LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Kernel page

Recent Features

LWN.net Weekly Edition for October 3, 2013

Integrity and embedded devices

NUMA scheduling progress

LWN.net Weekly Edition for September 26, 2013

A perf ABI fix

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Supervisor mode access prevention

By Jonathan Corbet
September 26, 2012
Operating system designers and hardware designers tend to put a lot of thought into how the kernel can be protected from user-space processes. The security of the system as a whole depends on that protection. But there can also be value in protecting user space from the kernel. The Linux kernel will soon have support for a new Intel processor feature intended to make that possible.

Under anything but the strangest (out of tree) memory configurations, the kernel's memory is always mapped, so user-space code could conceivably read and modify it. But the page protections are set to disallow that access; any attempt by user space to examine or modify the kernel's part of the address space will result in a segmentation violation (SIGSEGV) signal. Access in the other direction is rather less controlled: when the processor is in kernel mode, it has full access to any address that is valid in the page tables. Or nearly full access; the processor will still not normally allow writes to read-only memory, but that check can be disabled when the need arises.

Intel's new "Supervisor Mode Access Prevention" (SMAP) feature changes that situation; those wanting the details can find them starting on page 408 of this reference manual [PDF]. This extension defines a new SMAP bit in the CR4 control register; when that bit is set, any attempt to access user-space memory while running in a privileged mode will lead to a page fault. Linux support for this feature has been posted by H. Peter Anvin to generally positive reviews; it could show up in the mainline as early as 3.7.

Naturally, there are times when the kernel needs to work with user-space memory. To that end, Intel has defined a separate "AC" flag that controls the SMAP feature. If the AC flag is set, SMAP protection is in force; otherwise access to user-space memory is allowed. Two new instructions (STAC and CLAC) are provided to manipulate that flag relatively quickly. Unsurprisingly, much of Peter's patch set is concerned with adding STAC and CLAC instructions in the right places. User-space access functions (get_user(), for example, or copy_to_user()) clearly need to have user-space access enabled. Other places include transitions between kernel and user mode, futex operations, floating-point unit state saving, and so on. Signal handling, as usual, has special requirements; Peter had to make some significant changes to allow signal delivery to happen without excessive overhead.

Speaking of overhead, support for this feature will clearly have its costs. User-space access functions tend to be expanded inline, so there will be a lot of STAC and CLAC instructions spread around the kernel. The "alternatives" mechanism is used to patch them out if the SMAP feature is not in use (either not supported by the kernel or disabled with the nosmap boot flag), but the kernel will grow a little regardless. The STAC and CLAC instructions also require a little time to execute. Thus far, no benchmarks have been posted to quantify what the cost is; one assumes that it is small but not nonexistent.

The kernel will treat SMAP violations like it treats any other bad pointer access: the result will be an oops.

One might well ask what the value of this protection is, given that the kernel can turn it off at will. The answer is that it can block a whole class of exploits where the kernel is fooled into reading from (or writing to) user-space memory by mistake. The set of null pointer vulnerabilities exposed a few years ago is one obvious example. There have been many situations where an attacker has found a way to get the kernel to use a bad pointer, while the cases where the attacker could execute arbitrary code in kernel space (before exploiting the bad pointer) have been far less common. SMAP should block the more common attacks nicely.

The other benefit, of course, is simply finding kernel bugs. Driver writers (should) know that they cannot dereference user-space pointers directly from the kernel, but code that does so tends to work on some architectures anyway. With SMAP enabled, that kind of mistake will be found and fixed earlier, before the bad code is shipped in a mainline kernel. As is so often the case, there is real value in having the system enforce the rules that developers are supposed to be following.

Linus liked the patch set and nobody else has complained, so the changes have found their way into the "tip" tree. That makes it quite likely that we will see them again quite soon, probably once the 3.7 merge window opens. It will take a little longer, though, to get processors that support this feature; SMAP is set to first appear in the Haswell line, which should start shipping in 2013. But, once the hardware is available, Linux will be able to take advantage of this new feature.

(Log in to post comments)

Supervisor mode access prevention

Posted Sep 27, 2012 1:05 UTC (Thu) by spender (subscriber, #23067) [Link]

Users of grsecurity and PaX have had this same protection (and more) for the past 6 years. See: http://forums.grsecurity.net/viewtopic.php?f=7&t=3046

Interestingly, SMAP now makes kernel infoleak vulns even more valuable. Again in this case, as the blog mentions, we're in the lead with several features specifically targeting information leaks.

Regarding what upstream bugs this functionality discovered (generally pertaining to x86-specific hardware as architectures like SPARC would have picked up the errors in core code), I discussed it in my Linux Security Summit presentation in 2010. See: http://grsecurity.net/spender_summit.pdf ,slide 9.

Funny how the writers of history forget these things.

-Brad

Supervisor mode access prevention

Posted Sep 27, 2012 8:21 UTC (Thu) by liljencrantz (guest, #28458) [Link]

But at least you're not bitter!

Supervisor mode access prevention

Posted Oct 4, 2012 6:02 UTC (Thu) by kevinm (guest, #69913) [Link]

But that protection was only for those running 32 bit x86 PaX kernels, right? The vestigial segmentation support in x86-64 isn't sufficient for that method to work.

This new hardware feature will work in x86-64 kernels (as you'd expect).

Supervisor mode access prevention

Posted Oct 4, 2012 8:43 UTC (Thu) by PaXTeam (subscriber, #24616) [Link]

> But that protection was only for those running 32 bit x86 PaX kernels, right?
> The vestigial segmentation support in x86-64 isn't sufficient for that method to work.

i implemented UDEREF on amd64 as well some years ago, but it's a lot less efficient.

> This new hardware feature will work in x86-64 kernels (as you'd expect).

and unfortunately it'll still provide less security than the by then 7-year-old UDEREF/i386 feature in PaX. so SMAP is a step in the right direction, but Intel could have done better, it'd have cost them nothing to make this feature really powerful for certain kernel self-protection purposes. there's some hope that they'll make it better in the next iteration.

Good to see the code early

Posted Oct 5, 2012 16:13 UTC (Fri) by alex (subscriber, #1355) [Link]

It's nice to get early visibility of the code before silicon starts shipping to users. It makes a change from the post-release code dumps.

Haswell without smap?

Posted Jun 6, 2013 9:53 UTC (Thu) by bartsch (guest, #89377) [Link]

As the first tests and benchmarks float in on various sites, I'm missing something. I haven't seen any /proc/cpuinfo dump with "smap" within the flags. It should be there, right? (Given that the kernel has this feature enabled.)

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds