search

zephyrproject-rtos / zephyr

Primary Git Repository for the Zephyr Project. Zephyr is a new generation, scalable, optimized, secure RTOS for multiple hardware architectures.
https://docs.zephyrproject.org
Apache License 2.0
10.53k stars 6.46k forks source link

least-privilege validation framework for kernel object permissions #23214

Open andrewboie opened 4 years ago

andrewboie commented 4 years ago

Is your enhancement proposal related to a problem? Please describe. Programmers are sometimes lazy and may grant threads access to more kernel objects or device drivers than they actually need. In particular, it's easy to just pass K_INHERIT_PERMS when creating child threads without carefully thinking about what the child thread needs. It would be great if we could audit what permissions threads have been given vs. what they actually need to do their job.

Describe the solution you'd like This sort of accounting will involve extra bookkeeping and overhead, so this should be a non-default debugging configuration option.

All thread access to kernel objects is checked in z_object_validate(). Every kernel object metadata struct (struct _k_object) has the perms bitfield indicating what threads have access to it. Add a parallel bitfield perms_checked. In this bitfield, if thread with id N validates access, enable the Nth bit in perms_checked.

Then introduce a function k_thread_perms_audit() which, when invoked, will iterate over all known kernel objects with z_object_wordlist_foreach() and compare the perms and perms_checked bitfields. If bit N in active in perms but not perms_checked, that means that at least so far, such permission is not necessary for thread N, and dump appropriate human-comprehensible information about this to the console if thread N is a user thread. Applications will invoke this at a time they deem appropriate.

Additionally add a hook on thread exit to do the same, but just for the exiting thread and not all threads.

Describe alternatives you've considered None, this seems pretty straightforward for any runtime solution.

I don't believe that it's possible to conduct this sort of analysis at build time without some Coverity-level static analysis infrastructure available; doesn't seem practical at this time.

pqcfox commented 1 year ago

Would love to hop on this if still available!

ceolin commented 1 year ago

@foxmoder that is still in the backlog. Fell free to jump on it.