page fault liberation army
play

Page Fault Liberation Army Its turtles Turing machines all the way - PowerPoint PPT Presentation

Oct 10, 2022 •10 likes •760 views

Page Fault Liberation Army Its turtles Turing machines all the way down! Julian Bangert, Sergey Bratus, Rebecca .bx Shapiro Trust Lab Dartmouth College Sunday, February 17, 13 Page Fault Liberation l The x86 MMU is not just

  1. Page Fault Liberation Army It’s turtles Turing machines all the way down! Julian Bangert, Sergey Bratus, Rebecca “.bx” Shapiro Trust Lab Dartmouth College Sunday, February 17, 13

  2. “Page Fault Liberation” l The x86 MMU is not just a look-up table! l x86 MMU performs complex logic on complex data structures l The MMU has state and transitions that brilliant hackers put to unorthodox uses. l Can it be programmed with its data? YES Sunday, February 17, 13

  3. Disclaimer • Turing complete it’s just a way of describing what kind of computations an environment can be programmed to do (T.-c. = any kind we know, in theory) • Wish we had a more granular scale better suited to exploit power Sunday, February 17, 13

  4. Today’s Slogan Any sufficiently advanced/complex input data/metadata acts as “ bytecode ” to the system that must interpret it; that system acts as a “ virtual machine ” for that bytecode (!) Sunday, February 17, 13

  5. Sunday, February 17, 13

  6. ALL KINDS OF DATA FLOWS, CONTROL FLOWS, FEATURES, BUGS,... “BYTECODE/TAPE” Sunday, February 17, 13

  7. ABI Metadata Machines Sarah Inteman/John Kiehl Sunday, February 17, 13

  8. ELF relocation machine LD.SO CODE Sunday, February 17, 13

  9. ELF metadata machines Relocations + symbols: a program in ABI for automaton to patch images loaded at a different virtual address than linked for. Sunday, February 17, 13

  10. RTLD arithmetic r : s : • R_X86_64_COPY: memcpy(r.r_offset, s.st_value, s.st_size) R_X86_64_64: *(base+r.r_offset) = s.st_value +r.r_addend +base R_X86_64_RELATIVE: *(base+r.r_offset) = r.r_addend+base Sunday, February 17, 13

  11. See 29c3 talk by Rebecca “ .bx ” Shapiro, https://github.com/bx/elf-bf-tools Sunday, February 17, 13

  12. Hacker research inspirations • “Backdooring binary objects, klog [Phrack 56:9] • “Cheating the ELF”, the grugq [also Phrack 58:5] • PLT redirection, Silvio Cesare [Phrack 56:7, ...] • Injecting objects, mayhem [Phrack 61:8] • ElfSh/ ERESI team , http://eresi-project.org/ • LOCREATE, skape [Uninformed 6, 2007] • Rewriting (unpacking) of binaries using REL* Sunday, February 17, 13

  13. “Page Fault Liberation” Let’s take an old and known thing... Sunday, February 17, 13

  14. “Page Fault Liberation” ...and see how far we can make it can go! Sunday, February 17, 13

  15. “Page Fault Liberation” and perhaps others can take it further! Sunday, February 17, 13

  16. “Hacking is a practical study of computational models’ limits” • [Apologies for repeating myself] • “What Church and Turing did with theorems, hackers do with exploits” • Great exploits (and effective defenses!) reveal truths about the target’s actual computational model. Sunday, February 17, 13

  17. CPU MMU Write Read IDT Pagetables Stack GDT Sunday, February 17, 13

  18. Traps + Tables = weird machine? • unmapped/bad memory reference trap , based on page tables & (current) IDT • hardware writes fault info on the stack - where it thinks the stack is (address in TSS) • If we point “ stack ” into page tables, GDT or TSS, can we get the “tape” of a Turing machine? Sunday, February 17, 13

  19. Trap-based “Design Patterns” • Overloading #PF for security policy, labeling memory (e.g., PaX, OpenWall) • Combining traps to trap on more complex events (OllyBone, “fetch from a page just written”) • Using several trap bits in different locations to label memory for data flow control (PaX UDEREF, SMAP/SMEP use) • Storing extra state in TLBs (PaX PageExec) • “Unorthodox” breakpoints, control flow, ... Sunday, February 17, 13

