Transcript of Anıl Kurmuş pacsec3
Page 1
A filesystem attack vector for backdoors, rowhammer-like attacks, and more.
Anil Kurmus
with Nikolas Ioannou, Matthias Neugschwandtner, Nikolaos Papandreou and Thomas Parnell
IBM Research - Zurich
Page 2: This talk
Introduces filesystem tricks that can be used in two attack scenarios (on ext3):
1. Persistence without tampering with binaries/config
2. Privilege escalation assuming rowhammer-like attacks on storage media
Page 3: Outline
1. Indirect block manipulation on ext3
2. Persistence backdoor
3. Privesc for rowhammer-like attacks
Page 4: Primer on ext3
... and similar indirect-block-based filesystems
Page 5: Inodes
Page 6: Indirect blocks
Page 7: Indirect block manipulation
Page 8
It's a pointer... we can and should corrupt it!
Page 9: Application #1
Page 10: Persistence backdoor
Implant a backdoor to persist root access across reboots without modifying system files, binaries or config files.
Page 11: Threat model
Assume the attacker has raw disk access (root access).
Page 12: Idea
Create a "backdoor" file.
Update its inode: the indirect block points to the inode table.
Persistence achieved!
Page 13: On reboot
Write into the "backdoor" file.
This updates the inode of another file: for example a shell.
Get root by creating a suid-root shell.
Done!
Page 14: Live demo
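An added example (written for this page, not code from the talk or the WOOT paper) that models the mechanics of pages 12 and 13 in Python: a toy in-memory "disk" with an ext3-style inode table, a backdoor inode whose single-indirect block is redirected at that table, and a write path that resolves file offsets through the pointers the way the kernel walks i_block. The layout constants (1 KiB blocks, 128-byte inodes, inode table in blocks 4 to 7, inode numbers 20 and 21, data blocks 30 and 40) are constructed assumptions, not values from the talk; the inode field offsets and the direct/indirect pointer scheme are the real ext2/ext3 ones.

```python
"""Toy model of the ext3 persistence backdoor (added example, not from the talk).

The 'disk' is a bytearray; only what the attack needs is modelled:
an inode has 12 direct block pointers plus one single-indirect pointer,
the single-indirect block is an array of little-endian u32 block numbers,
and the kernel turns a file offset into a physical block through those
pointers without checking that the target is a data block.
"""
import struct

BLOCK_SIZE = 1024            # assumed: ext3 with 1 KiB blocks
INODE_SIZE = 128             # assumed: classic 128-byte inodes
NDIRECT = 12                 # direct pointers in an ext2/ext3 inode (real layout)
PTRS_PER_BLOCK = BLOCK_SIZE // 4
INODES_PER_BLOCK = BLOCK_SIZE // INODE_SIZE   # 8

N_BLOCKS = 64                # constructed toy layout: one block group
INODE_TABLE_START = 4        # inode table occupies blocks 4..7 (32 inodes)
disk = bytearray(N_BLOCKS * BLOCK_SIZE)

S_IFREG, S_ISUID = 0o100000, 0o4000


def inode_offset(ino):
    """Byte offset on disk of inode number ino (1-based, single group)."""
    idx = ino - 1
    block = INODE_TABLE_START + idx // INODES_PER_BLOCK
    return block * BLOCK_SIZE + (idx % INODES_PER_BLOCK) * INODE_SIZE


def write_inode(ino, mode, uid, gid, blocks):
    """Real ext2 inode field offsets: i_mode@0, i_uid@2, i_gid@24, i_block@40 (15 x u32)."""
    off = inode_offset(ino)
    struct.pack_into("<HH", disk, off, mode, uid)
    struct.pack_into("<H", disk, off + 24, gid)
    blocks = list(blocks) + [0] * (15 - len(blocks))
    struct.pack_into("<15I", disk, off + 40, *blocks)


def read_inode(ino):
    off = inode_offset(ino)
    mode, uid = struct.unpack_from("<HH", disk, off)
    gid, = struct.unpack_from("<H", disk, off + 24)
    blocks = list(struct.unpack_from("<15I", disk, off + 40))
    return {"mode": mode, "uid": uid, "gid": gid, "blocks": blocks}


def bmap(ino, logical):
    """Logical file block -> physical block, following i_block like the kernel does."""
    blocks = read_inode(ino)["blocks"]
    if logical < NDIRECT:
        return blocks[logical]
    logical -= NDIRECT
    if logical < PTRS_PER_BLOCK:
        ind = blocks[NDIRECT]            # single-indirect block number
        return struct.unpack_from("<I", disk, ind * BLOCK_SIZE + 4 * logical)[0]
    raise ValueError("double/triple indirect blocks are not modelled")


def file_write(ino, offset, data):
    """pwrite() into the file: every byte lands wherever bmap() resolves its block."""
    for i, b in enumerate(data):
        pos = offset + i
        phys = bmap(ino, pos // BLOCK_SIZE)
        disk[phys * BLOCK_SIZE + pos % BLOCK_SIZE] = b


def backdoor_offset(target_ino, slot=0):
    """File offset in the backdoor file that aliases inode target_ino, given that
    pointer `slot` of the backdoor's indirect block points at the inode-table
    block holding that inode. Offset 0 inside the inode is i_mode."""
    idx = target_ino - 1
    logical = NDIRECT + slot
    return logical * BLOCK_SIZE + (idx % INODES_PER_BLOCK) * INODE_SIZE


def plant_and_trigger():
    """Pages 12-13: plant with raw disk access, trigger later with an ordinary write."""
    SHELL_INO, BACKDOOR_INO = 20, 21      # assumed inode numbers
    # victim: a root-owned copy of a shell, data in block 30
    write_inode(SHELL_INO, S_IFREG | 0o755, 0, 0, [30])
    # planting (needs raw disk access): indirect block 40 of the backdoor file
    # gets slot 0 pointed at the inode-table block that holds inode 20
    table_block = INODE_TABLE_START + (SHELL_INO - 1) // INODES_PER_BLOCK
    struct.pack_into("<I", disk, 40 * BLOCK_SIZE, table_block)
    write_inode(BACKDOOR_INO, S_IFREG | 0o666, 1000, 1000, [0] * NDIRECT + [40])
    # trigger (unprivileged): write two bytes into the backdoor file at the
    # aliasing offset; they overwrite i_mode of the shell's inode -> setuid root
    new_mode = S_IFREG | S_ISUID | 0o755
    file_write(BACKDOOR_INO, backdoor_offset(SHELL_INO), struct.pack("<H", new_mode))
    return read_inode(SHELL_INO)


if __name__ == "__main__":
    print(oct(plant_and_trigger()["mode"]))   # 0o104755: setuid root shell
```

The model deliberately ignores caching: on a real kernel the aliased write goes out through the backdoor file's page cache, while the inode table is read through the block device's buffer cache, so the flipped mode bits are only seen once the kernel re-reads that inode block (which is why the slides trigger the write after a reboot). It also shows why this counts as persistence without touching binaries or config: the shell's data block 30 and the backdoor file's contents are never modified, only a block pointer in metadata.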
Page 15: Application #2
Page 16: Flash primer
Page 17: Flash weaknesses
Program/erase wear
Charge loss over time
Cell-to-cell interference
Read disturb
All of these have been demonstrated and characterized.
Page 18: Cell-to-cell interference
Page 19: Mitigations
Scrambler
Block allocation/wear leveling
Error correcting codes (ECC)
Implemented in SSDs.
Page 20: Flash storage layers
1. Flash chip
2. Flash controller
3. SSD controller
4. OS (filesystem/driver)
5. User
Page 21: A path to rowhammer-like attacks on flash
1. Flash chip: cell-to-cell interference.
2. Flash controller: scrambler and ECC bypass.
3. SSD controller: wear leveling and block placement algorithm.
4. OS: filesystem caching and error detection bypass.
5. User: privilege escalation payload.
Page 22: Prior work
1. [Flash chip: cell-to-cell interference.]
2. Flash controller: [scrambler] and ECC bypass.
3. SSD controller: wear leveling and block placement algorithm.
4. OS: filesystem caching and error detection bypass.
5. User: privilege escalation payload.
Page 23: Our WOOT paper
1. Flash chip: cell-to-cell interference.
2. Flash controller: scrambler and ECC bypass.
3. SSD controller: wear leveling and block placement algorithm.
4. OS: filesystem caching and error detection bypass.
5. User: privilege escalation payload.
Page 24: Flash ECC
Long codewords (e.g., >1 KB)
High correction capability (e.g., >50 bits)
Pages 25-28: Codewords
Extremely difficult to achieve this!
Page 29: The filesystem attack
Assumes:
Attacker can corrupt a chosen block
with random contents (a weaker assumption than controlled writes)
ext3 filesystem
Page 30: Filesystem attack
Main idea:
Cause corruption of an indirect block
Good chance one pointer points to the inode table
Overwrite an inode to set the SUID bit on a root-owned file
Elevate by executing the SUID-root shell
Page 31: Inodes, indirect blocks
Page 32: Indirect block corruption
Page 33: Overwrite inode entries
Page 35: Improved attack
Uses the double indirect block instead
Achieves full filesystem read/write
99% success
Page 36: Limitations & Mitigations
Unclear whether applicable beyond ext3
Data integrity checks prevent the attack (ZFS)
More in the paper
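Both attacks on this page (the planted backdoor and the random corruption of an indirect block) leave the same on-disk trace: an indirect block pointer that lands on filesystem metadata or outside the filesystem. The following is an added example, written for this page and not code from the talk or the paper, of a forensic check for that trace in Python. It parses the ext2/ext3 superblock and group descriptor fields at their real on-disk offsets, builds the list of primary metadata block ranges, and flags indirect-block slots that alias them. The superblock, group descriptor and indirect block bytes are constructed inline (a 1 KiB-block, single-group layout with the inode table at blocks 5 to 260); no image is read, and backup superblock/GDT copies in later groups are not modelled.

```python
"""Flag indirect-block pointers that alias ext2/ext3 metadata (added example)."""
import struct

EXT2_SUPER_MAGIC = 0xEF53
GD_SIZE = 32                      # ext2/ext3 group descriptor size (real layout)


def parse_superblock(sb):
    """The fields this check needs, at their ext2/ext3 on-disk offsets."""
    magic, = struct.unpack_from("<H", sb, 56)
    if magic != EXT2_SUPER_MAGIC:
        raise ValueError("not an ext2/ext3 superblock")
    inodes_count, blocks_count = struct.unpack_from("<II", sb, 0)
    first_data_block, log_block_size = struct.unpack_from("<II", sb, 20)
    blocks_per_group, = struct.unpack_from("<I", sb, 32)
    inodes_per_group, = struct.unpack_from("<I", sb, 40)
    rev_level, = struct.unpack_from("<I", sb, 76)
    inode_size = struct.unpack_from("<H", sb, 88)[0] if rev_level >= 1 else 128
    return dict(blocks_count=blocks_count, block_size=1024 << log_block_size,
                first_data_block=first_data_block, blocks_per_group=blocks_per_group,
                inodes_per_group=inodes_per_group, inode_size=inode_size)


def parse_group_desc(gd):
    block_bitmap, inode_bitmap, inode_table = struct.unpack_from("<III", gd, 0)
    return dict(block_bitmap=block_bitmap, inode_bitmap=inode_bitmap, inode_table=inode_table)


def metadata_ranges(sb, gds):
    """[(first_block, last_block_inclusive, label)] for primary metadata.
    Assumption: no backup superblocks/GDT copies are modelled."""
    bs = sb["block_size"]
    first = sb["first_data_block"]
    ranges = [(first, first, "superblock")]
    gdt_blocks = (len(gds) * GD_SIZE + bs - 1) // bs
    ranges.append((first + 1, first + gdt_blocks, "group descriptor table"))
    table_blocks = (sb["inodes_per_group"] * sb["inode_size"] + bs - 1) // bs
    for g, gd in enumerate(gds):
        ranges.append((gd["block_bitmap"], gd["block_bitmap"], f"block bitmap (group {g})"))
        ranges.append((gd["inode_bitmap"], gd["inode_bitmap"], f"inode bitmap (group {g})"))
        ranges.append((gd["inode_table"], gd["inode_table"] + table_blocks - 1,
                       f"inode table (group {g})"))
    return ranges


def suspicious_pointers(indirect_block, sb, ranges):
    """Slots whose pointer is out of range or inside metadata. Zero is a hole."""
    n = len(indirect_block) // 4
    hits = []
    for slot, blk in enumerate(struct.unpack_from(f"<{n}I", indirect_block, 0)):
        if blk == 0:
            continue
        if blk >= sb["blocks_count"]:
            hits.append((slot, blk, "out of range"))
            continue
        for lo, hi, label in ranges:
            if lo <= blk <= hi:
                hits.append((slot, blk, label))
                break
    return hits


def build_sample():
    """Constructed sample: 1 KiB blocks, 8192 blocks, one group, 2048 inodes."""
    sb = bytearray(1024)
    struct.pack_into("<II", sb, 0, 2048, 8192)        # s_inodes_count, s_blocks_count
    struct.pack_into("<II", sb, 20, 1, 0)             # s_first_data_block, s_log_block_size
    struct.pack_into("<I", sb, 32, 8192)              # s_blocks_per_group
    struct.pack_into("<I", sb, 40, 2048)              # s_inodes_per_group
    struct.pack_into("<H", sb, 56, EXT2_SUPER_MAGIC)  # s_magic
    struct.pack_into("<I", sb, 76, 1)                 # s_rev_level (dynamic)
    struct.pack_into("<H", sb, 88, 128)               # s_inode_size
    gd = bytearray(GD_SIZE)
    struct.pack_into("<III", gd, 0, 3, 4, 5)          # block bitmap, inode bitmap, inode table
    # indirect block: two honest data pointers, one into the inode table, a hole,
    # one past the end of the filesystem, one onto the block bitmap
    ind = struct.pack("<6I", 300, 301, 7, 0, 9000, 3) + bytes(1024 - 24)
    return bytes(sb), bytes(gd), ind


def scan_sample():
    sb_raw, gd_raw, ind = build_sample()
    sb = parse_superblock(sb_raw)
    ranges = metadata_ranges(sb, [parse_group_desc(gd_raw)])
    return suspicious_pointers(ind, sb, ranges)


if __name__ == "__main__":
    for slot, blk, why in scan_sample():
        print(f"slot {slot}: block {blk} -> {why}")
```

On a real image the same functions take the 1024-byte superblock at byte offset 1024 and the group descriptors from the block after it, and the indirect blocks come from walking i_block[12] (single), i_block[13] (double) and i_block[14] (triple) of every in-use inode. e2fsck performs the equivalent check and reports such blocks in pass 1b as multiply-claimed by a file and filesystem metadata; a checksumming filesystem like ZFS, which the slide names, detects the corrupted block on read before any pointer in it is followed.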
Page 37: Conclusion 1/2
Random corruption of a chosen block implies privilege escalation with high probability on ext3.
There is a path to rowhammer-like attacks on SSDs, but none has been demonstrated yet.
This is one piece of the puzzle: the filesystem part.
Page 38: Conclusion 2/2
The technique is nevertheless applicable in other domains:
persistence without modifying binaries/config files
active attacks against XTS encryption? (future work!)
We can do neat attacks by manipulating fs pointers!