Undermining the Linux Kernel: Malicious Code Injec:on via /dev/mem

Similar documents
Malicious Code Injection via /dev/mem

Subverting the Linux Kernel Linux Kernel Rootkits 101

SYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14

CS 550 Operating Systems Spring System Call

W4118: interrupt and system call. Junfeng Yang

CSC369 Lecture 2. Larry Zhang

Mechanisms for entering the system

CSE 509: Computer Security

IA32 Intel 32-bit Architecture

Shell Code For Beginners

Virtual Memory: Systems

Kprobes Presentation Overview

Background. IBM sold expensive mainframes to large organiza<ons. Monitor sits between one or more OSes and HW

Background. IBM sold expensive mainframes to large organiza<ons. Monitor sits between one or more OSes and HW

CSC369 Lecture 2. Larry Zhang, September 21, 2015

Microkernel Construction

Microkernel Construction

Lecture 08 Control-flow Hijacking Defenses

Operating Systems Engineering Recitation #3 (part 2): Interrupt and Exception Handling on the x86. (heavily) based on MIT 6.

The Kernel Abstrac/on

CanSecWest Nicolás A. Economou Andrés Lopez Luksenberg

This lecture. Virtual Memory. Virtual memory (VM) CS Instructor: Sanjeev Se(a

Xosdev Chapter 1 [The Bootloader] by mr. xsism

CIS Operating Systems CPU Mode. Professor Qiang Zeng Spring 2018

Opera&ng Systems ECE344

CS 5460/6460 Operating Systems

Part I. X86 architecture overview. Secure Operating System Design and Implementation x86 architecture. x86 processor modes. X86 architecture overview

CS5460: Operating Systems

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING LECTURE 27, SPRING 2013

Virtual Memory: Concepts

Homework / Exam. Return and Review Exam #1 Reading. Machine Projects. Labs. S&S Extracts , PIC Data Sheet. Start on mp3 (Due Class 19)

Buffer Overflow and Protection Technology. Department of Computer Science,

NetWare Kernel Stack Overflow Exploitation.

Processes (Intro) Yannis Smaragdakis, U. Athens

Lecture Notes for 04/04/06: UNTRUSTED CODE Fatima Zarinni.

Pre-virtualization internals

Stealth Measurements for Cheat Detection in On-line Games. Ed Kaiser Wu-chang Feng Travis Schluessler

143A: Principles of Operating Systems. Lecture 5: Address translation. Anton Burtsev October, 2018

CS Lab 0.5: Fish

Memory Management: The process by which memory is shared, allocated, and released. Not applicable to cache memory.

Sandboxing. CS-576 Systems Security Instructor: Georgios Portokalidis Spring 2018

Function Call Convention

Main Points. Address Transla+on Concept. Flexible Address Transla+on. Efficient Address Transla+on

Introduction to Kernel Programming. Luca Abeni

CS140 Operating Systems Final December 12, 2007 OPEN BOOK, OPEN NOTES

Memory Management Day 2. SWE3015 Sung- hun Kim

CS 550 Operating Systems Spring Interrupt

Rootkits n Stuff

PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG

x86 segmentation, page tables, and interrupts 3/17/08 Frans Kaashoek MIT

CNIT 127: Exploit Development. Ch 3: Shellcode. Updated

Hijacking the Linux Kernel

Return-orientated Programming

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Tutorial 10 Protection Cont.

Memory Management. Disclaimer: some slides are adopted from book authors slides with permission 1

Background. IBM sold expensive mainframes to large organizations. Monitor sits between one or more OSes and HW

Intel VMX technology

ICS143A: Principles of Operating Systems. Midterm recap, sample questions. Anton Burtsev February, 2017

Android Rootkits. Adam Zakaria. Ming Chow

Buffer Overflow Attack

Research opportuni/es with me

Virtual Memory: Concepts

Memory Management. Disclaimer: some slides are adopted from book authors slides with permission 1

Hijacking the Linux Kernel

From local user to root Ac1dB1tch3z s exploit analysis. Nicolò October 28

Protection and System Calls. Otto J. Anshus

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING LECTURE 27, FALL 2012

RCU. ò Walk through two system calls in some detail. ò Open and read. ò Too much code to cover all FS system calls. ò 3 Cases for a dentry:

VFS, Continued. Don Porter CSE 506

Virtual Memory: Systems

Computer Architecture and Assembly Language. Practical Session 5

iapx Systems Electronic Computers M

CSE 451 Autumn Final Solutions mean 77.53, median 79, stdev 12.03

Interrupts and System Calls

Virtual Memory. Daniel Sanchez Computer Science & Artificial Intelligence Lab M.I.T. November 15, MIT Fall 2018 L20-1

+ Overview. Projects: Developing an OS Kernel for x86. ! Handling Intel Processor Exceptions: the Interrupt Descriptor Table (IDT)

Computer Architecture Background

CS 104 Computer Organization and Design

Virtual Memory III /18-243: Introduc3on to Computer Systems 17 th Lecture, 23 March Instructors: Bill Nace and Gregory Kesden

