Over the Edge: Silently Owning Windows 10's Secure Browser (PowerPoint presentation)

SLIDE 1

Over the Edge: Silently Owning Windows 10's Secure Browser

Erik Bosman, Kaveh Razavi, Herbert Bos and Cristiano Giuffrida

SLIDE 2-6

This presentation:

  • Deduplication (software side-channel)
  • + Rowhammer (hardware bug)
  • = Exploit MS Edge without software bugs (from JavaScript)

Dedup Est Machina

SLIDE 7-11

Outline:

Deduplication
  • leak heap & code addresses (heap address: via a JavaScript Array of doubles, e.g. +3.141592 +0.0 42. 1 NaN; code address: via chakra.dll)
  • create a fake object

Rowhammer
  • create reference to our fake object

SLIDE 12

memory deduplication

A method of reducing memory usage. Used in virtualisation environments; (was) also enabled by default on Windows 8.1 and 10.

SLIDE 13-18

memory deduplication

(figure: physical memory shared between process A and process B; pages with identical contents end up backed by a single physical page, marked *)

SLIDE 19

memory deduplication: The Problem

Deduplicated memory does not need to have the same origin (unlike fork() or file-backed memory). An attacker can use deduplication as a side-channel.

SLIDE 20-27

deduplication side-channel attack

  normal write: write
  copy on write (due to deduplication): write -> trap to kernel -> copy whole page -> update page tables -> return from kernel -> write

(* marks the page shared by deduplication; the extra steps are what makes the write measurably slower)

SLIDE 28

deduplication side-channel attack

A 1-bit side channel which is able to leak data across security boundaries:

  • cross VM
  • cross-process
  • leak process data from JavaScript code
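The copy-on-write penalty that the side channel measures, as an added example (not code from the talk or from the VUSec project): a C program for Linux that creates two identical pages, marks them mergeable with madvise(MADV_MERGEABLE) so the kernel's KSM deduplicator may merge them, and times the first write afterwards against writes to a page that was never shared. Windows page combining is system-wide and has no such opt-in; the 10x decision factor, the fill pattern and the wait time are assumptions to calibrate per machine:

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/mman.h>

#define PAGE 4096
#define SAMPLES 15

static uint64_t now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}

/* Cost of one byte write to p. If the page was deduplicated, this write traps
 * to the kernel, which copies the whole page and updates the page tables
 * before the write completes. */
static uint64_t timed_write(volatile unsigned char *p) {
    uint64_t t0 = now_ns();
    p[0] ^= 1;
    return now_ns() - t0;
}

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n samples; robust against interrupt and scheduler noise. */
uint64_t median_ns(uint64_t *v, size_t n) {
    qsort(v, n, sizeof *v, cmp_u64);
    return v[n / 2];
}

/* Decision rule: the probe page was merged with the victim page when its first
 * write costs at least `factor` times an ordinary write to a private page.
 * The factor is an assumption; calibrate it on the target machine. */
int looks_merged(uint64_t first_write_ns, uint64_t baseline_ns, unsigned factor) {
    return first_write_ns >= baseline_ns * factor;
}

/* Map a "victim" page and a "probe" page with identical content, mark them
 * mergeable (Linux KSM), wait for the deduplicator, then time the first write
 * to the probe page and compare it with writes to a page that was never shared.
 * Returns 0 on success, -1 if mmap failed. */
int run_probe(unsigned wait_s, uint64_t *first_write_ns, uint64_t *baseline_ns) {
    int prot = PROT_READ | PROT_WRITE, flags = MAP_PRIVATE | MAP_ANONYMOUS;
    unsigned char *victim = mmap(NULL, PAGE, prot, flags, -1, 0);
    unsigned char *probe  = mmap(NULL, PAGE, prot, flags, -1, 0);
    unsigned char *priv   = mmap(NULL, PAGE, prot, flags, -1, 0);
    if (victim == MAP_FAILED || probe == MAP_FAILED || priv == MAP_FAILED) return -1;

    /* Constructed "secret" content: identical in victim and probe, and not all
     * zero, because the kernel treats the zero page specially. */
    for (size_t i = 0; i < PAGE; i++)
        victim[i] = probe[i] = priv[i] = (unsigned char)(i * 7 + 3);
#ifdef MADV_MERGEABLE
    madvise(victim, PAGE, MADV_MERGEABLE);
    madvise(probe, PAGE, MADV_MERGEABLE);
#endif
    sleep(wait_s);                          /* give the deduplicator time to merge */

    *first_write_ns = timed_write(probe);   /* CoW fault here if the pages were merged */
    uint64_t s[SAMPLES];
    for (int i = 0; i < SAMPLES; i++) s[i] = timed_write(priv); /* priv is already faulted in */
    *baseline_ns = median_ns(s, SAMPLES);

    munmap(victim, PAGE); munmap(probe, PAGE); munmap(priv, PAGE);
    return 0;
}

int main(int argc, char **argv) {
    unsigned wait_s = argc > 1 ? (unsigned)atoi(argv[1]) : 30;
    uint64_t first, base;
    if (run_probe(wait_s, &first, &base) != 0) { perror("mmap"); return 1; }
    printf("first write to probe page: %llu ns, baseline: %llu ns -> %s\n",
           (unsigned long long)first, (unsigned long long)base,
           looks_merged(first, base, 10) ? "MERGED (contents matched)" : "not merged");
    return 0;
}
```

Run it with the wait in seconds as the only argument; KSM has to be switched on (echo 1 > /sys/kernel/mm/ksm/run) for a merge to happen at all. On a machine with no deduplicator the first write looks like the baseline, which is exactly the mitigation the last slides recommend.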

SLIDE 29-31

having fun with deduplication

  • covert channel
  • detect running software

SLIDE 32-35

Wordpad memory dump (figures: dedup signal per page, wordpad not running vs. wordpad running)

SLIDE 36

Signal not as clear as expected. Reason: file-backed memory is not deduplicated the same way on Windows.

SLIDE 37-40

Skype memory dump (figures: dedup signal per page, skype not running vs. skype running)

SLIDE 41

For our Edge exploit, a single-bit, page-granularity info leak isn't enough.

SLIDE 42

Can we generalize this to leaking arbitrary data, like an ASLR pointer or a password?

SLIDE 43

Challenge 1: The secret we want to leak does not span an entire page.

SLIDE 44-45

turning a secret into a page

  known data + secret = secret page (the rest of the page holding the secret is data the attacker knows, so a probe page only has to guess the secret itself)

SLIDE 46

Challenge 2: The secret we want to leak has too much entropy to leak all at once.

SLIDE 47-50

primitive #1: alignment probing

  known data | secret | secret page: choose the alignment of the secret against the page boundary so that only a few bytes of the secret fall inside the probed page; guess those bytes, then move the boundary and continue with the next ones.

primitive #2: partial reuse

  known data | secret | secret page: when a buffer holding the secret is partially reused for known data, only the part of the secret that is left has to be guessed at a time.
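Alignment probing worked through, as an added example that is not the talk's code: the dedup channel is replaced by a stand-in oracle (a memcmp against the page the victim would expose at that alignment), the victim layout (64 known bytes immediately followed by an 8-byte secret), the zero filler and the secret value itself are constructed. What the example shows is the probe count: one byte at a time costs at most 256 probes per byte instead of 256^n for the whole secret:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE 4096
#define SECRET_LEN 8

/* Constructed victim layout: known bytes immediately followed by the secret. */
typedef struct {
    unsigned char known[64];
    unsigned char secret[SECRET_LEN];
} victim_t;

/* Lay out one page that ends with known[] followed by the first k bytes of
 * `tail`; everything before that is assumed-known filler (zero here). This is
 * both the page the victim exposes when the boundary is placed k bytes into
 * the secret, and the page the attacker builds as a probe for it. */
static void layout_page(unsigned char *page, const victim_t *v,
                        const unsigned char *tail, size_t k) {
    size_t start = PAGE - sizeof v->known - k;
    memset(page, 0, PAGE);
    memcpy(page + start, v->known, sizeof v->known);
    memcpy(page + start + sizeof v->known, tail, k);
}

/* Stand-in for the dedup write-timing channel: would the probe page be merged
 * with the victim page that has k secret bytes before the boundary? */
static size_t queries;
static int dedup_oracle(const victim_t *v, const unsigned char *probe, size_t k) {
    unsigned char victim_page[PAGE];
    layout_page(victim_page, v, v->secret, k);
    queries++;
    return memcmp(victim_page, probe, PAGE) == 0;
}

size_t oracle_queries(void) { return queries; }

/* Alignment probing: leak byte i with the boundary placed right after it, so
 * the probe page contains the i bytes already recovered plus one guessed byte.
 * Returns the number of secret bytes recovered. */
size_t leak_secret(const victim_t *v, unsigned char *out, size_t n) {
    unsigned char probe[PAGE], cand[SECRET_LEN] = {0};
    if (n > SECRET_LEN) n = SECRET_LEN;
    queries = 0;
    for (size_t i = 0; i < n; i++) {
        int found = 0;
        for (int b = 0; b < 256 && !found; b++) {
            cand[i] = (unsigned char)b;
            layout_page(probe, v, cand, i + 1);
            found = dedup_oracle(v, probe, i + 1);
        }
        if (!found) return i;          /* no alignment matched: channel too noisy */
        out[i] = cand[i];
    }
    return n;
}

int main(void) {
    victim_t v;
    memset(v.known, 'K', sizeof v.known);                       /* constructed known data */
    memcpy(v.secret, "\x40\x35\x14\x48\x5f\x00\x00\x00", SECRET_LEN); /* constructed 8-byte "pointer" */
    unsigned char leaked[SECRET_LEN];
    size_t got = leak_secret(&v, leaked, SECRET_LEN);
    printf("recovered %zu bytes in %zu probes:", got, oracle_queries());
    for (size_t i = 0; i < got; i++) printf(" %02x", leaked[i]);
    printf("\n");
    return 0;
}
```

With the real channel each oracle call is a timed write to a probe page after a wait for the deduplicator, so the probe count is what bounds the wall-clock cost of the leak.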

SLIDE 51

Outline:

Deduplication
  • leak heap & code addresses (code address: chakra.dll)

SLIDE 52-54

JIT function epilogue (MS Edge)

    mov RCX, 0x1c20
    mov RAX, [code address]
    jmp RAX
    trap trap trap trap ... (trap padding up to the end of the page)

known data: the epilogue instructions and the trap padding; secret: the code address loaded into RAX (a pointer into chakra.dll). Slides 53 and 54 show the page boundary falling at different points, i.e. the alignment-probing setup applied to this page.

SLIDE 55-56

Outline:

Deduplication
  • leak heap & code addresses (code address: chakra.dll, done; heap address: via a JavaScript Array of doubles, e.g. +3.141592 +0.0 42. 1 NaN)

SLIDE 57

We were not able to create pages leaking only part of our heap pointer (so alignment probing and partial reuse do not apply here; the entropy has to be reduced another way).

SLIDE 58-63

Heap pointer entropy in Edge

  0x5F48143540
  advertised ASLR: 24 bit (a 64G range)
  non-deterministic bits: +/- 36 bit (a 256T range)
  (* redundancy: some of those bits are redundant)

SLIDE 64-74

Slab allocator for JavaScript objects

  • an array object and its array data are allocated together; the data is (almost) arbitrary, attacker-chosen bytes
  • objects are placed in 16K slabs, carved out of 1M regions obtained with VirtualAlloc()
  • the 1st object after a VirtualAlloc() call sits at the start of such a region, so spraying produces many potential 1M-aligned objects

SLIDE 75-77

Heap pointer entropy in Edge

  0x5F48143540  advertised ASLR (24 bit): 64G; non-deterministic bits (+/- 36 bit): 256T (* redundancy)
  0x5F48100000  entropy after 1MB alignment (20 bit): 4G (* redundancy)

SLIDE 78-90

birthday problem (animated figure: the chance that one of many guessed addresses coincides with one of many allocated addresses grows much faster than for a single guess)

SLIDE 91-101

primitive #3: birthday heapspray

(figure: physical memory, attacker memory, victim memory; many attacker probe pages against many victim secret pages, until one pair is deduplicated, marked *)

SLIDE 102-106

Creating Secret Pages

  1M-aligned objects ... their array data spans whole pages: page, page, page, page
  each of those pages holds a different secret (an address to be leaked): secret A, secret B, secret C, ...

SLIDE 107-109

Creating Probe Pages

  typed array data filled with guessed aligned addresses, 128M apart: guess X, guess Y, guess Z, guess Q, ...
  (??? ??? ??? ...: the secret pages the guesses are matched against)

SLIDE 110-113

Birthday heap spray

  secret pages (allocated addresses): +1M, +1M, +1M, ...
  probe pages (guessed addresses):    +128M, +128M, +128M, ...
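The arithmetic behind the birthday heap spray, as an added example (not the talk's code). It covers two cases: S randomly placed secret slots against P guessed slots among R 1M-aligned candidates (the exact birthday bound), and the layout on the slides, where secrets are allocated back to back 1M apart and probes are spaced 128M apart. The 64G range and the 1M and 128M steps are taken from the slides; that the contiguous run of secrets lies entirely inside the probed range is an assumption:

```c
#include <stdint.h>
#include <stdio.h>

/* Exact probability that P distinct guessed slots hit at least one of S
 * distinct allocated slots when the S slots are spread uniformly over R
 * candidate slots: 1 - prod_{i=0}^{P-1} (R-S-i)/(R-i). */
double p_hit_random(uint64_t R, uint64_t S, uint64_t P) {
    if (R == 0 || S == 0 || P == 0) return 0.0;
    if (S + P > R) return 1.0;                 /* pigeonhole: they must overlap */
    double p_miss = 1.0;
    for (uint64_t i = 0; i < P; i++)
        p_miss *= (double)(R - S - i) / (double)(R - i);
    return 1.0 - p_miss;
}

/* The layout on the slides: secrets are allocated back to back (1M apart), so
 * they form one contiguous run of run_bytes somewhere in the randomised range;
 * probes are placed every `stride` bytes across the whole range. A run at
 * least `stride` long cannot miss every probe (assuming the run lies inside
 * the probed range), whatever the ASLR base turned out to be. */
typedef struct { uint64_t probes; int guaranteed; } spray_plan_t;

spray_plan_t plan_contiguous_spray(uint64_t range_bytes, uint64_t run_bytes, uint64_t stride) {
    spray_plan_t plan;
    plan.probes = (range_bytes + stride - 1) / stride;
    plan.guaranteed = run_bytes >= stride;
    return plan;
}

int main(void) {
    const uint64_t MB = 1ULL << 20;
    const uint64_t range = 1ULL << 36;         /* 64G: the 24-bit range from the slides */
    const uint64_t slots = range / MB;         /* 1M-aligned candidate addresses */
    printf("1M-aligned candidates in 64G: %llu\n", (unsigned long long)slots);
    for (uint64_t s = 64; s <= 4096; s *= 4)   /* random placement, S secrets vs S probes */
        printf("S=%4llu secret slots, P=%4llu random probes: P(hit) = %.3f\n",
               (unsigned long long)s, (unsigned long long)s, p_hit_random(slots, s, s));
    spray_plan_t plan = plan_contiguous_spray(range, 128 * MB, 128 * MB);
    printf("contiguous 128M of secrets, probes 128M apart: %llu probe pages, hit guaranteed: %s\n",
           (unsigned long long)plan.probes, plan.guaranteed ? "yes" : "no");
    return 0;
}
```

The contiguous case is why the spray on the slides needs only a few hundred probe pages: with 64G of range and probes 128M apart, 512 guesses cover the range, and a run of at least 128M of 1M-aligned secret objects guarantees that one of them is hit.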

SLIDE 114

Outline:

Deduplication
  • leak heap & code addresses
  • create a fake object

Rowhammer
  • create reference to our fake object

SLIDE 115-120

fake Uint8Array object (built inside array data)

pointer pivoting (figure: two JavaScript Arrays, each an array header pointing at its array data; the reference to one array header is redirected so that it points at the fake object inside the other array's data)

SLIDE 121-124

rowhammer attack (figure: DDR memory rows; repeated row activation of neighbouring rows disturbs a victim row and flips bits in it)

SLIDE 125-126

pointer pivoting (figure repeated: the Rowhammer bit flip in the reference makes it point at the fake object in array data)
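Pointer pivoting in miniature, as an added example (not the talk's or Chakra's code): a toy header/reference model in C in which the fake header is written inside the real array's data at the one address that differs from the real header's address in a single bit, and a simulated Rowhammer flip of that bit redirects the reference. The object layout, the flipped bit (bit 12), the offsets and the marker byte are assumptions; the real exploit depends on Chakra's actual object format and on which bit the DRAM happens to flip:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of a typed-array header: element count and backing store. */
typedef struct {
    uintptr_t  length;
    uint8_t   *base;
} array_header_t;

/* The reference whose pointer the Rowhammer bit flip will corrupt. */
typedef struct {
    array_header_t *header;
} js_ref_t;

#define PIVOT_BIT 12                        /* assumed flippable bit (page bit) */
#define REGION    (1u << (PIVOT_BIT + 1))   /* holds both real and fake header */
#define DATA_OFF  16                        /* array data starts after the header */

/* Build attacker memory: the genuine header at offset 0, its array data from
 * DATA_OFF onwards. The fake header is stored inside that array data, at the
 * one address that differs from the real header's address only in PIVOT_BIT. */
uint8_t *build_region(js_ref_t *ref) {
    uint8_t *region = aligned_alloc(REGION, REGION);
    if (!region) return NULL;
    memset(region, 0, REGION);

    array_header_t *real = (array_header_t *)region;
    real->length  = REGION - DATA_OFF;
    real->base    = region + DATA_OFF;
    real->base[0] = 0x41;                   /* constructed marker byte */

    /* base 0 turns every index into an absolute address: arbitrary read/write. */
    array_header_t fake = { .length = UINTPTR_MAX, .base = NULL };
    memcpy(region + (1u << PIVOT_BIT), &fake, sizeof fake); /* lands inside real->base[] */

    ref->header = real;
    return region;
}

/* Simulated Rowhammer: flip one bit in the stored pointer, nothing else. */
void flip_bit(js_ref_t *ref, unsigned bit) {
    uintptr_t p = (uintptr_t)ref->header;
    ref->header = (array_header_t *)(p ^ ((uintptr_t)1 << bit));
}

/* Element read the way an engine does it: bounds check against whatever header
 * the reference points at, then read base[idx]. After the pivot the header is
 * the fake one, so any address in the process is readable as an "element". */
int read_elem(const js_ref_t *ref, uintptr_t idx, uint8_t *out) {
    if (idx >= ref->header->length) return 0;
    *out = ref->header->base[idx];
    return 1;
}

int is_pivoted(const js_ref_t *ref) { return ref->header->length == UINTPTR_MAX; }

int main(void) {
    js_ref_t ref;
    uint8_t *region = build_region(&ref);
    if (!region) return 1;
    uint8_t b = 0;
    printf("before flip: read index 0x10000 -> %s\n",
           read_elem(&ref, 0x10000, &b) ? "ok" : "out of bounds");
    flip_bit(&ref, PIVOT_BIT);
    int ok = read_elem(&ref, (uintptr_t)(region + DATA_OFF), &b); /* absolute address as index */
    printf("after flip: pivoted=%d, read of region+%d -> %s 0x%02x\n",
           is_pivoted(&ref), DATA_OFF, ok ? "ok" : "out of bounds", b);
    free(region);
    return 0;
}
```

The reason the attacker sprays many such regions in the real attack is that the flippable bit is whatever the DRAM gives you: the fake object has to be present at the address reached by every bit the attacker might be able to flip in the reference.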

SLIDE 127

Rowhammer from JavaScript

  • Originally: no native bit flips on our DRAM chip (had to lower the default refresh rate).
  • Now: native bit flips (default settings).
  • Had to apply a number of optimizations (e.g., using JS worker threads).

SLIDE 128

Dedup mitigation

  • Disable memory deduplication
  • We've reported this issue to Microsoft and they have addressed it in MS16-092 (CVE-2016-3272), July 12th 2016, by disabling dedup (page combining).

  > Disable-MMAgent -PageCombining

(Check the current state with Get-MMAgent, which lists PageCombining among the memory manager settings.)

SLIDE 129

takeaways:

  • Dedup Est Machina: Memory deduplication is a weird machine, and a more powerful side-channel than previously thought.
  • Memory saving optimisations, both in hardware and in software, come at a price.
  • Even without bugs, reliable browser exploitation in JavaScript is possible, using dedup+rowhammer.

https://www.vusec.net/projects/dedup-est-machina