Linux's FineIBT Protections "Critically Flawed" Until Intel CPUs Appear With FRED
([Linux Security] 32 Minutes Ago, FineIBT Broken)
- Reference: 0001529220
- News link: https://www.phoronix.com/news/Linux-FineIBT-Critically-Flawed
- Source link:
[1]FineIBT is a Linux kernel initiative led by Intel engineers that aimed to [2]combine the best of Intel Control-flow Enforcement Technology (CET) and software Control Flow Integrity (CFI). FineIBT was [3]merged in 2022 for the Linux 6.2 kernel as an alternative control-flow integrity implementation. Some [4]FineIBT weaknesses were previously addressed, but the implementation has now been determined to be "critically flawed", at least until next-generation Intel processors appear with FRED.
This fine-grained take on CET's Indirect Branch Tracking (IBT) aimed to combine the fine-grained checks of the kernel's software control-flow integrity (kCFI) with the coarse-grained hardware CFI that IBT provides on modern x86_64 CPUs. Last week, however, security researchers [5]reported that they were able to circumvent FineIBT via the kernel's syscall entry points.
Arizona State University researchers [7]noted:
"As part of a recently accepted paper we demonstrated that syscall entrypoints can be misused on x86-64 systems to generically bypass FineIBT/KERNEL_IBT from forwards-edge control flow hijacking. We communicated this finding to [8][email protected] before submitting the paper and were encouraged to bring the issue to hardening after the paper was accepted to have a discussion on how to address the issue.
The bypass takes advantage of the architectural requirement of entrypoints to begin with the endbr64 instruction and the ability to control GS_BASE from userspace via wrgsbase, from the FSGSBASE extension, in order to perform a stack pivot to a ROP-chain."
Linux kernel developer Andrew Cooper of Citrix was among those [9]commenting in response:
"This is fun indeed. Linux cannot use supervisor shadow stacks because the mess around NMI re-entrancy (and IST more generally) requires ROP gadgets in order to function safely. Implementing this with shadow stacks active, while not impossible, is deemed to be prohibitively complicated.
Linux's supervisor shadow stack support is waiting for FRED support, which fixes both the NMI re-entrancy problem, and other exceptions nesting within NMIs, as well as prohibiting the use of the SWAPGS instruction as FRED tries to make sure that the correct GS is always in context.
But, FRED support is slated for PantherLake/DiamondRapids which haven't shipped yet, so are no use to the problem right now."
Linux kernel developers have ultimately come to the consensus from this research that FineIBT is "critically flawed" in its current form on existing processors. For now there is no way to make safe use of FineIBT on Linux systems until CPUs ship with Flexible Return and Event Delivery (FRED). [10]Intel FRED looks set to roll out with the upcoming Core Ultra "Panther Lake" and Xeon 7 "Diamond Rapids" processors.
In response, the Linux kernel is making FineIBT support depend on FRED being enabled for the kernel. [11]This patch makes that fundamental change and as of today is queued in tip/tip.git's "x86/cpu" branch, either for the upcoming Linux 6.15 merge window or, if it gets pulled into x86/fixes, still for Linux 6.14.
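As an added practitioner check (example code written for this page, not from the article, the kernel tree or the researchers), the following POSIX shell script classifies a host against the situation the article describes: whether the booted kernel actually selected FineIBT, and whether the CPU and kernel build have FRED. Its functions take text as arguments so they can be exercised against constructed samples; run with `--live` it reads the real /proc/cpuinfo, kernel config and dmesg. Assumptions not taken from the article: the "Using FineIBT CFI" / "Using kCFI" lines the x86 alternatives code logs when it picks a CFI mode, the `ibt`, `fsgsbase` and `fred` names in the /proc/cpuinfo flags line, and the CONFIG_FINEIBT / CONFIG_X86_FRED Kconfig symbols. The sample inputs are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example for this page (not from the article, the kernel tree or the
# researchers): classify a host against the FineIBT entry-point bypass.
#
# Assumed (not taken from the article):
#   - x86 alternatives code logs "Using FineIBT CFI" or "Using kCFI" at boot
#   - /proc/cpuinfo "flags" line carries "ibt", "fsgsbase" and "fred"
#   - Kconfig symbols CONFIG_FINEIBT and CONFIG_X86_FRED

# has_flag "<cpuinfo text>" <flag>: succeeds if <flag> is in the first flags line
has_flag() {
    printf '%s\n' "$1" | sed -n '/^flags/{p;q;}' | tr ' \t' '\n\n' | grep -qx "$2"
}

# config_is_set "<kernel config text>" <CONFIG_SYMBOL>: succeeds if SYMBOL=y
config_is_set() {
    printf '%s\n' "$1" | grep -qx "$2=y"
}

# cfi_mode_from_dmesg "<dmesg text>": prints fineibt, kcfi or none
cfi_mode_from_dmesg() {
    if   printf '%s\n' "$1" | grep -q 'FineIBT';    then echo fineibt
    elif printf '%s\n' "$1" | grep -q 'Using kCFI'; then echo kcfi
    else echo none
    fi
}

# fineibt_verdict "<cpuinfo>" "<config>" "<dmesg>": prints one word
#   exposed  FineIBT selected on a CPU without FRED: the configuration the
#            article calls critically flawed, and the one the queued patch
#            rules out by making FineIBT depend on FRED
#   fred     FineIBT selected and FRED present in both CPU flags and config
#   kcfi     software kCFI selected, FineIBT not in use
#   none     no CFI mode logged (no IBT, CFI off, or dmesg unreadable)
fineibt_verdict() {
    _mode=$(cfi_mode_from_dmesg "$3")
    case "$_mode" in
        fineibt)
            if has_flag "$1" fred && config_is_set "$2" CONFIG_X86_FRED; then
                echo fred
            else
                echo exposed
            fi ;;
        *) echo "$_mode" ;;
    esac
}

# Constructed samples (not captured from a real machine): an IBT-capable CPU
# exposing FSGSBASE to userspace, no FRED, and a kernel that chose FineIBT.
SAMPLE_CPUINFO='processor : 0
vendor_id : GenuineIntel
flags : fpu sse2 fsgsbase smep smap ibt'
SAMPLE_CONFIG='CONFIG_X86_KERNEL_IBT=y
CONFIG_CFI_CLANG=y
CONFIG_FINEIBT=y
# CONFIG_X86_FRED is not set'
SAMPLE_DMESG='[    0.004000] Using FineIBT CFI'

# audit_host: run against the live system (reading dmesg may need root)
audit_host() {
    _cpu=$(cat /proc/cpuinfo)
    _cfg=$(cat "/boot/config-$(uname -r)" 2>/dev/null || zcat /proc/config.gz 2>/dev/null || true)
    _dm=$(dmesg 2>/dev/null || true)
    printf 'ibt=%s fsgsbase=%s fred=%s verdict=%s\n' \
        "$(has_flag "$_cpu" ibt && echo yes || echo no)" \
        "$(has_flag "$_cpu" fsgsbase && echo yes || echo no)" \
        "$(has_flag "$_cpu" fred && echo yes || echo no)" \
        "$(fineibt_verdict "$_cpu" "$_cfg" "$_dm")"
}

if [ "${1:-}" = "--live" ]; then
    audit_host
else
    echo "sample verdict: $(fineibt_verdict "$SAMPLE_CPUINFO" "$SAMPLE_CONFIG" "$SAMPLE_DMESG")"
fi
```

An `exposed` verdict is exactly the combination the queued patch rules out: FineIBT selected on a CPU without FRED. Independently of that patch, the kernel's `cfi=` boot parameter (not mentioned in the article) selects the CFI mode at boot, and `cfi=kcfi` keeps the software kCFI scheme instead of FineIBT on current hardware; whether that is acceptable for a given deployment is a separate performance and threat-model decision.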
[1] https://www.phoronix.com/search/FineIBT
[2] https://www.phoronix.com/news/Intel-FineIBT-Security
[3] https://www.phoronix.com/news/FineIBT-TIP-x86-core
[4] https://www.phoronix.com/news/Linux-kCFI-FineIBT-Weaknesses
[5] https://lore.kernel.org/linux-hardening/Z60NwR4w%2F28Z7XUa@ubun/
[6] https://www.phoronix.com/image-viewer.php?id=2025&image=fineibt_broken_lrg
[7] https://lore.kernel.org/linux-hardening/Z60NwR4w%2F28Z7XUa@ubun/
[8] https://www.phoronix.com/cdn-cgi/l/email-protection
[9] https://lore.kernel.org/linux-hardening/c46f5614-a82e-42fc-91eb-05e483a7df9c@citrix.com/
[10] https://www.phoronix.com/search/Intel+FRED
[11] https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=f12315780faf1cbfe00991077a1e8c8e4c201f3b