At Arms Length h2hc 2013
Transcript of At Arms Length h2hc 2013
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 1/40
At ARMs Le Yet So Far AB
Open Source S
O
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 2/40
&he Story o' ()R*)+)% and
o
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 3/40
hat is it/
• ARM port o' two o' 0a+1s crucial arch2speci3c 4ernel sprotection 'eatures
• -)R)F5 pre6ents accidental78alicious direct userlan6ia the 4ernel
• *LL dere's
• 0oorly2chosen 98agic: poisoned pointers
•OOB inde; < tri6ially 'orged structs =0)RF>)?)*&S@
• ()R*)+)%5 re8o6e R+ 8e8ory 'ro8 the 4ernel
• I8plies no e;ecution o' userland 8e8ory
• 0rotects against eecti6ely2R+ 8e8ory 6ia 6irtual aliases
• Allows 'or read2only protection abo6e and beyond si8ple co
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 4/40
hy/
• pstrea8 4ernel sel'2protection 'eatures are non2e;
• So8e 6endor 4ernels ha6e %O*FIC>S&RI%&>M)MOR
• %on3g description is a lie
• I8ple8entation is a Do4e
• Lets 6endors 8ar4 a chec4bo;
• Sel'2de8onstrate Euic4ly applying security conceptsarch 8ostly 9new: to 8e, ar8ed only with the 8an
• Spite
• See last year1s $$% presentation
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 5/40
Beginning steps
• AcEuired an Arndale de6elop8ent board =with Linar
userland@
• Sa8sung );ynos, ARM6G, %orte; A"
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 6/40
Beginning steps
• Started with ARM6G since it supports 0ri6ileged );e*e6er =0+*@
• &hin4 ;H SM)0
• 0+* didn1t e;ist upstrea8 yet, so I wanted to add support
• Focused on Large 0hysical Address );tension =L0A)
3rst• #2le6el paging structures instead o' 2le6el
• More uni'or8 layout o' 3elds =easier to wor4 with@
• &hin4 ;H 0A)
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 7/40
()R*)+)% on ARM L0A)
•arch7ar8788788u.c handles setup o' protections on 8ost 8appings
• 8e8>types array J base do8ain7page protection in'or8ation 'or eadescriptors
• build>8e8>type>table=@ J a8ends in'or8ation in 8e8>types with abased on %0 capabilities
• Most used is M&>M)MORY, used 'or R+ 4ernel 8appings
• %o8pletely eli8inated, replaced with M&>M)MORY>R and M&>M)M'ail sa'ely during 'orward porting
• Modi3ed 4ernel lin4er script to group up sections with sa8e
• Boot with wea4ened protections on the 4ernel i8age, loc4 iprotections when 'reeing init8e8
• >>read>only
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 8/40
()R*)+)% on ARM L0A)
• 0roble8 0a+ allows te8porary suppression o' pageprotections to allow pri6ileged code to write to readareas
• pa;>open>4ernel=6oid@ 7 pa;>close>4ernel=6oid@
• L0A) see8ingly oers no way to do this as on ;H
• %reating te8porary aliases would reEuire per2cpu pgds to
• ould need to 8uddy up all open7close calls with argu8enwould be co8pletely ignored on ;H
• 0unted on this
• Mo6ed on to L0A) -)R)F, but this set the seed 'or an apwould wor4 'or 8ost 8odern ARM users
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 9/40
-)R)F on ARM L0A)
• Modules are located at !;BF!!!!!!, need to 8o6e &ranslation &able Base Register =&&BR@ granularity
• *ow &&BR! 'ully co6ers userland, &&BR" 'ully co6er4ernelland
• %an disable userland access by disabling &&BR! andASI-
!;c!!!!!!!!;b'!!!!!!
