abusing luks to hack the system


1. Abusing LUKS to hack the system
DeepSec, 10-11 Nov 2016, Vienna, Austria
Ismael Ripoll-Ripoll (iripoll@upv.es), Universitat Politècnica de València
Hector Marco-Gisbert (hmarco@hmarco.org, hector.marco@uws.ac.uk), University of the West of Scotland
https://cybersecurity.upv.es

2. Contents
1) About complexity and security.
2) A real bug, caused by excessive complexity:
   1) Overview of the exploitation scenario.
   2) Analysis of the vulnerability.
   3) A real demo of exploitation.
3) Conclusions.
● The vulnerability analyzed is CVE-2016-4484.
● The issue has been reported to the developers.

3. About complexity
“Complexity is the Enemy of Security”
Adding new security mechanisms => increases the complexity => larger bug surface (code++, interactions++) => potentially weaker system.

4. About complexity
● There are many sources of “complexity”:
  – APIs can be large, baroque and cumbersome.
  – Communication protocols can be complex.
  – The hardware may be complex, and so the drivers.
● Fighting complexity:
  1) Simplify → reduce (remove) functionality.
  2) Split, isolate and then combine.
[Figure: Mars Climate Orbiter, Nov. 10, 1999]

5. Complexity measurement
ESA Guide for Independent Software Verification & Validation: error potential questionnaire.
The team:
1) Is the number of people in the software development team more than 20?
2) Is the development team split across several geographical working locations (more than 5 minutes walking distance)?
3) Is the maturity of the software development team's process low (...)?
4) Is the software development team lacking in experience with the software technology, the domain, or the application?
5) Is the software supplier lacking in experience of the required criticality level?
The product:
6) Does development of the software require innovative designs?
7) Are software requirements still unstable?
8) Is the complexity of the software high?
Factors which may influence complexity:
● size of the software
● number of components
● number of relationships between them
● the complexity of the algorithms
● number of internal and external interfaces
● tools available to visualise software
● the cognitive capacity of the observer
● ....

6. Complexity
● Some bugs that can be attributed to complexity are also complex to exploit:
  – OpenSSL FREAK requires MITM capabilities.
  – It took more than one year from RowHammer to Flip Feng Shui or DRAMMER.
● Not all of them are hard to exploit.
This presentation shows an example of a bug that is simple to exploit, caused by the unexpected interaction between modules in a complex system.

7. A real bug caused by complexity
● LUKS is disk encryption software.
● It is the one used by Debian/Ubuntu by default.
● The booting sequence is a complex process:
  1) BIOS/UEFI.
  2) GRUB.
  3) Initrd: LUKS setup.
  4) Systemd/upstart.

8. Boot sequence: default install
[Figure: boot chain] BIOS/UEFI (ROM) → GRUB (boot partition) → Kernel + initrd (boot partition) → PASS (mandatory: LUKS passphrase) → encrypted system partition: initial setup → Init → Servers → PASS (mandatory: login) → Login → Applications

9. Securing the boot
● Both BIOS/UEFI and GRUB are too powerful.
● By default, they are not protected:
  – It is possible to change the boot device in the BIOS, just by hitting the <F2> key to enter the config menu.
  – By pressing <ESC> you get the GRUB menu, and so can edit the kernel parameters → get a root shell easily.
● It is necessary to block these attack vectors:
  – BIOS password.
  – GRUB password.

10. Boot protection
[Figure: the boot chain of slide 8, now with a PASS at every stage] BIOS/UEFI: PASS (necessary only for editing) → GRUB: PASS (necessary only for editing) → Kernel + initrd: PASS (mandatory, LUKS) → encrypted system partition: initial setup → Init → Servers → Login: PASS (mandatory) → Applications
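Slides 9 and 10 ask for a GRUB password that locks editing but leaves a plain boot unattended. The following audit script is an added example, not code from the slides or from the GRUB project: it checks a grub.cfg for a superuser with a password_pbkdf2 line (which protects the menu editor and the GRUB command line) and reports which menu entries lack `--unrestricted` (entries that would prompt for the password even for a normal boot). The two grub.cfg texts are constructed for the example, and the PBKDF2 hash is a shortened placeholder, not real grub-mkpasswd-pbkdf2 output.

```shell
#!/bin/sh
# Added example (not from the slides or from GRUB): audit a GRUB 2 grub.cfg
# for the protection slide 9 calls for. A superuser plus password_pbkdf2 line
# locks the menu editor and the GRUB shell; menu entries marked --unrestricted
# still boot without a prompt, so the password is "necessary only for editing"
# (slide 10). Both configs below are constructed; the hash is a placeholder.

CFG_UNPROTECTED=$(cat <<'EOF'
set timeout=5
menuentry 'Debian GNU/Linux' --class debian --class gnu-linux {
    linux   /vmlinuz root=/dev/mapper/vg-root ro quiet
    initrd  /initrd.img
}
EOF
)

CFG_PROTECTED=$(cat <<'EOF'
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.SALT.HASH
set timeout=5
menuentry 'Debian GNU/Linux' --class debian --unrestricted {
    linux   /vmlinuz root=/dev/mapper/vg-root ro quiet
    initrd  /initrd.img
}
menuentry 'Debian GNU/Linux (recovery mode)' --class debian {
    linux   /vmlinuz root=/dev/mapper/vg-root ro single
    initrd  /initrd.img
}
EOF
)

# $1 = grub.cfg text. Succeeds when a superuser and a pbkdf2 password are set.
grub_has_superuser() {
    printf '%s\n' "$1" | grep -q '^set superusers=' &&
    printf '%s\n' "$1" | grep -q '^password_pbkdf2 [^ ]* grub\.pbkdf2\.sha512\.'
}

# $1 = grub.cfg text. Prints how many menu entries carry --unrestricted.
grub_unrestricted_count() {
    printf '%s\n' "$1" | grep -c '^menuentry .*--unrestricted' || true
}

# $1 = grub.cfg text. Prints how many menu entries lack --unrestricted; once a
# superuser exists these prompt for the password even for a plain boot.
grub_locked_count() {
    printf '%s\n' "$1" | grep '^menuentry ' | grep -vc -- '--unrestricted' || true
}

# $1 = grub.cfg text. Prints a one-word verdict.
grub_audit() {
    if ! grub_has_superuser "$1"; then
        # <ESC> to the menu, edit the kernel line, boot: root shell (slide 9)
        echo "no-superuser"
        return 0
    fi
    locked=$(grub_locked_count "$1")
    if [ "$locked" -gt 0 ]; then
        echo "protected-locked-entries:$locked"
    else
        echo "protected"
    fi
}

grub_audit "$CFG_UNPROTECTED"   # no-superuser
grub_audit "$CFG_PROTECTED"     # protected-locked-entries:1
```

On a real Debian/Ubuntu system the `set superusers` and `password_pbkdf2` lines go into a file under /etc/grub.d/ (40_custom is the conventional place) and grub.cfg is regenerated with update-grub; the hash itself comes from grub-mkpasswd-pbkdf2. Leaving the recovery entry without `--unrestricted`, as in the protected sample, is the intended state: that entry hands out a root shell and should require the password.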

11. Initrd: preparations to mount the real root filesystem
● Discover existing hardware.
● Some devices (SATA, USB, etc.) may need some time to warm up.
● The init scripts allow hardware to fail a few times until it becomes ready.
  – There may be transient errors or dependencies between hardware devices.
● There is a wide variety of booting devices.
● ....

12. Mounting the encrypted partition
● If the system partition is encrypted, then the init process must ask the user for the password in order to unlock and mount it.
Can an attacker abuse this interface?

13. Let's analyze /init and related scripts
● GRUB loads vmlinuz (the Linux kernel) and initrd.img from the boot partition; the initrd is uncompressed into a ramfs in RAM.
● Inside the initrd, /init sources /scripts/local, whose mountroot runs the local-top scripts, among them cryptroot:

    init
    scripts/
    ├── functions
    ├── init-bottom/
    │   ├── ORDER
    │   └── udev
    ├── init-premount/
    │   ├── lvm2
    │   ├── ORDER
    │   └── plymouth
    ├── init-top/
    │   └── ....
    ├── local
    ├── local-block/
    │   ├── cryptroot
    │   ├── lvm2
    │   └── ORDER
    ├── local-bottom/
    │   ├── cryptopensc
    │   ├── ntfs_3g
    │   └── ORDER
    ├── local-premount/
    │   └── ....
    ├── local-top/
    │   ├── cryptopensc
    │   ├── cryptroot
    │   ├── lvm2
    │   └── ORDER
    └── panic/
        ├── console_setup
        ├── keymap
        ├── ORDER
        └── plymouth

14. The /init script @ initramfs

    #!/bin/sh
    # Default PATH differs between shells, and is not automatically exported
    # by klibc dash. Make it consistent.
    export PATH=/sbin:/usr/sbin:/bin:/usr/bin

    [ -d /dev ] || mkdir -m 0755 /dev
    [ -d /root ] || mkdir -m 0700 /root
    [ -d /sys ] || mkdir /sys
    [ -d /proc ] || mkdir /proc
    [ -d /tmp ] || mkdir /tmp
    mkdir -p /var/lock
    mount -t sysfs -o nodev,noexec,nosuid sysfs /sys
    mount -t proc -o nodev,noexec,nosuid proc /proc
    ...
    . /scripts/local
    . /scripts/nfs
    . /scripts/${BOOT}
    parse_numeric ${ROOT}
    maybe_break mountroot
    mount_top
    mount_premount
    mountroot          # defined in /scripts/local
    ...

15-17. local_mount_root()
● Multiple attempts to mount filesystems.
● (1) local_mount_root calls local_top, which runs the scripts in /scripts/local-top, among them /scripts/local-top/cryptroot:

    mountroot () {
        local_mount_root
    }

    local_mount_root () {
        local_top                              # (1)
        local_device_setup "${ROOT}" root
        ...
    }

    local_top () {
        if [ "${local_top_used}" != "yes" ]; then
            [ "$quiet" != "y" ] && log_begin_msg "Run..."
            run_scripts /scripts/local-top     # → /scripts/local-top/cryptroot
            [ "$quiet" != "y" ] && log_end_msg
        fi
        local_top_used=yes
    }

/scripts/local

18. The /scripts/local-top/cryptroot

    setup_mapping () {
        cryptkeyscript=/lib/cryptsetup/askpass
        ....
        crypttries=3                                          # (2)
        ....
        while [ $crypttries -le 0 ] || [ $count -lt $crypttries ]; do
            ....
            if ! crypttarget="$crypttarget" cryptsource="$cryptsource" \
                 $cryptkeyscript "$cryptkey" | $cryptopen; then
                message "cryptsetup: cryptsetup failed, bad password or options?"
                continue
            fi
            ....
        done

        if [ $crypttries -gt 0 ] && [ $count -gt $crypttries ]; then
            message "cryptsetup: maximum number of tries exceeded for $crypttarget"
            return 1
        fi
        udev_settle
        return 0
    }
    ....
    # Do we have any settings from the /conf/conf.d/cryptroot file?
    if [ -r /conf/conf.d/cryptroot ]; then
        while read mapping <&3; do
            setup_mapping "$mapping" 3<&-     # (1) for each encrypted device: try to unlock it
        done 3< /conf/conf.d/cryptroot
    fi

/scripts/local-top/cryptroot
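The chain /init → mountroot → local_top → cryptroot → setup_mapping (slides 14 to 18) ends in the retry loop above. The script below is an added example, not code from the slides or from the cryptsetup package: a stand-alone model of that loop with the cryptsetup call replaced by a stub that rejects every passphrase (a user who keeps hitting Enter at the prompt). One assumption is stated in the code: the slide elides the count bookkeeping with "....", and the model starts count at 0 and increments it at the top of each iteration, as the upstream script does. Under that assumption the loop can only exit with count equal to crypttries, so the `-gt` test printed on the slide never fires and setup_mapping returns 0 after three failed passphrases; the same loop with `-ge` returns 1.

```shell
#!/bin/sh
# Added example, not code from the slides or from cryptsetup: a model of the
# setup_mapping retry loop printed on slide 18, with "$cryptkeyscript | $cryptopen"
# replaced by a stub that fails every time.
# ASSUMPTION: the slide elides the count bookkeeping ("...."). Here count starts
# at 0 and is incremented at the top of each iteration, as in the upstream script.

message() { printf 'model: %s\n' "$*" >&2; }

# Stand-in for the askpass | cryptsetup pipeline: the passphrase is always wrong.
cryptopen_stub() { return 1; }

# $1 = crypttries (3 on the slide)
# $2 = operator of the post-loop test: -gt as printed on the slide, -ge to compare
# The return code is what the caller of setup_mapping sees.
setup_mapping_model() {
    crypttries=$1
    cmp=$2
    count=0
    # Try to get a satisfactory password $crypttries times
    while [ "$crypttries" -le 0 ] || [ "$count" -lt "$crypttries" ]; do
        count=$((count + 1))
        if ! cryptopen_stub; then
            message "cryptsetup: cryptsetup failed, bad password or options?"
            continue
        fi
        break        # mapping set up (unreachable with the failing stub)
    done
    # The loop above leaves count == crypttries when every attempt failed, so
    # with -gt this branch is dead and the function falls through to return 0.
    if [ "$crypttries" -gt 0 ] && [ "$count" "$cmp" "$crypttries" ]; then
        message "cryptsetup: maximum number of tries exceeded"
        return 1
    fi
    return 0
}

# What the caller observes after three rejected passphrases, for a given operator.
outcome_for() {
    if setup_mapping_model 3 "$1"; then
        echo "success"    # boot goes on although nothing was unlocked
    else
        echo "abort"
    fi
}

outcome_for -gt    # success  (check as printed on the slide)
outcome_for -ge    # abort    (check that actually stops after three failures)
```

The model deliberately does not call it with crypttries=0 ("unlimited"), since the failing stub would then loop forever. The point it isolates is the one a reviewer of the slide's code should flag: a function that returns 0 after exhausting its tries makes the rest of the boot sequence continue without the root device, and what the initramfs does then is where the rest of the deck goes.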
