GSoC proposal: Implement Intel SMAP and kernel patching framework
Oliver Pinter
oliver.pntr at gmail.com
Thu Mar 20 10:16:35 UTC 2014
Hi All!
Below is my proposal:
Organization: FreeBSD
Short description: In the first phase, I want to implement the Intel SMAP
(Supervisor Mode Access Prevention) technology for the x86-64
architecture. In the second phase, I plan to implement a boot/load time
kernel and kernel module patching (instruction patching) framework.
* General Information:
** e-mail: oliver.pntr AT gmail.com
** phone: XX
** IRC: _op_ at OFTC
** IRC: _op_ at EFNet
** IRC: _op_ at irc.atw.hu
** linkedin: http://hu.linkedin.com/in/oliverpinter/
** availability: ~30 hrs/week
* Biography:
I am Oliver Pinter, an MSc student at the Budapest University of
Technology and Economics (BUTE). I'm specializing in Security of
Telecommunication Systems at the CrySyS Laboratory. In 2008 I maintained
a stable Linux kernel tree: http://repo.or.cz/w/linux-2.6.22.y-op.git .
In my BSc thesis I investigated some aspects of Intel SMAP in contact
with Intel (see LinkedIn or google://freebsd+intel+smap). Currently I am
part of BUTE's CrySyS Laboratory (www.crysys.hu) .
* Short Description:
** In the first phase, I want to implement the Intel SMAP (Supervisor Mode
Access Prevention) technology for the x86-64 architecture. In the second
phase, I plan to implement a boot/load time kernel and kernel module
patching framework.
* Project Title:
** Implement Intel SMAP and kernel patching framework
* Project Description:
** Intel SMAP is a hardware extension to support advanced kernel
self-protection. The SMAP technology will prevent unintended data
access from the kernel to userland memory. The technology will appear in
the Intel Broadwell architecture in 2014Q2/Q3. Currently there is an
emulator, namely Qemu with TCG, which supports this technology.
** Runtime kernel/kernel module patching is required; otherwise the
processor will fail when processing an unknown instruction. Newer
processors introduce new instructions which did not exist on older
ones. To solve this situation, this framework makes the kernel and
kernel modules self-modifiable in a common way.
** http://software.intel.com/sites/default/files/319433-014.pdf
** http://forums.grsecurity.net/viewtopic.php?f=7&t=3046
** https://lwn.net/Articles/517475/
* Deliverables:
** phase #1:
- Improved security of the FreeBSD kernel on future x86-64 processors
** phase #2:
- generic framework for boot-time/runtime patching of the kernel image
and kernel modules
- eliminate hackish "manual" instruction patching:
http://svnweb.freebsd.org/base/head/sys/amd64/amd64/cpu_switch.S?r1=238450&r2=238449&pathrev=238450
* Test Plan:
** phase #1 - SMAP:
- create a VM image
- write vulnerable kernel module and PoC, and test
- test in qemu with SMAP emulation
** phase #2 - kernel patching:
- create a VM image
- boot test in qemu
- kernel module test in qemu
- test in qemu with enabled SMAP
- test on real hardware with XSAVE/XSAVEOPT
- stress test
* Schedule:
** phase #1:
May 19 - May 25: update Intel SMAP knowledge
May 26 - June 8: update relevant FreeBSD kernel knowledge
June 9 - June 15: implement/refine trap handler and add/refine
required code to relevant parts of kernel
June 16 - June 22: test and fix
** phase #2:
June 13 - June 29: identify the required places to modify in
booting process and kernel module loading process
June 30 - July 6: design the kernel patching framework
July 7 - July 20: implement the kernel patching framework
July 21 - July 27: adapt XSAVE and SMAP instructions to new framework
July 28 - EoC: test, test, fix, test
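Added illustration (not part of this proposal and not FreeBSD code): a user-space C model of the phase #2 patching framework, exercised on the phase #1 STAC/CLAC sites and on the XSAVE-to-XSAVEOPT case the proposal cites from cpu_switch.S. The table layout, the feature-bit numbering, the slot convention (NOP-padded holes reserved at build time) and the byte image standing in for kernel text are this example's own assumptions; the instruction encodings (STAC 0f 01 cb, CLAC 0f 01 ca, XSAVE/XSAVEOPT (%rdi) 0f ae 27/37) and the CPUID feature bits are those documented by Intel.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))
#include <cpuid.h>
#endif

#define NOP      0x90   /* one-byte x86 NOP: every slot is padded with these */
#define SLOT_MAX 8

/* Feature bits the patch table can depend on (this demo's own layout). */
enum { FEAT_SMAP = 1u << 0, FEAT_XSAVEOPT = 1u << 1 };

/* One patch site: a fixed-length slot reserved at build time, the bytes
 * expected there (NOPs, or the baseline instruction), and the alternative
 * installed when the CPU advertises all of the required features. */
struct patch_site {
    size_t   offset;          /* byte offset of the slot in the text image */
    uint8_t  len;             /* slot length; alt_len <= len, rest stays NOP */
    uint32_t need;            /* feature bits that must all be present */
    uint8_t  orig[SLOT_MAX];  /* expected contents before patching */
    uint8_t  alt_len;
    uint8_t  alt[SLOT_MAX];
};

/* Install every alternative whose features are present. Returns how many
 * sites this call patched, or -1 if a site is malformed or the text does
 * not hold what the table says: then table and image are out of sync and
 * writing instruction bytes there would corrupt unrelated code. */
int apply_alternatives(uint8_t *text, size_t text_len,
                       const struct patch_site *sites, size_t nsites,
                       uint32_t features)
{
    int applied = 0;
    for (size_t i = 0; i < nsites; i++) {
        const struct patch_site *s = &sites[i];
        uint8_t want[SLOT_MAX];

        if (s->len == 0 || s->len > SLOT_MAX || s->alt_len > s->len ||
            s->offset > text_len || s->len > text_len - s->offset)
            return -1;
        memset(want, NOP, sizeof want);            /* alternative, NOP-padded */
        memcpy(want, s->alt, s->alt_len);

        if (memcmp(text + s->offset, want, s->len) == 0)
            continue;                              /* already applied */
        if (memcmp(text + s->offset, s->orig, s->len) != 0)
            return -1;                             /* unexpected bytes */
        if ((features & s->need) != s->need)
            continue;                              /* keep the safe baseline */
        memcpy(text + s->offset, want, s->len);
        applied++;
    }
    return applied;
}

/* Constructed stand-in for a few bytes of kernel text (not FreeBSD code):
 *   0: 90 90 90   slot for STAC before the user-memory access
 *   3: 48 89 c8   mov %rcx,%rax   (stands in for the copy itself)
 *   6: 90 90 90   slot for CLAC afterwards
 *   9: 0f ae 27   xsave (%rdi)    (baseline on CPUs without XSAVEOPT)
 *  12: c3         ret                                                   */
size_t build_demo_image(uint8_t *buf, size_t cap)
{
    static const uint8_t img[] = { 0x90, 0x90, 0x90, 0x48, 0x89, 0xc8,
                                   0x90, 0x90, 0x90, 0x0f, 0xae, 0x27, 0xc3 };
    if (cap < sizeof img)
        return 0;
    memcpy(buf, img, sizeof img);
    return sizeof img;
}

/* The table a build step would emit for the image above. */
const struct patch_site demo_sites[] = {
    { 0, 3, FEAT_SMAP,     {0x90,0x90,0x90}, 3, {0x0f,0x01,0xcb} }, /* stac */
    { 6, 3, FEAT_SMAP,     {0x90,0x90,0x90}, 3, {0x0f,0x01,0xca} }, /* clac */
    { 9, 3, FEAT_XSAVEOPT, {0x0f,0xae,0x27}, 3, {0x0f,0xae,0x37} }, /* xsaveopt (%rdi) */
};
const size_t demo_nsites = sizeof demo_sites / sizeof demo_sites[0];

/* Real detection: CPUID.(7,0):EBX[20] = SMAP, CPUID.(0xD,1):EAX[0] = XSAVEOPT. */
uint32_t detect_features(void)
{
    uint32_t f = 0;
#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))
    unsigned a, b, c, d;
    if (__get_cpuid_max(0, NULL) >= 0xd) {
        __cpuid_count(7, 0, a, b, c, d);
        if (b & (1u << 20)) f |= FEAT_SMAP;
        __cpuid_count(0xd, 1, a, b, c, d);
        if (a & 1u) f |= FEAT_XSAVEOPT;
    }
#endif
    return f;
}

int main(void)
{
    uint8_t img[32];
    size_t n = build_demo_image(img, sizeof img);
    uint32_t f = detect_features();
    int r = apply_alternatives(img, n, demo_sites, demo_nsites, f);
    printf("features=0x%x patched=%d\n", f, r);
    for (size_t i = 0; i < n; i++) printf("%02x ", img[i]);
    putchar('\n');
    return r < 0;
}
```

The model leaves an unpatched slot as a harmless NOP run (SMAP) or as the baseline instruction (XSAVE), so a kernel booted on an older CPU never executes bytes it does not support, which is exactly the failure the proposal's second phase is meant to remove. In a real kernel the same table is walked once for the static image early in boot and again for each module at load time, before the text is mapped read-only and before any other CPU can execute the patched code; the orig/alt check is what lets a module built against one table revision be refused instead of silently corrupted.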