CS 3803 Lab 6 Interrupts Assigned 2/25/10 Point Value: 30

Main Points. File systems. Storage hardware characteris7cs. File system usage Useful abstrac7ons on top of physical devices

SOEN228, Winter Revision 1.2 Date: October 25,

Virtualization. Adam Belay

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

What You Need to Know for Project Three. Dave Eckhardt Steve Muckle

3.6. PAGING (VIRTUAL MEMORY) OVERVIEW

238P: Operating Systems. Lecture 5: Address translation. Anton Burtsev January, 2018

MICROPROCESSOR MICROPROCESSOR ARCHITECTURE. Prof. P. C. Patil UOP S.E.COMP (SEM-II)

The Kernel Abstraction

hashfs Applying Hashing to Op2mize File Systems for Small File Reads

we are here Page 1 Recall: How do we Hide I/O Latency? I/O & Storage Layers Recall: C Low level I/O

Interrupts & System Calls

OpenBSD Remote Exploit

[537] Virtual Machines. Tyler Harter

W4118: virtual machines

Assembly Language. Lecture 2 - x86 Processor Architecture. Ahmed Sallam

bytes per disk block (a block is usually called sector in the disk drive literature), sectors in each track, read/write heads, and cylinders (tracks).

Summer 2003 Lecture 27 07/28/03

Flare-On 5: Challenge 7 Solution WorldOfWarcraft.exe

Transcription:

Undermining the Linux Kernel: Malicious Code Injec:on via /dev/mem Anthony Lineberry anthony.lineberry@gmail.com Black Hat Europe 2009

Overview What is a rootkit? Why is protec:on difficult? Current protec:on mechanisms/bypasses Injec:on via /dev/mem Fun things to do once you re in Proposed solu:ons

Part I Rootkit?

What is a rootkit? Way to maintain access (regain root aver successful exploita:on) Hide files, processes, etc Control ac:vity File I/O Network Keystroke Logger

Types of rootkits User Land (Ring 3) Trojaned Binaries (oldest trick in the book) Binary patching Source code modifica:on Process Injec:on/Thread Injec:on PTRACE_ATTACH, SIGNAL injec:on Does not affect stability of system

Types of rootkits Kernel Land (Ring 0) Kernel Modules/Drivers Hot Patching memory directly! (we ll get to that ;)

Part II Why are rootkits hard to defend against?

Why so hard? Can control most everything in the system System Calls cant be trusted Network traffic Can possibly detect if you are trying to detect it

Why so hard? Most modern rootkits live in the kernel Kernel is God Imprac:cal to check EVERYTHING inside kernel Speed hits Built in security can be circumvented by more kernel code (if an afacker can get code in, game over)

Part III Current Rootkit Defense

Current Defense Checking Tables in kernel (sys_call_table, IDT, etc) Compares tables against known good Can be bypassed by crea:ng duplicate table to use rather than modifying the main table Typical security cat and mouse game

Current Defense Hashes/Code Signing In kernel Hash cri:cal sec:ons of code Require signed kernel modules In userland Hashes of system binaries Tripwire, etc Signed binaries File System Integrity

Current Defense Non Modularity Main suggested end all way to stop kernel space rootkits (obviously this is a fail) /dev/kmem was previously used in a similar fashion, but read/write access has since been closed off in kernel mainline

Part IV Code Injec:on via /dev/mem

What is /dev/mem? /dev/mem Driver interface to physically addressable memory. lseek() to offset in file = offset in physical mem EG: Offset 0x100000 = Physical Address 0x100000 Reads/Writes like a regular character device Who needs this? X Server (Video Memory & Control Registers) DOSEmu

Hijacking the kernel Kernel addressing is virtual. How do we translate to physical addresses?

Address Transla:on Find a Page Table Directory (stored in cr3 register) Pros: Guaranteed to be able to locate any physical page Mi:gates page alloca:on randomiza:on situa:ons Allows us to find physical pages of process user space

Address Transla:on Find a Page Table Directory (stored in cr3 register) Cons: Finding one is easier said than done Heuris:c could be developed for loca:ng PTD in task struct, but there are easier ways.

Address Transla:on Higher half GDT loading concept applies Bootloader trick to use Virtual Addresses along with GDT in unprotected mode to resolve physical addresses. Kernel usually loaded at 0x100000 (1MB) in physical memory Mapped to 0xC0100000 (3GB+1MB) Virtually

Address Transla:on 0x40000000 GDT Base Address + 0xC0100000 Kernel Virtual Address = 0x00100000 Physical Address

Address Transla:on Obviously over thinking that No need to wrap around 32bit address, just subtract. 0xC0100000 0xC0000000 = 0x100000 If page alloca:on randomiza:on existed, this trick would not be possible

Hijacking the kernel #define KERN_START 0xC0000000 int read_virt(unsigned long addr, void *buf, unsigned int len) { if(addr < KERN_START) return -1; /* addr is now physical address */ addr -= KERN_START; lseek(memfd, addr, SEEK_START); } return read(memfd, buf, len);

Useful structures Determine offset to important structures IDT sys_call_table kmalloc() Where are they?

