over the edge silently owning windows 10 s secure browser
play

Over the Edge: Silently Owning Windows 10's Secure Browser Erik - PowerPoint PPT Presentation

Jan 03, 2024 •570 likes •1.87k views

Over the Edge: Silently Owning Windows 10's Secure Browser Erik Bosman , Kaveh Razavi, Herbert Bos and Cristiano Giu ff rida This presentation: Deduplication (software side-channel) 1 This presentation: Deduplication (software side-channel)

  1. Over the Edge: Silently Owning Windows 10's Secure Browser Erik Bosman , Kaveh Razavi, Herbert Bos and Cristiano Giu ff rida

  3. This presentation: Deduplication (software side-channel) 1

  4. This presentation: Deduplication (software side-channel) + Rowhammer (hardware bug) 1

  5. This presentation: Deduplication (software side-channel) + Rowhammer (hardware bug) Exploit MS Edge without software bugs (from JavaScript) 1

  6. This presentation: Deduplication (software side-channel) + Rowhammer a n i h c (hardware bug) a M t s e p u d e D Exploit MS Edge without software bugs (from JavaScript) 1

  7. Outline: Deduplication - leak heap & code addresses JavaScript Array +0.0 +3.141592 42. 1 NaN 2

  8. Outline: Deduplication - leak heap & code addresses chakra.dll JavaScript Array +0.0 +3.141592 42. 1 NaN 2

  9. Outline: Deduplication - leak heap & code addresses - create a fake object 2

  10. Outline: Deduplication - leak heap & code addresses - create a fake object Rowhammer - create reference to our fake object 2

  11. Outline: Deduplication - leak heap & code addresses - create a fake object Rowhammer - create reference to our fake object 2

  12. memory deduplication A method of reducing memory usage. Used in virtualisation environments, (was) also enabled by default on Windows 8.1 and 10. 3

  13. memory deduplication physical memory process A process B 4

  14. memory deduplication physical memory process A process B 4

  15. memory deduplication physical memory process A process B 4

  16. memory deduplication physical memory process A process B 4

  17. memory deduplication physical memory process A process B 4

  18. memory deduplication physical memory process A * * * * * * * * * * * * * * process B * * * * * * * * * * * * * 4

  19. memory deduplication: The Problem Deduplicated memory does not need to have the same origin. (unlike fork(), file-backed memory) An attacker can use deduplication as a side-channel 5

  20. deduplication side-channel attack normal write 6

  21. deduplication side-channel attack normal write write 6

  22. deduplication side-channel attack normal write write copy on write (due to deduplication) * 6

  23. deduplication side-channel attack normal write write copy on write (due to deduplication) * trap to kernel 6

  24. deduplication side-channel attack normal write write copy on write (due to deduplication) * trap copy to whole kernel page 6

  25. deduplication side-channel attack normal write write copy on write (due to deduplication) * trap copy update to whole page kernel page tables 6

  26. deduplication side-channel attack normal write write copy on write (due to deduplication) * trap copy update return to whole page from kernel page tables kernel 6

  27. deduplication side-channel attack normal write write copy on write (due to deduplication) * trap copy update return to whole page from write kernel page tables kernel 6

  28. deduplication side-channel attack A 1-bit side channel which is able to leak data across security boundaries - cross VM - cross-process - leak process data from javascript code 7

  29. having fun with deduplication - covert channel 8

  31. having fun with deduplication - covert channel - detect running software 9

  32. Wordpad memory dump wordpad not running 10

  33. Wordpad memory dump wordpad not running 10

  34. Wordpad memory dump wordpad running 11

  35. Wordpad memory dump wordpad running 11

  36. Signal not as clear as expected, Reason: file backed memory not deduplicated the same way on Windows. 12

  37. Skype memory dump skype not running 13

  38. Skype memory dump skype not running 13

  39. Skype memory dump skype running 14

  40. Skype memory dump skype running 14

  41. For our Edge exploit, a single-bit, page-granularity info leak isn't enough 15

  42. Can we generalize this to leaking arbitrary data, like an ASLR pointer or a password? 16

  43. Challenge 1: The secret we want to leak does not span an entire page. 17

  44. turning a secret into a page secret 18

  45. turning a secret into a page known data secret secret page 18

  46. Challenge 2: The secret we want to leak has too much entropy to leak all at once. 19

  47. primitive #1: alignment probing known data secret secret page 20

  48. primitive #1: alignment probing known data secret secret page 20

  49. primitive #2: partial reuse known data secret secret page 21

  50. primitive #2: partial reuse known data secret secret page 21

  51. Outline: Deduplication - leak heap & code addresses chakra.dll 22

  52. JIT function epilogue (MS Edge) secret mov RCX,0x1c20 mov RAX, [code address] jmp RAX trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap ... known data 23

  53. JIT function epilogue (MS Edge) page mov RCX,0x1c20 mov RAX, [code address] jmp RAX trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap 24

  54. JIT function epilogue (MS Edge) page mov RCX,0x1c20 mov RAX, [code address] jmp RAX trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap 24

  55. Outline: Deduplication - leak heap & code addresses chakra.dll 25

  56. Outline: Deduplication - leak heap & code addresses chakra.dll JavaScript Array +0.0 +3.141592 42. 1 NaN 25

  57. We were not able to create pages leaking only part of our heap pointer. 25

  58. Heap pointer entropy in Edge 0x5F48143540 26

  59. Heap pointer entropy in Edge advertised ASLR (24 bit) 0x5F48143540 26

  60. Heap pointer entropy in Edge advertised ASLR (24 bit) 0x5F48143540 non-deterministic bits (+/- 36 bit) 26

  61. Heap pointer entropy in Edge 64G advertised ASLR (24 bit) 0x5F48143540 non-deterministic bits (+/- 36 bit) 26

  62. Heap pointer entropy in Edge 64G advertised ASLR (24 bit) 0x5F48143540 256T non-deterministic bits (+/- 36 bit) 26

  63. Heap pointer entropy in Edge 64G * redundancy advertised ASLR (24 bit) 0x5F48143540 256T non-deterministic bits * redundancy (+/- 36 bit) 26

  64. Slab allocator for JavaScript objects array object 27

  65. Slab allocator for JavaScript objects array array object data 27

  66. Slab allocator for JavaScript objects array array object data Allocated together 27

  67. Slab allocator for JavaScript objects array (almost) object arbirary data Allocated together 27

  68. Slab allocator for JavaScript objects 16K slab 28

  69. Slab allocator for JavaScript objects ... 1M VirtualAlloc() 28

  70. Slab allocator for JavaScript objects 1st after VirtualAlloc() call ... 1M VirtualAlloc() 28

  71. Slab allocator for JavaScript objects 29

  72. Slab allocator for JavaScript objects potential 1M aligned objects 29

  73. Slab allocator for JavaScript objects potential 1M aligned objects 29

  74. Slab allocator for JavaScript objects potential 1M aligned objects 29

  75. Heap pointer entropy in Edge 64G * redundancy advertised ASLR (24 bit) 0x5F48143540 256T non-deterministic bits * redundancy (+/- 36 bit) 30

  76. Heap pointer entropy in Edge 64G * redundancy advertised ASLR (24 bit) 0x5F48100000 entropy after 1MB alignment (20 bit) 30

  77. Heap pointer entropy in Edge 64G * redundancy advertised ASLR (24 bit) 0x5F48100000 4G entropy after 1MB alignment * redundancy (20 bit) 30

  78. birthday problem 31

  79. birthday problem 31

  80. birthday problem 31

  81. birthday problem 31

  82. birthday problem 31

  83. birthday problem 31

  84. birthday problem 31

  85. birthday problem 31

  86. birthday problem 31

  87. birthday problem 31

  88. birthday problem 31

  89. birthday problem 31

  90. birthday problem 31

  91. primitive #3: birthday heapspray physical memory attacker memory victim memory 32

  92. primitive #3: birthday heapspray physical memory attacker memory victim memory 32

  93. primitive #3: birthday heapspray physical memory attacker memory victim memory 32

  94. primitive #3: birthday heapspray physical memory attacker memory victim memory 32

  95. primitive #3: birthday heapspray physical memory attacker memory victim memory 32

  96. primitive #3: birthday heapspray physical memory attacker memory victim memory 32

  97. primitive #3: birthday heapspray physical memory attacker memory victim memory 32

  98. primitive #3: birthday heapspray physical memory attacker memory victim memory 32

  99. primitive #3: birthday heapspray physical memory attacker memory victim memory 32

  100. primitive #3: birthday heapspray physical memory attacker memory victim memory 32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

www.toddklindt.com www.toddklindt.com/HSUS How Do I Get to it? Your Browser no really

www.toddklindt.com www.toddklindt.com/HSUS How Do I Get to it? Your Browser no really

todd.klindt@sympraxisconsulting.com @toddklindt www.toddklindt.com www.toddklindt.com/HSUS How Do I Get to it? Your Browser no really Chrome IE Edge (barf!) Sleipnir, etc. Windows desktop Mac desktop Linux

601 views • 45 slides
IS OWNING A CAT BETTER Elie J. Diner, PhD SlideTalk THAN OWNING A DOG? University of Cat

IS OWNING A CAT BETTER Elie J. Diner, PhD SlideTalk THAN OWNING A DOG? University of Cat

IS OWNING A CAT BETTER Elie J. Diner, PhD SlideTalk THAN OWNING A DOG? University of Cat HUMANS HAVE DOMESTICATED MANY DIFFERENT TYPES OF ANIMALS AS PETS Canis lupus Oryctolagus Felis catus Carassius familiaris cuniculus auratus PHOTO

158 views • 11 slides
Linux For Beginners April 26, 2016 Dualboot Linux and Windows Dualboot Linux and Windows

Linux For Beginners April 26, 2016 Dualboot Linux and Windows Dualboot Linux and Windows

Linux For Beginners April 26, 2016 Dualboot Linux and Windows Dualboot Linux and Windows Reinstall usually keeps personal files Advantages of Linux More secure Package manager Software installation is easy, fast and secure Keeps

528 views • 15 slides
Updates on Windows TCP Praveen Balasubramanian pravb@microsoft.com Recap and deployment update

Updates on Windows TCP Praveen Balasubramanian pravb@microsoft.com Recap and deployment update

Updates on Windows TCP Praveen Balasubramanian pravb@microsoft.com Recap and deployment update Recap from Chicago IETF TFO (TCP Fast Open) enabled by default in the Edge browser in Creators Update Experimental support for CUBIC

344 views • 12 slides
ENGR/CS 101 CS Session Lecture 11 Log into Windows (reboot if in Linux) Use web browser to

ENGR/CS 101 CS Session Lecture 11 Log into Windows (reboot if in Linux) Use web browser to

ENGR/CS 101 CS Session Lecture 11 Log into Windows (reboot if in Linux) Use web browser to go to session webpage http://csserver.evansville.edu/~hwang/f11-courses/engrcs101/cs.html Right-click on Inclass11.zip link. Save link/target

386 views • 21 slides
Requirements for Secure Device Authentication Iden&ty in the browser

Requirements for Secure Device Authentication Iden&ty in the browser

Requirements for Secure Device Authentication Iden&ty in the browser workshop, 24-25 May 2011, Mountain View Mark Watson, Mitch Zollinger, Wesley Miaw 1

327 views • 9 slides
What is a good pen based application? The windows desktop and browser are HCI For Pen Based

What is a good pen based application? The windows desktop and browser are HCI For Pen Based

What is a good pen based application? The windows desktop and browser are HCI For Pen Based Computing NOT good pen based apps! Richard Anderson CSE 481 B Winter 2007 What is a good UI? How do you measure it? Mechanical Properties

