kernelfault pwning linux using hardware fault injection
play

KERNELFAULT: Pwning Linux using Hardware Fault Injection Niek - PowerPoint PPT Presentation

Apr 08, 2024 •378 likes •1.08k views

KERNELFAULT: Pwning Linux using Hardware Fault Injection Niek Timmers Cristofaro Mune timmers@riscure.com c.mune@pulse-sec.com ( @ tieknimmers) ( @ pulsoid) September 22, 2017 Who are we? Niek Timmers (@tieknimmers) Security Analyst @

  1. KERNELFAULT: Pwning Linux using Hardware Fault Injection Niek Timmers Cristofaro Mune timmers@riscure.com c.mune@pulse-sec.com ( @ tieknimmers) ( @ pulsoid) September 22, 2017

  2. Who are we? Niek Timmers (@tieknimmers) • Security Analyst @ Riscure • Security testing of different products and technologies Cristofaro Mune (@pulsoid) • Product Security Consultant and Researcher • Loves the intermixing of HW and SW, IoT, TEEs, FI and anything else challenging my curiosity. We have shared interests • Embedded device security • Fault injection Not so much on the question if beer or wine is better...

  3. Who are we? Niek Timmers (@tieknimmers) • Security Analyst @ Riscure • Security testing of different products and technologies Cristofaro Mune (@pulsoid) • Product Security Consultant and Researcher • Loves the intermixing of HW and SW, IoT, TEEs, FI and anything else challenging my curiosity. We have shared interests • Embedded device security • Fault injection Not so much on the question if beer or wine is better...

  4. Fault Injection – A definition... ”Introducing faults in a target to alter its intended behavior.” ... if( key_is_correct ) <-- Glitch here! { open_door(); } else { keep_door_closed(); } ... How can we introduce these faults?

  5. Fault Injection – A definition... ”Introducing faults in a target to alter its intended behavior.” ... if( key_is_correct ) <-- Glitch here! { open_door(); } else { keep_door_closed(); } ... How can we introduce these faults?

  6. Fault injection techniques Clock Laser Voltage EM Remarks • These affect the target’s environmental conditions • All have their own characteristics • We used Voltage Fault Injection for all attacks

  7. Fault injection techniques Clock Laser Voltage EM Remarks • These affect the target’s environmental conditions • All have their own characteristics • We used Voltage Fault Injection for all attacks

  8. Fault injection fault model We like to keep it simple: instruction corruption Single-bit (MIPS) addi $t1, $t1, 8 00100001001010010000000000001000 addi $t1, $t1, 0 00100001001010010000000000000000 Multi-bit (ARM) ldr w1, [sp, #0x8] 10111001010000000000101111100001 str w7, [sp, #0x20] 10111001000000000010001111100111 Remarks • Limited control over which bit(s) will be corrupted • May or may not be the true fault model • Includes other fault models (e.g. instruction skipping)

  9. Some real world examples!

  10. Unlooper 1 – Hacking smart cards Remarks • Hacked smart cards were being disabled using infinite loop • Use a glitch to enable them again 1 https://en.wikipedia.org/wiki/Unlooper

  11. DFA – Recovering keys Similar attacks for most crypto algorithms!

  12. DFA – Recovering keys Similar attacks for most crypto algorithms!

  13. XBOX 2 – Bypassing secure boot Remarks • Use a glitch in the reset line to reset registers • Bypass hash comparison used by integrity check 2Video-game consoles architecture under microscope - R. Benadjila and M. Renard

  14. Nintendo 3 – Bypassing secure boot Remarks • Use a glitch to bypass length check: code execution • Dump decryption key from memory 3 https://media.ccc.de/v/33c3-8344-nintendo_hacking_2016

  15. BADFET 4 Remarks • Use an EM glitch to bypass secure boot of a Cisco phone • Not that invasive... (i.e. phone’s housing can be closed) 4 https://github.com/RedBalloonShenanigans/BADFET

  16. More fault injection during boot... 5 Why not use Fault Injection during runtime? 5 https://www.blackhat.com/docs/eu-16/materials/ eu-16-Timmers-Bypassing-Secure-Boot-Using-Fault-Injection.pdf

  17. More fault injection during boot... 5 Why not use Fault Injection during runtime? 5 https://www.blackhat.com/docs/eu-16/materials/ eu-16-Timmers-Bypassing-Secure-Boot-Using-Fault-Injection.pdf

