angry module excavation
play

ANGRY MODULE EXCAVATION LET'S PLAY WITH DUCT TAPE. Stanislas - PowerPoint PPT Presentation

Jun 19, 2023 •261 likes •798 views

ANGRY MODULE EXCAVATION LET'S PLAY WITH DUCT TAPE. Stanislas 'P1kachu' Lejay LSE Week - July 14, 2016 1 MODULE EXCAVATION ? Use concolic analysis to explore kernel modules and get informations about their IOCTLs 2 WHAT IS AN IOCTL ? long

  1. ANGRY MODULE EXCAVATION LET'S PLAY WITH DUCT TAPE. Stanislas 'P1kachu' Lejay LSE Week - July 14, 2016 1

  2. MODULE EXCAVATION ? Use concolic analysis to explore kernel modules and get informations about their IOCTLs 2

  3. WHAT IS AN IOCTL ? long random_ioctl(int fd, unsigned int cmd, unsigned long arg); A syscall to get custom operations on a resource Device specific commands, code or specs needed Unavailable for private drivers 3

  4. BUT, WHY ? 4

  5. CHECK IF HEADERS AND IOCTLS MATCH // linux/include/uapi/linux/firewire-cdev.h #define FW_CDEV_IOC_GET_INFO _IOWR('#', 0x00, struct fw_cdev_get_info) #define FW_CDEV_IOC_SEND_REQUEST _IOW('#', 0x01, struct fw_cdev_send_request) #define FW_CDEV_IOC_ALLOCATE _IOWR('#', 0x02, struct fw_cdev_allocate) #define FW_CDEV_IOC_DEALLOCATE _IOW('#', 0x03, struct fw_cdev_deallocate) #define FW_CDEV_IOC_SEND_RESPONSE _IOW('#', 0x04, struct fw_cdev_send_response) #define FW_CDEV_IOC_INITIATE_BUS_RESET _IOW('#', 0x05, struct fw_cdev_initiate_bus_reset) #define FW_CDEV_IOC_ADD_DESCRIPTOR _IOWR('#', 0x06, struct fw_cdev_add_descriptor) #define FW_CDEV_IOC_REMOVE_DESCRIPTOR _IOW('#', 0x07, struct fw_cdev_remove_descriptor) #define FW_CDEV_IOC_CREATE_ISO_CONTEXT _IOWR('#', 0x08, struct fw_cdev_create_iso_context) #define FW_CDEV_IOC_QUEUE_ISO _IOWR('#', 0x09, struct fw_cdev_queue_iso) #define FW_CDEV_IOC_START_ISO _IOW('#', 0x0a, struct fw_cdev_start_iso) #define FW_CDEV_IOC_STOP_ISO _IOW('#', 0x0b, struct fw_cdev_stop_iso) 5

  6. IOCTL COMMANDS CONTAIN DATA // linux/include/uapi/linux/firewire-cdev.h #define FW_CDEV_IOC_GET_INFO _IOWR('#', 0x00, struct fw_cdev_get_info) // linux/include/uapi/asm-generic/ioctl.h #define _IOC(dir,type,nr,size) \ (((dir) << _IOC_DIRSHIFT) | \ ((type) << _IOC_TYPESHIFT) | \ ((nr) << _IOC_NRSHIFT) | \ ((size) << _IOC_SIZESHIFT)) #ifndef __KERNEL__ #define _IOC_TYPECHECK(t) (sizeof(t)) #endif /* used to create numbers */ #define _IO(type,nr) _IOC(_IOC_NONE,(type),(nr),0) #define _IOR(type,nr,size) _IOC(_IOC_READ,(type),(nr),(_IOC_TYPECHECK(size))) #define _IOW(type,nr,size) _IOC(_IOC_WRITE,(type),(nr),(_IOC_TYPECHECK(size))) #define _IOWR(type,nr,size) _IOC(_IOC_READ|_IOC_WRITE,(type),(nr),(_IOC_TYPECHECK(size))) 6

