exploiting kernel races through taming thread interleaving
play

Exploiting Kernel Races Through Taming Thread Interleaving Yoochan - PowerPoint PPT Presentation

Nov 25, 2022 •145 likes •530 views

Exploiting Kernel Races Through Taming Thread Interleaving Yoochan Lee, Byoungyoung Lee, Chanwoo Min Seoul National University, Virginia Tech #BHUSA @BLACKHATEVENTS Summary New technique turning Background on races

  1. Exploiting Kernel Races Through Taming Thread Interleaving Yoochan Lee, Byoungyoung Lee, Chanwoo Min Seoul National University, Virginia Tech #BHUSA @BLACKHATEVENTS

  2. Summary • New technique turning • Background on races • Classification on races unexploitable races to • Unexploitable races exploitable races #BHUSA @BLACKHATEVENTS

  3. Race condition is an increasing attack vector 30 bugs 143 bugs 104 bugs 81 bugs 15 bugs 111 bugs 7 bugs 59 bugs 67 bugs UAF UAF UAF OOB OOB Race Race Uninit OOB # of fixed bugs that Syzkaller found in 2017 # of fixed bugs that Syzkaller found in 2018 # of fixed bugs that Syzkaller found in 2019 • Razzer, IEEE S&P 2019, found more than 30 race bugs . • KCSAN, developed by Google 2019, found more than 300 race bugs . #BHUSA @BLACKHATEVENTS 3

  4. Background : Race condition Core 1 Core 2 current A Result can be a execution value stored in memory or B a value read by read instruction Pair of race instruction Access Order B A >> Result X è Instructions that A B access the same memory A B >> Result Y è • Accessing the same memory location from two processors è Execution results are different depending on the access order. #BHUSA @BLACKHATEVENTS 4

  5. Background : Race Condition Vulnerability Race Condition Race Condition = + Memory Corruption Vulnerability Race instruction pair A Overflow Race instruction pair B Use-After-Free . . . . . . #BHUSA @BLACKHATEVENTS 5

  6. Background : to trigger Race Condition Vulnerability if A B C , then memory corruption occurs. Brute forcing : Try until success #BHUSA @BLACKHATEVENTS 6

  7. Background : Exploitability of Race Condition Vulnerability A very specific Availability of Exploitable = + memory access order Memory Corruption Races? B C , then) A >> >> (e.g., if #BHUSA @BLACKHATEVENTS 7

  8. Classification of Race Condition Vulnerability Race Condition Vulnerability Single Variable Multi Variable Race Condition Race Condition Race instruction pair 1 for M1 Race instruction pair 1 for M1 Race instruction pair 2 for M1 Race instruction pair 2 for M2 Single variable Multi variable … … #BHUSA @BLACKHATEVENTS 8

  9. Single-variable Race Condition do_ip_setsockopt() raw_sendmsg() { Core 1 Core 2 { … Pair A … inet->hdrincl is 1 if ( ! inet->hdrincl ) { A // initialize rfv variable B inet->hdrincl = 0; rfv.msg = msg; Time … B … Window } C } inet->hdrincl is 0 if ( ! inet->hdrincl ) { memcpy(to, rfv->hdr.c, … ); C } Pair … } Case study : CVE-2017-17712 Control Flow Dependency A B C , then uninitialized buffer use occurs. Data Flow Dependency if >> >> #BHUSA @BLACKHATEVENTS 9

  10. Exploitability of Single-variable Race Core 1 Core 2 Order violation A Time B Window C Order violation • Brute-forcing would somehow trigger the race è if B can be executed within the time window • The smaller the time window is, the lower the probability of successful races. #BHUSA @BLACKHATEVENTS 10

  11. Multi-variable Race Condition Core 1 Core 2 Pair of race instruction A Instructions that B A access the M1 B Time Time Window Window Pair of race instruction x y C Instructions that C D access the M2 D B C A D if >> && >> , Control flow Dependency then memory corruption occurs. Data flow Dependency #BHUSA @BLACKHATEVENTS 11

  12. Multi-variable Race Condition Multi-variable Race Condition Core 1 Core 2 Core 1 Core 2 Inst pair to access M1 A Inst pair B to access M1 B A Ty Tx Tx Ty C D D C Inst pair Inst pair to access M2 to access M2 Tx > Ty Tx ≤ Ty Inclusive Multi-variable Race Non-inclusive Multi-variable Race #BHUSA @BLACKHATEVENTS 12

  13. Exploitability of Inclusive Multi-variable Race Core 1 Core 2 Race Pair A B Ty Tx C D Race Pair • Brute-force somehow works. • The more similar the two time windows are, the lower the probability that a race will occur. #BHUSA @BLACKHATEVENTS 13

  14. Problem : Exploitability of Non-inclusive Race Core 1 Core 2 binder_alloc_new_buf_locked() binder_alloc_mmap_handler() A { { // initialize vma B Tx B A if (alloc-> vma == NULL) return ERR; alloc-> vma = vma; D Tx = 18 cycles Ty = 2250 cycles D alloc-> vma_vm_mm = vma->vm_mm; Ty C mmget_not_zero(alloc-> vma_vm_mm )); Even if, A >> B is succeed, } C >> D will be failed } C Case study : Patch #987393 && C A B D C if >> >> , then uninitialized buffer use occurs in . • Brute-force never works. • impossible to execute with the order of . && C A B D >> >> #BHUSA @BLACKHATEVENTS 14

  15. Problem : Exploitability of Non-inclusive Race Core 1 Core 2 Tx Ty 35 450 A CVE-2017-15265 150 1,800 CVE-2019-1999 B Tx 50 600 CVE-2019-2025 D 18 1,210 CVE-2019-6974 Non-inclusive race vulnerabilities 1,153 13,121 #1035566 Ty Even if, found in linux kernel 18 2,250 #987393 A >> B is succeed, 120 730 #759959 C >> D will be failed C . . . • Brute-force never works. • impossible to execute with the order of . && C A B D >> >> #BHUSA @BLACKHATEVENTS 15

  16. Previous method : Using Different Core Latency Execution Order : C D A >> B & >> race_function1(): D A Core 1 1.6 Ghz race_function2(): C B Core 2 2.5 Ghz • e.g., Qualcomm Snapdragon 845 4x 2.5GHz, 4x 1.6GHz #BHUSA @BLACKHATEVENTS 16

  17. Previous method : Using Different Core Latency Execution Order : C D A >> B & >> race_function1(): D A Core 1 1.6 Ghz function2(): C B Core 2 2.5 Ghz • e.g., Qualcomm Snapdragon 845 4x 2.5GHz, 4x 1.6GHz #BHUSA @BLACKHATEVENTS 17

  18. Limitations of Use Different Core Latency • Must use the CPU that latency between the cores are different. CPU • Not applicable to vulnerabilities with large time window differences CPU dependency #BHUSA @BLACKHATEVENTS 18

  19. Previous Approach : Using scheduler (CONFIG_PREEMPT) Execution Order : C D A >> B & >> Core 0 Jann Horn, Linux Security Summit EU 2019, "Exploiting Race Conditions Using the Scheduler” Core 1 è sched_setaffinity() Core 2 current Wait queue : execution #BHUSA @BLACKHATEVENTS 19

  20. Previous Approach : Using scheduler (CONFIG_PREEMPT) Execution Order : A sched_setaffinity(Core 1, self): R Core 0 Hey, you need to reschedule race_function1(): D A Core 1 race_function2(): C B Core 2 current Wait queue : execution #BHUSA @BLACKHATEVENTS 20

  21. Previous Approach : Using scheduler (CONFIG_PREEMPT) Execution Order : C A >> B & Core 0 sched_setaffinity(Core 1, self): R Core 1 function2(): C B Core 2 race_function1(): current Wait queue : D execution #BHUSA @BLACKHATEVENTS 21

  22. Previous Approach : Using scheduler (CONFIG_PREEMPT) Execution Order : C D A >> B & >> Core 0 race_function1(): D A Core 1 Core 2 current Wait queue : execution #BHUSA @BLACKHATEVENTS 22

  23. Limitation of Using scheduler • Can be used when COFIG_PREEMPT option is applied. • Linux uses CONFIG_PREEMPT_VOLUTARY option by default. Configuration dependency #BHUSA @BLACKHATEVENTS 23

  24. Each of methods has obvious limitations CPU CPU dependency Configuration dependency • All previous methods are hard to be used in general. • We need a new method that extends the time window. #BHUSA @BLACKHATEVENTS 24

  25. How to extend the time window? A D Core 1 Core 1 1. Stop the core 2. Degrade the performance #BHUSA @BLACKHATEVENTS 25

  26. Slow Fast ExpRace Performance : A Interrupt handler! Interrupt handler! Interrupt handler! D Core 1 Bullets • Inter-processor interrupt • Hardware Interrupt Attacker • The key idea of ExpRace is to keep raising interrupts to indirectly alter kernel thread’s interleaving. #BHUSA @BLACKHATEVENTS 26

  27. ExpRace : How to send IPI & IRQ with user priv user_function() syscall() Send IPI { { syscall(); send_IPI(); to core1 } } Attacker Core 1 User mode Kernel mode (User Priv) user_function() syscall() Request Send IRQ { { syscall(); send_REQ(); to device to core1 } } Hardware device Attacker Core 1 User mode Kernel mode (User Priv) #BHUSA @BLACKHATEVENTS 27

  28. ExpRace : TLB Shootdown ~ ~ ~ ~ ~ ~ 0xABC0 0xABD0 0xABE0 0xABC0 0xABD0 0xABE0 IPI cache Flush 0xABD0 cache ? IPI_handler() munmap(0xABD0) Core 1 Core 2 • Modern OSs implement a TLB shootdown mechanism to ensure that TLB entries are synchronized across different cores. • Syscalls that either modify the permission of the page (e.g., mprotect()) or unmap (e.g., munmap()) the page use IPI for TLB shootdown. #BHUSA @BLACKHATEVENTS 28

  29. ExpRace : IPI Environment setting mm α mm β mm α Process C Process A Process B Process C Process A Process B (Core 0) (Core 1) (Core 2) (Core 0) (Core 1) (Core 2) A A B B IPI_send IPI_send (core 1) (core 1 and core 2) Interrupt Interrupt α α handler Tx + α handler Interrupt Ty + α α Tx + α Ty handler D C C D If 3 processes have same mm If process A and C have same mm, and B have different mm #BHUSA @BLACKHATEVENTS 29

Recommend

Exploiting Unix File-System Races via Algorithmic Complexity Attacks By Cai, Gui, Johnson

Exploiting Unix File-System Races via Algorithmic Complexity Attacks By Cai, Gui, Johnson

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Exploiting Unix File-System Races via Algorithmic Complexity

643 views • 31 slides
Pervasive Detection of Thread Process Races In Deployed Systems Columbia University Oren Laadan

Pervasive Detection of Thread Process Races In Deployed Systems Columbia University Oren Laadan

Pervasive Detection of Thread Process Races In Deployed Systems Columbia University Oren Laadan Nicolas Viennot Chia-Che Tsai Chris Blinn Junfeng Yang Jason Nieh ps aux | grep pizza ps aux | grep pizza outputs how many lines: A) 0 B)

768 views • 65 slides
Exploiting COF Vulnerabilities in the Linux kernel Vitaly Nikolenko @vnik5287 Ruxcon - 2016

Exploiting COF Vulnerabilities in the Linux kernel Vitaly Nikolenko @vnik5287 Ruxcon - 2016

Exploiting COF Vulnerabilities in the Linux kernel Vitaly Nikolenko @vnik5287 Ruxcon - 2016 Who am I? Security researcher @ SpiderLabs Exploit dev / bug hunting / reverse engineering Agenda 1. Counter overflows in the kernel

1.02k views • 70 slides
Linux Kernel Futex Fun: Exploiting CVE-2014-3153 Dougall Johnson Overview Futex system call

Linux Kernel Futex Fun: Exploiting CVE-2014-3153 Dougall Johnson Overview Futex system call

Linux Kernel Futex Fun: Exploiting CVE-2014-3153 Dougall Johnson Overview Futex system call Kernel implementation CVE-2014-3153 My approach to exploiting it Futexes Fast user-space mutexes 32-bit integer in shared

959 views • 42 slides
A Kernel-Based Approach to Exploiting Interaction-Networks in Heterogeneous Information Sources

A Kernel-Based Approach to Exploiting Interaction-Networks in Heterogeneous Information Sources

A Kernel-Based Approach to Exploiting Interaction-Networks in Heterogeneous Information Sources for Improved Recommender Systems Oluwasanmi (Sanmi) Koyejo Joydeep Ghosh ECE Dept., University of Texas at Austin HetRec 11, October 27, 2011,

574 views • 43 slides
Exploiting Uses of Uninitialized Stack Variables in Linux Kernels to Leak Kernel Pointers Haehyun

Exploiting Uses of Uninitialized Stack Variables in Linux Kernels to Leak Kernel Pointers Haehyun

Exploiting Uses of Uninitialized Stack Variables in Linux Kernels to Leak Kernel Pointers Haehyun Cho , Jinbum Park, Joonwon Kang, Tiffany Bao Ruoyu Wang, Yan Shoshitaishvili, Adam Doup, Gail-Joon Ahn Uninitialized variables in the stack

806 views • 35 slides
Data Races are Bad Race: two threads access memory without synchronization and at least one is a

Data Races are Bad Race: two threads access memory without synchronization and at least one is a

C ONTEXT - SENSITIVE C ORRELATION A NALYSIS FOR D ETECTING R ACES Polyvios Pratikakis Jeff Foster Michael Hicks University of Maryland, College Park Context-sensitive Correlation Analysis for Detecting Races p.1/ ?? Data Races are Bad

1.28k views • 76 slides
Data-Race Detection for Interrupt-Driven Data-Races and Happens- Kernels Before Analyzing

Data-Race Detection for Interrupt-Driven Data-Races and Happens- Kernels Before Analyzing

Overview Problem Definition Interrupt- Driven Programs Data-Race Detection for Interrupt-Driven Data-Races and Happens- Kernels Before Analyzing FreeRTOS Kernel Library Nikita Chopra, Deepak DSouza and Rekha Pai Conclusion Indian

512 views • 21 slides
Software Tool Seminar WS1516 - Taming the Snake November 4, 2015 1 Taming the Snake 1.1

Software Tool Seminar WS1516 - Taming the Snake November 4, 2015 1 Taming the Snake 1.1

Software Tool Seminar WS1516 - Taming the Snake November 4, 2015 1 Taming the Snake 1.1 Understanding how Python works in N simple steps (with N still growing) 1.2 Step 0. What this talk is about (and what it isnt) Four basic things you

266 views • 12 slides
OmpSs + OpenACC Multi-target Task-Based Programming Model Exploiting OpenACC GPU Kernel Guray

OmpSs + OpenACC Multi-target Task-Based Programming Model Exploiting OpenACC GPU Kernel Guray

www.bsc.es www.bsc.es OmpSs + OpenACC Multi-target Task-Based Programming Model Exploiting OpenACC GPU Kernel Guray Ozen guray.ozen@bsc.es Exascale in BSC Marenostrum 4 (13.7 Petaflops ) General purpose cluster (3400 nodes) with Intel

464 views • 20 slides
Chapter 8 Applying Thread Pools Magnus Andersson Execution policies Not all task are

Chapter 8 Applying Thread Pools Magnus Andersson Execution policies Not all task are

Chapter 8 Applying Thread Pools Magnus Andersson Execution policies Not all task are suitable for all execution policies Dependent task Task exploiting thread confinement Response time sensitive tasks ThreadLocal tasks

358 views • 32 slides
to gain kernel privileges Writer : MARK SEABORN @GOOGLE Presenter : Jiwon Choi Introduction

to gain kernel privileges Writer : MARK SEABORN @GOOGLE Presenter : Jiwon Choi Introduction

Exploiting the DRAM row hammer bug to gain kernel privileges Writer : MARK SEABORN @GOOGLE Presenter : Jiwon Choi Introduction Exploit ! without exploiting software bug Row hammer repeated accesses DRAMs row DRAM chipset DRAM

932 views • 77 slides
Thread Packages Carsten Griwodz University of Oslo (includes slides from O. Anshus, T.

Thread Packages Carsten Griwodz University of Oslo (includes slides from O. Anshus, T.

Thread Packages Carsten Griwodz University of Oslo (includes slides from O. Anshus, T. Plagemann, M. van Steen and A. Tanenbaum) Overview What are threads? Why threads? Thread implementation User level Kernel level

580 views • 36 slides
13 IN THIS CHAPTER Benefits of Thread Pooling 308 Considerations and Costs of Thread

13 IN THIS CHAPTER Benefits of Thread Pooling 308 Considerations and Costs of Thread

Thread Pooling CHAPTER 13 IN THIS CHAPTER Benefits of Thread Pooling 308 Considerations and Costs of Thread Pooling 308 A Generic Thread Pool: ThreadPool 309 A Specialized Worker Thread Pool: HttpServer 319 Techniques

556 views • 34 slides
ARES /RACES Par+cipa+on with Homeland Security Agencies in

ARES /RACES Par+cipa+on with Homeland Security Agencies in

ARES /RACES Par+cipa+on with Homeland Security Agencies in Full Scale Exercise 2012 and 2013 Monroe County ARES / RACES Inc. Tools used

1.05k views • 93 slides
WaveScalar Dataflow machine good at exploiting ILP dataflow parallelism + traditional

WaveScalar Dataflow machine good at exploiting ILP dataflow parallelism + traditional

WaveScalar Dataflow machine good at exploiting ILP dataflow parallelism + traditional coarser-grain parallelism cheap thread management memory ordering enforced through wave-ordered memory Winter 2006 CSE 548 - WaveScalar 1

579 views • 27 slides
Dingo: Taming Device Drivers Leonid Ryzhyk Peter Chubb Ihor Kuz Gernot Heiser UNSW,

Dingo: Taming Device Drivers Leonid Ryzhyk Peter Chubb Ihor Kuz Gernot Heiser UNSW,

Dingo: Taming Device Drivers Leonid Ryzhyk Peter Chubb Ihor Kuz Gernot Heiser UNSW, NICTA, Open Kernel Labs (Australia) The problem with drivers 70% of OS crashes are caused by device drivers Drivers contain 1.5x-7x bugs per loc

557 views • 36 slides
Exploiting Multi-Core Architectures for Fast Modular Synthesis LAC2008 Feb 29, 2008 Jrgen

Exploiting Multi-Core Architectures for Fast Modular Synthesis LAC2008 Feb 29, 2008 Jrgen

Exploiting Multi-Core Architectures for Fast Modular Synthesis LAC2008 Feb 29, 2008 Jrgen Reuter Multiple Cores CPU speed only slowly growing Multi-Core CPUs now pervade market Ideal for thread-parallel compute-intensive tasks

371 views • 19 slides
Error Resilient Image Communication with Chaotic Pixel Interleaving for Wireless Sensor Networks

Error Resilient Image Communication with Chaotic Pixel Interleaving for Wireless Sensor Networks

Introduction to image transmission over WSNs Pixel interleaving for robust image transport Experimentation and analysis results Conclusion and Future work Error Resilient Image Communication with Chaotic Pixel Interleaving for Wireless Sensor

581 views • 33 slides
Intention Interleaving Via Classical Replanning Mengwei Xu , Kim Bauters, Kevin McAreavey, Weiru

Intention Interleaving Via Classical Replanning Mengwei Xu , Kim Bauters, Kevin McAreavey, Weiru

Intention Interleaving Via Classical Replanning Mengwei Xu , Kim Bauters, Kevin McAreavey, Weiru Liu Extending Belief-Desire-Intention (BDI) Agents to Managing Intention Interleaving Intention Resolution: to avoid negative interference Guarantee

745 views • 29 slides
What is a Thread? A thread lives within a process; A process can have several threads.

What is a Thread? A thread lives within a process; A process can have several threads.

What is a Thread? A thread lives within a process; A process can have several threads. A thread possesses an independent flow of control, Threads and can be scheduled to run separately from other threads, because it maintains its

330 views • 4 slides
Thread and Synchronization Synchronization Mechanisms (Module 21) Yann-Hang Lee Arizona State

Thread and Synchronization Synchronization Mechanisms (Module 21) Yann-Hang Lee Arizona State

Thread and Synchronization Synchronization Mechanisms (Module 21) Yann-Hang Lee Arizona State University yhlee@asu.edu (480) 727-7507 Summer 2014 Real-time Systems Lab, Computer Science and Engineering, ASU Kernel Semaphores struct

120 views • 8 slides
User-level scheduling OS does all the scheduling work Simple as that! Don Porter

User-level scheduling OS does all the scheduling work Simple as that! Don Porter

11/14/11 Context Multi-threaded application; more threads than CPUs Simple threading approach: Create a kernel thread for each application thread User-level scheduling OS does all the scheduling work Simple as

350 views • 6 slides
MULTITREADING What is a thread? A thread is a concurrent unit of execution Threads share

MULTITREADING What is a thread? A thread is a concurrent unit of execution Threads share

MULTITREADING What is a thread? A thread is a concurrent unit of execution Threads share processs resource but are able to execute independently Each thread has a call stack for methods being invoked A VM may run several threads

350 views • 24 slides

More recommend