escalating privileges in linux using fault injection
play

Escalating Privileges in Linux using Fault Injection Niek Timmers - PowerPoint PPT Presentation

Aug 13, 2022 •482 likes •969 views

Escalating Privileges in Linux using Fault Injection Niek Timmers Cristofaro Mune timmers@riscure.com c.mune@pulse-sec.com ( @ tieknimmers) ( @ pulsoid) September 25, 2017 Fault Injection A definition... Introducing faults in a target

  1. Escalating Privileges in Linux using Fault Injection Niek Timmers Cristofaro Mune timmers@riscure.com c.mune@pulse-sec.com ( @ tieknimmers) ( @ pulsoid) September 25, 2017

  2. Fault Injection – A definition... ”Introducing faults in a target to alter its intended behavior.” ... if( key_is_correct ) <-- Glitch here! { open_door(); } else { keep_door_closed(); } ... How can we introduce these faults?

  3. Fault injection techniques clock voltage e-magnetic laser We used Voltage Fault Injection for all experiments!

  4. Fault injection techniques clock voltage e-magnetic laser We used Voltage Fault Injection for all experiments!

  5. Fault injection fault model Let’s keep it simple: instruction corruption Single-bit (MIPS) addi $t1, $t1, 8 00100001001010010000000000001000 addi $t1, $t1, 0 00100001001010010000000000000000 Multi-bit (ARM) ldr w1, [sp, #0x8] 10111001010000000000101111100001 str w7, [sp, #0x20] 10111001000000000010001111100111 Remarks • Limited control over which bit(s) will be corrupted • May or may not be the true fault model • Includes other fault models (e.g. instruction skipping)

  6. Let’s inject faults!

  7. Fault injection setup Target • Fast and feature rich System-on-Chip (SoC) • ARM Cortex-A9 (32-bit) • Ubuntu 14.04 LTS (fully patched)

  8. Characterization • Determine if the target is vulnerable to fault injection • Determine if the fault injection setup is effective • Estimate required fault injection parameters for an attack • An open target is required; but not required for an attack

  9. Characterization Test Application

  10. Characterization – Alter a loop . . . set_trigger(1); for(i = 0; i < 10000; i++) { // glitch here j++; // glitch here } // glitch here set_trigger(0); . . . Remarks • Implemented in a Linux Kernel Module (LKM) • Successful glitches are not that time dependent

  11. Characterization – Possible responses Expected: ’glitch is too soft’ counter = 00010000 Mute/Reset: ’glitch is too hard’ counter = Success: ’glitch is exactly right’ counter = 00009999 counter = 00010015 counter = 00008687

  12. Characterization – Alter a loop Remarks • We took 16428 experiments in 65 hours • We randomize the Glitch VCC Glitch Length Glitch Delay • We can fix either the Glitch VCC or the Glitch Length

  13. Characterization – Bypassing a check . . . set_trigger(1); if(cmd.cmdid < 0 || cmd.cmdid > 10) { return -1; } if(cmd.length > 0x100) { // glitch here return -1; // glitch here } // glitch here set_trigger(0); . . . Remarks • Implemented in a Linux Kernel Module (LKM) • Successful glitches are time dependent

  14. Characterization – Bypassing a check Remarks • We took 16315 experiments in 19 hours • The success rate between 6 . 2 µs and 6 . 8 µs is: 0.41% • The check is bypassed every 15 minutes !

  15. Let’s attack Linux! Relevant when vulnerabilities are not known!

  16. Attacking Linux

  17. Opening /dev/mem – Description (1) Open /dev/mem using open syscall (2) Bypass check performed by Linux kernel using a glitch (3) Map arbitrary address in physical address space

  18. Opening /dev/mem – Code Algorithm 1 Open /dev/mem 1: r 1 ← 2 2: r 0 ← ” / dev / mem ” 3: r 7 ← 0 x 5 4: svc # 0 5: if r 0 == 3 then address ← mmap ( ... ) 6: printf ( ∗ address ) 7: 8: end if Remarks • Implemented using ARM assembly • Linux syscall: sys open (0x5)

  19. Opening /dev/mem – Results Remarks • We took 22118 experiments in 17 hours • The success rate between 25 . 5 µs and 26 . 8 µs is: 0.53% • The Linux kernel is compromised every 10 minutes !

