strolling into ring 0 via i o kit drivers
play

STROLLING INTO RING-0 via i/o kit drivers @patrickwardle WHOIS - PowerPoint PPT Presentation

Feb 16, 2024 •166 likes •648 views

STROLLING INTO RING-0 via i/o kit drivers @patrickwardle WHOIS security for the 21st century leverages the best combination of humans and technology to discover security vulnerabilities in our customers web apps, mobile apps, IoT

  1. STROLLING INTO RING-0 via i/o kit drivers @patrickwardle

  2. WHOIS security for the 21st century “ leverages the best combination of humans and technology to discover security vulnerabilities in our customers’ web apps, mobile apps, IoT devices and infrastructure endpoints ” career hobby @patrickwardle

  3. O UTLINE ring-0 via i/o kit motivations understanding i/o ring-0/kext bugz kit exploitation wrap it up!

  4. MOTIVATIONS need ring-0 (and $$!?)

  5. T HE 'G OOD O LD D AYS ' basically; no protections hacking used to be easier } } no no no 
 code-signing sandbox sip a single exploit was enough to fully compromise a system (and allow for the installation of a persistence implant)

  6. T IMES H AVE C HANGED kernel mode coded execution, a must? kernel bug } kernel bug escape sandbox 
 › bypass code-signing 
 › circumvent sip › full persistence and capabilities! yes yes yes 
 sandbox code-signing sip no kernel bug? ...gtfo :/

  7. T IMES H AVE C HANGED kernel mode coded execution -> $$$ Apple (iOS) bug bounty program

  8. (some of) google p0 kernel bugs W HERE T O L OOK ? where the bugs at? El Capitan 10.11.6 patched kernel bugs: CVE-2016-4625 › › CVE-2016-4626 
 › CVE-2016-4633 › CVE-2016-4634 
 › CVE-2016-4647 
 › CVE-2016-4648 
 CVE-2016-4653 › all bugs in I/O Kit drivers

  9. I/O Kit understanding ...

  10. I/O K IT XNU's device driver environment "Apple’s object-oriented framework for developing device drivers for OS X" -apple.com implemented in C++ i/o kit resources › object-oriented › " Mac OS X and iOS Internals " 
 › " OS X and iOS Kernel Programming " 
 › " IOKit Fundamentals " (apple.com) self-contained, runtime environment

  11. I/O K IT C OMPONENTS user & kernel mode pieces maintained in kernel memory (query-able from user-mode) } 'device' drivers 3rd-party drivers (firewalls, etc) i/o registry ring-0 ring-3 "The user-space API though which a process communicates with a kernel driver is provided by a framework known as 'IOKit.framework'" - OS X & iOS Kernel Programming

  12. I/O R EGISTRY database of objects (& properties) IORegistryExplorer "a multi-layered hierarchical database, tracking both the [i/o kit] objects and their interrelations" 
 - Mac OS X and iOS Internals

  13. 
 I/O K IT D RIVER a basic template/example #include <IOKit/IOLib.h> #define super IOService OSDefineMetaClassAndStructors(com_osxkernel_driver_IOKitTest, IOService) bool com_osxkernel_driver_IOKitTest::init(OSDictionary* dict) { Xcode template bool res = super::init(dict); IOLog("IOKitTest::init\n"); return res; } IOService* com_osxkernel_driver_IOKitTest::probe(IOService* provider, SInt32* score) { IOService *res = super::probe(provider, score); IOLog("IOKitTest::probe\n"); return res; } $ sudo kextload IOKitTest.kext bool com_osxkernel_driver_IOKitTest::start(IOService *provider) { bool res = super::start(provider); $ grep IOKitTest /var/log/system.log IOLog("IOKitTest::start\n"); users-Mac kernel[0]: IOKitTest::init return res; users-Mac kernel[0]: IOKitTest::probe } users-Mac kernel[0]: IOKitTest::start sample i/o kit driver load kext; output

  14. I/O K IT 'inter-ring' communications serial port driver other i/o kit drivers ring-0 ring-3 I/O Kit Framework find driver; then: read/write 'properties' open(/dev/xxx) or read() / write() today's focus send control requests

  15. I/O K IT connecting to a driver (service) //initializations " called automatically by initWithTask(owningTask, ..., type, ...) I/O Kit when a user process attempts to › can verify (user) client connect to [a] service. " -apple.com //init class, invoke initWithTask() newUserClient(owningTask, ..., type, ...) › instantiate class › invoke class->initWithTask(); ring-0 ring-3 IOServiceOpen(...)

