At Arms Length h2hc 2013

7/23/2019 At Arms Length h2hc 2013

http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 1/40

At ARMs Le Yet So Far AB

Open Source S

O



&he Story o' ()R*)+)% and

o



hat is it/

• ARM port o' two o' 0a+1s crucial arch2speci3c 4ernel sprotection 'eatures

• -)R)F5 pre6ents accidental78alicious direct userlan6ia the 4ernel

• *LL dere's

• 0oorly2chosen 98agic: poisoned pointers

•OOB inde; < tri6ially 'orged structs =0)RF>)?)*&S@

• ()R*)+)%5 re8o6e R+ 8e8ory 'ro8 the 4ernel

• I8plies no e;ecution o' userland 8e8ory

• 0rotects against eecti6ely2R+ 8e8ory 6ia 6irtual aliases

• Allows 'or read2only protection abo6e and beyond si8ple co



hy/

• pstrea8 4ernel sel'2protection 'eatures are non2e;

• So8e 6endor 4ernels ha6e %O*FIC>S&RI%&>M)MOR

• %on3g description is a lie

• I8ple8entation is a Do4e

• Lets 6endors 8ar4 a chec4bo;

• Sel'2de8onstrate Euic4ly applying security conceptsarch 8ostly 9new: to 8e, ar8ed only with the 8an

• Spite

• See last year1s $$% presentation



Beginning steps

• AcEuired an Arndale de6elop8ent board =with Linar

userland@

• Sa8sung );ynos, ARM6G, %orte; A"



Beginning steps

• Started with ARM6G since it supports 0ri6ileged );e*e6er =0+*@

• &hin4 ;H SM)0

• 0+* didn1t e;ist upstrea8 yet, so I wanted to add support

• Focused on Large 0hysical Address );tension =L0A)

3rst• #2le6el paging structures instead o' 2le6el

• More uni'or8 layout o' 3elds =easier to wor4 with@

• &hin4 ;H 0A)



()R*)+)% on ARM L0A)

•arch7ar8788788u.c handles setup o' protections on 8ost 8appings

• 8e8>types array J base do8ain7page protection in'or8ation 'or eadescriptors

• build>8e8>type>table=@ J a8ends in'or8ation in 8e8>types with abased on %0 capabilities

• Most used is M&>M)MORY, used 'or R+ 4ernel 8appings

• %o8pletely eli8inated, replaced with M&>M)MORY>R and M&>M)M'ail sa'ely during 'orward porting

• Modi3ed 4ernel lin4er script to group up sections with sa8e

• Boot with wea4ened protections on the 4ernel i8age, loc4 iprotections when 'reeing init8e8

• >>read>only



()R*)+)% on ARM L0A)

• 0roble8 0a+ allows te8porary suppression o' pageprotections to allow pri6ileged code to write to readareas

• pa;>open>4ernel=6oid@ 7 pa;>close>4ernel=6oid@

• L0A) see8ingly oers no way to do this as on ;H

• %reating te8porary aliases would reEuire per2cpu pgds to

• ould need to 8uddy up all open7close calls with argu8enwould be co8pletely ignored on ;H

• 0unted on this

• Mo6ed on to L0A) -)R)F, but this set the seed 'or an apwould wor4 'or 8ost 8odern ARM users



-)R)F on ARM L0A)

• Modules are located at !;BF!!!!!!, need to 8o6e &ranslation &able Base Register =&&BR@ granularity

• *ow &&BR! 'ully co6ers userland, &&BR" 'ully co6er4ernelland

• %an disable userland access by disabling &&BR! andASI-

!;c!!!!!!!!;b'!!!!!!

