1. Forum
  2. Usenet
  3. LINUX.DEBIAN.DEVEL

  • Intel CET Support?

    From Felix Potthast@21:1/5 to All on Mon Sep 5 23:00:01 2022
    Hello,

    i just stumbled upon the fact that debian doesn't yet make use of the
    Intel CET security feature, while many other distributions
    (Ubuntu, Fedora, Suse, Arch Linux) do.

    The idea is to insert endbr instructions,
    (which are just NOPs on older CPUs) at the beginning
    of functions to identify valid call targets to mitigate
    ROP attacks.

    You can do a quick test with

    objdump -d /usr/bin/mv | grep endbr | wc -l

    which outputs a nonzero number if the feature is used.

    See for example this Phoronix article: https://www.phoronix.com/news/Intel-CET-IBT-For-Linux-5.18

    What is the reason debian doesn't use this?
    It seems like a sensible thing to do for me, but
    maybe you had a discussion about it and came to another conclusion?

    Or was this just overlooked?

    Looking forward to your answers.

    Regards,
    Felix Potthast

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Jeremy Stanley@21:1/5 to Felix Potthast on Mon Sep 5 23:50:02 2022
    On 2022-09-05 22:44:52 +0200 (+0200), Felix Potthast wrote:
    i just stumbled upon the fact that debian doesn't yet make use of
    the Intel CET security feature, while many other distributions
    (Ubuntu, Fedora, Suse, Arch Linux) do.
    [...]

    Forgive me if this is a dumb question, but were you running on a
    Linux 5.18 kernel when you tested this? The default kernel on the
    current Debian release is too old to support it, but there is a 5.18
    kernel in the bullseye-backports suite. This is from my workstation
    running a relatively up to date Debian unstable booted on a 5.18.x
    kernel, as you can see:

    fungi@dhole:~$ uname -v
    #1 SMP PREEMPT_DYNAMIC Debian 5.18.14-1 (2022-07-23)
    fungi@dhole:~$ objdump -d /bin/mv | grep endbr | wc -l
    2
    fungi@dhole:~$ objdump -d /bin/mv | grep endbr
    4230: f3 0f 1e fa endbr64
    4270: f3 0f 1e fa endbr64

    --
    Jeremy Stanley

    -----BEGIN PGP SIGNATURE-----

    iQKTBAABCgB9FiEEl65Jb8At7J/DU7LnSPmWEUNJWCkFAmMWZsFfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDk3 QUU0OTZGQzAyREVDOUZDMzUzQjJFNzQ4Rjk5NjExNDM0OTU4MjkACgkQSPmWEUNJ WCk+ug//TBm5e9iwFLu0lTLhvtNtkkAtLBe+jva8d/of5HBMcRGzIT3/8UVKjOfy fDyB61S5TrRDFPKg/kwdMDZwU6sd5R5euIP3ufa1RXl1XwnsXTLxX0MyWsjpg2Om 8GfX4TJ4Tk1uwf27BxwSs9yp7cBrkwtnYuKqWwrHUtWpu59sLVyEdwyVVCDp2/EU LH5ihtkGwU9OITNDW+4gSbyZBgajWsiSL3uP/8r84nwFvXvuBbYVyKIi585GJlOR CpxP3kF4aGa4dlohjpvYPKgt2HApMLRNOC7l5rMmtkOmGxFa8oZRow3+aqYEVFxQ Cr0nXg85J1p4cYx/ATuF3KWO7CeARQn58+XMhkEaZg5Jh97Kltve122X1sfVHEYS f/T+tehvkgK6aJqX2Mvv0k2F+DCQDP/MjJCFYjM9tqThfq0GXBBWeTEs0ceOLMlD 9tUr/CbTzyUshv6kRWy8WCit4WrwE/Y4MG0eiB89A5wgvxpChpKVvAzYtaaLTQ10 pJjKEmHpfH1SarwUgIkPg64RQZEgLH1Y8n1RkI8XGnTWzs+4IoszUc2FNABegS7x hjJDLj8sMSEtD6FKCU3DmRvjytrVcGS/USRYvpIt6jwinHWMY894K4KAtyu7zEIx wD7ikwxdvFlEojqNHllFbWWbn0DK+Sa2wJP03sT7gZLhXsWWivU=
    =MGQT
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32
  • From Andrey Rahmatullin@21:1/5 to Felix Potthast on Tue Sep 6 12:00:01 2022
    On Mon, Sep 05, 2022 at 10:44:52PM +0200, Felix Potthast wrote:
    i just stumbled upon the fact that debian doesn't yet make use of the
    Intel CET security feature, while many other distributions
    (Ubuntu, Fedora, Suse, Arch Linux) do.