208 views • 8 slides
Introduction SE 2XA3 Term I, 2020/21 BSB 244 and 249 labs Windows Windows based based

Introduction SE 2XA3 Term I, 2020/21 BSB 244 and 249 labs Windows Windows based based

Introduction SE 2XA3 Term I, 2020/21 BSB 244 and 249 labs Windows Windows based based Laptop Workstation Workstation Laptop Internet moore (CAS Linux server) Secure Shell terminal Secure . Shell servers Requires:

841 views • 25 slides
Introduction CS 2XA3 Term I, 2020/21 BSB 244 and 249 labs Windows Windows based based

Introduction CS 2XA3 Term I, 2020/21 BSB 244 and 249 labs Windows Windows based based

Introduction CS 2XA3 Term I, 2020/21 BSB 244 and 249 labs Windows Windows based based Laptop Workstation Workstation Laptop Internet moore (CAS Linux server) Secure Shell terminal Secure . Shell servers Requires:

526 views • 25 slides
Courtyard House Anjuna Goa For Sale Imagine owning your own private forest your beautiful home

Courtyard House Anjuna Goa For Sale Imagine owning your own private forest your beautiful home

Courtyard House Anjuna Goa For Sale Imagine owning your own private forest your beautiful home nestled amidst trees every last detail perfectly fjnished all you need to bring are the keys Imagine low slung roofs and large bright windows the

913 views • 24 slides
TOR BROWSER FORENSICS ON WINDOWS OS MATTIA EPIFANI, FRANCESCO PICASSO, MARCO SCARITO, CLAUDIA MEDA

TOR BROWSER FORENSICS ON WINDOWS OS MATTIA EPIFANI, FRANCESCO PICASSO, MARCO SCARITO, CLAUDIA MEDA

TOR BROWSER FORENSICS ON WINDOWS OS MATTIA EPIFANI, FRANCESCO PICASSO, MARCO SCARITO, CLAUDIA MEDA DFRWS 2015 DUBLIN, 24 MARCH 2015 REAL CASE Management salaries of a private company were published on a Blog Through an analysis of the

228 views • 21 slides
DNSSEC in Windows DNS Server Kumar Ashutosh, Microsoft Windows DNS Server Widely deployed in

DNSSEC in Windows DNS Server Kumar Ashutosh, Microsoft Windows DNS Server Widely deployed in

DNSSEC in Windows DNS Server Kumar Ashutosh, Microsoft Windows DNS Server Widely deployed in enterprises Fair presence in the DNS resolver space Standards compliant and interoperable Secure and scalable DNSSEC in Windows DNS

266 views • 14 slides
Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box - Still GUI based - Still makes no sense - No start menu :( - (Install classic shell)... trust me... Windows Server What can it do? - Email

1.06k views • 37 slides
Run Any Software in a Browser NVIDIA GTC, April 7, 2016 What is Frame? Frame is a secure cloud

Run Any Software in a Browser NVIDIA GTC, April 7, 2016 What is Frame? Frame is a secure cloud

Run Any Software in a Browser NVIDIA GTC, April 7, 2016 What is Frame? Frame is a secure cloud platform that lets organizations deliver amazing experiences and workflows to users on all connected devices . Pixels user input Confidential Why

540 views • 21 slides
IS THE LINUX DESKTOP LESS SECURE THAN WINDOWS 10? OR HOW SUPER MARIO MUSIC CAN OWN YOUR SYSTEM.

IS THE LINUX DESKTOP LESS SECURE THAN WINDOWS 10? OR HOW SUPER MARIO MUSIC CAN OWN YOUR SYSTEM.

