[trustable-software] Learning how to trust the Linux kernel

trustable at panic.fluff.org
Wed Jun 17 09:21:24 BST 2020


Paul,

This is an interesting article but in fact mistaken; your initial 
assumptions about the behaviour of systems are just incorrect.

The data you present to support your case in these arguments has a 
ludicrously small sample size, and there is no comment about whether the 
same kernel was consistently used.

The article makes the assumption that in fact you can, in a reproducible 
and statistically sensible manner, produce an artifact which can be 
reasoned about, as you have in this piece.

As has been consistently shown, by Codethink and others, the ability to 
produce such a reproducible artifact is complex and hard. Without this, the 
attempt to reason about linkage behaviour and the ability to re-use code 
leads to a misunderstanding of whether your static analysis approach is 
in fact reasonable. I would argue that without such a reproducible, known 
lineage artifact, any argument about whether the static analysis has 
any value is probably unsupportable.

However, the approaches of both SMEP and SMAP in my view have more value. 
This is particularly because they have an impact on behaviour which is in the 
execution cycles. It does raise a question about what the level of 
value is here, particularly given the approaches they take require code 
itself to be linked from libraries you don't have the necessary audit or 
linkage details of.


It should be noted that bypassing both of these approaches has now become 
widely understood; in particular, approaches using page table matching 
for userspace/kernel space synonyms [1] are well understood, and the ability 
to place these within your tool chain without notice is again a far from 
impossible approach.

In effect, you are not checking your ingredients that are going into your 
pharmaceutical and hoping that it doesn't kill people.

Given you don't understand how things are constructed or do so 
reproducibly, it would be relatively easy to infect the code chain via the 
compiler in a way static analysis wouldn't spot and would allow SMAP 
bypassing.

Edmund


[1] 
https://www.blackhat.com/docs/eu-14/materials/eu-14-Kemerlis-Ret2dir-Deconstructing-Kernel-Isolation.pdf
-- 
========================================================================
Edmund J. Sutcliffe                     Thoughtful Solutions; Creatively
<edmunds at panic.fluff.org>               Implemented and Communicated
<http://panic.fluff.org>                +44 (0) 7976 938841