SlideShare a Scribd company logo

KASan in a Bare-Metal Hypervisor

L
LF Events

Kernel address sanitizer (KASan) is a dynamic memory error detector for finding out-of-bounds and use-after-free bugs in Linux kernel. It uses shadow memory to record whether each byte of memory is safe to access and uses compile-time instrumentation to check shadow memory on each memory access. In this presentation Alexander Popov will describe the successful experience of porting KASan to a bare-metal hypervisor: the main steps, pitfalls and the ways to make KASan checks much more strict and multi-purpose. This presentation was delivered at LinuxCon Japan 2016 by Alexander Popov

Technology
1 of 21
Download to read offline
KASan in a Bare-Metal Hypervisor Alexander Popov LinuxCon Japan July 13, 2016 ptsecurity.com
2Motivation • C and C++ are not memory safe • Buffer overflow and use-after-free bugs can be maliciously exploited • We want to get rid of such bugs in our C code • KASan is a great technology, let's use it for PT hypervisor! ptsecurity.com
3Agenda ptsecurity.com • Basic ideas behind KASan • What is a bare-metal hypervisor • Porting KASan to a bare-metal hypervisor: – Main steps – Pitfalls – How to make KASan checks more strict and multi-purposed • Bonus
4KASan (Kernel Address Sanitizer) ptsecurity.com • KASan is a dynamic memory error detector for Linux kernel • Based on work by Andrey Konovalov and other great people at AddressSanitizer project, came to kernel from Andrey Ryabinin • Trophies: more than 65 memory errors found in Linux kernel • Low penalty: ~1.5x slowdown, ~2x memory usage • KASan is a debugging tool giving maximum profit with fuzzing • Can be used in bare-metal software
5KASan shadow memory legend Every aligned 8 bytes can have 9 states. KASan shadow encoding: • 0 if access to all 8 bytes is valid • N if access only to first N bytes is valid (1 <= N <= 7) • Negative value (poison) if access to all 8 bytes is invalid ptsecurity.com
6Mapping to KASan shadow (x86-64) ptsecurity.com Kernel address space (47 bits, 128 TB) KASan shadow memory (44 bits, 16 TB) Mappinng: shadow_addr = KASAN_SHADOW_OFFSET + (addr >> 3) 0xffff800000000000 0xffffffffffffffff 0xffffec0000000000 0xfffffc0000000000
7Compile-time instrumentation ptsecurity.com • gcc adds calling of __asan_load##size() or __asan_store##size() before memory access • gcc adds redzones around stack buffers and globals
8A bare-metal hypervisor ptsecurity.com • What is a hypervisor • What does “bare-metal” mean • How does it work with memory
9Step 1: Page tables for shadow ptsecurity.com Hypervisor memory (~200 MB) KASan shadow memory (~25 MB) 0x100000000 0x10c80a000 0x180000000 0x181901400 ... N.B. Choosing KASAN_SHADOW_OFFSET is tricky N.B. Ability to check whether hypervisor code touches foreign memory
10Step 2: Sanitize a single source file • Specify these gcc flags: -fsanitize=kernel-address -fasan-shadow-offset=... --param asan-instrumentation-with-call-threshold=0 N.B. The outline instrumentation is easier to start with N.B. The build system should support specifying different flags for different source files • Add KASan implementation from mm/kasan/kasan.c little by little (N.B. KASan is GPL) • Experiment till shadow works fine ptsecurity.com
11Step 3: Track global variables • Additionally specify --param asan-globals=1 • Take care of .ctors section in the linker script • Add do_ctors() looking at init/main.c • Poison the redzones by negative KASAN_GLOBAL_REDZONE in __asan_register_globals() • Use -fsanitize-sections=... to instrument globals in all sections • N.B. gcc does not create a KASan constructor for globals declared in assembler ptsecurity.com
12Step 4: Track heap • Make allocator add redzones around every allocation • Introduce kasan_alloc() which poisons shadow of redzones by KASAN_HEAP_REDZONE • Introduce kasan_free() which poisons shadow of freed memory by KASAN_HEAP_AFTER_FREE • If there is a stack of allocators, integrate KASan with each one to find more bugs: reserved memory != accessible memory • Implement delayed freeing, which reduces the probability of missing use-after-free ptsecurity.com
13Step 5: Poison shadow by default ptsecurity.com • Fill whole shadow memory by KASAN_GENERAL_POISON in kasan_init() • It's a whitelist instead of a blacklist • A perfectionist sleeps better now :)
14Step 6: Track stack • Additionally specify --param asan-stack=1 • When GCC sanitizes stack accesses it works with KASan shadow on its own • Pitfall 1: GCC instruments stack expecting that stack shadow is filled by 0. A perfectionist is sad. • Pitfall 2: Don't put kasan_init() call into a function with local variables. ptsecurity.com
15Step 7: Design a noKASan API • Allow memory access without KASan checks in: – nokasan_r64(), nokasan_w64() and others – nokasan_memset(), nokasan_memcmp() and others • checking the whole region at once • avoiding copying the code • except nokasan_snprintf(), which works with arglist N.B. Now we can very carefully apply this API to the hypervisor code which legitimately works with foreign memory ptsecurity.com
16Steps 8,9,10: Apply to the whole project • Cover files by KASan gradually – Fix memory access bugs – Apply noKASan API very carefully N.B. Changed memory layout and timings may trigger bugs N.B. Thorough code review by the code authors is vital • Move kasan_init() as early as possible (not so easy) • This took me 3 months to do (project size is 55000 SLOC) ptsecurity.com
17Next steps: Continuously support KASan • Be paranoid, check that KASan is switched on • Create a test for KASan and run it regularly • Teach the team how to interpret KASan reports • Control noKASan API usage ptsecurity.com
18Summary • KASan has been successfully ported to a bare-metal hypervisor and has found some very tricky memory errors in it • The new environment allowed to add new features to KASan • Using KASan in new environments make it better: patch to the Linux kernel mainline commit 5d5aa3cfca5cf74cd928daf3674642e6004328d1 x86/kasan: Fix KASAN shadow region page tables • KASan is very helpful for developing ptsecurity.com
19Undefined Behaviour Sanitizer (UBSan) • UB is a result of executing the code which doesn't have a prescribed behaviour in the language specification • Why UB is dangerous • Why UB exists • The programmers must avoid it, but sometimes they fail • UBSan can help, even in bare-metal projects! ptsecurity.com
20Porting UBSan to a bare-metal hypervisor • Specify -fsanitize=undefined for a single source file • Add __ubsan_handle_*() stubs • Experiment with UB and add UBSan implementation little by little looking at lib/ubsan.c • Choose the needed subset of UBSan flags • Instrument the whole project and run it • Become scared and carefully fix detected UB ptsecurity.com
21 Thanks. Questions? alex.popov@linux.com alpopov@ptsecurity.com ptsecurity.com

