Precise and Scalable Detection of Double-Fetch Bugs in OS Kernels (2018 slide deck, PDF)


Title slide: Precise and Scalable Detection of Double-Fetch Bugs in OS Kernels. Speaker: PhD student, School of Computer Science, Georgia Institute of Technology; member of SSLab and IISP.

What is Double-Fetch?

Address Space Separation. A typical address space separation scheme with a 32-bit virtual address space: the user/program address space occupies the lower 3 GB and the kernel address space the upper 1 GB.

    0xFFFFFFFF  +------------------------------+
                |  Kernel address space        |  1 GB
    0xC0000000  +------------------------------+
                |  User/program address space  |  3 GB
    0x00000000  +------------------------------+

How To Do A Single Fetch? Consider a kernel function that receives a userspace pointer, whose target holds 0xDEADBEEF, and a kernel pointer, whose target is still uninitialized:

    void kfunc(int __user *uptr, int *kptr)

The kernel must not dereference a userspace pointer directly (no dereference on userspace pointers):

    *kptr = *uptr;                  /* XXXXXX: not allowed on a __user pointer */

Instead it uses the designated userspace memory access functions (transfer functions), after which *kptr holds 0xDEADBEEF:

    copy_from_user(kptr, uptr, 4);

Shared Userspace Pointer Across Threads. The memory that uptr points to belongs to the user process, and other threads of that process share it: they can write to it while the kernel is still executing the syscall.

Why Double-Fetch? A simplified version of perf_copy_attr shows the typical reason: the kernel first reads the size field so that it can validate it, then copies the whole structure.

    static int perf_copy_attr_simplified
        (struct perf_event_attr __user *uattr,
         struct perf_event_attr *attr)
    {
        u32 size;

        /* first fetch */
        if (get_user(size, &uattr->size))
            return -EFAULT;

        /* sanity checks */
        if (size > PAGE_SIZE ||
            size < ...)        /* lower bound not recoverable from this page */
            ...

        /* second fetch (these lines are not recoverable from this page) */
        ...

        /* attr->size is used later */
        memcpy(buf, attr, attr->size);
    }

What Can Go Wrong in This Process?

- Right After the First Fetch: the 4-byte size field of the userspace structure holds 30, so the kernel's local size is 30 and it passes the sanity checks.
- Race Condition in the Userspace: before the second fetch, another thread of the user process overwrites that same field with 65535.
- Right After the Second Fetch: the second fetch copies the structure again, including the changed field, so attr->size is now 65535 even though the value that was checked was 30.

When Exploits Happen: the later use of attr->size, memcpy(buf, attr, attr->size), copies 65535 bytes instead of the 30 that were checked. The result is a kernel information leak.

Root Cause of Double-Fetch Bugs

- False assumed atomicity in syscall execution: the code wrongly assumes that accessing the same userspace address twice within one system call yields the same result.
- In essence, a double-fetch bug is a time-of-check-to-time-of-use (TOCTOU) bug.

Double-Fetch is Prevalent in Kernels. Common double-fetch scenarios:

- Size checking: checking the size of the whole message (the perf_copy_attr case above).
- Dependency lookup: looking up the object that handling the message depends on.
- Protocol/signature checking.
- Information guessing: completing a message whose content is only partly known.

Case 2: Dependency Lookup. Adapted from __mptctl_ioctl in drivers/message/fusion/mptctl.c. The adapter number from the first fetch chooses the adapter whose mutex lock is acquired (ioc01) and later released (ioc01), while the adapter number from the second fetch chooses the adapter on which do_fw_download is performed (ioc02): the lock and the operation end up referring to different adapters.

Case 3: Protocol/Signature Check. Adapted from do_tls_setsockopt_tx in net/tls/tls_main.c.

Case 4: Information Guessing. Adapted from con_font_set in drivers/tty/vt/vt.c.

Prior Works

| | Bochspwn (BlackHat '13) | DECAF (arXiv '17) | Pengfei et al. (Security '17) | Deadline (IEEE S&P '18) |
| Kernel | Windows | Linux | Linux, FreeBSD | Linux, FreeBSD |
| Analysis | Dynamic | Dynamic | Static | Static |
| Method | Virtual machine introspection (VMI) | Kernel fuzzing | Lexical code matching | Symbolic execution |
| Double-fetch pattern | Two accesses to the same memory address within a short time (memory access timing) | Cache side channel | Source code patterns around size checking | Formal definition of double-fetch bugs |
| Code coverage | Low | Low | High | High |
| Manual effort | Manual checking required to differentiate double-fetch cases from bugs | Manual checking required | Manual checking required | No manual checking |

Double-Fetch Bugs: A Formal Definition

Fetch: each fetch is represented as a pair (A, S), where A is the starting address of the fetch and S is the size of the memory copied into the kernel.

Overlapped fetch: two fetches, (A0, S0) and (A1, S1), that satisfy

    A0 <= A1 < A0 + S0  ||  A1 <= A0 < A1 + S1

- The overlapped memory region is denoted (A01, S01).
- The content copied in by the first fetch is denoted (A01, S01, 0).
- The content copied in by the second fetch is denoted (A01, S01, 1).

An intuitive (but imprecise) definition of a double-fetch bug: (A01, S01, 0) != (A01, S01, 1).

Control dependence: of this slide only its example survives on the page, the TLS case's check of the version field against TLS_1_2_VERSION.

Data dependence: a variable V in (A01, S01) such that V is consumed before or on the second fetch (e.g., involved in a calculation, passed to a function call, etc.). In the mptctl case:

- Overlapped variable V: khdr.iocnum
- The statement where V is consumed: mpt_verify_adapter(khdr.iocnum, &iocp)
- The expectation for V after the second fetch: kfwdl.iocnum equals khdr.iocnum

Double-Fetch Bugs: A Formal Definition

1. Two fetches from userspace memory cover an overlapped region.
2. A relation must exist on the overlapped region between the two fetches. The relation can be a control dependence, a data dependence, or both.
3. We cannot prove that the relation established after the first fetch still holds after the second fetch.
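The overlapped-fetch test and the (A01, S01) region from the definition above, as an added example that is not code from the talk or from Deadline; the addresses, and a 4-byte size field assumed at offset 4 of the user structure, are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A fetch is the pair (A, S) of the talk's definition: A = starting user
 * address, S = number of bytes copied into the kernel. */
struct fetch { uintptr_t a; size_t s; };

/* Overlapped-fetch test: A0 <= A1 < A0+S0 || A1 <= A0 < A1+S1.
 * Returns 1 and writes the overlapped region (A01, S01) to *out, else 0. */
int fetch_overlap(struct fetch f0, struct fetch f1, struct fetch *out)
{
    uintptr_t e0 = f0.a + f0.s, e1 = f1.a + f1.s;
    if (!((f0.a <= f1.a && f1.a < e0) || (f1.a <= f0.a && f0.a < e1)))
        return 0;
    out->a = f0.a > f1.a ? f0.a : f1.a;          /* A01 = max(A0, A1)          */
    out->s = (e0 < e1 ? e0 : e1) - out->a;       /* S01 = min(end0, end1) - A01 */
    return 1;
}

/* Pairwise pass over the fetches collected on one syscall path: every
 * overlapping pair is a candidate that symbolic checking must examine.
 * Returns the number of overlapping pairs; up to `max` regions are stored. */
size_t overlapped_pairs(const struct fetch *fs, size_t n,
                        struct fetch *regions, size_t max)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++) {
            struct fetch r;
            if (!fetch_overlap(fs[i], fs[j], &r))
                continue;
            if (found < max)
                regions[found] = r;
            found++;
        }
    return found;
}

int main(void)
{
    /* Constructed fetches mirroring perf_copy_attr: uattr assumed at 0x1000,
     * get_user reads the 4-byte size field (assumed offset 4), copy_from_user
     * then copies size = 30 bytes from the struct start; the third fetch is an
     * unrelated buffer and must not pair with either. */
    struct fetch fs[] = { { 0x1004, 4 }, { 0x1000, 30 }, { 0x2000, 8 } };
    struct fetch regions[4] = { { 0, 0 } };
    size_t n = overlapped_pairs(fs, 3, regions, 4);
    printf("%zu overlapped pair(s); A01=0x%lx S01=%zu\n",
           n, (unsigned long)regions[0].a, regions[0].s);
    return 0;
}
```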

How to Find Double-Fetch Bugs?

1. Find as many fetch pairs as possible and construct the code paths associated with each pair.
2. Symbolically execute each code path and determine, according to the definition, whether the two fetches make a double-fetch bug.

Fetch Pair Collection. Goal: statically enumerate all pairs of fetches that could possibly occur while executing one system call. Start from a fetch and search backward through the reaching instructions:

    static int enclosing_function(struct msg_hdr __user *uptr, struct msg_full *kptr)
    {
        if (copy_from_user(kptr, uptr, size))
            return -EFAULT;
    }

Case 1: found another fetch.

    if (get_user(size, &uptr->size))
        return -EFAULT;
    if (copy_from_user(kptr, uptr, size))
        return -EFAULT;

Case 2: found a fetch-involved function, i.e. a callee that performs a fetch itself.

    size = get_size_from_user(uptr);
    if (copy_from_user(kptr, uptr, size))
        return -EFAULT;

Case 3: no fetch-related instruction found, so this fetch has no pair.

Symbolic Checking. Goal: symbolically execute the code path that connects the two fetches and determine whether the two fetches satisfy all the criteria set in the formal definition of a double-fetch bug. The slides step through a worked case here; please refer to our paper for a more complex case that demonstrates how Deadline handles loop unrolling and pointer resolving.

Findings

1. 24 bugs found in total: 23 in the Linux kernel and 1 in the FreeBSD kernel.
2. 10 bugs have been patched with the fix we provided.
3. 5 bugs are acknowledged by the maintainers; the fix is still being worked on and the patches have not been released yet.
4. 7 bugs are pending review.
5. 2 bugs are marked as "won't fix".

Patching Double-Fetch Bugs

1. Override the second fetch: after the second copy, overwrite the overlapped content with what the first fetch obtained.
2. Abort on change detected: check whether the content of the two fetches is identical and abort if it is not.
3. Refactor the overlapped copies into two non-overlapping, incremental copies.
4. Refactor the overlapped copies into a single fetch.
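Patterns 1 and 2 applied to the perf_copy_attr_simplified scenario, as an added userspace simulation that is not code from the talk or from the kernel; struct attr, fetch() and bump_size are constructed stand-ins for perf_event_attr, copy_from_user and the racing user thread, and the race is invoked deterministically between the two fetches rather than run on a second thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EFAULT 14
#define EINVAL 22

/* Constructed stand-in for perf_event_attr: a 4-byte size header followed by
 * a payload (assumed layout, not the kernel's). */
struct attr { uint32_t size; uint8_t payload[60]; };

/* Stand-in for copy_from_user: "user memory" is an ordinary buffer here. */
static int fetch(void *dst, const void *usrc, size_t n) { memcpy(dst, usrc, n); return 0; }

enum patch { UNPATCHED, OVERRIDE_SECOND, ABORT_ON_CHANGE };

/* Models perf_copy_attr_simplified. `race`, if non-NULL, runs between the two
 * fetches and plays the user thread that rewrites the shared size field.
 * Returns the attr->size the later memcpy would trust, or a negative errno. */
int copy_attr(struct attr *uattr, struct attr *attr,
              void (*race)(struct attr *), enum patch p)
{
    uint32_t size;
    if (fetch(&size, &uattr->size, sizeof size))       /* first fetch */
        return -EFAULT;
    if (size > sizeof *attr || size < sizeof size)      /* sanity checks on size */
        return -EINVAL;
    if (race)
        race(uattr);                                    /* the TOCTOU window */
    if (fetch(attr, uattr, size))                       /* second fetch, re-reads size */
        return -EFAULT;
    if (p == OVERRIDE_SECOND)
        attr->size = size;                              /* pattern 1: keep the checked value */
    else if (p == ABORT_ON_CHANGE && attr->size != size)
        return -EINVAL;                                 /* pattern 2: abort on change */
    return (int)attr->size;
}

/* Constructed racing thread: rewrites the header with a value the checks reject. */
static void bump_size(struct attr *uattr) { uattr->size = 65535; }

int main(void)
{
    struct attr user = { .size = 30 }, kern;
    printf("unpatched: memcpy would use %d bytes\n", copy_attr(&user, &kern, bump_size, UNPATCHED));
    user.size = 30;
    printf("override : %d\n", copy_attr(&user, &kern, bump_size, OVERRIDE_SECOND));
    user.size = 30;
    printf("abort    : %d\n", copy_attr(&user, &kern, bump_size, ABORT_ON_CHANGE));
    return 0;
}
```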

Generic Patch for Double-Fetch Bugs. Unfortunately, not all double-fetch bugs can be patched with these patterns. Some require heavy refactoring of the existing code base or redesigning the structs used to pass information, which takes substantial manual effort. Recently, DECAF has offered a promising direction: using Intel TSX-based techniques to ensure that userspace memory accesses within one syscall execution are atomic.

Conclusion

- A precise and formal definition matters for finding logic bugs: detecting double-fetch bugs without one has led to many false alerts and tremendous manual effort, and such a definition helps rule out false positives.
- Application beyond kernels: our system, Deadline, is not limited to double-fetch bugs in kernels; we believe similar bugs exist in hypervisors, browsers, TEEs, etc.
- Logic bugs are on the rise. After memory safety bugs, logic bugs deserve equal attention; we hope that more logic bugs can be modeled and checked systematically.

Thank you!