  20. Segment descriptor: Global Descriptor Table (GDT) Address (”offset”) Default segment must lie within selector segment limit From: duartes.org/gustavo/blog/ Sunday, February 17, 13

  21. OpenWall • Solar Designer, 1999 Kernel • cf. "Stack Smashing for Fun and Profit" Segments • Stack Data CS limit 3GB - 8 MB (for stack) • Exec from the stack is trapped • Code Kill if current inst = RET • Very specific threat, allows JIT, etc. User • (And many other hardening patches) Sunday, February 17, 13

  22. Virtual Address Translation 0xDEADBEEF Linear Address: 1011011011 cr3 + 1101111010 111011101111 4 * 37a 2db 37a EEF 0x10000 Present + 4 * 2db 0x11111 0x1111 1EEF Physical Address = l All P bits set l Ring 3: All U/S bits have to be set l Write: All R/W bits have to be set l What if we violate these rules? Sunday, February 17, 13

  23. ITS A TRAP Sunday, February 17, 13

  24. PaX • PaX is an awesome Linux hardening patch • Many 'firsts' on real-world OS's, e.g. NX on Intel and ASLR (PaX in 2000, OpenBSD in 2003) • PaX has NX on all CPUs since the Pentium (Intel has hardware support since P4?) • SEGMEXEC and PAGEEXEC • Leverages difference between instruction and data memory paths Sunday, February 17, 13

  25. PaX NX : SegmExec Virtual • Instruction: Virtual address = Linear + CS.base • Data: VA= Linear + DS.base Code • 3GB user space • All Segment limits = 1.5 GB • Data access goes to lower half of VA space Data Linear • Instruction fetch goes to upper half of VA space Sunday, February 17, 13

  26. PaX NX : PageExec • “ split TLB ” (iTLB for fetches, dTLB for loads) [Plex86 1997, to detect self-modifying code: http://pax.grsecurity.net/docs/pageexec.old.txt ] • TLBs are not synchronized with page tables in RAM (manually flushed every time tables change) • NX ~ User/Supervisor bit Sunday, February 17, 13

  27. PageExec data lookup If U=1 Access TLB Not found Pagetable Always U=0 Set user bit, read one byte to #PF fault fill TLB, if EIP=addr, clear user bit it’s a fetch Terminate Sunday, February 17, 13

  28. OllyBone: Trap on end of unpacker • Debugger plugin to analyze (un)packers • Want to break execution on a memory range (so you trap every time you exec from a page after writing it ) • The idea goes back to Plex86 (before PaX) who tried to do virtualization that way http://www.joestewart.org/ollybone/ Sunday, February 17, 13

  29. ShadowWalker Phrack 63:8, BlackHat 2005, DEFCON 13 • When a rootkit detector scans the code (as data !), why not give a different page than when the code is executed? • Instead of having different User bits, we could also have different page frame numbers (trap on P=0 in pagetables) Sunday, February 17, 13

  30. What’s in a trap handler (let’s roll our own) Sunday, February 17, 13

  31. IDT entries: ... 8: #DF ... 14: #PF ... Sunday, February 17, 13

  32. Call through a Trap Gate 32 bit? nested interrupts? New code segment Like a FAR call of old. If the new segment is in a lower (i.e. higher privilege) Ring, we load a new SP . Sunday, February 17, 13

  33. Pushes parameters to “handler’s stack” These two are only pushed if we changed the stack ESP “IRET” instruction can return from this Sunday, February 17, 13

  34. What if this fails? • Stack invalid? • Code segment invalid? • IDT entry not present? Causes “ Double Fault ”(#8). “Triple fault” = Reboot Usually DF means OS bug, so a lot of state might be corrupted (i.e. invalid kernel stack) Sunday, February 17, 13

  35. Hardware Task Switching Can use it for #PF and #DF traps instead of Trap Gates TR Sunday, February 17, 13

  36. Task gate • (unused) mechanism for hardware tasking • Reloads (nearly) all CPU state from memory • Task gate causes task switch on trap Sunday, February 17, 13

