Just a few days ago I had a blast again at this year’s Black Hat. Some of the talks were really worth listening to, so I wanted to point them out and give a short summary.
USING UNDOCUMENTED CPU BEHAVIOR TO SEE INTO KERNEL MODE AND BREAK KASLR IN THE PROCESS – Anders Fogh & Daniel Gruss
They had the last slot on the last day of Black Hat, which resulted in a rather empty room, but in my opinion it was an awesome talk and I even had the pleasure of meeting these two guys at our ERNW dinner.
The talk was about a very oddly documented Intel instruction, PREFETCH, which neither checks for privileges nor throws exceptions:
Quote from the Intel manual:
“Using the PREFETCH instruction is recommended only if data does not fit in cache. Use of software prefetch should be limited to memory addresses that are managed or owned within the application context. Prefetching to addresses that are not mapped to physical pages can experience non-deterministic performance penalty. For example specifying a NULL pointer (0L) as address for a prefetch can cause long delays.”
With this in mind, they tested whether there are timing differences between prefetching a kernel-space address where the kernel is actually loaded and prefetching a non-allocated address in kernel memory space (which would otherwise cause a memory read exception). Prefetching valid, allocated memory was significantly faster, so they could use this instruction as a side-channel attack vector to break KASLR. One more interesting fact is that they operate on physical memory addresses, which can be used for Rowhammer (https://users.ece.cmu.edu/~yoonguk/papers/kim-isca14.pdf), and they will present their papers on Rowhammer on ARM at USENIX (https://gruss.cc/). Can't wait to see the first Rowhammer-based jailbreak on mobile devices soon :).
The second talk I can highlight was “DEMYSTIFYING THE SECURE ENCLAVE PROCESSOR” by Tarjei Mandt, Mathew Solnik and David Wang
I already knew Tarjei Mandt's previous research on kernel exploitation, so I had to watch his new project.
This year they presented a deeper look into Apple's Secure Enclave Processor (SEP). Much of the talk was about lifting the fog around the more or less undocumented SEP. They first analyzed the hardware design and the iBoot process. Next came a closer look at the communication between the kernel and the SEP interfaces, where they explained the mailbox mechanism in more detail. They also looked at the SEP's own operating system, called SEPOS, and reverse engineered some of its drivers and applications.
While reversing SEPOS they found quite a few funny characteristics, such as the privilege check:
    if ( ( name >= 'A ' ) && ( name <= 'ZZZZ' ) )
        privileged = 1;
or the fact that they implemented stack cookies, but with the static value "GARD", which is… well… semi-effective.
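To make clear why a numeric range check over a name tag is such a weak privilege check, here is an added C example. It is my own illustration, not code from the talk or from SEPOS: it packs four-character names the way GCC and Clang evaluate multi-character constants such as 'ZZZZ' (first character in the most significant byte, an assumption since the slides do not show how SEPOS represents names), runs the quoted range check against some constructed names, counts how many all-uppercase four-letter names it accepts, and contrasts it with an explicit allowlist whose entries ("PRIV", "ADMN") are placeholders.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pack up to four characters into an integer the way GCC/Clang evaluate a
 * multi-character constant such as 'ZZZZ': first character in the most
 * significant position. Whether SEPOS packs names exactly like this is an
 * assumption made for this example. */
static uint32_t name_tag(const char *s)
{
    uint32_t v = 0;
    for (size_t i = 0; i < 4 && s[i] != '\0'; i++)
        v = (v << 8) | (uint8_t)s[i];
    return v;
}

/* The check as quoted from the talk: 'A ' is a two-character constant
 * (0x4120) and 'ZZZZ' a four-character one (0x5A5A5A5A), so the test is a
 * plain integer range comparison, not a comparison against known names. */
static int privileged_range_check(uint32_t name)
{
    return (name >= name_tag("A ")) && (name <= name_tag("ZZZZ"));
}

/* Every name built from four uppercase letters lies inside that range;
 * this counts them to show how wide the "privileged" set really is. */
static unsigned long count_uppercase_names_passing(void)
{
    unsigned long n = 0;
    char s[5] = { 0 };
    for (s[0] = 'A'; s[0] <= 'Z'; s[0]++)
        for (s[1] = 'A'; s[1] <= 'Z'; s[1]++)
            for (s[2] = 'A'; s[2] <= 'Z'; s[2]++)
                for (s[3] = 'A'; s[3] <= 'Z'; s[3]++)
                    n += (unsigned long)privileged_range_check(name_tag(s));
    return n;
}

/* Hardened alternative: privilege is granted only to names on an explicit
 * allowlist. The two entries are constructed placeholders for this example,
 * not real SEPOS application names. */
static const char *const privileged_names[] = { "PRIV", "ADMN" };

static int privileged_allowlist_check(uint32_t name)
{
    size_t count = sizeof privileged_names / sizeof privileged_names[0];
    for (size_t i = 0; i < count; i++)
        if (name == name_tag(privileged_names[i]))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample names: an arbitrary uppercase name, a mixed-case
     * one, a lowercase one and the allowlisted one. The range check accepts
     * everything except the lowercase name. */
    const char *samples[] = { "EVIL", "Bad!", "evil", "PRIV" };
    for (size_t i = 0; i < 4; i++)
        printf("%-4s range=%d allowlist=%d\n", samples[i],
               privileged_range_check(name_tag(samples[i])),
               privileged_allowlist_check(name_tag(samples[i])));
    printf("uppercase 4-letter names accepted by range check: %lu\n",
           count_uppercase_names_passing());
    return 0;
}
```

The range check accepts all 456,976 four-letter uppercase names plus any mixed-case or punctuated name whose packed value happens to fall between the two constants, while the allowlist accepts exactly the names it was told about.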
They concluded that the hardware used by Apple is “light years ahead of competitors but the software does have weaknesses.”
Finally I also enjoyed “USING EMET TO DISABLE EMET” by Abdulellah Alsaheel & Raghav Pande
They started with a short history of EMET bypass techniques and then explained how they bypassed it themselves.
Essentially they found that EMET has its own disabling routine, which is reachable from its DllMain function. It also turns out that EMET still does not hook GetModuleHandleA (which is often needed for bypassing EMET, yet is still not considered dangerous) or DllMain. This way an attacker can craft a ROP chain that simply unloads EMET by calling EMET's own unloading function… how convenient.
This “feature” appears to be fixed in version 5.5, which now checks its own unloading function, but GetModuleHandleA is still not hooked, so older bypasses should still work.
I also listened to various other talks which had awesome content, such as:
– PWNING YOUR JAVA MESSAGING WITH DESERIALIZATION VULNERABILITIES – Matthias Kaiser
– $HELL ON EARTH: FROM BROWSER TO SYSTEM COMPROMISE – Matt Molinyawe & Jasiel Spelman & Abdul-Aziz Hariri & Joshua Smith
– THE LINUX KERNEL HIDDEN INSIDE WINDOWS 10 – Alex Ionescu
– PANGU 9 INTERNALS – Tielei Wang & Hao Xu & Xiaobo Chen
and of course my colleague Felix Wilhelm with his awesome XENPWN talk.