perf-security: document collected perf_events/Perf data categories

Document and categorize system and performance data into groups that
can be captured by perf_events/Perf and explicitly indicate the group
that can contain process sensitive data.

Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Alexey Budankov 2019-02-11 16:43:54 +03:00 committed by Jonathan Corbet
parent 9d87bbae2d
commit 68570ca0b4
1 changed files with 30 additions and 2 deletions

@ -11,8 +11,34 @@ impose a considerable risk of leaking sensitive data accessed by monitored
processes. The data leakage is possible both in scenarios of direct usage of processes. The data leakage is possible both in scenarios of direct usage of
perf_events system call API [2]_ and over data files generated by Perf tool user perf_events system call API [2]_ and over data files generated by Perf tool user
mode utility (Perf) [3]_ , [4]_ . The risk depends on the nature of data that mode utility (Perf) [3]_ , [4]_ . The risk depends on the nature of data that
perf_events performance monitoring units (PMU) [2]_ collect and expose for perf_events performance monitoring units (PMU) [2]_ and Perf collect and expose
performance analysis. Having that said perf_events/Perf performance monitoring for performance analysis. Collected system and performance data may be split into
several categories:
1. System hardware and software configuration data, for example: a CPU model and
its cache configuration, an amount of available memory and its topology, used
kernel and Perf versions, performance monitoring setup including experiment
time, events configuration, Perf command line parameters, etc.
2. User and kernel module paths and their load addresses with sizes, process and
thread names with their PIDs and TIDs, timestamps for captured hardware and
software events.
3. Content of kernel software counters (e.g., for context switches, page faults,
CPU migrations), architectural hardware performance counters (PMC) [8]_ and
machine specific registers (MSR) [9]_ that provide execution metrics for
various monitored parts of the system (e.g., memory controller (IMC), interconnect
(QPI/UPI) or peripheral (PCIe) uncore counters) without direct attribution to any
execution context state.
4. Content of architectural execution context registers (e.g., RIP, RSP, RBP on
x86_64), process user and kernel space memory addresses and data, content of
various architectural MSRs that capture data from this category.
Data that belong to the fourth category can potentially contain sensitive process
data. If PMUs in some monitoring modes capture values of execution context registers
or data from process memory then access to such monitoring capabilities requires
to be ordered and secured properly. So, perf_events/Perf performance monitoring
is the subject for security access control management [5]_ . is the subject for security access control management [5]_ .
perf_events/Perf access control perf_events/Perf access control
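Review bot: The closing paragraph names only the fourth category as potentially sensitive, but category 2 lists "User and kernel module paths and their load addresses with sizes" along with process and thread names, PIDs and TIDs. Kernel module load addresses expose kernel address layout, and process names and paths describe other users' activity, so a reader could take categories 1 to 3 as safe to share. Consider adding a sentence that category 2 data also needs care when perf.data files leave the machine. Separately, "requires to be ordered and secured properly" would read better as "must be ordered and secured properly", and "is the subject for security access control management" as "is subject to security access control management".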
@ -134,6 +160,8 @@ Bibliography
.. [5] `<https://www.kernel.org/doc/html/latest/security/credentials.html>`_ .. [5] `<https://www.kernel.org/doc/html/latest/security/credentials.html>`_
.. [6] `<http://man7.org/linux/man-pages/man7/capabilities.7.html>`_ .. [6] `<http://man7.org/linux/man-pages/man7/capabilities.7.html>`_
.. [7] `<http://man7.org/linux/man-pages/man2/ptrace.2.html>`_ .. [7] `<http://man7.org/linux/man-pages/man2/ptrace.2.html>`_
.. [8] `<https://en.wikipedia.org/wiki/Hardware_performance_counter>`_
.. [9] `<https://en.wikipedia.org/wiki/Model-specific_register>`_
.. [11] `<http://man7.org/linux/man-pages/man2/getrlimit.2.html>`_ .. [11] `<http://man7.org/linux/man-pages/man2/getrlimit.2.html>`_
.. [12] `<http://man7.org/linux/man-pages/man5/limits.conf.5.html>`_ .. [12] `<http://man7.org/linux/man-pages/man5/limits.conf.5.html>`_
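Review bot: The new entries [8] and [9] are followed directly by the existing [11], so [10] stays unused in the bibliography. Either say in the commit message that the gap is intentional or renumber so the list is contiguous. Both new references also point to Wikipedia articles, whose content can change; a vendor architecture manual would be a more stable citation for PMC and MSR definitions in a security document.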