  20. Privilege escalation #1

  21. Spawning a root shell – Description (1) Set all registers to 0 to increase the probability 1 (2) Perform setresuid syscall to set process IDs to root (3) Bypass check performed by Linux kernel using a glitch (4) Execute root shell using system function 1 Linux uses 0 for valid return values

  22. Spawning a root shell – Code Algorithm 2 Executing a root shell 1: r 0 ← r 1 ← r 2 ← 0 2: r 3 ← r 4 ← r 5 ← 0 3: r 6 ← r 7 ← r 8 ← 0 4: r 9 ← r 10 ← r 11 ← 0 5: r 7 ← 0 xd 0 6: svc # 0 7: if r 0 == 0 then system (” / bin / sh ”) 8: 9: end if Remarks • Implemented using ARM assembly • Linux syscall: sys setresuid (0xd0)

  23. Spawning a root shell – Results Remarks • We took 18968 experiments in 21 hours • The success rate between 3 . 14 µs and 3 . 44 µs is: 1.3% • We spawn a root shell every 5 minutes !

  24. Privilege escalation #2

  25. Reflection • Linux checks can be (easily) bypassed using fault injection • Attacks are identified and reproduced within a day • Full fault injection attack surface not explored Can we mitigate these type of attacks?

  26. Reflection • Linux checks can be (easily) bypassed using fault injection • Attacks are identified and reproduced within a day • Full fault injection attack surface not explored Can we mitigate these type of attacks?

  27. Mitigations Software fault injection countermeasures • Double checks • Random delays • Flow counters Can these be implemented easily for larger code bases? Hardware fault injection countermeasures • Redundancy • Integrity • Sensors and detectors Are these implemented for standard embedded technology?

  28. Mitigations Software fault injection countermeasures • Double checks • Random delays • Flow counters Can these be implemented easily for larger code bases? Hardware fault injection countermeasures • Redundancy • Integrity • Sensors and detectors Are these implemented for standard embedded technology?

  29. Mitigations Software fault injection countermeasures • Double checks • Random delays • Flow counters Can these be implemented easily for larger code bases? Hardware fault injection countermeasures • Redundancy • Integrity • Sensors and detectors Are these implemented for standard embedded technology?

  30. Mitigations Software fault injection countermeasures • Double checks • Random delays • Flow counters Can these be implemented easily for larger code bases? Hardware fault injection countermeasures • Redundancy • Integrity • Sensors and detectors Are these implemented for standard embedded technology?

  31. Is this all?

  32. There are more attack vectors!

  33. Controlling PC directly 2 • ARM (AArch32) has an interesting ISA characteristic • The program counter (PC) register is directly accessible Several valid ARM instructions MOV r7,r1 00000001 01110000 10100000 11100001 EOR r0,r1 00000001 00000000 00100000 11100000 LDR r0,[r1] 00000000 00000000 10010001 11100101 LDMIA r0,{r1} 00000010 00000000 10010000 11101000 Several corrupted ARM instructions setting PC directly MOV pc,r1 00000001 11110000 10100000 11100001 EOR pc,r1 00000001 11110000 00101111 11100000 LDR pc,[r1] 00000000 11110000 10010001 11100101 LDMIA r0,{r1, pc} 00000010 10000000 10010000 11101000 Variations of this attack affect other architectures! 2Controlling PC on ARM using Fault Injection – Timmers et al. (FDTC2016)

  34. Controlling PC directly 2 • ARM (AArch32) has an interesting ISA characteristic • The program counter (PC) register is directly accessible Several valid ARM instructions MOV r7,r1 00000001 01110000 10100000 11100001 EOR r0,r1 00000001 00000000 00100000 11100000 LDR r0,[r1] 00000000 00000000 10010001 11100101 LDMIA r0,{r1} 00000010 00000000 10010000 11101000 Several corrupted ARM instructions setting PC directly MOV pc,r1 00000001 11110000 10100000 11100001 EOR pc,r1 00000001 11110000 00101111 11100000 LDR pc,[r1] 00000000 11110000 10010001 11100101 LDMIA r0,{r1, pc} 00000010 10000000 10010000 11101000 Variations of this attack affect other architectures! 2Controlling PC on ARM using Fault Injection – Timmers et al. (FDTC2016)