Recommended

How to use KASAN to debug memory corruption in OpenStack environment- (2)
How to use KASAN to debug memory corruption in OpenStack environment- (2)How to use KASAN to debug memory corruption in OpenStack environment- (2)
How to use KASAN to debug memory corruption in OpenStack environment- (2)
Gavin Guo
 
Page cache in Linux kernel
Page cache in Linux kernelPage cache in Linux kernel
Page cache in Linux kernel
Adrian Huang
 
Arm device tree and linux device drivers
Arm device tree and linux device driversArm device tree and linux device drivers
Arm device tree and linux device drivers
Houcheng Lin
 
Ixgbe internals
Ixgbe internalsIxgbe internals
Ixgbe internals
SUSE Labs Taipei
 
Linux device drivers
Linux device drivers Linux device drivers
Linux device drivers
Emertxe Information Technologies Pvt Ltd
 
Vmlinux: anatomy of bzimage and how x86 64 processor is booted
Vmlinux: anatomy of bzimage and how x86 64 processor is bootedVmlinux: anatomy of bzimage and how x86 64 processor is booted
Vmlinux: anatomy of bzimage and how x86 64 processor is booted
Adrian Huang
 
Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021
Jian-Hong Pan
 
malloc & vmalloc in Linux
malloc & vmalloc in Linuxmalloc & vmalloc in Linux
malloc & vmalloc in Linux
Adrian Huang
 

Recommended

How to use KASAN to debug memory corruption in OpenStack environment- (2)
How to use KASAN to debug memory corruption in OpenStack environment- (2)How to use KASAN to debug memory corruption in OpenStack environment- (2)
How to use KASAN to debug memory corruption in OpenStack environment- (2)
Gavin Guo
 
Page cache in Linux kernel
Page cache in Linux kernelPage cache in Linux kernel
Page cache in Linux kernel
Adrian Huang
 
