commoncriteria / operatingsystem

Protection Profile for Operating Systems
The Unlicense

SMEP #53

Closed bourdett closed 9 years ago

bourdett commented 9 years ago

Should we require Supervisor Mode Execution Protection (SMEP), or something like it? The OS kernel shall only read data from the address space of the kernel. App note: the kernel shall not read data from user mode.

Looks like Linux has support http://vulnfactory.org/blog/2011/06/05/smep-what-is-it-and-how-to-beat-it-on-linux/

Windows also supports SMEP.

Not sure about other OSes.

jeffblank commented 9 years ago

Interesting idea. Maybe add it as a GitHub issue? The question is whether we'd provide value by 'requiring' it if everybody does it, and whether our testing would provide some value too.

On Mon, Jun 1, 2015 at 8:26 PM, bourdett notifications@github.com wrote:

Should we require Supervisor Mode Execution Protection (SMEP), or something like it? The OS kernel shall only read data from the address space of the kernel. App note: the kernel shall not read data from user mode.

Looks like Linux has support

http://vulnfactory.org/blog/2011/06/05/smep-what-is-it-and-how-to-beat-it-on-linux/

Windows also supports SMEP.

Not sure about other OSes.



Jeffrey Blank 410-854-8675 Operating Systems and Applications Division Systems and Technologies Analysis Group NSA Information Assurance

ajcousi commented 9 years ago

While SMEP and SMAP are nice-to-haves - firstly, they're hardware-backed (and we can't push requirements down to hardware), and secondly, they're still not deployed that widely in OSs (I doubt some of the OS vendors that are in the TC will be able to confirm that their OS does them, and then we'll have a barrage of complaints). If I were to use a modern OS, I wouldn't say it was negligent if it didn't support SMEP and SMAP, whereas I'd be very surprised if it didn't do ASLR or user memory separation, for example.

kgal commented 9 years ago

Available in Solaris, Linux, Mac OS X, and Windows... This is tempting. We could add wording that says if the underlying platform doesn't support it, just as we did for App on OS.

jher commented 9 years ago

We should hold the same position as we do for any hardware feature such as DEP or ASLR. If the underlying hardware supports it, it should be utilized by the OS. Also, if all four of those OS vendors support it already, it doesn't seem unreasonable to have it as a requirement.
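The position above has two testable halves on a Linux platform: does the CPU advertise SMEP/SMAP, and has the OS been configured not to use them. The script below is an added example of such an evaluator check; it is not code from the commoncriteria/operatingsystem project or from any commenter. It assumes the `smep`/`smap` entries in the `flags` line of `/proc/cpuinfo` and the `nosmep`/`nosmap` kernel boot parameters visible in `/proc/cmdline`; the optional file arguments exist so it can be run against constructed input offline.

```shell
#!/bin/sh
# Added example, not part of the commoncriteria/operatingsystem repository.
# Checks the two conditions discussed in the thread on a Linux host:
#   1. does the CPU advertise the feature ("smep"/"smap" in /proc/cpuinfo flags)?
#   2. has the OS been told not to use it ("nosmep"/"nosmap" in /proc/cmdline)?
# Each function takes an optional file argument so it can be exercised on
# constructed input; with no argument it reads the live /proc file.

# cpu_has_flag FLAG [CPUINFO]: returns 0 if FLAG appears in the first "flags" line
cpu_has_flag() {
    flag=$1
    src=${2:-/proc/cpuinfo}
    grep -E '^flags[[:space:]]*:' "$src" | head -n 1 | tr ' \t' '\n\n' | grep -qx "$flag"
}

# kernel_disables FEATURE [CMDLINE]: returns 0 if "noFEATURE" is on the kernel command line
kernel_disables() {
    feature=$1
    src=${2:-/proc/cmdline}
    tr ' ' '\n' < "$src" | grep -qx "no$feature"
}

# feature_status FEATURE [CPUINFO] [CMDLINE]: prints a one-line verdict and returns
#   0  hardware-supported and enabled
#   1  hardware-supported but disabled by a kernel parameter
#   2  not advertised by the CPU at all
feature_status() {
    feature=$1
    if ! cpu_has_flag "$feature" "$2"; then
        echo "$feature: not advertised by CPU"
        return 2
    fi
    if kernel_disables "$feature" "$3"; then
        echo "$feature: hardware-supported, disabled by kernel parameter"
        return 1
    fi
    echo "$feature: hardware-supported, enabled"
    return 0
}

# Live report for the current host when both /proc files are readable.
if [ -r /proc/cpuinfo ] && [ -r /proc/cmdline ]; then
    for f in smep smap; do
        feature_status "$f" || :
    done
fi
```

Run it as-is for a report on the local machine, or pass saved copies of `/proc/cpuinfo` and `/proc/cmdline` from an evaluated system to check a configuration after the fact. A return code of 1 is the case the thread is really about: hardware that offers the protection while the OS has been configured to ignore it.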

ajcousi commented 9 years ago

Fair enough - while the OSs support it, we weren't able to mandate some parts of secure boot as that's down to the type of underlying hardware (does the UEFI support it, etc.) - if we take the same approach as ASLR and DEP, then I think it's ok though.

jeffblank commented 9 years ago

Not this version.