    The idea is to insert endbr instructions,
    (which are just NOPs on older CPUs) at the beginning
    of functions to identify valid call targets to mitigate
    ROP attacks.

    You can do a quick test with

    objdump -d /usr/bin/mv | grep endbr | wc -l

    which outputs a nonzero number if the feature is used.
    It's indeed nonzero on my testing and sid machines, with coreutils 8.32-4.1.
    In which version is it zero?

    --
    WBR, wRAR

    -----BEGIN PGP SIGNATURE-----

    iQJhBAABCgBLFiEEolIP6gqGcKZh3YxVM2L3AxpJkuEFAmMXGJ0tFIAAAAAAFQAP cGthLWFkZHJlc3NAZ251cGcub3Jnd3JhckBkZWJpYW4ub3JnAAoJEDNi9wMaSZLh IbsQAIkge+Txjl34LxRTalrNHOBLI1RjngOEYjqALwPpTY8N2Ssa15YQPwSkP379 np6qtYoO2aa9Uekg4uMNo/ZbHsf19QX/S2bV2TCK+z3j0cSr6c8x1QJCOtThw2Da FWnBlDxcztGDWdetb6QI5yjIA848vwKQiu7RWBpDgu9NDkRJWpff0E6ux6qgeNMu snxPGOdU/mpkWRLD3rN6lzhMzl1Oay7m10fQH5isagkvjA6HizGX4SSfVAPUq1yC fbJo21nZxMjfpS+5Puf+vePm82wzqQdL+NyeQgPsrDwg//sUNj+kxRb3dngsc5gI 3AJZO7W7t2rwjd/stBFtvACZ09G3acdZLoVLc8ZwAZY01+N7x88Jm6IdTNbrZ64n UNfPmtgWmJM0zX5H6Lrrh2daNLsMHa+ZTdM7fu6E9JVVyS7jI4GIY8OnqVLxt0nq 0O/YxHTBzLxjyWDK1YsHSk6A2WYReZj11Z2F5u8r2UkZnxvReGhEYlAUs+tamFTo oSXXUPjw7a5uIeVs4TXUIcnY2/exwb1idrBLTdCx6BU0iLrqxw3RXSbY43GAinbz SLG4CYkIZrvCLAtz4S7SLenDdbZvQFMSNMNe/+rU63hrdY7cbt59Gun18XQLXP5Z eUkLWw6T/GXQvvexiM3dmstgDge+pCMMpZLvGgvubwQpre4k
    =zC46
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Felix Potthast@21:1/5 to Jeremy Stanley on Tue Sep 6 14:00:01 2022
    Ok, it turns out the quick test i spontaneously came up with is flawed,
    sorry about that.

    However, if you look at the disassembly, you can see that the
    endbr instruction is not at the beginning of a function,
    but rather directly after a nop instruction, so it seems to
    me this is just used as another nop variant for alignment purposes.

    Another file one can test that actually gives zero is

    /lib64/ld-linux-x86-64.so.2

    so the right command to test is

    objdump -d /lib64/ld-linux-x86-64.so.2 | grep endbr | wc -l

    On Mon, 2022-09-05 at 21:14 +0000, Jeremy Stanley wrote:
    On 2022-09-05 22:44:52 +0200 (+0200), Felix Potthast wrote:
    i just stumbled upon the fact that debian doesn't yet make use of
    the Intel CET security feature, while many other distributions
    (Ubuntu, Fedora, Suse, Arch Linux) do.
    [...]