Arm device tree and linux device drivers
Arm device tree and linux device driversArm device tree and linux device drivers
Arm device tree and linux device drivers
Houcheng Lin
 
Ixgbe internals
Ixgbe internalsIxgbe internals
Ixgbe internals
SUSE Labs Taipei
 
Linux device drivers
Linux device drivers Linux device drivers
Linux device drivers
Emertxe Information Technologies Pvt Ltd
 
Vmlinux: anatomy of bzimage and how x86 64 processor is booted
Vmlinux: anatomy of bzimage and how x86 64 processor is bootedVmlinux: anatomy of bzimage and how x86 64 processor is booted
Vmlinux: anatomy of bzimage and how x86 64 processor is booted
Adrian Huang
 
Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021
Jian-Hong Pan
 
malloc & vmalloc in Linux
malloc & vmalloc in Linuxmalloc & vmalloc in Linux
malloc & vmalloc in Linux
Adrian Huang
 
Understanding a kernel oops and a kernel panic
Understanding a kernel oops and a kernel panicUnderstanding a kernel oops and a kernel panic
Understanding a kernel oops and a kernel panic
Joseph Lu
 
BPF / XDP 8월 세미나 KossLab
BPF / XDP 8월 세미나 KossLabBPF / XDP 8월 세미나 KossLab
BPF / XDP 8월 세미나 KossLab
Taeung Song
 
Linux Initialization Process (2)
Linux Initialization Process (2)Linux Initialization Process (2)
Linux Initialization Process (2)
shimosawa
 
Physical Memory Models.pdf
Physical Memory Models.pdfPhysical Memory Models.pdf
Physical Memory Models.pdf
Adrian Huang
 
Qemu device prototyping
Qemu device prototypingQemu device prototyping
Qemu device prototyping
Yan Vugenfirer
 
LSFMM 2019 BPF Observability
LSFMM 2019 BPF ObservabilityLSFMM 2019 BPF Observability
LSFMM 2019 BPF Observability
Brendan Gregg
 
Jagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchJagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratch
linuxlab_conf
 
Linux Porting
Linux PortingLinux Porting
Linux Porting
Champ Yen
 
Linux kernel status in RISC-V
Linux kernel status in RISC-VLinux kernel status in RISC-V
Linux kernel status in RISC-V
Atish Patra
 
Linux MMAP & Ioremap introduction
Linux MMAP & Ioremap introductionLinux MMAP & Ioremap introduction
Linux MMAP & Ioremap introduction
Gene Chang
 
Static partitioning virtualization on RISC-V
Static partitioning virtualization on RISC-VStatic partitioning virtualization on RISC-V
Static partitioning virtualization on RISC-V
RISC-V International
 
The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast Storage
Kernel TLV
 
Memory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelMemory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux Kernel
Adrian Huang
 
Linux Kernel Overview
Linux Kernel OverviewLinux Kernel Overview
Linux Kernel Overview
Anil Kumar Pugalia
 
Physical Memory Management.pdf
Physical Memory Management.pdfPhysical Memory Management.pdf
Physical Memory Management.pdf
Adrian Huang
 
Linux Kernel MMC Storage driver Overview
Linux Kernel MMC Storage driver OverviewLinux Kernel MMC Storage driver Overview
Linux Kernel MMC Storage driver Overview
RajKumar Rampelli
 
Linux Kernel - Virtual File System
Linux Kernel - Virtual File SystemLinux Kernel - Virtual File System
Linux Kernel - Virtual File System
Adrian Huang
 
리눅스 커널 디버거 KGDB/KDB
리눅스 커널 디버거 KGDB/KDB리눅스 커널 디버거 KGDB/KDB
리눅스 커널 디버거 KGDB/KDB
Manjong Han
 
Linux Kernel Booting Process (2) - For NLKB
Linux Kernel Booting Process (2) - For NLKBLinux Kernel Booting Process (2) - For NLKB
Linux Kernel Booting Process (2) - For NLKB
shimosawa
 
Device tree
Device treeDevice tree
Device tree
Rouyun Pan
 
Использование KASan для автономного гипервизора
Использование KASan для автономного гипервизораИспользование KASan для автономного гипервизора
Использование KASan для автономного гипервизора
Positive Hack Days
 
Using the big guns: Advanced OS performance tools for troubleshooting databas...
Using the big guns: Advanced OS performance tools for troubleshooting databas...Using the big guns: Advanced OS performance tools for troubleshooting databas...
Using the big guns: Advanced OS performance tools for troubleshooting databas...
Nikolay Savvinov
 