(ernel(ernel

serland serland



-)R)F on ARM L0A)

• 0er'or8ed a Euic4 test de8onstrating pre6ious tech

need 'or changing ASI-

• Mo6ed on at this point

• Cot laNy and didn1t 'eel li4e rewriting ASI- generation cod

• Started disli4ing L0A) already 'or its inability to support th()R*)+)%

•%ould split ASI- space in hal', or perhaps so8ething s8ar

• I disco6ered a'ter writing the blog that the pre6iousdescription co6ers e;actly how Apple iOS1 -)R)F2'eature wor4s



()R*)+)% 'or ARM6<

•Able to reuse 8ost o' the wor4 put into ()R*)+)% '• %07L0A)2speci3c details 8ostly abstracted out by use o'

• 0M->S)%&>R-O*LY

• Found an upstrea8 de3ciency here

• On ARM6G we can still use 0+* to pre6ent userland'ro8 4ernel

• It1s not as 3ne2grained as with L0A), but it ends up not 8a

• ithout L0A), we ha6e a 8uch 8ore power'ul 'eatue;ploit

• -o8ains



()R*)+)% 'or ARM6<

•-o8ain Access %ontrol Register =-A%R@

• " do8ains =Linu; only uses #@

• )ach do8ain supports se6eral access types5

• -OMAI*>*OA%%)SS J reDect access regardless o' page prote

• -OMAI*>%LI)*& J obey nor8al page protections

• -OMAI*>MA*AC)R J ignore any page protections

• -o8ain is a P2bit 3eld in page table entries

• I8portant5 do8ain also included in &LB entry, -A%Rconsulted

15 14 13 12 1

1

10 9 8 7 6 5 4 3 2 1 0



()R*)+)% 'or ARM6<

•-o8ains are an e;tre8ely power'ul 'eature• Ability to bloc4 access to nearly2arbitrary 8e8ory ranges7

8e8ory on a per2%0 basis

• 0ossible ()R*S)AL uses

• hat else could you thin4 o' 'or this/

• For ()R*)+)%, 8ain use is to sol6e the

pa;>open7close>4ernel proble8• Set access o' 4ernel do8ain to -OMAI*>MA*AC)R on ope

• Switch bac4 to -OMAI*>%LI)*& access on close

• ButQ.



-)R)F 'or ARM6<

•

Again using do8ains• pgalloc.h5de3ne >0AC)>S)R>&ABL) =0M->&Y0)>&ABL) 0M

0M->-OMAI*=-OMAI*>S)R@@

• So by setting the user do8ain to -OMAI*>*OA%%)SS, we cut to userland

• (ernel has appro6ed userland accessors

• copy>>user=@

• strnlen>'ro8>user=@

• csu8>partial>copy>'ro8>user=@

• Q

• Introduce pa;>open>userland=@ and pa;>close>userland



-)R)F 'or ARM6<

(ernel

serland

(ernel

serland

(ernel

serland

(e

se

);ecuting in userlandA8bient 4ernelper8issions

serland accessorcopying to userland=S)R>-S@

Interrcode interruserlaacces

(ernel

serland

serland accessorcopying to 4ernel=()R*)L>-S@



()R*)+)%7-)R)F 'or ARM6

• ?ia do8ains we achie6e protection eEui6alent to 0a()R*)+)%7-)R)F on i#H

• &his 8a4es pipacs and 8ysel' happy

• I hate the shadow region on the non20%I- 6ersion o' a8d

• ith both 'eatures enabled, ". per'or8ance hit oin *CI*+ Bench8ar4 ".!.".", below stdde6 o' test

• &his per'or8ance can be i8pro6ed 'urther, 8y asse8bly w'or clarity



*otes on #."! upstrea8 ARM 3

•Special page installed into each tas4, sigreturn stubs locsyste82wide 9rando8: oset within that page

• Installed page is subDect to 88ap rando8iNation

• I don1t 4now o' any userland that can wor4 without the 4helpers, reEuiring one to enable the option that adds the

• Lea6es 3;ed2address 6ector 8ap accessible

•

&hese helpers are still necessarily at 3;ed addresses =than4s toglibc7toolchain@

• My Linaro user perhaps needs the 'ewest, Dust get>tls=@

• (ernel address lea4s 'ro8 the 6ector page should be dea

• Rele6ant code7data 8o6ed to an adDacent 4ernel2only page



Our ARM 6ector page 3;es

• As part o' ()R*)+)% wor4, 4ernel R+ on the 6ecto6irtual aliasing =one R, another R+@ was eli8inate

• *o special page installed into each tas4 'or sigretur

• (ernel controls the address o' the sigreturn stub userland e;ecute

• niEue rando8 inaccessible 4ernel address assigned to ea88u>conte;t struct

• e cause userland to try to e;ecute at this rando8 addres'ault, and per'or8 the sigreturn

