hansendc10 hours ago
"On x86-64, there are two CPU settings which control the kernel’s ability to access memory."
There are a couple more than two, even in 2021.
Memory Protection Keys come to mind, as do the NPT/EPT tables when virtualization is in play. SEV and SGX also have their own ways of preventing the kernel from writing to memory. The CPU also has range registers that protect certain special physical address ranges, like the TDX module's range. You can't write there either.
That's all that comes to mind at the moment. It's definitely a fun question!
karlgkk5 hours ago
a thought: do MPK actually control the kernel's ability to access memory? on intel, i think if you try to read that memory, a page fault wont be thrown. although with PKS, kernel reads will cause a page fault.
so can the kernel (ring0) freely read/write to memory encrypted with MPK? I think so, yes. good luck with whatever happens next tho lol
aliceryhl3 hours ago
Interesting. Though looking at the code, it does still check VM_MAYWRITE, so the mapping needs to be something you could remap as writable.
KenoFischer7 hours ago
I'm still surprised I was the first one to notice when Linus tried to change this - I always thought it was a pretty well known behavior.
anthkan hour ago
/proc it's a bad imitation of plan9's /proc.
bluepeter10 hours ago
The kernel owns the page tables. It can always find another way in.
vlovich1235 hours ago
But the point here is that userspace can use this to bypass kernel protections that would otherwise prevent it from mutating R^X pages for example, not that the kernel can bypass its own.
pjmlp3 hours ago
Not really, of the security measures on Windows, is exactly to control how kernel can access secure process memory, as possible mitigation to attacks by rogue drivers.
Naturally it is the kind of stuff that requires Windows 11 vlatest with the nice Pluton security CPU, as part of CoPilot+ PCs design.
mschuster9110 hours ago
> The kernel owns the page tables.
not entirely, IOMMU is a thing, that is IIRC how Amazon and other hyperscalers can promise you virtual machines whose memory cannot be touched even in the case the host is compromised (and, by extension, also if the feds arrive to v& your server).
gruez7 hours ago
>how Amazon and other hyperscalers can promise you virtual machines whose memory cannot be touched even in the case the host is compromised (and, by extension, also if the feds arrive to v& your server).
Even if we take those promises at face value, it practically doesn't mean much because every server still needs to handle reboots, which is when they can inject their evil code.
Borealid6 hours ago
MK-TME allows having memory encrypted at run time, and the platform TPM signs an attestation saying the memory was not altered.
Malicious code can't be injected at boot without breaking that TPM.
fc417fc8026 hours ago
Subject to the huge caveat that the attacker does not have physical access. https://tee.fail/
Borealid3 hours ago
An interesting implementation flaw, but not a conceptual problem with the design.
fc417fc8023 hours ago
Well, it kind of is actually. The previous iteration of the design didn't have that vulnerability but it was slower because managing IVs within the given constraints adds an additional layer of complexity. This is the pragmatic compromise so to speak.
Does it count as a conceptual problem when technical challenges without an acceptable solution block your goal?
[deleted]4 hours agocollapsed
ronsor8 hours ago
If your threat model is being v& by feds, maybe you should keep your server at home behind Tor.
haberman8 hours ago
TL;DR: when a user writes to /proc/self/mem, the kernel bypasses the MMU and hardware address translation, opting to emulate it in software (including emulated page faults!), which allows it to disregard any memory protection that is currently setup in the page tables.
IAmLiterallyAB5 hours ago
It doesn't bypass it exactly, it's still accessing it via virtual memory and the page tables. It's just that the kernel maintains one big linear memory map of RAM that's writable.
rramadass7 hours ago
Thank You.