  35. Controlling PC directly 2 • ARM (AArch32) has an interesting ISA characteristic • The program counter (PC) register is directly accessible Several valid ARM instructions MOV r7,r1 00000001 01110000 10100000 11100001 EOR r0,r1 00000001 00000000 00100000 11100000 LDR r0,[r1] 00000000 00000000 10010001 11100101 LDMIA r0,{r1} 00000010 00000000 10010000 11101000 Several corrupted ARM instructions setting PC directly MOV pc,r1 00000001 11110000 10100000 11100001 EOR pc,r1 00000001 11110000 00101111 11100000 LDR pc,[r1] 00000000 11110000 10010001 11100101 LDMIA r0,{r1, pc} 00000010 10000000 10010000 11101000 Variations of this attack affect other architectures! 2Controlling PC on ARM using Fault Injection – Timmers et al. (FDTC2016)

  36. Controlling PC directly 2 • ARM (AArch32) has an interesting ISA characteristic • The program counter (PC) register is directly accessible Several valid ARM instructions MOV r7,r1 00000001 01110000 10100000 11100001 EOR r0,r1 00000001 00000000 00100000 11100000 LDR r0,[r1] 00000000 00000000 10010001 11100101 LDMIA r0,{r1} 00000010 00000000 10010000 11101000 Several corrupted ARM instructions setting PC directly MOV pc,r1 00000001 11110000 10100000 11100001 EOR pc,r1 00000001 11110000 00101111 11100000 LDR pc,[r1] 00000000 11110000 10010001 11100101 LDMIA r0,{r1, pc} 00000010 10000000 10010000 11101000 Variations of this attack affect other architectures! 2Controlling PC on ARM using Fault Injection – Timmers et al. (FDTC2016)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

LINUX VULNERABILITIES, WINDOWS EXPLOITS Escalating Privileges with WSL Saar Amar Recon brx 2018

LINUX VULNERABILITIES, WINDOWS EXPLOITS Escalating Privileges with WSL Saar Amar Recon brx 2018

LINUX VULNERABILITIES, WINDOWS EXPLOITS Escalating Privileges with WSL Saar Amar Recon brx 2018 WHO AM I? Saar Amar Security Researcher Pasten CTF team member @AmarSaar saaramar OUTLINE World rld s quic ickest t in intr tro to

743 views • 43 slides
AVFI: Fault Injection for Autonomous Vehicles Fault Injection to Measure Resilience of AVs

AVFI: Fault Injection for Autonomous Vehicles Fault Injection to Measure Resilience of AVs

Saurabh Jha, Subho S. Banerjee , James Cyriac, Zbigniew T. Kalbarczyk and Ravishankar K. Iyer Computer Science, Electrical and Computer Engineering AVFI: Fault Injection for Autonomous Vehicles Fault Injection to Measure Resilience of AVs

215 views • 8 slides
Can strace make you fail? strace syscall fault injection Dmitry Levin FOSDEM 2017 What is

Can strace make you fail? strace syscall fault injection Dmitry Levin FOSDEM 2017 What is

Can strace make you fail? strace syscall fault injection Dmitry Levin FOSDEM 2017 What is strace? A diagnostic, debugging and instructional userspace utility for Linux. It is used to monitor interactions between processes and the Linux

541 views • 24 slides
KERNELFAULT: Pwning Linux using Hardware Fault Injection Niek Timmers Cristofaro Mune

KERNELFAULT: Pwning Linux using Hardware Fault Injection Niek Timmers Cristofaro Mune

KERNELFAULT: Pwning Linux using Hardware Fault Injection Niek Timmers Cristofaro Mune timmers@riscure.com c.mune@pulse-sec.com ( @ tieknimmers) ( @ pulsoid) September 22, 2017 Who are we? Niek Timmers (@tieknimmers) Security Analyst @

1.08k views • 70 slides
Debunking Fault Injection Myths and Misconceptions Cristofaro Mune Niek Timmers

Debunking Fault Injection Myths and Misconceptions Cristofaro Mune Niek Timmers

Debunking Fault Injection Myths and Misconceptions Cristofaro Mune Niek Timmers c.mune@pulse-sec.com niek@twentytwosecurity.com @pulsoid @tieknimmers Todays agenda Introduction Fault injection, what is it? Fault injection,

920 views • 69 slides
Using Fault Injection to weaken RSA public key verification SNE Research Project 2 Ivo van der

Using Fault Injection to weaken RSA public key verification SNE Research Project 2 Ivo van der

Using Fault Injection to weaken RSA public key verification SNE Research Project 2 Ivo van der Elzen University of Amsterdam What is Fault Injection? Simply put: Introducing faults in a target to alter its intended behavior* *(N.

553 views • 34 slides
Symbolic Fault Injection Reiner H ahnle &amp; Daniel Larsson KeY Symposium Speyer, June 2006

Symbolic Fault Injection Reiner H ahnle &amp; Daniel Larsson KeY Symposium Speyer, June 2006

Symbolic Fault Injection Reiner H ahnle &amp; Daniel Larsson KeY Symposium Speyer, June 2006 1/28 Symbolic Fault Injection An attempt to introduce Formal Methods into the area of Fault Injection Objective: Evaluate dependability of

691 views • 28 slides
Characterization of a Cortex-M4 microcontroller with backside optical fault injection Research

Characterization of a Cortex-M4 microcontroller with backside optical fault injection Research

Characterization of a Cortex-M4 microcontroller with backside optical fault injection Research Project 1 Jasper Hupkens Dominika Rusek 05.02.2019 1 Introduction to the world of fault injection Research project at Riscure Fault

678 views • 25 slides
Mostafa afa Z. Ali mzali@just.edu.jo 1-1 Root Privileges Most Linux systems include an

Mostafa afa Z. Ali mzali@just.edu.jo 1-1 Root Privileges Most Linux systems include an

Fall 2009 Lecture 4 Operating Systems: Configuration &amp; Use CIS345 Introduction to UBUNTU LINUX Mostafa afa Z. Ali mzali@just.edu.jo 1-1 Root Privileges Most Linux systems include an account for a user named root (Superuser) who has

1.32k views • 62 slides
Fault Injection Characterization on ARM Cortex-A9 George Thessalonikefs

Fault Injection Characterization on ARM Cortex-A9 George Thessalonikefs

ElectroMagnetic Fault Injection Characterization on ARM Cortex-A9 George Thessalonikefs George.Thessalonikefs@os3.nl University of Amsterdam February 5, 2014 Introduction Hardware Fault Injection Induce faults to hardware through side

517 views • 26 slides
Using Fault Injection to Turn Data Transfers into Arbitrary Execution Cristofaro Mune Niek

Using Fault Injection to Turn Data Transfers into Arbitrary Execution Cristofaro Mune Niek

Using Fault Injection to Turn Data Transfers into Arbitrary Execution Cristofaro Mune Niek Timmers c.mune@pulse-sec.com niek@twentytwosecurity.com @pulsoid @tieknimmers Todays agenda Introduction Fault Injection basics Fault

1.05k views • 56 slides
Jrn-Marc Schmidt joern-marc.schmidt@iaik.tugraz.at Fault Injection Plaintext Faulty

Jrn-Marc Schmidt joern-marc.schmidt@iaik.tugraz.at Fault Injection Plaintext Faulty

Jrn-Marc Schmidt joern-marc.schmidt@iaik.tugraz.at Fault Injection Plaintext Faulty Ciphertext But how to inject a fault? Fault: Injection Model Exploitation Non-invasive Device is not altered physical Semi-invasive

602 views • 32 slides
Fault Injection in Mixed-Signal Environment Using Behavioral Fault Modeling in Verilog-A Seyed

Fault Injection in Mixed-Signal Environment Using Behavioral Fault Modeling in Verilog-A Seyed

Sharif University of Technology Department of Computer Engineering Dependable System Lab [DSL] Fault Injection in Mixed-Signal Environment Using Behavioral Fault Modeling in Verilog-A Seyed Nematollah Ahmadian, Seyed Ghassem Miremadi

398 views • 17 slides
Embedded Processor Based Embedded Processor Based Fault Injection and SEU Fault Injection and

Embedded Processor Based Embedded Processor Based Fault Injection and SEU Fault Injection and

Embedded Processor Based Embedded Processor Based Fault Injection and SEU Fault Injection and SEU Emulation for FPGAs Emulation for FPGAs Bradley Dutton, Mustafa Ali, John Bradley Dutton, Mustafa Ali, John Sunwoo, and Charles Stroud Sunwoo,

305 views • 26 slides
A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a password manager is a good idea! SQL injection is ironic SQL injection is funny Overviewtrated Account Summary Account: Account: &quot;SELECT