(ernel(ernel
serland serland
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 10/40
-)R)F on ARM L0A)
• 0er'or8ed a Euic4 test de8onstrating pre6ious tech
need 'or changing ASI-
• Mo6ed on at this point
• Cot laNy and didn1t 'eel li4e rewriting ASI- generation cod
• Started disli4ing L0A) already 'or its inability to support th()R*)+)%
•%ould split ASI- space in hal', or perhaps so8ething s8ar
• I disco6ered a'ter writing the blog that the pre6iousdescription co6ers e;actly how Apple iOS1 -)R)F2'eature wor4s
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 11/40
()R*)+)% 'or ARM6<
•Able to reuse 8ost o' the wor4 put into ()R*)+)% '• %07L0A)2speci3c details 8ostly abstracted out by use o'
• 0M->S)%&>R-O*LY
• Found an upstrea8 de3ciency here
• On ARM6G we can still use 0+* to pre6ent userland'ro8 4ernel
• It1s not as 3ne2grained as with L0A), but it ends up not 8a
• ithout L0A), we ha6e a 8uch 8ore power'ul 'eatue;ploit
• -o8ains
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 12/40
()R*)+)% 'or ARM6<
•-o8ain Access %ontrol Register =-A%R@
• " do8ains =Linu; only uses #@
• )ach do8ain supports se6eral access types5
• -OMAI*>*OA%%)SS J reDect access regardless o' page prote
• -OMAI*>%LI)*& J obey nor8al page protections
• -OMAI*>MA*AC)R J ignore any page protections
• -o8ain is a P2bit 3eld in page table entries
• I8portant5 do8ain also included in &LB entry, -A%Rconsulted
15 14 13 12 1
1
10 9 8 7 6 5 4 3 2 1 0
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 13/40
()R*)+)% 'or ARM6<
•-o8ains are an e;tre8ely power'ul 'eature• Ability to bloc4 access to nearly2arbitrary 8e8ory ranges7
8e8ory on a per2%0 basis
• 0ossible ()R*S)AL uses
• hat else could you thin4 o' 'or this/
• For ()R*)+)%, 8ain use is to sol6e the
pa;>open7close>4ernel proble8• Set access o' 4ernel do8ain to -OMAI*>MA*AC)R on ope
• Switch bac4 to -OMAI*>%LI)*& access on close
• ButQ.
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 14/40
-)R)F 'or ARM6<
•
Again using do8ains• pgalloc.h5de3ne >0AC)>S)R>&ABL) =0M->&Y0)>&ABL) 0M
0M->-OMAI*=-OMAI*>S)R@@
• So by setting the user do8ain to -OMAI*>*OA%%)SS, we cut to userland
• (ernel has appro6ed userland accessors
• copy>>user=@
• strnlen>'ro8>user=@
• csu8>partial>copy>'ro8>user=@
• Q
• Introduce pa;>open>userland=@ and pa;>close>userland
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 15/40
-)R)F 'or ARM6<
(ernel
serland
(ernel
serland
(ernel
serland
(e
se
);ecuting in userlandA8bient 4ernelper8issions
serland accessorcopying to userland=S)R>-S@
Interrcode interruserlaacces
(ernel
serland
serland accessorcopying to 4ernel=()R*)L>-S@
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 16/40
()R*)+)%7-)R)F 'or ARM6
• ?ia do8ains we achie6e protection eEui6alent to 0a()R*)+)%7-)R)F on i#H
• &his 8a4es pipacs and 8ysel' happy
• I hate the shadow region on the non20%I- 6ersion o' a8d
• ith both 'eatures enabled, ". per'or8ance hit oin *CI*+ Bench8ar4 ".!.".", below stdde6 o' test
• &his per'or8ance can be i8pro6ed 'urther, 8y asse8bly w'or clarity
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 17/40
*otes on #."! upstrea8 ARM 3
•Special page installed into each tas4, sigreturn stubs locsyste82wide 9rando8: oset within that page
• Installed page is subDect to 88ap rando8iNation
• I don1t 4now o' any userland that can wor4 without the 4helpers, reEuiring one to enable the option that adds the
• Lea6es 3;ed2address 6ector 8ap accessible
•
&hese helpers are still necessarily at 3;ed addresses =than4s toglibc7toolchain@
• My Linaro user perhaps needs the 'ewest, Dust get>tls=@
• (ernel address lea4s 'ro8 the 6ector page should be dea
• Rele6ant code7data 8o6ed to an adDacent 4ernel2only page
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 18/40
Our ARM 6ector page 3;es
• As part o' ()R*)+)% wor4, 4ernel R+ on the 6ecto6irtual aliasing =one R, another R+@ was eli8inate
• *o special page installed into each tas4 'or sigretur
• (ernel controls the address o' the sigreturn stub userland e;ecute
• niEue rando8 inaccessible 4ernel address assigned to ea88u>conte;t struct
• e cause userland to try to e;ecute at this rando8 addres'ault, and per'or8 the sigreturn
• ?ector page is inaccessible to userland
• e e8ulate get>tls=@ in the 4ernel
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 19/40
&esting
• 0re6ious 8entioned 4ernel 9bac4doors: to trigger e;p
acti6ity
• %reated page table du8per 'or both short and long 8odescriptor 'or8at
• L0A)5 https577grsecurity.net7Tspender748aps2ar826.c
• L0A)5 https577grsecurity.net7Tspender748aps2ar82lpae.c
• ses 7de678e8
• Finds and reports pages o' 8e8ory that are R+ through 6irt
• ?eri3ed 'ull re8o6al o' R+ 'ro8 the 4ernel
• ?eri3ed inability to e;ecute7access userland directly 'r4ernel
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 20/40
&estingroot5TU .7test
0a+5 (ernel tried to access userland 8e8ory at !;!!!!H!"!, 'srV!!
