Microsoft Engineer Proposes "TRAMPFD" For Improving Linux Security
TRAMPFD aims to better secure trampoline code used by the likes of GCC nested functions and the Foreign Function Interface library (libffi), where the pages holding the generated instructions tend to be mapped with execute permissions. While there are Linux security modules and SELinux policies that try to protect against pages that have both write and execute permissions, Microsoft's Madhavan T. Venkataraman is aiming to provide a way to safely execute trampolines without making any security exceptions and to further reduce the potential attack surface.
TRAMPFD aims to provide a kernel API backed by anonymous file descriptors that can be used for creating and executing trampolines.
The kernel creates the trampoline mapping without any permissions. When the trampoline is executed by user code, a page fault happens and the kernel gets control. The kernel recognizes that this is a trampoline invocation. It sets up the user registers based on the specified register context, and/or pushes values on the user stack based on the specified stack context, and sets the user PC to the requested target PC. When the kernel returns, execution continues at the target PC. So, the kernel does the work of the trampoline on behalf of the application.
In this case, the attack surface is the context buffer. A hacker may attack an application with a vulnerability and may be able to modify the context buffer. So, when the register or stack context is set for a trampoline, the values may have been tampered with. From an attack surface perspective, this is similar to Trampoline Emulation. But with trampfd, user code can retrieve a trampoline's context from the kernel and add defensive checks to see if the context has been tampered with.
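The mechanism and the defensive check described above, as an added user-space model that is not the real trampfd API or any code from the patch series: the "kernel" table, the `tramp_*` functions and the closure targets are all hypothetical names used to illustrate how a retrieved context can be validated before the kernel performs the transfer.

```c
#include <stdint.h>
/* Hypothetical user-space model of the trampfd idea (not the real API): the
 * "kernel" stores the context and does the transfer; user code can read it back. */
#define TRAMP_NREGS 4
#define MAX_TRAMPS 8
typedef void (*tramp_target)(const uintptr_t *regs);

struct tramp_ctx {
    tramp_target target;          /* target PC the kernel jumps to */
    uintptr_t regs[TRAMP_NREGS];  /* register context loaded before the jump */
};
static struct tramp_ctx kernel_table[MAX_TRAMPS];  /* "kernel-side" state */
static int ntramps;

/* Create a trampoline from a user-supplied context buffer (the attack surface). */
int tramp_create(const struct tramp_ctx *ctx) {
    if (ntramps >= MAX_TRAMPS) return -1;
    kernel_table[ntramps] = *ctx;
    return ntramps++;
}

/* Retrieve the kernel's copy of a trampoline's context. */
int tramp_get_ctx(int fd, struct tramp_ctx *out) {
    if (fd < 0 || fd >= ntramps) return -1;
    *out = kernel_table[fd];
    return 0;
}

/* The kernel's part: load the register context and continue at the target. */
int tramp_invoke(int fd) {
    if (fd < 0 || fd >= ntramps) return -1;
    kernel_table[fd].target(kernel_table[fd].regs);
    return 0;
}

/* Defensive check before invoking: the stored target must be one the
 * application registered and the closure pointer in regs[0] must be set. */
int tramp_invoke_checked(int fd, const tramp_target *allowed, int nallowed) {
    struct tramp_ctx cur;
    int i, ok = 0;
    if (tramp_get_ctx(fd, &cur) != 0) return -1;
    for (i = 0; i < nallowed; i++) ok |= (cur.target == allowed[i]);
    if (!ok || cur.regs[0] == 0) return -2;  /* context was tampered with */
    return tramp_invoke(fd);
}

/* Sample closure targets: regs[0] carries the static chain / closure data. */
static uintptr_t last_seen;
void closure_body(const uintptr_t *regs) { last_seen = regs[0]; }
void other_body(const uintptr_t *regs) { (void)regs; last_seen = 0xbad; }
```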
The Trampoline File Descriptor aims to be customizable, provide a framework for future trampoline types, and provide other kernel functionality.
More details on this proposed TRAMPFD kernel work and the ensuing discussion so far can be found in this kernel mailing list thread.