Commit e7fc62c6 authored by Kees Cook, committed by Valerie Aurora (Bow Shock)

MI-KCFI: Consolidate memory protection sections

Collapse the control-flow protections together (implementations vary),
and collapse the memory tagging protection (implementations vary). They
protect the same basic things, just in very different ways, but the
testing for each is fundamentally the same. It doesn't seem worthwhile
getting hyper-specific here.
parent c7ae5497
+11 −32
@@ -1136,46 +1136,25 @@ Use case: phone, general purpose, desktop, server, router, firewall
* Requirements: way to read log output on product as shipped
* Documentation:

#### 5.2.X.x **MI-KFCI**: Kernel forward control flow integrity
#### 5.2.X.x **MI-KFCI**: Kernel control flow integrity

* Sub-threat: Kernel function pointer overwrite
* Mitigation: Protect saved function pointers from overwrite
* Test: Save a kernel function pointer to heap, overwrite it with a different function, make indirect call to the saved function pointer
Use case: laptop, phone, other devices at higher risk of malicious code execution

* Sub-threat: Kernel function pointer and return pointer overwrite
* Mitigation: Protect saved pointers from overwrite via software (e.g. KASan) or hardware (e.g. Pointer Authentication), or validate transitions of expected control flow graph (e.g. KCFI, Shadow Stack)
* Test: Save a kernel function pointer to heap, overwrite it with a different function, make indirect call to the saved function pointer. Repeat but with a return address that was stored to the stack.
* Result: thread is killed
* Output: action logged as an event or the OS reboots
* Requirements: way to read log output on product as shipped
* Documentation:

#### 5.2.X.x **MI-XXXX**: Memory protection using Pointer Authentication Codes

Use case: phone, other devices at higher risk of malicious code execution

* Mitigation:
* Test:
* Result:
* Output:
* False positive test:
* Requirements:
* Documentation:

#### 5.2.X.x **MI-XXXX**: Memory protection using hardware memory tagging

Use case: phone, other devices at higher risk of malicious code execution

* Mitigation: Use hardware memory tagging feature for kernel memory allocations
* Test: Allocate memory with a tag, attempt to access the memory without the tag
* Result: segmentation fault, error handling code executed or thread killed
* Output: error message or log message for killed thread
* Requirements: way to read output on product as shipped
* Documentation: source code of tests, output of error message or thread kill

#### 5.2.X.x **MI-XXXX**: Memory protection using enhanced hardware memory tagging
#### 5.2.X.x **MI-KMT**: Kernel memory protection using memory tagging

Use case: phone, other devices at higher risk of malicious code execution
Use case: laptop, phone, other devices at higher risk of malicious code execution

* Mitigation: Use enhanced hardware memory tagging feature for kernel memory allocations
* Test: Allocate memory with a tag, attempt to access the memory without the tag
* Result: segmentation fault, error handling code executed or thread killed
* Mitigation: Use software or hardware memory tagging feature for kernel memory allocations
* Test: Allocate 2 adjacent memory regions with separate tags. Attempt to read and write memory with a positive offset into trailing region from leading region's tagged pointer. Attempt to read and write with negative offset into leading region using trailing region's tagged pointer. Free a region and read and write to the region using the original tagged pointer.
* Result: segmentation fault, error handling code executed or thread killed under in all test conditions
* Output: error message or log message for killed thread
* Requirements: way to read output on product as shipped
* Documentation: source code of tests, output of error message or thread kill
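Review bot: the section identifier in the heading (both the removed and the new line, `#### 5.2.X.x **MI-KFCI**: Kernel control flow integrity`) reads MI-KFCI while the commit subject says MI-KCFI; pick one spelling so the ID can be searched for and cross-referenced consistently. In the same hunk, the new Result line for MI-KMT, "thread killed under in all test conditions", has a stray "under in" and should read "thread killed in all test conditions". The MI-KMT test that allocates "2 adjacent memory regions with separate tags" should also say how the test confirms the two tags actually differ (or repeats the allocation until they do): an allocator that assigns tags randomly can hand adjacent regions the same tag, in which case the positive- and negative-offset probes succeed silently and the "fault in all test conditions" expectation is not met for a reason unrelated to the mitigation. The consolidation further drops the "False positive test:" field that the removed MI-XXXX Pointer Authentication template carried; the surviving MI-KFCI and MI-KMT sections would benefit from it, e.g. an indirect call through an unmodified function pointer, a return through an unmodified stack slot, and an in-bounds access through the correctly tagged pointer, none of which may trigger. Lastly, the new Mitigation line cites KASan as a software way to "protect saved pointers from overwrite"; KASan is a memory-error detector intended for debugging builds rather than a pointer-integrity mechanism on a shipped product, so a software CFI or shadow-stack example would match that wording better.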