Exploiting Kernel Races Through Taming Thread Interleaving - PowerPoint PPT Presentation

  1. Exploiting Kernel Races Through Taming Thread Interleaving
     Yoochan Lee, Byoungyoung Lee, Chanwoo Min
     Seoul National University, Virginia Tech
     #BHUSA @BLACKHATEVENTS

  2. Summary
     • New technique turning unexploitable races into exploitable races
     • Background on races
     • Classification of races
     • Unexploitable races

  3. Race condition is an increasing attack vector
     [Chart: number of fixed bugs that Syzkaller found in 2017, 2018 and 2019, broken down by bug type (UAF, OOB, Race, Uninit)]
     • Razzer (IEEE S&P 2019) found more than 30 race bugs.
     • KCSAN (developed by Google, 2019) found more than 300 race bugs.

  4. Background: Race condition
     A pair of race instructions, A on Core 1 and B on Core 2, are instructions that access the same memory location.
     Access order B >> A gives result X; access order A >> B gives result Y. The result can be a value stored in memory or a value read by a read instruction.
     • Accessing the same memory location from two processors → execution results differ depending on the access order.

  5. Background: Race Condition Vulnerability
     Race Condition Vulnerability = Race Condition + Memory Corruption
     Race instruction pair A → Overflow
     Race instruction pair B → Use-After-Free
     ...

  6. Background: how to trigger a Race Condition Vulnerability
     If A >> B >> C, then memory corruption occurs.
     Brute forcing: try until success.

  7. Background: Exploitability of Race Condition Vulnerability
     Exploitable races? = A very specific memory access order (e.g., "if A >> B >> C, then ...") + Availability of memory corruption

  8. Classification of Race Condition Vulnerability
     Single-variable race condition: race instruction pair 1 for M1, race instruction pair 2 for M1, ... (every pair accesses the same variable M1)
     Multi-variable race condition: race instruction pair 1 for M1, race instruction pair 2 for M2, ... (the pairs access different variables)

  9. Single-variable Race Condition
     Case study: CVE-2017-17712

     Core 1: do_ip_setsockopt()
     {
         ...
         inet->hdrincl = 0;                  // B
         ...
     }

     Core 2: raw_sendmsg()
     {
         ...
         if (!inet->hdrincl) {               // A: inet->hdrincl is still 1, so rfv is not initialized
             // initialize rfv variable
             rfv.msg = msg;
         }
         ...                                 // time window
         if (!inet->hdrincl) {               // C: inet->hdrincl is now 0
             memcpy(to, rfv->hdr.c, ...);    // reads the uninitialized rfv
         }
         ...
     }

     The slide marks the control-flow dependency (both if checks depend on the single variable inet->hdrincl, raced by pair A/B and pair B/C) and the data-flow dependency (rfv is initialized at A and consumed at C).
     If A >> B >> C, then uninitialized buffer use occurs.

  10. Exploitability of Single-variable Race
     Core 1 executes A, then C after a time window; Core 2 executes B. If B lands outside the window (before A or after C), the order is violated.
     • Brute-forcing would somehow trigger the race → if B can be executed within the time window.
     • The smaller the time window is, the lower the probability of successful races.

  11. Multi-variable Race Condition
     Core 1 executes A and then D (time window Tx); Core 2 executes B and then C (time window Ty).
     Pair of race instructions A, B: instructions that access M1.
     Pair of race instructions C, D: instructions that access M2.
     If A >> B && C >> D, then memory corruption occurs (the slide marks a control-flow dependency and a data-flow dependency between the two pairs).

  12. Multi-variable Race Condition
     Two cases, depending on the two time windows (Tx for the A..D pair on Core 1, Ty for the B..C pair on Core 2):
     • Tx > Ty: Inclusive multi-variable race (the B..C window can fit inside the A..D window)
     • Tx ≤ Ty: Non-inclusive multi-variable race

  13. Exploitability of Inclusive Multi-variable Race
     Race pair A, B and race pair C, D with Ty < Tx.
     • Brute-force somehow works.
     • The more similar the two time windows are, the lower the probability that a race will occur.

  14. Problem: Exploitability of Non-inclusive Race
     Case study: Patch #987393 (binder)

     binder_alloc_mmap_handler()            // Tx = 18 cycles between A and D
     {
         // initialize vma
         alloc->vma = vma;                   // A
         alloc->vma_vm_mm = vma->vm_mm;      // D
     }

     binder_alloc_new_buf_locked()          // Ty = 2,250 cycles between B and C
     {
         if (alloc->vma == NULL)             // B
             return ERR;
         ...
         mmget_not_zero(alloc->vma_vm_mm);   // C
     }

     If A >> B && C >> D, then uninitialized buffer use occurs in C.
     Even if A >> B succeeds, C >> D will fail, because the B..C window (2,250 cycles) cannot fit inside the A..D window (18 cycles).
     • Brute-force never works.
     • Impossible to execute with the order A >> B && C >> D.

  15. Problem: Exploitability of Non-inclusive Race
     Non-inclusive race vulnerabilities found in the Linux kernel (Tx and Ty in cycles):

     Vulnerability       Tx       Ty
     CVE-2017-15265      35      450
     CVE-2019-1999      150    1,800
     CVE-2019-2025       50      600
     CVE-2019-6974       18    1,210
     #1035566         1,153   13,121
     #987393             18    2,250
     #759959            120      730
     ...

     Even if A >> B succeeds, C >> D will fail.
     • Brute-force never works.
     • Impossible to execute with the order A >> B && C >> D.

  16-17. Previous method: Using Different Core Latency
     Execution order: A >> B & C >> D
     race_function1() (A, D) runs on Core 1 at 1.6 GHz; race_function2() (B, C) runs on Core 2 at 2.5 GHz.
     • e.g., Qualcomm Snapdragon 845: 4x 2.5 GHz, 4x 1.6 GHz

  18. Limitations of Using Different Core Latency
     • Must use a CPU whose cores have different latencies (CPU dependency).
     • Not applicable to vulnerabilities with large time window differences.

  19-22. Previous Approach: Using the scheduler (CONFIG_PREEMPT)
     Jann Horn, Linux Security Summit EU 2019, "Exploiting Race Conditions Using the Scheduler"
     Goal: execution order A >> B & C >> D, with race_function1() (A, D) on Core 1 and race_function2() (B, C) on Core 2, using a helper task R on Core 0 and the per-core wait queues.
     1. race_function1() on Core 1 executes A.
     2. Task R on Core 0 calls sched_setaffinity(Core 1, self): Core 1 is told "you need to reschedule", and race_function1() is preempted (moved to the wait queue) before it reaches D.
     3. Meanwhile race_function2() on Core 2 executes B and then C (execution order so far: A >> B & C).
     4. race_function1() resumes on Core 1 and executes D, giving A >> B & C >> D.

  23. Limitation of Using the scheduler
     • Can be used only when the CONFIG_PREEMPT option is applied.
     • Linux uses the CONFIG_PREEMPT_VOLUNTARY option by default.
     Configuration dependency

  24. Each of the methods has obvious limitations
     • Different core latency: CPU dependency
     • Scheduler: configuration dependency
     • All previous methods are hard to use in general.
     • We need a new method that extends the time window.

  25. How to extend the time window?
     The window is the time between A and D on Core 1.
     1. Stop the core
     2. Degrade the performance

  26. ExpRace
     Performance: slow ... fast. Between A and D on Core 1 the attacker fires "bullets" (interrupts), so that one interrupt handler after another runs on Core 1:
     • Inter-processor interrupt
     • Hardware interrupt
     • The key idea of ExpRace is to keep raising interrupts to indirectly alter the kernel thread's interleaving.

  27. ExpRace: How to send IPI & IRQ with user privilege
     Sending an IPI: the attacker (user mode, user privilege) calls user_function() { syscall(); }; in kernel mode, syscall() { send_IPI(); } sends the IPI to Core 1.
     Sending an IRQ: the attacker calls user_function() { syscall(); }; in kernel mode, syscall() { send_REQ(); } sends a request to a hardware device, and the device raises an IRQ to Core 1.

  28. ExpRace: TLB Shootdown
     Core 1's TLB caches 0xABC0, 0xABD0, 0xABE0. Core 2 calls munmap(0xABD0) and sends an IPI to Core 1, whose IPI_handler() flushes the cached 0xABD0 entry.
     • Modern OSs implement a TLB shootdown mechanism to ensure that TLB entries are synchronized across different cores.
     • Syscalls that either modify the permission of a page (e.g., mprotect()) or unmap a page (e.g., munmap()) use IPIs for TLB shootdown.

  29. ExpRace: IPI Environment setting
     Three processes run on three cores: Process C on Core 0, Process A on Core 1 (which executes race instructions A and D, window Tx) and Process B on Core 2 (which executes B and C, window Ty). A TLB-shootdown IPI is delivered only to cores running the sender's mm (address space).
     • If all 3 processes have the same mm (α): IPI_send reaches core 1 and core 2, an interrupt handler of length α runs on both, and both windows grow: Tx + α and Ty + α.
     • If processes A and C have the same mm (α) and B has a different mm (β): IPI_send reaches core 1 only, so Tx grows to Tx + α while Ty is unchanged.
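A timing model of the ordering argument from slides 11-15 and of the window extension from slide 29, added here as an illustration; it is not code from the deck or from the ExpRace authors. It assumes (my assumption) that the offset between the two cores' windows is uniformly random on each brute-force attempt; the Tx/Ty values are the ones listed on slide 15.

```python
# Added example, not from the ExpRace slides: a timing model of the ordering
# A >> B && C >> D (slides 11-15) and of the window extension Tx + alpha
# (slide 29). Assumption (mine): the offset between the two cores' windows is
# uniformly random on every brute-force attempt.
import random
# Tx / Ty in cycles, copied from slide 15 of the deck.
PAGE_CASES = {
    "CVE-2017-15265": (35, 450),
    "CVE-2019-1999": (150, 1800),
    "CVE-2019-2025": (50, 600),
    "CVE-2019-6974": (18, 1210),
    "#1035566": (1153, 13121),
    "#987393": (18, 2250),
    "#759959": (120, 730),
}

def classify(tx, ty):
    """Slide 12: inclusive when Tx > Ty, non-inclusive when Tx <= Ty."""
    return "inclusive" if tx > ty else "non-inclusive"

def order_satisfied(tx, ty, offset):
    """Core 1 runs A at t=0 and D at t=tx; core 2 runs B at t=offset and C at
    t=offset+ty. A >> B && C >> D holds only if B and C both fall inside (A, D)."""
    b, c = offset, offset + ty
    return 0 < b and c < tx

def success_probability(tx, ty):
    """Closed form for a uniform offset in [-ty, tx], the only offsets where the
    two windows overlap at all: P = max(0, Tx - Ty) / (Tx + Ty)."""
    return max(0, tx - ty) / (tx + ty)

def simulate(tx, ty, trials=20000, seed=1):
    """Monte Carlo check of success_probability() under the same offset model."""
    rng = random.Random(seed)
    hits = sum(order_satisfied(tx, ty, rng.uniform(-ty, tx)) for _ in range(trials))
    return hits / trials

def extended_window(tx, alpha):
    """Slide 29: an interrupt handler of length alpha between A and D stretches
    the window to Tx + alpha while Ty (other core, different mm) is unchanged."""
    return tx + alpha

if __name__ == "__main__":
    for name, (tx, ty) in PAGE_CASES.items():
        print(f"{name:15} {classify(tx, ty):14} P={success_probability(tx, ty):.3f}")
    # #987393 (18 vs 2,250 cycles) is hopeless by brute force; once the 18-cycle
    # window is stretched past 2,250 cycles the required ordering becomes reachable.
    tx2 = extended_window(18, 5000)
    print("extended", classify(tx2, 2250), f"P={success_probability(tx2, 2250):.3f}")
```

Every case from slide 15 comes out non-inclusive with probability 0, which is the slide's "brute-force never works"; the same case with a stretched Tx becomes inclusive with a non-zero per-attempt probability.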
