[memory hardware isolation] Add session content #11
This looks really nice @cristian-vijelie, see the few comments.
Also, will the hardware-isolation directory be used for something else? If not we should just remove it.
hardware-memory-isolation/README.md
You have encountered (hopefully) the main protection mechanism that the hardware uses to ensure memory isolation: pages. | ||
There are other less-known mechanisms for ensuring memory isolation, through which we will go this session: segments, privilege rings, memory protection keys. |
You have encountered (hopefully) the main protection mechanism that the hardware uses to ensure memory isolation: pages. | |
There are other less-known mechanisms for ensuring memory isolation, through which we will go this session: segments, privilege rings, memory protection keys. | |
You have encountered (hopefully) the main protection mechanism that the hardware uses to ensure memory isolation: [pages](...). | |
There are other less-known mechanisms for ensuring memory isolation, through which we will go this session: [segments](...), [privilege rings](...), [memory protection keys](...). |
Leave links to some relevant pages about the topics.
all: | ||
make -C /home/cristi/WSL2-Linux-Kernel M=$(shell pwd) modules | ||
|
||
clean: | ||
make -C /home/cristi/WSL2-Linux-Kernel M=$(shell pwd) clean |
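Review bot: both recipes call `make` directly in the `all` and `clean` targets; use `$(MAKE) -C ...` so that command-line flags and the jobserver are passed down to the kernel build, and declare `all` and `clean` as `.PHONY`. The `-C /home/cristi/WSL2-Linux-Kernel` argument is also a path inside one developer's home directory, so the module will not build on any other machine as written.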
all: | |
make -C /home/cristi/WSL2-Linux-Kernel M=$(shell pwd) modules | |
clean: | |
make -C /home/cristi/WSL2-Linux-Kernel M=$(shell pwd) clean | |
all: | |
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules | |
clean: | |
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean |
Besides this, ask people somewhere in the session to install the kernel header files.
$ apt-cache search linux-headers-`uname -r`
$ sudo apt install linux-headers.....
Also ask them to run this from inside a virtual machine.
|
||
##### Tutorial: Reading the GDT of the Linux Kernel | ||
|
||
Go to the [`read-gdt`](./activities/read-gdt/) folder. |
See the comments on the Makefile.
I like this session. There are places where it could use some improvements. See my comments.
We have the following scenario: | ||
an application wants to change an area of its memory from read-write to read-only, for reasons. | ||
To do this it will call `mprotect` on that area. | ||
What will happen behind the scenes will be that the OS will change permissions for each page that is part of the memory area, then it will flush the TLB. |
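Review bot: "for reasons" on the second line leaves the scenario unmotivated; name one concrete reason an application would switch an area from read-write to read-only, so the reader knows why the example matters. The last line describes the per-page permission change and the TLB flush but stops without a conclusion in the visible text; add a sentence saying what the reader should take from it (for example, that the work is repeated for every page in the area).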
The TLB appears out of nowhere here. Add the concept of MMU + TLB as a prerequisite altogether, together with paging in general.
This allows an application to allocate its pages to a `protection domain`. | ||
When accessing a page, instead of checking only the page permissions, the MMU will also check the protection domain permissions. | ||
|
||
Let's take a practical example: |
This is too much text. Try to make a practical example out of this somehow (hopefully via a tutorial that modifies the PKRU). You can draw some inspiration from here.
Thanks @cristian-vijelie, this looks nice. See my comments below.
|
||
#### Segmentation | ||
|
||
Segmentation is the x86 CPU feature that allows assigning permissions and ownership to a certain memory zone, using segments. |
Add a bit more detail as to what segments represent. They can be easily confused with pages by novices.
But wait, don't we have the `Stack Canary` for the last one? | ||
The main problem with that solution is that the canary is placed on the same memory zone as the return address. | ||
If we can modify the return address, what is stopping someone from reading the canary first, then modifying the return address, while keeping the canary intact? | ||
The shadow stack places a copy of the return address in a separate memory zone, that can be accessed using only some special instructions. |
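Review bot: the third line's bypass depends on the attacker being able to read the canary before overwriting the return address; state that precondition explicitly, since it is the whole argument for moving the protected copy elsewhere. "some special instructions" in the last line is vague: name the instructions or link to their documentation. Minor wording: "placed on the same memory zone" should read "placed in the same memory zone".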
You might want to show how this can be achieved hardware-wise. There are already some compiler-enforced mechanisms similar to this that were, however, deemed not as efficient (ShadowCallStack, SafeStack).
|
||
#### Indirect Branch Tracking | ||
|
||
The main idea behind some attacks is to chain small pieces of code (gadgets), in order to call a system function, usually, in a certain way. |
> usually, in a certain way

This is quite vague.
I'd suggest referring to the ROP session of the Binary track for this since it's beyond the scope of the Hardware track.
No description provided.