  18. Fault injection meets Linux!

  19. How is Linux’ security usually compromised? A summary of Linux CVEs 6 Year DoS Exec Overflow Corruption Leak PrivEsc 2015 55 6 15 4 10 17 2016 153 5 38 18 35 52 2017 92 166 35 16 78 29 What if they are not present or not known? 6 http://www.cvedetails.com/product/47/Linux-Linux-Kernel.html?vendor_id=33

  20. How is Linux’ security usually compromised? A summary of Linux CVEs 6 Year DoS Exec Overflow Corruption Leak PrivEsc 2015 55 6 15 4 10 17 2016 153 5 38 18 35 52 2017 92 166 35 16 78 29 What if they are not present or not known? 6 http://www.cvedetails.com/product/47/Linux-Linux-Kernel.html?vendor_id=33

  21. Others 7 came to the same conclusion: Fault injection!!!! 7 https://derrekr.github.io/3ds/33c3/#/18

  22. Others 7 came to the same conclusion: Fault injection!!!! 7 https://derrekr.github.io/3ds/33c3/#/18

  23. Voltage fault injection setup Target • Fast and feature rich System-on-Chip (SoC) • ARM Cortex-A9 (32-bit) • Ubuntu 14.04 LTS (fully patched)

  24. Voltage fault injection parameters

  25. In the lab...

  26. On stage...

  27. Characterization • Determine if the target is vulnerable to fault injection • Determine if the fault injection setup is effective • Estimate required fault injection parameters for an attack • An open target is required, but not a requirement

  28. Characterization Test Application

  29. Characterization – Altering a loop . . . set_trigger(1); for(i = 0; i < 10000; i++) { // glitch here j++; // glitch here } // glitch here set_trigger(0); . . . Remarks • Implemented in a Linux Kernel Module (LKM) • Successful glitches are not time dependent

  30. Characterization – Possible responses Expected: ’glitch is too soft’ counter = 00010000 Mute/Reset: ’glitch is too hard’ counter = Success: ’glitch is exactly right’ counter = 00009999 counter = 00010015 counter = 00008687

  31. Characterization – Altering a loop Remarks • We took 16428 experiments in 65 hours • We randomize: Glitch VCC / Glitch Length / Glitch Delay • We can fix either the Glitch VCC or the Glitch Length

  32. Characterization – Altering a loop Remarks • We took 16428 experiments in 65 hours • We randomize: Glitch VCC / Glitch Length / Glitch Delay • We can fix either the Glitch VCC or the Glitch Length

  33. Characterization – Bypassing a check . . . set_trigger(1); if(cmd.cmdid < 0 || cmd.cmdid > 10) { return -1; } if(cmd.length > 0x100) { // glitch here return -1; // glitch here } // glitch here set_trigger(0); . . . Remarks • Implemented in a Linux Kernel Module (LKM) • Successful glitches are time dependent

  34. Characterization – Bypassing a check Remarks • We took 16315 experiments in 19 hours • The success rate between 6 . 2 µs and 6 . 8 µs is: 0.41% • The check is bypassed every 15 minutes

  35. We are ready for attack! Let’s attack Linux!

  36. We are ready for attack! Let’s attack Linux!

  37. Attacking Linux

  38. Opening /dev/mem – Description (1) Open /dev/mem using open syscall (2) Bypass check performed by Linux kernel using a glitch (3) Map arbitrary address in physical memory

  39. Opening /dev/mem – Code *(volatile unsigned int *)(trigger) = HIGH; int mem = open("/dev/mem", O_RDWR | O_SYNC); *(volatile unsigned int *)(trigger) = LOW; if( mem == 4 ) { void * addr = mmap ( 0, ..., ..., mem, 0); printf("%08x\n", *(unsigned int *)(addr)); } . . . Remarks • This code is running in user space • Linux syscall: sys open (0x5)

  40. Opening /dev/mem – Results Remarks • We took 22118 experiments in 17 hours • The success rate between 25 . 5 µs and 26 . 8 µs is: 0.53% • The Kernel is pwned every 10 minutes

  41. Linux kernel pwn #1

  42. SHellzapoppin’ – Description (1) Set all registers to 0 to increase the probability 8 (2) Perform setresuid syscall to set process IDs to root (3) Bypass check performed by Linux kernel using a glitch (4) Execute root shell using system function 8Linux kernel uses (mostly) return value 0 when a function executes successfully