  16. I/O K IT invoking driver methods //check params, invoke method super::externalMethod(..., dispatch, ...) } method_0(); dispatch (method) method_1(); //look up method, invoke super externalMethod(selector, ...) › dispatch = methods[selector] method_2(); ring-0 ring-3 selector (method index)

  17. I/O K IT example driver interface const IOExternalMethodDispatch com_osxkernel_driver_IOKitTestUserClient::sMethods[kTestUserClientMethodCount] = { //kTestUserClientStartTimer(void); array of 'callable' methods {sStartTimer, 0, 0, 0, 0}, //kTestUserClientDelayForTime(const TimerValue* timerValue); {sDelayForTime, 0, sizeof(TimerValue), 0, 0}, 
 entry point, user-mode requests }; IOReturn com_osxkernel_driver_IOKitTestUserClient::externalMethod (uint32_t selector, IOExternalMethodArguments* arguments, IOExternalMethodDispatch* dispatch, OSObject* target, void* reference) { 
 forward request to super, 
 //ensure the requested control selector is within range if(selector >= kTestUserClientMethodCount) which routes to method return kIOReturnUnsupported; dispatch = (IOExternalMethodDispatch*)&sMethods[selector]; target = this; reference = NULL; return super::externalMethod(selector, arguments, dispatch, target, reference); } i/o kit driver interface

  18. I/O K IT IOExternalMethodDispatch struct function pointer & param descriptors IOUserClient.h struct IOExternalMethodDispatch { IOExternalMethodAction function; //function pointer uint32_t checkScalarInputCount; //number of scalar inputs uint32_t checkStructureInputSize; //size of struct input uint32_t checkScalarOutputCount; //number of scalar outputs uint32_t checkStructureOutputSize; //size of struct output }; const IOExternalMethodDispatch ::sMethods[kTestUserClientMethodCount] = { ... {sDelayForTime, 0, sizeof(TimerValue), 0, 0} .function = sDelayForTime; }; .checkScalarInputCount = 0; .checkStructureInputSize = sizeof(TimerValue); .checkScalarOutputCount = 0; .checkStructureOutputSize 0; " The checkScalarInputCount, checkStructureInputSize, checkScalarOutputCount, and checkStructureOutputSize fields allow for sanity-checking of the argument list before passing it along to the target object. " -apple.com

  19. I/O K IT super's externalMethod() only checks sizes (not values) IOReturn IOUserClient::externalMethod( uint32_t selector, IOExternalMethodArguments * args, IOExternalMethodDispatch * dispatch, OSObject * target, void * reference ) { count = dispatch->checkScalarInputCount; check scalar input if((kIOUCVariableStructureSize != count) && (count != args->scalarInputCount)) return (kIOReturnBadArgument); count = dispatch->checkStructureInputSize; if((kIOUCVariableStructureSize != count) && (count != ((args->structureInputDescriptor) check struct input ? args->structureInputDescriptor->getLength() : args->structureInputSize))) { return (kIOReturnBadArgument); } count = dispatch->checkScalarOutputCount; check scalar output if((kIOUCVariableStructureSize != count) && (count != args->scalarOutputCount)) return (kIOReturnBadArgument); count = dispatch->checkStructureOutputSize; if ((kIOUCVariableStructureSize != count) && (count != ((args->structureOutputDescriptor) check struct output ? args->structureOutputDescriptor->getLength() : args->structureOutputSize))) { return (kIOReturnBadArgument); } finally, call method :) err = (*dispatch->function)(target, reference, args);

  20. 
 I/O K IT user 'client' (find/connect) 'service name' : $ ioreg -c IOService com_osxkernel_driver_IOKitTest com_osxkernel_driver_IOKitTesT { "CFBundleIdentifier" = "com.osxkernel.IOKitTest" "IOMatchCategory" = "com_osxkernel_driver_IOKitTest" "CFBundleIdentifer" = "com.osxkernel.IOKitTest" "IOResourceMatch" = "IOKit io_connect_t driverConnection = 0; } //open connection 'ioreg' output IOServiceOpen(service, mach_task_self(), 0, &driverConnection); open/create connection mach_port_t masterPort = 0; io_service_t service = 0; 
 //get master port IOMasterPort(MACH_PORT_NULL, &masterPort); //get matching service service = IOServiceGetMatchingService(masterPort, IOServiceMatching("com_osxkernel_driver_IOKitTest")); 'finding' i/o kit driver