  37. IDT -> GDT ->TSS IDT It still pushes the error code (addressed indirectly through GDT) GDT Sunday, February 17, 13

  38. Brief digression Intel Manual: Sunday, February 17, 13

  39. Brief digression Intel Manual: Bypass (all) paging from the kernel? VM Escape? Wouldn’t that be nice? Sunday, February 17, 13

  40. Sunday, February 17, 13

  41. Maybe we should actually verify it.. CPU translates DWORD by DWORD Sunday, February 17, 13

  42. (CC-BY-SA)Lizzie Bitty/DevianArt Sunday, February 17, 13

  43. Look Ma, it’s a machine! Sunday, February 17, 13

  44. A one-instruction machine Instruction Format: • “Decrement-Branch-If- Label = (X <-Y,A,B) Negative” • Turing complete (!) Label: X=Y • “ “ Computer Architecture: If X<4: A Minimalist Perspective” Goto B by Gilreath and Laplathe Else (~$200) X-=4 • Or Wikipedia :) Goto A Sunday, February 17, 13

  45. Implementation sketch: • If EIP of a handler is pointed at invalid memory, we get another page fault immediately; keep EIP invalid in all tasks • Var Decrement: use TSS’ SP , pushing the stack decrements SP by 4. • Branch: <4 or not? Implement by double fault when SP cannot be decremented Sunday, February 17, 13

  46. Dramatis Personae I • One GDT to rule them all • One TSS Descriptor per instruction, aligned with the end of a page • IDT is mapped differently, per instruction • A target (branch-not-taken) in Int 14, #PF • B target (branch taken) in Int 8, #DF Sunday, February 17, 13

  47. Dramatis Personae II • Higher half of TSS (variables) • Map A.Y, B.Y (the value we want to load for next instruction) at their TSS addresses • map X (the value we want to write) at the addr of the current task • So we have the move and decrement Sunday, February 17, 13

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Chinese Perspective Since 1990, the People s Liberation Army (PLA) has participated

The Chinese Perspective Since 1990, the People s Liberation Army (PLA) has participated

Participation of Force Enablers in UN Peacekeeping Operations: The Chinese Perspective Since 1990, the People s Liberation Army (PLA) has participated in a total of 23 UN peacekeeping operations, involving more than 24,000 military

130 views • 12 slides
Page Table Entry Page Fault Protection D R V Page frame number Exception raised by the MMU

Page Table Entry Page Fault Protection D R V Page frame number Exception raised by the MMU

11/1/2018 Page Table Entry Page Fault Protection D R V Page frame number Exception raised by the MMU indicating a requested virtual address is not in memory Dirty bit Referenced bit Valid bit Handling a Page Fault 1. Determine faulting

856 views • 4 slides
Let me begin with the easiest elements of my positionality in relation to liberation theologies. I

Let me begin with the easiest elements of my positionality in relation to liberation theologies. I

Feminist Liberation Theology Network What does liberation mean? Mayra Rivera Rivera Let me begin with the easiest elements of my positionality in relation to liberation theologies. I have engaged Latin American versions of liberation theology

394 views • 6 slides
Liberation of Concentration Camps L ocation: Oswiecim, Poland E stablished: May 26th1940

Liberation of Concentration Camps L ocation: Oswiecim, Poland E stablished: May 26th1940

Liberation of Concentration Camps L ocation: Oswiecim, Poland E stablished: May 26th1940 L iberation: January 27th, 1945, by the Soviet Army. E stimated number of victims: 2,1 to 2,5 million (This estimated number of death is

619 views • 26 slides
Sports Clubs liberation@eusa.ed.ac.uk Liberation Campaigns These campaigns exist to create a

Sports Clubs liberation@eusa.ed.ac.uk Liberation Campaigns These campaigns exist to create a

Inclusive Sports Clubs liberation@eusa.ed.ac.uk Liberation Campaigns These campaigns exist to create a space where self-defining students can come together, discuss the issues affecting them, and campaign Elliot - Trans and Non-Binary

372 views • 12 slides
1 Clock algorithm Least Recently Used (LRU) Same functionality as Assume pages used

1 Clock algorithm Least Recently Used (LRU) Same functionality as Assume pages used

Page replacement algorithms Page fault forces a choice No room for new page (steady state) Which page must be removed to make room for an Chapter 4: Memory Management incoming page? How is a page removed from physical memory?