  43. SHellzapoppin’ – Code *(volatile unsigned int *)(trigger) = HIGH; asm volatile ( "movw r12, #0x0;" // Repeat for other "movt r12, #0x0;" // unused registers . . . "mov r7, #0xd0;" // setresuid syscall "swi #0;" // Linux kernel takes over "mov %[ret], r0;" // Store return value in r0 : [ret] "=r" (ret) : : "r0", . . ., "r12" ) *(volatile unsigned int *)(trigger) = LOW; if(ret == 0) { system("/bin/sh"); } Remarks • This code is running in user space • Linux syscall: sys setresuid (0xd0)

  44. SHellzapoppin’ – Results Remarks • We took 18968 experiments in 21 hours • The success rate between 3 . 14 µs and 3 . 44 µs is: 1.3% • We pop a root shell every 5 minutes !

  45. Linux kernel pwn #2

  46. Reflection on these attacks... • Linux checks can be (easily) bypassed using fault injection • Attacks are identified and reproduced within a day • Full fault injection attack surface not explored Can we mitigate these type of attacks?

  47. Reflection on these attacks... • Linux checks can be (easily) bypassed using fault injection • Attacks are identified and reproduced within a day • Full fault injection attack surface not explored Can we mitigate these type of attacks?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Fault Injection Characterization on ARM Cortex-A9 George Thessalonikefs

Fault Injection Characterization on ARM Cortex-A9 George Thessalonikefs

ElectroMagnetic Fault Injection Characterization on ARM Cortex-A9 George Thessalonikefs George.Thessalonikefs@os3.nl University of Amsterdam February 5, 2014 Introduction Hardware Fault Injection Induce faults to hardware through side

517 views • 26 slides
Escalating Privileges in Linux using Fault Injection Niek Timmers Cristofaro Mune

Escalating Privileges in Linux using Fault Injection Niek Timmers Cristofaro Mune

Escalating Privileges in Linux using Fault Injection Niek Timmers Cristofaro Mune timmers@riscure.com c.mune@pulse-sec.com ( @ tieknimmers) ( @ pulsoid) September 25, 2017 Fault Injection A definition... Introducing faults in a target

969 views • 47 slides
AVFI: Fault Injection for Autonomous Vehicles Fault Injection to Measure Resilience of AVs

AVFI: Fault Injection for Autonomous Vehicles Fault Injection to Measure Resilience of AVs

Saurabh Jha, Subho S. Banerjee , James Cyriac, Zbigniew T. Kalbarczyk and Ravishankar K. Iyer Computer Science, Electrical and Computer Engineering AVFI: Fault Injection for Autonomous Vehicles Fault Injection to Measure Resilience of AVs

215 views • 8 slides
Chiffre : A Confjgurable Hardware Fault Injection Framework for RISC-V Systems Schuyler Eldridge

Chiffre : A Confjgurable Hardware Fault Injection Framework for RISC-V Systems Schuyler Eldridge

IBM T. J. Watson Research Center Chiffre : A Confjgurable Hardware Fault Injection Framework for RISC-V Systems Schuyler Eldridge Alper Buyuktosunoglu Pradip Bose 2 nd Workshop on Computer Architecture Research with RISC-V Motivation: Selective

395 views • 15 slides
Can strace make you fail? strace syscall fault injection Dmitry Levin FOSDEM 2017 What is

Can strace make you fail? strace syscall fault injection Dmitry Levin FOSDEM 2017 What is

Can strace make you fail? strace syscall fault injection Dmitry Levin FOSDEM 2017 What is strace? A diagnostic, debugging and instructional userspace utility for Linux. It is used to monitor interactions between processes and the Linux

541 views • 24 slides
Debunking Fault Injection Myths and Misconceptions Cristofaro Mune Niek Timmers

Debunking Fault Injection Myths and Misconceptions Cristofaro Mune Niek Timmers

Debunking Fault Injection Myths and Misconceptions Cristofaro Mune Niek Timmers c.mune@pulse-sec.com niek@twentytwosecurity.com @pulsoid @tieknimmers Todays agenda Introduction Fault injection, what is it? Fault injection,

920 views • 69 slides
Using Fault Injection to weaken RSA public key verification SNE Research Project 2 Ivo van der

Using Fault Injection to weaken RSA public key verification SNE Research Project 2 Ivo van der

Using Fault Injection to weaken RSA public key verification SNE Research Project 2 Ivo van der Elzen University of Amsterdam What is Fault Injection? Simply put: Introducing faults in a target to alter its intended behavior* *(N.