• ?ector page is inaccessible to userland

• e e8ulate get>tls=@ in the 4ernel



&esting

• 0re6ious 8entioned 4ernel 9bac4doors: to trigger e;p

acti6ity

• %reated page table du8per 'or both short and long 8odescriptor 'or8at

• L0A)5 https577grsecurity.net7Tspender748aps2ar826.c

• L0A)5 https577grsecurity.net7Tspender748aps2ar82lpae.c

• ses 7de678e8

• Finds and reports pages o' 8e8ory that are R+ through 6irt

• ?eri3ed 'ull re8o6al o' R+ 'ro8 the 4ernel

• ?eri3ed inability to e;ecute7access userland directly 'r4ernel

https://grsecurity.net/~spender/kmaps-arm-v6.c

https://grsecurity.net/~spender/kmaps-arm-lpae.c










&estingroot5TU .7test

0a+5 (ernel tried to access userland 8e8ory at !;!!!!H!"!, 'srV!!

Internal error5 5 ! W"X 0R))M0& SM0 ARM

Modules lin4ed in5

%05 ! *ot tainted =#.G."2grsec2!!!G"2gac"Pbd2dirty P@

pc 5 WZc!aP[X lr 5 WZc!bP[X psr5 !!!!!"#

sp 5 eeHPG'! ip 5 #!cG#HGd 'p 5 !!!!!!!!

r"!5 !!!!!!!! r 5 eeHP!!! rH 5 c!!"H

rG 5 !!!!!!d r 5 !!!!Ga r 5 b#!aGHH rP 5 !!!!!!!!

r# 5 !!!!H!!! r 5 P!!!#!!! r" 5 b#!aHcP r! 5 !!!!GaFlags5 n\%6 IR]s on FI]s on Mode S?%># ISA ARM Seg8ent user

%ontrol5 #!c#HGd &able5 P!!!#!!! -A%5 'd

0rocess test =pid5 P!, stac4 li8it V !;eeHP#H@

W Q X

%ode5 e"a!!!!G eHbdP"'! ea!!P"'d e#a!#! =e#P!"!@

(ernel panic 2 not syncing5 grsec5 halting the syste8 due to suspiciou

4ernel crash caused by root



Lessons Learned

•Spite 'ails to 8oti6ate when realiNation sets in that 8ust be 8aintained 'or 'ree 'ore6er

• Frag8ented7old userland is a 8aintenance night8a4ernel

• Mobile Linu; 6endors care 8ore about chec4ing a breal security i8pro6e8ents

• );pect Apple to continue to do8inate o6er the8, S)Andro Dust sa8e tired 9security V access control: 'rauds

• Focus on 'unda8entals, not 'ads

• Ma4es it easy to apply security to new plat'or8s



);ploit eapon=For the

=Re



hy/

• Because na8espace76irtualiNation7LSM usage is incwith little discussion o' tradeos or i8portance o' 4protection

• Because ring2! can do whate6er it wants

• Because I16e been told 8a4ing weaponiNation7reliab

in'or8ation public reduces the 6alue o' e;ploit selle• I a8 all 'or this

• Because it1s e8barrassingly easy, as you1ll see



-isable S)Linu;

• Set security>ops to ^de'ault>security>ops =always w• &han4s to so8e S)Linu; 9code cleanup: you can al

to 6oid reset>security>ops=6oid@ =wor4s 'or all other

• I' %O*FIC>S)%RI&Y>S)LI*+>-)?)LO0 enabled, yoalso 8odi'y selinu;>en'orcing1 =read by geten'orce

reading 7selinu;7en'orce, also in 7selinu;7status@• By patching sel>read>en'orce and selinu;>4ernel>st

you can put S)Linu; into per8issi6e 8ode while 8auserland thin4 it1s in en'orcing 8ode



-isable AppAr8or

• Set security>ops to ^de'ault>security>ops

• Or return to reset>security>ops

• Older 4ernels had so8e toggles5 appar8or>enabledappar8or>audit, appar8or>logsyscall, appar8or>co

•*ewer 4ernels =#.;@ uses new 6ariables5 aa>g>pro3leaa>g>audit, aa>g>audit>header, aa>g>logsyscall,aa>g>loc4>policy



