escalating privileges in linux using fault injection
play

Escalating Privileges in Linux using Fault Injection Niek Timmers - PowerPoint PPT Presentation

Aug 13, 2022 •482 likes •969 views

Escalating Privileges in Linux using Fault Injection Niek Timmers Cristofaro Mune timmers@riscure.com c.mune@pulse-sec.com ( @ tieknimmers) ( @ pulsoid) September 25, 2017 Fault Injection A definition... Introducing faults in a target

  1. Escalating Privileges in Linux using Fault Injection Niek Timmers Cristofaro Mune timmers@riscure.com c.mune@pulse-sec.com ( @ tieknimmers) ( @ pulsoid) September 25, 2017

  2. Fault Injection – A definition... ”Introducing faults in a target to alter its intended behavior.” ... if( key_is_correct ) <-- Glitch here! { open_door(); } else { keep_door_closed(); } ... How can we introduce these faults?

  3. Fault injection techniques clock voltage e-magnetic laser We used Voltage Fault Injection for all experiments!

  4. Fault injection techniques clock voltage e-magnetic laser We used Voltage Fault Injection for all experiments!

  5. Fault injection fault model Let’s keep it simple: instruction corruption Single-bit (MIPS) addi $t1, $t1, 8 00100001001010010000000000001000 addi $t1, $t1, 0 00100001001010010000000000000000 Multi-bit (ARM) ldr w1, [sp, #0x8] 10111001010000000000101111100001 str w7, [sp, #0x20] 10111001000000000010001111100111 Remarks • Limited control over which bit(s) will be corrupted • May or may not be the true fault model • Includes other fault models (e.g. instruction skipping)

  6. Let’s inject faults!

  7. Fault injection setup Target • Fast and feature rich System-on-Chip (SoC) • ARM Cortex-A9 (32-bit) • Ubuntu 14.04 LTS (fully patched)

  8. Characterization • Determine if the target is vulnerable to fault injection • Determine if the fault injection setup is effective • Estimate required fault injection parameters for an attack • An open target is required; but not required for an attack

  9. Characterization Test Application

  10. Characterization – Alter a loop . . . set_trigger(1); for(i = 0; i < 10000; i++) { // glitch here j++; // glitch here } // glitch here set_trigger(0); . . . Remarks • Implemented in a Linux Kernel Module (LKM) • Successful glitches are not that time dependent

  11. Characterization – Possible responses Expected: ’glitch is too soft’ counter = 00010000 Mute/Reset: ’glitch is too hard’ counter = Success: ’glitch is exactly right’ counter = 00009999 counter = 00010015 counter = 00008687

  12. Characterization – Alter a loop Remarks • We took 16428 experiments in 65 hours • We randomize the Glitch VCC Glitch Length Glitch Delay • We can fix either the Glitch VCC or the Glitch Length

  13. Characterization – Bypassing a check . . . set_trigger(1); if(cmd.cmdid < 0 || cmd.cmdid > 10) { return -1; } if(cmd.length > 0x100) { // glitch here return -1; // glitch here } // glitch here set_trigger(0); . . . Remarks • Implemented in a Linux Kernel Module (LKM) • Successful glitches are time dependent

  14. Characterization – Bypassing a check Remarks • We took 16315 experiments in 19 hours • The success rate between 6 . 2 µs and 6 . 8 µs is: 0.41% • The check is bypassed every 15 minutes !

  15. Let’s attack Linux! Relevant when vulnerabilities are not known!

  16. Attacking Linux

  17. Opening /dev/mem – Description (1) Open /dev/mem using open syscall (2) Bypass check performed by Linux kernel using a glitch (3) Map arbitrary address in physical address space

  18. Opening /dev/mem – Code Algorithm 1 Open /dev/mem 1: r 1 ← 2 2: r 0 ← ” / dev / mem ” 3: r 7 ← 0 x 5 4: svc # 0 5: if r 0 == 3 then address ← mmap ( ... ) 6: printf ( ∗ address ) 7: 8: end if Remarks • Implemented using ARM assembly • Linux syscall: sys open (0x5)

  19. Opening /dev/mem – Results Remarks • We took 22118 experiments in 17 hours • The success rate between 25 . 5 µs and 26 . 8 µs is: 0.53% • The Linux kernel is compromised every 10 minutes !

  20. Privilege escalation #1

  21. Spawning a root shell – Description (1) Set all registers to 0 to increase the probability 1 (2) Perform setresuid syscall to set process IDs to root (3) Bypass check performed by Linux kernel using a glitch (4) Execute root shell using system function 1 Linux uses 0 for valid return values

  22. Spawning a root shell – Code Algorithm 2 Executing a root shell 1: r 0 ← r 1 ← r 2 ← 0 2: r 3 ← r 4 ← r 5 ← 0 3: r 6 ← r 7 ← r 8 ← 0 4: r 9 ← r 10 ← r 11 ← 0 5: r 7 ← 0 xd 0 6: svc # 0 7: if r 0 == 0 then system (” / bin / sh ”) 8: 9: end if Remarks • Implemented using ARM assembly • Linux syscall: sys setresuid (0xd0)

  23. Spawning a root shell – Results Remarks • We took 18968 experiments in 21 hours • The success rate between 3 . 14 µs and 3 . 44 µs is: 1.3% • We spawn a root shell every 5 minutes !

  24. Privilege escalation #2

  25. Reflection • Linux checks can be (easily) bypassed using fault injection • Attacks are identified and reproduced within a day • Full fault injection attack surface not explored Can we mitigate these type of attacks?

  26. Reflection • Linux checks can be (easily) bypassed using fault injection • Attacks are identified and reproduced within a day • Full fault injection attack surface not explored Can we mitigate these type of attacks?

  27. Mitigations Software fault injection countermeasures • Double checks • Random delays • Flow counters Can these be implemented easily for larger code bases? Hardware fault injection countermeasures • Redundancy • Integrity • Sensors and detectors Are these implemented for standard embedded technology?

  28. Mitigations Software fault injection countermeasures • Double checks • Random delays • Flow counters Can these be implemented easily for larger code bases? Hardware fault injection countermeasures • Redundancy • Integrity • Sensors and detectors Are these implemented for standard embedded technology?

  29. Mitigations Software fault injection countermeasures • Double checks • Random delays • Flow counters Can these be implemented easily for larger code bases? Hardware fault injection countermeasures • Redundancy • Integrity • Sensors and detectors Are these implemented for standard embedded technology?

  30. Mitigations Software fault injection countermeasures • Double checks • Random delays • Flow counters Can these be implemented easily for larger code bases? Hardware fault injection countermeasures • Redundancy • Integrity • Sensors and detectors Are these implemented for standard embedded technology?

  31. Is this all?

  32. There are more attack vectors!

  33. Controlling PC directly 2 • ARM (AArch32) has an interesting ISA characteristic • The program counter (PC) register is directly accessible Several valid ARM instructions MOV r7,r1 00000001 01110000 10100000 11100001 EOR r0,r1 00000001 00000000 00100000 11100000 LDR r0,[r1] 00000000 00000000 10010001 11100101 LDMIA r0,{r1} 00000010 00000000 10010000 11101000 Several corrupted ARM instructions setting PC directly MOV pc,r1 00000001 11110000 10100000 11100001 EOR pc,r1 00000001 11110000 00101111 11100000 LDR pc,[r1] 00000000 11110000 10010001 11100101 LDMIA r0,{r1, pc} 00000010 10000000 10010000 11101000 Variations of this attack affect other architectures! 2Controlling PC on ARM using Fault Injection – Timmers et al. (FDTC2016)

  34. Controlling PC directly 2 • ARM (AArch32) has an interesting ISA characteristic • The program counter (PC) register is directly accessible Several valid ARM instructions MOV r7,r1 00000001 01110000 10100000 11100001 EOR r0,r1 00000001 00000000 00100000 11100000 LDR r0,[r1] 00000000 00000000 10010001 11100101 LDMIA r0,{r1} 00000010 00000000 10010000 11101000 Several corrupted ARM instructions setting PC directly MOV pc,r1 00000001 11110000 10100000 11100001 EOR pc,r1 00000001 11110000 00101111 11100000 LDR pc,[r1] 00000000 11110000 10010001 11100101 LDMIA r0,{r1, pc} 00000010 10000000 10010000 11101000 Variations of this attack affect other architectures! 2Controlling PC on ARM using Fault Injection – Timmers et al. (FDTC2016)

  35. Controlling PC directly 2 • ARM (AArch32) has an interesting ISA characteristic • The program counter (PC) register is directly accessible Several valid ARM instructions MOV r7,r1 00000001 01110000 10100000 11100001 EOR r0,r1 00000001 00000000 00100000 11100000 LDR r0,[r1] 00000000 00000000 10010001 11100101 LDMIA r0,{r1} 00000010 00000000 10010000 11101000 Several corrupted ARM instructions setting PC directly MOV pc,r1 00000001 11110000 10100000 11100001 EOR pc,r1 00000001 11110000 00101111 11100000 LDR pc,[r1] 00000000 11110000 10010001 11100101 LDMIA r0,{r1, pc} 00000010 10000000 10010000 11101000 Variations of this attack affect other architectures! 2Controlling PC on ARM using Fault Injection – Timmers et al. (FDTC2016)

  36. Controlling PC directly 2 • ARM (AArch32) has an interesting ISA characteristic • The program counter (PC) register is directly accessible Several valid ARM instructions MOV r7,r1 00000001 01110000 10100000 11100001 EOR r0,r1 00000001 00000000 00100000 11100000 LDR r0,[r1] 00000000 00000000 10010001 11100101 LDMIA r0,{r1} 00000010 00000000 10010000 11101000 Several corrupted ARM instructions setting PC directly MOV pc,r1 00000001 11110000 10100000 11100001 EOR pc,r1 00000001 11110000 00101111 11100000 LDR pc,[r1] 00000000 11110000 10010001 11100101 LDMIA r0,{r1, pc} 00000010 10000000 10010000 11101000 Variations of this attack affect other architectures! 2Controlling PC on ARM using Fault Injection – Timmers et al. (FDTC2016)

Recommend

LINUX VULNERABILITIES, WINDOWS EXPLOITS Escalating Privileges with WSL Saar Amar Recon brx 2018

LINUX VULNERABILITIES, WINDOWS EXPLOITS Escalating Privileges with WSL Saar Amar Recon brx 2018

LINUX VULNERABILITIES, WINDOWS EXPLOITS Escalating Privileges with WSL Saar Amar Recon brx 2018 WHO AM I? Saar Amar Security Researcher Pasten CTF team member @AmarSaar saaramar OUTLINE World rld s quic ickest t in intr tro to

743 views • 43 slides
AVFI: Fault Injection for Autonomous Vehicles Fault Injection to Measure Resilience of AVs

AVFI: Fault Injection for Autonomous Vehicles Fault Injection to Measure Resilience of AVs

Saurabh Jha, Subho S. Banerjee , James Cyriac, Zbigniew T. Kalbarczyk and Ravishankar K. Iyer Computer Science, Electrical and Computer Engineering AVFI: Fault Injection for Autonomous Vehicles Fault Injection to Measure Resilience of AVs

215 views • 8 slides
Can strace make you fail? strace syscall fault injection Dmitry Levin FOSDEM 2017 What is

Can strace make you fail? strace syscall fault injection Dmitry Levin FOSDEM 2017 What is

Can strace make you fail? strace syscall fault injection Dmitry Levin FOSDEM 2017 What is strace? A diagnostic, debugging and instructional userspace utility for Linux. It is used to monitor interactions between processes and the Linux

541 views • 24 slides
KERNELFAULT: Pwning Linux using Hardware Fault Injection Niek Timmers Cristofaro Mune

KERNELFAULT: Pwning Linux using Hardware Fault Injection Niek Timmers Cristofaro Mune

KERNELFAULT: Pwning Linux using Hardware Fault Injection Niek Timmers Cristofaro Mune timmers@riscure.com c.mune@pulse-sec.com ( @ tieknimmers) ( @ pulsoid) September 22, 2017 Who are we? Niek Timmers (@tieknimmers) Security Analyst @

1.08k views • 70 slides
Debunking Fault Injection Myths and Misconceptions Cristofaro Mune Niek Timmers

Debunking Fault Injection Myths and Misconceptions Cristofaro Mune Niek Timmers

Debunking Fault Injection Myths and Misconceptions Cristofaro Mune Niek Timmers c.mune@pulse-sec.com niek@twentytwosecurity.com @pulsoid @tieknimmers Todays agenda Introduction Fault injection, what is it? Fault injection,

920 views • 69 slides
Using Fault Injection to weaken RSA public key verification SNE Research Project 2 Ivo van der

Using Fault Injection to weaken RSA public key verification SNE Research Project 2 Ivo van der

Using Fault Injection to weaken RSA public key verification SNE Research Project 2 Ivo van der Elzen University of Amsterdam What is Fault Injection? Simply put: Introducing faults in a target to alter its intended behavior* *(N.

553 views • 34 slides
Symbolic Fault Injection Reiner H ahnle &amp; Daniel Larsson KeY Symposium Speyer, June 2006

Symbolic Fault Injection Reiner H ahnle &amp; Daniel Larsson KeY Symposium Speyer, June 2006

Symbolic Fault Injection Reiner H ahnle &amp; Daniel Larsson KeY Symposium Speyer, June 2006 1/28 Symbolic Fault Injection An attempt to introduce Formal Methods into the area of Fault Injection Objective: Evaluate dependability of

691 views • 28 slides
Characterization of a Cortex-M4 microcontroller with backside optical fault injection Research

Characterization of a Cortex-M4 microcontroller with backside optical fault injection Research

Characterization of a Cortex-M4 microcontroller with backside optical fault injection Research Project 1 Jasper Hupkens Dominika Rusek 05.02.2019 1 Introduction to the world of fault injection Research project at Riscure Fault

678 views • 25 slides
Mostafa afa Z. Ali mzali@just.edu.jo 1-1 Root Privileges Most Linux systems include an

Mostafa afa Z. Ali mzali@just.edu.jo 1-1 Root Privileges Most Linux systems include an

Fall 2009 Lecture 4 Operating Systems: Configuration &amp; Use CIS345 Introduction to UBUNTU LINUX Mostafa afa Z. Ali mzali@just.edu.jo 1-1 Root Privileges Most Linux systems include an account for a user named root (Superuser) who has

1.32k views • 62 slides
Fault Injection Characterization on ARM Cortex-A9 George Thessalonikefs

Fault Injection Characterization on ARM Cortex-A9 George Thessalonikefs

ElectroMagnetic Fault Injection Characterization on ARM Cortex-A9 George Thessalonikefs George.Thessalonikefs@os3.nl University of Amsterdam February 5, 2014 Introduction Hardware Fault Injection Induce faults to hardware through side

517 views • 26 slides
Using Fault Injection to Turn Data Transfers into Arbitrary Execution Cristofaro Mune Niek

Using Fault Injection to Turn Data Transfers into Arbitrary Execution Cristofaro Mune Niek

Using Fault Injection to Turn Data Transfers into Arbitrary Execution Cristofaro Mune Niek Timmers c.mune@pulse-sec.com niek@twentytwosecurity.com @pulsoid @tieknimmers Todays agenda Introduction Fault Injection basics Fault

1.05k views • 56 slides
Jrn-Marc Schmidt joern-marc.schmidt@iaik.tugraz.at Fault Injection Plaintext Faulty

Jrn-Marc Schmidt joern-marc.schmidt@iaik.tugraz.at Fault Injection Plaintext Faulty

Jrn-Marc Schmidt joern-marc.schmidt@iaik.tugraz.at Fault Injection Plaintext Faulty Ciphertext But how to inject a fault? Fault: Injection Model Exploitation Non-invasive Device is not altered physical Semi-invasive

602 views • 32 slides
Fault Injection in Mixed-Signal Environment Using Behavioral Fault Modeling in Verilog-A Seyed

Fault Injection in Mixed-Signal Environment Using Behavioral Fault Modeling in Verilog-A Seyed

Sharif University of Technology Department of Computer Engineering Dependable System Lab [DSL] Fault Injection in Mixed-Signal Environment Using Behavioral Fault Modeling in Verilog-A Seyed Nematollah Ahmadian, Seyed Ghassem Miremadi

398 views • 17 slides
Embedded Processor Based Embedded Processor Based Fault Injection and SEU Fault Injection and

Embedded Processor Based Embedded Processor Based Fault Injection and SEU Fault Injection and

Embedded Processor Based Embedded Processor Based Fault Injection and SEU Fault Injection and SEU Emulation for FPGAs Emulation for FPGAs Bradley Dutton, Mustafa Ali, John Bradley Dutton, Mustafa Ali, John Sunwoo, and Charles Stroud Sunwoo,

305 views • 26 slides
A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a password manager is a good idea! SQL injection is ironic SQL injection is funny Overviewtrated Account Summary Account: Account: &quot;SELECT

445 views • 32 slides
Optimizing Fault Injection in FMI Co-Simulation through Sensitivity Partitioning Mehrdad Moradi,

Optimizing Fault Injection in FMI Co-Simulation through Sensitivity Partitioning Mehrdad Moradi,

Optimizing Fault Injection in FMI Co-Simulation through Sensitivity Partitioning Mehrdad Moradi, Cludio Gomes, Bentley James Oakes and Joachim Denil Summersim 2019 July 22, 2019 Berlin, Germany Outline Introduction Context and