553 views • 34 slides
Symbolic Fault Injection Reiner H ahnle &amp; Daniel Larsson KeY Symposium Speyer, June 2006

Symbolic Fault Injection Reiner H ahnle &amp; Daniel Larsson KeY Symposium Speyer, June 2006

Symbolic Fault Injection Reiner H ahnle &amp; Daniel Larsson KeY Symposium Speyer, June 2006 1/28 Symbolic Fault Injection An attempt to introduce Formal Methods into the area of Fault Injection Objective: Evaluate dependability of

691 views • 28 slides
Characterization of a Cortex-M4 microcontroller with backside optical fault injection Research

Characterization of a Cortex-M4 microcontroller with backside optical fault injection Research

Characterization of a Cortex-M4 microcontroller with backside optical fault injection Research Project 1 Jasper Hupkens Dominika Rusek 05.02.2019 1 Introduction to the world of fault injection Research project at Riscure Fault

678 views • 25 slides
Using Fault Injection to Turn Data Transfers into Arbitrary Execution Cristofaro Mune Niek

Using Fault Injection to Turn Data Transfers into Arbitrary Execution Cristofaro Mune Niek

Using Fault Injection to Turn Data Transfers into Arbitrary Execution Cristofaro Mune Niek Timmers c.mune@pulse-sec.com niek@twentytwosecurity.com @pulsoid @tieknimmers Todays agenda Introduction Fault Injection basics Fault

1.05k views • 56 slides
Jrn-Marc Schmidt joern-marc.schmidt@iaik.tugraz.at Fault Injection Plaintext Faulty

Jrn-Marc Schmidt joern-marc.schmidt@iaik.tugraz.at Fault Injection Plaintext Faulty

Jrn-Marc Schmidt joern-marc.schmidt@iaik.tugraz.at Fault Injection Plaintext Faulty Ciphertext But how to inject a fault? Fault: Injection Model Exploitation Non-invasive Device is not altered physical Semi-invasive

602 views • 32 slides
Fault Injection in Mixed-Signal Environment Using Behavioral Fault Modeling in Verilog-A Seyed

Fault Injection in Mixed-Signal Environment Using Behavioral Fault Modeling in Verilog-A Seyed

Sharif University of Technology Department of Computer Engineering Dependable System Lab [DSL] Fault Injection in Mixed-Signal Environment Using Behavioral Fault Modeling in Verilog-A Seyed Nematollah Ahmadian, Seyed Ghassem Miremadi

398 views • 17 slides
Toward the bKAGRA Hardware Injection The 3rd KAGRA International Workshop 2017/05/21@Academia

Toward the bKAGRA Hardware Injection The 3rd KAGRA International Workshop 2017/05/21@Academia

Toward the bKAGRA Hardware Injection The 3rd KAGRA International Workshop 2017/05/21@Academia Sinica, NTU campus Osaka City University : Takaaki Yokozawa on the behalf of calibration subgroup The 3rd KIW Toward bKAGRA Hardware Injection

525 views • 15 slides
Embedded Processor Based Embedded Processor Based Fault Injection and SEU Fault Injection and

Embedded Processor Based Embedded Processor Based Fault Injection and SEU Fault Injection and

Embedded Processor Based Embedded Processor Based Fault Injection and SEU Fault Injection and SEU Emulation for FPGAs Emulation for FPGAs Bradley Dutton, Mustafa Ali, John Bradley Dutton, Mustafa Ali, John Sunwoo, and Charles Stroud Sunwoo,

305 views • 26 slides
A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a password manager is a good idea! SQL injection is ironic SQL injection is funny Overviewtrated Account Summary Account: Account: &quot;SELECT

445 views • 32 slides
Optimizing Fault Injection in FMI Co-Simulation through Sensitivity Partitioning Mehrdad Moradi,

Optimizing Fault Injection in FMI Co-Simulation through Sensitivity Partitioning Mehrdad Moradi,

