x32 without ia32 syscalls


Mike Frysinger

Jan 24, 2012, 10:12:32 PM1/24/12
to x32...@googlegroups.com
the current x32 kernel config depends on the ia32 emulation layer:
config X86_X32_ABI
bool "x32 ABI for 64-bit mode"
depends on X86_64 && IA32_EMULATION

i'm guessing this wasn't just an accident. how hard would it be to
re-architect things slightly to split the user-space visible ia32
syscalls from the ia32 emulation bits that x32 needs? and perhaps
even taking it further, removing even the native x86_64 syscall layer.

we'd like to be able to restrict the attack surface so that if we only
have an x32 userland, we'd kill off ia32 and x86_64 syscalls. examples
of how this layer has bitten people in the past:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0029
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0834
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0835
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3081
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3301

i vaguely recall others, but even this small list shows that the
attack surface is not insignificant nor trivial to verify.
-mike

H. Peter Anvin

Jan 24, 2012, 11:12:35 PM1/24/12
to x32...@googlegroups.com, Mike Frysinger
On 01/24/2012 07:12 PM, Mike Frysinger wrote:
> the current x32 kernel config depends on the ia32 emulation layer:
> config X86_X32_ABI
> bool "x32 ABI for 64-bit mode"
> depends on X86_64 && IA32_EMULATION
>
> i'm guessing this wasn't just an accident. how hard would it be to
> re-architect things slightly to split the user-space visible ia32
> syscalls from the ia32 emulation bits that x32 needs? and perhaps
> even taking it further, removing even the native x86_64 syscall layer.
>
> we'd like to be able to restrict the attack surface so that if we only
> have an x32 userland, we'd kill off ia32 and x86_64 syscalls. examples
> of how this layer has bitten people in the past:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0029
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0834
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0835
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3081
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3301
>
> i vaguely recall others, but even this small list shows that the
> attack surface is not insignificant nor trivial to verify.
> -mike

This isn't very hard at all to factor out ia32, but a lot of the code is
the same, so it doesn't make the attack surface as much smaller as you
think. I don't think we want to do that until x32 is upstream, though.

Factoring out x86-64 would be substantially harder, but not impossible
by any means. The same caveat applies there, though.

-hpa
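As an added example (not code from this thread or from the kernel tree): the restriction Mike asks for, rejecting ia32 and native x86_64 syscalls for a pure x32 userland, can be enforced per process with a seccomp-bpf filter on kernels that support it, which is a different mechanism from the kconfig split the thread discusses. It assumes an x86-64 Linux host and the kernel's convention that bit 30 (__X32_SYSCALL_BIT) marks x32 syscall numbers arriving through the 64-bit entry path; the function names are mine.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <sys/prctl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Kernel convention on x86-64: x32 syscall numbers carry bit 30.
 * Defined here in case the build host's headers lack it. */
#ifndef __X32_SYSCALL_BIT
#define __X32_SYSCALL_BIT 0x40000000
#endif

enum decision { DENY = 0, ALLOW = 1 };

/* Plain-C mirror of the BPF program below. ia32 calls (int 0x80) show up
 * with arch AUDIT_ARCH_I386; x32 and x86-64 calls both arrive as
 * AUDIT_ARCH_X86_64 and are told apart only by bit 30 of nr. */
enum decision x32_only_policy(uint32_t arch, uint32_t nr)
{
    if (arch != AUDIT_ARCH_X86_64)      /* ia32 emulation gate */
        return DENY;
    if (!(nr & __X32_SYSCALL_BIT))      /* native x86-64 number */
        return DENY;
    return ALLOW;
}

/* Note the JSET test: a filter that compares nr against x86-64 numbers
 * without looking at bit 30 would be sidestepped by the x32 gate. */
static struct sock_filter x32_only_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, __X32_SYSCALL_BIT, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
};

size_t x32_only_filter_len(void)
{
    return sizeof(x32_only_filter) / sizeof(x32_only_filter[0]);
}

/* Installs the filter for the calling process; returns 0 or -errno. */
int install_x32_only_filter(void)
{
    struct sock_fprog prog = {
        .len = (unsigned short)x32_only_filter_len(),
        .filter = x32_only_filter,
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
        return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
        return -errno;
    return 0;
}
```

This narrows what a compromised x32 process can reach, but, as hpa notes above, the x32 and x86-64 paths share most of their kernel code, so it does not shrink the kernel's own code surface the way a kconfig split would.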
