
Re-write how function hijacking is done

This commit ditches the method of writing an asm jump code to the start of a
function to hijack it, and instead replaces the pointer to that function in the
appropriate place. I pretty much lucked out here - all of the functions I end
up needing to hijack are called from an operations structure of one sort or
another, otherwise this switcheroo wouldn't be possible.

I dare say this method is "safer", but this is the initial work so I don't dare
label it "stable" yet :) So far I've only tested it on linux 3.2.0, though I'm
fairly certain this will back-port just fine to 2.6.32 and even 2.6.18. I'm
sure there are going to be a few bugs to work out, this is the "dev" branch
after all :)

The only regression I'm aware of at this point is I'm not currently checking if
the functions are already hijacked, and I'm not even sure if that's really
possible with this method. Oh and, the code is somewhat messier in places,
cleaner in others.

An added bonus of this change - this module should now work on linux systems
that aren't on an x86 CPU set. I don't have any of those kinds of systems, but
I'll ask around for testers.
cormander committed May 19, 2012
1 parent fbe6ebb commit b9434207eca4985c1077bf8a783bfb0752a2f275
Showing with 262 additions and 3,834 deletions.
  1. +0 −29 FAQ
  2. +2 −22 Makefile
  3. +2 −0 README
  4. +0 −220 arch/x86/include/asm/inat.h
  5. +0 −29 arch/x86/include/asm/inat_types.h
  6. +0 −184 arch/x86/include/asm/insn.h
  7. +0 −1,033 arch/x86/lib/inat-tables.h
  8. +0 −90 arch/x86/lib/inat.c
  9. +0 −516 arch/x86/lib/insn.c
  10. +0 −893 arch/x86/lib/x86-opcode-map.txt
  11. +0 −378 arch/x86/tools/gen-insn-attr-x86.awk
  12. +0 −21 core.c
  13. +0 −282 hijacks.c
  14. +2 −5 module.c
  15. +2 −0 module.h
  16. +254 −132 security.c
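The pointer swap the commit message describes, written out as an added example that is not TPE's own code and not taken from this commit. It simulates an "operations" table in userspace so it compiles and runs without a kernel: struct file_ops, the OPEN_EXEC flag and the trusted-prefix rule are hypothetical stand-ins, and the in-kernel details the real module has to deal with (finding the table by symbol lookup, tables that live in read-only memory, ordering the store against concurrent callers) are deliberately not modelled. It also shows the check the commit message says is missing, whether the slot is already hijacked: with pointer replacement that is a plain comparison against your own hook, and "is this still the stock function" is equality with one known function here, where in the kernel you would instead ask whether the address lies in kernel text (core_kernel_text()).

```c
/* Added example, not TPE's code: hooking a callback by replacing its entry in
 * an "operations" table, simulated in userspace. struct file_ops, OPEN_EXEC
 * and the trusted-path rule are hypothetical stand-ins. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define OPEN_EXEC 0x1   /* hypothetical flag: caller intends to execute the file */

/* Stand-in for a kernel ops table (file_operations, security_operations, ...).
 * The kernel would look such a table up by symbol; here we simply own it. */
struct file_ops {
    int (*open)(const char *path, int flags);
    int (*mmap)(const char *path, int prot);
};

/* Stock callbacks: what the table points at before anything is hooked. */
static int stock_open(const char *path, int flags)
{
    (void)flags;
    return path[0] == '/' ? 0 : -EINVAL;
}
static int stock_mmap(const char *path, int prot)
{
    (void)path; (void)prot;
    return 0;
}

/* The original pointer is saved at hijack time so the hook can chain to it
 * and so restore can put it back. */
static int (*saved_open)(const char *, int);

/* Hypothetical TPE-style policy: only execute from a trusted prefix. */
static int trusted_path(const char *path)
{
    return strncmp(path, "/usr/bin/", 9) == 0 || strncmp(path, "/bin/", 5) == 0;
}

/* Replacement callback: enforce policy, then fall through to the original. */
static int hooked_open(const char *path, int flags)
{
    if ((flags & OPEN_EXEC) && !trusted_path(path))
        return -EACCES;
    return saved_open(path, flags);
}

/* Classify the current pointer: 0 = stock, 1 = our hook, 2 = something else.
 * In-kernel, "stock" would be core_kernel_text(addr) rather than equality
 * with one known function. */
int open_hook_state(const struct file_ops *ops)
{
    if (ops->open == hooked_open) return 1;
    if (ops->open == stock_open)  return 0;
    return 2;
}

/* Install the hook. 0 = installed, 1 = already ours (no-op), -EBUSY = a
 * foreign pointer is present and we refuse to stack on top of it. */
int hijack_open(struct file_ops *ops)
{
    switch (open_hook_state(ops)) {
    case 1:  return 1;
    case 2:  return -EBUSY;
    default:
        saved_open = ops->open;     /* save before overwriting */
        ops->open  = hooked_open;
        return 0;
    }
}

/* Put the original back; -EINVAL if the table no longer holds our hook
 * (restoring blindly would clobber whoever hooked after us). */
int restore_open(struct file_ops *ops)
{
    if (ops->open != hooked_open)
        return -EINVAL;
    ops->open = saved_open;
    return 0;
}

/* Dispatch through the table, as the kernel would. */
int call_open(const struct file_ops *ops, const char *path, int flags)
{
    return ops->open(path, flags);
}

/* Constructed tables for the demo: one stock, one already hooked by a third party. */
static int foreign_open(const char *path, int flags) { return stock_open(path, flags); }
struct file_ops demo_ops    = { stock_open,   stock_mmap };
struct file_ops foreign_ops = { foreign_open, stock_mmap };

int main(void)
{
    printf("hijack: %d\n", hijack_open(&demo_ops));
    printf("exec /tmp/evil: %d\n", call_open(&demo_ops, "/tmp/evil", OPEN_EXEC));
    printf("exec /usr/bin/ls: %d\n", call_open(&demo_ops, "/usr/bin/ls", OPEN_EXEC));
    printf("restore: %d\n", restore_open(&demo_ops));
    printf("foreign table: %d\n", hijack_open(&foreign_ops));
    return 0;
}
```

The two refusals are the point: hijack_open() is idempotent when the slot already holds our hook, and it declines when the slot holds a pointer it does not recognise, which is the case the commit message says the new code does not yet detect.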
29 FAQ
@@ -29,11 +29,6 @@ secure the system. Due to this "hot-patching" of the kernel, it is very
important that you use a kernel in the "Supported Kernels" list from the README
file.
-This method is also similar to how Ksplice works, though is not quite as
-advanced. Ksplice is a tool used to apply security fixes to your kernel
-without having to reboot your system. Shame on Oracle Corporation for buying
-them out and keeping that code closed-source.
-
* What are other security things I should do?
You're no doubt using this module to enhance the security of your system. I
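Review bot: the unchanged context above this hunk still tells the reader that the module is "hot-patching" the kernel, which is exactly the asm-jump method this commit removes; since the hunk already edits this paragraph, reword that sentence to say the module replaces function pointers in kernel operations tables. Keep the warning to stay on a kernel from the "Supported Kernels" list, though: the struct layouts and symbol addresses the pointer-replacement method depends on still vary between kernel versions, so the reason for the warning has not gone away.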
@@ -57,10 +52,6 @@ however, especially the PaX features, can't be implemented with this module.
In a nutshell, I'm using a fairly basis method to hook into kernel code, and it
is limited in what it can do.
-More grsecurity features could be implemented to your distribution kernel with
-the ksplice software, as it's by far more advanced code. I'll reiterate; Shame
-on Oracle Corporation for buying them out and keeping that code closed-source.
-
* Can I use just the extra features and not TPE itself?
Yes. To do this, enable the "softmode" and disable the "log" sysctl entries.
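Review bot: the unchanged line "I'm using a fairly basis method to hook into kernel code" has a typo ("basic"); this hunk already touches the paragraph, so fix it here. With the ksplice comparison gone, that sentence is also the only remaining description of how the hooking works, so it is worth saying what the method is (replacing pointers in *_operations tables) rather than only that it is limited.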
@@ -98,26 +89,6 @@ of the scope of LSM, so to use LSM would mean to lose features.
Since you can't have more than one LSM loaded at a time, no distribution is
going to replace their preferred LSM with TPE. It's just not going to happen.
-* Could this be done another way?
-
-There are two other possible implementations for this that I know of:
-
- 1) changing the *_operations tables
-
-I could replace the pointers in some tables (ie; security_operations) to point
-to this module's functions, and then call the original. This approach is
-limited to the functions that exist in such tables, which may or may not cover
-everything TPE needs to handle.
-
- 2) kprobes
-
-This looks like it's a method similar to what I am doing, that is built into
-the kernel (assuming it was chosen at compile time). I've never used it before.
-
-If I have the time and sufficient reason, I may change the code to use one of
-the above methods. For now, I don't see anything wrong with the current
-implementation.
-
* Will TPE be put into the mainline kernel?
It wouldn't be very hard to port this module into the mainline kernel. However,
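Review bot: deleting the whole "Could this be done another way?" entry throws away the one sentence that documents the new method's limitation: "This approach is limited to the functions that exist in such tables, which may or may not cover everything TPE needs to handle." Option 1 in the removed text is exactly what this commit adopts, so rather than dropping the entry, rewrite it as a "How does this hook the kernel?" answer that describes the pointer replacement, keeps that caveat, and keeps the mention of kprobes as the remaining alternative.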
Makefile
@@ -1,14 +1,5 @@
MODULE_NAME := tpe
-# This subdirectory contains necessary files for both x86 and x86-64.
-ARCH_DIR := arch/x86
-
-EXTRA_CFLAGS += -I$(src) -I$(src)/$(ARCH_DIR)/include -I$(obj)/$(ARCH_DIR)/lib
-
-# This auxiliary file will be generated during the build (x86 instruction
-# tables as C code).
-INAT_TABLES_FILE := inat-tables.h
-
ifeq ($(KERNELRELEASE),)
# 'Out-of-kernel' part
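Review bot: this removes `EXTRA_CFLAGS += -I$(src) -I$(src)/$(ARCH_DIR)/include -I$(obj)/$(ARCH_DIR)/lib` in full, so the module's own directory leaves the include path along with the arch/x86 directories. That is only safe if every source file includes its local headers with quotes ("module.h") rather than angle brackets; confirm that, or keep a reduced `EXTRA_CFLAGS += -I$(src)`.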
@@ -18,8 +9,7 @@ MODULE_SOURCES := \
security.c \
symbols.c \
malloc.c \
- sysctl.c \
- hijacks.c
+ sysctl.c
TESTS := tests/mmap-mprotect-test
@@ -66,8 +56,6 @@ clean:
else
# KBuild part.
-# It is used by the kernel build system to actually build the module.
-ccflags-y := -I$(src) -I$(src)/$(ARCH_DIR)/include -I$(obj)/$(ARCH_DIR)/lib
obj-m := $(MODULE_NAME).o
$(MODULE_NAME)-y := \
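Review bot: the comment "# It is used by the kernel build system to actually build the module." describes the KBuild branch, not the ccflags-y line being removed; keep the comment under "# KBuild part." and drop only `ccflags-y := ...`. The same include-path question applies here as in the out-of-kernel part: ccflags-y was the in-tree counterpart of EXTRA_CFLAGS, so after this hunk nothing adds -I$(src) anywhere.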
@@ -76,14 +64,6 @@ $(MODULE_NAME)-y := \
security.o \
symbols.o \
malloc.o \
- sysctl.o \
- hijacks.o \
- $(ARCH_DIR)/lib/inat.o \
- $(ARCH_DIR)/lib/insn.o
-
-$(obj)/$(ARCH_DIR)/lib/inat.o: $(obj)/$(ARCH_DIR)/lib/$(INAT_TABLES_FILE) $(src)/$(ARCH_DIR)/lib/inat.c
-
-$(obj)/$(ARCH_DIR)/lib/$(INAT_TABLES_FILE): $(src)/$(ARCH_DIR)/lib/x86-opcode-map.txt
- LC_ALL=C awk -f $(src)/$(ARCH_DIR)/tools/gen-insn-attr-x86.awk $< > $@
+ sysctl.o
endif
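Review bot: with the awk rule and INAT_TABLES_FILE gone, check the `clean` target in the out-of-kernel part (the "clean:" shown in the previous hunk's header) for a leftover rm of `$(obj)/$(ARCH_DIR)/lib/$(INAT_TABLES_FILE)` or of arch/x86 objects. ARCH_DIR and INAT_TABLES_FILE are no longer defined, so such a line would now expand to a path with empty components and silently do nothing, while leaving stale generated files behind in old checkouts.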
2 README
@@ -130,6 +130,8 @@ This module *should* work on most linux kernels version 2.6 and above, but has
only been verified on the above systems. If you get a compile error or a kernel
oops, please contact this module's author.
+This module *should* work on non-x86 systems, but so far hasn't been tested.
+
===============================================================================
Compatibility Issues
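Review bot: "This module *should* work on non-x86 systems, but so far hasn't been tested." is too vague for a compatibility section; say why it should (the x86 instruction decoder and the jump-writing code were the only architecture-specific parts and are now removed) and what has actually been tested (the commit message says only Linux 3.2.0), and state that the "Supported Kernels" list above remains the authoritative list regardless of architecture.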
arch/x86/include/asm/inat.h
@@ -1,220 +0,0 @@
-#ifndef _ASM_X86_INAT_H
-#define _ASM_X86_INAT_H
-/*
- * x86 instruction attributes
- *
- * Written by Masami Hiramatsu <mhiramat@redhat.com>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- */
-#include <asm/inat_types.h>
-
-/*
- * Internal bits. Don't use bitmasks directly, because these bits are
- * unstable. You should use checking functions.
- */
-
-#define INAT_OPCODE_TABLE_SIZE 256
-#define INAT_GROUP_TABLE_SIZE 8
-
-/* Legacy last prefixes */
-#define INAT_PFX_OPNDSZ 1 /* 0x66 */ /* LPFX1 */
-#define INAT_PFX_REPE 2 /* 0xF3 */ /* LPFX2 */
-#define INAT_PFX_REPNE 3 /* 0xF2 */ /* LPFX3 */
-/* Other Legacy prefixes */
-#define INAT_PFX_LOCK 4 /* 0xF0 */
-#define INAT_PFX_CS 5 /* 0x2E */
-#define INAT_PFX_DS 6 /* 0x3E */
-#define INAT_PFX_ES 7 /* 0x26 */
-#define INAT_PFX_FS 8 /* 0x64 */
-#define INAT_PFX_GS 9 /* 0x65 */
-#define INAT_PFX_SS 10 /* 0x36 */
-#define INAT_PFX_ADDRSZ 11 /* 0x67 */
-/* x86-64 REX prefix */
-#define INAT_PFX_REX 12 /* 0x4X */
-/* AVX VEX prefixes */
-#define INAT_PFX_VEX2 13 /* 2-bytes VEX prefix */
-#define INAT_PFX_VEX3 14 /* 3-bytes VEX prefix */
-
-#define INAT_LSTPFX_MAX 3
-#define INAT_LGCPFX_MAX 11
-
-/* Immediate size */
-#define INAT_IMM_BYTE 1
-#define INAT_IMM_WORD 2
-#define INAT_IMM_DWORD 3
-#define INAT_IMM_QWORD 4
-#define INAT_IMM_PTR 5
-#define INAT_IMM_VWORD32 6
-#define INAT_IMM_VWORD 7
-
-/* Legacy prefix */
-#define INAT_PFX_OFFS 0
-#define INAT_PFX_BITS 4
-#define INAT_PFX_MAX ((1 << INAT_PFX_BITS) - 1)
-#define INAT_PFX_MASK (INAT_PFX_MAX << INAT_PFX_OFFS)
-/* Escape opcodes */
-#define INAT_ESC_OFFS (INAT_PFX_OFFS + INAT_PFX_BITS)
-#define INAT_ESC_BITS 2
-#define INAT_ESC_MAX ((1 << INAT_ESC_BITS) - 1)
-#define INAT_ESC_MASK (INAT_ESC_MAX << INAT_ESC_OFFS)
-/* Group opcodes (1-16) */
-#define INAT_GRP_OFFS (INAT_ESC_OFFS + INAT_ESC_BITS)
-#define INAT_GRP_BITS 5
-#define INAT_GRP_MAX ((1 << INAT_GRP_BITS) - 1)
-#define INAT_GRP_MASK (INAT_GRP_MAX << INAT_GRP_OFFS)
-/* Immediates */
-#define INAT_IMM_OFFS (INAT_GRP_OFFS + INAT_GRP_BITS)
-#define INAT_IMM_BITS 3
-#define INAT_IMM_MASK (((1 << INAT_IMM_BITS) - 1) << INAT_IMM_OFFS)
-/* Flags */
-#define INAT_FLAG_OFFS (INAT_IMM_OFFS + INAT_IMM_BITS)
-#define INAT_MODRM (1 << (INAT_FLAG_OFFS))
-#define INAT_FORCE64 (1 << (INAT_FLAG_OFFS + 1))
-#define INAT_SCNDIMM (1 << (INAT_FLAG_OFFS + 2))
-#define INAT_MOFFSET (1 << (INAT_FLAG_OFFS + 3))
-#define INAT_VARIANT (1 << (INAT_FLAG_OFFS + 4))
-#define INAT_VEXOK (1 << (INAT_FLAG_OFFS + 5))
-#define INAT_VEXONLY (1 << (INAT_FLAG_OFFS + 6))
-/* Attribute making macros for attribute tables */
-#define INAT_MAKE_PREFIX(pfx) (pfx << INAT_PFX_OFFS)
-#define INAT_MAKE_ESCAPE(esc) (esc << INAT_ESC_OFFS)
-#define INAT_MAKE_GROUP(grp) ((grp << INAT_GRP_OFFS) | INAT_MODRM)
-#define INAT_MAKE_IMM(imm) (imm << INAT_IMM_OFFS)
-
-/* Attribute search APIs */
-extern insn_attr_t inat_get_opcode_attribute(insn_byte_t opcode);
-extern insn_attr_t inat_get_escape_attribute(insn_byte_t opcode,
- insn_byte_t last_pfx,
- insn_attr_t esc_attr);
-extern insn_attr_t inat_get_group_attribute(insn_byte_t modrm,
- insn_byte_t last_pfx,
- insn_attr_t esc_attr);
-extern insn_attr_t inat_get_avx_attribute(insn_byte_t opcode,
- insn_byte_t vex_m,
- insn_byte_t vex_pp);
-
-/* Attribute checking functions */
-static inline int inat_is_legacy_prefix(insn_attr_t attr)
-{
- attr &= INAT_PFX_MASK;
- return attr && attr <= INAT_LGCPFX_MAX;
-}
-
-static inline int inat_is_address_size_prefix(insn_attr_t attr)
-{
- return (attr & INAT_PFX_MASK) == INAT_PFX_ADDRSZ;
-}
-
-static inline int inat_is_operand_size_prefix(insn_attr_t attr)
-{
- return (attr & INAT_PFX_MASK) == INAT_PFX_OPNDSZ;
-}
-
-static inline int inat_is_rex_prefix(insn_attr_t attr)
-{
- return (attr & INAT_PFX_MASK) == INAT_PFX_REX;
-}
-
-static inline int inat_last_prefix_id(insn_attr_t attr)
-{
- if ((attr & INAT_PFX_MASK) > INAT_LSTPFX_MAX)
- return 0;
- else
- return attr & INAT_PFX_MASK;
-}
-
-static inline int inat_is_vex_prefix(insn_attr_t attr)
-{
- attr &= INAT_PFX_MASK;
- return attr == INAT_PFX_VEX2 || attr == INAT_PFX_VEX3;
-}
-
-static inline int inat_is_vex3_prefix(insn_attr_t attr)
-{
- return (attr & INAT_PFX_MASK) == INAT_PFX_VEX3;
-}
-
-static inline int inat_is_escape(insn_attr_t attr)
-{
- return attr & INAT_ESC_MASK;
-}
-
-static inline int inat_escape_id(insn_attr_t attr)
-{
- return (attr & INAT_ESC_MASK) >> INAT_ESC_OFFS;
-}
-
-static inline int inat_is_group(insn_attr_t attr)
-{
- return attr & INAT_GRP_MASK;
-}
-
-static inline int inat_group_id(insn_attr_t attr)
-{
- return (attr & INAT_GRP_MASK) >> INAT_GRP_OFFS;
-}
-
-static inline int inat_group_common_attribute(insn_attr_t attr)
-{
- return attr & ~INAT_GRP_MASK;
-}
-
-static inline int inat_has_immediate(insn_attr_t attr)
-{
- return attr & INAT_IMM_MASK;
-}
-
-static inline int inat_immediate_size(insn_attr_t attr)
-{
- return (attr & INAT_IMM_MASK) >> INAT_IMM_OFFS;
-}
-
-static inline int inat_has_modrm(insn_attr_t attr)
-{
- return attr & INAT_MODRM;
-}
-
-static inline int inat_is_force64(insn_attr_t attr)
-{
- return attr & INAT_FORCE64;
-}
-
-static inline int inat_has_second_immediate(insn_attr_t attr)
-{
- return attr & INAT_SCNDIMM;
-}
-
-static inline int inat_has_moffset(insn_attr_t attr)
-{
- return attr & INAT_MOFFSET;
-}
-
-static inline int inat_has_variant(insn_attr_t attr)
-{
- return attr & INAT_VARIANT;
-}
-
-static inline int inat_accept_vex(insn_attr_t attr)
-{
- return attr & INAT_VEXOK;
-}
-
-static inline int inat_must_vex(insn_attr_t attr)
-{
- return attr & INAT_VEXONLY;
-}
-#endif
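Review bot: dropping this vendored copy of the kernel's x86 instruction attribute tables (Masami Hiramatsu's inat/insn code, which the old method needed to find a safe instruction boundary before overwriting a function prologue with a jump) is the right consequence of switching to pointer replacement, but confirm that nothing outside the deleted hijacks.c still includes <asm/inat.h> or uses insn_attr_t / the inat_* helpers. The -21 lines in core.c and the Makefile include-path removal suggest the callers were cleaned up; a grep for "inat" and "insn" across the remaining sources before merging is cheap.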
@@ -1,29 +0,0 @@
-#ifndef _ASM_X86_INAT_TYPES_H
-#define _ASM_X86_INAT_TYPES_H
-/*
- * x86 instruction attributes
- *
- * Written by Masami Hiramatsu <mhiramat@redhat.com>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- */
-
-/* Instruction attributes */
-typedef unsigned int insn_attr_t;
-typedef unsigned char insn_byte_t;
-typedef signed int insn_value_t;
-
-#endif