Precise and Large-Scale Detection of "Double-Fetch" Bugs in the Kernel (course slides, .pptx)
Address space separation (A Typical Address Space Separation Scheme with a 32-bit Virtual Address Space)
On a 32-bit system the virtual address space is split in two: 0x00000000 up to 0xC0000000 (3 GB) is the user/program address space, and 0xC0000000 up to 0xFFFFFFFF (1 GB) is the kernel address space.

Single fetch (How To Do A Single Fetch?)
The running example is a kernel function that receives one user-space pointer and one kernel pointer:

    void kfunc(int __user *uptr, int *kptr)

The user-space integer behind uptr holds 0xDEADBEEF; the kernel integer behind kptr is uninitialized, and the goal is to bring the user value into the kernel.
- No dereference on user-space pointers (No Dereference on Userspace Pointers): the direct assignment `*kptr = *uptr;` is ruled out (crossed out on the slide).
- Designated user-memory access functions (Transfer Functions): the kernel fetches through a transfer function such as `copy_from_user(kptr, uptr, 4);`, after which kptr holds 0xDEADBEEF.
- Shared user-space pointer across threads (Shared Userspace Pointer Across Threads): the memory behind uptr belongs to the user process and is shared with its other threads, so they can modify it while kfunc is executing.

Why double-fetch? (Why Double-Fetch?)
The slides walk through a simplified perf_copy_attr. The comparison operators of the sanity check were lost when the slide text was extracted, so the lower bound below is a placeholder, not a value from the slides:

    static int perf_copy_attr_simplified(struct perf_event_attr __user *uattr,
                                         struct perf_event_attr *attr)
    {
        u32 size;

        /* first fetch */
        if (get_user(size, &uattr->size))
            return -EFAULT;

        /* sanity checks (lower-bound constant lost in extraction) */
        if (size > PAGE_SIZE || size < ATTR_MIN_SIZE)
            return -EFAULT;

        /* ... */

        /* second fetch */
        if (copy_from_user(attr, uattr, size))
            return -EFAULT;

        /* ... */

        /* BUG: when attr->size is used later */
        memcpy(buf, attr, attr->size);
    }

Step by step on the slide: the first fetch reads 4 bytes, uattr->size is 30, so size = 30 and the sanity checks pass. The second fetch then copies size (30) bytes of the structure into attr. The structure is fetched twice because the first fetch only needs the size field to decide how much to copy, and the second fetch copies the whole variable-length structure.

What can go wrong in this process? (What Can Go Wrong in This Process?)
- State right after the first fetch (Right After the First Fetch): size = 30 in the kernel, and uattr->size = 30 in user memory.
- Race condition in user space (Race Condition in The Userspace): between the two fetches, another user thread rewrites uattr->size from 30 to 65535. The second fetch still copies size = 30 bytes, but the copied bytes now contain attr->size = 65535.
- When exploits happen (When Exploits Happen): the later use memcpy(buf, attr, attr->size) copies 65535 bytes instead of 30, far past the 30 bytes that were actually fetched: a kernel-side information leak (Kernel information leak!).

Root cause of double-fetch bugs (Root Cause of Double-Fetch Bugs)
- The kernel wrongly assumes that, within one system call, accessing the same user-space address returns the same value (FALSE ASSUMED ATOMICITY IN SYSCALL EXECUTION).
- A double-fetch bug is in essence a mismatch between the time of check and the time of use (IN ESSENCE, A TIME-OF-CHECK-TO-TIME-OF-USE (TOCTOU) BUG).

Double-fetch is prevalent in kernels (Double-Fetch is Prevalent in Kernels); common double-fetch situations:
- Checking the size of a whole message (SIZE CHECKING)
- Looking up the object a message depends on (DEPENDENCY LOOKUP)
- Checking a protocol/signature (PROTOCOL/SIGNATURE CHECKING)
- Filling in missing information (INFORMATION GUESSING)

Case 2: dependency lookup (Case 2: Dependency Lookup). Adapted from mptctl_ioctl in file drivers/message/fusion/mptctl.c. The sequence shown on the slide: acquire the mutex lock for ioc 01; perform do_fw_download for ioc 02; release the mutex lock for ioc 01. The lock is taken for one controller while the firmware download runs on another.

Case 3: protocol/signature check (Case 3: Protocol/Signature Check). Adapted from do_tls_setsockopt_tx in file net/tls/tls_main.c.

Case 4: information guessing (Case 4: Information Guessing). Adapted from
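The size-checking double-fetch walked through on the slides, as an added example that is not part of the slides or of the detection tool they describe. It is a user-space model: get_user and copy_from_user are replaced by plain copies, and a hook called between the two fetches stands in for the racing user thread, so the outcome is deterministic. The names (attr_model, copy_attr_model, ATTR_MIN_SIZE, MODEL_PAGE_SIZE) and the size bounds are assumptions. The hardened variant shows one common mitigation, letting the already-checked value override the field brought in by the second fetch, so that later code never acts on an unchecked size.

```c
/* Added example (not from the slides): a user-space model of the
 * perf_copy_attr double-fetch.  Kernel helpers are replaced by plain
 * memcpy, and a hook called between the two fetches stands in for the
 * racing user thread, so the result is deterministic.  The bounds and
 * ATTR_MIN_SIZE are assumed values. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_PAGE_SIZE 4096u
#define ATTR_MIN_SIZE   16u   /* assumed lower bound of the sanity check */

/* Model of the user-supplied structure: size is the field fetched twice. */
struct attr_model {
    uint32_t type;
    uint32_t size;
    uint8_t  rest[MODEL_PAGE_SIZE - 8];
};

/* Called between the two fetches; models another thread of the same
 * process rewriting the shared user memory. */
typedef void (*race_hook_t)(struct attr_model *uattr);

/* Returns the length that the later memcpy(buf, attr, attr->size) would
 * use, or a negative errno when the sanity check rejects the input. */
static long copy_attr_model(struct attr_model *uattr, race_hook_t race,
                            int hardened)
{
    struct attr_model attr;      /* kernel-side copy */
    uint32_t size;

    /* first fetch: stands in for get_user(size, &uattr->size) */
    size = uattr->size;

    /* sanity checks on the first-fetched value */
    if (size > MODEL_PAGE_SIZE || size < ATTR_MIN_SIZE)
        return -EINVAL;

    /* the window in which a racing thread can change uattr->size */
    if (race)
        race(uattr);

    /* second fetch: stands in for copy_from_user(attr, uattr, size) */
    memset(&attr, 0, sizeof attr);
    memcpy(&attr, uattr, size);

    /* hardened variant: the checked value overrides whatever the second
     * fetch brought in, so later code never sees an unchecked size */
    if (hardened)
        attr.size = size;

    /* later use of attr.size: the vulnerable variant trusts the
     * re-fetched field here.  The model only reports the length the
     * memcpy would be given instead of performing it. */
    return (long)attr.size;
}

/* Racing thread: after the check passed on 30, rewrite size to 65535. */
static void rewrite_size(struct attr_model *uattr)
{
    uattr->size = 65535;
}

static void init_user_attr(struct attr_model *u, uint32_t size)
{
    memset(u, 0, sizeof *u);
    u->type = 1;
    u->size = size;
}

/* Scenario from the slides: size 30 passes the check, the race rewrites
 * it, and the later memcpy would use 65535 in the vulnerable variant. */
long scenario_with_race(int hardened)
{
    struct attr_model u;
    init_user_attr(&u, 30);
    return copy_attr_model(&u, rewrite_size, hardened);
}

/* Without a race both variants behave the same. */
long scenario_without_race(int hardened)
{
    struct attr_model u;
    init_user_attr(&u, 30);
    return copy_attr_model(&u, NULL, hardened);
}

/* The sanity check still rejects an out-of-range first fetch. */
long scenario_rejected(void)
{
    struct attr_model u;
    init_user_attr(&u, 8);
    return copy_attr_model(&u, rewrite_size, 0);
}

int main(void)
{
    printf("vulnerable, raced:   memcpy length %ld\n", scenario_with_race(0));
    printf("hardened,   raced:   memcpy length %ld\n", scenario_with_race(1));
    printf("vulnerable, no race: memcpy length %ld\n", scenario_without_race(0));
    printf("size 8 rejected:     %ld\n", scenario_rejected());
    return 0;
}
```

The second fetch copies only the 30 checked bytes, yet those bytes include the size field, which is why the vulnerable variant ends up with a length (65535) that the sanity check never saw. Overriding attr.size with the checked value is one fix; another is to validate every field after the final fetch rather than after the first one.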