More Related Content

What's hot

Jagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchJagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratch
linuxlab_conf
 

What's hot (20)

Understanding a kernel oops and a kernel panic
Understanding a kernel oops and a kernel panicUnderstanding a kernel oops and a kernel panic
Understanding a kernel oops and a kernel panic
 
BPF / XDP 8월 세미나 KossLab
BPF / XDP 8월 세미나 KossLabBPF / XDP 8월 세미나 KossLab
BPF / XDP 8월 세미나 KossLab
 
Linux Initialization Process (2)
Linux Initialization Process (2)Linux Initialization Process (2)
Linux Initialization Process (2)
 
Physical Memory Models.pdf
Physical Memory Models.pdfPhysical Memory Models.pdf
Physical Memory Models.pdf
 
Qemu device prototyping
Qemu device prototypingQemu device prototyping
Qemu device prototyping
 
LSFMM 2019 BPF Observability
LSFMM 2019 BPF ObservabilityLSFMM 2019 BPF Observability
LSFMM 2019 BPF Observability
 
Jagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchJagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratch
 
Linux Porting
Linux PortingLinux Porting
Linux Porting
 
Linux kernel status in RISC-V
Linux kernel status in RISC-VLinux kernel status in RISC-V
Linux kernel status in RISC-V
 
Linux MMAP & Ioremap introduction
Linux MMAP & Ioremap introductionLinux MMAP & Ioremap introduction
Linux MMAP & Ioremap introduction
 
Static partitioning virtualization on RISC-V
Static partitioning virtualization on RISC-VStatic partitioning virtualization on RISC-V
Static partitioning virtualization on RISC-V
 
The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast Storage
 
Memory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelMemory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux Kernel
 
Linux Kernel Overview
Linux Kernel OverviewLinux Kernel Overview
Linux Kernel Overview
 
Physical Memory Management.pdf
Physical Memory Management.pdfPhysical Memory Management.pdf
Physical Memory Management.pdf
 
Linux Kernel MMC Storage driver Overview
Linux Kernel MMC Storage driver OverviewLinux Kernel MMC Storage driver Overview
Linux Kernel MMC Storage driver Overview
 
Linux Kernel - Virtual File System
Linux Kernel - Virtual File SystemLinux Kernel - Virtual File System
Linux Kernel - Virtual File System
 
리눅스 커널 디버거 KGDB/KDB
리눅스 커널 디버거 KGDB/KDB리눅스 커널 디버거 KGDB/KDB
리눅스 커널 디버거 KGDB/KDB
 
Linux Kernel Booting Process (2) - For NLKB
Linux Kernel Booting Process (2) - For NLKBLinux Kernel Booting Process (2) - For NLKB
Linux Kernel Booting Process (2) - For NLKB
 
Device tree
Device treeDevice tree
Device tree
 

Similar to KASan in a Bare-Metal Hypervisor

Running Applications on the NetBSD Rump Kernel by Justin Cormack
Running Applications on the NetBSD Rump Kernel by Justin Cormack Running Applications on the NetBSD Rump Kernel by Justin Cormack
Running Applications on the NetBSD Rump Kernel by Justin Cormack
eurobsdcon
 
iland Internet Solutions: Leveraging Cassandra for real-time multi-datacenter...
iland Internet Solutions: Leveraging Cassandra for real-time multi-datacenter...iland Internet Solutions: Leveraging Cassandra for real-time multi-datacenter...
iland Internet Solutions: Leveraging Cassandra for real-time multi-datacenter...
DataStax Academy
 
Leveraging Cassandra for real-time multi-datacenter public cloud analytics
Leveraging Cassandra for real-time multi-datacenter public cloud analyticsLeveraging Cassandra for real-time multi-datacenter public cloud analytics
Leveraging Cassandra for real-time multi-datacenter public cloud analytics
Julien Anguenot
 
Keeping Latency Low for User-Defined Functions with WebAssembly
Keeping Latency Low for User-Defined Functions with WebAssemblyKeeping Latency Low for User-Defined Functions with WebAssembly
Keeping Latency Low for User-Defined Functions with WebAssembly
ScyllaDB
 
