Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

rewriter: Omit register scrubbing when caller/target pkey are zero #299

Merged
merged 1 commit into from
Oct 16, 2023

Conversation

ayrtonm
Copy link
Contributor

@ayrtonm ayrtonm commented Oct 6, 2023

If a call gate's caller has pkey zero then its memory is accessible to all compartments and we shouldn't care about scrubbing registers before calling the target since its memory is not protected anyway. If the call gate's target has pkey zero then the same argument holds for the register scrubbing after calling the target function.

If a call gate's caller has pkey zero then its memory is accessible to all
compartments and we shouldn't care about scrubbing registers before calling the
target since its memory is not protected anyway. If the call gate's target has
pkey zero then the same argument holds for the register scrubbing after calling
the target function.
@ayrtonm
Copy link
Contributor Author

ayrtonm commented Oct 10, 2023

To summarize our conversation on security issues yesterday, by omitting dead register (i.e. those not used for args/return val) scrubbing compartment A could write to B's memory. This could either happen if a function in B uses inline assembly to write a nominally dead register (dead according to function B's ABI) to memory or if a signal handler is invoked while in compartment B and all registers must be written to the stack in B.

However if compartment A wanted to write to B's memory it could always just use a live register which B spills to the stack. To me the two cases above seem much more difficult to achieve than using live registers (which must always be an option since that's the bare minimum we need for compartments to be able to interact) so I don't think we should have register scrubbing just for these scenarios. That's why I see register scrubbing as more important for preventing unintended data from exiting a compartment (e.g. leaking sensitive information) rather than preventing unintended data from entering a compartment (e.g. injecting malicious values into a compartment). @fw-immunant feel free to add anything I may have misinterpreted. @rinon thoughts?

Copy link
Collaborator

@rinon rinon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This LGTM, I took a look through the resulting assembly and things look right to me. We are effectively assuming that any necessary scrubs happen before transitioning to compartment zero. I agree on scrubs being necessary for confidentiality, not integrity, i.e. we don't care if values end up spilled to the stack as long as they aren't secret values.

@ayrtonm ayrtonm merged commit df6ae38 into main Oct 16, 2023
33 checks passed
@ayrtonm ayrtonm deleted the am/remove_double_scrub branch March 22, 2024 16:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants