Visualizing Page Tables - Black Hat
Transcript of Visualizing Page Tables - Black Hat
© 2013 CrowdStrike, Inc. All rights reserved.
Visualizing Page Tables … for Local Exploitation: Hacking Like in the Movies
Alexandru Radocea
• Developer at CrowdStrike, Inc.
– iOS internals fan
– Recovering software security assessor
– Likes bringing pain to the adversary
• @defendtheworld on Twitter
Georg Wicherski
• Researcher at CrowdStrike, Inc.
– x86 & ARM low-level stuff
– Reverse Engineering, Malware analysis
– Exploitation and Mitigation research
• @ochsff on Twitter
• http://blog.oxff.net/
Introduction
Paging 101
• Translation from virtual addresses to physical
– Virtual address: the pointers your program works with
– Physical address: the actual address of a memory cell in the physical RAM chip
• Virtual address unique per virtual memory space
– Usually means per process for userland, one shared kernel space for all processes
Efficient Hardware Implementation
• Group addresses into pages: blocks of addresses that are translated in the same way
• Cache translation results: TLB
• Hierarchical translation tables (trees) to conserve memory
– Two levels on 32-bit x86 (three with PAE), four levels on amd64 (IA-32e)
– Two levels on ARMv7-A, three levels with LPAE
Memory Protections
• Memory protections implemented on top of paging
– Read-only vs. read-write memory areas
– Executable vs. data-only memory areas
  – x86: NX (No-eXecute) bit per page
  – ARM: XN (eXecute-Never) bit per page
– Privilege level to access page
  – ARM: Supervisor bit, Domains, different table sets
  – x86: Supervisor bit (CPL, SMEP, SMAP)
What a Movie Hacker Looks for
• Mappings at repeatedly constant addresses
– Constant physical address: subject to reliable FireWire (DMA) attacks
– Constant virtual address: ASLR bypass
• Mappings with unexpected protections
– Read-write but not NX/XN: classical copy-shellcode-and-execute scenario
– Driver specific weirdness (DMA memory, …)
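As an added example (not part of the deck and not the authors' collection tooling), the same two checks done from userland with /proc/<pid>/maps rather than from the page tables: flag mappings that are both writable and executable, and mappings that sit at a known fixed virtual address that ASLR never moves. The sample maps text is constructed to look like an Android process and is not a capture from any device in the deck; the fixed-page list is the ARM vector page from the Android slides plus the x86-64 legacy vsyscall page, which is my addition.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct mapping { uint64_t start, end; char perms[5]; char name[128]; };
struct finding { struct mapping m; const char *reason; };

/* Virtual pages that stay at the same address in every process regardless of
 * ASLR: the ARM vector page (Android slides) and the x86-64 vsyscall page. */
static const struct { uint64_t addr; const char *what; } fixed_pages[] = {
    { 0xffff0000ULL,         "ARM exception vector page (kuser helpers)" },
    { 0xffffffffff600000ULL, "x86-64 legacy vsyscall page" },
};

/* Parse one /proc/<pid>/maps line: "start-end perms offset dev inode [name]".
 * Returns 1 on success, 0 for lines that do not match the format. */
int parse_maps_line(const char *line, struct mapping *m) {
    m->name[0] = '\0';
    int n = sscanf(line, "%" SCNx64 "-%" SCNx64 " %4s %*x %*s %*s %127[^\n]",
                   &m->start, &m->end, m->perms, m->name);
    return n >= 3 && m->end > m->start;
}

/* Scan a maps dump and collect what the slide says to look for: W+X regions
 * and regions at a fixed address. Returns the number of findings written. */
int scan_maps(const char *text, struct finding *out, int max) {
    int n = 0;
    const char *p = text;
    while (*p && n < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';

        struct mapping m;
        if (parse_maps_line(line, &m)) {
            if (m.perms[1] == 'w' && m.perms[2] == 'x') {
                out[n].m = m; out[n].reason = "writable and executable"; n++;
            }
            for (size_t i = 0; i < sizeof fixed_pages / sizeof fixed_pages[0] && n < max; i++)
                if (m.start == fixed_pages[i].addr) {
                    out[n].m = m; out[n].reason = fixed_pages[i].what; n++;
                }
        }
        p = nl ? nl + 1 : p + len;
    }
    return n;
}

/* Constructed sample, shaped like an Android process (not a capture from any
 * device): a JIT code cache mapped rwx, a guard region without a name, and
 * the fixed vector page. */
static const char sample_maps[] =
    "00008000-00052000 r-xp 00000000 b3:19 421        /system/bin/app_process\n"
    "00052000-00054000 rw-p 00052000 b3:19 421        /system/bin/app_process\n"
    "41a00000-41b00000 rwxp 00000000 00:00 0          [anon:dalvik-jit-code-cache]\n"
    "41b00000-41c00000 ---p 00000000 00:00 0\n"
    "be9f0000-bea11000 rw-p 00000000 00:00 0          [stack]\n"
    "ffff0000-ffff1000 r-xp 00000000 00:00 0          [vectors]\n";

static void report(const char *label, const char *text) {
    struct finding f[32];
    int n = scan_maps(text, f, 32);
    printf("%s: %d finding(s)\n", label, n);
    for (int i = 0; i < n; i++)
        printf("  %016" PRIx64 "-%016" PRIx64 " %s %-32s %s\n",
               f[i].m.start, f[i].m.end, f[i].m.perms, f[i].m.name, f[i].reason);
}

int main(void) {
    report("sample", sample_maps);
    /* On Linux, also scan this process's own mappings (quietly skipped elsewhere). */
    FILE *fp = fopen("/proc/self/maps", "r");
    if (fp) {
        static char buf[1 << 16];
        size_t got = fread(buf, 1, sizeof buf - 1, fp);
        buf[got] = '\0';
        fclose(fp);
        report("/proc/self/maps", buf);
    }
    return 0;
}
```

Run it once per process of interest (or point it at /proc/<pid>/maps of a target) and diff the fixed-address findings across reboots: anything that shows up at the same address every time is the "constant virtual address" case from the slide. A W+X finding in a userland process is usually a JIT; in a kernel dump it is the copy-shellcode-and-execute case.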
Background and Methodology
ARMv7-A VMSA
http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0333h/Cihbfagh.html
IA-32e, four layers of fun
http://www.cs.rutgers.edu/~pxk/416/notes/09a-paging.html
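As an added illustration of the four-level walk (example code written for this page, not the authors' collection tooling): a software walk over a constructed IA-32e page-table tree kept in this process's own memory. It decodes the 9-9-9-9-12 index split, folds the RW, U/S and NX bits along the path the way the MMU does, treats a PS-bit entry at the PDPT or PD level as a 1G or 2M leaf, and classifies each translation into the same categories the Hilbert curve legend later in the deck uses. The frame pool, the sample mappings and every address in it are constructed for the example.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IA-32e paging: four levels of 512 entries (9 index bits each) and 4K pages;
 * the PS bit turns a PDPT entry into a 1G leaf or a PD entry into a 2M leaf. */
#define PAGE_SIZE  4096ULL
#define PTE_P      (1ULL << 0)   /* present */
#define PTE_RW     (1ULL << 1)   /* writable */
#define PTE_US     (1ULL << 2)   /* user (CPL 3) may access */
#define PTE_PS     (1ULL << 7)   /* large page (PDPT/PD only) */
#define PTE_NX     (1ULL << 63)  /* no-execute, honoured when EFER.NXE=1 */
#define ADDR_MASK  0x000ffffffffff000ULL

/* Simulated RAM holding only the translation tables: "physical address" is a
 * byte offset into this pool. Leaf pages may point anywhere; they are never read. */
#define NFRAMES 6
static uint64_t pool[NFRAMES][512];
static uint64_t frame_phys(int i) { return (uint64_t)i * PAGE_SIZE; }
static uint64_t *table_at(uint64_t phys) {
    uint64_t i = phys / PAGE_SIZE;
    return i < NFRAMES ? pool[i] : NULL;
}

/* Same categories as the Hilbert curve legend, plus "not present". */
enum perm { USER_RO, SUPER_RO, USER_W, SUPER_W, USER_X, SUPER_X, USER_WX, SUPER_WX, NOT_PRESENT };
static const char *perm_name[] = { "User read only", "Super read only", "User write",
    "Super write", "User exec", "Super exec", "User WX", "Super WX", "not present" };

struct xlat { enum perm perm; uint64_t phys; int page_shift; };

static enum perm classify(int us, int rw, int nx) {
    int x = !nx;
    if (rw && x) return us ? USER_WX : SUPER_WX;
    if (x)       return us ? USER_X  : SUPER_X;
    if (rw)      return us ? USER_W  : SUPER_W;
    return us ? USER_RO : SUPER_RO;
}

/* Walk the tree rooted at cr3 for va. Rights combine the way the MMU combines
 * them: writable/user only if every level grants it, no-execute if any level
 * sets NX. page_shift is 12, 21 or 30 for a 4K, 2M or 1G leaf. */
struct xlat translate(uint64_t cr3, uint64_t va) {
    struct xlat r = { NOT_PRESENT, 0, 0 };
    uint64_t table = cr3 & ADDR_MASK;
    int rw = 1, us = 1, nx = 0;
    for (int level = 0; level < 4; level++) {
        int shift = 39 - 9 * level;              /* PML4 39, PDPT 30, PD 21, PT 12 */
        uint64_t *t = table_at(table);
        if (!t) return r;
        uint64_t e = t[(va >> shift) & 0x1ff];
        if (!(e & PTE_P)) return r;
        rw &= !!(e & PTE_RW);
        us &= !!(e & PTE_US);
        nx |= !!(e & PTE_NX);
        int leaf = level == 3 || (level >= 1 && (e & PTE_PS));
        if (leaf) {
            uint64_t off_mask = (1ULL << shift) - 1;
            r.phys = (e & ADDR_MASK & ~off_mask) | (va & off_mask);
            r.page_shift = shift;
            r.perm = classify(us, rw, nx);
            return r;
        }
        table = e & ADDR_MASK;
    }
    return r;
}

/* Constructed address space: user text/data/rodata pages at 0x400000.. and a
 * kernel 2M text page mapped rwx (the condition the Android slides flag)
 * next to one mapped r-x. Returns the value to use as cr3. */
uint64_t build_sample_address_space(void) {
    memset(pool, 0, sizeof pool);
    uint64_t *pml4 = pool[0], *u_pdpt = pool[1], *u_pd = pool[2], *u_pt = pool[3];
    uint64_t *k_pdpt = pool[4], *k_pd = pool[5];

    /* 0x400000: PML4[0] -> PDPT[0] -> PD[2] -> PT[0..2] */
    pml4[0]   = frame_phys(1) | PTE_P | PTE_RW | PTE_US;
    u_pdpt[0] = frame_phys(2) | PTE_P | PTE_RW | PTE_US;
    u_pd[2]   = frame_phys(3) | PTE_P | PTE_RW | PTE_US;
    u_pt[0] = 0x2000000ULL | PTE_P | PTE_US;                   /* .text   r-x */
    u_pt[1] = 0x2001000ULL | PTE_P | PTE_US | PTE_RW | PTE_NX; /* .data   rw- */
    u_pt[2] = 0x2002000ULL | PTE_P | PTE_US | PTE_NX;          /* .rodata r-- */

    /* 0xffffffff81000000: PML4[511] -> PDPT[510] -> PD[8] (2M leaf), PD[9] next */
    pml4[511]   = frame_phys(4) | PTE_P | PTE_RW;
    k_pdpt[510] = frame_phys(5) | PTE_P | PTE_RW;
    k_pd[8] = 0x1000000ULL | PTE_P | PTE_RW | PTE_PS;          /* kernel text rwx */
    k_pd[9] = 0x1200000ULL | PTE_P | PTE_PS;                   /* kernel text r-x */
    return frame_phys(0);
}

int main(void) {
    uint64_t cr3 = build_sample_address_space();
    uint64_t probes[] = { 0x400000, 0x401000, 0x402000, 0x403000,
                          0xffffffff81001234ULL, 0xffffffff81200000ULL };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        struct xlat x = translate(cr3, probes[i]);
        printf("%016" PRIx64 " -> %s", probes[i], perm_name[x.perm]);
        if (x.perm != NOT_PRESENT)
            printf(", phys %08" PRIx64 " (%dK page)", x.phys, 1 << (x.page_shift - 10));
        putchar('\n');
    }
    return 0;
}
```

The per-level folding is the part worth internalising: a PT entry with U/S set is still supervisor-only if any table above it clears U/S, and a page is non-executable if NX is set at any level, so a visualiser that reads only the leaf entry will mis-colour pages.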
Data Collection
• Android: Both custom kernel and local exploit
• iOS: Custom driver for jailbroken device
• x86_64 Linux: Custom kernel module
• x86_64 OS X: Custom kernel extension
• Windows Surface RT: Crash dumps & WinDBG
• Windows 8 x86_64: Custom kernel driver
Hilbert Curve Legend
User read only
Super read only
User write
Super write
User exec
Super exec
User WX
Super WX
Case Studies
Android Process Comparison
1. init
2. dhcpd
3. zygote
4. com.android.email
5. sandboxed_process0 (Chrome)
Galaxy Nexus, Android 4.2.2
Nexus 7, Android 4.2.2
Galaxy S4, Android 4.2.2 (MSM)
Android Observations
• Fixed r-x mapping at 0xffff0000 in all processes
– 0xffff0000 is the ARM exception vectors base address
– Abused in a vsyscall-like manner by Linux on ARM (the kuser helpers)
• Kernel .text is rwx on almost all kernels
– CONFIG_DEBUG_RODATA not set in kernel configs
– 3.4.x MSM kernel has RO .text
  – CONFIG_STRICT_MEMORY_RWX (Qualcomm)
  – Still has two rwx supervisor sections (1MB section mappings)
Android 4.2.2 ASLR Bypass
• __kuser_cmpxchg @ 0xffff0fc0
– arch/arm/kernel/entry-armv.S
– iff *r2 == r0: *r2 := r1
– Bruteforce addresses by invoking it in a loop; r0-r2 are legitimate register parameters
– Jump past the equality check for an arbitrary write gadget
• __kuser_cmpxchg64 @ 0xffff0f60
• ffff0008: ldr pc, [pc, #1072] ; 0xffff0440
– This leaks the kernel's system call handler address to user-space
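An added example (not the authors' code) for the two vector-page observations above. The portable part decodes the pc-relative load at ffff0008 and computes which word of the vector page it reads, including the pc+8 pipeline offset that is easy to get wrong by hand; 0xe59ff430 is assumed here to be the A32 encoding of `ldr pc, [pc, #1072]`, derived from the ARM encoding rules, since the slide shows only the disassembly. The `__arm__` part, which only builds on 32-bit ARM Linux with kuser helpers enabled, reads that word and calls __kuser_cmpxchg through its fixed address using the r0/r1/r2 convention from the kernel's Documentation/arm/kernel_user_helpers.txt.

```c
#include <stdint.h>
#include <stdio.h>

#define VECTORS_BASE    0xffff0000u
#define KUSER_CMPXCHG   0xffff0fc0u  /* int (*)(int oldval, int newval, volatile int *ptr) */
#define KUSER_CMPXCHG64 0xffff0f60u

/* Decode an A32 "LDR Rt, [pc, #+/-imm12]" (literal load) and return the
 * address it reads from. In ARM state the pc operand reads as the address of
 * the instruction plus 8. Returns 0 if insn is not a pc-relative LDR. */
uint32_t ldr_literal_target(uint32_t insn_addr, uint32_t insn) {
    /* cond | 010 P U B W L | Rn | Rt | imm12 with I=0, P=1, B=0, W=0, L=1, Rn=pc */
    if ((insn & 0x0f7f0000u) != 0x051f0000u)
        return 0;
    uint32_t imm12 = insn & 0xfffu;
    int add = (insn >> 23) & 1;                /* U bit: add or subtract */
    uint32_t pc = insn_addr + 8;
    return add ? pc + imm12 : pc - imm12;
}

/* Address of the literal that the slide's "ldr pc, [pc, #1072]" at 0xffff0008
 * (the SWI vector slot) loads. The kernel stores the address of its system
 * call entry there, and the vector page is user-readable, so every process can
 * read a kernel text address from it. 0xe59ff430 is the assumed encoding. */
uint32_t syscall_handler_leak_word(void) {
    return ldr_literal_target(VECTORS_BASE + 0x8, 0xe59ff430u);   /* 0xffff0440 */
}

#if defined(__arm__) && defined(__linux__)
typedef int (*kuser_cmpxchg_t)(int oldval, int newval, volatile int *ptr);

/* Live demo, 32-bit ARM Linux only: read the leaked handler address, then call
 * the cmpxchg helper at its fixed address. It returns 0 when *ptr equalled
 * oldval and was replaced by newval, non-zero otherwise. */
static void demo_on_arm(void) {
    uint32_t handler = *(volatile uint32_t *)(uintptr_t)syscall_handler_leak_word();
    printf("kernel syscall entry read from %08x: %08x\n",
           syscall_handler_leak_word(), handler);

    volatile int word = 1;
    kuser_cmpxchg_t cmpxchg = (kuser_cmpxchg_t)KUSER_CMPXCHG;
    int failed = cmpxchg(1, 2, &word);
    printf("__kuser_cmpxchg(1 -> 2): %s, word is now %d\n",
           failed ? "failed" : "ok", word);
    failed = cmpxchg(1, 3, &word);              /* *ptr is 2, so this must fail */
    printf("__kuser_cmpxchg(1 -> 3): %s, word is still %d\n",
           failed ? "failed" : "ok", word);
}
#endif

int main(void) {
    printf("ldr pc, [pc, #1072] at %08x reads the word at %08x\n",
           VECTORS_BASE + 0x8, syscall_handler_leak_word());
#if defined(__arm__) && defined(__linux__)
    demo_on_arm();
#else
    puts("not 32-bit ARM Linux: skipping the live vector-page demo");
#endif
    return 0;
}
```

The decoder is what you need when reading a vector page or a kernel dump by eye: the literal pool entry is at instruction + 8 + imm12, not instruction + imm12. The cmpxchg call shows why the slide calls r0-r2 legitimate parameters: the helper is reached through an ordinary indirect call at an address that is identical in every process and on every boot.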
OS X Observations
• Userland
– Per-boot randomization (shared cache)
– Per-execution randomization (dyld, pfz, commpage, stack, heap)
OS X Observations
• Kernel
– KASLR
– Incomplete W^X
  – Randomized RWX
– Shared address space
  – SMEP available
iOS 6 Security Properties
• Userland
– Per-boot randomization (shared cache)
– Per-execution randomization (dyld, .text, stack, heap)
– Heap and stack separately randomized
– W^X + Signed pages
iOS 6 Security Properties
• Kernel
– KASLR
– W^X
– TTBR0/1 swapping
iOS: Example process (MobileSlideshow)
iOS: Example process (MobileSlideshow)
iOS: Example process (MobileSafari)
iOS: Example process (MobileSafari)
iOS Observations
• Evasi0n jailbreak leaves kernel mappings as RWX
• Fixed physical memory mappings across boots
– Weakness when combined with a virtual mapping leak or a physical memory write