853 views • 6 slides
Virtual Memory - III Effective Access Time (EAT) EAT = (1 p ) x memory access + p x (page

Virtual Memory - III Effective Access Time (EAT) EAT = (1 p ) x memory access + p x (page

CSC 4103 - Operating Systems Performance of Demand Paging Spring 2008 Page Fault Rate 0 p 1.0 if p = 0 no page faults Lecture - XVII if p = 1, every reference is a fault Virtual Memory - III Effective Access Time (EAT)

283 views • 3 slides
ARMY ARMY ARMY ARMY Timothy Park Timothy Park Timothy Park Timothy Park 2LT MC USAR 2LT MC

ARMY ARMY ARMY ARMY Timothy Park Timothy Park Timothy Park Timothy Park 2LT MC USAR 2LT MC

ARMY ARMY ARMY ARMY Timothy Park Timothy Park Timothy Park Timothy Park 2LT MC USAR 2LT MC USAR 2LT MC USAR 2LT MC USAR Overview of Army Graduate Education Largest program in the military Majority of Army physicians train in Army

559 views • 32 slides
Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault tolerant programming are: Fault Detection - Knowing that a fault exists Fault Recovery - having atomic instructions that can be rolled back in

361 views • 18 slides
Lt Col Stuart Hitchman TD Engagement team Army West Midlands What the Army does Army 2020

Lt Col Stuart Hitchman TD Engagement team Army West Midlands What the Army does Army 2020

Lt Col Stuart Hitchman TD Engagement team Army West Midlands What the Army does Army 2020 Protect the UK Fights the UKs enemies Prevent conflict Deal with disasters Contingency Operations Capacity UK resilience

959 views • 17 slides
Business 101: The Nuts &amp; Bolts of Starting a Games Studio Rachel Presser The Code Liberation

Business 101: The Nuts &amp; Bolts of Starting a Games Studio Rachel Presser The Code Liberation

The Code Liberation Foundation Lecture #: content Business 101: The Nuts &amp; Bolts of Starting a Games Studio Rachel Presser The Code Liberation Foundation Lecture #: content What is Code Liberation? A little about us. The Code Liberation

1.03k views • 65 slides
Army Career Program 53 (Medical) Aligning and Developing the Army's Medical Civilian

Army Career Program 53 (Medical) Aligning and Developing the Army's Medical Civilian

Army Career Program 53 (Medical) Aligning and Developing the Army's Medical Civilian Workforce to Support The Surgeon General's Strategic Campaign Objectives and Army Medicine Department's Mission Mrs. Carolyn Collins, Army Career

722 views • 46 slides
ARMY OneSource Training Chiropractors on Th I The Invisible Wounds of War i ibl W d f W

ARMY OneSource Training Chiropractors on Th I The Invisible Wounds of War i ibl W d f W

ARMY OneSource Training Chiropractors on Th I The Invisible Wounds of War i ibl W d f W ARMY OneSource A Partnership Between COCSA, Army OneSource and Army Community Covenant ARMY OneSource O eSou ce What is Army OneSource ? y

390 views • 20 slides
Explaining Liberation Psychology in English Mark Burton mark.burton@poptel.org

Explaining Liberation Psychology in English Mark Burton mark.burton@poptel.org

Explaining Liberation Psychology in English Mark Burton mark.burton@poptel.org http://libpsy.org @LiberationPsyEn Liberation Psychology 1 Another kind of critical psychology , that goes beyond mere criticism, and (re)constructs an

573 views • 9 slides
U.S. Army Combined Arms Center and Fort Leavenworth The Importance of an Army Ethic 20 November

U.S. Army Combined Arms Center and Fort Leavenworth The Importance of an Army Ethic 20 November

AMERICAS ARMY: OUR PROFESSION LIVING THE ARMY ETHIC United States Army Combined Arms Center Intellectual Center of the Army U.S. Army Combined Arms Center and Fort Leavenworth The Importance of an Army Ethic 20 November 2014 This

189 views • 15 slides
PEO EIS Connecting the Army. Working for Soldiers. AFCEA NOVA Army IT Day Jan. 21, 2020