  21. I/O K IT user 'client' (send request) IOKitLib.h kern_return_t IOConnectCallStructMethod(mach_port_t connection, uint32_t selector, const void *inputStruct, size_t inputStructCnt, void *outputStruct, size_t *outputStructCnt); or kern_return_t IOConnectCallScalarMethod(mach_port_t connection, uint32_t selector, const uint64_t *input, uint32_t inputCnt, uint64_t *output, uint32_t *outputCnt); IOConnectCall* methods struct TimerValue { uint64_t time, uint64_t timebase; }; struct TimerValue timerValue = { .time=500, .timebase=0 }; selector //make request to driver 
 IOConnectCallStructMethod(driverConnection, kTestUserClientDelayForTime, timerValue, sizeof(TimerValue), NULL, 0); send request (w/ struct) " OS X & iOS Kernel Programming" 
 (chapter 5)

  22. FINDING AN I/O KIT DRIVER BUG target: little snitch (v 3.6)

  23. A UDITING I/O K IT D RIVERS * a basic plan of attack find a target I/O kit driver enumerate dispatch methods & their parameters fuzz, or manually analyze *here, we're focusing on auditing driver's dispatch methods

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Virtual ring routing Virtual ring routing Some slides from http://

Virtual ring routing Virtual ring routing Some slides from http://

Virtual ring routing Virtual ring routing Some slides from http:// research.microsoft.com/en-us/um/people/antr/vrr- sigcomm06.ppt 123 VRR: the virtual ring VRR: the virtual ring topology-independent 0 FFF node identifiers, e.g., MAC

694 views • 18 slides
Ring A Vaginal Ring Containing Dapivirine for HIV-1 PrEP Ring Study: Background Study Design:

Ring A Vaginal Ring Containing Dapivirine for HIV-1 PrEP Ring Study: Background Study Design:

A Vaginal Ring Containing Dapivirine for HIV-1 PrEP Ring A Vaginal Ring Containing Dapivirine for HIV-1 PrEP Ring Study: Background Study Design: Ring Background : Randomized, double-blind, phase 3, placebo-controlled trial of a

341 views • 6 slides
Hardware and Device Drivers Device virtualization Device drivers and security Bjrn

Hardware and Device Drivers Device virtualization Device drivers and security Bjrn

Outline Faculty of Computer Science Institute for System Architecture, Operating Systems Group What's so different about device drivers? Hardware access Writing device drivers on L4 Reuse of legacy drivers Hardware and Device

619 views • 12 slides
Understanding Modern Device Drivers Why study device drivers? Linux drivers constitute ~5

Understanding Modern Device Drivers Why study device drivers? Linux drivers constitute ~5

3/6/12 Understanding Modern Device Drivers Why study device drivers? Linux drivers constitute ~5 million LOC and 70% of kernel Little exposure to this breadth of driver code from research Better understanding of drivers can lead to

484 views • 14 slides
lattice element example in the Recycler Ring octupole 14 0.00000 0.33083E-01 0.0000E+00

lattice element example in the Recycler Ring octupole 14 0.00000 0.33083E-01 0.0000E+00

Crystal Extraction from the Recycler Ring A.I. Drozhdin Fermi National Accelerator Laboratory P.O. Box 500, Batavia, Illinois 60510 May 31, 2012 1 Recycler Ring Lattice The choices to install the crystal in the Recycler Ring would be

427 views • 13 slides
New criteria for a ring to have a semisimple left quotient ring V. V. Bavula (University of

New criteria for a ring to have a semisimple left quotient ring V. V. Bavula (University of

New criteria for a ring to have a semisimple left quotient ring V. V. Bavula (University of Sheffield) V. V. Bavula, New criteria for a ring to have a semisim- ple left quotient ring. Arxiv:math.RA:1303.0859. talk-NewCrit-SS-lQuot.tex 1

359 views • 15 slides
A05: Quantum cr A05: Quantum crystal and ring e ystal and ring exchange change Novel magnetic

A05: Quantum cr A05: Quantum crystal and ring e ystal and ring exchange change Novel magnetic

A05: Quantum cr A05: Quantum crystal and ring e ystal and ring exchange change Novel magnetic stat No el magnetic states es induced b induced by ring e ring exchange change Members: Tsutomu Momoi (RIKEN) Kenn Kubo (Aoyama Gakuinn Univ.)

