument_cmp(arg1, sh1, orig1, arg2, sh2, orig2); * mutate only the arguments that really affect arg1 or arg2

  34. Food for thought ---------------- CVE-2017-1000380: data race on /dev/snd/timer allows the attacker to read uninitialized heap memory. In fact, a user with access to the device was able to e.g. read the data another user wrote into a file or socket. Can we do something to kill all uninit bugs? (Something smarter than s/kmalloc/kzalloc ?)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Zaslavskys Theorem on acyclic orientations of signed graphs Definitions: is a signed graph

Zaslavskys Theorem on acyclic orientations of signed graphs Definitions: is a signed graph

Zaslavskys Theorem on acyclic orientations of signed graphs Definitions: is a signed graph is the function that assigns +1 or -1 to each edge k is a signed coloring of , k is proper if k(v) - (e)k(w) is nonzero for all e = vw is an

148 views • 11 slides
Signed numbers Goals unsigned numbers - non-negative integers signed numbers - positive/negative

Signed numbers Goals unsigned numbers - non-negative integers signed numbers - positive/negative

Signed numbers Goals unsigned numbers - non-negative integers signed numbers - positive/negative numbers represent negative numbers Chapter 10: Signed Addition twos complement representation Many ways to represent signed numbers add &amp;

301 views • 7 slides
Hannenhalli-Pevzner Theory Signed, unichromosomal genomes Operation: reversal (signed)

Hannenhalli-Pevzner Theory Signed, unichromosomal genomes Operation: reversal (signed)

Hannenhalli-Pevzner Theory Signed, unichromosomal genomes Operation: reversal (signed) Polynomial time algorithms for distance &amp; operations First polynomial result for a realistic model of genome rearrangements HP Theory

239 views • 10 slides
MULTIPLICATION p = x y x (multiplicand), y (multiplier), and p (product) signed integers

MULTIPLICATION p = x y x (multiplicand), y (multiplier), and p (product) signed integers

1 MULTIPLICATION p = x y x (multiplicand), y (multiplier), and p (product) signed integers SCHEMES a) SEQUENTIAL ADD-SHIFT RECURRENCE CPA, CSA, SIGNED-DIGIT ADDER HIGHER RADIX AND RECODING b) COMBINATIONAL CPA, CSA,

808 views • 54 slides
Raymarching Signed Distance Fields To raytrace or raycast implicit functions, consider signed

Raymarching Signed Distance Fields To raytrace or raycast implicit functions, consider signed

Raymarching Signed Distance Fields To raytrace or raycast implicit functions, consider signed distance fields . 1. Fire ray into scene 2. At each step, measure distance field function: d = [distance to nearest object in scene] 3. Advance ray

403 views • 4 slides
Signed posets and a B -symmetric generalization of Stanleys acyclicity theorem Jake Huryn, Kat

Signed posets and a B -symmetric generalization of Stanleys acyclicity theorem Jake Huryn, Kat

Signed graphs Colorings Acyclic orientations References Signed posets and a B -symmetric generalization of Stanleys acyclicity theorem Jake Huryn, Kat Husar, and Hannah Johnson joint work with Eric Fawcett, Torey Hilbert and Mikey Reilly

878 views • 59 slides
Origin-Signed Exchanges draft-yasskin-http-origin-signed-responses-03 Jeffrey Yasskin, Chromium

Origin-Signed Exchanges draft-yasskin-http-origin-signed-responses-03 Jeffrey Yasskin, Chromium

Origin-Signed Exchanges draft-yasskin-http-origin-signed-responses-03 Jeffrey Yasskin, Chromium IETF 101 March 2018 Use Cases From draft-yasskin-webpackage-use-cases-01: Privacy-preserving prefetch This, with other changes, lets

736 views • 12 slides
On the average number of reversals needed to sort signed permutations 1 Thaynara Arielly de Lima

On the average number of reversals needed to sort signed permutations 1 Thaynara Arielly de Lima

Introduction Sorting signed permutations Conclusion On the average number of reversals needed to sort signed permutations 1 Thaynara Arielly de Lima &amp; 1 , 2 Mauricio Ayala-Rinc on atica 1 &amp; Ci ao 2 Departamentos de Matem encia

795 views • 46 slides
Denial Letters PLEASE NOTE: MGP no longer send automated denial letters signed by the Dean of the

Denial Letters PLEASE NOTE: MGP no longer send automated denial letters signed by the Dean of the

Denial Letters PLEASE NOTE: MGP no longer send automated denial letters signed by the Dean of the Graduate School. Your program is now responsible for setting up a customized denial email template signed by the authority of your choice

938 views • 9 slides
Poster #190 1 Spectral Clustering of Signed Graphs Poster #190 Our Goal: Extend Spectral

Poster #190 1 Spectral Clustering of Signed Graphs Poster #190 Our Goal: Extend Spectral

Spectral Clustering of Signed Graphs via Matrix Power Means Pedro Mercado, Francesco Tudisco and Matthias Hein ICML 2019, Long Beach, USA Poster #190 1 Spectral Clustering of Signed Graphs Poster #190 Our Goal: Extend Spectral Clustering to

106 views • 7 slides
Alexander Ostrovsky (1823-1886) 1 1 Alexander Ostrovsky , Wikipedia ,

Alexander Ostrovsky (1823-1886) 1 1 Alexander Ostrovsky , Wikipedia ,

Alexander Ostrovsky (1823-1886) 1 1 Alexander Ostrovsky , Wikipedia , http://en.wikipedia.org/wiki/File:Wassilij_Grigorjewitsch_Perow_003.jpg 110629 Bibliotheca Alexandrina Compiled by: Ahmed Ghazi, Basma

239 views • 8 slides
Compiling the Linux kernel with LLVM tools FOSDEM 19 Signed-off-by: Bill Wendling

Compiling the Linux kernel with LLVM tools FOSDEM 19 Signed-off-by: Bill Wendling

Compiling the Linux kernel with LLVM tools FOSDEM 19 Signed-off-by: Bill Wendling &lt;morbo@google.com&gt; Signed-off-by: Nick Desaulniers &lt;ndesaulniers@google.com&gt; Goals Improve the Linux kernel Additional warning coverage

344 views • 13 slides
Balance and Clustering in Signed Graphs Thomas Zaslavsky Binghamton University (State University

Balance and Clustering in Signed Graphs Thomas Zaslavsky Binghamton University (State University

Balance and Clustering in Signed Graphs Thomas Zaslavsky Binghamton University (State University of New York) C R Rao Advanced Institute of Mathematics, Statistics and Computer Science 26 July 2010 Outline 1. Signed Graphs 2. Balance 3.

411 views • 20 slides
ALEXANDER MILES INVENTED THE ELEVATOR Kalaya S Alexander Miles was born in Duluth, MN.

ALEXANDER MILES INVENTED THE ELEVATOR Kalaya S Alexander Miles was born in Duluth, MN.

ALEXANDER MILES INVENTED THE ELEVATOR Kalaya S Alexander Miles was born in Duluth, MN. He got married and his wife's name was Mrs.Candace and they had a kid named Grace. Alexander Miles was born May 18,1838. He died May 7, 1918

357 views • 9 slides
Uniform and Appearance Policy Date: May 2018 To be reviewed May 2021 Signed:

Uniform and Appearance Policy Date: May 2018 To be reviewed May 2021 Signed:

Uniform and Appearance Policy Date: May 2018 To be reviewed May 2021 Signed: ________________________________ Executive Headteacher ________________ Date Signed: ________________________________ Chair of Governors

486 views • 10 slides
O signed into law the Controlling the Sending messages from e-mail accounts or Assault of

O signed into law the Controlling the Sending messages from e-mail accounts or Assault of

G The Tech Group Alert January 2004 The CAN-SPAM Act: Federal Government Regulates Unsolicited Commercial E-mail By David Leit, Esq. n December 16, 2003, President Bush Falsifying header information; O signed into law the Controlling

239 views • 3 slides
NICMOS Data Processing Software in STSDAS Ivo C. Busko Space Telescope Science Institute,

NICMOS Data Processing Software in STSDAS Ivo C. Busko Space Telescope Science Institute,

1997 HST Calibration Workshop Space Telescope Science Institute, 1997 S. Casertano, et al., eds. NICMOS Data Processing Software in STSDAS Ivo C. Busko Space Telescope Science Institute, Baltimore 1. Motivation Until now the standard form of

57 views • 5 slides
A Plan to Move One Region Forward First Rough Draft Review March 5, 2014 What we are doing

A Plan to Move One Region Forward First Rough Draft Review March 5, 2014 What we are doing

towards a more sustainable Buffalo Niagara A Plan to Move One Region Forward First Rough Draft Review March 5, 2014 What we are doing today 1. Welcome, Introductions and Review 2. Project-wide update 3. Working Team Progress Report,

1.47k views • 77 slides
Commissioners Court: Postings, Agendas &amp; the Open Meetings Act Mary Cunningham, Judicial

Commissioners Court: Postings, Agendas &amp; the Open Meetings Act Mary Cunningham, Judicial

Commissioners Court: Postings, Agendas &amp; the Open Meetings Act Mary Cunningham, Judicial Project Manager Office: (512) 478-8753 County Court Assistants Training February 2019 COMMISSIONERS COURT Not the same as constitutional county

458 views • 21 slides
NRM Long Term Monitoring Using Open Source Software Collect Earth Louwrens Ferreira 6 October

NRM Long Term Monitoring Using Open Source Software Collect Earth Louwrens Ferreira 6 October

NRM Long Term Monitoring Using Open Source Software Collect Earth Louwrens Ferreira 6 October 2017 Introduction The natural resource management programme started out in 1995 and was only known as Working for Water The main focus

294 views • 12 slides
Delivering Sensor &amp; Microelectronic Solutions Worldwide Over 500 million die shipped per

Delivering Sensor &amp; Microelectronic Solutions Worldwide Over 500 million die shipped per

Delivering Sensor &amp; Microelectronic Solutions Worldwide Over 500 million die shipped per year www.semefab.com www.semefab.com &gt;500 Million die shipped per year Our Vision To put Semefab at the heart of todays life enhancing

758 views • 54 slides
PreK12 Instructional Program Pathways (IPP) School Board Work Session February 12, 2019

PreK12 Instructional Program Pathways (IPP) School Board Work Session February 12, 2019

PreK12 Instructional Program Pathways (IPP) School Board Work Session February 12, 2019 Agenda Time Topic Facilitator Reid Goldstein 7:00 Welcome and Introductions Dr. Patrick Murphy Setting the Context Dr. Tara Nattrass 7:05

626 views • 45 slides
Salzer Electronics Limited Investor Presentation September 2017 Disclaimer This presentation has

Salzer Electronics Limited Investor Presentation September 2017 Disclaimer This presentation has

Salzer Electronics Limited Investor Presentation September 2017 Disclaimer This presentation has been prepared by Salzer Electronics Limited (the Copa) solely for information purposes and does not constitute any offer,

729 views • 39 slides
Other Kinds of Semantics Introduction to Operational Semantics Denotational semantics

Other Kinds of Semantics Introduction to Operational Semantics Denotational semantics

Lecture Outline COOL operational semantics Operational Semantics of Cool Motivation Notation Adapted from Lectures by Profs. Alex Aiken and George Necula (UCB) The rules CS781(Prasad) L24CG 2 CS781(Prasad) L24CG 1

320 views • 7 slides

More recommend