What’s Slowing Down Your Kafka Pipeline? With Ruizhe Cheng and Pete Stevenson...
What’s Slowing Down Your Kafka Pipeline? With Ruizhe Cheng and Pete Stevenson...What’s Slowing Down Your Kafka Pipeline? With Ruizhe Cheng and Pete Stevenson...
What’s Slowing Down Your Kafka Pipeline? With Ruizhe Cheng and Pete Stevenson...
HostedbyConfluent
 
You Call that Micro, Mr. Docker? How OSv and Unikernels Help Micro-services S...
You Call that Micro, Mr. Docker? How OSv and Unikernels Help Micro-services S...You Call that Micro, Mr. Docker? How OSv and Unikernels Help Micro-services S...
You Call that Micro, Mr. Docker? How OSv and Unikernels Help Micro-services S...
rhatr
 
Under The Hood Of A Shard-Per-Core Database Architecture
Under The Hood Of A Shard-Per-Core Database ArchitectureUnder The Hood Of A Shard-Per-Core Database Architecture
Under The Hood Of A Shard-Per-Core Database Architecture
ScyllaDB
 
Linux BPF Superpowers
Linux BPF SuperpowersLinux BPF Superpowers
Linux BPF Superpowers
Brendan Gregg
 

Similar to KASan in a Bare-Metal Hypervisor (20)

Использование KASan для автономного гипервизора
Использование KASan для автономного гипервизораИспользование KASan для автономного гипервизора
Использование KASan для автономного гипервизора
 
Using the big guns: Advanced OS performance tools for troubleshooting databas...
Using the big guns: Advanced OS performance tools for troubleshooting databas...Using the big guns: Advanced OS performance tools for troubleshooting databas...
Using the big guns: Advanced OS performance tools for troubleshooting databas...
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
 
Running Applications on the NetBSD Rump Kernel by Justin Cormack
Running Applications on the NetBSD Rump Kernel by Justin Cormack Running Applications on the NetBSD Rump Kernel by Justin Cormack
Running Applications on the NetBSD Rump Kernel by Justin Cormack
 
iland Internet Solutions: Leveraging Cassandra for real-time multi-datacenter...
iland Internet Solutions: Leveraging Cassandra for real-time multi-datacenter...iland Internet Solutions: Leveraging Cassandra for real-time multi-datacenter...
iland Internet Solutions: Leveraging Cassandra for real-time multi-datacenter...
 
Leveraging Cassandra for real-time multi-datacenter public cloud analytics
Leveraging Cassandra for real-time multi-datacenter public cloud analyticsLeveraging Cassandra for real-time multi-datacenter public cloud analytics
Leveraging Cassandra for real-time multi-datacenter public cloud analytics
 
PGConf.ASIA 2019 Bali - Building PostgreSQL as a Service with Kubernetes - Ta...
PGConf.ASIA 2019 Bali - Building PostgreSQL as a Service with Kubernetes - Ta...PGConf.ASIA 2019 Bali - Building PostgreSQL as a Service with Kubernetes - Ta...
PGConf.ASIA 2019 Bali - Building PostgreSQL as a Service with Kubernetes - Ta...
 
Seastar / ScyllaDB, or how we implemented a 10-times faster Cassandra
Seastar / ScyllaDB, or how we implemented a 10-times faster CassandraSeastar / ScyllaDB, or how we implemented a 10-times faster Cassandra
Seastar / ScyllaDB, or how we implemented a 10-times faster Cassandra
 
How Opera Syncs Tens of Millions of Browsers and Sleeps Well at Night
How Opera Syncs Tens of Millions of Browsers and Sleeps Well at NightHow Opera Syncs Tens of Millions of Browsers and Sleeps Well at Night
How Opera Syncs Tens of Millions of Browsers and Sleeps Well at Night
 
Ceph Deployment at Target: Customer Spotlight
Ceph Deployment at Target: Customer SpotlightCeph Deployment at Target: Customer Spotlight
Ceph Deployment at Target: Customer Spotlight
 
Ceph Deployment at Target: Customer Spotlight
Ceph Deployment at Target: Customer SpotlightCeph Deployment at Target: Customer Spotlight
Ceph Deployment at Target: Customer Spotlight
 
Sanger OpenStack presentation March 2017
Sanger OpenStack presentation March 2017Sanger OpenStack presentation March 2017
Sanger OpenStack presentation March 2017
 
Keeping Latency Low for User-Defined Functions with WebAssembly
Keeping Latency Low for User-Defined Functions with WebAssemblyKeeping Latency Low for User-Defined Functions with WebAssembly
Keeping Latency Low for User-Defined Functions with WebAssembly
 
Audit
AuditAudit
Audit
 
What’s Slowing Down Your Kafka Pipeline? With Ruizhe Cheng and Pete Stevenson...
What’s Slowing Down Your Kafka Pipeline? With Ruizhe Cheng and Pete Stevenson...What’s Slowing Down Your Kafka Pipeline? With Ruizhe Cheng and Pete Stevenson...
What’s Slowing Down Your Kafka Pipeline? With Ruizhe Cheng and Pete Stevenson...
 