    Forgive me if this is a dumb question, but were you running on a
    Linux 5.18 kernel when you tested this? The default kernel on the
    current Debian release is too old to support it, but there is a 5.18
    kernel in the bullseye-backports suite. This is from my workstation
    running a relatively up to date Debian unstable booted on a 5.18.x
    kernel, as you can see:

      fungi@dhole:~$ uname -v
      #1 SMP PREEMPT_DYNAMIC Debian 5.18.14-1 (2022-07-23)
      fungi@dhole:~$ objdump -d /bin/mv | grep endbr | wc -l
      2
      fungi@dhole:~$ objdump -d /bin/mv | grep endbr
          4230:       f3 0f 1e fa             endbr64       4270:       f3 0f 1e fa             endbr64


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Adrien CLERC@21:1/5 to All on Tue Sep 6 14:10:01 2022
    This is a multi-part message in MIME format.
    Le 05/09/2022 à 22:44, Felix Potthast a écrit :
    objdump -d /usr/bin/mv | grep endbr | wc -l

    I got 2 on my current Bookworm/testing with 5.18.0-4-amd64

    <html style="scroll-behavior: auto !important;">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <style></style>
    </head>
    <body style="scroll-behavior: auto !important;">
    <div class="moz-cite-prefix">Le 05/09/2022 à 22:44, Felix Potthast a
    écrit :<br>
    </div>
    <blockquote type="cite" cite="mid:6b0a21364a8bd1ae1311836bb5ff5863f2982482.camel@student.uni-siegen.de">
    <pre class="moz-quote-pre" wrap="">objdump -d /usr/bin/mv | grep endbr | wc -l</pre>
    </blockquote>
    <p>I got 2 on my current Bookworm/testing with 5.18.0-4-amd64<br>
    </p>
    <div id="grammalecte_menu_main_button_shadow_host" style="width:
    0px; height: 0px;"></div>
    </body>
    </html>

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Paul Wise@21:1/5 to Felix Potthast on Wed Sep 7 01:50:01 2022
    On Mon, 2022-09-05 at 22:44 +0200, Felix Potthast wrote:

    i just stumbled upon the fact that debian doesn't yet make use of the
    Intel CET security feature, while many other distributions
    (Ubuntu, Fedora, Suse, Arch Linux) do.

    Allegedly Intel CET provides weak protection, although perhaps it
    improved since the 2016 analysis by grsecurity folks:

    https://grsecurity.net/effectiveness_of_intel_cet_against_code_reuse_attacks

    --
    bye,
    pabs

    https://wiki.debian.org/PaulWise

    -----BEGIN PGP SIGNATURE-----

    iQIzBAABCgAdFiEEYQsotVz8/kXqG1Y7MRa6Xp/6aaMFAmMX2r8ACgkQMRa6Xp/6 aaMzKhAAg0JVx33wjKDhXBckP4akGi0PpWIUSah8Z93rSw/N80xuXJsj396nFlQ7 gDZ087rZ3CWm/P4+opXbd66NdcVwn/DDVrImSI+9aMrC+ulpXgEUxZOg5iexDJRS 3Kjbx2WOlUaN4dbn5k9/xhXykwBS6f009Wp0GpZXct7RSyQpRnLBiX8WKXS2QKv9 d7LaxdKxS6YjFgh3OCZksqtCZMj9GiIqGJXYqij5lQF21fMp66krcPXKmhSsylu/ Mwo/ZsQOMNRTA74Dfr6jnvBE7fF+3oyXA0Yk84sQuzf6wEK8xt3RmXqqgHJ+XTZ7 GhIvtH0vIUqXTC0LU7OVt43nuSL/Z1oaXW0GHgUEYgArTS3ljshfCsL8FMjOBven cU45ph9b+2RgLSMkAbA2UMgCwU/sCK1i82e7W4wb8cYttI2E9eLEkz9kl78Ig9Rp AOB2P/Ig2/bv2R+CV8s2GjSaLI0GncqUBV7IWSALBaSloNsCCwSpxF4PiJFzc087 PWV8op71vkEI2uLzXbaZUmFJFvURcpjqulM63Z3lhMKpsCC6+FTMSuc5ljsoyJj8 b3RcPI0e5nGuKMDdE9iGVh/GLaN6GvYZcyXWNzH2v9A+RawNmLux04ToNDJbg6eM Asi+S8iT3w712fT2VQiD55Jb8s/e43tV23M3BVqpnv67C2mJwEI=
    =QLTk
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From nick black@21:1/5 to All on Wed Sep 7 02:40:01 2022
    Paul Wise left as an exercise for the reader:
    On Mon, 2022-09-05 at 22:44 +0200, Felix Potthast wrote:

    i just stumbled upon the fact that debian doesn't yet make use of the
    Intel CET security feature, while many other distributions
    (Ubuntu, Fedora, Suse, Arch Linux) do.

