Hardware Involved Software Attacks. Jeff Forristal, CanSecWest 2012. Question: “Once you have root/admin, what’s left to do?” Themes: relevance & attack surfaces, attack patterns. Caveat: X86-centric; other architectures may do it differently.
Hardware Involved Software Attacks. Jeff Forristal, CanSecWest 2012. (Title diagram: App, App over OS over Hardware/Platform.)
Question: “Once you have root/admin, what’s left to do?”
Themes: Relevance & Attack surfaces, Attack patterns
Caveats:
• X86-centric: other architectures may do it differently
• Not about hardware attacks*: the final vulnerability lives in software
Attack Surfaces: Follow the RASQ’ally rabbit…
The Stack (diagram, built up over five slides): App, App over OS over Hardware along a Privilege axis; the unknowns (?) between the OS and the Hardware are filled in as Drivers.
The Stack (diagram, expanded over four slides): VMs and Apps over OS over VMM/Hypervisor over SMM/BIOS over the Hardware Platform (CPU, Peripherals, Memory, Firmware), along the Privilege axis. Annotations added slide by slide:
• BIOS & OS/VMM share access, but not trust
• Hypervisor can grant VM direct HW access
• DMA
Hardware’s Involvement: Besides the obvious…
• Direct capabilities to affect a critical system resource (e.g. DMA to system/software memory)
• Indirect sideband access to a resource (e.g. PCI/e & ExpressCard access to SMBus)
• Store executable code that is automatically invoked (e.g. HDD or USB drive; PCI/e device option ROM)
• Proxy data from an untrusted external source* (e.g. NICs, Wifi radios)
X86 HW Access Methods: Memory?
Surface Transitions:
• Mistakenly passed through by a higher privilege software layer
• Explicitly passed through by a higher privilege software layer
• Explicitly provided by hardware architectural intent
• The attacker is already deemed to have access
• The attacker is physically proximate to the system*
Attack Patterns: Buckets to describe stuff… because people like to categorize things
Commonality:
• Originate in a lower-privileged software/layer or be remote/physically proximate
• Leverage or depend upon an operation of hardware*
• Achieve a vulnerability in a higher-privileged software/layer or a peer in current software/layer
Ambiguity: This is a conversation about forests. Let’s not get pedantic about the individual trees. Only these slides are black & white…
Challenges:
• Categorization criteria aren’t always crisp (it’s like porn…)
• Challenges on separating HW operation, TLP, and data
• Bug DBs lack consistent characterization of the problem and mention of hardware
Pattern #1: Inappropriate General Access to Hardware
• Straightforward driver failure
• (Semi-)arbitrary access to general purpose HW (e.g. IO, MMIO, PCI config, MSRs)
• Debug purposes, laziness, bad foresight, simplicity
Pattern #1 Examples:
• CVE-2005-0204: Linux kernel on x64/em64t allows writing to IO ports via outs instruction
• CVE-2007-5633: Speedfan (Windows) allows MSR reading/writing via IOCTLs
• CVE-2007-5761: Nantsys (Windows) allows MSR reading/writing
Pattern #2: Unexpected Consequences of Specific Hardware Function
• Given access because functionality seems safe
• Extra/hidden/unexpected/bug functionality leads to a problem
Pattern #2 Examples:
• CVE-2011-1898: DMA used to generate MSI interrupts, compromise of Xen hypervisor
• CVE-2011-1016: Radeon Linux Gfx driver gives access to AA resolve registers, allows memory manipulation
• CVE-2011-2367: WebGL in Firefox allows GPU memory reading, or crash
Pattern #3: Hardware Reflected Injection
Variants:
• 2nd order injection through HW
• Security-sensitive logic operation on HW value
• Stored executable code blobs
Pattern #3 – Variant #1: Hardware Reflected Injection - 2nd order injection
• Trigger a traditional vuln via malicious data value inserted/stored in hardware
• Integer issues, buffer overflows, etc.
Pattern #3 – Variant #1 Example:
• Alexandre Gazet – Recon 2011: Update KBC FW, feed malicious value to SMM and cause a buffer overflow
(Diagram labels: App, App, OS, SMM/BIOS, CPU, KBC, Memory, Firmware)
Pattern #3 – Variant #2: Hardware Reflected Injection - Security-sensitive logic operation on HW value
• One-off logic operation, not a general purpose weakness
• Thus very contextual, particularly to security-specific software
Pattern #3 – Variant #2 Example:
• CVE-2009-4419: Malicious MCHBAR register value prevents proper VT-d policy application during TXT SENTER
(Diagram labels: Hardware, VT-d, SINIT ACM, Memory; values 00000001, FEC10000)
Pattern #3 – Variant #3: Hardware Reflected Injection - Stored executable code blobs
• BIOS flash
• Option ROMs
• Boot device MBRs*
Pattern #3 – Variant #3 Example:
• Mebromi virus: Updated BIOS ISA ROM, which is executed upon system reboot
(Diagram: boot chain CPU Reset, BIOS (Flash), OpROM (PCIe Card), MBR (Boot Dev), then OS + Apps, with Update and Reboot steps; a second build of the slide replaces OS + Apps with VMM, VM and IOMMU.)
Pattern #4: Interference with Hardware Privilege Access Enforcement
• Relevant to hypervisor & emulation
• Hypervisor/emulator does the operation with its own (elevated) privilege, not the requestor’s lower privilege
• “Confused deputy”
Pattern #4 Examples:
• CVE-2009-1542: MS Virtual PC/Server instruction decoding doesn’t enforce CPU privilege level requirements
• CVE-2010-0298: KVM x86 emulator doesn’t consider CPL & IOPL in guest hardware accesses
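
The check an emulator has to perform on the guest's behalf before emulating IN/OUT, as an added example (not code from the slides, KVM or any other project). It covers the x86 protected-mode rule only and assumes a 32-bit TSS; the struct, function names and sample TSS are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Guest state an emulator must consult (simplified; names are this example's). */
struct guest_cpu {
    unsigned cpl, iopl;     /* current privilege level and EFLAGS.IOPL, 0..3 */
    const uint8_t *tss;     /* guest 32-bit TSS contents */
    uint32_t tss_limit;     /* last valid byte offset inside the TSS */
};

/* Flawed pattern: the access runs with the emulator's privilege, unchecked. */
static bool io_allowed_unchecked(const struct guest_cpu *g, uint16_t port, unsigned len)
{
    (void)g; (void)port; (void)len;
    return true;
}

/* Protected-mode rule: CPL <= IOPL permits the access; otherwise every bit
 * covering the ports in the TSS I/O permission bitmap must be clear. */
static bool io_allowed(const struct guest_cpu *g, uint16_t port, unsigned len)
{
    if (len != 1 && len != 2 && len != 4) return false;
    if (g->cpl <= g->iopl) return true;
    if (!g->tss || g->tss_limit < 103) return false;  /* I/O map base is at 102..103 */
    uint32_t off = (g->tss[102] | (uint32_t)g->tss[103] << 8) + port / 8u;
    if (off + 1 > g->tss_limit) return false;         /* the CPU reads two bitmap bytes */
    uint32_t perm = g->tss[off] | (uint32_t)g->tss[off + 1] << 8;
    return ((perm >> (port & 7)) & ((1u << len) - 1)) == 0;
}

/* Constructed sample: ring-3 guest code, IOPL 0, bitmap grants only port 0x80. */
static int demo(void)
{
    static uint8_t tss[104 + 32 + 1];          /* TSS + bitmap for ports 0..255 + pad */
    memset(tss, 0xFF, sizeof tss);             /* a set bit means the port is denied */
    tss[102] = 104; tss[103] = 0;              /* bitmap starts right after the TSS */
    tss[104 + 0x80 / 8] = 0xFE;                /* clear bit 0: port 0x80 allowed */
    struct guest_cpu g = { 3, 0, tss, sizeof tss - 1 };
    int r = io_allowed(&g, 0x80, 1) << 0;      /* granted by the bitmap */
    r |= io_allowed(&g, 0x80, 2) << 1;         /* spills into denied port 0x81 */
    r |= io_allowed(&g, 0xCF8, 4) << 2;        /* beyond the bitmap: denied */
    r |= io_allowed_unchecked(&g, 0xCF8, 4) << 3;  /* the flawed path lets it through */
    return r;
}

int main(void) { return demo() == 9 ? 0 : 1; }
```

Bits 0 and 3 of the result are set: the checked path grants only the single byte-wide port the guest's bitmap allows, while the unchecked path would have forwarded the ring-3 access to PCI configuration port 0xCF8.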
Pattern #5: Access by a Parallel Executing Entity
• Things running at the same time
• One good, one bad
• Sensitive use of shared resources
• Programmable peripherals
Pattern #5 Examples:
• CVE-2010-0306: SMP guest uses one thread to change instructions of another thread while being interpreted by hypervisor, allowing for arbitrary instruction execution
• CVE-2005-0109: Malicious CPU thread monitors cache misses of another thread, recovery of cryptographic keys, etc.
Pattern #6: Incorrect Hardware Use
• Someone didn’t RTFM
• In all fairness:
  • The manuals can be vague/cryptic
  • They tell you to do things without a reason for why
  • They say “should” instead of “must”
Pattern #6 Examples:
• CVE-2006-1056: Linux didn’t notice AMD FXSAVE/FXRSTOR is different than Intel, which led to leaking of floating point data between processes (cryptographic secrets, etc.)
• CVE-2006-0744: Linux improper handling of uncanonical return address on EM64T, allowing exception handler to run on user stack with wrong GS
• CVE-2010-2938: Xen/RedHat/Linux accesses VMCS fields without first seeing if hardware supports those fields, leading to crash/DoS
Pattern #7: External Control of a Hardware Device
• The device (not the data it processes) is under malicious control
• Variants:
  • Physically present/proximate
  • Reprogrammed
Radios/comms?
Pattern #7 Examples:
• CVE-2011-3215: Firewire port allows DMA, access to host memory
• CVE-2009-2834: Reprogramming keyboard firmware
(Diagram labels: SMM/BIOS, CPU, 1394/FW, Memory, Firmware)
Defense: And it’s not a good offense…
Developers: Watch your “under surface”!
Unused Devices
Experimenting With Hardware: You, too, can crash your system without trying
Windows: R/W Everything, http://rweverything.myweb.hinet.net/
Windows + Linux: Open Hardware Monitor (C# .NET), http://openhardwaremonitor.org/
Linux: LoLA – Low Level Access, http://code.google.com/p/lola-linux/
• Linux kernel module that provides IO, MSR, memory, & CPUID access
• Programming API for access
Pause for irony