You Call that Micro, Mr. Docker? How OSv and Unikernels Help Micro-services S...
You Call that Micro, Mr. Docker? How OSv and Unikernels Help Micro-services S...You Call that Micro, Mr. Docker? How OSv and Unikernels Help Micro-services S...
You Call that Micro, Mr. Docker? How OSv and Unikernels Help Micro-services S...
 
Under The Hood Of A Shard-Per-Core Database Architecture
Under The Hood Of A Shard-Per-Core Database ArchitectureUnder The Hood Of A Shard-Per-Core Database Architecture
Under The Hood Of A Shard-Per-Core Database Architecture
 
Linux BPF Superpowers
Linux BPF SuperpowersLinux BPF Superpowers
Linux BPF Superpowers
 
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsyncWhy does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
 
Running Cloud Foundry for 12 months - An experience report | anynines
Running Cloud Foundry for 12 months - An experience report | anyninesRunning Cloud Foundry for 12 months - An experience report | anynines
Running Cloud Foundry for 12 months - An experience report | anynines
 

More from LF Events

Efficient kernel backporting
Efficient kernel backportingEfficient kernel backporting
Efficient kernel backporting
LF Events
 
Introduction to Open-O
Introduction to Open-OIntroduction to Open-O
Introduction to Open-O
LF Events
 
SR-IOV ixgbe Driver Limitations and Improvement
SR-IOV ixgbe Driver Limitations and ImprovementSR-IOV ixgbe Driver Limitations and Improvement
SR-IOV ixgbe Driver Limitations and Improvement
LF Events
 
Linxu conj2016 96boards
Linxu conj2016 96boardsLinxu conj2016 96boards
Linxu conj2016 96boards
LF Events
 
Learning From Real Practice of Providing Highly Available Hybrid Cloud Servic...
Learning From Real Practice of Providing Highly Available Hybrid Cloud Servic...Learning From Real Practice of Providing Highly Available Hybrid Cloud Servic...
Learning From Real Practice of Providing Highly Available Hybrid Cloud Servic...
LF Events
 
Generating a Reproducible and Maintainable Embedded Linux Environment with Po...
Generating a Reproducible and Maintainable Embedded Linux Environment with Po...Generating a Reproducible and Maintainable Embedded Linux Environment with Po...
Generating a Reproducible and Maintainable Embedded Linux Environment with Po...
LF Events
 
Secure IOT Gateway
Secure IOT GatewaySecure IOT Gateway
Secure IOT Gateway
LF Events
 
Trading Derivatives on Hyperledger
Trading Derivatives on HyperledgerTrading Derivatives on Hyperledger
Trading Derivatives on Hyperledger
LF Events
 
Containers: Don't Skeu Them Up, Use Microservices Instead
Containers: Don't Skeu Them Up, Use Microservices InsteadContainers: Don't Skeu Them Up, Use Microservices Instead
Containers: Don't Skeu Them Up, Use Microservices Instead
LF Events
 

More from LF Events (16)

Feature rich BTRFS is Getting Richer with Encryption
Feature rich BTRFS is Getting Richer with EncryptionFeature rich BTRFS is Getting Richer with Encryption
Feature rich BTRFS is Getting Richer with Encryption
 
Efficient kernel backporting
Efficient kernel backportingEfficient kernel backporting
Efficient kernel backporting
 
Raspberry pi Update - Encourage your IOT
Raspberry pi Update - Encourage your IOTRaspberry pi Update - Encourage your IOT
Raspberry pi Update - Encourage your IOT
 
Introduction to Open-O
Introduction to Open-OIntroduction to Open-O
Introduction to Open-O
 