445 views • 32 slides
Optimizing Fault Injection in FMI Co-Simulation through Sensitivity Partitioning Mehrdad Moradi,

Optimizing Fault Injection in FMI Co-Simulation through Sensitivity Partitioning Mehrdad Moradi,

Optimizing Fault Injection in FMI Co-Simulation through Sensitivity Partitioning Mehrdad Moradi, Cludio Gomes, Bentley James Oakes and Joachim Denil Summersim 2019 July 22, 2019 Berlin, Germany Outline Introduction Context and

404 views • 28 slides
Partnering and Pragmatic Trials in a Learning Health Care System AcademyHealth Annual Research

Partnering and Pragmatic Trials in a Learning Health Care System AcademyHealth Annual Research

Partnering and Pragmatic Trials in a Learning Health Care System AcademyHealth Annual Research Meeting By: Anna Spier June 25, 2017 J- PALs U.S. Health Care Delivery Initiative (HCDI) HCDI develops rigorous evidence of strategies to

913 views • 32 slides
How Should CMMI Evaluations Attempt to Account for Model Overlap? Workgroup members: Gregory

How Should CMMI Evaluations Attempt to Account for Model Overlap? Workgroup members: Gregory

How Should CMMI Evaluations Attempt to Account for Model Overlap? Workgroup members: Gregory Boyer, Susannah Cafardi, Philip Cotterill, Tim Day, Franklin Hendrick, Jennifer Lloyd, Patricia Markovich, Kelsey Weaver Objective Develop a strategy

501 views • 18 slides
Why do banks not lend: An experiment testing contractual frictions. 1 Ali Choudhary 1 and Anil Jain

Why do banks not lend: An experiment testing contractual frictions. 1 Ali Choudhary 1 and Anil Jain

Introduction Experiment Results Conclusion Why do banks not lend: An experiment testing contractual frictions. 1 Ali Choudhary 1 and Anil Jain 2 1 State Bank of Pakistan and CEP, LSE 2 Federal Reserve Board of Governors January 7, 2020 1 The

393 views • 16 slides
Taylor Expansion of Maximum Likelihood Attacks Institut Nicolas Bruneau 1 , 2 , Sylvain Guilley 1

Taylor Expansion of Maximum Likelihood Attacks Institut Nicolas Bruneau 1 , 2 , Sylvain Guilley 1

Taylor Expansion of Maximum Likelihood Attacks Institut Nicolas Bruneau 1 , 2 , Sylvain Guilley 1 , 3 , Mines-Telecom Annelie Heuser 1 , Olivier Rioul 1 , cois-Xavier Standaert 4 , Yannick Teglia 5 Fran 1 T el ecom-ParisTech, Crypto

1.04k views • 62 slides
Faculty Orientation 2018 Agenda Introduction Technology Services Instructional

Faculty Orientation 2018 Agenda Introduction Technology Services Instructional

The Catholic University of America Faculty Orientation 2018 Agenda Introduction Technology Services Instructional Technology Enrollment Services Technology Services Service Desk Technology Services Audio/Visual

698 views • 48 slides
Children, Families, Health and Human Services Interim Committee June 20, 2016 NetReflector

Children, Families, Health and Human Services Interim Committee June 20, 2016 NetReflector

NetReflector, Inc. Presentation for the: Children, Families, Health and Human Services Interim Committee June 20, 2016 NetReflector Confidential 1 TOPICS OF CONVERSATION NetReflector Company Overview NetReflector Software and Service

496 views • 22 slides
How we scaled push messaging for millions of Netflix devices Susheel Aroskar Cloud Gateway

How we scaled push messaging for millions of Netflix devices Susheel Aroskar Cloud Gateway

How we scaled push messaging for millions of Netflix devices Susheel Aroskar Cloud Gateway Why do we need push? How I spend my time in Netflix application... What is push? What is push? How you can build it What is push?

965 views • 83 slides
On max- k -sums Michael J. Todd January 10, 2018 School of Operations Research and Information

On max- k -sums Michael J. Todd January 10, 2018 School of Operations Research and Information

On max- k -sums Michael J. Todd January 10, 2018 School of Operations Research and Information Engineering, Cornell University http://people.orie.cornell.edu/ miketodd/todd.html 11th US-Mexico Workshop on Optimization and its Applications,

528 views • 19 slides

More recommend