• GCC Plugins

    Automatic discovery and prevention of Spectre vulnerabilities

    Existing approaches to identification and remediation of Spectre vulnerabilities are lacking in coverage, rudimentary, and often performed manually. The backport of a single security fix has the potential to introduce a new expoitable Spectre gadget, meaning that this identification and remediation process needs to be performed constantly, including after any modifications made by the end user. This approach simply does not scale. The Respectre™ plugin solves this problem with advanced static analysis to find vastly more Spectre vulnerabilities than existing approaches. It then makes use of the result of that analysis to automatically instrument the code with fixes that introduce negligible performance impact.

    Randomized kernel structure layouts

    The RANDSTRUCT plugin forces some exploits into requiring additional information leaks to achieve reliability. It does this by randomizing the layout of sensitive selected kernel structures as well as automatically randomizing the layout of all structures comprised purely of function pointers -- a common target for exploits.

    Prevents integer overflows in size arguments

    Integer overflows are a common bug class in the kernel. This feature was first realized as a clever macro to deal with overflows occuring in size expressions of kernel memory allocators, but was replaced and greatly expanded in scope by Emese Revfy with what is now our largest GCC plugin. This powerful plugin can detect and prevent exploitation of a wide range of integer overflow and integer truncation bugs that are likely to result in exploitable conditions.

    Adds entropy at early boot and runtime

    Grsecurity provides a feature to help address the problem of entropy starvation at early boot on IoT devices. The demonstrable effects of entropy starvation at early boot are weak private keys, predictable stack canaries, and more. PaX's latent entropy plugin modifies the instruction streams of functions called only during boot as well as some specific functions at runtime that perform some unpredictable computations from the perspective of an attacker. These functions are modified to produce a nondeterministic value based on the flow of execution. At several points in the boot process and at runtime, this pseudorandom value is mixed in to the entropy pool.

    Makes read-only sensitive kernel structures

    For some years, grsecurity had maintained a large patch that systematically constified a few dozen structure types used frequently in the kernel -- collections of function pointers, or so-called "ops structures". This patch, weighing in at over 1MB, became time-consuming to maintain and upstream kernel developers did not accept the patch wholesale (responsive maintainers adopted patches specific to their domain, but many unresponsive maintainers did not). Creation of the CONSTIFY plugin allowed us to generalize the approach and apply it to hundreds of additional structure types, currently causing up to 75% of function pointers in the kernel image to be made read-only.

    Ensures all kernel function pointers point into the kernel

    This plugin supplements the protection provided by PaX's KERNEXEC feature on the X64 architecture. While on i386 KERNEXEC is able to prevent execution of userland code using segmentation, that is not possible on X64. This plugin forces the upper bit on in all function pointers and return addresses dereferenced by the kernel. This doesn't impact legitimate kernel code, but causes attempts to return to userland code to result in a non-canonical address that will cause a GPF upon access. Modulo attacks on kernel paging structures, this feature is not needed if PaX's UDEREF is enabled.

    Prevents leaking of stack data from previous syscalls

    Information leaks of kernel stack data are the most common type of leaks in the kernel and potentially the most dangerous. The reason for this is that the data arising from an uninitialized structure field can possibly come from data on the kernel stack from a previous system call invocation. By carefully choosing a system call to leave stale data on the stack, an attacker can leak the addresses to a wide number of sensitive kernel structures. The STACKLEAK plugin addresses this issue by clearing the portion of the kernel stack that was used during a system call before returning to userland. This ensures that if any leak of an uninitialized field is possible, it must come from a previously-called function in the current system call. This plugin also prevents dynamic stack-based allocation in the kernel from overflowing the kernel stack, which would normally permit an attacker to corrupt an adjacent memory object in order to exploit the system.