Mission Impossible: Steal Kernel Data from User Space
Presented at DEF CON China 1 (slides hosted at media.defcon.org)
Yueqiang Cheng, Zhaofeng Chen, Yulong Zhang, Yu Ding, Tao Wei (Baidu Security)
About Speakers
Dr. Tao Wei, Dr. Yueqiang Cheng, Mr. Zhaofeng Chen, Mr. Yulong Zhang, Dr. Yu Ding
Our Security Projects:
How to Read Unauthorized Kernel Data From User Space?
Strong Kernel-User Isolation (KUI) Enforced by the MMU via the Page Table
Why is it Hard?
Assume the kernel has NO implementation bug: there is no kernel vulnerability to arbitrarily read kernel data.
Memory Access in KUI
Diagram (flow of one memory access): Virtual Address -> Lookup TLB -> on a Miss, Fetch Page Table and Update TLB; on a Hit (or after the update), Protection Check -> Permitted: Physical Address; Denied: Protection Fault -> SIGSEGV
Permission Checks
1: Page Table Permissions
2: Control Registers, e.g., SMAP in CR4
Image from the Intel SDM
1. Unprivileged App + 2. KUI Permission Checking + 3. Bug-free Kernel
No Way to Go?
1. Unprivileged App + 2. Permission Checking + 3. Bug-free Kernel
However, in order to gain high performance, the CPU …
Microarchitecture
Speculative Execution + Out-of-order Execution
Speculative Execution
Diagram: a branch S with outcomes F and T leading to E, shown for three cases: No Speculative Execution, Misprediction, Correct Prediction
Out-of-order Execution
Images are from Dr. Lihu Rappoport
Speculative Execution + Out-of-order Execution
Enough?
Not Enough!!!
Delayed Permission Checking + Cache Side Effects
• The Branch Predictor in the Front End serves Speculative Execution
• The Execution Engine executes in an out-of-order way
• Permission checking is delayed to the Retire Unit
• Side effects in the cache are still there!!!
Image from https://www.cse.msu.edu/~enbody/postrisc/postrisc2.htm
How Meltdown (v3) Works
1. The content of an attacker-chosen memory location, which is inaccessible to the attacker, is loaded into a register.
Annotation on the code: point to the target kernel address
How Meltdown (v3) Works
2. A transient instruction accesses a cache line based on the secret content of the register.
Annotations on the code: bring data into the cache; this number should be >= 0x6
How Meltdown (v3) Works
3. The attacker uses Flush+Reload to determine the accessed cache line and hence the secret stored at the chosen memory location.
Diagram: Array Base with 256 slots (0, 1, 2, ..., 254, 255)
The selected index is the value of the target byte, e.g., if the selected index is 0x65, the value is 'A'
ForeShadow Attack
Put secrets in L1 -> Unmap the Page Table Entry -> Meltdown
How about Spectre (v1/v2)?
How Spectre (v1) Works
1. The setup phase, in which the processor is mistrained to make "an exploitable erroneous speculative prediction."
e.g., x < array1_size
Annotations on the code: point to the target address; the slot index of array2 leaks data; real execution flow and speculative execution go here
How Spectre (v1) Works
2. The processor speculatively executes instructions from the target context into a microarchitectural covert channel.
e.g., x > array1_size
Annotations on the code: execution flow should go here; speculative execution goes here!; a slot of array2 is loaded into the cache
How Spectre Works
3: The sensitive data is recovered. This can be done by timing access to memory addresses in the CPU cache.
Diagram: Array2 Base with 256 slots (0, 1, 2, ..., 254, 255)
The selected index is the value of the target byte, e.g., if the selected index is 0x66, the value is 'B'
How Spectre Reads Kernel Data
Annotations on the code: array1 + x points to the secret; the slot index of array2 leaks kernel data
• array1 and array2 are in user space
• x is controlled by the adversary
1. Unprivileged App + 2. Permission Checking + 3. Bug-free Kernel
Happy! We Get Kernel Data Now
However...
• SMAP blocks Spectre (gadget in kernel space)
• KPTI blocks Meltdown and Spectre (gadget in user space)
KPTI
Diagram: Before KPTI, a single page table is used in user/kernel mode and maps both User Space and Kernel Space. After KPTI, kernel mode and user mode use separate page tables: the kernel-mode table maps User Space and Kernel Space, while the user-mode table maps User Space and only a small shared Kernel Space range. PCID helps performance.
Even if we put the Spectre gadget into kernel space, SMAP will stop it
SMAP
Diagram: Supervisor Mode (kernel space) access to User Mode (user space) memory is what SMAP blocks
• SMAP is enabled when the SMAP bit in CR4 is set
• SMAP can be temporarily disabled by setting the EFLAGS.AC flag
• SMAP checking is done long before retirement, or even before execution
Attack and Mitigation Summary

| Technique | Steal Kernel Data? | Mitigations | After Mitigation, Kernel Data Leakage? |
|---|---|---|---|
| Spectre | Yes | KPTI + SMAP | NO |
| Meltdown | Yes | KPTI | NO |
| ForeShadow | Yes | KPTI | NO |

Only for kernel data leakage. For other aspects, the summary is not included here.
Despair...
KPTI + SMAP + KUI
Image from http://nohopefor.us/credits
Hope in Despair
Shared range as a bridge to leak kernel data
Diagram: Before KPTI (user/kernel mode): User Space + Kernel Space. After KPTI: kernel mode maps User Space + Kernel Space; user mode maps User Space + a small Kernel Space range. This part cannot be eliminated.
New Variant: Meltdown v3z
Breaking SMAP + KPTI + User-Kernel Isolation
1: Use a new gadget to build a data dependence between the target kernel data and the bridge (bypass SMAP)
2: Use Reliable Meltdown to probe the bridge and leak the kernel data (bypass KPTI and KUI)
1st Step: Trigger the New Gadget
Similar to the Spectre gadget, but not exactly the same
Annotations on the code: point to the target address; Arr2 + offset is the base of the "bridge"; x and offset should be controlled by the adversary!!; slot index of the "bridge"
How to Trigger the New Gadget
There are many sources to trigger the new gadget:
1: Syscalls
2: /proc and /sys etc. interfaces
3: Interrupt and exception handlers
4: eBPF
5: …
How to Find the New Gadget
Source Code Scanning
We use smatch on Linux Kernel 4.17.3:
• Default config: 36 gadget candidates
• Allyes config: 166 gadget candidates
However, there are many restrictions on the gadget in real exploits:
• Offset range
• Controllable invocation
• Cache noise
• …
Binary Code Scanning??
2nd Step: Probe the Bridge
Diagram: User Array Base with 256 slots (0, 1, 2, ..., 254, 255) in User Space; Bridge Base with 256 slots (0, 1, 2, ..., 254, 255) in the Bridge
Obviously, in each round there are 256*256 probes. To make the result reliable, usually we need multiple rounds.
Inefficient
Make it Practical/Efficient
Diagram: User Array Base with 256 slots (0, 1, 2, ..., 254, 255) in User Space; Bridge Base with 256 slots (0, 1, 2, ..., 254, 255) in the Bridge
Why do we need to probe 256 times in Meltdown? If we know the value of slot 0 of the Bridge Base, we probe it only once.
Can we know the values in advance?
No for Meltdown (v3)
Meltdown is able to read kernel data. But it requires that the target data is in the CPU L1d cache. If the target data is NOT in the L1d cache, 0x00 is returned.
We need to read kernel data reliably!
Reliable Meltdown (V3r)
V3r has two steps:
1st step: bring the data into the L1d cache
2nd step: use v3 to get the data
Annotations on the code: point to the target address; everywhere in the kernel
We tested it on Linux 4.4.0 with an Intel CPU E3-1280 v6, and on macOS 10.12.6 (16G1036) with an Intel CPU i7-4870HQ
Put Everything Together
Offline phase:
• Use v3r to dump the bridge data, and save it into a table
Online phase:
• 1st step: Build a data dependence between the target data and a bridge slot
• 2nd step: Probe each slot of the bridge
Efficiency:
• from several minutes (even around 1 hour in certain cases) to only several seconds to leak one byte.
Demo Settings
Kernel: Linux 4.4.0 with SMAP + KPTI
CPU: Intel CPU E3-1280 v6
In kernel space, we have a secret msg, e.g., xlabsecretxlabsecret; its location is at, e.g., 0xffffffffc0e7e0a0
Countermeasure Discussions
Software Mitigations
• Patch the kernel to eliminate all expected gadgets
• Minimize the shared "bridge" region
• Randomize the shared "bridge" region
• Monitor cache-based side channel activities
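The Spectre v1 gadget pattern drawn in the "How Spectre (v1) Works" slides (a bounds check followed by a dependent load that selects an array2 slot), shown beside the branchless index mask that the "patch the kernel to eliminate all expected gadgets" mitigation relies on. This is an added example and not code from the talk; the array1/array2 contents are constructed, and index_mask_nospec is modelled on the Linux kernel's array_index_mask_nospec() idiom.

```c
#include <stddef.h>
#include <stdint.h>
#include <limits.h>

/* Constructed sample data standing in for the slides' array1 and array2
 * (not the talk's code). array2 is laid out as 256 slots, one 64-byte
 * cache line apart, the covert-channel layout the slides draw. */
#define ARRAY1_SIZE 16u
#define SLOT_STRIDE 64u
static uint8_t array1[ARRAY1_SIZE];
static uint8_t array2[256 * SLOT_STRIDE];

/* Fill array1 with i+1 and tag every array2 slot with its own index so the
 * architectural result of a gadget call is easy to check. */
void init_arrays(void)
{
    for (unsigned i = 0; i < ARRAY1_SIZE; i++)
        array1[i] = (uint8_t)(i + 1);
    for (unsigned s = 0; s < 256; s++)
        array2[s * SLOT_STRIDE] = (uint8_t)s;
}

/* Vulnerable pattern from the Spectre v1 slides. The bounds check is only an
 * architectural guarantee: while the predictor speculates "x < array1_size",
 * both dependent loads still execute, so array2[array1[x] * 64] is pulled
 * into the cache even when x is out of bounds and array1 + x points at a
 * secret. */
uint8_t gadget_vulnerable(size_t x)
{
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * SLOT_STRIDE];
    return 0;
}

/* Branchless clamp mirroring the kernel's array_index_mask_nospec():
 * all-ones when idx < size, zero otherwise. It is computed with arithmetic
 * only, so a mispredicted branch cannot feed an out-of-bounds idx to the load.
 * Assumes size < LONG_MAX and that >> on a negative long is arithmetic
 * (true for GCC and Clang on x86-64). */
size_t index_mask_nospec(size_t idx, size_t size)
{
    long v = (long)(idx | (size - 1 - idx));
    return (size_t)(~v >> (sizeof(long) * CHAR_BIT - 1));
}

/* Hardened form: same check, but the index used by the dependent load is
 * masked to 0 whenever the check would have failed, so the speculative path
 * can only ever touch array1[0]. */
uint8_t gadget_hardened(size_t x)
{
    if (x < ARRAY1_SIZE) {
        x &= index_mask_nospec(x, ARRAY1_SIZE);
        return array2[array1[x] * SLOT_STRIDE];
    }
    return 0;
}
```

Both gadgets return the same architectural result; the mask only changes what the speculative path can address, which is why a functional test can check the clamp but not the side channel itself.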
Countermeasure Discussions
Hardware Mitigations
• Do permission checking during, or even before, the execution stage
• Revise speculative execution and out-of-order execution
• Use a side channel resistant cache, e.g., an exclusive/random cache
• Add a hardware-level side channel detection mechanism
Take Away
• Traditional Spectre and Meltdown can NOT steal kernel data with KPTI + SMAP + KUI enabled.
• Our new Meltdown variants are able to break the strongest protection (KPTI + SMAP + KUI).
• All existing kernels need to be patched to mitigate our new attack.
Mission Impossible: Steal Kernel Data from User Space
Q&A image is from https://i.redd.it/wbiwgnokgig11.jpg
Yueqiang Cheng, Baidu Security