  7. STILL DOESN'T TELL US WHY... To find bugs To find vulnerabilities (Yay) To discover IOCTLs from private drivers 7

  8. AND, AS A BONUS Experience and challenge this kind of analysis in a new context A.K.A not in a userland CTF exercise 8

  9. THE PEELER: STEPS Find the functions accurately Find which commands are valid Find a way to determine the type of 'arg' 9

  10. ANGR Framework developped by the UC Santa Barbara's Computer Security Lab, and their associated CTF team, Shellphish. 10

  11. WHAT IS IT ? angr is a framework for analyzing binaries. It focuses on both static and dynamic symbolic ("concolic") analysis, making it applicable to a variety of tasks. Participated in the DARPA CGC (Autonomous Hacking) - One of the 7 team qualified for the finals Submodules: CLE, claripy, simuvex... 11

  12. CONCOLIC ? Conc rete execution + Symb olic execution Concrete execution: Program being executed Symbolic execution allows at a time T to determine for a branch all conditions necessary to take the branch or not 12

  13. EXAMPLE int example(int x, int y) { int x = i1; int y = i2; if (x > 80) { if (x == 256) return True; } else { x = 0; y = 0; } return False; } 13

  14. GIVES US 14

  15. PRACTICAL EXAMPLE Defcon Quals 2016 - babyre 15

  16. Solved in 5 minutes with angr: main = 0x4025e7 p = angr.Project('baby-re') init = p.factory.blank_state(addr=main) # Taken from IDA's xrefs scanf_off = [0x4d, 0x85, 0xbd, 0xf5, 0x12d, 0x165, 0x19d, 0x1d5, 0x20d, 0x245, 0x27d, 0x2b5, 0x2ed] def scanf(state): state.mem[state.regs.rsi:] = state.se.BVS('c', 8) for o in scanf_off: p.hook(main + o, func=scanf, length=5) pgp = p.factory.path_group(init, threads=8) win = 0x4028e9 fail = 0x402941 ex = pgp.explore(find=(win), avoid=(fail)) s = ex.found[0].state flag_addr = 0x7fffffffffeff98 # First rsi from scanf flag = s.se.any_str(s.memory.load(flag_addr, 50)) print("The flag is '{0}'".format(flag)) 16

  17. 16 SO ? It seems to do everything we ask for Good results in CTF Most of the work has been put in the ELF handling 17

  18. BUT (YES, THERE IS A BUT...) (AGAIN...) 18

  19. Apparently it doesn't like kernel modules, you need to write a custom loader -- Gaby 19

  20. 19 PROBLEMS Object files (modules) are different from executables Relocations had to be done 20

  21. RELOCATIONS References to symbols in other sections Need to be resolved at link time 21

  22. EXAMPLE ;; x.o .text: f: call external_func ;; Relocation to external func lea eax, inter_section, ;; Inter section relocation ret .data: inter_section: .long 12 ;; y.o .text: main: call f ;; Inter object relocation 22

  23. LET'S EXPLORE 23

  24. Peeler behavior overview: ioctls = find_ioctls("peel_me_sensually.bin"); for (ioctl in ioctls) { endpoints = find_endpoints(ioctl); ex = explorer(); for (endpoint in endpoints) { paths = get_paths(ex, ioctl.entry, endpoint); for (path in paths) { if (get_ret_val(path) > -1) do_stuff(path); } } } 24

  25. 24 int my_false_ioctl(int fd, unsigned long cmd, void* arg) { int ret = -1; switch (cmd) { case 0xcafe: ret = 1 * 2 + 98 - 3000; if (ret + fd - 23 + cmd == 0xa110c) ret = 1; } return ret; } gives us Path from 0x4005dc to 4006a7 Required conditions (constraints): <Bool reg_40_5_64 == 0xcafe> <Bool (reg_40_5_64 + SignExt(32, ((reg_48_4_64 + 0xfffff4ac) - 0x17))) == 0xa110c> Simplified: <Bool (reg_40_5_64 == 0xcafe) \ && (reg_48_4_64 == 0x95179) \ && ((0xfffff495 + reg_48_4_64[31:0])[31:31] == 0))> return value: 0x1 25

  26. 25 MINOR FIXES The intra-block address patch 26

  27. HEY, IT WOR-- ... WAIT A MINUTE. (drm.ko) 27

  28. DRM_MODE_ATOMIC_IOCTL p1kachu@GreenLabOfGazon:src$ ./pyfinder.py drm.ko -f drm_mode_atomic_ioctl -q [ ] INFOS Peeling drm's ioctls [ ] INFOS Analyzing function drm_mode_atomic_ioctl at 0x421b30 [ ] INFOS Launching path_group explorer [ ] INFOS Explorer: <PathGroup with 1 deadended, 1 found> [ ] INFOS Analyzing 1 found paths [ ] INFOS Path from 0x421b30 to 0x421f12L (1/1) [ ] INFOS Return value would be 0xffffffeaL - Skipping [ ] INFOS Analyzing 1 deadended paths [ ] INFOS Path from 0x421b30 to 0x421ba7L (1/1) [-] FAIL Something went wrong in se.min/max: Unsat Error [ ] INFOS End of analysis 28

  29. DRM_COMPAT_IOCTL p1kachu@GreenLabOfGazon:src$ ./pyfinder.py drm.ko -f drm_compat_ioctl -q [ ] INFOS Peeling drm's ioctls [ ] INFOS Analyzing function drm_compat_ioctl at 0x422490 [ ] INFOS Launching path_group explorer [ ] INFOS Explorer: <PathGroup with 5 deadended, 2 active, 1 found> [ ] INFOS Analyzing 1 found paths [ ] INFOS Path from 0x422490 to 0x4224bdL (1/1) [ ] INFOS Return value would be 0xffffffffffffffedL - Skipping [ ] INFOS Analyzing 5 deadended paths [ ] INFOS Path from 0x422490 to 0x405b44L (1/5) [-] FAIL Something went wrong in se.min/max: Unsat Error [ ] INFOS Path from 0x422490 to 0x4059f5L (2/5) [-] FAIL Something went wrong in se.min/max: Unsat Error [ ] INFOS Path from 0x422490 to 0x423e4eL (3/5) [ ] INFOS Return value would be 0xfffffff2L - Skipping [ ] INFOS Path from 0x422490 to 0x405b44L (4/5) [-] FAIL Something went wrong in se.min/max: Unsat Error [ ] INFOS Path from 0x422490 to 0x4059f5L (5/5) [-] FAIL Something went wrong in se.min/max: Unsat Error [ ] INFOS Explorer: <PathGroup with 2 deadended> 29

  30. __KSTRTAB_DRM_IOCTL_PERMIT [ ] INFOS Analyzing function __kstrtab_drm_ioctl_permit at 0x4399ce Traceback (most recent call last): File "./pyfinder.py", line 201, in <module> recover_function(f, cfg, addr) File "/home/p1kachu/peeling-ioctls/src/excavator.py", line 195, in recover_function ins = blk.capstone.insns[last_ins] IndexError: list index out of range 30

  31. WHAT NOW ? We need to enhance and strengthen the peeler angr cannot work without some human pre-work How to save resources (time and memory) ? Automate verifications Discard useless stuff Analyze interesting functions only 31

  32. FIND IOCTLS SMARTLY HOW DO WE DO THAT ? 32

  33. IOCTL REGISTRATION PROCESSUS Create a struct file_operations Multiple function pointers Used to register operations on the device Load the structure in memory (using a register function) Classic operations will now be handled by these functions static const struct file_operations i8k_fops = { .owner = THIS_MODULE, .open = i8k_open_fs, .read = seq_read, .llseek = seq_lseek, .release = single_release, .unlocked_ioctl = i8k_ioctl, }; 33

  34. LEGEND For the next slides, please refer to this legend: - fops : file_operations struct containing our ioctl - register_ioctl : register function that will load fops - call_me_addr : address of 'call register_ioctl' - Caller : function containing call_me_addr 34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Be Angry ry and Do Not Sin The world is falling apart. Heres how we fix it. Therefore, la

Be Angry ry and Do Not Sin The world is falling apart. Heres how we fix it. Therefore, la

Be Angry ry and Do Not Sin The world is falling apart. Heres how we fix it. Therefore, la laying aside fals lsehood, SPEAK TRUTH EACH ONE of you WIT ITH HIS IS NEIGHBOR, for we are members of one another. BE ANGRY, AND yet DO NOT SIN

374 views • 8 slides
Excavation, Confined Space &amp; Work Zone Safety Ray Morang Team E.J.Prescott What is an

Excavation, Confined Space &amp; Work Zone Safety Ray Morang Team E.J.Prescott What is an

Excavation, Confined Space &amp; Work Zone Safety Ray Morang Team E.J.Prescott What is an excavation? (1926.650) Excavation - Any man made cut, cavity, trench, or depression in the earths surface. Trench A narrow excavation in

1.02k views • 90 slides
VACUUM EXCAVATION Tricks of the Trade Types of Vacuum Excavation Air Excavation Hydro

VACUUM EXCAVATION Tricks of the Trade Types of Vacuum Excavation Air Excavation Hydro

VACUUM EXCAVATION Tricks of the Trade Types of Vacuum Excavation Air Excavation Hydro Excavation Air Excavation vs. Hydro Excavation ---------------------------------------- ---------------------------------------- Pros Pros

385 views • 25 slides
Jonahs angry response Jonahs death wish Jonah sulks &amp; waits The withered

Jonahs angry response Jonahs death wish Jonah sulks &amp; waits The withered

THE STORY CONTINUES Jonahs angry response Jonahs death wish Jonah sulks &amp; waits The withered tree Gods final challenge JONAHS ANGRY RESPONSE But this was very displeasing to Jonah, and he became angry. He prayed

285 views • 17 slides
New MTT - Approaches 20 Marine Raker Pile Installation New MTT - Approaches Excavation

New MTT - Approaches 20 Marine Raker Pile Installation New MTT - Approaches Excavation

19 New MTT - Approaches 20 Marine Raker Pile Installation New MTT - Approaches Excavation of Approach following installation of SOE and concrete piles Struts and Walers to brace excavation Placement of Inverts, Walls, Roofs

400 views • 18 slides
Notice To Proceed August 8 th , 2008 80,000 cubic yards bulk excavation 80,000 yards of

Notice To Proceed August 8 th , 2008 80,000 cubic yards bulk excavation 80,000 yards of

Notice To Proceed August 8 th , 2008 80,000 cubic yards bulk excavation 80,000 yards of bulk excavation Geo Piers Spread Eng. Fill Footings Caissons 4 Different foundation methods required Benches for CSLM Stone at ice ring

601 views • 42 slides
33 kT Liquid Argon Detector Excavation 50% Conceptual Design Review Outline Overview of 33 kT

33 kT Liquid Argon Detector Excavation 50% Conceptual Design Review Outline Overview of 33 kT

33 kT Liquid Argon Detector Excavation 50% Conceptual Design Review Outline Overview of 33 kT LAr Layout Generalized Development Sequence 33 kT LAr Excavation Sequence Ground Support &amp; Stability Modeling Veto Tube

583 views • 33 slides
1 MODULE SPECIFICATION Module Aims The module aims to deliver knowledge of the essential

1 MODULE SPECIFICATION Module Aims The module aims to deliver knowledge of the essential

MODULE SPECIFICATION Project Management and Credit Module Title: Level : 5 20 Presentation Techniques Value : Is this a Code of module Module code : ENG543 new NO being replaced : module? Cost Centre : GAME JACS3 code : F311

