Precise and Scalable Detection of Double-Fetch Bugs in Kernels (lecture slides; original file 对内核中“二次获取”漏洞的精确以及大范围检测课件.pptx)

  • Uploader (seller): 晟晟文业
  • Document ID: 4258520
  • Upload time: 2022-11-23
  • Format: PPTX
  • Pages: 58
  • Size: 1.31 MB

Address Space Separation

A typical address space separation scheme with a 32-bit virtual address space: the user/program address space occupies 0x00000000 to 0xC0000000 (3 GB) and the kernel address space occupies 0xC0000000 to 0xFFFFFFFF (1 GB).

How To Do A Single Fetch?

    void kfunc(int __user *uptr, int *kptr)

uptr points at userspace memory holding the value 0xDEADBEEF; kptr points at kernel memory that is still uninitialized. The kernel must not dereference a userspace pointer directly, so the following is not allowed:

    *kptr = *uptr;   /* no dereference on userspace pointers */

Instead, the kernel goes through the designated userspace memory access functions (transfer functions):

    copy_from_user(kptr, uptr, 4);

After the call, the kernel-side integer holds 0xDEADBEEF as well.

Shared Userspace Pointer Across Threads

The userspace memory behind uptr is shared by all threads of the calling process: while one thread is inside the system call and the kernel is fetching from uptr, another thread of the same process can still write to that memory.
Why Double-Fetch?

A simplified version of perf_copy_attr, as shown on the slides (the second operand of the lower-bound check was lost in extraction; the kernel's own check uses PERF_ATTR_SIZE_VER0, which is substituted here):

    static int perf_copy_attr_simplified(struct perf_event_attr __user *uattr,
                                         struct perf_event_attr *attr)
    {
        u32 size;

        /* first fetch */
        if (get_user(size, &uattr->size))
            return -EFAULT;

        /* sanity checks */
        if (size > PAGE_SIZE ||
            size < PERF_ATTR_SIZE_VER0)
            return -EFAULT;
        ...
        /* second fetch */
        if (copy_from_user(attr, uattr, size))
            return -EFAULT;
        ...
        /* BUG: when attr->size is used later */
        memcpy(buf, attr, attr->size);
    }

The first fetch reads only the 4-byte size field: size = 30. The sanity checks pass. The second fetch then copies the whole structure, 30 bytes, into attr, and attr->size is 30 too, provided nothing changed in between.

What Can Go Wrong in This Process?

Right after the first fetch, the kernel holds size = 30 and has validated it. Race condition in the userspace: before the second fetch, another thread of the process writes 65535 into uattr->size. The second fetch still copies 30 bytes (the checked size), but the copy now carries attr->size = 65535, so the value that was checked (30) and the value that is used (65535) no longer agree.

When Exploits Happen: the later memcpy(buf, attr, attr->size) copies 65535 bytes instead of the 30 that were validated. Kernel information leak!
Root Cause of Double-Fetch Bugs

  • False assumed atomicity in syscall execution: the kernel wrongly assumes that, within one system call, accesses to the same userspace address return the same result.
  • In essence, a double-fetch bug is a time-of-check-to-time-of-use (TOCTOU) bug.

Double-Fetch is Prevalent in Kernels

Common situations that lead to a double fetch:
  • Size checking (checking the size of the whole message before copying it)
  • Dependency lookup (looking up the object that handling the message depends on)
  • Protocol/signature checking
  • Information guessing (completing information the message does not carry)

Case 2: Dependency Lookup. Adapted from mptctl_ioctl in drivers/message/fusion/mptctl.c: the code acquires the mutex lock for ioc 01, performs do_fw_download for ioc 02, and releases the mutex lock for ioc 01. The ioc number that selects the lock and the ioc number that selects the adapter being operated on come from two different fetches of the same field.

Case 3: Protocol/Signature Check. Adapted from do_tls_setsockopt_tx in net/tls/tls_main.c.

Case 4: Information Guessing. Adapted from con_font_set in drivers/tty/vt/vt.c.
Prior Works

    Work            Bochspwn (BlackHat13)      DECAF (arXiv17)       Pengfei et al. (Security17)   Deadline (IEEE SP18)
    Kernel          Windows                    Linux                 Linux, FreeBSD                Linux, FreeBSD
    Analysis        Dynamic                    Dynamic               Static                        Static
    Method          VMI (VM introspection)     Kernel fuzzing        Lexical code matching         Symbolic execution
    Pattern         Memory access timing       Cache side channel    Size checking                 Formal definitions
                    (two accesses to the same
                    address in a short time)
    Code coverage   Low                        Low                   High                          High
    Manual effort   Manual checking required to differentiate double-fetch cases from bugs         No manual checking
Double-Fetch Bugs: A Formal Definition

Fetch: each fetch is represented as a pair (A, S), where A is the starting address of the fetch and S is the size of the memory copied into the kernel.

Overlapped fetch: two fetches (A0, S0) and (A1, S1) that satisfy

    A0 <= A1 < A0 + S0  ||  A1 <= A0 < A1 + S1

The overlapped memory region is marked (A01, S01).

Control dependence: a branch that the path between the two fetches depends on is decided by a value inside (A01, S01); the example retained from the slides is the protocol version check in the TLS case, version == TLS_1_2_VERSION.

Data dependence: a variable V in (A01, S01) is consumed before or on the second fetch (e.g., involved in a calculation, passed to function calls, etc.).

Example of data dependence (from the mptctl case):
  • the overlapped variable V: khdr.iocnum
  • the statement where V is consumed: mpt_verify_adapter(khdr.iocnum, &iocp)
  • the expectation for V after the second fetch: kfwdl.iocnum == khdr.iocnum

A double-fetch bug is present when all three conditions hold:

1. Two fetches from userspace memory cover an overlapped region.
2. A relation exists on the overlapped region between the two fetches. The relation can be control dependence, data dependence, or both.
3. We cannot prove that the relation established after the first fetch still holds after the second fetch.

How to Find Double-Fetch Bugs?

1. Find as many double-fetch pairs as possible and construct the code paths associated with each pair.
2. Symbolically check each code path and determine whether the two fetches make a double-fetch bug.
Fetch Pair Collection

Goal: statically enumerate all pairs of fetches that could possibly occur while a system call executes.

    static int enclosing_function(struct msg_hdr __user *uptr,
                                  struct msg_full *kptr)
    {
        ...
        if (copy_from_user(kptr, uptr, size))
            return -EFAULT;
        ...
    }

Start from a fetch (the copy_from_user above) and search backwards through the reaching instructions. There are three outcomes:

Case 1: another fetch is found.

        if (get_user(size, &uptr->size))
            return -EFAULT;
        if (copy_from_user(kptr, uptr, size))
            return -EFAULT;

Case 2: a fetch-involved function is found (the fetch happens inside a callee).

        size = get_size_from_user(uptr);
        if (copy_from_user(kptr, uptr, size))
            return -EFAULT;

Case 3: no fetch-related instruction is found.

        if (copy_from_user(kptr, uptr, size))
            return -EFAULT;

Symbolic Checking

Goal: symbolically execute the code path that connects the two fetches and determine whether the two fetches satisfy all the criteria set in the formal definition of a double-fetch bug.

The paper contains a more elaborate case showing how Deadline handles loops (loop unrolling) and simple pointer analysis (pointer resolving); please refer to it for a comprehensive demonstration.
Findings

1. 24 bugs found in total: 23 in the Linux kernel and 1 in the FreeBSD kernel.
2. 10 bugs have been patched with the fix we provided.
3. 5 bugs are acknowledged by the maintainers; we are still working on the fix.
4. 7 bugs are pending review.
5. 2 bugs are marked as "won't fix".

Patching Double-Fetch Bugs

1. Override the second fetch: overwrite the re-fetched copy of the field with the value that was checked after the first fetch.
2. Abort on change detected: compare the contents of the two fetches and fail the call if they differ.
3. Refactor overlapped copies into incremental copies.
4. Refactor overlapped copies into a single fetch.

Generic Patch for Double-Fetch Bugs

Unfortunately, not all double-fetch bugs can be patched with these patterns. Some require heavy refactoring of the existing code base or a redesign of the structs used to pass information, which takes substantial manual effort. Recently, DECAF has provided a promising solution that uses TSX-based techniques to ensure that userspace memory accesses within one syscall execution are atomic.

Conclusion

  • Detecting double-fetch bugs without a precise and formal definition has led to many false alerts and tremendous manual effort; a precise definition helps rule out false positives and find bugs more accurately.
  • Our system, Deadline, can be applied beyond kernel double-fetch bugs: we believe similar bugs exist in hypervisors, browsers, TEEs, etc.
  • After memory-safety bugs, logic bugs deserve attention too. Logic bugs are on the rise! We hope that more logic bugs can be modeled and checked systematically.

Thank you!
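The perf_copy_attr double fetch from the "Why Double-Fetch?" section and patch patterns 1 to 4 from the "Patching Double-Fetch Bugs" section, as an added userspace model that is neither the slides' nor the kernel's code. get_user()/copy_from_user() are stood in for by memcpy() from a constructed "userspace" struct, and a hook called between the two fetches plays the racing thread so that every run is deterministic; the struct layout, the lower size bound ATTR_SIZE_MIN and the error codes are assumptions:

```c
/* Added example (not the slides' or the kernel's code): a userspace model of the
 * perf_copy_attr double fetch and of patch patterns 1-4. get_user()/copy_from_user()
 * are replaced by memcpy() from a constructed "userspace" struct, and a hook called
 * between the two fetches stands in for the racing thread. Field layout, bounds
 * and error codes are assumptions. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE      4096
#define ATTR_SIZE_MIN  16     /* constructed lower bound (the kernel uses PERF_ATTR_SIZE_VER0) */

struct attr {                 /* constructed stand-in for struct perf_event_attr */
    uint32_t size;
    uint8_t  payload[60];
};

typedef void (*race_hook_t)(struct attr *uattr);

enum patch {
    UNPATCHED,               /* the buggy shape from the slides */
    OVERRIDE_SECOND_FETCH,   /* pattern 1 */
    ABORT_ON_CHANGE,         /* pattern 2 */
    INCREMENTAL_COPIES       /* pattern 3 */
};

/* Models perf_copy_attr_simplified(). Returns the byte count that the later
 * memcpy(buf, attr, attr->size) would trust, or a negative errno. */
static long copy_attr(struct attr *uattr, enum patch p, race_hook_t race)
{
    uint32_t size;
    struct attr kattr;

    memset(&kattr, 0, sizeof kattr);

    /* first fetch: only the size field (get_user) */
    memcpy(&size, &uattr->size, sizeof size);

    /* sanity checks run on the first-fetched value */
    if (size > PAGE_SIZE || size < ATTR_SIZE_MIN)
        return -EINVAL;
    if (size > sizeof kattr)        /* keeps the model itself memory safe */
        return -E2BIG;

    /* race window: another thread may rewrite uattr->size here */
    if (race)
        race(uattr);

    /* second fetch (copy_from_user) */
    if (p == INCREMENTAL_COPIES) {
        /* pattern 3: re-copy only the bytes not fetched yet, so the copies never overlap */
        kattr.size = size;
        memcpy(kattr.payload, uattr->payload, size - sizeof size);
    } else {
        memcpy(&kattr, uattr, size);   /* overlaps the first fetch: kattr.size is re-read */
    }

    if (p == OVERRIDE_SECOND_FETCH)
        kattr.size = size;             /* pattern 1: keep the checked value */
    if (p == ABORT_ON_CHANGE && kattr.size != size)
        return -EINVAL;                /* pattern 2: the two fetches disagree */

    /* the consumer trusts kattr.size, as the slides' memcpy(buf, attr, attr->size) does */
    return kattr.size;
}

/* Pattern 4: one fetch of the whole struct; every check runs on the same copy
 * that is later used, so a racing write can only land before the copy and is
 * then caught by the checks. */
static long copy_attr_single_fetch(struct attr *uattr, race_hook_t race)
{
    struct attr kattr;

    if (race)
        race(uattr);                   /* the only place a write can land now */
    memcpy(&kattr, uattr, sizeof kattr);
    if (kattr.size > PAGE_SIZE || kattr.size < ATTR_SIZE_MIN)
        return -EINVAL;
    return kattr.size;
}

/* constructed racing thread: flips the size to 65535 between the fetches */
static void flip_size(struct attr *uattr)
{
    uattr->size = 65535;
}

/* constructed userspace input: a 30-byte attr, as on the slides */
static struct attr make_user_attr(void)
{
    struct attr u;
    memset(&u, 0, sizeof u);
    u.size = 30;
    return u;
}

int main(void)
{
    static const char *names[] = { "unpatched", "override second fetch",
                                   "abort on change", "incremental copies" };
    for (int p = UNPATCHED; p <= INCREMENTAL_COPIES; p++) {
        struct attr u = make_user_attr();
        printf("%-22s with race: %ld\n", names[p], copy_attr(&u, (enum patch)p, flip_size));
    }
    struct attr u = make_user_attr();
    printf("%-22s with race: %ld\n", "single fetch", copy_attr_single_fetch(&u, flip_size));
    return 0;
}
```

With the race hook active, the unpatched path hands 65535 to the consumer although only 30 bytes were validated, which is the information leak the slides describe; patterns 1 and 3 keep the consumer at the checked 30 bytes, pattern 2 rejects the call when the two fetches disagree, and the single-fetch variant rejects it because its checks run on the very copy that would be used.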

Source: https://www.163wenku.com/p-4258520.html