Microsoft Engineer Proposes "TRAMPFD" For Improving Linux Security

Written by Michael Larabel in Microsoft on 28 July 2020 at 02:00 PM EDT.
A Microsoft engineer is proposing the Trampoline File Descriptor "TRAMPFD" as a new kernel API for securely dealing with trampoline code on systems. There are concerns already over the potential performance implications but there does seem to be some interest in this approach.

TRAMPFD aims to better secure trampoline code used by the likes of GCC nested functions and the Foreign Function Interface library (libffi), where the pages holding the trampoline instructions tend to be mapped with execute permissions. While Linux security modules such as SELinux try to block pages that carry both write and execute permissions, Microsoft's Madhavan Venkataraman is aiming to provide a way to execute trampolines safely without granting any such security exceptions, and so to further reduce the potential attack surface.

TRAMPFD aims to provide a kernel API backed by anonymous file descriptors that can be used for creating and executing trampolines.
The kernel creates the trampoline mapping without any permissions. When the trampoline is executed by user code, a page fault happens and the kernel gets control. The kernel recognizes that this is a trampoline invocation. It sets up the user registers based on the specified register context, and/or pushes values on the user stack based on the specified stack context, and sets the user PC to the requested target PC. When the kernel returns, execution continues at the target PC. So, the kernel does the work of the trampoline on behalf of the application.

In this case, the attack surface is the context buffer. A hacker may attack an application with a vulnerability and may be able to modify the context buffer. So, when the register or stack context is set for a trampoline, the values may have been tampered with. From an attack surface perspective, this is similar to Trampoline Emulation. But with trampfd, user code can retrieve a trampoline's context from the kernel and add defensive checks to see if the context has been tampered with.
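The fault-driven flow described above, as an added user-space model that is not code from the patch series or from this article: a PROT_NONE page stands in for the trampoline mapping, and on x86-64 Linux a SIGSEGV handler plays the kernel's part, loading the register context and the target PC before resuming. The `tramp_*` functions, the context layout and the global "kernel" context buffer are assumptions for illustration, not the proposed API.

```c
#define _GNU_SOURCE             /* REG_RIP and friends from <sys/ucontext.h> */
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>
#if !defined(__x86_64__) || !defined(__linux__)
#error "this model edits the x86-64 Linux signal register context"
#endif

typedef uint64_t (*target_fn)(uint64_t a, uint64_t b);
/* Register context the "kernel" applies when the trampoline is invoked
 * (hypothetical layout: the cover letter does not define the API). */
struct tramp_ctx { target_fn target_pc; uint64_t rdi, rsi; };

void *tramp_page;               /* trampoline mapping, created with PROT_NONE */
struct tramp_ctx kctx;          /* context buffer the "kernel" consults        */
struct tramp_ctx user_copy;     /* copy user code keeps for its own checks     */

/* Stand-in for the kernel page-fault path: recognise the trampoline page,
 * load the context into the user registers and point the PC at the target. */
static void tramp_fault(int sig, siginfo_t *si, void *ucv) {
    ucontext_t *uc = ucv;
    if (si->si_addr != tramp_page) {      /* not our page: let it crash */
        signal(sig, SIG_DFL);
        return;
    }
    uc->uc_mcontext.gregs[REG_RDI] = (greg_t)kctx.rdi;
    uc->uc_mcontext.gregs[REG_RSI] = (greg_t)kctx.rsi;
    uc->uc_mcontext.gregs[REG_RIP] = (greg_t)(uintptr_t)kctx.target_pc;
}

uint64_t add_target(uint64_t a, uint64_t b) { return a + b; }

/* Create the trampoline: a no-permission page plus its register context. */
int tramp_create(target_fn pc, uint64_t rdi, uint64_t rsi) {
    struct sigaction sa = { .sa_sigaction = tramp_fault, .sa_flags = SA_SIGINFO };
    tramp_page = mmap(NULL, 4096, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (tramp_page == MAP_FAILED || sigaction(SIGSEGV, &sa, NULL) != 0) return -1;
    kctx = (struct tramp_ctx){ pc, rdi, rsi };
    user_copy = kctx;
    return 0;
}

/* The defensive check the cover letter suggests: re-read the context held by
 * the "kernel" and compare it with the copy recorded at creation time. */
int tramp_context_ok(void) { return memcmp(&kctx, &user_copy, sizeof kctx) == 0; }

/* Call the trampoline page: the fault handler redirects to the target with the
 * context registers loaded, and the target's ret returns here. */
uint64_t tramp_call(void) { return ((target_fn)tramp_page)(0, 0); }
```

Overwriting `kctx` directly models an attacker who can corrupt the context buffer; the comparison against `user_copy` is what lets user code notice before the next invocation.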

The Trampoline File Descriptor aims to be customizable, provide a framework for future trampoline types, and provide other kernel functionality.

More details on this proposed TRAMPFD kernel work and the ensuing kernel discussion so far via this kernel mailing list thread.