PEO EIS Connecting the Army. Working for Soldiers. AFCEA NOVA Army IT Day Jan. 21, 2020

PEO EIS Connecting the Army. Working for Soldiers. AFCEA NOVA Army IT Day Jan. 21, 2020 Distribution Statement A. UNCLASSIFIED//Approved for Public Release AESIP MISSION Army Enterprise Systems Integration Program (AESIP) delivers innovative

749 views • 48 slides
CHEP 2010 How to harness the performance potential How to harness the performance potential of

CHEP 2010 How to harness the performance potential How to harness the performance potential of

CHEP 2010 How to harness the performance potential How to harness the performance potential of current Multi-Core CPUs and GPUs Sverre Jarp CERN openlab IT Dept. CERN CERN Taipei, Monday 18 October 2010 CHEP 2010, Taipei Contents

551 views • 42 slides
THREAD LEVEL PARALLELISM Mahdi Nazm Bojnordi Assistant Professor School of Computing University

THREAD LEVEL PARALLELISM Mahdi Nazm Bojnordi Assistant Professor School of Computing University

THREAD LEVEL PARALLELISM Mahdi Nazm Bojnordi Assistant Professor School of Computing University of Utah CS/ECE 6810: Computer Architecture Overview Announcement Homework 6 is due on Apr. 18 th This lecture Thread level parallelism

432 views • 18 slides
An ECDSA Processor for RFID Authentication Michael Hutter, Martin Feldhofer, and Thomas Plos

An ECDSA Processor for RFID Authentication Michael Hutter, Martin Feldhofer, and Thomas Plos

VLSI Institute for Applied Information Processing and Communications (IAIK) VLSI &amp; Security An ECDSA Processor for RFID Authentication Michael Hutter, Martin Feldhofer, and Thomas Plos Workshop on RFID Security 2010 07. - 09.06.2010,

1.12k views • 17 slides
we have been assuming that the data collections we

we have been assuming that the data collections we

we have been assuming that the data collections we have been manipulating were entirely stored in memory. In practice, this is

1.24k views • 92 slides
ss 6 Cl Class CSC 472/583 Software Security Return-oriented programming (ROP) Dr. Si Chen

ss 6 Cl Class CSC 472/583 Software Security Return-oriented programming (ROP) Dr. Si Chen

ss 6 Cl Class CSC 472/583 Software Security Return-oriented programming (ROP) Dr. Si Chen (schen@wcupa.edu) Compile the code gcc -m32 fno-stack-protector z execstack o ./overflow2 ./overflow2.c Page 2 No eXecute (NX) -z

636 views • 37 slides
Theory of Computation Course note based on Computability, Complexity, and Languages: Fundamentals

Theory of Computation Course note based on Computability, Complexity, and Languages: Fundamentals

A Universal Program (4) Theory of Computation Course note based on Computability, Complexity, and Languages: Fundamentals of Theoretical Computer Science , 2nd edition, authored by Martin Davis, Ron Sigal, and Elaine J. Weyuker. course note

832 views • 48 slides
Debugger Usage at HRSK 2009-03-19 Zellescher Weg 12 Willers-Bau A106 Tel. +49 351 - 463 - 31945

Debugger Usage at HRSK 2009-03-19 Zellescher Weg 12 Willers-Bau A106 Tel. +49 351 - 463 - 31945

Center for Information Services and High Performance Computing (ZIH) Debugger Usage at HRSK 2009-03-19 Zellescher Weg 12 Willers-Bau A106 Tel. +49 351 - 463 - 31945 Matthias Lieber (Matthias.Lieber@tu-dresden.de) Why using a Debugger? Your

759 views • 47 slides
LHC An invitation to further reading. Mike Lamont CERN/AB 1 CERNs accelerators LHC 2 LHC

LHC An invitation to further reading. Mike Lamont CERN/AB 1 CERNs accelerators LHC 2 LHC

LHC An invitation to further reading. Mike Lamont CERN/AB 1 CERNs accelerators LHC 2 LHC LHC 3 LHC - overview Eight sectors plus: Point 1: Atlas Point 2: Alice, injection Point 3: Momentum cleaning Point 4: RF Point 5: CMS Point 6:

897 views • 60 slides

More recommend