Internal error5 5 ! W"X 0R))M0& SM0 ARM
Modules lin4ed in5
%05 ! *ot tainted =#.G."2grsec2!!!G"2gac"Pbd2dirty P@
pc 5 WZc!aP[X lr 5 WZc!bP[X psr5 !!!!!"#
sp 5 eeHPG'! ip 5 #!cG#HGd 'p 5 !!!!!!!!
r"!5 !!!!!!!! r 5 eeHP!!! rH 5 c!!"H
rG 5 !!!!!!d r 5 !!!!Ga r 5 b#!aGHH rP 5 !!!!!!!!
r# 5 !!!!H!!! r 5 P!!!#!!! r" 5 b#!aHcP r! 5 !!!!GaFlags5 n\%6 IR]s on FI]s on Mode S?%># ISA ARM Seg8ent user
%ontrol5 #!c#HGd &able5 P!!!#!!! -A%5 'd
0rocess test =pid5 P!, stac4 li8it V !;eeHP#H@
W Q X
%ode5 e"a!!!!G eHbdP"'! ea!!P"'d e#a!#! =e#P!"!@
(ernel panic 2 not syncing5 grsec5 halting the syste8 due to suspiciou
4ernel crash caused by root
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 21/40
Lessons Learned
•Spite 'ails to 8oti6ate when realiNation sets in that 8ust be 8aintained 'or 'ree 'ore6er
• Frag8ented7old userland is a 8aintenance night8a4ernel
• Mobile Linu; 6endors care 8ore about chec4ing a breal security i8pro6e8ents
• );pect Apple to continue to do8inate o6er the8, S)Andro Dust sa8e tired 9security V access control: 'rauds
• Focus on 'unda8entals, not 'ads
• Ma4es it easy to apply security to new plat'or8s
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 22/40
);ploit eapon=For the
=Re
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 23/40
hy/
• Because na8espace76irtualiNation7LSM usage is incwith little discussion o' tradeos or i8portance o' 4protection
• Because ring2! can do whate6er it wants
• Because I16e been told 8a4ing weaponiNation7reliab
in'or8ation public reduces the 6alue o' e;ploit selle• I a8 all 'or this
• Because it1s e8barrassingly easy, as you1ll see
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 24/40
-isable S)Linu;
• Set security>ops to ^de'ault>security>ops =always w• &han4s to so8e S)Linu; 9code cleanup: you can al
to 6oid reset>security>ops=6oid@ =wor4s 'or all other
• I' %O*FIC>S)%RI&Y>S)LI*+>-)?)LO0 enabled, yoalso 8odi'y selinu;>en'orcing1 =read by geten'orce
reading 7selinu;7en'orce, also in 7selinu;7status@• By patching sel>read>en'orce and selinu;>4ernel>st
you can put S)Linu; into per8issi6e 8ode while 8auserland thin4 it1s in en'orcing 8ode
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 25/40
-isable AppAr8or
• Set security>ops to ^de'ault>security>ops
• Or return to reset>security>ops
• Older 4ernels had so8e toggles5 appar8or>enabledappar8or>audit, appar8or>logsyscall, appar8or>co
•*ewer 4ernels =#.;@ uses new 6ariables5 aa>g>pro3leaa>g>audit, aa>g>audit>header, aa>g>logsyscall,aa>g>loc4>policy
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 26/40
-isable IMA
• Set security>ops to ^de'ault>security>ops
• Or return to reset>security>ops
• 0atch out i8a>bpr8>chec4, i8a>3le>88ap, i8a>pa
and i8a>3le>chec4 to all return ! =_;#"_;c!_;c#@
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 27/40
-isable &OMOYO7all other LS
• Set security>ops to ^de'ault>security>ops
• Or return to reset>security>ops
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 28/40
-isable Auditing
• %lear audit>enabled
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 29/40
-isable *o2*ew20ri6s =**0
• Bit 3eld located between current2[personality and c[pid =both 4nown 6alues@
• Other 3elds are uni8portant, Dust clear all P bytes
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 30/40
Brea4 out o' user na8espac