IS THE LINUX DESKTOP LESS SECURE THAN WINDOWS 10? OR HOW SUPER MARIO MUSIC CAN OWN YOUR SYSTEM. Hanno Bck https://hboeck.de 1 This was too easy . It should not be possible to find a serious memory corruption vulnerability in the default

577 views • 31 slides
Log in using secure shell ssh Y user@tak PuTTY on Windows Unix: Beyond the Basics George W

Log in using secure shell ssh Y user@tak PuTTY on Windows Unix: Beyond the Basics George W

Log in using secure shell ssh Y user@tak PuTTY on Windows Unix: Beyond the Basics George W Bell, Ph.D. Terminal on Macs BaRC Hot Topics October, 2016 Bioinformatics and Research Computing Whitehead Institute Command prompt user@tak

249 views • 7 slides
Large-Scale Adaptive Mesh Simulations Through Non-Volatile Byte-Addressable Memory Bao Nguyen Hua

Large-Scale Adaptive Mesh Simulations Through Non-Volatile Byte-Addressable Memory Bao Nguyen Hua

Large-Scale Adaptive Mesh Simulations Through Non-Volatile Byte-Addressable Memory Bao Nguyen Hua Tan Xuechen Zhang Kei Davis* * Octree Meshing is Widely Used in HPC Simulation Droplet breakup Micro-boiling Droplet ejection 2

691 views • 31 slides
Chapter 16 Distributed-File Systems Background Naming and Transparency Remote File

Chapter 16 Distributed-File Systems Background Naming and Transparency Remote File

Chapter 16 Distributed-File Systems Background Naming and Transparency Remote File Access Stateful versus Stateless Service File Replication Example Systems Operating System Concepts 16.1 Silberschatz, Galvin and Gagne

277 views • 24 slides
The Fork-Join Model and its Implementation in Cilk Marc Moreno Maza University of Western

The Fork-Join Model and its Implementation in Cilk Marc Moreno Maza University of Western

The Fork-Join Model and its Implementation in Cilk Marc Moreno Maza University of Western Ontario, London, Ontario (Canada) CS 4402 - CS 9535 Plan Parallelism Complexity Measures cilk for Loops Scheduling Theory and Implementation Measuring

862 views • 65 slides
Memory Questions? ! What is main memory? CSCI [4|6]730 ! How does multiple processes share memory

Memory Questions? ! What is main memory? CSCI [4|6]730 ! How does multiple processes share memory

Memory Questions? ! What is main memory? CSCI [4|6]730 ! How does multiple processes share memory Operating Systems space? Key is how do they refer to memory addresses? ! What is static and dynamic allocation? Main Memory ! What is

285 views • 10 slides
CS 423 Operating System Design: Memory Wrap-Up Professor Adam Bates CS 423: Operating

CS 423 Operating System Design: Memory Wrap-Up Professor Adam Bates CS 423: Operating

CS 423 Operating System Design: Memory Wrap-Up Professor Adam Bates CS 423: Operating Systems Design Goals for Today Learning Objective: Recap memory management unit (this time, with a hot mic) Announcements, etc: MP2 out!

578 views • 26 slides
Kernel level memory management 1. The very base on boot vs memory management 2. Memory Nodes

Kernel level memory management 1. The very base on boot vs memory management 2. Memory Nodes

Advanced Operating Systems MS degree in Computer Engineering University of Rome Tor Vergata Lecturer: Francesco Quaglia Kernel level memory management 1. The very base on boot vs memory management 2. Memory Nodes (UMA vs NUMA) 3. x86

1.17k views • 115 slides
Complexity Measures for Parallel Computation Complexity Measures for Parallel Computation

Complexity Measures for Parallel Computation Complexity Measures for Parallel Computation

Complexity Measures for Parallel Computation Complexity Measures for Parallel Computation Problem parameters: n index of problem size p number of processors Algorithm parameters: t p running time on p processors t 1 time on 1

311 views • 16 slides
Delerium and Dementia -Sadly, I still have nothing new to disclose since early my last

Delerium and Dementia -Sadly, I still have nothing new to disclose since early my last

Disclosures Delerium and Dementia -Sadly, I still have nothing new to disclose since early my last presentation John Engstrom, M.D. -Using the ARS for this talk Professor of Neurology -References include answer key and link to UCSF Memory

344 views • 13 slides

More recommend