    Allegedly Intel CET provides weak protection, although perhaps it
    improved since the 2016 analysis by grsecurity folks: https://grsecurity.net/effectiveness_of_intel_cet_against_code_reuse_attacks

    ehh, CET seems like the kind of "make easy things hard" defense-in-depth
    that's the cornerstone of protecting against the highest level
    of attackers. ASLR and a dozen other things are in the same
    boat; they make attacks more difficult to generalize and make
    reliable.

    also, the grsecurity folk in my experience tend to speak very
    harshly regarding any other efforts in their space (and they
    prefix this article with disclosure that CET can be considered
    competing technology). see their comments on other software CFI
    implementations [0] and kspp [1]. they explicitly sum up that
    "CET is not advancing the state of the art", which indeed it
    might not be, but that doesn't mean it's a useless piece of
    engineering. it has a value that needs be weighed against its
    cost like most technologies.

    [0] https://grsecurity.net/rap_faq
    [1] https://lwn.net/Articles/698891/


    --
    nick black -=- https://www.nick-black.com
    to make an apple pie from scratch,
    you need first invent a universe.

    -----BEGIN PGP SIGNATURE-----

    iQIzBAABCgAdFiEEmi//dHmU4oe+xCLxX0NADCHL+swFAmMX5fAACgkQX0NADCHL +swwXxAAm5Vei+MQ9xy3GYqg7OBXvIJRXN1k+cJlFH4y1WJAXXf3Uh9qQKq7VHYq 1lvNh3YPoa+gGerlE3ZjMPhcfnTKEdaP6xlgAmMNNzS+70lvlhX1U1w2TxE9w/dx 8FApDdPR9nZfIGcpJZf0/qqHarvw3wimRbZkkr9wOqPkmyJkO11dCQ0cdn41CcB5 bsMKfYOucHvy9enngnzp66zyn8IC8xHZkl8s6g4/AWr21YftFqLsujyT1CAhTmGH 2Ti/gS5dlSc4Aq2Cqph8is7MQaD0q5SHqiaRQ14zg9rswy8tCxITJk7jK9anabpg brk2RK7hYdpV7Jk7jlmJPmTFNq7To+dSo0DbTc1atAUOJM3NJShjYFVYQxCNkRVR GIB15pvtLnEkW2f3D/wXhz+4ICWt2No8YFj+jSr497c+IZnCSzNwebTlY4NNSHFn X8C9cG5BRyBRmZUFon1uACUnePulbozpKHtUZHJ8B90NN1j+48ZuBChq7xp97oy3 cpZY5hAJz4uZy1NNpYUyMalq+X4tN0G0+MC6Ndb0C76U9/Sk2NUgZOAsxbFaHPRY kdBUPQ1cSOHa89eHjb7djcZ3m7qGYlhOqSsmcsY0QpX6ASCVJ1EQfQUJQzD0IFdw y6I8yF9crYmC1pfz7HL13GvBnZOFirdtdwuJOmbbWX8Mr37+VPs=
    =B4Qv
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet G
  • From Florian Weimer@21:1/5 to All on Sun Sep 11 05:50:01 2022
    * Felix Potthast:

    i just stumbled upon the fact that debian doesn't yet make use of the
    Intel CET security feature, while many other distributions
    (Ubuntu, Fedora, Suse, Arch Linux) do.

    There's no kernel support for userspace CET, and it's been missing for
    many years now. The userspace ABi will change, but the hope is that a
    glibc update is sufficient to enable it for those distributions that
    are already built to spec. Reportedly, Fedora mostly works with
    custom kernels (not the Fedora kernel though; it follows mainline).
    There's some hope that userspace CET lands in an upcoming 6.y kernel
    upstream, with a low value for y, but we've been disappointed
    countless times.

    The most interesting part is probably the shadow stack and the
    efficient backtrace generation it enables (the full call stack, not
    just the last 32 or so frames, as with LBR; and even faster than
    frame-pointer traversal). This particular part of CET is already
    available in AMD's Zen 3 CPUs, not just Intel's Tigerlake and later
    CPUs.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)