Does Linux support memory isolation for processes?
The more detailed question is: without root privileges, can one process read (not just write) another process's memory? (For example, by somehow reading /proc/gcore or /proc/[PID]/mem. I am not yet sure about their permission requirements.)
I know that virtual addressing is implemented and that each process has its own space. I did a quick search but found neither a strong guarantee nor a way to break it. This article says:
Each process in the system has its own virtual address space. These virtual address spaces are completely separate from each other and so a process running one application cannot affect another. Also, the hardware virtual memory mechanisms allow areas of memory to be protected against writing. This protects code and data from being overwritten by rogue applications.
I am not sure whether "affect" also covers "read"; the hardware only seems to protect memory from being overwritten.
Does anyone know whether this isolation is strongly guaranteed on Linux systems, or, if it can be hacked, how?
Thanks in advance!
Side note: as far as I can tell, this is a poorly documented topic, considering its importance as a security issue.
TL;DR: a process's virtual address space is fully isolated from another's. The Linux kernel has access to the whole memory as it runs in kernel mode. It provides system calls that allow one process to access another process's memory under specific conditions (see Ptrace access mode checking below).
There are system calls in the Linux kernel that allow reading/writing the memory of other processes:
process_vm_readv() and process_vm_writev() (same man page)
These system calls transfer data between the address space of the calling process ("the local process") and the process identified by pid ("the remote process"). The data moves directly between the address spaces of the two processes, without passing through kernel space.
The last sentence refers to what happens in kernel mode (the kernel actually copies between two physical addresses). User space cannot access another virtual address space. For technical details, check the implementation patch.
Regarding the required permissions:
Permission to read from or write to another process is governed by a ptrace access mode PTRACE_MODE_ATTACH_REALCREDS check; see ptrace().
The ptrace() system call provides a means by which one process (the "tracer") may observe and control the execution of another process (the "tracee"), and examine and change the tracee's memory and registers.
Regarding the required permissions, according to the ptrace() man page:
Ptrace access mode checking
Various parts of the kernel-user-space API (not just ptrace() operations), require so-called "ptrace access mode" checks, whose outcome determines whether an operation is permitted (or, in a few cases, causes a "read" operation to return sanitized data). These checks are performed in cases where one process can inspect sensitive information about, or in some cases modify the state of, another process. The checks are based on factors such as the credentials and capabilities of the two processes, whether or not the "target" process is dumpable, and the results of checks performed by any enabled Linux Security Module (LSM)—for example, SELinux, Yama, or Smack—and by the commoncap LSM (which is always invoked).
Related material:
The CAP_SYS_PTRACE capability; see the capabilities man page.
The list of all man pages for Linux kernel system calls.
The Meltdown and Spectre vulnerabilities.
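The following is an added example, not code from the original answer, that exercises the two paths the answer mentions: process_vm_readv(2) and /proc/[PID]/mem. A parent forks a child that holds a constructed secret in its own stack and sends only the address back over a pipe; the parent then tries to read those bytes through both interfaces, once with a normal (dumpable) child and once after the child has cleared its dumpable flag with prctl(PR_SET_DUMPABLE, 0), which is the state a setuid program is left in. The secret string, the helper names and the pipe protocol are all assumptions of this example. What it shows: with the same user and a dumpable child, both reads succeed without root; once the child is non-dumpable, the ptrace access mode check refuses the parent (EPERM from process_vm_readv, EACCES from open on /proc/[PID]/mem) unless the caller holds CAP_SYS_PTRACE. Note that container seccomp profiles commonly deny process_vm_readv outright, while the /proc/[PID]/mem path is governed only by the kernel check.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed secret kept in the child's stack; the parent only ever
 * receives its address through the pipe, never the bytes. */
static const char SECRET[] = "constructed-secret-42";

/* Cross-process read with process_vm_readv(2).
 * Returns 0 on success, otherwise the errno reported by the kernel
 * (EPERM when the PTRACE_MODE_ATTACH_REALCREDS check fails). */
int read_via_vm_readv(pid_t pid, uintptr_t addr, void *buf, size_t len)
{
    struct iovec local  = { .iov_base = buf,          .iov_len = len };
    struct iovec remote = { .iov_base = (void *)addr, .iov_len = len };
    ssize_t n = process_vm_readv(pid, &local, 1, &remote, 1, 0);
    if (n < 0)
        return errno;
    return (size_t)n == len ? 0 : EIO;
}

/* The same read through /proc/[pid]/mem. open(2) on that file performs the
 * PTRACE_MODE_ATTACH_FSCREDS check, so a refusal appears as EACCES at open
 * time, before any byte is read. */
int read_via_proc_mem(pid_t pid, uintptr_t addr, void *buf, size_t len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/mem", (int)pid);
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return errno;
    ssize_t n = pread(fd, buf, len, (off_t)addr);
    int err = n < 0 ? errno : ((size_t)n == len ? 0 : EIO);
    close(fd);
    return err;
}

/* Forks a child that copies SECRET into a stack buffer, optionally clears
 * its dumpable flag, sends the buffer address to the parent and sleeps.
 * The parent tries both read paths, stores each result (0 or errno) in
 * *vm_err / *mem_err, copies whatever a successful path read into out,
 * and reaps the child. Returns 0 if the experiment ran, -1 otherwise. */
int demo(int make_undumpable, int *vm_err, int *mem_err,
         char *out, size_t outlen)
{
    int fds[2];
    if (outlen < sizeof SECRET || pipe(fds) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char buf[sizeof SECRET];
        memcpy(buf, SECRET, sizeof SECRET);
        if (make_undumpable)
            prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
        uintptr_t addr = (uintptr_t)buf;
        close(fds[0]);
        if (write(fds[1], &addr, sizeof addr) != (ssize_t)sizeof addr)
            _exit(1);
        close(fds[1]);
        pause();            /* keep buf alive until the parent kills us */
        _exit(0);
    }
    close(fds[1]);
    uintptr_t addr = 0;
    ssize_t got = read(fds[0], &addr, sizeof addr);
    close(fds[0]);
    memset(out, 0, outlen);
    *vm_err = *mem_err = -1;
    if (got == (ssize_t)sizeof addr) {
        char tmp[sizeof SECRET];
        *vm_err = read_via_vm_readv(pid, addr, tmp, sizeof tmp);
        if (*vm_err == 0)
            memcpy(out, tmp, sizeof tmp);
        *mem_err = read_via_proc_mem(pid, addr, tmp, sizeof tmp);
        if (*mem_err == 0)
            memcpy(out, tmp, sizeof tmp);
    }
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return got == (ssize_t)sizeof addr ? 0 : -1;
}

int main(void)
{
    char out[sizeof SECRET];
    int vm, mem;
    for (int undumpable = 0; undumpable <= 1; undumpable++) {
        if (demo(undumpable, &vm, &mem, out, sizeof out) != 0)
            return 1;
        printf("%s child: process_vm_readv -> %s, /proc/[pid]/mem -> %s, read \"%s\"\n",
               undumpable ? "non-dumpable" : "dumpable",
               vm ? strerror(vm) : "ok", mem ? strerror(mem) : "ok", out);
    }
    return 0;
}
```

Build with `gcc -Wall -o memiso memiso.c` and run as an unprivileged user. The first line shows the secret recovered from the child; the second shows both paths refused. Run it again with CAP_SYS_PTRACE (for example as root) and the non-dumpable child is readable too, which is the answer's point: the isolation is enforced by the kernel's access check, not by the hardware mapping alone.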