261 views • 4 slides
Dealing With Angry Library Patron Behaviors With Andrew Sanderbeck Lets Talk About

Dealing With Angry Library Patron Behaviors With Andrew Sanderbeck Lets Talk About

Dealing With Angry Library Patron Behaviors With Andrew Sanderbeck Lets Talk About Where You Get Stuck Dealing With Angry Patrons Emotion vs. Logic in Dealing with Your Patrons Using the E+R=O technique to reduce stress and

478 views • 37 slides
Effective Communication Engaging an Angry Public Jonathan Bartsch CDR Associates, Principal Agenda

Effective Communication Engaging an Angry Public Jonathan Bartsch CDR Associates, Principal Agenda

Effective Communication Engaging an Angry Public Jonathan Bartsch CDR Associates, Principal Agenda Why is the Public Angry? Does it matter? Who is the Public? Spectrum of Public Engagement How Do We Effectively Engage Interests

586 views • 22 slides
Impacting Kids Who are Angry, Withdrawn, or Superficial Every kid needs someone to run to

Impacting Kids Who are Angry, Withdrawn, or Superficial Every kid needs someone to run to

NW Ministries Conference 2019 Impacting Kids Who are Angry, Withdrawn, or Superficial Every kid needs someone to run to that wont run away Me Romans 12:2 (NIV) 2 Do not conform to the pattern of this world, but be transformed by the

446 views • 28 slides
Ephesians 4:26,27 Be angry but do not sin. Dont let the sun go down on your anger and

Ephesians 4:26,27 Be angry but do not sin. Dont let the sun go down on your anger and

Ephesians 4:26,27 Be angry but do not sin. Dont let the sun go down on your anger and dont give the devil an opportunity. James 1:20 Anger does not bring about the righteous life that God desires. Proverbs 12:16 A fool is

774 views • 43 slides
WEB / FONT / DESIGN You Dont Have To Angry Any More Just Because You Can Doesnt Mean You

WEB / FONT / DESIGN You Dont Have To Angry Any More Just Because You Can Doesnt Mean You

WEB / FONT / DESIGN You Dont Have To Angry Any More Just Because You Can Doesnt Mean You Should With Power Comes Great Responsibility 1 Thursday, March 29, 12 1 ABCS HAVE LONG HISTORY, DESIGN FOLLOWS TOOLS Technology Type

547 views • 54 slides
WHO ARE WE? VAC UK are specialists in vacuum excavation We are here to support you with the

WHO ARE WE? VAC UK are specialists in vacuum excavation We are here to support you with the

WHO ARE WE? VAC UK are specialists in vacuum excavation We are here to support you with the latest vacuum excavators and our professional operators to ensure you get your job completed safely, on time and in budget WHY CHOOSE VAC UK?

231 views • 20 slides
WebEOC Training 1 Topics Module 1 WebEOC Overview Module 2 Getting Started Module 3

WebEOC Training 1 Topics Module 1 WebEOC Overview Module 2 Getting Started Module 3

WebEOC Training 1 Topics Module 1 WebEOC Overview Module 2 Getting Started Module 3 Status Boards Position Log Request for Assistance Mission/Task Significant Events Module 4 Forms Module 5 Links Module 6

847 views • 72 slides
Canadian Bioinformatics Workshops www.bioinformatics.ca Module #: Title of Module 2 Module bio

Canadian Bioinformatics Workshops www.bioinformatics.ca Module #: Title of Module 2 Module bio

Canadian Bioinformatics Workshops www.bioinformatics.ca Module #: Title of Module 2 Module bio informatics .ca Module 7 Data Visualization Anamaria Crisan Learning Objectives of Module Understand the process of encoding and decoding

1.31k views • 79 slides
Introducing Health@Home High-Performance Housing Rehabilitation Guidelines June 18, 2020 1

