over the edge silently owning windows 10 s secure browser
play

Over the Edge: Silently Owning Windows 10's Secure Browser Erik - PowerPoint PPT Presentation

Jan 03, 2024 •570 likes •1.87k views

Over the Edge: Silently Owning Windows 10's Secure Browser Erik Bosman , Kaveh Razavi, Herbert Bos and Cristiano Giu ff rida This presentation: Deduplication (software side-channel) 1 This presentation: Deduplication (software side-channel)

  1. Over the Edge: Silently Owning Windows 10's Secure Browser Erik Bosman , Kaveh Razavi, Herbert Bos and Cristiano Giu ff rida

  3. This presentation: Deduplication (software side-channel) 1

  4. This presentation: Deduplication (software side-channel) + Rowhammer (hardware bug) 1

  5. This presentation: Deduplication (software side-channel) + Rowhammer (hardware bug) Exploit MS Edge without software bugs (from JavaScript) 1

  6. This presentation: Deduplication (software side-channel) + Rowhammer a n i h c (hardware bug) a M t s e p u d e D Exploit MS Edge without software bugs (from JavaScript) 1

  7. Outline: Deduplication - leak heap & code addresses JavaScript Array +0.0 +3.141592 42. 1 NaN 2

  8. Outline: Deduplication - leak heap & code addresses chakra.dll JavaScript Array +0.0 +3.141592 42. 1 NaN 2

  9. Outline: Deduplication - leak heap & code addresses - create a fake object 2

  10. Outline: Deduplication - leak heap & code addresses - create a fake object Rowhammer - create reference to our fake object 2

  11. Outline: Deduplication - leak heap & code addresses - create a fake object Rowhammer - create reference to our fake object 2

  12. memory deduplication A method of reducing memory usage. Used in virtualisation environments, (was) also enabled by default on Windows 8.1 and 10. 3

  13. memory deduplication physical memory process A process B 4

  14. memory deduplication physical memory process A process B 4

  15. memory deduplication physical memory process A process B 4

  16. memory deduplication physical memory process A process B 4

  17. memory deduplication physical memory process A process B 4

  18. memory deduplication physical memory process A * * * * * * * * * * * * * * process B * * * * * * * * * * * * * 4

  19. memory deduplication: The Problem Deduplicated memory does not need to have the same origin. (unlike fork(), file-backed memory) An attacker can use deduplication as a side-channel 5

  20. deduplication side-channel attack normal write 6

  21. deduplication side-channel attack normal write write 6

  22. deduplication side-channel attack normal write write copy on write (due to deduplication) * 6

  23. deduplication side-channel attack normal write write copy on write (due to deduplication) * trap to kernel 6

  24. deduplication side-channel attack normal write write copy on write (due to deduplication) * trap copy to whole kernel page 6

  25. deduplication side-channel attack normal write write copy on write (due to deduplication) * trap copy update to whole page kernel page tables 6

  26. deduplication side-channel attack normal write write copy on write (due to deduplication) * trap copy update return to whole page from kernel page tables kernel 6

  27. deduplication side-channel attack normal write write copy on write (due to deduplication) * trap copy update return to whole page from write kernel page tables kernel 6

  28. deduplication side-channel attack A 1-bit side channel which is able to leak data across security boundaries - cross VM - cross-process - leak process data from javascript code 7

  29. having fun with deduplication - covert channel 8

  31. having fun with deduplication - covert channel - detect running software 9

  32. Wordpad memory dump wordpad not running 10

  33. Wordpad memory dump wordpad not running 10

  34. Wordpad memory dump wordpad running 11

  35. Wordpad memory dump wordpad running 11

  36. Signal not as clear as expected, Reason: file backed memory not deduplicated the same way on Windows. 12

  37. Skype memory dump skype not running 13

  38. Skype memory dump skype not running 13

  39. Skype memory dump skype running 14

  40. Skype memory dump skype running 14

  41. For our Edge exploit, a single-bit, page-granularity info leak isn't enough 15

  42. Can we generalize this to leaking arbitrary data, like an ASLR pointer or a password? 16

  43. Challenge 1: The secret we want to leak does not span an entire page. 17

  44. turning a secret into a page secret 18

  45. turning a secret into a page known data secret secret page 18

  46. Challenge 2: The secret we want to leak has too much entropy to leak all at once. 19

  47. primitive #1: alignment probing known data secret secret page 20

  48. primitive #1: alignment probing known data secret secret page 20

  49. primitive #2: partial reuse known data secret secret page 21

  50. primitive #2: partial reuse known data secret secret page 21

  51. Outline: Deduplication - leak heap & code addresses chakra.dll 22

  52. JIT function epilogue (MS Edge) secret mov RCX,0x1c20 mov RAX, [code address] jmp RAX trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap ... known data 23

  53. JIT function epilogue (MS Edge) page mov RCX,0x1c20 mov RAX, [code address] jmp RAX trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap 24

  54. JIT function epilogue (MS Edge) page mov RCX,0x1c20 mov RAX, [code address] jmp RAX trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap 24

  55. Outline: Deduplication - leak heap & code addresses chakra.dll 25

  56. Outline: Deduplication - leak heap & code addresses chakra.dll JavaScript Array +0.0 +3.141592 42. 1 NaN 25

  57. We were not able to create pages leaking only part of our heap pointer. 25

  58. Heap pointer entropy in Edge 0x5F48143540 26

  59. Heap pointer entropy in Edge advertised ASLR (24 bit) 0x5F48143540 26

  60. Heap pointer entropy in Edge advertised ASLR (24 bit) 0x5F48143540 non-deterministic bits (+/- 36 bit) 26

  61. Heap pointer entropy in Edge 64G advertised ASLR (24 bit) 0x5F48143540 non-deterministic bits (+/- 36 bit) 26

  62. Heap pointer entropy in Edge 64G advertised ASLR (24 bit) 0x5F48143540 256T non-deterministic bits (+/- 36 bit) 26

  63. Heap pointer entropy in Edge 64G * redundancy advertised ASLR (24 bit) 0x5F48143540 256T non-deterministic bits * redundancy (+/- 36 bit) 26

  64. Slab allocator for JavaScript objects array object 27

  65. Slab allocator for JavaScript objects array array object data 27

  66. Slab allocator for JavaScript objects array array object data Allocated together 27

  67. Slab allocator for JavaScript objects array (almost) object arbirary data Allocated together 27

  68. Slab allocator for JavaScript objects 16K slab 28

  69. Slab allocator for JavaScript objects ... 1M VirtualAlloc() 28

  70. Slab allocator for JavaScript objects 1st after VirtualAlloc() call ... 1M VirtualAlloc() 28

  71. Slab allocator for JavaScript objects 29

  72. Slab allocator for JavaScript objects potential 1M aligned objects 29

  73. Slab allocator for JavaScript objects potential 1M aligned objects 29

  74. Slab allocator for JavaScript objects potential 1M aligned objects 29

  75. Heap pointer entropy in Edge 64G * redundancy advertised ASLR (24 bit) 0x5F48143540 256T non-deterministic bits * redundancy (+/- 36 bit) 30

  76. Heap pointer entropy in Edge 64G * redundancy advertised ASLR (24 bit) 0x5F48100000 entropy after 1MB alignment (20 bit) 30

  77. Heap pointer entropy in Edge 64G * redundancy advertised ASLR (24 bit) 0x5F48100000 4G entropy after 1MB alignment * redundancy (20 bit) 30

  78. birthday problem 31

  79. birthday problem 31

  80. birthday problem 31

  81. birthday problem 31

  82. birthday problem 31

  83. birthday problem 31

  84. birthday problem 31

  85. birthday problem 31

  86. birthday problem 31

  87. birthday problem 31

  88. birthday problem 31

  89. birthday problem 31

  90. birthday problem 31

  91. primitive #3: birthday heapspray physical memory attacker memory victim memory 32

  92. primitive #3: birthday heapspray physical memory attacker memory victim memory 32

  93. primitive #3: birthday heapspray physical memory attacker memory victim memory 32

  94. primitive #3: birthday heapspray physical memory attacker memory victim memory 32

  95. primitive #3: birthday heapspray physical memory attacker memory victim memory 32

  96. primitive #3: birthday heapspray physical memory attacker memory victim memory 32

  97. primitive #3: birthday heapspray physical memory attacker memory victim memory 32

  98. primitive #3: birthday heapspray physical memory attacker memory victim memory 32

  99. primitive #3: birthday heapspray physical memory attacker memory victim memory 32

  100. primitive #3: birthday heapspray physical memory attacker memory victim memory 32

Recommend

www.toddklindt.com www.toddklindt.com/HSUS How Do I Get to it? Your Browser no really

www.toddklindt.com www.toddklindt.com/HSUS How Do I Get to it? Your Browser no really

todd.klindt@sympraxisconsulting.com @toddklindt www.toddklindt.com www.toddklindt.com/HSUS How Do I Get to it? Your Browser no really Chrome IE Edge (barf!) Sleipnir, etc. Windows desktop Mac desktop Linux

601 views • 45 slides
IS OWNING A CAT BETTER Elie J. Diner, PhD SlideTalk THAN OWNING A DOG? University of Cat

IS OWNING A CAT BETTER Elie J. Diner, PhD SlideTalk THAN OWNING A DOG? University of Cat

IS OWNING A CAT BETTER Elie J. Diner, PhD SlideTalk THAN OWNING A DOG? University of Cat HUMANS HAVE DOMESTICATED MANY DIFFERENT TYPES OF ANIMALS AS PETS Canis lupus Oryctolagus Felis catus Carassius familiaris cuniculus auratus PHOTO

158 views • 11 slides
Linux For Beginners April 26, 2016 Dualboot Linux and Windows Dualboot Linux and Windows

Linux For Beginners April 26, 2016 Dualboot Linux and Windows Dualboot Linux and Windows

Linux For Beginners April 26, 2016 Dualboot Linux and Windows Dualboot Linux and Windows Reinstall usually keeps personal files Advantages of Linux More secure Package manager Software installation is easy, fast and secure Keeps

528 views • 15 slides
Updates on Windows TCP Praveen Balasubramanian pravb@microsoft.com Recap and deployment update

Updates on Windows TCP Praveen Balasubramanian pravb@microsoft.com Recap and deployment update

Updates on Windows TCP Praveen Balasubramanian pravb@microsoft.com Recap and deployment update Recap from Chicago IETF TFO (TCP Fast Open) enabled by default in the Edge browser in Creators Update Experimental support for CUBIC

344 views • 12 slides
ENGR/CS 101 CS Session Lecture 11 Log into Windows (reboot if in Linux) Use web browser to

ENGR/CS 101 CS Session Lecture 11 Log into Windows (reboot if in Linux) Use web browser to

ENGR/CS 101 CS Session Lecture 11 Log into Windows (reboot if in Linux) Use web browser to go to session webpage http://csserver.evansville.edu/~hwang/f11-courses/engrcs101/cs.html Right-click on Inclass11.zip link. Save link/target

386 views • 21 slides
Requirements for Secure Device Authentication Iden&ty in the browser

Requirements for Secure Device Authentication Iden&ty in the browser

Requirements for Secure Device Authentication Iden&ty in the browser workshop, 24-25 May 2011, Mountain View Mark Watson, Mitch Zollinger, Wesley Miaw 1

327 views • 9 slides
What is a good pen based application? The windows desktop and browser are HCI For Pen Based

What is a good pen based application? The windows desktop and browser are HCI For Pen Based

What is a good pen based application? The windows desktop and browser are HCI For Pen Based Computing NOT good pen based apps! Richard Anderson CSE 481 B Winter 2007 What is a good UI? How do you measure it? Mechanical Properties

208 views • 8 slides
Introduction SE 2XA3 Term I, 2020/21 BSB 244 and 249 labs Windows Windows based based

Introduction SE 2XA3 Term I, 2020/21 BSB 244 and 249 labs Windows Windows based based

Introduction SE 2XA3 Term I, 2020/21 BSB 244 and 249 labs Windows Windows based based Laptop Workstation Workstation Laptop Internet moore (CAS Linux server) Secure Shell terminal Secure . Shell servers Requires:

841 views • 25 slides
Introduction CS 2XA3 Term I, 2020/21 BSB 244 and 249 labs Windows Windows based based

Introduction CS 2XA3 Term I, 2020/21 BSB 244 and 249 labs Windows Windows based based

Introduction CS 2XA3 Term I, 2020/21 BSB 244 and 249 labs Windows Windows based based Laptop Workstation Workstation Laptop Internet moore (CAS Linux server) Secure Shell terminal Secure . Shell servers Requires:

526 views • 25 slides
Courtyard House Anjuna Goa For Sale Imagine owning your own private forest your beautiful home

Courtyard House Anjuna Goa For Sale Imagine owning your own private forest your beautiful home

Courtyard House Anjuna Goa For Sale Imagine owning your own private forest your beautiful home nestled amidst trees every last detail perfectly fjnished all you need to bring are the keys Imagine low slung roofs and large bright windows the

913 views • 24 slides
TOR BROWSER FORENSICS ON WINDOWS OS MATTIA EPIFANI, FRANCESCO PICASSO, MARCO SCARITO, CLAUDIA MEDA

TOR BROWSER FORENSICS ON WINDOWS OS MATTIA EPIFANI, FRANCESCO PICASSO, MARCO SCARITO, CLAUDIA MEDA

TOR BROWSER FORENSICS ON WINDOWS OS MATTIA EPIFANI, FRANCESCO PICASSO, MARCO SCARITO, CLAUDIA MEDA DFRWS 2015 DUBLIN, 24 MARCH 2015 REAL CASE Management salaries of a private company were published on a Blog Through an analysis of the

228 views • 21 slides
DNSSEC in Windows DNS Server Kumar Ashutosh, Microsoft Windows DNS Server Widely deployed in

DNSSEC in Windows DNS Server Kumar Ashutosh, Microsoft Windows DNS Server Widely deployed in

DNSSEC in Windows DNS Server Kumar Ashutosh, Microsoft Windows DNS Server Widely deployed in enterprises Fair presence in the DNS resolver space Standards compliant and interoperable Secure and scalable DNSSEC in Windows DNS

266 views • 14 slides
Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box - Still GUI based - Still makes no sense - No start menu :( - (Install classic shell)... trust me... Windows Server What can it do? - Email

1.06k views • 37 slides
Run Any Software in a Browser NVIDIA GTC, April 7, 2016 What is Frame? Frame is a secure cloud

Run Any Software in a Browser NVIDIA GTC, April 7, 2016 What is Frame? Frame is a secure cloud

Run Any Software in a Browser NVIDIA GTC, April 7, 2016 What is Frame? Frame is a secure cloud platform that lets organizations deliver amazing experiences and workflows to users on all connected devices . Pixels user input Confidential Why

540 views • 21 slides
IS THE LINUX DESKTOP LESS SECURE THAN WINDOWS 10? OR HOW SUPER MARIO MUSIC CAN OWN YOUR SYSTEM.

IS THE LINUX DESKTOP LESS SECURE THAN WINDOWS 10? OR HOW SUPER MARIO MUSIC CAN OWN YOUR SYSTEM.

IS THE LINUX DESKTOP LESS SECURE THAN WINDOWS 10? OR HOW SUPER MARIO MUSIC CAN OWN YOUR SYSTEM. Hanno Bck https://hboeck.de 1 This was too easy . It should not be possible to find a serious memory corruption vulnerability in the default

577 views • 31 slides
Log in using secure shell ssh Y user@tak PuTTY on Windows Unix: Beyond the Basics George W

Log in using secure shell ssh Y user@tak PuTTY on Windows Unix: Beyond the Basics George W

Log in using secure shell ssh Y user@tak PuTTY on Windows Unix: Beyond the Basics George W Bell, Ph.D. Terminal on Macs BaRC Hot Topics October, 2016 Bioinformatics and Research Computing Whitehead Institute Command prompt user@tak

249 views • 7 slides
Virtels Browser -Based 3270 Terminal Emulation Working from Home: Virtels Secure 3270 TE

Virtels Browser -Based 3270 Terminal Emulation Working from Home: Virtels Secure 3270 TE

Webinar Working from Home with Virtels Browser -Based 3270 Terminal Emulation Working from Home: Virtels Secure 3270 TE Limited Time Offer Shelter-in-place Plan Our Offer Everyone works from home Virtel Web Access = browser-based

219 views • 21 slides
Pipelight Windows browser plugins on Linux Michael Mller Sebastian Lackner Erich E. Hoover

Pipelight Windows browser plugins on Linux Michael Mller Sebastian Lackner Erich E. Hoover

Pipelight Windows browser plugins on Linux Michael Mller Sebastian Lackner Erich E. Hoover May 7, 2014 1 / 35 $ whoami Michael Mller (michael@fds-team.de) studying computer science at the university of Heidelberg, Germany Sebastian

1.25k views • 35 slides
The Browser as a Secure Platform for Loosely Coupled, Private-Data Mashups Ben Adida C enter for

The Browser as a Secure Platform for Loosely Coupled, Private-Data Mashups Ben Adida C enter for

The Browser as a Secure Platform for Loosely Coupled, Private-Data Mashups Ben Adida C enter for R esearch on C omputation and S ociety Harvard University 24 May 2007 web mashups : interesting combinations. Aggressive web 2.0

745 views • 18 slides
Session 1: Adverbs adver verb b Can you mime (silently act) what James was

Session 1: Adverbs adver verb b Can you mime (silently act) what James was

Session 1: Adverbs adver verb b Can you mime (silently act) what James was doing? adver verb b Can you mime (silently act) what Claire did? adver verb b Can you mime (silently act) what Gavin is doing? How? When?

1.18k views • 49 slides
Agenda Who Are We? Intro To Secure Desktop What is it? What does it work?

Agenda Who Are We? Intro To Secure Desktop What is it? What does it work?

Bypassing Secure Desktops Protections Bruno Oliveira & Mrcio Almeida Agenda Who Are We? Intro To Secure Desktop What is it? What does it work? Windows API Our PoC Mitigation Conclusions Who are we?

601 views • 23 slides
Secure Web Applications with AWA Stphane Carrez FOSDEM 2019 What is a Web Application

Secure Web Applications with AWA Stphane Carrez FOSDEM 2019 What is a Web Application

Secure Web Applications with AWA Stphane Carrez FOSDEM 2019 What is a Web Application Client server program with browser as client Examples: Gmail, Dropbox, Netflix, Zoho,... Server Server Database Client Front Back Browser End

1.09k views • 34 slides
Declarative, Secure, Convergent Edge Computation Christopher Meiklejohn Universit catholique

Declarative, Secure, Convergent Edge Computation Christopher Meiklejohn Universit catholique

Declarative, Secure, Convergent Edge Computation Christopher Meiklejohn Universit catholique de Louvain, Belgium 1 Internet of Things 2 Internet of Things but, more generally 2 Edge Computation Logical extremes Pushing both

1.86k views • 168 slides
Todd Klindt Todd.klindt@sympraxisconsulting.com @toddklindt www.toddklindt.com

Todd Klindt Todd.klindt@sympraxisconsulting.com @toddklindt www.toddklindt.com

Todd Klindt Todd.klindt@sympraxisconsulting.com @toddklindt www.toddklindt.com www.toddklindt.com/HSUS How Do I Get to it? Three Main Ways Your Browser no really Chrome IE Edge (barf!) Sleipnir, etc. Windows desktop

756 views • 53 slides

More recommend