Security
ARM pointer authentication
Many exploits come down to convincing code (kernel or otherwise) to access a pointer that was crafted by the attacker. Buffer-overflow exploits and return-oriented programming, for example, both rely on placing a pointer where a return address is expected; when the processor "returns" to that address, the attacker takes control. Much of the hardening work over the years has focused on making it harder to overwrite addresses in this way. But, as demonstrated by a recent kernel patch set, there may be another way: using a new ARM processor feature to detect and reject crafted addresses.In particular, the ARM 8.3 architecture added a feature called "pointer authentication"; its purpose is to detect pointers created by an external entity. In essence, it attaches a cryptographic signature to pointer values; those signatures can be verified before a pointer is used. An attacker, lacking the key used to create the signatures, is unlikely to be able to create valid pointers for use in an exploit.
Contemporary processors use 64-bit pointer values, but not all of those bits are actually significant. On an ARM64 Linux system using three-level page tables, only the bottom 40 bits are used, while the remaining 24 are equal to the highest significant bit — the 40-bit address is sign-extended to 64 bits, in other words. (For the curious, Documentation/arm64/memory.txt describes the virtual address space layout on ARM64 systems). Those uppermost bits (or a subset thereof) could be put to other uses, including holding an authentication code.
That code is calculated from three values: the pointer itself, a secret key hidden in the process context, and a third value like the current stack pointer. The secret key is intended to make it impossible for an attacker to generate valid codes, while the stack pointer (or some other environmental value) can help prevent the reuse of a valid, signed pointer should one leak to the attacker. The new PAC instruction can be used to calculate the authentication code and insert it into a pointer value.
The value containing the authentication code cannot be dereferenced directly, since, without the sign-extension bits, it is no longer recognized as a valid address. Regaining a usable pointer requires using the AUT instruction, which will recalculate the authentication code and compare it to what is found in the authenticated pointer value. If the two match, the authentication code will be removed; otherwise, the pointer will be modified to ensure a fault should it be dereferenced. Thus, any attempt to use a pointer that lacks a proper authentication code will lead to a crash.
ARM 8.3 provides five separate keys that can be used to authenticate pointers: two for executable (instruction) pointers, two for data, and one "general" key. The RFC patch set from Mark Rutland only uses one of the instruction keys, though, reserving the other keys for future use. For the time being, the feature is only provided for user space; it is not yet used within the kernel itself. Whenever a process is created, the kernel will generate a random key and store it in that process's context; the process will then be able to use that key to sign and authenticate pointers, but it cannot read the key itself.
Actually making use of this feature to, for example, block buffer-overflow exploits is left to user space. The good news here is that the GCC 7 compiler will include basic support for pointer authentication in the form of the -msign-return-address option. Turning this option on will cause code to be added to function prologues to sign the return address; that address will then be authenticated before returning to it. Options exist to limit authentication to non-leaf functions (those that call other functions), or to all functions in the compilation unit.
If this feature works as advertised, this return-address authentication should be enough to block basic buffer-overrun attacks. An attacker may be able to overwrite a function's return address, but they cannot generate the proper authentication code, so a jump to that address will never be taken. The code itself is not large, so the potential for brute-force attacks exists, but those attacks cannot be performed without causing the target process to crash multiple times — an outcome that should attract attention in most settings.
The patch posting is a first-round request for comments, so it is likely to see some changes before being considered for merging. There is some room for future work, including deciding what to do with the other available key values and, perhaps, protecting the kernel as well. There are ways this feature could be used beyond protecting return addresses. Structures containing function pointers are a common target, for example; these, too, could be protected using authentication. Pointer authentication will not solve all of our security problems but it will, with luck, make our systems that much more resistant to attack.
(More information about this feature can be found in this Qualcomm white paper [PDF].
Brief items
Security quotes of the week
He has found dozens of vulnerabilities while studying Linux-based Tizen, the operating system that powers the devices.
Some of the software bugs "felt like 2005", he said, arguing that the OS hasn't been designed with security in mind and isn't up to any modern standards.