Introducing Health@Home High-Performance Housing Rehabilitation Guidelines June 18, 2020 1

Introducing Health@Home High-Performance Housing Rehabilitation Guidelines June 18, 2020 1 Connection Issues and Chats Should you have any technical issues or concerns: 1. Use the Chat Box on the bottom right (or) make sure the

525 views • 49 slides
2015 IECC Air Sealing Multifamily For Code Compliance 2 Funding for Energy Code Training 1

2015 IECC Air Sealing Multifamily For Code Compliance 2 Funding for Energy Code Training 1

11/7/2018 2015 IECC Air Sealing Multifamily For Code Compliance 2 Funding for Energy Code Training 1 11/7/2018 Sponsor Also Recognize Resources Provided by Department of Energy: DOE Building America Program https://www.energycodes.gov/

333 views • 22 slides
University of Southampton Fluid-Structure Interactions Group OpenFOAM Research Tom Lloyd

University of Southampton Fluid-Structure Interactions Group OpenFOAM Research Tom Lloyd

2 nd Gothenburg OpenFOAM user-group meeting Chalmers University, 14 th November 2012 University of Southampton Fluid-Structure Interactions Group OpenFOAM Research Tom Lloyd T.P.Lloyd@soton.ac.uk Marion James M.James@soton.ac.uk

610 views • 24 slides
AIR-SOURCE HEAT PUMP WORKSHOP FACILITATED BY DAVE LIS Director of Market Strategies NORTHEAST

AIR-SOURCE HEAT PUMP WORKSHOP FACILITATED BY DAVE LIS Director of Market Strategies NORTHEAST

2016 NORTHEAST/MID-ATLANTIC AIR-SOURCE HEAT PUMP WORKSHOP FACILITATED BY DAVE LIS Director of Market Strategies NORTHEAST ENERGY EFFICIENCY PARTNERSHIPS July 21-22, 2016 Thank you to our Workshop Sponsors! 1 WORKSHOP DAY 2- ASHP

243 views • 22 slides
Adaptive Design of a Unidirectional Adaptive Design of a Unidirectional Source in a Duct Source

Adaptive Design of a Unidirectional Adaptive Design of a Unidirectional Source in a Duct Source

ISMA23 - International Conference on Noise and Vibration Engineering HELSINKI UNIVERSITY OF TECHNOLOGY Sept. 16-18, 1998, Leuven, Belgium Adaptive Design of a Unidirectional Adaptive Design of a Unidirectional Source in a Duct Source in a

566 views • 21 slides
Focus on the Solid Tumor Rules: Breast and Urinary Presented by Denise Harrison, BS, CTR 1

Focus on the Solid Tumor Rules: Breast and Urinary Presented by Denise Harrison, BS, CTR 1

4/1/2019 Focus on the Solid Tumor Rules: Breast and Urinary Presented by Denise Harrison, BS, CTR 1 Solid Tumor Rule Revisions This presentation outlines updates issued in January 2019, as well as updates which will be released soon. 2 2

455 views • 22 slides
Kentucky Energy Code Compliance Study Program Update Project Team George Mann (Project

Kentucky Energy Code Compliance Study Program Update Project Team George Mann (Project

Kentucky Energy Code Compliance Study Program Update Project Team George Mann (Project Manager) Larry Mahaffey (Circuit Rider) Isaac Elnecave/Chris Burgess/Kelsey Horton (MEEA) Roger Banks/Ric McNees (DHBC) Lee Colten /Michael

1.05k views • 85 slides
CityFibre The UKs builder of advanced-intelligence, full fibre communications networks Mark

CityFibre The UKs builder of advanced-intelligence, full fibre communications networks Mark

CityFibre The UKs builder of advanced-intelligence, full fibre communications networks Mark Collins Director, Strategy &amp; Public Affairs FCS: 4 th October 2018 Our mission Build a new generation of future-proof digital

406 views • 21 slides

More recommend