drk drk brea eaking ker ernel el addres ess space e la
play

DrK DrK: Brea eaking Ker ernel el Addres ess Space e La - PowerPoint PPT Presentation

Feb 02, 2023 •164 likes •875 views

DrK DrK: Brea eaking Ker ernel el Addres ess Space e La Layout ut Ra Rando ndomi mization n wi with h In Intel el TSX Yeongjin Jang, Sangho Lee, and Taesoo Kim Georgia Institute of Technology, August 3, 2016 1 KA KASLR: A A P

  1. DrK DrK: Brea eaking Ker ernel el Addres ess Space e La Layout ut Ra Rando ndomi mization n wi with h In Intel el TSX Yeongjin Jang, Sangho Lee, and Taesoo Kim Georgia Institute of Technology, August 3, 2016 1

  2. KA KASLR: A A P Practical B Barrier f for or E Exploi oits 2

  3. Ex Exampl ple: Linux nux • To escalate privilege to root through a kernel exploit, attackers want to call commit_creds(prepare_kernel_creds(0)). 3

  4. Ex Exampl ple: Linux nux • Kernel symbols are hidden to non-root users. • KASLR changes kernel symbol addresses every boot. 1 st Boot 2 nd Boot 4

  5. Ex Exampl ple: tp tpwn - OS OS X 10.1 .10.5 .5 Ke Kernel Privilege Escalation Vulnerability • [CVE-2015-5864] IOAudioFamailiy allows a local user to obtain sensitive kernel memory-layout information via unspecified vectors. Bypassing KASLR is required… 5

  6. Ke Kernel Address Space Layout Ra Randomi mization (K (KASL ASLR) R) • A statistical mitigation for memory corruption exploits • Randomize address layout per each boot • Efficient (<5% overhead) • Attacker should guess where code/data are located for exploit. • In Windows, a successful guess rate is 1/8192. 6

  7. KA KASLR M Makes A Attacks H Harder • KASLR introduces an additional bar to exploits • Finding an information leak vulnerability Pr[ ∃ Memory Corruption Vuln ] Pr[ ∃ information_leak ] × Pr[ ∃ Memory Corruption Vuln] • Both attackers and defenders aim to detect info leak vulnerabilities. 7

  8. Po Popular OSes Adopted KASLR 8

  9. Is Is ther there e an any other ther way than than in info leak leak? • Practical Timing Side Channel Attacks Against Kernel Space ASLR (Hund et al., Oakland 2013) • A hardware-level side channel attack against KASLR • No information leak vulnerability in OS is required 9

  10. TL TLB Ti Timing Side Channel • If accessed a kernel address from the user space Unmapped address Mapped address • Regardless of its mapping status, it generates page fault. 10

  11. TL TLB Ti Timing Side Channel • If an unmapped kernel address is accessed Invalid address -> Page Fault 1. Try to get page table entry through page table walk 2. There is no page table entry found, generate page fault! 11

  12. TL TLB Ti Timing Side Channel • If a mapped kernel address is accessed Access Violation -> Page Fault 1. Try to get page table entry through page table walk 2. Cache the entry to TLB 3. Check page privilege level (3<0), generate page fault! 12

  13. TL TLB Ti Timing Side Channel Virtual Address Miss TLB Unmapped address takes ~40 cycles Hit more for page table walk Mapped address returns quicker! 13

  14. TL TLB Ti Timing Side Channel • Measuring the time in an exception handler 1. Generates Page Fault 2. CPU generates Page Fault 3. OS handles Page Fault 4. OS calls exception handler 14

  15. TL TLB Ti Timing Side Channel • Result: Fault with TLB hit took less than 4050 cycles • While TLB miss took more than that… • Limitation: Too noisy • Why???? Unmapped Mapped 15

  16. TL TLB Ti Timing Side Channel Measured Time (~4000 cycles) T User CPU L OS Exception Handling OS Noise B If we can eliminate the noise at OS, then the Timing Side Channel (~40 cycles) User Execution timing channel will be more stable. T CPU L CPU Exception B TLB Side Channel OS Noise (~100 cycles) OS Execution OS Noise Fault Handling Noise OS Handling Noise is too much ! 16

  17. A A More Practical TL TLB Side Channel Attack on KASLR • DrK Attack: We present a very practical side channel attack on KASLR • De-randomizing Kernel ASLR (this is where DrK comes from) • Exploit Intel TSX for eliminate the noise from OS DrK Hund et. al. Channel Noise Negligible A lot of noise from OS 5 sec for 100% accuracy Speed 65 seconds for 94.92% 0.1 sec for Linux Covertness OS do not know Page fault handler is called at OS Precision U / NX / X U / M Tested OSes Linux/Windows/OS X ( 64bit ) Windows 7 32bit 17

  18. St Start rting From m a Po PoC Ex Exampl ple in n the he Wi Wild Less noisy Rafal Wojtczuk, https://labs.bromium.com/2014/10/27/tsx-improves-timing-attacks-against-kaslr/ 18

  19. TSX Gives Better Precision on Ti Timing Attack • Access to mapped address in TSX: 172 clk • Access to unmapped address in TSX : 200 clk 28 cycles 2 cycles • 28 clk in timing difference, with stddev 0~2 • Access to mapped address in __try: 2172 clk • Access to unmapped address in _try: 2192 clk • 20 clk in timing difference, with stddev 35~57 20 cycles 35 cycles 19

  20. Tr Transactional Synchronization Extension (I (Intel TSX) • Traditional Lock 1. Block until acquires the lock 2. Atomic region (Guaranteed!) 3. Release the lock (finishes atomic region) 20

  21. Tr Transactional Synchronization Extension (I (Intel TSX) • TSX: relaxed but faster way of handling synchronization 1. Do not block, do not use lock 2. Try atomic operation (can fail) 3. If failed, handle failure with abort handler (retry, get back to traditional lock, etc.) 21

  22. Tr Transaction Aborts If Exist any of a Conflict • Condition of Conflict • Thread races • Cache eviction (L1 write/L3 read) • Interrupt • Context Switch (timer) • Syscalls • Exceptions • Page Fault • General Protection • Debugging • … Run If Transaction Aborts 22

  23. Abo Abort Handl ndler Suppr uppresse sses s Ex Exceptions ns • Abort Handler of TSX • Suppress all sync. exceptions • E.g., page fault • Do not notify OS • Just jump into abort_handler() No Exception delivery to the OS! (returns quicker, so less noisy than __try __except) Run If Transaction Aborts 23

  24. Expl Exploiting ng TSX as s an n Ex Exception n Handl ndler • How to use TSX as an exception handler? 1. Timestamp at the beginning 2. Access kernel memory within the TSX region (always aborts) Processor directly calls the handler OS handling path is not involved 3. Measure timing at abort handler 24

  25. Reducing Noise with Intel TSX Re Measured Time (~ 4000 cycles) T OS Noise OS Exception Handling User CPU L B Measured Time (~ 180 cycles) User Execution Timing Side Channel (~ 40 cycles) CPU Exception T TLB Side Channel Not involving OS, User CPU L OS Execution Less noisy! B OS Handling Noise 25

  26. Measuring Ti Timing Side Channel • Access Mapped / Unmapped kernel addresses • Attempt READ access within the TSX region • mov [rax], 1 26

  27. Measuring Ti Timing Side Channel • Access Executable / Non-executable address • Attempt JUMP access within the TSX region • jmp rax 27

  28. Demo 1: Ti Timing Difference on M/U and X/NX • Video Link • https://www.youtube.com/watch?v=NdndV_cMJ8k 28

  29. Measuring Ti Timing Side Channel • Mapped / Unmapped kernel addresses • Ran 1000 iterations for the probing, minimum clock on 10 runs Processor Mapped Page Unmapped Page i7-6700K (4.0Ghz) 209 240 (+31) i5-6300HQ (2.3Ghz) 164 188 (+24) i7-5600U (2.6Ghz) 149 173 (+24) E3-1271v3 (3.6Ghz) 177 195 (+18) 29

  30. Measuring Ti Timing Side Channel • Executable / Non-executable kernel addresses • Ran 1000 iterations for the probing, minimum clock on 10 runs Processor Executable Page Non-exec Page i7-6700K (4.0Ghz) 181 226 (+45) i5-6300HQ (2.3Ghz) 142 178 (+36) i7-5600U (2.6Ghz) 134 164 (+30) E3-1271v3 (3.6Ghz) 159 189 (+30) 30

  31. Clear Ti Timing Channel Non-Executable or Unmapped Unmapped Mapped Executable Clear separation between different mapping status! 31

  32. TS TSX vs vs SEH Unmapped Unmapped Mapped Mapped Clear separation between different mapping status! 32

  33. At Attack on Various OSes • Attack Targets • DrK is hardware side-channel attack • The mechanism is independent to OS • We target popular OSes: Linux, Windows, and OS X • Attack Types • Type 1: Revealing mapping status of each page • Type 2: Finer-grained module detection 33

  34. At Attack on Various OSes • Type 1: Revealing mapping status of each page • Find the start location of Kernel / Module (ASLR slide) • Mostly they are located contiguously in a chunk Kernel Modules Find ASLR slide for module Scan through the whole kernel space Scan through the whole module space Find ASLR slide for kernel 34

  35. At Attack on Various OSes • Type 1: Revealing mapping status of each page • Try to reveal the mapping status per each page in the area • X (executable) / NX (Non-executable) / U (unmapped) Compute the accuracy by comparing this with ground-truth page table entry data 35

  36. At Attack on Various OSes • Type 2: Finer-grained module detection • Section-size Signature • Modules are allocated in fixed size of X/NX sections if the attacker knows the binary file • Example • If the size of executable map is 0x4000, and the size of non- executable section is 0x4000, then it is libahci! 36

  37. At Attack on Linux • Processor • Intel Core i5-6300HQ (Skylake) • OS Settings • Kernel 4.4.0, running with Ubuntu 16.04 LTS • Available Slots • Kernel: 64 slots • 0xffffffff80000000 – 0xffffffffc0000000 (2MB page) • Module: 1,024 slots • 0xffffffffc0000000 – 0xffffffffc0400000 (4KB page) 37

  38. De Demo 2 2: F Full A ll Attack ack o on L Lin inux • Video Link • https://www.youtube.com/watch?v=WXGCylmAZkA 38

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Impact on E-Commerce 35 Br eaking 56 Ba d Performance 1

Impact on E-Commerce 35 Br eaking 56 Ba d Performance 1

Felix Gessert Mobile Site Speed and the Impact on E-Commerce 35 Br eaking 56 Ba d Performance 1 0 o o o o o o

1.09k views • 55 slides
Fr From om a a So Soft ftware e Tes Tester er To a o a L Lea eader der How To Take A

Fr From om a a So Soft ftware e Tes Tester er To a o a L Lea eader der How To Take A

Fr From om a a So Soft ftware e Tes Tester er To a o a L Lea eader der How To Take A Radica cal Leap Fo Forward @W @Work Pe Peter Kh Khoury: Magnetic Sp Spea eaking www www.Magnetic icSp Spea eaking ng Take home message

458 views • 25 slides
W INDOWS :: B YPASSING KERNEL /GS There are two ways published in the literature to bypass the

W INDOWS :: B YPASSING KERNEL /GS There are two ways published in the literature to bypass the

P ROTECTING THE C ORE K ERNEL E XPLOITATION M ITIGATIONS Patroklos Argyroudis, Dimitris Glynos { argp, dimitris } at census-labs.com Census, Inc. Black Hat EU 2011 P ROTECTING THE C ORE : K ERNEL E XPLOITATION M ITIGATIONS :: B LACK H AT EU 2011

970 views • 69 slides
Draw me a L ocal K ernel D ebugger Demo Conclusion Samuel Chevet &amp; Clment Rouault 20

Draw me a L ocal K ernel D ebugger Demo Conclusion Samuel Chevet &amp; Clment Rouault 20

Draw me a L ocal K ernel D ebugger Introduction DBGEngine Python Level UP Draw me a L ocal K ernel D ebugger Demo Conclusion Samuel Chevet &amp; Clment Rouault 20 November 2015 Samuel Chevet &amp; Clment Rouault Where does this talk

515 views • 48 slides
Break eaking ng through ugh to the e other her side Secrets of Science Story Telling or How

Break eaking ng through ugh to the e other her side Secrets of Science Story Telling or How

EMRS Spring 2015 Conference Lille, France Workshop on Science Communication Seminar handouts Break eaking ng through ugh to the e other her side Secrets of Science Story Telling or How Not to Get by A. E. Kafantaris Science

526 views • 6 slides
eaking Br 56 nd Ba A Breakdown of High- performance Communication Rohit Zambre,* Megan

eaking Br 56 nd Ba A Breakdown of High- performance Communication Rohit Zambre,* Megan