"I've found over 40 different vulnerabilities in Tizen. Almost every system app is vulnerable," Neiderman said.
Here's one perverse result of this action. When you make a voice call on your smartphone, the information is protected: Your phone company can't sell the fact that you are calling car dealerships to others who want to sell you a car. But if the same device and the same network are used to contact car dealers through the internet, that information — the same information, in fact — can be captured and sold by the network. To add insult to injury, you pay the network a monthly fee for the privilege of having your information sold to the highest bidder.
Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Project Zero)
Here's a lengthy and detailed description of how the Project Zero team reverse engineered Broadcom's proprietary WiFi processor and developed a remote code execution exploit. "All that said and done, the introduction of Wi-Fi FullMAC chips does not come without a cost. Introducing these new pieces of hardware, running proprietary and complex code bases, may weaken the overall security of the devices and introduce vulnerabilities which could compromise the entire system."
Android Security Bulletin—April 2017
The April Android Security Bulletin provides a discouragingly long list of vulnerabilities fixed in the latest update (for those with devices sufficiently well supported to receive them). "The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files." There's also a fix for CVE-2016-10229, which is a remotely exploitable vulnerability in the UDP stack that was fixed in the 4.5 and 4.4.21 kernels. Those kernels were not vulnerable as the result of other work, but older kernels with backported fixes (Android kernels, for example) were.
Security updates
Alert summary March 30, 2017 to April 5, 2017
| Dist. | ID | Release | Package | Date |
|---|---|---|---|---|
| Arch Linux | ASA-201703-19 | chromium | 2017-03-31 | |
| Debian | DLA-884-1 | LTS | collectd | 2017-04-04 |
| Debian | DLA-883-1 | LTS | curl | 2017-04-04 |
| Debian | DLA-881-1 | LTS | ejabberd | 2017-04-01 |
| Debian | DLA-879-1 | LTS | firebird2.5 | 2017-03-29 |
| Debian | DSA-3824-1 | stable | firebird2.5 | 2017-03-29 |
| Debian | DSA-3825-1 | stable | jhead | 2017-03-31 |
| Debian | DLA-885-1 | LTS | python-django | 2017-04-05 |
| Debian | DSA-3816-2 | stable | samba | 2017-04-02 |
| Debian | DLA-880-1 | LTS | tiff3 | 2017-03-30 |
| Debian | DLA-882-1 | LTS | tryton-server | 2017-04-04 |
| Debian | DSA-3826-1 | stable | tryton-server | 2017-04-04 |
| Fedora | FEDORA-2017-07c8f3ea2b | F26 | R | 2017-04-01 |
