Don't be BlindSided: Watch speculative memory probing bypass kernel defenses, give malware root control

Silently side-step software safeguards


Video Boffins in America, the Netherlands, and Switzerland have devised a Spectre-style attack on modern processors that can defeat defenses that are supposed to stop malicious software from hijacking a computer's operating system. The end result is exploit code able to bypass a crucial protection mechanism and take over a device to hand over root access.

That's a lot to unpack so we'll start from the top. Let's say you find a security vulnerability, such as a buffer overflow, in the kernel of an OS like Linux. Your aim is to use this programming flaw to execute code within the kernel so that you can take over the whole machine or device. One way to do this, and sidestep things like stack cookies and the prevention of data execution, is to use return-orientated programming (ROP). This involves chaining together snippets of instruction sequences in the kernel to form an ad-hoc program that does whatever you want: hand control of the machine to you, for example.

To thwart ROP-based exploits, a defense called Address Space Layout Randomization (ASLR) was devised some years back that, as the name suggests, randomizes the locations of an application or operating system kernel's code and libraries in memory. That makes it difficult to write working ROP exploits as the snippets of code they need aren't in their expected locations; they are randomly placed during boot. Some information needs to be leaked from the kernel that reveals the current layout of its components in RAM. If a ROP exploit just guesses the kernel's layout and is wrong, it will trigger a crash, and this can be detected and acted on by an administrator.

Enter Spectre. This is the family of vulnerabilities that can be exploited by malware or a rogue user to obtain secret, privileged information – such as passwords and keys – by taking advantage of speculative execution, which is when a processor performs an operation before it's needed and either retains or tosses the result, depending on the processor instructions ultimately executed.

What the team say they've done is designed a Spectre-style technique that can silently speculatively probe memory to determine the location of the kernel's parts without triggering a crash. And that makes a blind return-oriented programming (BROP) attack possible, bypassing any ASLR in the way.

Hijack merchant

The technique, dubbed BlindSide, is explained in a paper [PDF] by Enes Göktaş and Georgios Portokalidis (Stevens Institute of Technology), Herbert Bos and Cristiano Giuffrida (Vrije Universiteit Amsterdam), and Kaveh Razavi (ETH Zürich). Scheduled to be presented at the ACM Conference on Computer and Communications Security (CCS) 2020, it involves memory-corruption-based speculative control-flow hijacking.

"Using speculative execution for crash suppression allows the elevation of basic memory write vulnerabilities into powerful speculative probing primitives that leak through microarchitectural side effects," the paper stated. "Such primitives can repeatedly probe victim memory and break strong randomization schemes without crashes and bypass all deployed mitigations against Spectre-like attacks."

The basic memory write vulnerability in this case was a heap buffer overflow patched some time ago in the Linux kernel (CVE-2017-7308). But the boffins insist other vulnerabilities that provide access to a write primitive, such as CVE-2017-1000112, CVE-2017-7294, and CVE-2018-5332, would work too. So to be clear: you need to find an unpatched hole in the kernel, get some kind of code execution on the machine in question, and then deploy the BROP technique with an exploit to gain root privileges.

The boffins show that they can break KASLR (Kernel ASLR) to run an ROP exploit; leak the root password hash; and undo fine-grained randomization (FGR) and kernel execute-only memory (XoM) protections to access the entire kernel text and perform an ROP exploit.

A video of one such attack shows that the technique takes a few minutes, but does manage to elevate the user to root privileges:

Youtube Video

The computer scientists confirmed their technique on Linux kernel version 4.8.0 compiled with gcc and all mitigations enabled on a machine with an Intel Xeon E3-1270 v6 processor clocked at 3.80GHz with 16GB of RAM.

They also did so on Linux kernel version 5.3.0-40-generic with all the mitigations (e.g., Retpoline) enabled on an Intel i7-8565U chip (Whiskey Lake) with the microcode update for the IBPB, IBRS and STIBP mitigations. What's more, the technique worked on Intel Xeon E3-1505M v5, Xeon E3-1270 v6 and Core i9-9900K CPUs (Skylake, Kaby Lake, and Coffee Lake) and on AMD Ryzen 7 2700X and Ryzen 7 3700X CPUs (Zen+ and Zen2).

"Overall, our results confirm speculative probing is effective on a modern Linux system on different microarchitectures, hardened with the latest mitigations," the paper stated.

Potential mitigations involve preventing, detecting, and hindering speculative probing, but none of these approaches, the authors suggest, can deal with the issue very well. Intel and AMD did not immediately respond to requests for comment. ®


Other stories you might like

  • Experts: AI should be recognized as inventors in patent law
    Plus: Police release deepfake of murdered teen in cold case, and more

    In-brief Governments around the world should pass intellectual property laws that grant rights to AI systems, two academics at the University of New South Wales in Australia argued.

    Alexandra George, and Toby Walsh, professors of law and AI, respectively, believe failing to recognize machines as inventors could have long-lasting impacts on economies and societies. 

    "If courts and governments decide that AI-made inventions cannot be patented, the implications could be huge," they wrote in a comment article published in Nature. "Funders and businesses would be less incentivized to pursue useful research using AI inventors when a return on their investment could be limited. Society could miss out on the development of worthwhile and life-saving inventions."

    Continue reading
  • Declassified and released: More secret files on US govt's emergency doomsday powers
    Nuke incoming? Quick break out the plans for rationing, censorship, property seizures, and more

    More papers describing the orders and messages the US President can issue in the event of apocalyptic crises, such as a devastating nuclear attack, have been declassified and released for all to see.

    These government files are part of a larger collection of records that discuss the nature, reach, and use of secret Presidential Emergency Action Documents: these are executive orders, announcements, and statements to Congress that are all ready to sign and send out as soon as a doomsday scenario occurs. PEADs are supposed to give America's commander-in-chief immediate extraordinary powers to overcome extraordinary events.

    PEADs have never been declassified or revealed before. They remain hush-hush, and their exact details are not publicly known.

    Continue reading
  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading

Biting the hand that feeds IT © 1998–2022