1 35 eaking Br 56 nd Ba A Breakdown of High- performance Communication Rohit Zambre,* Megan Grodowitz, Aparna Chandramowlishwaran,* Pavel Shamis *University of California, Irvine Arm Research 2

916 views • 50 slides
Addr Addres essing t g the Ga he Gap: p: Identi tifying Varyin ing Le Levels of s of Pro

Addr Addres essing t g the Ga he Gap: p: Identi tifying Varyin ing Le Levels of s of Pro

Addr Addres essing t g the Ga he Gap: p: Identi tifying Varyin ing Le Levels of s of Pro ro-En Envi viron onmental al B Beha ehavi viour in t the e Cana nadian P Popu opulation MATTHEW HEW P PERKS, M MA SOCIOL OLOG

224 views • 19 slides
Taking the Scared Ou Out of t of School hool Strategies ies to Addres ess Anxiety

Taking the Scared Ou Out of t of School hool Strategies ies to Addres ess Anxiety

Taking the Scared Ou Out of t of School hool Strategies ies to Addres ess Anxiety ety- based d Absent nteeism eeism Teresa Miller, LLPC Forest Hills Public Schools, Grand Rapids Community College Donna Secor Pennington, LMSW

575 views • 43 slides
P RINCIPLED K ERNEL P REDICTION FOR S PATIALLY V ARYING BSSRDF S Oskar Elek and Jaroslav K

P RINCIPLED K ERNEL P REDICTION FOR S PATIALLY V ARYING BSSRDF S Oskar Elek and Jaroslav K

P RINCIPLED K ERNEL P REDICTION FOR S PATIALLY V ARYING BSSRDF S Oskar Elek and Jaroslav K ivnek This project has received funding from the European Unions Horizon 2020 research and innovation programme under the Charles University, Prague

315 views • 30 slides
P orting a G AMESS C omputational C hemistry K ernel to F PGAs Uma Klaassen University of Texas

P orting a G AMESS C omputational C hemistry K ernel to F PGAs Uma Klaassen University of Texas

P orting a G AMESS C omputational C hemistry K ernel to F PGAs Uma Klaassen University of Texas at El Paso Shirley Moore Oak Ridge National Lab Mark S. Gordon , Kristopher Keipert Iowa State University Jeffrey Vetter , Seyong Lee Oak

419 views • 7 slides
I.I.S CARLO LEVI The e school ol is is an institute with h va varius studys addres ess. .

I.I.S CARLO LEVI The e school ol is is an institute with h va varius studys addres ess. .

I.I.S CARLO LEVI The e school ol is is an institute with h va varius studys addres ess. . It It is is located ed in Portici, a city near Naples es. The e school ol have ve three ee scientific labora ratori ories es, , one is

893 views • 4 slides
Wha hat has has chan changed (ag (again in) in n HER HER2 te testi ting of of br brea

Wha hat has has chan changed (ag (again in) in n HER HER2 te testi ting of of br brea

Wha hat has has chan changed (ag (again in) in n HER HER2 te testi ting of of br brea east t can ancers H. Evin Gulbahce, MD Department of Pathology University of Utah Disclosures None ISSUES Changing guidelines /

587 views • 29 slides
U NDERSTANDING E MBEDDED L INUX B ENCHMARKING U SING K ERNEL T RACE A NALYSIS A LEXIS M ARTIN

U NDERSTANDING E MBEDDED L INUX B ENCHMARKING U SING K ERNEL T RACE A NALYSIS A LEXIS M ARTIN

U NDERSTANDING E MBEDDED L INUX B ENCHMARKING U SING K ERNEL T RACE A NALYSIS A LEXIS M ARTIN I NRIA / LIG / U NIV . G RENOBLE , F RANCE alexis.martin@inria.fr We do Need Benchmarking ! Benchmark : a standard or point of reference

764 views • 43 slides
Building Premium Online Games For the New Games Era David Reid Senior Vice President, Publishing

Building Premium Online Games For the New Games Era David Reid Senior Vice President, Publishing

Building Premium Online Games For the New Games Era David Reid Senior Vice President, Publishing Trion Worlds RIFT Polish, Depth and Innovation = RIFT 1997 1999 2004 2011 Brea reakth through Brea reakth through Brea reakth through

577 views • 36 slides
Me Measu sured Approa oaches s to IP IPv6 Ad Addres ess An Anonym ymiz izatio ion an

Me Measu sured Approa oaches s to IP IPv6 Ad Addres ess An Anonym ymiz izatio ion an