489 views • 31 slides
T / U T proves we utter the phrase Let R be a ring.. A surprising observation is that the

T / U T proves we utter the phrase Let R be a ring.. A surprising observation is that the

The generic model Nongeometric properties A systematic source A topos-theoretic Nullstellensatz This talk in a nutshell: There is a certain ring, the generic ring , which is special in that it is conserva- tive : It has exactly

855 views • 26 slides
100 Drivers of Change for the Accountancy Profession DRIVERS OF CHANGE . ACCA Accountancy

100 Drivers of Change for the Accountancy Profession DRIVERS OF CHANGE . ACCA Accountancy

100 Drivers of Change for the Accountancy Profession DRIVERS OF CHANGE . ACCA Accountancy Futures Academy The global body for professional accountants THE DRIVERS AND THEIR IMPORTANCE Turbulence is the new normal Constant

614 views • 22 slides
EU -Russia/Ukraine: from Ring of Friends to Ring of Fire? The European Union:

EU -Russia/Ukraine: from Ring of Friends to Ring of Fire? The European Union:

EU -Russia/Ukraine: from Ring of Friends to Ring of Fire? The European Union: challenges and strategic responses Colloquium 27 October 2015 Dr. Graeme P. Herd , Professor of Transnational Security Studies, George C. Marshall

344 views • 9 slides
From ring epimorphisms to universal localisations joint with Jorge Vitoria I. Ring epimorphisms

From ring epimorphisms to universal localisations joint with Jorge Vitoria I. Ring epimorphisms

From ring epimorphisms to universal localisations joint with Jorge Vitoria I. Ring epimorphisms II. Universal localisations III. Recollements Throughout, A will denote a ring (with unit) and K a field. I. Ring epimorphisms Ring epimorphisms

418 views • 5 slides
Linux Device Drivers Linux Device Drivers Kernel 2.6 1. Introduction Dr. Wolfgang Koch 2.

Linux Device Drivers Linux Device Drivers Kernel 2.6 1. Introduction Dr. Wolfgang Koch 2.

Linux Device Drivers Linux Device Drivers Kernel 2.6 1. Introduction Dr. Wolfgang Koch 2. Kernel Modules Friedrich Schiller University Jena 3. Char Drivers Department of Mathematics and 4. Advanced Char Drivers Computer Science 5.

531 views • 12 slides
Magnet neto-pl plasmonic asmonic Au/ u/Tb Tb 18 18 Co Co 82 82 nano nano-ring ring res

Magnet neto-pl plasmonic asmonic Au/ u/Tb Tb 18 18 Co Co 82 82 nano nano-ring ring res

Magnet neto-pl plasmonic asmonic Au/ u/Tb Tb 18 18 Co Co 82 82 nano nano-ring ring res esona onator tors s Initial patterning and update by Agn iuiulkait Uppsala University Motivation Fabricate magneto-plasmonic

321 views • 28 slides
Sicherheitsunterweisung fr Operateure fr den AEB Ring-HF im BG1.016 Sicherheitsbelehrung AEB

Sicherheitsunterweisung fr Operateure fr den AEB Ring-HF im BG1.016 Sicherheitsbelehrung AEB

Sicherheitsunterweisung fr Operateure fr den AEB Ring-HF im BG1.016 Sicherheitsbelehrung AEB Ring-HF 1 Elektrische Anlagen im AEB Ring HF BG1016 Sicherheitsbelehrung AEB Ring-HF 2 Elektr. Anlagen im BG1016 Netzgerte fr

290 views • 17 slides
Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded

Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded

Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded Regev Noah Stephens-Davidowitz (to appear, STOC17) 10 March 2017 1 / 14 Lattice-Based Cryptography p d o m x g = y N = = p m

1.08k views • 82 slides
thickened, specialized segments. Secrete a mucus ring into which egg and sperm are released

thickened, specialized segments. Secrete a mucus ring into which egg and sperm are released

A clitellum is a band of thickened, specialized segments. Secrete a mucus ring into which egg and sperm are released After eggs are fertilized in the ring, the ring slips off the worm's body and forms a protective cocoon.