| Fedora | FEDORA-2017-ff6940bf63 | F25 | chromium | 2017-04-01 |
| Fedora | FEDORA-2017-4a981b2ded | F26 | drupal8 | 2017-04-01 |
| Fedora | FEDORA-2017-8840ec0204 | F26 | empathy | 2017-04-01 |
| Fedora | FEDORA-2017-e2480c7f50 | F24 | erlang | 2017-03-31 |
| Fedora | FEDORA-2017-42ebcac2b5 | F25 | erlang | 2017-03-31 |
| Fedora | FEDORA-2017-cbed8f4169 | F26 | erlang | 2017-04-01 |
| Fedora | FEDORA-2017-97d7758431 | F24 | firebird | 2017-04-04 |
| Fedora | FEDORA-2017-b42b86201c | F26 | firefox | 2017-04-01 |
| Fedora | FEDORA-2017-3bfbe2acb9 | F26 | firefox | 2017-04-01 |
| Fedora | FEDORA-2017-a861eb07ee | F26 | icoutils | 2017-04-01 |
| Fedora | FEDORA-2017-02174df32f | F24 | kernel | 2017-04-03 |
| Fedora | FEDORA-2017-93dec9eba5 | F25 | kernel | 2017-04-03 |
| Fedora | FEDORA-2017-3456ba4c93 | F26 | kernel | 2017-04-01 |
| Fedora | FEDORA-2017-45ebf1e164 | F26 | knot-resolver | 2017-04-01 |
| Fedora | FEDORA-2017-7ac378e011 | F26 | libICE | 2017-04-01 |
| Fedora | FEDORA-2017-09f65e5e00 | F26 | libXdmcp | 2017-04-01 |
| Fedora | FEDORA-2017-23535a31f8 | F26 | libupnp | 2017-04-01 |
| Fedora | FEDORA-2017-b5899f809e | F26 | links | 2017-04-01 |
| Fedora | FEDORA-2017-718154e0f2 | F26 | mbedtls | 2017-04-01 |
| Fedora | FEDORA-2017-0fcaf52f1a | F24 | moodle | 2017-03-31 |
| Fedora | FEDORA-2017-0196511d58 | F25 | moodle | 2017-04-01 |
| Fedora | FEDORA-2017-d5dbc23747 | F26 | moodle | 2017-04-01 |
| Fedora | FEDORA-2017-487051ac16 | F26 | mupdf | 2017-04-01 |
| Fedora | FEDORA-2017-20d54b2782 | F26 | ntp | 2017-04-01 |
| Fedora | FEDORA-2017-ffc47d48ec | F26 | openslp | 2017-04-01 |
| Fedora | FEDORA-2017-7accc8010b | F24 | pcs | 2017-04-03 |
| Fedora | FEDORA-2017-71e69a691b | F25 | pcs | 2017-04-03 |
| Fedora | FEDORA-2017-07c8f3ea2b | F26 | rkward | 2017-04-01 |
| Fedora | FEDORA-2017-07c8f3ea2b | F26 | rpy | 2017-04-01 |
| Fedora | FEDORA-2017-c22a1dbe8b | F25 | samba | 2017-04-02 |
| Fedora | FEDORA-2017-1be1218e7f | F26 | sane-backends | 2017-04-01 |
| Fedora | FEDORA-2017-712ffce24d | F24 | sscg | 2017-03-31 |
| Fedora | FEDORA-2017-d219f0e5fc | F25 | sscg | 2017-04-01 |
| Fedora | FEDORA-2017-b68534e41f | F26 | sscg | 2017-04-01 |
| Fedora | FEDORA-2017-da50233929 | F26 | sscg | 2017-04-01 |
| Fedora | FEDORA-2017-7980b5e846 | F24 | tcpreplay | 2017-04-01 |
| Fedora | FEDORA-2017-5e945de883 | F25 | tcpreplay | 2017-04-01 |
| Fedora | FEDORA-2017-8306577cc7 | F26 | tcpreplay | 2017-04-01 |
| Fedora | FEDORA-2017-ffd4a36f09 | F26 | thunderbird | 2017-04-01 |
| Fedora | FEDORA-2017-dfaf0ca892 | F26 | webkitgtk4 | 2017-04-01 |
| Mageia | MGASA-2017-0095 | 5 | deluge | 2017-03-31 |
| Mageia | MGASA-2017-0105 | 5 | jhead | 2017-04-04 |
| Mageia | MGASA-2017-0097 | 5 | kernel | 2017-03-31 |
| Mageia | MGASA-2017-0099 | 5 | kernel-linus | 2017-03-31 |
| Mageia | MGASA-2017-0098 | 5 | kernel-tmb | 2017-03-31 |
| Mageia | MGASA-2017-0096 | 5 | mariadb | 2017-03-31 |
| Mageia | MGASA-2017-0101 | 5 | munin | 2017-04-04 |
| Mageia | MGASA-2017-0103 | 5 | mxml | 2017-04-04 |
| Mageia | MGASA-2017-0100 | 5 | phpmyadmin | 2017-04-03 |
| Mageia | MGASA-2017-0102 | 5 | pidgin | 2017-04-04 |
| Mageia | MGASA-2017-0104 | 5 | wget | 2017-04-04 |
| openSUSE | openSUSE-SU-2017:0908-1 | Chromium | 2017-04-02 | |
| openSUSE | openSUSE-SU-2017:0909-1 | 42.1 42.2 | Chromium | 2017-04-02 |
| openSUSE | openSUSE-SU-2017:0891-1 | 42.1 | GraphicsMagick | 2017-03-31 |
| openSUSE | openSUSE-SU-2017:0894-1 | 42.2 | GraphicsMagick | 2017-03-31 |
| openSUSE | openSUSE-SU-2017:0903-1 | 42.1 | apache2 | 2017-03-31 |
| openSUSE | openSUSE-SU-2017:0897-1 | 42.2 | apache2 | 2017-03-31 |
| openSUSE | openSUSE-SU-2017:0910-1 | 42.2 | ceph | 2017-04-03 |
| openSUSE | openSUSE-SU-2017:0916-1 | geotiff | 2017-04-04 | |
| openSUSE | openSUSE-SU-2017:0917-1 | 42.1 42.2 | geotiff | 2017-04-04 |
| openSUSE | openSUSE-SU-2017:0847-1 | 42.2 | gstreamer-0_10-plugins-good | 2017-03-29 |
| openSUSE | openSUSE-SU-2017:0906-1 | 42.1 | kernel | 2017-04-01 |
| openSUSE | openSUSE-SU-2017:0907-1 | 42.2 | kernel | 2017-04-01 |
| openSUSE | openSUSE-SU-2017:0850-1 | 42.1 42.2 | php5 | 2017-03-29 |
| openSUSE | openSUSE-SU-2017:0925-1 | 42.1 | pidgin | 2017-04-04 |
| openSUSE | openSUSE-SU-2017:0892-1 | 42.2 | pidgin | 2017-03-31 |
| openSUSE | openSUSE-SU-2017:0933-1 | 42.1 42.2 | ruby2.2, ruby2.3 | 2017-04-05 |
| openSUSE | openSUSE-SU-2017:0902-1 | 42.2 | virglrenderer | 2017-03-31 |
| openSUSE | openSUSE-SU-2017:0890-1 | 42.1 42.2 | wget | 2017-03-31 |
| Oracle | ELSA-2017-0847 | OL6 | curl | 2017-03-29 |
| Oracle | ELSA-2017-3535 | OL5 | kernel | 2017-04-01 |
| Oracle | ELSA-2017-3533 | OL6 | kernel | 2017-04-01 |
| Oracle | ELSA-2017-3534 | OL6 | kernel | 2017-04-01 |
| Oracle | ELSA-2017-3535 | OL6 | kernel | 2017-04-01 |
| Oracle | ELSA-2017-3533 | OL7 | kernel | 2017-04-01 |
| Oracle | ELSA-2017-3534 | OL7 | kernel | 2017-04-01 |
| Red Hat | RHSA-2017:0860-01 | EL6 | chromium-browser | 2017-03-31 |
| Red Hat | RHSA-2017:0869-01 | EL6.7 | kernel | 2017-04-04 |
| Red Hat | RHSA-2017:0882-01 | OSP10.0 | v8 | 2017-04-05 |
| Red Hat | RHSA-2017:0881-01 | OSP7.0/EL7 | v8 | 2017-04-05 |
| Red Hat | RHSA-2017:0879-01 | OSP8.0 | v8 | 2017-04-05 |
| Red Hat | RHSA-2017:0880-01 | OSP9.0 | v8 | 2017-04-05 |
| Scientific Linux | SLSA-2017:0725-1 | SL6 | bash | 2017-04-05 |
| Scientific Linux | SLSA-2017:0654-1 | SL6 | coreutils | 2017-04-05 |
| Scientific Linux | SLSA-2017:0847-1 | SL6 | curl | 2017-04-05 |
| Scientific Linux | SLSA-2017:0680-1 | SL6 | glibc | 2017-04-05 |
| Scientific Linux | SLSA-2017:0574-1 | SL6 | gnutls | 2017-04-05 |
| Scientific Linux | SLSA-2017:0817-1 | SL6 | kernel | 2017-04-05 |
| Scientific Linux | SLSA-2017:0564-1 | SL6 | libguestfs | 2017-04-05 |
| Scientific Linux | SLSA-2017:0565-1 | SL6 | ocaml | 2017-04-05 |
| Scientific Linux | SLSA-2017:0641-1 | SL6 | openssh | 2017-04-05 |
| Scientific Linux | SLSA-2017:0621-1 | SL6 | qemu-kvm | 2017-04-05 |
| Scientific Linux | SLSA-2017:0794-1 | SL6 | quagga | 2017-04-05 |
| Scientific Linux | SLSA-2017:0662-1 | SL6 | samba | 2017-04-05 |
| Scientific Linux | SLSA-2017:0744-1 | SL6 | samba4 | 2017-04-05 |
| Scientific Linux | SLSA-2017:0698-1 | SL6 | subscription-manager | 2017-04-05 |
| Scientific Linux | SLSA-2017:0631-1 | SL6 | wireshark | 2017-04-05 |
| Slackware | SSA:2017-091-01 | samba | 2017-03-31 | |
| SUSE | SUSE-SU-2017:0913-1 | MGR2.1 MP2.1 OS5 SLE11 | kernel | 2017-04-03 |
| SUSE | SUSE-SU-2017:0912-1 | SLE11 | kernel | 2017-04-03 |
| SUSE | SUSE-SU-2017:0864-1 | SLE12 | kernel | 2017-03-30 |
| SUSE | SUSE-SU-2017:0865-1 | SLE12 | kernel | 2017-03-30 |
| SUSE | SUSE-SU-2017:0866-1 | SLE12 | kernel | 2017-03-30 |
| SUSE | SUSE-SU-2017:0914-1 | ruby19 | 2017-04-03 | |
| SUSE | SUSE-SU-2017:0862-1 | SLE12 | samba | 2017-03-29 |
| SUSE | SUSE-SU-2017:0859-1 | SLE12 | samba | 2017-03-29 |
| SUSE | SUSE-SU-2017:0858-1 | SLE12 | samba | 2017-03-29 |
| Ubuntu | USN-3216-2 | 12.04 14.04 16.04 16.10 | firefox | 2017-03-30 |
| Ubuntu | USN-3250-1 | 14.04 | kernel | 2017-03-29 |
| Ubuntu | USN-3255-1 | 16.04 16.10 | lightdm | 2017-04-04 |
| Ubuntu | USN-3249-1 | 16.04 | linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon | 2017-03-29 |
| Ubuntu | USN-3251-1 | 16.10 | linux, linux-raspi2 | 2017-03-29 |
| Ubuntu | USN-3248-1 | 12.04 | linux, linux-ti-omap4 | 2017-03-29 |
| Ubuntu | USN-3256-2 | 12.04 14.04 16.04 | linux-hwe, linux-lts-trusty, linux-lts-xenial | 2017-04-04 |
| Ubuntu | USN-3251-2 | 16.04 | linux-hwe | 2017-03-29 |
| Ubuntu | USN-3250-2 | 12.04 | linux-lts-trusty | 2017-03-29 |
| Ubuntu | USN-3249-2 | 14.04 | linux-lts-xenial | 2017-03-29 |
| Ubuntu | USN-3256-1 | 12.04 14.04 16.04 16.10 | linux-ti-omap4 | 2017-04-04 |
| Ubuntu | USN-3253-1 | 14.04 16.04 16.10 | nagios3 | 2017-04-03 |
| Ubuntu | USN-3236-1 | 14.04 16.04 16.10 | oxide-qt | 2017-03-29 |
| Ubuntu | USN-3254-1 | 12.04 14.04 16.04 16.10 | python-django | 2017-04-04 |
| Ubuntu | USN-3242-2 | 12.04 14.04 16.04 16.10 | samba | 2017-03-30 |
Page editor: Jake Edge
Next page:
Kernel development>>