Various patches are advancing through the kernel to designate regions of memory as hidden or secret. The implementation mechanism for almost all of them is to remove the pages from the kernel's direct map. This means the memory cannot be referenced from within the kernel without first finding a way to map it, and any access to an address in secret memory by the kernel or from another user space process results in a page fault. The enhanced security of secret memory comes from the fact that most attempts to exfiltrate secrets rely on either ROP gadgets or privilege escalation. Since root cannot gain access to the secret from userspace because of the missing direct map entry, the only viable exfiltration mechanism is ROP. Since there are no easy gadgets available to map a kernel address, this requires constructing a complex ROP chain, making exfiltration significantly harder (although not impossible). What we'd like to discuss in this session is how we could improve the security posture of secret memory and what its use cases might be (we've already put together a preloader that allocates OpenSSL private keys in secret memory).
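To make the mechanism concrete, here is a small added example (not the preloader mentioned above, and not code from the kernel patches) of a userspace secret-buffer allocator built on the memfd_secret(2) system call that these patches introduced. It assumes a Linux host; where the syscall is unavailable or refused (older kernel, CONFIG_SECRETMEM off, secretmem.enable=0, a seccomp filter, or an exhausted RLIMIT_MEMLOCK), it falls back to ordinary locked, non-dumpable anonymous memory and reports that through the `is_secret` flag. The fallback policy, the `secret_buf` type and the sample key bytes are assumptions of this example, not something the session text prescribes.

```c
/* secret_buf.c: allocate a buffer backed by memfd_secret(2) where the kernel
 * supports it, falling back to locked, non-dumpable anonymous memory elsewhere.
 * Added example for this session description; not the authors' preloader.
 * Assumes Linux. The fallback policy is this example's own choice. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_memfd_secret
#define __NR_memfd_secret 447   /* x86-64 and asm-generic syscall number */
#endif

struct secret_buf {
    unsigned char *ptr;
    size_t len;         /* mapping length, rounded up to whole pages */
    int fd;             /* memfd_secret descriptor, or -1 on the fallback path */
    int is_secret;      /* 1 when the pages are removed from the direct map */
};

/* Allocate at least 'len' bytes. Returns 0 on success, -1 with errno set. */
static int secret_buf_alloc(struct secret_buf *b, size_t len)
{
    long page = sysconf(_SC_PAGESIZE);
    if (len == 0 || page <= 0) { errno = EINVAL; return -1; }
    size_t rounded = (len + (size_t)page - 1) & ~((size_t)page - 1);

    b->ptr = NULL;
    b->fd = (int)syscall(__NR_memfd_secret, (unsigned int)FD_CLOEXEC);
    if (b->fd >= 0) {
        /* Kernel path: size the file, then map it MAP_SHARED (secretmem
         * rejects private mappings). The backing pages leave the direct
         * map when they are faulted in, so the kernel cannot read them. */
        if (ftruncate(b->fd, (off_t)rounded) != 0 ||
            (b->ptr = mmap(NULL, rounded, PROT_READ | PROT_WRITE,
                           MAP_SHARED, b->fd, 0)) == MAP_FAILED) {
            /* e.g. EAGAIN when RLIMIT_MEMLOCK is exhausted: drop to fallback */
            close(b->fd); b->fd = -1; b->ptr = NULL;
        }
    }
    if (b->fd >= 0) {
        b->is_secret = 1;
    } else {
        /* ENOSYS: no memfd_secret (pre-5.14 kernel, CONFIG_SECRETMEM off, or
         * secretmem.enable=0); EPERM under a seccomp filter. Use anonymous
         * memory that is at least locked and excluded from core dumps. This
         * does NOT remove the pages from the direct map. */
        b->ptr = mmap(NULL, rounded, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (b->ptr == MAP_FAILED) { b->ptr = NULL; return -1; }
        (void)mlock(b->ptr, rounded);                 /* best effort */
        (void)madvise(b->ptr, rounded, MADV_DONTDUMP);
        b->is_secret = 0;
    }
    b->len = rounded;
    return 0;
}

/* Wipe and release. The volatile store loop keeps the compiler from
 * dropping the zeroing as a dead store ahead of munmap(). */
static void secret_buf_free(struct secret_buf *b)
{
    if (b->ptr == NULL) return;
    volatile unsigned char *p = b->ptr;
    for (size_t i = 0; i < b->len; i++) p[i] = 0;
    munmap(b->ptr, b->len);
    if (b->fd >= 0) close(b->fd);
    b->ptr = NULL; b->len = 0; b->fd = -1;
}

/* Store a constructed 32-byte "key" in secret memory and read it back.
 * Returns 1 if the kernel path was used, 0 for the fallback, -1 on error. */
static int store_and_check_key(void)
{
    static const unsigned char key[32] = {   /* constructed sample, not a real key */
        0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88, 0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff,0x00,
        0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08, 0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10 };
    struct secret_buf b;
    if (secret_buf_alloc(&b, sizeof key) != 0) return -1;
    memcpy(b.ptr, key, sizeof key);      /* userspace access works as usual */
    int rc = memcmp(b.ptr, key, sizeof key) == 0 ? b.is_secret : -1;
    secret_buf_free(&b);
    return rc;
}

int main(void)
{
    int rc = store_and_check_key();
    if (rc < 0) { perror("secret buffer"); return 1; }
    printf("key stored in %s\n",
           rc ? "memfd_secret memory (off the direct map)" : "fallback locked memory");
    return 0;
}
```

The program reads and writes the buffer exactly as it would ordinary memory; the difference is only visible to the kernel, which has no direct-map alias for the secretmem pages. A real preloader would probably want to refuse to start rather than silently downgrade when `is_secret` comes back 0, since the fallback gives none of the direct-map protection the session describes.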
We'll be using the Plumbers BBB infrastructure. You can try it out here: bbb5.lpc.events
- We've disabled the authentication, so just type your name to join
- We'll be using the plumbers protocols, so unmute video to interact
- It will all be streamed over the AccelEvents platform, so if you only want to ask questions over chat, you don't need to use BBB