CNCF and Fujitsu
CNCF and FujitsuCNCF and Fujitsu
CNCF and Fujitsu
 
SR-IOV ixgbe Driver Limitations and Improvement
SR-IOV ixgbe Driver Limitations and ImprovementSR-IOV ixgbe Driver Limitations and Improvement
SR-IOV ixgbe Driver Limitations and Improvement
 
NVMe Over Fabrics Support in Linux
NVMe Over Fabrics Support in LinuxNVMe Over Fabrics Support in Linux
NVMe Over Fabrics Support in Linux
 
Linxu conj2016 96boards
Linxu conj2016 96boardsLinxu conj2016 96boards
Linxu conj2016 96boards
 
Taking over to the Next Generation
Taking over to the Next GenerationTaking over to the Next Generation
Taking over to the Next Generation
 
Learning From Real Practice of Providing Highly Available Hybrid Cloud Servic...
Learning From Real Practice of Providing Highly Available Hybrid Cloud Servic...Learning From Real Practice of Providing Highly Available Hybrid Cloud Servic...
Learning From Real Practice of Providing Highly Available Hybrid Cloud Servic...
 
Generating a Reproducible and Maintainable Embedded Linux Environment with Po...
Generating a Reproducible and Maintainable Embedded Linux Environment with Po...Generating a Reproducible and Maintainable Embedded Linux Environment with Po...
Generating a Reproducible and Maintainable Embedded Linux Environment with Po...
 
Secure IOT Gateway
Secure IOT GatewaySecure IOT Gateway
Secure IOT Gateway
 
Trading Derivatives on Hyperledger
Trading Derivatives on HyperledgerTrading Derivatives on Hyperledger
Trading Derivatives on Hyperledger
 
Introducing Oracle Linux and Securing It With ksplice
Introducing Oracle Linux and Securing It With kspliceIntroducing Oracle Linux and Securing It With ksplice
Introducing Oracle Linux and Securing It With ksplice
 
Boost UDP Transaction Performance
Boost UDP Transaction PerformanceBoost UDP Transaction Performance
Boost UDP Transaction Performance
 
Containers: Don't Skeu Them Up, Use Microservices Instead
Containers: Don't Skeu Them Up, Use Microservices InsteadContainers: Don't Skeu Them Up, Use Microservices Instead
Containers: Don't Skeu Them Up, Use Microservices Instead
 

Recently uploaded

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Malak Abu Hammad
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Puma Security, LLC
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 

Recently uploaded (20)

Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 

KASan in a Bare-Metal Hypervisor

  • 1. KASan in a Bare-Metal Hypervisor Alexander Popov LinuxCon Japan July 13, 2016 ptsecurity.com
  • 2. 2Motivation • C and C++ are not memory safe • Buffer overflow and use-after-free bugs can be maliciously exploited • We want to get rid of such bugs in our C code • KASan is a great technology, let's use it for PT hypervisor! ptsecurity.com
  • 3. 3Agenda ptsecurity.com • Basic ideas behind KASan • What is a bare-metal hypervisor • Porting KASan to a bare-metal hypervisor: – Main steps – Pitfalls – How to make KASan checks more strict and multi-purposed • Bonus
  • 4. 4KASan (Kernel Address Sanitizer) ptsecurity.com • KASan is a dynamic memory error detector for Linux kernel • Based on work by Andrey Konovalov and other great people at AddressSanitizer project, came to kernel from Andrey Ryabinin • Trophies: more than 65 memory errors found in Linux kernel • Low penalty: ~1.5x slowdown, ~2x memory usage • KASan is a debugging tool giving maximum profit with fuzzing • Can be used in bare-metal software
  • 5. 5KASan shadow memory legend Every aligned 8 bytes can have 9 states. KASan shadow encoding: • 0 if access to all 8 bytes is valid • N if access only to first N bytes is valid (1 <= N <= 7) • Negative value (poison) if access to all 8 bytes is invalid ptsecurity.com
  • 6. 6Mapping to KASan shadow (x86-64) ptsecurity.com Kernel address space (47 bits, 128 TB) KASan shadow memory (44 bits, 16 TB) Mappinng: shadow_addr = KASAN_SHADOW_OFFSET + (addr >> 3) 0xffff800000000000 0xffffffffffffffff 0xffffec0000000000 0xfffffc0000000000
  • 7. 7Compile-time instrumentation ptsecurity.com • gcc adds calling of __asan_load##size() or __asan_store##size() before memory access • gcc adds redzones around stack buffers and globals
  • 8. 8A bare-metal hypervisor ptsecurity.com • What is a hypervisor • What does “bare-metal” mean • How does it work with memory
  • 9. 9Step 1: Page tables for shadow ptsecurity.com Hypervisor memory (~200 MB) KASan shadow memory (~25 MB) 0x100000000 0x10c80a000 0x180000000 0x181901400 ... N.B. Choosing KASAN_SHADOW_OFFSET is tricky N.B. Ability to check whether hypervisor code touches foreign memory
  • 10. 10Step 2: Sanitize a single source file • Specify these gcc flags: -fsanitize=kernel-address -fasan-shadow-offset=... --param asan-instrumentation-with-call-threshold=0 N.B. The outline instrumentation is easier to start with N.B. The build system should support specifying different flags for different source files • Add KASan implementation from mm/kasan/kasan.c little by little (N.B. KASan is GPL) • Experiment till shadow works fine ptsecurity.com
  • 11. 11Step 3: Track global variables • Additionally specify --param asan-globals=1 • Take care of .ctors section in the linker script • Add do_ctors() looking at init/main.c • Poison the redzones by negative KASAN_GLOBAL_REDZONE in __asan_register_globals() • Use -fsanitize-sections=... to instrument globals in all sections • N.B. gcc does not create a KASan constructor for globals declared in assembler ptsecurity.com
  • 12. 12Step 4: Track heap • Make allocator add redzones around every allocation • Introduce kasan_alloc() which poisons shadow of redzones by KASAN_HEAP_REDZONE • Introduce kasan_free() which poisons shadow of freed memory by KASAN_HEAP_AFTER_FREE • If there is a stack of allocators, integrate KASan with each one to find more bugs: reserved memory != accessible memory • Implement delayed freeing, which reduces the probability of missing use-after-free ptsecurity.com
  • 13. 13Step 5: Poison shadow by default ptsecurity.com • Fill whole shadow memory by KASAN_GENERAL_POISON in kasan_init() • It's a whitelist instead of a blacklist • A perfectionist sleeps better now :)
  • 14. 14Step 6: Track stack • Additionally specify --param asan-stack=1 • When GCC sanitizes stack accesses it works with KASan shadow on its own • Pitfall 1: GCC instruments stack expecting that stack shadow is filled by 0. A perfectionist is sad. • Pitfall 2: Don't put kasan_init() call into a function with local variables. ptsecurity.com
  • 15. 15Step 7: Design a noKASan API • Allow memory access without KASan checks in: – nokasan_r64(), nokasan_w64() and others – nokasan_memset(), nokasan_memcmp() and others • checking the whole region at once • avoiding copying the code • except nokasan_snprintf(), which works with arglist N.B. Now we can very carefully apply this API to the hypervisor code which legitimately works with foreign memory ptsecurity.com
  • 16. 16Steps 8,9,10: Apply to the whole project • Cover files by KASan gradually – Fix memory access bugs – Apply noKASan API very carefully N.B. Changed memory layout and timings may trigger bugs N.B. Thorough code review by the code authors is vital • Move kasan_init() as early as possible (not so easy) • This took me 3 months to do (project size is 55000 SLOC) ptsecurity.com
  • 17. 17Next steps: Continuously support KASan • Be paranoid, check that KASan is switched on • Create a test for KASan and run it regularly • Teach the team how to interpret KASan reports • Control noKASan API usage ptsecurity.com
  • 18. 18Summary • KASan has been successfully ported to a bare-metal hypervisor and has found some very tricky memory errors in it • The new environment allowed to add new features to KASan • Using KASan in new environments make it better: patch to the Linux kernel mainline commit 5d5aa3cfca5cf74cd928daf3674642e6004328d1 x86/kasan: Fix KASAN shadow region page tables • KASan is very helpful for developing ptsecurity.com
  • 19. 19Undefined Behaviour Sanitizer (UBSan) • UB is a result of executing the code which doesn't have a prescribed behaviour in the language specification • Why UB is dangerous • Why UB exists • The programmers must avoid it, but sometimes they fail • UBSan can help, even in bare-metal projects! ptsecurity.com
  • 20. 20Porting UBSan to a bare-metal hypervisor • Specify -fsanitize=undefined for a single source file • Add __ubsan_handle_*() stubs • Experiment with UB and add UBSan implementation little by little looking at lib/ubsan.c • Choose the needed subset of UBSan flags • Instrument the whole project and run it • Become scared and carefully fix detected UB ptsecurity.com