Hardware Involved Software Attacks. Jeff Forristal, CanSecWest 2012.

Presentation transcript:

1 Hardware Involved Software Attacks. Jeff Forristal, CanSecWest 2012 (title slide)

2 Question: “Once you have root/admin, what’s left to do?”

3 Relevance: rootkits, VM escapes, BIOS hacking, jailbreaking, app hacking / privilege escalation

4 Themes: attack surfaces; attack patterns

5 Caveats: x86-centric (other architectures may do it differently). Not about hardware attacks* (the final vulnerability lives in software).

6 ATTACK SURFACES: Follow the RASQ’ally rabbit…

7-11 The Stack (figure, built up over five slides): App, OS and Hardware layers ordered by privilege; the OS layer is highlighted; a row of “?” marks is placed across the layer boundaries; then a Driver appears alongside the OS.

12 The Stack, expanded (figure): the privilege axis runs from App through OS, VMM/Hypervisor and SMM/BIOS down to the hardware platform (CPU, Memory, Peripherals); groupings are labelled VM, Firmware and Hardware Platform.

13 Same figure, note: BIOS & OS/VMM share access, but not trust

14 Same figure, note: Hypervisor can grant a VM direct HW access

15 Same figure, note: DMA

16 Hardware’s Involvement. Besides the obvious…
- Direct capabilities to affect a critical system resource (e.g. DMA to system/software memory)
- Indirect sideband access to a resource (e.g. PCI/e & ExpressCard access to SMBus)
- Store executable code that is automatically invoked (e.g. HDD or USB drive; PCI/e device option ROM)
- Proxy data from an untrusted external source* (e.g. NICs, WiFi radios)

17 x86 HW Access Methods
- IO: traditional/legacy IO via in/out instructions (a.k.a. DIO, PIO)
- MMIO: memory-mapped IO via ordinary memory access instructions
- MSRs: CPU configuration registers via rdmsr/wrmsr instructions
- PCI/e config: PCI configuration space access (arguably a flavor of MMIO; PCI/e MMCFG)
- Memory?

18 Surface Transitions
- Mistakenly passed through by a higher-privilege software layer
- Explicitly passed through by a higher-privilege software layer
- Explicitly provided by hardware architectural intent
- The attacker is already deemed to have access
- The attacker is physically proximate to the system*

19 ATTACK PATTERNS: Buckets to describe stuff… because people like to categorize things

20 Commonality. Each pattern:
- Originates in a lower-privileged software layer, or is remote / physically proximate
- Leverages or depends upon an operation of hardware*
- Achieves a vulnerability in a higher-privileged software layer, or in a peer within the current software layer

21 Ambiguity: This is a conversation about forests; let’s not get pedantic about the individual trees. Only these slides are black & white…

22 Challenges
- Categorization criteria aren’t always crisp (it’s like porn…)
- Challenges in separating HW operation, TLP, and data
- Bug DBs lack consistent characterization of the problem, and rarely mention hardware

23 Pattern #1: Inappropriate General Access to Hardware
- Straightforward driver failure
- (Semi-)arbitrary access to general-purpose HW access methods (e.g. IO, MMIO, PCI config, MSRs)
- Causes: debug purposes, laziness, bad foresight, simplicity
(figure: OS / Driver)

24 Pattern #1 Examples
- CVE (id not in transcript): Linux kernel on x64/em64t allows writing to IO ports via the outs instruction
- CVE (id not in transcript): Speedfan (Windows) allows MSR reading/writing via IOCTLs
- CVE (id not in transcript): Nantsys (Windows) allows MSR reading/writing
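As an added illustration of this pattern (not code from the talk or from the drivers it names), a toy MSR IOCTL handler in its vulnerable and hardened forms; the IOCTL codes, the admin flag and the simulated MSR table are assumptions, so it runs unprivileged on any host.

```c
/* Added example (not from the talk): toy model of a Pattern #1 driver failure.
 * A monitoring driver's MSR IOCTL, vulnerable and hardened. rdmsr/wrmsr are
 * simulated by a small table so the code runs unprivileged on any host. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Architectural MSR indices (Intel SDM); the IOCTL codes are invented. */
#define MSR_IA32_TSC          0x00000010u
#define MSR_IA32_THERM_STATUS 0x0000019Cu
#define MSR_IA32_LSTAR        0xC0000082u  /* 64-bit syscall entry point */
enum { IOCTL_MSR_READ = 1, IOCTL_MSR_WRITE = 2 };
struct msr_req { uint32_t index; uint64_t value; };
/* Constructed stand-in for the CPU's MSR file. */
static struct { uint32_t index; uint64_t value; } sim_msrs[] = {
    { MSR_IA32_TSC, 0x1234 }, { MSR_IA32_THERM_STATUS, 0x88 },
    { MSR_IA32_LSTAR, 0xffffffff81000000ull } };
static uint64_t *sim_msr(uint32_t index)
{
    for (size_t i = 0; i < sizeof sim_msrs / sizeof sim_msrs[0]; i++)
        if (sim_msrs[i].index == index) return &sim_msrs[i].value;
    return NULL;
}
/* Vulnerable: any caller may read or write any MSR. Writing LSTAR turns
 * access to the device node into control of the kernel's syscall entry. */
int msr_ioctl_vulnerable(int code, struct msr_req *req)
{
    uint64_t *m = sim_msr(req->index);
    if (!m) return -ENOENT;
    if (code == IOCTL_MSR_READ)  { req->value = *m; return 0; }
    if (code == IOCTL_MSR_WRITE) { *m = req->value; return 0; }
    return -EINVAL;
}
/* Hardened: require privilege, allowlist the read-only MSRs the monitoring
 * feature actually needs, and offer no write path at all. */
static const uint32_t msr_allowlist[] = { MSR_IA32_TSC, MSR_IA32_THERM_STATUS };
int msr_ioctl_hardened(bool caller_is_admin, int code, struct msr_req *req)
{
    if (!caller_is_admin) return -EACCES;
    if (code != IOCTL_MSR_READ) return -EINVAL;  /* writes are not implemented */
    bool allowed = false;
    for (size_t i = 0; i < sizeof msr_allowlist / sizeof msr_allowlist[0]; i++)
        if (msr_allowlist[i] == req->index) allowed = true;
    if (!allowed) return -EPERM;
    uint64_t *m = sim_msr(req->index);
    if (!m) return -ENOENT;
    req->value = *m;
    return 0;
}
```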

25 Pattern #2: Unexpected Consequences of Specific Hardware Function
- Given access because the functionality seems safe
- Extra/hidden/unexpected/buggy functionality leads to a problem

26 Pattern #2 Examples
- CVE (id not in transcript): DMA used to generate MSI interrupts, compromise of the Xen hypervisor
- CVE (id not in transcript): Radeon Linux graphics driver gives access to AA resolve registers, allows memory manipulation
- CVE (id not in transcript): WebGL in Firefox allows GPU memory reading, or crash

27 Pattern #3: Hardware Reflected Injection. Variants:
- 2nd-order injection through HW
- Security-sensitive logic operation on a HW value
- Stored executable code blobs

28 Pattern #3, Variant #1: Hardware Reflected Injection, 2nd-order injection
- Trigger a traditional vuln via a malicious data value inserted/stored in hardware
- Integer issues, buffer overflows, etc.

29 Pattern #3, Variant #1 Example: Alexandre Gazet, Recon 2011. Update the KBC firmware, feed a malicious value to SMM and cause a buffer overflow. (figure: CPU, OS, App, Memory; KBC feeding SMM/BIOS firmware)

30 Pattern #3, Variant #2: Hardware Reflected Injection, security-sensitive logic operation on a HW value
- One-off logic operation, not a general-purpose weakness
- Thus very contextual, particularly to security-specific software

31 Pattern #3, Variant #2 Example: CVE (id not in transcript): a malicious MCHBAR register value prevents proper VT-d policy application during TXT SENTER. (figure: FEC, VT-d, Memory, Hardware, SINIT ACM)

32 Pattern #3, Variant #3: Hardware Reflected Injection, stored executable code blobs
- BIOS flash
- Option ROMs
- Boot device MBRs*

33 Pattern #3, Variant #3 Example: Mebromi virus. Updated the BIOS ISA ROM, which is executed upon system reboot. (figure: Flash BIOS, PCIe card OpROM, boot device MBR, OS + Apps, CPU; flow: Update, Reboot, Reset)

34 Same example on a virtualized stack (figure: Flash BIOS, PCIe card OpROM, boot device MBR, VMM, VM, IOMMU, CPU; flow: Update, Reset)

35 Pattern #4: Interference with Hardware Privilege Access Enforcement
- Relevant to hypervisors & emulation
- The hypervisor/emulator performs the operation with its own (elevated) privilege, not the requestor’s lower privilege
- “Confused deputy”

36 Pattern #4 Examples
- CVE (id not in transcript): MS Virtual PC/Server instruction decoding doesn’t enforce CPU privilege level requirements
- CVE (id not in transcript): KVM x86 emulator doesn’t consider CPL & IOPL in guest hardware accesses
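The check these examples omitted, as an added example that is not from the talk or from either hypervisor named: before an emulator performs a guest’s IN/OUT on the guest’s behalf, it must decide permission from the guest’s own CPL, EFLAGS.IOPL/VM and TSS I/O bitmap rather than from its own ring-0 privilege. The guest_cpu struct, its fields and the demo TSS are assumptions constructed for the example.

```c
/* Added example (not from the talk): the privilege check an x86 emulator or
 * hypervisor must apply before performing a guest's IN/OUT on its behalf, using
 * the guest's CPL, EFLAGS.IOPL/VM and TSS I/O bitmap, never the host's ring 0. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define TSS_IOMAP_BASE_OFF 102  /* 16-bit I/O map base field in a 32-bit TSS */
struct guest_cpu {
    unsigned cpl, iopl;  /* CPL 0..3 and EFLAGS.IOPL (real mode, which has no checks, not modelled) */
    bool vm86;           /* EFLAGS.VM: virtual-8086 mode */
    const uint8_t *tss;  /* guest TSS bytes copied from guest memory */
    size_t tss_limit;    /* TSS segment limit (offset of its last valid byte) */
};
/* TSS I/O bitmap: one bit per port, 0 = permitted. Every byte of the access must
 * be permitted and inside the TSS limit; otherwise real hardware raises #GP. */
static bool iomap_allows(const struct guest_cpu *g, uint32_t port, unsigned size)
{
    if (!g->tss || g->tss_limit < TSS_IOMAP_BASE_OFF + 1) return false;
    uint16_t base = g->tss[TSS_IOMAP_BASE_OFF] | (g->tss[TSS_IOMAP_BASE_OFF + 1] << 8);
    for (uint32_t p = port; p < port + size; p++) {
        size_t off = (size_t)base + p / 8;
        if (off > g->tss_limit) return false;
        if (g->tss[off] & (1u << (p % 8))) return false;
    }
    return true;
}
/* The check the Pattern #4 CVEs omitted: in protected mode CPL <= IOPL grants
 * access outright; otherwise, and always in virtual-8086 mode, the bitmap decides. */
bool guest_io_permitted(const struct guest_cpu *g, uint32_t port, unsigned size)
{
    if (size != 1 && size != 2 && size != 4) return false;
    if (port + size > 0x10000) return false;  /* 16-bit I/O address space */
    if (!g->vm86 && g->cpl <= g->iopl) return true;
    return iomap_allows(g, port, size);
}
/* Constructed demo TSS: bitmap right after the 104-byte TSS, covering ports 0..0x7F,
 * all denied except keyboard controller ports 0x60 and 0x64. Returns the TSS limit. */
size_t make_demo_tss(uint8_t *buf, size_t len)
{
    const size_t base = 104, bitmap_bytes = 16;
    if (len < base + bitmap_bytes) return 0;
    memset(buf, 0, len);
    buf[TSS_IOMAP_BASE_OFF] = (uint8_t)base; buf[TSS_IOMAP_BASE_OFF + 1] = (uint8_t)(base >> 8);
    memset(buf + base, 0xFF, bitmap_bytes);
    buf[base + 0x60 / 8] &= (uint8_t)~(1u << (0x60 % 8));
    buf[base + 0x64 / 8] &= (uint8_t)~(1u << (0x64 % 8));
    return base + bitmap_bytes - 1;
}
```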

37 Pattern #5: Access by a Parallel Executing Entity
- Things running at the same time: one good, one bad
- Sensitive use of shared resources
- Programmable peripherals
(figure: CPU, Memory, Peripherals; Hardware, Firmware)

38 Pattern #5 Examples
- CVE (id not in transcript): SMP guest uses one thread to change the instructions of another thread while they are being interpreted by the hypervisor, allowing arbitrary instruction execution
- CVE (id not in transcript): Malicious CPU thread monitors cache misses of another thread; recovery of cryptographic keys, etc.

39 Pattern #6: Incorrect Hardware Use
- Someone didn’t RTFM
- In all fairness: the manuals can be vague/cryptic; they tell you to do things without a reason why; they say “should” instead of “must”

40 Pattern #6 Examples
- CVE (id not in transcript): Linux didn’t notice that AMD’s FXSAVE/FXRSTOR behave differently from Intel’s, leading to leaking of floating-point data between processes (cryptographic secrets, etc.)
- CVE (id not in transcript): Linux improperly handles a non-canonical return address on EM64T, allowing an exception handler to run on the user stack with the wrong GS
- CVE (id not in transcript): Xen/Red Hat/Linux access VMCS fields without first checking whether the hardware supports those fields, leading to crash/DoS

41 Pattern #7: External Control of a Hardware Device
- The device (not the data it processes) is under malicious control
- Variants: physically present/proximate; reprogrammed; radios/comms?

42 Pattern #7 Examples
- CVE (id not in transcript): FireWire port allows DMA, access to host memory
- CVE (id not in transcript): Reprogramming keyboard firmware
(figure: CPU, Memory, 1394/FW, SMM/BIOS firmware)

43 DEFENSE: And it’s not a good offense…

44 Developers: Watch your “under surface”

45 Unused Devices (image)

46 EXPERIMENTING WITH HARDWARE: You, too, can crash your system without trying

47 Windows: R/W Everything

48 Windows + Linux: Open Hardware Monitor (C#.NET)

49-50 Linux: LoLA (Low Level Access)
- Linux kernel module that provides IO, MSR, memory, & CPUID access
- Programming API for access

51 Datasheets: vendor’s website, Internet datasheet archives

52 HW Schematics: Google is your friend, as usual

53 Background Infoz: Free download for CanSecWest attendees*! (*CanSecWest attendance not required; it’s free to everyone)

54 Thanks!
