Linux - PROT_NONE, L1TF mitigation and layer address translation fix #1335
Conversation
There was a problem hiding this comment.
Roughly happy with the concept, but needs to be more accurate on what's linux and what's general Intel. I'm a little concern that we're exposing the guts of the layer and that not that many parameters need to be accessible by the OS/outside the layer (we did name method starting with _ for a reason). If we're happy it's all important and necessary then it's not far off getting merged.
|
Hey @ikelos, I believe everything has been addressed in this PR. Are you waiting on anything else from me, or it's just you haven't had a chance to review it yet? |
There was a problem hiding this comment.
Ok, still can't entirely see why some of those need pulling out into properties rather than just one off variables defined at the class level, but I accept the point about documenting clearly. I'd prefer not to let ~ sneak in, but I'm pretty sure Andrew managed to sneak some in in the past, so I'll let it slide if you want. Just shout when you want it merged.
Also, this is a deep change to the core Intel layer, so after merge please keep a close eye on general use for the first week or two after merge, and longer term for tickets that might be because of this for a couple months. I've cut the release branch before this so that we get a few more months testing of it before it goes live.
| # Note that within the Intel class it's a class method. However, since it uses | ||
| # complement operations and we are working in Python, it would be more careful to | ||
| # limit it to the architecture's pointer size. | ||
| return ~(self.page_size - 1) & self._register_mask |
There was a problem hiding this comment.
Yeah, I'm not a big fan of ~ in python, just because python ints can be any size. If you're happy this will work properly I'll accept it, but I'd prefer some maths using the known actual limit to form the complement...
|
|
||
| @functools.cached_property | ||
| def _pte_flags_mask(self) -> int: | ||
| return ~self._pte_pfn_mask & self._register_mask |
This PR introduces improvements and fixes for address translation in the Linux Intel layers
PROT_NONE pages
First, this PR fixes one of the oldest issues in the queue #134, adding support for PROT_NONE protected pages.
Using the @gleeda PoC from their excellent post Using mprotect PROT_NONE on Linux.
$ ./victim PID 2116 buffer at 0x76f63a132000 <= PROT_NONE vma buffer2 at 0x76f63a133000Before:
After:
Intel Side Channel Vulnerability L1TF mitigation.
In 2018, to mitigate Intel's L1TF (L1 Terminal Fault) vulnerability, that code in Linux kernel was again updated in this commit, incorporating PTE inversion to calculate the PFN. This PR includes support for handling these cases as well.
__PHYSICAL_MASK_SHIFT and _maxphyaddr
While addressing the previous issues, I found that the changes didn't work for older kernels. After further investigation, it turned out the problem was the
physical_maskand the reason was this commit.In the Linux kernel, the __PHYSICAL_MASK_SHIFT is a mask used to extract the physical address from a PTE. In Volatility3, this is referred to as
_maxphyaddr.Until kernel version 4.17, Linux x86-64 used a 46-bit mask. With this commit, this was extended to 52 bits, applying to both 4 and 5-level page tables.
We previously used 52 bits for all Intel 64-bit systems, but this produced incorrect results for PROT_NONE pages. Since the mask value is defined by a preprocessor macro, it's difficult to detect the exact bit shift used in the current kernel.
Using 46 bits has proven reliable for our use case, as seen in tools like crashtool. See this and this.