Mission Impossible: Steal Kernel Data from User Space

Presented at DEF CON China 1.0 (2019), June 2, 2019, 1 p.m. (45 minutes)

With the introduction of GDPR and the emphasis on privacy, more and more companies and research institutions have begun to pay attention to data privacy protection. Among the protection schemes, using the kernel to protect private data plays an important role.

However, Meltdown and Spectre, as CPU vulnerabilities, allow a rogue process to read kernel data in the CPU L1-d cache, even when it is not authorized to do so. Until now, the only effective mitigation approach was to isolate kernel memory from user-mode processes. This solution has different names on different platforms: Kernel Page-Table Isolation (KPTI) on Linux, Kernel Virtual Address (KVA) Shadow on Windows, and Double Map (DM) on OS X.

In this talk, however, we will show that the belief that the strong isolation of KPTI has perfectly defeated Meltdown is an illusion. First, we propose Variant V3r to demonstrate that Meltdown can be improved to be more powerful and reliable than people originally thought. Variant V3r significantly increases the reliability with which a rogue process can read any kernel data (not necessarily in the L1-d cache) on multiple platforms. Next, we propose an even more powerful attack, Variant V3z, that allows a rogue process to bypass KPTI and reliably read any kernel data. To the best of our knowledge, V3z is the first Meltdown variant that is able to defeat KPTI.

To demonstrate the reliability, efficiency, and effectiveness of these two new variants, we will show demos in which unprivileged processes reliably leak secrets from anywhere in the kernel space, even in the presence of KASLR.

Finally, we will offer suggestions to mitigate our proposed threats, and we call for more and more parties to join in this effort to improve the security of processors and operating systems.


Presenters:

  • Tao Wei - Chief Security Scientist, Baidu X-Lab
  • Yu Ding - Staff Security Scientist, Baidu X-Lab
  • Yulong Zhang - Principal Security Scientist, Baidu
  • Zhaofeng Chen - Staff Security Scientist, Baidu X-Lab
  • Yueqiang Cheng - Staff Security Scientist, Baidu USA X-Lab

Yueqiang Cheng is a Staff Security Scientist at Baidu USA X-Lab. His research interests focus on System Security (e.g., SGX, Virtualization), Blockchain Security, and Side Channel Security. Zhaofeng Chen is a security researcher from Baidu X-Lab, focusing on iOS/macOS security. Yulong Zhang is currently working at Baidu conducting the research and development of the next generation methodologies to analyze advanced mobile malware, and to design security products to detect and defend mobile threats. Yu Ding is a staff security scientist at Baidu X-Lab. His research interests are security issues around Intel SGX, secure decentralized systems, and security protocol analysis. Dr. Tao (Lenx) Wei is the head of Baidu X-Lab. Prior to joining Baidu, he was an associate professor at Peking University. His research interests include software analysis and system protection, web trust and privacy, programming languages, and mobile security.