-isable IMA



• 0atch out i8a>bpr8>chec4, i8a>3le>88ap, i8a>pa

and i8a>3le>chec4 to all return ! =_;#"_;c!_;c#@



-isable &OMOYO7all other LS





-isable Auditing

• %lear audit>enabled



-isable *o2*ew20ri6s =**0

• Bit 3eld located between current2[personality and c[pid =both 4nown 6alues@

• Other 3elds are uni8portant, Dust clear all P bytes



Brea4 out o' user na8espac

• 0erhaps surprisingly, 8y co88it>creds=prepare>4ernel>techniEue does it auto8atically

• struct cred `

Q

struct user>na8espace user>ns 7 user>ns the caps and 4eyringsto. 7

Q



Brea4 out o' chroots

• Cet tas4>struct 2['s oset either through si8ple staanalysis on 4ernel i8age or 3nding init>'s oset witinit>tas4

• Find oset o' root and pwd within 's>struct• %all set>'s>root=current2['s, init>'s.root@, set>'s>pwd

['s, init>'s.pwd@



Brea4 out o' 6ser6er

• Find osets o' ;id, 6;>in'o, nid, n;>in'o in tas4 struc

• ill be ! in init>tas4, but set in a con3ned process

• %lear the 3elds



Brea4 out o' Open?\

• %all prepare>6e!>process=current@



Reliability under +en

• -on1t blindly change cr!.0 and atte8pt to 8odi'ycode, it will cause a C0F

•%all 8a4e>low8e8>page>readwrite=addr@ instead

• %lean up with 8a4e>low8e8>page>readonly=addr@



Reliability under%O*FIC>-)BC>0AC)ALLO

• -on1t blindly scan through 4ernel 8e8ory, 4ernels woption enabled ha6e been obser6ed to ha6e a guardthe 4ernel i8age

•)nlighten8ent parses page tables to deter8ine sa'to scan



Reliability under %O*FIC>(ALLS

• n4nown 4ernel, no 68linu;, no 7proc74allsy8s, noSyste8.8ap/ *o proble8

• Assu8ing ring! e;ecution can be obtained without the8

• 0ayload reliability obtained by using the 4ernel1s owtables in 8e8ory

• )nlighten8ent 3nds the 4ernel1s own sy8bol resoluroutines and can thus resol6e 8odule sy8bols as w



Reliability when returning to use

• Ma4e sure the userland code is loc4ed into physical 8e8ory

• npri6ileged users can loc4 P(B

• Linu; is not indows *o 4ernel 8e8ory is paged, atte8ptinon2present 8e8ory =outside o' e;ception2handled areas@ w6isible oops, or worse

•More li4ely under low 8e8ory, 8e8ory pressure, high e;ploreEs, higher ti8e between allocation and use

• A decade o' e;ploits returning to userland, and no one gets t

• $ow was 8y 0)RF>)?)*&S e;ploit so reliable despite the Pli8it/

• Read the enlighten8ent source 'or this one @



+H 0)RF>)?)*&S );ploit WX Array base is !;c"aGa!

WX -etected structure siNe o' " bytes WX &argeting !;c"ab"!

W<X Cot ring!

W<X -etected .7#.; style H4 stac4s, with current at !;'"'csupport

W<X -isabled security o' 5 AppAr8or LSM

W<X Found 2['s oset at !;#HH

W<X Bro4e out o' any chroots or 8nt na8espaces

W<X Cot root

rootubuntu57ho8e7spender7enlighten8entid

uidV!=root@ gidV!=root@ groupsV!=root@

rootubuntu57ho8e7spender7enlighten8entuna8e 2a

Linu; ubuntu #..!2#2generic #Tprecise"2buntu SM0 Fr

&% !"# iH iH i#H C*7Linu;



Re'ehttp577in'ocenter.ar8.co87help7inde;.Dsp/topicV7co8.ar8.doc.ddi!

http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0406c/index.html






]uesAll code described in this tal4 is a6ailable at http

More details a6ailable on blog5 https577'oru8s.grsecurity.net76iewtopic.p

&han4s to Rodrigo and

https://grsecurity.net/

https://forums.grsecurity.net/viewtopic.php?f=7&t=3292




https://grsecurity.net/

At Arms Length h2hc 2013

Documents

Transcript of At Arms Length h2hc 2013