Me Measu sured Approa oaches s to IP IPv6 Ad Addres ess An Anonym ymiz izatio ion an and Id Iden entit ity As y Associa ciatio ion CARIS2 Workshop Cambridge, MA, 1 Mar 2019 David Plonka

1.01k views • 60 slides
Using S Using Systems ystems Thinking hinking to to Addr Addres ess S s Structur tructural

Using S Using Systems ystems Thinking hinking to to Addr Addres ess S s Structur tructural

Using S Using Systems ystems Thinking hinking to to Addr Addres ess S s Structur tructural R al Racism acism 2014 Introducing IISC Mission Values IISC works for social The love that

576 views • 28 slides
Hu An Electric (Singapore) Pte Ltd Corporation Presentation Transmission of reliability &amp;

Hu An Electric (Singapore) Pte Ltd Corporation Presentation Transmission of reliability &amp;

Welcome To Hu An Electric (Singapore) Pte Ltd Corporation Presentation Transmission of reliability &amp; Brightness Listed on Singapore Stock Exchange KI3.SI Top 10 largest cable manufacturers in China Listed on Taiwan Stock Exchange

1.14k views • 28 slides
1Q FY2019 Financial Results Presentation 29 July 2019 Disclaimers This material shall be read in

1Q FY2019 Financial Results Presentation 29 July 2019 Disclaimers This material shall be read in

1Q FY2019 Financial Results Presentation 29 July 2019 Disclaimers This material shall be read in conjunction with Ascendas Reits financial statements for the financial year ended 30 June 2019. This presentation may contain forward-looking

642 views • 45 slides
CapitaLand Group Creating Asia's Largest Diversified Real Estate Group January 14, 2019

CapitaLand Group Creating Asia's Largest Diversified Real Estate Group January 14, 2019

CapitaLand Group Creating Asia's Largest Diversified Real Estate Group January 14, 2019 Disclaimer This presentation may contain forward-looking statements that involve risks and uncertainties. Actual future performance, outcomes and results

740 views • 50 slides
Deep Drilling 1 Pte Ltd Corporate Presentation 23 October 2015 Disclaimer This presentation

Deep Drilling 1 Pte Ltd Corporate Presentation 23 October 2015 Disclaimer This presentation

May 2014 Deep Drilling 1 Pte Ltd Corporate Presentation 23 October 2015 Disclaimer This presentation (the Presentation) has been produced and delivered by Deep Drilling 1 Pte. Ltd. (the Issuer or Deep Drilling 1) and its

518 views • 12 slides
An Overview of Revenue Estimating and Data Availability Andrew Schaufele Director, Bureau of

An Overview of Revenue Estimating and Data Availability Andrew Schaufele Director, Bureau of

An Overview of Revenue Estimating and Data Availability Andrew Schaufele Director, Bureau of Revenue Estimates Comptroller of Maryland Revenue Estimates 2 Board of Revenue Estimates Comptroller Peter Franchot Treasurer Nancy Kopp

463 views • 34 slides
Canadian Foresight Group PTE. LTD. June 2015 M15 1 Reader Advisories The information in this

Canadian Foresight Group PTE. LTD. June 2015 M15 1 Reader Advisories The information in this

Canadian Foresight Group PTE. LTD. June 2015 M15 1 Reader Advisories The information in this presentation contains certain forward-looking statements. All statements other than statements of historical fact may be forward- looking statements.

233 views • 21 slides
SolarWorld Introduction SolarWorld Asia Pacific Pte Ltd Bangkok Innovative Solution Co., Ltd

SolarWorld Introduction SolarWorld Asia Pacific Pte Ltd Bangkok Innovative Solution Co., Ltd

SolarWorld Introduction SolarWorld Asia Pacific Pte Ltd Bangkok Innovative Solution Co., Ltd SolarWorld Company Overview Products Project Refereneces 2 SolarWorld Asia Pacific Pte Ltd 40 years of manufacturing expertise A direct lineage

514 views • 24 slides
First Quarter 2019 Financial Results 15 April 2019 Important Notice Not for distribution in the

First Quarter 2019 Financial Results 15 April 2019 Important Notice Not for distribution in the

First Quarter 2019 Financial Results 15 April 2019 Important Notice Not for distribution in the United States The information contained in this presentation is for information purposes only and does not constitute or form part of, and should

722 views • 22 slides

More recommend