• 0erhaps surprisingly, 8y co88it>creds=prepare>4ernel>techniEue does it auto8atically
• struct cred `
Q
struct user>na8espace user>ns 7 user>ns the caps and 4eyringsto. 7
Q
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 31/40
Brea4 out o' chroots
• Cet tas4>struct 2['s oset either through si8ple staanalysis on 4ernel i8age or 3nding init>'s oset witinit>tas4
• Find oset o' root and pwd within 's>struct• %all set>'s>root=current2['s, init>'s.root@, set>'s>pwd
['s, init>'s.pwd@
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 32/40
Brea4 out o' 6ser6er
• Find osets o' ;id, 6;>in'o, nid, n;>in'o in tas4 struc
• ill be ! in init>tas4, but set in a con3ned process
• %lear the 3elds
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 33/40
Brea4 out o' Open?\
• %all prepare>6e!>process=current@
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 34/40
Reliability under +en
• -on1t blindly change cr!.0 and atte8pt to 8odi'ycode, it will cause a C0F
•%all 8a4e>low8e8>page>readwrite=addr@ instead
• %lean up with 8a4e>low8e8>page>readonly=addr@
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 35/40
Reliability under%O*FIC>-)BC>0AC)ALLO
• -on1t blindly scan through 4ernel 8e8ory, 4ernels woption enabled ha6e been obser6ed to ha6e a guardthe 4ernel i8age
•)nlighten8ent parses page tables to deter8ine sa'to scan
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 36/40
Reliability under %O*FIC>(ALLS
• n4nown 4ernel, no 68linu;, no 7proc74allsy8s, noSyste8.8ap/ *o proble8
• Assu8ing ring! e;ecution can be obtained without the8
• 0ayload reliability obtained by using the 4ernel1s owtables in 8e8ory
• )nlighten8ent 3nds the 4ernel1s own sy8bol resoluroutines and can thus resol6e 8odule sy8bols as w
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 37/40
Reliability when returning to use
• Ma4e sure the userland code is loc4ed into physical 8e8ory
• npri6ileged users can loc4 P(B
• Linu; is not indows *o 4ernel 8e8ory is paged, atte8ptinon2present 8e8ory =outside o' e;ception2handled areas@ w6isible oops, or worse
•More li4ely under low 8e8ory, 8e8ory pressure, high e;ploreEs, higher ti8e between allocation and use
• A decade o' e;ploits returning to userland, and no one gets t
• $ow was 8y 0)RF>)?)*&S e;ploit so reliable despite the Pli8it/
• Read the enlighten8ent source 'or this one @
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 38/40
+H 0)RF>)?)*&S );ploit WX Array base is !;c"aGa!
WX -etected structure siNe o' " bytes WX &argeting !;c"ab"!
W<X Cot ring!
W<X -etected .7#.; style H4 stac4s, with current at !;'"'csupport
W<X -isabled security o' 5 AppAr8or LSM
W<X Found 2['s oset at !;#HH
W<X Bro4e out o' any chroots or 8nt na8espaces
W<X Cot root
rootubuntu57ho8e7spender7enlighten8entid
uidV!=root@ gidV!=root@ groupsV!=root@
rootubuntu57ho8e7spender7enlighten8entuna8e 2a
Linu; ubuntu #..!2#2generic #Tprecise"2buntu SM0 Fr
&% !"# iH iH i#H C*7Linu;
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 39/40
Re'ehttp577in'ocenter.ar8.co87help7inde;.Dsp/topicV7co8.ar8.doc.ddi!
7/23/2019 At Arms Length h2hc 2013
http://slidepdf.com/reader/full/at-arms-length-h2hc-2013 40/40
]uesAll code described in this tal4 is a6ailable at http
More details a6ailable on blog5 https577'oru8s.grsecurity.net76iewtopic.p
&han4s to Rodrigo and