Optimizing Fault Injection in FMI Co-Simulation through Sensitivity Partitioning Mehrdad Moradi, Cludio Gomes, Bentley James Oakes and Joachim Denil Summersim 2019 July 22, 2019 Berlin, Germany Outline Introduction Context and

404 views • 28 slides
We are all energy savers ! By: Emma Green, Annabel Green, Ashley Gaccetta, Amaya Rose and our

We are all energy savers ! By: Emma Green, Annabel Green, Ashley Gaccetta, Amaya Rose and our

We are all energy savers ! By: Emma Green, Annabel Green, Ashley Gaccetta, Amaya Rose and our filmer Malia Rudeen Renew Our Schools Competition!! The Renew Our Schools Energy contest is between, Fall River, Central, Centennial, Burlington,

927 views • 16 slides
Soda Folk is a range of traditional American soft drinks. Our products are all-natural, free from

Soda Folk is a range of traditional American soft drinks. Our products are all-natural, free from

Soda Folk is a range of traditional American soft drinks. Our products are all-natural, free from preservatives, and made with the best ingredients , such as Madagascan bourbon vanilla, organic maple syrup, and cane sugar. Each drink is packaged in

474 views • 6 slides
201 2016 AIMS OF PGL AT THE CHATEAU Le Le Ch Chatea teau u de de G Grand nde e Rom

201 2016 AIMS OF PGL AT THE CHATEAU Le Le Ch Chatea teau u de de G Grand nde e Rom

FRANCE TRIP Le Le Ch Chatea teau u de de Gr Grande nde Ro Roma maine ine 201 2016 AIMS OF PGL AT THE CHATEAU Le Le Ch Chatea teau u de de G Grand nde e Rom omaine ine Football Pitches Activity Rooms Archery MUGA The

311 views • 28 slides
Vertical Integration Between Registries and Registrars The Economic Pros and Cons Sydney,

Vertical Integration Between Registries and Registrars The Economic Pros and Cons Sydney,

Vertical Integration Between Registries and Registrars The Economic Pros and Cons Sydney, Australia 22 June 2009 1 Background Issue debated since creation of ICANN Originally generated because only one (commonly owned) commercial

162 views • 12 slides
Trans ransform forming B ng Bus usines ness Proces rocesses s in H n Higher gher Educa

Trans ransform forming B ng Bus usines ness Proces rocesses s in H n Higher gher Educa

ULEAD N D Nov ovember 2 2018 Trans ransform forming B ng Bus usines ness Proces rocesses s in H n Higher gher Educa Educati tion on Kauline Cipriani, PhD Assistant Dean for Inclusive Excellence Associate Professor Public Health

616 views • 20 slides
DATA CENTER GPU MANAGER Brent Stolle and David Beer March 2018 TOOLS FOR MANAGING GPUs

DATA CENTER GPU MANAGER Brent Stolle and David Beer March 2018 TOOLS FOR MANAGING GPUs

DATA CENTER GPU MANAGER Brent Stolle and David Beer March 2018 TOOLS FOR MANAGING GPUs Out-of-Band In-Band GPU Metrics and Monitoring via Tools use the NVIDIA driver to BMC (SMBPBI) provide GPU and NVSwitch metrics Provide metrics

587 views • 27 slides
ROPE UL T RASONIC DAC O N INSPEC T IO N SERVIC ES ACCE SS INSPE CT ION Who we ar e Co

ROPE UL T RASONIC DAC O N INSPEC T IO N SERVIC ES ACCE SS INSPE CT ION Who we ar e Co

ADVANCE ROPE UL T RASONIC DAC O N INSPEC T IO N SERVIC ES ACCE SS INSPE CT ION Who we ar e Co nve ntio na l a nd Oil a nd Ga s, Re fine ry, Ove r 400 pe rso nne l T ha ila nd he a dq ua rte rs Adva nc e d NDT a nd Pe tro c he

460 views • 13 slides
Lifting Jonathan Templeman Chief Executive 53% of Lifting 22% of Melrose Products overview

Lifting Jonathan Templeman Chief Executive 53% of Lifting 22% of Melrose Products overview

Lifting Jonathan Templeman Chief Executive 53% of Lifting 22% of Melrose Products overview Oil &amp; Gas Mining Crane and industrial Specialist fibre and steel rope High quality steel wire ropes High performance wire ropes Mooring,

341 views • 15 slides

More recommend