GRSecurity releases Respectre (for Spectre)

October 7, 2018 ~ hucktech ~ Leave a comment

We're proud to announce Respectre today, the state of the art in Spectre defense. High coverage, automated instrumentation, negligible performance hit. It's been available to beta users for the past month and to all grsecurity customers starting today. https://t.co/BWM6ZdzSNs

— grsecurity (@grsecurity) October 5, 2018

[…]Respectre(TM) is a nod to the Spectre speculation attack and signifies that it (re)veals potential Spectre vulnerabilities, (re)spects the original intent of the code, and automatically (re)factors it via a compiler plugin to eliminate speculation-based side channels. All plugin-capable versions of the compiler commonly used to compile Linux are supported, and the plugin itself is architecture-independent. The initial release to grsecurity(R) customers focusing on Spectre v1 supports the ARMv7, AArch64, PPC64, x86, and x86_64 architectures. Special care was taken in designing the plugin to ensure both low impact to compilation time as well as negligible impact to runtime performance (measured as 0.3% in a kernel-focused stress test). The plugin incorporates advanced static analysis far beyond the level of any existing tools for any OS, and is the 4th largest plugin of the 14 available in the grsecurity(R) kernel patches. Work is already underway to enhance the static analysis of the plugin even further and add coverage for other similar Spectre types.[…]

https://www.grsecurity.net/respectre_announce.php

Automated Detection, Exploitation, and Elimination of Double-Fetch Bugs using Modern CPU Features

June 11, 2018 ~ hucktech ~ Leave a comment

The slides of my #AsiaCCS18 talk "Automated Detection, Exploitation, and Elimination of Double-Fetch Bugs using Modern CPU Features" are now online: https://t.co/qMtro4dbnM /cc @lavados @mlqxyz @BloodyTangerine @anders_fogh pic.twitter.com/8r0EDizPzh

— Michael Schwarz (@misc0110) June 7, 2018

This is a really cool paper. They use Flush+Reload to automatically detect double fetches, then basically fuzz the second fetch to generate a crash for !exploitable, and use xbegin/xend to fix them. https://t.co/rQUubvqpGt

— Thomas H. Ptacek (@tqbf) June 7, 2018

I mentioned this before, but everyone seems to have forgotten sgrakkyu/twiz exploited "double fetch" before "double fetch" was a thing, back in 2007: https://t.co/tfEaoqprN9 (2.4.2), see also this from 2008: https://t.co/s6vvJ5L69j

— grsecurity (@grsecurity) June 7, 2018

Double-fetch bugs are a special type of race condition, where an unprivileged execution thread is able to change a memory location between the time-of-check and time-of-use of a privileged execution thread. If an unprivileged attacker changes the value at the right time, the privileged operation becomes inconsistent, leading to a change in control flow, and thus an escalation of privileges for the attacker. More severely, such double-fetch bugs can be introduced by the compiler, entirely invisible on the source-code level. We propose novel techniques to efficiently detect, exploit, and eliminate double-fetch bugs. We demonstrate the first combination of state-of-the-art cache attacks with kernel-fuzzing techniques to allow fully automated identification of double fetches. We demonstrate the first fully automated reliable detection and exploitation of double-fetch bugs, making manual analysis as in previous work superfluous. We show that cache-based triggers outperform state-of-the-art exploitation techniques significantly, leading to an exploitation success rate of up to 97%. Our modified fuzzer automatically detects double fetches and automatically narrows down this candidate set for double-fetch bugs to the exploitable ones. We present the first generic technique based on hardware transactional memory, to eliminate double-fetch bugs in a fully automated and transparent manner. We extend defensive programming techniques by retrofitting arbitrary code with automated double-fetch prevention, both in trusted execution environments as well as in syscalls, with a performance overhead below 1%.

https://arxiv.org/abs/1711.01254

Click to access 1711.01254.pdf

GRsecurity drops 0day

November 23, 2017 ~ hucktech ~ Leave a comment

https://grsecurity.net/~spender/sorry_kees.c

#infosec https://t.co/PC1SbcMR5V

— Joanna Rutkowska (@rootkovska) November 23, 2017

So on the day of Kees' presentation, where he tried to drop a useless 0day on me and talk up how many upstream developers reviewed his code that did the same limitation *right*, I wrote an exploit of my own.

— grsecurity (@grsecurity) November 22, 2017

Kees, I'm sorry to tell you, you and your 7 reviewers didn't manage to do it right, and in fact you ended up producing something much worse than the bug you pointed out (which BTW wasn't actually your finding, and despite the 0day attempt, I had already fixed it in July)

— grsecurity (@grsecurity) November 22, 2017

This happened despite Kees' completely disrespectful presentation at the Linux Security Summit, comparing grsecurity to spam detection that only works because not everyone uses it, while he copy+pastes code from that very same codebase.

— grsecurity (@grsecurity) November 22, 2017

Now today I'm dropping real 0day on you: https://t.co/nnUNEYRloS

— grsecurity (@grsecurity) November 22, 2017

GRSecurity sues Bruce Perens over GPL issues

August 3, 2017 ~ hucktech ~ Leave a comment

OH MY GOD https://t.co/5P0kQFSN1t

— Matthew Garrett (@mjg59) August 3, 2017

Below Register article has a link to the PDF of the court case.

