Linux Foundation

A New Proposal for Protecting Kernel Data Memory

Linux Foundation via YouTube

Overview

Explore a revised proposal for protecting kernel data memory in this 34-minute conference talk from the Linux Foundation. Delve into the follow-up to the "Protecting the Protection Mechanisms" presentation from Security Summit 2018, addressing previously uncovered points. Examine the rewritten patch-set's focus on expressing meta-data for memory region properties while reducing verification overhead. Learn about the innovative approach of segmenting vmalloc address space and encoding specific properties in memory page mapping address ranges. Discover how this method aims to pave the way for page table hardening. Investigate topics such as data classification, concurrency problems, meta-data considerations, link-time allocations, run-time allocator challenges, memory pool protection, and actual protection mechanisms. Gain insights into critical kernel data protection strategies and their potential impact on Linux kernel security.

Syllabus

Intro
Summary
Goal: protect critical kernel data
Taking a closer look: data classification
Taking a closer look: concurrency problems
Taking a closer look: meta data
Considerations about the desired solution
Link-Time allocations
Considerations about the ad-hoc Run-time allocator
Solution for Run-time allocator vs ranges
More considerations on Run-time allocations
The Memory pool
Protecting the pool metadata
Solution for Link-time allocation of pools metadata
More metadata attacks: the page table
The actual protection mechanism
Final considerations
Conclusions

Taught by

Linux Foundation