404 views • 28 slides
Robustness improvement of an SRAM cell against laser-induced fault injection A. Sarafianos a,b ,

Robustness improvement of an SRAM cell against laser-induced fault injection A. Sarafianos a,b ,

Robustness improvement of an SRAM cell against laser-induced fault injection A. Sarafianos a,b , C. Roscian b , J.M. Dutertre b , M. Lisart a , O. Gagliano a , V. Serradeil a , A. Tria b . a STMicroelectronics, Avenue Clestin Coq 13790 Rousset,

273 views • 14 slides
SoC, why should we care about Fault Injection Attacks ? Guillaume BOUFFARD (

SoC, why should we care about Fault Injection Attacks ? Guillaume BOUFFARD (

SoC, why should we care about Fault Injection Attacks ? Guillaume BOUFFARD ( guillaume.boufgard@ssi.gouv.fr ) David EL-BAZE ( david.elbaze@ssi.gouv.fr ) with the help of Thomas TROUCHKINE Agence nationale de la scurit des systmes

523 views • 28 slides
END-TO-END COMPARISON OF IR-LEVEL AND ASSEMBLY-LEVEL FAULT INJECTION Lucas Palazzi Co-authors:

END-TO-END COMPARISON OF IR-LEVEL AND ASSEMBLY-LEVEL FAULT INJECTION Lucas Palazzi Co-authors:

Practical Experience Report A TALE OF TWO INJECTORS: END-TO-END COMPARISON OF IR-LEVEL AND ASSEMBLY-LEVEL FAULT INJECTION Lucas Palazzi Co-authors: Guanpeng Li, Bo Fang, and Karthik Pattabiraman DEPART M ENT OF ELECT RIC AL AN D COM PUT ER

852 views • 56 slides
More robust I2C designs with a new fault-injection driver Wolfram Sang, Consultant / Renesas

More robust I2C designs with a new fault-injection driver Wolfram Sang, Consultant / Renesas

More robust I2C designs with a new fault-injection driver Wolfram Sang, Consultant / Renesas ELCE17 Wolfram Sang, Consultant / Renesas Robust I2C with fault-injection ELCE17 1 / 24 Motivation It really got personal I2C maintainer since

258 views • 24 slides
Laser Fault Injection Attacks Wei He, Jakub Breier, Shivam Bhasin Physical Analysis and

Laser Fault Injection Attacks Wei He, Jakub Breier, Shivam Bhasin Physical Analysis and

Cheap &amp; Cheerful A Low-Cost Digital Sensor for Detecting Laser Fault Injection Attacks Wei He, Jakub Breier, Shivam Bhasin Physical Analysis and Cryptographic Engineering (PACE), Nanyang Technological University, Singapore SPACE 2016,

667 views • 31 slides
Towards Generic Countermeasures Against Fault Injection Attacks Gilles Barthe 2 , cois Dupressoir

Towards Generic Countermeasures Against Fault Injection Attacks Gilles Barthe 2 , cois Dupressoir

Towards Generic Countermeasures Against Fault Injection Attacks Gilles Barthe 2 , cois Dupressoir 2 , Sylvain Guilley 1 , Fran Pablo Rauzy 1 , Pierre-Yves Strub 2 1 Telecom ParisTech 2 IMDEA Software Institute Crypto Seminar Day @ IMDEA

101 views • 9 slides
strategies for successful fault injection Rafael Boix Carpi 1 , Stjepan Picek 2,3 , Lejla Batina 2

strategies for successful fault injection Rafael Boix Carpi 1 , Stjepan Picek 2,3 , Lejla Batina 2

Glitch it if you can: parameter search strategies for successful fault injection Rafael Boix Carpi 1 , Stjepan Picek 2,3 , Lejla Batina 2 , Federico Menarini 1 , Domagoj Jakobovic 3 and Marin Golub 3 1 Riscure BV, The Netherlands 2 Radboud

711 views • 33 slides
Chiffre : A Confjgurable Hardware Fault Injection Framework for RISC-V Systems Schuyler Eldridge

Chiffre : A Confjgurable Hardware Fault Injection Framework for RISC-V Systems Schuyler Eldridge

IBM T. J. Watson Research Center Chiffre : A Confjgurable Hardware Fault Injection Framework for RISC-V Systems Schuyler Eldridge Alper Buyuktosunoglu Pradip Bose 2 nd Workshop on Computer Architecture Research with RISC-V Motivation: Selective

395 views • 15 slides

More recommend