[trustable-software] Learning how to trust the Linux kernel
trustable at panic.fluff.org
Wed Jun 17 09:21:24 BST 2020
Paul,
This is an interesting article but in fact mistaken; your initial
assumptions about the behaviour of systems are just incorrect.
The data you present to support your case in these arguments has a
ludicrously small sample size, and there is no comment about whether the
same kernel was consistently used.
The article makes the assumption that in fact you can, in a reproducible
and statistically sensible manner, produce an artifact which can be
reasoned about, as you have in this piece.
As has been consistently shown, by Codethink and others, the ability to
produce such a reproducible artifact is complex and hard. Without this, the
attempt to reason about linkage behaviour and the ability to re-use code
leads to a misunderstanding of whether your static analysis approach is
in fact reasonable. I would argue that without such a reproducible,
known-lineage artifact, any argument about whether the static analysis has
value is probably unsupportable.
However, the approaches of both SMEP and SMAP in my view have more value.
This is particularly because they have an impact on behaviour which is in the
execution cycles. It does raise a question about what the level of
value is here, particularly given that the approaches they take require code
itself to be linked from libraries you don't have the necessary audit or
linkage details of.
It should be noted that bypassing both of these approaches has now become
widely understood; in particular, approaches using page table matching
for userspace/kernel space synonyms [1] are well understood, and the ability
to place these within your tool chain without notice is again a far from
impossible approach.
In effect, you are not checking your ingredients that are going into your
pharmaceutical and hoping that it doesn't kill people.
Given that you don't understand how things are constructed, or don't do so
reproducibly, it would be relatively easy to infect the code chain via the
compiler in a way static analysis wouldn't spot and that would allow SMAP
bypassing.
Edmund
[1] https://www.blackhat.com/docs/eu-14/materials/eu-14-Kemerlis-Ret2dir-Deconstructing-Kernel-Isolation.pdf
--
========================================================================
Edmund J. Sutcliffe Thoughtful Solutions; Creatively
<edmunds at panic.fluff.org> Implemented and Communicated
<http://panic.fluff.org> +44 (0) 7976 938841