218 views • 7 slides
Welcome to the Cyber Risk Insights Conference! Welcoming Remarks Rebecca Bole EVP &amp;

Welcome to the Cyber Risk Insights Conference! Welcoming Remarks Rebecca Bole EVP &amp;

Welcome to the Cyber Risk Insights Conference! Welcoming Remarks Rebecca Bole EVP &amp; Editor-in-Chief Advisen Leading the way to smarter and more efficient risk and insurance communities, Advisen delivers: The right information into The

861 views • 60 slides
Earnings Release FY 2020 &amp; Q4 2020 Results July 30, 2020 Business Results Fiscal Year

Earnings Release FY 2020 &amp; Q4 2020 Results July 30, 2020 Business Results Fiscal Year

Earnings Release FY 2020 &amp; Q4 2020 Results July 30, 2020 Business Results Fiscal Year 2020 IMMEDIATE PRIORITIES 1. Ensuring the health and safety of the men and women of P&amp;G around the world. 2. Maximizing the availability of

912 views • 40 slides
Data Driven Bug Bounty Arkadiy Tetelman (@arkadiyt) Agenda Program logistics @ Twitter,

Data Driven Bug Bounty Arkadiy Tetelman (@arkadiyt) Agenda Program logistics @ Twitter,

Data Driven Bug Bounty Arkadiy Tetelman (@arkadiyt) Agenda Program logistics @ Twitter, Airbnb Running a data driven program Methodology Questions Program Logistics - Twitter Single public program Soft launch

930 views • 20 slides
Lecture 1: Introduction to Computer Security RK Shyamasundar Aims Provide a thorough

Lecture 1: Introduction to Computer Security RK Shyamasundar Aims Provide a thorough

Lecture 1: Introduction to Computer Security RK Shyamasundar Aims Provide a thorough understanding of Policy (what are being protected) Mechanisms (authentication, authorization, auditing/monitoring, ) Attacks (vulnerabilities,

629 views • 33 slides
Contracting Tensor Network on a Noisy Quantum Computer Isaac H. Kim Stanford Institute for

Contracting Tensor Network on a Noisy Quantum Computer Isaac H. Kim Stanford Institute for

Contracting Tensor Network on a Noisy Quantum Computer Isaac H. Kim Stanford Institute for Theoretical Physics September 13th, 2018 arXiv:1703.02093, arXiv:1703.00032, arXiv:1711.07500(w. Brian Swingle(UMD)) + some unpublished tidbits Before

644 views • 33 slides
Ramping up Security at an open-source startup Lukas Reschke whois lukas@cloud.wtf owncloud.org

Ramping up Security at an open-source startup Lukas Reschke whois lukas@cloud.wtf owncloud.org

Ramping up Security at an open-source startup Lukas Reschke whois lukas@cloud.wtf owncloud.org 2 whois lukas@owncloud.com 1/31/16 3 Not much other hobbies Fixed a lot of stuff Employed since 2014 Contributor since 2012 1/31/16 4 The

606 views • 56 slides
1 For the love of money is a root of all kinds of evils. It is through this craving that some

1 For the love of money is a root of all kinds of evils. It is through this craving that some

COUNTING IT ALL GARBAGE Part 5: Spending - 05.16.10 PLAY Count It All Play: Count It All Garbage Video Clip [2:00] Garbage {2:00] Intro: We re now into part 5 of this sermon series. Garbage is anything that comes between us and

659 views • 4 slides
Tcl Bounties November 16, 2016 Tcl Bounties FlightAware is offering a number of bounties for

Tcl Bounties November 16, 2016 Tcl Bounties FlightAware is offering a number of bounties for

Tcl Bounties November 16, 2016 Tcl Bounties FlightAware is offering a number of bounties for various enhancements, fixes, etc, for Tcl and/or Tcl extensions Donal referred to this as a series of Grand Challenges. Recognizing a golden

394 views • 27 slides

More recommend