
Slide 1: Hardware Involved Software Attacks
Jeff Forristal / CanSecWest 2012

Slide 2: Question
“Once you have root/admin, what’s left to do?”

Slide 3: Relevance
- Rootkits
- VM escapes
- BIOS hacking
- Jail breaking
- App hacking / priv escalation

Slide 4: Themes
- Attack surfaces
- Attack patterns

Slide 5: Caveats
- X86-centric: other architectures may do it differently
- Not about hardware attacks*: the final vulnerability lives in software

Slide 6: ATTACK SURFACES
Follow the RASQ’ally rabbit…

Slides 7-11: The Stack
[diagram, built up across the slides: App above OS above Hardware, on a Privilege axis; slide 8 singles out the OS, slide 9 adds a field of question marks, slides 10-11 add a Driver layer]

Slides 12-15: The Stack
[diagram: App / OS / VMM-Hypervisor (VM) / SMM-BIOS (Firmware) over CPU, Memory and Peripherals (Hardware Platform), on a Privilege axis]
Captions added per slide:
- Slide 13: BIOS & OS/VMM share access, but not trust
- Slide 14: Hypervisor can grant VM direct HW access
- Slide 15: DMA

Slide 16: Hardware’s Involvement
Besides the obvious…
- Direct capabilities to affect a critical system resource (e.g. DMA to system/software memory)
- Indirect sideband access to a resource (e.g. PCI/e & ExpressCard access to SMBus)
- Store executable code that is automatically invoked (e.g. HDD or USB drive; PCI/e device option ROM)
- Proxy data from an untrusted external source* (e.g. NICs, Wifi radios)

Slide 17: X86 HW Access Methods
- IO: traditional/legacy IO via in/out instructions (a.k.a. DIO, PIO)
- MMIO: memory-mapped IO via memory access instructions
- MSRs: CPU config registers via rdmsr/wrmsr instructions
- PCI configuration space access (arguably a flavor of MMIO via PCI/e MMCFG)
- Memory?

Slide 18: Surface Transitions
- Mistakenly passed through by a higher privilege software layer
- Explicitly passed through by a higher privilege software layer
- Explicitly provided by hardware architectural intent
- The attacker is already deemed to have access
- The attacker is physically proximate to the system*

Slide 19: ATTACK PATTERNS
Buckets to describe stuff… because people like to categorize things

Slide 20: Commonality
- Originate in a lower-privileged software/layer, or be remote/physically proximate
- Leverage or depend upon an operation of hardware*
- Achieve a vulnerability in a higher-privileged software/layer, or in a peer in the current software/layer

Slide 21: Ambiguity
This is a conversation about forests; let’s not get pedantic about the individual trees. Only these slides are black & white…
(Image: http://lyricsdog.eu/)

Slide 22: Challenges
- Categorization criteria aren’t always crisp (it’s like porn…)
- Challenges in separating HW operation, TLP, and data
- Bug DBs lack consistent characterization of the problem and of the hardware involved

Slide 23: Pattern #1 – Inappropriate General Access to Hardware
- Straight-forward driver failure
- (Semi) arbitrary access to general purpose HW access (e.g. IO, MMIO, PCI config, MSRs)
- Debug purposes, laziness, bad foresight, simplicity
[diagram: OS over Driver]

Slide 24: Pattern #1 Examples
- CVE-2005-0204: Linux kernel on x64/em64t allows writing to IO ports via the outs instruction
- CVE-2007-5633: Speedfan (Windows) allows MSR reading/writing via IOCTLs
- CVE-2007-5761: Nantsys (Windows) allows MSR reading/writing
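Added here as an illustration, not code from the talk or from any of the drivers above: the two shapes a driver IOCTL gate can take, in C. gate_passthrough is the Pattern #1 behaviour these CVEs describe; gate_allowlisted admits only the resource ranges the device actually needs. The request layout, the port window 0x0500..0x051F and the policy table are constructed for the example; MSR 0x19C is IA32_THERM_STATUS.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed request shape: what a monitoring driver's IOCTL might accept from user mode. */
enum hw_kind { HW_PORT_IO, HW_MSR };
enum hw_op   { HW_READ, HW_WRITE };
struct hw_request {
    enum hw_kind kind;
    enum hw_op   op;
    uint32_t     address;   /* port number, or MSR index */
    uint32_t     length;    /* bytes for port IO; unused for MSRs */
};
/* Pattern #1 as shipped: the request is forwarded to hardware unexamined. */
static bool gate_passthrough(const struct hw_request *r) { (void)r; return true; }
/* One policy entry: a resource range the device actually needs, and whether writes are allowed. */
struct hw_policy { enum hw_kind kind; uint32_t lo, hi; bool allow_write; };
/* Constructed policy for a hypothetical fan/thermal monitor (placeholder ranges): a small
 * port window for the monitoring chip, read/write, and the thermal status MSR 0x19C
 * (IA32_THERM_STATUS) read-only. Nothing else is reachable from user mode. */
static const struct hw_policy policy[] = {
    { HW_PORT_IO, 0x0500, 0x051F, true  },
    { HW_MSR,     0x019C, 0x019C, false },
};
/* Hardened gate: the whole request must lie inside one policy range, default deny. */
static bool gate_allowlisted(const struct hw_request *r)
{
    uint32_t last = r->address;
    if (r->kind == HW_PORT_IO) {
        if (r->length != 1 && r->length != 2 && r->length != 4) return false;
        if (r->address > 0xFFFF) return false;          /* beyond the 64 KiB port space */
        last = r->address + r->length - 1;               /* cannot wrap: address <= 0xFFFF */
        if (last > 0xFFFF) return false;                 /* access would run off the end */
    }
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        const struct hw_policy *p = &policy[i];
        if (p->kind != r->kind || r->address < p->lo || last > p->hi) continue;
        return r->op == HW_READ || p->allow_write;      /* inside a range: honour its mode */
    }
    return false;
}
/* Convenience wrapper: build a request and run it through the hardened gate. */
static bool allowed(enum hw_kind kind, enum hw_op op, uint32_t address, uint32_t length)
{
    struct hw_request r = { kind, op, address, length };
    return gate_allowlisted(&r);
}
```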

Slide 25: Pattern #2 – Unexpected Consequences of Specific Hardware Function
- Given access because the functionality seems safe
- Extra/hidden/unexpected/bug functionality leads to a problem

Slide 26: Pattern #2 Examples
- CVE-2011-1898: DMA used to generate MSI interrupts; compromise of the Xen hypervisor
- CVE-2011-1016: Radeon Linux Gfx driver gives access to AA resolve registers, allowing memory manipulation
- CVE-2011-2367: WebGL in Firefox allows GPU memory reading, or crash
(Image: http://invisiblethingslab.com/)

Slide 27: Pattern #3 – Hardware Reflected Injection
Variants:
- 2nd order injection through HW
- Security-sensitive logic operation on HW value
- Stored executable code blobs

Slide 28: Pattern #3 – Variant #1, Hardware Reflected Injection: 2nd order injection
- Trigger a traditional vuln via a malicious data value inserted/stored in hardware
- Integer issues, buffer overflows, etc.

Slide 29: Pattern #3 – Variant #1 Example
Alexandre Gazet, Recon 2011: update KBC FW, feed a malicious value to SMM and cause a buffer overflow
[diagram: App / OS / SMM-BIOS (Firmware) over CPU, Memory and KBC]

Slide 30: Pattern #3 – Variant #2, Hardware Reflected Injection: Security-sensitive logic operation on HW value
- One-off logic operation, not a general purpose weakness
- Thus very contextual, particularly to security-specific software

Slide 31: Pattern #3 – Variant #2 Example
CVE-2009-4419: Malicious MCHBAR register value prevents proper VT-d policy application during TXT SENTER
[diagram: SINIT ACM, VT-d, Memory (Hardware); register values FEC10000 and 00000001]
(Image: http://invisiblethingslab.com/)

Slide 32: Pattern #3 – Variant #3, Hardware Reflected Injection: Stored executable code blobs
- BIOS flash
- Option ROMs
- Boot device MBRs*

Slide 33: Pattern #3 – Variant #3 Example
Mebromi virus: updated the BIOS ISA ROM, which is executed upon system reboot
[diagram: Flash BIOS, PCIe card OpROM, boot device MBR, OS + Apps, CPU; arrows: Reset, Update, Reboot]

Slide 34: Pattern #3 – Variant #3 Example (virtualized)
Mebromi virus: updated the BIOS ISA ROM, which is executed upon system reboot
[diagram: Flash BIOS, PCIe card OpROM, boot device MBR, VMM, VM, IOMMU, CPU; arrows: Reset, Update]

Slide 35: Pattern #4 – Interference with Hardware Privilege Access Enforcement
- Relevant to hypervisors & emulation
- Hypervisor/emulator does the operation with its own (elevated) privilege, not the requester’s lower privilege
- “Confused deputy”

Slide 36: Pattern #4 Examples
- CVE-2009-1542: MS Virtual PC/Server instruction decoding doesn’t enforce CPU privilege level requirements
- CVE-2010-0298: KVM x86 emulator doesn’t consider CPL & IOPL in guest hardware accesses
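Added example, not the KVM or Virtual PC code: the check an emulator must apply before performing an IN/OUT on a guest’s behalf, written in C. The guest-state struct and the sample TSS bitmap are constructed; the rule itself is the architectural one from the Intel SDM.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed guest CPU state an emulator has in hand when it performs IN/OUT for a guest. */
struct guest_cpu {
    unsigned       cpl;        /* current privilege level, 0..3 */
    unsigned       iopl;       /* EFLAGS.IOPL, 0..3 */
    bool           vm86;       /* EFLAGS.VM: virtual-8086 mode */
    const uint8_t *iopb;       /* TSS I/O permission bitmap: one bit per port, 1 = deny */
    size_t         iopb_bytes; /* how much of the bitmap lies inside the TSS limit */
};
/* Pattern #4 as shipped: the emulator does the access with its own (ring 0) privilege
 * and never asks whether the guest's current mode was entitled to it. */
static bool io_permitted_unchecked(const struct guest_cpu *g, uint16_t port, unsigned size)
{ (void)g; (void)port; (void)size; return true; }
/* The rule the CPU itself applies (Intel SDM vol. 1, "I/O Privilege Level" and
 * "I/O Permission Bit Map"): in protected mode, CPL <= IOPL permits the access outright;
 * otherwise, and always in virtual-8086 mode, every byte port in [port, port+size) must
 * have a clear bit in the TSS bitmap, and a bit beyond the TSS limit counts as set. */
static bool io_permitted(const struct guest_cpu *g, uint16_t port, unsigned size)
{
    if (size != 1 && size != 2 && size != 4) return false;
    if (!g->vm86 && g->cpl <= g->iopl) return true;
    for (unsigned i = 0; i < size; i++) {
        uint32_t p = (uint32_t)port + i;
        size_t byte = p / 8;
        if (byte >= g->iopb_bytes) return false;               /* outside the TSS: denied */
        if (g->iopb[byte] & (uint8_t)(1u << (p % 8))) return false;
    }
    return true;
}
/* Constructed sample TSS bitmap covering ports 0..255: everything denied except 0x60. */
static uint8_t sample_iopb[32];
/* Builds a guest in the given mode and evaluates one access against the sample bitmap. */
static bool sample_access(unsigned cpl, unsigned iopl, bool vm86, uint16_t port, unsigned size)
{
    for (size_t i = 0; i < sizeof sample_iopb; i++) sample_iopb[i] = 0xFF;
    sample_iopb[0x60 / 8] &= (uint8_t)~(1u << (0x60 % 8));
    struct guest_cpu g = { cpl, iopl, vm86, sample_iopb, sizeof sample_iopb };
    return io_permitted(&g, port, size);
}
```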

Slide 37: Pattern #5 – Access by a Parallel Executing Entity
- Things running at the same time
- One good, one bad
- Sensitive use of shared resources
- Programmable peripherals
[diagram: CPU, Memory, Peripherals (Hardware), Firmware]

Slide 38: Pattern #5 Examples
- CVE-2010-0306: SMP guest uses one thread to change the instructions of another thread while they are being interpreted by the hypervisor, allowing arbitrary instruction execution
- CVE-2005-0109: Malicious CPU thread monitors cache misses of another thread; recovery of cryptographic keys, etc.
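Added example (not from the talk, and not hypervisor code): the CVE-2010-0306 race shape in C, with a two-byte toy instruction set and a hook standing in for the peer vCPU; both are constructed. emulate_racy re-reads shared guest memory after its check, emulate_snapshot decodes and executes from a private copy.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed two-byte "instruction set": an opcode, then one immediate byte.
 * OP_LOAD_IMM is harmless; OP_PRIV is something user-mode guest code must never reach. */
enum { OP_LOAD_IMM = 0x01, OP_PRIV = 0x02 };
/* Guest memory is shared with every other vCPU of the guest, and any of them may write
 * it while the hypervisor is still decoding. The hook stands in for that peer thread. */
struct guest_mem {
    uint8_t bytes[2];
    void (*peer_vcpu)(struct guest_mem *m);   /* runs between fetch and execute; may be NULL */
};
/* Executes an already-decoded instruction; -2 marks the privileged action happening. */
static int execute(const uint8_t insn[2])
{
    switch (insn[0]) {
    case OP_LOAD_IMM: return insn[1];
    case OP_PRIV:     return -2;
    default:          return -1;
    }
}
/* Pattern #5 as shipped (CVE-2010-0306 style): the privilege check reads the opcode from
 * shared guest memory, then execution decodes from shared guest memory a second time. */
static int emulate_racy(struct guest_mem *m)
{
    if (m->bytes[0] != OP_LOAD_IMM) return -1;
    if (m->peer_vcpu) m->peer_vcpu(m);          /* the peer thread gets its turn here */
    return execute(m->bytes);
}
/* Hardened: fetch the instruction once into hypervisor-private memory and never look at
 * guest memory again for this instruction; the peer can write all it likes. */
static int emulate_snapshot(struct guest_mem *m)
{
    uint8_t insn[2];
    memcpy(insn, m->bytes, sizeof insn);
    if (insn[0] != OP_LOAD_IMM) return -1;
    if (m->peer_vcpu) m->peer_vcpu(m);
    return execute(insn);
}
/* Constructed peer behaviour: swap the benign opcode for the privileged one mid-flight. */
static void peer_flips_opcode(struct guest_mem *m) { m->bytes[0] = OP_PRIV; }
/* Runs one scenario: LOAD_IMM 0x2A, with or without a racing peer, through either emulator. */
static int run_scenario(bool snapshot, bool racing)
{
    struct guest_mem m = { { OP_LOAD_IMM, 0x2A }, racing ? peer_flips_opcode : NULL };
    return snapshot ? emulate_snapshot(&m) : emulate_racy(&m);
}
```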

Slide 39: Pattern #6 – Incorrect Hardware Use
- Someone didn’t RTFM
- In all fairness:
  - The manuals can be vague/cryptic
  - They tell you to do things without a reason for why
  - They say “should” instead of “must”

Slide 40: Pattern #6 Examples
- CVE-2006-1056: Linux didn’t notice that AMD FXSAVE/FXRSTOR behave differently from Intel’s, leading to leakage of floating point data between processes (cryptographic secrets, etc.)
- CVE-2006-0744: Linux improperly handled a non-canonical return address on EM64T, allowing the exception handler to run on the user stack with the wrong GS
- CVE-2010-2938: Xen/RedHat/Linux accesses VMCS fields without first checking whether the hardware supports those fields, leading to crash/DoS

Slide 41: Pattern #7 – External Control of a Hardware Device
- The device (not the data it processes) is under malicious control
- Variants:
  - Physically present/proximate
  - Reprogrammed
- Radios/comms?

Slide 42: Pattern #7 Examples
- CVE-2011-3215: Firewire port allows DMA, access to host memory
- CVE-2009-2834: Reprogramming keyboard firmware
[diagram: CPU, Memory, 1394/FW, SMM-BIOS (Firmware)]
(Image: http://www.karbosguide.com/)

Slide 43: DEFENSE
And it’s not a good offense…

Slide 44: Developers
Watch your “under surface”

Slide 45: Unused Devices
(Image: http://www.tomshardware.com/)

Slide 46: EXPERIMENTING WITH HARDWARE
You, too, can crash your system without trying

Slide 47: Windows
R/W Everything: http://rweverything.myweb.hinet.net/

Slide 48: Windows + Linux
Open Hardware Monitor (C#.NET): http://openhardwaremonitor.org/
(Image: http://openhardwaremonitor.org/)

Slides 49-50: Linux
LoLA – Low Level Access
- Linux kernel module that provides IO, MSR, memory, & CPUID access
- Programming API for access
http://code.google.com/p/lola-linux/

Slide 51: Datasheets
Vendor’s website, Internet datasheet archives

Slide 52: HW Schematics
Google is your friend, as usual

Slide 53: Background Infoz
http://bioshacking.blogspot.com/
Free download for Cansecwest attendees*!
*Cansecwest attendance not required, it’s free to everyone

Slide 54: Thanks!

