2018: Precise and Large-Scale Detection of "Double-Fetch" Bugs in the Kernel (slides, PDF)

PDF, 59 pages, 1.79 MB (site document no. 95575)


Precise and Large-Scale Detection of "Double-Fetch" Bugs in the Kernel
Speaker: PhD student, School of Computer Science, Georgia Institute of Technology; member of SSLab and IISP

What is Double-Fetch?

Address Space Separation
A typical address space separation scheme with a 32-bit virtual address space:
    0xC0000000 .. 0xFFFFFFFF    kernel address space (1 GB)
    0x00000000 .. 0xC0000000    user/program address space (3 GB)

How To Do A Single Fetch?
The kernel function below receives a pointer into user space and needs the value it points to in kernel memory:
    void kfunc(int __user *uptr, int *kptr)
Before the fetch, *uptr holds the user-supplied value 0xDEADBEEF and *kptr is uninitialized.
    *kptr = *uptr;                  /* not allowed: no dereference of a userspace pointer */
    copy_from_user(kptr, uptr, 4);  /* the correct way; afterwards *kptr == 0xDEADBEEF */

Designated Userspace Memory Access Functions (Transfer Functions)
Kernel code reaches user memory only through transfer functions such as copy_from_user(kptr, uptr, 4), which copies the 0xDEADBEEF into the kernel-side *kptr.

Shared Userspace Pointer Across Threads
The memory that uptr points to belongs to the user process and is shared by all of its threads. While the kernel executes copy_from_user(kptr, uptr, 4), another user thread can write to the same address.

Why Double-Fetch?
A simplified version of the kernel's perf_copy_attr (slide excerpt; the lines between the sanity checks and the memcpy are elided on the slide):

    static int perf_copy_attr_simplified
            (struct perf_event_attr __user *uattr,
             struct perf_event_attr *attr)
    {
        u32 size;

        /* first fetch */
        if (get_user(size, &uattr->size))
            return -EFAULT;

        /* sanity checks */
        if (size > PAGE_SIZE ||
            size < ...)
        ...
        /* second fetch: the struct, including its size field, is copied from
           uattr with the checked size (copy_from_user(attr, uattr, size) in the
           kernel); attr->size is used later */
        ...
        memcpy(buf, attr, attr->size);

In the benign case the first fetch reads 4 bytes and obtains size = 30; the sanity checks pass; the second fetch copies 30 bytes of the struct, so attr->size is 30 and the later memcpy copies 30 bytes.

What Can Go Wrong in This Process?
Right after the first fetch: size = 30 has been read (4 bytes); the struct itself has not been copied yet.
Race condition in the userspace: between the two fetches, another user thread overwrites uattr->size, changing it from 30 to 65535.
Right after the second fetch: the kernel copies 30 bytes, the size it checked, but the bytes it copies now carry size = 65535, so attr->size == 65535.
When exploits happen: the later memcpy(buf, attr, attr->size) uses 65535 as its length. Kernel information leak!

Root Cause of Double-Fetch Bugs
- False assumed atomicity in syscall execution: the code wrongly assumes that two accesses to the same user address within one system call return the same result.
- In essence, a double-fetch bug is a time-of-check-to-time-of-use (TOCTOU) bug.

Double-Fetch is Prevalent in Kernels (common double-fetch scenarios)
- Size checking: check the size of the whole message first.
- Dependency lookup: look up the object that handling the message depends on.
- Protocol/signature checking.
- Information guessing: complete the information before processing it.

Case 2: Dependency Lookup
Adapted from __mptctl_ioctl in drivers/message/fusion/mptctl.c. Sequence shown on the slide: acquire the mutex lock for ioc 1, release the mutex lock for ioc 1, then perform do_fw_download for ioc 2. The adapter was looked up and locked using the iocnum from the first fetch, while the firmware download uses the iocnum from the second fetch, which may name a different adapter.

Case 3: Protocol/Signature Check
Adapted from do_tls_setsockopt_tx in net/tls/tls_main.c.

Case 4: Information Guessing
Adapted from con_font_set in drivers/tty/vt/vt.c.

Prior Works
                   Bochspwn (BlackHat 13)  DECAF (arXiv 17)     Pengfei et al. (Security 17)   Deadline (IEEE S&P 18)
    Kernel         Windows                 Linux                Linux, FreeBSD                 Linux, FreeBSD
    Analysis       Dynamic                 Dynamic              Static                         Static
    Method         VMI                     Kernel fuzzing       Lexical code matching          Symbolic execution
    Pattern        Memory access timing    Cache side channel   Size-checking code pattern     Formal definition
    Code coverage  Low                     Low                  High                           High
    Manual effort  Manual checking required to differentiate double-fetch cases from bugs      No manual checking

Double-Fetch Bugs: A Formal Definition
Fetch: a pair (A, S), where A is the starting address of the fetch and S is the size of memory copied into the kernel.
Overlapped fetch: two fetches (A0, S0) and (A1, S1) such that
    A0 <= A1 < A0 + S0  ||  A1 <= A0 < A1 + S1
- The overlapped memory region is marked (A01, S01).
- The content copied in by the first fetch is marked (A01, S01, 0); the content copied in by the second fetch is marked (A01, S01, 1).
Intuitive (but imprecise) definition of a double-fetch bug: (A01, S01, 0) != (A01, S01, 1).

Control dependence (example from the TLS case): expectation for V after the second fetch: version = TLS_1_2_VERSION.

Data dependence: a variable V in (A01, S01) is consumed before or on the second fetch (e.g., involved in a calculation, passed to a function call, etc.).
Example from the mptctl case:
    Overlapped variable V: khdr.iocnum
    Statement where V is consumed: mpt_verify_adapter(khdr.iocnum, &iocp)
    Expectation for V after the second fetch: kfwdl.iocnum = khdr.iocnum

A double-fetch bug requires all three of the following:
1. Two fetches from userspace memory that cover an overlapped region.
2. A relation exists on the overlapped region between the two fetches; the relation can be a control dependence, a data dependence, or both.
3. We cannot prove that the relation established after the first fetch still holds after the second fetch.
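The overlap criterion above, applied to a recorded list of fetches, as an added example that is not code from the slides or from Deadline. It encodes a fetch as the pair (A, S), tests the slide's condition A0 <= A1 < A0+S0 || A1 <= A0 < A1+S1, computes the overlapped region (A01, S01), and pairs every fetch in a trace with each earlier one; the addresses, the three-fetch trace and the helper names are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A fetch is the slide's pair (A, S): start address and bytes copied into the
 * kernel. Addresses here are plain integers, not real user pointers. */
typedef struct { uintptr_t a; size_t s; } fetch_t;
typedef fetch_t region_t;                 /* the overlapped region (A01, S01) */

/* The slide's overlap condition:  A0 <= A1 < A0+S0  ||  A1 <= A0 < A1+S1 */
bool fetches_overlap(fetch_t f0, fetch_t f1)
{
    if (f0.s == 0 || f1.s == 0)
        return false;                     /* a zero-length fetch copies nothing */
    return (f0.a <= f1.a && f1.a < f0.a + f0.s) ||
           (f1.a <= f0.a && f0.a < f1.a + f1.s);
}

/* (A01, S01): the intersection of the two address ranges; (0, 0) if disjoint. */
region_t overlapped_region(fetch_t f0, fetch_t f1)
{
    region_t r = { 0, 0 };
    if (!fetches_overlap(f0, f1))
        return r;
    uintptr_t lo  = f0.a > f1.a ? f0.a : f1.a;
    uintptr_t hi0 = f0.a + f0.s, hi1 = f1.a + f1.s;
    uintptr_t hi  = hi0 < hi1 ? hi0 : hi1;
    r.a = lo;
    r.s = (size_t)(hi - lo);
    return r;
}

/* A candidate pair: indices of the two fetches in program order plus (A01, S01). */
typedef struct { int first, second; region_t r; } pair_t;

/* Pair every fetch with each earlier fetch of the trace and keep the pairs that
 * satisfy criterion 1 of the definition. Returns the number of such pairs and
 * stores up to max_out of them in out[]. */
int collect_overlapped_pairs(const fetch_t *trace, int n, pair_t *out, int max_out)
{
    int found = 0;
    for (int j = 1; j < n; j++)
        for (int i = 0; i < j; i++)
            if (fetches_overlap(trace[i], trace[j])) {
                if (found < max_out) {
                    out[found].first  = i;
                    out[found].second = j;
                    out[found].r      = overlapped_region(trace[i], trace[j]);
                }
                found++;
            }
    return found;
}

/* Constructed trace modelled on the perf_copy_attr slide: the user struct sits
 * at the made-up address 0x10000 with its 4-byte size field at offset 4; the
 * first fetch reads the size field, the second copies 30 bytes of the struct,
 * and a third fetch reads an unrelated 16-byte object. */
int demo_perf_trace(void)
{
    fetch_t trace[] = { { 0x10004, 4 }, { 0x10000, 30 }, { 0x20000, 16 } };
    pair_t pairs[4];
    int n = collect_overlapped_pairs(trace, 3, pairs, 4);
    for (int k = 0; k < n; k++)
        printf("fetch %d and fetch %d overlap: A01=0x%lx S01=%zu\n",
               pairs[k].first, pairs[k].second,
               (unsigned long)pairs[k].r.a, pairs[k].r.s);
    return n;
}

int main(void)
{
    return demo_perf_trace() == 1 ? 0 : 1;   /* expects exactly one overlapped pair */
}
```

On the constructed trace only the size fetch and the struct fetch overlap, with (A01, S01) = (0x10004, 4), which is exactly the 4-byte size field that the slide's race rewrites. An overlapped pair is a candidate only; criteria 2 and 3 (the dependence and the failed proof) are what the symbolic check decides.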

How to Find Double-Fetch Bugs?
1. Find as many fetch pairs as possible and construct the code path associated with each pair.
2. Symbolically execute each code path and decide whether the two fetches make a double-fetch bug.

Fetch Pair Collection
Goal: statically enumerate all pairs of fetches that could possibly occur while executing one system call.

Start from a fetch:
    static int enclosing_function(struct msg_hdr __user *uptr, struct msg_full *kptr)
    {
        u32 size;
        ...
        if (copy_from_user(kptr, uptr, size))
            return -EFAULT;
        ...
    }

Search backwards through the reaching instructions. There are three outcomes:

Case 1: another fetch is found
        if (get_user(size, &uptr->size))
            return -EFAULT;
        if (copy_from_user(kptr, uptr, size))
            return -EFAULT;

Case 2: a fetch-involved function is found
        size = get_size_from_user(uptr);
        if (copy_from_user(kptr, uptr, size))
            return -EFAULT;

Case 3: no fetch-related instruction is found, so this fetch has no partner.

Symbolic Checking
Goal: symbolically execute the code path that connects the two fetches and determine whether the two fetches satisfy all the criteria set in the formal definition of a double-fetch bug. The slides step through one example over several animation steps; the paper contains a more complex case that shows how Deadline handles loop unrolling and pointer resolving.

Findings
1. 24 bugs found in total: 23 in the Linux kernel and 1 in the FreeBSD kernel.
2. 10 bugs have been patched with the fix we provided.
3. 5 bugs are acknowledged by the maintainers; the fix is still being worked on and has not been released.
4. 7 bugs are pending review.
5. 2 bugs are marked as "won't fix".

Patching Double-Fetch Bugs
1. Override the second fetch with the content of the first fetch.
2. Abort on change detected: check whether the contents of the two fetches agree.
3. Refactor overlapped copies into incremental copies.
4. Refactor overlapped copies into a single fetch.
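The perf_copy_attr race from the earlier slides and the four patch patterns above, as an added example that is neither the slides' code nor kernel code from the Deadline work. It is a user-space model: struct attr, MAX_SIZE and the model_* transfer functions are constructed stand-ins for perf_event_attr, PAGE_SIZE, get_user and copy_from_user, and the racing user thread is replaced by a callback invoked between the two fetches so that every run is deterministic. Each variant returns the byte count the function would later trust (the length of the slide's memcpy(buf, attr, attr->size)) or a negative errno; the errno chosen for the abort-on-change pattern is our own choice.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the struct exchanged with user space: a size field followed by
 * payload (a constructed stand-in for struct perf_event_attr). */
struct attr {
    uint32_t size;
    uint8_t  payload[60];
};

/* Plays the role of PAGE_SIZE in the slide's sanity check; in this model the
 * kernel-side buffer is exactly one struct attr, so that is the hard bound. */
#define MAX_SIZE ((uint32_t)sizeof(struct attr))

/* Stand-ins for the kernel transfer functions: "user memory" is just another
 * buffer in this process, so they never fault. */
static int model_get_user(uint32_t *dst, const uint32_t *usrc) { memcpy(dst, usrc, 4); return 0; }
static int model_copy_from_user(void *dst, const void *usrc, size_t n) { memcpy(dst, usrc, n); return 0; }

/* A callback run between the two fetches stands in for a second user thread
 * writing to the shared buffer; it inflates size to the slide's 65535. */
typedef void (*racer_fn)(struct attr *user);
void racer_inflate_size(struct attr *user) { user->size = 65535; }

/* Fresh user-side input: size = 30 as on the slide, payload filled with 'A'. */
struct attr fresh_user_attr(void) { struct attr u; memset(&u, 'A', sizeof u); u.size = 30; return u; }

/* The slide's sanity check, against this model's bound. */
static int sane(uint32_t size) { return size >= sizeof(uint32_t) && size <= MAX_SIZE; }

/* Vulnerable shape from the slide: check size, re-fetch the struct (size field
 * included), then trust attr->size. */
int copy_attr_vulnerable(struct attr *uattr, struct attr *attr, racer_fn racer)
{
    uint32_t size;
    if (model_get_user(&size, &uattr->size)) return -EFAULT;     /* first fetch  */
    if (!sane(size)) return -EINVAL;                              /* sanity check */
    if (racer) racer(uattr);                                      /* race window  */
    if (model_copy_from_user(attr, uattr, size)) return -EFAULT;  /* second fetch */
    return (int)attr->size;                                       /* used later   */
}

/* Pattern 1: override the second fetch with the value that passed the check. */
int copy_attr_override(struct attr *uattr, struct attr *attr, racer_fn racer)
{
    uint32_t size;
    if (model_get_user(&size, &uattr->size)) return -EFAULT;
    if (!sane(size)) return -EINVAL;
    if (racer) racer(uattr);
    if (model_copy_from_user(attr, uattr, size)) return -EFAULT;
    attr->size = size;            /* whatever user space wrote meanwhile is dropped */
    return (int)attr->size;
}

/* Pattern 2: abort when the two copies disagree (errno value is our choice). */
int copy_attr_abort_on_change(struct attr *uattr, struct attr *attr, racer_fn racer)
{
    uint32_t size;
    if (model_get_user(&size, &uattr->size)) return -EFAULT;
    if (!sane(size)) return -EINVAL;
    if (racer) racer(uattr);
    if (model_copy_from_user(attr, uattr, size)) return -EFAULT;
    if (attr->size != size) return -EINVAL;
    return (int)attr->size;
}

/* Pattern 3: incremental copies; the second fetch starts after the size field,
 * so the two fetches no longer overlap and only the checked size exists. */
int copy_attr_incremental(struct attr *uattr, struct attr *attr, racer_fn racer)
{
    uint32_t size;
    if (model_get_user(&size, &uattr->size)) return -EFAULT;
    if (!sane(size)) return -EINVAL;
    if (racer) racer(uattr);
    attr->size = size;
    if (model_copy_from_user(attr->payload, uattr->payload, size - sizeof(uint32_t)))
        return -EFAULT;
    return (int)attr->size;
}

/* Pattern 4: one bounded fetch, then validate the kernel copy. There is no
 * window between check and use, so the racer can only run before the fetch. */
int copy_attr_single_fetch(struct attr *uattr, struct attr *attr, racer_fn racer)
{
    if (racer) racer(uattr);
    if (model_copy_from_user(attr, uattr, sizeof *attr)) return -EFAULT;
    if (!sane(attr->size)) return -EINVAL;
    return (int)attr->size;
}

int main(void)
{
    struct attr u = fresh_user_attr(), k;
    printf("vulnerable, raced: %d (the check passed on 30)\n", copy_attr_vulnerable(&u, &k, racer_inflate_size));
    u = fresh_user_attr();
    printf("abort on change, raced: %d\n", copy_attr_abort_on_change(&u, &k, racer_inflate_size));
    return 0;
}
```

With the racer active the vulnerable variant returns 65535 even though only 30 was ever checked, which is the slide's information-leak condition; override and incremental return the checked 30, abort-on-change and single-fetch reject the input, and without a racer every variant returns 30.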

Generic Patch for Double-Fetch Bugs
Unfortunately, not all double-fetch bugs can be patched with these patterns. Some require heavy refactoring of the existing code base or a redesign of the structs used to pass information, which takes substantial manual effort.
Recently, DECAF has provided a promising solution: using Intel TSX-based techniques to ensure that userspace memory accesses within one syscall execution are atomic.

Conclusion
- A precise and formal definition matters for finding logic bugs: detecting double-fetch bugs without one has led to many false alerts and tremendous manual effort.
- Application beyond kernels: our system, Deadline, can detect the same class of bug in hypervisors, browsers, TEEs, etc., where we believe similar bugs exist.
- Logic bugs are on the rise! After memory-safety bugs, logic bugs deserve attention of their own; we hope that more logic bugs can be modeled and checked systematically.

Thank you!