Posted on June 28, 2017 by Bruce
Warning: Grsecurity: Potential contributory infringement and breach of contract risk for customers
It’s my strong opinion that your company should avoid the Grsecurity product sold at grsecurity.net because it presents a contributory infringement and breach of contract risk.[…]

https://perens.com/blog/2017/06/28/warning-grsecurity-potential-contributory-infringement-risk-for-customers/

[…]Defendant is a computer programmer, known for his creation of the Open Source Definition and co-founder of the Open Source Initiative. This action arises from Defendants’ abusive and false claims made on a blog post 1 (“Posting”), on Defendant’s website, http://www.perens.com (the “Website”), regarding Plaintiff’s business, which has resulted in substantial harm to Plaintiff’s reputation, goodwill, and future business prospects.[…]

https://www.theregister.co.uk/AMP/2017/08/03/linux_kernel_grsecurity_sues_bruce_perens_for_defamation/

https://grsecurity.net/

a bit more on Intel CET

June 13, 2016 ~ hucktech ~ Leave a comment

http://blogs.intel.com/evangelists/2016/06/09/intel-innovating-stop-cyber-attacks/

http://blogs.intel.com/evangelists/2016/06/09/intel-release-new-technology-specifications-protect-rop-attacks/

since you asked us about Intel's CET: https://t.co/StFSmMavbc

— PaX Team (@paxteam) June 12, 2016

https://forums.grsecurity.net/viewtopic.php?f=7&t=4490

The GRSecurity post has a few more links as well:

[…]
Full disclosure: we have a competing production-ready solution to defend against code reuse attacks called RAP, see [R1], [R2]. RAP isn’t tied to any particular CPU architecture or operating system, and it scales to real-life software from Xen to Linux to Chromium with excellent performance.
[…]
Conclusion

In summary, Intel’s CET is mainly a hardware implementation of Microsoft’s weak CFI implementation with the addition of a shadow stack. Its use will require the presence of Intel processors that aren’t expected to be released for several years. Rather than truly innovating and advancing the state of the art in performance and security guarantees as RAP has, CET merely cements into hardware existing technology known and bypassed by academia and industry that is too weak to protect against the larger class of code reuse attacks. One can’t help but notice a striking similarity with Intel’s MPX, another software-dependent technology announced with great fanfare a few years ago that failed to live up to its many promises and never reached its intended adoption as the solution to end buffer overflow attacks and exists only as yet another bounds-checking based debugging technology.

GRsecurity on Linux kernel security

May 15, 2016 ~ hucktech ~ Leave a comment

Read this before believing the recent nonsense from the Linux kernel devs about new security features: https://t.co/jCEfEclWtF

— Andrew Case (@attrc) May 14, 2016

There’s an interesting post on the GRsecurity forums on the security of the Linux kernel:

https://forums.grsecurity.net/viewtopic.php?f=7&t=4476

RAP

May 1, 2016 ~ hucktech ~ Leave a comment

DEP/ASLR made exploitation fun/interesting again, looking forward to RAP. I have the highest respect for the people behind it.

— halvarflake (@halvarflake) April 29, 2016

“RAP is here. Public demo in 4.5 test patch and commercially available today! Today’s release of grsecurity® for the Linux 4.5 kernel marks an important milestone in the project’s history. It is the first kernel to contain RAP, a defense mechanism against code reuse attacks. RAP was announced to the world at the H2HC conference in October 2015 and represents the best available solution of its type. RAP is the result of our multi-years research and development in Control Flow Integrity (CFI) technologies by PaX. It ground-breakingly scales to C and C++ code bases of arbitrary sizes and provides best-effort protection against code reuse attacks with minimal performance impact. The public version of RAP available in the grsecurity test kernels from now on demonstrates a subset of the features in the full version, available today for commercial licensing from Open Source Security, Inc. The demo version will evolve over time, but is currently tailored for x64 kernel use only and does not support C++, link-time optimization, compile time static analysis, and probabilistic return address protection. In addition, the demo’s GPLv2 license excludes userland applications due to the GCC library runtime exception for GCC plugins.” […]

https://grsecurity.net/rap_announce.php
https://grsecurity.net/rap_faq.php
https://grsecurity.net/features.php

Click to access PaXTeam-H2HC15-RAP-RIP-ROP.pdf

GRSecurity quits

August 26, 2015 ~ hucktech ~ Leave a comment

https://twitter.com/grsecurity/status/626915991184932865

and:

https://twitter.com/grsecurity/status/636659374551777281

Today’s announcement:

https://grsecurity.net/announce.php

Excerpt:

“This announcement is our public statement that we’ve had enough. Companies in the embedded industry not playing by the same rules as every other company using our software violates users’ rights, misleads users and developers, and harms our ability to continue our work. Though I’ve only gone into depth in this announcement on the latest trademark violation against us, our experience with two GPL violations over the previous year have caused an incredible amount of frustration. These concerns are echoed by the complaints of many others about the treatment of the GPL by embedded Linux industry in particular over many years.”

DejaVu from 2004:

http://developers.slashdot.org/story/04/05/31/1949241/end-of-development-for-grsecurity-announced
“Beginning today, May 31, 2004, development of grsecurity will cease. On June 7, the website, forums, mailing list, and CVS will be shut down. Due to a sponsor unexpectedly dropping sponsorship of grsecurity while continually promising payment, I began the summer in debt and had to borrow money from family to pay for food. If none of the companies that depend on grsecurity, some of them being very large, are able to sponsor the project, grsecurity will cease to exist. I am not looking for paypal donations at this point, unless those that donate do so with the recognition that despite their donation, grsecurity may still never be returning.”

Things are not looking good for embedded Linux security today. I don’t know the backstories. I wonder what happens next?