IDT Interrupt Descriptor Table (IDT) Table of interrupt handlers/call gates 0x80 th handler entry = Syscall Interrupt What can we do with it? Replace Interrupt Handlers Hardware: Network Cards, Disks, etc SoVware: System Calls,

IDTR IDTR holds structure with address of IDT Get/Set IDTR with LIDT/SIDT assembly instruc:ons Unlike LIDT instruc:on, SIDT is not protected and can be executed from user space to get IDT address. Wont work in most VM s Hypervisors return bogus IDT address

IDTR IDTR Structure Base Address (4 btyes) Limit (2 bytes) struct { uint32_t base; uint16_t limit; } idtr; asm ( sidt %0 : =m (idtr));

IDT Entry IDT Entry (8 bytes) 0 16 31 Low 16bits of Handler Address Flags Code Segment Selector High 16bits of Handler Address

IDT IDT idtr.base

IDT IDT idtr.base Entry for Syscall Interrupt idtr.base + (0x80 * 8)

IDT IDT idtr.base Entry for Syscall Interrupt idtr.base + (0x80 * 8) system_call()

System Calls system_call() Main entry point for system calls sys_call_table Array of func:on pointers sys_read(), sys_write(), etc

System Calls Syscall Number stored in EAX register call ptr 0x????????(eax,4) 0x???????? Is the address of sys_call_table Opcode for instruc:on: FF 14 85???????? Read in memory at system_call(), search for byte sequence \xff\x14\x85. Next 4 following bytes are address of sys_call_table!

Hijacking the kernel Now we can: Find IDT Find system_call() handler func:on Use simple heuris:c to find address of sys_call_table What now? Overwrite system calls with our own code!

Hijacking the kernel Where do we put our code? Kernel Memory Pool Traverse malloc headers looking for free blocks Not atomic opera:on, cant guarantee we ll beat kernel Certain guard pages in kernel Allocate space in the kernel We can locate kmalloc() inside the kernel and call that

Hijacking the kernel Finding kmalloc() Use heuris:cs push GFP_KERNEL push SIZE call kmalloc Find kernel symbol table Search for \0 kmalloc\0 in memory Find reference to address of above sequence then subtract 4 bytes from loca:on

Hijacking the kernel How can we allocate kernel memory from userspace? Locate address of kmalloc() in kernel space Overwrite a system call with code to call kmalloc() Call system call Someone else could poten:ally call the same system call and cause system instability

Func:on Clobbering sys_call_table sys_uname() Backup Buffer NR_uname kmalloc stub push $0xD0 ;GFP_KERNEL push $0x1000 ; 4k mov 0xc0123456, %ecx call %ecx ret

Func:on Clobbering sys_call_table sys_uname() Backup Buffer 100 bytes NR_uname kmalloc stub push $0xD0 ;GFP_KERNEL push $0x1000 ; 4k mov 0xc0123456, %ecx call %ecx ret

Func:on Clobbering sys_call_table sys_uname() Backup Buffer 100 bytes NR_uname kmalloc stub push $0xD0 ;GFP_KERNEL push $0x1000 ; 4k mov 0xc0123456, %ecx call %ecx ret

Func:on Clobbering sys_call_table sys_uname() Backup Buffer kmalloc stub 100 bytes NR_uname

Hijacking the kernel Call sys_uname() unsigned long kernel_buf; asm ( mov $122, %%eax \n int $0x80 \n mov %%eax, %0 : =r (kernel_buf)); Address of buffer allocated in kernel space returned by syscall in EAX register

Part V Fun things to do inside the kernel

Hijacking the kernel Recap: read/write anywhere in memory with /dev/mem sys_call_table Kernel alloca:on capabili:es Time to have fun!

Hijacking the kernel What can we do? Use our kernel buffers we allocated to store raw executable code. Overwrite func:on pointers in kernel with address of our allocated buffers sys_call_table entries, page fault handler code Setup code to use Debug registers to hook system call table

Hijacking the kernel What can we do with our injected code? Anything most other rootkits can do. Hide files, processes, etc Control network ac:vity Limita:ons All injected code must usually be handwrifen assembly Some structures/func:ons can be difficult to locate in memory

Part V Solu:ons/Mi:ga:on

Solu:ons Why does a legi:mate user process need access to read anything from above 16k in physical memory? SELinux has created a patch to address this problem (RHEL and Fedora kernels are safe) Modifies mem driver to disallow lseeks past 16k

Solu:ons Mainline kernel has addressed this as of 2.6.26!

Solu:ons Mainline kernel has addressed this as of 2.6.26! Sort of

Solu:ons Added func:ons in kernel range_is_alloc() Checks each page in range of address space being accessed devmem_is_allowed() Called by range_is_allowed() Checks if address is within first 256 pages (1MB)

Solu:ons So what s the problem? range_is_allowed() always returns true if CONFIG_STRICT_DEVMEM is turned off. Kernel defaults disables STRICT_DEVMEM by default Even though it suggests saying Y if you are unsure

Ques:ons?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback