Mike Rapoport, a UNICORE member and IBM representative, together with James Bottomley, also from IBM, gave a presentation focused on “Analysing and Improving the Security Properties of Secret Memory”. The talk took place at the Linux Security Summit (LSS) on October 1.
In the words of the speakers, “various patches are advancing through the kernel to designate regions of memory as hidden or secret. The current implementation mechanism for almost all of them is to remove them from the direct map of the kernel, meaning that it becomes impossible to refer to the memory from within the kernel without finding a way to map it, and if an address in secret memory is ever accessed by the kernel or from another user space process, a page fault will result. The enhanced security for secret memory comes from the fact that most of the attempts to exfiltrate secrets mostly rely either on ROP gadgets or privilege escalation. Since root cannot gain access to the secret from userspace because of the lack of direct map entry, the only viable exfiltration mechanism is via ROP. Since there are no easy gadgets available to map a kernel address, it involves constructing a complex ROP chain, making the exfiltration significantly harder (although not impossible)”. In this session, the speakers discussed how the security posture of secret memory could be improved and what its use cases might be.