Microsoft Engineer Proposes "TRAMPFD" For Improving Linux Security

Written by Michael Larabel in Microsoft on 28 July 2020 at 02:00 PM EDT. 22 Comments
MICROSOFT
A Microsoft engineer is proposing the Trampoline File Descriptor "TRAMPFD" as a new kernel API for securely dealing with trampoline code on systems. There are concerns already over the potential performance implications but there does seem to be some interest in this approach.

TRAMPFD aims to better secure trampoline code used by the likes of GCC nested functions and the Foreign Function Interface library (libffi) where the pages with the instructions tend to be mapped with execute permissions. While there are Linux security modules and SELinux that try to protect against pages that have both write and execute permissions, Microsoft's Madhavan Venkatarama is aiming to provide a way to safely execute trampolines without making any security exceptions and to further reduce the potential attack surface.

TRAMPFD aims to provide a kernel API backed by anonymous file descriptors that can be used for creating and executing trampolines.
The kernel creates the trampoline mapping without any permissions. When the trampoline is executed by user code, a page fault happens and the kernel gets control. The kernel recognizes that this is a trampoline invocation. It sets up the user registers based on the specified register context, and/or pushes values on the user stack based on the specified stack context, and sets the user PC to the requested target PC. When the kernel returns, execution continues at the target PC. So, the kernel does the work of the trampoline on behalf of the application.

In this case, the attack surface is the context buffer. A hacker may attack an application with a vulnerability and may be able to modify the context buffer. So, when the register or stack context is set for a trampoline, the values may have been tampered with. From an attack surface perspective, this is similar to Trampoline Emulation. But with trampfd, user code can retrieve a trampoline's context from the kernel and add defensive checks to see if the context has been tampered with.

The Trampoline File Descriptor aims to be customizable, provide a framework for future trampoline types, and provide other kernel functionality.

More details on this proposed TRAMPFD kernel work and the ensuing kernel discussion so far via this kernel mailing list thread.
22 Comments
Related News
Microsoft Helping Out In Making The Linux Kernel Language More Inclusive
Microsoft Engineer Sends Rust Linux Kernel Patches For In-Place Module Initialization
Microsoft Enables DNS Tunneling By Default For WSL - More Reliable Networking
Microsoft Better Seeds The RNG For Hyper-V VMs In Linux 6.9
Microsoft's DirectX Shader Compiler Sees Improved Linux Build Support
Microsoft Rebranding CBL-Mariner Linux Distribution To "Azure Linux"
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
Rust-Written LAVD Kernel Scheduler Shows Promising Results For Linux Gaming
Former Nouveau Lead Developer Joins NVIDIA, Continues Working On Open-Source Driver
Fedora Linux 40 Cleared For Release Next Week
AMD: "Additional Parts Of The Radeon Stack To Be Open Sourced Throughout The Year"
Mozilla Finally Begins Offering Firefox ARM64 Linux Binaries
Ubuntu 24.04 Supports Easy Installation Of OpenZFS Root File-System With Encryption
openSUSE Factory Achieves Bit-By-Bit Reproducible Builds
Linux 6.10 Preps A Kernel Panic Screen - Sort Of A "Blue Screen of Death"